



# AMD64 Technology

## AMD64 Architecture Programmer's Manual

### Volume 3: General-Purpose and System Instructions

| Publication No. | Revision | Date      |
|-----------------|----------|-----------|
| 24594           | 3.37     | July 2025 |

The information contained herein is for informational purposes only, and is subject to change without notice. While every precaution has been taken in the preparation of this document, it may contain technical inaccuracies, omissions and typographical errors, and AMD is under no obligation to update or otherwise correct this information. Advanced Micro Devices, Inc. makes no representations or warranties with respect to the accuracy or completeness of the contents of this document, and assumes no liability of any kind, including the implied warranties of noninfringement, merchantability or fitness for particular purposes, with respect to the operation or use of AMD hardware, software or other products described herein. No license, including implied or arising by estoppel, to any intellectual property rights is granted by this document. Terms and limitations applicable to the purchase or use of AMD's products are as set forth in a signed agreement between the parties or in AMD's Standard Terms and Conditions of Sale. Any unauthorized copying, alteration, distribution, transmission, performance, display or other use of this material is prohibited.

## Trademarks

AMD, the AMD Arrow logo, and combinations thereof, and 3DNow! are trademarks of Advanced Micro Devices, Inc. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies.

MMX is a trademark and Pentium is a registered trademark of Intel Corporation.

# Contents

|                                                                         |             |
|-------------------------------------------------------------------------|-------------|
| <b>Contents .....</b>                                                   | <b>i</b>    |
| <b>Figures.....</b>                                                     | <b>xi</b>   |
| <b>Tables .....</b>                                                     | <b>xiii</b> |
| <b>Revision History.....</b>                                            | <b>xvii</b> |
| <b>Preface.....</b>                                                     | <b>xxv</b>  |
| About This Book.....                                                    | xxv         |
| Audience.....                                                           | xxv         |
| Organization .....                                                      | xxv         |
| Conventions and Definitions .....                                       | xxvi        |
| Related Documents.....                                                  | xxxviii     |
| <b>1     Instruction Encoding.....</b>                                  | <b>1</b>    |
| 1.1    Instruction Encoding Overview.....                               | 1           |
| 1.1.1 Encoding Syntax.....                                              | 1           |
| 1.1.2 Representation in Memory .....                                    | 4           |
| 1.2    Instruction Prefixes .....                                       | 5           |
| 1.2.1 Summary of Legacy Prefixes .....                                  | 6           |
| 1.2.2 Operand-Size Override Prefix .....                                | 7           |
| 1.2.3 Address-Size Override Prefix .....                                | 9           |
| 1.2.4 Segment-Override Prefixes.....                                    | 10          |
| 1.2.5 Lock Prefix .....                                                 | 11          |
| 1.2.6 Repeat Prefixes .....                                             | 12          |
| 1.2.7 REX Prefix .....                                                  | 14          |
| 1.2.8 VEX, XOP, and EVEX Prefixes.....                                  | 16          |
| 1.3    Opcode.....                                                      | 16          |
| 1.4    ModRM and SIB Bytes .....                                        | 17          |
| 1.4.1 ModRM Byte Format .....                                           | 17          |
| 1.4.2 SIB Byte Format .....                                             | 19          |
| 1.4.3 Operand Addressing in Legacy 32-bit and Compatibility Modes ..... | 20          |
| 1.4.4 Operand Addressing in 64-bit Mode.....                            | 23          |
| 1.5    Displacement Bytes .....                                         | 24          |
| 1.6    Immediate Bytes .....                                            | 24          |
| 1.7    RIP-Relative Addressing .....                                    | 24          |
| 1.7.1 Encoding .....                                                    | 25          |
| 1.7.2 REX Prefix and RIP-Relative Addressing .....                      | 25          |
| 1.7.3 Address-Size Prefix and RIP-Relative Addressing .....             | 25          |
| 1.8    Encoding Considerations Using REX .....                          | 26          |
| 1.8.1 Byte-Register Addressing .....                                    | 26          |
| 1.8.2 Special Encodings for Registers .....                             | 26          |
| 1.9    Encoding Using the VEX and XOP Prefixes .....                    | 29          |
| 1.9.1 Three-Byte Escape Sequences .....                                 | 29          |
| 1.9.2 Two-Byte Escape Sequence .....                                    | 32          |

|          |                                                        |           |
|----------|--------------------------------------------------------|-----------|
| 1.10     | Encoding Using the EVEX Prefix . . . . .               | 34        |
| 1.10.1   | Four-Byte Escape Sequence . . . . .                    | 34        |
| <b>2</b> | <b>Instruction Overview . . . . .</b>                  | <b>39</b> |
| 2.1      | Instruction Groups . . . . .                           | 39        |
| 2.2      | Reference-Page Format . . . . .                        | 40        |
| 2.3      | Summary of Registers and Data Types . . . . .          | 42        |
| 2.3.1    | General-Purpose Instructions . . . . .                 | 42        |
| 2.3.2    | System Instructions . . . . .                          | 45        |
| 2.3.3    | SSE Instructions . . . . .                             | 47        |
| 2.3.4    | 64-Bit Media Instructions . . . . .                    | 52        |
| 2.3.5    | x87 Floating-Point Instructions . . . . .              | 54        |
| 2.4      | Summary of Exceptions . . . . .                        | 55        |
| 2.5      | Notation . . . . .                                     | 57        |
| 2.5.1    | Mnemonic Syntax . . . . .                              | 57        |
| 2.5.2    | Opcode Syntax . . . . .                                | 60        |
| 2.5.3    | Pseudocode Definition . . . . .                        | 61        |
| <b>3</b> | <b>General-Purpose Instruction Reference . . . . .</b> | <b>79</b> |
|          | AAA . . . . .                                          | 81        |
|          | AAD . . . . .                                          | 82        |
|          | AAM . . . . .                                          | 83        |
|          | AAS . . . . .                                          | 84        |
|          | ADC . . . . .                                          | 85        |
|          | ADCX . . . . .                                         | 87        |
|          | ADD . . . . .                                          | 89        |
|          | ADOX . . . . .                                         | 91        |
|          | AND . . . . .                                          | 93        |
|          | ANDN . . . . .                                         | 95        |
|          | BEXTR<br>(register form) . . . . .                     | 97        |
|          | BEXTR<br>(immediate form) . . . . .                    | 99        |
|          | BLCFILL . . . . .                                      | 101       |
|          | BLCI . . . . .                                         | 103       |
|          | BLCIC . . . . .                                        | 105       |
|          | BLCMSK . . . . .                                       | 107       |
|          | BLCS . . . . .                                         | 109       |
|          | BLSFILL . . . . .                                      | 111       |
|          | BLSI . . . . .                                         | 113       |
|          | BLSIC . . . . .                                        | 115       |
|          | BLSMSK . . . . .                                       | 117       |
|          | BLSR . . . . .                                         | 119       |
|          | BOUND . . . . .                                        | 121       |
|          | BSF . . . . .                                          | 123       |
|          | BSR . . . . .                                          | 124       |
|          | BSWAP . . . . .                                        | 125       |
|          | BT . . . . .                                           | 126       |

|                      |     |
|----------------------|-----|
| BTC .....            | 128 |
| BTR .....            | 130 |
| BTS .....            | 132 |
| BZHI .....           | 134 |
| CALL (Near) .....    | 136 |
| CALL (Far) .....     | 139 |
| CBW                  |     |
| CWDE                 |     |
| CDQE .....           | 146 |
| CWD                  |     |
| CDQ                  |     |
| CQO .....            | 147 |
| CLC .....            | 148 |
| CLD .....            | 149 |
| CLFLUSH .....        | 150 |
| CLFLUSHOPT .....     | 152 |
| CLWB .....           | 154 |
| CLZERO .....         | 156 |
| CMC .....            | 157 |
| CMOV <i>cc</i> ..... | 158 |
| CMP .....            | 162 |
| CMPS                 |     |
| CMPSB                |     |
| CMPSW                |     |
| CMPSD                |     |
| CMPSQ .....          | 165 |
| CMPXCHG .....        | 167 |
| CMPXCHG8B            |     |
| CMPXCHG16B .....     | 169 |
| CPUID .....          | 171 |
| CRC32 .....          | 174 |
| DAA .....            | 176 |
| DAS .....            | 177 |
| DEC .....            | 178 |
| DIV .....            | 180 |
| ENTER .....          | 182 |
| IDIV .....           | 184 |
| IMUL .....           | 186 |
| IN .....             | 188 |
| INC .....            | 190 |
| INS                  |     |
| INSB                 |     |
| INSW                 |     |
| INSD .....           | 192 |
| INT .....            | 194 |
| INTO .....           | 202 |
| Jcc .....            | 203 |

|            |     |
|------------|-----|
| JCXZ       |     |
| JECXZ      |     |
| JRCXZ      | 207 |
| JMP (Near) | 208 |
| JMP (Far)  | 210 |
| LAHF       | 215 |
| LDS        |     |
| LES        |     |
| LFS        |     |
| LGS        |     |
| LSS        | 216 |
| LEA        | 218 |
| LEAVE      | 220 |
| LFENCE     | 221 |
| LLWPCB     | 222 |
| LODS       |     |
| LODSB      |     |
| LODSW      |     |
| LODSD      |     |
| LODSQ      | 225 |
| LOOP       |     |
| LOOPE      |     |
| LOOPNE     |     |
| LOOPNZ     |     |
| LOOPZ      | 227 |
| LWPINS     | 229 |
| LWPVAL     | 231 |
| LZCNT      | 234 |
| MCOMMIT    | 236 |
| MFENCE     | 237 |
| MONITORX   | 238 |
| MOV        | 240 |
| MOVBE      | 243 |
| MOVD       | 245 |
| MOVDIRI    | 249 |
| MOVDIR64B  | 251 |
| MOVMSKPD   | 253 |
| MOVMSKPS   | 255 |
| MOVNTI     | 257 |
| MOVS       |     |
| MOVSB      |     |
| MOVSW      |     |
| MOVSD      |     |
| MOVSQ      | 259 |
| MOVSX      | 261 |
| MOVSDX     | 262 |
| MOVZX      | 263 |

|                       |     |
|-----------------------|-----|
| MUL                   | 264 |
| MULX                  | 266 |
| MWAITX                | 268 |
| NEG                   | 270 |
| NOP                   | 272 |
| NOT                   | 273 |
| OR                    | 274 |
| OUT                   | 277 |
| OUTS                  |     |
| OUTSB                 |     |
| OUTSW                 |     |
| OUTSD                 | 278 |
| PAUSE                 | 280 |
| PDEP                  | 281 |
| PEXT                  | 283 |
| POP                   | 285 |
| POPA                  |     |
| POPAD                 | 287 |
| POPCNT                | 288 |
| POPF                  |     |
| POPFD                 |     |
| POPFQ                 | 290 |
| PREFETCH              |     |
| PREFETCHW             | 293 |
| PREFETCH <i>level</i> | 295 |
| PUSH                  | 297 |
| PUSHA                 |     |
| PUSHAD                | 299 |
| PUSHF                 |     |
| PUSHFD                |     |
| PUSHFQ                | 300 |
| RCL                   | 302 |
| RCR                   | 304 |
| RDFSBASE              |     |
| RDGSBASE              | 306 |
| RDPID                 | 307 |
| RDPRU                 | 308 |
| RDRAND                | 309 |
| RDSEED                | 310 |
| RET (Near)            | 311 |
| RET (Far)             | 313 |
| ROL                   | 318 |
| ROR                   | 320 |
| RORX                  | 322 |
| SAHF                  | 324 |
| SAL                   |     |
| SHL                   | 325 |

|                                             |            |
|---------------------------------------------|------------|
| SAR .....                                   | 328        |
| SARX .....                                  | 330        |
| SBB .....                                   | 332        |
| SCAS                                        |            |
| SCASB                                       |            |
| SCASW                                       |            |
| SCASD                                       |            |
| SCASQ .....                                 | 334        |
| SETcc .....                                 | 336        |
| SFENCE .....                                | 338        |
| SHL .....                                   | 339        |
| SHLD .....                                  | 340        |
| SHLX .....                                  | 342        |
| SHR .....                                   | 344        |
| SHRD .....                                  | 346        |
| SHRX .....                                  | 348        |
| SLWPCB .....                                | 350        |
| STC .....                                   | 352        |
| STD .....                                   | 353        |
| STOS                                        |            |
| STOSB                                       |            |
| STOSW                                       |            |
| STOSD                                       |            |
| STOSQ .....                                 | 354        |
| SUB .....                                   | 356        |
| T1MSKC .....                                | 358        |
| TEST .....                                  | 360        |
| TZCNT .....                                 | 362        |
| TZMSK .....                                 | 364        |
| UD0, UD1, UD2 .....                         | 366        |
| WRFSBASE                                    |            |
| WRGSBASE .....                              | 367        |
| XADD .....                                  | 368        |
| XCHG .....                                  | 370        |
| XLAT .....                                  | 372        |
| XLATB .....                                 | 372        |
| XOR .....                                   | 373        |
| <b>4 System Instruction Reference .....</b> | <b>377</b> |
| ARPL .....                                  | 379        |
| CLAC .....                                  | 381        |
| CLGI .....                                  | 382        |
| CLI .....                                   | 383        |
| CLTS .....                                  | 385        |
| CLRSSBSY .....                              | 386        |
| HLT .....                                   | 388        |
| INCSSP .....                                | 389        |
| INT 3 .....                                 | 391        |

|                       |     |
|-----------------------|-----|
| INVD . . . . .        | 394 |
| INVLPG . . . . .      | 395 |
| INVLPGA . . . . .     | 396 |
| INVLPGB . . . . .     | 397 |
| INVPCID . . . . .     | 401 |
| IRET . . . . .        |     |
| IRETD . . . . .       |     |
| IRETQ . . . . .       | 403 |
| LAR . . . . .         | 411 |
| LGDT . . . . .        | 413 |
| LIDT . . . . .        | 415 |
| LLDT . . . . .        | 417 |
| LMSW . . . . .        | 419 |
| LSL . . . . .         | 420 |
| LTR . . . . .         | 422 |
| MONITOR . . . . .     | 424 |
| MOV CRn . . . . .     | 426 |
| MOV DRn . . . . .     | 428 |
| MWAIT . . . . .       | 430 |
| PSMASH . . . . .      | 432 |
| PVALIDATE . . . . .   | 435 |
| RDMSR . . . . .       | 438 |
| RDPKRU . . . . .      | 439 |
| RDPMC . . . . .       | 440 |
| RDSSP . . . . .       | 442 |
| RDTSC . . . . .       | 443 |
| RDTSCP . . . . .      | 445 |
| RMPADJUST . . . . .   | 447 |
| RMPQUERY . . . . .    | 450 |
| RMPREAD . . . . .     | 453 |
| RSM . . . . .         | 460 |
| RSTORSSP . . . . .    | 462 |
| SAVEPREVSSP . . . . . | 465 |
| SETSSBSY . . . . .    | 467 |
| SGDT . . . . .        | 469 |
| SIDT . . . . .        | 470 |
| SKINIT . . . . .      | 471 |
| SLDT . . . . .        | 473 |
| SMSW . . . . .        | 475 |
| STAC . . . . .        | 476 |
| STI . . . . .         | 477 |
| STGI . . . . .        | 479 |
| STR . . . . .         | 480 |
| SWAPGS . . . . .      | 481 |
| SYSCALL . . . . .     | 483 |
| SYSENTER . . . . .    | 487 |
| SYSEXIT . . . . .     | 489 |

|                                                                                        |            |
|----------------------------------------------------------------------------------------|------------|
| SYSRET.....                                                                            | 491        |
| TLBSYNC.....                                                                           | 495        |
| VERR.....                                                                              | 496        |
| VERW.....                                                                              | 498        |
| VMLOAD.....                                                                            | 499        |
| VMMCALL.....                                                                           | 501        |
| VMGEXIT.....                                                                           | 501        |
| VMRUN.....                                                                             | 502        |
| VMSAVE.....                                                                            | 507        |
| WBINVD.....                                                                            | 509        |
| WBNOINVD.....                                                                          | 509        |
| WRMSR.....                                                                             | 511        |
| WRPKRU.....                                                                            | 513        |
| WRSS.....                                                                              | 514        |
| WRUSS.....                                                                             | 517        |
| <b>Appendix A      Opcode and Operand Encodings .....</b>                              | <b>519</b> |
| A.1      Opcode Maps.....                                                              | 522        |
| Legacy Opcode Maps .....                                                               | 523        |
| 3DNow!™ Opcodes .....                                                                  | 539        |
| x87 Encodings .....                                                                    | 542        |
| rFLAGS Condition Codes for x87 Opcodes .....                                           | 551        |
| Extended Instruction Opcode Maps.....                                                  | 551        |
| A.2      Operand Encodings .....                                                       | 571        |
| ModRM Operand References .....                                                         | 571        |
| SIB Operand References .....                                                           | 576        |
| <b>Appendix B      General-Purpose Instructions in 64-Bit Mode .....</b>               | <b>581</b> |
| B.1      General Rules for 64-Bit Mode .....                                           | 581        |
| B.2      Operation and Operand Size in 64-Bit Mode .....                               | 582        |
| B.3      Invalid and Reassigned Instructions in 64-Bit Mode .....                      | 607        |
| B.4      Instructions with 64-Bit Default Operand Size.....                            | 608        |
| B.5      Single-Byte INC and DEC Instructions in 64-Bit Mode.....                      | 609        |
| B.6      NOP in 64-Bit Mode .....                                                      | 610        |
| B.7      Segment Override Prefixes in 64-Bit Mode .....                                | 610        |
| <b>Appendix C      Differences Between Long Mode and Legacy Mode.....</b>              | <b>611</b> |
| <b>Appendix D      Instruction Subsets and CPUID Feature Flags.....</b>                | <b>613</b> |
| D.1      Instruction Set Overview .....                                                | 614        |
| D.2      CPUID Feature Flags Related to Instruction Support .....                      | 616        |
| <b>Appendix E      Obtaining Processor Information Via the CPUID Instruction .....</b> | <b>621</b> |
| E.1      Special Notational Conventions .....                                          | 621        |
| E.2      Standard and Extended Function Numbers .....                                  | 622        |
| E.3      Standard Feature Function Numbers .....                                       | 622        |
| Function 0h—Maximum Standard Function Number and Vendor String.....                    | 622        |
| Function 1h—Processor and Processor Feature Identifiers.....                           | 623        |
| Functions 2h–4h—Reserved .....                                                         | 626        |
| Function 5h—Monitor and MWAIT Features .....                                           | 627        |

|                                                                                             |            |
|---------------------------------------------------------------------------------------------|------------|
| Function 6h—Power Management Related Features .....                                         | 627        |
| Function 7h—Structured Extended Feature Identifiers.....                                    | 628        |
| Functions 8h–Ah—Reserved.....                                                               | 631        |
| Function Bh — Extended Topology Enumeration .....                                           | 631        |
| Function Ch—Reserved.....                                                                   | 633        |
| Function Dh—Processor Extended State Enumeration.....                                       | 633        |
| Function Eh—Reserved.....                                                                   | 637        |
| Function Fh—PQOS Monitoring (PQM) .....                                                     | 637        |
| Function 10h—PQOS Enforcement (PQE).....                                                    | 638        |
| E.4 Functions 4000_0000h-4000_00FFh—Reserved for Hypervisor Use .....                       | 639        |
| Extended Feature Function Numbers .....                                                     | 640        |
| Function 8000_0000h—Maximum Extended Function Number and Vendor String .....                | 640        |
| Function 8000_0001h—Extended Processor and Processor Feature Identifiers.....               | 640        |
| Functions 8000_0002h-8000_0004h—Extended Processor Name String .....                        | 644        |
| Function 8000_0005h—L1 Cache and TLB Information.....                                       | 644        |
| Function 8000_0006h—L2 Cache and TLB and L3 Cache Information .....                         | 646        |
| Function 8000_0007h—Processor Power Management and RAS Capabilities .....                   | 648        |
| Function 8000_0008h—Processor Capacity Parameters and Extended Feature Identification ..... | 650        |
| Function 8000_0009h—Reserved.....                                                           | 653        |
| Function 8000_000Ah—SVM Features .....                                                      | 653        |
| Functions 8000_000Bh-8000_0018h—Reserved.....                                               | 655        |
| Function 8000_0019h—TLB Characteristics for 1GB pages .....                                 | 655        |
| Function 8000_001Ah—Instruction Optimizations .....                                         | 656        |
| Function 8000_001Bh—Instruction-Based Sampling Capabilities.....                            | 656        |
| Function 8000_001Ch—Lightweight Profiling Capabilities.....                                 | 657        |
| Function 8000_001Dh—Cache Topology Information.....                                         | 659        |
| Function 8000_001Eh—Processor Topology Information .....                                    | 661        |
| Function 8000_001Fh—SEV Capabilities .....                                                  | 662        |
| Function 8000_0020—PQOS Extended Features .....                                             | 663        |
| Function 8000_0021—Extended Feature Identification 2 .....                                  | 666        |
| Function 8000_0022—Extended Performance Monitoring and Debug .....                          | 667        |
| Function 8000_0023—Multi-Key Encrypted Memory Capabilities.....                             | 668        |
| Function 8000_0024—Reserved.....                                                            | 668        |
| Function 8000_0025—SEV Capabilities 2 .....                                                 | 668        |
| Function 8000_0026—Extended CPU Topology .....                                              | 669        |
| E.5 Multiple Processor Calculation .....                                                    | 671        |
| Legacy Method .....                                                                         | 671        |
| Extended Method (Recommended) .....                                                         | 671        |
| <b>Appendix F      Instruction Effects on RFLAGS .....</b>                                  | <b>673</b> |
| <b>Index .....</b>                                                                          | <b>677</b> |

# Figures

---

|              |                                                           |     |
|--------------|-----------------------------------------------------------|-----|
| Figure 1-1.  | Instruction Encoding Syntax .....                         | 2   |
| Figure 1-2.  | An Instruction as Stored in Memory .....                  | 5   |
| Figure 1-3.  | REX Prefix Format .....                                   | 15  |
| Figure 1-4.  | ModRM-Byte Format .....                                   | 17  |
| Figure 1-5.  | SIB Byte Format .....                                     | 19  |
| Figure 1-6.  | Encoding Examples Using REX R, X, and B Bits .....        | 28  |
| Figure 1-7.  | VEX/XOP Three-byte Escape Sequence Format .....           | 29  |
| Figure 1-8.  | VEX Two-byte Escape Sequence Format .....                 | 33  |
| Figure 1-9.  | EVEX Four-byte Escape Sequence Format .....               | 34  |
| Figure 2-1.  | Format of Instruction-Detail Pages .....                  | 41  |
| Figure 2-2.  | General Registers in Legacy and Compatibility Modes ..... | 42  |
| Figure 2-3.  | General Registers in 64-Bit Mode .....                    | 43  |
| Figure 2-4.  | Segment Registers .....                                   | 44  |
| Figure 2-5.  | General-Purpose Data Types .....                          | 45  |
| Figure 2-6.  | System Registers .....                                    | 46  |
| Figure 2-7.  | System Data Structures .....                              | 47  |
| Figure 2-8.  | SSE Registers .....                                       | 48  |
| Figure 2-9.  | 128-Bit SSE Data Types .....                              | 49  |
| Figure 2-10. | SSE 256-bit Data Types .....                              | 50  |
| Figure 2-11. | SSE 256-Bit Data Types (Continued) .....                  | 51  |
| Figure 2-12. | 64-Bit Media Registers .....                              | 52  |
| Figure 2-13. | 64-Bit Media Data Types .....                             | 53  |
| Figure 2-14. | x87 Registers .....                                       | 54  |
| Figure 2-15. | x87 Data Types .....                                      | 55  |
| Figure 2-16. | Syntax for Typical Two-Operand Instruction .....          | 57  |
| Figure 3-1.  | MOVD Instruction Operation .....                          | 246 |
| Figure A-1.  | ModRM-Byte Fields .....                                   | 532 |
| Figure A-2.  | ModRM-Byte Format .....                                   | 571 |
| Figure A-3.  | SIB Byte Format .....                                     | 577 |
| Figure D-1.  | AMD64 ISA Instruction Subsets .....                       | 615 |

# Tables

|             |                                                                 |     |
|-------------|-----------------------------------------------------------------|-----|
| Table 1-1.  | Legacy Instruction Prefixes .....                               | 7   |
| Table 1-2.  | Operand-Size Overrides .....                                    | 8   |
| Table 1-3.  | Address-Size Overrides.....                                     | 9   |
| Table 1-4.  | Pointer and Count Registers and the Address-Size Prefix .....   | 10  |
| Table 1-5.  | Segment-Override Prefixes.....                                  | 11  |
| Table 1-6.  | REP Prefix Opcodes .....                                        | 12  |
| Table 1-7.  | REPE and REPZ Prefix Opcodes .....                              | 13  |
| Table 1-8.  | REPNE and REPNZ Prefix Opcodes .....                            | 14  |
| Table 1-9.  | Instructions Not Requiring REX Prefix in 64-Bit Mode .....      | 15  |
| Table 1-10. | ModRM.reg and .r/m Field Encodings.....                         | 18  |
| Table 1-11. | SIB.scale Field Encodings .....                                 | 19  |
| Table 1-12. | SIB.index and .base Field Encodings .....                       | 20  |
| Table 1-13. | SIB.base encodings for ModRM.r/m = 100b .....                   | 20  |
| Table 1-14. | Operand Addressing Using ModRM and SIB Bytes .....              | 21  |
| Table 1-15. | REX Prefix-Byte Fields .....                                    | 23  |
| Table 1-16. | Encoding for RIP-Relative Addressing.....                       | 25  |
| Table 1-17. | Special REX Encodings for Registers .....                       | 27  |
| Table 1-18. | Three-byte Escape Sequence Field Definitions .....              | 30  |
| Table 1-19. | VEX.map_select Encoding .....                                   | 30  |
| Table 1-20. | XOP.map_select Encoding .....                                   | 31  |
| Table 1-21. | VEX/XOP.vvvv Encoding .....                                     | 32  |
| Table 1-22. | VEX/XOP.pp Encoding .....                                       | 32  |
| Table 1-23. | VEX Two-byte Escape Sequence Field Definitions.....             | 33  |
| Table 1-24. | Fixed Field Values for VEX 2-Byte Format.....                   | 33  |
| Table 1-25. | EVEX Four-byte Escape Sequence Field Definitions .....          | 34  |
| Table 1-26. | EVEX.map Encoding .....                                         | 35  |
| Table 1-27. | EVEX.L'L Encoding Size of Operation .....                       | 36  |
| Table 1-28. | EVEX.b and EVE.X.L'L Encodings .....                            | 37  |
| Table 2-1.  | Interrupt-Vector Source and Cause.....                          | 56  |
| Table 2-2.  | +rb, +rw, +rd, and +rq Register Value .....                     | 61  |
| Table 3-1.  | Instruction Support Indicated by CPUID Feature Bits .....       | 79  |
| Table 3-2.  | Processor Vendor Return Values .....                            | 172 |
| Table 3-3.  | Locality References for the Prefetch Instructions.....          | 296 |
| Table 4-1.  | System Instruction Support Indicated by CPUID Feature Bits..... | 377 |

|             |                                                                            |     |
|-------------|----------------------------------------------------------------------------|-----|
| Table A-1.  | Primary Opcode Map (One-byte Opcodes), Low Nibble 0–7h . . . . .           | 524 |
| Table A-2.  | Primary Opcode Map (One-byte Opcodes), Low Nibble 8–Fh . . . . .           | 525 |
| Table A-3.  | Secondary Opcode Map (Two-byte Opcodes), Low Nibble 0–7h . . . . .         | 527 |
| Table A-4.  | Secondary Opcode Map (Two-byte Opcodes), Low Nibble 8–Fh . . . . .         | 529 |
| Table A-5.  | rFLAGS Condition Codes for CMOVcc, Jcc, and SETcc . . . . .                | 531 |
| Table A-6.  | ModRM.reg Extensions for the Primary Opcode Map <sup>1</sup> . . . . .     | 532 |
| Table A-7.  | ModRM.reg Extensions for the Secondary Opcode Map . . . . .                | 534 |
| Table A-8.  | Opcde 01h ModRM Extensions . . . . .                                       | 536 |
| Table A-9.  | 0F_38h Opcode Map, Low Nibble = [0h:7h] . . . . .                          | 537 |
| Table A-10. | 0F_38h Opcode Map, Low Nibble = [8h:Fh] . . . . .                          | 537 |
| Table A-11. | 0F_3Ah Opcode Map, Low Nibble = [0h:7h] . . . . .                          | 538 |
| Table A-12. | 0F_3Ah Opcode Map, Low Nibble = [8h:Fh] . . . . .                          | 538 |
| Table A-13. | Immediate Byte for 3DNow! <sup>TM</sup> Opcodes, Low Nibble 0–7h . . . . . | 540 |
| Table A-14. | Immediate Byte for 3DNow! <sup>TM</sup> Opcodes, Low Nibble 8–Fh . . . . . | 541 |
| Table A-15. | x87 Opcodes and ModRM Extensions . . . . .                                 | 543 |
| Table A-16. | rFLAGS Condition Codes for FCMOVcc . . . . .                               | 551 |
| Table A-17. | VEX Opcode Map 1, Low Nibble = [0h:7h] . . . . .                           | 552 |
| Table A-18. | VEX Opcode Map 1, Low Nibble = [0h:7h] Continued. . . . .                  | 553 |
| Table A-19. | VEX Opcode Map 1, Low Nibble = [8h:Fh] . . . . .                           | 554 |
| Table A-20. | VEX Opcode Map 2, Low Nibble = [0h:7h] . . . . .                           | 555 |
| Table A-21. | VEX Opcode Map 2, Low Nibble = [8h:Fh] . . . . .                           | 556 |
| Table A-22. | VEX Opcode Map 3, Low Nibble = [0h:7h] . . . . .                           | 557 |
| Table A-23. | VEX Opcode Map 3, Low Nibble = [8h:Fh] . . . . .                           | 558 |
| Table A-24. | VEX Opcode Groups . . . . .                                                | 559 |
| Table A-25. | XOP Opcode Map 8h, Low Nibble = [0h:7h]. . . . .                           | 559 |
| Table A-26. | XOP Opcode Map 8h, Low Nibble = [8h:Fh] . . . . .                          | 560 |
| Table A-27. | XOP Opcode Map 9h, Low Nibble = [0h:7h]. . . . .                           | 560 |
| Table A-28. | XOP Opcode Map 9h, Low Nibble = [8h:Fh] . . . . .                          | 561 |
| Table A-29. | XOP Opcode Map Ah, Low Nibble = [0h:7h] . . . . .                          | 561 |
| Table A-30. | XOP Opcode Map Ah, Low Nibble = [8h:Fh] . . . . .                          | 561 |
| Table A-31. | XOP Opcode Groups . . . . .                                                | 561 |
| Table A-32. | EVEX Opcode Map 1, Low Nibble=[0h:7h] . . . . .                            | 562 |
| Table A-33. | EVEX Opcode Map 1, Low Nibble=[8h:Fh] . . . . .                            | 563 |
| Table A-34. | EVEX Opcode Map 1, Low Nibble=[8h:Fh] (Contd.) . . . . .                   | 564 |
| Table A-35. | EVEX Opcode Map 2, Low Nibble=[0h:7h] . . . . .                            | 565 |
| Table A-36. | EVEX Opcode Map 2, Low Nibble=[0h:7h] (Contd.) . . . . .                   | 566 |

|                                                                                     |     |
|-------------------------------------------------------------------------------------|-----|
| Table A-37. EVEX Opcode Map 2, Low Nibble=[8h:Fh] . . . . .                         | 567 |
| Table A-38. EVEX Opcode Map 2, Low Nibble=[8h:Fh] (Contd.) . . . . .                | 568 |
| Table A-39. EVEX Opcode Map 3, Low Nibble=[0h:7h] . . . . .                         | 569 |
| Table A-40. EVEX Opcode Map 3, Low Nibble=[8h:Fh] . . . . .                         | 570 |
| Table A-41. EVEX Opcode Groups . . . . .                                            | 570 |
| Table A-42. ModRM <i>reg</i> Field Encoding, 16-Bit Addressing . . . . .            | 572 |
| Table A-43. ModRM Byte Encoding, 16-Bit Addressing. . . . .                         | 572 |
| Table A-44. ModRM <i>reg</i> Field Encoding, 32-Bit and 64-Bit Addressing . . . . . | 574 |
| Table A-45. ModRM Byte Encoding, 32-Bit and 64-Bit Addressing. . . . .              | 575 |
| Table A-46. Addressing Modes: SIB <i>base</i> Field Encoding . . . . .              | 577 |
| Table A-47. Addressing Modes: SIB Byte Encoding . . . . .                           | 578 |
| Table B-1. Operations and Operands in 64-Bit Mode . . . . .                         | 582 |
| Table B-2. Invalid Instructions in 64-Bit Mode . . . . .                            | 607 |
| Table B-3. Reassigned Instructions in 64-Bit Mode. . . . .                          | 608 |
| Table B-4. Invalid Instructions in Long Mode . . . . .                              | 608 |
| Table B-5. Instructions Defaulting to 64-Bit Operand Size . . . . .                 | 609 |
| Table C-1. Differences Between Long Mode and Legacy Mode . . . . .                  | 611 |
| Table D-1. Feature Flags for Instruction / Instruction Subset Support . . . . .     | 616 |
| Table E-1. CPUID Fn0000_0000_E[D,C,B]X values . . . . .                             | 623 |
| Table E-2. CPUID Fn8000_0000_E[D,C,B]X values . . . . .                             | 640 |
| Table E-3. L1 Cache and TLB Associativity Field Encodings. . . . .                  | 645 |
| Table E-4. L2/L3 Cache and TLB Associativity Field Encoding. . . . .                | 647 |
| Table E-5. LogicalProcessorCount, CmpLegacy, HTT, and NC . . . . .                  | 671 |
| Table F-1. Instruction Effects on RFLAGS . . . . .                                  | 673 |

## Revision History

| Date       | Revision | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| July 2025  | 3.37     | <ul style="list-style-type: none"><li>• Added AVX512 information.</li><li>• Added GET_RMP_ENTRY_ADDR(SYSTEM_PA) function which covers contiguous and segmented RMP tables under Chapter 2.5.3 "Pseudocode Definition" on page 61.</li><li>• Updated SNP instructions pseudo code to use GET_RMP_ENTRY_ADDR.</li><li>• Added MOVDIR64B and MOVDIRI instructions.</li><li>• Added PREFETCHI instructions.</li><li>• Added CPUID information for:<ol style="list-style-type: none"><li>i. AVX512</li><li>ii. MOVDIR64B and MOVDIRI instructions</li><li>iii. PREFETCHI instructions</li><li>iv. Enhanced REP MOVSB/STOSB</li><li>v. x2AVIC Extension</li><li>vi. Segmented RMP</li><li>vii. Guest Intercept Control</li><li>viii. Enhanced RAP Security</li></ol></li><li>• Miscellaneous editorial updates.</li></ul> |
| March 2024 | 3.36     | <p>Chapter 4:</p> <p>Added RMPREAD instruction.</p> <p>Appendix E:</p> <p>Added CPUID information for:</p> <p>Indirect Branch Prediction Barrier on Entry</p> <p>Idle HLT intercept</p> <p>Allowed SEV Features</p> <p>Secure AVIC</p> <p>Performance Monitoring Counter Virtualization</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |

| Date          | Revision | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|---------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| June 2023     | 3.35     | <p>Table 1-1 and Table 1-5: Added the qualification “unless Upper Address Ignore is enabled” to notes stating segment overrides are ignored.</p> <p>Section E.3.6, CPUID Fn0000_0007_ECX_x0 Structured Extended Feature Identifiers (ECX=0) table: Added definition for bit 24.</p> <p>Section E.3.8, “Extended Topology Enumeration” Updated several field names and descriptions.</p> <p>Added Section E.3.12, “Function Fh—PQOS Monitoring (PQM)”.</p> <p>Section E.4.7, “CPUID Fn8000_0008_EBX Extended Feature Identifiers”: Added definitions for bits 30, 27, and 6.</p> <p>Section E.4.9, “CPUID Fn8000_000A_EDX SVM Feature Identification”: Added definitions for bits 27, 28, and 29.</p> <p>Added Section E.4.18, “Function 8000_0020—PQOS Extended Features”.</p> |
| November 2022 | 3.34     | <p>Chapter 4:</p> <p>Added RMPQUERY instruction.</p> <p>Appendix E:</p> <p>Added CPUID Fn8000_0020 - Platform QoS Extended Features</p> <p>Added CPUID Fn8000_0022 - Extended PerformanceMonitoring and Debug</p> <p>Added CPUID Fn8000_0023 - Multi-Key Encrypted Memory Capabilities</p> <p>Added CPUID Fn8000_0026 - Extended CPU Topology.</p> <p>Added CPUID information for new features.</p>                                                                                                                                                                                                                                                                                                                                                                            |
| November 2021 | 3.33     | <p>Added CET exception case to RET FAR pseudo code.</p> <p>Added missing INCSSP exception information.</p> <p>Clarified INVLPG description.</p> <p>Added details to RDPMC description.</p> <p>Corrected exception information for PSMASH, RMPADJUST, RMPUPDATE.</p> <p>Added clarification to TLBSYNC.</p> <p>Added CPUID information for various new features.</p> <p>Corrected opcode map note for PREFETCH encodings.</p>                                                                                                                                                                                                                                                                                                                                                   |

| Date         | Revision | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|--------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| March 2021   | 3.32     | <p>Chapter 1: Updated Instruction Encoding Syntax and An Instruction as Stored in Memory figures.</p> <p>Added content to Summary of Legacy Prefixes section.</p> <p>Chapter 3: Added content Instruction Support Indicated by CPUID Feature Bits table.</p> <p>Added content to LFENCE</p> <p>Updated note 1 in the Legacy Instruction Prefixes table.</p> <p>Chapter 4: Added content to the System Instruction Support Indicated by CPUID Feature Bits table.</p> <p>Added VMGEXIT instruction.</p> <p>Added content to WRMSR instruction.</p> <p>Appendix D: Added content to the Feature Flags for Instruction / Instruction Subset Support table.</p> <p>Appendix E: Updated instructions and added instructions to sections E.3 and E.4: See bold line items.</p>                                                                                      |
| October 2020 | 3.31     | <p>Chapter 2: Added to pseudocode Definition section. Table 2-1: Added content.</p> <p>Chapter 3: Added pseudocode updates.</p> <p>Chapter 4: Added pseudocode updates. Added 8 new instructions. Added INVLPG, TLBSYNC to System Instruction Support Indicated by CPUID Feature Bits table. Updated INVLPG and TLBSYNC description.</p> <p>Appendix A: Instructions encoding clarifications.</p> <p>Appendix D: Added new instructions to Feature Flags for Instruction / Instruction Subset Support table.</p> <p>Appendix E: Added content to CPUID Fn0000_0007_ECX_x0 Structured Extended Feature Identifiers (ECX=0) table and to Function Dh—Processor Extended State Enumeration section. Added content to CPUID Fn8000_0008_EBX Extended Feature Identifiers, CPUID Fn8000_000A_EDX SVM Feature Identification, and CPUID Fn8000_001F_EAX tables.</p> |
| April 2020   | 3.30     | <p>Chapter 4: Updated INVLPG, MOV CRn, and RSM sections.</p> <p>Chapter 4: Added INVLPG, INVPCID, RDPKRU, TLBSYNC, and WRPKRU instructions.</p> <p>Appendix D: Table D-1. Updated table.</p> <p>Appendix E: Updated E.3.6, E.4.7, and E.4.9 sections.</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |

| Date           | Revision | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|----------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| April 2020     | 3.29     | <p>Table 2-1: Added content.</p> <p>Chapter 4: Added PSMASH, PVALIDATE, RMPADJUST, and RMPUPDATE instructions.</p> <p>Appendix A: Table A-6, A-7, and A-8: Updated table.</p> <p>Appendix D: Table D-1: Added content. Removed D.3 section.</p> <p>Appendix E: Material for new features plus clarifications.</p> <p>Appendix F: Table F-1: Added content.</p>                                                                                                                 |
| September 2019 | 3.28     | Added MCOMMIT instruction. Corrected CPUID function 8000_001Dh description.                                                                                                                                                                                                                                                                                                                                                                                                    |
| July 2019      | 3.27     | Added CLWB, RDPID, RDPRU, and WBNOINVD instructions. Corrected functional details of BZHI instruction. Corrected SAHF and LAHF #UD fault details. Corrected RSM reserved-bit behavioral details.                                                                                                                                                                                                                                                                               |
| May 2018       | 3.26     | <p>Modified description of CLFLUSH.</p> <p>Added clarification that MOVD is referred to in some forms as MOVQ.</p> <p>Corrected the operands for VMOVNTDQA.</p> <p>Updated L2/L3 Cache and Associativity tables with new encodings over old reserved encodings</p> <p>Updated CPUID with Nested Virtualization and Virtual GIF indication bits.</p>                                                                                                                            |
| December 2017  | 3.25     | Updated Appendix E.                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| November 2017  | 3.24     | <p>Modified Mem16int in Section 2.5.1 Mnemonic Syntax</p> <p>Corrected Opcode for ADCX and ADOX.</p> <p>Clarified the explanation for Load Far Pointer</p> <p>Modified the Description for CLAC and STAC</p> <p>Added clarification to MWAITX.</p> <p>Added clarifying footnote to Table A-6.</p> <p>Added CPUID flags for new SVM features.</p> <p>Added Bit descriptions for CPUID Fn8000_0008_EBX Reserved</p> <p>Modified SAL1 and SAL count in Appendix F, Table F-1.</p> |

| Date           | Revision | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|----------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| March 2017     | 3.23     | <p>Added CR0.PE, CR0.PE=1, EFER.LME=0 to Conventions and Definitions in the Preface.</p> <p>Modified Note 4 in Table 1-10.</p> <p>Chapter 3:</p> <ul style="list-style-type: none"> <li>Added ADCX, ADOX, CLFLUSHOPT, CLZERO, RDSEED, UD0 and UD1.</li> <li>Modified CALL (Far).</li> <li>Moved UD2 and MONITORX, MWAITX, from Chapter 4.</li> </ul> <p>Chapter 4:</p> <ul style="list-style-type: none"> <li>Modified RDTSC and RDTSCP.</li> <li>Added CLAC and STAC.</li> </ul> <p>Appendix A:</p> <ul style="list-style-type: none"> <li>Modified Table A-7, Group 11.</li> </ul> <p>Appendix D:</p> <ul style="list-style-type: none"> <li>Modified Table D-1 and Added new Feature Flags.</li> </ul> |
| June 2015      | 3.22     | Added MONITORX and MWAITX to Chapter 4.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| October 2013   | 3.21     | <p>Added BMI2 instructions to Chapter 3.</p> <p>Added BZHI to Table F-1 on page 643.</p> <p>Changed CPUID Fn8000_0001_ECX[25] to reserved.</p> <p>Changed CPUID Fn8000_0007_EAX and _EDX[11] to reserved.</p> <p>Added CPUID Fn0000_0006_EDX[ARAT] (bit 2).</p>                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| May 2013       | 3.20     | <p>Updated Appendix D “Instruction Subsets and CPUID Feature Flags” on page 593 to make instruction list comprehensive.</p> <p>Added a new Appendix E “Obtaining Processor Information Via the CPUID Instruction” on page 599 which describes all defined processor feature bits. Supersedes and replaces the <i>CPUID Specification</i> (PID # 25481).</p> <p>Previous Appendix E “Instruction Effects on RFLAGS” renumbered as Appendix F.</p>                                                                                                                                                                                                                                                          |
| September 2012 | 3.19     | Corrected the value specified for the most significant nibble of the encoding for the Pshaw instructions in Table A-28 on page 550.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |

| Date           | Revision | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|----------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| March 2012     | 3.18     | <p>Added MOVBE instruction reference page to Chapter 3 “General-Purpose Instruction Reference” on page 71.</p> <p>Added instruction reference pages for the RDFSBASE/RDGGSBASE and WRFSBASE/WRGGSBASE instructions to Chapter 3.</p> <p>Added opcodes for the instructions to the opcode maps in Appendix</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| December 2011  | 3.17     | <p>Corrected second byte of VEX C5 escape sequence in Figure 1-2 on page 5.</p> <p>Made multiple corrections to the description of register-indirect addressing in Section 1.4 on page 17.</p> <p>Corrected <i>mod</i> field value in third row of Figure 1-16 on page 25.</p> <p>Updated pseudocode definition (see Section 2.5.3 on page 57).</p> <p>Corrected exception tables for LZCNT and TZCNT instructions.</p> <p>Added discussion of UD opcodes to introduction of Appendix A.</p> <p>Provided omitted definition of “B” used in the specification of operand types in opcode maps of Appendix A.</p> <p>Provided numerous corrections to instruction entries in opcode maps of Appendix A.</p> <p>Added ymm register mnemonic to Table A-32 on page 552 and Table A-34 on page 554.</p> <p>Changed notational convention for indicating addressing modes in Table A-33 on page 552, Table A-35 on page 555, Table A-36 on page 557, and Table A-37 on page 558; edited footnotes.</p> |
| September 2011 | 3.16     | <p>Reworked “Instruction Byte Order” section of Chapter 1. See “Instruction Encoding Overview” on page 1.</p> <p>Added clarification: Execution of VMRUN is disallowed while in System Management Mode.</p> <p>Made wording for BMI and TBM feature flag indication consistent with other instructions.</p> <p>Moved BMI and TBM instructions to this volume from Volume 4.</p> <p>Added instruction reference page for CRC32 Instruction.</p> <p>Removed one cause of #GP fault from exception table for LAR and LSL instructions.</p> <p>Added three-byte, VEX, and XOP opcode maps to Appendix A.</p> <p>Revised description of RDPMC instruction.</p> <p>Corrected errors in description of CLFLUSH instruction.</p> <p>Corrected footnote of Table A-35 on page 555.</p>                                                                                                                                                                                                                    |

| Date           | Revision | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|----------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| November 2009  | 3.15     | Clarified MFENCE serializing behavior.<br>Added multibyte variant to “NOP” on page 237.<br>Corrected descriptive text to “CMPXCHG8B CMPXCHG16B” on page 151.                                                                                                                                                                                                                                                                                                                                                              |
| September 2007 | 3.14     | Added minor clarifications and corrected typographical and formatting errors.                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| July 2007      | 3.13     | Added the following instructions: LZCNT, POPCNT, MONITOR, and MWAIT.<br>Reformatted information on instruction support indicated by CPUID feature bits into a table.<br>Added minor clarifications and corrected typographical and formatting errors.                                                                                                                                                                                                                                                                     |
| September 2006 | 3.12     | Added minor clarifications and corrected typographical and formatting errors.                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| December 2005  | 3.11     | Added SVM instructions; added PAUSE instructions; made factual changes.                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| January 2005   | 3.10     | Clarified CPUID information in exception tables on instruction pages. Added information under “CPUID” on page 153. Made numerous small corrections.                                                                                                                                                                                                                                                                                                                                                                       |
| September 2003 | 3.09     | Corrected table of valid descriptor types for LAR and LSL instructions and made several minor formatting, stylistic and factual corrections. Clarified several technical definitions.                                                                                                                                                                                                                                                                                                                                     |
| April 2003     | 3.08     | Corrected description of the operation of flags for RCL, RCR, ROL, and ROR instructions. Clarified description of the MOVSXD and IMUL instructions. Corrected operand specification for the STOS instruction. Corrected opcode of SETcc, Jcc, instructions. Added thermal control and thermal monitoring bits to CPUID instruction. Corrected exception tables for POPF, SFENCE, SUB, XLAT, IRET, LSL, MOV(CRn), SGDT/SIDT, SMSW, and STI instructions. Corrected many small typos and incorporated branding terminology. |

# Preface

## About This Book

This book is part of a multi-volume work entitled the *AMD64 Architecture Programmer's Manual* (APM). This table lists each volume and its order number.

| Title                                                             | Order No. |
|-------------------------------------------------------------------|-----------|
| <i>Volume 1: Application Programming</i>                          | 24592     |
| <i>Volume 2: System Programming</i>                               | 24593     |
| <i>Volume 3: General-Purpose and System Instructions</i>          | 24594     |
| <i>Volume 4: 128-Bit, 256-Bit, and 512-bit Media Instructions</i> | 26568     |
| <i>Volume 5: 64-Bit Media and x87 Floating-Point Instructions</i> | 26569     |

## Audience

This volume (APM Volume 3) is intended for all programmers writing application or system software for a processor that implements the AMD64 architecture. Descriptions of general-purpose instructions assume an understanding of the application-level programming topics described in APM Volume 1. Descriptions of system instructions assume an understanding of the system-level programming topics described in APM Volume 2.

## Organization

APM Volumes 3, 4, and 5 describe the AMD64 architecture's instruction set in detail. Together, they cover each instruction's mnemonic syntax, opcodes, functions, affected flags, and possible exceptions.

The AMD64 instruction set is divided into five subsets:

- General-purpose instructions
- System instructions
- Streaming SIMD Extensions—SSE (includes 128-bit and 256-bit media instructions)
- 64-bit media instructions (MMX™)
- x87 floating-point instructions

Several instructions belong to—and are described identically in—multiple instruction subsets.

This volume describes the general-purpose and system instructions. The index at the end cross-references topics within this volume. For other topics relating to the AMD64 architecture, and for

information on instructions in other subsets, see the tables of contents and indexes of the other APM volumes.

## Conventions and Definitions

The following section **Notational Conventions** describes notational conventions used in this volume and in the remaining APM volumes. This is followed by a **Definitions** section which lists a number of terms used in the manual along with their technical definitions. Finally, the **Registers** section lists the registers which are a part of the application programming model.

### Notational Conventions

#GP(0)

An instruction exception—in this example, a general-protection exception with error code of 0.

1011b

A binary value—in this example, a 4-bit value.

F0EA\_0B02h

A hexadecimal value. Underscore characters may be inserted to improve readability.

128

Numbers without an alpha suffix are decimal unless the context indicates otherwise.

7:4

A bit range, from bit 7 to 4, inclusive. The high-order bit is shown first. Commas may be inserted to indicate gaps.

CPUID FnXXXX\_XXXX\_RRR[*FieldName*]

Support for optional features or the value of an implementation-specific parameter of a processor can be discovered by executing the CPUID instruction on that processor. To obtain this value, software must execute the CPUID instruction with the function code *XXXX\_XXXh* in EAX and then examine the field *FieldName* returned in register *RRR*. If the “*RRR*” notation is followed by “\_xYY”, register ECX must be set to the value *YYh* before executing CPUID. When *FieldName* is not given, the entire contents of register *RRR* contains the desired value. When determining optional feature support, if the bit identified by *FieldName* is set to a one, the feature is supported on that processor.

CR0–CR4

A register range, from register CR0 through CR4, inclusive, with the low-order register first.

CR0[PE], CR0.PE

Notation for referring to a field within a register—in this case, the PE field of the CR0 register.

CR0[PE] = 1, CR0.PE = 1

Notation indicating that the PE bit of the CR0 register has a value of 1.

DS:rSI

The contents of a memory location whose segment address is in the DS register and whose offset relative to that segment is in the rSI register.

EFER[LME] = 0, EFER.LME = 0

Notation indicating that the LME bit of the EFER register has a value of 0.

RFLAGS[13:12]

A field within a register identified by its bit range. In this example, corresponding to the IOPL field.

## Definitions

Many of the following definitions assume an in-depth knowledge of the legacy x86 architecture. See “Related Documents” on page xxxviii for descriptions of the legacy x86 architecture.

128-bit media instructions

Instructions that operate on the various 128-bit vector data types. Supported within both the legacy SSE and extended SSE instruction sets.

256-bit media instructions

Instructions that operate on the various 256-bit vector data types. Supported within the extended SSE instruction set.

512-bit media instructions

Instructions that operate on the various 512-bit vector data types. Supported within the AVX512 extended SSE instruction set.

64-bit media instructions

Instructions that operate on the 64-bit vector data types. These are primarily a combination of MMX™ and 3DNow!™ instruction sets, with some additional instructions from the SSE1 and SSE2 instruction sets.

16-bit mode

Legacy mode or compatibility mode in which a 16-bit address size is active. See *legacy mode* and *compatibility mode*.

32-bit mode

Legacy mode or compatibility mode in which a 32-bit address size is active. See *legacy mode* and *compatibility mode*.

**64-bit mode**

A submode of *long mode*. In 64-bit mode, the default address size is 64 bits and new features, such as register extensions, are supported for system and application software.

**absolute**

Said of a displacement that references the base of a code segment rather than an instruction pointer. Contrast with *relative*.

**biased exponent**

The sum of a floating-point value's exponent and a constant bias for a particular floating-point data type. The bias makes the range of the biased exponent always positive, which allows reciprocation without overflow.

**byte**

Eight bits.

**clear**

To write a bit value of 0. Compare *set*.

**compatibility mode**

A submode of *long mode*. In compatibility mode, the default address size is 32 bits, and legacy 16-bit and 32-bit applications run without modification.

**commit**

To irreversibly write, in program order, an instruction's result to software-visible storage, such as a register (including flags), the data cache, an internal write buffer, or memory.

**CPL**

Current privilege level.

**direct**

Referencing a memory location whose address is included in the instruction's syntax as an immediate operand. The address may be an absolute or relative address. Compare *indirect*.

**dirty data**

Data held in the processor's caches or internal buffers that is more recent than the copy held in main memory.

**displacement**

A signed value that is added to the base of a segment (absolute addressing) or an instruction pointer (relative addressing). Same as *offset*.

**doubleword**

Two words, or four bytes, or 32 bits.

double quadword

Eight words, or 16 bytes, or 128 bits. Also called *octword*.

effective address size

The address size for the current instruction after accounting for the default address size and any address-size override prefix.

effective operand size

The operand size for the current instruction after accounting for the default operand size and any operand-size override prefix.

element

See *vector*.

exception

An abnormal condition that occurs as the result of executing an instruction. The processor's response to an exception depends on the type of the exception. For all exceptions except 128-bit media SIMD floating-point exceptions and x87 floating-point exceptions, control is transferred to the handler (or service routine) for that exception, as defined by the exception's vector. For floating-point exceptions defined by the IEEE 754 standard, there are both masked and unmasked responses. When unmasked, the exception handler is called, and when masked, a default response is provided instead of calling the handler.

flush

An often ambiguous term meaning (1) writeback, if modified, and invalidate, as in “flush the cache line,” or (2) invalidate, as in “flush the pipeline,” or (3) change a value, as in “flush to zero.”

GDT

Global descriptor table.

IDT

Interrupt descriptor table.

IGN

Ignored. Value written is ignored by hardware. Value returned on a read is indeterminate. See *reserved*.

indirect

Referencing a memory location whose address is in a register or other memory location. The address may be an absolute or relative address. Compare *direct*.

IRB

The virtual-8086 mode interrupt-redirection bitmap.

**IST**

The long-mode interrupt-stack table.

**IVT**

The real-address mode interrupt-vector table.

**LDT**

Local descriptor table.

**legacy x86**

The legacy x86 architecture. See “Related Documents” on page xxxviii for descriptions of the legacy x86 architecture.

**legacy mode**

An operating mode of the AMD64 architecture in which existing 16-bit and 32-bit applications and operating systems run without modification. A processor implementation of the AMD64 architecture can run in either *long mode* or *legacy mode*. Legacy mode has three submodes, *real mode*, *protected mode*, and *virtual-8086 mode*.

**LIP**

Linear Instruction Pointer. LIP = (CS.base + rIP).

**long mode**

An operating mode unique to the AMD64 architecture. A processor implementation of the AMD64 architecture can run in either *long mode* or *legacy mode*. Long mode has two submodes, *64-bit mode* and *compatibility mode*.

**lsb**

Least-significant bit.

**LSB**

Least-significant byte.

**main memory**

Physical memory, such as RAM and ROM (but not cache memory) that is installed in a particular computer system.

**mask**

(1) A control bit that prevents the occurrence of a floating-point exception from invoking an exception-handling routine. (2) A field of bits used for a control purpose.

**MBZ**

Must be zero. If software attempts to set an MBZ bit to 1, a general-protection exception (#GP) occurs.

**memory**

Unless otherwise specified, *main memory*.

**ModRM**

A byte following an instruction opcode that specifies address calculation based on mode (Mod), register (R), and memory (M) variables.

**moffset**

A 16, 32, or 64-bit offset that specifies a memory operand directly, without using a ModRM or SIB byte.

**msb**

Most-significant bit.

**MSB**

Most-significant byte.

**multimedia instructions**

A combination of *128-bit media instructions* and *64-bit media instructions*.

**octword**

Same as *double quadword*.

**offset**

Same as *displacement*.

**overflow**

The condition in which a floating-point number is larger in magnitude than the largest, finite, positive or negative number that can be represented in the data-type format being used.

**packed**

See *vector*.

**PAE**

Physical-address extensions.

**physical memory**

Actual memory, consisting of *main memory* and cache.

**probe**

A check for an address in a processor's caches or internal buffers. *External probes* originate outside the processor, and *internal probes* originate within the processor.

**procedure stack**

A portion of a stack segment in memory that is used to link procedures. Also known as a program

stack.

program stack

See procedure stack.

protected mode

A submode of *legacy mode*.

quadword

Four words, or eight bytes, or 64 bits.

RAZ

Read as zero. Value returned on a read is always zero (0) regardless of what was previously written. See *reserved*.

real-address mode

See *real mode*.

real mode

A short name for *real-address mode*, a submode of *legacy mode*.

relative

Referencing with a displacement (also called offset) from an instruction pointer rather than the base of a code segment. Contrast with *absolute*.

reserved

Fields marked as reserved may be used at some future time.

To preserve compatibility with future processors, reserved fields require special handling when read or written by software. Software must not depend on the state of a reserved field (unless qualified as RAZ), nor upon the ability of such fields to return a previously written state.

If a field is marked reserved without qualification, software must not change the state of that field; it must reload that field with the same value returned from a prior read.

Reserved fields may be qualified as IGN, MBZ, RAZ, or SBZ (see definitions).

REX

An instruction prefix that specifies a 64-bit operand size and provides access to additional registers.

RIP-relative addressing

Addressing relative to the 64-bit RIP instruction pointer.

SBZ

Should be zero. An attempt by software to set an SBZ bit to 1 results in undefined behavior.

**shadow stack**

A shadow stack is a separate, protected stack that is conceptually parallel to the procedure stack and used only by the shadow stack feature.

**set**

To write a bit value of 1. Compare *clear*.

**SIB**

A byte following an instruction opcode that specifies address calculation based on scale (S), index (I), and base (B).

**SIMD**

Single instruction, multiple data. See *vector*.

**SSE**

Streaming SIMD extensions instruction set. See *128-bit media instructions* and *64-bit media instructions*.

**SSE2**

Extensions to the SSE instruction set. See *128-bit media instructions* and *64-bit media instructions*.

**SSE3**

Further extensions to the SSE instruction set. See *128-bit media instructions*.

**sticky bit**

A bit that is set or cleared by hardware and that remains in that state until explicitly changed by software.

**TOP**

The x87 top-of-stack pointer.

**TPR**

Task-priority register (CR8).

**TSS**

Task-state segment.

**underflow**

The condition in which a floating-point number is smaller in magnitude than the smallest nonzero, positive or negative number that can be represented in the data-type format being used.

**vector**

(1) A set of integer or floating-point values, called *elements*, that are packed into a single operand. Most of the 128-bit and 64-bit media instructions use vectors as operands. Vectors are also called *packed* or *SIMD* (single-instruction multiple-data) operands.

(2) An index into an interrupt descriptor table (IDT), used to access exception handlers. Compare *exception*.

**virtual-8086 mode**

A submode of *legacy mode*.

**word**

Two bytes, or 16 bits.

**x86**

See *legacy x86*.

## **Registers**

In the following list of registers, the names are used to refer either to a given register or to the contents of that register:

**AH–DH**

The high 8-bit AH, BH, CH, and DH registers. Compare *AL–DL*.

**AL–DL**

The low 8-bit AL, BL, CL, and DL registers. Compare *AH–DH*.

**AL–r15B**

The low 8-bit AL, BL, CL, DL, SIL, DIL, BPL, SPL, and R8B–R15B registers, available in 64-bit mode.

**BP**

Base pointer register.

**CR $n$**

Control register number  $n$ .

**CS**

Code segment register.

**eAX–eSP**

The 16-bit AX, BX, CX, DX, DI, SI, BP, and SP registers or the 32-bit EAX, EBX, ECX, EDX, EDI, ESI, EBP, and ESP registers. Compare *rAX–rSP*.

**EFER**

Extended features enable register.

**eFLAGS**

16-bit or 32-bit flags register. Compare *rFLAGS*.

**EFLAGS**

32-bit (extended) flags register.

**eIP**

16-bit or 32-bit instruction-pointer register. Compare *rIP*.

**EIP**

32-bit (extended) instruction-pointer register.

**FLAGS**

16-bit flags register.

**GDTR**

Global descriptor table register.

**GPRs**

General-purpose registers. For the 16-bit data size, these are AX, BX, CX, DX, DI, SI, BP, and SP. For the 32-bit data size, these are EAX, EBX, ECX, EDX, EDI, ESI, EBP, and ESP. For the 64-bit data size, these include RAX, RBX, RCX, RDX, RDI, RSI, RBP, RSP, and R8–R15.

**IDTR**

Interrupt descriptor table register.

**IP**

16-bit instruction-pointer register.

**LDTR**

Local descriptor table register.

**MSR**

Model-specific register.

**r8–r15**

The 8-bit R8B–R15B registers, or the 16-bit R8W–R15W registers, or the 32-bit R8D–R15D registers, or the 64-bit R8–R15 registers.

**rAX–rSP**

The 16-bit AX, BX, CX, DX, DI, SI, BP, and SP registers, or the 32-bit EAX, EBX, ECX, EDX, EDI, ESI, EBP, and ESP registers, or the 64-bit RAX, RBX, RCX, RDX, RDI, RSI, RBP, and RSP registers. Replace the placeholder *r* with nothing for 16-bit size, “E” for 32-bit size, or “R” for 64-bit size.

**RAX**

64-bit version of the EAX register.

**RBP**

64-bit version of the EBP register.

**RBX**

64-bit version of the EBX register.

**RCX**

64-bit version of the ECX register.

**RDI**

64-bit version of the EDI register.

**RDX**

64-bit version of the EDX register.

**rFLAGS**16-bit, 32-bit, or 64-bit flags register. Compare *RFLAGS*.**RFLAGS**64-bit flags register. Compare *rFLAGS*.**rIP**16-bit, 32-bit, or 64-bit instruction-pointer register. Compare *RIP*.**RIP**

64-bit instruction-pointer register.

**RSI**

64-bit version of the ESI register.

**RSP**

64-bit version of the ESP register.

**SP**

Stack pointer register.

**SS**

Stack segment register.

**SSP**

Shadow-stack pointer register.

**TPR**

Task priority register, a new register introduced in the AMD64 architecture to speed interrupt management.

TR

Task register.

## Endian Order

The x86 and AMD64 architectures address memory using little-endian byte-ordering. Multi-byte values are stored with their least-significant byte at the lowest byte address, and they are illustrated with their least significant byte at the right side. Strings are illustrated in reverse order, because the addresses of their bytes increase from right to left.

## Related Documents

- Peter Abel, *IBM PC Assembly Language and Programming*, Prentice-Hall, Englewood Cliffs, NJ, 1995.
- Rakesh Agarwal, *80x86 Architecture & Programming: Volume II*, Prentice-Hall, Englewood Cliffs, NJ, 1991.
- AMD, *Software Optimization Guide for AMD Family 15h Processors*, order number 47414.
- AMD, *BIOS and Kernel Developer's Guide (BKDG)* for particular hardware implementations of older families of the AMD64 architecture.
- AMD, *Processor Programming Reference (PPR)* for particular hardware implementations of newer families of the AMD64 architecture.
- Don Anderson and Tom Shanley, *Pentium Processor System Architecture*, Addison-Wesley, New York, 1995.
- Nabajyoti Barkakati and Randall Hyde, *Microsoft Macro Assembler Bible*, Sams, Carmel, Indiana, 1992.
- Barry B. Brey, *8086/8088, 80286, 80386, and 80486 Assembly Language Programming*, Macmillan Publishing Co., New York, 1994.
- Barry B. Brey, *Programming the 80286, 80386, 80486, and Pentium Based Personal Computer*, Prentice-Hall, Englewood Cliffs, NJ, 1995.
- Ralf Brown and Jim Kyle, *PC Interrupts*, Addison-Wesley, New York, 1994.
- Penn Brumm and Don Brumm, *80386/80486 Assembly Language Programming*, Windcrest McGraw-Hill, 1993.
- Geoff Chappell, *DOS Internals*, Addison-Wesley, New York, 1994.
- Chips and Technologies, Inc. *Super386 DX Programmer's Reference Manual*, Chips and Technologies, Inc., San Jose, 1992.
- John Crawford and Patrick Gelsinger, *Programming the 80386*, Sybex, San Francisco, 1987.
- Cyrix Corporation, *5x86 Processor BIOS Writer's Guide*, Cyrix Corporation, Richardson, TX, 1995.
- Cyrix Corporation, *M1 Processor Data Book*, Cyrix Corporation, Richardson, TX, 1996.
- Cyrix Corporation, *MX Processor MMX Extension Opcode Table*, Cyrix Corporation, Richardson, TX, 1996.
- Cyrix Corporation, *MX Processor Data Book*, Cyrix Corporation, Richardson, TX, 1997.
- Ray Duncan, *Extending DOS: A Programmer's Guide to Protected-Mode DOS*, Addison Wesley, NY, 1991.
- William B. Giles, *Assembly Language Programming for the Intel 80xxx Family*, Macmillan, New York, 1991.
- Frank van Gilluwe, *The Undocumented PC*, Addison-Wesley, New York, 1994.

- John L. Hennessy and David A. Patterson, *Computer Architecture*, Morgan Kaufmann Publishers, San Mateo, CA, 1996.
- Thom Hogan, *The Programmer's PC Sourcebook*, Microsoft Press, Redmond, WA, 1991.
- Hal Katircioglu, *Inside the 486, Pentium, and Pentium Pro*, Peer-to-Peer Communications, Menlo Park, CA, 1997.
- IBM Corporation, *486SLC Microprocessor Data Sheet*, IBM Corporation, Essex Junction, VT, 1993.
- IBM Corporation, *486SLC2 Microprocessor Data Sheet*, IBM Corporation, Essex Junction, VT, 1993.
- IBM Corporation, *80486DX2 Processor Floating Point Instructions*, IBM Corporation, Essex Junction, VT, 1995.
- IBM Corporation, *80486DX2 Processor BIOS Writer's Guide*, IBM Corporation, Essex Junction, VT, 1995.
- IBM Corporation, *Blue Lightning 486DX2 Data Book*, IBM Corporation, Essex Junction, VT, 1994.
- Institute of Electrical and Electronics Engineers, *IEEE Standard for Binary Floating-Point Arithmetic*, ANSI/IEEE Std 754-1985.
- Institute of Electrical and Electronics Engineers, *IEEE Standard for Radix-Independent Floating-Point Arithmetic*, ANSI/IEEE Std 854-1987.
- Muhammad Ali Mazidi and Janice Gillispie Mazidi, *80X86 IBM PC and Compatible Computers*, Prentice-Hall, Englewood Cliffs, NJ, 1997.
- Hans-Peter Messmer, *The Indispensable Pentium Book*, Addison-Wesley, New York, 1995.
- Karen Miller, *An Assembly Language Introduction to Computer Architecture: Using the Intel Pentium*, Oxford University Press, New York, 1999.
- Stephen Morse, Eric Isaacson, and Douglas Albert, *The 80386/387 Architecture*, John Wiley & Sons, New York, 1987.
- NexGen Inc., *Nx586 Processor Data Book*, NexGen Inc., Milpitas, CA, 1993.
- NexGen Inc., *Nx686 Processor Data Book*, NexGen Inc., Milpitas, CA, 1994.
- Bipin Patwardhan, *Introduction to the Streaming SIMD Extensions in the Pentium III*, [www.x86.org/articles/sse\\_pt1/simd1.htm](http://www.x86.org/articles/sse_pt1/simd1.htm), June, 2000.
- Peter Norton, Peter Aitken, and Richard Wilton, *PC Programmer's Bible*, Microsoft Press, Redmond, WA, 1993.
- *PharLap 386|ASM Reference Manual*, Pharlap, Cambridge MA, 1993.
- *PharLap TNT DOS-Extender Reference Manual*, Pharlap, Cambridge MA, 1995.
- Sen-Cuo Ro and Sheau-Chuen Her, *i386/i486 Advanced Programming*, Van Nostrand Reinhold, New York, 1993.
- Jeffrey P. Royer, *Introduction to Protected Mode Programming*, course materials for an onsite class, 1992.

- Tom Shanley, *Protected Mode System Architecture*, Addison Wesley, NY, 1996.
- SGS-Thomson Corporation, *80486DX Processor SMM Programming Manual*, SGS-Thomson Corporation, 1995.
- Walter A. Triebel, *The 80386DX Microprocessor*, Prentice-Hall, Englewood Cliffs, NJ, 1992.
- John Wharton, *The Complete x86*, MicroDesign Resources, Sebastopol, California, 1994.

# 1 Instruction Encoding

AMD64 technology instructions are encoded as byte strings of variable length. The order and meaning of each byte of an instruction's encoding is specified by the architecture. Fields within the encoding specify the instruction's basic operation, the location of the one or more source operands, and the destination of the result of the operation. Data to be used in the execution of the instruction or the computation of addresses for memory-based operands may also be included. This section describes the general format and parameters used by all instructions.

For information on the specific encoding(s) for each instruction, see:

- Chapter 3, “General-Purpose Instruction Reference.”
- Chapter 4, “System Instruction Reference.”
- “SSE Instruction Reference” in APM Volume 4.
- “64-Bit Media Instruction Reference” in APM Volume 5.
- “x87 Floating-Point Instruction Reference” in APM Volume 5.

For information on determining the instruction form and operands specified by a given binary encoding, see Appendix A, “Opcode and Operand Encodings”.

## 1.1 Instruction Encoding Overview

An instruction is encoded as a string between one and 15 bytes in length. The entire sequence of bytes that represents an instruction, including the basic operation, the location of source and destination operands, any operation modifiers, and any immediate and/or displacement values, is called the instruction encoding. The following sections discuss instruction encoding syntax and representation in memory.

### 1.1.1 Encoding Syntax

Figure 1-1 provides a schematic representation of the encoding syntax of an instruction.



**Figure 1-1. Instruction Encoding Syntax**

Each square in the Figure 1-1 diagram represents an instruction byte of a particular type and function. To understand the diagram, follow the connecting paths in the direction indicated by the arrows from Start to End. The squares passed through as the graph is traversed indicate the order and number of

bytes used to encode the instruction. Note that the path shown above the legacy prefix byte loops back indicating that up to four additional prefix bytes may be used in the encoding of a single instruction. Branches indicate points in the syntax where alternate semantics are employed based on the instruction being encoded. The “VEX or XOP” gate across the path leading down to the VEX prefix and XOP prefix blocks means that only extended instructions employing the VEX or XOP prefixes use this particular branch of the syntax diagram. This diagram will be further explained in the sections that follow.

### 1.1.1.1 Legacy Prefixes

As shown in the figure, an instruction optionally begins with up to five *legacy prefixes*. These prefixes are described in “Summary of Legacy Prefixes” on page 6. The legacy prefixes modify an instruction’s default address size, operand size, or segment, or they invoke a special function such as modification of the opcode, atomic bus-locking, or repetition.

In the encoding of most SSE instructions, a legacy operand-size or repeat prefix is repurposed to modify the opcode. For the extended encodings utilizing the XOP or VEX prefixes, these prefixes are not allowed.

### 1.1.1.2 REX Prefix

Following the optional legacy prefix or prefixes, the REX prefix can be used in 64-bit mode to access the AMD64 register number and size extensions. Refer to the diagram in “Application-Programming Register Set” in APM Volume 1 for an illustration of these facilities. If a REX prefix is used, it must immediately precede the opcode byte or the first byte of a legacy *escape sequence*. The REX prefix is not allowed in extended instruction encodings using the VEX, XOP, or EVEX encoding escape prefixes. Violating this restriction results in an #UD exception.

### 1.1.1.3 Opcode

The *opcode* is a single byte that specifies the basic operation of an instruction. Every instruction requires an opcode. The correspondence between the binary value of an opcode and the operation it represents is presented in a table called an *opcode map*. Because it is indexed by an 8-bit value, an opcode map has 256 entries. Since there are more than 256 instructions defined by the architecture, multiple different opcode maps must be defined and the selection of these alternate opcode maps must be encoded in the instruction. Escape sequences provide this access to alternate opcode maps.

If there are no opcode escapes, the primary (“one-byte”) opcode map is used. In the figure this is the path pointing from the REX Prefix block to the Primary opcode map block.

Section “Primary Opcode Map” of Appendix A provides details concerning this opcode map.

### 1.1.1.4 Escape Sequences

Escape sequences allow access to alternate opcode maps that are distinct from the primary opcode map. Escape sequences may be one, two, or three bytes in length and begin with a unique byte value designated for this purpose in the primary opcode map. Escape sequences are of two distinct types: legacy escape sequences and extended escape sequences. The legacy escape sequences will be covered

here. For more details on the extended escape sequences, see “VEX, XOP, and EVEX Prefixes” on page 16.

## Legacy Escape Sequences

The legacy syntax allows one 1-byte escape sequence (0Fh), and three 2-byte escape sequences (0Fh, 0Fh; 0Fh, 38h; and 0Fh, 3Ah). The 1-byte legacy escape sequence 0Fh selects the secondary (“two-byte”) opcode map. In legacy terminology, the sequence [0Fh, *opcode*] is called a two-byte opcode. See “Secondary Opcode Map” of Appendix A for details concerning this opcode map.

The 2-byte escape sequence 0F, 0Fh selects the 3DNow! opcode map which is indexed using an immediate byte rather than an opcode byte. In this case, the byte following the escape sequence is the ModRM byte instead of the opcode byte. In Figure 1-1 this is indicated by the path labeled “3DNow!” leaving the second 0Fh escape block. Details concerning the 3DNow! opcode map are presented in Section A.1.2, “3DNow!<sup>TM</sup> Opcodes” of Appendix A.

The 2-byte escape sequences [0Fh, 38h] and [0Fh, 3Ah] respectively select the 0F\_38h opcode map and the 0F\_3Ah opcode map. These are used primarily to encode SSE instructions and are described in “0F\_38h and 0F\_3Ah Opcode Maps” of Appendix A.

### 1.1.1.5 ModRM and SIB Bytes

The opcode can be followed by a *mode-register-memory* (ModRM) byte, which further describes the operation and/or operands. The ModRM byte may also be followed by a *scale-index-base* (SIB) byte, which is used to specify indexed register-indirect forms of memory addressing. The ModRM and SIB bytes are described in “ModRM Byte Format” on page 17. Their legacy functions can be augmented by the REX prefix (see “REX Prefix” on page 14) or the VEX and XOP escape sequences (See “VEX, XOP, and EVEX Prefixes” on page 16).

### 1.1.1.6 Displacement and Immediate Fields

The instruction encoding may end with a 1-, 2-, or 4-byte *displacement* field and/or a 1-, 2-, or 4-byte *immediate* field depending on the instruction and/or the addressing mode. Specific instructions also allow either an 8-byte immediate field or an 8-byte displacement field.

## 1.1.2 Representation in Memory

Instructions are stored in memory in little-endian order. The first byte of an instruction is stored at the lowest memory address, as shown in Figure 1-2 below. Since instructions are strings of bytes, they may start at any memory address. The total instruction length must be less than or equal to 15. If this limit is exceeded, a general-protection exception results.



**Figure 1-2. An Instruction as Stored in Memory**

## 1.2 Instruction Prefixes

Instruction prefixes are of two types: *instruction modifier* prefixes and *encoding escape* prefixes. Instruction modifier prefixes can change the operation of the instruction (including causing its execution to repeat), change its operand types, specify an alternate operand size, augment register specification, or even change the interpretation of the opcode byte.

The instruction modifier prefixes comprise the legacy prefixes and the REX prefix. The legacy prefixes are discussed in the next section. The REX prefix is discussed in “REX Prefix” on page 14.

Encoding escape prefixes, on the other hand, signal that the two or three bytes that follow obey a different encoding syntax. As a group, the encoding escape prefix and its subsequent bytes constitute a multi-byte escape sequence. These multi-byte escape sequences perform functions similar to that of

the instruction modifier prefixes, but they also provide a means to directly specify alternate opcode maps.

The currently defined encoding escape prefixes are the VEX, XOP, and EVEX prefixes. They are discussed further in the section entitled “VEX, XOP, and EVEX Prefixes” on page 16.

### 1.2.1 Summary of Legacy Prefixes

Table 1-1 on page 7 shows the legacy prefixes. The legacy prefixes are organized into five groups, as shown in the left-most column of Table 1-1. An instruction encoding may include a maximum of one prefix from each of the five groups. The legacy prefixes can appear in any order within the position shown in Figure 1-1 for legacy prefixes. The result of using multiple prefixes from a single group is undefined.

Some of the restrictions on legacy prefixes are:

- *Operand-Size Override*—This prefix only affects the operand size for general-purpose instructions or for other instructions whose source or destination is a general-purpose register. When used in the encoding of SIMD and some other instructions, this prefix is repurposed to modify the opcode.
- *Address-Size Override*—This prefix only affects the address size of memory operands.
- *Segment Override*—In 64-bit mode, the CS, DS, ES, and SS segment override prefixes are ignored.
- *LOCK Prefix*—This prefix is allowed only with certain instructions that modify memory.
- *Repeat Prefixes*—These prefixes affect only certain string instructions. When used in the encoding of SIMD and some other instructions, these prefixes are repurposed to modify the opcode.

Note that Lock and Repeat prefixes are in effect mutually exclusive when used as instruction modifiers, in that there are no instructions for which both are meaningful.

**Table 1-1. Legacy Instruction Prefixes**

| <b>Prefix Group<sup>1</sup></b>                                                                                                                                                                                                                                      | <b>Mnemonic</b> | <b>Prefix Byte (Hex)</b> | <b>Description</b>                                                                                                                         |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Operand-Size Override                                                                                                                                                                                                                                                | none            | 66 <sup>2</sup>          | Changes the default operand size of a memory or register operand, as shown in Table 1-2 on page 8.                                         |
| Address-Size Override                                                                                                                                                                                                                                                | none            | 67 <sup>3</sup>          | Changes the default address size of a memory operand, as shown in Table 1-3 on page 9.                                                     |
| Segment Override                                                                                                                                                                                                                                                     | CS              | 2E <sup>4</sup>          | Forces use of the current CS segment for memory operands.                                                                                  |
|                                                                                                                                                                                                                                                                      | DS              | 3E <sup>4</sup>          | Forces use of the current DS segment for memory operands.                                                                                  |
|                                                                                                                                                                                                                                                                      | ES              | 26 <sup>4</sup>          | Forces use of the current ES segment for memory operands.                                                                                  |
|                                                                                                                                                                                                                                                                      | FS              | 64                       | Forces use of the current FS segment for memory operands.                                                                                  |
|                                                                                                                                                                                                                                                                      | GS              | 65                       | Forces use of the current GS segment for memory operands.                                                                                  |
|                                                                                                                                                                                                                                                                      | SS              | 36 <sup>4</sup>          | Forces use of the current SS segment for memory operands.                                                                                  |
| Lock                                                                                                                                                                                                                                                                 | LOCK            | F0 <sup>5</sup>          | Causes certain kinds of memory read-modify-write instructions to occur atomically.                                                         |
| Repeat                                                                                                                                                                                                                                                               | REP             | F3 <sup>6</sup>          | Repeats a string operation (INS, MOVS, OUTS, LODS, and STOS) until the rCX register equals 0.                                              |
|                                                                                                                                                                                                                                                                      | REPE or REPZ    |                          | Repeats a compare-string or scan-string operation (CMPSx and SCASx) until the rCX register equals 0 or the zero flag (ZF) is cleared to 0. |
|                                                                                                                                                                                                                                                                      | REPNE or REPNZ  | F2 <sup>6</sup>          | Repeats a compare-string or scan-string operation (CMPSx and SCASx) until the rCX register equals 0 or the zero flag (ZF) is set to 1.     |
| <b>Notes:</b>                                                                                                                                                                                                                                                        |                 |                          |                                                                                                                                            |
| 1. A single instruction should include no more than one prefix from each of the Override prefix groups plus either a Lock or Repeat prefix, when used as instruction modifiers.                                                                                      |                 |                          |                                                                                                                                            |
| 2. When used in the encoding of SIMD and some other instructions, this prefix is repurposed to extend the opcode. The prefix is ignored by 64-bit media floating-point (3DNow!™) instructions. See “Instructions that Cannot Use the Operand-Size Prefix” on page 8. |                 |                          |                                                                                                                                            |
| 3. This prefix also changes the size of the RCX register when used as an implied count register.                                                                                                                                                                     |                 |                          |                                                                                                                                            |
| 4. In 64-bit mode, the CS, DS, ES, and SS segment overrides are ignored unless Upper Address Ignore is enabled.                                                                                                                                                      |                 |                          |                                                                                                                                            |
| 5. The LOCK prefix should not be used for instructions other than those listed in “Lock Prefix” on page 11.                                                                                                                                                          |                 |                          |                                                                                                                                            |
| 6. This prefix should be used only with compare-string and scan-string instructions. When used in the encoding of SIMD and some other instructions, the prefix is repurposed to extend the opcode.                                                                   |                 |                          |                                                                                                                                            |

## 1.2.2 Operand-Size Override Prefix

The default operand size for an instruction is determined by a combination of its opcode, the D (default) bit in the current code-segment descriptor, and the current operating mode, as shown in Table 1-2. The operand-size override prefix (66h) selects the non-default operand size. The prefix can

be used with any general-purpose instruction that accesses non-fixed-size operands in memory or general-purpose registers (GPRs), and it can also be used with the x87 FLDENV, FNSTENV, FNSAVE, and FRSTOR instructions.

In 64-bit mode, the prefix allows mixing of 16-bit, 32-bit, and 64-bit data on an instruction-by-instruction basis. In compatibility and legacy modes, the prefix allows mixing of 16-bit and 32-bit operands on an instruction-by-instruction basis.

**Table 1-2. Operand-Size Overrides**

| Operating Mode   |                                                            | Default Operand Size (Bits) | Effective Operand Size (Bits) | Instruction Prefix <sup>1</sup> |                    |
|------------------|------------------------------------------------------------|-----------------------------|-------------------------------|---------------------------------|--------------------|
|                  |                                                            |                             |                               | 66h                             | REX.W <sup>3</sup> |
| <b>Long Mode</b> | <b>64-Bit Mode</b>                                         | 32 <sup>2</sup>             | 64                            | don't care                      | yes                |
|                  |                                                            |                             | 32                            | no                              | no                 |
|                  |                                                            |                             | 16                            | yes                             | no                 |
|                  | <b>Compatibility Mode</b>                                  | 32                          | 32                            | no                              | Not Applicable     |
|                  |                                                            |                             | 16                            | yes                             |                    |
|                  |                                                            | 16                          | 32                            | yes                             |                    |
|                  |                                                            |                             | 16                            | no                              |                    |
|                  | <b>Legacy Mode (Protected, Virtual-8086, or Real Mode)</b> | 32                          | 32                            | no                              |                    |
|                  |                                                            |                             | 16                            | yes                             |                    |
|                  |                                                            | 16                          | 32                            | yes                             |                    |
|                  |                                                            |                             | 16                            | no                              |                    |

**Notes:**

1. A “no” indicates that the default operand size is used.
2. This is the typical default, although some instructions default to other operand sizes. See Appendix B, “General-Purpose Instructions in 64-Bit Mode,” for details.
3. See “REX Prefix” on page 14.

In 64-bit mode, most instructions default to a 32-bit operand size. For these instructions, a REX prefix (page 14) can specify a 64-bit operand size, and a 66h prefix specifies a 16-bit operand size. The REX prefix takes precedence over the 66h prefix. However, if an instruction defaults to a 64-bit operand size, it does not need a REX prefix and it can only be overridden to a 16-bit operand size. It cannot be overridden to a 32-bit operand size, because there is no 32-bit operand-size override prefix in 64-bit mode. Two groups of instructions have a default 64-bit operand size in 64-bit mode:

- Near branches. For details, see “Near Branches in 64-Bit Mode” in APM Volume 1.
- All instructions, except far branches, that implicitly reference the RSP. For details, see “Stack Operation” in APM Volume 1.

**Instructions that Cannot Use the Operand-Size Prefix.** The operand-size prefix should be used only with general-purpose instructions and the x87 FLDENV, FNSTENV, FNSAVE, and FRSTOR

instructions, in which the prefix selects between 16-bit and 32-bit operand size. The prefix is ignored by all other x87 instructions and by 64-bit media floating-point (3DNow!™) instructions.

For other instructions (mostly SIMD instructions) the 66h, F2h, and F3h prefixes are used as opcode extensions to extend the instruction encoding space in the 0Fh, 0F\_38h, and 0F\_3Ah opcode maps.

**Operand-Size and REX Prefixes.** The W bit field of the REX prefix takes precedence over the 66h prefix. See “REX.W: Operand width (Bit 3)” on page 23 for details.

### 1.2.3 Address-Size Override Prefix

The default address size for instructions that access non-stack memory is determined by the current operating mode, as shown in Table 1-3. The address-size override prefix (67h) selects the non-default address size. Depending on the operating mode, this prefix allows mixing of 16-bit and 32-bit, or of 32-bit and 64-bit addresses, on an instruction-by-instruction basis. The prefix changes the address size for memory operands. It also changes the size of the RCX register for instructions that use RCX implicitly.

For instructions that implicitly access the stack segment (SS), the address size for stack accesses is determined by the D (default) bit in the stack-segment descriptor. In 64-bit mode, the D bit is ignored, and all stack references have a 64-bit address size. However, if an instruction accesses both stack and non-stack memory, the address size of the non-stack access is determined as shown in Table 1-3.

**Table 1-3. Address-Size Overrides**

| Operating Mode                                             |                                                        | Default Address Size (Bits) | Effective Address Size (Bits) | Address-Size Prefix (67h) <sup>1</sup> Required? |  |  |
|------------------------------------------------------------|--------------------------------------------------------|-----------------------------|-------------------------------|--------------------------------------------------|--|--|
| Long Mode                                                  | 64-Bit Mode                                            | 64                          | 64                            | no                                               |  |  |
|                                                            |                                                        |                             | 32                            | yes                                              |  |  |
|                                                            | Compatibility Mode                                     | 32                          | 32                            | no                                               |  |  |
|                                                            |                                                        |                             | 16                            | yes                                              |  |  |
|                                                            |                                                        | 16                          | 32                            | yes                                              |  |  |
|                                                            |                                                        |                             | 16                            | no                                               |  |  |
|                                                            | Legacy Mode<br>(Protected, Virtual-8086, or Real Mode) | 32                          | 32                            | no                                               |  |  |
|                                                            |                                                        |                             | 16                            | yes                                              |  |  |
|                                                            |                                                        | 16                          | 32                            | yes                                              |  |  |
|                                                            |                                                        |                             | 16                            | no                                               |  |  |
| <b>Notes:</b>                                              |                                                        |                             |                               |                                                  |  |  |
| 1. A “no” indicates that the default address size is used. |                                                        |                             |                               |                                                  |  |  |

As Table 1-3 shows, the default address size is 64 bits in 64-bit mode. The size can be overridden to 32 bits, but 16-bit addresses are not supported in 64-bit mode. In compatibility and legacy modes, the default address size is 16 bits or 32 bits, depending on the operating mode (see “Processor

Initialization and Long Mode Activation” in APM Volume 2 for details). In these modes, the address-size prefix selects the non-default size, but the 64-bit address size is not available.

Certain instructions reference pointer registers or count registers implicitly, rather than explicitly. In such instructions, the address-size prefix affects the size of such addressing and count registers, just as it does when such registers are explicitly referenced. Table 1-4 lists all such instructions and the registers referenced using the three possible address sizes.

**Table 1-4. Pointer and Count Registers and the Address-Size Prefix**

| Instruction                                                  | Pointer or Count Register |                     |                     |
|--------------------------------------------------------------|---------------------------|---------------------|---------------------|
|                                                              | 16-Bit Address Size       | 32-Bit Address Size | 64-Bit Address Size |
| <b>CMPS, CMPSB, CMPSW,<br/>CMPSD, CMPSQ</b> —Compare Strings | SI, DI, CX                | ESI, EDI, ECX       | RSI, RDI, RCX       |
| <b>INS, INSB, INSW, INSD</b> —Input String                   | DI, CX                    | EDI, ECX            | RDI, RCX            |
| <b>JCXZ, JECXZ, JRCXZ</b> —Jump on CX/ECX/RCX Zero           | CX                        | ECX                 | RCX                 |
| <b>LODS, LODSB, LODSW,<br/>LODSD, LODSQ</b> —Load String     | SI, CX                    | ESI, ECX            | RSI, RCX            |
| <b>LOOP, LOOPE, LOOPNZ,<br/>LOOPNE, LOOPZ</b> —Loop          | CX                        | ECX                 | RCX                 |
| <b>MOVS, MOVSB, MOVSW,<br/>MOVSD, MOVSQ</b> —Move String     | SI, DI, CX                | ESI, EDI, ECX       | RSI, RDI, RCX       |
| <b>OUTS, OUTSB, OUTSW,<br/>OUTSD</b> —Output String          | SI, CX                    | ESI, ECX            | RSI, RCX            |
| <b>REP, REPE, REPNE, REPNZ,<br/>REPZ</b> —Repeat Prefixes    | CX                        | ECX                 | RCX                 |
| <b>SCAS, SCASB, SCASW,<br/>SCASD, SCASQ</b> —Scan String     | DI, CX                    | EDI, ECX            | RDI, RCX            |
| <b>STOS, STOSB, STOSW,<br/>STOSD, STOSQ</b> —Store String    | DI, CX                    | EDI, ECX            | RDI, RCX            |
| <b>XLAT, XLATB</b> —Table Look-up Translation                | BX                        | EBX                 | RBX                 |

#### 1.2.4 Segment-Override Prefixes

Segment overrides can be used only with instructions that reference non-stack memory. Most instructions that reference memory are encoded with a ModRM byte (page 17). The default segment

for such memory-referencing instructions is implied by the base register indicated in its ModRM byte, as follows:

- *Instructions that Reference a Non-Stack Segment*—If an instruction encoding references any base register other than rBP or rSP, or if an instruction contains an immediate offset, the default segment is the data segment (DS). These instructions can use the segment-override prefix to select one of the non-default segments, as shown in Table 1-5.
- *String Instructions*—String instructions reference two memory operands. By default, they reference both the DS and ES segments (DS:rSI and ES:rDI). These instructions can override their DS-segment reference, as shown in Table 1-5, but they cannot override their ES-segment reference.
- *Instructions that Reference the Stack Segment*—If an instruction’s encoding references the rBP or rSP base register, the default segment is the stack segment (SS). All instructions that reference the stack (push, pop, call, interrupt, return from interrupt) use SS by default. These instructions cannot use the segment-override prefix.

**Table 1-5. Segment-Override Prefixes**

| Mnemonic        | Prefix Byte (Hex) | Description                                           |
|-----------------|-------------------|-------------------------------------------------------|
| CS <sup>1</sup> | 2E                | Forces use of current CS segment for memory operands. |
| DS <sup>1</sup> | 3E                | Forces use of current DS segment for memory operands. |
| ES <sup>1</sup> | 26                | Forces use of current ES segment for memory operands. |
| FS              | 64                | Forces use of current FS segment for memory operands. |
| GS              | 65                | Forces use of current GS segment for memory operands. |
| SS <sup>1</sup> | 36                | Forces use of current SS segment for memory operands. |

**Notes:**

1. In 64-bit mode, the CS, DS, ES, and SS segment overrides are ignored unless Upper Address Ignore is enabled.

**Segment Overrides in 64-Bit Mode.** In 64-bit mode, the CS, DS, ES, and SS segment-override prefixes have no effect. These four prefixes are not treated as segment-override prefixes for the purposes of multiple-prefix rules. Instead, they are treated as null prefixes.

The FS and GS segment-override prefixes are treated as true segment-override prefixes in 64-bit mode. Use of the FS or GS prefix causes their respective segment bases to be added to the effective address calculation. See “FS and GS Registers in 64-Bit Mode” in APM Volume 2 for details.

### 1.2.5 Lock Prefix

The LOCK prefix causes certain kinds of memory read-modify-write instructions to occur atomically. The mechanism for doing so is implementation-dependent (for example, the mechanism may involve bus signaling or packet messaging between the processor and a memory controller). The prefix is intended to give the processor exclusive use of shared memory in a multiprocessor system.

The LOCK prefix can only be used with forms of the following instructions that write a memory operand: ADC, ADD, AND, BTC, BTR, BTS, CMPXCHG, CMPXCHG8B, CMPXCHG16B, DEC, INC, NEG, NOT, OR, SBB, SUB, XADD, XCHG, and XOR. An invalid-opcode exception occurs if the LOCK prefix is used with any other instruction.

### 1.2.6 Repeat Prefixes

The repeat prefixes cause repetition of certain instructions that load, store, move, input, or output strings. The prefixes should only be used with such string instructions. Two pairs of repeat prefixes, REPE/REPZ and REPNE/REPNZ, perform the same repeat functions for certain compare-string and scan-string instructions. The repeat function uses rCX as a count register. The size of rCX is based on address size, as shown in Table 1-4 on page 10.

**REP.** The REP prefix repeats its associated string instruction the number of times specified in the counter register (rCX). It terminates the repetition when the value in rCX reaches 0. The prefix can be used with the INS, LODS, MOVS, OUTS, and STOS instructions. Table 1-6 shows the valid REP prefix opcodes.

**Table 1-6. REP Prefix Opcodes**

| Mnemonic                                                                        | Opcode |
|---------------------------------------------------------------------------------|--------|
| REP INS <i>reg/mem8</i> , DX<br>REP INSB                                        | F3 6C  |
| REP INS <i>reg/mem16/32</i> , DX<br>REP INSW<br>REP INSD                        | F3 6D  |
| REP LODS <i>mem8</i><br>REP LODSB                                               | F3 AC  |
| REP LODS <i>mem16/32/64</i><br>REP LODSW<br>REP LODSD<br>REP LODSQ              | F3 AD  |
| REP MOVS <i>mem8, mem8</i><br>REP MOVSB                                         | F3 A4  |
| REP MOVS <i>mem16/32/64, mem16/32/64</i><br>REP MOVSW<br>REP MOVSD<br>REP MOVSQ | F3 A5  |
| REP OUTS DX, <i>reg/mem8</i><br>REP OUTSB                                       | F3 6E  |

**Table 1-6. REP Prefix Opcodes (continued)**

| Mnemonic                         | Opcode |
|----------------------------------|--------|
| REP OUTS DX, <i>reg/mem16/32</i> |        |
| REP OUTSW                        | F3 6F  |
| REP OUTSD                        |        |
| REP STOS <i>mem8</i>             |        |
| REP STOSB                        | F3 AA  |
| REP STOS <i>mem16/32/64</i>      |        |
| REP STOSW                        |        |
| REP STOSD                        | F3 AB  |
| REP STOSQ                        |        |

**REPE and REPZ.** REPE and REPZ are synonyms and have identical opcodes. These prefixes repeat their associated string instruction the number of times specified in the counter register (rCX). The repetition terminates when the value in rCX reaches 0 or when the zero flag (ZF) is cleared to 0. The REPE and REPZ prefixes can be used with the CMPS, CMPSB, CMPSD, CMPSW, SCAS, SCASB, SCASD, and SCASW instructions. Table 1-7 shows the valid REPE and REPZ prefix opcodes.

**Table 1-7. REPE and REPZ Prefix Opcodes**

| Mnemonic                                  | Opcode |
|-------------------------------------------|--------|
| REPx CMPS <i>mem8, mem8</i>               |        |
| REPx CMPSB                                | F3 A6  |
| REPx CMPS <i>mem16/32/64, mem16/32/64</i> |        |
| REPx CMPSW                                |        |
| REPx CMPSD                                | F3 A7  |
| REPx CMPSQ                                |        |
| REPx SCAS <i>mem8</i>                     |        |
| REPx SCASB                                | F3 AE  |
| REPx SCAS <i>mem16/32/64</i>              |        |
| REPx SCASW                                |        |
| REPx SCASD                                | F3 AF  |
| REPx SCASQ                                |        |

**REPNE and REPNZ.** REPNE and REPNZ are synonyms and have identical opcodes. These prefixes repeat their associated string instruction the number of times specified in the counter register (rCX). The repetition terminates when the value in rCX reaches 0 or when the zero flag (ZF) is set to 1. The REPNE and REPNZ prefixes can be used with the CMPS, CMPSB, CMPSD, CMPSW, SCAS, SCASB, SCASD, and SCASW instructions. Table 1-8 on page 14 shows the valid REPNE and REPNZ prefix opcodes.

**Table 1-8. REPNE and REPNZ Prefix Opcodes**

| Mnemonic                                                | Opcode |
|---------------------------------------------------------|--------|
| REP <sup>N</sup> x CMPS <i>mem8, mem8</i>               | F2 A6  |
| REP <sup>N</sup> x CMPSB                                |        |
| REP <sup>N</sup> x CMPS <i>mem16/32/64, mem16/32/64</i> | F2 A7  |
| REP <sup>N</sup> x CMPSW                                |        |
| REP <sup>N</sup> x CMPSD                                |        |
| REP <sup>N</sup> x CMPSQ                                |        |
| REP <sup>N</sup> x SCAS <i>mem8</i>                     | F2 AE  |
| REP <sup>N</sup> x SCASB                                |        |
| REP <sup>N</sup> x SCAS <i>mem16/32/64</i>              | F2 AF  |
| REP <sup>N</sup> x SCASW                                |        |
| REP <sup>N</sup> x SCASD                                |        |
| REP <sup>N</sup> x SCASQ                                |        |

**Instructions that Cannot Use Repeat Prefixes.** In general, the repeat prefixes should only be used in the string instructions listed in tables 1-6, 1-7, and 1-8 above. For other instructions (mostly SIMD instructions) the 66h, F2h, and F3h prefixes are used as instruction modifiers to extend the instruction encoding space in the 0Fh, 0F\_38h, and 0F\_3Ah opcode maps.

**Optimization of Repeats.** Depending on the hardware implementation, the repeat prefixes can have a setup overhead. If the repeated count is variable, the overhead can sometimes be avoided by substituting a simple loop to move or store the data. Repeated string instructions can be expanded into equivalent sequences of in-line loads and stores or a sequence of stores can be used to emulate a REP STOS.

For repeated string moves, performance can be maximized by moving the largest possible operand size. For example, use REP MOVSD rather than REP MOVSW and REP MOVSW rather than REP MOVSB. Use REP STOSD rather than REP STOSW and REP STOSW rather than REP MOVSB.

Depending on the hardware implementation, string moves with the direction flag (DF) cleared to 0 (up) may be faster than string moves with DF set to 1 (down). DF = 1 is only needed for certain cases of overlapping REP MOVS, such as when the source and the destination overlap.

### 1.2.7 REX Prefix

The REX prefix, available in 64-bit mode, enables use of the AMD64 register and operand size extensions. Unlike the legacy instruction modification prefixes, REX is not a single unique value, but occupies a range (40h to 4Fh). Figure 1-1 on page 2 shows how the REX prefix fits within the encoding syntax of instructions.

The REX prefix enables the following features in 64-bit mode:

- Use of the extended GPR (Figure 2-3 on page 43) and YMM/XMM registers (Figure 2-8 on page 48).

- Use of the 64-bit operand size when accessing GPRs.
- Use of the extended control and debug registers, as described in Section 2.4 “Registers” in APM Volume 2.
- Use of the uniform byte registers (AL–R15).

REX contains five fields. The upper nibble is unique to the REX prefix and identifies it is as such. The lower nibble is divided into four 1-bit fields (W, R, X, and B). See below for a discussion of these fields. Figure 1-3 below shows the format of the REX prefix. Since each bit of the lower nibble can be a 1 or a 0, REX spans one full row of the primary opcode map occupying entries 40h through 4Fh.



**Figure 1-3. REX Prefix Format**

A REX prefix is normally required with an instruction that accesses a 64-bit GPR or one of the extended GPR or YMM/XMM registers. A few instructions have an operand size that defaults to (or is fixed at) 64 bits in 64-bit mode, and thus do not need a REX prefix. These instructions are listed in Table 1-9 below.

**Table 1-9. Instructions Not Requiring REX Prefix in 64-Bit Mode**

|             |                       |
|-------------|-----------------------|
| CALL (Near) | POP reg/mem           |
| ENTER       | POP reg               |
| Jcc         | POP FS                |
| JrCXZ       | POP GS                |
| JMP (Near)  | POPF, POPFD, POPFQ    |
| LEAVE       | PUSH imm8             |
| LGDT        | PUSH imm32            |
| LIDT        | PUSH reg/mem          |
| LLDT        | PUSH reg              |
| LOOP        | PUSH FS               |
| LOOPcc      | PUSH GS               |
| LTR         | PUSHF, PUSHFD, PUSHFQ |
| MOV CR $n$  | RET (Near)            |
| MOV DR $n$  |                       |

An instruction may have only one REX prefix which must immediately precede the opcode or first escape byte in the instruction encoding. The use of a REX prefix in an instruction that does not access an extended register is ignored. The instruction-size limit of 15 bytes applies to instructions that contain a REX prefix.

## Implications for INC and DEC Instructions

The REX prefix values are taken from the 16 single-byte INC and DEC instructions, one for each of the eight legacy GPRs. Therefore, these single-byte opcodes for INC and DEC are not available in 64-bit mode, although they are available in legacy and compatibility modes. The functionality of these INC and DEC instructions is still available in 64-bit mode, however, using the ModRM forms of those instructions (opcodes FF /0 and FF /1).

### 1.2.8 VEX, XOP, and EVEX Prefixes

The extended instruction encoding syntax, available in protected and long modes, provides one two-byte and three three-byte escape sequences introduced by either the VEX or XOP prefixes. These multi-byte sequences not only select opcode maps, they also provide instruction modifiers similar to, but in lieu of, the REX prefix.

The two-byte escape sequence initiated by the VEX C5h prefix implies a map\_select encoding of 1. The three-byte escape sequences, initiated by the VEX C4h prefix or the XOP (8Fh) prefix, select the target opcode map explicitly via the VEX/XOP.map\_select field. The five-bit VEX.map\_select field allows the selection of one of 31 different opcode maps (opcode map 00h is reserved). The XOP.map\_select field is restricted to the range 08h–1Fh and thus can only select one of 24 different opcode maps. The four-byte escape sequence, initiated by the EVEX 62h prefix selects the target opcode map explicitly via the EVEX.map field.

The VEX and XOP escape sequences contain fields that extend register addressing to a total of 16, increase the operand specification capability to four operands, and modify the instruction operation. The EVEX escape sequences contain fields that extend register addressing to a total of 32, and modify the instruction operation.

The extended SSE instruction subsets AVX, AES, CLMU, FMA, FMA4, and XOP and a few non-SSE instructions utilize the extended encoding syntax. See “Encoding Using the VEX and XOP Prefixes” on page 29 for details on the encoding of the two- and three-byte extended escape sequences.

The extended SSE instruction subset AVX512 utilizes the EVEX prefix encoding syntax. See “Encoding Using the EVEX Prefix” on page 34 for details on encoding the EVEX escape sequence.

## 1.3 Opcode

The *opcode* is a single byte that specifies the basic operation of an instruction. In some cases, it also specifies the operands for the instruction. Every instruction requires an opcode. The correspondence between the binary value of the opcode and the operation it represents is defined by a table called an *opcode map*. As discussed in the previous sections, the legacy prefixes 66h, F2h, and F3h and other fields within the instruction encoding may be used to modify the operation encoded by the opcode.

The affect of the presence of a 66h, F2h, or F3h prefix on the operation performed by the opcode is represented in the opcode map by additional rows in the table indexed by the applicable prefix. The 3-bit reg and r/m fields of the ModRM byte (“ModRM Byte Format” on page 17 and “SIB Byte Format”

on page 19) are used as well in the encoding of certain instructions. This is represented in the opcode maps via instruction group tables that detail the modifications represented via the extra encoding bits. See Section A.1, “Opcode Maps” of Appendix A for examples.

Even though each instruction has a unique opcode map and opcode, assemblers often support multiple alternate mnemonics for the same instruction to improve the readability of assembly language code.

The 64-bit floating-point 3DNow! instructions utilize the two-byte escape sequence 0Fh, 0Fh to select the 3DNow! opcode map. For these instructions the opcode is encoded in the immediate field at the end of the instruction encoding.

For details on how the opcode byte encodes the basic operation for specific instructions, see Section A.1, “Opcode Maps” of Appendix A

## 1.4 ModRM and SIB Bytes

The ModRM byte is optional depending on the instruction. When present, it follows the opcode and is used to specify:

- two register-based operands, or
- one register-based operand and a second memory-based operand and an addressing mode.

In the encoding of some instructions, fields within the ModRM byte are repurposed to provide additional opcode bits used to define the instruction’s function.

The ModRM byte is partitioned into three fields—*mod*, *reg*, and *r/m*. Normally the *reg* field specifies a register-based operand and the *mod* and *r/m* fields used together specify a second operand that is either register-based or memory-based. The addressing mode is also specified when the operand is memory-based.

In 64-bit mode, the REX.R and REX.B bits augment the *reg* and *r/m* fields respectively allowing the specification of twice the number of registers.

### 1.4.1 ModRM Byte Format

Figure 1-4 below shows the format of a ModRM byte.



Figure 1-4. ModRM-Byte Format

Depending on the addressing mode, the SIB byte may appear after the ModRM byte. SIB is used in the specification of various forms of indexed register-indirect addressing. See the following section for details.

**ModRM.mod (Bits[7:6]).** The mod field is used with the r/m field to specify the addressing mode for an operand. ModRM.mod = 11b specifies the register-direct addressing mode. In the register-direct mode, the operand is held in the specified register. ModRM.mod values less than 11b specify register-indirect addressing modes. In register-indirect addressing modes, values held in registers along with an optional displacement specified in the instruction encoding are used to calculate the address of a memory-based operand. Other encodings of the 5 bits {mod, r/m} are discussed below.

**ModRM.reg (Bits[5:3]).** The reg field is used to specify a register-based operand, although for some instructions, this field is used to extend the operation encoding. The encodings for this field are shown in Table 1-10 below.

**ModRM.r/m (Bits[2:0]).** As stated above, the r/m field is used in combination with the mod field to encode 32 different operand specifications (See Table 1-14 on page 21). The encodings for this field are shown in Table 1-10 below.

**Table 1-10. ModRM.reg and .r/m Field Encodings**

| Encoded value<br>(binary) | ModRM.reg <sup>1</sup>    | ModRM.r/m (mod = 11b) <sup>1</sup> | ModRM.r/m<br>(mod ≠ 11b) <sup>2</sup> |
|---------------------------|---------------------------|------------------------------------|---------------------------------------|
| 000                       | rAX, MMX0, XMM0, YMM0     | rAX, MMX0, XMM0, YMM0              | [rAX]                                 |
| 001                       | rCX, MMX1, XMM1, YMM1     | rCX, MMX1, XMM1, YMM1              | [rCX]                                 |
| 010                       | rDX, MMX2, XMM2, YMM2     | rDX, MMX2, XMM2, YMM2              | [rDX]                                 |
| 011                       | rBX, MMX3, XMM3, YMM3     | rBX, MMX3, XMM3, YMM3              | [rBX]                                 |
| 100                       | AH, rSP, MMX4, XMM4, YMM4 | AH, rSP, MMX4, XMM4, YMM4          | SIB <sup>3</sup>                      |
| 101                       | CH, rBP, MMX5, XMM5, YMM5 | CH, rBP, MMX5, XMM5, YMM5          | [rBP] <sup>4</sup>                    |
| 110                       | DH, rSI, MMX6, XMM6, YMM6 | DH, rSI, MMX6, XMM6, YMM6          | [rSI]                                 |
| 111                       | BH, rDI, MMX7, XMM7, YMM7 | BH, rDI, MMX7, XMM7, YMM7          | [rDI]                                 |

**Notes:**

1. Specific register used is instruction-dependent.
2. mod = 01 and mod = 10 include an offset specified by the instruction displacement field. The notation [\*] signifies that the specified register holds the address of the operand.
3. Indexed register-indirect addressing. SIB byte follows ModRM byte. See following section for SIB encoding.
4. For mod = 00b , r/m = 101b signifies absolute (displacement-only) addressing in 32-bit mode or RIP-relative addressing in 64-bit mode, where the rBP register is not used. For mod = [01b, 10b], r/m = 101b specifies the base + offset addressing mode with [rBP] as the base.

Similar to the reg field, r/m is used in some instructions to extend the operation encoding.

### 1.4.2 SIB Byte Format

The SIB byte has three fields—*scale*, *index*, and *base*—that define the scale factor, index-register number, and base-register number for the 32-bit and 64-bit indexed register-indirect addressing modes.

The basic formula for computing the effective address of a memory-based operand using the indexed register-indirect address modes is:

$$\text{effective\_address} = \text{scale} * \text{index} + \text{base} + \text{offset}$$

Specific variants of this addressing mode set one or more elements of the sum to zero.

Figure 1-5 below shows the format of the SIB byte.



**Figure 1-5. SIB Byte Format**

**SIB.scale (Bits[7:6]).** The scale field is used to specify the scale factor used in computing the scale\*index portion of the effective address. In normal usage scale represents the size of data elements in an array expressed in number of bytes. SIB.scale is encoded as shown in Table 1-11 below.

**Table 1-11. SIB.scale Field Encodings**

| Encoded value<br>(binary) | scale<br>factor |
|---------------------------|-----------------|
| 00                        | 1               |
| 01                        | 2               |
| 10                        | 4               |
| 11                        | 8               |

**SIB.index (Bits[5:3]).** The index field is used to specify the register containing the index portion of the indexed register-indirect effective address. SIB.index is encoded as shown in Table 1-12 below.

**SIB.base (Bits[2:0]).** The base field is used to specify the register containing the base address portion of the indexed register-indirect effective address. SIB.base is encoded as shown in Table 1-12 below.

**Table 1-12. SIB.index and .base Field Encodings**

| Encoded value<br>(binary) | SIB.index           | SIB.base                   |
|---------------------------|---------------------|----------------------------|
| 000                       | [rAX]               | [rAX]                      |
| 001                       | [rCX]               | [rCX]                      |
| 010                       | [rDX]               | [rDX]                      |
| 011                       | [rBX]               | [rBX]                      |
| 100                       | (none) <sup>1</sup> | [rSP]                      |
| 101                       | [rBP]               | [rBP], (none) <sup>2</sup> |
| 110                       | [rSI]               | DH, [rSI]                  |
| 111                       | [rDI]               | BH, [rDI]                  |

**Notes:**

1. Register specification is null. The scale\*index portion of the indexed register-indirect effective address is set to 0.
2. If ModRM.mod = 00b, the register specification is null. The base portion of the indexed register-indirect effective address is set to 0. Otherwise, base encodes the rBP register as the source of the base address used in the effective address calculation.

**Table 1-13. SIB.base encodings for ModRM.r/m = 100b**

|     | SIB base Field |       |       |       |       |                  |       |       |
|-----|----------------|-------|-------|-------|-------|------------------|-------|-------|
| mod | 000            | 001   | 010   | 011   | 100   | 101              | 110   | 111   |
| 00  |                |       |       |       |       | disp32           |       |       |
| 01  | [rAX]          | [rCX] | [rDX] | [rBX] | [rSP] | [rBP]+disp8      | [rSI] | [rDI] |
| 10  |                |       |       |       |       | [rBP]+disp32     |       |       |
| 11  |                |       |       |       |       | (not applicable) |       |       |

More discussion of operand addressing follows in the next two sections.

#### 1.4.3 Operand Addressing in Legacy 32-bit and Compatibility Modes

The mod and r/m fields of the ModRM byte provide a total of five bits used to encode 32 operand specification and memory addressing modes. Table 1-14 below shows these encodings.

**Table 1-14. Operand Addressing Using ModRM and SIB Bytes**

| <b>ModRM.mod</b>                                                                                                                                                                   | <b>ModRM.r/m</b> | <b>Register / Effective Address</b> |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|-------------------------------------|
| 00                                                                                                                                                                                 | 000              | [rAX]                               |
|                                                                                                                                                                                    | 001              | [rCX]                               |
|                                                                                                                                                                                    | 010              | [rDX]                               |
|                                                                                                                                                                                    | 011              | [rBX]                               |
|                                                                                                                                                                                    | 100              | SIB <sup>1</sup>                    |
|                                                                                                                                                                                    | 101              | <i>disp32</i>                       |
|                                                                                                                                                                                    | 110              | [rSI]                               |
|                                                                                                                                                                                    | 111              | [rDI]                               |
| 01                                                                                                                                                                                 | 000              | [rAX]+ <i>disp8</i>                 |
|                                                                                                                                                                                    | 001              | [rCX]+ <i>disp8</i>                 |
|                                                                                                                                                                                    | 010              | [rDX]+ <i>disp8</i>                 |
|                                                                                                                                                                                    | 011              | [rBX]+ <i>disp8</i>                 |
|                                                                                                                                                                                    | 100              | SIB+ <i>disp8</i> <sup>2</sup>      |
|                                                                                                                                                                                    | 101              | [rBP]+ <i>disp8</i>                 |
|                                                                                                                                                                                    | 110              | [rSI]+ <i>disp8</i>                 |
|                                                                                                                                                                                    | 111              | [rDI]+ <i>disp8</i>                 |
| 10                                                                                                                                                                                 | 000              | [rAX]+ <i>disp32</i>                |
|                                                                                                                                                                                    | 001              | [rCX]+ <i>disp32</i>                |
|                                                                                                                                                                                    | 010              | [rDX]+ <i>disp32</i>                |
|                                                                                                                                                                                    | 011              | [rBX]+ <i>disp32</i>                |
|                                                                                                                                                                                    | 100              | SIB+ <i>disp32</i> <sup>3</sup>     |
|                                                                                                                                                                                    | 101              | [rBP]+ <i>disp32</i>                |
|                                                                                                                                                                                    | 110              | [rSI]+ <i>disp32</i>                |
|                                                                                                                                                                                    | 111              | [rDI]+ <i>disp32</i>                |
| <b>Notes:</b>                                                                                                                                                                      |                  |                                     |
| 0. In the following notes, <i>scaled_index</i> = SIB.index * (1 << SIB.scale).                                                                                                     |                  |                                     |
| 1. SIB byte follows ModRM byte. Effective address is calculated using <i>scaled_index</i> +base. When SIB.base = 101b, addressing mode depends on ModRM.mod. See Table 1-13 above. |                  |                                     |
| 2. SIB byte follows ModRM byte. Effective address is calculated using <i>scaled_index</i> +base+8-bit_offset. One-byte Displacement field provides the offset.                     |                  |                                     |
| 3. SIB byte follows ModRM byte. Effective address is calculated using <i>scaled_index</i> +base+32-bit_offset. Four-byte Displacement field provides the offset.                   |                  |                                     |

**Table 1-14. Operand Addressing Using ModRM and SIB Bytes (continued)**

| ModRM.mod                                                                                                                                                                         | ModRM.r/m | Register / Effective Address   |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|--------------------------------|
| 11                                                                                                                                                                                | 000       | AL/rAX/MMX0/XMM0/YMM0/ZMM0     |
|                                                                                                                                                                                   | 001       | CL/rCX/MMX1/XMM1/YMM1/ZMM1     |
|                                                                                                                                                                                   | 010       | DL/rDX/MMX2/XMM2/YMM2/ZMM2     |
|                                                                                                                                                                                   | 011       | BL/rBX/MMX3/XMM3/YMM3/ZMM3     |
|                                                                                                                                                                                   | 100       | AH/SPL/rSP/MMX4/XMM4/YMM4/ZMM4 |
|                                                                                                                                                                                   | 101       | CH/BPL/rBP/MMX5/XMM5/YMM5/ZMM5 |
|                                                                                                                                                                                   | 110       | DH/SIL/rSI/MMX6/XMM6/YMM6/ZMM6 |
|                                                                                                                                                                                   | 111       | BH/DIL/rDI/MMX7/XMM7/YMM7/ZMM7 |
| <b>Notes:</b>                                                                                                                                                                     |           |                                |
| 0. In the following notes, <i>scaled_index</i> = <i>SIB.index</i> * (1 << <i>SIB.scale</i> ).                                                                                     |           |                                |
| 1. <i>SIB byte follows ModRM byte. Effective address is calculated using scaled_index+base. When SIB.base = 101b, addressing mode depends on ModRM.mod. See Table 1-13 above.</i> |           |                                |
| 2. <i>SIB byte follows ModRM byte. Effective address is calculated using scaled_index+base+8-bit_offset. One-byte Displacement field provides the offset.</i>                     |           |                                |
| 3. <i>SIB byte follows ModRM byte. Effective address is calculated using scaled_index+base+32-bit_offset. Four-byte Displacement field provides the offset.</i>                   |           |                                |

Note that the addressing mode mod = 11b is a register-direct mode, that is, the operand is contained in the specified register, while the modes mod = [00b:10b] specify different addressing modes for a memory-based operand.

For mod = 11b, the register containing the operand is specified by the r/m field. For the other modes (mod = [00b:10b]), the mod and r/m fields are combined to specify the addressing mode for the memory-based operand. Most are register-indirect addressing modes meaning that the address of the memory-based operand is contained in the register specified by r/m. For these register-indirect modes, mod = 01b and mod = 10b include an offset encoded in the displacement field of the instruction.

The encodings {mod ≠ 11b, r/m = 100b} specify the *indexed register-indirect* addressing mode in which the target address is computed using a combination of values stored in registers and a scale factor encoded directly in the SIB byte. For these addressing modes the effective address is given by the formula:

$$\text{effective\_address} = \text{scale} * \text{index} + \text{base} + \text{offset}$$

Scale is encoded in SIB.scale field. Index is contained in the register specified by SIB.index field and base is contained in the register specified by SIB.base field. Offset is encoded in the displacement field of the instruction using either one or four bytes.

If {mod, r/m} = 00100b, the offset portion of the formula is set to 0. For {mod, r/m} = 01100b and {mod, r/m} = 10100b, offset is encoded in the one- or 4-byte displacement field of the instruction.

Finally, the encoding {mod, r/m} = 00101b specifies an absolute addressing mode. In this mode, the address is provided directly in the instruction encoding using a 4-byte displacement field. In 64-bit mode this addressing mode is changed to RIP-relative (see “RIP-Relative Addressing” on page 24).

#### 1.4.4 Operand Addressing in 64-bit Mode

AMD64 architecture doubles the number of GPRs and increases their width to 64-bits. It also doubles the number of YMM/XMM registers. In order to support the specification of register operands contained in the eight additional GPRs or YMM/XMM registers and to make the additional GPRs available to hold addresses to be used in the addressing modes, the REX prefix provides the R, X, and B bit fields to extend the reg, r/m, index, and base fields of the ModRM and SIB bytes in the various operand addressing modes to four bits. A fourth REX bit field (W) allows instruction encodings to specify a 64-bit operand size.

Table 1-15 below and the sections that follow describe each of these bit fields.

**Table 1-15. REX Prefix-Byte Fields**

| Mnemonic                                                                               | Bit Position(s) | Definition                                                                                                                                                             |
|----------------------------------------------------------------------------------------|-----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| —                                                                                      | 7:4             | 0100 (4h)                                                                                                                                                              |
| REX.W                                                                                  | 3               | 0 = Default operand size<br>1 = 64-bit operand size                                                                                                                    |
| REX.R                                                                                  | 2               | 1-bit (msb) extension of the ModRM <i>reg</i> field <sup>1</sup> , permitting access to 16 registers.                                                                  |
| REX.X                                                                                  | 1               | 1-bit (msb) extension of the SIB <i>index</i> field <sup>1</sup> , permitting access to 16 registers.                                                                  |
| REX.B                                                                                  | 0               | 1-bit (msb) extension of the ModRM <i>r/m</i> field <sup>1</sup> , SIB <i>base</i> field <sup>1</sup> , or opcode <i>reg</i> field, permitting access to 16 registers. |
| <b>Notes:</b>                                                                          |                 |                                                                                                                                                                        |
| 1. For a description of the ModRM and SIB bytes, see “ModRM and SIB Bytes” on page 17. |                 |                                                                                                                                                                        |

**REX.W: Operand width (Bit 3).** Setting the REX.W bit to 1 specifies a 64-bit operand size. Like the existing 66h operand-size override prefix, the REX 64-bit operand-size override has no effect on byte operations. For non-byte operations, the REX operand-size override takes precedence over the 66h prefix. If a 66h prefix is used together with a REX prefix that has the W bit set to 1, the 66h prefix is ignored. However, if a 66h prefix is used together with a REX prefix that has the W bit cleared to 0, the 66h prefix is not ignored and the operand size becomes 16 bits.

**REX.R: Register field extension (Bit 2).** The REX.R bit adds a 1-bit extension (in the most significant bit position) to the ModRM.reg field when that field encodes a GPR, YMM/XMM, control, or debug register. REX.R does not modify ModRM.reg when that field specifies other registers or is used to extend the opcode. REX.R is ignored in such cases.

**REX.X: Index field extension (Bit 1).** The REX.X bit adds a 1-bit (msb) extension to the SIB.index field. See “ModRM and SIB Bytes” on page 17.

**REX.B: Base field extension (Bit 0).** The REX.B bit adds a 1-bit (msb) extension to either the ModRM.r/m field to specify a GPR or XMM register, or to the SIB.base field to specify a GPR. (See Table 2-2 on page 61 for more about the B bit.)

## 1.5 Displacement Bytes

A *displacement* (also called an *offset*) is a signed value that is added to the base of a code segment (absolute addressing) or to an instruction pointer (relative addressing), depending on the addressing mode. The size of a displacement is 1, 2, or 4 bytes. If an addressing mode requires a displacement, the bytes (1, 2, or 4) for the displacement follow the opcode, ModRM, or SIB byte (whichever comes last) in the instruction encoding.

In 64-bit mode, the same ModRM and SIB encodings are used to specify displacement sizes as those used in legacy and compatibility modes. However, the displacement is sign-extended to 64 bits during effective-address calculations. Also, in 64-bit mode, support is provided for some 64-bit displacement and immediate forms of the MOV instruction. See “Immediate Operand Size” in Volume 1 for more information.

For EVEX encoded instructions, one-byte displacements are scaled by a factor 'N'. See Section 4.13.8, “Disp8\*N” in Volume 1 for more details.

## 1.6 Immediate Bytes

An *immediate* is a value—typically an operand value—encoded directly into the instruction. Depending on the opcode and the operating mode, the size of an immediate operand can be 1, 2, 4, or 8 bytes. 64-bit immediates are allowed in 64-bit mode on MOV instructions that load GPRs, otherwise they are limited to 4 bytes. See “Immediate Operand Size” in APM Volume 1 for more information.

If an instruction takes an immediate operand, the bytes (1, 2, 4, or 8) for the immediate follow the opcode, ModRM, SIB, or displacement bytes (whichever come last) in the instruction encoding. Some 128-bit media instructions use the immediate byte as a condition code.

## 1.7 RIP-Relative Addressing

In 64-bit mode, addressing relative to the contents of the 64-bit instruction pointer (program counter)—called RIP-relative addressing or PC-relative addressing—is implemented for certain instructions. In such cases, the effective address is formed by adding the displacement to the 64-bit RIP of the next instruction.

In the legacy x86 architecture, addressing relative to the instruction pointer is available only in control-transfer instructions. In the 64-bit mode, any instruction that uses ModRM addressing can use RIP-relative addressing. This feature is particularly useful for addressing data in position-independent code and for code that addresses global data.

Without RIP-relative addressing, ModRM instructions address memory relative to zero. With RIP-relative addressing, ModRM instructions can address memory relative to the 64-bit RIP using a signed 32-bit displacement. This provides an offset range of  $\pm 2$  Gbytes from the RIP.

Programs usually have many references to data, especially global data, that are not register-based. To load such a program, the loader typically selects a location for the program in memory and then adjusts program references to global data based on the load location. RIP-relative addressing of data makes this adjustment unnecessary.

### 1.7.1 Encoding

Table 1-16 shows the ModRM and SIB encodings for RIP-relative addressing. Redundant forms of 32-bit displacement-only addressing exist in the current ModRM and SIB encodings. There is one ModRM encoding with several SIB encodings. RIP-relative addressing is encoded using one of the redundant forms. In 64-bit mode, the ModRM *disp32* (32-bit displacement) encoding ( $\{mod,r/m\} = 00101b$ ) is redefined to be *RIP + disp32* rather than displacement-only.

**Table 1-16. Encoding for RIP-Relative Addressing**

| ModRM                                                                                                                                                                                                                                                                                                                                                          | SIB                                                                                                                                 | Legacy and Compatibility Modes | 64-bit Mode    | Additional 64-bit Implications                                                |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|----------------|-------------------------------------------------------------------------------|
| <ul style="list-style-type: none"> <li>• mod = 00</li> <li>• r/m = 101</li> </ul>                                                                                                                                                                                                                                                                              | not present                                                                                                                         | disp32                         | RIP + disp32   | Zero-based (normal) displacement addressing must use SIB form (see next row). |
| <ul style="list-style-type: none"> <li>• mod = 00</li> <li>• r/m = 100<sup>1</sup></li> </ul>                                                                                                                                                                                                                                                                  | <ul style="list-style-type: none"> <li>• base = 101<sup>2</sup></li> <li>• index = 100<sup>3</sup></li> <li>• scale = xx</li> </ul> | disp32                         | Same as Legacy | None                                                                          |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                     |                                |                |                                                                               |
| <ol style="list-style-type: none"> <li>1. Encodes the indexed register-indirect addressing mode with 32-bit offset.</li> <li>2. Base register specification is null (base portion of effective address calculation is set to 0)</li> <li>3. Index register specification is null (scale*index portion of effective address calculation is set to 0)</li> </ol> |                                                                                                                                     |                                |                |                                                                               |

### 1.7.2 REX Prefix and RIP-Relative Addressing

ModRM encoding for RIP-relative addressing does not depend on a REX prefix. In particular, the *r/m* encoding of 101, used to select RIP-relative addressing, is not affected by the REX prefix. For example, selecting R13 (REX.B = 1, *r/m* = 101) with mod = 00 still results in RIP-relative addressing.

The four-bit *r/m* field of ModRM is not fully decoded. Therefore, in order to address R13 with no displacement, software must encode it as R13 + 0 using a one-byte displacement of zero.

### 1.7.3 Address-Size Prefix and RIP-Relative Addressing

RIP-relative addressing is enabled by 64-bit mode, not by a 64-bit address-size. Conversely, use of the address-size prefix (“Address-Size Override Prefix” on page 9) does not disable RIP-relative

addressing. The effect of the address-size prefix is to truncate and zero-extend the computed effective address to 32 bits, like any other addressing mode.

## 1.8 Encoding Considerations Using REX

Figure 1-6 on page 28 shows four examples of how the R, X, and B bits of the REX prefix are concatenated with fields from the ModRM byte, SIB byte, and opcode to specify register and memory addressing.

### 1.8.1 Byte-Register Addressing

In the legacy architecture, the byte registers (AH, AL, BH, BL, CH, CL, DH, and DL, shown in Figure 2-2 on page 42) are encoded in the ModRM reg or r/m field or in the opcode *reg* field as registers 0 through 7. The REX prefix provides an additional byte-register addressing capability that makes the least-significant byte of any GPR available for byte operations (Figure 2-3 on page 43). This provides a uniform set of byte, word, doubleword, and quadword registers better suited for register allocation by compilers.

### 1.8.2 Special Encodings for Registers

Readers who need to know the details of instruction encodings should be aware that certain combinations of the ModRM and SIB fields have special meaning for register encodings. For some of these combinations, the instruction fields expanded by the REX prefix are not decoded (treated as don't cares), thereby creating aliases of these encodings in the extended registers. Table 1-17 on page 27 describes how each of these cases behaves.

**Table 1-17. Special REX Encodings for Registers**

| <b>ModRM and SIB Encodings<sup>2</sup></b>                                                                                                                                                                                                                                                                                                                                                                                                                         | <b>Meaning in Legacy and Compatibility Modes</b> | <b>Implications in Legacy and Compatibility Modes</b>                                                                                                      | <b>Additional REX Implications</b>                                                                                                                                                                              |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ModRM Byte:<br>• mod ≠ 11<br>• r/m <sup>1</sup> = 100 (ESP)                                                                                                                                                                                                                                                                                                                                                                                                        | SIB byte is present.                             | SIB byte is required for ESP-based addressing.                                                                                                             | REX prefix adds a fourth bit (b), which is decoded and modifies the base register in the SIB byte. Therefore, the SIB byte is also required for R12-based addressing.                                           |
| ModRM Byte:<br>• mod = 00<br>• r/m <sup>1</sup> = x101 (EBP)                                                                                                                                                                                                                                                                                                                                                                                                       | Base register is not used.                       | Using EBP without a displacement must be done by setting mod = 01 with a displacement of 0 (with or without an index register).                            | REX prefix adds a fourth bit (x), which is not decoded (don't care). Therefore, using RBP or R13 without a displacement must be done via mod = 01 with a displacement of 0.                                     |
| SIB Byte:<br>• index <sup>1</sup> = x100 (ESP)                                                                                                                                                                                                                                                                                                                                                                                                                     | Index register is not used.                      | ESP cannot be used as an index register.                                                                                                                   | REX prefix adds a fourth bit (x), which is decoded. Therefore, there are no additional implications. The expanded index field is used to distinguish RSP from R12, allowing R12 to be used as an index.         |
| SIB Byte:<br>• base = b101 (EBP)<br>• ModRM.mod = 00                                                                                                                                                                                                                                                                                                                                                                                                               | Base register is not used if ModRM.mod = 00.     | Base register depends on mod encoding. Using EBP with a scaled index and without a displacement must be done by setting mod = 01 with a displacement of 0. | REX prefix adds a fourth bit (b), which is not decoded (don't care). Therefore, using RBP or R13 without a displacement must be done via mod = 01 with a displacement of 0 (with or without an index register). |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                  |                                                                                                                                                            |                                                                                                                                                                                                                 |
| <ol style="list-style-type: none"> <li>1. The REX-prefix bit is shown in the fourth (most-significant) bit position of the encodings for the ModRM r/m, SIB index, and SIB base fields. The lower-case "x" for ModRM r/m (rather than the upper-case "B" shown in Figure 1-6 on page 28) indicates that the REX-prefix bit is not decoded (don't care).</li> <li>2. For a description of the ModRM and SIB bytes, see "ModRM and SIB Bytes" on page 17.</li> </ol> |                                                  |                                                                                                                                                            |                                                                                                                                                                                                                 |

## Examples of Operand Addressing Extension Using REX

Case 1: Register-Register Addressing (No Memory Operand)



Case 2: Memory Addressing Without an SIB Byte



Case 3: Memory Addressing With an SIB Byte



Case 4: Register Operand Coded in Opcode Byte



**Figure 1-6. Encoding Examples Using REX R, X, and B Bits**

## 1.9 Encoding Using the VEX and XOP Prefixes

An extended escape sequence is introduced by an encoding escape prefix which establishes the context and the format of the bytes that follow. The currently defined prefixes fall in two classes: the XOP and the VEX prefixes (of which there are two). The XOP prefix and the VEX C4h prefix introduce a three byte sequence with identical syntax, while the VEX C5h prefix introduces a two-byte escape sequence with a different syntax.

These escape sequences supply fields used to extend operand specification as well as provide for the selection of alternate opcode maps. Encodings support up to two additional operands and the addressing of the extended (beyond 7) registers. The specification of two of the operands is accomplished using the legacy ModRM and optional SIB bytes with the reg, r/m, index, and base fields extended by one bit in a manner analogous to the REX prefix.

The encoding of the extended SSE instructions utilize extended escape sequences. XOP instructions use three-byte escape sequences introduced by the XOP prefix. The AVX, FMA, FMA4, and CLMUL instruction subsets use three-byte or two-byte escape sequences introduced by the VEX prefixes.

### 1.9.1 Three-Byte Escape Sequences

All the extended instructions can be encoded using a three-byte escape sequence, but certain VEX-encoded instructions that comply with the constraints described below in Section 1.9.2, “Two-Byte Escape Sequence” can also utilize a two-byte escape sequence. Figure 1-7 below shows the format of the three-byte escape sequence which is common to the XOP and VEX-based encodings.



Figure 1-7. VEX/XOP Three-byte Escape Sequence Format

| Byte | Bit   | Mnemonic   | Description                                                           |
|------|-------|------------|-----------------------------------------------------------------------|
| 0    | [7:0] | VEX, XOP   | Value specific to the extended instruction set                        |
| 1    | [7]   | R          | Inverted one-bit extension of ModRM <i>reg</i> field                  |
|      | [6]   | X          | Inverted one-bit extension of SIB <i>index</i> field                  |
|      | [5]   | B          | Inverted one-bit extension, <i>r/m</i> field or SIB <i>base</i> field |
|      | [4:0] | map_select | Opcode map select                                                     |

| Byte | Bit   | Mnemonic | Description                                                                                                                                                       |
|------|-------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2    | [7]   | W        | Default operand size override for a general purpose register to 64-bit size in 64-bit mode; operand configuration specifier for certain YMM/XMM-based operations. |
|      | [6:3] | vvv      | Source or destination register selector, in ones' complement format                                                                                               |
|      | [2]   | L        | Vector length specifier                                                                                                                                           |
|      | [1:0] | pp       | Implied 66, F2, or F3 opcode extension                                                                                                                            |

**Table 1-18. Three-byte Escape Sequence Field Definitions****Byte 0 (VEX/XOP Prefix)**

Byte 0 is the encoding escape prefix byte which introduces the encoding escape sequence and establishes the context for the bytes that follow. The VEX and XOP prefixes have the following encodings:

- VEX prefix is encoded as C4h
- XOP prefix is encoded as 8Fh

**Byte 1**

**VEX/XOP.R (Bit 7).** The bit-inverted equivalent of the REX.R bit. A one-bit extension of the ModRM.reg field in 64-bit mode, permitting access to 16 YMM/XMM and GPR registers. In 32-bit protected and compatibility modes, the value must be 1.

**VEX/XOP.X (Bit 6).** The bit-inverted equivalent of the REX.X bit. A one-bit extension of the SIB.index field in 64-bit mode, permitting access to 16 YMM/XMM and GPR registers. In 32-bit protected and compatibility modes, this value must be 1.

**VEX/XOP.B (Bit 5).** The bit-inverted equivalent of the REX.B bit, available only in the 3-byte prefix format. A one-bit extension of either the ModRM.r/m field, to specify a GPR or XMM register, or of the SIB base field, to specify a GPR. This permits access to all 16 GPR and YMM/XMM registers. In 32-bit protected and compatibility modes, this bit is ignored.

**VEX/XOP.map\_select (Bits [4:0]).** The five-bit map\_select field is used to select an alternate opcode map. The map select encoding spaces for VEX and XOP are disjoint. Table 1-19 below lists the encodings for VEX.map\_select and Table 1-20 lists the encodings for XOP.map\_select.

**Table 1-19. VEX.map\_select Encoding**

| Binary Value | Opcode Map       | Analogous Legacy Opcode Map       |
|--------------|------------------|-----------------------------------|
| 00000        | Reserved         | —                                 |
| 00001        | VEX opcode map 1 | Secondary (“two-byte”) opcode map |

**Table 1-19. VEX.map\_select Encoding**

| Binary Value | Opcode Map       | Analogous Legacy Opcode Map      |
|--------------|------------------|----------------------------------|
| 00010        | VEX opcode map 2 | 0F_38h (“three-byte”) opcode map |
| 00011        | VEX opcode map 3 | 0F_3Ah (“three-byte”) opcode map |
| 00100–11111  | Reserved         | —                                |

**Table 1-20. XOP.map\_select Encoding**

| Binary Value | Opcode Map             |
|--------------|------------------------|
| 00000–00111  | Reserved               |
| 01000        | XOP opcode map 8       |
| 01001        | XOP opcode map 9       |
| 01010        | XOP opcode map 10 (Ah) |
| 01011–11111  | Reserved               |

AVX instructions are encoded using the VEX opcode maps 1–3. The AVX instruction set includes instructions that provide operations similar to most legacy SSE instructions. For those AVX instructions that have an analogous legacy SSE instruction, the VEX opcode maps use the same binary opcode value and modifiers as the legacy version. The correspondence between the VEX opcode maps and the legacy opcode maps are shown in Table 1-19 above.

VEX opcode maps 1–3 are also used to encode the FMA4 and FMA instructions. In addition, not all legacy SSE instructions have AVX equivalents. Therefore, the VEX opcode maps are not the same as the legacy opcode maps.

The XOP opcode maps are unique to the XOP instructions. The XOP.map\_select value is restricted to the range [08h:1Fh]. If the value of the XOP.map\_select field is less than 8, the first two bytes of the three-byte XOP escape sequence are interpreted as a form of the POP instruction.

Both legacy and extended opcode maps are covered in detail in Appendix A.

## Byte 2

**VEX/XOP.W (Bit 7).** Function is instruction-specific. The bit is often used to configure source operand order.

**VEX/XOP.vvv (Bits [6:3]).** Used to specify an additional operand for three and four operand instructions. Encodes an XMM or YMM register in inverted ones’ complement form, as shown in Table 1-21.

**Table 1-21.** VEX/XOP.vvvv Encoding

| Binary Value | Register    | Binary Value | Register    |
|--------------|-------------|--------------|-------------|
| 0000         | XMM15/YMM15 | 1000         | XMM07/YMM07 |
| 0001         | XMM14/YMM14 | 1001         | XMM06/YMM06 |
| 0010         | XMM13/YMM13 | 1010         | XMM05/YMM05 |
| 0011         | XMM12/YMM12 | 1011         | XMM04/YMM04 |
| 0100         | XMM11/YMM11 | 1100         | XMM03/YMM03 |
| 0101         | XMM10/YMM10 | 1101         | XMM02/YMM02 |
| 0110         | XMM09/YMM09 | 1110         | XMM01/YMM01 |
| 0111         | XMM08/YMM08 | 1111         | XMM00/YMM00 |

Values 0000h to 0111h are not valid in 32-bit modes. vvvv is typically used to encode the first source operand, but for the VPSLLDQ, VPSRLDQ, VPSRLW, VPSRLD, VPSRLQ, VPSRAW, VPSRAD, VPSLLW, VPSLLD, and VPSLLQ shift instructions, the field specifies the destination register.

**VEX/XOP.L (Bit 2).** L = 0 specifies 128-bit vector length (XMM registers/128-bit memory locations). L=1 specifies 256-bit vector length (YMM registers/256-bit memory locations). For SSE or XOP instructions with scalar operands, the L bit is ignored. Some vector SSE instructions support only the 128 bit vector size. For these instructions, L is cleared to 0.

**VEX/XOP.pp (Bits [1:0]).** Specifies an implied 66h, F2h, or F3h opcode extension which is used in a way analogous to the legacy instruction encodings to extend the opcode encoding space. The correspondence between the encoding of the VEX/XOP.pp field and its function as an opcode modifier is shown in Table 1-22. The legacy prefixes 66h, F2h, and F3h are not allowed in the encoding of extended instructions.

**Table 1-22.** VEX/XOP.pp Encoding

| Binary Value | Implied Prefix |
|--------------|----------------|
| 00           | None           |
| 01           | 66h            |
| 10           | F3h            |
| 11           | F2h            |

### 1.9.2 Two-Byte Escape Sequence

All VEX-encoded instructions can be encoded using the three-byte escape sequence, but certain instructions can also be encoded utilizing a more compact, two-byte VEX escape sequence. The format of the two-byte escape sequence is shown in Figure 1-8 below.

**Figure 1-8. VEX Two-byte Escape Sequence Format****Table 1-23. VEX Two-byte Escape Sequence Field Definitions**

| Prefix Byte | Bit   | Mnemonic | Description                                                          |
|-------------|-------|----------|----------------------------------------------------------------------|
| <b>0</b>    | [7:0] | VEX      | VEX 2-byte encoding escape prefix                                    |
| <b>1</b>    | [7]   | R        | Inverted one-bit extension of ModRM.reg field                        |
|             | [6:3] | vvvv     | Source or destination register selector, in ones' complement format. |
|             | [2]   | L        | Vector length specifier                                              |
|             | [1:0] | pp       | Implied 66, F2, or F3 opcode extension.                              |

### Byte 0 (VEX Prefix)

The VEX prefix for the two-byte escape sequence is encoded as C5h.

### Byte 1

Note that the bit 7 of this byte is used to encode VEX.R instead of VEX.W as in the three-byte escape sequence form. The R, vvvv, L, and pp fields are defined as in the three-byte escape sequence.

When the two-byte escape sequence is used, specific fields from the three-byte format take on fixed values as shown in Table 1-24 below.

**Table 1-24. Fixed Field Values for VEX 2-Byte Format**

| VEX Field  | Value  |
|------------|--------|
| X          | 1      |
| B          | 1      |
| W          | 0      |
| map_select | 00001b |

Although they may be encoded using the VEX three-byte escape sequence, all instructions that conform with the constraints listed in Table 1-24 may be encoded using the two-byte escape sequence. Note that the implied value of map\_select is 00001b, which means that only instructions included in the VEX opcode map 1 may be encoded using this format.

VEX-encoded instructions that use the other defined values of map\_select (00010b and 00011b) cannot be encoded using this a two-byte escape sequence format. Note that the VEX.pp field value is explicitly encoded in this form and can be used to specify any of the implied legacy prefixes as defined in Table 1-22.

## 1.10 Encoding Using the EVEX Prefix

AVX512 introduces a new extended escape sequence called the EVEX prefix. It is a four byte sequence. It is similar to the VEX prefix with additional register specifier bits and bits for enhanced features.

Many (but not all) AVX512 instructions use the EVEX prefix. Instructions that are not AVX512 can also use the EVEX prefix.

### 1.10.1 Four-Byte Escape Sequence

Instructions that are encoded with the four-byte EVEX prefix use the format described in Figure 1-9.



**Figure 1-9. EVEX Four-byte Escape Sequence Format**

| Byte | Bit   | Mnemonic | Description                                                                                     |
|------|-------|----------|-------------------------------------------------------------------------------------------------|
| 0    | [7:0] | EVEX     | EVEX Prefix Byte 62h                                                                            |
| 1    | [7]   | R        | Inverted bit [3] extension of ModRM reg field                                                   |
|      | [6]   | X        | Inverted bit [3] extension of SIB index field, or Inverted bit [4] extension of ModRM r/m field |
|      | [5]   | B        | Inverted bit [3] extension of ModRM r/m field                                                   |
|      | [4]   | R'       | Inverted bit [4] extension of ModRM reg field                                                   |
|      | [3]   | Reserved | 0                                                                                               |
|      | [2:0] | map      | Opcode map select                                                                               |
| 2    | [7]   | W        | Operand size override, or Opcode extension bit                                                  |
|      | [6:3] | vvvv     | Inverted bits [3:0] of additional register operand                                              |
|      | [2]   | Reserved | 1                                                                                               |
|      | [1:0] | pp       | Implied 66, F2, or F3 opcode extension                                                          |
| 3    | [7]   | z        | Zeroing-masking specifier                                                                       |
|      | [6:5] | L'L      | Vector Length Specifier, or Rounding Control                                                    |
|      | [4]   | b        | Broadcast specifier, or Rounding control specifier, or Suppress-all-exceptions specifier        |
|      | [3]   | V'       | Inverted bit [4] of additional register operand                                                 |
|      | [2:0] | aaa      | K Masking register                                                                              |

**Table 1-25. EVEX Four-byte Escape Sequence Field Definitions**

## Byte 0 (EVEX Prefix)

Byte 0 is the encoding escape prefix byte which introduces the encoding escape sequence and establishes the context for the bytes that follow. The EVEX prefix has the following encodings:

- EVEX prefix is encoded as 62h

## Byte 1

**EVEX.R (Bit [7]).** Similar to the VEX.R bit, this bit is the bit-inverted equivalent of the REX.R bit. Bit [3] extension of the ModRM.reg field in 64-bit mode, permitting access to additional ZMM/YMM/XMM and GPR registers. In non-64-bit modes, the value must be 1.

**EVEX.X (Bit [6]).** Similar to the VEX.X bit, this bit is the bit-inverted equivalent of the REX.X bit, with additional functionality. For memory accessing instructions (ModRM[7:6] != 11b), this is bit [3] extension of the SIB.index field in 64-bit mode, permitting access to additional GPR registers. For non-memory accessing instructions (ModRM[7:6] == 11b), this is bit [4] extension of the ModRM.r/m field in 64-bit mode, permitting access to additional ZMM/YMM/XMM registers. In non-64-bit modes, this value must be 1.

**EVEX.B (Bit [5]).** Similar to the VEX.B bit, this bit is the bit-inverted equivalent of the REX.B bit. Bit [3] extension of either the ModRM.r/m field, to specify a GPR or ZMM/YMM/XMM register, or of the SIB.base field, to specify a GPR. This permits access to all 16 GPR and additional ZMM/YMM/XMM registers. In 32-bit protected and compatibility modes, this bit is ignored.

**EVEX.R' (Bit [4]).** Inverted bit [4] extension of the ModRM.reg field in 64-bit mode, to specify a ZMM/YMM/XMM register. This permits access of up to 32 ZMM/YMM/XMM registers. In 32-bit protected and compatibility modes, this bit is ignored.

**Reserved (Bit [3]).** Must be 0.

**EVEX.map (Bits [2:0]).** The three-bit map field is used to select an alternate opcode map. Table 1-26 below lists the encodings for EVEX.map.

**Table 1-26. EVEX.map Encoding**

| Binary Value | Opcode Map        | Analogous Legacy Opcode Map             |
|--------------|-------------------|-----------------------------------------|
| 000          | Reserved          | -                                       |
| 001          | EVEX opcode map 1 | Secondary (“0F”, “two-byte”) opcode map |
| 010          | EVEX opcode map 2 | 0F_38h (“three-byte”) opcode map        |
| 011          | EVEX opcode map 3 | 0F_3Ah (“three-byte”) opcode map        |
| 100-111      | Reserved          | -                                       |

## Byte 2

**EVEX.W (Bit [7]).** Similar to VEX.W, this bit is used to override the operand size (i.e., GPR override to 64-bits in 64-bit mode), to extend the opcode, or for other purposes, depending on the specific instruction.

**EVEX.vvvv (Bits [6:3]).** Similar to VEX.vvvv, used to specify an additional operand for three operand instructions. Encodes bits [3:0] of a ZMM/YMM/XMM register in ones' complement form. Bit [4] of the same register operand is specified in EVEX.V'.

**Reserved (Bit [2]).** Must be 1.

**EVEX.pp (Bits [1:0]).** Specifies an implied 66h, F2h, or F3h opcode extension which is used in a way analogous to the legacy instruction encodings to extend the opcode encoding space. The correspondence between the encoding of the EVEX.pp field and its function as an opcode modifier is the same as the VEX.pp field, and is shown in Table 1-22, “VEX/XOP.pp Encoding” on page 32. The legacy prefixes 66h, F2h, and F3h are not allowed in the encoding of instructions that use the EVEX prefix.

## Byte 3

**EVEX.z (Bit [7]).** Specifies zeroing masking. When EVEX.aaa indicates that K register masking is occurring, this bit specifies whether the masked off elements of the destination are unchanged (EVEX.z == 0), or set to zero (EVEX.z == 1).

**EVEX.L'L (Bits [6:5]).** Specifies either the size of the operation or the explicit rounding control value as shown in Table 1-28. When specifying the size of operation, the encoding is shown in Table 1-27. When specifying the explicit rounding control value, the encoding is the same as MXCSR.RC specified in Volume 1 section 4.3.2. See also Table 1-28.

**Table 1-27. EVEX.L'L Encoding Size of Operation**

| EVEX.L'L | Size of operation |
|----------|-------------------|
| 00b      | 128 bits          |
| 01b      | 256 bits          |
| 10b      | 512 bits          |
| 11b      | Reserved          |

**Table 1-28. EVEX.b and EVEX.L'L Encodings**

| Instruction                                 |                      |        |        | EVEX.L'L<br>determines | EVEX.b<br>determines    | Notes                                                                                                                                                             |
|---------------------------------------------|----------------------|--------|--------|------------------------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Type                                        | Rounding<br>Semantic | Can#XF | EVEX.b |                        |                         |                                                                                                                                                                   |
| Memory accessing<br>(ModRM[7:6] != 11b)     | X                    | X      | 0      | Size of operation      | Normal memory read      | EVEX.L'L determine size of operation                                                                                                                              |
|                                             |                      |        | 1      |                        | Broadcast memory read   | One element is read from memory and broadcast to all elements for that operand.<br>If the instruction does not support the memory broadcast feature, it will #UD. |
| Non-memory accessing<br>(ModRM[7:6] == 11b) | X                    | X      | 0      | Size of operation      | No {er} or {sae}        | EVEX.L'L determine size of operation                                                                                                                              |
|                                             | No                   | No     | 1      | n/a                    | n/a                     | #UD - Illegal encoding                                                                                                                                            |
|                                             | Yes                  | Yes    | 1      | Rounding Control       | Explicit Rounding       | Size of operation is set to 512 (vector instruction) or 128 (scalar instructions)<br>Instructions with {er} in the mnemonic                                       |
|                                             | No                   | Yes    | 1      | Ignored                | Suppress All Exceptions | Size of operation is set to 512 (vector instruction) or 128 (scalar instructions)<br>Instructions with {sae} in the mnemonic                                      |

**EVEX.b (Bit [4]).** Specifies either broadcast of a memory read or to turn on the explicit rounding or suppress all exceptions features as shown in Table 1-28.

**EVEX.V' (Bit [3]).** Used to specify an additional operand for three operand instructions. Encodes bit [4] of a ZMM/YMM/XMM register in ones' complement form. Bits [3:0] of the same register operand are specified in EVEX.vvvv.

**EVEX.aaa (Bits [2:0]).** Specifies a K register to use for masking the result of an instruction when EVEX.aaa != 000b. When EVEX.aaa == 000b, rather than using the value in K0, this specifies that K masking is not occurring. This is similar to using a K mask register with all bits set.

## 2 Instruction Overview

### 2.1 Instruction Groups

For easier reference, the instruction descriptions are divided into five groups based on usage. The following sections describe the function, mnemonic syntax, opcodes, affected flags, and possible exceptions generated by all instructions in the AMD64 architecture:

- Chapter 3, “General-Purpose Instruction Reference”—The general-purpose instructions are used in basic software execution. Most of these load, store, or operate on data in the general-purpose registers (GPRs), in memory, or in both. Other instructions are used to alter sequential program flow by branching to other locations within the program or to entirely different programs.
- Chapter 4, “System Instruction Reference”—The system instructions establish the processor operating mode, access processor resources, handle program and system errors, and manage memory.
- “Instruction Reference” in APM Volume 4—The Streaming SIMD Extensions (SSE) instructions load, store, or operate on data located in the ZMM/YMM/XMM registers. These instructions define both vector and scalar operations on floating-point and integer data types. They include the SSE, AVX and AVX512 instructions that operate on the ZMM/YMM/XMM registers. Some of these instructions convert source operands in YMM/XMM registers to destination operands in GPR, MMX, or x87 registers or otherwise affect ZMM/YMM/XMM state.
- “64-Bit Media Instruction Reference” in APM Volume 5—The 64-bit media instructions load, store, or operate on data located in the 64-bit MMX registers. These instructions define both vector and scalar operations on integer and floating-point data types. They include the legacy MMX™ instructions, the 3DNow!™ instructions, and the AMD extensions to the MMX and 3DNow! instruction sets. Some of these instructions convert source operands in MMX registers to destination operands in GPR, YMM/XMM, or x87 registers or otherwise affect MMX state.
- “x87 Floating-Point Instruction Reference” in APM Volume 5—The x87 instructions are used in legacy floating-point applications. Most of these instructions load, store, or operate on data located in the x87 ST(0)–ST(7) stack registers (the FPR0–FPR7 physical registers). The remaining instructions within this category are used to manage the x87 floating-point environment.

The description of each instruction covers its behavior in all operating modes, including legacy mode (real, virtual-8086, and protected modes) and long mode (compatibility and 64-bit modes). Details of certain kinds of complex behavior—such as control-flow changes in CALL, INT, or FXSAVE instructions—have cross-references in the instruction-detail pages to detailed descriptions in APM Volumes 1 and 2.

Two instructions—CMPSD and MOVSD—use the same mnemonic for different instructions. Assemblers can distinguish them on the basis of the number and type of operands with which they are used.

## 2.2 Reference-Page Format

Figure 2-1 on page 41 shows the format of an instruction-detail page. The instruction mnemonic is shown in bold at the top-left, along with its name. In this example, *AAM* is the mnemonic and *ASCII Adjust After Multiply* is the name. Next, there is a general description of the instruction’s operation. Many descriptions have cross-references to more detail in other parts of the manual.

Beneath the general description, the mnemonic is shown again, together with the related opcode(s) and a description summary. Related instructions are listed below this, followed by a table showing the flags that the instruction can affect. Finally, each instruction has a summary of the possible exceptions that can occur when executing the instruction. The columns labeled “Real” and “Virtual-8086” apply only to execution in legacy mode. The column labeled “Protected” applies both to legacy mode and long mode, because long mode is a superset of legacy protected mode.

The 128-bit and 64-bit media instructions also have diagrams illustrating the operation. A few instructions have examples or pseudocode describing the action.

| Mnemonic and any operands                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Opcode                                              | Description of operation                                                                  |           |                                               |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------|-------------------------------------------------------------------------------------------|-----------|-----------------------------------------------|----|----|-------|------|----|----|----|----|----|----|----|----|----|--|--|--|--|--|--|--|--|---|--|--|--|---|---|---|---|---|----|----|----|----|----|----|----|-------|----|----|---|---|---|---|---|---|---|-------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|-----------|------|-----------------|-----------|--------------------|---------------------|---|---|---|------------------------------|---------------------|--|--|---|-----------------------------------------------|------------------------------------------------------------------------------|--|
| <p style="text-align: center;">24594 Rev. 3.07 September 2003</p> <p style="text-align: center;"><b>AAM</b></p> <p style="text-align: center;"><b>ASCII Adjust After Multiply</b></p> <p>Converts the value in the AL register from binary to two unpacked BCD digits in the AH (most significant) and AL (least significant) registers using the following formula:<br/> <math>AH = (AL/10d)</math><br/> <math>AL = (AL \bmod 10d)</math>.</p> <p>In most modern assemblers, the AAM instruction adjusts to base-10 values. However, by coding the instruction directly in binary, it can adjust to any base specified by the immediate byte value (<i>ib</i>) suffixed onto the D4h opcode. For example, code D408h for octal, D40Ah for decimal, and D40Ch for duodecimal (base 12).</p> <p>Using this instruction in 64-bit mode generates an invalid-opcode exception.</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                     |                                                                                           |           |                                               |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| Mnemonic                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Opcode                                              | Description                                                                               |           |                                               |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| AAM                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | D4 0A                                               | Create a pair of unpacked BCD values in AH and AL.<br>(Invalid in 64-bit mode.)           |           |                                               |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| (None)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | D4 <i>ib</i>                                        | Create a pair of unpacked values to the immediate byte base.<br>(Invalid in 64-bit mode.) |           |                                               |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| <p><b>Related Instructions</b></p> <p>AAA, AAD, AAS</p> <p><b>rFLAGS Affected</b></p> <table border="1" style="width: 100%; border-collapse: collapse;"> <tr> <th>ID</th><th>VIP</th><th>VIF</th><th>AC</th><th>VM</th><th>RF</th><th>NT</th><th>IOPL</th><th>OF</th><th>DF</th><th>IF</th><th>TF</th><th>SF</th><th>ZF</th><th>AF</th><th>PF</th><th>CF</th></tr> <tr> <td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td><td>U</td><td></td><td></td><td></td><td>M</td><td>M</td><td>U</td><td>M</td><td>U</td></tr> <tr> <td>21</td><td>20</td><td>19</td><td>18</td><td>17</td><td>16</td><td>14</td><td>13–12</td><td>11</td><td>10</td><td>9</td><td>8</td><td>7</td><td>6</td><td>4</td><td>2</td><td>0</td></tr> <tr> <td colspan="17" style="text-align: center; padding-top: 2px;"> <i>Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M. Unaffected flags are blank. Undefined flags are U.</i> </td></tr> </table> <p><b>Exceptions</b></p> <table border="1" style="width: 100%; border-collapse: collapse;"> <thead> <tr> <th>Exception</th><th>Real</th><th>Virtual<br/>8086</th><th>Protected</th><th>Cause of Exception</th></tr> </thead> <tbody> <tr> <td>Divide by zero, #DE</td><td>X</td><td>X</td><td>X</td><td>8-bit immediate value was 0.</td></tr> <tr> <td>Invalid opcode, #UD</td><td></td><td></td><td>X</td><td>This instruction was executed in 64-bit mode.</td></tr> </tbody> </table> | ID                                                  | VIP                                                                                       | VIF       | AC                                            | VM | RF | NT    | IOPL | OF | DF | IF | TF | SF | ZF | AF | PF | CF |  |  |  |  |  |  |  |  | U |  |  |  | M | M | U | M | U | 21 | 20 | 19 | 18 | 17 | 16 | 14 | 13–12 | 11 | 10 | 9 | 8 | 7 | 6 | 4 | 2 | 0 | <i>Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M. Unaffected flags are blank. Undefined flags are U.</i> |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | Exception | Real | Virtual<br>8086 | Protected | Cause of Exception | Divide by zero, #DE | X | X | X | 8-bit immediate value was 0. | Invalid opcode, #UD |  |  | X | This instruction was executed in 64-bit mode. | <p>“M” means the flag is either set or cleared, depending on the result.</p> |  |
| ID                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | VIP                                                 | VIF                                                                                       | AC        | VM                                            | RF | NT | IOPL  | OF   | DF | IF | TF | SF | ZF | AF | PF | CF |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                     |                                                                                           |           |                                               |    |    |       | U    |    |    |    | M  | M  | U  | M  | U  |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| 21                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 20                                                  | 19                                                                                        | 18        | 17                                            | 16 | 14 | 13–12 | 11   | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| <i>Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M. Unaffected flags are blank. Undefined flags are U.</i>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                     |                                                                                           |           |                                               |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| Exception                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Real                                                | Virtual<br>8086                                                                           | Protected | Cause of Exception                            |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| Divide by zero, #DE                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | X                                                   | X                                                                                         | X         | 8-bit immediate value was 0.                  |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| Invalid opcode, #UD                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                     |                                                                                           | X         | This instruction was executed in 64-bit mode. |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |
| Possible exceptions and causes, by mode of operation                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | “Protected” column covers both legacy and long mode | Alphabetic mnemonic locator                                                               |           |                                               |    |    |       |      |    |    |    |    |    |    |    |    |    |  |  |  |  |  |  |  |  |   |  |  |  |   |   |   |   |   |    |    |    |    |    |    |    |       |    |    |   |   |   |   |   |   |   |                                                                                                                                                 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |           |      |                 |           |                    |                     |   |   |   |                              |                     |  |  |   |                                               |                                                                              |  |

Figure 2-1. Format of Instruction-Detail Pages

## 2.3 Summary of Registers and Data Types

This section summarizes the registers available to software using the five instruction subsets described in “Instruction Groups” on page 39. For details on the organization and use of these registers, see their respective chapters in APM Volumes 1 and 2.

### 2.3.1 General-Purpose Instructions

**Registers.** The size and number of general-purpose registers (GPRs) depends on the operating mode, as do the size of the flags and instruction-pointer registers. Figure 2-2 shows the registers available in legacy and compatibility modes.



**Figure 2-2. General Registers in Legacy and Compatibility Modes**

Figure 2-3 on page 43 shows the registers accessible in 64-bit mode. Compared with legacy mode, registers become 64 bits wide, eight new data registers (R8–R15) are added and the low byte of all 16 GPRs is available for byte operations, and the four high-byte registers of legacy mode (AH, BH, CH, and DH) are not available if the REX prefix is used. The high 32 bits of doubleword operands are zero-extended to 64 bits, but the high bits of word and byte operands are not modified by operations in 64-

bit mode. The RFLAGS register is 64 bits wide, but the high 32 bits are reserved. They can be written with anything but they read as zeros (RAZ).



- \* Not addressable in REX prefix instruction forms
- \*\* Only addressable in REX prefix instruction forms

**Figure 2-3. General Registers in 64-Bit Mode**

For most instructions running in 64-bit mode, access to the extended GPRs requires either a REX instruction modification prefix or extended encoding using the VEX or XOP sequences (page 16).

Figure 2-4 shows the segment registers which, like the instruction pointer, are used by all instructions. In legacy and compatibility modes, all segments are accessible. In 64-bit mode, which uses the flat

(non-segmented) memory model, only the CS, FS, and GS segments are recognized, whereas the contents of the DS, ES, and SS segment registers are ignored (the base for each of these segments is assumed to be zero, and neither their segment limit nor attributes are checked). For details, see “Segmented Virtual Memory” in APM Volume 2.



**Figure 2-4. Segment Registers**

**Data Types.** Figure 2-5 on page 45 shows the general-purpose data types. They are all scalar, integer data types. The 64-bit (quadword) data types are only available in 64-bit mode, and for most instructions they require a REX instruction prefix.



Figure 2-5. General-Purpose Data Types

### 2.3.2 System Instructions

**Registers.** The system instructions use several specialized registers shown in Figure 2-6 on page 46. System software uses these registers to, among other things, manage the processor's operating environment, define system resource characteristics, and monitor software execution. With the exception of the RFLAGS register, system registers can be read and written only from privileged software.

All system registers are 64 bits wide, except for the descriptor-table registers and the task register, which include 64-bit base-address fields and other fields.



Figure 2-6. System Registers

**Data Structures.** Figure 2-7 on page 47 shows the system data structures. These are created and maintained by system software for use in protected mode. A processor running in protected mode uses these data structures to manage memory and protection, and to store program-state information when an interrupt or task switch occurs.



Figure 2-7. System Data Structures

### 2.3.3 SSE Instructions

**Registers.** The SSE instructions operate primarily on 128-bit, 256-bit, and 512-bit floating-point vector operands located in the 512-bit ZMM/YMM/XMM registers. Each 128-bit XMM register is defined as the lower octword of the corresponding YMM register. Each 256-bit YMM register is defined as the lower two octwords of the corresponding ZMM register. The number of available ZMM/YMM/XMM data registers depends on the operating mode, as shown in Figure 2-8 below. In legacy and compatibility modes, eight ZMM/YMM/XMM registers (ZMM/YMM/XMM0–7) are available. In 64-bit mode, twenty four additional ZMM/YMM/XMM data registers (ZMM/YMM/XMM8–31) are available. These eight additional registers are addressed via the encoding extensions provided by the REX, VEX, XOP, and EVEX prefixes.

The MXCSR register contains floating-point and other control and status flags used by the 128-bit/256-bit/512-bit media instructions. Some of these media instructions also use the GPR (Figure 2-2 and Figure 2-3) and the MMX registers (Figure 2-12 on page 52) or set or clear flags in the rFLAGS register (see Figure 2-2 and Figure 2-3).



**Figure 2-8. SSE Registers**

**Data Types.** The SSE instruction set architecture provides support for 128-bit/256-bit/512-bit packed floating-point and integer data types as well as integer and floating-point scalars. Figure 2-9 below shows the 128-bit data types. Figure 2-10 on page 50 and Figure 2-11 on page 51 show the 256-bit data types. The floating-point data types include IEEE-754 single precision and double precision types.



**Figure 2-9. 128-Bit SSE Data Types**

## Vector (Packed) Floating-Point – Double Precision and Single Precision



## Vector (Packed) Signed Integer – Double Quadword, Quadword, Doubleword, Word, Byte



Figure 2-10. SSE 256-bit Data Types

**Vector (Packed) Unsigned Integer – Double Quadword, Quadword, Doubleword, Word, Byte**

**Scalar Floating-Point – Double Precision and Single Precision<sup>1</sup>**

**Scalar Signed Integers**

**Scalar Unsigned Integers**


Note: 1) A 16 bit Half-Precision Floating-Point Scalar is also defined.

**Figure 2-11. SSE 256-Bit Data Types (Continued)**

### 2.3.4 64-Bit Media Instructions

**Registers.** The 64-bit media instructions use the eight 64-bit MMX registers, as shown in Figure 2-12. These registers are mapped onto the x87 floating-point registers, and 64-bit media instructions write the x87 tag word in a way that prevents an x87 instruction from using MMX data.

Some 64-bit media instructions also use the GPR (Figure 2-2 and Figure 2-3) and the XMM registers (Figure 2-8).



**Figure 2-12. 64-Bit Media Registers**

**Data Types.** Figure 2-13 on page 53 shows the 64-bit media data types. They include floating-point and integer vectors and integer scalars. The floating-point data type, used by 3DNow! instructions, consists of a packed vector or two IEEE-754 32-bit single-precision data types. Unlike other kinds of floating-point instructions, however, the 3DNow!<sup>TM</sup> instructions do not generate floating-point exceptions. For this reason, there is no register for reporting or controlling the status of exceptions in the 64-bit-media instruction subset.

Vector (Packed) Single-Precision Floating-Point



Vector (Packed) Signed Integers



Vector (Packed) Unsigned Integers



Signed Integers



Unsigned Integers



Figure 2-13. 64-Bit Media Data Types

### 2.3.5 x87 Floating-Point Instructions

**Registers.** The x87 floating-point instructions use the x87 registers shown in Figure 2-14. There are eight 80-bit data registers, three 16-bit registers that hold the x87 control word, status word, and tag word, and three registers (last instruction pointer, last opcode, last data pointer) that hold information about the last x87 operation.

The physical data registers are named FPR0–FPR7, although x87 software references these registers as a stack of registers, named ST(0)–ST(7). The x87 instructions store operands only in their own 80-bit floating-point registers or in memory. They do not access the GPR or XMM registers.



**Figure 2-14. x87 Registers**

**Data Types.** Figure 2-15 on page 55 shows all x87 data types. They include three floating-point formats (80-bit double-extended precision, 64-bit double precision, and 32-bit single precision), three signed-integer formats (quadword, doubleword, and word), and an 80-bit packed binary-coded decimal (BCD) format.

**Figure 2-15. x87 Data Types**

## 2.4 Summary of Exceptions

Table 2-1 on page 56 lists all possible exceptions. The table shows the interrupt-vector numbers, names, mnemonics, source, and possible causes. Exceptions that apply to specific instructions are documented with each instruction in the instruction-detail pages that follow.

**Table 2-1. Interrupt-Vector Source and Cause**

| <b>Vector</b> | <b>Interrupt (Exception)</b>     | <b>Mnemonic</b> | <b>Source</b>        | <b>Cause</b>                                                    |
|---------------|----------------------------------|-----------------|----------------------|-----------------------------------------------------------------|
| 0             | Divide-By-Zero-Error             | #DE             | Software             | DIV, IDIV, AAM instructions                                     |
| 1             | Debug                            | #DB             | Internal             | Instruction accesses and data accesses                          |
| 2             | Non-Maskable-Interrupt           | #NMI            | External             | External NMI signal                                             |
| 3             | Breakpoint                       | #BP             | Software             | INT3 instruction                                                |
| 4             | Overflow                         | #OF             | Software             | INTO instruction                                                |
| 5             | Bound-Range                      | #BR             | Software             | BOUND instruction                                               |
| 6             | Invalid-Opcode                   | #UD             | Internal             | Invalid instructions                                            |
| 7             | Device-Not-Available             | #NM             | Internal             | x87 instructions                                                |
| 8             | Double-Fault                     | #DF             | Internal             | Interrupt during an interrupt                                   |
| 9             | Coprocessor-Segment-Overrun      | —               | External             | Unsupported (reserved)                                          |
| 10            | Invalid-TSS                      | #TS             | Internal             | Task-state segment access and task switch                       |
| 11            | Segment-Not-Present              | #NP             | Internal             | Segment access through a descriptor                             |
| 12            | Stack                            | #SS             | Internal             | SS register loads and stack references                          |
| 13            | General-Protection               | #GP             | Internal             | Memory accesses and protection checks                           |
| 14            | Page-Fault                       | #PF             | Internal             | Memory accesses when paging enabled                             |
| 15            | Reserved                         |                 |                      | —                                                               |
| 16            | Floating-Point Exception-Pending | #MF             | Software             | x87 floating-point and 64-bit media floating-point instructions |
| 17            | Alignment-Check                  | #AC             | Internal             | Memory accesses                                                 |
| 18            | Machine-Check                    | #MC             | Internal<br>External | Model specific                                                  |
| 19            | SIMD Floating-Point              | #XF             | Internal             | 128-bit media floating-point instructions                       |
| 20            | Reserved                         |                 |                      | —                                                               |
| 21            | Control-Protection               | #CP             | Internal             | Shadow Stack Protection checks                                  |
| 22–27         | Reserved (Internal and External) |                 |                      | —                                                               |
| 28            | Hypervisor Injection Exception   | #HV             | Software             | Event injection                                                 |
| 29            | VMM Communication Exception      | #VC             | Internal             | Virtualization event                                            |
| 30            | SVM Security Exception           | #SX             | External             | Security-sensitive events                                       |
| 31            | Reserved (Internal and External) |                 |                      | —                                                               |
| 0–255         | External Interrupts (Maskable)   | #INTR           | External             | External interrupt signal                                       |
| 0–255         | Software Interrupts              | —               | Software             | INTn instruction                                                |

## 2.5 Notation

### 2.5.1 Mnemonic Syntax

Each instruction has a syntax that includes the mnemonic and any operands that the instruction can take. Figure 2-16 shows an example of a syntax in which the instruction takes two operands. In most instructions that take two operands, the first (left-most) operand is both a source operand (the first source operand) and the destination operand. The second (right-most) operand serves only as a source, not a destination.



**Figure 2-16. Syntax for Typical Two-Operand Instruction**

The following notation is used to denote the size and type of source and destination operands:

- *cReg*—Control register.
- *dReg*—Debug register.
- *imm8*—Byte (8-bit) immediate.
- *imm16*—Word (16-bit) immediate.
- *imm16/32*—Word (16-bit) or doubleword (32-bit) immediate.
- *imm32*—Doubleword (32-bit) immediate.
- *imm32/64*—Doubleword (32-bit) or quadword (64-bit) immediate.
- *imm64*—Quadword (64-bit) immediate.
- *mem*—An operand of unspecified size in memory.
- *mem8*—Byte (8-bit) operand in memory.
- *mem16*—Word (16-bit) operand in memory.
- *mem16/32*—Word (16-bit) or doubleword (32-bit) operand in memory.
- *mem32*—Doubleword (32-bit) operand in memory.
- *mem32/48*—Doubleword (32-bit) or 48-bit operand in memory.
- *mem48*—48-bit operand in memory.

- *mem64*—Quadword (64-bit) operand in memory.
- *mem128*—Double quadword (128-bit) operand in memory.
- *mem256*—256-bit operand in memory.
- *mem512*—512-bit operand in memory.
- *mem16:16*—Two sequential word (16-bit) operands in memory.
- *mem16:32*—A doubleword (32-bit) operand followed by a word (16-bit) operand in memory.
- *mem32real*—Single-precision (32-bit) floating-point operand in memory.
- *mem16int*—Word (16-bit) integer operand in memory.
- *mem32int*—Doubleword (32-bit) integer operand in memory.
- *mem64real*—Double-precision (64-bit) floating-point operand in memory.
- *mem64int*—Quadword (64-bit) integer operand in memory.
- *mem80real*—Double-extended-precision (80-bit) floating-point operand in memory.
- *mem80dec*—80-bit packed BCD operand in memory, containing 18 4-bit BCD digits.
- *mem2env*—16-bit x87 control word or x87 status word.
- *mem14/28env*—14-byte or 28-byte x87 environment. The x87 environment consists of the x87 control word, x87 status word, x87 tag word, last non-control instruction pointer, last data pointer, and opcode of the last non-control instruction completed.
- *mem94/108env*—94-byte or 108-byte x87 environment and register stack.
- *mem512env*—512-byte environment for 128-bit media, 64-bit media, and x87 instructions.
- *mmx*—Quadword (64-bit) operand in an MMX register.
- *mmx1*—Quadword (64-bit) operand in an MMX register, specified as the left-most (first) operand in the instruction syntax.
- *mmx2*—Quadword (64-bit) operand in an MMX register, specified as the right-most (second) operand in the instruction syntax.
- *mmx/mem32*—Doubleword (32-bit) operand in an MMX register or memory.
- *mmx/mem64*—Quadword (64-bit) operand in an MMX register or memory.
- *mmx1/mem64*—Quadword (64-bit) operand in an MMX register or memory, specified as the left-most (first) operand in the instruction syntax.
- *mmx2/mem64*—Quadword (64-bit) operand in an MMX register or memory, specified as the right-most (second) operand in the instruction syntax.
- *moffset*—Direct memory offset that specifies an operand in memory.
- *moffset8*—Direct memory offset that specifies a byte (8-bit) operand in memory.
- *moffset16*—Direct memory offset that specifies a word (16-bit) operand in memory.
- *moffset32*—Direct memory offset that specifies a doubleword (32-bit) operand in memory.
- *moffset64*—Direct memory offset that specifies a quadword (64-bit) operand in memory.
- *pntr16:16*—Far pointer with 16-bit selector and 16-bit offset.

- *pntr16:32*—Far pointer with 16-bit selector and 32-bit offset.
- *reg*—Operand of unspecified size in a GPR register.
- *reg8*—Byte (8-bit) operand in a GPR register.
- *reg16*—Word (16-bit) operand in a GPR register.
- *reg16/32*—Word (16-bit) or doubleword (32-bit) operand in a GPR register.
- *reg32*—Doubleword (32-bit) operand in a GPR register.
- *reg64*—Quadword (64-bit) operand in a GPR register.
- *reg/mem8*—Byte (8-bit) operand in a GPR register or memory.
- *reg/mem16*—Word (16-bit) operand in a GPR register or memory.
- *reg/mem32*—Doubleword (32-bit) operand in a GPR register or memory.
- *reg/mem64*—Quadword (64-bit) operand in a GPR register or memory.
- *rel8off*—Signed 8-bit offset relative to the instruction pointer.
- *rel16off*—Signed 16-bit offset relative to the instruction pointer.
- *rel32off*—Signed 32-bit offset relative to the instruction pointer.
- *segReg or sReg*—Word (16-bit) operand in a segment register.
- *ST(0)*—x87 stack register 0.
- *ST(i)*—x87 stack register *i*, where *i* is between 0 and 7.
- *xmm*—Double quadword (128-bit) operand in an XMM register.
- *xmm1*—Double quadword (128-bit) operand in an XMM register, specified as the left-most (first) operand in the instruction syntax.
- *xmm2*—Double quadword (128-bit) operand in an XMM register, specified as the second operand in the instruction syntax.
- *xmm3*—Double quadword (128-bit) operand in an XMM register, specified as the right-most (last) operand in the instruction syntax.
- *xmm/mem64*—Quadword (64-bit) operand in a 128-bit XMM register or memory.
- *xmm/mem128*—Double quadword (128-bit) operand in an XMM register or memory.
- *xmm1/mem128*—Double quadword (128-bit) operand in an XMM register or memory, specified as the left-most (first) operand in the instruction syntax.
- *xmm2/mem128*—Double quadword (128-bit) operand in an XMM register or memory, specified as the second operand in the instruction syntax.
- *xmm3/mem128*—Double quadword (128-bit) operand in an XMM register or memory, specified as the right-most (last) operand in the instruction syntax.
- *ymm*—Double octword (256-bit) operand in an YMM register.
- *ymm1*—Double octword (256-bit) operand in an YMM register, specified as the left-most (first) operand in the instruction syntax.

- *ymm2*—Double octword (256-bit) operand in an YMM register, specified as the second operand in the instruction syntax.
- *ymm3*—Double octword (256-bit) operand in an YMM register, specified as the right-most (last) operand in the instruction syntax.
- *ymm/mem64*—Quadword (64-bit) operand in a 256-bit YMM register or memory.
- *ymm/mem128*—Double quadword (128-bit) operand in an YMM register or memory.
- *ymm1/mem256*—Double octword (256-bit) operand in an YMM register or memory, specified as the left-most (first) operand in the instruction syntax.
- *ymm2/mem256*—Double octword (256-bit) operand in an YMM register or memory, specified as the second operand in the instruction syntax.
- *ymm3/mem256*—Double octword (256-bit) operand in an YMM register or memory, specified as the right-most (last) operand in the instruction syntax.
- *zmm*—Quad octword (512-bit) operand in an ZMM register.
- *zmm1*—Quad octword (512-bit) operand in an ZMM register, specified as the left-most (first) operand in the instruction syntax.
- *zmm2*—Quad octword (512-bit) operand in an ZMM register, specified as the second operand in the instruction syntax.
- *zmm3*—Quad octword (512-bit) operand in an ZMM register, specified as the right-most (last) operand in the instruction syntax.
- *zmm/mem512*—Quad octword (512-bit) operand in an ZMM register or memory, specified as the right-most (last) operand in the instruction syntax.

### 2.5.2 Opcode Syntax

In addition to the notation shown above in “Mnemonic Syntax” on page 57, the following notation indicates the size and type of operands in the syntax of an instruction opcode:

- */digit*—Indicates that the ModRM byte specifies only one register or memory (r/m) operand. The digit is specified by the ModRM reg field and is used as an instruction-opcode extension. Valid digit values range from 0 to 7.
- */r*—Indicates that the ModRM byte specifies both a register operand and a reg/mem (register or memory) operand.
- *cb, cw, cd, cp*—Specifies a code-offset value and possibly a new code-segment register value. The value following the opcode is either one byte (cb), two bytes (cw), four bytes (cd), or six bytes (cp).
- *ib, iw, id, iq*—Specifies an immediate-operand value. The opcode determines whether the value is signed or unsigned. The value following the opcode, ModRM, or SIB byte is either one byte (ib), two bytes (iw), or four bytes (id). Word and doubleword values start with the low-order byte.
- *+rb, +rw, +rd, +rq*—Specifies a register value that is added to the hexadecimal byte on the left, forming a one-byte opcode. The result is an instruction that operates on the register specified by the register code. Valid register-code values are shown in Table 2-2.

- *m64*—Specifies a quadword (64-bit) operand in memory.
- *+i*—Specifies an x87 floating-point stack operand, ST(*i*). The value is used only with x87 floating-point instructions. It is added to the hexadecimal byte on the left, forming a one-byte opcode. Valid values range from 0 to 7.

**Table 2-2. +rb, +rw, +rd, and +rq Register Value**

| REX.B<br>Bit <sup>1</sup> | Value | Specified Register   |      |      |     |
|---------------------------|-------|----------------------|------|------|-----|
|                           |       | +rb                  | +rw  | +rd  | +rq |
| 0<br>or no REX<br>Prefix  | 0     | AL                   | AX   | EAX  | RAX |
|                           | 1     | CL                   | CX   | ECX  | RCX |
|                           | 2     | DL                   | DX   | EDX  | RDX |
|                           | 3     | BL                   | BX   | EBX  | RBX |
|                           | 4     | AH, SPL <sup>1</sup> | SP   | ESP  | RSP |
|                           | 5     | CH, BPL <sup>1</sup> | BP   | EBP  | RBP |
|                           | 6     | DH, SIL <sup>1</sup> | SI   | ESI  | RSI |
|                           | 7     | BH, DIL <sup>1</sup> | DI   | EDI  | RDI |
| 1                         | 0     | R8B                  | R8W  | R8D  | R8  |
|                           | 1     | R9B                  | R9W  | R9D  | R9  |
|                           | 2     | R10B                 | R10W | R10D | R10 |
|                           | 3     | R11B                 | R11W | R11D | R11 |
|                           | 4     | R12B                 | R12W | R12D | R12 |
|                           | 5     | R13B                 | R13W | R13D | R13 |
|                           | 6     | R14B                 | R14W | R14D | R14 |
|                           | 7     | R15B                 | R15W | R15D | R15 |

1. See “REX Prefix” on page 14.

### 2.5.3 Pseudocode Definition

Pseudocode examples are given for the actions of several complex instructions (for example, see “CALL (Near)” on page 136). The following definitions apply to all such pseudocode examples:

```
//////////  
// Pseudo Code Definition  
//////////  
//  
// Comments start with double slashes.  
//  
// '=' can mean "is", or assignment based on context  
// '==' is the equals comparison operator  
//  
//////////  
// Constants  
//////////
```

```

0           // numbers are in base-10 (decimal), unless followed by a suffix
0000_0001b // a number in binary notation, underbars added for readability
FFEO_0000h // a number expressed in hexadecimal notation

// in the following, '&&' is the logical AND operator. See "Logical Operators"
// below.
// reg[fld] identifies a field (one or more bits) within architected register
// or within a sub-element of a larger data structure. A dot separates the
// higher-level data structure name from the sub-element name.
//
CS.desc = Code Segment descriptor    // CS.desc has sub-elements: base, limit, attr
SS.desc = Stack Segment descriptor   // SS.desc has the same sub-elements
CS.desc.base = base subfield of CS.desc
CS = Code Segment Register
SS = Stack Segment Register
CPL = Current Privilege Level (0 <= CPL <= 3)
REAL_MODE = (CR0[PE] == 0)
PROTECTED_MODE = ((CR0[PE] == 1) && (RFLAGS[VM] == 0))
VIRTUAL_MODE = ((CR0[PE] == 1) && (RFLAGS[VM] == 1))
LEGACY_MODE = (EFER[LMA] == 0)
LONG_MODE = (EFER[LMA] == 1)
64BIT_MODE = ((EFER[LMA]==1) && (CS_desc.attr[L] == 1) && (CS_desc.attr[D] == 0))
COMPATIBILITY_MODE = (EFER[LMA] == 1) && (CS_desc.attr[L] == 0)
PAGING_ENABLED = (CR0[PG] == 1)
ALIGNMENT_CHECK_ENABLED = ((CR0[AM] == 1) && (RFLAGS[AC] == 1) && (CPL == 3))

OPERAND_SIZE = 16, 32, or 64    // size, in bits, of an operand
// OPERAND_SIZE depends on processor mode, the current code segment descriptor
// default operand size [D], presence of the operand size override prefix (66h)
// and, in 64-bit mode, the REX prefix.
// NOTE: Specific instructions take 8-bit operands, but for these instructions,
// operand size is fixed and the variable OPERAND_SIZE is not needed.

ADDRESS_SIZE = 16, 32, or 64    // size, in bits, of the effective address for
// memory reads. ADDRESS_SIZE depends processor mode, the current code segment
// descriptor default operand size [D], and the presence of the address size
// override prefix (67h)

STACK_SIZE = 16, 32, or 64      // size, in bits of stack operation operand
// STACK_SIZE depends on current code segment descriptor attribute D bit and
// the Stack Segment descriptor attribute B bit.

///////////////////////////////
// Architected Registers
///////////////////////////////
// Identified using abbreviated names assigned by the Architecture; can represent
// the register or its contents depending on context.
RAX = the 64-bit contents of the general-purpose register
EAX = 32-bit contents of GPR EAX
AX = 16-bit contents of GPR AX

```

AL = lower 8 bits of GPR AX  
AH = upper 8 bits of GPR AX

```
index_of(reg) = value used to encode the register.  
index_of(AX) = 0000b  
index_of(RAX) = 0000b  
  
// in legacy and compatibility modes the msb of the index is fixed as 0
```

```
//////////////////////////////  
// Defined Variables  
//////////////////////////////
```

```
old_RIP = RIP at the start of current instruction  
old_RSP = RSP at the start of current instruction  
old_RFLAGS = RFLAGS at the start of the instruction  
old_CS = CS selector at the start of current instruction  
old_DS = DS selector at the start of current instruction  
old_ES = ES selector at the start of current instruction  
old_FS = FS selector at the start of current instruction  
old_GS = GS selector at the start of current instruction  
old_SS = SS selector at the start of current instruction
```

```
RIP = the current RIP register  
RSP = the current RSP register  
RBP = the current RBP register  
RFLAGS = the current RFLAGS register  
next_RIP = RIP at start of next instruction
```

```
CS.desc = the current CS descriptor, including the subfields:  
    base limit attr  
SS.desc = the current SS descriptor, including the subfields:  
    base limit attr
```

```
SRC = the instruction's source operand  
SRC1 = the instruction's first source operand  
SRC2 = the instruction's second source operand  
SRC3 = the instruction's third source operand  
IMM8 = 8-bit immediate encoded in the instruction  
IMM16 = 16-bit immediate encoded in the instruction  
IMM32 = 32-bit immediate encoded in the instruction  
IMM64 = 64-bit immediate encoded in the instruction  
DEST = instruction's destination register
```

```
temp_* // 64-bit temporary register  
temp_*_desc // temporary descriptor, with sub-elements:  
            // if it points to a block of memory: base limit attr  
            // if it's a gate descriptor: offset segment attr
```

```
NULL = 0000h // null selector is all zeros
```

```
//////////  
// Exceptions  
//////////  
EXCEPTION [#GP(0)] // Signals an exception; error code in parenthesis  
EXCEPTION [#UD] // if no error code  
  
// possible exception types:  
#DE // Divide-By-Zero-Error Exception (Vector 0)  
#DB // Debug Exception (Vector 1)  
#BP // INT3 Breakpoint Exception (Vector 3)  
#OF // INTO Overflow Exception (Vector 4)  
#BR // Bound-Range Exception (Vector 5)  
#UD // Invalid-Opcode Exception (Vector 6)  
#NM // Device-Not-Available Exception (Vector 7)  
#DF // Double-Fault Exception (Vector 8)  
#TS // Invalid-TSS Exception (Vector 10)  
#NP // Segment-Not-Present Exception (Vector 11)  
#SS // Stack Exception (Vector 12)  
#GP // General-Protection Exception (Vector 13)  
#PF // Page-Fault Exception (Vector 14)  
#MF // x87 Floating-Point Exception-Pending (Vector 16)  
#AC // Alignment-Check Exception (Vector 17)  
#MC // Machine-Check Exception (Vector 18)  
#XF // SIMD Floating-Point Exception (Vector 19)  
  
//////////  
// Implicit Assignments  
//////////  
  
// V,Z,A,S are integer variables, assigned a value when an instruction begins  
// executing (they can be assigned a different value in the middle of an  
// instruction, if needed)  
IF (OPERAND_SIZE == 16) V = 2  
IF (OPERAND_SIZE == 32) V = 4  
IF (OPERAND_SIZE == 64) V = 8  
IF (OPERAND_SIZE == 16) Z = 2  
IF (OPERAND_SIZE == 32) Z = 4  
IF (OPERAND_SIZE == 64) Z = 4  
IF (ADDRESS_SIZE == 16) A = 2  
IF (ADDRESS_SIZE == 32) A = 4  
IF (ADDRESS_SIZE == 64) A = 8  
IF (STACK_SIZE == 16) S = 2  
IF (STACK_SIZE == 32) S = 4  
IF (STACK_SIZE == 64) S = 8  
  
//////////  
// Bit Range Inside a Register  
//////////  
  
temp_data[x:y] // Bits x through y (inclusive) of temp_data
```

```
//////////  
// Variables and data types  
//////////  
NxtValue = 5           //default data type is unsigned int.  
  
int                  //abstract data type representing an integer  
bool                 //abstract data type; either TRUE or FALSE  
vector               //An array of data elements. Individual elements are accessed via  
                     //an unsigned integer zero-based index. Elements have a data type.  
bit                  //a single bit  
byte                 //8-bit value  
word                 //16-bit value  
doubleword           //32-bit value  
quadword              //64-bit value  
octword              //128-bit value  
double octword        //256-bit value  
  
unsigned int aval    //treat aval as an unsigned integer value  
signed int valx     //treat valx as a signed integer value  
bit vector b_vect   //b_vect is an array of data elements. Each element is a bit.  
b_vect[5]            //The sixth element (bit) in the array. Indices are 0-based.  
  
//////////  
// Elements Within a packed data type  
//////////  
  
// element i of size w occupies bits [wi-1:wi]  
  
//////////  
// Moving Data From One Register To Another  
//////////  
temp_dest.b = temp_src; // 1-byte move (copies lower 8 bits of temp_src to  
                     // temp_dest, preserving the upper 56 bits of temp_dest)  
temp_dest.w = temp_src; // 2-byte move (copies lower 16 bits of temp_src to  
                     // temp_dest, preserving the upper 48 bits of temp_dest)  
temp_dest.d = temp_src; // 4-byte move (copies lower 32 bits of temp_src to  
                     // temp_dest; zeros out the upper 32 bits of temp_dest)  
temp_dest.q = temp_src; // 8-byte move (copies all 64 bits of temp_src to  
                     // temp_dest)  
temp_dest.v = temp_src; // 2-byte move if V==2  
                     // 4-byte move if V==4  
                     // 8-byte move if V==8  
temp_dest.z = temp_src; // 2-byte move if Z==2  
                     // 4-byte move if Z==4  
temp_dest.a = temp_src; // 2-byte move if A==2  
                     // 4-byte move if A==4  
                     // 8-byte move if A==8  
temp_dest.s = temp_src; // 2-byte move if S==2  
                     // 4-byte move if S==4  
                     // 8-byte move if S==8
```

```
//////////  
// Arithmetic Operators  
//////////  
a + b      // integer addition  
a - b      // integer subtraction  
a * b      // integer multiplication  
a / b      // integer division. Result is the quotient  
a % b      // modulo. Result is the remainder after a is divided by b  
// multiplication has precedence over addition where precedence is not explicitly  
// indicated by grouping terms with parentheses  
  
//////////  
// Bitwise Operators  
//////////  
// temp, a, and b are values or register contents of the same size  
temp = a AND b;    // Corresponding bits of a and b are logically ANDed together  
temp = a OR b;     // Corresponding bits of a and b are logically ORed together  
temp = a XOR b;    // Each bit of temp is the exclusive OR of the corresponding  
                   // bits of a and b  
temp = NOT a;      // Each bit of temp is the complement of the corresponding  
                   // bit of a  
  
// Concatenation  
value = {field1,field2,100b}; //pack values of field1, field2 and 100b  
size_of(value) = (size_of(field1) + size_of(field2) + 3)  
  
//////////  
// Logical Shift Operators  
//////////  
temp = a << b;      // Result is a shifted left by _b_ bit positions. Zeros are  
                   // shifted into vacant positions. Bits shifted out are lost.  
temp = a >> b;      // Result is a shifted right by _b_ bit positions. Zeros are  
                   // shifted into vacant positions. Bits shifted out are lost.  
  
//////////  
// Logical Operators  
//////////  
// a boolean variable can assume one of two values (TRUE or FALSE)  
// In these examples, FOO, BAR, CONE, and HEAD have been defined to be boolean  
// variables  
FOO && BAR // Logical AND  
FOO || BAR // Logical OR  
!FOO        // Logical complement (NOT)  
  
//////////  
// Comparison Operators  
//////////  
// a and b are integer values. The result is a boolean value.  
a == b      // if a and b are equal, the result is TRUE; otherwise it is FALSE.  
a != b      // if a and b are not equal, the result is TRUE; otherwise it is FALSE.
```

```

a > b      // if a is greater than b, the result is TRUE; otherwise it is FALSE.
a < b      // if a is less than b, the result is TRUE; otherwise it is FALSE.
a >= b     // if a is greater than or equal to b, the result is TRUE; otherwise
           // it is FALSE.
a <= b     // if a is less than or equal to b, the result is TRUE; otherwise
           // it is FALSE.
////////////////////////////// Logical Expressions ///////////////////////////////
// Logical binary (two operand) and unary (one operand) operators can be combined
// with comparison operators to form more complex expressions. Parentheses are
// used to enclose comparison terms and to show precedence. If precedence is not
// explicitly shown, logical AND has precedence over logical OR. Unary operators
// have precedence over binary operators.

FOO && (a < b) || !BAR // evaluate the comparison a < b first, then
                         // AND this with FOO. Finally OR this intermediate result
                         // with the complement of BAR.

// Logical expressions can be English phrases that can be evaluated to be TRUE
// or FALSE. Statements assume knowledge of the system architecture (APM Volumes
// 1 and 2).
////////////////////////////// Assignment Operators ///////////////////////////////
IF (it is raining)
    close the window

// Assignment Operators
////////////////////////////// Assignment Operators ///////////////////////////////
a = a + b // The value a is assigned the sum of the values a and b
          //
temp = R1 // The contents of the register temp is replaced by a copy of the
          // contents of register R1.
R0 += 2 // R0 is assigned the sum of the contents of R0 and the integer 2.
          //
R5 |= R6 // R5 is assigned the result of the bit-wise OR of the contents of R5
          // and R6. Contents of R6 is unchanged.
R4 &= R7 // R4 is assigned the result of the bit-wise AND of the contents of
          // R4 and R7. Contents of R7 is unchanged.
////////////////////////////// IF-THEN-ELSE ///////////////////////////////
// IF-THEN-ELSE
////////////////////////////// IF-THEN-ELSE ///////////////////////////////
IF (FOO) <expression> // evaluation of <expression> is dependent on FOO
                      // being TRUE. If FOO is FALSE, <expression> is not
                      // evaluated.

IF (FOO)
    <dependent expression1> // scope of IF is indicated by indentation
    ...
    <dependent expressionx>

```

```

IF (FOO)                                // If FOO is TRUE, <dependent expression> is
                                         // evaluated and the remaining ELSEIF and ELSE
                                         // clauses are skipped.
                                         //
<dependent expression>
ELSIF (BAR)                                // IF FOO is FALSE and BAR is TRUE, <alt expression>
                                         // is evaluated and the subsequent ELSEIF or ELSE
                                         // clauses are skipped.
ELSE
    <default expressions>                  // evaluated if all the preceding IF and ELSEIF
                                         // conditions are FALSE.

IF ((FOO && BAR) || (CONE && HEAD))   // The condition can be an expression.
    <dependent expressions>

////////////////////////////// // Loops //////////////////////////////
FOR i = <init_val> to <final_val>, BY <step>
    <expression>                      // scope of loop is indicated by indentation
                                         // if <step> = 1, may omit "BY" clause

// nested loop example
temp = 0                                     //initialize temp
FOR i = 0 to 7                               // i takes on the values 0 through 7 in succession
    temp += 1                                 // In the outer loop. Evaluated a total of 8 times.
    For j = 0 to 7, BY 2                     // j takes on the values 0, 2, 4, and 6; but not 7.
        <inner-most exp>                   // This will be evaluated a total of 8 * 4 times.
<next expression outside both loops>

// C Language form of loop syntax is also allowed

FOR (i = 0; i < MAX; i++)
{
    <expressions>                      //evaluated MAX times
}

////////////////////////////// // Functions //////////////////////////////
// Syntax for function definition
<return data type> <function_name>(argument,...)
    <expressions>
RETURN <result>

////////////////////////////// // Built-in Functions //////////////////////////////
SignExtend(arg) // returns value of _arg_ sign extended to the width of the data
                 // type of the function. Data type of function is inferred from
                 // the context of the function's invocation.

```

```
ZeroExtend(arg) // returns value of _arg_ zero extended to the width of the data
                // type of the function. Data type of function is inferred from
                // the context of the function's invocation.

indexof(reg)      //returns binary value used to encode reg specification

////////////////////////////// READ_MEM /////////////////////////////////
// READ_MEM
// General memory read. This zero-extends the data to 64 bits and returns it.
////////////////////////////// READ_MEM /////////////////////////////////

usage:
temp = READ_MEM.x [seg:offset] // where x is one of {v, z, b, w, d, q}
                                // and denotes the size of the memory read

definition:

IF ((seg AND 0xFFFC) == NULL)
    // GP fault for using a null segment to reference memory
    EXCEPTION [#GP(0)]

IF ((seg==CS) || (seg==DS) || (seg==ES) || (seg==FS) || (seg==GS))
    // CS,DS,ES,FS,GS check for segment limit or canonical

    IF (!64BIT_MODE) && (offset is outside seg's limit)
        // #GP fault for segment limit violation in non-64-bit mode
        EXCEPTION [#GP(0)]

    IF ((64BIT_MODE) && (offset is non-canonical))
        // #GP fault for non-canonical address in 64-bit mode
        EXCEPTION [#GP(0)]

ELSIF (seg==SS) // SS checks for segment limit or canonical

    IF (!64BIT_MODE) && (offset is outside seg's limit)
        // stack fault for segment limit violation in non-64-bit mode
        EXCEPTION [#SS(0)]

    IF ((64BIT_MODE) && (offset is non-canonical))
        // stack fault for non-canonical address in 64-bit mode
        EXCEPTION [#SS(0)]

ELSE // ((seg==GDT) || (seg==LDT) || (seg==IDT) || (seg==TSS))
    // GDT,LDT,IDT,TSS check for segment limit and canonical

    IF (offset > seg.limit)
        // #GP fault for segment limit violation in all modes
        EXCEPTION [#GP(0)]
```

```

IF ((LONG_MODE) && (offset is non-canonical))
    EXCEPTION [#GP(0)] // #GP fault for non-canonical address in long mode

IF ((ALIGNMENT_CHECK_ENABLED) && (offset misaligned, considering its
                                         size and alignment))
    EXCEPTION [#AC(0)]

IF ((64_bit_mode) && ((seg==CS) || (seg==DS) || (seg==ES) || (seg==SS)))
    temp_linear = offset
ELSE
    temp_linear = seg.base + offset

IF ((PAGING_ENABLED) && (virtual-to-physical translation for temp_linear
                           results in a page-protection violation))
    EXCEPTION [#PF(error_code)] // page fault for page-protection violation
                                // (U/S violation, Reserved bit violation)

IF ((PAGING_ENABLED) && (temp_linear is on a not-present page))
    EXCEPTION [#PF(error_code)] // page fault for not-present page

temp_data = memory [temp_linear].x // zero-extends the data to 64
                                   // bits, and saves it in temp_data

RETURN (temp_data) // return the zero-extended data

```

```
//////////////////////////////  
// WRITE_MEM // General memory write  
//////////////////////////////
```

usage:

```
WRITE_MEM.x [seg:offset] = temp.x // where <X> is one of these:
                                    // {V, Z, B, W, D, Q} and denotes the
                                    // size of the memory write
```

definition:

```

IF ((seg & 0xFFFF) == NULL) // GP fault for using a null segment
                           // to reference memory
    EXCEPTION [#GP(0)]

IF ((seg==CS) || (seg==DS) || (seg==ES) || (seg==FS) || (seg==GS))
    // CS,DS,ES,FS,GS check for segment limit or canonical
    IF ((!64BIT_MODE) && (offset is outside seg's limit))
        // #GP fault for segment limit violation in non-64-bit mode
        EXCEPTION [#GP(0)]
    IF ((64BIT_MODE) && (offset is non-canonical))
        // #GP fault for non-canonical address in 64-bit mode
        EXCEPTION [#GP(0)]
    ELSEIF (seg==SS) // SS checks for segment limit or canonical
        IF ((!64BIT_MODE) && (offset is outside seg's limit))

```

```

// stack fault for segment limit violation in non-64-bit mode
EXCEPTION [#SS(0)]
IF ((64BIT_MODE) && (offset is non-canonical))
    // stack fault for non-canonical address in 64-bit mode
    EXCEPTION [#SS(0)]
ELSE // ((seg==GDT) || (seg==LDT) || (seg==IDT) || (seg==TSS))
    // GDT,LDT,IDT,TSS check for segment limit and canonical
    IF (offset > seg.limit)
        // #GP fault for segment limit violation in all modes
        EXCEPTION [#GP(0)]
    IF ((LONG_MODE) && (offset is non-canonical))
        // #GP fault for non-canonical address in long mode
        EXCEPTION [#GP(0)]

IF ((ALIGNMENT_CHECK_ENABLED) && (offset is misaligned, considering
                                         its size and alignment))
    EXCEPTION [#AC(0)]

IF ((64_bit_mode) && ((seg==CS) || (seg==DS) || (seg==ES) || (seg==SS)))
    temp_linear = offset
ELSE
    temp_linear = seg.base + offset

IF ((PAGING_ENABLED) && (the virtual-to-physical translation for
                           temp_linear results in a page-protection violation))
{
    EXCEPTION [#PF(error_code)]
        // page fault for page-protection violation
        // (U/S violation, Reserved bit violation)
}

IF ((PAGING_ENABLED) && (temp_linear is on a not-present page))
    EXCEPTION [#PF(error_code)]           // page fault for not-present page

memory [temp_linear].x = temp.x          // write the bytes to memory

///////////////////////////////
// PUSH // Write data to the stack
///////////////////////////////

usage:
PUSH.x temp                         // where x is one of these: {v, z, b, w, d, q} and
                                      // denotes the size of the push

definition:

WRITE_MEM.x [SS:RSP.s - X] = temp.x      // write to the stack
RSP.s = RSP - X                        // point RSP to the data just written

```

```
//////////  

// POP // Read data from the stack, zero-extend it to 64 bits  

//////////  

usage:  

POP.x temp          // where x is one of these: {v, z, b, w, d, q} and  

                     // denotes the size of the pop  

definition:  

temp = READ_MEM.x [SS:RSP.s]           // read from the stack  

RSP.s = RSP + X                      // point RSP above the data just read  

  

//////////  

// READ_DESCRIPTOR // Read 8-byte descriptor from GDT/LDT, return the descriptor  

//////////  

usage:  

temp_descriptor = READ_DESCRIPTOR (selector, chktype)  

// chktype field is one of the following:  

// cs_chk      used for far call and far jump  

// clg_chk     used when reading CS for far call or far jump through call gate  

// ss_chk      used when reading SS  

// iret_chk    used when reading CS for IRET or RETF  

// intcs_chk   used when reading the CS for interrupts and exceptions  

definition:  

temp_offset = selector AND 0xffff8 // upper 13 bits give an offset  

                           // in the descriptor table  

  

IF (selector.TI == 0)           // read 8 bytes from the gdt, split it into  

                           // (base,limit,attr) if the type bits  

temp_desc = READ_MEM.q [gdt:temp_offset]  

                           // indicate a block of memory, or split  

                           // it into (segment,offset,attr)  

                           // if the type bits indicate  

                           // a gate, and save the result in temp_desc  

ELSE  

temp_desc = READ_MEM.q [ldt:temp_offset]  

                           // read 8 bytes from the LDT, split it into  

                           // (base,limit,attr) if the type bits  

                           // indicate a block of memory, or split  

                           // it into (segment,offset,attr) if the type  

                           // bits indicate a gate, and save the result  

                           // in temp_desc  

  

IF (selector.rpl or temp_desc.attr.dpl is illegal for the current mode/cpl)  

EXCEPTION [#GP(selector)]
```

```
IF (temp_desc.attr.type is illegal for the current mode/chktype)
    EXCEPTION [#GP(selector)]  
  
IF (temp_desc.attr.p==0)
    EXCEPTION [#NP(selector)]  
  
RETURN (temp_desc)  
  
//////////  
// READ_IDT // Read an 8-byte descriptor from the IDT, return the descriptor  
//////////  
  
usage:  
    temp_idt_desc = READ_IDT (vector)  
                                // "vector" is the interrupt vector number  
  
definition:  
  
    IF (LONG_MODE)           // long-mode idt descriptors are 16 bytes long
        temp_offset = vector*16
    ELSE // (LEGACY_MODE) legacy-protected-mode idt descriptors are 8 bytes long
        temp_offset = vector*8  
  
    // read 8 bytes from the idt, split it into
    // (segment,offset,attr), and save it in temp_desc
    temp_desc = READ_MEM.q [idt:temp_offset]  
  
    IF (temp_desc.attr.dpl is illegal for the current mode/cpl)
        // exception, with error code that indicates this IDT gate
        EXCEPTION [#GP(vector*8+2)]  
  
    IF (temp_desc.attr.type is illegal for the current mode)
        // exception, with error code that indicates this IDT gate
        EXCEPTION [#GP(vector*8+2)]  
  
    IF (temp_desc.attr.p==0)
        // segment-not-present exception, with an error code that
        // indicates this IDT gate
        EXCEPTION [#NP(vector*8+2)]  
  
RETURN (temp_desc)  
  
//////////  
// READ_INNER_LEVEL_SP
// Read a new stack pointer (RSP or SS:ESP) from the TSS
//////////  
  
usage:  
    temp_SS_desc:temp_RSP = READ_INNER_LEVEL_SP (new_cpl, ist_index)
```

definition:

```

IF (LONG_MODE)
{
    IF (ist_index>0)
        temp_RSP = READ_MEM.q [tss:ist_index*8+28] // read ISTn stack
                                                // pointer from the TSS
    ELSE // (ist_index==0)
        temp_RSP = READ_MEM.q [tss:new_cpl*8+4]    // read RSPn stack
                                                // pointer from the TSS

    // in long mode, changing to lower cpl sets SS.sel to NULL+new_cpl
    temp_SS_desc.sel = NULL + new_cpl

ELSE // (LEGACY_MODE)
{
    temp_RSP = READ_MEM.d [tss:new_cpl*8+4]          // read ESPn from the TSS
    temp_sel = READ_MEM.d [tss:new_cpl*8+8]          // read SSn from the TSS
    temp_SS_desc = READ_DESCRIPTOR (temp_sel, ss_chk)
}

return (temp_RSP,temp_SS_desc)

///////////////////////////////
// READ_BIT_ARRAY // Read 1 bit from a bit array in memory
/////////////////////////////

```

usage:

```
temp_value = READ_BIT_ARRAY ([mem], bit_number)
```

definition:

```

temp_BYTE = READ_MEM.b [mem + (bit_number SHR 3)]
                    // read the byte containing the bit

temp_BIT = temp_BYTE SHR (bit_number & 7)
                    // shift the requested bit position into bit 0

return (temp_BIT & 0x01)      // return '0' or '1'

/////////////////////////////
// Shadow Stack Functions
/////////////////////////////

define SSTK_ENABLED      = (CR4.CET) && (CR0.PE) && (!EFLAGS.VM)
define SSTK_USER_ENABLED = SSTK_ENABLED && (CPL==3) && (U_CET.SH_STK_EN)
define SSTK_SUPV_ENABLED = SSTK_ENABLED && (CPL <3) && (S_CET.SH_STK_EN)

bool ShadowStacksEnabled (privLevel)
IF ( SSTK_ENABLED &&
```

```

(( privLevel == 3) && U_CET.SH_STK_EN) ||
(( privLevel < 3) && S_CET.SH_STK_EN))
    RETURN (TRUE)
ELSE
    RETURN (FALSE)

///////////////////////////////
// SSTK_READ_MEM // read shadow stack memory
//      Usage: temp = SSTK_READ_MEM.x [linear_addr]
//              where x is either d or q (4 or 8 bytes)
///////////////////////////////

IF (PAGING_ENABLED) &&
    ( the linear address maps to a not-present page )
|| ( the linear address maps to a non-shadow stack page )
|| ( the access is user-mode &&
        the linear address maps to a supervisor shadow stack page )
|| ( the access is supervisor-mode &&
        the linear address maps to a user shadow stack page )
EXCEPTION [PF(error_code)] // page fault, with the SS (shadow stack) bit
                            // set in error_code and the present and
                            // protection violation bits as appropriate
temp_data.x = memory [linear_addr].x
RETURN (temp_data)

///////////////////////////////
// SSTK_WRITE_MEM // write shadow stack memory
//      Usage: SSTK_WRITE_MEM.x [linear_addr] = temp.x
//              where x is either d or q (4 or 8 bytes)
///////////////////////////////

IF (PAGING_ENABLED) &&
    ( the linear address maps to a not-present page )
|| ( the linear address maps to a non-shadow stack page )
|| ( the access is user-mode &&
        the linear address maps to a supervisor shadow stack page )
|| ( the access is supervisor-mode &&
        the linear address maps to a user shadow stack page )
EXCEPTION [PF(error_code)] // page fault, w/ the SS (shadow stack) bit
                            // set in error_code and the present and
                            // protection violation bits as appropriate
memory [linear_addr].x = temp.x

///////////////////////////////
// SET_SSTK_TOKEN_BUSY (new_SSP)
//      Checks shadow stack token and if valid set the token's busy bit
// Usage: SET_SSTK_TOKEN_BUSY (new_SSP)
///////////////////////////////

IF (new_SSP[2:0] != 0)                                // new SSP must be 8-byte aligned
EXCEPTION [#GP(0)]

```

```

// check shadow stack token and set busy
bool FAULT = FALSE
< start atomic section >
temp_Token = SSTK_READ_MEM.q [new_SSP] // fetch token with locked read
IF ((!64-bit mode) && (temp_token[63:32] != 0))
    FAULT = TRUE                      // address in token must be <4GB
                                         // in legacy/compatibility mode
IF ((temp_Token AND 0x01) != 0)
    FAULT = TRUE                      // token busy bit must be 0
IF ((temp_Token AND ~0x01) != new_SSP)
    FAULT = TRUE                      // address in token must match new SSP
IF (!FAULT)
    temp_Token = temp_Token OR 0x01 // if no faults, set token busy bit
SSTK_WRITE_MEM.q [new_SSP] = temp_Token // write token and unlock
< end atomic section >
IF (FAULT)
    EXCEPTION [#GP(0)]

///////////////////////////////
// Secure Nested Paging Functions
///////////////////////////////

define RMP_BASE = RMP_BASE_MSR
define RMP_END = RMP_END_MSR
define SEGMENTED_RMP = RMP_CFG_MSR.SEGMENTED_RMP_EN
define RMP_SEG_SIZE = RMP_CFG_MSR.RMP_SEGMENT_SIZE
define NUM_SEG_REDUCTION = CPUID Fn8000_0025_EBX[NumSegmentReduction]
define NUM_CACHED_SEG = CPUID Fn8000_0025_EBX[NumCachedSegments]

/////////////////////////////
// GET_RMP_ENTRY_ADDR (SYSTEM_PA)
// Checks if a system physical address is covered by RMP, and if covered
// returns RMP entry address
// Usage: GET_RMP_ENTRY_ADDR (SYSTEM_PA)
/////////////////////////////

RMP_COVERED = FALSE

IF (SEGMENTED_RMP)
    IF (NUM_SEG_REDUCTION)
        N = NUM_CACHED_SEG
    ELSE
        N = 512

    IF (SYSTEM_PA < N * 2^RMP_SEG_SIZE)
        RST_INDEX = SYSTEM_PA[RMP_SEG_SIZE+8:RMP_SEG_SIZE]
        RST_PA = RMP_BASE + 0x4000 + RST_INDEX * 8
        RST_ENTRY = READ_MEM_PA.o [RST_PA]
        MAPPED_SIZE = RST_ENTRY[19:0]
        RMP_SEGMENT_BASE = {RST_ENTRY[51:20], 00000h}
        SYSTEM_PA_SEGMENT = SYSTEM_PA[RMP_SEG_SIZE-1:30]

```

```
SYSTEM_PA_OFFSET = SYSTEM_PA[RMP_SEG_SIZE-1:0]
IF (SYSTEM_PA_SEGMENT < MAPPED_SIZE)
    RMP_ENTRY_PA = RMP_SEGMENT_BASE + (SYSTEM_PA_OFFSET/0x1000) * 16
    COVERED = TRUE
ELSE
    RMP_ENTRY_PA = RMP_BASE + 0x4000 + (SYSTEM_PA / 0x1000) * 16
    IF (RMP_ENTRY_PA <= RMP_END)
        RMP_COVERED = TRUE

RETURN (RMP_COVERED, RMP_ENTRY_PA)
```

## 3 General-Purpose Instruction Reference

This chapter describes the function, mnemonic syntax, opcodes, affected flags, and possible exceptions generated by the general-purpose instructions. General-purpose instructions are used in basic software execution. Most of these instructions load, store, or operate on data located in the general-purpose registers (GPRs), in memory, or in both. The remaining instructions are used to alter the sequential flow of the program by branching to other locations within the program, or to entirely different programs. With the exception of the MOVD, MOVMSKPD and MOVMSKPS instructions, which operate on MMX/XMM registers, the instructions within the category of general-purpose instructions do not operate on any other register set.

Most general-purpose instructions are supported in all hardware implementations of the AMD64 architecture. However, some instructions in this group are optional and support must be determined by testing processor feature flags using the CPUID instruction. These instructions are listed in Table 3-1, along with the CPUID function, register and bit used to test for the presence of the instruction.

**Table 3-1. Instruction Support Indicated by CPUID Feature Bits**

| Instruction                             | CPUID Function(s)      | Register[Bit] | Feature Flag |
|-----------------------------------------|------------------------|---------------|--------------|
| ADCX, ADOX                              | 0000_0007h (ECX=0)     | EBX[19]       | ADX          |
| Bit Manipulation Instructions - group 1 | 0000_0007h (ECX=0)     | EBX[3]        | BMI1         |
| Bit Manipulation Instructions - group 2 | 0000_0007h (ECX=0)     | EBX[8]        | BMI2         |
| CLFLOPT                                 | 0000_0007_0            | EBX[23]       | CLFLOPT      |
| CLWB                                    | 0000_0007h (ECX=0)     | EBX[24]       | CLWB         |
| CLZERO                                  | 8000_0008h             | EBX[0]        | CLZERO       |
| CMPXCHG8B                               | 0000_0001h, 8000_0001h | EDX[8]        | CMPXCHG8B    |
| CMPXCHG16B                              | 0000_0001h             | ECX[13]       | CMPXCHG16B   |
| CMOVcc (Conditional Moves)              | 0000_0001h, 8000_0001h | EDX[15]       | CMOV         |
| CLFLUSH                                 | 0000_0001h             | EDX[19]       | CLFSH        |
| CRC32                                   | 0000_0001h             | ECX[20]       | SSE42        |
| LAHF, SAHF                              | 8000_0001h             | ECX[0]        | LahfSahf     |
| LZCNT                                   | 8000_0001h             | ECX[5]        | ABM          |
| Long Mode and Long Mode instructions    | 8000_0001h             | EDX[29]       | LM           |
| MCOMMIT                                 | 8000_0008h             | EBX[8]        | MCOMMIT      |
| MFENCE, LFENCE                          | 0000_0001h             | EDX[26]       | SSE2         |
| MONITORX, MWAITX                        | 8000_0001h             | ECX[29]       | MONITORX     |
| MOVBE                                   | 0000_0001h             | ECX[22]       | MOVBE        |

**Table 3-1. Instruction Support Indicated by CPUID Feature Bits (continued)**

| Instruction                              | CPUID Function(s)      | Register[Bit] | Feature Flag  |
|------------------------------------------|------------------------|---------------|---------------|
| MOVD <sup>1</sup>                        | 0000_0001h, 8000_0001h | EDX[23]       | MMX           |
|                                          | 0000_0001h             | EDX[26]       | SSE2          |
| MOVNTI                                   | 0000_0001h             | EDX[26]       | SSE2          |
| POPCNT                                   | 0000_0001h             | ECX[23]       | POPCNT        |
| PREFETCH / PREFETCHW <sup>2</sup>        | 8000_0001h             | ECX[8]        | 3DNowPrefetch |
|                                          |                        | EDX[29]       | LM            |
|                                          |                        | EDX[31]       | 3DNow         |
| RDFSBASE, RDGSBASE<br>WRFSBASE, WRGSBASE | 0000_0007h (ECX=0)     | EBX[0]        | FSGSBASE      |
| RDPRU                                    | 8000_0008h             | EBX[4]        | RDPRU         |
| RDRAND                                   | 0000_0001h             | ECX[30]       | RDRAND        |
| RDSEED                                   | 0000_0007h (ECX=0)     | EBX[18]       | RDSEED        |
| RDPID                                    | 0000_0007h (ECX=0)     | ECX[22]       | RDPID         |
| SFENCE                                   | 0000_0001h             | EDX[25]       | SSE           |
| Trailing Bit Manipulation Instructions   | 8000_0001h             | ECX[21]       | TBM           |

**Notes:**

1. The MOVD variant that moves values to or from MMX registers is part of the MMX subset; the MOVD variant that moves data to or from XMM registers is part of the SSE2 subset.
2. Instruction is supported if any one of the listed feature flags is set.

For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171. For a comprehensive list of all instruction support feature flags, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

The general-purpose instructions can be used in legacy mode or 64-bit long mode. Compilation of general-purpose programs for execution in 64-bit long mode offers three primary advantages: access to the eight extended, 64-bit general-purpose registers (for a register set consisting of GPR0–GPR15), access to the 64-bit virtual address space, and access to the RIP-relative addressing mode.

For further information about the general-purpose instructions and register resources, see:

- “General-Purpose Programming” in APM Volume 1.
- “Summary of Registers and Data Types” on page 42.
- “Notation” on page 57.
- “Instruction Prefixes” on page 5.
- Appendix B, “General-Purpose Instructions in 64-Bit Mode.” In particular, see “General Rules for 64-Bit Mode” on page 581.

**AAA****ASCII Adjust After Addition**

Adjusts the value in the AL register to an unpacked BCD value. Use the AAA instruction after using the ADD instruction to add two unpacked BCD numbers.

The instruction is coded without explicit operands:

```
AAA
```

If the value in the lower nibble of AL is greater than 9 or the AF flag is set to 1, the instruction increments the AH register, adds 6 to the AL register, and sets the CF and AF flags to 1. Otherwise, it does not change the AH register and clears the CF and AF flags to 0. In either case, AAA clears bits 7:4 of the AL register, leaving the correct decimal digit in bits 3:0.

This instruction also makes it possible to add ASCII numbers without having to mask off the upper nibble ‘3’.

**MXCSR Flags Affected**

Using this instruction in 64-bit mode generates an invalid-opcode exception.

| Mnemonic | Opcode | Description                                                 |
|----------|--------|-------------------------------------------------------------|
| AAA      | 37     | Create an unpacked BCD number.<br>(Invalid in 64-bit mode.) |

**Related Instructions**

AAD, AAM, AAS

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | M  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception              | Real | Virtual 8086 | Protected | Cause of Exception                            |
|------------------------|------|--------------|-----------|-----------------------------------------------|
| Invalid opcode,<br>#UD |      |              | X         | This instruction was executed in 64-bit mode. |

## AAD

## ASCII Adjust Before Division

Converts two unpacked BCD digits in the AL (least significant) and AH (most significant) registers to a single binary value in the AL register.

The instruction is coded without explicit operands:

AAD

The instruction performs the following operation on the contents of AL and AH using the formula:

$$\text{AL} = ((10d * \text{AH}) + (\text{AL}))$$

After the conversion, AH is cleared to 00h.

In most modern assemblers, the AAD instruction adjusts from base-10 values. However, by coding the instruction directly in binary, it can adjust from any base specified by the immediate byte value (*ib*) suffixed onto the D5h opcode. For example, code D508h for octal, D50Ah for decimal, and D50Ch for duodecimal (base 12).

Using this instruction in 64-bit mode generates an invalid-opcode exception.

| Mnemonic | Opcode       | Description                                                                    |
|----------|--------------|--------------------------------------------------------------------------------|
| AAD      | D5 0A        | Adjust two BCD digits in AL and AH.<br>(Invalid in 64-bit mode.)               |
| (None)   | D5 <i>ib</i> | Adjust two BCD digits to the immediate byte base.<br>(Invalid in 64-bit mode.) |

## Related Instructions

AAA, AAM, AAS

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | M  | M  | U  | M  | U  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception              | Real | Virtual 8086 | Protected | Cause of Exception                            |
|------------------------|------|--------------|-----------|-----------------------------------------------|
| Invalid opcode,<br>#UD |      |              | X         | This instruction was executed in 64-bit mode. |

## AAM

## ASCII Adjust After Multiply

Converts the value in the AL register from binary to two unpacked BCD digits in the AH (most significant) and AL (least significant) registers.

The instruction is coded without explicit operands:

AAM

The instruction performs the following operation on the contents of AL and AH using the formula:

$$\begin{aligned} \text{AH} &= (\text{AL}/10\text{d}) \\ \text{AL} &= (\text{AL} \bmod 10\text{d}) \end{aligned}$$

In most modern assemblers, the AAM instruction adjusts to base-10 values. However, by coding the instruction directly in binary, it can adjust to any base specified by the immediate byte value (*ib*) suffixed onto the D4h opcode. For example, code D408h for octal, D40Ah for decimal, and D40Ch for duodecimal (base 12).

Using this instruction in 64-bit mode generates an invalid-opcode exception.

| Mnemonic | Opcode       | Description                                                                               |
|----------|--------------|-------------------------------------------------------------------------------------------|
| AAM      | D4 0A        | Create a pair of unpacked BCD values in AH and AL.<br>(Invalid in 64-bit mode.)           |
| (None)   | D4 <i>ib</i> | Create a pair of unpacked values to the immediate byte base.<br>(Invalid in 64-bit mode.) |

## Related Instructions

AAA, AAD, AAS

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | M  | M  | U  | M  | U  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M. Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception           | Real | Virtual 8086 | Protected | Cause of Exception                            |
|---------------------|------|--------------|-----------|-----------------------------------------------|
| Divide by zero, #DE | X    | X            | X         | 8-bit immediate value was 0.                  |
| Invalid opcode, #UD |      |              | X         | This instruction was executed in 64-bit mode. |

## AAS

## ASCII Adjust After Subtraction

Adjusts the value in the AL register to an unpacked BCD value. Use the AAS instruction after using the SUB instruction to subtract two unpacked BCD numbers.

The instruction is coded without explicit operands:

AAS

If the value in AL is greater than 9 or the AF flag is set to 1, the instruction decrements the value in AH, subtracts 6 from the AL register, and sets the CF and AF flags to 1. Otherwise, it clears the CF and AF flags and the AH register is unchanged. In either case, the instruction clears bits 7:4 of the AL register, leaving the correct decimal digit in bits 3:0.

Using this instruction in 64-bit mode generates an invalid-opcode exception.

| Mnemonic | Opcode | Description                                                                                      |
|----------|--------|--------------------------------------------------------------------------------------------------|
| AAS      | 3F     | Create an unpacked BCD number from the contents of the AL register.<br>(Invalid in 64-bit mode.) |

## Related Instructions

AAA, AAD, AAM

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | M  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception              | Real | Virtual 8086 | Protected | Cause of Exception                            |
|------------------------|------|--------------|-----------|-----------------------------------------------|
| Invalid opcode,<br>#UD |      |              | X         | This instruction was executed in 64-bit mode. |

**ADC****Add with Carry**

Adds the carry flag (CF), the value in a register or memory location (first operand), and an immediate value or the value in a register or memory location (second operand), and stores the result in the first operand location.

The instruction has two operands:

**ADC *dest*, *src***

The instruction cannot add two memory operands. The CF flag indicates a pending carry from a previous addition operation. The instruction sign-extends an immediate value to the length of the destination register or memory location.

This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF flags to indicate a carry in a signed or unsigned result, respectively. It sets the SF flag to indicate the sign of a signed result.

Use the ADC instruction after an ADD instruction as part of a multibyte or multiword addition.

The forms of the ADC instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                    | Opcode          | Description                                              |
|-----------------------------|-----------------|----------------------------------------------------------|
| ADC AL, <i>imm8</i>         | 14 <i>ib</i>    | Add <i>imm8</i> to AL + CF.                              |
| ADC AX, <i>imm16</i>        | 15 <i>iw</i>    | Add <i>imm16</i> to AX + CF.                             |
| ADC EAX, <i>imm32</i>       | 15 <i>id</i>    | Add <i>imm32</i> to EAX + CF.                            |
| ADC RAX, <i>imm32</i>       | 15 <i>id</i>    | Add sign-extended <i>imm32</i> to RAX + CF.              |
| ADC <i>reg/mem8, imm8</i>   | 80 /2 <i>ib</i> | Add <i>imm8</i> to <i>reg/mem8</i> + CF.                 |
| ADC <i>reg/mem16, imm16</i> | 81 /2 <i>iw</i> | Add <i>imm16</i> to <i>reg/mem16</i> + CF.               |
| ADC <i>reg/mem32, imm32</i> | 81 /2 <i>id</i> | Add <i>imm32</i> to <i>reg/mem32</i> + CF.               |
| ADC <i>reg/mem64, imm32</i> | 81 /2 <i>id</i> | Add sign-extended <i>imm32</i> to <i>reg/mem64</i> + CF. |
| ADC <i>reg/mem16, imm8</i>  | 83 /2 <i>ib</i> | Add sign-extended <i>imm8</i> to <i>reg/mem16</i> + CF.  |
| ADC <i>reg/mem32, imm8</i>  | 83 /2 <i>ib</i> | Add sign-extended <i>imm8</i> to <i>reg/mem32</i> + CF.  |
| ADC <i>reg/mem64, imm8</i>  | 83 /2 <i>ib</i> | Add sign-extended <i>imm8</i> to <i>reg/mem64</i> + CF.  |
| ADC <i>reg/mem8, reg8</i>   | 10 / <i>r</i>   | Add <i>reg8</i> to <i>reg/mem8</i> + CF                  |
| ADC <i>reg/mem16, reg16</i> | 11 / <i>r</i>   | Add <i>reg16</i> to <i>reg/mem16</i> + CF.               |
| ADC <i>reg/mem32, reg32</i> | 11 / <i>r</i>   | Add <i>reg32</i> to <i>reg/mem32</i> + CF.               |
| ADC <i>reg/mem64, reg64</i> | 11 / <i>r</i>   | Add <i>reg64</i> to <i>reg/mem64</i> + CF.               |
| ADC <i>reg8, reg/mem8</i>   | 12 / <i>r</i>   | Add <i>reg/mem8</i> to <i>reg8</i> + CF.                 |
| ADC <i>reg16, reg/mem16</i> | 13 / <i>r</i>   | Add <i>reg/mem16</i> to <i>reg16</i> + CF.               |

| Mnemonic                    | Opcode | Description                                |
|-----------------------------|--------|--------------------------------------------|
| ADC <i>reg32, reg/mem32</i> | 13 /r  | Add <i>reg/mem32</i> to <i>reg32</i> + CF. |
| ADC <i>reg64, reg/mem64</i> | 13 /r  | Add <i>reg/mem64</i> to <i>reg64</i> + CF. |

## Related Instructions

ADD, SBB, SUB

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X            | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |              | X         | The destination operand was in a non-writable segment.                            |
|                         |      |              | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X            | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**ADCX****Unsigned ADD with Carry Flag**

Adds the value in a register (first operand) with a register or memory (second operand) and the carry flag, and stores the result in the first operand location. This instruction sets the CF based on the unsigned addition. This instruction is useful in multi-precision addition algorithms.

This is an ADX instructions. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX[ADX]=1.

| Mnemonic              | Opcode         | Description                   |
|-----------------------|----------------|-------------------------------|
| ADCX reg32, reg/mem32 | 66 0F 38 F6 /r | Unsigned add with carryflag   |
| ADCX reg64, reg/mem64 | 66 0F 38 F6 /r | Unsigned add with carry flag. |

**Related Instructions**

ADOX

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                         |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                           |
|---------------------|------|-----------------|-----------|--------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | Instruction not supported by CPUID Fn0000_0007_EBX[ADX] = 0. |
|                     | X    |                 | X         | Lock prefix (F0h) preceding opcode.                          |

**ADD****Signed or Unsigned Add**

Adds the value in a register or memory location (first operand) and an immediate value or the value in a register or memory location (second operand), and stores the result in the first operand location.

The instruction has two operands:

`ADD dest, src`

The instruction cannot add two memory operands. The instruction sign-extends an immediate value to the length of the destination register or memory operand.

This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF flags to indicate a carry in a signed or unsigned result, respectively. It sets the SF flag to indicate the sign of a signed result.

The forms of the ADD instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                    | Opcode   | Description                                          |
|-----------------------------|----------|------------------------------------------------------|
| ADD AL, <i>imm8</i>         | 04 /b    | Add <i>imm8</i> to AL.                               |
| ADD AX, <i>imm16</i>        | 05 /w    | Add <i>imm16</i> to AX.                              |
| ADD EAX, <i>imm32</i>       | 05 /d    | Add <i>imm32</i> to EAX.                             |
| ADD RAX, <i>imm32</i>       | 05 /d    | Add sign-extended <i>imm32</i> to RAX.               |
| ADD <i>reg/mem8, imm8</i>   | 80 /0 /b | Add <i>imm8</i> to <i>reg/mem8</i> .                 |
| ADD <i>reg/mem16, imm16</i> | 81 /0 /w | Add <i>imm16</i> to <i>reg/mem16</i>                 |
| ADD <i>reg/mem32, imm32</i> | 81 /0 /d | Add <i>imm32</i> to <i>reg/mem32</i> .               |
| ADD <i>reg/mem64, imm32</i> | 81 /0 /d | Add sign-extended <i>imm32</i> to <i>reg/mem64</i> . |
| ADD <i>reg/mem16, imm8</i>  | 83 /0 /b | Add sign-extended <i>imm8</i> to <i>reg/mem16</i>    |
| ADD <i>reg/mem32, imm8</i>  | 83 /0 /b | Add sign-extended <i>imm8</i> to <i>reg/mem32</i> .  |
| ADD <i>reg/mem64, imm8</i>  | 83 /0 /b | Add sign-extended <i>imm8</i> to <i>reg/mem64</i> .  |
| ADD <i>reg/mem8, reg8</i>   | 00 /r    | Add <i>reg8</i> to <i>reg/mem8</i> .                 |
| ADD <i>reg/mem16, reg16</i> | 01 /r    | Add <i>reg16</i> to <i>reg/mem16</i> .               |
| ADD <i>reg/mem32, reg32</i> | 01 /r    | Add <i>reg32</i> to <i>reg/mem32</i> .               |
| ADD <i>reg/mem64, reg64</i> | 01 /r    | Add <i>reg64</i> to <i>reg/mem64</i> .               |
| ADD <i>reg8, reg/mem8</i>   | 02 /r    | Add <i>reg/mem8</i> to <i>reg8</i> .                 |
| ADD <i>reg16, reg/mem16</i> | 03 /r    | Add <i>reg/mem16</i> to <i>reg16</i> .               |
| ADD <i>reg32, reg/mem32</i> | 03 /r    | Add <i>reg/mem32</i> to <i>reg32</i> .               |
| ADD <i>reg64, reg/mem64</i> | 03 /r    | Add <i>reg/mem64</i> to <i>reg64</i> .               |

## Related Instructions

ADC, SBB, SUB

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## ADOX

## Unsigned ADD with Overflow Flag

Adds the value in a register (first operand) with a register or memory (second operand) and the overflow flag, and stores the result in the first operand location. This instruction sets the OF based on the unsigned addition and whether there is a carry out. This instruction is useful in multi-precision addition algorithms.

This is an ADX instructions. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX[ADX]=1.

| Mnemonic              | Opcode         | Description                      |
|-----------------------|----------------|----------------------------------|
| ADOX reg32, reg/mem32 | F3 0F 38 F6 /r | Unsigned add with overflow flag  |
| ADOX reg64, reg/mem64 | F3 0F 38 F6 /r | Unsigned add with overflow flag. |

### Related Instructions

ADCX

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                         |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                           |
|---------------------|------|-----------------|-----------|--------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | Instruction not supported by CPUID Fn0000_0007_EBX[ADX] = 0. |
|                     | X    |                 | X         | Lock prefix (F0h) preceding opcode.                          |

**AND****Logical AND**

Performs a bit-wise logical and operation on the value in a register or memory location (first operand) and an immediate value or the value in a register or memory location (second operand), and stores the result in the first operand location. Both operands cannot be memory locations.

The instruction has two operands:

**AND dest, src**

The instruction sets each bit of the result to 1 if the corresponding bit of both operands is set; otherwise, it clears the bit to 0. The following table shows the truth table for the logical and operation:

| X | Y | X and Y |
|---|---|---------|
| 0 | 0 | 0       |
| 0 | 1 | 0       |
| 1 | 0 | 0       |
| 1 | 1 | 1       |

The forms of the AND instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                    | Opcode          | Description                                                                                      |
|-----------------------------|-----------------|--------------------------------------------------------------------------------------------------|
| AND AL, <i>imm8</i>         | 24 <i>ib</i>    | and the contents of AL with an immediate 8-bit value and store the result in AL.                 |
| AND AX, <i>imm16</i>        | 25 <i>iw</i>    | and the contents of AX with an immediate 16-bit value and store the result in AX.                |
| AND EAX, <i>imm32</i>       | 25 <i>id</i>    | and the contents of EAX with an immediate 32-bit value and store the result in EAX.              |
| AND RAX, <i>imm32</i>       | 25 <i>id</i>    | and the contents of RAX with a sign-extended immediate 32-bit value and store the result in RAX. |
| AND <i>reg/mem8, imm8</i>   | 80 /4 <i>ib</i> | and the contents of <i>reg/mem8</i> with <i>imm8</i> .                                           |
| AND <i>reg/mem16, imm16</i> | 81 /4 <i>iw</i> | and the contents of <i>reg/mem16</i> with <i>imm16</i> .                                         |
| AND <i>reg/mem32, imm32</i> | 81 /4 <i>id</i> | and the contents of <i>reg/mem32</i> with <i>imm32</i> .                                         |
| AND <i>reg/mem64, imm32</i> | 81 /4 <i>id</i> | and the contents of <i>reg/mem64</i> with sign-extended <i>imm32</i> .                           |
| AND <i>reg/mem16, imm8</i>  | 83 /4 <i>ib</i> | and the contents of <i>reg/mem16</i> with a sign-extended 8-bit value.                           |
| AND <i>reg/mem32, imm8</i>  | 83 /4 <i>ib</i> | and the contents of <i>reg/mem32</i> with a sign-extended 8-bit value.                           |
| AND <i>reg/mem64, imm8</i>  | 83 /4 <i>ib</i> | and the contents of <i>reg/mem64</i> with a sign-extended 8-bit value.                           |

| Mnemonic             | Opcode | Description                                                                                      |
|----------------------|--------|--------------------------------------------------------------------------------------------------|
| AND reg/mem8, reg8   | 20 /r  | and the contents of an 8-bit register or memory location with the contents of an 8-bit register. |
| AND reg/mem16, reg16 | 21 /r  | and the contents of a 16-bit register or memory location with the contents of a 16-bit register. |
| AND reg/mem32, reg32 | 21 /r  | and the contents of a 32-bit register or memory location with the contents of a 32-bit register. |
| AND reg/mem64, reg64 | 21 /r  | and the contents of a 64-bit register or memory location with the contents of a 64-bit register. |
| AND reg8, reg/mem8   | 22 /r  | and the contents of an 8-bit register with the contents of an 8-bit memory location or register. |
| AND reg16, reg/mem16 | 23 /r  | and the contents of a 16-bit register with the contents of a 16-bit memory location or register. |
| AND reg32, reg/mem32 | 23 /r  | and the contents of a 32-bit register with the contents of a 32-bit memory location or register. |
| AND reg64, reg/mem64 | 23 /r  | and the contents of a 64-bit register with the contents of a 64-bit memory location or register. |

## Related Instructions

TEST, OR, NOT, NEG, XOR

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | M  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X            | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |              | X         | The destination operand was in a non-writable segment.                            |
|                         |      |              | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X            | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## ANDN

## Logical And-Not

Performs a bit-wise logical and of the second source operand and the one's complement of the first source operand and stores the result into the destination operand.

This instruction has three operands:

`ANDN dest, src1, src2`

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64-bit; if VEX.W is 0, the operand size is 32-bit. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination operand (*dest*) is always a general purpose register.

The first source operand (*src1*) is a general purpose register and the second source operand (*src2*) is either a general purpose register or a memory operand.

This instruction implements the following operation:

```
not tmp, src1
and dest, tmp, src2
```

The flags are set according to the result of the and pseudo-operation.

The ANDN instruction is a BMI1 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI1] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                            |                                   |        |
|------------------------------|----------|----------------------------|-----------------------------------|--------|
|                              | VEX      | RXB.map_select             | W.vvvv.L.pp                       | Opcode |
| ANDN reg32, reg32, reg/mem32 | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{src1}}$ .0.00 | F2 /r  |
| ANDN reg64, reg64, reg/mem64 | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{src1}}$ .0.00 | F2 /r  |

## Related Instructions

BEXTR, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSSMK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>80806 | Protected | Cause of Exception                                                                    |
|-------------------------|------|------------------|-----------|---------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X                |           | BMI instructions are only recognized in protected mode.                               |
|                         |      |                  | X         | BMI instructions are not supported as indicated by CPUID Fn0000_0007_EBX_x0[BMI] = 0. |
|                         |      |                  | X         | VEX.L is 1.                                                                           |
| Stack, #SS              |      |                  | X         | A memory address exceeded the stack segment limit or was non-canonical.               |
| General protection, #GP |      |                  | X         | A memory address exceeded a data segment limit or was non-canonical.                  |
|                         |      |                  | X         | A null data segment was used to reference memory.                                     |
| Page fault, #PF         |      |                  | X         | A page fault resulted from the execution of the instruction.                          |
| Alignment check, #AC    |      |                  | X         | An unaligned memory reference was performed while alignment checking was enabled.     |

## BEXTR (register form)

Extracts a contiguous field of bits from the first source operand, as specified by the control field setting in the second source operand and puts the extracted field into the least significant bit positions of the destination. The remaining bits in the destination register are cleared to 0.

This instruction has three operands:

**BEXTR *dest, src, cntl***

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64-bit; if VEX.W is 0, the operand size is 32-bit. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is either a general purpose register or a memory operand.

The control (*cntl*) operand is a general purpose register that provides two fields describing the range of bits to extract:

- *lsb\_index* (in bits 7:0)—specifies the index of the least significant bit of the field
- *length* (in bits 15:8)—specifies the number of bits in the field.

The position of the extracted field can be expressed as:

[*lsb\_index* + *length* - 1] : [*lsb\_index*]

For example, if the *lsb\_index* is 7 and *length* is 5, then bits 11:7 of the source will be copied to bits 4:0 of the destination, with the rest of the destination being zero-filled. Zeros are provided for any bit positions in the specified range that lie beyond the most significant bit of the source operand. A length value of zero results in all zeros being written to the destination.

This form of the BEXTR instruction is a BMI1 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI1] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

## Bit Field Extract

## Related Instructions

ANDN, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | U  | M  | U  | U  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

*Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.*

## Exceptions

| Exception               | Mode |                 |           | Cause of Exception                                                                     |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                        |
| Invalid opcode, #UD     | X    | X               |           | BMI instructions are only recognized in protected mode.                                |
|                         |      |                 | X         | BMI instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                            |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                   |
|                         |      |                 | X         | A null data segment was used to reference memory.                                      |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                           |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.      |

## BEXTR (immediate form)

Extracts a contiguous field of bits from the first source operand, as specified by the control field setting in the second source operand and puts the extracted field into the least significant bit positions of the destination. The remaining bits in the destination register are cleared to 0.

This instruction has three operands:

**BEXTR** *dest, src, cntl*

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is either a general purpose register or a memory operand.

The control (*cntl*) operand is a 32-bit immediate value that provides two fields describing the range of bits to extract:

- *lsb\_index* (in immediate operand bits 7:0)—specifies the index of the least significant bit of the field
- *length* (in immediate operand bits 15:8)—specifies the number of bits in the field.

The position of the extracted field can be expressed as:

[*lsb\_index* + *length* - 1] : [*lsb\_index*]

For example, if the *lsb\_index* is 7 and *length* is 5, then bits 11:7 of the source will be copied to bits 4:0 of the destination, with the rest of the destination being zero-filled. Zeros are provided for any bit positions in the specified range that lie beyond the most significant bit of the source operand. A length value of zero results in all zeros being written to the destination.

This form of the BEXTR instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM]=1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

## Bit Field Extract

### Bit Field Extract

#### (immediate form)

Extracts a contiguous field of bits from the first source operand, as specified by the control field setting in the second source operand and puts the extracted field into the least significant bit positions of the destination. The remaining bits in the destination register are cleared to 0.

This instruction has three operands:

**Bit Field Extract** *dest, src, cntl*

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is either a general purpose register or a memory operand.

The control (*cntl*) operand is a 32-bit immediate value that provides two fields describing the range of bits to extract:

- *lsb\_index* (in immediate operand bits 7:0)—specifies the index of the least significant bit of the field
- *length* (in immediate operand bits 15:8)—specifies the number of bits in the field.

The position of the extracted field can be expressed as:

[*lsb\_index* + *length* - 1] : [*lsb\_index*]

For example, if the *lsb\_index* is 7 and *length* is 5, then bits 11:7 of the source will be copied to bits 4:0 of the destination, with the rest of the destination being zero-filled. Zeros are provided for any bit positions in the specified range that lie beyond the most significant bit of the source operand. A length value of zero results in all zeros being written to the destination.

This form of the Bit Field Extract instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM]=1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                             | Encoding |                |             |           |
|--------------------------------------|----------|----------------|-------------|-----------|
|                                      | XOP      | RXB.map_select | W.vvvv.L.pp | Opcode    |
| BEXTR <i>reg32, reg/mem32, imm32</i> | 8F       | —<br>RXB.0A    | 0.1111.0.00 | 10 /r /id |
| BEXTR <i>reg64, reg/mem64, imm32</i> | 8F       | —<br>RXB.0A    | 1.1111.0.00 | 10 /r /id |

## Related Instructions

ANDN, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | U  | M  | U  | U  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

*Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.*

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

**BLCFILL****Fill From Lowest Clear Bit**

Finds the least significant zero bit in the source operand, clears all bits below that bit to 0 and writes the result to the destination. If there is no zero bit in the source operand, the destination is written with all zeros.

This instruction has two operands:

**BLCFILL dest, src**

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The BLCFILL instruction effectively performs a bit-wise logical and of the source operand and the result of incrementing the source operand by 1 and stores the result to the destination register:

```
add tmp, src, 1
and dest,tmp, src
```

The value of the carry flag of rFLAGS is generated according to the result of the add pseudo-instruction and the remaining arithmetic flags are generated by the and pseudo-instruction.

The BLCFILL instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001(ECX)[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                 | Encoding |                |             |        |
|--------------------------|----------|----------------|-------------|--------|
|                          | XOP      | RXB.map_select | W.vvvv.L.pp | Opcode |
| BLCFILL reg32, reg/mem32 | 8F       | —RXB.09        | 0.dest.00   | 01 /1  |
| BLCFILL reg64, reg/mem64 | 8F       | —RXB.09        | 1.dest.00   | 01 /1  |

**Related Instructions**

ANDN, BEXTR, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

**BLCI****Isolate Lowest Clear Bit**

Finds the least significant zero bit in the source operand, sets all other bits to 1 and writes the result to the destination. If there is no zero bit in the source operand, the destination is written with all ones.

This instruction has two operands:

**BLCI** *dest, src*

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The BLCI instruction effectively performs a bit-wise logical *or* of the source operand and the inverse of the result of incrementing the source operand by 1, and stores the result to the destination register:

```
add tmp, src, 1
not tmp, tmp
or dest, tmp, src
```

The value of the carry flag of rFLAGS is generated according to the result of the *add* pseudo-instruction and the remaining arithmetic flags are generated by the *or* pseudo-instruction.

The BLCI instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | XOP | RXB.map_select             | W.vvvv.L.pp | Opcode |
|------------------------------|-----|----------------------------|-------------|--------|
| BLCI <i>reg32, reg/mem32</i> | 8F  | $\overline{\text{RXB}}.09$ | 0.dest.0.00 | 02 /6  |
| BLCI <i>reg64, reg/mem64</i> | 8F  | $\overline{\text{RXB}}.09$ | 1.dest.0.00 | 02 /6  |

**Related Instructions**

ANDN, BEXTR, BLCFILL, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

**BLCIC****Isolate Lowest Clear Bit and Complement**

Finds the least significant zero bit in the source operand, sets that bit to 1, clears all other bits to 0 and writes the result to the destination. If there is no zero bit in the source operand, the destination is written with all zeros.

This instruction has two operands:

BLCIC dest, src

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The BLCIC instruction effectively performs a bit-wise logical and of the negation of the source operand and the result of incrementing the source operand by 1, and stores the result to the destination register:

```
add tmp1, src, 1
not tmp2, src
and dest, tmp1, tmp2
```

The value of the carry flag of rFLAGS is generated according to the result of the add pseudo-instruction and the remaining arithmetic flags are generated by the and pseudo-instruction.

The BLCIC instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                      | Encoding |                            |                    |        |
|-------------------------------|----------|----------------------------|--------------------|--------|
|                               | XOP      | RXB.map_select             | W.vvv.L.pp         | Opcode |
| BLCIC <i>reg32, reg/mem32</i> | 8F       | $\overline{\text{RXB}}.09$ | 0. <u>dest</u> .00 | 01 /5  |
| BLCIC <i>reg64, reg/mem64</i> | 8F       | $\overline{\text{RXB}}.09$ | 1. <u>dest</u> .00 | 01 /5  |

**Related Instructions**

ANDN, BEXTR, BLCFILL, BLCI, BLCKMSK, BLCS, BLFSILL, BLISI, BLKSC, BLSR, BLKMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

**BLCMSK****Mask From Lowest Clear Bit**

Finds the least significant zero bit in the source operand, sets that bit to 1, clears all bits above that bit to 0 and writes the result to the destination. If there is no zero bit in the source operand, the destination is written with all ones.

This instruction has two operands:

**BLCMSK dest, src**

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The BLCMSK instruction effectively performs a bit-wise logical `xor` of the source operand and the result of incrementing the source operand by 1 and stores the result to the destination register:

```
add tmp1, src, 1
xor dest, tmp1,src
```

The value of the carry flag of rFLAGS is generated according to the result of the `add` pseudo-instruction and the remaining arithmetic flags are generated by the `xor` pseudo-instruction.

If the input is all ones, the output is a value with all bits set to 1.

The BLCMSK instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

**Instruction Encoding**

| Mnemonic                       | Encoding |                            |                                   |        |
|--------------------------------|----------|----------------------------|-----------------------------------|--------|
|                                | XOP      | RXB.map_select             | W.vvvv.L.pp                       | Opcode |
| BLCMSK <i>reg32, reg/mem32</i> | 8F       | $\overline{\text{RXB}}.09$ | 0. $\overline{\text{dest}}$ .0.00 | 02 /1  |
| BLCMSK <i>reg64, reg/mem64</i> | 8F       | $\overline{\text{RXB}}.09$ | 1. $\overline{\text{dest}}$ .0.00 | 02 /1  |

**Related Instructions**

ANDN, BEXTR, BLCFILL, BLCI, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

**BLCS****Set Lowest Clear Bit**

Finds the least significant zero bit in the source operand, sets that bit to 1 and writes the result to the destination. If there is no zero bit in the source operand, the source is copied to the destination (and CF in rFLAGS is set to 1).

This instruction has two operands:

BLCS dest, src

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The BLCS instruction effectively performs a bit-wise logical *or* of the source operand and the result of incrementing the source operand by 1, and stores the result to the destination register:

```
add tmp, src, 1
or dest, tmp, src
```

The value of the carry flag of rFLAGS is generated by the add pseudo-instruction and the remaining arithmetic flags are generated by the *or* pseudo-instruction.

The BLCS instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001(ECX[TBM] = 1).

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic              | XOP | RXB.map_select             | W.vvvv.L.pp                     | Opcode |
|-----------------------|-----|----------------------------|---------------------------------|--------|
| BLCS reg32, reg/mem32 | 8F  | $\overline{\text{RXB}}.09$ | 0. $\overline{\text{dest}}$ .00 | 01 / 3 |
| BLCS reg64, reg/mem64 | 8F  | $\overline{\text{RXB}}.09$ | 1. $\overline{\text{dest}}$ .00 | 01 / 3 |

**Related Instructions**

ANDN, BEXTR, BLCFILL, BLCI, BLCIC, BLCMSK, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

## BLSFILL

## Fill From Lowest Set Bit

Finds the least significant one bit in the source operand, sets all bits below that bit to 1 and writes the result to the destination. If there is no one bit in the source operand, the destination is written with all ones.

This instruction has two operands:

**BLSFILL dest, src**

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The BLSFILL instruction effectively performs a bit-wise logical **or** of the source operand and the result of subtracting 1 from the source operand, and stores the result to the destination register:

```
sub tmp, src, 1
or dest, tmp, src
```

The value of the carry flag of rFLAGS is generated by the sub pseudo-instruction and the remaining arithmetic flags are generated by the or pseudo-instruction.

The BLSFILL instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001(ECX)[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                 | XOP | RXB.map_select | W.vvvv.L.pp          | Opcode |
|--------------------------|-----|----------------|----------------------|--------|
| BLSFILL reg32, reg/mem32 | 8F  | <u>RXB</u> .09 | 0. <u>dest</u> .0.00 | 01 /2  |
| BLSFILL reg64, reg/mem64 | 8F  | <u>RXB</u> .09 | 1. <u>dest</u> .0.00 | 01 /2  |

### Related Instructions

ANDN, BEXTR, BLCFILL, BLCI, BLCIC, BLCMSK, BLCS, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

**BLSI****Isolate Lowest Set Bit**

Clears all bits in the source operand except for the least significant bit that is set to 1 and writes the result to the destination. If the source is all zeros, the destination is written with all zeros.

This instruction has two operands:

**BLSI** dest, src

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64-bit; if VEX.W is 0, the operand size is 32-bit. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is either a general purpose register or a bit memory operand.

This instruction implements the following operation:

```
neg tmp, src1
and dst, tmp, src1
```

The value of the carry flag is generated by the `neg` pseudo-instruction and the remaining status flags are generated by the `and` pseudo-instruction.

The BLSI instruction is a BMI1 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI1] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic              | Encoding |                            |                                   |        |
|-----------------------|----------|----------------------------|-----------------------------------|--------|
|                       | VEX      | RXB.map_select             | W.vvvv.L.pp                       | Opcode |
| BLSI reg32, reg/mem32 | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{dest}}$ .0.00 | F3 /3  |
| BLSI reg64, reg/mem64 | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{dest}}$ .0.00 | F3 /3  |

**Related Instructions**

ANDN, BEXTR, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Mode |                 |           | Cause of Exception                                                                     |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                        |
| Invalid opcode, #UD     | X    | X               |           | BMI instructions are only recognized in protected mode.                                |
|                         |      |                 | X         | BMI instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                            |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                   |
|                         |      |                 | X         | A null data segment was used to reference memory.                                      |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                           |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.      |

**BLSIC****Isolate Lowest Set Bit and Complement**

Finds the least significant bit that is set to 1 in the source operand, clears that bit to 0, sets all other bits to 1 and writes the result to the destination. If there is no one bit in the source operand, the destination is written with all ones.

This instruction has two operands:

**BLSIC dest, src**

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The BLSIC instruction effectively performs a bit-wise logical **or** of the inverse of the source operand and the result of subtracting 1 from the source operand, and stores the result to the destination register:

```
sub tmp1, src, 1
not tmp2, src
or dest, tmp1, tmp2
```

The value of the carry flag of rFLAGS is generated by the **sub** pseudo-instruction and the remaining arithmetic flags are generated by the **or** pseudo-instruction.

The BLSR instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic               | Encoding |                |                    |        |
|------------------------|----------|----------------|--------------------|--------|
|                        | XOP      | RXB.map_select | W.vvvv.L.pp        | Opcode |
| BLSIC reg32, reg/mem32 | 8F       | <u>RXB</u> .09 | 0. <u>dest</u> .00 | 01 / 6 |
| BLSIC reg64, reg/mem64 | 8F       | <u>RXB</u> .09 | 1. <u>dest</u> .00 | 01 / 6 |

**Related Instructions**

ANDN, BEXTR, BLCFILL, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

**BLSMSK****Mask From Lowest Set Bit**

Forms a mask with bits set to 1 from bit 0 up to and including the least significant bit position that is set to 1 in the source operand and writes the mask to the destination. If the value of the source operand is zero, the destination is written with all ones.

This instruction has two operands:

**BLSMSK dest, src**

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64-bit; if VEX.W is 0, the operand size is 32-bit. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is always a general purpose register.

The source operand (*src*) is either a general purpose register or a memory operand and the destination operand (*dest*) is a general purpose register.

This instruction implements the operation:

```
sub tmp, src1, 1
xor dst, tmp, src1
```

The value of the carry flag is generated by the `sub` pseudo-instruction and the remaining status flags are generated by the `xor` pseudo-instruction.

If the input is zero, the output is a value with all bits set to 1. If this is considered a corner case input, software may test the carry flag to detect the zero input value.

The BLSMSK instruction is a BMI1 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI1] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                | Encoding |                            |                               |        |
|-------------------------|----------|----------------------------|-------------------------------|--------|
|                         | VEX      | RXB.map_select             | W.vvvv.L.pp                   | Opcode |
| BLSMSK reg32, reg/mem32 | C4       | $\overline{\text{RXB}}.02$ | $0.\overline{\text{dest}}.00$ | F3 /2  |
| BLSMSK reg64, reg/mem64 | C4       | $\overline{\text{RXB}}.02$ | $1.\overline{\text{dest}}.00$ | F3 /2  |

**Related Instructions**

ANDN, BEXTR, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Mode |                 |           | Cause of Exception                                                                     |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                        |
| Invalid opcode, #UD     | X    | X               |           | BMI instructions are only recognized in protected mode.                                |
|                         |      |                 | X         | BMI instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                            |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                   |
|                         |      |                 | X         | A null data segment was used to reference memory.                                      |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                           |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.      |

**BLSR****Reset Lowest Set Bit**

Clears the least-significant bit that is set to 1 in the input operand and writes the modified operand to the destination.

This instruction has two operands:

**BLSR *dest*, *src***

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64-bit; if VEX.W is 0, the operand size is 32-bit. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is always a general purpose register.

The source operand (*src*) is either a general purpose register or a memory operand.

This instruction implements the operation:

```
sub tmp, src1, 1
and dst, tmp, src1
```

The value of the carry flag is generated by the `sub` pseudo-instruction and the remaining status flags are generated by the `and` pseudo-instruction.

The BLSR instruction is a BMI1 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI1] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                            |                                 |        |
|------------------------------|----------|----------------------------|---------------------------------|--------|
|                              | VEX      | RXB.map_select             | W.vvvv.L.pp                     | Opcode |
| BLSR <i>reg32, reg/mem32</i> | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{dest}}$ .00 | F3 /1  |
| BLSR <i>reg64, reg/mem64</i> | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{dest}}$ .00 | F3 /1  |

**Related Instructions**

ANDN, BEXTR, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Mode |                 |           | Cause of Exception                                                                     |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                        |
| Invalid opcode, #UD     | X    | X               |           | BMI instructions are only recognized in protected mode.                                |
|                         |      |                 | X         | BMI instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                            |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                   |
|                         |      |                 | X         | A null data segment was used to reference memory.                                      |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                           |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.      |

## BOUND

## Check Array Bound

Checks whether an array index (first operand) is within the bounds of an array (second operand). The array index is a signed integer in the specified register. If the operand-size attribute is 16, the array operand is a memory location containing a pair of signed word-integers; if the operand-size attribute is 32, the array operand is a pair of signed doubleword-integers. The first word or doubleword specifies the lower bound of the array and the second word or doubleword specifies the upper bound.

The array index must be greater than or equal to the lower bound and less than or equal to the upper bound. If the index is not within the specified bounds, the processor generates a BOUND range-exceeded exception (#BR).

The bounds of an array, consisting of two words or doublewords containing the lower and upper limits of the array, usually reside in a data structure just before the array itself, making the limits addressable through a constant offset from the beginning of the array. With the address of the array in a register, this practice reduces the number of bus cycles required to determine the effective address of the array bounds.

| Mnemonic                 | Opcode | Description                                                                                                                         |
|--------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------|
| BOUND reg16, mem16&mem16 | 62 /r  | Test whether a 16-bit array index is within the bounds specified by the two 16-bit values in mem16&mem16. (Invalid in 64-bit mode.) |
| BOUND reg32, mem32&mem32 | 62 /r  | Test whether a 32-bit array index is within the bounds specified by the two 32-bit values in mem32&mem32. (Invalid in 64-bit mode.) |

### Related Instructions

INT, INT3, INTO

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                |
|----------------------------|------|-----------------|-----------|---------------------------------------------------|
| Bound range, #BR           | X    | X               | X         | The bound range was exceeded.                     |
| Invalid opcode,<br>#UD     | X    | X               | X         | The source operand was a register.                |
|                            |      |                 | X         | Instruction was executed in 64-bit mode.          |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit.   |
|                            |      |                 | X         | A null data segment was used to reference memory. |

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**BSF****Bit Scan Forward**

Searches the value in a register or a memory location (second operand) for the least-significant set bit. If a set bit is found, the instruction clears the zero flag (ZF) and stores the index of the least-significant set bit in a destination register (first operand). If the second operand contains 0, the instruction sets ZF to 1 and does not change the contents of the destination register. The bit index is an unsigned offset from bit 0 of the searched value.

| Mnemonic             | Opcode   | Description                                            |
|----------------------|----------|--------------------------------------------------------|
| BSF reg16, reg/mem16 | 0F BC /r | Bit scan forward on the contents of <i>reg/mem16</i> . |
| BSF reg32, reg/mem32 | 0F BC /r | Bit scan forward on the contents of <i>reg/mem32</i> . |
| BSF reg64, reg/mem64 | 0F BC /r | Bit scan forward on the contents of <i>reg/mem64</i>   |

**Related Instructions**

BSR

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | M  | U  | U  | U  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X            | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |              | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X            | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**BSR****Bit Scan Reverse**

Searches the value in a register or a memory location (second operand) for the most-significant set bit. If a set bit is found, the instruction clears the zero flag (ZF) and stores the index of the most-significant set bit in a destination register (first operand). If the second operand contains 0, the instruction sets ZF to 1 and does not change the contents of the destination register. The bit index is an unsigned offset from bit 0 of the searched value.

| Mnemonic             | Opcode   | Description                                            |
|----------------------|----------|--------------------------------------------------------|
| BSR reg16, reg/mem16 | 0F BD /r | Bit scan reverse on the contents of <i>reg/mem16</i> . |
| BSR reg32, reg/mem32 | 0F BD /r | Bit scan reverse on the contents of <i>reg/mem32</i> . |
| BSR reg64, reg/mem64 | 0F BD /r | Bit scan reverse on the contents of <i>reg/mem64</i> . |

**Related Instructions**

BSF

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | M  | U  | U  | U  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X            | X         | A memory address exceeded the data segment limit or was non-canonical.            |
|                         |      |              | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X            | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## BSWAP

## Byte Swap

Reverses the byte order of the specified register. This action converts the contents of the register from little endian to big endian or vice versa. In a doubleword, bits 7:0 are exchanged with bits 31:24, and bits 15:8 are exchanged with bits 23:16. In a quadword, bits 7:0 are exchanged with bits 63:56, bits 15:8 with bits 55:48, bits 23:16 with bits 47:40, and bits 31:24 with bits 39:32. A subsequent use of the BSWAP instruction with the same operand restores the original value of the operand.

The result of applying the BSWAP instruction to a 16-bit register is undefined. To swap the bytes of a 16-bit register, use the XCHG instruction and specify the respective byte halves of the 16-bit register as the two operands. For example, to swap the bytes of AX, use XCHG AL, AH.

| Mnemonic    | Opcode    | Description                      |
|-------------|-----------|----------------------------------|
| BSWAP reg32 | 0F C8 +rd | Reverse the byte order of reg32. |
| BSWAP reg64 | 0F C8 +rq | Reverse the byte order of reg64. |

### Related Instructions

XCHG

### rFLAGS Affected

None

### Exceptions

None

**BT****Bit Test**

Copies a bit, specified by a bit index in a register or 8-bit immediate value (second operand), from a bit string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register.

If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the operand size) of the bit index to select a bit in the register.

If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base in the range  $-2^{63}$  to  $+2^{63} - 1$  if the operand size is 64,  $-2^{31}$  to  $+2^{31} - 1$ , if the operand size is 32, and  $-2^{15}$  to  $+2^{15} - 1$  if the operand size is 16. If the bit index is in an immediate value, the bit selected is that value modulo 16, 32, or 64, depending on operand size.

When the instruction attempts to copy a bit from memory, it accesses 2, 4, or 8 bytes starting from the specified memory address for 16-bit, 32-bit, or 64-bit operand sizes, respectively, using the following formula:

$$\text{Effective Address} + (\text{NumBytes}_i * (\text{BitOffset DIV NumBits}_i * 8))$$

When using this bit addressing mechanism, avoid referencing areas of memory close to address space holes, such as references to memory-mapped I/O registers. Instead, use a MOV instruction to load a register from such an address and use a register form of the BT instruction to manipulate the data.

| Mnemonic            | Opcode      | Description                                           |
|---------------------|-------------|-------------------------------------------------------|
| BT reg/mem16, reg16 | 0F A3 /r    | Copy the value of the selected bit to the carry flag. |
| BT reg/mem32, reg32 | 0F A3 /r    | Copy the value of the selected bit to the carry flag. |
| BT reg/mem64, reg64 | 0F A3 /r    | Copy the value of the selected bit to the carry flag. |
| BT reg/mem16, imm8  | 0F BA /4 ib | Copy the value of the selected bit to the carry flag. |
| BT reg/mem32, imm8  | 0F BA /4 ib | Copy the value of the selected bit to the carry flag. |
| BT reg/mem64, imm8  | 0F BA /4 ib | Copy the value of the selected bit to the carry flag. |

**Related Instructions**

BTC, BTR, BTS

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## BTC

## Bit Test and Complement

Copies a bit, specified by a bit index in a register or 8-bit immediate value (second operand), from a bit string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register, and then complements (toggles) the bit in the bit string.

If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the operand size) of the bit index to select a bit in the register.

If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base in the range  $-2^{63}$  to  $+2^{63} - 1$  if the operand size is 64,  $-2^{31}$  to  $+2^{31} - 1$ , if the operand size is 32, and  $-2^{15}$  to  $+2^{15} - 1$  if the operand size is 16. If the bit index is in an immediate value, the bit selected is that value modulo 16, 32, or 64, depending the operand size.

This instruction is useful for implementing semaphores in concurrent operating systems. Such an application should precede this instruction with the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                    | Opcode      | Description                                                                             |
|-----------------------------|-------------|-----------------------------------------------------------------------------------------|
| BTC <i>reg/mem16, reg16</i> | 0F BB /r    | Copy the value of the selected bit to the carry flag, then complement the selected bit. |
| BTC <i>reg/mem32, reg32</i> | 0F BB /r    | Copy the value of the selected bit to the carry flag, then complement the selected bit. |
| BTC <i>reg/mem64, reg64</i> | 0F BB /r    | Copy the value of the selected bit to the carry flag, then complement the selected bit. |
| BTC <i>reg/mem16, imm8</i>  | 0F BA /7 ib | Copy the value of the selected bit to the carry flag, then complement the selected bit. |
| BTC <i>reg/mem32, imm8</i>  | 0F BA /7 ib | Copy the value of the selected bit to the carry flag, then complement the selected bit. |
| BTC <i>reg/mem64, imm8</i>  | 0F BA /7 ib | Copy the value of the selected bit to the carry flag, then complement the selected bit. |

## Related Instructions

BT, BTR, BTS

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## BTR

## Bit Test and Reset

Copies a bit, specified by a bit index in a register or 8-bit immediate value (second operand), from a bit string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register, and then clears the bit in the bit string to 0.

If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the operand size) of the bit index to select a bit in the register.

If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base in the range  $-2^{63}$  to  $+2^{63} - 1$  if the operand size is 64,  $-2^{31}$  to  $+2^{31} - 1$ , if the operand size is 32, and  $-2^{15}$  to  $+2^{15} - 1$  if the operand size is 16. If the bit index is in an immediate value, the bit selected is that value modulo 16, 32, or 64, depending on the operand size.

This instruction is useful for implementing semaphores in concurrent operating systems. Such applications should precede this instruction with the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic             | Opcode      | Description                                                                        |
|----------------------|-------------|------------------------------------------------------------------------------------|
| BTR reg/mem16, reg16 | 0F B3 /r    | Copy the value of the selected bit to the carry flag, then clear the selected bit. |
| BTR reg/mem32, reg32 | 0F B3 /r    | Copy the value of the selected bit to the carry flag, then clear the selected bit. |
| BTR reg/mem64, reg64 | 0F B3 /r    | Copy the value of the selected bit to the carry flag, then clear the selected bit. |
| BTR reg/mem16, imm8  | 0F BA /6 ib | Copy the value of the selected bit to the carry flag, then clear the selected bit. |
| BTR reg/mem32, imm8  | 0F BA /6 ib | Copy the value of the selected bit to the carry flag, then clear the selected bit. |
| BTR reg/mem64, imm8  | 0F BA /6 ib | Copy the value of the selected bit to the carry flag, then clear the selected bit. |

## Related Instructions

BT, BTC, BTS

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**BTS****Bit Test and Set**

Copies a bit, specified by bit index in a register or 8-bit immediate value (second operand), from a bit string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register, and then sets the bit in the bit string to 1.

If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the operand size) of the bit index to select a bit in the register.

If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base in the range  $-2^{63}$  to  $+2^{63} - 1$  if the operand size is 64,  $-2^{31}$  to  $+2^{31} - 1$ , if the operand size is 32, and  $-2^{15}$  to  $+2^{15} - 1$  if the operand size is 16. If the bit index is in an immediate value, the bit selected is that value modulo 16, 32, or 64, depending on the operand size.

This instruction is useful for implementing semaphores in concurrent operating systems. Such applications should precede this instruction with the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                    | Opcode      | Description                                                                      |
|-----------------------------|-------------|----------------------------------------------------------------------------------|
| BTS <i>reg/mem16, reg16</i> | 0F AB /r    | Copy the value of the selected bit to the carry flag, then set the selected bit. |
| BTS <i>reg/mem32, reg32</i> | 0F AB /r    | Copy the value of the selected bit to the carry flag, then set the selected bit. |
| BTS <i>reg/mem64, reg64</i> | 0F AB /r    | Copy the value of the selected bit to the carry flag, then set the selected bit. |
| BTS <i>reg/mem16, imm8</i>  | 0F BA /5 ib | Copy the value of the selected bit to the carry flag, then set the selected bit. |
| BTS <i>reg/mem32, imm8</i>  | 0F BA /5 ib | Copy the value of the selected bit to the carry flag, then set the selected bit. |
| BTS <i>reg/mem64, imm8</i>  | 0F BA /5 ib | Copy the value of the selected bit to the carry flag, then set the selected bit. |

**Related Instructions**

BT, BTC, BTR

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**BZHI****Zero High Bits**

Copies bits, left to right, from the first source operand starting with the bit position specified by the second source operand (*index*), writes these bits to the destination, and clears all the bits in positions greater than or equal to *index*.

This instruction has three operands:

**BZHI dest, src, index**

In 64-bit mode, the operand size (*op\_size*) is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register. The first source operand (*src*) is either a general purpose register or a memory operand. The second source operand is a general purpose register. Bits [7:0] of this register, treated as an unsigned 8-bit integer, specify the index of the most-significant bit of the first source operand to be copied to the corresponding bit of the destination. Bits [*op\_size*-1:*index*] of the destination are cleared.

If the value of *index* is greater than or equal to the operand size, *index* is set to (*op\_size*-1). In this case, the CF flag is set.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                |                |        |
|------------------------------|----------|----------------|----------------|--------|
|                              | VEX      | RXB.map_select | W.vvvv.L.pp    | Opcode |
| BZHI reg32, reg/mem32, reg32 | C4       | —<br>RXB.02    | 0.<br>index.00 | F5 /r  |
| BZHI reg64, reg/mem64, reg64 | C4       | —<br>RXB.02    | 1.<br>index.00 | F5 /r  |

**Related Instructions****rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Mode |                 |           | Cause of Exception                                                                       |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                          |
| Invalid opcode, #UD     | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                         |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                              |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                         |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

## CALL (Near)

## Near Procedure Call

Pushes the offset of the next instruction onto the stack and branches to the target address, which contains the first instruction of the called procedure. The target operand can specify a register, a memory location, or a label. A procedure accessed by a near CALL is located in the same code segment as the CALL instruction.

If the CALL target is specified by a register or memory location, then a 16-, 32-, or 64-bit rIP is read from the operand, depending on the operand size. A 16- or 32-bit rIP is zero-extended to 64 bits.

If the CALL target is specified by a displacement, the signed displacement is added to the rIP (of the following instruction), and the result is truncated to 16, 32, or 64 bits, depending on the operand size. The signed displacement is 16 or 32 bits, depending on the operand size.

In all cases, the rIP of the instruction after the CALL is pushed on the stack, and the size of the stack push (16, 32, or 64 bits) depends on the operand size of the CALL instruction.

For near calls in 64-bit mode, the operand size defaults to 64 bits. The E8 opcode results in RIP = RIP + 32-bit signed displacement and the FF /2 opcode results in RIP = 64-bit offset from register or memory. No prefix is available to encode a 32-bit operand size in 64-bit mode.

At the end of the called procedure, RET is used to return control to the instruction following the original CALL. When RET is executed, the rIP is popped off the stack, which returns control to the instruction after the CALL.

See CALL (Far) for information on far calls—calls to procedures located outside of the current code segment. For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic              | Opcode       | Description                                                                                                      |
|-----------------------|--------------|------------------------------------------------------------------------------------------------------------------|
| CALL <i>rel16off</i>  | E8 <i>iw</i> | Near call with the target specified by a 16-bit relative displacement.                                           |
| CALL <i>rel32off</i>  | E8 <i>id</i> | Near call with the target specified by a 32-bit relative displacement.                                           |
| CALL <i>reg/mem16</i> | FF /2        | Near call with the target specified by <i>reg/mem16</i> .                                                        |
| CALL <i>reg/mem32</i> | FF /2        | Near call with the target specified by <i>reg/mem32</i> . (There is no prefix for encoding this in 64-bit mode.) |
| CALL <i>reg/mem64</i> | FF /2        | Near call with the target specified by <i>reg/mem64</i> .                                                        |

For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

## Action

```

// For function ShadowStacksEnabled()
// see "Pseudocode Definition" on page 57

CALLN_START:

IF (OPCODE == calln abs [mem] )      // CALLN, abs indirect
    temp_RIP = READ_MEM.z [mem]
ELSE                                // CALLN, rel/abs direct
    temp_RIP = z-sized instruction offset field, zero-extended to 64 bits

IF (OPCODE == calln rel )           // if relative, add offset to rIP
    temp_RIP = temp_RIP + RIP.v

IF (stack is not large enough for a v-sized push)
    EXCEPTION[#SS(0)]

PUSH.v next_RIP

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
    (!64BIT_MODE) && (temp_RIP > CS.limit))
    EXCEPTION[#GP(0)]

IF ((ShadowStacksEnabled(current CPL)) && (OPCODE != calln +0))
{
    IF (v == 2)          // operand size = 16
    {
        SSTK_WRITE_MEM.d [SSP-4] = next_IP
        SSP = SSP - 4
    }
    ELSEIF (v == 4)       // operand size = 32
    {
        SSTK_WRITE_MEM.d [SSP-4] = next_EIP
        SSP = SSP - 4
    }
    ELSE // (v == 8)     // operand size = 64
    {
        SSTK_WRITE_MEM.q [SSP-8] = next_RIP
        SSP = SSP - 8
    }
} // end shadow stacks enabled

RIP = temp_RIP

EXIT

```

## Related Instructions

CALL(Far), RET(Near), RET(Far)

## rFLAGS Affected

None.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.           |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Alignment Check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |
| Page Fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |

## CALL (Far)

## Far Procedure Call

Pushes procedure linking information onto the stack and branches to the target address, which contains the first instruction of the called procedure. The operand specifies a target selector and offset.

The instruction can specify the target directly, by including the far pointer in the immediate and displacement fields of the instruction, or indirectly, by referencing a far pointer in memory. In 64-bit mode, only indirect far calls are allowed; executing a direct far call (opcode 9A) generates an undefined opcode exception. For both direct and indirect far calls, if the CALL (Far) operand-size is 16 bits, the instruction's operand is a 16-bit offset followed by a 16-bit selector. If the operand-size is 32 or 64 bits, the operand is a 32-bit offset followed by a 16-bit selector.

The target selector used by the instruction can be a code selector in all modes. Additionally, the target selector can reference a call gate in protected mode, or a task gate or TSS selector in legacy protected mode.

- *Target is a code selector*—The CS:rIP of the next instruction is pushed to the stack, using operand-size stack pushes. Then code is executed from the target CS:rIP. In this case, the target offset can only be a 16- or 32-bit value, depending on operand-size, and is zero-extended to 64 bits. No CPL change is allowed.
- *Target is a call gate*—The call gate specifies the actual target code segment and offset. Call gates allow calls to the same or more privileged code. If the target segment is at the same CPL as the current code segment, the CS:rIP of the next instruction is pushed to the stack.

If the CALL (Far) changes privilege level, then a stack-switch occurs, using an inner-level stack pointer from the TSS. The CS:rIP of the next instruction is pushed to the new stack. If the mode is legacy mode and the param-count field in the call gate is non-zero, then up to 31 operands are copied from the caller's stack to the new stack. Finally, the caller's SS:rSP is pushed to the new stack.

When calling through a call gate, the stack pushes are 16-, 32-, or 64-bits, depending on the size of the call gate. The size of the target rIP is also 16, 32, or 64 bits, depending on the size of the call gate. If the target rIP is less than 64 bits, it is zero-extended to 64 bits. Long mode only allows 64-bit call gates that must point to 64-bit code segments.

- *Target is a task gate or a TSS*—If the mode is legacy protected mode, then a task switch occurs. See “Hardware Task-Management in Legacy Mode” in APM Volume 2 for details about task switches. Hardware task switches are not supported in long mode.

See CALL (Near) for information on near calls—calls to procedures located inside the current code segment. For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic                 | Opcode | Description                                                                                                         |
|--------------------------|--------|---------------------------------------------------------------------------------------------------------------------|
| CALL FAR <i>ptr16:16</i> | 9A cd  | Far call direct, with the target specified by a far pointer contained in the instruction. (Invalid in 64-bit mode.) |
| CALL FAR <i>ptr16:32</i> | 9A cp  | Far call direct, with the target specified by a far pointer contained in the instruction. (Invalid in 64-bit mode.) |
| CALL FAR <i>mem16:16</i> | FF /3  | Far call indirect, with the target specified by a far pointer in memory.                                            |
| CALL FAR <i>mem16:32</i> | FF /3  | Far call indirect, with the target specified by a far pointer in memory.                                            |

## Action

```

// For functions READ_DESCRIPTOR, READ_INNER_LEVEL_SP,
// ShadowStacksEnabled and SET_TOKEN_BUSY see "Pseudocode Definition"
// on page 57

CALLF_START:

IF (REAL_MODE)
    CALLF_REAL_OR_VIRTUAL // CALLF real mode
ELSEIF (PROTECTED_MODE)
    CALLF_PROTECTED // CALLF protected mode
ELSE // virtual mode
    CALLF_REAL_OR_VIRTUAL // CALLF virtual mode

CALLF_REAL_OR_VIRTUAL:

IF (OPCODE == callf [mem] ) // CALLF real mode, indirect
{
    temp_RIP = READ_MEM.z [mem]
    temp_CS = READ_MEM.w [mem+Z]
}
ELSE // CALLF real mode, direct
{
    temp_RIP = z-sized instruction offset field, zero-extended to 64 bits
    temp_CS = selector specified in the instruction
}
PUSH.v old_CS
PUSH.v next_RIP

IF (temp_RIP > CS.limit)
    EXCEPTION [#GP(0)]

CS.sel = temp_CS
CS.base = temp_CS SHL 4
RIP = temp_RIP

EXIT // end CALLF real or virtual

```

CALLF\_PROTECTED:

```

IF (OPCODE == callf [mem])      // CALLF protected mode, indirect
{
    temp_offset = READ_MEM.z [mem]
    temp_sel    = READ_MEM.w [mem+Z]
}
ELSE                           // CALLF protected mode, direct
{
    IF (64BIT_MODE)
        EXCEPTION [#UD]      // CALLF direct is illegal in 64-bit mode.
    temp_offset = z-sized instruction offset field, zero-extended to 64 bits
    temp_sel    = selector specified in the instruction
}

temp_desc = READ_DESCRIPTOR (temp_sel, cs_chk)

IF (temp_desc.attr.type == 'available_tss')
    TASK_SWITCH // Using temp_sel as the target TSS
ELSEIF (temp_desc.attr.type == 'taskgate')
    TASK_SWITCH // Using the TSS selector in the task gate as the target TSS
ELSEIF (temp_desc.attr.type == 'callgate')
    CALLF_CALLGATE // CALLF through callgate
ELSE // (temp_desc.attr.type == 'code')
{
    // the selector refers to a code descriptor
    temp_RIP = temp_offset // the target RIP is the instruction offset field
    CS = temp_desc
    PUSH.v old_CS
    PUSH.v next_RIP

    IF ((!64BIT_MODE) && (temp_RIP > CS.limit))
        EXCEPTION [#GP(0)] // temp_RIP can't be non-canonical because its' a
                            // 16- or 32-bit offset, zero-extended to 64 bits
    RIP = temp_RIP

    IF ShadowStacksEnabled at current CPL
    {
        IF (v == 2)
            temp_LIP = CS.base + next_IP // operand size = 16
        ELSEIF (v == 4)
            temp_LIP = CS.base + next_EIP // operand size = 32
        ELSE // (v == 8)
            temp_LIP = next_RIP         // operand size = 64

        IF EFER.LMA && (temp_desc.attr.L == 0) && (SSP[63:32] != 0)
            EXCEPTION [#GP(0)] // SSP must be <4 GB

        Align SSP to 8B boundary, storing 4B of 0 if needed
        old_SSP = SSP
        SSTK_WRITE_MEMORY.q [SSP-16] = old_CS // push CS, LIP, SSP
    }
}

```

```

SSTK_WRITE_MEM.q [SSP-8] = temp_LIP // onto the shadow stack
SSTK_WRITE_MEM.q [SSP] = old_SSP
SSP = SSP - 24
}

EXIT
} // end CALLF selector=code segment

CALLF_CALLGATE:

IF (LONG_MODE) // the gate size controls the size of the stack pushes
v=8-byte // Long mode only uses 64-bit call gates, force 8-byte opsize
ELSEIF (temp_desc.attr.type == 'callgate32')
v=4-byte // Legacy mode, using a 32-bit call-gate, force 4-byte
ELSE // (temp_desc.attr.type == 'callgate16')
v=2-byte // Legacy mode, using a 16-bit call-gate, force 2-byte opsize

// the target CS and RIP both come from the call gate.
temp_RIP = temp_desc.offset

IF (LONG_MODE)
{
temp_upper = READ_MEM.q [temp_sel+8] // to get upper 32 bits of target RIP
IF (temp_upper's extended attribute bits != 0)
EXCEPTION [#GP(temp_sel)]
temp_RIP = tempRIP + (temp_upper SHL 32) // Concatenate both halves of RIP
}

CS = READ_DESCRIPTOR (temp_desc.segment, callgate_check)

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
(!64BIT_MODE) && (temp_RIP > CS.limit))
EXCEPTION[#GP(0)]

IF (CS.attr.conforming == 1)
temp_CPL = CPL
ELSE
temp_CPL = CS.attr.dpl

IF (CPL == temp_CPL) // CALLF through gate, to same privilege
{
PUSH.v old_CS
PUSH.v next_RIP
RIP = temp_RIP

IF (ShadowStacksEnabled at current CPL)
{
IF (v == 2)
temp_LIP = CS.base + next_IP // operand size = 16
ELSEIF (v == 4)

```

```

        temp_LIP = CS.base + next_EIP // operand size = 32
    ELSE // (v == 8)
        temp_LIP = next_RIP           // operand size = 64

    IF ((EFER.LMA && (temp_desc.attr.L == 0)) && (SSP[63:32] != 0))
        EXCEPTION [#GP(0)]          // SSP must be <4 GB
    Align SSP to next 8B boundary, storing 4B of 0 if needed
    old_SSP = SSP
    SSTK_WRITE_MEM.q [SSP-24] = old_CS   // push CS, LIP, SSP
    SSTK_WRITE_MEM.q [SSP-16] = temp_LIP // onto the shadow stack
    SSTK_WRITE_MEM.q [SSP-8] = old_SSP
    SSP = SSP - 24
    } // end shadow stacks enabled
    EXIT // end CALLF through gate, to same privilege
}
ELSE // CALLF through gate, to more privilege
{
old_CPL = CPL
CPL = temp_CPL
temp_ist = 0      // CALLF doesn't use IST pointers.
temp_SS_desc:temp_RSP = READ_INNER_LEVEL_SP(CPL,temp_ist)
RSP.q = temp_RSP
SS = temp_SS_desc

PUSH.v old_SS // #SS on this or next pushes use SS.sel as error code
PUSH.v old_RSP

IF (LEGACY_MODE) // Legacy-mode call gates have a param_count field
    temp_PARAM_COUNT = temp_desc.attr.param_count
    FOR (I=temp_PARAM_COUNT; I>0; I--)
    {
        temp_DATA = READ_MEM.v [old_SS:(old_RSP+I*V)]
        PUSH.v temp_DATA
    }

PUSH.v old_CS
PUSH.v next_RIP
RIP = temp_RIP

IF ((ShadowStacksEnabled at CPL=3) && (old_CPL == 3))
    PL3_SSP = SSP

IF (ShadowStacksEnabled at new CPL)
{
    old_SSP = SSP
    SSP     = PLn_SSP // where n=new CPL

    SET_SSTK_TOKEN_BUSY(SSP) // check for valid token and set busy bit

    IF old_CPL != 3
    {

```

```

// push CS,LIP,SSP onto sstk
SSTK_WRITE_MEM.q [SSP-24] = old_CS    // push CS
SSTK_WRITE_MEM.q [SSP-16] = temp_LIP // LIP and
SSTK_WRITE_MEM.q [SSP-8]  = old_SSP   // SSP to the shadow stack
SSP = SSP - 24
}
} // end shadow stacks enabled at new CPL
EXIT
} // end CALLF to more priv

```

## Related Instructions

CALL (Near), RET (Near), RET (Far)

## rFLAGS Affected

None, unless a task switch occurs, in which case all flags are modified.

## Exceptions

| Exception                              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                  |
|----------------------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD                 | X    | X               | X         | The far CALL indirect opcode (FF /3) had a register operand.                                                                                        |
|                                        |      |                 | X         | The far CALL direct opcode (9A) was executed in 64-bit mode.                                                                                        |
| Invalid TSS, #TS<br>(selector)         |      |                 | X         | As part of a stack switch, the target stack segment selector or rSP in the TSS was beyond the TSS limit.                                            |
|                                        |      |                 | X         | As part of a stack switch, the target stack segment selector in the TSS was a null selector.                                                        |
|                                        |      |                 | X         | As part of a stack switch, the target stack selector's TI bit was set, but LDT selector was a null selector.                                        |
|                                        |      |                 | X         | As part of a stack switch, the target stack segment selector in the TSS was beyond the limit of the GDT or LDT descriptor table.                    |
|                                        |      |                 | X         | As part of a stack switch, the target stack segment selector in the TSS contained a RPL that was not equal to its DPL.                              |
|                                        |      |                 | X         | As part of a stack switch, the target stack segment selector in the TSS contained a DPL that was not equal to the CPL of the code segment selector. |
|                                        |      |                 | X         | As part of a stack switch, the target stack segment selector in the TSS was not a writable segment.                                                 |
| Segment not present, #NP<br>(selector) |      |                 | X         | The accessed code segment, call gate, task gate, or TSS was not present.                                                                            |
| Stack, #SS                             | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical, and no stack switch occurred.                                               |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                                                 |
|------------------------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Stack, #SS<br>(selector)                 |      |                 | X         | After a stack switch, a memory access exceeded the stack segment limit or was non-canonical.                                                                                                       |
|                                          |      |                 | X         | As part of a stack switch, the SS register was loaded with a non-null segment selector and the segment was marked not present.                                                                     |
| General protection,<br>#GP               | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                                                                                                               |
|                                          | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.                                                                                                                            |
|                                          |      |                 | X         | A null data segment was used to reference memory.                                                                                                                                                  |
| General protection,<br>#GP<br>(selector) |      |                 | X         | The target code segment selector was a null selector.                                                                                                                                              |
|                                          |      |                 | X         | A code, call gate, task gate, or TSS descriptor exceeded the descriptor table limit.                                                                                                               |
|                                          |      |                 | X         | A segment selector's TI bit was set but the LDT selector was a null selector.                                                                                                                      |
|                                          |      |                 | X         | The segment descriptor specified by the instruction was not a code segment, task gate, call gate or available TSS in legacy mode, or not a 64-bit code segment or a 64-bit call gate in long mode. |
|                                          |      |                 | X         | The RPL of the non-conforming code segment selector specified by the instruction was greater than the CPL, or its DPL was not equal to the CPL.                                                    |
|                                          |      |                 | X         | The DPL of the conforming code segment descriptor specified by the instruction was greater than the CPL.                                                                                           |
|                                          |      |                 | X         | The DPL of the callgate, taskgate, or TSS descriptor specified by the instruction was less than the CPL, or less than its own RPL.                                                                 |
|                                          |      |                 | X         | The segment selector specified by the call gate or task gate was a null selector.                                                                                                                  |
|                                          |      |                 | X         | The segment descriptor specified by the call gate was not a code segment in legacy mode, or not a 64-bit code segment in long mode.                                                                |
|                                          |      |                 | X         | The DPL of the segment descriptor specified by the call gate was greater than the CPL.                                                                                                             |
|                                          |      |                 | X         | The 64-bit call gate's extended attribute bits were not zero.                                                                                                                                      |
|                                          |      |                 | X         | The TSS descriptor was found in the LDT.                                                                                                                                                           |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                                                                       |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                                                                  |

**CBW  
CWDE  
CDQE****Convert to Sign-Extended**

Copies the sign bit in the AL or eAX register to the upper bits of the rAX register. The effect of this instruction is to convert a signed byte, word, or doubleword in the AL or eAX register into a signed word, doubleword, or quadword in the rAX register. This action helps avoid overflow problems in signed number arithmetic.

The CDQE mnemonic is meaningful only in 64-bit mode.

| Mnemonic | Opcode | Description               |
|----------|--------|---------------------------|
| CBW      | 98     | Sign-extend AL into AX.   |
| CWDE     | 98     | Sign-extend AX into EAX.  |
| CDQE     | 98     | Sign-extend EAX into RAX. |

**Related Instructions**

CWD, CDQ, CQO

**rFLAGS Affected**

None

**Exceptions**

None

**CWD  
CDQ  
CQO****Convert to Sign-Extended**

Copies the sign bit in the rAX register to all bits of the rDX register. The effect of this instruction is to convert a signed word, doubleword, or quadword in the rAX register into a signed doubleword, quadword, or double-quadword in the rDX:rAX registers. This action helps avoid overflow problems in signed number arithmetic.

The CQO mnemonic is meaningful only in 64-bit mode.

| Mnemonic | Opcode | Description                   |
|----------|--------|-------------------------------|
| CWD      | 99     | Sign-extend AX into DX:AX.    |
| CDQ      | 99     | Sign-extend EAX into EDX:EAX. |
| CQO      | 99     | Sign-extend RAX into RDX:RAX. |

**Related Instructions**

CBW, CWDE, CDQE

**rFLAGS Affected**

None

**Exceptions**

None

**CLC****Clear Carry Flag**

Clears the carry flag (CF) in the rFLAGS register to zero.

| Mnemonic | Opcode | Description                        |
|----------|--------|------------------------------------|
| CLC      | F8     | Clear the carry flag (CF) to zero. |

**Related Instructions**

STC, CMC

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    |    |    | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

None

**CLD****Clear Direction Flag**

Clears the direction flag (DF) in the rFLAGS register to zero. If the DF flag is 0, each iteration of a string instruction increments the data pointer (index registers rSI or rDI). If the DF flag is 1, the string instruction decrements the pointer. Use the CLD instruction before a string instruction to make the data pointer increment.

| Mnemonic | Opcode | Description                            |
|----------|--------|----------------------------------------|
| CLD      | FC     | Clear the direction flag (DF) to zero. |

**Related Instructions**

CMPSSx, INSx, LODSx, MOVSx, OUTSx, SCASx, STD, STOSx

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    | 0  |    |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

None

## CLFLUSH

## Cache Line Flush

Flushes the cache line specified by the *mem8* linear-address. The instruction checks all levels of the cache hierarchy—internal caches and external caches—and invalidates the cache line in every cache in which it is found. If a cache contains a dirty copy of the cache line (that is, the cache line is in the *modified* or *owned* MOESI state), the line is written back to memory before it is invalidated. The instruction sets the cache-line MOESI state to *invalid*.

The instruction also checks the physical address corresponding to the linear-address operand against the processor’s write-combining buffers. If the write-combining buffer holds data intended for that physical address, the instruction writes the entire contents of the buffer to memory. This occurs even though the data is not cached in the cache hierarchy. In a multiprocessor system, the instruction checks the write-combining buffers only on the processor that executed the CLFLUSH instruction.

On processors that do not support the CLFLUSHOPT instruction, (CPUID Fn 0000\_0007\_EBX\_x0[CLFLOPT]=0), the CLFLUSH instruction is weakly ordered with respect to other instructions that operate on memory. Speculative loads initiated by the processor, or specified explicitly using cache-prefetch instructions, can be reordered around a CLFLUSH instruction. Such reordering can invalidate a speculatively prefetched cache line, unintentionally defeating the prefetch operation. The only way to avoid this situation is to use the MFENCE instruction after the CLFLUSH instruction to force strong-ordering of the CLFLUSH instruction with respect to subsequent memory operations. The CLFLUSH instruction may also take effect on a cache line while stores from previous store instructions are still pending in the store buffer. To ensure that such stores are included in the cache line that is flushed, use an MFENCE instruction ahead of the CLFLUSH instruction. Such stores would otherwise cause the line to be re-cached and modified after the CLFLUSH completed. The LFENCE, SFENCE, and serializing instructions are *not* ordered with respect to CLFLUSH.

On processors that support CLFLUSHOPT, (CPUID Fn 0000\_0007\_EBX\_x0[CLFLOPT]=1), CLFLUSH is ordered with respect to locked operations, fence instructions, and CLFLUSHOPT, CLFLUSH and write instructions that touch the same cache line. CLFLUSH is not ordered with CLFLUSHOPT, CLFLUSH and write instructions to other cache lines.

The CLFLUSH instruction behaves like a load instruction with respect to setting the page-table accessed and dirty bits. That is, it sets the page-table accessed bit to 1, but does not set the page-table dirty bit.

The CLFLUSH instruction executes at any privilege level. CLFLUSH performs all the segmentation and paging checks that a 1-byte read would perform, except that it also allows references to execute-only segments.

The CLFLUSH instruction is supported if the feature flag CPUID Fn0000\_0001\_EDX[CLFSH] is set. The 8-bit field CPUID Fn 0000\_0001\_EBX[CLFlush] returns the size of the cacheline in quadwords.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic            | Opcode   | Description                               |
|---------------------|----------|-------------------------------------------|
| CLFLUSH <i>mem8</i> | 0F AE /7 | flush cache line containing <i>mem8</i> . |

## Related Instructions

INVD, WBINVD, CLFLUSHOPT, CLZERO

## rFLAGS Affected

None

## Exceptions

| Exception (vector)         | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                      |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | CLFLUSH instruction is not supported, as indicated by CPUID Fn0000_0001_EDX[CLFSH] = 0. |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                 |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                    |
|                            |      |                 | X         | A null data segment was used to reference memory.                                       |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                            |

## CLFLUSHOPT

## Optimized Cache Line Flush

Flushes the cache line specified by the mem8 linear-address. The instruction checks all levels of the cache hierarchy—internal caches and external caches—and invalidates the cache line in every cache in which it is found. If a cache contains a dirty copy of the cache line (that is, the cache line is in the modified or owned MOESI state), the line is written back to memory before it is invalidated. The instruction sets the cache-line MOESI state to invalid.

The instruction also checks the physical address corresponding to the linear-address operand against the processor's write-combining buffers. If the write-combining buffer holds data intended for that physical address, the instruction writes the entire contents of the buffer to memory. This occurs even though the data is not cached in the cache hierarchy. In a multiprocessor system, the instruction checks the write-combining buffers only on the processor that executed the CLFLUSHOPT instruction.

The CLFLUSHOPT instruction is ordered with respect to fence instructions and locked operations. CLFLUSHOPT is also ordered with writes, CLFLUSH, and CLFLUSHOPT instructions that reference the same cache line as the CLFLUSHOPT. CLFLUSHOPT is not ordered with writes, CLFLUSH, and CLFLUSHOPT to other cache lines. To enforce ordering in that situation, a SFENCE instruction or stronger should be used.

Speculative loads initiated by the processor, or specified explicitly using cache-prefetch instructions, can be reordered around a CLFLUSHOPT instruction. Such reordering can invalidate a speculatively prefetched cache line, unintentionally defeating the prefetch operation.

The only way to avoid this situation is to use the MFENCE instruction after the CLFLUSHOPT instruction to force strong ordering of the CLFLUSHOPT instruction with respect to subsequent memory operations.

The CLFLUSHOPT instruction behaves like a load instruction with respect to setting the page-table accessed and dirty bits. That is, it sets the page-table accessed bit to 1, but does not set the page-table dirty bit.

The CLFLUSHOPT instruction executes at any privilege level. CLFLUSHOPT performs all the segmentation and paging checks that a 1-byte read would perform, except that it also allows references to execute-only segments.

The CLFLUSHOPT instruction is supported if the feature flag CPUID Fn0000\_0007\_EBX\_x0[CLFLOPT] is set. The 8-bit field CPUID Fn 0000\_0001\_EBX[CLFlush] returns the size of the cacheline in quadwords.

| Mnemonic        | Opcode      | Description                      |
|-----------------|-------------|----------------------------------|
| CLFLUSHOPT mem8 | 66 0F AE /7 | Flush cache line containing mem8 |

**Related Instructions**

CLFLUSH

**rFLAGS Affected**

None

**Exceptions**

| Exception (vector)         | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                      |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | CLFLUSH instruction is not supported, as indicated by CPUID Fn0000_0001_EDX[CLFSH] = 0. |
|                            | X    | X               | X         | Instruction not supported by CPUID Fn0000_0007_EBX_x0[CLFLUSHOPT] = 0                   |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                 |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                    |
|                            |      |                 | X         | A null data segment was used to reference memory.                                       |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                            |

## CLWB

## Cache Line Write Back and Retain

Flushes the cache line specified by the *mem8* linear address. The instruction checks all levels of the cache hierarchy—internal caches and external caches—and causes the cache line, if dirty, to be written to memory. The cache line may be retained in the cache where found in a non-dirty state.

The CLWB instruction is weakly ordered with respect to other instructions that operate on memory. Speculative loads initiated by the processor, or specified explicitly using cache prefetch instructions, can be reordered around a CLWB instruction. CLWB is ordered naturally with older stores to the same address on the same logical processor. To create strict ordering of CLWB use a store-ordering instruction such as SFENCE.

The CLWB instruction behaves like a load instruction with respect to setting the page table accessed and dirty bits. That is, it sets the page table accessed bit to 1, but does not set the page table dirty bit.

The CLWB instruction executes at any privilege level. CLWB performs all the segmentation and paging checks that a 1-byte read would perform, except that it also allows references to execute only segments.

The CLWB instruction is supported if the feature flag CPUID Fn0000\_0007-EBX[24]=1.

The 8-bit field CPUID Fn 0000\_0001\_EBX[CLFlush] returns the size of the cacheline in quadwords.

| Mnemonic | Opcode      | Description            |
|----------|-------------|------------------------|
| CLWB     | 66 0F AE /6 | Cache line write-back. |

### Related Instructions

CLFLUSH, CLFLUSHOPT, WBINVD, WBNOINVD

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception (vector)         | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | Instruction not supported by CPUID Fn0000_0007_EBX[24] = 0              |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.            |

## CLZERO

## Zero Cache Line

Clears the cache line specified by the logical address in rAX by writing a zero to every byte in the line. The instruction uses an implied non temporal memory type, similar to a streaming store, and uses the write combining protocol to minimize cache pollution.

CLZERO is weakly-ordered with respect to other instructions that operate on memory. Software should use an SFENCE or stronger to enforce memory ordering of CLZERO with respect to other store instructions.

The CLZERO instruction executes at any privilege level. CLZERO performs all the segmentation and paging checks that a store of the specified cache line would perform.

The CLZERO instruction is supported if the feature flag CPUID Fn8000\_0008\_EBX[CLZERO] is set. The 8-bit field CPUID Fn 0000\_0001\_EBX[CLFlush] returns the size of the cacheline in quadwords.

| Mnemonic   | Opcode   | Description                      |
|------------|----------|----------------------------------|
| CLZERO rAX | 0F 01 FC | Clears cache line containing rAX |

### Related Instructions

CLFLUSH

### rFLAGS Affected

None

### Exceptions

| Exception (vector)         | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | Instruction not supported by CPUID Fn8000_0008_EBX[CLZERO] = 0          |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.            |

**CMC****Complement Carry Flag**

Complements (toggles) the carry flag (CF) bit of the rFLAGS register.

| Mnemonic | Opcode | Description                     |
|----------|--------|---------------------------------|
| CMC      | F5     | Complement the carry flag (CF). |

**Related Instructions**

CLC, STC

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

None

## CMOVcc

## Conditional Move

Conditionally moves a 16-bit, 32-bit, or 64-bit value in memory or a general-purpose register (second operand) into a register (first operand), depending upon the settings of condition flags in the rFLAGS register. If the condition is not satisfied, the destination register is not modified. For the memory-based forms of CMOVcc, memory-related exceptions may be reported even if the condition is false. In 64-bit mode, CMOVcc with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.

The mnemonics of CMOVcc instructions denote the condition that must be satisfied. Most assemblers provide instruction mnemonics with A (above) and B (below) tags to supply the semantics for manipulating unsigned integers. Those with G (greater than) and L (less than) tags deal with signed integers. Many opcodes may be represented by synonymous mnemonics. For example, the CMOVL instruction is synonymous with the CMOVNGE instruction and denote the instruction with the opcode 0F 4C.

The feature flag CPUID Fn0000\_0001\_EDX[CMOV] or CPUID Fn8000\_0001\_EDX[CMOV] =1 indicates support for CMOVcc instructions on a particular processor implementation.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                                                                                              | Opcode   | Description                          |
|-------------------------------------------------------------------------------------------------------|----------|--------------------------------------|
| CMOVO <i>reg16, reg/mem16</i><br>CMOVO <i>reg32, reg/mem32</i><br>CMOVO <i>reg64, reg/mem64</i>       | 0F 40 /r | Move if overflow (OF = 1).           |
| CMOVNO <i>reg16, reg/mem16</i><br>CMOVNO <i>reg32, reg/mem32</i><br>CMOVNO <i>reg64, reg/mem64</i>    | 0F 41 /r | Move if not overflow (OF = 0).       |
| CMOVB <i>reg16, reg/mem16</i><br>CMOVB <i>reg32, reg/mem32</i><br>CMOVB <i>reg64, reg/mem64</i>       | 0F 42 /r | Move if below (CF = 1).              |
| CMOVC <i>reg16, reg/mem16</i><br>CMOVC <i>reg32, reg/mem32</i><br>CMOVC <i>reg64, reg/mem64</i>       | 0F 42 /r | Move if carry (CF = 1).              |
| CMOVNAE <i>reg16, reg/mem16</i><br>CMOVNAE <i>reg32, reg/mem32</i><br>CMOVNAE <i>reg64, reg/mem64</i> | 0F 42 /r | Move if not above or equal (CF = 1). |
| CMOVNB <i>reg16, reg/mem16</i><br>CMOVNB <i>reg32, reg/mem32</i><br>CMOVNB <i>reg64, reg/mem64</i>    | 0F 43 /r | Move if not below (CF = 0).          |
| CMOVNC <i>reg16, reg/mem16</i><br>CMOVNC <i>reg32, reg/mem32</i><br>CMOVNC <i>reg64, reg/mem64</i>    | 0F 43 /r | Move if not carry (CF = 0).          |

| Mnemonic                                                                                              | Opcode   | Description                                     |
|-------------------------------------------------------------------------------------------------------|----------|-------------------------------------------------|
| CMOVAE <i>reg16, reg/mem16</i><br>CMOVAE <i>reg32, reg/mem32</i><br>CMOVAE <i>reg64, reg/mem64</i>    | 0F 43 /r | Move if above or equal (CF = 0).                |
| CMOVZ <i>reg16, reg/mem16</i><br>CMOVZ <i>reg32, reg/mem32</i><br>CMOVZ <i>reg64, reg/mem64</i>       | 0F 44 /r | Move if zero (ZF = 1).                          |
| CMOVE <i>reg16, reg/mem16</i><br>CMOVE <i>reg32, reg/mem32</i><br>CMOVE <i>reg64, reg/mem64</i>       | 0F 44 /r | Move if equal (ZF = 1).                         |
| CMOVNZ <i>reg16, reg/mem16</i><br>CMOVNZ <i>reg32, reg/mem32</i><br>CMOVNZ <i>reg64, reg/mem64</i>    | 0F 45 /r | Move if not zero (ZF = 0).                      |
| CMOVNE <i>reg16, reg/mem16</i><br>CMOVNE <i>reg32, reg/mem32</i><br>CMOVNE <i>reg64, reg/mem64</i>    | 0F 45 /r | Move if not equal (ZF = 0).                     |
| CMOVBE <i>reg16, reg/mem16</i><br>CMOVBE <i>reg32, reg/mem32</i><br>CMOVBE <i>reg64, reg/mem64</i>    | 0F 46 /r | Move if below or equal (CF = 1 or ZF = 1).      |
| CMOVNA <i>reg16, reg/mem16</i><br>CMOVNA <i>reg32, reg/mem32</i><br>CMOVNA <i>reg64, reg/mem64</i>    | 0F 46 /r | Move if not above (CF = 1 or ZF = 1).           |
| CMOVNBE <i>reg16, reg/mem16</i><br>CMOVNBE <i>reg32, reg/mem32</i><br>CMOVNBE <i>reg64, reg/mem64</i> | 0F 47 /r | Move if not below or equal (CF = 0 and ZF = 0). |
| CMOVA <i>reg16, reg/mem16</i><br>CMOVA <i>reg32, reg/mem32</i><br>CMOVA <i>reg64, reg/mem64</i>       | 0F 47 /r | Move if above (CF = 0 and ZF = 0).              |
| CMOVS <i>reg16, reg/mem16</i><br>CMOVS <i>reg32, reg/mem32</i><br>CMOVS <i>reg64, reg/mem64</i>       | 0F 48 /r | Move if sign (SF = 1).                          |
| CMOVNS <i>reg16, reg/mem16</i><br>CMOVNS <i>reg32, reg/mem32</i><br>CMOVNS <i>reg64, reg/mem64</i>    | 0F 49 /r | Move if not sign (SF = 0).                      |
| CMOVNP <i>reg16, reg/mem16</i><br>CMOVNP <i>reg32, reg/mem32</i><br>CMOVNP <i>reg64, reg/mem64</i>    | 0F 4A /r | Move if parity (PF = 1).                        |
| CMOVPE <i>reg16, reg/mem16</i><br>CMOVPE <i>reg32, reg/mem32</i><br>CMOVPE <i>reg64, reg/mem64</i>    | 0F 4A /r | Move if parity even (PF = 1).                   |
| CMOVNP <i>reg16, reg/mem16</i><br>CMOVNP <i>reg32, reg/mem32</i><br>CMOVNP <i>reg64, reg/mem64</i>    | 0F 4B /r | Move if not parity (PF = 0).                    |
| CMOVPO <i>reg16, reg/mem16</i><br>CMOVPO <i>reg32, reg/mem32</i><br>CMOVPO <i>reg64, reg/mem64</i>    | 0F 4B /r | Move if parity odd (PF = 0).                    |

| Mnemonic                 | Opcode   | Description              |
|--------------------------|----------|--------------------------|
| CMOVL reg16, reg/mem16   |          |                          |
| CMOVL reg32, reg/mem32   |          |                          |
| CMOVL reg64, reg/mem64   |          |                          |
| CMOVNGE reg16, reg/mem16 | 0F 4C /r | Move if less (SF <> OF). |
| CMOVNGE reg32, reg/mem32 |          |                          |
| CMOVNGE reg64, reg/mem64 |          |                          |
| CMOVNL reg16, reg/mem16  |          |                          |
| CMOVNL reg32, reg/mem32  |          |                          |
| CMOVNL reg64, reg/mem64  |          |                          |
| CMOVGE reg16, reg/mem16  |          |                          |
| CMOVGE reg32, reg/mem32  |          |                          |
| CMOVGE reg64, reg/mem64  |          |                          |
| CMOVLE reg16, reg/mem16  |          |                          |
| CMOVLE reg32, reg/mem32  |          |                          |
| CMOVLE reg64, reg/mem64  |          |                          |
| CMOVNG reg16, reg/mem16  |          |                          |
| CMOVNG reg32, reg/mem32  |          |                          |
| CMOVNG reg64, reg/mem64  |          |                          |
| CMOVNLE reg16, reg/mem16 |          |                          |
| CMOVNLE reg32, reg/mem32 |          |                          |
| CMOVNLE reg64, reg/mem64 |          |                          |
| CMOVG reg16, reg/mem16   |          |                          |
| CMOVG reg32, reg/mem32   |          |                          |
| CMOVG reg64, reg/mem64   |          |                          |

## Related Instructions

MOV

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                             |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | CMOVcc instruction is not supported, as indicated by CPUID Fn0000_0001_EDX[CMOV] or Fn8000_0001_EDX[CMOV] = 0. |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                        |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                           |
|                            |      |                 | X         | A null data segment was used to reference memory.                                                              |

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**CMP****Compare**

Compares the contents of a register or memory location (first operand) with an immediate value or the contents of a register or memory location (second operand), and sets or clears the status flags in the rFLAGS register to reflect the results. To perform the comparison, the instruction subtracts the second operand from the first operand and sets the status flags in the same manner as the SUB instruction, but does not alter the first operand. If the second operand is an immediate value, the instruction sign-extends the value to the length of the first operand.

Use the CMP instruction to set the condition codes for a subsequent conditional jump (*Jcc*), conditional move (CMOV*cc*), or conditional SET*cc* instruction. Appendix F, “Instruction Effects on RFLAGS” shows how instructions affect the rFLAGS status flags.

| Mnemonic                    | Opcode          | Description                                                                                         |
|-----------------------------|-----------------|-----------------------------------------------------------------------------------------------------|
| CMP AL, <i>imm8</i>         | 3C <i>ib</i>    | Compare an 8-bit immediate value with the contents of the AL register.                              |
| CMP AX, <i>imm16</i>        | 3D <i>iw</i>    | Compare a 16-bit immediate value with the contents of the AX register.                              |
| CMP EAX, <i>imm32</i>       | 3D <i>id</i>    | Compare a 32-bit immediate value with the contents of the EAX register.                             |
| CMP RAX, <i>imm32</i>       | 3D <i>id</i>    | Compare a 32-bit immediate value with the contents of the RAX register.                             |
| CMP <i>reg/mem8, imm8</i>   | 80 /7 <i>ib</i> | Compare an 8-bit immediate value with the contents of an 8-bit register or memory operand.          |
| CMP <i>reg/mem16, imm16</i> | 81 /7 <i>iw</i> | Compare a 16-bit immediate value with the contents of a 16-bit register or memory operand.          |
| CMP <i>reg/mem32, imm32</i> | 81 /7 <i>id</i> | Compare a 32-bit immediate value with the contents of a 32-bit register or memory operand.          |
| CMP <i>reg/mem64, imm32</i> | 81 /7 <i>id</i> | Compare a 32-bit signed immediate value with the contents of a 64-bit register or memory operand.   |
| CMP <i>reg/mem16, imm8</i>  | 83 /7 <i>ib</i> | Compare an 8-bit signed immediate value with the contents of a 16-bit register or memory operand.   |
| CMP <i>reg/mem32, imm8</i>  | 83 /7 <i>ib</i> | Compare an 8-bit signed immediate value with the contents of a 32-bit register or memory operand.   |
| CMP <i>reg/mem64, imm8</i>  | 83 /7 <i>ib</i> | Compare an 8-bit signed immediate value with the contents of a 64-bit register or memory operand.   |
| CMP <i>reg/mem8, reg8</i>   | 38 / <i>r</i>   | Compare the contents of an 8-bit register or memory operand with the contents of an 8-bit register. |
| CMP <i>reg/mem16, reg16</i> | 39 / <i>r</i>   | Compare the contents of a 16-bit register or memory operand with the contents of a 16-bit register. |
| CMP <i>reg/mem32, reg32</i> | 39 / <i>r</i>   | Compare the contents of a 32-bit register or memory operand with the contents of a 32-bit register. |
| CMP <i>reg/mem64, reg64</i> | 39 / <i>r</i>   | Compare the contents of a 64-bit register or memory operand with the contents of a 64-bit register. |

| Mnemonic             | Opcode | Description                                                                                         |
|----------------------|--------|-----------------------------------------------------------------------------------------------------|
| CMP reg8, reg/mem8   | 3A /r  | Compare the contents of an 8-bit register with the contents of an 8-bit register or memory operand. |
| CMP reg16, reg/mem16 | 3B /r  | Compare the contents of a 16-bit register with the contents of a 16-bit register or memory operand. |
| CMP reg32, reg/mem32 | 3B /r  | Compare the contents of a 32-bit register with the contents of a 32-bit register or memory operand. |
| CMP reg64, reg/mem64 | 3B /r  | Compare the contents of a 64-bit register with the contents of a 64-bit register or memory operand. |

When interpreting operands as unsigned, flag settings are as follows:

| Operands      | CF | ZF |
|---------------|----|----|
| dest > source | 0  | 0  |
| dest = source | 0  | 1  |
| dest < source | 1  | 0  |

When interpreting operands as signed, flag settings are as follows:

| Operands      | OF     | ZF |
|---------------|--------|----|
| dest > source | SF     | 0  |
| dest = source | 0      | 1  |
| dest < source | NOT SF | 0  |

## Related Instructions

SUB, CMPSx, SCASx

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## **CMP** **CMPSB** **CMPSW** **CMPSD** **CMPSQ**

## **Compare Strings**

Compares the bytes, words, doublewords, or quadwords pointed to by the rSI and rDI registers, sets or clears the status flags of the rFLAGS register to reflect the results, and then increments or decrements the rSI and rDI registers according to the state of the DF flag in the rFLAGS register. To perform the comparison, the instruction subtracts the second operand from the first operand and sets the status flags in the same manner as the SUB instruction, but does not alter the first operand. The two operands must be the same size.

If the DF flag is 0, the instruction increments rSI and rDI; otherwise, it decrements the pointers. It increments or decrements the pointers by 1, 2, 4, or 8, depending on the size of the operands.

The forms of the CMPSx instruction with explicit operands address the first operand at *seg*:[rSI]. The value of *seg* defaults to the DS segment, but may be overridden by a segment prefix. These instructions always address the second operand at ES:[rDI]. ES may not be overridden. The explicit operands serve only to specify the type (size) of the values being compared and the segment used by the first operand.

The no-operands forms of the instruction use the DS:[rSI] and ES:[rDI] registers to point to the values to be compared. The mnemonic determines the size of the operands.

Do not confuse this CMPSD instruction with the same-mnemonic CMPSD (compare scalar double-precision floating-point) instruction in the 128-bit media instruction set. Assemblers can distinguish the instructions by the number and type of operands.

For block comparisons, the CMPS instruction supports the REPE or REPZ prefixes (they are synonyms) and the REPNE or REPNZ prefixes (they are synonyms). For details about the REP prefixes, see “Repeat Prefixes” on page 12. If a conditional jump instruction like JL follows a CMPSx instruction, the jump occurs if the value of the *seg*:[rSI] operand is less than the ES:[rDI] operand. This action allows lexicographical comparisons of string or array elements. A CMPSx instruction can also operate inside a loop controlled by the LOOPcc instruction.

| Mnemonic                 | Opcode | Description                                                                                                 |
|--------------------------|--------|-------------------------------------------------------------------------------------------------------------|
| CMPS <i>mem8, mem8</i>   | A6     | Compare the byte at DS:rSI with the byte at ES:rDI and then increment or decrement rSI and rDI.             |
| CMPS <i>mem16, mem16</i> | A7     | Compare the word at DS:rSI with the word at ES:rDI and then increment or decrement rSI and rDI.             |
| CMPS <i>mem32, mem32</i> | A7     | Compare the doubleword at DS:rSI with the doubleword at ES:rDI and then increment or decrement rSI and rDI. |
| CMPS <i>mem64, mem64</i> | A7     | Compare the quadword at DS:rSI with the quadword at ES:rDI and then increment or decrement rSI and rDI.     |

| Mnemonic | Opcode | Description                                                                                                 |
|----------|--------|-------------------------------------------------------------------------------------------------------------|
| CMPSB    | A6     | Compare the byte at DS:rSI with the byte at ES:rDI and then increment or decrement rSI and rDI.             |
| CMPSW    | A7     | Compare the word at DS:rSI with the word at ES:rDI and then increment or decrement rSI and rDI.             |
| CMPSD    | A7     | Compare the doubleword at DS:rSI with the doubleword at ES:rDI and then increment or decrement rSI and rDI. |
| CMPSQ    | A7     | Compare the quadword at DS:rSI with the quadword at ES:rDI and then increment or decrement rSI and rDI.     |

## Related Instructions

CMP, SCASx

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## CMPXCHG

## Compare and Exchange

Compares the value in the AL, AX, EAX, or RAX register with the value in a register or a memory location (first operand). If the two values are equal, the instruction copies the value in the second operand to the first operand and sets the ZF flag in the rFLAGS register to 1. Otherwise, it copies the value in the first operand to the AL, AX, EAX, or RAX register and clears the ZF flag to 0.

The OF, SF, AF, PF, and CF flags are set to reflect the results of the compare.

When the first operand is a memory operand, CMPXCHG always does a read-modify-write on the memory operand. If the compared operands were unequal, CMPXCHG writes the same value to the memory operand that was read.

The forms of the CMPXCHG instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                        | Opcode   | Description                                                                                                                                                       |
|---------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CMPXCHG <i>reg/mem8, reg8</i>   | 0F B0 /r | Compare AL register with an 8-bit register or memory location. If equal, copy the second operand to the first operand. Otherwise, copy the first operand to AL.   |
| CMPXCHG <i>reg/mem16, reg16</i> | 0F B1 /r | Compare AX register with a 16-bit register or memory location. If equal, copy the second operand to the first operand. Otherwise, copy the first operand to AX.   |
| CMPXCHG <i>reg/mem32, reg32</i> | 0F B1 /r | Compare EAX register with a 32-bit register or memory location. If equal, copy the second operand to the first operand. Otherwise, copy the first operand to EAX. |
| CMPXCHG <i>reg/mem64, reg64</i> | 0F B1 /r | Compare RAX register with a 64-bit register or memory location. If equal, copy the second operand to the first operand. Otherwise, copy the first operand to RAX. |

## Related Instructions

CMPXCHG8B, CMPXCHG16B

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## CMPXCHG8B CMPXCHG16B

## Compare and Exchange Eight Bytes Compare and Exchange Sixteen Bytes

Compares the value in the rDX:rAX registers with a 64-bit or 128-bit value in the specified memory location. If the values are equal, the instruction copies the value in the rCX:rBX registers to the memory location and sets the zero flag (ZF) of the rFLAGS register to 1. Otherwise, it copies the value in memory to the rDX:rAX registers and clears ZF to 0.

If the effective operand size is 16-bit or 32-bit, the CMPXCHG8B instruction is used. This instruction uses the EDX:EAX and ECX:EBX register operands and a 64-bit memory operand. If the effective operand size is 64-bit, the CMPXCHG16B instruction is used; this instruction uses RDX:RAX register operands and a 128-bit memory operand.

The CMPXCHG8B and CMPXCHG16B instructions always do a read-modify-write on the memory operand. If the compared operands were unequal, the instructions write the same value to the memory operand that was read.

The CMPXCHG8B and CMPXCHG16B instructions support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

Support for the CMPXCHG8B and CMPXCHG16B instructions is implementation dependent. Support for the CMPXCHG8B instruction is indicated by CPUID Fn0000\_0001\_EDX[CMPXCHG8B] or Fn8000\_0001\_EDX[CMPXCHG8B] = 1. Support for the CMPXCHG16B instruction is indicated by CPUID Fn0000\_0001\_ECX[CMPXCHG16B] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

The memory operand used by CMPXCHG16B must be 16-byte aligned or else a general-protection exception is generated.

| Mnemonic                 | Opcode               | Description                                                                                                                                                                                                              |
|--------------------------|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CMPXCHG8B <i>mem64</i>   | 0F C7 /1 <i>m64</i>  | Compare EDX:EAX register to 64-bit memory location. If equal, set the zero flag (ZF) to 1 and copy the ECX:EBX register to the memory location. Otherwise, copy the memory location to EDX:EAX and clear the zero flag.  |
| CMPXCHG16B <i>mem128</i> | 0F C7 /1 <i>m128</i> | Compare RDX:RAX register to 128-bit memory location. If equal, set the zero flag (ZF) to 1 and copy the RCX:RBX register to the memory location. Otherwise, copy the memory location to RDX:RAX and clear the zero flag. |

### Related Instructions

CMPXCHG

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    | M  |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                          |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | CMPXCHG8B instruction is not supported, as indicated by CPUID Fn0000_0001_EDX[CMPXCHG8B] or Fn8000_0001_EDX[CMPXCHG8B] = 0. |
|                            |      |                 | X         | CMPXCHG16B instruction is not supported, as indicated by CPUID Fn0000_0001_ECX[CMPXCHG16B] = 0.                             |
|                            | X    | X               | X         | The operand was a register.                                                                                                 |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                                     |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                                        |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                                                                      |
|                            |      |                 | X         | A null data segment was used to reference memory.                                                                           |
|                            |      |                 | X         | The memory operand for CMPXCHG16B was not aligned on a 16-byte boundary.                                                    |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                           |

## CPUID

## Processor Identification

Provides information about the processor and its capabilities through a number of different functions. Software should load the number of the CPUID function to execute into the EAX register before executing the CPUID instruction. The processor returns information in the EAX, EBX, ECX, and EDX registers; the contents and format of these registers depend on the function.

The architecture supports CPUID information about *standard functions* and *extended functions*. The standard functions have numbers in the 0000\_xxxxh series (for example, standard function 1). To determine the largest standard function number that a processor supports, execute CPUID function 0.

The extended functions have numbers in the 8000\_xxxxh series (for example, extended function 8000\_0001h). To determine the largest extended function number that a processor supports, execute CPUID extended function 8000\_0000h. If the value returned in EAX is greater than 8000\_0000h, the processor supports extended functions.

When HWCR[CpuidUserDis]=0, software operating at any privilege level can execute the CPUID instruction to collect this information. When HWCR[CpuidUserDis]=1 and not in SMM, only privileged software can execute the CPUID instruction. CPUID Fn8000\_0021\_EAX[CpuidUserDis] (bit 17) indicates support for CPUID instruction disable for non-privileged software (CPL>0).

In 64-bit mode, this instruction works the same as in legacy mode except that it zero-extends 32-bit register results to 64 bits.

CPUID is a serializing instruction.

| Mnemonic | Opcode | Description                                                                                                                                      |
|----------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------|
| CPUID    | 0F A2  | Returns information about the processor and its capabilities. EAX specifies the function number, and the data is returned in EAX, EBX, ECX, EDX. |

## Testing for the CPUID Instruction

To avoid an invalid-opcode exception (#UD) on those processor implementations that do not support the CPUID instruction, software must first test to determine if the CPUID instruction is supported. Support for the CPUID instruction is indicated by the ability to write the ID bit in the rFLAGS register. Normally, 32-bit software uses the PUSHFD and POPFD instructions in an attempt to write rFLAGS.ID. After reading the updated rFLAGS.ID bit, a comparison determines if the operation changed its value. If the value changed, the processor executing the code supports the CPUID instruction. If the value did not change, rFLAGS.ID is not writable, and the processor does not support the CPUID instruction.

The following code sample shows how to test for the presence of the CPUID instruction using 32-bit code.

```
pushfd          ; save EFLAGS
pop    eax       ; store EFLAGS in EAX
```

```

mov      ebx, eax          ; save in EBX for later testing
xor      eax, 00200000h    ; toggle bit 21
push     eax              ; push to stack
popfd   eax              ; save changed EAX to EFLAGS
pushfd  eax              ; push EFLAGS to TOS
pop     eax              ; store EFLAGS in EAX
cmp     eax, ebx          ; see if bit 21 has changed
jz      NO_CPUID         ; if no change, no CPUID

```

## Standard Function 0 and Extended Function 8000\_0000h

CPUID standard function 0 loads the EAX register with the largest CPUID *standard* function number supported by the processor implementation; similarly, CPUID extended function 8000\_0000h loads the EAX register with the largest *extended* function number supported.

Standard function 0 and extended function 8000\_0000h both load a 12-character string into the EBX, EDX, and ECX registers identifying the processor vendor. For AMD processors, the string is AuthenticAMD. This string informs software that it should follow the AMD CPUID definition for subsequent CPUID function calls. If the function returns another vendor's string, software must use that vendor's CPUID definition when interpreting the results of subsequent CPUID function calls. Table 3-2 shows the contents of the EBX, EDX, and ECX registers after executing function 0 on an AMD processor.

**Table 3-2. Processor Vendor Return Values**

| Register | Return Value | ASCII Characters |
|----------|--------------|------------------|
| EBX      | 6874_7541h   | "h t u A"        |
| EDX      | 6974_6E65h   | "i t n e"        |
| ECX      | 444D_4163h   | "D M A c"        |

For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613. For a description of all defined feature numbers and return values, see Appendix E, “Obtaining Processor Information Via the CPUID Instruction,” on page 621.

## Related Instructions

None

## rFLAGS Affected

None

## Exceptions

| Exception                  | Mode |                 |           | Cause of Exception                          |
|----------------------------|------|-----------------|-----------|---------------------------------------------|
|                            | Real | Virtual<br>8086 | Protected |                                             |
| General Protection,<br>#GP | X    | X               | X         | HWCR[CpuidUserDis] = 1 and CPL was<br>not 0 |

## CRC32

## CRC32 Cyclical Redundancy Check

Performs one step of a 32-bit cyclic redundancy check.

The first source, which is also the destination, is a doubleword value in either a 32-bit or 64-bit GPR depending on the presence of a REX prefix and the value of the REX.W bit. The second source is a GPR or memory location of width 8, 16, or 32 bits. A vector of width 40, 48, or 64 bits is derived from the two operands as follows:

1. The low-order 32 bits of the first operand is bit-wise inverted and shifted left by the width of the second operand.
2. The second operand is bit-wise inverted and shifted left by 32 bits
3. The results of steps 1 and 2 are `xor`d.

This vector is interpreted as a polynomial of degree 40, 48, or 64 over the field of two elements (i.e., bit  $i$  is interpreted as the coefficient of  $X^i$ ). This polynomial is divided by the polynomial of degree 32 that is similarly represented by the vector 11EDC6F41h. (The division admits an efficient iterative implementation based on the `xor` operation.) The remainder is encoded as a 32-bit vector, which is bit-wise inverted and written to the destination. In the case of a 64-bit destination, the upper 32 bits are cleared.

In an application of the CRC algorithm, a data block is partitioned into byte, word, or doubleword segments and CRC32 is executed iteratively, once for each segment.

CRC32 is a SSE4.2 instruction. Support for SSE4.2 instructions is indicated by CPUID Fn0000\_0001\_ECX[SSE42]=1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

### Instruction Encoding

| Mnemonic                      | Encoding             | Notes                                                     |
|-------------------------------|----------------------|-----------------------------------------------------------|
| CRC32 <i>reg32, reg/mem8</i>  | F2 0F 38 F0 /r       | Perform CRC32 operation on 8-bit values                   |
| CRC32 <i>reg32, reg/mem8</i>  | F2 REX 0F 38 F0 /r   | Encoding using REX prefix allows access to GPR8–15        |
| CRC32 <i>reg32, reg/mem16</i> | F2 0F 38 F1 /r       | Effective operand size determines size of second operand. |
| CRC32 <i>reg32, reg/mem32</i> | F2 0F 38 F1 /r       |                                                           |
| CRC32 <i>reg64, reg/mem8</i>  | F2 REX.W 0F 38 F0 /r | REX.W = 1.                                                |
| CRC32 <i>reg64, reg/mem64</i> | F2 REX.W 0F 38 F1 /r | REX.W = 1.                                                |

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Mode |                 |           | Cause of Exception                                                                     |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------|
|                            | Real | Virtual<br>8086 | Protected |                                                                                        |
| Invalid opcode,<br>#UD     | X    | X               | X         | Lock prefix (F0h) preceding opcode.                                                    |
|                            | X    | X               | X         | SSE42 instructions are not supported as indicated by CPUID Fn0000_0001_ECX[SSE42] = 0. |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                   |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                                 |
|                            |      |                 | X         | A null data segment was used to reference memory.                                      |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                           |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.      |

## DAA

## Decimal Adjust after Addition

Adjusts the value in the AL register into a packed BCD result and sets the CF and AF flags in the rFLAGS register to indicate a decimal carry out of either nibble of AL.

Use this instruction to adjust the result of a byte ADD instruction that performed the binary addition of one 2-digit packed BCD values to another.

The instruction performs the adjustment by adding 06h to AL if the lower nibble is greater than 9 or if AF = 1. Then 60h is added to AL if the original AL was greater than 99h or if CF = 1.

If the lower nibble of AL was adjusted, the AF flag is set to 1. Otherwise AF is not modified. If the upper nibble of AL was adjusted, the CF flag is set to 1. Otherwise, CF is not modified. SF, ZF, and PF are set according to the final value of AL.

Using this instruction in 64-bit mode generates an invalid-opcode (#UD) exception.

| Mnemonic | Opcode | Description                                     |
|----------|--------|-------------------------------------------------|
| DAA      | 27     | Decimal adjust AL.<br>(Invalid in 64-bit mode.) |

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception              | Real | Virtual 8086 | Protected | Cause of Exception                            |
|------------------------|------|--------------|-----------|-----------------------------------------------|
| Invalid opcode,<br>#UD |      |              | X         | This instruction was executed in 64-bit mode. |

## DAS

## Decimal Adjust after Subtraction

Adjusts the value in the AL register into a packed BCD result and sets the CF and AF flags in the rFLAGS register to indicate a decimal borrow.

Use this instruction to adjust the result of a byte SUB instruction that performed a binary subtraction of one 2-digit, packed BCD value from another.

This instruction performs the adjustment by subtracting 06h from AL if the lower nibble is greater than 9 or if AF = 1. Then 60h is subtracted from AL if the original AL was greater than 99h or if CF = 1.

If the adjustment changes the lower nibble of AL, the AF flag is set to 1; otherwise AF is not modified. If the adjustment results in a borrow for either nibble of AL, the CF flag is set to 1; otherwise CF is not modified. The SF, ZF, and PF flags are set according to the final value of AL.

Using this instruction in 64-bit mode generates an invalid-opcode (#UD) exception.

| Mnemonic | Opcode | Description                                                        |
|----------|--------|--------------------------------------------------------------------|
| DAS      | 2F     | Decimal adjusts AL after subtraction.<br>(Invalid in 64-bit mode.) |

### Related Instructions

DAA

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                            |
|------------------------|------|-----------------|-----------|-----------------------------------------------|
| Invalid opcode,<br>#UD |      |                 | X         | This instruction was executed in 64-bit mode. |

## DEC

## Decrement by 1

Subtracts 1 from the specified register or memory location. The CF flag is not affected.

The one-byte forms of this instruction (opcodes 48 through 4F) are used as REX prefixes in 64-bit mode. See “REX Prefix” on page 14.

The forms of the DEC instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

To perform a decrement operation that updates the CF flag, use a SUB instruction with an immediate operand of 1.

| Mnemonic      | Opcode | Description                                                                         |
|---------------|--------|-------------------------------------------------------------------------------------|
| DEC reg/mem8  | FE /1  | Decrement the contents of an 8-bit register or memory location by 1.                |
| DEC reg/mem16 | FF /1  | Decrement the contents of a 16-bit register or memory location by 1.                |
| DEC reg/mem32 | FF /1  | Decrement the contents of a 32-bit register or memory location by 1.                |
| DEC reg/mem64 | FF /1  | Decrement the contents of a 64-bit register or memory location by 1.                |
| DEC reg16     | 48 +rw | Decrement the contents of a 16-bit register by 1.<br>(See “REX Prefix” on page 14.) |
| DEC reg32     | 48 +rd | Decrement the contents of a 32-bit register by 1.<br>(See “REX Prefix” on page 14.) |

## Related Instructions

INC, SUB

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded the data segment limit or was non-canonical.            |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**DIV****Unsigned Divide**

Divides the unsigned value in a register by the unsigned value in the specified register or memory location. The register to be divided depends on the size of the divisor.

When dividing a word, the dividend is in the AX register. The instruction stores the quotient in the AL register and the remainder in the AH register.

When dividing a doubleword, quadword, or double quadword, the most-significant word of the dividend is in the rDX register and the least-significant word is in the rAX register. After the division, the instruction stores the quotient in the rAX register and the remainder in the rDX register.

The following table summarizes the action of this instruction:

| Division Size            | Dividend | Divisor   | Quotient | Remainder | Maximum Quotient |
|--------------------------|----------|-----------|----------|-----------|------------------|
| Word/byte                | AX       | reg/mem8  | AL       | AH        | 255              |
| Doubleword/word          | DX:AX    | reg/mem16 | AX       | DX        | 65,535           |
| Quadword/doubleword      | EDX:EAX  | reg/mem32 | EAX      | EDX       | $2^{32} - 1$     |
| Double quadword/quadword | RDX:RAX  | reg/mem64 | RAX      | RDX       | $2^{64} - 1$     |

The instruction truncates non-integral results towards 0 and the remainder is always less than the divisor. An overflow generates a #DE (divide error) exception, rather than setting the CF flag.

Division by zero generates a divide-by-zero exception.

| Mnemonic      | Opcode | Description                                                                                                                                          |
|---------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| DIV reg/mem8  | F6 /6  | Perform unsigned division of AX by the contents of an 8-bit register or memory location and store the quotient in AL and the remainder in AH.        |
| DIV reg/mem16 | F7 /6  | Perform unsigned division of DX:AX by the contents of a 16-bit register or memory operand store the quotient in AX and the remainder in DX.          |
| DIV reg/mem32 | F7 /6  | Perform unsigned division of EDX:EAX by the contents of a 32-bit register or memory location and store the quotient in EAX and the remainder in EDX. |
| DIV reg/mem64 | F7 /6  | Perform unsigned division of RDX:RAX by the contents of a 64-bit register or memory location and store the quotient in RAX and the remainder in RDX. |

**Related Instructions**

MUL

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | U  | U  | U  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Divide by zero, #DE        | X    | X               | X         | The divisor operand was 0.                                                        |
|                            | X    | X               | X         | The quotient was too large for the designated register.                           |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## ENTER

## Create Procedure Stack Frame

Creates a stack frame for a procedure.

The first operand specifies the size of the stack frame allocated by the instruction.

The second operand specifies the nesting level (0 to 31—the value is automatically masked to 5 bits). For nesting levels of 1 or greater, the processor copies earlier stack frame pointers before adjusting the stack pointer. This action provides a called procedure with access points to other nested stack frames.

The 32-bit `enter N, 0` (a nesting level of 0) instruction is equivalent to the following 32-bit instruction sequence:

```
push    ebp          ; save current EBP
mov     ebp, esp    ; set stack frame pointer value
sub     esp, N       ; allocate space for local variables
```

The ENTER and LEAVE instructions provide support for block structured languages. The LEAVE instruction releases the stack frame on returning from a procedure.

In 64-bit mode, the operand size of ENTER defaults to 64 bits, and there is no prefix available for encoding a 32-bit operand size.

| Mnemonic                       | Opcode   | Description                                  |
|--------------------------------|----------|----------------------------------------------|
| <code>ENTER imm16, 0</code>    | C8 iw 00 | Create a procedure stack frame.              |
| <code>ENTER imm16, 1</code>    | C8 iw 01 | Create a nested stack frame for a procedure. |
| <code>ENTER imm16, imm8</code> | C8 iw ib | Create a nested stack frame for a procedure. |

### Action

// See "Pseudocode Definition" on page 61.

ENTER\_START:

```
temp_ALLOC_SPACE = word-sized immediate specified in the instruction
                  (first operand), zero-extended to 64 bits
temp_LEVEL = byte-sized immediate specified in the instruction
                  (second operand), zero-extended to 64 bits

temp_LEVEL = temp_LEVEL AND 0x1f
                  // only keep 5 bits of level count

PUSH.v old_RBP

temp_RBP = RSP          // This value of RSP will eventually be loaded
                  // into RBP.
IF (temp_LEVEL>0)      // Push "temp_LEVEL" parameters to the stack.
{
    FOR (I=1; I<temp_LEVEL; I++)
        PUSH.B temp_LEVEL
```

```

        // All but one of the parameters are copied
        // from higher up on the stack.
    {
        temp_DATA = READ_MEM.v [SS:old_RBP-I*V]
        PUSH.v temp_DATA
    }
    PUSH.v temp_RBP           // The last parameter is the offset of the old
                               // value of RSP on the stack.
}
RSP.s = RSP - temp_ALLOC_SPACE // Leave "temp_ALLOC_SPACE" free bytes on
                               // the stack

        WRITE_MEM.v [SS:RSP.s] = temp_unused // ENTER finishes with a memory
write                                         // check on the final stack pointer,
                                         // but no write actually occurs.

RBP.v = temp_RBP
EXIT

```

## Related Instructions

LEAVE

## rFLAGS Affected

None

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack-segment limit or was non-canonical.           |
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**IDIV****Signed Divide**

Divides the signed value in a register by the signed value in the specified register or memory location. The register to be divided depends on the size of the divisor.

When dividing a word, the dividend is in the AX register. The instruction stores the quotient in the AL register and the remainder in the AH register.

When dividing a doubleword, quadword, or double quadword, the most-significant word of the dividend is in the rDX register and the least-significant word is in the rAX register. After the division, the instruction stores the quotient in the rAX register and the remainder in the rDX register.

The following table summarizes the action of this instruction:

| Division Size            | Dividend | Divisor   | Quotient | Remainder | Quotient Range           |
|--------------------------|----------|-----------|----------|-----------|--------------------------|
| Word/byte                | AX       | reg/mem8  | AL       | AH        | -128 to +127             |
| Doubleword/word          | DX:AX    | reg/mem16 | AX       | DX        | -32,768 to +32,767       |
| Quadword/doubleword      | EDX:EAX  | reg/mem32 | EAX      | EDX       | - $2^{31}$ to $2^{31}-1$ |
| Double quadword/quadword | RDX:RAX  | reg/mem64 | RAX      | RDX       | - $2^{63}$ to $2^{63}-1$ |

The instruction truncates non-integral results towards 0. The sign of the remainder is always the same as the sign of the dividend, and the absolute value of the remainder is less than the absolute value of the divisor. An overflow generates a #DE (divide error) exception, rather than setting the OF flag.

To avoid overflow problems, precede this instruction with a CBW, CWD, CDQ, or CQO instruction to sign-extend the dividend.

| Mnemonic       | Opcode | Description                                                                                                                                        |
|----------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------|
| IDIV reg/mem8  | F6 /7  | Perform signed division of AX by the contents of an 8-bit register or memory location and store the quotient in AL and the remainder in AH.        |
| IDIV reg/mem16 | F7 /7  | Perform signed division of DX:AX by the contents of a 16-bit register or memory location and store the quotient in AX and the remainder in DX.     |
| IDIV reg/mem32 | F7 /7  | Perform signed division of EDX:EAX by the contents of a 32-bit register or memory location and store the quotient in EAX and the remainder in EDX. |
| IDIV reg/mem64 | F7 /7  | Perform signed division of RDX:RAX by the contents of a 64-bit register or memory location and store the quotient in RAX and the remainder in RDX. |

## Related Instructions

IMUL

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | U  | U  | U  | U  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Divide by zero, #DE        | X    | X               | X         | The divisor operand was 0.                                                        |
|                            | X    | X               | X         | The quotient was too large for the designated register.                           |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## IMUL

## Signed Multiply

Multiplies two signed operands. The number of operands determines the form of the instruction.

If a single operand is specified, the instruction multiplies the value in the specified general-purpose register or memory location by the value in the AL, AX, EAX, or RAX register (depending on the operand size) and stores the product in AX, DX:AX, EDX:EAX, or RDX:RAX, respectively.

If two operands are specified, the instruction multiplies the value in a general-purpose register (first operand) by an immediate value or the value in a general-purpose register or memory location (second operand) and stores the product in the first operand location.

If three operands are specified, the instruction multiplies the value in a general-purpose register or memory location (second operand), by an immediate value (third operand) and stores the product in a register (first operand).

The IMUL instruction sign-extends an immediate operand to the length of the other register/memory operand.

The CF and OF flags are set if, due to integer overflow, the double-width multiplication result cannot be represented in the half-width destination register. Otherwise the CF and OF flags are cleared.

| Mnemonic                    | Opcode   | Description                                                                                                                                                                 |
|-----------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| IMUL reg/mem8               | F6 /5    | Multiply the contents of AL by the contents of an 8-bit memory or register operand and put the signed result in AX.                                                         |
| IMUL reg/mem16              | F7 /5    | Multiply the contents of AX by the contents of a 16-bit memory or register operand and put the signed result in DX:AX.                                                      |
| IMUL reg/mem32              | F7 /5    | Multiply the contents of EAX by the contents of a 32-bit memory or register operand and put the signed result in EDX:EAX.                                                   |
| IMUL reg/mem64              | F7 /5    | Multiply the contents of RAX by the contents of a 64-bit memory or register operand and put the signed result in RDX:RAX.                                                   |
| IMUL reg16, reg/mem16       | 0F AF /r | Multiply the contents of a 16-bit destination register by the contents of a 16-bit register or memory operand and put the signed result in the 16-bit destination register. |
| IMUL reg32, reg/mem32       | 0F AF /r | Multiply the contents of a 32-bit destination register by the contents of a 32-bit register or memory operand and put the signed result in the 32-bit destination register. |
| IMUL reg64, reg/mem64       | 0F AF /r | Multiply the contents of a 64-bit destination register by the contents of a 64-bit register or memory operand and put the signed result in the 64-bit destination register. |
| IMUL reg16, reg/mem16, imm8 | 6B /r ib | Multiply the contents of a 16-bit register or memory operand by a sign-extended immediate byte and put the signed result in the 16-bit destination register.                |

| Mnemonic                     | Opcode   | Description                                                                                                                                                    |
|------------------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| IMUL reg32, reg/mem32, imm8  | 6B /r ib | Multiply the contents of a 32-bit register or memory operand by a sign-extended immediate byte and put the signed result in the 32-bit destination register.   |
| IMUL reg64, reg/mem64, imm8  | 6B /r ib | Multiply the contents of a 64-bit register or memory operand by a sign-extended immediate byte and put the signed result in the 64-bit destination register.   |
| IMUL reg16, reg/mem16, imm16 | 69 /r iw | Multiply the contents of a 16-bit register or memory operand by a sign-extended immediate word and put the signed result in the 16-bit destination register.   |
| IMUL reg32, reg/mem32, imm32 | 69 /r id | Multiply the contents of a 32-bit register or memory operand by a sign-extended immediate double and put the signed result in the 32-bit destination register. |
| IMUL reg64, reg/mem64, imm32 | 69 /r id | Multiply the contents of a 64-bit register or memory operand by a sign-extended immediate double and put the signed result in the 64-bit destination register. |

## Related Instructions

IDIV

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | U  | U  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**IN****Input from Port**

Transfers a byte, word, or doubleword from an I/O port to the AL, AX, or EAX register. The port address is specified either by an 8-bit immediate value (00h to FFh) encoded in the instruction or a 16-bit value contained in the DX register (0000h to FFFFh). The processor's I/O address space is distinct from system memory addressing.

For two opcodes (E4h and ECh), the data size of the port is fixed at 8 bits. For the other opcodes (E5h and EDh), the effective operand-size determines the port size. If the effective operand size is 64 bits, IN reads only 32 bits from the I/O port.

If the CPL is higher than IOPL, or the mode is virtual mode, IN checks the I/O permission bitmap in the TSS before allowing access to the I/O port. (See APM Volume 2 for details on the TSS I/O permission bitmap.)

| Mnemonic            | Opcode       | Description                                                                                                    |
|---------------------|--------------|----------------------------------------------------------------------------------------------------------------|
| IN AL, <i>imm8</i>  | E4 <i>ib</i> | Input a byte from the port at the address specified by <i>imm8</i> and put it into the AL register.            |
| IN AX, <i>imm8</i>  | E5 <i>ib</i> | Input a word from the port at the address specified by <i>imm8</i> and put it into the AX register.            |
| IN EAX, <i>imm8</i> | E5 <i>ib</i> | Input a doubleword from the port at the address specified by <i>imm8</i> and put it into the EAX register.     |
| IN AL, DX           | EC           | Input a byte from the port at the address specified by the DX register and put it into the AL register.        |
| IN AX, DX           | ED           | Input a word from the port at the address specified by the DX register and put it into the AX register.        |
| IN EAX, DX          | ED           | Input a doubleword from the port at the address specified by the DX register and put it into the EAX register. |

**Related Instructions**INS $x$ , OUT, OUTS $x$ **rFLAGS Affected**

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                               |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP |      | X               |           | One or more I/O permission bits were set in the TSS for the accessed port.                                       |
|                            |      |                 | X         | The CPL was greater than the IOPL and one or more I/O permission bits were set in the TSS for the accessed port. |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                                                     |

## INC

## Increment by 1

Adds 1 to the specified register or memory location. The CF flag is not affected, even if the operand is incremented to 0000.

The one-byte forms of this instruction (opcodes 40 through 47) are used as REX prefixes in 64-bit mode. See “REX Prefix” on page 14.

The forms of the INC instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

To perform an increment operation that updates the CF flag, use an ADD instruction with an immediate operand of 1.

| Mnemonic      | Opcode | Description                                                                                                                                |
|---------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------|
| INC reg/mem8  | FE /0  | Increment the contents of an 8-bit register or memory location by 1.                                                                       |
| INC reg/mem16 | FF /0  | Increment the contents of a 16-bit register or memory location by 1.                                                                       |
| INC reg/mem32 | FF /0  | Increment the contents of a 32-bit register or memory location by 1.                                                                       |
| INC reg/mem64 | FF /0  | Increment the contents of a 64-bit register or memory location by 1.                                                                       |
| INC reg16     | 40 +rw | Increment the contents of a 16-bit register by 1.<br>(These opcodes are used as REX prefixes in 64-bit mode. See “REX Prefix” on page 14.) |
| INC reg32     | 40 +rd | Increment the contents of a 32-bit register by 1.<br>(These opcodes are used as REX prefixes in 64-bit mode. See “REX Prefix” on page 14.) |

## Related Instructions

ADD, DEC

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## **INS**

## **INSB**

## **INSW**

## **INSD**

## **Input String**

Transfers data from the I/O port specified in the DX register to an input buffer specified in the rDI register and increments or decrements the rDI register according to the setting of the DF flag in the rFLAGS register.

If the DF flag is 0, the instruction increments rDI by 1, 2, or 4, depending on the number of bytes read. If the DF flag is 1, it decrements the pointer by 1, 2, or 4.

In 16-bit and 32-bit mode, the INS instruction always uses ES as the data segment. The ES segment cannot be overridden with a segment override prefix. In 64-bit mode, INS always uses the unsegmented memory space.

The INS instructions use the explicit memory operand (first operand) to determine the size of the I/O port, but always use ES:[rDI] for the location of the input buffer. The explicit register operand (second operand) specifies the I/O port address and must always be DX.

The INSB, INSW, and INSD instructions copy byte, word, and doubleword data, respectively, from the I/O port (0000h to FFFFh) specified in the DX register to the input buffer specified in the ES:rDI registers.

If the operand size is 64-bits, the instruction behaves as if the operand size were 32-bits.

If the CPL is higher than the IOPL or the mode is virtual mode, INSx checks the I/O permission bitmap in the TSS before allowing access to the I/O port. (See APM Volume 2 for details on the TSS I/O permission bitmap.)

The INSx instructions support the REP prefix for block input of rCX bytes, words, or doublewords. For details about the REP prefix, see “Repeat Prefixes” on page 12.

| Mnemonic              | Opcode | Description                                                                                                                                    |
|-----------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------|
| INS <i>mem8</i> , DX  | 6C     | Input a byte from the port specified by DX, put it into the memory location specified in ES:rDI, and then increment or decrement rDI.          |
| INS <i>mem16</i> , DX | 6D     | Input a word from the port specified by DX register, put it into the memory location specified in ES:rDI, and then increment or decrement rDI. |
| INS <i>mem32</i> , DX | 6D     | Input a doubleword from the port specified by DX, put it into the memory location specified in ES:rDI, and then increment or decrement rDI.    |
| INSB                  | 6C     | Input a byte from the port specified by DX, put it into the memory location specified in ES:rDI, and then increment or decrement rDI.          |

| Mnemonic | Opcode | Description                                                                                                                                 |
|----------|--------|---------------------------------------------------------------------------------------------------------------------------------------------|
| INSW     | 6D     | Input a word from the port specified by DX, put it into the memory location specified in ES:rDI, and then increment or decrement rDI.       |
| INSD     | 6D     | Input a doubleword from the port specified by DX, put it into the memory location specified in ES:rDI, and then increment or decrement rDI. |

## Related Instructions

IN, OUT, OUTS<sub>x</sub>

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                               |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                             |
|                            |      | X               |           | One or more I/O permission bits were set in the TSS for the accessed port.                                       |
|                            |      |                 | X         | The CPL was greater than the IOPL and one or more I/O permission bits were set in the TSS for the accessed port. |
|                            |      |                 | X         | A null data segment was used to reference memory.                                                                |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                                                           |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                                                     |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                |

**INT****Interrupt to Vector**

Transfers execution to the interrupt handler specified by an 8-bit unsigned immediate value. This value is an interrupt vector number (00h to FFh), which the processor uses as an index into the interrupt descriptor table (IDT).

For detailed descriptions of the steps performed by INT*n* instructions, see the following:

- *Legacy-Mode Interrupts*: “Virtual-8086 Mode Interrupt Control Transfers” in APM Volume 2.
- *Long-Mode Interrupts*: “Long-Mode Interrupt Control Transfers” in APM Volume 2.

See also the descriptions of the INT3 instruction on page 391 and the INTO instruction on page 202.

| Mnemonic        | Opcode       | Description                                                                |
|-----------------|--------------|----------------------------------------------------------------------------|
| INT <i>imm8</i> | CD <i>ib</i> | Call interrupt service routine specified by interrupt vector <i>imm8</i> . |

**Action**

```

// For functions READ_IDT, READ_DESCRIPTOR, READ_INNER_LEVEL_SP,
// ShadowStacksEnabled and SET_TOKEN_BUSY see "Pseudocode Definition"
// on page 57

INT_N_START:

IF (REAL_MODE)
    INT_N_REAL           // INTn real mode
ELSEIF (PROTECTED_MODE)
    INT_N_PROTECTED     // INTn protected mode
ELSE // (VIRTUAL_MODE)
    INT_N_VIRTUAL       // INTn virtual mode

INT_N_REAL:

temp_int_n_vector = byte-sized interrupt vector specified in
                    the instruction, zero-extended to 64 bits

// read target CS:RIP from the real-mode IDT
temp_RIP = READ_MEM.w [idt:temp_int_n_vector*4]
temp_CS  = READ_MEM.w [idt:temp_int_n_vector*4+2]

PUSH.w old_RFLAGS
PUSH.w old_CS
PUSH.w next_RIP

IF (temp_RIP > CS.limit)
    EXCEPTION [#GP(0)]

CS.sel  = temp_CS
CS.base = temp_CS SHL 4

```

```

RFLAGS.AC,TF,IF,RF cleared
RIP = temp_RIP

EXIT

INT_N_PROTECTED:

temp_int_n_vector = byte-sized interrupt vector specified in
                     the instruction, zero-extended to 64 bits
temp_idt_desc = READ_IDT (temp_int_n_vector)

IF (temp_idt_desc.attr.type == 'taskgate')
    TASK_SWITCH // using TSS selector in the task gate as the target TSS

// The size of the gate controls the size of the stack pushes
IF (LONG_MODE)
    v = 8-byte // Long mode only uses 64-bit gates
ELSEIF ((temp_idt_desc.attr.type == 'intgate32') ||
         (temp_idt_desc.attr.type == 'trapgate32'))
    v = 4-byte // Legacy mode, using a 32-bit gate
ELSE
    v = 2-byte // Legacy mode, using a 16-bit gate

temp_RIP = temp_idt_desc.offset

IF (LONG_MODE) // In long mode, read 2nd half of 16-byte interrupt-gate
{
    // from the IDT to get the upper 32 bits of target RIP
    temp_upper = READ_MEM.q [idt:temp_int_n_vector*16+8]
    temp_RIP = temp_RIP + (temp_upper SHL 32) // form 64-bit target RIP
}

CS = READ_DESCRIPTOR (temp_idt_desc.segment, intcs_chk)

IF (CS.attr.conforming == 1)
    temp_CPL = CPL
ELSE
    temp_CPL = CS.attr.dpl

IF (CPL == temp_CPL) // no privilege-level change
{
    temp_CheckToken = FALSE
    IF (LONG_MODE)
    {
        IF (temp_idt_desc.ist != 0)
        {
            // IDT gate IST is non-zero, do stack switch
            RSP = READ_MEM.q [tss:ist_index*8+28] // fetch new RSP
            RSP = RSP AND 0xFFFFFFFFFFFFFFF0 // ensure 16-byte alignment

            // fetch SSP from ISST if sstk enabled at current privilege
        }
    }
}

```

```

IF (ShadowStacksEnabled(current CPL))
{
    temp_isst_addr = INTERRUPT_SSP_TABLE_ADDR + (temp_idt_desc.ist*8)
    SSP = READ_MEM.q [tss:temp_isst_addr]
    IF (SSP[2:0] != 0)
        EXCEPTION [#GP(0)] // new SSP must be 8-byte aligned
    temp_CheckToken = TRUE
}
}
PUSH.q old_SS           // in long mode, save old SS:RSP to stack
PUSH.q old_RSP
} // end long mode

PUSH.v old_RFLAGS
PUSH.v old_CS
PUSH.v next_RIP

IF (ShadowStacksEnabled(current CPL))
{
    IF (temp_CheckToken == TRUE)
        SET_SSTK_TOKEN_BUSY(SSP)           // validate token, set busy
    Align SSP to next 8B boundary, storing 4B of 0 if needed
    SSTK_WRITE_MEM.q [SSP-24] = old_CS // push CS,LIP,SSP to shadow stack
    SSTK_WRITE_MEM.q [SSP-16] = (CS.base + old_RIP)
    SSTK_WRITE_MEM.q [SSP-8] = old_SSP
    SSP = SSP - 24
} // end shadow stacks enabled @ CPL

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
    (!64BIT_MODE) && (temp_RIP > CS.limit))
    EXCEPTION [#GP(0)]
RFLAGS.VM,NT,TF,RF cleared
RFLAGS.IF cleared if interrupt gate
RIP = temp_RIP
EXIT
} // end of INTn to same privilege level

ELSE // INTn to more privileged level
{
// (CPL > temp_CPL), changing privilege so get inner level SS:RSP
CPL = temp_CPL
temp_SS_desc:temp_RSP = READ_INNER_LEVEL_SP(CPL, temp_idt_desc.ist)

IF (LONG_MODE)
    temp_RSP = temp_RSP AND 0xFFFFFFFFFFFFFFF // force 16-byte alignment
    RSP = temp_RSP
    SS = temp_SS_desc

IF (ShadowStacksEnabled(new CPL))
{
    old_SSP = SSP
}
}

```

```

IF ((temp_idt_desc.ist == 0) || (!LONG_MODE))
    SSP = PLn_SSP // where n=new CPL
ELSE
{
    temp_isst_addr = INTERRUPT_SSP_TABLE_ADDR + (temp_idt_desc.ist*8)
    SSP = READ_MEM.q [tss:temp_isst_addr]
}
IF (SSP[2:0] != 0) // new SSP must be 8-byte aligned
    EXCEPTION [#GP(0)]
}

// Any #SS from the following pushes uses SS.sel as error code
PUSH.v old_SS
PUSH.v old_RSP
PUSH.v old_RFLAGS
PUSH.v old_CS
PUSH.v next_RIP

IF ((ShadowStacksEnabled(CPL 3) && (old_CPL == 3)))
    PL3_SSP = SSP

IF (ShadowStacksEnabled(new CPL))
{
    old_SSP = SSP
    SSP = PLn_SSP // where n=new CPL
    SET_SSTK_TOKEN_BUSY(SSP) // validate token, set busy
    IF (old_CPL != 3)
        SSTK_WRITE_MEM.q [SSP-24] = old_CS // push CS, LIP, SSP
        SSTK_WRITE_MEM.q [SSP-16] = LIP // onto the shadow stack
        SSTK_WRITE_MEM.q [SSP-8] = old_SSP
        SSP = SSP - 24
    } // end shadow stacks enabled at new CPL

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
    (!64BIT_MODE) && (temp_RIP > CS.limit))
    EXCEPTION [#GP(0)]

RFLAGS.VM,NT,TF,RF cleared
RFLAGS.IF cleared if interrupt gate
RIP = temp_RIP
EXIT
} end INTn to more privileged level

INT_N_VIRTUAL:

temp_int_n_vector = byte-sized interrupt vector specified in
                    the instruction, zero-extended to 64 bits

IF (CR4.VME == 0) // VME isn't enabled
    IF (RFLAGS.IOPL == 3)

```

```

        INT_N_VIRTUAL_TO_PROTECTED
    ELSE
        EXCEPTION [#GP(0)]

temp_IRB_BASE = READ_MEM.w [tss:102] - 32

// Check the VME Interrupt Redirection Bitmap (IRB) to
// see if we should redirect to a virtual-mode handler
temp_VME_REDIRECTION = READ_BIT_ARRAY ([tss:temp_IRB_BASE], temp_int_n_vector)
IF (temp_VME_REDIRECTION == 1)
{ // continue with transition to protected mode
IF (RFLAGS.IOPL==3)
    INT_N_VIRTUAL_TO_PROTECTED
ELSE
    EXCEPTION [#GP(0)]
}
ELSE
{ // INTn stays in virtual mode
// redirect interrupt through virtual-mode IDT
temp_RIP = READ_MEM.w [0:temp_int_n_vector*4]
// read target CS:RIP from the virtual-mode IDT at linear address 0
temp_CS = READ_MEM.w [0:temp_int_n_vector*4+2]
IF (RFLAGS.IOPL < 3)
    old_RFLAGS = old_RFLAGS with VIF bit shifted into IF bit, and IOPL = 3
PUSH.w old_RFLAGS
PUSH.w old_CS
PUSH.w next_RIP
CS.sel = temp_CS
CS.base = temp_CS SHL 4
RFLAGS.TF,RF = 0
IF (RFLAGS.IOPL == 3)
    RFLAGS.IF = 0
ELSE
    RFLAGS.VIF = 0
RIP = temp_RIP
EXIT
}

INT_N_VIRTUAL_TO_PROTECTED:

temp_idt_desc = READ_IDT (temp_int_n_vector)
IF (temp_idt_desc.attr.type == 'taskgate')
    TASK_SWITCH // using tss selector in the task gate as the target tss

// The size of the gate controls the size of the stack pushes
IF ((temp_idt_desc.attr.type == 'intgate32') ||
    (temp_idt_desc.attr.type == 'trapgate32'))
    v = 4-byte          // legacy mode, using a 32-bit gate
ELSE
    v = 2-byte          // gate is intgate16 or trapgate16

```

```

temp_RIP = temp_idt_desc.offset
old_CPL = CPL
CS = READ_DESCRIPTOR(temp_idt_desc.segment, intcs_chk)

IF (CS.attr.dpl !=0 )           // Handler must run at CPL 0.
    EXCEPTION [#GP(CS.sel)]]

CPL = 0
temp_ist = 0                  // Legacy mode doesn't use IST pointers
temp_SS_desc:temp_RSP = READ_INNER_LEVEL_SP(CPL, temp_ist)
RSP = temp_RSP
SS = temp_SS_desc

// Any #SS from the following pushes uses SS.sel as error code
PUSH.v old_GS
PUSH.v old_FS
PUSH.v old_DS
PUSH.v old_ES
PUSH.v old_SS
PUSH.v old_RSP
PUSH.v old_RFLAGS // Pushed with RF = 0
PUSH.v old_CS
PUSH.v next_RIP

IF (temp_RIP > CS.limit)
    EXCEPTION [#GP(0)]

DS = NULL // can't use virtual-mode selectors in protected mode
ES = NULL // can't use virtual-mode selectors in protected mode
FS = NULL // can't use virtual-mode selectors in protected mode
GS = NULL // can't use virtual-mode selectors in protected mode
RFLAGS.VM,NT,TF,RF cleared
RFLAGS.IF cleared if interrupt gate
RIP = temp_RIP

IF (ShadowStacksEnabled(CPL 0))
{
    old_SSP = SSP
    SSP     = PL0_SSP          // fetch new SSP
    SET_SSTK_TOKEN_BUSY(SSP)   // validate token, set busy
    IF (old_CPL) != 3
    {
        SSTK_WRITE_MEM.q [SSP-24] = old_CS    // push CS, LIP, SSP
        SSTK_WRITE_MEM.q [SSP-16] = LIP        // onto the shadow stack
        SSTK_WRITE_MEM.q [SSP-8]  = old_SSP
        SSP = SSP - 24
    }
}

EXIT // end INTn VIRTUAL_TO_PROTECTED

```

## Related Instructions

INT 3, INTO, BOUND

### rFLAGS Affected

If a task switch occurs, all flags are modified. Otherwise settings are as follows:

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     | M   | M  | M  | 0  | M  |       |    |    | M  | 0  |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                           | Real | Virtual 8086 | Protected | Cause of Exception                                                                                                                                  |
|-------------------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid TSS, #TS (selector)         |      | X            | X         | As part of a stack switch, the target stack segment selector or rSP in the TSS was beyond the TSS limit.                                            |
|                                     |      | X            | X         | As part of a stack switch, the target stack segment selector in the TSS was a null selector.                                                        |
|                                     |      | X            | X         | As part of a stack switch, the target stack segment selector's TI bit was set, but the LDT selector was a null selector.                            |
|                                     |      | X            | X         | As part of a stack switch, the target stack segment selector in the TSS was beyond the limit of the GDT or LDT descriptor table.                    |
|                                     |      | X            | X         | As part of a stack switch, the target stack segment selector in the TSS contained a RPL that was not equal to its DPL.                              |
|                                     |      | X            | X         | As part of a stack switch, the target stack segment selector in the TSS contained a DPL that was not equal to the CPL of the code segment selector. |
|                                     |      | X            | X         | As part of a stack switch, the target stack segment selector in the TSS was not a writable segment.                                                 |
| Segment not present, #NP (selector) |      | X            | X         | The accessed code segment, interrupt gate, trap gate, task gate, or TSS was not present.                                                            |
| Stack, #SS                          | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical, and no stack switch occurred.                                               |
| Stack, #SS (selector)               |      | X            | X         | After a stack switch, a memory address exceeded the stack segment limit or was non-canonical.                                                       |
|                                     |      | X            | X         | As part of a stack switch, the SS register was loaded with a non-null segment selector and the segment was marked not present.                      |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                               |
|------------------------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP               | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                                                             |
|                                          | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.                                                                          |
|                                          |      | X               |           | The IOPL was less than 3 and CR4.VME was 0.                                                                                                      |
|                                          |      | X               |           | IOPL was less than 3, CR4.VME was 1, and the corresponding bit in the VME interrupt redirection bitmap was 1.                                    |
| General protection,<br>#GP<br>(selector) | X    | X               | X         | The interrupt vector was beyond the limit of IDT.                                                                                                |
|                                          |      | X               | X         | The descriptor in the IDT was not an interrupt, trap, or task gate in legacy mode or not a 64-bit interrupt or trap gate in long mode.           |
|                                          |      | X               | X         | The DPL of the interrupt, trap, or task gate descriptor was less than the CPL.                                                                   |
|                                          |      | X               | X         | The segment selector specified by the interrupt or trap gate had its TI bit set, but the LDT selector was a null selector.                       |
|                                          |      | X               | X         | The segment descriptor specified by the interrupt or trap gate exceeded the descriptor table limit or was a null selector.                       |
|                                          |      | X               | X         | The segment descriptor specified by the interrupt or trap gate was not a code segment in legacy mode, or not a 64-bit code segment in long mode. |
|                                          |      |                 | X         | The DPL of the segment specified by the interrupt or trap gate was greater than the CPL.                                                         |
|                                          |      | X               |           | The DPL of the segment specified by the interrupt or trap gate pointed was not 0 or it was a conforming segment.                                 |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                     |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                |

## INTO

## Interrupt to Overflow Vector

Checks the overflow flag (OF) in the rFLAGS register and calls the overflow exception (#OF) handler if the OF flag is set to 1. This instruction has no effect if the OF flag is cleared to 0. The INTO instruction detects overflow in signed number addition. See APM Volume 1 for more information on the OF flag.

Using this instruction in 64-bit mode generates an invalid-opcode exception.

For detailed descriptions of the steps performed by INT instructions, see the following:

- *Legacy-Mode Interrupts*: “Legacy Protected-Mode Interrupt Control Transfers” in APM Volume 2.
- *Long-Mode Interrupts*: “Long-Mode Interrupt Control Transfers” in APM Volume 2.

| Mnemonic | Opcode | Description                                                                       |
|----------|--------|-----------------------------------------------------------------------------------|
| INTO     | CE     | Call overflow exception if the overflow flag is set.<br>(Invalid in 64-bit mode.) |

### Action

```

IF (64BIT_MODE)
    EXCEPTION [#UD]
IF (RFLAGS.OF == 1)      // #OF is a trap, and pushes the rIP of the instruction
    EXCEPTION [#OF]      // following INTO.
EXIT

```

### Related Instructions

INT, INT 3, BOUND

### rFLAGS Affected

None.

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                  |
|------------------------|------|-----------------|-----------|-----------------------------------------------------|
| Overflow, #OF          | X    | X               | X         | The INTO instruction was executed with OF set to 1. |
| Invalid opcode,<br>#UD |      |                 | X         | Instruction was executed in 64-bit mode.            |

**Jcc****Jump on Condition**

Checks the status flags in the rFLAGS register and, if the flags meet the condition specified by the condition code in the mnemonic (*cc*), jumps to the target instruction located at the specified relative offset. Otherwise, execution continues with the instruction following the Jcc instruction.

Unlike the unconditional jump (JMP), conditional jump instructions have only two forms—*short* and *near conditional jumps*. Different opcodes correspond to different forms of one instruction. For example, the JO instruction (jump if overflow) has opcode 0Fh 80h for its near form and 70h for its short form, but the mnemonic is the same for both forms. The only difference is that the near form has a 16- or 32-bit relative displacement, while the short form always has an 8-bit relative displacement.

Mnemonics are provided to deal with the programming semantics of both signed and unsigned numbers. Instructions tagged A (above) and B (below) are intended for use in unsigned integer code; those tagged G (greater) and L (less) are intended for use in signed integer code.

If the jump is taken, the signed displacement is added to the rIP (of the following instruction) and the result is truncated to 16, 32, or 64 bits, depending on operand size.

In 64-bit mode, the operand size defaults to 64 bits. The processor sign-extends the 8-bit or 32-bit displacement value to 64 bits before adding it to the RIP.

These instructions cannot perform far jumps (to other code segments). To create a far-conditional-jump code sequence corresponding to a high-level language statement like:

```
IF A == B THEN GOTO FarLabel
```

where FarLabel is located in another code segment, use the opposite condition in a conditional short jump before an unconditional far jump. Such a code sequence might look like:

```
cmp    A,B          ; compare operands
jne   NextInstr     ; continue program if not equal
jmp   far FarLabel  ; far jump if operands are equal

NextInstr:           ; continue program
```

For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic     | Opcode   | Description                    |
|--------------|----------|--------------------------------|
| JO rel8off   | 70 cb    |                                |
| JO rel16off  | 0F 80 cw | Jump if overflow (OF = 1).     |
| JO rel32off  | 0F 80 cd |                                |
| JNO rel8off  | 71 cb    |                                |
| JNO rel16off | 0F 81 cw | Jump if not overflow (OF = 0). |
| JNO rel32off | 0F 81 cd |                                |
| JB rel8off   | 72 cb    |                                |
| JB rel16off  | 0F 82 cw | Jump if below (CF = 1).        |
| JB rel32off  | 0F 82 cd |                                |

| Mnemonic      | Opcode   | Description                                     |
|---------------|----------|-------------------------------------------------|
| JC rel8off    | 72 cb    |                                                 |
| JC rel16off   | 0F 82 cw | Jump if carry (CF = 1).                         |
| JC rel32off   | 0F 82 cd |                                                 |
| JNAE rel8off  | 72 cb    |                                                 |
| JNAE rel16off | 0F 82 cw | Jump if not above or equal (CF = 1).            |
| JNAE rel32off | 0F 82 cd |                                                 |
| JNB rel8off   | 73 cb    |                                                 |
| JNB rel16off  | 0F 83 cw | Jump if not below (CF = 0).                     |
| JNB rel32off  | 0F 83 cd |                                                 |
| JNC rel8off   | 73 cb    |                                                 |
| JNC rel16off  | 0F 83 cw | Jump if not carry (CF = 0).                     |
| JNC rel32off  | 0F 83 cd |                                                 |
| JAE rel8off   | 73 cb    |                                                 |
| JAE rel16off  | 0F 83 cw | Jump if above or equal (CF = 0).                |
| JAE rel32off  | 0F 83 cd |                                                 |
| JZ rel8off    | 74 cb    |                                                 |
| JZ rel16off   | 0F 84 cw | Jump if zero (ZF = 1).                          |
| JZ rel32off   | 0F 84 cd |                                                 |
| JE rel8off    | 74 cb    |                                                 |
| JE rel16off   | 0F 84 cw | Jump if equal (ZF = 1).                         |
| JE rel32off   | 0F 84 cd |                                                 |
| JNZ rel8off   | 75 cb    |                                                 |
| JNZ rel16off  | 0F 85 cw | Jump if not zero (ZF = 0).                      |
| JNZ rel32off  | 0F 85 cd |                                                 |
| JNE rel8off   | 75 cb    |                                                 |
| JNE rel16off  | 0F 85 cw | Jump if not equal (ZF = 0).                     |
| JNE rel32off  | 0F 85 cd |                                                 |
| JBE rel8off   | 76 cb    |                                                 |
| JBE rel16off  | 0F 86 cw | Jump if below or equal (CF = 1 or ZF = 1).      |
| JBE rel32off  | 0F 86 cd |                                                 |
| JNA rel8off   | 76 cb    |                                                 |
| JNA rel16off  | 0F 86 cw | Jump if not above (CF = 1 or ZF = 1).           |
| JNA rel32off  | 0F 86 cd |                                                 |
| JNBE rel8off  | 77 cb    |                                                 |
| JNBE rel16off | 0F 87 cw | Jump if not below or equal (CF = 0 and ZF = 0). |
| JNBE rel32off | 0F 87 cd |                                                 |
| JA rel8off    | 77 cb    |                                                 |
| JA rel16off   | 0F 87 cw | Jump if above (CF = 0 and ZF = 0).              |
| JA rel32off   | 0F 87 cd |                                                 |
| JS rel8off    | 78 cb    |                                                 |
| JS rel16off   | 0F 88 cw | Jump if sign (SF = 1).                          |
| JS rel32off   | 0F 88 cd |                                                 |
| JNS rel8off   | 79 cb    |                                                 |
| JNS rel16off  | 0F 89 cw | Jump if not sign (SF = 0).                      |
| JNS rel32off  | 0F 89 cd |                                                 |

| Mnemonic             | Opcode          | Description                                     |
|----------------------|-----------------|-------------------------------------------------|
| JP <i>rel8off</i>    | 7A <i>cb</i>    |                                                 |
| JP <i>rel16off</i>   | 0F 8A <i>cw</i> | Jump if parity (PF = 1).                        |
| JP <i>rel32off</i>   | 0F 8A <i>cd</i> |                                                 |
| JPE <i>rel8off</i>   | 7A <i>cb</i>    |                                                 |
| JPE <i>rel16off</i>  | 0F 8A <i>cw</i> | Jump if parity even (PF = 1).                   |
| JPE <i>rel32off</i>  | 0F 8A <i>cd</i> |                                                 |
| JNP <i>rel8off</i>   | 7B <i>cb</i>    |                                                 |
| JNP <i>rel16off</i>  | 0F 8B <i>cw</i> | Jump if not parity (PF = 0).                    |
| JNP <i>rel32off</i>  | 0F 8B <i>cd</i> |                                                 |
| JPO <i>rel8off</i>   | 7B <i>cb</i>    |                                                 |
| JPO <i>rel16off</i>  | 0F 8B <i>cw</i> | Jump if parity odd (PF = 0).                    |
| JPO <i>rel32off</i>  | 0F 8B <i>cd</i> |                                                 |
| JL <i>rel8off</i>    | 7C <i>cb</i>    |                                                 |
| JL <i>rel16off</i>   | 0F 8C <i>cw</i> | Jump if less (SF <> OF).                        |
| JL <i>rel32off</i>   | 0F 8C <i>cd</i> |                                                 |
| JNGE <i>rel8off</i>  | 7C <i>cb</i>    |                                                 |
| JNGE <i>rel16off</i> | 0F 8C <i>cw</i> | Jump if not greater or equal (SF <> OF).        |
| JNGE <i>rel32off</i> | 0F 8C <i>cd</i> |                                                 |
| JNL <i>rel8off</i>   | 7D <i>cb</i>    |                                                 |
| JNL <i>rel16off</i>  | 0F 8D <i>cw</i> | Jump if not less (SF = OF).                     |
| JNL <i>rel32off</i>  | 0F 8D <i>cd</i> |                                                 |
| JGE <i>rel8off</i>   | 7D <i>cb</i>    |                                                 |
| JGE <i>rel16off</i>  | 0F 8D <i>cw</i> | Jump if greater or equal (SF = OF).             |
| JGE <i>rel32off</i>  | 0F 8D <i>cd</i> |                                                 |
| JLE <i>rel8off</i>   | 7E <i>cb</i>    |                                                 |
| JLE <i>rel16off</i>  | 0F 8E <i>cw</i> | Jump if less or equal (ZF = 1 or SF <> OF).     |
| JLE <i>rel32off</i>  | 0F 8E <i>cd</i> |                                                 |
| JNG <i>rel8off</i>   | 7E <i>cb</i>    |                                                 |
| JNG <i>rel16off</i>  | 0F 8E <i>cw</i> | Jump if not greater (ZF = 1 or SF <> OF).       |
| JNG <i>rel32off</i>  | 0F 8E <i>cd</i> |                                                 |
| JNLE <i>rel8off</i>  | 7F <i>cb</i>    |                                                 |
| JNLE <i>rel16off</i> | 0F 8F <i>cw</i> | Jump if not less or equal (ZF = 0 and SF = OF). |
| JNLE <i>rel32off</i> | 0F 8F <i>cd</i> |                                                 |
| JG <i>rel8off</i>    | 7F <i>cb</i>    |                                                 |
| JG <i>rel16off</i>   | 0F 8F <i>cw</i> | Jump if greater (ZF = 0 and SF = OF).           |
| JG <i>rel32off</i>   | 0F 8F <i>cd</i> |                                                 |

## Related Instructions

JMP (Near), JMP (Far), JrCXZ

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| General protection,<br>#GP | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical. |

**JCXZ****Jump if rCX Zero****JECXZ****JRCXZ**

Checks the contents of the count register (rCX) and, if 0, jumps to the target instruction located at the specified 8-bit relative offset. Otherwise, execution continues with the instruction following the JrCXZ instruction.

The size of the count register (CX, ECX, or RCX) depends on the address-size attribute of the JrCXZ instruction. Therefore, JRCXZ can only be executed in 64-bit mode and JCXZ cannot be executed in 64-bit mode.

If the jump is taken, the signed displacement is added to the rIP (of the following instruction) and the result is truncated to 16, 32, or 64 bits, depending on operand size.

In 64-bit mode, the operand size defaults to 64 bits. The processor sign-extends the 8-bit displacement value to 64 bits before adding it to the RIP.

For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic             | Opcode | Description                                            |
|----------------------|--------|--------------------------------------------------------|
| JCXZ <i>rel8off</i>  | E3 cb  | Jump short if the 16-bit count register (CX) is zero.  |
| JECXZ <i>rel8off</i> | E3 cb  | Jump short if the 32-bit count register (ECX) is zero. |
| JRCXZ <i>rel8off</i> | E3 cb  | Jump short if the 64-bit count register (RCX) is zero. |

**Related Instructions**

Jcc, JMP (Near), JMP (Far)

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                     |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------|
| General protection,<br>#GP | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical |

## JMP (Near)

## Near Jump

Unconditionally transfers control to a new address without saving the current rIP value. This form of the instruction jumps to an address in the current code segment and is called a *near jump*. The target operand can specify a register, a memory location, or a label.

If the JMP target is specified in a register or memory location, then a 16-, 32-, or 64-bit rIP is read from the operand, depending on operand size. This rIP is zero-extended to 64 bits.

If the JMP target is specified by a displacement in the instruction, the signed displacement is added to the rIP (of the following instruction), and the result is truncated to 16, 32, or 64 bits depending on operand size. The signed displacement can be 8 bits, 16 bits, or 32 bits, depending on the opcode and the operand size.

For near jumps in 64-bit mode, the operand size defaults to 64 bits. The E9 opcode results in  $\text{RIP} = \text{RIP} + 32\text{-bit signed displacement}$ , and the FF /4 opcode results in  $\text{RIP} = 64\text{-bit offset from register or memory}$ . No prefix is available to encode a 32-bit operand size in 64-bit mode.

See JMP (Far) for information on far jumps—jumps to procedures located outside of the current code segment. For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic             | Opcode       | Description                                                                                        |
|----------------------|--------------|----------------------------------------------------------------------------------------------------|
| JMP <i>rel8off</i>   | EB <i>cb</i> | Short jump with the target specified by an 8-bit signed displacement.                              |
| JMP <i>rel16off</i>  | E9 <i>cw</i> | Near jump with the target specified by a 16-bit signed displacement.                               |
| JMP <i>rel32off</i>  | E9 <i>cd</i> | Near jump with the target specified by a 32-bit signed displacement.                               |
| JMP <i>reg/mem16</i> | FF /4        | Near jump with the target specified <i>reg/mem16</i> .                                             |
| JMP <i>reg/mem32</i> | FF /4        | Near jump with the target specified <i>reg/mem32</i> .<br>(No prefix for encoding in 64-bit mode.) |
| JMP <i>reg/mem64</i> | FF /4        | Near jump with the target specified <i>reg/mem64</i> .                                             |

## Related Instructions

JMP (Far), Jcc, JrCX

## rFLAGS Affected

None.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.           |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## JMP (Far)

## Far Jump

Unconditionally transfers control to a new address without saving the current CS:rIP values. This form of the instruction jumps to an address outside the current code segment and is called a *far jump*. The operand specifies a target selector and offset.

The target operand can be specified by the instruction directly, by containing the far pointer in the jmp far opcode itself, or indirectly, by referencing a far pointer in memory. In 64-bit mode, only indirect far jumps are allowed, executing a direct far jmp (opcode EA) will generate an undefined opcode exception. For both direct and indirect far jumps, if the JMP (Far) operand-size is 16 bits, the instruction's operand is a 16-bit selector followed by a 16-bit offset. If the operand-size is 32 or 64 bits, the operand is a 16-bit selector followed by a 32-bit offset.

In all modes, the target selector used by the instruction can be a code selector. Additionally, the target selector can also be a call gate in protected mode, or a task gate or TSS selector in legacy protected mode.

- *Target is a code segment*—Control is transferred to the target CS:rIP. In this case, the target offset can only be a 16 or 32 bit value, depending on operand-size, and is zero-extended to 64 bits; 64-bit offsets are only available via call gates. No CPL change is allowed.
- *Target is a call gate*—The call gate specifies the actual target code segment and offset, and control is transferred to the target CS:rIP. When jumping through a call gate, the size of the target rIP is 16, 32, or 64 bits, depending on the size of the call gate. If the target rIP is less than 64 bits, it's zero-extended to 64 bits. In long mode, only 64-bit call gates are allowed, and they must point to 64-bit code segments. No CPL change is allowed.
- *Target is a task gate or a TSS*—If the mode is legacy protected mode, then a task switch occurs. See “Hardware Task-Management in Legacy Mode” in APM Volume 2 for details about task switches. Hardware task switches are not supported in long mode.

See JMP (Near) for information on near jumps—jumps to procedures located inside the current code segment. For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic                 | Opcode       | Description                                                                                                         |
|--------------------------|--------------|---------------------------------------------------------------------------------------------------------------------|
| JMP FAR <i>pntr16:16</i> | EA <i>cd</i> | Far jump direct, with the target specified by a far pointer contained in the instruction. (Invalid in 64-bit mode.) |
| JMP FAR <i>pntr16:32</i> | EA <i>cp</i> | Far jump direct, with the target specified by a far pointer contained in the instruction. (Invalid in 64-bit mode.) |
| JMP FAR <i>mem16:16</i>  | FF /5        | Far jump indirect, with the target specified by a far pointer in memory (16-bit operand size).                      |
| JMP FAR <i>mem16:32</i>  | FF /5        | Far jump indirect, with the target specified by a far pointer in memory (32- and 64-bit operand size).              |

## Action

```
// Far jumps (JMPF)
// See "Pseudocode Definition" on page 61.

JMPF_START:

IF (REAL_MODE)
    JMPF_REAL_OR_VIRTUAL
ELSIF (PROTECTED_MODE)
    JMPF_PROTECTED
ELSE // (VIRTUAL_MODE)
    JMPF_REAL_OR_VIRTUAL

JMPF_REAL_OR_VIRTUAL:

IF (OPCODE == jmpf [mem]) // JMPF Indirect
{
    temp_RIP = READ_MEM.z [mem]
    temp_CS  = READ_MEM.w [mem+Z]
}
ELSE // (OPCODE == jmpf direct)
{
    temp_RIP = z-sized offset specified in the instruction,
               zero-extended to 64 bits
    temp_CS  = selector specified in the instruction
}

IF (temp_RIP>CS.limit)
    EXCEPTION [#GP(0)]

CS.sel  = temp_CS
CS.base = temp_CS SHL 4
RIP = temp_RIP
EXIT

JMPF_PROTECTED:
IF (OPCODE == jmpf [mem]) // JMPF Indirect
{
    temp_offset = READ_MEM.z [mem]
    temp_sel    = READ_MEM.w [mem+Z]
}
ELSE // (OPCODE == jmpf direct)
{
    IF (64BIT_MODE)
        EXCEPTION [#UD]           // 'jmpf direct' is illegal in 64-bit mode

    temp_offset = z-sized offset specified in the instruction,
                  zero-extended to 64 bits
    temp_sel    = selector specified in the instruction
}
```

```

temp_desc = READ_DESCRIPTOR (temp_sel, cs_chk)
                // read descriptor, perform protection and type checks

IF (temp_desc.attr.type == 'available_tss')
    TASK_SWITCH      // using temp_sel as the target tss selector
ELSIF (temp_desc.attr.type == 'taskgate')
    TASK_SWITCH      // using the tss selector in the task gate as the
                      // target tss
ELSIF (temp_desc.attr.type == 'code')
    // if the selector refers to a code descriptor, then
    // the offset we read is the target RIP
{
    temp_RIP = temp_offset
    CS = temp_desc
    IF ((!64BIT_MODE) && (temp_RIP > CS.limit))
        // temp_RIP can't be non-canonical because
        // it's a 16- or 32-bit offset, zero-extended to 64 bits
    {
        EXCEPTION [#GP(0)]
    }
    RIP = temp_RIP
    EXIT
}
ELSE
{
    // (temp_desc.attr.type == 'callgate')
    // if the selector refers to a call gate, then
    // the target CS and RIP both come from the call gate
    temp_RIP = temp_desc.offset

    IF (LONG_MODE)
    {
        // in long mode, we need to read the 2nd half of a 16-byte call-gate
        // from the gdt/ldt to get the upper 32 bits of the target RIP
        temp_upper = READ_MEM.q [temp_sel+8]
        IF (temp_upper's extended attribute bits != 0)
            EXCEPTION [#GP(temp_sel)]           // Make sure the extended
                                                // attribute bits are all zero.

        temp_RIP = tempRIP + (temp_upper SHL 32)
                    // concatenate both halves of RIP
    }
    CS = READ_DESCRIPTOR (temp_desc.segment, clg_chk)
                    // set up new CS base, attr, limits
    IF ((64BIT_MODE) && (temp_RIP is non-canonical)
    || (!64BIT_MODE) && (temp_RIP > CS.limit))
        EXCEPTION [#GP(0)]
    RIP = temp_RIP
    EXIT
}

```

## Related Instructions

JMP (Near), Jcc, JrCX

## rFLAGS Affected

None, unless a task switch occurs, in which case all flags are modified.

## Exceptions

| Exception                              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                       |
|----------------------------------------|------|-----------------|-----------|--------------------------------------------------------------------------|
| Invalid opcode,<br>#UD                 | X    | X               | X         | The far JUMP indirect opcode (FF /5) had a register operand.             |
|                                        |      |                 | X         | The far JUMP direct opcode (EA) was executed in 64-bit mode.             |
| Segment not present, #NP<br>(selector) |      |                 | X         | The accessed code segment, call gate, task gate, or TSS was not present. |
| Stack, #SS                             | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.  |
| General protection,<br>#GP             | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.     |
|                                        | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.  |
|                                        |      |                 | X         | A null data segment was used to reference memory.                        |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                                                 |
|------------------------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP<br>(selector) |      | X               |           | The target code segment selector was a null selector.                                                                                                                                              |
|                                          |      | X               |           | A code, call gate, task gate, or TSS descriptor exceeded the descriptor table limit.                                                                                                               |
|                                          |      | X               |           | A segment selector's TI bit was set, but the LDT selector was a null selector.                                                                                                                     |
|                                          |      | X               |           | The segment descriptor specified by the instruction was not a code segment, task gate, call gate or available TSS in legacy mode, or not a 64-bit code segment or a 64-bit call gate in long mode. |
|                                          |      | X               |           | The RPL of the non-conforming code segment selector specified by the instruction was greater than the CPL, or its DPL was not equal to the CPL.                                                    |
|                                          |      | X               |           | The DPL of the conforming code segment descriptor specified by the instruction was greater than the CPL.                                                                                           |
|                                          |      | X               |           | The DPL of the callgate, taskgate, or TSS descriptor specified by the instruction was less than the CPL or less than its own RPL.                                                                  |
|                                          |      | X               |           | The segment selector specified by the call gate or task gate was a null selector.                                                                                                                  |
|                                          |      | X               |           | The segment descriptor specified by the call gate was not a code segment in legacy mode or not a 64-bit code segment in long mode.                                                                 |
|                                          |      | X               |           | The DPL of the segment descriptor specified by the call gate was greater than the CPL and it is a conforming segment.                                                                              |
|                                          |      | X               |           | The DPL of the segment descriptor specified by the callgate was not equal to the CPL and it is a non-conforming segment.                                                                           |
|                                          |      | X               |           | The 64-bit call gate's extended attribute bits were not zero.                                                                                                                                      |
|                                          |      | X               |           | The TSS descriptor was found in the LDT.                                                                                                                                                           |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                                                                       |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                                                                  |

**LAHF****Load Status Flags into AH Register**

Loads the lower 8 bits of the rFLAGS register, including sign flag (SF), zero flag (ZF), auxiliary carry flag (AF), parity flag (PF), and carry flag (CF), into the AH register.

The instruction sets the reserved bits 1, 3, and 5 of the rFLAGS register to 1, 0, and 0, respectively, in the AH register.

The LAHF instruction is available in 64-bit mode if CPUID Fn8000\_0001\_ECX[LahfSahf] = 1. It is always available in the other operating modes (including compatibility mode)

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic | Opcode | Description                                                 |
|----------|--------|-------------------------------------------------------------|
| LAHF     | 9F     | Load the SF, ZF, AF, PF, and CF flags into the AH register. |

**Related Instructions**

SAHF

**rFLAGS Affected**

None.

**Exceptions**

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                         |
|------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD |      |                 | X         | The LAHF instruction is not supported in 64-bit mode, as indicated by CPUID Fn8000_0001_ECX[LahfSahf] = 0. |

## LDS LES LFS LGS LSS

## Load Far Pointer

Loads a far pointer from a memory location (second operand) into a segment register (mnemonic) and general-purpose register (first operand). The instruction stores the 16-bit segment selector of the pointer into the segment register and the 16-bit or 32-bit offset portion into the general-purpose register. The operand-size attribute determines whether the pointer loaded is 32 or 48 bits in length. A 64-bit operand is not supported.

These instructions load associated segment-descriptor information into the hidden portion of the specified segment register.

| Mnemonic                   | Opcode   | Description                                                                                         |
|----------------------------|----------|-----------------------------------------------------------------------------------------------------|
| LDS <i>reg16, mem16:16</i> | C5 /r    | Load DS:reg16 with a far pointer from memory.<br>[Redefined as VEX (2-byte prefix) in 64-bit mode.] |
| LDS <i>reg32, mem16:32</i> | C5 /r    | Load DS:reg32 with a far pointer from memory.<br>[Redefined as VEX (2-byte prefix) in 64-bit mode.] |
| LES <i>reg16, mem16:16</i> | C4 /r    | Load ES:reg16 with a far pointer from memory.<br>[Redefined as VEX (3-byte prefix) in 64-bit mode.] |
| LES <i>reg32, mem16:32</i> | C4 /r    | Load ES:reg32 with a far pointer from memory.<br>[Redefined as VEX (3-byte prefix) in 64-bit mode.] |
| LFS <i>reg16, mem16:16</i> | 0F B4 /r | Load FS:reg16 with a 32-bit far pointer from memory.                                                |
| LFS <i>reg32, mem16:32</i> | 0F B4 /r | Load FS:reg32 with a 48-bit far pointer from memory.                                                |
| LGS <i>reg16, mem16:16</i> | 0F B5 /r | Load GS:reg16 with a 32-bit far pointer from memory.                                                |
| LGS <i>reg32, mem16:32</i> | 0F B5 /r | Load GS:reg32 with a 48-bit far pointer from memory.                                                |
| LSS <i>reg16, mem16:16</i> | 0F B2 /r | Load SS:reg16 with a 32-bit far pointer from memory.                                                |
| LSS <i>reg32, mem16:32</i> | 0F B2 /r | Load SS:reg32 with a 48-bit far pointer from memory.                                                |

## Related Instructions

None

## rFLAGS Affected

None

## Exceptions

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                           |
|------------------------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD                   | X    | X               | X         | The source operand was a register.                                                                                                                           |
|                                          |      |                 | X         | LDS or LES was executed in 64-bit mode and not subject to interpretation as a VEX prefix.                                                                    |
| Segment not present, #NP<br>(selector)   |      |                 | X         | The DS, ES, FS, or GS register was loaded with a non-null segment selector and the segment was marked not present.                                           |
| Stack, #SS                               | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                                                                      |
| Stack, #SS<br>(selector)                 |      |                 | X         | The SS register was loaded with a non-null segment selector and the segment was marked not present.                                                          |
| General protection,<br>#GP               | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                                                                         |
|                                          |      |                 | X         | A null data segment was used to reference memory.                                                                                                            |
| General protection,<br>#GP<br>(selector) |      |                 | X         | A segment register was loaded, but the segment descriptor exceeded the descriptor table limit.                                                               |
|                                          |      |                 | X         | A segment register was loaded and the segment selector's TI bit was set, but the LDT selector was a null selector.                                           |
|                                          |      |                 | X         | The SS register was loaded with a null segment selector in non-64-bit mode or while CPL = 3.                                                                 |
|                                          |      |                 | X         | The SS register was loaded and the segment selector RPL and the segment descriptor DPL were not equal to the CPL.                                            |
|                                          |      |                 | X         | The SS register was loaded and the segment pointed to was not a writable data segment.                                                                       |
|                                          |      |                 | X         | The DS, ES, FS, or GS register was loaded and the segment pointed to was a data or non-conforming code segment, but the RPL or CPL was greater than the DPL. |
|                                          |      |                 | X         | The DS, ES, FS, or GS register was loaded and the segment pointed to was not a data segment or readable code segment.                                        |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                                 |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                            |

## LEA

## Load Effective Address

Computes the effective address of a memory location (second operand) and stores it in a general-purpose register (first operand).

The address size of the memory location and the size of the register determine the specific action taken by the instruction, as follows:

- If the address size and the register size are the same, the instruction stores the effective address as computed.
- If the address size is longer than the register size, the instruction truncates the effective address to the size of the register.
- If the address size is shorter than the register size, the instruction zero-extends the effective address to the size of the register.

If the second operand is a register, an undefined-opcode exception occurs.

The LEA instruction is related to the MOV instruction, which copies data from a memory location to a register, but LEA takes the address of the source operand, whereas MOV takes the contents of the memory location specified by the source operand. In the simplest cases, LEA can be replaced with MOV. For example:

```
lea eax, [ebx]
```

has the same effect as:

```
mov eax, ebx
```

However, LEA allows software to use any valid ModRM and SIB addressing mode for the source operand. For example:

```
lea eax, [ebx+edi]
```

loads the sum of the EBX and EDI registers into the EAX register. This could not be accomplished by a single MOV instruction.

The LEA instruction has a limited capability to perform multiplication of operands in general-purpose registers using scaled-index addressing. For example:

```
lea eax, [ebx+ebx*8]
```

loads the value of the EBX register, multiplied by 9, into the EAX register. Possible values of multipliers are 2, 4, 8, 3, 5, and 9.

The LEA instruction is widely used in string-processing and array-processing to initialize an index register (rSI or rDI) before performing string instructions such as MOVSx. It is also used to initialize the rBX register before performing the XLAT instruction in programs that perform character translations. In data structures, the LEA instruction can calculate addresses of operands stored in memory, and in particular, addresses of array or string elements.

| Mnemonic       | Opcode | Description                                   |
|----------------|--------|-----------------------------------------------|
| LEA reg16, mem | 8D /r  | Store effective address in a 16-bit register. |
| LEA reg32, mem | 8D /r  | Store effective address in a 32-bit register. |
| LEA reg64, mem | 8D /r  | Store effective address in a 64-bit register. |

## Related Instructions

MOV

## rFLAGS Affected

None

## Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                 |
|------------------------|------|-----------------|-----------|------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | The source operand was a register. |

## LEAVE

## Delete Procedure Stack Frame

Releases a stack frame created by a previous ENTER instruction. To release the frame, it copies the frame pointer (in the rBP register) to the stack pointer register (rSP), and then pops the old frame pointer from the stack into the rBP register, thus restoring the stack frame of the calling procedure.

The 32-bit LEAVE instruction is equivalent to the following 32-bit operation:

```
MOV ESP, EBP
POP EBP
```

To return program control to the calling procedure, execute a RET instruction after the LEAVE instruction.

In 64-bit mode, the LEAVE operand size defaults to 64 bits, and there is no prefix available for encoding a 32-bit operand size.

| Mnemonic | Opcode | Description                                                                                                                       |
|----------|--------|-----------------------------------------------------------------------------------------------------------------------------------|
| LEAVE    | C9     | Set the stack pointer register SP to the value in the BP register and pop BP.                                                     |
| LEAVE    | C9     | Set the stack pointer register ESP to the value in the EBP register and pop EBP.<br>(No prefix for encoding this in 64-bit mode.) |
| LEAVE    | C9     | Set the stack pointer register RSP to the value in the RBP register and pop RBP.                                                  |

### Related Instructions

ENTER

### rFLAGS Affected

None

### Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## LFENCE

## Load Fence

Acts as a barrier to force strong memory ordering (serialization) between load instructions preceding the LFENCE and load instructions that follow the LFENCE. Loads from differing memory types may be performed out of order, in particular between WC/WC+ and other memory types. The LFENCE instruction assures that the system completes all previous loads before executing subsequent loads.

The LFENCE instruction is weakly-ordered with respect to store instructions, data and instruction prefetches, and the SFENCE instruction. Speculative loads initiated by the processor, or specified explicitly using cache-prefetch instructions, can be reordered around an LFENCE.

In addition to load instructions, the LFENCE instruction is strongly ordered with respect to other LFENCE instructions, as well as MFENCE and other serializing instructions. Further details on the use of MFENCE to order accesses among differing memory types may be found in APM Volume 2 section 7.4 “Memory Types” on page 12.

LFENCE is an SSE2 instruction. Support for SSE2 instructions is indicated by CPUID Fn0000\_0001\_EDX[SSE2] = 1.

In some systems, LFENCE may be configured to be dispatch serializing. In systems where CPUID Fn8000\_0021\_EAX[LFenceAlwaysSerializing](bit 2) = 1, LFENCE is always dispatch serializing.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic | Opcode   | Description                                           |
|----------|----------|-------------------------------------------------------|
| LFENCE   | 0F AE E8 | Force strong ordering of (serialize) load operations. |

### Related Instructions

MFENCE, SFENCE, MCOMMIT

### rFLAGS Affected

None

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                    |
|------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | SSE2 instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SSE2] = 0. |

## LLWPCB

## Load Lightweight Profiling Control Block Address

Parses the Lightweight Profiling Control Block at the address contained in the specified register. If the LWPCB is valid, writes the address into the LWP\_CBAADDR MSR and enables Lightweight Profiling.

See APM Volume 2, Chapter 13, for an overview of the lightweight profiling facility.

The LWPCB must be in memory that is readable and writable in user mode. For better performance, it should be aligned on a 64-byte boundary in memory and placed so that it does not cross a page boundary, though neither of these suggestions is required.

The LWPCB address in the register is truncated to 32 bits if the operand size is 32.

### Action

1. If LWP is not available or if the machine is not in protected mode, LLWPCB immediately causes a #UD exception.
2. If LWP is already enabled, the processor flushes the LWP state to memory in the old LWPCB. See description of the SLWPCB instruction on page 350 for details on saving the active LWP state.  
If the flush causes a #PF exception, LWP remains enabled with the old LWPCB still active. Note that the flush is done before LWP attempts to access the new LWPCB.
3. If the specified LWPCB address is 0, LWP is disabled and the execution of LLWPCB is complete.
4. The LWPCB address is non-zero. LLWPCB validates it as follows:
  - If any part of the LWPCB or the ring buffer is beyond the data segment limit, LLWPCB causes a #GP exception.
  - If the ring buffer size is below the implementation's minimum ring buffer size, LLWPCB causes a #GP exception.
  - While doing these checks, LWP reads and writes the LWPCB, which may cause a #PF exception.

If any of these exceptions occurs, LLWPCB aborts and LWP is left disabled. Usually, the operating system will handle a #PF exception by making the memory available and returning to retry the LLWPCB instruction. The #GP exceptions indicate application programming errors.

5. LWP converts the LWPCB address and the ring buffer address to linear address form by adding the DS base address and stores the addresses internally.
6. LWP examines the LWPCB.Flags field to determine which events should be enabled and whether threshold interrupts should be taken. It clears the bits for any features that are not available and stores the result back to LWPCB.Flags to inform the application of the actual LWP state.
7. For each event being enabled, LWP examines the EventInterval $n$  value and, if necessary, sets it to an implementation-defined minimum. (The minimum event interval for LWPVAL is zero.) It loads its internal counter for the event from the value in EventCountern. A zero or negative value

in EventCountn means that the next event of that type will cause an event record to be stored. To count every  $j^{\text{th}}$  event, a program should set EventIntervaln to  $j-1$  and EventCountn to some starting value (where  $j-1$  is a good initial count). If the counter value is larger than the interval, the first event record will be stored after a larger number of events than subsequent records.

8. LWP is started. The execution of LLWPCB is complete.

## Notes

If none of the bits in the LWPCB.Flags specifies an available event, LLWPCB still enables LWP to allow the use of the LWPINS instruction. However, no other event records will be stored.

A program can temporarily disable LWP by executing SLWPCB to obtain the current LWPCB address, saving that value, and then executing LLWPCB with a register containing 0. It can later re-enable LWP by executing LLWPCB with a register containing the saved address.

When LWP is enabled, it is typically an error to execute LLWPCB with the address of the active LWPCB. When the hardware flushes the existing LWP state into the LWPCB, it may overwrite fields that the application may have set to new LWP parameter values. The flushed values will then be loaded as LWP is restarted. To reuse an LWPCB, an application should stop LWP by passing a zero to LLWPCB, then prepare the LWPCB with new parameters and execute LLWPCB again to restart LWP.

Internally, LWP keeps the linear address of the LWPCB and the ring buffer. If the application changes the value of DS, LWP will continue to collect samples even if the new DS value would no longer allow access the LWPCB or the ring buffer. However, a #GP fault will occur if the application uses XRSTOR to restore LWP state saved by XSAVE. Programs should avoid using XSAVE/XRSTOR on LWP state if DS has changed. This only applies when the CPL != 0; kernel mode operation of XRSTOR is unaffected by changes to DS. See instruction listing for XSAVE in APM Volume 4 for details.

Operating system and hypervisor code that runs when CPL  $\neq 3$  should use XSAVE and XRSTOR to control LWP rather than using LLWPCB. Use WRMSR to write 0 to the LWP\_CBADDR MSR to immediately stop LWP without saving its current state.

It is possible to execute LLWPCB when the CPL != 3 or when SMM is active, but the system software must ensure that the LWPCB and the entire ring buffer are properly mapped into writable memory in order to avoid a #PF or #GP fault. Furthermore, if LWP is enabled when a kernel executes LLWPCB, both the old and new control blocks and ring buffers must be accessible. Using LLWPCB in these situations is not recommended.

LLWPCB is an LWP instruction. Support for LWP instructions is indicated by CPUID Fn8000\_0001(ECX[LWP] = 1).

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

## Instruction Encoding

| Mnemonic     | Encoding |                |             |        |
|--------------|----------|----------------|-------------|--------|
|              | XOP      | RXB.map_select | W.vvvv.L.pp | Opcode |
| LLWPCB reg32 | 8F       | —RXB.09        | 0.1111.0.00 | 12 /0  |
| LLWPCB reg64 | 8F       | —RXB.09        | 1.1111.0.00 | 12 /0  |

ModRM.reg augments the opcode and is assigned the value 0. ModRM.r/m (augmented by XOP.R) specifies the register containing the effective address of the LWPCB. ModRM.mod is 11b.

## Related Instructions

SLWPCB, LWPVAL, LWPINS

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                               |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | LWP instructions are not supported, as indicated by CPUID Fn8000_0001(ECX)[LWP] = 0.             |
|                            | X    | X               |           | The system is not in protected mode.                                                             |
|                            |      |                 | X         | LWP is not available, or mod != 11b, or vvvv != 1111b.                                           |
| General protection,<br>#GP |      |                 | X         | Any part of the LWPCB or the event ring buffer is beyond the DS segment limit.                   |
|                            |      |                 | X         | Any restrictions on the contents of the LWPCB are violated                                       |
| Page fault, #PF            |      |                 | X         | A page fault resulted from reading or writing the LWPCB.                                         |
|                            |      |                 | X         | LWP was already enabled and a page fault resulted from reading or writing the old LWPCB.         |
|                            |      |                 | X         | LWP was already enabled and a page fault resulted from flushing an event to the old ring buffer. |

**LODS**  
**LODSB**  
**LODSW**  
**LODSD**  
**LODSQ**

**Load String**

Copies the byte, word, doubleword, or quadword in the memory location pointed to by the DS:rSI registers to the AL, AX, EAX, or RAX register, depending on the size of the operand, and then increments or decrements the rSI register according to the state of the DF flag in the rFLAGS register.

If the DF flag is 0, the instruction increments rSI; otherwise, it decrements rSI. It increments or decrements rSI by 1, 2, 4, or 8, depending on the number of bytes being loaded.

The forms of the LODS instruction with an explicit operand address the operand at *seg*:[rSI]. The value of *seg* defaults to the DS segment, but may be overridden by a segment prefix. The explicit operand serves only to specify the type (size) of the value being copied and the specific registers used.

The no-operands forms of the instruction always use the DS:[rSI] registers to point to the value to be copied (they do not allow a segment prefix). The mnemonic determines the size of the operand and the specific registers used.

The LODSx instructions support the REP prefixes. For details about the REP prefixes, see “Repeat Prefixes” on page 12. More often, software uses the LODSx instruction inside a loop controlled by a LOOPcc instruction as a more efficient replacement for instructions like:

```
mov eax, dword ptr ds:[esi]
add esi, 4
```

The LODSQ instruction can only be used in 64-bit mode.

| Mnemonic          | Opcode | Description                                                             |
|-------------------|--------|-------------------------------------------------------------------------|
| LODS <i>mem8</i>  | AC     | Load byte at DS:rSI into AL and then increment or decrement rSI.        |
| LODS <i>mem16</i> | AD     | Load word at DS:rSI into AX and then increment or decrement rSI.        |
| LODS <i>mem32</i> | AD     | Load doubleword at DS:rSI into EAX and then increment or decrement rSI. |
| LODS <i>mem64</i> | AD     | Load quadword at DS:rSI into RAX and then increment or decrement rSI.   |
| LODSB             | AC     | Load byte at DS:rSI into AL and then increment or decrement rSI.        |
| LODSW             | AD     | Load the word at DS:rSI into AX and then increment or decrement rSI.    |

| Mnemonic | Opcode | Description                                                             |
|----------|--------|-------------------------------------------------------------------------|
| LODSD    | AD     | Load doubleword at DS:rSI into EAX and then increment or decrement rSI. |
| LODSQ    | AD     | Load quadword at DS:rSI into RAX and then increment or decrement rSI.   |

## Related Instructions

MOV\$*x*, STOS*x*

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**LOOP****Loop****LOOPE****LOOPNE****LOOPNZ****LOOPZ**

Decrements the count register (rCX) by 1, then, if rCX is not 0 and the ZF flag meets the condition specified by the mnemonic, it jumps to the target instruction specified by the signed 8-bit relative offset. Otherwise, it continues with the next instruction after the LOOPcc instruction.

The size of the count register used (CX, ECX, or RCX) depends on the address-size attribute of the LOOPcc instruction.

The LOOP instruction ignores the state of the ZF flag.

The LOOPE and LOOPZ instructions jump if rCX is not 0 and the ZF flag is set to 1. In other words, the instruction exits the loop (falls through to the next instruction) if rCX becomes 0 or ZF = 0.

The LOOPNE and LOOPNZ instructions jump if rCX is not 0 and ZF flag is cleared to 0. In other words, the instruction exits the loop if rCX becomes 0 or ZF = 1.

The LOOPcc instruction does not change the state of the ZF flag. Typically, the loop contains a compare instruction to set or clear the ZF flag.

If the jump is taken, the signed displacement is added to the rIP (of the following instruction) and the result is truncated to 16, 32, or 64 bits, depending on operand size.

In 64-bit mode, the operand size defaults to 64 bits without the need for a REX prefix, and the processor sign-extends the 8-bit offset before adding it to the RIP.

| Mnemonic              | Opcode       | Description                                                 |
|-----------------------|--------------|-------------------------------------------------------------|
| LOOP <i>rel8off</i>   | E2 <i>cb</i> | Decrement rCX, then jump short if rCX is not 0.             |
| LOOPE <i>rel8off</i>  | E1 <i>cb</i> | Decrement rCX, then jump short if rCX is not 0 and ZF is 1. |
| LOOPNE <i>rel8off</i> | E0 <i>cb</i> | Decrement rCX, then jump short if rCX is not 0 and ZF is 0. |
| LOOPNZ <i>rel8off</i> | E0 <i>cb</i> | Decrement rCX, then jump short if rCX is not 0 and ZF is 0. |
| LOOPZ <i>rel8off</i>  | E1 <i>cb</i> | Decrement rCX, then jump short if rCX is not 0 and ZF is 1. |

## Related Instructions

None

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| General protection,<br>#GP | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical. |

## LWPINS

## Lightweight Profiling Insert Record

Inserts programmed event record into the LWP event ring buffer in memory and advances the ring buffer pointer.

Refer to the description of the programmed event record in APM Volume 2, Chapter 13. The record has an EventId of 255. The value in the register specified by vvvv (first operand) is stored in the Data2 field at bytes 23–16 (zero extended if the operand size is 32). The value in a register or memory location (second operand) is stored in the Data1 field at bytes 7–4. The immediate value (third operand) is truncated to 16 bits and stored in the Flags field at bytes 3–2.

If the ring buffer is not full, or if LWP is running in Continuous Mode, the head pointer is advanced and the CF flag is cleared. If the ring buffer threshold is exceeded and threshold interrupts are enabled, an interrupt is signaled. If LWP is in Continuous Mode and the new head pointer equals the tail pointer, the MissedEvents counter is incremented to indicate that the buffer wrapped.

If the ring buffer is full and LWP is running in Synchronized Mode, the event record overwrites the last record in the buffer, the MissedEvents counter in the LWPCB is incremented, the head pointer is not advanced, and the CF flag is set.

LWPINS generates an invalid opcode exception (#UD) if the machine is not in protected mode or if LWP is not available.

LWPINS simply clears CF if LWP is not enabled. This allows LWPINS instructions to be harmlessly ignored if profiling is turned off.

It is possible to execute LWPINS when the CPL ≠ 3 or when SMM is active, but the system software must ensure that the memory operand (if present), the LWPCB, and the entire ring buffer are properly mapped into writable memory in order to avoid a #PF or #GP fault. Using LWPINS in these situations is not recommended.

LWPINS can be used by a program to mark significant events in the ring buffer as they occur. For instance, a program might capture information on changes in the process' address space such as library loads and unloads, or changes in the execution environment such as a change in the state of a user-mode thread of control.

Note that when the LWPINS instruction finishes writing a event record in the event ring buffer, it counts as an instruction retired. If the Instructions Retired event is active, this might cause that counter to become negative and immediately store another event record with the same instruction address (but different EventId values).

LWPINS is an LWP instruction. Support for LWP instructions is indicated by CPUID Fn8000\_0001(ECX[LWP]) = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

## Instruction Encoding

| Mnemonic                            | Encoding |                |             |              |
|-------------------------------------|----------|----------------|-------------|--------------|
|                                     | XOP      | RXB.map_select | W.vvvv.L.pp | Opcode       |
| LWPINS reg32.vvvv, reg/mem32, imm32 | 8F       | RXB.0A         | 0.src1.0.00 | 12 /0 /imm32 |
| LWPINS reg64.vvvv, reg/mem32, imm32 | 8F       | RXB.0A         | 1.src1.0.00 | 12 /0 /imm32 |

ModRM.reg augments the opcode and is assigned the value 0. The {mod, r/m} field of the ModRM byte (augmented by XOP.R) encodes the second operand. A 4-byte immediate field follows ModRM.

## Related Instructions

LLWPCB, SLWPCB, LWPVAL

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                   |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | LWP instructions are not supported, as indicated by CPUID Fn8000_0001(ECX)[LWP] = 0. |
|                            | X    | X               |           | The system is not in protected mode.                                                 |
|                            |      |                 | X         | LWP is not available.                                                                |
| Page fault, #PF            |      |                 | X         | A page fault resulted from reading or writing the LWPCB.                             |
|                            |      |                 | X         | A page fault resulted from writing the event to the ring buffer.                     |
|                            |      |                 | X         | A page fault resulted from reading a modrm operand from memory.                      |
| General protection,<br>#GP |      |                 | X         | A modrm operand in memory exceeded the segment limit.                                |

## LWPVAL

## Lightweight Profiling Insert Value

Decrements the event counter associated with the programmed value sample event (see “Programmed Value Sample” in APM Volume 2, Chapter 13). If the resulting counter value is negative, inserts an event record into the LWP event ring buffer in memory and advances the ring buffer pointer.

Refer to the description of the programmed value sample record in APM Volume 2, Chapter 13. The event record has an EventId of 1. The value in the register specified by vvvv (first operand) is stored in the Data2 field at bytes 23–16 (zero extended if the operand size is 32). The value in a register or memory location (second operand) is stored in the Data1 field at bytes 7–4. The immediate value (third operand) is truncated to 16 bits and stored in the Flags field at bytes 3–2.

If the programmed value sample record is not written to the event ring buffer, the memory location of the second operand (assuming it is memory-based) is not accessed.

If the ring buffer is not full or if LWP is running in continuous mode, the head pointer is advanced and the event counter is reset to the interval for the event (subject to randomization). If the ring buffer threshold is exceeded and threshold interrupts are enabled, an interrupt is signaled. If LWP is in Continuous Mode and the new head pointer equals the tail pointer, the MissedEvents counter is incremented to indicate that the buffer wrapped.

If the ring buffer is full and LWP is running in Synchronized Mode, the event record overwrites the last record in the buffer, the MissedEvents counter in the LWPCB is incremented, and the head pointer is not advanced.

LWPVAL generates an invalid opcode exception (#UD) if the machine is not in protected mode or if LWP is not available.

LWPVAL does nothing if LWP is not enabled or if the Programmed Value Sample event is not enabled in LWPCB.Flags. This allows LWPVAL instructions to be harmlessly ignored if profiling is turned off.

It is possible to execute LWPVAL when the CPL != 3 or when SMM is active, but the system software must ensure that the memory operand (if present), the LWPCB, and the entire ring buffer are properly mapped into writable memory in order to avoid a #PF or #GP fault. Using LWPVAL in these situations is not recommended.

LWPVAL can be used by a program to perform value profiling. This is the technique of sampling the value of some program variable at a predetermined frequency. For example, a managed runtime might use LWPVAL to sample the value of the divisor for a frequently executed divide instruction in order to determine whether to generate specialized code for a common division. It might sample the target location of an indirect branch or call to see if one destination is more frequent than others. Since LWPVAL does not modify any registers or condition codes, it can be inserted harmlessly between any instructions.

## Note

When LWPVAL completes (whether or not it stored an event record in the event ring buffer), it counts as an instruction retired. If the Instructions Retired event is active, this might cause that counter to become negative and immediately store an event record. If LWPVAL also stored an event record, the buffer will contain two records with the same instruction address (but different EventId values).

LWPVAL is an LWP instruction. Support for LWP instructions is indicated by CPUID Fn8000\_0001\_ECX[LWP] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

## Instruction Encoding

| Mnemonic                                   | Encoding |                            |             |              |
|--------------------------------------------|----------|----------------------------|-------------|--------------|
|                                            | XOP      | RXB.map_select             | W.vvvv.L.pp | Opcode       |
| LWPVAL <i>reg32.vvvv, reg/mem32, imm32</i> | 8F       | $\overline{\text{RXB}}.0A$ | 0.src1.0.00 | 12 /1 /imm32 |
| LWPVAL <i>reg64.vvvv, reg/mem32, imm32</i> | 8F       | $\overline{\text{RXB}}.0A$ | 1.src1.0.00 | 12 /1 /imm32 |

ModRM.reg augments the opcode and is assigned the value 001b. The {mod, r/m} field of the ModRM byte (augmented by XOP.R) encodes the second operand. A four-byte immediate field follows ModRM.

## Related Instructions

LLWPCB, SLWPCB, LWPINS

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                   |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | LWP instructions are not supported, as indicated by CPUID Fn8000_0001(ECX[LWP]) = 0. |
|                            | X    | X               |           | The system is not in protected mode.                                                 |
|                            |      |                 | X         | LWP is not available.                                                                |
| Page fault, #PF            |      |                 | X         | A page fault resulted from reading or writing the LWPCB.                             |
|                            |      |                 | X         | A page fault resulted from writing the event to the ring buffer.                     |
|                            |      |                 | X         | A page fault resulted from reading a modrm operand from memory.                      |
| General protection,<br>#GP |      |                 | X         | A modrm operand in memory exceeded the segment limit.                                |

## LZCNT

## Count Leading Zeros

Counts the number of leading zero bits in the 16-, 32-, or 64-bit general purpose register or memory source operand. Counting starts downward from the most significant bit and stops when the highest bit having a value of 1 is encountered or when the least significant bit is encountered. The count is written to the destination register.

This instruction has two operands:

*LZCNT dest, src*

If the input operand is zero, CF is set to 1 and the size (in bits) of the input operand is written to the destination register. Otherwise, CF is cleared.

If the most significant bit is a one, the ZF flag is set to 1, zero is written to the destination register. Otherwise, ZF is cleared.

LZCNT is an Advanced Bit Manipulation (ABM) instruction. Support for the LZCNT instruction is indicated by CPUID Fn8000\_0001\_ECX[ABM] = 1. If the LZCNT instruction is not available, the encoding is interpreted as the BSR instruction. Software MUST check the CPUID bit once per program or library initialization before using the LZCNT instruction, or inconsistent behavior may result.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                      | Opcode      | Description                                     |
|-------------------------------|-------------|-------------------------------------------------|
| LZCNT <i>reg16, reg/mem16</i> | F3 0F BD /r | Count the number of leading zeros in reg/mem16. |
| LZCNT <i>reg32, reg/mem32</i> | F3 0F BD /r | Count the number of leading zeros in reg/mem32. |
| LZCNT <i>reg64, reg/mem64</i> | F3 0F BD /r | Count the number of leading zeros in reg/mem64. |

### Related Instructions

ANDN, BEXTR, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, POPCNT, T1MSKC, TZCNT, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Mode |                 |           | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
|                            | Real | Virtual<br>8086 | Protected |                                                                                   |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC       |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## MCOMMIT

## Commit Stores to Memory

MCOMMIT provides a fencing and error detection capability for stores to system memory components that have delayed error reporting. Execution of MCOMMIT ensures that any preceding stores in the thread to such memory components have completed (target locations written, unless inhibited by an error condition) and that any errors encountered by those stores have been signaled to associated error logging resources. If any such errors are present, MCOMMIT will clear rFLAGS.CF to zero, otherwise it will set rFLAGS.CF to one.

These errors are specific to the design of the platform and are reported only via MCOMMIT and in associated error logging registers on the platform; they are not visible to the Machine Check Architecture. Execution of MCOMMIT does not change any state in the error logging resources. Any error indications will need to be cleared by privileged software before MCOMMIT can return an error-free indication. Details on the error logging mechanisms may be found in the Processor Programming Reference manual for any product that supports this technology and the MCOMMIT instruction.

The MCOMMIT instruction is supported if the feature flag CPUID Fn8000\_0008\_EBX[MCOMMIT]=1 (bit 8). The MCOMMIT instruction must be explicitly enabled by the OS by setting EFER.MCOMMIT=1 (EFER bit 17), otherwise attempted execution of MCOMMIT will result in a #UD exception.

MCOMMIT uses the same ordering rules as the SFENCE instruction. It may be executed at any privilege level.

### Instruction Encoding

| Mnemonic | Opcode      | Description             |
|----------|-------------|-------------------------|
| MCOMMIT  | F3 0F 01 FA | Commit stores to memory |

### Related Instructions

LFENCE, SFENCE, MFENCE

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | 0  | 0  | 0  | 0  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## MFENCE

## Memory Fence

Acts as a barrier to force strong memory ordering (serialization) between load and store instructions preceding the MFENCE, and load and store instructions that follow the MFENCE. The processor may perform loads out of program order with respect to non-conflicting stores for certain memory types. The MFENCE instruction ensures that the system completes all previous memory accesses before executing subsequent accesses.

The MFENCE instruction is weakly-ordered with respect to data and instruction prefetches. Speculative loads initiated by the processor, or specified explicitly using cache-prefetch instructions, can be reordered around an MFENCE.

In addition to load and store instructions, the MFENCE instruction is strongly ordered with respect to other MFENCE instructions, LFENCE instructions, SFENCE instructions, serializing instructions, and CLFLUSH instructions. Further details on the use of MFENCE to order accesses among differing memory types may be found in APM Volume 2, Section 7.4 “Memory Types” on page 12.

The MFENCE instruction is a serializing instruction.

MFENCE is an SSE2 instruction. Support for SSE2 instructions is indicated by CPUID Fn0000\_0001\_EDX[SSE2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

### Instruction Encoding

| Mnemonic | Opcode   | Description                                                      |
|----------|----------|------------------------------------------------------------------|
| MFENCE   | OF AE F0 | Force strong ordering of (serialized) load and store operations. |

### Related Instructions

LFENCE, SFENCE, MCOMMIT

### rFLAGS Affected

None

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                    |
|------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | SSE2 instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SSE2] = 0. |

## MONITORX

Establishes a linear address range of memory for hardware to monitor and puts the processor in the monitor event pending state. When in the monitor event pending state, the monitoring hardware detects stores to the specified linear address range and causes the processor to exit the monitor event pending state. The MWAIT and MWAITX instructions use the state of the monitor hardware.

The address range should be a write-back memory type. Executing MONITORX on an address range for a non-write-back memory type is not guaranteed to cause the processor to enter the monitor event pending state. The size of the linear address range that is established by the MONITORX instruction can be determined by CPUID function 0000\_0005h.

The rAX register provides the effective address. The DS segment is the default segment used to create the linear address. Segment overrides may be used with the MONITORX instruction.

The ECX register specifies optional extensions for the MONITORX instruction. There are currently no extensions defined and setting any bits in ECX will result in a #GP exception. The ECX register operand is implicitly 32-bits.

The EDX register specifies optional hints for the MONITORX instruction. There are currently no hints defined and EDX is ignored by the processor. The EDX register operand is implicitly 32-bits.

The MONITORX instruction can be executed at any privilege level and MSR C001\_0015h [MonMwaitUserEn] has no effect on MONITORX.

MONITORX performs the same segmentation and paging checks as a 1-byte read.

Support for the MONITORX instruction is indicated by CPUID Fn8000\_0001\_ECX[MONITORX] (bit 29) = 1.

Software must check the CPUID bit once per program or library initialization before using the MONITORX instruction, or inconsistent behavior may result.

The following pseudo-code shows typical usage of a MONITORX/MWAITX pair:

```
EAX = Linear_Address_to_Monitor;
ECX = 0; // Extensions
EDX = 0; // Hints
while (!matching_store_done) {
    MONITORX EAX, ECX, EDX
    IF (!matching_store_done) {
        MWAITX EAX, ECX
    }
}
```

## Setup Monitor Address

| Mnemonic | Opcode   | Description                         |
|----------|----------|-------------------------------------|
| MONITORX | 0F 01 FA | Establishes a range to be monitored |

## Related Instructions

MWAITX, MONITOR, MWAIT

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                 |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | MONITORX/MWAITX instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[MONITORX] =0 |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                            |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical                                |
|                            | X    | X               | X         | ECX was non-zero                                                                                   |
|                            |      |                 | X         | A null data segment was used to reference memory                                                   |
| Page Fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction                                        |

**MOV****Move**

Copies an immediate value or the value in a general-purpose register, segment register, or memory location (second operand) to a general-purpose register, segment register, or memory location. The source and destination must be the same size (byte, word, doubleword, or quadword) and cannot both be memory locations.

In opcodes A0 through A3, the memory offsets (called *moffsets*) are address sized. In 64-bit mode, memory offsets default to 64 bits. Opcodes A0–A3, in 64-bit mode, are the only cases that support a 64-bit offset value. (In all other cases, offsets and displacements are a maximum of 32 bits.) The B8 through BF ( $B8 +rq$ ) opcodes, in 64-bit mode, are the only cases that support a 64-bit immediate value (in all other cases, immediate values are a maximum of 32 bits).

When reading segment-registers with a 32-bit operand size, the processor zero-extends the 16-bit selector results to 32 bits. When reading segment-registers with a 64-bit operand size, the processor zero-extends the 16-bit selector to 64 bits. If the destination operand specifies a segment register (DS, ES, FS, GS, or SS), the source operand must be a valid segment selector.

It is possible to move a null segment selector value (0000–0003h) into the DS, ES, FS, or GS register. This action does not cause a general protection fault, but a subsequent reference to such a segment *does* cause a #GP exception. For more information about segment selectors, see “Segment Selectors and Registers” in APM Volume 2.

When the MOV instruction is used to load the SS register, the processor blocks external interrupts until after the execution of the following instruction. This action allows the following instruction to be a MOV instruction to load a stack pointer into the ESP register (MOV ESP, val) before an interrupt occurs. However, the LSS instruction provides a more efficient method of loading SS and ESP.

Attempting to use the MOV instruction to load the CS register generates an invalid opcode exception (#UD). Use the far JMP, CALL, or RET instructions to load the CS register.

To initialize a register to 0, rather than using a MOV instruction, it may be more efficient to use the XOR instruction with identical destination and source operands.

| Mnemonic             | Opcode | Description                                                                                |
|----------------------|--------|--------------------------------------------------------------------------------------------|
| MOV reg/mem8, reg8   | 88 /r  | Move the contents of an 8-bit register to an 8-bit destination register or memory operand. |
| MOV reg/mem16, reg16 | 89 /r  | Move the contents of a 16-bit register to a 16-bit destination register or memory operand. |
| MOV reg/mem32, reg32 | 89 /r  | Move the contents of a 32-bit register to a 32-bit destination register or memory operand. |
| MOV reg/mem64, reg64 | 89 /r  | Move the contents of a 64-bit register to a 64-bit destination register or memory operand. |
| MOV reg8, reg/mem8   | 8A /r  | Move the contents of an 8-bit register or memory operand to an 8-bit destination register. |

| Mnemonic                      | Opcode    | Description                                                                                                                |
|-------------------------------|-----------|----------------------------------------------------------------------------------------------------------------------------|
| MOV reg16, reg/mem16          | 8B /r     | Move the contents of a 16-bit register or memory operand to a 16-bit destination register.                                 |
| MOV reg32, reg/mem32          | 8B /r     | Move the contents of a 32-bit register or memory operand to a 32-bit destination register.                                 |
| MOV reg64, reg/mem64          | 8B /r     | Move the contents of a 64-bit register or memory operand to a 64-bit destination register.                                 |
| MOV reg16/32/64/mem16, segReg | 8C /r     | Move the contents of a segment register to a 16-bit, 32-bit, or 64-bit destination register or to a 16-bit memory operand. |
| MOV segReg, reg/mem16         | 8E /r     | Move the contents of a 16-bit register or memory operand to a segment register.                                            |
| MOV AL, moffset8              | A0        | Move 8-bit data at a specified memory offset to the AL register.                                                           |
| MOV AX, moffset16             | A1        | Move 16-bit data at a specified memory offset to the AX register.                                                          |
| MOV EAX, moffset32            | A1        | Move 32-bit data at a specified memory offset to the EAX register.                                                         |
| MOV RAX, moffset64            | A1        | Move 64-bit data at a specified memory offset to the RAX register.                                                         |
| MOV moffset8, AL              | A2        | Move the contents of the AL register to an 8-bit memory offset.                                                            |
| MOV moffset16, AX             | A3        | Move the contents of the AX register to a 16-bit memory offset.                                                            |
| MOV moffset32, EAX            | A3        | Move the contents of the EAX register to a 32-bit memory offset.                                                           |
| MOV moffset64, RAX            | A3        | Move the contents of the RAX register to a 64-bit memory offset.                                                           |
| MOV reg8, imm8                | B0 +rb ib | Move an 8-bit immediate value into an 8-bit register.                                                                      |
| MOV reg16, imm16              | B8 +rw iw | Move a 16-bit immediate value into a 16-bit register.                                                                      |
| MOV reg32, imm32              | B8 +rd id | Move an 32-bit immediate value into a 32-bit register.                                                                     |
| MOV reg64, imm64              | B8 +rq iq | Move an 64-bit immediate value into a 64-bit register.                                                                     |
| MOV reg/mem8, imm8            | C6 /0 ib  | Move an 8-bit immediate value to an 8-bit register or memory operand.                                                      |
| MOV reg/mem16, imm16          | C7 /0 iw  | Move a 16-bit immediate value to a 16-bit register or memory operand.                                                      |
| MOV reg/mem32, imm32          | C7 /0 id  | Move a 32-bit immediate value to a 32-bit register or memory operand.                                                      |
| MOV reg/mem64, imm32          | C7 /0 id  | Move a 32-bit signed immediate value to a 64-bit register or memory operand.                                               |

## Related Instructions

MOV CR $n$ , MOV DR $n$ , MOVD, MOVSX, MOVZX, MOVSXD, MOVSx

## rFLAGS Affected

None

## Exceptions

| Exception                                 | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                           |
|-------------------------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD                    | X    | X               | X         | An attempt was made to load the CS register.                                                                                                                 |
| Segment not<br>present, #NP<br>(selector) |      |                 | X         | The DS, ES, FS, or GS register was loaded with a non-null segment selector and the segment was marked not present.                                           |
| Stack, #SS                                | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                                                                      |
| Stack, #SS<br>(selector)                  |      |                 | X         | The SS register was loaded with a non-null segment selector, and the segment was marked not present.                                                         |
| General protection,<br>#GP                | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                                                                         |
|                                           |      |                 | X         | The destination operand was in a non-writable segment.                                                                                                       |
|                                           |      |                 | X         | A null data segment was used to reference memory.                                                                                                            |
| General protection,<br>#GP<br>(selector)  |      |                 | X         | A segment register was loaded, but the segment descriptor exceeded the descriptor table limit.                                                               |
|                                           |      |                 | X         | A segment register was loaded and the segment selector's TI bit was set, but the LDT selector was a null selector.                                           |
|                                           |      |                 | X         | The SS register was loaded with a null segment selector in non-64-bit mode or while CPL = 3.                                                                 |
|                                           |      |                 | X         | The SS register was loaded and the segment selector RPL and the segment descriptor DPL were not equal to the CPL.                                            |
|                                           |      |                 | X         | The SS register was loaded and the segment pointed to was not a writable data segment.                                                                       |
|                                           |      |                 | X         | The DS, ES, FS, or GS register was loaded and the segment pointed to was a data or non-conforming code segment, but the RPL or CPL was greater than the DPL. |
|                                           |      |                 | X         | The DS, ES, FS, or GS register was loaded and the segment pointed to was not a data segment or readable code segment.                                        |
| Page fault, #PF                           |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                                 |
| Alignment check,<br>#AC                   |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                            |

## MOVBE

## Move Big Endian

Loads or stores a general purpose register while swapping the byte order. Operates on 16-bit, 32-bit, or 64-bit values. Converts big-endian formatted memory data to little-endian format when loading a register and reverses the conversion when storing a GPR to memory.

The load form reads a 16-, 32-, or 64-bit value from memory, swaps the byte order, and places the reordered value in a general-purpose register. When the operand size is 16 bits, the upper word of the destination register remains unchanged. In 64-bit mode, when the operand size is 32 bits, the upper doubleword of the destination register is cleared.

The store form takes a 16-, 32-, or 64-bit value from a general-purpose register, swaps the byte order, and stores the reordered value in the specified memory location. The contents of the source GPR remains unchanged.

In the 16-bit swap, the upper and lower bytes are exchanged. In the doubleword swap operation, bits 7:0 are exchanged with bits 31:24 and bits 15:8 are exchanged with bits 23:16. In the quadword swap operation, bits 7:0 are exchanged with bits 63:56, bits 15:8 with bits 55:48, bits 23:16 with bits 47:40, and bits 31:24 with bits 39:32.

Support for the MOVBE instruction is indicated by CPUID Fn0000\_0001\_ECX[MOVBE] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

### Instruction Encoding

| Mnemonic                  | Opcode      | Description                                                                                                   |
|---------------------------|-------------|---------------------------------------------------------------------------------------------------------------|
| MOVBE <i>reg16, mem16</i> | 0F 38 F0 /r | Load the low word of a general-purpose register from a 16-bit memory location while swapping the bytes.       |
| MOVBE <i>reg32, mem32</i> | 0F 38 F0 /r | Load the low doubleword of a general-purpose register from a 32-bit memory location while swapping the bytes. |
| MOVBE <i>reg64, mem64</i> | 0F 38 F0 /r | Load a 64-bit register from a 64-bit memory location while swapping the bytes.                                |
| MOVBE <i>mem16, reg16</i> | 0F 38 F1 /r | Store the low word of a general-purpose register to a 16-bit memory location while swapping the bytes.        |
| MOVBE <i>mem32, reg32</i> | 0F 38 F1 /r | Store the low doubleword of a general-purpose register to a 32-bit memory location while swapping the bytes.  |
| MOVBE <i>mem64, reg64</i> | 0F 38 F1 /r | Store the contents of a 64-bit general-purpose register to a 64-bit memory location while swapping the bytes. |

### Related Instruction

BSWAP

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | Instruction not supported as indicated by CPUID Fn0000_0001(ECX[MOVBE] = 0).      |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## MOVD

## Move Doubleword or Quadword

Moves a 32-bit or 64-bit value in one of the following ways:

- from a 32-bit or 64-bit general-purpose register or memory location to the low-order 32 or 64 bits of an XMM register, with zero-extension to 128 bits
- from the low-order 32 or 64 bits of an XMM to a 32-bit or 64-bit general-purpose register or memory location
- from a 32-bit or 64-bit general-purpose register or memory location to the low-order 32 bits (with zero-extension to 64 bits) or the full 64 bits of an MMX register
- from the low-order 32 or the full 64 bits of an MMX register to a 32-bit or 64-bit general-purpose register or memory location

Figure 3-1 on page 246 illustrates the operation of the MOVD instruction.

The MOVD instruction form that moves data to or from MMX registers is part of the MMX instruction subset. Support for MMX instructions is indicated by CPUID Fn0000\_0001\_EDX[MMX] or Fn0000\_0001\_EDX[MMX] = 1.

The MOVD instruction form that moves data to or from XMM registers is part of the SSE2 instruction subset. Support for SSE2 instructions is indicated by CPUID Fn0000\_0001\_EDX[SSE2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.



Figure 3-1. MOVD Instruction Operation

## Instruction Encoding

| Mnemonic                                | Opcode      | Description                                                                                     |
|-----------------------------------------|-------------|-------------------------------------------------------------------------------------------------|
| MOVD <i>xmm, reg/mem32</i>              | 66 0F 6E /r | Move 32-bit value from a general-purpose register or 32-bit memory location to an XMM register. |
| MOVD <sup>1</sup> <i>xmm, reg/mem64</i> | 66 0F 6E /r | Move 64-bit value from a general-purpose register or 64-bit memory location to an XMM register. |
| MOVD <i>reg/mem32, xmm</i>              | 66 0F 7E /r | Move 32-bit value from an XMM register to a 32-bit general-purpose register or memory location. |
| MOVD <sup>1</sup> <i>reg/mem64, xmm</i> | 66 0F 7E /r | Move 64-bit value from an XMM register to a 64-bit general-purpose register or memory location. |
| MOVD <i>mmx, reg/mem32</i>              | 0F 6E /r    | Move 32-bit value from a general-purpose register or 32-bit memory location to an MMX register. |
| MOVD <i>mmx, reg/mem64</i>              | 0F 6E /r    | Move 64-bit value from a general-purpose register or 64-bit memory location to an MMX register. |
| MOVD <i>reg/mem32, mmx</i>              | 0F 7E /r    | Move 32-bit value from an MMX register to a 32-bit general-purpose register or memory location. |
| MOVD <i>reg/mem64, mmx</i>              | 0F 7E /r    | Move 64-bit value from an MMX register to a 64-bit general-purpose register or memory location. |

**Note:** 1. Also known as MOVQ in some developer tools.

## Related Instructions

MOVDQA, MOVDQU, MOVDQ2Q, MOVQ, MOVQ2DQ

## rFLAGS Affected

None

## MXCSR Flags Affected

None

## Exceptions

| Exception                                 | Real | Virtual<br>8086 | Protected | Description                                                                                                 |
|-------------------------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD                       | X    | X               | X         | MMX instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[MMX] or Fn0000_0001_EDX[MMX] = 0. |
|                                           | X    | X               | X         | SSE2 instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SSE2] = 0.                       |
|                                           | X    | X               | X         | The emulate bit (EM) of CR0 was set to 1.                                                                   |
|                                           | X    | X               | X         | The instruction used XMM registers while CR4.OSFXSR = 0.                                                    |
| Device not available, #NM                 | X    | X               | X         | The task-switch bit (TS) of CR0 was set to 1.                                                               |
| Stack, #SS                                | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                     |
| General protection, #GP                   | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                        |
| Page fault, #PF                           |      | X               | X         | A page fault resulted from the execution of the instruction.                                                |
| x87 floating-point exception pending, #MF | X    | X               | X         | An x87 floating-point exception was pending and the instruction referenced an MMX register.                 |
| Alignment check, #AC                      |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                           |

## MOVDIRI

## Move Doubleword or Quadword as Direct Store

Moves a doubleword or a quadword integer value as a direct-store that uses:

- write-combining (WC) memory type if the base destination memory type is non-coherent (uncacheable (UC) or WC)
- write-combining plus (WC+) memory type if the base destination memory type is coherent (write-back (WB), write-through (WT), write-protect (WP), or cache disable (CD)).

The operand size is 8 bytes in 64-bit mode when REX.W = 1 and 4 bytes in all other cases.

MOVDIRI uses the weakly-ordered WC or WC+ memory type even if the base memory type is stronger ordering. MOVDIRI will allocate a new write-combining buffer (WCB) and will not combine with any WCBs from older instructions. The new WCB will be evicted before it is combined with younger stores.

The MOVDIRI instruction is weakly-ordered with respect to other stores. Software should use the SFENCE or MFENCE instruction to force strong memory ordering of MOVDIRI with respect to other memory instructions.

If the MOVDIRI destination address is aligned to the write size boundary, then there will be a single atomic write to the destination, providing write-completion atomicity. If the destination address is not aligned to the write size boundary, then there may be two writes in either order, but they will not be combined with younger stores.

Support for the MOVDIRI instruction is indicated by CPUID Fn0000\_0007\_ECX\_x0[MOVDIRI]=1.

### Instruction Encoding

| Mnemonic                    | Opcode            | Description                                                                     |
|-----------------------------|-------------------|---------------------------------------------------------------------------------|
| MOVDIRI <i>mem32, reg32</i> | 0F 3B F9 /r       | Direct store of 32-bit value from general purpose register to memory.           |
| MOVDIRI <i>mem64, reg64</i> | REX.W 0F 3B F9 /r | Direct store of 64-bit value from general purpose register to memory (REX.W=1). |

### Related Instructions

MOVDIR64B

### rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                           |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | MOVDIRI instruction is not supported, as indicated by CPUID Fn0000_0007_ECX_x0[MOVDIRI] = 0. |
|                            | X    | X               | X         | LOCK prefix (F0h) or operand-size prefix (66h) preceding opcode.                             |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                      |
| General Protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                         |
|                            |      |                 | X         | A null data segment was used to reference memory.                                            |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                                       |
| Page Fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                                 |
| Alignment Check, #AC       |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.            |

## MOVDIR64B

## Move 64B as Direct Store

Moves 64-bytes as direct-store from a source memory address to a 64-byte aligned destination memory address with 64-byte write atomicity. The destination address is specified in the register operand as offset in the ES segment and must be 64-byte aligned. The source address does not have alignment requirements.

MOVDIR64B uses:

- write-combining (WC) memory type if the base destination memory type is non-coherent (uncacheable (UC) or WC)
- write-combining plus (WC+) memory type if the base destination memory type is coherent (write-back (WB), write-through (WT), write-protect (WP), or cache disable (CD)).

MOVDIR64B uses the weakly-ordered WC or WC+ memory type even if the base memory type is stronger ordering. MOVDIRI will allocate a new write-combining buffer (WCB) and will not combine with any WCBs from older instructions. The new WCB will be evicted before it is combined with younger stores.

The MOVDIR64B instruction is weakly-ordered with respect to other stores. Software should use the SFENCE or MFENCE instruction to force strong memory ordering of MOVDIR64B with respect to other memory instructions.

The 64B load from the source has no atomicity guarantee and may require more than one load operation to complete. The 64-byte store is guaranteed to be an atomic write to the destination, providing write-completion atomicity.

Support for the MOVDIR64B instruction is indicated by CPUID Fn0000\_0007\_ECX\_x0[MOVDIR64B] = 1.

### Instruction Encoding

| Mnemonic                       | Opcode            | Description                                                           |
|--------------------------------|-------------------|-----------------------------------------------------------------------|
| MOVDIR64B <i>mem512, reg64</i> | 66 0F 3B F8<br>/r | Direct store of 64-bit value from general purpose register to memory. |

### Related Instructions

MOVDIRI

### rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                               |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | MOVDIR64B instruction is not supported, as indicated by CPUID Fn0000_0007_ECX_x0[MOVDIR64B] = 0. |
|                            | X    | X               | X         | LOCK prefix (F0h) preceding opcode.                                                              |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                          |
| General Protection,<br>#GP | X    | X               | X         | The destination operand was not 64-byte aligned.                                                 |
|                            | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                             |
|                            |      |                 | X         | A null data segment was used to reference memory.                                                |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                                           |
| Page Fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                                     |

## MOVMSKPD

## Extract Packed Double-Precision Floating-Point Sign Mask

Moves the sign bits of two packed double-precision floating-point values in an XMM register (second operand) to the two low-order bits of a general-purpose register (first operand) with zero-extension.

The function of the MOVMSKPD instruction is illustrated by the diagram below:



The MOVMSKPD instruction is an SSE2 instruction. Support for SSE2 instructions is indicated by CPUID Fn0000\_0001\_EDX[SSE2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

### Instruction Encoding

| Mnemonic                   | Opcode      | Description                                                                        |
|----------------------------|-------------|------------------------------------------------------------------------------------|
| MOVMSKPD <i>reg32, xmm</i> | 66 0F 50 /r | Move sign bits 127 and 63 in an XMM register to a 32-bit general-purpose register. |

### Related Instructions

MOVMSKPS, PMOVMSKB

### rFLAGS Affected

None

### MXCSR Flags Affected

None

## Exceptions

| Exception (vector)           | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                    |
|------------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------|
| Invalid opcode, #UD          | X    | X               | X         | SSE2 instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SSE2] = 0. |
|                              | X    | X               | X         | The operating-system FXSAVE/FXRSTOR support bit (OSFXSR) of CR4 was cleared to 0.     |
|                              | X    | X               | X         | The emulate bit (EM) of CR0 was set to 1.                                             |
| Device not available,<br>#NM | X    | X               | X         | The task-switch bit (TS) of CR0 was set to 1.                                         |

## MOVMSKPS

## Extract Packed Single-Precision Floating-Point Sign Mask

Moves the sign bits of four packed single-precision floating-point values in an XMM register (second operand) to the four low-order bits of a general-purpose register (first operand) with zero-extension.

The MOVMSKPD instruction is an SSE2 instruction. Support for SSE2 instructions is indicated by CPUID Fn0000\_0001\_EDX[SSE2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                   | Opcode   | Description                                                                             |
|----------------------------|----------|-----------------------------------------------------------------------------------------|
| MOVMSKPS <i>reg32, xmm</i> | 0F 50 /r | Move sign bits 127, 95, 63, 31 in an XMM register to a 32-bit general-purpose register. |



### Related Instructions

MOVMSKPD, PMOVMSKB

### rFLAGS Affected

None

### MXCSR Flags Affected

None

## Exceptions

| Exception                    | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                    |
|------------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------|
| Invalid opcode, #UD          | X    | X               | X         | SSE2 instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SSE2] = 0. |
|                              | X    | X               | X         | The operating-system FXSAVE/FXRSTOR support bit (OSFXSR) of CR4 was cleared to 0.     |
|                              | X    | X               | X         | The emulate bit (EM) of CR0 was set to 1.                                             |
| Device not available,<br>#NM | X    | X               | X         | The task-switch bit (TS) of CR0 was set to 1.                                         |

**MOVNTI****Move Non-Temporal Doubleword or Quadword**

Stores a value in a 32-bit or 64-bit general-purpose register (second operand) in a memory location (first operand). This instruction indicates to the processor that the data is non-temporal and is unlikely to be used again soon. The processor treats the store as a write-combining (WC) memory write, which minimizes cache pollution. The exact method by which cache pollution is minimized depends on the hardware implementation of the instruction. For further information, see “Memory Optimization” in APM Volume 1.

The MOVNTI instruction is weakly-ordered with respect to other instructions that operate on memory. Software should use an SFENCE instruction to force strong memory ordering of MOVNTI with respect to other stores.

The MOVNTI instruction is an SSE2 instruction. Support for SSE2 instructions is indicated by CPUID Fn0000\_0001\_EDX[SSE2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                   | Opcode   | Description                                                                                               |
|----------------------------|----------|-----------------------------------------------------------------------------------------------------------|
| MOVNTI <i>mem32, reg32</i> | 0F C3 /r | Stores a 32-bit general-purpose register value into a 32-bit memory location, minimizing cache pollution. |
| MOVNTI <i>mem64, reg64</i> | 0F C3 /r | Stores a 64-bit general-purpose register value into a 64-bit memory location, minimizing cache pollution. |

**Related Instructions**

MOVNTDQ, MOVNTPD, MOVNTPS, MOVNTQ

**rFLAGS Affected**

None

**Exceptions**

| Exception (vector)  | Real | Virtual 8086 | Protected | Cause of Exception                                                                    |
|---------------------|------|--------------|-----------|---------------------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X            | X         | SSE2 instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SSE2] = 0. |
| Stack, #SS          | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.               |

| Exception (vector)         | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC       |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## **MOVS MOVSB MOVSW MOVSD MOVSQ**

## **Move String**

Moves a byte, word, doubleword, or quadword from the memory location pointed to by DS:rSI to the memory location pointed to by ES:rDI, and then increments or decrements the rSI and rDI registers according to the state of the DF flag in the rFLAGS register.

If the DF flag is 0, the instruction increments both pointers; otherwise, it decrements them. It increments or decrements the pointers by 1, 2, 4, or 8, depending on the size of the operands.

The forms of the MOVSx instruction with explicit operands address the first operand at *seg*:[rSI]. The value of *seg* defaults to the DS segment, but can be overridden by a segment prefix. These instructions always address the second operand at ES:[rDI] (ES may not be overridden). The explicit operands serve only to specify the type (size) of the value being moved.

The no-operands forms of the instruction use the DS:[rSI] and ES:[rDI] registers to point to the value to be moved (they do not allow a segment prefix). The mnemonic determines the size of the operands.

Do not confuse this MOVSD instruction with the same-mnemonic MOVSD (move scalar double-precision floating-point) instruction in the 128-bit media instruction set. Assemblers can distinguish the instructions by the number and type of operands.

The MOVSx instructions support the REP prefixes. For details about the REP prefixes, see “Repeat Prefixes” on page 12.

| <b>Mnemonic</b>          | <b>Opcode</b> | <b>Description</b>                                                                |
|--------------------------|---------------|-----------------------------------------------------------------------------------|
| MOVS <i>mem8, mem8</i>   | A4            | Move byte at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI.       |
| MOVS <i>mem16, mem16</i> | A5            | Move word at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI.       |
| MOVS <i>mem32, mem32</i> | A5            | Move doubleword at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI. |
| MOVS <i>mem64, mem64</i> | A5            | Move quadword at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI.   |
| MOVSB                    | A4            | Move byte at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI.       |
| MOVSW                    | A5            | Move word at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI.       |

| Mnemonic | Opcode | Description                                                                       |
|----------|--------|-----------------------------------------------------------------------------------|
| MOVSD    | A5     | Move doubleword at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI. |
| MOVSQ    | A5     | Move quadword at DS:rSI to ES:rDI, and then increment or decrement rSI and rDI.   |

## Related Instructions

MOV, LODSx, STOSx

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## MOVsx

## Move with Sign-Extension

Copies the value in a register or memory location (second operand) into a register (first operand), extending the most significant bit of an 8-bit or 16-bit value into all higher bits in a 16-bit, 32-bit, or 64-bit register.

| Mnemonic               | Opcode   | Description                                                                                          |
|------------------------|----------|------------------------------------------------------------------------------------------------------|
| MOVsx reg16, reg/mem8  | 0F BE /r | Move the contents of an 8-bit register or memory location to a 16-bit register with sign extension.  |
| MOVsx reg32, reg/mem8  | 0F BE /r | Move the contents of an 8-bit register or memory location to a 32-bit register with sign extension.  |
| MOVsx reg64, reg/mem8  | 0F BE /r | Move the contents of an 8-bit register or memory location to a 64-bit register with sign extension.  |
| MOVsx reg32, reg/mem16 | 0F BF /r | Move the contents of an 16-bit register or memory location to a 32-bit register with sign extension. |
| MOVsx reg64, reg/mem16 | 0F BF /r | Move the contents of an 16-bit register or memory location to a 64-bit register with sign extension. |

### Related Instructions

MOVSXD, MOVZX

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## MOVSXD

## Move with Sign-Extend Doubleword

Copies the 32-bit value in a register or memory location (second operand) into a 64-bit register (first operand), extending the most significant bit of the 32-bit value into all higher bits of the 64-bit register.

This instruction requires the REX prefix 64-bit operand size bit (REX.W) to be set to 1 to sign-extend a 32-bit source operand to a 64-bit result. Without the REX operand-size prefix, the operand size will be 32 bits, the default for 64-bit mode, and the source is zero-extended into a 64-bit register. With a 16-bit operand size, only 16 bits are copied, without modifying the upper 48 bits in the destination.

This instruction is available only in 64-bit mode. In legacy or compatibility mode this opcode is interpreted as ARPL.

| Mnemonic                | Opcode | Description                                                                                        |
|-------------------------|--------|----------------------------------------------------------------------------------------------------|
| MOVSXD reg64, reg/mem32 | 63 /r  | Move the contents of a 32-bit register or memory operand to a 64-bit register with sign extension. |

### Related Instructions

MOVSX, MOVZX

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 |      |                 | X         | A memory address was non-canonical.                                               |
| General protection,<br>#GP |      |                 | X         | A memory address was non-canonical.                                               |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## MOVZX

## Move with Zero-Extension

Copies the value in a register or memory location (second operand) into a register (first operand), zero-extending the value to fit in the destination register. The operand-size attribute determines the size of the zero-extended value.

| Mnemonic               | Opcode   | Description                                                                                        |
|------------------------|----------|----------------------------------------------------------------------------------------------------|
| MOVZX reg16, reg/mem8  | 0F B6 /r | Move the contents of an 8-bit register or memory operand to a 16-bit register with zero-extension. |
| MOVZX reg32, reg/mem8  | 0F B6 /r | Move the contents of an 8-bit register or memory operand to a 32-bit register with zero-extension. |
| MOVZX reg64, reg/mem8  | 0F B6 /r | Move the contents of an 8-bit register or memory operand to a 64-bit register with zero-extension. |
| MOVZX reg32, reg/mem16 | 0F B7 /r | Move the contents of a 16-bit register or memory operand to a 32-bit register with zero-extension. |
| MOVZX reg64, reg/mem16 | 0F B7 /r | Move the contents of a 16-bit register or memory operand to a 64-bit register with zero-extension. |

### Related Instructions

MOVSXD, MOVSX

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**MUL****Unsigned Multiply**

Multiplies the unsigned byte, word, doubleword, or quadword value in the specified register or memory location by the value in AL, AX, EAX, or RAX and stores the result in AX, DX:AX, EDX:EAX, or RDX:RAX (depending on the operand size). It puts the high-order bits of the product in AH, DX, EDX, or RDX.

If the upper half of the product is non-zero, the instruction sets the carry flag (CF) and overflow flag (OF) both to 1. Otherwise, it clears CF and OF to 0. The other arithmetic flags (SF, ZF, AF, PF) are undefined.

| Mnemonic      | Opcode | Description                                                                                                                       |
|---------------|--------|-----------------------------------------------------------------------------------------------------------------------------------|
| MUL reg/mem8  | F6 /4  | Multiplies an 8-bit register or memory operand by the contents of the AL register and stores the result in the AX register.       |
| MUL reg/mem16 | F7 /4  | Multiplies a 16-bit register or memory operand by the contents of the AX register and stores the result in the DX:AX register.    |
| MUL reg/mem32 | F7 /4  | Multiplies a 32-bit register or memory operand by the contents of the EAX register and stores the result in the EDX:EAX register. |
| MUL reg/mem64 | F7 /4  | Multiplies a 64-bit register or memory operand by the contents of the RAX register and stores the result in the RDX:RAX register. |

**Related Instructions**

DIV

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | U  | U  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                               |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.          |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.             |
|                            |      |                 | X         | A null data segment was used to reference memory.                                |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                     |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference is performed while alignment checking was enabled. |

## MULX

## Multiply Unsigned

Computes the unsigned product of the specified source operand and the implicit source operand rDX. Writes the upper half of the product to the first destination and the lower half to the second. Does not affect the arithmetic flags.

This instruction has three operands:

**MULX dest1, dest2, src**

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The first and second operands (*dest1* and *dest2*) are general purpose registers. The specified source operand (*src*) is either a general purpose register or a memory operand. If the first and second operands specify the same register, the register receives the upper half of the product.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                            |                                    |        |
|------------------------------|----------|----------------------------|------------------------------------|--------|
|                              | VEX      | RXB.map_select             | W.vvvv.L.pp                        | Opcode |
| MULX reg32, reg32, reg/mem32 | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{dest2}}$ .0.11 | F6 /r  |
| MULX reg64, reg64, reg/mem64 | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{dest2}}$ .0.11 | F6 /r  |

## Related Instructions

### rFLAGS Affected

None.

### Exceptions

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|---------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                     |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                     |      |                 | X         | VEX.L is 1.                                                                              |

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## MWAITX

## Monitor Wait with Timeout

Used in conjunction with the MONITORX instruction to cause a processor to wait until a store occurs to a specific linear address range from another processor or the timer expires. The previously executed MONITORX instruction causes the processor to enter the monitor event pending state. The MWAITX instruction may enter an implementation dependent power state until the monitor event pending state is exited. The MWAITX instruction has the same effect on architectural state as the NOP instruction.

Events that cause an exit from the monitor event pending state include:

- A store from another processor matches the address range established by the MONITORX instruction.
- The timer expires.
- Any unmasked interrupt, including INTR, NMI, SMI, INIT.
- RESET.
- Any far control transfer that occurs between the MONITORX and the MWAITX.

EAX specifies optional hints for the MWAITX instruction. Optimized C-state request is communicated through EAX[7:4]. The processor C-state is EAX[7:4]+1, so to request C0 is to place the value F in EAX[7:4] and to request C1 is to place the value 0 in EAX[7:4]. All other components of EAX should be zero when making the C1 request. Setting a reserved bit in EAX is ignored by the processor. This is implicitly a 32-bit operand.

ECX specifies optional extensions for the MWAITX instruction. The extensions currently defined for ECX are:

- Bit 0: When set, allows interrupts to wake MWAITX, even when eFLAGS.IF = 0. Support for this extension is indicated by a feature flag returned by the CPUID instruction.
- Bit 1: When set, EBX contains the maximum wait time expressed in Software P0 clocks, the same clocks counted by the TSC. Setting bit 1 but passing in a value of zero on EBX is equivalent to setting bit 1 to a zero. The timer will not be an exit condition.
- Bit 31-2: When non-zero, results in a #GP(0) exception.

This is implicitly a 32-bit operand.

CPUID Function 0000\_0005h indicates support for extended features of MONITORX/MWAITX as well as MONITOR/MWAIT:

- CPUID Fn0000\_0005\_ECX[EMX] = 1 indicates support for enumeration of MONITOR/MWAIT/MONITORX/MWAITX extensions.
- CPUID Fn0000\_0005\_ECX[IBE] = 1 indicates that MWAIT/MWAITX can set ECX[0] to allow interrupts to cause an exit from the monitor event pending state even when eFLAGS.IF = 0.

The MWAITX instruction can be executed at any privilege level and MSR C001\_0015h[MonMwaitUserEn] has no effect on MWAITX.

Support for the MWAITX instruction is indicated by CPUID Fn8000\_0001\_ECX[MONITORX] (bit 29)=1.

Software must check the CPUID bit once per program or library initialization before using the MWAITX instruction, or inconsistent behavior may result.

The use of the MWAITX instruction is contingent upon the satisfaction of the following coding requirements:

- MONITORX must precede the MWAITX and occur in the same loop.
- MWAITX must be conditionally executed only if the awaited store has not already occurred. (This prevents a race condition between the MONITORX instruction arming the monitoring hardware and the store intended to trigger the monitoring hardware.)

There is no indication after exiting MWAITX of why the processor exited or if the timer expired. It is up to software to check whether the awaiting store has occurred, and if not, determining how much time has elapsed if it wants to re-establish the MONITORX with a new timer value.

| Mnemonic | Opcode   | Description                                                                                                                                    |
|----------|----------|------------------------------------------------------------------------------------------------------------------------------------------------|
| MWAITX   | 0F 01 FB | Causes the processor to stop instruction execution and enter an implementation-dependent optimized state until occurrence of a class of events |

## Related Instructions

MONITORX, MONITOR, MWAIT

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                 |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | MONITORX/MWAITX instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[MONITORX] =0 |
| General protection,<br>#GP | X    | X               | X         | Unsupported extension bits in ECX                                                                  |

## NEG

## Two's Complement Negation

Performs the two's complement negation of the value in the specified register or memory location by subtracting the value from 0. Use this instruction only on signed integer numbers.

If the value is 0, the instruction clears the CF flag to 0; otherwise, it sets CF to 1. The OF, SF, ZF, AF, and PF flag settings depend on the result of the operation.

The forms of the NEG instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic      | Opcode | Description                                                                  |
|---------------|--------|------------------------------------------------------------------------------|
| NEG reg/mem8  | F6 /3  | Performs a two's complement negation on an 8-bit register or memory operand. |
| NEG reg/mem16 | F7 /3  | Performs a two's complement negation on a 16-bit register or memory operand. |
| NEG reg/mem32 | F7 /3  | Performs a two's complement negation on a 32-bit register or memory operand. |
| NEG reg/mem64 | F7 /3  | Performs a two's complement negation on a 64-bit register or memory operand. |

## Related Instructions

AND, NOT, OR, XOR

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand is in a non-writable segment.                             |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## NOP

## No Operation

Does nothing. This instruction increments the rIP to point to next instruction, but does not affect the machine state in any other way.

The single-byte variant is an alias for XCHG rAX, rAX.

| Mnemonic      | Opcode   | Description                                                   |
|---------------|----------|---------------------------------------------------------------|
| NOP           | 90       | Performs no operation.                                        |
| NOP reg/mem16 | 0F 1F /0 | Performs no operation on a 16-bit register or memory operand. |
| NOP reg/mem32 | 0F 1F /0 | Performs no operation on a 32-bit register or memory operand. |
| NOP reg/mem64 | 0F 1F /0 | Performs no operation on a 64-bit register or memory operand. |

## Related Instructions

None

## rFLAGS Affected

None

## Exceptions

None

**NOT****One's Complement Negation**

Performs the one's complement negation of the value in the specified register or memory location by inverting each bit of the value.

The memory-operand forms of the NOT instruction support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic      | Opcode | Description                                                  |
|---------------|--------|--------------------------------------------------------------|
| NOT reg/mem8  | F6 /2  | Complements the bits in an 8-bit register or memory operand. |
| NOT reg/mem16 | F7 /2  | Complements the bits in a 16-bit register or memory operand. |
| NOT reg/mem32 | F7 /2  | Complements the bits in a 32-bit register or memory operand. |
| NOT reg/mem64 | F7 /2  | Complements the bits in a 64-bit register or memory operand. |

**Related Instructions**

AND, NEG, OR, XOR

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                               |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.          |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.             |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                           |
|                            |      |                 | X         | A null data segment was used to reference memory.                                |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                     |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference is performed while alignment checking was enabled. |

**OR****Logical OR**

Performs a logical `OR` on the bits in a register, memory location, or immediate value (second operand) and a register or memory location (first operand) and stores the result in the first operand location. The two operands cannot both be memory locations.

If both corresponding bits are 0, the corresponding bit of the result is 0; otherwise, the corresponding result bit is 1.

The forms of the OR instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                   | Opcode          | Description                                                                                                    |
|----------------------------|-----------------|----------------------------------------------------------------------------------------------------------------|
| OR AL, <i>imm8</i>         | 0C <i>ib</i>    | <code>OR</code> the contents of AL with an immediate 8-bit value.                                              |
| OR AX, <i>imm16</i>        | 0D <i>iw</i>    | <code>OR</code> the contents of AX with an immediate 16-bit value.                                             |
| OR EAX, <i>imm32</i>       | 0D <i>id</i>    | <code>OR</code> the contents of EAX with an immediate 32-bit value.                                            |
| OR RAX, <i>imm32</i>       | 0D <i>id</i>    | <code>OR</code> the contents of RAX with a sign-extended immediate 32-bit value.                               |
| OR <i>reg/mem8, imm8</i>   | 80 /1 <i>ib</i> | <code>OR</code> the contents of an 8-bit register or memory operand and an immediate 8-bit value.              |
| OR <i>reg/mem16, imm16</i> | 81 /1 <i>iw</i> | <code>OR</code> the contents of a 16-bit register or memory operand and an immediate 16-bit value.             |
| OR <i>reg/mem32, imm32</i> | 81 /1 <i>id</i> | <code>OR</code> the contents of a 32-bit register or memory operand and an immediate 32-bit value.             |
| OR <i>reg/mem64, imm32</i> | 81 /1 <i>id</i> | <code>OR</code> the contents of a 64-bit register or memory operand and sign-extended immediate 32-bit value.  |
| OR <i>reg/mem16, imm8</i>  | 83 /1 <i>ib</i> | <code>OR</code> the contents of a 16-bit register or memory operand and a sign-extended immediate 8-bit value. |
| OR <i>reg/mem32, imm8</i>  | 83 /1 <i>ib</i> | <code>OR</code> the contents of a 32-bit register or memory operand and a sign-extended immediate 8-bit value. |
| OR <i>reg/mem64, imm8</i>  | 83 /1 <i>ib</i> | <code>OR</code> the contents of a 64-bit register or memory operand and a sign-extended immediate 8-bit value. |
| OR <i>reg/mem8, reg8</i>   | 08 /r           | <code>OR</code> the contents of an 8-bit register or memory operand with the contents of an 8-bit register.    |
| OR <i>reg/mem16, reg16</i> | 09 /r           | <code>OR</code> the contents of a 16-bit register or memory operand with the contents of a 16-bit register.    |
| OR <i>reg/mem32, reg32</i> | 09 /r           | <code>OR</code> the contents of a 32-bit register or memory operand with the contents of a 32-bit register.    |
| OR <i>reg/mem64, reg64</i> | 09 /r           | <code>OR</code> the contents of a 64-bit register or memory operand with the contents of a 64-bit register.    |

| Mnemonic            | Opcode | Description                                                                                    |
|---------------------|--------|------------------------------------------------------------------------------------------------|
| OR reg8, reg/mem8   | 0A /r  | or the contents of an 8-bit register with the contents of an 8-bit register or memory operand. |
| OR reg16, reg/mem16 | 0B /r  | or the contents of a 16-bit register with the contents of a 16-bit register or memory operand. |
| OR reg32, reg/mem32 | 0B /r  | or the contents of a 32-bit register with the contents of a 32-bit register or memory operand. |
| OR reg64, reg/mem64 | 0B /r  | or the contents of a 64-bit register with the contents of a 64-bit register or memory operand. |

The following chart summarizes the effect of this instruction:

| X | Y | X or Y |
|---|---|--------|
| 0 | 0 | 0      |
| 0 | 1 | 1      |
| 1 | 0 | 1      |
| 1 | 1 | 1      |

## Related Instructions

AND, NEG, NOT, XOR

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | M  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                      |
|-------------------------|------|--------------|-----------|-------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection, #GP | X    | X            | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                         |      |              | X         | The destination operand was in a non-writable segment.                  |
|                         |      |              | X         | A null data segment was used to reference memory.                       |

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## OUT

## Output to Port

Copies the value from the AL, AX, or EAX register (second operand) to an I/O port (first operand). The port address can be a byte-immediate value (00h to FFh) or the value in the DX register (0000h to FFFFh). The source register used determines the size of the port (8, 16, or 32 bits).

If the operand size is 64 bits, OUT only writes to a 32-bit I/O port.

If the CPL is higher than the IOPL or the mode is virtual mode, OUT checks the I/O permission bitmap in the TSS before allowing access to the I/O port. See APM Volume 2 for details on the TSS I/O permission bitmap.

| Mnemonic              | Opcode       | Description                                                                                  |
|-----------------------|--------------|----------------------------------------------------------------------------------------------|
| OUT <i>imm8</i> , AL  | E6 <i>ib</i> | Output the byte in the AL register to the port specified by an 8-bit immediate value.        |
| OUT <i>imm8</i> , AX  | E7 <i>ib</i> | Output the word in the AX register to the port specified by an 8-bit immediate value.        |
| OUT <i>imm8</i> , EAX | E7 <i>ib</i> | Output the doubleword in the EAX register to the port specified by an 8-bit immediate value. |
| OUT DX, AL            | EE           | Output byte in AL to the output port specified in DX.                                        |
| OUT DX, AX            | EF           | Output word in AX to the output port specified in DX.                                        |
| OUT DX, EAX           | EF           | Output doubleword in EAX to the output port specified in DX.                                 |

## Related Instructions

IN, INS<sub>x</sub>, OUTS<sub>x</sub>

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                               |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP |      | X               |           | One or more I/O permission bits were set in the TSS for the accessed port.                                       |
|                            |      |                 | X         | The CPL was greater than the IOPL and one or more I/O permission bits were set in the TSS for the accessed port. |
| Page fault (#PF)           |      | X               | X         | A page fault resulted from the execution of the instruction.                                                     |

## **OUTS OUTSB OUTSW OUTSD**

## **Output String**

Copies data from the memory location pointed to by DS:rSI to the I/O port address (0000h to FFFFh) specified in the DX register, and then increments or decrements the rSI register according to the setting of the DF flag in the rFLAGS register.

If the DF flag is 0, the instruction increments rSI; otherwise, it decrements rSI. It increments or decrements the pointer by 1, 2, or 4, depending on the size of the value being copied.

The OUTS DX mnemonic uses an explicit memory operand (second operand) to determine the type (size) of the value being copied, but always uses DS:rSI for the location of the value to copy. The explicit register operand (first operand) specifies the I/O port address and must always be DX.

The no-operands forms of the mnemonic use the DS:rSI register pair to point to the memory data to be copied and the contents of the DX register as the destination I/O port address. The mnemonic specifies the size of the I/O port and the type (size) of the value being copied.

The OUTSx instruction supports the REP prefix. For details about the REP prefix, see “Repeat Prefixes” on page 12.

If the effective operand size is 64-bits, the instruction behaves as if the operand size were 32 bits.

If the CPL is higher than the IOPL or the mode is virtual mode, OUTSx checks the I/O permission bitmap in the TSS before allowing access to the I/O port. See APM Volume 2 for details on the TSS I/O permission bitmap.

| Mnemonic              | Opcode | Description                                                                                   |
|-----------------------|--------|-----------------------------------------------------------------------------------------------|
| OUTS DX, <i>mem8</i>  | 6E     | Output the byte in DS:rSI to the port specified in DX, then increment or decrement rSI.       |
| OUTS DX, <i>mem16</i> | 6F     | Output the word in DS:rSI to the port specified in DX, then increment or decrement rSI.       |
| OUTS DX, <i>mem32</i> | 6F     | Output the doubleword in DS:rSI to the port specified in DX, then increment or decrement rSI. |
| OUTSB                 | 6E     | Output the byte in DS:rSI to the port specified in DX, then increment or decrement rSI.       |
| OUTSW                 | 6F     | Output the word in DS:rSI to the port specified in DX, then increment or decrement rSI.       |
| OUTSD                 | 6F     | Output the doubleword in DS:rSI to the port specified in DX, then increment or decrement rSI. |

**Related Instructions**IN, INS<sub>x</sub>, OUT**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                               |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                          |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                             |
|                            |      |                 | X         | A null data segment was used to reference memory.                                                                |
|                            |      | X               |           | One or more I/O permission bits were set in the TSS for the accessed port.                                       |
|                            |      |                 | X         | The CPL was greater than the IOPL and one or more I/O permission bits were set in the TSS for the accessed port. |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                                                     |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference is performed while alignment checking was enabled.                                 |

## PAUSE

## Pause

Improves the performance of spin loops, by providing a hint to the processor that the current code is in a spin loop. The processor may use this to optimize power consumption while in the spin loop.

Architecturally, this instruction behaves like a NOP instruction.

Processors that do not support PAUSE treat this opcode as a NOP instruction.

| Mnemonic | Opcode | Description                                                      |
|----------|--------|------------------------------------------------------------------|
| PAUSE    | F3 90  | Provides a hint to processor that a spin loop is being executed. |

### Related Instructions

None

### rFLAGS Affected

None

### Exceptions

None

## PDEP

## Parallel Deposit Bits

Scatters consecutive bits of the first source operand, starting at the least significant bit, to bit positions in the destination as specified by 1 bits in the second source operand (*mask*). Bit positions in the destination corresponding to 0 bits in the mask are cleared.

This instruction has three operands:

**PDEP** *dest, src, mask*

The following diagram illustrates the operation of this instruction.



v3\_PDEP\_instruct.eps

If the mask is all ones, the execution of this instruction effectively copies the source to the destination.

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) and the source (*src*) are general-purpose registers. The second source operand (*mask*) is either a general-purpose register or a memory operand.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                            |                                  |        |
|------------------------------|----------|----------------------------|----------------------------------|--------|
|                              | VEX      | RXB.map_select             | W.vvvv.L.pp                      | Opcode |
| PDEP reg32, reg32, reg/mem32 | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{src}}$ .0.11 | F5 /r  |
| PDEP reg64, reg64, reg/mem64 | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{src}}$ .0.11 | F5 /r  |

## Related Instructions

### rFLAGS Affected

None.

### Exceptions

| Exception               | Mode |                 |           | Cause of Exception                                                                       |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                          |
| Invalid opcode, #UD     | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                         |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                              |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                         |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

**PEXT****Parallel Extract Bits**

Copies bits from the source operand, based on a mask, and packs them into the low-order bits of the destination. Clears all bits in the destination to the left of the most-significant bit copied.

This instruction has three operands:

**PEXT dest, src, mask**

The following diagram illustrates the operation of this instruction.



v3\_PEXT\_instruct.eps

If the mask is all ones, the execution of this instruction effectively copies the source to the destination.

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) and the source (*src*) are general-purpose registers. The second source operand (*mask*) is either a general-purpose register or a memory operand.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                            |                                  |        |
|------------------------------|----------|----------------------------|----------------------------------|--------|
|                              | VEX      | RXB.map_select             | W.vvvv.L.pp                      | Opcode |
| PEXT reg32, reg32, reg/mem32 | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{src}}$ .0.10 | F5 /r  |
| PEXT reg64, reg64, reg/mem64 | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{src}}$ .0.10 | F5 /r  |

## Related Instructions

### rFLAGS Affected

None.

### Exceptions

| Exception               | Mode |                 |           | Cause of Exception                                                                       |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                          |
| Invalid opcode, #UD     | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                         |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                              |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                         |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

## POP

## Pop Stack

Copies the value pointed to by the stack pointer (SS:rSP) to the specified register or memory location and then increments the rSP by 2 for a 16-bit pop, 4 for a 32-bit pop, or 8 for a 64-bit pop.

The operand-size attribute determines the amount by which the stack pointer is incremented (2, 4 or 8 bytes). The stack-size attribute determines whether SP, ESP, or RSP is incremented.

For forms of the instruction that load a segment register (POP DS, POP ES, POP FS, POP GS, POP SS), the source operand must be a valid segment selector. When a segment selector is popped into a segment register, the processor also loads all associated descriptor information into the hidden part of the register and validates it.

It is possible to pop a null segment selector value (0000–0003h) into the DS, ES, FS, or GS register. This action does not cause a general protection fault, but a subsequent reference to such a segment *does* cause a #GP exception. For more information about segment selectors, see “Segment Selectors and Registers” in APM Volume 2.

In 64-bit mode, the POP operand size defaults to 64 bits and there is no prefix available to encode a 32-bit operand size. Using POP DS, POP ES, or POP SS instruction in 64-bit mode generates an invalid-opcode exception.

This instruction cannot pop a value into the CS register. The RET (Far) instruction performs this function.

| Mnemonic      | Opcode | Description                                                                                                          |
|---------------|--------|----------------------------------------------------------------------------------------------------------------------|
| POP reg/mem16 | 8F /0  | Pop the top of the stack into a 16-bit register or memory location.                                                  |
| POP reg/mem32 | 8F /0  | Pop the top of the stack into a 32-bit register or memory location.<br>(No prefix for encoding this in 64-bit mode.) |
| POP reg/mem64 | 8F /0  | Pop the top of the stack into a 64-bit register or memory location.                                                  |
| POP reg16     | 58 +rw | Pop the top of the stack into a 16-bit register.                                                                     |
| POP reg32     | 58 +rd | Pop the top of the stack into a 32-bit register.<br>(No prefix for encoding this in 64-bit mode.)                    |
| POP reg64     | 58 +rq | Pop the top of the stack into a 64-bit register.                                                                     |
| POP DS        | 1F     | Pop the top of the stack into the DS register.<br>(Invalid in 64-bit mode.)                                          |
| POP ES        | 07     | Pop the top of the stack into the ES register.<br>(Invalid in 64-bit mode.)                                          |
| POP SS        | 17     | Pop the top of the stack into the SS register.<br>(Invalid in 64-bit mode.)                                          |

| Mnemonic | Opcode | Description                                    |
|----------|--------|------------------------------------------------|
| POP FS   | 0F A1  | Pop the top of the stack into the FS register. |
| POP GS   | 0F A9  | Pop the top of the stack into the GS register. |

## Related Instructions

PUSH

## rFLAGS Affected

None

## Exceptions

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                               |
|------------------------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD                   |      |                 | X         | POP DS, POP ES, or POP SS was executed in 64-bit mode.                                                                                                           |
| Segment not present, #NP<br>(selector)   |      |                 | X         | The DS, ES, FS, or GS register was loaded with a non-null segment selector and the segment was marked not present.                                               |
| Stack, #SS                               | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                                                                          |
| Stack, #SS<br>(selector)                 |      |                 | X         | The SS register was loaded with a non-null segment selector and the segment was marked not present.                                                              |
| General protection,<br>#GP               | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                                                                             |
|                                          |      |                 | X         | The destination operand was in a non-writable segment.                                                                                                           |
|                                          |      |                 | X         | A null data segment was used to reference memory.                                                                                                                |
| General protection,<br>#GP<br>(selector) |      |                 | X         | A segment register was loaded and the segment descriptor exceeded the descriptor table limit.                                                                    |
|                                          |      |                 | X         | A segment register was loaded and the segment selector's TI bit was set, but the LDT selector was a null selector.                                               |
|                                          |      |                 | X         | The SS register was loaded with a null segment selector in non-64-bit mode or while CPL = 3.                                                                     |
|                                          |      |                 | X         | The SS register was loaded and the segment selector RPL and the segment descriptor DPL were not equal to the CPL.                                                |
|                                          |      |                 | X         | The SS register was loaded and the segment pointed to was not a writable data segment.                                                                           |
|                                          |      |                 | X         | The DS, ES, FS, or GS register was loaded and the segment pointed to was a data or non-conforming code segment, but the RPL or the CPL was greater than the DPL. |
|                                          |      |                 | X         | The DS, ES, FS, or GS register was loaded and the segment pointed to was not a data segment or readable code segment.                                            |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                                     |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                                |

## POPA POPAD

## POP All GPRs

Pops words or doublewords from the stack into the general-purpose registers in the following order: eDI, eSI, eBP, eSP (image is popped and discarded), eBX, eDX, eCX, and eAX. The instruction increments the stack pointer by 16 or 32, depending on the operand size.

Using the POPA or POPAD instructions in 64-bit mode generates an invalid-opcode exception.

| Mnemonic | Opcode | Description                                                                                |
|----------|--------|--------------------------------------------------------------------------------------------|
| POPA     | 61     | Pop the DI, SI, BP, SP, BX, DX, CX, and AX registers.<br>(Invalid in 64-bit mode.)         |
| POPAD    | 61     | Pop the EDI, ESI, EBP, ESP, EBX, EDX, ECX, and EAX registers.<br>(Invalid in 64-bit mode.) |

### Related Instructions

PUSHA, PUSHAD

### rFLAGS Affected

None

### Exceptions

| Exception            | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|----------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode (#UD) |      |              | X         | This instruction was executed in 64-bit mode.                                     |
| Stack, #SS           | X    | X            | X         | A memory address exceeded the stack segment limit.                                |
| Page fault, #PF      |      | X            | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## POPCNT

## Bit Population Count

Counts the number of bits having a value of 1 in the source operand and places the result in the destination register. The source operand is a 16-, 32-, or 64-bit general purpose register or memory operand; the destination operand is a general purpose register of the same size as the source operand register.

If the input operand is zero, the ZF flag is set to 1 and zero is written to the destination register. Otherwise, the ZF flag is cleared. The other flags are cleared.

Support for the POPCNT instruction is indicated by CPUID Fn0000\_0001\_ECX[POPCNT] = 1. Software MUST check the CPUID bit once per program or library initialization before using the POPCNT instruction, or inconsistent behavior may result.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic |                         | Opcode      | Description                |
|----------|-------------------------|-------------|----------------------------|
| POPCNT   | <i>reg16, reg/mem16</i> | F3 OF B8 /r | Count the 1s in reg/mem16. |
| POPCNT   | <i>reg32, reg/mem32</i> | F3 OF B8 /r | Count the 1s in reg/mem32. |
| POPCNT   | <i>reg64, reg/mem64</i> | F3 OF B8 /r | Count the 1s in reg/mem64. |

### Related Instructions

BSF, BSR, LZCNT

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | 0  | M  | 0  | 0  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The POPCNT instruction is not supported, as indicated by CPUID Fn0000_0001(ECX[POPCNT]). |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                            |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

**POPF****POPFD****POPFQ****POP to rFLAGS**

Pops a word, doubleword, or quadword from the stack into the rFLAGS register and then increments the stack pointer by 2, 4, or 8, depending on the operand size.

In protected or real mode, all the non-reserved flags in the rFLAGS register can be modified, except the VIP, VIF, and VM flags, which are unchanged. In protected mode, at a privilege level greater than 0, the IOPL is also unchanged. The instruction alters the interrupt flag (IF) only when the CPL is less than or equal to the IOPL.

In virtual-8086 mode, if IOPL field is less than 3, attempting to execute a POPFx or PUSHFx instruction while VME is not enabled, or the operand size is not 16-bit, generates a #GP exception.

In 64-bit mode, this instruction defaults to a 64-bit operand size; there is no prefix available to encode a 32-bit operand size.

| Mnemonic | Opcode | Description                                                                                              |
|----------|--------|----------------------------------------------------------------------------------------------------------|
| POPF     | 9D     | Pop a word from the stack into the FLAGS register.                                                       |
| POPFD    | 9D     | Pop a double word from the stack into the EFLAGS register. (No prefix for encoding this in 64-bit mode.) |
| POPFQ    | 9D     | Pop a quadword from the stack to the RFLAGS register.                                                    |

**Action**

```
// See "Pseudocode Definition" on page 61.

POPF_START:

IF (REAL_MODE)
    POPF_REAL
ELSIF (PROTECTED_MODE)
    POPF_PROTECTED
ELSE // (VIRTUAL_MODE)
    POPF_VIRTUAL

POPF_REAL:

POP.v temp_RFLAGS
RFLAGS.v = temp_RFLAGS          // VIF,VIP,VM unchanged
                                // RF cleared
EXIT
```

`POPF_PROTECTED:`

```
POP.v temp_RFLAGS
RFLAGS.v = temp_RFLAGS          // VIF,VIP,VM unchanged
                                // IOPL changed only if (CPL==0)
                                // IF changed only if (CPL<=old_RFLAGS.IOPL)
                                // RF cleared
EXIT
```

`POPF_VIRTUAL:`

```
IF (RFLAGS.IOPL==3)
{
    POP.v temp_RFLAGS
    RFLAGS.v = temp_RFLAGS          // VIF,VIP,VM,IOPL unchanged
                                    // RF cleared
    EXIT
}
ELSIF ((CR4.VME==1) && (OPERAND_SIZE==16))
{
    POP.w temp_RFLAGS
    IF (((temp_RFLAGS.IF==1) && (RFLAGS.VIP==1)) || (temp_RFLAGS.TF==1))
        EXCEPTION [#GP(0)]           // notify the virtual-mode-manager to
deliver
    RFLAGS.w = temp_RFLAGS          // the task's pending interrupts
                                    // IF,IOPL unchanged
                                    // RFLAGS.VIF=temp_RFLAGS.IF
                                    // RF cleared
    EXIT
}
ELSE // ((RFLAGS.IOPL<3) && ((CR4.VME==0) || (OPERAND_SIZE!=16)))
    EXCEPTION [#GP(0)]
```

## Related Instructions

PUSHF, PUSHFD, PUSHFQ

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
| M  |     | M   | M  |    | 0  | M  | M     | M  | M  | M  | M  | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                                                                                                                                                                           |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                                                                                                                                                                                                                                      |
| General protection,<br>#GP |      | X               |           | The I/O privilege level was less than 3 and one of the following conditions was true: <ul style="list-style-type: none"><li>• CR4.VME was 0.</li><li>• The effective operand size was 32-bit.</li><li>• Both the original EFLAGS.VIP and the new EFLAGS.IF bits were set.</li><li>• The new EFLAGS.TF bit was set.</li></ul> |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                                                                                                                                                                                                 |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                                                                                                                                                                                            |

## PREFETCH PREFETCHW

Loads the entire 64-byte aligned memory sequence *containing* the specified memory address into the L1 data cache. The position of the specified memory address within the 64-byte cache line is irrelevant. If a cache hit occurs, or if a memory fault is detected, no bus cycle is initiated and the instruction is treated as a NOP.

The PREFETCHW instruction loads the prefetched line and sets the cache-line state to Modified, in anticipation of subsequent data writes to the line. The PREFETCH instruction, by contrast, typically sets the cache-line state to Exclusive (depending on the hardware implementation).

The opcodes for the PREFETCH/PREFETCHW instructions include the ModRM byte; however, only the memory form of ModRM is valid. The register form of ModRM causes an invalid-opcode exception. Because there is no destination register, the three destination register field bits of the ModRM byte define the type of prefetch to be performed. The bit patterns 000b and 001b define the PREFETCH and PREFETCHW instructions, respectively. All other bit patterns are reserved for future use.

The *reserved* PREFETCH types do not result in an invalid-opcode exception if executed. Instead, for forward compatibility with future processors that may implement additional forms of the PREFETCH instruction, all reserved PREFETCH types are implemented as synonyms of the basic PREFETCH type (the PREFETCH instruction with type 000b).

The operation of these instructions is implementation-dependent. The processor implementation can ignore or change these instructions. The size of the cache line also depends on the implementation, with a minimum size of 32 bytes. For details on the use of this instruction, see the processor data sheets or other software-optimization documentation relating to particular hardware implementations.

When paging is enabled and PREFETCHW performs a prefetch from a writable page, it may set the PTE Dirty bit to 1.

Support for the PREFETCH and PREFETCHW instructions is indicated by CPUID Fn8000\_0001\_ECX[3DNowPrefetch] OR Fn8000\_0001\_EDX[LM] OR Fn8000\_0001\_EDX[3DNow] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

## Prefetch L1 Data-Cache Line

## Related Instructions

PREFETCH*level*

## rFLAGS Affected

None

## Exceptions

| Exception (vector)  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                     |
|---------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | PREFETCH and PREFETCHW instructions are not supported, as indicated by CPUID Fn8000_0001(ECX[3DNowPrefetch]) AND Fn8000_0001(EDX[LM]) AND Fn8000_0001(EDX[3DNow]) = 0. |
|                     | X    | X               | X         | The operand was a register.                                                                                                                                            |

**PREFETCH/level****Prefetch Data to Cache Level /level**

Loads a cache line from the specified memory address into the data or instruction cache level specified by the locality reference bits 5:3 of the ModRM byte. Table 3-3 on page 296 lists the locality reference options for the instruction.

This instruction loads a cache line even if the *mem8* address is not aligned with the start of the line. If the cache line is already contained in a cache level that is lower than the specified locality reference, or if a memory fault is detected, a bus cycle is not initiated and the instruction is treated as a NOP.

The operation of this instruction is implementation-dependent. The processor implementation can ignore or change this instruction. The size of the cache line also depends on the implementation, with a minimum size of 32 bytes. Some AMD processors alias PREFETCHT1 and PREFETCHT2 to PREFETCHT0. Also for PREFETCHT0 and PREFETCHT1, some processors may only prefetch if the memory operand is a RIP-relative memory address. Support for PREFETCHT0 and PREFETCHT1 is indicated by CPUID Fn8000\_0021\_EAX[PREFETCHI] = 1. For details on the use of this instruction, see the software-optimization documentation relating to particular hardware implementations.

| Mnemonic                | Opcode   | Description                                                      |
|-------------------------|----------|------------------------------------------------------------------|
| PREFETCHNTA <i>mem8</i> | 0F 18 /0 | Move data closer to the processor using the NTA reference.       |
| PREFETCHT0 <i>mem8</i>  | 0F 18 /1 | Move data closer to the processor using the T0 reference.        |
| PREFETCHT1 <i>mem8</i>  | 0F 18 /2 | Move data closer to the processor using the T1 reference.        |
| PREFETCHT2 <i>mem8</i>  | 0F 18 /3 | Move data closer to the processor using the T2 reference.        |
| PREFETCHT1 <i>mem8</i>  | 0F 18 /6 | Move instructions closer to the processor using the T1 locality. |
| PREFETCHT0 <i>mem8</i>  | 0F 18 /7 | Move instructions closer to the processor using the T0 locality. |

**Table 3-3. Locality References for the Prefetch Instructions**

| Locality Reference | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| NTA                | Non-Temporal Access—Move the specified data into the processor with minimum cache pollution. This is intended for data that will be used only once, rather than repeatedly. The specific technique for minimizing cache pollution is implementation-dependent and may include such techniques as allocating space in a software-invisible buffer, allocating a cache line in only a single way, etc. For details, see the software-optimization documentation for a particular hardware implementation. |
| T0                 | All Cache Levels—Move the specified data into all cache levels.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| T1                 | Level 2 and Higher—Move the specified data into all cache levels except 0th level (L1) cache.                                                                                                                                                                                                                                                                                                                                                                                                           |
| T2                 | Level 3 and Higher—Move the specified data into all cache levels except 0th level (L1) and 1st level (L2) caches.                                                                                                                                                                                                                                                                                                                                                                                       |
| IT1                | Level 2 Instruction Cache and Higher—Move the specified instructions into all instruction cache levels except 0th level (L1) cache.                                                                                                                                                                                                                                                                                                                                                                     |
| IT0                | All Instruction Cache Levels—Move the specified instructions into all instruction cache levels.                                                                                                                                                                                                                                                                                                                                                                                                         |

**Related Instructions**

PREFETCH, PREFETCHW

**rFLAGS Affected**

None

**Exceptions**

None

## PUSH

## Push onto Stack

Decrements the stack pointer and then copies the specified immediate value or the value in the specified register or memory location to the top of the stack (the memory location pointed to by SS:rSP).

The operand-size attribute determines the number of bytes pushed to the stack. The stack-size attribute determines whether SP, ESP, or RSP is the stack pointer. The address-size attribute is used only to locate the memory operand when pushing a memory operand to the stack.

If the instruction pushes the stack pointer (rSP), the resulting value on the stack is that of rSP before execution of the instruction.

There is a PUSH CS instruction but no corresponding POP CS. The RET (Far) instruction pops a value from the top of stack into the CS register as part of its operation.

In 64-bit mode, the operand size of all PUSH instructions defaults to 64 bits, and there is no prefix available to encode a 32-bit operand size. Using the PUSH CS, PUSH DS, PUSH ES, or PUSH SS instructions in 64-bit mode generates an invalid-opcode exception.

Pushing an odd number of 16-bit operands when the stack address-size attribute is 32 results in a misaligned stack pointer.

| Mnemonic       | Opcode | Description                                                                                                            |
|----------------|--------|------------------------------------------------------------------------------------------------------------------------|
| PUSH reg/mem16 | FF /6  | Push the contents of a 16-bit register or memory operand onto the stack.                                               |
| PUSH reg/mem32 | FF /6  | Push the contents of a 32-bit register or memory operand onto the stack. (No prefix for encoding this in 64-bit mode.) |
| PUSH reg/mem64 | FF /6  | Push the contents of a 64-bit register or memory operand onto the stack.                                               |
| PUSH reg16     | 50 +rw | Push the contents of a 16-bit register onto the stack.                                                                 |
| PUSH reg32     | 50 +rd | Push the contents of a 32-bit register onto the stack. (No prefix for encoding this in 64-bit mode.)                   |
| PUSH reg64     | 50 +rq | Push the contents of a 64-bit register onto the stack.                                                                 |
| PUSH imm8      | 6A ib  | Push an 8-bit immediate value (sign-extended to 16, 32, or 64 bits) onto the stack.                                    |
| PUSH imm16     | 68 iw  | Push a 16-bit immediate value onto the stack.                                                                          |
| PUSH imm32     | 68 id  | Push a 32-bit immediate value onto the stack. (No prefix for encoding this in 64-bit mode.)                            |
| PUSH imm64     | 68 id  | Push a sign-extended 32-bit immediate value onto the stack.                                                            |
| PUSH CS        | 0E     | Push the CS selector onto the stack. (Invalid in 64-bit mode.)                                                         |

| Mnemonic | Opcode | Description                                                    |
|----------|--------|----------------------------------------------------------------|
| PUSH SS  | 16     | Push the SS selector onto the stack. (Invalid in 64-bit mode.) |
| PUSH DS  | 1E     | Push the DS selector onto the stack. (Invalid in 64-bit mode.) |
| PUSH ES  | 06     | Push the ES selector onto the stack. (Invalid in 64-bit mode.) |
| PUSH FS  | 0F A0  | Push the FS selector onto the stack.                           |
| PUSH GS  | 0F A8  | Push the GS selector onto the stack.                           |

## Related Instructions

POP

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     |      |                 | X         | PUSH CS, PUSH DS, PUSH ES, or PUSH SS was executed in 64-bit mode.                |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## PUSHA PUSHAD

## Push All GPRs onto Stack

Pushes the contents of the eAX, eCX, eDX, eBX, eSP (original value), eBP, eSI, and eDI general-purpose registers onto the stack in that order. This instruction decrements the stack pointer by 16 or 32 depending on operand size.

Using the PUSHA or PUSHAD instruction in 64-bit mode generates an invalid-opcode exception.

| Mnemonic | Opcode | Description                                                                                                                         |
|----------|--------|-------------------------------------------------------------------------------------------------------------------------------------|
| PUSHA    | 60     | Push the contents of the AX, CX, DX, BX, original SP, BP, SI, and DI registers onto the stack.<br>(Invalid in 64-bit mode.)         |
| PUSHAD   | 60     | Push the contents of the EAX, ECX, EDX, EBX, original ESP, EBP, ESI, and EDI registers onto the stack.<br>(Invalid in 64-bit mode.) |

### Related Instructions

POPA, POPAD

### rFLAGS Affected

None

### Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD  |      |                 | X         | This instruction was executed in 64-bit mode.                                     |
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack segment limit.                                |
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## PUSHF PUSHFD PUSHFQ

### Push rFLAGS onto Stack

Decrements the rSP register and copies the rFLAGS register (except for the VM and RF flags) onto the stack. The instruction clears the VM and RF flags in the rFLAGS image before putting it on the stack.

The instruction pushes 2, 4, or 8 bytes, depending on the operand size.

In 64-bit mode, this instruction defaults to a 64-bit operand size and there is no prefix available to encode a 32-bit operand size.

In virtual-8086 mode, if system software has set the IOPL field to a value less than 3, a general-protection exception occurs if application software attempts to execute PUSHFx or POPFx while VME is not enabled or the operand size is not 16-bit.

| Mnemonic | Opcode | Description                                                                      |
|----------|--------|----------------------------------------------------------------------------------|
| PUSHF    | 9C     | Push the FLAGS word onto the stack.                                              |
| PUSHFD   | 9C     | Push the EFLAGS doubleword onto stack. (No prefix encoding this in 64-bit mode.) |
| PUSHFQ   | 9C     | Push the RFLAGS quadword onto stack.                                             |

### Action

```
// See "Pseudocode Definition" on page 61.

PUSHF_START:
IF (REAL_MODE)
    PUSHF_REAL
ELSIF (PROTECTED_MODE)
    PUSHF_PROTECTED
ELSE // (VIRTUAL_MODE)
    PUSHF_VIRTUAL

PUSHF_REAL:
    PUSH.v old_RFLAGS      // Pushed with RF and VM cleared.
    EXIT

PUSHF_PROTECTED:
    PUSH.v old_RFLAGS      // Pushed with RF cleared.
    EXIT

PUSHF_VIRTUAL:
    IF (RFLAGS.IOPL==3)
    {
        PUSH.v old_RFLAGS // Pushed with RF,VM cleared.
        EXIT
    }
```

```

ELSIF ((CR4.VME==1) && (OPERAND_SIZE==16))
{
    PUSH.v old_RFLAGS // Pushed with VIF in the IF position.
                        // Pushed with IOPL=3.
    EXIT
}
ELSE // ((RFLAGS.IOPL<3) && ((CR4.VME==0) || (OPERAND_SIZE!=16)))
    EXCEPTION [#GP(0)]

```

## Related Instructions

POPF, POPFD, POPFQ

## rFLAGS Affected

None

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                         |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------|
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                    |
| General protection, #GP |      | X               |           | The I/O privilege level was less than 3 and either VME was not enabled or the operand size was not 16-bit. |
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                                               |
| Alignment check, #AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                          |

**RCL****Rotate Through Carry Left**

Rotates the bits of a register or memory location (first operand) to the left (more significant bit positions) and through the carry flag by the number of bit positions in an unsigned immediate value or the CL register (second operand). The bits rotated through the carry flag are rotated back in at the right end (lsb) of the first operand location.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63.

For 1-bit rotates, the instruction sets the OF flag to the logical `xor` of the CF bit (after the rotate) and the most significant bit of the result. When the rotate count is greater than 1, the OF flag is undefined. When the rotate count is 0, no flags are affected.

| Mnemonic                         | Opcode   | Description                                                                                                                                             |
|----------------------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| <code>RCL reg/mem8,1</code>      | D0 /2    | Rotate the 9 bits consisting of the carry flag and an 8-bit register or memory location left 1 bit.                                                     |
| <code>RCL reg/mem8, CL</code>    | D2 /2    | Rotate the 9 bits consisting of the carry flag and an 8-bit register or memory location left the number of bits specified in the CL register.           |
| <code>RCL reg/mem8, imm8</code>  | C0 /2 ib | Rotate the 9 bits consisting of the carry flag and an 8-bit register or memory location left the number of bits specified by an 8-bit immediate value.  |
| <code>RCL reg/mem16, 1</code>    | D1 /2    | Rotate the 17 bits consisting of the carry flag and a 16-bit register or memory location left 1 bit.                                                    |
| <code>RCL reg/mem16, CL</code>   | D3 /2    | Rotate the 17 bits consisting of the carry flag and a 16-bit register or memory location left the number of bits specified in the CL register.          |
| <code>RCL reg/mem16, imm8</code> | C1 /2 ib | Rotate the 17 bits consisting of the carry flag and a 16-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| <code>RCL reg/mem32, 1</code>    | D1 /2    | Rotate the 33 bits consisting of the carry flag and a 32-bit register or memory location left 1 bit.                                                    |
| <code>RCL reg/mem32, CL</code>   | D3 /2    | Rotate 33 bits consisting of the carry flag and a 32-bit register or memory location left the number of bits specified in the CL register.              |
| <code>RCL reg/mem32, imm8</code> | C1 /2 ib | Rotate the 33 bits consisting of the carry flag and a 32-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| <code>RCL reg/mem64, 1</code>    | D1 /2    | Rotate the 65 bits consisting of the carry flag and a 64-bit register or memory location left 1 bit.                                                    |

| Mnemonic            | Opcode   | Description                                                                                                                                              |
|---------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| RCL reg/mem64, CL   | D3 /2    | Rotate the 65 bits consisting of the carry flag and a 64-bit register or memory location left the number of bits specified in the CL register.           |
| RCL reg/mem64, imm8 | C1 /2 ib | Rotates the 65 bits consisting of the carry flag and a 64-bit register or memory location left the number of bits specified by an 8-bit immediate value. |

## Related Instructions

RCR, ROL, ROR

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**RCR****Rotate Through Carry Right**

Rotates the bits of a register or memory location (first operand) to the right (toward the less significant bit positions) and through the carry flag by the number of bit positions in an unsigned immediate value or the CL register (second operand). The bits rotated through the carry flag are rotated back in at the left end (msb) of the first operand location.

The processor masks the upper three bits in the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63.

For 1-bit rotates, the instruction sets the OF flag to the logical  $\text{xor}$  of the two most significant bits of the result. When the rotate count is greater than 1, the OF flag is undefined. When the rotate count is 0, no flags are affected.

| Mnemonic                   | Opcode   | Description                                                                                                                                              |
|----------------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| RCR <i>reg/mem8, 1</i>     | D0 /3    | Rotate the 9 bits consisting of the carry flag and an 8-bit register or memory location right 1 bit.                                                     |
| RCR <i>reg/mem8,CL</i>     | D2 /3    | Rotate the 9 bits consisting of the carry flag and an 8-bit register or memory location right the number of bits specified in the CL register.           |
| RCR <i>reg/mem8,imm8</i>   | C0 /3 ib | Rotate the 9 bits consisting of the carry flag and an 8-bit register or memory location right the number of bits specified by an 8-bit immediate value.  |
| RCR <i>reg/mem16,1</i>     | D1 /3    | Rotate the 17 bits consisting of the carry flag and a 16-bit register or memory location right 1 bit.                                                    |
| RCR <i>reg/mem16,CL</i>    | D3 /3    | Rotate the 17 bits consisting of the carry flag and a 16-bit register or memory location right the number of bits specified in the CL register.          |
| RCR <i>reg/mem16, imm8</i> | C1 /3 ib | Rotate the 17 bits consisting of the carry flag and a 16-bit register or memory location right the number of bits specified by an 8-bit immediate value. |
| RCR <i>reg/mem32,1</i>     | D1 /3    | Rotate the 33 bits consisting of the carry flag and a 32-bit register or memory location right 1 bit.                                                    |
| RCR <i>reg/mem32,CL</i>    | D3 /3    | Rotate 33 bits consisting of the carry flag and a 32-bit register or memory location right the number of bits specified in the CL register.              |
| RCR <i>reg/mem32, imm8</i> | C1 /3 ib | Rotate the 33 bits consisting of the carry flag and a 32-bit register or memory location right the number of bits specified by an 8-bit immediate value. |
| RCR <i>reg/mem64,1</i>     | D1 /3    | Rotate the 65 bits consisting of the carry flag and a 64-bit register or memory location right 1 bit.                                                    |

| Mnemonic                   | Opcode   | Description                                                                                                                                              |
|----------------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| RCR <i>reg/mem64,CL</i>    | D3 /3    | Rotate 65 bits consisting of the carry flag and a 64-bit register or memory location right the number of bits specified in the CL register.              |
| RCR <i>reg/mem64, imm8</i> | C1 /3 ib | Rotate the 65 bits consisting of the carry flag and a 64-bit register or memory location right the number of bits specified by an 8-bit immediate value. |

## Related Instructions

RCL, ROR, ROL

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X            | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |              | X         | The destination operand was in a non-writable segment.                            |
|                         |      |              | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X            | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## RDFSBASE RDGSBASE

## Read FS.base Read GS.base

Copies the base field of the FS or GS segment descriptor to the specified register. When supported and enabled, these instructions can be executed at any processor privilege level. The RDFSBASE and RDGSBASE instructions are only defined in 64-bit mode.

System software must set the FSGSBASE bit (bit 16) of CR4 to enable the RDFSBASE and RDGSBASE instructions.

Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[FSGSBASE] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic       | Opcode      | Description                                                                           |
|----------------|-------------|---------------------------------------------------------------------------------------|
| RDFSBASE reg32 | F3 0F AE /0 | Copy the lower 32 bits of FS.base to the specified general-purpose register.          |
| RDFSBASE reg64 | F3 0F AE /0 | Copy the entire 64-bit contents of FS.base to the specified general-purpose register. |
| RDGSBASE reg32 | F3 0F AE /1 | Copy the lower 32 bits of GS.base to the specified general-purpose register.          |
| RDGSBASE reg64 | F3 0F AE /1 | Copy the entire 64-bit contents of GS.base to the specified general-purpose register. |

### Related Instructions

WRFSBASE, WRGSBASE

### rFLAGS Affected

None.

### Exceptions

| Exception | Legacy | Compat-<br>ibility | 64-bit | Cause of Exception                                                                                                     |
|-----------|--------|--------------------|--------|------------------------------------------------------------------------------------------------------------------------|
| #UD       | X      | X                  |        | Instruction is not valid in compatibility or legacy modes.                                                             |
|           |        |                    | X      | Instruction not supported as indicated by CPUID Fn0000_0007_EBX_x0[FSGSBASE] = 0 or, if supported, not enabled in CR4. |

## RDPID

## Read Processor ID

RDPID reads the value of TSC\_AUX MSR used by the RDTSCP instruction into the specified destination register. Normal operand size prefixes do not apply and the update is either 32 bit or 64 bit based on the current mode.

The RDPID instruction can be used to access the TSC\_AUX value at CPL > 0 in cases where the operating system has disabled unprivileged execution of the RDTSCP instruction.

The content of the TSC\_AUX MSR, including how and even whether it actually indicates a processor ID, is a matter of operating system convention.

The RDPID instruction is supported if the feature flag CPUID Fn0000\_0007\_ECX\_x0[RDPID]=1.

| Mnemonic | Opcode     | Description  |
|----------|------------|--------------|
| RDPID    | F3 0F C7/7 | Read TSC_AUX |

### Related Instructions

RDTSCP

### rFLAGS Affected

rNone

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                          |
|------------------------|------|-----------------|-----------|-------------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | Instruction not supported by CPUID Fn0000_0007_ECX[22] = 0. |

## RDPRU

## Read Processor Register

RDPRU instruction is used to give access to some processor registers that are typically only accessible when the privilege level is zero. ECX is used as the implicit register to specify which register to read. RDPRU places the specified register's value into EDX:EAX.

The RDPRU instruction normally can be executed at any privilege level. When CR4.TSD=1, RDPRU can only be used when the privilege level is zero. When the CPL>0 with CR4.TSD=1, the RDPRU instruction will generate a #UD fault.

The RDPRU instruction is supported if the feature flag CPUID Fn8000\_0008 EBX[4]=1. The 16-bit field in CPUID Fn8000\_0008-EDX[31:16] returns the largest ECX value that returns a valid register. Any unsupported ECX values return zero. Registers currently supported by ECX values are:

- ECX Value 0 = Register MPERF
- ECX Value 1 = Register APERF

| Mnemonic | Opcode   | Description                                 |
|----------|----------|---------------------------------------------|
| RDPRU    | 0F 01 FD | Copy register specified by ECX into EDX:EAX |

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | 0  | 0  | 0  | 0  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                          |
|------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | Instruction not supported by<br>CPUID Fn8000_0008_EBX[RDPRU] = 0 or CPL>0 and<br>CR4.TSD=1. |

## RDRAND

## Read Random

Loads the destination register with a hardware-generated random value.

The size of the returned value in bits is determined by the size of the destination register.

Hardware modifies the CF flag to indicate whether the value returned in the destination register is valid. If CF = 1, the value is valid. If CF = 0, the value is invalid. Software must test the state of the CF flag prior to using the value returned in the destination register to determine if the value is valid. If the returned value is invalid, software must execute the instruction again. Software should implement a retry limit to ensure forward progress of code.

The execution of RDRAND clears the OF, SF, ZF, AF, and PF flags.

Support for the RDRAND instruction is optional. On processors that support the instruction, CPUID Fn0000\_0001\_ECX[RDRAND] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic     | Opcode   | Description                                                |
|--------------|----------|------------------------------------------------------------|
| RDRAND reg16 | 0F C7 /6 | Load the destination register with a 16-bit random number. |
| RDRAND reg32 | 0F C7 /6 | Load the destination register with a 32-bit random number. |
| RDRAND reg64 | 0F C7 /6 | Load the destination register with a 64-bit random number. |

### Related Instructions

RDSEED

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | 0  | 0  | 0  | 0  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                              |
|------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | Instruction not supported as indicated by<br>CPUID Fn0000_0001_ECX[RDRAND] = 0. |

## RDSEED

## Read Random Seed

Loads the destination register with a hardware-generated random “seed” value.

The size of the returned value in bits is determined by the size of the destination register.

Hardware modifies the CF flag to indicate whether the value returned in the destination register is valid. If CF = 1, the value is valid. If CF = 0, the value is invalid and will be returned as zero. Software must test the state of the CF flag prior to using the value returned in the destination register to determine if the value is valid. If the returned value is invalid, software must execute the instruction again. Software should implement a retry limit to ensure forward progress of code.

The execution of RDSEED clears the OF, SF, ZF, AF, and PF flags.

| Mnemonic     | Opcode   | Description             |
|--------------|----------|-------------------------|
| RDSEED reg16 | 0F C7 /7 | Read 16-bit random seed |
| RDSEED reg32 | 0F C7 /7 | Read 32-bit random seed |
| RDSEED reg64 | 0F C7 /7 | Read 64-bit random seed |

### Related Instructions

RDRAND

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | 0  | 0  | 0  | 0  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception           | Real | Virtual 8086 | Protected | Cause of Exception                                                             |
|---------------------|------|--------------|-----------|--------------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X            | X         | Instruction not supported as indicated by CPUID Fn0000_0007_EBX_x0[RDSEED] = 0 |

## RET (Near)

## Near Return from Called Procedure

Returns from a procedure previously entered by a CALL near instruction. This form of the RET instruction returns to a calling procedure within the current code segment.

This instruction pops the rIP from the stack, with the size of the pop determined by the operand size. The new rIP is then zero-extended to 64 bits. The RET instruction can accept an immediate value operand that it adds to the rSP after it pops the target rIP. This action skips over any parameters previously passed back to the subroutine that are no longer needed.

In 64-bit mode, the operand size defaults to 64 bits (eight bytes) without the need for a REX prefix. No prefix is available to encode a 32-bit operand size in 64-bit mode.

See RET (Far) for information on far returns—returns to procedures located outside of the current code segment. For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic         | Opcode       | Description                                                                                 |
|------------------|--------------|---------------------------------------------------------------------------------------------|
| RET              | C3           | Near return to the calling procedure.                                                       |
| RET <i>imm16</i> | C2 <i>iw</i> | Near return to the calling procedure then pop the specified number of bytes from the stack. |

## Action

```

RETN_START:

IF (OPCODE == retn imm16)
    temp_IMM = 16 bit immediate from the instruction, zero-extended to 64 bits
ELSE // (OPCODE == retn)
    temp_IMM = 0

IF (stack is not large enough for a v-sized pop)
    EXCEPTION[#SS(0)]

POP.v temp_RIP

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
    (!64BIT_MODE) && (temp_RIP > CS.limit))
    EXCEPTION [#GP(0)]

IF (ShadowStacksEnabled at current CPL)
{
    IF (v == 2)                  // operand size = 16
    {
        temp_sstk_RIP = SSTK_READ_MEM.d [SSP]
        SSP = SSP + 4
    }
}

```

```

        }
ELSEIF (v == 4)           // operand size = 32
{
    temp_sstk_RIP = SSTK_READ_MEM.d [SSP]
    SSP = SSP + 4
}
ELSE // (v == 8)           // operand size = 64
{
    temp_sstk_RIP = SSTK_READ_MEM.q [SSP]
    SSP = SSP + 8
}
IF (temp_RIP != temp_sstk_RIP)
    EXCEPTION [#CP(RETN)]
} end shadow stacks enabled

RSP.s = RSP + temp_IMM
RIP   = temp_RIP
EXIT  // end RETN

```

## Related Instructions

CALL (Near), CALL (Far), RET (Far)

## rFLAGS Affected

None

## Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                     |
|-------------------------|------|--------------|-----------|----------------------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.                |
| General protection, #GP | X    | X            | X         | The target offset exceeded the code segment limit or was non-canonical.                |
| Page fault, #PF         |      | X            | X         | A page fault resulted from the execution of the instruction.                           |
| Alignment check, #AC    |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled.      |
| Control-protection, #CP |      |              | X         | The return address on the program stack did not match the address on the shadow stack. |

## RET (Far)

## Far Return from Called Procedure

Returns from a procedure previously entered by a CALL Far instruction. This form of the RET instruction returns to a calling procedure in a different segment than the current code segment. It can return to the same CPL or to a less privileged CPL.

RET Far pops a target CS and rIP from the stack. If the new code segment is less privileged than the current code segment, the stack pointer is incremented by the number of bytes indicated by the immediate operand, if present; then a new SS and rSP are also popped from the stack.

The final value of rSP is incremented by the number of bytes indicated by the immediate operand, if present. This action skips over the parameters (previously passed to the subroutine) that are no longer needed.

All stack pops are determined by the operand size. If necessary, the target rIP is zero-extended to 64 bits before assuming program control.

If the CPL changes, the data segment selectors are set to NULL for any of the data segments (DS, ES, FS, GS) not accessible at the new CPL.

See RET (Near) for information on near returns—returns to procedures located inside the current code segment. For details about control-flow instructions, see “Control Transfers” in APM Volume 1, and “Control-Transfer Privilege Checks” in APM Volume 2.

| Mnemonic          | Opcode       | Description                                                                                 |
|-------------------|--------------|---------------------------------------------------------------------------------------------|
| RETF              | CB           | Far return to the calling procedure.                                                        |
| RETF <i>imm16</i> | CA <i>iw</i> | Far return to the calling procedure, then pop the specified number of bytes from the stack. |

### Action

```
// For functions READ_DESCRIPTOR, ShadowStacksEnabled
// see "Pseudocode Definition" on page 57

RETF_START:

IF (PROTECTED_MODE)
    RETF_PROTECTED
ELSE // (REAL_MODE or VIRTUAL_MODE)
    RETF_REAL_OR_VIRTUAL

RETF_REAL_OR_VIRTUAL:

IF (OPCODE == retf imm16)
    temp_IMM = 16 bit immediate operand, zero-extended to 64 bits
ELSE // (OPCODE == retf)
    temp_IMM = 0
```

```

POP.v temp_RIP
POP.v temp_CS

IF (temp_RIP > CS.limit)
    EXCEPTION [#GP(0)]

CS.sel = temp_CS
CS.base = temp_CS SHL 4

RSP.s = RSP + temp_IMM
RIP = temp_RIP
EXIT // end RETF real or virtual modes

RETF_PROTECTED:

IF (OPCODE == retf imm16)
    temp_IMM = 16 bit immediate operand, zero-extended to 64 bits
ELSE // (OPCODE == retf)
    temp_IMM = 0

POP.v temp_RIP
POP.v temp_CS
temp_CPL = temp_CS.rpl

IF (CPL == temp_CPL) // not changing privilege level
    RETF_PROTECTED_TO_SAME_PRIV
ELSE
    RETF_PROTECTED_TO_OUTER_PRIV

RETF_PROTECTED_TO_SAME_PRIV:
    // CPL = temp_CS.rpl (RETF to same privilege level)
CS = READ_DESCRIPTOR (temp_CS, iret_chk)

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
    (!64BIT_MODE) && (temp_RIP > CS.limit))
    EXCEPTION [#GP(0)]

RIP = temp_RIP
RSP.s = RSP + temp_IMM

IF (ShadowStacksEnabled(current CPL))
{
    IF (SSP[2:0] != 0)
        EXCEPTION [#CP(RETF/IRET)] // SSP must be 8-byte aligned
    temp_sstk_CS = SSTK_READ_MEM.q [SSP + 16] // read CS from sstk
    temp_sstk_LIP = SSTK_READ_MEM.q [SSP + 8] // read LIP
    temp_sstk_prevSSP = SSTK_READ_MEM.q [SSP] // read previous SSP
    SSP = SSP + 24
}

```

```

IF (temp_CS != temp_sstk_CS)
    EXCEPTION [#CP(RET/IRET)]      // CS mismatch
IF ((CS.base + RIP) != temp_sstk_LIP)
    EXCEPTION [#CP(RET/IRET)]      // LIP mismatch
IF (temp_sstk_prevSSP[1:0] != 0)
    EXCEPTION [#CP(RET/IRET)]      // prevSSP must be 4-byte aligned
IF ((COMPATIBILITY_MODE) && (tmp_sstk_prevSSP[63:32] != 0))
    EXCEPTION [#GP(0)]           // prevSSP must be <4GB in compat mode
IF ((64BIT_MODE) && (temp_sstk_prevSSP is non-canonical))
    EXCEPTION [#GP(0)]
SSP = temp_sstk_prevSSP
} // end shadow stacks enabled at current CPL

EXIT // end RETF to same privilege level

RETF_PROTECTED_TO_OUTER_PRIV:
                    // CPL != temp_CS.rpl (RETF changing privilege level)
POP.v temp_RSP
POP.v temp_SS

CS = READ_DESCRIPTOR (temp_CS, iret_chk)
temp_oldCPL = CPL

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
    (!64BIT_MODE) && (temp_RIP > CS.limit))
    EXCEPTION [#GP(0)]

CPL = temp_CPL
SS = READ_DESCRIPTOR (temp_SS, ss_chk)

RIP = temp_RIP
RSP.s = temp_RSP + temp_IMM

IF (ShadowStacksEnabled(old CPL))
{
    IF (SSP[2:0] != 0)
        EXCEPTION [#CP(RET/IRET)] // SSP must be 8-byte aligned
    temp_sstk_CS = SSTK_READ_MEM.q [SSP + 16] // read CS from sstk
    temp_sstk_LIP = SSTK_READ_MEM.q [SSP + 8] // read LIP
    temp_SSP = SSTK_READ_MEM.q [SSP]           // read previous SSP
    SSP = SSP + 24
    IF (temp_CS != temp_sstk_CS)
        EXCEPTION [#CP(RET/IRET)] // CS mismatch
    IF ((CS.base + RIP) != temp_sstk_LIP)
        EXCEPTION [#CP(RET/IRET)] // LIP mismatch
    IF (temp_SSP[1:0] != 0)
        EXCEPTION [#CP(RET/IRET)] // prevSSP must be 4-byte aligned
    IF ((COMPATIBILITY_MODE) && (tmp_sstk_prevSSP[63:32] != 0))
        EXCEPTION [#GP(0)]       // prevSSP must be <4GB in compat mode
}
temp_oldSSP = SSP

```

```

IF (ShadowStacksEnabled(new CPL))
{
    IF ((ShadowStacksEnabled(CPL 3) && (old_CPL == 3))
        temp_SSP = PL3_SSP
    IF ((COMPATIBILITY_MODE) && (temp_SSP[63:32] != 0))
        EXCEPTION [#GP(0)] // SSP must be <4GB in compat mode
    SSP = temp_SSP
}

IF (ShadowStacksEnabled(old CPL))
{ // check shadow stack token and clear busy
    bool invalid_token = FALSE
    < start atomic section >
    temp_Token= SSTK_READ_MEM.q [temp_oldSSP] // read supervisor sstk token
    IF ((temp_Token AND 0x01) != 1)
        invalid_Token = TRUE // token busy bit must be 1
    IF ((temp_Token AND ~0x01) != temp_oldSSP)
        invalid_Token = TRUE // address in token must = old SSP
    IF (!invalid_Token)
        temp_Token = temp_Token AND ~0x01 // if valid clear token busy bit
    SSTK_WRITE_MEM.q [temp_oldSSP] = temp_Token // writeback token
    < end atomic section >
} // end shadow stacks enabled

FOR (seg = ES, DS, FS, GS)
    IF ((seg.sel == NULL) || ((seg.attr.dpl < CPL) &&
        ((seg.attr.type == 'data') ||
        (seg.attr.type == 'non-conforming-code'))))
        seg = NULL // can't use lower DPL data segment at higher CPL
        // also clears RPL of any null selectors

```

## Related Instructions

CALL (Near), CALL (Far), RET (Near)

## rFLAGS Affected

None

## Exceptions

| Exception                           | Real | Virtual 8086 | Protected | Cause of Exception                                                      |
|-------------------------------------|------|--------------|-----------|-------------------------------------------------------------------------|
| Segment not present, #NP (selector) |      |              | X         | The return code segment was marked not present.                         |
| Stack, #SS                          | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| Stack, #SS (selector)               |      |              | X         | The return stack segment was marked not present.                        |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                         |
|------------------------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP               | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.                                                                    |
| General protection,<br>#GP<br>(selector) |      |                 | X         | The return code selector was a null selector.                                                                                              |
|                                          |      |                 | X         | The return stack selector was a null selector and the return mode was non-64-bit mode or CPL was 3.                                        |
|                                          |      |                 | X         | The return code or stack descriptor exceeded the descriptor table limit.                                                                   |
|                                          |      |                 | X         | The return code or stack selector's TI bit was set but the LDT selector was a null selector.                                               |
|                                          |      |                 | X         | The segment descriptor for the return code was not a code segment.                                                                         |
|                                          |      |                 | X         | The RPL of the return code segment selector was less than the CPL.                                                                         |
|                                          |      |                 | X         | The return code segment was non-conforming and the segment selector's DPL was not equal to the RPL of the code segment's segment selector. |
|                                          |      |                 | X         | The segment descriptor for the return stack was not a writable data segment.                                                               |
|                                          |      |                 | X         | The stack segment descriptor DPL was not equal to the RPL of the return code segment selector.                                             |
|                                          |      |                 | X         | The stack segment selector RPL was not equal to the RPL of the return code segment selector.                                               |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                               |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned-memory reference was performed while alignment checking was enabled.                                                          |
| Control-protection,<br>#CP               |      |                 | X         | The return address on the program stack did not match the address on the shadow stack, or the previous SSP is not 4 byte aligned.          |

## ROL

## Rotate Left

Rotates the bits of a register or memory location (first operand) to the left (toward the more significant bit positions) by the number of bit positions in an unsigned immediate value or the CL register (second operand). The bits rotated out left are rotated back in at the right end (lsb) of the first operand location.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, it masks the upper two bits of the count, providing a count in the range of 0 to 63.

After completing the rotation, the instruction sets the CF flag to the last bit rotated out (the lsb of the result). For 1-bit rotates, the instruction sets the OF flag to the logical  $\text{xor}$  of the CF bit (after the rotate) and the most significant bit of the result. When the rotate count is greater than 1, the OF flag is undefined. When the rotate count is 0, no flags are affected.

| Mnemonic            | Opcode   | Description                                                                                               |
|---------------------|----------|-----------------------------------------------------------------------------------------------------------|
| ROL reg/mem8, 1     | D0 /0    | Rotate an 8-bit register or memory operand left 1 bit.                                                    |
| ROL reg/mem8, CL    | D2 /0    | Rotate an 8-bit register or memory operand left the number of bits specified in the CL register.          |
| ROL reg/mem8, imm8  | C0 /0 ib | Rotate an 8-bit register or memory operand left the number of bits specified by an 8-bit immediate value. |
| ROL reg/mem16, 1    | D1 /0    | Rotate a 16-bit register or memory operand left 1 bit.                                                    |
| ROL reg/mem16, CL   | D3 /0    | Rotate a 16-bit register or memory operand left the number of bits specified in the CL register.          |
| ROL reg/mem16, imm8 | C1 /0 ib | Rotate a 16-bit register or memory operand left the number of bits specified by an 8-bit immediate value. |
| ROL reg/mem32, 1    | D1 /0    | Rotate a 32-bit register or memory operand left 1 bit.                                                    |
| ROL reg/mem32, CL   | D3 /0    | Rotate a 32-bit register or memory operand left the number of bits specified in the CL register.          |
| ROL reg/mem32, imm8 | C1 /0 ib | Rotate a 32-bit register or memory operand left the number of bits specified by an 8-bit immediate value. |
| ROL reg/mem64, 1    | D1 /0    | Rotate a 64-bit register or memory operand left 1 bit.                                                    |
| ROL reg/mem64, CL   | D3 /0    | Rotate a 64-bit register or memory operand left the number of bits specified in the CL register.          |
| ROL reg/mem64, imm8 | C1 /0 ib | Rotate a 64-bit register or memory operand left the number of bits specified by an 8-bit immediate value. |

## Related Instructions

RCL, RCR, ROR

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**ROR****Rotate Right**

Rotates the bits of a register or memory location (first operand) to the right (toward the less significant bit positions) by the number of bit positions in an unsigned immediate value or the CL register (second operand). The bits rotated out right are rotated back in at the left end (the most significant bit) of the first operand location.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63.

After completing the rotation, the instruction sets the CF flag to the last bit rotated out (the most significant bit of the result). For 1-bit rotates, the instruction sets the OF flag to the logical `xor` of the two most significant bits of the result. When the rotate count is greater than 1, the OF flag is undefined. When the rotate count is 0, no flags are affected.

| Mnemonic                         | Opcode   | Description                                                                                                 |
|----------------------------------|----------|-------------------------------------------------------------------------------------------------------------|
| <code>ROR reg/mem8, 1</code>     | D0 /1    | Rotate an 8-bit register or memory location right 1 bit.                                                    |
| <code>ROR reg/mem8, CL</code>    | D2 /1    | Rotate an 8-bit register or memory location right the number of bits specified in the CL register.          |
| <code>ROR reg/mem8, imm8</code>  | C0 /1 ib | Rotate an 8-bit register or memory location right the number of bits specified by an 8-bit immediate value. |
| <code>ROR reg/mem16, 1</code>    | D1 /1    | Rotate a 16-bit register or memory location right 1 bit.                                                    |
| <code>ROR reg/mem16, CL</code>   | D3 /1    | Rotate a 16-bit register or memory location right the number of bits specified in the CL register.          |
| <code>ROR reg/mem16, imm8</code> | C1 /1 ib | Rotate a 16-bit register or memory location right the number of bits specified by an 8-bit immediate value. |
| <code>ROR reg/mem32, 1</code>    | D1 /1    | Rotate a 32-bit register or memory location right 1 bit.                                                    |
| <code>ROR reg/mem32, CL</code>   | D3 /1    | Rotate a 32-bit register or memory location right the number of bits specified in the CL register.          |
| <code>ROR reg/mem32, imm8</code> | C1 /1 ib | Rotate a 32-bit register or memory location right the number of bits specified by an 8-bit immediate value. |
| <code>ROR reg/mem64, 1</code>    | D1 /1    | Rotate a 64-bit register or memory location right 1 bit.                                                    |
| <code>ROR reg/mem64, CL</code>   | D3 /1    | Rotate a 64-bit register or memory operand right the number of bits specified in the CL register.           |
| <code>ROR reg/mem64, imm8</code> | C1 /1 ib | Rotate a 64-bit register or memory operand right the number of bits specified by an 8-bit immediate value.  |

**Related Instructions**

RCL, RCR, ROL

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    |    |    |    |    | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## RORX

## Rotate Right Extended

Rotates the bits of the source operand right (toward the least-significant bit) by the number of bit positions specified in an immediate operand and writes the result to the destination. Does not affect the arithmetic flags.

This instruction has three operands:

**RORX *dest, src, rot\_cnt***

On each right-shift, the bit shifted out of the least-significant bit position is copied to the most-significant bit. This instruction performs a non-destructive operation; that is, the contents of the source operand are unaffected by the operation, unless the destination and source are the same general-purpose register.

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general-purpose register and the source (*src*) is either a general-purpose register or a memory operand. The rotate count *rot\_cnt* is encoded in an immediate byte. When the operand size is 32, bits [7:5] of the immediate byte are ignored; when the operand size is 64, bits [7:6] of the immediate byte are ignored.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                    | Encoding |                            |             |          |
|-----------------------------|----------|----------------------------|-------------|----------|
|                             | VEX      | RXB.map_select             | W.vvvv.L.pp | Opcode   |
| RORX reg32, reg/mem32, imm8 | C4       | $\overline{\text{RXB}}.03$ | 0.1111.0.11 | F0 /r ib |
| RORX reg64, reg/mem64, imm8 | C4       | $\overline{\text{RXB}}.03$ | 1.1111.0.11 | F0 /r ib |

### Related Instructions

SARX, SHLX, SHRX

### rFLAGS Affected

None.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                         |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                              |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                         |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

## SAHF

## Store AH into Flags

Loads the SF, ZF, AF, PF, and CF flags of the EFLAGS register with values from the corresponding bits in the AH register (bits 7, 6, 4, 2, and 0, respectively). The instruction ignores bits 1, 3, and 5 of register AH; it sets those bits in the EFLAGS register to 1, 0, and 0, respectively.

The SAHF instruction is available in 64-bit mode if CPUID Fn8000\_0001\_ECX[LahfSahf] = 1. It is always available in the other operating modes (including compatibility mode)

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic | Opcode | Description                                                                                                                                                    |
|----------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SAHF     | 9E     | Loads the sign flag, the zero flag, the auxiliary flag, the parity flag, and the carry flag from the AH register into the lower 8 bits of the EFLAGS register. |

## Related Instructions

LAHF

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                         |
|------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD |      |                 | X         | The SAHF instruction is not supported in 64-bit mode, as indicated by CPUID Fn8000_0001_ECX[LahfSahf] = 0. |

**SAL  
SHL****Shift Left**

Shifts the bits of a register or memory location (first operand) to the left through the CF bit by the number of bit positions in an unsigned immediate value or the CL register (second operand). The instruction discards bits shifted out of the CF flag. For each bit shift, the SAL instruction clears the least-significant bit to 0. At the end of the shift operation, the CF flag contains the last bit shifted out of the first operand.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63.

The effect of this instruction is multiplication by powers of two.

For 1-bit shifts, the instruction sets the OF flag to the logical `xor` of the CF bit (after the shift) and the most significant bit of the result. When the shift count is greater than 1, the OF flag is undefined.

If the shift count is 0, no flags are modified.

SHL is an alias to the SAL instruction.

| Mnemonic            | Opcode   | Description                                                                                               |
|---------------------|----------|-----------------------------------------------------------------------------------------------------------|
| SAL reg/mem8, 1     | D0 /4    | Shift an 8-bit register or memory location left 1 bit.                                                    |
| SAL reg/mem8, CL    | D2 /4    | Shift an 8-bit register or memory location left the number of bits specified in the CL register.          |
| SAL reg/mem8, imm8  | C0 /4 ib | Shift an 8-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| SAL reg/mem16, 1    | D1 /4    | Shift a 16-bit register or memory location left 1 bit.                                                    |
| SAL reg/mem16, CL   | D3 /4    | Shift a 16-bit register or memory location left the number of bits specified in the CL register.          |
| SAL reg/mem16, imm8 | C1 /4 ib | Shift a 16-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| SAL reg/mem32, 1    | D1 /4    | Shift a 32-bit register or memory location left 1 bit.                                                    |
| SAL reg/mem32, CL   | D3 /4    | Shift a 32-bit register or memory location left the number of bits specified in the CL register.          |
| SAL reg/mem32, imm8 | C1 /4 ib | Shift a 32-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| SAL reg/mem64, 1    | D1 /4    | Shift a 64-bit register or memory location left 1 bit.                                                    |
| SAL reg/mem64, CL   | D3 /4    | Shift a 64-bit register or memory location left the number of bits specified in the CL register.          |
| SAL reg/mem64, imm8 | C1 /4 ib | Shift a 64-bit register or memory location left the number of bits specified by an 8-bit immediate value. |

| Mnemonic            | Opcode   | Description                                                                                               |
|---------------------|----------|-----------------------------------------------------------------------------------------------------------|
| SHL reg/mem8, 1     | D0 /4    | Shift an 8-bit register or memory location by 1 bit.                                                      |
| SHL reg/mem8, CL    | D2 /4    | Shift an 8-bit register or memory location left the number of bits specified in the CL register.          |
| SHL reg/mem8, imm8  | C0 /4 ib | Shift an 8-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| SHL reg/mem16, 1    | D1 /4    | Shift a 16-bit register or memory location left 1 bit.                                                    |
| SHL reg/mem16, CL   | D3 /4    | Shift a 16-bit register or memory location left the number of bits specified in the CL register.          |
| SHL reg/mem16, imm8 | C1 /4 ib | Shift a 16-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| SHL reg/mem32, 1    | D1 /4    | Shift a 32-bit register or memory location left 1 bit.                                                    |
| SHL reg/mem32, CL   | D3 /4    | Shift a 32-bit register or memory location left the number of bits specified in the CL register.          |
| SHL reg/mem32, imm8 | C1 /4 ib | Shift a 32-bit register or memory location left the number of bits specified by an 8-bit immediate value. |
| SHL reg/mem64, 1    | D1 /4    | Shift a 64-bit register or memory location left 1 bit.                                                    |
| SHL reg/mem64, CL   | D3 /4    | Shift a 64-bit register or memory location left the number of bits specified in the CL register.          |
| SHL reg/mem64, imm8 | C1 /4 ib | Shift a 64-bit register or memory location left the number of bits specified by an 8-bit immediate value. |

## Related Instructions

SAR, SHR, SHLD, SHRD

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | U  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 |      | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## SAR

## Shift Arithmetic Right

Shifts the bits of a register or memory location (first operand) to the right through the CF bit by the number of bit positions in an unsigned immediate value or the CL register (second operand). The instruction discards bits shifted out of the CF flag. At the end of the shift operation, the CF flag contains the last bit shifted out of the first operand.

The SAR instruction does not change the sign bit of the target operand. For each bit shift, it copies the sign bit to the next bit, preserving the sign of the result.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63.

For 1-bit shifts, the instruction clears the OF flag to 0. When the shift count is greater than 1, the OF flag is undefined.

If the shift count is 0, no flags are modified.

Although the SAR instruction effectively divides the operand by a power of 2, the behavior is different from the IDIV instruction. For example, shifting –11 (FFFFFFF5h) by two bits to the right (that is, divide –11 by 4), gives a result of FFFFFFFDh, or –3, whereas the IDIV instruction for dividing –11 by 4 gives a result of –2. This is because the IDIV instruction rounds off the quotient to zero, whereas the SAR instruction rounds off the remainder to zero for positive dividends and to negative infinity for negative dividends. So, for positive operands, SAR behaves like the corresponding IDIV instruction. For negative operands, it gives the same result if and only if all the shifted-out bits are zeroes; otherwise, the result is smaller by 1.

| Mnemonic            | Opcode   | Description                                                                                                      |
|---------------------|----------|------------------------------------------------------------------------------------------------------------------|
| SAR reg/mem8, 1     | D0 /7    | Shift a signed 8-bit register or memory operand right 1 bit.                                                     |
| SAR reg/mem8, CL    | D2 /7    | Shift a signed 8-bit register or memory operand right the number of bits specified in the CL register.           |
| SAR reg/mem8, imm8  | C0 /7 ib | Shift a signed 8-bit register or memory operand right the number of bits specified by an 8-bit immediate value.  |
| SAR reg/mem16, 1    | D1 /7    | Shift a signed 16-bit register or memory operand right 1 bit.                                                    |
| SAR reg/mem16, CL   | D3 /7    | Shift a signed 16-bit register or memory operand right the number of bits specified in the CL register.          |
| SAR reg/mem16, imm8 | C1 /7 ib | Shift a signed 16-bit register or memory operand right the number of bits specified by an 8-bit immediate value. |
| SAR reg/mem32, 1    | D1 /7    | Shift a signed 32-bit register or memory location 1 bit.                                                         |
| SAR reg/mem32, CL   | D3 /7    | Shift a signed 32-bit register or memory location right the number of bits specified in the CL register.         |

| Mnemonic            | Opcode   | Description                                                                                                       |
|---------------------|----------|-------------------------------------------------------------------------------------------------------------------|
| SAR reg/mem32, imm8 | C1 /7 ib | Shift a signed 32-bit register or memory location right the number of bits specified by an 8-bit immediate value. |
| SAR reg/mem64, 1    | D1 /7    | Shift a signed 64-bit register or memory location right 1 bit.                                                    |
| SAR reg/mem64, CL   | D3 /7    | Shift a signed 64-bit register or memory location right the number of bits specified in the CL register.          |
| SAR reg/mem64, imm8 | C1 /7 ib | Shift a signed 64-bit register or memory location right the number of bits specified by an 8-bit immediate value. |

## Related Instructions

SAL, SHL, SHR, SHLD, SHRD

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | U  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## SARX

## Shift Right Arithmetic Extended

Shifts the bits of the first source operand right (toward the least-significant bit) arithmetically by the number of bit positions specified in the second source operand and writes the result to the destination. Does not affect the arithmetic flags.

This instruction has three operands:

**SARX *dest, src, shft\_cnt***

On each right-shift, the most-significant bit (the sign bit) is replicated. This instruction performs a non-destructive operation; that is, the contents of the source operand are unaffected by the operation, unless the destination and source are the same general-purpose register.

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general-purpose register and the first source (*src*) is either a general-purpose register or a memory operand. The second source operand *shft\_cnt* is a general-purpose register. When the operand size is 32, bits [31:5] of *shft\_cnt* are ignored; when the operand size is 64, bits [63:6] of *shft\_cnt* are ignored.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                            |                                   |        |
|------------------------------|----------|----------------------------|-----------------------------------|--------|
|                              | VEX      | RXB.map_select             | W.vvvv.L.pp                       | Opcode |
| SARX reg32, reg/mem32, reg32 | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{src}}$ 2.0.10 | F7 /r  |
| SARX reg64, reg/mem64, reg64 | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{src}}$ 2.0.10 | F7 /r  |

### Related Instructions

RORX, SHLX, SHRX

### rFLAGS Affected

None.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                         |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                              |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                         |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

**SBB****Subtract with Borrow**

Subtracts an immediate value or the value in a register or a memory location (second operand) from a register or a memory location (first operand), and stores the result in the first operand location. If the carry flag (CF) is 1, the instruction subtracts 1 from the result. Otherwise, it operates like SUB.

The SBB instruction sign-extends immediate value operands to the length of the first operand size.

This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF flags to indicate a borrow in a signed or unsigned result, respectively. It sets the SF flag to indicate the sign of a signed result.

This instruction is useful for multibyte (multiword) numbers because it takes into account the borrow from a previous SUB instruction.

The forms of the SBB instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                    | Opcode          | Description                                                                                            |
|-----------------------------|-----------------|--------------------------------------------------------------------------------------------------------|
| SBB AL, <i>imm8</i>         | 1C <i>ib</i>    | Subtract an immediate 8-bit value from the AL register with borrow.                                    |
| SBB AX, <i>imm16</i>        | 1D <i>iw</i>    | Subtract an immediate 16-bit value from the AX register with borrow.                                   |
| SBB EAX, <i>imm32</i>       | 1D <i>id</i>    | Subtract an immediate 32-bit value from the EAX register with borrow.                                  |
| SBB RAX, <i>imm32</i>       | 1D <i>id</i>    | Subtract a sign-extended immediate 32-bit value from the RAX register with borrow.                     |
| SBB <i>reg/mem8, imm8</i>   | 80 /3 <i>ib</i> | Subtract an immediate 8-bit value from an 8-bit register or memory location with borrow.               |
| SBB <i>reg/mem16, imm16</i> | 81 /3 <i>iw</i> | Subtract an immediate 16-bit value from a 16-bit register or memory location with borrow.              |
| SBB <i>reg/mem32, imm32</i> | 81 /3 <i>id</i> | Subtract an immediate 32-bit value from a 32-bit register or memory location with borrow.              |
| SBB <i>reg/mem64, imm32</i> | 81 /3 <i>id</i> | Subtract a sign-extended immediate 32-bit value from a 64-bit register or memory location with borrow. |
| SBB <i>reg/mem16, imm8</i>  | 83 /3 <i>ib</i> | Subtract a sign-extended 8-bit immediate value from a 16-bit register or memory location with borrow.  |
| SBB <i>reg/mem32, imm8</i>  | 83 /3 <i>ib</i> | Subtract a sign-extended 8-bit immediate value from a 32-bit register or memory location with borrow.  |
| SBB <i>reg/mem64, imm8</i>  | 83 /3 <i>ib</i> | Subtract a sign-extended 8-bit immediate value from a 64-bit register or memory location with borrow.  |
| SBB <i>reg/mem8, reg8</i>   | 18 / <i>r</i>   | Subtract the contents of an 8-bit register from an 8-bit register or memory location with borrow.      |
| SBB <i>reg/mem16, reg16</i> | 19 / <i>r</i>   | Subtract the contents of a 16-bit register from a 16-bit register or memory location with borrow.      |

| Mnemonic             | Opcode | Description                                                                                                       |
|----------------------|--------|-------------------------------------------------------------------------------------------------------------------|
| SBB reg/mem32, reg32 | 19 /r  | Subtract the contents of a 32-bit register from a 32-bit register or memory location with borrow.                 |
| SBB reg/mem64, reg64 | 19 /r  | Subtract the contents of a 64-bit register from a 64-bit register or memory location with borrow.                 |
| SBB reg8, reg/mem8   | 1A /r  | Subtract the contents of an 8-bit register or memory location from the contents of an 8-bit register with borrow. |
| SBB reg16, reg/mem16 | 1B /r  | Subtract the contents of a 16-bit register or memory location from the contents of a 16-bit register with borrow. |
| SBB reg32, reg/mem32 | 1B /r  | Subtract the contents of a 32-bit register or memory location from the contents of a 32-bit register with borrow. |
| SBB reg64, reg/mem64 | 1B /r  | Subtract the contents of a 64-bit register or memory location from the contents of a 64-bit register with borrow. |

## Related Instructions

SUB, ADD, ADC

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS              | X    | X            | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X            | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |              | X         | The destination operand was in a non-writable segment.                            |
|                         |      |              | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X            | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X            | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**SCAS****Scan String****SCASB****SCASW****SCASD****SCASQ**

Compares the AL, AX, EAX, or RAX register with the byte, word, doubleword, or quadword pointed to by ES:rDI, sets the status flags in the rFLAGS register according to the results, and then increments or decrements the rDI register according to the state of the DF flag in the rFLAGS register.

If the DF flag is 0, the instruction increments the rDI register; otherwise, it decrements it. The instruction increments or decrements the rDI register by 1, 2, 4, or 8, depending on the size of the operands.

The forms of the SCASx instruction with an explicit operand address the operand at ES:rDI. The explicit operand serves only to specify the size of the values being compared.

The no-operands forms of the instruction use the ES:rDI registers to point to the value to be compared. The mnemonic determines the size of the operands and the specific register containing the other comparison value.

For block comparisons, the SCASx instructions support the REPE or REPZ prefixes (they are synonyms) and the REPNE or REPNZ prefixes (they are synonyms). For details about the REP prefixes, see “Repeat Prefixes” on page 12. A SCASx instruction can also operate inside a loop controlled by the LOOPcc instruction.

| Mnemonic          | Opcode | Description                                                                                                  |
|-------------------|--------|--------------------------------------------------------------------------------------------------------------|
| SCAS <i>mem8</i>  | AE     | Compare the contents of the AL register with the byte at ES:rDI, and then increment or decrement rDI.        |
| SCAS <i>mem16</i> | AF     | Compare the contents of the AX register with the word at ES:rDI, and then increment or decrement rDI.        |
| SCAS <i>mem32</i> | AF     | Compare the contents of the EAX register with the doubleword at ES:rDI, and then increment or decrement rDI. |
| SCAS <i>mem64</i> | AF     | Compare the contents of the RAX register with the quadword at ES:rDI, and then increment or decrement rDI.   |
| SCASB             | AE     | Compare the contents of the AL register with the byte at ES:rDI, and then increment or decrement rDI.        |
| SCASW             | AF     | Compare the contents of the AX register with the word at ES:rDI, and then increment or decrement rDI.        |

| Mnemonic | Opcode | Description                                                                                                  |
|----------|--------|--------------------------------------------------------------------------------------------------------------|
| SCASD    | AF     | Compare the contents of the EAX register with the doubleword at ES:rDI, and then increment or decrement rDI. |
| SCASQ    | AF     | Compare the contents of the RAX register with the quadword at ES:rDI, and then increment or decrement rDI.   |

## Related Instructions

CMP, CMPS<sub>x</sub>

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| General protection,<br>#GP |      |                 | X         | A null ES segment was used to reference memory.                                   |
|                            | X    | X               | X         | A memory address exceeded the ES segment limit or was non-canonical.              |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## SETcc

## Set Byte on Condition

Checks the status flags in the rFLAGS register and, if the flags meet the condition specified in the mnemonic (*cc*), sets the value in the specified 8-bit memory location or register to 1. If the flags do not meet the specified condition, SET*cc* clears the memory location or register to 0.

Mnemonics with the A (above) and B (below) tags are intended for use when performing unsigned integer comparisons; those with G (greater) and L (less) tags are intended for use with signed integer comparisons.

Software typically uses the SET*cc* instructions to set logical indicators. Like the CMOV*cc* instructions (page 158), the SET*cc* instructions can replace two instructions—a conditional jump and a move. Replacing conditional jumps with conditional sets can help avoid branch-prediction penalties that may result from conditional jumps.

If the logical value “true” (logical one) is represented in a high-level language as an integer with all bits set to 1, software can accomplish such representation by first executing the opposite SET*cc* instruction—for example, the opposite of SETZ is SETNZ—and then decrementing the result.

A ModR/M byte is used to identify the operand. The *reg* field in the ModR/M byte is unused.

| Mnemonic               | Opcode   | Description                                         |
|------------------------|----------|-----------------------------------------------------|
| SETO <i>reg/mem8</i>   | 0F 90 /0 | Set byte if overflow (OF = 1).                      |
| SETNO <i>reg/mem8</i>  | 0F 91 /0 | Set byte if not overflow (OF = 0).                  |
| SETB <i>reg/mem8</i>   | 0F 92 /0 | Set byte if below (CF = 1).                         |
| SETC <i>reg/mem8</i>   |          | Set byte if carry (CF = 1).                         |
| SETNAE <i>reg/mem8</i> |          | Set byte if not above or equal (CF = 1).            |
| SETNB <i>reg/mem8</i>  | 0F 93 /0 | Set byte if not below (CF = 0).                     |
| SETNC <i>reg/mem8</i>  |          | Set byte if not carry (CF = 0).                     |
| SETAE <i>reg/mem8</i>  |          | Set byte if above or equal (CF = 0).                |
| SETZ <i>reg/mem8</i>   | 0F 94 /0 | Set byte if zero (ZF = 1).                          |
| SETE <i>reg/mem8</i>   |          | Set byte if equal (ZF = 1).                         |
| SETNZ <i>reg/mem8</i>  | 0F 95 /0 | Set byte if not zero (ZF = 0).                      |
| SETNE <i>reg/mem8</i>  |          | Set byte if not equal (ZF = 0).                     |
| SETBE <i>reg/mem8</i>  | 0F 96 /0 | Set byte if below or equal (CF = 1 or ZF = 1).      |
| SETNA <i>reg/mem8</i>  |          | Set byte if not above (CF = 1 or ZF = 1).           |
| SETNBE <i>reg/mem8</i> | 0F 97 /0 | Set byte if not below or equal (CF = 0 and ZF = 0). |
| SETA <i>reg/mem8</i>   |          | Set byte if above (CF = 0 and ZF = 0).              |
| SETS <i>reg/mem8</i>   | 0F 98 /0 | Set byte if sign (SF = 1).                          |
| SETNS <i>reg/mem8</i>  | 0F 99 /0 | Set byte if not sign (SF = 0).                      |
| SETP <i>reg/mem8</i>   | 0F 9A /0 | Set byte if parity (PF = 1).                        |
| SETPE <i>reg/mem8</i>  |          | Set byte if parity even (PF = 1).                   |
| SETNP <i>reg/mem8</i>  | 0F 9B /0 | Set byte if not parity (PF = 0).                    |
| SETPO <i>reg/mem8</i>  |          | Set byte if parity odd (PF = 0).                    |

| Mnemonic               | Opcode   | Description                                         |
|------------------------|----------|-----------------------------------------------------|
| SETL <i>reg/mem8</i>   | 0F 9C /0 | Set byte if less (SF <> OF).                        |
| SETNGE <i>reg/mem8</i> |          | Set byte if not greater or equal (SF <= OF).        |
| SETNL <i>reg/mem8</i>  | 0F 9D /0 | Set byte if not less (SF = OF).                     |
| SETGE <i>reg/mem8</i>  |          | Set byte if greater or equal (SF = OF).             |
| SETLE <i>reg/mem8</i>  | 0F 9E /0 | Set byte if less or equal (ZF = 1 or SF <= OF).     |
| SETNG <i>reg/mem8</i>  |          | Set byte if not greater (ZF = 1 or SF <= OF).       |
| SETNLE <i>reg/mem8</i> | 0F 9F /0 | Set byte if not less or equal (ZF = 0 and SF = OF). |
| SETG <i>reg/mem8</i>   |          | Set byte if greater (ZF = 0 and SF = OF).           |

## Related Instructions

None

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                  |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.            |

## SFENCE

## Store Fence

Acts as a barrier to force strong memory ordering (serialization) between store instructions preceding the SFENCE and store instructions that follow the SFENCE. Stores to differing memory types, or within the WC memory type, may become visible out of program order; the SFENCE instruction ensures that the system completes all previous stores in such a way that they are globally visible before executing subsequent stores. This includes emptying the store buffer and all write-combining buffers.

The SFENCE instruction is weakly-ordered with respect to load instructions, data and instruction prefetches, and the LFENCE instruction. Speculative loads initiated by the processor, or specified explicitly using cache-prefetch instructions, can be reordered around an SFENCE.

In addition to store instructions, SFENCE is strongly ordered with respect to other SFENCE instructions, MFENCE instructions, and serializing instructions. Further details on the use of MFENCE to order accesses among differing memory types may be found in APM Volume 2, section 7.4 “Memory Types” on page 12.

The SFENCE instruction is an SSE1 instruction. Support for SSE1 instructions is indicated by CPUID Fn0000\_0001\_EDX[SSE] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic | Opcode   | Description                                             |
|----------|----------|---------------------------------------------------------|
| SFENCE   | 0F AE F8 | Force strong ordering of (serialized) store operations. |

### Related Instructions

LFENCE, MFENCE, MCOMMIT

### rFLAGS Affected

None

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                                 |
|------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid Opcode,<br>#UD | X    | X               | X         | The SSE instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[25]=0; and the AMD extensions to MMX are not supported, as indicated by CPUID Fn8000_0001_EDX[22]=0. |

**SHL****Shift Left**

This instruction is synonymous with the SAL instruction. For information, see “SAL SHL” on page 325.

## SHLD

## Shift Left Double

Shifts the bits of a register or memory location (first operand) to the left by the number of bit positions in an unsigned immediate value or the CL register (third operand), and shifts in a bit pattern (second operand) from the right. At the end of the shift operation, the CF flag contains the last bit shifted out of the first operand.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63. If the masked count is greater than the operand size, the result in the destination register is undefined.

If the shift count is 0, no flags are modified.

If the count is 1 and the sign of the operand being shifted changes, the instruction sets the OF flag to 1. If the count is greater than 1, OF is undefined.

| Mnemonic                           | Opcode      | Description                                                                                                                                                                         |
|------------------------------------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SHLD <i>reg/mem16, reg16, imm8</i> | 0F A4 /r ib | Shift bits of a 16-bit destination register or memory operand to the left the number of bits specified in an 8-bit immediate value, while shifting in bits from the second operand. |
| SHLD <i>reg/mem16, reg16, CL</i>   | 0F A5 /r    | Shift bits of a 16-bit destination register or memory operand to the left the number of bits specified in the CL register, while shifting in bits from the second operand.          |
| SHLD <i>reg/mem32, reg32, imm8</i> | 0F A4 /r ib | Shift bits of a 32-bit destination register or memory operand to the left the number of bits specified in an 8-bit immediate value, while shifting in bits from the second operand. |
| SHLD <i>reg/mem32, reg32, CL</i>   | 0F A5 /r    | Shift bits of a 32-bit destination register or memory operand to the left the number of bits specified in the CL register, while shifting in bits from the second operand.          |
| SHLD <i>reg/mem64, reg64, imm8</i> | 0F A4 /r ib | Shift bits of a 64-bit destination register or memory operand to the left the number of bits specified in an 8-bit immediate value, while shifting in bits from the second operand. |
| SHLD <i>reg/mem64, reg64, CL</i>   | 0F A5 /r    | Shift bits of a 64-bit destination register or memory operand to the left the number of bits specified in the CL register, while shifting in bits from the second operand.          |

## Related Instructions

SHRD, SAL, SAR, SHR, SHL

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | U  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## SHLX

## Shift Left Logical Extended

Shifts the bits of the first source operand left (toward the most-significant bit) by the number of bit positions specified in the second source operand and writes the result to the destination. Does not affect the arithmetic flags.

This instruction has three operands:

**SHLX *dest, src, shft\_cnt***

On each left-shift, a zero is shifted into the least-significant bit position. This instruction performs a non-destructive operation; that is, the contents of the source operand are unaffected by the operation, unless the destination and source are the same general-purpose register.

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general-purpose register and the first source (*src*) is either a general-purpose register or a memory operand. The second source operand *shft\_cnt* is a general-purpose register. When the operand size is 32, bits [31:5] of *shft\_cnt* are ignored; when the operand size is 64, bits [63:6] of *shft\_cnt* are ignored.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                            | Encoding |                            |                                   |        |
|-------------------------------------|----------|----------------------------|-----------------------------------|--------|
|                                     | VEX      | RXB.map_select             | W.vvvv.L.pp                       | Opcode |
| SHLX <i>reg32, reg/mem32, reg32</i> | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{src}}$ 2.0.01 | F7 /r  |
| SHLX <i>reg64, reg/mem64, reg64</i> | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{src}}$ 2.0.01 | F7 /r  |

### Related Instructions

RORX, SARX, SHRX

### rFLAGS Affected

None.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                         |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                              |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                         |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

**SHR****Shift Right**

Shifts the bits of a register or memory location (first operand) to the right through the CF bit by the number of bit positions in an unsigned immediate value or the CL register (second operand). The instruction discards bits shifted out of the CF flag. At the end of the shift operation, the CF flag contains the last bit shifted out of the first operand.

For each bit shift, the instruction clears the most-significant bit to 0.

The effect of this instruction is unsigned division by powers of two.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63.

For 1-bit shifts, the instruction sets the OF flag to the most-significant bit of the original value. If the count is greater than 1, the OF flag is undefined.

If the shift count is 0, no flags are modified.

| Mnemonic            | Opcode   | Description                                                                                               |
|---------------------|----------|-----------------------------------------------------------------------------------------------------------|
| SHR reg/mem8, 1     | D0 /5    | Shift an 8-bit register or memory operand right 1 bit.                                                    |
| SHR reg/mem8, CL    | D2 /5    | Shift an 8-bit register or memory operand right the number of bits specified in the CL register.          |
| SHR reg/mem8, imm8  | C0 /5 ib | Shift an 8-bit register or memory operand right the number of bits specified by an 8-bit immediate value. |
| SHR reg/mem16, 1    | D1 /5    | Shift a 16-bit register or memory operand right 1 bit.                                                    |
| SHR reg/mem16, CL   | D3 /5    | Shift a 16-bit register or memory operand right the number of bits specified in the CL register.          |
| SHR reg/mem16, imm8 | C1 /5 ib | Shift a 16-bit register or memory operand right the number of bits specified by an 8-bit immediate value. |
| SHR reg/mem32, 1    | D1 /5    | Shift a 32-bit register or memory operand right 1 bit.                                                    |
| SHR reg/mem32, CL   | D3 /5    | Shift a 32-bit register or memory operand right the number of bits specified in the CL register.          |
| SHR reg/mem32, imm8 | C1 /5 ib | Shift a 32-bit register or memory operand right the number of bits specified by an 8-bit immediate value. |
| SHR reg/mem64, 1    | D1 /5    | Shift a 64-bit register or memory operand right 1 bit.                                                    |
| SHR reg/mem64, CL   | D3 /5    | Shift a 64-bit register or memory operand right the number of bits specified in the CL register.          |
| SHR reg/mem64, imm8 | C1 /5 ib | Shift a 64-bit register or memory operand right the number of bits specified by an 8-bit immediate value. |

## Related Instructions

SHL, SAL, SAR, SHLD, SHRD

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | U  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## SHRD

## Shift Right Double

Shifts the bits of a register or memory location (first operand) to the right by the number of bit positions in an unsigned immediate value or the CL register (third operand), and shifts in a bit pattern (second operand) from the left. At the end of the shift operation, the CF flag contains the last bit shifted out of the first operand.

The processor masks the upper three bits of the count operand, thus restricting the count to a number between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the count, providing a count in the range of 0 to 63. If the masked count is greater than the operand size, the result in the destination register is undefined.

If the shift count is 0, no flags are modified.

If the count is 1 and the sign of the value being shifted changes, the instruction sets the OF flag to 1. If the count is greater than 1, the OF flag is undefined.

| Mnemonic                           | Opcode      | Description                                                                                                                                                                          |
|------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SHRD <i>reg/mem16, reg16, imm8</i> | 0F AC /r ib | Shift bits of a 16-bit destination register or memory operand to the right the number of bits specified in an 8-bit immediate value, while shifting in bits from the second operand. |
| SHRD <i>reg/mem16, reg16, CL</i>   | 0F AD /r    | Shift bits of a 16-bit destination register or memory operand to the right the number of bits specified in the CL register, while shifting in bits from the second operand.          |
| SHRD <i>reg/mem32, reg32, imm8</i> | 0F AC /r ib | Shift bits of a 32-bit destination register or memory operand to the right the number of bits specified in an 8-bit immediate value, while shifting in bits from the second operand. |
| SHRD <i>reg/mem32, reg32, CL</i>   | 0F AD /r    | Shift bits of a 32-bit destination register or memory operand to the right the number of bits specified in the CL register, while shifting in bits from the second operand.          |
| SHRD <i>reg/mem64, reg64, imm8</i> | 0F AC /r ib | Shift bits of a 64-bit destination register or memory operand to the right the number of bits specified in an 8-bit immediate value, while shifting in bits from the second operand. |
| SHRD <i>reg/mem64, reg64, CL</i>   | 0F AD /r    | Shift bits of a 64-bit destination register or memory operand to the right the number of bits specified in the CL register, while shifting in bits from the second operand.          |

## Related Instructions

SHLD, SHR, SHL, SAR, SAL

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | U  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## SHRX

## Shift Right Logical Extended

Shifts the bits of the first source operand right (toward the least-significant bit) by the number of bit positions specified in the second source operand and writes the result to the destination. Does not affect the arithmetic flags.

This instruction has three operands:

**SHRX *dest, src, shft\_cnt***

On each right-shift, a zero is shifted into the most-significant bit position. This instruction performs a non-destructive operation; that is, the contents of the source operand are unaffected by the operation, unless the destination and source are the same general-purpose register.

In 64-bit mode, the operand size is determined by the value of VEX.W. If VEX.W is 1, the operand size is 64 bits; if VEX.W is 0, the operand size is 32 bits. In 32-bit mode, VEX.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general-purpose register and the first source (*src*) is either a general-purpose register or a memory operand. The second source operand *shft\_cnt* is a general-purpose register. When the operand size is 32, bits [31:5] of *shft\_cnt* are ignored; when the operand size is 64, bits [63:6] of *shft\_cnt* are ignored.

This instruction is a BMI2 instruction. Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI2] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                     | Encoding |                            |                                   |        |
|------------------------------|----------|----------------------------|-----------------------------------|--------|
|                              | VEX      | RXB.map_select             | W.vvvv.L.pp                       | Opcode |
| SHRX reg32, reg/mem32, reg32 | C4       | $\overline{\text{RXB}}.02$ | 0. $\overline{\text{src2}}$ .0.11 | F7 /r  |
| SHRX reg64, reg/mem64, reg64 | C4       | $\overline{\text{RXB}}.02$ | 1. $\overline{\text{src2}}$ .0.11 | F7 /r  |

### Related Instructions

RORX, SARX, SHLX

### rFLAGS Affected

None.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|-------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | BMI2 instructions are only recognized in protected mode.                                 |
|                         |      |                 | X         | BMI2 instructions are not supported, as indicated by CPUID Fn0000_0007_EBX_x0[BMI2] = 0. |
|                         |      |                 | X         | VEX.L is 1.                                                                              |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                  |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                     |
|                         |      |                 | X         | A null data segment was used to reference memory.                                        |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                             |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.        |

**SLWPCB****Store Lightweight Profiling Control Block Address**

Flushes Lightweight Profiling (LWP) state to memory and returns the current effective address of the Lightweight Profiling Control Block (LWPCB) in the specified register. The LWPCB address returned is truncated to 32 bits if the operand size is 32.

If LWP is not currently enabled, SLWPCB sets the specified register to zero.

The flush operation stores the internal event counters for active events and the current ring buffer head pointer into the LWPCB. If there is an unwritten event record pending, it is written to the event ring buffer.

The LWP\_CBAADDR MSR holds the linear address of the current LWPCB. If the contents of LWP\_CBAADDR is not zero, the value returned in the specified register is an effective address that is calculated by subtracting the current DS.Base address from the linear address kept in LWP\_CBAADDR. Note that if DS has changed between the time LLWPCB was executed and the time SLWPCB is executed, this might result in an address that is not currently accessible by the application.

SLWPCB generates an invalid opcode exception (#UD) if the machine is not in protected mode or if LWP is not available.

It is possible to execute SLWPCB when the CPL != 3 or when SMM is active, but if the LWPCB pointer is not zero, system software must ensure that the LWPCB and the entire ring buffer are properly mapped into writable memory in order to avoid a #PF fault. Using SLWPCB in these situations is not recommended.

See the discussion of lightweight profiling in APM Volume 2, Chapter 13 for more information on the use of the LLWPCB, SLWPCB, LWPINS, and LWPVAL instructions.

The SLWPCB instruction is implemented if LWP is supported on a processor. Support for LWP is indicated by CPUID Fn8000\_0001\_ECX[LWP] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

**Instruction Encoding**

| Mnemonic     | Encoding |                |             |        |
|--------------|----------|----------------|-------------|--------|
|              | XOP      | RXB.map_select | W.vvvv.L.pp | Opcode |
| SLWPCB reg32 | 8F       | <u>RXB</u> .09 | 0.1111.0.00 | 12 /1  |
| SLWPCB reg64 | 8F       | <u>RXB</u> .09 | 1.1111.0.00 | 12 /1  |

ModRM.reg augments the opcode and is assigned the value 001b. ModRM.r/m (augmented by XOP.R) specifies the register in which to put the LWPCB address. ModRM.mod must be 11b.

## Related Instructions

LLWPCB, LWPINS, LWPVAL

## rFLAGS Affected

None

## Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | The SLWPCB instruction is not supported, as indicated by CPUID Fn8000_0001_ECX[LWP] = 0. |
|                        | X    | X               |           | The system is not in protected mode.                                                     |
|                        |      |                 | X         | LWP is not available, or mod != 11b, or vvvv != 1111b.                                   |
| Page fault, #PF        |      |                 | X         | A page fault resulted from reading or writing the LWPCB.                                 |
|                        |      |                 | X         | A page fault resulted from flushing an event to the ring buffer.                         |

**STC****Set Carry Flag**

Sets the carry flag (CF) in the rFLAGS register to one.

| Mnemonic | Opcode | Description                     |
|----------|--------|---------------------------------|
| STC      | F9     | Set the carry flag (CF) to one. |

**Related Instructions**

CLC, CMC

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    |    |    | 1  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

None

**STD****Set Direction Flag**

Set the direction flag (DF) in the rFLAGS register to 1. If the DF flag is 0, each iteration of a string instruction increments the data pointer (index registers rSI or rDI). If the DF flag is 1, the string instruction decrements the pointer. Use the CLD instruction before a string instruction to make the data pointer increment.

| Mnemonic | Opcode | Description                         |
|----------|--------|-------------------------------------|
| STD      | FD     | Set the direction flag (DF) to one. |

**Related Instructions**

CLD, INSx, LODSx, MOVSx, OUTSx, SCASx, STOSx, CMPSx

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    | 1  |    |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

None

**STOS****STOSB****STOSW****STOSD****STOSQ****Store String**

Copies a byte, word, doubleword, or quadword from the AL, AX, EAX, or RAX registers to the memory location pointed to by ES:rDI and increments or decrements the rDI register according to the state of the DF flag in the rFLAGS register.

If the DF flag is 0, the instruction increments the pointer; otherwise, it decrements the pointer. It increments or decrements the pointer by 1, 2, 4, or 8, depending on the size of the value being copied.

The forms of the STOSx instruction with an explicit operand use the operand only to specify the type (size) of the value being copied.

The no-operands forms specify the type (size) of the value being copied with the mnemonic.

The STOSx instructions support the REP prefixes. For details about the REP prefixes, see “Repeat Prefixes” on page 12. The STOSx instructions can also operate inside a LOOPcc instruction.

| Mnemonic          | Opcode | Description                                                                            |
|-------------------|--------|----------------------------------------------------------------------------------------|
| STOS <i>mem8</i>  | AA     | Store the contents of the AL register to ES:rDI, and then increment or decrement rDI.  |
| STOS <i>mem16</i> | AB     | Store the contents of the AX register to ES:rDI, and then increment or decrement rDI.  |
| STOS <i>mem32</i> | AB     | Store the contents of the EAX register to ES:rDI, and then increment or decrement rDI. |
| STOS <i>mem64</i> | AB     | Store the contents of the RAX register to ES:rDI, and then increment or decrement rDI. |
| STOSB             | AA     | Store the contents of the AL register to ES:rDI, and then increment or decrement rDI.  |
| STOSW             | AB     | Store the contents of the AX register to ES:rDI, and then increment or decrement rDI.  |
| STOSD             | AB     | Store the contents of the EAX register to ES:rDI, and then increment or decrement rDI. |
| STOSQ             | AB     | Store the contents of the RAX register to ES:rDI, and then increment or decrement rDI. |

**Related Instructions**

LODSx, MOVSx

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded the ES segment limit or was non-canonical.              |
|                            |      |                 | X         | The ES segment was a non-writable segment.                                        |
|                            |      |                 | X         | A null ES segment was used to reference memory.                                   |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**SUB****Subtract**

Subtracts an immediate value or the value in a register or memory location (second operand) from a register or a memory location (first operand) and stores the result in the first operand location. An immediate value is sign-extended to the length of the first operand.

This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF flags to indicate a borrow in a signed or unsigned result, respectively. It sets the SF flag to indicate the sign of a signed result.

The forms of the SUB instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic                    | Opcode          | Description                                                                                            |
|-----------------------------|-----------------|--------------------------------------------------------------------------------------------------------|
| SUB AL, <i>imm8</i>         | 2C <i>ib</i>    | Subtract an immediate 8-bit value from the AL register and store the result in AL.                     |
| SUB AX, <i>imm16</i>        | 2D <i>iw</i>    | Subtract an immediate 16-bit value from the AX register and store the result in AX.                    |
| SUB EAX, <i>imm32</i>       | 2D <i>id</i>    | Subtract an immediate 32-bit value from the EAX register and store the result in EAX.                  |
| SUB RAX, <i>imm32</i>       | 2D <i>id</i>    | Subtract a sign-extended immediate 32-bit value from the RAX register and store the result in RAX.     |
| SUB <i>reg/mem8, imm8</i>   | 80 /5 <i>ib</i> | Subtract an immediate 8-bit value from an 8-bit destination register or memory location.               |
| SUB <i>reg/mem16, imm16</i> | 81 /5 <i>iw</i> | Subtract an immediate 16-bit value from a 16-bit destination register or memory location.              |
| SUB <i>reg/mem32, imm32</i> | 81 /5 <i>id</i> | Subtract an immediate 32-bit value from a 32-bit destination register or memory location.              |
| SUB <i>reg/mem64, imm32</i> | 81 /5 <i>id</i> | Subtract a sign-extended immediate 32-bit value from a 64-bit destination register or memory location. |
| SUB <i>reg/mem16, imm8</i>  | 83 /5 <i>ib</i> | Subtract a sign-extended immediate 8-bit value from a 16-bit register or memory location.              |
| SUB <i>reg/mem32, imm8</i>  | 83 /5 <i>ib</i> | Subtract a sign-extended immediate 8-bit value from a 32-bit register or memory location.              |
| SUB <i>reg/mem64, imm8</i>  | 83 /5 <i>ib</i> | Subtract a sign-extended immediate 8-bit value from a 64-bit register or memory location.              |
| SUB <i>reg/mem8, reg8</i>   | 28 / <i>r</i>   | Subtract the contents of an 8-bit register from an 8-bit destination register or memory location.      |
| SUB <i>reg/mem16, reg16</i> | 29 / <i>r</i>   | Subtract the contents of a 16-bit register from a 16-bit destination register or memory location.      |
| SUB <i>reg/mem32, reg32</i> | 29 / <i>r</i>   | Subtract the contents of a 32-bit register from a 32-bit destination register or memory location.      |
| SUB <i>reg/mem64, reg64</i> | 29 / <i>r</i>   | Subtract the contents of a 64-bit register from a 64-bit destination register or memory location.      |

| Mnemonic             | Opcode | Description                                                                                      |
|----------------------|--------|--------------------------------------------------------------------------------------------------|
| SUB reg8, reg/mem8   | 2A /r  | Subtract the contents of an 8-bit register or memory operand from an 8-bit destination register. |
| SUB reg16, reg/mem16 | 2B /r  | Subtract the contents of a 16-bit register or memory operand from a 16-bit destination register. |
| SUB reg32, reg/mem32 | 2B /r  | Subtract the contents of a 32-bit register or memory operand from a 32-bit destination register. |
| SUB reg64, reg/mem64 | 2B /r  | Subtract the contents of a 64-bit register or memory operand from a 64-bit destination register. |

## Related Instructions

ADC, ADD, SBB

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## T1MSKC

## Inverse Mask From Trailing Ones

Finds the least significant zero bit in the source operand, clears all bits below that bit to 0, sets all other bits to 1 (including the found bit) and writes the result to the destination. If the least significant bit of the source operand is 0, the destination is written with all ones.

This instruction has two operands:

**T1MSKC** *dest, src*

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The T1MSKC instruction effectively performs a bit-wise logical **or** of the inverse of the source operand and the result of incrementing the source operand by 1 and stores the result to the destination register:

```
add tmp1, src, 1
not tmp2, src
or dest, tmp1, tmp2
```

The value of the carry flag of rFLAGS is generated by the add pseudo-instruction and the remaining arithmetic flags are generated by the **or** pseudo-instruction.

The T1MSKC instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic                       | Encoding |                            |                                 |        |
|--------------------------------|----------|----------------------------|---------------------------------|--------|
|                                | XOP      | RXB.map_select             | W.vvvv.L.pp                     | Opcode |
| T1MSKC <i>reg32, reg/mem32</i> | 8F       | $\overline{\text{RXB}}.09$ | 0. $\overline{\text{dest}}$ .00 | 01 /7  |
| T1MSKC <i>reg64, reg/mem64</i> | 8F       | $\overline{\text{RXB}}.09$ | 1. $\overline{\text{dest}}$ .00 | 01 /7  |

### Related Instructions

ANDN, BEXTR, BLCFILL, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, TZMSK, TZCNT

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL |    | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|------|----|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |      |    | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13   | 12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

## TEST

## Test Bits

Performs a bit-wise logical and on the value in a register or memory location (first operand) with an immediate value or the value in a register (second operand) and sets the flags in the rFLAGS register based on the result.

This instruction has two operands:

**TEST *dest, src***

While the AND instruction changes the contents of the destination and the flag bits, the TEST instruction changes only the flag bits.

| Mnemonic                     | Opcode          | Description                                                                                                                               |
|------------------------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------|
| TEST AL, <i>imm8</i>         | A8 <i>ib</i>    | and an immediate 8-bit value with the contents of the AL register and set rFLAGS to reflect the result.                                   |
| TEST AX, <i>imm16</i>        | A9 <i>iw</i>    | and an immediate 16-bit value with the contents of the AX register and set rFLAGS to reflect the result.                                  |
| TEST EAX, <i>imm32</i>       | A9 <i>id</i>    | and an immediate 32-bit value with the contents of the EAX register and set rFLAGS to reflect the result.                                 |
| TEST RAX, <i>imm32</i>       | A9 <i>id</i>    | and a sign-extended immediate 32-bit value with the contents of the RAX register and set rFLAGS to reflect the result.                    |
| TEST <i>reg/mem8, imm8</i>   | F6 /0 <i>ib</i> | and an immediate 8-bit value with the contents of an 8-bit register or memory operand and set rFLAGS to reflect the result.               |
| TEST <i>reg/mem16, imm16</i> | F7 /0 <i>iw</i> | and an immediate 16-bit value with the contents of a 16-bit register or memory operand and set rFLAGS to reflect the result.              |
| TEST <i>reg/mem32, imm32</i> | F7 /0 <i>id</i> | and an immediate 32-bit value with the contents of a 32-bit register or memory operand and set rFLAGS to reflect the result.              |
| TEST <i>reg/mem64, imm32</i> | F7 /0 <i>id</i> | and a sign-extended immediate 32-bit value with the contents of a 64-bit register or memory operand and set rFLAGS to reflect the result. |
| TEST <i>reg/mem8, reg8</i>   | 84 /r           | and the contents of an 8-bit register with the contents of an 8-bit register or memory operand and set rFLAGS to reflect the result.      |
| TEST <i>reg/mem16, reg16</i> | 85 /r           | and the contents of a 16-bit register with the contents of a 16-bit register or memory operand and set rFLAGS to reflect the result.      |
| TEST <i>reg/mem32, reg32</i> | 85 /r           | and the contents of a 32-bit register with the contents of a 32-bit register or memory operand and set rFLAGS to reflect the result.      |
| TEST <i>reg/mem64, reg64</i> | 85 /r           | and the contents of a 64-bit register with the contents of a 64-bit register or memory operand and set rFLAGS to reflect the result.      |

## Related Instructions

AND, CMP

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | M  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**TZCNT****Count Trailing Zeros**

Counts the number of trailing zero bits in the 16-, 32-, or 64-bit general purpose register or memory source operand. Counting starts upward from the least significant bit and stops when the lowest bit having a value of 1 is encountered or when the most significant bit is encountered. The count is written to the destination register.

If the input operand is zero, CF is set to 1 and the size (in bits) of the input operand is written to the destination register. Otherwise, CF is cleared.

If the least significant bit is a one, the ZF flag is set to 1 and zero is written to the destination register. Otherwise, ZF is cleared.

TZCNT is a BMI instruction. Support for BMI instructions is indicated by CPUID Fn0000\_0007\_EBX\_x0[BMI] = 1. If the TZCNT instruction is not available, the encoding is treated as the BSF instruction. Software *must* check the CPUID bit once per program or library initialization before using the TZCNT instruction or inconsistent behavior may result.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic               | Opcode      | Description                                      |
|------------------------|-------------|--------------------------------------------------|
| TZCNT reg16, reg/mem16 | F3 0F BC /r | Count the number of trailing zeros in reg/mem16. |
| TZCNT reg32, reg/mem32 | F3 0F BC /r | Count the number of trailing zeros in reg/mem32. |
| TZCNT reg64, reg/mem64 | F3 0F BC /r | Count the number of trailing zeros in reg/mem64. |

**Related Instructions**

ANDN, BEXTR, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZMSK

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | U  |    |    |    | U  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

*Note:* Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Mode |                 |           | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
|                         | Real | Virtual<br>8086 | Protected |                                                                                   |
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## TZMSK

## Mask From Trailing Zeros

Finds the least significant one bit in the source operand, sets all bits below that bit to 1, clears all other bits to 0 (including the found bit) and writes the result to the destination. If the least significant bit of the source operand is 1, the destination is written with all zeros.

This instruction has two operands:

**TZMSK *dest*, *src***

In 64-bit mode, the operand size is determined by the value of XOP.W. If XOP.W is 1, the operand size is 64-bit; if XOP.W is 0, the operand size is 32-bit. In 32-bit mode, XOP.W is ignored. 16-bit operands are not supported.

The destination (*dest*) is a general purpose register.

The source operand (*src*) is a general purpose register or a memory operand.

The TZMSK instruction effectively performs a bit-wise logical and of the negation of the source operand and the result of subtracting 1 from the source operand, and stores the result to the destination register:

```
sub tmp1, src, 1
not tmp2, src
and dest, tmp1, tmp2
```

The value of the carry flag of rFLAGS is generated by the sub pseudo-instruction and the remaining arithmetic flags are generated by the and pseudo-instruction.

The TZMSK instruction is a TBM instruction. Support for this instruction is indicated by CPUID Fn8000\_0001\_ECX[TBM] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

|                               | <b>Mnemonic</b> | <b>Encoding</b> |                            |                                   |               |
|-------------------------------|-----------------|-----------------|----------------------------|-----------------------------------|---------------|
|                               |                 | <b>XOP</b>      | <b>RXB.map_select</b>      | <b>W.vvvv.L.pp</b>                | <b>Opcode</b> |
| TZMSK <i>reg32, reg/mem32</i> |                 | 8F              | $\overline{\text{RXB}}.09$ | 0. $\overline{\text{dest}}$ .0.00 | 01 /4         |
| TZMSK <i>reg64, reg/mem64</i> |                 | 8F              | $\overline{\text{RXB}}.09$ | 1. $\overline{\text{dest}}$ .0.00 | 01 /4         |

### Related Instructions

ANDN, BEXTR, BLCFILL, BLCI, BLCIC, BLCMSK, BLCS, BLSFILL, BLSI, BLSIC, BLSR, BLSMSK, BSF, BSR, LZCNT, POPCNT, T1MSKC, TZCNT

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | U  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

Note: Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                  |
|-------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | TBM instructions are only recognized in protected mode.                             |
|                         |      |                 | X         | TBM instructions are not supported, as indicated by CPUID Fn8000_0001_ECX[TBM] = 0. |
|                         |      |                 | X         | XOP.L is 1.                                                                         |
| Stack, #SS              |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.             |
| General protection, #GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.                |
|                         |      |                 | X         | A null data segment was used to reference memory.                                   |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                        |
| Alignment check, #AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled.   |

## UD0, UD1, UD2

## Undefined Operation

These opcodes generate an invalid opcode exception. Unlike other undefined opcodes that may be defined as legal instructions in the future, these opcodes are intended to stay undefined. On some AMD64 processor implementations, UD1 may report an invalid opcode exception regardless of whether fetching the ModRM byte could trigger a paging or segmentation exception.

| Mnemonic | Opcode   | Description                        |
|----------|----------|------------------------------------|
| UD0      | 0F FF    | Raise an invalid opcode exception  |
| UD1      | 0F B9 /r | Raise an invalid opcode exception  |
| UD2      | 0F 0B    | Raise an invalid opcode exception. |

### Related Instructions

None

### rFLAGS Affected

None

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                  |
|------------------------|------|-----------------|-----------|-------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | This instruction is not recognized. |

## WRFSBASE WRGSBASE

## Write FS.base Write GS.base

Writes the base field of the FS or GS segment descriptor with the value contained in the register operand. When supported and enabled, these instructions can be executed at any processor privilege level. Instructions are only defined in 64-bit mode. The address written to the base field must be in canonical form or a #GP fault will occur.

System software must set the FSGSBASE bit (bit 16) of CR4 to enable the WRFSBASE and WRGSBASE instructions.

Support for this instruction is indicated by CPUID Fn0000\_0007\_EBX\_x0[FSGSBASE] = 1.

For more information on using the CPUID instruction, see the instruction reference page for the CPUID instruction on page 171. For a description of all feature flags related to instruction subset support, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613.

| Mnemonic       | Opcode      | Description                                                                                         |
|----------------|-------------|-----------------------------------------------------------------------------------------------------|
| WRFSBASE reg32 | F3 0F AE /2 | Copy the contents of the specified 32-bit general-purpose register to the lower 32 bits of FS.base. |
| WRFSBASE reg64 | F3 0F AE /2 | Copy the contents of the specified 64-bit general-purpose register to FS.base.                      |
| WRGSBASE reg32 | F3 0F AE /3 | Copy the contents of the specified 32-bit general-purpose register to the lower 32 bits of GS.base. |
| WRGSBASE reg64 | F3 0F AE /3 | Copy the contents of the specified 64-bit general-purpose register to GS.base.                      |

## Related Instructions

RDFSBASE, RDGSBASE

## rFLAGS Affected

None.

## Exceptions

| Exception | Legacy | Compatibility | 64-bit | Cause of Exception                                                                                                     |
|-----------|--------|---------------|--------|------------------------------------------------------------------------------------------------------------------------|
| #UD       | X      | X             |        | Instruction is not valid in compatibility or legacy modes.                                                             |
|           |        |               | X      | Instruction not supported as indicated by CPUID Fn0000_0007_EBX_x0[FSGSBASE] = 0 or, if supported, not enabled in CR4. |
| #GP       |        |               | X      | Attempt to write non-canonical address to segment base address.                                                        |

## XADD

## Exchange and Add

Exchanges the contents of a register (second operand) with the contents of a register or memory location (first operand), computes the sum of the two values, and stores the result in the first operand location.

The forms of the XADD instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

| Mnemonic              | Opcode   | Description                                                                                                                                              |
|-----------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| XADD reg/mem8, reg8   | 0F C0 /r | Exchange the contents of an 8-bit register with the contents of an 8-bit destination register or memory operand and load their sum into the destination. |
| XADD reg/mem16, reg16 | 0F C1 /r | Exchange the contents of a 16-bit register with the contents of a 16-bit destination register or memory operand and load their sum into the destination. |
| XADD reg/mem32, reg32 | 0F C1 /r | Exchange the contents of a 32-bit register with the contents of a 32-bit destination register or memory operand and load their sum into the destination. |
| XADD reg/mem64, reg64 | 0F C1 /r | Exchange the contents of a 64-bit register with the contents of a 64-bit destination register or memory operand and load their sum into the destination. |

## Related Instructions

None

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

*Note:* Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**XCHG****Exchange**

Exchanges the contents of the two operands. The operands can be two general-purpose registers or a register and a memory location. If either operand references memory, the processor locks automatically, whether or not the LOCK prefix is used and independently of the value of IOPL. For details about the LOCK prefix, see “Lock Prefix” on page 11.

The x86 architecture commonly uses the XCHG EAX, EAX instruction (opcode 90h) as a one-byte NOP. In 64-bit mode, the processor treats opcode 90h as a true NOP only if it would exchange rAX with itself. Without this special handling, the instruction would zero-extend the upper 32 bits of RAX, and thus it would not be a true no-operation. Opcode 90h can still be used to exchange rAX and r8 if the appropriate REX prefix is used.

This special handling does not apply to the two-byte ModRM form of the XCHG instruction.

| Mnemonic                             | Opcode | Description                                                                                          |
|--------------------------------------|--------|------------------------------------------------------------------------------------------------------|
| XCHG AX, <i>reg16</i>                | 90 +rw | Exchange the contents of the AX register with the contents of a 16-bit register.                     |
| XCHG <i>reg16</i> , AX               | 90 +rw | Exchange the contents of a 16-bit register with the contents of the AX register.                     |
| XCHG EAX, <i>reg32</i>               | 90 +rd | Exchange the contents of the EAX register with the contents of a 32-bit register.                    |
| XCHG <i>reg32</i> , EAX              | 90 +rd | Exchange the contents of a 32-bit register with the contents of the EAX register.                    |
| XCHG RAX, <i>reg64</i>               | 90 +rq | Exchange the contents of the RAX register with the contents of a 64-bit register.                    |
| XCHG <i>reg64</i> , RAX              | 90 +rq | Exchange the contents of a 64-bit register with the contents of the RAX register.                    |
| XCHG <i>reg/mem8</i> , <i>reg8</i>   | 86 /r  | Exchange the contents of an 8-bit register with the contents of an 8-bit register or memory operand. |
| XCHG <i>reg8</i> , <i>reg/mem8</i>   | 86 /r  | Exchange the contents of an 8-bit register or memory operand with the contents of an 8-bit register. |
| XCHG <i>reg/mem16</i> , <i>reg16</i> | 87 /r  | Exchange the contents of a 16-bit register with the contents of a 16-bit register or memory operand. |
| XCHG <i>reg16</i> , <i>reg/mem16</i> | 87 /r  | Exchange the contents of a 16-bit register or memory operand with the contents of a 16-bit register. |
| XCHG <i>reg/mem32</i> , <i>reg32</i> | 87 /r  | Exchange the contents of a 32-bit register with the contents of a 32-bit register or memory operand. |
| XCHG <i>reg32</i> , <i>reg/mem32</i> | 87 /r  | Exchange the contents of a 32-bit register or memory operand with the contents of a 32-bit register. |
| XCHG <i>reg/mem64</i> , <i>reg64</i> | 87 /r  | Exchange the contents of a 64-bit register with the contents of a 64-bit register or memory operand. |
| XCHG <i>reg64</i> , <i>reg/mem64</i> | 87 /r  | Exchange the contents of a 64-bit register or memory operand with the contents of a 64-bit register. |

## Related Instructions

BSWAP, XADD

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The source or destination operand was in a non-writable segment.                  |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**XLAT****XLATB****Translate Table Index**

Uses the unsigned integer in the AL register as an offset into a table and copies the contents of the table entry at that location to the AL register.

The instruction uses *seg*:[rBX] as the base address of the table. The value of *seg* defaults to the DS segment, but may be overridden by a segment prefix.

This instruction writes AL without changing RAX[63:8]. This instruction ignores operand size.

The single-operand form of the XLAT instruction uses the operand to document the segment and address size attribute, but it uses the base address specified by the rBX register.

This instruction is often used to translate data from one format (such as ASCII) to another (such as EBCDIC).

| Mnemonic         | Opcode | Description                                       |
|------------------|--------|---------------------------------------------------|
| XLAT <i>mem8</i> | D7     | Set AL to the contents of DS:[rBX + unsigned AL]. |
| XLATB            | D7     | Set AL to the contents of DS:[rBX + unsigned AL]. |

**Related Instructions**

None

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.            |

**XOR****Logical Exclusive OR**

Performs a bit-wise logical `xor` operation on both operands and stores the result in the first operand location. The first operand can be a register or memory location. The second operand can be an immediate value, a register, or a memory location. XOR-ing a register with itself clears the register.

The forms of the XOR instruction that write to memory support the LOCK prefix. For details about the LOCK prefix, see “Lock Prefix” on page 11.

The instruction performs the following operation for each bit:

| <b>X</b> | <b>Y</b> | <b>X xor Y</b> |
|----------|----------|----------------|
| 0        | 0        | 0              |
| 0        | 1        | 1              |
| 1        | 0        | 1              |
| 1        | 1        | 0              |

| <b>Mnemonic</b>             | <b>Opcode</b>   | <b>Description</b>                                                                                                                                                    |
|-----------------------------|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| XOR AL, <i>imm8</i>         | 34 <i>ib</i>    | <code>xor</code> the contents of AL with an immediate 8-bit operand and store the result in AL.                                                                       |
| XOR AX, <i>imm16</i>        | 35 <i>iw</i>    | <code>xor</code> the contents of AX with an immediate 16-bit operand and store the result in AX.                                                                      |
| XOR EAX, <i>imm32</i>       | 35 <i>id</i>    | <code>xor</code> the contents of EAX with an immediate 32-bit operand and store the result in EAX.                                                                    |
| XOR RAX, <i>imm32</i>       | 35 <i>id</i>    | <code>xor</code> the contents of RAX with a sign-extended immediate 32-bit operand and store the result in RAX.                                                       |
| XOR <i>reg/mem8, imm8</i>   | 80 /6 <i>ib</i> | <code>xor</code> the contents of an 8-bit destination register or memory operand with an 8-bit immediate value and store the result in the destination.               |
| XOR <i>reg/mem16, imm16</i> | 81 /6 <i>iw</i> | <code>xor</code> the contents of a 16-bit destination register or memory operand with a 16-bit immediate value and store the result in the destination.               |
| XOR <i>reg/mem32, imm32</i> | 81 /6 <i>id</i> | <code>xor</code> the contents of a 32-bit destination register or memory operand with a 32-bit immediate value and store the result in the destination.               |
| XOR <i>reg/mem64, imm32</i> | 81 /6 <i>id</i> | <code>xor</code> the contents of a 64-bit destination register or memory operand with a sign-extended 32-bit immediate value and store the result in the destination. |
| XOR <i>reg/mem16, imm8</i>  | 83 /6 <i>ib</i> | <code>xor</code> the contents of a 16-bit destination register or memory operand with a sign-extended 8-bit immediate value and store the result in the destination.  |

| Mnemonic             | Opcode   | Description                                                                                                                                             |
|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| XOR reg/mem32, imm8  | 83 /6 ib | xor the contents of a 32-bit destination register or memory operand with a sign-extended 8-bit immediate value and store the result in the destination. |
| XOR reg/mem64, imm8  | 83 /6 ib | xor the contents of a 64-bit destination register or memory operand with a sign-extended 8-bit immediate value and store the result in the destination. |
| XOR reg/mem8, reg8   | 30 /r    | xor the contents of an 8-bit destination register or memory operand with the contents of an 8-bit register and store the result in the destination.     |
| XOR reg/mem16, reg16 | 31 /r    | xor the contents of a 16-bit destination register or memory operand with the contents of a 16-bit register and store the result in the destination.     |
| XOR reg/mem32, reg32 | 31 /r    | xor the contents of a 32-bit destination register or memory operand with the contents of a 32-bit register and store the result in the destination.     |
| XOR reg/mem64, reg64 | 31 /r    | xor the contents of a 64-bit destination register or memory operand with the contents of a 64-bit register and store the result in the destination.     |
| XOR reg8, reg/mem8   | 32 /r    | xor the contents of an 8-bit destination register with the contents of an 8-bit register or memory operand and store the results in the destination.    |
| XOR reg16, reg/mem16 | 33 /r    | xor the contents of a 16-bit destination register with the contents of a 16-bit register or memory operand and store the results in the destination.    |
| XOR reg32, reg/mem32 | 33 /r    | xor the contents of a 32-bit destination register with the contents of a 32-bit register or memory operand and store the results in the destination.    |
| XOR reg64, reg/mem64 | 33 /r    | xor the contents of a 64-bit destination register with the contents of a 64-bit register or memory operand and store the results in the destination.    |

## Related Instructions

OR, AND, NOT, NEG

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | M  | M  | U  | M  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## 4 System Instruction Reference

This chapter describes the function, mnemonic syntax, opcodes, affected flags, and possible exceptions generated by the system instructions. System instructions are used to establish the processor operating mode, access processor resources, handle program and system errors, manage memory, and instantiate a virtual machine. Most of these instructions can only be executed by privileged software, such as the operating system or a Virtual Machine Monitor (VMM), also known as a hypervisor. Only system instructions can access certain processor resources, such as the control registers, model-specific registers, and debug registers.

Most system instructions are supported in all hardware implementations of the AMD64 architecture. The table below lists instructions that may not be supported on a given processor implementation. System software must execute the CPUID instruction using the function number listed to determine support prior to using these instructions.

**Table 4-1. System Instruction Support Indicated by CPUID Feature Bits**

| Instruction                             | CPUID Feature Bit              | Register[Bit] |
|-----------------------------------------|--------------------------------|---------------|
| CET_SS                                  | 0000_0007_0                    | ECX[7]        |
| CLAC, STAC                              | 0000_0007_0                    | EBX[20]       |
| Long Mode and Long Mode instructions    | 8000_0001_EDX[LM]              | EDX[29]       |
| INVPCID                                 | 0000_0007_0                    | EBX[10]       |
| INVLPG, TLBSYNC                         | 8000_0008_EBX[INVLPG]          | EBX[3]        |
| MONITOR, MWAIT                          | 0000_0001_ECX[MONITOR]         | ECX[3]        |
| RDPKRU, WRPKRU                          | 0000_0007_0                    | ECX[4]        |
| PSMASH, PVALIDATE, RMPADJUST, RMPUPDATE | 8000_001F_EAX[SNP]             | EAX[4]        |
| RMPQUERY                                | 8000_001F_EAX[RMPQUERY]        | EAX[6]        |
| RMPREAD                                 | 8000_001F_EAX[RMPREAD]         | EAX[21]       |
| RDMSR, WRMSR                            | 0000_0001_EDX[MSR]             | EDX[5]        |
| RDTSCP                                  | 8000_0001_EDX[RDTSCP]          | EDX[27]       |
| SKINIT, STGI                            | 8000_0001_ECX[SKINIT]          | ECX[12]       |
| SVM Architecture and instructions       | 8000_0001_ECX[SVM]             | ECX[2]        |
| SYSCALL, SYSRET                         | 8000_0001_EDX[SysCallSysRet]   | EDX[11]       |
| SYSENTER, SYSEXIT                       | 0000_0001_EDX[SysEnterSysExit] | EDX[11]       |
| VMGEXIT                                 | 8000_001F[SEV-ES]              | EAX[3]        |
| WBNOINVD                                | 8000_0008_EBX[WBNOINVD]        | EBX[9]        |

There are also several other CPUID feature bits that indicate support for certain paging functions, virtual-mode extensions, machine-check exceptions, advanced programmable interrupt control (APIC), memory-type range registers (MTRRs), etc.

For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171. For a comprehensive list of all instruction support feature flags, see Appendix D, “Instruction Subsets and CPUID Feature Flags,” on page 613. For a comprehensive list of all defined CPUID feature numbers and return values, see Appendix E, “Obtaining Processor Information Via the CPUID Instruction,” on page 621.

For further information about the system instructions and register resources, see:

- “System Instructions” in Volume 2.
- “Summary of Registers and Data Types” on page 42.
- “Notation” on page 57.
- “Instruction Prefixes” on page 5.

**ARPL****Adjust Requestor Privilege Level**

Compares the requestor privilege level (RPL) fields of two segment selectors in the source and destination operands of the instruction. If the RPL field of the destination operand is less than the RPL field of the segment selector in the source register, then the zero flag is set and the RPL field of the destination operand is increased to match that of the source operand. Otherwise, the destination operand remains unchanged and the zero flag is cleared.

The destination operand can be either a 16-bit register or memory location; the source operand must be a 16-bit register.

The ARPL instruction is intended for use by operating-system procedures to adjust the RPL of a segment selector that has been passed to the operating system by an application program to match the privilege level of the application program. The segment selector passed to the operating system is placed in the destination operand and the segment selector for the code segment of the application program is placed in the source operand. The RPL field in the source operand represents the privilege level of the application program. The ARPL instruction then insures that the RPL of the segment selector received by the operating system is no lower than the privilege level of the application program.

See “Adjusting Access Rights” in APM Volume 2 for more information on access rights.

In 64-bit mode, this opcode (63H) is used for the MOVSXD instruction.

| Mnemonic              | Opcode | Description                                                                                                                                                                     |
|-----------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ARPL reg/mem16, reg16 | 63 /r  | Adjust the RPL of a destination segment selector to a level not less than the RPL of the segment selector specified in the 16-bit source register.<br>(Invalid in 64-bit mode.) |

**Related Instructions**

LAR, LSL, VERR, VERW

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    | M  |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               |           | This instruction is only recognized in protected legacy and compatibility mode.   |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit.                                |
| General protection,<br>#GP |      |                 | X         | A memory address exceeded a data segment limit.                                   |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null segment selector was used to reference memory.                             |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC       |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## CLAC

## Clear Alignment Check Flag

Sets the Alignment Check flag in the rFLAGS register to zero. Support for the CLAC instruction is indicated by CPUID Fn07\_EBX[20] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

| Mnemonic | Opcode   | Description   |
|----------|----------|---------------|
| CLAC     | 0F 01 CA | Clear AC Flag |

### Related Instructions

STAC

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     | 0  |    |    |    |       |    |    |    |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                           |
|---------------------|------|-----------------|-----------|----------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | Instruction not supported by CPUID           |
|                     |      | X               | X         | Instruction is not supported in virtual mode |
|                     | X    |                 | X         | Lock prefix (F0h) preceding opcode.          |
|                     |      |                 | X         | CPL was not 0                                |

**CLGI****Clear Global Interrupt Flag**

Clears the global interrupt flag (GIF). While GIF is zero, all external interrupts are disabled.

This is a Secure Virtual Machine instruction. Support for the SVM architecture and the SVM instructions is indicated by CPUID Fn8000\_0001(ECX[SVM]) = 1. For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171.

This instruction generates a #UD exception if SVM is not enabled. See “Enabling SVM” in APM Volume 2.

| Mnemonic | Opcode   | Description                             |
|----------|----------|-----------------------------------------|
| CLGI     | 0F 01 DD | Clears the global interrupt flag (GIF). |

**Related Instructions**

STGI

**rFLAGS Affected**

None.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                      |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | The SVM instructions are not supported as indicated by CPUID Fn8000_0001(ECX[SVM]) = 0. |
|                            |      |                 | X         | Secure Virtual Machine was not enabled (EFER.SVME=0).                                   |
|                            | X    | X               |           | Instruction is only recognized in protected mode.                                       |
| General protection,<br>#GP |      |                 | X         | CPL was not 0.                                                                          |

## CLI

## Clear Interrupt Flag

Clears the interrupt flag (IF) in the rFLAGS register to zero, thereby masking external interrupts received on the INTR input. Interrupts received on the non-maskable interrupt (NMI) input are not affected by this instruction.

In real mode, this instruction clears IF to 0.

In protected mode and virtual-8086-mode, this instruction is IOPL-sensitive. If the CPL is less than or equal to the rFLAGS.IOPL field, the instruction clears IF to 0.

In protected mode, if IOPL < 3, CPL = 3, and protected mode virtual interrupts are enabled (CR4.PVI = 1), then the instruction instead clears rFLAGS.VIF to 0. If none of these conditions apply, the processor raises a general-purpose exception (#GP). For more information, see “Protected Mode Virtual Interrupts” in APM Volume 2.

In virtual-8086 mode, if IOPL < 3 and the virtual-8086-mode extensions are enabled (CR4.VME = 1), the CLI instruction clears the virtual interrupt flag (rFLAGS.VIF) to 0 instead.

See “Virtual-8086 Mode Extensions” in APM Volume 2 for more information about IOPL-sensitive instructions.

| Mnemonic | Opcode | Description                            |
|----------|--------|----------------------------------------|
| CLI      | FA     | Clear the interrupt flag (IF) to zero. |

### Action

```

IF (CPL <= IOPL)
    RFLAGS.IF = 0

ELSEIF (((VIRTUAL_MODE) && (CR4.VME == 1))
        || ((PROTECTED_MODE) && (CR4.PVI == 1) && (CPL == 3)))
    RFLAGS.VIF = 0;

ELSE
    EXCEPTION[#GP(0)]

```

### Related Instructions

STI

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     | M   |    |    |    |    |       |    |    | M  |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                  |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP |      | X               |           | The CPL was greater than the IOPL and virtual mode extensions are not enabled (CR4.VME = 0).                                        |
|                            |      |                 | X         | The CPL was greater than the IOPL and either the CPL was not 3 or protected mode virtual interrupts were not enabled (CR4.PVI = 0). |

## CLTS

## Clear Task-Switched Flag in CR0

Clears the task-switched (TS) flag in the CR0 register to 0. The processor sets the TS flag on each task switch. The CLTS instruction is intended to facilitate the synchronization of FPU context saves during multitasking operations.

This instruction can only be used if the current privilege level is 0.

See “System-Control Registers” in APM Volume 2 for more information on FPU synchronization and the TS flag.

| Mnemonic | Opcode | Description                                    |
|----------|--------|------------------------------------------------|
| CLTS     | 0F 06  | Clear the task-switched (TS) flag in CR0 to 0. |

### Related Instructions

LMSW, MOV CR $n$

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception |
|----------------------------|------|-----------------|-----------|--------------------|
| General protection,<br>#GP |      | X               | X         | CPL was not 0.     |

## CLRSSBSY

## Clear Shadow Stack Busy

Validates the busy (in use) shadow stack token pointed to by the memory operand and clears the token's busy bit. If the token validation checks pass, CF is cleared to 0 and SSP is cleared to 0. If the token validation checks fail, CF is set to 1 and the token and SSP are not modified.

CLRSSBSY is a privileged instruction and must be executed with CPL=0, otherwise a #GP exception is generated. If shadow stacks are not enabled at the supervisor level, a #UD exception is generated.

| Mnemonic              | Opcode      | Description                                     |
|-----------------------|-------------|-------------------------------------------------|
| CLRSSBSY <i>mem64</i> | F3 0F AE /6 | Validate shadow stack token and clear busy bit. |

### Actions

```
// see "Pseudocode Definition" on page 57

IF (CR4.CET == 0)
    EXCEPTION [#UD]
IF (S_CET.SH_STK_EN == 0)
    EXCEPTION [#UD]
IF (CPL != 0)
    EXCEPTION [#GP(0)]

temp_linAddr = Linear_Address(mem64)

IF (temp_linAddr is not 8-byte aligned)
    EXCEPTION [#GP(0)]

bool INVALID_TOKEN = FALSE

< start atomic section >
temp_Token = SSTK_READ_MEM.q [temp_linAddr] // fetch token with locked read

IF ((temp_Token AND 0x01) != 1)
    INVALID_TOKEN = TRUE // token busy bit must be set

IF ((temp_Token AND ~0x01) != temp_linAddr)
    INVALID_TOKEN = TRUE // address in token must equal
                           // linear address of mem64
IF (!INVALID_TOKEN)
    temp_Token = temp_Token AND ~0x01 // valid token, clear busy bit

SSTK_WRITE_MEM.q[temp_linAddr] = temp_Token // write back token and unlock
< end atomic section >

RFLAGS.ZF,PF,AF,OF,SF = 0

IF (INVALID_TOKEN)
    RFLAGS.CF = 1 // set CF if token not valid
ELSE
```

```
{
    RFLAGS.CF = 0 // else clear CF
    SSP = 0      // and set SSP = 0
}
EXIT
```

## Related Instructions

SETSSBSY

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | 0  | 0  | 0  | 0  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception (vector)         | Real | Virtual<br>8086 | Protected | Cause of Exception                                                              |
|----------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               |           | Instruction is only recognized in protected mode.                               |
|                            |      |                 | X         | CR4.CET = 0                                                                     |
|                            |      |                 | X         | Shadow stacks not enabled at supervisor level                                   |
| General protection,<br>#GP |      |                 | X         | CPL != 0                                                                        |
|                            |      |                 | X         | The linear address is not 8-byte aligned.                                       |
|                            |      |                 | X         | A memory address exceeded a data segment limit.                                 |
|                            |      |                 | X         | In long mode, the address of the memory operand was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                               |
|                            |      |                 | X         | A non-writable data segment was used.                                           |
|                            |      |                 | X         | An execute-only code segment was used to reference memory.                      |
| Page fault, #PF            |      |                 | X         | The linear address is not a supervisor shadow stack page in the OS page tables. |
|                            |      |                 | X         | A page fault resulted from the execution of the instruction.                    |

## HLT

## Halt

Causes the microprocessor to halt instruction execution and enter the HALT state. Entering the HALT state puts the processor in low-power mode. Execution resumes when an unmasked hardware interrupt (INTR), non-maskable interrupt (NMI), system management interrupt (SMI), RESET, or INIT occurs.

If an INTR, NMI, or SMI is used to resume execution after a HLT instruction, the saved instruction pointer points to the instruction following the HLT instruction.

Before executing a HLT instruction, hardware interrupts should be enabled. If rFLAGS.IF = 0, the system will remain in a HALT state until an NMI, SMI, RESET, or INIT occurs.

If an SMI brings the processor out of the HALT state, the SMI handler can decide whether to return to the HALT state or not. See APM Volume 2, for information on SMIs.

Current privilege level must be 0 to execute this instruction.

| Mnemonic | Opcode | Description                 |
|----------|--------|-----------------------------|
| HLT      | F4     | Halt instruction execution. |

### Related Instructions

STI, CLI

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception |
|----------------------------|------|-----------------|-----------|--------------------|
| General protection,<br>#GP |      | X               | X         | CPL was not 0.     |

**INCSSP****Increment Shadow Stack Pointer**

Increments SSP by the operand size of the instruction multiplied by the unsigned 8-bit value in bits [7:0] of the register operand. The operand size is 8 bytes in 64-bit mode (when REX.W = 1) and is 4 bytes in all other cases.

Before incrementing SSP, the first and last elements of the shadow stack in the range specified by the register operand are read and discarded.

| Mnemonic      | Opcode       | Description                      |
|---------------|--------------|----------------------------------|
| INCSSPD reg32 | F3 0F AE /05 | Increment SSP by 4*(reg32[7:0]). |
| INCSSPQ reg64 | F3 0F AE /05 | Increment SSP by 8*(reg64[7:0]). |

**Action**

```

IF ((CPL == 3) && (!SSTK_USER_ENABLED))
    EXCEPTION [#UD]
ELSEIF ((CPL < 3) && (!SSTK_SUPV_ENABLED))
    EXCEPTION [#UD]

IF (OPERAND_SIZE == 64)
{
    temp_numItems = (reg64[7:0] == 0) ? 1 : reg64[7:0]
    temp = SSTK_READ_MEM.q [SSP]                                // touch TOS and last
    temp = SSTK_READ_MEM.q [SSP + temp_numItems*8 - 8] // element in range
    SSP = SSP + reg64[7:0]*8 // increment SSP
}
ELSE
{
    temp_numItems = (reg32[7:0] == 0) ? 1 : reg32[7:0]
    temp = SSTK_READ_MEM.d [SSP]                                // touch TOS and last
    temp = SSTK_READ_MEM.d [SSP + temp_numItems*4 - 4] // element in range
    SSP = SSP + reg32[7:0]*4 // increment SSP
}
EXIT

```

**Related Instructions**

RDSSP, RSTORSSP

**rFLAGS Affected**

None

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                        |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | Instruction is only recognized in protected mode.                                                         |
|                         |      |                 | X         | CR4.CET = 0                                                                                               |
|                         |      |                 | X         | Shadow stacks are not enabled at the current privilege level.                                             |
| Page fault, #PF         |      |                 | X         | A page fault occurred when touching the first or last element of the shadow stack in the range specified. |
|                         |      |                 | X         | The first or last element in the range specified is not in a shadow stack page.                           |
| General protection, #GP |      |                 | X         | In long mode, the address of the memory operand was non-canonical.                                        |
|                         |      |                 | X         | A memory address exceeded a data segment limit.                                                           |
|                         |      |                 | X         | A null data segment was used to reference memory.                                                         |

## INT 3

## Interrupt to Debug Vector

Calls the debug exception handler. This instruction maps to a 1-byte opcode (CC) that raises a #BP exception. The INT 3 instruction is normally used by debug software to set instruction breakpoints by replacing the first byte of the instruction opcode bytes with the INT 3 opcode.

This one-byte INT 3 instruction behaves differently from the two-byte INT 3 instruction (opcode CD 03) (see “INT” in Chapter 3 “General Purpose Instructions” for further information) in two ways:

The #BP exception is handled without any IOPL checking in virtual x86 mode. (IOPL mismatches will not trigger an exception.)

- In VME mode, the #BP exception is not redirected via the interrupt redirection table. (Instead, it is handled by a protected mode handler.)

| Mnemonic | Opcode | Description                      |
|----------|--------|----------------------------------|
| INT 3    | CC     | Trap to debugger at Interrupt 3. |

For complete descriptions of the steps performed by INT instructions, see the following:

- *Legacy-Mode Interrupts*: “Legacy Protected-Mode Interrupt Control Transfers” in APM Volume 2.
- *Long-Mode Interrupts*: “Long-Mode Interrupt Control Transfers” in APM Volume 2.

## Action

```
// Refer to INT instruction's Action section for the details on INT_N_REAL,
// INT_N_PROTECTED, and INT_N_VIRTUAL_TO_PROTECTED.
INT3_START:

If (REAL_MODE)
    INT_N_REAL                //N = 3

ELSEIF (PROTECTED_MODE)
    INT_N_PROTECTED           //N = 3

ELSE // VIRTUAL_MODE
    INT_N_VIRTUAL_TO_PROTECTED //N = 3
```

## Related Instructions

INT, INTO, IRET

## rFLAGS Affected

If a task switch occurs, all flags are modified; otherwise, setting are as follows:

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     | M  | 0  | 0  | M  |       |    |    | M  | 0  |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                  |
|----------------------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| Breakpoint, #BP                        | X    | X               | X         | INT 3 instruction was executed.                                                                                                                     |
| Invalid TSS, #TS<br>(selector)         |      | X               | X         | As part of a stack switch, the target stack segment selector or rSP in the TSS that was beyond the TSS limit.                                       |
|                                        |      | X               | X         | As part of a stack switch, the target stack segment selector in the TSS was beyond the limit of the GDT or LDT descriptor table.                    |
|                                        |      | X               | X         | As part of a stack switch, the target stack segment selector in the TSS was a null selector.                                                        |
|                                        |      | X               | X         | As part of a stack switch, the target stack segment selector's TI bit was set, but the LDT selector was a null selector.                            |
|                                        |      | X               | X         | As part of a stack switch, the target stack segment selector in the TSS contained a RPL that was not equal to its DPL.                              |
|                                        |      | X               | X         | As part of a stack switch, the target stack segment selector in the TSS contained a DPL that was not equal to the CPL of the code segment selector. |
|                                        |      | X               | X         | As part of a stack switch, the target stack segment selector in the TSS was not a writable segment.                                                 |
| Segment not present, #NP<br>(selector) |      | X               | X         | The accessed code segment, interrupt gate, trap gate, task gate, or TSS was not present.                                                            |
| Stack, #SS                             | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                                                             |
| Stack, #SS<br>(selector)               |      | X               | X         | After a stack switch, a memory address exceeded the stack segment limit or was non-canonical and a stack switch occurred.                           |
|                                        |      | X               | X         | As part of a stack switch, the SS register was loaded with a non-null segment selector and the segment was marked not present.                      |
| General protection,<br>#GP             | X    | X               | X         | A memory address exceeded the data segment limit or was non-canonical.                                                                              |
|                                        | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.                                                                             |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                               |
|------------------------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP<br>(selector) | X    | X               | X         | The interrupt vector was beyond the limit of IDT.                                                                                                |
|                                          |      | X               | X         | The descriptor in the IDT was not an interrupt, trap, or task gate in legacy mode or not a 64-bit interrupt or trap gate in long mode.           |
|                                          | X    | X               | X         | The DPL of the interrupt, trap, or task gate descriptor was less than the CPL.                                                                   |
|                                          | X    | X               | X         | The segment selector specified by the interrupt or trap gate had its TI bit set, but the LDT selector was a null selector.                       |
|                                          | X    | X               | X         | The segment descriptor specified by the interrupt or trap gate exceeded the descriptor table limit or was a null selector.                       |
|                                          | X    | X               | X         | The segment descriptor specified by the interrupt or trap gate was not a code segment in legacy mode, or not a 64-bit code segment in long mode. |
|                                          |      |                 | X         | The DPL of the segment specified by the interrupt or trap gate was greater than the CPL.                                                         |
|                                          | X    |                 |           | The DPL of the segment specified by the interrupt or trap gate pointed was not 0 or it was a conforming segment.                                 |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                     |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                |

## INVD

## Invalidate Caches

Invalidates all levels of cache associated with this processor. This may or may not include lower level caches associated with another processor that shares any level of this processor's cache hierarchy.

No data is written back to main memory from invalidating the caches.

CPUID Fn8000\_001D\_EDX[WBINVD]\_xN indicates the behavior of the processor at various levels of the cache hierarchy. If the feature bit is 0, the instruction causes the invalidation of all lower level caches of other processors sharing the designated level of cache. If the feature bit is 1, the instruction does not necessarily cause the invalidation of all lower level caches of other processors sharing the designated level of cache. See Appendix E, “Obtaining Processor Information Via the CPUID Instruction,” on page 621 for more information on using the CPUID function.

This is a privileged instruction. The current privilege level (CPL) of a procedure invalidating the processor's internal caches must be 0.

To insure that data is written back to memory prior to invalidating caches, use the WBINVD instruction.

This instruction does not invalidate TLB caches.

INVD is a serializing instruction.

| Mnemonic | Opcode | Description                                                          |
|----------|--------|----------------------------------------------------------------------|
| INVD     | OF 08  | Invalidate internal caches and trigger external cache invalidations. |

### Related Instructions

WBINVD, WBNOINVD, CLWB, CLFLUSH

### rFLAGS Affected

None

### Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception |
|-------------------------|------|--------------|-----------|--------------------|
| General protection, #GP |      | X            | X         | CPL was not 0.     |

## INVLPG

## Invalidate TLB Entry

Invalidates the TLB entry that would be used for the 1-byte memory operand.

This instruction invalidates the TLB entry, regardless of the G (Global) bit setting in the associated PDE or PTE entry and regardless of the page size (4 Kbytes, 2 Mbytes, 4 Mbytes, or 1 Gbyte). It may invalidate any number of additional TLB entries, in addition to the targeted entry. INVLPG only invalidates TLB entries tagged with the current PCID and also global pages regardless of PCIDs. If PCIDs are disabled (CR4.PCID=0) then the current PCID is zero.

INVLPG is a serializing instruction and a privileged instruction. The current privilege level must be 0 to execute this instruction.

See “Page Translation and Protection” in APM Volume 2 for more information on page translation.

| Mnemonic           | Opcode   | Description                                                                   |
|--------------------|----------|-------------------------------------------------------------------------------|
| INVLPG <i>mem8</i> | 0F 01 /7 | Invalidate the TLB entry for the page containing a specified memory location. |

### Related Instructions

INVLPGA, INVLPGB, INVPCID, MOV CR*n* (CR3 and CR4)

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception |
|----------------------------|------|-----------------|-----------|--------------------|
| General protection,<br>#GP |      | X               | X         | CPL was not 0.     |

**INVLPGA****Invalidate TLB Entry in a Specified ASID**

Invalidates the TLB mapping for a given virtual page and a given ASID. The virtual (linear) address is specified in the implicit register operand rAX. The portion of rAX used to form the address is determined by the effective address size (current execution mode and optional address size prefix). The ASID is taken from ECX.

The INVLPGA instruction may invalidate any number of additional TLB entries, in addition to the targeted entry.

The INVLPGA instruction is a serializing instruction and a privileged instruction. The current privilege level must be 0 to execute this instruction.

This is a Secure Virtual Machine (SVM) instruction. Support for the SVM architecture and the SVM instructions is indicated by CPUID Fn8000\_0001(ECX[SVM] = 1. For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171.

This instruction generates a #UD exception if SVM is not enabled. See “Enabling SVM” in APM Volume 2.

| Mnemonic         | Opcode   | Description                                                                                      |
|------------------|----------|--------------------------------------------------------------------------------------------------|
| INVLPGA rAX, ECX | 0F 01 DF | Invalidates the TLB mapping for the virtual page specified in rAX and the ASID specified in ECX. |

**Related Instructions**

INVLPG, INVLPGB, INVPCID

**rFLAGS Affected**

None.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                      |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | The SVM instructions are not supported as indicated by CPUID Fn8000_0001(ECX[SVM] = 0). |
|                            |      |                 | X         | Secure Virtual Machine was not enabled (EFER.SVME=0).                                   |
|                            | X    | X               |           | Instruction is only recognized in protected mode.                                       |
| General protection,<br>#GP |      |                 | X         | CPL was not 0.                                                                          |

**INVLPG****Invalidate TLB Entry(s) with Broadcast**

Invalidates the TLB entry or entries specified by the descriptor in the rAX:EDX register pair. Invalidations are done both in the local TLB and broadcast to all processors to perform the same invalidations. The virtual (linear) address is specified in the implicit register operand rAX. The portion of rAX used to form the address is determined by the effective address size.

The TLB control field is specified in rAX[5:0]. It determines which components of the address (VA, PCID, ASID) are valid for comparison in the TLB and whether to include global entries in the invalidation process. If rAX[4] is set, only the final translation is invalidated and not the cached upper level TLB entries that lead to the final page. This ability may not be possible with all processors in which case the bit is ignored. If rAX[5] is set, all nested translations that could be used for guest translation selected in rAX[4:0] are flushed. rAX[5] can only be set if CPUID Fn8000\_0008\_EBX[21]=1. ECX provides a count of the number of pages to include in invalidation with the specified address and the page size at which to increment the specified address.

The descriptor in rAX has the following format:

| rAX            | Attributes                  |
|----------------|-----------------------------|
| 0              | Valid VA                    |
| 1              | Valid PCID                  |
| 2              | Valid ASID                  |
| 3              | Include Global              |
| 4              | Final Translation Only      |
| 5              | Include Nested Translations |
| 11:6           | Reserved, MBZ               |
| 63:12 or 31:12 | VA                          |

rAX[3:0] provides for various types of invalidations. A few examples are listed in the following table, but all values are legal.

| rAX [3:0] | Action                                                                  |
|-----------|-------------------------------------------------------------------------|
| 0xF       | Invalidate all TLB entries that match {ASID, PCID, VA} including Global |
| 0xC       | Invalidate all TLB entries that match {ASID} including Global           |
| 0xD       | Invalidate all TLB entries that match {ASID, VA} including Global       |
| 0x4       | Invalidate all TLB entries that match {ASID} excluding Global           |

| rAX [3:0] | Action                                                              |
|-----------|---------------------------------------------------------------------|
| 0xE       | Invalidate all TLB entries that match {ASID, PCID} including Global |
| 0x6       | Invalidate all TLB entries that match {ASID, PCID} excluding Global |

The descriptor in EDX has the following format:

| EDX   | Attributes    |
|-------|---------------|
| 15:0  | ASID          |
| 27:16 | PCID          |
| 31:28 | Reserved, MBZ |

ECX[15:0] contains a count of the number of sequential pages to invalidate in addition to the original virtual address, starting from the virtual address specified in rAX. A count of 0 invalidates a single page. ECX[31]=0 indicates to increment the virtual address at the 4K boundary. ECX[31]=1 indicates to increment the virtual address at the 2M boundary. The maximum count supported is reported in CPUID function 8000\_0008h, EDX[15:0].

This instruction invalidates the TLB entry or entries, regardless of the page size (4 Kbytes, 2 Mbytes, 4 Mbytes, or 1 Gbyte). It may invalidate any number of additional TLB entries in addition to the targeted entry or entries to accomplish the specified function. INVLPG follows the same rules for cached upper TLB entries as INVLPG which is controlled by EFER.TCE. However, since this is a broadcast, the invalidation is controlled by the EFER.TCE value on the processor executing the INVLPG instruction. (See Section 3, “Translation Cache Extension” in APM Volume 2 for more information on EFER.TCE.)

Under the following circumstances, execution of INVLPG will result in a General Protection fault (#GP):

- If SVM is disabled, requesting the ASID field with any value but zero, even if the ASID is not necessary for the flush.
- If PCID is disabled, requesting the PCID field with any value but zero, even if the PCID is not necessary for the flush.
- If the request exceeds the number of valid ASIDs for the processor, even if the ASID is not valid.
- Attempts to request a count larger than the maximum count supported, even if the VA is not valid
- Attempts to execute an INVLPG while in 4M paging mode.

**Guest Usage of INVLPG.** Guest usage of INVLPG is supported only when the instruction has been explicitly enabled by the hypervisor in the VMCB (see APM Volume 2, Appendix B, Table B-1: VMCB Layout, Control Area). Support for INVLPG/TLBSYNC hypervisor enable in VMCB is indicated by CPUID Fn8000\_000A\_EDX[24] = 1.

A guest that executes a legal INVLPG that is not intercepted will have the requested ASID field replaced by the current ASID and the valid ASID bit set before doing the broadcast invalidation. Because of its broadcast nature, the ASID field must be global and all processors must allocate the same ASID to the same Guest for proper operation. Hypervisors that do not support a global ASID must intercept the Guest usage of INVLPG, if enabled, for proper behavior.

Two forms of INVLPG intercepts, conditional and unconditional, are available to the hypervisor. The unconditional intercept traps all guest usage of INVLPG. The conditional intercept traps only illegally-specified INVLPG instructions. An illegally specified INVLPG is one that would, if not intercepted, cause a #GP for any reason other than not being executed at CPL 0.

INVLPG is a privileged instruction but not a serializing instruction. It must be executed at CPL 0, but will broadcast the invalidate to the rest of the processors which may be running at any privilege level.

INVLPG is weakly ordered as it broadcasts the invalidation types throughout the system to all processors, so that a batch of invalidations can be done in a parallel fashion. For software to guarantee that all processors have seen and done the TLB invalidations, a TLBSYNC must be executed on the initiating processor.

| Mnemonic | Opcode   | Description                              |
|----------|----------|------------------------------------------|
| INVLPG   | 0F 01 FE | Invalidates TLB entry(s) with Broadcast. |

## Related Instructions

TLBSYNC, INVLPG, INVLPGA, INVPCID

## rFLAGS Affected

None.

## Exceptions

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                   |
|---------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               |           | This instruction is only recognized in protected mode.                               |
|                     | X    | X               | X         | This instruction is not supported as indicated by CPUID Fn8000_0008_EBX[INVLPG] = 0. |
|                     |      |                 | X         | The hypervisor has not enabled Guest usage of this instruction.                      |

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                         |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------|
| General protection,<br>#GP |      |                 | X         | CPL was not 0.                                             |
|                            |      |                 | X         | EAX[11:6] is not zero or EAX[5] not zero if not supported. |
|                            |      |                 |           | EDX[31:28] is not zero.                                    |
|                            |      |                 | X         | CR4.PCID =0 and EDX[PCID] is not zero.                     |
|                            |      |                 | X         | EFER.SVME =0 and EDX[ASID] is not zero.                    |
|                            |      |                 | X         | EDX[ASID] > number of supported ASIDs.                     |
|                            |      |                 | X         | ECX[15:0] > maximum page count supported.                  |
|                            |      |                 | X         | 4M paging is active.                                       |

**INVPCID****Invalidate TLB Entry(s) in a Specified PCID**

Invalidates the TLB entry or entries on the logical processor for a given PCID in the local TLB based on the operation type specified in the register operand and the PCID and virtual (linear) address specified by the descriptor in the memory operand. (See “Process Context Identifier” in Chapter 5 of APM Volume 2 for more information on PCIDs.)

The register operand is always 64 bits in 64-bit mode and 32 bits outside 64-bit mode regardless of value of CS.D.

The operation type is specified in the register operand bits [1:0]. The operation type determines which components of the address (VA, PCID) are valid for comparison in the TLB and whether to include global valid bits in the invalidation process.

The operation types are:

| reg32/64 [1:0] | Action                                                        |
|----------------|---------------------------------------------------------------|
| 0              | Invalidate TLB entries that match {PCID, VA} excluding Global |
| 1              | Invalidate all TLB entries that match {PCID} excluding Global |
| 2              | Invalidate all TLB entries including Global                   |
| 3              | Invalidate all TLB entries excluding Global                   |

The descriptor in the memory operand is formatted as follows:

|        |               |      |
|--------|---------------|------|
| 127:64 | 63:12         | 11:0 |
| VA     | Reserved, MBZ | PCID |

This instruction invalidates the TLB entry or entries, regardless of the page size (4 Kbytes, 2 Mbytes, 4 Mbytes, or 1 Gbyte). It may invalidate any number of additional TLB entries, in addition to the targeted entry or entries to accomplish the specified function. INVPCID follows the same rules for cached upper TLB entries as INVLPG which is controlled by EFER.TCE. (See Section 3, “Translation Cache Extension” in APM Volume 2 for more information on EFER.TCE.)

If PCID is disabled (CR4.PCID = 0), all TLB entries are being cached with PCID = 0. When CR4.PCID = 0, executing INVPCID with type 0 and 1 is only allowed if the PCID specified in the descriptor is zero. Furthermore, when CR4.PCID = 0, executing INVPCID with type 2 or 3 invalidate mappings only for PCID = 0.

INVPCID is a serializing instruction and a privileged instruction. The current privilege level must be 0 to execute this instruction.

| Mnemonic              | Opcode         | Description                                                          |
|-----------------------|----------------|----------------------------------------------------------------------|
| INVPCID reg32, mem128 | 66 0F 38 82 /r | Invalidates the TLB entry(s) by PCID in r32 and descriptor in mem28. |
| INVPCID reg64, mem128 | 66 0F 38 82 /r | Invalidates the TLB entry(s) by PCID in r64 and descriptor in mem28. |

## Related Instructions

INVLPG, INVLPGA, INVLPGB, TLBSYNC

## rFLAGS Affected

None.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                       |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               |           | This instruction is only recognized in protected mode.                                                   |
|                            |      |                 | X         | This instruction not supported as indicated by CPUID Fn0000_0007_EBX_x0[INVPCID] = 0.                    |
|                            |      |                 | X         | If mod=11 (register is specified instead of memory for desc).                                            |
|                            |      |                 | X         | Lock prefix (F0h) preceding opcode.                                                                      |
| General protection,<br>#GP |      |                 | X         | CPL was not 0.                                                                                           |
|                            |      |                 | X         | An invalid type (>3) was specified in register operand.                                                  |
|                            |      |                 | X         | Bits 63:12 of descriptor in memory operand are not all zero.                                             |
|                            |      |                 | X         | Invalidation type 0 was specified and the virtual address in bits 127:64 of descriptor is not canonical. |
|                            |      |                 | X         | Invalidation type 0 or 1 and bits 11:0 of descriptor are not zero when CR4.PCIDE = 0.                    |
|                            |      |                 | X         | An execute-only code segment was used to reference memory.                                               |
|                            |      |                 | X         | A memory address exceeded a data segment limit.                                                          |
|                            |      |                 | X         | In long mode, the address of the memory operand was non-canonical.                                       |
|                            |      |                 | X         | A null data segment was used to reference memory.                                                        |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.                                  |
| Page Fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.                                             |

**IRET****IRETD****IRETQ****Return from Interrupt**

Returns program control from an exception or interrupt handler to a program or procedure previously interrupted by an exception, an external interrupt, or a software-generated interrupt. These instructions also perform a return from a nested task. All flags, CS, and rIP are restored to the values they had before the interrupt so that execution may continue at the next instruction following the interrupt or exception. In 64-bit mode or if the CPL changes, SS and RSP are also restored.

IRET, IRETD, and IRETQ are synonyms mapping to the same opcode. They are intended to provide semantically distinct forms for various opcode sizes. The IRET instruction is used for 16-bit operand size; IRETD is used for 32-bit operand sizes; IRETQ is used for 64-bit operands. The latter form is only meaningful in 64-bit mode.

IRET, IRETD, or IRETQ must be used to terminate the exception or interrupt handler associated with the exception, external interrupt, or software-generated interrupt.

IRET<sub>x</sub> is a serializing instruction.

For detailed descriptions of the steps performed by IRET<sub>x</sub> instructions, see the following:

- *Legacy-Mode Interrupts*: “Legacy Protected-Mode Interrupt Control Transfers” in APM Volume 2.
- *Long-Mode Interrupts*: “Long-Mode Interrupt Control Transfers” in APM Volume 2.

| Mnemonic | Opcode | Description                                  |
|----------|--------|----------------------------------------------|
| IRET     | CF     | Return from interrupt (16-bit operand size). |
| IRETD    | CF     | Return from interrupt (32-bit operand size). |
| IRETQ    | CF     | Return from interrupt (64-bit operand size). |

**Action**

```
// For functions READ_DESCRIPTOR, ShadowStacksEnabled
// see "Pseudocode Definition" on page 57

IRET_START:

IF (REAL_MODE)
    IRET_REAL

ELSIF (PROTECTED_MODE)
    IRET_PROTECTED

ELSE // (VIRTUAL_MODE)
    IRET_VIRTUAL
```

IRET\_REAL:

```
POP.v temp_RIP
POP.v temp_CS
POP.v temp_RFLAGS

IF (temp_RIP > CS.limit)
    EXCEPTION [#GP(0)]

CS.sel = temp_CS
CS.base = temp_CS SHL 4
RFLAGS.v = temp_RFLAGS // VIF,VIP,VM unchanged
RIP = temp_RIP
EXIT
```

IRET\_PROTECTED:

```
IF (RFLAGS.NT == 1)
    IF (LEGACY_MODE)           // IRET does a task-switch to a previous task
        TASK_SWITCH            // using the 'back link' field in the TSS
    ELSE // (LONG_MODE)
        EXCEPTION [#GP(0)]     // task switches aren't supported in long mode

POP.v temp_RIP
POP.v temp_CS
POP.v temp_RFLAGS

IF ((temp_RFLAGS.VM==1) && (CPL==0) && (LEGACY_MODE))
    IRET_FROM_PROTECTED_TO_VIRTUAL

IF (temp_CS.rpl == CPL)
    changing_CPL = FALSE
ELSEIF (temp_CS.rpl > CPL)
    changing_CPL = TRUE
ELSE // (temp_CS.rpl < CPL)
    EXCEPTION [#GP(temp_CS)] // IRET to greater priv not allowed

IF ((64BIT_MODE) || (changing_CPL))
    POP.v temp_RSP // in 64-bit mode or changing CPL, IRET always pops SS:RSP
    POP.v temp_SS

CS = READ_DESCRIPTOR (temp_CS, iret_chk)

IF ((64BIT_MODE) && (temp_RIP is non-canonical) ||
    (!64BIT_MODE) && (temp_RIP > CS.limit))
    EXCEPTION [#GP(0)]

IF (changing_CPL)
    IRET_PROTECTED_TO_OUTER_PRIV
```

```

ELSE
    IRET_PROTECTED_TO_SAME_PRIV

IRET_PROTECTED_TO_OUTER_PRIV:

CPL = CS.rpl

// SS:RSP were popped, so load them into the registers
SS = READ_DESCRIPTOR (temp_SS, ss_chk)
RSP.s = temp_RSP

// pop shadow stack and compare with program stack
IF (ShadowStacksEnabled(old CPL))
{
    IF (SSP[2:0] != 0)
        EXCEPTION [#CP(RET/IRET)] // SSP must be 8-byte aligned
    IF (temp_newCPL != 3)
    {
        temp_sstk_CS = SSTK_READ_MEM.q [SSP + 16] // read CS from sstk
        temp_sstk_LIP = SSTK_READ_MEM.q [SSP + 8] // read LIP
        temp_SSP = SSTK_READ_MEM.q [SSP] // read previous SSP
        SSP = SSP + 24
        IF (temp_CS != temp_sstk_CS)
            EXCEPTION [#CP(RET/IRET)] // CS mismatch
        IF ((CS.base + RIP) != temp_sstk_LIP)
            EXCEPTION [#CP(RET/IRET)] // LIP mismatch
        IF (temp_SSP[1:0] != 0)
            EXCEPTION [#CP(RET/IRET)] // prevSSP must be 4-byte aligned
    }
}

temp_oldSSP = SSP

IF (ShadowStacksEnabled(new CPL))
    IF (new CPL == 3)
        temp_SSP = PL3_SSP
    IF ((COMPATIBILITY_MODE) && (temp_SSP[63:32] != 0))
        EXCEPTION [#GP(0)] // SSP must be <4GB in compat mode
    SSP = temp_SSP

IF (ShadowStacksEnabled(old CPL)) // check shadow stack token, clear busy
{
    bool invalid_token = FALSE
    < start atomic section >
    temp_Token= SSTK_READ_MEM.q [temp_oldSSP] // read supervisor sstk token
    IF ((temp_Token AND 0x01) != 1)
        invalid_Token = TRUE // token busy bit must be 1
    IF ((temp_Token AND ~0x01) != temp_oldSSP)
        invalid_Token = TRUE // address in token must=oldSSP
    IF (!invalid_Token)
}

```

```

        temp_Token = temp_Token AND ~0x01      // clear token busy, if valid
SSTK_WRITE_MEM.q [temp_oldSSP] = temp_Token // writeback token
< end atomic section >
} // end shadow stacks enabled at old CPL

FOR (seg = ES, DS, FS, GS)
IF ((seg.sel == NULL) || ((seg.attr.dpl < CPL) &&
    ((seg.attr.type == 'data') ||
     (seg.attr.type == 'non-conforming-code'))))
    seg = NULL // can't use lower DPL data segment at higher CPL
                // also clears RPL of any null selectors

RFLAGS.v = temp_RFLAGS // VIF,VIP,IOPL only changed if old_CPL == 0
                    // IF only changed if old_CPL <= old_RFLAGS.IOPL
                    // VM unchanged
                    // RF cleared

RIP = temp_RIP
EXIT // end IRET_PROTECTED_TO_OUTER_PRIV

IRET_PROTECTED_TO_SAME_PRIV:

IF (started in 64-bit mode)
{ // in Long Mode SS:RSP were popped, so load them into the registers
SS = READ_DESCRIPTOR (temp_SS, ss_chk)
RSP.s = temp_RSP
}

IF (ShadowStacksEnabled(current CPL)) // pop the shadow stack
{
    // and compare with program stack
IF (SSP[2:0] != 0)
    EXCEPTION [#CP(REF/IRET)] // SSP must be 8-byte aligned
temp_sstk_CS = SSTK_READ_MEM.q [SSP + 16] // read CS from sstk
temp_sstk_LIP = SSTK_READ_MEM.q [SSP + 8] // read LIP
temp_SSP = SSTK_READ_MEM.q [SSP] // read previous SSP
SSP = SSP +24
IF (temp_CS != temp_sstk_CS)
    EXCEPTION [#CP(REF/IRET)] // CS mismatch
IF ((CS.base + RIP) != temp_sstk_LIP)
    EXCEPTION [#CP(REF/IRET)] // LIP mismatch
IF (temp_SSP[1:0] != 0)
    EXCEPTION [#CP(REF/IRET)] // prevSSP must be 4-byte aligned
IF ((COMPATIBILITY_MODE) && (tmp_sstk_prevSSP[63:32] != 0))
    EXCEPTION [#GP(0)] // prevSSP must be <4GB in compat mode
} // end shadow stack enabled at current CPL

// check shadow stack token, clear busy
IF ((ShadowStacksEnabled(currentCPL)) && (LONG_MODE))
{
    bool invalid_token = FALSE
    < start atomic section >
}

```

```

temp_Token= SSTK_READ_MEM.q [temp_oldSSP] // read supervisor sstk token
IF ((temp_Token AND 0x01) != 1)
    invalid_Token = TRUE // token busy bit must be 1
IF ((temp_Token AND ~0x01) != temp_oldSSP)
    invalid_Token = TRUE // address in token must=oldSSP
IF temp_SSP = SSP
    to_same_sstk = TRUE // switch was to same sstk
IF (!invalid_Token) AND (!to_same_sstk))
    temp_Token = temp_Token AND ~0x01 // clear token busy, if valid
SSTK_WRITE_MEM.q [temp_oldSSP] = temp_Token // writeback token
< end atomic section >
} // end shadow stacks enabled at CPL and in Long Mode

RFLAGS.v = temp_RFLAGS // VIF,VIP,IOPL only changed if old_CPL == 0
// IF only changed if old_CPL <= old_RFLAGS.IOPL
// VM unchanged
// RF cleared
RIP = temp_RIP
EXIT // end IRET_PROTECTED_TO_SAME_PRIV

IRET_VIRTUAL:

IF ((RFLAGS.IOPL < 3) && (CR4.VME == 0))
    EXCEPTION [#GP(0)]

POP.v temp_RIP
POP.v temp_CS
POP.v temp_RFLAGS

IF (temp_RIP > CS.limit)
    EXCEPTION [#GP(0)]

IF (RFLAGS.IOPL == 3)
{
    RFLAGS.v = temp_RFLAGS // VIF,VIP,VM,IOPL unchanged, RF cleared
    CS.sel = temp_CS
    CS.base = temp_CS SHL 4

    RIP = temp_RIP
    EXIT
}

// (IOPL < 3) && (CR4.VME == 1)
ELSEIF ((OPERAND_SIZE == 16) &&
        ((temp_RFLAGS.IF == 0) || (RFLAGS.VIP == 0)) &&
        (temp_RFLAGS.TF == 0))
{
    RFLAGS.w = temp_RFLAGS // RFLAGS.VIF = temp_RFLAGS.IF
                           // IF unchanged, RF cleared
    CS.sel = temp_CS
}

```

```
CS.base = temp_CS SHL 4
RIP = temp_RIP
EXIT
}

ELSE
// ((RFLAGS.IOPL < 3) && (CR4.VME == 1) && ((OPERAND_SIZE == 32) ||
// ((temp_RFLAGS.IF == 1) && (RFLAGS.VIP == 1)) ||
// (temp_RFLAGS.TF == 1)))
EXCEPTION [#GP(0)]

IRET_FROM_PROTECTED_TO_VIRTUAL:

// temp_RIP already popped
// temp_CS already popped
// temp_RFLAGS already popped, temp_RFLAGS.VM = 1
// and CPL = 0

POP.d temp_RSP
POP.d temp_SS
POP.d temp_ES
POP.d temp_DS
POP.d temp_FS
POP.d temp_GS

// force the segments to have virtual-mode values
FOR (seg = CS, SS, ES, DS, FS, GS)
{
    seg.sel      = temp_seg
    seg.base     = temp_seg SHL 4
    seg.limit   = 0x0000FFFF
    IF (seg == CS)
        CS.attr  = 16-bit dpl3 code
    ELSEIF (seg == SS)
        SS.attr  = 16-bit dpl3 stack
    ELSE
        seg.attr = 16-bit dpl3 data
}

RSP.d      = temp_RSP
RFLAGS.d = temp_RFLAGS
CPL      = 3

temp_oldSSP = SSP

IF (ShadowStacksEnabled(old CPL)) // old CPL is 0 at this point
{
    // check shadow stack token, clear busy
    bool invalid_token = FALSE
    < start atomic section >
    temp_Token= SSTK_READ_MEM.q [temp_oldSSP] // read supervisor sstk token
```

```

IF ((temp_Token AND 0x01) != 1)
    invalid_Token = TRUE                                // token busy bit must be 1
IF ((temp_Token AND ~0x01) != temp_oldSSP)
    invalid_Token = TRUE                                // address in token must = oldSSP
IF (!invalid_Token)
    temp_Token = temp_Token AND ~0x01                  // clear token busy, if valid
SSTK_WRITE_MEM.q [temp_oldSSP] = temp_Token // writeback token
< end atomic section >
}      // end shadow stacks enabled at old CPL

RIP = temp_RIP AND 0x0000FFFF
EXIT // end IRET FROM PROTECTED TO VIRTUAL

```

## Related Instructions

INT, INTO, INT3

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
| M  | M   | M   | M  | M  | M  | M  | M     | M  | M  | M  | M  | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                                                                                                                                                    |
|----------------------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Segment not present, #NP<br>(selector) |      |                 | X         | The return code segment was marked not present.                                                                                                                                                                                                                                                       |
| Stack, #SS                             | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                                                                                                                                                                                                               |
| Stack, #SS<br>(selector)               |      |                 | X         | The SS register was loaded with a non-null segment selector and the segment was marked not present.                                                                                                                                                                                                   |
|                                        | X    | X               | X         | The target offset exceeded the code segment limit or was non-canonical.                                                                                                                                                                                                                               |
| General protection,<br>#GP             |      | X               |           | IOPL was less than 3 and one of the following conditions was true: <ul style="list-style-type: none"> <li>• CR4.VME was 0.</li> <li>• The effective operand size was 32-bit.</li> <li>• Both the original EFLAGS.VIP and the new EFLAGS.IF were set.</li> <li>• The new EFLAGS.TF was set.</li> </ul> |
|                                        |      |                 | X         | IRET <sub>x</sub> was executed in long mode while EFLAGS.NT=1.                                                                                                                                                                                                                                        |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                                                                      |
|------------------------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP<br>(selector) |      | X               |           | The return code selector was a null selector.                                                                                                                                                                           |
|                                          |      | X               |           | The return stack selector was a null selector and the return mode was non-64-bit mode or CPL was 3.                                                                                                                     |
|                                          |      | X               |           | The return code or stack descriptor exceeded the descriptor table limit.                                                                                                                                                |
|                                          |      | X               |           | The return code or stack selector's TI bit was set but the LDT selector was a null selector.                                                                                                                            |
|                                          |      | X               |           | The segment descriptor for the return code was not a code segment.                                                                                                                                                      |
|                                          |      | X               |           | The RPL of the return code segment selector was less than the CPL.                                                                                                                                                      |
|                                          |      | X               |           | The return code segment was non-conforming and the segment selector's DPL was not equal to the RPL of the code segment's segment selector.                                                                              |
|                                          |      | X               |           | The return code segment was conforming and the segment selector's DPL was greater than the RPL of the code segment's segment selector.                                                                                  |
|                                          |      | X               |           | The segment descriptor for the return stack was not a writable data segment.                                                                                                                                            |
|                                          |      | X               |           | The stack segment descriptor DPL was not equal to the RPL of the return code segment selector.                                                                                                                          |
| Page fault, #PF                          |      | X               | X         | A page fault resulted from the execution of the instruction.                                                                                                                                                            |
| Alignment check,<br>#AC                  |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled.                                                                                                                                       |
| Control-protection,<br>#CP               |      |                 | X         | The return address on the program stack did not match the address on the shadow stack, or the previous SSP is not 4 byte aligned, or the previous SSP was not <4GB when returning to 32-bit mode or compatibility mode. |

**LAR****Load Access Rights Byte**

Loads the access rights from the segment descriptor specified by a 16-bit source register or memory operand into a specified 16-bit, 32-bit, or 64-bit general-purpose register and sets the zero (ZF) flag in the rFLAGS register if successful. LAR clears the zero flag if the descriptor is invalid for any reason.

The LAR instruction checks that:

- the segment selector is not a null selector.
- the descriptor is within the GDT or LDT limit.
- the descriptor DPL is greater than or equal to both the CPL and RPL, or the segment is a conforming code segment.
- the descriptor type is valid for the LAR instruction. Valid descriptor types are shown in the following table. LDT and TSS descriptors in 64-bit mode, and call-gate descriptors in long mode, are only valid if bits 12:8 of doubleword +12 are zero.

See APM Volume 2, Section 6.4 for more information on checking access rights using LAR.

| Valid Descriptor Type |           | Description                    |
|-----------------------|-----------|--------------------------------|
| Legacy Mode           | Long Mode |                                |
| All                   | All       | All code and data descriptors  |
| 1                     | —         | Available 16-bit TSS           |
| 2                     | 2         | LDT                            |
| 3                     | —         | Busy 16-bit TSS                |
| 4                     | —         | 16-bit call gate               |
| 5                     | —         | Task gate                      |
| 9                     | 9         | Available 32-bit or 64-bit TSS |
| B                     | B         | Busy 32-bit or 64-bit TSS      |
| C                     | C         | 32-bit or 64-bit call gate     |

If the segment descriptor passes these checks, the attributes are loaded into the destination general-purpose register. If it does not, then the zero flag is cleared and the destination register is not modified.

When the operand size is 16 bits, access rights include the DPL and Type fields located in bytes 4 and 5 of the descriptor table entry. Before loading the access rights into the destination operand, the low order word is masked with FF00H.

When the operand size is 32 or 64 bits, access rights include the DPL and type as well as the descriptor type (S field), segment present (P flag), available to system (AVL flag), default operation size (D/B

flag), and granularity flags located in bytes 4–7 of the descriptor. Before being loaded into the destination operand, the doubleword is masked with 00FF\_FF00H.

In 64-bit mode, for both 32-bit and 64-bit operand sizes, 32-bit register results are zero-extended to 64 bits.

This instruction can only be executed in protected mode.

| Mnemonic             | Opcode   | Description                                                                                                                                                        |
|----------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| LAR reg16, reg/mem16 | 0F 02 /r | Reads the GDT/LDT descriptor referenced by the 16-bit source operand, masks the attributes with FF00h and saves the result in the 16-bit destination register.     |
| LAR reg32, reg/mem16 | 0F 02 /r | Reads the GDT/LDT descriptor referenced by the 16-bit source operand, masks the attributes with 00FFFF00h and saves the result in the 32-bit destination register. |
| LAR reg64, reg/mem16 | 0F 02 /r | Reads the GDT/LDT descriptor referenced by the 16-bit source operand, masks the attributes with 00FFFF00h and saves the result in the 64-bit destination register. |

## Related Instructions

ARPL, LSL, VERR, VERW

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    | M  |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or zero is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               |           | This instruction is only recognized in protected mode.                            |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP |      |                 | X         | A memory address exceeded the data segment limit or was non-canonical.            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC       |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**LGDT****Load Global Descriptor Table Register**

Loads the pseudo-descriptor specified by the source operand into the global descriptor table register (GDTR). The pseudo-descriptor is a memory location containing the GDTR base and limit. In legacy and compatibility mode, the pseudo-descriptor is 6 bytes; in 64-bit mode, it is 10 bytes.

If the operand size is 16 bits, the high-order byte of the 6-byte pseudo-descriptor is not used. The lower two bytes specify the 16-bit limit and the third, fourth, and fifth bytes specify the 24-bit base address. The high-order byte of the GDTR is filled with zeros.

If the operand size is 32 bits, the lower two bytes specify the 16-bit limit and the upper four bytes specify a 32-bit base address.

In 64-bit mode, the lower two bytes specify the 16-bit limit and the upper eight bytes specify a 64-bit base address. In 64-bit mode, operand-size prefixes are ignored and the operand size is forced to 64-bits; therefore, the pseudo-descriptor is always 10 bytes.

This instruction is only used in operating system software and must be executed at CPL 0. It is typically executed once in real mode to initialize the processor before switching to protected mode.

LGDT is a serializing instruction.

| Mnemonic             | Opcode   | Description                                                      |
|----------------------|----------|------------------------------------------------------------------|
| LGDT <i>mem16:32</i> | 0F 01 /2 | Loads <i>mem16:32</i> into the global descriptor table register. |
| LGDT <i>mem16:64</i> | 0F 01 /2 | Loads <i>mem16:64</i> into the global descriptor table register. |

**Related Instructions**

LIDT, LLDT, LTR, SGDT, SIDT, SLDT, STR

**rFLAGS Affected**

None

**Exceptions**

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|---------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | The operand was a register.                                             |
| Stack, #SS          | X    |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                     |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------|
| General protection,<br>#GP | X    |                 | X         | A memory address exceeded the data segment limit or was non-canonical. |
|                            |      | X               | X         | CPL was not 0.                                                         |
|                            |      |                 | X         | The new GDT base address was non-canonical.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                      |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.           |

**LIDT****Load Interrupt Descriptor Table Register**

Loads the pseudo-descriptor specified by the source operand into the interrupt descriptor table register (IDTR). The pseudo-descriptor is a memory location containing the IDTR base and limit. In legacy and compatibility mode, the pseudo-descriptor is six bytes; in 64-bit mode, it is 10 bytes.

If the operand size is 16 bits, the high-order byte of the 6-byte pseudo-descriptor is not used. The lower two bytes specify the 16-bit limit and the third, fourth, and fifth bytes specify the 24-bit base address. The high-order byte of the IDTR is filled with zeros.

If the operand size is 32 bits, the lower two bytes specify the 16-bit limit and the upper four bytes specify a 32-bit base address.

In 64-bit mode, the lower two bytes specify the 16-bit limit, and the upper eight bytes specify a 64-bit base address. In 64-bit mode, operand-size prefixes are ignored and the operand size is forced to 64-bits; therefore, the pseudo-descriptor is always 10 bytes.

This instruction is only used in operating system software and must be executed at CPL 0. It is normally executed once in real mode to initialize the processor before switching to protected mode.

LIDT is a serializing instruction.

| Mnemonic             | Opcode   | Description                                                         |
|----------------------|----------|---------------------------------------------------------------------|
| LIDT <i>mem16:32</i> | 0F 01 /3 | Loads <i>mem16:32</i> into the interrupt descriptor table register. |
| LIDT <i>mem16:64</i> | 0F 01 /3 | Loads <i>mem16:64</i> into the interrupt descriptor table register. |

**Related Instructions**

LGDT, LLDT, LTR, SGDT, SIDT, SLDT, STR

**rFLAGS Affected**

None

**Exceptions**

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|---------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | The operand was a register.                                             |
| Stack, #SS          | X    |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                     |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------|
| General protection,<br>#GP | X    |                 | X         | A memory address exceeded the data segment limit or was non-canonical. |
|                            |      | X               | X         | CPL was not 0.                                                         |
|                            |      |                 | X         | The new IDT base address was non-canonical.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                      |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.           |

**LLDT****Load Local Descriptor Table Register**

Loads the specified segment selector into the visible portion of the local descriptor table (LDT). The processor uses the selector to locate the descriptor for the LDT in the global descriptor table. It then loads this descriptor into the hidden portion of the LDTR.

If the source operand is a null selector, the LDTR is marked invalid and all references to descriptors in the LDT will generate a general protection exception (#GP), except for the LAR, VERR, VERW or LSL instructions.

In legacy and compatibility modes, the LDT descriptor is 8 bytes long and contains a 32-bit base address.

In 64-bit mode, the LDT descriptor is 16-bytes long and contains a 64-bit base address. The LDT descriptor type (02h) is redefined in 64-bit mode for use as the 16-byte LDT descriptor.

This instruction must be executed in protected mode. It is only provided for use by operating system software at CPL 0.

LLDT is a serializing instruction.

| Mnemonic          | Opcode   | Description                                                                                                         |
|-------------------|----------|---------------------------------------------------------------------------------------------------------------------|
| LLDT<br>reg/mem16 | 0F 00 /2 | Load the 16-bit segment selector into the local descriptor table register and load the LDT descriptor from the GDT. |

**Related Instructions**

LGDT, LIDT, LTR, SGDT, SIDT, SLDT, STR

**rFLAGS Affected**

None

**Exceptions**

| Exception                              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD                    | X    | X               |           | This instruction is only recognized in protected mode.                  |
| Segment not present,<br>#NP (selector) |      |                 | X         | The LDT descriptor was marked not present.                              |
| Stack, #SS                             |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection,<br>#GP             |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                                        |      |                 | X         | CPL was not 0.                                                          |
|                                        |      |                 | X         | A null data segment was used to reference memory.                       |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                     |
|------------------------------------------|------|-----------------|-----------|------------------------------------------------------------------------|
| General protection,<br>#GP<br>(selector) |      |                 | X         | The source selector did not point into the GDT.                        |
|                                          |      |                 | X         | The descriptor was beyond the GDT limit.                               |
|                                          |      |                 | X         | The descriptor was not an LDT descriptor.                              |
|                                          |      |                 | X         | The descriptor's extended attribute bits were not zero in 64-bit mode. |
|                                          |      |                 | X         | The new LDT base address was non-canonical.                            |
| Page fault, #PF                          |      |                 | X         | A page fault resulted from the execution of the instruction.           |

## LMSW

## Load Machine Status Word

Loads the lower four bits of the 16-bit register or memory operand into bits 3:0 of the machine status word in register CR0. Only the protection enabled (PE), monitor coprocessor (MP), emulation (EM), and task switched (TS) bits of CR0 are modified. Additionally, LMSW can set CR0.PE, but cannot clear it.

The LMSW instruction can be used only when the current privilege level is 0. It is only provided for compatibility with early processors.

Use the MOV CR0 instruction to load all 32 or 64 bits of CR0.

| Mnemonic       | Opcode   | Description                                                       |
|----------------|----------|-------------------------------------------------------------------|
| LMSW reg/mem16 | 0F 01 /6 | Load the lower 4 bits of the source into the lower 4 bits of CR0. |

### Related Instructions

MOV CR $n$ , SMSW

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Stack, #SS                 | X    |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection,<br>#GP | X    |                 | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                            |      | X               | X         | CPL was not 0.                                                          |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.            |

**LSL****Load Segment Limit**

Loads the segment limit from the segment descriptor specified by a 16-bit source register or memory operand into a specified 16-bit, 32-bit, or 64-bit general-purpose register and sets the zero (ZF) flag in the rFLAGS register if successful. LSL clears the zero flag if the descriptor is invalid for any reason.

In 64-bit mode, for both 32-bit and 64-bit operand sizes, 32-bit register results are zero-extended to 64 bits.

The LSL instruction checks that:

- the segment selector is not a null selector.
- the descriptor is within the GDT or LDT limit.
- the descriptor DPL is greater than or equal to both the CPL and RPL, or the segment is a conforming code segment.
- the descriptor type is valid for the LAR instruction. Valid descriptor types are shown in the following table. LDT and TSS descriptors in 64-bit mode are only valid if bits 12:8 of doubleword +12 are zero, as described in “System Descriptors” in APM Volume 2.

| Valid Descriptor Type |           | Description                    |
|-----------------------|-----------|--------------------------------|
| Legacy Mode           | Long Mode |                                |
| —                     | —         | All code and data descriptors  |
| 1                     | —         | Available 16-bit TSS           |
| 2                     | 2         | LDT                            |
| 3                     | —         | Busy 16-bit TSS                |
| 9                     | 9         | Available 32-bit or 64-bit TSS |
| B                     | B         | Busy 32-bit or 64-bit TSS      |

If the segment selector passes these checks and the segment limit is loaded into the destination general-purpose register, the instruction sets the zero flag of the rFLAGS register to 1. If the selector does not pass the checks, then LSL clears the zero flag to 0 and does not modify the destination.

The instruction calculates the segment limit to 32 bits, taking the 20-bit limit and the granularity bit into account. When the operand size is 16 bits, it truncates the upper 16 bits of the 32-bit adjusted segment limit and loads the lower 16-bits into the target register.

| Mnemonic             | Opcode   | Description                                                                                                                     |
|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------|
| LSL reg16, reg/mem16 | 0F 03 /r | Loads a 16-bit general-purpose register with the segment limit for a selector specified in a 16-bit memory or register operand. |

LSL reg32, reg/mem16 0F 03 /r

Loads a 32-bit general-purpose register with the segment limit for a selector specified in a 16-bit memory or register operand.

LSL reg64, reg/mem16 0F 03 /r

Loads a 64-bit general-purpose register with the segment limit for a selector specified in a 16-bit memory or register operand.

## Related Instructions

ARPL, LAR, VERR, VERW

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    | M  |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               |           | This instruction is only recognized in protected mode.                            |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**LTR****Load Task Register**

Loads the specified segment selector into the visible portion of the task register (TR). The processor uses the selector to locate the descriptor for the TSS in the global descriptor table. It then loads this descriptor into the hidden portion of TR. The TSS descriptor in the GDT is marked busy, but no task switch is made.

If the source operand is null, a general protection exception (#GP) is generated.

In legacy and compatibility modes, the TSS descriptor is 8 bytes long and contains a 32-bit base address.

In 64-bit mode, the instruction references a 64-bit descriptor to load a 64-bit base address. The TSS type (09H) is redefined in 64-bit mode for use as the 16-byte TSS descriptor.

This instruction must be executed in protected mode when the current privilege level is 0. It is only provided for use by operating system software.

The operand size attribute has no effect on this instruction.

LTR is a serializing instruction.

| Mnemonic      | Opcode   | Description                                                                                       |
|---------------|----------|---------------------------------------------------------------------------------------------------|
| LTR reg/mem16 | 0F 00 /3 | Load the 16-bit segment selector into the task register and load the TSS descriptor from the GDT. |

**Related Instructions**

LGDT, LIDT, LLDT, STR, SGDT, SIDT, SLDT

**rFLAGS Affected**

None

**Exceptions**

| Exception                              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD                    | X    | X               |           | This instruction is only recognized in protected mode.                  |
| Segment not present,<br>#NP (selector) |      |                 | X         | The TSS descriptor was marked not present.                              |
| Stack, #SS                             |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |

| Exception                                | Real | Virtual<br>8086 | Protected | Cause of Exception                                                     |
|------------------------------------------|------|-----------------|-----------|------------------------------------------------------------------------|
| General protection,<br>#GP               |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.   |
|                                          |      |                 | X         | CPL was not 0.                                                         |
|                                          |      |                 | X         | A null data segment was used to reference memory.                      |
|                                          |      |                 | X         | The new TSS selector was a null selector.                              |
| General protection,<br>#GP<br>(selector) |      |                 | X         | The source selector did not point into the GDT.                        |
|                                          |      |                 | X         | The descriptor was beyond the GDT limit.                               |
|                                          |      |                 | X         | The descriptor was not an available TSS descriptor.                    |
|                                          |      |                 | X         | The descriptor's extended attribute bits were not zero in 64-bit mode. |
|                                          |      |                 | X         | The new TSS base address was non-canonical.                            |
| Page fault, #PF                          |      |                 | X         | A page fault resulted from the execution of the instruction.           |

## MONITOR

## Setup Monitor Address

Establishes a linear address range of memory for hardware to monitor and puts the processor in the monitor event pending state. When in the monitor event pending state, the monitoring hardware detects stores to the specified linear address range and causes the processor to exit the monitor event pending state. The MWAIT instruction uses the state of the monitor hardware.

The address range should be a write-back memory type. Executing MONITOR on an address range for a non-write-back memory type is not guaranteed to cause the processor to enter the monitor event pending state. The size of the linear address range that is established by the MONITOR instruction can be determined by CPUID function 0000\_0005h.

The [rAX] register provides the effective address. The DS segment is the default segment used to create the linear address. Segment overrides may be used with the MONITOR instruction.

The ECX register specifies optional extensions for the MONITOR instruction. There are currently no extensions defined and setting any bits in ECX will result in a #GP exception. The ECX register operand is implicitly 32-bits.

The EDX register specifies optional hints for the MONITOR instruction. There are currently no hints defined and EDX is ignored by the processor. The EDX register operand is implicitly 32-bits.

The MONITOR instruction can be executed at CPL 0 and is allowed at CPL > 0 only if MSR C001\_0015h[MonMwaitUserEn] = 1. When MSR C001\_0015h[MonMwaitUserEn] = 0, MONITOR generates #UD at CPL > 0. (See the *BIOS and Kernel Developer's Guide* applicable to your product for specific details on MSR C001\_0015h.)

MONITOR performs the same segmentation and paging checks as a 1-byte read.

Support for the MONITOR instruction is indicated by CPUID Fn0000\_0001\_ECX[MONITOR] = 1. Software must check the CPUID bit once per program or library initialization before using the MONITOR instruction, or inconsistent behavior may result. Software designed to run at CPL greater than 0 must also check for availability by testing whether executing MONITOR causes a #UD exception.

The following pseudo-code shows typical usage of a MONITOR/MWAIT pair:

```
EAX = Linear_Address_to_Monitor;
ECX = 0; // Extensions
EDX = 0; // Hints

while (!matching_store_done) {
    MONITOR EAX, ECX, EDX
    IF (!matching_store_done) {
        MWAIT EAX, ECX
    }
}
```

| Mnemonic | Opcode   | Description                                                                                        |
|----------|----------|----------------------------------------------------------------------------------------------------|
| MONITOR  | 0F 01 C8 | Establishes a linear address range to be monitored by hardware and activates the monitor hardware. |

## Related Instructions

MWAIT, MONITORX, MWAITX

## rFLAGS Affected

None

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                     |
|-------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               | X         | The MONITOR/MWAIT instructions are not supported, as indicated by CPUID Fn0000_0001(ECX)[MONITOR] = 0. |
|                         |      | X               | X         | CPL was not 0 and MSR C001_0015[MonMwaitUserEn] = 0.                                                   |
| Stack, #SS              | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.                                |
| General protection, #GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.                                   |
|                         | X    | X               | X         | ECX was non-zero.                                                                                      |
|                         |      |                 | X         | A null data segment was used to reference memory.                                                      |
| Page Fault, #PF         |      | X               | X         | A page fault resulted from the execution of the instruction.                                           |

## MOV CR $n$

## Move to/from Control Registers

Moves the contents of a 32-bit or 64-bit general-purpose register to a control register or vice versa.

In 64-bit mode, the operand size is fixed at 64 bits without the need for a REX prefix. In non-64-bit mode, the operand size is fixed at 32 bits and the upper 32 bits of the destination are forced to 0.

CR0 maintains the state of various control bits. CR2 and CR3 are used for page translation. CR4 holds various feature enable bits. CR8 is used to prioritize external interrupts. CR1, CR5, CR6, CR7, and CR9 through CR15 are all reserved and raise an undefined opcode exception (#UD) if referenced.

CR8 can be read and written in 64-bit mode, using a REX prefix. CR8 can be read and written in all modes using a LOCK prefix instead of a REX prefix to specify the additional opcode bit. To verify whether the LOCK prefix can be used in this way, check for support of this feature. CPUID Fn8000\_0001\_ECX[AltMovCr8] = 1, indicates that this feature is supported.

For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

CR8 can also be read and modified using the task priority register described in “System-Control Registers” in APM Volume 2.

This instruction is always treated as a register-to-register (MOD = 11) instruction, regardless of the encoding of the MOD field in the MODR/M byte.

MOV CR $n$  is a privileged instruction and must always be executed at CPL = 0.

MOV CR $n$  is a serializing instruction.

| Mnemonic           | Opcode     | Description                                       |
|--------------------|------------|---------------------------------------------------|
| MOV CR $n$ , reg32 | 0F 22 /r   | Move the contents of a 32-bit register to CR $n$  |
| MOV CR $n$ , reg64 | 0F 22 /r   | Move the contents of a 64-bit register to CR $n$  |
| MOV reg32, CR $n$  | 0F 20 /r   | Move the contents of CR $n$ to a 32-bit register. |
| MOV reg64, CR $n$  | 0F 20 /r   | Move the contents of CR $n$ to a 64-bit register. |
| MOV CR8, reg32     | F0 0F 22/r | Move the contents of a 32-bit register to CR8.    |
| MOV CR8, reg64     | F0 0F 22/r | Move the contents of a 64-bit register to CR8.    |
| MOV reg32, CR8     | F0 0F 20/r | Move the contents of CR8 into a 32-bit register.  |
| MOV reg64, CR8     | F0 0F 20/r | Move the contents of CR8 into a 64-bit register.  |

### Related Instructions

CLTS, LMSW, SMSW

**rFLAGS Affected**

None

**Exceptions**

| Exception                   | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                |
|-----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid Instruction,<br>#UD | X    | X               | X         | An illegal control register was referenced (CR1, CR5–CR7, CR9–CR15).                                                                                              |
|                             | X    | X               | X         | The use of the LOCK prefix to read CR8 is not supported, as indicated by CPUID Fn8000_0001_ECX[AltMovCr8] = 0.                                                    |
| General protection,<br>#GP  |      | X               | X         | CPL was not 0.                                                                                                                                                    |
|                             | X    |                 | X         | An attempt was made to set CR0.PG = 1 and CR0.PE = 0.                                                                                                             |
|                             | X    |                 | X         | An attempt was made to set CR0.CD = 0 and CR0.NW = 1.                                                                                                             |
|                             | X    |                 | X         | Reserved bits were set in the page-directory pointers table (used in the legacy extended physical addressing mode) and the instruction modified CR0, CR3, or CR4. |
|                             | X    |                 | X         | An attempt was made to write 1 to any reserved bit in CR0, CR3, CR4 or CR8.                                                                                       |
|                             | X    |                 | X         | An attempt was made to set CR0.PG while long mode was enabled (EFER.LME = 1), but paging address extensions were disabled (CR4.PAE = 0).                          |
|                             |      |                 | X         | An attempt was made to clear CR4.PAE while long mode was active (EFER.LMA = 1).                                                                                   |
|                             |      |                 | X         | An attempt was made to set CR4.PCIDE=1 when long mode was disabled (EFER.LMA=0).                                                                                  |
|                             |      |                 | X         | An attempt was made to set CR4.PCIDE=1 when CR3[11:0] <>0.                                                                                                        |
|                             |      |                 | X         | An attempt was made to set CR0.PG=0 when CR4.PCIDE=1.                                                                                                             |

## MOV DR $n$

## Move to/from Debug Registers

Moves the contents of a debug register into a 32-bit or 64-bit general-purpose register or vice versa.

In 64-bit mode, the operand size is fixed at 64 bits without the need for a REX prefix. In non-64-bit mode, the operand size is fixed at 32-bits and the upper 32 bits of the destination are forced to 0.

DR0 through DR3 are linear breakpoint address registers. DR6 is the debug status register and DR7 is the debug control register. DR4 and DR5 are aliased to DR6 and DR7 if CR4.DE = 0, and are reserved if CR4.DE = 1.

DR8 through DR15 are reserved and generate an undefined opcode exception if referenced.

These instructions are privileged and must be executed at CPL 0.

The MOV DR $n$ , reg32 and MOV DR $n$ , reg64 instructions are serializing instructions.

The MOV(DR) instruction is always treated as a register-to-register (MOD = 11) instruction, regardless of the encoding of the MOD field in the MODR/M byte.

See “Debug and Performance Resources” in APM Volume 2 for details.

| Mnemonic           | Opcode   | Description                                        |
|--------------------|----------|----------------------------------------------------|
| MOV reg32, DR $n$  | 0F 21 /r | Move the contents of DR $n$ to a 32-bit register.  |
| MOV reg64, DR $n$  | 0F 21 /r | Move the contents of DR $n$ to a 64-bit register.  |
| MOV DR $n$ , reg32 | 0F 23 /r | Move the contents of a 32-bit register to DR $n$ . |
| MOV DR $n$ , reg64 | 0F 23 /r | Move the contents of a 64-bit register to DR $n$ . |

### Related Instructions

None

### rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Debug, #DB                 | X    |                 | X         | A debug register was referenced while the general detect (GD) bit in DR7 was set. |
| Invalid opcode, #UD        | X    |                 | X         | DR4 or DR5 was referenced while the debug extensions (DE) bit in CR4 was set.     |
|                            |      |                 | X         | An illegal debug register (DR8–DR15) was referenced.                              |
| General protection,<br>#GP |      | X               | X         | CPL was not 0.                                                                    |
|                            |      |                 | X         | A 1 was written to any of the upper 32 bits of DR6 or DR7 in 64-bit mode.         |

## MWAIT

## Monitor Wait

Used in conjunction with the MONITOR instruction to cause a processor to wait until a store occurs to a specific linear address range from another processor. The previously executed MONITOR instruction causes the processor to enter the monitor event pending state. The MWAIT instruction may enter an implementation dependent power state until the monitor event pending state is exited. The MWAIT instruction has the same effect on architectural state as the NOP instruction.

Events that cause an exit from the monitor event pending state include:

- A store from another processor matches the address range established by the MONITOR instruction.
- Any unmasked interrupt, including INTR, NMI, SMI, INIT.
- RESET.
- Any far control transfer that occurs between the MONITOR and the MWAIT.

EAX specifies optional hints for the MWAIT instruction. Optimized C-state request is communicated through EAX[7:4]. The processor C-state is EAX[7:4]+1, so to request C0 is to place the value F in EAX[7:4] and to request C1 is to place the value 0 in EAX[7:4]. All other components of EAX should be zero when making the C1 request. Setting a reserved bit in EAX is ignored by the processor. This is implicitly a 32-bit operand.

ECX specifies optional extensions for the MWAIT instruction. The only extension currently defined is ECX bit 0, which allows interrupts to wake MWAIT, even when eFLAGS.IF = 0. Support for this extension is indicated by a feature flag returned by the CPUID instruction. Setting any unsupported bit in ECX results in a #GP exception. This is implicitly a 32-bit operand.

CPUID Function 0000\_0005h indicates support for extended features of MONITOR/MWAIT:

- CPUID Fn0000\_0005\_ECX[EMX] = 1 indicates support for enumeration of MONITOR/MWAIT extensions.
- CPUID Fn0000\_0005\_ECX[IBE] = 1 indicates that MWAIT can set ECX[0] to allow interrupts to cause an exit from the monitor event pending state even when eFLAGS.IF = 0.

The MWAIT instruction can be executed at CPL 0 and is allowed at CPL > 0 only if MSR C001\_0015h[MonMwaitUserEn] = 1. When MSR C001\_0015h[MonMwaitUserEn] is 0, MWAIT generates #UD at CPL > 0. (See the *BIOS and Kernel Developer's Guide* applicable to your product for specific details on MSR C001\_0015h.)

Support for the MWAIT instruction is indicated by CPUID Fn0000\_0001\_ECX[MONITOR] = 1. Software MUST check the CPUID bit once per program or library initialization before using the MWAIT instruction, or inconsistent behavior may result. Software designed to run at CPL greater than 0 must also check for availability by testing whether executing MWAIT causes a #UD exception.

The use of the MWAIT instruction is contingent upon the satisfaction of the following coding requirements:

- MONITOR must precede the MWAIT and occur in the same loop.
- MWAIT must be conditionally executed only if the awaited store has not already occurred. (This prevents a race condition between the MONITOR instruction arming the monitoring hardware and the store intended to trigger the monitoring hardware.)

The following pseudo-code shows typical usage of a MONITOR/MWAIT pair:

```
EAX = Linear_Address_to_Monitor;
ECX = 0; // Extensions
EDX = 0; // Hints

WHILE (!matching_store_done ) {
    MONITOR EAX, ECX, EDX
    IF ( !matching_store_done ) {
        MWAIT EAX, ECX
    }
}
```

| Mnemonic | Opcode   | Description                                                                                                                                     |
|----------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------|
| MWAIT    | OF 01 C9 | Causes the processor to stop instruction execution and enter an implementation-dependent optimized state until occurrence of a class of events. |

## Related Instructions

MONITOR

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                     |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | The MONITOR/MWAIT instructions are not supported, as indicated by CPUID Fn0000_0001(ECX)[MONITOR] = 0. |
|                            |      | X               | X         | CPL was not 0 and MSRC001_0015[MonMwaitUserEn] = 0.                                                    |
| General protection,<br>#GP | X    | X               | X         | Unsupported extension bits were set in ECX                                                             |

## PSMASH

## Page Smash

Expands a 2MB-page RMP entry into a corresponding set of contiguous 4KB-page RMP entries. The 2MB page's system physical address is specified in the RAX register.

The new entries inherit the attributes of the original entry. Upon completion, a return code is stored in EAX. rFLAGS bits OF, ZF, AF, PF and SF are set based on this return code.

The PSMASH instruction invalidates all TLB entries in the system that translate to the 2MB page being expanded.

This instruction is intended for hypervisor use. Attempted execution at an ASID other than 0 will result in a FAIL\_PERMISSION return code.

This is a privileged instruction. Attempted execution at a privilege level other than CPL0 will result in a #GP(0) exception. In addition, this instruction is only valid in 64-bit mode with SNP enabled; in all other modes a #UD exception will be generated.

Support for this instruction is indicated by CPUID Fn8000\_001F\_EAX[SNP]=1.

| Mnemonic | Opcode      | Description                                      |
|----------|-------------|--------------------------------------------------|
| PSMASH   | F3 0F 01 FF | Creates 512 4KB RMP entries from a 2MB RMP entry |

### Action

```

SYSTEM_PA = RAX & ~0x1FFFFF

IF (!64BIT_MODE)                                // Instruction only valid in 64-bit mode
EXCEPTION [#UD]

IF (!SYSCFG.SNP_EN)                            // Instruction only valid when SNP is enabled
EXCEPTION [#UD]

IF (CPL != 0)                                    // Instruction only allowed at CPL 0
EXCEPTION [#GP(0)]

IF (CURRENT_ASID != 0)                          // Instruction only allowed at ASID 0
EAX = FAIL_PERMISSION
EXIT

(RMP_COVERED, RMP_ENTRY_PA) = GET_RMP_ENTRY_ADDR(SYSTEM_PA)

IF (!RMP_COVERED)                               // System address must have an RMP entry
EAX = FAIL_INPUT
EXIT

temp_RMP = READ_MEM_PA.o [RMP_ENTRY_PA]

IF (temp_RMP.IMMUTABLE || !temp_RMP.ASSIGNED || (temp_RMP.PAGE_SIZE != 2MB))

```

```
EAX = FAIL_BADADDR
EXIT

temp_RMP.PAGE_SIZE = 4KB
WRITE_MEM_PA.o [RMP_ENTRY_PA] = temp_RMP

FOR (I = 1; I < 512, I++)
{
    temp_RMP.GUEST_PA = temp_RMP.GUEST_PA + 0x1000;
    WRITE_MEM_PA.o [RMP_ENTRY_PA + I * 16] = temp_RMP;
}

EAX = SUCCESS
EXIT
```

## Return Codes

| Value | Name            | Description                                       |
|-------|-----------------|---------------------------------------------------|
| 0     | SUCCESS         | Successful completion                             |
| 1     | FAIL_INPUT      | Illegal input parameters                          |
| 2     | FAIL_PERMISSION | Current ASID not 0                                |
| 3     | FAIL_INUSE      | Another processor is modifying the same RMP entry |
| 7     | FAIL_BADADDR    | The page did not meet smashing criteria           |

## Related Instructions

RMPUPDATE, PVALIDATE, RMPADJUST

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The SNP instructions are not supported as indicated by<br>CPUID Fn8000_001F_EAX[SNP] = 0 |
|                            | X    | X               | X         | This instruction is only recognized in 64-bit mode                                       |
|                            |      |                 | X         | SYSCFG[SNP_EN] was not set to 1                                                          |
| General Protection,<br>#GP |      |                 | X         | CPL was not 0                                                                            |

## PVALIDATE

## Page Validate

Validates or rescinds validation of a guest page's RMP entry. The guest virtual address is specified in the register operand rAX. The portion of RAX used to form the address is determined by the effective address size (current execution mode and optional address size prefix). The page size is specified in ECX[0]. The new RMP Validated bit is specified in EDX[0].

The PVALIDATE instruction is used by an SNP-active guest to modify the validation status of a page. The PVALIDATE instruction will attempt to access the provided page and will take a #VMEXIT(NPF) if a nested translation error occurs or the translated address is outside the range of memory covered by the RMP. Assuming no error is detected, the PVALIDATE instruction will store EDX[0] to the Validated bit in the page's RMP entry.

Upon completion, a return code is stored in EAX. rFLAGS bits OF, ZF, AF, PF and SF are set based on this return code. If the instruction completed successfully, the rFLAGS bit CF indicates if the contents of the RMP entry were changed or not.

While this instruction is intended for use in SNP-active guest system software, it is recognized in any operating mode at CPL0. If the PVALIDATE instruction is executed by an SNP-active guest and changes the Validated bit in the RMP entry, upon completion it sets rFLAGS.CF to 0. If the PVALIDATE instruction is executed in a non-SNP-active environment or does not change the Validated bit in the RMP entry, it sets rFLAGS.CF to 1 and otherwise behaves as a NOP instruction.

This is a privileged instruction. Attempted execution at a privilege level other than CPL0 will result in a #GP(0) exception.

PVALIDATE performs the same segmentation and paging checks as a 1-byte read. PVALIDATE does not invalidate TLB caches.

Support for this instruction is indicated by CPUID Fn8000\_001F\_EAX[SNP]=1.

| Mnemonic  | Opcode      | Description                    |
|-----------|-------------|--------------------------------|
| PVALIDATE | F2 0F 01 FF | Performs guest page validation |

### Action

```

GUEST_VA = rAX & ~0xFFFF
PAGE_SIZE = ECX[0]
VALIDATE_PAGE = EDX[0]

IF (CPL != 0)                                // This instruction is only allowed at CPL 0
    EXCEPTION [#GP(0)]

IF (!SNP_ACTIVE)
    rFLAGS.CF = 1                            // Set CF to indicate that the RMP was not changed
    EAX = SUCCESS
    EXIT

```

```

IF (CURRENT_VMPL != 0)
    EXCEPTION [#GP(0)]           // This instruction is only allowed at VMPL 0

IF ((PAGE_SIZE == 2MB) && (GUEST_VA[20:12] != 0))
    EAX = FAIL_INPUT             // Page size is 2MB and page is not 2MB aligned
    EXIT

(SYSTEM_PA, GUEST_PA) = TRANSLATE(GUEST_VA)
(RMP_COVERED, RMP_ENTRY_PA) = GET_RMP_ENTRY_ADDR(SYSTEM_PA)

IF (!RMP_COVERED)
    #VMEXIT(NPF)                //Translated system address must have an RMP entry

temp_RMP = READ_MEM_PA.o [RMP_ENTRY_PA]

IF (temp_RMP.IMMUTABLE || !temp_RMP.ASSIGNED ||
    (temp_RMP.GUEST_PA != GUEST_PA) || (temp_RMP.ASID != ASID) ||
    (temp_RMP.PAGE_SIZE != nPT page size) ||
    ((temp_RMP.PAGE_SIZE == 2MB) && (PAGE_SIZE == 4KB)))
    #VMEXIT(NPF)

IF ((temp_RMP.PAGE_SIZE == 4KB) && (PAGE_SIZE == 2MB))
    EAX = FAIL_SIZEMISMATCH // 2MB validation backed by 4KB pages
    EXIT

IF (temp_RMP.VALIDATED == VALIDATE_PAGE)
    rFLAGS.CF = 1
ELSE
    rFLAGS.CF = 0

temp_RMP.VALIDATED = VALIDATE_PAGE
WRITE_MEM_PA.o [RMP_ENTRY_PA] = temp_RMP
EAX = SUCCESS
EXIT

```

## Return Codes

| Value | Name              | Description                                                               |
|-------|-------------------|---------------------------------------------------------------------------|
| 0     | SUCCESS           | Successful completion (regardless of whether Validated bit changed state) |
| 1     | FAIL_INPUT        | Illegal input parameters                                                  |
| 6     | FAIL_SIZEMISMATCH | Page size mismatch between guest (2M) and RMP entry (4K)                  |

## Related Instructions

RMPUPDATE, PSMASH, RMPADJUST

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The SNP instructions are not supported as indicated by<br>CPUID Fn8000_001F_EAX[SNP] = 0 |
| General Protection,<br>#GP |      | X               | X         | CPL was not 0                                                                            |
|                            | X    | X               | X         | Current VMPL was not zero                                                                |
| Page Fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction                              |
|                            |      |                 | X         | The effective C-bit was a 0 during the guest page table walk                             |

## RDMSR

## Read Model-Specific Register

Loads the contents of a 64-bit model-specific register (MSR) specified in the ECX register into registers EDX:EAX. The EDX register receives the high-order 32 bits and the EAX register receives the low order bits. The RDMSR instruction ignores operand size; ECX always holds the MSR number, and EDX:EAX holds the data. If a model-specific register has fewer than 64 bits, the unimplemented bit positions loaded into the destination registers are undefined.

This instruction must be executed at a privilege level of 0 or a general protection exception (#GP) will be raised. This exception is also generated if a reserved or unimplemented model-specific register is specified in ECX.

Support for the RDMSR instruction is indicated by CPUID Fn0000\_0001\_EDX[MSR] = 1 OR CPUID Fn8000\_0001\_EDX[MSR] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

For more information about model-specific registers, see the documentation for various hardware implementations and “Model-Specific Registers (MSRs)” in APM Volume 2.

| Mnemonic | Opcode | Description                             |
|----------|--------|-----------------------------------------|
| RDMSR    | 0F 32  | Copy MSR specified by ECX into EDX:EAX. |

### Related Instructions

WRMSR, RDTSC, RDPMC

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                        |
|----------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The RDMSR instruction is not supported, as indicated by CPUID Fn0000_0001_EDX[MSR] = 0 or CPUID Fn8000_0001_EDX[MSR] = 0. |
| General protection,<br>#GP |      | X               | X         | CPL was not 0.                                                                                                            |
|                            | X    |                 | X         | The value in ECX specifies a reserved or unimplemented MSR address.                                                       |

**RDPKRU****Read Protection Key Rights**

Loads the contents of the 32-bit Protection Key Rights (PKRU) register into RAX[31:0] and clears the upper 32 bits of RAX. RDX is also cleared to 0. The RDPKRU instruction ignores operand size.

This instruction must be executed with ECX=0, otherwise a general protection fault (#GP) is generated. The upper 32 bits of RCX are ignored. Memory protection keys must be enabled (CR4.PKE=1), otherwise executing this instruction generates an invalid opcode fault (#UD).

Software can check that the operating system has enabled memory protection keys (CR4.PKE=1) by testing CPUID Function 0000\_0007h\_ECX[OSPKE]. (See Section 5, “Protection Key Rights for User Pages” in APM Volume 2 for more information on memory protection keys.)

RDPKRU can be executed at any privilege level.

| Mnemonic | Opcode   | Description                              |
|----------|----------|------------------------------------------|
| RDPKRU   | 0F 01 EE | Read the PKRU MSR into EAX and clear RDX |

**Related Instructions**

WRPKRU

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception |
|----------------------------|------|-----------------|-----------|--------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | CR4.PKE=0          |
| General protection,<br>#GP |      |                 | X         | ECX was not zero   |

**RDPMC****Read Performance-Monitoring Counter**

Reads the contents of a 64-bit performance counter and returns it in the registers EDX:EAX. The ECX register is used to specify the index of the performance counter to be read. The EDX register receives the high-order 32 bits and the EAX register receives the low order 32 bits of the counter. The RDPMC instruction ignores operand size; the index and the return values are all 32 bits.

The base architecture supports four core performance counters: PerfCtr0–3. An extension to the architecture increases the number of core performance counters to 6 (PerfCtr0–5). Other extensions add up to 16 Northbridge performance counters NB\_PerfCtr0–15 and four L2 cache performance counters L2I\_PerfCtr0–3.

The table below lists supported performance counters and the corresponding CPUID feature flags.

| <b>ECX</b> | <b>Supported Performance Counters</b> | <b>CPUID Feature Flag</b>                                                       |
|------------|---------------------------------------|---------------------------------------------------------------------------------|
| 0–3        | Core performance counters 0–3         | All processors                                                                  |
| 4–5        | Core performance counters 4–5         | Fn8000_0001(ECX[PerfCtrExtCore] = 1)                                            |
| 6–9        | Northbridge performance counters 0–3  | Fn8000_0001(ECX[PerfCtrExtNB] = 1)                                              |
| 10–15      | L3 Cache performance counters 0–5     | Fn8000_0001(ECX[PerfCtrExtLLC] = 1)                                             |
| 16–27      | Northbridge performance counters 4–15 | Fn8000_0022(EBX[NumPerfCtrNB] > Northbridge performance counter number (4–15)). |
| > 27       | Reserved                              |                                                                                 |

For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

Programs running at any privilege level can read performance monitor counters if the PCE flag in CR4 is set to 1; otherwise this instruction must be executed at a privilege level of 0.

This instruction is not serializing. Therefore, there is no guarantee that all instructions have completed at the time the performance counter is read.

For more information about performance-counter registers, see the documentation for various hardware implementations and “Performance Counters” in APM Volume 2.

**Instruction Encoding**

| <b>Mnemonic</b> | <b>Opcode</b> | <b>Description</b>                                                  |
|-----------------|---------------|---------------------------------------------------------------------|
| RDPMC           | 0F 33         | Copy the performance monitor counter specified by ECX into EDX:EAX. |

**Related Instructions**

RDMSR, WRMSR

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| General Protection,<br>#GP | X    | X               | X         | The value in ECX specified an unimplemented performance counter number. |
|                            |      | X               | X         | CPL was not 0 and CR4.PCE = 0.                                          |

## RDSSP

## Read Shadow Stack Pointer

Reads the current Shadow Stack Pointer (SSP) to the specified GPR. The operand size is 64 bits in 64-bit mode when REX.W=1 and is 32 bits in all other cases. RDSSP is treated as a NOP if CR4.CET = 0, or if shadow stacks are not enabled at the current privilege level.

| Mnemonic            | Opcode      | Description                    |
|---------------------|-------------|--------------------------------|
| RDSSPD <i>reg32</i> | F3 0F 1E /1 | Read SSP[31:0] to <i>reg32</i> |
| RDSSPQ <i>reg64</i> | F3 0F 1E /1 | Read SSP[63:0] to <i>reg64</i> |

### Action

```
IF (((CPL==3) && SSTK_USER_ENABLED) || ((CPL!=3) && SSTK_SUPV_ENABLED))  
    IF (OPERAND_SIZE == 64)  
        reg64 = SSP  
    ELSE  
        reg32 = SSP[31:0]  
    EXIT
```

### Related Instructions

RDSSP, RSTORSSP

### rFLAGS Affected

None

### Exceptions

None.

## RDTSC

## Read Time-Stamp Counter

Loads the value of the processor’s 64-bit time-stamp counter into registers EDX:EAX.

The time-stamp counter (TSC) is contained in a 64-bit model-specific register (MSR). The processor sets the counter to 0 upon reset and increments the counter every clock cycle. INIT does not modify the TSC.

The high-order 32 bits are loaded into EDX, and the low-order 32 bits are loaded into the EAX register. This instruction ignores operand size.

When the time-stamp disable flag (TSD) in CR4 is set to 1, the RDTSC instruction can only be used at privilege level 0. If the TSD flag is 0, this instruction can be used at any privilege level.

This instruction is not serializing. Therefore, there is no guarantee that all instructions have completed at the time the time-stamp counter is read.

The behavior of the RDTSC instruction is implementation dependent. The TSC counts at a constant rate, but may be affected by power management events (such as frequency changes), depending on the processor implementation. If CPUID Fn8000\_0007\_EDX[TscInvariant] = 1, then the TSC rate is ensured to be invariant across all P-States, C-States, and stop-grant transitions (such as STPCLK Throttling); therefore, the TSC is suitable for use as a source of time. Consult the *BIOS and Kernel Developer’s Guide* applicable to your product for information concerning the effect of power management on the TSC.

Support for the RDTSC instruction is indicated by CPUID Fn0000\_0001\_EDX[TSC] = 1 OR CPUID Fn8000\_0001\_EDX[TSC] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

### Instruction Encoding

| Mnemonic | Opcode | Description                               |
|----------|--------|-------------------------------------------|
| RDTSC    | 0F 31  | Copy the time-stamp counter into EDX:EAX. |

### Related Instructions

RDTSCP, RDMSR, WRMSR

### rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                        |
|----------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | The RDTSC instruction is not supported, as indicated by CPUID Fn0000_0001_EDX[TSC] = 0 OR CPUID Fn8000_0001_EDX[TSC] = 0. |
| General protection,<br>#GP |      | X               | X         | CPL was not 0 and CR4.TSD = 1.                                                                                            |

## RDTSCP

### Read Time-Stamp Counter and Processor ID

Loads the value of the processor's 64-bit time-stamp counter into registers EDX:EAX, and loads the value of TSC\_AUX into ECX. This instruction ignores operand size.

The time-stamp counter is contained in a 64-bit model-specific register (MSR). The processor sets the counter to 0 upon reset and increments the counter every clock cycle. INIT does not modify the TSC.

The high-order 32 bits are loaded into EDX, and the low-order 32 bits are loaded into the EAX register.

The TSC\_AUX value is contained in the low-order 32 bits of the TSC\_AUX register (MSR address C000\_0103h). This MSR is initialized by privileged software to any meaningful value, such as a processor ID, that software wants to associate with the returned TSC value.

When the time-stamp disable flag (TSD) in CR4 is set to 1, the RDTSCP instruction can only be used at privilege level 0. If the TSD flag is 0, this instruction can be used at any privilege level.

Unlike the RDTSCL instruction, RDTSCP forces all older instructions to retire before reading the time-stamp counter.

The behavior of the RDTSCP instruction is implementation dependent. The TSC counts at a constant rate, but may be affected by power management events (such as frequency changes), depending on the processor implementation. If CPUID Fn8000\_0007\_EDX[TscInvariant] = 1, then the TSC rate is ensured to be invariant across all P-States, C-States, and stop-grant transitions (such as STPCLK Throttling); therefore, the TSC is suitable for use as a source of time. Consult the *BIOS and Kernel Developer's Guide* applicable to your product for information concerning the effect of power management on the TSC.

Support for the RDTSCP instruction is indicated by CPUID Fn8000\_0001\_EDX[RDTSCP] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

#### Instruction Encoding

| Mnemonic | Opcode   | Description                                                                 |
|----------|----------|-----------------------------------------------------------------------------|
| RDTSCP   | 0F 01 F9 | Copy the time-stamp counter into EDX:EAX and the TSC_AUX register into ECX. |

#### Related Instructions

RDTSC

#### rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                          |
|----------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | The RDTSCP instruction is not supported, as indicated by CPUID Fn8000_0001_EDX[RDTSCP] = 0. |
| General protection,<br>#GP |      | X               | X         | CPL was not 0 and CR4.TSD = 1.                                                              |

## RMPADJUST

## Adjust RMP Permissions

Modifies RMP permissions for a guest page. The guest virtual address is specified in the RAX register. The page size is specified in RCX[0]. The target VMPL and its permissions are specified in the RDX register as follows:

| RDX bits | Field            | Description                                                                                                      |
|----------|------------------|------------------------------------------------------------------------------------------------------------------|
| [63:17]  | RESERVED         |                                                                                                                  |
| [16]     | VMSA             | Indicates if the page may be used as a VM Save Area page. This bit is ignored whenever the current VMPL is not 0 |
| [15:8]   | TARGET_PERM_MASK | Desired permission mask settings                                                                                 |
| [7:0]    | TARGET_VMPL      | Target VMPL                                                                                                      |

The RMPADJUST instruction is used by an SNP-active guest to modify RMP permissions of a lesser-privileged VMPL. The RMPADJUST instruction will attempt to access the specified page and will take a #VMEXIT(NPF) if a nested translation error occurs or the translated address is outside the range of memory covered by the RMP. Assuming no such error is detected, the target VMPL is numerically higher than the current VMPL, and the specified permissions for the target VMPL are not greater than the permissions of the current VMPL, the RMPADJUST instruction will modify the target permission mask in the RMP entry.

Upon completion, a return code is stored in EAX. rFLAGS bits OF, ZF, AF, PF and SF are set based on this return code.

RMPADJUST performs the same segmentation and paging checks as a 1-byte read. RMPADJUST does not invalidate TLB caches.

This is a privileged instruction. Attempted execution at a privilege level other than CPL0 will result in a #GP(0) exception. In addition, this instruction is only valid in 64-bit mode in an SNP-active guest; in all other modes a #UD exception will be generated.

Support for this instruction is indicated by CPUID Fn8000\_001F\_EAX[SNP]=1.

| Mnemonic  | Opcode      | Description              |
|-----------|-------------|--------------------------|
| RMPADJUST | F3 0F 01 FE | Modifies RMP permissions |

### Action

```

GUEST_VA = RAX & ~0xFFF
PAGE_SIZE = RCX[0]
TARGET_VMPL = RDX[7:0]
TARGET_PERM_MASK = RDX[15:8]
VMSA = RDX[16]

IF (!64BIT_MODE)                                // Instruction only valid in 64-bit mode
    EXCEPTION [#UD]

IF (!SNP_ACTIVE)

```

```
EXCEPTION [#UD]

IF (CPL != 0)                                // Instruction only allowed at CPL 0
    EXCEPTION [#GP(0)]

IF ((PAGE_SIZE == 2MB) && (GUEST_VA[20:12] != 0))
    EAX = FAIL_INPUT                         // Page size is 2MB and not 2MB aligned
    EXIT

IF (TARGET_VMPL <= CURRENT_VMPL)   // Only permissions for numerically-
    EAX = FAIL_PERMISSION                  // higher VMPL can be modified
    EXIT

(SYSTEM_PA, GUEST_PA) = TRANSLATE(GUEST_VA)
(RMP_COVERED, RMP_ENTRY_PA) = GET_RMP_ENTRY_ADDR(SYSTEM_PA)

IF (!RMP_COVERED)                            // Translated system address
    #VMEXIT(NPF)                           // must have an RMP entry

temp_RMP = READ_MEM_PA.o [RMP_ENTRY_PA]

IF (temp_RMP.IMMUTABLE || !temp_RMP.ASSIGNED ||
    (temp_RMP.GUEST_PA != GUEST_PA) || (temp_RMP.ASID != ASID) ||
    (temp_RMP.PAGE_SIZE != nPT page size) ||
    ((temp_RMP.PAGE_SIZE == 2MB) && (PAGE_SIZE == 4KB)))
    #VMEXIT(NPF)

IF (!temp_RMP.VALIDATED)
    #VC(PAGE_NOT_VALIDATED)

IF ((temp_RMP.PAGE_SIZE == 4KB) && (PAGE_SIZE == 2MB))
    EAX = FAIL_SIZEISMATCH
    EXIT

IF (TARGET_PERM_MASK & ~temp_RMP.PERMISSIONS[CURRENT_VMPL])
    EAX = FAIL_PERMISSION
    EXIT

IF (CURRENT_VMPL == 0)
    temp_RMP.VMSA = VMSA

temp_RMP.PERMISSIONS[TARGET_VMPL] = TARGET_PERM_MASK

WRITE_MEM_PA.o [RMP_ENTRY_PA] = temp_RMP
EAX = SUCCESS
EXIT
```

## Return Codes

| Value | Name              | Description                              |
|-------|-------------------|------------------------------------------|
| 0     | SUCCESS           | Successful completion                    |
| 1     | FAIL_INPUT        | Illegal input parameters                 |
| 2     | FAIL_PERMISSION   | Insufficient permissions                 |
| 6     | FAIL_SIZEMISMATCH | Page size mismatch between guest and RMP |

## Related Instructions

PVALIDATE, RMPUPDATE, PSMASH

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                    | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|------------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD       | X    | X               | X         | The SNP instructions are not supported as indicated by<br>CPUID Fn8000_001F_EAX[SNP] = 0 |
|                              | X    | X               | X         | This instruction is only recognized in 64-bit mode                                       |
|                              |      |                 | X         | Guest is not SNP-Active                                                                  |
| General Protection,<br>#GP   |      |                 | X         | CPL was not 0                                                                            |
| Page Fault, #PF              |      |                 | X         | A page fault resulted from the execution of the instruction                              |
|                              |      |                 | X         | The effective C-bit was a 0 during the guest page table walk                             |
| VMM<br>Communication,<br>#VC |      |                 | X         | RMP.VALIDATED was not set to 1                                                           |

## RMPQUERY

## Read RMP Permissions

Reads an RMP permission mask for a guest page. The guest virtual address is specified in the RAX register. The target VMPL is specified in RDX[7:0]. RMP permissions for the specified VMPL are returned in RDX[63:8] and the RCX register as shown below.

| RDX Bits | Field            | Description                                                             |
|----------|------------------|-------------------------------------------------------------------------|
| [63:17]  | RESERVED         |                                                                         |
| [16]     | VMSA             | VMSA flag<br>This field is always set to 0 unless the current VMPL is 0 |
| [15:8]   | TARGET_PERM_MASK | Target VMPL permission mask                                             |
| [7:0]    | TARGET_VMPL      | Target VMPL                                                             |

| RCX Bits | Field     | Description |
|----------|-----------|-------------|
| [63:1]   | RESERVED  |             |
| [0]      | PAGE_SIZE | Page Size   |

The RMPQUERY instruction is used by an SNP-active guest to read RMP permissions of a lesser-privileged VMPL. The RMPQUERY instruction will attempt to access the specified page and can take a #VMEXIT(NPF) if a nested translation error occurs or the translated address is outside the range of memory covered by the RMP. Assuming no such error is detected and the target VMPL is numerically higher than the current VMPL, the RMPQUERY instruction will read RMP permissions from the RMP entry and return them in RDX and RCX registers.

Upon completion, a return code is stored in EAX. rFLAGS bits OF, ZF, AF, PF and SF are set based on return code.

RMPQUERY performs the same segmentation and paging checks as a 1-byte read at the current VMPL.

This is a privileged instruction. Attempted execution at a privilege level other than CPL0 will result in a #GP(0) exception. In addition, this instruction is only valid in 64-bit mode in an SNP-active guest; in all other modes a #UD exception will be generated.

Support for this instruction is indicated by CPUID Fn8000\_001F\_EAX[RMPQUERY] (bit 6) = 1.

| Mnemonic | Opcode      | Description            |
|----------|-------------|------------------------|
| RMPQUERY | F3 0F 01 FD | Reads RMP permissions. |

## Action

```

GUEST_VA = RAX & ~0xFFFF
TARGET_VMPL = RDX[7:0]

IF (!64BIT_MODE)           // This instruction is only valid in 64-bit mode
    EXCEPTION [#UD]

IF (!SNP_ACTIVE)
    EXCEPTION [#UD]

IF (CPL != 0)             // This instruction is only allowed at CPL 0
    EXCEPTION [#GP(0)]

IF (TARGET_VMPL <= CURRENT_VMPL)      // Only permissions for a numerically
    EAX = FAIL_PERMISSION            // higher VMPL can be read
    EXIT

(SYSTEM_PA, GUEST_PA) = TRANSLATE(GUEST_VA)
(RMP_COVERED, RMP_ENTRY_PA) = GET_RMP_ENTRY_ADDR(SYSTEM_PA)

IF (!RMP_COVERED) // Translated system address must have an RMP entry
    #VMEXIT(NPF)

temp_RMP = READ_MEM_PA.o [RMP_ENTRY_PA]

IF (!temp_RMP.ASSIGNED || (temp_RMP.GUEST_PA != GUEST_PA) ||
    (temp_RMP.ASID != ASID) || (temp_RMP.PAGE_SIZE != nPT page size))
    #VMEXIT(NPF)

IF (!temp_RMP.VALIDATED)
    #VC(PAGE_NOT_VALIDATED)

RDX[63:16] = 0
RDX[15:8] = temp_RMP.PERMISSIONS[TARGET_VMPL]

IF (CURRENT_VMPL == 0)
    RDX[16] = temp_RMP.VMSA

RCX[63:1] = 0
RCX[0] = temp_RMP.PAGE_SIZE

EAX = SUCCESS
EXIT

```

## Return Codes

| Value | Name            | Description                                  |
|-------|-----------------|----------------------------------------------|
| 0     | SUCCESS         | Successful completion                        |
| 2     | FAIL_PERMISSION | Current ASID not 0 or RMP entry is Immutable |

## Related Instructions

PVALIDATE, PSMASH, RMPADJUST

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                    | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                 |
|------------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD       | X    | X               | X         | The RMPQUERY instruction is not supported as indicated by CPUID Fn8000_001F_EAX[RMPQUERY](bit 6)=0 |
|                              | X    | X               | X         | This instruction is only recognized in 64-bit mode                                                 |
|                              |      |                 | X         | Guest is not SNP-Active                                                                            |
| General Protection,<br>#GP   | X    | X               | X         | CPL was not zero                                                                                   |
| Page Fault, #PF              |      | X               | X         | A page fault resulted from the execution of the instruction                                        |
|                              |      |                 | X         | The effective C-bit was a 0 during the guest page table walk                                       |
| VMM<br>Communication,<br>#VC |      |                 | X         | RMP.VALIDATED was not set to 1                                                                     |

**RMPREAD****Read RMP Entry**

Reads an RMP entry for a page and writes RMP state to memory. The system physical address of the page whose RMP entry is read is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure into which the RMP state is written. The DS segment is the default segment used to create the linear address but may be overridden by a segment prefix. The layout of the data structure written with the RMP state is as follows:

| Byte Offset | Length (bytes) | Name              | Description                          |
|-------------|----------------|-------------------|--------------------------------------|
| 00h         | 8              | GUEST_PA          | Guest physical address               |
| 08h         | 1              | ASSIGNED          | Assigned flag (bit 0)                |
| 09h         | 1              | PAGE_SIZE         | Page size (0 = 4KB, 1 = 2MB) (bit 0) |
|             |                | 2MB_REGION_STATUS | 2MB RMP region status (bit 1)        |
| 0Ah         | 1              | IMMUTABLE         | Immutable flag (bit 0)               |
| 0Bh         | 1              | -                 | Reserved (SBZ)                       |
| 0Ch         | 4              | ASID              | ASID of intended page owner          |

If the page address specified in RAX is 2MB-aligned, the value of 2MB\_REGION\_STATUS indicates if any other pages within the same 2MB region are assigned in the RMP. Specifically, if any page from RAX+0x1000 to RAX+0x1FF000 inclusive have the ASSIGNED flag set in their RMP entry, 2MB\_REGION\_STATUS will be set to 1. If none of these pages have the ASSIGNED flag set, 2MB\_REGION\_STATUS will be set to 0. If the page address specified in RAX is not 2MB-aligned, the value of 2MB\_REGION\_STATUS is always set to 0.

Upon completion, a return code is stored in EAX. rFLAGS bits OF, ZF, AF, PF and SF are set based on return code.

This instruction is intended for hypervisor use. Attempted execution at an ASID other than 0 will result in a FAIL\_PERMISSION return code.

This is a privileged instruction. Attempted execution at a privilege level other than CPL0 will result in a #GP(0) exception. In addition, this instruction is only valid in 64-bit mode with SNP enabled; in all other modes a #UD exception will be generated.

Support for this instruction is indicated by CPUID Fn8000\_001F\_EAX[RMPREAD] (bit 21) = 1.

| Mnemonic | Opcode      | Description     |
|----------|-------------|-----------------|
| RMPREAD  | F2 0F 01 FD | Reads RMP entry |

**Action**

```
SYSTEM_PA = RAX & ~0xFFFF
RMP_PTR = RCX
```

```

IF (!64BIT_MODE)      // This instruction is only valid in 64-bit mode
EXCEPTION [#UD]

IF (!SYSCFG.SNP_EN)  // This instruction is only valid when SNP is enabled
EXCEPTION [#UD]

IF (CPL != 0)        // This instruction is only allowed at CPL 0
EXCEPTION [#GP(0)]

IF (ASID != 0)        // This instruction is only allowed at ASID 0
EAX = FAIL_PERMISSION
EXIT

(RMP_COVERED, RMP_ENTRY_PA) = GET_RMP_ENTRY_ADDR(SYSTEM_PA)

IF (!RMP_COVERED)          // System address must have an RMP entry
EAX = FAIL_INPUT
EXIT

temp_RMP = READ_MEM_PA.o [RMP_ENTRY_PA]

temp_DATA.o = 0
temp_DATA.GUEST_PA = temp_RMP.GUEST_PA
temp_DATA.ASSIGNED = temp_RMP.ASSIGNED
temp_DATA.PAGE_SIZE = temp_RMP.PAGE_SIZE
temp_DATA.IMMUTABLE = temp_RMP.IMMUTABLE
temp_DATA.ASID = temp_RMP.ASID

IF (!(SYSTEM_PA & 0x1FFFFF))
temp_DATA.2MB_REGION_STATUS = (Any 4KB page RMP entry with (RMP.ASSIGNED == 1)
exists in the 2MB region)

WRITE_MEM.o [RMP_PTR] = temp_DATA

EAX = SUCCESS
EXIT

```

## Return Codes

| Value | Name            | Description              |
|-------|-----------------|--------------------------|
| 0     | SUCCESS         | Successful completion    |
| 1     | FAIL_INPUT      | Illegal input parameters |
| 2     | FAIL_PERMISSION | Current ASID not 0       |

## Related Instructions

RMPUPDATE, RMPQUERY

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                   |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The RMPREAD instruction is not supported as indicated by CPUID Fn8000_001F_EAX[RMPREAD] (bit 21) = 0 |
|                            | X    | X               | X         | This instruction is only recognized in 64-bit mode                                                   |
|                            |      |                 | X         | SYSCFG[SNP_EN] was not set to 1                                                                      |
| General Protection,<br>#GP |      |                 | X         | CPL was not 0                                                                                        |

## RMPUPDATE

## Write RMP Entry

Writes a new RMP entry. The system physical address of a page whose RMP entry is modified is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure which contains the new RMP state. The DS segment is the default segment used to create the linear address, but may be overridden by a segment prefix. The layout of the data structure with the new RMP state is as follows:

| Byte Offset | Length (bytes) | Name      | Description                          |
|-------------|----------------|-----------|--------------------------------------|
| 00h         | 8              | GUEST_PA  | Guest physical address               |
| 08h         | 1              | ASSIGNED  | Assigned flag (bit 0)                |
| 09h         | 1              | PAGE_SIZE | Page size (0 = 4KB, 1 = 2MB) (bit 0) |
| 0Ah         | 1              | IMMUTABLE | Immutable flag (bit 0)               |
| 0Bh         | 1              | -         | Reserved (SBZ)                       |
| 0Ch         | 4              | ASID      | ASID of intended page owner          |

The RMPUPDATE instruction checks that new RMP state is legal before it updates the RMP table.

Upon completion, a return code is stored in EAX. rFLAGS bits OF, ZF, AF, PF and SF are set based on this return code.

The RMPUPDATE instruction invalidates all TLB entries in the system that translate to the page being modified.

This instruction is intended for hypervisor use. Attempted execution at an ASID other than 0 will result in a FAIL\_PERMISSION return code.

This is a privileged instruction. Attempted execution at a privilege level other than CPL0 will result in a #GP(0) exception. In addition, this instruction is only valid in 64-bit mode with SNP enabled; in all other modes a #UD exception will be generated.

Support for this instruction is indicated by the feature flag CPUID Fn8000\_001F\_EAX[SNP]=1.

| Mnemonic  | Opcode      | Description            |
|-----------|-------------|------------------------|
| RMPUPDATE | F2 0F 01 FE | Writes a new RMP entry |

### Action

```

SYSTEM_PA = RAX & ~0xFFFF
NEW_RMP_PTR = RCX

IF (!64BIT_MODE)                                // Instruction only valid in 64-bit mode
    EXCEPTION [#UD]

IF (!SYSCFG.SNP_EN)                            // Instruction only valid when SNP enabled
    EXCEPTION [#UD]

```

```
IF (CPL != 0)                                // Instruction only allowed at CPL 0
    EXCEPTION [#GP(0)]


IF (CURRENT_ASID != 0)                         // Instruction only allowed at ASID 0
    EAX = FAIL_PERMISSION
    EXIT


NEW_RMP = READ_MEM.o [NEW_RMP_PTR]

IF ((NEW_RMP.PAGE_SIZE == 2MB) && (SYSTEM_PA[20:12] != 0))
    EAX = FAIL_INPUT
    EXIT


IF (!NEW_RMP.ASSIGNED && (NEW_RMP.IMMUTABLE || (NEW_RMP.ASID != 0)))
    EAX = FAIL_INPUT
    EXIT


(RMP_COVERED, RMP_ENTRY_PA) = GET_RMP_ENTRY_ADDR(SYSTEM_PA)
2MB_RMP_ENTRY_PA = RMP_ENTRY_PA & ~0x1FF0

IF (!RMP_COVERED)                               // System address must have an RMP entry
    EAX = FAIL_INPUT
    EXIT


OLD_RMP = READ_MEM_PA.o [RMP_ENTRY_PA]

IF (OLD_RMP.IMMUTABLE)
    EAX = FAIL_PERMISSION
    EXIT


IF (NEW_RMP.PAGE_SIZE == 4KB)
    IF ((SYSTEM_PA[20:12] == 0) && (OLD_RMP.PAGE_SIZE == 2MB))
        EAX = FAIL_OVERLAP
        EXIT
    ELSE IF (SYSTEM_PA[20:12] != 0)
        2MB_RMP = READ_MEM_PA.o [2MB_RMP_ENTRY_PA]
        IF (2MB_RMP.ASSIGNED && (2MB_RMP.PAGE_SIZE == 2MB))
            EAX = FAIL_OVERLAP
            EXIT
        ELSE IF (Another processor is modifying a page in 2MB region)
            EAX = FAIL_OVERLAP
            EXIT
    ELSE
        IF (Any 4KB RMP entry with (RMP.ASSIGNED == 1) exists in 2MB region)
            EAX = FAIL_OVERLAP
            EXIT
    ELSE
        FOR (I = 1; I < 512, I++)
        {
            temp_RMP = 0
            temp_RMP.ASSIGNED = NEW_RMP.ASSIGNED
```

```

        WRITE_MEM.o [RMP_ENTRY_PA + I * 16] = temp_RMP;
    }

IF (!NEW_RMP.ASSIGNED)
    temp_RMP = 0
ELSE
    temp_RMP.ASID = NEW_RMP.ASID
    temp_RMP.GUEST_PA = NEW_RMP.GUEST_PA
    temp_RMP.PAGE_SIZE = NEW_RMP.PAGE_SIZE
    temp_RMP.ASSIGNED = NEW_RMP.ASSIGNED
    temp_RMP.IMMUTABLE = NEW_RMP.IMMUTABLE

    temp_RMP.VALIDATED = OLD_RMP.VALIDATED
    temp_RMP.PERMISSIONS = OLD_RMP.PERMISSIONS
    temp_RMP.VMSA = OLD_RMP.VMSA

IF (NEW_RMP.ASID == 0)
    temp_RMP.GUEST_PA = 0

IF ((OLD_RMP.ASID ^ NEW_RMP.ASID) ||
    (OLD_RMP.GUEST_PA ^ NEW_RMP.GUEST_PA) ||
    (OLD_RMP.PAGE_SIZE ^ NEW_RMP.PAGE_SIZE) ||
    (OLD_RMP.ASSIGNED ^ NEW_RMP.ASSIGNED))
    N = CPUID Fn8000001F_EBX[15:12]
    temp_RMP.VALIDATED = 0
    temp_RMP.VMSA = 0
    temp_RMP.PERMISSIONS[0] = FULL_PERMISSIONS
    temp_RMP.PERMISSIONS[1:(N-1)] = 0

WRITE_MEM_PA.o [RMP_ENTRY_PA] = temp_RMP
EAX = SUCCESS
EXIT

```

## Return Codes

| Value | Name            | Description                                       |
|-------|-----------------|---------------------------------------------------|
| 0     | SUCCESS         | Successful completion                             |
| 1     | FAIL_INPUT      | Illegal input parameters                          |
| 2     | FAIL_PERMISSION | Current ASID not 0 or RMP entry is Immutable      |
| 3     | FAIL_INUSE      | Another processor is modifying the same RMP entry |
| 4     | FAIL_OVERLAP    | 4KB page and 2MB page RMP overlap detected        |

## Related Instructions

PVALIDATE, PSMASH, RMPADJUST

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | M  |    |    |    | M  | M  | M  | M  |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                       |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The SNP instructions are not supported as indicated by<br>CPUID Fn8000_001F_EAX[SNP] = 0 |
|                            | X    | X               | X         | This instruction is only recognized in 64-bit mode                                       |
|                            |      |                 | X         | SYSCFG[SNP_EN] was not set to 1                                                          |
| General Protection,<br>#GP |      |                 | X         | CPL was not 0                                                                            |
|                            |      |                 | X         | A null data segment was used to reference memory                                         |

## RSM

## Resume from System Management Mode

Resumes an operating system or application procedure previously interrupted by a system management interrupt (SMI). The processor state is restored from the information saved when the SMI was taken. The processor goes into a shutdown state if it detects invalid state information in the system management mode (SMM) save area during RSM.

RSM will shut down if any of the following conditions are found in the save map (SSM):

- An illegal combination of flags in CR0 (CR0.PG = 1 and CR0.PE = 0, or CR0.NW = 1 and CR0.CD = 0).
- A reserved bit in CR3, CR4, or the extended feature enable register (EFER) is set to 1.
- A reserved bit in the range 63:32 of CR0, DR6, or DR7 is set to 1.
- The following bit combination occurs: EFER.LME = 1, CR0.PG = 1, CR4.PAE = 0.
- The following bit combination occurs: EFER.LME = 1, CR0.PG = 1, CR4.PAE = 1, CS.D = 1, CS.L = 1.
- SMM revision field has been modified.
- The following bit combination occurs: CR4.PCIDE=1 and EFER.LMA=0.

RSM cannot modify EFER.SVME. Attempts to do so are ignored.

When EFER.SVME is 1, RSM reloads the four PDPEs (through the incoming CR3) when returning to a mode that has legacy PAE mode paging enabled.

When EFER.SVME is 1, the RSM instruction is permitted to return to paged real mode (i.e., CR0.PE=0 and CR0.PG=1).

The AMD64 architecture uses a new 64-bit SMM state-save memory image. This 64-bit save-state map is used in all modes, regardless of mode. See “System-Management Mode” in APM Volume 2 for details.

| Mnemonic | Opcode | Description                                 |
|----------|--------|---------------------------------------------|
| RSM      | 0F AA  | Resume operation of an interrupted program. |

### Related Instructions

None

## rFLAGS Affected

All flags are restored from the state-save map (SSM).

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
| M  | M   | M   | M  | M  | M  | M  | M     | M  | M  | M  | M  | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                     |
|------------------------|------|-----------------|-----------|--------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | The processor was not in System Management Mode (SMM). |

## RSTORSSP

## Restore Saved Shadow Stack Pointer

Restores SSP using the shadow stack restore token pointed to by the memory operand. If the token validation checks pass, SSP is set to the linear address of the memory operand and the restore token is replaced with a previous SSP token.

If a return to the previous shadow stack is required, the SAVEPREVSSP instruction can be used to save the previous SSP token to the previous stack. Otherwise, the INCSSP instruction can be used to pop the unneeded previous SSP token from the shadow stack.

If the restored SSP is 4-byte aligned and not 8-byte aligned, CF is set to 1 indicating an alignment hole. The INCSSP instruction can be used to increment SSP past the alignment hole.

| Mnemonic              | Opcode      | Description                                |
|-----------------------|-------------|--------------------------------------------|
| RSTORSSP <i>mem64</i> | F3 0F 01 /5 | Restore SSP and create previous SSP token. |

### Action

```
// see "Pseudocode Definition" on page 57

IF ((CPL == 3) && (!SSTK_USER_ENABLED))
    EXCEPTION [#UD]

IF ((CPL < 3) && (!SSTK_SUPV_ENABLED))
    EXCEPTION [#UD]

temp_linAddr = Linear_Address(mem64)
IF (temp_linAddr is not 8-byte aligned)
    EXCEPTION [#GP(0)]

bool INVALID_TOKEN = FALSE

< start atomic section >

temp_rstорToken = SSTK_READ_MEM.q [mem64] // fetch token, with locked read

IF ((temp_rstорToken AND 0x02) != 0)
    INVALID_TOKEN = TRUE           // token bit 1 must be clear

IF (64BIT_MODE != (temp_rstорToken AND 0x01))
    INVALID_TOKEN = TRUE           // token bit 0 must match current mode

IF (!64-bit mode) && (temp_rstорToken[63:32] != 0))
    INVALID_TOKEN = TRUE           // previous SSP must be <4Gb in
                                    // legacy and compat modes

temp_prevSSP = (temp_rstорToken AND ~0x01) - 8
temp_prevSSP = temp_prevSSP AND ~0x07
```

```

IF (temp_prevSSP != temp_linAddr)
    INVALID_TOKEN = TRUE           // prev SSP from token must match lin addr

temp_prevSSPtoken = SSP OR 64BIT_MODE OR 0x02 //create the previousSSP token
SSTK_WRITE_MEM.q [mem64] = INVALID_TOKEN ? temp_rstorToken : temp_prevSSPtoken
                                         // write token and unlock
< end atomic section >

IF (INVALID_TOKEN)
    EXCEPTION [#CP(RSTORSSP)]
ELSE
{
    SSP = temp_linAddr           // SSP = linear address of memory operand
    RFLAGS.ZF,PF,AF,OF,SF = 0
    RFLAGS.CF = (temp_rstorToken AND 0x04) ? 1 : 0; // set CF if SSP in token
                                                   // was 4-byte aligned
}
EXIT

```

## Related Instructions

SAVEPREVSSP

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       | 0  |    |    |    | 0  | 0  | 0  | 0  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                 |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------------|
| Invalid opcode, #UD        |      | X               |           | CR4.CET = 0                                                        |
|                            |      | X               |           | Shadow stacks not enabled at current privilege level.              |
|                            |      | X               |           | The linear address was not 8-byte aligned.                         |
|                            |      | X               |           | A memory address exceeded a data segment limit.                    |
| General protection,<br>#GP |      | X               |           | In long mode, the address of the memory operand was non-canonical. |
|                            |      | X               |           | A null data segment was used to reference memory.                  |
|                            |      | X               |           | A non-writeable data segment was used.                             |
|                            |      | X               |           | An execute-only code segment was used to reference memory.         |

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                   |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------------------------------|
| Control Protection,<br>#CP |      |                 | X         | The mode bit (bit 0) in the token did not match the current mode.                    |
|                            |      |                 | X         | The type bit (bit 1) in the token was not 0.                                         |
|                            |      |                 | X         | The SSP address in the token did not match the linear address of the memory operand. |
| Page fault, #PF            |      |                 | X         | The linear address was not a shadow stack page.                                      |
|                            |      |                 | X         | A page fault resulted from the execution of the instruction.                         |

**SAVEPREVSSP****Save Previous Shadow Stack Pointer**

Saves a restore shadow stack token to previous shadow stack. The previous SSP pointer is taken from the previous SSP token found at the top of the current shadow stack. The previous SSP token is then popped from the current shadow stack.

| Mnemonic    | Opcode      | Description                                                  |
|-------------|-------------|--------------------------------------------------------------|
| SAVEPREVSSP | F3 0F 01 EA | Push restore shadow stack token to the previous shadow stack |

**Action**

```
// see "Pseudocode Definition" on page 57

IF ((CPL == 3) && (!SSTK_USER_ENABLED))
    EXCEPTION [#UD]

IF ((CPL < 3) && (!SSTK_SUPV_ENABLED))
    EXCEPTION [#UD]

IF (SSP is not 8-byte aligned)
    EXCEPTION [#GP(0)]

temp_prevSSPtoken = SSTK_READ_MEM.q [SSP] // pop prev SSP token
                                            // from current stack
temp_SSP = SSP
temp_SSP = temp_SSP + 8

IF (RFLAGS.CF)                         // CF indicates a 4-byte alignment hole exists
    IF (64BIT_MODE)
        EXCEPTION [#GP(0)] // alignment hole allowed only in legacy/compat mode
    ELSE
        {
            hole = SSTK_READ_MEM.d [temp_SSP] // pop the 4-byte alignment hole
            temp_SSP = temp_SSP + 4
            IF (hole != 0)
                EXCEPTION [#GP(0)]          // the alignment hole must be all 0's
        }
IF ((temp_prevSSPtoken AND 0x02) != 1)
    EXCEPTION [#GP(0)]                  // prev SSP token must have bit 1 set

IF (64BIT_MODE != (temp_prevSSPtoken AND 0x01))
    EXCEPTION [#GP(0)]                  // token bit 0 must match current mode

IF (!64-bit mode) && (temp_prevSSPtoken[63:32] != 0))
    EXCEPTION [#GP(0)]                  // previous SSP must be <4Gb in
                                            // legacy and compat modes

temp_oldSSP = temp_prevSSPtoken AND ~0x03
```

```

temp_rstorSSPtoken = temp_oldSSP OR (64BIT_MODE) //create the restore
                                                SSP token
SSTK_WRITE_MEM.d [temp_oldSSP - 4] = 0x0 // zero out hole (in case aligning
                                            // oldSSP creates a hole)
temp_oldSSP = temp_oldSSP AND ~0x07          // align oldSSP to next 8b boundary
SSTK_WRITE_MEM.q [temp_oldSSP-8]= temp_rstorSSPtoken // write restore token to
                                                    // old stack
SSP = temp_SSP                                // no faults, update SSP

```

## Related Instructions

RSTORSSP

## rFLAGS Affected

None.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                   |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               |           | Instruction is only recognized in protected mode.                    |
|                         |      |                 | X         | CR4.CET = 0                                                          |
|                         |      |                 | X         | Shadow stacks not enabled at current privilege level.                |
| General protection, #GP |      |                 | X         | The SSP was not 8-byte aligned.                                      |
|                         |      |                 | X         | The type bit (bit 1) in the token was not 1.                         |
|                         |      |                 | X         | CF was set in 64-bit mode.                                           |
|                         |      |                 | X         | The previous SSP was >4Gb when not in 64-bit mode.                   |
|                         |      |                 | X         | A non-zero alignment hole was found in legacy or compatibility mode. |
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.         |
|                         |      |                 | X         | A shadow stack reference was made to a non-shadow stack page.        |

**SETSSBSY****Set Shadow Stack Busy**

Validates a non-busy (not in-use) shadow stack token pointed to by the PL0\_SS<sub>P</sub> MSR and sets the token's busy bit. If the validation checks pass, SSP is set to the address in PL0\_SS<sub>P</sub>.

SETSSBY is a privileged instruction and must be executed with CPL=0, otherwise a #GP exception is generated. If shadow stacks are not enabled at the supervisor level, a #UD exception is generated.

| Mnemonic | Opcode      | Description                                  |
|----------|-------------|----------------------------------------------|
| SETSSBY  | F3 0F 01 E8 | Validate token and set shadow stack busy bit |

**Action**

```
// see "Pseudocode Definition" on page 57

IF (CR4.CET == 0)
    EXCEPTION [#UD]
IF (S_CET.SH_STK_EN == 0)
    EXCEPTION [#UD]
IF (CPL != 0)
    EXCEPTION [#GP(0)]

temp_newSSP = PL0_SSP

IF (temp_newSSP is not 8-byte aligned)
    EXCEPTION [#GP(0)]

bool FAULT = FALSE

< start atomic section >

temp_Token = SSTK_READ_MEM.q [temp_newSSP] // fetch token with locked read

IF (!64-bit mode) && (temp_token[63:32] != 0)
    FAULT=TRUE                      // address in token must be < 4GB
                                      // in legacy/compatibility mode
IF ((temp_Token AND 0x01) != 0)
    FAULT = TRUE                    // token busy bit must be 0
IF ((temp_Token AND ~0x01) != temp_newSSP)
    FAULT = TRUE                    // address in token must match new SSP
IF (!FAULT)
    temp_Token = temp_Token OR 0x01 // if no faults, set token busy bit

SSTK_WRITE_MEM.q [temp_newSSP] = temp_Token // write token and unlock

< end atomic section >

IF (FAULT)
    EXCEPTION [#CP(SETSSBSY)]
```

```

ELSE
    SSP = temp_newSSP      // if no faults, SSP = PL0_SSP

EXIT

```

## Related Instructions

CLRSSBSY

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                           |
|----------------------------|------|-----------------|-----------|--------------------------------------------------------------|
| Invalid Opcode,<br>#UD     | X    | X               | X         | Instruction is only recognized in protected mode.            |
|                            |      |                 | X         | CR4.CET = 0.                                                 |
|                            |      |                 | X         | Shadow stacks not enabled at supervisor level.               |
| General Protection,<br>#GP |      |                 | X         | CPL != 0                                                     |
|                            |      |                 | X         | PL0_SSP MSR is not 8-byte aligned.                           |
| Control, #CP               |      |                 | X         | The shadow stack token is busy.                              |
|                            |      |                 | X         | The shadow stack token reserved bits are not 0.              |
|                            |      |                 | X         | PL0_SSP MSR >4Gb when not in 64-bit mode.                    |
|                            |      |                 | X         | The new SSP in the token != PL0_SSP.                         |
| Page Fault, #PF            |      |                 | X         | PL0_SSP MSR is not a supervisor shadow stack page.           |
|                            |      |                 | X         | A page fault resulted from the execution of the instruction. |

**SGDT****Store Global Descriptor Table Register**

Stores the global descriptor table register (GDTR) into the destination operand. In legacy and compatibility mode, the destination operand is 6 bytes; in 64-bit mode, it is 10 bytes. In all modes, operand-size prefixes are ignored.

In non-64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 4 bytes specify the 32-bit base address.

In 64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 8 bytes specify the 64-bit base address.

This instruction is intended for use in operating system software, but it can be used at any privilege level.

| Mnemonic             | Opcode   | Description                                       |
|----------------------|----------|---------------------------------------------------|
| SGDT <i>mem16:32</i> | 0F 01 /0 | Store global descriptor table register to memory. |
| SGDT <i>mem16:64</i> | 0F 01 /0 | Store global descriptor table register to memory. |

**Related Instructions**

SIDT, SLDT, STR, LGDT, LIDT, LLDT, LTR

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The operand was a register.                                                       |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**SIDT****Store Interrupt Descriptor Table Register**

Stores the interrupt descriptor table register (IDTR) in the destination operand. In legacy and compatibility mode, the destination operand is 6 bytes; in 64-bit mode it is 10 bytes. In all modes, operand-size prefixes are ignored.

In non-64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 4 bytes specify the 32-bit base address.

In 64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 8 bytes specify the 64-bit base address.

This instruction is intended for use in operating system software, but it can be used at any privilege level.

| Mnemonic             | Opcode   | Description                                          |
|----------------------|----------|------------------------------------------------------|
| SIDT <i>mem16:32</i> | 0F 01 /1 | Store interrupt descriptor table register to memory. |
| SIDT <i>mem16:64</i> | 0F 01 /1 | Store interrupt descriptor table register to memory. |

**Related Instructions**

SGDT, SLDT, STR, LGDT, LIDT, LLDT, LTR

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | The operand was a register.                                                       |
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**SKINIT****Secure Init and Jump with Attestation**

Securely reinitializes the CPU, allowing for the startup of trusted software (such as a VMM). The code to be executed after reinitialization can be verified based on a secure hash comparison. SKINIT takes the physical base address of the SLB as its only input operand, in EAX. The SLB must be structured as described in “Secure Loader Block” on page 61 of APM Volume 2, and is assumed to contain the code for a Secure Loader (SL).

This is a Secure Virtual Machine (SVM) instruction. Support for the SVM architecture and the SVM instructions is indicated by CPUID Fn8000\_0001\_ECX[SVM] = 1. For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171.

This instruction generates a #UD exception if SVM is not enabled. See “Enabling SVM” in APM Volume 2.

| Mnemonic   | Opcode   | Description                                       |
|------------|----------|---------------------------------------------------|
| SKINIT EAX | 0F 01 DE | Secure initialization and jump, with attestation. |

**Action**

```

IF ((EFER.SVME == 0) && !(CPUID 8000_0001.ECX[SKINIT]) || (!PROTECTED_MODE))

    EXCEPTION [#UD]           // This instruction can only be executed
                                // in protected mode with SVM enabled.

IF (CPL != 0)                  // This instruction is only allowed at CPL 0.
    EXCEPTION [#GP]

Initialize processor state as for an INIT signal
CR0.PE = 1

CS.sel = 0x0008
CS.attr = 32-bit code, read/execute
CS.base = 0
CS.limit = 0xFFFFFFFF

SS.sel = 0x0010
SS.attr = 32-bit stack, read/write, expand up
SS.base = 0
SS.limit = 0xFFFFFFFF

EAX = EAX & 0xFFFF0000 // Form SLB base address.
EDX = family/model/stepping
ESP = EAX + 0x00010000 // Initial SL stack.
Clear GPRs other than EAX, EDX, ESP

EFER = 0
VM_CR.DPD = 1
VM_CR.R_INIT = 1
VM_CR.DIS_A20M = 1

```

Enable SL\_DEV, to protect 64Kbyte of physical memory starting at the physical address in EAX

GIF = 0

Read the SL length from offset 0x0002 in the SLB  
Copy the SL image to the TPM for attestation

Read the SL entrypoint offset from offset 0x0000 in the SLB  
Jump to the SL entrypoint, at EIP = EAX+entrypoint offset

## Related Instructions

None.

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
| 0  | 0   | 0   | 0  | 0  | 0  | 0  | 0     | 0  | 0  | 0  | 0  | 0  | 0  | 0  | 0  | 0  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                                                                                                                                                                                                                                                    |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     |      |              | X         | Secure Virtual Machine was not enabled (EFER.SVME=0) and both of the following conditions were true: <ul style="list-style-type: none"><li>• SVM-Lock is not available, as indicated by CPUID Fn8000_000A_EDX[SVML] = 0.</li><li>• DEV is not available, as indicated by CPUID Fn8000_0001_ECX[SKINIT] = 0.</li></ul> |
|                         | X    | X            |           | Instruction is only recognized in protected mode.                                                                                                                                                                                                                                                                     |
| General protection, #GP |      |              | X         | CPL was not 0.                                                                                                                                                                                                                                                                                                        |

**SLDT****Store Local Descriptor Table Register**

Stores the local descriptor table (LDT) selector to a register or memory destination operand.

If the destination is a register, the selector is zero-extended into a 16-, 32-, or 64-bit general purpose register, depending on operand size.

If the destination operand is a memory location, the segment selector is written to memory as a 16-bit value, regardless of operand size.

This SLDT instruction can only be used in protected mode, but it can be executed at any privilege level.

| Mnemonic   | Opcode   | Description                                                                                      |
|------------|----------|--------------------------------------------------------------------------------------------------|
| SLDT reg16 | 0F 00 /0 | Store the segment selector from the local descriptor table register to a 16-bit register.        |
| SLDT reg32 | 0F 00 /0 | Store the segment selector from the local descriptor table register to a 32-bit register.        |
| SLDT reg64 | 0F 00 /0 | Store the segment selector from the local descriptor table register to a 64-bit register.        |
| SLDT mem16 | 0F 00 /0 | Store the segment selector from the local descriptor table register to a 16-bit memory location. |

**Related Instructions**

SIDT, SGDT, STR, LIDT, LGDT, LLDT, LTR

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               |           | This instruction is only recognized in protected mode.                  |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| General protection,<br>#GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.    |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                  |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**SMSW****Store Machine Status Word**

Stores the lower bits of the machine status word (CR0). The target can be a 16-, 32-, or 64-bit register or a 16-bit memory operand.

This instruction is provided for compatibility with early processors.

This instruction can be used at any privilege level (CPL).

| Mnemonic   | Opcode   | Description                                        |
|------------|----------|----------------------------------------------------|
| SMSW reg16 | 0F 01 /4 | Store the low 16 bits of CR0 to a 16-bit register. |
| SMSW reg32 | 0F 01 /4 | Store the low 32 bits of CR0 to a 32-bit register. |
| SMSW reg64 | 0F 01 /4 | Store the entire 64-bit CR0 to a 64-bit register.  |
| SMSW mem16 | 0F 01 /4 | Store the low 16 bits of CR0 to memory.            |

**Related Instructions**

LMSW, MOV CR $n$

**rFLAGS Affected**

None

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Stack, #SS                 | X    | X               | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP | X    | X               | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      | X               | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      | X               | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## STAC

## Set Alignment Check Flag

Sets the Alignment Check flag in the rFLAGS register to one. Support for the STAC instruction is indicated by CPUID Fn07\_EBX[20]=1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

| Mnemonic | Opcode   | Description      |
|----------|----------|------------------|
| STAC     | 0F 01 CB | Sets the AC flag |

### Related Instructions

CLAC

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     | 1  |    |    |    |       |    |    |    |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                           |
|---------------------|------|-----------------|-----------|----------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | Instruction not supported by CPUID           |
|                     |      | X               |           | Instruction is not supported in virtual mode |
|                     |      |                 | X         | Lock prefix (F0h) preceding opcode.          |
|                     |      |                 | X         | CPL was not 0                                |

**STI****Set Interrupt Flag**

Sets the interrupt flag (IF) in the rFLAGS register to 1, thereby allowing external interrupts received on the INTR input. Interrupts received on the non-maskable interrupt (NMI) input are not affected by this instruction.

In real mode, this instruction sets IF to 1.

In protected mode and virtual-8086-mode, this instruction is IOPL-sensitive. If the CPL is less than or equal to the rFLAGS.IOPL field, the instruction sets IF to 1.

In protected mode, if  $\text{IOPL} < 3$ ,  $\text{CPL} = 3$ , and protected mode virtual interrupts are enabled ( $\text{CR4.PVI} = 1$ ), then the instruction instead sets rFLAGS.VIF to 1. If none of these conditions apply, the processor raises a general protection exception (#GP). For more information, see “Protected Mode Virtual Interrupts” in APM Volume 2.

In virtual-8086 mode, if  $\text{IOPL} < 3$  and the virtual-8086-mode extensions are enabled ( $\text{CR4.VME} = 1$ ), the STI instruction instead sets the virtual interrupt flag (rFLAGS.VIF) to 1.

If STI sets the IF flag and IF was initially clear, then interrupts are not enabled until after the instruction following STI. Thus, if IF is 0, this code will not allow an INTR to happen:

```
STI  
CLI
```

In the following sequence, INTR will be allowed to happen only after the NOP.

```
STI  
NOP  
CLI
```

If STI sets the VIF flag and VIP is already set, a #GP fault will be generated.

See “Virtual-8086 Mode Extensions” in APM Volume 2 for more information about IOPL-sensitive instructions.

| Mnemonic | Opcode | Description                   |
|----------|--------|-------------------------------|
| STI      | FB     | Set interrupt flag (IF) to 1. |

## Action

```

IF (CPL <= IOPL)
    RFLAGS.IF = 1

ELSIF (((VIRTUAL_MODE) && (CR4.VME == 1))
        || ((PROTECTED_MODE) && (CR4.PVI == 1) && (CPL == 3)))
{
    IF (RFLAGS.VIP == 1)
        EXCEPTION[#GP(0)]
    RFLAGS.VIF = 1
}
ELSE
    EXCEPTION[#GP(0)]

```

## Related Instructions

CLI

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     | M   |    |    |    |    |       |    |    | M  |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. M (modified) is either set to one or cleared to zero. Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                  |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------|
| General protection,<br>#GP |      | X               |           | The CPL was greater than the IOPL and virtual-mode extensions were not enabled (CR4.VME = 0).                                       |
|                            |      |                 | X         | The CPL was greater than the IOPL and either the CPL was not 3 or protected-mode virtual interrupts were not enabled (CR4.PVI = 0). |
|                            |      | X               | X         | This instruction would set RFLAGS.VIF to 1 and RFLAGS.VIP was already 1.                                                            |

**STGI****Set Global Interrupt Flag**

Sets the global interrupt flag (GIF) to 1. While GIF is zero, all external interrupts are disabled.

This is a Secure Virtual Machine (SVM) instruction.

Attempted execution of this instruction causes a #UD exception if SVM is not enabled and neither SVM Lock nor the device exclusion vector (DEV) are supported. Support for SVM Lock is indicated by CPUID Fn8000\_000A\_EDX[SVML] = 1. Support for DEV is part of the SKINIT architecture and is indicated by CPUID Fn8000\_0001\_ECX[SKINIT] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

For information on enabling SVM, see “Enabling SVM” in APM Volume 2.

| Mnemonic | Opcode   | Description                           |
|----------|----------|---------------------------------------|
| STGI     | 0F 01 DC | Sets the global interrupt flag (GIF). |

**Related Instructions**

CLGI

**rFLAGS Affected**

None.

**Exceptions**

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                                                                                                                                                                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD        |      |                 | X         | Secure Virtual Machine was not enabled (EFER.SVME=0) and both of the following conditions were true:<br><ul style="list-style-type: none"> <li>SVM Lock is not available, as indicated by CPUID Fn8000_000A_EDX[SVML] = 0.</li> <li>DEV is not available, as indicated by CPUID Fn8000_0001_ECX[SKINIT] = 0.</li> </ul> |
|                            | X    | X               |           | Instruction is only recognized in protected mode.                                                                                                                                                                                                                                                                       |
| General protection,<br>#GP |      |                 | X         | CPL was not 0.                                                                                                                                                                                                                                                                                                          |

## STR

## Store Task Register

Stores the task register (TR) selector to a register or memory destination operand.

If the destination is a register, the selector is zero-extended into a 16-, 32-, or 64-bit general purpose register, depending on the operand size.

If the destination is a memory location, the segment selector is written to memory as a 16-bit value, regardless of operand size.

The STR instruction can only be used in protected mode, but it can be used at any privilege level.

| Mnemonic  | Opcode   | Description                                                                             |
|-----------|----------|-----------------------------------------------------------------------------------------|
| STR reg16 | 0F 00 /1 | Store the segment selector from the task register to a 16-bit general-purpose register. |
| STR reg32 | 0F 00 /1 | Store the segment selector from the task register to a 32-bit general-purpose register. |
| STR reg64 | 0F 00 /1 | Store the segment selector from the task register to a 64-bit general-purpose register. |
| STR mem16 | 0F 00 /1 | Store the segment selector from the task register to a 16-bit memory location.          |

### Related Instructions

LGDT, LIDT, LLDT, LTR, SIDT, SGDT, SLDT

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               |           | This instruction is only recognized in protected mode.                            |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection,<br>#GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                            |      |                 | X         | The destination operand was in a non-writable segment.                            |
|                            |      |                 | X         | A null data segment was used to reference memory.                                 |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC    |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## SWAPGS

## Swap GS Register with KernelGSbase MSR

Provides a fast method for system software to load a pointer to system data structures. SWAPGS can be used upon entering system-software routines as a result of a SYSCALL instruction, an interrupt or an exception. Prior to returning to application software, SWAPGS can be used to restore the application data pointer that was replaced by the system data-structure pointer.

This instruction can only be executed in 64-bit mode. Executing SWAPGS in any other mode generates an undefined opcode exception.

The SWAPGS instruction only exchanges the base-address value located in the KernelGSbase model-specific register (MSR address C000\_0102h) with the base-address value located in the hidden portion of the GS selector register (GS.base). This allows the system-kernel software to access kernel data structures by using the GS segment-override prefix during memory references.

The address stored in the KernelGSbase MSR must be in canonical form. The WRMSR instruction used to load the KernelGSbase MSR causes a general-protection exception if the address loaded is not in canonical form. The SWAPGS instruction itself does not perform a canonical check.

This instruction is only valid in 64-bit mode at CPL 0. A general protection exception (#GP) is generated if this instruction is executed at any other privilege level.

For additional information about this instruction, refer to “System Instructions” in APM Volume 2.

### Examples

At a kernel entry point, the OS uses SwapGS to obtain a pointer to kernel data structures and simultaneously save the user's GS base. Upon exit, it uses SwapGS to restore the user's GS base:

```
SystemCallEntryPoint:
SwapGS          ; get kernel pointer, save user GSbase
mov gs:[SavedUserRSP], rsp    ; save user's stack pointer
mov rsp, gs:[KernelStackPtr]  ; set up kernel stack
push rax           ; now save user GPRs on kernel stack
.
.
.
push rax           ; perform system service
.
.
.

SwapGS          ; restore user GS, save kernel pointer
```

| Mnemonic | Opcode   | Description                                                                             |
|----------|----------|-----------------------------------------------------------------------------------------|
| SWAPGS   | 0F 01 F8 | Exchange GS base with KernelGSBase MSR.<br>(Invalid in legacy and compatibility modes.) |

### Related Instructions

None

### rFLAGS Affected

None

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                             |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               | X         | This instruction was executed in legacy or compatibility mode. |
| General protection, #GP |      |                 | X         | CPL was not 0.                                                 |

## SYSCALL

## Fast System Call

Transfers control to a fixed entry point in an operating system. It is designed for use by system and application software implementing a flat-segment memory model.

The SYSCALL and SYSRET instructions are low-latency system call and return control-transfer instructions, which assume that the operating system implements a flat-segment memory model. By eliminating unneeded checks, and by loading pre-determined values into the CS and SS segment registers (both visible and hidden portions), calls to and returns from the operating system are greatly simplified. These instructions can be used in protected mode and are particularly well-suited for use in 64-bit mode, which requires implementation of a paged, flat-segment memory model.

This instruction has been optimized by reducing the number of checks and memory references that are normally made so that a call or return takes considerably fewer clock cycles than the CALL FAR /RET FAR instruction method.

It is assumed that the base, limit, and attributes of the Code Segment will remain flat for all processes and for the operating system, and that only the current privilege level for the selector of the calling process should be changed from a current privilege level of 3 to a new privilege level of 0. It is also assumed (but not checked) that the RPL of the SYSCALL and SYSRET target selectors are set to 0 and 3, respectively.

SYSCALL sets the CPL to 0, regardless of the values of bits 33:32 of the STAR register. There are no permission checks based on the CPL, real mode, or virtual-8086 mode. SYSCALL and SYSRET must be enabled by setting EFER.SCE to 1.

It is the responsibility of the operating system to keep the descriptors in memory that correspond to the CS and SS selectors loaded by the SYSCALL and SYSRET instructions consistent with the segment base, limit, and attribute values forced by these instructions.

**Legacy x86 Mode.** In legacy x86 mode, when SYSCALL is executed, the EIP of the instruction following the SYSCALL is copied into the ECX register. Bits 31:0 of the SYSCALL/SYSRET target address register (STAR) are copied into the EIP register. (The STAR register is model-specific register C000\_0081h.)

New selectors are loaded, without permission checking (see above), as follows:

- Bits 47:32 of the STAR register specify the selector that is copied into the CS register.
- Bits 47:32 of the STAR register + 8 specify the selector that is copied into the SS register.
- The CS\_base and the SS\_base are both forced to zero.
- The CS\_limit and the SS\_limit are both forced to 4 Gbyte.
- The CS segment attributes are set to execute/read 32-bit code with a CPL of zero.
- The SS segment attributes are set to read/write and expand-up with a 32-bit stack referenced by ESP.

**Long Mode.** When long mode is activated, the behavior of the SYSCALL instruction depends on whether the calling software is in 64-bit mode or compatibility mode. In 64-bit mode, SYSCALL saves the RIP of the instruction following the SYSCALL into RCX and loads the new RIP from LSTAR bits 63:0. (The LSTAR register is model-specific register C000\_0082h.) In compatibility mode, SYSCALL saves the RIP of the instruction following the SYSCALL into RCX and loads the new RIP from CSTAR bits 63:0. (The CSTAR register is model-specific register C000\_0083h.)

New selectors are loaded, without permission checking (see above), as follows:

- Bits 47:32 of the STAR register specify the selector that is copied into the CS register.
- Bits 47:32 of the STAR register + 8 specify the selector that is copied into the SS register.
- The CS\_base and the SS\_base are both forced to zero.
- The CS\_limit and the SS\_limit are both forced to 4 Gbyte.
- The CS segment attributes are set to execute/read 64-bit code with a CPL of zero.
- The SS segment attributes are set to read/write and expand-up with a 64-bit stack referenced by RSP.

The WRMSR instruction loads the target RIP into the LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical form, a general-protection exception (#GP) occurs.

How SYSCALL and SYSRET handle rFLAGS, depends on the processor's operating mode.

In legacy mode, SYSCALL treats EFLAGS as follows:

- EFLAGS.IF is cleared to 0.
- EFLAGS.RF is cleared to 0.
- EFLAGS.VM is cleared to 0.

In long mode, SYSCALL treats RFLAGS as follows:

- The current value of RFLAGS is saved in R11.
- RFLAGS is masked using the value stored in SYSCALL\_FLAG\_MASK.
- RFLAGS.RF is cleared to 0.

For further details on the SYSCALL and SYSRET instructions and their associated MSR registers (STAR, LSTAR, CSTAR, and SYSCALL\_FLAG\_MASK), see “Fast System Call and Return” in APM Volume 2.

Support for the SYSCALL instruction is indicated by CPUID Fn8000\_0001\_EDX[SysCallSysRet] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

## Instruction Encoding

| Mnemonic | Opcode | Description            |
|----------|--------|------------------------|
| SYSCALL  | 0F 05  | Call operating system. |

### Action

// See “Pseudocode Definition” on page 61.

SYSCALL\_START:

```
IF (MSR_EFER.SCE == 0)           // Check if syscall/sysret are enabled.
    EXCEPTION [#UD]
```

```
IF (LONG_MODE)
    SYSCALL_LONG_MODE
ELSE // (LEGACY_MODE)
    SYSCALL_LEGACY_MODE
```

SYSCALL\_LONG\_MODE:

```
RCX.q = next_RIP
R11.q = RFLAGS      // with rf cleared

IF (64BIT_MODE)
    temp_RIP.q = MSR_LSTAR
ELSE // (COMPATIBILITY_MODE)
    temp_RIP.q = MSR_CSTAR

CS.sel    = MSR_STAR.SYSCALL_CS AND 0xFFFF
CS.attr   = 64-bit code,dpl0 // Always switch to 64-bit mode in long mode.
CS.base   = 0x00000000
CS.limit  = 0xFFFFFFFF
```

```
SS.sel    = MSR_STAR.SYSCALL_CS + 8
SS.attr   = 64-bit stack,dpl0
SS.base   = 0x00000000
SS.limit  = 0xFFFFFFFF
```

```
RFLAGS = RFLAGS AND ~MSR_SFMASK
RFLAGS.RF = 0
```

```
IF (ShadowStacksEnabled at current CPL)
    PL3_SSP = SSP
```

```
CPL = 0
```

```
IF (ShadowStacksEnabled at current CPL)
    SSP = 0
```

```

RIP = temp_RIP
EXIT

SYSCALL_LEGACY_MODE:

RCX.d = next_RIP

temp_RIP.d = MSR_STAR.EIP

CS.sel    = MSR_STAR.SYSCALL_CS AND 0xFFFFC
CS.attr   = 32-bit code,dpl0 // Always switch to 32-bit mode in legacy mode.
CS.base   = 0x00000000
CS.limit  = 0xFFFFFFFF

SS.sel    = MSR_STAR.SYSCALL_CS + 8
SS.attr   = 32-bit stack,dpl0
SS.base   = 0x00000000
SS.limit  = 0xFFFFFFFF

RFLAGS.VM, IF, RF=0

CPL = 0

RIP = temp_RIP
EXIT

```

## Related Instructions

SYSRET, SYSENTER, SYSEXIT

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
| M  | M   | M   | M  | 0  | 0  | M  | M     | M  | M  | M  | M  | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                     |
|---------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | The SYSCALL and SYSRET instructions are not supported, as indicated by CPUID Fn8000_0001_EDX[SysCallSysRet] = 0.                       |
|                     | X    | X               | X         | The system call extension bit (SCE) of the extended feature enable register (EFER) is set to 0. (The EFER register is MSR C000_0080h.) |

## SYSENTER

## System Call

Transfers control to a fixed entry point in an operating system. It is designed for use by system and application software implementing a flat-segment memory model. This instruction is valid only in legacy mode.

Three model-specific registers (MSRs) are used to specify the target address and stack pointers for the SYSENTER instruction, as well as the CS and SS selectors of the called and returned procedures:

- MSR\_SYSENTER\_CS: Contains the CS selector of the called procedure. The SS selector is set to MSR\_SYSENTER\_CS + 8.
- MSR\_SYSENTER\_ESP: Contains the called procedure's stack pointer.
- MSR\_SYSENTER\_EIP: Contains the offset into the CS of the called procedure.

The hidden portions of the CS and SS segment registers are not loaded from the descriptor table as they would be using a legacy x86 CALL instruction. Instead, the hidden portions are forced by the processor to the following values:

- The CS and SS base values are forced to 0.
- The CS and SS limit values are forced to 4 Gbytes.
- The CS segment attributes are set to execute/read 32-bit code with a CPL of zero.
- The SS segment attributes are set to read/write and expand-up with a 32-bit stack referenced by ESP.

System software must create corresponding descriptor-table entries referenced by the new CS and SS selectors that match the values described above.

The return EIP and application stack are not saved by this instruction. System software must explicitly save that information.

An invalid-opcode exception occurs if this instruction is used in long mode. Software should use the SYSCALL (and SYSRET) instructions in long mode. If SYSENTER is used in real mode, a #GP is raised.

For additional information on this instruction, see “SYSENTER and SYSEXIT (Legacy Mode Only)” in APM Volume 2.

Support for the SYSENTER instruction is indicated by CPUID Fn0000\_0001\_EDX[SysEnterSysExit] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

### Instruction Encoding

| Mnemonic | Opcode | Description            |
|----------|--------|------------------------|
| SYSENTER | 0F 34  | Call operating system. |

## Related Instructions

SYSCALL, SYSEXIT, SYSRET

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    | 0  |    |    |       |    |    | 0  |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or zero is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                   |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               | X         | The SYSENTER and SYSEXIT instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SysEnterSysExit] = 0. |
|                         |      |                 | X         | This instruction is not recognized in long mode.                                                                     |
| General protection, #GP | X    |                 |           | This instruction is not recognized in real mode.                                                                     |
|                         |      | X               | X         | MSR_SYSENTER_CS was a null selector.                                                                                 |

## SYSEXIT

## System Return

Returns from the operating system to an application. It is a low-latency system return instruction designed for use by system and application software implementing a flat-segment memory model.

This is a privileged instruction. The current privilege level must be zero to execute this instruction. An invalid-opcode exception occurs if this instruction is used in long mode. Software should use the SYSRET (and SYSCALL) instructions when running in long mode.

When a system procedure performs a SYSEXIT back to application software, the CS selector is updated to point to the second descriptor entry after the SYSENTER CS value (MSR SYSENTER\_CS+16). The SS selector is updated to point to the third descriptor entry after the SYSENTER CS value (MSR SYSENTER\_CS+24). The CPL is forced to 3, as are the descriptor privilege levels.

The hidden portions of the CS and SS segment registers are not loaded from the descriptor table as they would be using a legacy x86 RET instruction. Instead, the hidden portions are forced by the processor to the following values:

- The CS and SS base values are forced to 0.
- The CS and SS limit values are forced to 4 Gbytes.
- The CS segment attributes are set to 32-bit read/execute at CPL 3.
- The SS segment attributes are set to read/write and expand-up with a 32-bit stack referenced by ESP.

System software must create corresponding descriptor-table entries referenced by the new CS and SS selectors that match the values described above.

The following additional actions result from executing SYSEXIT:

- EIP is loaded from EDX.
- ESP is loaded from ECX.

System software must explicitly load the return address and application software-stack pointer into the EDX and ECX registers prior to executing SYSEXIT.

For additional information on this instruction, see “SYSENTER and SYSEXIT (Legacy Mode Only)” in APM Volume 2.

Support for the SYSEXIT instruction is indicated by CPUID Fn0000\_0001\_EDX[SysEnterSysExit] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

## Instruction Encoding

| Mnemonic | Opcode | Description                                  |
|----------|--------|----------------------------------------------|
| SYSEXIT  | 0F 35  | Return from operating system to application. |

## Related Instructions

SYSCALL, SYSENTER, SYSRET

## rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    | 0  |    |       |    |    |    |    |    |    |    |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                   |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               | X         | The SYSENTER and SYSEXIT instructions are not supported, as indicated by CPUID Fn0000_0001_EDX[SysEnterSysExit] = 0. |
|                         |      |                 | X         | This instruction is not recognized in long mode.                                                                     |
| General protection, #GP | X    | X               |           | This instruction is only recognized in protected mode.                                                               |
|                         |      |                 | X         | CPL was not 0.                                                                                                       |
|                         |      |                 | X         | MSR_SYSENTER_CS was a null selector.                                                                                 |

## SYSRET

## Fast System Return

Returns from the operating system to an application. It is a low-latency system return instruction designed for use by system and application software implementing a flat segmentation memory model.

The SYSCALL and SYSRET instructions are low-latency system call and return control-transfer instructions that assume that the operating system implements a flat-segment memory model. By eliminating unneeded checks, and by loading pre-determined values into the CS and SS segment registers (both visible and hidden portions), calls to and returns from the operating system are greatly simplified. These instructions can be used in protected mode and are particularly well-suited for use in 64-bit mode, which requires implementation of a paged, flat-segment memory model.

This instruction has been optimized by reducing the number of checks and memory references that are normally made so that a call or return takes substantially fewer internal clock cycles when compared to the CALL/RET instruction method.

It is assumed that the base, limit, and attributes of the Code Segment will remain flat for all processes and for the operating system, and that only the current privilege level for the selector of the calling process should be changed from a current privilege level of 0 to a new privilege level of 3. It is also assumed (but not checked) that the RPL of the SYSCALL and SYSRET target selectors are set to 0 and 3, respectively.

SYSRET sets the CPL to 3, regardless of the values of bits 49:48 of the star register. SYSRET can only be executed in protected mode at CPL 0. SYSCALL and SYSRET must be enabled by setting EFER.SCE to 1.

It is the responsibility of the operating system to keep the descriptors in memory that correspond to the CS and SS selectors loaded by the SYSCALL and SYSRET instructions consistent with the segment base, limit, and attribute values forced by these instructions.

When a system procedure performs a SYSRET back to application software, the CS selector is updated from bits 63:50 of the STAR register (STAR.SYSRET\_CS) as follows:

- If the return is to 32-bit mode (legacy or compatibility), CS is updated with the value of STAR.SYSRET\_CS.
- If the return is to 64-bit mode, CS is updated with the value of STAR.SYSRET\_CS + 16.

In both cases, the CPL is forced to 3, effectively ignoring STAR bits 49:48. The SS selector is updated to point to the next descriptor-table entry after the CS descriptor (STAR.SYSRET\_CS + 8), and its RPL is not forced to 3.

The hidden portions of the CS and SS segment registers are not loaded from the descriptor table as they would be using a legacy x86 RET instruction. Instead, the hidden portions are forced by the processor to the following values:

- The CS base value is forced to 0.
- The CS limit value is forced to 4 Gbytes.

- The CS segment attributes are set to execute-read 32 bits or 64 bits (see below).
- The SS segment base, limit, and attributes are not modified.

When SYSCALLed system software is running in 64-bit mode, it has been entered from either 64-bit mode or compatibility mode. The corresponding SYSRET needs to know the mode to which it must return. Executing SYSRET in non-64-bit mode or with a 16- or 32-bit operand size returns to 32-bit mode with a 32-bit stack pointer. Executing SYSRET in 64-bit mode with a 64-bit operand size returns to 64-bit mode with a 64-bit stack pointer.

The instruction pointer is updated with the return address based on the operating mode in which SYSRET is executed:

- If returning to 64-bit mode, SYSRET loads RIP with the value of RCX.
- If returning to 32-bit mode, SYSRET loads EIP with the value of ECX.

How SYSRET handles RFLAGS depends on the processor's operating mode:

- If executed in 64-bit mode, SYSRET loads the lower-32 RFLAGS bits from R11[31:0] and clears the upper 32 RFLAGS bits.
- If executed in legacy mode or compatibility mode, SYSRET sets EFLAGS.IF.

For further details on the SYSCALL and SYSRET instructions and their associated MSR registers (STAR, LSTAR, and CSTAR), see “Fast System Call and Return” in APM Volume 2.

Support for the SYSRET instruction is indicated by CPUID Fn8000\_0001\_EDX[SysCallSysRet] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

## Instruction Encoding

| Mnemonic | Opcode | Description                   |
|----------|--------|-------------------------------|
| SYSRET   | 0F 07  | Return from operating system. |

## Action

// See “Pseudocode Definition” on page 61.

SYSRET\_START:

```
IF (MSR_EFER.SCE == 0)           // Check if syscall/sysret are enabled.  
    EXCEPTION [#UD]  
  
IF ((!PROTECTED_MODE) || (CPL != 0))  
    EXCEPTION [#GP(0)]           // SYSRET requires protected mode, cpl0  
  
IF (64BIT_MODE)  
    SYSRET_64BIT_MODE  
ELSE // (!64BIT_MODE)
```

```

SYSRET_NON_64BIT_MODE

SYSRET_64BIT_MODE:

IF (OPERAND_SIZE == 64)           // Return to 64-bit mode.
{
    CS.sel    = MSR_STAR.SYSRET_CS + 16) OR 3
    CS.base   = 0x00000000
    CS.limit  = 0xFFFFFFFF
    CS.attr   = 64-bit code,dpl3

    temp_RIP.q = RCX
}
ELSE                           // Return to 32-bit compatibility mode.
{
    CS.sel    = MSR_STAR.SYSRET_CS OR 3
    CS.base   = 0x00000000
    CS.limit  = 0xFFFFFFFF
    CS.attr   = 32-bit code,dpl3

    temp_RIP.d = RCX
}

SS.sel = MSR_STAR.SYSRET_CS + 8      // SS selector is changed,
                                      // SS base, limit, attributes unchanged.

RFLAGS.q = R11          // RF=0,VM=0
CPL = 3

IF (ShadowStacksEnabled at current CPL)
    SSP = PL3_SSP

RIP = temp_RIP
EXIT

SYSRET_NON_64BIT_MODE:

CS.sel    = MSR_STAR.SYSRET_CS OR 3 // Return to 32-bit legacy protected mode.
CS.base   = 0x00000000
CS.limit  = 0xFFFFFFFF
CS.attr   = 32-bit code,dpl3

temp_RIP.d = RCX

SS.sel = MSR_STAR.SYSRET_CS + 8      // SS selector is changed.
                                      // SS base, limit, attributes unchanged.

RFLAGS.IF = 1
CPL = 3

IF (ShadowStacksEnabled at current CPL)
    SSP = PL3_SSP

```

```
RIP = temp_RIP
EXIT
```

## Related Instructions

SYSCALL, SYSENTER, SYSEXIT

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
| M  | M   | M   | M  |    | 0  | M  | M     | M  | M  | M  | M  | M  | M  | M  | M  | M  |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                                     |
|-------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               | X         | The SYSCALL and SYSRET instructions are not supported, as indicated by CPUID Fn8000_0001_EDX[SysCallSysRet] = 0.                       |
|                         | X    | X               | X         | The system call extension bit (SCE) of the extended feature enable register (EFER) is set to 0. (The EFER register is MSR C000_0080h.) |
| General protection, #GP | X    | X               |           | This instruction is only recognized in protected mode.                                                                                 |
|                         |      |                 | X         | CPL was not 0.                                                                                                                         |

## TLBSYNC

## Synchronize TLB Invalidations

TLBSYNC acts as a synchronizing instruction to ensure that all logical processors in a system have responded to an INVLPG previously executed by the current logical processor. Upon execution of an INVLPG, the processor does not wait for confirmation that the other processors have performed the specified TLB invalidation. A TLBSYNC is therefore required before software can move forward with the knowledge that all requested invalidations have been completed in the system. A TLBSYNC also ensures that memory instructions using the translations invalidated by those prior INVLPG instructions have retired and writes using the translations have drained from the write combining buffers.

The TLBSYNC instruction is weakly ordered with respect to data and instruction prefetches.

The TLBSYNC instruction is strongly ordered with respect to surrounding loads and stores.

TLBSYNC is a serializing instruction and is privileged. It can only be executed at CPL 0. TLBSYNC is only supported in guests if enabled by hypervisor in the VMCB.

| Mnemonic | Opcode   | Description                               |
|----------|----------|-------------------------------------------|
| TLBSYNC  | 0F 01 FF | Synchronize broadcasted TLB Invalidations |

### Related Instructions

INVLPG

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                          |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | Instruction not supported as indicated by CPUID Fn8000_0008_EBX[INVLPG] = 0 |
|                            | X    | X               |           | Instruction is only recognized in protected mode                            |
|                            |      |                 | X         | The hypervisor has not enabled Guest usage of this instruction.             |
| General protection,<br>#GP |      |                 | X         | CPL was not 0                                                               |

## VERR

## Verify Segment for Reads

Verifies whether a code or data segment specified by the segment selector in the 16-bit register or memory operand is readable from the current privilege level. The zero flag (ZF) is set to 1 if the specified segment is readable. Otherwise, ZF is cleared.

A segment is readable if all of the following apply:

- the selector is not a null selector.
- the descriptor is within the GDT or LDT limit.
- the segment is a data segment or readable code segment.
- the descriptor DPL is greater than or equal to both the CPL and RPL, or the segment is a conforming code segment.

The processor does not recognize the VERR instruction in real or virtual-8086 mode.

| Mnemonic       | Opcode   | Description                                                      |
|----------------|----------|------------------------------------------------------------------|
| VERR reg/mem16 | 0F 00 /4 | Set the zero flag (ZF) to 1 if the segment selected can be read. |

### Related Instructions

ARPL, LAR, LSL, VERW

### rFLAGS Affected

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    | M  |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                     |
|----------------------------|------|-----------------|-----------|------------------------------------------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               |           | This instruction is only recognized in protected mode.                 |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or is non-canonical. |
| General protection,<br>#GP |      |                 | X         | A memory address exceeded a data segment limit or was non-canonical.   |
|                            |      |                 | X         | A null data segment was used to reference memory.                      |

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------|
| Page fault, #PF         |      |                 | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check,<br>#AC |      |                 | X         | An unaligned memory reference was performed while alignment checking was enabled. |

**VERW****Verify Segment for Write**

Verifies whether a data segment specified by the segment selector in the 16-bit register or memory operand is writable from the current privilege level. The zero flag (ZF) is set to 1 if the specified segment is writable. Otherwise, ZF is cleared.

A segment is writable if all of the following apply:

- the selector is not a null selector.
- the descriptor is within the GDT or LDT limit.
- the segment is a writable data segment.
- the descriptor DPL is greater than or equal to both the CPL and RPL.

The processor does not recognize the VERW instruction in real or virtual-8086 mode.

| Mnemonic       | Opcode   | Description                                                         |
|----------------|----------|---------------------------------------------------------------------|
| VERW reg/mem16 | 0F 00 /5 | Set the zero flag (ZF) to 1 if the segment selected can be written. |

**Related Instructions**

ARPL, LAR, LSL, VERR

**rFLAGS Affected**

| ID | VIP | VIF | AC | VM | RF | NT | IOPL  | OF | DF | IF | TF | SF | ZF | AF | PF | CF |
|----|-----|-----|----|----|----|----|-------|----|----|----|----|----|----|----|----|----|
|    |     |     |    |    |    |    |       |    |    |    |    |    |    | M  |    |    |
| 21 | 20  | 19  | 18 | 17 | 16 | 14 | 13:12 | 11 | 10 | 9  | 8  | 7  | 6  | 4  | 2  | 0  |

**Note:** Bits 31:22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags are blank. Undefined flags are U.

**Exceptions**

| Exception               | Real | Virtual 8086 | Protected | Cause of Exception                                                                |
|-------------------------|------|--------------|-----------|-----------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X            |           | This instruction is only recognized in protected mode.                            |
| Stack, #SS              |      |              | X         | A memory address exceeded the stack segment limit or was non-canonical.           |
| General protection, #GP |      |              | X         | A memory address exceeded a data segment limit or was non-canonical.              |
|                         |      |              | X         | A null data segment was used to access memory.                                    |
| Page fault, #PF         |      |              | X         | A page fault resulted from the execution of the instruction.                      |
| Alignment check, #AC    |      |              | X         | An unaligned memory reference was performed while alignment checking was enabled. |

## VMLOAD

## Load State from VMCB

Loads a subset of processor state from the VMCB specified by the system-physical address in the rAX register. The portion of RAX used to form the address is determined by the effective address size.

The VMSAVE and VMLOAD instructions complement the state save/restore abilities of VMRUN and #VMEXIT, providing access to hidden state that software is otherwise unable to access, plus some additional commonly-used state.

This is a Secure Virtual Machine (SVM) instruction. Support for the SVM architecture and the SVM instructions is indicated by CPUID Fn8000\_0001\_ECX[SVM] = 1. For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171.

This instruction generates a #UD exception if SVM is not enabled. See “Enabling SVM” in APM Volume 2.

| Mnemonic   | Opcode   | Description                      |
|------------|----------|----------------------------------|
| VMLOAD rAX | 0F 01 DA | Load additional state from VMCB. |

### Action

```

IF ((MSR_EFER.SVME == 0) || (!PROTECTED_MODE))
    EXCEPTION [#UD]           // This instruction can only be executed in protected
                                // mode with SVM enabled

IF (CPL != 0)                  // This instruction is only allowed at CPL 0
    EXCEPTION [#GP]

IF (rAX contains an unsupported system-physical address)
    EXCEPTION [#GP]

Load from a VMCB at system-physical address rAX:
    FS, GS, TR, LDTR (including all hidden state)
    KernelGsBase
    STAR, LSTAR, CSTAR, SFMASK
    SYSENTER_CS, SYSENTER_ESP, SYSENTER_EIP

```

### Related Instructions

VMSAVE

### rFLAGS Affected

None.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                      |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | The SVM instructions are not supported as indicated by CPUID Fn8000_0001(ECX[SVM] = 0). |
|                            |      |                 | X         | Secure Virtual Machine was not enabled (EFER.SVME=0).                                   |
|                            | X    | X               |           | The instruction is only recognized in protected mode.                                   |
| General protection,<br>#GP |      |                 | X         | CPL was not 0.                                                                          |
|                            |      |                 | X         | rAX referenced a physical address above the maximum supported physical address.         |
|                            |      |                 | X         | The address in rAX was not aligned on a 4Kbyte boundary.                                |

## VMMCALL VMGEXIT

## Call VMM SEV-ES Exit to VMM

VMMCALL and VMGEXIT provide a mechanism for a non-SEV-ES and an SEV-ES guest, respectively, to explicitly communicate with the VMM by generating a #VMEXIT.

A non-intercepted VMMCALL unconditionally raises a #UD exception. VMGEXIT is always intercepted and unconditionally causes a #VMEXIT.

VMMCALL and VMGEXIT instructions are allowed in all modes and at all privilege levels. These instructions generate a #UD exception if SVM is not enabled. See “Enabling SVM” in APM Volume 2.

VMMCALL and VMGEXIT are Secure Virtual Machine (SVM) instructions. Support for the SVM architecture and the SVM instructions is indicated by CPUID Fn8000\_0001\_ECX[SVM] = 1. Support for VMGEXIT instruction is indicated by CPUID Fn8000\_001F\_EAX[SEV-ES] = 1. The VMGEXIT encoding is interpreted as VMMCALL on processors that do not explicitly support VMGEXIT, including legacy processors, or if VMGEXIT instruction is not executed by an SEV-ES guest. For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171.

| Mnemonic | Opcode         | Description                                         |
|----------|----------------|-----------------------------------------------------|
| VMMCALL  | 0F 01 D9       | Explicit communication with the VMM.                |
| VMGEXIT  | F2/F3 0F 01 D9 | Explicit communication with the VMM for SEV-ES VMs. |

### Related Instructions

None.

### rFLAGS Affected

None.

### Exceptions

| Exception           | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                     |
|---------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------|
| Invalid opcode, #UD | X    | X               | X         | The SVM instructions are not supported as indicated by CPUID Fn8000_0001_ECX[SVM] = 0. |
|                     | X    | X               | X         | Secure Virtual Machine was not enabled (EFER.SVME=0).                                  |
|                     | X    | X               | X         | VMMCALL was not intercepted.                                                           |

## VMRUN

## Run Virtual Machine

Starts execution of a guest instruction stream. The physical address of the *virtual machine control block* (VMCB) describing the guest is taken from the rAX register (the portion of RAX used to form the address is determined by the effective address size). The physical address of the VMCB must be aligned on a 4KB boundary.

VMRUN saves a subset of host processor state to the host state-save area specified by the physical address in the VM\_HSAVE\_PA MSR. VMRUN then loads guest processor state (and control information) from the VMCB at the physical address specified in rAX. The processor then executes guest instructions until one of several *intercept* events (specified in the VMCB) is triggered. When an intercept event occurs, the processor stores a snapshot of the guest state back into the VMCB, reloads the host state, and continues execution of host code at the instruction following the VMRUN instruction.

This is a Secure Virtual Machine (SVM) instruction. Support for the SVM architecture and the SVM instructions is indicated by CPUID Fn8000\_0001\_ECX[SVM] = 1. For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171.

This instruction generates a #UD exception if SVM is not enabled. See “Enabling SVM” in APM Volume 2.

The VMRUN instruction is not supported in System Management Mode. Processor behavior resulting from an attempt to execute this instruction from within the SMM handler is undefined.

### Instruction Encoding

| Mnemonic  | Opcode   | Description                       |
|-----------|----------|-----------------------------------|
| VMRUN rAX | 0F 01 D8 | Performs a world-switch to guest. |

### Action

```

IF ((MSR_EFER.SVME == 0) || (!PROTECTED_MODE))
    EXCEPTION [#UD]           // This instruction can only be executed in protected
                                // mode with SVM enabled

IF (CPL != 0)                  // This instruction is only allowed at CPL 0
    EXCEPTION [#GP]

IF (rAX contains an unsupported physical address)
    EXCEPTION [#GP]

IF (intercepted(VMRUN))
    #VMEXIT (VMRUN)
remember VMCB address (delivered in rAX) for next #VMEXIT
save host state to physical memory indicated in the VM_HSAVE_PA MSR:
    ES.sel
    CS.sel
    SS.sel

```

```
DS.sel
GDTR.{base,limit}
IDTR.{base,limit}
EFER
CR0
CR4
CR3
// host CR2 is not saved
RFLAGS
RIP
RSP
RAX
```

from the VMCB at physical address rAX, load control information:

```
intercept vector
TSC_OFFSET
interrupt control (v_irq, v_intr_*, v_tpr)
EVENTINJ field
ASID
```

```
IF(nested paging supported)
NP_ENABLE
IF (NP_ENABLE == 1)
nCR3
```

from the VMCB at physical address rAX, load guest state:

```
ES.{base,limit,attr,sel}
CS.{base,limit,attr,sel}
SS.{base,limit,attr,sel}
DS.{base,limit,attr,sel}
GDTR.{base,limit}
IDTR.{base,limit}
EFER
CR0
CR4
CR3
CR2
IF (NP_ENABLE == 1)
gPAT           // Leaves host hPAT register unchanged.
RFLAGS
RIP
RSP
RAX
DR7
DR6
CPL           // 0 for real mode, 3 for v86 mode, else as loaded.
INTERRUPT_SHADOW

IF (LBR virtualization supported)
LBR_VIRTUALIZATION_ENABLE
IF (LBR_VIRTUALIZATION_ENABLE == 1)
```

```
save LBR state to the host save area
    DBGCTL
    BR_FROM
    BR_TO
    LASTEXCP_FROM
    LASTEXCP_TO
load LBR state from the VMCB
    DBGCTL
    BR_FROM
    BR_TO
    LASTEXCP_FROM
    LASTEXCP_TO

IF (guest state consistency checks fail)
    #VMEXIT(INVALID)
```

Execute command stored in TLB\_CONTROL.

```
GIF = 1          // allow interrupts in the guest
IF (EVENTINJ.V)
    cause exception/interrupt in guest
else
    jump to first guest instruction
```

Upon #VMEXIT, the processor performs the following actions in order to return to the host execution context:

```
GIF = 0
save guest state to VMCB:
    ES.{base,limit,attr,sel}
    CS.{base,limit,attr,sel}
    SS.{base,limit,attr,sel}
    DS.{base,limit,attr,sel}
    GDTR.{base,limit}
    IDTR.{base,limit}
    EFER
    CR4
    CR3
    CR2
    CR0
    if (nested paging enabled)
        gPAT
    RFLAGS
    RIP
    RSP
    RAX
    DR7
    DR6
    CPL
    INTERRUPT_SHADOW
save additional state and intercept information:
    V_IRQ, V_TPR
```

```
EXITCODE
EXITINFO1
EXITINFO2
EXITINTINFO
clear EVENTINJ field in VMCB

prepare for host mode by clearing internal processor state bits:
    clear intercepts
    clear v_irq
    clear v_intr_masking
    clear tsc_offset
    disable nested paging
    clear ASID to zero

reload host state
    GDTR.{base,limit}
    IDTR.{base,limit}
    EFER
    CR0
    CR0.PE = 1 // saved copy of CR0.PE is ignored
    CR4
    CR3
    if (host is in PAE paging mode)
        reloaded host PDPEs
    // Do not reload host CR2 or PAT
    RFLAGS
    RIP
    RSP
    RAX
    DR7 = "all disabled"
    CPL = 0
    ES.sel; reload segment descriptor from GDT
    CS.sel; reload segment descriptor from GDT
    SS.sel; reload segment descriptor from GDT
    DS.sel; reload segment descriptor from GDT

if (LBR virtualization supported)
    LBR_VIRTUALIZATION_ENABLE
    if (LBR_VIRTUALIZATION_ENABLE == 1)
        save LBR state to the VMCB:
            DBGCTL
            BR_FROM
            BR_TO
            LASTEXCP_FROM
            LASTEXCP_TO
        load LBR state from the host save area:
            DBGCTL
            BR_FROM
            BR_TO
            LASTEXCP_FROM
            LASTEXCP_TO
```

```
if (illegal host state loaded, or exception while loading host state)
    shutdown
else
    execute first host instruction following the VMRUN
```

## Related Instructions

VMLOAD, VMSAVE.

## rFLAGS Affected

None.

## Exceptions

| Exception               | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                      |
|-------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------|
| Invalid opcode, #UD     | X    | X               | X         | The SVM instructions are not supported as indicated by CPUID Fn8000_0001(ECX[SVM] = 0). |
|                         |      |                 | X         | Secure Virtual Machine was not enabled (EFER.SVME=0).                                   |
|                         | X    | X               |           | The instruction is only recognized in protected mode.                                   |
| General protection, #GP |      |                 | X         | CPL was not 0.                                                                          |
|                         |      |                 | X         | rAX referenced a physical address above the maximum supported physical address.         |
|                         |      |                 | X         | The address in rAX was not aligned on a 4Kbyte boundary.                                |

## VMSAVE

## Save State to VMCB

Stores a subset of the processor state into the VMCB specified by the system-physical address in the rAX register (the portion of RAX used to form the address is determined by the effective address size).

The VMSAVE and VMLOAD instructions complement the state save/restore abilities of VMRUN and #VMEXIT, providing access to hidden state that software is otherwise unable to access, plus some additional commonly-used state.

This is a Secure Virtual Machine (SVM) instruction. Support for the SVM architecture and the SVM instructions is indicated by CPUID Fn8000\_0001\_ECX[SVM] = 1. For more information on using the CPUID instruction, see the reference page for the CPUID instruction on page 171.

This instruction generates a #UD exception if SVM is not enabled. See “Enabling SVM” in APM Volume 2.

### Instruction Encoding

| Mnemonic   | Opcode   | Description                          |
|------------|----------|--------------------------------------|
| VMSAVE rAX | OF 01 DB | Save additional guest state to VMCB. |

### Action

```
IF ((MSR_EFER.SVME == 0) || (!PROTECTED_MODE))
    EXCEPTION [#UD]           // This instruction can only be executed in protected
                                // mode with SVM enabled
```

```
IF (CPL != 0)                  // This instruction is only allowed at CPL 0
    EXCEPTION [#GP]
```

```
IF (rAX contains an unsupported system-physical address)
    EXCEPTION [#GP]
```

```
Store to a VMCB at system-physical address rAX:
    FS, GS, TR, LDTR (including all hidden state)
    KernelGsBase
    STAR, LSTAR, CSTAR, SFMASK
    SYSENTER_CS, SYSENTER_ESP, SYSENTER_EIP
```

### Related Instructions

VMLOAD

### rFLAGS Affected

None.

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                      |
|----------------------------|------|-----------------|-----------|-----------------------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | The SVM instructions are not supported as indicated by CPUID Fn8000_0001(ECX[SVM]) = 0. |
|                            |      |                 | X         | Secure Virtual Machine was not enabled (EFER.SVME=0).                                   |
|                            | X    | X               |           | The instruction is only recognized in protected mode.                                   |
| General protection,<br>#GP |      |                 | X         | CPL was not 0.                                                                          |
|                            |      |                 | X         | rAX referenced a physical address above the maximum supported physical address.         |
|                            |      |                 | X         | The address in rAX was not aligned on a 4Kbyte boundary.                                |

## WBINVD WBNOINVD

## Writeback and Invalidate Caches Writeback With No Invalidate

WBINVD writes all modified lines in all levels of cache associated with this processor to main memory and invalidates the caches. This may or may not include lower level caches associated with another processor that shares any level of this processor's cache hierarchy. WBNOINVD does not invalidate the caches, instead leaving all (or most) cache lines in the cache hierarchy in non-modified state, but in all other respects it behaves the same as WBINVD.

CPUID Fn8000\_001D\_EDX[WBINVD]\_xN indicates the behavior of the operation at various levels of the cache hierarchy, for both WBINVD and WBNOINVD, with respect to lower branches in the cache hierarchy. If the feature bit is 0, the instruction causes the write back and (for WBINVD) invalidation of all lower level caches of other processors sharing the designated level of cache. If the feature bit is 1, the instruction does not necessarily cause the write back and invalidation of all lower level caches of other processors sharing the designated level of cache. See Appendix E, “Obtaining Processor Information Via the CPUID Instruction,” on page 621 for more information on using the CPUID function.

The INVD instruction can be used when cache coherence with memory is not important.

These instructions do not invalidate TLB caches.

These are privileged instructions. The current privilege level of a procedure invalidating the processor's internal caches must be zero.

WBINVD and WBNOINVD are serializing instructions

Support for WBNOINVD is indicated by CPUID Fn8000\_0008\_EBX[WBNOINVD] = 1. However, the encoding of WBNOINVD results in it being interpreted as WBINVD on processors that do not explicitly support WBNOINVD, including legacy processors. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

On some processor implementations, WBINVD and WBNOINVD can be made interruptible by setting EFER.INTWB to 1. When this bit is set, the processor periodically checks pending interrupts while flushing the caches. If an interrupt is pending, the processor stops flushing the caches, saves the instruction pointer and transfers control to the interrupt handler. Upon returning from the interrupt handler, the processor restarts the flush process from the beginning as lines may have been modified and cached while executing the interrupt handler. Interruptible WBINVD and WBNOINVD support is indicated by CPUID Fn8000\_0008\_EBX[INT\_WBINVD] (bit 13) = 1.

| Mnemonic | Opcode   | Description                                                                                                |
|----------|----------|------------------------------------------------------------------------------------------------------------|
| WBINVD   | 0F 09    | Write modified cache lines to main memory, invalidate internal caches, and trigger external cache flushes. |
| WBNOINVD | F3 0F 09 | Write modified cache lines to main memory and trigger external cache flushes.                              |

## Related Instructions

CLFLUSH, CLWB, INVD

## rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception |
|----------------------------|------|-----------------|-----------|--------------------|
| General protection,<br>#GP |      | X               | X         | CPL was not 0.     |

## WRMSR

## Write to Model-Specific Register

Writes data to 64-bit model-specific registers (MSRs). These registers are widely used in performance-monitoring and debugging applications, as well as testability and program execution tracing.

This instruction writes the contents of the EDX:EAX register pair into a 64-bit model-specific register specified in the ECX register. The 32 bits in the EDX register are mapped into the high-order bits of the model-specific register and the 32 bits in EAX form the low-order 32 bits.

This instruction must be executed at a privilege level of 0 or a general protection fault #GP(0) will be raised. This exception is also generated if an attempt is made to specify a reserved or unimplemented model-specific register in ECX.

WRMSR is a serializing instruction for most MSRs, however some x2APIC and AVIC MSRs may have relaxed serialization semantics. See the APIC and AVIC sections in APM Volume 2 for details.

Support for the WRMSR instruction is indicated by CPUID Fn0000\_0001\_EDX[MSR] = 1 OR CPUID Fn8000\_0001\_EDX[MSR] = 1. For more information on using the CPUID instruction, see the description of the CPUID instruction on page 171.

The CPUID instruction can provide model information useful in determining the existence of a particular MSR.

See “Model-Specific Registers (MSRs)” in APM Volume 2 for more information about model-specific registers, machine check architecture, performance monitoring and debug registers.

| Mnemonic | Opcode | Description                                |
|----------|--------|--------------------------------------------|
| WRMSR    | 0F 30  | Write EDX:EAX to the MSR specified by ECX. |

### Related Instructions

RDMSR

### rFLAGS Affected

None

### Exceptions

| Exception              | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                                                        |
|------------------------|------|-----------------|-----------|---------------------------------------------------------------------------------------------------------------------------|
| Invalid opcode,<br>#UD | X    | X               | X         | The WRMSR instruction is not supported, as indicated by CPUID Fn0000_0001_EDX[MSR] = 0 OR CPUID Fn8000_0001_EDX[MSR] = 0. |

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                                     |
|----------------------------|------|-----------------|-----------|----------------------------------------------------------------------------------------|
| General protection,<br>#GP |      | X               | X         | CPL was not 0.                                                                         |
|                            | X    |                 | X         | The value in ECX specifies a reserved or unimplemented MSR address.                    |
|                            | X    |                 | X         | Writing 1 to any bit that must be zero (MBZ) in the MSR.                               |
|                            | X    |                 | X         | Writing a non-canonical value to a MSR that can only be written with canonical values. |

## WRPKRU

## Write Protection Key Rights

Writes the contents of the 32-bit Protection Key Rights (PKRU) register with the value in EAX. This instruction forces strong memory ordering between load and store instructions preceding the WRPKRU, and load and store instructions that follow the WRPKRU.

This instruction must be executed with ECX=0 and EDX=0, otherwise a general protection fault (#GP) is generated. The upper 32 bits of RCX and RDX are ignored. The WRPKRU instruction ignores operand size overrides.

Memory protection keys must be enabled (CR4.PKE=1), otherwise executing this instruction generates an invalid opcode fault (#UD).

Software can check that system software has enabled memory protection keys (CR4.PKE=1) by testing CPUID Function 0000\_0007h\_ECX[OSPKE]. (See Section 5, “Protection Key Rights for User Pages” in APM Volume 2 for more information on memory protection keys.)

WRPKRU can be executed at any privilege level.

| Mnemonic | Opcode   | Description                            |
|----------|----------|----------------------------------------|
| WRPKRU   | 0F 01 EF | Write the value in EAX to the PKRU MSR |

### Related Instructions

RDPKRU

### rFLAGS Affected

None

### Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                   |
|----------------------------|------|-----------------|-----------|--------------------------------------|
| Invalid opcode,<br>#UD     | X    | X               | X         | CR4.PKE=0                            |
| General protection,<br>#GP |      |                 | X         | ECX was not zero or EDX was not zero |

**WRSS****Write to Shadow Stack**

Writes 4 or 8 bytes from the source register operand to the specified address in a shadow stack page. The operand size is 8 bytes in 64-bit mode (when REX.W set to 1) and 4 bytes in all other cases.

If shadow stacks are not enabled at the current privilege level, or if WRSS is not enabled at the current privilege level a #UD exception is generated.

| Mnemonic                  | Opcode      | Description                            |
|---------------------------|-------------|----------------------------------------|
| WRSS <i>mem32, reg32</i>  | 66 0F 38 F6 | Write 4 bytes to shadow stack at mem32 |
| WRSSQ <i>mem64, reg64</i> | 66 0F 38 F6 | Write 8 bytes to shadow stack at mem64 |

**Action**

```
// see "Pseudocode Definition" on page 57

IF (CPL == 3)
{
    IF ((CR4.CET && U_CET.SH_STK_EN) == 0)
        EXCEPTION [#UD]
    IF (U_CET.WR_SSTK_EN == 0)
        EXCEPTION [#UD]           // WRSS not enabled in U_CET
}
ELSE // CPL < 3
{
    IF ((CR4.CET && S_CET.SH_STK_EN) == 0)
        EXCEPTION [#UD]
    IF (S_CET.WR_SSTK_EN == 0)
        EXCEPTION [#UD]           // WRSS not enabled in S_CET
}

IF (OPERAND_SIZE == 64)
{
    temp_LinAddr = Linear_Address(mem64)
    IF (temp_LinAddr is 8-byte aligned)
        SSTK_WRITE_MEMORY.q[temp_LinAddr] = reg64[63:0] // write reg64
                                                // to shadow stack
    ELSE
        EXCEPTION [#GP(0)]
}
ELSE
{
    temp_LinAddr = Linear_Address(mem32)
    IF (tmp_LinAddr is 4-byte aligned)
        SSTK_WRITE_MEMORY.d[temp_LinAddr] = reg32[31:0] // write reg32
                                                // to shadow stack
    ELSE
        EXCEPTION [#GP(0)]
}
```

EXIT

**Related Instructions**

WRUSS

**rFLAGS Affected**

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | Instruction is only recognized in protected mode.                       |
|                            |      |                 | X         | CR4.CET = 0.                                                            |
|                            |      |                 | X         | Shadow stacks are not enabled at the current privilege level.           |
|                            |      |                 | X         | If CPL == 3 and U_CET.WR_SHSTK_EN = 0.                                  |
|                            |      |                 | X         | If CPL !=3 and S_CET.WR_SHSTK_EN = 0.                                   |
|                            |      |                 | X         | If mod=11b (register destination was specified).                        |
| General protection,<br>#GP |      |                 | X         | Address not 8-byte aligned for 64-bit operand size.                     |
|                            |      |                 | X         | Address not 4-byte aligned for 32-bit operand size.                     |
|                            |      |                 | X         | A memory address exceeded a data segment limit.                         |
|                            |      |                 | X         | In long mode, the address of the memory operand was non-canonical.      |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |
|                            |      |                 | X         | A non-writeable data segment was used.                                  |
|                            |      |                 | X         | An execute-only code segment was used to reference memory.              |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| Page fault, #PF            |      |                 | X         | A page fault resulted from the execution of the instruction.            |
|                            |      |                 | X         | The destination was not a shadow stack page.                            |

## WRUSS

## Write to User Shadow Stack

Writes 4 or 8 bytes from the source register operand to the specified address in a user shadow stack page. The write is performed with user-mode shadow stack semantics. The operand size is 8 bytes in 64-bit mode (when REX.W set to 1) and 4 bytes in all other cases.

The destination must be a user shadow stack page, otherwise a #PF exception is generated. WRUSS is a privileged instruction and must be executed with CPL=0, otherwise a #GP exception is generated.

| Mnemonic                   | Opcode      | Description                        |
|----------------------------|-------------|------------------------------------|
| WRUSSD <i>mem32, reg32</i> | 66 0F 38 F5 | Write 4 bytes to user shadow stack |
| WRUSSQ <i>mem64, reg64</i> | 66 0F 38 F5 | Write 8 bytes to user shadow stack |

### Action

```
// see "Pseudocode Definition" on page 57

IF (CR4.CET == 0)
    EXCEPTION [#UD]
IF (CPL != 0)
    EXCEPTION [#GP(0)]

IF (OPERAND_SIZE == 64)
{
    temp_LinAddr = Linear_Address(mem64)
    IF (temp_LinAddr is 8-byte aligned)
        SSTK_WRITE_MEM.q[tmp_LinAddr] = reg64[63:0] // write as user access
    ELSE
        EXCEPTION [#GP(0)]
}
ELSE
{
    temp_LinAddr = Linear_Address(mem32)
    IF (tmp_LinAddr is 4-byte aligned)
        SSTK_WRITE_MEM.d[temp_LinAddr] = reg32[31:0] // write as user access
    ELSE
        EXCEPTION [#GP(0)]
}

EXIT
```

### Related Instructions

WRSS

### rFLAGS Affected

None

## Exceptions

| Exception                  | Real | Virtual<br>8086 | Protected | Cause of Exception                                                      |
|----------------------------|------|-----------------|-----------|-------------------------------------------------------------------------|
| Invalid opcode, #UD        | X    | X               | X         | Instruction is only recognized in protected mode.                       |
|                            |      |                 | X         | CR4.CET = 0.                                                            |
|                            |      |                 | X         | If mod=11b (register destination was specified).                        |
| General protection,<br>#GP |      |                 | X         | If CPL != 0.                                                            |
|                            |      |                 | X         | Address not 8-byte aligned for 64-bit operand size.                     |
|                            |      |                 | X         | Address not 4-byte aligned for 32-bit operand size.                     |
|                            |      |                 | X         | A memory address exceeded a data segment limit.                         |
|                            |      |                 | X         | In long mode, the address of the memory operand was non-canonical.      |
|                            |      |                 | X         | A null data segment was used to reference memory.                       |
|                            |      |                 | X         | A non-writable data segment was used.                                   |
|                            |      |                 | X         | An execute-only code segment was used to reference memory.              |
| Stack, #SS                 |      |                 | X         | A memory address exceeded the stack segment limit or was non-canonical. |
| Page fault, #PF            |      |                 | X         | The linear address is not a user shadow stack page.                     |
|                            |      |                 | X         | A page fault resulted from the execution of the instruction.            |

## Appendix A Opcode and Operand Encodings

This appendix specifies the opcode and operand encodings for each instruction in the AMD64 instruction set. As discussed in Chapter 1, “Instruction Encoding,” the basic operation and implied operand type(s) of an instruction are encoded by the binary value of the opcode byte. The correspondence between an opcode binary value and its meaning is provided by the *opcode map*.

Each opcode map has 256 entries and can encode up to 256 different operations. Since the AMD64 instruction set comprises more than 256 instructions, multiple opcode maps are utilized to encode the instruction set. A particular opcode map is selected using the instruction encoding syntax diagrammed in Figure 1-1 on page 2. For each opcode map, values may be reserved or utilized for purposes other than encoding an instruction operation.

To preserve compatibility with future instruction architectural extensions, reserved opcodes should not be used. If a means to reliably cause an invalid-opcode exception (#UD) is required, software should use one of the UDx opcodes. These opcodes are set aside for this purpose and will not be used for future instructions. The UD opcodes are located on the secondary opcode map at code points B9h, 0Bh, and FFh.

The following section provides a key to the notation used in the opcode maps to specify the implied operand types.

### Opcode-Syntax Notation

In the opcode maps which follow, each table entry represents a specific form of an instruction, identifying the instruction by its mnemonic and listing the operand or operands peculiar to that opcode. If a register-based operand is specified by the opcode itself, the operand is represented directly using the register mnemonic as defined in “Summary of Registers and Data Types” on page 42. If the operand is encoded in one or more bytes following the opcode byte, the following special notation is used to represent the operand and its encoding in more generic terms.

This special notation, used exclusively in the opcode maps, is composed of three parts:

- an initial capital letter that represents the operand source / destination (register-based, memory-based, or immediate) and how it is encoded in the instruction (either as an immediate, or via the ModRM.reg, ModRM.{mod,r/m}, or EVEX/XOP.vvvv fields). For register-based operands, the initial letter also specifies the register type (General-purpose, MMX, ZMM/YMM/XMM, debug, or control register).
- one, two, or three letter modifier (in lowercase) that represents the data type (for example, byte, word, quadword, packed single-precision floating-point vector).
- *x*, which indicates for an SSE instruction that the instruction supports both vector sizes (128 bits and 256 bits). The specific vector size is encoded in the VEX/XOP.L field. L=0 indicates 128 bits and L=1 indicates 256 bits.

The following list describes the meaning of each letter that is used in the first position of the operand notation:

- A* A far pointer encoded in the instruction. No ModRM byte in the instruction encoding.
- B* General-purpose register specified by the VEX or XOP vvvv field, or by the EVEX V' and vvvv fields.
- C* Control register specified by the ModRM.reg field.
- D* Debug register specified by the ModRM.reg field.
- E* General purpose register or memory operand specified by the r/m field of the ModRM byte. For memory operands, the ModRM byte may be followed by a SIB byte to specify one of the indexed register-indirect addressing forms.
- F* rFLAGS register.
- G* General purpose register specified by the ModRM.reg field.
- H* ZMM, YMM, or XMM register specified by the VEX/XOP.vvvv field or by the EVEX V' and vvvv fields.
- I* Immediate value encoded in the instruction immediate field.
- J* The instruction encoding includes a relative offset that is added to the rIP.
- KM* K mask register specified by the ModRM.r/m field.
- KR* K mask register specified by the ModRM.reg field.
- KV* K mask register specified by the VEX.vvvv field or by the EVEX vvvv field.
- KW* K mask register or memory operand specified by the ModRM.r/m field.
- L* YMM or XMM register specified using the most-significant 4 bits of an 8-bit immediate value. In legacy or compatibility mode the most significant bit is ignored.
- M* A memory operand specified by the {mod, r/m} field of the ModRM byte. ModRM.mod ≠ 11b.
- M\** A sparse array of memory operands addressed using the VSIB addressing mode. See “VSIB Addressing” in APM Volume 4.
- N* 64-bit MMX register specified by the ModRM.r/m field. The ModRM.mod field must be 11b.
- O* The offset of an operand is encoded in the instruction. There is no ModRM byte in the instruction encoding. Indexed register-indirect addressing using the SIB byte is not supported.
- P* 64-bit MMX register specified by the ModRM.reg field.
- Q* 64-bit MMX-register or memory operand specified by the {mod, r/m} field of the ModRM byte. For memory operands, the ModRM byte may be followed by a SIB byte to specify one of the indexed register-indirect addressing forms.
- R* General purpose register specified by the ModRM.r/m field. The ModRM.mod field must be 11b.

- S* Segment register specified by the ModRM.reg field.
- U* ZMM/YMM/XMM register specified by the ModRM.r/m field. The ModRM.mod field must be 11b.
- V* ZMM/YMM/XMM register specified by the ModRM.reg field.
- W* ZMM/YMM/XMM register or memory operand specified by the {mod, r/m} field of the ModRM byte. For memory operands, the ModRM byte may be followed by a SIB byte to specify one of the indexed register-indirect addressing forms.
- X* A memory operand addressed by the DS.rSI registers. Used in string instructions.
- Y* A memory operand addressed by the ES.rDI registers. Used in string instructions.

The following list provides the key for the second part of the operand notation:

- a* Two 16-bit or 32-bit memory operands, depending on the effective operand size. Used in the BOUND instruction.
- b* A byte, irrespective of the effective operand size.
- c* A byte or a word, depending on the effective operand size.
- d* A doubleword (32 bits), irrespective of the effective operand size.
- do* A double octword (256 bits), irrespective of the effective operand size.
- i* A 16-bit integer.
- j* A 32-bit integer.
- m* A bit mask of size equal to the source operand.
- mn* Where  $n = 2, 4, 8$ , or 16. A bit mask of size  $n$ .
- o* An octword (128 bits), irrespective of the effective operand size.
- o.q* Operand is either the upper or lower half of a 128-bit value.
- p* A 32- or 48-bit far pointer, depending on 16- or 32-bit effective operand size.
- pb* Vector with byte-wide (8-bit) elements (packed byte).
- pd* A double-precision (64-bit) floating-point vector operand (packed double-precision).
- pdw* Vector composed of 32-bit doublewords.
- ph* A half-precision (16-bit) floating-point vector operand (packed half-precision)
- pi* Vector composed of 16-bit integers (packed integer).
- pj* Vector composed of 32-bit integers (packed double integer).
- pk* Vector composed of 8-bit integers (packed half-word integer).
- pq* Vector composed of 64-bit integers (packed quadword integer).
- pqw* Vector composed of 64-bit quadwords (packed quadword).

- ps* A single-precision floating-point vector operand (packed single-precision).
- pw* Vector composed of 16-bit words (packed word).
- q* A quadword (64 bits), irrespective of the effective operand size.
- s* A 6-byte or 10-byte pseudo-descriptor.
- sd* A scalar double-precision floating-point operand (scalar double).
- sj* A scalar doubleword (32-bit) integer operand (scalar double integer).
- ss* A scalar single-precision floating-point operand (scalar single).
- v* A word, doubleword, or quadword (in 64-bit mode), depending on the effective operand size.
- w* A word, irrespective of the effective operand size.
- x* Instruction supports both vector sizes (128 bits or 256 bits). Size is encoded using the VEX/XOP.L field. (L=0: 128 bits; L=1: 256 bits). This symbol may be appended to *ps* or *pd* to represent a packed single- or double-precision floating-point vector of either size; or to *pk*, *pi*, *pj*, or *pq*, to represent a packed 8-bit, 16-bit, 32-bit, or 64-bit packed integer vector of either size.
- y* A doubleword or quadword depending on effective operand size.
- z* A word if the effective operand size is 16 bits, or a doubleword if the effective operand size is 32 or 64 bits.

For the EVEX encoded instructions, there are 2 modifiers that may be present:

- .*k* The instruction takes a K mask in EVEX.aaa that enables merge-masking.
- .*kz* The instruction takes a K mask in EVEX.aaa that enables merge-masking or zero-masking, depending on the value of EVEX.z.

For some instructions, fields in the ModRM or SIB byte are used as encoding extensions. This is indicated using the following notation:

- /*n* A ModRM-byte *reg* field or SIB-byte *base* field, where *n* is a value between zero (000b) and 7 (111b).

For SSE instructions that take scalar operands, VEX/XOP.L field is ignored.

For immediates and memory-based operands, only the size and not the data type is indicated. Operand widths and data types are specified based on the source operands. For instructions where the result overwrites one of the source registers, the data width and data type of the result may not match that of the source register. See individual instruction descriptions for more details.

## A.1      Opcode Maps

In all of the following opcode maps, cells shaded gray represent reserved opcodes.

### A.1.1 Legacy Opcode Maps

**Primary Opcode Map.** Tables A-1 and A-2 below show the primary opcode map (known in legacy terminology as one-byte opcodes).

Table A-1 below shows those instructions for which the low nibble is in the range 0–7h. Table A-2 on page 525 shows those instructions for which the low nibble is in the range 8–Fh. In both tables, the rows show the full range (0–Fh) of the high nibble, and the columns show the specified range of the low nibble.

**Table A-1. Primary Opcode Map (One-byte Opcodes), Low Nibble 0–7h**

| Nibble <sup>1</sup> | 0                                        | 1                                      | 2                            | 3                                                            | 4                       | 5                       | 6                                  | 7                                  |
|---------------------|------------------------------------------|----------------------------------------|------------------------------|--------------------------------------------------------------|-------------------------|-------------------------|------------------------------------|------------------------------------|
| 0                   | ADD                                      |                                        |                              |                                                              |                         |                         | PUSH ES <sup>3</sup>               | POP ES <sup>3</sup>                |
|                     | Eb, Gb                                   | Ev, Gv                                 | Gb, Eb                       | Gv, Ev                                                       | AL, Ib                  | rAX, Iz                 |                                    |                                    |
| 1                   | ADC                                      |                                        |                              |                                                              |                         |                         | PUSH SS <sup>3</sup>               | POP SS <sup>3</sup>                |
|                     | Eb, Gb                                   | Ev, Gv                                 | Gb, Eb                       | Gv, Ev                                                       | AL, Ib                  | rAX, Iz                 |                                    |                                    |
| 2                   | AND                                      |                                        |                              |                                                              |                         |                         | seg ES <sup>6</sup>                | DAA <sup>3</sup>                   |
|                     | Eb, Gb                                   | Ev, Gv                                 | Gb, Eb                       | Gv, Ev                                                       | AL, Ib                  | rAX, Iz                 |                                    |                                    |
| 3                   | XOR                                      |                                        |                              |                                                              |                         |                         | seg SS <sup>6</sup>                | AAA <sup>3</sup>                   |
|                     | Eb, Gb                                   | Ev, Gv                                 | Gb, Eb                       | Gv, Ev                                                       | AL, Ib                  | rAX, Iz                 |                                    |                                    |
| 4                   | INC / REX prefix <sup>5</sup>            |                                        |                              |                                                              |                         |                         |                                    |                                    |
|                     | eAX                                      | eCX                                    | eDX                          | eBX                                                          | eSP                     | eBP                     | eSI                                | eDI                                |
| 5                   | PUSH                                     |                                        |                              |                                                              |                         |                         |                                    |                                    |
|                     | rAX/r8                                   | rCX/r9                                 | rDX/r10                      | rBX/r11                                                      | rSP/r12                 | rBP/r13                 | rSI/r14                            | rDI/r15                            |
| 6                   | PUSHA <sup>3</sup><br>PUSHD <sup>3</sup> | POPA <sup>3</sup><br>POPD <sup>3</sup> | BOUND <sup>3</sup><br>Gv, Ma | ARPL <sup>3</sup><br>Ew, Gw<br>MOVSXD <sup>4</sup><br>Gv, Ez | seg FS<br>prefix        | seg GS<br>prefix        | operand size<br>override<br>prefix | address<br>size override<br>prefix |
| 7                   | JO Jb                                    | JNO Jb                                 | JB Jb                        | JNB Jb                                                       | JZ Jb                   | JNZ Jb                  | JBE Jb                             | JNBE Jb                            |
| 8                   | Group 1 <sup>2</sup>                     |                                        |                              |                                                              | TEST                    |                         | XCHG                               |                                    |
|                     | Eb, Ib                                   | Ev, Iz                                 | Eb, Ib <sup>3</sup>          | Ev, Ib                                                       | Eb, Gb                  | Ev, Gv                  | Eb, Gb                             | Ev, Gv                             |
| 9                   | XCHG                                     |                                        |                              |                                                              |                         |                         |                                    |                                    |
|                     | r8, rAX<br>NOP,PAUSE                     | rCX/r9, rAX                            | rDX/r10, rAX                 | rBX/r11, rAX                                                 | rSP/r12, rAX            | rBP/r13, rAX            | rSI/r14, rAX                       | rDI/r15, rAX                       |
| A                   | MOV                                      |                                        |                              |                                                              | MOVS B<br>Yb, Xb        | MOV SW/D/Q<br>Yv, Xv    | CMP SB<br>Xb, Yb                   | CMP SW/D/Q<br>Xv, Yv               |
|                     | AL, Ob                                   | rAX, Ov                                | Ob, AL                       | Ov, rAX                                                      |                         |                         |                                    |                                    |
| B                   | MOV                                      |                                        |                              |                                                              |                         |                         |                                    |                                    |
|                     | AL, Ib<br>r8b, Ib                        | CL, Ib<br>r9b, Ib                      | DL, Ib<br>r10b, Ib           | BL, Ib<br>r11b, Ib                                           | AH, Ib<br>r12b, Ib      | CH, Ib<br>r13b, Ib      | DH, Ib<br>r14b, Ib                 | BH, Ib<br>r15b, Ib                 |
| C                   | Group 2 <sup>2</sup>                     |                                        |                              |                                                              | LES <sup>3</sup> Gz, Mp | LDS <sup>3</sup> Gz, Mp | Group 112                          |                                    |
|                     | Eb, Ib                                   | Ev, Ib                                 | Iw                           |                                                              | VEX escape<br>prefix    | VEX escape<br>prefix    | Eb, Ib                             | Ev, Iz                             |
| D                   | Group 2 <sup>2</sup>                     |                                        |                              |                                                              | AAM Ib <sup>3</sup>     | AAD Ib <sup>3</sup>     | invalid                            | XLAT<br>XLATB                      |
|                     | Eb, 1                                    | Ev, 1                                  | Eb, CL                       | Ev, CL                                                       |                         |                         |                                    |                                    |
| E                   | LOO-<br>PNE/NZJb                         | LOOP E/Z<br>Jb                         | LOOP Jb                      | JrCXZ Jb                                                     | IN                      |                         | OUT                                |                                    |
|                     |                                          |                                        |                              |                                                              | AL, Ib                  | eAX, Ib                 | Ib, AL                             | Ib, eAX                            |
| F                   | LOCK Prefix                              | INT1                                   | REPNE<br>Prefix              | REP / REPE<br>Prefix                                         | HLT                     | CMC                     | Group 3 <sup>2</sup>               |                                    |
|                     |                                          |                                        |                              |                                                              |                         |                         | Eb                                 | Ev                                 |

**Notes:**

1. Rows in this table show the high opcode nibble, columns show the low opcode nibble (both in hexadecimal).
2. An opcode extension is specified using the reg field of the ModRM byte (ModRM bits [5:3]) which follows the opcode. See Table A-6 on page 532 for details.
3. Invalid in 64-bit mode.
4. Valid only in 64-bit mode.
5. Used as REX prefixes in 64-bit mode.
6. This is a null prefix in 64-bit mode.

**Table A-2. Primary Opcode Map (One-byte Opcodes), Low Nibble 8–Fh**

| Nibble <sup>1</sup> | 8                                              | 9                  | A                       | B                  | C                    | D                  | E                          | F                                             |
|---------------------|------------------------------------------------|--------------------|-------------------------|--------------------|----------------------|--------------------|----------------------------|-----------------------------------------------|
| 0                   | OR                                             |                    |                         |                    |                      |                    | PUSH<br>CS <sup>3</sup>    | escape to<br>secondary<br>opcode map          |
|                     | Eb, Gb                                         | Ev, Gv             | Gb, Eb                  | Gv, Ev             | AL, Ib               | rAX, Iz            |                            |                                               |
| 1                   | SBB                                            |                    |                         |                    |                      |                    | PUSH<br>DS <sup>3</sup>    | POP<br>DS <sup>3</sup>                        |
|                     | Eb, Gb                                         | Ev, Gv             | Gb, Eb                  | Gv, Ev             | AL, Ib               | rAX, Iz            |                            |                                               |
| 2                   | SUB                                            |                    |                         |                    |                      |                    | seg CS <sup>6</sup>        | DAS <sup>3</sup>                              |
|                     | Eb, Gb                                         | Ev, Gv             | Gb, Eb                  | Gv, Ev             | AL, Ib               | rAX, Iz            |                            |                                               |
| 3                   | CMP                                            |                    |                         |                    |                      |                    | seg DS <sup>6</sup>        | AAS <sup>3</sup>                              |
|                     | Eb, Gb                                         | Ev, Gv             | Gb, Eb                  | Gv, Ev             | AL, Ib               | rAX, Iz            |                            |                                               |
| 4                   | DEC <sup>3</sup> / REX prefix <sup>5</sup>     |                    |                         |                    |                      |                    | eSI                        | eDI                                           |
|                     | eAX                                            | eCX                | eDX                     | eBX                | eSP                  | eBP                |                            |                                               |
| 5                   | POP                                            |                    |                         |                    |                      |                    | rSI/r14                    | rDI/r15                                       |
|                     | rAX/r8                                         | rCX/r9             | rDX/r10                 | rBX/r11            | rSP/r12              | rBP/r13            |                            |                                               |
| 6                   | PUSH<br>Iz                                     | IMUL<br>Gv, Ev, Iz | PUSH<br>Ib              | IMUL<br>Gv, Ev, Ib | INSB<br>Yb, DX       | INSW/D<br>Yz, DX   | OUTS/<br>OUTSB<br>DX, Xb   | OUTS<br>OUTSW/D<br>DX, Xz                     |
| 7                   | JS Jb                                          | JNS Jb             | JP Jb                   | JNP Jb             | JL Jb                | JNL Jb             | JLE Jb                     | JNLE Jb                                       |
| 8                   | MOV                                            |                    |                         |                    |                      | LEA<br>Gv, M       | MOV<br>Sw, Ew              | Group 1a <sup>2</sup><br>XOP escape<br>prefix |
|                     | Eb, Gb                                         | Ev, Gv             | Gb, Eb                  | Gv, Ev             | Mw/Rv, Sw            |                    |                            |                                               |
| 9                   | CBW, CWDE<br>CDQE                              | CWD, CDQ,<br>CQO   | CALL <sup>3</sup><br>Ap | WAIT<br>FWAIT      | PUSHF/D/Q<br>Fv      | POPF/D/Q<br>Fv     | SAHF                       | LAHF                                          |
| A                   | TEST<br>AL, Ib                                 | STOSB<br>Yb, AL    | STOSW/D/Q<br>Yv, rAX    | LODSB<br>AL, Xb    | LODSW/D/Q<br>rAX, Xv | SCASB<br>AL, Yb    | SCASW/D/Q<br>rAX, Yv       |                                               |
| B                   | rAX, Iv<br>r8, Iv                              | rCX, Iv<br>r9, Iv  | rDX, Iv<br>r10, Iv      | rBX, Iv<br>r11, Iv | rSP, Iv<br>r12, Iv   | rBP, Iv<br>r13, Iv | rSI, Iv<br>r14, Iv         | rDI, Iv<br>r15, Iv                            |
| C                   | ENTER<br>Iw, Ib                                | LEAVE              | RET far<br>Iw           |                    | INT3                 | INT Ib             | INTO <sup>3</sup>          | IRET, IRETD,<br>IRETQ                         |
| D                   | x87 instructions<br>see Table A-15 on page 543 |                    |                         |                    |                      |                    |                            |                                               |
| E                   | CALL Jz                                        | Jz                 | JMP<br>Ap <sup>3</sup>  | Jb                 | AL, DX               | IN<br>eAX, DX      | OUT<br>DX, AL              | DX, eAX                                       |
| F                   | CLC                                            | STC                | CLI                     | STI                | CLD                  | STD                | Group 4 <sup>2</sup><br>Eb | Group 5 <sup>2</sup>                          |

**Notes:**

1. Rows in this table show the high opcode nibble, columns show the low opcode nibble (both in hexadecimal).
2. An opcode extension is specified using the reg field of the ModRM byte (ModRM bits [5:3]) which follows the opcode. See Table A-6 on page 532 for details.
3. Invalid in 64-bit mode.
4. Valid only in 64-bit mode.
5. Used as REX prefixes in 64-bit mode.
6. This is a null prefix in 64-bit mode.

**Secondary Opcode Map.** As described in “Encoding Syntax” on page 1, the escape code 0Fh indicates the switch from the primary to the secondary opcode map. In legacy terminology, the secondary opcode map is presented as a listing of “two-byte” opcodes where the first byte is 0Fh. Tables A-3 and A-4 show the secondary opcode map.

Table A-3 below shows those instructions for which the low nibble is in the range 0–7h. Table A-4 on page 529 shows those instructions for which the low nibble is in the range 8–Fh. In both tables, the rows show the full range (0–Fh) of the high nibble, and the columns show the specified range of the low nibble. Note the added column labeled “prefix.”

For the secondary opcode map shown below, the legacy prefixes 66h, F2h, and F3 are repurposed to provide additional opcode encoding space. For those rows that utilize them, the presence of a 66h, F2h, or F3h prefix changes the operation or the operand types specified by the corresponding opcode value.

As discussed in “Encoding Extensions Using the ModRM Byte” on page 532, some opcode values represent a group of instructions. This is denoted in the map entry by “Group *n*”, where *n* = [1:17,P]. Instructions within a group are encoded by the reg field of the ModRM byte. These encodings are specified in Table A-7 on page 534. For some opcodes, both the reg and the r/m field of the ModRM byte are used to extend the encoding. See Table A-8 on page 536.

**Table A-3. Secondary Opcode Map (Two-byte Opcodes), Low Nibble 0–7h**

| Prefix | Nibble <sup>1</sup> | 0                             | 1                        | 2                                          | 3                     | 4                      | 5                      | 6                                           | 7                    |
|--------|---------------------|-------------------------------|--------------------------|--------------------------------------------|-----------------------|------------------------|------------------------|---------------------------------------------|----------------------|
| n/a    | 0                   | Group 6 <sup>2</sup>          | Group 7 <sup>2</sup>     | LAR<br>Gv, Ew                              | LSL<br>Gv, Ew         |                        | SYSCALL                | CLTS                                        | SYSRET               |
| none   | 1                   | MOVUPS<br>Vps, Wps   Wps, Vps |                          | MOVLPSS<br>Vq, Mq<br>MOVHLPS<br>Vo.q, Uo.q | MOVLPSS<br>Mq, Vq     | UNPCKLPS<br>Vps, Wps   | UNPCKHPS<br>Vps, Wps   | MOVHPS<br>Vo.q, Mq<br>MOVLHPS<br>Vo.q, Uo.q | MOVHPS<br>Mq, Vo.q   |
|        |                     | MOVSS<br>Vss, Wss   Wss, Vss  |                          | MOVSLDUP<br>Vps, Wps                       |                       |                        |                        | MOVSHDUP<br>Vps, Wps                        |                      |
|        |                     | MOVUPD<br>Vpd, Wpd   Wpd, Vpd |                          | MOVLPD<br>Vo.q, Mq   Mq, Vo.q              |                       | UNPCKLPD<br>Vo.q, Wo.q | UNPCKHPD<br>Vo.q, Wo.q | MOVHPD<br>Vo.q, Mq   Mq, Vo.q               |                      |
|        |                     | MOVSD<br>Vsd, Wsd   Wsd, Vsd  |                          | MOVDDUP<br>Vo, Wsd                         |                       |                        |                        |                                             |                      |
| n/a    | 2                   | MOV <sup>4</sup>              |                          |                                            |                       |                        |                        |                                             |                      |
| n/a    | 3                   | WRMSR                         | RDTSC                    | RDMSR                                      | RDPMC                 | SYSENTER <sup>3</sup>  | SYSEXIT <sup>3</sup>   |                                             |                      |
| n/a    | 4                   | CMOVO<br>Gv, Ev               | CMOVNO<br>Gv, Ev         | CMOVB<br>Gv, Ev                            | CMOVNB<br>Gv, Ev      | CMOVZ<br>Gv, Ev        | CMOVNZ<br>Gv, Ev       | CMOVBE<br>Gv, Ev                            | CMOVNBE<br>Gv, Ev    |
| none   | 5                   | MOVMSKPS<br>Gd, Ups           | SQRTPS<br>Vps, Wps       | RSQRTPS<br>Vps, Wps                        | RCPPS<br>Vps, Wps     | ANDPS<br>Vps, Wps      | ANDNPS<br>Vps, Wps     | ORPS<br>Vps, Wps                            | XORPS<br>Vps, Wps    |
| F3     |                     |                               | SQRTSS<br>Vss, Wss       | RSQRTSS<br>Vss, Wss                        | RCPSS<br>Vss, Wss     |                        |                        |                                             |                      |
| 66     |                     | MOVMSKPD<br>Gd, Upd           | SQRTPD<br>Vpd, Wpd       |                                            |                       | ANDPD<br>Vpd, Wpd      | ANDNPD<br>Vpd, Wpd     | ORPD<br>Vpd, Wpd                            | XORPD<br>Vpd, Wpd    |
| F2     |                     |                               | SQRTSD<br>Vsd, Wsd       |                                            |                       |                        |                        |                                             |                      |
| none   | 6                   | PUNPCK-LBW<br>Pq, Qd          | PUNPCK-LWD<br>Pq, Qd     | PUNPCK-LDQ<br>Pq, Qd                       | PACKSSWB<br>Ppi, Qpi  | PCMPGTB<br>Ppk, Qpk    | PCMPGTW<br>Ppi, Qpi    | PCMPGTD<br>Ppj, Qpj                         | PACKUSWB<br>Ppi, Qpi |
| F3     |                     |                               |                          |                                            |                       |                        |                        |                                             |                      |
| 66     |                     | PUNPCK-LBW<br>Vo.q, Wo.q      | PUNPCK-LWD<br>Vo.q, Wo.q | PUNPCK-LDQ<br>Vo.q, Wo.q                   | PACKSSWB<br>Vpi, Wpi  | PCMPGTB<br>Vpk, Wpk    | PCMPGTW<br>Vpi, Wpi    | PCMPGTD<br>Vpj, Wpj                         | PACKUSWB<br>Vpi, Wpi |
| F2     |                     |                               |                          |                                            |                       |                        |                        |                                             |                      |
| none   | 7                   | PSHUFW<br>Pq, Qq, Ib          | Group 12 <sup>2</sup>    | Group 13 <sup>2</sup>                      | Group 14 <sup>2</sup> | PCMPEQB<br>Ppk, Qpk    | PCMPEQW<br>Ppi, Qpi    | PCMPEQD<br>Ppj, Qpj                         | EMMS                 |
| F3     |                     | PSHUFHW<br>Vq, Wq, Ib         |                          |                                            |                       |                        |                        |                                             |                      |
| 66     |                     | PSHUFD<br>Vo, Wo, Ib          |                          |                                            |                       | PCMPEQB<br>Vpk, Wpk    | PCMPEQW<br>Vpi, Wpi    | PCMPEQD<br>Vpj, Wpj                         |                      |
| F2     |                     | PSHUFLW<br>Vq, Wq, Ib         |                          |                                            |                       |                        |                        |                                             |                      |

**Notes:**

1. Rows show the high opcode nibble, columns show the low opcode nibble (both in hexadecimal). All opcodes in this map are immediately preceded in the instruction encoding by the escape byte 0Fh.
2. An opcode extension is specified using the reg field of the ModRM byte (ModRM bits [5:3]) which follows the opcode. See Table A-7 on page 534 for details.
3. Invalid in long mode.
4. Operand size is based on processor mode.

**Table A-3. Secondary Opcode Map (Two-byte Opcodes), Low Nibble 0–7h (continued)**

| Prefix | Nibble <sup>1</sup> | 0                    | 1                  | 2                     | 3                   | 4                          | 5                    | 6                      | 7                          |
|--------|---------------------|----------------------|--------------------|-----------------------|---------------------|----------------------------|----------------------|------------------------|----------------------------|
| n/a    | 8                   | JO Jz                | JNO Jz             | JB Jz                 | JNB Jz              | JZ Jz                      | JNZ Jz               | JBE Jz                 | JNBE Jz                    |
| n/a    | 9                   | SETO Eb              | SETNO Eb           | SETB Eb               | SETNB Eb            | SETZ Eb                    | SETNZ Eb             | SETBE Eb               | SETNBE Eb                  |
| n/a    | A                   | PUSH FS              | POP FS             | CPUID                 | BT Ev, Gv           | SHLD<br>Ev, Gv, Ib         | SHLD<br>Ev, Gv, CL   |                        |                            |
| n/a    | B                   | CMPXCHG<br>Eb, Gb    | Ev, Gv             | LSS Gz, Mp            | BTR Ev, Gv          | LFS Gz, Mp                 | LGS Gz, Mp           | MOVZX<br>Gv, Eb        | MOVZX<br>Gv, Ew            |
| none   | C                   | XADD<br>Eb, Gb       | Ev, Gv             | CMPSS<br>Vps, Wps, Ib | MOVNTI<br>My, Gy    | PINSRW<br>Pq, Ry/Mw,<br>Ib | PEXTRW<br>Gd, Nq, Ib | SHUFPS<br>Vps, Wps, Ib | Group 9 <sup>2</sup><br>Mq |
| F3     |                     |                      |                    | CMPSS<br>Vss, Wss, Ib |                     |                            |                      |                        |                            |
| 66     |                     |                      |                    | CMPPD<br>Vpd, Wpd, Ib |                     | PINSRW<br>Vo, Ry/Mw,<br>Ib | PEXTRW<br>Gd, Uo, Ib | SHUFPD<br>Vpd, Wpd, Ib |                            |
| F2     |                     |                      |                    | CMPSD<br>Vsd, Wsd, Ib |                     |                            |                      |                        |                            |
| none   | D                   |                      | PSRLW<br>Pq, Qq    | PSRLD<br>Pq, Qq       | PSRLQ<br>Pq, Qq     | PADDQ<br>Pq, Qq            | PMULLW<br>Pq, Qq     |                        | PMOVMSKB<br>Gd, Nq         |
| F3     |                     |                      |                    |                       |                     |                            |                      | MOVQ2DQ<br>Vo, Nq      |                            |
| 66     |                     | ADDSUBPD<br>Vpd, Wpd | PSRLW<br>Vo, Wo    | PSRLD<br>Vo, Wo       | PSRLQ<br>Vo, Wo     | PADDQ<br>Vo, Wo            | PMULLW<br>Vo, Wo     | MOVQ<br>Wq, Vq         | PMOVMSKB<br>Gd, Uo         |
| F2     |                     | ADDSUBPS<br>Vps, Wps |                    |                       |                     |                            |                      | MOVDQ2Q<br>Pq, Uq      |                            |
| none   | E                   | PAVGB<br>Pq, Qq      | PSRAW<br>Pq, Qq    | PSRAD<br>Pq, Qq       | PAVGW<br>Pq, Qq     | PMULHUW<br>Pq, Qq          | PMULHW<br>Pq, Qq     |                        | MOVNTQ<br>Mq, Pq           |
| F3     |                     |                      |                    |                       |                     |                            |                      | CVTDQ2PD<br>Vpd, Wpj   |                            |
| 66     |                     | PAVGB<br>Vo, Wo      | PSRAW<br>Vo, Wo    | PSRAD<br>Vo, Wo       | PAVGW<br>Vo, Wo     | PMULHUW<br>Vo, Wo          | PMULHW<br>Vo, Wo     | CVTPD2DQ<br>Vpj, Wpd   | MOVNTDQ<br>Mo, Vo          |
| F2     |                     |                      |                    |                       |                     |                            |                      | CVTPD2DQ<br>Vpj, Wpd   |                            |
| none   | F                   |                      | PSLLW<br>Pq, Qq    | PSLLD<br>Pq, Qq       | PSLLQ<br>Pq, Qq     | PMULUDQ<br>Pq, Qq          | PMADDWD<br>Pq, Qq    | PSADBW<br>Pq, Qq       | MASKMOVQ<br>Pq, Nq         |
| F3     |                     |                      |                    |                       |                     |                            |                      |                        |                            |
| 66     |                     |                      | PSLLW<br>Vpw, Wo.q | PSLLD<br>Vpwd, Wo.q   | PSLLQ<br>Vpqw, Wo.q | PMULUDQ<br>Vpj, Wpj        | PMADDWD<br>Vpi, Wpi  | PSADBW<br>Vpk, Wpk     | MASKMOVDQU<br>Vpb, Upb     |
| F2     |                     | LDDQU<br>Vo, Mo      |                    |                       |                     |                            |                      |                        |                            |

**Notes:**

1. Rows show the high opcode nibble, columns show the low opcode nibble (both in hexadecimal). All opcodes in this map are immediately preceded in the instruction encoding by the escape byte 0Fh.
2. An opcode extension is specified using the reg field of the ModRM byte (ModRM bits [5:3]) which follows the opcode. See Table A-7 on page 534 for details.
3. Invalid in long mode.
4. Operand size is based on processor mode.

**Table A-4. Secondary Opcode Map (Two-byte Opcodes), Low Nibble 8–Fh**

| Prefix | Nibble <sup>1</sup> | 8                                 | 9                          | A                                 | B                   | C                         | D                                                  | E                   | F                                                    |
|--------|---------------------|-----------------------------------|----------------------------|-----------------------------------|---------------------|---------------------------|----------------------------------------------------|---------------------|------------------------------------------------------|
| n/a    | 0                   | INVD                              | WBINVD<br>(F3)<br>WBNOINVD |                                   | UD2                 |                           | Group P <sup>2</sup><br>PREFETCH                   | FEMMS               | 3DNow!<br>See<br>“3DNow!™<br>Opcodes”<br>on page 539 |
| n/a    | 1                   | Group 16 <sup>2</sup>             | NOP <sup>3</sup>           | NOP <sup>3</sup>                  | NOP <sup>3</sup>    | NOP <sup>3</sup>          | NOP <sup>3</sup><br>(F3) RDSSP<br>reg=1,<br>mod=11 | NOP <sup>3</sup>    | NOP <sup>3</sup>                                     |
| none   | 2                   | MOVAPS                            |                            | CVTPI2PS<br>Vps, Wps              | MOVNTPS<br>Vps, Qpj | CVTPS2PI<br>Ppj, Wps      | CVTPS2PI<br>Ppj, Wps                               | UCOMISS<br>Vss, Wss | COMISS<br>Vss, Wss                                   |
|        |                     |                                   |                            | CVTSI2SS<br>Vss, Ey               | MOVNTSS<br>Md, Vss  | CVTTSS2SI<br>Gy, Wss      | CVTSS2SI<br>Gy, Wss                                |                     |                                                      |
|        |                     | MOVAPD                            |                            | CVTPI2PD<br>Vpd, Wpd              | MOVNTPD<br>Vpd, Qpj | CVTPD2PI<br>Ppj, Wpd      | CVTPD2PI<br>Ppj, Wpd                               | UCOMISD<br>Vsd, Wsd | COMISD<br>Vsd, Wsd                                   |
|        |                     |                                   |                            | CVTSI2SD<br>Vsd, Ey               | MOVNTSD<br>Mq, Vsd  | CVTSD2SI<br>Gy, Wsd       | CVTSD2SI<br>Gy, Wsd                                |                     |                                                      |
| n/a    | 3                   | Escape to<br>0F_38h<br>opcode map |                            | Escape to<br>0F_3Ah<br>opcode map |                     |                           |                                                    |                     |                                                      |
| n/a    | 4                   | CMOVNS<br>Gv, Ev                  | CMOVNS<br>Gv, Ev           | CMOVP<br>Gv, Ev                   | CMOVNP<br>Gv, Ev    | CMOVL<br>Gv, Ev           | CMOVNL<br>Gv, Ev                                   | CMOVLE<br>Gv, Ev    | CMOVNLE<br>Gv, Ev                                    |
| none   | 5                   | ADDPs<br>Vps, Wps                 | MULPs<br>Vps, Wps          | CVTPS2PD<br>Vpd, Wps              | CVTDQ2PS<br>Vps, Wo | SUBPS<br>Vps, Wps         | MINPS<br>Vps, Wps                                  | DIVPS<br>Vps, Wps   | MAXPS<br>Vps, Wps                                    |
| F3     |                     | ADDSS<br>Vss, Wss                 | MULSS<br>Vss, Wss          | CVTSS2SD<br>Vsd, Wss              | CVTPS2DQ<br>Vo, Wps | SUBSS<br>Vss, Wss         | MINSS<br>Vss, Wss                                  | DIVSS<br>Vss, Wss   | MAXSS<br>Vss, Wss                                    |
| 66     |                     | ADDPD<br>Vpd, Wpd                 | MULPD<br>Vpd, Wpd          | CVTPD2PS<br>Vps, Wpd              | CVTPS2DQ<br>Vo, Wps | SUBPD<br>Vpd, Wpd         | MINPD<br>Vpd, Wpd                                  | DIVPD<br>Vpd, Wpd   | MAXPD<br>Vpd, Wpd                                    |
| F2     |                     | ADDSD<br>Vsd, Wsd                 | MULSD<br>Vsd, Wsd          | CVTSD2SS<br>Vss, Wsd              |                     | SUBSD<br>Vsd, Wsd         | MINSD<br>Vsd, Wsd                                  | DIVSD<br>Vsd, Wsd   | MAXSD<br>Vsd, Wsd                                    |
| none   | 6                   | PUNPCK-<br>HBW<br>Pq, Qd          | PUNPCK-<br>HWD<br>Pq, Qd   | PUNPCK-<br>HDQ<br>Pq, Qd          | PACKSSDW<br>Pq, Qq  |                           |                                                    | MOVD<br>Py, Ey      | MOVQ<br>Pq, Qq                                       |
| F3     |                     |                                   |                            |                                   |                     |                           |                                                    |                     | MOVDQU<br>Vo, Wo                                     |
| 66     |                     | PUNPCK-<br>HBW<br>Vo, Wq          | PUNPCK-<br>HWD<br>Vo, Wq   | PUNPCK-<br>HDQ<br>Vo, Wq          | PACKSSDW<br>Vo, Wo  | PUNPCK-<br>LQDQ<br>Vo, Wq | PUNPCKH-<br>QDQ<br>Vo, Wq                          | MOVD<br>Vy, Ey      | MOVDQA<br>Vo, Wo                                     |
| F2     |                     |                                   |                            |                                   |                     |                           |                                                    |                     |                                                      |

**Notes:**

1. Rows show the high opcode nibble, columns show the low opcode nibble (both in hexadecimal). All opcodes in this map are immediately preceded in the instruction encoding by the escape byte 0Fh.
2. An opcode extension is specified using the reg field of the ModRM byte (ModRM bits [5:3]) which follows the opcode. See Table A-7 on page 534 for details.
3. This instruction takes a ModRM byte.

**Table A-4. Secondary Opcode Map (Two-byte Opcodes), Low Nibble 8–Fh**

| Prefix | Nibble <sup>1</sup> | 8                                 | 9                     | A                              | B              | C                  | D                  | E                                   | F                |
|--------|---------------------|-----------------------------------|-----------------------|--------------------------------|----------------|--------------------|--------------------|-------------------------------------|------------------|
| none   | 7                   |                                   |                       |                                |                |                    |                    | MOVD<br>Ey, Py                      | MOVQ<br>Qq, Pq   |
| F3     |                     |                                   |                       |                                |                |                    |                    | MOVQ<br>Vq, Wq                      | MOVDQU<br>Wo, Vo |
| 66     |                     | Group 17 <sup>2</sup><br>Vo.q, Uo | EXTRQ<br>Vo.q, Uo     |                                |                | HADDPD<br>Vpd, Wpd | HSUBPD<br>Vpd, Wpd | MOVD<br>Ey, Vy                      | MOVDQA<br>Wo, Vo |
| F2     |                     | INSERTQ<br>Vo.q, Uo.q,<br>lb, lb  | INSERTQ<br>Vo.q, Uo   |                                |                | HADDPD<br>Vps, Wps | HSUBPS<br>Vps, Wps |                                     |                  |
| n/a    | 8                   | JS<br>Jz                          | JNS<br>Jz             | JP<br>Jz                       | JNP<br>Jz      | JL<br>Jz           | JNL<br>Jz          | JLE<br>Jz                           | JNLE<br>Jz       |
| n/a    | 9                   | SETS<br>Eb                        | SETNS<br>Eb           | SETP<br>Eb                     | SETNP<br>Eb    | SETL<br>Eb         | SETNL<br>Eb        | SETLE<br>Eb                         | SETNLE<br>Eb     |
| n/a    | A                   | PUSH<br>GS                        | POP<br>GS             | RSM                            | BTS<br>Ev, Gv  | SHRD<br>Ev, Gv, Ib |                    | Group 15 <sup>2</sup><br>Ev, Gv, CL | IMUL<br>Gv, Ev   |
| none   | B                   |                                   | Group 10 <sup>2</sup> | Group 8 <sup>2</sup><br>Ev, Ib | BTC<br>Ev, Gv  | BSF<br>Gv, Ev      | BSR<br>Gv, Ev      | MOVSX<br>Gv, Eb                     |                  |
| F3     |                     | POPCNT<br>Gv, Ev                  |                       |                                |                | TZCNT<br>Gv, Ev    | LZCNT<br>Gv, Ev    |                                     |                  |
| F2     |                     |                                   |                       |                                |                |                    |                    |                                     |                  |
| n/a    | C                   | BSWAP                             |                       |                                |                |                    |                    |                                     |                  |
| none   | D                   | PSUBUSB<br>Pq, Qq                 | PSUBUSW<br>Pq, Qq     | PMINUB<br>Pq, Qq               | PAND<br>Pq, Qq | PADDUSB<br>Pq, Qq  | PADDUSW<br>Pq, Qq  | PMAXUB<br>Pq, Qq                    | PANDN<br>Pq, Qq  |
| F3     |                     |                                   |                       |                                |                |                    |                    |                                     |                  |
| 66     |                     | PSUBUSB<br>Vo, Wo                 | PSUBUSW<br>Vo, Wo     | PMINUB<br>Vo, Wo               | PAND<br>Vo, Wo | PADDUSB<br>Vo, Wo  | PADDUSW<br>Vo, Wo  | PMAXUB<br>Vo, Wo                    | PANDN<br>Vo, Wo  |
| F2     |                     |                                   |                       |                                |                |                    |                    |                                     |                  |
| none   | E                   | PSUBSB<br>Pq, Qq                  | PSUBSW<br>Pq, Qq      | PMINSW<br>Pq, Qq               | POR<br>Pq, Qq  | PADDSB<br>Pq, Qq   | PADDSW<br>Pq, Qq   | PMAXSW<br>Pq, Qq                    | PXOR<br>Pq, Qq   |
| F3     |                     |                                   |                       |                                |                |                    |                    |                                     |                  |
| 66     |                     | PSUBSB<br>Vo, Wo                  | PSUBSW<br>Vo, Wo      | PMINSW<br>Vo, Wo               | POR<br>Vo, Wo  | PADDSB<br>Vo, Wo   | PADDSW<br>Vo, Wo   | PMAXSW<br>Vo, Wo                    | PXOR<br>Vo, Wo   |
| F2     |                     |                                   |                       |                                |                |                    |                    |                                     |                  |

**Notes:**

1. Rows show the high opcode nibble, columns show the low opcode nibble (both in hexadecimal). All opcodes in this map are immediately preceded in the instruction encoding by the escape byte 0Fh.
2. An opcode extension is specified using the reg field of the ModRM byte (ModRM bits [5:3]) which follows the opcode. See Table A-7 on page 534 for details.
3. This instruction takes a ModRM byte.

**Table A-4. Secondary Opcode Map (Two-byte Opcodes), Low Nibble 8–Fh**

| Prefix | Nibble <sup>1</sup> | 8               | 9               | A               | B               | C               | D               | E               | F   |
|--------|---------------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----|
| none   | F                   | PSUBB<br>Pq, Qq | PSUBW<br>Pq, Qq | PSUBD<br>Pq, Qq | PSUBQ<br>Pq, Qq | PADDB<br>Pq, Qq | PADDW<br>Pq, Qq | PADDD<br>Pq, Qq | UD0 |
| F3     |                     |                 |                 |                 |                 |                 |                 |                 |     |
| 66     |                     | PSUBB<br>Vo, Wo | PSUBW<br>Vo, Wo | PSUBD<br>Vo, Wo | PSUBQ<br>Vo, Wo | PADDB<br>Vo, Wo | PADDW<br>Vo, Wo | PADDD<br>Vo, Wo |     |
| F2     |                     |                 |                 |                 |                 |                 |                 |                 |     |

**Notes:**

1. Rows show the high opcode nibble, columns show the low opcode nibble (both in hexadecimal). All opcodes in this map are immediately preceded in the instruction encoding by the escape byte 0Fh.
2. An opcode extension is specified using the reg field of the ModRM byte (ModRM bits [5:3]) which follows the opcode. See Table A-7 on page 534 for details.
3. This instruction takes a ModRM byte.

**rFLAGS Condition Codes for CMOVcc, Jcc, and SETcc Instructions.** Table A-5 shows the rFLAGS condition codes specified by the low nibble in the opcode of the CMOVcc, Jcc, and SETcc instructions.

**Table A-5. rFLAGS Condition Codes for CMOVcc, Jcc, and SETcc**

| Low Nibble of Opcode (hex) | rFLAGS Value               | cc Mnemonic | Arithmetic Type | Condition(s)                            |
|----------------------------|----------------------------|-------------|-----------------|-----------------------------------------|
| 0                          | OF = 1                     | O           | Signed          | Overflow                                |
| 1                          | OF = 0                     | NO          |                 | No Overflow                             |
| 2                          | CF = 1                     | B, C, NAE   |                 | Below, Carry, Not Above or Equal        |
| 3                          | CF = 0                     | NB, NC, AE  |                 | Not Below, No Carry, Above or Equal     |
| 4                          | ZF = 1                     | Z, E        |                 | Zero, Equal                             |
| 5                          | ZF = 0                     | NZ, NE      |                 | Not Zero, Not Equal                     |
| 6                          | CF = 1 or ZF = 1           | BE, NA      |                 | Below or Equal, Not Above               |
| 7                          | CF = 0 and ZF = 0          | NBE, A      |                 | Not Below or Equal, Above               |
| 8                          | SF = 1                     | S           | Signed          | Sign                                    |
| 9                          | SF = 0                     | NS          |                 | Not Sign                                |
| A                          | PF = 1                     | P, PE       | n/a             | Parity, Parity Even                     |
| B                          | PF = 0                     | NP, PO      |                 | Not Parity, Parity Odd                  |
| C                          | (SF xor OF) = 1            | L, NGE      | Signed          | Less than, Not Greater than or Equal to |
| D                          | (SF xor OF) = 0            | NL, GE      |                 | Not Less than, Greater than or Equal to |
| E                          | (SF xor OF) = 1 or ZF = 1  | LE, NG      |                 | Less than or Equal to, Not Greater than |
| F                          | (SF xor OF) = 0 and ZF = 0 | NLE, G      |                 | Not Less than or Equal to, Greater than |

**Encoding Extensions Using the ModRM Byte.** The ModRM byte, which immediately follows the opcode byte, is used in certain instruction encodings to provide additional opcode bits with which to define the function of the instruction. ModRM bytes have three fields—*mod*, *reg*, and *r/m*, as shown in Figure A-1.



**Figure A-1. ModRM-Byte Fields**

In most cases, the *reg* field (bits [5:3]), and in some cases, the *r/m* field (bits [2:0]) provide the additional bits used to extend the encodings of the opcode byte. In the case of the x87 floating-point instructions, the entire ModRM byte is used to extend the opcode encodings.

Table A-6 shows how the ModRM.*reg* field is used to extend the range of opcodes in the primary opcode map. The opcode ranges are organized into *groups* of opcode extensions. The group number is shown in the left-most column. These groups are referenced in the primary opcode map shown in Table A-1 on page 524 and Table A-2 on page 525. An entry of “n.a.” in the Prefix column means that prefixes are not applicable to the opcodes in that row. Prefixes only apply to certain 64-bit media and SSE instructions.

Table A-7 on page 534 shows how the ModRM.*reg* field is used to extend the range of the opcodes in the secondary opcode map.

The /0 through /7 notation for the ModRM *reg* field (bits [5:3]) in the tables below means that the three-bit field contains a value from zero (000b) to 7 (111b).

**Table A-6. ModRM.reg Extensions for the Primary Opcode Map<sup>1</sup>**

| Group Number | Prefix | Opcode | ModRM reg Field            |                           |                            |                            |                            |                            |                            |                            |
|--------------|--------|--------|----------------------------|---------------------------|----------------------------|----------------------------|----------------------------|----------------------------|----------------------------|----------------------------|
|              |        |        | /0                         | /1                        | /2                         | /3                         | /4                         | /5                         | /6                         | /7                         |
| Group 1      | n/a    | 80     | ADD<br>Eb, Ib              | OR<br>Eb, Ib              | ADC<br>Eb, Ib              | SBB<br>Eb, Ib              | AND<br>Eb, Ib              | SUB<br>Eb, Ib              | XOR<br>Eb, Ib              | CMP<br>Eb, Ib              |
|              |        | 81     | ADD<br>Ev, Iz              | OR<br>Ev, Iz              | ADC<br>Ev, Iz              | SBB<br>Ev, Iz              | AND<br>Ev, Iz              | SUB<br>Ev, Iz              | XOR<br>Ev, Iz              | CMP<br>Ev, Iz              |
|              |        | 82     | ADD<br>Eb, Ib <sup>2</sup> | OR<br>Eb, Ib <sup>2</sup> | ADC<br>Eb, Ib <sup>2</sup> | SBB<br>Eb, Ib <sup>2</sup> | AND<br>Eb, Ib <sup>2</sup> | SUB<br>Eb, Ib <sup>2</sup> | XOR<br>Eb, Ib <sup>2</sup> | CMP<br>Eb, Ib <sup>2</sup> |
|              |        | 83     | ADD<br>Ev, Ib              | OR<br>Ev, Ib              | ADC<br>Ev, Ib              | SBB<br>Ev, Ib              | AND<br>Ev, Ib              | SUB<br>Ev, Ib              | XOR<br>Ev, Ib              | CMP<br>Ev, Ib              |

**Notes:**

1. See Table A-7 on page 534 for ModRM extensions for the secondary (two-byte) opcode map.
2. Invalid in 64-bit mode.
3. This instruction takes a ModRM byte.
4. Reserved prefetch encodings are aliased to the /0 encoding (PREFETCH Exclusive) for future compatibility.
5. Redundant encoding generally unsupported by tools.

**Table A-6. ModRM.reg Extensions for the Primary Opcode Map<sup>1</sup> (continued)**

| Group Number | Prefix | Opcode | ModRM reg Field |               |               |               |                   |               |                                |               |  |
|--------------|--------|--------|-----------------|---------------|---------------|---------------|-------------------|---------------|--------------------------------|---------------|--|
|              |        |        | /0              | /1            | /2            | /3            | /4                | /5            | /6                             | /7            |  |
| Group 1a     | n/a    | 8F     | POP<br>Ev       | XOP           |               |               |                   |               |                                |               |  |
| Group 2      | n/a    | C0     | ROL<br>Eb, Ib   | ROR<br>Eb, Ib | RCL<br>Eb, Ib | RCR<br>Eb, Ib | SHL/SAL<br>Eb, Ib | SHR<br>Eb, Ib | SHL/SAL <sup>5</sup><br>Eb, Ib | SAR<br>Eb, Ib |  |
|              |        | C1     | ROL<br>Ev, Ib   | ROR<br>Ev, Ib | RCL<br>Ev, Ib | RCR<br>Ev, Ib | SHL/SAL<br>Ev, Ib | SHR<br>Ev, Ib | SHL/SAL <sup>5</sup><br>Ev, Ib | SAR<br>Ev, Ib |  |
|              |        | D0     | ROL<br>Eb, 1    | ROR<br>Eb, 1  | RCL<br>Eb, 1  | RCR<br>Eb, 1  | SHL/SAL<br>Eb, 1  | SHR<br>Eb, 1  | SHL/SAL <sup>5</sup><br>Eb, 1  | SAR<br>Eb, 1  |  |
|              |        | D1     | ROL<br>Ev, 1    | ROR<br>Ev, 1  | RCL<br>Ev, 1  | RCR<br>Ev, 1  | SHL/SAL<br>Ev, 1  | SHR<br>Ev, 1  | SHL/SAL <sup>5</sup><br>Ev, 1  | SAR<br>Ev, 1  |  |
|              |        | D2     | ROL<br>Eb, CL   | ROR<br>Eb, CL | RCL<br>Eb, CL | RCR<br>Eb, CL | SHL/SAL<br>Eb, CL | SHR<br>Eb, CL | SHL/SAL <sup>5</sup><br>Eb, CL | SAR<br>Eb, CL |  |
|              |        | D3     | ROL<br>Ev, CL   | ROR<br>Ev, CL | RCL<br>Ev, CL | RCR<br>Ev, CL | SHL/SAL<br>Ev, CL | SHR<br>Ev, CL | SHL/SAL <sup>5</sup><br>Ev, CL | SAR<br>Ev, CL |  |
| Group 3      | n/a    | F6     | TEST<br>Eb,lb   |               | NOT<br>Eb     | NEG<br>Eb     | MUL<br>Eb         | IMUL<br>Eb    | DIV<br>Eb                      | IDIV<br>Eb    |  |
|              |        | F7     | TEST<br>Ev,Iz   |               | NOT<br>Ev     | NEG<br>Ev     | MUL<br>Ev         | IMUL<br>Ev    | DIV<br>Ev                      | IDIV<br>Ev    |  |
| Group 4      | n/a    | FE     | INC<br>Eb       | DEC<br>Eb     |               |               |                   |               |                                |               |  |
| Group 5      | n/a    | FF     | INC<br>Ev       | DEC<br>Ev     | CALL<br>Ev    | CALL<br>Mp    | JMP<br>Ev         | JMP<br>Mp     | PUSH<br>Ev                     |               |  |
| Group 11     | n/a    | C6     | MOV<br>Eb, Ib   |               |               |               |                   |               |                                |               |  |
|              | n/a    | C7     | MOV<br>Ev, Iz   |               |               |               |                   |               |                                |               |  |

**Notes:**

1. See Table A-7 on page 534 for ModRM extensions for the secondary (two-byte) opcode map.
2. Invalid in 64-bit mode.
3. This instruction takes a ModRM byte.
4. Reserved prefetch encodings are aliased to the /0 encoding (PREFETCH Exclusive) for future compatibility.
5. Redundant encoding generally unsupported by tools.

**Table A-7. ModRM.reg Extensions for the Secondary Opcode Map**

| Group Number | Prefix | Opcode | ModRM reg Field |                                             |                                          |                             |                 |                                    |                 |                                               |
|--------------|--------|--------|-----------------|---------------------------------------------|------------------------------------------|-----------------------------|-----------------|------------------------------------|-----------------|-----------------------------------------------|
|              |        |        | /0              | /1                                          | /2                                       | /3                          | /4              | /5                                 | /6              | /7                                            |
| Group 6      | n/a    | 0F 00  | SLDT<br>Mw/Rv   | STR Mw/Rv                                   | LLDT Ew                                  | LTR Ew                      | VERR Ew         | VERW Ew                            |                 |                                               |
| Group 7      | n/a    | 0F 01  | SGDT<br>Ms      | SIDT<br>Ms<br>MONITOR <sup>1</sup><br>MWAIT | LGDT Ms<br>XGETBV <sup>1</sup><br>XSETBV | LIDT Ms<br>SVM <sup>1</sup> | SMSW Mw<br>/ Rv | RSTORSSP <sup>1</sup><br>(mod!=11) | LMSW Ew         | INVLPG<br>Mb<br>SWAPGS <sup>1</sup><br>RDTSCP |
| Group 8      | n/a    | 0F BA  |                 |                                             |                                          |                             | BT Ev, Ib       | BTS Ev, Ib                         | BTR Ev, Ib      | BTC Ev, Ib                                    |
| Group 9      | none   | 0F C7  |                 | CMPX-<br>CHG8B Mq                           |                                          |                             |                 |                                    | RDRAND<br>Rv    | RDSEED<br>Rv                                  |
|              | 66     |        |                 | CMPX-<br>CHG16B Mo                          |                                          |                             |                 |                                    |                 |                                               |
|              | F2     |        |                 |                                             |                                          |                             |                 |                                    |                 |                                               |
|              | F3     |        |                 |                                             |                                          |                             |                 |                                    |                 | RDPID<br>Rd/q                                 |
| Group 10     | n/a    | 0F B9  | UD1             |                                             |                                          |                             |                 |                                    |                 |                                               |
| Group 12     | none   | 0F 71  |                 |                                             | PSRLW<br>Nq, Ib                          |                             | PSRAW<br>Nq, Ib |                                    | PSLLW<br>Nq, Ib |                                               |
|              | 66     |        |                 |                                             | PSRLW<br>Uo, Ib                          |                             | PSRAW<br>Uo, Ib |                                    | PSLLW<br>Uo, Ib |                                               |
|              | F2, F3 |        |                 |                                             |                                          |                             |                 |                                    |                 |                                               |
| Group 13     | none   | 0F 72  |                 |                                             | PSRLD<br>Nq, Ib                          |                             | PSRAD<br>Nq, Ib |                                    | PSLLD<br>Nq, Ib |                                               |
|              | 66     |        |                 |                                             | PSRLD<br>Uo, Ib                          |                             | PSRAD<br>Uo, Ib |                                    | PSLLD<br>Uo, Ib |                                               |
|              | F2, F3 |        |                 |                                             |                                          |                             |                 |                                    |                 |                                               |
| Group 14     | none   | 0F 73  |                 |                                             | PSRLQ<br>Nq, Ib                          |                             |                 |                                    | PSLLQ<br>Nq, Ib |                                               |
|              | 66     |        |                 |                                             | PSRLQ<br>Uo, Ib                          | PSRLDQ<br>Uo, Ib            |                 |                                    | PSLLQ<br>Uo, Ib | PSLLDQ<br>Uo, Ib                              |
|              | F2, F3 |        |                 |                                             |                                          |                             |                 |                                    |                 |                                               |

**Notes:**

1. Opcode is extended further using the r/m field of the ModRM byte in conjunction with the reg field. See Table A-8 on page 536 for ModRM.r/m extensions of this opcode.
2. Invalid in 64-bit mode.
3. This instruction takes a ModRM byte.
4. Reserved prefetch encodings are aliased to the /0 encoding (PREFETCH Exclusive) for future compatibility.
5. ModRM.mod = 11b.
6. ModRM.mod ≠ 11b.
7. ModRM.mod ≠ 11b, ModRM.mod = 11b is an invalid encoding.

**Table A-7. ModRM.reg Extensions for the Secondary Opcode Map**

| Group Number | Prefix       | Opcode | ModRM reg Field    |                   |                       |                   |                       |                                           |                                              |                                             |
|--------------|--------------|--------|--------------------|-------------------|-----------------------|-------------------|-----------------------|-------------------------------------------|----------------------------------------------|---------------------------------------------|
|              |              |        | /0                 | /1                | /2                    | /3                | /4                    | /5                                        | /6                                           | /7                                          |
| Group 15     | none         | 0F AE  | FXSAVE M           | FXRSTOR M         | LDMXCSR Md            | STMXCS R Md       | XSAVE M <sup>6</sup>  | LFENCE <sup>5</sup> XRSTOR M <sup>6</sup> | MFENCE <sup>5</sup> XSAVE-OPT M <sup>6</sup> | SFENCE <sup>5</sup> CLFLUSH MB <sup>6</sup> |
|              | F3           |        | RDFSBASE Rv        | RDGSBASE Rv       | WRFBSBASE Rv          | WRGS-BASE Rv      |                       | INCSSP                                    | CLRSSBSY                                     |                                             |
|              | F2           |        |                    |                   |                       |                   |                       |                                           |                                              |                                             |
|              | 66           |        |                    |                   |                       |                   |                       |                                           | CLWB MB <sup>6</sup>                         |                                             |
| Group 16     | n/a.         | 0F 18  | PREFETCH NTA       | PREFETCH T0       | PREFETCH T1           | PREFETCH T2       | NOP                   | NOP                                       | NOP                                          | NOP                                         |
| Group 17     | 66           | 0F 78  | EXTRQ Vo.q, Ib, Ib |                   |                       |                   |                       |                                           |                                              |                                             |
|              | none, F2, F3 |        |                    |                   |                       |                   |                       |                                           |                                              |                                             |
| Group P      | n/a.         | 0F 0D  | PREFETCH Exclusive | PREFETCH Modified | PREFETCH <sup>4</sup> | PREFETCH Modified | PREFETCH <sup>4</sup> | PREFETCH <sup>4</sup>                     | PREFETCH <sup>4</sup>                        | PREFETCH <sup>4</sup>                       |

**Notes:**

1. Opcode is extended further using the r/m field of the ModRM byte in conjunction with the reg field. See Table A-8 on page 536 for ModRM.r/m extensions of this opcode.
2. Invalid in 64-bit mode.
3. This instruction takes a ModRM byte.
4. Reserved prefetch encodings are aliased to the /0 encoding (PREFETCH Exclusive) for future compatibility.
5. ModRM.mod = 11b.
6. ModRM.mod ≠ 11b.
7. ModRM.mod ≠ 11b, ModRM.mod = 11b is an invalid encoding.

**Secondary Opcode Map, ModRM Extensions for Opcode 01h .** Table A-8 below shows the ModRM byte encodings for the 01h opcode. In the table the full ModRM byte is listed below the instruction in hexadecimal, with ellipses representing the [0Fh, 01h] opcode bytes.

**Table A-8. Opcode 01h ModRM Extensions**

| reg Field       | Prefix | ModRM.r/m Field |                 |                   |                |              |                    |                     |                     |
|-----------------|--------|-----------------|-----------------|-------------------|----------------|--------------|--------------------|---------------------|---------------------|
|                 |        | 0               | 1               | 2                 | 3              | 4            | 5                  | 6                   | 7                   |
| /1              | none   | MONITOR (...C8) | MWAIT (...C9)   | CLAC (...CA)      | STAC (...CB)   |              |                    |                     |                     |
| /2              | none   | XGETBV (...D0)  | XSETBV (...D1)  |                   |                |              |                    |                     |                     |
| /3              | none   | VMRUN (...D8)   | VMMCALL (...D9) | VMLOAD (...DA)    | VMSAVE (...DB) | STGI (...DC) | CLGI (...DD)       | SKINIT (...DE)      | INVLPGA (...DF)     |
|                 | F3     |                 | VMGEXIT (...D9) |                   |                |              |                    |                     |                     |
|                 | F2     |                 |                 |                   |                |              |                    |                     |                     |
| /5              | none   |                 |                 |                   |                |              |                    | RDPKRU              | WRPKRU              |
|                 | F3     | SETSSBSY        |                 | SAVE-PREVSSP      |                |              |                    |                     |                     |
| /7              | none   | SWAPGS (...F8)  | RDTSCP (...F9)  | MON...ITORX (FA)  | MWAITX (...FB) |              | RDPRU (...FD)      |                     |                     |
|                 | F3     |                 |                 | MCOMMIT (F3...FA) |                |              | RMPQUERY (F3...FD) | RMPADJUST (F3...FE) | PSMASH (F3...FF)    |
|                 | F2     |                 |                 |                   |                |              | RMPREAD (F2...FD)  | RMPUPDATE (F2...FE) | PVALIDATE (F2...FF) |
| ModRM.mod = 11b |        |                 |                 |                   |                |              |                    |                     |                     |

**0F\_38h and 0F\_3Ah Opcode Maps.** The 0F\_38h and 0F\_3Ah opcode maps are used primarily to encode the legacy SSE instructions. In legacy terminology, these maps are presented as three-byte opcodes where the first two bytes are {0Fh, 38h} and {0Fh, 3Ah} respectively.

In these maps the legacy prefixes F2h and F3h are repurposed to provide additional opcode encoding space. In rows [0:E] the legacy prefix 66h is also used to modify the opcode. However, in row F, 66h is used as an operand-size override. See the CRC32 instruction as an example.

The 0F\_38h opcode map is presented below in Tables A-9 and A-10. The 0F\_3Ah opcode map is presented in Tables A-11 and A-12.

**Table A-9. 0F\_38h Opcode Map, Low Nibble = [0h:7h]**

| Prefix    | Opcode | x0                   | x1                     | x2                   | x3                   | x4                    | x5                   | x6                 | x7                  |
|-----------|--------|----------------------|------------------------|----------------------|----------------------|-----------------------|----------------------|--------------------|---------------------|
| none      | 0x     | PSHUFB<br>Ppb, Qpb   | PHADDW<br>Ppi, Qpi     | PHADDD<br>Ppj, Qpj   | PHADDSW<br>Ppk, Qpk  | PMADDUBSW<br>Ppk, Qpk | PHSUBW<br>Ppi, Qpi   | PHSUBD<br>Ppj, Qpj | PHSUBSW<br>Ppi, Qpi |
| 66        |        | PSHUFB<br>Pvb, Wpb   | PHADDW<br>Vpi, Wpi     | PHADDD<br>Vpj, Vpj   | PHADDSW<br>Vpi, Wpi  | PMADDUBSW<br>Vpk, Wpk | PHSUBW<br>Vpi, Wpi   | PHSUBD<br>Vpj, Wpj | PHSUBSW<br>Vpi, Wpi |
| none      | 1x     |                      |                        |                      |                      |                       |                      |                    |                     |
| 66        |        | PBLENDVB<br>Vpb, Wpb |                        |                      |                      | BLENDVPS<br>Vps, Wps  | PBLENDVB<br>Vpb, Wpb |                    | PTEST<br>Vo, Wo     |
| none      | 2x     |                      |                        |                      |                      |                       |                      |                    |                     |
| 66        |        | PMOVSXBB<br>Vpi, Wpk | PMOVSXBD<br>Vpj, Wpk   | PMOVSXHQ<br>Vpq, Wpk | PMOVSXWD<br>Vpj, Wpi | PMOVSXWQ<br>Vpq, Wpi  | PMOVSXDQ<br>Vpq, Wpj |                    |                     |
| none      | 3x     |                      |                        |                      |                      |                       |                      |                    |                     |
| 66        |        | PMOVZXBB<br>Vpi, Wpk | PMOVZXBD<br>Vpj, Wpk   | PMOVZXHQ<br>Vpq, Wpk | PMOVZXWD<br>Vpj, Wpi | PMOVZXWQ<br>Vpq, Wpi  | PMOVZXDQ<br>Vpq, Wpj |                    | PCMPGTQ<br>Vpq, Wpq |
| none      | 4x     |                      |                        |                      |                      |                       |                      |                    |                     |
| 66        |        | PMULLD<br>Vpj, Wpj   | PHMINPOSUW<br>Vpi, Wpi |                      |                      |                       |                      |                    |                     |
| ...       | 5x-Ex  | ...                  |                        |                      |                      |                       |                      |                    |                     |
| none      | Fx     | MOVBE<br>Gv, Mv      | MOVBE<br>Mv, Gv        |                      |                      |                       |                      | WRSS<br>My, Gy     |                     |
| F2        |        | CRC32<br>Gy, Eb      | CRC32<br>Gy, Ev        |                      |                      |                       |                      |                    |                     |
| 66        |        | MOVBE<br>Gv, Mv      | MOVBE<br>Mv, Gv        |                      |                      |                       | WRUSS<br>My, Gy      |                    |                     |
| 66 and F2 |        | CRC32<br>Gy, Eb      | CRC32<br>Gy, Ev        |                      |                      |                       |                      |                    |                     |

**Table A-10. 0F\_38h Opcode Map, Low Nibble = [8h:Fh]**

| Prefix | Opcode  | x8h                | x9h                 | xAh                | xBh                  | xCh                | xDh                  | xEh                | xFh                   |
|--------|---------|--------------------|---------------------|--------------------|----------------------|--------------------|----------------------|--------------------|-----------------------|
| none   | 0x      | PSIGNB<br>Ppk, Qpk | PSIGNW<br>Ppi, Qpi  | PSIGND<br>Ppj, Qpj | PMULHRSW<br>Ppi, Qpi |                    |                      |                    |                       |
| 66     |         | PSIGNB<br>Vpk, Wpk | PSIGNW<br>Vpi, Wpi  | PSIGND<br>Vpj, Wpj | PMULHRSW<br>Vpi, Wpi |                    |                      |                    |                       |
| none   | 1x      |                    |                     |                    |                      | PABSB<br>Ppk, Qpk  | PABSW<br>Ppi, Qpi    | PABSD<br>Ppj, Qpj  |                       |
| 66     |         |                    |                     |                    |                      | PABSB<br>Vpk, Wpk  | PABSW<br>Vpi, Wpi    | PABSD<br>Vpj, Wpj  |                       |
| none   | 2x      |                    |                     |                    |                      |                    |                      |                    |                       |
| 66     |         | PMULDQ<br>Vpq, Wpj | PCMPEQQ<br>Vpq, Wpq | MOVNTDQA<br>Vo, Mo | PACKUSDW<br>Vpi, Wpj |                    |                      |                    |                       |
| none   | 3x      |                    |                     |                    |                      |                    |                      |                    |                       |
| 66     |         | PMINSB<br>Vpk, pk  | PMINSD<br>Vpj, Wpj  | PMINUW<br>Vpi, Wpi | PMINUD<br>Vpj, Wpj   | PMAXSB<br>Vpk, Wpk | PMAXSD<br>Vpj, Wpj   | PMAXUW<br>Vpi, Wpi | PMAXUD<br>Vpj, Wpj    |
| none   | 4xh-Bxh |                    |                     |                    |                      |                    |                      |                    |                       |
| 66     | Cxh     | ...                |                     |                    |                      |                    |                      |                    | GF2P8MULB<br>Vpb, Wpb |
| 66     | Dxh     |                    |                     |                    | AESIMC<br>Vo, Wo     | AESENC<br>Vo, Wo   | AESENCLAST<br>Vo, Wo | AESDEC<br>Vo, Wo   | AESDECLAST<br>Vo, Wo  |
| ...    | Exh-Fxh | ...                |                     |                    |                      |                    |                      |                    |                       |

**Table A-11. 0F\_3Ah Opcode Map, Low Nibble = [0h:7h]**

| Prefix                             | Opcode | x0                                             | x1                                                 | x2                                                          | x3                      | x4                        | x5                    | x6                                 | x7                       |
|------------------------------------|--------|------------------------------------------------|----------------------------------------------------|-------------------------------------------------------------|-------------------------|---------------------------|-----------------------|------------------------------------|--------------------------|
| n/a                                | 0x     |                                                |                                                    |                                                             |                         |                           |                       |                                    |                          |
| none                               | 1x     |                                                |                                                    |                                                             |                         | PEXTRB<br>Mb, Vpk, Ib     | PEXTRW<br>Mw, Vpw, Ib | PEXTRD<br>Ed, Vpj, Ib              | EXTRACTPS<br>Md, Vps, Ib |
| 66                                 |        |                                                |                                                    |                                                             |                         | PEXTRB<br>Ry, Vpk, Ib     | PEXTRW<br>Ry, Vpw, Ib | PEXTRQ <sup>1</sup><br>Eq, Vpq, Ib | EXTRACTPS<br>Ry, Vps, Ib |
| none                               | 2x     |                                                |                                                    |                                                             |                         |                           |                       |                                    |                          |
| 66                                 |        | PINSRB<br>Vpk, Mb, Ib<br>PINSRB<br>Vpk, Ry, Ib | INSERTPS<br>Vps, Md, Ib<br>INSERTPS<br>Vps, Uo, Ib | PINSRD<br>Vpj, Ed, Ib<br>PINSRQ <sup>1</sup><br>Vpq, Eq, Ib |                         |                           |                       |                                    |                          |
| ...                                | 3x     | ...                                            |                                                    |                                                             |                         |                           |                       |                                    |                          |
| none                               | 4x     |                                                |                                                    |                                                             |                         |                           |                       |                                    |                          |
| 66                                 |        | DPPS<br>Vps, Wps, Ib                           | DPPD<br>Vpd, Wpd, Ib                               | MPSADBW<br>Vpk, Wpk, Ib                                     |                         | PCLMULQDQ<br>Vpq, Wpq, Ib |                       |                                    |                          |
| n/a                                | 5x     |                                                |                                                    |                                                             |                         |                           |                       |                                    |                          |
| none                               | 6x     |                                                |                                                    |                                                             |                         |                           |                       |                                    |                          |
| 66                                 |        | PCMPESTRM<br>Vo, Wo, Ib                        | PCMPESTRI<br>Vo, Wo, Ib                            | PCMPISTRM<br>Vo, Wo, Ib                                     | PCMPISTRI<br>Vo, Wo, Ib |                           |                       |                                    |                          |
| ...                                | 7x-Ex  | ...                                            |                                                    |                                                             |                         |                           |                       |                                    |                          |
| n/a                                | Fx     |                                                |                                                    |                                                             |                         |                           |                       |                                    |                          |
| Note 1: When REX prefix is present |        |                                                |                                                    |                                                             |                         |                           |                       |                                    |                          |

**Table A-12. 0F\_3Ah Opcode Map, Low Nibble = [8h:Fh]**

| Prefix | Opcode | x8                      | x9                      | xA                      | xB                      | xC                       | xD                       | xE                      | xF                            |
|--------|--------|-------------------------|-------------------------|-------------------------|-------------------------|--------------------------|--------------------------|-------------------------|-------------------------------|
| none   | 0x     |                         |                         |                         |                         |                          |                          |                         | PALIGNR<br>Ppb, Qpb, Ib       |
| 66     |        | ROUNDPS<br>Vps, Wps, Ib | ROUNDPD<br>Vpd, Wpd, Ib | ROUNDSS<br>Vss, Wss, Ib | ROUNDSD<br>Vsd, Wsd, Ib | BLENDDPS<br>Vps, Wps, Ib | BLENDDPD<br>Vpd, Wpd, Ib | PBLENDW<br>Vpw, Wpw, Ib | PALIGNR<br>Vpb, Wpb, Ib       |
| ...    | 1x-Cx  | ...                     |                         |                         |                         |                          |                          |                         |                               |
| 66     | Dx     |                         |                         |                         |                         |                          |                          |                         | AESKEYGENASSIST<br>Vo, Wo, Ib |
| ...    | Fx     | ...                     |                         |                         |                         |                          |                          |                         |                               |

### A.1.2 3DNow!™ Opcodes

The 64-bit media instructions include the MMX™ instructions and the AMD 3DNow!™ instructions. The MMX instructions are encoded using two opcode bytes, as described in “Secondary Opcode Map” on page 525.

The 3DNow! instructions are encoded using two 0Fh opcode bytes and an immediate byte that is located at the last byte position of the instruction encoding. Thus, the format for 3DNow! instructions is:

0Fh 0Fh [ModRM] [SIB] [displacement] *imm8\_opcode*

Table A-13 and Table A-14 on page 541 show the immediate byte following the opcode bytes for 3DNow! instructions. In these tables, rows show the high nibble of the immediate byte, and columns show the low nibble of the immediate byte. Table A-13 shows the immediate bytes whose low nibble is in the range 0–7h. Table A-14 shows the same for immediate bytes whose low nibble is in the range 8–Fh.

Byte values shown as *reserved* in these tables have implementation-specific functions, which can include an invalid-opcode exception.

**Table A-13. Immediate Byte for 3DNow!™ Opcodes, Low Nibble 0–7h**

| Nibble <sup>1</sup> | 0                 | 1 | 2 | 3 | 4               | 5 | 6                 | 7                  |
|---------------------|-------------------|---|---|---|-----------------|---|-------------------|--------------------|
| 0                   |                   |   |   |   |                 |   |                   |                    |
| 1                   |                   |   |   |   |                 |   |                   |                    |
| 2                   |                   |   |   |   |                 |   |                   |                    |
| 3                   |                   |   |   |   |                 |   |                   |                    |
| 4                   |                   |   |   |   |                 |   |                   |                    |
| 5                   |                   |   |   |   |                 |   |                   |                    |
| 6                   |                   |   |   |   |                 |   |                   |                    |
| 7                   |                   |   |   |   |                 |   |                   |                    |
| 8                   |                   |   |   |   |                 |   |                   |                    |
| 9                   | PFCMPGE<br>Pq, Qq |   |   |   | PFMIN<br>Pq, Qq |   | PFRCP<br>Pq, Qq   | PFRSQRT<br>Pq, Qq  |
| A                   | PFCMPGT<br>Pq, Qq |   |   |   | PFMAX<br>Pq, Qq |   | PFRCPI1<br>Pq, Qq | PFRSQIT1<br>Pq, Qq |
| B                   | PFCMPEQ<br>Pq, Qq |   |   |   | PFMUL<br>Pq, Qq |   | PFRCPI2<br>Pq, Qq | PMULHRW<br>Pq, Qq  |
| C                   |                   |   |   |   |                 |   |                   |                    |
| D                   |                   |   |   |   |                 |   |                   |                    |
| E                   |                   |   |   |   |                 |   |                   |                    |
| F                   |                   |   |   |   |                 |   |                   |                    |

**Notes:**

1. All 3DNow!™ opcodes consist of two 0Fh bytes. This table shows the immediate byte for 3DNow! opcodes. Rows show the high nibble of the immediate byte. Columns show the low nibble of the immediate byte.

**Table A-14. Immediate Byte for 3DNow!™ Opcodes, Low Nibble 8–Fh**

| Nibble <sup>1</sup> | 8 | 9 | A                | B                | C               | D               | E                 | F                 |
|---------------------|---|---|------------------|------------------|-----------------|-----------------|-------------------|-------------------|
| 0                   |   |   |                  |                  | PI2FW<br>Pq, Qq | PI2FD<br>Pq, Qq |                   |                   |
| 1                   |   |   |                  |                  | PF2IW<br>Pq, Qq | PF2ID<br>Pq, Qq |                   |                   |
| 2                   |   |   |                  |                  |                 |                 |                   |                   |
| 3                   |   |   |                  |                  |                 |                 |                   |                   |
| 4                   |   |   |                  |                  |                 |                 |                   |                   |
| 5                   |   |   |                  |                  |                 |                 |                   |                   |
| 6                   |   |   |                  |                  |                 |                 |                   |                   |
| 7                   |   |   |                  |                  |                 |                 |                   |                   |
| 8                   |   |   | PFNACC<br>Pq, Qq |                  |                 |                 | PFPNACC<br>Pq, Qq |                   |
| 9                   |   |   | PFSUB<br>Pq, Qq  |                  |                 |                 | PFADD<br>Pq, Qq   |                   |
| A                   |   |   | PFSUBR<br>Pq, Qq |                  |                 |                 | PFACC<br>Pq, Qq   |                   |
| B                   |   |   |                  | PSWAPD<br>Pq, Qq |                 |                 |                   | PAVGUSB<br>Pq, Qq |
| C                   |   |   |                  |                  |                 |                 |                   |                   |
| D                   |   |   |                  |                  |                 |                 |                   |                   |
| E                   |   |   |                  |                  |                 |                 |                   |                   |
| F                   |   |   |                  |                  |                 |                 |                   |                   |

**Notes:**

1. All 3DNow!™ opcodes consist of two 0Fh bytes. This table shows the immediate byte for 3DNow! opcodes. Rows show the high nibble of the immediate byte. Columns show the low nibble of the immediate byte.

### A.1.3 x87 Encodings

All x87 instructions begin with an opcode byte in the range D8h to DFh, as shown in Table A-2 on page 525. These opcodes are followed by a ModRM byte that further defines the opcode. Table A-15 shows both the opcode byte and the ModRM byte for each x87 instruction.

There are two significant ranges for the ModRM byte for x87 opcodes: 00–BFh and C0–FFh. When the value of the ModRM byte falls within the first range, 00–BFh, the opcode uses only the *reg* field to further define the opcode. When the value of the ModRM byte falls within the second range, C0–FFh, the opcode uses the entire ModRM byte to further define the opcode.

Byte values shown as *reserved* or *invalid* in Table A-15 have implementation-specific functions, which can include an invalid-opcode exception.

The basic instructions FNSTENV, FNSTCW, FNCLEX, FNINIT, FNSAVE, FNSTSW, and FNSTSW do not check for possible floating point exceptions before operating. Utility versions of these mnemonics are provided that insert an FWAIT (opcode 9B) before the corresponding non-waiting instruction. These are FSTENV, FSTCW, FCLEX, FINIT, FSAVE, and FSTSW. For further information on wait and non-waiting versions of these instructions, see their corresponding pages in APM Volume 5.

Table A-15. x87 Opcodes and ModRM Extensions

| Opcode | ModRM<br><i>mod</i><br>Field | ModRM reg Field               |                            |                            |                             |                            |                                |                            |                             |
|--------|------------------------------|-------------------------------|----------------------------|----------------------------|-----------------------------|----------------------------|--------------------------------|----------------------------|-----------------------------|
|        |                              | /0                            | /1                         | /2                         | /3                          | /4                         | /5                             | /6                         | /7                          |
| 00–BF  |                              |                               |                            |                            |                             |                            |                                |                            |                             |
| D8     | !11                          | FADD<br>mem32-<br>real        | FMUL<br>mem32real          | FCOM<br>mem32real          | FCOMP<br>mem32real          | FSUB<br>mem32real          | FSUBR<br>mem32-<br>real        | FDIV<br>mem32real          | FDIVR<br>mem32real          |
|        | 11                           | C0<br>FADD<br>ST(0),<br>ST(0) | C8<br>FMUL<br>ST(0), ST(0) | D0<br>FCOM<br>ST(0), ST(0) | D8<br>FCOMP<br>ST(0), ST(0) | E0<br>FSUB<br>ST(0), ST(0) | E8<br>FSUBR<br>ST(0),<br>ST(0) | F0<br>FDIV<br>ST(0), ST(0) | F8<br>FDIVR<br>ST(0), ST(0) |
|        |                              | C1<br>FADD<br>ST(0),<br>ST(1) | C9<br>FMUL<br>ST(0), ST(1) | D1<br>FCOM<br>ST(0), ST(1) | D9<br>FCOMP<br>ST(0), ST(1) | E1<br>FSUB<br>ST(0), ST(1) | E9<br>FSUBR<br>ST(0),<br>ST(1) | F1<br>FDIV<br>ST(0), ST(1) | F9<br>FDIVR<br>ST(0), ST(1) |
|        |                              | C2<br>FADD<br>ST(0),<br>ST(2) | CA<br>FMUL<br>ST(0), ST(2) | D2<br>FCOM<br>ST(0), ST(2) | DA<br>FCOMP<br>ST(0), ST(2) | E2<br>FSUB<br>ST(0), ST(2) | EA<br>FSUBR<br>ST(0),<br>ST(2) | F2<br>FDIV<br>ST(0), ST(2) | FA<br>FDIVR<br>ST(0), ST(2) |
|        |                              | C3<br>FADD<br>ST(0),<br>ST(3) | CB<br>FMUL<br>ST(0), ST(3) | D3<br>FCOM<br>ST(0), ST(3) | DB<br>FCOMP<br>ST(0), ST(3) | E3<br>FSUB<br>ST(0), ST(3) | EB<br>FSUBR<br>ST(0),<br>ST(3) | F3<br>FDIV<br>ST(0), ST(3) | FB<br>FDIVR<br>ST(0), ST(3) |
|        |                              | C4<br>FADD<br>ST(0),<br>ST(4) | CC<br>FMUL<br>ST(0), ST(4) | D4<br>FCOM<br>ST(0), ST(4) | DC<br>FCOMP<br>ST(0), ST(4) | E4<br>FSUB<br>ST(0), ST(4) | EC<br>FSUBR<br>ST(0),<br>ST(4) | F4<br>FDIV<br>ST(0), ST(4) | FC<br>FDIVR<br>ST(0), ST(4) |
|        |                              | C5<br>FADD<br>ST(0),<br>ST(5) | CD<br>FMUL<br>ST(0), ST(5) | D5<br>FCOM<br>ST(0), ST(5) | DD<br>FCOMP<br>ST(0), ST(5) | E5<br>FSUB<br>ST(0), ST(5) | ED<br>FSUBR<br>ST(0),<br>ST(5) | F5<br>FDIV<br>ST(0), ST(5) | FD<br>FDIVR<br>ST(0), ST(5) |
|        |                              | C6<br>FADD<br>ST(0),<br>ST(6) | CE<br>FMUL<br>ST(0), ST(6) | D6<br>FCOM<br>ST(0), ST(6) | DE<br>FCOMP<br>ST(0), ST(6) | E6<br>FSUB<br>ST(0), ST(6) | EE<br>FSUBR<br>ST(0),<br>ST(6) | F6<br>FDIV<br>ST(0), ST(6) | FE<br>FDIVR<br>ST(0), ST(6) |
|        |                              | C7<br>FADD<br>ST(0),<br>ST(7) | CF<br>FMUL<br>ST(0), ST(7) | D7<br>FCOM<br>ST(0), ST(7) | DF<br>FCOMP<br>ST(0), ST(7) | E7<br>FSUB<br>ST(0), ST(7) | EF<br>FSUBR<br>ST(0),<br>ST(7) | F7<br>FDIV<br>ST(0), ST(7) | FF<br>FDIVR<br>ST(0), ST(7) |

Table A-15. x87 Opcodes and ModRM Extensions (continued)

| Opcode | ModRM<br>mod<br>Field | ModRM reg Field |                              |                            |                  |                   |                       |                |                        |                 |
|--------|-----------------------|-----------------|------------------------------|----------------------------|------------------|-------------------|-----------------------|----------------|------------------------|-----------------|
|        |                       | /0              | /1                           | /2                         | /3               | /4                | /5                    | /6             | /7                     |                 |
| D9     | 11                    | !11             | FLD<br>mem32-real            |                            | FST<br>mem32real | FSTP<br>mem32real | FLDENV<br>mem14/28env | FLDCW<br>mem16 | FNSTENV<br>mem14/28env | FNSTCW<br>mem16 |
|        |                       | C0              | C8<br>FLD<br>ST(0),<br>ST(0) | D0<br>FXCH<br>ST(0), ST(0) | D8<br>FNOP       | reserved          | E0<br>FCHS            | E8<br>FLD1     | F0<br>F2XM1            | F8<br>FPREM     |
|        |                       | C1              | C9<br>FLD<br>ST(0),<br>ST(1) | D1<br>FXCH<br>ST(0), ST(1) | D9<br>invalid    | reserved          | E1<br>FABS            | E9<br>FLDL2T   | F1<br>FYL2X            | F9<br>FYL2XP1   |
|        |                       | C2              | CA<br>FLD<br>ST(0),<br>ST(2) | D2<br>FXCH<br>ST(0), ST(2) | DA<br>invalid    | reserved          | E2<br>invalid         | EA<br>FLDL2E   | F2<br>FPTAN            | FA<br>FSQRT     |
|        |                       | C3              | CB<br>FLD<br>ST(0),<br>ST(3) | D3<br>FXCH<br>ST(0), ST(3) | DB<br>invalid    | reserved          | E3<br>invalid         | EB<br>FLDP1    | F3<br>FPATAN           | FB<br>FSINCOS   |
|        |                       | C4              | CC<br>FLD<br>ST(0),<br>ST(4) | D4<br>FXCH<br>ST(0), ST(4) | DC<br>invalid    | reserved          | E4<br>FTST            | EC<br>FLDLG2   | F4<br>FXTRACT          | FC<br>FRNDINT   |
|        |                       | C5              | CD<br>FLD<br>ST(0),<br>ST(5) | D5<br>FXCH<br>ST(0), ST(5) | DD<br>invalid    | reserved          | E5<br>FXAM            | ED<br>FLDLN2   | F5<br>FPREM1           | FD<br>FSCALE    |
|        |                       | C6              | CE<br>FLD<br>ST(0),<br>ST(6) | D6<br>FXCH<br>ST(0), ST(6) | DE<br>invalid    | reserved          | E6<br>invalid         | EE<br>FLDZ     | F6<br>FDECSTP          | FE<br>FSIN      |
|        |                       | C7              | CF<br>FLD<br>ST(0),<br>ST(7) | D7<br>FXCH<br>ST(0), ST(7) | DF<br>invalid    | reserved          | E7<br>invalid         | EF<br>invalid  | F7<br>FINCSTP          | FF<br>FCOS      |

**Table A-15. x87 Opcodes and ModRM Extensions (continued)**

| Opcode | ModRM<br><i>mod</i><br>Field | ModRM reg Field                 |                   |                   |                    |                   |                    |                   |                    |
|--------|------------------------------|---------------------------------|-------------------|-------------------|--------------------|-------------------|--------------------|-------------------|--------------------|
|        |                              | /0                              | /1                | /2                | /3                 | /4                | /5                 | /6                | /7                 |
| DA     | 11                           | 00–BF                           |                   |                   |                    |                   |                    |                   |                    |
|        |                              | F1ADD<br>mem32int               | FIMUL<br>mem32int | FICOM<br>mem32int | FICOMP<br>mem32int | FISUB<br>mem32int | FISUBR<br>mem32int | FIDIV<br>mem32int | FIDIVR<br>mem32int |
|        |                              | C0<br>FCMOVB<br>ST(0),<br>ST(0) | C8<br>FCMOVE      | D0<br>FCMOVBE     | D8<br>FCMOVU       | E0<br>invalid     | E8<br>invalid      | F0<br>invalid     | F8<br>invalid      |
|        |                              | C1<br>FCMOVB<br>ST(0),<br>ST(1) | C9<br>FCMOVE      | D1<br>FCMOVBE     | D9<br>FCMOVU       | E1<br>invalid     | E9<br>FUCOMPP      | F1<br>invalid     | F9<br>invalid      |
|        |                              | C2<br>FCMOVB<br>ST(0),<br>ST(2) | CA<br>FCMOVE      | D2<br>FCMOVBE     | DA<br>FCMOVU       | E2<br>invalid     | EA<br>invalid      | F2<br>invalid     | FA<br>invalid      |
|        |                              | C3<br>FCMOVB<br>ST(0),<br>ST(3) | CB<br>FCMOVE      | D3<br>FCMOVBE     | DB<br>FCMOVU       | E3<br>invalid     | EB<br>invalid      | F3<br>invalid     | FB<br>invalid      |
|        |                              | C4<br>FCMOVB<br>ST(0),<br>ST(4) | CC<br>FCMOVE      | D4<br>FCMOVBE     | DC<br>FCMOVU       | E4<br>invalid     | EC<br>invalid      | F4<br>invalid     | FC<br>invalid      |
|        |                              | C5<br>FCMOVB<br>ST(0),<br>ST(5) | CD<br>FCMOVE      | D5<br>FCMOVBE     | DD<br>FCMOVU       | E5<br>invalid     | ED<br>invalid      | F5<br>invalid     | FD<br>invalid      |
|        |                              | C6<br>FCMOVB<br>ST(0),<br>ST(6) | CE<br>FCMOVE      | D6<br>FCMOVBE     | DE<br>FCMOVU       | E6<br>invalid     | EE<br>invalid      | F6<br>invalid     | FE<br>invalid      |
|        |                              | C7<br>FCMOVB<br>ST(0),<br>ST(7) | CF<br>FCMOVE      | D7<br>FCMOVBE     | DF<br>FCMOVU       | E7<br>invalid     | EF<br>invalid      | F7<br>invalid     | FF<br>invalid      |

Table A-15. x87 Opcodes and ModRM Extensions (continued)

| Opcode | ModRM<br>mod<br>Field | ModRM reg Field                  |                               |                                |                               |                |                                 |                             |                   |
|--------|-----------------------|----------------------------------|-------------------------------|--------------------------------|-------------------------------|----------------|---------------------------------|-----------------------------|-------------------|
|        |                       | /0                               | /1                            | /2                             | /3                            | /4             | /5                              | /6                          | /7                |
| 00–BF  |                       |                                  |                               |                                |                               |                |                                 |                             |                   |
| DB     | !11                   | FILD<br>mem32int                 | FISTTP<br>mem32int            | FIST<br>mem32int               | FISTP<br>mem32int             | invalid        | FLD<br>mem80-<br>real           | invalid                     | FSTP<br>mem80real |
|        | 11                    | C0<br>FCMOVNB<br>ST(0),<br>ST(0) | C8<br>FCMOVNE<br>ST(0), ST(0) | D0<br>FCMOVNBE<br>ST(0), ST(0) | D8<br>FCMOVNU<br>ST(0), ST(0) | E0<br>reserved | E8<br>FUCOMI<br>ST(0),<br>ST(0) | F0<br>FCOMI<br>ST(0), ST(0) | F8<br>invalid     |
|        | 11                    | C1<br>FCMOVNB<br>ST(0),<br>ST(1) | C9<br>FCMOVNE<br>ST(0), ST(1) | D1<br>FCMOVNBE<br>ST(0), ST(1) | D9<br>FCMOVNU<br>ST(0), ST(1) | E1<br>reserved | E9<br>FUCOMI<br>ST(0),<br>ST(1) | F1<br>FCOMI<br>ST(0), ST(1) | F9<br>invalid     |
|        | 11                    | C2<br>FCMOVNB<br>ST(0),<br>ST(2) | CA<br>FCMOVNE<br>ST(0), ST(2) | D2<br>FCMOVNBE<br>ST(0), ST(2) | DA<br>FCMOVNU<br>ST(0), ST(2) | E2<br>FNCLEX   | EA<br>FUCOMI<br>ST(0),<br>ST(2) | F2<br>FCOMI<br>ST(0), ST(2) | FA<br>invalid     |
|        | 11                    | C3<br>FCMOVNB<br>ST(0),<br>ST(3) | CB<br>FCMOVNE<br>ST(0), ST(3) | D3<br>FCMOVNBE<br>ST(0), ST(3) | DB<br>FCMOVNU<br>ST(0), ST(3) | E3<br>FNINIT   | EB<br>FUCOMI<br>ST(0),<br>ST(3) | F3<br>FCOMI<br>ST(0), ST(3) | FB<br>invalid     |
|        | 11                    | C4<br>FCMOVNB<br>ST(0),<br>ST(4) | CC<br>FCMOVNE<br>ST(0), ST(4) | D4<br>FCMOVNBE<br>ST(0), ST(4) | DC<br>FCMOVNU<br>ST(0), ST(4) | E4<br>reserved | EC<br>FUCOMI<br>ST(0),<br>ST(4) | F4<br>FCOMI<br>ST(0), ST(4) | FC<br>invalid     |
|        | 11                    | C5<br>FCMOVNB<br>ST(0),<br>ST(5) | CD<br>FCMOVNE<br>ST(0), ST(5) | D5<br>FCMOVNBE<br>ST(0), ST(5) | DD<br>FCMOVNU<br>ST(0), ST(5) | E5<br>invalid  | ED<br>FUCOMI<br>ST(0),<br>ST(5) | F5<br>FCOMI<br>ST(0), ST(5) | FD<br>invalid     |
|        | 11                    | C6<br>FCMOVNB<br>ST(0),<br>ST(6) | CE<br>FCMOVNE<br>ST(0), ST(6) | D6<br>FCMOVNBE<br>ST(0), ST(6) | DE<br>FCMOVNU<br>ST(0), ST(6) | E6<br>invalid  | EE<br>FUCOMI<br>ST(0),<br>ST(6) | F6<br>FCOMI<br>ST(0), ST(6) | FE<br>invalid     |
|        | 11                    | C7<br>FCMOVNB<br>ST(0),<br>ST(7) | CF<br>FCMOVNE<br>ST(0), ST(7) | D7<br>FCMOVNBE<br>ST(0), ST(7) | DF<br>FCMOVNU<br>ST(0), ST(7) | E7<br>invalid  | EF<br>FUCOMI<br>ST(0),<br>ST(7) | F7<br>FCOMI<br>ST(0), ST(7) | FF<br>invalid     |

**Table A-15. x87 Opcodes and ModRM Extensions (continued)**

| Opcode | ModRM<br>mod<br>Field | ModRM reg Field               |                            |                   |                    |                             |                               |                             |                            |
|--------|-----------------------|-------------------------------|----------------------------|-------------------|--------------------|-----------------------------|-------------------------------|-----------------------------|----------------------------|
|        |                       | /0                            | /1                         | /2                | /3                 | /4                          | /5                            | /6                          | /7                         |
| DC     | 11                    | FADD<br>mem64-<br>real        | FMUL<br>mem64real          | FCOM<br>mem64real | FCOMP<br>mem64real | FSUB<br>mem64real           | FSUBR<br>mem64-<br>real       | FDIV<br>mem64real           | FDIVR<br>mem64real         |
|        |                       | C0<br>FADD<br>ST(0),<br>ST(0) | C8<br>FMUL<br>ST(0), ST(0) | D0<br>reserved    | D8<br>reserved     | E0<br>FSUBR<br>ST(0), ST(0) | E8<br>FSUB<br>ST(0),<br>ST(0) | F0<br>FDIVR<br>ST(0), ST(0) | F8<br>FDIV<br>ST(0), ST(0) |
|        |                       | C1<br>FADD<br>ST(1),<br>ST(0) | C9<br>FMUL<br>ST(1), ST(0) | D1<br>reserved    | D9<br>reserved     | E1<br>FSUBR<br>ST(1), ST(0) | E9<br>FSUB<br>ST(1),<br>ST(0) | F1<br>FDIVR<br>ST(1), ST(0) | F9<br>FDIV<br>ST(1), ST(0) |
|        |                       | C2<br>FADD<br>ST(2),<br>ST(0) | CA<br>FMUL<br>ST(2), ST(0) | D2<br>reserved    | DA<br>reserved     | E2<br>FSUBR<br>ST(2), ST(0) | EA<br>FSUB<br>ST(2),<br>ST(0) | F2<br>FDIVR<br>ST(2), ST(0) | FA<br>FDIV<br>ST(2), ST(0) |
|        |                       | C3<br>FADD<br>ST(3),<br>ST(0) | CB<br>FMUL<br>ST(3), ST(0) | D3<br>reserved    | DB<br>reserved     | E3<br>FSUBR<br>ST(3), ST(0) | EB<br>FSUB<br>ST(3),<br>ST(0) | F3<br>FDIVR<br>ST(3), ST(0) | FB<br>FDIV<br>ST(3), ST(0) |
|        |                       | C4<br>FADD<br>ST(4),<br>ST(0) | CC<br>FMUL<br>ST(4), ST(0) | D4<br>reserved    | DC<br>reserved     | E4<br>FSUBR<br>ST(4), ST(0) | EC<br>FSUB<br>ST(4),<br>ST(0) | F4<br>FDIVR<br>ST(4), ST(0) | FC<br>FDIV<br>ST(4), ST(0) |
|        |                       | C5<br>FADD<br>ST(5),<br>ST(0) | CD<br>FMUL<br>ST(5), ST(0) | D5<br>reserved    | DD<br>reserved     | E5<br>FSUBR<br>ST(5), ST(0) | ED<br>FSUB<br>ST(5),<br>ST(0) | F5<br>FDIVR<br>ST(5), ST(0) | FD<br>FDIV<br>ST(5), ST(0) |
|        |                       | C6<br>FADD<br>ST(6),<br>ST(0) | CE<br>FMUL<br>ST(6), ST(0) | D6<br>reserved    | DE<br>reserved     | E6<br>FSUBR<br>ST(6), ST(0) | EE<br>FSUB<br>ST(6),<br>ST(0) | F6<br>FDIVR<br>ST(6), ST(0) | FE<br>FDIV<br>ST(6), ST(0) |
|        |                       | C7<br>FADD<br>ST(7),<br>ST(0) | CF<br>FMUL<br>ST(7), ST(0) | D7<br>reserved    | DF<br>reserved     | E7<br>FSUBR<br>ST(7), ST(0) | EF<br>FSUB<br>ST(7),<br>ST(0) | F7<br>FDIVR<br>ST(7), ST(0) | FF<br>FDIV<br>ST(7), ST(0) |

Table A-15. x87 Opcodes and ModRM Extensions (continued)

| Opcode | ModRM<br>mod<br>Field | ModRM reg Field       |                    |                    |                     |                             |                       |                            |                 |
|--------|-----------------------|-----------------------|--------------------|--------------------|---------------------|-----------------------------|-----------------------|----------------------------|-----------------|
|        |                       | /0                    | /1                 | /2                 | /3                  | /4                          | /5                    | /6                         | /7              |
| DD     | !11                   | FLD<br>mem64-<br>real | FISTTP<br>mem64int | FST<br>mem64real   | FSTP<br>mem64real   | FRSTOR<br>mem98/108e<br>nv  | invalid               | FNSAVE<br>mem98/108e<br>nv | FNSTSW<br>mem16 |
|        |                       | C0<br>FFREE<br>ST(0)  | C8<br>reserved     | D0<br>FST<br>ST(0) | D8<br>FSTP<br>ST(0) | E0<br>FUCOM<br>ST(0), ST(0) | E8<br>FUCOMP<br>ST(0) | F0<br>invalid              | F8<br>invalid   |
|        | 11                    | C1<br>FFREE<br>ST(1)  | C9<br>reserved     | D1<br>FST<br>ST(1) | D9<br>FSTP<br>ST(1) | E1<br>FUCOM<br>ST(1), ST(0) | E9<br>FUCOMP<br>ST(1) | F1<br>invalid              | F9<br>invalid   |
|        |                       | C2<br>FFREE<br>ST(2)  | CA<br>reserved     | D2<br>FST<br>ST(2) | DA<br>FSTP<br>ST(2) | E2<br>FUCOM<br>ST(2), ST(0) | EA<br>FUCOMP<br>ST(2) | F2<br>invalid              | FA<br>invalid   |
|        |                       | C3<br>FFREE<br>ST(3)  | CB<br>reserved     | D3<br>FST<br>ST(3) | DB<br>FSTP<br>ST(3) | E3<br>FUCOM<br>ST(3), ST(0) | EB<br>FUCOMP<br>ST(3) | F3<br>invalid              | FB<br>invalid   |
|        |                       | C4<br>FFREE<br>ST(4)  | CC<br>reserved     | D4<br>FST<br>ST(4) | DC<br>FSTP<br>ST(4) | E4<br>FUCOM<br>ST(4), ST(0) | EC<br>FUCOMP<br>ST(4) | F4<br>invalid              | FC<br>invalid   |
|        |                       | C5<br>FFREE<br>ST(5)  | CD<br>reserved     | D5<br>FST<br>ST(5) | DD<br>FSTP<br>ST(5) | E5<br>FUCOM<br>ST(5), ST(0) | ED<br>FUCOMP<br>ST(5) | F5<br>invalid              | FD<br>invalid   |
|        |                       | C6<br>FFREE<br>ST(6)  | CE<br>reserved     | D6<br>FST<br>ST(6) | DE<br>FSTP<br>ST(6) | E6<br>FUCOM<br>ST(6), ST(0) | EE<br>FUCOMP<br>ST(6) | F6<br>invalid              | FE<br>invalid   |
|        |                       | C7<br>FFREE<br>ST(7)  | CF<br>reserved     | D7<br>FST<br>ST(7) | DF<br>FSTP<br>ST(7) | E7<br>FUCOM<br>ST(7), ST(0) | EF<br>FUCOMP<br>ST(7) | F7<br>invalid              | FF<br>invalid   |

**Table A-15. x87 Opcodes and ModRM Extensions (continued)**

| Opcode | ModRM<br><i>mod</i><br>Field | ModRM reg Field                |                             |                   |                   |                              |                                |                              |                             |                    |
|--------|------------------------------|--------------------------------|-----------------------------|-------------------|-------------------|------------------------------|--------------------------------|------------------------------|-----------------------------|--------------------|
|        |                              | /0                             | /1                          | /2                | /3                | /4                           | /5                             | /6                           | /7                          |                    |
| DE     | 11                           | 00–BF                          |                             |                   |                   |                              |                                |                              |                             |                    |
|        |                              | !11                            | FIADD<br>mem16int           | FIMUL<br>mem16int | FICOM<br>mem16int | FICOMP<br>mem16int           | FISUB<br>mem16int              | FISUBR<br>mem16int           | FIDIV<br>mem16int           | FIDIVR<br>mem16int |
|        |                              | C0<br>FADDP<br>ST(0),<br>ST(0) | C8<br>FMULP<br>ST(0), ST(0) | D0<br>reserved    | D8<br>invalid     | E0<br>FSUBRP<br>ST(0), ST(0) | E8<br>FSUBP<br>ST(0),<br>ST(0) | F0<br>FDIVRP<br>ST(0), ST(0) | F8<br>FDIVP<br>ST(0), ST(0) |                    |
|        |                              | C1<br>FADDP<br>ST(1),<br>ST(0) | C9<br>FMULP<br>ST(1), ST(0) | D1<br>reserved    | D9<br>FCOMPP      | E1<br>FSUBRP<br>ST(1), ST(0) | E9<br>FSUBP<br>ST(1),<br>ST(0) | F1<br>FDIVRP<br>ST(1), ST(0) | F9<br>FDIVP<br>ST(1), ST(0) |                    |
|        |                              | C2<br>FADDP<br>ST(2),<br>ST(0) | CA<br>FMULP<br>ST(2), ST(0) | D2<br>reserved    | DA<br>invalid     | E2<br>FSUBRP<br>ST(2), ST(0) | EA<br>FSUBP<br>ST(2),<br>ST(0) | F2<br>FDIVRP<br>ST(2), ST(0) | FA<br>FDIVP<br>ST(2), ST(0) |                    |
|        |                              | C3<br>FADDP<br>ST(3),<br>ST(0) | CB<br>FMULP<br>ST(3), ST(0) | D3<br>reserved    | DB<br>invalid     | E3<br>FSUBRP<br>ST(3), ST(0) | EB<br>FSUBP<br>ST(3),<br>ST(0) | F3<br>FDIVRP<br>ST(3), ST(0) | FB<br>FDIVP<br>ST(3), ST(0) |                    |
|        |                              | C4<br>FADDP<br>ST(4),<br>ST(0) | CC<br>FMULP<br>ST(4), ST(0) | D4<br>reserved    | DC<br>invalid     | E4<br>FSUBRP<br>ST(4), ST(0) | EC<br>FSUBP<br>ST(4),<br>ST(0) | F4<br>FDIVRP<br>ST(4), ST(0) | FC<br>FDIVP<br>ST(4), ST(0) |                    |
|        |                              | C5<br>FADDP<br>ST(5),<br>ST(0) | CD<br>FMULP<br>ST(5), ST(0) | D5<br>reserved    | DD<br>invalid     | E5<br>FSUBRP<br>ST(5), ST(0) | ED<br>FSUBP<br>ST(5),<br>ST(0) | F5<br>FDIVRP<br>ST(5), ST(0) | FD<br>FDIVP<br>ST(5), ST(0) |                    |
|        |                              | C6<br>FADDP<br>ST(6),<br>ST(0) | CE<br>FMULP<br>ST(6), ST(0) | D6<br>reserved    | DE<br>invalid     | E6<br>FSUBRP<br>ST(6), ST(0) | EE<br>FSUBP<br>ST(6),<br>ST(0) | F6<br>FDIVRP<br>ST(6), ST(0) | FE<br>FDIVP<br>ST(6), ST(0) |                    |
|        |                              | C7<br>FADDP<br>ST(7),<br>ST(0) | CF<br>FMULP<br>ST(7), ST(0) | D7<br>reserved    | DF<br>invalid     | E7<br>FSUBRP<br>ST(7), ST(0) | EF<br>FSUBP<br>ST(7),<br>ST(0) | F7<br>FDIVRP<br>ST(7), ST(0) | FF<br>FDIVP<br>ST(7), ST(0) |                    |

Table A-15. x87 Opcodes and ModRM Extensions (continued)

| Opcode | ModRM<br>mod<br>Field | ModRM reg Field  |                    |                  |                   |                    |                                  |                              |                   |
|--------|-----------------------|------------------|--------------------|------------------|-------------------|--------------------|----------------------------------|------------------------------|-------------------|
|        |                       | /0               | /1                 | /2               | /3                | /4                 | /5                               | /6                           | /7                |
| DF     | 11                    | 00–BF            |                    |                  |                   |                    |                                  |                              |                   |
|        |                       | FILD<br>mem16int | FISTTP<br>mem16int | FIST<br>mem16int | FISTP<br>mem16int | FBLD<br>mem80dec   | FILD<br>mem64int                 | FBSTP<br>mem80dec            | FISTP<br>mem64int |
|        |                       | C0<br>reserved   | C8<br>reserved     | D0<br>reserved   | D8<br>reserved    | E0<br>FNSTSW<br>AX | E8<br>FUCOMIP<br>ST(0),<br>ST(0) | F0<br>FCOMIP<br>ST(0), ST(0) | F8<br>invalid     |
|        |                       | C1<br>reserved   | C9<br>reserved     | D1<br>reserved   | D9<br>reserved    | E1<br>invalid      | E9<br>FUCOMIP<br>ST(0),<br>ST(1) | F1<br>FCOMIP<br>ST(0), ST(1) | F9<br>invalid     |
|        |                       | C2<br>reserved   | CA<br>reserved     | D2<br>reserved   | DA<br>reserved    | E2<br>invalid      | EA<br>FUCOMIP<br>ST(0),<br>ST(2) | F2<br>FCOMIP<br>ST(0), ST(2) | FA<br>invalid     |
|        |                       | C3<br>reserved   | CB<br>reserved     | D3<br>reserved   | DB<br>reserved    | E3<br>invalid      | EB<br>FUCOMIP<br>ST(0),<br>ST(3) | F3<br>FCOMIP<br>ST(0), ST(3) | FB<br>invalid     |
|        |                       | C4<br>reserved   | CC<br>reserved     | D4<br>reserved   | DC<br>reserved    | E4<br>invalid      | EC<br>FUCOMIP<br>ST(0),<br>ST(4) | F4<br>FCOMIP<br>ST(0), ST(4) | FC<br>invalid     |
|        |                       | C5<br>reserved   | CD<br>reserved     | D5<br>reserved   | DD<br>reserved    | E5<br>invalid      | ED<br>FUCOMIP<br>ST(0),<br>ST(5) | F5<br>FCOMIP<br>ST(0), ST(5) | FD<br>invalid     |
|        |                       | C6<br>reserved   | CE<br>reserved     | D6<br>reserved   | DE<br>reserved    | E6<br>invalid      | EE<br>FUCOMIP<br>ST(0),<br>ST(6) | F6<br>FCOMIP<br>ST(0), ST(6) | FE<br>invalid     |
|        |                       | C7<br>reserved   | CF<br>reserved     | D7<br>reserved   | DF<br>reserved    | E7<br>invalid      | EF<br>FUCOMIP<br>ST(0),<br>ST(7) | F7<br>FCOMIP<br>ST(0), ST(7) | FF<br>invalid     |

### A.1.4 rFLAGS Condition Codes for x87 Opcodes

Table A-16 shows the rFLAGS condition codes specified by the opcode and ModRM bytes of the FCMOVcc instructions.

**Table A-16. rFLAGS Condition Codes for FCMOVcc**

| Opcode<br>(hex) | ModRM<br><i>mod</i><br>Field | ModRM<br><i>reg</i><br>Field | rFLAGS Value      | cc Mnemonic | Condition          |  |
|-----------------|------------------------------|------------------------------|-------------------|-------------|--------------------|--|
| DA              | 11                           | 000                          | CF = 1            | B           | Below              |  |
|                 |                              | 001                          | ZF = 1            | E           | Equal              |  |
|                 |                              | 010                          | CF = 1 or ZF = 1  | BE          | Below or Equal     |  |
|                 |                              | 011                          | PF = 1            | U           | Unordered          |  |
| DB              |                              | 000                          | CF = 0            | NB          | Not Below          |  |
|                 |                              | 001                          | ZF = 0            | NE          | Not Equal          |  |
|                 |                              | 010                          | CF = 0 and ZF = 0 | NBE         | Not Below or Equal |  |
|                 |                              | 011                          | PF = 0            | NU          | Not Unordered      |  |

### A.1.5 Extended Instruction Opcode Maps

The following sections present the VEX and the XOP extended instruction opcode maps. The VEX.map\_select field of the three-byte VEX encoding escape sequence selects VEX opcode maps: 01h, 02h, or 03h. The two-byte VEX encoding escape sequence implicitly selects the VEX map 01h.

The XOP.map\_select field selects between the three XOP maps: 08h, 09h or 0Ah.

**VEX Opcode Maps.** Tables A-17 to A-23 below present the VEX opcode maps and Table A-24 on page 559 presents the VEX opcode groups.

**Table A-17. VEX Opcode Map 1, Low Nibble = [0h:7h]**

| VEX.pp | Opcode | x0                                                    | x1                                                    | x2                                              | x3                                   | x4                                   | x5                                       | x6                                              | x7                                         |
|--------|--------|-------------------------------------------------------|-------------------------------------------------------|-------------------------------------------------|--------------------------------------|--------------------------------------|------------------------------------------|-------------------------------------------------|--------------------------------------------|
| 00     | 1x     | VMOVUPS <sup>2</sup><br>Vx, Wx                        | VMOVUPS <sup>2</sup><br>Wx, Vx                        | VMOVHLPS<br>Vx, Hx, Ux<br>VMOVLPS<br>Hx, Vx, Mq | VMOVLPS<br>Mq, Vx                    | VUNPCKLPS <sup>2</sup><br>Vx, Hx, Wx | VUNPCKHPS <sup>2</sup><br>Vx, Hx, Wx     | VMOVHPS<br>Vx, Hx, Mq<br>VMOVLHPS<br>Vx, Hx, Ux | VMOVHPS<br>Mq, Vx                          |
|        |        | VMOVUPD <sup>2</sup><br>Vx, Wx                        | VMOVUPD <sup>2</sup><br>Wx, Vx                        | VMOVLPD<br>Hx, Vx, Mq                           | VMOVLPD<br>Mq, Vx                    | VUNPCKLPD <sup>2</sup><br>Vx, Hx, Wx | VUNPCKHPD <sup>2</sup><br>Vx, Hx, Wx     | VMOVHPD<br>Vx, Hx, Mq                           | VMOVHPD<br>Mq, Vx                          |
|        |        | VMOVSS <sup>3</sup><br>Vx, Hx, Ux<br>VMOVSS<br>Vx, Md | VMOVSS <sup>3</sup><br>Ux, Hx, Vx<br>VMOVSS<br>Md, Vx | VMOVSLDUP <sup>2</sup><br>Vx, Wx                |                                      |                                      |                                          | VMOVSHDUP <sup>2</sup><br>Vx, Wx                |                                            |
|        |        | VMOVS <sup>3</sup><br>Vx, Hx, Ux<br>VMOVS<br>Vx, Mq   | VMOVS <sup>3</sup><br>Ux, Hx, Vx<br>VMOVS<br>Md, Vx   | VMOVDDUP<br>Vx, Wx                              |                                      |                                      |                                          |                                                 |                                            |
| ...    | 2x-4x  | ...                                                   |                                                       |                                                 |                                      |                                      |                                          |                                                 |                                            |
| 00     | 4x     |                                                       | KANDQ<br>KR, KV, KM<br>KANDW<br>KR, KV, KM            | KANDNQ<br>KR, KV, KM<br>KANDNW<br>KR, KV, KM    |                                      | KNOTQ<br>KR, KM<br>KNOTW<br>KR, KM   | KORQ<br>KR, KV, KM<br>KORW<br>KR, KV, KM | KXNORQ<br>KR, KV, KM<br>KXNORW<br>KR, KV, KM    | KXORQ<br>KR, KV, KM<br>KXORW<br>KR, KV, KM |
|        |        |                                                       | KANDB<br>KR, KV, KM<br>KANDD<br>KR, KV, KM            | KANDNB<br>KR, KV, KM<br>KANDND<br>KR, KV, KM    |                                      | KNOTB<br>KR, KM<br>KNODT<br>KR, KM   | KORB<br>KR, KV, KM<br>KORD<br>KR, KV, KM | KXNORB<br>KR, KV, KM<br>KXNORD<br>KR, KV, KM    | KXORB<br>KR, KV, KM<br>KXORD<br>KR, KV, KM |
| 01     | 5x     | VMOVMSKPS <sup>2</sup><br>Gw, Ux                      | VSQRTPS <sup>2</sup><br>Vx, Wx                        | VRSQRTPS <sup>2</sup><br>Vx, Wx                 | VRCPPS <sup>2</sup><br>Vx, Wx        | VANDPS <sup>2</sup><br>Vx, Hx, Wx    | VANDNPS <sup>2</sup><br>Vx, Hx, Wx       | VORPS <sup>2</sup><br>Vx, Hx, Wx                | VXORPS <sup>2</sup><br>Vx, Hx, Wx          |
|        |        | VMOVMSKPD <sup>2</sup><br>Gw, Ux                      | VSQRTPD <sup>2</sup><br>Vx, Wx                        |                                                 |                                      | VANDPD <sup>2</sup><br>Vx, Hx, Wx    | VANDNPD <sup>2</sup><br>Vx, Hx, Wx       | VORPD <sup>2</sup><br>Vx, Hx, Wx                | VXORPD <sup>2</sup><br>Vx, Hx, Wx          |
|        |        |                                                       | VSQRTSS <sup>3</sup><br>Vx, Hx, Wx                    | VRSQRTSS <sup>3</sup><br>Vx, Hx, Wx             | VRCPPS <sup>3</sup><br>Vx, Hx, Wx    |                                      |                                          |                                                 |                                            |
|        |        |                                                       | VSQRTSD <sup>3</sup><br>Vx, Hx, Wx                    |                                                 |                                      |                                      |                                          |                                                 |                                            |
| 01     | 6x     | VPUNPCKLBW <sup>2</sup><br>Vx, Hx, Wx                 | VPUNPCKLWD <sup>2</sup><br>Vx, Hx, Wx                 | VPUNPCKLDQ <sup>2</sup><br>Vx, Hx, Wx           | VPACKSSWB <sup>2</sup><br>Vx, Hx, Wx | VPCMGTB <sup>2</sup><br>Vx, Hx, Wx   | VPCMGTW <sup>2</sup><br>Vx, Hx, Wx       | VPCMGTD <sup>2</sup><br>Vx, Hx, Wx              | VPACKUSWB <sup>2</sup><br>Vx, Hx, Wx       |
| 01     | 7x     | VPSHUFD <sup>2</sup><br>Vx, Wx, Ib                    | VEX Group 12                                          | VEX Group 13                                    | VEX Group 14                         | VPCMPEQB <sup>2</sup><br>Vx, Hx, Wx  | VPCMPEQW <sup>2</sup><br>Vx, Hx, Wx      | VPCMPEQD <sup>2</sup><br>Vx, Hx, Wx             |                                            |
| 10     |        | VPSHUFHW <sup>2</sup><br>Vx, Wx, Ib                   |                                                       |                                                 |                                      |                                      |                                          |                                                 |                                            |
| 11     |        | VPSHUFLW <sup>2</sup><br>Vx, Wx, Ib                   |                                                       |                                                 |                                      |                                      |                                          |                                                 |                                            |
| 00     | 9x     | KMOVQ<br>KR, KW<br>KMOVW<br>KR, KW                    | KMOVQ<br>Mq, KR<br>KMOVW<br>Mw, KR                    | KMOVW<br>KR, Rd                                 | KMOVW<br>Gd, KM                      |                                      |                                          |                                                 |                                            |
|        |        | KMOVB<br>KR, KW<br>KMOVD<br>KR, KW                    | KMOVB<br>Mx, KR<br>KMOVD<br>Md, KR                    | KMOVB<br>KR, Rd                                 | KMOVB<br>Gd, KM                      |                                      |                                          |                                                 |                                            |
|        |        |                                                       |                                                       | KMOVD<br>KR, Rd<br>KMOVQ<br>KR, Rq              | KMOVD<br>Gd, KM<br>KMOVQ<br>Gq, KM   |                                      |                                          |                                                 |                                            |

**Notes:**

1. The condition codes are: EQ, LT, LE, UNORD, NEQ, NLT, NLE, and ORD; encoded as [00:07h] using Ib.

VEX encoding adds: EQ\_UQ, NGE, NGT, FALSE, NEQ\_OQ, GE, GT, TRUE [08:0Fh];

EQ\_OS, LT\_OQ, LE\_OQ, UNORD\_S, NEQ\_US, NLT\_UQ, NLE\_UQ, ORD\_S [10h:17h]; and

EQ\_US, NGE\_UQ, NGT\_UQ, FALSE\_OS, NEQ\_OS, GE\_OQ, GT\_OQ, TRUE\_US [18:1Fh].

2. Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit. When L = 0, size is 128 bits; when L = 1, size is 256 bits.

3. Operands are scalars. VEX.L bit is ignored.

**Table A-18. VEX Opcode Map 1, Low Nibble = [0h:7h] Continued**

| VEX.pp | Opcode | x0                      | x1                   | x2                        | x3                   | x4                        | x5                     | x6                        | x7                        |
|--------|--------|-------------------------|----------------------|---------------------------|----------------------|---------------------------|------------------------|---------------------------|---------------------------|
| ...    | Ax-Bx  | ...                     |                      |                           |                      |                           |                        |                           |                           |
| 00     | Cx     |                         |                      | VCMPPS<br>Vx, Hx, Wx, Ib  |                      |                           |                        | VSHUFPS<br>Vx, Hx, Wx, Ib |                           |
| 01     |        |                         |                      | VCMPPD<br>Vx, Hx, Wx, Ib  |                      | VPINSRW<br>Vx, Hx, Ed, Ib | VPEXTRW<br>Gw, Ux, Ib  | VSHUFPD<br>Vx, Hx, Wx, Ib |                           |
| 10     |        |                         |                      | VCMPPS<br>Vx, Hx, Wx, Ib  |                      |                           |                        |                           |                           |
| 11     |        |                         |                      | VCMPPSD<br>Vx, Hx, Wx, Ib |                      |                           |                        |                           |                           |
| 00     | Dx     |                         |                      |                           |                      |                           |                        |                           |                           |
| 01     |        | VADDSUBPD<br>Vx, Hx, Wx | VPSRLW<br>Vx, Hx, Wx | VPSRLD<br>Vx, Hx, Wx      | VPSRLQ<br>Vx, Hx, Wx | VPADDQ<br>Vx, Hx, Wx      | VPMULLW<br>Vx, Hx, Wx  | VMOVQ<br>Wx, Vx           | VPMOVMSKB<br>Gw, Ux       |
| 10     |        |                         |                      |                           |                      |                           |                        |                           |                           |
| 11     |        | VADDSUBPS<br>Vx, Hx, Wx |                      |                           |                      |                           |                        |                           |                           |
| 00     | Ex     |                         |                      |                           |                      |                           |                        |                           |                           |
| 01     |        | VPAVGB<br>Vx, Hx, Wx    | VPSRAW<br>Vx, Hx, Wx | VPSRAD<br>Vx, Hx, Wx      | VPAVGW<br>Vx, Hx, Wx | VPMULHUW<br>Vx, Hx, Wx    | VPMULHW<br>Vx, Hx, Wx  | VCVTTPD2DQ<br>Vx, Wx      | VMOVNTDQ<br>Mx, Vx        |
| 10     |        |                         |                      |                           |                      |                           |                        | VCVTDQ2PD<br>Vx, Wx       |                           |
| 11     |        |                         |                      |                           |                      |                           |                        | VCVTDP2DQ<br>Vx, Wx       |                           |
| 00     | Fx     |                         |                      |                           |                      |                           |                        |                           |                           |
| 01     |        |                         | VPSLLW<br>Vx, Hx, Wx | VPSLLD<br>Vx, Hx, Wx      | VPSLLQ<br>Vx, Hx, Wx | VPMULUDQ<br>Vx, Hx, Wx    | VPMADDWD<br>Vx, Hx, Wx | VPSADBW<br>Vx, Hx, Wx     | VMASKMOVD<br>QU<br>Vx, Ux |
| 10     |        |                         |                      |                           |                      |                           |                        |                           |                           |
| 11     |        | VLDDQU<br>Vx, Mx        |                      |                           |                      |                           |                        |                           |                           |

**Notes:**

1. The condition codes are: EQ, LT, LE, UNORD, NEQ, NLT, NLE, and ORD; encoded as [00:07h] using Ib.  
VEX encoding adds: EQ\_UQ, NGE, NGT, FALSE, NEQ\_OQ, GE, GT, TRUE [08:0Fh];  
EQ\_OS, LT\_OQ, LE\_OQ, UNORD\_S, NEQ\_US, NLT\_UQ, NLE\_UQ, ORD\_S [10h:17h]; and  
EQ\_US, NGE\_UQ, NGT\_UQ, FALSE\_OS, NEQ\_OS, GE\_OQ, GT\_OQ, TRUE\_US [18:1Fh].
2. Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit. When L = 0, size is 128 bits; when L = 1, size is 256 bits.
3. Operands are scalars. VEX.L bit is ignored.

**Table A-19. VEX Opcode Map 1, Low Nibble = [8h:Fh]**

| VEX.pp | Opcode | x8                                       | x9                                   | xA                                         | xB                                               | xC                                         | xD                                         | xE                               | xF                   |
|--------|--------|------------------------------------------|--------------------------------------|--------------------------------------------|--------------------------------------------------|--------------------------------------------|--------------------------------------------|----------------------------------|----------------------|
| ...    | 0x-1x  | ...                                      |                                      |                                            |                                                  |                                            |                                            |                                  |                      |
| 00     | 2x     | VMOVAPS<br>Vx, Wx                        | VMOVAPS<br>Wx, Vx                    |                                            | VMOVNTPS<br>Mx, Vx                               |                                            |                                            | VUCOMISS<br>Vx, Wx               | VCOMISS<br>Vx, Wx    |
| 01     |        | VMOVAPD<br>Vx, Wx                        | VMOVAPD<br>Wx, Vx                    |                                            | VMOVNTPD<br>Mx, Vx                               |                                            |                                            | VUCOMISD<br>Vx, Wx               | VCOMISD<br>Vx, Wx    |
| 10     |        |                                          |                                      | VCVTSI2SS<br>Vx, Hx, Ed                    |                                                  | VCVTSS2SI<br>Gd, Wx<br>VCVTSS2SI<br>Gq, Wx | VCVTSS2SI<br>Gd, Wx<br>VCVTSS2SI<br>Gq, Wx |                                  |                      |
| 11     |        |                                          |                                      | VCVTSI2SD<br>Vx, Hx, Ed                    |                                                  | VCVTSD2SI<br>Gd, Wx<br>VCVTSD2SI<br>Gq, Wx | VCVTSD2SI<br>Gd, Wx<br>VCVTSD2SI<br>Gq, Wx |                                  |                      |
| ...    | 3x     | ...                                      |                                      |                                            |                                                  |                                            |                                            |                                  |                      |
| 00     | 4x     |                                          |                                      | KADDQ<br>KR, KV, KM<br>KADDW<br>KR, KV, KM | KUNPCKDQ<br>KR, KV, KM<br>KUNPCKWD<br>KR, KV, KM |                                            |                                            |                                  |                      |
| 01     |        |                                          |                                      | KADDB<br>KR, KV, KM<br>KADDD<br>KR, KV, KM | KUNPCKBW<br>KR, KV, KM                           |                                            |                                            |                                  |                      |
| 00     | 5x     | VADDPS<br>Vx, Hx, Wx                     | VMULPS<br>Vx, Hx, Wx                 | VCVTPS2PD<br>Vx, Wx                        | VCVTQ2PS<br>Vx, Wx                               | VSUBPS<br>Vx, Hx, Wx                       | VMINPS<br>Vx, Hx, Wx                       | VDIVPS<br>Vx, Hx, Wx             | VMAXPS<br>Vx, Hx, Wx |
| 01     |        | VADDPD<br>Vx, Hx, Wx                     | VMULPD<br>Vx, Hx, Wx                 | VCVTPD2PS<br>Vx, Wx                        | VCVTPS2DQ<br>Vx, Wx                              | VSUBPD<br>Vx, Hx, Wx                       | VMINPD<br>Vx, Hx, Wx                       | VDIVPD<br>Vx, Hx, Wx             | VMAXPD<br>Vx, Hx, Wx |
| 10     |        | VADDSS<br>Vx, Hx, Wx                     | VMULSS<br>Vx, Hx, Wx                 | VCVTSS2SD<br>Vx, Wx                        | VCVTTPS2DQ<br>Vx, Wx                             | VSUBSS<br>Vx, Hx, Wx                       | VMINSS<br>Vx, Hx, Wx                       | VDIVSS<br>Vx, Hx, Wx             | VMAXSS<br>Vx, Hx, Wx |
| 11     |        | VADDSD<br>Vx, Hx, Wx                     | VMULSD<br>Vx, Hx, Wx                 | VCVTSD2SS<br>Vx, Hx, Wx                    |                                                  | VSUBSD<br>Vx, Hx, Wx                       | VMINSD<br>Vx, Hx, Wx                       | VDIVSD<br>Vx, Hx, Wx             | VMAXSD<br>Vx, Hx, Wx |
| 00     | 6x     | VPUNPCKHBW<br>Vx, Hx, Wx                 | VPUNPCKHW<br>Vx, Hx, Wx              | VPUNPCKHDQ<br>Vx, Hx, Wx                   | VPACKSSDW<br>Vx, Hx, Wx                          | VPUNPCKLQDQ<br>Vx, Hx, Wx                  | VPUNPCKHQDQ<br>Vx, Hx, Wx                  | VMOVD<br>Vx, Ed                  | VMOVDQA<br>Vx, Wx    |
| 01     |        |                                          |                                      |                                            |                                                  |                                            |                                            | VMOVQ<br>Vx, Eq                  |                      |
| 10     |        |                                          |                                      |                                            |                                                  |                                            |                                            |                                  | VMOVDQU<br>Vx, Wx    |
| 11     |        |                                          |                                      |                                            |                                                  |                                            |                                            |                                  |                      |
| 00     | 7x     |                                          |                                      |                                            |                                                  |                                            |                                            |                                  |                      |
| 01     |        |                                          |                                      |                                            |                                                  | VHADDPD<br>Vx, Hx, Wx                      | VHSUBPD<br>Vx, Hx, Wx                      | VMOVD<br>Ed, Vx                  | VMOVDQA<br>Wx, Vx    |
| 10     |        |                                          |                                      |                                            |                                                  |                                            |                                            |                                  | VMOVDQU<br>Wx, Vx    |
| 11     |        |                                          |                                      |                                            |                                                  | VHADDPD<br>Vx, Hx, Wx                      | VHSUBPS<br>Vx, Hx, Wx                      |                                  |                      |
| ...    | 8x     | ...                                      |                                      |                                            |                                                  |                                            |                                            |                                  |                      |
| 00     | 9x     | KORTESTQ<br>KR, KM<br>KORTESTW<br>KR, KM | KTESTQ<br>KR, KM<br>KTESTW<br>KR, KM |                                            |                                                  |                                            |                                            |                                  |                      |
| 01     |        | KORTESTB<br>KR, KM<br>KORTESTD<br>KR, KM | KTESTB<br>KR, KM<br>KTESTD<br>KR, KM |                                            |                                                  |                                            |                                            |                                  |                      |
| 00     | Ax     |                                          |                                      |                                            |                                                  |                                            |                                            | VLDMXCSR<br>Md<br>VSTMXCSR<br>Md |                      |
| ..     | Bx-Cx  | ...                                      |                                      |                                            |                                                  |                                            |                                            |                                  |                      |
| 00     | Dx     | VPSUBUSB<br>Vx, Hx, Wx                   | VPSUBSW<br>Vx, Hx, Wx                | VPMINUB<br>Vx, Hx, Wx                      | VPAND<br>Vx, Hx, Wx                              | VPADDUSB<br>Vx, Hx, Wx                     | VPADDUSW<br>Vx, Hx, Wx                     | VPMAXUB<br>Vx, Hx, Wx            | VPANDN<br>Vx, Hx, Wx |
| 01     |        | VPSUBSB<br>Vx, Hx, Wx                    | VPSUBSW<br>Vx, Hx, Wx                | VPMINSW<br>Vx, Hx, Wx                      | VPOR<br>Vx, Hx, Wx                               | VPADDSB<br>Vx, Hx, Wx                      | VPADDSW<br>Vx, Hx, Wx                      | VPMAXSW<br>Vx, Hx, Wx            | VPXOR<br>Vx, Hx, Wx  |
| 00     | Ex     | VPSUBBB<br>Vx, Hx, Wx                    | VPSUBW<br>Vx, Hx, Wx                 | VPSUBD<br>Vx, Hx, Wx                       | VPSUBQ<br>Vx, Hx, Wx                             | VPADDDB<br>Vx, Hx, Wx                      | VPADDW<br>Vx, Hx, Wx                       | VPADD<br>Vx, Hx, Wx              |                      |
| 01     |        | VPSUBB<br>Vx, Hx, Wx                     | VPSUBW<br>Vx, Hx, Wx                 | VPSUBD<br>Vx, Hx, Wx                       | VPSUBQ<br>Vx, Hx, Wx                             |                                            |                                            |                                  |                      |

**Note:**

1. Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit. When L = 0, size is 128 bits; when L = 1, size is 256 bits.

2. Operands are scalars. VEX.L bit is ignored.

**Table A-20. VEX Opcode Map 2, Low Nibble = [0h:7h]**

| VEX.pp | Opcode | x0                        | x1                        | x2                        | x3                                   | x4                                                                                               | x5                                   | x6                                   | x7                                   |
|--------|--------|---------------------------|---------------------------|---------------------------|--------------------------------------|--------------------------------------------------------------------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|
| 01     | 0x     | VPSHUFB<br>Vx, Hx, Wx     | VPHADDW<br>Vx, Hx, Wx     | VPHADDD<br>Vx, Hx, Wx     | VPHADDSW<br>Vx, Hx, Wx               | VPMADDUBSW<br>Vx, Hx, Wx                                                                         | VPHSUBW<br>Vx, Hx, Wx                | VPHSUBD<br>Vx, Hx, Wx                | VPHSUBSW<br>Vx, Hx, Wx               |
| 01     | 1x     |                           |                           |                           | VCVTPH2PS<br>Vx, Wx                  |                                                                                                  |                                      | VPERMPS<br>Vx, Hx, Wx                | VPTEST<br>Vx, Wx                     |
| 01     | 2x     | VPMOVSXWB<br>Vx, Wx       | VPMOVSXBD<br>Vx, Wx       | VPMOVSXQB<br>Vx, Wx       | VPMOVSXWD<br>Vx, Wx                  | VPMOVSXWQ<br>Vx, Wx                                                                              | VPMOVSXDQ<br>Vx, Wx                  |                                      |                                      |
| 01     | 3x     | VPMOVZXBW<br>Vx, Wx       | VPMOVZXBD<br>Vx, Wx       | VPMOVZXBQ<br>Vx, Wx       | VPMOVZXWD<br>Vx, Wx                  | VPMOVZXWQ<br>Vx, Wx                                                                              | VPMOVZXDQ<br>Vx, Wx                  | VPERMD<br>Vx, Hx, Wx                 | VPCMPGTQ<br>Vx, Hx, Wx               |
| 01     | 4x     | VPMULLD<br>Vx, Hx, Wx     | VPHMINPOSUW<br>Vx, Wx     |                           |                                      |                                                                                                  | VPSRLVD<br>Vx, Hx, Wx                | VPSRAVD<br>Vx, Hx, Wx                | VPSLLVD<br>Vx, Hx, Wx                |
| 01     | 5x     | VPDPBUSD<br>Vx, Hx, Wx    | VPDPBUSDS<br>Vx, Hx, Wx   | VPDPWSSD<br>Vx, Hx, Wx    | VPDPWSSDS<br>Vx, Hx, Wx              |                                                                                                  |                                      |                                      | VPSLLVQ<br>Vx, Hx, Wx                |
| ...    | 6x-8x  | ...                       |                           |                           |                                      |                                                                                                  |                                      |                                      |                                      |
| 01     | 9x     | VPGATHERDD<br>Vx, M*d, Hx | VPGATHERQD<br>Vx, M*d, Hx | VGATHERDPD<br>Vx, M*d, Hx | VGATHERQPD<br>Vx, M*q, Hx            |                                                                                                  |                                      | VFMADDSSUB132PD<br>Vx, Hx, Wx        | VFMSUBADD132PD<br>Vx, Hx, Wx         |
|        |        | VPGATHERDQ<br>Vx, M*d, Hx | VPGATHERQQ<br>Vx, M*q, Hx | VGATHERDPS<br>Vx, M*d, Hx | VGATHERQPS<br>Vx, M*q, Hx            |                                                                                                  |                                      | VFMADDSSUB132PS<br>Vx, Hx, Wx        | VFMSUBADD132PS<br>Vx, Hx, Wx         |
| 01     | Ax     |                           |                           |                           |                                      |                                                                                                  |                                      | VFMADDSSUB213PD<br>Vx, Hx, Wx        | VFMSUBADD213PD<br>Vx, Hx, Wx         |
| 01     | Bx     |                           |                           |                           |                                      |                                                                                                  |                                      | VFMADDSSUB213PS<br>Vx, Hx, Wx        | VFMSUBADD213PS<br>Vx, Hx, Wx         |
| ...    | Cx-Ex  |                           |                           |                           |                                      |                                                                                                  |                                      | VFMADDSSUB231PD<br>Vx, Hx, Wx        | VFMSUBADD231PD<br>Vx, Hx, Wx         |
|        |        |                           |                           |                           |                                      |                                                                                                  |                                      | VFMADDSSUB231PS<br>Vx, Hx, Wx        | VFMSUBADD231PS<br>Vx, Hx, Wx         |
| 00     | Fx     |                           |                           |                           | ANDN<br>Gd, , Ed<br>ANDN<br>Gq, , Eq | BLSI<br>, Ed<br>BLSI<br>, Eq<br>BLSMSK<br>, Ed<br>BLSMSK<br>, Eq<br>BLSR<br>, Ed<br>BLSR<br>, Eq | BZHI<br>Gd, , Ed<br>BZHI<br>Gq, , Eq |                                      | BEXT<br>Gd, , Ed<br>BEXT<br>Gq, , Eq |
| 01     |        |                           |                           |                           |                                      |                                                                                                  |                                      |                                      | SHLX<br>Gd, , Ed<br>SHLX<br>Gq, , Eq |
| 10     |        |                           |                           |                           |                                      |                                                                                                  | PEXT<br>Gd, , Ed<br>PEXT<br>Gq, , Eq |                                      | SARX<br>Gd, , Ed<br>SARX<br>Gq, , Eq |
| 11     |        |                           |                           |                           |                                      |                                                                                                  | PDEP<br>Gd, , Ed<br>PDEP<br>Gq, , Eq | MULX<br>Gd, , Ed<br>MULX<br>Gq, , Eq | SHRX<br>Gd, , Ed<br>SHRX<br>Gq, , Eq |

Note:

1. Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit. When L = 0, size is 128 bits; when L = 1, size is 256 bits.
2. For all VFMADDSSUBnnnPS instructions, the data type is packed single-precision floating point.
- For all VFMADDSSUBnnnPD instructions, the data type is packed double-precision floating point.
3. For all VFMSUBADDnnnPS instructions, the data type is packed single-precision floating point.
- For all VFMSUBADDnnnPD instructions, the data type is packed double-precision floating point.
4. Operands are treated as bit vectors.
5. Uses VSIB addressing mode.

**Table A-21. VEX Opcode Map 2, Low Nibble = [8h:Fh]**

| VEX.pp | Opcode       | x8                                                     | x9                                                     | xA                                                     | xB                                                     | xC                                                       | xD                                                       | xE                                                       | xF                                                       |
|--------|--------------|--------------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------------|----------------------------------------------------------|----------------------------------------------------------|----------------------------------------------------------|
| 01     | 0x           | VPSIGNB<br>Vx, Hx, Wx                                  | VPSIGNW<br>Vx, Hx, Wx                                  | VPSIGND<br>Vx, Hx, Wx                                  | VPMULHRSW<br>Vx, Hx, Wx                                | VPERMILPS<br>Vx, Hx, Wx                                  | VPERMILPD<br>Vx, Hx, Wx                                  | VTESTPS<br>Vx, Wx                                        | VTESTPD<br>Vx, Wx                                        |
| 01     | 1x           | VBROADCASTSS<br>Vx, Wx                                 | VBROADCASTSD<br>Vx, Wx                                 | VBROADCASTF128<br>Vx, Mx                               |                                                        | VPABSB<br>Vx, Wx                                         | VPABSW<br>Vx, Wx                                         | VPABSD<br>Vx, Wx                                         |                                                          |
| 01     | 2x           | VPMULDQ<br>Vx, Hx, Wx                                  | VPCMPEQQ<br>Vx, Hx, Wx                                 | VMOVTNDQA<br>Vx, Mx                                    | VPACKUSDW<br>Vx, Hx, Wx                                | VMASKMOVPS<br>Vx, Hx, Mx                                 | VMASKMOVPD<br>Vx, Hx, Mx                                 | VMASKMOVPS<br>Mx, Hx, Vx                                 | VMASKMOVPD<br>Mx, Hx, Vx                                 |
| 01     | 3x           | VPMINSB<br>Vx, Hx, Wx                                  | VPMINSD<br>Vx, Hx, Wx                                  | VPMINUW<br>Vx, Hx, Wx                                  | VPMINUD<br>Vx, Hx, Wx                                  | VPMAXSB<br>Vx, Hx, Wx                                    | VPMAXSD<br>Vx, Hx, Wx                                    | VPMAXUW<br>Vx, Hx, Wx                                    | VPMAXUD<br>Vx, Hx, Wx                                    |
| ...    | <b>4x</b>    | ...                                                    |                                                        |                                                        |                                                        |                                                          |                                                          |                                                          |                                                          |
| 01     | 5x           | VPBROADCASTD<br>Vx, Wx                                 | VPBROADCASTQ<br>Vx, Wx                                 | VPBROADCASTI128<br>Vx, Mx                              |                                                        |                                                          |                                                          |                                                          |                                                          |
| ...    | <b>6x</b>    | ...                                                    |                                                        |                                                        |                                                        |                                                          |                                                          |                                                          |                                                          |
| 01     | 7x           | VPBROADCASTB<br>Vx, Wx                                 | VPBROADCASTW<br>Vx, Wx                                 |                                                        |                                                        |                                                          |                                                          |                                                          |                                                          |
| 01     | 8x           |                                                        |                                                        |                                                        |                                                        | VPMASKMOVD<br>Vx, Hx, Mx<br>VPMASKMOVQ<br>Vx, Hx, Mx     |                                                          | VPMASKMOVD<br>Mx, Hx, Vx<br>VPMASKMOVQ<br>Mx, Hx, Vx     |                                                          |
| 01     | 9x           | VFMADD132PD<br>Vx, Hx, Wx<br>VFMADD132PS<br>Vx, Hx, Wx | VFMADD132SD<br>Vx, Hx, Wx<br>VFMADD132SS<br>Vx, Hx, Wx | VFMSUB132PD<br>Vx, Hx, Wx<br>VFMSUB132PS<br>Vx, Hx, Wx | VFMSUB132SD<br>Vx, Hx, Wx<br>VFMSUB132SS<br>Vx, Hx, Wx | VFNMADD132PD<br>Vx, Hx, Wx<br>VFNMADD132PS<br>Vx, Hx, Wx | VFNMSUB132PD<br>Vx, Hx, Wx<br>VFNMSUB132SS<br>Vx, Hx, Wx | VFNMSUB132SD<br>Vx, Hx, Wx<br>VFNMSUB132SS<br>Vx, Hx, Wx | VFNMSUB132SD<br>Vx, Hx, Wx<br>VFNMSUB132SS<br>Vx, Hx, Wx |
| 01     | Ax           | VFMADD213PD<br>Vx, Hx, Wx<br>VFMADD213PS<br>Vx, Hx, Wx | VFMADD213SD<br>Vx, Hx, Wx<br>VFMADD213SS<br>Vx, Hx, Wx | VFMSUB213PD<br>Vx, Hx, Wx<br>VFMSUB213PS<br>Vx, Hx, Wx | VFMSUB213SD<br>Vx, Hx, Wx<br>VFMSUB213SS<br>Vx, Hx, Wx | VFNMADD213PD<br>Vx, Hx, Wx<br>VFNMADD213PS<br>Vx, Hx, Wx | VFNMSUB213PD<br>Vx, Hx, Wx<br>VFNMSUB213PS<br>Vx, Hx, Wx | VFNMSUB213SD<br>Vx, Hx, Wx<br>VFNMSUB213SS<br>Vx, Hx, Wx | VFNMSUB213SD<br>Vx, Hx, Wx<br>VFNMSUB213SS<br>Vx, Hx, Wx |
| 01     | Bx           | VFMADD231PD<br>Vx, Hx, Wx<br>VFMADD231PS<br>Vx, Hx, Wx | VFMADD231SD<br>Vx, Hx, Wx<br>VFMADD231SS<br>Vx, Hx, Wx | VFMSUB231PD<br>Vx, Hx, Wx<br>VFMSUB231PS<br>Vx, Hx, Wx | VFMSUB231SD<br>Vx, Hx, Wx<br>VFMSUB231SS<br>Vx, Hx, Wx | VFNMADD231PD<br>Vx, Hx, Wx<br>VFNMADD231PS<br>Vx, Hx, Wx | VFNMSUB231PD<br>Vx, Hx, Wx<br>VFNMSUB231PS<br>Vx, Hx, Wx | VFNMSUB231SD<br>Vx, Hx, Wx<br>VFNMSUB231SS<br>Vx, Hx, Wx | VFNMSUB231SD<br>Vx, Hx, Wx<br>VFNMSUB231SS<br>Vx, Hx, Wx |
| 01     | Cx           |                                                        |                                                        |                                                        |                                                        |                                                          |                                                          |                                                          | VGF2P8MULB<br>Vx, Hx, Wx                                 |
| 01     | Dx           |                                                        |                                                        |                                                        | VAESIMC<br>Vx, Wx                                      | VAESENCLAST<br>Vx, Hx, Wx                                | VAESENCLAST<br>Vx, Hx, Wx                                | VAESDEC<br>Vx, Hx, Wx                                    | VAESDECLAST<br>Vx, Hx, Wx                                |
| ...    | <b>Ex-Fx</b> | ...                                                    |                                                        |                                                        |                                                        |                                                          |                                                          |                                                          |                                                          |

**Note:**

- Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit. When L=0, size is 128 bits; when L=1, size is 256 bits.
- Operands are scalar. VEX.L bit is ignored.
- For all VFMADDnnPS instructions, the data type is packed single-precision floating point.  
For all VFMADDnnPD instructions, the data type is packed double-precision floating point.
- For all VFMSUBnnPS instructions, the data type is packed single-precision floating point.  
For all VFMSUBnnPD instructions, the data type is packed double-precision floating point.

**Table A-22. VEX Opcode Map 3, Low Nibble = [0h:7h]**

| VEX.pp | Opcode | x0                                               | x1                                               | x2                                               | x3                                               | x4                           | x5                      | x6                           | x7                       |
|--------|--------|--------------------------------------------------|--------------------------------------------------|--------------------------------------------------|--------------------------------------------------|------------------------------|-------------------------|------------------------------|--------------------------|
| 00     | 0x     |                                                  |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 01     |        | VPERMQ<br>Vx, Wx, Ib                             | VPERMPD<br>Vx, Wx, Ib                            | VPBLEND<br>Vx, Hx, Wx, Ib                        |                                                  | VPERMILPS<br>Vx, Wx, Ib      | VPERMILPD<br>Vx, Wx, Ib | VPERM2F128<br>Vx, Hx, Wx, Ib |                          |
| 00     | 1x     |                                                  |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 01     |        |                                                  |                                                  |                                                  |                                                  | VPEXTRB<br>Ed, Vx, Ib        | VPEXTRW<br>Ew, Vx, Ib   | VPEXTRD<br>Ed, Vx, Ib        | VEXTRACTPS<br>Eq, Vx, Ib |
| 00     | 2x     |                                                  |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 01     |        | VPINSRB<br>Vx, Hx, Ed, Ib                        | VINSERTPS<br>Vx, Hx, Wx, Ib                      | VPINSRD<br>Vx, Hx, Ed, Ib                        |                                                  |                              |                         |                              |                          |
| 01     | 3x     | KSHIFTRB<br>KR, KM, Ib<br>KSHIFTRW<br>KR, KM, Ib | KSHIFTRD<br>KR, KM, Ib<br>KSHIFTRQ<br>KR, KM, Ib | KSHIFTLB<br>KR, KM, Ib<br>KSHIFTLW<br>KR, KM, Ib | KSHIFTLD<br>KR, KM, Ib<br>KSHIFTLQ<br>KR, KM, Ib |                              |                         |                              |                          |
| 00     | 4x     |                                                  |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 01     |        | VDPPS<br>Vx, Hx, Wx, Ib                          | VDPPD<br>Vx, Hx, Wx, Ib                          | VMPSADBW<br>Vx, Hx, Wx, Ib                       |                                                  | VPCLMULQDQ<br>Vx, Hx, Wx, Ib |                         | VPERM2I128<br>Vx, Hx, Wx, Ib |                          |
| ...    | 5x     | ...                                              |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 00     | 6x     |                                                  |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 01     |        | VPCMPESTRM<br>Vx, Wx, Ib                         | VPCMPESTRI<br>Vx, Wx, Ib                         | VPCMPISTRM<br>Vx, Wx, Ib                         | VPCMPISTRI<br>Vx, Wx, Ib                         |                              |                         |                              |                          |
| ...    | 7x-Ex  | ...                                              |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 10     | Fx     |                                                  |                                                  |                                                  |                                                  |                              |                         |                              |                          |
| 11     |        | RORX<br>Gd, Ed, Ib<br>RORX<br>Gq, Eq, Ib         |                                                  |                                                  |                                                  |                              |                         |                              |                          |

**Note:** Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit.  
When L=0, size is 128 bits; when L=1, size is 256 bits.

**Table A-23. VEX Opcode Map 3, Low Nibble = [8h:Fh]**

| VEX.pp | Opcde | x8                                                                                    | x9                                                                                  | xA                                                                            | xB                                                                            | xC                                                                                 | xD                                                                               | xE                                                                               | xF                                                                              |
|--------|-------|---------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|-------------------------------------------------------------------------------|------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|----------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
| 01     | 0x    | VROUNDPS<br>Vx, Wx, Ib                                                                | VROUNDPD<br>Vx, Wx, Ib                                                              | VROUNDSS<br>Vx, Hx, Wx, Ib                                                    | VROUNDSD<br>Vx, Hx, Wx, Ib                                                    | VBLENDPS<br>Vx, Hx, Wx, Ib                                                         | VBLENDPD<br>Vx, Hx, Wx, Ib                                                       | VPBLENDW<br>Vx, Hx, Wx, Ib                                                       | VPALIGNR<br>Vx, Hx, Wx, Ib                                                      |
| 01     | 1x    | VINSERTF128<br>Vx, Hx, Wx, Ib                                                         | VEXTRACTF128<br>8<br>Wx, Vx, Ib                                                     |                                                                               |                                                                               |                                                                                    | VCVTTPS2PH<br>Wx, Vx, Ib                                                         |                                                                                  |                                                                                 |
| ...    | 2x    | ...                                                                                   |                                                                                     |                                                                               |                                                                               |                                                                                    |                                                                                  |                                                                                  |                                                                                 |
| 01     | 3x    | VINSERTI128<br>Vx, Hx, Wx, Ib                                                         | VEXTRACTI128<br>Wx, Vx, Ib                                                          |                                                                               |                                                                               |                                                                                    |                                                                                  |                                                                                  |                                                                                 |
| 01     | 4x    |                                                                                       |                                                                                     | VBLENDVPS<br>Vx, Hx, Wx,<br>VBLENDVPS<br>Vx, Hx, Wx,                          | VBLENDVPD<br>Vx, Hx, Wx,<br>VBLENDVPD<br>Vx, Hx, Wx,                          | VPBLENDVB<br>Vx, Hx, Wx,<br>VPBLENDVB<br>Vx, Hx, Wx,                               |                                                                                  |                                                                                  |                                                                                 |
| 01     | 5x    |                                                                                       |                                                                                     |                                                                               |                                                                               | VFMADDSSUBPS<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=0)<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=1) | VFMADDSSUBPD<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=0)<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=1) | VFMSUBADDP<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=0)<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=1) | VFMSUBADDPD<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=0)<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=1) |
| 01     | 6x    | VFMADDPS<br>Vpsx, Lpsx,<br>Wpsx, Hpsx<br>(W=0)<br>Vpsx, Lpsx,<br>Wpsx, Hpsx<br>(W=1)  | VFMADDPD<br>Vpdx, Lpdx,<br>Wpdx, Hpx<br>(W=0)<br>Vpdx, Lpdx,<br>Wpdx, Hpx<br>(W=1)  | VFMADDSS<br>Vss, Lss,<br>Wss, Hss<br>(W=0)<br>Vss, Lss,<br>Wss, Hss<br>(W=1)  | VFMADDSD<br>Vsd, Lsd,<br>Wsd, Hsd<br>(W=0)<br>Vsd, Lsd,<br>Wsd, Hsd<br>(W=1)  | VFMSUBPS<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=0)<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=1)     | VFMSUBPD<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=0)<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=1)     | VFMSUBSS<br>Vss, Lss, Wss, Hss<br>(W=0)<br>Vss, Lss, Wss, Hss<br>(W=1)           | VFMSUBSD<br>Vsd, Lsd, Wsd, Hsd<br>(W=0)<br>Vsd, Lsd, Wsd, Hsd<br>(W=1)          |
| 01     | 7x    | VFNMADDPS<br>Vpsx, Lpsx,<br>Wpsx, Hpsx<br>(W=0)<br>Vpsx, Lpsx,<br>Wpsx, Hpsx<br>(W=1) | VFNMADDPD<br>Vpdx, Lpdx,<br>Wpdx, Hpx<br>(W=0)<br>Vpdx, Lpdx,<br>Wpdx, Hpx<br>(W=1) | VFNMADDSS<br>Vss, Lss,<br>Wss, Hss<br>(W=0)<br>Vss, Lss,<br>Wss, Hss<br>(W=1) | VFNMADDSD<br>Vsd, Lsd,<br>Wsd, Hsd<br>(W=0)<br>Vsd, Lsd,<br>Wsd, Hsd<br>(W=1) | VFNMSUBPS<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=0)<br>Vpsx, Lpsx, Wpsx,<br>Hpsx (W=1)    | VFNMSUBPD<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=0)<br>Vpdx, Lpdx, Wpdx,<br>Hpx (W=1)    | VFNMSUBSS<br>Vss, Lss, Wss, Hss<br>(W=0)<br>Vss, Lss, Wss, Hss<br>(W=1)          | VFNMSUBSD<br>Vsd, Lsd, Wsd, Hsd<br>(W=0)<br>Vsd, Lsd, Wsd, Hsd<br>(W=1)         |
| ...    | 8x-Bx | ...                                                                                   |                                                                                     |                                                                               |                                                                               |                                                                                    |                                                                                  |                                                                                  |                                                                                 |
| 01     | Cx    |                                                                                       |                                                                                     |                                                                               |                                                                               |                                                                                    |                                                                                  | VGF2P8AFFINEQ<br>Vx, Hx, Wx, Ib                                                  | VGF2P8AFFINEINVQ<br>Vx, Hx, Wx, Ib                                              |
| 01     | Dx    |                                                                                       |                                                                                     |                                                                               |                                                                               |                                                                                    |                                                                                  |                                                                                  | VAESKEYGENASSIST<br>Vx, Wx, Ib                                                  |
| ...    | Ex-Fx | ...                                                                                   |                                                                                     |                                                                               |                                                                               |                                                                                    |                                                                                  |                                                                                  |                                                                                 |

**Note:** 1. Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit. When L=0, size is 128 bits; when L=1, size is 256 bits.  
 2. The zero match codes are TD, TD (alias), MO, and MZ. They are encoded as the zzzz field of the Ib, using 0...3h.

**Table A-24. VEX Opcode Groups**

| Group  |                 | ModRM Byte |          |                |                                         |                                        |                                         |          |                                         |                                        |
|--------|-----------------|------------|----------|----------------|-----------------------------------------|----------------------------------------|-----------------------------------------|----------|-----------------------------------------|----------------------------------------|
| Number | VEX Map, Opcode | VEX.pp     | xx000xxx | xx001xxx       | xx010xxx                                | xx011xxx                               | xx100xxx                                | xx101xxx | xx110xxx                                | xx111xxx                               |
| 12     | 1<br>71         | 01         |          |                | VPSRLW <sup>1</sup><br>Hpxw, Upwx, Ib   |                                        | VPSRAW <sup>1</sup><br>Hpxw, Upwx, Ib   |          | VPSLLW <sup>1</sup><br>Hpxw, Upwx, Ib   |                                        |
| 13     | 1<br>72         | 01         |          |                | VPSRLD <sup>1</sup><br>Hpdwx, Updwx, Ib |                                        | VPSRAD <sup>1</sup><br>Hpdwx, Updwx, Ib |          | VPSLLD <sup>1</sup><br>Hpdwx, Updwx, Ib |                                        |
| 14     | 1<br>73         | 01         |          |                | VPSRLQ <sup>1</sup><br>Hpqwx, Upqwx, Ib | VPSRLDQ <sup>1</sup><br>Hpbx, Upbx, Ib |                                         |          | VPSLLQ <sup>1</sup><br>Hpqwx, Upqwx, Ib | VPSLLDQ <sup>1</sup><br>Hpbx, Upbx, Ib |
| 15     | 1<br>AE         | 00         |          |                | VLDMXCSR Md                             | VSTMXCSR Md                            |                                         |          |                                         |                                        |
| 17     | 2<br>F3         | 00         |          | BLSR<br>By, Ey | BLSMSK<br>By, Ey                        | BLSI<br>By, Ey                         |                                         |          |                                         |                                        |

Note: 1. Supports both 128 bit and 256 bit vector sizes. Vector size is specified using the VEX.L bit. When L=0, size is 128 bits; when L=1, size is 256 bits.

**XOP Opcode Maps.** Tables A-25 to A-30 below represents the XOP opcode maps and Table A-31 on page 561 represents the VEX opcode groups.

**Table A-25. XOP Opcode Map 8h, Low Nibble = [0h:7h]**

| XOP.pp | Opcde | x0                 | x1                 | x2                                               | x3                                               | x4 | x5                       | x6                        | x7                        |
|--------|-------|--------------------|--------------------|--------------------------------------------------|--------------------------------------------------|----|--------------------------|---------------------------|---------------------------|
| ...    | 0x-7x | ...                |                    |                                                  |                                                  |    |                          |                           |                           |
| 00     | 8x    |                    |                    |                                                  |                                                  |    | VPMACSSWW<br>Vo,Ho,Wo,Lo | VPMACSSWD<br>Vo,Ho,Wo,Lo  | VPMACSSDQL<br>Vo,Ho,Wo,Lo |
| 00     | 9x    |                    |                    |                                                  |                                                  |    | VPMACSWW<br>Vo,Ho,Wo,Lo  | VPMACSWD<br>Vo,Ho,Wo,Lo   | VPMACSDQL<br>Vo,Ho,Wo,Lo  |
| 00     | Ax    |                    |                    | VPCMOM<br>Vx,Hx,Wx,Lx (W=0)<br>Vx,Hx,Lx,Wx (W=1) | VPPERL<br>Vo,Ho,Wo,Lo (W=0)<br>Vo,Ho,Lo,Wo (W=1) |    |                          | VPMADCSSWD<br>Vo,Ho,Wo,Lo |                           |
| 00     | Bx    |                    |                    |                                                  |                                                  |    |                          | VPMADCSDW<br>Vo,Ho,Wo,Lo  |                           |
| 00     | Cx    | VPROTB<br>Vo,Wo,Ib | VPROTW<br>Vo,Wo,Ib | VPROTD<br>Vo,Wo,Ib                               | VPROTQ<br>Vo,Wo,Ib                               |    |                          |                           |                           |
| ...    | Dx-Fx | ...                |                    |                                                  |                                                  |    |                          |                           |                           |

**Table A-26. XOP Opcode Map 8h, Low Nibble = [8h:Fh]**

| XOP.pp                                                                                                             | Opcode | x8  | x9 | xA | xB | xC                                    | xD                                    | xE                                    | xF                                    |
|--------------------------------------------------------------------------------------------------------------------|--------|-----|----|----|----|---------------------------------------|---------------------------------------|---------------------------------------|---------------------------------------|
| ...                                                                                                                | 0x-07x | ... |    |    |    |                                       |                                       |                                       |                                       |
| 00                                                                                                                 | 8x     |     |    |    |    |                                       | VPMACSSDD<br>Vo,Ho,Wo,Lo              | VPMACSSDQH<br>Vo,Ho,Wo,Lo             |                                       |
| 00                                                                                                                 | 9x     |     |    |    |    |                                       | VPMACSDDD<br>Vo,Ho,Wo,Lo              | VPMACSDQH<br>Vo,Ho,Wo,Lo              |                                       |
| ...                                                                                                                | Ax-Bx  | ... |    |    |    |                                       |                                       |                                       |                                       |
| 00                                                                                                                 | Cx     |     |    |    |    | VPCOMccB <sup>1</sup><br>Vo,Ho,Wo,lb  | VPCOMccW <sup>1</sup><br>Vo,Ho,Wo,lb  | VPCOMccD <sup>1</sup><br>Vo,Ho,Wo,lb  | VPCOMccQ <sup>1</sup><br>Vo,Ho,Wo,lb  |
| 00                                                                                                                 | Dx     |     |    |    |    |                                       |                                       |                                       |                                       |
| 00                                                                                                                 | Ex     |     |    |    |    | VPCOMccUB <sup>1</sup><br>Vo,Ho,Wo,lb | VPCOMccUW <sup>1</sup><br>Vo,Ho,Wo,lb | VPCOMccUD <sup>1</sup><br>Vo,Ho,Wo,lb | VPCOMccUQ <sup>1</sup><br>Vo,Ho,Wo,lb |
| 00                                                                                                                 | Fx     |     |    |    |    |                                       |                                       |                                       |                                       |
| Note 1: The condition codes are LT, LE, GT, GE, EQ, NEQ, FALSE, and TRUE. They are encoded via lb, using 00...07h. |        |     |    |    |    |                                       |                                       |                                       |                                       |

**Table A-27. XOP Opcode Map 9h, Low Nibble = [0h:7h]**

| XOP.pp | Opcode | x0                                         | x1                                         | x2                                         | x3                                         | x4                                         | x5                                         | x6                                         | x7                                         |
|--------|--------|--------------------------------------------|--------------------------------------------|--------------------------------------------|--------------------------------------------|--------------------------------------------|--------------------------------------------|--------------------------------------------|--------------------------------------------|
| 00     | 0x     |                                            | XOP group #1                               | XOP group #2                               |                                            |                                            |                                            |                                            |                                            |
| 00     | 1x     |                                            |                                            | XOP group #3                               |                                            |                                            |                                            |                                            |                                            |
| ...    | 2x-7x  | ...                                        |                                            |                                            |                                            |                                            |                                            |                                            |                                            |
| 00     | 8x     | VFR CZPS<br>Vx,Wx                          | VFR CZPD<br>Vx,Wx                          | VFR CZSS<br>Vq,Wss                         | VFR CZSD<br>Vq,Wsd                         |                                            |                                            |                                            |                                            |
| 00     | 9x     | VPROTB<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPROTW<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPROTD<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPROTQ<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPSHLB<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPSHLW<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPSHLD<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPSHLQ<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) |
| ...    | Ax-Bx  | ...                                        |                                            |                                            |                                            |                                            |                                            |                                            |                                            |
| 00     | Cx     |                                            | VPHADDWB<br>Vo,Wo                          | VPHADDBD<br>Vo,Wo                          | VPHADDBQ<br>Vo,Wo                          |                                            |                                            | VPHADDWD<br>Vo,Wo                          | VPHADDWQ<br>Vo,Wo                          |
| 00     | Dx     |                                            | VPHADDUBWD<br>Vo,Wo                        | VPHADDUBD<br>Vo,Wo                         | VPHADDUBQ<br>Vo,Wo                         |                                            |                                            | VPHADDUWD<br>Vo,Wo                         | VPHADDUWQ<br>Vo,Wo                         |
| 00     | Ex     |                                            | VPHSUBBW<br>Vo,Wo                          | VPHSUBWD<br>Vo,Wo                          | VPHSUBDQ<br>Vo,Wo                          |                                            |                                            |                                            |                                            |
| ...    | Fx     | ...                                        |                                            |                                            |                                            |                                            |                                            |                                            |                                            |

**Table A-28. XOP Opcode Map 9h, Low Nibble = [8h:Fh]**

| XOP.pp | Opcode | x8                                         | x9                                         | xA                                         | xB                                         | xC | xD | xE | xF |
|--------|--------|--------------------------------------------|--------------------------------------------|--------------------------------------------|--------------------------------------------|----|----|----|----|
| ...    | 0x-8x  | ...                                        |                                            |                                            |                                            |    |    |    |    |
| 00     | 9x     | VPSHAB<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPSHAW<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPSHAD<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) | VPSHAQ<br>Vo,Wo,Ho (W=0)<br>Vo,Ho,Wo (W=1) |    |    |    |    |
| ...    | Ax-Bx  | ...                                        |                                            |                                            |                                            |    |    |    |    |
| 00     | Cx     |                                            |                                            |                                            | VPHADDDQ<br>Vo,Wo                          |    |    |    |    |
| 00     | Dx     |                                            |                                            |                                            | VPHADDUDQ<br>Vo,Wo                         |    |    |    |    |
| ...    | Ex-Fx  | ...                                        |                                            |                                            |                                            |    |    |    |    |

**Table A-29. XOP Opcode Map Ah, Low Nibble = [0h:7h]**

| XOP.pp | Opcode | x0                | x1 | x2           | x3 | x4 | x5 | x6 | x7 |
|--------|--------|-------------------|----|--------------|----|----|----|----|----|
| ...    | 0x     | ...               |    |              |    |    |    |    |    |
| 00     | 1x     | BEXTR<br>Gy,Ey,Id |    | XOP group #4 |    |    |    |    |    |
| ...    | 2x-Fx  | ...               |    |              |    |    |    |    |    |

**Table A-30. XOP Opcode Map Ah, Low Nibble = [8h:Fh]**

| XOP.pp           | Opcode | x8 | x9 | xA | xB | xC | xD | xE | xF |
|------------------|--------|----|----|----|----|----|----|----|----|
| n/a              | 0x-Fx  |    |    |    |    |    |    |    |    |
| Opcodes Reserved |        |    |    |    |    |    |    |    |    |

**Table A-31. XOP Opcode Groups**

|          |                    | ModRM.reg          |                  |                  |               |                |                |                |                 |
|----------|--------------------|--------------------|------------------|------------------|---------------|----------------|----------------|----------------|-----------------|
| Group    |                    | /0                 | /1               | /2               | /3            | /4             | /5             | /6             | /7              |
| XOP 9 #1 |                    |                    | BLCFILL<br>By,Ey | BLSFILL<br>By,Ey | BLCS<br>By,Ey | TZMSK<br>By,Ey | BLCIC<br>By,Ey | BLSIC<br>By,Ey | T1MSKC<br>By,Ey |
| XOP 9 #2 |                    |                    | BLCMSK<br>By,Ey  |                  |               |                |                | BLCI<br>By,Ey  |                 |
| XOP 9 #3 | LLWPCB<br>Ry       | SLWPCB<br>Ry       |                  |                  |               |                |                |                |                 |
| XOP A #4 | LWPINS<br>By,Ed,Id | LWPVAL<br>By,Ed,Id |                  |                  |               |                |                |                |                 |

**EVEX Opcode Maps.** Tables A-32 to A-40 below represents the EVEX opcode maps and Table A-41 on page 570 represents the EVEX opcode groups.

Table A-32. EVEX Opcode Map 1, Low Nibble=[0h:7h]

| EVEX.pp | Opcode | x0                                             | x1                                            | x2                                                 | x3                         | x4                         | x5                         | x6                                               | x7                         |
|---------|--------|------------------------------------------------|-----------------------------------------------|----------------------------------------------------|----------------------------|----------------------------|----------------------------|--------------------------------------------------|----------------------------|
| 00      | 1x     | VMOVUPS<br>Vx.kz, Wx                           | VMOVUPS<br>Wx.kz, Vx                          | VMOVHLPS<br>Vx, Hx, Ux<br>VMOVLPS<br>Vx, Hx, Mq    | VMOVLPs<br>Mq, Vx          | VUNPCKLPS<br>Vx.kz, Hx, Wx | VUNPCKHPS<br>Vx.kz, Hx, Wx | VMOVHPS<br>Vx, Hx, Mq<br>VMOVLHPS<br>Vx, Hx, Ux  | VMOVHPS<br>Mq, Vx          |
| 01      |        | VMOVUPD<br>Vx.kz, Wx                           | VMOVUPD<br>Wx.kz, Vx                          | VMOVLPD<br>Vx, Hx, Mq                              | VMOVLPD<br>Mq, Vx          | VUNPCKLPD<br>Vx.kz, Hx, Wx | VUNPCKHPD<br>Vx.kz, Hx, Wx | VMOVHPD<br>Vx, Hx, Mq                            | VMOVHPD<br>Mq, Vx          |
| 10      |        | VMOVSS<br>Vx.kz, Hx, Ux<br>VMOVSS<br>Vx.kz, Md | VMOVSS<br>Ux.kz, Hx, Vx<br>VMOVSS<br>Md.k, Vx | VMOVSLDUP<br>Vx.kz, Wx                             |                            |                            |                            | VMOVSHDUP<br>Vx.kz, Wx                           |                            |
| 11      |        | VMOVSD<br>Vx.kz, Hx, Ux<br>VMOVSD<br>Vx.kz, Mq | VMOVSD<br>Ux.kz, Hx, Vx<br>VMOVSD<br>Mq.k, Vx | VMOVDDUP<br>Vx.kz, Wx                              |                            |                            |                            |                                                  |                            |
| 00      | 5x     | VSQRTPS<br>Vx.kz, Wx                           |                                               |                                                    | VANDPS<br>Vx.kz, Hx, Wx    | VANDNPS<br>Vx.kz, Hx, Wx   | VORPS<br>Vx.kz, Hx, Wx     | VXORPS<br>Vx.kz, Hx, Wx                          |                            |
| 01      |        | VSQRTPD<br>Vx.kz, Wx                           |                                               |                                                    | VANDPD<br>Vx.kz, Hx, Wx    | VANDNPD<br>Vx.kz, Hx, Wx   | VORPD<br>Vx.kz, Hx, Wx     | VXORPD<br>Vx.kz, Hx, Wx                          |                            |
| 10      |        | VSQRTSS<br>Vx.kz, Hx, Wx                       |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 11      |        | VSQRTSD<br>Vx.kz, Hx, Wx                       |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 00      | 6x     |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 01      |        | VPUNPCBLBW<br>Vx.kz, Hx, Wx                    | VPUNPCBLWD<br>Vx.kz, Hx, Wx                   | VPUNPCLDQ<br>Vx.kz, Hx, Wx                         | VPACKSSWB<br>Vx.kz, Hx, Wx | VPCMGTB<br>KR.k, Hx, Wx    | VPCMGTW<br>KR.k, Hx, Wx    | VPCMGTD<br>KR.k, Hx, Wx                          | VPACKUSWB<br>Vx.kz, Hx, Wx |
| 10      |        |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 11      |        |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 00      | 7x     |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 01      |        | VPSHUFD<br>Vx.kz, Wx, Ib                       | EVEX Group<br>71.1.01                         | EVEX Group<br>72.1.01                              | EVEX Group<br>73.1.01      | VPCMPEQB<br>KR.k, Hx, Wx   | VPCMPEQW<br>KR.k, Hx, Wx   | VPCMPEQD<br>KR.k, Hx, Wx                         |                            |
| 10      |        | VPSHUFHW<br>Vx.kz, Wx, Ib                      |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 11      |        | VPSHUFHW<br>Vx.kz, Wx, Ib                      |                                               |                                                    |                            |                            |                            |                                                  |                            |
| ...     | 8x-Bx  | ...                                            |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 00      | Cx     |                                                |                                               | VCMPPS<br>KR.k, Hx, Wx,<br>Ib                      |                            |                            |                            | VSHUFPS<br>Vx.kz, Hx, Wx,<br>Ib                  |                            |
| 01      |        |                                                |                                               | VCMPPD<br>KR.k, Hx, Wx,<br>Ib                      |                            | VPINSRW<br>Vx, Hx, Ed, Ib  | VPEXTRW<br>Gd, Ux, Ib      | VSHUFPD<br>Vx.kz, Hx, Wx,<br>Ib                  |                            |
| 10      |        |                                                |                                               | VCMPPS<br>KR.k, Hx, Wx,<br>Ib                      |                            |                            |                            |                                                  |                            |
| 11      |        |                                                |                                               | VCMPPS<br>KR.k, Hx, Wx,<br>Ib                      |                            |                            |                            |                                                  |                            |
| 00      | Dx     |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 01      |        |                                                | VPSRLW<br>Vx.kz, Hx, Wx                       | VPSRLD<br>Vx.kz, Hx, Wx                            | VPSRLQ<br>Vx.kz, Hx, Wx    | VPADDQ<br>Vx.kz, Hx, Wx    | VPMULLW<br>Vx.kz, Hx, Wx   | VMOVQ<br>Wx, Vx                                  |                            |
| 10      |        |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 11      |        |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 00      | Ex     |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 01      |        | VPAVGB<br>Vx.kz, Hx, Wx                        | VPSRAW<br>Vx.kz, Hx, Wx                       | VPSRAD<br>Vx.kz, Hx, Wx<br>VPSRAQ<br>Vx.kz, Hx, Wx | VPAVGW<br>Vx.kz, Hx, Wx    | VPMULHUV<br>Vx.kz, Hx, Wx  | VPMULHW<br>Vx.kz, Hx, Wx   | VCVTPD2DQ<br>Vx.kz, Wx                           | VMOVNTDQ<br>Mx, Vx         |
| 10      |        |                                                |                                               |                                                    |                            |                            |                            | VCVTDQ2PD<br>Vx.kz, Wx<br>VCVTQQ2PD<br>Vx.kz, Wx |                            |
| 11      |        |                                                |                                               |                                                    |                            |                            |                            | VCVTPD2DQ<br>Vx.kz, Wx                           |                            |
| 00      | Fx     |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 01      |        |                                                | VPSLLW<br>Vx.kz, Hx, Wx                       | VPSLLD<br>Vx.kz, Hx, Wx                            | VPSLLQ<br>Vx.kz, Hx, Wx    | VPMULUDQ<br>Vx.kz, Hx, Wx  | VPMADDWD<br>Vx.kz, Hx, Wx  | VPSADBW<br>Vx, Hx, Wx                            |                            |
| 10      |        |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |
| 11      |        |                                                |                                               |                                                    |                            |                            |                            |                                                  |                            |

**Table A-33. EVEX Opcode Map 1, Low Nibble=[8h:Fh]**

| EVEX.pp | Opcode | x8                          | x9                          | xA                          | xB                         | xC                               | xD                               | xE                      | xF                                               |
|---------|--------|-----------------------------|-----------------------------|-----------------------------|----------------------------|----------------------------------|----------------------------------|-------------------------|--------------------------------------------------|
| ...     | 1x     | ...                         |                             |                             |                            |                                  |                                  |                         |                                                  |
| 00      | 2x     | VMOVAPS<br>Vx.kz, Wx        | VMOVAPS<br>Wx.kz, Vx        |                             | VMOVNTPS<br>Mx, Vx         |                                  |                                  | VUCOMISS<br>Vx, Wx      | VCOMISS<br>Vx, Wx                                |
| 01      |        | VMOVAPD<br>Vx.kz, Wx        | VMOVAPD<br>Wx.kz, Vx        |                             | VMOVNTPD<br>Mx, Vx         |                                  |                                  | VUCOMISD<br>Vx, Wx      | VCOMISD<br>Vx, Wx                                |
| 10      |        |                             |                             | VCVTSI2SS<br>Vx, Hx, Ed     |                            | VCVTSS2SI<br>Gd, Wx              | VCVTSS2SI<br>Gd, Wx              |                         |                                                  |
| 11      |        |                             |                             | VCVTSI2SD<br>Vx, Hx, Ed     |                            | VCVTSD2SI<br>Gd, Wx              | VCVTSD2SI<br>Gd, Wx              |                         |                                                  |
| ...     | 3x-4x  | ...                         |                             |                             |                            |                                  |                                  |                         |                                                  |
| 00      | 5x     | VADDPS<br>Vx.kz, Hx, Wx     | VMULPS<br>Vx.kz, Hx, Wx     | VCVTPS2PD<br>Vx.kz, Wx      | VCVTQD2PS<br>Vx.kz, Wx     | VSUBPS<br>Vx.kz, Hx, Wx          | VMINPS<br>Vx.kz, Hx, Wx          | VDIVPS<br>Vx.kz, Hx, Wx | VMAXPS<br>Vx.kz, Hx, Wx                          |
| 01      |        | VADDPD<br>Vx.kz, Hx, Wx     | VMULPD<br>Vx.kz, Hx, Wx     | VCVTPD2PS<br>Vx.kz, Wx      | VCVTPS2DQ<br>Vx.kz, Wx     | VSUBPD<br>Vx.kz, Hx, Wx          | VMINPD<br>Vx.kz, Hx, Wx          | VDIVPD<br>Vx.kz, Hx, Wx | VMAXPD<br>Vx.kz, Hx, Wx                          |
| 10      |        | VADDSS<br>Vx.kz, Hx, Wx     | VMULSS<br>Vx.kz, Hx, Wx     | VCVTSS2SD<br>Vx.kz, Hx, Wx  | VCVTPS2DQ<br>Vx.kz, Wx     | VSUBSS<br>Vx.kz, Hx, Wx          | VMINSS<br>Vx.kz, Hx, Wx          | VDIVSS<br>Vx.kz, Hx, Wx | VMAXSS<br>Vx.kz, Hx, Wx                          |
| 11      |        | VADDSD<br>Vx.kz, Hx, Wx     | VMULSD<br>Vx.kz, Hx, Wx     | VCVTSD2SS<br>Vx.kz, Hx, Wx  |                            | VSUBSD<br>Vx.kz, Hx, Wx          | VMINSD<br>Vx.kz, Hx, Wx          | VDIVSD<br>Vx.kz, Hx, Wx | VMAXSD<br>Vx.kz, Hx, Wx                          |
| 00      | 6x     |                             |                             |                             |                            |                                  |                                  |                         |                                                  |
| 01      |        | VPUNPCKHBW<br>Vx.kz, Hx, Wx | VPUNPCKHWD<br>Vx.kz, Hx, Wx | VPUNPCKHDQ<br>Vx.kz, Hx, Wx | VPACKSSDW<br>Vx.kz, Hx, Wx | VPUNPCKLQ<br>DQ<br>Vx.kz, Hx, Wx | VPUNPCKH<br>QDQ<br>Vx.kz, Hx, Wx | VMOVD<br>Vx, Ed         | VMOVDQA32<br>Vx.kz, Wx                           |
| 10      |        |                             |                             |                             |                            |                                  |                                  | VMOVQ<br>Vx, Eq         | VMOVDQA64<br>Vx.kz, Wx                           |
| 11      |        |                             |                             |                             |                            |                                  |                                  |                         | VMOVDQU32<br>Vx.kz, Wx<br>VMOVDQU64<br>Vx.kz, Wx |
|         |        |                             |                             |                             |                            |                                  |                                  |                         | VMOVDQU16<br>Vx.kz, Wx<br>VMOVDQU8<br>Vx.kz, Wx  |

**Table A-34. EVEX Opcode Map 1, Low Nibble=[8h:Fh] (Contd.)**

| EVEX.pp | Opcode | x8                                                   | x9                                                 | xA                                                 | xB                                                 | xC                        | xD                        | xE                                 | xF                                                   |
|---------|--------|------------------------------------------------------|----------------------------------------------------|----------------------------------------------------|----------------------------------------------------|---------------------------|---------------------------|------------------------------------|------------------------------------------------------|
| 00      | 7x     | VCVTPPD2UDQ<br>Vx.kz, Wx<br>VCVTPPS2UDQ<br>Vx.kz, Wx | VCVTPD2UDQ<br>Vx.kz, Wx<br>VCVTPS2UDQ<br>Vx.kz, Wx |                                                    |                                                    |                           |                           |                                    |                                                      |
| 01      |        | VCVTPPD2UQQ<br>Vx.kz, Wx<br>VCVTPPS2UQQ<br>Vx.kz, Wx | VCVTPD2UQQ<br>Vx.kz, Wx<br>VCVTPS2UQQ<br>Vx.kz, Wx | VCVTPPD2QQ<br>Vx.kz, Wx<br>VCVTPPS2QQ<br>Vx.kz, Wx | VCVTPD2QQ<br>Vx.kz, Wx<br>VCVTPPS2QQ<br>Vx.kz, Wx  |                           |                           | VMOVD<br>Ed, Vx<br>VMOVQ<br>Eq, Vx | VMOVDQA32<br>Wx.kz, Vx<br>VMOVDQA64<br>Wx.kz, Vx     |
| 10      |        | VCVTSS2USI<br>Gd, Wx<br>VCVTSS2USI<br>Gq, Wx         | VCVTSS2USI<br>Gd, Wx<br>VCVTSS2USI<br>Gq, Wx       | VCVTUDQ2PD<br>Vx.kz, Wx<br>VCVTUQQ2PD<br>Vx.kz, Wx | VCVTUSI2SS<br>Vx, Hx, Ed                           |                           |                           | VMOVQ<br>Vx, Wx                    | VMOVDQU32<br>Wx.kz, Vx<br>VMOVDQU64<br>Wx.kz, Vx     |
| 11      |        | VCVTSID2USI?<br>Gd, Wx<br>VCVTSID2USI<br>Gq, Wx      | VCVTSID2USI?<br>Gd, Wx<br>VCVTSID2USI<br>Gq, Wx    | VCVTUDQ2PS<br>Vx.kz, Wx<br>VCVTUQQ2PS<br>Vx.kz, Wx | VCVTUSI2SD<br>Vx, Hx, Ed                           |                           |                           |                                    | VMOVDQU16<br>Wx.kz, Vx<br>VMOVDQU8<br>Wx.kz, Vx      |
| ...     | 8x-Cx  | ...                                                  |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 00      | Dx     |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 01      |        | VPSUBUSB<br>Vx.kz, Hx, Wx                            | VPSUBUSW<br>Vx.kz, Hx, Wx                          | VPMINUB<br>Vx.kz, Hx, Wx                           | VPANDD<br>Vx.kz, Hx, Wx<br>VPANDQ<br>Vx.kz, Hx, Wx | VPADDUSB<br>Vx.kz, Hx, Wx | VPADDUSW<br>Vx.kz, Hx, Wx | VPMAXUB<br>Vx.kz, Hx, Wx           | VPANDND<br>Vx.kz, Hx, Wx<br>VPANDNQ<br>Vx.kz, Hx, Wx |
| 10      |        |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 11      |        |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 00      | Ex     |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 01      |        | VPSUBSB<br>Vx.kz, Hx, Wx                             | VPSUBSW<br>Vx.kz, Hx, Wx                           | VPMINSW<br>Vx.kz, Hx, Wx                           | VPORD<br>Vx.kz, Hx, Wx<br>VPORQ<br>Vx.kz, Hx, Wx   | VPADDSB<br>Vx.kz, Hx, Wx  | VPADDSW<br>Vx.kz, Hx, Wx  | VPMAXSW<br>Vx.kz, Hx, Wx           | VPXORD<br>Vx.kz, Hx, Wx<br>VPXORQ<br>Vx.kz, Hx, Wx   |
| 10      |        |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 11      |        |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 00      | Fx     |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 01      |        | VPSUBB<br>Vx.kz, Hx, Wx                              | VPSUBW<br>Vx.kz, Hx, Wx                            | VPSUBD<br>Vx.kz, Hx, Wx                            | VPSUBQ<br>Vx.kz, Hx, Wx                            | VPADDDB<br>Vx.kz, Hx, Wx  | VPADDW<br>Vx.kz, Hx, Wx   | VPADD<br>Vx.kz, Hx, Wx             |                                                      |
| 10      |        |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |
| 11      |        |                                                      |                                                    |                                                    |                                                    |                           |                           |                                    |                                                      |

**Table A-35. EVEX Opcode Map 2, Low Nibble=[0h:7h]**

| EVEX.pp | Opcode | x0                        | x1                         | x2                         | x3                           | x4                          | x5                         | x6                              | x7                         |
|---------|--------|---------------------------|----------------------------|----------------------------|------------------------------|-----------------------------|----------------------------|---------------------------------|----------------------------|
| 00      | 0x     |                           |                            |                            |                              |                             |                            |                                 |                            |
| 01      |        | VPSHUFFB<br>Vx.kz, Hx, Wx |                            |                            |                              | VPMADDUBSW<br>Vx.kz, Hx, Wx |                            |                                 |                            |
| 10      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 11      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 00      | 1x     |                           |                            |                            |                              |                             |                            |                                 |                            |
| 01      |        | VPSRLVW<br>Vx.kz, Hx, Wx  | VPSRAVW<br>Vx.kz, Hx, Wx   | VPSLLVW<br>Vx.kz, Hx, Wx   | VCVTPH2PS<br>Vx.kz, Wx       | VPRORVD<br>Vx.kz, Hx, Wx    | VPROLVD<br>Vx.kz, Hx, Wx   | VPERMPD<br>Vx.kz, Hx, Wx        |                            |
| 10      |        | VPMOVUSWB<br>Wx.kz, Vx    | VPMOVUSDB<br>Wx.kz, Vx     | VPMOVUSQB<br>Wx.kz, Vx     | VPMOVUSDW<br>Wx.kz, Vx       | VPMOVUSQW<br>Wx.kz, Vx      | VPMOVUSQD<br>Wx.kz, Vx     |                                 |                            |
| 11      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 00      | 2x     |                           |                            |                            |                              |                             |                            |                                 |                            |
| 01      |        | VPMOVSXBW<br>Vx.kz, Wx    | VPMOVSXBD<br>Vx.kz, Wx     | VPMOVSXBQ<br>Vx.kz, Wx     | VPMOVSXWD<br>Vx.kz, Wx       | VPMOVSXWQ<br>Vx.kz, Wx      | VPMOVSXDQ<br>Vx.kz, Wx     | VPTESTMB<br>KR.k, Hx, Wx        | VPTESTMD<br>KR.k, Hx, Wx   |
| 10      |        | VPMOVSWB<br>Wx.kz, Vx     | VPMOVSDB<br>Wx.kz, Vx      | VPMOVSQB<br>Wx.kz, Vx      | VPMOVS DW<br>Wx.kz, Vx       | VPMOVSQW<br>Wx.kz, Vx       | VPMOVSQD<br>Wx.kz, Vx      | VPTESTNMB<br>KR.k, Hx, Wx       | VPTESTNMD<br>KR.k, Hx, Wx  |
| 11      |        |                           |                            |                            |                              |                             |                            | VPTESTNMW<br>KR.k, Hx, Wx       | VPTESTNMQ<br>KR.k, Hx, Wx  |
| 00      | 3x     |                           |                            |                            |                              |                             |                            |                                 |                            |
| 01      |        | VPMOVZXBW<br>Vx.kz, Wx    | VPMOVZXBD<br>Vx.kz, Wx     | VPMOVZXHQ<br>Vx.kz, Wx     | VPMOVZXWD<br>Vx.kz, Wx       | VPMOVZXWQ<br>Vx.kz, Wx      | VPMOVZXDQ<br>Vx.kz, Wx     | VPERMD<br>Vx.kz, Hx, Wx         | VPCM PG TQ<br>KR.k, Hx, Wx |
| 10      |        | VPMOVWB<br>Wx.kz, Vx      | VPMOVDB<br>Wx.kz, Vx       | VPMOVQB<br>Wx.kz, Vx       | VPMOVDW<br>Wx.kz, Vx         | VPMOVQW<br>Wx.kz, Vx        | VPMOVQD<br>Wx.kz, Vx       |                                 |                            |
| 11      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 00      | 4x     |                           |                            |                            |                              |                             |                            |                                 |                            |
| 01      |        | VPMULLD<br>Vx.kz, Hx, Wx  |                            | VGETEXP RD<br>Vx.kz, Wx    | VGETEXP SD<br>Vx.kz, Hx, Wx  | VPLZCNTD<br>Vx.kz, Wx       | VPSRLVD<br>Vx.kz, Hx, Wx   | VPSRAV D<br>Vx.kz, Hx, Wx       | VPSLLVD<br>Vx.kz, Hx, Wx   |
|         |        | VPMULLQ<br>Vx.kz, Hx, Wx  |                            | VGETEXP PS<br>Vx.kz, Wx    | VGETEXP SS<br>Vx.kz, Hx, Wx  | VPLZCNTQ<br>Vx.kz, Wx       | VPSRLVQ<br>Vx.kz, Hx, Wx   | VPSRAV Q<br>Vx.kz, Hx, Wx       | VPSLLVQ<br>Vx.kz, Hx, Wx   |
| 10      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 11      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 00      | 5x     |                           |                            |                            |                              |                             |                            |                                 |                            |
| 01      |        | VPDPBUSD<br>Vx.kz, Hx, Wx | VPDPBUSDS<br>Vx.kz, Hx, Wx | VPDPWSSD<br>Vx.kz, Hx, Wx  | VPDPWSSDS<br>Vx.kz, Hx, Wx   | VPOPCNTB<br>Vx.kz, Wx       | VPOPCNTD<br>Vx.kz, Wx      |                                 |                            |
| 10      |        |                           |                            | VDPBF16PS<br>Vx.kz, Hx, Wx |                              |                             |                            |                                 |                            |
| 11      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 00      | 6x     |                           |                            |                            |                              |                             |                            |                                 |                            |
| 01      |        |                           |                            | VPEXPANDB<br>Vx.kz, Wx     | VPCOMPRESSB<br>Wx.kz, Vx     | VPBLENDMD<br>Vx.kz, Hx, Wx  | VBLENDMPD<br>Vx.kz, Hx, Wx | VPBLEND MB<br>Vx.kz, Hx, Wx     |                            |
|         |        |                           |                            | VPEXPANDW<br>Vx.kz, Wx     | VPCOMPRESS<br>W<br>Wx.kz, Vx | VPBLENDMQ<br>Vx.kz, Hx, Wx  | VBLENDMPS<br>Vx.kz, Hx, Wx | VPBLEND M<br>W<br>Vx.kz, Hx, Wx |                            |
| 10      |        |                           |                            |                            |                              |                             |                            |                                 |                            |
| 11      |        |                           |                            |                            |                              |                             |                            |                                 |                            |

Table A-36. EVEX Opcode Map 2, Low Nibble=[0h:7h] (Contd.)

| EVEX.pp | Opcode | x0                        | x1                        | x2                              | x3                                  | x4                           | x5                           | x6                                   | x7                                  |
|---------|--------|---------------------------|---------------------------|---------------------------------|-------------------------------------|------------------------------|------------------------------|--------------------------------------|-------------------------------------|
| 00      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 01      | 7x     | VPSHLDVW<br>Vx.kz, Hx, Wx | VPSHLDVD<br>Vx.kz, Hx, Wx | VPSHRDVW<br>Vx.kz, Hx, Wx       | VPSHRDVD<br>Vx.kz, Hx, Wx           |                              | VPERMI2B<br>Vx.kz, Hx, Wx    | VPERMI2D<br>Vx.kz, Hx, Wx            | VPERMI2PD<br>Vx.kz, Hx, Wx          |
|         |        | VPSHLDVQ<br>Vx.kz, Hx, Wx |                           | Vx.kz, Hx, Wx                   | VPSHRDVQ<br>Vx.kz, Hx, Wx           |                              | VPERMI2W<br>Vx.kz, Hx, Wx    | VPERMI2Q<br>Vx.kz, Hx, Wx            | VPERMI2PS<br>Vx.kz, Hx, Wx          |
|         |        |                           |                           | VCVTNEPS2BF16<br>Vx.kz, Wx      |                                     |                              |                              |                                      |                                     |
|         |        |                           |                           | VCVTNE2PS2BF16<br>Vx.kz, Hx, Wx |                                     |                              |                              |                                      |                                     |
| 10      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 11      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 00      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 01      | 8x     |                           |                           |                                 | VPMULTISHIFT<br>QB<br>Vx.kz, Hx, Wx |                              |                              |                                      |                                     |
| 10      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 11      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 00      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 01      | 9x     | VPGATHERDD<br>Vx.k, M*d   | VPGATHERQD<br>Vx.k, M*q   | VGATHERDPD<br>Vx.k, M*d         | VGATHERQPD<br>Vx.k, M*q             |                              |                              | VFMADDSSUB<br>132PD<br>Vx.kz, Hx, Wx | VFMSUBAD<br>D132PD<br>Vx.kz, Hx, Wx |
|         |        | VPGATHERDQ<br>Vx.k, M*d   | VPGATHERQQ<br>Vx.k, M*q   | VGATHERDPS<br>Vx.k, M*d         | VGATHERQPS<br>Vx.k, M*q             |                              |                              | VFMADDSSUB<br>132PS<br>Vx.kz, Hx, Wx | VFMSUBAD<br>D132PS<br>Vx.kz, Hx, Wx |
| 10      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 11      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 00      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 01      | Ax     | VPSCATTERDD<br>M*d.k, Ux  | VPSCATTERQD<br>M*q.k, Ux  | VSCATTERDPD<br>M*d.k, Ux        | VSCATTERQPD<br>M*q.k, Ux            |                              |                              | VFMADDSSUB<br>213PD<br>Vx.kz, Hx, Wx | VFMSUBAD<br>D213PD<br>Vx.kz, Hx, Wx |
|         |        | VPSCATTERDQ<br>M*d.k, Ux  | VPSCATTERQQ<br>M*q.k, Ux  | VSCATTERDPS<br>M*d.k, Ux        | VSCATTERQPS<br>M*q.k, Ux            |                              |                              | VFMADDSSUB<br>213PS<br>Vx.kz, Hx, Wx | VFMSUBAD<br>D213PS<br>Vx.kz, Hx, Wx |
| 10      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 11      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 00      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 01      | Bx     |                           |                           |                                 |                                     | VPMADD52LUQ<br>Vx.kz, Hx, Wx | VPMADD52HUQ<br>Vx.kz, Hx, Wx | VFMADDSSUB<br>231PD<br>Vx.kz, Hx, Wx | VFMSUBAD<br>D231PD<br>Vx.kz, Hx, Wx |
|         |        |                           |                           |                                 |                                     |                              |                              | VFMADDSSUB<br>231PS<br>Vx.kz, Hx, Wx | VFMSUBAD<br>D231PS<br>Vx.kz, Hx, Wx |
| 10      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 11      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 00      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |
| 01      | Cx     |                           |                           |                                 |                                     | VPCONFLICTD<br>Vx.kz, Wx     |                              |                                      |                                     |
| 10      |        |                           |                           |                                 |                                     | VPCONFLICTQ<br>Vx.kz, Wx     |                              |                                      |                                     |
| 11      |        |                           |                           |                                 |                                     |                              |                              |                                      |                                     |

**Table A-37. EVEX Opcode Map 2, Low Nibble=[8h:Fh]**

| EVEX.pp | Opcode | x8                             | x9                               | xA                               | xB                               | xC                         | xD                         | xE                       | xF                          |
|---------|--------|--------------------------------|----------------------------------|----------------------------------|----------------------------------|----------------------------|----------------------------|--------------------------|-----------------------------|
| 00      | 0x     |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 01      |        |                                |                                  |                                  | VPMULHRSW<br>Vx.kz, Hx, Wx       | VPERMILPS<br>Vx.kz, Hx, Wx | VPERMILPD<br>Vx.kz, Hx, Wx |                          |                             |
| 10      |        |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 11      |        |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 00      | 1x     |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 01      |        | VBROADCAST<br>SS<br>Vx.kz, Wx  | VBROADCAST<br>F32X2<br>Vx.kz, Wx | VBROADCAST<br>F32X4<br>Vx.kz, Mx | VBROADCAST<br>F32X8<br>Vx.kz, Mx | VPABSB<br>Vx.kz, Wx        | VPABSW<br>Vx.kz, Wx        | VPABSD<br>Vx.kz, Wx      | VPABSQ<br>Vx.kz, Wx         |
| 10      |        |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 11      |        |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 00      | 2x     |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 01      |        | VPMULDQ<br>Vx.kz, Hx, Wx       | VPCMPEQQ<br>KR.k, Hx, Wx         | VMOVNTDQA<br>Vx, Mx              | VPACKUSDW<br>Vx.kz, Hx, Wx       | VSCALEFPD<br>Vx.kz, Hx, Wx | VSCALEFSD<br>Vx.kz, Hx, Wx |                          |                             |
| 10      |        | VPMOVVM2B<br>Vx, KM            | VPMOVBM2M<br>KR, Ux              | VPBROADCAST<br>TMB2Q<br>Vx, KM   |                                  |                            |                            |                          |                             |
| 11      |        | VPMOVVM2W<br>Vx, KM            | VPMOVW2M<br>KR, Ux               |                                  |                                  |                            |                            |                          |                             |
| 00      | 3x     |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 01      |        | VPMINSB<br>Vx.kz, Hx, Wx       | VPMINSD<br>Vx.kz, Hx, Wx         | VPMINUW<br>Vx.kz, Hx, Wx         | VPMINUD<br>Vx.kz, Hx, Wx         | VPMAXSB<br>Vx.kz, Hx, Wx   | VPMAXSD<br>Vx.kz, Hx, Wx   | VPMAXUW<br>Vx.kz, Hx, Wx | VPMAXUD<br>Vx.kz, Hx, Wx    |
| 10      |        | VPMOVMD2<br>Vx, KM             | VPMOVD2M<br>KR, Ux               | VPBROADCAST<br>TMW2D<br>Vx, KM   |                                  |                            |                            |                          |                             |
| 11      |        | VPMOVVM2Q<br>Vx, KM            | VPMOVQ2M<br>KR, Ux               |                                  |                                  |                            |                            |                          |                             |
| 00      | 4x     |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 01      |        |                                |                                  |                                  |                                  | VRCP14PD<br>Vx.kz, Wx      | VRCP14SD<br>Vx.kz, Hx, Wx  | VRSQRT14PD<br>Vx.kz, Wx  | VRSQRT14SD<br>Vx.kz, Hx, Wx |
| 10      |        |                                |                                  |                                  |                                  | VRCP14PS<br>Vx.kz, Wx      | VRCP14SS<br>Vx.kz, Hx, Wx  | VRSQRT14PS<br>Vx.kz, Wx  | VRSQRT14SS<br>Vx.kz, Hx, Wx |
| 11      |        |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 00      | 5x     |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 01      |        | VPBROADCAST<br>TD<br>Vx.kz, Wx | VBROADCAST<br>32X2<br>Vx.kz, Wx  | VBROADCAST<br>32X4<br>Vx.kz, Mx  | VBROADCAST<br>32X8<br>Vx.kz, Mx  |                            |                            |                          |                             |
| 10      |        |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| 11      |        |                                |                                  |                                  |                                  |                            |                            |                          |                             |
| ...     | 6x     | ...                            |                                  |                                  |                                  |                            |                            |                          |                             |

**Table A-38. EVEX Opcode Map 2, Low Nibble=[8h:Fh] (Contd.)**

| EVEX.pp | Opcode | x8                           | x9                           | xA                           | xB                           | xC                                                     | xD                                                     | xE                                                     | xF                                                       |
|---------|--------|------------------------------|------------------------------|------------------------------|------------------------------|--------------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------------|
| 00      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 01      | 7x     | VPBROADCASTB<br>Vx.kz, Wx    | VPBROADCASTW<br>Vx.kz, Wx    | VPBROADCASTB<br>Vx.kz, Rd    | VPBROADCASTW<br>Vx.kz, Rd    | VPBROADCASTD<br>Vx.kz, Rd<br>VPBROADCASTQ<br>Vx.kz, Rq | VPERMT2B<br>Vx.kz, Hx, Wx<br>VPERMT2W<br>Vx.kz, Hx, Wx | VPERMT2D<br>Vx.kz, Hx, Wx<br>VPERMT2Q<br>Vx.kz, Hx, Wx | VPERMT2PD<br>Vx.kz, Hx, Wx<br>VPERMT2PS<br>Vx.kz, Hx, Wx |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 10      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 11      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 00      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 01      | 8x     | VEXPANDPD<br>Vx.kz, Wx       | VEXPANDDD<br>Vx.kz, Wx       | VCOMPRESSPD<br>Wx.kz, Vx     | VCOMPRESSSD<br>Wx.kz, Vx     |                                                        | VPERMB<br>Vx.kz, Hx, Wx                                |                                                        | VPSHUFBITQMB<br>KR.k, Hx, Wx                             |
|         |        | VEXPANDPS<br>Vx.kz, Wx       | VEXPANDDQ<br>Vx.kz, Wx       | VCOMPRESSPS<br>Wx.kz, Vx     | VCOMPRESSSQ<br>Wx.kz, Vx     |                                                        | VPERMW<br>Vx.kz, Hx, Wx                                |                                                        |                                                          |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 10      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 11      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 00      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 01      | 9x     | VFMADD132PD<br>Vx.kz, Hx, Wx | VFMADD132SD<br>Vx.kz, Hx, Wx | VFMSUB132PD<br>Vx.kz, Hx, Wx | VFMSUB132SD<br>Vx.kz, Hx, Wx | VFNMADD132PD<br>Vx.kz, Hx, Wx                          | VFNMADD132SD<br>Vx.kz, Hx, Wx                          | VFNMSUB132PD<br>Vx.kz, Hx, Wx                          | VFNMSUB132SD<br>Vx.kz, Hx, Wx                            |
|         |        | VFMADD132PS<br>Vx.kz, Hx, Wx | VFMADD132SS<br>Vx.kz, Hx, Wx | VFMSUB132PS<br>Vx.kz, Hx, Wx | VFMSUB132SS<br>Vx.kz, Hx, Wx | VFNMADD132PS<br>Vx.kz, Hx, Wx                          | VFNMADD132SS<br>Vx.kz, Hx, Wx                          | VFNMSUB132PS<br>Vx.kz, Hx, Wx                          | VFNMSUB132SS<br>Vx.kz, Hx, Wx                            |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 10      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 11      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 00      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 01      | Ax     | VFMADD213PD<br>Vx.kz, Hx, Wx | VFMADD213SD<br>Vx.kz, Hx, Wx | VFMSUB213PD<br>Vx.kz, Hx, Wx | VFMSUB213SD<br>Vx.kz, Hx, Wx | VFNMADD213PD<br>Vx.kz, Hx, Wx                          | VFNMADD213SD<br>Vx.kz, Hx, Wx                          | VFNMSUB213PD<br>Vx.kz, Hx, Wx                          | VFNMSUB213SD<br>Vx.kz, Hx, Wx                            |
|         |        | VFMADD213PS<br>Vx.kz, Hx, Wx | VFMADD213SS<br>Vx.kz, Hx, Wx | VFMSUB213PS<br>Vx.kz, Hx, Wx | VFMSUB213SS<br>Vx.kz, Hx, Wx | VFNMADD213PS<br>Vx.kz, Hx, Wx                          | VFNMADD213SS<br>Vx.kz, Hx, Wx                          | VFNMSUB213PS<br>Vx.kz, Hx, Wx                          | VFNMSUB213SS<br>Vx.kz, Hx, Wx                            |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 10      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 11      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 00      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 01      | Bx     | VFMADD231PD<br>Vx.kz, Hx, Wx | VFMADD231SD<br>Vx.kz, Hx, Wx | VFMSUB231PD<br>Vx.kz, Hx, Wx | VFMSUB231SD<br>Vx.kz, Hx, Wx | VFNMADD231PD<br>Vx.kz, Hx, Wx                          | VFNMADD231SD<br>Vx.kz, Hx, Wx                          | VFNMSUB231PD<br>Vx.kz, Hx, Wx                          | VFNMSUB231SD<br>Vx.kz, Hx, Wx                            |
|         |        | VFMADD231PS<br>Vx.kz, Hx, Wx | VFMADD231SS<br>Vx.kz, Hx, Wx | VFMSUB231PS<br>Vx.kz, Hx, Wx | VFMSUB231SS<br>Vx.kz, Hx, Wx | VFNMADD231PS<br>Vx.kz, Hx, Wx                          | VFNMADD231SS<br>Vx.kz, Hx, Wx                          | VFNMSUB231PS<br>Vx.kz, Hx, Wx                          | VFNMSUB231SS<br>Vx.kz, Hx, Wx                            |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
|         |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 10      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 11      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 00      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 01      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        | VGF2P8MULB<br>Vx.kz, Hx, Wx                              |
| 10      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 11      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 00      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 01      |        |                              |                              |                              |                              | VAESENC<br>Vx, Hx, Wx                                  | VAESENCLAST<br>Vx, Hx, Wx                              | VAESDEC<br>Vx, Hx, Wx                                  | VAESDECLAST<br>Vx, Hx, Wx                                |
| 10      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |
| 11      |        |                              |                              |                              |                              |                                                        |                                                        |                                                        |                                                          |

**Table A-39. EVEX Opcode Map 3, Low Nibble=[0h:7h]**

| <b>EVEX.pp</b> | <b>Opcode</b> | <b>x0</b>                                                            | <b>x1</b>                                                            | <b>x2</b>                                              | <b>x3</b>                                                                  | <b>x4</b>                                                                  | <b>x5</b>                                                                | <b>x6</b>                                                              | <b>x7</b>                                                                |
|----------------|---------------|----------------------------------------------------------------------|----------------------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------|--------------------------------------------------------------------------|
| 00             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 01             | 0x            | VPERMQ<br>Vx.kz, Wx,<br>lb                                           | VPERMPD<br>Vx.kz, Wx,<br>lb                                          |                                                        | VALIGND<br>Vx.kz, Hx,<br>Wx, lb<br>VALIGNQ<br>Vx.kz, Hx,<br>Wx, lb         | VPERMILPS<br>Vx.kz, Wx, lb                                                 | VPERMILPD<br>Vx.kz, Wx, lb                                               |                                                                        |                                                                          |
| 10             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 11             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 00             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 01             | 1x            |                                                                      |                                                                      |                                                        |                                                                            | VPEXTRB<br>Ed, Vx, lb                                                      | VPEXTRW<br>Ed, Vx, lb                                                    | VPEXTRD<br>Ed, Vx, lb<br>VPEXTRQ<br>Eq, Vx, lb                         | VEXTRACTPS<br>Ed, Vx, lb                                                 |
| 10             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 11             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 00             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 01             | 2x            | VPINSRB<br>Vx, Hx, Ed,<br>lb                                         | VINSERTPS<br>Vx, Hx, Wx,<br>lb                                       | VPINSRD<br>Vx, Hx, Ed, lb<br>VPINSRQ<br>Vx, Hx, Eq, lb | VSHUFF32X4<br>Vx.kz, Hx,<br>Wx, lb<br>VSHUFF64X2<br>Vx.kz, Hx,<br>Wx, lb   |                                                                            | VPTERNLOGD<br>Vx.kz, Hx, Wx,<br>lb<br>VPTERNLOGQ<br>Vx.kz, Hx, Wx,<br>lb | VGETMANTPD<br>Vx.kz, Wx, lb<br>VGETMANTPS<br>Vx.kz, Wx, lb             | VGETMANTSD<br>Vx.kz, Hx, Wx,<br>lb<br>VGETMANTSS<br>Vx.kz, Hx, Wx,<br>lb |
| 10             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 11             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| ...            | 3x            | ...                                                                  |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 00             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 01             | 4x            |                                                                      |                                                                      | VDBPSADBW<br>Vx.kz, Hx,<br>Wx, lb                      | VSHUFI32X4<br>Vx.kz, Hx,<br>Wx, lb<br>VSHUFI64X2<br>Vx.kz, Hx,<br>Wx, lb   | VPCLMULQDQ<br>Vx, Hx, Wx, lb                                               |                                                                          |                                                                        |                                                                          |
| 10             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 11             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 00             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 01             | 5x            | VRANGEPD<br>Vx.kz, Hx,<br>Wx, lb<br>VRANGEPS<br>Vx.kz, Hx,<br>Wx, lb | VRANGESD<br>Vx.kz, Hx,<br>Wx, lb<br>VRANGESS<br>Vx.kz, Hx,<br>Wx, lb |                                                        | VFIXUPIMMPD<br>Vx.kz, Hx, Wx,<br>lb<br>VFIXUPIMMPS<br>Vx.kz, Hx, Wx,<br>lb | VFIXUPIMMSD<br>Vx.kz, Hx, Wx,<br>lb<br>VFIXUPIMMSS<br>Vx.kz, Hx, Wx,<br>lb | VREDUCEPD<br>Vx.kz, Wx, lb<br>VREDUCEPS<br>Vx.kz, Wx, lb                 | VREDUCESD<br>Vx.kz, Hx, Wx,<br>lb<br>VREDUCESS<br>Vx.kz, Hx, Wx,<br>lb |                                                                          |
| 10             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 11             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 00             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 01             | 6x            |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          | VFPCLASSPD<br>KR.k, Wx, lb<br>VFPCLASSPS<br>KR.k, Wx, lb               | VFPCLASSSD<br>KR.k, Wx, lb<br>VFPCLASSSS<br>KR.k, Wx, lb                 |
| 10             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 11             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 00             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 01             | 7x            | VPSHLDW<br>Vx.kz, Hx,<br>Wx, lb                                      | VPSHLDW<br>Vx.kz, Hx,<br>Wx, lb<br>VPSHLDDQ<br>Vx.kz, Hx,<br>Wx, lb  | VPSHRDW<br>Vx.kz, Hx,<br>Wx, lb                        | VPSHRDD<br>Vx.kz, Hx,<br>Wx, lb<br>VPSHRDQ<br>Vx.kz, Hx,<br>Wx, lb         |                                                                            |                                                                          |                                                                        |                                                                          |
| 10             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |
| 11             |               |                                                                      |                                                                      |                                                        |                                                                            |                                                                            |                                                                          |                                                                        |                                                                          |

**Table A-40. EVEX Opcode Map 3, Low Nibble=[8h:Fh]**

| <b>EVEX.pp</b> | <b>Opcde</b> | <b>x8</b>                         | <b>x9</b>                      | <b>xA</b>                         | <b>xB</b>                        | <b>xC</b>                  | <b>xD</b>        | <b>xE</b>                           | <b>xF</b>                                  |
|----------------|--------------|-----------------------------------|--------------------------------|-----------------------------------|----------------------------------|----------------------------|------------------|-------------------------------------|--------------------------------------------|
| 01             | 0x           | VRNDSCALEPS<br>Vx.kz, Wx, Ib      | VRNDSCALEPD<br>Vx.kz, Wx, Ib   | VRNDSCALESS<br>Vx.kz, Hx, Wx, Ib  | VRNDSCALESD<br>Vx.kz, Hx, Wx, Ib |                            |                  |                                     | VPALIGNR<br>Vx.kz, Hx, Wx, Ib              |
| 01             | 1x           | VINSERTF32X4<br>Vx.kz, Hx, Wx, Ib | VEXTRACTF32X4<br>Wx.kz, Vx, Ib | VINSERTF32X8<br>Vx.kz, Hx, Wx, Ib | VEXTRACTF32X8<br>Wx.kz, Vx, Ib   | VCVTPS2PH<br>Wx.kz, Vx, Ib | KR.k, Hx, Wx, Ib | VPCMUD<br>VPCMPUQ                   | VPCMFD<br>KR.k, Hx, Wx, Ib                 |
| 01             | 3x           | VINSERTI32X4<br>Vx.kz, Hx, Wx, Ib | VEXTRACTI32X4<br>Wx.kz, Vx, Ib | VINSERTI32X8<br>Vx.kz, Hx, Wx, Ib | VEXTRACTI32X8<br>Wx.kz, Vx, Ib   |                            |                  | VPCMUPUB<br>VPCMUPUW                | VPCMFB<br>KR.k, Hx, Wx, Ib                 |
| ...            | 4x-Bx        | ...                               |                                |                                   |                                  |                            |                  |                                     |                                            |
| 01             | Cx           |                                   |                                |                                   |                                  |                            |                  | VGF2P8AFFINEQB<br>Vx.kz, Hx, Wx, Ib | VGF2P8AFFIN<br>EINVQB<br>Vx.kz, Hx, Wx, Ib |

**Table A-41. EVEX Opcode Groups**

| <b>Group</b>         |                                                    | <b>Modrm.reg</b>                                   |                         |                       |                                                    |             |                         |                       |
|----------------------|----------------------------------------------------|----------------------------------------------------|-------------------------|-----------------------|----------------------------------------------------|-------------|-------------------------|-----------------------|
| <b>Opcode.map.pp</b> | <b>000b</b>                                        | <b>001b</b>                                        | <b>010b</b>             | <b>011b</b>           | <b>100b</b>                                        | <b>101b</b> | <b>110b</b>             | <b>111b</b>           |
| 71.1.01              |                                                    |                                                    | VPSRLW<br>Hx.kz, Wx, Ib |                       | VPSRAW<br>Hx.kz, Wx, Ib                            |             | VPSLLW<br>Hx.kz, Wx, Ib |                       |
| 72.1.01              | VPRORD<br>Hx.kz, Wx, Ib<br>VPRORQ<br>Hx.kz, Wx, Ib | VPROLD<br>Hx.kz, Wx, Ib<br>VPROLQ<br>Hx.kz, Wx, Ib | VPSRLD<br>Hx.kz, Wx, Ib |                       | VPSRAD<br>Hx.kz, Wx, Ib<br>VPSRAQ<br>Hx.kz, Wx, Ib |             | VPSLLD<br>Hx.kz, Wx, Ib |                       |
| 73.1.01              |                                                    |                                                    | VPSRLQ<br>Hx.kz, Wx, Ib | VPSRLDQ<br>Hx, Wx, Ib |                                                    |             | VPSLLQ<br>Hx.kz, Wx, Ib | VPSLLDQ<br>Hx, Wx, Ib |

## A.2 Operand Encodings

An operand is data that affects or is affected by the execution of an instruction. Operands may be located in registers, memory, or I/O ports. For some instructions, the location of one or more operands is implicitly specified based on the opcode alone. However, for most instructions, operands are specified using bytes that immediately follow the opcode byte. These bytes are designated the *mode-register-memory* (ModRM) byte, the *scale-index-base* (SIB) byte, the displacement byte(s), and the immediate byte(s). The presence of the SIB, displacement, and immediate bytes are optional depending on the instruction, and, for instructions that reference memory, the memory addressing mode.

The following sections describe the encoding of the ModRM and SIB bytes in various processor modes.

### A.2.1 ModRM Operand References

Figure A-2 below shows the format of the ModRM byte. There are three fields—*mod*, *reg*, and *r/m*. The *reg* field is normally used to specify a register-based operand. The *mod* and *r/m* fields together provide a 5-bit field, augmented in 64-bit mode by the R and B bits of a REX, VEX, or XOP prefix, normally used to specify the location of a second memory- or register-based operand and, for a memory-based operand, the addressing mode.

As described in “Encoding Extensions Using the ModRM Byte” on page 532, certain instructions use either the *reg* field, the *r/m* field, or the entire ModRM byte to extend the opcode byte in the encoding of the instruction operation.



**Figure A-2. ModRM-Byte Format**

The two sections below describe the ModRM operand encodings, first for 16-bit references and then for 32-bit and 64-bit references.

**16-Bit Register and Memory References.** Table A-42 shows the notation and encoding conventions for register references using the ModRM *reg* field. This table is comparable to Table A-44 on page 574 but applies only when the address-size is 16-bit. Table A-43 on page 572 shows the

notation and encoding conventions for 16-bit memory references using the ModRM byte. This table is comparable to Table A-45 on page 575.

**Table A-42. ModRM reg Field Encoding, 16-Bit Addressing**

| Mnemonic Notation | ModRM reg Field |      |      |      |      |      |         |         |
|-------------------|-----------------|------|------|------|------|------|---------|---------|
|                   | /0              | /1   | /2   | /3   | /4   | /5   | /6      | /7      |
| reg8              | AL              | CL   | DL   | BL   | AH   | CH   | DH      | BH      |
| reg16             | AX              | CX   | DX   | BX   | SP   | BP   | SI      | DI      |
| reg32             | EAX             | ECX  | EDX  | EBX  | ESP  | EBP  | ESI     | EDI     |
| mmx               | MMX0            | MMX1 | MMX2 | MMX3 | MMX4 | MMX5 | MMX6    | MMX7    |
| xmm               | XMM0            | XMM1 | XMM2 | XMM3 | XMM4 | XMM5 | XMM6    | XMM7    |
| ymm               | YMM0            | YMM1 | YMM2 | YMM3 | YMM4 | YMM5 | YMM6    | YMM7    |
| zmm               | ZMM0            | ZMM1 | ZMM2 | ZMM3 | ZMM4 | ZMM5 | ZMM6    | ZMM7    |
| sReg              | ES              | CS   | SS   | DS   | FS   | GS   | invalid | invalid |
| cReg              | CR0             | CR1  | CR2  | CR3  | CR4  | CR5  | CR6     | CR7     |
| dReg              | DR0             | DR1  | DR2  | DR3  | DR4  | DR5  | DR6     | DR7     |

**Table A-43. ModRM Byte Encoding, 16-Bit Addressing**

| Effective Address                                                  | ModRM mod Field (binary) | ModRM reg Field <sup>1</sup> |    |    |    |    |    |    |    | ModRM r/m Field (binary) |
|--------------------------------------------------------------------|--------------------------|------------------------------|----|----|----|----|----|----|----|--------------------------|
|                                                                    |                          | /0                           | /1 | /2 | /3 | /4 | /5 | /6 | /7 |                          |
|                                                                    |                          | Complete ModRM Byte (hex)    |    |    |    |    |    |    |    |                          |
| [BX] + [SI]                                                        | 00                       | 00                           | 08 | 10 | 18 | 20 | 28 | 30 | 38 | 000                      |
| [BX] + [DI]                                                        |                          | 01                           | 09 | 11 | 19 | 21 | 29 | 31 | 39 | 001                      |
| [BP] + [SI]                                                        |                          | 02                           | 0A | 12 | 1A | 22 | 2A | 32 | 3A | 010                      |
| [BP] + [DI]                                                        |                          | 03                           | 0B | 13 | 1B | 23 | 2B | 33 | 3B | 011                      |
| [SI]                                                               |                          | 04                           | 0C | 14 | 1C | 24 | 2C | 34 | 3C | 100                      |
| [DI]                                                               |                          | 05                           | 0D | 15 | 1D | 25 | 2D | 35 | 3D | 101                      |
| disp16                                                             |                          | 06                           | 0E | 16 | 1E | 26 | 2E | 36 | 3E | 110                      |
| [BX]                                                               |                          | 07                           | 0F | 17 | 1F | 27 | 2F | 37 | 3F | 111                      |
| <b>Notes:</b>                                                      |                          |                              |    |    |    |    |    |    |    |                          |
| 1. See Table A-42 for complete specification of ModRM “reg” field. |                          |                              |    |    |    |    |    |    |    |                          |

**Table A-43. ModRM Byte Encoding, 16-Bit Addressing (continued)**

| Effective Address             | ModRM<br><i>mod</i><br>Field<br>(binary) | ModRM reg Field <sup>1</sup> |    |    |    |    |    |    |    | ModRM<br><i>r/m</i><br>Field<br>(binary) |
|-------------------------------|------------------------------------------|------------------------------|----|----|----|----|----|----|----|------------------------------------------|
|                               |                                          | /0                           | /1 | /2 | /3 | /4 | /5 | /6 | /7 |                                          |
|                               |                                          | Complete ModRM Byte (hex)    |    |    |    |    |    |    |    |                                          |
| [BX] + [SI] + disp8           | 01                                       | 40                           | 48 | 50 | 58 | 60 | 68 | 70 | 78 | 000                                      |
| [BX] + [DI] + disp8           |                                          | 41                           | 49 | 51 | 59 | 61 | 69 | 71 | 79 | 001                                      |
| [BP] + [SI] + disp8           |                                          | 42                           | 4A | 52 | 5A | 62 | 6A | 72 | 7A | 010                                      |
| [BP] + [DI] + disp8           |                                          | 43                           | 4B | 53 | 5B | 63 | 6B | 73 | 7B | 011                                      |
| [SI] + disp8                  |                                          | 44                           | 4C | 54 | 5C | 64 | 6C | 74 | 7C | 100                                      |
| [DI] + disp8                  |                                          | 45                           | 4D | 55 | 5D | 65 | 6D | 75 | 7D | 101                                      |
| [BP] + disp8                  |                                          | 46                           | 4E | 56 | 5E | 66 | 6E | 76 | 7E | 110                                      |
| [BX] + disp8                  |                                          | 47                           | 4F | 57 | 5F | 67 | 6F | 77 | 7F | 111                                      |
| [BX] + [SI] + disp16          | 10                                       | 80                           | 88 | 90 | 98 | A0 | A8 | B0 | B8 | 000                                      |
| [BX] + [DI] + disp16          |                                          | 81                           | 89 | 91 | 99 | A1 | A9 | B1 | B9 | 001                                      |
| [BP] + [SI] + disp16          |                                          | 82                           | 8A | 92 | 9A | A2 | AA | B2 | BA | 010                                      |
| [BP] + [DI] + disp16          |                                          | 83                           | 8B | 93 | 9B | A3 | AB | B3 | BB | 011                                      |
| [SI] + disp16                 |                                          | 84                           | 8C | 94 | 9C | A4 | AC | B4 | BC | 100                                      |
| [DI] + disp16                 |                                          | 85                           | 8D | 95 | 9D | A5 | AD | B5 | BD | 101                                      |
| [BP] + disp16                 |                                          | 86                           | 8E | 96 | 9E | A6 | AE | B6 | BE | 110                                      |
| [BX] + disp16                 |                                          | 87                           | 8F | 97 | 9F | A7 | AF | B7 | BF | 111                                      |
| AL/ AX/ EAX/ MMX0/ XMM0/ YMM0 | 11                                       | C0                           | C8 | D0 | D8 | E0 | E8 | F0 | F8 | 000                                      |
| CL/ CX/ ECX/ MMX1/ XMM1/ YMM1 |                                          | C1                           | C9 | D1 | D9 | E1 | E9 | F1 | F9 | 001                                      |
| DL/ DX/ EDX/ MMX2/ XMM2/ YMM2 |                                          | C2                           | CA | D2 | DA | E2 | EA | F2 | FA | 010                                      |
| BL/ BX/ EBX/ MMX3/ XMM3/ YMM3 |                                          | C3                           | CB | D3 | DB | E3 | EB | F3 | FB | 011                                      |
| AH/ SP/ ESP/ MMX4/ XMM4/ YMM4 |                                          | C4                           | CC | D4 | DC | E4 | EC | F4 | FC | 100                                      |
| CH/ BP/ EBP/ MMX5/ XMM5/ YMM5 |                                          | C5                           | CD | D5 | DD | E5 | ED | F5 | FD | 101                                      |
| DH/ SI/ ESI/ MMX6/ XMM6/ YMM6 |                                          | C6                           | CE | D6 | DE | E6 | EE | F6 | FE | 110                                      |
| BH/ DI/ EDI/ MMX7/ XMM7/ YMM7 |                                          | C7                           | CF | D7 | DF | E7 | EF | F7 | FF | 111                                      |

**Notes:**

- See Table A-42 for complete specification of ModRM “reg” field.

**Register and Memory References for 32-Bit and 64-Bit Addressing.** Table A-44 on page 574 shows the encoding for register references using the ModRM reg field. The first ten rows of Table A-44 show references when the REX.R bit is cleared to 0, and the last ten rows show references when the REX.R bit is set to 1. In this table, entries under the *Mnemonic Notation* heading correspond

to register notation described in “Mnemonic Syntax” on page 57, and the /r notation under the *ModRM reg Field* heading corresponds to that described in “Opcode Syntax” on page 60.

**Table A-44. ModRM reg Field Encoding, 32-Bit and 64-Bit Addressing**

| Mnemonic Notation | REX.R Bit | ModRM reg Field |      |       |       |        |        |         |         |
|-------------------|-----------|-----------------|------|-------|-------|--------|--------|---------|---------|
|                   |           | /0              | /1   | /2    | /3    | /4     | /5     | /6      | /7      |
| reg8              | 0         | AL              | CL   | DL    | BL    | AH/SPL | CH/BPL | DH/SIL  | BH/DIL  |
| reg16             |           | AX              | CX   | DX    | BX    | SP     | BP     | SI      | DI      |
| reg32             |           | EAX             | ECX  | EDX   | EBX   | ESP    | EBP    | ESI     | EDI     |
| reg64             |           | RAX             | RCX  | RDX   | RBX   | RSP    | RBP    | RSI     | RDI     |
| mmx               |           | MMX0            | MMX1 | MMX2  | MMX3  | MMX4   | MMX5   | MMX6    | MMX7    |
| xmm               |           | XMM0            | XMM1 | XMM2  | XMM3  | XMM4   | XMM5   | XMM6    | XMM7    |
| ymm               |           | YMM0            | YMM1 | YMM2  | YMM3  | YMM4   | YMM5   | YMM6    | YMM7    |
| zmm               |           | ZMM0            | ZMM1 | ZMM2  | ZMM3  | ZMM4   | ZMM5   | ZMM6    | ZMM7    |
| sReg              |           | ES              | CS   | SS    | DS    | FS     | GS     | invalid | invalid |
| cReg              |           | CR0             | CR1  | CR2   | CR3   | CR4    | CR5    | CR6     | CR7     |
| dReg              |           | DR0             | DR1  | DR2   | DR3   | DR4    | DR5    | DR6     | DR7     |
| reg8              | 1         | R8B             | R9B  | R10B  | R11B  | R12B   | R13B   | R14B    | R15B    |
| reg16             |           | R8W             | R9W  | R10W  | R11W  | R12W   | R13W   | R14W    | R15W    |
| reg32             |           | R8D             | R9D  | R10D  | R11D  | R12D   | R13D   | R14D    | R15D    |
| reg64             |           | R8              | R9   | R10   | R11   | R12    | R13    | R14     | R15     |
| mmx               |           | MMX0            | MMX1 | MMX2  | MMX3  | MMX4   | MMX5   | MMX6    | MMX7    |
| xmm               |           | XMM8            | XMM9 | XMM10 | XMM11 | XMM12  | XMM13  | XMM14   | XMM15   |
| ymm               |           | YMM8            | YMM9 | YMM10 | YMM11 | YMM12  | YMM13  | YMM14   | YMM15   |
| zmm               |           | ZMM8            | ZMM9 | ZMM10 | ZMM11 | ZMM12  | ZMM13  | ZMM14   | ZMM15   |
| sReg              |           | ES              | CS   | SS    | DS    | FS     | GS     | invalid | invalid |
| cReg              |           | CR8             | CR9  | CR10  | CR11  | CR12   | CR13   | CR14    | CR15    |
| dReg              |           | DR8             | DR9  | DR10  | DR11  | DR12   | DR13   | DR14    | DR15    |

Table A-45 on page 575 shows the encoding for 32-bit and 64-bit memory references using the ModRM byte. This table describes 32-bit and 64-bit addressing, with the REX.B bit set or cleared. The *Effective Address* is shown in the two left-most columns, followed by the binary encoding of the ModRM-byte *mod* field, followed by the eight possible hex values of the complete ModRM byte (one value for each binary encoding of the ModRM-byte *reg* field), followed by the binary encoding of the ModRM *r/m* field.

The /0 through /7 notation for the ModRM *reg* field (bits [5:3]) means that the three-bit field contains a value from zero (binary 000) to 7 (binary 111).

**Table A-45. ModRM Byte Encoding, 32-Bit and 64-Bit Addressing**

| Effective Address                        |                                          | ModRM<br><i>mod</i><br>Field<br>(binary) | ModRM <i>reg</i> Field <sup>1</sup> |    |    |    |    |    |    |    | ModRM<br><i>r/m</i><br>Field<br>(binary) |
|------------------------------------------|------------------------------------------|------------------------------------------|-------------------------------------|----|----|----|----|----|----|----|------------------------------------------|
|                                          |                                          |                                          | /0                                  | /1 | /2 | /3 | /4 | /5 | /6 | /7 |                                          |
| REX.B = 0                                | REX.B = 1                                | Complete ModRM Byte (hex)                |                                     |    |    |    |    |    |    |    |                                          |
| [rAX]                                    | [r8]                                     | 00                                       | 00                                  | 08 | 10 | 18 | 20 | 28 | 30 | 38 | 000                                      |
| [rCX]                                    | [r9]                                     |                                          | 01                                  | 09 | 11 | 19 | 21 | 29 | 31 | 39 | 001                                      |
| [rDX]                                    | [r10]                                    |                                          | 02                                  | 0A | 12 | 1A | 22 | 2A | 32 | 3A | 010                                      |
| [rBX]                                    | [r11]                                    |                                          | 03                                  | 0B | 13 | 1B | 23 | 2B | 33 | 3B | 011                                      |
| SIB <sup>2</sup>                         | SIB <sup>2</sup>                         |                                          | 04                                  | 0C | 14 | 1C | 24 | 2C | 34 | 3C | 100                                      |
| [rIP] + disp32 or<br>disp32 <sup>3</sup> | [rIP] + disp32 or<br>disp32 <sup>3</sup> |                                          | 05                                  | 0D | 15 | 1D | 25 | 2D | 35 | 3D | 101                                      |
| [rSI]                                    | [r14]                                    |                                          | 06                                  | 0E | 16 | 1E | 26 | 2E | 36 | 3E | 110                                      |
| [rDI]                                    | [r15]                                    |                                          | 07                                  | 0F | 17 | 1F | 27 | 2F | 37 | 3F | 111                                      |
| [rAX] + disp8                            | [r8] + disp8                             | 01                                       | 40                                  | 48 | 50 | 58 | 60 | 68 | 70 | 78 | 000                                      |
| [rCX] + disp8                            | [r9] + disp8                             |                                          | 41                                  | 49 | 51 | 59 | 61 | 69 | 71 | 79 | 001                                      |
| [rDX] + disp8                            | [r10] + disp8                            |                                          | 42                                  | 4A | 52 | 5A | 62 | 6A | 72 | 7A | 010                                      |
| [rBX] + disp8                            | [r11] + disp8                            |                                          | 43                                  | 4B | 53 | 5B | 63 | 6B | 73 | 7B | 011                                      |
| [SIB] + disp8                            | [SIB] + disp8                            |                                          | 44                                  | 4C | 54 | 5C | 64 | 6C | 74 | 7C | 100                                      |
| [rBP] + disp8                            | [r13] + disp8                            |                                          | 45                                  | 4D | 55 | 5D | 65 | 6D | 75 | 7D | 101                                      |
| [rSI] + disp8                            | [r14] + disp8                            |                                          | 46                                  | 4E | 56 | 5E | 66 | 6E | 76 | 7E | 110                                      |
| [rDI] + disp8                            | [r15] + disp8                            |                                          | 47                                  | 4F | 57 | 5F | 67 | 6F | 77 | 7F | 111                                      |

**Notes:**

1. See Table A-44 for complete specification of ModRM “reg” field.
2. If SIB.base = 5, the SIB byte is followed by four-byte disp32 field and addressing mode is absolute.
3. In 64-bit mode, the effective address is [rIP]+disp32. In all other modes, the effective address is disp32. If the address-size prefix is used in 64-bit mode to override 64-bit addressing, the [RIP]+disp32 effective address is truncated after computation to 32 bits.

**Table A-45. ModRM Byte Encoding, 32-Bit and 64-Bit Addressing (continued)**

| Effective Address             |                          | ModRM<br>mod<br>Field<br>(binary) | ModRM reg Field <sup>1</sup> |    |    |    |    |    |    |    | ModRM<br>r/m<br>Field<br>(binary) |
|-------------------------------|--------------------------|-----------------------------------|------------------------------|----|----|----|----|----|----|----|-----------------------------------|
|                               |                          |                                   | /0                           | /1 | /2 | /3 | /4 | /5 | /6 | /7 |                                   |
| REX.B = 0                     | REX.B = 1                | Complete ModRM Byte (hex)         |                              |    |    |    |    |    |    |    |                                   |
| [rAX] + disp32                | [r8] + disp32            | 10                                | 80                           | 88 | 90 | 98 | A0 | A8 | B0 | B8 | 000                               |
| [rCX] + disp32                | [r9] + disp32            |                                   | 81                           | 89 | 91 | 99 | A1 | A9 | B1 | B9 | 001                               |
| [rDX] + disp32                | [r10] + disp32           |                                   | 82                           | 8A | 92 | 9A | A2 | AA | B2 | BA | 010                               |
| [rBX] + disp32                | [r11] + disp32           |                                   | 83                           | 8B | 93 | 9B | A3 | AB | B3 | BB | 011                               |
| SIB + disp32                  | SIB + disp32             |                                   | 84                           | 8C | 94 | 9C | A4 | AC | B4 | BC | 100                               |
| [rBP] + disp32                | [r13] + disp32           |                                   | 85                           | 8D | 95 | 9D | A5 | AD | B5 | BD | 101                               |
| [rSI] + disp32                | [r14] + disp32           |                                   | 86                           | 8E | 96 | 9E | A6 | AE | B6 | BE | 110                               |
| [rDI] + disp32                | [r15] + disp32           |                                   | 87                           | 8F | 97 | 9F | A7 | AF | B7 | BF | 111                               |
| AL/rAX/MMX0/XMM0/<br>YMM0     | r8/MMX0/XMM8/<br>YMM8    | 11                                | C0                           | C8 | D0 | D8 | E0 | E8 | F0 | F8 | 000                               |
| CL/rCX/MMX1/XMM1/<br>YMM1     | r9/MMX1/XMM9/<br>YMM9    |                                   | C1                           | C9 | D1 | D9 | E1 | E9 | F1 | F9 | 001                               |
| DL/rDX/MMX2/XMM2/<br>YMM2     | r10/MMX2/XMM10/<br>YMM10 |                                   | C2                           | CA | D2 | DA | E2 | EA | F2 | FA | 010                               |
| BL/rBX/MMX3/XMM3/<br>YMM3     | r11/MMX3/XMM11/<br>YMM11 |                                   | C3                           | CB | D3 | DB | E3 | EB | F3 | FB | 011                               |
| AH/SPL/rSP/MMX4/<br>XMM4/YMM4 | r12/MMX4/XMM12/<br>YMM12 |                                   | C4                           | CC | D4 | DC | E4 | EC | F4 | FC | 100                               |
| CH/BPL/rBP/MMX5/<br>XMM5/YMM5 | r13/MMX5/XMM13/<br>YMM13 |                                   | C5                           | CD | D5 | DD | E5 | ED | F5 | FD | 101                               |
| DH/SIL/rSI/MMX6/<br>XMM6/YMM6 | r14/MMX6/XMM14/<br>YMM14 |                                   | C6                           | CE | D6 | DE | E6 | EE | F6 | FE | 110                               |
| BH/DIL/rDI/MMX7/<br>XMM7/YMM7 | r15/MMX7/XMM15/<br>YMM15 |                                   | C7                           | CF | D7 | DF | E7 | EF | F7 | FF | 111                               |

**Notes:**

- See Table A-44 for complete specification of ModRM “reg” field.
- If SIB.base = 5, the SIB byte is followed by four-byte disp32 field and addressing mode is absolute.
- In 64-bit mode, the effective address is [rIP]+disp32. In all other modes, the effective address is disp32. If the address-size prefix is used in 64-bit mode to override 64-bit addressing, the [RIP]+disp32 effective address is truncated after computation to 32 bits.

## A.2.2 SIB Operand References

Figure A-3 on page 577 shows the format of a scale-index-base (SIB) byte. Some instructions have an SIB byte following their ModRM byte to define memory addressing for the complex-addressing modes described in “Effective Addresses” in APM Volume 1. The SIB byte has three fields—scale,

*index*, and *base*—that define the scale factor, index-register number, and base-register number for 32-bit and 64-bit complex addressing modes. In 64-bit mode, the REX.B and REX.X bits extend the encoding of the SIB byte’s *base* and *index* fields.



**Figure A-3. SIB Byte Format**

Table A-46 shows the encodings for the SIB byte’s *base* field, which specifies the base register for addressing. Table A-47 on page 578 shows the encodings for the effective address referenced by a complete SIB byte, including its *scale* and *index* fields. The /0 through /7 notation for the SIB *base* field means that the three-bit field contains a value between zero (binary 000) and 7 (binary 111).

**Table A-46. Addressing Modes: SIB *base* Field Encoding**

| REX.B Bit | ModRM <i>mod</i> Field | SIB <i>base</i> Field |       |       |       |       |                |       |       |
|-----------|------------------------|-----------------------|-------|-------|-------|-------|----------------|-------|-------|
|           |                        | /0                    | /1    | /2    | /3    | /4    | /5             | /6    | /7    |
| 0         | 00                     | [rAX]                 | [rCX] | [rDX] | [rBX] | [rSP] | disp32         | [rSI] | [rDI] |
|           | 01                     |                       |       |       |       |       | [rBP] + disp8  |       |       |
|           | 10                     |                       |       |       |       |       | [rBP] + disp32 |       |       |
| 1         | 00                     | [r8]                  | [r9]  | [r10] | [r11] | [r12] | disp32         | [r14] | [r15] |
|           | 01                     |                       |       |       |       |       | [r13] + disp8  |       |       |
|           | 10                     |                       |       |       |       |       | [r13] + disp32 |       |       |

**Table A-47. Addressing Modes: SIB Byte Encoding**

| Effective Address                                                                           |                    | SIB<br>scale<br>Field   | SIB<br>index<br>Field | SIB base Field <sup>1</sup> |     |     |     |     |     |           |     |     |  |  |
|---------------------------------------------------------------------------------------------|--------------------|-------------------------|-----------------------|-----------------------------|-----|-----|-----|-----|-----|-----------|-----|-----|--|--|
|                                                                                             |                    |                         |                       | REX.B = 0                   | rAX | rCX | rDX | rBX | rSP | note<br>1 | rSI | rDI |  |  |
|                                                                                             |                    |                         |                       | REX.B = 1                   | r8  | r9  | r10 | r11 | r12 | note<br>1 | r14 | r15 |  |  |
|                                                                                             |                    |                         |                       |                             | /0  | /1  | /2  | /3  | /4  | /5        | /6  | /7  |  |  |
| REX.X = 0                                                                                   |                    | Complete SIB Byte (hex) |                       |                             |     |     |     |     |     |           |     |     |  |  |
| [rAX] + [base]                                                                              | [r8] + [base]      | 00                      | 000                   | 00                          | 00  | 01  | 02  | 03  | 04  | 05        | 06  | 07  |  |  |
| [rCX] + [base]                                                                              | [r9] + [base]      |                         |                       | 001                         | 08  | 09  | 0A  | 0B  | 0C  | 0D        | 0E  | 0F  |  |  |
| [rDX] + [base]                                                                              | [r10] + [base]     |                         |                       | 010                         | 10  | 11  | 12  | 13  | 14  | 15        | 16  | 17  |  |  |
| [rBX] + [base]                                                                              | [r11] + [base]     |                         |                       | 011                         | 18  | 19  | 1A  | 1B  | 1C  | 1D        | 1E  | 1F  |  |  |
| [base]                                                                                      | [r12] + [base]     |                         |                       | 100                         | 20  | 21  | 22  | 23  | 24  | 25        | 26  | 27  |  |  |
| [rBP] + [base]                                                                              | [r13] + [base]     |                         |                       | 101                         | 28  | 29  | 2A  | 2B  | 2C  | 2D        | 2E  | 2F  |  |  |
| [rSI] + [base]                                                                              | [r14] + [base]     |                         |                       | 110                         | 30  | 31  | 32  | 33  | 34  | 35        | 36  | 37  |  |  |
| [rDI] + [base]                                                                              | [r15] + [base]     |                         |                       | 111                         | 38  | 39  | 3A  | 3B  | 3C  | 3D        | 3E  | 3F  |  |  |
| [rAX] * 2 + [base]                                                                          | [r8] * 2 + [base]  | 01                      | 000                   | 00                          | 40  | 41  | 42  | 43  | 44  | 45        | 46  | 47  |  |  |
| [rCX] * 2 + [base]                                                                          | [r9] * 2 + [base]  |                         |                       | 001                         | 48  | 49  | 4A  | 4B  | 4C  | 4D        | 4E  | 4F  |  |  |
| [rDX] * 2 + [base]                                                                          | [r10] * 2 + [base] |                         |                       | 010                         | 50  | 51  | 52  | 53  | 54  | 55        | 56  | 57  |  |  |
| [rBX] * 2 + [base]                                                                          | [r11] * 2 + [base] |                         |                       | 011                         | 58  | 59  | 5A  | 5B  | 5C  | 5D        | 5E  | 5F  |  |  |
| [base]                                                                                      | [r12] * 2 + [base] |                         |                       | 100                         | 60  | 61  | 62  | 63  | 64  | 65        | 66  | 67  |  |  |
| [rBP] * 2 + [base]                                                                          | [r13] * 2 + [base] |                         |                       | 101                         | 68  | 69  | 6A  | 6B  | 6C  | 6D        | 6E  | 6F  |  |  |
| [rSI] * 2 + [base]                                                                          | [r14] * 2 + [base] |                         |                       | 110                         | 70  | 71  | 72  | 73  | 74  | 75        | 76  | 77  |  |  |
| [rDI] * 2 + [base]                                                                          | [r15] * 2 + [base] |                         |                       | 111                         | 78  | 79  | 7A  | 7B  | 7C  | 7D        | 7E  | 7F  |  |  |
| [rAX] * 4 + [base]                                                                          | [r8] * 4 + [base]  | 10                      | 000                   | 00                          | 80  | 81  | 82  | 83  | 84  | 85        | 86  | 87  |  |  |
| [rCX] * 4 + [base]                                                                          | [r9] * 4 + [base]  |                         |                       | 001                         | 88  | 89  | 8A  | 8B  | 8C  | 8D        | 8E  | 8F  |  |  |
| [rDX] * 4 + [base]                                                                          | [r10] * 4 + [base] |                         |                       | 010                         | 90  | 91  | 92  | 93  | 94  | 95        | 96  | 97  |  |  |
| [rBX] * 4 + [base]                                                                          | [r11] * 4 + [base] |                         |                       | 011                         | 98  | 99  | 9A  | 9B  | 9C  | 9D        | 9E  | 9F  |  |  |
| [base]                                                                                      | [r12] * 4 + [base] |                         |                       | 100                         | A0  | A1  | A2  | A3  | A4  | A5        | A6  | A7  |  |  |
| [rBP]*4+[base]                                                                              | [r13] * 4 + [base] |                         |                       | 101                         | A8  | A9  | AA  | AB  | AC  | AD        | AE  | AF  |  |  |
| [rSI]*4+[base]                                                                              | [r14] * 4 + [base] |                         |                       | 110                         | B0  | B1  | B2  | B3  | B4  | B5        | B6  | B7  |  |  |
| [rDI]*4+[base]                                                                              | [r15] * 4 + [base] |                         |                       | 111                         | B8  | B9  | BA  | BB  | BC  | BD        | BE  | BF  |  |  |
| <b>Notes:</b>                                                                               |                    |                         |                       |                             |     |     |     |     |     |           |     |     |  |  |
| 1. See <a href="#">Table A-46</a> on page 577 for complete specification of SIB base field. |                    |                         |                       |                             |     |     |     |     |     |           |     |     |  |  |

**Table A-47. Addressing Modes: SIB Byte Encoding (continued)**

| Effective Address  |                    | SIB<br>scale<br>Field | SIB<br>index<br>Field | SIB base Field <sup>1</sup> |     |     |     |     |     |           |     |     |    |
|--------------------|--------------------|-----------------------|-----------------------|-----------------------------|-----|-----|-----|-----|-----|-----------|-----|-----|----|
|                    |                    |                       |                       | REX.B = 0                   | rAX | rCX | rDX | rBX | rSP | note<br>1 | rSI | rDI |    |
|                    |                    |                       |                       | REX.B = 1                   | r8  | r9  | r10 | r11 | r12 | note<br>1 | r14 | r15 |    |
| REX.X = 0          |                    | REX.X = 1             |                       |                             |     | /0  | /1  | /2  | /3  | /4        | /5  | /6  | /7 |
| [rAX] * 8 + [base] | [r8] * 8 + [base]  | 11                    | 000                   | C0                          | C1  | C2  | C3  | C4  | C5  | C6        | C7  |     |    |
| [rCX] * 8 + [base] | [r9] * 8 + [base]  |                       |                       | C8                          | C9  | CA  | CB  | CC  | CD  | CE        | CF  |     |    |
| [rDX] * 8 + [base] | [r10] * 8 + [base] |                       |                       | D0                          | D1  | D2  | D3  | D4  | D5  | D6        | D7  |     |    |
| [rBX] * 8 + [base] | [r11] * 8 + [base] |                       |                       | D8                          | D9  | DA  | DB  | DC  | DD  | DE        | DF  |     |    |
| [base]             | [r12] * 8 + [base] |                       |                       | E0                          | E1  | E2  | E3  | E4  | E5  | E6        | E7  |     |    |
| [rBP] * 8 + [base] | [r13] * 8 + [base] |                       |                       | E8                          | E9  | EA  | EB  | EC  | ED  | EE        | EF  |     |    |
| [rSI] * 8 + [base] | [r14] * 8 + [base] |                       |                       | F0                          | F1  | F2  | F3  | F4  | F5  | F6        | F7  |     |    |
| [rDI] * 8 + [base] | [r15] * 8 + [base] |                       |                       | F8                          | F9  | FA  | FB  | FC  | FD  | FE        | FF  |     |    |

**Notes:**

1. See [Table A-46 on page 577](#) for complete specification of SIB base field.

# Appendix B General-Purpose Instructions in 64-Bit Mode

This appendix provides details of the general-purpose instructions in 64-bit mode and its differences from legacy and compatibility modes. The appendix covers only the general-purpose instructions (those described in Chapter 3, “General-Purpose Instruction Reference”). It does not cover the 128-bit media, 64-bit media, or x87 floating-point instructions because those instructions are not affected by 64-bit mode, other than in the access by such instructions to extended GPR and XMM registers when using a REX prefix.

## B.1 General Rules for 64-Bit Mode

In 64-bit mode, the following general rules apply to instructions and their operands:

- **“Promoted to 64 Bit”:** If an instruction’s operand size (16-bit or 32-bit) in legacy and compatibility modes depends on the CS.D bit and the operand-size override prefix, then the operand-size choices in 64-bit mode are extended from 16-bit and 32-bit to include 64 bits (with a REX prefix), or the operand size is fixed at 64 bits. Such instructions are said to be “*Promoted to 64 bits*” in Table B-1. However, byte-operand opcodes of such instructions are not promoted.
- **Byte-Operand OpCodes Not Promoted:** As stated above in “Promoted to 64 Bit”, byte-operand opcodes of promoted instructions are not promoted. Those opcodes continue to operate only on bytes.
- **Fixed Operand Size:** If an instruction’s operand size is fixed in legacy mode (thus, independent of CS.D and prefix overrides), that operand size is usually fixed at the same size in 64-bit mode. For example, CPUID operates on 32-bit operands, irrespective of attempts to override the operand size.
- **Default Operand Size:** The default operand size for most instructions is 32 bits, and a REX prefix must be used to change the operand size to 64 bits. However, two groups of instructions default to 64-bit operand size and do not need a REX prefix: (1) near branches and (2) all instructions, except far branches, that implicitly reference the RSP. See Table B-5 on page 609 for a list of all instructions that default to 64-bit operand size.
- **Zero-Extension of 32-Bit Results:** Operations on 32-bit operands in 64-bit mode zero-extend the high 32 bits of 64-bit GPR destination registers.
- **No Extension of 8-Bit and 16-Bit Results:** Operations on 8-bit and 16-bit operands in 64-bit mode leave the high 56 or 48 bits, respectively, of 64-bit GPR destination registers unchanged.
- **Shift and Rotate Counts:** When the operand size is 64 bits, shifts and rotates use one additional bit (6 bits total) to specify shift-count or rotate-count, allowing 64-bit shifts and rotates.
- **Immediates:** The maximum size of immediate operands is 32 bits, except that 64-bit immediates can be MOVED into 64-bit GPRs. Immediates that are less than 64 bits are a maximum of 32 bits, and are sign-extended to 64 bits during use.

- Displacements and Offsets:** The maximum size of an address displacement or offset is 32 bits, except that 64-bit offsets can be used by specific MOV opcodes that read or write AL or rAX. Displacements and offsets that are less than 64 bits are a maximum of 32 bits, and are sign-extended to 64 bits during use.
- Undefined High 32 Bits After Mode Change:** The processor does not preserve the upper 32 bits of the 64-bit GPRs across switches from 64-bit mode to compatibility or legacy modes. In compatibility or legacy mode, the upper 32 bits of the GPRs are undefined and not accessible to software.

## B.2 Operation and Operand Size in 64-Bit Mode

Table B-1 lists the integer instructions, showing operand size in 64-bit mode and the state of the high 32 bits of destination registers when 32-bit operands are used. Opcodes, such as byte-operand versions of several instructions, that do not appear in Table B-1 are covered by the general rules described in “General Rules for 64-Bit Mode” on page 581.

**Table B-1. Operations and Operands in 64-Bit Mode**

| Instruction and<br>Opcode (hex) <sup>1</sup>         | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>           | For 64-Bit<br>Operand Size <sup>4</sup> |
|------------------------------------------------------|-----------------------------------|-----------------------------------------|---------------------------------------------------|-----------------------------------------|
| <b>AAA</b> - ASCII Adjust after Addition<br>37       |                                   |                                         | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                         |
| <b>AAD</b> - ASCII Adjust AX before Division<br>D5   |                                   |                                         | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                         |
| <b>AAM</b> - ASCII Adjust AX after Multiply<br>D4    |                                   |                                         | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                         |
| <b>AAS</b> - ASCII Adjust AL after Subtraction<br>3F |                                   |                                         | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                         |

**Notes:**

- See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
- The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
- If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
- Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
- Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
- The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                                                                                                                                                                                                                                                  | Type of<br>Operation <sup>2</sup>                 | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>             | For 64-Bit<br>Operand Size <sup>4</sup> |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|-----------------------------------------|-----------------------------------------------------|-----------------------------------------|
| <b>ADC</b> —Add with Carry<br>11<br>13<br>15<br>81 /2<br>83 /2                                                                                                                                                                                                                                                                                                | Promoted to<br>64 bits.                           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                         |
| <b>ADD</b> —Signed or Unsigned Add<br>01<br>03<br>05<br>81 /0<br>83 /0                                                                                                                                                                                                                                                                                        | Promoted to<br>64 bits.                           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                         |
| <b>AND</b> —Logical AND<br>21<br>23<br>25<br>81 /4<br>83 /4                                                                                                                                                                                                                                                                                                   | Promoted to<br>64 bits.                           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                         |
| <b>ARPL</b> - Adjust Requestor Privilege Level<br>63                                                                                                                                                                                                                                                                                                          | OPCODE USED as MOVSXD in 64-BIT MODE              |                                         |                                                     |                                         |
| <b>BOUND</b> - Check Array Against Bounds<br>62                                                                                                                                                                                                                                                                                                               | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                         |                                                     |                                         |
| <b>BSF</b> —Bit Scan Forward<br>0F BC                                                                                                                                                                                                                                                                                                                         | Promoted to<br>64 bits.                           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                         |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                 |                                                   |                                         |                                                     |                                         |
| 1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.                                                                                                                                                                                                                                                             |                                                   |                                         |                                                     |                                         |
| 2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.                                                                                                                                                      |                                                   |                                         |                                                     |                                         |
| 3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.                                                                                                                                             |                                                   |                                         |                                                     |                                         |
| 4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64 bits. |                                                   |                                         |                                                     |                                         |
| 5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.                                                                                                                                                                 |                                                   |                                         |                                                     |                                         |
| 6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.                                                                                                                                                                                                                        |                                                   |                                         |                                                     |                                         |

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                                                                                                                                                                                                                                                 | Type of<br>Operation <sup>2</sup>                   | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>             | For 64-Bit<br>Operand Size <sup>4</sup>                         |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------|-----------------------------------------|-----------------------------------------------------|-----------------------------------------------------------------|
| <b>BSR</b> —Bit Scan Reverse<br>0F BD                                                                                                                                                                                                                                                                                                                        | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                                                 |
| <b>BSWAP</b> —Byte Swap<br>0F C8 through 0F CF                                                                                                                                                                                                                                                                                                               | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. | Swap all 8 bytes<br>of a 64-bit GPR.                            |
| <b>BT</b> —Bit Test<br>0F A3<br>0F BA /4                                                                                                                                                                                                                                                                                                                     | Promoted to<br>64 bits.                             | 32 bits                                 | No GPR register results.                            |                                                                 |
| <b>BTC</b> —Bit Test and Complement<br>0F BB<br>0F BA /7                                                                                                                                                                                                                                                                                                     | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                                                 |
| <b>BTR</b> —Bit Test and Reset<br>0F B3<br>0F BA /6                                                                                                                                                                                                                                                                                                          | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                                                 |
| <b>BTS</b> —Bit Test and Set<br>0F AB<br>0F BA /5                                                                                                                                                                                                                                                                                                            | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                                                 |
| <b>CALL</b> —Procedure Call Near<br><br>E8<br><br>FF /2                                                                                                                                                                                                                                                                                                      | See “Near Branches in 64-Bit Mode” in APM Volume 1. |                                         |                                                     |                                                                 |
|                                                                                                                                                                                                                                                                                                                                                              | Promoted to<br>64 bits.                             | 64 bits                                 | Can't encode. <sup>6</sup>                          | RIP = RIP + 32-bit displacement<br>sign-extended to<br>64 bits. |
|                                                                                                                                                                                                                                                                                                                                                              | Promoted to<br>64 bits.                             | 64 bits                                 | Can't encode. <sup>6</sup>                          | RIP = 64-bit<br>offset from<br>register or<br>memory.           |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                |                                                     |                                         |                                                     |                                                                 |
| 1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.                                                                                                                                                                                                                                                            |                                                     |                                         |                                                     |                                                                 |
| 2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.                                                                                                                                                     |                                                     |                                         |                                                     |                                                                 |
| 3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.                                                                                                                                            |                                                     |                                         |                                                     |                                                                 |
| 4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits. |                                                     |                                         |                                                     |                                                                 |
| 5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.                                                                                                                                                                |                                                     |                                         |                                                     |                                                                 |
| 6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.                                                                                                                                                                                                                       |                                                     |                                         |                                                     |                                                                 |

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Type of<br>Operation <sup>2</sup>                 | Default<br>Operand<br>Size <sup>3</sup>   | For 32-Bit<br>Operand Size <sup>4</sup>                                                                                                              | For 64-Bit<br>Operand Size <sup>4</sup>                                           |  |  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|--|--|
| <b>CALL</b> —Procedure Call Far<br><br>9A<br><br>FF /3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | See “Branches to 64-Bit Offsets” in APM Volume 1. |                                           |                                                                                                                                                      |                                                                                   |  |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                           |                                                                                                                                                      |                                                                                   |  |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Promoted to 64 bits.                              | 32 bits                                   | If selector points to a gate, then RIP = 64-bit offset from gate, else RIP = zero-extended 32-bit offset from far pointer referenced in instruction. |                                                                                   |  |  |
| <b>CBW, CWDE, CDQE</b> —Convert Byte to Word, Convert Word to Doubleword, Convert Doubleword to Quadword<br><br>98                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Promoted to 64 bits.                              | 32 bits<br>(size of destination register) | CWDE: Converts word to doubleword.<br>Zero-extends EAX to RAX.                                                                                       | CDQE (new mnemonic): Converts doubleword to quadword.<br>RAX = sign-extended EAX. |  |  |
| <b>CDQ</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | see <b>CWD, CDQ, CQO</b>                          |                                           |                                                                                                                                                      |                                                                                   |  |  |
| <b>CDQE</b> (new mnemonic)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | see <b>CBW, CWDE, CDQE</b>                        |                                           |                                                                                                                                                      |                                                                                   |  |  |
| <b>CDWE</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | see <b>CBW, CWDE, CDQE</b>                        |                                           |                                                                                                                                                      |                                                                                   |  |  |
| <b>CLC</b> —Clear Carry Flag<br><br>F8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Same as legacy mode.                              | Not relevant.                             | No GPR register results.                                                                                                                             |                                                                                   |  |  |
| <b>CLD</b> —Clear Direction Flag<br><br>FC                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Same as legacy mode.                              | Not relevant.                             | No GPR register results.                                                                                                                             |                                                                                   |  |  |
| <b>CLFLUSH</b> —Cache Line Invalidate<br><br>0F AE /7                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Same as legacy mode.                              | Not relevant.                             | No GPR register results.                                                                                                                             |                                                                                   |  |  |
| <b>CLGI</b> —Clear Global Interrupt<br><br>0F 01 DD                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Same as legacy mode                               | Not relevant                              | No GPR register results.                                                                                                                             |                                                                                   |  |  |
| <b>CLI</b> —Clear Interrupt Flag<br><br>FA                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Same as legacy mode.                              | Not relevant.                             | No GPR register results.                                                                                                                             |                                                                                   |  |  |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                   |                                           |                                                                                                                                                      |                                                                                   |  |  |
| <ol style="list-style-type: none"> <li>1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.</li> <li>2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.</li> <li>3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.</li> <li>4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.</li> <li>5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.</li> <li>6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.</li> </ol> |                                                   |                                           |                                                                                                                                                      |                                                                                   |  |  |

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>            | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                      | For 64-Bit<br>Operand Size <sup>4</sup>                                        |
|---------------------------------------------------------|-----------------------------------|-----------------------------------------|----------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|
| <b>CLTS</b> —Clear Task-Switched Flag in CR0<br>0F 06   | Same as legacy mode.              | Not relevant.                           | No GPR register results.                                                                     |                                                                                |
| <b>CMC</b> —Complement Carry Flag<br>F5                 | Same as legacy mode.              | Not relevant.                           | No GPR register results.                                                                     |                                                                                |
| <b>CMOVcc</b> —Conditional Move<br>0F 40 through 0F 4F  | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits. This occurs even if the condition is false. |                                                                                |
| <b>CMP</b> —Compare<br>39<br>3B<br>3D<br>81 /7<br>83 /7 | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                             |                                                                                |
| <b>CMPS, CMPSW, CMPSD, CMPSQ</b> —Compare Strings<br>A7 | Promoted to 64 bits.              | 32 bits                                 | CMPSD:<br>Compare String Doublewords.<br>See footnote <sup>5</sup>                           | CMPSQ (new mnemonic):<br>Compare String Quadwords<br>See footnote <sup>5</sup> |
| <b>CMPXCHG</b> —Compare and Exchange<br>0F B1           | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                             |                                                                                |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Type of<br>Operation <sup>2</sup>                 | Default<br>Operand<br>Size <sup>3</sup>   | For 32-Bit<br>Operand Size <sup>4</sup>                                                                            | For 64-Bit<br>Operand Size <sup>4</sup>                                                                    |  |  |  |  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|--|--|--|--|
| <b>CMPXCHG8B</b> —Compare and Exchange Eight Bytes<br><br>0F C7 /1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Same as legacy mode.                              | 32 bits.                                  | Zero-extends EDX and EAX to 64 bits.                                                                               | CMPXCHG16B (new mnemonic): Compare and Exchange 16 Bytes.                                                  |  |  |  |  |
| <b>CPUID</b> —Processor Identification<br><br>0F A2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Same as legacy mode.                              | Operand size fixed at 32 bits.            | Zero-extends 32-bit register results to 64 bits.                                                                   |                                                                                                            |  |  |  |  |
| <b>CQO</b> (new mnemonic)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | see <b>CWD, CDQ, CQO</b>                          |                                           |                                                                                                                    |                                                                                                            |  |  |  |  |
| <b>CWD, CDQ, CQO</b> —Convert Word to Doubleword, Convert Doubleword to Quadword, Convert Quadword to Double Quadword<br><br>99                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Promoted to 64 bits.                              | 32 bits<br>(size of destination register) | CDQ: Converts doubleword to quadword.<br>Sign-extends EAX to EDX.<br>Zero-extends EDX to RDX.<br>RAX is unchanged. | CQO (new mnemonic): Converts quadword to double quadword.<br>Sign-extends RAX to RDX.<br>RAX is unchanged. |  |  |  |  |
| <b>DAA</b> - Decimal Adjust AL after Addition<br>27                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                           |                                                                                                                    |                                                                                                            |  |  |  |  |
| <b>DAS</b> - Decimal Adjust AL after Subtraction<br>2F                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                           |                                                                                                                    |                                                                                                            |  |  |  |  |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                   |                                           |                                                                                                                    |                                                                                                            |  |  |  |  |
| <ol style="list-style-type: none"> <li>1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.</li> <li>2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.</li> <li>3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.</li> <li>4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.</li> <li>5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.</li> <li>6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.</li> </ol> |                                                   |                                           |                                                                                                                    |                                                                                                            |  |  |  |  |

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Type of<br>Operation <sup>2</sup>        | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>             | For 64-Bit<br>Operand Size <sup>4</sup>                                         |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|-----------------------------------------|-----------------------------------------------------|---------------------------------------------------------------------------------|
| <b>DEC</b> —Decrement by 1<br>FF /1<br><br>48 through 4F                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Promoted to<br>64 bits.                  | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. |                                                                                 |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | OPCODE USED as REX PREFIX in 64-BIT MODE |                                         |                                                     |                                                                                 |
| <b>DIV</b> —Unsigned Divide<br><br>F7 /6                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Promoted to<br>64 bits.                  | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. | RDX:RAX<br>contain a 64-bit<br>quotient (RAX)<br>and 64-bit<br>remainder (RDX). |
| <b>ENTER</b> —Create Procedure Stack<br>Frame<br><br>C8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Promoted to<br>64 bits.                  | 64 bits                                 | Can't encode <sup>6</sup>                           |                                                                                 |
| <b>HLT</b> —Halt<br><br>F4                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Same as<br>legacy mode.                  | Not relevant.                           | No GPR register results.                            |                                                                                 |
| <b>IDIV</b> —Signed Divide<br><br>F7 /7                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Promoted to<br>64 bits.                  | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits. | RDX:RAX<br>contain a 64-bit<br>quotient (RAX)<br>and 64-bit<br>remainder (RDX). |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                          |                                         |                                                     |                                                                                 |
| <ol style="list-style-type: none"> <li>See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.</li> <li>The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.</li> <li>If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.</li> <li>Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.</li> <li>Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.</li> <li>The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.</li> </ol> |                                          |                                         |                                                     |                                                                                 |

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup> | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup>           | For 32-Bit<br>Operand Size <sup>4</sup>                                                  | For 64-Bit<br>Operand Size <sup>4</sup>          |
|----------------------------------------------|-----------------------------------|---------------------------------------------------|------------------------------------------------------------------------------------------|--------------------------------------------------|
| <b>IMUL</b> - Signed Multiply                | Promoted to 64 bits.              | 32 bits                                           | Zero-extends 32-bit register results to 64 bits.                                         | RDX:RAX = RAX * reg/mem64 (i.e., 128-bit result) |
| F7 /5                                        |                                   |                                                   |                                                                                          | reg64 = reg64 * reg/mem64                        |
| 0F AF                                        |                                   |                                                   |                                                                                          | reg64 = reg/mem64 * imm32                        |
| 69                                           |                                   |                                                   |                                                                                          | reg64 = reg/mem64 * imm8                         |
| 6B                                           |                                   |                                                   |                                                                                          |                                                  |
| <b>IN</b> —Input From Port                   | Same as legacy mode.              | 32 bits                                           | Zero-extends 32-bit register results to 64 bits.                                         |                                                  |
| E5                                           |                                   |                                                   |                                                                                          |                                                  |
| ED                                           |                                   |                                                   |                                                                                          |                                                  |
| <b>INC</b> —Increment by 1                   | Promoted to 64 bits.              | 32 bits                                           | Zero-extends 32-bit register results to 64 bits.                                         |                                                  |
| FF /0                                        |                                   |                                                   |                                                                                          |                                                  |
| 40 through 47                                |                                   |                                                   | OPCODE USED as REX PREFIX in 64-BIT MODE                                                 |                                                  |
| <b>INS, INSW, INSD</b> —Input String         | Same as legacy mode.              | 32 bits                                           | INSD: Input String Doublewords.<br>No GPR register results.<br>See footnote <sup>5</sup> |                                                  |
| 6D                                           |                                   |                                                   |                                                                                          |                                                  |
| <b>INT n</b> —Interrupt to Vector            | Promoted to 64 bits.              | Not relevant.                                     | See “Long-Mode Interrupt Control Transfers” in APM Volume 2.                             |                                                  |
| CD                                           |                                   |                                                   |                                                                                          |                                                  |
| <b>INT3</b> —Interrupt to Debug Vector       |                                   |                                                   |                                                                                          |                                                  |
| CC                                           |                                   |                                                   |                                                                                          |                                                  |
| <b>INTO</b> - Interrupt to Overflow Vector   |                                   | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                                                                          |                                                  |
| CE                                           |                                   |                                                   |                                                                                          |                                                  |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                 | Type of<br>Operation <sup>2</sup>                   | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                            | For 64-Bit<br>Operand Size <sup>4</sup>                                                                                            |
|------------------------------------------------------------------------------|-----------------------------------------------------|-----------------------------------------|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|
| <b>INVD</b> —Invalidate Internal Caches<br>0F 08                             | Same as<br>legacy mode.                             | Not relevant.                           | No GPR register results.                                                                                           |                                                                                                                                    |
| <b>INVLPG</b> —Invalidate TLB Entry<br>0F 01 /7                              | Promoted to<br>64 bits.                             | Not relevant.                           | No GPR register results.                                                                                           |                                                                                                                                    |
| <b>INVLPGA</b> —Invalidate TLB Entry in a<br>Specified ASID                  | Same as<br>legacy mode.                             | Not relevant.                           | No GPR register results.                                                                                           |                                                                                                                                    |
| <b>IRET, IRETD, IRETQ</b> —Interrupt Return<br><br>CF                        | Promoted to<br>64 bits.                             | 32 bits                                 | IRETD: Interrupt<br>Return<br>Doubleword.<br>See “Long-Mode<br>Interrupt Control<br>Transfers” in<br>APM Volume 2. | IRETQ (new<br>mnemonic):<br>Interrupt Return<br>Quadword.<br>See “Long-Mode<br>Interrupt Control<br>Transfers” in<br>APM Volume 2. |
| <b>Jcc</b> —Jump Conditional<br><br>70 through 7F<br><br>0F 80 through 0F 8F | See “Near Branches in 64-Bit Mode” in APM Volume 1. |                                         |                                                                                                                    |                                                                                                                                    |
|                                                                              | Promoted to<br>64 bits.                             | 64 bits                                 | Can't encode. <sup>6</sup>                                                                                         | RIP = RIP + 8-bit<br>displacement<br>sign-extended to<br>64 bits.                                                                  |
|                                                                              |                                                     |                                         |                                                                                                                    | RIP = RIP + 32-<br>bit displacement<br>sign-extended to<br>64 bits.                                                                |
| <b>JCXZ, JECXZ, JRCXZ</b> —Jump on<br>CX/ECX/RCX Zero<br><br>E3              | Promoted to<br>64 bits.                             | 64 bits                                 | Can't encode. <sup>6</sup>                                                                                         | RIP = RIP + 8-bit<br>displacement<br>sign-extended to<br>64 bits.<br><br>See footnote <sup>5</sup>                                 |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>     | Type of<br>Operation <sup>2</sup>                   | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                                                              | For 64-Bit<br>Operand Size <sup>4</sup>                   |
|--------------------------------------------------|-----------------------------------------------------|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|
| <b>JMP</b> —Jump Near                            | See “Near Branches in 64-Bit Mode” in APM Volume 1. |                                         |                                                                                                                                                      |                                                           |
| EB                                               |                                                     |                                         |                                                                                                                                                      | RIP = RIP + 8-bit displacement sign-extended to 64 bits.  |
| E9                                               | Promoted to 64 bits.                                | 64 bits                                 | Can't encode. <sup>6</sup>                                                                                                                           | RIP = RIP + 32-bit displacement sign-extended to 64 bits. |
| FF /4                                            |                                                     |                                         |                                                                                                                                                      | RIP = 64-bit offset from register or memory.              |
| <b>JMP</b> —Jump Far                             | See “Branches to 64-Bit Offsets” in APM Volume 1.   |                                         |                                                                                                                                                      |                                                           |
| EA                                               | INVALID IN 64-BIT MODE (invalid-opcode exception)   |                                         |                                                                                                                                                      |                                                           |
| FF /5                                            | Promoted to 64 bits.                                | 32 bits                                 | If selector points to a gate, then RIP = 64-bit offset from gate, else RIP = zero-extended 32-bit offset from far pointer referenced in instruction. |                                                           |
| <b>LAHF</b> - Load Status Flags into AH Register | Same as legacy mode.                                | Not relevant.                           |                                                                                                                                                      |                                                           |
| 9F                                               |                                                     |                                         |                                                                                                                                                      |                                                           |
| <b>LAR</b> —Load Access Rights Byte              | Same as legacy mode.                                | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                                                                                     |                                                           |
| 0F 02                                            |                                                     |                                         |                                                                                                                                                      |                                                           |
| <b>LDS</b> - Load DS Far Pointer                 | INVALID IN 64-BIT MODE (invalid-opcode exception)   |                                         |                                                                                                                                                      |                                                           |
| C5                                               |                                                     |                                         |                                                                                                                                                      |                                                           |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                         | Type of<br>Operation <sup>2</sup>                 | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                           | For 64-Bit<br>Operand Size <sup>4</sup> |
|----------------------------------------------------------------------|---------------------------------------------------|-----------------------------------------|-----------------------------------------------------------------------------------|-----------------------------------------|
| <b>LEA</b> —Load Effective Address<br>8D                             | Promoted to<br>64 bits.                           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.                               |                                         |
| <b>LEAVE</b> —Delete Procedure Stack Frame<br>C9                     | Promoted to<br>64 bits.                           | 64 bits                                 | Can't encode <sup>6</sup>                                                         |                                         |
| <b>LES</b> - Load ES Far Pointer<br>C4                               | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                         |                                                                                   |                                         |
| <b>LFENCE</b> —Load Fence<br>0F AE /5                                | Same as<br>legacy mode.                           | Not relevant.                           | No GPR register results.                                                          |                                         |
| <b>LFS</b> —Load FS Far Pointer<br>0F B4                             | Same as<br>legacy mode.                           | 32 bits                                 | Zero-extends 32-bit register results<br>to 64 bits.                               |                                         |
| <b>LGDT</b> —Load Global Descriptor Table<br>Register<br>0F 01 /2    | Promoted to<br>64 bits.                           | Operand size<br>fixed at 64<br>bits.    | No GPR register results.<br>Loads 8-byte base and 2-byte limit.                   |                                         |
| <b>LGS</b> —Load GS Far Pointer<br>0F B5                             | Same as<br>legacy mode.                           | 32 bits                                 | Zero-extends 32-bit register results<br>to 64 bits.                               |                                         |
| <b>LIDT</b> —Load Interrupt Descriptor Table<br>Register<br>0F 01 /3 | Promoted to<br>64 bits.                           | Operand size<br>fixed at 64<br>bits.    | No GPR register results.<br>Loads 8-byte base and 2-byte limit.                   |                                         |
| <b>LLDT</b> —Load Local Descriptor Table<br>Register<br>0F 00 /2     | Promoted to<br>64 bits.                           | Operand size<br>fixed at 16<br>bits.    | No GPR register results.<br>References 16-byte descriptor to<br>load 64-bit base. |                                         |
| <b>LMSW</b> —Load Machine Status Word<br>0F 01 /6                    | Same as<br>legacy mode.                           | Operand size<br>fixed at 16<br>bits.    | No GPR register results.                                                          |                                         |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                                       | For 64-Bit<br>Operand Size <sup>4</sup>                                                        |
|-------------------------------------------------------------|-----------------------------------|-----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
| <b>LODS, LODSW, LODSD, LODSQ</b> —<br>Load String<br><br>AD | Promoted to<br>64 bits.           | 32 bits                                 | LODSD: Load<br>String<br>Doublewords.<br>Zero-extends 32-<br>bit register<br>results to 64 bits.<br>See footnote <sup>5</sup> | LODSQ (new<br>mnemonic): Load<br>String<br>Quadwords.<br>See footnote <sup>5</sup>             |
| <b>LOOP</b> —Loop<br>E2                                     | Promoted to<br>64 bits.           | 64 bits                                 | Can't encode. <sup>6</sup>                                                                                                    | RIP = RIP + 8-bit<br>displacement<br>sign-extended to<br>64 bits.<br>See footnote <sup>5</sup> |
| <b>LOOPZ, LOOPE</b> —Loop if Zero/Equal<br>E1               |                                   |                                         |                                                                                                                               |                                                                                                |
| <b>LOOPNZ, LOOPNE</b> —Loop if Not<br>Zero/Equal<br><br>E0  |                                   |                                         |                                                                                                                               |                                                                                                |
| <b>LSL</b> —Load Segment Limit<br>0F 03                     | Same as<br>legacy mode.           | 32 bits                                 | Zero-extends 32-bit register results<br>to 64 bits.                                                                           |                                                                                                |
| <b>LSS</b> —Load SS Segment Register<br>0F B2               | Same as<br>legacy mode.           | 32 bits                                 | Zero-extends 32-bit register results<br>to 64 bits.                                                                           |                                                                                                |
| <b>LTR</b> —Load Task Register<br>0F 00 /3                  | Promoted to<br>64 bits.           | Operand size<br>fixed at 16<br>bits.    | No GPR register results.<br>References 16-byte descriptor to<br>load 64-bit base.                                             |                                                                                                |
| <b>LZCNT</b> —Count Leading Zeros<br>F3 0F BD               | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register results<br>to 64 bits.                                                                           |                                                                                                |
| <b>MFENCE</b> —Memory Fence<br>0F AE /6                     | Same as<br>legacy mode.           | Not relevant.                           | No GPR register results.                                                                                                      |                                                                                                |
| <b>MONITOR</b> —Setup Monitor Address<br>0F 01 C8           | Same as<br>legacy mode.           | Operand size<br>fixed at 32<br>bits.    | No GPR register results.                                                                                                      |                                                                                                |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>    | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                                                                 | For 64-Bit<br>Operand Size <sup>4</sup>                  |
|-------------------------------------------------|-----------------------------------|-----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
| <b>MOV</b> —Move                                | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                                                                                        |                                                          |
| 89                                              |                                   |                                         |                                                                                                                                                         | 32-bit immediate is sign-extended to 64 bits.            |
| 8B                                              |                                   |                                         |                                                                                                                                                         | 64-bit immediate.                                        |
| C7                                              |                                   |                                         |                                                                                                                                                         |                                                          |
| B8 through BF<br>A1 (moffset)                   |                                   |                                         | Zero-extends 32-bit register results to 64 bits.<br>Memory offsets are address-sized and default to 64 bits.                                            | Memory offsets are address-sized and default to 64 bits. |
| A3 (moffset)                                    |                                   |                                         |                                                                                                                                                         |                                                          |
| <b>MOV</b> —Move to/from Segment Registers      | Same as legacy mode.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                                                                                        |                                                          |
| 8C                                              |                                   |                                         |                                                                                                                                                         |                                                          |
| 8E                                              |                                   |                                         | Operand size fixed at 16 bits.                                                                                                                          | No GPR register results.                                 |
| <b>MOV(CRn)</b> —Move to/from Control Registers | Promoted to 64 bits.              | Operand size fixed at 64 bits.          | The high 32 bits of control registers differ in their writability and reserved status. See “System Resources” in APM Volume 2 for details.              |                                                          |
| 0F 22                                           |                                   |                                         |                                                                                                                                                         |                                                          |
| 0F 20                                           |                                   |                                         |                                                                                                                                                         |                                                          |
| <b>MOV(DRn)</b> —Move to/from Debug Registers   | Promoted to 64 bits.              | Operand size fixed at 64 bits.          | The high 32 bits of debug registers differ in their writability and reserved status. See “Debug and Performance Resources” in APM Volume 2 for details. |                                                          |
| 0F 21                                           |                                   |                                         |                                                                                                                                                         |                                                          |
| 0F 23                                           |                                   |                                         |                                                                                                                                                         |                                                          |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                           | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                      | For 64-Bit<br>Operand Size <sup>4</sup>                                   |
|----------------------------------------------------------------------------------------|-----------------------------------|-----------------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------|
| <b>MOVD</b> —Move Doubleword or Quadword<br><br>0F 6E<br>0F 7E<br>66 0F 6E<br>66 0F 7E | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.             |                                                                           |
|                                                                                        |                                   |                                         | Zero-extends 32-bit register results to 128 bits.            | Zero-extends 64-bit register results to 128 bits.                         |
| <b>MOVNTI</b> —Move Non-Temporal Doubleword<br><br>0F C3                               | Promoted to 64 bits.              | 32 bits                                 | No GPR register results.                                     |                                                                           |
| <b>MOVS, MOVSW, MOVSD, MOVSQ</b> —Move String<br><br>A5                                | Promoted to 64 bits.              | 32 bits                                 | MOVSD: Move String Doublewords.<br>See footnote <sup>5</sup> | MOVSQ (new mnemonic): Move String Quadwords.<br>See footnote <sup>5</sup> |
| <b>MOVSX</b> —Move with Sign-Extend<br><br>0F BE<br><br>0F BF                          | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.             | Sign-extends byte to quadword.                                            |
|                                                                                        |                                   |                                         |                                                              | Sign-extends word to quadword.                                            |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                  | Type of<br>Operation <sup>2</sup>                                                                  | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>          | For 64-Bit<br>Operand Size <sup>4</sup>      |
|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------|-----------------------------------------|--------------------------------------------------|----------------------------------------------|
| <b>MOVSXD</b> —Move with Sign-Extend Doubleword<br><br>63     | New instruction, available only in 64-bit mode. (In other modes, this opcode is ARPL instruction.) | 32 bits                                 | Zero-extends 32-bit register results to 64 bits. | Sign-extends doubleword to quadword.         |
| <b>MOVZX</b> —Move with Zero-Extend<br><br>0F B6<br><br>0F B7 | Promoted to 64 bits.                                                                               | 32 bits                                 | Zero-extends 32-bit register results to 64 bits. | Zero-extends byte to quadword.               |
|                                                               |                                                                                                    |                                         |                                                  | Zero-extends word to quadword.               |
| <b>MUL</b> —Multiply Unsigned<br><br>F7 /4                    | Promoted to 64 bits.                                                                               | 32 bits                                 | Zero-extends 32-bit register results to 64 bits. | RDX:RAX=RAX* quadword in register or memory. |
| <b>MWAIT</b> —Monitor Wait<br><br>0F 01 C9                    | Same as legacy mode.                                                                               | Operand size fixed at 32 bits.          | No GPR register results.                         |                                              |
| <b>NEG</b> —Negate Two's Complement<br><br>F7 /3              | Promoted to 64 bits.                                                                               | 32 bits                                 | Zero-extends 32-bit register results to 64 bits. |                                              |
| <b>NOP</b> —No Operation<br><br>90                            | Same as legacy mode.                                                                               | Not relevant.                           | No GPR register results.                         |                                              |
| <b>NOT</b> —Negate One's Complement<br><br>F7 /2              | Promoted to 64 bits.                                                                               | 32 bits                                 | Zero-extends 32-bit register results to 64 bits. |                                              |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                   | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                 | For 64-Bit<br>Operand Size <sup>4</sup> |
|--------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|-----------------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------|
| <b>OR</b> —Logical OR<br>09<br>0B<br>0D<br>81 /1<br>83 /1                                                                      | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                        |                                         |
| <b>OUT</b> —Output to Port<br>E7<br>EF                                                                                         | Same as legacy mode.              | 32 bits                                 | No GPR register results.                                                                |                                         |
| <b>OUTS, OUTSW, OUTSD</b> —Output String<br>6F                                                                                 | Same as legacy mode.              | 32 bits                                 | Writes doubleword to I/O port.<br>No GPR register results.<br>See footnote <sup>5</sup> |                                         |
| <b>PAUSE</b> —Pause<br>F3 90                                                                                                   | Same as legacy mode.              | Not relevant.                           | No GPR register results.                                                                |                                         |
| <b>POP</b> —Pop Stack<br>8F /0<br>58 through 5F                                                                                | Promoted to<br>64 bits.           | 64 bits                                 | Cannot encode <sup>6</sup>                                                              | No GPR register results.                |
| <b>POP</b> —Pop (segment register from) Stack<br>0F A1 (POP FS)<br>0F A9 (POP GS)<br>1F (POP DS)<br>07 (POP ES)<br>17 (POP SS) | Same as legacy mode.              | 64 bits                                 | Cannot encode <sup>6</sup>                                                              | No GPR register results.                |
|                                                                                                                                |                                   |                                         | INVALID IN 64-BIT MODE (invalid-opcode exception)                                       |                                         |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                                                                                                                                                                                                                                                 | Type of<br>Operation <sup>2</sup>                 | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>          | For 64-Bit<br>Operand Size <sup>4</sup>                                                                                   |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|-----------------------------------------|--------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| <b>POPA, POPAD</b> —Pop All to GPR Words or Doublewords<br>61                                                                                                                                                                                                                                                                                                | INVALID IN 64-BIT MODE (invalid-opcode exception) |                                         |                                                  |                                                                                                                           |
| <b>POPCNT</b> —Bit Population Count<br>F3 0F B8                                                                                                                                                                                                                                                                                                              | Promoted to 64 bits.                              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits. |                                                                                                                           |
| <b>POPF, POPFD, POPFQ</b> —Pop to rFLAGS Word, Doublword, or Quadword<br>9D                                                                                                                                                                                                                                                                                  | Promoted to 64 bits.                              | 64 bits                                 | Cannot encode <sup>6</sup>                       | POPFQ (new mnemonic): Pops 64 bits off stack, writes low 32 bits into EFLAGS and zero-extends the high 32 bits of RFLAGS. |
| <b>PREFETCH</b> —Prefetch L1 Data-Cache Line<br>0F 0D /0                                                                                                                                                                                                                                                                                                     | Same as legacy mode.                              | Not relevant.                           | No GPR register results.                         |                                                                                                                           |
| <b>PREFETCH/level</b> —Prefetch Data to Cache Level <i>level</i><br>0F 18 /0-3, 7, 8                                                                                                                                                                                                                                                                         | Same as legacy mode.                              | Not relevant.                           | No GPR register results.                         |                                                                                                                           |
| <b>PREFETCHW</b> —Prefetch L1 Data-Cache Line for Write<br>0F 0D /1                                                                                                                                                                                                                                                                                          | Same as legacy mode.                              | Not relevant.                           | No GPR register results.                         |                                                                                                                           |
| <b>PUSH</b> —Push onto Stack<br>FF /6<br>50 through 57<br>6A<br>68                                                                                                                                                                                                                                                                                           | Promoted to 64 bits.                              | 64 bits                                 | Cannot encode <sup>6</sup>                       |                                                                                                                           |
| <b>Notes:</b>                                                                                                                                                                                                                                                                                                                                                |                                                   |                                         |                                                  |                                                                                                                           |
| 1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.                                                                                                                                                                                                                                                            |                                                   |                                         |                                                  |                                                                                                                           |
| 2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.                                                                                                                                                     |                                                   |                                         |                                                  |                                                                                                                           |
| 3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.                                                                                                                                            |                                                   |                                         |                                                  |                                                                                                                           |
| 4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits. |                                                   |                                         |                                                  |                                                                                                                           |
| 5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.                                                                                                                                                                |                                                   |                                         |                                                  |                                                                                                                           |
| 6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.                                                                                                                                                                                                                       |                                                   |                                         |                                                  |                                                                                                                           |

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                                                                                                              | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                       | For 64-Bit<br>Operand Size <sup>4</sup>                      |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|-----------------------------------------|---------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| <b>PUSH</b> —Push (segment register) onto Stack<br><br>0F A0 (PUSH FS)<br>0F A8 (PUSH GS)<br>0E (PUSH CS)<br>1E (PUSH DS)<br>06 (PUSH ES)<br>16 (PUSH SS) | Promoted to 64 bits.              | 64 bits                                 | Cannot encode <sup>6</sup>                                                                                    |                                                              |
|                                                                                                                                                           |                                   |                                         | INVALID IN 64-BIT MODE (invalid-opcode exception)                                                             |                                                              |
| <b>PUSHA, PUSHAD</b> - Push All to GPR Words or Doublewords<br><br>60                                                                                     |                                   |                                         | INVALID IN 64-BIT MODE (invalid-opcode exception)                                                             |                                                              |
| <b>PUSHF, PUSHFD, PUSHFQ</b> —Push rFLAGS Word, Doubleword, or Quadword onto Stack<br><br>9C                                                              | Promoted to 64 bits.              | 64 bits                                 | Cannot encode <sup>6</sup>                                                                                    | PUSHFQ (new mnemonic):<br>Pushes the 64-bit RFLAGS register. |
| <b>RCL</b> —Rotate Through Carry Left<br><br>D1 /2<br>D3 /2<br>C1 /2                                                                                      | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                                              | Uses 6-bit count.                                            |
| <b>RCR</b> —Rotate Through Carry Right<br><br>D1 /3<br>D3 /3<br>C1 /3                                                                                     | Promoted to 64 bits.              | 32 bits                                 | Zero-extends 32-bit register results to 64 bits.                                                              | Uses 6-bit count.                                            |
| <b>RDMSR</b> —Read Model-Specific Register<br><br>0F 32                                                                                                   | Same as legacy mode.              | Not relevant.                           | RDX[31:0] contains MSR[63:32], RAX[31:0] contains MSR[31:0]. Zero-extends 32-bit register results to 64 bits. |                                                              |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                        | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                                                                            | For 64-Bit<br>Operand Size <sup>4</sup> |
|---------------------------------------------------------------------|-----------------------------------|-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|
| <b>RDPMC</b> —Read Performance-Monitoring Counters<br>0F 33         | Same as legacy mode.              | Not relevant.                           | RDX[31:0] contains PMC[63:32], RAX[31:0] contains PMC[31:0]. Zero-extends 32-bit register results to 64 bits.                                                      |                                         |
| <b>RDTSC</b> —Read Time-Stamp Counter<br>0F 31                      | Same as legacy mode.              | Not relevant.                           | RDX[31:0] contains TSC[63:32], RAX[31:0] contains TSC[31:0]. Zero-extends 32-bit register results to 64 bits.                                                      |                                         |
| <b>RDTSCP</b> —Read Time-Stamp Counter and Processor ID<br>0F 01 F9 | Same as legacy mode.              | Not relevant.                           | RDX[31:0] contains TSC[63:32], RAX[31:0] contains TSC[31:0]. RCX[31:0] contains the TSC_AUX MSR C000_0103h[31:0]. Zero-extends 32-bit register results to 64 bits. |                                         |
| <b>REP INS</b> —Repeat Input String<br>F3 6D                        | Same as legacy mode.              | 32 bits                                 | Reads doubleword I/O port.<br>See footnote <sup>5</sup>                                                                                                            |                                         |
| <b>REP LODS</b> —Repeat Load String<br>F3 AD                        | Promoted to 64 bits.              | 32 bits                                 | Zero-extends EAX to 64 bits.<br>See footnote <sup>5</sup>                                                                                                          | See footnote <sup>5</sup>               |
| <b>REP MOVS</b> —Repeat Move String<br>F3 A5                        | Promoted to 64 bits.              | 32 bits                                 | No GPR register results.<br>See footnote <sup>5</sup>                                                                                                              |                                         |
| <b>REP OUTS</b> —Repeat Output String to Port<br>F3 6F              | Same as legacy mode.              | 32 bits                                 | Writes doubleword to I/O port.<br>No GPR register results.<br>See footnote <sup>5</sup>                                                                            |                                         |
| <b>REP STOS</b> —Repeat Store String<br>F3 AB                       | Promoted to 64 bits.              | 32 bits                                 | No GPR register results.<br>See footnote <sup>5</sup>                                                                                                              |                                         |
| <b>REPx CMPS</b> —Repeat Compare String<br>F3 A7                    | Promoted to 64 bits.              | 32 bits                                 | No GPR register results.<br>See footnote <sup>5</sup>                                                                                                              |                                         |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                 | Type of<br>Operation <sup>2</sup>                   | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                | For 64-Bit<br>Operand Size <sup>4</sup> |
|--------------------------------------------------------------|-----------------------------------------------------|-----------------------------------------|--------------------------------------------------------------------------------------------------------|-----------------------------------------|
| <b>REPx SCAS</b> —Repeat Scan String<br>F3 AF                | Promoted to<br>64 bits.                             | 32 bits                                 | No GPR register results.<br>See footnote <sup>5</sup>                                                  |                                         |
| <b>RET</b> —Return from Call Near<br>C2<br>C3                | See “Near Branches in 64-Bit Mode” in APM Volume 1. |                                         |                                                                                                        |                                         |
| <b>RET</b> —Return from Call Far<br>CB<br>CA                 | Promoted to<br>64 bits.                             | 32 bits                                 | See “Control Transfers” in APM<br>Volume 1 and “Control-Transfer<br>Privilege Checks” in APM Volume 2. |                                         |
| <b>ROL</b> —Rotate Left<br>D1 /0<br>D3 /0<br>C1 /0           | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.                                                    | Uses 6-bit count.                       |
| <b>ROR</b> —Rotate Right<br>D1 /1<br>D3 /1<br>C1 /1          | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.                                                    | Uses 6-bit count.                       |
| <b>RSM</b> —Resume from System<br>Management Mode<br>0F AA   | New SMM<br>state-save<br>area.                      | Not relevant.                           | See “System-Management Mode” in<br>APM Volume 2.                                                       |                                         |
| <b>SAHF</b> —Store AH into Flags<br>9E                       | Same as leg-<br>acy mode.                           | Not relevant.                           | No GPR register results.                                                                               |                                         |
| <b>SAL</b> —Shift Arithmetic Left<br>D1 /4<br>D3 /4<br>C1 /4 | Promoted to<br>64 bits.                             | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.                                                    | Uses 6-bit count.                       |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                         | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                                                                   | For 64-Bit<br>Operand Size <sup>4</sup>                                            |
|----------------------------------------------------------------------|-----------------------------------|-----------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------|
| <b>SAR</b> —Shift Arithmetic Right<br>D1 /7<br>D3 /7<br>C1 /7        | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.<br>Uses 6-bit count.                                                  |                                                                                    |
| <b>SBB</b> —Subtract with Borrow<br>19<br>1B<br>1D<br>81 /3<br>83 /3 | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.                                                                       |                                                                                    |
| <b>SCAS, SCASW, SCASD, SCASQ</b> —<br>Scan String<br>AF              | Promoted to<br>64 bits.           | 32 bits                                 | SCASD: Scan<br>String<br>Doublewords.<br>Zero-extends 32-bit register<br>results to 64 bits.<br>See footnote <sup>5</sup> | SCASQ (new<br>mnemonic): Scan<br>String<br>Quadwords.<br>See footnote <sup>5</sup> |
| <b>SFENCE</b> —Store Fence<br>0F AE /7                               | Same as<br>legacy mode.           | Not relevant.                           | No GPR register results.                                                                                                  |                                                                                    |
| <b>SGDT</b> —Store Global Descriptor Table<br>Register<br>0F 01 /0   | Promoted to<br>64 bits.           | Operand size<br>fixed at 64<br>bits.    | No GPR register results.<br>Stores 8-byte base and 2-byte limit.                                                          |                                                                                    |
| <b>SHL</b> —Shift Left<br>D1 /4<br>D3 /4<br>C1 /4                    | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.<br>Uses 6-bit count.                                                  |                                                                                    |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                          | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                          | For 64-Bit<br>Operand Size <sup>4</sup>        |
|-----------------------------------------------------------------------|-----------------------------------|-----------------------------------------|------------------------------------------------------------------|------------------------------------------------|
| <b>SHLD</b> —Shift Left Double<br>0F A4<br>0F A5                      | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.              | Uses 6-bit count.                              |
| <b>SHR</b> —Shift Right<br>D1 /5<br>D3 /5<br>C1 /5                    | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.              | Uses 6-bit count.                              |
| <b>SHRD</b> —Shift Right Double<br>0F AC<br>0F AD                     | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.              | Uses 6-bit count.                              |
| <b>SIDT</b> —Store Interrupt Descriptor Table<br>Register<br>0F 01 /1 | Promoted to<br>64 bits.           | Operand size<br>fixed at 64<br>bits.    | No GPR register results.<br>Stores 8-byte base and 2-byte limit. |                                                |
| <b>SKINIT</b> —Secure Init and Jump with<br>Attestation<br>0F 01 DE   | Same as<br>legacy mode.           | Not relevant                            | Zero-extends 32-bit register<br>results to 64 bits.              |                                                |
| <b>SLDT</b> —Store Local Descriptor Table<br>Register<br>0F 00 /0     | Same as<br>legacy mode.           | 32                                      | Zero-extends 2-byte LDT selector to<br>64 bits.                  |                                                |
| <b>SMSW</b> —Store Machine Status Word<br>0F 01 /4                    | Same as<br>legacy mode.           | 32                                      | Zero-extends 32-bit register<br>results to 64 bits.              | Stores 64-bit<br>machine status<br>word (CR0). |
| <b>STC</b> —Set Carry Flag<br>F9                                      | Same as<br>legacy mode.           | Not relevant.                           | No GPR register results.                                         |                                                |
| <b>STD</b> —Set Direction Flag<br>FD                                  | Same as<br>legacy mode.           | Not relevant.                           | No GPR register results.                                         |                                                |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                         | Type of<br>Operation <sup>2</sup>                                                                              | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                  | For 64-Bit<br>Operand Size <sup>4</sup>                                       |
|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|-----------------------------------------|--------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| <b>STGI</b> —Set Global Interrupt Flag<br>0F 01 DC                   | Same as<br>legacy mode.                                                                                        | Not relevant.                           | No GPR register results.                                                 |                                                                               |
| <b>STI</b> - Set Interrupt Flag<br>FB                                | Same as<br>legacy mode.                                                                                        | Not relevant.                           | No GPR register results.                                                 |                                                                               |
| <b>STOS, STOSW, STOSD, STOSQ</b> - Store String<br>AB                | Promoted to<br>64 bits.                                                                                        | 32 bits                                 | STOSD: Store String Doublewords.<br>See footnote <sup>5</sup>            | STOSQ (new mnemonic):<br>Store String Quadwords.<br>See footnote <sup>5</sup> |
| <b>STR</b> —Store Task Register<br>0F 00 /1                          | Same as<br>legacy mode.                                                                                        | 32                                      | Zero-extends 2-byte TR selector to<br>64 bits.                           |                                                                               |
| <b>SUB</b> —Subtract<br>29<br>2B<br>2D<br>81 /5<br>83 /5             | Promoted to<br>64 bits.                                                                                        | 32 bits                                 | Zero-extends 32-bit register<br>results to 64 bits.                      |                                                                               |
| <b>SWAPGS</b> —Swap GS Register with<br>KernelGSbase MSR<br>0F 01 /7 | New<br>instruction,<br>available only<br>in 64-bit<br>mode. (In<br>other modes,<br>this opcode<br>is invalid.) | Not relevant.                           | See “SWAPGS Instruction” in APM<br>Volume 2.                             |                                                                               |
| <b>SYSCALL</b> —Fast System Call<br>0F 05                            | Promoted to<br>64 bits.                                                                                        | Not relevant.                           | See “SYSCALL and SYSRET<br>Instructions” in APM Volume 2 for<br>details. |                                                                               |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>       | Type of<br>Operation <sup>2</sup>               | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                            | For 64-Bit<br>Operand Size <sup>4</sup> |
|----------------------------------------------------|-------------------------------------------------|-----------------------------------------|--------------------------------------------------------------------|-----------------------------------------|
| <b>SYSENTER</b> —System Call<br>0F 34              | INVALID IN LONG MODE (invalid-opcode exception) |                                         |                                                                    |                                         |
| <b>SYSEXIT</b> —System Return<br>0F 35             | INVALID IN LONG MODE (invalid-opcode exception) |                                         |                                                                    |                                         |
| <b>SYSRET</b> —Fast System Return<br>0F 07         | Promoted to<br>64 bits.                         | 32 bits                                 | See “SYSCALL and SYSRET Instructions” in APM Volume 2 for details. |                                         |
| <b>TEST</b> —Test Bits<br>85<br>A9<br>F7 /0        | Promoted to<br>64 bits.                         | 32 bits                                 | No GPR register results.                                           |                                         |
| <b>UD2</b> —Undefined Operation<br>0F 0B           | Same as<br>legacy mode.                         | Not relevant.                           | No GPR register results.                                           |                                         |
| <b>VERR</b> —Verify Segment for Reads<br>0F 00 /4  | Same as<br>legacy mode.                         | Operand size<br>fixed at 16<br>bits     | No GPR register results.                                           |                                         |
| <b>VERW</b> —Verify Segment for Writes<br>0F 00 /5 | Same as<br>legacy mode.                         | Operand size<br>fixed at 16<br>bits     | No GPR register results.                                           |                                         |
| <b>VMLOAD</b> —Load State from VMCB<br>0F 01 DA    | Same as<br>legacy mode.                         | Not relevant.                           | No GPR register results.                                           |                                         |
| <b>VMMCALL</b> —Call VMM<br>0F 01 D9               | Same as<br>legacy mode.                         | Not relevant.                           | No GPR register results.                                           |                                         |
| <b>VMRUN</b> —Run Virtual Machine<br>0F 01 D8      | Same as<br>legacy mode.                         | Not relevant.                           | No GPR register results.                                           |                                         |
| <b>VMSAVE</b> —Save State to VMCB<br>0F 01 DB      | Same as<br>legacy mode.                         | Not relevant.                           | No GPR register results.                                           |                                         |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

**Table B-1. Operations and Operands in 64-Bit Mode (continued)**

| Instruction and<br>Opcode (hex) <sup>1</sup>                         | Type of<br>Operation <sup>2</sup> | Default<br>Operand<br>Size <sup>3</sup> | For 32-Bit<br>Operand Size <sup>4</sup>                                     | For 64-Bit<br>Operand Size <sup>4</sup> |
|----------------------------------------------------------------------|-----------------------------------|-----------------------------------------|-----------------------------------------------------------------------------|-----------------------------------------|
| <b>WAIT</b> —Wait for Interrupt<br>9B                                | Same as<br>legacy mode.           | Not relevant.                           | No GPR register results.                                                    |                                         |
| <b>WBINVD</b> —Writeback and Invalidate All<br>Caches<br>0F 09       | Same as<br>legacy mode.           | Not relevant.                           | No GPR register results.                                                    |                                         |
| <b>WRMSR</b> —Write to Model-Specific<br>Register<br>0F 30           | Same as<br>legacy mode.           | Not relevant.                           | No GPR register results.<br>MSR[63:32] = RDX[31:0]<br>MSR[31:0] = RAX[31:0] |                                         |
| <b>XADD</b> —Exchange and Add<br>0F C1                               | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-<br>bit register<br>results to 64 bits.                     |                                         |
| <b>XCHG</b> —Exchange Register/Memory<br>with Register<br>87<br>90   | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-<br>bit register<br>results to 64 bits.                     |                                         |
| <b>XOR</b> —Logical Exclusive OR<br>31<br>33<br>35<br>81 /6<br>83 /6 | Promoted to<br>64 bits.           | 32 bits                                 | Zero-extends 32-<br>bit register<br>results to 64 bits.                     |                                         |

**Notes:**

1. See “General Rules for 64-Bit Mode” on page 581, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-Bit Mode” on page 581 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result operands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respectively, of 64-bit destination registers unchanged. Immediate and branch displacements are sign-extended to 64 bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override in 64-bit mode.

## B.3 Invalid and Reassigned Instructions in 64-Bit Mode

Table B-2 lists instructions that are illegal in 64-bit mode. Attempted use of these instructions generates an invalid-opcode exception (#UD).

**Table B-2. Invalid Instructions in 64-Bit Mode**

| Mnemonic         | Opcode (hex) | Description                                |
|------------------|--------------|--------------------------------------------|
| AAA              | 37           | ASCII Adjust After Addition                |
| AAD              | D5           | ASCII Adjust Before Division               |
| AAM              | D4           | ASCII Adjust After Multiply                |
| AAS              | 3F           | ASCII Adjust After Subtraction             |
| CALL (far)       | 9A           | Procedure Call Far (far absolute)          |
| DAA              | 27           | Decimal Adjust after Addition              |
| DAS              | 2F           | Decimal Adjust after Subtraction           |
| INTO             | CE           | Interrupt to Overflow Vector               |
| JMP (far)        | EA           | Jump Far (absolute)                        |
| LDS              | C5           | Load DS Far Pointer                        |
| LES              | C4           | Load ES Far Pointer                        |
| POP DS           | 1F           | Pop Stack into DS Segment                  |
| POP ES           | 07           | Pop Stack into ES Segment                  |
| POP SS           | 17           | Pop Stack into SS Segment                  |
| POPA, POPAD      | 61           | Pop All to GPR Words or Doublewords        |
| PUSH CS          | 0E           | Push CS Segment Selector onto Stack        |
| PUSH DS          | 1E           | Push DS Segment Selector onto Stack        |
| PUSH ES          | 06           | Push ES Segment Selector onto Stack        |
| PUSH SS          | 16           | Push SS Segment Selector onto Stack        |
| PUSHA,<br>PUSHAD | 60           | Push All to GPR Words or Doublewords       |
| Redundant Grp1   | 82 /2        | Redundant encoding of group1 Eb,lb opcodes |
| SALC             | D6           | Set AL According to CF                     |

Table B-3 lists instructions that are reassigned to different functions in 64-bit mode. Attempted use of these instructions generates the reassigned function.

**Table B-3. Reassigned Instructions in 64-Bit Mode**

| Mnemonic    | Opcode (hex) | Description                                                                                                                        |
|-------------|--------------|------------------------------------------------------------------------------------------------------------------------------------|
| ARPL        | 63           | Opcode for MOVSXD instruction in 64-bit mode. In all other modes, this is the Adjust Requestor Privilege Level instruction opcode. |
| DEC and INC | 40-4F        | REX prefixes in 64-bit mode. In all other modes, decrement by 1 and increment by 1.                                                |
| BOUND       | 62           | EVEX Prefix. Introduces the EVEX four-byte instruction encoding escape sequence.                                                   |
| LDS         | C5           | VEX Prefix. Introduces the VEX two-byte instruction encoding escape sequence.                                                      |
| LES         | C4           | VEX Prefix. Introduces the VEX three-byte instruction encoding escape sequence.                                                    |

Table B-4 lists instructions that are illegal in long mode. Attempted use of these instructions generates an invalid-opcode exception (#UD).

**Table B-4. Invalid Instructions in Long Mode**

| Mnemonic | Opcode (hex) | Description   |
|----------|--------------|---------------|
| SYSENTER | 0F 34        | System Call   |
| SYSEXIT  | 0F 35        | System Return |

## B.4 Instructions with 64-Bit Default Operand Size

In 64-bit mode, two groups of instructions default to 64-bit operand size without the need for a REX prefix:

- *Near branches* —CALL, Jcc, JrCX, JMP, LOOP, and RET.
- *All instructions, except far branches, that implicitly reference the RSP*—CALL, ENTER, LEAVE, POP, PUSH, and RET (CALL and RET are in both groups of instructions).

Table B-5 lists these instructions.

**Table B-5. Instructions Defaulting to 64-Bit Operand Size**

| Mnemonic              | Opcode (hex)  | Implicitly Reference RSP | Description                                          |
|-----------------------|---------------|--------------------------|------------------------------------------------------|
| CALL                  | E8, FF /2     | yes                      | Call Procedure Near                                  |
| ENTER                 | C8            | yes                      | Create Procedure Stack Frame                         |
| Jcc                   | many          | no                       | Jump Conditional Near                                |
| JMP                   | E9, EB, FF /4 | no                       | Jump Near                                            |
| LEAVE                 | C9            | yes                      | Delete Procedure Stack Frame                         |
| LOOP                  | E2            | no                       | Loop                                                 |
| LOOPcc                | E0, E1        | no                       | Loop Conditional                                     |
| POP reg/mem           | 8F /0         | yes                      | Pop Stack (register or memory)                       |
| POP reg               | 58-5F         | yes                      | Pop Stack (register)                                 |
| POP FS                | 0F A1         | yes                      | Pop Stack into FS Segment Register                   |
| POP GS                | 0F A9         | yes                      | Pop Stack into GS Segment Register                   |
| POPF, POPFD, POPFQ    | 9D            | yes                      | Pop to rFLAGS Word, Doubleword, or Quadword          |
| PUSH imm8             | 6A            | yes                      | Push onto Stack (sign-extended byte)                 |
| PUSH imm32            | 68            | yes                      | Push onto Stack (sign-extended doubleword)           |
| PUSH reg/mem          | FF /6         | yes                      | Push onto Stack (register or memory)                 |
| PUSH reg              | 50-57         | yes                      | Push onto Stack (register)                           |
| PUSH FS               | 0F A0         | yes                      | Push FS Segment Register onto Stack                  |
| PUSH GS               | 0F A8         | yes                      | Push GS Segment Register onto Stack                  |
| PUSHF, PUSHFD, PUSHFQ | 9C            | yes                      | Push rFLAGS Word, Doubleword, or Quadword onto Stack |
| RET                   | C2, C3        | yes                      | Return From Call (near)                              |

The 64-bit default operand size can be overridden to 16 bits using the 66h operand-size override. However, it is not possible to override the operand size to 32 bits because there is no 32-bit operand-size override prefix for 64-bit mode. See “Operand-Size Override Prefix” on page 7 for details.

## B.5 Single-Byte INC and DEC Instructions in 64-Bit Mode

In 64-bit mode, the legacy encodings for the 16 single-byte INC and DEC instructions (one for each of the eight GPRs) are used to encode the REX prefix values, as described in “REX Prefix” on page 14. Therefore, these single-byte opcodes for INC and DEC are not available in 64-bit mode, although they are available in legacy and compatibility modes. The functionality of these INC and DEC instructions is still available in 64-bit mode, however, using the ModRM forms of those instructions (opcodes FF/0 and FF/1).

## B.6 NOP in 64-Bit Mode

Programs written for the legacy x86 architecture commonly use opcode 90h (the XCHG EAX, EAX instruction) as a one-byte NOP. In 64-bit mode, the processor treats opcode 90h specially in order to preserve this legacy NOP use. Without special handling in 64-bit mode, the instruction would not be a true no-operation. Therefore, in 64-bit mode the processor treats XCHG EAX, EAX as a true NOP, regardless of operand size.

This special handling does not apply to the two-byte ModRM form of the XCHG instruction. Unless a 64-bit operand size is specified using a REX prefix byte, using the two byte form of XCHG to exchange a register with itself will not result in a no-operation because the default operation size is 32 bits in 64-bit mode.

## B.7 Segment Override Prefixes in 64-Bit Mode

In 64-bit mode, the CS, DS, ES, SS segment-override prefixes have no effect. These four prefixes are no longer treated as segment-override prefixes in the context of multiple-prefix rules. Instead, they are treated as null prefixes.

The FS and GS segment-override prefixes are treated as true segment-override prefixes in 64-bit mode. Use of the FS and GS prefixes cause their respective segment bases to be added to the effective address calculation. See “FS and GS Registers in 64-Bit Mode” in APM Volume 2 for details.

## Appendix C Differences Between Long Mode and Legacy Mode

Table C-1 summarizes the major differences between 64-bit mode and legacy protected mode. The third column indicates differences between 64-bit mode and legacy mode. The fourth column indicates whether that difference also applies to compatibility mode.

**Table C-1. Differences Between Long Mode and Legacy Mode**

| Type                    | Subject                 | 64-Bit Mode Difference                                                                                      | Applies To Compatibility Mode? |
|-------------------------|-------------------------|-------------------------------------------------------------------------------------------------------------|--------------------------------|
| Application Programming | Addressing              | RIP-relative addressing available                                                                           | no                             |
|                         | Data and Address Sizes  | Default data size is 32 bits                                                                                |                                |
|                         |                         | REX Prefix toggles data size to 64 bits                                                                     |                                |
|                         |                         | Default address size is 64 bits                                                                             |                                |
|                         |                         | Address size prefix toggles address size to 32 bits                                                         |                                |
|                         | Instruction Differences | Various opcodes are invalid or changed in 64-bit mode (see Table B-2 on page 607 and Table B-3 on page 608) | yes                            |
|                         |                         | Various opcodes are invalid in long mode (see Table B-4 on page 608)                                        |                                |
|                         |                         | MOV reg,imm32 becomes MOV reg,imm64 (with REX operand size prefix)                                          | no                             |
|                         |                         | REX is always enabled                                                                                       |                                |
|                         |                         | Direct-offset forms of MOV to or from accumulator become 64-bit offsets                                     |                                |
|                         |                         | MOVD extended to MOV 64 bits between MMX registers and long GPRs (with REX operand-size prefix)             |                                |

**Table C-1. Differences Between Long Mode and Legacy Mode (continued)**

| Type               | Subject                                                | 64-Bit Mode Difference                                                                     | Applies To Compatibility Mode? |
|--------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------|--------------------------------|
| System Programming | x86 Modes                                              | Real and virtual-8086 modes not supported                                                  | yes                            |
|                    | Task Switching                                         | Task switching not supported                                                               | yes                            |
|                    | Addressing                                             | 64-bit virtual addresses                                                                   | yes                            |
|                    |                                                        | 4-level paging structures                                                                  |                                |
|                    |                                                        | PAE must always be enabled                                                                 |                                |
|                    | Segmentation                                           | CS, DS, ES, SS segment bases are ignored                                                   | no                             |
|                    |                                                        | CS, DS, ES, FS, GS, SS segment limits are ignored                                          |                                |
|                    |                                                        | CS, DS, ES, SS Segment prefixes are ignored                                                |                                |
|                    | Exception and Interrupt Handling                       | All pushes are 8 bytes                                                                     | yes                            |
|                    |                                                        | 16-bit interrupt and trap gates are illegal                                                |                                |
|                    |                                                        | 32-bit interrupt and trap gates are redefined as 64-bit gates and are expanded to 16 bytes |                                |
|                    |                                                        | SS is set to null on stack switch                                                          |                                |
|                    |                                                        | SS:RSP is pushed unconditionally                                                           |                                |
|                    | Call Gates                                             | All pushes are 8 bytes                                                                     | yes                            |
|                    |                                                        | 16-bit call gates are illegal                                                              |                                |
|                    |                                                        | 32-bit call gate type is redefined as 64-bit call gate and is expanded to 16 bytes.        |                                |
|                    |                                                        | SS is set to null on stack switch                                                          |                                |
|                    | System-Descriptor Registers                            | GDT, IDT, LDT, TR base registers expanded to 64 bits                                       | yes                            |
|                    | System-Descriptor Table Entries and Pseudo-descriptors | LGDT and LIDT use expanded 10-byte pseudo-descriptors.                                     | no                             |
|                    |                                                        | LLDT and LTR use expanded 16-byte table entries.                                           |                                |

## Appendix D Instruction Subsets and CPUID Feature Flags

This appendix provides information that can be used to determine if a specific instruction within the AMD64 instruction-set architecture (ISA) is supported on a processor.

Originally the x86 ISA was composed of a set of instructions from the general-purpose and system instruction groups. This set forms the base of the AMD64 ISA. As the ISA expanded over time, new instructions were added. Each addition constituted either a single instruction or a set of instructions and each addition was assigned a specific processor feature flag.

Although most current processor products support the entire ISA, support for each added instruction or instruction subset is optional and must be confirmed by testing the corresponding feature flag. The presence of a particular instruction or subset is indicated by the corresponding feature flag being set. A feature flag is a single bit value located at a specific bit position within the 32-bit value returned in a register as a result of executing the CPUID instruction.

For more information on using the CPUID instruction, see the instruction reference page for CPUID on page 171. For a comprehensive list of processor feature flags accessed using the CPUID instruction, see Appendix E, “Obtaining Processor Information Via the CPUID Instruction” on page 621.

## D.1 Instruction Set Overview

The AMD64 ISA can be organized into five instruction groups:

### 1. General-purpose instructions

These instructions operate on the general-purpose registers (GP registers) and can be used at all privilege levels. This group includes instructions to load and store the contents of a GP register to and from memory, move values between the GP registers, and perform arithmetic and logical operations on the contents of the registers.

### 2. System instructions

These instructions provide the means to manipulate the processor operating mode, access processor resources, handle program and system errors, and manage system memory. Many of these instructions require privilege level 0 to execute.

### 3. x87 instructions

These instructions are available at all privilege levels and include legacy floating-point instructions that use the ST(0)–ST(7) stack registers (FPR0–FPR7 physical registers) and internally use extended precision (80-bit) binary floating-point representation and operations.

### 4. 64-bit media Instructions

These instructions are available at all privilege levels and perform vector operations on packed integer and floating-point values held in the 64-bit MMX™ registers. The MMX register set overlays the FPR0–FPR7 physical registers. This group is composed of the MMX and 3DNow!™ instruction subsets and was subsequently expanded by the MMX and 3DNow! extensions subsets.

### 5. SSE instructions

The SSE instructions operate on packed integer and floating-point values held in the XMM / YMM / ZMM registers. SSE includes the original Streaming SIMD Extensions, all the subsequent named SSE subsets, and the AVX512, AVX, XOP, and AES instructions.

Figure D-1 on page 615 represents the relationship between the five major instruction groups and the named instruction subsets. Circles represent the instruction subsets. These include the base instruction set labeled “Base Instructions” in the diagram and the named subsets. The diagram omits individual optional instructions and some of the minor named instruction subsets. Dashed-line polygons represent the instruction groups.

Note that the 128-bit, 256-bit and 512-bit media instructions are referred to collectively as the Streaming SIMD Extensions (SSE). This is also the name of the original SSE subset. In the diagram the original SSE subset is labeled “SSE1 Instructions.” Collectively the 64-bit media and the SSE instructions make up the single instruction / multiple data (SIMD) group (labeled “SIMD Instructions” in the diagram).

The overlapping of the SSE and 64-bit media instruction subsets indicates that these subsets share some common mnemonics. However, these common mnemonics either have distinct opcodes for each subset or they take operands in both the MMX and XMM register sets.

The horizontal axis of Figure D-1 shows how the subsets have evolved over time.



Figure D-1. AMD64 ISA Instruction Subsets

## D.2 CPUD Feature Flags Related to Instruction Support

Only a subset of the CPUD feature flags provides information related to instruction support.

The feature flags related to supported instruction subsets are accessed via the *standard* function number 0000\_0001h, the *extended* function number 8000\_0001h, and the *structured extended* function number 0000\_0007h.

The following table lists all flags related to instruction support. Entries for each flag provide the instruction or instruction subset corresponding to the flag, the CPUD function that must be executed to access the flag, and the bit position of the flag in the return value.

**Table D-1. Feature Flags for Instruction / Instruction Subset Support**

| Feature Flag  | Instruction or Subset                                  | CPUD Function <sup>1</sup> | Feature Flag Bit Position <sup>2</sup> |
|---------------|--------------------------------------------------------|----------------------------|----------------------------------------|
| 3DNow         | 3DNow!                                                 | extended                   | EDX[31]                                |
| 3DNowExt      | 3DNow! Extensions                                      | extended                   | EDX[30]                                |
| 3DNowPrefetch | PREFETCH / PREFETCHW                                   | extended                   | ECX[8], EDX[29], or EDX[31]            |
| ABM           | LZCNT                                                  | extended                   | ECX[5]                                 |
| ADX           | ADCX, ADOX                                             | 0000_0007_0                | EBX[19]                                |
| AES           | AES                                                    | standard                   | ECX[25]                                |
| AVX           | AVX                                                    | standard                   | ECX[28]                                |
| AVX2          | AVX2                                                   | 0000_0007_0                | EBX[5]                                 |
| AVX512BW      | AVX512 Byte/Word Packed Integer Instructions           | 0000_0007_0                | EBX[30]                                |
| AVX512CD      | AVX512 Conflict Detection for Vectorizing Loops        | 0000_0007_0                | EBX[28]                                |
| AVX512DQ      | AVX512 Doubleword/Quadword Packed Integer instructions | 0000_0007_0                | EBX[17]                                |
| AVX512F       | AVX512 Base (Foundation)                               | 0000_0007_0                | EBX[16]                                |
| AVX512VL      | Extends AVX512 Instructions to 128 and 256 bits        | 0000_0007_0                | EBX[31]                                |

**Notes:**

1. *standard* = Fn0000\_0001h; *extended* = Fn 8000\_0001h; *both* means that both standard and extended CPUD functions return the same feature flag in the same bit position of the return value. For functions of the form xxxx\_xxxx\_x, the trailing digit is the value required in ECX.
2. Register and bit position of the return value that corresponds to the feature flag.
3. FCMOVcc instruction is supported if x87 and CMOVcc instructions are both supported.
4. XSAVE (and related) instructions require separate enablement.

**Table D-1. Feature Flags for Instruction / Instruction Subset Support (continued)**

| Feature Flag        | Instruction or Subset                                                                                                        | CPUID Function <sup>1</sup> | Feature Flag Bit Position <sup>2</sup> |
|---------------------|------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------|
| AVX512_BF16         | AVX512 BFloat16<br>Converts and Dot-Products<br>VCVTNE(2)PS2BF16,<br>VDPBF16PS                                               | 0000_0007_1                 | EAX[5]                                 |
| AVX512_BITALG       | AVX512 Bit Manipulation<br>VPOPCNT[BW],<br>VPSHUFBITQMB                                                                      | 0000_0007_0                 | ECX[12]                                |
| AVX512_IFMA         | Integer Fused Mul-Add<br>VPMADD52HUQ,<br>VPMADD52LUQ                                                                         | 0000_0007_0                 | EBX[21]                                |
| AVX512_VBMI         | Vector Byte Permutation<br>VPERMB, VPERMI2B,<br>VPERMT2B,<br>VPMULTISHIFTQB                                                  | 0000_0007_0                 | ECX[1]                                 |
| AVX512_VBMI2        | Vector Byte Permutation<br>VPCOMPRESS[BW],<br>VPEXPAND[BW],<br>VPSHLD[WDQ],<br>VPSHLDV[WDQ],<br>VPSHRD[WDQ],<br>VPSHRDV[WDQ] | 0000_0007_0                 | ECX[6]                                 |
| AVX512_VNNI         | Vector Neural Net Instructions<br>VPDPBUSD,<br>VPDPBUSDS,<br>VPDPWSSD,<br>VPDPWSSDS                                          | 0000_0007_0                 | ECX[11]                                |
| AVX512_VPOPCNTDQ    | Bit Manipulation<br>VPOPCNT[DQ]                                                                                              | 0000_0007_0                 | ECX[14]                                |
| AVX512_VP2INTERSECT | VP2INTERSECT [DQ] instructions                                                                                               | 0000_0007_0                 | EDX[8]                                 |
| AVX-VNNI            | AVX Neural Network Instructions<br>VPDPBUSD,<br>VPDPBUSDS,<br>VPDPWSSD,<br>VPDPWSSDS                                         | 0000_0007_1                 | EAX[4]                                 |

**Notes:**

1. *standard* = Fn0000\_0001h; *extended* = Fn 8000\_0001h; *both* means that both standard and extended CPUID functions return the same feature flag in the same bit position of the return value. For functions of the form xxxx\_xxxx\_x, the trailing digit is the value required in ECX.
2. Register and bit position of the return value that corresponds to the feature flag.
3. FCMOVcc instruction is supported if x87 and CMOVcc instructions are both supported.
4. XSAVE (and related) instructions require separate enablement.

**Table D-1. Feature Flags for Instruction / Instruction Subset Support (continued)**

| Feature Flag | Instruction or Subset                                                                              | CPUID Function <sup>1</sup> | Feature Flag Bit Position <sup>2</sup> |
|--------------|----------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------|
| BASE         | Base Instruction set                                                                               | —                           | —                                      |
| BMI1         | Bit Manipulation, group 1                                                                          | 0000_0007_0                 | EBX[3]                                 |
| BMI2         | Bit Manipulation, group 2                                                                          | 0000_0007_0                 | EBX[8]                                 |
| CET_SS       | Shadow Stack,<br>CLRSSBSY, INCSSP,<br>RDSSP, RSTORSSP,<br>SAVEPREVSSP,<br>SETSSBSY, WRSS,<br>WRUSS | 0000_0007_0                 | ECX[7]                                 |
| CLFLOPT      | CLFLUSHOPT                                                                                         | 0000_0007_0                 | EBX[23]                                |
| CLFSH        | CLFLUSH, CLWB                                                                                      | standard                    | EDX[19]                                |
| CLWB         | CLWB                                                                                               | 0000_0007_0                 | EBX[24]                                |
| CLZERO       | CLZERO                                                                                             | 8000_0008                   | EBX[0]                                 |
| CMPXCHG8B    | CMPXCHG8B                                                                                          | both                        | EDX[8]                                 |
| CMPXCHG16B   | CMPXCHG16B                                                                                         | standard                    | ECX[13]                                |
| CMOV         | CMOVcc                                                                                             | both                        | EDX[15]                                |
| F16C         | 16-bit floating-point<br>conversion                                                                | standard                    | ECX[29]                                |
| FMA          | FMA                                                                                                | standard                    | ECX[12]                                |
| FMA4         | FMA4                                                                                               | extended                    | ECX[16]                                |
| FPU          | x87                                                                                                | both                        | EDX[0]                                 |
| FSGSBASE     | FS and GS base read<br>and write                                                                   | 0000_0007_0                 | EBX[0]                                 |
| FXSR         | FXSAVE / FXRSTOR                                                                                   | both                        | EDX[24]                                |
| GFNI         | Galois Field New<br>Instructions<br>(V)GF2P8AFFINE(INV)Q<br>B,<br>(V)GF2P8MULB                     | 0000_0007_0                 | ECX[8]                                 |
| INVLPG       | INVLPG, TLBSYNC                                                                                    | 8000_0008                   | EBX[3]                                 |
| INVPCID      | INVPCID                                                                                            | 0000_0007_0                 | EBX[10]                                |
| LahfSahf     | LAHF / SAHF                                                                                        | extended                    | ECX[0]                                 |
| LM           | Long Mode                                                                                          | extended                    | EDX[29]                                |
| MCOMMIT      | MCOMMIT                                                                                            | 8000_0008                   | EBX[8]                                 |
| MMX          | MMX                                                                                                | both                        | EDX[23]                                |
| MmxExt       | MMX Extensions                                                                                     | extended                    | EDX[22]                                |
| MONITOR      | MONITOR / MWAIT                                                                                    | standard                    | ECX[3]                                 |

**Notes:**

1. standard = Fn0000\_0001h; extended = Fn 8000\_0001h; both means that both standard and extended CPUID functions return the same feature flag in the same bit position of the return value. For functions of the form xxxx\_xxxx\_x, the trailing digit is the value required in ECX.
2. Register and bit position of the return value that corresponds to the feature flag.
3. FCMOVcc instruction is supported if x87 and CMOVcc instructions are both supported.
4. XSAVE (and related) instructions require separate enablement.

**Table D-1. Feature Flags for Instruction / Instruction Subset Support (continued)**

| <b>Feature Flag</b> | <b>Instruction or Subset</b>                  | <b>CPUID Function<sup>1</sup></b> | <b>Feature Flag Bit Position<sup>2</sup></b> |
|---------------------|-----------------------------------------------|-----------------------------------|----------------------------------------------|
| MONITORX            | MONITORX / MWAITX                             | extended                          | ECX[29]                                      |
| MOVBE               | MOVBE                                         | standard                          | ECX[22]                                      |
| MOVDIR              | MOVDIRI, MOVDIR64B                            | 0000_0007_0                       | ECX[27]                                      |
| MSR                 | RDMSR / WRMSR                                 | both                              | EDX[5]                                       |
| OSPKE               | RDPKRU, WRPKRU                                | 0000_0007_0                       | ECX[4]                                       |
| PCLMULQDQ           | PCLMULQDQ                                     | standard                          | ECX[1]                                       |
| POPCNT              | POPCNT                                        | standard                          | ECX[23]                                      |
| RDPID               | RDPID                                         | 0000_0007_0                       | ECX[22]                                      |
| RDPRU               | RDPRU                                         | 8000_0008                         | EBX[4]                                       |
| RDRAND              | RDRAND                                        | standard                          | ECX[30]                                      |
| RDTSCP              | RDTSCP                                        | extended                          | EDX[27]                                      |
| RDSEED              | RDSEED                                        | 0000_0007_0                       | EBX[18]                                      |
| SevEs               | VMGEXIT                                       | 8000_001F                         | EAX[3]                                       |
| SHA                 | SHA                                           | 0000_0007_0                       | EBX[29]                                      |
| SKINIT              | SKINIT / STGI                                 | extended                          | ECX[12]                                      |
| SMAP                | CLAC, STAC                                    | 0000_0007_0                       | EBX[20]                                      |
| SNP                 | PSMASH, PVALIDATE,<br>RMPADJUST,<br>RMPUPDATE | 8000_001F                         | EAX[4]                                       |
| SNP                 | RMPQUERY                                      | 8000_001F                         | EAX[6]                                       |
| SNP                 | RMPREAD                                       | 8000_001F                         | EAX[21]                                      |
| SSE                 | SSE1                                          | standard                          | EDX[25]                                      |
| SSE2                | SSE2                                          | standard                          | EDX[26]                                      |
| SSE3                | SSE3                                          | standard                          | ECX[0]                                       |
| SSSE3               | SSSE3                                         | standard                          | ECX[9]                                       |
| SSE4A               | SSE4A                                         | extended                          | ECX[6]                                       |
| SSE41               | SSE4.1                                        | standard                          | ECX[19]                                      |
| SSE42               | SSE4.2                                        | standard                          | ECX[20]                                      |
| SVM                 | Secure Virtual Machine                        | extended                          | ECX[2]                                       |
| SysCallSysRet       | SYSCALL / SYSRET                              | extended                          | EDX[11]                                      |
| SysEnterSysExit     | SYSENTER / SYSEXIT                            | standard                          | EDX[11]                                      |
| TBM                 | Trailing bit manipulation                     | extended                          | ECX[21]                                      |
| TSC                 | RDTSC                                         | both                              | EDX[4]                                       |
| VAES                | VAES 256-bit instructions                     | 0000_0007_0                       | ECX[9]                                       |
| VPCMULQDQ           | VPCMULQDQ 256-bit<br>instructions             | 0000_0007_0                       | ECX[10]                                      |

**Notes:**

1. *standard* = Fn0000\_0001h; *extended* = Fn 8000\_0001h; *both* means that both standard and extended CPUID functions return the same feature flag in the same bit position of the return value. For functions of the form xxxx\_xxxx\_x, the trailing digit is the value required in ECX.
2. Register and bit position of the return value that corresponds to the feature flag.
3. FCMOVcc instruction is supported if x87 and CMOVcc instructions are both supported.
4. XSAVE (and related) instructions require separate enablement.

**Table D-1. Feature Flags for Instruction / Instruction Subset Support (continued)**

| Feature Flag    | Instruction or Subset       | CPUID Function <sup>1</sup> | Feature Flag Bit Position <sup>2</sup> |
|-----------------|-----------------------------|-----------------------------|----------------------------------------|
| WBNOINVD        | WBNOINVD                    | 8000_0008                   | EBX[9]                                 |
| x87 && CMOV     | FCMOVcc <sup>3</sup>        | both                        | EDX[0] && EDX[15]                      |
| XGETBV w/ ECX=1 | XGETBV w/ ECX=1             | 0000_000D_1                 | EAX[2]                                 |
| XOP             | XOP                         | extended                    | ECX[11]                                |
| XSAVE           | XSAVE / XRSTOR <sup>4</sup> | standard                    | ECX[26]                                |
| XSAVEC          | XSAVEC                      | 0000_000D_1                 | EAX[1]                                 |
| XSAVEOPT        | XSAVEOPT                    | 0000_000D_1                 | EAX[0]                                 |
| XSAVES/XRSTORS  | XSAVES / XRSTORS            | 0000_000D_1                 | EAX[3]                                 |

**Notes:**

1. *standard* = Fn0000\_0001h; *extended* = Fn 8000\_0001h; *both* means that both standard and extended CPUID functions return the same feature flag in the same bit position of the return value. For functions of the form xxxx\_xxxx\_x, the trailing digit is the value required in ECX.
2. Register and bit position of the return value that corresponds to the feature flag.
3. FCMOVcc instruction is supported if x87 and CMOVcc instructions are both supported.
4. XSAVE (and related) instructions require separate enablement.

## Appendix E Obtaining Processor Information Via the CPUID Instruction

This appendix specifies the information that software can obtain about the processor on which it is running by executing the CPUID instruction. The information in this appendix supersedes the contents of the *CPUID Specification*, order #25481, which is now obsolete.

The CPUID instruction is described on page 171. This appendix does not replace the CPUID instruction reference information presented there.

The CPUID instruction behaves much like a function call. Parameters are passed to the instruction via registers and on execution the instruction loads specific registers with return values. These return values can be interpreted by software based on the field definitions and their assigned meanings.

The first input parameter is the *function number* which is passed to the instruction via the EAX register. Some functions also accept a second input parameter passed via the ECX register. Values are returned via the EAX, EBX, ECX, and EDX registers. Software should not assume that any values written to these registers prior to the execution of CPUID instruction will be retained after the instruction executes (even those that are marked reserved).

The description of each return value breaks the value down into one or more named *fields* which represent a bit position or contiguous range of bits. All bit positions that are not defined as fields are reserved. The value of bits within reserved ranges cannot be relied upon to be zero. Software must mask off all reserved bits in the return value prior to making any value comparisons of represented information.

This appendix applies to all AMD processors with a family designation of 0Fh or greater.

### E.1 Special Notational Conventions

The following special notation conventions are used in this appendix:

- The notation (standard throughout this APM) for representing the function number, optional input parameter, and the information returned is as follows:

CPUID FnXXXX\_XXXX\_RRR[*FieldName*]\_xYYY.

Where:

- *XXXX\_XXXX* is the function number represented in hexadecimal (passed to the instruction in EAX).
- *RRR* is one of {EDX, ECX, EBX, EAX} and represents a register holding a return value.
- *YYY* represents the optional input parameter passed in the ECX register expressed as a hexadecimal number. If this parameter is not used, the characters represented by *\_xYYY* are omitted from the notation.

- *FieldName* identifies a specific named element of processor information represented by a specific bit range (1 or more bits wide) within the *RRR* register.
- The notation CPUID FnXXXX\_XXXX\_RRR is used when referring to one of the registers that holds information returned by the instruction.
- The notation CPUID FnXXXX\_XXXX or FnXXXX\_XXXX is used to refer to a specific function number.
- Most one-bit fields indicate support or non-support of a specific processor feature. By convention, (unless otherwise noted) a value of 1 means that the feature is supported by the processor and a value of 0 means that the feature is not supported by the processor.

## E.2 Standard and Extended Function Numbers

The CPUID instruction supports two sets or ranges of function numbers: standard and extended.

- The smallest function number of the standard function range is Fn0000\_0000. The largest function number of the standard function range, for a particular implementation, is returned in CPUID Fn0000\_0000\_EAX.
- The smallest function number of the extended function range is Fn8000\_0000. The largest function number of the extended function range, for a particular implementation, is returned in CPUID Fn8000\_0000\_EAX.

## E.3 Standard Feature Function Numbers

This section describes each of the defined CPUID functions in the standard range.

### E.3.1 Function 0h—Maximum Standard Function Number and Vendor String

This function number provides information about the maximum standard function number supported on this processor and a string that identifies the vendor of the product.

#### CPUID Fn0000\_0000\_EAX Largest Standard Function Number

The value returned in EAX provides the largest standard function number supported by this processor.

| Bits | Field Name | Description                                                                                                           |
|------|------------|-----------------------------------------------------------------------------------------------------------------------|
| 31:0 | LFuncStd   | Largest standard function. The largest CPUID standard function input value supported by the processor implementation. |

#### CPUID Fn0000\_0000\_E[D,C,B]X Processor Vendor

The values returned in EBX, EDX, and ECX together provide a 12-character string identifying the vendor of this processor. Each register supplies 4 characters. The leftmost character of each substring

is stored in the least significant bit position in the register. The string is the concatenation of the contents of EBX, EDX, and ECX in left to right order. No null terminator is included in the string.

CPUID Fn8000\_0000\_E[D,C,B]X return the same values as this function.

| Bits | Field Name | Description                                                                                             |
|------|------------|---------------------------------------------------------------------------------------------------------|
| 31:0 | Vendor     | Four characters of the 12-byte character string (encoded in ASCII) “AuthenticAMD”. See Table E-1 below. |

**Table E-1. CPUID Fn0000\_0000\_E[D,C,B]X values**

| Register              | Value      | Description                     |
|-----------------------|------------|---------------------------------|
| CPUID Fn0000_0000_EBX | 6874_7541h | The ASCII characters “h t u A”. |
| CPUID Fn0000_0000_ECX | 444D_4163h | The ASCII characters “D M A c”. |
| CPUID Fn0000_0000_EDX | 6974_6E65h | The ASCII characters “i t n e”. |

### E.3.2 Function 1h—Processor and Processor Feature Identifiers

This function number identifies the processor family, model, and stepping and provides feature support information.

#### CPUID Fn0000\_0001\_EAX Family, Model, Stepping Identifiers

The value returned in EAX provides the family, model, and stepping identifiers. Three values are used by software to identify a processor: Family, Model, and Stepping.

| Bits  | Field Name | Description                                                             |
|-------|------------|-------------------------------------------------------------------------|
| 31:28 | —          | Reserved                                                                |
| 27:20 | ExtFamily  | Processor extended family. See above for definition of Family[7:0].     |
| 19:16 | ExtModel   | Processor extended model. See above for definition of Model[7:0].       |
| 15:12 | —          | Reserved                                                                |
| 11:8  | BaseFamily | Base processor family. See above for definition of Family[7:0].         |
| 7:4   | BaseModel  | Base processor model. See above for definition of Model[7:0].           |
| 3:0   | Stepping   | Processor stepping. Processor stepping (revision) for a specific model. |

The processor *Family* identifies one or more processors as belonging to a group that possesses some common definition for software or hardware purposes. The *Model* specifies one instance of a processor family. The *Stepping* identifies a particular version of a specific model. Therefore, Family, Model and Stepping, when taken together, form a unique identification or signature for a processor.

The **Family** is an 8-bit value and is defined as: **Family[7:0]** = ({0000b,BaseFamily[3:0]} + ExtFamily[7:0]). For example, if BaseFamily[3:0] = Fh and ExtFamily[7:0] = 01h, then Family[7:0] = 10h. If BaseFamily[3:0] is less than Fh, then ExtFamily is reserved and Family is equal to BaseFamily[3:0].

**Model** is an 8-bit value and is defined as: **Model[7:0]** = {ExtModel[3:0], BaseModel[3:0]}. For example, if ExtModel[3:0] = Eh and BaseModel[3:0] = 8h, then Model[7:0] = E8h. If BaseFamily[3:0] is less than 0Fh, then ExtModel is reserved and Model is equal to BaseModel[3:0].

The value returned by CPUID Fn8000\_0001\_EAX is equivalent to CPUID Fn0000\_0001\_EAX.

### **CPUID Fn0000\_0001\_EBX LocalApicId, LogicalProcessorCount, CLFlush**

The value returned in EBX provides miscellaneous information regarding the processor brand, the number of logical threads per processor socket, the CLFLUSH instruction, and APIC.

| Bits  | Field Name            | Description                                                                                                                                                                                                                                                                                               |
|-------|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:24 | LocalApicId           | Initial local APIC physical ID. The 8-bit value assigned to the local APIC physical ID register at power-up. Some of the bits of LocalApicId represent the core within a processor and other bits represent the processor ID. See the APIC20 “APIC ID” register in the processor BKDG or PPR for details. |
| 23:16 | LogicalProcessorCount | Logical processor count.<br>If CPUID Fn0000_0001_EDX[HTT] = 1 then LogicalProcessorCount is the number of logic processors per package.<br>If CPUID Fn0000_0001_EDX[HTT] = 0 then LogicalProcessorCount is reserved.<br>See E.5.1 [Legacy Method].                                                        |
| 15:8  | CLFlush               | CLFLUSH size. Specifies the size of a cache line in quadwords flushed by the CLFLUSH instruction. See “CLFLUSH” on page 150.                                                                                                                                                                              |
| 7:0   | 8BitBrandId           | 8-bit brand ID. This field, in conjunction with CPUID Fn8000_0001_EBX[BrandId], is used by the system firmware to generate the processor name string. See the appropriate processor revision guide for how to program the processor name string.                                                          |

### **CPUID Fn0000\_0001\_ECX Feature Identifiers**

The value returned in ECX contains the following miscellaneous feature identifiers:

| Bits | Field Name | Description                                                                                                                                                                           |
|------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31   | —          | RAZ. Reserved for use by hypervisor to indicate guest status.                                                                                                                         |
| 30   | RDRAND     | RDRAND instruction support.                                                                                                                                                           |
| 29   | F16C       | Half-precision convert instruction support. See “Half-Precision Floating-Point Conversion” on page 193 of APM Volume 1 and listings for individual F16C instructions in APM Volume 5. |
| 28   | AVX        | AVX instruction support. See APM Volume 4.                                                                                                                                            |
| 27   | OSXSAVE    | XSAVE (and related) instructions are enabled. See “OSXSAVE” in APM Volume 2.                                                                                                          |
| 26   | XSAVE      | XSAVE (and related) instructions are supported by hardware. See “XSAVE/XRSTOR Instructions” in APM Volume 2.                                                                          |
| 25   | AES        | AES instruction support. See “AES Instructions” in APM Volume 4.                                                                                                                      |

| Bits  | Field Name | Description                                                                                                                                                                                               |
|-------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 24    | —          | Reserved                                                                                                                                                                                                  |
| 23    | POPCNT     | POPCNT instruction. See “POPCNT” on page 288.                                                                                                                                                             |
| 22    |            | MOVBE: MOVBE instruction support.                                                                                                                                                                         |
| 21    | x2APIC     | x2APIC support. See “x2APIC Mode” in APM Volume 2.                                                                                                                                                        |
| 20    | SSE42      | SSE4.2 instruction support. “Determining Media and x87 Feature Support” in APM Volume 2 and individual SSE4.2 instruction listings in APM Volume 4.                                                       |
| 19    | SSE41      | SSE4.1 instruction support. See individual instruction listings in APM Volume 4.                                                                                                                          |
| 18:14 | —          | Reserved                                                                                                                                                                                                  |
| 13    | CMPXCHG16B | CMPXCHG16B instruction support. See “CMPXCHG16B” in APM Volume 3.                                                                                                                                         |
| 12    | FMA        | FMA instruction support.                                                                                                                                                                                  |
| 11:10 | —          | Reserved                                                                                                                                                                                                  |
| 9     | SSSE3      | Supplemental SSE3 instruction support.                                                                                                                                                                    |
| 8:4   | —          | Reserved                                                                                                                                                                                                  |
| 3     | MONITOR    | MONITOR/MWAIT instructions. See “MONITOR” and “MWAIT” in APM Volume 3.                                                                                                                                    |
| 2     | —          | Reserved                                                                                                                                                                                                  |
| 1     | PCLMULQDQ  | PCLMULQDQ instruction support. See instruction reference page for the PCLMULQDQ / VPCLMULQDQ instruction in APM Volume 4.                                                                                 |
| 0     | SSE3       | SSE3 instruction support. See Appendix D “CPUID Feature Sets” in APM Volume 3 for the list of instructions covered by the SSE3 feature bit. See APM Volume 4 for the definition of the SSE3 instructions. |

### CPUID Fn0000\_0001\_EDX Feature Identifiers

The value returned in EDX contains the following miscellaneous feature identifiers:

| Bits  | Field Name | Description                                                                                                                                                       |
|-------|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:29 | —          | Reserved                                                                                                                                                          |
| 28    | HTT        | Hyper-threading technology. Indicates either that there is more than one thread per core or more than one core per compute unit. See “Legacy Method” on page 671. |
| 27    | —          | Reserved                                                                                                                                                          |
| 26    | SSE2       | SSE2 instruction support. See Appendix D “CPUID Feature Sets” in APM Volume 3.                                                                                    |
| 25    | SSE        | SSE instruction support. See Appendix D “CPUID Feature Sets” in APM Volume 3 appendix and “64-Bit Media Programming” in APM Volume 1.                             |
| 24    | FXSR       | FXSAVE and FXRSTOR instructions. See “FXSAVE” and “FXRSTOR” in APM Volume 5.                                                                                      |
| 23    | MMX        | MMX™ instructions. See Appendix D “CPUID Feature Sets” in APM Volume 3 and “128-Bit Media and Scientific Programming” in APM Volume 1.                            |
| 22:20 | —          | Reserved                                                                                                                                                          |
| 19    | CLFSH      | CLFLUSH instruction support. See “CLFLUSH” in APM Volume 3.                                                                                                       |

| Bits | Field Name      | Description                                                                                                                                                                                                          |
|------|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 18   | —               | Reserved                                                                                                                                                                                                             |
| 17   | PSE36           | Page-size extensions. The PDE[20:13] supplies physical address [39:32]. See “Page Translation and Protection” in APM Volume 2.                                                                                       |
| 16   | PAT             | Page attribute table. See “Page-Attribute Table Mechanism” in APM Volume 2.                                                                                                                                          |
| 15   | CMOV            | Conditional move instructions. See “CMOV”, “FCMOV” in APM Volume 3.                                                                                                                                                  |
| 14   | MCA             | Machine check architecture. See “Machine Check Mechanism” in APM Volume 2.                                                                                                                                           |
| 13   | PGE             | Page global extension. See “Page Translation and Protection” in APM Volume 2.                                                                                                                                        |
| 12   | MTRR            | Memory-type range registers. See “Page Translation and Protection” in APM Volume 2.                                                                                                                                  |
| 11   | SysEnterSysExit | SYSENTER and SYSEXIT instructions. See “SYSENTER”, “SYSEXIT” in APM Volume 3.                                                                                                                                        |
| 10   | —               | Reserved                                                                                                                                                                                                             |
| 9    | APIC            | Advanced programmable interrupt controller. Indicates APIC exists and is enabled. See “Exceptions and Interrupts” in APM Volume 2.                                                                                   |
| 8    | CMPXCHG8B       | CMPXCHG8B instruction. See “CMPXCHG8B” in APM Volume 3.                                                                                                                                                              |
| 7    | MCE             | Machine check exception. See “Machine Check Mechanism” in APM Volume 2.                                                                                                                                              |
| 6    | PAE             | Physical-address extensions. Indicates support for physical addresses <sup>3</sup> 32b. Number of physical address bits above 32b is implementation specific. See “Page Translation and Protection” in APM Volume 2. |
| 5    | MSR             | AMD model-specific registers. Indicates support for AMD model-specific registers (MSRs), with RDMSR and WRMSR instructions. See “Model Specific Registers” in APM Volume 2.                                          |
| 4    | TSC             | Time stamp counter. RDTSC and RDTSCP instruction support. See “Debug and Performance Resources” in APM Volume 2.                                                                                                     |
| 3    | PSE             | Page-size extensions. See “Page Translation and Protection” in APM Volume 2.                                                                                                                                         |
| 2    | DE              | Debugging extensions. See “Debug and Performance Resources” in APM Volume 2.                                                                                                                                         |
| 1    | VME             | Virtual-mode enhancements. CR4.VME, CR4.PVI, software interrupt indirection, expansion of the TSS with the software, indirection bitmap, EFLAGS.VIF, EFLAGS.VIP. See “System Resources” in APM Volume 2.             |
| 0    | FPU             | x87 floating point unit on-chip. See “x87 Floating Point Programming” in APM Volume 1.                                                                                                                               |

### E.3.3 Functions 2h–4h—Reserved

#### CPUID Fn0000\_000[4:2] Reserved

These function numbers are reserved.

### E.3.4 Function 5h—Monitor and MWAIT Features

This function provides feature identifiers for the MONITOR and MWAIT instructions. For more information see the description of the MONITOR instruction on page 424 and the MWAIT instruction on page 430.

#### **CPUID Fn0000\_0005\_EAX Monitor/MWait**

The value returned in EAX provides the following information:

| Bits  | Field Name     | Description                          |
|-------|----------------|--------------------------------------|
| 31:16 | —              | Reserved                             |
| 15:0  | MonLineSizeMin | Smallest monitor-line size in bytes. |

#### **CPUID Fn0000\_0005\_EBX Monitor/MWait**

The value returned in EBX provides the following information:

| Bits  | Field Name     | Description                         |
|-------|----------------|-------------------------------------|
| 31:16 | —              | Reserved                            |
| 15:0  | MonLineSizeMax | Largest monitor-line size in bytes. |

#### **CPUID Fn0000\_0005(ECX) Monitor/MWait**

The value returned in ECX provides the following information:

| Bits | Field Name | Description                                                                                                                                              |
|------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:2 | —          | Reserved                                                                                                                                                 |
| 1    | IBE        | Interrupt break-event. Indicates MWAIT can use ECX bit 0 to allow interrupts to cause an exit from the monitor event pending state, even if EFLAGS.IF=0. |
| 0    | EMX        | Enumerate MONITOR/MWAIT extensions: Indicates enumeration MONITOR/MWAIT extensions are supported.                                                        |

#### **CPUID Fn0000\_0005\_EDX Monitor/MWait**

The value returned in EDX is undefined and is reserved.

### E.3.5 Function 6h—Power Management Related Features

This function provides information about the local APIC timer timebase and the effective frequency interface for the processor.

---

**CPUID Fn0000\_0006\_EAX Local APIC Timer Invariance**

---

The value returned in EAX is undefined and is reserved.

| Bits | Field Name | Description                                                                                        |
|------|------------|----------------------------------------------------------------------------------------------------|
| 31:3 | —          | Reserved                                                                                           |
| 2    | ARAT       | If set, indicates that the timebase for the local APIC timer is not affected by processor p-state. |
| 1:0  | —          | Reserved                                                                                           |

---

**CPUID Fn0000\_0006\_EBX Reserved**

---

The value returned in EBX is undefined and is reserved.

---

**CPUID Fn0000\_0006(ECX) Effective Processor Frequency Interface**

---

The value returned in ECX indicates support of the processor effective frequency interface. For more information on this feature, see “Determining Processor Effective Frequency” in APM Volume 2.

| Bits | Field Name | Description                                                                                                         |
|------|------------|---------------------------------------------------------------------------------------------------------------------|
| 31:1 | —          | Reserved                                                                                                            |
| 0    | EffFreq    | Effective frequency interface support. If set, indicates presence of MSR0000_00E7 (MPERF) and MSR0000_00E8 (APERF). |

---

**CPUID Fn0000\_0006\_EDX Reserved**

---

The value returned in EDX is undefined and is reserved.

**E.3.6 Function 7h—Structured Extended Feature Identifiers****Subfunction 0 of Fn0000\_0007**

---

**CPUID Fn0000\_0007\_EAX\_x0 Structured Extended Feature Identifiers (ECX=0)**

---

| Bits | Field Name | Description                                   |
|------|------------|-----------------------------------------------|
| 31:0 | MaxSubFn   | Returns the number of subfunctions supported. |

---

**CPUID Fn0000\_0007\_EBX\_x0 Structured Extended Feature Identifiers (ECX=0)**

---

| Bits | Field Name | Description                                          |
|------|------------|------------------------------------------------------|
| 31   | AVX512VL   | AVX512 instructions are extended to 128 and 256 bits |
| 30   | AVX512BW   | AVX512 Byte/Word Packed Integer instructions         |

| Bits  | Field Name  | Description                                                                                                           |
|-------|-------------|-----------------------------------------------------------------------------------------------------------------------|
| 29    | SHA         | Secure Hash Algorithm instruction extension.                                                                          |
| 28    | AVX512CD    | AVX512 Conflict Detection for Vectorizing Loops                                                                       |
| 27:25 | —           | Reserved                                                                                                              |
| 24    | CLWB        | CLWB instruction support.                                                                                             |
| 23    | CLFLUSHOPT  | CLFLUSHOPT instruction support.                                                                                       |
| 22    | —           | Reserved                                                                                                              |
| 21    | AVX512_IFMA | AVX512 Integer Fused Multiply-Add instructions support.                                                               |
| 20    | SMAP        | Supervisor mode access prevention.                                                                                    |
| 19    | ADX         | ADCX, ADOX instruction support.                                                                                       |
| 18    | RDSEED      | RDSEED instruction support.                                                                                           |
| 17    | AVX512DQ    | AVX512 Doubleword/Quadword Packed Integer instructions                                                                |
| 16    | AVX512F     | AVX512 Foundation                                                                                                     |
| 15    | PQE         | Platform QOS Enforcement support. See <i>AMD64 Technology Platform Quality of Service Extensions</i> in APM Volume 2. |
| 14:13 | —           | Reserved                                                                                                              |
| 12    | PQM         | Platform QOS Monitoring support. See <i>AMD64 Technology Platform Quality of Service Extensions</i> in APM Volume 2.  |
| 11    | —           | Reserved                                                                                                              |
| 10    | INVPCID     | INVPCID instruction support.                                                                                          |
| 9     | ERMS        | Enhanced REP MOVSB/STOSB support.                                                                                     |
| 8     | BMI2        | Bit manipulation group 2 instruction support.                                                                         |
| 7     | SMEP        | Supervisor mode execution prevention.                                                                                 |
| 6     | —           | Reserved                                                                                                              |
| 5     | AVX2        | AVX2 instruction subset support.                                                                                      |
| 4     | —           | Reserved                                                                                                              |
| 3     | BMI1        | Bit manipulation group 1 instruction support.                                                                         |
| 2     | —           | Reserved                                                                                                              |
| 1     | TSCADJUST   | TSC Adjust MSR (3Bh) support.                                                                                         |
| 0     | FSGSBASE    | FS and GS base read/write instruction support.                                                                        |

**CPUID Fn0000\_0007\_ECX\_x0 Structured Extended Feature Identifiers (ECX=0)**

| Bits  | Field Name  | Description                    |
|-------|-------------|--------------------------------|
| 31:29 | —           | Reserved                       |
| 28    | MOVDIR64B   | MOVDIR64B instruction support. |
| 27    | MOVDIRI     | MOVDIRI instruction support.   |
| 26:25 | —           | Reserved                       |
| 24    | BUSLOCKTRAP | Bus Lock Trap (#DB) support.   |
| 23    | —           | Reserved                       |

| Bits  | Field Name        | Description                                                                                           |
|-------|-------------------|-------------------------------------------------------------------------------------------------------|
| 22    | RDPID             | RDPID instruction and TSC_AUX MSR support.                                                            |
| 21:17 | —                 | Reserved                                                                                              |
| 16    | LA57              | 5-Level paging support.                                                                               |
| 15    | —                 | Reserved                                                                                              |
| 14    | AVX512_VPOPC_NTDQ | AVX-512 VPOPCNTD/Q instruction support.                                                               |
| 13    | —                 | Reserved                                                                                              |
| 12    | AVX512_BITALG     | AVX512 bit algorithm instructions VPSHUFBITQMB and VPOPCNTB/W support.                                |
| 11    | AVX512_VNNI       | AVX512 vector neural network instructions support.                                                    |
| 10    | VPCMULQDQ         | VPCLMULQDQ 256-bit instruction support.                                                               |
| 9     | VAES              | VAES 256-bit instructions support.                                                                    |
| 8     | GFNI              | Galois Field New instructions support.                                                                |
| 7     | CET_SS            | Shadow Stacks supported.                                                                              |
| 6     | AVX512_VBMI2      | AVX512 vector byte permutation instruction 2 support.                                                 |
| 5     | —                 | Reserved                                                                                              |
| 4     | OSPKE             | OS has enabled Memory Protection Keys and use of the RDPKRU/WRPKRU instructions by setting CR4.PKE=1. |
| 3     | PKU               | Memory Protection Keys supported.                                                                     |
| 2     | UMIP              | User mode instruction prevention support.                                                             |
| 1     | AVX512_VBMI       | AVX512 vector byte permutation instructions support.                                                  |
| 0     | —                 | Reserved                                                                                              |

**CPUID Fn0000\_0007\_EDX\_x0 Structured Extended Feature Identifiers (ECX=0)**

| Bits | Field Name | Description |
|------|------------|-------------|
| 31:0 | —          | Reserved    |

**Subfunction 1 of Fn0000\_0007****CPUID Fn0000\_0007\_EAX\_x1 Structured Extended Feature Identifiers (ECX=1)**

| Bits | Field Name  | Description                     |
|------|-------------|---------------------------------|
| 31:6 | —           | Reserved                        |
| 5    | AVX512_BF16 | AVX512 BFloat16 instructions    |
| 4    | AVX_VNNI    | AVX Neural Network instructions |
| 3:0  | —           | Reserved                        |

**CPUID Fn0000\_0007\_EBX\_x1 Structured Extended Feature Identifiers (ECX=1)**

| Bits | Field Name | Description |
|------|------------|-------------|
| 31:0 | —          | Reserved    |

**CPUID Fn0000\_0007\_ECX\_x1 Structured Extended Feature Identifiers (ECX=1)**

| Bits | Field Name | Description |
|------|------------|-------------|
| 31:0 | —          | Reserved    |

**CPUID Fn0000\_0007\_EDX\_x1 Structured Extended Feature Identifiers (ECX=1)**

| Bits | Field Name | Description |
|------|------------|-------------|
| 31:0 | —          | Reserved    |

**E.3.7 Functions 8h–Ah—Reserved****E.3.8 Function Bh — Extended Topology Enumeration**

CPUID Fn0000\_000B enumerates each level in the processor’s topological hierarchy. The hierarchy level is specified by the input value passed in the ECX register.

If this function is executed with an unimplemented level (passed in ECX), the instruction returns all zeros in the EAX register.

**Subfunction 0 of Fn0000\_000B - Thread Level**

Subfunction 0 provides information about the thread-level topology.

**CPUID Fn0000\_000B\_EAX\_x0 Extended Topology Enumeration (ECX=0)**

| Bits | Field Name      | Description                                                                          |
|------|-----------------|--------------------------------------------------------------------------------------|
| 31:5 | —               | Reserved                                                                             |
| 4:0  | ThreadMaskWidth | Number of bits to shift x2APIC_ID right to get to the topology ID of the next level. |

**CPUID Fn0000\_000B\_EBX\_x0 Extended Topology Enumeration (ECX=0)**

| Bits  | Field Name | Description                             |
|-------|------------|-----------------------------------------|
| 31:16 | —          | Reserved                                |
| 15:0  | NumLogProc | Number of logical processors in a core. |

**CPUID Fn0000\_000B(ECX\_x0) Extended Topology Enumeration (ECX=0)**

| Bits  | Field Name     | Description      |
|-------|----------------|------------------|
| 31:16 | —              | Reserved         |
| 15:8  | HierarchyLevel | 1 (thread level) |
| 7:0   | InputEcx       | 0                |

**CPUID Fn0000\_000B(ECX\_x0) Extended Topology Enumeration (ECX=0)**

| Bits | Field Name | Description              |
|------|------------|--------------------------|
| 31:0 | x2APIC_ID  | 32-bit Extended APIC_ID. |

**Subfunction 1 of Fn0000\_000B - Core Level**

Subfunction 1 provides information about the core-level topology.

**CPUID Fn0000\_000B(ECX\_x1) Extended Topology Enumeration (ECX=1)**

| Bits | Field Name    | Description                                                                          |
|------|---------------|--------------------------------------------------------------------------------------|
| 31:5 | —             | Reserved                                                                             |
| 4:0  | CoreMaskWidth | Number of bits to shift x2APIC_ID right to get to the topology ID of the next level. |

**CPUID Fn0000\_000B(ECX\_x1) Extended Topology Enumeration (ECX=1)**

| Bits  | Field Name  | Description                        |
|-------|-------------|------------------------------------|
| 31:16 | —           | Reserved                           |
| 15:0  | NumLogCores | Number of logical cores in socket. |

**CPUID Fn0000\_000B(ECX\_x1) Extended Topology Enumeration (ECX=1)**

| Bits  | Field Name     | Description |
|-------|----------------|-------------|
| 31:16 | —              | Reserved    |
| 15:8  | HierarchyLevel | 2           |
| 7:0   | InputEcx       | 1           |

**CPUID Fn0000\_000B(ECX\_x1) Extended Topology Enumeration (ECX=1)**

| Bits | Field Name | Description              |
|------|------------|--------------------------|
| 31:0 | x2APIC_ID  | 32-bit Extended APIC_ID. |

### E.3.9 Function Ch—Reserved

### E.3.10 Function Dh—Processor Extended State Enumeration

The XSAVE / XRSTOR instructions are used to save and restore x87/MMX FPU and SSE processor state. These instructions allow processor state associated with specific architected features to be selectively saved and restored. This function provides information about extended state support and save area size requirements.

The function has a number of sub functions specified by the input value passed to the CPUID instruction in the ECX register. If CPUID Fn0000\_000D is executed with an unimplemented subfunction (passed in ECX), the instruction returns all zeros in the EAX, EBX, ECX, and EDX registers.

#### **Subfunction 0 of Fn0000\_000D**

Subfunction 0 provides information about features within the extended processor state management architecture that are supported by the processor.

---

#### **CPUID Fn0000\_000D\_EAX\_x0 Processor Extended State Enumeration (ECX=0)**

---

The value returned in EAX provides a bit mask specifying which of the features defined by the extended processor state architecture are supported by the processor.

| Bits | Field Name                  | Description                                                                                                                                                                                          |
|------|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:0 | XFeatureSupportedMask[31:0] | Reports the valid bit positions for the lower 32 bits of the XFeatureEnabledMask register. If a bit is set, the corresponding feature is supported. See “XSAVE/XRSTOR Instructions” in APM Volume 2. |

---

#### **CPUID Fn0000\_000D\_EBX\_x0 Processor Extended State Enumeration (ECX=0)**

---

The value returned in EBX gives the save area size requirement in bytes based on the features currently enabled in the XFEATURE\_ENABLED\_MASK (XCR0).

| Bits | Field Name             | Description                                                                    |
|------|------------------------|--------------------------------------------------------------------------------|
| 31:0 | XFeatureEnabledSizeMax | Size in bytes of XSAVE/XRSTOR area for the currently enabled features in XCR0. |

---

#### **CPUID Fn0000\_000D\_ECX\_x0 Processor Extended State Enumeration (ECX=0)**

---

The value returned in ECX gives the save area size requirement in bytes for all extended state management features supported by the processor (whether enabled or not).

| Bits | Field Name               | Description                                                                                                          |
|------|--------------------------|----------------------------------------------------------------------------------------------------------------------|
| 31:0 | XFeatureSupportedSizeMax | Size in bytes of XSAVE/XRSTOR area for all features that the logical processor supports. See XFeatureEnabledSizeMax. |

### CPUID Fn0000\_000D\_EDX\_x0 Processor Extended State Enumeration (ECX=0)

The value returned in EDX provides a bit mask specifying which of the features defined by the extended processor state architecture are supported by the processor.

| Bits | Field Name                   | Description                                                                                                                                         |
|------|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:0 | XFeatureSupportedMask[63:32] | Reports the valid bit positions for the upper 32 bits of the XFeatureEnabledMask register. If a bit is set, the corresponding feature is supported. |

See “XSAVE/XRSTOR Instructions” in APM Volume 2 and reference pages for the individual instructions in APM Volume 4.

### Subfunction 1 of Fn0000\_000D

Subfunction 1 provides additional information about features within the extended processor state management architecture that are supported by the processor.

### CPUID Fn0000\_000D\_EAX\_x1 Processor Extended State Enumeration (ECX=1)

| Bits | Field Name | Description                            |
|------|------------|----------------------------------------|
| 31:4 |            | Reserved                               |
| 3    | XSAVES     | XSAVES, XRSTOR, and XSS are supported. |
| 2    | XGETBV     | XGETBV with ECX = 1 supported.         |
| 1    | XSAVEC     | XSAVEC and compact XRSTOR supported.   |
| 0    | XSAVEOPT   | XSAVEOPT is available.                 |

### CPUID Fn0000\_000D\_EBX\_x1 Processor Extended State Enumeration (ECX=1)

The value returned on EBX represents the fixed size of the save area (240h) plus the state size of each enabled extended feature:

$$\begin{aligned} \text{EBX} &= 0240h \\ &+ ((\text{XCR0[AVX]} == 1) ? 0000_0100h : 0) \\ &+ ((\text{XCR0[MPK]} == 1) ? 0000_0008h : 0) \\ &+ ((\text{XSS[CET_U]} == 1) ? 0000_0010h : 0) \\ &+ ((\text{XSS[CET_S]} == 1) ? 0000_0018h : 0) \end{aligned}$$

**CPUID Fn0000\_000D(ECX\_x1) Processor Extended State Enumeration (ECX=1)**

The value returned on ECX returns a 1 for each bit that is settable in the XSS MSR. The following bits are defined:

| Bits  | Field Name | Description     |
|-------|------------|-----------------|
| 31:13 | —          | Reserved        |
| 12    | CET_S      | CET supervisor. |
| 11    | CET_U      | CET user state. |
| 10:0  | —          | Reserved        |

**CPUID Fn0000\_000D(ECX\_x1) Processor Extended State Enumeration (ECX=1)**

The value returned in EDX for subfunction 1 is undefined and reserved.

**Subfunction 2 of Fn0000\_000D**

Subfunction 2 provides information about the size and offset of the 256-bit SSE vector floating point processor unit state save area.

**CPUID Fn0000\_000D(EAX\_x2) Processor Extended State Enumeration (ECX=2)**

The value returned in EAX provides information about the size of the 256-bit SSE vector floating point processor unit state save area.

| Bits | Field Name       | Description                                                                   |
|------|------------------|-------------------------------------------------------------------------------|
| 31:0 | YmmSaveStateSize | YMM state save size. The state save area size in bytes for The YMM registers. |

**CPUID Fn0000\_000D(EBX\_x2) Processor Extended State Enumeration (ECX=2)**

The value returned in EBX provides information about the offset of the 256-bit SSE vector floating point processor unit state save area from the base of the extended state (XSAVE/XRSTOR) save area.

| Bits | Field Name         | Description                                                                                                                   |
|------|--------------------|-------------------------------------------------------------------------------------------------------------------------------|
| 31:0 | YmmSaveStateOffset | YMM state save offset. The offset in bytes from the base of the extended state save area of the YMM register state save area. |

**CPUID Fn0000\_000D(E[D,C]X\_x2) Processor Extended State Enumeration (ECX=2)**

The values returned in ECX and EDX for subfunction 2 are undefined and are reserved.

## Subfunction 11 of Fn0000\_000D

Subfunction 11 provides information about the CET user state save area.

### **CPUID Fn0000\_000D\_E[A, B, C, D]X\_x11 Processor Extended State Emulation (ECX=11)**

The value returned in EAX, EBX, ECX and EDX provides information about the CET user state save area.

| Register | Bits | Field Name    | Description                                                          |
|----------|------|---------------|----------------------------------------------------------------------|
| EAX      | 31:0 | CetUserSize   | CET user state save size in bytes.                                   |
| EBX      | 31:0 | CetUserOffset | CET user state offset from the base of the extended state save area. |
| ECX      | 0    | U/S           | Set to 1, indicating a supervisor state component.                   |
| ECX      | 31:0 | —             | Cleared to 0.                                                        |
| EDX      | 31:0 | —             | Unused, cleared to 0.                                                |

## Subfunction 12 of Fn0000\_000D

Subfunction 12 provides information about the CET supervisor state save area.

### **CPUID Fn0000\_000D\_E[A, B, C, D]X\_x12 Processor Extended State Emulation (ECX=12)**

The value returned in EAX, EBX, ECX and EDX provides information about the CET supervisor state save area.

| Register | Bits | Field Name          | Description                                                                |
|----------|------|---------------------|----------------------------------------------------------------------------|
| EAX      | 31:0 | CetSupervisorSize   | CET supervisor state save size in bytes.                                   |
| EBX      | 31:0 | CetSupervisorOffset | CET supervisor state offset from the base of the extended state save area. |
| ECX      | 0    | U/S                 | Set to 1, indicating a supervisor state component.                         |
| ECX      | 31:0 | —                   | Cleared to 0.                                                              |
| EDX      | 31:0 | —                   | Unused, cleared to 0.                                                      |

## Subfunction 3Eh of Fn0000\_000D

Subfunction 3Eh provides information about the size and offset of the Lightweight Profiling (LWP) unit state save area.

**CPUID Fn0000\_000D\_EAX\_x3E Processor Extended State Enumeration (ECX=62)**

The value returned in EAX provides the size of the Lightweight Profiling (LWP) unit state save area.

| Bits | Field Name       | Description                                                                                                              |
|------|------------------|--------------------------------------------------------------------------------------------------------------------------|
| 31:0 | LwpSaveStateSize | LWP state save area size. The size of the save area for LWP state in bytes. See “Lightweight Profiling” in APM Volume 2. |

**CPUID Fn0000\_000D\_EBX\_x3E Processor Extended State Enumeration (ECX=62)**

The value returned in EBX provides the offset of the Lightweight Profiling (LWP) unit state save area from the base of the extended state (XSAVE/XRSTOR) save area.

| Bits | Field Name         | Description                                                                                                                                                                |
|------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:0 | LwpSaveStateOffset | LWP state save byte offset. The offset in bytes from the base of the extended state save area of the state save area for LWP. See “Lightweight Profiling” in APM Volume 2. |

**CPUID Fn0000\_000D\_E[D,C]X\_x3E Processor Extended State Enumeration (ECX=62)**

The values returned in ECX and EDX for subfunction 3Eh are undefined and are reserved.

**Subfunctions of Fn0000\_000D greater than 3Eh**

For CPUID Fn0000\_000D, if the subfunction (specified by contents of ECX) passed as input to the instruction is greater than 3Eh, the instruction returns zero in the EAX, EBX, ECX, and EDX registers.

**E.3.11 Function Eh—Reserved****E.3.12 Function Fh—PQOS Monitoring (PQM)**

If PQM is supported (CPUID Fn0000\_0007\_EBX\_x0[PQM] = 1), this CPUID function can be used to obtain PQM feature information. If PQM is not supported this function is reserved. For more information on using PQM, see “Platform Quality of Service” in APM Volume 2.

### **CPUID Fn0000\_000F\_x0 PQM Capabilities**

Subfunction 0 provides information about PQM capabilities.

| Register | Bits | Field Name | Description                                            |
|----------|------|------------|--------------------------------------------------------|
| EAX      | 31:0 | —          | Reserved                                               |
| EBX      | 31:0 | Max_RMID   | Largest RMID supported by the system for any resource. |
| ECX      | 31:0 | —          | Reserved                                               |
| EDX      | 31:2 | —          | Reserved                                               |
|          | 1    | L3CacheMon | L3 Cache Monitoring Support.                           |
|          | 0    | —          | Reserved                                               |

### **CPUID Fn0000\_000F\_x1 L3 Cache Monitoring Capabilities**

Subfunction 1 provides information about PQM L3 Cache Monitoring capabilities.

| Register | Bits | Field Name       | Description                                                                                                                                                                          |
|----------|------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| EAX      | 31:7 | —                | Reserved                                                                                                                                                                             |
|          | 8    | OverflowBit      | Indicates that MSR QM_CTR bit 61 is a counter overflow bit.                                                                                                                          |
|          | 7:0  | CounterSize      | QM_CTR counter width, offset from 24 bits.<br>If 0, the family, model, and stepping should be used to determine the counter size. See “Platform Quality of Service” in APM Volume 2. |
| EBX      | 31:0 | ScaleFactor      | Scale factor for the value obtained from QOS_CTR.                                                                                                                                    |
| ECX      | 31:0 | Max_RMID         | Largest RMID supported by the L3CachMon resource.                                                                                                                                    |
| EDX      | 31:3 | —                | Reserved                                                                                                                                                                             |
|          | 2    | L3CacheBWMonEvt1 | L3 Cache Bandwidth Monitoring Event 1.                                                                                                                                               |
|          | 1    | L3CacheBWMonEvt0 | L3 Cache Bandwidth Monitoring Event 0.                                                                                                                                               |
|          | 0    | L3CacheOccMon    | L3 Cache Occupancy Monitoring Event.                                                                                                                                                 |

### **E.3.13 Function 10h—PQOS Enforcement (PQE)**

If PQE is supported (CPUID Fn0000\_0007\_EBX\_x0[PQE] = 1), this CPUID function can be used to obtain PQE feature information. If PQE is not supported this function is reserved. For more information on using PQE, see “Platform Quality of Service” in APM Volume 2.

### **CPUID Fn0000\_0010\_x0 PQE Capabilities**

---

Subfunction 0 provides information about PQE supported resources.

| <b>Register</b> | <b>Bits</b> | <b>Field Name</b> | <b>Description</b>                       |
|-----------------|-------------|-------------------|------------------------------------------|
| EAX             | 31:0        | —                 | Reserved                                 |
| EBX             | 31:0        | —                 | Reserved                                 |
| ECX             | 31:0        | —                 | Reserved                                 |
| EDX             | 31:2        | —                 | Reserved                                 |
|                 | 1           | L3Alloc           | L3 Cache Allocation Enforcement Support. |
|                 | 0           | —                 | Reserved                                 |

### **CPUID Fn0000\_0010\_x1 L3 Cache Allocation Enforcement Capabilities**

---

Subfunction 1 provides information about PQE L3 cache allocation enforcement capabilities.

| <b>Register</b> | <b>Bits</b> | <b>Field Name</b> | <b>Description</b>                                        |
|-----------------|-------------|-------------------|-----------------------------------------------------------|
| EAX             | 31:5        | —                 | Reserved                                                  |
|                 | 4:0         | CBM_LEN           | L3 cache capacity bit mask length minus 1.                |
| EBX             | 31:0        | L3ShareAllocMask  | L3 cache allocation sharing mask.                         |
| ECX             | 31:3        | —                 | Reserved                                                  |
|                 | 2           | CDP               | Code-Data Prioritization support.                         |
|                 | 1:0         | —                 | Reserved                                                  |
| EDX             | 31:16       | —                 | Reserved                                                  |
|                 | 15:0        | COS_MAX           | Maximum COS supported by L3 cache allocation enforcement. |

### **E.3.14 Functions 4000\_0000h-4000\_00FFh—Reserved for Hypervisor Use**

#### **CPUID Fn4000\_00[FF:00] Reserved**

---

These function numbers are reserved for use by the virtual machine monitor.

## E.4 Extended Feature Function Numbers

This section describes each of the defined CPUID functions in the extended range.

### E.4.1 Function 8000\_0000h—Maximum Extended Function Number and Vendor String

This function provides information about the maximum extended function number supported on this processor and a string that identifies the vendor of the product.

#### CPUID Fn8000\_0000\_EAX Largest Extended Function Number

The value returned in EAX provides the largest extended function number supported by the processor.

| Bits | Field Name | Description                                                                                                           |
|------|------------|-----------------------------------------------------------------------------------------------------------------------|
| 31:0 | LFuncExt   | Largest extended function. The largest CPUID extended function input value supported by the processor implementation. |

#### CPUID Fn8000\_0000\_E[D,C,B]X Processor Vendor

The values returned in EBX, ECX, and EDX together provide a 12-character string identifying the vendor of this processor. The output string is the same as the one returned by Fn0000\_0000. See CPUID Fn0000\_0000\_E[D,C,B]X on page 622 for more details.

| Bits | Field Name | Description                                                                                             |
|------|------------|---------------------------------------------------------------------------------------------------------|
| 31:0 | Vendor     | Four characters of the 12-byte character string (encoded in ASCII) “AuthenticAMD”. See Table E-2 below. |

**Table E-2. CPUID Fn8000\_0000\_E[D,C,B]X values**

| Register              | Value      | Description                     |
|-----------------------|------------|---------------------------------|
| CPUID Fn8000_0000_EBX | 6874_7541h | The ASCII characters “h t u A”. |
| CPUID Fn8000_0000_ECX | 444D_4163h | The ASCII characters “D M A c”. |
| CPUID Fn8000_0000_EDX | 6974_6E65h | The ASCII characters “i t n e”. |

### E.4.2 Function 8000\_0001h—Extended Processor and Processor Feature Identifiers

#### CPUID Fn8000\_0001\_EAX AMD Family, Model, Stepping

The value returned in EAX provides the family, model, and stepping identifiers. Three values are used by software to identify a processor: Family, Model, and Stepping. The value returned in EAX is the same as the value returned in EAX for Fn0000\_0001. See CPUID Fn0000\_0001\_EAX on page 623 for more details on the field definitions.

| Bits | Field Names             | Description                 |
|------|-------------------------|-----------------------------|
| 31:0 | Family, Model, Stepping | See: CPUID Fn0000_0001_EAX. |

### CPUID Fn8000\_0001\_EBX BrandId Identifier

The value returned in EBX provides package type and a 16-bit processor name string identifiers.

| Bits  | Field Name | Description                                                                                                                                                                                                                     |
|-------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:28 | PkgType    | Package type. If (Family[7:0] >= 10h), this field is valid. If (Family[7:0]<10h), this field is reserved.                                                                                                                       |
| 27:16 | —          | Reserved                                                                                                                                                                                                                        |
| 15:0  | BrandId    | Brand ID. This field, in conjunction with CPUID Fn0000_0001_EBX[8BitBrandId], is used by system firmware to generate the processor name string. See your processor revision guide for how to program the processor name string. |

For processor families 10h and greater, PkgType is described in the *BIOS and Kernel Developer's Guide* for the product.

### CPUID Fn8000\_0001\_ECX Feature Identifiers

This function contains the following miscellaneous feature identifiers:

| Bits | Field Name         | Description                                                                                                                    |
|------|--------------------|--------------------------------------------------------------------------------------------------------------------------------|
| 31   | —                  | Reserved                                                                                                                       |
| 30   | AddrMaskExt        | Breakpoint Addressing masking extended to bit 31.                                                                              |
| 29   | MONITORX           | Support for MWAITX and MONITORX instructions.                                                                                  |
| 28   | PerfCtrExtLLC      | Support for L3 performance counter extension.                                                                                  |
| 27   | PerfTsc            | Performance time-stamp counter. Indicates support for MSRC001_0280 [Performance Time Stamp Counter].                           |
| 26   | DataBkptExt        | Data access breakpoint extension. Indicates support for MSRC001_1027 and MSRC001_101[B:9].                                     |
| 25   | —                  | Reserved                                                                                                                       |
| 24   | PerfCtrExtNB       | NB performance counter extensions support. Indicates support for MSRC001_024[6,4,2,0] and MSRC001_024[7,5,3,1].                |
| 23   | PerfCtrExtCore     | Processor performance counter extensions support. Indicates support for MSRC001_020[A,8,6,4,2,0] and MSRC001_020[B,9,7,5,3,1]. |
| 22   | TopologyExtensions | Topology extensions support. Indicates support for CPUID Fn8000_001D_EAX_x[N:0]-CPUID Fn8000_001E_EDX.                         |
| 21   | TBM                | Trailing bit manipulation instruction support.                                                                                 |
| 20   | —                  | Reserved                                                                                                                       |

| Bits | Field Name    | Description                                                                                                                                                                   |
|------|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 19   | —             | Reserved                                                                                                                                                                      |
| 18   | —             | Reserved                                                                                                                                                                      |
| 17   | TCE           | Translation Cache Extension support.                                                                                                                                          |
| 16   | FMA4          | Four-operand FMA instruction support.                                                                                                                                         |
| 15   | LWP           | Lightweight profiling support. See “Lightweight Profiling” in APM Volume 2 and reference pages for individual LWP instructions in APM Volume 3.                               |
| 14   | —             | Reserved                                                                                                                                                                      |
| 13   | WDT           | Watchdog timer support. See APM Volume 2 and APM Volume 3. Indicates support for MSRC001_0074.                                                                                |
| 12   | SKINIT        | SKINIT and STGI are supported. Indicates support for SKINIT and STGI, independent of the value of MSRC000_0080[SVME]. See APM Volume 2 and APM Volume 3.                      |
| 11   | XOP           | Extended operation support.                                                                                                                                                   |
| 10   | IBS           | Instruction based sampling. See “Instruction Based Sampling” in APM Volume 2.                                                                                                 |
| 9    | OSVW          | OS visible workaround. Indicates OS-visible workaround support. See “OS Visible Work-around (OSVW) Information” in APM Volume 2.                                              |
| 8    | 3DNowPrefetch | PREFETCH and PREFETCHW instruction support. See “PREFETCH” and “PREFETCHW” in APM Volume 3.                                                                                   |
| 7    | MisAlignSse   | Misaligned SSE mode. See “Misaligned Access Support Added for SSE Instructions” in APM Volume 1.                                                                              |
| 6    | SSE4A         | EXTRQ, INSERTQ, MOVNTSS, and MOVNTSD instruction support. See “EXTRQ”, “INSERTQ”, “MOVNTSS”, and “MOVNTSD” in APM Volume 4.                                                   |
| 5    | ABM           | Advanced bit manipulation. LZCNT instruction support. See “LZCNT” in APM Volume 3.                                                                                            |
| 4    | AltMovCr8     | LOCK MOV CR0 means MOV CR8. See “MOV(CRn)” in APM Volume 3.                                                                                                                   |
| 3    | ExtApicSpace  | Extended APIC space. This bit indicates the presence of extended APIC register space starting at offset 400h from the “APIC Base Address Register,” as specified in the BKDG. |
| 2    | SVM           | Secure virtual machine. See “Secure Virtual Machine” in APM Volume 2.                                                                                                         |
| 1    | CmpLegacy     | Core multi-processing legacy mode. See “Legacy Method” on page 671.                                                                                                           |
| 0    | LahfSahf      | LAHF and SAHF instruction support in 64-bit mode. See “LAHF” and “SAHF” in APM Volume 3.                                                                                      |

### CPUID Fn8000\_0001\_EDX Feature Identifiers

This function contains the following miscellaneous feature identifiers:

| Bits  | Field Name    | Description                                                                                                                                                                     |
|-------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31    | 3DNow         | 3DNow!™ instructions. See Appendix D “Instruction Subsets and CPUID Feature Sets” in APM Volume 3.                                                                              |
| 30    | 3DNowExt      | AMD extensions to 3DNow! instructions. See Appendix D “Instruction Subsets and CPUID Feature Sets” in APM Volume 3.                                                             |
| 29    | LM            | Long mode. See “Processor Initialization and Long-Mode Activation” in APM Volume 2.                                                                                             |
| 28    | —             | Reserved                                                                                                                                                                        |
| 27    | RDTSCP        | RDTSCP instruction. See “RDTSCP” in APM Volume 3.                                                                                                                               |
| 26    | Page1GB       | 1-GB large page support. See “1-GB Paging Support” in APM Volume 2.                                                                                                             |
| 25    | FFXSR         | FXSAVE and FXRSTOR instruction optimizations. See “FXSAVE” and “FXRSTOR” in APM Volume 5.                                                                                       |
| 24    | FXSR          | FXSAVE and FXRSTOR instructions. Same as CPUID Fn0000_0001_EDX[FXSR].                                                                                                           |
| 23    | MMX           | MMX™ instructions. Same as CPUID Fn0000_0001_EDX[MMX].                                                                                                                          |
| 22    | MmxExt        | AMD extensions to MMX instructions. See Appendix D “Instruction Subsets and CPUID Feature Sets” in APM Volume 3 and “128-Bit Media and Scientific Programming” in APM Volume 1. |
| 21    | —             | Reserved.                                                                                                                                                                       |
| 20    | NX            | No-execute page protection. See “Page Translation and Protection” in APM Volume 2.                                                                                              |
| 19:18 | —             | Reserved                                                                                                                                                                        |
| 17    | PSE36         | Page-size extensions. Same as CPUID Fn0000_0001_EDX[PSE36].                                                                                                                     |
| 16    | PAT           | Page attribute table. Same as CPUID Fn0000_0001_EDX[PAT].                                                                                                                       |
| 15    | CMOV          | Conditional move instructions. Same as CPUID Fn0000_0001_EDX[CMOV].                                                                                                             |
| 14    | MCA           | Machine check architecture. Same as CPUID Fn0000_0001_EDX[MCA].                                                                                                                 |
| 13    | PGE           | Page global extension. Same as CPUID Fn0000_0001_EDX[PGE].                                                                                                                      |
| 12    | MTRR          | Memory-type range registers. Same as CPUID Fn0000_0001_EDX[MTRR].                                                                                                               |
| 11    | SysCallSysRet | SYSCALL and SYSRET instructions. See “SYSCALL” and “SYSRET” in APM Volume 3.                                                                                                    |
| 10    | —             | Reserved                                                                                                                                                                        |
| 9     | APIC          | Advanced programmable interrupt controller. Same as CPUID Fn0000_0001_EDX[APIC].                                                                                                |
| 8     | CMPXCHG8B     | CMPXCHG8B instruction. Same as CPUID Fn0000_0001_EDX[CMPXCHG8B].                                                                                                                |
| 7     | MCE           | Machine check exception. Same as CPUID Fn0000_0001_EDX[MCE].                                                                                                                    |
| 6     | PAE           | Physical-address extensions. Same as CPUID Fn0000_0001_EDX[PAE].                                                                                                                |
| 5     | MSR           | AMD model-specific registers. Same as CPUID Fn0000_0001_EDX[MSR].                                                                                                               |
| 4     | TSC           | Time stamp counter. Same as CPUID Fn0000_0001_EDX[TSC].                                                                                                                         |

| Bits | Field Name | Description                                                          |
|------|------------|----------------------------------------------------------------------|
| 3    | PSE        | Page-size extensions. Same as CPUID Fn0000_0001_EDX[PSE].            |
| 2    | DE         | Debugging extensions. Same as CPUID Fn0000_0001_EDX[DE].             |
| 1    | VME        | Virtual-mode enhancements. Same as CPUID Fn0000_0001_EDX[VME].       |
| 0    | FPU        | x87 floating-point unit on-chip. Same as CPUID Fn0000_0001_EDX[FPU]. |

#### E.4.3 Functions 8000\_0002h–8000\_0004h—Extended Processor Name String

##### CPUID Fn8000\_000[4:2]\_E[D,C,B,A]X Processor Name String Identifier

The three extended functions from Fn8000\_0002 to Fn8000\_0004 are programmed to return a null terminated ASCII string up to 48 characters in length corresponding to the processor name.

| Bits | Field Name | Description                                            |
|------|------------|--------------------------------------------------------|
| 31:0 | ProcName   | Four characters of the extended processor name string. |

The 48 character maximum includes the terminating null character. The 48 character string is ordered first to last (left to right) as follows:

Fn8000\_0002[EAX[7:0],..., EAX[31:24], EBX[7:0],..., EBX[31:24], ECX[7:0],..., ECX[31:24], EDX[7:0],..., EDX[31:24]],

Fn8000\_0003[EAX[7:0],..., EAX[31:24], EBX[7:0],..., EBX[31:24], ECX[7:0],..., ECX[31:24], EDX[7:0],..., EDX[31:24]],

Fn8000\_0004[EAX[7:0],..., EAX[31:24], EBX[7:0],..., EBX[31:24], ECX[7:0],..., ECX[31:24], EDX[7:0],..., EDX[31:24]].

The extended processor name string is programmed by system firmware. See your processor revision guide for information about how to display the extended processor name string.

#### E.4.4 Function 8000\_0005h—L1 Cache and TLB Information

This function provides first level cache TLB characteristics for the processor that executes the instruction.

##### CPUID Fn8000\_0005\_EAX L1 TLB 2M/4M Information

The value returned in EAX provides information about the L1 TLB for 2-MB and 4-MB pages.

| Bits  | Field Name        | Description                                                                                                                                                                                                                                                                 |
|-------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:24 | L1DTlb2and4MAssoc | Data TLB associativity for 2-MB and 4-MB pages. Encoding is per Table E-3 below.                                                                                                                                                                                            |
| 23:16 | L1DTlb2and4MSize  | Data TLB number of entries for 2-MB and 4-MB pages. The value returned is for the number of entries available for the 2-MB page size; 4-MB pages require two 2-MB entries, so the number of entries available for the 4-MB page size is one-half the returned value.        |
| 15:8  | L1ITlb2and4MAssoc | Instruction TLB associativity for 2-MB and 4-MB pages. Encoding is per Table E-3 below.                                                                                                                                                                                     |
| 7:0   | L1ITlb2and4MSize  | Instruction TLB number of entries for 2-MB and 4-MB pages. The value returned is for the number of entries available for the 2-MB page size; 4-MB pages require two 2-MB entries, so the number of entries available for the 4-MB page size is one-half the returned value. |

The associativity fields (L1DTlb2and4MAssoc and L1ITlb2and4MAssoc) are encoded as follows:

**Table E-3. L1 Cache and TLB Associativity Field Encodings**

| Associativity [7:0] | Definition                                 |
|---------------------|--------------------------------------------|
| 00h                 | Reserved                                   |
| 01h                 | 1 way (direct mapped)                      |
| 02h–FEh             | $n$ -way associative. (field encodes $n$ ) |
| FFh                 | Fully associative                          |

### **CPUID Fn8000\_0005\_EBX L1 TLB 4K Information**

The value returned in EBX provides information about the L1 TLB for 4-KB pages.

| Bits  | Field Name    | Description                                                                    |
|-------|---------------|--------------------------------------------------------------------------------|
| 31:24 | L1DTlb4KAssoc | Data TLB associativity for 4 KB pages. Encoding is per Table E-3 above.        |
| 23:16 | L1DTlb4KSize  | Data TLB number of entries for 4 KB pages.                                     |
| 15:8  | L1ITlb4KAssoc | Instruction TLB associativity for 4 KB pages. Encoding is per Table E-3 above. |
| 7:0   | L1ITlb4KSize  | Instruction TLB number of entries for 4 KB pages.                              |

The associativity fields (L1DTlb4KAssoc and L1ITlb4KAssoc) are encoded as specified in Table E-3 on page 645.

### **CPUID Fn8000\_0005\_ECX L1 Data Cache Information**

The value returned in ECX provides information about the first level data cache.

| Bits  | Field Name      | Description                                             |
|-------|-----------------|---------------------------------------------------------|
| 31:24 | L1DcSize        | L1 data cache size in KB.                               |
| 23:16 | L1DcAssoc       | L1 data cache associativity. Encoding is per Table E-3. |
| 15:8  | L1DcLinesPerTag | L1 data cache lines per tag.                            |
| 7:0   | L1DcLineSize    | L1 data cache line size in bytes.                       |

The associativity field (L1DcAssoc) is encoded as specified in Table E-3 on page 645.

#### **CPUID Fn8000\_0005\_EDX L1 Instruction Cache Information**

The value returned in EDX provides information about the first level instruction cache.

| Bits  | Field Name      | Description                                                    |
|-------|-----------------|----------------------------------------------------------------|
| 31:24 | L1IcSize        | L1 instruction cache size KB.                                  |
| 23:16 | L1IcAssoc       | L1 instruction cache associativity. Encoding is per Table E-3. |
| 15:8  | L1IcLinesPerTag | L1 instruction cache lines per tag.                            |
| 7:0   | L1IcLineSize    | L1 instruction cache line size in bytes.                       |

The associativity field (L1IcAssoc) is encoded as specified in Table E-3 on page 645.

#### **E.4.5 Function 8000\_0006h—L2 Cache and TLB and L3 Cache Information**

This function provides the second level cache and TLB characteristics for the logical processor that executes the instruction. The EDX register returns the processor’s third level cache characteristics that are shared by all logical processors in the package.

#### **CPUID Fn8000\_0006\_EAX L2 TLB 2M/4M Information**

The value returned in EAX provides information about the L2 TLB for 2-MB and 4-MB pages.

| Bits  | Field Name        | Description                                                                                                                                                                                                                                                             |
|-------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:28 | L2DTlb2and4MAssoc | L2 data TLB associativity for 2-MB and 4-MB pages. Encoding is per Table E-4 below.                                                                                                                                                                                     |
| 27:16 | L2DTlb2and4MSize  | L2 data TLB number of entries for 2-MB and 4-MB pages. The value returned is for the number of entries available for the 2 MB page size; 4 MB pages require two 2 MB entries, so the number of entries available for the 4 MB page size is one-half the returned value. |

| Bits  | Field Name        | Description                                                                                                                                                                                                                                                                    |
|-------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 15:12 | L2ITlb2and4MAssoc | L2 instruction TLB associativity for 2-MB and 4-MB pages. Encoding is per Table E-4 below.                                                                                                                                                                                     |
| 11:0  | L2ITlb2and4MSize  | L2 instruction TLB number of entries for 2-MB and 4-MB pages. The value returned is for the number of entries available for the 2 MB page size; 4 MB pages require two 2 MB entries, so the number of entries available for the 4 MB page size is one-half the returned value. |

The associativity fields (L2DTlb2and4MAssoc and L2ITlb2and4MAssoc) are encoded as follows:

**Table E-4. L2/L3 Cache and TLB Associativity Field Encoding**

| Associativity [3:0] | Definition                                                  |
|---------------------|-------------------------------------------------------------|
| 0h                  | L2/L3 cache or TLB is disabled.                             |
| 1h                  | Direct mapped.                                              |
| 2h                  | 2-way associative.                                          |
| 3h                  | 3-way associative.                                          |
| 4h                  | 4 to 5-way associative.                                     |
| 5h                  | 6 to 7-way associative.                                     |
| 6h                  | 8 to 15-way associative.                                    |
| 7h                  | Permanently reserved                                        |
| 8h                  | 16 to 31-way associative.                                   |
| 9h                  | Value for all fields should be determined from Fn8000_001D. |
| Ah                  | 32 to 47-way associative.                                   |
| Bh                  | 48 to 63-way associative.                                   |
| Ch                  | 64 to 95-way associative.                                   |
| Dh                  | 96 to 127-way associative.                                  |
| Eh                  | More than 128-way associative but not fully associative.    |
| Fh                  | Fully associative.                                          |

### CPUID Fn8000\_0006\_EBX L2 TLB 4K Information

The value returned in EBX provides information about the L2 TLB for 4-KB pages.

| Bits  | Field Name    | Description                                                                       |
|-------|---------------|-----------------------------------------------------------------------------------|
| 31:28 | L2DTlb4KAssoc | L2 data TLB associativity for 4-KB pages. Encoding is per Table E-4 above.        |
| 27:16 | L2DTlb4KSize  | L2 data TLB number of entries for 4-KB pages.                                     |
| 15:12 | L2ITlb4KAssoc | L2 instruction TLB associativity for 4-KB pages. Encoding is per Table E-4 above. |
| 11:0  | L2ITlb4KSize  | L2 instruction TLB number of entries for 4-KB pages.                              |

The associativity fields (L2DTlb4KAssoc and L2ITlb4KAssoc) are encoded per Table E-4 above.

### **CPUID Fn8000\_0006\_ECX L2 Cache Information**

The value returned in ECX provides information about the L2 cache.

| Bits  | Field Name    | Description                                              |
|-------|---------------|----------------------------------------------------------|
| 31:16 | L2Size        | L2 cache size in KB.                                     |
| 15:12 | L2Assoc       | L2 cache associativity. Encoding is per Table E-4 above. |
| 11:8  | L2LinesPerTag | L2 cache lines per tag.                                  |
| 7:0   | L2LineSize    | L2 cache line size in bytes.                             |

The associativity field (L2Assoc) is encoded per Table E-4 on page 647.

### **CPUID Fn8000\_0006\_EDX L3 Cache Information**

The value returned in EDX provides the third level cache characteristics shared by all logical processors in the package.

| Bits  | Field Name    | Description                                                                                                          |
|-------|---------------|----------------------------------------------------------------------------------------------------------------------|
| 31:18 | L3Size        | Specifies the L3 cache size range:<br>$(L3Size[31:18] * 512KB) \leq L3\ cache\ size < ((L3Size[31:18]+1) * 512KB)$ . |
| 17:16 | —             | Reserved                                                                                                             |
| 15:12 | L3Assoc       | L3 cache associativity. Encoded per Table E-4 on page 647.                                                           |
| 11:8  | L3LinesPerTag | L3 cache lines per tag.                                                                                              |
| 7:0   | L3LineSize    | L3 cache line size in bytes.                                                                                         |

The associativity field (L3Assoc) is encoded per Table E-4 on page 647.

## **E.4.6 Function 8000\_0007h—Processor Power Management and RAS Capabilities**

This function provides information about the power management, power reporting, and RAS capabilities of the processor that executes the instruction. There may be other processor-specific features and reporting capabilities not covered here. Refer to the *BIOS and Kernel Developer’s Guide* for your specific product to obtain more information.

### **CPUID Fn8000\_0007\_EAX Reserved**

| Bits | Field Name | Description |
|------|------------|-------------|
| 31:0 | —          | Reserved    |

## CPUID Fn8000\_0007\_EBX RAS Capabilities

The value returned in EBX provides information about RAS features that allow system software to detect specific hardware errors.

| Bits | Field Name       | Description                                                                                                                                                                                                                                                                                                     |
|------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:4 | —                | Reserved                                                                                                                                                                                                                                                                                                        |
| 3    | ScalableMca      | 0=MCA is not supported. 1=MCA is supported; the MCAX MSR addresses are supported; MCA Extension (MCAX) support. Indicates support for MCAX MSRs. MCA_CONFIG[Mcax] is present in all MCA banks.                                                                                                                  |
| 2    | HWA              | Hardware assert support. Indicates support for MSRC001_10[DF:C0].                                                                                                                                                                                                                                               |
| 1    | SUCCOR           | Software uncorrectable error containment and recovery capability. The processor supports software containment of uncorrectable errors through context synchronizing data poisoning and deferred error interrupts; see APM Volume 2, Chapter 9, “Determining Machine-Check Architecture Support.”                |
| 0    | McaOverflowRecov | MCA overflow recovery support. If set, indicates that MCA overflow conditions (MCi_STATUS[Overflow]=1) are not fatal; software may safely ignore such conditions. If clear, MCA overflow conditions require software to shut down the system. See APM Volume 2, Chapter 9, “Handling Machine Check Exceptions.” |

## CPUID Fn8000\_0007\_ECX Processor Power Monitoring Interface

The value returned in ECX provides information about the implementation of the processor power monitoring interface.

| Bits | Field Name            | Description                                                                                                                                               |
|------|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:0 | CpuPwrSampleTimeRatio | Specifies the ratio of the compute unit power accumulator sample period to the TSC counter period. Returns a value of 0 if not applicable for the system. |

## CPUID Fn8000\_0007\_EDX Advanced Power Management Features

The value returned in EDX provides information about the advanced power management and power reporting features available. Refer to the *BIOS and Kernel Developer’s Guide* for your specific product for a detailed description of the definition of each power management feature.

| Bits  | Field Name            | Description                                                                                                                            |
|-------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------|
| 31:13 | —                     | Reserved                                                                                                                               |
| 12    | ProcPowerReporting    | Processor power reporting interface supported.                                                                                         |
| 11    | ProcFeedbackInterface | Processor feedback interface. Value: 1. 1=Indicates support for processor feedback interface. <b>Note:</b> This feature is deprecated. |

| Bits | Field Name   | Description                                                                                                                                                                                                                                                                                                     |
|------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 10   | EffFreqRO    | Read-only effective frequency interface. 1=Indicates presence of MSRC000_00E7 [Read-Only Max Performance Frequency Clock Count (MPerfReadOnly)] and MSRC000_00E8 [Read-Only Actual Performance Frequency Clock Count (APerfReadOnly)].                                                                          |
| 9    | CPB          | Core performance boost.                                                                                                                                                                                                                                                                                         |
| 8    | TscInvariant | TSC invariant. The TSC rate is ensured to be invariant across all P-States, C-States, and stop grant transitions (such as STPCLK Throttling); therefore the TSC is suitable for use as a source of time. 0 = No such guarantee is made and software should avoid attempting to use the TSC as a source of time. |
| 7    | HwPstate     | Hardware P-state control. MSRC001_0061 [P-state Current Limit], MSRC001_0062 [P-state Control] and MSRC001_0063 [P-state Status] exist.                                                                                                                                                                         |
| 6    | 100MHzSteps  | 100 MHz multiplier Control.                                                                                                                                                                                                                                                                                     |
| 5    | —            | Reserved.                                                                                                                                                                                                                                                                                                       |
| 4    | TM           | Hardware thermal control (HTC).                                                                                                                                                                                                                                                                                 |
| 3    | TTP          | THERMTRIP.                                                                                                                                                                                                                                                                                                      |
| 2    | VID          | Voltage ID control. Function replaced by HwPstate.                                                                                                                                                                                                                                                              |
| 1    | FID          | Frequency ID control. Function replaced by HwPstate.                                                                                                                                                                                                                                                            |
| 0    | TS           | Temperature sensor.                                                                                                                                                                                                                                                                                             |

#### E.4.7 Function 8000\_0008h—Processor Capacity Parameters and Extended Feature Identification

This function provides the size or capacity of various architectural parameters that vary by implementation, as well as an extension to the Fn8000\_0001 feature identifiers.

##### CPUID Fn8000\_0008\_EAX Long Mode Size Identifiers

The value returned in EAX provides information about the maximum host and guest physical and linear address width (in bits) supported by the processor.

| Bits  | Field Name        | Description                                                                                                                                                                                                                                              |
|-------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:24 | —                 | Reserved                                                                                                                                                                                                                                                 |
| 23:16 | GuestPhysAddrSize | Maximum guest physical address size in bits. This number applies only to guests using nested paging. When this field is zero, refer to the PhysAddrSize field for the maximum guest physical address size. See “Secure Virtual Machine” in APM Volume 2. |
| 15:8  | LinAddrSize       | Maximum linear address size in bits.                                                                                                                                                                                                                     |
| 7:0   | PhysAddrSize      | Maximum physical address size in bits. When GuestPhysAddrSize is zero, this field also indicates the maximum guest physical address size.                                                                                                                |

The address width reported is the maximum supported in any mode. For long mode capable processors, the size reported is independent of whether long mode is enabled. See “Processor Initialization and Long-Mode Activation” in APM Volume 2.

### **CPUID Fn8000\_0008\_EBX Extended Feature Identifiers**

The value returned in EBX is an extension to the Fn8000\_0001 feature flags and indicates the presence of various ISA extensions.

| Bit   | Field Name           | Description                                                |
|-------|----------------------|------------------------------------------------------------|
| 31    | —                    | Reserved                                                   |
| 30    | IBPB_RET             | IBPB clears return address predictor.                      |
| 29    | BTC_NO               | The processor is not affected by branch type confusion.    |
| 28    | PSFD                 | Predictive Store Forward Disable.                          |
| 27    | CPPC                 | Collaborative Processor Performance Control.               |
| 26    | SsbdNotRequired      | SSBD not needed on this processor.                         |
| 25    | SsbdVirtSpecCtrl     | Use VIRT_SPEC_CTL MSR (C001_011Fh) for SSBD.               |
| 24    | SSBD                 | Speculative Store Bypass Disable.                          |
| 23:22 | —                    | Reserved                                                   |
| 21    | INVLPGNestedPages    | INVLPG support for invalidating guest nested translations. |
| 20    | EferLmsleUnsupported | EFER.LMSLE is unsupported.                                 |
| 19    | IbrsSameMode         | IBRS provides same mode speculation limits.                |
| 18    | IbrsPreferred        | IBRS is preferred to software solution.                    |
| 17    | StibpAlwaysOn        | Setting STIBP to 1 once is recommended.                    |
| 16    | IbrsAlwaysOn         | Setting IBRS to 1 once is recommended.                     |
| 15    | STIBP                | Single Thread Indirect Branch Prediction mode.             |
| 14    | IBRS                 | Indirect Branch Restricted Speculation.                    |
| 13    | INT_WBINVD           | WBINVD/WBNOINVD instructions are interruptible.            |
| 12    | IBPB                 | Indirect Branch Prediction Barrier.                        |
| 11:10 | —                    | Reserved.                                                  |
| 9     | WBNOINVD             | WBNOINVD instruction supported.                            |
| 8     | MCOMMIT              | MCOMMIT instruction supported.                             |
| 7     | —                    | Reserved                                                   |
| 6     | BE                   | Bandwidth Enforcement Extension.                           |
| 5     | —                    | Reserved                                                   |
| 4     | RDPRU                | RDPRU instruction supported.                               |
| 3     | INVLPG               | INVLPG and TLBSYNC instruction supported.                  |
| 2     | RstrFpErrPtrs        | FP Error Pointers Restored by XRSTOR.                      |
| 1     | InstRetCntMsr        | Instruction Retired Counter MSR available.                 |
| 0     | CLZERO               | CLZERO instruction supported.                              |

**CPUID Fn8000\_0008\_ECX Size Identifiers**

The value returned in ECX provides information about the number of cores supported by the processor, the width of the APIC ID, and the width of the performance time-stamp counter.

| Bits  | Field Name  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |      |             |     |         |     |         |     |         |     |         |
|-------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|-------------|-----|---------|-----|---------|-----|---------|-----|---------|
| 31:18 | —           | Reserved                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |      |             |     |         |     |         |     |         |     |         |
| 17:16 | PerfTscSize | <p>Performance time-stamp counter size. Indicates the size of MSRC001_0280[PTSC].</p> <table> <thead> <tr> <th>Bits</th><th>Description</th></tr> </thead> <tbody> <tr> <td>00b</td><td>40 bits</td></tr> <tr> <td>01b</td><td>48 bits</td></tr> <tr> <td>10b</td><td>56 bits</td></tr> <tr> <td>11b</td><td>64 bits</td></tr> </tbody> </table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Bits | Description | 00b | 40 bits | 01b | 48 bits | 10b | 56 bits | 11b | 64 bits |
| Bits  | Description |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |      |             |     |         |     |         |     |         |     |         |
| 00b   | 40 bits     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |      |             |     |         |     |         |     |         |     |         |
| 01b   | 48 bits     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |      |             |     |         |     |         |     |         |     |         |
| 10b   | 56 bits     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |      |             |     |         |     |         |     |         |     |         |
| 11b   | 64 bits     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |      |             |     |         |     |         |     |         |     |         |
| 15:12 | ApicIdSize  | <p>APIC ID size. The number of bits in the initial APIC20[ApicId] value that indicate logical processor ID within a package. The size of this field determines the maximum number of logical processors (MNLP) that the package could theoretically support, and not the actual number of logical processors that are implemented or enabled in the package, as indicated by CPUID Fn8000_0008_ECX[NC]. A value of zero indicates that legacy methods must be used to determine the maximum number of logical processors, as indicated by CPUID Fn8000_0008_ECX[NC].</p> <pre> if (ApicIdSize[3:0] == 0) {     // Used by legacy dual-core/single-core processors     MNLP = CPUID Fn8000_0008_ECX[NC] + 1; } else {     // use ApicIdSize[3:0] field     MNLP = (2 raised to the power of ApicIdSize[3:0]); } </pre> |      |             |     |         |     |         |     |         |     |         |
| 11:8  | —           | Reserved                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |      |             |     |         |     |         |     |         |     |         |
| 7:0   | NC          | Number of physical threads - 1. The number of threads in the processor is NC+1 (e.g., if NC = 0, then there is one thread). See “Legacy Method” on page 671.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |      |             |     |         |     |         |     |         |     |         |

**CPUID Fn8000\_0008\_EDX RDPRU Register Identifier Range**

The value returned in EDX identifies the maximum recognized register identifier for the RDPRU instruction.

| Bits  | Field Name      | Description                                 |
|-------|-----------------|---------------------------------------------|
| 31:16 | MaxRdpruID      | The maximum ECX value recognized by RDPRU.  |
| 15:0  | InvlpgbCountMax | Maximum page count for INVLPGB instruction. |

## E.4.8 Function 8000\_0009h—Reserved

### CPUID Fn8000\_0009 Reserved

This function is reserved.

## E.4.9 Function 8000\_000Ah—SVM Features

This function provides information about the SVM features that the processor supports. If SVM is not supported (CPUID Fn8000\_0001\_ECX[SVM] = 0), this function is reserved.

### CPUID Fn8000\_000A\_EAX SVM Revision and Feature Identification

The value returned in EAX provides the SVM revision number.

| Bits | Field Name | Description          |
|------|------------|----------------------|
| 31:8 | —          | Reserved             |
| 7:0  | SvmRev     | SVM revision number. |

### CPUID Fn8000\_000A\_EBX SVM Revision and Feature Identification

The value returned in EBX provides the number of address space identifiers (ASIDs) that the processor supports.

| Bits | Field Name | Description                                           |
|------|------------|-------------------------------------------------------|
| 31:0 | NASID      | Number of available address space identifiers (ASID). |

### CPUID Fn8000\_000A\_ECX SVM Feature Identification

The value returned in EDX provides Secure Virtual Machine architecture feature information. All cross references in the table below are to sections within the “Secure Virtual Machine” on page 497 of APM Volume 2.

| Bits | Field Name | Description                          |
|------|------------|--------------------------------------|
| 31:7 | —          | Reserved                             |
| 6    | x2AVIC_EXT | 4096 vCPUs supported in x2AVIC mode. |
| 5:0  | —          | Reserved                             |

### CPUID Fn8000\_000A\_EDX SVM Feature Identification

The value returned in EDX provides Secure Virtual Machine architecture feature information. All cross references in the table below are to sections within the “Secure Virtual Machine” on page 497 of APM Volume 2.

| Bits | Field Name            | Description                                                                                                                                                                                                       |
|------|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31   | —                     | Reserved                                                                                                                                                                                                          |
| 30   | IdleHltIntercept      | Idle HLT intercept.                                                                                                                                                                                               |
| 29   | BusLockThreshold      | Bus Lock Threshold.                                                                                                                                                                                               |
| 28   | NestedVirtVmcbAddrChk | Guest VMCB address check.                                                                                                                                                                                         |
| 27   | ExtLvtAvicAccessChg   | Extended Interrupt Local Vector Table Register AVIC Access changes. See “Virtual APIC Register Accesses.”                                                                                                         |
| 26   | IbsVirt               | IBS Virtualization. See “Instruction-Based Sampling Virtualization.”                                                                                                                                              |
| 25   | VNMI                  | NMI Virtualization. See “NMI Virtualization.”                                                                                                                                                                     |
| 24   | TlbiCtl               | INVLPG/TLB SYNC hypervisor enable in VMCB and TLB SYNC intercept support.                                                                                                                                         |
| 23   | HOST_MCE_OVERRIDE     | When host CR4.MCE=1 and guest CR4.MCE=0, machine check exceptions (#MC) in a guest do not cause shutdown and are always intercepted.                                                                              |
| 22   | —                     | Reserved                                                                                                                                                                                                          |
| 21   | ROGPT                 | Read-Only Guest Page Table feature support. See “Nested Table Walk.”                                                                                                                                              |
| 20   | SpecCtrl              | SPEC_CTRL virtualization.                                                                                                                                                                                         |
| 19   | SSSCheck              | SVM supervisor shadow stack restrictions. See “Supervisor Shadow Stack Restrictions.”                                                                                                                             |
| 18   | x2AVIC                | Support for the AMD advanced virtual interrupt controller for x2APIC mode. See “Advanced Virtual Interrupt Controller.”                                                                                           |
| 17   | GMET                  | Guest Mode Execution Trap.                                                                                                                                                                                        |
| 16   | VGIF                  | Virtualize the Global Interrupt Flag. See “Nested Virtualization.”                                                                                                                                                |
| 15   | VMSAVEvirt            | VMSAVE and VMLOAD virtualization. See “Nested Virtualization.”                                                                                                                                                    |
| 14   | —                     | Reserved                                                                                                                                                                                                          |
| 13   | AVIC                  | Support for the AMD advanced virtual interrupt controller. See “Advanced Virtual Interrupt Controller.”                                                                                                           |
| 12   | PauseFilterThreshold  | PAUSE filter threshold. Indicates support for the PAUSE filter cycle count threshold. See “Pause Intercept Filtering.”                                                                                            |
| 11   | —                     | Reserved                                                                                                                                                                                                          |
| 10   | PauseFilter           | Pause intercept filter. Indicates support for the pause intercept filter. See “Pause Intercept Filtering.”                                                                                                        |
| 9    | —                     | Reserved                                                                                                                                                                                                          |
| 8    | PmcVirt               | PMC virtualization. See “Performance Monitoring Counter Virtualization.”                                                                                                                                          |
| 7    | DecodeAssists         | Decode assists. Indicates support for the decode assists. See “Decode Assists.”                                                                                                                                   |
| 6    | FlushByAsid           | Flush by ASID. Indicates that TLB flush events, including CR3 writes and CR4.PGE toggles, flush only the current ASID’s TLB entries. Also indicates support for the extended VMCB TLB_Control. See “TLB Control.” |
| 5    | VmcbClean             | VMCB clean bits. Indicates support for VMCB clean bits. See “VMCB Clean Bits.”                                                                                                                                    |

| Bits | Field Name | Description                                                                                                                                         |
|------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| 4    | TscRateMsr | MSR based TSC rate control. Indicates support for MSR TSC ratio MSRC000_0104. See “TSC Ratio MSR (C000_0104h).”                                     |
| 3    | NRIPS      | NRIP save. Indicates support for NRIP save on #VMEXIT. See “State Saved on Exit.”                                                                   |
| 2    | SVML       | SVM lock. Indicates support for SVM-Lock. See “Enabling SVM.”                                                                                       |
| 1    | LbrVirt    | LBR virtualization. Indicates support for LBR Virtualization. See “Hardware Acceleration for LBR Virtualization” in Section 15.23.1 of APM Volume 2 |
| 0    | NP         | Nested paging. Indicates support for nested paging. See “Nested Paging.”                                                                            |

#### E.4.10 Functions 8000\_000Bh–8000\_0018h—Reserved

##### CPUID Fn8000\_00[18:0B] Reserved

These functions are reserved.

#### E.4.11 Function 8000\_0019h—TLB Characteristics for 1GB pages

This function provides information about the TLB for 1 GB pages for the processor that executes the instruction.

##### CPUID Fn8000\_0019\_EAX L1 TLB 1G Information

The value returned in EAX provides information about the L1 TLB for 1 GB pages.

| Bits  | Field Name    | Description                                                                 |
|-------|---------------|-----------------------------------------------------------------------------|
| 31:28 | L1DTlb1GAssoc | L1 data TLB associativity for 1 GB pages. See Table E-4 on page 647.        |
| 27:16 | L1DTlb1GSize  | L1 data TLB number of entries for 1 GB pages.                               |
| 15:12 | L1ITlb1GAssoc | L1 instruction TLB associativity for 1 GB pages. See Table E-4 on page 647. |
| 11:0  | L1ITlb1GSize  | L1 instruction TLB number of entries for 1 GB pages.                        |

##### CPUID Fn8000\_0019\_EBX L2 TLB 1G Information

The value returned in EBX provides information about the L2 TLB for 1 GB pages.

| Bits  | Field Name    | Description                                                                 |
|-------|---------------|-----------------------------------------------------------------------------|
| 31:28 | L2DTlb1GAssoc | L2 data TLB associativity for 1 GB pages. See Table E-4 on page 647.        |
| 27:16 | L2DTlb1GSize  | L2 data TLB number of entries for 1 GB pages.                               |
| 15:12 | L2ITlb1GAssoc | L2 instruction TLB associativity for 1 GB pages. See Table E-4 on page 647. |
| 11:0  | L2ITlb1GSize  | L2 instruction TLB number of entries for 1 GB pages.                        |

**CPUID Fn8000\_0019\_E[D,C]X Reserved**

The values returned in ECX and EDX for this function are undefined and reserved for future use.

**E.4.12 Function 8000\_001Ah—Instruction Optimizations****CPUID Fn8000\_001A\_EAX Performance Optimization Identifiers**

This function returns performance related information. For more details on how to use these bits to optimize software, see the *Software Optimization Guide* applicable to your product.

| Bits | Field Name | Description                                                                                                                                                                  |
|------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:3 | —          | Reserved                                                                                                                                                                     |
| 2    | FP256      | The internal FP/SIMD execution data path is 256 bits wide.                                                                                                                   |
| 1    | MOVU       | MOVU SSE instructions are more efficient and should be preferred to SSE MOVL/MOVH. MOVUPS is more efficient than MOVLPS/MOVHPS. MOVUPD is more efficient than MOVLPD/MOVHPD. |
| 0    | FP128      | The internal FP/SIMD execution data path is 128 bits wide.                                                                                                                   |

**CPUID Fn8000\_001A\_E[D,C,B]X Reserved**

The values returned in EBX, ECX, and EDX are undefined for this function and are reserved.

**E.4.13 Function 8000\_001Bh—Instruction-Based Sampling Capabilities**

If instruction-based sampling (IBS) is supported (CPUID Fn8000\_0001\_ECX[IBS] = 1), this CPUID function can be used to obtain IBS feature information. If IBS is not supported (CPUID Fn8000\_0001\_ECX[IBS] = 0), this function number is reserved. For more information on using IBS, see “Instruction-Based Sampling” in APM Volume 2.

**CPUID Fn8000\_001B\_EAX Instruction-Based Sampling Feature Indicators**

The value returned in EAX provides the following information about the specific features of IBS that the processor supports:

| Bits  | Field Name         | Description                                                             |
|-------|--------------------|-------------------------------------------------------------------------|
| 31:12 |                    | Reserved                                                                |
| 11    | IbsL3MissFiltering | L3 Miss Filtering for IBS supported. See IBS Filtering in APM Volume 2. |
| 10:9  |                    | Reserved                                                                |
| 8     | OpBrnFuse          | Fused branch micro-op indication supported.                             |
| 7     | RipInvalidChk      | Invalid RIP indication supported.                                       |
| 6     | OpCntExt           | IbsOpCurCnt and IbsOpMaxCnt extend by 7 bits.                           |

| Bits | Field Name | Description                                |
|------|------------|--------------------------------------------|
| 5    | BrnTrgt    | Branch target address reporting supported. |
| 4    | OpCnt      | Op counting mode supported.                |
| 3    | RdWrOpCnt  | Read write of op counter supported.        |
| 2    | OpSam      | IBS execution sampling supported.          |
| 1    | FetchSam   | IBS fetch sampling supported.              |
| 0    | IBSFFV     | IBS feature flags valid.                   |

**CPUID Fn8000\_001B\_E[D,C,B]X Reserved**

The values returned in EBX, ECX, and EDX are undefined and are reserved.

**E.4.14 Function 8000\_001Ch—Lightweight Profiling Capabilities**

If lightweight profiling (LWP) is supported (CPUID Fn8000\_0001\_ECX[LWP] = 1), this CPUID function can be used to obtain information about LWP features supported by the processor. If LWP is not supported (CPUID Fn8000\_0001\_ECX[LWP] = 0), this function number is reserved. For more information on using LWP, see “Lightweight Profiling” in APM Volume 2.

**CPUID Fn8000\_001C\_EAX Lightweight Profiling Capabilities 0**

The value returned in EAX provides the following information about LWP capabilities supported by the processor:

| Bits | Field Name | Description                                                  |
|------|------------|--------------------------------------------------------------|
| 31   | Lwplnt     | Interrupt on threshold overflow available.                   |
| 30   | LwpPTSC    | Performance time stamp counter in event record is available. |
| 29   | LwpCont    | Sampling in continuous mode is available.                    |
| 28:7 | —          | Reserved                                                     |
| 6    | LwpRNH     | Core reference clocks not halted event available.            |
| 5    | LwpCNH     | Core clocks not halted event available.                      |
| 4    | LwpDME     | DC miss event available.                                     |
| 3    | LwpBRE     | Branch retired event available.                              |
| 2    | LwpIRE     | Instructions retired event available.                        |
| 1    | LwpVAL     | LWPVAL instruction available.                                |
| 0    | LwpAvail   | The LWP feature is available.                                |

**CPUID Fn8000\_001C\_EBX Lightweight Profiling Capabilities 0**

The value returned in EBX provides the following additional information about LWP capabilities supported by the processor:

| Bits  | Field Name     | Description                                                                       |
|-------|----------------|-----------------------------------------------------------------------------------|
| 31:24 | LwpEventOffset | Offset in bytes from the start of the LWPCB to the EventInterval1 field.          |
| 23:16 | LwpMaxEvents   | Maximum EventId value supported.                                                  |
| 15:8  | LwpEventSize   | Event record size. Size in bytes of an event record in the LWP event ring buffer. |
| 7:0   | LwpCbSize      | Control block size. Size in quadwords of the LWPCB.                               |

### CPUID Fn8000\_001C\_EDX Lightweight Profiling Capabilities 0

The value returned in ECX provides the following additional information about LWP capabilities supported by the processor:

| Bits  | Field Name          | Description                                                                                                                        |
|-------|---------------------|------------------------------------------------------------------------------------------------------------------------------------|
| 31    | LwpCacheLatency     | Cache latency filtering supported. Cache-related events can be filtered by latency.                                                |
| 30    | LwpCacheLevels      | Cache level filtering supported. Cache-related events can be filtered by the cache level that returned the data.                   |
| 29    | LwpIpFiltering      | IP filtering supported.                                                                                                            |
| 28    | LwpBranchPrediction | Branch prediction filtering supported. Branches Retired events can be filtered based on whether the branch was predicted properly. |
| 27:24 | —                   | Reserved                                                                                                                           |
| 23:16 | LwpMinBufferSize    | Event ring buffer size. Minimum size of the LWP event ring buffer, in units of 32 event records.                                   |
| 15:9  | LwpVersion          | Version of LWP implementation.                                                                                                     |
| 8:6   | LwpLatencyRnd       | Amount by which cache latency is rounded.                                                                                          |
| 5     | LwpDataAddress      | Data cache miss address valid. Address is valid for cache miss event records.                                                      |
| 4:0   | LwpLatencyMax       | Latency counter size. Size in bits of the cache latency counters.                                                                  |

### CPUID Fn8000\_001C\_EDX Lightweight Profiling Capabilities 0

The value returned in EDX provides the following additional information about LWP capabilities supported by the processor:

| Bits | Field Name | Description                                                  |
|------|------------|--------------------------------------------------------------|
| 31   | LwpInt     | Interrupt on threshold overflow supported.                   |
| 30   | LwpPTSC    | Performance time stamp counter in event record is supported. |
| 29   | LwpCont    | Sampling in continuous mode is supported.                    |
| 28:7 | —          | Reserved                                                     |
| 6    | LwpRNH     | Core reference clocks not halted event is supported.         |
| 5    | LwpCNH     | Core clocks not halted event is supported.                   |
| 4    | LwpDME     | DC miss event is supported.                                  |
| 3    | LwpBRE     | Branch retired event is supported.                           |

| Bits | Field Name | Description                              |
|------|------------|------------------------------------------|
| 2    | LwpIRE     | Instructions retired event is supported. |
| 1    | LwpVAL     | LWPVAL instruction is supported.         |
| 0    | LwpAvail   | Lightweight profiling is supported.      |

#### E.4.15 Function 8000\_001Dh—Cache Topology Information

CPUID Fn8000\_001D reports cache topology information for the cache enumerated by the value passed to the instruction in ECX, referred to as Cache  $n$  in the following description. To gather information for all cache levels, software must repeatedly execute CPUID with 8000\_001Dh in EAX and ECX set to increasing values beginning with 0 until a value of 00h is returned in the field CacheType (EAX[4:0]) indicating no more cache descriptions are available for this processor.

If CPUID Fn8000\_0001\_ECX[TopologyExtensions] = 0, then CPUID Fn8000\_001Dh is reserved. Any value in ECX which does not select an existing cache will return a Null cache type in EAX[4:0].

#### CPUID Fn8000\_001D\_EAX\_x[N:0] Cache Properties

| Bits  | Field Name         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|-------|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:26 | —                  | Reserved                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 25:14 | NumSharingCache    | <p>Specifies the number of logical processors sharing the cache enumerated by <math>N</math>, the value passed to the instruction in ECX. The number of logical processors sharing this cache is the value of this field incremented by 1. To determine which logical processors are sharing a cache, determine a Share Id for each processor as follows:</p> $\text{ShareId} = \text{LocalApicId} \gg \log_2(\text{NumSharingCache}+1)$ <p>Logical processors with the same ShareId then share a cache. If NumSharingCache+1 is not a power of two, round it up to the next power of two.</p> |
| 13:10 | —                  | Reserved                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 9     | FullyAssociative   | Fully associative cache. When set, indicates that the cache is fully associative. If 0 is returned in this field, the cache is set associative.                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 8     | SelfInitialization | Self-initializing cache. When set, indicates that the cache is self initializing; software initialization not required. If 0 is returned in this field, hardware does not initialize this cache.                                                                                                                                                                                                                                                                                                                                                                                               |

| Bits      | Field Name            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                          |      |             |      |                       |      |            |      |                   |      |               |           |           |
|-----------|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|-------------|------|-----------------------|------|------------|------|-------------------|------|---------------|-----------|-----------|
| 7:5       | CacheLevel            | <p>Cache level. Identifies the level of this cache. Note that the enumeration value is not necessarily equal to the cache level.</p> <table> <thead> <tr> <th>Bits</th><th>Description</th></tr> </thead> <tbody> <tr> <td>000b</td><td>Reserved.</td></tr> <tr> <td>001b</td><td>Level 1</td></tr> <tr> <td>010b</td><td>Level 2</td></tr> <tr> <td>011b</td><td>Level 3</td></tr> <tr> <td>111b-100b</td><td>Reserved.</td></tr> </tbody> </table> | Bits | Description | 000b | Reserved.             | 001b | Level 1    | 010b | Level 2           | 011b | Level 3       | 111b-100b | Reserved. |
| Bits      | Description           |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 000b      | Reserved.             |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 001b      | Level 1               |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 010b      | Level 2               |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 011b      | Level 3               |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 111b-100b | Reserved.             |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 4:0       | CacheType             | <p>Cache type. Identifies the type of cache.</p> <table> <thead> <tr> <th>Bits</th><th>Description</th></tr> </thead> <tbody> <tr> <td>00h</td><td>Null; no more caches.</td></tr> <tr> <td>01h</td><td>Data cache</td></tr> <tr> <td>02h</td><td>Instruction cache</td></tr> <tr> <td>03h</td><td>Unified cache</td></tr> <tr> <td>1Fh-04h</td><td>Reserved</td></tr> </tbody> </table>                                                             | Bits | Description | 00h  | Null; no more caches. | 01h  | Data cache | 02h  | Instruction cache | 03h  | Unified cache | 1Fh-04h   | Reserved  |
| Bits      | Description           |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 00h       | Null; no more caches. |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 01h       | Data cache            |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 02h       | Instruction cache     |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 03h       | Unified cache         |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |
| 1Fh-04h   | Reserved              |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |      |             |      |                       |      |            |      |                   |      |               |           |           |

**CPUID Fn8000\_001D\_EBX\_x[N:0] Cache Properties**

See CPUID Fn8000\_001D\_EAX\_x[N:0].

| Bits  | Field Name          | Description                                                                                                                      |
|-------|---------------------|----------------------------------------------------------------------------------------------------------------------------------|
| 31:22 | CacheNumWays        | Number of ways for this cache. The number of ways is the value returned in this field incremented by 1.                          |
| 21:12 | CachePhysPartitions | Number of physical line partitions. The number of physical line partitions is the value returned in this field incremented by 1. |
| 11:0  | CacheLineSize       | Cache line size. The cache line size in bytes is the value returned in this field incremented by 1.                              |

**CPUID Fn8000\_001D\_ECX\_x[N:0] Cache Properties**

See CPUID Fn8000\_001D\_EAX\_x[N:0].

| Bits | Field Name   | Description                                                                                                                                                                                                     |
|------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:0 | CacheNumSets | Number of ways for set associative cache. Number of ways is the value returned in this field incremented by 1. Only valid for caches that are not fully associative (Fn8000_001D_EAX_xn[FullyAssociative] = 0). |

**CPUID Fn8000\_001D\_EDX\_x[N:0] Cache Properties**

See CPUID Fn8000\_001D\_EAX\_x[N:0].

| Bits | Field Name     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
|------|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:2 | —              | Reserved                                                                                                                                                                                                                                                                                                                                                                                                         |
| 1    | Cachelnclusive | Cache inclusivity. A value of 0 indicates that this cache is not inclusive of lower cache levels. A value of 1 indicates that the cache is inclusive of lower cache levels.                                                                                                                                                                                                                                      |
| 0    | WBINVD         | Write-Back Invalidate/Invalidate execution scope. A value of 0 returned in this field indicates that the WBINVD/INVLD instruction invalidates all lower level caches of non-originating logical processors sharing this cache. When set, this field indicates that the WBINVD/INVLD instruction is not guaranteed to invalidate all lower level caches of non-originating logical processors sharing this cache. |

**E.4.16 Function 8000\_001Eh—Processor Topology Information****CPUID Fn8000\_001E\_EAX Extended APIC ID**

If CPUID Fn8000\_0001\_ECX[TopologyExtensions] = 0, this function number is reserved.

| Bits | Field Name     | Description                                                            |
|------|----------------|------------------------------------------------------------------------|
| 31:0 | ExtendedApicId | Extended APIC ID. If MSR0000_001B[ApicEn] = 0, this field is reserved. |

**CPUID Fn8000\_001E\_EBX Compute Unit Identifiers**

See CPUID Fn8000\_001E\_EAX.

| Bits  | Field Name            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|-------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:16 | —                     | Reserved                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| 15:8  | ThreadsPerComputeUnit | <p>Threads per compute unit (zero-based count). The actual number of threads per compute unit is the value of this field + 1. To determine which logical processors (threads) belong to a given Compute Unit, determine a ShareId for each processor as follows:</p> <p>ShareId = LocalApicId &gt;&gt; log2(ThreadsPerComputeUnit+1)</p> <p>Logical processors with the same ShareId then belong to the same Compute Unit. (If ThreadsPerComputeUnit+1 is not a power of two, round it up to the next power of two).</p> |
| 7:0   | ComputeUnitId         | Compute unit ID. Identifies a Compute Unit, which may be one or more physical cores that each implement one or more logical processors.                                                                                                                                                                                                                                                                                                                                                                                  |

**CPUID Fn8000\_001E(ECX) Node Identifiers**

See CPUID Fn8000\_001E\_EAX.

| <b>Bits</b> | <b>Field Name</b> | <b>Description</b>                                                                                                                                                                                                       |
|-------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:0        | —                 | Reserved                                                                                                                                                                                                                 |
| 10:8        | NodesPerProcessor | Specifies the number of nodes in the package/socket in which this logical processor resides. Node in this context corresponds to a processor die. Encoding is N-1, where N is the number of nodes present in the socket. |
| 7:0         | NodeID            | Specifies the ID of the node containing the current logical processor. NodeID values are unique across the system.                                                                                                       |

**CPUID Fn8000\_001E(EDX) Reserved**

The value returned in EDX is undefined and is reserved.

**E.4.17 Function 8000\_001Fh—SEV Capabilities****CPUID Fn8000\_001F\_EAX SEV Capabilities**

| <b>Bits</b> | <b>Field Name</b>  | <b>Description</b>                                                          |
|-------------|--------------------|-----------------------------------------------------------------------------|
| 31          | IpbpOnEntry        | IBPB on Entry supported.                                                    |
| 30          | HvInUseWrAllowed   | Writes to Hypervisor-Owned pages are allowed when marked in-use.            |
| 29          | NestedVirtSnpMsr   | VIRT_RMPUPDATE MSR (C001_F001h) and VIRT_PSMASH MSR (C001_F002h) supported. |
| 28          | SvsmCommPageMsr    | SVSM Communication Page MSR (C001_F000h) is supported.                      |
| 27          | AllowedSevFeatures | Allowed SEV Features supported.                                             |
| 26          | SecureAvic         | Secure AVIC supported.                                                      |
| 25          | SmtProtection      | SMT Protection supported.                                                   |
| 24          | VmsaRegProt        | VMSA Register Protection supported.                                         |
| 23          | SegmentedRmp       | Segmented RMP supported.                                                    |
| 22          | GuestInterceptCtl  | Guest intercept control supported.                                          |
| 21          | RMPREAD            | RMPREAD Instruction supported.                                              |
| 20          | PmcVirtGuestCtl    | PMC Virtualization supported for SEV-ES and SEV-SNP guests.                 |
| 19          | IbsVirtGuestCtl    | IBS Virtualization supported for SEV-ES and SEV-SNP guests.                 |
| 18          | VirtualTomMsr      | Virtual TOM MSR supported.                                                  |
| 17          | VmgexitParameter   | VMGEXIT Parameter supported.                                                |
| 16          | VTE                | Virtual Transparent Encryption supported.                                   |
| 15          | PreventHostIbs     | Disallowing IBS use by the host supported.                                  |
| 14          | DebugVirt          | Full debug state virtualization supported for SEV-ES and SEV-SNP guests.    |

| Bits | Field Name           | Description                                                  |
|------|----------------------|--------------------------------------------------------------|
| 13   | AlternateInjection   | Alternate Injection supported.                               |
| 12   | RestrictedInjection  | Restricted Injection supported.                              |
| 11   | 64BitHost            | SEV guest execution only allowed from a 64-bit host.         |
| 10   | HwEnfCacheCoh        | Hardware cache coherency across encryption domains enforced. |
| 9    | TscAuxVirtualization | TSC AUX Virtualization supported.                            |
| 8    | SecureTsc            | Secure TSC supported.                                        |
| 7    | VmplSSS              | VMPL Supervisor Shadow Stack supported.                      |
| 6    | RMPQUERY             | RMPQUERY Instruction supported                               |
| 5    | VMPL                 | VM Permission Levels supported.                              |
| 4    | SEV-SNP              | SEV Secure Nested Paging supported.                          |
| 3    | SEV-ES               | SEV Encrypted State supported.                               |
| 2    | PageFlushMsr         | Page Flush MSR available.                                    |
| 1    | SEV                  | Secure Encrypted Virtualization supported.                   |
| 0    | SME                  | Secure Memory Encryption supported.                          |

### **CPUID Fn8000\_001F\_EBX SEV Capabilities**

| Bits  | Field Name        | Description                               |
|-------|-------------------|-------------------------------------------|
| 31:16 | —                 | Reserved                                  |
| 15:12 | NumVMPL           | Number of VM Permission Levels supported. |
| 11:6  | PhysAddrReduction | Physical Address bit reduction.           |
| 5:0   | CbitPosition      | C-bit location in page table entry.       |

### **CPUID Fn8000\_001F\_ECX SEV Capabilities**

| Bits | Field Name         | Description                                          |
|------|--------------------|------------------------------------------------------|
| 31:0 | NumEncryptedGuests | Number of encrypted guests supported simultaneously. |

### **CPUID Fn8000\_001F\_EDX Minimum ASID**

| Bits | Field Name     | Description                                                   |
|------|----------------|---------------------------------------------------------------|
| 31:0 | MinSevNoEsAsid | Minimum ASID value for an SEV enabled, SEV-ES disabled guest. |

### **E.4.18 Function 8000\_0020—PQOS Extended Features**

This CPUID function can be used to obtain PQOS Extended feature information. For more information on using PQOS, see “Platform Quality of Service” in APM Volume 2.

## **CPUID Fn8000\_0020\_x0 PQOS Extended Features**

Subfunction 0 provides information about PQOS Extended feature capabilities.

| <b>Register</b> | <b>Bits</b> | <b>Field Name</b> | <b>Description</b>                                                 |
|-----------------|-------------|-------------------|--------------------------------------------------------------------|
| EAX             | 31:0        | —                 | Reserved                                                           |
| EBX             | 31:7        | —                 | Reserved                                                           |
|                 | 6           | SDCIAE            | Smart Data Cache Injection (SDCI) Allocation Enforcement.          |
|                 | 5           | ABMC              | Assignable Bandwidth Monitoring Counters.                          |
|                 | 4           | L3RR              | L3 Range Reservations. See “L3 Range Reservation” in APM Volume 2. |
|                 | 3           | BMEC              | Bandwidth Monitoring Event Configuration.                          |
|                 | 2           | L3SMBE            | Slow Memory Bandwidth Enforcement.                                 |
|                 | 1           | L3MBE             | Memory Bandwidth Enforcement.                                      |
|                 | 0           | —                 | Reserved                                                           |
| ECX             | 31:0        | —                 | Reserved                                                           |
| EDX             | 31:0        | —                 | Reserved                                                           |

## **CPUID Fn8000\_0020\_x1 L3 Memory Bandwidth Enforcement Information**

Subfunction 1 provides information about the L3MBE feature, if this feature is supported (CPUID Fn8000\_0020\_EBX\_x0[L3MBE] = 1). If L3MBE is not supported this function is reserved. For more information on L3MBE, see “Platform Quality of Service” in APM Volume 2.

| <b>Register</b> | <b>Bits</b> | <b>Field Name</b> | <b>Description</b>                                                                   |
|-----------------|-------------|-------------------|--------------------------------------------------------------------------------------|
| EAX             | 31:0        | BW_LEN            | Identifies the size of the bandwidth specifier field in the L3QOS_BW_Control_n MSRs. |
| EBX             | 31:0        | —                 | Reserved                                                                             |
| ECX             | 31:0        | —                 | Reserved                                                                             |
| EDX             | 31:0        | COS_MAX           | Maximum COS number supported by the L3MBE feature.                                   |

## **CPUID Fn8000\_0020\_x2 L3 Slow Memory Bandwidth Enforcement Information**

Subfunction 2 provides information about the L3SMBE feature, if this feature is supported (CPUID Fn8000\_0020\_EBX\_x0[L3SMBE] = 1). If L3MBE is not supported this function is reserved. For more information on L3SMBE, see “Platform Quality of Service” in APM Volume 2.

| Register | Bits | Field Name | Description                                                                              |
|----------|------|------------|------------------------------------------------------------------------------------------|
| EAX      | 31:0 | BW_LEN     | Identifies the size of the bandwidth specifier field in the L3QOS_SLOWBW_Control_n MSRs. |
| EBX      | 31:0 | —          | Reserved                                                                                 |
| ECX      | 31:0 | —          | Reserved                                                                                 |
| EDX      | 31:0 | COS_MAX    | Maximum COS number supported by the L3SMBE feature.                                      |

### **CPUD Fn8000\_0020\_x3 Bandwidth Monitoring Event Counters Information**

Subfunction 3 provides information about the BMEC feature, if this feature is supported (CPUID Fn8000\_0020\_EBX\_x0[BMEC] = 1). If BMEC is not supported this function is reserved. For more information on L3MBE, see “Platform Quality of Service” in APM Volume 2.

| Register | Bits | Field Name              | Description                                         |
|----------|------|-------------------------|-----------------------------------------------------|
| EAX      | 31:0 | —                       | Reserved                                            |
| EBX      | 31:8 | —                       | Reserved                                            |
|          | 7:0  | EVT_NUM                 | Number of configurable bandwidth events.            |
| ECX      | 31:7 | —                       | Reserved                                            |
|          | 6    | L3CacheVicMon           | Dirty victim writes to all types of memory.         |
|          | 5    | L3CacheRmtSlowBwFillMon | Reads to remote memory identified as “Slow Memory”. |
|          | 4    | L3CacheLclSlowBwFillMon | Reads to local memory identified as “Slow Memory”.  |
|          | 3    | L3CacheRmtBwNtWrMon     | Non-temporal writes to remote memory.               |
|          | 2    | L3CacheLclBwNtWrMon     | Non-temporal writes to local memory.                |
|          | 1    | L3CacheRmtBwFillMon     | Reads to remote DRAM memory.                        |
|          | 0    | L3CacheLclBwFillMon     | Reads to local DRAM memory.                         |
|          | 31:0 | —                       | Reserved                                            |

### **CPUD Fn8000\_0020\_x5 Assignable Bandwidth Monitoring Counters Information**

Subfunction 5 provides information about the ABMC feature, if this feature is supported (CPUID Fn8000\_0020\_EAX\_x0[ABMC] = 1). If ABMC is not supported this function is reserved. For more information on ABMC see “Platform Quality of Service” in APM Volume 2.

| Register | Bits | Field Name  | Description                                                                                                                                                                          |
|----------|------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| EAX      | 31:7 | —           | Reserved                                                                                                                                                                             |
|          | 8    | OverflowBit | Indicates that QM_CTR bit 61 is an overflow bit.                                                                                                                                     |
|          | 7:0  | CounterSize | QM_CTR counter width, offset from 24 bits.<br>If 0, the family, model, and stepping should be used to determine the counter size. See “Platform Quality of Service” in APM Volume 2. |

| Register | Bits  | Field Name | Description                                                                                     |
|----------|-------|------------|-------------------------------------------------------------------------------------------------|
| EBX      | 31:16 | —          | Reserved                                                                                        |
|          | 15:0  | MAX_ABMC   | Maximum supported ABMC counter ID.                                                              |
| ECX      | 31:1  | —          | Reserved                                                                                        |
|          | 0     | Select_COS | Bandwidth counters can be configured to measure bandwidth consumed by a COS instead of an RMID. |
| EDX      | 31:0  | —          | Reserved                                                                                        |

#### E.4.19 Function 8000\_0021—Extended Feature Identification 2

##### CPUID Fn8000\_0021\_EAX Extended Feature 2

| Bits  | Field Name          | Description                                                                                                     |
|-------|---------------------|-----------------------------------------------------------------------------------------------------------------|
| 31    | SRSO_MSR_FIX        | Software may use MSR_BP_CFG[BpSpecReduce] to mitigate Speculative Return Stack Overflow vulnerability.          |
| 30    | SRSO_USER_KERNEL_NO | The processor is not affected by Speculative Return Stack Overflow vulnerability across user/kernel boundaries. |
| 29    | SRSO_NO             | The processor is not affected by Speculative Return Stack Overflow vulnerability.                               |
| 28    | IBPB_BRTYPE         | PRED_CMD[IBPB] clears all branch type predictions from the branch predictor.                                    |
| 27    | SBPB                | Selective Branch Predictor Barrier supported.                                                                   |
| 26:25 | —                   | Reserved                                                                                                        |
| 24    | ERAPS               | Enhanced Return Address Predictor Security supported.                                                           |
| 23:22 | —                   | Reserved                                                                                                        |
| 21    | FP512_DOWNGRADE     | FP512 is downgraded to FP256.                                                                                   |
| 20    | PREFETCHI           | IC prefetch supported.                                                                                          |
| 19    | FAST_REP_SCASB      | Fast short REP SCASB supported.                                                                                 |
| 18    | EPSF                | Enhanced Predictive Store Forwarding supported.                                                                 |
| 17    | CpuidUserDis        | CPUID disable for non-privileged software.                                                                      |
| 16    | Opcode0F017Reclaim  | 0F 01/7 opcode space is reserved for AMD use.                                                                   |
| 15    | AMD_ERMSB           | AMD implementation of Enhanced REP MOVS/STOSB is supported.                                                     |
| 14    | L2TlbSizeX32        | L2TLB sizes are encoded as multiples of 32.                                                                     |
| 13    | PrefetchCtlMsr      | Prefetch control MSR supported. See Core::X86::Msr::PrefetchControl in BKDG or PPR for details.                 |
| 12    | Pmc2PreciseRetire   | MSR PerfEvtSel2[PreciseRetire] is supported.                                                                    |
| 11    | FastShortRepeCmpsb  | Fast short REPE CMPSB supported.                                                                                |
| 10    | FastShortRepStosb   | Fast short REP STOSB supported.                                                                                 |
| 9     | NoSmmCtlMSR         | SMM_CTL MSR (C001_0116h) is not supported.                                                                      |
| 8     | AutomaticIBRS       | Automatic IBRS.                                                                                                 |

| Bits | Field Name                  | Description                                                                             |
|------|-----------------------------|-----------------------------------------------------------------------------------------|
| 7    | UpperAddressIgnore          | Upper Address Ignore is supported.                                                      |
| 6    | NullSelectClearsBase        | Null segment selector loads also clear the destination segment register base and limit. |
| 5:4  | —                           | Reserved                                                                                |
| 3    | SmmPgCfgLock                | SMM paging configuration lock supported.                                                |
| 2    | LFenceAlwaysSerializing     | LFENCE is always dispatch serializing.                                                  |
| 1    | FsGsBaseWriteNotSerializing | WRMSR to FS.Base, GS.Base and KernelGSBase MSRs is not serializing.                     |
| 0    | NoNestedDataBp              | Processor ignores nested data breakpoints.                                              |

### CPUID Fn8000\_0021\_EBX Extended Feature 2

| Bits  | Field Name         | Description                                                                                                      |
|-------|--------------------|------------------------------------------------------------------------------------------------------------------|
| 31:24 | —                  | Reserved                                                                                                         |
| 23:16 | RapSize            | Return Address Predictor size                                                                                    |
| 15:0  | MicrocodePatchSize | The size of the Microcode patch in 16-byte multiples. If 0, the size of the patch is at most 5568 (15C0h) bytes. |

### CPUID Fn8000\_0021\_E[C,D]X Reserved

The values returned in ECX and EDX are undefined and reserved.

## E.4.20 Function 8000\_0022—Extended Performance Monitoring and Debug

### CPUID Fn8000\_0022\_EAX Extended Performance Monitoring and Debug

| Bits | Field Name      | Description                                                                                                                       |
|------|-----------------|-----------------------------------------------------------------------------------------------------------------------------------|
| 31:3 | —               | Reserved                                                                                                                          |
| 2    | LbrAndPmcFreeze | Freezing Core Performance Counters and LBR Stack on Core Performance Counter overflow supported.                                  |
| 1    | LbrStack        | Last Branch Record Stack supported.                                                                                               |
| 0    | PerfMonV2       | Performance Monitoring Version 2 supported. When set, CPUID_Fn8000_0022_EBX reports the number of available performance counters. |

### CPUID Fn8000\_0022\_EBX Extended Performance Monitoring and Debug

| Bits  | Field Name     | Description                                         |
|-------|----------------|-----------------------------------------------------|
| 31:16 | —              | Reserved                                            |
| 15:10 | NumPerfCtrNB   | Number of Northbridge Performance Monitor Counters. |
| 9:4   | LbrStackSize   | Number of Last Branch Record Stack entries.         |
| 3:0   | NumPerfCtrCore | Number of Core Performance Counters.                |

**CPUID Fn8000\_0022\_E[C,D]X Reserved**

The values returned in ECX and EDX are undefined and are reserved.

**E.4.21 Function 8000\_0023—Multi-Key Encrypted Memory Capabilities****CPUID Fn8000\_0023\_EAX Secure Multi-Key Encryption**

| Bits | Field Name | Description                                                       |
|------|------------|-------------------------------------------------------------------|
| 31:1 | —          | Reserved                                                          |
| 0    | MemHmk     | Secure Host Multi-Key Memory (MEM-HMK) Encryption Mode Supported. |

**CPUID Fn8000\_0023\_EBX Secure Multi-Key Encryption**

| Bits  | Field Name         | Description                                                                            |
|-------|--------------------|----------------------------------------------------------------------------------------|
| 31:16 | —                  | Reserved                                                                               |
| 15:0  | MaxMemHmkEncrKeyID | Number of simultaneously available host encryption key IDs in MEM-HMK encryption mode. |

**CPUID Fn8000\_0023\_E[C,D]X Reserved**

The values returned in ECX and EDX are undefined and are reserved.

**E.4.22 Function 8000\_0024—Reserved****E.4.23 Function 8000\_0025—SEV Capabilities 2****CPUID Fn8000\_0025\_EAX SEV Capabilities 2**

| Bits  | Field Name    | Description                        |
|-------|---------------|------------------------------------|
| 31:12 | —             | Reserved                           |
| 11:6  | MaxRmpSegSize | Maximum supported RMP segment size |
| 5:0   | MinRmpSegSize | Minimum supported RMP segment size |

**CPUID Fn8000\_0025\_EBX SEV Capabilities 2**

| Bits  | Field Name        | Description                              |
|-------|-------------------|------------------------------------------|
| 31:11 | —                 | Reserved                                 |
| 10    | NumSegReduction   | Number of RMP segments is reduced        |
| 9:0   | NumCachedSegments | Number of cached RMP segment definitions |

### **CPUID Fn8000\_0025\_E[C,D]X Reserved**

The values returned in ECX and EDX are undefined and are reserved.

#### **E.4.24 Function 8000\_0026—Extended CPU Topology**

CPUID Fn8000\_0026 reports extended topology information for logical processors, including asymmetric and heterogeneous topology descriptions. Individual logical processors may report different values in systems with asynchronous and heterogeneous topologies.

The topology level is selected by the value passed to the instruction in ECX. To discover the topology of a system, software should execute CPUID Fn8000\_0026 with increasing ECX values, starting with a value of zero, until the returned hierarchy level type (CPUID Fn8000\_0026(ECX[LevelType])) is equal to zero. It is not guaranteed that all topology level types are present in the system.

Software may use asymmetric and heterogeneous indicators reported by CPUID Fn8000\_0026\_EAX[31:29] for each hierarchy level to efficiently determine system topology. If CPUID Fn8000\_0026\_EAX[31:29] is equal to zero at a given hierarchy level, all components at this level are symmetric and homogeneous. If CPUID Fn8000\_0026\_EAX[31:29] is not equal to zero, software should use APIC ID, APIC ID mask (derived from CPUID Fn8000\_0026\_EAX[MaskWidth]), and the number of logical processors at a hierarchy level (CPUID Fn8000\_0026[NumLogProc]) to determine asymmetric and heterogeneous component properties at this hierarchy level.

**CPUID Fn8000\_0026\_EAX\_n[N:0] Extended CPU Topology**

| <b>Bits</b> | <b>Field Name</b>          | <b>Description</b>                                                                                                                                 |
|-------------|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
| 31          | AsymmetricTopology         | Set to 1 if all components at the current hierarchy level do not report the same number of logical processors (NumLogProc).                        |
| 30          | HeterogeneousCores         | Set to 1 if all components at the current hierarchy level do not consist of the cores that report the same core type (CoreType).                   |
| 29          | EfficiencyRankingAvailable | Set to 1 if processor power efficiency ranking (PwrEfficiencyRanking) is available and varies between cores. Only valid for LevelType = 1h (Core). |
| 28:5        | —                          | Reserved                                                                                                                                           |
| 4:0         | MaskWidth                  | Number of bits to shift Extended APIC ID right to get a unique topology ID of the current hierarchy level.                                         |

**CPUID Fn8000\_0026\_EBX\_n[N:0] Extended CPU Topology**

| <b>Bits</b> | <b>Field Name</b>    | <b>Description</b>                                                                                                                                                                                                                                                                                                                                                         |
|-------------|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31:28       | CoreType             | Reports a value that may be used to distinguish between cores with different architectural and microarchitectural properties (for example, cores with different performance or power characteristics). Refer to the <i>Processor Programming Reference Manual</i> applicable to your product for a list of the available core types. Only valid for LevelType = 1h (Core). |
| 27:24       | NativeModelID        | Reports a value that may be used to further differentiate implementation specific features. Native mode ID is used in conjunction with the family, model, and stepping identifiers. Refer to the <i>Processor Programming Reference Manual</i> applicable to your product for a list of Native Mode IDs. Only valid for LevelType = 1h (Core).                             |
| 23:16       | PwrEfficiencyRanking | Reports a static efficiency ranking between cores of a specific core type, where a lower value indicates comparatively lower power consumption and lower performance. Only valid for LevelType = 1h (Core).                                                                                                                                                                |
| 15:0        | NumLogProc           | Number of logical processors at the current hierarchy level.                                                                                                                                                                                                                                                                                                               |

**CPUID Fn8000\_0026\_ECX\_n[N:0] Extended CPU Topology**

| <b>Bits</b>  | <b>Field Name</b>  | <b>Description</b>                                                                                                                                                                                                                                                                                                                                                                            |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
|--------------|--------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------|----|----------|----|------|----|---------|----|-----|----|--------|---------|----------|
| 31:16        | —                  | Reserved                                                                                                                                                                                                                                                                                                                                                                                      |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
| 15:8         | LevelType          | <p>Encoded hierarchy level type.</p> <table> <thead> <tr> <th><b>Value</b></th> <th><b>Description</b></th> </tr> </thead> <tbody> <tr> <td>0h</td> <td>Reserved</td></tr> <tr> <td>1h</td> <td>Core</td></tr> <tr> <td>2h</td> <td>Complex</td></tr> <tr> <td>3h</td> <td>Die</td></tr> <tr> <td>4h</td> <td>Socket</td></tr> <tr> <td>FFh-05h</td> <td>Reserved</td></tr> </tbody> </table> | <b>Value</b> | <b>Description</b> | 0h | Reserved | 1h | Core | 2h | Complex | 3h | Die | 4h | Socket | FFh-05h | Reserved |
| <b>Value</b> | <b>Description</b> |                                                                                                                                                                                                                                                                                                                                                                                               |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
| 0h           | Reserved           |                                                                                                                                                                                                                                                                                                                                                                                               |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
| 1h           | Core               |                                                                                                                                                                                                                                                                                                                                                                                               |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
| 2h           | Complex            |                                                                                                                                                                                                                                                                                                                                                                                               |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
| 3h           | Die                |                                                                                                                                                                                                                                                                                                                                                                                               |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
| 4h           | Socket             |                                                                                                                                                                                                                                                                                                                                                                                               |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |
| FFh-05h      | Reserved           |                                                                                                                                                                                                                                                                                                                                                                                               |              |                    |    |          |    |      |    |         |    |     |    |        |         |          |

| Bits | Field Name | Description     |
|------|------------|-----------------|
| 7:0  | InputEcx   | Input ECX[7:0]. |

### CPUID Fn8000\_0026\_EDX\_n[N:0] Extended CPU Topology

| Bits | Field Name     | Description                                |
|------|----------------|--------------------------------------------|
| 31:0 | ExtendedApicId | Extended APIC ID of the logical processor. |

## E.5 Multiple Processor Calculation

Operating systems may use one of two possible methods to calculate the actual number of logical processors per package (NC), and the maximum possible number of logical processors per package (MNLP). The extended method is recommended, but a legacy method is also available.

### E.5.1 Legacy Method

The CPUID identification of total number of logical processors per package is derived from information returned by the following fields:

- CPUID Fn0000\_0001\_EBX[LogicalProcessorCount]
- CPUID Fn0000\_0001\_EDX[HTT] (Hyper-Threading Technology)
- CPUID Fn8000\_0001\_ECX[CmpLegacy]
- CPUID Fn8000\_0008\_ECX[NC]

Table E-5 defines LogicalProcessorCount, HTT, CmpLegacy, and NC as a function of the number of logical processors per package (n).

When HTT = 0, LogicalProcessorCount is reserved and the package contains one logical processor.

When HTT = 1 and CmpLegacy = 1, LogicalProcessorCount represents the number of logical processors per package (n).

**Table E-5. LogicalProcessorCount, CmpLegacy, HTT, and NC**

| Logical Processors per package | CmpLegacy | HTT | LogicalProcessorCount | NC  |
|--------------------------------|-----------|-----|-----------------------|-----|
| 1                              | 0         | 0   | Reserved              | 0   |
| 2 or more                      | 1         | 1   | n                     | n-1 |

The use of CmpLegacy and LogicalProcessorCount for determining the number of logical processors is deprecated. Instead, use NC to determine the number of logical processors per package.

### E.5.2 Extended Method (Recommended)

The CPUID identification of total number of logical processors per package is derived from information returned by the CPUID Fn8000\_0008\_ECX[ApicIdSize[3:0]]. This field indicates the number of least sig-

nificant bits in the CPUID Fn0000\_0001\_EBX[LocalApicId] that indicates logical processor ID within the package. The size of this field determines the maximum number of logical processors (MNLP) that the package could theoretically support, and not the actual number of logical processors that are implemented or enabled in the package, as indicated by CPUID Fn8000\_0008\_ECX[NC].

A value of zero for ApicIdSize[3:0] indicates that the legacy method (section E5.1) should be used to derive the maximum number of logical processors:

$$\text{MNLP} = \text{CPUID Fn8000_0008(ECX[NC])} + 1.$$

And for non-zero values of ApicIdSize[3:0]:

$$\text{MNLP} = 2^{\text{ApicIdSize}[3:0]}$$

## Appendix F Instruction Effects on RFLAGS

The flags in the RFLAGS register are described in “Flags Register” in APM Volume 1 and “RFLAGS Register” in APM Volume 2. Table F-1 summarizes the effect that instructions have on these flags. The table includes all instructions that affect the flags. Instructions not shown have no effect on RFLAGS.

The following codes are used within the table:

- 0—The flag is always cleared to 0.
- 1—The flag is always set to 1.
- AH—The flag is loaded with value from AH register.
- Mod—The flag is modified, depending on the results of the instruction.
- Pop—The flag is loaded with value popped off of the stack.
- Tst—The flag is tested.
- U—The effect on the flag is undefined.
- Gray shaded cells indicate that the flag is not affected by the instruction.

**Table F-1. Instruction Effects on RFLAGS**

| Instruction Mnemonic | RFLAGS Mnemonic and Bit Number |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      |         |     |  |
|----------------------|--------------------------------|--------|--------|-------|-------|-------|-------|------------|-------|-------|------|------|------|------|---------|------|---------|-----|--|
|                      | ID 21                          | VIP 20 | VIF 19 | AC 18 | VM 17 | RF 16 | NT 14 | IOPL 13:12 | OF 11 | DF 10 | IF 9 | TF 8 | SF 7 | ZF 6 | AF 4    | PF 2 | CF 0    |     |  |
| AAA                  |                                |        |        |       |       |       |       |            | U     |       |      |      | U    | U    | Tst Mod | U    | Mod     |     |  |
| AAS                  |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      |         |     |  |
| AAD                  |                                |        |        |       |       |       |       |            | U     |       |      |      | Mod  | Mod  | U       | Mod  | U       |     |  |
| AAM                  |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      |         |     |  |
| ADC                  |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  | Tst Mod |     |  |
| ADD                  |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  | Mod     | Mod |  |
| AND                  |                                |        |        |       |       |       |       |            | 0     |       |      |      | Mod  | Mod  | U       | Mod  | 0       |     |  |
| ARPL                 |                                |        |        |       |       |       |       |            |       |       |      |      |      | Mod  |         |      |         |     |  |
| BSF                  |                                |        |        |       |       |       |       |            | U     |       |      |      | U    | Mod  | U       | U    | U       |     |  |
| BSR                  |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      |         |     |  |
| BT                   |                                |        |        |       |       |       |       |            | U     |       |      |      |      |      |         |      |         |     |  |
| BTC                  |                                |        |        |       |       |       |       |            |       |       |      |      | U    | U    | U       | U    | Mod     |     |  |
| BTR                  |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      |         |     |  |
| BTS                  |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      |         |     |  |
| BZHI                 |                                |        |        |       |       |       |       |            | 0     |       |      |      | Mod  | Mod  | U       | U    | Mod     |     |  |
| CLC                  |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      |         | 0   |  |
| CLD                  |                                |        |        |       |       |       |       |            |       | 0     |      |      |      |      |         |      |         |     |  |
| CLI                  |                                | Mod    |        |       |       |       |       | TST        |       |       | Mod  |      |      |      |         |      |         |     |  |
| CMC                  |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |         |      | Mod     |     |  |
| CMOVcc               |                                |        |        |       |       |       |       |            | Tst   |       |      |      | Tst  | Tst  |         | Tst  | Tst     |     |  |

**Table F-1. Instruction Effects on RFLAGS (continued)**

| Instruction Mnemonic                 | RFLAGS Mnemonic and Bit Number |        |        |         |         |       |         |            |       |       |      |      |      |      |         |      |         |
|--------------------------------------|--------------------------------|--------|--------|---------|---------|-------|---------|------------|-------|-------|------|------|------|------|---------|------|---------|
|                                      | ID 21                          | VIP 20 | VIF 19 | AC 18   | VM 17   | RF 16 | NT 14   | IOPL 13:12 | OF 11 | DF 10 | IF 9 | TF 8 | SF 7 | ZF 6 | AF 4    | PF 2 | CF 0    |
| CMP                                  |                                |        |        |         |         |       |         |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  | Mod     |
| CMPSx                                |                                |        |        |         |         |       |         |            | Mod   | Tst   |      |      | Mod  | Mod  | Mod     | Mod  | Mod     |
| CMPXCHG                              |                                |        |        |         |         |       |         |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  | Mod     |
| CMPXCHG8B                            |                                |        |        |         |         |       |         |            |       |       |      |      | Mod  |      |         |      |         |
| CMPXCHG16B                           |                                |        |        |         |         |       |         |            |       |       |      |      | Mod  |      |         |      |         |
| COMISD<br>COMISS                     |                                |        |        |         |         |       |         |            | 0     |       |      |      | 0    | Mod  | 0       | Mod  | Mod     |
| DAA<br>DAS                           |                                |        |        |         |         |       |         |            | U     |       |      |      | Mod  | Mod  | Tst Mod | Mod  | Tst Mod |
| DEC                                  |                                |        |        |         |         |       |         |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  |         |
| DIV                                  |                                |        |        |         |         |       |         |            | U     |       |      |      | U    | U    | U       | U    | U       |
| FCMOVcc                              |                                |        |        |         |         |       |         |            |       |       |      |      | Tst  |      | Tst     | Tst  |         |
| FCOMI<br>FCOMIP<br>FUCOMI<br>FUCOMIP |                                |        |        |         |         |       |         |            |       |       |      |      | Mod  |      | Mod     | Mod  |         |
| IDIV                                 |                                |        |        |         |         |       |         |            | U     |       |      |      | U    | U    | U       | U    | U       |
| IMUL                                 |                                |        |        |         |         |       |         |            | Mod   |       |      |      | U    | U    | U       | U    | Mod     |
| INC                                  |                                |        |        |         |         |       |         |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  |         |
| IN                                   |                                |        |        |         |         |       |         |            | Tst   |       |      |      |      |      |         |      |         |
| INSx                                 |                                |        |        |         |         |       |         |            | Tst   |       | Tst  |      |      |      |         |      |         |
| INT<br>INT 3                         |                                | Mod    | Mod    | Tst Mod | 0       | Mod   | Tst     |            |       | Mod   | 0    |      |      |      |         |      |         |
| INTO                                 |                                |        | Mod    | Tst Mod | 0       | Mod   | Tst     | Tst        |       | Mod   | Mod  |      |      |      |         |      |         |
| IRET <sub>x</sub>                    | Pop                            | Pop    | Pop    | Pop     | Tst Pop | Pop   | Tst Pop | Tst Pop    | Pop   | Pop   | Pop  | Pop  | Pop  | Pop  | Pop     | Pop  | Pop     |
| Jcc                                  |                                |        |        |         |         |       |         |            | Tst   |       |      |      | Tst  | Tst  |         | Tst  | Tst     |
| LAR                                  |                                |        |        |         |         |       |         |            |       |       |      |      | Mod  |      |         |      |         |
| LODS <sub>x</sub>                    |                                |        |        |         |         |       |         |            |       | Tst   |      |      |      |      |         |      |         |
| LOOPE<br>LOOPNE                      |                                |        |        |         |         |       |         |            |       |       |      |      | Tst  |      |         |      |         |
| LSL                                  |                                |        |        |         |         |       |         |            |       |       |      |      | Mod  |      |         |      |         |
| LZCNT                                |                                |        |        |         |         |       |         |            | U     |       |      |      | U    | Mod  | U       | U    | Mod     |
| MOVS <sub>x</sub>                    |                                |        |        |         |         |       |         |            |       | Tst   |      |      |      |      |         |      |         |
| MUL                                  |                                |        |        |         |         |       |         |            | Mod   |       |      |      | U    | U    | U       | U    | Mod     |
| NEG                                  |                                |        |        |         |         |       |         |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  | Mod     |
| OR                                   |                                |        |        |         |         |       |         |            | 0     |       |      |      | Mod  | Mod  | U       | Mod  | 0       |
| OUT                                  |                                |        |        |         |         |       |         |            | Tst   |       |      |      |      |      |         |      |         |
| OUTS <sub>x</sub>                    |                                |        |        |         |         |       |         |            | Tst   |       | Tst  |      |      |      |         |      |         |
| PSMASH                               |                                |        |        |         |         |       |         |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  |         |
| PVALIDATE                            |                                |        |        |         |         |       |         |            | Mod   |       |      |      | Mod  | Mod  | Mod     | Mod  | Mod     |

**Table F-1. Instruction Effects on RFLAGS (continued)**

| Instruction Mnemonic     | RFLAGS Mnemonic and Bit Number |        |        |       |       |       |       |            |       |       |      |      |      |      |      |      |         |
|--------------------------|--------------------------------|--------|--------|-------|-------|-------|-------|------------|-------|-------|------|------|------|------|------|------|---------|
|                          | ID 21                          | VIP 20 | VIF 19 | AC 18 | VM 17 | RF 16 | NT 14 | IOPL 13:12 | OF 11 | DF 10 | IF 9 | TF 8 | SF 7 | ZF 6 | AF 4 | PF 2 | CF 0    |
| POPCNT                   |                                |        |        |       |       |       |       |            | 0     |       |      |      | 0    | Mod  | 0    | 0    | 0       |
| POPFX                    | Pop                            | Tst    | Mod    | Pop   | Tst   | 0     | Pop   | Tst Pop    | Pop   | Pop   | Pop  | Pop  | Pop  | Pop  | Pop  | Pop  | Pop     |
| RCL 1                    |                                |        |        |       |       |       |       |            | Mod   |       |      |      |      |      |      |      | Tst Mod |
| RCL count                |                                |        |        |       |       |       |       |            | U     |       |      |      |      |      |      |      | Tst Mod |
| RCR 1                    |                                |        |        |       |       |       |       |            | Mod   |       |      |      |      |      |      |      | Tst Mod |
| RCR count                |                                |        |        |       |       |       |       |            | U     |       |      |      |      |      |      |      | Tst Mod |
| RMPADJUST                |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod  | Mod  |         |
| RMPQUERY                 |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod  | Mod  |         |
| RMPREAD                  |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod  | Mod  |         |
| RMPUPDATE                |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod  | Mod  |         |
| ROL 1                    |                                |        |        |       |       |       |       |            | Mod   |       |      |      |      |      |      |      | Mod     |
| ROL count                |                                |        |        |       |       |       |       |            | U     |       |      |      |      |      |      |      | Mod     |
| ROR 1                    |                                |        |        |       |       |       |       |            | Mod   |       |      |      |      |      |      |      | Mod     |
| ROR count                |                                |        |        |       |       |       |       |            | U     |       |      |      |      |      |      |      | Mod     |
| RSM                      | Mod                            | Mod    | Mod    | Mod   | Mod   | Mod   | Mod   | Mod        | Mod   | Mod   | Mod  | Mod  | Mod  | Mod  | Mod  | Mod  | Mod     |
| SAHF                     |                                |        |        |       |       |       |       |            |       |       |      | AH   | AH   | AH   | AH   | AH   |         |
| SHL/SAL 1                |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| SHL/SAL count            |                                |        |        |       |       |       |       |            | U     |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| SAR 1                    |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| SAR count                |                                |        |        |       |       |       |       |            | U     |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| SBB                      |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod  | Mod  | Tst Mod |
| SCASx                    |                                |        |        |       |       |       |       |            | Mod   | Tst   |      |      | Mod  | Mod  | Mod  | Mod  | Mod     |
| SETcc                    |                                |        |        |       |       |       |       |            | Tst   |       |      |      | Tst  | Tst  |      | Tst  | Tst     |
| SHLD 1<br>SHRD 1         |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| SHLD count<br>SHRD count |                                |        |        |       |       |       |       |            | U     |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| SHR 1                    |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| SHR count                |                                |        |        |       |       |       |       |            | U     |       |      |      | Mod  | Mod  | U    | Mod  | Mod     |
| STC                      |                                |        |        |       |       |       |       |            |       |       |      |      |      |      |      |      | 1       |
| STD                      |                                |        |        |       |       |       |       |            |       | 1     |      |      |      |      |      |      |         |
| STI                      |                                | Mod    |        |       |       |       |       | Tst        |       |       | Mod  |      |      |      |      |      |         |
| STOSx                    |                                |        |        |       |       |       |       |            |       | Tst   |      |      |      |      |      |      |         |
| SUB                      |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod  | Mod  | Mod     |
| SYSCALL                  | Mod                            | Mod    | Mod    | Mod   | Mod   | 0     | 0     | Mod        | Mod   | Mod   | Mod  | Mod  | Mod  | Mod  | Mod  | Mod  | Mod     |

**Table F-1. Instruction Effects on RFLAGS (continued)**

| Instruction Mnemonic | RFLAGS Mnemonic and Bit Number |        |        |       |       |       |       |            |       |       |      |      |      |      |      |      |      |
|----------------------|--------------------------------|--------|--------|-------|-------|-------|-------|------------|-------|-------|------|------|------|------|------|------|------|
|                      | ID 21                          | VIP 20 | VIF 19 | AC 18 | VM 17 | RF 16 | NT 14 | IOPL 13:12 | OF 11 | DF 10 | IF 9 | TF 8 | SF 7 | ZF 6 | AF 4 | PF 2 | CF 0 |
| SYSENTER             |                                |        |        |       | 0     | 0     |       |            |       |       | 0    |      |      |      |      |      |      |
| SYSRET               | Mod                            | Mod    | Mod    | Mod   |       | 0     | Mod   | Mod        | Mod   | Mod   | Mod  | Mod  | Mod  | Mod  | Mod  | Mod  | Mod  |
| TEST                 |                                |        |        |       |       |       |       |            | 0     |       |      |      | Mod  | Mod  | U    | Mod  | 0    |
| UCOMISD<br>UCOMISS   |                                |        |        |       |       |       |       |            | 0     |       |      |      | 0    | Mod  | 0    | Mod  | Mod  |
| VERR<br>VERW         |                                |        |        |       |       |       |       |            |       |       |      |      | Mod  |      |      |      |      |
| XADD                 |                                |        |        |       |       |       |       |            | Mod   |       |      |      | Mod  | Mod  | Mod  | Mod  | Mod  |
| XOR                  |                                |        |        |       |       |       |       |            | 0     |       |      |      | Mod  | Mod  | U    | Mod  | 0    |

# Index

---

## Numerics

- 0F\_38h opcode map ..... 536  
0F\_3Ah opcode map ..... 536

## A

- addressing  
  effective address ..... 572, 575, 576, 578

- AMD64 Instruction-set Architecture ..... 613  
AMD64 ISA ..... 613

## B

- base field ..... 577, 578

## C

- CMOVcc ..... 531

- condition codes  
  rFLAGS ..... 531, 551

- count ..... 581

- CPUID  
  feature flags ..... 616

## D

- DEC ..... 609

## E

- effective address ..... 572, 575, 576, 578

## F

- FCMOVcc ..... 551

## I

- immediate operands ..... 581

- INC ..... 609

- index field ..... 578

- instructions  
  effects on rFLAGS ..... 673  
  invalid in 64-bit mode ..... 607  
  invalid in long mode ..... 608  
  reassigned in 64-bit mode ..... 608

## J

- Jcc ..... 531

## M

- mod field ..... 575

- mode-register-memory (ModRM) ..... 571

- modes ..... 611  
  64-bit ..... 611

- compatibility ..... 611  
  long ..... 611  
ModRM ..... 571  
ModRM byte ..... 532, 542, 571

## N

- NOP ..... 610

## O

- one-byte opcodes ..... 523  
opcode

- two-byte ..... 525

- opcode map

- 0F\_38h ..... 536

- 0F\_3Ah ..... 536

- primary ..... 523

- secondary ..... 525

- opcode maps ..... 522

- opcodes

- 3DNow!™ ..... 539

- group 1 ..... 532

- group 10 ..... 534

- group 12 ..... 534

- group 13 ..... 534

- group 14 ..... 534

- group 16 ..... 535

- group 17 ..... 535

- group 1a ..... 533

- group 2 ..... 533

- group 3 ..... 533

- group 4 ..... 533

- group 5 ..... 533

- group 6 ..... 534

- group 7 ..... 534

- group 8 ..... 534

- group 9 ..... 534

- group P ..... 535

- groups ..... 532

- ModRM byte ..... 532

- one-byte ..... 523

- x87 opcode map ..... 542

- operands

- immediate ..... 581

- size ..... 581, 582, 608

## P

- primary opcode map ..... 523

## R

- r/m field ..... 532

reg field ..... 532, 572, 574, 575  
registers  
    rFLAGS..... 531, 551, 673  
REX prefix ..... 571  
REX.B bit ..... 575, 577  
REX.R bit ..... 574  
rFLAGS conditions codes..... 531, 551  
rFLAGS register ..... 673  
rotate count ..... 581

**S**

scale field..... 578  
scale-index-base (SIB) ..... 571  
secondary opcode map ..... 525  
segment prefixes ..... 610  
SETcc ..... 531  
shift count ..... 581  
SIB ..... 571  
SIB byte..... 576

**T**

two-byte opcode ..... 525

**V**

VEX prefix ..... 571

**X**

XOP prefix ..... 571

**Z**

zero-extension ..... 581