x86 instruction listings#Original 8086/8088 instructions

|+ Original 8086/8088 instruction set

! style="line-height:120%; text-align:left" | In-
struc-
tion !! Meaning !! Notes !! Opcode

| {{mono|AAA}}

else *(byte*)SI-- - *(byte*)ES:DI--;}}

else *(word*)SI-- - *(word*)ES:DI--;}}

else *(byte*)ES:DI-- = *(byte*)SI--;}}.

else *(word*)ES:DI-- = *(word*)SI--;}}

! Instruction !! Opcode !! Meaning !! Notes

| 6C

| rowspan="2" | Input from port to string. May be used with a REP prefix to repeat the instruction CX times.

| rowspan="2"| equivalent to:

IN AL, DX

MOV ES:[DI], AL

INC DI ; adjust DI according to operand size and DF

| 6E

| rowspan="2" | Output string to port. May be used with a REP prefix to repeat the instruction CX times.

| rowspan="2"| equivalent to:

MOV AL, DS:[SI]

OUT DX, AL

INC SI ; adjust SI according to operand size and DF

POP DI

POP SI

POP BP

POP AX ; no POP SP here, all it does is ADD SP, 2 (since AX will be overwritten later)

POP BX

POP DX

POP CX

POP AX

PUSH AX

PUSH CX

PUSH DX

PUSH BX

PUSH SP ; The value stored is the initial SP value

PUSH BP

PUSH SI

PUSH DI

| 6A ib

| rowspan="2"| Push an immediate byte/word value onto the stack

| rowspan="2"| example:

PUSH 12h

PUSH 1200h

| 6B /r ib

|rowspan="2"| Signed and unsigned multiplication of immediate byte/word value

|rowspan="2"| example:

IMUL BX,12h

IMUL DX,1200h

IMUL CX, DX, 12h

IMUL BX, SI, 1200h

IMUL DI, word ptr [BX+SI], 12h

IMUL SI, word ptr [BP-4], 1200h

Note that since the lower half is the same for unsigned and signed multiplication, this version of the instruction can be used for unsigned multiplication as well.

| C0

| rowspan="2" | Rotate/shift bits with an immediate value greater than 1

| rowspan="2" | example:

ROL AX,3

SHR BL,3

! Instruction !! Opcode !! Instruction description !! Real mode !! Ring

On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of [https://kib.kiev.ua/x86docs/Intel/SDMs/325462-079.pdf Intel SDM revision 079, March 2023] – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.Michal Necasek, [https://www.os2museum.com/wp/sgdtsidt-fiction-and-reality/ SGDT/SIDT Fiction and Reality], 4 May 2017. [https://web.archive.org/web/20231129085923/https://www.os2museum.com/wp/sgdtsidt-fiction-and-reality/ Archived] on 29 Nov 2023.}}

| 0F 01 /2

| Load GDTR (Global Descriptor Table Register) from memory.{{efn|name=i286_serialize|text=The LGDT, LIDT, LLDT and LTR instructions are serializing on Pentium and later processors.}}

| rowspan="4" {{yes}}

| rowspan="6" {{no|0}}

| 0F 01 /3

| Load IDTR (Interrupt Descriptor Table Register) from memory.{{efn|name=i286_serialize}}
The IDTR controls not just the address/size of the IDT (interrupt Descriptor Table) in protected mode, but the IVT (Interrupt Vector Table) in real mode as well.

| 0F 01 /6

| Load MSW (Machine Status Word) from 16-bit register or memory.{{efn|text=The LMSW instruction is serializing on Intel processors from Pentium onwards, but not on AMD processors.}}{{efn|text=On 80386 and later, the "Machine Status Word" is the same as the CR0 control register – however, the LMSW instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means that LMSW can be used to enter but not leave x86 Protected Mode.
On 80286, it is not possible to leave Protected Mode at all (neither with LMSW nor with LOADALL) without a CPU reset – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-later MOV to CR0 instruction.}}

| 0F 06

| Clear task-switched flag in the MSW.

| 0F 00 /2

| Load LDTR (Local Descriptor Table Register) from 16-bit register or memory.{{efn|name=i286_serialize}}

| rowspan="2" {{no|#UD}}

| 0F 00 /3

| Load TR (Task Register) from 16-bit register or memory.{{efn|name=i286_serialize}}

The TSS (Task State Segment) specified by the 16-bit argument is marked busy, but a task switch is not done.

| 0F 01 /0

| Store GDTR to memory.

| rowspan="3" {{yes}}

| rowspan="5" {{yes2|Usually 3{{efn|text=If CR4.UMIP=1 is set, then the SGDT, SIDT, SLDT, SMSW and STR instructions can only run in Ring 0.
These instructions were unprivileged on all x86 CPUs from 80286 onwards until the introduction of UMIP in 2017.WikiChip, [https://en.wikichip.org/wiki/x86/umip UMIP – x86]. [https://web.archive.org/web/20230316111706/https://en.wikichip.org/wiki/x86/umip Archived] on 16 Mar 2023.

This has been a significant security problem for software-based virtualization, since it enables these instructions to be used by a VM guest to detect that it is running inside a VM.Oracle Corp, [https://docs.oracle.com/en/virtualization/virtualbox/6.0/admin/swvirt-details.html Oracle® VM VirtualBox Administrator's Guide for Release 6.0, section 3.5: Details About Software Virtualization]. [https://web.archive.org/web/20231208205121/https://docs.oracle.com/en/virtualization/virtualbox/6.0/admin/swvirt-details.html Archived] on 8 Dec 2023.MBC Project, [https://github.com/MBCProject/mbc-markdown/blob/7223fa76d69015ceb63cb094257e64c3cc6bf3b9/anti-behavioral-analysis/virtual-machine-detection.md Virtual Machine Detection (permanent link)] or [https://github.com/MBCProject/mbc-markdown/blob/main/anti-behavioral-analysis/virtual-machine-detection.md Virtual Machine Detection (non permanent link)]}}}}

| 0F 01 /1

| Store IDTR to memory.

| 0F 01 /4

| Store MSW to register or 16-bit memory.{{efn|name=i286_extend16}}

| 0F 00 /0

| Store LDTR to register or 16-bit memory.{{efn|name=i286_extend16|text=The SMSW, SLDT and STR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows:

• SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise.
• SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors.
• STR: Zero-extends 16-bit argument.}}

| rowspan="2" {{no|#UD}}

| 0F 00 /1

| Store TR to register or 16-bit memory.{{efn|name=i286_extend16}}

| 63 /r{{efn|In 64-bit long mode, the ARPL instruction is not available – the {{nowrap|63 /r}} opcode has been reassigned to the 64-bit-mode-only MOVSXD instruction.}}

| Adjust RPL (Requested Privilege Level) field of selector. The operation performed is:

if (dst & 3) < (src & 3) then
dst = (dst & 0xFFFC) | (src & 3)
eflags.zf = 1
else
eflags.zf = 0

| {{no|#UD{{efn|The ARPL instruction causes #UD in Real mode and Virtual 8086 Mode – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the 63 opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.Andrew Schulman, "Unauthorized Windows 95" ({{ISBN|1-56884-169-8}}), chapter 8, p.249,257.[https://patents.google.com/patent/US4974159A/ US Patent 4974159], "Method of transferring control in a multitasking computer system" mentions 63h/ARPL.}}}}

| rowspan="5" {{yes|3}}

| 0F 02 /r

| Load access rights byte from the specified segment descriptor.
Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with 0x00FxFF00,{{efn|text=Bits 19:16 of this mask are documented as "undefined" on Intel CPUs.Intel, [https://ardent-tool.com/CPU/docs/Intel/Pentium/241430-004.pdf Pentium® Processor Family Developer’s Manual, Volume 3], 1995, order no. 241430-004, section 12.7, p. 323 On AMD CPUs, the mask is documented as 0x00FFFF00.}} then stores the bottom 16/32 bits of the result in destination register. Sets EFLAGS.ZF=1 if the descriptor could be loaded, ZF=0 otherwise.{{efn|name=lar_lsl_unmod|1=For the LAR and LSL instructions, if the specified segment descriptor could not be loaded, then the instruction's destination register is left unmodified.}}

| rowspan="4" {{no|#UD}}

| 0F 03 /r

| Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise.{{efn|name=lar_lsl_unmod}}

| {{nowrap|0F 00 /4}}

| Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise.

| 0F 00 /5

| Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise.{{efn|text=On some Intel CPU/microcode combinations from 2019 onwards, the VERW instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds for Microarchitectural Data Sampling security vulnerabilities.Intel, [https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html How Microarchitectural Data Sampling works], see mitigations section. [https://archive.today/20220422211750/https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html Archived] on Apr 22,2022Linux kernel documentation, [https://www.kernel.org/doc/html/latest/x86/mds.html Microarchitectural Data Sampling (MDS) mitigation] {{Webarchive|url=https://web.archive.org/web/20201021233511/https://www.kernel.org/doc/html/latest/x86/mds.html |date=2020-10-21 }} Some of the microarchitectural buffer-flushing functions that have been added to VERW may require the instruction to be executed with a memory operand.Intel, [https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html?wapkw=VERW Processor MMIO Stale Data Vulnerabilities], 14 Jun 2022 - see "VERW Buffer Overwriting Details" section. [https://web.archive.org/web/20241003223701/https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html Archived] on 3 Oct 2024.}}

| {{unofficial2|align="left"|{{mono| 0F 05}}}}

| Load all CPU registers from a 102-byte data structure starting at physical address 800h, including "hidden" part of segment descriptor registers.

| rowspan="2" {{yes}}

| rowspan="2" {{no|0}}

| {{unofficial2|align="left"|{{mono| F1 0F 04}}}}

| Store all CPU registers to a 102-byte data structure starting at physical address 800h, then shut down CPU.

|+ 80386: new instruction mnemonics for 32-bit variants of older opcodes

! Type !! Instruction mnemonic !! Opcode !! Description !! Mnemonic for older 16-bit variant !! Ring

| LODSD

| rowspan="5" {{yes|3}}

temp1 := DS:[rSI±±]

temp2 := ES:[rDI±±]
CMP temp1, temp2 /* 32-bit compare and set EFLAGS */

temp1 := ES:[rDI±±]

CMP EAX, temp1 /* 32-bit compare and set EFLAGS */

| CWDE

| rowspan="5" {{yes|3}}

Mainly used to prepare a dividend for the 32-bit IDIV (signed divide) instruction.

| CWD

| rowspan="3" {{yes2|Usually 3{{efn|The PUSHFD and POPFD instructions will cause a #GP exception if executed in virtual 8086 mode if IOPL is not 3.
The PUSHF, POPF, IRET and IRETD instructions will cause a #GP exception if executed in Virtual-8086 mode if IOPL is not 3 and VME is not enabled.}}}}

Instruction is serializing.

| IRET

|+ 80386: new opcodes introduced

! Instruction mnemonics !! Opcode !! Description !! Ring

• If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.)
• If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test.}}

Second operand specifies which bit of the first operand to test. The bit to test is copied to EFLAGS.CF.

| rowspan="8" {{yes|3}}

Second operand specifies which bit of the first operand to test and set.

Second operand specifies which bit of the first operand to test and clear.

Second operand specifies which bit of the first operand to test and toggle.

| rowspan="6" {{yes|3}}

| rowspan="7" {{yes|3}}

| {{nowrap|0F 9x /0}}{{efn|name=setcc_conds|text=The condition codes supported for the SETcc and Jcc near instructions (opcodes 0F 9x /0 and 0F 8x respectively, with the x nibble specifying the condition) are:

{{(!}} class="wikitable sortable"

! x !! cc !! Condition (EFLAGS)

{{!}}-

{{!}} 0 {{!!}} O {{!!}} OF=1: "Overflow"

{{!}}-

{{!}} 1 {{!!}} NO {{!!}} OF=0: {{nowrap|"Not Overflow"}}

{{!}}-

{{!}} 2 {{!!}} C,B,NAE {{!!}} CF=1: "Carry", "Below", {{nowrap|"Not Above or Equal"}}

{{!}}-

{{!}} 3 {{!!}} NC,NB,AE {{!!}} CF=0: {{nowrap|"Not Carry"}}, {{nowrap|"Not Below"}}, {{nowrap|"Above or Equal"}}

{{!}}-

{{!}} 4 {{!!}} Z,E {{!!}} ZF=1: "Zero", "Equal"

{{!}}-

{{!}} 5 {{!!}} NZ,NE {{!!}} ZF=0: {{nowrap|"Not Zero"}}, {{nowrap|"Not Equal"}}

{{!}}-

{{!}} 6 {{!!}} NA,BE {{!!}} (CF=1 or ZF=1): {{nowrap|"Not Above"}}, {{nowrap|"Below or Equal"}}

{{!}}-

{{!}} 7 {{!!}} A,NBE {{!!}} (CF=0 and ZF=0): "Above", {{nowrap|"Not Below or Equal"}}

{{!}}-

{{!}} 8 {{!!}} S {{!!}} SF=1: "Sign"

{{!}}-

{{!}} 9 {{!!}} NS {{!!}} SF=0: {{nowrap|"Not Sign"}}

{{!}}-

{{!}} A {{!!}} P,PE {{!!}} PF=1: "Parity", {{nowrap|"Parity Even"}}

{{!}}-

{{!}} B {{!!}} NP,PO {{!!}} PF=0: {{nowrap|"Not Parity"}}, {{nowrap|"Parity Odd"}}

{{!}}-

{{!}} C {{!!}} L,NGE {{!!}} SF≠OF: "Less", {{nowrap|"Not Greater Or Equal"}}

{{!}}-

{{!}} D {{!!}} NL,GE {{!!}} SF=OF: {{nowrap|"Not Less"}}, {{nowrap|"Greater Or Equal"}}

{{!}}-

{{!}} E {{!!}} LE,NG {{!!}} (ZF=1 or SF≠OF): {{nowrap|"Less or Equal"}}, {{nowrap|"Not Greater"}}

{{!}}-

{{!}} F {{!!}} NLE,G {{!!}} (ZF=0 and SF=OF): {{nowrap|"Not Less or Equal"}}, {{nowrap|"Greater"}}

{{!)}}

}}{{efn|text=For SETcc, while the opcode is commonly specified as /0 – implying that bits 5:3 of the instruction's ModR/M byte should be 000 – modern x86 processors (Pentium and later) ignore bits 5:3 and will execute the instruction as SETcc regardless of the contents of these bits.}}

| Set byte to 1 if condition is satisfied, 0 otherwise.

| 0F 8x cw
0F 8x cd{{efn|name=setcc_conds}}

| Conditional jump near.

Differs from older variants of conditional jumps in that they accept a 16/32-bit offset rather than just an 8-bit offset.

| rowspan="9" {{yes|3}}

Offset part is stored in destination register argument, segment part in FS/GS/SS segment register as indicated by the instruction mnemonic.{{efn|For LFS, LGS and LSS, the size of the offset part of the far pointer is given by operand size – the size of the segment part is always 16 bits. In 64-bit mode, using the REX.W prefix with these instructions will cause them to load a far pointer with a 64-bit offset on Intel but not AMD processors.}}

Uniquely for the {{nowrap|MOV CRx/DRx/TRx}} opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b.}}

| rowspan="6" {{no|0}}

Moves to the CR3 control register are serializing and will flush the TLB.{{efn|On processors that support global pages (Pentium and later), global page table entries will not be flushed by a MOV to CR3 − instead, these entries can be flushed by toggling the CR4.PGE bit.
On processors that support PCIDs, writing to CR3 while PCIDs are enabled will only flush TLB entries belonging to the PCID specified in bits 11:0 of the value written to CR3 (this flush can be suppressed by setting bit 63 of the written value to 1). Flushing pages belonging to other PCIDs can instead be done by toggling the CR4.PGE bit, clearing the CR4.PCIDE bit, or using the INVPCID instruction.}}

On Pentium and later processors, moves to the CR0 and CR4 control registers are also serializing.{{efn|On processors prior to Pentium, moves to CR0 would not serialize the instruction stream – in part for this reason, it is usually required to perform a far jumpiPXE, [https://github.com/ipxe/ipxe/commit/bc35b24e3ebd2996b2484b7f9ceb96a3cf25823a Commit bc35b24: Fix use of writable code segment on 486 and earlier CPUs], Github, Feb 2, 2022 − indicates that when leaving protected mode on 386/486 by writing to CR0, it is specifically necessary to do a far JMP (opcode EA) in order to restore proper real-mode access-rights for the CS segment, and that other far control transfers (e.g. RETF, IRET) will not do this. [https://web.archive.org/web/20241104213948/https://github.com/ipxe/ipxe/commit/bc35b24e3ebd2996b2484b7f9ceb96a3cf25823a Archived] on 4 Nov 2024. immediately after a MOV to CR0 if such a MOV is used to enable/disable protected mode and/or memory paging.
MOV to CR2 is architecturally listed as serializing, but has been reported to be {{nowrap|non-serializing}} on at least some Intel Core-i7 processors.Can Bölük, [https://blog.can.ac/2021/03/22/speculating-x86-64-isa-with-one-weird-trick/ Speculating the entire x86-64 Instruction Set In Seconds with This One Weird Trick], Mar 22, 2021. [https://web.archive.org/web/20210323035913/https://blog.can.ac/2021/03/22/speculating-x86-64-isa-with-one-weird-trick/ Archived] on Mar 23, 2021.
MOV to CR8 (introduced with x86-64) is serializing on AMD but not Intel processors.}}

On Pentium and later processors, moves to the DR0-DR7 debug registers are serializing.

| {{unofficial2|align="left"|{{mono| 0F 10 /r}}}}

| rowspan="4" | User Move – perform data moves that can access user memory while in In-circuit emulation HALT mode.

Performs same operation as MOV if executed when not doing in-circuit emulation.{{efn|text=The UMOV instruction is present on 386 and 486 processors only.Robert Collins, [http://www.rcollins.org/secrets/OpCodes.html Undocumented OpCodes], 29 july 1995. [https://web.archive.org/web/20010221221019/http://www.rcollins.org/secrets/OpCodes.html Archived] on 21 feb 2001}}

| {{unofficial2|align="left"|{{mono| 0F 11 /r}}}}

| {{unofficial2|align="left"|{{mono| 0F 12 /r}}}}

| {{unofficial2|align="left"|{{mono| 0F 13 /r}}}}

| {{unofficial2|align="left"|{{mono| 0F A6 /r}}}}

| Bitfield extract (early 386 only).{{efn|name=xbts_discon|The XBTS and IBTS instructions were discontinued with the B1 stepping of 80386.

They have been used by software mainly for detection of the buggy{{Cite web|url=https://www.pcjs.org/documents/manuals/intel/80386/#b0-stepping|title=Intel 80386 CPU Information | PCjs Machines|website=www.pcjs.org}} B0 stepping of the 80386. Microsoft Windows (v2.01 and later) will attempt to run the XBTS instruction as part of its CPU detection if CPUID is not present, and will refuse to boot if XBTS is found to be working.Geoff Chappell, [https://www.geoffchappell.com/studies/windows/km/cpu/precpuid.htm?tx=245 CPU Identification before CPUID], 27 Jan 2020. [https://web.archive.org/web/20220407203913/https://www.geoffchappell.com/studies/windows/km/cpu/precpuid.htm?tx=245 Archived] on 7 Apr 2023.}}{{efn|name=xbts_op|text=For XBTS and IBTS, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.Jeff Parsons, [https://www.pcjs.org/documents/manuals/intel/80386/ibts_xbts/ Obsolete 80386 Instructions: IBTS and XBTS], PCjs Machines. [https://web.archive.org/web/20200919154722/https://www.pcjs.org/documents/manuals/intel/80386/ibts_xbts/ Archived] on Sep 19, 2020.}}

| {{unofficial2|align="left"|{{mono| 0F A7 /r}}}}

| Bitfield insert (early 386 only).{{efn|name=xbts_discon}}{{efn|name=xbts_op}}

| {{unofficial2|align="left"|{{mono| 0F 07}}}}

| Load all CPU registers from a 296-byte data structure starting at ES:EDI, including "hidden" part of segment descriptor registers.

| {{no|0}}

! Instruction !! Opcode !! Description !! Ring

| {{nowrap|0F C8+r}}

| Byte Order Swap. Usually used to convert between big-endian and little-endian data representations. For 32-bit registers, the operation performed is:

r =   (r << 24)
| ((r << 8) & 0x00FF0000)
| ((r >> 8) & 0x0000FF00)
| (r >> 24);

Using BSWAP with a 16-bit register argument produces an undefined result.{{efn|text=Using BSWAP with 16-bit registers is not disallowed per se (it will execute without producing an #UD or other exceptions) but is documented to produce undefined results – it is reported to produce various different results on 486,{{cite web|url=http://www.df.lth.se/~john_e/gems/gem000c.html|archive-url=https://web.archive.org/web/19991103025640/http://www.df.lth.se/~john_e/gems/gem000c.html|url-status=dead|archive-date=1999-11-03|title=BSWAP with 16-bit registers|first=Ervin|last=Toth|date=1998-03-16|quote=The instruction brings down the upper word of the doubleword register without affecting its upper 16 bits.}} 586, and Bochs/QEMU.{{cite web|url=https://gynvael.coldwind.pl/?id=268|title=BSWAP + 66h prefix|first=Gynvael|last=Coldwin|date=2009-12-29|access-date=2018-10-03|quote=internal (zero-)extending the value of a smaller (16-bit) register … applying the bswap to a 32-bit value "00 00 AH AL", … truncated to lower 16-bits, which are "00 00". … Bochs … bswap reg16 acts just like the bswap reg32 … QEMU … ignores the 66h prefix}}}}

| rowspan="5" {{yes|3}}

| {{nowrap|0F B0 /r{{efn|name=i486_cmpxchg|text=On Intel 80486 stepping A,Intel [https://www.ardent-tool.com/CPU/docs/Intel/486/datasheets/240440-001.pdf "i486 Microprocessor"] (April 1989, order no. 240440-001) p.142 lists CMPXCHG with {{nowrap|0F A6/A7}} encodings. the CMPXCHG instruction uses a different encoding - {{nowrap|0F A6 /r}} for 8-bit variant, {{nowrap|0F A7 /r}} for 16/32-bit variant. The {{nowrap|0F B0/B1}} encodings are used on 80486 stepping B and later.Intel [https://www.ardent-tool.com/CPU/docs/Intel/486/datasheets/240440-002.pdf "i486 Microprocessor"] (November 1989, order no. 240440-002) p.135 lists CMPXCHG with {{nowrap|0F B0/B1}} encodings.{{Cite web|url=http://datasheets.chipdb.org/Intel/x86/486/Intel486.htm|title = Intel 486 & 486 POD CPUID, S-spec, & Steppings}}}}}}

| rowspan="2" | Compare and Exchange. If accumulator (AL/AX/EAX/RAX) compares equal to first operand,{{efn|The CMPXCHG instruction sets EFLAGS in the same way as a CMP instruction that uses the accumulator (AL/AX/EAX/RAX) as its first argument would do.}} then EFLAGS.ZF is set to 1 and the first operand is overwritten with the second operand. Otherwise, EFLAGS.ZF is set to 0, and first operand is copied into the accumulator.

Instruction atomic only if used with LOCK prefix.

| {{nowrap|0F B1 /r{{efn|name=i486_cmpxchg}}}}

| {{nowrap|0F C0 /r}}

| rowspan="2" | eXchange and ADD. Exchanges the first operand with the second operand, then stores the sum of the two values into the destination operand.

Instruction atomic only if used with LOCK prefix.

| 0F C1 /r

| {{nowrap|0F 01 /7}}

| Invalidate the TLB entries that would be used for the 1-byte memory operand.{{efn|INVLPG executes as no-operation if the m8 argument is invalid (e.g. unmapped page or non-canonical address).
INVLPG can be used to invalidate TLB entries for individual global pages.}}

Instruction is serializing.

| rowspan="3" {{no|0}}

| 0F 08

| Invalidate Internal Caches.{{efn|name=invd_scope|text=The INVD and WBINVD instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.
These instructions are serializing – on some processors, they may block interrupts until completion as well.}} Modified data in the cache are not written back to memory, potentially causing data loss.{{efn|text=Under Intel VT-x virtualization, the INVD instruction will cause a mandatory #VMEXIT. Also, on processors that support Intel SGX, if the PRM (Processor Reserved Memory) has been set up by using the PRMRRs (PRM range registers), then the INVD instruction is not permitted and will cause a #GP(0) exception.Intel, [https://www.intel.com/content/dam/develop/external/us/en/documents/329298-002-629101.pdf Software Guard Extensions Programming Reference], order no. 329298-002, oct 2014, sections 3.5 and 3.6.5.}}

| {{nowrap|NFx 0F 09{{efn|If the F3 prefix is used with the 0F 09 opcode, then the instruction will execute as WBNOINVD on processors that support the WBNOINVD extension – this will not invalidate the cache.}}}}

| Write Back and Invalidate Cache.{{efn|name=invd_scope}} Writes back all modified cache lines in the processor's internal cache to main memory and invalidates the internal caches.

! Instruction !! Opcode !! Description !! Ring !! Added in

| 0F 32

| Read Model-specific register. The MSR to read is specified in ECX. The value of the MSR is then returned as a 64-bit value in EDX:EAX.{{efn|name="p5rd_clear_hi32"|1=In 64-bit mode, the RDMSR, RDTSC and RDPMC instructions will set the top 32 bits of RDX and RAX to zero.}}

| rowspan="2" {{no|0}}

| rowspan="2" | IBM 386SLC,Frank van Gilluwe, "The Undocumented PC, second edition", 1997, {{ISBN|0-201-47950-8}}, page 55
Intel Pentium,
AMD K5,
{{nowrap|Cyrix 6x86MX,MediaGXm,}}
IDT WinChip C6,
Transmeta Crusoe,
DM&P Vortex86DX3

| 0F 30

| Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX.{{efn|On Intel and AMD CPUs, the WRMSR instruction is also used to update the CPU microcode. This is done by writing the virtual address of the new microcode to upload to MSR 79h on Intel CPUs and MSR C001_0020hAMD, [https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/revision-guides/25759.pdf Revision Guide for AMD Athlon 64 and AMD Opteron Processors] pub.no. 25759, rev 3.79, July 2009, page 34. [https://web.archive.org/web/20231220133454/https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/revision-guides/25759.pdf Archived] on 20 Dec 2023. on AMD CPUs.}}

Instruction is, with some exceptions, serializing.{{efn|text=Writes to the following MSRs are not serializing:Intel, [http://kib.kiev.ua/x86docs/Intel/SDMs/253668-078.pdf Software Developer’s Manual, vol 3A], order no. 253668-078, Dec 2022, section 9.3, page 299.Intel, [https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/cpuid-enumeration-and-architectural-msrs.html CPUID Enumeration and Architectural MSRs], 8 Aug 2023. [https://web.archive.org/web/20240523214955/https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/cpuid-enumeration-and-architectural-msrs.html Archived] on 23 May 2024.

{{(!}} class="wikitable sortable"

! Number !! Name

{{!}}-

{{!}} 48h {{!!}} SPEC_CTRL

{{!}}-

{{!}} 49h {{!!}} PRED_CMD

{{!}}-

{{!}} 10Bh {{!!}} FLUSH_CMD

{{!}}-

{{!}} 122h {{!!}} TSX_CTRL

{{!}}-

{{!}} 6E0h {{!!}} TSC_DEADLINE

{{!}}-

{{!}} 6E1h {{!!}} PKRS

{{!}}-

{{!}} 774h {{!!}} HWP_REQUEST
(non-serializing only if the FAST_IA32_­HWP_REQUEST bit it set)

{{!}}-

{{!}} 802h to 83Fh {{!!}} (x2APIC MSRs)

{{!}}-

{{!}} 1B01h {{!!}} UARCH_MISC_CTL

{{!}}-

{{!}} C001_0100h {{!!}} FS_BASE (non-serializing on AMD Zen 4 and later)AMD, [https://www.amd.com/system/files/TechDocs/56713-B1_3.05.zip PPR for AMD Family 19h Model 61h, Revision B1 processors], document no. 56713, rev 3.05, mar 8 2023, page 116. [https://web.archive.org/web/20230425231817/https://www.amd.com/system/files/TechDocs/56713-B1_3.05.zip Archived] on Apr 25, 2023.

{{!}}-

{{!}} C001_0101h {{!!}} GS_BASE (Zen 4 and later)

{{!}}-

{{!}} C001_0102h {{!!}} KernelGSbase (Zen 4 and later)

{{!}}-

{{!}} C001_011Bh {{!!}} Doorbell Register (AMD-specific)

{{!)}}

WRMSR to the x2APIC ICR (Interrupt Command Register; MSR 830h) is commonly used to produce an IPI (Inter-processor interrupt) - on IntelLKML, [https://lore.kernel.org/all/20210208145812.351639855@linuxfoundation.org/ (PATCH 5.4 55/65) x86/apic: Add extra serialization for non-serializing MSRs], 8 Feb 2021 but not AMDLinux kernel, [https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/cpu&id=04c3024560d3a14acd18d0a51a1d0a89d29b7eb5 git commit: x86/barrier: Do not serialize MSR accesses on AMD], 13 Nov 2023 CPUs, such an IPI can be reordered before an older memory store.

}}

| 0F AA

| Resume from System Management Mode.

Instruction is serializing.

| {{n/a

| {{nowrap|Intel 386SL,Microprocessor Report, [http://www.cecs.uci.edu/~papers/mpr/MPR/ARTICLES/060805.PDF System Management Mode Explained] (vol 6, no. 8, june 17, 1992). [https://web.archive.org/web/20220629220530/https://www.cecs.uci.edu/~papers/mpr/MPR/ARTICLES/060805.PDF Archived] on Jun 29, 2022.Ellis, Simson C., "The 386 SL Microprocessor in Notebook PCs", Intel Corporation, Microcomputer Solutions, March/April 1991, page 20 486SL,{{efn|System Management Mode and the RSM instruction were made available on non-SL variants of the Intel 486 only after the initial release of the Intel Pentium in 1993.}}}}
Intel Pentium,
AMD 5x86,
Cyrix 486SLC/e,[http://www.bitsavers.org/components/cyrix/Cyrix_Cx486SLCe_Data_Sheet_1992.pdf Cyrix 486SLC/e Data Sheet (1992)], section 2.6.4
IDT WinChip C6,
Transmeta Crusoe,
Rise mP6

| 0F A2

| CPU Identification and feature information. Takes as input a CPUID leaf index in EAX and, depending on leaf, a sub-index in ECX. Result is returned in EAX,EBX,ECX,EDX.{{efn|On some older 32-bit processors, executing CPUID with a leaf index (EAX) greater than 0 may leave EBX and ECX unmodified, keeping their old values. For this reason, it is recommended to zero out EBX and ECX before executing CPUID.
Processors noted to exhibit this behavior include Cyrix MIILinux 6.3 kernel sources, [https://elixir.bootlin.com/linux/v6.3/source/arch/x86/include/asm/cpuid.h /arch/x86/include/asm/cpuid.h], line 69 and IDT WinChip 2.gcc-patches mailing list, [https://gcc.gnu.org/pipermail/gcc-patches/2019-May/522177.html CPUID Patch for IDT Winchip], May 21, 2019. [https://web.archive.org/web/20230427201255/https://gcc.gnu.org/pipermail/gcc-patches/2019-May/522177.html Archived] on Apr 27, 2023.

In 64-bit mode, CPUID will set the top 32 bits of RAX, RBX, RCX and RDX to zero.}}

Instruction is serializing, and causes a mandatory #VMEXIT under virtualization.

Support for CPUID can be checked by toggling bit 21 of EFLAGS (EFLAGS.ID) – if this bit can be toggled, CPUID is present.

| {{yes2|Usually 3{{efn|On some Intel processors starting from Ivy Bridge, there exists MSRs that can be used to restrict CPUID to ring 0. Such MSRs are documented for at least Ivy BridgeIntel, [https://www.intel.com/content/dam/www/public/us/en/documents/application-notes/virtualization-technology-flexmigration-application-note.pdf Intel® Virtualization Technology FlexMigration Application Note] order no. 323850-004, oct 2012, section 2.3.2 on page 12. [https://web.archive.org/web/20141013075554/https://www.intel.com/content/dam/www/public/us/en/documents/application-notes/virtualization-technology-flexmigration-application-note.pdf Archived] on Oct 13, 2014. and Denverton.Intel, [https://ru.mouser.com/datasheet/2/612/c3000-family-datasheet-1623704.pdf Atom Processor C3000 Product Family Datasheet] order no. 337018-002, Feb 2018, pages 133, 3808 and 3814. [https://web.archive.org/web/20220209183514/https://ru.mouser.com/datasheet/2/612/c3000-family-datasheet-1623704.pdf Archived] on Feb 9, 2022.
The ability to restrict CPUID to ring 0 also exists on AMD processors supporting the "CpuidUserDis" feature (Zen 4 "Raphael" and later).AMD, [https://kib.kiev.ua/x86docs/AMD/AMD64/24594_APM_v3-r3.34.pdf AMD64 Architecture Programmer’s Manual Volume 3] pub.no. 24594, rev 3.34, oct 2022, p. 165 (entry on CPUID instruction)}}}}

| Intel Pentium,{{efn|name="cpuid_backported"|CPUID is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium.}}
AMD 5x86,{{efn|name="cpuid_backported"}}
Cyrix 5x86,{{efn|On the Cyrix 5x86 and 6x86 CPUs, CPUID is not enabled by default and must be enabled through a Cyrix configuration register.}}
IDT WinChip C6,
Transmeta Crusoe,
Rise mP6,
NexGen Nx586,{{efn|On NexGen CPUs, CPUID is only supported with some system BIOSes. On some NexGen CPUs that do support CPUID, EFLAGS.ID is not supported but EFLAGS.AC is, complicating CPU detection.Robert Collins, [https://web.archive.org/web/20001218003500/http://www.rcollins.org/ddj/Nov96/Nov96.html CPUID Algorithm Wars], nov 1996. Archived from the [http://www.rcollins.org/ddj/Nov96/Nov96.html original] on dec 18, 2000.}}
UMC Green CPU

| {{nowrap|0F C7 /1}}

| Compare and Exchange 8 bytes. Compares EDX:EAX with m64. If equal, set ZF{{efn|Unlike the older CMPXCHG instruction, the CMPXCHG8B instruction does not modify any EFLAGS bits other than ZF.}} and store ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX.

Instruction atomic only if used with LOCK prefix.{{efn|{{nowrap|LOCK CMPXCHG8B}} with a register operand (which is an invalid encoding) will, on some Intel Pentium CPUs, cause a hang rather than the expected #UD exception - this is known as the Pentium F00F bug.}}

| {{yes|3}}

| Intel Pentium,
AMD K5,
Cyrix {{nowrap|6x86L,MediaGXm,}}
IDT WinChip C6,{{efn|name="cmpxchg8b_ntbug"|text=On IDT WinChip, Transmeta Crusoe and Rise mP6 processors, the CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.Geoff Chappell, [https://www.geoffchappell.com/studies/windows/km/cpu/cx8.htm CMPXCHG8B Support in the 32-Bit Windows Kernel], 23 jan 2008. [https://web.archive.org/web/20231105001739/https://www.geoffchappell.com/studies/windows/km/cpu/cx8.htm Archived] on 5 Nov 2023.}}
Transmeta Crusoe,{{efn|name="cmpxchg8b_ntbug"}}
Rise mP6{{efn|name="cmpxchg8b_ntbug"}}

| 0F 31

| Read 64-bit Time Stamp Counter (TSC) into EDX:EAX.{{efn|name="rdtsc_pmc_unordered"|text=The RDTSC and RDPMC instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations of RDPMC (but not RDTSC) may be reordered relative to each other even for reads of the same counter.
In order to impose ordering with respect to other instructions, LFENCE or serializing instructions (e.g. CPUID) are needed.}}{{efn|name="p5rd_clear_hi32"}}

In early processors, the TSC was a cycle counter, incrementing by 1 for each clock cycle (which could cause its rate to vary on processors that could change clock speed at runtime) – in later processors, it increments at a fixed rate that doesn't necessarily match the CPU clock speed.{{efn|text=Fixed-rate TSC was introduced in two stages:{{glossary}}{{term|Constant TSC}}{{defn|TSC running at a fixed rate as long as the processor core is not in a deep-sleep (C2 or deeper) mode, but not synchronized between CPU cores. Introduced in Intel Prescott, Yonah and Bonnell. Also present in all Transmeta and VIA NanoLinux kernel 5.4.12, [https://elixir.bootlin.com/linux/v5.4.12/source/arch/x86/kernel/cpu/centaur.c#L110 /arch/x86/kernel/cpu/centaur.c] CPUs. Does not have a CPUID bit.}}{{term|Invariant TSC}}{{defn|TSC running at a fixed rate, and remaining synchronized between CPU cores in all P-,C- and T-states (but not necessarily S-states).
Present in AMD K10 and later; Intel Nehalem/SaltwellStack Overflow, [https://stackoverflow.com/questions/62492053/can-constant-non-invariant-tsc-change-frequency-across-cpu-states Can constant non-invariant tsc change frequency across cpu states?] Accessed 24 Jan 2023. [https://web.archive.org/web/20230124204354/https://stackoverflow.com/questions/62492053/can-constant-non-invariant-tsc-change-frequency-across-cpu-states Archived] on 24 Jan 2023. and later; Zhaoxin WuDaoKouCPU-World, [https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=81992 CPUID for Zhaoxin KaiXian KX-5000 KX-5650 (by timw4mail)], 24 Apr 2024. [https://web.archive.org/web/20240426121032/https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=81992 Archived] on 26 Apr 2024. and later. Indicated with a CPUID bit (leaf 8000_0007:EDX[8]).}}}}

| {{yes2|Usually 3{{efn|text=RDTSC can be run outside Ring 0 only if CR4.TSD=0.
On Intel Pentium and AMD K5, RDTSC cannot be run in Virtual-8086 mode.Michal Necasek, [http://www.os2museum.com/wp/undocumented-rdtsc/ "Undocumented RDTSC"], 27 Apr 2018. [https://web.archive.org/web/20231216114233/http://www.os2museum.com/wp/undocumented-rdtsc/ Archived] on 16 Dec 2023. Later processors removed this restriction.}}}}

| Intel Pentium,
AMD K5,
Cyrix {{nowrap|6x86MX,MediaGXm,}}
IDT WinChip C6,
Transmeta Crusoe,
Rise mP6

| 0F 33

| Read Performance Monitoring Counter. The counter to read is specified by ECX and its value is returned in EDX:EAX.{{efn|name="rdtsc_pmc_unordered"}}{{efn|name="p5rd_clear_hi32"}}

| {{yes2|Usually 3{{efn|text=RDPMC can be run outside Ring 0 only if CR4.PCE=1.}}}}

| {{nowrap|Intel Pentium MMX,}}
Intel Pentium Pro,
AMD K7,
Cyrix 6x86MX,
IDT WinChip C6,
AMD Geode LX,
VIA Nano{{efn|The RDPMC instruction is not present in VIA processors prior to the Nano.}}

| {{nowrap|0F 4x /r}}{{efn|text=The condition codes supported for CMOVcc instruction (opcode 0F 4x /r, with the x nibble specifying the condition) are:

{{(!}} class="wikitable sortable"

! x !! cc !! Condition (EFLAGS)

{{!}}-

{{!}} 0 {{!!}} O {{!!}} OF=1: "Overflow"

{{!}}-

{{!}} 1 {{!!}} NO {{!!}} OF=0: {{nowrap|"Not Overflow"}}

{{!}}-

{{!}} 2 {{!!}} C,B,NAE {{!!}} CF=1: "Carry", "Below", {{nowrap|"Not Above or Equal"}}

{{!}}-

{{!}} 3 {{!!}} NC,NB,AE {{!!}} CF=0: {{nowrap|"Not Carry"}}, {{nowrap|"Not Below"}}, {{nowrap|"Above or Equal"}}

{{!}}-

{{!}} 4 {{!!}} Z,E {{!!}} ZF=1: "Zero", "Equal"

{{!}}-

{{!}} 5 {{!!}} NZ,NE {{!!}} ZF=0: {{nowrap|"Not Zero"}}, {{nowrap|"Not Equal"}}

{{!}}-

{{!}} 6 {{!!}} NA,BE {{!!}} (CF=1 or ZF=1): {{nowrap|"Not Above"}}, {{nowrap|"Below or Equal"}}

{{!}}-

{{!}} 7 {{!!}} A,NBE {{!!}} (CF=0 and ZF=0): "Above", {{nowrap|"Not Below or Equal"}}

{{!}}-

{{!}} 8 {{!!}} S {{!!}} SF=1: "Sign"

{{!}}-

{{!}} 9 {{!!}} NS {{!!}} SF=0: {{nowrap|"Not Sign"}}

{{!}}-

{{!}} A {{!!}} P,PE {{!!}} PF=1: "Parity", {{nowrap|"Parity Even"}}

{{!}}-

{{!}} B {{!!}} NP,PO {{!!}} PF=0: {{nowrap|"Not Parity"}}, {{nowrap|"Parity Odd"}}

{{!}}-

{{!}} C {{!!}} L,NGE {{!!}} SF≠OF: "Less", {{nowrap|"Not Greater Or Equal"}}

{{!}}-

{{!}} D {{!!}} NL,GE {{!!}} SF=OF: {{nowrap|"Not Less"}}, {{nowrap|"Greater Or Equal"}}

{{!}}-

{{!}} E {{!!}} LE,NG {{!!}} (ZF=1 or SF≠OF): {{nowrap|"Less or Equal"}}, {{nowrap|"Not Greater"}}

{{!}}-

{{!}} F {{!!}} NLE,G {{!!}} (ZF=0 and SF=OF): {{nowrap|"Not Less or Equal"}}, {{nowrap|"Greater"}}

{{!)}}

}}

| Conditional move to register. The source operand may be either register or memory.{{efn|In 64-bit mode, CMOVcc with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.
For CMOVcc with a memory source operand, the CPU will always read the operand from memory – potentially causing memory exceptions and cache line-fills – even if the condition for the move is not satisfied. (The Intel APX extension defines a set of new EVEX-encoded variants of CMOVcc that will suppress memory exceptions if the condition is false.)}}

| {{yes|3}}

| Intel Pentium Pro,
AMD K7,
{{nowrap|Cyrix 6x86MX,MediaGXm,}}
Transmeta Crusoe,
VIA C3 "Nehemiah",{{efn|On pre-Nehemiah VIA C3 variants ("Samuel"/"Ezra"), the {{nowrap|reg,reg}} but not {{nowrap|reg,[mem]}} forms of the CMOVcc instructions have been reported to be present as undocumented instructions.Willy Tarreau, [https://lore.kernel.org/lkml/20091110220652.GE26633@1wt.eu/ Re: i686 quirk for AMD Geode], Linux Kernel Mailing List, 10 Nov 2009.}}
DM&P Vortex86DX3

| {{nowrap|NFx 0F 1F /0}}{{efn|text=Intel's recommended byte encodings for multi-byte NOPs of lengths 2 to 9 bytes in 32/64-bit mode are (in hex):Intel, [https://cdrdv2-public.intel.com/821612/248966-Optimization-Reference-Manual-V1-050.pdf Intel 64 and IA-32 Architectures Optimization Reference Manual: Volume 1], order no. 248966-050US, April 2024, section 3.5.1.9, page 119. [https://web.archive.org/web/20240509192742/https://cdrdv2-public.intel.com/821612/248966-Optimization-Reference-Manual-V1-050.pdf Archived] on 9 May 2024.

{{(!}} class="wikitable sortable"

! Length !! Byte Sequence

{{!}}-

{{!}} 2 {{!!}} 66 90

{{!}}-

{{!}} 3 {{!!}} 0F 1F 00

{{!}}-

{{!}} 4 {{!!}} 0F 1F 40 00

{{!}}-

{{!}} 5 {{!!}} 0F 1F 44 00 00

{{!}}-

{{!}} 6 {{!!}} 66 0F 1F 44 00 00

{{!}}-

{{!}} 7 {{!!}} 0F 1F 80 00 00 00 00

{{!}}-

{{!}} 8 {{!!}} 0F 1F 84 00 00 00 00 00

{{!}}-

{{!}} 9 {{!!}} 66 0F 1F 84 00 00 00 00 00

{{!)}}

For cases where there is a need to use more than 9 bytes of NOP padding, it is recommended to use multiple NOPs.

}}

| Official long NOP.

Other than AMD K7/K8, broadly unsupported in non-Intel processors released before 2005.{{efn|Unlike other instructions added in Pentium Pro, long NOP does not have a CPUID feature bit.}}JookWiki, [https://www.jookia.org/wiki/Nopl "nopl"], sep 24, 2022 – provides a lengthy account of the history of the long NOP and the issues around it. [https://web.archive.org/web/20221028233225/https://www.jookia.org/wiki/Nopl Archived] on oct 28, 2022.

| {{yes|3}}

| Intel Pentium Pro,{{efn|text=0F 1F /0 as long-NOP was introduced in the Pentium Pro, but remained undocumented until 2006.Intel Community: [https://community.intel.com/t5/Software-Archive/Multi-byte-NOP-opcode-made-official/td-p/932580 Multibyte NOP Made Official]. [https://web.archive.org/web/20220407203915/https://community.intel.com/t5/Software-Archive/Multi-byte-NOP-opcode-made-official/td-p/932580 Archived] on 7 Apr 2022.

The whole {{nowrap|0F 18..1F}} opcode range was NOP in Pentium Pro. However, except for {{nowrap|0F 1F /0}}, Intel does not guarantee that these opcodes will remain NOP in future processors, and have indeed assigned some of these opcodes to other instructions in at least some processors.Intel [https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html Software Developers Manual, vol 3B] (order no 253669-076us, December 2021), section 22.15 "Reserved NOP"}}
{{nowrap|AMD K7, x86-64,{{efn|Documented for AMD x86-64 since 2002.AMD, [https://kib.kiev.ua/x86docs/AMD/AMD64/24594_APM_v3-r3.02.pdf AMD 64-bit Technology – AMD x86-64 Architecture Programmer’s Manual Volume 3], publication no. 24594, rev 3.02, aug 2002, page 379.}}}}
VIA C7Debian bug report logs, [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464962#148 -686 build uses long noops, that are unsupported by Transmeta Crusoe, immediate crash on boot], see messages 148 and 158 for NOPL on VIA C7. [https://web.archive.org/web/20190801174955/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464962#148 Archived] on 1 Aug 2019

| 0F 0B

| rowspan="3" | Undefined Instructions – will generate an invalid opcode (#UD) exception in all operating modes.{{efn|The UD2 ({{nowrap|0F 0B}}) instruction will additionally stop subsequent bytes from being decoded as instructions, even speculatively. For this reason, if an indirect branch instruction is followed by something that is not code, it is recommended to place an UD2 instruction after the indirect branch.Intel, [https://web.archive.org/web/20030316105019/http://developer.intel.com/design/pentium4/manuals/24896607.pdf Intel Pentium 4 and Intel Xeon Processor Optimization Reference Manual], order no. 248966-007, see "Assembly/Compiler Coding Rule 13" on page 74. Archived from the [http://developer.intel.com/design/pentium4/manuals/24896607.pdf original] on 16 Mar 2003.}}

These instructions are provided for software testing to explicitly generate invalid opcodes. The opcodes for these instructions are reserved for this purpose.

| rowspan="3" {{yes|(3)}}

| rowspan="2" | (80186),{{efn|name=ud_186|text=The UD0/1/2 opcodes - {{nowrap|0F 0B}}, {{nowrap|0F B9}} and {{nowrap|0F FF}} - will cause an #UD exception on all x86 processors from the 80186 onwards (except NEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors.}}
Intel PentiumIntel, [https://www.ardent-tool.com/CPU/docs/Intel/Pentium/241430-004.pdf Pentium® Processor Family Developer's Manual Volume 3], 1995. order no. 241430-004, appendix A, page 943 – reserves the opcodes {{nowrap|0F 0B}} and {{nowrap|0F B9}}.

| 0F B9,
0F B9 /r{{efn|name=ud01_modrm|For both the {{nowrap|0F B9}} and {{nowrap|0F FF}} opcodes, different x86 implementations are known to differ regarding whether the opcodes accept a {{nowrap|ModR/M}} byte.{{Cite web |first=Julian |last=Stecklina|date=2019-02-08 |title=Fingerprinting x86 CPUs using Illegal Opcodes |url=https://x86.lol/generic/2019/02/08/fingerprint.html |access-date=2023-12-15 |website=x86.lol |language=en |archive-url=https://web.archive.org/web/20231215165112/https://x86.lol/generic/2019/02/08/fingerprint.html |archive-date=15 Dec 2023 |url-status=live}}{{Cite web |title=ud0 length fix · intelxed/xed@7561f54 |url=https://github.com/intelxed/xed/commit/7561f549d787edc55949b671dee2255a8435741a |access-date=2023-12-15 |website=GitHub |language=en |archive-url=https://web.archive.org/web/20230601122641/https://github.com/intelxed/xed/commit/7561f549d787edc55949b671dee2255a8435741a |archive-date=1 Jun 2023 |url-status=live}}AMD, [https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24594.pdf AMD64 Architecture Programmer’s Manual Volume 3], publication no. 24594, rev 3.36, march 2024 – see description of UD1 instruction on page 356. [https://web.archive.org/web/20241229222758/https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24594.pdf Archived] on 29 Dec 2024.}}

| 0F 05

| Fast System call.

| {{yes|3}}

| rowspan="2" | AMD K6,{{efn|On K6, the SYSCALL/SYSRET instructions were available on Model 7 (250nm "Little Foot") and later, not on the earlier Model 6.AMD, [https://www.ardent-tool.com/CPU/docs/AMD/K6/20695.pdf AMD-K6 Processor Data Sheet], order no. 20695H/0, March 1998, section 24.2, page 283.}}
x86-64{{efn|SYSCALL and SYSRET were made an integral part of x86-64 – as a result, the instructions are available in 64-bit mode on all x86-64 processors from AMD, Intel, VIA and Zhaoxin.
Outside 64-bit mode, the instructions are available on AMD processors only.}}{{efn|The exact semantics of SYSRET differs slightly between AMD and Intel processors: non-canonical return addresses cause a #GP exception to be thrown in Ring 3 on AMD CPUs but Ring 0 on Intel CPUs. This has been known to cause security issues.George Dunlap, [https://xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/ The Intel SYSRET Privilege Escalation], The Xen Project., 13 june 2012. [https://web.archive.org/web/20190315121519/https://xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/ Archived] on Mar 15, 2019.}}

| 0F 07{{efn|name="sysret_64bit"|text=For the SYSRET and SYSEXIT instructions under x86-64, it is necessary to add the REX.W prefix for variants that will return to 64-bit user-mode code.
Encodings of these instructions without the REX.W prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code — for return to 16-bit code, IRET/IRETD/IRETQ should be used.)}}

| Fast Return from System Call. Designed to be used together with SYSCALL.

| {{no|0{{efn|name="syscall_realmode"|text=The SYSRET, SYSENTER and SYSEXIT instructions are unavailable in Real mode. (SYSENTER is, however, available in Virtual 8086 mode.)}}}}

| 0F 34

| Fast System call.

| {{yes|3{{efn|name="syscall_realmode"}}}}

| rowspan="2" | Intel Pentium II,{{efn|text=The CPUID flags that indicate support for SYSENTER/SYSEXIT are set on the Pentium Pro, even though the processor does not officially support these instructions.Intel, [http://kib.kiev.ua/x86docs/Intel/AppNote485/241618-039.pdf AP-485: Intel® Processor Identification and the CPUID Instruction], order no. 241618-039, may 2012, section 5.1.2.5, page 32
Third party testing indicates that the opcodes are present on the Pentium Pro but too buggy to be usable.Michal Necasek, [http://www.os2museum.com/wp/sysenter-where-are-you/ "SYSENTER, Where Are You?"], 20 Jul 2017. [https://web.archive.org/web/20231129090510/http://www.os2museum.com/wp/sysenter-where-are-you/ Archived] on 29 Nov 2023.}}
AMD K7,AMD, [https://pdf.datasheetcatalog.com/datasheet/AdvancedMicroDevices/mXvyvs.pdf Athlon Processor x86 Code Optimization Guide], publication no. 22007, rev K, feb 2002, appendix F, page 284. [https://web.archive.org/web/20170413235648/https://pdf.datasheetcatalog.com/datasheet/AdvancedMicroDevices/mXvyvs.pdf Archived] on 13 Apr 2017.{{efn|On AMD CPUs, the SYSENTER and SYSEXIT instructions are not available in x86-64 long mode (#UD).}}
Transmeta Crusoe,{{efn|On Transmeta CPUs, the SYSENTER and SYSEXIT instructions are only available with version 4.2 or higher of the Transmeta Code Morphing software.Transmeta, [http://datasheets.chipdb.org/Transmeta/Crusoe/Crusoe_CPUID_5-7-02.pdf Processor Recognition], May 7, 2002.}}
{{nowrap|NatSemi Geode GX2,}}
VIA C3 "Nehemiah",{{efn|On Nehemiah, SYSENTER and SYSEXIT are available only on stepping 8 and later.VIA, [http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemiah%20Datasheet%20R113.pdf VIA C3 Nehemiah Processor Datasheet], rev 1.13, sep 29, 2004, page 17}}
DM&P Vortex86DX3

| 0F 35{{efn|name="sysret_64bit"}}

| Fast Return from System Call. Designed to be used together with SYSENTER.

| {{no|0{{efn|name="syscall_realmode"}}}}

! Instruction !! Encoding !! Meaning !! Ring

| REX.W 98

| Sign extend EAX into RAX

| rowspan="13" {{yes|3}}

| REX.W 99

| Sign extend RAX into RDX:RAX

| REX.W A7

| CoMPare String Quadword

| {{nowrap|REX.W 0F C7 /1}}

| CoMPare and eXCHanGe 16 Bytes.
Atomic only if used with LOCK prefix.

| REX.W CF

| 64-bit Return from Interrupt

| E3 cb

| Jump if RCX is zero

| REX.W AD

| LoaD String Quadword

| REX.W 63 /r{{efn|Encodings of MOVSXD without REX.W prefix are permitted but discouragedIntel [https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html SDM order no. 325462-077], apr 2022, vol 2B, p.4-130 "MOVSX/MOVSXD-Move with Sign-Extension" lists MOVSXD without REX.W as "discouraged" – such encodings behave identically to 16/32-bit MOV ({{nowrap|8B /r}}).}}

| MOV with Sign Extend 32-bit to 64-bit

| REX.W A5

| Move String Quadword

| 9D

| POP RFLAGS Register

| 9C

| PUSH RFLAGS Register

| REX.W AF

| SCAn String Quadword

| REX.W AB

| STOre String Quadword

| 0F 01 F8

| Exchange GS base with KernelGSBase MSR

| {{no|0}}

! Bit Manipulation Extension !! Instruction
mnemonics !! Opcode !! Instruction description !! Added in

| POPCNT r16,r/m16
{{nowrap|POPCNT r32,r/m32}}

| F3 0F B8 /r

| rowspan="2" | Population Count. Counts the number of bits that are set to 1 in its source argument.

| rowspan="4" | K10,
Bobcat,
Haswell,
ZhangJiang,
Gracemont

| F3 REX.W 0F B8 /r

| F3 0F BD /r

| rowspan="2" | Count Leading zeroes.{{efn|The LZCNT instruction will execute as BSR on systems that do not support the LZCNT or ABM extensions. BSR computes the index of the highest set bit in the source operand, producing a different result from LZCNT for most input values.}}
If source operand is all-0s, then LZCNT will return operand size in bits (16/32/64) and set CF=1.

| {{nowrap|F3 REX.W 0F BD /r}}

| TZCNT r16,r/m16
TZCNT r32,r/m32

| F3 0F BC /r

| rowspan="2" | Count Trailing zeroes.{{efn|The TZCNT instruction will execute as BSF on systems that do not support the BMI1 extension. BSF produces the same result as TZCNT for all input operand values except zero – for which TZCNT returns input operand size, but BSF produces undefined behavior (leaves destination unmodified on most modern CPUs).}}
If source operand is all-0s, then TZCNT will return operand size in bits (16/32/64) and set CF=1.

| rowspan="7" | Haswell,
Piledriver,
Jaguar,
ZhangJiang,
Gracemont

| {{nowrap|F3 REX.W 0F BC /r}}

| VEX.LZ.0F38 F2 /r

| Bitwise AND-NOT: ra = r/m AND NOT(rb)

| VEX.LZ.0F38 F7 /r

| Bitfield extract. Bitfield start position is specified in bits [7:0] of rb, length in bits[15:8] of rb. The bitfield is then extracted from the r/m value with zero-extension, then stored in ra. Equivalent to{{efn|For BEXTR, the start position and length are not masked and can take values from 0 to 255. If the selected bits extend beyond the end of the r/m argument (which has the usual 32/64-bit operand size), then the out-of-bounds bits are read out as 0.}}

mask = (1 << rb[15:8]) - 1
ra = (r/m >> rb[7:0]) AND mask

| VEX.LZ.0F38 F3 /3

| Extract lowest set bit in source argument. Returns 0 if source argument is 0. Equivalent to
dst = (-src) AND src

| VEX.LZ.0F38 F3 /2

| Generate a bitmask of all-1s bits up to the lowest bit position with a 1 in the source argument. Returns all-1s if source argument is 0. Equivalent to
dst = (src-1) XOR src

| VEX.LZ.0F38 F3 /1

| Copy all bits of the source argument, then clear the lowest set bit. Equivalent to
dst = (src-1) AND src

| BZHI ra,r/m,rb

| {{small|VEX.LZ.0F38 F5 /r}}

| Zero out high-order bits in r/m starting from the bit position specified in rb, then write result to rd. Equivalent to
ra = r/m AND NOT(-1 << rb[7:0])

| rowspan="8" | Haswell,
{{nowrap|Excavator,{{efn|text=On AMD processors before Zen 3, the PEXT and PDEP instructions are quite slowAnandtech, [https://www.anandtech.com/show/16214/amd-zen-3-ryzen-deep-dive-review-5950x-5900x-5800x-and-5700x-tested/6 AMD Zen 3 Ryzen Deep Dive Review], nov 5, 2020, page 6 and exhibit data-dependent timing due to the use of a microcoded implementation (about 18 to 300 cycles, depending on the number of bits set in the mask argument). As a result, it is often faster to use other instruction sequences on these processors.{{Cite tweet |user=instlatx64 |number=1322503571288559617 |date=October 31, 2020 |title=Saving Private Ryzen: PEXT/PDEP 32/64b replacement functions for #AMD CPUs (BR/#Zen/Zen+/#Zen2) based on @zwegner's zp7 |access-date=2023-01-20 |language=en}}{{cite web |last1=Wegner |first1=Zach |title=zwegner/zp7 |website=GitHub |url=https://github.com/zwegner/zp7 |date=4 November 2020}}}}}}
ZhangJiang,
Gracemont

| {{small|{{nowrap|VEX.LZ.F2.0F38 F6 /r}}}}

| Widening unsigned integer multiply without setting flags. Multiplies EDX/RDX with r/m, then stores the low half of the multiplication result in ra and the high half in rb. If ra and rb specify the same register, only the high half of the result is stored.

| {{small|{{nowrap|VEX.LZ.F2.0F38 F5 /r}}}}

| Parallel Bit Deposit. Scatters contiguous bits from rb to the bit positions set in r/m, then stores result to ra. Operation performed is:

ra=0; k=0; mask=r/m
for i=0 to opsize-1 do
if (mask[i] == 1) then
ra[i]=rb[k]; k=k+1

| {{small|{{nowrap|VEX.LZ.F3.0F38 F5 /r}}}}

| Parallel Bit Extract. Uses r/m argument as a bit mask to select bits in rb, then compacts the selected bits into a contiguous bit-vector. Operation performed is:

ra=0; k=0; mask=r/m
for i=0 to opsize-1 do
if (mask[i] == 1) then
ra[k]=rb[i]; k=k+1

| {{small|{{nowrap|VEX.LZ.F2.0F3A F0 /r ib}}}}

| Rotate right by immediate without affecting flags.

| {{small|{{nowrap|VEX.LZ.F3.0F38 F7 /r}}}}

| Arithmetic shift right without updating flags.
For SARX, SHRX and SHLX, the shift-amount specified in rb is masked to 5 bits for 32-bit operand size and 6 bits for 64-bit operand size.

| {{small|{{nowrap|VEX.LZ.F2.0F38 F7 /r}}}}

| Logical shift right without updating flags.

| {{small|{{nowrap|VEX.LZ.66.0F38 F7 /r}}}}

| Shift left without updating flags.

! TSX Subset !! Instruction !! Opcode !! Description !! Added in

| XBEGIN rel16
{{nowrap|XBEGIN rel32}}

| C7 F8 cw
{{nowrap|C7 F8 cd}}

| Start transaction. If transaction fails, perform a branch to the given relative offset.

| rowspan="4" | Haswell
(Deprecated on desktop/laptop CPUs from 10th generation (Ice Lake, Comet Lake) onwards, but continues to be available on Xeon-branded server parts (e.g. Ice Lake-SP, Sapphire Rapids))

| C6 F8 ib

| Abort transaction with 8-bit immediate as error code.

| {{nowrap|NP 0F 01 D5}}

| End transaction.

| {{nowrap|NP 0F 01 D6}}

| Test if in transactional execution. Sets EFLAGS.ZF to 0 if executed inside a transaction (RTM or HLE), 1 otherwise.

| XACQUIRE

| F2

| Instruction prefix to indicate start of hardware lock elision, used with memory atomic instructions only (for other instructions, the F2 prefix may have other meanings). When used with such instructions, may start a transaction instead of performing the memory atomic operation.

| rowspan="2" | Haswell
(Discontinued – the last processors to support HLE were {{nowrap|Coffee Lake}} and {{nowrap|Cascade Lake)}}

| F3

| Instruction prefix to indicate end of hardware lock elision, used with memory atomic/store instructions only (for other instructions, the F3 prefix may have other meanings). When used with such instructions during hardware lock elision, will end the associated transaction instead of performing the store/atomic.

| XSUSLDTRK

| {{nowrap|F2 0F 01 E8}}

| Suspend Tracking Load Addresses

| rowspan="2" | {{nowrap|Sapphire Rapids}}

| {{nowrap|F2 0F 01 E9}}

| Resume Tracking Load Addresses

! CET Subset !! Instruction !! Opcode !! Description !! Ring !! Added in

| INCSSPD r32

| F3 0F AE /5

| rowspan="2" | Increment shadow stack pointer

| rowspan="8" {{yes|3}}

| rowspan="12" | {{nowrap|Tiger Lake,}}
Zen 3

| F3 REX.W 0F AE /5

| F3 0F 1E /1

| Read shadow stack pointer into register (low 32 bits){{efn|name="rdssp_nop"|text=The RDSSPD and RDSSPQ instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported.}}

| F3 REX.W 0F 1E /1

| Read shadow stack pointer into register (full 64 bits){{efn|name="rdssp_nop"}}

| F3 0F 01 EA

| Save previous shadow stack pointer

| F3 0F 01 /5

| Restore saved shadow stack pointer

| NP 0F 38 F6 /r

| Write 4 bytes to shadow stack

| {{nowrap|NP REX.W 0F 38 F6 /r}}

| Write 8 bytes to shadow stack

| 66 0F 38 F5 /r

| Write 4 bytes to user shadow stack

| rowspan="4" {{no|0}}

| {{nowrap|66 REX.W 0F 38 F5 /r}}

| Write 8 bytes to user shadow stack

| F3 0F 01 E8

| Mark shadow stack busy

| F3 0F AE /6

| Clear shadow stack busy flag

| ENDBR32

| F3 0F 1E FB

| Terminate indirect branch in 32-bit mode{{efn|name="endbr_nop"|text=ENDBR32 and ENDBR64 act as NOPs on processors that don't support CET_IBT or where IBT is disabled.}}

| rowspan="3" {{yes|3}}

| rowspan="3" | Tiger Lake

| F3 0F 1E FA

| Terminate indirect branch in 64-bit mode{{efn|name="endbr_nop"}}

| 3E{{efn|text=This prefix has the same encoding as the DS: segment override prefix – as of April 2022, Intel documentation does not appear to specify whether this prefix also retains its old segment-override function when used as a no-track prefix, nor does it provide an official mnemonic for this prefix.Intel, [https://kib.kiev.ua/x86docs/Intel/CET/334525-003.pdf Control-flow Enforcement Technology Specification] (v3.0, order no. 334525-003, March 2019)[https://kib.kiev.ua/x86docs/Intel/SDMs/253665-076.pdf Intel SDM, rev 076, December 2021], volume 1, section 18.3.1 (GNU binutils use "notrack"Binutils mailing list: [https://sourceware.org/pipermail/binutils/2017-June/098516.html x86: CET v2.0: Update NOTRACK prefix])}}

| Prefix used with indirect CALL/JMP near instructions (opcodes {{nowrap|FF /2}} and {{nowrap|FF /4}}) to indicate that the branch target is not required to start with an ENDBR32/64 instruction. Prefix only honored when NO_TRACK_EN flag is set.

! XSAVE Extension !! Instruction
mnemonics !! Opcode{{efn|Under Intel APX, the XSAVE* and XRSTOR* instructions cannot be encoded with the REX2 prefix.}} !! Instruction description !! Ring !! Added in

| XSAVE mem
XSAVE64 mem

| NP 0F AE /4
NP REX.W 0F AE /4

| Save state components specified by bitmap in EDX:EAX to memory.

| rowspan="3" {{yes|3}}

| rowspan="4" | Penryn,{{efn|XSAVE was added in steppings E0/R0 of Penryn and is not available in earlier steppings.}}
Bulldozer,
Jaguar,
Goldmont,
ZhangJiang

| NP 0F AE /5
{{nowrap|NP REX.W 0F AE /5}}

| Restore state components specified by EDX:EAX from memory.

| NP 0F 01 D0

| Get value of Extended Control Register.
Reads an XCR specified by ECX into EDX:EAX.{{efn|text=On some processors (starting with Skylake, Goldmont and Zen 1), executing XGETBV with ECX=1 is permitted – this will not return XCR1 (no such register exists) but instead return XCR0 bitwise-ANDed with the current value of the "XINUSE" state-component bitmap (a bitmap of XSAVE state-components that are not known to be in their initial state).
The presence of this functionality of XGETBV is indicated by {{nowrap|1=CPUID.(EAX=0Dh,ECX=1):EAX[bit 2].}}}}

| NP 0F 01 D1

| Set Extended Control Register.{{efn|The XSETBV instruction will cause a mandatory #VMEXIT if executed under Intel VT-x virtualization.}}
Write the value in EDX:EAX to the XCR specified by ECX.

| {{no|0}}

| XSAVEOPT mem
{{nowrap|XSAVEOPT64 mem}}

| NP 0F AE /6
NP REX.W 0F AE /6

| Save state components specified by EDX:EAX to memory.
Unlike the older XSAVE instruction, XSAVEOPT may abstain from writing processor state items to memory when the CPU can determine that they haven't been modified since the most recent corresponding XRSTOR.

| {{yes|3}}

| {{nowrap|Sandy Bridge,}}
Steamroller,
Puma,
Goldmont,
ZhangJiang

| XSAVEC mem
XSAVEC64 mem

| NP 0F C7 /4
NP REX.W 0F C7 /4

| Save processor extended state components specified by EDX:EAX to memory with compaction.

| {{yes|3}}

| Skylake,
Goldmont,
Zen 1

| XSAVES mem
XSAVES64 mem

| NP 0F C7 /5
NP REX.W 0F C7 /5

| Save processor extended state components specified by EDX:EAX to memory with compaction and optimization if possible.

| rowspan="2" {{no|0}}

| rowspan="2" | Skylake,
Goldmont,
Zen 1

| NP 0F C7 /3
{{nowrap|NP REX.W 0F C7 /3}}

| Restore state components specified by EDX:EAX from memory.

! Instruction Set Extension !! Instruction
mnemonics !! Opcode !! Instruction description !! Ring !! Added in

| PREFETCHNTA m8

| 0F 18 /0

| Prefetch with Non-Temporal Access.
Prefetch data under the assumption that the data will be used only once, and attempt to minimize cache pollution from said data. The methods used to minimize cache pollution are implementation-dependent.{{efn|name="prefetch_hint"|text=All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated.}}

| rowspan="5" {{yes|3}}

| rowspan="5" | Pentium III,
(K7),{{efn|name="k7_mmxext"|AMD Athlon processors prior to the Athlon XP did not support full SSE, but did introduce the non-SIMD instructions of SSE as part of "MMX Extensions".AMD, [https://refspecs.linuxfoundation.org/AMD-extensions.pdf Extensions to the 3DNow! and MMX Instruction Sets], ref no. 22466D/0, March 2000, p.11 These extensions (without full SSE) are also present on Geode GX2 and later Geode processors.}}
{{nowrap|(Geode GX2),{{efn|name="k7_mmxext"}}}}
Nehemiah,
Efficeon

| 0F 18 /1

| Prefetch data to all levels of the cache hierarchy.{{efn|name="prefetch_hint"}}

| 0F 18 /2

| Prefetch data to all levels of the cache hierarchy except L1 cache.{{efn|name="prefetch_hint"}}

| 0F 18 /3

| Prefetch data to all levels of the cache hierarchy except L1 and L2 caches.{{efn|name="prefetch_hint"}}

| NP 0F AE F8+x{{efn|name="sse_partial_decode"|For the SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction.}}

| Store Fence.{{efn|The SFENCE instruction ensures that all memory stores after the SFENCE instruction are made globally observable after all memory stores before the SFENCE. This imposes ordering on stores that can otherwise be reordered, such as non-temporal stores and stores to WC (Write-Combining) memory regions.Hadi Brais, [https://hadibrais.wordpress.com/2019/02/26/the-significance-of-the-x86-sfence-instruction/ The Significance of the x86 SFENCE instruction], 26 Feb 2019.
On Intel CPUs, as well as AMD CPUs from Zen1 onwards (but not older AMD CPUs), SFENCE also acts as a reordering barrier on cache flushes/writebacks performed with the CLFLUSH, CLFLUSHOPT and CLWB instructions. (Older AMD CPUs require MFENCE to order CLFLUSH.)
SFENCE is not ordered with respect to LFENCE, and an SFENCE+LFENCE sequence is not sufficient to prevent a load from being reordered past a previous store.Intel, [https://kib.kiev.ua/x86docs/Intel/SDMs/325462-077.pdf Software Developer's Manual], order no. 325426-077, Nov 2022, Volume 1, section 11.4.4.3, page 276. To prevent such reordering, it is necessary to execute an MFENCE, LOCK or a serializing instruction.}}

| LFENCE

| NP 0F AE E8+x{{efn|name="sse_partial_decode"}}

| Load Fence and Dispatch Serialization.{{efn|The LFENCE instruction ensures that all memory loads after the LFENCE instruction are made globally observable after all memory loads before the LFENCE.
On all Intel CPUs that support SSE2, the LFENCE instruction provides a stronger ordering guarantee:Hadi Brais, [https://hadibrais.wordpress.com/2018/05/14/the-significance-of-the-x86-lfence-instruction/ The Significance of the LFENCE instruction], 14 May 2018 it is dispatch-serializing, meaning that instructions after the LFENCE instruction are allowed to start executing only after all instructions before it have retired (which will ensure that all preceding loads but not necessarily stores have completed). The effect of dispatch-serialization is that LFENCE also acts as a speculation barrier and a reordering barrier for accesses to non-memory resources such as performance counters (accessed through e.g. RDTSC or RDPMC) and x2apic MSRs.
On AMD CPUs, LFENCE is not necessarily dispatch-serializing by default – however, on all AMD CPUs that support any form of non-dispatch-serializing LFENCE, it can be made dispatch-serializing by setting bit 1 of MSR C001_1029.AMD, [https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf Software techniques for managing speculation on AMD processor], rev 3.8.22, 8 March 2022, page 4. [https://web.archive.org/web/20220313090311/https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf Archived] on 13 March 2022.}}

| rowspan="4" {{yes|3}}

| rowspan="4" | Pentium 4,
K8,
Efficeon,
C7 Esther

| NP 0F AE F0+x{{efn|name="sse_partial_decode"}}

| Memory Fence.{{efn|The MFENCE instruction ensures that all memory loads, stores and cacheline-flushes after the MFENCE instruction are made globally observable after all memory loads, stores and cacheline-flushes before the MFENCE.
On Intel CPUs, MFENCE is not dispatch-serializing, and therefore cannot be used on its own to enforce ordering on accesses to non-memory resources such as performance counters and x2apic MSRs. MFENCE is still ordered with respect to LFENCE, so if there is a need to enforce ordering between memory stores and subsequent non-memory accesses, then such an ordering can be obtained by issuing an MFENCE followed by an LFENCE.Intel, [https://kib.kiev.ua/x86docs/Intel/SDMs/325462-077.pdf Software Developer's Manual], order no. 325426-077, Nov 2022 – the entry on the RDTSC instruction on p.1739 describes the instruction sequences required to order the RDTSC instruction with respect to earlier and later instructions.Intel, [https://cdrdv2-public.intel.com/825743/325462-sdm-vol-1-2abcd-3abcd-4.pdf Software Developer's Manual], order no. 325426-084, June 2024, vol 3A, section 11.12.3, page 3411 - covers the use of the MFENCE;LFENCE sequence to enforce ordering between a memory store and a later x2apic MSR write. [https://web.archive.org/web/20240714161441/https://cdrdv2-public.intel.com/825743/325462-sdm-vol-1-2abcd-3abcd-4.pdf Archived] on 4 Jul 2024
On AMD CPUs, MFENCE is serializing.}}

| NP 0F C3 /r
NP REX.W 0F C3 /r

| Non-Temporal Memory Store.

| F3 90{{efn|text=The operation of the PAUSE instruction in 64-bit mode is, unlike NOP, unaffected by the presence of the REX.R prefix. Neither NOP nor PAUSE are affected by the other bits of the REX prefix. A few examples of how opcode 90 interacts with various prefixes in 64-bit mode are:

• 90 is NOP
• 41 90 is XCHG R8D,EAX
• 4E 90 is NOP
• 49 90 is XCHG R8,RAX
• F3 90 is PAUSE
• F3 41 90 is PAUSE
• F3 4F 90 is PAUSE

| Pauses CPU thread for a short time period.{{efn|The actual length of the pause performed by the PAUSE instruction is implementation-dependent.
On systems without SSE2, PAUSE will execute as NOP.}}
Intended for use in spinlocks.{{efn|Under VT-x or AMD-V virtualization, executing PAUSE many times in a short time interval may cause a #VMEXIT. The number of PAUSE executions and interval length that can trigger #VMEXIT are platform-specific.}}

| {{nowrap|CLFLUSH m8}}

| NP 0F AE /7

| Flush one cache line to memory.
In a system with multiple cache hierarchy levels and/or multiple processors each with their own caches, the line is flushed from all of them.

| {{yes|3}}

| (SSE2),
Geode LX

| MONITOR{{efn|name="monitor_explicit_op"|For the MONITOR and MWAIT instructions, older Intel documentationIntel, [https://math-atlas.sourceforge.net/devel/assembly/sse3.pdf Prescott New Instructions Software Developer’s Guide], order no. 252490-003, june 2003, pages 3-26 and 3-38 list MONITOR and MWAIT with explicit operands. [https://web.archive.org/web/20050509102126/https://math-atlas.sourceforge.net/devel/assembly/sse3.pdf Archived] on 9 May 2005. lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX and MWAIT EAX,ECX), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.Flat Assembler messageboard, [https://board.flatassembler.net/topic.php?p=98558#98558 "BLENDVPS/BLENDVPD/PBLENDVB syntax"], also covers MONITOR/MWAIT mnemonics. [https://web.archive.org/web/20221106013255/https://board.flatassembler.net/topic.php?p=98558#98558 Archived] on 6 Nov 2022. }}
{{nowrap|MONITOR EAX,ECX,EDX}}

| NP 0F 01 C8

| Start monitoring a memory location for memory writes. The memory address to monitor is given by DS:AX/EAX/RAX.{{efn|For MONITOR, the DS: segment can be overridden with a segment prefix.
The memory area that will be monitored will be not just the single byte specified by DS:rAX, but a linear memory region containing the byte – the size and alignment of this memory region is implementation-dependent and can be queried through CPUID.
The memory location to monitor should have memory type WB (write-back cacheable), or else monitoring may fail.}}
ECX and EDX are reserved for extra extension and hint flags, respectively.{{efn|text=As of April 2024, no extensions or hints have been defined for the MONITOR instruction. As such, the instruction requires ECX=0 and ignores EDX.}}

| rowspan="2" {{no2|Usually 0{{efn|name="monitor_ring3"|On some processors, such as Intel Xeon Phi x200Intel, [https://web.archive.org/web/20170305002312/https://software.intel.com/en-us/blogs/2016/10/06/intel-xeon-phi-product-family-x200-knl-user-mode-ring-3-monitor-and-mwait Intel® Xeon Phi™ Product Family x200 (KNL) User mode (ring 3) MONITOR and MWAIT] (archived 5 mar 2017) and AMD K10AMD, [https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/programmer-references/31116.pdf BIOS and Kernel Developer’s Guide (BKDG) For AMD Family 10h Processors], order no. 31116, rev 3.62, page 419. [https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/programmer-references/31116.pdf Archived] on Apr 8, 2024. and later, there exist documented MSRs that can be used to enable MONITOR and MWAIT to run in Ring 3.}}}}

| rowspan="2" | Prescott,
Yonah,
Bonnell,
K10,
Nano

| NP 0F 01 C9

| Wait for a write to a monitored memory location previously specified with MONITOR.{{efn|The wait performed by MWAITmay be ended by system events other than a memory write (e.g. cacheline evictions, interrupts) – the exact set of events that can cause the wait to end is implementation-specific.
Regardless of whether the wait was ended by a memory write or some other event, monitoring will have ended and it will be necessary to set up monitoring again with MONITOR before using MWAIT to wait for memory writes again.}}
ECX and EAX are used to provide extra extension{{efn|text=The extension flags available for MWAIT in the ECX register are:

{{(!}} class="wikitable sortable"

! Bits !! MWAIT Extension

{{!}}-

{{!}} 0 {{!!}} Treat interrupts as break events, even when masked (EFLAGS.IF=0). (Available on all non-NetBurst implementations of MWAIT.)

{{!}}-

{{!}} 1 {{!!}} {{unofficial2|align="left"|Timed MWAIT: end the wait when the TSC reaches or exceeds the value in EDX:EBX. (Undocumented, reportedly present in Intel Skylake and later Intel processors)R. Zhang et al, [https://publications.cispa.saarland/3769/1/mwait_sec23.pdf (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels], 3 Jan 2023, page 5. [https://web.archive.org/web/20230105140516/https://publications.cispa.saarland/3769/1/mwait_sec23.pdf Archived] from the original on 5 Jan 2023.}}

{{!}}-

{{!}} 2 {{!!}} Monitorless MWAITIntel, [https://cdrdv2-public.intel.com/819680/architecture-instruction-set-extensions-programming-reference.pdf Architecture Instruction Set Extensions Programming Reference], order no. 319433-052, March 2024, chapter 17. [https://web.archive.org/web/20240407230452/https://cdrdv2-public.intel.com/819680/architecture-instruction-set-extensions-programming-reference.pdf Archived] on Apr 7, 2024.

{{!}}-

{{!}} 31:3 {{!!}} {{n/a|align="left"|Not used, must be set to zero.}}

{{!)}}

}} and hint{{efn|text=The hint flags available for MWAIT in the EAX register are:

{{(!}} class="wikitable sortable"

! Bits !! MWAIT Hint

{{!}}-

{{!}} 3:0 {{!!}} Sub-state within a C-state (see bits 7:4) (Intel processors only)

{{!}}-

{{!}} 7:4 {{!!}} Target CPU power C-state during wait, minus 1. (E.g. 0000b for C1, 0001b for C2, 1111b for C0)

{{!}}-

{{!}} 31:8 {{!!}} {{n/a|align="left"|Not used.}}

{{!)}}

The C-states are processor-specific power states, which do not necessarily correspond 1:1 to ACPI C-states.

}} flags, respectively. MWAIT hints are commonly used for CPU power management.

| GETSEC

| {{nowrap|NP 0F 37{{efn|For the GETSEC instruction, the REX.W prefix enables 64-bit addresses for the EXITAC leaf function only - REX prefixes are otherwise permitted but ignored for the instruction.}}}}

| Perform an SMX function. The leaf function to perform is given in EAX.{{efn|text=The leaf functions defined for GETSEC (selected by EAX) are:

{{(!}} class="wikitable sortable"

! EAX !! Function

{{!}}-

{{!}} 0 (CAPABILITIES) {{!!}} Report SMX capabilities

{{!}}-

{{!}} 2 (ENTERACCES) {{!!}} Enter execution of authenticated code module

{{!}}-

{{!}} 3 (EXITAC) {{!!}} Exit execution of authenticated code module

{{!}}-

{{!}} 4 (SENTER) {{!!}} Enter measured environment

{{!}}-

{{!}} 5 (SEXIT) {{!!}} Exit measured environment

{{!}}-

{{!}} 6 (PARAMETERS) {{!!}} Report SMX parameters

{{!}}-

{{!}} 7 (SMCTRL) {{!!}} SMX Mode Control

{{!}}-

{{!}} 8 (WAKEUP) {{!!}} Wake up sleeping processors in measured environment

{{!)}}

Any unsupported value in EAX causes an #UD exception.

}}
Depending on leaf function, the instruction may take additional arguments in RBX, ECX and EDX.

| {{no2|Usually 0{{efn|text=For GETSEC, most leaf functions are restricted to Ring 0, but the CAPABILITIES (EAX=0) and PARAMETERS (EAX=6) leaf functions are available in Ring 3.}}}}

| {{nowrap|Conroe/Merom,}}
WuDaoKou,Guru3D, [https://www.guru3d.com/news-story/via-zhaoxin-x86-4-and-8-core-processors-launched.html VIA Zhaoxin x86 4 and 8-core SoC processors launch], Jan 22, 2018
Tremont

| RDTSCP

| 0F 01 F9

| Read Time Stamp Counter and processor core ID.{{efn|name="rdtscp_rdpid"}}
The TSC value is placed in EDX:EAX and the core ID in ECX.{{efn|text=Unlike the older RDTSC instruction, RDTSCP will delay the TSC read until all previous instructions have retired, guaranteeing ordering with respect to preceding memory loads (but not stores). RDTSCP is not ordered with respect to subsequent instructions, though.}}

| {{yes2|Usually 3{{efn|text=RDTSCP can be run outside Ring 0 only if CR4.TSD=0.}}}}

| K8,{{efn|Support for RDTSCP was added in stepping F of the AMD K8, and is not available on earlier steppings.}}
Nehalem,
Silvermont,
Nano

| POPCNT r16,r/m16
POPCNT r32,r/m32

| F3 0F B8 /r

| rowspan="2" | Count the number of bits that are set to 1 in its source argument.

| rowspan="2" {{yes|3}}

| rowspan="2" | K10,
Nehalem,
Nano 3000

| F3 REX.W 0F B8 /r

| CRC32 r32,r/m8

| F2 0F 38 F0 /r

| rowspan="3" | Accumulate CRC value using the CRC-32C (Castagnoli) polynomial 0x11EDC6F41 (normal form 0x1EDC6F41). This is the polynomial used in iSCSI. In contrast to the more popular one used in Ethernet, its parity is even, and it can thus detect any error with an odd number of changed bits.

| rowspan="3" {{yes|3}}

| rowspan="3" | Nehalem,
Bulldozer,
ZhangJiang

| F2 0F 38 F1 /r

| F2 REX.W 0F 38 F1 /r

| RDFSBASE r32
RDFSBASE r64

| F3 0F AE /0
F3 REX.W 0F AE /0

| Read base address of FS: segment.

| rowspan="4" {{yes|3}}

| rowspan="4" | Ivy Bridge,
Steamroller,
Goldmont,
ZhangJiang

| F3 0F AE /1
F3 REX.W 0F AE /1

| Read base address of GS: segment.

| F3 0F AE /2
F3 REX.W 0F AE /2

| Write base address of FS: segment.

| F3 0F AE /3
F3 REX.W 0F AE /3

| Write base address of GS: segment.

| MOVBE r16,m16
MOVBE r32,m32

| NFx 0F 38 F0 /r

| rowspan="2" | Load from memory to register with byte-order swap.

| rowspan="4" {{yes|3}}

| rowspan="4" | Bonnell,
Haswell,
Jaguar,
Steamroller,
ZhangJiang

| {{nowrap|NP REX.W 0F 38 F0 /r{{efn|name="haswell_movbe"|1=For the MOVBE instruction, encodings that use both the 66h prefix and the REX.W prefix will cause #UD on some processors (e.g. HaswellIntel, [https://web.archive.org/web/20240406115044/https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/4th-gen-core-family-desktop-specification-update.pdf Desktop 4th Generation Specification Update], order no. 328899-039, apr 2020, see erratum HSD145 on page 56. Archived from the [https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/4th-gen-core-family-desktop-specification-update.pdf original] on 6 Apr 2024.) and should therefore be avoided.}}}}

| NFx 0F 38 F1 /r

| rowspan="2" | Store to memory from register with byte-order swap.

| {{nowrap|NP REX.W 0F 38 F1 /r{{efn|name="haswell_movbe"}}}}

| INVPCID reg,m128

| 66 0F 38 82 /r

| Invalidate entries in TLB and paging-structure caches based on invalidation type in register{{efn|text=The invalidation types defined for INVPCID (selected by register argument) are:

{{(!}} class="wikitable sortable"

! Value !! Function

{{!}}-

{{!}} 0 {{!!}} Invalidate TLB entries matching PCID and virtual memory address in descriptor, excluding global entries

{{!}}-

{{!}} 1 {{!!}} Invalidate TLB entries matching PCID in descriptor, excluding global entries

{{!}}-

{{!}} 2 {{!!}} Invalidate all TLB entries, including global entries

{{!}}-

{{!}} 3 {{!!}} Invalidate all TLB entries, excluding global entries

{{!)}}

Any unsupported value in the register argument causes a #GP exception.}} and descriptor in m128. The descriptor contains a memory address and a PCID.{{efn|Unlike the older INVLPG instruction, INVPCID will cause a #GP exception if the provided memory address is non-canonical. This discrepancy has been known to cause security issues.Vulners, [https://vulners.com/xen/XSA-279 x86: DoS from attempting to use INVPCID with a non-canonical addresses], 20 nov 2018}}

Instruction is serializing on AMD but not Intel CPUs.

| {{no|0}}

| Haswell,
ZhangJiang,
Zen 3,
Gracemont

| {{nowrap|PREFETCHW m8}}

| 0F 0D /1

| Prefetch cache line with intent to write.{{efn|name="prefetch_hint"}}

| rowspan="2" {{yes|3}}

| rowspan="2" | K6-2,
{{nowrap|(Cedar Mill),{{efn|The opcodes for PREFETCH and PREFETCHW (0F 0D /r) execute as NOPs on Intel CPUs from Cedar Mill (65nm Pentium 4) onwards, with PREFETCHW gaining prefetch functionality from Broadwell onwards.}}}}
Silvermont,
Broadwell,
ZhangJiang

| 0F 0D /0

| Prefetch cache line.{{efn|name="prefetch_hint"}}

| {{nowrap|ADCX r32,r/m32}}
ADCX r64,r/m64

| 66 0F 38 F6 /r
{{nowrap|66 REX.W 0F 38 F6 /r}}

| Add-with-carry. Differs from the older ADC instruction in that it leaves flags other than EFLAGS.CF unchanged.

| rowspan="2" {{yes|3}}

| rowspan="2" | Broadwell,
Zen 1,
ZhangJiang,
Gracemont

| F3 0F 38 F6 /r
{{nowrap|F3 REX.W 0F 38 F6 /r}}

| Add-with-carry, with the overflow-flag EFLAGS.OF serving as carry input and output, with other flags left unchanged.

| CLAC

| NP 0F 01 CA

| Clear EFLAGS.AC.

| rowspan="2" {{no|0}}

| rowspan="2" | Broadwell,
Goldmont,
Zen 1,
LuJiaZui{{efn|name=lujiazui_step2|text=The SMAP, PKU and RDPID instruction set extensions are supported on stepping 2Instlatx64, [http://users.atw.hu/instlatx64/CentaurHauls/CentaurHauls00307B2_KX6000_01_CPUID.txt Zhaoxin Kaixian KX-6000G CPUID dump], May 15, 2023 and later of Zhaoxin LuJiaZui, but not on earlier steppings.}}

| NP 0F 01 CB

| Set EFLAGS.AC.

| {{nowrap|CLFLUSHOPT m8}}

| NFx 66 0F AE /7

| Flush cache line.
Differs from the older CLFLUSH instruction in that it has more relaxed ordering rules with respect to memory stores and other cache line flushes, enabling improved performance.

| {{yes|3}}

| Skylake,
Goldmont,
Zen 1

| PREFETCHWT1 m8

| 0F 0D /2

| Prefetch data with T1 locality hint (fetch into L2 cache, but not L1 cache) and intent-to-write hint.{{efn|name="prefetch_hint"}}

| {{yes|3}}

| {{nowrap|Knights Landing,}}
YongFeng

| RDPKRU

| NP 0F 01 EE

| Read User Page Key register into EAX.

| rowspan="2" {{yes|3}}

| rowspan="2" | Skylake-X,
Comet Lake,
Gracemont,
Zen 3,
LuJiaZui{{efn|name=lujiazui_step2}}

| NP 0F 01 EF

| Write data from EAX into User Page Key Register, and perform a Memory Fence.

| CLWB m8

| {{nowrap|NFx 66 0F AE /6}}

| Write one cache line back to memory without invalidating the cache line.

| {{yes|3}}

| Skylake-X,
Zen 2,
Tiger Lake,
Tremont

| RDPID r32

| F3 0F C7 /7

| Read processor core ID into register.{{efn|name="rdtscp_rdpid"|text=The "core ID" value read by RDTSCP and RDPID is actually the TSC_AUX MSR (MSR C000_0103h). Whether this value actually corresponds to a processor ID is a matter of operating system convention.}}

| {{yes|3{{efn|text=Unlike the older RDTSCP instruction which can also be used to read the processor ID, user-mode RDPID is not disabled by CR4.TSD=1.}}}}

| {{nowrap|Goldmont Plus,}}
Zen 2,
Ice Lake,
LuJiaZui{{efn|name=lujiazui_step2}}

| MOVDIRI m32,r32
MOVDIRI m64,r64

| NP 0F 38 F9 /r
{{nowrap|NP REX.W 0F 38 F9 /r}}

| Store to memory using Direct Store (memory store that is not cached or write-combined with other stores).

| {{yes|3}}

| Tiger Lake,
Tremont,
Zen 5

| {{nowrap|MOVDIR64B reg,m512}}

| 66 0F 38 F8 /r

| Move 64 bytes of data from m512 to address given by ES:reg. The 64-byte write is done atomically with Direct Store.{{efn|For MOVDIR64, the destination address given by ES:reg must be 64-byte aligned.
The operand size for the register argument is given by the address size, which may be overridden by the 67h prefix.
The 64-byte memory source argument does not need to be 64-byte aligned, and is not guaranteed to be read atomically.}}

| {{yes|3}}

| Tiger Lake,
Tremont,
Zen 5

| WBNOINVD

| F3 0F 09

| Write back all dirty cache lines to memory without invalidation.{{efn|The WBNOINVD instruction will execute as WBINVD if run on a system that doesn't support the WBNOINVD extension.
WBINVD differs from WBNOINVD in that WBINVD will invalidate all cache lines after writeback.}} Instruction is serializing.

| {{no|0}}

| Zen 2,
Ice Lake-SP

| PREFETCHIT0 m8

| 0F 18 /7

| Prefetch code to all levels of the cache hierarchy.{{efn|name=prefetchi_note|text=In initial implementations, the PREFETCHIT0 and PREFETCHIT1 instructions will perform code prefetch only when using the RIP-relative addressing mode and act as NOPs otherwise.
The PREFETCHI instructions are hint instructions only - if an attempt is made to prefetch an invalid address, the instructions will act as NOPs with no exceptions generated. On processors that support Long-NOP but do not support the PREFETCHI instructions, these instructions will always act as NOPs.}}

| rowspan="2" {{yes|3}}

| rowspan="2" | Zen 5,
{{nowrap|Granite Rapids}}

| 0F 18 /6

| Prefetch code to all levels of the cache hierarchy except first-level cache.{{efn|name=prefetchi_note}}

! Instruction Set Extension !! Instruction
mnemonics !! Opcode !! Instruction description !! Ring !! Added in

| HWNT,
hint-not-taken{{efn|name=wmt_hint|1=The branch hint mnemonics HWNT and HST are listed in early Willamette documentation onlyIntel, [https://web.archive.org/web/20050205035023/http://developer.intel.com/design/processor/WmtSDG.pdf Willamette Processor Software Developer’s Guide], order no. 245355-001, feb 2000, section 3.5.3, page 294 - lists HWNT/HST mnemonics for the branch hint prefixes. Archived from the [http://developer.intel.com/design/processor/WmtSDG.pdf original] on 5 Feb 2005. - later Intel documentation lists the branch hint prefixes without assigning them a mnemonic.Intel, [https://kib.kiev.ua/x86docs/Intel/SDMs/325462-083.pdf Software Developer's Manual], order no. 325462-083, March 2024 - volume 1, chapter 11.4.5, page 281 and volume 2A, chapter 2.1.1, page 525.

Intel XED uses the mnemonics {{nowrap|hint-taken}} and {{nowrap|hint-not-taken}} for these branch hints.Intel XED source code, [https://github.com/intelxed/xed/blob/d4d502003bfff51c55c2808804301a62878d7cc8/src/dec/xed-disas.c#L325 src/dec/xed-disas.c, line 325], 11 Nov 2024. [https://web.archive.org/web/20241124214618/https://github.com/intelxed/xed/blob/d4d502003bfff51c55c2808804301a62878d7cc8/src/dec/xed-disas.c#L325 Archived] on 24 Nov 2024.

| 2E{{efn|name=wmt_prefix|The 2E and 3E prefixes are interpreted as branch hints only when used with the Jcc conditional branch instructions (opcodes 70..7F and {{nowrap|0F 80..8F}}) - when used with other opcodes, they may take other meanings (e.g. for instructions with memory operands outside 64-bit mode, they will work as segment-override prefixes CS: and DS:, respectively). On processors that don't support branch hints, these prefixes are accepted but ignored when used with Jcc.}}

| Instruction prefix: branch hint weakly not taken.

| rowspan="2" {{Yes|3}}

| rowspan="2" | Pentium 4,{{efn|Branch hints are supported on all NetBurst (Pentium 4 family) processors - but not supported on any other known processor prior to their re-introduction in "Redwood Cove" CPUs, starting with "Meteor Lake" in 2023.}}
Meteor LakeIntel, [https://cdrdv2-public.intel.com/814198/248966-Optimization-Reference-Manual-V1-050.pdf Intel 64 and IA-32 Architectures Optimization Reference Manual: Volume 1], order no. 248966-050US, April 2024, chapter 2.1.1.1, page 46. [https://web.archive.org/web/20250105153741/https://cdrdv2-public.intel.com/814198/248966-Optimization-Reference-Manual-V1-050.pdf Archived] on 25 Jan 2025.

| 3E{{efn|name=wmt_prefix}}

| Instruction prefix: branch hint strongly taken.

| ENCLS

| {{nowrap|NP 0F 01 CF}}

| Perform an SGX Supervisor function. The function to perform is given in EAX{{efn|text=The leaf functions defined for ENCLS (selected by EAX) are:

{{(!}} class="wikitable sortable"

! EAX !! Function

{{!}}-

{{!}} 0 (ECREATE) {{!!}} Create an enclave

{{!}}-

{{!}} 1 (EADD) {{!!}} Add a page

{{!}}-

{{!}} 2 (EINIT) {{!!}} Initialize an enclave

{{!}}-

{{!}} 3 (EREMOVE) {{!!}} Remove a page from EPC (Enclave Page Cache)

{{!}}-

{{!}} 4 (EDBGRD) {{!!}} Read data by debugger

{{!}}-

{{!}} 5 (EDBGWR) {{!!}} Write data by debugger

{{!}}-

{{!}} 6 (EEXTEND) {{!!}} Extend EPC page measurement

{{!}}-

{{!}} 7 (ELDB) {{!!}} Load an EPC page as blocked

{{!}}-

{{!}} 8 (ELDU) {{!!}} Load an EPC page as unblocked

{{!}}-

{{!}} 9 (EBLOCK) {{!!}} Block an EPC page

{{!}}-

{{!}} A (EPA) {{!!}} Add version array

{{!}}-

{{!}} B (EWB) {{!!}} Writeback/invalidate EPC page

{{!}}-

{{!}} C (ETRACK) {{!!}} Activate EBLOCK checks

{{!}}-

! colspan="2" {{!}} Added with SGX2

{{!}}-

{{!}} D (EAUG) {{!!}} Add page to initialized enclave

{{!}}-

{{!}} E (EMODPTR) {{!!}} Restrict permissions of EPC page

{{!}}-

{{!}} F (EMODT) {{!!}} Change type of EPC page

{{!}}-

! colspan="2" {{!}} Added with OVERSUB

{{!}}-

{{!}} 10 (ERDINFO) {{!!}} Read EPC page type/status info

{{!}}-

{{!}} 11 (ETRACKC) {{!!}} Activate EBLOCK checks

{{!}}-

{{!}} 12 (ELDBC) {{!!}} Load EPC page as blocked with enhanced error reporting

{{!}}-

{{!}} 13 (ELDUC) {{!!}} Load EPC page as unblocked with enhanced error reporting

{{!}}-

! colspan="2" {{!}} Other

{{!}}-

{{!}} 18 (EUPDATESVN) {{!!}} Update SVN (Security Version Number) after live microcode updateIntel, [https://cdrdv2-public.intel.com/648682/648682%20Runtime_Microcode_Update_with_Intel_SGX_rev1p0.pdf Runtime Microcode Updates with Intel® Software Guard Extensions], sep 2021, order no. 648682 rev 1.0. [https://web.archive.org/web/20230331103022/https://cdrdv2-public.intel.com/648682/648682%20Runtime_Microcode_Update_with_Intel_SGX_rev1p0.pdf Archived] from the original on 31 mar 2023.

{{!)}}

Any unsupported value in EAX causes a #GP exception.

}} — depending on function, the instruction may take additional input operands in RBX, RCX and RDX.

Depending on function, the instruction may return data in RBX and/or an error code in EAX.

| {{no|0}}

| rowspan="3" | {{glossary}}{{term|SGX1}}{{defn|Skylake,{{efn|SGX is deprecated on desktop/laptop processors from 11th generation (Rocket Lake, Tiger Lake) onwards,Intel, [https://cdrdv2-public.intel.com/634648/634648-004.pdf 11th Generation Intel® Core™ Processor Desktop Datasheet, Volume 1], may 2022, order no. 634648-004, section 3.5, page 65. [https://web.archive.org/web/20250219182337/https://cdrdv2-public.intel.com/634648/634648-004.pdf Archived] on 19 Feb 2025. but continues to be available on Xeon-branded server parts.}}
Goldmont Plus}}{{term|SGX2}}{{defn|{{nowrap|Goldmont Plus,}}
Ice Lake-SPIntel, [https://www.intel.com/content/www/us/en/support/articles/000058764/software/intel-security-products.html Which Platforms Support Intel® Software Guard Extensions (Intel® SGX) SGX2?] [https://archive.today/20220505112200/https://www.intel.com/content/www/us/en/support/articles/000058764/software/intel-security-products.html Archived] on 5 May 2022.}}{{term|OVERSUBIntel, [https://cdrdv2-public.intel.com/671471/sgx-oversubscription.pdf Intel® Software Guard Extensions (Intel® SGX) Architecture for Oversubscription of Secure Memory in a Virtualized Environment], 25 Jun 2017. [https://web.archive.org/web/20230331203252/https://cdrdv2-public.intel.com/671471/sgx-oversubscription.pdf Archived] on 31 Mar 2023.}}{{defn|Ice Lake-SP,
Tremont}}{{glossary end}}

| {{nowrap|NP 0F 01 D7}}

| Perform an SGX User function. The function to perform is given in EAX{{efn|text=The leaf functions defined for ENCLU (selected by EAX) are:

{{(!}} class="wikitable sortable"

! EAX !! Function

{{!}}-

{{!}} 0 (EREPORT) {{!!}} Create a cryptographic report

{{!}}-

{{!}} 1 (EGETKEY) {{!!}} Create a cryptographic key

{{!}}-

{{!}} 2 (EENTER) {{!!}} Enter an Enclave

{{!}}-

{{!}} 3 (ERESUME) {{!!}} Re-enter an Enclave

{{!}}-

{{!}} 4 (EEXIT) {{!!}} Exit an Enclave

{{!}}-

! colspan="2" {{!}} Added with SGX2

{{!}}-

{{!}} 5 (EACCEPT) {{!!}} Accept changes to EPC page

{{!}}-

{{!}} 6 (EMODPE) {{!!}} Extend EPC page permissions

{{!}}-

{{!}} 7 (EACCEPTCOPY) {{!!}} Initialize pending page

{{!}}-

! colspan="2" {{!}} Added with TDXIntel, [https://cdrdv2-public.intel.com/733582/intel-tdx-cpu-architectural-specification.pdf Trust Domain CPU Architectural Extensions], order no. 343754-002, may 2021. [https://web.archive.org/web/20221226025041/https://cdrdv2-public.intel.com/733582/intel-tdx-cpu-architectural-specification.pdf Archived] on 26 Dec 2022.

{{!}}-

{{!}} 8 (EVERIFYREPORT2) {{!!}} Verify a cryptographic report of a trust domain

{{!}}-

! colspan="2" {{!}} Added with AEX-NotifyIntel, [https://cdrdv2-public.intel.com/736463/aex-notify-white-paper-public.pdf Asynchronous Enclave Exit Notify and the EDECCSSA User Leaf Function], 30 Jun 2022. [https://web.archive.org/web/20221121073302/https://cdrdv2-public.intel.com/736463/aex-notify-white-paper-public.pdf Archived] on 21 Nov 2022.

{{!}}-

{{!}} 9 (EDECCSSA) {{!!}} Decrement TCS.CSSA

{{!}}-

! colspan="2" {{!}} Added with 256BITSGXIntel, [https://cdrdv2-public.intel.com/851355/319433-057-architecture-instruction-set-extensions-programming-reference.pdf Intel Architecture Instruction Set Extensions and Future Features] order no. 319433-057, March 2025, chapter 14. [https://web.archive.org/web/20250406100407/https://cdrdv2-public.intel.com/851355/319433-057-architecture-instruction-set-extensions-programming-reference.pdf Archived] on 6 Apr 2025.

{{!}}-

{{!}} A (EREPORT2) {{!!}} Create a cryptographic report that contains SHA384 measurements

{{!}}-

{{!}} B (EGETKEY256) {{!!}} Create a 256-bit cryptographic key

{{!)}}

Any unsupported value in EAX causes a #GP exception.
The EENTER and ERESUME functions cannot be executed inside an SGX enclave – the other functions can only be executed inside an enclave.

}} — depending on function, the instruction may take additional input operands in RBX, RCX and RDX.

Depending on function, the instruction may return data/status information in EAX and/or RCX.

| {{yes|3{{efn|ENCLU can only be executed in ring 3, not rings 0/1/2.}}}}

| {{nowrap|NP 0F 01 C0}}

| Perform an SGX Virtualization function. The function to perform is given in EAX{{efn|text=The leaf functions defined for ENCLV (selected by EAX) are:

{{(!}} class="wikitable sortable"

! EAX !! Function

{{!}}-

! colspan="2" {{!}} Added with OVERSUB

{{!}}-

{{!}} 0 (EDECVIRTCHILD) {{!!}} Decrement VIRTCHILDCNT in SECS

{{!}}-

{{!}} 1 (EINCVIRTCHILD) {{!!}} Increment VIRTCHILDCNT in SECS

{{!}}-

{{!}} 2 (ESETCONTEXT) {{!!}} Set ENCLAVECONTEXT field in SECS

{{!)}}

Any unsupported value in EAX causes a #GP exception.
The ENCLV instruction is only present on systems that support the EPC Oversubscription Extensions to SGX ("OVERSUB").

}} — depending on function, the instruction may take additional input operands in RBX, RCX and RDX.

Instruction returns status information in EAX.

| {{no|0{{efn|ENCLV is only available if Intel VMX operation is enabled with VMXON, and will produce #UD otherwise.}}}}

| PTWRITE r/m32
PTWRITE r/m64

| F3 0F AE /4
{{nowrap|F3 REX.W 0F AE /4}}

| Read data from register or memory to encode into a PTW packet.{{efn|For PTWRITE, the write to the Processor Trace Packet will only happen if a set of enable-bits (the "TriggerEn", "ContextEn", "FilterEn" bits of the RTIT_STATUS MSR and the "PTWEn" bit of the RTIT_CTL MSR) are all set to 1.
The PTWRITE instruction is indicated in the SDM to cause an #UD exception if the 66h instruction prefix is used, regardless of other prefixes.}}

| {{yes|3}}

| Kaby Lake,
{{nowrap|Goldmont Plus}}

| PCONFIG

| NP 0F 01 C5

| Perform a platform feature configuration function. The function to perform is specified in EAX{{efn|text=The leaf functions defined for PCONFIG (selected by EAX) are:

{{(!}} class="wikitable sortable"

! EAX !! Function

{{!}}-

{{!}} 0 {{!!}} MKTME_KEY_PROGRAM:
Program key and encryption mode to use with an TME-MK Key ID.

{{!}}-

! colspan="2" {{!}} Added with TSE

{{!}}-

{{!}} 1 {{!!}} TSE_KEY_PROGRAM:
Direct key programming for TSE.

{{!}}-

{{!}} 2 {{!!}} TSE_KEY_PROGRAM_WRAPPED:
Wrapped key programming for TSE.

{{!)}}

Any unsupported value in EAX causes a #GP(0) exception.}} - depending on function, the instruction may take additional input operands in RBX, RCX and RDX.

If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0.

| {{no|0}}

| Ice Lake-SP

| CLDEMOTE m8

| NP 0F 1C /0

| Move cache line containing m8 from CPU L1 cache to a more distant level of the cache hierarchy.{{efn|For CLDEMOTE, the cache level that it will demote a cache line to is implementation-dependent.
Since the instruction is considered a hint, it will execute as a NOP without any exceptions if the provided memory address is invalid or not in the L1 cache. It may also execute as a NOP under other implementation-dependent circumstances as well.
On systems that do not support the CLDEMOTE extension, it executes as a NOP.}}

| {{yes|3}}

| (Tremont),
(Alder Lake),
{{nowrap|Sapphire Rapids{{efn|text=Intel documentation lists Tremont and Alder Lake as the processors in which CLDEMOTE was introduced. However, as of May 2022, no Tremont or Alder Lake models have been observed to have the CPUID feature bit for CLDEMOTE set, while several of them have the CPUID bit cleared.{{Cite tweet |user=InstLatX64 |number=1521562151848132609 |date=May 3, 2022 |title=The CLDEMOTE Story |access-date=2023-01-23 |language=en}}
As of April 2023, the CPUID feature bit for CLDEMOTE has been observed to be set for Sapphire Rapids.{{Cite tweet |user=Instlatx64 |number=1648008172974514193 |date=Apr 17, 2023 |title=20-Core Intel Xeon w7-2475X (SapphireRapids-64L) 806F8 CPUID dump |access-date=2023-04-20 |language=en}}}}}}

| UMONITOR r16/32/64

| F3 0F AE /6

| Start monitoring a memory location for memory writes. The memory address to monitor is given by the register argument.{{efn|For UMONITOR, the operand size of the address argument is given by the address size, which may be overridden by the 67h prefix. The default segment used is DS:, which can be overridden with a segment prefix.}}

| {{yes|3}}

| rowspan="3" | Tremont,
Alder Lake

| F2 0F AE /6

| Timed wait for a write to a monitored memory location previously specified with UMONITOR. In the absence of a memory write, the wait will end when either the TSC reaches the value specified by EDX:EAX or the wait has been going on for an OS-controlled maximum amount of time.{{efn|name=umwait_ctrl|For the UMWAIT and TPAUSE instructions, the operating system can use the IA32_UMWAIT_CONTROL MSR to limit the maximum amount of time that a single UMWAIT/TPAUSE invocation is permitted to wait. The UMWAIT and TPAUSE instructions will set RFLAGS.CF to 1 if they reached the IA32_UMWAIT_CONTROL-defined time limit and 0 otherwise.}}

| rowspan="2" {{yes2|Usually 3{{efn|name="waitpkg_cr4tsd"|text=TPAUSE and UMWAIT can be run outside Ring 0 only if CR4.TSD=0.}}}}

| 66 0F AE /6

| Wait until the Time Stamp Counter reaches the value specified in EDX:EAX.{{efn|name=umwait_ctrl}}

The register argument to the UMWAIT and TPAUSE instructions specifies extra flags to control the operation of the instruction.{{efn|name=umwait_flags|text=For the register argument to the UMWAIT and TPAUSE instructions, the following flag bits are supported:{{(!}} class="wikitable sortable"

! Bits !! Usage

{{!}}-

{{!}} 0 {{!!}} Preferred optimization state.

• 0 = C0.2 (slower wakeup, improves performance of other SMT threads on same core)
• 1 = C0.1 (faster wakeup)

{{!}}-

{{!}} 31:1 {{!!}} {{n/a|(Reserved)}}

{{!)}}}}

| SERIALIZE

| NP 0F 01 E8

| Serialize instruction fetch and execution.{{efn|While serialization can be performed with older instructions such as e.g. CPUID and IRET, these instructions perform additional functions, causing side-effects and reduced performance when stand-alone instruction serialization is needed. (CPUID additionally has the issue that it causes a mandatory #VMEXIT when executed under virtualization, which causes a very large overhead.) The SERIALIZE instruction performs serialization only, avoiding these added costs.}}

| {{yes|3}}

| Alder Lake

| HRESET imm8

| {{nowrap|F3 0F 3A F0 C0 ib}}

| Request that the processor reset selected components of hardware-maintained prediction history. A bitmap of which components of the CPU's prediction history to reset is given in EAX (the imm8 argument is ignored).{{efn|text=A bitmap of CPU history components that can be reset through HRESET is provided by {{nowrap|1=CPUID.(EAX=20h,ECX=0):EBX.}}
As of July 2023, the following bits are defined:

{{(!}} class="wikitable sortable"

! Bit !! Usage

{{!}}-

{{!}} 0 {{!!}} Intel Thread Director history

{{!}}-

{{!}} 31:1 {{!!}} {{n/a|(Reserved)}}

{{!)}}}}

| {{no|0}}

| Alder Lake

| SENDUIPI reg

| F3 0F C7 /6

| Send Interprocessor User Interrupt.{{efn|The register argument to SENDUIPI is an index to pick an entry from the UITT (User-Interrupt Target Table, a table specified by the new UINTR_TT and UINT_MISC MSRs.)}}

| rowspan="5" {{yes|3}}

| rowspan="5" | Sapphire Rapids

| F3 0F 01 EC

| User Interrupt Return.

Pops RIP, RFLAGS and RSP off the stack, in that order.{{efn|text=On Sapphire Rapids processors, the UIRET instruction always sets UIF (User Interrupt Flag) to 1. On Sierra Forest and later processors, UIRET will set UIF to the value of bit 1 of the value popped off the stack for RFLAGS - this functionality is indicated by CPUID.(EAX=7,ECX=1):EDX[17].}}

| F3 0F 01 ED

| Test User Interrupt Flag.
Copies UIF to EFLAGS.CF .

| F3 0F 01 EE

| Clear User Interrupt Flag.

| F3 0F 01 EF

| Set User Interrupt Flag.

Part of Intel DSA (Data Streaming Accelerator Architecture).Intel, [https://cdrdv2-public.intel.com/671116/341204-intel-data-streaming-accelerator-spec.pdf Intel Data Streaming Accelerator Architecture Specification], order no. 341204-004, Sep 2022, pages 13 and 23. [https://web.archive.org/web/20230720233510/https://cdrdv2-public.intel.com/671116/341204-intel-data-streaming-accelerator-spec.pdf Archived] on 20 Jul 2023.

| ENQCMD reg,m512

| F2 0F 38 F8 /r

| Enqueue Command. Reads a 64-byte "command data" structure from memory (m512 argument) and writes atomically to a memory-mapped Enqueue Store device (register argument provides the memory address of this device, using ES segment and requiring 64-byte alignment.{{efn|text=For ENQCMD and EMQCMDS, the operand-size of the register argument is given by the current address-size, which can be overridden with the 67h prefix.}}) Sets ZF=0 to indicate that device accepted the command, or ZF=1 to indicate that command was not accepted (e.g. queue full or the memory location was not an Enqueue Store device.)

| {{yes|3}}

| rowspan="2" | {{nowrap|Sapphire Rapids}}

| F3 0F 38 F8 /r

| Enqueue Command Supervisor. Differs from ENQCMD in that it can place an arbitrary PASID (process address-space identifier) and a privilege-bit in the "command data" to enqueue.

| {{no|0}}

| WRMSRNS

| NP 0F 01 C6

|Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX.

The instruction differs from the older WRMSR instruction in that it is not serializing.

| {{no|0}}

| {{nowrap|Sierra Forest}}

| RDMSRLIST

| F2 0F 01 C6

| Read multiple MSRs. RSI points to a table of up to 64 MSR indexes to read (64 bits each), RDI points to a table of up to 64 data items that the MSR read-results will be written to (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR read for.{{efn|name=msrlist_align|text=For the RDMSRLIST and WRMSRLIST instructions, the addresses specified in the RSI and RDI registers must be 8-byte aligned.}}

| rowspan="2" {{no|0}}

| rowspan="2" | {{nowrap|Sierra Forest}}

| F3 0F 01 C6

| Write multiple MSRs. RSI points to a table of up to 64 MSR indexes to write (64 bits each), RDI points to a table of up to 64 data items to write into the MSRs (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR write for.{{efn|name=msrlist_align}} The MSRs are written in table order.

The instruction is not serializing.

| {{nowrap|CMPccXADD m32,r32,r32}}
{{nowrap|CMPccXADD m64,r64,r64}}
 

| {{small|{{nowrap|VEX.128.66.0F38.W0 Ex /r}}
{{nowrap|VEX.128.66.0F38.W1 Ex /r}}}}
{{efn|name=setcc_conds|text=The condition codes supported for the CMPccXADD instructions (opcode VEX.128.66.0F38 Ex /r with the x nibble specifying the condition) are:

{{(!}} class="wikitable sortable"

! x !! cc !! Condition (EFLAGS)

{{!}}-

{{!}} 0 {{!!}} O {{!!}} OF=1: "Overflow"

{{!}}-

{{!}} 1 {{!!}} NO {{!!}} OF=0: {{nowrap|"Not Overflow"}}

{{!}}-

{{!}} 2 {{!!}} B {{!!}} CF=1: "Below"

{{!}}-

{{!}} 3 {{!!}} NB {{!!}} CF=0: {{nowrap|"Not Below"}}

{{!}}-

{{!}} 4 {{!!}} Z {{!!}} ZF=1: "Zero"

{{!}}-

{{!}} 5 {{!!}} NZ {{!!}} ZF=0: {{nowrap|"Not Zero"}}

{{!}}-

{{!}} 6 {{!!}} BE {{!!}} (CF=1 or ZF=1): {{nowrap|"Below or Equal"}}

{{!}}-

{{!}} 7 {{!!}} NBE {{!!}} (CF=0 and ZF=0): {{nowrap|"Not Below or Equal"}}

{{!}}-

{{!}} 8 {{!!}} S {{!!}} SF=1: "Sign"

{{!}}-

{{!}} 9 {{!!}} NS {{!!}} SF=0: {{nowrap|"Not Sign"}}

{{!}}-

{{!}} A {{!!}} P {{!!}} PF=1: "Parity"

{{!}}-

{{!}} B {{!!}} NP {{!!}} PF=0: {{nowrap|"Not Parity"}}

{{!}}-

{{!}} C {{!!}} L {{!!}} SF≠OF: "Less"

{{!}}-

{{!}} D {{!!}} NL {{!!}} SF=OF: {{nowrap|"Not Less"}}

{{!}}-

{{!}} E {{!!}} LE {{!!}} (ZF=1 or SF≠OF): {{nowrap|"Less or Equal"}}

{{!}}-

{{!}} F {{!!}} NLE {{!!}} (ZF=0 and SF=OF): {{nowrap|"Not Less or Equal"}}

{{!)}}}}{{efn|Even though the CMPccXADD instructions perform a locked memory operation, they do not require or accept the LOCK (F0h) prefix - attempting to use this prefix results in #UD.}} 

| Read value from memory, then compare to first register operand. If the comparison passes, then add the second register operand to the memory value. The instruction as a whole is performed atomically.
The operation of {{nowrap|CMPccXADD [mem],reg1,reg2}} is:

temp1 := [mem]
EFLAGS := CMP temp1, reg1 // sets EFLAGS like regular compare
reg1 := temp1
if( condition )
[mem] := temp1 + reg2

| {{yes|3}}

| {{nowrap|Sierra Forest,}}
Lunar Lake

Part of Intel TSE (Total Storage Encryption), and available in 64-bit mode only.

| PBNDKB

| NP 0F 01 C7

| Bind information to a platform by encrypting it with a platform-specific wrapping key. The instruction takes as input the addresses to two 256-byte-aligned "bind structures" in RBX and RCX, reads the structure pointed to by RBX and writes a modified structure to the address given in RCX.

If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0.

| {{no|0}}

| Lunar Lake

! Instruction Set Extension !! Instruction
mnemonics !! Opcode !! Instruction description !! Ring !! Added in

| MOV reg,CR8

| F0 0F 20 /0{{efn|name="altmovcr8_encoding"|Like other variants of MOV to/from the CRx registers, the AltMovCr8 encodings ignore the top 2 bits of the instruction's ModR/M byte, and always execute as if these two bits are set to 11b.
The AltMovCr8 encodings are available in 64-bit mode. However, combining the LOCK prefix with the REX.R prefix is not permitted and will cause an #UD exception.}}

| Read the CR8 register.

| rowspan="2" {{no|0}}

| rowspan="2" | K8{{efn|Support for AltMovCR8 was added in stepping F of the AMD K8, and is not available on earlier steppings.}}

| {{nowrap|F0 0F 22 /0}}{{efn|name="altmovcr8_encoding"}}

| Write to the CR8 register.

| MONITORX

| NP 0F 01 FA

| Start monitoring a memory location for memory writes. Similar to older MONITOR, except available in user mode.

| rowspan="2" {{yes|3}}

| rowspan="2" | Excavator

| NP 0F 01 FB

| Wait for a write to a monitored memory location previously specified with MONITORX.
MWAITX differs from the older MWAIT instruction mainly in that it runs in user mode and that it can accept an optional timeout argument (given in TSC time units) in EBX (enabled by setting bit[1] of ECX to 1.)

| {{nowrap|CLZERO rAX}}

| NP 0F 01 FC

| Write zeroes to all bytes in a memory region that has the size and alignment of a CPU cache line and contains the byte addressed by DS:rAX.{{efn|For CLZERO, the address size and 67h prefix control whether to use AX, EAX or RAX as address. The default segment DS: can be overridden by a segment-override prefix. The provided address does not need to be aligned – hardware will align it as necessary.
The CLZERO instruction is intended for recovery from otherwise-fatal Machine Check errors. It is non-cacheable, cannot be used to allocate a cache line without a memory access, and should not be used for fast memory clears.Wikichip, [https://en.wikichip.org/w/index.php?title=x86/clzero&oldid=94738 CLZERO – x86]}}

| {{yes|3}}

| Zen 1

| RDPRU

| NP 0F 01 FD

| Read selected MSRs (mainly performance counters) in user mode. ECX specifies which register to read.{{efn|text=The register numbering used by RDPRU does not necessarily match that of RDMSR/WRMSR.
The registers supported by RDPRU as of December 2022 are:

{{(!}} class="wikitable sortable"

! ECX !! Register

{{!}}-

{{!}} 0 {{!!}} MPERF (MSR 0E7h: Maximum Performance Frequency Clock Count)

{{!}}-

{{!}} 1 {{!!}} APERF (MSR 0E8h: Actual Performance Frequency Clock Count)

{{!)}}

Unsupported values in ECX return 0.}}

The value of the MSR is returned in EDX:EAX.

| {{yes2|Usually 3{{efn|text=If CR4.TSD=1, then the RDPRU instruction can only run in ring 0.}}}}

| Zen 2

| MCOMMIT

| F3 0F 01 FA

| Ensure that all preceding stores in thread have been committed to memory, and that any errors encountered by these stores have been signalled to any associated error logging resources. The set of errors that can be reported and the logging mechanism are platform-specific.
Sets EFLAGS.CF to 0 if any errors occurred, 1 otherwise.

| {{yes|3}}

| Zen 2

| INVLPGB

| NP 0F 01 FE

| Invalidate TLB Entries for a range of pages, with broadcast. The invalidation is performed on the processor executing the instruction, and also broadcast to all other processors in the system.
rAX takes the virtual address to invalidate and some additional flags, ECX takes the number of pages to invalidate, and EDX specifies ASID and PCID to perform TLB invalidation for.

| rowspan="2" {{no|0}}

| rowspan="2" | Zen 3

| NP 0F 01 FF

| Synchronize TLB invalidations.
Wait until all TLB invalidations signalled by preceding invocations of the INVLPGB instruction on the same logical processor have been responded to by all processors in the system. Instruction is serializing.

! Instruction description

! Mnemonic

! Opcode

! colspan="2" | Additional items

| FNINIT

| DB E3

| FLDCW m16

| FNSTCW m16

| FNSTSW m16{{efn|F(N)STSW with the AX register as a destination is available on 80287 and later, but not on the 8087.}}

| DD /7

| FNCLEX

| DB E2

| FLDENV m112/m224{{efn|name="x87_environment_size"|On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.
64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired.}}

| D9 /4

| {{nowrap|FNSTENV m112/m224{{efn|name="x87_environment_size"}}}}

| D9 /6

| {{nowrap|FNSAVE m752/m864{{efn|name="x87_environment_size"}}}}

| DD /6

| FRSTOR m752/m864{{efn|name="x87_environment_size"}}

| DD /4

| FNENI

| FNDISI

| FLD m32

| FST m32

| DD D0+i

| FSTP m32

| DB /7

| {{nowrap|DD D8+i}}

| FLDZ

| FLD1

| FLDPI

| FLDL2T

| FLDL2E

| FLDLG2

| FLDLN2

| rowspan="3" | FXCH st(i){{efn|name="x87_optarg"|For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.}}{{efn|On Intel Pentium and later processors, FXCH is implemented as a register renaming rather than a true data move. This has no semantic effect, but enables zero-cycle-latency operation. It also allows the instruction to break data dependencies for the x87 top-of-stack value, improving attainable performance for code optimized for these processors.}}

| D9 C8+i

| rowspan=3 {{no}}

| rowspan=3 {{n/a}}

| FILD m16

| FIST m16

| FISTP m16

| FBLD m80

| DF /4

| FBSTP m80

:{{code|dst <- dst + src}}

| FADD m32

:{{code|dst <- dst * src}}

| FMUL m32

:{{code|dst <- dst – src}}

| FSUB m32

:{{code|dst <- src – dst}}

| FSUBR m32

:{{code|dst <- dst / src}}

| FDIV m32

:{{code|dst <- src / dst}}

| FDIVR m32

:{{code|CC <- result_of( st(0) – src )}}
Same operation as subtract, except that it updates the x87 CC status register instead of any of the FPU stack registers

| FCOM m32

| D8 D0+i

| FADDP st(i),st{{efn|name="x87_optarg"}}

| FMULP st(i),st{{efn|name="x87_optarg"}}

| FSUBP st(i),st{{efn|name="x87_optarg"}}

| FSUBRP st(i),st{{efn|name="x87_optarg"}}

| FDIVP st(i),st{{efn|name="x87_optarg"}}

| FDIVRP st(i),st{{efn|name="x87_optarg"}}

| FCOMP m32

| D8 D8+i

| FCOMPP

| FIADD m16

| FIMUL m16

| FISUB m16

| FISUBR m16

| FIDIV m16

| FIDIVR m16

| FICOM m16

| FICOMP m16

| DA /3

| DE /3

| FCHS

| FABS

| FTST

{{(!}} class="wikitable sortable"

! C3 !! C2 !! C0 !! Classification

{{!}}-

{{!}} 0 {{!!}} 0 {{!!}} 0 {{!!}} Unsupported (unnormal or pseudo-NaN)

{{!}}-

{{!}} 0 {{!!}} 0 {{!!}} 1 {{!!}} NaN

{{!}}-

{{!}} 0 {{!!}} 1 {{!!}} 0 {{!!}} Normal finite number

{{!}}-

{{!}} 0 {{!!}} 1 {{!!}} 1 {{!!}} Infinity

{{!}}-

{{!}} 1 {{!!}} 0 {{!!}} 0 {{!!}} Zero

{{!}}-

{{!}} 1 {{!!}} 0 {{!!}} 1 {{!!}} Empty

{{!}}-

{{!}} 1 {{!!}} 1 {{!!}} 0 {{!!}} Denormal number

{{!}}-

{{!}} 1 {{!!}} 1 {{!!}} 1 {{!!}} Empty (may occur on 8087/80287 only)

{{!)}}

C1 is set to the sign-bit of st(0), regardless of whether st(0) is Empty or not.

}}

| FXAM

• If st(0) is ±0, then on 8087/80287, {{mvar|E}} and {{mvar|M}} are both set equal to st(0) with no exception reported — on 80387 and later, {{mvar|M}} is set equal to st(0), {{mvar|E}} is set to -∞, and a zero-divide exception is raised.
• If st(0) is ±∞, then on 8087/80287, an invalid-operation exception is raised and both {{mvar|M}} and {{mvar|E}} are set to NaN — on 80387 and later, {{mvar|M}} is set equal to st(0) and {{mvar|E}} is set to +∞ with no exception reported.Intel, [https://bitsavers.org/components/intel/80386/231917-001_80387_Programmers_Reference_Manual_1987.pdf 80387 Programmer's Reference Manual], order no. 231917-001, see section 4.4.12 on page 89 and section C.5 on page 190 for information on FXTRACT special-cases and section 4.4.9 on page 87 for information about the FPTAN (and by extension FSIN/FCOS/FSINCOS) argument reduction inaccuracy.

}}
st(0) is then replaced with {{mvar|E}}, after which {{mvar|M}} is pushed onto the stack.

| FXTRACT

| FPREM

| FSQRT

| FRNDINT

| FSCALE

| F2XM1

| colspan="2" | 8087: $0\backslash leq\; st(0)\backslash leq\backslash frac\{1\}\{2\}$
80387: $-1\backslash leq\; st(0)\backslash leq1$

| FYL2X

| D9 F1

| FPTAN

| colspan="2" | 8087: $0\backslash leq\backslash left|st(0)\backslash right|\backslash leq\backslash frac\{\backslash pi\}\{4\}$
80387: 

• If both st(0) and st(1) are ±∞, then the arctangent is computed as if each of st(0) and st(1) had been replaced with ±1 of the same sign. This produces a result that is an odd multiple of $\backslash frac\{\backslash pi\}\{4\}$.
• If both st(0) and st(1) are ±0, then the arctangent is computed as if st(0) but not st(1) had been replaced with ±1 of the same sign, producing a result of ±0 or $\backslash pm\backslash pi$.
• If st(0) is negative (has sign bit set), then an addend of $\backslash pm\backslash pi$ with the same sign as st(1) is added to the result.

| FPATAN

| colspan="2" | 8087: 
80387: no restrictions

| FYL2XP1

| colspan="2" | Intel: 
AMD: 

| FNOP

| rowspan="7" colspan="2" |

| FDECSTP

| FINCSTP

| FFREE st(i)

| {{nowrap|DD C0+i}}

| WAIT,
FWAIT

| {{unofficial2|align=left|{{nowrap|{{mono|FSTPNCE st(i)}}}}}}

| {{unofficial2|align=left|{{mono|D9 D8+i}}{{efn|name="x87_alias"}}}}

| {{unofficial2|align=left|{{nowrap|{{mono|FFREEP st(i)}}}}}}

| {{unofficial2|align=left|{{mono|DF C0+i}}{{efn|name="x87_alias"}}}}

! Instruction description

! Mnemonic

! Opcode

! Additional items

| rowspan="3" | {{efn|1=If st(0) is finite and its absolute value is $2^\{63\}$ or greater, then the top-of-stack value st(0) is left unmodified and C2 is set, with no exception raised. This applies to the FSIN, FCOS and FSINCOS instructions, as well as FPTAN on 80387 and later.
In this case, the FSINCOS and FPTAN instructions will also abstain from pushing a value onto the x87 register-stack.}}

• FXSAVE/FXRSTOR will save/restore FIP and FDP as 32-bit items, and will also save/restore FCS and FDS as 16-bit items.
• FXSAVE64/FXRSTOR64 will save/restore FIP and FDP as 64-bit items while not saving/restoring FCS and FDS.

This difference also applies to the later XSAVE/XRSTOR vs XSAVE64/XRSTOR64 instructions.
As a result, saving both FCS/FDS and the top 32 bits of 64-bit FIP/FDP cannot be accomplished with 1 instruction, but instead requires running both (F)XSAVE and (F)XSAVE64. This has been known to cause problems, especially for 64-bit hypervisors running 16/32-bit guests.Michal Necasek, [https://www.os2museum.com/wp/failing-to-fail/ Failing to fail], 16 Jun 2023, OS/2 Museum, see addendum. [https://web.archive.org/web/20241001102457/https://www.os2museum.com/wp/failing-to-fail/ Archived] on 1 Oct 2024.VirtualBox issue tracker, [https://www.virtualbox.org/ticket/12646 ticket 12646: XP Guest GPF in WIN87EM.DLL at 0001:02C9 or 0001:02C6]. [https://web.archive.org/web/20160313041317/https://www.virtualbox.org/ticket/12646 Archived] on 13 Mar 2016.}}

! Mnemonics

! Opcodes

! Description

! Status

| D4 ib

| ASCII-Adjust-after-Multiply. On the 8086, documented for imm8=0Ah only, which is used to convert a binary multiplication result to BCD.

The actual operation is {{code|AH ← AL/imm8; AL ← AL mod imm8}} for any imm8 value (except zero, which produces a divide-by-zero exception).Robert Collins, [http://www.rcollins.org/secrets/opcodes/AAM.html Undocumented OpCodes: AAM]. [https://web.archive.org/web/20010221212212/http://www.rcollins.org/secrets/opcodes/AAM.html Archived on 21 Feb 2001]

| rowspan="2" | Available beginning with 8086, documented for imm8 values other than 0Ah since Pentium (earlier documentation lists no arguments).

| D5 ib

| ASCII-Adjust-Before-Division. On the 8086, documented for imm8=0Ah only, which is used to convert a BCD value to binary for a following division instruction.

The actual operation is {{code|AL ← (AL+(AH*imm8)) & 0FFh; AH ← 0}} for any imm8 value.

| D6

| Set AL depending on the value of the Carry Flag (a 1-byte alternative of {{nowrap|SBB AL, AL}})

| Available beginning with 8086, but only documented since Pentium Pro.

| F1

| Single byte single-step exception / Invoke ICE

| Available beginning with 80386, documented (as INT1) since Pentium Pro. Executes as undocumented instruction prefix on 8086 and 80286.Retrocomputing StackExchange, [https://retrocomputing.stackexchange.com/questions/12004/0f1h-opcode-prefix-on-i80286 0F1h opcode-prefix on i80286]. [https://web.archive.org/web/20230413012532/https://retrocomputing.stackexchange.com/questions/12004/0f1h-opcode-prefix-on-i80286 Archived] on 13 Apr 2023.

| F6 /1 ib

| rowspan=2 | Undocumented variants of the TEST instruction.Frank van Gilluwe, "The Undocumented PC – Second Edition", p. 93-95 Performs the same operation as the documented {{nowrap|F6 /0}} and {{nowrap|F7 /0}} variants, respectively.

| rowspan=2 | Available since the 8086.

Unavailable on some 80486 steppings.Michal Necasek, [http://www.os2museum.com/wp/intel-486-errata/ Intel 486 Errata?], 6 Dec 2015. [https://web.archive.org/web/20231129063912/http://www.os2museum.com/wp/intel-486-errata/ Archived] on 29 Nov 2023.Robert Hummel, "PC Magazine Programmer's Technical Reference" ({{ISBN|1-56276-016-5}}) p.728

| {{nowrap|F7 /1 iw}},
{{nowrap|F7 /1 id}}

| {{nowrap|(D0..D3) /6}},
{{nowrap|(C0..C1) /6 ib}}

| Undocumented variants of the SHL instruction. Performs the same operation as the documented {{nowrap|(D0..D3) /4}} and {{nowrap|(C0..C1) /4 ib}} variants, respectively.

| Available since the 80186 (performs different operation on the 8086)Raúl Gutiérrez Sanz, [http://www.os2museum.com/wp/undocumented-8086-opcodes-part-i/ Undocumented 8086 Opcodes, Part I], 27 Dec 2017. [https://web.archive.org/web/20231129062730/http://www.os2museum.com/wp/undocumented-8086-opcodes-part-i/ Archived] on 29 Nov 2023.

| {{nowrap|82 /(0..7) ib}}

| Alias of opcode 80h, which provides variants of 8-bit integer instructions (ADD, OR, ADC, SBB, AND, SUB, XOR, CMP) with an 8-bit immediate argument.

| Available since the 8086.{{Cite web|url=http://computer-programming-forum.com/46-asm/143edbd28ae1a091.htm|title = Asm, opcode 82h|date=24 Dec 1998|archive-url=https://web.archive.org/web/20230414000947/http://computer-programming-forum.com/46-asm/143edbd28ae1a091.htm|archive-date=14 Apr 2023|url-status=live}} Explicitly unavailable in 64-bit mode but kept and reserved for compatibility.{{sfn|Intel Corporation|2022|p=3698}}

| {{nowrap|83 /(1,4,6) ib}}

| 16-bit OR/AND/XOR with a sign-extended 8-bit immediate.

| Available on 8086, but only documented from 80386 onwards.Intel, [http://bitsavers.org/components/intel/8086/9800722-03_The_8086_Family_Users_Manual_Oct79.pdf The 8086 Family User's Manual, October 1979], opcodes omitted on pages 4-25 and 4-31Retrocomputing StackExchange, [https://retrocomputing.stackexchange.com/questions/20031/undocumented-instructions-in-x86-cpu-prior-to-80386 Undocumented instructions in x86 CPU prior to 80386?], 4 Jun 2021. [https://web.archive.org/web/20230718101651/https://retrocomputing.stackexchange.com/questions/20031/undocumented-instructions-in-x86-cpu-prior-to-80386 Archived] on 18 Jul 2023.

| F2 (A4..A5)

| rowspan="2" | The behavior of the F2 prefix (REPNZ, REPNE) when used with string instructions other than CMPS/SCAS is officially undefined, but there exists commercial software (e.g. the version of FDISK distributed with MS-DOS versions 3.30 to 6.22Daniel B. Sedory, [https://thestarman.pcministry.com/asm/mbr/STDMBR.htm#REP An Examination of the Standard MBR], 2000. [https://web.archive.org/web/20231006232036/https://thestarman.pcministry.com/asm/mbr/STDMBR.htm#REP Archived] on 6 Oct 2023.) that rely on it to behave in the same way as the documented F3 (REP) prefix.

| rowspan="2" | Available since the 8086.

| F2 (AA..AB)

| F3 C3

| The use of the REP prefix with the RET instruction is not listed as supported in either the Intel SDM or the AMD APM. However, AMD's optimization guide for the AMD-K8 describes the {{nowrap|F3 C3}} encoding as a way to encode a two-byte RET instruction – this is the recommended workaround for an issue in the AMD-K8's branch predictor that can cause branch prediction to fail for some 1-byte RET instructions.AMD, [https://www.amd.com/system/files/TechDocs/25112.PDF Software Optimization Guide for AMD64 Processors] (publication 25112, revision 3.06, sep 2005), section 6.2, p.128 At least some versions of gcc are known to use this encoding.GCC bugzilla, [https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48227 Bug 48227 – "rep ret" generated for -march=core2]. [https://web.archive.org/web/20230409143117/https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48227 Archived] on 9 Apr 2023.

| Executes as RET on all known x86 CPUs.

| 67 90

| NOP with address-size override prefix. The use of the 67h prefix for instructions without memory operands is listed by the Intel SDM (vol 2, section 2.1.1) as "reserved", but it is used in Microsoft Windows 95 as a workaround for a bug in the B1 stepping of Intel 80386.Raymond Chen, [https://devblogs.microsoft.com/oldnewthing/20110112-00/?p=11773 My, what strange NOPs you have!], 12 Jan 2011. [https://web.archive.org/web/20230520034608/https://devblogs.microsoft.com/oldnewthing/20110112-00/?p=11773 Archived] on 20 May 2023.Jeff Parsons, [https://www.pcjs.org/documents/manuals/intel/80386/#b1-errata Intel 80386 CPU information] (B1 errata section, item #7). [https://web.archive.org/web/20231113171132/https://www.pcjs.org/documents/manuals/intel/80386/#b1-errata Archived] on 13 Nov 2023.

| Executes as NOP on 80386 and later.

| 0F 1F /0

| Official long NOP.

Introduced in the Pentium Pro in 1995, but remained undocumented until March 2006.Intel [https://kib.kiev.ua/x86docs/Intel/SDMs/253667-018.pdf Software Developers Manual, volume 2B] (Jan 2006, order no 235667-018, does not have long NOP)Intel [https://kib.kiev.ua/x86docs/Intel/SDMs/253667-019.pdf Software Developers Manual, volume 2B] (March 2006, order no 235667-019, has long NOP)

| Available on Pentium Pro and AMD K7Agner Fog, [https://www.agner.org/optimize/instruction_tables.pdf Instruction Tables], AMD K7 section. and later.

Unavailable on AMD K6, AMD Geode LX, VIA Nehemiah.{{Cite web|url=https://bugzilla.redhat.com/show_bug.cgi?id=579838#c46|title=579838 – glibc not compatible with AMD Geode LX|archive-url=https://web.archive.org/web/20230730214505/https://bugzilla.redhat.com/show_bug.cgi?id=579838#c46|archive-date=30 Jul 2023}}

| 0F 0D /r

| Reserved-NOP. Introduced in {{nowrap|65 nm}} Pentium 4. Intel documentation lists this opcode as NOP in opcode tables but not instruction listings since June 2005.Intel [https://kib.kiev.ua/x86docs/Intel/SDMs/253667-015.pdf Software Developers Manual, volume 2B] (April 2005, order no 235667-015, does not list 0F0D-nop)Intel [https://kib.kiev.ua/x86docs/Intel/SDMs/253667-016.pdf Software Developers Manual, volume 2B] (June 2005, order no 235667-016, lists 0F0D-nop in opcode table but not under NOP instruction description.) From Broadwell onwards, {{nowrap|0F 0D /1}} has been documented as PREFETCHW, while {{nowrap|0F 0D /0 and /2../7}} have been reported to exhibit undocumented prefetch functionality.

On AMD CPUs, {{nowrap|0F 0D /r}} with a memory argument is documented as PREFETCH/PREFETCHW since K6-2 – originally as part of 3Dnow!, but has been kept in later AMD CPUs even after the rest of 3Dnow! was dropped.

|

Available on Intel CPUs since {{nowrap|65 nm}} {{nowrap|Pentium 4}}.

| 0F B9 /r

| rowspan="2" | Intentionally undefined instructions, but unlike UD2 ({{nowrap|0F 0B}}) these instructions were left unpublished until December 2016.Intel [https://kib.kiev.ua/x86docs/Intel/SDMs/253667-060.pdf Software Developers Manual, volume 2B] (order no. 253667-060, September 2016) does not list UD0 and UD1.

Microsoft Windows 95 Setup is known to depend on {{nowrap|0F FF}} being invalid{{Cite web|url=https://github.com/jeffpar/pcjs/blob/e565ffa65d8ee5d600ec04e62c6651dabb4894cb/machines/pcx86/lib/x86op0f.js#L1647|title = PCJS : pcjs/x86op0F.js (two-byte x86 opcode handlers), lines 1647–1651|website = GitHub|date = 17 April 2022|archive-url=https://web.archive.org/web/20230413012542/https://github.com/jeffpar/pcjs/blob/e565ffa65d8ee5d600ec04e62c6651dabb4894cb/machines/pcx86/lib/x86op0f.js#L1647|archive-date=13 Apr 2023}}{{Cite web|url=https://www.vogons.org/viewtopic.php?t=62949|title = 80486 paging protection faults? \ VOGONS|url-status=live|archive-url=https://web.archive.org/web/20220409071156/https://www.vogons.org/viewtopic.php?t=62949|archive-date=9 April 2022}} – it is used as a self check to test that its #UD exception handler is working properly.

Other invalid opcodes that are being relied on by commercial software to produce #UD exceptions include {{nowrap|FF FF}} (DIF-2,{{Cite web|url=https://www.vogons.org/viewtopic.php?t=13379|title = Invalid opcode handling \ VOGONS|url-status=live|archive-url=https://web.archive.org/web/20220409071159/https://www.vogons.org/viewtopic.php?t=13379|archive-date=9 April 2022}} LaserLok{{Cite web|url=https://www.vogons.org/viewtopic.php?t=21418|title = Invalid instructions cause exit even if Int 6 is hooked \ VOGONS|url-status=live|archive-url=https://web.archive.org/web/20220409071155/https://www.vogons.org/viewtopic.php?t=21418|archive-date=9 April 2022}}) and {{nowrap|C4 C4}} ("BOP"{{Cite web|url=https://www.ragestorm.net/tutorial?id=27|title = Tutorial – Calling Win32 from DOS|website=Ragestorm|date=17 Sep 2005|url-status=live|archive-url=https://web.archive.org/web/20220409071159/https://www.ragestorm.net/tutorial?id=27|archive-date=9 April 2022}}{{Cite web|url=https://sta.c64.org/blog/dosvddaccess.html|title=Accessing Windows device drivers from DOS programs|archive-url=https://web.archive.org/web/20111108011230/https://sta.c64.org/blog/dosvddaccess.html|archive-date=8 Nov 2011}}), however as of January 2022 they are not published as intentionally invalid opcodes.

| rowspan="2" | All of these opcodes produce #UD exceptions on 80186 and later (except on NEC V20/V30, which assign at least {{nowrap|0F FF}} to the NEC-specific BRKEM instruction.)

| 0F FF

! Mnemonics

! Opcodes

! Description

! Status

| F3 F6 /4, F3 F7 /4

| rowspan=2 | On 8086/8088, a REP or REPNZ prefix on a MUL or IMUL instruction causes the result to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the result.

| rowspan=2 | 8086/8088 only.{{cite web |url=https://www.reenigne.org/blog/8086-microcode-disassembled/ |title=8086 microcode disassembled |date=2020-09-03 |website=Reenigne blog |access-date=2022-07-26 |archive-url=https://web.archive.org/web/20231208191745/https://www.reenigne.org/blog/8086-microcode-disassembled/ |archive-date=8 Dec 2023 |url-status=live |quote=Using the REP or REPNE prefix with a MUL or IMUL instruction negates the product. Using the REP or REPNE prefix with an IDIV instruction negates the quotient.}}

| F3 F6 /5, F3 F7 /5

| F3 F6 /7, F3 F7 /7

| On 8086/8088, a REP or REPNZ prefix on an IDIV (but not DIV) instruction causes the quotient to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the quotient.

| 8086/8088 only.

STOREALL

| (F1) 0F 04

| Exact purpose unknown, causes CPU hang (HCF). The only way out is CPU reset.{{cite web

| url = http://www.sandpile.org/post/msgs/20004129.htm

| archive-url = https://web.archive.org/web/20041106070621/http://www.sandpile.org/post/msgs/20004129.htm

| title = Re: Undocumented opcodes (HINT_NOP)

| archive-date = 2004-11-06

| access-date = 2010-11-07

}}

In some implementations, emulated through BIOS as a halting sequence.{{cite web

| url = http://www.sandpile.org/post/msgs/20003986.htm

| archive-url = https://web.archive.org/web/20030626044017/http://www.sandpile.org/post/msgs/20003986.htm

| title = Re: Also some undocumented 0Fh opcodes

| archive-date = 2003-06-26

| access-date = 2010-11-07

}}

In [https://forum.vcfed.org/index.php?threads/i-found-the-saveall-opcode.71519/ a forum post at the Vintage Computing Federation], this instruction (with F1 prefix) is explained as SAVEALL. It interacts with ICE mode.

| Only available on 80286.

| 0F 05

| Loads All Registers from Memory Address 0x000800H

| Only available on 80286.

Opcode reused for SYSCALL in AMD K6 and later CPUs.

| 0F 07

| Loads All Registers from Memory Address ES:EDI

| Only available on 80386.

Opcode reused for SYSRET in AMD K6 and later CPUs.

| 0F 0AIntel's [https://web.archive.org/web/20220424231054/https://github.com/Intel-SCC/RCCE/blob/master/src/RCCE_admin.c#L87 RCCE library] for the SCC used opcode 0F 0A for SCC's message invalidation instruction.

| On the Intel SCC (Single-chip Cloud Computer), invalidate all message buffers. The mnemonic and operation of the instruction, but not its opcode, are described in Intel's SCC architecture specification.Intel Labs, [https://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/intel-labs-single-chip-cloud-architecture-brief.pdf SCC External Architecture Specification (EAS), Revision 0.94], p.29. [https://web.archive.org/web/20220522083931/https://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/intel-labs-single-chip-cloud-architecture-brief.pdf Archived] on May 22, 2022.

| Available on the SCC only.

| 0F 0E

| On AMD K6 and later maps to FEMMS operation (fast clear of MMX state) but on Intel identified as uarch data read on Intel{{Cite web|date=9 July 2021|title=Undocumented x86 instructions to control the CPU at the microarchitecture level in modern Intel processors|url=https://raw.githubusercontent.com/chip-red-pill/udbgInstr/main/paper/undocumented_x86_insts_for_uarch_control.pdf}}

|Only available in Red unlock state (0F 0F too)

| 0F 0F

| Write uarch

| Can change RAM part of microcode on Intel

| 0F (10..13) /r

| Moves data to/from user memory when operating in ICE HALT mode.Robert R. Collins, [http://www.rcollins.org/secrets/opcodes/UMOV.html Undocumented OpCodes: UMOV]. [https://web.archive.org/web/20010221221425/http://www.rcollins.org/secrets/opcodes/UMOV.html Archived] on Feb 21, 2001. Acts as regular MOV otherwise.

| Available on some 386 and 486 processors only.

Opcodes reused for SSE instructions in later CPUs.

| 0F 55

| NexGen hypercode interface.Herbert Oppmann, [https://www.memotech.franken.de/NexGen/Opcode0F55.html NXOP (Opcode 0Fh 55h)]

| Available on NexGen Nx586 only.

| {{nowrap|0F (E0..FB)}}Herbert Oppmann, [https://www.memotech.franken.de/NexGen/Source/index.html NexGen Nx586 Hypercode Source], see COMMON.INC. [https://web.archive.org/web/20230409144632/https://www.memotech.franken.de/NexGen/Source/index.html Archived] on 9 Apr 2023.

| NexGen Nx586 "hyper mode" instructions.

The NexGen Nx586 CPU uses "hyper code"Herbert Oppmann, [https://www.memotech.franken.de/NexGen/Bios.html Inside the NexGen Nx586 System BIOS]. [https://web.archive.org/web/20231229134905/https://www.memotech.franken.de/NexGen/Bios.html Archived] on 29 Dec 2023. (x86 code sequences unpacked at boot time and only accessible in a special "hyper mode" operation mode, similar to DEC Alpha's PALcode and Intel's XuCodeIntel, [https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/xucode-implementing-complex-instruction-flows.html XuCode: An Innovative Technology for Implementing Complex Instruction Flows], May 6, 2021. [https://archive.today/20220719155812/https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/xucode-implementing-complex-instruction-flows.html Archived] on Jul 19, 2022.) for many complicated operations that are implemented with microcode in most other x86 CPUs. The Nx586 provides a large number of undocumented instructions to assist hyper mode operation.

| Available in Nx586 hyper mode only.

| 0F 0F /r BB

| Undocumented AMD 3DNow! instruction on K6-2 and K6-3. Swaps 16-bit words within 64-bit MMX register.Grzegorz Mazur, [https://web.archive.org/web/20000121143428/http://x86.ddj.com/articles/3dnow/amd_3dnow.htm AMD 3DNow! undocumented instructions]{{cite web |url=http://grafi.ii.pw.edu.pl/gbm/x86/3dundoc.html |title=Undocumented 3DNow! Instructions |website=grafi.ii.pw.edu.pl |access-date=22 February 2022 |archive-url=https://web.archive.org/web/20030130030723/http://grafi.ii.pw.edu.pl/gbm/x86/3dundoc.html |archive-date=30 January 2003 |url-status=dead}}

Instruction known to be recognized by MASM 6.13 and 6.14.

| Available on K6-2 and K6-3 only.

Opcode reused for documented PSWAPD instruction from AMD K7 onwards.

| 64 D6

| Using the 64 (FS: segment) prefix with the undocumented D6 (SALC/SETALC) instruction will, on UMC CPUs only, cause EAX to be set to 0xAB6B1B07.[http://phg.chat.ru/opcode.txt Potemkin's Hacker Group's OPCODE.LST, v4.51], 15 Oct 1999. [https://web.archive.org/web/20010521193749/http://phg.chat.ru/opcode.txt Archived] on 21 May 2001.{{Cite web|url=https://x86.fr/uca-cpu-analysis-prototype-umc-green-cpu-u5s-super33|title = [UCA CPU Analysis] Prototype UMC Green CPU U5S-SUPER33|date = 25 May 2020|archive-url=https://web.archive.org/web/20230609122255/https://x86.fr/uca-cpu-analysis-prototype-umc-green-cpu-u5s-super33/|archive-date=9 Jun 2023|url-status=live}}

| Available on the UMC Green CPU only. Executes as SALC on non-UMC CPUs.

| 64 (70..7F) rel8,

{{nowrap|64 0F (80..8F) rel16/32}}

| On Intel NetBurst (Pentium 4) CPUs, the 64h (FS: segment) instruction prefix will, when used with conditional branch instructions, act as a branch hint to indicate that the branch will be alternating between taken and not-taken.Agner Fog, [https://www.agner.org/optimize/microarchitecture.pdf The Microarchitecture of Intel, AMD and VIA CPUs], section 3.4 "Branch Prediction in P4 and P4E". [https://web.archive.org/web/20240107010216/https://www.agner.org/optimize/microarchitecture.pdf Archived] on 7 Jan 2024. Unlike other NetBurst branch hints (CS: and DS: segment prefixes), this hint is not documented.

| Available on NetBurst CPUs only.

Segment prefixes on conditional branches are accepted but ignored by non-NetBurst CPUs.

| 0F 3F

| Jump and execute instructions in the undocumented Alternate Instruction Set.

| Only available on some x86 processors made by VIA Technologies.

| VEX.66.0F38 (5C..5F,68..6F,78..7F) /r imm8

| On AMD Zen1, FMA4 instructions are present but undocumented (missing CPUID flag). The reason for leaving the feature undocumented may or may not have been due to a buggy implementation.Reddit /r/Amd discussion thread: [https://www.reddit.com/r/Amd/comments/68s4bj/ryzen_has_undocumented_support_for_fma4/dh0y353/ Ryzen has undocumented support for FMA4]

| Removed from Zen2 onwards.

| 0F 0F /r ??

| The whitepapers for SandSifter and UISFuzz report the detection of large numbers of undocumented instructions in the 3DNow! opcode range on several different AMD CPUs (at least Geode NX and C-50). Their operation is not known.

On at least AMD K6-2, all of the unassigned 3DNow! opcodes (other than the undocumented PF2IW, PI2FW and PSWAPW instructions) are reported to execute as equivalents of POR (MMX bitwise-OR instruction).

| Present on some AMD CPUs with 3DNow!.

GP2MEM

| {{unknown}}

| Microprocessor Report's article "MediaGX Targets Low-Cost PCs" from 1997, covering the introduction of the Cyrix MediaGX processor, lists several new instructions that are said to have been added to this processor in order to support its new "Virtual System Architecture" features, including MOVDB and GP2MEM – and also mentions that Cyrix did not intend to publish specifications for these instructions.Microprocessor Report, [http://www.cecs.uci.edu/~papers/mpr/MPR/ARTICLES/110301.PDF MediaGX Targets Low-Cost PCs] (vol 11, no. 3, mar 10, 1997). [https://web.archive.org/web/20220606231124/https://www.cecs.uci.edu/~papers/mpr/MPR/ARTICLES/110301.PDF Archived] on 6 Jun 2022.

| {{unknown|{{wrap|Unknown. No specification known to have been published.}}}}

| {{nowrap|F3 0F A6 E0}}

| Perform SHA-512 hashing.

Supported by OpenSSL{{Cite web|url=https://github.com/openssl/openssl/blob/1aa89a7a3afb053d0c0b7fad8d3ea1b0a5447289/engines/asm/e_padlock-x86.pl#L597|title=Welcome to the OpenSSL Project|website=GitHub|date=21 April 2022|archive-url=https://web.archive.org/web/20220104214039/https://github.com/openssl/openssl/blob/1aa89a7a3afb053d0c0b7fad8d3ea1b0a5447289/engines/asm/e_padlock-x86.pl#L597|archive-date=4 Jan 2022|url-status=live}} as part of its VIA PadLock support, and listed in a Zhaoxin-supplied Linux kernel patch,LKML, [https://lore.kernel.org/lkml/20230802110741.4077-1-TonyWWang-oc@zhaoxin.com/ (PATCH) crypto: Zhaoxin: Hardware Engine Driver for SHA1/256/384/512], 2 Aug 2023. [https://web.archive.org/web/20240117024338/https://lore.kernel.org/lkml/20230802110741.4077-1-TonyWWang-oc@zhaoxin.com/ Archived] on 17 Jan 2024. but not documented by the [https://web.archive.org/web/20100526054140/http://linux.via.com.tw/support/beginDownload.action?eleid=181&fid=261 VIA PadLock Programming Guide].

| rowspan="4" | Only available on some x86 processors made by VIA Technologies and Zhaoxin.

| F3 0F A6 F8

| rowspan=2 | Instructions to perform modular exponentiation and random number generation, respectively.

Listed in a VIA-supplied patch to add support for VIA Nano-specific PadLock instructions to OpenSSL,Kary Jin, [https://marc.info/?l=openssl-dev&m=130767391615291&w=2 PATCH: Update PadLock engine for VIA C7 and Nano CPUs], openssl-dev mailing list, 10 Jun 2011. [https://web.archive.org/web/20220211130841/https://marc.info/?l=openssl-dev&m=130767391615291&w=2 Archived] on 11 Feb 2022. but not documented by the VIA PadLock Programming Guide.

| F3 0F A7 F8

| {{nowrap|0F A7 (C1..C7)}}

| {{unknown|{{wrap|Detected by CPU fuzzing tools such as SandSifterChristopher Domas, [https://raw.githubusercontent.com/xoreaxeaxeax/sandsifter/dff63246fed84d90118441b8ba5b5d3bdd094427/references/domas_breaking_the_x86_isa_wp.pdf Breaking the x86 ISA], 27 July 2017. [https://web.archive.org/web/20231227000052/https://raw.githubusercontent.com/xoreaxeaxeax/sandsifter/dff63246fed84d90118441b8ba5b5d3bdd094427/references/domas_breaking_the_x86_isa_wp.pdf Archived] on 27 Dec 2023. and UISFuzzXixing Li et al, [https://ieeexplore.ieee.org/abstract/document/8863327 UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching], 9 Oct 2019. [https://archive.today/20231227000943/https://ieeexplore.ieee.org/document/8863327 Archived] on 27 Dec 2023. as executing without causing #UD on several different VIA and Zhaoxin CPUs. Unknown operation, may be related to the documented XSTORE (0F A7 C0) instruction. }}}}

| F2 0F A6 C0

| Zhaoxin SM2 instruction. CPUID flags listed in a Linux kernel patch for OpenEuler, description and opcode (but no instruction mnemonic) provided in a Zhaoxin patent applicationUSPTO/Zhaoxin, [https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20230066718 Patent application US2023/006718: Processor with a hash cryptographic algorithm and data processing thereof], pages 13 and 45, Mar 2, 2023. [https://web.archive.org/web/20230912063311/https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20230066718 Archived] on Sep 12, 2023. and a Zhaoxin-provided Linux kernel patch.LKML, [https://lore.kernel.org/lkml/20231109094744.545887-1-LeoLiu-oc@zhaoxin.com/t/#u (PATCH) crypto: x86/sm2 -add Zhaoxin SM2 algorithm implementation], 11 Nov 2023. [https://web.archive.org/web/20240117023414/https://lore.kernel.org/lkml/20231109094744.545887-1-LeoLiu-oc@zhaoxin.com/t/#u Archived] on 17 Jan 2024.

| Present in Zhaoxin KX-6000G.

| F2 0F A6 D0

| Pause the processor until the Time Stamp Counter reaches or exceeds the value specified in EDX:EAX. Low-power processor C-state can be requested in ECX. Listed in OpenEuler kernel patch.OpenEuler kernel [https://gitee.com/openeuler/kernel/pulls/2602/files pull request 2602: x86/delay: add support for Zhaoxin ZXPAUSE instruction]. Gitee. 26 Oct 2023. [https://web.archive.org/web/20240122224925/https://gitee.com/openeuler/kernel/pulls/2602/files Archived] on 22 Jan 2024.

| Present in Zhaoxin KX-7000.

| {{unknown}}

| Zhaoxin RSA/"xmodx" instructions. Mnemonics and CPUID flags are listed in a Linux kernel patch for OpenEuler,OpenEuler mailing list, [https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/thread/W6GXBRRO6OKNHVJ3WDDUXSLQGI2GFU4X/ PATCH kernel-4.19 v2 5/6 : x86/cpufeatures: Add Zhaoxin feature bits]. [https://web.archive.org/web/20220409071314/https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/thread/W6GXBRRO6OKNHVJ3WDDUXSLQGI2GFU4X/ Archived] on 9 Apr 2022. but opcodes and instruction descriptions are not available.

| {{Unknown|{{wrap|1=Unknown. Some Zhaoxin CPUsInstLatx64, [http://users.atw.hu/instlatx64/CentaurHauls/CentaurHauls00307B2_KX6000_01_CPUID.txt CPUID dump for Zhaoxin KaiXian KX-6000G] – has the SM2 and xmodx feature bits set (CPUID leaf C0000001:EDX:bits 0 and 29). [https://web.archive.org/web/20230725214628/http://users.atw.hu/instlatx64/CentaurHauls/CentaurHauls00307B2_KX6000_01_CPUID.txt Archived] on Jul 25, 2023. have the CPUID flags for these instructions set.}}}}

! Mnemonics

! Opcodes

! Description

! Status

FENI8087_NOP

| DB E0

| FPU Enable Interrupts (8087)

| rowspan="3" | Documented for the Intel 80287.

Present on all Intel x87 FPUs from 80287 onwards. For FPUs other than the ones where they were introduced on (8087 for FENI/FDISI and 80287 for FSETPM), they act as NOPs.

These instructions and their operation on modern CPUs are commonly mentioned in later Intel documentation, but with opcodes omitted and opcode table entries left blank (e.g. [https://cdrdv2-public.intel.com/671200/325462-sdm-vol-1-2abcd-3abcd.pdf Intel SDM 325462-077, April 2022] mentions them twice without opcodes).

The opcodes are, however, recognized by Intel XED.[https://github.com/intelxed/xed/blob/ef19f00de14a9c2c253c1c9b1119e1617280e3f2/datafiles/xed-isa.txt#L916 ISA datafile for Intel XED] (April 17, 2022), lines 916-944

FDISI8087_NOP

| DB E1

| FPU Disable Interrupts (8087)

FSETPM287_NOP

| DB E4

| FPU Set Protected Mode (80287)

| {{nowrap|D9 D7,  D9 E2,}}
{{nowrap|D9 E7,  DD FC,}}
{{nowrap|DE D8,  DE DA,}}
{{nowrap|DE DC,  DE DD,}}
{{nowrap|DE DE,  DF FC}}

| "Reserved by Cyrix" opcodes

| These opcodes are listed as reserved opcodes that will produce "unpredictable results" without generating exceptions on at least Cyrix 6x86,[https://www.ardent-tool.com/CPU/docs/Cyrix/6x86/94175.pdf Cyrix 6x86 processor data book], page 6-34 6x86MX, MII, MediaGX, and AMD Geode GX/LX.[https://www.amd.com/system/files/TechDocs/33234H_LX_databook.pdf AMD Geode LX Processors Data Book], publication 33234H, p.670 (The documentation for these CPUs all list the same ten opcodes.)

Their actual operation is not known, nor is it known whether their operation is the same on all of these CPUs.