The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.
The x86 instruction set has been extended several times, introducing wider registers and datatypes as well as new functionality.[1]
See main article: x86 assembly language. Below is the full 8086/8088 instruction set of Intel (81 instructions total).[2] These instructions are also available in 32-bit mode, they operate instead on 32-bit registers (eax, ebx, etc.) and values instead of their 16-bit (ax, bx, etc.) counterparts. The updated instruction set is grouped according to architecture (i186, i286, i386, i486, i586/i686) and is referred to as (32-bit) x86 and (64-bit) x86-64 (also known as AMD64).
This is the original instruction set. In the 'Notes' column, r means register, m means memory address and imm means immediate (i.e. a value).
| ASCII adjust AL after addition | ||||
| ASCII adjust AX before division | 8086/8088 datasheet documents only base 10 version of the AAD instruction (opcode), but any other base will work. Later Intel's documentation has the generic form too. NEC V20 and V30 (and possibly other NEC V-series CPUs) always use base 10, and ignore the argument, causing a number of incompatibilities | |||
| ASCII adjust AX after multiplication | Only base 10 version (Operand is 0xA) is documented, see notes for AAD | |||
| ASCII adjust AL after subtraction | ||||
| Add with carry | destination = destination + source + [[carry_flag]] | ..., ..., ... (186+) | ||
| Add | (1) r/m += r/imm; (2) r += r/imm; | ..., ..., ... (186+) | ||
(1) r/m &= r/imm; (2) r &= r/imm; | ..., ..., ... (186+) | |||
| ,,, | ||||
| Convert byte to word | AX = AL ; sign extended | |||
CF = 0; | ||||
DF = 0; | ||||
IF = 0; | ||||
| Complement carry flag | CF = !CF; | |||
| Compare operands | ..., ..., ... (186+) | |||
| Compare bytes in memory. May be used with a or prefix to test and repeat the instruction times. | ||||
| Compare words. May be used with a or prefix to test and repeat the instruction times. | ||||
| Convert word to doubleword | ||||
| Decimal adjust AL after addition | (used with packed binary-coded decimal) | |||
| Decimal adjust AL after subtraction | ||||
| Decrement by 1 | ...,, | |||
| Unsigned divide | (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder | , | ||
| .. | ||||
| Enter halt state | ||||
| Signed divide | (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder | , | ||
| Signed multiply in One-operand form | (1) DX:AX = AX * r/m; (2) AX = AL * r/m | , (both 186+),,, (386+) | ||
| Input from port | (1) AL = port[imm]; (2) AL = port[DX]; (3) AX = port[imm]; (4) AX = port[DX]; | ,,, | ||
| Increment by 1 | ...,, | |||
| , | ||||
| Call to interrupt if overflow | ||||
| Return from interrupt | ||||
| ..., ... (386+) | ||||
| Jump if CX is zero | ||||
| Jump | ...,, | |||
| Load FLAGS into AH register | ||||
| Load DS:r with far pointer | ||||
| Load ES:r with far pointer | ||||
| Assert BUS LOCK# signal | (for multiprocessing) | |||
| Load string byte. May be used with a prefix to repeat the instruction times. | ||||
| Load string word. May be used with a prefix to repeat the instruction times. | ||||
| / | Loop control | ... | ||
| Move | copies data from one location to another, (1) r/m = r; (2) r = r/m; | ... | ||
| Move byte from string to string. May be used with a prefix to repeat the instruction times. | . | |||
| Move word from string to string. May be used with a prefix to repeat the instruction times. | ||||
| Unsigned multiply | (1) DX:AX = AX * r/m; (2) AX = AL * r/m; | , | ||
| Two's complement negation | ... | |||
| No operation | opcode equivalent to | |||
| ... | ||||
| (1) (2) | ..., ..., ... (186+) | |||
| Output to port | (1) port[imm] = AL; (2) port[DX] = AL; (3) port[imm] = AX; (4) port[DX] = AX; | ,,, | ||
r/m = *SP++; POP CS (opcode) works only on 8086/8088. Later CPUs use as a prefix for newer instructions. | , (8086/8088 only),,, ..., | |||
| Pop FLAGS register from stack | FLAGS = *SP++; | |||
| Push data onto stack | ,,,, ...,, (both 186+), | |||
| Push FLAGS onto stack | ||||
| Rotate left (with carry) | ... (186+), ... | |||
| Rotate right (with carry) | ... (186+), ... | |||
| Repeat MOVS/STOS/CMPS/LODS/SCAS | , | |||
| Return from procedure | Not a real instruction. The assembler will translate these to a RETN or a RETF depending on the memory model of the target system. | |||
| Return from near procedure | , | |||
| Return from far procedure | , | |||
| Rotate left | ... (186+), ... | |||
| Rotate right | ... (186+), ... | |||
| Store AH into FLAGS | ||||
| Shift Arithmetically left (signed shift left) | (1) r/m <<= 1; (2) r/m <<= CL; | ... (186+), ... | ||
| Shift Arithmetically right (signed shift right) | (1) (signed) r/m >>= 1; (2) (signed) r/m >>= CL; | ... (186+), ... | ||
| Subtraction with borrow | alternative 1-byte encoding of is available via undocumented SALC instruction | ..., ..., ... (186+) | ||
| Compare byte string. May be used with a or prefix to test and repeat the instruction times. | ||||
| Compare word string. May be used with a or prefix to test and repeat the instruction times. | ||||
| Shift left (unsigned shift left) | ... (186+), ... | |||
| Shift right (unsigned shift right) | ... (186+), ... | |||
| Set carry flag | CF = 1; | |||
| Set direction flag | DF = 1; | |||
| Set interrupt flag | IF = 1; | |||
| Store byte in string. May be used with a prefix to repeat the instruction times. | ||||
| Store word in string. May be used with a prefix to repeat the instruction times. | ||||
| Subtraction | (1) r/m -= r/imm; (2) r -= m/imm; | ..., ..., ... (186+) | ||
| Logical compare (AND) | (1) r/m & r/imm; (2) r & m/imm; | ,,,,, | ||
| Wait until not busy | Waits until BUSY# pin is inactive (used with floating-point unit) | |||
| Exchange data | A spinlock typically uses xchg as an atomic operation. (coma bug). | ,, ... | ||
| Table look-up translation | behaves like | |||
(1) r/m ^= r/imm; (2) r ^= m/imm; | ..., ..., ... (186+) |
| Instruction | Opcode | Meaning | Notes |
|---|---|---|---|
| 62 /r | Check array index against bounds | raises software interrupt 5 if test fails | |
| C8 iw ib | Enter stack frame | Modifies stack for entry to procedure for high level language. Takes two operands: the amount of storage to be allocated on the stack and the nesting level of the procedure. | |
| 6C | Input from port to string. May be used with a REP prefix to repeat the instruction CX times. | equivalent to: | |
| 6D | |||
| C9 | Leave stack frame | Releases the local stack storage created by the previous ENTER instruction. | |
| 6E | Output string to port. May be used with a REP prefix to repeat the instruction CX times. | equivalent to: | |
| 6F | |||
| 61 | Pop all general purpose registers from stack | equivalent to: | |
| 60 | Push all general purpose registers onto stack | equivalent to: | |
| immediate | 6A ib | Push an immediate byte/word value onto the stack | example: |
| 68 iw | |||
| immediate | 6B /r ib | Signed and unsigned multiplication of immediate byte/word value | example: |
| 69 /r iw | |||
| immediate | C0 | Rotate/shift bits with an immediate value greater than 1 | example: |
| C1 |
The new instructions added in 80286 add support for x86 protected mode. Some but not all of the instructions are available in real mode as well.
| Instruction | Opcode | Instruction description | Real mode | Ring | |
|---|---|---|---|---|---|
LGDT m16&32 | 0F 01 /2 | Load GDTR (Global Descriptor Table Register) from memory. | rowspan="6" | ||
0F 01 /3 | Load IDTR (Interrupt Descriptor Table Register) from memory. The IDTR controls not just the address/size of the IDT (interrupt Descriptor Table) in protected mode, but the IVT (Interrupt Vector Table) in real mode as well. | ||||
LMSW r/m16 | 0F 01 /6 | Load MSW (Machine Status Word) from 16-bit register or memory. | |||
CLTS | 0F 06 | Clear task-switched flag in the MSW. | |||
LLDT r/m16 | 0F 00 /2 | Load LDTR (Local Descriptor Table Register) from 16-bit register or memory. | rowspan="2" | ||
[[Load Task Register|LTR]] r/m16 | 0F 00 /3 | Load TR (Task Register) from 16-bit register or memory. The TSS (Task State Segment) specified by the 16-bit argument is marked busy, but a task switch is not done. | |||
0F 01 /0 | Store GDTR to memory. | rowspan="5" | |||
SIDT m16&32 | 0F 01 /1 | Store IDTR to memory. | |||
SMSW r/m16 | 0F 01 /4 | Store MSW to register or 16-bit memory. | |||
SLDT r/m16 | 0F 00 /0 | Store LDTR to register or 16-bit memory. | rowspan="2" | ||
STR r/m16 | 0F 00 /1 | Store TR to register or 16-bit memory. | |||
63 /r | Adjust RPL (Requested Privilege Level) field of selector. The operation performed is:if (dst & 3) < (src & 3) then dst = (dst & 0xFFFC) | (src & 3) eflags.zf = 1else eflags.zf = 0 | rowspan="5" | ||
LAR r,r/m16 | 0F 02 /r | Load access rights byte from the specified segment descriptor. Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with 0x00FxFF00, then stores the bottom 16/32 bits of the result in destination register. Sets EFLAGS.ZF=1 if the descriptor could be loaded, ZF=0 otherwise. | rowspan="4" | ||
LSL r,r/m16 | 0F 03 /r | Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise. | |||
VERR r/m16 | Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise. | ||||
VERW r/m16 | 0F 00 /5 | Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise. | |||
Load all CPU registers from a 102-byte data structure starting at physical address 800h, including "hidden" part of segment descriptor registers. | rowspan="2" | ||||
Store all CPU registers to a 102-byte data structure starting at physical address 800h, then shut down CPU. | |||||
The 80386 added support for 32-bit operation to the x86 instruction set. This was done by widening the general-purpose registers to 32 bits and introducing the concepts of OperandSize and AddressSize – most instruction forms that would previously take 16-bit data arguments were given the ability to take 32-bit arguments by setting their OperandSize to 32 bits, and instructions that could take 16-bit address arguments were given the ability to take 32-bit address arguments by setting their AddressSize to 32 bits. (Instruction forms that work on 8-bit data continue to be 8-bit regardless of OperandSize. Using a data size of 16 bits will cause only the bottom 16 bits of the 32-bit general-purpose registers to be modified – the top 16 bits are left unchanged.)
The default OperandSize and AddressSize to use for each instruction is given by the D bit of the segment descriptor of the current code segment - D=0 makes both 16-bit, D=1 makes both 32-bit. Additionally, they can be overridden on a per-instruction basis with two new instruction prefixes that were introduced in the 80386:
66h: OperandSize override. Will change OperandSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.67h: AddressSize override. Will change AddressSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.The 80386 also introduced the two new segment registers FS and GS as well as the x86 control, debug and test registers.
The new instructions introduced in the 80386 can broadly be subdivided into two classes:
CWDE, LODSD)SHLD, SETcc)For instruction forms where the operand size can be inferred from the instruction's arguments (e.g. ADD EAX,EBX can be inferred to have a 32-bit OperandSize due to its use of EAX as an argument), new instruction mnemonics are not needed and not provided.
| String instructions | LODSD | AD | Load string doubleword: EAX := DS:[rSI±±] | LODSW | rowspan="5" |
STOSD | AB | Store string doubleword: ES:[rDI±±] := EAX | STOSW | ||
MOVSD | A5 | Move string doubleword: ES:[rDI±±] := DS:[rSI±±] | MOVSW | ||
CMPSD | A7 | Compare string doubleword: temp1 := DS:[rSI±±] temp2 := ES:[rDI±±] CMP temp1, temp2 /* 32-bit compare and set EFLAGS */ | CMPSW | ||
SCASD | AF | Scan string doubleword: temp1 := ES:[rDI±±] CMP EAX, temp1 /* 32-bit compare and set EFLAGS */ | SCASW | ||
INSD | 6D | Input string from doubleword I/O port:ES:[rDI±±] := port[DX] | INSW | rowspan="2" | |
OUTSD | 6F | Output string to doubleword I/O port:port[DX] := DS:[rSI±±] | OUTSW | ||
| Other | CWDE | 98 | Sign-extend 16-bit value in AX to 32-bit value in EAX | CBW | rowspan="5" |
CDQ | 99 | Sign-extend 32-bit value in EAX to 64-bit value in EDX:EAX.Mainly used to prepare a dividend for the 32-bit IDIV (signed divide) instruction. | CWD | ||
| Jump if ECX is zero | JCXZ | ||||
PUSHAD | 60 | Push all 32-bit registers onto stack | PUSHA | ||
POPAD | 61 | Pop all 32-bit general-purpose registers off stack | POPA | ||
PUSHFD | 9C | Push 32-bit EFLAGS register onto stack | PUSHF | rowspan="3" | |
POPFD | 9D | Pop 32-bit EFLAGS register off stack | POPF | ||
IRETD | CF | 32-bit interrupt return. Differs from the older 16-bit IRET instruction in that it will pop interrupt return items (EIP,CS,EFLAGS; also ESP and SS if there is a CPL change) off the stack as 32-bit items instead of 16-bit items. Should be used to return from interrupts when the interrupt handler was entered through a 32-bit IDT interrupt/trap gate.Instruction is serializing. | IRET | ||
BT r/m, r | 0F A3 /r | Bit Test.Second operand specifies which bit of the first operand to test. The bit to test is copied to EFLAGS.CF. | rowspan="8" | |
BT r/m, imm8 | 0F BA /4 ''ib'' | |||
BTS r/m, r | 0F AB /r | Bit Test-and-set.Second operand specifies which bit of the first operand to test and set. | ||
BTS r/m, imm8 | 0F BA /5 ''ib'' | |||
BTR r/m, r | 0F B3 /r | Bit Test and Reset.Second operand specifies which bit of the first operand to test and clear. | ||
BTR r/m, imm8 | 0F BA /6 ''ib'' | |||
BTC r/m, r | 0F BB /r | Bit Test and Complement.Second operand specifies which bit of the first operand to test and toggle. | ||
BTC r/m, imm8 | 0F BA /7 ''ib'' | |||
BSF r, r/m | Bit scan forward. Returns bit index of lowest set bit in input. | rowspan="6" | ||
BSR r, r/m | Bit scan reverse. Returns bit index of highest set bit in input. | |||
SHLD r/m, r, imm8 | 0F A4 /r ''ib'' | Shift Left Double. The operation of SHLD arg1,arg2,shamt is:arg1 := (arg1<<shamt) | (arg2>>(operand_size - shamt)) | |
SHLD r/m, r, CL | 0F A5 /r | |||
| Shift Right Double. The operation of SHRD arg1,arg2,shamt is:arg1 := (arg1>>shamt) | (arg2<<(operand_size - shamt)) | |||
SHRD r/m, r, CL | 0F AD /r | |||
MOVZX reg, r/m8 | 0F B6 /r | Move from 8/16-bit source to 16/32-bit register with zero-extension. | rowspan="7" | |
MOVZX reg, r/m16 | 0F B7 /r | |||
MOVSX reg, r/m8 | 0F BE /r | Move from 8/16-bit source to 16/32/64-bit register with sign-extension. | ||
MOVSX reg, r/m16 | 0F BF /r | |||
SETcc r/m8 | Set byte to 1 if condition is satisfied, 0 otherwise. | |||
Jcc ''rel16''Jcc ''rel32'' | 0F 8x ''cw''0F 8x ''cd'' | Conditional jump near.Differs from older variants of conditional jumps in that they accept a 16/32-bit offset rather than just an 8-bit offset. | ||
IMUL r, r/m | 0F AF /r | Two-operand non-widening integer multiply. | ||
FS: | 64 | Segment-override prefixes for FS and GS segment registers. | rowspan="9" | |
GS: | 65 | |||
PUSH FS | 0F A0 | Push/pop FS and GS segment registers. | ||
POP FS | 0F A1 | |||
PUSH GS | 0F A8 | |||
POP GS | 0F A9 | |||
LFS r16, m16&16LFS r32, m32&16 | 0F B4 /r | Load far pointer from memory.Offset part is stored in destination register argument, segment part in FS/GS/SS segment register as indicated by the instruction mnemonic. | ||
LGS r16, m16&16 | 0F B5 /r | |||
LSS r16, m16&16 | 0F B2 /r | |||
MOV reg,CRx | 0F 20 /r | Move from control register to general register. | rowspan="6" | |
MOV CRx,reg | 0F 22 /r | Move from general register to control register.On Pentium and later processors, moves to the CR0, CR3 and CR4 control registers are serializing. | ||
MOV reg,DRx | 0F 21 /r | Move from x86 debug register to general register. | ||
MOV DRx,reg | 0F 23 /r | Move from general register to x86 debug register.On Pentium and later processors, moves to the DR0-DR7 debug registers are serializing. | ||
MOV reg,TRx | 0F 24 /r | Move from x86 test register to general register. | ||
MOV TRx,reg | 0F 26 /r | Move from general register to x86 test register. | ||
| In-circuit emulation breakpoint. Performs software interrupt #1 if executed when not using in-circuit emulation. | rowspan="7" | |||
| User Move – perform data moves that can access user memory while in In-circuit emulation HALT mode. Performs same operation as | ||||
| Bitfield extract. | ||||
| Bitfield insert. | ||||
| Load all CPU registers from a 296-byte data structure starting at ES:EDI, including "hidden" part of segment descriptor registers. | ||||
| Instruction | Opcode | Description | Ring | |||
|---|---|---|---|---|---|---|
BSWAP r32 | Byte Order Swap. Usually used to convert between big-endian and little-endian data representations. For 32-bit registers, the operation performed is:
r = (r << 24)
| ((r << 8) & 0x00FF0000) | ((r >> 8) & 0x0000FF00) | (r >> 24);Using BSWAP with a 16-bit register argument produces an undefined result. | rowspan="5" | |
CMPXCHG r/m8,r8 | Compare and Exchange. If accumulator (AL/AX/EAX/RAX) compares equal to first operand, then EFLAGS.ZF is set to 1 and the first operand is overwritten with the second operand. Otherwise, EFLAGS.ZF is set to 0, and first operand is copied into the accumulator.Instruction atomic only if used with LOCK prefix. | |||||
XADD r/m,r8 | eXchange and ADD. Exchanges the first operand with the second operand, then stores the sum of the two values into the destination operand.Instruction atomic only if used with LOCK prefix. | |||||
XADD r/m,r16XADD r/m,r32 | 0F C1 /r | |||||
INVLPG m8 | Invalidate the TLB entries that would be used for the 1-byte memory operand.Instruction is serializing. | rowspan="3" | ||||
INVD | 0F 08 | Invalidate Internal Caches. Modified data in the cache are not written back to memory, potentially causing data loss. | ||||
WBINVD | Write Back and Invalidate Cache. Writes back all modified cache lines in the processor's internal cache to main memory and invalidates the internal caches. |
Integer/system instructions that were not present in the basic 80486 instruction set, but were added in various x86 processors prior to the introduction of SSE. (Discontinued instructions are not included.)
| Instruction | Opcode | Description | Added in | |
|---|---|---|---|---|
RDMSR | 0F 32 | Read Model-specific register. The MSR to read is specified in ECX. The value of the MSR is then returned as a 64-bit value in EDX:EAX. | IBM 386SLC,[3] Intel Pentium, AMD K5, IDT WinChip C6, Transmeta Crusoe | |
WRMSR | 0F 30 | Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX. Instruction is, with some exceptions, serializing. | ||
RSM[4] | 0F AA | Resume from System Management Mode. Instruction is serializing. | ||
[[CPUID]] | 0F A2 | CPU Identification and feature information. Takes as input a CPUID leaf index in EAX and, depending on leaf, a sub-index in ECX. Result is returned in EAX,EBX,ECX,EDX. Instruction is serializing, and causes a mandatory #VMEXIT under virtualization. Support for | Intel Pentium, AMD 5x86, Cyrix 5x86, IDT WinChip C6, Transmeta Crusoe, Rise mP6, NexGen Nx586, UMC Green CPU | |
| Compare and Exchange 8 bytes. Compares EDX:EAX with m64. If equal, set ZF and store ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX. Instruction atomic only if used with LOCK prefix. | Intel Pentium, AMD K5, Cyrix IDT WinChip C6, Transmeta Crusoe, Rise mP6 | |||
RDTSC | 0F 31 | Read 64-bit Time Stamp Counter (TSC) into EDX:EAX. In early processors, the TSC was a cycle counter, incrementing by 1 for each clock cycle (which could cause its rate to vary on processors that could change clock speed at runtime) – in later processors, it increments at a fixed rate that doesn't necessarily match the CPU clock speed. | Intel Pentium, AMD K5, Cyrix IDT WinChip C6, Transmeta Crusoe, Rise mP6 | |
RDPMC | 0F 33 | Read Performance Monitoring Counter. The counter to read is specified by ECX and its value is returned in EDX:EAX. | Intel Pentium Pro, AMD K7, Cyrix 6x86MX, IDT WinChip C6, VIA Nano | |
| Conditional move to register. The source operand may be either register or memory. | Intel Pentium Pro, AMD K7, Transmeta Crusoe, VIA C3 "Nehemiah" | |||
NOP r/m,NOPL r/m | Official long NOP. Other than AMD K7/K8, broadly unsupported in non-Intel processors released before 2005.[6] | Intel Pentium Pro, VIA C7[7] | ||
UD2,UD2A | 0F 0B | Undefined Instructions – will generate an invalid opcode (#UD) exception in all operating modes. These instructions are provided for software testing to explicitly generate invalid opcodes. The opcodes for these instructions are reserved for this purpose. | (80186), Intel Pentium[8] | |
UD1 reg,r/m, | 0F B9 /r | |||
OIO,UD0,UD0 reg,r/m | 0F FF,0F FF /r | (80186), Cyrix 6x86,[9] AMD K5[10] | ||
SYSCALL | 0F 05 | Fast System call. | AMD K6, x86-64 | |
SYSRET | 0F 07 | Fast Return from System Call. Designed to be used together with SYSCALL. | ||
SYSENTER | 0F 34 | Fast System call. | Intel Pentium II, AMD K7,[11] Transmeta Crusoe, VIA C3 "Nehemiah" | |
SYSEXIT | 0F 35 | Fast Return from System Call. Designed to be used together with SYSENTER. | ||
These instructions can only be encoded in 64 bit mode. They fall in four groups:
MOVSXD replacing ARPL)SWAPGS)JRCXZ)Most instructions with a 64 bit operand size encode this using a REX.W prefix; in the absence of the REX.W prefix,the corresponding instruction with 32 bit operand size is encoded. This mechanism also applies to most other instructions with 32 bit operandsize. These are not listed here as they do not gain a new mnemonic in Intel syntax when used with a 64 bit operand size.
| Instruction | Encoding | Meaning | Ring | |
|---|---|---|---|---|
CDQE | REX.W 98 | Sign extend EAX into RAX | rowspan="13" | |
CQO | REX.W 99 | Sign extend RAX into RDX:RAX | ||
CMPSQ | REX.W A7 | CoMPare String Quadword | ||
| CoMPare and eXCHanGe 16 Bytes. Atomic only if used with LOCK prefix. | ||||
IRETQ | REX.W CF | 64-bit Return from Interrupt | ||
JRCXZ rel8 | E3 ''cb'' | Jump if RCX is zero | ||
LODSQ | REX.W AD | LoaD String Quadword | ||
REX.W 63 /r | MOV with Sign Extend 32-bit to 64-bit | |||
MOVSQ | REX.W A5 | Move String Quadword | ||
POPFQ | 9D | POP RFLAGS Register | ||
PUSHFQ | 9C | PUSH RFLAGS Register | ||
SCASQ | REX.W AF | SCAn String Quadword | ||
STOSQ | REX.W AB | STOre String Quadword | ||
SWAPGS | 0F 01 F8 | Exchange GS base with KernelGSBase MSR |
See main article: X86 Bit manipulation instruction set.
Bit manipulation instructions. For all of the VEX-encoded instructions defined by BMI1 and BMI2, the operand size may be 32 or 64 bits, controlled by the VEX.W bit – none of these instructions are available in 16-bit variants.
| Bit Manipulation Extension | Instruction mnemonics | Opcode | Instruction description | Added in |
|---|---|---|---|---|
POPCNT r16,r/m16 | F3 0F B8 /r | Population Count. Counts the number of bits that are set to 1 in its source argument. | K10, Bobcat, Haswell, ZhangJiang, Gracemont | |
POPCNT r64,r/m64 | F3 REX.W 0F B8 /r | |||
LZCNT r16,r/m16LZCNT r32,r/m32 | F3 0F BD /r | Count Leading zeroes. If source operand is all-0s, then LZCNT will return operand size in bits (16/32/64) and set CF=1. | ||
LZCNT r64,r/m64 | ||||
TZCNT r16,r/m16TZCNT r32,r/m32 | F3 0F BC /r | Count Trailing zeroes. If source operand is all-0s, then TZCNT will return operand size in bits (16/32/64) and set CF=1. | Haswell, Piledriver, Jaguar, ZhangJiang, Gracemont | |
TZCNT r64,r/m64 | ||||
ANDN ra,rb,r/m | VEX.LZ.0F38 F2 /r | Bitwise AND-NOT: ra = r/m AND NOT(rb) | ||
BEXTR ra,r/m,rb | VEX.LZ.0F38 F7 /r | Bitfield extract. Bitfield start position is specified in bits [7:0] of rb, length in bits[15:8] of rb. The bitfield is then extracted from the r/m value with zero-extension, then stored in ra. Equivalent tomask = (1 << rb[15:8]) - 1 ra = (r/m >> rb[7:0]) AND mask | ||
BLSI reg,r/m | VEX.LZ.0F38 F3 /3 | Extract lowest set bit in source argument. Returns 0 if source argument is 0. Equivalent todst = (-src) AND src | ||
BLSMSK reg,r/m | VEX.LZ.0F38 F3 /2 | Generate a bitmask of all-1s bits up to the lowest bit position with a 1 in the source argument. Returns all-1s if source argument is 0. Equivalent to dst = (src-1) XOR src | ||
BLSR reg,r/m | VEX.LZ.0F38 F3 /1 | Copy all bits of the source argument, then clear the lowest set bit. Equivalent todst = (src-1) AND src | ||
BZHI ra,r/m,rb | Zero out high-order bits in r/m starting from the bit position specified in rb, then write result to rd. Equivalent tora = r/m AND NOT(-1 << rb[7:0]) | Haswell, ZhangJiang, Gracemont | ||
MULX ra,rb,r/m | Widening unsigned integer multiply without setting flags. Multiplies EDX/RDX with r/m, then stores the low half of the multiplication result in ra and the high half in rb. If ra and rb specify the same register, only the high half of the result is stored. | |||
PDEP ra,rb,r/m | Parallel Bit Deposit. Scatters contiguous bits from rb to the bit positions set in r/m, then stores result to ra. Operation performed is:
ra=0; k=0; mask=r/m
for i=0 to opsize-1 do
if (mask[i] == 1) then
ra[i]=rb[k]; k=k+1 | |||
PEXT ra,rb,r/m | Parallel Bit Extract. Uses r/m argument as a bit mask to select bits in rb, then compacts the selected bits into a contiguous bit-vector. Operation performed is:
ra=0; k=0; mask=r/m
for i=0 to opsize-1 do
if (mask[i] == 1) then
ra[k]=rb[i]; k=k+1 | |||
| Rotate right by immediate without affecting flags. | ||||
SARX ra,r/m,rb | Arithmetic shift right without updating flags. For SARX, SHRX and SHLX, the shift-amount specified in rb is masked to 5 bits for 32-bit operand size and 6 bits for 64-bit operand size. | |||
SHRX ra,r/m,rb | Logical shift right without updating flags. | |||
SHLX ra,r/m,rb | Shift left without updating flags. | |||
See main article: Transactional Synchronization Extensions.
| TSX Subset | Instruction | Opcode | Description | Added in |
|---|---|---|---|---|
XBEGIN rel16 | C7 F8 ''cw'' | Start transaction. If transaction fails, perform a branch to the given relative offset. | Haswell (Deprecated on desktop/laptop CPUs from 10th generation (Ice Lake, Comet Lake) onwards, but continues to be available on Xeon-branded server parts (e.g. Ice Lake-SP, Sapphire Rapids)) | |
XABORT imm8 | C6 F8 ''ib'' | Abort transaction with 8-bit immediate as error code. | ||
XEND | End transaction. | |||
XTEST | Test if in transactional execution. Sets [[FLAGS register|EFLAGS]].ZF to 0 if executed inside a transaction (RTM or HLE), 1 otherwise. | |||
XACQUIRE | F2 | Instruction prefix to indicate start of hardware lock elision, used with memory atomic instructions only (for other instructions, the F2 prefix may have other meanings). When used with such instructions, may start a transaction instead of performing the memory atomic operation. | Haswell (Discontinued – the last processors to support HLE were and | |
XRELEASE | F3 | Instruction prefix to indicate end of hardware lock elision, used with memory atomic/store instructions only (for other instructions, the F3 prefix may have other meanings). When used with such instructions during hardware lock elision, will end the associated transaction instead of performing the store/atomic. | ||
XSUSLDTRK | Suspend Tracking Load Addresses | |||
XRESLDTRK | Resume Tracking Load Addresses | |||
Intel CET (Control-Flow Enforcement Technology) adds two distinct features to help protect against security exploits such as return-oriented programming: a shadow stack (CET_SS), and indirect branch tracking (CET_IBT).
| CET Subset | Instruction | Opcode | Description | Added in | |
|---|---|---|---|---|---|
INCSSPD r32 | F3 0F AE /5 | Increment shadow stack pointer | Zen 3 | ||
INCSSPQ r64 | F3 REX.W 0F AE /5 | ||||
RDSSPD r32 | F3 0F 1E /1 | Read shadow stack pointer into register (low 32 bits) | |||
RDSSPQ r64 | F3 REX.W 0F 1E /1 | Read shadow stack pointer into register (full 64 bits) | |||
SAVEPREVSSP | F3 0F 01 EA | Save previous shadow stack pointer | |||
RSTORSSP m64 | F3 0F 01 /5 | Restore saved shadow stack pointer | |||
WRSSD m32,r32 | NP 0F 38 F6 /r | Write 4 bytes to shadow stack | |||
WRSSQ m64,r64 | Write 8 bytes to shadow stack | ||||
WRUSSD m32,r32 | 66 0F 38 F5 /r | Write 4 bytes to user shadow stack | rowspan="4" | ||
| Write 8 bytes to user shadow stack | |||||
SETSSBSY | F3 0F 01 E8 | Mark shadow stack busy | |||
CLRSSBSY m64 | F3 0F AE /6 | Clear shadow stack busy flag | |||
ENDBR32 | F3 0F 1E FB | Terminate indirect branch in 32-bit mode | Tiger Lake | ||
ENDBR64 | F3 0F 1E FA | Terminate indirect branch in 64-bit mode | |||
NOTRACK | 3E | Prefix used with indirect CALL/JMP near instructions (opcodes and) to indicate that the branch target is not required to start with an ENDBR32/64 instruction. Prefix only honored when NO_TRACK_EN flag is set. | |||
The XSAVE instruction set extensions are designed to save/restore CPU extended state (typically for the purpose of context switching) in a manner that can be extended to cover new instruction set extensions without the OS context-switching code needing to understand the specifics of the new extensions. This is done by defining a series of state-components, each with a size and offset within a given save area, and each corresponding to a subset of the state needed for one CPU extension or another. The EAX=0Dh CPUID leaf is used to provide information about which state-components the CPU supports and what their sizes/offsets are, so that the OS can reserve the proper amount of space and set the associated enable-bits.
| XSAVE Extension | Instruction mnemonics | Opcode | Instruction description | Added in | |
|---|---|---|---|---|---|
XSAVE memXSAVE64 mem | NP 0F AE /4NP REX.W 0F AE /4 | Save state components specified by bitmap in EDX:EAX to memory. | Penryn, Bulldozer, Jaguar, Goldmont, ZhangJiang | ||
XRSTOR memXRSTOR64 mem | NP 0F AE /5 | Restore state components specified by EDX:EAX from memory. | |||
XGETBV | NP 0F 01 D0 | Get value of Extended Control Register. Reads an XCR specified by ECX into EDX:EAX. | |||
XSETBV | NP 0F 01 D1 | Set Extended Control Register. Write the value in EDX:EAX to the XCR specified by ECX. | |||
XSAVEOPT mem | NP 0F AE /6NP REX.W 0F AE /6 | Save state components specified by EDX:EAX to memory. Unlike the older XSAVE instruction, XSAVEOPT may abstain from writing processor state items to memory when the CPU can determine that they haven't been modified since the most recent corresponding XRSTOR. | Steamroller, Puma, Goldmont, ZhangJiang | ||
XSAVEC memXSAVEC64 mem | NP 0F C7 /4NP REX.W 0F C7 /4 | Save processor extended state components specified by EDX:EAX to memory with compaction. | Skylake, Goldmont, Zen 1 | ||
XSAVES memXSAVES64 mem | NP 0F C7 /5NP REX.W 0F C7 /5 | Save processor extended state components specified by EDX:EAX to memory with compaction and optimization if possible. | Skylake, Goldmont, Zen 1 | ||
XRSTORS memXRSTORS64 mem | NP 0F C7 /3 | Restore state components specified by EDX:EAX from memory. | |||
| Instruction Set Extension | Instruction mnemonics | Opcode | Instruction description | Added in | ||
|---|---|---|---|---|---|---|
PREFETCHNTA m8 | 0F 18 /0 | Prefetch with Non-Temporal Access. Prefetch data under the assumption that the data will be used only once, and attempt to minimize cache pollution from said data. The methods used to minimize cache pollution are implementation-dependent. | Pentium III, (K7), Nehemiah, Efficeon | |||
PREFETCHT0 m8 | 0F 18 /1 | Prefetch data to all levels of the cache hierarchy. | ||||
PREFETCHT1 m8 | 0F 18 /2 | Prefetch data to all levels of the cache hierarchy except L1 cache. | ||||
PREFETCHT2 m8 | 0F 18 /3 | Prefetch data to all levels of the cache hierarchy except L1 and L2 caches. | ||||
SFENCE | NP 0F AE F8+x{{efn|name="sse_partial_decode"|For the <code>SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction.}} | Store Fence. | ||||
LFENCE | NP 0F AE E8+x{{efn|name="sse_partial_decode"}} | Load Fence and Dispatch Serialization. | Pentium 4, K8, Efficeon, C7 Esther | |||
MFENCE | NP 0F AE F0+x{{efn|name="sse_partial_decode"}} | Memory Fence. | ||||
MOVNTI m32,r32MOVNTI m64,r64 | NP 0F C3 /rNP REX.W 0F C3 /r | Non-Temporal Memory Store. | ||||
PAUSE | F3 90 | Pauses CPU thread for a short time period. Intended for use in spinlocks. | ||||
NP 0F AE /7 | Flush one cache line to memory. In a system with multiple cache hierarchy levels and/or multiple processors each with their own caches, the line is flushed from all of them. | (SSE2), Geode LX | ||||
MONITOR | NP 0F 01 C8 | Start monitoring a memory location for memory writes. The memory address to monitor is given by DS:AX/EAX/RAX. ECX and EDX are reserved for extra extension and hint flags, respectively. | Prescott, Yonah, Bonnell, K10, Nano | |||
MWAITMWAIT EAX,ECX | NP 0F 01 C9 | Wait for a write to a monitored memory location previously specified with MONITOR.ECX and EAX are used to provide extra extension and hint flags, respectively. MWAIT hints are commonly used for CPU power management. | ||||
GETSEC | Perform an SMX function. The leaf function to perform is given in EAX. Depending on leaf function, the instruction may take additional arguments in RBX, ECX and EDX. | WuDaoKou,[12] Tremont | ||||
RDTSCP | 0F 01 F9 | Read Time Stamp Counter and processor core ID. The TSC value is placed in EDX:EAX and the core ID in ECX. | K8, Nehalem, Silvermont, Nano | |||
POPCNT r16,r/m16POPCNT r32,r/m32 | F3 0F B8 /r | Count the number of bits that are set to 1 in its source argument. | K10, Nehalem, Nano 3000 | |||
POPCNT r64,r/m64 | F3 REX.W 0F B8 /r | |||||
CRC32 r32,r/m8 | F2 0F 38 F0 /r | Accumulate CRC value using the CRC-32C (Castagnoli) polynomial 0x11EDC6F41 (normal form 0x1EDC6F41). This is the polynomial used in iSCSI. In contrast to the more popular one used in Ethernet, its parity is even, and it can thus detect any error with an odd number of changed bits. | Nehalem, Bulldozer, ZhangJiang | |||
CRC32 r32,r/m16CRC32 r32,r/m32 | F2 0F 38 F1 /r | |||||
CRC32 r64,r/m64 | F2 REX.W 0F 38 F1 /r | |||||
RDFSBASE r32RDFSBASE r64 | F3 0F AE /0F3 REX.W 0F AE /0 | Read base address of FS: segment. | Ivy Bridge, Steamroller, Goldmont, ZhangJiang | |||
RDGSBASE r32RDGSBASE r64 | F3 0F AE /1F3 REX.W 0F AE /1 | Read base address of GS: segment. | ||||
WRFSBASE r32WRFSBASE r64 | F3 0F AE /2F3 REX.W 0F AE /2 | Write base address of FS: segment. | ||||
WRGSBASE r32WRGSBASE r64 | F3 0F AE /3F3 REX.W 0F AE /3 | Write base address of GS: segment. | ||||
MOVBE r16,m16MOVBE r32,m32 | NFx 0F 38 F0 /r | Load from memory to register with byte-order swap. | Bonnell, Haswell, Jaguar, Steamroller, ZhangJiang | |||
MOVBE r64,m64 | ||||||
MOVBE m16,r16MOVBE m32,r32 | NFx 0F 38 F1 /r | Store to memory from register with byte-order swap. | ||||
MOVBE m64,r64 | ||||||
INVPCID reg,m128 | 66 0F 38 82 /r | Invalidate entries in TLB and paging-structure caches based on invalidation type in register and descriptor in m128. The descriptor contains a memory address and a PCID. Instruction is serializing on AMD but not Intel CPUs. | Haswell, ZhangJiang, Zen 3, Gracemont | |||
0F 0D /1 | Prefetch cache line with intent to write. | K6-2, Silvermont, Broadwell, ZhangJiang | ||||
0F 0D /0 | Prefetch cache line. | |||||
ADCX r64,r/m64 | 66 0F 38 F6 /r | Add-with-carry. Differs from the older ADC instruction in that it leaves flags other than EFLAGS.CF unchanged. | Broadwell, Zen 1, ZhangJiang, Gracemont | |||
ADOX r64,r/m64 | F3 0F 38 F6 /r | Add-with-carry, with the overflow-flag EFLAGS.OF serving as carry input and output, with other flags left unchanged. | ||||
CLAC | NP 0F 01 CA | Clear EFLAGS.AC. | Broadwell, Goldmont, Zen 1, LuJiaZui | |||
STAC | NP 0F 01 CB | Set EFLAGS.AC. | ||||
NFx 66 0F AE /7 | Flush cache line. Differs from the older CLFLUSH instruction in that it has more relaxed ordering rules with respect to memory stores and other cache line flushes, enabling improved performance. | Skylake, Goldmont, Zen 1 | ||||
PREFETCHWT1 m8 | 0F 0D /2 | Prefetch data with T1 locality hint (fetch into L2 cache, but not L1 cache) and intent-to-write hint. | YongFeng | |||
RDPKRU | NP 0F 01 EE | Read User Page Key register into EAX. | Skylake-X, Comet Lake, Gracemont, Zen 3, LuJiaZui | |||
WRPKRU | NP 0F 01 EF | Write data from EAX into User Page Key Register, and perform a Memory Fence. | ||||
CLWB m8 | Write one cache line back to memory without invalidating the cache line. | Skylake-X, Zen 2, Tiger Lake, Tremont | ||||
RDPID r32 | F3 0F C7 /7 | Read processor core ID into register. | Zen 2, Ice Lake, LuJiaZui | |||
MOVDIRI m32,r32MOVDIRI m64,r64 | NP 0F 38 F9 /r | Store to memory using Direct Store (memory store that is not cached or write-combined with other stores). | Tiger Lake, Tremont, Zen 5 | |||
66 0F 38 F8 /r | Move 64 bytes of data from m512 to address given by ES:reg. The 64-byte write is done atomically with Direct Store. | Tiger Lake, Tremont, Zen 5 | ||||
WBNOINVD | F3 0F 09 | Write back all dirty cache lines to memory without invalidation. Instruction is serializing. | Zen 2, Ice Lake-SP | |||
| Instruction Set Extension | Instruction mnemonics | Opcode | Instruction description | Added in | ||
|---|---|---|---|---|---|---|
(HWNT) | 2E | Instruction prefix: branch hint weakly not taken. | Pentium 4, Meteor Lake[13] | |||
(HST) | 3E | Instruction prefix: branch hint strongly taken. | ||||
ENCLS | Perform an SGX Supervisor function. The function to perform is given in EAX - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Depending on function, the instruction may return data in RBX and/or an error code in EAX. | |||||
ENCLU | Perform an SGX User function. The function to perform is given in EAX - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Depending on function, the instruction may return data/status information in EAX and/or RCX. | |||||
ENCLV | Perform an SGX Virtualization function. The function to perform is given in EAX - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Instruction returns status information in EAX. | |||||
PTWRITE r/m32PTWRITE r/m64 | F3 0F AE /4 | Read data from register or memory to encode into a PTW packet. | Kaby Lake, | |||
PCONFIG | NP 0F 01 C5 | Perform a platform feature configuration function. The function to perform is specified in EAX - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0. | Ice Lake-SP | |||
CLDEMOTE m8 | NP 0F 1C /0 | Move cache line containing m8 from CPU L1 cache to a more distant level of the cache hierarchy. | (Tremont), (Alder Lake), | |||
UMONITOR r16/32/64 | F3 0F AE /6 | Start monitoring a memory location for memory writes. The memory address to monitor is given by the register argument. | Tremont, Alder Lake | |||
UMWAIT r32UMWAIT r32,EDX,EAX | F2 0F AE /6 | Timed wait for a write to a monitored memory location previously specified with UMONITOR. In the absence of a memory write, the wait will end when either the TSC reaches the value specified by EDX:EAX or the wait has been going on for an OS-controlled maximum amount of time. | rowspan="2" | |||
TPAUSE r32TPAUSE r32,EDX,EAX | 66 0F AE /6 | Wait until the Time Stamp Counter reaches the value specified in EDX:EAX. The register argument to the | ||||
SERIALIZE | NP 0F 01 E8 | Serialize instruction fetch and execution. | Alder Lake | |||
HRESET imm8 | Request that the processor reset selected components of hardware-maintained prediction history. A bitmap of which components of the CPU's prediction history to reset is given in EAX (the imm8 argument is ignored). | Alder Lake | ||||
SENDUIPI reg | F3 0F C7 /6 | Send Interprocessor User Interrupt. | Sapphire Rapids | |||
UIRET | F3 0F 01 EC | User Interrupt Return. | ||||
TESTUI | F3 0F 01 ED | Test User Interrupt Flag. Copies UIF to EFLAGS.CF . | ||||
CLUI | F3 0F 01 EE | Clear User Interrupt Flag. | ||||
STUI | F3 0F 01 EF | Set User Interrupt Flag. | ||||
ENQCMD r32/64,m512 | F2 0F 38 F8 /r | Enqueue Command. Reads a 64-byte "command data" structure from memory (m512 argument) and writes atomically to a memory-mapped Enqueue Store device (register argument provides the memory address of this device, using ES segment and requiring 64-byte alignment.) Sets ZF=0 to indicate that device accepted the command, or ZF=1 to indicate that command was not accepted (e.g. queue full or the memory location was not an Enqueue Store device.) | ||||
F3 0F 38 F8 /r | Enqueue Command Supervisor. Differs from ENQCMD in that it can place an arbitrary PASID (process address-space identifier) and a privilege-bit in the "command data" to enqueue. | |||||
WRMSRNS | NP 0F 01 C6 | Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX. The instruction differs from the older | ||||
RDMSRLIST | F2 0F 01 C6 | Read multiple MSRs. RSI points to a table of up to 64 MSR indexes to read (64 bits each), RDI points to a table of up to 64 data items that the MSR read-results will be written to (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR read for. | ||||
WRMSRLIST | F3 0F 01 C6 | Write multiple MSRs. RSI points to a table of up to 64 MSR indexes to write (64 bits each), RDI points to a table of up to 64 data items to write into the MSRs (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR write for. The instruction is not serializing. | ||||
| Read value from memory, then compare to first register operand. If the comparison passes, then add the second register operand to the memory value. The instruction as a whole is performed atomically. Memory argument is required to be aligned. The operation of is:
temp1 := [mem]
EFLAGS := CMP temp1, reg1 // sets EFLAGS like regular compare
reg1 := temp1
if(condition)
[mem] := temp1 + reg2 | ||||||
| Instruction Set Extension | Instruction mnemonics | Opcode | Instruction description | Added in | |
|---|---|---|---|---|---|
MOV reg,CR8 | F0 0F 20 /0 | Read the CR8 register. | K8 | ||
| Write to the CR8 register. | |||||
MONITORX | NP 0F 01 FA | Start monitoring a memory location for memory writes. Similar to older MONITOR, except available in user mode. | Excavator | ||
MWAITX | NP 0F 01 FB | Wait for a write to a monitored memory location previously specified with MONITORX.MWAITX differs from the older MWAIT instruction mainly in that it runs in user mode and that it can accept an optional timeout argument (given in TSC time units) in EBX (enabled by setting bit[1] of ECX to 1.) | |||
NP 0F 01 FC | Write zeroes to all bytes in a memory region that has the size and alignment of a CPU cache line and contains the byte addressed by DS:rAX. | Zen 1 | |||
RDPRU | NP 0F 01 FD | Read selected MSRs (mainly performance counters) in user mode. ECX specifies which register to read. The value of the MSR is returned in EDX:EAX. | Zen 2 | ||
MCOMMIT | F3 0F 01 FA | Ensure that all preceding stores in thread have been committed to memory, and that any errors encountered by these stores have been signalled to any associated error logging resources. The set of errors that can be reported and the logging mechanism are platform-specific. Sets EFLAGS.CF to 0 if any errors occurred, 1 otherwise. | Zen 2 | ||
INVLPGB | NP 0F 01 FE | Invalidate TLB Entries for a range of pages, with broadcast. The invalidation is performed on the processor executing the instruction, and also broadcast to all other processors in the system. rAX takes the virtual address to invalidate and some additional flags, ECX takes the number of pages to invalidate, and EDX specifies ASID and PCID to perform TLB invalidation for. | Zen 3 | ||
TLBSYNC | NP 0F 01 FF | Synchronize TLB invalidations. Wait until all TLB invalidations signalled by preceding invocations of the INVLPGB instruction on the same logical processor have been responded to by all processors in the system. Instruction is serializing. | |||
The x87 coprocessor, if present, provides support for floating-point arithmetic. The coprocessor provides eight data registers, each holding one 80-bit floating-point value (1 sign bit, 15 exponent bits, 64 mantissa bits) – these registers are organized as a stack, with the top-of-stack register referred to as "st" or "st(0)", and the other registers referred to as st(1),st(2),...st(7). It additionally provides a number of control and status registers, including "PC" (precision control, to control whether floating-point operations should be rounded to 24, 53 or 64 mantissa bits) and "RC" (rounding control, to pick rounding-mode: round-to-zero, round-to-positive-infinity, round-to-negative-infinity, round-to-nearest-even) and a 4-bit condition code register "CC", whose four bits are individually referred to as C0,C1,C2 and C3). Not all of the arithmetic instructions provided by x87 obey PC and RC.
| Instruction description | Mnemonic | Opcode | Additional items | ||||||
|---|---|---|---|---|---|---|---|---|---|
| x87 Non-Waiting FPU Control Instructions | Waiting mnemonic | ||||||||
| Initialize x87 FPU | FNINIT | DB E3 | FINIT | ||||||
| Load x87 Control Word | FLDCW m16 | D9 /5 | colspan="2" | ||||||
| Store x87 Control Word | FNSTCW m16 | D9 /7 | FSTCW | ||||||
| Store x87 Status Word | FNSTSW m16 | DD /7 | FSTSW | ||||||
| Clear x87 Exception Flags | FNCLEX | DB E2 | FCLEX | ||||||
| Load x87 FPU Environment | FLDENV m112/m224 | D9 /4 | colspan="2" | ||||||
| Store x87 FPU Environment | D9 /6 | FSTENV | |||||||
| Save x87 FPU State, then initialize x87 FPU | DD /6 | FSAVE | |||||||
| Restore x87 FPU State | FRSTOR m752/m864 | DD /4 | colspan="2" | ||||||
| Enable Interrupts (8087 only) | FNENI | DB E0 | FENI | ||||||
| Disable Interrupts (8087 only) | FNDISI | DB E1 | FDISI | ||||||
| x87 Floating-point Load/Store/Move Instructions | precision control | rounding control | |||||||
| Load floating-point value onto stack | FLD m32 | D9 /0 | rowspan="4" | rowspan="4" | |||||
FLD m64 | DD /0 | ||||||||
FLD m80 | DB /5 | ||||||||
FLD st(i) | D9 C0+i | ||||||||
| Store top-of-stack floating-point value to memory or stack register | FST m32 | D9 /2 | rowspan="2" | rowspan="2" | |||||
FST m64 | DD /2 | ||||||||
FST st(i) | DD D0+i | ||||||||
| Store top-of-stack floating-point value to memory or stack register, then pop | FSTP m32 | D9 /3 | rowspan="2" | rowspan="2" | |||||
FSTP m64 | DD /3 | ||||||||
FSTP m80 | DB /7 | rowspan="4" | rowspan="4" | ||||||
FSTP st(i) | |||||||||
| Push +0.0 onto stack | FLDZ | D9 EE | rowspan="2" | rowspan="2" | |||||
| Push +1.0 onto stack | FLD1 | D9 E8 | |||||||
| Push (approximately 3.14159) onto stack | FLDPI | D9 EB | rowspan="5" | rowspan="5" | |||||
| Push log2\left(10\right) | FLDL2T | D9 E9 | |||||||
| Push log2\left(e\right) | FLDL2E | D9 EA | |||||||
| Push log10\left(2\right) | FLDLG2 | D9 EC | |||||||
| Push ln\left(2\right) | FLDLN2 | D9 ED | |||||||
| Exchange top-of-stack register with other stack register | FXCH st(i) | D9 C8+i | rowspan=3 | ||||||
| x87 Integer Load/Store Instructions | precision control | rounding control | |||||||
| Load signed integer value onto stack from memory, with conversion to floating-point | FILD m16 | DF /0 | rowspan="3" | rowspan="3" | |||||
FILD m32 | DB /0 | ||||||||
FILD m64 | DF /5 | ||||||||
| Store top-of-stack value to memory, with conversion to signed integer | FIST m16 | DF /2 | rowspan="2" | rowspan="2" | |||||
FIST m32 | DB /2 | ||||||||
| Store top-of-stack value to memory, with conversion to signed integer, then pop stack | FISTP m16 | DF /3 | rowspan="3" | rowspan="3" | |||||
FISTP m32 | DB /3 | ||||||||
FISTP m64 | DF /7 | ||||||||
| Load 18-digit Binary-Coded-Decimal integer value onto stack from memory, with conversion to floating-point | FBLD m80 | DF /4 | |||||||
| Store top-of-stack value to memory, with conversion to 18-digit Binary-Coded-Decimal integer, then pop stack | FBSTP m80 | DF /6 | |||||||
| x87 Basic Arithmetic Instructions | precision control | rounding control | |||||||
| Floating-point add | FADD m32 | D8 /0 | rowspan="4" | rowspan="4" | |||||
FADD m64 | DC /0 | ||||||||
FADD st,st(i) | D8 C0+i | ||||||||
FADD st(i),st | DC C0+i | ||||||||
| Floating-point multiply | FMUL m32 | D8 /1 | rowspan="4" | rowspan="4" | |||||
FMUL m64 | DC /1 | ||||||||
FMUL st,st(i) | D8 C8+i | ||||||||
FMUL st(i),st | DC C8+i | ||||||||
| Floating-point subtract | FSUB m32 | D8 /4 | rowspan="4" | rowspan="4" | |||||
FSUB m64 | DC /4 | ||||||||
FSUB st,st(i) | D8 E0+i | ||||||||
FSUB st(i),st | DC E8+i | ||||||||
| Floating-point reverse subtract | FSUBR m32 | D8 /5 | rowspan="4" | rowspan="4" | |||||
FSUBR m64 | DC /5 | ||||||||
FSUBR st,st(i) | D8 E8+i | ||||||||
FSUBR st(i),st | DC E0+i | ||||||||
| Floating-point divide | FDIV m32 | D8 /6 | rowspan="4" | rowspan="4" | |||||
FDIV m64 | DC /6 | ||||||||
FDIV st,st(i) | D8 F0+i | ||||||||
FDIV st(i),st | DC F8+i | ||||||||
| Floating-point reverse divide | FDIVR m32 | D8 /7 | rowspan="4" | rowspan="4" | |||||
FDIVR m64 | DC /7 | ||||||||
FDIVR st,st(i) | D8 F8+i | ||||||||
FDIVR st(i),st | DC F0+i | ||||||||
| Floating-point compare
| FCOM m32 | D8 /2 | rowspan="4" | rowspan="4" | |||||
FCOM m64 | DC /2 | ||||||||
FCOM st(i) | D8 D0+i | ||||||||
| x87 Basic Arithmetic Instructions with Stack Pop | precision control | rounding control | |||||||
| Floating-point add and pop | FADDP st(i),st | DE C0+i | |||||||
| Floating-point multiply and pop | FMULP st(i),st | DE C8+i | |||||||
| Floating-point subtract and pop | FSUBP st(i),st | DE E8+i | |||||||
| Floating-point reverse-subtract and pop | FSUBRP st(i),st | DE E0+i | |||||||
| Floating-point divide and pop | FDIVP st(i),st | DE F8+i | |||||||
| Floating-point reverse-divide and pop | FDIVRP st(i),st | DE F0+i | |||||||
| Floating-point compare and pop | FCOMP m32 | D8 /3 | rowspan="5" | rowspan="5" | |||||
FCOMP m64 | DC /3 | ||||||||
FCOMP st(i) | D8 D8+i | ||||||||
| Floating-point compare to st(1), then pop twice | FCOMPP | DE D9 | |||||||
| x87 Basic Arithmetic Instructions with Integer Source Argument | precision control | rounding control | |||||||
| Floating-point add by integer | FIADD m16 | DA /0 | rowspan="2" | rowspan="2" | |||||
FIADD m32 | DE /0 | ||||||||
| Floating-point multiply by integer | FIMUL m16 | DA /1 | rowspan="2" | rowspan="2" | |||||
FIMUL m32 | DE /1 | ||||||||
| Floating-point subtract by integer | FISUB m16 | DA /4 | rowspan="2" | rowspan="2" | |||||
FISUB m32 | DE /4 | ||||||||
| Floating-point reverse-subtract by integer | FISUBR m16 | DA /5 | rowspan="2" | rowspan="2" | |||||
FISUBR m32 | DE /5 | ||||||||
| Floating-point divide by integer | FIDIV m16 | DA /6 | rowspan="2" | rowspan="2" | |||||
FIDIV m32 | DE /6 | ||||||||
| Floating-point reverse-divide by integer | FIDIVR m16 | DA /7 | rowspan="2" | rowspan="2" | |||||
FIDIVR m32 | DE /7 | ||||||||
| Floating-point compare to integer | FICOM m16 | DA /2 | rowspan="2" | rowspan="2" | |||||
FICOM m32 | DE /2 | ||||||||
| Floating-point compare to integer, and stack pop | FICOMP m16 | DA /3 | rowspan="2" | rowspan="2" | |||||
FICOMP m32 | DE /3 | ||||||||
| x87 Additional Arithmetic Instructions | precision control | rounding control | |||||||
| Floating-point change sign | FCHS | D9 E0 | |||||||
| Floating-point absolute value | FABS | D9 E1 | |||||||
| Floating-point compare top-of-stack value to 0 | FTST | D9 E4 | |||||||
| Classify top-of-stack st(0) register value. The classification result is stored in the x87 CC register. | FXAM | D9 E5 | |||||||
| Split the st(0) value into two values and representing the exponent and mantissa of st(0). The split is done such that M*2{E 1\leq\left | M\right | <2. st(0) is then replaced with, after which is pushed onto the stack. | FXTRACT | D9 F4 | |||||
| Floating-point partial remainder (not IEEE 754 compliant): | FPREM | D9 F8 | |||||||
| Floating-point square root | FSQRT | D9 FA | |||||||
| Floating-point round to integer | FRNDINT | D9 FC | |||||||
| Floating-point power-of-2 scaling. Rounds the value of st(1) to integer with round-to-zero, then uses it as a scale factor for st(0): | FSCALE | D9 FD | |||||||
| x87 Transcendental Instructions | Source operand range restriction | ||||||||
| Base-2 exponential minus 1, with extra precision for st(0) close to 0: | F2XM1 | D9 F0 | 8087: 0\leqst(0)\leq
80387: -1\leqst(0)\leq1 | ||||||
| Base-2 Logarithm:followed by stack pop | FYL2X | D9 F1 | no restrictions | ||||||
| Partial Tangent: Computes from st(0) a pair of values and, such thatThe value replaces the top-of-stack value, and then is pushed onto the stack. On 80387 and later x87, but not original 8087, is always 1.0 | FPTAN | D9 F2 | 8087: 0\leq\left | st(0)\right | \leq\frac 80387: 0\leq\left | st(0)\right | <2^ | ||
| Two-argument arctangent with quadrant adjustment: followed by stack pop | FPATAN | D9 F3 | 8087: \left | st(1)\right | \leq\left | st(0)\right | <\infty 80387: no restrictions | ||
| Base-2 Logarithm plus 1, with extra precision for st(0) close to 0:followed by stack pop | FYL2XP1 | D9 F9 | Intel: \left | st(0)\right | <\left(1-\sqrt\right) AMD:
| ||||
| Other x87 Instructions | |||||||||
| No operation | FNOP | D9 D0 | |||||||
| Decrement x87 FPU Register Stack Pointer | FDECSTP | D9 F6 | |||||||
| Increment x87 FPU Register Stack Pointer | FINCSTP | D9 F7 | |||||||
| Free x87 FPU Register | FFREE st(i) | ||||||||
| Check and handle pending unmasked x87 FPU exceptions | WAIT,FWAIT | 9B | |||||||
| Floating-point store and pop, without stack underflow exception | |||||||||
| Free x87 register, then stack pop | |||||||||
| Instruction description | Mnemonic | Opcode | Additional items | ||
|---|---|---|---|---|---|
| Waiting mnemonic | |||||
FNSETPM | DB E4 | FSETPM | |||
| Store x87 Status Word to AX | FNSTSW AX | DF E0 | FSTSW AX | ||
| Floating-point unordered compare. Similar to the regular floating-point compare instruction FCOM, except will not produce an exception in response to any qNaN operands. | FUCOM st(i) | DD E0+i | no restrictions | ||
| Floating-point unordered compare and pop | FUCOMP st(i) | DD E8+i | |||
| Floating-point unordered compare to st(1), then pop twice | FUCOMPP | DA E9 | |||
| IEEE 754 compliant floating-point partial remainder. | FPREM1 | D9 F5 | |||
| Floating-point sine and cosine. Computes two values S=\sin\left(k*st(0)\right) C=\cos\left(k*st(0)\right) Top-of-stack st(0) is replaced with, after which is pushed onto the stack. | FSINCOS | D9 FB | \left | st(0)\right | <2^ |
| Floating-point sine. | FSIN | D9 FE | |||
| Floating-point cosine. | FCOS | D9 FF | |||
[[FCMOV]]B st(0),st(i) | DA C0+i | below (CF=1) | |||
FCMOVE st(0),st(i) | DA C8+i | equal (ZF=1) | |||
FCMOVBE st(0),st(i) | DA D0+i | below or equal (CF=1 or ZF=1) | |||
FCMOVU st(0),st(i) | DA D8+i | unordered (PF=1) | |||
FCMOVNB st(0),st(i) | DB C0+i | not below (CF=0) | |||
FCMOVNE st(0),st(i) | DB C8+i | not equal (ZF=0) | |||
DB D0+i | not below or equal (CF=0 and ZF=0) | ||||
FCMOVNU st(0),st(i) | DB D8+i | not unordered (PF=0) | |||
Floating-point compare and set EFLAGS.Differs from the older FCOM floating-point compare instruction in that it puts its result in the integer [[FLAGS register|EFLAGS]] register rather than the x87 CC register. | FCOMI st(0),st(i) | DB F0+i | |||
Floating-point compare and set EFLAGS, then pop | FCOMIP st(0),st(i) | DF F0+i | |||
Floating-point unordered compare and set EFLAGS | FUCOMI st(0),st(i) | DB E8+i | |||
Floating-point unordered compare and set EFLAGS, then pop | DF E8+i | ||||
| x87 Non-Waiting Instructions added in Pentium II, AMD K7 and SSE | 64-bit mnemonic ( REX.W prefix) | ||||
| Save x87, MMX and SSE state to 512-byte data structure | FXSAVE m512byte | ||||
| Restore x87, MMX and SSE state from 512-byte data structure | |||||
| Floating-point store integer and pop, with round-to-zero | FISTTP m16 | DF /1 | |||
FISTTP m32 | DB /1 | ||||
FISTTP m64 | DD /1 | ||||
See main article: x86 SIMD instruction listings.
See main article: List of x86 cryptographic instructions.
See main article: List of x86 virtualization instructions.
See main article: List of discontinued x86 instructions.
x86 also includes discontinued instruction sets which are no longer supported by Intel and AMD, and undocumented instructions which execute but are not officially documented.
OIO ("Official invalid opcode") for the opcode.