AMD64 Technology

AMD64 Architecture
Programmer’s Manual
Volume 3:
General-Purpose and
System Instructions

Publication No. Revision Date

24594 3.14 September 2007

Advanced Micro Devices

AMD64 Technology 24594—Rev. 3.14—September 2007

© 2002 – 2007 Advanced Micro Devices, Inc. All rights reserved.

The contents of this document are provided in connection with Advanced Micro
Devices, Inc. (“AMD”) products. AMD makes no representations or warranties with
respect to the accuracy or completeness of the contents of this publication and
reserves the right to make changes to specifications and product descriptions at
any time without notice. The information contained herein may be of a preliminary
or advance nature and is subject to change without notice. No license, whether
express, implied, arising by estoppel or otherwise, to any intellectual property rights
is granted by this publication. Except as set forth in AMD’s Standard Terms and
Conditions of Sale, AMD assumes no liability whatsoever, and disclaims any
express or implied warranty, relating to its products including, but not limited to, the
implied warranty of merchantability, fitness for a particular purpose, or infringement
of any intellectual property right.
AMD’s products are not designed, intended, authorized or warranted for use as
components in systems intended for surgical implant into the body, or in other appli-
cations intended to support or sustain life, or in any other application in which the
failure of AMD’s product could create a situation where personal injury, death, or
severe property or environmental damage may occur. AMD reserves the right to
discontinue or make changes to its products at any time without notice.

Trademarks
AMD, the AMD arrow logo, AMD Athlon, and AMD Opteron, and combinations thereof, and 3DNow! are trademarks,
and AMD-K6 is a registered trademark of Advanced Micro Devices, Inc.
MMX is a trademark and Pentium is a registered trademark of Intel Corporation.
Windows NT is a registered trademark of Microsoft Corporation.
Other product names used in this publication are for identification purposes only and may be trademarks of their
respective companies.
24594—Rev. 3.14—September 2007 AMD64 Technology

Contents
Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
About This Book. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi
1 Instruction Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
1.1 Instruction Byte Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Instruction Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Summary of Legacy Prefixes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Operand-Size Override Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Address-Size Override Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Segment-Override Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Lock Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Repeat Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
REX Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3 Opcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4 ModRM and SIB Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.5 Displacement Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.6 Immediate Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.7 RIP-Relative Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
REX Prefix and RIP-Relative Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Address-Size Prefix and RIP-Relative Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2 Instruction Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
2.1 Instruction Subsets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2 Reference-Page Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.3 Summary of Registers and Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
General-Purpose Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
System Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
128-Bit Media Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
64-Bit Media Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
x87 Floating-Point Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.4 Summary of Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.5 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Mnemonic Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Opcode Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Pseudocode Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Contents i
AMD64 Technology 24594—Rev. 3.14—September 2007

3 General-Purpose Instruction Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

AAA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
AAD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
AAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
AAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
ADC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
ADD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
AND. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
BOUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
BSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
BSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
BSWAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
BT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
BTC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
BTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
BTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
CALL (Near) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
CALL (Far) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
CBW
CWDE
CDQE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
CWD
CDQ
CQO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
CLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
CLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
CLFLUSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
CMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
CMOVcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
CMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
CMPS
CMPSB
CMPSW
CMPSD
CMPSQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
CMPXCHG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
CMPXCHG8B
CMPXCHG16B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
CPUID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
DAA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
DAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
DEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
DIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
ENTER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
IDIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
IMUL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
IN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

ii Contents
24594—Rev. 3.14—September 2007 AMD64 Technology

INC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
INS
INSB
INSW
INSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
INT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
INTO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Jcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
JCXZ
JECXZ
JRCXZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
JMP (Near). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
JMP (Far) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
LAHF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
LDS
LES
LFS
LGS
LSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
LEA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
LEAVE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
LFENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
LODS
LODSB
LODSW
LODSD
LODSQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
LOOP
LOOPE
LOOPNE
LOOPNZ
LOOPZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
LZCNT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
MFENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
MOV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
MOVD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
MOVMSKPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
MOVMSKPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
MOVNTI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
MOVS
MOVSB
MOVSW
MOVSD
MOVSQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
MOVSX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
MOVSXD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
MOVZX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Contents iii
AMD64 Technology 24594—Rev. 3.14—September 2007

MUL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
NEG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
NOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
NOT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
OR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
OUT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
OUTS
OUTSB
OUTSW
OUTSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
PAUSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
POP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
POPA
POPAD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
POPCNT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
POPF
POPFD
POPFQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
PREFETCH
PREFETCHW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
PREFETCHlevel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
PUSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
PUSHA
PUSHAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
PUSHF
PUSHFD
PUSHFQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
RCL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
RCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
RET (Near) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
RET (Far). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
ROL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
ROR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
SAHF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
SAL
SHL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
SAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
SBB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
SCAS
SCASB
SCASW
SCASD
SCASQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
SETcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
SFENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
SHL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
SHLD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

iv Contents
24594—Rev. 3.14—September 2007 AMD64 Technology

SHR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
SHRD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
STC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
STD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
STOS
STOSB
STOSW
STOSD
STOSQ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
SUB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
TEST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
XADD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
XCHG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
XLAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
XLATB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
XOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
4 System Instruction Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
ARPL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
CLGI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
CLTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
HLT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
INT 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
INVD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
INVLPG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
INVLPGA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
IRET
IRETD
IRETQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
LAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
LGDT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
LIDT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
LLDT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
LMSW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
LSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
LTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
MONITOR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
MOV (CRn) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
MOV(DRn) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
MWAIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
RDMSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
RDPMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
RDTSC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
RDTSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
RSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
SGDT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
SIDT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Contents v
AMD64 Technology 24594—Rev. 3.14—September 2007

SKINIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
SLDT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
SMSW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
STI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
STGI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
STR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
SWAPGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
SYSCALL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
SYSENTER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
SYSEXIT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
SYSRET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
UD2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
VERR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
VERW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
VMLOAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
VMMCALL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
VMRUN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
VMSAVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
WBINVD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
WRMSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Appendix A Opcode and Operand Encodings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
A.1 Opcode-Syntax Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
A.2 Opcode Encodings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
One-Byte Opcodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Two-Byte Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
rFLAGS Condition Codes for Two-Byte Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
ModRM Extensions to One-Byte and Two-Byte Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . . 348
ModRM Extensions to Opcodes 0F 01 and 0F AE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
3DNow!™ Opcodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
x87 Encodings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
rFLAGS Condition Codes for x87 Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
A.3 Operand Encodings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
ModRM Operand References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
SIB Operand References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Appendix B General-Purpose Instructions in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . .373
B.1 General Rules for 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
B.2 Operation and Operand Size in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
B.3 Invalid and Reassigned Instructions in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
B.4 Instructions with 64-Bit Default Operand Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
B.5 Single-Byte INC and DEC Instructions in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
B.6 NOP in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
B.7 Segment Override Prefixes in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Appendix C Differences Between Long Mode and Legacy Mode. . . . . . . . . . . . . . . . . . . .403

vi Contents
24594—Rev. 3.14—September 2007 AMD64 Technology

Appendix D Instruction Subsets and CPUID Feature Sets . . . . . . . . . . . . . . . . . . . . . . . . .405

D.1 Instruction Subsets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
D.2 CPUID Feature Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
D.3 Instruction List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Appendix E Instruction Effects on RFLAGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Contents vii
AMD64 Technology 24594—Rev. 3.14—September 2007

viii Contents
24594—Rev. 3.14—September 2007 AMD64 Technology

Figures
Figure 1-1. Instruction Byte-Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Figure 1-2. Little-Endian Byte-Order of Instruction Stored in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Figure 1-3. Encoding Examples of REX-Prefix R, X, and B Bits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 1-4. ModRM-Byte Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 1-5. SIB-Byte Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 2-1. Format of Instruction-Detail Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Figure 2-2. General Registers in Legacy and Compatibility Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 2-3. General Registers in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 2-4. Segment Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Figure 2-5. General-Purpose Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Figure 2-6. System Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 2-7. System Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Figure 2-8. 128-Bit Media Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 2-9. 128-Bit Media Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Figure 2-10. 64-Bit Media Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Figure 2-11. 64-Bit Media Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 2-12. x87 Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Figure 2-13. x87 Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Figure 2-14. Syntax for Typical Two-Operand Instruction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Figure 3-1. MOVD Instruction Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Figure A-1. ModRM-Byte Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Figure A-2. ModRM-Byte Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Figure A-3. SIB Byte Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Figure D-1. Instruction Subsets vs. CPUID Feature Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Figures ix
AMD64 Technology 24594—Rev. 3.14—September 2007

x Figures
24594—Rev. 3.14—September 2007 AMD64 Technology

Tables
Table 1-1. Legacy Instruction Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Table 1-2. Operand-Size Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 1-3. Address-Size Overrides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Table 1-4. Pointer and Count Registers and the Address-Size Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Table 1-5. Segment-Override Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Table 1-6. REP Prefix Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Table 1-7. REPE and REPZ Prefix Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Table 1-8. REPNE and REPNZ Prefix Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Table 1-9. REX Instruction Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Table 1-10. Instructions Not Requiring REX Size Prefix in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Table 1-11. REX Prefix-Byte Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 1-12. Special REX Encodings for Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Table 1-13. Encoding for RIP-Relative Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Table 2-1. Interrupt-Vector Source and Cause. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 2-2. +rb, +rw, +rd, and +rq Register Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Table 3-1. Instruction Support Indicated by CPUID Feature Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 3-2. Processor Vendor Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Table 3-3. Locality References for the Prefetch Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Table A-1. One-Byte Opcodes, Low Nibble 0–7h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Table A-2. One-Byte Opcodes, Low Nibble 8–Fh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Table A-3. Second Byte of Two-Byte Opcodes, Low Nibble 0–7h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Table A-4. Second Byte of Two-Byte Opcodes, Low Nibble 8–Fh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Table A-5. rFLAGS Condition Codes for CMOVcc, Jcc, and SETcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Table A-6. One-Byte and Two-Byte Opcode ModRM Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Table A-7. Opcode 0F 01 and 0F AE ModRM Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Table A-8. Immediate Byte for 3DNow!™ Opcodes, Low Nibble 0–7h . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Table A-9. Immediate Byte for 3DNow!™ Opcodes, Low Nibble 8–Fh . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Table A-10. x87 Opcodes and ModRM Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Table A-11. rFLAGS Condition Codes for FCMOVcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Table A-12. ModRM Register References, 16-Bit Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Table A-13. ModRM Memory References, 16-Bit Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Table A-14. ModRM Register References, 32-Bit and 64-Bit Addressing . . . . . . . . . . . . . . . . . . . . . . . . . 367
Table A-15. ModRM Memory References, 32-Bit and 64-Bit Addressing . . . . . . . . . . . . . . . . . . . . . . . . . 368
Table A-16. SIB base Field References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Tables xi
AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-17. SIB Memory References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Table B-1. Operations and Operands in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Table B-2. Invalid Instructions in 64-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Table B-3. Reassigned Instructions in 64-Bit Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Table B-4. Invalid Instructions in Long Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Table B-5. Instructions Defaulting to 64-Bit Operand Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Table C-1. Differences Between Long Mode and Legacy Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Table D-1. Instruction Subsets and CPUID Feature Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Table E-1. Instruction Effects on RFLAGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

xii Tables
24594—Rev. 3.14—September 2007 AMD64 Technology

Revision History

Date Revision Description

September Added minor clarifications and corrected typographical and
3.14
2007 formatting errors.
Added the following instructions: “LZCNT” on page 153, “POPCNT”
on page 188, “MONITOR” on page 284, and “MWAIT” on page 290.
Reformatted information on instruction support indicated by CPUID
July 2007 3.13
feature bits into Table 3-1.
Added minor clarifications and corrected typographical and
formatting errors.
September Added minor clarifications and corrected typographical and
3.12
2006 formatting errors.
December Added SVM instructions; added PAUSE instructions; made factual
3.11
2005 changes.
Clarified CPUID information in exception tables on instruction pages.
January
3.10 Added information under “CPUID” on page 103. Made numerous
2005
small corrections.
Corrected table of valid descriptor types for LAR and LSL instructions
September
3.09 and made several minor formatting, stylistic and factual corrections.
2003
Clarified several technical definitions.
Corrected description of the operation of flags for RCL, RCR, ROL,
and ROR instructions. Clarified description of the MOVSXD and
IMUL instructions. Corrected operand specification for the STOS
instruction. Corrected opcode of SETcc, Jcc, instructions. Added
April 2003 3.08
thermal control and thermal monitoring bits to CPUID instruction.
Corrected exception tables for POPF, SFENCE, SUB, XLAT, IRET,
LSL, MOV(CRn), SGDT/SIDT, SMSW, and STI instructions.
Corrected many small typos and incorporated branding terminology.

Revision History xiii

AMD64 Technology 24594—Rev. 3.14—September 2007

xiv Revision History

24594—Rev. 3.14—September 2007 AMD64 Technology

Preface

About This Book

This book is part of a multivolume work entitled the AMD64 Architecture Programmer’s Manual. This
table lists each volume and its order number.

Title Order No.

Volume 1: Application Programming 24592

Volume 2: System Programming 24593

Volume 3: General-Purpose and System Instructions 24594

Volume 4: 128-Bit Media Instructions 26568

Volume 5: 64-Bit Media and x87 Floating-Point Instructions 26569

Audience
This volume (Volume 3) is intended for all programmers writing application or system software for a
processor that implements the AMD64 architecture. Descriptions of general-purpose instructions
assume an understanding of the application-level programming topics described in Volume 1.
Descriptions of system instructions assume an understanding of the system-level programming topics
described in Volume 2.

Organization
Volumes 3, 4, and 5 describe the AMD64 architecture’s instruction set in detail. Together, they cover
each instruction’s mnemonic syntax, opcodes, functions, affected flags, and possible exceptions.
The AMD64 instruction set is divided into five subsets:
• General-purpose instructions
• System instructions
• 128-bit media instructions
• 64-bit media instructions
• x87 floating-point instructions
Several instructions belong to—and are described identically in—multiple instruction subsets.
This volume describes the general-purpose and system instructions. The index at the end cross-
references topics within this volume. For other topics relating to the AMD64 architecture, and for

Preface xv
AMD64 Technology 24594—Rev. 3.14—September 2007

information on instructions in other subsets, see the tables of contents and indexes of the other
volumes.

Definitions
Many of the following definitions assume an in-depth knowledge of the legacy x86 architecture. See
“Related Documents” on page xxvi for descriptions of the legacy x86 architecture.

Terms and Notation

In addition to the notation described below, “Opcode-Syntax Notation” on page 339 describes notation
relating specifically to opcodes.
1011b
A binary value—in this example, a 4-bit value.
F0EAh
A hexadecimal value—in this example a 2-byte value.
[1,2)
A range that includes the left-most value (in this case, 1) but excludes the right-most value (in this
case, 2).
7–4
A bit range, from bit 7 to 4, inclusive. The high-order bit is shown first.
128-bit media instructions
Instructions that use the 128-bit XMM registers. These are a combination of the SSE and SSE2
instruction sets.
64-bit media instructions
Instructions that use the 64-bit MMX registers. These are primarily a combination of MMX™ and
3DNow!™ instruction sets, with some additional instructions from the SSE and SSE2 instruction
sets.
16-bit mode
Legacy mode or compatibility mode in which a 16-bit address size is active. See legacy mode and
compatibility mode.
32-bit mode
Legacy mode or compatibility mode in which a 32-bit address size is active. See legacy mode and
compatibility mode.

xvi Preface
24594—Rev. 3.14—September 2007 AMD64 Technology

64-bit mode
A submode of long mode. In 64-bit mode, the default address size is 64 bits and new features, such
as register extensions, are supported for system and application software.
#GP(0)
Notation indicating a general-protection exception (#GP) with error code of 0.
absolute
Said of a displacement that references the base of a code segment rather than an instruction pointer.
Contrast with relative.
biased exponent
The sum of a floating-point value’s exponent and a constant bias for a particular floating-point data
type. The bias makes the range of the biased exponent always positive, which allows reciprocation
without overflow.
byte
Eight bits.
clear
To write a bit value of 0. Compare set.
compatibility mode
A submode of long mode. In compatibility mode, the default address size is 32 bits, and legacy 16-
bit and 32-bit applications run without modification.
commit
To irreversibly write, in program order, an instruction’s result to software-visible storage, such as a
register (including flags), the data cache, an internal write buffer, or memory.
CPL
Current privilege level.
CR0–CR4
A register range, from register CR0 through CR4, inclusive, with the low-order register first.
CR0.PE = 1
Notation indicating that the PE bit of the CR0 register has a value of 1.
direct
Referencing a memory location whose address is included in the instruction’s syntax as an
immediate operand. The address may be an absolute or relative address. Compare indirect.
dirty data
Data held in the processor’s caches or internal buffers that is more recent than the copy held in
main memory.

Preface xvii
AMD64 Technology 24594—Rev. 3.14—September 2007

displacement
A signed value that is added to the base of a segment (absolute addressing) or an instruction pointer
(relative addressing). Same as offset.
doubleword
Two words, or four bytes, or 32 bits.
double quadword
Eight words, or 16 bytes, or 128 bits. Also called octword.
DS:rSI
The contents of a memory location whose segment address is in the DS register and whose offset
relative to that segment is in the rSI register.
EFER.LME = 0
Notation indicating that the LME bit of the EFER register has a value of 0.
effective address size
The address size for the current instruction after accounting for the default address size and any
address-size override prefix.
effective operand size
The operand size for the current instruction after accounting for the default operand size and any
operand-size override prefix.
element
See vector.
exception
An abnormal condition that occurs as the result of executing an instruction. The processor’s
response to an exception depends on the type of the exception. For all exceptions except 128-bit
media SIMD floating-point exceptions and x87 floating-point exceptions, control is transferred to
the handler (or service routine) for that exception, as defined by the exception’s vector. For
floating-point exceptions defined by the IEEE 754 standard, there are both masked and unmasked
responses. When unmasked, the exception handler is called, and when masked, a default response
is provided instead of calling the handler.
FF /0
Notation indicating that FF is the first byte of an opcode, and a subopcode in the ModR/M byte has
a value of 0.
flush
An often ambiguous term meaning (1) writeback, if modified, and invalidate, as in “flush the cache
line,” or (2) invalidate, as in “flush the pipeline,” or (3) change a value, as in “flush to zero.”

xviii Preface
24594—Rev. 3.14—September 2007 AMD64 Technology

GDT
Global descriptor table.
IDT
Interrupt descriptor table.
IGN
Ignore. Field is ignored.
indirect
Referencing a memory location whose address is in a register or other memory location. The
address may be an absolute or relative address. Compare direct.
IRB
The virtual-8086 mode interrupt-redirection bitmap.
IST
The long-mode interrupt-stack table.
IVT
The real-address mode interrupt-vector table.
LDT
Local descriptor table.
legacy x86
The legacy x86 architecture. See “Related Documents” on page xxvi for descriptions of the legacy
x86 architecture.
legacy mode
An operating mode of the AMD64 architecture in which existing 16-bit and 32-bit applications and
operating systems run without modification. A processor implementation of the AMD64
architecture can run in either long mode or legacy mode. Legacy mode has three submodes, real
mode, protected mode, and virtual-8086 mode.
long mode
An operating mode unique to the AMD64 architecture. A processor implementation of the
AMD64 architecture can run in either long mode or legacy mode. Long mode has two submodes,
64-bit mode and compatibility mode.
lsb
Least-significant bit.
LSB
Least-significant byte.

Preface xix
AMD64 Technology 24594—Rev. 3.14—September 2007

main memory
Physical memory, such as RAM and ROM (but not cache memory) that is installed in a particular
computer system.
mask
(1) A control bit that prevents the occurrence of a floating-point exception from invoking an
exception-handling routine. (2) A field of bits used for a control purpose.
MBZ
Must be zero. If software attempts to set an MBZ bit to 1, a general-protection exception (#GP)
occurs.
memory
Unless otherwise specified, main memory.
ModRM
A byte following an instruction opcode that specifies address calculation based on mode (Mod),
register (R), and memory (M) variables.
moffset
A 16, 32, or 64-bit offset that specifies a memory operand directly, without using a ModRM or SIB
byte.
msb
Most-significant bit.
MSB
Most-significant byte.
multimedia instructions
A combination of 128-bit media instructions and 64-bit media instructions.
octword
Same as double quadword.
offset
Same as displacement.
overflow
The condition in which a floating-point number is larger in magnitude than the largest, finite,
positive or negative number that can be represented in the data-type format being used.
packed
See vector.

xx Preface
24594—Rev. 3.14—September 2007 AMD64 Technology

PAE
Physical-address extensions.
physical memory
Actual memory, consisting of main memory and cache.
probe
A check for an address in a processor’s caches or internal buffers. External probes originate
outside the processor, and internal probes originate within the processor.
protected mode
A submode of legacy mode.
quadword
Four words, or eight bytes, or 64 bits.
RAZ
Read as zero (0), regardless of what is written.
real-address mode
See real mode.
real mode
A short name for real-address mode, a submode of legacy mode.
relative
Referencing with a displacement (also called offset) from an instruction pointer rather than the
base of a code segment. Contrast with absolute.
reserved
Fields marked as reserved may be used at some future time.
To preserve compatibility with future processors, reserved fields require special handling when
read or written by software.
Reserved fields may be further qualified as MBZ, RAZ, SBZ or IGN (see definitions).
Software must not depend on the state of a reserved field, nor upon the ability of such fields to
return to a previously written state.
If a reserved field is not marked with one of the above qualifiers, software must not change the state
of that field; it must reload that field with the same values returned from a prior read.
REX
An instruction prefix that specifies a 64-bit operand size and provides access to additional
registers.
RIP-relative addressing
Addressing relative to the 64-bit RIP instruction pointer.

Preface xxi
AMD64 Technology 24594—Rev. 3.14—September 2007

set
To write a bit value of 1. Compare clear.
SIB
A byte following an instruction opcode that specifies address calculation based on scale (S), index
(I), and base (B).
SIMD
Single instruction, multiple data. See vector.
SSE
Streaming SIMD extensions instruction set. See 128-bit media instructions and 64-bit media
instructions.
SSE2
Extensions to the SSE instruction set. See 128-bit media instructions and 64-bit media
instructions.
SSE3
Further extensions to the SSE instruction set. See 128-bit media instructions.
sticky bit
A bit that is set or cleared by hardware and that remains in that state until explicitly changed by
software.
TOP
The x87 top-of-stack pointer.
TPR
Task-priority register (CR8).
TSS
Task-state segment.
underflow
The condition in which a floating-point number is smaller in magnitude than the smallest nonzero,
positive or negative number that can be represented in the data-type format being used.
vector
(1) A set of integer or floating-point values, called elements, that are packed into a single operand.
Most of the 128-bit and 64-bit media instructions use vectors as operands. Vectors are also called
packed or SIMD (single-instruction multiple-data) operands.
(2) An index into an interrupt descriptor table (IDT), used to access exception handlers. Compare
exception.

xxii Preface
24594—Rev. 3.14—September 2007 AMD64 Technology

virtual-8086 mode
A submode of legacy mode.
word
Two bytes, or 16 bits.
x86
See legacy x86.

Registers
In the following list of registers, the names are used to refer either to a given register or to the contents
of that register:
AH–DH
The high 8-bit AH, BH, CH, and DH registers. Compare AL–DL.
AL–DL
The low 8-bit AL, BL, CL, and DL registers. Compare AH–DH.
AL–r15B
The low 8-bit AL, BL, CL, DL, SIL, DIL, BPL, SPL, and R8B–R15B registers, available in 64-bit
mode.
BP
Base pointer register.
CRn
Control register number n.
CS
Code segment register.
eAX–eSP
The 16-bit AX, BX, CX, DX, DI, SI, BP, and SP registers or the 32-bit EAX, EBX, ECX, EDX,
EDI, ESI, EBP, and ESP registers. Compare rAX–rSP.
EFER
Extended features enable register.
eFLAGS
16-bit or 32-bit flags register. Compare rFLAGS.
EFLAGS
32-bit (extended) flags register.

Preface xxiii
AMD64 Technology 24594—Rev. 3.14—September 2007

eIP
16-bit or 32-bit instruction-pointer register. Compare rIP.
EIP
32-bit (extended) instruction-pointer register.
FLAGS
16-bit flags register.
GDTR
Global descriptor table register.
GPRs
General-purpose registers. For the 16-bit data size, these are AX, BX, CX, DX, DI, SI, BP, and SP.
For the 32-bit data size, these are EAX, EBX, ECX, EDX, EDI, ESI, EBP, and ESP. For the 64-bit
data size, these include RAX, RBX, RCX, RDX, RDI, RSI, RBP, RSP, and R8–R15.
IDTR
Interrupt descriptor table register.
IP
16-bit instruction-pointer register.
LDTR
Local descriptor table register.
MSR
Model-specific register.
r8–r15
The 8-bit R8B–R15B registers, or the 16-bit R8W–R15W registers, or the 32-bit R8D–R15D
registers, or the 64-bit R8–R15 registers.
rAX–rSP
The 16-bit AX, BX, CX, DX, DI, SI, BP, and SP registers, or the 32-bit EAX, EBX, ECX, EDX,
EDI, ESI, EBP, and ESP registers, or the 64-bit RAX, RBX, RCX, RDX, RDI, RSI, RBP, and RSP
registers. Replace the placeholder r with nothing for 16-bit size, “E” for 32-bit size, or “R” for 64-
bit size.
RAX
64-bit version of the EAX register.
RBP
64-bit version of the EBP register.

xxiv Preface
24594—Rev. 3.14—September 2007 AMD64 Technology

RBX
64-bit version of the EBX register.
RCX
64-bit version of the ECX register.
RDI
64-bit version of the EDI register.
RDX
64-bit version of the EDX register.
rFLAGS
16-bit, 32-bit, or 64-bit flags register. Compare RFLAGS.
RFLAGS
64-bit flags register. Compare rFLAGS.
rIP
16-bit, 32-bit, or 64-bit instruction-pointer register. Compare RIP.
RIP
64-bit instruction-pointer register.
RSI
64-bit version of the ESI register.
RSP
64-bit version of the ESP register.
SP
Stack pointer register.
SS
Stack segment register.
TPR
Task priority register, a new register introduced in the AMD64 architecture to speed interrupt
management.
TR
Task register.

Preface xxv
AMD64 Technology 24594—Rev. 3.14—September 2007

Endian Order
The x86 and AMD64 architectures address memory using little-endian byte-ordering. Multibyte
values are stored with their least-significant byte at the lowest byte address, and they are illustrated
with their least significant byte at the right side. Strings are illustrated in reverse order, because the
addresses of their bytes increase from right to left.

Related Documents
• Peter Abel, IBM PC Assembly Language and Programming, Prentice-Hall, Englewood Cliffs, NJ,
1995.
• Rakesh Agarwal, 80x86 Architecture & Programming: Volume II, Prentice-Hall, Englewood
Cliffs, NJ, 1991.
• AMD, AMD-K6™ MMX™ Enhanced Processor Multimedia Technology, Sunnyvale, CA, 2000.
• AMD, 3DNow!™ Technology Manual, Sunnyvale, CA, 2000.
• AMD, AMD Extensions to the 3DNow!™ and MMX™ Instruction Sets, Sunnyvale, CA, 2000.
• Don Anderson and Tom Shanley, Pentium Processor System Architecture, Addison-Wesley, New
York, 1995.
• Nabajyoti Barkakati and Randall Hyde, Microsoft Macro Assembler Bible, Sams, Carmel, Indiana,
1992.
• Barry B. Brey, 8086/8088, 80286, 80386, and 80486 Assembly Language Programming,
Macmillan Publishing Co., New York, 1994.
• Barry B. Brey, Programming the 80286, 80386, 80486, and Pentium Based Personal Computer,
Prentice-Hall, Englewood Cliffs, NJ, 1995.
• Ralf Brown and Jim Kyle, PC Interrupts, Addison-Wesley, New York, 1994.
• Penn Brumm and Don Brumm, 80386/80486 Assembly Language Programming, Windcrest
McGraw-Hill, 1993.
• Geoff Chappell, DOS Internals, Addison-Wesley, New York, 1994.
• Chips and Technologies, Inc. Super386 DX Programmer’s Reference Manual, Chips and
Technologies, Inc., San Jose, 1992.
• John Crawford and Patrick Gelsinger, Programming the 80386, Sybex, San Francisco, 1987.
• Cyrix Corporation, 5x86 Processor BIOS Writer's Guide, Cyrix Corporation, Richardson, TX,
1995.
• Cyrix Corporation, M1 Processor Data Book, Cyrix Corporation, Richardson, TX, 1996.
• Cyrix Corporation, MX Processor MMX Extension Opcode Table, Cyrix Corporation, Richardson,
TX, 1996.
• Cyrix Corporation, MX Processor Data Book, Cyrix Corporation, Richardson, TX, 1997.
• Ray Duncan, Extending DOS: A Programmer's Guide to Protected-Mode DOS, Addison Wesley,
NY, 1991.

xxvi Preface
24594—Rev. 3.14—September 2007 AMD64 Technology

• William B. Giles, Assembly Language Programming for the Intel 80xxx Family, Macmillan, New
York, 1991.
• Frank van Gilluwe, The Undocumented PC, Addison-Wesley, New York, 1994.
• John L. Hennessy and David A. Patterson, Computer Architecture, Morgan Kaufmann Publishers,
San Mateo, CA, 1996.
• Thom Hogan, The Programmer’s PC Sourcebook, Microsoft Press, Redmond, WA, 1991.
• Hal Katircioglu, Inside the 486, Pentium, and Pentium Pro, Peer-to-Peer Communications, Menlo
Park, CA, 1997.
• IBM Corporation, 486SLC Microprocessor Data Sheet, IBM Corporation, Essex Junction, VT,
1993.
• IBM Corporation, 486SLC2 Microprocessor Data Sheet, IBM Corporation, Essex Junction, VT,
1993.
• IBM Corporation, 80486DX2 Processor Floating Point Instructions, IBM Corporation, Essex
Junction, VT, 1995.
• IBM Corporation, 80486DX2 Processor BIOS Writer's Guide, IBM Corporation, Essex Junction,
VT, 1995.
• IBM Corporation, Blue Lightning 486DX2 Data Book, IBM Corporation, Essex Junction, VT,
1994.
• Institute of Electrical and Electronics Engineers, IEEE Standard for Binary Floating-Point
Arithmetic, ANSI/IEEE Std 754-1985.
• Institute of Electrical and Electronics Engineers, IEEE Standard for Radix-Independent Floating-
Point Arithmetic, ANSI/IEEE Std 854-1987.
• Muhammad Ali Mazidi and Janice Gillispie Mazidi, 80X86 IBM PC and Compatible Computers,
Prentice-Hall, Englewood Cliffs, NJ, 1997.
• Hans-Peter Messmer, The Indispensable Pentium Book, Addison-Wesley, New York, 1995.
• Karen Miller, An Assembly Language Introduction to Computer Architecture: Using the Intel
Pentium, Oxford University Press, New York, 1999.
• Stephen Morse, Eric Isaacson, and Douglas Albert, The 80386/387 Architecture, John Wiley &
Sons, New York, 1987.
• NexGen Inc., Nx586 Processor Data Book, NexGen Inc., Milpitas, CA, 1993.
• NexGen Inc., Nx686 Processor Data Book, NexGen Inc., Milpitas, CA, 1994.
• Bipin Patwardhan, Introduction to the Streaming SIMD Extensions in the Pentium III,
www.x86.org/articles/sse_pt1/ simd1.htm, June, 2000.
• Peter Norton, Peter Aitken, and Richard Wilton, PC Programmer’s Bible, Microsoft Press,
Redmond, WA, 1993.
• PharLap 386|ASM Reference Manual, Pharlap, Cambridge MA, 1993.
• PharLap TNT DOS-Extender Reference Manual, Pharlap, Cambridge MA, 1995.

Preface xxvii
AMD64 Technology 24594—Rev. 3.14—September 2007

• Sen-Cuo Ro and Sheau-Chuen Her, i386/i486 Advanced Programming, Van Nostrand Reinhold,
New York, 1993.
• Jeffrey P. Royer, Introduction to Protected Mode Programming, course materials for an onsite
class, 1992.
• Tom Shanley, Protected Mode System Architecture, Addison Wesley, NY, 1996.
• SGS-Thomson Corporation, 80486DX Processor SMM Programming Manual, SGS-Thomson
Corporation, 1995.
• Walter A. Triebel, The 80386DX Microprocessor, Prentice-Hall, Englewood Cliffs, NJ, 1992.
• John Wharton, The Complete x86, MicroDesign Resources, Sebastopol, California, 1994.
• Web sites and newsgroups:
- www.amd.com
- news.comp.arch
- news.comp.lang.asm.x86
- news.intel.microprocessors
- news.microsoft

xxviii Preface
24594—Rev. 3.14—September 2007 AMD64 Technology

1 Instruction Formats
The format of an instruction encodes its operation, as well as the locations of the instruction’s initial
operands and the result of the operation. This section describes the general format and parameters used
by all instructions. For information on the specific format(s) for each instruction, see:
• Chapter 3, “General-Purpose Instruction Reference.”
• Chapter 4, “System Instruction Reference.”
• “128-Bit Media Instruction Reference” in Volume 4.
• “64-Bit Media Instruction Reference” in Volume 5.
• “x87 Floating-Point Instruction Reference” in Volume 5.

1.1 Instruction Byte Order

An instruction can be between one and 15 bytes in length. Figure 1-1 shows the byte order of the
instruction format.

Legacy REX Opcode Displacement Immediate

Prefix Prefix (1 or 2 bytes) ModRM SIB (1, 2, 4, or 8 bytes) (1, 2, 4, or 8 bytes)

Instruction Length ≤ 15 Bytes

Figure 1-1. Instruction Byte-Order

Instructions are stored in memory in little-endian order. The least-significant byte of an instruction is
stored at its lowest memory address, as shown in Figure 1-2 on page 2.

Instruction Formats 1
AMD64 Technology 24594—Rev. 3.14—September 2007

7 0
Most-significant Immediate
(highest) address *
Immediate *
Immediate *
Immediate *
Displacement *
Displacement *
Displacement *
Displacement *
SIB *
≤ 15 Bytes
ModRM *
Opcode *
Opcode (all two-byte opcodes have 0Fh as their first byte)
REX Prefix + (available only in 64-bit mode)
Legacy Prefix +
Legacy Prefix +
Legacy Prefix +
Least-significant * optional, depending on the instruction
(lowest) address Legacy Prefix + + optional, with most instructions

513-304.eps

Figure 1-2. Little-Endian Byte-Order of Instruction Stored in Memory

The basic operation of an instruction is specified by an opcode. The opcode is one or two bytes long, as
described in “Opcode” on page 17. An opcode can be preceded by any number of legacy prefixes.
These prefixes can be classified as belonging to any of the five groups of prefixes described in
“Instruction Prefixes” on page 3. The legacy prefixes modify an instruction’s default address size,
operand size, or segment, or they invoke a special function such as modification of the opcode, atomic
bus-locking, or repetition. The REX prefix can be used in 64-bit mode to access the register extensions
illustrated in “Application-Programming Register Set” in Volume 1. If a REX prefix is used, it must
immediately precede the first opcode byte.
An instruction’s opcode consists of one or two bytes. In several 128-bit and 64-bit media instructions,
a legacy operand-size or repeat prefix byte is used in a special-purpose way to modify the opcode. The
opcode can be followed by a mode-register-memory (ModRM) byte, which further describes the
operation and/or operands. The opcode, or the opcode and ModRM byte, can also be followed by a
scale-index-base (SIB) byte, which describes the scale, index, and base forms of memory addressing.
The ModRM and SIB bytes are described in “ModRM and SIB Bytes” on page 17, but their legacy
functions can be modified by the REX prefix (“Instruction Prefixes” on page 3).
The 15-byte instruction-length limit can only be exceeded by using redundant prefixes. If the limit is
exceeded, a general-protection exception occurs.

2 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

1.2 Instruction Prefixes

The instruction prefixes shown in Figure 1-1 on page 1 are of two types: legacy prefixes and REX
prefixes. Each of the legacy prefixes has a unique byte value. By contrast, the REX prefixes, which
enable use of the AMD64 register extensions in 64-bit mode, are organized as a group of byte values in
which the value of the prefix indicates the combination of register-extension features to be enabled.

1.2.1 Summary of Legacy Prefixes

Table 1-1 on page 4 shows the legacy prefixes—that is, all prefixes except the REX prefixes, which are
described on page 11. The legacy prefixes are organized into five groups, as shown in the left-most
column of Table 1-1. A single instruction should include a maximum of one prefix from each of the
five groups. The legacy prefixes can appear in any order within the position shown in Figure 1-1 for
legacy prefixes. The result of using multiple prefixes from a single group is unpredictable.
Some of the restrictions on legacy prefixes are:
• Operand-Size Override—This prefix affects only general-purpose instructions and a few x87
instructions. When used with 128-bit and 64-bit media instructions, this prefix acts in a special
way to modify the opcode.
• Address-Size Override—This prefix affects only memory operands.
• Segment Override—In 64-bit mode, the CS, DS, ES, and SS segment override prefixes are ignored.
• LOCK Prefix—This prefix is allowed only with certain instructions that modify memory.
• Repeat Prefixes—These prefixes affect only certain string instructions. When used with 128-bit
and 64-bit media instructions, these prefixes act in a special way to modify the opcode.

Instruction Formats 3
AMD64 Technology 24594—Rev. 3.14—September 2007

Table 1-1. Legacy Instruction Prefixes

Prefix
Prefix Group1 Mnemonic
Byte (Hex)
Description

Changes the default operand size of a memory or

Operand-Size Override none 662 register operand, as shown in Table 1-2 on page 5.
Changes the default address size of a memory operand,
Address-Size Override none 673 as shown in Table 1-3 on page 6.
Forces use of the current CS segment for memory
CS 2E4 operands.
Forces use of the current DS segment for memory
DS 3E4 operands.
Forces use of the current ES segment for memory
ES 264 operands.
Segment Override
Forces use of the current FS segment for memory
FS 64
operands.
Forces use of the current GS segment for memory
GS 65
operands.
Forces use of the current SS segment for memory
SS 364 operands.
Causes certain kinds of memory read-modify-write
Lock LOCK F05 instructions to occur atomically.
Repeats a string operation (INS, MOVS, OUTS, LODS,
REP
and STOS) until the rCX register equals 0.
F36 Repeats a compare-string or scan-string operation
REPE or
(CMPSx and SCASx) until the rCX register equals 0 or
Repeat REPZ
the zero flag (ZF) is cleared to 0.
Repeats a compare-string or scan-string operation
REPNE or
REPNZ F26 (CMPSx and SCASx) until the rCX register equals 0 or
the zero flag (ZF) is set to 1.
Note:
1. A single instruction should include a maximum of one prefix from each of the five groups.
2. When used with 128-bit and 64-bit media instructions, this prefix acts in a special way to modify the opcode. The
prefix is ignored by 64-bit media floating-point (3DNow!™) instructions. See “Instructions that Cannot Use the Oper-
and-Size Prefix” on page 5.
3. This prefix also changes the size of the RCX register when used as an implied count register.
4. In 64-bit mode, the CS, DS, ES, and SS segment overrides are ignored.
5. The LOCK prefix should not be used for instructions other than those listed in “Lock Prefix” on page 8.
6. This prefix should be used only with compare-string and scan-string instructions. When used with 128-bit and 64-
bit media instructions, the prefix acts in a special way to modify the opcode.

1.2.2 Operand-Size Override Prefix

The default operand size for an instruction is determined by a combination of its opcode, the D
(default) bit in the current code-segment descriptor, and the current operating mode, as shown in
Table 1-2. The operand-size override prefix (66h) selects the non-default operand size. The prefix can

4 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

be used with any general-purpose instruction that accesses non-fixed-size operands in memory or
general-purpose registers (GPRs), and it can also be used with the x87 FLDENV, FNSTENV,
FNSAVE, and FRSTOR instructions.
In 64-bit mode, the prefix allows mixing of 16-bit, 32-bit, and 64-bit data on an instruction-by-
instruction basis. In compatibility and legacy modes, the prefix allows mixing of 16-bit and 32-bit
operands on an instruction-by-instruction basis.

Table 1-2. Operand-Size Overrides

Effective Instruction Prefix1
Default
Operand
Operating Mode Operand
Size 66h REX.W3
Size (Bits)
(Bits)
64 don’t care yes
64-Bit
322 32 no no
Mode
16 yes no
Long
32 no
Mode 32
Compatibility 16 yes
Mode 32 yes
16
16 no Not Appli-
32 no cable
Legacy Mode 32
16 yes
(Protected, Virtual-8086,
or Real Mode) 32 yes
16
16 no
Note:
1. A “no’ indicates that the default operand size is used.
2. This is the typical default, although some instructions default to other operand
sizes. See Appendix B, “General-Purpose Instructions in 64-Bit Mode,” for details.
3. See “REX Prefixes” on page 11.

In 64-bit mode, most instructions default to a 32-bit operand size. For these instructions, a REX prefix
(page 13) can specify a 64-bit operand size, and a 66h prefix specifies a 16-bit operand size. The REX
prefix takes precedence over the 66h prefix. However, if an instruction defaults to a 64-bit operand
size, it does not need a REX prefix and it can only be overridden to a 16-bit operand size. It cannot be
overridden to a 32-bit operand size, because there is no 32-bit operand-size override prefix in 64-bit
mode. Two groups of instructions have a default 64-bit operand size in 64-bit mode:
• Near branches. For details, see “Near Branches in 64-Bit Mode” in Volume 1.
• All instructions, except far branches, that implicitly reference the RSP. For details, see “Stack
Operation” in Volume 1.

Instructions that Cannot Use the Operand-Size Prefix. The operand-size prefix should be used
only with general-purpose instructions and the x87 FLDENV, FNSTENV, FNSAVE, and FRSTOR

Instruction Formats 5
AMD64 Technology 24594—Rev. 3.14—September 2007

instructions, in which the prefix selects between 16-bit and 32-bit operand size. The prefix is ignored
by all other x87 instructions and by 64-bit media floating-point (3DNow!™) instructions.
When used with 64-bit media integer instructions, the 66h prefix acts in a special way to modify the
opcode. This modification typically causes an access to an XMM register or 128-bit memory operand
and thereby converts the 64-bit media instruction into its comparable 128-bit media instruction. The
result of using an F2h or F3h repeat prefix along with a 66h prefix in 128-bit or 64-bit media
instructions is unpredictable.

Operand-Size and REX Prefixes. The REX operand-size prefix takes precedence over the 66h
prefix. See “REX.W: Operand Width” on page 13 for details.

1.2.3 Address-Size Override Prefix

The default address size for instructions that access non-stack memory is determined by the current
operating mode, as shown in Table 1-3. The address-size override prefix (67h) selects the non-default
address size. Depending on the operating mode, this prefix allows mixing of 16-bit and 32-bit, or of
32-bit and 64-bit addresses, on an instruction-by-instruction basis. The prefix changes the address size
for memory operands. It also changes the size of the RCX register for instructions that use RCX
implicitly.
For instructions that implicitly access the stack segment (SS), the address size for stack accesses is
determined by the D (default) bit in the stack-segment descriptor. In 64-bit mode, the D bit is ignored,
and all stack references have a 64-bit address size. However, if an instruction accesses both stack and
non-stack memory, the address size of the non-stack access is determined as shown in Table 1-3.

Table 1-3. Address-Size Overrides

Address-
Default Effective Size Prefix
Operating Mode Address Address Size
Size (Bits) (Bits) (67h)1
Required?
64-Bit 64 no
64
Mode 32 yes
32 no
Long Mode 32
Compatibility 16 yes
Mode 32 yes
16
16 no
32 no
Legacy Mode 32
16 yes
(Protected, Virtual-8086, or Real
Mode) 32 yes
16
16 no
Note:
1. A “no” indicates that the default address size is used.

6 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

As Table 1-3 shows, the default address size is 64 bits in 64-bit mode. The size can be overridden to 32
bits, but 16-bit addresses are not supported in 64-bit mode. In compatibility and legacy modes, the
default address size is 16 bits or 32 bits, depending on the operating mode (see “Processor
Initialization and Long Mode Activation” in Volume 2 for details). In these modes, the address-size
prefix selects the non-default size, but the 64-bit address size is not available.
Certain instructions reference pointer registers or count registers implicitly, rather than explicitly. In
such instructions, the address-size prefix affects the size of such addressing and count registers, just as
it does when such registers are explicitly referenced. Table 1-4 lists all such instructions and the
registers referenced using the three possible address sizes.

Table 1-4. Pointer and Count Registers and the Address-Size Prefix
Pointer or Count Register
Instruction 16-Bit 32-Bit 64-Bit
Address Size Address Size Address Size
CMPS, CMPSB, CMPSW,
CMPSD, CMPSQ—Compare SI, DI, CX ESI, EDI, ECX RSI, RDI, RCX
Strings
INS, INSB, INSW, INSD—
DI, CX EDI, ECX RDI, RCX
Input String
JCXZ, JECXZ, JRCXZ—Jump
CX ECX RCX
on CX/ECX/RCX Zero
LODS, LODSB, LODSW,
LODSD, LODSQ—Load SI, CX ESI, ECX RSI, RCX
String
LOOP, LOOPE, LOOPNZ,
CX ECX RCX
LOOPNE, LOOPZ—Loop
MOVS, MOVSB, MOVSW,
MOVSD, MOVSQ—Move SI, DI, CX ESI, EDI, ECX RSI, RDI, RCX
String
OUTS, OUTSB, OUTSW,
SI, CX ESI, ECX RSI, RCX
OUTSD—Output String
REP, REPE, REPNE, REPNZ,
CX ECX RCX
REPZ—Repeat Prefixes
SCAS, SCASB, SCASW,
SCASD, SCASQ—Scan DI, CX EDI, ECX RDI, RCX
String
STOS, STOSB, STOSW,
STOSD, STOSQ—Store DI, CX EDI, ECX RDI, RCX
String
XLAT, XLATB—Table Look-up
BX EBX RBX
Translation

Instruction Formats 7
AMD64 Technology 24594—Rev. 3.14—September 2007

1.2.4 Segment-Override Prefixes

Segment overrides can be used only with instructions that reference non-stack memory. Most
instructions that reference memory are encoded with a ModRM byte (page 17). The default segment
for such memory-referencing instructions is implied by the base register indicated in its ModRM byte,
as follows:
• Instructions that Reference a Non-Stack Segment—If an instruction encoding references any base
register other than rBP or rSP, or if an instruction contains an immediate offset, the default segment
is the data segment (DS). These instructions can use the segment-override prefix to select one of
the non-default segments, as shown in Table 1-5.
• String Instructions—String instructions reference two memory operands. By default, they
reference both the DS and ES segments (DS:rSI and ES:rDI). These instructions can override their
DS-segment reference, as shown in Table 1-5, but they cannot override their ES-segment
reference.
• Instructions that Reference the Stack Segment—If an instruction’s encoding references the rBP or
rSP base register, the default segment is the stack segment (SS). All instructions that reference the
stack (push, pop, call, interrupt, return from interrupt) use SS by default. These instructions cannot
use the segment-override prefix.

Table 1-5. Segment-Override Prefixes

Prefix Byte
Mnemonic Description
(Hex)
CS1 2E Forces use of current CS segment for memory operands.
DS1 3E Forces use of current DS segment for memory operands.
1
ES 26 Forces use of current ES segment for memory operands.
FS 64 Forces use of current FS segment for memory operands.
GS 65 Forces use of current GS segment for memory operands.
SS1 36 Forces use of current SS segment for memory operands.
Note:
1. In 64-bit mode, the CS, DS, ES, and SS segment overrides are ignored.

Segment Overrides in 64-Bit Mode. In 64-bit mode, the CS, DS, ES, and SS segment-override
prefixes have no effect. These four prefixes are not treated as segment-override prefixes for the
purposes of multiple-prefix rules. Instead, they are treated as null prefixes.
The FS and GS segment-override prefixes are treated as true segment-override prefixes in 64-bit mode.
Use of the FS or GS prefix causes their respective segment bases to be added to the effective address
calculation. See “FS and GS Registers in 64-Bit Mode” in Volume 2 for details.

1.2.5 Lock Prefix

The LOCK prefix causes certain kinds of memory read-modify-write instructions to occur atomically.
The mechanism for doing so is implementation-dependent (for example, the mechanism may involve

8 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

bus signaling or packet messaging between the processor and a memory controller). The prefix is
intended to give the processor exclusive use of shared memory in a multiprocessor system.
The LOCK prefix can only be used with forms of the following instructions that write a memory
operand: ADC, ADD, AND, BTC, BTR, BTS, CMPXCHG, CMPXCHG8B, CMPXCHG16B, DEC,
INC, NEG, NOT, OR, SBB, SUB, XADD, XCHG, and XOR. An invalid-opcode exception occurs if
the LOCK prefix is used with any other instruction.

1.2.6 Repeat Prefixes

The repeat prefixes cause repetition of certain instructions that load, store, move, input, or output
strings. The prefixes should only be used with such string instructions. Two pairs of repeat prefixes,
REPE/REPZ and REPNE/REPNZ, perform the same repeat functions for certain compare-string and
scan-string instructions. The repeat function uses rCX as a count register. The size of rCX is based on
address size, as shown in Table 1-4 on page 7.

REP. The REP prefix repeats its associated string instruction the number of times specified in the
counter register (rCX). It terminates the repetition when the value in rCX reaches 0. The prefix can be
used with the INS, LODS, MOVS, OUTS, and STOS instructions. Table 1-6 shows the valid REP
prefix opcodes.

Table 1-6. REP Prefix Opcodes

Mnemonic Opcode
REP INS reg/mem8, DX
F3 6C
REP INSB
REP INS reg/mem16/32, DX
REP INSW F3 6D
REP INSD
REP LODS mem8
F3 AC
REP LODSB
REP LODS mem16/32/64
REP LODSW
F3 AD
REP LODSD
REP LODSQ
REP MOVS mem8, mem8
F3 A4
REP MOVSB
REP MOVS mem16/32/64, mem16/32/64
REP MOVSW
F3 A5
REP MOVSD
REP MOVSQ
REP OUTS DX, reg/mem8
F3 6E
REP OUTSB

Instruction Formats 9
AMD64 Technology 24594—Rev. 3.14—September 2007

Table 1-6. REP Prefix Opcodes (continued)

Mnemonic Opcode
REP OUTS DX, reg/mem16/32
REP OUTSW F3 6F
REP OUTSD
REP STOS mem8
F3 AA
REP STOSB
REP STOS mem16/32/64
REP STOSW
F3 AB
REP STOSD
REP STOSQ

REPE and REPZ. REPE and REPZ are synonyms and have identical opcodes. These prefixes repeat
their associated string instruction the number of times specified in the counter register (rCX). The
repetition terminates when the value in rCX reaches 0 or when the zero flag (ZF) is cleared to 0. The
REPE and REPZ prefixes can be used with the CMPS, CMPSB, CMPSD, CMPSW, SCAS, SCASB,
SCASD, and SCASW instructions. Table 1-7 shows the valid REPE and REPZ prefix opcodes.

Table 1-7. REPE and REPZ Prefix Opcodes

Mnemonic Opcode
REPx CMPS mem8, mem8
F3 A6
REPx CMPSB
REPx CMPS mem16/32/64, mem16/32/64
REPx CMPSW
F3 A7
REPx CMPSD
REPx CMPSQ
REPx SCAS mem8
F3 AE
REPx SCASB
REPx SCAS mem16/32/64
REPx SCASW
F3 AF
REPx SCASD
REPx SCASQ

REPNE and REPNZ. REPNE and REPNZ are synonyms and have identical opcodes. These prefixes
repeat their associated string instruction the number of times specified in the counter register (rCX).
The repetition terminates when the value in rCX reaches 0 or when the zero flag (ZF) is set to 1. The
REPNE and REPNZ prefixes can be used with the CMPS, CMPSB, CMPSD, CMPSW, SCAS,
SCASB, SCASD, and SCASW instructions. Table 1-8 on page 11 shows the valid REPNE and
REPNZ prefix opcodes.

10 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

Table 1-8. REPNE and REPNZ Prefix Opcodes

Mnemonic Opcode
REPNx CMPS mem8, mem8
F2 A6
REPNx CMPSB
REPNx CMPS mem16/32/64, mem16/32/64
REPNx CMPSW
F2 A7
REPNx CMPSD
REPNx CMPSQ
REPNx SCAS mem8
F2 AE
REPNx SCASB
REPNx SCAS mem16/32/64
REPNx SCASW
F2 AF
REPNx SCASD
REPNx SCASQ

Instructions that Cannot Use Repeat Prefixes. In general, the repeat prefixes should only be used
in the string instructions listed in tables 1-6, 1-7, and 1-8, and in 128-bit or 64-bit media instructions.
When used in media instructions, the F2h and F3h prefixes act in a special way to modify the opcode
rather than cause a repeat operation. The result of using a 66h operand-size prefix along with an F2h or
F3h prefix in 128-bit or 64-bit media instructions is unpredictable.

Optimization of Repeats. Depending on the hardware implementation, the repeat prefixes can have a
setup overhead. If the repeated count is variable, the overhead can sometimes be avoided by substituting
a simple loop to move or store the data. Repeated string instructions can be expanded into equivalent
sequences of inline loads and stores or a sequence of stores can be used to emulate a REP STOS.
For repeated string moves, performance can be maximized by moving the largest possible operand
size. For example, use REP MOVSD rather than REP MOVSW and REP MOVSW rather than REP
MOVSB. Use REP STOSD rather than REP STOSW and REP STOSW rather than REP MOVSB.
Depending on the hardware implementation, string moves with the direction flag (DF) cleared to 0
(up) may be faster than string moves with DF set to 1 (down). DF = 1 is only needed for certain cases
of overlapping REP MOVS, such as when the source and the destination overlap.

1.2.7 REX Prefixes

REX prefixes are a group of instruction-prefix bytes that can be used only in 64-bit mode. They enable
access to the AMD64 register extensions. Figure 1-1 on page 1 and Figure 1-2 on page 2 show how a
REX prefix fits within the byte order of instructions. REX prefixes enable the following features in 64-
bit mode:
• Use of the extended GPR (Figure 2-3 on page 25) or XMM registers (Figure 2-8 on page 30).
• Use of the 64-bit operand size when accessing GPRs.

Instruction Formats 11
AMD64 Technology 24594—Rev. 3.14—September 2007

• Use of the extended control and debug registers, as described in “64-Bit-Mode Extended Control
Registers” in Volume 2 and “64-Bit-Mode Extended Debug Registers” in Volume 2.
• Use of the uniform byte registers (AL–R15).
Table 1-9 shows the REX prefixes. The value of a REX prefix is in the range 40h through 4Fh,
depending on the particular combination of AMD64 register extensions desired.

Table 1-9. REX Instruction Prefixes

Prefix Code
Prefix Type Mnemonic Description
(Hex)
REX.W
401
REX.R Access an AMD64 register
Register Extensions through
REX.X extension.
4F1
REX.B
Note:
1. See Table 1-11 for encoding of REX prefixes.

A REX prefix is normally required with an instruction that accesses a 64-bit GPR or one of the
extended GPR or XMM registers. Only a few instructions have an operand size that defaults to (or is
fixed at) 64 bits in 64-bit mode, and thus do not need a REX prefix. These exceptions to the normal
rule are listed in Table 1-10.

Table 1-10. Instructions Not Requiring REX Size Prefix in 64-Bit Mode
CALL (Near) POP reg/mem
ENTER POP reg
Jcc POP FS
JrCXZ POP GS
JMP (Near) POPFQ
LEAVE PUSH imm8
LGDT PUSH imm32
LIDT PUSH reg/mem
LLDT PUSH reg
LOOP PUSH FS
LOOPcc PUSH GS
LTR PUSHFQ
MOV CR(n) RET (Near)
MOV DR(n)

An instruction can have only one REX prefix, although the prefix can express several extension
features. If a REX prefix is used, it must immediately precede the first opcode byte in the instruction
format. Any other placement of a REX prefix, or any use of a REX prefix in an instruction that does

12 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

not access an extended register, is ignored. The legacy instruction-size limit of 15 bytes still applies to
instructions that contain a REX prefix.
REX prefixes are a set of sixteen values that span one row of the main opcode map and occupy entries
40h through 4Fh. Table 1-11 and Figure 1-3 on page 15 show the prefix fields and their uses.

Table 1-11. REX Prefix-Byte Fields

Mnemonic Bit Position Definition
— 7–4 0100
0 = Default operand size
REX.W 3
1 = 64-bit operand size
1-bit (high) extension of the ModRM reg
REX.R 2 field1, thus permitting access to 16
registers.

REX.X 1 1-bit (high) extension of the SIB index field1,

thus permitting access to 16 registers.
1-bit (high) extension of the ModRM r/m
REX.B 0 field1, SIB base field1, or opcode reg field,
thus permitting access to 16 registers.
Note:
1. For a description of the ModRM and SIB bytes, see “ModRM and SIB Bytes” on
page 17.

REX.W: Operand Width. Setting the REX.W bit to 1 specifies a 64-bit operand size. Like the
existing 66h operand-size prefix, the REX 64-bit operand-size override has no effect on byte
operations. For non-byte operations, the REX operand-size override takes precedence over the 66h
prefix. If a 66h prefix is used together with a REX prefix that has the REX.W bit set to 1, the 66h
prefix is ignored. However, if a 66h prefix is used together with a REX prefix that has the REX.W bit
cleared to 0, the 66h prefix is not ignored and the operand size becomes 16 bits.

REX.R: Register. The REX.R bit adds a 1-bit (high) extension to the ModRM reg field (page 17)
when that field encodes a GPR, XMM, control, or debug register. REX.R does not modify ModRM reg
when that field specifies other registers or opcodes. REX.R is ignored in such cases.

REX.X: Index. The REX.X bit adds a 1-bit (high) extension to the SIB index field (page 17).

REX.B: Base. The REX.B bit adds a 1-bit (high) extension to either the ModRM r/m field to specify
a GPR or XMM register, or to the SIB base field to specify a GPR. (See Table 2-2 on page 40 for more
about the REX.B bit.)

Encoding Examples. Figure 1-3 on page 15 shows four examples of how the R, X, and B bits of
REX prefixes are concatenated with fields from the ModRM byte, SIB byte, and opcode to specify
register and memory addressing. The R, X, and B bits are described in Table 1-11 on page 13.

Instruction Formats 13
AMD64 Technology 24594—Rev. 3.14—September 2007

Byte-Register Addressing. In the legacy architecture, the byte registers (AH, AL, BH, BL, CH, CL,
DH, and DL, shown in Figure 2-2 on page 24) are encoded in the ModRM reg or r/m field or in the
opcode reg field as registers 0 through 7. The REX prefix provides an additional byte-register
addressing capability that makes the least-significant byte of any GPR available for byte operations
(Figure 2-3 on page 25). This provides a uniform set of byte, word, doubleword, and quadword
registers better suited for register allocation by compilers.

Special Encodings for Registers. Readers who need to know the details of instruction encodings
should be aware that certain combinations of the ModRM and SIB fields have special meaning for
register encodings. For some of these combinations, the instruction fields expanded by the REX prefix
are not decoded (treated as don’t cares), thereby creating aliases of these encodings in the extended
registers. Table 1-12 on page 16 describes how each of these cases behaves.

Implications for INC and DEC Instructions. The REX prefix values are taken from the 16 single-
byte INC and DEC instructions, one for each of the eight GPRs. Therefore, these single-byte opcodes
for INC and DEC are not available in 64-bit mode, although they are available in legacy and
compatibility modes. The functionality of these INC and DEC instructions is still available in 64-bit
mode, however, using the ModRM forms of those instructions (opcodes FF /0 and FF /1).

14 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

Case 1: Register-Register Addressing (No Memory Operand)

ModRM Byte
REX Prefix Opcode mod reg r/m
4WRXB 11 rrr bbb REX.X is not used

4
4
Rrrr Bbbb

Case 2: Memory Addressing Without an SIB Byte

ModRM Byte
REX Prefix Opcode mod reg r/m
4WRXB !11 rrr bbb REX.X is not used
ModRM reg field != 100

4
4
Rrrr Bbbb

Case 3: Memory Addressing With an SIB Byte

ModRM Byte SIB Byte
REX Prefix Opcode mod reg r/m scale index base
4WRXB !11 rrr 100 bb xxx bbb

4 4
4
Rrrr Xxxx Bbbb

Case 4: Register Operand Coded in Opcode Byte

Opcode Byte
REX Prefix op reg
4WRXB bbb REX.R is not used
REX.X is not used

4
Bbbb 513-302.eps

Figure 1-3. Encoding Examples of REX-Prefix R, X, and B Bits

Instruction Formats 15
AMD64 Technology 24594—Rev. 3.14—September 2007

Table 1-12. Special REX Encodings for Registers

ModRM and SIB Implications in Legacy

Meaning in Legacy and Additional REX
and Compatibility
Encodings2 Compatibility Modes
Modes
Implications

REX prefix adds a fourth

bit (b), which is decoded
ModRM Byte:
and modifies the base
• mod ≠ 11 SIB byte is required for
SIB byte is present. register in the SIB byte.
ESP-based addressing.
Therefore, the SIB byte is
• r/m1 = 100 (ESP)
also required for R12-
based addressing.
REX prefix adds a fourth
Using EBP without a bit (x), which is not
ModRM Byte: displacement must be decoded (don’t care).
• mod = 00 done by setting mod = 01 Therefore, using RBP or
Base register is not used.
with a displacement of 0 R13 without a
• r/m1 = x101 (EBP) (with or without an index displacement must be
register). done via mod = 01 with a
displacement of 0.
REX prefix adds a fourth
bit (x), which is decoded.
Therefore, there are no
SIB Byte: ESP cannot be used as additional implications.
1
Index register is not used.
• index = x100 (ESP) an index register. The expanded index field
is used to distinguish RSP
from R12, allowing R12 to
be used as an index.
REX prefix adds a fourth
Base register depends on bit (b), which is not
mod encoding. Using decoded (don’t care).
SIB Byte: EBP with a scaled index Therefore, using RBP or
Base register is not used
• base = b101 (EBP) and without a R13 without a
if ModRM.mod = 00.
• ModRM.mod = 00 displacement must be displacement must be
done by setting mod = 01 done via mod = 01 with a
with a displacement of 0. displacement of 0 (with or
without an index register).
Note:
1. The REX-prefix bit is shown in the fourth (most-significant) bit position of the encodings for the ModRM r/m, SIB
index, and SIB base fields. The lower-case “x” for ModRM r/m (rather than the upper-case “B” shown in Figure 1-3
on page 15) indicates that the REX-prefix bit is not decoded (don’t care).
2. For a description of the ModRM and SIB bytes, see “ModRM and SIB Bytes” on page 17.

16 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

1.3 Opcode
Each instruction has a unique opcode, although assemblers can support multiple mnemonics for a
single instruction opcode. The opcode specifies the operation that the instruction performs and, in
certain cases, the kinds of operands it uses. An opcode consists of one or two bytes, but certain 128-bit
media instructions also use a prefix byte in a special way to modify the opcode. The 3-bit reg field of
the ModRM byte (“ModRM and SIB Bytes” on page 17) is also used in certain instructions either for
three additional opcode bits or for a register specification.

128-Bit and 64-Bit Media Instruction Opcodes. Many 128-bit and 64-bit media instructions
include a 66h, F2h, or F3h prefix byte in a special way to modify the opcode. These same byte values
can be used in certain general-purpose and x87 instructions to modify operand size (66h) or repeat the
operation (F2h, F3h). In 128-bit and 64-bit media instructions, however, such prefix bytes modify the
opcode. If a 128-bit or 64-bit media instruction uses one of these three prefixes, and also includes any
other prefix in the 66h, F2h, and F3h group, the result is unpredictable.
All opcodes for 64-bit media instructions begin with a 0Fh byte. In the case of 64-bit floating-point
(3DNow!) instructions, the 0Fh byte is followed by a second 0Fh opcode byte. A third opcode byte
occupies the same position at the end of a 3DNow! instruction as would an immediate byte. The value
of the immediate byte is shown as the third opcode byte-value in the syntax for each instruction in
“64-Bit Media Instruction Reference” in Volume 5. The format is:
0Fh 0Fh ModRM [SIB] [displacement] 3DNow!_third_opcode_byte

For details on opcode encoding, see Appendix A, “Opcode and Operand Encodings.”

1.4 ModRM and SIB Bytes

The ModRM byte is used in certain instruction encodings to:
• Define a register reference.
• Define a memory reference.
• Provide additional opcode bits with which to define the instruction’s function.
ModRM bytes have three fields—mod, reg, and r/m. The reg field provides additional opcode bits with
which to define the function of the instruction or one of its operands. The mod and r/m fields are used
together with each other and, in 64-bit mode, with the REX.R and REX.B bits of the REX prefix
(page 11), to specify the location of an instruction’s operands and certain of the possible addressing
modes (specifically, the non-complex modes).
Figure 1-4 on page 18 shows the format of a ModRM byte.

Instruction Formats 17
AMD64 Technology 24594—Rev. 3.14—September 2007

Bits: 7 6 5 4 3 2 1 0
mod reg r/m ModRM

REX.R bit of REX prefix can

extend this field to 4 bits

REX.B bit of REX prefix can

extend this field to 4 bits 513-305.eps

Figure 1-4. ModRM-Byte Format

In some instructions, the ModRM byte is followed by an SIB byte, which defines memory addressing
for the complex-addressing modes described in “Effective Addresses” in Volume 1. The SIB byte has
three fields—scale, index, and base—that define the scale factor, index-register number, and base-
register number for 32-bit and 64-bit complex addressing modes. In 64-bit mode, the REX.B and
REX.X bits extend the encoding of the SIB byte’s base and index fields.
Figure 1-5 shows the format of an SIB byte.

Bits: 7 6 5 4 3 2 1 0
scale index base SIB

REX.X bit of REX prefix can

extend this field to 4 bits

513-306.eps
REX.B bit of REX prefix can
extend this field to 4 bits

Figure 1-5. SIB-Byte Format

The encodings of ModRM and SIB bytes not only define memory-addressing modes, but they also
specify operand registers. The encodings do this by using 3-bit fields in the ModRM and SIB bytes,
depending on the format:
• ModRM: the reg and r/m fields of the ModRM byte. (Case 1 in Figure 1-3 on page 15 shows an
example of this).
• ModRM with SIB: the reg field of the ModRM byte and the base and index fields of the SIB byte.
(Case 3 in Figure 1-3 on page 15 shows an example of this).

18 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

• Instructions without ModRM: the reg field of the opcode. (Case 4 in Figure 1-3 on page 15 shows
an example of this).
In 64-bit mode, the bits needed to extend each field for accessing the additional registers are provided
by the REX prefixes, as shown in Figure 1-4 and Figure 1-5 on page 18.
For details on opcode encoding, see Appendix A, “Opcode and Operand Encodings.”

1.5 Displacement Bytes

A displacement (also called an offset) is a signed value that is added to the base of a code segment
(absolute addressing) or to an instruction pointer (relative addressing), depending on the addressing
mode. The size of a displacement is 1, 2, or 4 bytes. If an addressing mode requires a displacement, the
bytes (1, 2, or 4) for the displacement follow the opcode, ModRM, or SIB byte (whichever comes last)
in the instruction encoding.
In 64-bit mode, the same ModRM and SIB encodings are used to specify displacement sizes as those
used in legacy and compatibility modes. However, the displacement is sign-extended to 64 bits during
effective-address calculations. Also, in 64-bit mode, support is provided for some 64-bit displacement
and immediate forms of the MOV instruction. See “Immediate Operand Size” in Volume 1 for more
information on this.

1.6 Immediate Bytes

An immediate is a value—typically an operand value—encoded directly into the instruction.
Depending on the opcode and the operating mode, the size of an immediate operand can be 1, 2, 4, or 8
bytes. 64-bit immediates are allowed in 64-bit mode on MOV instructions that load GPRs, otherwise
they are limited to 4 bytes. See “Immediate Operand Size” in Volume 1 for more information.
If an instruction takes an immediate operand, the bytes (1, 2, 4, or 8) for the immediate follow the
opcode, ModRM, SIB, or displacement bytes (whichever come last) in the instruction encoding. Some
128-bit media instructions use the immediate byte as a condition code.

1.7 RIP-Relative Addressing

In 64-bit mode, addressing relative to the contents of the 64-bit instruction pointer (program
counter)—called RIP-relative addressing or PC-relative addressing—is implemented for certain
instructions. In such cases, the effective address is formed by adding the displacement to the 64-bit RIP
of the next instruction.
In the legacy x86 architecture, addressing relative to the instruction pointer is available only in control-
transfer instructions. In the 64-bit mode, any instruction that uses ModRM addressing can use RIP-
relative addressing. This feature is particularly useful for addressing data in position-independent code
and for code that addresses global data.

Instruction Formats 19
AMD64 Technology 24594—Rev. 3.14—September 2007

Without RIP-relative addressing, ModRM instructions address memory relative to zero. With RIP-
relative addressing, ModRM instructions can address memory relative to the 64-bit RIP using a signed
32-bit displacement. This provides an offset range of ±2 Gbytes from the RIP.
Programs usually have many references to data, especially global data, that are not register-based. To
load such a program, the loader typically selects a location for the program in memory and then adjusts
program references to global data based on the load location. RIP-relative addressing of data makes
this adjustment unnecessary.

1.7.1 Encoding
Table 1-13 shows the ModRM and SIB encodings for RIP-relative addressing. Redundant forms of 32-
bit displacement-only addressing exist in the current ModRM and SIB encodings. There is one
ModRM encoding with several SIB encodings. RIP-relative addressing is encoded using one of the
redundant forms. In 64-bit mode, the ModRM Disp32 (32-bit displacement) encoding is redefined to
be RIP + Disp32 rather than displacement-only.

Table 1-13. Encoding for RIP-Relative Addressing

ModRM and SIB Meaning in Legacy and Additional 64-bit
Meaning in 64-bit Mode
Encodings Compatibility Modes Implications
ModRM Byte: Zero-based (normal)
displacement addressing
• mod = 00 Disp32 RIP + Disp32
must use SIB form (see
• r/m = 101 (none) next row).
SIB Byte:
• base = 101 (none)
If mod = 00, Disp32 Same as Legacy None
• index = 100 (none)
• scale = 1, 2, 4,8

1.7.2 REX Prefix and RIP-Relative Addressing

ModRM encoding for RIP-relative addressing does not depend on a REX prefix. In particular, the r/m
encoding of 101, used to select RIP-relative addressing, is not affected by the REX prefix. For
example, selecting R13 (REX.B = 1, r/m = 101) with mod = 00 still results in RIP-relative addressing.
The four-bit r/m field of ModRM is not fully decoded. Therefore, in order to address R13 with no
displacement, software must encode it as R13 + 0 using a one-byte displacement of zero.

1.7.3 Address-Size Prefix and RIP-Relative Addressing

RIP-relative addressing is enabled by 64-bit mode, not by a 64-bit address-size. Conversely, use of the
address-size prefix (“Address-Size Override Prefix” on page 6) does not disable RIP-relative
addressing. The effect of the address-size prefix is to truncate and zero-extend the computed effective
address to 32 bits, like any other addressing mode.

20 Instruction Formats
24594—Rev. 3.14—September 2007 AMD64 Technology

2 Instruction Overview

2.1 Instruction Subsets

For easier reference, the instruction descriptions are divided into five instruction subsets. The
following sections describe the function, mnemonic syntax, opcodes, affected flags, and possible
exceptions generated by all instructions in the AMD64 architecture:
• Chapter 3, “General-Purpose Instruction Reference”—The general-purpose instructions are used
in basic software execution. Most of these load, store, or operate on data in the general-purpose
registers (GPRs), in memory, or in both. Other instructions are used to alter sequential program
flow by branching to other locations within the program or to entirely different programs.
• Chapter 4, “System Instruction Reference”—The system instructions establish the processor
operating mode, access processor resources, handle program and system errors, and manage
memory.
• “128-Bit Media Instruction Reference” in Volume 4—The 128-bit media instructions load, store,
or operate on data located in the 128-bit XMM registers. These instructions define both vector and
scalar operations on floating-point and integer data types. They include the SSE and SSE2
instructions that operate on the XMM registers. Some of these instructions convert source
operands in XMM registers to destination operands in GPR, MMX, or x87 registers or otherwise
affect XMM state.
• “64-Bit Media Instruction Reference” in Volume 5—The 64-bit media instructions load, store, or
operate on data located in the 64-bit MMX registers. These instructions define both vector and
scalar operations on integer and floating-point data types. They include the legacy MMX™
instructions, the 3DNow!™ instructions, and the AMD extensions to the MMX and 3DNow!
instruction sets. Some of these instructions convert source operands in MMX registers to
destination operands in GPR, XMM, or x87 registers or otherwise affect MMX state.
• “x87 Floating-Point Instruction Reference” in Volume 5—The x87 instructions are used in legacy
floating-point applications. Most of these instructions load, store, or operate on data located in the
x87 ST(0)–ST(7) stack registers (the FPR0–FPR7 physical registers). The remaining instructions
within this category are used to manage the x87 floating-point environment.
The description of each instruction covers its behavior in all operating modes, including legacy mode
(real, virtual-8086, and protected modes) and long mode (compatibility and 64-bit modes). Details of
certain kinds of complex behavior—such as control-flow changes in CALL, INT, or FXSAVE
instructions—have cross-references in the instruction-detail pages to detailed descriptions in volumes
1 and 2.
Two instructions—CMPSD and MOVSD—use the same mnemonic for different instructions.
Assemblers can distinguish them on the basis of the number and type of operands with which they are
used.

Instruction Overview 21
AMD64 Technology 24594—Rev. 3.14—September 2007

2.2 Reference-Page Format

Figure 2-1 on page 23 shows the format of an instruction-detail page. The instruction mnemonic is
shown in bold at the top-left, along with its name. In this example, POPFD is the mnemonic and POP
to EFLAGS Doubleword is the name. Next, there is a general description of the instruction’s operation.
Many descriptions have cross-references to more detail in other parts of the manual.
Beneath the general description, the mnemonic is shown again, together with the related opcode(s) and
a description summary. Related instructions are listed below this, followed by a table showing the flags
that the instruction can affect. Finally, each instruction has a summary of the possible exceptions that
can occur when executing the instruction. The columns labeled “Real” and “Virtual-8086” apply only
to execution in legacy mode. The column labeled “Protected” applies both to legacy mode and long
mode, because long mode is a superset of legacy protected mode.
The 128-bit and 64-bit media instructions also have diagrams illustrating the operation. A few
instructions have examples or pseudocode describing the action.

22 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic and any operands Opcode Description of operation

24594 Rev. 3.07 September 2003 AMD64 Technology

AAM ASCII Adjust After Multiply

Converts the value in the AL register from binary to two unpacked BCD digits in the
AH (most significant) and AL (least significant) registers using the following formula:
AH = (AL/10d)
AL = (AL mod 10d).

In most modern assemblers, the AAM instruction adjusts to base-10 values. However,
by coding the instruction directly in binary, it can adjust to any base specified by the
immediate byte value (ib) suffixed onto the D4h opcode. For example, code D408h for
octal, D40Ah for decimal, and D40Ch for duodecimal (base 12).

Using this instruction in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

AAM D4 0A Create a pair of unpacked BCD values in AH and AL.

(Invalid in 64-bit mode.)
(None) D4 ib Create a pair of unpacked values to the immediate byte base.
(Invalid in 64-bit mode.)

Related Instructions “M” means the flag is either set or

cleared, depending on the result.
AAA, AAD, AAS

rFLAGS Affected

ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U M M U M U
21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M. Unaffected flags are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Divide by zero, #DE X X X 8-bit immediate value was 0.
Invalid opcode, #UD X This instruction was executed in 64-bit mode.

AAM 63

Possible exceptions “Protected” column Alphabetic mnemonic locator

and causes, by mode of covers both legacy
operation and long mode

Figure 2-1. Format of Instruction-Detail Pages

Instruction Overview 23
AMD64 Technology 24594—Rev. 3.14—September 2007

2.3 Summary of Registers and Data Types

This section summarizes the registers available to software using the five instruction subsets described
in “Instruction Subsets” on page 21. For details on the organization and use of these registers, see their
respective chapters in volumes 1 and 2.

2.3.1 General-Purpose Instructions

Registers. The size and number of general-purpose registers (GPRs) depends on the operating mode,
as do the size of the flags and instruction-pointer registers. Figure 2-2 shows the registers available in
legacy and compatibility modes.

register high low

encoding 8-bit 8-bit 16-bit 32-bit

0 AH (4) AL AX EAX
3 BH (7) BL BX EBX
1 CH (5) CL CX ECX
2 DH (6) DL DX EDX
6 SI SI ESI
7 DI DI EDI
5 BP BP EBP
4 SP SP ESP
31 16 15 0

FLAGS FLAGS EFLAGS

IP IP EIP
31 0

513-311.eps

Figure 2-2. General Registers in Legacy and Compatibility Modes

Figure 2-3 on page 25 shows the registers accessible in 64-bit mode. Compared with legacy mode,
registers become 64 bits wide, eight new data registers (R8–R15) are added and the low byte of all 16
GPRs is available for byte operations, and the four high-byte registers of legacy mode (AH, BH, CH,
and DH) are not available if the REX prefix is used. The high 32 bits of doubleword operands are zero-
extended to 64 bits, but the high bits of word and byte operands are not modified by operations in 64-

24 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

bit mode. The RFLAGS register is 64 bits wide, but the high 32 bits are reserved. They can be written
with anything but they read as zeros (RAZ).

not modified for 8-bit operands

not modified for 16-bit operands
register zero-extended low
encoding for 32-bit operands 8-bit 16-bit 32-bit 64-bit

0 AH* AL AX EAX RAX

3 BH* BL BX EBX RBX

1 CH* CL CX ECX RCX

2 DH* DL DX EDX RDX

6 SIL** SI ESI RSI

7 DIL** DI EDI RDI

5 BPL** BP EBP RBP

4 SPL** SP ESP RSP

8 R8B R8W R8D R8

9 R9B R9W R9D R9

10 R10B R10W R10D R10

11 R11B R11W R11D R11

12 R12B R12W R12D R12

13 R13B R13W R13D R13

14 R14B R14W R14D R14

15 R15B R15W R15D R15

63 32 31 16 15 8 7 0

0 RFLAGS 513-309.eps

RIP
63 32 31 0 * Not addressable when
a REX prefix is used.
** Only addressable when
a REX prefix is used.

Figure 2-3. General Registers in 64-Bit Mode

For most instructions running in 64-bit mode, access to the extended GPRs requires a REX instruction
prefix (page 11).

Instruction Overview 25
AMD64 Technology 24594—Rev. 3.14—September 2007

Figure 2-4 shows the segment registers which, like the instruction pointer, are used by all instructions.
In legacy and compatibility modes, all segments are accessible. In 64-bit mode, which uses the flat
(non-segmented) memory model, only the CS, FS, and GS segments are recognized, whereas the
contents of the DS, ES, and SS segment registers are ignored (the base for each of these segments is
assumed to be zero, and neither their segment limit nor attributes are checked). For details, see
“Segmented Virtual Memory” in Volume 2.

Legacy Mode and 64-Bit

Compatibility Mode Mode

CS CS
(Attributes only)

DS ignored

ES ignored

FS FS
(Base only)

GS GS
(Base only)

SS ignored
15 0 15 0
513-312.eps

Figure 2-4. Segment Registers

Data Types. Figure 2-5 on page 27 shows the general-purpose data types. They are all scalar, integer
data types. The 64-bit (quadword) data types are only available in 64-bit mode, and for most
instructions they require a REX instruction prefix.

26 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

Signed Integer
127 0
s 16 bytes (64-bit mode only) Double
Quadword
s 8 bytes (64-bit mode only) Quadword
63 s 4 bytes Doubleword
31 s 2 bytes Word
15 s Byte
7 0

Unsigned Integer
127 0

16 bytes (64-bit mode only) Double

Quadword
8 bytes (64-bit mode only) Quadword
63 4 bytes Doubleword
31 2 bytes Word
15 Byte

Packed BCD

BCD Digit
7 3 Bit
513-326.eps
0

Figure 2-5. General-Purpose Data Types

2.3.2 System Instructions

Registers. The system instructions use several specialized registers shown in Figure 2-6 on page 28.
System software uses these registers to, among other things, manage the processor’s operating
environment, define system resource characteristics, and monitor software execution. With the
exception of the RFLAGS register, system registers can be read and written only from privileged
software.
All system registers are 64 bits wide, except for the descriptor-table registers and the task register,
which include 64-bit base-address fields and other fields.

Instruction Overview 27
AMD64 Technology 24594—Rev. 3.14—September 2007

Control Registers Extended-Feature-Enable Register Memory-Typing Registers

CR0 EFER MTRRcap
CR2 MTRRdefType
CR3 System-Configuration Register MTRRphysBasen
CR4 SYSCFG MTRRphysMaskn
CR8 MTRRfixn
System-Linkage Registers PAT
STAR TOP_MEM
System-Flags Register
LSTAR TOP_MEM2
RFLAGS
CSTAR
Performance-Monitoring Registers
SFMASK
FS.base TSC
Debug Registers
GS.base PerfEvtSeln
DR0
KernelGSbase PerfCtrn
DR1
DR2 SYSENTER_CS
SYSENTER_ESP Machine-Check Registers
DR3
DR6 SYSENTER_EIP MCG_CAP

DR7 MCG_STAT

Debug-Extension Registers MCG_CTL

MCi_CTL
DebugCtlMSR
Descriptor-Table Registers MCi_STATUS
LastBranchFromIP
GDTR MCi_ADDR
LastBranchToIP
IDTR MCi_MISC
LastIntFromIP
LDTR
LastIntToIP

Task Register Model-Specific Registers

TR
513-260.eps

Figure 2-6. System Registers

Data Structures. Figure 2-7 on page 29 shows the system data structures. These are created and
maintained by system software for use in protected mode. A processor running in protected mode uses
these data structures to manage memory and protection, and to store program-state information when
an interrupt or task switch occurs.

28 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

Segment Descriptors (Contained in Descriptor Tables) Task-State Segment

Code Gate

Stack Task-State Segment

Data Local-Descriptor Table

Descriptor Tables

Global-Descriptor Table Interrupt-Descriptor Table Local-Descriptor Table

Descriptor Gate Descriptor Descriptor
Descriptor Gate Descriptor Descriptor
... ... ...
Descriptor Gate Descriptor Descriptor

Page-Translation Tables

Page-Map Level-4 Page-Directory Pointer Page Directory Page Table

513-261.eps

Figure 2-7. System Data Structures

2.3.3 128-Bit Media Instructions

Registers. The 128-bit media instructions use the 128-bit XMM registers. The number of available
XMM data registers depends on the operating mode, as shown in Figure 2-8 on page 30. In legacy and
compatibility modes, the eight legacy XMM data registers (XMM0–XMM7) are available. In 64-bit
mode, eight additional XMM data registers (XMM8–XMM15) are available when a REX instruction
prefix is used.
The MXCSR register contains floating-point and other control and status flags used by the 128-bit
media instructions. Some 128-bit media instructions also use the GPR (Figure 2-2 and Figure 2-3) and

Instruction Overview 29
AMD64 Technology 24594—Rev. 3.14—September 2007

the MMX registers (Figure 2-10 on page 32) or set or clear flags in the rFLAGS register (see
Figure 2-2 and Figure 2-3).

XMM Data Registers

127 0

xmm0

xmm1

xmm2

xmm3

xmm4

xmm5

xmm6

xmm7

xmm8

xmm9

xmm10

xmm11

xmm12

xmm13

xmm14

xmm15

Available in all modes

128-Bit Media Control and Status Register MXCSR
Available only in 64-bit mode
31 0
513-314.eps

Figure 2-8. 128-Bit Media Registers

Data Types. Figure 2-9 on page 31 shows the 128-bit media data types. They include floating-point
and integer vectors and floating-point scalars. The floating-point data types include IEEE-754 single
precision and double precision types.

30 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

Vector (Packed) Floating-Point Double Precision and Single Precision

127 115 63 51 0
ss exp significand ss exp significand
ss exp significand ss exp significand ss exp significand ss exp significand
127 118 95 86 63 54 31 22 0

Vector (Packed) Signed Integer Quadword, Doubleword, Word, Byte

ss quadword ss quadword
ss doubleword ss doubleword ss doubleword ss doubleword
ss word ss word ss word ss word ss word ss word ss word ss word
ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte
127 119 111 103 95 87 79 71 63 55 47 39 31 23 15 7 0

Vector (Packed) Unsigned Integer Quadword, Doubleword, Word, Byte

quadword quadword

doubleword doubleword doubleword doubleword

word word word word word word word word

byte byte byte byte byte byte byte byte byte byte byte byte byte byte byte byte
127 119 111 103 95 87 79 71 63 55 47 39 31 23 15 7 0

Scalar Floating-Point Double Precision and Single Precision

ss exp significand
63 51 ss exp significand
31 22 0
Scalar Unsigned Integers

127 double quadword 0

127 quadword
63 doubleword
31 word
15 byte
7
bit
513-316.eps 0

Figure 2-9. 128-Bit Media Data Types

Instruction Overview 31
AMD64 Technology 24594—Rev. 3.14—September 2007

2.3.4 64-Bit Media Instructions

Registers. The 64-bit media instructions use the eight 64-bit MMX registers, as shown in
Figure 2-10. These registers are mapped onto the x87 floating-point registers, and 64-bit media
instructions write the x87 tag word in a way that prevents an x87 instruction from using MMX data.
Some 64-bit media instructions also use the GPR (Figure 2-2 and Figure 2-3) and the XMM registers
(Figure 2-8).

MMX Data Registers

63 0

mmx0

mmx1

mmx2

mmx3

mmx4

mmx5

mmx6

mmx7

513-327.eps

Figure 2-10. 64-Bit Media Registers

Data Types. Figure 2-11 on page 33 shows the 64-bit media data types. They include floating-point
and integer vectors and integer scalars. The floating-point data type, used by 3DNow! instructions,
consists of a packed vector or two IEEE-754 32-bit single-precision data types. Unlike other kinds of
floating-point instructions, however, the 3DNow!™ instructions do not generate floating-point
exceptions. For this reason, there is no register for reporting or controlling the status of exceptions in
the 64-bit-media instruction subset.

32 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

Vector (Packed) Single-Precision Floating-Point

ss exp significand ss exp significand

63 54 31 22 0

Vector (Packed) Signed Integers

ss doubleword ss doubleword
ss word ss word ss word ss word
ss byte ss byte ss byte ss byte ss byte ss byte ss byte ss byte
63 55 47 39 31 23 15 7 0

Vector (Packed) Unsigned Integers

doubleword doubleword

word word word word

byte byte byte byte byte byte byte byte

63 55 47 39 31 23 15 7 0

Signed Integers
s quadword
63 s doubleword
31 s word
15 s byte
7 0

Unsigned Integers

quadword
63 doubleword
31 word
15 byte
7

513-319.eps 0

Figure 2-11. 64-Bit Media Data Types

Instruction Overview 33
AMD64 Technology 24594—Rev. 3.14—September 2007

2.3.5 x87 Floating-Point Instructions

Registers. The x87 floating-point instructions use the x87 registers shown in Figure 2-12. There are
eight 80-bit data registers, three 16-bit registers that hold the x87 control word, status word, and tag
word, and three registers (last instruction pointer, last opcode, last data pointer) that hold information
about the last x87 operation.
The physical data registers are named FPR0–FPR7, although x87 software references these registers as
a stack of registers, named ST(0)–ST(7). The x87 instructions store operands only in their own 80-bit
floating-point registers or in memory. They do not access the GPR or XMM registers.

x87 Data Registers

79 0

fpr0

fpr1

fpr2

fpr3

fpr4

fpr5

fpr6

fpr7

Instruction Pointer (rIP) Control

ControlWord
Word
Data Pointer (rDP) Status
StatusWord
Word
63 Opcode Tag
TagWord
Word
10 0 15 0
513-321.eps

Figure 2-12. x87 Registers

Data Types. Figure 2-13 on page 35 shows all x87 data types. They include three floating-point
formats (80-bit double-extended precision, 64-bit double precision, and 32-bit single precision), three
signed-integer formats (quadword, doubleword, and word), and an 80-bit packed binary-coded
decimal (BCD) format.

34 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

Floating-Point
79 63 0
Double-Extended
s exp i significand Precision
79 s exp significand Double Precision
63 51 s exp significand Single Precision
31 22 0

Signed Integer

s 8 bytes Quadword
63 4 bytes
s Doubleword
31 s 2 bytes Word
15 0

Binary-Coded Decimal (BCD)

ss Packed Decimal
79 71 0
513-317.eps

Figure 2-13. x87 Data Types

2.4 Summary of Exceptions

Table 2-1 on page 36 lists all possible exceptions. The table shows the interrupt-vector numbers,
names, mnemonics, source, and possible causes. Exceptions that apply to specific instructions are
documented with each instruction in the instruction-detail pages that follow.

Instruction Overview 35
AMD64 Technology 24594—Rev. 3.14—September 2007

Table 2-1. Interrupt-Vector Source and Cause

Vector Interrupt (Exception) Mnemonic Source Cause
0 Divide-By-Zero-Error #DE Software DIV, IDIV, AAM instructions
1 Debug #DB Internal Instruction accesses and data accesses
2 Non-Maskable-Interrupt #NMI External External NMI signal
3 Breakpoint #BP Software INT3 instruction
4 Overflow #OF Software INTO instruction
5 Bound-Range #BR Software BOUND instruction
6 Invalid-Opcode #UD Internal Invalid instructions
7 Device-Not-Available #NM Internal x87 instructions
8 Double-Fault #DF Internal Interrupt during an interrupt
9 Coprocessor-Segment-Overrun — External Unsupported (reserved)
Task-state segment access and task
10 Invalid-TSS #TS Internal
switch
11 Segment-Not-Present #NP Internal Segment access through a descriptor
12 Stack #SS Internal SS register loads and stack references
Memory accesses and protection
13 General-Protection #GP Internal
checks
Memory accesses when paging
14 Page-Fault #PF Internal
enabled
15 Reserved —
Floating-Point Exception- x87 floating-point and 64-bit media
16 #MF Software
Pending floating-point instructions
17 Alignment-Check #AC Internal Memory accesses
Internal
18 Machine-Check #MC Model specific
External
19 SIMD Floating-Point #XF Internal 128-bit media floating-point instructions
20—29 Reserved (Internal and External) —
30 SVM Security Exception #SX External Security-Sensitive Events
31 Reserved (Internal and External) —
0—255 External Interrupts (Maskable) #INTR External External interrupt signal
0—255 Software Interrupts — Software INTn instruction

36 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

2.5 Notation
2.5.1 Mnemonic Syntax
Each instruction has a syntax that includes the mnemonic and any operands that the instruction can
take. Figure 2-14 shows an example of a syntax in which the instruction takes two operands. In most
instructions that take two operands, the first (left-most) operand is both a source operand (the first
source operand) and the destination operand. The second (right-most) operand serves only as a source,
not a destination.

ADDPD xmm1, xmm2/mem128

Mnemonic

First Source Operand

and Destination Operand

Second Source Operand 513-322.eps

Figure 2-14. Syntax for Typical Two-Operand Instruction

The following notation is used to denote the size and type of source and destination operands:
• cReg—Control register.
• dReg—Debug register.
• imm8—Byte (8-bit) immediate.
• imm16—Word (16-bit) immediate.
• imm16/32—Word (16-bit) or doubleword (32-bit) immediate.
• imm32—Doubleword (32-bit) immediate.
• imm32/64—Doubleword (32-bit) or quadword (64-bit) immediate.
• imm64—Quadword (64-bit) immediate.
• mem—An operand of unspecified size in memory.
• mem8—Byte (8-bit) operand in memory.
• mem16—Word (16-bit) operand in memory.
• mem16/32—Word (16-bit) or doubleword (32-bit) operand in memory.
• mem32—Doubleword (32-bit) operand in memory.
• mem32/48—Doubleword (32-bit) or 48-bit operand in memory.
• mem48—48-bit operand in memory.

Instruction Overview 37
AMD64 Technology 24594—Rev. 3.14—September 2007

• mem64—Quadword (64-bit) operand in memory.

• mem128—Double quadword (128-bit) operand in memory.
• mem16:16—Two sequential word (16-bit) operands in memory.
• mem16:32—A doubleword (32-bit) operand followed by a word (16-bit) operand in memory.
• mem32real—Single-precision (32-bit) floating-point operand in memory.
• mem32int—Doubleword (32-bit) integer operand in memory.
• mem64real—Double-precision (64-bit) floating-point operand in memory.
• mem64int—Quadword (64-bit) integer operand in memory.
• mem80real—Double-extended-precision (80-bit) floating-point operand in memory.
• mem80dec—80-bit packed BCD operand in memory, containing 18 4-bit BCD digits.
• mem2env—16-bit x87 control word or x87 status word.
• mem14/28env—14-byte or 28-byte x87 environment. The x87 environment consists of the x87
control word, x87 status word, x87 tag word, last non-control instruction pointer, last data pointer,
and opcode of the last non-control instruction completed.
• mem94/108env—94-byte or 108-byte x87 environment and register stack.
• mem512env—512-byte environment for 128-bit media, 64-bit media, and x87 instructions.
• mmx—Quadword (64-bit) operand in an MMX register.
• mmx1—Quadword (64-bit) operand in an MMX register, specified as the left-most (first) operand
in the instruction syntax.
• mmx2—Quadword (64-bit) operand in an MMX register, specified as the right-most (second)
operand in the instruction syntax.
• mmx/mem32—Doubleword (32-bit) operand in an MMX register or memory.
• mmx/mem64—Quadword (64-bit) operand in an MMX register or memory.
• mmx1/mem64—Quadword (64-bit) operand in an MMX register or memory, specified as the left-
most (first) operand in the instruction syntax.
• mmx2/mem64—Quadword (64-bit) operand in an MMX register or memory, specified as the right-
most (second) operand in the instruction syntax.
• moffset—Direct memory offset that specifies an operand in memory.
• moffset8—Direct memory offset that specifies a byte (8-bit) operand in memory.
• moffset16—Direct memory offset that specifies a word (16-bit) operand in memory.
• moffset32—Direct memory offset that specifies a doubleword (32-bit) operand in memory.
• moffset64—Direct memory offset that specifies a quadword (64-bit) operand in memory.
• pntr16:16—Far pointer with 16-bit selector and 16-bit offset.
• pntr16:32—Far pointer with 16-bit selector and 32-bit offset.
• reg—Operand of unspecified size in a GPR register.
• reg8—Byte (8-bit) operand in a GPR register.

38 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

• reg16—Word (16-bit) operand in a GPR register.

• reg16/32—Word (16-bit) or doubleword (32-bit) operand in a GPR register.
• reg32—Doubleword (32-bit) operand in a GPR register.
• reg64—Quadword (64-bit) operand in a GPR register.
• reg/mem8—Byte (8-bit) operand in a GPR register or memory.
• reg/mem16—Word (16-bit) operand in a GPR register or memory.
• reg/mem32—Doubleword (32-bit) operand in a GPR register or memory.
• reg/mem64—Quadword (64-bit) operand in a GPR register or memory.
• rel8off—Signed 8-bit offset relative to the instruction pointer.
• rel16off—Signed 16-bit offset relative to the instruction pointer.
• rel32off—Signed 32-bit offset relative to the instruction pointer.
• segReg or sReg—Word (16-bit) operand in a segment register.
• ST(0)—x87 stack register 0.
• ST(i)—x87 stack register i, where i is between 0 and 7.
• xmm—Double quadword (128-bit) operand in an XMM register.
• xmm1—Double quadword (128-bit) operand in an XMM register, specified as the left-most (first)
operand in the instruction syntax.
• xmm2—Double quadword (128-bit) operand in an XMM register, specified as the right-most
(second) operand in the instruction syntax.
• xmm/mem64—Quadword (64-bit) operand in a 128-bit XMM register or memory.
• xmm/mem128—Double quadword (128-bit) operand in an XMM register or memory.
• xmm1/mem128—Double quadword (128-bit) operand in an XMM register or memory, specified as
the left-most (first) operand in the instruction syntax.
• xmm2/mem128—Double quadword (128-bit) operand in an XMM register or memory, specified as
the right-most (second) operand in the instruction syntax.

2.5.2 Opcode Syntax

In addition to the notation shown above in “Mnemonic Syntax” on page 37, the following notation
indicates the size and type of operands in the syntax of an instruction opcode:
• /digit—Indicates that the ModRM byte specifies only one register or memory (r/m) operand. The
digit is specified by the ModRM reg field and is used as an instruction-opcode extension. Valid
digit values range from 0 to 7.
• /r—Indicates that the ModRM byte specifies both a register operand and a reg/mem (register or
memory) operand.
• cb, cw, cd, cp—Specifies a code-offset value and possibly a new code-segment register value. The
value following the opcode is either one byte (cb), two bytes (cw), four bytes (cd), or six bytes (cp).

Instruction Overview 39
AMD64 Technology 24594—Rev. 3.14—September 2007

• ib, iw, id, iq—Specifies an immediate-operand value. The opcode determines whether the value is
signed or unsigned. The value following the opcode, ModRM, or SIB byte is either one byte (ib),
two bytes (iw), or four bytes (id). Word and doubleword values start with the low-order byte.
• +rb, +rw, +rd, +rq—Specifies a register value that is added to the hexadecimal byte on the left,
forming a one-byte opcode. The result is an instruction that operates on the register specified by the
register code. Valid register-code values are shown in Table 2-2.
• m64—Specifies a quadword (64-bit) operand in memory.
• +i—Specifies an x87 floating-point stack operand, ST(i). The value is used only with x87 floating-
point instructions. It is added to the hexadecimal byte on the left, forming a one-byte opcode. Valid
values range from 0 to 7.

Table 2-2. +rb, +rw, +rd, and +rq Register Value

REX.B Specified Register
Value
Bit1 +rb +rw +rd +rq
0 AL AX EAX RAX
1 CL CX ECX RCX
2 DL DX EDX RDX
0 3 BL BX EBX RBX
or no REX
Prefix 4 AH, SPL1 SP ESP RSP
1
5 CH, BPL BP EBP RBP
1
6 DH, SIL SI ESI RSI
7 BH, DIL1 DI EDI RDI
0 R8B R8W R8D R8
1 R9B R9W R9D R9
2 R10B R10W R10D R10
3 R11B R11W R11D R11
1
4 R12B R12W R12D R12
5 R13B R13W R13D R13
6 R14B R14W R14D R14
7 R15B R15W R15D R15
1. See “REX Prefixes” on page 11.

40 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

2.5.3 Pseudocode Definitions

Pseudocode examples are given for the actions of several complex instructions (for example, see
“CALL (Near)” on page 76). The following definitions apply to all such pseudocode examples:

/////////////////////////////////////////////////////////////////////////////////
// Basic Definitions
/////////////////////////////////////////////////////////////////////////////////

// All comments start with these double slashes.

REAL_MODE = (cr0.pe=0)
PROTECTED_MODE = ((cr0.pe=1) && (rflags.vm=0))
VIRTUAL_MODE = ((cr0.pe=1) && (rflags.vm=1))
LEGACY_MODE = (efer.lma=0)
LONG_MODE = (efer.lma=1)
64BIT_MODE = ((efer.lma=1) && (cs.L=1) && (cs.d=0))
COMPATIBILITY_MODE = (efer.lma=1) && (cs.L=0)
PAGING_ENABLED = (cr0.pg=1)
ALIGNMENT_CHECK_ENABLED = ((cr0.am=1) && (eflags.ac=1) && (cpl=3))
CPL = the current privilege level (0-3)
OPERAND_SIZE = 16, 32, or 64 (depending on current code and 66h/rex prefixes)
ADDRESS_SIZE = 16, 32, or 64 (depending on current code and 67h prefixes)
STACK_SIZE = 16, 32, or 64 (depending on current code and SS.attr.B)

old_RIP = RIP at the start of current instruction

old_RSP = RSP at the start of current instruction
old_RFLAGS = RFLAGS at the start of the instruction
old_CS = CS selector at the start of current instruction
old_DS = DS selector at the start of current instruction
old_ES = ES selector at the start of current instruction
old_FS = FS selector at the start of current instruction
old_GS = GS selector at the start of current instruction
old_SS = SS selector at the start of current instruction

RIP = the current RIP register

RSP = the current RSP register
RBP = the current RBP register
RFLAGS = the current RFLAGS register
next_RIP = RIP at start of next instruction

CS = the current CS descriptor, including the subfields:

sel base limit attr
SS = the current SS descriptor, including the subfields:
sel base limit attr

SRC = the instruction’s Source operand

DEST = the instruction’s Destination operand

temp_* // 64-bit temporary register

Instruction Overview 41
AMD64 Technology 24594—Rev. 3.14—September 2007

temp_*_desc // temporary descriptor, with subfields:

// if it points to a block of memory: sel base limit attr
// if it’s a gate descriptor: sel offset segment attr

NULL = 0x0000 // null selector is all zeros

// V,Z,A,S are integer variables, assigned a value when an instruction begins

// executing (they can be assigned a different value in the middle of an
// instruction, if needed)

V = 2 if OPERAND_SIZE=16
4 if OPERAND_SIZE=32
8 if OPERAND_SIZE=64

Z = 2 if OPERAND_SIZE=16
4 if OPERAND_SIZE=32
4 if OPERAND_SIZE=64

A = 2 if ADDRESS_SIZE=16
4 if ADDRESS_SIZE=32
8 if ADDRESS_SIZE=64

S = 2 if STACK_SIZE=16
4 if STACK_SIZE=32
8 if STACK_SIZE=64

/////////////////////////////////////////////////////////////////////////////////
// Bit Range Inside a Register
/////////////////////////////////////////////////////////////////////////////////

temp_data.[X:Y] // Bit X through Y in temp_data, with the other bits

// in the register masked off.

/////////////////////////////////////////////////////////////////////////////////
// Moving Data From One Register To Another
/////////////////////////////////////////////////////////////////////////////////

temp_dest.b = temp_src // 1-byte move (copies lower 8 bits of temp_src to

// temp_dest, preserving the upper 56 bits of temp_dest)
temp_dest.w = temp_src // 2-byte move (copies lower 16 bits of temp_src to
// temp_dest, preserving the upper 48 bits of temp_dest)
temp_dest.d = temp_src // 4-byte move (copies lower 32 bits of temp_src to
// temp_dest, and zeros out the upper 32 bits of temp_dest)
temp_dest.q = temp_src // 8-byte move (copies all 64 bits of temp_src to
// temp_dest)

temp_dest.v = temp_src // 2-byte move if V=2,

// 4-byte move if V=4,
// 8-byte move if V=8

42 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

temp_dest.z = temp_src // 2-byte move if Z=2,

// 4-byte move if Z=4

temp_dest.a = temp_src // 2-byte move if A=2,

// 4-byte move if A=4,
// 8-byte move if A=8

temp_dest.s = temp_src // 2-byte move if S=2,

// 4-byte move if S=4,
// 8-byte move if S=8

/////////////////////////////////////////////////////////////////////////////////
// Bitwise Operations
/////////////////////////////////////////////////////////////////////////////////

temp = a AND b
temp = a OR b
temp = a XOR b
temp = NOT a
temp = a SHL b
temp = a SHR b

/////////////////////////////////////////////////////////////////////////////////
// Logical Operations
/////////////////////////////////////////////////////////////////////////////////

IF (FOO && BAR)

IF (FOO || BAR)
IF (FOO = BAR)
IF (FOO != BAR)
IF (FOO > BAR)
IF (FOO < BAR)
IF (FOO >= BAR)
IF (FOO <= BAR)

/////////////////////////////////////////////////////////////////////////////////
// IF-THEN-ELSE
/////////////////////////////////////////////////////////////////////////////////

IF (FOO)
...

IF (FOO)
...
ELSIF (BAR)
...
ELSE

Instruction Overview 43
AMD64 Technology 24594—Rev. 3.14—September 2007

...

IF ((FOO && BAR) || (CONE && HEAD))

...

/////////////////////////////////////////////////////////////////////////////////
// Exceptions
/////////////////////////////////////////////////////////////////////////////////

EXCEPTION [#GP(0)] // error code in parenthesis

EXCEPTION [#UD] // if no error code

possible exception types:

#DE // Divide-By-Zero-Error Exception (Vector 0)

#DB // Debug Exception (Vector 1)
#BP // INT3 Breakpoint Exception (Vector 3)
#OF // INTO Overflow Exception (Vector 4)
#BR // Bound-Range Exception (Vector 5)
#UD // Invalid-Opcode Exception (Vector 6)
#NM // Device-Not-Available Exception (Vector 7)
#DF // Double-Fault Exception (Vector 8)
#TS // Invalid-TSS Exception (Vector 10)
#NP // Segment-Not-Present Exception (Vector 11)
#SS // Stack Exception (Vector 12)
#GP // General-Protection Exception (Vector 13)
#PF // Page-Fault Exception (Vector 14)
#MF // x87 Floating-Point Exception-Pending (Vector 16)
#AC // Alignment-Check Exception (Vector 17)
#MC // Machine-Check Exception (Vector 18)
#XF // SIMD Floating-Point Exception (Vector 19)

/////////////////////////////////////////////////////////////////////////////////
// READ_MEM
// General memory read. This zero-extends the data to 64 bits and returns it.
/////////////////////////////////////////////////////////////////////////////////

usage:
temp = READ_MEM.x [seg:offset] // where x is one of {v, z, b, w, d, q}
// and denotes the size of the memory read

definition:

IF ((seg AND 0xFFFC) = NULL) // GP fault for using a null segment to

// reference memory
EXCEPTION [#GP(0)]

IF ((seg=CS) || (seg=DS) || (seg=ES) || (seg=FS) || (seg=GS))

// CS,DS,ES,FS,GS check for segment limit or canonical

44 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

IF ((!64BIT_MODE) && (offset is outside seg’s limit))

EXCEPTION [#GP(0)]
// #GP fault for segment limit violation in non-64-bit mode
IF ((64BIT_MODE) && (offset is non-canonical))
EXCEPTION [#GP(0)]
// #GP fault for non-canonical address in 64-bit mode
ELSIF (seg=SS) // SS checks for segment limit or canonical
IF ((!64BIT_MODE) && (offset is outside seg’s limit))
EXCEPTION [#SS(0)]
// stack fault for segment limit violation in non-64-bit mode
IF ((64BIT_MODE) && (offset is non-canonical))
EXCEPTION [#SS(0)]
// stack fault for non-canonical address in 64-bit mode
ELSE // ((seg=GDT) || (seg=LDT) || (seg=IDT) || (seg=TSS))
// GDT,LDT,IDT,TSS check for segment limit and canonical
IF (offset > seg.limit)
EXCEPTION [#GP(0)] // #GP fault for segment limit violation
// in all modes
IF ((LONG_MODE) && (offset is non-canonical))
EXCEPTION [#GP(0)] // #GP fault for non-canonical address in long mode

IF ((ALIGNMENT_CHECK_ENABLED) && (offset misaligned, considering its

size and alignment))
EXCEPTION [#AC(0)]

IF ((64_bit_mode) && ((seg=CS) || (seg=DS) || (seg=ES) || (seg=SS))

temp_linear = offset
ELSE
temp_linear = seg.base + offset

IF ((PAGING_ENABLED) && (virtual-to-physical translation for temp_linear

results in a page-protection violation))
EXCEPTION [#PF(error_code)] // page fault for page-protection violation
// (U/S violation, Reserved bit violation)

IF ((PAGING_ENABLED) && (temp_linear is on a not-present page))

EXCEPTION [#PF(error_code)] // page fault for not-present page

temp_data = memory [temp_linear].x // zero-extends the data to 64

// bits, and saves it in temp_data

RETURN (temp_data) // return the zero-extended data

/////////////////////////////////////////////////////////////////////////////////
// WRITE_MEM // General memory write
/////////////////////////////////////////////////////////////////////////////////

usage:
WRITE_MEM.x [seg:offset] = temp.x // where <X> is one of these:
// {V, Z, B, W, D, Q} and denotes the

Instruction Overview 45
AMD64 Technology 24594—Rev. 3.14—September 2007

// size of the memory write

definition:

IF ((seg & 0xFFFC)= NULL) // GP fault for using a null segment

// to reference memory
EXCEPTION [#GP(0)]

IF (seg isn’t writable) // GP fault for writing to a read-only segment

EXCEPTION [#GP(0)]

IF ((seg=CS) || (seg=DS) || (seg=ES) || (seg=FS) || (seg=GS))

// CS,DS,ES,FS,GS check for segment limit or canonical
IF ((!64BIT_MODE) && (offset is outside seg’s limit))
EXCEPTION [#GP(0)]
// #GP fault for segment limit violation in non-64-bit mode
IF ((64BIT_MODE) && (offset is non-canonical))
EXCEPTION [#GP(0)]
// #GP fault for non-canonical address in 64-bit mode
ELSIF (seg=SS) // SS checks for segment limit or canonical
IF ((!64BIT_MODE) && (offset is outside seg’s limit))
EXCEPTION [#SS(0)]
// stack fault for segment limit violation in non-64-bit mode
IF ((64BIT_MODE) && (offset is non-canonical))
EXCEPTION [#SS(0)]
// stack fault for non-canonical address in 64-bit mode
ELSE // ((seg=GDT) || (seg=LDT) || (seg=IDT) || (seg=TSS))
// GDT,LDT,IDT,TSS check for segment limit and canonical
IF (offset > seg.limit)
EXCEPTION [#GP(0)]
// #GP fault for segment limit violation in all modes
IF ((LONG_MODE) && (offset is non-canonical))
EXCEPTION [#GP(0)]
// #GP fault for non-canonical address in long mode

IF ((ALIGNMENT_CHECK_ENABLED) && (offset is misaligned, considering

its size and alignment))
EXCEPTION [#AC(0)]

IF ((64_bit_mode) && ((seg=CS) || (seg=DS) || (seg=ES) || (seg=SS))

temp_linear = offset
ELSE
temp_linear = seg.base + offset

IF ((PAGING_ENABLED) && (the virtual-to-physical translation for

temp_linear results in a page-protection violation))
{
EXCEPTION [#PF(error_code)]
// page fault for page-protection violation
// (U/S violation, Reserved bit violation)
}

46 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

IF ((PAGING_ENABLED) && (temp_linear is on a not-present page))

EXCEPTION [#PF(error_code)] // page fault for not-present page

memory [temp_linear].x = temp.x // write the bytes to memory

/////////////////////////////////////////////////////////////////////////////////
// PUSH // Write data to the stack
/////////////////////////////////////////////////////////////////////////////////

usage:
PUSH.x temp // where x is one of these: {v, z, b, w, d, q} and
// denotes the size of the push

definition:

WRITE_MEM.x [SS:RSP.s - X] = temp.x // write to the stack

RSP.s = RSP - X // point rsp to the data just written

/////////////////////////////////////////////////////////////////////////////////
// POP // Read data from the stack, zero-extend it to 64 bits
/////////////////////////////////////////////////////////////////////////////////

usage:
POP.x temp // where x is one of these: {v, z, b, w, d, q} and
// denotes the size of the pop

definition:

temp = READ_MEM.x [SS:RSP.s] // read from the stack

RSP.s = RSP + X // point rsp above the data just written

/////////////////////////////////////////////////////////////////////////////////
// READ_DESCRIPTOR // Read 8-byte descriptor from GDT/LDT, return the descriptor
/////////////////////////////////////////////////////////////////////////////////

usage:
temp_descriptor = READ_DESCRIPTOR (selector, chktype)
// chktype field is one of the following:
// cs_chk used for far call and far jump
// clg_chk used when reading CS for far call or far jump through call gate
// ss_chk used when reading SS
// iret_chk used when reading CS for IRET or RETF
// intcs_chk used when readin the CS for interrupts and exceptions

definition:

temp_offset = selector AND 0xfff8 // upper 13 bits give an offset

Instruction Overview 47
AMD64 Technology 24594—Rev. 3.14—September 2007

// in the descriptor table

IF (selector.TI = 0) // read 8 bytes from the gdt, split it into

// (base,limit,attr) if the type bits
temp_desc = READ_MEM.q [gdt:temp_offset]
// indicate a block of memory, or split
// it into (segment,offset,attr)
// if the type bits indicate
// a gate, and save the result in temp_desc
ELSE
temp_desc = READ_MEM.q [ldt:temp_offset]
// read 8 bytes from the ldt, split it into
// (base,limit,attr) if the type bits
// indicate a block of memory, or split
// it into (segment,offset,attr) if the type
// bits indicate a gate, and save the result
// in temp_desc

IF (selector.rpl or temp_desc.attr.dpl is illegal for the current mode/cpl)

EXCEPTION [#GP(selector)]

IF (temp_desc.attr.type is illegal for the current mode/chktype)

EXCEPTION [#GP(selector)]

IF (temp_desc.attr.p=0)
EXCEPTION [#NP(selector)]

RETURN (temp_desc)

/////////////////////////////////////////////////////////////////////////////////
// READ_IDT // Read an 8-byte descriptor from the IDT, return the descriptor
/////////////////////////////////////////////////////////////////////////////////

usage:
temp_idt_desc = READ_IDT (vector)
// "vector" is the interrupt vector number

definition:

IF (LONG_MODE) // long-mode idt descriptors are 16 bytes long

temp_offset = vector*16
ELSE // (LEGACY_MODE) legacy-protected-mode idt descriptors are 8 bytes long
temp_offset = vector*8

temp_desc = READ_MEM.q [idt:temp_offset]

// read 8 bytes from the idt, split it into
// (segment,offset,attr), and save it in temp_desc

IF (temp_desc.attr.dpl is illegal for the current mode/cpl)

// exception, with error code that indicates this idt gate

48 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

EXCEPTION [#GP(vector*8+2)]

IF (temp_desc.attr.type is illegal for the current mode)

// exception, with error code that indicates this idt gate
EXCEPTION [#GP(vector*8+2)]

IF (temp_desc.attr.p=0)
EXCEPTION [#NP(vector*8+2)]
// segment-not-present exception, with an error code that
// indicates this idt gate

RETURN (temp_desc)

/////////////////////////////////////////////////////////////////////////////////
// READ_INNER_LEVEL_STACK_POINTER
// Read a new stack pointer (rsp or ss:esp) from the tss
/////////////////////////////////////////////////////////////////////////////////

usage:
temp_SS_desc:temp_RSP = READ_INNER_LEVEL_STACK_POINTER (new_cpl, ist_index)

definition:

IF (LONG_MODE)
{
IF (ist_index>0)
// if IST is selected, read an ISTn stack pointer from the tss
temp_RSP = READ_MEM.q [tss:ist_index*8+28]
ELSE // (ist_index=0)
// otherwise read an RSPn stack pointer from the tss
temp_RSP = READ_MEM.q [tss:new_cpl*8+4]

temp_SS_desc.sel = NULL + new_cpl

// in long mode, changing to lower cpl sets SS.sel to
// NULL+new_cpl
}
ELSE // (LEGACY_MODE)
{
temp_RSP = READ_MEM.d [tss:new_cpl*8+4] // read ESPn from the tss
temp_sel = READ_MEM.d [tss:new_cpl*8+8] // read SSn from the tss
temp_SS_desc = READ_DESCRIPTOR (temp_sel, ss_chk)
}

return (temp_RSP:temp_SS_desc)

Instruction Overview 49
AMD64 Technology 24594—Rev. 3.14—September 2007

/////////////////////////////////////////////////////////////////////////////////
// READ_BIT_ARRAY // Read 1 bit from a bit array in memory
/////////////////////////////////////////////////////////////////////////////////

usage:
temp_value = READ_BIT_ARRAY ([mem], bit_number)

definition:

temp_BYTE = READ_MEM.b [mem + (bit_number SHR 3)]

// read the byte containing the bit

temp_BIT = temp_BYTE SHR (bit_number & 7)

// shift the requested bit position into bit 0

return (temp_BIT & 0x01) // return ’0’ or ’1’

50 Instruction Overview
24594—Rev. 3.14—September 2007 AMD64 Technology

3 General-Purpose Instruction Reference

This chapter describes the function, mnemonic syntax, opcodes, affected flags, and possible
exceptions generated by the general-purpose instructions. General-purpose instructions are used in
basic software execution. Most of these instructions load, store, or operate on data located in the
general-purpose registers (GPRs), in memory, or in both. The remaining instructions are used to alter
the sequential flow of the program by branching to other locations within the program, or to entirely
different programs. With the exception of the MOVD, MOVMSKPD and MOVMSKPS instructions,
which operate on MMX/XMM registers, the instructions within the category of general-purpose
instructions do not operate on any other register set.
Most general-purpose instructions are supported in all hardware implementations of the AMD64
architecture, however it may be necessary to use the CPUID instruction to test for support for a small
set of general-purpose instructions. These instructions are listed in Table 3-1, along with the CPUID
function, the register and bit used to test for the presence of the instruction.

Table 3-1. Instruction Support Indicated by CPUID Feature Bits

Instruction Register[Bit] Feature Mnemonic CPUID Function(s)
CMPXCHG8B EDX[8] CMPXCHG8B 0000_0001h, 8000_0001h
CMPXCHG16B ECX[13] CMPXCHG16B 0000_0001h
CMOVcc (Conditional Moves) EDX[15] CMOV 0000_0001h, 8000_0001h
CLFLUSH EDX[19] CLFSH 0000_0001h
Advanced Bit
LZCNT ECX[5] 8000_0001h
Manipulation (ABM)
Long Mode instructions EDX[29] Long Mode (LM) 8000_0001h
MFENCE, LFENCE EDX[26] SSE2 0000_0001h
EDX[25] SSE
MOVD 0000_0001h
EDX[26] SSE2
MOVNTI EDX[26] SSE2 0000_0001h
POPCNT ECX[23] POPCNT 0000_0001h
ECX[8] 3DNow!™ Prefetch
PREFETCH/W EDX[29] LM 8000_0001h
EDX[31] 3DNow!™
SFENCE EDX[25] FXSR 0000_0001h

The general-purpose instructions can be used in legacy mode or 64-bit long mode. Compilation of
general-purpose programs for execution in 64-bit long mode offers three primary advantages: access to
the eight extended, 64-bit general-purpose registers (for a register set consisting of GPR0–GPR15),
access to the 64-bit virtual address space, and access to the RIP-relative addressing mode.
For further information about the general-purpose instructions and register resources, see:

Instruction Reference 51
AMD64 Technology 24594—Rev. 3.14—September 2007

• “General-Purpose Programming” in Volume 1.

• “Summary of Registers and Data Types” on page 24.
• “Notation” on page 37.
• “Instruction Prefixes” on page 3.
• Appendix B, “General-Purpose Instructions in 64-Bit Mode.” In particular, see “General Rules for
64-Bit Mode” on page 373.

52 Instruction Reference
24594—Rev. 3.14—September 2007 AMD64 Technology

AAA ASCII Adjust After Addition

Adjusts the value in the AL register to an unpacked BCD value. Use the AAA instruction after using
the ADD instruction to add two unpacked BCD numbers.
If the value in the lower nibble of AL is greater than 9 or the AF flag is set to 1, the instruction
increments the AH register, adds 6 to the AL register, and sets the CF and AF flags to 1. Otherwise, it
does not change the AH register and clears the CF and AF flags to 0. In either case, AAA clears bits
7–4 of the AL register, leaving the correct decimal digit in bits 3–0.
This instruction also makes it possible to add ASCII numbers without having to mask off the upper
nibble ‘3’.

MXCSR Flags Affected

Using this instruction in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

Create an unpacked BCD number.
AAA 37
(Invalid in 64-bit mode.)

Related Instructions
AAD, AAM, AAS

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U M U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X This instruction was executed in 64-bit mode.

Instruction Reference AAA 53

AMD64 Technology 24594—Rev. 3.14—September 2007

AAD ASCII Adjust Before Division

Converts two unpacked BCD digits in the AL (least significant) and AH (most significant) registers to
a single binary value in the AL register using the following formula:
AL = ((10d * AH) + (AL))

After the conversion, AH is cleared to 00h.

In most modern assemblers, the AAD instruction adjusts from base-10 values. However, by coding the
instruction directly in binary, it can adjust from any base specified by the immediate byte value (ib)
suffixed onto the D5h opcode. For example, code D508h for octal, D50Ah for decimal, and D50Ch for
duodecimal (base 12).
Using this instruction in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

Adjust two BCD digits in AL and AH.
AAD D5 0A
(Invalid in 64-bit mode.)
Adjust two BCD digits to the immediate byte base.
(None) D5 ib
(Invalid in 64-bit mode.)

Related Instructions
AAA, AAM, AAS

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U M M U M U

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X This instruction was executed in 64-bit mode.

54 AAD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

AAM ASCII Adjust After Multiply

Converts the value in the AL register from binary to two unpacked BCD digits in the AH (most
significant) and AL (least significant) registers using the following formula:
AH = (AL/10d)
AL = (AL mod 10d)

In most modern assemblers, the AAM instruction adjusts to base-10 values. However, by coding the
instruction directly in binary, it can adjust to any base specified by the immediate byte value (ib)
suffixed onto the D4h opcode. For example, code D408h for octal, D40Ah for decimal, and D40Ch for
duodecimal (base 12).
Using this instruction in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

Create a pair of unpacked BCD values in AH and AL.
AAM D4 0A
(Invalid in 64-bit mode.)
Create a pair of unpacked values to the immediate byte
(None) D4 ib base.
(Invalid in 64-bit mode.)

Related Instructions
AAA, AAD, AAS

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U M M U M U

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M. Unaffected flags are blank. Undefined
flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Divide by zero, #DE X X X 8-bit immediate value was 0.
Invalid opcode, #UD X This instruction was executed in 64-bit mode.

Instruction Reference AAM 55

AMD64 Technology 24594—Rev. 3.14—September 2007

AAS ASCII Adjust After Subtraction

Adjusts the value in the AL register to an unpacked BCD value. Use the AAS instruction after using
the SUB instruction to subtract two unpacked BCD numbers.
If the value in AL is greater than 9 or the AF flag is set to 1, the instruction decrements the value in AH,
subtracts 6 from the AL register, and sets the CF and AF flags to 1. Otherwise, it clears the CF and AF
flags and the AH register is unchanged. In either case, the instruction clears bits 7–4 of the AL register,
leaving the correct decimal digit in bits 3–0.
Using this instruction in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

Create an unpacked BCD number from the contents of
AAS 3F the AL register.
(Invalid in 64-bit mode.)

Related Instructions
AAA, AAD, AAM

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U M U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X This instruction was executed in 64-bit mode.

56 AAS Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

ADC Add with Carry

Adds the carry flag (CF), the value in a register or memory location (first operand), and an immediate
value or the value in a register or memory location (second operand), and stores the result in the first
operand location. The instruction cannot add two memory operands. The CF flag indicates a pending
carry from a previous addition operation. The instruction sign-extends an immediate value to the
length of the destination register or memory location.
This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF
flags to indicate a carry in a signed or unsigned result, respectively. It sets the SF flag to indicate the
sign of a signed result.
Use the ADC instruction after an ADD instruction as part of a multibyte or multiword addition.
The forms of the ADC instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

ADC AL, imm8 14 ib Add imm8 to AL + CF.
ADC AX, imm16 15 iw Add imm16 to AX + CF.
ADC EAX, imm32 15 id Add imm32 to EAX + CF.
ADC RAX, imm32 15 id Add sign-extended imm32 to RAX + CF.
ADC reg/mem8, imm8 80 /2 ib Add imm8 to reg/mem8 + CF.
ADC reg/mem16, imm16 81 /2 iw Add imm16 to reg/mem16 + CF.
ADC reg/mem32, imm32 81 /2 id Add imm32 to reg/mem32 + CF.
ADC reg/mem64, imm32 81 /2 id Add sign-extended imm32 to reg/mem64 + CF.
ADC reg/mem16, imm8 83 /2 ib Add sign-extended imm8 to reg/mem16 + CF.
ADC reg/mem32, imm8 83 /2 ib Add sign-extended imm8 to reg/mem32 + CF.
ADC reg/mem64, imm8 83 /2 ib Add sign-extended imm8 to reg/mem64 + CF.
ADC reg/mem8, reg8 10 /r Add reg8 to reg/mem8 + CF
ADC reg/mem16, reg16 11 /r Add reg16 to reg/mem16 + CF.
ADC reg/mem32, reg32 11 /r Add reg32 to reg/mem32 + CF.
ADC reg/mem64, reg64 11 /r Add reg64 to reg/mem64 + CF.
ADC reg8, reg/mem8 12 /r Add reg/mem8 to reg8 + CF.
ADC reg16, reg/mem16 13 /r Add reg/mem16 to reg16 + CF.
ADC reg32, reg/mem32 13 /r Add reg/mem32 to reg32 + CF.
ADC reg64, reg/mem64 13 /r Add reg/mem64 to reg64 + CF.

Instruction Reference ADC 57

AMD64 Technology 24594—Rev. 3.14—September 2007

Related Instructions
ADD, SBB, SUB

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

58 ADC Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

ADD Signed or Unsigned Add

Adds the value in a register or memory location (first operand) and an immediate value or the value in
a register or memory location (second operand), and stores the result in the first operand location. The
instruction cannot add two memory operands. The instruction sign-extends an immediate value to the
length of the destination register or memory operand.
This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF
flags to indicate a carry in a signed or unsigned result, respectively. It sets the SF flag to indicate the
sign of a signed result.
The forms of the ADD instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

ADD AL, imm8 04 ib Add imm8 to AL.
ADD AX, imm16 05 iw Add imm16 to AX.
ADD EAX, imm32 05 id Add imm32 to EAX.
ADD RAX, imm32 05 id Add sign-extended imm32 to RAX.
ADD reg/mem8, imm8 80 /0 ib Add imm8 to reg/mem8.
ADD reg/mem16, imm16 81 /0 iw Add imm16 to reg/mem16
ADD reg/mem32, imm32 81 /0 id Add imm32 to reg/mem32.
ADD reg/mem64, imm32 81 /0 id Add sign-extended imm32 to reg/mem64.
ADD reg/mem16, imm8 83 /0 ib Add sign-extended imm8 to reg/mem16
ADD reg/mem32, imm8 83 /0 ib Add sign-extended imm8 to reg/mem32.
ADD reg/mem64, imm8 83 /0 ib Add sign-extended imm8 to reg/mem64.
ADD reg/mem8, reg8 00 /r Add reg8 to reg/mem8.
ADD reg/mem16, reg16 01 /r Add reg16 to reg/mem16.
ADD reg/mem32, reg32 01 /r Add reg32 to reg/mem32.
ADD reg/mem64, reg64 01 /r Add reg64 to reg/mem64.
ADD reg8, reg/mem8 02 /r Add reg/mem8 to reg8.
ADD reg16, reg/mem16 03 /r Add reg/mem16 to reg16.
ADD reg32, reg/mem32 03 /r Add reg/mem32 to reg32.
ADD reg64, reg/mem64 03 /r Add reg/mem64 to reg64.

Related Instructions
ADC, SBB, SUB

Instruction Reference ADD 59

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

60 ADD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

AND Logical AND

Performs a bitwise AND operation on the value in a register or memory location (first operand) and an
immediate value or the value in a register or memory location (second operand), and stores the result in
the first operand location. The instruction cannot AND two memory operands.
The instruction sets each bit of the result to 1 if the corresponding bit of both operands is set;
otherwise, it clears the bit to 0. The following table shows the truth table for the AND operation:

X Y X AND Y

0 0 0

0 1 0

1 0 0

1 1 1

The forms of the AND instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

AND the contents of AL with an immediate 8-bit value
AND AL, imm8 24 ib
and store the result in AL.

AND AX, imm16 25 iw AND the contents of AX with an immediate 16-bit value
and store the result in AX.
AND the contents of EAX with an immediate 32-bit
AND EAX, imm32 25 id
value and store the result in EAX.
AND the contents of RAX with a sign-extended
AND RAX, imm32 25 id immediate 32-bit value and store the result in RAX.
AND reg/mem8, imm8 80 /4 ib AND the contents of reg/mem8 with imm8.
AND reg/mem16, imm16 81 /4 iw AND the contents of reg/mem16 with imm16.
AND reg/mem32, imm32 81 /4 id AND the contents of reg/mem32 with imm32.
AND the contents of reg/mem64 with sign-extended
AND reg/mem64, imm32 81 /4 id
imm32.

AND reg/mem16, imm8 83 /4 ib AND the contents of reg/mem16 with a sign-extended

8-bit value.
AND the contents of reg/mem32 with a sign-extended
AND reg/mem32, imm8 83 /4 ib
8-bit value.

AND reg/mem64, imm8 83 /4 ib AND the contents of reg/mem64 with a sign-extended

8-bit value.
AND the contents of an 8-bit register or memory
AND reg/mem8, reg8 20 /r
location with the contents of an 8-bit register.

Instruction Reference AND 61

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

AND the contents of a 16-bit register or memory
AND reg/mem16, reg16 21 /r
location with the contents of a 16-bit register.

AND reg/mem32, reg32 21 /r AND the contents of a 32-bit register or memory

location with the contents of a 32-bit register.
AND the contents of a 64-bit register or memory
AND reg/mem64, reg64 21 /r
location with the contents of a 64-bit register.
AND the contents of an 8-bit register with the contents
AND reg8, reg/mem8 22 /r
of an 8-bit memory location or register.
AND the contents of a 16-bit register with the contents
AND reg16, reg/mem16 23 /r
of a 16-bit memory location or register.
AND the contents of a 32-bit register with the contents
AND reg32, reg/mem32 23 /r
of a 32-bit memory location or register.
AND the contents of a 64-bit register with the contents
AND reg64, reg/mem64 23 /r
of a 64-bit memory location or register.

Related Instructions
TEST, OR, NOT, NEG, XOR

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

0 M M U M 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

62 AND Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

BOUND Check Array Bound

Checks whether an array index (first operand) is within the bounds of an array (second operand). The
array index is a signed integer in the specified register. If the operand-size attribute is 16, the array
operand is a memory location containing a pair of signed word-integers; if the operand-size attribute is
32, the array operand is a pair of signed doubleword-integers. The first word or doubleword specifies
the lower bound of the array and the second word or doubleword specifies the upper bound.
The array index must be greater than or equal to the lower bound and less than or equal to the upper
bound. If the index is not within the specified bounds, the processor generates a BOUND range-
exceeded exception (#BR).
The bounds of an array, consisting of two words or doublewords containing the lower and upper limits
of the array, usually reside in a data structure just before the array itself, making the limits addressable
through a constant offset from the beginning of the array. With the address of the array in a register,
this practice reduces the number of bus cycles required to determine the effective address of the array
bounds.
Using this instruction in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

Test whether a 16-bit array index is within the bounds
BOUND reg16, mem16&mem16 62 /r specified by the two 16-bit values in mem16&mem16.
(Invalid in 64-bit mode.)
Test whether a 32-bit array index is within the bounds
BOUND reg32, mem32&mem32 62 /r specified by the two 32-bit values in mem32&mem32.
(Invalid in 64-bit mode.)

Related Instructions
INT, INT3, INTO

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Bound range, #BR X X X The bound range was exceeded.
X X X The source operand was a register.
Invalid opcode, #UD
X Instruction was executed in 64-bit mode.
Stack, #SS X X X A memory address exceeded the stack segment limit
General protection, X X X A memory address exceeded a data segment limit.
#GP X A null data segment was used to reference memory.

Instruction Reference BOUND 63

AMD64 Technology 24594—Rev. 3.14—September 2007

Virtual
Exception Real 8086 Protected Cause of Exception
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

64 BOUND Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

BSF Bit Scan Forward

Searches the value in a register or a memory location (second operand) for the least-significant set bit.
If a set bit is found, the instruction clears the zero flag (ZF) and stores the index of the least-significant
set bit in a destination register (first operand). If the second operand contains 0, the instruction sets ZF
to 1 and does not change the contents of the destination register. The bit index is an unsigned offset
from bit 0 of the searched value.

Mnemonic Opcode Description

BSF reg16, reg/mem16 0F BC /r Bit scan forward on the contents of reg/mem16.
BSF reg32, reg/mem32 0F BC /r Bit scan forward on the contents of reg/mem32.
BSF reg64, reg/mem64 0F BC /r Bit scan forward on the contents of reg/mem64

Related Instructions
BSR

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U M U U U

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference BSF 65

AMD64 Technology 24594—Rev. 3.14—September 2007

BSR Bit Scan Reverse

Searches the value in a register or a memory location (second operand) for the most-significant set bit.
If a set bit is found, the instruction clears the zero flag (ZF) and stores the index of the most-significant
set bit in a destination register (first operand). If the second operand contains 0, the instruction sets ZF
to 1 and does not change the contents of the destination register. The bit index is an unsigned offset
from bit 0 of the searched value.

Mnemonic Opcode Description

BSR reg16, reg/mem16 0F BD /r Bit scan reverse on the contents of reg/mem16.
BSR reg32, reg/mem32 0F BD /r Bit scan reverse on the contents of reg/mem32.
BSR reg64, reg/mem64 0F BD /r Bit scan reverse on the contents of reg/mem64.

Related Instructions
BSF

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U M U U U

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded the data segment limit or was
General protection, X X X
non-canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

66 BSR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

BSWAP Byte Swap

Reverses the byte order of the specified register. This action converts the contents of the register from
little endian to big endian or vice versa. In a doubleword, bits 7–0 are exchanged with bits 31–24, and
bits 15–8 are exchanged with bits 23–16. In a quadword, bits 7–0 are exchanged with bits 63–56, bits
15–8 with bits 55–48, bits 23–16 with bits 47–40, and bits 31–24 with bits 39–32. A subsequent use of
the BSWAP instruction with the same operand restores the original value of the operand.
The result of applying the BSWAP instruction to a 16-bit register is undefined. To swap the bytes of a
16-bit register, use the XCHG instruction and specify the respective byte halves of the 16-bit register
as the two operands. For example, to swap the bytes of AX, use XCHG AL, AH.

Mnemonic Opcode Description

BSWAP reg32 0F C8 +rd Reverse the byte order of reg32.
BSWAP reg64 0F C8 +rq Reverse the byte order of reg64.

Related Instructions
XCHG

rFLAGS Affected
None

Exceptions
None

Instruction Reference BSWAP 67

AMD64 Technology 24594—Rev. 3.14—September 2007

BT Bit Test
Copies a bit, specified by a bit index in a register or 8-bit immediate value (second operand), from a bit
string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register.
If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the
operand size) of the bit index to select a bit in the register.
If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of
the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base
in the range –263 to +263 – 1 if the operand size is 64, –231 to +231 – 1, if the operand size is 32, and
–215 to +215 – 1 if the operand size is 16. If the bit index is in an immediate value, the bit selected is
that value modulo 16, 32, or 64, depending on operand size.
When the instruction attempts to copy a bit from memory, it accesses 2, 4, or 8 bytes starting from the
specified memory address for 16-bit, 32-bit, or 64-bit operand sizes, respectively, using the following
formula:
Effective Address + (NumBytesi * (BitOffset DIV NumBitsi*8))
When using this bit addressing mechanism, avoid referencing areas of memory close to address space
holes, such as references to memory-mapped I/O registers. Instead, use a MOV instruction to load a
register from such an address and use a register form of the BT instruction to manipulate the data.

Mnemonic Opcode Description

BT reg/mem16, reg16 0F A3 /r Copy the value of the selected bit to the carry flag.
BT reg/mem32, reg32 0F A3 /r Copy the value of the selected bit to the carry flag.
BT reg/mem64, reg64 0F A3 /r Copy the value of the selected bit to the carry flag.
BT reg/mem16, imm8 0F BA /4 ib Copy the value of the selected bit to the carry flag.
BT reg/mem32, imm8 0F BA /4 ib Copy the value of the selected bit to the carry flag.
BT reg/mem64, imm8 0F BA /4 ib Copy the value of the selected bit to the carry flag.

Related Instructions
BTC, BTR, BTS

68 BT Instruction Reference
24594—Rev. 3.14—September 2007 AMD64 Technology

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U U U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

Instruction Reference BT 69
AMD64 Technology 24594—Rev. 3.14—September 2007

BTC Bit Test and Complement

Copies a bit, specified by a bit index in a register or 8-bit immediate value (second operand), from a bit
string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register, and then
complements (toggles) the bit in the bit string.
If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the
operand size) of the bit index to select a bit in the register.
If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of
the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base
in the range –263 to +263 – 1 if the operand size is 64, –231 to +231 – 1, if the operand size is 32, and
–215 to +215 – 1 if the operand size is 16. If the bit index is in an immediate value, the bit selected is
that value modulo 16, 32, or 64, depending the operand size.
This instruction is useful for implementing semaphores in concurrent operating systems. Such an
application should precede this instruction with the LOCK prefix. For details about the LOCK prefix,
see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Copy the value of the selected bit to the carry flag, then
BTC reg/mem16, reg16 0F BB /r
complement the selected bit.
Copy the value of the selected bit to the carry flag, then
BTC reg/mem32, reg32 0F BB /r
complement the selected bit.
Copy the value of the selected bit to the carry flag, then
BTC reg/mem64, reg64 0F BB /r
complement the selected bit.

BTC reg/mem16, imm8 0F BA /7 ib Copy the value of the selected bit to the carry flag, then
complement the selected bit.
Copy the value of the selected bit to the carry flag, then
BTC reg/mem32, imm8 0F BA /7 ib complement the selected bit.
Copy the value of the selected bit to the carry flag, then
BTC reg/mem64, imm8 0F BA /7 ib
complement the selected bit.

Related Instructions
BT, BTR, BTS

70 BTC Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U U U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

Instruction Reference BTC 71

AMD64 Technology 24594—Rev. 3.14—September 2007

BTR Bit Test and Reset

Copies a bit, specified by a bit index in a register or 8-bit immediate value (second operand), from a bit
string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register, and then
clears the bit in the bit string to 0.
If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the
operand size) of the bit index to select a bit in the register.
If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of
the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base
in the range –263 to +263 – 1 if the operand size is 64, –231 to +231 – 1, if the operand size is 32, and
–215 to +215 – 1 if the operand size is 16. If the bit index is in an immediate value, the bit selected is
that value modulo 16, 32, or 64, depending on the operand size.
This instruction is useful for implementing semaphores in concurrent operating systems. Such
applications should precede this instruction with the LOCK prefix. For details about the LOCK prefix,
see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Copy the value of the selected bit to the carry flag, then
BTR reg/mem16, reg16 0F B3 /r
clear the selected bit.
Copy the value of the selected bit to the carry flag, then
BTR reg/mem32, reg32 0F B3 /r
clear the selected bit.
Copy the value of the selected bit to the carry flag, then
BTR reg/mem64, reg64 0F B3 /r
clear the selected bit.

BTR reg/mem16, imm8 0F BA /6 ib Copy the value of the selected bit to the carry flag, then
clear the selected bit.
Copy the value of the selected bit to the carry flag, then
BTR reg/mem32, imm8 0F BA /6 ib clear the selected bit.
Copy the value of the selected bit to the carry flag, then
BTR reg/mem64, imm8 0F BA /6 ib
clear the selected bit.

Related Instructions
BT, BTC, BTS

72 BTR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U U U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

Instruction Reference BTR 73

AMD64 Technology 24594—Rev. 3.14—September 2007

BTS Bit Test and Set

Copies a bit, specified by bit index in a register or 8-bit immediate value (second operand), from a bit
string (first operand), also called the bit base, to the carry flag (CF) of the rFLAGS register, and then
sets the bit in the bit string to 1.
If the bit base operand is a register, the instruction uses the modulo 16, 32, or 64 (depending on the
operand size) of the bit index to select a bit in the register.
If the bit base operand is a memory location, bit 0 of the byte at the specified address is the bit base of
the bit string. If the bit index is in a register, the instruction selects a bit position relative to the bit base
in the range –263 to +263 – 1 if the operand size is 64, –231 to +231 – 1, if the operand size is 32, and
–215 to +215 – 1 if the operand size is 16. If the bit index is in an immediate value, the bit selected is
that value modulo 16, 32, or 64, depending on the operand size.
This instruction is useful for implementing semaphores in concurrent operating systems. Such
applications should precede this instruction with the LOCK prefix. For details about the LOCK prefix,
see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Copy the value of the selected bit to the carry flag, then
BTS reg/mem16, reg16 0F AB /r
set the selected bit.
Copy the value of the selected bit to the carry flag, then
BTS reg/mem32, reg32 0F AB /r
set the selected bit.
Copy the value of the selected bit to the carry flag, then
BTS reg/mem64, reg64 0F AB /r
set the selected bit.

BTS reg/mem16, imm8 0F BA /5 ib Copy the value of the selected bit to the carry flag, then
set the selected bit.
Copy the value of the selected bit to the carry flag, then
BTS reg/mem32, imm8 0F BA /5 ib set the selected bit.
Copy the value of the selected bit to the carry flag, then
BTS reg/mem64, imm8 0F BA /5 ib
set the selected bit.

Related Instructions
BT, BTC, BTR

74 BTS Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U U U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

Instruction Reference BTS 75

AMD64 Technology 24594—Rev. 3.14—September 2007

CALL (Near) Near Procedure Call

Pushes the offset of the next instruction onto the stack and branches to the target address, which
contains the first instruction of the called procedure. The target operand can specify a register, a
memory location, or a label. A procedure accessed by a near CALL is located in the same code
segment as the CALL instruction.
If the CALL target is specified by a register or memory location, then a 16-, 32-, or 64-bit rIP is read
from the operand, depending on the operand size. A 16- or 32-bit rIP is zero-extended to 64 bits.
If the CALL target is specified by a displacement, the signed displacement is added to the rIP (of the
following instruction), and the result is truncated to 16, 32, or 64 bits, depending on the operand size.
The signed displacement is 16 or 32 bits, depending on the operand size.
In all cases, the rIP of the instruction after the CALL is pushed on the stack, and the size of the stack
push (16, 32, or 64 bits) depends on the operand size of the CALL instruction.
For near calls in 64-bit mode, the operand size defaults to 64 bits. The E8 opcode results in
RIP = RIP + 32-bit signed displacement and the FF /2 opcode results in RIP = 64-bit offset from
register or memory. No prefix is available to encode a 32-bit operand size in 64-bit mode.
At the end of the called procedure, RET is used to return control to the instruction following the
original CALL. When RET is executed, the rIP is popped off the stack, which returns control to the
instruction after the CALL.
See CALL (Far) for information on far calls—calls to procedures located outside of the current code
segment. For details about control-flow instructions, see “Control Transfers” in Volume 1, and
“Control-Transfer Privilege Checks” in Volume 2.

Mnemonic Opcode Description

Near call with the target specified by a 16-bit relative
CALL rel16off E8 iw
displacement.
Near call with the target specified by a 32-bit relative
CALL rel32off E8 id
displacement.
CALL reg/mem16 FF /2 Near call with the target specified by reg/mem16.
Near call with the target specified by reg/mem32. (There
CALL reg/mem32 FF /2
is no prefix for encoding this in 64-bit mode.)
CALL reg/mem64 FF /2 Near call with the target specified by reg/mem64.

For details about control-flow instructions, see “Control Transfers” in Volume 1, and “Control-
Transfer Privilege Checks” in Volume 2.

Related Instructions
CALL(Far), RET(Near), RET(Far)

76 CALL (Near) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X X X The target offset exceeded the code segment limit or was non-
canonical.
X A null data segment was used to reference memory.
Alignment Check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.
Page Fault, #PF X X A page fault resulted from the execution of the instruction.

Instruction Reference CALL (Near) 77

AMD64 Technology 24594—Rev. 3.14—September 2007

CALL (Far) Far Procedure Call

Pushes procedure linking information onto the stack and branches to the target address, which contains
the first instruction of the called procedure. The operand specifies a target selector and offset.
The instruction can specify the target directly, by including the far pointer in the CALL (Far) opcode
itself, or indirectly, by referencing a far pointer in memory. In 64-bit mode, only indirect far calls are
allowed, executing a direct far call (opcode 9A) generates an undefined opcode exception. For both
direct and indirect far calls, if the CALL (Far) operand-size is 16 bits, the instruction's operand is a 16-
bit selector followed by a 16-bit offset. If the operand-size is 32 or 64 bits, the operand is a 16-bit
selector followed by a 32-bit offset.
The target selector used by the instruction can be a code selector in all modes. Additionally, the target
selector can reference a call gate in protected mode, or a task gate or TSS selector in legacy protected
mode.
• Target is a code selector—The CS:rIP of the next instruction is pushed to the stack, using operand-
size stack pushes. Then code is executed from the target CS:rIP. In this case, the target offset can
only be a 16- or 32-bit value, depending on operand-size, and is zero-extended to 64 bits. No CPL
change is allowed.
• Target is a call gate—The call gate specifies the actual target code segment and offset. Call gates
allow calls to the same or more privileged code. If the target segment is at the same CPL as the
current code segment, the CS:rIP of the next instruction is pushed to the stack.
If the CALL (Far) changes privilege level, then a stack-switch occurs, using an inner-level stack
pointer from the TSS. The CS:rIP of the next instruction is pushed to the new stack. If the mode is
legacy mode and the param-count field in the call gate is non-zero, then up to 31 operands are
copied from the caller's stack to the new stack. Finally, the caller's SS:rSP is pushed to the new
stack.
When calling through a call gate, the stack pushes are 16-, 32-, or 64-bits, depending on the size of
the call gate. The size of the target rIP is also 16, 32, or 64 bits, depending on the size of the call
gate. If the target rIP is less than 64 bits, it is zero-extended to 64 bits. Long mode only allows 64-
bit call gates that must point to 64-bit code segments.
• Target is a task gate or a TSS—If the mode is legacy protected mode, then a task switch occurs. See
“Hardware Task-Management in Legacy Mode” in volume 2 for details about task switches.
Hardware task switches are not supported in long mode.
See CALL (Near) for information on near calls—calls to procedures located inside the current code
segment. For details about control-flow instructions, see “Control Transfers” in Volume 1, and
“Control-Transfer Privilege Checks” in Volume 2.

78 CALL (Far) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Far call direct, with the target specified by a far pointer
CALL FAR pntr16:16 9A cd
contained in the instruction. (Invalid in 64-bit mode.)

CALL FAR pntr16:32 9A cp Far call direct, with the target specified by a far pointer
contained in the instruction. (Invalid in 64-bit mode.)
Far call indirect, with the target specified by a far pointer
CALL FAR mem16:16 FF /3
in memory.
Far call indirect, with the target specified by a far pointer
CALL FAR mem16:32 FF /3
in memory.

Action
// See “Pseudocode Definitions” on page 41.

CALLF_START:

IF (REAL_MODE)
CALLF_REAL_OR_VIRTUAL
ELSIF (PROTECTED_MODE)
CALLF_PROTECTED
ELSE // (VIRTUAL_MODE)
CALLF_REAL_OR_VIRTUAL

CALLF_REAL_OR_VIRTUAL:

IF (OPCODE = callf [mem]) // CALLF Indirect

{
temp_RIP = READ_MEM.z [mem]
temp_CS = READ_MEM.w [mem+Z]
}
ELSE // (OPCODE = callf direct)
{
temp_RIP = z-sized offset specified in the instruction
zero-extended to 64 bits
temp_CS = selector specified in the instruction
}

PUSH.v old_CS
PUSH.v next_RIP

IF (temp_RIP>CS.limit)
EXCEPTION [#GP(0)]

CS.sel = temp_CS
CS.base = temp_CS SHL 4
RIP = temp_RIP
EXIT

Instruction Reference CALL (Far) 79

AMD64 Technology 24594—Rev. 3.14—September 2007

CALLF_PROTECTED:

IF (OPCODE = callf [mem]) //CALLF Indirect

{
temp_offset = READ_MEM.z [mem]
temp_sel = READ_MEM.w [mem+Z]
}
ELSE // (OPCODE = callf direct)
{
IF (64BIT_MODE)
EXCEPTION [#UD] // ’CALLF direct’ is illegal in 64-bit mode.
temp_offset = z-sized offset specified in the instruction
zero-extended to 64 bits
temp_sel = selector specified in the instruction
}

temp_desc = READ_DESCRIPTOR (temp_sel, cs_chk)

IF (temp_desc.attr.type = ’available_tss’)
TASK_SWITCH // Using temp_sel as the target TSS selector.
ELSIF (temp_desc.attr.type = ’taskgate’)
TASK_SWITCH // Using the TSS selector in the task gate
// as the target TSS.
ELSIF (temp_desc.attr.type = ’code’)
// If the selector refers to a code descriptor, then
// the offset we read is the target RIP.
{
temp_RIP = temp_offset
CS = temp_desc
PUSH.v old_CS
PUSH.v next_RIP
IF ((!64BIT_MODE) && (temp_RIP > CS.limit))
// temp_RIP can’t be non-canonical because
EXCEPTION [#GP(0)] // it’s a 16- or 32-bit offset, zero-extended
// to 64 bits.
RIP = temp_RIP
EXIT
}
ELSE // (temp_desc.attr.type = ’callgate’)
// If the selector refers to a call gate, then
// the target CS and RIP both come from the call gate.
{
IF (LONG_MODE)
// The size of the gate controls the size of the stack pushes.
V=8-byte
// Long mode only uses 64-bit call gates, force 8-byte opsize.
ELSIF (temp_desc.attr.type = ’callgate32’)
V=4-byte
// Legacy mode, using a 32-bit call-gate, force 4-byte opsize.
ELSE // (temp_desc.attr.type = ’callgate16’)
V=2-byte

80 CALL (Far) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

// Legacy mode, using a 16-bit call-gate, force 2-byte opsize.

temp_RIP = temp_desc.offset

IF (LONG_MODE) // In long mode, we need to read the 2nd half of a

// 16-byte call-gate from the GDT/LDT, to get the upper
// 32 bits of the target RIP.
{
temp_upper = READ_MEM.q [temp_sel+8]
IF (temp_upper’s extended attribute bits != 0)
EXCEPTION [#GP(temp_sel)]
temp_RIP = tempRIP + (temp_upper SHL 32)
// Concatenate both halves of RIP
}

CS = READ_DESCRIPTOR (temp_desc.segment, clg_chk)

IF (CS.attr.conforming=1)
temp_CPL = CPL
ELSE
temp_CPL = CS.attr.dpl

IF (CPL=temp_CPL)
{
PUSH.v old_CS
PUSH.v next_RIP

IF ((64BIT_MODE) && (temp_RIP is non-canonical)

|| (!64BIT_MODE) && (temp_RIP > CS.limit))
{
EXCEPTION[#GP(0)]
}

RIP = temp_RIP
EXIT
}
ELSE // (CPL != temp_CPL), Changing privilege level.
{
CPL = temp_CPL
temp_ist = 0 // Call-far doesn’t use ist pointers.
temp_SS_desc:temp_RSP = READ_INNER_LEVEL_STACK_POINTER (CPL, temp_ist)

RSP.q = temp_RSP
SS = temp_SS_desc
PUSH.v old_SS // #SS on this and following pushes use
// SS.sel as error code.
PUSH.v old_RSP
IF (LEGACY_MODE) // Legacy-mode call gates have
{ // a param_count field.
temp_PARAM_COUNT = temp_desc.attr.param_count

Instruction Reference CALL (Far) 81

AMD64 Technology 24594—Rev. 3.14—September 2007

FOR (I=temp_PARAM_COUNT; I>0; I--)

{
temp_DATA = READ_MEM.v [old_SS:(old_RSP+I*V)]
PUSH.v temp_DATA
}
}
PUSH.v old_CS
PUSH.v next_RIP
IF ((64BIT_MODE) && (temp_RIP is non-canonical)
|| (!64BIT_MODE) && (temp_RIP > CS.limit))
{
EXCEPTION [#GP(0)]
}
RIP = temp_RIP
EXIT
}
}

Related Instructions
CALL (Near), RET (Near), RET (Far)

rFLAGS Affected
None, unless a task switch occurs, in which case all flags are modified.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
X X X The far CALL indirect opcode (FF /3) had a register operand.
Invalid opcode, #UD
X The far CALL direct opcode (9A) was executed in 64-bit mode.
As part of a stack switch, the target stack segment selector or
X
rSP in the TSS was beyond the TSS limit.
As part of a stack switch, the target stack segment selector in
X the TSS was a null selector.
As part of a stack switch, the target stack selector’s TI bit was
X
set, but LDT selector was a null selector.
As part of a stack switch, the target stack segment selector in
Invalid TSS, #TS X the TSS was beyond the limit of the GDT or LDT descriptor
(selector) table.
As part of a stack switch, the target stack segment selector in
X the TSS contained a RPL that was not equal to its DPL.
As part of a stack switch, the target stack segment selector in
X the TSS contained a DPL that was not equal to the CPL of the
code segment selector.
As part of a stack switch, the target stack segment selector in
X
the TSS was not a writable segment.

82 CALL (Far) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Virtual
Exception Real 8086 Protected Cause of Exception
Segment not
The accessed code segment, call gate, task gate, or TSS was
present, #NP X
not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical, and no stack switch occurred.
After a stack switch, a memory access exceeded the stack
X
segment limit or was non-canonical.
Stack, #SS
(selector) As part of a stack switch, the SS register was loaded with a
X non-null segment selector and the segment was marked not
present.

X X X A memory address exceeded a data segment limit or was non-

canonical.
General protection, The target offset exceeded the code segment limit or was non-
#GP X X X
canonical.
X A null data segment was used to reference memory.
X The target code segment selector was a null selector.

X A code, call gate, task gate, or TSS descriptor exceeded the

descriptor table limit.
A segment selector’s TI bit was set but the LDT selector was a
X
null selector.
The segment descriptor specified by the instruction was not a
code segment, task gate, call gate or available TSS in legacy
X
mode, or not a 64-bit code segment or a 64-bit call gate in long
mode.
The RPL of the non-conforming code segment selector
X specified by the instruction was greater than the CPL, or its
DPL was not equal to the CPL.
General protection, The DPL of the conforming code segment descriptor specified
#GP X by the instruction was greater than the CPL.
(selector)
The DPL of the callgate, taskgate, or TSS descriptor specified
X by the instruction was less than the CPL, or less than its own
RPL.
The segment selector specified by the call gate or task gate
X
was a null selector.
The segment descriptor specified by the call gate was not a
X code segment in legacy mode, or not a 64-bit code segment in
long mode.
The DPL of the segment descriptor specified by the call gate
X
was greater than the CPL.
X The 64-bit call gate’s extended attribute bits were not zero.
X The TSS descriptor was found in the LDT.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference CALL (Far) 83

AMD64 Technology 24594—Rev. 3.14—September 2007

CBW Convert to Sign-Extended

CWDE
CDQE
Copies the sign bit in the AL or eAX register to the upper bits of the rAX register. The effect of this
instruction is to convert a signed byte, word, or doubleword in the AL or eAX register into a signed
word, doubleword, or double quadword in the rAX register. This action helps avoid overflow problems
in signed number arithmetic.
The CDQE mnemonic is meaningful only in 64-bit mode.

Mnemonic Opcode Description

CBW 98 Sign-extend AL into AX.
CWDE 98 Sign-extend AX into EAX.
CDQE 98 Sign-extend EAX into RAX.

Related Instructions
CWD, CDQ, CQO

rFLAGS Affected
None

Exceptions
None

84 CBW, CWDE, CDQE Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CWD Convert to Sign-Extended

CDQ
CQO
Copies the sign bit in the rAX register to all bits of the rDX register. The effect of this instruction is to
convert a signed word, doubleword, or quadword in the rAX register into a signed doubleword,
quadword, or double-quadword in the rDX:rAX registers. This action helps avoid overflow problems
in signed number arithmetic.
The CQO mnemonic is meaningful only in 64-bit mode.

Mnemonic Opcode Description

CWD 99 Sign-extend AX into DX:AX.
CDQ 99 Sign-extend EAX into EDX:EAX.
CQO 99 Sign-extend RAX into RDX:RAX.

Related Instructions
CBW, CWDE, CDQE

rFLAGS Affected
None

Exceptions
None

Instruction Reference CWD, CDQ, CQO 85

AMD64 Technology 24594—Rev. 3.14—September 2007

CLC Clear Carry Flag

Clears the carry flag (CF) in the rFLAGS register to zero.

Mnemonic Opcode Description

CLC F8 Clear the carry flag (CF) to zero.

Related Instructions
STC, CMC

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
None

86 CLC Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CLD Clear Direction Flag

Clears the direction flag (DF) in the rFLAGS register to zero. If the DF flag is 0, each iteration of a
string instruction increments the data pointer (index registers rSI or rDI). If the DF flag is 1, the string
instruction decrements the pointer. Use the CLD instruction before a string instruction to make the data
pointer increment.

Mnemonic Opcode Description

CLD FC Clear the direction flag (DF) to zero.

Related Instructions
CMPSx, INSx, LODSx, MOVSx, OUTSx, SCASx, STD, STOSx

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
None

Instruction Reference CLD 87

AMD64 Technology 24594—Rev. 3.14—September 2007

CLFLUSH Cache Line Flush

Flushes the cache line specified by the mem8 linear-address. The instruction checks all levels of the
cache hierarchy—internal caches and external caches—and invalidates the cache line in every cache in
which it is found. If a cache contains a dirty copy of the cache line (that is, the cache line is in the
modified or owned MOESI state), the line is written back to memory before it is invalidated. The
instruction sets the cache-line MOESI state to invalid.
The instruction also checks the physical address corresponding to the linear-address operand against
the processor’s write-combining buffers. If the write-combining buffer holds data intended for that
physical address, the instruction writes the entire contents of the buffer to memory. This occurs even
though the data is not cached in the cache hierarchy. In a multiprocessor system, the instruction checks
the write-combining buffers only on the processor that executed the CLFLUSH instruction.
The CLFLUSH instruction is weakly-ordered with respect to other instructions that operate on
memory. Speculative loads initiated by the processor, or specified explicitly using cache-prefetch
instructions, can be reordered around a CLFLUSH instruction. Such reordering can invalidate a
speculatively prefetched cache line, unintentionally defeating the prefetch operation. The only way to
avoid this situation is to use the MFENCE instruction after the CLFLUSH instruction to force strong-
ordering of the CLFLUSH instruction with respect to subsequent memory operations. The CLFLUSH
instruction may also take effect on a cache line while stores from previous store instructions are still
pending in the store buffer. To ensure that such stores are included in the cache line that is flushed, use
an MFENCE instruction ahead of the CLFLUSH instruction. Such stores would otherwise cause the
line to be re-cached and modified after the CLFLUSH completed. The LFENCE, SFENCE, and
serializing instructions are not ordered with respect to CLFLUSH.
The CLFLUSH instruction behaves like a load instruction with respect to setting the page-table
accessed and dirty bits. That is, it sets the page-table accessed bit to 1, but does not set the page-table
dirty bit.
The CLFLUSH instruction is supported if CPUID function 0000_0001h sets EDX bit 19. CPUID
function 0000_0001h returns the CLFLUSH size in EBX bits 23:16. This value reports the size of a
line flushed by CLFLUSH in quadwords. See CPUID for details.
The CLFLUSH instruction executes at any privilege level. CLFLUSH performs all the segmentation
and paging checks that a 1-byte read would perform, except that it also allows references to execute-
only segments.

Mnemonic Opcode Description

CFLUSH mem8 0F AE /7 flush cache line containing mem8.

Related Instructions
INVD, WBINVD

88 CLFLUSH Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

rFLAGS Affected
None

Exceptions
Virtual
Exception (vector) Real 8086 Protected Cause of Exception
The CLFLUSH instruction is not supported, as
Invalid opcode, #UD X X X indicated by EDX bit 19 of CPUID function
0000_0001h.
A memory address exceeded the stack segment limit
Stack, #SS X X X
or was non-canonical.
A memory address exceeded a data segment limit or
General protection, X X X was non-canonical.
#GP
X A null data segment was used to reference memory.
A page fault resulted from the execution of the
Page fault, #PF X X
instruction.

Instruction Reference CLFLUSH 89

AMD64 Technology 24594—Rev. 3.14—September 2007

CMC Complement Carry Flag

Complements (toggles) the carry flag (CF) bit of the rFLAGS register.

Mnemonic Opcode Description

CMC F5 Complement the carry flag (CF).

Related Instructions
CLC, STC

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
None

90 CMC Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CMOVcc Conditional Move

Conditionally moves a 16-bit, 32-bit, or 64-bit value in memory or a general-purpose register (second
operand) into a register (first operand), depending upon the settings of condition flags in the rFLAGS
register. If the condition is not satisfied, the instruction has no effect.
The mnemonics of CMOVcc instructions denote the condition that must be satisfied. Most assemblers
provide instruction mnemonics with A (above) and B (below) tags to supply the semantics for
manipulating unsigned integers. Those with G (greater than) and L (less than) tags deal with signed
integers. Many opcodes may be represented by synonymous mnemonics. For example, the CMOVL
instruction is synonymous with the CMOVNGE instruction and denote the instruction with the opcode
0F 4C.
Support for CMOVcc instructions depends on the processor implementation. To determine whether a
processor can perform CMOVcc instructions, use the CPUID instruction to determine whether EDX
bit 15 of CPUID function 0000_0001h or function 8000_0001h is set to 1.

Mnemonic Opcode Description

CMOVO reg16, reg/mem16
CMOVO reg32, reg/mem32 0F 40 /r Move if overflow (OF = 1).
CMOVO reg64, reg/mem64
CMOVNO reg16, reg/mem16
CMOVNO reg32, reg/mem32 0F 41 /r Move if not overflow (OF = 0).
CMOVNO reg64, reg/mem64
CMOVB reg16, reg/mem16
CMOVB reg32, reg/mem32 0F 42 /r Move if below (CF = 1).
CMOVB reg64, reg/mem64
CMOVC reg16, reg/mem16
CMOVC reg32, reg/mem32 0F 42 /r Move if carry (CF = 1).
CMOVC reg64, reg/mem64
CMOVNAE reg16, reg/mem16
CMOVNAE reg32, reg/mem32 0F 42 /r Move if not above or equal (CF = 1).
CMOVNAE reg64, reg/mem64
CMOVNB reg16,reg/mem16
CMOVNB reg32,reg/mem32 0F 43 /r Move if not below (CF = 0).
CMOVNB reg64,reg/mem64
CMOVNC reg16,reg/mem16
CMOVNC reg32,reg/mem32 0F 43 /r Move if not carry (CF = 0).
CMOVNC reg64,reg/mem64
CMOVAE reg16, reg/mem16
CMOVAE reg32, reg/mem32 0F 43 /r Move if above or equal (CF = 0).
CMOVAE reg64, reg/mem64
CMOVZ reg16, reg/mem16
CMOVZ reg32, reg/mem32 0F 44 /r Move if zero (ZF = 1).
CMOVZ reg64, reg/mem64

Instruction Reference CMOVcc 91

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

CMOVE reg16, reg/mem16
CMOVE reg32, reg/mem32 0F 44 /r Move if equal (ZF =1).
CMOVE reg64, reg/mem64
CMOVNZ reg16, reg/mem16
CMOVNZ reg32, reg/mem32 0F 45 /r Move if not zero (ZF = 0).
CMOVNZ reg64, reg/mem64
CMOVNE reg16, reg/mem16
CMOVNE reg32, reg/mem32 0F 45 /r Move if not equal (ZF = 0).
CMOVNE reg64, reg/mem64
CMOVBE reg16, reg/mem16
CMOVBE reg32, reg/mem32 0F 46 /r Move if below or equal (CF = 1 or ZF = 1).
CMOVBE reg64, reg/mem64
CMOVNA reg16, reg/mem16
CMOVNA reg32, reg/mem32 0F 46 /r Move if not above (CF = 1 or ZF = 1).
CMOVNA reg64, reg/mem64
CMOVNBE reg16, reg/mem16
CMOVNBE reg32,reg/mem32 0F 47 /r Move if not below or equal (CF = 0 and ZF = 0).
CMOVNBE reg64,reg/mem64
CMOVA reg16, reg/mem16
CMOVA reg32, reg/mem32 0F 47 /r Move if above (CF = 0 and ZF = 0).
CMOVA reg64, reg/mem64
CMOVS reg16, reg/mem16
CMOVS reg32, reg/mem32 0F 48 /r Move if sign (SF =1).
CMOVS reg64, reg/mem64
CMOVNS reg16, reg/mem16
CMOVNS reg32, reg/mem32 0F 49 /r Move if not sign (SF = 0).
CMOVNS reg64, reg/mem64
CMOVP reg16, reg/mem16
CMOVP reg32, reg/mem32 0F 4A /r Move if parity (PF = 1).
CMOVP reg64, reg/mem64
CMOVPE reg16, reg/mem16
CMOVPE reg32, reg/mem32 0F 4A /r Move if parity even (PF = 1).
CMOVPE reg64, reg/mem64
CMOVNP reg16, reg/mem16
CMOVNP reg32, reg/mem32 0F 4B /r Move if not parity (PF = 0).
CMOVNP reg64, reg/mem64
CMOVPO reg16, reg/mem16
CMOVPO reg32, reg/mem32 0F 4B /r Move if parity odd (PF = 0).
CMOVPO reg64, reg/mem64
CMOVL reg16, reg/mem16
CMOVL reg32, reg/mem32 0F 4C /r Move if less (SF <> OF).
CMOVL reg64, reg/mem64
CMOVNGE reg16, reg/mem16
CMOVNGE reg32, reg/mem32 0F 4C /r Move if not greater or equal (SF <> OF).
CMOVNGE reg64, reg/mem64

92 CMOVcc Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

CMOVNL reg16, reg/mem16
CMOVNL reg32, reg/mem32 0F 4D /r Move if not less (SF = OF).
CMOVNL reg64, reg/mem64
CMOVGE reg16, reg/mem16
CMOVGE reg32, reg/mem32 0F 4D /r Move if greater or equal (SF = OF).
CMOVGE reg64, reg/mem64
CMOVLE reg16, reg/mem16
CMOVLE reg32, reg/mem32 0F 4E /r Move if less or equal (ZF = 1 or SF <> OF).
CMOVLE reg64, reg/mem64
CMOVNG reg16, reg/mem16
CMOVNG reg32, reg/mem32 0F 4E /r Move if not greater (ZF = 1 or SF <> OF).
CMOVNG reg64, reg/mem64
CMOVNLE reg16, reg/mem16
CMOVNLE reg32, reg/mem32 0F 4F /r Move if not less or equal (ZF = 0 and SF = OF).
CMOVNLE reg64, reg/mem64
CMOVG reg16, reg/mem16
CMOVG reg32, reg/mem32 0F 4F /r Move if greater (ZF = 0 and SF = OF).
CMOVG reg64, reg/mem64

Related Instructions
MOV

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The CMOVcc instruction is not supported, as indicated by
Invalid opcode, #UD X X X EDX bit 15 of CPUID function 0000_0001h or function
8000_0001h.

Stack, #SS X X X A memory address exceeded the stack segment limit or was
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

Instruction Reference CMOVcc 93

AMD64 Technology 24594—Rev. 3.14—September 2007

CMP Compare
Compares the contents of a register or memory location (first operand) with an immediate value or the
contents of a register or memory location (second operand), and sets or clears the status flags in the
rFLAGS register to reflect the results. To perform the comparison, the instruction subtracts the second
operand from the first operand and sets the status flags in the same manner as the SUB instruction, but
does not alter the first operand. If the second operand is an immediate value, the instruction sign-
extends the value to the length of the first operand.
Use the CMP instruction to set the condition codes for a subsequent conditional jump (Jcc),
conditional move (CMOVcc), or conditional SETcc instruction. Appendix E, “Instruction Effects on
RFLAGS,” shows how instructions affect the rFLAGS status flags.
.

Mnemonic Opcode Description

Compare an 8-bit immediate value with the contents of
CMP AL, imm8 3C ib
the AL register.
Compare a 16-bit immediate value with the contents of
CMP AX, imm16 3D iw
the AX register.
Compare a 32-bit immediate value with the contents of
CMP EAX, imm32 3D id
the EAX register.
Compare a 32-bit immediate value with the contents of
CMP RAX, imm32 3D id
the RAX register.

CMP reg/mem8, imm8 80 /7 ib Compare an 8-bit immediate value with the contents of
an 8-bit register or memory operand.
Compare a 16-bit immediate value with the contents of
CMP reg/mem16, imm16 81 /7 iw
a 16-bit register or memory operand.
Compare a 32-bit immediate value with the contents of
CMP reg/mem32, imm32 81 /7 id
a 32-bit register or memory operand.
Compare a 32-bit signed immediate value with the
CMP reg/mem64, imm32 81 /7 id
contents of a 64-bit register or memory operand.
Compare an 8-bit signed immediate value with the
CMP reg/mem16, imm8 83 /7 ib
contents of a 16-bit register or memory operand.

CMP reg/mem32, imm8 83 /7 ib Compare an 8-bit signed immediate value with the
contents of a 32-bit register or memory operand.
Compare an 8-bit signed immediate value with the
CMP reg/mem64, imm8 83 /7 ib
contents of a 64-bit register or memory operand.
Compare the contents of an 8-bit register or memory
CMP reg/mem8, reg8 38 /r
operand with the contents of an 8-bit register.

CMP reg/mem16, reg16 39 /r Compare the contents of a 16-bit register or memory

operand with the contents of a 16-bit register.
Compare the contents of a 32-bit register or memory
CMP reg/mem32, reg32 39 /r
operand with the contents of a 32-bit register.
Compare the contents of a 64-bit register or memory
CMP reg/mem64, reg64 39 /r
operand with the contents of a 64-bit register.

94 CMP Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Compare the contents of an 8-bit register with the
CMP reg8, reg/mem8 3A /r
contents of an 8-bit register or memory operand.

CMP reg16, reg/mem16 3B /r Compare the contents of a 16-bit register with the
contents of a 16-bit register or memory operand.
Compare the contents of a 32-bit register with the
CMP reg32, reg/mem32 3B /r
contents of a 32-bit register or memory operand.
Compare the contents of a 64-bit register with the
CMP reg64, reg/mem64 3B /r
contents of a 64-bit register or memory operand.

When interpreting operands as unsigned, flag settings are as follows:

Operands CF ZF

dest > source 0 0

dest = source 0 1

dest < source 1 0

When interpreting operands as signed, flag settings are as follows:

Operands OF ZF

dest > source SF 0

dest = source 0 1

dest < source NOT SF 0

Related Instructions
SUB, CMPSx, SCASx

Instruction Reference CMP 95

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

96 CMP Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CMPS Compare Strings

CMPSB
CMPSW
CMPSD
CMPSQ
Compares the bytes, words, doublewords, or quadwords pointed to by the rSI and rDI registers, sets or
clears the status flags of the rFLAGS register to reflect the results, and then increments or decrements
the rSI and rDI registers according to the state of the DF flag in the rFLAGS register. To perform the
comparison, the instruction subtracts the second operand from the first operand and sets the status
flags in the same manner as the SUB instruction, but does not alter the first operand. The two operands
must be the same size.
If the DF flag is 0, the instruction increments rSI and rDI; otherwise, it decrements the pointers. It
increments or decrements the pointers by 1, 2, 4, or 8, depending on the size of the operands.
The forms of the CMPSx instruction with explicit operands address the first operand at seg:[rSI]. The
value of seg defaults to the DS segment, but may be overridden by a segment prefix. These instructions
always address the second operand at ES:[rDI]. ES may not be overridden. The explicit operands serve
only to specify the type (size) of the values being compared and the segment used by the first operand.
The no-operands forms of the instruction use the DS:[rSI] and ES:[rDI] registers to point to the values
to be compared. The mnemonic determines the size of the operands.
Do not confuse this CMPSD instruction with the same-mnemonic CMPSD (compare scalar double-
precision floating-point) instruction in the 128-bit media instruction set. Assemblers can distinguish
the instructions by the number and type of operands.
For block comparisons, the CMPS instruction supports the REPE or REPZ prefixes (they are
synonyms) and the REPNE or REPNZ prefixes (they are synonyms). For details about the REP
prefixes, see “Repeat Prefixes” on page 9. If a conditional jump instruction like JL follows a CMPSx
instruction, the jump occurs if the value of the seg:[rSI] operand is less than the ES:[rDI] operand. This
action allows lexicographical comparisons of string or array elements. A CMPSx instruction can also
operate inside a loop controlled by the LOOPcc instruction.

Mnemonic Opcode Description

Compare the byte at DS:rSI with the byte at ES:rDI and
CMPS mem8, mem8 A6
then increment or decrement rSI and rDI.
Compare the word at DS:rSI with the word at ES:rDI and
CMPS mem16, mem16 A7
then increment or decrement rSI and rDI.
Compare the doubleword at DS:rSI with the doubleword
CMPS mem32, mem32 A7 at ES:rDI and then increment or decrement rSI and rDI.
Compare the quadword at DS:rSI with the quadword at
CMPS mem64, mem64 A7
ES:rDI and then increment or decrement rSI and rDI.

Instruction Reference CMPSx 97

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Compare the byte at DS:rSI with the byte at ES:rDI and
CMPSB A6
then increment or decrement rSI and rDI.

CMPSW A7 Compare the word at DS:rSI with the word at ES:rDI and
then increment or decrement rSI and rDI.
Compare the doubleword at DS:rSI with the doubleword
CMPSD A7
at ES:rDI and then increment or decrement rSI and rDI.
Compare the quadword at DS:rSI with the quadword at
CMPSQ A7
ES:rDI and then increment or decrement rSI and rDI.

Related Instructions
CMP, SCASx

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

98 CMPSx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CMPXCHG Compare and Exchange

Compares the value in the AL, AX, EAX, or RAX register with the value in a register or a memory
location (first operand). If the two values are equal, the instruction copies the value in the second
operand to the first operand and sets the ZF flag in the rFLAGS register to 1. Otherwise, it copies the
value in the first operand to the AL, AX, EAX, or RAX register and clears the ZF flag to 0.
The OF, SF, AF, PF, and CF flags are set to reflect the results of the compare.
When the first operand is a memory operand, CMPXCHG always does a read-modify-write on the
memory operand. If the compared operands were unequal, CMPXCHG writes the same value to the
memory operand that was read.
The forms of the CMPXCHG instruction that write to memory support the LOCK prefix. For details
about the LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Compare AL register with an 8-bit register or memory
CMPXCHG reg/mem8, reg8 0F B0 /r location. If equal, copy the second operand to the first
operand. Otherwise, copy the first operand to AL.
Compare AX register with a 16-bit register or memory
CMPXCHG reg/mem16, reg16 0F B1 /r location. If equal, copy the second operand to the first
operand. Otherwise, copy the first operand to AX.
Compare EAX register with a 32-bit register or memory
CMPXCHG reg/mem32, reg32 0F B1 /r location. If equal, copy the second operand to the first
operand. Otherwise, copy the first operand to EAX.
Compare RAX register with a 64-bit register or memory
CMPXCHG reg/mem64, reg64 0F B1 /r location. If equal, copy the second operand to the first
operand. Otherwise, copy the first operand to RAX.

Related Instructions
CMPXCHG8B, CMPXCHG16B

Instruction Reference CMPXCHG 99

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

100 CMPXCHG Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CMPXCHG8B Compare and Exchange Eight Bytes

CMPXCHG16B Compare and Exchange Sixteen Bytes
Compares the value in the rDX:rAX registers with a 64-bit or 128-bit value in the specified memory
location. If the values are equal, the instruction copies the value in the rCX:rBX registers to the
memory location and sets the zero flag (ZF) of the rFLAGS register to 1. Otherwise, it copies the value
in memory to the rDX:rAX registers and clears ZF to 0.
If the effective operand size is 16-bit or 32-bit, the CMPXCHG8B instruction is used. This instruction
uses the EDX:EAX and ECX:EBX register operands and a 64-bit memory operand. If the effective
operand size is 64-bit, the CMPXCHG16B instruction is used; this instruction uses RDX:RAX and
RCX:RBX register operands and a 128-bit memory operand.
The CMPXCHG8B and CMPXCHG16B instructions always do a read-modify-write on the memory
operand. If the compared operands were unequal, the instructions write the same value to the memory
operand that was read.
The CMPXCHG8B and CMPXCHG16B instructions support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.
Support for the CMPXCHG8B and CMPXCHG16B instructions depends on the processor
implementation. To find out if a processor can execute the CMPXCHG8B instruction, use the CPUID
instruction to determine whether EDX bit 8 of CPUID function 0000_0001h or function 8000_0001h
is set to 1. To find out if a processor can execute the CMPXCHG16B instruction, use the CPUID
instruction to determine whether ECX bit 13 of CPUID function 0000_0001h is set to 1.
The memory operand used by CMPXCHG16B must be 16-byte aligned or else a general-protection
exception is generated.

Mnemonic Opcode Description

Compare EDX:EAX register to 64-bit memory location.
If equal, set the zero flag (ZF) to 1 and copy the
CMPXCHG8B mem64 0F C7 /1 m64 ECX:EBX register to the memory location. Otherwise,
copy the memory location to EDX:EAX and clear the
zero flag.
Compare RDX:RAX register to 128-bit memory location.
If equal, set the zero flag (ZF) to 1 and copy the
0F C7 /1
CMPXCHG16B mem128 RCX:RBX register to the memory location. Otherwise,
m128
copy the memory location to RDX:RAX and clear the
zero flag.

Related Instructions
CMPXCHG

Instruction Reference CMPXCHG8/16B 101

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The CMPXCHG8B instruction is not supported, as indicated
X X X by EDX bit 8 of CPUID function 0000_0001h or function
8000_0001h.
Invalid opcode, #UD
The CMPXCHG16B instruction is not supported, as indicated
X by ECX bit 13 of CPUID function 0000_0001h.
X X X The operand was a register.
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X canonical.
General protection, X The destination operand was in a non-writable segment.
#GP X A null data segment was used to reference memory.
The memory operand for CMPXCHG16B was not aligned on a
X
16-byte boundary.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

102 CMPXCHG8/16B Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CPUID Processor Identification

Provides information about the processor and its capabilities through a number of different functions.
Software should load the number of the CPUID function to execute into the EAX register before
executing the CPUID instruction. The processor returns information in the EAX, EBX, ECX, and
EDX registers; the contents and format of these registers depend on the function.
The architecture supports CPUID information about standard functions and extended functions. The
standard functions have numbers in the 0000_xxxxh series (for example, standard function 1). To
determine the largest standard function number that a processor supports, execute CPUID function 0.
The extended functions have numbers in the 8000_xxxxh series (for example, extended
function 8000_0001h). To determine the largest extended function number that a processor supports,
execute CPUID extended function 8000_0000h. If the value returned in EAX is greater than
8000_0000h, the processor supports extended functions.
Software operating at any privilege level can execute the CPUID instruction to collect this information.
In 64-bit mode, this instruction works the same as in legacy mode except that it zero-extends 32-bit
register results to 64 bits.
CPUID is a serializing instruction.

Mnemonic Opcode Description

Returns information about the processor and its
CPUID 0F A2 capabilities. EAX specifies the function number, and the
data is returned in EAX, EBX, ECX, EDX.

Testing for the CPUID Instruction

To avoid an invalid-opcode exception (#UD) on those processor implementations that do not support
the CPUID instruction, software must first test to determine if the CPUID instruction is supported.
Support for the CPUID instruction is indicated by the ability to write the ID bit in the rFLAGS register.
Normally, 32-bit software uses the PUSHFD and POPFD instructions in an attempt to write
rFLAGS.ID. After reading the updated rFLAGS.ID bit, a comparison determines if the operation
changed its value. If the value changed, the processor executing the code supports the CPUID
instruction. If the value did not change, rFLAGS.ID is not writable, and the processor does not support
the CPUID instruction.
The following code sample shows how to test for the presence of the CPUID instruction using 32-bit
code.
pushfd ; save EFLAGS
pop eax ; store EFLAGS in EAX
mov ebx, eax ; save in EBX for later testing
xor eax, 00200000h ; toggle bit 21
push eax ; push to stack
popfd ; save changed EAX to EFLAGS

Instruction Reference CPUID 103

AMD64 Technology 24594—Rev. 3.14—September 2007

pushfd ; push EFLAGS to TOS

pop eax ; store EFLAGS in EAX
cmp eax, ebx ; see if bit 21 has changed
jz NO_CPUID ; if no change, no CPUID

Standard Function 0 and Extended Function 8000_0000h

CPUID standard function 0 loads the EAX register with the largest CPUID standard function number
supported by the processor implementation; similarly, CPUID extended function 8000_0000h loads
the EAX register with the largest extended function number supported.
Standard function 0 and extended function 8000_0000h both load a 12-character string into the EBX,
EDX, and ECX registers identifying the processor vendor. For AMD processors, the string is
AuthenticAMD. This string informs software that it should follow the AMD CPUID definition for
subsequent CPUID function calls. If the function returns another vendor’s string, software must use
that vendor’s CPUID definition when interpreting the results of subsequent CPUID function calls.
Table 3-2 shows the contents of the EBX, EDX, and ECX registers after executing function 0 on an
AMD processor.

Table 3-2. Processor Vendor Return Values

Register Return Value ASCII Characters
EBX 6874_7541h “h t u A”
EDX 6974_6E65h “i t n e”
ECX 444D_4163h “D M A c”

For more detailed on CPUID standard and extended functions, see the AMD CPUID Specification,
order# 25481.

Related Instructions
None

rFLAGS Affected
None

Exceptions
None

104 CPUID Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

DAA Decimal Adjust after Addition

Adjusts the value in the AL register into a packed BCD result and sets the CF and AF flags in the
rFLAGS register to indicate a decimal carry out of either nibble of AL.
Use this instruction to adjust the result of a byte ADD instruction that performed the binary addition of
one 2-digit packed BCD values to another.
The instruction performs the adjustment by adding 06h to AL if the lower nibble is greater than 9 or if
AF = 1. Then 60h is added to AL if the original AL was greater than 99h or if CF = 1.
If the lower nibble of AL was adjusted, the AF flag is set to 1. Otherwise AF is not modified. If the
upper nibble of AL was adjusted, the CF flag is set to 1. Otherwise, CF is not modified. SF, ZF, and PF
are set according to the final value of AL.
Using this instruction in 64-bit mode generates an invalid-opcode (#UD) exception.

Mnemonic Opcode Description

Decimal adjust AL.
DAA 27
(Invalid in 64-bit mode.)

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X This instruction was executed in 64-bit mode.

Instruction Reference DAA 105

AMD64 Technology 24594—Rev. 3.14—September 2007

DAS Decimal Adjust after Subtraction

Adjusts the value in the AL register into a packed BCD result and sets the CF and AF flags in the
rFLAGS register to indicate a decimal borrow.
Use this instruction to adjust the result of a byte SUB instruction that performed a binary subtraction of
one 2-digit, packed BCD value from another.
This instruction performs the adjustment by subtracting 06h from AL if the lower nibble is greater than
9 or if AF = 1. Then 60h is subtracted from AL if the original AL was greater than 99h or if CF = 1.
If the adjustment changes the lower nibble of AL, the AF flag is set to 1; otherwise AF is not modified.
If the adjustment results in a borrow for either nibble of AL, the CF flag is set to 1; otherwise CF is not
modified. The SF, ZF, and PF flags are set according to the final value of AL.
Using this instruction in 64-bit mode generates an invalid-opcode (#UD) exception.

Mnemonic Opcode Description

Decimal adjusts AL after subtraction.
DAS 2F
(Invalid in 64-bit mode.)

Related Instructions
DAA

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X This instruction was executed in 64-bit mode.

106 DAS Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

DEC Decrement by 1
Subtracts 1 from the specified register or memory location. The CF flag is not affected.
The one-byte forms of this instruction (opcodes 48 through 4F) are used as REX prefixes in 64-bit
mode. See “REX Prefixes” on page 11.
The forms of the DEC instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.
To perform a decrement operation that updates the CF flag, use a SUB instruction with an immediate
operand of 1.

Mnemonic Opcode Description

Decrement the contents of an 8-bit register or memory
DEC reg/mem8 FE /1
location by 1.
Decrement the contents of a 16-bit register or memory
DEC reg/mem16 FF /1
location by 1.
Decrement the contents of a 32-bit register or memory
DEC reg/mem32 FF /1
location by 1.

DEC reg/mem64 FF /1 Decrement the contents of a 64-bit register or memory

location by 1.
Decrement the contents of a 16-bit register by 1.
DEC reg16 48 +rw
(See “REX Prefixes” on page 11.)
Decrement the contents of a 32-bit register by 1.
DEC reg32 48 +rd
(See “REX Prefixes” on page 11.)

Related Instructions
INC, SUB

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Instruction Reference DEC 107

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded the data segment limit or was
X X X
non-canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

108 DEC Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

DIV Unsigned Divide

Divides the unsigned value in a register by the unsigned value in the specified register or memory
location. The register to be divided depends on the size of the divisor.
When dividing a word, the dividend is in the AX register. The instruction stores the quotient in the AL
register and the remainder in the AH register.
When dividing a doubleword, quadword, or double quadword, the most-significant word of the
dividend is in the rDX register and the least-significant word is in the rAX register. After the division,
the instruction stores the quotient in the rAX register and the remainder in the rDX register.
The following table summarizes the action of this instruction:

Division Size Dividend Divisor Quotient Remainder Maximum Quotient

Word/byte AX reg/mem8 AL AH 255

Doubleword/word DX:AX reg/mem16 AX DX 65,535

Quadword/doubleword EDX:EAX reg/mem32 EAX EDX 2 32 – 1

Double quadword/
RDX:RAX reg/mem64 RAX RDX 264 – 1
quadword

The instruction truncates non-integral results towards 0 and the remainder is always less than the
divisor. An overflow generates a #DE (divide error) exception, rather than setting the CF flag.
Division by zero generates a divide-by-zero exception.

Mnemonic Opcode Description

Perform unsigned division of AX by the contents of an 8-
DIV reg/mem8 F6 /6 bit register or memory location and store the quotient in
AL and the remainder in AH.
Perform unsigned division of DX:AX by the contents of a
DIV reg/mem16 F7 /6 16-bit register or memory operand store the quotient in
AX and the remainder in DX.
Perform unsigned division of EDX:EAX by the contents
DIV reg/mem32 F7 /6 of a 32-bit register or memory location and store the
quotient in EAX and the remainder in EDX.
Perform unsigned division of RDX:RAX by the contents
DIV reg/mem64 F7 /6 of a 64-bit register or memory location and store the
quotient in RAX and the remainder in RDX.

Related Instructions
MUL

Instruction Reference DIV 109

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U U U U

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
X X X The divisor operand was 0.
Divide by zero, #DE
X X X The quotient was too large for the designated register.
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.

X X X A memory address exceeded a data segment limit or was non-

General protection, canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

110 DIV Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

ENTER Create Procedure Stack Frame

Creates a stack frame for a procedure.
The first operand specifies the size of the stack frame allocated by the instruction.
The second operand specifies the nesting level (0 to 31—the value is automatically masked to 5 bits).
For nesting levels of 1 or greater, the processor copies earlier stack frame pointers before adjusting the
stack pointer. This action provides a called procedure with access points to other nested stack frames.
The 32-bit enter N, 0 (a nesting level of 0) instruction is equivalent to the following 32-bit
instruction sequence:
push ebp ; save current EBP
mov ebp, esp ; set stack frame pointer value
sub esp, N ; allocate space for local variables

The ENTER and LEAVE instructions provide support for block structured languages. The LEAVE
instruction releases the stack frame on returning from a procedure.
In 64-bit mode, the operand size of ENTER defaults to 64 bits, and there is no prefix available for
encoding a 32-bit operand size.

Mnemonic Opcode Description

ENTER imm16, 0 C8 iw 00 Create a procedure stack frame.
ENTER imm16, 1 C8 iw 01 Create a nested stack frame for a procedure.
ENTER imm16, imm8 C8 iw ib Create a nested stack frame for a procedure.

Action
// See “Pseudocode Definitions” on page 41.

ENTER_START:

temp_ALLOC_SPACE = word-sized immediate specified in the instruction

(first operand), zero-extended to 64 bits
temp_LEVEL = byte-sized immediate specified in the instruction
(second operand), zero-extended to 64 bits

temp_LEVEL = temp_LEVEL AND 0x1f

// only keep 5 bits of level count

PUSH.v old_RBP

temp_RBP = RSP // This value of RSP will eventually be loaded

// into RBP.
IF (temp_LEVEL>0) // Push "temp_LEVEL" parameters to the stack.
{
FOR (I=1; I<temp_LEVEL; I++)

Instruction Reference ENTER 111

AMD64 Technology 24594—Rev. 3.14—September 2007

// All but one of the parameters are copied

// from higher up on the stack.
{
temp_DATA = READ_MEM.v [SS:old_RBP-I*V]
PUSH.v temp_DATA
}
PUSH.v temp_RBP // The last parameter is the offset of the old
// value of RSP on the stack.
}
RSP.s = RSP - temp_ALLOC_SPACE // Leave "temp_ALLOC_SPACE" free bytes on
// the stack

WRITE_MEM.v [SS:RSP.s] = temp_unused // ENTER finishes with a memory write

// check on the final stack pointer,
// but no write actually occurs.

RBP.v = temp_RBP
EXIT

Related Instructions
LEAVE

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack-segment limit or was
Stack, #SS X X X
non-canonical.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

112 ENTER Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

IDIV Signed Divide

Divides the signed value in a register by the signed value in the specified register or memory location.
The register to be divided depends on the size of the divisor.
When dividing a word, the dividend is in the AX register. The instruction stores the quotient in the AL
register and the remainder in the AH register.
When dividing a doubleword, quadword, or double quadword, the most-significant word of the
dividend is in the rDX register and the least-significant word is in the rAX register. After the division,
the instruction stores the quotient in the rAX register and the remainder in the rDX register.
The following table summarizes the action of this instruction:

Division Size Dividend Divisor Quotient Remainder Quotient Range

Word/byte AX reg/mem8 AL AH –128 to +127

Doubleword/word DX:AX reg/mem16 AX DX –32,768 to +32,767

Quadword/doubleword EDX:EAX reg/mem32 EAX EDX –2 31 to 2 31– 1

Double quadword/
RDX:RAX reg/mem64 RAX RDX –2 63 to 263– 1
quadword

The instruction truncates non-integral results towards 0. The sign of the remainder is always the same
as the sign of the dividend, and the absolute value of the remainder is less than the absolute value of the
divisor. An overflow generates a #DE (divide error) exception, rather than setting the OF flag.
To avoid overflow problems, precede this instruction with a CBW, CWD, CDQ, or CQO instruction to
sign-extend the dividend.

Mnemonic Opcode Description

Perform signed division of AX by the contents of an 8-bit
IDIV reg/mem8 F6 /7 register or memory location and store the quotient in AL
and the remainder in AH.
Perform signed division of DX:AX by the contents of a
IDIV reg/mem16 F7 /7 16-bit register or memory location and store the quotient
in AX and the remainder in DX.
Perform signed division of EDX:EAX by the contents of
IDIV reg/mem32 F7 /7 a 32-bit register or memory location and store the
quotient in EAX and the remainder in EDX.
Perform signed division of RDX:RAX by the contents of
IDIV reg/mem64 F7 /7 a 64-bit register or memory location and store the
quotient in RAX and the remainder in RDX.

Instruction Reference IDIV 113

AMD64 Technology 24594—Rev. 3.14—September 2007

Related Instructions
IMUL

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U U U U U

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
X X X The divisor operand was 0.
Divide by zero, #DE
X X X The quotient was too large for the designated register.
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

114 IDIV Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

IMUL Signed Multiply

Multiplies two signed operands. The number of operands determines the form of the instruction.
If a single operand is specified, the instruction multiplies the value in the specified general-purpose
register or memory location by the value in the AL, AX, EAX, or RAX register (depending on the
operand size) and stores the product in AX, DX:AX, EDX:EAX, or RDX:RAX, respectively.
If two operands are specified, the instruction multiplies the value in a general-purpose register (first
operand) by an immediate value or the value in a general-purpose register or memory location (second
operand) and stores the product in the first operand location.
If three operands are specified, the instruction multiplies the value in a general-purpose register or
memory location (second operand), by an immediate value (third operand) and stores the product in a
register (first operand).
The IMUL instruction sign-extends an immediate operand to the length of the other register/memory
operand.
The CF and OF flags are set if, due to integer overflow, the double-width multiplication result cannot
be represented in the half-width destination register. Otherwise the CF and OF flags are cleared.

Mnemonic Opcode Description

Multiply the contents of AL by the contents of an 8-bit
IMUL reg/mem8 F6 /5 memory or register operand and put the signed result in
AX.
Multiply the contents of AX by the contents of a 16-bit
IMUL reg/mem16 F7 /5 memory or register operand and put the signed result in
DX:AX.
Multiply the contents of EAX by the contents of a 32-bit
IMUL reg/mem32 F7 /5 memory or register operand and put the signed result in
EDX:EAX.
Multiply the contents of RAX by the contents of a 64-bit
IMUL reg/mem64 F7 /5 memory or register operand and put the signed result in
RDX:RAX.
Multiply the contents of a 16-bit destination register by
IMUL reg16, reg/mem16 0F AF /r the contents of a 16-bit register or memory operand and
put the signed result in the 16-bit destination register.
Multiply the contents of a 32-bit destination register by
IMUL reg32, reg/mem32 0F AF /r the contents of a 32-bit register or memory operand and
put the signed result in the 32-bit destination register.
Multiply the contents of a 64-bit destination register by
IMUL reg64, reg/mem64 0F AF /r the contents of a 64-bit register or memory operand and
put the signed result in the 64-bit destination register.
Multiply the contents of a 16-bit register or memory
IMUL reg16, reg/mem16, imm8 6B /r ib operand by a sign-extended immediate byte and put the
signed result in the 16-bit destination register.

Instruction Reference IMUL 115

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Multiply the contents of a 32-bit register or memory
IMUL reg32, reg/mem32, imm8 6B /r ib operand by a sign-extended immediate byte and put the
signed result in the 32-bit destination register.
Multiply the contents of a 64-bit register or memory
IMUL reg64, reg/mem64, imm8 6B /r ib operand by a sign-extended immediate byte and put the
signed result in the 64-bit destination register.
Multiply the contents of a 16-bit register or memory
IMUL reg16, reg/mem16, 69 /r iw operand by a sign-extended immediate word and put the
imm16
signed result in the 16-bit destination register.
Multiply the contents of a 32-bit register or memory
IMUL reg32, reg/mem32,
69 /r id operand by a sign-extended immediate double and put
imm32 the signed result in the 32-bit destination register.
Multiply the contents of a 64-bit register or memory
IMUL reg64, reg/mem64,
69 /r id operand by a sign-extended immediate double and put
imm32
the signed result in the 64-bit destination register.

Related Instructions
IDIV

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M U U U U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

116 IMUL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

IN Input from Port

Transfers a byte, word, or doubleword from an I/O port (second operand) to the AL, AX or EAX
register (first operand). The port address can be an 8-bit immediate value (00h to FFh) or contained in
the DX register (0000h to FFFFh).
The port is in the processor’s I/O address space. For 8-bit I/O port accesses, the opcode determines the
port size. For 16-bit and 32-bit accesses, the operand-size attribute determines the port size. If the
operand size is 64-bits, IN reads only 32 bits from the I/O port.
If the CPL is higher than IOPL, or the mode is virtual mode, IN checks the I/O permission bitmap in
the TSS before allowing access to the I/O port. (See Volume 2 for details on the TSS I/O permission
bitmap.)

Mnemonic Opcode Description

Input a byte from the port at the address specified by
IN AL, imm8 E4 ib
imm8 and put it into the AL register.
Input a word from the port at the address specified by
IN AX, imm8 E5 ib
imm8 and put it into the AX register.
Input a doubleword from the port at the address
IN EAX, imm8 E5 ib
specified by imm8 and put it into the EAX register.
Input a byte from the port at the address specified by the
IN AL, DX EC
DX register and put it into the AL register.

IN AX, DX ED Input a word from the port at the address specified by

the DX register and put it into the AX register.
Input a doubleword from the port at the address
IN EAX, DX ED specified by the DX register and put it into the EAX
register.

Related Instructions
INSx, OUT, OUTSx

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
One or more I/O permission bits were set in the TSS for the
X
General protection, accessed port.
#GP The CPL was greater than the IOPL and one or more I/O
X permission bits were set in the TSS for the accessed port.
Page fault, #PF X X A page fault resulted from the execution of the instruction.

Instruction Reference IN 117

AMD64 Technology 24594—Rev. 3.14—September 2007

INC Increment by 1
Adds 1 to the specified register or memory location. The CF flag is not affected, even if the operand is
incremented to 0000.
The one-byte forms of this instruction (opcodes 40 through 47) are used as REX prefixes in 64-bit
mode. See “REX Prefixes” on page 11.
The forms of the INC instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.
To perform an increment operation that updates the CF flag, use an ADD instruction with an
immediate operand of 1.

Mnemonic Opcode Description

Increment the contents of an 8-bit register or memory
INC reg/mem8 FE /0
location by 1.
Increment the contents of a 16-bit register or memory
INC reg/mem16 FF /0
location by 1.
Increment the contents of a 32-bit register or memory
INC reg/mem32 FF /0
location by 1.
Increment the contents of a 64-bit register or memory
INC reg/mem64 FF /0
location by 1.
Increment the contents of a 16-bit register by 1.
INC reg16 40 +rw (These opcodes are used as REX prefixes in 64-bit
mode. See “REX Prefixes” on page 11.)
Increment the contents of a 32-bit register by 1.
INC reg32 40 +rd (These opcodes are used as REX prefixes in 64-bit
mode. See “REX Prefixes” on page 11.)

Related Instructions
ADD, DEC

118 INC Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

Instruction Reference INC 119

AMD64 Technology 24594—Rev. 3.14—September 2007

INS Input String

INSB
INSW
INSD
Transfers data from the I/O port specified in the DX register to an input buffer specified in the rDI
register and increments or decrements the rDI register according to the setting of the DF flag in the
rFLAGS register.
If the DF flag is 0, the instruction increments rDI by 1, 2, or 4, depending on the number of bytes read.
If the DF flag is 1, it decrements the pointer by 1, 2, or 4.
In 16-bit and 32-bit mode, the INS instruction always uses ES as the data segment. The ES segment
cannot be overridden with a segment override prefix. In 64-bit mode, INS always uses the
unsegmented memory space.
The INS instructions use the explicit memory operand (first operand) to determine the size of the I/O
port, but always use ES:[rDI] for the location of the input buffer. The explicit register operand (second
operand) specifies the I/O port address and must always be DX.
The INSB, INSW, and INSD instructions copy byte, word, and doubleword data, respectively, from the
I/O port (0000h to FFFFh) specified in the DX register to the input buffer specified in the ES:rDI
registers.
If the operand size is 64-bits, the instruction behaves as if the operand size were 32-bits.
If the CPL is higher than the IOPL or the mode is virtual mode, INSx checks the I/O permission bitmap
in the TSS before allowing access to the I/O port. (See volume 2 for details on the TSS I/O permission
bitmap.)
The INSx instructions support the REP prefix for block input of rCX bytes, words, or doublewords.
For details about the REP prefix, see “Repeat Prefixes” on page 9.

Mnemonic Opcode Description

Input a byte from the port specified by DX, put it into the
INS mem8, DX 6C memory location specified in ES:rDI, and then
increment or decrement rDI.
Input a word from the port specified by DX register, put it
INS mem16, DX 6D into the memory location specified in ES:rDI, and then
increment or decrement rDI.
Input a doubleword from the port specified by DX, put it
INS mem32, DX 6D into the memory location specified in ES:rDI, and then
increment or decrement rDI.
Input a byte from the port specified by DX, put it into the
INSB 6C memory location specified in ES:rDI, and then
increment or decrement rDI.

120 INSx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Input a word from the port specified by DX, put it into the
INSW 6D memory location specified in ES:rDI, and then
increment or decrement rDI.
Input a doubleword from the port specified by DX, put it
INSD 6D into the memory location specified in ES:rDI, and then
increment or decrement rDI.

Related Instructions
IN, OUT, OUTSx

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception

X X X A memory address exceeded a data segment limit or was non-

canonical.
One or more I/O permission bits were set in the TSS for the
X accessed port.
General protection,
#GP X The CPL was greater than the IOPL and one or more I/O
permission bits were set in the TSS for the accessed port.
X A null data segment was used to reference memory.
X The destination operand was in a non-writable segment.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference INSx 121

AMD64 Technology 24594—Rev. 3.14—September 2007

INT Interrupt to Vector

Transfers execution to the interrupt handler specified by an 8-bit unsigned immediate value. This value
is an interrupt vector number (00h to FFh), which the processor uses as an index into the interrupt-
descriptor table (IDT).
For detailed descriptions of the steps performed by INTn instructions, see the following:
• Legacy-Mode Interrupts: “Legacy Protected-Mode Interrupt Control Transfers” in Volume 2.
• Long-Mode Interrupts: “Long-Mode Interrupt Control Transfers” in Volume 2.
See also the descriptions of the INT3 instruction on page 259 and the INTO instruction on page 129.

Mnemonic Opcode Description

Call interrupt service routine specified by interrupt
INT imm8 CD ib
vector imm8.

Action
// See “Pseudocode Definitions” on page 41.

INT_N_START:

IF (REAL_MODE)
INT_N_REAL
ELSIF (PROTECTED_MODE)
INT_N_PROTECTED
ELSE // (VIRTUAL_MODE)
INT_N_VIRTUAL

INT_N_REAL:
temp_int_n_vector = byte-sized interrupt vector specified in the instruction,
zero-extended to 64 bits

temp_RIP = READ_MEM.w [idt:temp_int_n_vector*4]

// read target CS:RIP from the real-mode idt
temp_CS = READ_MEM.w [idt:temp_int_n_vector*4+2]

PUSH.w old_RFLAGS
PUSH.w old_CS
PUSH.w next_RIP

IF (temp_RIP>CS.limit)
EXCEPTION [#GP]

CS.sel = temp_CS
CS.base = temp_CS SHL 4

RFLAGS.AC,TF,IF,RF cleared

122 INT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

RIP = temp_RIP
EXIT

INT_N_PROTECTED:

temp_int_n_vector = byte-sized interrupt vector specified in the instruction,

zero-extended to 64 bits
temp_idt_desc = READ_IDT (temp_int_n_vector)

IF (temp_idt_desc.attr.type = ’taskgate’)
TASK_SWITCH // using tss selector in the task gate as the target tss

IF (LONG_MODE) // The size of the gate controls the size of the

// stack pushes.
V=8-byte // Long mode only uses 64-bit gates.
ELSIF ((temp_idt_desc.attr.type = ’intgate32’)
|| (temp_idt_desc.attr.type = ’trapgate32’))
V=4-byte // Legacy mode, using a 32-bit gate
ELSE // gate is intgate16 or trapgate16
V=2-byte // Legacy mode, using a 16-bit gate

temp_RIP = temp_idt_desc.offset

IF (LONG_MODE)
// In long mode, we need to read the 2nd half of a
// 16-byte interrupt-gate from the IDT, to get the
// upper 32 bits of the target RIP
{
temp_upper = READ_MEM.q [idt:temp_int_n_vector*16+8]

temp_RIP = tempRIP + (temp_upper SHL 32) // concatenate both halves of RIP

}

CS = READ_DESCRIPTOR (temp_idt_desc.segment, intcs_chk)

IF (CS.attr.conforming=1)
temp_CPL = CPL
ELSE
temp_CPL = CS.attr.dpl

IF (CPL=temp_CPL) // no privilege-level change

{
IF (LONG_MODE)
{
IF (temp_idt_desc.ist!=0)
// In long mode, if the IDT gate specifies an IST pointer,
// a stack-switch is always done
RSP = READ_MEM.q [tss:ist_index*8+28]

RSP = RSP AND 0xFFFFFFFFFFFFFFF0

Instruction Reference INT 123

AMD64 Technology 24594—Rev. 3.14—September 2007

// In long mode, interrupts/exceptions align RSP to a

// 16-byte boundary

PUSH.q old_SS // In long mode, SS:RSP is always pushed to the stack

PUSH.q old_RSP
}

PUSH.v old_RFLAGS
PUSH.v old_CS
PUSH.v next_RIP

IF ((64BIT_MODE) && (temp_RIP is non-canonical)

|| (!64BIT_MODE) && (temp_RIP > CS.limit))
EXCEPTION [#GP(0)]

RFLAGS.VM,NT,TF,RF cleared
RFLAGS.IF cleared if interrupt gate

RIP = temp_RIP
EXIT
}
ELSE // (CPL > temp_CPL), changing privilege level
{
CPL = temp_CPL

temp_SS_desc:temp_RSP = READ_INNER_LEVEL_STACK_POINTER
(CPL, temp_idt_desc.ist)

IF (LONG_MODE)
temp_RSP = temp_RSP AND 0xFFFFFFFFFFFFFFF0
// in long mode, interrupts/exceptions align rsp
// to a 16-byte boundary

RSP.q = temp_RSP
SS = temp_SS_desc

PUSH.v old_SS // #SS on the following pushes uses SS.sel as error code
PUSH.v old_RSP
PUSH.v old_RFLAGS
PUSH.v old_CS
PUSH.v next_RIP

IF ((64BIT_MODE) && (temp_RIP is non-canonical)

|| (!64BIT_MODE) && (temp_RIP > CS.limit))
EXCEPTION [#GP(0)]

RFLAGS.VM,NT,TF,RF cleared
RFLAGS.IF cleared if interrupt gate
RIP = temp_RIP
EXIT
}

124 INT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

INT_N_VIRTUAL:

temp_int_n_vector = byte-sized interrupt vector specified in the instruction,

zero-extended to 64 bits

IF (CR4.VME=0) // vme isn’t enabled

{
IF (RFLAGS.IOPL=3)
INT_N_VIRTUAL_TO_PROTECTED
ELSE
EXCEPTION [#GP(0)]
}

temp_IRB_BASE = READ_MEM.w [tss:102] - 32

// check the vme Int-n Redirection Bitmap (IRB), to see
// if we should redirect this interrupt to a virtual-mode
// handler
temp_VME_REDIRECTION_BIT = READ_BIT_ARRAY ([tss:temp_IRB_BASE],
temp_int_n_vector)

IF (temp_VME_REDIRECTION_BIT=1)
{ // the virtual-mode int-n bitmap bit is set, so don’t
// redirect this interrupt
IF (RFLAGS.IOPL=3)
INT_N_VIRTUAL_TO_PROTECTED
ELSE
EXCEPTION [#GP(0)]
}
ELSE // redirect interrupt through virtual-mode idt
{
temp_RIP = READ_MEM.w [0:temp_int_n_vector*4]
// read target CS:RIP from the virtual-mode idt at
// linear address 0
temp_CS = READ_MEM.w [0:temp_int_n_vector*4+2]

IF (RFLAGS.IOPL < 3)
old_RFLAGS = old_RFLAGS with VIF bit shifted into IF bit, and IOPL = 3

PUSH.w old_RFLAGS
PUSH.w old_CS
PUSH.w next_RIP

CS.sel = temp_CS
CS.base = temp_CS SHL 4

RFLAGS.TF,RF cleared
RIP = temp_RIP // RFLAGS.IF cleared if IOPL = 3
// RFLAGS.VIF cleared if IOPL < 3
EXIT
}

Instruction Reference INT 125

AMD64 Technology 24594—Rev. 3.14—September 2007

INT_N_VIRTUAL_TO_PROTECTED:

temp_idt_desc = READ_IDT (temp_int_n_vector)

IF (temp_idt_desc.attr.type = ’taskgate’)
TASK_SWITCH // using tss selector in the task gate as the target tss

IF ((temp_idt_desc.attr.type = ’intgate32’)
|| (temp_idt_desc.attr.type = ’trapgate32’))
// the size of the gate controls the size of the stack pushes
V=4-byte // legacy mode, using a 32-bit gate
ELSE // gate is intgate16 or trapgate16
V=2-byte // legacy mode, using a 16-bit gate

temp_RIP = temp_idt_desc.offset
CS = READ_DESCRIPTOR (temp_idt_desc.segment, intcs_chk)

IF (CS.attr.dpl!=0) // Handler must run at CPL 0.

EXCEPTION [#GP(CS.sel)]

CPL = 0

temp_ist = 0 // Legacy mode doesn’t use ist pointers

temp_SS_desc:temp_RSP = READ_INNER_LEVEL_STACK_POINTER (CPL, temp_ist)

RSP.q = temp_RSP
SS = temp_SS_desc

PUSH.v old_GS // #SS on the following pushes use SS.sel as error code.
PUSH.v old_FS
PUSH.v old_DS
PUSH.v old_ES
PUSH.v old_SS
PUSH.v old_RSP
PUSH.v old_RFLAGS // Pushed with RF clear.
PUSH.v old_CS
PUSH.v next_RIP

IF (temp_RIP > CS.limit)

EXCEPTION [#GP(0)]

DS = NULL // can’t use virtual-mode selectors in protected mode

ES = NULL // can’t use virtual-mode selectors in protected mode
FS = NULL // can’t use virtual-mode selectors in protected mode
GS = NULL // can’t use virtual-mode selectors in protected mode

RFLAGS.VM,NT,TF,RF cleared
RFLAGS.IF cleared if interrupt gate

RIP = temp_RIP
EXIT

126 INT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Related Instructions
INT 3, INTO, BOUND

rFLAGS Affected
If a task switch occurs, all flags are modified. Otherwise settings are as follows:
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M 0 M M 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
As part of a stack switch, the target stack segment selector or
X X
rSP in the TSS was beyond the TSS limit.
As part of a stack switch, the target stack segment selector in
X X the TSS was a null selector.
As part of a stack switch, the target stack segment selector’s
X X
TI bit was set, but the LDT selector was a null selector.
As part of a stack switch, the target stack segment selector in
Invalid TSS, #TS X X the TSS was beyond the limit of the GDT or LDT descriptor
(selector) table.
As part of a stack switch, the target stack segment selector in
X X the TSS contained a RPL that was not equal to its DPL.
As part of a stack switch, the target stack segment selector in
X X the TSS contained a DPL that was not equal to the CPL of the
code segment selector.
As part of a stack switch, the target stack segment selector in
X X
the TSS was not a writable segment.
Segment not
present, #NP X X The accessed code segment, interrupt gate, trap gate, task
gate, or TSS was not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical, and no stack switch occurred.
After a stack switch, a memory address exceeded the stack
X X segment limit or was non-canonical.
Stack, #SS
(selector) As part of a stack switch, the SS register was loaded with a
X X non-null segment selector and the segment was marked not
present.

Instruction Reference INT 127

AMD64 Technology 24594—Rev. 3.14—September 2007

Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded a data segment limit or was non-
X X X
canonical.
The target offset exceeded the code segment limit or was non-
X X X
General protection, canonical.
#GP X The IOPL was less than 3 and CR4.VME was 0.
IOPL was less than 3, CR4.VME was 1, and the
X corresponding bit in the VME interrupt redirection bitmap was
1.
X X X The interrupt vector was beyond the limit of IDT.
The descriptor in the IDT was not an interrupt, trap, or task
X X gate in legacy mode or not a 64-bit interrupt or trap gate in
long mode.
The DPL of the interrupt, trap, or task gate descriptor was less
X X
than the CPL.
The segment selector specified by the interrupt or trap gate
X X had its TI bit set, but the LDT selector was a null selector.
General protection,
#GP The segment descriptor specified by the interrupt or trap gate
(selector) X X
exceeded the descriptor table limit or was a null selector.
The segment descriptor specified by the interrupt or trap gate
X X was not a code segment in legacy mode, or not a 64-bit code
segment in long mode.
The DPL of the segment specified by the interrupt or trap gate
X
was greater than the CPL.
The DPL of the segment specified by the interrupt or trap gate
X pointed was not 0 or it was a conforming segment.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

128 INT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

INTO Interrupt to Overflow Vector

Checks the overflow flag (OF) in the rFLAGS register and calls the overflow exception (#OF) handler
if the OF flag is set to 1. This instruction has no effect if the OF flag is cleared to 0. The INTO
instruction detects overflow in signed number addition. See AMD64 Architecture Programmer’s
Manual Volume 1: Application Programming for more information on the OF flag.
Using this instruction in 64-bit mode generates an invalid-opcode exception.
For detailed descriptions of the steps performed by INT instructions, see the following:
• Legacy-Mode Interrupts: “Legacy Protected-Mode Interrupt Control Transfers” in Volume 2.
• Long-Mode Interrupts: “Long-Mode Interrupt Control Transfers” in Volume 2.

Mnemonic Opcode Description

Call overflow exception if the overflow flag is set.
INTO CE
(Invalid in 64-bit mode.)

Action
IF (64BIT_MODE)
EXCEPTION[#UD]
IF (RFLAGS.OF = 1) // #OF is a trap, and pushes the rIP of the instruction
EXCEPTION [#OF] // following INTO.
EXIT

Related Instructions
INT, INT 3, BOUND

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Overflow, #OF X X X The INTO instruction was executed with 0F set to 1.
Invalid opcode, #UD X Instruction was executed in 64-bit mode.

Instruction Reference INTO 129

AMD64 Technology 24594—Rev. 3.14—September 2007

Jcc Jump on Condition

Checks the status flags in the rFLAGS register and, if the flags meet the condition specified by the
condition code in the mnemonic (cc), jumps to the target instruction located at the specified relative
offset. Otherwise, execution continues with the instruction following the Jcc instruction.
Unlike the unconditional jump (JMP), conditional jump instructions have only two forms—short and
near conditional jumps. Different opcodes correspond to different forms of one instruction. For
example, the JO instruction (jump if overflow) has opcode 0Fh 80h for its near form and 70h for its
short form, but the mnemonic is the same for both forms. The only difference is that the near form has
a 16- or 32-bit relative displacement, while the short form always has an 8-bit relative displacement.
Mnemonics are provided to deal with the programming semantics of both signed and unsigned
numbers. Instructions tagged A (above) and B (below) are intended for use in unsigned integer code;
those tagged G (greater) and L (less) are intended for use in signed integer code.
If the jump is taken, the signed displacement is added to the rIP (of the following instruction) and the
result is truncated to 16, 32, or 64 bits, depending on operand size.
In 64-bit mode, the operand size defaults to 64 bits. The processor sign-extends the 8-bit or 32-bit
displacement value to 64 bits before adding it to the RIP.
These instructions cannot perform far jumps (to other code segments). To create a far-conditional-
jump code sequence corresponding to a high-level language statement like:
IF A = B THEN GOTO FarLabel

where FarLabel is located in another code segment, use the opposite condition in a conditional short
jump before an unconditional far jump. Such a code sequence might look like:
cmp A,B ; compare operands
jne NextInstr ; continue program if not equal
jmp far FarLabel ; far jump if operands are equal

NextInstr: ; continue program

For details about control-flow instructions, see “Control Transfers” in Volume 1, and “Control-
Transfer Privilege Checks” in Volume 2.

Mnemonic Opcode Description

JO rel8off 70 cb
JO rel16off 0F 80 cw Jump if overflow (OF = 1).
JO rel32off 0F 80 cd
JNO rel8off 71 cb
JNO rel16off 0F 81 cw Jump if not overflow (OF = 0).
JNO rel32off 0F 81 cd
JB rel8off 72 cb
JB rel16off 0F 82 cw Jump if below (CF = 1).
JB rel32off 0F 82 cd

130 Jcc Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

JC rel8off 72 cb
JC rel16off 0F 82 cw Jump if carry (CF = 1).
JC rel32off 0F 82 cd
JNAE rel8off 72 cb
JNAE rel16off 0F 82 cw Jump if not above or equal (CF = 1).
JNAE rel32off 0F 82 cd
JNB rel8off 73 cb
JNB rel16off 0F 83 cw Jump if not below (CF = 0).
JNB rel32off 0F 83 cd
JNC rel8off 73 cb
JNC rel16off 0F 83 cw Jump if not carry (CF = 0).
JNC rel32off 0F 83 cd
JAE rel8off 73 cb
JAE rel16off 0F 83 cw Jump if above or equal (CF = 0).
JAE rel32off 0F 83 cd
JZ rel8off 74 cb
JZ rel16off 0F 84 cw Jump if zero (ZF = 1).
JZ rel32off 0F 84 cd
JE rel8off 74 cb
JE rel16off 0F 84 cw Jump if equal (ZF = 1).
JE rel32off 0F 84 cd
JNZ rel8off 75 cb
JNZ rel16off 0F 85 cw Jump if not zero (ZF = 0).
JNZ rel32off 0F 85 cd
JNE rel8off 75 cb
JNE rel16off 0F 85 cw Jump if not equal (ZF = 0).
JNE rel32off 0F 85 cd
JBE rel8off 76 cb
JBE rel16off 0F 86 cw Jump if below or equal (CF = 1 or ZF = 1).
JBE rel32off 0F 86 cd
JNA rel8off 76 cb
JNA rel16off 0F 86 cw Jump if not above (CF = 1 or ZF = 1).
JNA rel32off 0F 86 cd
JNBE rel8off 77 cb
JNBE rel16off 0F 87 cw Jump if not below or equal (CF = 0 and ZF = 0).
JNBE rel32off 0F 87 cd
JA rel8off 77 cb
JA rel16off 0F 87 cw Jump if above (CF = 0 and ZF = 0).
JA rel32off 0F 87 cd
JS rel8off 78 cb
JS rel16off 0F 88 cw Jump if sign (SF = 1).
JS rel32off 0F 88 cd
JNS rel8off 79 cb
JNS rel16off 0F 89 cw Jump if not sign (SF = 0).
JNS rel32off 0F 89 cd

Instruction Reference Jcc 131

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

JP rel8off 7A cb
JP rel16off 0F 8A cw Jump if parity (PF = 1).
JP rel32off 0F 8A cd
JPE rel8off 7A cb
JPE rel16off 0F 8A cw Jump if parity even (PF = 1).
JPE rel32off 0F 8A cd
JNP rel8off 7B cb
JNP rel16off 0F 8B cw Jump if not parity (PF = 0).
JNP rel32off 0F 8B cd
JPO rel8off 7B cb
JPO rel16off 0F 8B cw Jump if parity odd (PF = 0).
JPO rel32off 0F 8B cd
JL rel8off 7C cb
JL rel16off 0F 8C cw Jump if less (SF <> OF).
JL rel32off 0F 8C cd
JNGE rel8off 7C cb
JNGE rel16off 0F 8C cw Jump if not greater or equal (SF <> OF).
JNGE rel32off 0F 8C cd
JNL rel8off 7D cb
JNL rel16off 0F 8D cw Jump if not less (SF = OF).
JNL rel32off 0F 8D cd
JGE rel8off 7D cb
JGE rel16off 0F 8D cw Jump if greater or equal (SF = OF).
JGE rel32off 0F 8D cd
JLE rel8off 7E cb
JLE rel16off 0F 8E cw Jump if less or equal (ZF = 1 or SF <> OF).
JLE rel32off 0F 8E cd
JNG rel8off 7E cb
JNG rel16off 0F 8E cw Jump if not greater (ZF = 1 or SF <> OF).
JNG rel32off 0F 8E cd
JNLE rel8off 7F cb
JNLE rel16off 0F 8F cw Jump if not less or equal (ZF = 0 and SF = OF).
JNLE rel32off 0F 8F cd
JG rel8off 7F cb
JG rel16off 0F 8F cw Jump if greater (ZF = 0 and SF = OF).
JG rel32off 0F 8F cd

Related Instructions
JMP (Near), JMP (Far), JrCXZ

rFLAGS Affected
None

132 Jcc Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection, The target offset exceeded the code segment limit or was non-
#GP X X X canonical.

Instruction Reference Jcc 133

AMD64 Technology 24594—Rev. 3.14—September 2007

JCXZ Jump if rCX Zero

JECXZ
JRCXZ
Checks the contents of the count register (rCX) and, if 0, jumps to the target instruction located at the
specified 8-bit relative offset. Otherwise, execution continues with the instruction following the
JrCXZ instruction.
The size of the count register (CX, ECX, or RCX) depends on the address-size attribute of the JrCXZ
instruction. Therefore, JRCXZ can only be executed in 64-bit mode and JCXZ cannot be executed in
64-bit mode.
If the jump is taken, the signed displacement is added to the rIP (of the following instruction) and the
result is truncated to 16, 32, or 64 bits, depending on operand size.
In 64-bit mode, the operand size defaults to 64 bits. The processor sign-extends the 8-bit displacement
value to 64 bits before adding it to the RIP.
For details about control-flow instructions, see “Control Transfers” in Volume 1, and “Control-
Transfer Privilege Checks” in Volume 2.

Mnemonic Opcode Description

JCXZ rel8off E3 cb Jump short if the 16-bit count register (CX) is zero.
JECXZ rel8off E3 cb Jump short if the 32-bit count register (ECX) is zero.
JRCXZ rel8off E3 cb Jump short if the 64-bit count register (RCX) is zero.

Related Instructions
Jcc, JMP (Near), JMP (Far)

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection, The target offset exceeded the code segment limit or was non-
X X X
#GP canonical

134 JrCXZ Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

JMP (Near) Near Jump

Unconditionally transfers control to a new address without saving the current rIP value. This form of
the instruction jumps to an address in the current code segment and is called a near jump. The target
operand can specify a register, a memory location, or a label.
If the JMP target is specified in a register or memory location, then a 16-, 32-, or 64-bit rIP is read from
the operand, depending on operand size. This rIP is zero-extended to 64 bits.
If the JMP target is specified by a displacement in the instruction, the signed displacement is added to
the rIP (of the following instruction), and the result is truncated to 16, 32, or 64 bits depending on
operand size. The signed displacement can be 8 bits, 16 bits, or 32 bits, depending on the opcode and
the operand size.
For near jumps in 64-bit mode, the operand size defaults to 64 bits. The E9 opcode results in RIP = RIP
+ 32-bit signed displacement, and the FF /4 opcode results in RIP = 64-bit offset from register or
memory. No prefix is available to encode a 32-bit operand size in 64-bit mode.
See JMP (Far) for information on far jumps—jumps to procedures located outside of the current code
segment. For details about control-flow instructions, see “Control Transfers” in Volume 1, and
“Control-Transfer Privilege Checks” in Volume 2.

Mnemonic Opcode Description

Short jump with the target specified by an 8-bit signed
JMP rel8off EB cb
displacement.
Near jump with the target specified by a 16-bit signed
JMP rel16off E9 cw
displacement.
Near jump with the target specified by a 32-bit signed
JMP rel32off E9 cd
displacement.
JMP reg/mem16 FF /4 Near jump with the target specified reg/mem16.
Near jump with the target specified reg/mem32.
JMP reg/mem32 FF /4
(No prefix for encoding in 64-bit mode.)
JMP reg/mem64 FF /4 Near jump with the target specified reg/mem64.

Related Instructions
JMP (Far), Jcc, JrCX

rFLAGS Affected
None.

Instruction Reference JMP (Near) 135

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
The target offset exceeded the code segment limit or was non-
#GP X X X
canonical.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

136 JMP (Near) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

JMP (Far) Far Jump

Unconditionally transfers control to a new address without saving the current CS:rIP values. This form
of the instruction jumps to an address outside the current code segment and is called a far jump. The
operand specifies a target selector and offset.
The target operand can be specified by the instruction directly, by containing the far pointer in the jmp
far opcode itself, or indirectly, by referencing a far pointer in memory. In 64-bit mode, only indirect far
jumps are allowed, executing a direct far jmp (opcode EA) will generate an undefined opcode
exception. For both direct and indirect far calls, if the JMP (Far) operand-size is 16 bits, the
instruction's operand is a 16-bit selector followed by a 16-bit offset. If the operand-size is 32 or 64 bits,
the operand is a 16-bit selector followed by a 32-bit offset.
In all modes, the target selector used by the instruction can be a code selector. Additionally, the target
selector can also be a call gate in protected mode, or a task gate or TSS selector in legacy protected
mode.
• Target is a code segment—Control is transferred to the target CS:rIP. In this case, the target offset
can only be a 16 or 32 bit value, depending on operand-size, and is zero-extended to 64 bits. No
CPL change is allowed.
• Target is a call gate—The call gate specifies the actual target code segment and offset, and control
is transferred to the target CS:rIP. When jumping through a call gate, the size of the target rIP is 16,
32, or 64 bits, depending on the size of the call gate. If the target rIP is less than 64 bits, it's zero-
extended to 64 bits. In long mode, only 64-bit call gates are allowed, and they must point to 64-bit
code segments. No CPL change is allowed.
• Target is a task gate or a TSS—If the mode is legacy protected mode, then a task switch occurs. See
“Hardware Task-Management in Legacy Mode” in volume 2 for details about task switches.
Hardware task switches are not supported in long mode.
See JMP (Near) for information on near jumps—jumps to procedures located inside the current code
segment. For details about control-flow instructions, see “Control Transfers” in Volume 1, and
“Control-Transfer Privilege Checks” in Volume 2.

Mnemonic Opcode Description

Far jump direct, with the target specified by a far pointer
JMP FAR pntr16:16 EA cd
contained in the instruction. (Invalid in 64-bit mode.)
Far jump direct, with the target specified by a far pointer
JMP FAR pntr16:32 EA cp
contained in the instruction. (Invalid in 64-bit mode.)
Far jump indirect, with the target specified by a far
JMP FAR mem16:16 FF /5
pointer in memory.

JMP FAR mem16:32 FF /5 Far jump indirect, with the target specified by a far
pointer in memory.

Instruction Reference JMP (Far) 137

AMD64 Technology 24594—Rev. 3.14—September 2007

Action
// Far jumps (JMPF)
// See “Pseudocode Definitions” on page 41.

JMPF_START:

IF (REAL_MODE)
JMPF_REAL_OR_VIRTUAL
ELSIF (PROTECTED_MODE)
JMPF_PROTECTED
ELSE // (VIRTUAL_MODE)
JMPF_REAL_OR_VIRTUAL

JMPF_REAL_OR_VIRTUAL:

IF (OPCODE = jmpf [mem]) //JMPF Indirect

{
temp_RIP = READ_MEM.z [mem]
temp_CS = READ_MEM.w [mem+Z]
}
ELSE // (OPCODE = jmpf direct)
{
temp_RIP = z-sized offset specified in the instruction,
zero-extended to 64 bits
temp_CS = selector specified in the instruction
}

IF (temp_RIP>CS.limit)
EXCEPTION [#GP(0)]

CS.sel = temp_CS
CS.base = temp_CS SHL 4
RIP = temp_RIP
EXIT

JMPF_PROTECTED:
IF (OPCODE = jmpf [mem]) // JMPF Indirect
{
temp_offset = READ_MEM.z [mem]
temp_sel = READ_MEM.w [mem+Z]
}
ELSE // (OPCODE = jmpf direct)
{
IF (64BIT_MODE)
EXCEPTION [#UD] // ’jmpf direct’ is illegal in 64-bit mode

temp_offset = z-sized offset specified in the instruction,

zero-extended to 64 bits
temp_sel = selector specified in the instruction
}

138 JMP (Far) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

temp_desc = READ_DESCRIPTOR (temp_sel, cs_chk)

// read descriptor, perform protection and type checks

IF (temp_desc.attr.type = ’available_tss’)
TASK_SWITCH // using temp_sel as the target tss selector
ELSIF (temp_desc.attr.type = ’taskgate’)
TASK_SWITCH // using the tss selector in the task gate as the
// target tss
ELSIF (temp_desc.attr.type = ’code’)
// if the selector refers to a code descriptor, then
// the offset we read is the target RIP
{
temp_RIP = temp_offset
CS = temp_desc
IF ((!64BIT_MODE) && (temp_RIP > CS.limit))
// temp_RIP can’t be non-canonical because
// it’s a 16- or 32-bit offset, zero-extended to 64 bits
{
EXCEPTION [#GP(0)]
}
RIP = temp_RIP
EXIT
}
ELSE
{
// (temp_desc.attr.type = ’callgate’)
// if the selector refers to a call gate, then
// the target CS and RIP both come from the call gate
temp_RIP = temp_desc.offset

IF (LONG_MODE)
{
// in long mode, we need to read the 2nd half of a 16-byte call-gate
// from the gdt/ldt to get the upper 32 bits of the target RIP
temp_upper = READ_MEM.q [temp_sel+8]
IF (temp_upper’s extended attribute bits != 0)
EXCEPTION [#GP(temp_sel)] // Make sure the extended
// attribute bits are all zero.

temp_RIP = tempRIP + (temp_upper SHL 32)

// concatenate both halves of RIP
}
CS = READ_DESCRIPTOR (temp_desc.segment, clg_chk)
// set up new CS base, attr, limits
IF ((64BIT_MODE) && (temp_RIP is non-canonical)
|| (!64BIT_MODE) && (temp_RIP > CS.limit))
EXCEPTION [#GP(0)]
RIP = temp_RIP
EXIT
}

Instruction Reference JMP (Far) 139

AMD64 Technology 24594—Rev. 3.14—September 2007

Related Instructions
JMP (Near), Jcc, JrCX

rFLAGS Affected
None, unless a task switch occurs, in which case all flags are modified.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
X X X The far JUMP indirect opcode (FF /5) had a register operand.
Invalid opcode, #UD The far JUMP direct opcode (EA) was executed in 64-bit
X
mode.
Segment not The accessed code segment, call gate, task gate, or TSS was
present, #NP X
not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection, The target offset exceeded the code segment limit or was non-
#GP X X X
canonical.
X A null data segment was used to reference memory.

140 JMP (Far) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Virtual
Exception Real 8086 Protected Cause of Exception
X The target code segment selector was a null selector.
A code, call gate, task gate, or TSS descriptor exceeded the
X
descriptor table limit.
A segment selector’s TI bit was set, but the LDT selector was
X
a null selector.
The segment descriptor specified by the instruction was not a
code segment, task gate, call gate or available TSS in legacy
X
mode, or not a 64-bit code segment or a 64-bit call gate in long
mode.
The RPL of the non-conforming code segment selector
X specified by the instruction was greater than the CPL, or its
DPL was not equal to the CPL.
The DPL of the conforming code segment descriptor specified
X by the instruction was greater than the CPL.
General protection,
#GP
The DPL of the callgate, taskgate, or TSS descriptor specified
(selector) X by the instruction was less than the CPL or less than its own
RPL.
The segment selector specified by the call gate or task gate
X
was a null selector.
The segment descriptor specified by the call gate was not a
X code segment in legacy mode or not a 64-bit code segment in
long mode.

X The DPL of the segment descriptor specified the call gate was
greater than the CPL and it is a conforming segment.
The DPL of the segment descriptor specified by the callgate
X
was not equal to the CPL and it is a non-conforming segment.
X The 64-bit call gate’s extended attribute bits were not zero.
X The TSS descriptor was found in the LDT.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference JMP (Far) 141

AMD64 Technology 24594—Rev. 3.14—September 2007

LAHF Load Status Flags into AH Register

Loads the lower 8 bits of the rFLAGS register, including sign flag (SF), zero flag (ZF), auxiliary carry
flag (AF), parity flag (PF), and carry flag (CF), into the AH register.
The instruction sets the reserved bits 1, 3, and 5 of the rFLAGS register to 1, 0, and 0, respectively, in
the AH register.
The LAHF instruction can only be executed in 64-bit mode if supported by the processor
implementation. Check the status of ECX bit 0 returned by CPUID function 8000_0001h to verify that
the processor supports LAHF in 64-bit mode.

Mnemonic Opcode Description

Load the SF, ZF, AF, PF, and CF flags into the AH
LAHF 9F
register.

Related Instructions
SAHF

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
This instruction is not supported in 64-bit mode, as indicated
Invalid opcode, #UD X
by ECX bit 0 returned by CPUID function 8000_0001h.

142 LAHF Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LDS Load Far Pointer

LES
LFS
LGS
LSS
Loads a far pointer from a memory location (second operand) into a segment register (mnemonic) and
general-purpose register (first operand). The instruction stores the 16-bit segment selector of the
pointer into the segment register and the 16-bit or 32-bit offset portion into the general-purpose
register. The operand-size attribute determines whether the pointer is 32-bit or 48-bit.
These instructions load associated segment-descriptor information into the hidden portion of the
specified segment register.
Using LDS or LES in 64-bit mode generates an invalid-opcode exception.
Executing LFS, LGS, or LSS with a 64-bit operand size only loads a 32-bit general purpose register
and the specified segment register.

Mnemonic Opcode Description

Load DS:reg16 with a far pointer from memory.
LDS reg16, mem16:16 C5 /r
(Invalid in 64-bit mode.)
Load DS:reg32 with a far pointer from memory.
LDS reg32, mem16:32 C5 /r
(Invalid in 64-bit mode.)
Load ES:reg16 with a far pointer from memory.
LES reg16, mem16:16 C4 /r
(Invalid in 64-bit mode.)
Load ES:reg32 with a far pointer from memory.
LES reg32, mem16:32 C4 /r
(Invalid in 64-bit mode.)
LFS reg16, mem16:16 0F B4 /r Load FS:reg16 with a far pointer from memory.
LFS reg32, mem16:32 0F B4 /r Load FS:reg32 with a far pointer from memory.
LGS reg16, mem16:16 0F B5 /r Load GS:reg16 with a far pointer from memory.
LGS reg32, mem16:32 0F B5 /r Load GS:reg32 with a far pointer from memory.
LSS reg16, mem16:16 0F B2 /r Load SS:reg16 with a far pointer from memory.
LSS reg32, mem16:32 0F B2 /r Load SS:reg32 with a far pointer from memory.

Related Instructions
None

rFLAGS Affected
None

Instruction Reference LxS 143

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
X X X The source operand was a register.
Invalid opcode, #UD
X LDS or LES was executed in 64-bit mode.
Segment not
The DS, ES, FS, or GS register was loaded with a non-null
present, #NP X
segment selector and the segment was marked not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
Stack, #SS X The SS register was loaded with a non-null segment selector
(selector) and the segment was marked not present.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
A segment register was loaded, but the segment descriptor
X exceeded the descriptor table limit.
A segment register was loaded and the segment selector’s TI
X
bit was set, but the LDT selector was a null selector.
The SS register was loaded with a null segment selector in
X
non-64-bit mode or while CPL = 3.
General protection, The SS register was loaded and the segment selector RPL
X
#GP and the segment descriptor DPL were not equal to the CPL.
(selector)
X The SS register was loaded and the segment pointed to was
not a writable data segment.
The DS, ES, FS, or GS register was loaded and the segment
X pointed to was a data or non-conforming code segment, but
the RPL or CPL was greater than the DPL.

X The DS, ES, FS, or GS register was loaded and the segment
pointed to was not a data segment or readable code segment.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

144 LxS Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LEA Load Effective Address

Computes the effective address of a memory location (second operand) and stores it in a general-
purpose register (first operand).
The address size of the memory location and the size of the register determine the specific action taken
by the instruction, as follows:
• If the address size and the register size are the same, the instruction stores the effective address as
computed.
• If the address size is longer than the register size, the instruction truncates the effective address to
the size of the register.
• If the address size is shorter than the register size, the instruction zero-extends the effective address
to the size of the register.
If the second operand is a register, an undefined-opcode exception occurs.
The LEA instruction is related to the MOV instruction, which copies data from a memory location to a
register, but LEA takes the address of the source operand, whereas MOV takes the contents of the
memory location specified by the source operand. In the simplest cases, LEA can be replaced with
MOV. For example:
lea eax, [ebx]

has the same effect as:

mov eax, ebx

However, LEA allows software to use any valid ModRM and SIB addressing mode for the source
operand. For example:
lea eax, [ebx+edi]

loads the sum of the EBX and EDI registers into the EAX register. This could not be accomplished by
a single MOV instruction.
The LEA instruction has a limited capability to perform multiplication of operands in general-purpose
registers using scaled-index addressing. For example:
lea eax, [ebx+ebx*8]

loads the value of the EBX register, multiplied by 9, into the EAX register. Possible values of
multipliers are 2, 4, 8, 3, 5, and 9.
The LEA instruction is widely used in string-processing and array-processing to initialize an index
register (rSI or rDI) before performing string instructions such as MOVSx. It is also used to initialize
the rBX register before performing the XLAT instruction in programs that perform character
translations. In data structures, the LEA instruction can calculate addresses of operands stored in
memory, and in particular, addresses of array or string elements.

Instruction Reference LEA 145

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

LEA reg16, mem 8D /r Store effective address in a 16-bit register.
LEA reg32, mem 8D /r Store effective address in a 32-bit register.
LEA reg64, mem 8D /r Store effective address in a 64-bit register.

Related Instructions
MOV

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X The source operand was a register.

146 LEA Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LEAVE Delete Procedure Stack Frame

Releases a stack frame created by a previous ENTER instruction. To release the frame, it copies the
frame pointer (in the rBP register) to the stack pointer register (rSP), and then pops the old frame
pointer from the stack into the rBP register, thus restoring the stack frame of the calling procedure.
The 32-bit LEAVE instruction is equivalent to the following 32-bit operation:
MOV ESP,EBP
POP EBP

To return program control to the calling procedure, execute a RET instruction after the LEAVE
instruction.
In 64-bit mode, the LEAVE operand size defaults to 64 bits, and there is no prefix available for
encoding a 32-bit operand size.

Mnemonic Opcode Description

Set the stack pointer register SP to the value in the BP
LEAVE C9
register and pop BP.
Set the stack pointer register ESP to the value in the
LEAVE C9 EBP register and pop EBP.
(No prefix for encoding this in 64-bit mode.)
Set the stack pointer register RSP to the value in the
LEAVE C9
RBP register and pop RBP.

Related Instructions
ENTER

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference LEAVE 147

AMD64 Technology 24594—Rev. 3.14—September 2007

LFENCE Load Fence

Acts as a barrier to force strong memory ordering (serialization) between load instructions preceding
the LFENCE and load instructions that follow the LFENCE. Loads from differing memory types may
be performed out of order, in particular between WC/WC+ and other memory types. The LFENCE
instruction assures that the system completes all previous loads before executing subsequent loads.
The LFENCE instruction is weakly-ordered with respect to store instructions, data and instruction
prefetches, and the SFENCE instruction. Speculative loads initiated by the processor, or specified
explicitly using cache-prefetch instructions, can be reordered around an LFENCE.
In addition to load instructions, the LFENCE instruction is strongly ordered with respect to other
LFENCE instructions, MFENCE instructions, and serializing instructions. Further details on the use
of MFENCE to order accesses among differing memory types may be found in AMD64 Architecture
Programmer’s Manual Volume 2: System Programming, section 7.4 “Memory Types” on page 170.
Support for the LFENCE instruction is indicated when the SSE2 bit (bit 26) is set to 1 in EDX after
executing CPUID function 0000_0001h.

Mnemonic Opcode Description

LFENCE 0F AE E8 Force strong ordering of (serialize) load operations.

Related Instructions
MFENCE, SFENCE

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The LFENCE instruction is not supported as indicated by EDX
Invalid opcode, #UD X X X
bit 26 of CPUID function 0000_0001h.

148 LFENCE Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LODS Load String

LODSB
LODSW
LODSD
LODSQ
Copies the byte, word, doubleword, or quadword in the memory location pointed to by the DS:rSI
registers to the AL, AX, EAX, or RAX register, depending on the size of the operand, and then
increments or decrements the rSI register according to the state of the DF flag in the rFLAGS register.
If the DF flag is 0, the instruction increments rSI; otherwise, it decrements rSI. It increments or
decrements rSI by 1, 2, 4, or 8, depending on the number of bytes being loaded.
The forms of the LODS instruction with an explicit operand address the operand at seg:[rSI]. The
value of seg defaults to the DS segment, but may be overridden by a segment prefix. The explicit
operand serves only to specify the type (size) of the value being copied and the specific registers used.
The no-operands forms of the instruction always use the DS:[rSI] registers to point to the value to be
copied (they do not allow a segment prefix). The mnemonic determines the size of the operand and the
specific registers used.
The LODSx instructions support the REP prefixes. For details about the REP prefixes, see “Repeat
Prefixes” on page 9. More often, software uses the LODSx instruction inside a loop controlled by a
LOOPcc instruction as a more efficient replacement for instructions like:
mov eax, dword ptr ds:[esi]
add esi, 4

The LODSQ instruction can only be used in 64-bit mode.

Mnemonic Opcode Description

Load byte at DS:rSI into AL and then increment or
LODS mem8 AC
decrement rSI.
Load word at DS:rSI into AX and then increment or
LODS mem16 AD
decrement rSI.
Load doubleword at DS:rSI into EAX and then
LODS mem32 AD
increment or decrement rSI.
Load quadword at DS:rSI into RAX and then increment
LODS mem64 AD
or decrement rSI.

LODSB AC Load byte at DS:rSI into AL and then increment or

decrement rSI.
Load the word at DS:rSI into AX and then increment or
LODSW AD
decrement rSI.

Instruction Reference LODSx 149

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Load doubleword at DS:rSI into EAX and then
LODSD AD
increment or decrement rSI.

LODSQ AD Load quadword at DS:rSI into RAX and then increment

or decrement rSI.

Related Instructions
MOVSx, STOSx

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

150 LODSx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LOOP Loop
LOOPE
LOOPNE
LOOPNZ
LOOPZ
Decrements the count register (rCX) by 1, then, if rCX is not 0 and the ZF flag meets the condition
specified by the mnemonic, it jumps to the target instruction specified by the signed 8-bit relative
offset. Otherwise, it continues with the next instruction after the LOOPcc instruction.
The size of the count register used (CX, ECX, or RCX) depends on the address-size attribute of the
LOOPcc instruction.
The LOOP instruction ignores the state of the ZF flag.
The LOOPE and LOOPZ instructions jump if rCX is not 0 and the ZF flag is set to 1. In other words,
the instruction exits the loop (falls through to the next instruction) if rCX becomes 0 or ZF = 0.
The LOOPNE and LOOPNZ instructions jump if rCX is not 0 and ZF flag is cleared to 0. In other
words, the instruction exits the loop if rCX becomes 0 or ZF = 1.
The LOOPcc instruction does not change the state of the ZF flag. Typically, the loop contains a
compare instruction to set or clear the ZF flag.
If the jump is taken, the signed displacement is added to the rIP (of the following instruction) and the
result is truncated to 16, 32, or 64 bits, depending on operand size.
In 64-bit mode, the operand size defaults to 64 bits without the need for a REX prefix, and the
processor sign-extends the 8-bit offset before adding it to the RIP.

Mnemonic Opcode Description

LOOP rel8off E2 cb Decrement rCX, then jump short if rCX is not 0.

LOOPE rel8off E1 cb Decrement rCX, then jump short if rCX is not 0 and ZF
is 1.
Decrement rCX, then Jump short if rCX is not 0 and ZF
LOOPNE rel8off E0 cb
is 0.
Decrement rCX, then Jump short if rCX is not 0 and ZF
LOOPNZ rel8off E0 cb
is 0.
Decrement rCX, then Jump short if rCX is not 0 and ZF
LOOPZ rel8off E1 cb
is 1.

Related Instructions
None

Instruction Reference LOOPcc 151

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection, The target offset exceeded the code segment limit or was non-
X X X
#GP canonical.

152 LOOPcc Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LZCNT Count Leading Zeros

Counts the number of leading zero bits in the 16-, 32-, or 64-bit general purpose register or memory
source operand. Counting starts downward from the most significant bit and stops when the highest bit
having a value of 1 is encountered or when the least significant bit is encountered. The count is written
to the destination register.
If the input operand is zero, CF is set to 1 and the size (in bits) of the input operand is written to the
destination register. Otherwise, CF is cleared.
If the most significant bit is a one, the ZF flag is set to 1, zero is written to the destination register.
Otherwise, ZF is cleared.
Support for the LZCNT instruction is indicated by ECX bit 5 (LZCNT) as returned by CPUID
function 8000_0001h. If the LZCNT instruction is not available, the encoding is treated as the BSR
instruction. Software MUST check the CPUID bit once per program or library initialization before
using the LZCNT instruction, or inconsistent behavior may result.

Mnemonic Opcode Description

LZCNT reg16, reg/mem16 F3 0F BD /r Count the number of leading zeros in reg/mem16.

LZCNT reg32, reg/mem32 F3 0F BD /r Count the number of leading zeros in reg/mem32.

LZCNT reg64, reg/mem64 F3 0F BD /r Count the number of leading zeros in reg/mem64.

Related Instructions
BSF, BSR, POPCNT

Instruction Reference LZCNT 153

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected

ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

U U M U U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or
Stack, #SS X X X
was non-canonical.
A memory address exceeded a data segment limit or was
X X X
General protection, #GP non-canonical.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
An unaligned memory reference was performed while
Alignment check, #AC X X alignment checking was enabled.

154 LZCNT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

MFENCE Memory Fence

Acts as a barrier to force strong memory ordering (serialization) between load and store instructions
preceding the MFENCE, and load and store instructions that follow the MFENCE. The processor may
perform loads out of program order with respect to non-conflicting stores for certain memory types.
The MFENCE instruction guarantees that the system completes all previous memory accesses before
executing subsequent accesses.
The MFENCE instruction is weakly-ordered with respect to data and instruction prefetches.
Speculative loads initiated by the processor, or specified explicitly using cache-prefetch instructions,
can be reordered around an MFENCE.
In addition to load and store instructions, the MFENCE instruction is strongly ordered with respect to
other MFENCE instructions, LFENCE instructions, SFENCE instructions, serializing instructions,
and CLFLUSH instructions. Further details on the use of MFENCE to order accesses among differing
memory types may be found in AMD64 Architecture Programmer’s Manual Volume 2: System
Programming, section 7.4 “Memory Types” on page 170.
Support for the MFENCE instruction is indicated when the SSE2 bit (bit 26) is set to 1 in EDX after
executing CPUID with function 0000_0001h.

Mnemonic Opcode Description

Force strong ordering of (serialized) load and store
MFENCE 0F AE F0
operations.

Related Instructions
LFENCE, SFENCE

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The MFENCE instruction is not supported as indicated by bit
Invalid opcode, #UD X X X
26 of CPUID function 0000_0001h.

Instruction Reference MFENCE 155

AMD64 Technology 24594—Rev. 3.14—September 2007

MOV Move
Copies an immediate value or the value in a general-purpose register, segment register, or memory
location (second operand) to a general-purpose register, segment register, or memory location. The
source and destination must be the same size (byte, word, doubleword, or quadword) and cannot both
be memory locations.
In opcodes A0 through A3, the memory offsets (called moffsets) are address sized. In 64-bit mode,
memory offsets default to 64 bits. Opcodes A0–A3, in 64-bit mode, are the only cases that support a
64-bit offset value. (In all other cases, offsets and displacements are a maximum of 32 bits.) The B8
through BF (B8 +rq) opcodes, in 64-bit mode, are the only cases that support a 64-bit immediate value
(in all other cases, immediate values are a maximum of 32 bits).
When reading segment-registers with a 32-bit operand size, the processor zero-extends the 16-bit
selector results to 32 bits. When reading segment-registers with a 64-bit operand size, the processor
zero-extends the 16-bit selector to 64 bits. If the destination operand specifies a segment register (DS,
ES, FS, GS, or SS), the source operand must be a valid segment selector.
It is possible to move a null segment selector value (0000–0003h) into the DS, ES, FS, or GS register.
This action does not cause a general protection fault, but a subsequent reference to such a segment
does cause a #GP exception. For more information about segment selectors, see “Segment Selectors
and Registers” on page 67.
When the MOV instruction is used to load the SS register, the processor blocks external interrupts until
after the execution of the following instruction. This action allows the following instruction to be a
MOV instruction to load a stack pointer into the ESP register (MOV ESP,val) before an interrupt
occurs. However, the LSS instruction provides a more efficient method of loading SS and ESP.
Attempting to use the MOV instruction to load the CS register generates an invalid opcode exception
(#UD). Use the far JMP, CALL, or RET instructions to load the CS register.
To initialize a register to 0, rather than using a MOV instruction, it may be more efficient to use the
XOR instruction with identical destination and source operands.

Mnemonic Opcode Description

Move the contents of an 8-bit register to an 8-bit
MOV reg/mem8, reg8 88 /r
destination register or memory operand.
Move the contents of a 16-bit register to a 16-bit
MOV reg/mem16, reg16 89 /r
destination register or memory operand.
Move the contents of a 32-bit register to a 32-bit
MOV reg/mem32, reg32 89 /r
destination register or memory operand.
Move the contents of a 64-bit register to a 64-bit
MOV reg/mem64, reg64 89 /r
destination register or memory operand.

MOV reg8, reg/mem8 8A /r Move the contents of an 8-bit register or memory

operand to an 8-bit destination register.

156 MOV Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Move the contents of a 16-bit register or memory
MOV reg16, reg/mem16 8B /r
operand to a 16-bit destination register.

MOV reg32, reg/mem32 8B /r Move the contents of a 32-bit register or memory

operand to a 32-bit destination register.
Move the contents of a 64-bit register or memory
MOV reg64, reg/mem64 8B /r
operand to a 64-bit destination register.
Move the contents of a segment register to a 16-bit, 32-
MOV reg16/32/64/mem16,
8C /r bit, or 64-bit destination register or to a 16-bit memory
segReg
operand.
Move the contents of a 16-bit register or memory
MOV segReg, reg/mem16 8E /r
operand to a segment register.
Move 8-bit data at a specified memory offset to the AL
MOV AL, moffset8 A0
register.
Move 16-bit data at a specified memory offset to the AX
MOV AX, moffset16 A1 register.
Move 32-bit data at a specified memory offset to the
MOV EAX, moffset32 A1
EAX register.

MOV RAX, moffset64 A1 Move 64-bit data at a specified memory offset to the
RAX register.
Move the contents of the AL register to an 8-bit memory
MOV moffset8, AL A2
offset.
Move the contents of the AX register to a 16-bit memory
MOV moffset16, AX A3 offset.
Move the contents of the EAX register to a 32-bit
MOV moffset32, EAX A3
memory offset.
Move the contents of the RAX register to a 64-bit
MOV moffset64, RAX A3 memory offset.
MOV reg8, imm8 B0 +rb ib Move an 8-bit immediate value into an 8-bit register.
MOV reg16, imm16 B8 +rw iw Move a 16-bit immediate value into a 16-bit register.
MOV reg32, imm32 B8 +rd id Move an 32-bit immediate value into a 32-bit register.
MOV reg64, imm64 B8 +rq iq Move an 64-bit immediate value into a 64-bit register.
Move an 8-bit immediate value to an 8-bit register or
MOV reg/mem8, imm8 C6 /0 ib
memory operand.
Move a 16-bit immediate value to a 16-bit register or
MOV reg/mem16, imm16 C7 /0 iw
memory operand.
Move a 32-bit immediate value to a 32-bit register or
MOV reg/mem32, imm32 C7 /0 id
memory operand.

MOV reg/mem64, imm32 C7 /0 id Move a 32-bit signed immediate value to a 64-bit

register or memory operand.

Instruction Reference MOV 157

AMD64 Technology 24594—Rev. 3.14—September 2007

Related Instructions
MOV(CRn), MOV(DRn), MOVD, MOVSX, MOVZX, MOVSXD, MOVSx

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X An attempt was made to load the CS register.
Segment not
The DS, ES, FS, or GS register was loaded with a non-null
present, #NP X
segment selector and the segment was marked not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
Stack, #SS The SS register was loaded with a non-null segment selector,
X
(selector) and the segment was marked not present.

X X X A memory address exceeded a data segment limit or was non-

canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
A segment register was loaded, but the segment descriptor
X exceeded the descriptor table limit.
A segment register was loaded and the segment selector’s TI
X
bit was set, but the LDT selector was a null selector.
The SS register was loaded with a null segment selector in
X
non-64-bit mode or while CPL = 3.
General protection, X The SS register was loaded and the segment selector RPL
#GP and the segment descriptor DPL were not equal to the CPL.
(selector)
The SS register was loaded and the segment pointed to was
X not a writable data segment.
The DS, ES, FS, or GS register was loaded and the segment
X pointed to was a data or non-conforming code segment, but
the RPL or CPL was greater than the DPL.
The DS, ES, FS, or GS register was loaded and the segment
X pointed to was not a data segment or readable code segment.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

158 MOV Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

MOVD Move Doubleword or Quadword

Moves a 32-bit or 64-bit value in one of the following ways:
• from a 32-bit or 64-bit general-purpose register or memory location to the low-order 32 or 64 bits
of an XMM register, with zero-extension to 128 bits
• from the low-order 32 or 64 bits of an XMM to a 32-bit or 64-bit general-purpose register or
memory location
• from a 32-bit or 64-bit general-purpose register or memory location to the low-order 32 bits (with
zero-extension to 64 bits) or the full 64 bits of an MMX register
• from the low-order 32 or the full 64 bits of an MMX register to a 32-bit or 64-bit general-purpose
register or memory location

Mnemonic Opcode Description

Move 32-bit value from a general-purpose register or
MOVD xmm, reg/mem32 66 0F 6E /r
32-bit memory location to an XMM register.
Move 64-bit value from a general-purpose register or
MOVD xmm, reg/mem64 66 0F 6E /r
64-bit memory location to an XMM register.
Move 32-bit value from an XMM register to a 32-bit
MOVD reg/mem32, xmm 66 0F 7E /r
general-purpose register or memory location.
Move 64-bit value from an XMM register to a 64-bit
MOVD reg/mem64, xmm 66 0F 7E /r
general-purpose register or memory location.

MOVD mmx, reg/mem32 0F 6E /r Move 32-bit value from a general-purpose register or

32-bit memory location to an MMX register.
Move 64-bit value from a general-purpose register or
MOVD mmx, reg/mem64 0F 6E /r
64-bit memory location to an MMX register.
Move 32-bit value from an MMX register to a 32-bit
MOVD reg/mem32, mmx 0F 7E /r
general-purpose register or memory location.
Move 64-bit value from an MMX register to a 64-bit
MOVD reg/mem64, mmx 0F 7E /r
general-purpose register or memory location.

The diagrams in Figure 3-1 on page 160 illustrate the operation of the MOVD instruction.

Instruction Reference MOVD 159

AMD64 Technology 24594—Rev. 3.14—September 2007

xmm reg/mem32
127 32 31 0 31 0
0

xmm reg/mem64
127 64 63 0 63 0
0

with REX prefix

reg/mem32 xmm
All operations 31 0 127 32 31 0
are "copy"

reg/mem64 xmm
63 0 127 64 63 0

with REX prefix

mmx reg/mem32
63 32 31 0 31 0
0

mmx reg/mem64
63 0 63 0

with REX prefix

reg/mem32 mmx
31 0 63 32 31 0

reg/mem64 mmx
63 0 63 0

with REX prefix

movd.eps

Figure 3-1. MOVD Instruction Operation

160 MOVD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Related Instructions
MOVDQA, MOVDQU, MOVDQ2Q, MOVQ, MOVQ2DQ

rFLAGS Affected
None

MXCSR Flags Affected

None

Exceptions
Virtual
Exception Real 8086 Protected Description
The MMX instructions are not supported, as indicated
X X X
by EDX bit 23 of CPUID function 0000_0001h.
The SSE2 instructions are not supported, as indicated
X X X
Invalid opcode, #UD by EDX bit 26 of CPUID function 0000_0001.
X X X The emulate bit (EM) of CR0 was set to 1.

X X X The instruction used XMM registers while

CR4.OSFXSR=0.
Device not available,
X X X The task-switch bit (TS) of CR0 was set to 1.
#NM
A memory address exceeded the stack segment limit
Stack, #SS X X X or was non-canonical.
General protection, A memory address exceeded a data segment limit or
X X X
#GP was non-canonical.

Page fault, #PF X X A page fault resulted from the execution of the
instruction.
x87 floating-point
An x87 floating-point exception was pending and the
exception pending, X X X
instruction referenced an MMX register.
#MF

Alignment check, #AC X X An unaligned memory reference was performed while

alignment checking was enabled.

Instruction Reference MOVD 161

AMD64 Technology 24594—Rev. 3.14—September 2007

MOVMSKPD Extract Packed Double-Precision

Floating-Point Sign Mask
Moves the sign bits of two packed double-precision floating-point values in an XMM register (second
operand) to the two low-order bits of a general-purpose register (first operand) with zero-extension.
The MOVMSKPD instruction is an SSE2 instruction; Check the status of EDX bit 26 of CPUID
function 0000_0001h to verify that the processor supports this function.

Mnemonic Opcode Description

Move sign bits 127 and 63 in an XMM register to a 32-bit
MOVMSKPD reg32, xmm 66 0F 50 /r general-purpose register.

reg32 xmm

31 1 0 127 63 0
0

copy sign
copy sign

movmskpd.eps

Related Instructions
MOVMSKPS, PMOVMSKB

rFLAGS Affected
None

MXCSR Flags Affected

None

162 MOVMSKPD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Exceptions
Virtual
Exception (vector) Real 8086 Protected Cause of Exception
The SSE2 instructions are not supported, as indicated
X X X by EDX bit 26 of CPUID function 0000_0001h.
Invalid opcode, #UD The operating-system FXSAVE/FXRSTOR support bit
X X X
(OSFXSR) of CR4 was cleared to 0.
X X X The emulate bit (EM) of CR0 was set to 1.
Device not available,
X X X The task-switch bit (TS) of CR0 was set to 1.
#NM

Instruction Reference MOVMSKPD 163

AMD64 Technology 24594—Rev. 3.14—September 2007

MOVMSKPS Extract Packed Single-Precision

Floating-Point Sign Mask
Moves the sign bits of four packed single-precision floating-point values in an XMM register (second
operand) to the four low-order bits of a general-purpose register (first operand) with zero-extension.
The MOVMSKPD instruction is an SSE2 instruction; Check the status of EDX bit 26 of CPUID
function 0000_0001h to verify that the processor supports this function.

Mnemonic Opcode Description

Move sign bits 127, 95, 63, 31 in an XMM register to a
MOVMSKPS reg32, xmm 0F 50 /r 32-bit general-purpose register.

reg32 xmm

31 3 0 127 95 63 31 0
0

copy sign copy sign copy sign copy sign

movmskps.eps

Related Instructions
MOVMSKPD, PMOVMSKB

rFLAGS Affected
None

MXCSR Flags Affected

None

164 MOVMSKPS Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SSE2 instructions are not supported, as indicated
X X X by EDX bit 26 of CPUID function 1.
Invalid opcode, #UD The operating-system FXSAVE/FXRSTOR support bit
X X X
(OSFXSR) of CR4 was cleared to 0.
X X X The emulate bit (EM) of CR0 was set to 1.
Device not available,
X X X The task-switch bit (TS) of CR0 was set to 1.
#NM

Instruction Reference MOVMSKPS 165

AMD64 Technology 24594—Rev. 3.14—September 2007

MOVNTI Move Non-Temporal Doubleword or

Quadword
Stores a value in a 32-bit or 64-bit general-purpose register (second operand) in a memory location
(first operand). This instruction indicates to the processor that the data is non-temporal and is unlikely
to be used again soon. The processor treats the store as a write-combining (WC) memory write, which
minimizes cache pollution. The exact method by which cache pollution is minimized depends on the
hardware implementation of the instruction. For further information, see “Memory Optimization” in
Volume 1.
The MOVNTI instruction is weakly-ordered with respect to other instructions that operate on memory.
Software should use an SFENCE instruction to force strong memory ordering of MOVNTI with
respect to other stores.
Support for the MOVNTI instruction is indicated when the SSE2 bit (bit 26) is set to 1 in EDX after
executing CPUID function 0000_0001h.

Mnemonic Opcode Description

Stores a 32-bit general-purpose register value into a 32-
MOVNTI mem32, reg32 0F C3 /r
bit memory location, minimizing cache pollution.
Stores a 64-bit general-purpose register value into a 64-
MOVNTI mem64, reg64 0F C3 /r
bit memory location, minimizing cache pollution.

Related Instructions
MOVNTDQ, MOVNTPD, MOVNTPS, MOVNTQ

rFLAGS Affected
None

Exceptions
Virtual
Exception (vector) Real 8086 Protected Cause of Exception
The SSE2 instructions are not supported, as indicated
Invalid opcode, #UD X X X
by EDX bit 26 of CPUID function 0000_0001h.
A memory address exceeded the stack segment limit
Stack, #SS X X X
or was non-canonical.

X X X A memory address exceeded a data segment limit or

was non-canonical.
General protection, X A null data segment was used to reference memory.
#GP
The destination operand was in a non-writable
X
segment.

166 MOVNTI Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Virtual
Exception (vector) Real 8086 Protected Cause of Exception
A page fault resulted from the execution of the
Page fault, #PF X X
instruction.

Alignment check, #AC X X An unaligned memory reference was performed while

alignment checking was enabled.

Instruction Reference MOVNTI 167

AMD64 Technology 24594—Rev. 3.14—September 2007

MOVS Move String

MOVSB
MOVSW
MOVSD
MOVSQ
Moves a byte, word, doubleword, or quadword from the memory location pointed to by DS:rSI to the
memory location pointed to by ES:rDI, and then increments or decrements the rSI and rDI registers
according to the state of the DF flag in the rFLAGS register.
If the DF flag is 0, the instruction increments both pointers; otherwise, it decrements them. It
increments or decrements the pointers by 1, 2, 4, or 8, depending on the size of the operands.
The forms of the MOVSx instruction with explicit operands address the first operand at seg:[rSI]. The
value of seg defaults to the DS segment, but can be overridden by a segment prefix. These instructions
always address the second operand at ES:[rDI] (ES may not be overridden). The explicit operands
serve only to specify the type (size) of the value being moved.
The no-operands forms of the instruction use the DS:[rSI] and ES:[rDI] registers to point to the value
to be moved (they do not allow a segment prefix). The mnemonic determines the size of the operands.
Do not confuse this MOVSD instruction with the same-mnemonic MOVSD (move scalar double-
precision floating-point) instruction in the 128-bit media instruction set. Assemblers can distinguish
the instructions by the number and type of operands.
The MOVSx instructions support the REP prefixes. For details about the REP prefixes, see “Repeat
Prefixes” on page 9.

Mnemonic Opcode Description

Move byte at DS:rSI to ES:rDI, and then increment or
MOVS mem8, mem8 A4
decrement rSI and rDI.
Move word at DS:rSI to ES:rDI, and then increment or
MOVS mem16, mem16 A5
decrement rSI and rDI.
Move doubleword at DS:rSI to ES:rDI, and then
MOVS mem32, mem32 A5
increment or decrement rSI and rDI.

MOVS mem64, mem64 A5 Move quadword at DS:rSI to ES:rDI, and then increment
or decrement rSI and rDI.
Move byte at DS:rSI to ES:rDI, and then increment or
MOVSB A4
decrement rSI and rDI.
Move word at DS:rSI to ES:rDI, and then increment or
MOVSW A5
decrement rSI and rDI.

168 MOVSx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Move doubleword at DS:rSI to ES:rDI, and then
MOVSD A5
increment or decrement rSI and rDI.

MOVSQ A5 Move quadword at DS:rSI to ES:rDI, and then increment

or decrement rSI and rDI.

Related Instructions
MOV, LODSx, STOSx

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.

X X X A memory address exceeded a data segment limit or was non-

canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference MOVSx 169

AMD64 Technology 24594—Rev. 3.14—September 2007

MOVSX Move with Sign-Extension

Copies the value in a register or memory location (second operand) into a register (first operand),
extending the most significant bit of an 8-bit or 16-bit value into all higher bits in a 16-bit, 32-bit, or
64-bit register.

Mnemonic Opcode Description

Move the contents of an 8-bit register or memory
MOVSX reg16, reg/mem8 0F BE /r location to a 16-bit register with sign extension.
Move the contents of an 8-bit register or memory
MOVSX reg32, reg/mem8 0F BE /r
location to a 32-bit register with sign extension.
Move the contents of an 8-bit register or memory
MOVSX reg64, reg/mem8 0F BE /r
location to a 64-bit register with sign extension.
Move the contents of an 16-bit register or memory
MOVSX reg32, reg/mem16 0F BF /r
location to a 32-bit register with sign extension.

MOVSX reg64, reg/mem16 0F BF /r Move the contents of an 16-bit register or memory

location to a 64-bit register with sign extension.

Related Instructions
MOVSXD, MOVZX

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

170 MOVSX Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

MOVSXD Move with Sign-Extend Doubleword

Copies the 32-bit value in a register or memory location (second operand) into a 64-bit register (first
operand), extending the most significant bit of the 32-bit value into all higher bits of the 64-bit register.
This instruction requires the REX prefix 64-bit operand size bit (REX.W) to be set to 1 to sign-extend
a 32-bit source operand to a 64-bit result. Without the REX operand-size prefix, the operand size will
be 32 bits, the default for 64-bit mode, and the source is zero-extended into a 64-bit register. With a 16-
bit operand size, only 16 bits are copied, without modifying the upper 48 bits in the destination.
This instruction is available only in 64-bit mode. In legacy or compatibility mode this opcode is
interpreted as ARPL.

Mnemonic Opcode Description

Move the contents of a 32-bit register or memory
MOVSXD reg64, reg/mem32 63 /r
operand to a 64-bit register with sign extension.

Related Instructions
MOVSX, MOVZX

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Stack, #SS X A memory address was non-canonical.
General protection,
#GP X A memory address was non-canonical.

Page fault, #PF X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X
#AC alignment checking was enabled.

Instruction Reference MOVSXD 171

AMD64 Technology 24594—Rev. 3.14—September 2007

MOVZX Move with Zero-Extension

Copies the value in a register or memory location (second operand) into a register (first operand), zero-
extending the value to fit in the destination register. The operand-size attribute determines the size of
the zero-extended value.

Mnemonic Opcode Description

Move the contents of an 8-bit register or memory
MOVZX reg16, reg/mem8 0F B6 /r operand to a 16-bit register with zero-extension.
Move the contents of an 8-bit register or memory
MOVZX reg32, reg/mem8 0F B6 /r
operand to a 32-bit register with zero-extension.
Move the contents of an 8-bit register or memory
MOVZX reg64, reg/mem8 0F B6 /r
operand to a 64-bit register with zero-extension.
Move the contents of a 16-bit register or memory
MOVZX reg32, reg/mem16 0F B7 /r
operand to a 32-bit register with zero-extension.

MOVZX reg64, reg/mem16 0F B7 /r Move the contents of a 16-bit register or memory

operand to a 64-bit register with zero-extension.

Related Instructions
MOVSXD, MOVSX

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

172 MOVZX Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

MUL Unsigned Multiply

Multiplies the unsigned byte, word, doubleword, or quadword value in the specified register or
memory location by the value in AL, AX, EAX, or RAX and stores the result in AX, DX:AX,
EDX:EAX, or RDX:RAX (depending on the operand size). It puts the high-order bits of the product in
AH, DX, EDX, or RDX.
If the upper half of the product is non-zero, the instruction sets the carry flag (CF) and overflow flag
(OF) both to 1. Otherwise, it clears CF and OF to 0. The other arithmetic flags (SF, ZF, AF, PF) are
undefined.

Mnemonic Opcode Description

Multiplies an 8-bit register or memory operand by the
MUL reg/mem8 F6 /4 contents of the AL register and stores the result in the
AX register.
Multiplies a 16-bit register or memory operand by the
MUL reg/mem16 F7 /4 contents of the AX register and stores the result in the
DX:AX register.
Multiplies a 32-bit register or memory operand by the
MUL reg/mem32 F7 /4 contents of the EAX register and stores the result in the
EDX:EAX register.
Multiplies a 64-bit register or memory operand by the
MUL reg/mem64 F7 /4 contents of the RAX register and stores the result in the
RDX:RAX register.

Related Instructions
DIV

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M U U U U M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Instruction Reference MUL 173

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X X X
canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference is performed while alignment
X X
#AC checking was enabled.

174 MUL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

NEG Two’s Complement Negation

Performs the two’s complement negation of the value in the specified register or memory location by
subtracting the value from 0. Use this instruction only on signed integer numbers.
If the value is 0, the instruction clears the CF flag to 0; otherwise, it sets CF to 1. The OF, SF, ZF, AF,
and PF flag settings depend on the result of the operation.
The forms of the NEG instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Performs a two’s complement negation on an 8-bit
NEG reg/mem8 F6 /3
register or memory operand.
Performs a two’s complement negation on a 16-bit
NEG reg/mem16 F7 /3
register or memory operand.
Performs a two’s complement negation on a 32-bit
NEG reg/mem32 F7 /3
register or memory operand.
Performs a two’s complement negation on a 64-bit
NEG reg/mem64 F7 /3
register or memory operand.

Related Instructions
AND, NOT, OR, XOR

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Instruction Reference NEG 175

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand is in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

176 NEG Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

NOP No Operation
Does nothing. This one-byte instruction increments the rIP to point to next instruction in the
instruction stream, but does not affect the machine state in any other way.
The NOP instruction is an alias for XCHG rAX,rAX.

Mnemonic Opcode Description

NOP 90 Performs no operation.

Related Instructions
None

rFLAGS Affected
None

Exceptions
None

Instruction Reference NOP 177

AMD64 Technology 24594—Rev. 3.14—September 2007

NOT One’s Complement Negation

Performs the one’s complement negation of the value in the specified register or memory location by
inverting each bit of the value.
The memory-operand forms of the NOT instruction support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

NOT reg/mem8 F6 /2 Complements the bits in an 8-bit register or memory

operand.
Complements the bits in a 16-bit register or memory
NOT reg/mem16 F7 /2
operand.
Complements the bits in a 32-bit register or memory
NOT reg/mem32 F7 /2
operand.
Compliments the bits in a 64-bit register or memory
NOT reg/mem64 F7 /2 operand.

Related Instructions
AND, NEG, OR, XOR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference is performed while alignment
#AC X X checking was enabled.

178 NOT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

OR Logical OR
Performs a logical OR on the bits in a register, memory location, or immediate value (second operand)
and a register or memory location (first operand) and stores the result in the first operand location. The
two operands cannot both be memory locations.
If both corresponding bits are 0, the corresponding bit of the result is 0; otherwise, the corresponding
result bit is 1.
The forms of the OR instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

OR AL, imm8 0C ib OR the contents of AL with an immediate 8-bit value.
OR AX, imm16 0D iw OR the contents of AX with an immediate 16-bit value.
OR EAX, imm32 0D id OR the contents of EAX with an immediate 32-bit value.

OR RAX, imm32 0D id OR the contents of RAX with a sign-extended

immediate 32-bit value.
OR the contents of an 8-bit register or memory operand
OR reg/mem8, imm8 80 /1 ib
and an immediate 8-bit value.
OR the contents of a 16-bit register or memory operand
OR reg/mem16, imm16 81 /1 iw
and an immediate 16-bit value.
OR the contents of a 32-bit register or memory operand
OR reg/mem32, imm32 81 /1 id and an immediate 32-bit value.
OR the contents of a 64-bit register or memory operand
OR reg/mem64, imm32 81 /1 id
and sign-extended immediate 32-bit value.
OR the contents of a 16-bit register or memory operand
OR reg/mem16, imm8 83 /1 ib
and a sign-extended immediate 8-bit value.
OR the contents of a 32-bit register or memory operand
OR reg/mem32, imm8 83 /1 ib
and a sign-extended immediate 8-bit value.
OR the contents of a 64-bit register or memory operand
OR reg/mem64, imm8 83 /1 ib
and a sign-extended immediate 8-bit value.
OR the contents of an 8-bit register or memory operand
OR reg/mem8, reg8 08 /r
with the contents of an 8-bit register.
OR the contents of a 16-bit register or memory operand
OR reg/mem16, reg16 09 /r
with the contents of a 16-bit register.
OR the contents of a 32-bit register or memory operand
OR reg/mem32, reg32 09 /r
with the contents of a 32-bit register.
OR the contents of a 64-bit register or memory operand
OR reg/mem64, reg64 09 /r with the contents of a 64-bit register.
OR the contents of an 8-bit register with the contents of
OR reg8, reg/mem8 0A /r
an 8-bit register or memory operand.

Instruction Reference OR 179

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

OR the contents of a 16-bit register with the contents of
OR reg16, reg/mem16 0B /r
a 16-bit register or memory operand.

OR reg32, reg/mem32 0B /r OR the contents of a 32-bit register with the contents of

a 32-bit register or memory operand.
OR the contents of a 64-bit register with the contents of
OR reg64, reg/mem64 0B /r
a 64-bit register or memory operand.

The following chart summarizes the effect of this instruction:

X Y X OR Y

0 0 0

0 1 1

1 0 1

1 1 1

Related Instructions
AND, NEG, NOT, XOR

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

0 M M U M 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

180 OR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

OUT Output to Port

Copies the value from the AL, AX, or EAX register (second operand) to an I/O port (first operand).
The port address can be a byte-immediate value (00h to FFh) or the value in the DX register (0000h to
FFFFh). The source register used determines the size of the port (8, 16, or 32 bits).
If the operand size is 64 bits, OUT only writes to a 32-bit I/O port.
If the CPL is higher than the IOPL or the mode is virtual mode, OUT checks the I/O permission bitmap
in the TSS before allowing access to the I/O port. See Volume 2 for details on the TSS I/O permission
bitmap.

Mnemonic Opcode Description

Output the byte in the AL register to the port specified by
OUT imm8, AL E6 ib
an 8-bit immediate value.
Output the word in the AX register to the port specified
OUT imm8, AX E7 ib
by an 8-bit immediate value.
Output the doubleword in the EAX register to the port
OUT imm8, EAX E7 ib
specified by an 8-bit immediate value.
OUT DX, AL EE Output byte in AL to the output port specified in DX.
OUT DX, AX EF Output word in AX to the output port specified in DX.
Output doubleword in EAX to the output port specified in
OUT DX, EAX EF
DX.

Related Instructions
IN, INSx, OUTSx

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
One or more I/O permission bits were set in the TSS for the
X
General protection, accessed port.
#GP The CPL was greater than the IOPL and one or more I/O
X
permission bits were set in the TSS for the accessed port.
Page fault (#PF) X X A page fault resulted from the execution of the instruction.

Instruction Reference OUT 181

AMD64 Technology 24594—Rev. 3.14—September 2007

OUTS Output String

OUTSB
OUTSW
OUTSD
Copies data from the memory location pointed to by DS:rSI to the I/O port address (0000h to FFFFh)
specified in the DX register, and then increments or decrements the rSI register according to the setting
of the DF flag in the rFLAGS register.
If the DF flag is 0, the instruction increments rSI; otherwise, it decrements rSI. It increments or
decrements the pointer by 1, 2, or 4, depending on the size of the value being copied.
The OUTSx instruction uses an explicit memory operand (second operand) to determine the type (size)
of the value being copied, but always uses DS:rSI for the location of the value to copy. The explicit
register operand specifies the I/O port address and must always be DX.
The no-operands forms of the instruction use the DS:[rSI] register pair to point to the data to be copied
and the DX register as the destination. The mnemonic specifies the size of the I/O port and the type
(size) of the value being copied.
The OUTSx instruction supports the REP prefix. For details about the REP prefix, see “Repeat
Prefixes” on page 9.
If the operand size is 64-bits, OUTS only writes to a 32-bit I/O port.
If the CPL is higher than the IOPL or the mode is virtual mode, OUTSx checks the I/O permission
bitmap in the TSS before allowing access to the I/O port. See Volume 2 for details on the TSS I/O
permission bitmap.

Mnemonic Opcode Description

Output the byte in DS:rSI to the port specified in DX,
OUTS DX, mem8 6E
then increment or decrement rSI.
Output the word in DS:rSI to the port specified in DX,
OUTS DX, mem16 6F
then increment or decrement rSI.
Output the doubleword in DS:rSI to the port specified in
OUTS DX, mem32 6F
DX, then increment or decrement rSI.
Output the byte in DS:rSI to the port specified in DX,
OUTSB 6E
then increment or decrement rSI.

OUTSW 6F Output the word in DS:rSI to the port specified in DX,

then increment or decrement rSI.
Output the doubleword in DS:rSI to the port specified in
OUTSD 6F
DX, then increment or decrement rSI.

182 OUTSx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Related Instructions
IN, INSx, OUT

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
X A null data segment was used to reference memory.
General protection,
#GP One or more I/O permission bits were set in the TSS for the
X
accessed port.
The CPL was greater than the IOPL and one or more I/O
X
permission bits were set in the TSS for the accessed port.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference is performed while alignment
#AC X X checking was enabled.

Instruction Reference OUTSx 183

AMD64 Technology 24594—Rev. 3.14—September 2007

PAUSE Pause
Improves the performance of spin loops, by providing a hint to the processor that the current code is in
a spin loop. The processor may use this to optimize power consumption while in the spin loop.
Architecturally, this instruction behaves like a NOP instruction.
Processors that do not support PAUSE treat this opcode as a NOP instruction.

Mnemonic Opcode Description

PAUSE F3 90 Provides a hint to processor that a spin loop is being

executed.

Related Instructions
None

rFLAGS Affected
None

Exceptions
None

184 PAUSE Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

POP Pop Stack

Copies the value pointed to by the stack pointer (SS:rSP) to the specified register or memory location
and then increments the rSP by 2 for a 16-bit pop, 4 for a 32-bit pop, or 8 for a 64-bit pop.
The operand-size attribute determines the amount by which the stack pointer is incremented (2, 4 or 8
bytes). The stack-size attribute determines whether SP, ESP, or RSP is incremented.
For forms of the instruction that load a segment register (POP DS, POP ES, POP FS, POP GS, POP
SS), the source operand must be a valid segment selector. When a segment selector is popped into a
segment register, the processor also loads all associated descriptor information into the hidden part of
the register and validates it.
It is possible to pop a null segment selector value (0000–0003h) into the DS, ES, FS, or GS register.
This action does not cause a general protection fault, but a subsequent reference to such a segment
does cause a #GP exception. For more information about segment selectors, see “Segment Selectors
and Registers” on page 67.
In 64-bit mode, the POP operand size defaults to 64 bits and there is no prefix available to encode a 32-
bit operand size. Using POP DS, POP ES, or POP SS instruction in 64-bit mode generates an invalid-
opcode exception.
This instruction cannot pop a value into the CS register. The RET (Far) instruction performs this
function.

Mnemonic Opcode Description

Pop the top of the stack into a 16-bit register or memory
POP reg/mem16 8F /0
location.
Pop the top of the stack into a 32-bit register or memory
POP reg/mem32 8F /0 location.
(No prefix for encoding this in 64-bit mode.)
Pop the top of the stack into a 64-bit register or memory
POP reg/mem64 8F /0
location.
POP reg16 58 +rw Pop the top of the stack into a 16-bit register.

POP reg32 58 +rd Pop the top of the stack into a 32-bit register.
(No prefix for encoding this in 64-bit mode.)
POP reg64 58 +rq Pop the top of the stack into a 64-bit register.
Pop the top of the stack into the DS register.
POP DS 1F (Invalid in 64-bit mode.)
Pop the top of the stack into the ES register.
POP ES 07
(Invalid in 64-bit mode.)

POP SS 17 Pop the top of the stack into the SS register.

(Invalid in 64-bit mode.)

Instruction Reference POP 185

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

POP FS 0F A1 Pop the top of the stack into the FS register.
POP GS 0F A9 Pop the top of the stack into the GS register.

Related Instructions
PUSH

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X POP DS, POP ES, or POP SS was executed in 64-bit mode.
Segment not The DS, ES, FS, or GS register was loaded with a non-null
present, #NP X
(selector) segment selector and the segment was marked not present.

A memory address exceeded the stack segment limit or was

Stack, #SS X X X
non-canonical.
Stack, #SS The SS register was loaded with a non-null segment selector
(selector) X and the segment was marked not present.

X X X A memory address exceeded a data segment limit or was non-

canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
A segment register was loaded and the segment descriptor
X exceeded the descriptor table limit.

X A segment register was loaded and the segment selector’s TI

bit was set, but the LDT selector was a null selector.
The SS register was loaded with a null segment selector in
X
non-64-bit mode or while CPL = 3.
General protection, X
The SS register was loaded and the segment selector RPL
#GP and the segment descriptor DPL were not equal to the CPL.
(selector)
The SS register was loaded and the segment pointed to was
X
not a writable data segment.
The DS, ES, FS, or GS register was loaded and the segment
X pointed to was a data or non-conforming code segment, but
the RPL or the CPL was greater than the DPL.
The DS, ES, FS, or GS register was loaded and the segment
X
pointed to was not a data segment or readable code segment.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

186 POP Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

POPA POP All GPRs

POPAD
Pops words or doublewords from the stack into the general-purpose registers in the following order:
eDI, eSI, eBP, eSP (image is popped and discarded), eBX, eDX, eCX, and eAX. The instruction
increments the stack pointer by 16 or 32, depending on the operand size.
Using the POPA or POPAD instructions in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

Pop the DI, SI, BP, SP, BX, DX, CX, and AX registers.
POPA 61 (Invalid in 64-bit mode.)
Pop the EDI, ESI, EBP, ESP, EBX, EDX, ECX, and EAX
POPAD 61 registers.
(Invalid in 64-bit mode.)

Related Instructions
PUSHA, PUSHAD

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode
X This instruction was executed in 64-bit mode.
(#UD)
Stack, #SS X X X A memory address exceeded the stack segment limit.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference POPAx 187

AMD64 Technology 24594—Rev. 3.14—September 2007

POPCNT Bit Population Count

Counts the number of bits having a value of 1 in the source operand and places the result in the
destination register. The source operand is a 16-, 32-, or 64-bit general purpose register or memory
operand; the destination operand is a general purpose register of the same size as the source operand
register.
If the input operand is zero, the ZF flag is set to 1 and zero is written to the destination register.
Otherwise, the ZF flag is cleared. The other flags are cleared.
Support for the POPCNT instruction is indicated by ECX bit 23 (POPCNT) as returned by CPUID
function 0000_0001h. Software MUST check the CPUID bit once per program or library initialization
before using the POPCNT instruction, or inconsistent behavior may result.

Mnemonic Opcode Description

POPCNT reg16, reg/mem16 F3 0F B8 /r Count the 1s in reg/mem16.

POPCNT reg32, reg/mem32 F3 0F B8 /r Count the 1s in reg/mem32.

POPCNT reg64, reg/mem64 F3 0F B8 /r Count the 1s in reg/mem64.

Related Instructions
BSF, BSR, LZCNT

rFLAGS Affected

ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

0 0 M 0 0 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

188 POPCNT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The POPCNT instruction is not supported, as indicated by
Invalid opcode, #UD X X X ECX bit 23 as returned by CPUID function 0000_0001h.
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.

X X X A memory address exceeded a data segment limit or was non-

General protection, canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference POPCNT 189

AMD64 Technology 24594—Rev. 3.14—September 2007

POPF POP to rFLAGS

POPFD
POPFQ
Pops a word, doubleword, or quadword from the stack into the rFLAGS register and then increments
the stack pointer by 2, 4, or 8, depending on the operand size.
In protected or real mode, all the non-reserved flags in the rFLAGS register can be modified, except
the VIP, VIF, and VM flags, which are unchanged. In protected mode, at a privilege level greater than
0 the IOPL is also unchanged. The instruction alters the interrupt flag (IF) only when the CPL is less
than or equal to the IOPL.
In virtual-8086 mode, if IOPL field is less than 3, attempting to execute a POPFx or PUSHFx
instruction while VME is not enabled, or the operand size is not 16-bit, generates a #GP exception.
In 64-bit mode, this instruction defaults to a 64-bit operand size; there is no prefix available to encode
a 32-bit operand size.

Mnemonic Opcode Description

POPF 9D Pop a word from the stack into the FLAGS register.
Pop a double word from the stack into the EFLAGS
POPFD 9D
register. (No prefix for encoding this in 64-bit mode.)
POPFQ 9D Pop a quadword from the stack to the RFLAGS register.

Action
// See “Pseudocode Definitions” on page 41.

POPF_START:

IF (REAL_MODE)
POPF_REAL
ELSIF (PROTECTED_MODE)
POPF_PROTECTED
ELSE // (VIRTUAL_MODE)
POPF_VIRTUAL

POPF_REAL:

POP.v temp_RFLAGS
RFLAGS.v = temp_RFLAGS // VIF,VIP,VM unchanged
// RF cleared
EXIT

190 POPFx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

POPF_PROTECTED:

POP.v temp_RFLAGS
RFLAGS.v = temp_RFLAGS // VIF,VIP,VM unchanged
// IOPL changed only if (CPL=0)
// IF changed only if (CPL<=old_RFLAGS.IOPL)
// RF cleared
EXIT

POPF_VIRTUAL:

IF (RFLAGS.IOPL=3)
{
POP.v temp_RFLAGS
RFLAGS.v = temp_RFLAGS // VIF,VIP,VM,IOPL unchanged
// RF cleared
EXIT
}
ELSIF ((CR4.VME=1) && (OPERAND_SIZE=16))
{
POP.w temp_RFLAGS
IF (((temp_RFLAGS.IF=1) && (RFLAGS.VIP=1)) || (temp_RFLAGS.TF=1))
EXCEPTION [#GP(0)]
// notify the virtual-mode-manager to deliver
// the task’s pending interrupts
RFLAGS.w = temp_RFLAGS // IF,IOPL unchanged
// RFLAGS.VIF=temp_RFLAGS.IF
// RF cleared
EXIT
}
ELSE // ((RFLAGS.IOPL<3) && ((CR4.VME=0) || (OPERAND_SIZE!=16)))
EXCEPTION [#GP(0)]

Related Instructions
PUSHF, PUSHFD, PUSHFQ

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M 0 M M M M M M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Instruction Reference POPFx 191

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
The I/O privilege level was less than 3 and one of the following
conditions was true:
• CR4.VME was 0.
General protection, • The effective operand size was 32-bit.
X
#GP
• Both the original EFLAGS.VIP and the new EFLAGS.IF bits
were set.
• The new EFLAGS.TF bit was set.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

192 POPFx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

PREFETCH Prefetch L1 Data-Cache Line

PREFETCHW
Loads the entire 64-byte aligned memory sequence containing the specified memory address into the
L1 data cache. The position of the specified memory address within the 64-byte cache line is
irrelevant. If a cache hit occurs, or if a memory fault is detected, no bus cycle is initiated and the
instruction is treated as a NOP.
The PREFETCHW instruction loads the prefetched line and sets the cache-line state to Modified, in
anticipation of subsequent data writes to the line. The PREFETCH instruction, by contrast, typically
sets the cache-line state to Exclusive (depending on the hardware implementation).
The opcodes for the PREFETCH/PREFETCHW instructions include the ModRM byte; however, only
the memory form of ModRM is valid. The register form of ModRM causes an invalid-opcode
exception. Because there is no destination register, the three destination register field bits of the
ModRM byte define the type of prefetch to be performed. The bit patterns 000b and 001b define the
PREFETCH and PREFETCHW instructions, respectively. All other bit patterns are reserved for future
use.
The reserved PREFETCH types do not result in an invalid-opcode exception if executed. Instead, for
forward compatibility with future processors that may implement additional forms of the PREFETCH
instruction, all reserved PREFETCH types are implemented as synonyms of the basic PREFETCH
type (the PREFETCH instruction with type 000b).
The operation of these instructions is implementation-dependent. The processor implementation can
ignore or change these instructions. The size of the cache line also depends on the implementation,
with a minimum size of 32 bytes. For details on the use of this instruction, see the processor data sheets
or other software-optimization documentation relating to particular hardware implementations.
Support for these instructions may be indicated by any of the following:
• EDX bit 31 as returned by CPUID function 8000_0001h
• EDX bit 29 as returned by CPUID function 8000_0001h
• ECX bit 8 as returned by CPUID function 8000_0001h

Mnemonic Opcode Description

PREFETCH mem8 0F 0D /0 Prefetch processor cache line into L1 data cache.
Prefetch processor cache line into L1 data cache and
PREFETCHW mem8 0F 0D /1
mark it modified.

Related Instructions
PREFETCHlevel

Instruction Reference PREFETCHx 193

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
None

Exceptions
Virtual
Exception (vector) Real 8086 Protected Cause of Exception
The PREFETCH/W instructions are not supported, as
indicated when the following bits are all clear:
• PREFETCH/PREFETCHW are not supported, as
indicated by ECX bit 8 of CPUID function
8000_0001h
X X X
Invalid opcode, #UD • Long Mode is not supported, as indicated by EDX
bit 29 of CPUID function 8000_0001h
• The 3DNow!™ instructions are not supported, as
indicated by EDX bit 31 of CPUID function
8000_0001h.
X X X The operand was a register.

194 PREFETCHx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

PREFETCHlevel Prefetch Data to Cache Level level

Loads a cache line from the specified memory address into the data-cache level specified by the
locality reference bits 5–3 of the ModRM byte. Table 3-3 on page 195 lists the locality reference
options for the instruction.
This instruction loads a cache line even if the mem8 address is not aligned with the start of the line. If
the cache line is already contained in a cache level that is lower than the specified locality reference, or
if a memory fault is detected, a bus cycle is not initiated and the instruction is treated as a NOP.
The operation of this instruction is implementation-dependent. The processor implementation can
ignore or change this instruction. The size of the cache line also depends on the implementation, with a
minimum size of 32 bytes. AMD processors alias PREFETCH1 and PREFETCH2 to PREFETCH0.
For details on the use of this instruction, see the software-optimization documentation relating to
particular hardware implementations.

Mnemonic Opcode Description

Move data closer to the processor using the NTA
PREFETCHNTA mem8 0F 18 /0
reference.
Move data closer to the processor using the T0
PREFETCHT0 mem8 0F 18 /1
reference.
Move data closer to the processor using the T1
PREFETCHT1 mem8 0F 18 /2
reference.
Move data closer to the processor using the T2
PREFETCHT2 mem8 0F 18 /3
reference.

Table 3-3. Locality References for the Prefetch Instructions

Locality
Reference Description
Non-Temporal Access—Move the specified data into the processor with
minimum cache pollution. This is intended for data that will be used only
once, rather than repeatedly. The specific technique for minimizing cache
NTA pollution is implementation-dependent and may include such techniques
as allocating space in a software-invisible buffer, allocating a cache line in
only a single way, etc. For details, see the software-optimization
documentation for a particular hardware implementation.
T0 All Cache Levels—Move the specified data into all cache levels.
Level 2 and Higher—Move the specified data into all cache levels except
T1 0th level (L1) cache.
Level 3 and Higher—Move the specified data into all cache levels except
T2
0th level (L1) and 1st level (L2) caches.

Related Instructions
PREFETCH, PREFETCHW

Instruction Reference PREFETCHlevel 195

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
None

Exceptions
None

196 PREFETCHlevel Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

PUSH Push onto Stack

Decrements the stack pointer and then copies the specified immediate value or the value in the
specified register or memory location to the top of the stack (the memory location pointed to by
SS:rSP).
The operand-size attribute determines the number of bytes pushed to the stack. The stack-size attribute
determines whether SP, ESP, or RSP is the stack pointer. The address-size attribute is used only to
locate the memory operand when pushing a memory operand to the stack.
If the instruction pushes the stack pointer (rSP), the resulting value on the stack is that of rSP before
execution of the instruction.
There is a PUSH CS instruction but no corresponding POP CS. The RET (Far) instruction pops a value
from the top of stack into the CS register as part of its operation.
In 64-bit mode, the operand size of all PUSH instructions defaults to 64 bits, and there is no prefix
available to encode a 32-bit operand size. Using the PUSH CS, PUSH DS, PUSH ES, or PUSH SS
instructions in 64-bit mode generates an invalid-opcode exception.
Pushing an odd number of 16-bit operands when the stack address-size attribute is 32 results in a
misaligned stack pointer.

Mnemonic Opcode Description

Push the contents of a 16-bit register or memory
PUSH reg/mem16 FF /6
operand onto the stack.
Push the contents of a 32-bit register or memory
PUSH reg/mem32 FF /6 operand onto the stack. (No prefix for encoding this in
64-bit mode.)
Push the contents of a 64-bit register or memory
PUSH reg/mem64 FF /6 operand onto the stack.
PUSH reg16 50 +rw Push the contents of a 16-bit register onto the stack.
Push the contents of a 32-bit register onto the stack. (No
PUSH reg32 50 +rd
prefix for encoding this in 64-bit mode.)
PUSH reg64 50 +rq Push the contents of a 64-bit register onto the stack.

PUSH imm8 6A ib Push an 8-bit immediate value (sign-extended to 16, 32,

or 64 bits) onto the stack.
PUSH imm16 68 iw Push a 16-bit immediate value onto the stack.
Push a 32-bit immediate value onto the stack. (No prefix
PUSH imm32 68 id
for encoding this in 64-bit mode.)
Push a sign-extended 32-bit immediate value onto the
PUSH imm64 68 id
stack.
Push the CS selector onto the stack. (Invalid in 64-bit
PUSH CS 0E
mode.)

Instruction Reference PUSH 197

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Push the SS selector onto the stack. (Invalid in 64-bit
PUSH SS 16
mode.)

PUSH DS 1E Push the DS selector onto the stack. (Invalid in 64-bit

mode.)
Push the ES selector onto the stack. (Invalid in 64-bit
PUSH ES 06
mode.)
PUSH FS 0F A0 Push the FS selector onto the stack.
PUSH GS 0F A8 Push the GS selector onto the stack.

Related Instructions
POP

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
PUSH CS, PUSH DS, PUSH ES, or PUSH SS was executed
Invalid opcode, #UD X
in 64-bit mode.
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.

X X X A memory address exceeded a data segment limit or was non-

General protection, canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

198 PUSH Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

PUSHA Push All GPRs onto Stack

PUSHAD
Pushes the contents of the eAX, eCX, eDX, eBX, eSP (original value), eBP, eSI, and eDI general-
purpose registers onto the stack in that order. This instruction decrements the stack pointer by 16 or 32
depending on operand size.
Using the PUSHA or PUSHAD instruction in 64-bit mode generates an invalid-opcode exception.

Mnemonic Opcode Description

Push the contents of the AX, CX, DX, BX, original SP,
PUSHA 60 BP, SI, and DI registers onto the stack.
(Invalid in 64-bit mode.)
Push the contents of the EAX, ECX, EDX, EBX, original
PUSHAD 60 ESP, EBP, ESI, and EDI registers onto the stack.
(Invalid in 64-bit mode.)

Related Instructions
POPA, POPAD

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X This instruction was executed in 64-bit mode.
Stack, #SS X X X A memory address exceeded the stack segment limit.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference PUSHAx 199

AMD64 Technology 24594—Rev. 3.14—September 2007

PUSHF Push rFLAGS onto Stack

PUSHFD
PUSHFQ
Decrements the rSP register and copies the rFLAGS register (except for the VM and RF flags) onto the
stack. The instruction clears the VM and RF flags in the rFLAGS image before putting it on the stack.
The instruction pushes 2, 4, or 8 bytes, depending on the operand size.
In 64-bit mode, this instruction defaults to a 64-bit operand size and there is no prefix available to
encode a 32-bit operand size.
In virtual-8086 mode, if system software has set the IOPL field to a value less than 3, a general-
protection exception occurs if application software attempts to execute PUSHFx or POPFx while VME
is not enabled or the operand size is not 16-bit.

Mnemonic Opcode Description

PUSHF 9C Push the FLAGS word onto the stack.
Push the EFLAGS doubleword onto stack. (No prefix
PUSHFD 9C encoding this in 64-bit mode.)
PUSHFQ 9C Push the RFLAGS quadword onto stack.

Action
// See “Pseudocode Definitions” on page 41.

PUSHF_START:
IF (REAL_MODE)
PUSHF_REAL
ELSIF (PROTECTED_MODE)
PUSHF_PROTECTED
ELSE // (VIRTUAL_MODE)
PUSHF_VIRTUAL

PUSHF_REAL:
PUSH.v old_RFLAGS // Pushed with RF and VM cleared.
EXIT

PUSHF_PROTECTED:
PUSH.v old_RFLAGS // Pushed with RF cleared.
EXIT

PUSHF_VIRTUAL:
IF (RFLAGS.IOPL=3)
{
PUSH.v old_RFLAGS // Pushed with RF,VM cleared.
EXIT
}

200 PUSHFx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

ELSIF ((CR4.VME=1) && (OPERAND_SIZE=16))

{
PUSH.v old_RFLAGS // Pushed with VIF in the IF position.
// Pushed with IOPL=3.
EXIT
}
ELSE // ((RFLAGS.IOPL<3) && ((CR4.VME=0) || (OPERAND_SIZE!=16)))
EXCEPTION [#GP(0)]

Related Instructions
POPF, POPFD, POPFQ

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
General protection, The I/O privilege level was less than 3 and either VME was not
X
#GP enabled or the operand size was not 16-bit.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference PUSHFx 201

AMD64 Technology 24594—Rev. 3.14—September 2007

RCL Rotate Through Carry Left

Rotates the bits of a register or memory location (first operand) to the left (more significant bit
positions) and through the carry flag by the number of bit positions in an unsigned immediate value or
the CL register (second operand). The bits rotated through the carry flag are rotated back in at the right
end (lsb) of the first operand location.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63.
For 1-bit rotates, the instruction sets the OF flag to the exclusive OR of the CF bit (after the rotate) and
the most significant bit of the result. When the rotate count is greater than 1, the OF flag is undefined.
When the rotate count is 0, no flags are affected.

Mnemonic Opcode Description

Rotate the 9 bits consisting of the carry flag and an 8-bit
RCL reg/mem8,1 D0 /2
register or memory location left 1 bit.
Rotate the 9 bits consisting of the carry flag and an 8-bit
RCL reg/mem8, CL D2 /2 register or memory location left the number of bits
specified in the CL register.
Rotate the 9 bits consisting of the carry flag and an 8-bit
RCL reg/mem8, imm8 C0 /2 ib register or memory location left the number of bits
specified by an 8-bit immediate value.
Rotate the 17 bits consisting of the carry flag and a 16-
RCL reg/mem16, 1 D1 /2
bit register or memory location left 1 bit.
Rotate the 17 bits consisting of the carry flag and a 16-
RCL reg/mem16, CL D3 /2 bit register or memory location left the number of bits
specified in the CL register.
Rotate the 17 bits consisting of the carry flag and a 16-
RCL reg/mem16, imm8 C1 /2 ib bit register or memory location left the number of bits
specified by an 8-bit immediate value.

RCL reg/mem32, 1 D1 /2 Rotate the 33 bits consisting of the carry flag and a 32-
bit register or memory location left 1 bit.
Rotate 33 bits consisting of the carry flag and a 32-bit
RCL reg/mem32, CL D3 /2 register or memory location left the number of bits
specified in the CL register.
Rotate the 33 bits consisting of the carry flag and a 32-
RCL reg/mem32, imm8 C1 /2 ib bit register or memory location left the number of bits
specified by an 8-bit immediate value.
Rotate the 65 bits consisting of the carry flag and a 64-
RCL reg/mem64, 1 D1 /2
bit register or memory location left 1 bit.

202 RCL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Rotate the 65 bits consisting of the carry flag and a 64-
RCL reg/mem64, CL D3 /2 bit register or memory location left the number of bits
specified in the CL register.
Rotates the 65 bits consisting of the carry flag and a 64-
RCL reg/mem64, imm8 C1 /2 ib bit register or memory location left the number of bits
specified by an 8-bit immediate value.

Related Instructions
RCR, ROL, ROR

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference RCL 203

AMD64 Technology 24594—Rev. 3.14—September 2007

RCR Rotate Through Carry Right

Rotates the bits of a register or memory location (first operand) to the right (toward the less significant
bit positions) and through the carry flag by the number of bit positions in an unsigned immediate value
or the CL register (second operand). The bits rotated through the carry flag are rotated back in at the
left end (msb) of the first operand location.
The processor masks the upper three bits in the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63.
For 1-bit rotates, the instruction sets the OF flag to the exclusive OR of the CF flag (before the rotate)
and the most significant bit of the original value. When the rotate count is greater than 1, the OF flag is
undefined. When the rotate count is 0, no flags are affected.

Mnemonic Opcode Description

Rotate the 9 bits consisting of the carry flag and an 8-bit
RCR reg/mem8, 1 D0 /3
register or memory location right 1 bit.
Rotate the 9 bits consisting of the carry flag and an 8-bit
RCR reg/mem8,CL D2 /3 register or memory location right the number of bits
specified in the CL register.
Rotate the 9 bits consisting of the carry flag and an 8-bit
RCR reg/mem8,imm8 C0 /3 ib register or memory location right the number of bits
specified by an 8-bit immediate value.
Rotate the 17 bits consisting of the carry flag and a 16-
RCR reg/mem16,1 D1 /3
bit register or memory location right 1 bit.
Rotate the17 bits consisting of the carry flag and a 16-
RCR reg/mem16,CL D3 /3 bit register or memory location right the number of bits
specified in the CL register.
Rotate the 17 bits consisting of the carry flag and a 16-
RCR reg/mem16, imm8 C1 /3 ib bit register or memory location right the number of bits
specified by an 8-bit immediate value.

RCR reg/mem32,1 D1 /3 Rotate the 33 bits consisting of the carry flag and a 32-
bit register or memory location right 1 bit.
Rotate 33 bits consisting of the carry flag and a 32-bit
RCR reg/mem32,CL D3 /3 register or memory location right the number of bits
specified in the CL register.
Rotate the 33 bits consisting of the carry flag and a 32-
RCR reg/mem32, imm8 C1 /3 ib bit register or memory location right the number of bits
specified by an 8-bit immediate value.
Rotate the 65 bits consisting of the carry flag and a 64-
RCR reg/mem64,1 D1 /3
bit register or memory location right 1 bit.

204 RCR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Rotate 65 bits consisting of the carry flag and a 64-bit
RCR reg/mem64,CL D3 /3 register or memory location right the number of bits
specified in the CL register.
Rotate the 65 bits consisting of the carry flag and a 64-
RCR reg/mem64, imm8 C1 /3 ib bit register or memory location right the number of bits
specified by an 8-bit immediate value.

Related Instructions
RCL, ROR, ROL

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference RCR 205

AMD64 Technology 24594—Rev. 3.14—September 2007

RET (Near) Near Return from Called Procedure

Returns from a procedure previously entered by a CALL near instruction. This form of the RET
instruction returns to a calling procedure within the current code segment.
This instruction pops the rIP from the stack, with the size of the pop determined by the operand size.
The new rIP is then zero-extended to 64 bits. The RET instruction can accept an immediate value
operand that it adds to the rSP after it pops the target rIP. This action skips over any parameters
previously passed back to the subroutine that are no longer needed.
In 64-bit mode, the operand size defaults to 64 bits (eight bytes) without the need for a REX prefix. No
prefix is available to encode a 32-bit operand size in 64-bit mode.
See RET (Far) for information on far returns—returns to procedures located outside of the current
code segment. For details about control-flow instructions, see “Control Transfers” in Volume 1, and
“Control-Transfer Privilege Checks” in Volume 2.

Mnemonic Opcode Description

RET C3 Near return to the calling procedure.
Near return to the calling procedure then pop the
RET imm16 C2 iw
specified number of bytes from the stack.

Related Instructions
CALL (Near), CALL (Far), RET (Far)

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
General protection, The target offset exceeded the code segment limit or was non-
X X X
#GP canonical.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

206 RET (Near) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

RET (Far) Far Return from Called Procedure

Returns from a procedure previously entered by a CALL Far instruction. This form of the RET
instruction returns to a calling procedure in a different segment than the current code segment. It can
return to the same CPL or to a less privileged CPL.
RET Far pops a target CS and rIP from the stack. If the new code segment is less privileged than the
current code segment, the stack pointer is incremented by the number of bytes indicated by the
immediate operand, if present; then a new SS and rSP are also popped from the stack.
The final value of rSP is incremented by the number of bytes indicated by the immediate operand, if
present. This action skips over the parameters (previously passed to the subroutine) that are no longer
needed.
All stack pops are determined by the operand size. If necessary, the target rIP is zero-extended to 64
bits before assuming program control.
If the CPL changes, the data segment selectors are set to NULL for any of the data segments (DS, ES,
FS, GS) not accessible at the new CPL.
See RET (Near) for information on near returns—returns to procedures located inside the current code
segment. For details about control-flow instructions, see “Control Transfers” in Volume 1, and
“Control-Transfer Privilege Checks” in Volume 2.

Mnemonic Opcode Description

RETF CB Far return to the calling procedure.

RETF imm16 CA iw Far return to the calling procedure, then pop the
specified number of bytes from the stack.

Action
// Far returns (RETF)
// See “Pseudocode Definitions” on page 41.

RETF_START:

IF (REAL_MODE)
RETF_REAL_OR_VIRTUAL
ELSIF (PROTECTED_MODE)
RETF_PROTECTED
ELSE // (VIRTUAL_MODE)
RETF_REAL_OR_VIRTUAL

RETF_REAL_OR_VIRTUAL:

IF (OPCODE = retf imm16)

temp_IMM = word-sized immediate specified in the instruction,
zero-extended to 64 bits

Instruction Reference RET (Far) 207

AMD64 Technology 24594—Rev. 3.14—September 2007

ELSE // (OPCODE = retf)

temp_IMM = 0

POP.v temp_RIP
POP.v temp_CS

IF (temp_RIP > CS.limit)

EXCEPTION [#GP(0)]

CS.sel = temp_CS
CS.base = temp_CS SHL 4

RSP.s = RSP + temp_IMM

RIP = temp_RIP
EXIT

RETF_PROTECTED:

IF (OPCODE = retf imm16)

temp_IMM = word-sized immediate specified in the instruction,
zero-extended to 64 bits
ELSE // (OPCODE = retf)
temp_IMM = 0

POP.v temp_RIP
POP.v temp_CS

temp_CPL = temp_CS.rpl

IF (CPL=temp_CPL)
{
CS = READ_DESCRIPTOR (temp_CS, iret_chk)

RSP.s = RSP + temp_IMM

IF ((64BIT_MODE) && (temp_RIP is non-canonical)

|| (!64BIT_MODE) && (temp_RIP > CS.limit))
EXCEPTION [#GP(0)]

RIP = temp_RIP
EXIT
}
ELSE // (CPL!=temp_CPL)
{
RSP.s = RSP + temp_IMM

POP.v temp_RSP
POP.v temp_SS

CS = READ_DESCRIPTOR (temp_CS, iret_chk)

208 RET (Far) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CPL = temp_CPL

IF ((64BIT_MODE) && (temp_RIP is non-canonical)

|| (!64BIT_MODE) && (temp_RIP > CS.limit))
EXCEPTION [#GP(0)]

SS = READ_DESCRIPTOR (temp_SS, ss_chk)

RSP.s = temp_RSP + temp_IMM

IF (changing CPL)
{
FOR (seg = ES, DS, FS, GS)
IF ((seg.attr.dpl < CPL) && ((seg.attr.type = ’data’)
|| (seg.attr.type = ’non-conforming-code’)))
{
seg = NULL // can’t use lower dpl data segment at higher cpl
}
}

RIP = temp_RIP
EXIT
}

Related Instructions
CALL (Near), CALL (Far), RET (Near)

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Segment not
present, #NP X The return code segment was marked not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
Stack, #SS
X The return stack segment was marked not present.
(selector)
General protection, X X X The target offset exceeded the code segment limit or was non-
#GP canonical.

Instruction Reference RET (Far) 209

AMD64 Technology 24594—Rev. 3.14—September 2007

Virtual
Exception Real 8086 Protected Cause of Exception
X The return code selector was a null selector.
The return stack selector was a null selector and the return
X
mode was non-64-bit mode or CPL was 3.
The return code or stack descriptor exceeded the descriptor
X table limit.
The return code or stack selector’s TI bit was set but the LDT
X
selector was a null selector.
The segment descriptor for the return code was not a code
X
segment.
The RPL of the return code segment selector was less than
X
General protection, the CPL.
#GP
(selector) The return code segment was non-conforming and the
X segment selector’s DPL was not equal to the RPL of the code
segment’s segment selector.
The return code segment was conforming and the segment
X selector’s DPL was greater than the RPL of the code
segment’s segment selector.
The segment descriptor for the return stack was not a writable
X data segment.
The stack segment descriptor DPL was not equal to the RPL
X
of the return code segment selector.
The stack segment selector RPL was not equal to the RPL of
X the return code segment selector.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned-memory reference was performed while
#AC X X alignment checking was enabled.

210 RET (Far) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

ROL Rotate Left

Rotates the bits of a register or memory location (first operand) to the left (toward the more significant
bit positions) by the number of bit positions in an unsigned immediate value or the CL register (second
operand). The bits rotated out left are rotated back in at the right end (lsb) of the first operand location.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, it masks the upper two bits of the count,
providing a count in the range of 0 to 63.
After completing the rotation, the instruction sets the CF flag to the last bit rotated out (the lsb of the
result). For 1-bit rotates, the instruction sets the OF flag to the exclusive OR of the CF bit (after the
rotate) and the most significant bit of the result. When the rotate count is greater than 1, the OF flag is
undefined. When the rotate count is 0, no flags are affected.

Mnemonic Opcode Description

ROL reg/mem8, 1 D0 /0 Rotate an 8-bit register or memory operand left 1 bit.

ROL reg/mem8, CL D2 /0 Rotate an 8-bit register or memory operand left the

number of bits specified in the CL register.
Rotate an 8-bit register or memory operand left the
ROL reg/mem8, imm8 C0 /0 ib
number of bits specified by an 8-bit immediate value.
ROL reg/mem16, 1 D1 /0 Rotate a 16-bit register or memory operand left 1 bit.
Rotate a 16-bit register or memory operand left the
ROL reg/mem16, CL D3 /0
number of bits specified in the CL register.

ROL reg/mem16, imm8 C1 /0 ib Rotate a 16-bit register or memory operand left the
number of bits specified by an 8-bit immediate value.
ROL reg/mem32, 1 D1 /0 Rotate a 32-bit register or memory operand left 1 bit.

ROL reg/mem32, CL D3 /0 Rotate a 32-bit register or memory operand left the

number of bits specified in the CL register.
Rotate a 32-bit register or memory operand left the
ROL reg/mem32, imm8 C1 /0 ib
number of bits specified by an 8-bit immediate value.
ROL reg/mem64, 1 D1 /0 Rotate a 64-bit register or memory operand left 1 bit.
Rotate a 64-bit register or memory operand left the
ROL reg/mem64, CL D3 /0
number of bits specified in the CL register.

ROL reg/mem64, imm8 C1 /0 ib Rotate a 64-bit register or memory operand left the
number of bits specified by an 8-bit immediate value.

Related Instructions
RCL, RCR, ROR

Instruction Reference ROL 211

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

212 ROL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

ROR Rotate Right

Rotates the bits of a register or memory location (first operand) to the right (toward the less significant
bit positions) by the number of bit positions in an unsigned immediate value or the CL register (second
operand). The bits rotated out right are rotated back in at the left end (the most significant bit) of the
first operand location.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63.
After completing the rotation, the instruction sets the CF flag to the last bit rotated out (the most
significant bit of the result). For 1-bit rotates, the instruction sets the OF flag to the exclusive OR of the
two most significant bits of the result. When the rotate count is greater than 1, the OF flag is undefined.
When the rotate count is 0, no flags are affected.

Mnemonic Opcode Description

ROR reg/mem8, 1 D0 /1 Rotate an 8-bit register or memory location right 1 bit.
Rotate an 8-bit register or memory location right the
ROR reg/mem8, CL D2 /1
number of bits specified in the CL register.

ROR reg/mem8, imm8 C0 /1 ib Rotate an 8-bit register or memory location right the
number of bits specified by an 8-bit immediate value.
ROR reg/mem16, 1 D1 /1 Rotate a 16-bit register or memory location right 1 bit.
Rotate a 16-bit register or memory location right the
ROR reg/mem16, CL D3 /1 number of bits specified in the CL register.
Rotate a 16-bit register or memory location right the
ROR reg/mem16, imm8 C1 /1 ib
number of bits specified by an 8-bit immediate value.
ROR reg/mem32, 1 D1 /1 Rotate a 32-bit register or memory location right 1 bit.
Rotate a 32-bit register or memory location right the
ROR reg/mem32, CL D3 /1
number of bits specified in the CL register.
Rotate a 32-bit register or memory location right the
ROR reg/mem32, imm8 C1 /1 ib
number of bits specified by an 8-bit immediate value.
ROR reg/mem64, 1 D1 /1 Rotate a 64-bit register or memory location right 1 bit.
Rotate a 64-bit register or memory operand right the
ROR reg/mem64, CL D3 /1
number of bits specified in the CL register.

ROR reg/mem64, imm8 C1 /1 ib Rotate a 64-bit register or memory operand right the
number of bits specified by an 8-bit immediate value.

Related Instructions
RCL, RCR, ROL

Instruction Reference ROR 213

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

214 ROR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SAHF Store AH into Flags

Loads the SF, ZF, AF, PF, and CF flags of the EFLAGS register with values from the corresponding
bits in the AH register (bits 7, 6, 4, 2, and 0, respectively). The instruction ignores bits 1, 3, and 5 of
register AH; it sets those bits in the EFLAGS register to 1, 0, and 0, respectively.
The SAHF instruction can only be executed in 64-bit mode if supported by the processor
implementation. Check the status of ECX bit 0 returned by CPUID function 8000_0001h to verify that
the processor supports SAHF in 64-bit mode.

Mnemonic Opcode Description

Loads the sign flag, the zero flag, the auxiliary flag, the
SAHF 9E parity flag, and the carry flag from the AH register into
the lower 8 bits of the EFLAGS register.

Related Instructions
LAHF

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
This instruction is not supported in 64-bit mode, as indicated
Invalid opcode, #UD X
by ECX bit 0 returned by CPUID function 8000_0001h.

Instruction Reference SAHF 215

AMD64 Technology 24594—Rev. 3.14—September 2007

SAL Shift Left

SHL
Shifts the bits of a register or memory location (first operand) to the left through the CF bit by the
number of bit positions in an unsigned immediate value or the CL register (second operand). The
instruction discards bits shifted out of the CF flag. For each bit shift, the SAL instruction clears the
least-significant bit to 0. At the end of the shift operation, the CF flag contains the last bit shifted out of
the first operand.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63.
The effect of this instruction is multiplication by powers of two.
For 1-bit shifts, the instruction sets the OF flag to the exclusive OR of the CF bit (after the shift) and
the most significant bit of the result. When the shift count is greater than 1, the OF flag is undefined.
If the shift count is 0, no flags are modified.
SHL is an alias to the SAL instruction.

Mnemonic Opcode Description

SAL reg/mem8, 1 D0 /4 Shift an 8-bit register or memory location left 1 bit.
Shift an 8-bit register or memory location left the number
SAL reg/mem8, CL D2 /4 of bits specified in the CL register.

SAL reg/mem8, imm8 C0 /4 ib Shift an 8-bit register or memory location left the number
of bits specified by an 8-bit immediate value.
SAL reg/mem16, 1 D1 /4 Shift a 16-bit register or memory location left 1 bit.
Shift a 16-bit register or memory location left the number
SAL reg/mem16, CL D3 /4
of bits specified in the CL register.
Shift a 16-bit register or memory location left the number
SAL reg/mem16, imm8 C1 /4 ib
of bits specified by an 8-bit immediate value.
SAL reg/mem32, 1 D1 /4 Shift a 32-bit register or memory location left 1 bit.
Shift a 32-bit register or memory location left the number
SAL reg/mem32, CL D3 /4
of bits specified in the CL register.
Shift a 32-bit register or memory location left the number
SAL reg/mem32, imm8 C1 /4 ib
of bits specified by an 8-bit immediate value.
SAL reg/mem64, 1 D1 /4 Shift a 64-bit register or memory location left 1 bit.

SAL reg/mem64, CL D3 /4 Shift a 64-bit register or memory location left the number
of bits specified in the CL register.
Shift a 64-bit register or memory location left the number
SAL reg/mem64, imm8 C1 /4 ib
of bits specified by an 8-bit immediate value.

216 SAL, SHL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

SHL reg/mem8, 1 D0 /4 Shift an 8-bit register or memory location by 1 bit.

SHL reg/mem8, CL D2 /4 Shift an 8-bit register or memory location left the number
of bits specified in the CL register.
Shift an 8-bit register or memory location left the number
SHL reg/mem8, imm8 C0 /4 ib
of bits specified by an 8-bit immediate value.
SHL reg/mem16, 1 D1 /4 Shift a 16-bit register or memory location left 1 bit.
Shift a 16-bit register or memory location left the number
SHL reg/mem16, CL D3 /4
of bits specified in the CL register.

SHL reg/mem16, imm8 C1 /4 ib Shift a 16-bit register or memory location left the number
of bits specified by an 8-bit immediate value.
SHL reg/mem32, 1 D1 /4 Shift a 32-bit register or memory location left 1 bit.
Shift a 32-bit register or memory location left the number
SHL reg/mem32, CL D3 /4 of bits specified in the CL register.
Shift a 32-bit register or memory location left the number
SHL reg/mem32, imm8 C1 /4 ib
of bits specified by an 8-bit immediate value.
SHL reg/mem64, 1 D1 /4 Shift a 64-bit register or memory location left 1 bit.

SHL reg/mem64, CL D3 /4 Shift a 64-bit register or memory location left the number
of bits specified in the CL register.
Shift a 64-bit register or memory location left the number
SHL reg/mem64, imm8 C1 /4 ib of bits specified by an 8-bit immediate value.

Related Instructions
SAR, SHR, SHLD, SHRD

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M U M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Instruction Reference SAL, SHL 217

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

218 SAL, SHL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SAR Shift Arithmetic Right

Shifts the bits of a register or memory location (first operand) to the right through the CF bit by the
number of bit positions in an unsigned immediate value or the CL register (second operand). The
instruction discards bits shifted out of the CF flag. At the end of the shift operation, the CF flag
contains the last bit shifted out of the first operand.
The SAR instruction does not change the sign bit of the target operand. For each bit shift, it copies the
sign bit to the next bit, preserving the sign of the result.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63.
For 1-bit shifts, the instruction clears the OF flag to 0. When the shift count is greater than 1, the OF
flag is undefined.
If the shift count is 0, no flags are modified.
Although the SAR instruction effectively divides the operand by a power of 2, the behavior is different
from the IDIV instruction. For example, shifting –11 (FFFFFFF5h) by two bits to the right (that is,
divide –11 by 4), gives a result of FFFFFFFDh, or –3, whereas the IDIV instruction for dividing –11 by
4 gives a result of –2. This is because the IDIV instruction rounds off the quotient to zero, whereas the
SAR instruction rounds off the remainder to zero for positive dividends and to negative infinity for
negative dividends. So, for positive operands, SAR behaves like the corresponding IDIV instruction.
For negative operands, it gives the same result if and only if all the shifted-out bits are zeroes;
otherwise, the result is smaller by 1.

Mnemonic Opcode Description

Shift a signed 8-bit register or memory operand right 1
SAR reg/mem8, 1 D0 /7
bit.
Shift a signed 8-bit register or memory operand right the
SAR reg/mem8, CL D2 /7
number of bits specified in the CL register.
Shift a signed 8-bit register or memory operand right the
SAR reg/mem8, imm8 C0 /7 ib number of bits specified by an 8-bit immediate value.
Shift a signed 16-bit register or memory operand right 1
SAR reg/mem16, 1 D1 /7
bit.

SAR reg/mem16, CL D3 /7 Shift a signed 16-bit register or memory operand right

the number of bits specified in the CL register.
Shift a signed 16-bit register or memory operand right
SAR reg/mem16, imm8 C1 /7 ib
the number of bits specified by an 8-bit immediate value.
SAR reg/mem32, 1 D1 /7 Shift a signed 32-bit register or memory location 1 bit.
Shift a signed 32-bit register or memory location right
SAR reg/mem32, CL D3 /7
the number of bits specified in the CL register.

Instruction Reference SAR 219

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Shift a signed 32-bit register or memory location right
SAR reg/mem32, imm8 C1 /7 ib
the number of bits specified by an 8-bit immediate value.

SAR reg/mem64, 1 D1 /7 Shift a signed 64-bit register or memory location right 1

bit.
Shift a signed 64-bit register or memory location right
SAR reg/mem64, CL D3 /7
the number of bits specified in the CL register.
Shift a signed 64-bit register or memory location right
SAR reg/mem64, imm8 C1 /7 ib
the number of bits specified by an 8-bit immediate value.

Related Instructions
SAL, SHL, SHR, SHLD, SHRD

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M U M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.

X X X A memory address exceeded a data segment limit or was non-

canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

220 SAR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SBB Subtract with Borrow

Subtracts an immediate value or the value in a register or a memory location (second operand) from a
register or a memory location (first operand), and stores the result in the first operand location. If the
carry flag (CF) is 1, the instruction subtracts 1 from the result. Otherwise, it operates like SUB.
The SBB instruction sign-extends immediate value operands to the length of the first operand size.
This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF
flags to indicate a borrow in a signed or unsigned result, respectively. It sets the SF flag to indicate the
sign of a signed result.
This instruction is useful for multibyte (multiword) numbers because it takes into account the borrow
from a previous SUB instruction.
The forms of the SBB instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Subtract an immediate 8-bit value from the AL register
SBB AL, imm8 1C ib
with borrow.
Subtract an immediate 16-bit value from the AX register
SBB AX, imm16 1D iw
with borrow.
Subtract an immediate 32-bit value from the EAX
SBB EAX, imm32 1D id
register with borrow.
Subtract a sign-extended immediate 32-bit value from
SBB RAX, imm32 1D id
the RAX register with borrow.

SBB reg/mem8, imm8 80 /3 ib Subtract an immediate 8-bit value from an 8-bit register
or memory location with borrow.
Subtract an immediate 16-bit value from a 16-bit register
SBB reg/mem16, imm16 81 /3 iw
or memory location with borrow.
Subtract an immediate 32-bit value from a 32-bit register
SBB reg/mem32, imm32 81 /3 id
or memory location with borrow.
Subtract a sign-extended immediate 32-bit value from a
SBB reg/mem64, imm32 81 /3 id
64-bit register or memory location with borrow.
Subtract a sign-extended 8-bit immediate value from a
SBB reg/mem16, imm8 83 /3 ib
16-bit register or memory location with borrow.
Subtract a sign-extended 8-bit immediate value from a
SBB reg/mem32, imm8 83 /3 ib
32-bit register or memory location with borrow.
Subtract a sign-extended 8-bit immediate value from a
SBB reg/mem64, imm8 83 /3 ib
64-bit register or memory location with borrow.

SBB reg/mem8, reg8 18 /r Subtract the contents of an 8-bit register from an 8-bit
register or memory location with borrow.
Subtract the contents of a 16-bit register from a 16-bit
SBB reg/mem16, reg16 19 /r
register or memory location with borrow.

Instruction Reference SBB 221

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Subtract the contents of a 32-bit register from a 32-bit
SBB reg/mem32, reg32 19 /r
register or memory location with borrow.

SBB reg/mem64, reg64 19 /r Subtract the contents of a 64-bit register from a 64-bit
register or memory location with borrow.
Subtract the contents of an 8-bit register or memory
SBB reg8, reg/mem8 1A /r location from the contents of an 8-bit register with
borrow.
Subtract the contents of a 16-bit register or memory
SBB reg16, reg/mem16 1B /r location from the contents of a 16-bit register with
borrow.
Subtract the contents of a 32-bit register or memory
SBB reg32, reg/mem32 1B /r location from the contents of a 32-bit register with
borrow.
Subtract the contents of a 64-bit register or memory
SBB reg64, reg/mem64 1B /r location from the contents of a 64-bit register with
borrow.

Related Instructions
SUB, ADD, ADC

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

222 SBB Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SCAS Scan String

SCASB
SCASW
SCASD
SCASQ
Compares the AL, AX, EAX, or RAX register with the byte, word, doubleword, or quadword pointed
to by ES:rDI, sets the status flags in the rFLAGS register according to the results, and then increments
or decrements the rDI register according to the state of the DF flag in the rFLAGS register.
If the DF flag is 0, the instruction increments the rDI register; otherwise, it decrements it. The
instruction increments or decrements the rDI register by 1, 2, 4, or 8, depending on the size of the
operands.
The forms of the SCASx instruction with an explicit operand address the operand at ES:rDI. The
explicit operand serves only to specify the size of the values being compared.
The no-operands forms of the instruction use the ES:rDI registers to point to the value to be compared.
The mnemonic determines the size of the operands and the specific register containing the other
comparison value.
For block comparisons, the SCASx instructions support the REPE or REPZ prefixes (they are
synonyms) and the REPNE or REPNZ prefixes (they are synonyms). For details about the REP
prefixes, see “Repeat Prefixes” on page 9. A SCASx instruction can also operate inside a loop
controlled by the LOOPcc instruction.

Mnemonic Opcode Description

Compare the contents of the AL register with the byte at
SCAS mem8 AE
ES:rDI, and then increment or decrement rDI.
Compare the contents of the AX register with the word
SCAS mem16 AF
at ES:rDI, and then increment or decrement rDI.
Compare the contents of the EAX register with the
SCAS mem32 AF doubleword at ES:rDI, and then increment or decrement
rDI.
Compare the contents of the RAX register with the
SCAS mem64 AF quadword at ES:rDI, and then increment or decrement
rDI.
Compare the contents of the AL register with the byte at
SCASB AE
ES:rDI, and then increment or decrement rDI.
Compare the contents of the AX register with the word
SCASW AF
at ES:rDI, and then increment or decrement rDI.

Instruction Reference SCASx 223

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Compare the contents of the EAX register with the
SCASD AF doubleword at ES:rDI, and then increment or decrement
rDI.
Compare the contents of the RAX register with the
SCASQ AF quadword at ES:rDI, and then increment or decrement
rDI.

Related Instructions
CMP, CMPSx

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
X A null ES segment was used to reference memory.
General protection,
#GP X X X A memory address exceeded the ES segment limit or was
non-canonical.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

224 SCASx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SETcc Set Byte on Condition

Checks the status flags in the rFLAGS register and, if the flags meet the condition specified in the
mnemonic (cc), sets the value in the specified 8-bit memory location or register to 1. If the flags do not
meet the specified condition, SETcc clears the memory location or register to 0.
Mnemonics with the A (above) and B (below) tags are intended for use when performing unsigned
integer comparisons; those with G (greater) and L (less) tags are intended for use with signed integer
comparisons.
Software typically uses the SETcc instructions to set logical indicators. Like the CMOVcc instructions
(page 91), the SETcc instructions can replace two instructions—a conditional jump and a move.
Replacing conditional jumps with conditional sets can help avoid branch-prediction penalties that may
result from conditional jumps.
If the logical value “true” (logical one) is represented in a high-level language as an integer with all bits
set to 1, software can accomplish such representation by first executing the opposite SETcc
instruction—for example, the opposite of SETZ is SETNZ—and then decrementing the result.
A ModR/M byte is used to identify the operand. The reg field in the ModR/M byte is unused.

Mnemonic Opcode Description

SETO reg/mem8 0F 90 /0 Set byte if overflow (OF = 1).
SETNO reg/mem8 0F 91 /0 Set byte if not overflow (OF = 0).
SETB reg/mem8 Set byte if below (CF = 1).
SETC reg/mem8 0F 92 /0 Set byte if carry (CF = 1).
SETNAE reg/mem8 Set byte if not above or equal (CF = 1).
SETNB reg/mem8 Set byte if not below (CF = 0).
SETNC reg/mem8 0F 93 /0 Set byte if not carry (CF = 0).
SETAE reg/mem8 Set byte if above or equal (CF = 0).
SETZ reg/mem8 0F 94 /0 Set byte if zero (ZF = 1).
SETE reg/mem8 Set byte if equal (ZF = 1).
SETNZ reg/mem8 Set byte if not zero (ZF = 0).
0F 95 /0
SETNE reg/mem8 Set byte if not equal (ZF = 0).
SETBE reg/mem8 Set byte if below or equal (CF = 1 or ZF = 1).
0F 96 /0
SETNA reg/mem8 Set byte if not above (CF = 1 or ZF = 1).
SETNBE reg/mem8 Set byte if not below or equal (CF = 0 and ZF = 0).
0F 97 /0
SETA reg/mem8 Set byte if above (CF = 0 and ZF = 0).
SETS reg/mem8 0F 98 /0 Set byte if sign (SF = 1).
SETNS reg/mem8 0F 99 /0 Set byte if not sign (SF = 0).
SETP reg/mem8 Set byte if parity (PF = 1).
0F 9A /0
SETPE reg/mem8 Set byte if parity even (PF = 1).
SETNP reg/mem8 Set byte if not parity (PF = 0).
0F 9B /0
SETPO reg/mem8 Set byte if parity odd (PF = 0).

Instruction Reference SETcc 225

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

SETL reg/mem8 Set byte if less (SF <> OF).
0F 9C /0
SETNGE reg/mem8 Set byte if not greater or equal (SF <> OF).
SETNL reg/mem8 Set byte if not less (SF = OF).
0F 9D /0
SETGE reg/mem8 Set byte if greater or equal (SF = OF).
SETLE reg/mem8 Set byte if less or equal (ZF = 1 or SF <> OF).
0F 9E /0
SETNG reg/mem8 Set byte if not greater (ZF = 1 or SF <> OF).
SETNLE reg/mem8 Set byte if not less or equal (ZF = 0 and SF = OF).
0F 9F /0
SETG reg/mem8 Set byte if greater (ZF = 0 and SF = OF).

Related Instructions
None

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.

226 SETcc Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SFENCE Store Fence

Acts as a barrier to force strong memory ordering (serialization) between store instructions preceding
the SFENCE and store instructions that follow the SFENCE. Stores to differing memory types, or
within the WC memory type, may become visible out of program order; the SFENCE instruction
ensures that the system completes all previous stores in such a way that they are globally visible
before executing subsequent stores. This includes emptying the store buffer and all write-combining
buffers.
The SFENCE instruction is weakly-ordered with respect to load instructions, data and instruction
prefetches, and the LFENCE instruction. Speculative loads initiated by the processor, or specified
explicitly using cache-prefetch instructions, can be reordered around an SFENCE.
In addition to store instructions, SFENCE is strongly ordered with respect to other SFENCE
instructions, MFENCE instructions, and serializing instructions. Further details on the use of
MFENCE to order accesses among differing memory types may be found in AMD64 Architecture
Programmer’s Manual Volume 2: System Programming, section 7.4 “Memory Types” on page 170.
Support for the SFENCE instruction is indicated when the SSE bit (bit 25) is set to 1 in EDX after
executing CPUID function 0000_0001h.

Mnemonic Opcode Description

SFENCE 0F AE F8 Force strong ordering of (serialized) store operations.

Related Instructions
LFENCE, MFENCE

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SSE instructions are not supported, as indicated by EDX
Invalid Opcode, bit 25 of CPUID function 0000_0001h; and the AMD
X X X
#UD extensions to MMX are not supported, as indicated by EDX bit
22 of CPUID function 8000_0001h.

Instruction Reference SFENCE 227

AMD64 Technology 24594—Rev. 3.14—September 2007

SHL Shift Left

This instruction is synonymous with the SAL instruction. For information, see “SAL SHL” on
page 216.

228 SHL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SHLD Shift Left Double

Shifts the bits of a register or memory location (first operand) to the left by the number of bit positions
in an unsigned immediate value or the CL register (third operand), and shifts in a bit pattern (second
operand) from the right. At the end of the shift operation, the CF flag contains the last bit shifted out of
the first operand.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63. If the masked count is greater than the operand size,
the result in the destination register is undefined.
If the shift count is 0, no flags are modified.
If the count is 1 and the sign of the operand being shifted changes, the instruction sets the OF flag to 1.
If the count is greater than 1, OF is undefined.

Mnemonic Opcode Description

Shift bits of a 16-bit destination register or memory
operand to the left the number of bits specified in an 8-
SHLD reg/mem16, reg16, imm8 0F A4 /r ib bit immediate value, while shifting in bits from the
second operand.
Shift bits of a 16-bit destination register or memory
SHLD reg/mem16, reg16, CL 0F A5 /r operand to the left the number of bits specified in the CL
register, while shifting in bits from the second operand.
Shift bits of a 32-bit destination register or memory
operand to the left the number of bits specified in an 8-
SHLD reg/mem32, reg32, imm8 0F A4 /r ib
bit immediate value, while shifting in bits from the
second operand.
Shift bits of a 32-bit destination register or memory
SHLD reg/mem32, reg32, CL 0F A5 /r operand to the left the number of bits specified in the CL
register, while shifting in bits from the second operand.
Shift bits of a 64-bit destination register or memory
SHLD reg/mem64, reg64, imm8 0F A4 /r ib operand to the left the number of bits specified in an 8-
bit immediate value, while shifting in bits from the
second operand.
Shift bits of a 64-bit destination register or memory
SHLD reg/mem64, reg64, CL 0F A5 /r operand to the left the number of bits specified in the CL
register, while shifting in bits from the second operand.

Related Instructions
SHRD, SAL, SAR, SHR, SHL

Instruction Reference SHLD 229

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M U M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

230 SHLD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SHR Shift Right

Shifts the bits of a register or memory location (first operand) to the right through the CF bit by the
number of bit positions in an unsigned immediate value or the CL register (second operand). The
instruction discards bits shifted out of the CF flag. At the end of the shift operation, the CF flag
contains the last bit shifted out of the first operand.
For each bit shift, the instruction clears the most-significant bit to 0.
The effect of this instruction is unsigned division by powers of two.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63.
For 1-bit shifts, the instruction sets the OF flag to the most-significant bit of the original value. If the
count is greater than 1, the OF flag is undefined.
If the shift count is 0, no flags are modified.

Mnemonic Opcode Description

SHR reg/mem8, 1 D0 /5 Shift an 8-bit register or memory operand right 1 bit.
Shift an 8-bit register or memory operand right the
SHR reg/mem8, CL D2 /5 number of bits specified in the CL register.

SHR reg/mem8, imm8 C0 /5 ib Shift an 8-bit register or memory operand right the
number of bits specified by an 8-bit immediate value.
SHR reg/mem16, 1 D1 /5 Shift a 16-bit register or memory operand right 1 bit.
Shift a 16-bit register or memory operand right the
SHR reg/mem16, CL D3 /5
number of bits specified in the CL register.
Shift a 16-bit register or memory operand right the
SHR reg/mem16, imm8 C1 /5 ib
number of bits specified by an 8-bit immediate value.
SHR reg/mem32, 1 D1 /5 Shift a 32-bit register or memory operand right 1 bit.
Shift a 32-bit register or memory operand right the
SHR reg/mem32, CL D3 /5
number of bits specified in the CL register.
Shift a 32-bit register or memory operand right the
SHR reg/mem32, imm8 C1 /5 ib
number of bits specified by an 8-bit immediate value.
SHR reg/mem64, 1 D1 /5 Shift a 64-bit register or memory operand right 1 bit.

SHR reg/mem64, CL D3 /5 Shift a 64-bit register or memory operand right the

number of bits specified in the CL register.
Shift a 64-bit register or memory operand right the
SHR reg/mem64, imm8 C1 /5 ib
number of bits specified by an 8-bit immediate value.

Instruction Reference SHR 231

AMD64 Technology 24594—Rev. 3.14—September 2007

Related Instructions
SHL, SAL, SAR, SHLD, SHRD

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M U M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

232 SHR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SHRD Shift Right Double

Shifts the bits of a register or memory location (first operand) to the right by the number of bit
positions in an unsigned immediate value or the CL register (third operand), and shifts in a bit pattern
(second operand) from the left. At the end of the shift operation, the CF flag contains the last bit shifted
out of the first operand.
The processor masks the upper three bits of the count operand, thus restricting the count to a number
between 0 and 31. When the destination is 64 bits wide, the processor masks the upper two bits of the
count, providing a count in the range of 0 to 63. If the masked count is greater than the operand size,
the result in the destination register is undefined.
If the shift count is 0, no flags are modified.
If the count is 1 and the sign of the value being shifted changes, the instruction sets the OF flag to 1. If
the count is greater than 1, the OF flag is undefined.

Mnemonic Opcode Description

Shift bits of a 16-bit destination register or memory
operand to the right the number of bits specified in an 8-
SHRD reg/mem16, reg16, imm8 0F AC /r ib bit immediate value, while shifting in bits from the
second operand.
Shift bits of a 16-bit destination register or memory
operand to the right the number of bits specified in the
SHRD reg/mem16, reg16, CL 0F AD /r
CL register, while shifting in bits from the second
operand.
Shift bits of a 32-bit destination register or memory
operand to the right the number of bits specified in an 8-
SHRD reg/mem32, reg32, imm8 0F AC /r ib bit immediate value, while shifting in bits from the
second operand.
Shift bits of a 32-bit destination register or memory
operand to the right the number of bits specified in the
SHRD reg/mem32, reg32, CL 0F AD /r
CL register, while shifting in bits from the second
operand.
Shift bits of a 64-bit destination register or memory
operand to the right the number of bits specified in an 8-
SHRD reg/mem64, reg64, imm8 0F AC /r ib
bit immediate value, while shifting in bits from the
second operand.
Shift bits of a 64-bit destination register or memory
operand to the right the number of bits specified in the
SHRD reg/mem64, reg64, CL 0F AD /r
CL register, while shifting in bits from the second
operand.

Related Instructions
SHLD, SHR, SHL, SAR, SAL

Instruction Reference SHRD 233

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M U M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

234 SHRD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

STC Set Carry Flag

Sets the carry flag (CF) in the rFLAGS register to one.

Mnemonic Opcode Description

STC F9 Set the carry flag (CF) to one.

Related Instructions
CLC, CMC

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
None

Instruction Reference STC 235

AMD64 Technology 24594—Rev. 3.14—September 2007

STD Set Direction Flag

Set the direction flag (DF) in the rFLAGS register to 1. If the DF flag is 0, each iteration of a string
instruction increments the data pointer (index registers rSI or rDI). If the DF flag is 1, the string
instruction decrements the pointer. Use the CLD instruction before a string instruction to make the data
pointer increment.

Mnemonic Opcode Description

STD FD Set the direction flag (DF) to one.

Related Instructions
CLD, INSx, LODSx, MOVSx, OUTSx, SCASx, STOSx, CMPSx

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
None

236 STD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

STOS Store String

STOSB
STOSW
STOSD
STOSQ
Copies a byte, word, doubleword, or quadword from the AL, AX, EAX, or RAX registers to the
memory location pointed to by ES:rDI and increments or decrements the rDI register according to the
state of the DF flag in the rFLAGS register.
If the DF flag is 0, the instruction increments the pointer; otherwise, it decrements the pointer. It
increments or decrements the pointer by 1, 2, 4, or 8, depending on the size of the value being copied.
The forms of the STOSx instruction with an explicit operand use the operand only to specify the type
(size) of the value being copied.
The no-operands forms specify the type (size) of the value being copied with the mnemonic.
The STOSx instructions support the REP prefixes. For details about the REP prefixes, see “Repeat
Prefixes” on page 9. The STOSx instructions can also operate inside a LOOPcc instruction.

Mnemonic Opcode Description

Store the contents of the AL register to ES:rDI, and then
STOS mem8 AA
increment or decrement rDI.
Store the contents of the AX register to ES:rDI, and then
STOS mem16 AB
increment or decrement rDI.
Store the contents of the EAX register to ES:rDI, and
STOS mem32 AB
then increment or decrement rDI.
Store the contents of the RAX register to ES:rDI, and
STOS mem64 AB
then increment or decrement rDI.
Store the contents of the AL register to ES:rDI, and then
STOSB AA
increment or decrement rDI.
Store the contents of the AX register to ES:rDI, and then
STOSW AB
increment or decrement rDI.
Store the contents of the EAX register to ES:rDI, and
STOSD AB
then increment or decrement rDI.
Store the contents of the RAX register to ES:rDI, and
STOSQ AB then increment or decrement rDI.

Related Instructions
LODSx, MOVSx

Instruction Reference STOSx 237

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the ES segment limit or was
X X X
non-canonical.
General protection,
#GP X The ES segment was a non-writable segment.
X A null ES segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

238 STOSx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SUB Subtract
Subtracts an immediate value or the value in a register or memory location (second operand) from a
register or a memory location (first operand) and stores the result in the first operand location. An
immediate value is sign-extended to the length of the first operand.
This instruction evaluates the result for both signed and unsigned data types and sets the OF and CF
flags to indicate a borrow in a signed or unsigned result, respectively. It sets the SF flag to indicate the
sign of a signed result.
The forms of the SUB instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Subtract an immediate 8-bit value from the AL register
SUB AL, imm8 2C ib
and store the result in AL.
Subtract an immediate 16-bit value from the AX register
SUB AX, imm16 2D iw
and store the result in AX.
Subtract an immediate 32-bit value from the EAX
SUB EAX, imm32 2D id
register and store the result in EAX.
Subtract a sign-extended immediate 32-bit value from
SUB RAX, imm32 2D id
the RAX register and store the result in RAX.

SUB reg/mem8, imm8 80 /5 ib Subtract an immediate 8-bit value from an 8-bit

destination register or memory location.
Subtract an immediate 16-bit value from a 16-bit
SUB reg/mem16, imm16 81 /5 iw
destination register or memory location.
Subtract an immediate 32-bit value from a 32-bit
SUB reg/mem32, imm32 81 /5 id
destination register or memory location.

SUB reg/mem64, imm32 81 /5 id Subtract a sign-extended immediate 32-bit value from a

64-bit destination register or memory location.
Subtract a sign-extended immediate 8-bit value from a
SUB reg/mem16, imm8 83 /5 ib
16-bit register or memory location.
Subtract a sign-extended immediate 8-bit value from a
SUB reg/mem32, imm8 83 /5 ib
32-bit register or memory location.
Subtract a sign-extended immediate 8-bit value from a
SUB reg/mem64, imm8 83 /5 ib
64-bit register or memory location.

SUB reg/mem8, reg8 28 /r Subtract the contents of an 8-bit register from an 8-bit
destination register or memory location.
Subtract the contents of a 16-bit register from a 16-bit
SUB reg/mem16, reg16 29 /r
destination register or memory location.

SUB reg/mem32, reg32 Subtract the contents of a 32-bit register from a 32-bit
29 /r
destination register or memory location.
Subtract the contents of a 64-bit register from a 64-bit
SUB reg/mem64, reg64 29 /r destination register or memory location.

Instruction Reference SUB 239

AMD64 Technology 24594—Rev. 3.14—September 2007

Mnemonic Opcode Description

Subtract the contents of an 8-bit register or memory
SUB reg8, reg/mem8 2A /r
operand from an 8-bit destination register.

SUB reg16, reg/mem16 2B /r Subtract the contents of a 16-bit register or memory

operand from a 16-bit destination register.
Subtract the contents of a 32-bit register or memory
SUB reg32, reg/mem32 2B /r
operand from a 32-bit destination register.
Subtract the contents of a 64-bit register or memory
SUB reg64, reg/mem64 2B /r
operand from a 64-bit destination register.

Related Instructions
ADC, ADD, SBB

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.

X X X A memory address exceeded a data segment limit or was non-

canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

240 SUB Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

TEST Test Bits

Performs a bit-wise logical AND on the value in a register or memory location (first operand) with an
immediate value or the value in a register (second operand) and sets the flags in the rFLAGS register
based on the result. While the AND instruction changes the contents of the destination and the flag
bits, the TEST instruction changes only the flag bits.

Mnemonic Opcode Description

TEST AL, imm8 A8 ib AND an immediate 8-bit value with the contents of the
AL register and set rFLAGS to reflect the result.
AND an immediate 16-bit value with the contents of the
TEST AX, imm16 A9 iw
AX register and set rFLAGS to reflect the result.

TEST EAX, imm32 A9 id AND an immediate 32-bit value with the contents of the
EAX register and set rFLAGS to reflect the result.
AND a sign-extended immediate 32-bit value with the
TEST RAX, imm32 A9 id contents of the RAX register and set rFLAGS to reflect
the result.
AND an immediate 8-bit value with the contents of an 8-
TEST reg/mem8, imm8 F6 /0 ib bit register or memory operand and set rFLAGS to
reflect the result.
AND an immediate 16-bit value with the contents of a
TEST reg/mem16, imm16 F7 /0 iw 16-bit register or memory operand and set rFLAGS to
reflect the result.
AND an immediate 32-bit value with the contents of a
TEST reg/mem32, imm32 F7 /0 id 32-bit register or memory operand and set rFLAGS to
reflect the result.
AND a sign-extended immediate32-bit value with the
TEST reg/mem64, imm32 F7 /0 id contents of a 64-bit register or memory operand and set
rFLAGS to reflect the result.
AND the contents of an 8-bit register with the contents
TEST reg/mem8, reg8 84 /r of an 8-bit register or memory operand and set rFLAGS
to reflect the result.
AND the contents of a 16-bit register with the contents
TEST reg/mem16, reg16 85 /r of a 16-bit register or memory operand and set rFLAGS
to reflect the result.
AND the contents of a 32-bit register with the contents
TEST reg/mem32, reg32 85 /r of a 32-bit register or memory operand and set rFLAGS
to reflect the result.
AND the contents of a 64-bit register with the contents
TEST reg/mem64, reg64 85 /r of a 64-bit register or memory operand and set rFLAGS
to reflect the result.

Related Instructions
AND, CMP

Instruction Reference TEST 241

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

0 M M U M 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

242 TEST Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

XADD Exchange and Add

Exchanges the contents of a register (second operand) with the contents of a register or memory
location (first operand), computes the sum of the two values, and stores the result in the first operand
location.
The forms of the XADD instruction that write to memory support the LOCK prefix. For details about
the LOCK prefix, see “Lock Prefix” on page 8.

Mnemonic Opcode Description

Exchange the contents of an 8-bit register with the
XADD reg/mem8, reg8 0F C0 /r contents of an 8-bit destination register or memory
operand and load their sum into the destination.
Exchange the contents of a 16-bit register with the
XADD reg/mem16, reg16 0F C1 /r contents of a 16-bit destination register or memory
operand and load their sum into the destination.
Exchange the contents of a 32-bit register with the
XADD reg/mem32, reg32 0F C1 /r contents of a 32-bit destination register or memory
operand and load their sum into the destination.
Exchange the contents of a 64-bit register with the
XADD reg/mem64, reg64 0F C1 /r contents of a 64-bit destination register or memory
operand and load their sum into the destination.

Related Instructions
None

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Instruction Reference XADD 243

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

244 XADD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

XCHG Exchange
Exchanges the contents of the two operands. The operands can be two general-purpose registers or a
register and a memory location. If either operand references memory, the processor locks
automatically, whether or not the LOCK prefix is used and independently of the value of IOPL. For
details about the LOCK prefix, see “Lock Prefix” on page 8.
The x86 architecture commonly uses the XCHG EAX, EAX instruction (opcode 90h) as a one-byte
NOP. In 64-bit mode, the processor treats opcode 90h as a true NOP only if it would exchange rAX
with itself. Without this special handling, the instruction would zero-extend the upper 32 bits of RAX,
and thus it would not be a true no-operation. Opcode 90h can still be used to exchange rAX and r8 if
the appropriate REX prefix is used.
This special handling does not apply to the two-byte ModRM form of the XCHG instruction.

Mnemonic Opcode Description

Exchange the contents of the AX register with the
XCHG AX, reg16 90 +rw
contents of a 16-bit register.
Exchange the contents of a 16-bit register with the
XCHG reg16, AX 90 +rw
contents of the AX register.
Exchange the contents of the EAX register with the
XCHG EAX, reg32 90 +rd
contents of a 32-bit register.

XCHG reg32, EAX 90 +rd Exchange the contents of a 32-bit register with the
contents of the EAX register.
Exchange the contents of the RAX register with the
XCHG RAX, reg64 90 +rq
contents of a 64-bit register.
Exchange the contents of a 64-bit register with the
XCHG reg64, RAX 90 +rq
contents of the RAX register.
Exchange the contents of an 8-bit register with the
XCHG reg/mem8, reg8 86 /r
contents of an 8-bit register or memory operand.
Exchange the contents of an 8-bit register or memory
XCHG reg8, reg/mem8 86 /r
operand with the contents of an 8-bit register.
Exchange the contents of a 16-bit register with the
XCHG reg/mem16, reg16 87 /r
contents of a 16-bit register or memory operand.
Exchange the contents of a 16-bit register or memory
XCHG reg16, reg/mem16 87 /r
operand with the contents of a 16-bit register.
Exchange the contents of a 32-bit register with the
XCHG reg/mem32, reg32 87 /r
contents of a 32-bit register or memory operand.
Exchange the contents of a 32-bit register or memory
XCHG reg32, reg/mem32 87 /r
operand with the contents of a 32-bit register.
Exchange the contents of a 64-bit register with the
XCHG reg/mem64, reg64 87 /r
contents of a 64-bit register or memory operand.
Exchange the contents of a 64-bit register or memory
XCHG reg64, reg/mem64 87 /r
operand with the contents of a 64-bit register.

Instruction Reference XCHG 245

AMD64 Technology 24594—Rev. 3.14—September 2007

Related Instructions
BSWAP, XADD

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection, The source or destination operand was in a non-writable
#GP X
segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

246 XCHG Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

XLAT Translate Table Index

XLATB
Uses the unsigned integer in the AL register as an offset into a table and copies the contents of the table
entry at that location to the AL register.
The instruction uses seg:[rBX] as the base address of the table. The value of seg defaults to the DS
segment, but may be overridden by a segment prefix.
This instruction writes AL without changing RAX[63:8]. This instruction ignores operand size.
The single-operand form of the XLAT instruction uses the operand to document the segment and
address size attribute, but it uses the base address specified by the rBX register.
This instruction is often used to translate data from one format (such as ASCII) to another (such as
EBCDIC).

Mnemonic Opcode Description

XLAT mem8 D7 Set AL to the contents of DS:[rBX + unsigned AL].
XLATB D7 Set AL to the contents of DS:[rBX + unsigned AL].

Related Instructions
None

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.

X X X A memory address exceeded a data segment limit or was non-

General protection, canonical.
#GP
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.

General-Purpose Instruction Reference 247

AMD64 Technology 24594—Rev. 3.14—September 2007

XOR Logical Exclusive OR

Performs a bitwise exclusive OR operation on both operands and stores the result in the first operand
location. The first operand can be a register or memory location. The second operand can be an
immediate value, a register, or a memory location. XOR-ing a register with itself clears the register.
The forms of the XOR instruction that write to memory support the LOCK prefix. For details about the
LOCK prefix, see “Lock Prefix” on page 8.
The instruction performs the following operation for each bit:

X Y X XOR Y

0 0 0

0 1 1

1 0 1

1 1 0

Mnemonic Opcode Description

XOR the contents of AL with an immediate 8-bit
XOR AL, imm8 34 ib
operand and store the result in AL.
XOR the contents of AX with an immediate 16-bit
XOR AX, imm16 35 iw
operand and store the result in AX.
XOR the contents of EAX with an immediate 32-bit
XOR EAX, imm32 35 id
operand and store the result in EAX.
XOR the contents of RAX with a sign-extended
XOR RAX, imm32 35 id
immediate 32-bit operand and store the result in RAX.
XOR the contents of an 8-bit destination register or
XOR reg/mem8, imm8 80 /6 ib memory operand with an 8-bit immediate value and
store the result in the destination.
XOR the contents of a 16-bit destination register or
XOR reg/mem16, imm16 81 /6 iw memory operand with a 16-bit immediate value and
store the result in the destination.
XOR the contents of a 32-bit destination register or
XOR reg/mem32, imm32 81 /6 id memory operand with a 32-bit immediate value and
store the result in the destination.
XOR the contents of a 64-bit destination register or
XOR reg/mem64, imm32 81 /6 id memory operand with a sign-extended 32-bit immediate
value and store the result in the destination.
XOR the contents of a 16-bit destination register or
XOR reg/mem16, imm8 83 /6 ib memory operand with a sign-extended 8-bit immediate
value and store the result in the destination.

248 General-Purpose Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

XOR the contents of a 32-bit destination register or
XOR reg/mem32, imm8 83 /6 ib memory operand with a sign-extended 8-bit immediate
value and store the result in the destination.
XOR the contents of a 64-bit destination register or
XOR reg/mem64, imm8 83 /6 ib memory operand with a sign-extended 8-bit immediate
value and store the result in the destination.
XOR the contents of an 8-bit destination register or
XOR reg/mem8, reg8 30 /r memory operand with the contents of an 8-bit register
and store the result in the destination.
XOR the contents of a 16-bit destination register or
XOR reg/mem16, reg16 31 /r memory operand with the contents of a 16-bit register
and store the result in the destination.
XOR the contents of a 32-bit destination register or
XOR reg/mem32, reg32 31 /r memory operand with the contents of a 32-bit register
and store the result in the destination.
XOR the contents of a 64-bit destination register or
XOR reg/mem64, reg64 31 /r memory operand with the contents of a 64-bit register
and store the result in the destination.
XOR the contents of an 8-bit destination register with
XOR reg8, reg/mem8 32 /r the contents of an 8-bit register or memory operand and
store the results in the destination.
XOR the contents of a 16-bit destination register with
XOR reg16, reg/mem16 33 /r the contents of a 16-bit register or memory operand and
store the results in the destination.
XOR the contents of a 32-bit destination register with
XOR reg32, reg/mem32 33 /r the contents of a 32-bit register or memory operand and
store the results in the destination.
XOR the contents of a 64-bit destination register with
XOR reg64, reg/mem64 33 /r the contents of a 64-bit register or memory operand and
store the results in the destination.

Related Instructions
OR, AND, NOT, NEG

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

0 M M U M 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

General-Purpose Instruction Reference 249

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

250 General-Purpose Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

4 System Instruction Reference

This chapter describes the function, mnemonic syntax, opcodes, affected flags, and possible
exceptions generated by the system instructions. The system instructions are used to establish the
operating mode, access processor resources, handle program and system errors, and manage memory.
Many of these instructions can only be executed by privileged software, such as the operating system
kernel and interrupt handlers, that run at the highest privilege level. Only system instructions can
access certain processor resources, such as the control registers, model-specific registers, and debug
registers.
System instructions are supported in all hardware implementations of the AMD64 architecture, except
that the following system instructions are implemented only if their associated CPUID function bits
are set:
• RDMSR and WRMSR, indicated by bit 5 of CPUID function 0000_0001h or function
8000_0001h.
• SYSENTER and SYSEXIT, indicated by bit 11 of CPUID function 0000_0001h.
• SYSCALL and SYSRET, indicated by bit 11 of CPUID function 8000_0001h.
• Long Mode instructions, indicated by bit 29 of CPUID function 8000_0001h.
• There are also several other CPUID function bits that control the use of system resources and
functions, such as paging functions, virtual-mode extensions, machine-check exceptions,
advanced programmable interrupt control (APIC), memory-type range registers (MTRRs), etc.
For details, see “Processor Feature Identification” in Volume 2.
For further information about the system instructions and register resources, see:
• “System-Management Instructions” in Volume 2.
• “Summary of Registers and Data Types” on page 24.
• “Notation” on page 37.
• “Instruction Prefixes” on page 3.

Instruction Reference 251

AMD64 Technology 24594—Rev. 3.14—September 2007

ARPL Adjust Requestor Privilege Level

Compares the requestor privilege level (RPL) fields of two segment selectors in the source and
destination operands of the instruction. If the RPL field of the destination operand is less than the RPL
field of the segment selector in the source register, then the zero flag is set and the RPL field of the
destination operand is increased to match that of the source operand. Otherwise, the destination
operand remains unchanged and the zero flag is cleared.
The destination operand can be either a 16-bit register or memory location; the source operand must be
a 16-bit register.
The ARPL instruction is intended for use by operating-system procedures to adjust the RPL of a
segment selector that has been passed to the operating system by an application program to match the
privilege level of the application program. The segment selector passed to the operating system is
placed in the destination operand and the segment selector for the code segment of the application
program is placed in the source operand. The RPL field in the source operand represents the privilege
level of the application program. The ARPL instruction then insures that the RPL of the segment
selector received by the operating system is no lower than the privilege level of the application
program.
See “Adjusting Access Rights” in Volume 2, for more information on access rights.
In 64-bit mode, this opcode (63H) is used for the MOVSXD instruction.

Mnemonic Opcode Description

Adjust the RPL of a destination segment selector to
a level not less than the RPL of the segment
ARPL reg/mem16, reg16 63 /r selector specified in the 16-bit source register.
(Invalid in 64-bit mode.)

Related Instructions
LAR, LSL, VERR, VERW

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

252 ARPL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
This instruction is only recognized in protected legacy and
Invalid opcode, #UD X X compatibility mode.
Stack, #SS X A memory address exceeded the stack segment limit.
X A memory address exceeded a data segment limit.
General protection, X The destination operand was in a non-writable segment.
#GP
X A null segment selector was used to reference memory.
Page fault, #PF X A page fault resulted from the execution of the instruction.
An unaligned memory reference was performed while
Alignment check, #AC X
alignment checking was enabled.

Instruction Reference ARPL 253

AMD64 Technology 24594—Rev. 3.14—September 2007

CLGI Clear Global Interrupt Flag

Clears the global interrupt flag (GIF). While GIF is zero, all external interrupts are disabled.
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled. See “Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual
Volume-2: System Instructions, order# 24593.

Mnemonic Opcode Description

CLGI 0F 01 DD Clears the global interrupt flag (GIF).

Related Instructions
STGI

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SVM instructions are not supported as indicated by ECX
X X X
bit 2 as returned by CPUID function 8000_0001h.
Invalid opcode, #UD
X Secure Virtual Machine was not enabled (EFER.SVME=0).
X X Instruction is only recognized in protected mode.
General protection,
X CPL was not zero.
#GP

254 CLGI Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CLI Clear Interrupt Flag

Clears the interrupt flag (IF) in the rFLAGS register to zero, thereby masking external interrupts
received on the INTR input. Interrupts received on the non-maskable interrupt (NMI) input are not
affected by this instruction.
In real mode, this instruction clears IF to 0.
In protected mode and virtual-8086-mode, this instruction is IOPL-sensitive. If the CPL is less than or
equal to the rFLAGS.IOPL field, the instruction clears IF to 0.
In protected mode, if IOPL < 3, CPL = 3, and protected mode virtual interrupts are enabled (CR4.PVI
= 1), then the instruction instead clears rFLAGS.VIF to 0. If none of these conditions apply, the
processor raises a general-purpose exception (#GP). For more information, see “Protected Mode
Virtual Interrupts” in Volume 2.
In virtual-8086 mode, if IOPL < 3 and the virtual-8086-mode extensions are enabled (CR4.VME = 1),
the CLI instruction clears the virtual interrupt flag (rFLAGS.VIF) to 0 instead.
See “Virtual-8086 Mode Extensions” in Volume 2 for more information about IOPL-sensitive
instructions.

Mnemonic Opcode Description

CLI FA Clear the interrupt flag (IF) to zero.

Action
IF (CPL <= IOPL)
RFLAGS.IF = 0

ELSEIF (((VIRTUAL_MODE) && (CR4.VME = 1))

|| ((PROTECTED_MODE) && (CR4.PVI = 1) && (CPL == 3)))
RFLAGS.VIF = 0;

ELSE
EXCEPTION[#GP(0)]

Related Instructions
STI

Instruction Reference CLI 255

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The CPL was greater than the IOPL and virtual mode
X
extensions are not enabled (CR4.VME = 0).
General protection,
#GP The CPL was greater than the IOPL and either the CPL was
X not 3 or protected mode virtual interrupts were not enabled
(CR4.PVI = 0).

256 CLI Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CLTS Clear Task-Switched Flag in CR0

Clears the task-switched (TS) flag in the CR0 register to 0. The processor sets the TS flag on each task
switch. The CLTS instruction is intended to facilitate the synchronization of FPU context saves during
multitasking operations.
This instruction can only be used if the current privilege level is 0.
See “System-Control Registers” in Volume 2 for more information on FPU synchronization and the
TS flag.

Mnemonic Opcode Description

CLTS 0F 06 Clear the task-switched (TS) flag in CR0 to 0.

Related Instructions
LMSW, MOV (CRn)

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection,
X X CPL was not 0.
#GP

Instruction Reference CLTS 257

AMD64 Technology 24594—Rev. 3.14—September 2007

HLT Halt
Causes the microprocessor to halt instruction execution and enter the HALT state. Entering the HALT
state puts the processor in low-power mode. Execution resumes when an unmasked hardware interrupt
(INTR), non-maskable interrupt (NMI), system management interrupt (SMI), RESET, or INIT occurs.
If an INTR, NMI, or SMI is used to resume execution after a HLT instruction, the saved instruction
pointer points to the instruction following the HLT instruction.
Before executing a HLT instruction, hardware interrupts should be enabled. If rFLAGS.IF = 0, the
system will remain in a HALT state until an NMI, SMI, RESET, or INIT occurs.
If an SMI brings the processor out of the HALT state, the SMI handler can decide whether to return to
the HALT state or not. See Volume 2: System Programming, for information on SMIs.
Current privilege level must be 0 to execute this instruction.

Mnemonic Opcode Description

HLT F4 Halt instruction execution.

Related Instructions
STI, CLI

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection,
X X CPL was not 0.
#GP

258 HLT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

INT 3 Interrupt to Debug Vector

Calls the debug exception handler. This instruction maps to a 1-byte opcode (CC) that raises a #BP
exception. The INT 3 instruction is normally used by debug software to set instruction breakpoints by
replacing the first byte of the instruction opcode bytes with the INT 3 opcode.
This one-byte INT 3 instruction behaves differently from the two-byte INT 3 instruction (opcode CD
03) (see “INT” in Chapter 3 “General Purpose Instructions” for further information) in two ways:
The #BP exception is handled without any IOPL checking in virtual x86 mode. (IOPL mismatches will
not trigger an exception.)
• In VME mode, the #BP exception is not redirected via the interrupt redirection table. (Instead, it is
handled by a protected mode handler.)

Mnemonic Opcode Description

INT 3 CC Trap to debugger at Interrupt 3.

For complete descriptions of the steps performed by INT instructions, see the following:
• Legacy-Mode Interrupts: “Legacy Protected-Mode Interrupt Control Transfers” in Volume 2.
• Long-Mode Interrupts: “Long-Mode Interrupt Control Transfers” in Volume 2.

Action
// Refer to INT instruction’s Action section for the details on INT_N_REAL,
// INT_N_PROTECTED, and INT_N_VIRTUAL_TO_PROTECTED.
INT3_START:

If (REAL_MODE)
INT_N_REAL //N = 3

ELSEIF (PROTECTED_MODE)
INT_N_PROTECTED //N = 3

ELSE // VIRTUAL_MODE
INT_N_VIRTUAL_TO_PROTECTED //N = 3

Related Instructions
INT, INTO, IRET

Instruction Reference INT 3 259

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
If a task switch occurs, all flags are modified; otherwise, setting are as follows:
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M 0 0 M M 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Breakpoint, #BP X X X INT 3 instruction was executed.
As part of a stack switch, the target stack segment selector or
X X
rSP in the TSS that was beyond the TSS limit.
As part of a stack switch, the target stack segment selector in
X X the TSS was beyond the limit of the GDT or LDT descriptor
table.
As part of a stack switch, the target stack segment selector in
X X
the TSS was a null selector.
Invalid TSS, #TS X X
As part of a stack switch, the target stack segment selector’s
(selector) TI bit was set, but the LDT selector was a null selector.
As part of a stack switch, the target stack segment selector in
X X
the TSS contained a RPL that was not equal to its DPL.
As part of a stack switch, the target stack segment selector in
X X the TSS contained a DPL that was not equal to the CPL of the
code segment selector.
As part of a stack switch, the target stack segment selector in
X X
the TSS was not a writable segment.
Segment not
The accessed code segment, interrupt gate, trap gate, task
present, #NP X X
gate, or TSS was not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
After a stack switch, a memory address exceeded the stack
X X segment limit or was non-canonical and a stack switch
Stack, #SS occurred.
(selector) As part of a stack switch, the SS register was loaded with a
X X non-null segment selector and the segment was marked not
present.
A memory address exceeded the data segment limit or was
X X X non-canonical.
General protection,
#GP The target offset exceeded the code segment limit or was non-
X X X
canonical.

260 INT 3 Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Virtual
Exception Real 8086 Protected Cause of Exception
X X X The interrupt vector was beyond the limit of IDT.
The descriptor in the IDT was not an interrupt, trap, or task
X X gate in legacy mode or not a 64-bit interrupt or trap gate in
long mode.
The DPL of the interrupt, trap, or task gate descriptor was less
X X
than the CPL.
The segment selector specified by the interrupt or trap gate
X X
General protection, had its TI bit set, but the LDT selector was a null selector.
#GP The segment descriptor specified by the interrupt or trap gate
(selector) X X exceeded the descriptor table limit or was a null selector.
The segment descriptor specified by the interrupt or trap gate
X X was not a code segment in legacy mode, or not a 64-bit code
segment in long mode.
The DPL of the segment specified by the interrupt or trap gate
X
was greater than the CPL.
The DPL of the segment specified by the interrupt or trap gate
X
pointed was not 0 or it was a conforming segment.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X X
#AC alignment checking was enabled.

Instruction Reference INT 3 261

AMD64 Technology 24594—Rev. 3.14—September 2007

INVD Invalidate Caches

Invalidates internal caches (data cache, instruction cache, and on-chip L2 cache) and triggers a bus
cycle that causes external caches to invalidate themselves as well.
No data is written back to main memory from invalidating internal caches. After invalidating internal
caches, the processor proceeds immediately with the execution of the next instruction without waiting
for external hardware to invalidate its caches.
This is a privileged instruction. The current privilege level (CPL) of a procedure invalidating the
processor’s internal caches must be 0.
To insure that data is written back to memory prior to invalidating caches, use the WBINVD
instruction.
This instruction does not invalidate TLB caches.
INVD is a serializing instruction.

Mnemonic Opcode Description

Invalidate internal caches and trigger external cache
INVD 0F 08
invalidations.

Related Instructions
WBINVD, CLFLUSH

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection,
X X CPL was not 0.
#GP

262 INVD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

INVLPG Invalidate TLB Entry

Invalidates the TLB entry that would be used for the 1-byte memory operand.
This instruction invalidates the TLB entry, regardless of the G (Global) bit setting in the associated
PDE or PTE entry and regardless of the page size (4 Kbytes, 2 Mbytes, or 4 Mbytes). It may invalidate
any number of additional TLB entries, in addition to the targeted entry.
INVLPG is a serializing instruction and a privileged instruction. The current privilege level must be 0
to execute this instruction.
See “Page Translation and Protection” in Volume 2 for more information on page translation.

Mnemonic Opcode Description

Invalidate the TLB entry for the page containing a specified
INVLPG mem8 0F 01 /7
memory location.

Related Instructions
INVLPGA, MOV CRn (CR3 and CR4)

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection, X X CPL was not 0.
#GP

Instruction Reference INVLPG 263

AMD64 Technology 24594—Rev. 3.14—September 2007

INVLPGA Invalidate TLB Entry in a Specified ASID

Invalidates the TLB mapping for a given virtual page and a given ASID. The virtual address is
specified in the implicit register operand rAX. The portion of RAX used to form the address is
determined by the effective address size. The ASID is taken from ECX.
The INVLPGA instruction may invalidate any number of additional TLB entries, in addition to the
targeted entry.
The INVLPGA instruction is a serializing instruction and a privileged instruction. The current
privilege level must be 0 to execute this instruction.
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled. See “Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual
Volume-2: System Instructions, order# 24593.

Mnemonic Opcode Description

Invalidates the TLB mapping for the virtual page
INVLPGA rAX, ECX 0F 01 DF
specified in rAX and the ASID specified in ECX.

Related Instructions
INVLPG.

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SVM instructions are not supported as indicated by ECX
X X X bit 2 as returned by CPUID function 8000_0001h.
Invalid opcode, #UD
X Secure Virtual Machine was not enabled (EFER.SVME=0).
X X Instruction is only recognized in protected mode.
General protection,
X CPL was not zero.
#GP

264 INVLPGA Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

IRET Return from Interrupt

IRETD
IRETQ
Returns program control from an exception or interrupt handler to a program or procedure previously
interrupted by an exception, an external interrupt, or a software-generated interrupt. These instructions
also perform a return from a nested task. All flags, CS, and rIP are restored to the values they had
before the interrupt so that execution may continue at the next instruction following the interrupt or
exception. In 64-bit mode or if the CPL changes, SS and RSP are also restored.
IRET, IRETD, and IRETQ are synonyms mapping to the same opcode. They are intended to provide
semantically distinct forms for various opcode sizes. The IRET instruction is used for 16-bit operand
size; IRETD is used for 32-bit operand sizes; IRETQ is used for 64-bit operands. The latter form is
only meaningful in 64-bit mode.
IRET, IRETD, or IRETQ must be used to terminate the exception or interrupt handler associated with
the exception, external interrupt, or software-generated interrupt.
IRETx is a serializing instruction.
For detailed descriptions of the steps performed by IRETx instructions, see the following:
• Legacy-Mode Interrupts: “Legacy Protected-Mode Interrupt Control Transfers” in Volume 2.
• Long-Mode Interrupts: “Long-Mode Interrupt Control Transfers” in Volume 2.

Mnemonic Opcode Description

IRET CF Return from interrupt (16-bit operand size).
IRETD CF Return from interrupt (32-bit operand size).
IRETQ CF Return from interrupt (64-bit operand size).

Action

IRET_START:

IF (REAL_MODE)
IRET_REAL
ELSIF (PROTECTED_MODE)
IRET_PROTECTED
ELSE // (VIRTUAL_MODE)
IRET_VIRTUAL

IRET_REAL:

POP.v temp_RIP
POP.v temp_CS
POP.v temp_RFLAGS

Instruction Reference IRETx 265

AMD64 Technology 24594—Rev. 3.14—September 2007

IF (temp_RIP > CS.limit)

EXCEPTION [#GP(0)]

CS.sel = temp_CS
CS.base = temp_CS SHL 4

RFLAGS.v = temp_RFLAGS // VIF,VIP,VM unchanged

RIP = temp_RIP
EXIT

IRET_PROTECTED:

IF (RFLAGS.NT=1) // iret does a task-switch to a previous task

IF (LEGACY_MODE)
TASK_SWITCH // using the ’back link’ field in the tss
ELSE // (LONG_MODE)
EXCEPTION [#GP(0)] // task switches aren’t supported in long mode

POP.v temp_RIP
POP.v temp_CS
POP.v temp_RFLAGS

IF ((temp_RFLAGS.VM=1) && (CPL=0) && (LEGACY_MODE))

IRET_FROM_PROTECTED_TO_VIRTUAL

temp_CPL = temp_CS.rpl

IF ((64BIT_MODE) || (temp_CPL!=CPL))
{
POP.v temp_RSP // in 64-bit mode, iret always pops ss:rsp
POP.v temp_SS
}

CS = READ_DESCRIPTOR (temp_CS, iret_chk)

IF ((64BIT_MODE) && (temp_RIP is non-canonical)

|| (!64BIT_MODE) && (temp_RIP > CS.limit))
{
EXCEPTION [#GP(0)]
}

CPL = temp_CPL

IF ((started in 64-bit mode) || (changing CPL))

// ss:rsp were popped, so load them into the registers
{
SS = READ_DESCRIPTOR (temp_SS, ss_chk)
RSP.s = temp_RSP
}

266 IRETx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

IF (changing CPL)
{
FOR (seg = ES, DS, FS, GS)
IF ((seg.attr.dpl < CPL) && ((seg.attr.type = ’data’)
|| (seg.attr.type = ’non-conforming-code’)))
{
seg = NULL // can’t use lower dpl data segment at higher cpl
}
}
RFLAGS.v = temp_RFLAGS // VIF,VIP,IOPL only changed if (old_CPL=0)
// IF only changed if (old_CPL<=old_RFLAGS.IOPL)
// VM unchanged
// RF cleared
RIP = temp_RIP
EXIT

IRET_VIRTUAL:

IF ((RFLAGS.IOPL<3) && (CR4.VME=0))

EXCEPTION [#GP(0)]

POP.v temp_RIP
POP.v temp_CS
POP.v temp_RFLAGS

IF (temp_RIP > CS.limit)

EXCEPTION [#GP(0)]

IF (RFLAGS.IOPL=3)
{
RFLAGS.v = temp_RFLAGS // VIF,VIP,VM,IOPL unchanged
// RF cleared
CS.sel = temp_CS
CS.base = temp_CS SHL 4

RIP = temp_RIP
EXIT
}

// now ((IOPL<3) && (CR4.VME=1)

ELSIF ((OPERAND_SIZE=16)
&& !((temp_RFLAGS.IF=1) && (RFLAGS.VIP=1))
&& (temp_RFLAGS.TF=0))
{
RFLAGS.w = temp_RFLAGS // RFLAGS.VIF=temp_RFLAGS.IF
// IF,IOPL unchanged
// RF cleared
CS.sel = temp_CS
CS.base = temp_CS SHL 4

Instruction Reference IRETx 267

AMD64 Technology 24594—Rev. 3.14—September 2007

RIP = temp_RIP
EXIT
}
ELSE // ((RFLAGS.IOPL<3) && (CR4.VME=1) && ((OPERAND_SIZE=32) ||
// ((temp_RFLAGS.IF=1) && (RFLAGS.VIP=1)) || (temp_RFLAGS.TF=1)))
EXCEPTION [#GP(0)]

IRET_FROM_PROTECTED_TO_VIRTUAL:

// temp_RIP already popped

// temp_CS already popped
// temp_RFLAGS already popped, temp_RFLAGS.VM=1

POP.d temp_RSP
POP.d temp_SS
POP.d temp_ES
POP.d temp_DS
POP.d temp_FS
POP.d temp_GS

CS.sel = temp_CS // force the segments to have virtual-mode values

CS.base = temp_CS SHL 4
CS.limit= 0x0000FFFF
CS.attr = 16-bit dpl3 code

SS.sel = temp_SS
SS.base = temp_SS SHL 4
SS.limit= 0x0000FFFF
SS.attr = 16-bit dpl3 stack

DS.sel = temp_DS
DS.base = temp_DS SHL 4
DS.limit= 0x0000FFFF
DS.attr = 16-bit dpl3 data

ES.sel = temp_ES
ES.base = temp_ES SHL 4
ES.limit= 0x0000FFFF
ES.attr = 16-bit dpl3 data

FS.sel = temp_FS
FS.base = temp_FS SHL 4
FS.limit= 0x0000FFFF
FS.attr = 16-bit dpl3 data

GS.sel = temp_GS
GS.base = temp_GS SHL 4
GS.limit= 0x0000FFFF
GS.attr = 16-bit dpl3 data

268 IRETx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

RSP.d = temp_RSP
RFLAGS.d = temp_RFLAGS
CPL = 3

RIP = temp_RIP AND 0x0000FFFF

EXIT

Related Instructions
INT, INTO, INT3

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M M M M M M M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Segment not
present, #NP X The return code segment was marked not present.
(selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
Stack, #SS The SS register was loaded with a non-null segment selector
X
(selector) and the segment was marked not present.

X X X The target offset exceeded the code segment limit or was non-
canonical.
IOPL was less than 3 and one of the following conditions was
true:
• CR4.VME was 0.
General protection,
#GP X • The effective operand size was 32-bit.
• Both the original EFLAGS.VIP and the new EFLAGS.IF
were set.
• The new EFLAGS.TF was set.
X IRETx was executed in long mode while EFLAGS.NT=1.

Instruction Reference IRETx 269

AMD64 Technology 24594—Rev. 3.14—September 2007

Virtual
Exception Real 8086 Protected Cause of Exception
X The return code selector was a null selector.
The return stack selector was a null selector and the return
X
mode was non-64-bit mode or CPL was 3.
The return code or stack descriptor exceeded the descriptor
X table limit.
The return code or stack selector’s TI bit was set but the LDT
X
selector was a null selector.
The segment descriptor for the return code was not a code
X
segment.
The RPL of the return code segment selector was less than
X
General protection, the CPL.
#GP
(selector) The return code segment was non-conforming and the
X segment selector’s DPL was not equal to the RPL of the code
segment’s segment selector.
The return code segment was conforming and the segment
X selector’s DPL was greater than the RPL of the code
segment’s segment selector.
The segment descriptor for the return stack was not a writable
X data segment.
The stack segment descriptor DPL was not equal to the RPL
X
of the return code segment selector.
The stack segment selector RPL was not equal to the RPL of
X the return code segment selector.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

270 IRETx Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LAR Load Access Rights Byte

Loads the access rights from the segment descriptor specified by a 16-bit source register or memory
operand into a specified 16-bit, 32-bit, or 64-bit general-purpose register and sets the zero (ZF) flag in
the rFLAGS register if successful. LAR clears the zero flag if the descriptor is invalid for any reason.
The LAR instruction checks that:
• the segment selector is not a null selector.
• the descriptor is within the GDT or LDT limit.
• the descriptor DPL is greater than or equal to both the CPL and RPL, or the segment is a conform-
ing code segment.
• the descriptor type is valid for the LAR instruction. Valid descriptor types are shown in the fol-
lowing table. LDT and TSS descriptors in 64-bit mode, and call-gate descriptors in long mode, are
only valid if bits 12–8 of doubleword +12 are zero, as shown on page 111 of vol. 2 in Figure 4-22.

Valid Descriptor Type Description

Legacy Mode Long Mode

All All All code and data descriptors

1 — Available 16-bit TSS

2 2 LDT

3 — Busy 16-bit TSS

4 — 16-bit call gate

5 — Task gate

9 9 Available 32-bit or 64-bit TSS

B B Busy 32-bit or 64-bit TSS

C C 32-bit or 64-bit call gate

If the segment descriptor passes these checks, the attributes are loaded into the destination general-
purpose register. If it does not, then the zero flag is cleared and the destination register is not modified.
When the operand size is 16 bits, access rights include the DPL and Type fields located in bytes 4 and
5 of the descriptor table entry. Before loading the access rights into the destination operand, the low
order word is masked with FF00H.
When the operand size is 32 or 64 bits, access rights include the DPL and type as well as the descriptor
type (S field), segment present (P flag), available to system (AVL flag), default operation size (D/B
flag), and granularity flags located in bytes 4–7 of the descriptor. Before being loaded into the
destination operand, the doubleword is masked with 00FF_FF00H.

Instruction Reference LAR 271

AMD64 Technology 24594—Rev. 3.14—September 2007

In 64-bit mode, for both 32-bit and 64-bit operand sizes, 32-bit register results are zero-extended to 64
bits.
This instruction can only be executed in protected mode.

Mnemonic Opcode Description

Reads the GDT/LDT descriptor referenced by the 16-bit
LAR reg16, reg/mem16 0F 02 /r source operand, masks the attributes with FF00h and saves
the result in the 16-bit destination register.
Reads the GDT/LDT descriptor referenced by the 16-bit
LAR reg32, reg/mem16 0F 02 /r source operand, masks the attributes with 00FFFF00h and
saves the result in the 32-bit destination register.
Reads the GDT/LDT descriptor referenced by the 16-bit
LAR reg64, reg/mem16 0F 02 /r source operand, masks the attributes with 00FFFF00h and
saves the result in the 64-bit destination register.

Related Instructions
ARPL, LSL, VERR, VERW

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or zero is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
A memory address exceeded the stack segment limit or was
Stack, #SS X non-canonical.

X A memory address exceeded the data segment limit or was

non-canonical.
General protection,
X A null data segment was used to reference memory.
#GP
The extended attribute bits of a system descriptor was not
X
zero in 64-bit mode.
Page fault, #PF X A page fault resulted from the execution of the instruction.
An unaligned memory reference was performed while
Alignment check, #AC X alignment checking was enabled.

272 LAR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LGDT Load Global Descriptor Table Register

Loads the pseudo-descriptor specified by the source operand into the global descriptor table register
(GDTR). The pseudo-descriptor is a memory location containing the GDTR base and limit. In legacy
and compatibility mode, the pseudo-descriptor is 6 bytes; in 64-bit mode, it is 10 bytes.
If the operand size is 16 bits, the high-order byte of the 6-byte pseudo-descriptor is not used. The lower
two bytes specify the 16-bit limit and the third, fourth, and fifth bytes specify the 24-bit base address.
The high-order byte of the GDTR is filled with zeros.
If the operand size is 32 bits, the lower two bytes specify the 16-bit limit and the upper four bytes
specify a 32-bit base address.
In 64-bit mode, the lower two bytes specify the 16-bit limit and the upper eight bytes specify a 64-bit
base address. In 64-bit mode, operand-size prefixes are ignored and the operand size is forced to 64-
bits; therefore, the pseudo-descriptor is always 10 bytes.
This instruction is only used in operating system software and must be executed at CPL 0. It is
typically executed once in real mode to initialize the processor before switching to protected mode.
LGDT is a serializing instruction.

Mnemonic Opcode Description

LGDT mem16:32 0F 01 /2 Loads mem16:32 into the global descriptor table register.
LGDT mem16:64 0F 01 /2 Loads mem16:64 into the global descriptor table register.

Related Instructions
LIDT, LLDT, LTR, SGDT, SIDT, SLDT, STR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X The operand was a register.
A memory address exceeded the stack segment limit or was
Stack, #SS X X
non-canonical.

Instruction Reference LGDT 273

AMD64 Technology 24594—Rev. 3.14—September 2007

Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the data segment limit or was
X X non-canonical.
General protection, X X CPL was not 0.
#GP
X The new GDT base address was non-canonical.
X A null data segment was used to reference memory.
Page fault, #PF X A page fault resulted from the execution of the instruction.

274 LGDT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LIDT Load Interrupt Descriptor Table Register

Loads the pseudo-descriptor specified by the source operand into the interrupt descriptor table register
(IDTR). The pseudo-descriptor is a memory location containing the IDTR base and limit. In legacy
and compatibility mode, the pseudo-descriptor is six bytes; in 64-bit mode, it is 10 bytes.
If the operand size is 16 bits, the high-order byte of the 6-byte pseudo-descriptor is not used. The lower
two bytes specify the 16-bit limit and the third, fourth, and fifth bytes specify the 24-bit base address.
The high-order byte of the IDTR is filled with zeros.
If the operand size is 32 bits, the lower two bytes specify the 16-bit limit and the upper four bytes
specify a 32-bit base address.
In 64-bit mode, the lower two bytes specify the 16-bit limit, and the upper eight bytes specify a 64-bit
base address. In 64-bit mode, operand-size prefixes are ignored and the operand size is forced to 64-
bits; therefore, the pseudo-descriptor is always 10 bytes.
This instruction is only used in operating system software and must be executed at CPL 0. It is
normally executed once in real mode to initialize the processor before switching to protected mode.
LIDT is a serializing instruction.

Mnemonic Opcode Description

LIDT mem16:32 0F 01 /3 Loads mem16:32 into the interrupt descriptor table register.
LIDT mem16:64 0F 01 /3 Loads mem16:64 into the interrupt descriptor table register.

Related Instructions
LGDT, LLDT, LTR, SGDT, SIDT, SLDT, STR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X The operand was a register.
A memory address exceeded the stack segment limit or was
Stack, #SS X X
non-canonical.

Instruction Reference LIDT 275

AMD64 Technology 24594—Rev. 3.14—September 2007

Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the data segment limit or was
X X non-canonical.
General protection, X X CPL was not 0.
#GP
X The new IDT base address was non-canonical.
X A null data segment was used to reference memory.
Page fault, #PF X A page fault resulted from the execution of the instruction.

276 LIDT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LLDT Load Local Descriptor Table Register

Loads the specified segment selector into the visible portion of the local descriptor table (LDT). The
processor uses the selector to locate the descriptor for the LDT in the global descriptor table. It then
loads this descriptor into the hidden portion of the LDTR.
If the source operand is a null selector, the LDTR is marked invalid and all references to descriptors in
the LDT will generate a general protection exception (#GP), except for the LAR, VERR, VERW or
LSL instructions.
In legacy and compatibility modes, the LDT descriptor is 8 bytes long and contains a 32-bit base
address.
In 64-bit mode, the LDT descriptor is 16-bytes long and contains a 64-bit base address. The LDT
descriptor type (02h) is redefined in 64-bit mode for use as the 16-byte LDT descriptor.
This instruction must be executed in protected mode. It is only provided for use by operating system
software at CPL 0.
LLDT is a serializing instruction.

Mnemonic Opcode Description

LLDT Load the 16-bit segment selector into the local descriptor
0F 00 /2
reg/mem16 table register and load the LDT descriptor from the GDT.

Related Instructions
LGDT, LIDT, LTR, SGDT, SIDT, SLDT, STR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
Segment not present,
X The LDT descriptor was marked not present.
#NP (selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X
non-canonical.

X A memory address exceeded a data segment limit or was

non-canonical.
General protection,
#GP X CPL was not 0.
X A null data segment was used to reference memory.

Instruction Reference LLDT 277

AMD64 Technology 24594—Rev. 3.14—September 2007

Virtual
Exception Real 8086 Protected Cause of Exception
X The source selector did not point into the GDT.
X The descriptor was beyond the GDT limit.
General protection,
X The descriptor was not an LDT descriptor.
#GP
(selector) The descriptor's extended attribute bits were not zero in 64-
X bit mode.
X The new LDT base address was non-canonical.
Page fault, #PF X A page fault resulted from the execution of the instruction.

278 LLDT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

LMSW Load Machine Status Word

Loads the lower four bits of the 16-bit register or memory operand into bits 3–0 of the machine status
word in register CR0. Only the protection enabled (PE), monitor coprocessor (MP), emulation (EM),
and task switched (TS) bits of CR0 are modified. Additionally, LMSW can set CR0.PE, but cannot
clear it.
The LMSW instruction can be used only when the current privilege level is 0. It is only provided for
compatibility with early processors.
Use the MOV CR0 instruction to load all 32 or 64 bits of CR0.

Mnemonic Opcode Description

Load the lower 4 bits of the source into the lower 4 bits of
LMSW reg/mem16 0F 01 /6
CR0.

Related Instructions
MOV (CRn), SMSW

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X
canonical.
General protection,
#GP X X CPL was not 0.
X A null data segment was used to reference memory.
Page fault, #PF X A page fault resulted from the execution of the instruction.

Instruction Reference LMSW 279

AMD64 Technology 24594—Rev. 3.14—September 2007

LSL Load Segment Limit

Loads the segment limit from the segment descriptor specified by a 16-bit source register or memory
operand into a specified 16-bit, 32-bit, or 64-bit general-purpose register and sets the zero (ZF) flag in
the rFLAGS register if successful. LSL clears the zero flag if the descriptor is invalid for any reason.
In 64-bit mode, for both 32-bit and 64-bit operand sizes, 32-bit register results are zero-extended to 64
bits.
The LSL instruction checks that:
• the segment selector is not a null selector.
• the descriptor is within the GDT or LDT limit.
• the descriptor DPL is greater than or equal to both the CPL and RPL, or the segment is a conform-
ing code segment.
• the descriptor type is valid for the LAR instruction. Valid descriptor types are shown in the fol-
lowing table. LDT and TSS descriptors in 64-bit mode are only valid if bits 12–8 of doubleword
+12 are zero, as shown on Figure 4-22 on page 89 of Volume 2: System Programming.

Valid Descriptor Type Description

Legacy Mode Long Mode

— — All code and data descriptors

1 — Available 16-bit TSS

2 2 LDT

3 — Busy 16-bit TSS

9 9 Available 32-bit or 64-bit TSS

B B Busy 32-bit or 64-bit TSS

If the segment selector passes these checks and the segment limit is loaded into the destination general-
purpose register, the instruction sets the zero flag of the rFLAGS register to 1. If the selector does not
pass the checks, then LSL clears the zero flag to 0 and does not modify the destination.
The instruction calculates the segment limit to 32 bits, taking the 20-bit limit and the granularity bit
into account. When the operand size is 16 bits, it truncates the upper 16 bits of the 32-bit adjusted
segment limit and loads the lower 16-bits into the target register.

Mnemonic Opcode Description

Loads a 16-bit general-purpose register with the segment
LSL reg16, reg/mem16 0F 03 /r limit for a selector specified in a 16-bit memory or register
operand.

280 LSL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Loads a 32-bit general-purpose register with the segment

LSL reg32, reg/mem16 0F 03 /r limit for a selector specified in a 16-bit memory or register
operand.
Loads a 64-bit general-purpose register with the segment
LSL reg64, reg/mem16 0F 03 /r limit for a selector specified in a 16-bit memory or register
operand.

Related Instructions
ARPL, LAR, VERR, VERW

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
A memory address exceeded the stack segment limit or was
Stack, #SS X
non-canonical.
A memory address exceeded a data segment limit or was non-
X canonical.
General protection,
#GP X A null data segment was used to reference memory.
The extended attribute bits of a system descriptor was not
X
zero in 64-bit mode.
Page fault, #PF X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X
#AC alignment checking was enabled.

Instruction Reference LSL 281

AMD64 Technology 24594—Rev. 3.14—September 2007

LTR Load Task Register

Loads the specified segment selector into the visible portion of the task register (TR). The processor
uses the selector to locate the descriptor for the TSS in the global descriptor table. It then loads this
descriptor into the hidden portion of TR. The TSS descriptor in the GDT is marked busy, but no task
switch is made.
If the source operand is null, a general protection exception (#GP) is generated.
In legacy and compatibility modes, the TSS descriptor is 8 bytes long and contains a 32-bit base
address.
In 64-bit mode, the instruction references a 64-bit descriptor to load a 64-bit base address. The TSS
type (09H) is redefined in 64-bit mode for use as the 16-byte TSS descriptor.
This instruction must be executed in protected mode when the current privilege level is 0. It is only
provided for use by operating system software.
The operand size attribute has no effect on this instruction.
LTR is a serializing instruction.

Mnemonic Opcode Description

Load the 16-bit segment selector into the task register and
LTR reg/mem16 0F 00 /3
load the TSS descriptor from the GDT.

Related Instructions
LGDT, LIDT, LLDT, STR, SGDT, SIDT, SLDT

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
Segment not present,
X The TSS descriptor was marked not present.
#NP (selector)
A memory address exceeded the stack segment limit or was
Stack, #SS X
non-canonical.

282 LTR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded a data segment limit or was
X non-canonical.
General protection, X CPL was not 0.
#GP
X A null data segment was used to reference memory.
X The new TSS selector was a null selector.
X The source selector did not point into the GDT.
X The descriptor was beyond the GDT limit.
General protection, X The descriptor was not an available TSS descriptor.
#GP
(selector) The descriptor's extended attribute bits were not zero in 64-
X
bit mode.
X The new TSS base address was non-canonical.
Page fault, #PF X A page fault resulted from the execution of the instruction.

Instruction Reference LTR 283

AMD64 Technology 24594—Rev. 3.14—September 2007

MONITOR Setup Monitor Address

Establishes a linear address range of memory for hardware to monitor and puts the processor in the
monitor event pending state. When in the monitor event pending state, the monitoring hardware
detects stores to the specified linear address range and causes the processor to exit the monitor event
pending state. The MWAIT instruction uses the state of the monitor hardware.
The address range should be a write-back memory type. Executing MONITOR on an address range for
a non-write-back memory type is not guaranteed to cause the processor to enter the monitor event
pending state. The size of the linear address range that is established by the MONITOR instruction can
be determined by CPUID function 0000_0005h.
The [rAX] register provides the effective address. The DS segment is the default segment used to
create the linear address. Segment overrides may be used with the MONITOR instruction.
The ECX register specifies optional extensions for the MONITOR instruction. There are currently no
extensions defined and setting any bits in ECX will result in a #GP exception. The ECX register
operand is implicitly 32-bits.
The EDX register specifies optional hints for the MONITOR instruction. There are currently no hints
defined and EDX is ignored by the processor. The EDX register operand is implicitly 32-bits.
The MONITOR instruction can be executed at CPL 0 and is allowed at CPL > 0
only if MSR C001_0015h[MonMwaitUserEn] = 1. When MSR C001_0015h[MonMwaitUserEn] = 0,
MONITOR generates #UD at CPL > 0. (See the appropriate version of the BIOS and Kernel
Developer's Guide for specific details on MSR C001_0015h.)
MONITOR performs the same segmentation and paging checks as a 1-byte read.
Support for the MONITOR instruction is indicated by ECX bit 3 (Monitor) as returned by CPUID
function 0000_0001h. Software must check the CPUID bit once per program or library initialization
before using the MONITOR instruction, or inconsistent behavior may result. Software designed to run
at CPL greater than 0 must also check for availability by testing whether executing MONITOR causes
a #UD exception.
The following pseudo-code shows typical usage of a MONITOR/MWAIT pair:
EAX = Linear_Address_to_Monitor;
ECX = 0; // Extensions
EDX = 0; // Hints

while (!matching_store_done){
MONITOR EAX, ECX, EDX
IF (!matching_store_done) {
MWAIT EAX, ECX
}
}

284 MONITOR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Mnemonic Opcode Description

Establishes a linear address range to be monitored

MONITOR 0F 01 C8
by hardware and activates the monitor hardware.

Related Instructions
MWAIT

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The MONITOR/MWAIT instructions are not
X X X supported, as indicated by ECX bit 3 (Monitor) as
Invalid opcode, #UD returned by CPUID function 0000_0001h.
CPL was not zero and
X X MSR C001_0015[MonMwaitUserEn] = 0.
A memory address exceeded the stack segment limit
Stack, #SS X X X or was non-canonical.
A memory address exceeded a data segment limit or
X X X
was non-canonical.
General protection, #GP
X X X ECX was non-zero.
X A null data segment was used to reference memory.
A page fault resulted from the execution of the
Page Fault, #PF X X
instruction.

Instruction Reference MONITOR 285

AMD64 Technology 24594—Rev. 3.14—September 2007

MOV (CRn) Move to/from Control Registers

Moves the contents of a 32-bit or 64-bit general-purpose register to a control register or vice versa.
In 64-bit mode, the operand size is fixed at 64 bits without the need for a REX prefix. In non-64-bit
mode, the operand size is fixed at 32 bits and the upper 32 bits of the destination are forced to 0.
CR0 maintains the state of various control bits. CR2 and CR3 are used for page translation. CR4 holds
various feature enable bits. CR8 is used to prioritize external interrupts. CR1, CR5, CR6, CR7, and
CR9 through CR15 are all reserved and raise an undefined opcode exception (#UD) if referenced.
CR8 can be read and written in 64-bit mode, using a REX prefix. CR8 can be read and written in all
modes using a LOCK prefix instead of a REX prefix to specify the additional opcode bit. To verify
whether the LOCK prefix can be used in this way, check the status of ECX bit 4 returned by CPUID
function 8000_0001h.
CR8 can also be read and modified using the task priority register described in “System-Control
Registers” in Volume 2.
This instruction is always treated as a register-to-register (MOD = 11) instruction, regardless of the
encoding of the MOD field in the MODR/M byte.
MOV(CRn) is a privileged instruction and must always be executed at CPL = 0.
MOV (CRn) is a serializing instruction.

Mnemonic Opcode Description

MOV CRn, reg32 0F 22 /r Move the contents of a 32-bit register to CRn
MOV CRn, reg64 0F 22 /r Move the contents of a 64-bit register to CRn
MOV reg32, CRn 0F 20 /r Move the contents of CRn to a 32-bit register.
MOV reg64, CRn 0F 20 /r Move the contents of CRn to a 64-bit register.
MOV CR8, reg32 F0 0F 22/r Move the contents of a 32-bit register to CR8.
MOV CR8, reg64 F0 0F 22/r Move the contents of a 64-bit register to CR8.
MOV reg32, CR8 F0 0F 20/r Move the contents of CR8 into a 32-bit register.
MOV reg64, CR8 F0 0F 20/r Move the contents of CR8 into a 64-bit register.

Related Instructions
CLTS, LMSW, SMSW

rFLAGS Affected
None

286 MOV (CRn) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
An illegal control register was referenced (CR1, CR5–CR7,
X X X CR9–CR15).
Invalid Instruction,
#UD The use of the LOCK prefix to read CR8 is not supported, as
X X X indicated by ECX bit 4 as returned by CPUID function
8000_0001h.
X X CPL was not 0.
X X An attempt was made to set CR0.PG = 1 and CR0.PE = 0.
X X An attempt was made to set CR0.CD = 0 and CR0.NW = 1.
Reserved bits were set in the page-directory pointers table
X X (used in the legacy extended physical addressing mode) and
the instruction modified CR0, CR3, or CR4.
General protection,
#GP An attempt was made to write 1 to any reserved bit in CR0,
X X
CR3, CR4 or CR8.
An attempt was made to set CR0.PG while long mode was
X X enabled (EFER.LME = 1), but paging address extensions
were disabled (CR4.PAE = 0).
An attempt was made to clear CR4.PAE while long mode was
X
active (EFER.LMA = 1).

Instruction Reference MOV (CRn) 287

AMD64 Technology 24594—Rev. 3.14—September 2007

MOV(DRn) Move to/from Debug Registers

Moves the contents of a debug register into a 32-bit or 64-bit general-purpose register or vice versa.
In 64-bit mode, the operand size is fixed at 64 bits without the need for a REX prefix. In non-64-bit
mode, the operand size is fixed at 32-bits and the upper 32 bits of the destination are forced to 0.
DR0 through DR3 are linear breakpoint address registers. DR6 is the debug status register and DR7 is
the debug control register. DR4 and DR5 are aliased to DR6 and DR7 if CR4.DE = 0, and are reserved
if CR4.DE = 1.
DR8 through DR15 are reserved and generate an undefined opcode exception if referenced.
These instructions are privileged and must be executed at CPL 0.
The MOV DRn,reg32 and MOV DRn,reg64 instructions are serializing instructions.
The MOV(DR) instruction is always treated as a register-to-register (MOD = 11) instruction,
regardless of the encoding of the MOD field in the MODR/M byte.
See “Debug and Performance Resources” in Volume 2 for details.

Mnemonic Opcode Description

MOV reg32, DRn 0F 21 /r Move the contents of DRn to a 32-bit register.
MOV reg64, DRn 0F 21 /r Move the contents of DRn to a 64-bit register.
MOV DRn, reg32 0F 23 /r Move the contents of a 32-bit register to DRn.
MOV DRn, reg64 0F 23 /r Move the contents of a 64-bit register to DRn.

Related Instructions
None

rFLAGS Affected
None

288 MOV(DRn) Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A debug register was referenced while the general detect
Debug, #DB X X (GD) bit in DR7 was set.
DR4 or DR5 was referenced while the debug extensions
X X
Invalid opcode, #UD (DE) bit in CR4 was set.
X An illegal debug register (DR8–DR15) was referenced.
X X CPL was not 0.
General protection,
#GP A 1 was written to any of the upper 32 bits of DR6 or DR7 in
X
64-bit mode.

Instruction Reference MOV(DRn) 289

AMD64 Technology 24594—Rev. 3.14—September 2007

MWAIT Monitor Wait

Used in conjunction with the MONITOR instruction to cause a processor to wait until a store occurs to
a specific linear address range from another processor. The previously executed MONITOR
instruction causes the processor to enter the monitor event pending state. The MWAIT instruction may
enter an implementation dependent power state until the monitor event pending state is exited. The
MWAIT instruction has the same effect on architectural state as the NOP instruction.
Events that cause an exit from the monitor event pending state include:
• A store from another processor matches the address range established by the MONITOR instruc-
tion.
• Any unmasked interrupt, including INTR, NMI, SMI, INIT.
• RESET.
• Any far control transfer that occurs between the MONITOR and the MWAIT.
EAX specifies optional hints for the MWAIT instruction. There are currently no hints defined and all
bits should be 0. Setting a reserved bit in EAX is ignored by the processor.
ECX specifies optional extensions for the MWAIT instruction. The only extension currently defined is
ECX bit 0, which allows interrupts to wake MWAIT, even when eFLAGS.IF=0. Support for this
extension is indicated by CPUID. Setting any unsupported bit in ECX results in a #GP exception.
CPUID function 5 indicates support for extended features of MONITOR/MWAIT in ECX:
• ECX[0] indicates support for enumeration of MONITOR/MWAIT extensions.
• ECX[1] indicates that MWAIT can use ECX bit 0 to allow interrupts to cause an exit from the
monitor event pending state even when eFLAGS.IF=0.
The MWAIT instruction can be executed at CPL 0 and is allowed at CPL > 0 only if MSR
C001_0015h[MonMwaitUserEn] =1. When MSR C001_0015h[MonMwaitUserEn] is 0, MWAIT
generates #UD at CPL > 0. (See the appropriate version of the BIOS and Kernel Developer's Guide for
specific details on MSR C001_0015h.)
Support for the MWAIT instruction is indicated by ECX bit 3 (Monitor) as returned by CPUID
function 0000_0001h. Software MUST check the CPUID bit once per program or library initialization
before using the MWAIT instruction, or inconsistent behavior may result. Software designed to run at
CPL greater than 0 must also check for availability by testing whether executing MWAIT causes a
#UD exception.
The use of the MWAIT instruction is contingent upon the satisfaction of the following coding
requirements:
• MONITOR must precede the MWAIT and occur in the same loop.
• MWAIT must be conditionally executed only if the awaited store has not already occurred. (This
prevents a race condition between the MONITOR instruction arming the monitoring hardware
and the store intended to trigger the monitoring hardware.)

290 MWAIT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

The following pseudo-code shows typical usage of a MONITOR/MWAIT pair:

EAX = Linear_Address_to_Monitor;
ECX = 0; // Extensions
EDX = 0; // Hints

while (!matching_store_done ){
MONITOR EAX, ECX, EDX
IF ( !matching_store_done ) {
MWAIT EAX, ECX
}
}

Mnemonic Opcode Description

Causes the processor to stop instruction execution

MWAIT 0F 01 C9 and enter an implementation-dependent optimized
state until occurrence of a class of events.

Related Instructions
MONITOR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The MONITOR/MWAIT instructions are not supported,
X X X as indicated by ECX bit 3 (Monitor) as returned by
Invalid opcode, #UD CPUID function 0000_0001h.
CPL was not zero and
X X
MSRC001_0015[MonMwaitUserEn] = 0.
General protection,
X X X Unsupported extension bits were set in ECX
#GP

Instruction Reference MWAIT 291

AMD64 Technology 24594—Rev. 3.14—September 2007

RDMSR Read Model-Specific Register

Loads the contents of a 64-bit model-specific register (MSR) specified in the ECX register into
registers EDX:EAX. The EDX register receives the high-order 32 bits and the EAX register receives
the low order bits. The RDMSR instruction ignores operand size; ECX always holds the MSR number,
and EDX:EAX holds the data. If a model-specific register has fewer than 64 bits, the unimplemented
bit positions loaded into the destination registers are undefined.
This instruction must be executed at a privilege level of 0 or a general protection exception (#GP) will
be raised. This exception is also generated if a reserved or unimplemented model-specific register is
specified in ECX.
Use the CPUID instruction to determine if this instruction is supported.
For more information about model-specific registers, see the documentation for various hardware
implementations and Volume 2: System Programming.

Mnemonic Opcode Description

RDMSR 0F 32 Copy MSR specified by ECX into EDX:EAX.

Related Instructions
WRMSR, RDTSC, RDPMC

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The RDMSR instruction is not supported, as indicated by
Invalid opcode, #UD X X X EDX bit 5 returned by CPUID function 0000_0001h or function
8000_0001h.
X X CPL was not 0.
General protection,
#GP The value in ECX specifies a reserved or unimplemented
X X
MSR address.

292 RDMSR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

RDPMC Read Performance-Monitoring Counter

Loads the contents of a 64-bit performance counter register (PerfCtrn) specified in the ECX register
into registers EDX:EAX. The EDX register receives the high-order 32 bits and the EAX register
receives the low order 32 bits. The RDPMC instruction ignores operand size; ECX always holds the
number of the PerfCtr, and EDX:EAX holds the data.
The AMD64 architecture currently supports four performance counters: PerfCtr0 through PerfCtr3. To
specify the performance counter number in ECX, specify the counter number
(0000_0000h–0000_0003h), rather than the performance counter MSR address
(C001_0004h–C001_0007h).
Programs running at any privilege level can read performance monitor counters if the PCE flag in CR4
is set to 1; otherwise this instruction must be executed at a privilege level of 0.
This instruction is not serializing. Therefore, there is no guarantee that all instructions have completed
at the time the performance counter is read.
For more information about performance-counter registers, see the documentation for various
hardware implementations and “Performance Counters” in Volume 2.

Mnemonic Opcode Description

Copy the performance monitor counter specified
RDPMC 0F 33
by ECX into EDX:EAX.

Related Instructions
RDMSR, WRMSR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The value in ECX specified an unimplemented performance
General Protection, X X X
counter number.
#GP
X X CPL was not 0 and CR4.PCE = 0.

Instruction Reference RDPMC 293

AMD64 Technology 24594—Rev. 3.14—September 2007

RDTSC Read Time-Stamp Counter

Loads the value of the processor’s 64-bit time-stamp counter into registers EDX:EAX.
The time-stamp counter (TSC) is contained in a 64-bit model-specific register (MSR). The processor
sets the counter to 0 upon reset and increments the counter every clock cycle. INIT does not modify the
TSC.
The high-order 32 bits are loaded into EDX, and the low-order 32 bits are loaded into the EAX register.
This instruction ignores operand size.
When the time-stamp disable flag (TSD) in CR4 is set to 1, the RDTSC instruction can only be used at
privilege level 0. If the TSD flag is 0, this instruction can be used at any privilege level.
This instruction is not serializing. Therefore, there is no guarantee that all instructions have completed
at the time the time-stamp counter is read.
The behavior of the RDTSC instruction is implementation dependent. The TSC counts at a constant
rate, but may be affected by power management events (such as frequency changes), depending on the
processor implementation. If CPUID 8000_0007.edx[8] = 1, then the TSC rate is ensured to be
invariant across all P-States, C-States, and stop-grant transitions (such as STPCLK Throttling);
therefore, the TSC is suitable for use as a source of time. Consult the BIOS and kernel developer’s
guide for your AMD processor implementation for information concerning the effect of power
management on the TSC.

Mnemonic Opcode Description

RDTSC 0F 31 Copy the time-stamp counter into EDX:EAX.

Related Instructions
RDTSCP, RDMSR, WRMSR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The RDTSC instruction is not supported, as indicated by
Invalid opcode, #UD X X X EDX bit 4 returned by CPUID function 0000_0001h or
function 8000_0001h.
General protection,
X X CPL was not 0 and CR4.TSD = 1.
#GP

294 RDTSC Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

RDTSCP Read Time-Stamp Counter

and Processor ID
Loads the value of the processor’s 64-bit time-stamp counter into registers EDX:EAX, and loads the
value of TSC_AUX into ECX. This instruction ignores operand size.
The time-stamp counter is contained in a 64-bit model-specific register (MSR). The processor sets the
counter to 0 upon reset and increments the counter every clock cycle. INIT does not modify the TSC.
The high-order 32 bits are loaded into EDX, and the low-order 32 bits are loaded into the EAX register.
The TSC_AUX value is contained in the low-order 32 bits of the TSC_AUX register (MSR address
C000_0103h). This MSR is initialized by privileged software to any meaningful value, such as a
processor ID, that software wants to associate with the returned TSC value.
When the time-stamp disable flag (TSD) in CR4 is set to 1, the RDTSCP instruction can only be used
at privilege level 0. If the TSD flag is 0, this instruction can be used at any privilege level.
Unlike the RDTSC instruction, RDTSCP forces all older instructions to retire before reading the time-
stamp counter.
The behavior of the RDTSCP instruction is implementation dependent. The TSC counts at a constant
rate, but may be affected by power management events (such as frequency changes), depending on the
processor implementation. If CPUID 8000_0007.edx[8] = 1, then the TSC rate is ensured to be
invariant across all P-States, C-States, and stop-grant transitions (such as STPCLK Throttling);
therefore, the TSC is suitable for use as a source of time. Consult the BIOS and kernel developer’s
guide for your AMD processor implementation for information concerning the effect of power
management on the TSC.
Use the CPUID instruction to verify support for this instruction.

Mnemonic Opcode Description

Copy the time-stamp counter into EDX:EAX and
RDTSCP 0F 01 F9
the TSC_AUX register into ECX.

Related Instructions
RDTSC

rFLAGS Affected
None

Instruction Reference RDTSCP 295

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The RDTSCP instruction is not supported, as indicated by
Invalid opcode, #UD X X X EDX bit 27 returned by CPUID function 8000_0001h.
General protection,
X X CPL was not 0 and CR4.TSD = 1.
#GP

296 RDTSCP Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

RSM Resume from System Management Mode

Resumes an operating system or application procedure previously interrupted by a system
management interrupt (SMI). The processor state is restored from the information saved when the SMI
was taken. If the processor detects invalid state information in the system management mode (SMM)
save area during RSM, it goes into a shutdown state.
RSM will shutdown if any of the following conditions are found in the save map (SSM):
• An illegal combination of flags in CR0 (CR0.PG = 1 and CR0.PE = 0, or CR0.NW = 1 and
CR0.CD = 0).
• A reserved bit in CR0, CR3, CR4, DR6, DR7, or the extended feature enable register (EFER) is
set to 1.
• The following bit combination occurs: EFER.LME = 1, CR0.PG = 1, CR4.PAE = 0.
• The following bit combination occurs: EFER.LME = 1, CR0.PG = 1, CR4.PAE = 1, CS.D = 1,
CS.L = 1.
• SMM revision field has been modified.
RSM cannot modify EFER.SVME. Attempts to do so are ignored.
When EFER.SVME is 1, RSM reloads the four PDPEs (through the incoming CR3) when returning to
a mode that has legacy PAE mode paging enabled.
When EFER.SVME is 1, the RSM instruction is permitted to return to paged real mode (i.e.,
CR0.PE=0 and CR0.PG=1).
The AMD64 architecture uses a new 64-bit SMM state-save memory image. This 64-bit save-state
map is used in all modes, regardless of mode. See “System-Management Mode” in Volume 2 for
details.

Mnemonic Opcode Description

RSM 0F AA Resume operation of an interrupted program.

Related Instructions
None

Instruction Reference RSM 297

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
All flags are restored from the state-save map (SSM).
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M M M M M M M M M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are
blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X The processor was not in System Management Mode (SMM).

298 RSM Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SGDT Store Global Descriptor Table Register

Stores the global descriptor table register (GDTR) into the destination operand. In legacy and
compatibility mode, the destination operand is 6 bytes; in 64-bit mode, it is 10 bytes. In all modes,
operand-size prefixes are ignored.
In non-64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 4 bytes
specify the 32-bit base address.
In 64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 8 bytes
specify the 64-bit base address.
This instruction is intended for use in operating system software, but it can be used at any privilege
level.

Mnemonic Opcode Description

SGDT mem16:32 0F 01 /0 Store global descriptor table register to memory.
SGDT mem16:64 0F 01 /0 Store global descriptor table register to memory.

Related Instructions
SIDT, SLDT, STR, LGDT, LIDT, LLDT, LTR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X The operand was a register.
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

Instruction Reference SGDT 299

AMD64 Technology 24594—Rev. 3.14—September 2007

SIDT Store Interrupt Descriptor Table Register

Stores the interrupt descriptor table register (IDTR) in the destination operand. In legacy and
compatibility mode, the destination operand is 6 bytes; in 64-bit mode it is 10 bytes. In all modes,
operand-size prefixes are ignored.
In non-64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 4 bytes
specify the 32-bit base address.
In 64-bit mode, the lower two bytes of the operand specify the 16-bit limit and the upper 8 bytes
specify the 64-bit base address.
This instruction is intended for use in operating system software, but it can be used at any privilege
level.

Mnemonic Opcode Description

SIDT mem16:32 0F 01 /1 Store interrupt descriptor table register to memory.
SIDT mem16:64 0F 01 /1 Store interrupt descriptor table register to memory.

Related Instructions
SGDT, SLDT, STR, LGDT, LIDT, LLDT, LTR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X The operand was a register.
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, X X An unaligned memory reference was performed while
#AC alignment checking was enabled.

300 SIDT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SKINIT Secure Init and Jump with Attestation

Securely reinitializes the cpu, allowing for the startup of trusted software (such as a VMM). The code
to be executed after reinitialization can be verified based on a secure hash comparison. SKINIT takes
the physical base address of the SLB as its only input operand, in EAX. The SLB must be structured as
described in “Secure Loader Block” on page 415 of the AMD64 Architecture Programmer’s Manual
Volume 2: System Programming, order# 24593, and is assumed to contain the code for a Secure Loader
(SL).
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled. See “Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual
Volume 2: System Instructions, order# 24593.

Mnemonic Opcode Description

SKINIT EAX 0F 01 DE Secure initialization and jump, with attestation.

Action
IF ((EFER.SVMEN == 0) && !(CPUID 8000_0001.ECX[SKINIT]) || (!PROTECTED_MODE))

EXCEPTION [#UD] // This instruction can only be executed

// in protected mode with SVM enabled.

IF (CPL != 0) // This instruction is only allowed at CPL 0.

EXCEPTION [#GP]

Initialize processor state as for an INIT signal

CR0.PE = 1

CS.sel = 0x0008
CS.attr = 32-bit code, read/execute
CS.base = 0
CS.limit = 0xFFFFFFFF

SS.sel = 0x0010
SS.attr = 32-bit stack, read/write, expand up
SS.base = 0
SS.limit = 0xFFFFFFFF

EAX = EAX & 0xFFFF0000 // Form SLB base address.

EDX = family/model/stepping
ESP = EAX + 0x00010000 // Initial SL stack.
Clear GPRs other than EAX, EDX, ESP

EFER = 0
VM_CR.DPD = 1
VM_CR.R_INIT = 1
VM_CR.DIS_A20M = 1

Instruction Reference SKINIT 301

AMD64 Technology 24594—Rev. 3.14—September 2007

Enable SL_DEV, to protect 64Kbyte of physical memory starting at

the physical address in EAX

GIF = 0

Read the SL length from offset 0x0002 in the SLB

Copy the SL image to the TPM for attestation

Read the SL entrypoint offset from offset 0x0000 in the SLB

Jump to the SL entrypoint, at EIP = EAX+entrypoint offset

Related Instructions
None.

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to 1 or cleared to 0 is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Secure Virtual Machine was not enabled (EFER.SVME=0)
and both of the following conditions were true:
• SVM-Lock is not available, as indicated by EDX bit 2
X returned by CPUID function 8000_000Ah.
Invalid opcode, #UD
• DEV is not available, as indicated by ECX bit 12 returned
by CPUID function 8000_0001h.
X X Instruction is only recognized in protected mode.
General protection,
X CPL was not zero.
#GP

302 SKINIT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SLDT Store Local Descriptor Table Register

Stores the local descriptor table (LDT) selector to a register or memory destination operand.
If the destination is a register, the selector is zero-extended into a 16-, 32-, or 64-bit general purpose
register, depending on operand size.
If the destination operand is a memory location, the segment selector is written to memory as a 16-bit
value, regardless of operand size.
This SLDT instruction can only be used in protected mode, but it can be executed at any privilege
level.

Mnemonic Opcode Description

Store the segment selector from the local
SLDT reg16 0F 00 /0
descriptor table register to a 16-bit register.
Store the segment selector from the local
SLDT reg32 0F 00 /0
descriptor table register to a 32-bit register.
Store the segment selector from the local
SLDT reg64 0F 00 /0
descriptor table register to a 64-bit register.
Store the segment selector from the local
SLDT mem16 0F 00 /0 descriptor table register to a 16-bit memory
location.

Related Instructions
SIDT, SGDT, STR, LIDT, LGDT, LLDT, LTR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
A memory address exceeded the stack segment limit or was
Stack, #SS X
non-canonical.
A memory address exceeded a data segment limit or was non-
X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X
#AC alignment checking was enabled.

Instruction Reference SLDT 303

AMD64 Technology 24594—Rev. 3.14—September 2007

SMSW Store Machine Status Word

Stores the lower bits of the machine status word (CR0). The target can be a 16-, 32-, or 64-bit register
or a 16-bit memory operand.
This instruction is provided for compatibility with early processors.
This instruction can be used at any privilege level (CPL).

Mnemonic Opcode Description

SMSW reg16 0F 01 /4 Store the low 16 bits of CR0 to a 16-bit register.
SMSW reg32 0F 01 /4 Store the low 32 bits of CR0 to a 32-bit register.
SMSW reg64 0F 01 /4 Store the entire 64-bit CR0 to a 64-bit register.
SMSW mem16 0F 01 /4 Store the low 16 bits of CR0 to memory.

Related Instructions
LMSW, MOV(CRn)

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
A memory address exceeded the stack segment limit or was
Stack, #SS X X X
non-canonical.
A memory address exceeded a data segment limit or was non-
X X X
canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
#AC X X alignment checking was enabled.

304 SMSW Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

STI Set Interrupt Flag

Sets the interrupt flag (IF) in the rFLAGS register to 1, thereby allowing external interrupts received on
the INTR input. Interrupts received on the non-maskable interrupt (NMI) input are not affected by this
instruction.
In real mode, this instruction sets IF to 1.
In protected mode and virtual-8086-mode, this instruction is IOPL-sensitive. If the CPL is less than or
equal to the rFLAGS.IOPL field, the instruction sets IF to 1.
In protected mode, if IOPL < 3, CPL = 3, and protected mode virtual interrupts are enabled
(CR4.PVI = 1), then the instruction instead sets rFLAGS.VIF to 1. If none of these conditions apply,
the processor raises a general protection exception (#GP). For more information, see “Protected Mode
Virtual Interrupts” in Volume 2.
In virtual-8086 mode, if IOPL < 3 and the virtual-8086-mode extensions are enabled (CR4.VME = 1),
the STI instruction instead sets the virtual interrupt flag (rFLAGS.VIF) to 1.
If STI sets the IF flag and IF was initially clear, then interrupts are not enabled until after the
instruction following STI. Thus, if IF is 0, this code will not allow an INTR to happen:
STI
CLI

In the following sequence, INTR will be allowed to happen only after the NOP.
STI
NOP
CLI

If STI sets the VIF flag and VIP is already set, a #GP fault will be generated.
See “Virtual-8086 Mode Extensions” in Volume 2 for more information about IOPL-sensitive
instructions.

Mnemonic Opcode Description

STI FB Set interrupt flag (IF) to 1.

Instruction Reference STI 305

AMD64 Technology 24594—Rev. 3.14—September 2007

Action
IF (CPL <= IOPL)
RFLAGS.IF = 1

ELSIF (((VIRTUAL_MODE) && (CR4.VME = 1))

|| ((PROTECTED_MODE) && (CR4.PVI = 1) && (CPL = 3)))
{
IF (RFLAGS.VIP = 1)
EXCEPTION[#GP(0)]
RFLAGS.VIF = 1
}
ELSE
EXCEPTION[#GP(0)]

Related Instructions
CLI

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. M (modified) is either set to one or cleared to zero. Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The CPL was greater than the IOPL and virtual-mode
X
extensions were not enabled (CR4.VME = 0).
The CPL was greater than the IOPL and either the CPL was
General protection,
X not 3 or protected-mode virtual interrupts were not enabled
#GP (CR4.PVI = 0).
This instruction would set RFLAGS.VIF to 1 and
X X
RFLAGS.VIP was already 1.

306 STI Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

STGI Set Global Interrupt Flag

Sets the global interrupt flag (GIF) to 1. While GIF is zero, all external interrupts are disabled.
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled and ECX.SKINIT as returned by CPUID function 8000_0001 is cleared to 0. See
“Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual Volume-2: System
Instructions, order# 24593.

Mnemonic Opcode Description

STGI 0F 01 DC Sets the global interrupt flag (GIF).

Related Instructions
CLGI

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Secure Virtual Machine was not enabled (EFER.SVME=0)
and both of the following conditions were true:
• SVM-Lock is not available, as indicated by EDX bit 2
X returned by CPUID function 8000_000Ah.
Invalid opcode, #UD
• DEV is not available, as indicated by ECX bit 12 returned
by CPUID function 8000_0001h.
X X Instruction is only recognized in protected mode.
General protection, X CPL was not zero.
#GP

Instruction Reference STGI 307

AMD64 Technology 24594—Rev. 3.14—September 2007

STR Store Task Register

Stores the task register (TR) selector to a register or memory destination operand.
If the destination is a register, the selector is zero-extended into a 16-, 32-, or 64-bit general purpose
register, depending on the operand size.
If the destination is a memory location, the segment selector is written to memory as a 16-bit value,
regardless of operand size.
The STR instruction can only be used in protected mode, but it can be used at any privilege level.

Mnemonic Opcode Description

Store the segment selector from the task register to a 16-bit
STR reg16 0F 00 /1
general-purpose register.
Store the segment selector from the task register to a 32-bit
STR reg32 0F 00 /1
general-purpose register.
Store the segment selector from the task register to a 64-bit
STR reg64 0F 00 /1
general-purpose register.
Store the segment selector from the task register to a 16-bit
STR mem16 0F 00 /1
memory location.

Related Instructions
LGDT, LIDT, LLDT, LTR, SIDT, SGDT, SLDT

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
A memory address exceeded the stack segment limit or was
Stack, #SS X
non-canonical.
A memory address exceeded a data segment limit or was
X
non-canonical.
General protection,
#GP X The destination operand was in a non-writable segment.
X A null data segment was used to reference memory.
Page fault, #PF X A page fault resulted from the execution of the instruction.
An unaligned memory reference was performed while
Alignment check, #AC X
alignment checking was enabled.

308 STR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SWAPGS Swap GS Register with KernelGSbase MSR

Provides a fast method for system software to load a pointer to system data structures. SWAPGS can
be used upon entering system-software routines as a result of a SYSCALL instruction, an interrupt or
an exception. Prior to returning to application software, SWAPGS can be used to restore the
application data pointer that was replaced by the system data-structure pointer.
This instruction can only be executed in 64-bit mode. Executing SWAPGS in any other mode
generates an undefined opcode exception.
The SWAPGS instruction only exchanges the base-address value located in the KernelGSbase model-
specific register (MSR address C000_0102h) with the base-address value located in the hidden-portion
of the GS selector register (GS.base). This allows the system-kernel software to access kernel data
structures by using the GS segment-override prefix during memory references.
The address stored in the KernelGSbase MSR must be in canonical form. The WRMSR instruction
used to load the KernelGSbase MSR causes a general-protection exception if the address loaded is not
in canonical form. The SWAPGS instruction itself does not perform a canonical check.
This instruction is only valid in 64-bit mode at CPL 0. A general protection exception (#GP) is
generated if this instruction is executed at any other privilege level.
For additional information about this instruction, refer to “System-Management Instructions” in
Volume 2.

Examples
At a kernel entry point, the OS uses SwapGS to obtain a pointer to kernel data structures and
simultaneously save the user's GS base. Upon exit, it uses SwapGS to restore the user's GS base:
SystemCallEntryPoint:
SwapGS ; get kernel pointer, save user GSbase
mov gs:[SavedUserRSP], rsp ; save user's stack pointer
mov rsp, gs:[KernelStackPtr] ; set up kernel stack
push rax ; now save user GPRs on kernel stack
. ; perform system service
.
SwapGS ; restore user GS, save kernel pointer

Mnemonic Opcode Description

Exchange GS base with KernelGSBase MSR.
SWAPGS 0F 01 F8
(Invalid in legacy and compatibility modes.)

Related Instructions
None

Instruction Reference SWAPGS 309

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
This instruction was executed in legacy or
Invalid opcode, #UD X X X
compatibility mode.
General protection, #GP X CPL was not 0.

310 SWAPGS Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SYSCALL Fast System Call

Transfers control to a fixed entry point in an operating system. It is designed for use by system and
application software implementing a flat-segment memory model.
The SYSCALL and SYSRET instructions are low-latency system call and return control-transfer
instructions, which assume that the operating system implements a flat-segment memory model. By
eliminating unneeded checks, and by loading pre-determined values into the CS and SS segment
registers (both visible and hidden portions), calls to and returns from the operating system are greatly
simplified. These instructions can be used in protected mode and are particularly well-suited for use in
64-bit mode, which requires implementation of a paged, flat-segment memory model.
This instruction has been optimized by reducing the number of checks and memory references that are
normally made so that a call or return takes considerably fewer clock cycles than the CALL FAR /RET
FAR instruction method.
It is assumed that the base, limit, and attributes of the Code Segment will remain flat for all processes
and for the operating system, and that only the current privilege level for the selector of the calling
process should be changed from a current privilege level of 3 to a new privilege level of 0. It is also
assumed (but not checked) that the RPL of the SYSCALL and SYSRET target selectors are set to 0
and 3, respectively.
SYSCALL sets the CPL to 0, regardless of the values of bits 33–32 of the STAR register. There are no
permission checks based on the CPL, real mode, or virtual-8086 mode. SYSCALL and SYSRET must
be enabled by setting EFER.SCE to 1.
It is the responsibility of the operating system to keep the descriptors in memory that correspond to the
CS and SS selectors loaded by the SYSCALL and SYSRET instructions consistent with the segment
base, limit, and attribute values forced by these instructions.

Legacy x86 Mode. In legacy x86 mode, when SYSCALL is executed, the EIP of the instruction
following the SYSCALL is copied into the ECX register. Bits 31–0 of the SYSCALL/SYSRET target
address register (STAR) are copied into the EIP register. (The STAR register is model-specific register
C000_0081h.)
New selectors are loaded, without permission checking (see above), as follows:
• Bits 47–32 of the STAR register specify the selector that is copied into the CS register.
• Bits 47–32 of the STAR register + 8 specify the selector that is copied into the SS register.
• The CS_base and the SS_base are both forced to zero.
• The CS_limit and the SS_limit are both forced to 4 Gbyte.
• The CS segment attributes are set to execute/read 32-bit code with a CPL of zero.
• The SS segment attributes are set to read/write and expand-up with a 32-bit stack referenced by
ESP.

Instruction Reference SYSCALL 311

AMD64 Technology 24594—Rev. 3.14—September 2007

Long Mode. When long mode is activated, the behavior of the SYSCALL instruction depends on
whether the calling software is in 64-bit mode or compatibility mode. In 64-bit mode, SYSCALL
saves the RIP of the instruction following the SYSCALL into RCX and loads the new RIP from
LSTAR bits 63–0. (The LSTAR register is model-specific register C000_0082h.) In compatibility
mode, SYSCALL saves the RIP of the instruction following the SYSCALL into RCX and loads the
new RIP from CSTAR bits 63–0. (The CSTAR register is model-specific register C000_0083h.)
New selectors are loaded, without permission checking (see above), as follows:
• Bits 47–32 of the STAR register specify the selector that is copied into the CS register.
• Bits 47–32 of the STAR register + 8 specify the selector that is copied into the SS register.
• The CS_base and the SS_base are both forced to zero.
• The CS_limit and the SS_limit are both forced to 4 Gbyte.
• The CS segment attributes are set to execute/read 64-bit code with a CPL of zero.
• The SS segment attributes are set to read/write and expand-up with a 64-bit stack referenced by
RSP.
The WRMSR instruction loads the target RIP into the LSTAR and CSTAR registers. If an RIP written
by WRMSR is not in canonical form, a general-protection exception (#GP) occurs.
How SYSCALL and SYSRET handle rFLAGS, depends on the processor’s operating mode.
In legacy mode, SYSCALL treats EFLAGS as follows:
• EFLAGS.IF is cleared to 0.
• EFLAGS.RF is cleared to 0.
• EFLAGS.VM is cleared to 0.
In long mode, SYSCALL treats RFLAGS as follows:
• The current value of RFLAGS is saved in R11.
• RFLAGS is masked using the value stored in SYSCALL_FLAG_MASK.
• RFLAGS.RF is cleared to 0.
For further details on the SYSCALL and SYSRET instructions and their associated MSR registers
(STAR, LSTAR, CSTAR, and SYSCALL_FLAG_MASK), see “Fast System Call and Return” in
Volume 2.

Mnemonic Opcode Description

SYSCALL 0F 05 Call operating system.

312 SYSCALL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Action
// See “Pseudocode Definitions” on page 41.

SYSCALL_START:

IF (MSR_EFER.SCE = 0) // Check if syscall/sysret are enabled.

EXCEPTION [#UD]

IF (LONG_MODE)
SYSCALL_LONG_MODE
ELSE // (LEGACY_MODE)
SYSCALL_LEGACY_MODE

SYSCALL_LONG_MODE:

RCX.q = next_RIP
R11.q = RFLAGS // with rf cleared

IF (64BIT_MODE)
temp_RIP.q = MSR_LSTAR
ELSE // (COMPATIBILITY_MODE)
temp_RIP.q = MSR_CSTAR

CS.sel = MSR_STAR.SYSCALL_CS AND 0xFFFC

CS.attr = 64-bit code,dpl0 // Always switch to 64-bit mode in long mode.
CS.base = 0x00000000
CS.limit = 0xFFFFFFFF

SS.sel = MSR_STAR.SYSCALL_CS + 8
SS.attr = 64-bit stack,dpl0
SS.base = 0x00000000
SS.limit = 0xFFFFFFFF

RFLAGS = RFLAGS AND ~MSR_SFMASK

RFLAGS.RF = 0

CPL = 0

RIP = temp_RIP
EXIT

SYSCALL_LEGACY_MODE:

RCX.d = next_RIP

temp_RIP.d = MSR_STAR.EIP

CS.sel = MSR_STAR.SYSCALL_CS AND 0xFFFC

CS.attr = 32-bit code,dpl0 // Always switch to 32-bit mode in legacy mode.

Instruction Reference SYSCALL 313

AMD64 Technology 24594—Rev. 3.14—September 2007

CS.base = 0x00000000
CS.limit = 0xFFFFFFFF

SS.sel = MSR_STAR.SYSCALL_CS + 8
SS.attr = 32-bit stack,dpl0
SS.base = 0x00000000
SS.limit = 0xFFFFFFFF

RFLAGS.VM,IF,RF=0

CPL = 0

RIP = temp_RIP
EXIT

Related Instructions
SYSRET, SYSENTER, SYSEXIT

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M 0 0 M M M M M M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SYSCALL and SYSRET instructions are not
X X X supported, as indicated by EDX bit 11 returned by
CPUID function 8000_0001h.
Invalid opcode, #UD
The system call extension bit (SCE) of the extended
X X X feature enable register (EFER) is set to 0. (The
EFER register is MSR C000_0080h.)

314 SYSCALL Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SYSENTER System Call

Transfers control to a fixed entry point in an operating system. It is designed for use by system and
application software implementing a flat-segment memory model. This instruction is valid only in
legacy mode.
Three model-specific registers (MSRs) are used to specify the target address and stack pointers for the
SYSENTER instruction, as well as the CS and SS selectors of the called and returned procedures:
• MSR_SYSENTER_CS: Contains the CS selector of the called procedure. The SS selector is set to
MSR_SYSENTER_CS + 8.
• MSR_SYSENTER_ESP: Contains the called procedure’s stack pointer.
• MSR_SYSENTER_EIP: Contains the offset into the CS of the called procedure.
The hidden portions of the CS and SS segment registers are not loaded from the descriptor table as they
would be using a legacy x86 CALL instruction. Instead, the hidden portions are forced by the
processor to the following values:
• The CS and SS base values are forced to 0.
• The CS and SS limit values are forced to 4 Gbytes.
• The CS segment attributes are set to execute/read 32-bit code with a CPL of zero.
• The SS segment attributes are set to read/write and expand-up with a 32-bit stack referenced by
ESP.
System software must create corresponding descriptor-table entries referenced by the new CS and SS
selectors that match the values described above.
The return EIP and application stack are not saved by this instruction. System software must explicitly
save that information.
An invalid-opcode exception occurs if this instruction is used in long mode. Software should use the
SYSCALL (and SYSRET) instructions in long mode. If SYSENTER is used in real mode, a #GP is
raised.
For additional information on this instruction, see “SYSENTER and SYSEXIT (Legacy Mode Only)”
in Volume 2.

Mnemonic Opcode Description

SYSENTER 0F 34 Call operating system.

Related Instructions
SYSCALL, SYSEXIT, SYSRET

Instruction Reference SYSENTER 315

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

0 0

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or zero is M (modified). Unaffected flags are blank.
Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SYSENTER and SYSEXIT instructions are not
X X X supported, as indicated by EDX bit 11 returned by
Invalid opcode, #UD CPUID function 0000_0001h.
X This instruction is not recognized in long mode.
X This instruction is not recognized in real mode.
General protection, #GP
X X MSR_SYSENTER_CS was a null selector.

316 SYSENTER Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SYSEXIT System Return

Returns from the operating system to an application. It is a low-latency system return instruction
designed for use by system and application software implementing a flat-segment memory model.
This is a privileged instruction. The current privilege level must be zero to execute this instruction. An
invalid-opcode exception occurs if this instruction is used in long mode. Software should use the
SYSRET (and SYSCALL) instructions when running in long mode.
When a system procedure performs a SYSEXIT back to application software, the CS selector is
updated to point to the second descriptor entry after the SYSENTER CS value (MSR
SYSENTER_CS+16). The SS selector is updated to point to the third descriptor entry after the
SYSENTER CS value (MSR SYSENTER_CS+24). The CPL is forced to 3, as are the descriptor
privilege levels.
The hidden portions of the CS and SS segment registers are not loaded from the descriptor table as they
would be using a legacy x86 RET instruction. Instead, the hidden portions are forced by the processor
to the following values:
• The CS and SS base values are forced to 0.
• The CS and SS limit values are forced to 4 Gbytes.
• The CS segment attributes are set to 32-bit read/execute at CPL 3.
• The SS segment attributes are set to read/write and expand-up with a 32-bit stack referenced by
ESP.
System software must create corresponding descriptor-table entries referenced by the new CS and SS
selectors that match the values described above.
The following additional actions result from executing SYSEXIT:
• EIP is loaded from EDX.
• ESP is loaded from ECX.
System software must explicitly load the return address and application software-stack pointer into the
EDX and ECX registers prior to executing SYSEXIT.
For additional information on this instruction, see “SYSENTER and SYSEXIT (Legacy Mode Only)”
in Volume 2.

Mnemonic Opcode Description

SYSEXIT 0F 35 Return from operating system to application.

Related Instructions
SYSCALL, SYSENTER, SYSRET

Instruction Reference SYSEXIT 317

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SYSENTER and SYSEXIT instructions are not
X X X supported, as indicated by EDX bit 11 returned by
Invalid opcode, #UD CPUID function 0000_0001h.
X This instruction is not recognized in long mode.
This instruction is only recognized in protected
X X
mode.
General protection, #GP
X CPL was not 0.
X MSR_SYSENTER_CS was a null selector.

318 SYSEXIT Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

SYSRET Fast System Return

Returns from the operating system to an application. It is a low-latency system return instruction
designed for use by system and application software implementing a flat segmentation memory model.
The SYSCALL and SYSRET instructions are low-latency system call and return control-transfer
instructions that assume that the operating system implements a flat-segment memory model. By
eliminating unneeded checks, and by loading pre-determined values into the CS and SS segment
registers (both visible and hidden portions), calls to and returns from the operating system are greatly
simplified. These instructions can be used in protected mode and are particularly well-suited for use in
64-bit mode, which requires implementation of a paged, flat-segment memory model.
This instruction has been optimized by reducing the number of checks and memory references that are
normally made so that a call or return takes substantially fewer internal clock cycles when compared to
the CALL/RET instruction method.
It is assumed that the base, limit, and attributes of the Code Segment will remain flat for all processes
and for the operating system, and that only the current privilege level for the selector of the calling
process should be changed from a current privilege level of 0 to a new privilege level of 3. It is also
assumed (but not checked) that the RPL of the SYSCALL and SYSRET target selectors are set to 0
and 3, respectively.
SYSRET sets the CPL to 3, regardless of the values of bits 49–48 of the star register. SYSRET can
only be executed in protected mode at CPL 0. SYSCALL and SYSRET must be enabled by setting
EFER.SCE to 1.
It is the responsibility of the operating system to keep the descriptors in memory that correspond to the
CS and SS selectors loaded by the SYSCALL and SYSRET instructions consistent with the segment
base, limit, and attribute values forced by these instructions.
When a system procedure performs a SYSRET back to application software, the CS selector is
updated from bits 63–50 of the STAR register (STAR.SYSRET_CS) as follows:
• If the return is to 32-bit mode (legacy or compatibility), CS is updated with the value of
STAR.SYSRET_CS.
• If the return is to 64-bit mode, CS is updated with the value of STAR.SYSRET_CS + 16.
In both cases, the CPL is forced to 3, effectively ignoring STAR bits 49–48. The SS selector is updated
to point to the next descriptor-table entry after the CS descriptor (STAR.SYSRET_CS + 8), and its
RPL is not forced to 3.
The hidden portions of the CS and SS segment registers are not loaded from the descriptor table as they
would be using a legacy x86 RET instruction. Instead, the hidden portions are forced by the processor
to the following values:
• The CS base value is forced to 0.
• The CS limit value is forced to 4 Gbytes.

Instruction Reference SYSRET 319

AMD64 Technology 24594—Rev. 3.14—September 2007

• The CS segment attributes are set to execute-read 32 bits or 64 bits (see below).
• The SS segment base, limit, and attributes are not modified.
When SYSCALLed system software is running in 64-bit mode, it has been entered from either 64-bit
mode or compatibility mode. The corresponding SYSRET needs to know the mode to which it must
return. Executing SYSRET in non-64-bit mode or with a 16- or 32-bit operand size returns to 32-bit
mode with a 32-bit stack pointer. Executing SYSRET in 64-bit mode with a 64-bit operand size returns
to 64-bit mode with a 64-bit stack pointer.
The instruction pointer is updated with the return address based on the operating mode in which
SYSRET is executed:
• If returning to 64-bit mode, SYSRET loads RIP with the value of RCX.
• If returning to 32-bit mode, SYSRET loads EIP with the value of ECX.
How SYSRET handles RFLAGS depends on the processor’s operating mode:
• If executed in 64-bit mode, SYSRET loads the lower-32 RFLAGS bits from R11[31:0] and clears
the upper 32 RFLAGS bits.
• If executed in legacy mode or compatibility mode, SYSRET sets EFLAGS.IF.
For further details on the SYSCALL and SYSRET instructions and their associated MSR registers
(STAR, LSTAR, and CSTAR), see “Fast System Call and Return” in Volume 2.

Mnemonic Opcode Description

SYSRET 0F 07 Return from operating system.

Action
// See “Pseudocode Definitions” on page 41.

SYSRET_START:

IF (MSR_EFER.SCE = 0) // Check if syscall/sysret are enabled.

EXCEPTION [#UD]

IF ((!PROTECTED_MODE) || (CPL != 0))

EXCEPTION [#GP(0)] // SYSRET requires protected mode, cpl0

IF (64BIT_MODE)
SYSRET_64BIT_MODE
ELSE // (!64BIT_MODE)
SYSRET_NON_64BIT_MODE

SYSRET_64BIT_MODE:

IF (OPERAND_SIZE = 64) // Return to 64-bit mode.

{

320 SYSRET Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

CS.sel = (MSR_STAR.SYSRET_CS + 16) OR 3

CS.base = 0x00000000
CS.limit = 0xFFFFFFFF
CS.attr = 64-bit code,dpl3

temp_RIP.q = RCX
}
ELSE // Return to 32-bit compatibility mode.
{
CS.sel = MSR_STAR.SYSRET_CS OR 3
CS.base = 0x00000000
CS.limit = 0xFFFFFFFF
CS.attr = 32-bit code,dpl3

temp_RIP.d = RCX
}

SS.sel = MSR_STAR.SYSRET_CS + 8 // SS selector is changed,

// SS base, limit, attributes unchanged.

RFLAGS.q = R11 // RF=0,VM=0

CPL = 3

RIP = temp_RIP
EXIT

SYSRET_NON_64BIT_MODE:

CS.sel = MSR_STAR.SYSRET_CS OR 3 // Return to 32-bit legacy protected mode.

CS.base = 0x00000000
CS.limit = 0xFFFFFFFF
CS.attr = 32-bit code,dpl3

temp_RIP.d = RCX

SS.sel = MSR_STAR.SYSRET_CS + 8 // SS selector is changed.

// SS base, limit, attributes unchanged.
RFLAGS.IF = 1
CPL = 3

RIP = temp_RIP
EXIT

Related Instructions
SYSCALL, SYSENTER, SYSEXIT

Instruction Reference SYSRET 321

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

M M M M 0 M M M M M M M M M M M

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SYSCALL and SYSRET instructions are not
X X X supported, as indicated by EDX bit 11 returned by
CPUID function 8000_0001h.
Invalid opcode, #UD
The system call extension bit (SCE) of the extended
X X X feature enable register (EFER) is set to 0. (The
EFER register is MSR C000_0080h.)
This instruction is only recognized in protected
X X
General protection, #GP mode.
X CPL was not 0.

322 SYSRET Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

UD2 Undefined Operation

Generates an invalid opcode exception. Unlike other undefined opcodes that may be defined as legal
instructions in the future, UD2 is guaranteed to stay undefined.

Mnemonic Opcode Description

UD2 0F 0B Raise an invalid opcode exception.

Related Instructions
None

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X X This instruction is not recognized.

Instruction Reference UD2 323

AMD64 Technology 24594—Rev. 3.14—September 2007

VERR Verify Segment for Reads

Verifies whether a code or data segment specified by the segment selector in the 16-bit register or
memory operand is readable from the current privilege level. The zero flag (ZF) is set to 1 if the
specified segment is readable. Otherwise, ZF is cleared.
A segment is readable if all of the following apply:
• the selector is not a null selector.
• the descriptor is within the GDT or LDT limit.
• the segment is a data segment or readable code segment.
• the descriptor DPL is greater than or equal to both the CPL and RPL, or the segment is a conform-
ing code segment.
The processor does not recognize the VERR instruction in real or virtual-8086 mode.

Mnemonic Opcode Description

Set the zero flag (ZF) to 1 if the segment
VERR reg/mem16 0F 00 /4
selected can be read.

Related Instructions
ARPL, LAR, LSL, VERW

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
A memory address exceeded the stack segment limit or is
Stack, #SS X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X
canonical.
#GP
X A null data segment was used to reference memory.

324 VERR Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Virtual
Exception Real 8086 Protected Cause of Exception
Page fault, #PF X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X
#AC alignment checking was enabled.

Instruction Reference VERR 325

AMD64 Technology 24594—Rev. 3.14—September 2007

VERW Verify Segment for Write

Verifies whether a data segment specified by the segment selector in the 16-bit register or memory
operand is writable from the current privilege level. The zero flag (ZF) is set to 1 if the specified
segment is writable. Otherwise, ZF is cleared.
A segment is writable if all of the following apply:
• the selector is not a null selector.
• the descriptor is within the GDT or LDT limit.
• the segment is a writable data segment.
• the descriptor DPL is greater than or equal to both the CPL and RPL.
The processor does not recognize the VERW instruction in real or virtual-8086 mode.

Mnemonic Opcode Description

Set the zero flag (ZF) to 1 if the segment
VERW reg/mem16 0F 00 /5
selected can be written.

Related Instructions
ARPL, LAR, LSL, VERR

rFLAGS Affected
ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF

21 20 19 18 17 16 14 13–12 11 10 9 8 7 6 4 2 0
Note: Bits 31–22, 15, 5, 3, and 1 are reserved. A flag set to one or cleared to zero is M (modified). Unaffected flags
are blank. Undefined flags are U.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
Invalid opcode, #UD X X This instruction is only recognized in protected mode.
A memory address exceeded the stack segment limit or was
Stack, #SS X
non-canonical.
A memory address exceeded a data segment limit or was non-
General protection, X canonical.
#GP
X A null data segment was used to access memory.
Page fault, #PF X A page fault resulted from the execution of the instruction.
Alignment check, An unaligned memory reference was performed while
X
#AC alignment checking was enabled.

326 VERW Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

VMLOAD Load State from VMCB

Loads a subset of processor state from the VMCB specified by the physical address in the rAX register.
The portion of RAX used to form the address is determined by the effective address size.
The VMSAVE and VMLOAD instructions complement the state save/restore abilities of VMRUN and
#VMEXIT, providing access to hidden state that software is otherwise unable to access, plus some
additional commonly-used state.
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled. See “Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual
Volume 2: System Instructions, order# 24593.

Mnemonic Opcode Description

VMLOAD rAX 0F 01 DA Load additional state from VMCB.

Action
IF ((MSR_EFER.SVME = 0) || (!PROTECTED_MODE))
EXCEPTION [#UD] // This instruction can only be executed in protected
// mode with SVM enabled

IF (CPL != 0) // This instruction is only allowed at CPL 0

EXCEPTION [#GP]

IF (rAX contains an unsupported physical address)

EXCEPTION [#GP]

Load from a VMCB at physical address rAX:

FS, GS, TR, LDTR (including all hidden state)
KernelGsBase
STAR, LSTAR, CSTAR, SFMASK
SYSENTER_CS, SYSENTER_ESP, SYSENTER_EIP

Related Instructions
VMSAVE

rFLAGS Affected
None.

Instruction Reference VMLOAD 327

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SVM instructions are not supported as indicated by ECX
X X X
bit 2 as returned by CPUID function 8000_0001h.
Invalid opcode, #UD
X Secure Virtual Machine was not enabled (EFER.SVME=0).
X X The instruction is only recognized in protected mode.
X CPL was not zero.
General protection, rAX referenced a physical address above the maximum
X
#GP supported physical address.
X The address in rAX was not aligned on a 4Kbyte boundary.

328 VMLOAD Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

VMMCALL Call VMM

Provides a mechanism for a guest to explicitly communicate with the VMM by generating a
#VMEXIT.
A non-intercepted VMMCALL unconditionally raises a #UD exception.
VMMCALL is not restricted to either protected mode or CPL zero.
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled. See “Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual
Volume 2: System Instructions, order# 24593.

Mnemonic Opcode Description

VMMCALL 0F 01 D9 Explicit communication with the VMM.

Related Instructions
None.

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SVM instructions are not supported as indicated by ECX
X X X
bit 2 as returned by CPUID function 8000_0001h.
Invalid opcode, #UD
X X X Secure Virtual Machine was not enabled (EFER.SVME=0).
X X X VMMCALL was not intercepted.

Instruction Reference VMMCALL 329

AMD64 Technology 24594—Rev. 3.14—September 2007

VMRUN Run Virtual Machine

Starts execution of a guest instruction stream. The physical address of the virtual machine control
block (VMCB) describing the guest is taken from the rAX register (the portion of RAX used to form
the address is determined by the effective address size).
VMRUN saves a subset of host processor state to the host state-save area specified by the physical
address in the VM_HSAVE_PA MSR. VMRUN then loads guest processor state (and control
information) from the VMCB at the physical address specified in rAX. The processor then executes
guest instructions until one of several intercept events (specified in the VMCB) is triggered. When an
intercept event occurs, the processor stores a snapshot of the guest state back into the VMCB, reloads
the host state, and continues execution of host code at the instruction following the VMRUN
instruction.
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled. See “Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual
Volume 2: System Instructions, order# 24593.

Mnemonic Opcode Description

VMRUN rAX 0F 01 D8 Performs a world-switch to guest.

Action
IF ((MSR_EFER.SVME = 0) || (!PROTECTED_MODE))
EXCEPTION [#UD] // This instruction can only be executed in protected
// mode with SVM enabled

IF (CPL != 0) // This instruction is only allowed at CPL 0

EXCEPTION [#GP]

IF (rAX contains an unsupported physical address)

EXCEPTION [#GP]

if (intercepted(VMRUN))
#VMEXIT (VMRUN)
remember VMCB address (delivered in rAX) for next #VMEXIT
save host state to physical memory indicated in the VM_HSAVE_PA MSR:
ES.sel
CS.sel
SS.sel
DS.sel
GDTR.{base,limit}
IDTR.{base,limit}
EFER
CR0
CR4
CR3
// host CR2 is not saved
RFLAGS

330 VMRUN Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

RIP
RSP
RAX

from the VMCB at physical address rAX, load control information:

intercept vector
TSC_OFFSET
interrupt control (v_irq, v_intr_*, v_tpr)
EVENTINJ field
ASID

if (nested paging supported)

NP_ENABLE
if (NP_ENABLE = 1)
nCR3

from the VMCB at physical address rAX, load guest state:

ES.{base,limit,attr,sel}
CS.{base,limit,attr,sel}
SS.{base,limit,attr,sel}
DS.{base,limit,attr,sel}
GDTR.{base,limit}
IDTR.{base,limit}
EFER
CR0
CR4
CR3
CR2
if (NP_ENABLE = 1)
gPAT // Leaves host hPAT register unchanged.
RFLAGS
RIP
RSP
RAX
DR7
DR6
CPL // 0 for real mode, 3 for v86 mode, else as loaded.
INTERRUPT_SHADOW

if (LBR virtualization supported)

LBR_VIRTUALIZATION_ENABLE
if (LBR_VIRTUALIZATION_ENABLE=1)
save LBR state to the host save area
DBGCTL
BR_FROM
BR_TO
LASTEXCP_FROM
LASTEXCP_TO
load LBR state from the VMCB
DBGCTL
BR_FROM

Instruction Reference VMRUN 331

AMD64 Technology 24594—Rev. 3.14—September 2007

BR_TO
LASTEXCP_FROM
LASTEXCP_TO

if (guest state consistency checks fail)

#VMEXIT(INVALID)

Execute command stored in TLB_CONTROL.

GIF = 1 // allow interrupts in the guest

if (EVENTINJ.V)
cause exception/interrupt in guest
else
jump to first guest instruction

Upon #VMEXIT, the processor performs the following actions in order to return to the host execution
context:
GIF = 0
save guest state to VMCB:
ES.{base,limit,attr,sel}
CS.{base,limit,attr,sel}
SS.{base,limit,attr,sel}
DS.{base,limit,attr,sel}
GDTR.{base,limit}
IDTR.{base,limit}
EFER
CR4
CR3
CR2
CR0
if (nested paging enabled)
gPAT
RFLAGS
RIP
RSP
RAX
DR7
DR6
CPL
INTERRUPT_SHADOW
save additional state and intercept information:
V_IRQ, V_TPR
EXITCODE
EXITINFO1
EXITINFO2
EXITINTINFO
clear EVENTINJ field in VMCB

prepare for host mode by clearing internal processor state bits:

clear intercepts
clear v_irq

332 VMRUN Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

clear v_intr_masking
clear tsc_offset
disable nested paging
clear ASID to zero

reload host state

GDTR.{base,limit}
IDTR.{base,limit}
EFER
CR0
CR0.PE = 1 // saved copy of CR0.PE is ignored
CR4
CR3
if (host is in PAE paging mode)
reloaded host PDPEs
// Do not reload host CR2 or PAT
RFLAGS
RIP
RSP
RAX
DR7 = “all disabled”
CPL = 0
ES.sel; reload segment descriptor from GDT
CS.sel; reload segment descriptor from GDT
SS.sel; reload segment descriptor from GDT
DS.sel; reload segment descriptor from GDT

if (LBR virtualization supported)

LBR_VIRTUALIZATION_ENABLE
if (LBR_VIRTUALIZATION_ENABLE=1)
save LBR state to the VMCB:
DBGCTL
BR_FROM
BR_TO
LASTEXCP_FROM
LASTEXCP_TO
load LBR state from the host save area:
DBGCTL
BR_FROM
BR_TO
LASTEXCP_FROM
LASTEXCP_TO

if (illegal host state loaded, or exception while loading host state)

shutdown
else
execute first host instruction following the VMRUN

Related Instructions
VMLOAD, VMSAVE.

Instruction Reference VMRUN 333

AMD64 Technology 24594—Rev. 3.14—September 2007

rFLAGS Affected
None.

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SVM instructions are not supported as indicated by ECX
X X X
bit 2 as returned by CPUID function 8000_0001h.
Invalid opcode, #UD
X Secure Virtual Machine was not enabled (EFER.SVME=0).
X X The instruction is only recognized in protected mode.
X CPL was not zero.
General protection, rAX referenced a physical address above the maximum
#GP X supported physical address.
X The address in rAX was not aligned on a 4Kbyte boundary.

334 VMRUN Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

VMSAVE Save State to VMCB

Stores a subset of the processor state into the VMCB specified by the physical address in the rAX
register (the portion of RAX used to form the address is determined by the effective address size).
The VMSAVE and VMLOAD instructions complement the state save/restore abilities of VMRUN and
#VMEXIT, providing access to hidden state that software is otherwise unable to access, plus some
additional commonly-used state.
This is a Secure Virtual Machine instruction. This instruction generates a #UD exception if SVM is
not enabled. See “Enabling SVM” on page 369 in AMD64 Architecture Programmer’s Manual
Volume 2: System Instructions, order# 24593.

Mnemonic Opcode Description

VMSAVE rAX 0F 01 DB Save additional guest state to VMCB.

Action
IF ((MSR_EFER.SVME = 0) || (!PROTECTED_MODE))
EXCEPTION [#UD] // This instruction can only be executed in protected
// mode with SVM enabled

IF (CPL != 0) // This instruction is only allowed at CPL 0

EXCEPTION [#GP]

IF (rAX contains an unsupported physical address)

EXCEPTION [#GP]

Store to a VMCB at physical address rAX:

FS, GS, TR, LDTR (including all hidden state)
KernelGsBase
STAR, LSTAR, CSTAR, SFMASK
SYSENTER_CS, SYSENTER_ESP, SYSENTER_EIP

Related Instructions
VMLOAD

rFLAGS Affected
None.

System Instruction Reference 335

AMD64 Technology 24594—Rev. 3.14—September 2007

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The SVM instructions are not supported as indicated by ECX
X X X
bit 2 as returned by CPUID function 8000_0001h.
Invalid opcode, #UD
X Secure Virtual Machine was not enabled (EFER.SVME=0).
X X The instruction is only recognized in protected mode.
X CPL was not zero.
General protection, rAX referenced a physical address above the maximum
X
#GP supported physical address.
X The address in rAX was not aligned on a 4Kbyte boundary.

336 System Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

WBINVD Writeback and Invalidate Caches

Writes all modified cache lines in the internal caches back to main memory and invalidates (flushes)
internal caches. It then causes external caches to write back modified data to main memory; the
external caches are subsequently invalidated. After invalidating internal caches, the processor
proceeds immediately with the execution of the next instruction without waiting for external hardware
to invalidate its caches.
The INVD instruction can be used when cache coherence with memory is not important.
This instruction does not invalidate TLB caches.
This is a privileged instruction. The current privilege level of a procedure invalidating the processor’s
internal caches must be zero.
WBINVD is a serializing instruction.

Mnemonic Opcode Description

Write modified cache lines to main memory, invalidate
WBINVD 0F 09
internal caches, and trigger external cache flushes.

Related Instructions
CLFLUSH, INVD

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
General protection, X X CPL was not 0.
#GP

System Instruction Reference 337

AMD64 Technology 24594—Rev. 3.14—September 2007

WRMSR Write to Model-Specific Register

Writes data to 64-bit model-specific registers (MSRs). These registers are widely used in performance-
monitoring and debugging applications, as well as testability and program execution tracing.
This instruction writes the contents of the EDX:EAX register pair into a 64-bit model-specific register
specified in the ECX register. The 32 bits in the EDX register are mapped into the high-order bits of the
model-specific register and the 32 bits in EAX form the low-order 32 bits.
This instruction must be executed at a privilege level of 0 or a general protection fault #GP(0) will be
raised. This exception is also generated if an attempt is made to specify a reserved or unimplemented
model-specific register in ECX.
WRMSR is a serializing instruction.
The CPUID instruction can provide model information useful in determining the existence of a
particular MSR.
See Volume 2: System Programming, for more information about model-specific registers, machine
check architecture, performance monitoring and debug registers.

Mnemonic Opcode Description

WRMSR 0F 30 Write EDX:EAX to the MSR specified by ECX.

Related Instructions
RDMSR

rFLAGS Affected
None

Exceptions
Virtual
Exception Real 8086 Protected Cause of Exception
The WRMSR instruction is not supported, as indicated by
Invalid opcode, #UD X X X
EDX bit 5 returned by CPUID function 1 or 8000_0001h.
X X CPL was not 0.
The value in ECX specifies a reserved or unimplemented
X X
General protection, MSR address.
#GP X X Writing 1 to any bit that must be zero (MBZ) in the MSR.
Writing a non-canonical value to a MSR that can only be
X X
written with canonical values.

338 System Instruction Reference

24594—Rev. 3.14—September 2007 AMD64 Technology

Appendix A Opcode and Operand Encodings

This section specifies the hexadecimal and/or binary encodings for the opcodes and the implicit
operand references used in the AMD64 instruction set. For an overview of the instruction formats to
which these encodings apply, see Chapter 1, “Instruction Formats.”

A.1 Opcode-Syntax Notation

The following notation is used in this section to specify opcodes and their operands:
A Far pointer is encoded in the instruction.
C Control register specified by the ModRM reg field.
D Debug register specified by the ModRM reg field.
E General purpose register or memory operand specified by the ModRM byte. Memory addresses
can be computed from a segment register, SIB byte, and/or displacement.
F rFLAGS register.
G General purpose register specified by the ModRM reg field.
I Immediate value.
J The instruction includes a relative offset that is added to the rIP.
M A memory operand specified by the ModRM byte.
O The offset of an operand is encoded in the instruction. There is no ModRM byte in the
instruction. Complex addressing using the SIB byte cannot be done.
P 64-bit MMX register specified by the ModRM reg field.
PR 64-bit MMX register specified by the ModRM r/m field. The ModRM mod field must be 11b.
Q 64-bit MMX-register or memory operand specified by the ModRM byte. Memory addresses can
be computed from a segment register, SIB byte, and/or displacement.
R General purpose register specified by the ModRM r/m field. The ModRM mod field must be 11b.
S Segment register specified by the ModRM reg field.
V 128-bit XMM register specified by the ModRM reg field.
VR 128-bit XMM register specified by the ModRM r/m field. The ModRM mod field must be 11b.
W A 128-bit XMM register or memory operand specified by the ModRM byte. Memory addresses
can be computed from a segment register, SIB byte, and/or displacement.
X A memory operand addressed by the DS.rSI registers. Used in string instructions.
Y A memory operand addressed by the ES.rDI registers. Used in string instructions.

Opcode and Operand Encodings 339

AMD64 Technology 24594—Rev. 3.14—September 2007

a Two 16-bit or 32-bit memory operands, depending on the effective operand size. Used in the
BOUND instruction.
b A byte, irrespective of the effective operand size.
d A doubleword (32 bits), irrespective of the effective operand size.
dq A double-quadword (128 bits), irrespective of the effective operand size.
p A 32-bit or 48-bit far pointer, depending on the effective operand size.
pd A 128-bit double-precision floating-point vector operand (packed double).
pi A 64-bit MMX operand (packed integer).
ps A 128-bit single-precision floating-point vector operand (packed single).
q A quadword, irrespective of the effective operand size.
s A 6-byte or 10-byte pseudo-descriptor.
sd A scalar double-precision floating-point operand (scalar double).
si A scalar doubleword (32-bit) integer operand (scalar integer).
ss A scalar single-precision floating-point operand (scalar single).
v A word, doubleword, or quadword, depending on the effective operand size.
w A word, irrespective of the effective operand size.
z A word if the effective operand size is 16 bits, or a doubleword if the effective operand size is 32
or 64 bits.
/n A ModRM-byte reg field or SIB-byte base field that contains a value (n) between zero (binary
000) and 7 (binary 111).
For definitions of the mnemonics used to name registers, see “Summary of Registers and Data Types”
on page 24.

A.2 Opcode Encodings

A.2.1 One-Byte Opcodes
Table A-1 on page 341 shows the one-byte opcodes in which the low nibble is in the range 0–7h.
Table A-2 on page 342 shows those opcodes in which the low nibble is in the range 8–Fh. In both
tables, the rows show the full range (0–Fh) of the high nibble, and the columns show the specified
range of the low nibble.

340 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-1. One-Byte Opcodes, Low Nibble 0–7h

Nibble1 0 1 2 3 4 5 6 7
ADD PUSH POP
0
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz ES3 ES3
ADC PUSH POP
1
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz SS3 SS3
6
AND seg ES DAA3
2
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz
XOR seg SS6 AAA3
3
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz
INC5
4
eAX eCX eDX eBX eSP eBP eSI eDI
PUSH
5
rAX/r8 rCX/r9 rDX/r10 rBX/r11 rSP/r12 rBP/r13 rSI/r14 rDI/r15
BOUND 3 ARPL3 address
PUSHA/D3 POPA/D3 seg FS seg GS operand size
Gv, Ma Ew, Gw size
6
MOVSXD4
Gv, Ed
JO JNO JB JNB JZ JNZ JBE JNBE
7
Jb Jb Jb Jb Jb Jb Jb Jb
Group 12 TEST XCHG
8
Eb, Ib Ev, Iz Eb, Ib3 Ev, Ib Eb, Gb Ev, Gv Eb, Gb Ev, Gv
XCHG
9 r8, rAX
rCX/r9, rAX rDX/r10, rAX rBX/r11, rAX rSP/r12, rAX rBP/r13, rAX rSI/r14, rAX rDI/r15, rAX
NOP,PAUSE
MOV MOVSB MOVSW/D/Q CMPSB CMPSW/D/Q
A
AL, Ob rAX, Ov Ob, AL Ov, rAX Yb, Xb Yv, Xv Xb, Yb Xv, Yv
MOV
B AL, Ib CL, Ib DL, Ib BL, Ib AH, Ib CH, Ib DH, Ib BH, Ib
r8b, Ib r9b, Ib r10b, Ib r11b, Ib r12b, Ib r13b, Ib r14b, Ib r15b, Ib
Group 22 RET near LES3 LDS3 Group 112
C
Eb, Ib Ev, Ib Iw Gz, Mp Gz, Mp Eb, Ib Ev, Iz
Group 22 AAM3 AAD3 SALC3 XLAT
D
Eb, 1 Ev, 1 Eb, CL Ev, CL
LOOPNE/NZ LOOPE/Z LOOP JrCXZ IN OUT
E
Jb Jb Jb Jb AL, Ib eAX, Ib Ib, AL Ib, eAX
LOCK: INT1 REPNE: REP: HLT CMC Group 32
F
ICE Bkpt REPE:
Notes:
1. Rows in this table show the high opcode nibble, columns show the low opcode nibble.
2. An opcode extension is specified in bits 5–3 of the ModRM byte. See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. Invalid in 64-bit mode.
4. Valid only in 64-bit mode.
5. Used as REX prefixes in 64-bit mode.
6. This is a null prefix in 64-bit mode.

Opcode and Operand Encodings 341

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-2. One-Byte Opcodes, Low Nibble 8–Fh

Nibble1 8 9 A B C D E F
OR PUSH 2-byte
0
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz CS3 opcodes
SBB PUSH POP
1
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz DS3 DS3
6
SUB seg CS DAS3
2
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz
CMP seg DS6 AAS3
3
Eb, Gb Ev, Gv Gb, Eb Gv, Ev AL, Ib rAX, Iz
DEC5
4
eAX eCX eDX eBX eSP eBP eSI eDI
POP
5
rAX/r8 rCX/r9 rDX/r10 rBX/r11 rSP/r12 rBP/r13 rSI/r14 rDI/r15
PUSH IMUL PUSH IMUL INSB INSW/D OUTSB OUTSW/D
6
Iz Gv, Ev, Iz Ib Gv, Ev, Ib Yb, DX Yz, DX DX, Xb DX, Xz
JS JNS JP JNP JL JNL JLE JNLE
7
Jb Jb Jb Jb Jb Jb Jb Jb
MOV LEA MOV Group 1a2
8
Eb, Gb Ev, Gv Gb, Eb Gv, Ev Mw/Rv, Sw Gv, M Sw, Ew Ev
CBW, CWDE CWD, CDQ, CALL3 WAIT PUSHF/D/Q POPF/D/Q SAHF LAHF
9
CDQE CQO Ap FWAIT Fv Fv
TEST STOSB STOSW/D/Q LODSB LODSW/D/Q SCASB SCASW/D/Q
A
AL, Ib rAX, Iz Yb, AL Yv, rAX AL, Xb rAX, Xv AL, Yb rAX, Yv
MOV
B rAX, Iv rCX, Iv rDX, Iv rBX, Iv rSP, Iv rBP, Iv rSI, Iv rDI, Iv
r8, Iv r9, Iv r10, Iv r11, Iv r12, Iv r13, Iv r14, Iv r15, Iv
ENTER LEAVE RET far INT3 INT INTO3 IRET, IRETD
C
Iw, Ib Iw Ib IRETQ
x87
D
see Table A-10 on page 355
CALL JMP IN OUT
E
Jz Jz Ap3 Jb AL, DX eAX, DX DX, AL DX, eAX
CLC STC CLI STI CLD STD Group 42 Group 52
F
Eb
Note:
1. Rows in this table show the high opcode nibble, columns show the low opcode nibble.
2. An opcode extension is specified in bits 5–3 of the ModRM byte. See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. Invalid in 64-bit mode.
4. Valid only in 64-bit mode.
5. Used as REX prefixes in 64-bit mode.
6. This is a null prefix in 64-bit mode.

342 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

A.2.2 Two-Byte Opcodes

All two-byte opcodes have 0Fh as their first byte. Table A-3 below shows the second byte of the two-
byte opcodes in which the second byte’s low nibble is in the range 0–7h. Table A-4 on page 345 shows
those opcodes in which the second byte’s low nibble is in the range 8–Fh. In both tables, the rows show
the full range (0–Fh) of the high nibble, and the columns show the low nibble of the opcode. The left-
most column shows special-purpose prefix bytes used in many 128-bit and 64-bit instructions to
modify the opcode.

Table A-3. Second Byte of Two-Byte Opcodes, Low Nibble 0–7h

Prefix Nibble1 0 1 2 3 4 5 6 7
Group 62 Group 72 LAR LSL invalid SYSCALL CLTS SYSRET
n/a 0
Gv, Ew Gv, Ew
MOVLPS MOVHPS
MOVUPS
Vps, Mq MOVLPS UNPCKLPS UNPCKHPS Vps, Mq MOVHPS
none MOVHLPS MOVLHPS
Vps, Wps Wps, Vps Vps, VRq Mq, Vps Vps, Wq Vps, Wq Vps, VRq Mq, Vps
MOVSS MOVSLDUP invalid invalid invalid MOVSHDUP invalid
F3 1 Vdq/ss, Wss Wss, Vss Vps, Wps Vps, Wps
MOVUPD MOVLPD UNPCKLPD UNPCKHPD MOVHPD
66
Vpd, Wpd Wpd, Vpd Vsd, Mq Mq, Vsd Vpd, Wq Vpd, Wq Vsd, Mq Mq, Vsd
MOVSD MOVDDUP invalid invalid invalid invalid invalid
F2
Vdq/sd, Wsd Wsd, Vsd Vpd,Wsd
MOV invalid invalid invalid invalid
n/a 2
Rd/q, Cd/q Rd/q, Dd/q Cd/q, Rd/q Dd/q, Rd/q
WRMSR RDTSC RDMSR RDPMC SYSENTER3 SYSEXIT3 invalid invalid
n/a 3
CMOVO CMOVNO CMOVB CMOVNB CMOVZ CMOVNZ CMOVBE CMOVNBE
n/a 4
Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev
MOVMSKPS SQRTPS RSQRTPS RCPPS ANDPS ANDNPS ORPS XORPS
none
Gd, VRps Vps, Wps Vps, Wps Vps, Wps Vps, Wps Vps, Wps Vps, Wps Vps, Wps
invalid SQRTSS RSQRTSS RCPSS invalid invalid invalid invalid
F3
Vss, Wss Vss, Wss Vss, Wss
5
MOVMSKPD SQRTPD invalid invalid ANDPD ANDNPD ORPD XORPD
66
Gd, VRpd Vpd, Wpd Vpd, Wpd Vpd, Wpd Vpd, Wpd Vpd, Wpd
invalid SQRTSD invalid invalid invalid invalid invalid invalid
F2
Vsd, Wsd
Note:
1. All two-byte opcodes begin with an 0Fh byte. Rows in the table show the high nibble of the second opcode bytes,
columns show the low nibble of this byte.
2. An opcode extension is specified in bits 5–3 of the ModRM byte. See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. Invalid in long mode.

Opcode and Operand Encodings 343

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-3. Second Byte of Two-Byte Opcodes, Low Nibble 0–7h (continued)
Prefix Nibble1 0 1 2 3 4 5 6 7
PUNPCK- PUNPCK- PUN-
PACKSSWB PCMPGTB PCMPGTW PCMPGTD PACKUSWB
none LBW LWD PCKLDQ
Pq, Qd Pq, Qd Pq, Qd Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq
invalid invalid invalid invalid invalid invalid invalid invalid
F3
6
PUNPCK- PUNPCK- PUN-
PACKSSWB PCMPGTB PCMPGTW PCMPGTD PACKUSWB
LBW LWD PCKLDQ
66 Vdq, Wq Vdq, Wq Vdq, Wq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq
invalid invalid invalid invalid invalid invalid invalid invalid
F2
PSHUFW Group 122 Group 132 Group 142 PCMPEQB PCMPEQW PCMPEQD EMMS
none
Pq, Qq, Ib Pq, Qq Pq, Qq Pq, Qq
PSHUFHW invalid invalid invalid invalid invalid invalid invalid
F3
Vq, Wq, Ib
7
PSHUFD Group 122 Group 132 Group 142 PCMPEQB PCMPEQW PCMPEQD invalid
66
Vdq, Wdq, Ib Vdq, Wdq Vdq, Wdq Vdq, Wdq
PSHUFLW invalid invalid invalid invalid invalid invalid invalid
F2
Vq, Wq, Ib
JO JNO JB JNB JZ JNZ JBE JNBE
n/a 8
Jz Jz Jz Jz Jz Jz Jz Jz
SETO SETNO SETB SETNB SETZ SETNZ SETBE SETNBE
n/a 9
Eb Eb Eb Eb Eb Eb Eb Eb
PUSH POP CPUID BT SHLD invalid invalid
n/a A
FS FS Ev, Gv Ev, Gv, Ib Ev, Gv, CL
CMPXCHG LSS BTR LFS LGS MOVZX
n/a B
Eb, Gb Ev, Gv Gz, Mp Ev, Gv Gz, Mp Gz, Mp Gv, Eb Gv, Ew
XADD CMPPS MOVNTI PINSRW PEXTRW SHUFPS Group 92
none
Vps, Wps, Ib Md/q, Gd/q Pq, Ew, Ib Gd, PRq, Ib Vps, Wps, Ib
CMPSS invalid invalid invalid invalid
F3
Vss, Wss, Ib
C
Eb, Gb Ev, Gv CMPPD invalid PINSRW PEXTRW SHUFPD Mq
66
Vpd, Wpd, Ib Vdq, Ew, Ib Gd, VRdq, Ib Vpd, Wpd, Ib
CMPSD invalid invalid invalid invalid
F2
Vsd, Wsd, Ib
invalid PSRLW PSRLD PSRLQ PADDQ PMULLW invalid PMOVMSKB
none
Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Gd, PRq
invalid invalid invalid invalid invalid invalid MOVQ2DQ invalid
F3
Vdq, PRq
D
ADDSUBPD PSRLW PSRLD PSRLQ PADDQ PMULLW MOVQ PMOVMSKB
66
Vpd, Wpd Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Wq, Vq Gd, VRdq
ADDSUBPS invalid invalid invalid invalid invalid MOVDQ2Q invalid
F2
Vps, Wps Pq, VRq
Note:
1. All two-byte opcodes begin with an 0Fh byte. Rows in the table show the high nibble of the second opcode bytes,
columns show the low nibble of this byte.
2. An opcode extension is specified in bits 5–3 of the ModRM byte. See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. Invalid in long mode.

344 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-3. Second Byte of Two-Byte Opcodes, Low Nibble 0–7h (continued)
Prefix Nibble1 0 1 2 3 4 5 6 7
PAVGB PSRAW PSRAD PAVGW PMULHUW PMULHW invalid MOVNTQ
none
Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Mq, Pq
invalid invalid invalid invalid invalid invalid CVTDQ2PD invalid
F3
Vpd, Wq
E CVTTPD2D
PAVGB PSRAW PSRAD PAVGW PMULHUW PMULHW MOVNTDQ
66 Q
Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vq, Wpd Mdq, Vdq
invalid invalid invalid invalid invalid invalid CVTPD2DQ invalid
F2
Vq, Wpd
invalid PSLLW PSLLD PSLLQ PMULUDQ PMADDWD PSADBW MASKMOVQ
none
Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, PRq
invalid invalid invalid invalid invalid invalid invalid invalid
F3
F MASK-
invalid PSLLW PSLLD PSLLQ PMULUDQ PMADDWD PSADBW
66 MOVDQU
Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, VRdq
LDDQU invalid invalid invalid invalid invalid invalid invalid
F2
Vpd,Mdq
Note:
1. All two-byte opcodes begin with an 0Fh byte. Rows in the table show the high nibble of the second opcode bytes,
columns show the low nibble of this byte.
2. An opcode extension is specified in bits 5–3 of the ModRM byte. See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. Invalid in long mode.

Table A-4. Second Byte of Two-Byte Opcodes, Low Nibble 8–Fh

Prefix Nibble1 8 9 A B C D E F
INVD WBINVD invalid UD2 invalid Group P2 FEMMS 3DNow!
See
n/a 0 “3DNow!™
PREFETCH
Opcodes” on
page 351
Group 162 NOP3 NOP3 NOP3 NOP3 NOP3 NOP3 NOP3
n/a 1
MOVAPS CVTPI2PS MOVNTPS CVTTPS2PI CVTPS2PI UCOMISS COMISS
none
Vps, Wps Wps, Vps Vps, Qq Mdq, Vps Pq, Wps Pq, Wps Vss, Wss Vps, Wps
invalid invalid CVTSI2SS MOVNTSS CVTTSS2SI CVTSS2SI invalid invalid
F3
Vss, Ed/q Md, Vss Gd/q, Wss Gd/q, Wss
2
MOVAPD CVTPI2PD MOVNTPD CVTTPD2PI CVTPD2PI UCOMISD COMISD
66
Vpd, Wpd Wpd, Vpd Vpd, Qq Mdq, Vpd Pq, Wpd Pq, Wpd Vsd, Wsd Vpd, Wsd
invalid invalid CVTSI2SD MOVNTSD CVTTSD2SI CVTSD2SI invalid invalid
F2
Vsd, Ed/q Mq, Vsd Gd/q, Wsd Gd/q, Wsd
Note:
1. All two-byte opcodes begin with an 0Fh byte. Rows show high opcode nibble (hex), columns show low opcode nibble
in hex.
2. An opcode extension is specified in the ModRM reg field (bits 5–3). See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. This instruction takes a ModRM byte.

Opcode and Operand Encodings 345

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-4. Second Byte of Two-Byte Opcodes, Low Nibble 8–Fh (continued)
Prefix Nibble1 8 9 A B C D E F
invalid invalid invalid invalid invalid invalid invalid invalid
n/a 3
CMOVS CMOVNS CMOVP CMOVNP CMOVL CMOVNL CMOVLE CMOVNLE
n/a 4
Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev Gv, Ev
ADDPS MULPS CVTPS2PD CVTDQ2PS SUBPS MINPS DIVPS MAXPS
none
Vps, Wps Vps, Wps Vpd, Wps Vps, Wdq Vps, Wps Vps, Wps Vps, Wps Vps, Wps
CVTTPS2D
ADDSS MULSS CVTSS2SD SUBSS MINSS DIVSS MAXSS
F3 Q
5 Vss, Wss Vss, Wss Vsd, Wss Vdq, Wps Vss, Wss Vss, Wss Vss, Wss Vss, Wss
ADDPD MULPD CVTPD2PS CVTPS2DQ SUBPD MINPD DIVPD MAXPD
66
Vpd, Wpd Vpd, Wpd Vps, Wpd Vdq, Wps Vpd, Wpd Vpd, Wpd Vpd, Wpd Vpd, Wpd
ADDSD MULSD CVTSD2SS invalid SUBSD MINSD DIVSD MAXSD
F2
Vsd, Wsd Vsd, Wsd Vss, Wsd Vsd, Wsd Vsd, Wsd Vsd, Wsd Vsd, Wsd
PUNPCK- PUNPCK- PUNPCK-
PACKSSDW invalid invalid MOVD MOVQ
none HBW HWD HDQ
Pq, Qd Pq, Qd Pq, Qd Pq, Qq Pq, Ed/q Pq, Qq
invalid invalid invalid invalid invalid invalid invalid MOVDQU
F3
Vdq, Wdq
6
PUNPCK- PUNPCK- PUNPCK- PUNPCK- PUNPCK-
PACKSSDW MOVD MOVDQA
66 HBW HWD HDQ LQDQ HQDQ
Vdq, Wq Vdq, Wq Vdq, Wq Vdq, Wdq Vdq, Wq Vdq, Wq Vdq, Ed/q Vdq, Wdq
invalid invalid invalid invalid invalid invalid invalid invalid
F2
invalid invalid invalid invalid invalid invalid MOVD MOVQ
none
Ed/q, Pd/q Qq, Pq
invalid invalid invalid invalid invalid invalid MOVQ MOVDQU
F3
Vq, Wq Wdq, Vdq
7
Group 172 EXTRQ invalid invalid HADDPD HSUBPD MOVD MOVDQA
66
Vdq, VRq Vpd,Wpd Vpd,Wpd Ed/q, Vd/q Wdq, Vdq
INSERTQ INSERTQ invalid invalid HADDPS HSUBPS invalid invalid
F2
Vdq,VRq,Ib,Ib Vdq, VRdq Vps,Wps Vps,Wps
JS JNS JP JNP JL JNL JLE JNLE
n/a 8
Jz Jz Jz Jz Jz Jz Jz Jz
SETS SETNS SETP SETNP SETL SETNL SETLE SETNLE
n/a 9
Eb Eb Eb Eb Eb Eb Eb Eb
PUSH POP RSM BTS SHRD Group 152 IMUL
n/a A
GS GS Ev, Gv Ev, Gv, Ib Ev, Gv, CL Gv, Ev
reserved Group 102 Group 82 BTC BSF BSR MOVSX
none
Ev, Ib Ev, Gv Gv, Ev Gv, Ev Gv, Eb Gv, Ew
POPCNT reserved reserved reserved reserved LZCNT reserved reserved
F3 B
Gv, Ev Gv, Ev
reserved reserved reserved reserved reserved reserved reserved reserved
F2
Note:
1. All two-byte opcodes begin with an 0Fh byte. Rows show high opcode nibble (hex), columns show low opcode nibble
in hex.
2. An opcode extension is specified in the ModRM reg field (bits 5–3). See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. This instruction takes a ModRM byte.

346 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-4. Second Byte of Two-Byte Opcodes, Low Nibble 8–Fh (continued)
Prefix Nibble1 8 9 A B C D E F
BSWAP
n/a C
rAX/r8 rCX/r9 rDX/r10 rBX/r11 rSP/r12 rBP/r13 rSI/r14 rDI/r15
PSUBUSB PSUBUSW PMINUB PAND PADDUSB PADDUSW PMAXUB PANDN
none
Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq
invalid invalid invalid invalid invalid invalid invalid invalid
F3
D
PSUBUSB PSUBUSW PMINUB PAND PADDUSB PADDUSW PMAXUB PANDN
66
Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq
invalid invalid invalid invalid invalid invalid invalid invalid
F2
PSUBSB PSUBSW PMINSW POR PADDSB PADDSW PMAXSW PXOR
none
Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq
invalid invalid invalid invalid invalid invalid invalid invalid
F3
E
PSUBSB PSUBSW PMINSW POR PADDSB PADDSW PMAXSW PXOR
66
Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq
invalid invalid invalid invalid invalid invalid invalid invalid
F2
PSUBB PSUBW PSUBD PSUBQ PADDB PADDW PADDD invalid
none
Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq Pq, Qq
invalid invalid invalid invalid invalid invalid invalid invalid
F3
F
PSUBB PSUBW PSUBD PSUBQ PADDB PADDW PADDD invalid
66
Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq Vdq, Wdq
invalid invalid invalid invalid invalid invalid invalid invalid
F2
Note:
1. All two-byte opcodes begin with an 0Fh byte. Rows show high opcode nibble (hex), columns show low opcode nibble
in hex.
2. An opcode extension is specified in the ModRM reg field (bits 5–3). See “ModRM Extensions to One-Byte and Two-
Byte Opcodes” on page 348 for details.
3. This instruction takes a ModRM byte.

Opcode and Operand Encodings 347

AMD64 Technology 24594—Rev. 3.14—September 2007

A.2.3 rFLAGS Condition Codes for Two-Byte Opcodes

Table A-5 shows the rFLAGS condition codes specified by the low nibble in the second opcode byte of
the CMOVcc, Jcc, and SETcc instructions.

Table A-5. rFLAGS Condition Codes for CMOVcc, Jcc, and SETcc
Low Nibble of
Arithmetic
Second Opcode rFLAGS Value cc Mnemonic Condition(s)
Type
Byte (hex)
0 OF = 1 O Overflow
Signed
1 OF = 0 NO No Overflow
2 CF = 1 B, C, NAE Below, Carry, Not Above or Equal
3 CF = 0 NB, NC, AE Not Below, No Carry, Above or Equal
4 ZF = 1 Z, E Zero, Equal
Unsigned
5 ZF = 0 NZ, NE Not Zero, Not Equal
6 CF = 1 or ZF = 1 BE, NA Below or Equal, Not Above
7 CF = 0 and ZF = 0 NBE, A Not Below or Equal, Above
8 SF = 1 S Sign
Signed
9 SF = 0 NS Not Sign
A PF = 1 P, PE Parity, Parity Even
n/a
B PF = 0 NP, PO Not Parity, Parity Odd
C (SF xor OF) = 1 L, NGE Less than, Not Greater than or Equal to
D (SF xor OF) = 0 NL, GE Not Less than, Greater than or Equal to
(SF xor OF) = 1 Signed
E LE, NG Less than or Equal to, Not Greater than
or ZF = 1
(SF xor OF) = 0
F NLE, G Not Less than or Equal to, Greater than
and ZF = 0

A.2.4 ModRM Extensions to One-Byte and Two-Byte Opcodes

The ModRM byte, which immediately follows the last opcode byte, is used in certain instruction
encodings to provide additional opcode bits with which to define the function of the instruction.
ModRM bytes have three fields—mod, reg, and r/m, as shown in Figure A-1.

Bits: 7 6 5 4 3 2 1 0
mod reg r/m ModRM

513-325.eps

Figure A-1. ModRM-Byte Fields

In most cases, the reg field (bits 5–3) provides the additional bits with which to extend the encodings
of the first one or two opcode bytes. In the case of the x87 floating-point instructions, the entire
ModRM byte is used to extend the opcode encodings.

348 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-6 on page 349 shows how the ModRM reg field is used to extend the range of one-byte and
two-byte opcodes. The opcode ranges are organized into groups of opcode extensions. The group
number is shown in the left-most column of Table A-6. These groups are referenced in the opcodes
shown in Table A-1 on page 341 through Table A-4 on page 345. An entry of “n.a.” in the Prefix
column means that prefixes are not applicable to the opcodes in that row. Prefixes only apply to certain
128-bit media, 64-bit media, and a few other instructions introduced with the SSE or SSE2
technologies.
The /0 through /7 notation for the ModRM reg field (bits 5–3) means that the three-bit field contains a
value from zero (binary 000) to 7 (binary 111).

Table A-6. One-Byte and Two-Byte Opcode ModRM Extensions

Group ModRM reg Field
Prefix Opcode
Number /0 /1 /2 /3 /4 /5 /6 /7
ADD OR ADC SBB AND SUB XOR CMP
80
Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib
ADD OR ADC SBB AND SUB XOR CMP
81
Ev, Iz Ev, Iz Ev, Iz Ev, Iz Ev, Iz Ev, Iz Ev, Iz Ev, Iz
Group 1 n/a
ADD OR ADC SBB AND SUB XOR CMP
82
Eb, Ib2 Eb, Ib2 Eb, Ib2 Eb, Ib2 Eb, Ib2 Eb, Ib2 Eb, Ib2 Eb, Ib2
ADD OR ADC SBB AND SUB XOR CMP
83
Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib
POP invalid invalid invalid invalid invalid invalid invalid
Group 1a n/a 8F
Ev
ROL ROR RCL RCR SHL/SAL SHR SHL/SAL SAR
C0
Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib Eb, Ib
ROL ROR RCL RCR SHL/SAL SHR SHL/SAL SAR
C1
Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib Ev, Ib
ROL ROR RCL RCR SHL/SAL SHR SHL/SAL SAR
D0
Eb, 1 Eb, 1 Eb, 1 Eb, 1 Eb, 1 Eb, 1 Eb, 1 Eb, 1
Group 2 n/a
ROL ROR RCL RCR SHL/SAL SHR SHL/SAL SAR
D1
Ev, 1 Ev, 1 Ev, 1 Ev, 1 Ev, 1 Ev, 1 Ev, 1 Ev, 1
ROL ROR RCL RCR SHL/SAL SHR SHL/SAL SAR
D2
Eb, CL Eb, CL Eb, CL Eb, CL Eb, CL Eb, CL Eb, CL Eb, CL
ROL ROR RCL RCR SHL/SAL SHR SHL/SAL SAR
D3
Ev, CL Ev, CL Ev, CL Ev, CL Ev, CL Ev, CL Ev, CL Ev, CL
TEST NOT NEG MUL IMUL DIV IDIV
F6
Eb,Ib Eb Eb Eb Eb Eb Eb
Group 3 n/a
TEST NOT NEG MUL IMUL DIV IDIV
F7
Ev,Iz Ev Ev Ev Ev Ev Ev
INC DEC invalid invalid invalid invalid invalid invalid
Group 4 n/a FE
Eb Eb
INC DEC CALL CALL JMP JMP PUSH invalid
Group 5 n/a FF
Ev Ev Ev Mp Ev Mp Ev
Note:
1. See Table A-7 on page 351 for ModRM extensions of this two-byte opcode.
2. Invalid in 64-bit mode.
3. This instruction takes a ModRM byte.
4. Reserved prefetch encodings are aliased to the /0 encoding (PREFETCH Exclusive) for future compatibility.

Opcode and Operand Encodings 349

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-6. One-Byte and Two-Byte Opcode ModRM Extensions (continued)

Group ModRM reg Field
Prefix Opcode
Number /0 /1 /2 /3 /4 /5 /6 /7
SLDT STR LLDT LTR VERR VERW invalid invalid
Group 6 n/a 0F 00
Mw/Rv Mw/Rv Ew Ew Ew Ew
SGDT SIDT INVLPG
LGDT LIDT SMSW invalid LMSW
Ms Ms Mb
Group 7 n/a 0F 01
MONITOR1 Ms SWAPGS1
Ms Mw/Rv Ew
MWAIT SVM1 RDTSCP
invalid invalid invalid invalid BT BTS BTR BTC
Group 8 n/a 0F BA
Ev, Ib Ev, Ib Ev, Ib Ev, Ib
CMPXCH
invalid invalid invalid invalid invalid invalid invalid
G8B
Group 9 n/a 0F C7 Mq
CMPXCH
G16Mdq
invalid invalid invalid invalid invalid invalid invalid invalid
Group 10 n/a 0F B9

MOV invalid invalid invalid invalid invalid invalid invalid

n/a C6
Eb,Ib
Group 11
MOV invalid invalid invalid invalid invalid invalid invalid
n/a C7
Ev,Iz
invalid invalid PSRLW invalid PSRAW invalid PSLLW invalid
none
PRq, Ib PRq, Ib PRq, Ib
invalid invalid PSRLW invalid PSRAW invalid PSLLW invalid
Group 12 66 0F 71
VRdq, Ib VRdq, Ib VRdq, Ib
invalid invalid invalid invalid invalid invalid invalid invalid
F2, F3

invalid invalid PSRLD invalid PSRAD invalid PSLLD invalid

none
PRq, Ib PRq, Ib PRq, Ib
invalid invalid PSRLD invalid PSRAD invalid PSLLD invalid
Group 13 66 0F 72
VRdq, Ib VRdq, Ib VRdq, Ib
invalid invalid invalid invalid invalid invalid invalid invalid
F2, F3

invalid invalid PSRLQ invalid invalid invalid PSLLQ invalid

none
PRq, Ib PRq, Ib
invalid invalid PSRLQ PSRLDQ invalid invalid PSLLQ PSLLDQ
Group 14 66 0F 73
VRdq, Ib VRdq, Ib VRdq, Ib VRdq, Ib
invalid invalid invalid invalid invalid invalid invalid invalid
F2, F3

FXSAVE FXRSTOR LDMXCSR STMXCSR invalid LFENCE1 MFENCE1 SFENCE1

none CLFLUSH
M M Md Md
Group 15 0F AE Mb
66, invalid invalid invalid invalid invalid invalid invalid invalid
F2, F3
PREFETCH PREFETCH PREFETCH PREFETCH NOP4 NOP4 NOP4 NOP4
Group 16 n/a. 0F 18
NTA T0 T1 T2
Note:
1. See Table A-7 on page 351 for ModRM extensions of this two-byte opcode.
2. Invalid in 64-bit mode.
3. This instruction takes a ModRM byte.
4. Reserved prefetch encodings are aliased to the /0 encoding (PREFETCH Exclusive) for future compatibility.

350 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-6. One-Byte and Two-Byte Opcode ModRM Extensions (continued)

Group ModRM reg Field
Prefix Opcode
Number /0 /1 /2 /3 /4 /5 /6 /7
EXTRQ invalid invalid invalid invalid invalid invalid invalid
66
Vdq, Ib, Ib
Group 17 0F 78
none, invalid invalid invalid invalid invalid invalid invalid invalid
F2, F3
PREFETCH PREFETCH Prefetch PREFETCH Prefetch Prefetch Prefetch Prefetch
Group P n/a. 0F 0D 4 4 4 4
Exclusive Modified Reserved Modified Reserved Reserved Reserved Reserved4
Note:
1. See Table A-7 on page 351 for ModRM extensions of this two-byte opcode.
2. Invalid in 64-bit mode.
3. This instruction takes a ModRM byte.
4. Reserved prefetch encodings are aliased to the /0 encoding (PREFETCH Exclusive) for future compatibility.

A.2.5 ModRM Extensions to Opcodes 0F 01 and 0F AE

Table A-7 shows the ModRM r/m field encodings for the 0F 01 and 0F AE opcodes, shown in
Table A-6 on page 349. The 0F 01 opcode is shared by several system instructions, and the 0F AE
opcode is shared by several media and fence instructions. The opcodes are differentiated by the fact
that the binary value of the ModRM mod field is always 11 for these instructions. The ModRM mod
field can be any value except 11 for the instructions having an explicit memory operand.

Table A-7. Opcode 0F 01 and 0F AE ModRM Extensions

ModRM r/m Field
Opcode
0 1 2 3 4 5 6 7
0F 01 /7 0F 01 F8 0F 01 F9
invalid invalid invalid invalid invalid invalid
mod=11 SWAPGS RDTSCP
0F 01 /3 0F 01 D8 0F 01 D9 0F 01 DA 0F 01 DB 0F 01 DC 0F 01 DD 0F 01 DE 0F 01 DF
mod=11 VMRUN VMMCALL VMLOAD VMSAVE STGI CLGI SKINIT INVLPGA
0F 01 /1 0F 01 C8 0F 01 C9
invalid invalid invalid invalid invalid invalid
mod=11 MONITOR MWAIT
0F AE /5
LFENCE
mod=11
0F AE /6
MFENCE
mod=11
0F AE /7
SFENCE
mod=11

A.2.6 3DNow!™ Opcodes

The 64-bit media instructions include the MMX™ instructions and the AMD 3DNow!™ instructions.
The MMX instructions are encoded using two opcode bytes, as described in “Two-Byte Opcodes” on
page 343.
The 3DNow! instructions are encoded using two 0Fh opcode bytes and an immediate byte that is
located at the last byte position of the instruction encoding. Thus, the format for 3DNow! instructions
is:

Opcode and Operand Encodings 351

AMD64 Technology 24594—Rev. 3.14—September 2007

0Fh 0Fh [ModRM] [SIB] [displacement] imm8_opcode

Table A-8 and Table A-9 on page 353 show the immediate byte following the opcode bytes for
3DNow! instructions. In these tables, rows show the high nibble of the immediate byte, and columns
show the low nibble of the immediate byte. Table A-8 shows the immediate bytes whose low nibble is
in the range 0–7h. Table A-9 shows the same for immediate bytes whose low nibble is in the range
8–Fh.
Byte values shown as reserved in these tables have implementation-specific functions, which can
include an invalid-opcode exception.

Table A-8. Immediate Byte for 3DNow!™ Opcodes, Low Nibble 0–7h
Nibble1 0 1 2 3 4 5 6 7
reserved reserved reserved reserved reserved reserved reserved reserved
0
reserved reserved reserved reserved reserved reserved reserved reserved
1
reserved reserved reserved reserved reserved reserved reserved reserved
2
reserved reserved reserved reserved reserved reserved reserved reserved
3
reserved reserved reserved reserved reserved reserved reserved reserved
4
reserved reserved reserved reserved reserved reserved reserved reserved
5
reserved reserved reserved reserved reserved reserved reserved reserved
6
reserved reserved reserved reserved reserved reserved reserved reserved
7
reserved reserved reserved reserved reserved reserved reserved reserved
8
PFCMPGE reserved reserved reserved PFMIN reserved PFRCP PFRSQRT
9
Pq, Qq Pq, Qq Pq, Qq Pq, Qq
PFCMPGT reserved reserved reserved PFMAX reserved PFRCPIT1 PFRSQIT1
A
Pq, Qq Pq, Qq Pq, Qq Pq, Qq
PFCMPEQ reserved reserved reserved PFMUL reserved PFRCPIT2 PMULHRW
B
Pq, Qq Pq, Qq Pq, Qq Pq, Qq
reserved reserved reserved reserved reserved reserved reserved reserved
C
reserved reserved reserved reserved reserved reserved reserved reserved
D
reserved reserved reserved reserved reserved reserved reserved reserved
E
reserved reserved reserved reserved reserved reserved reserved reserved
F
Note:
1. All 3DNow!™ opcodes consist of two 0Fh bytes. This table shows the immediate byte for 3DNow! opcodes. Rows
show the high nibble of the immediate byte. Columns show the low nibble of the immediate byte.

352 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-9. Immediate Byte for 3DNow!™ Opcodes, Low Nibble 8–Fh
Nibble1 8 9 A B C D E F
reserved reserved reserved reserved PI2FW PI2FD reserved reserved
0
Pq, Qq Pq, Qq
reserved reserved reserved reserved PF2IW PF2ID reserved reserved
1
Pq, Qq Pq, Qq
reserved reserved reserved reserved reserved reserved reserved reserved
2
reserved reserved reserved reserved reserved reserved reserved reserved
3
reserved reserved reserved reserved reserved reserved reserved reserved
4
reserved reserved reserved reserved reserved reserved reserved reserved
5
reserved reserved reserved reserved reserved reserved reserved reserved
6
reserved reserved reserved reserved reserved reserved reserved reserved
7
reserved reserved PFNACC reserved reserved reserved PFPNACC reserved
8
Pq, Qq Pq, Qq
reserved reserved PFSUB reserved reserved reserved PFADD reserved
9
Pq, Qq Pq, Qq
reserved reserved PFSUBR reserved reserved reserved PFACC reserved
A
Pq, Qq Pq, Qq
reserved reserved reserved PSWAPD reserved reserved reserved PAVGUSB
B
Pq, Qq Pq, Qq
reserved reserved reserved reserved reserved reserved reserved reserved
C
reserved reserved reserved reserved reserved reserved reserved reserved
D
reserved reserved reserved reserved reserved reserved reserved reserved
E
reserved reserved reserved reserved reserved reserved reserved reserved
F
Note:
1. All 3DNow!™ opcodes consist of two 0Fh bytes. This table shows the immediate byte for 3DNow! opcodes. Rows
show the high nibble of the immediate byte. Columns show the low nibble of the immediate byte.

Opcode and Operand Encodings 353

AMD64 Technology 24594—Rev. 3.14—September 2007

A.2.7 x87 Encodings

All x87 instructions begin with an opcode byte in the range D8h to DFh, as shown in Table A-2 on
page 342. These opcodes are followed by a ModRM byte that further defines the opcode. Table A-10
shows both the opcode byte and the ModRM byte for each x87 instruction.
There are two significant ranges for the ModRM byte for x87 opcodes: 00–BFh and C0–FFh. When
the value of the ModRM byte falls within the first range, 00–BFh, the opcode uses only the reg field to
further define the opcode. When the value of the ModRM byte falls within the second range, C0–FFh,
the opcode uses the entire ModRM byte to further define the opcode.
Byte values shown as reserved or invalid in Table A-10 have implementation-specific functions, which
can include an invalid-opcode exception.
The basic instructions FNSTENV, FNSTCW, FNCLEX, FNINIT, FNSAVE, FNSTSW, and FNSTSW
do not check for possible floating point exceptions before operating. Utility versions of these
mnemonics are provided that insert an FWAIT (opcode 9B) before the corresponding non-waiting
instruction. These are FSTENV, FSTCW, FCLEX, FINIT, FSAVE, and FSTSW. For further
information on wait and non-waiting versions of these instructions, see their corresponding pages in
Volume 5.

354 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-10. x87 Opcodes and ModRM Extensions

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7

00–BF
!11 FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
mem32real mem32real mem32real mem32real mem32real mem32real mem32real mem32real
C0 C8 D0 D8 E0 E8 F0 F8
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
ST(0), ST(0),
ST(0), ST(0) ST(0), ST(0) ST(0), ST(0) ST(0), ST(0) ST(0), ST(0) ST(0), ST(0)
ST(0) ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
ST(0), ST(0),
ST(0), ST(1) ST(0), ST(1) ST(0), ST(1) ST(0), ST(1) ST(0), ST(1) ST(0), ST(1)
ST(1) ST(1)
C2 CA D2 DA E2 EA F2 FA
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
ST(0), ST(0),
ST(0), ST(2) ST(0), ST(2) ST(0), ST(2) ST(0), ST(2) ST(0), ST(2) ST(0), ST(2)
ST(2) ST(2)
C3 CB D3 DB E3 EB F3 FB
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
D8 ST(0), ST(0),
ST(0), ST(3) ST(0), ST(3) ST(0), ST(3) ST(0), ST(3) ST(0), ST(3) ST(0), ST(3)
ST(3) ST(3)
11
C4 CC D4 DC E4 EC F4 FC
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
ST(0), ST(0),
ST(0), ST(4) ST(0), ST(4) ST(0), ST(4) ST(0), ST(4) ST(0), ST(4) ST(0), ST(4)
ST(4) ST(4)
C5 CD D5 DD E5 ED F5 FD
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
ST(0), ST(0),
ST(0), ST(5) ST(0), ST(5) ST(0), ST(5) ST(0), ST(5) ST(0), ST(5) ST(0), ST(5)
ST(5) ST(5)
C6 CE D6 DE E6 EE F6 FE
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
ST(0), ST(0),
ST(0), ST(6) ST(0), ST(6) ST(0), ST(6) ST(0), ST(6) ST(0), ST(6) ST(0), ST(6)
ST(6) ST(6)
C7 CF D7 DF E7 EF F7 FF
FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
ST(0), ST(0),
ST(0), ST(7) ST(0), ST(7) ST(0), ST(7) ST(0), ST(7) ST(0), ST(7) ST(0), ST(7)
ST(7) ST(7)

Opcode and Operand Encodings 355

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-10. x87 Opcodes and ModRM Extensions (continued)

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7
00–BF
!11 FLD invalid FST FSTP FLDENV FLDCW FNSTENV FNSTCW
mem32real mem32real mem32real mem14/28env mem16 mem14/28env mem16
C0 C8 D0 D8 E0 E8 F0 F8
FLD FXCH FNOP reserved FCHS FLD1 F2XM1 FPREM
ST(0),
ST(0), ST(0)
ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
FLD FXCH invalid reserved FABS FLDL2T FYL2X FYL2XP1
ST(0),
ST(0), ST(1)
ST(1)
C2 CA D2 DA E2 EA F2 FA
FLD FXCH invalid reserved invalid FLDL2E FPTAN FSQRT
ST(0),
ST(0), ST(2)
ST(2)
C3 CB D3 DB E3 EB F3 FB
FLD FXCH invalid reserved invalid FLDPI FPATAN FSINCOS
D9 ST(0),
ST(0), ST(3)
ST(3)
11
C4 CC D4 DC E4 EC F4 FC
FLD FXCH invalid reserved FTST FLDLG2 FXTRACT FRNDINT
ST(0),
ST(0), ST(4)
ST(4)
C5 CD D5 DD E5 ED F5 FD
FLD FXCH invalid reserved FXAM FLDLN2 FPREM1 FSCALE
ST(0),
ST(0), ST(5)
ST(5)
C6 CE D6 DE E6 EE F6 FE
FLD FXCH invalid reserved invalid FLDZ FDECSTP FSIN
ST(0),
ST(0), ST(6)
ST(6)
C7 CF D7 DF E7 EF F7 FF
FLD FXCH invalid reserved invalid invalid FINCSTP FCOS
ST(0),
ST(0), ST(7)
ST(7)

356 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-10. x87 Opcodes and ModRM Extensions (continued)

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7
00–BF
!11 FIADD FIMUL FICOM FICOMP FISUB FISUBR FIDIV FIDIVR
mem32int mem32int mem32int mem32int mem32int mem32int mem32int mem32int
C0 C8 D0 D8 E0 E8 F0 F8
FCMOVB FCMOVE FCMOVBE FCMOVU invalid invalid invalid invalid
ST(0),
ST(0), ST(0) ST(0), ST(0) ST(0), ST(0)
ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
FCMOVB FCMOVE FCMOVBE FCMOVU invalid FUCOMPP invalid invalid
ST(0),
ST(0), ST(1) ST(0), ST(1) ST(0), ST(1)
ST(1)
C2 CA D2 DA E2 EA F2 FA
FCMOVB FCMOVE FCMOVBE FCMOVU invalid invalid invalid invalid
ST(0),
ST(0), ST(2) ST(0), ST(2) ST(0), ST(2)
ST(2)
C3 CB D3 DB E3 EB F3 FB
FCMOVB FCMOVE FCMOVBE FCMOVU invalid invalid invalid invalid
DA ST(0),
ST(0), ST(3) ST(0), ST(3) ST(0), ST(3)
ST(3)
11
C4 CC D4 DC E4 EC F4 FC
FCMOVB FCMOVE FCMOVBE FCMOVU invalid invalid invalid invalid
ST(0),
ST(0), ST(4) ST(0), ST(4) ST(0), ST(4)
ST(4)
C5 CD D5 DD E5 ED F5 FD
FCMOVB FCMOVE FCMOVBE FCMOVU invalid invalid invalid invalid
ST(0),
ST(0), ST(5) ST(0), ST(5) ST(0), ST(5)
ST(5)
C6 CE D6 DE E6 EE F6 FE
FCMOVB FCMOVE FCMOVBE FCMOVU invalid invalid invalid invalid
ST(0),
ST(0), ST(6) ST(0), ST(6) ST(0), ST(6)
ST(6)
C7 CF D7 DF E7 EF F7 FF
FCMOVB FCMOVE FCMOVBE FCMOVU invalid invalid invalid invalid
ST(0),
ST(0), ST(7) ST(0), ST(7) ST(0), ST(7)
ST(7)

Opcode and Operand Encodings 357

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-10. x87 Opcodes and ModRM Extensions (continued)

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7

00–BF
!11 FILD FISTTP FIST FISTP invalid FLD invalid FSTP
mem32int mem32int mem32int mem32int mem80real mem80real
C0 C8 D0 D8 E0 E8 F0 F8
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU reserved FUCOMI FCOMI invalid
ST(0), ST(0),
ST(0), ST(0) ST(0), ST(0) ST(0), ST(0) ST(0), ST(0)
ST(0) ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU reserved FUCOMI FCOMI invalid
ST(0), ST(0),
ST(0), ST(1) ST(0), ST(1) ST(0), ST(1) ST(0), ST(1)
ST(1) ST(1)
C2 CA D2 DA E2 EA F2 FA
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU FNCLEX FUCOMI FCOMI invalid
ST(0), ST(0),
ST(0), ST(2) ST(0), ST(2) ST(0), ST(2) ST(0), ST(2)
ST(2) ST(2)
C3 CB D3 DB E3 EB F3 FB
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU FNINIT FUCOMI FCOMI invalid
DB ST(0), ST(0),
ST(0), ST(3) ST(0), ST(3) ST(0), ST(3) ST(0), ST(3)
ST(3) ST(3)
11
C4 CC D4 DC E4 EC F4 FC
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU reserved FUCOMI FCOMI invalid
ST(0), ST(0),
ST(0), ST(4) ST(0), ST(4) ST(0), ST(4) ST(0), ST(4)
ST(4) ST(4)
C5 CD D5 DD E5 ED F5 FD
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU invalid FUCOMI FCOMI invalid
ST(0), ST(0),
ST(0), ST(5) ST(0), ST(5) ST(0), ST(5) ST(0), ST(5)
ST(5) ST(5)
C6 CE D6 DE E6 EE F6 FE
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU invalid FUCOMI FCOMI invalid
ST(0), ST(0),
ST(0), ST(6) ST(0), ST(6) ST(0), ST(6) ST(0), ST(6)
ST(6) ST(6)
C7 CF D7 DF E7 EF F7 FF
FCMOVNB FCMOVNE FCMOVNBE FCMOVNU invalid FUCOMI FCOMI invalid
ST(0), ST(0),
ST(0), ST(7) ST(0), ST(7) ST(0), ST(7) ST(0), ST(7)
ST(7) ST(7)

358 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-10. x87 Opcodes and ModRM Extensions (continued)

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7
00–BF
!11 FADD FMUL FCOM FCOMP FSUB FSUBR FDIV FDIVR
mem64real mem64real mem64real mem64real mem64real mem64real mem64real mem64real
C0 C8 D0 D8 E0 E8 F0 F8
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
ST(0), ST(0),
ST(0), ST(0) ST(0), ST(0) ST(0), ST(0) ST(0), ST(0)
ST(0) ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
ST(1), ST(1),
ST(1), ST(0) ST(1), ST(0) ST(1), ST(0) ST(1), ST(0)
ST(0) ST(0)
C2 CA D2 DA E2 EA F2 FA
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
ST(2), ST(2),
ST(2), ST(0) ST(2), ST(0) ST(2), ST(0) ST(2), ST(0)
ST(0) ST(0)
C3 CB D3 DB E3 EB F3 FB
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
DC ST(3), ST(3),
ST(3), ST(0) ST(3), ST(0) ST(3), ST(0) ST(3), ST(0)
ST(0) ST(0)
11
C4 CC D4 DC E4 EC F4 FC
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
ST(4), ST(4),
ST(4), ST(0) ST(4), ST(0) ST(4), ST(0) ST(4), ST(0)
ST(0) ST(0)
C5 CD D5 DD E5 ED F5 FD
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
ST(5), ST(5),
ST(5), ST(0) ST(5), ST(0) ST(5), ST(0) ST(5), ST(0)
ST(0) ST(0)
C6 CE D6 DE E6 EE F6 FE
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
ST(6), ST(6),
ST(6), ST(0) ST(6), ST(0) ST(6), ST(0) ST(6), ST(0)
ST(0) ST(0)
C7 CF D7 DF E7 EF F7 FF
FADD FMUL reserved reserved FSUBR FSUB FDIVR FDIV
ST(7), ST(7),
ST(7), ST(0) ST(7), ST(0) ST(7), ST(0) ST(7), ST(0)
ST(0) ST(0)

Opcode and Operand Encodings 359

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-10. x87 Opcodes and ModRM Extensions (continued)

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7
00–BF
FLD FISTTP FST FSTP FRSTOR invalid FNSAVE FNSTSW
!11
mem98/108e mem98/108e
mem64real mem64int mem64real mem64real mem16
nv nv
C0 C8 D0 D8 E0 E8 F0 F8
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(0) ST(0) ST(0) ST(0), ST(0) ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(1) ST(1) ST(1) ST(1), ST(0) ST(1)
C2 CA D2 DA E2 EA F2 FA
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(2) ST(2) ST(2) ST(2), ST(0) ST(2)
C3 CB D3 DB E3 EB F3 FB
DD
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(3) ST(3) ST(3) ST(3), ST(0) ST(3)
11
C4 CC D4 DC E4 EC F4 FC
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(4) ST(4) ST(4) ST(4), ST(0) ST(4)
C5 CD D5 DD E5 ED F5 FD
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(5) ST(5) ST(5) ST(5), ST(0) ST(5)
C6 CE D6 DE E6 EE F6 FE
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(6) ST(6) ST(6) ST(6), ST(0) ST(6)
C7 CF D7 DF E7 EF F7 FF
FFREE reserved FST FSTP FUCOM FUCOMP invalid invalid
ST(7) ST(7) ST(7) ST(7), ST(0) ST(7)

360 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-10. x87 Opcodes and ModRM Extensions (continued)

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7
00–BF
!11 FIADD FIMUL FICOM FICOMP FISUB FISUBR FIDIV FIDIVR
mem16int mem16int mem16int mem16int mem16int mem16int mem16int mem16int
C0 C8 D0 D8 E0 E8 F0 F8
FADDP FMULP reserved invalid FSUBRP FSUBP FDIVRP FDIVP
ST(0), ST(0),
ST(0), ST(0) ST(0), ST(0) ST(0), ST(0) ST(0), ST(0)
ST(0) ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
FADDP FMULP reserved FCOMPP FSUBRP FSUBP FDIVRP FDIVP
ST(1), ST(1),
ST(1), ST(0) ST(1), ST(0) ST(1), ST(0) ST(1), ST(0)
ST(0) ST(0)
C2 CA D2 DA E2 EA F2 FA
FADDP FMULP reserved invalid FSUBRP FSUBP FDIVRP FDIVP
ST(2), ST(2),
ST(2), ST(0) ST(2), ST(0) ST(2), ST(0) ST(2), ST(0)
ST(0) ST(0)
C3 CB D3 DB E3 EB F3 FB
FADDP FMULP reserved invalid FSUBRP FSUBP FDIVRP FDIVP
DE ST(3), ST(3),
ST(3), ST(0) ST(3), ST(0) ST(3), ST(0) ST(3), ST(0)
ST(0) ST(0)
11
C4 CC D4 DC E4 EC F4 FC
FADDP FMULP reserved invalid FSUBRP FSUBP FDIVRP FDIVP
ST(4), ST(4),
ST(4), ST(0) ST(4), ST(0) ST(4), ST(0) ST(4), ST(0)
ST(0) ST(0)
C5 CD D5 DD E5 ED F5 FD
FADDP FMULP reserved invalid FSUBRP FSUBP FDIVRP FDIVP
ST(5), ST(5),
ST(5), ST(0) ST(5), ST(0) ST(5), ST(0) ST(5), ST(0)
ST(0) ST(0)
C6 CE D6 DE E6 EE F6 FE
FADDP FMULP reserved invalid FSUBRP FSUBP FDIVRP FDIVP
ST(6), ST(6),
ST(6), ST(0) ST(6), ST(0) ST(6), ST(0) ST(6), ST(0)
ST(0) ST(0)
C7 CF D7 DF E7 EF F7 FF
FADDP FMULP reserved invalid FSUBRP FSUBP FDIVRP FDIVP
ST(7), ST(7),
ST(7), ST(0) ST(7), ST(0) ST(7), ST(0) ST(7), ST(0)
ST(0) ST(0)

Opcode and Operand Encodings 361

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-10. x87 Opcodes and ModRM Extensions (continued)

ModRM ModRM reg Field
Opcode mod
Field /0 /1 /2 /3 /4 /5 /6 /7
00–BF
!11 FILD FISTTP FIST FISTP FBLD FILD FBSTP FISTP
mem16int mem16int mem16int mem16int mem80dec mem64int mem80dec mem64int
C0 C8 D0 D8 E0 E8 F0 F8
reserved reserved reserved reserved FNSTSW FUCOMIP FCOMIP invalid
ST(0),
AX ST(0), ST(0)
ST(0)
C1 C9 D1 D9 E1 E9 F1 F9
reserved reserved reserved reserved invalid FUCOMIP FCOMIP invalid
ST(0),
ST(0), ST(1)
ST(1)
C2 CA D2 DA E2 EA F2 FA
reserved reserved reserved reserved invalid FUCOMIP FCOMIP invalid
ST(0),
ST(0), ST(2)
ST(2)
C3 CB D3 DB E3 EB F3 FB
reserved reserved reserved reserved invalid FUCOMIP FCOMIP invalid
DF ST(0),
ST(0), ST(3)
ST(3)
11
C4 CC D4 DC E4 EC F4 FC
reserved reserved reserved reserved invalid FUCOMIP FCOMIP invalid
ST(0),
ST(0), ST(4)
ST(4)
C5 CD D5 DD E5 ED F5 FD
reserved reserved reserved reserved invalid FUCOMIP FCOMIP invalid
ST(0),
ST(0), ST(5)
ST(5)
C6 CE D6 DE E6 EE F6 FE
reserved reserved reserved reserved invalid FUCOMIP FCOMIP invalid
ST(0),
ST(0), ST(6)
ST(6)
C7 CF D7 DF E7 EF F7 FF
reserved reserved reserved reserved invalid FUCOMIP FCOMIP invalid
ST(0),
ST(0), ST(7)
ST(7)

362 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

A.2.8 rFLAGS Condition Codes for x87 Opcodes

Table A-11 shows the rFLAGS condition codes specified by the opcode and ModRM bytes of the
FCMOVcc instructions.

Table A-11. rFLAGS Condition Codes for FCMOVcc

ModRM ModRM
Opcode
mod reg rFLAGS Value cc Mnemonic Condition
(hex)
Field Field
000 CF = 1 B Below
001 ZF = 1 E Equal
DA
010 CF = 1 or ZF = 1 BE Below or Equal
011 PF = 1 U Unordered
11
000 CF = 0 NB Not Below
001 ZF = 0 NE Not Equal
DB
010 CF = 0 and ZF = 0 NBE Not Below or Equal
011 PF = 0 NU Not Unordered

A.3 Operand Encodings

Register and memory operands are encoded using the mode-register-memory (ModRM) and the scale-
index-base (SIB) bytes that follow the opcodes. In some instructions, the ModRM byte is followed by
an SIB byte, which defines the instruction’s memory-addressing mode for the complex-addressing
modes.

A.3.1 ModRM Operand References

Figure A-2 on page 364 shows the format of a ModRM byte. There are three fields—mod, reg, and
r/m. The reg field not only provides additional opcode bits—as described above beginning with
“ModRM Extensions to One-Byte and Two-Byte Opcodes” on page 348 and ending with “x87
Encodings” on page 354—but is also used with the other two fields to specify operands. The mod and
r/m fields are used together with each other and, in 64-bit mode, with the REX.R and REX.B bits of the
REX prefix, to specify the location of the instruction’s operands and certain of the possible addressing
modes (specifically, the non-complex modes).

Opcode and Operand Encodings 363

AMD64 Technology 24594—Rev. 3.14—September 2007

Bits: 7 6 5 4 3 2 1 0
mod reg r/m ModRM

REX.R bit of REX prefix can

extend this field to 4 bits

REX.B bit of REX prefix can

extend this field to 4 bits 513-305.eps

Figure A-2. ModRM-Byte Format

The two sections below describe the ModRM operand encodings, first for 16-bit references and then
for 32-bit and 64-bit references.

16-Bit Register and Memory References. Table A-12 shows the notation and encoding
conventions for register references using the ModRM reg field. This table is comparable to Table A-14
on page 367 but applies only when the address-size is 16-bit. Table A-13 on page 365 shows the
notation and encoding conventions for 16-bit memory references using the ModRM byte. This table is
comparable to Table A-15 on page 368.

Table A-12. ModRM Register References, 16-Bit Addressing

Mnemonic ModRM reg Field
Notation /0 /1 /2 /3 /4 /5 /6 /7
reg8 AL CL DL BL AH CH DH BH
reg16 AX CX DX BX SP BP SI DI
reg32 EAX ECX EDX EBX ESP EBP ESI EDI
mmx MMX0 MMX1 MMX2 MMX3 MMX4 MMX5 MMX6 MMX7
xmm XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7
sReg ES CS SS DS FS GS invalid invalid
cReg CR0 CR1 CR2 CR3 CR4 CR5 CR6 CR7
dReg DR0 DR1 DR2 DR3 DR4 DR5 DR6 DR7

364 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-13. ModRM Memory References, 16-Bit Addressing

ModRM ModRM reg Field2 ModRM
mod r/m
Effective Address1 Field /0 /1 /2 /3 /4 /5 /6 /7 Field
(binary) Complete ModRM Byte (hex) (binary)
[BX+SI] 00 08 10 18 20 28 30 38 000

[BX+DI] 01 09 11 19 21 29 31 39 001

[BP+SI] 02 0A 12 1A 22 2A 32 3A 010

[BP+DI] 03 0B 13 1B 23 2B 33 3B 011
00
[SI] 04 0C 14 1C 24 2C 34 3C 100

[DI] 05 0D 15 1D 25 2D 35 3D 101

[disp16] 06 0E 16 1E 26 2E 36 3E 110

[BX] 07 0F 17 1F 27 2F 37 3F 111

[BX+SI+disp8] 40 48 50 58 60 68 70 78 000

[BX+DI+disp8] 41 49 51 59 61 69 71 79 001

[BP+SI+disp8] 42 4A 52 5A 62 6A 72 7A 010

[BP+DI+disp8] 43 4B 53 5B 63 6B 73 7B 011
01
[SI+disp8] 44 4C 54 5C 64 6C 74 7C 100

[DI+disp8] 45 4D 55 5D 65 6D 75 7D 101

[BP+disp8] 46 4E 56 5E 66 6E 76 7E 110

[BX+disp8] 47 4F 57 5F 67 6F 77 7F 111

[BX+SI+disp16] 80 88 90 98 A0 A8 B0 B8 000

[BX+DI+disp16] 81 89 91 99 A1 A9 B1 B9 001

[BP+SI+disp16] 82 8A 92 9A A2 AA B2 BA 010

[BP+DI+disp16] 83 8B 93 9B A3 AB B3 BB 011
10
[SI+disp16] 84 8C 94 9C A4 AC B4 BC 100

[DI+disp16] 85 8D 95 9D A5 AD B5 BD 101

[BP+disp16] 86 8E 96 9E A6 AE B6 BE 110

[BX+disp16] 87 8F 97 9F A7 AF B7 BF 111
Note:
1. In these combinations, “disp8” and “disp16” indicate an 8-bit or 16-bit signed displacement.
2. See Table A-12 for complete specification of ModRM “reg” field.

Opcode and Operand Encodings 365

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-13. ModRM Memory References, 16-Bit Addressing (continued)

ModRM ModRM reg Field2 ModRM
mod r/m
Effective Address1 Field /0 /1 /2 /3 /4 /5 /6 /7 Field
(binary) Complete ModRM Byte (hex) (binary)
AL/AX/EAX/MMX0/XMM0 C0 C8 D0 D8 E0 E8 F0 F8 000

CL/CX/ECX/MMX1/XMM1 C1 C9 D1 D9 E1 E9 F1 F9 001

DL/DX/EDX/MMX2/XMM2 C2 CA D2 DA E2 EA F2 FA 010

BL/BX/EBX/MMX3/XMM3 C3 CB D3 DB E3 EB F3 FB 011
11
AH/SP/ESP/MMX4/XMM4 C4 CC D4 DC E4 EC F4 FC 100

CH/BP/EBP/MMX5/XMM5 C5 CD D5 DD E5 ED F5 FD 101

DH/SI/ESI/MMX6/XMM6 C6 CE D6 DE E6 EE F6 FE 110

BH/DI/EDI/MMX7/XMM7 C7 CF D7 DF E7 EF F7 FF 111
Note:
1. In these combinations, “disp8” and “disp16” indicate an 8-bit or 16-bit signed displacement.
2. See Table A-12 for complete specification of ModRM “reg” field.

Register and Memory References for 32-Bit and 64-Bit Addressing. Ta b l e A -1 4 on

page 367 shows the encoding for 32-bit and 64-bit register references using the ModRM reg field. The
first nine rows of Table A-14 show references when the REX.R bit is cleared to 0, and the last nine
rows show references when the REX.R bit is set to 1. In this table, Mnemonic Notation means the
syntax notation shown in “Mnemonic Syntax” on page 37 for a register, and ModRM Notation (/r)
means the opcode-syntax notation shown in “Opcode Syntax” on page 39 for the register.
Table A-15 on page 368 shows the encoding for 32-bit and 64-bit memory references using the
ModRM byte. This table describes 32-bit and 64-bit addressing, with the REX.B bit set or cleared. The
Effective Address is shown in the two left-most columns, followed by the binary encoding of the
ModRM-byte mod field, followed by the eight possible hex values of the complete ModRM byte (one
value for each binary encoding of the ModRM-byte reg field), followed by the binary encoding of the
ModRM r/m field.
The /0 through /7 notation for the ModRM reg field (bits 5–3) means that the three-bit field contains a
value from zero (binary 000) to 7 (binary 111).

366 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-14. ModRM Register References, 32-Bit and 64-Bit Addressing

Mnemonic ModRM reg Field
REX.R Bit
Notation /0 /1 /2 /3 /4 /5 /6 /7
reg8 AL CL DL BL AH/SPL CH/BPL DH/SIL BH/DIL

reg16 AX CX DX BX SP BP SI DI

reg32 EAX ECX EDX EBX ESP EBP ESI EDI

reg64 RAX RCX RDX RBX RSP RBP RSI RDI

mmx 0 MMX0 MMX1 MMX2 MMX3 MMX4 MMX5 MMX6 MMX7

xmm XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7

sReg ES CS SS DS FS GS invalid invalid

cReg CR0 CR1 CR2 CR3 CR4 CR5 CR6 CR7

dReg DR0 DR1 DR2 DR3 DR4 DR5 DR6 DR7

reg8 R8B R9B R10B R11B R12B R13B R14B R15B

reg16 R8W R9W R10W R11W R12W R13W R14W R15W

reg32 R8D R9D R10D R11D R12D R13D R14D R15D

reg64 R8 R9 R10 R11 R12 R13 R14 R15

mmx 1 MMX0 MMX1 MMX2 MMX3 MMX4 MMX5 MMX6 MMX7

xmm XMM8 XMM9 XMM10 XMM11 XMM12 XMM13 XMM14 XMM15

sReg ES CS SS DS FS GS invalid invalid

cReg CR8 CR9 CR10 CR11 CR12 CR13 CR14 CR15

dReg DR8 DR9 DR10 DR11 DR12 DR13 DR14 DR15

Opcode and Operand Encodings 367

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-15. ModRM Memory References, 32-Bit and 64-Bit Addressing

ModRM ModRM reg Field3 ModRM
Effective Address1 mod r/m
Field /0 /1 /2 /3 /4 /5 /6 /7 Field
REX.B = 0 REX.B = 1 (binary) Complete ModRM Byte (hex) (binary)
[rAX] [r8] 00 08 10 18 20 28 30 38 000

[rCX] [r9] 01 09 11 19 21 29 31 39 001

[rDX] [r10] 02 0A 12 1A 22 2A 32 3A 010

[rBX] [r11] 03 0B 13 1B 23 2B 33 3B 011

[SIB]4 [SIB]4 00 04 0C 14 1C 24 2C 34 3C 100

[rIP+disp32] or
[rIP+disp32] or [disp32]2 05 0D 15 1D 25 2D 35 3D 101
[disp32]2
[rSI] [r14] 06 0E 16 1E 26 2E 36 3E 110

[rDI] [r15] 07 0F 17 1F 27 2F 37 3F 111

[rAX+disp8] [r8+disp8] 40 48 50 58 60 68 70 78 000

[rCX+disp8] [r9+disp8] 41 49 51 59 61 69 71 79 001

[rDX+disp8] [r10+disp8] 42 4A 52 5A 62 6A 72 7A 010

[rBX+disp8] [r11+disp8] 43 4B 53 5B 63 6B 73 7B 011

01
[SIB+disp8]4 [SIB+disp8]4 44 4C 54 5C 64 6C 74 7C 100

[rBP+disp8] [r13+disp8] 45 4D 55 5D 65 6D 75 7D 101

[rSI+disp8] [r14+disp8] 46 4E 56 5E 66 6E 76 7E 110

[rDI+disp8] [r15+disp8] 47 4F 57 5F 67 6F 77 7F 111

[rAX+disp32] [r8+disp32] 80 88 90 98 A0 A8 B0 B8 000

[rCX+disp32] [r9+disp32] 81 89 91 99 A1 A9 B1 B9 001

[rDX+disp32] [r10+disp32] 82 8A 92 9A A2 AA B2 BA 010

[rBX+disp32] [r11+disp32] 83 8B 93 9B A3 AB B3 BB 011

10
[SIB+disp32]4 [SIB+disp32]4 84 8C 94 9C A4 AC B4 BC 100

[rBP+disp32] [r13+disp32] 85 8D 95 9D A5 AD B5 BD 101

[rSI+disp32] [r14+disp32] 86 8E 96 9E A6 AE B6 BE 110

[rDI+disp32] [r15+disp32] 87 8F 97 9F A7 AF B7 BF 111

Note:
1. In these combinations, “disp8” and “disp32” indicate an 8-bit or 32-bit signed displacement.
2. In 64-bit mode, the effective address is [rIP+disp32]. In all other modes, the effective address is [disp32]. If the
address-size prefix is used in 64-bit mode to override 64-bit addressing, the [RIP+disp32] effective address is trun-
cated after computation to 64 bits.
3. See Table A-14 for complete specification of ModRM “reg” field.
4. An SIB byte follows the ModRM byte to identify the memory operand.

368 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-15. ModRM Memory References, 32-Bit and 64-Bit Addressing (continued)
ModRM ModRM reg Field3 ModRM
Effective Address1 mod r/m
Field /0 /1 /2 /3 /4 /5 /6 /7 Field
REX.B = 0 REX.B = 1 (binary) Complete ModRM Byte (hex) (binary)
AL/rAX/MMX0/XMM0 r8/MMX0/XMM8 C0 C8 D0 D8 E0 E8 F0 F8 000

CL/rCX/MMX1/XMM1 r9/MMX1/XMM9 C1 C9 D1 D9 E1 E9 F1 F9 001

r10/MMX2/XMM1
DL/rDX/MMX2/XMM2 C2 CA D2 DA E2 EA F2 FA 010
0
r11/MMX3/XMM1
BL/rBX/MMX3/XMM3 C3 CB D3 DB E3 EB F3 FB 011
1
AH/SPL/rSP/MMX4/XM r12/MMX4/XMM1 11 C4 CC D4 DC E4 EC F4 FC 100
M4 2
CH/BPL/rBP/MMX5/XM r13/MMX5/XMM1
C5 CD D5 DD E5 ED F5 FD 101
M5 3
DH/SIL/rSI/MMX6/XMM r14/MMX6/XMM1
C6 CE D6 DE E6 EE F6 FE 110
6 4
BH/DIL/rDI/MMX7/XMM r15/MMX7/XMM1
C7 CF D7 DF E7 EF F7 FF 111
7 5
Note:
1. In these combinations, “disp8” and “disp32” indicate an 8-bit or 32-bit signed displacement.
2. In 64-bit mode, the effective address is [rIP+disp32]. In all other modes, the effective address is [disp32]. If the
address-size prefix is used in 64-bit mode to override 64-bit addressing, the [RIP+disp32] effective address is trun-
cated after computation to 64 bits.
3. See Table A-14 for complete specification of ModRM “reg” field.
4. An SIB byte follows the ModRM byte to identify the memory operand.

A.3.2 SIB Operand References

Figure A-3 on page 370 shows the format of a scale-index-base (SIB) byte. Some instructions have an
SIB byte following their ModRM byte to define memory addressing for the complex-addressing
modes described in “Effective Addresses” in Volume 1. The SIB byte has three fields—scale, index,
and base—that define the scale factor, index-register number, and base-register number for 32-bit and
64-bit complex addressing modes. In 64-bit mode, the REX.B and REX.X bits extend the encoding of
the SIB byte’s base and index fields.

Opcode and Operand Encodings 369

AMD64 Technology 24594—Rev. 3.14—September 2007

Bits: 7 6 5 4 3 2 1 0
scale index base SIB

REX.X bit of REX prefix can

extend this field to 4 bits

513-306.eps
REX.B bit of REX prefix can
extend this field to 4 bits

Figure A-3. SIB Byte Format

Table A-16 shows the encodings for the SIB byte’s base field, which specifies the base register for
addressing. Table A-17 on page 371 shows the encodings for the effective address referenced by a
complete SIB byte, including its scale and index fields. The /0 through /7 notation for the SIB base
field means that the three-bit field contains a value between zero (binary 000) and 7 (binary 111).

Table A-16. SIB base Field References

SIB base Field
REX.B Bit ModRM mod Field
/0 /1 /2 /3 /4 /5 /6 /7
00 disp32
0 01 rAX rCX rDX rBX rSP rBP+disp8 rSI rDI
10 rBP+disp32
00 disp32
1 01 r8 r9 r10 r11 r12 r13+disp8 r14 r15
10 r13+disp32

370 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Table A-17. SIB Memory References

SIB base Field1
note
REX.B = 0: rAX rCX rDX rBX rSP 1 rSI rDI
Effective Address SIB SIB
scale index note
Field Field REX.B = 1: r8 r9 r10 r11 r12 1 r14 r15

/0 /1 /2 /3 /4 /5 /6 /7
REX.X = 0 REX.X = 1 Complete SIB Byte (hex)
[rAX+base] [r8+base] 000 00 01 02 03 04 05 06 07

[rCX+base] [r9+base] 001 08 09 0A 0B 0C 0D 0E 0F

[rDX+base] [r10+base] 010 10 11 12 13 14 15 16 17

[rBX+base] [r11+base] 011 18 19 1A 1B 1C 1D 1E 1F

00
[base] [r12+base] 100 20 21 22 23 24 25 26 27

[rBP+base] [r13+base] 101 28 29 2A 2B 2C 2D 2E 2F

[rSI+base] [r14+base] 110 30 31 32 33 34 35 36 37

[rDI+base] [r15+base] 111 38 39 3A 3B 3C 3D 3E 3F

[rAX*2+base] [r8*2+base] 000 40 41 42 43 44 45 46 47

[rCX*2+base] [r9*2+base] 001 48 49 4A 4B 4C 4D 4E 4F

[rDX*2+base] [r10*2+base] 010 50 51 52 53 54 55 56 57

[rBX*2+base] [r11*2+base] 011 58 59 5A 5B 5C 5D 5E 5F

01
[base] [r12*2+base] 100 60 61 62 63 64 65 66 67

[rBP*2+base] [r13*2+base] 101 68 69 6A 6B 6C 6D 6E 6F

[rSI*2+base] [r14*2+base] 110 70 71 72 73 74 75 76 77

[rDI*2+base] [r15*2+base] 111 78 79 7A 7B 7C 7D 7E 7F

[rAX*4+base] [r8*4+base] 000 80 81 82 83 84 85 86 87

[rCX*4+base] [r9*4+base] 001 88 89 8A 8B 8C 8D 8E 8F

[rDX*4+base] [r10*4+base] 010 90 91 92 93 94 95 96 97

[rBX*4+base] [r11*4+base] 011 98 99 9A 9B 9C 9D 9E 9F

10
[base] [r12*4+base] 100 A0 A1 A2 A3 A4 A5 A6 A7

[rBP*4+base] [r13*4+base] 101 A8 A9 AA AB AC AD AE AF

[rSI*4+base] [r14*4+base] 110 B0 B1 B2 B3 B4 B5 B6 B7

[rDI*4+base] [r15*4+base] 111 B8 B9 BA BB BC BD BE BF

Note:
1. See Table A-16 on page 370 for complete specification of SIB “base” field.

Opcode and Operand Encodings 371

AMD64 Technology 24594—Rev. 3.14—September 2007

Table A-17. SIB Memory References (continued)

SIB base Field1
note
REX.B = 0: rAX rCX rDX rBX rSP 1 rSI rDI
Effective Address SIB SIB
scale index note
Field Field REX.B = 1: r8 r9 r10 r11 r12 1 r14 r15

/0 /1 /2 /3 /4 /5 /6 /7
REX.X = 0 REX.X = 1 Complete SIB Byte (hex)
[rAX*8+base] [r8*8+base] 000 C0 C1 C2 C3 C4 C5 C6 C7

[rCX*8+base] [r9*8+base] 001 C8 C9 CA CB CC CD CE CF

[rDX*8+base] [r10*8+base] 010 D0 D1 D2 D3 D4 D5 D6 D7

[rBX*8+base] [r11*8+base] 011 D8 D9 DA DB DC DD DE DF

11
[base] [r12*8+base] 100 E0 E1 E2 E3 E4 E5 E6 E7

[rBP*8+base] [r13*8+base] 101 E8 E9 EA EB EC ED EE EF

[rSI*8+base] [r14*8+base] 110 F0 F1 F2 F3 F4 F5 F6 F7

[rDI*8+base] [r15*8+base] 111 F8 F9 FA FB FC FD FE FF

Note:
1. See Table A-16 on page 370 for complete specification of SIB “base” field.

372 Opcode and Operand Encodings

24594—Rev. 3.14—September 2007 AMD64 Technology

Appendix B General-Purpose Instructions in

64-Bit Mode
This appendix provides details of the general-purpose instructions in 64-bit mode and its differences
from legacy and compatibility modes. The appendix covers only the general-purpose instructions
(those described in Chapter 3, “General-Purpose Instruction Reference”). It does not cover the 128-
bit media, 64-bit media, or x87 floating-point instructions because those instructions are not affected
by 64-bit mode, other than in the access by such instructions to extended GPR and XMM registers
when using a REX prefix.

B.1 General Rules for 64-Bit Mode

In 64-bit mode, the following general rules apply to instructions and their operands:
• “Promoted to 64 Bit”: If an instruction’s operand size (16-bit or 32-bit) in legacy and
compatibility modes depends on the CS.D bit and the operand-size override prefix, then the
operand-size choices in 64-bit mode are extended from 16-bit and 32-bit to include 64 bits (with a
REX prefix), or the operand size is fixed at 64 bits. Such instructions are said to be “Promoted to
64 bits” in Table B-1. However, byte-operand opcodes of such instructions are not promoted.
• Byte-Operand Opcodes Not Promoted: As stated above in “Promoted to 64 Bit”, byte-operand
opcodes of promoted instructions are not promoted. Those opcodes continue to operate only on
bytes.
• Fixed Operand Size: If an instruction’s operand size is fixed in legacy mode (thus, independent of
CS.D and prefix overrides), that operand size is usually fixed at the same size in 64-bit mode. For
example, CPUID operates on 32-bit operands, irrespective of attempts to override the operand size.
• Default Operand Size: The default operand size for most instructions is 32 bits, and a REX prefix
must be used to change the operand size to 64 bits. However, two groups of instructions default to
64-bit operand size and do not need a REX prefix: (1) near branches and (2) all instructions, except
far branches, that implicitly reference the RSP. See Table B-5 on page 400 for a list of all
instructions that default to 64-bit operand size.
• Zero-Extension of 32-Bit Results: Operations on 32-bit operands in 64-bit mode zero-extend the
high 32 bits of 64-bit GPR destination registers.
• No Extension of 8-Bit and 16-Bit Results: Operations on 8-bit and 16-bit operands in 64-bit
mode leave the high 56 or 48 bits, respectively, of 64-bit GPR destination registers unchanged.
• Shift and Rotate Counts: When the operand size is 64 bits, shifts and rotates use one additional
bit (6 bits total) to specify shift-count or rotate-count, allowing 64-bit shifts and rotates.
• Immediates: The maximum size of immediate operands is 32 bits, except that 64-bit immediates
can be MOVed into 64-bit GPRs. Immediates that are less than 64 bits are a maximum of 32 bits,
and are sign-extended to 64 bits during use.

General-Purpose Instructions in 64-Bit Mode 373

AMD64 Technology 24594—Rev. 3.14—September 2007

• Displacements and Offsets: The maximum size of an address displacement or offset is 32 bits,
except that 64-bit offsets can be used by specific MOV opcodes that read or write AL or rAX.
Displacements and offsets that are less than 64 bits are a maximum of 32 bits, and are sign-
extended to 64 bits during use.
• Undefined High 32 Bits After Mode Change: The processor does not preserve the upper 32 bits
of the 64-bit GPRs across switches from 64-bit mode to compatibility or legacy modes. In
compatibility or legacy mode, the upper 32 bits of the GPRs are undefined and not accessible to
software.

B.2 Operation and Operand Size in 64-Bit Mode

Table B-1 on page 374 lists the integer instructions, showing operand size in 64-bit mode and the state
of the high 32 bits of destination registers when 32-bit operands are used. Opcodes, such as byte-
operand versions of several instructions, that do not appear in Table B-1 are covered by the general
rules described in “General Rules for 64-Bit Mode” on page 373.

Table B-1. Operations and Operands in 64-Bit Mode

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
AAA - ASCII Adjust after Addition
INVALID IN 64-BIT MODE (invalid-opcode exception)
37
AAD - ASCII Adjust AX before Division
INVALID IN 64-BIT MODE (invalid-opcode exception)
D5
AAM - ASCII Adjust AX after Multiply
INVALID IN 64-BIT MODE (invalid-opcode exception)
D4
AAS - ASCII Adjust AL after Subtraction
INVALID IN 64-BIT MODE (invalid-opcode exception)
3F
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

374 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
ADC—Add with Carry
11
13 Zero-extends 32-
Promoted to
32 bits bit register
15 64 bits.
results to 64 bits.
81 /2
83 /2
ADD—Signed or Unsigned Add
01
03 Zero-extends 32-
Promoted to
32 bits bit register
05 64 bits.
results to 64 bits.
81 /0
83 /0
AND—Logical AND
21
23 Zero-extends 32-
Promoted to
32 bits bit register
25 64 bits.
results to 64 bits.
81 /4
83 /4
ARPL - Adjust Requestor Privilege Level
OPCODE USED as MOVSXD in 64-BIT MODE
63
BOUND - Check Array Against Bounds
INVALID IN 64-BIT MODE (invalid-opcode exception)
62
BSF—Bit Scan Forward Zero-extends 32-
Promoted to
32 bits bit register
0F BC 64 bits.
results to 64 bits.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 375

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
BSR—Bit Scan Reverse Zero-extends 32-
Promoted to
32 bits bit register
0F BD 64 bits.
results to 64 bits.
BSWAP—Byte Swap Zero-extends 32-
Promoted to Swap all 8 bytes
32 bits bit register
0F C8 through 0F CF 64 bits. of a 64-bit GPR.
results to 64 bits.
BT—Bit Test
Promoted to
0F A3 32 bits No GPR register results.
64 bits.
0F BA /4
BTC—Bit Test and Complement Zero-extends 32-
Promoted to
0F BB 32 bits bit register
64 bits.
0F BA /7 results to 64 bits.

BTR—Bit Test and Reset Zero-extends 32-

Promoted to
0F B3 32 bits bit register
64 bits.
0F BA /6 results to 64 bits.

BTS—Bit Test and Set Zero-extends 32-

Promoted to
0F AB 32 bits bit register
64 bits.
0F BA /5 results to 64 bits.

CALL—Procedure Call Near See “Near Branches in 64-Bit Mode” in Volume 1.

RIP = RIP + 32-
Promoted to bit displacement
E8
64 bits.
64 bits Can’t encode.6 sign-extended to
64 bits.
RIP = 64-bit
offset from
Promoted to
FF /2
64 bits.
64 bits Can’t encode.6 register or
memory.

Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

376 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
CALL—Procedure Call Far See “Branches to 64-Bit Offsets” in Volume 1.
9A INVALID IN 64-BIT MODE (invalid-opcode exception)
If selector points to a gate, then
RIP = 64-bit offset from gate, else
Promoted to
FF /3 32 bits RIP = zero-extended 32-bit offset
64 bits.
from far pointer referenced in
instruction.
CBW, CWDE, CDQE—Convert Byte to CDQE (new
Word, Convert Word to Doubleword, CWDE: Converts mnemonic):
32 bits
Convert Doubleword to Quadword word to Converts
Promoted to (size of desti- doubleword. doubleword to
64 bits. nation regis- quadword.
Zero-extends
98 ter)
EAX to RAX. RAX = sign-
extended EAX.
CDQ see CWD, CDQ, CQO
CDQE (new mnemonic) see CBW, CWDE, CDQE
CDWE see CBW, CWDE, CDQE
CLC—Clear Carry Flag Same as
Not relevant. No GPR register results.
F8 legacy mode.
CLD—Clear Direction Flag Same as
Not relevant. No GPR register results.
FC legacy mode.
CLFLUSH—Cache Line Invalidate Same as
Not relevant. No GPR register results.
0F AE /7 legacy mode.
CLGI—Clear Global Interrupt Same as
Not relevant No GPR register results.
0F 01 DD legacy mode
CLI—Clear Interrupt Flag Same as
Not relevant. No GPR register results.
FA legacy mode.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 377

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
CLTS—Clear Task-Switched Flag in
CR0 Same as
Not relevant. No GPR register results.
legacy mode.
0F 06
CMC—Complement Carry Flag Same as
Not relevant. No GPR register results.
F5 legacy mode.
CMOVcc—Conditional Move Zero-extends 32-
bit register
Promoted to results to 64 bits.
32 bits
0F 40 through 0F 4F 64 bits. This occurs even
if the condition is
false.
CMP—Compare
39
3B Zero-extends 32-
Promoted to
32 bits bit register
3D 64 bits.
results to 64 bits.
81 /7
83 /7
CMPS, CMPSW, CMPSD, CMPSQ— CMPSQ (new
CMPSD:
Compare Strings mnemonic):
Promoted to Compare String
32 bits Compare String
64 bits. Doublewords.
A7 Quadwords
See footnote5
See footnote5
CMPXCHG—Compare and Exchange Zero-extends 32-
Promoted to
32 bits bit register
0F B1 64 bits.
results to 64 bits.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

378 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
CMPXCHG8B—Compare and CMPXCHG16B
Exchange Eight Bytes (new mne-
Zero-extends
Same as monic): Com-
32 bits. EDX and EAX to
legacy mode. pare and
0F C7 /1 64 bits.
Exchange 16
Bytes.
CPUID—Processor Identification Operand size
Same as Zero-extends 32-bit register results
fixed at 32
0F A2 legacy mode. to 64 bits.
bits.
CQO (new mnemonic) see CWD, CDQ, CQO
CWD, CDQ, CQO—Convert Word to CQO (new
CDQ: Converts
Doubleword, Convert Doubleword to mnemonic):
doubleword to
Quadword, Convert Quadword to Double Converts
quadword.
Quadword 32 bits quadword to
Sign-extends double
Promoted to (size of desti-
EAX to EDX. quadword.
64 bits. nation regis-
Zero-extends
ter) Sign-extends
99 EDX to RDX.
RAX to RDX.
RAX is
RAX is
unchanged.
unchanged.
DAA - Decimal Adjust AL after Addition
INVALID IN 64-BIT MODE (invalid-opcode exception)
27
DAS - Decimal Adjust AL after
Subtraction INVALID IN 64-BIT MODE (invalid-opcode exception)
2F
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 379

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
Zero-extends 32-
DEC—Decrement by 1 Promoted to
32 bits bit register
FF /1 64 bits.
results to 64 bits.
48 through 4F OPCODE USED as REX PREFIX in 64-BIT MODE
DIV—Unsigned Divide RDX:RAX
contain a 64-bit
Zero-extends 32-
Promoted to quotient (RAX)
32 bits bit register
F7 /6 64 bits. and 64-bit
results to 64 bits.
remainder
(RDX).
ENTER—Create Procedure Stack
Frame Promoted to
64 bits.
64 bits Can’t encode6
C8
HLT—Halt Same as
Not relevant. No GPR register results.
F4 legacy mode.
IDIV—Signed Divide RDX:RAX
contain a 64-bit
Zero-extends 32-
Promoted to quotient (RAX)
32 bits bit register
F7 /7 64 bits. and 64-bit
results to 64 bits.
remainder
(RDX).
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

380 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
IMUL - Signed Multiply RDX:RAX = RAX
* reg/mem64
F7 /5 (i.e., 128-bit
result)
reg64 = reg64 *
0F AF Zero-extends 32- reg/mem64
Promoted to
32 bits bit register
64 bits.
results to 64 bits. reg64 =
69 reg/mem64 *
imm32
reg64 =
6B reg/mem64 *
imm8
IN—Input From Port
Same as Zero-extends 32-bit register results
E5 32 bits
legacy mode. to 64 bits.
ED
INC—Increment by 1 Zero-extends 32-
Promoted to
32 bits bit register
FF /0 64 bits.
results to 64 bits.
40 through 47 OPCODE USED as REX PREFIX in 64-BIT MODE
INS, INSW, INSD—Input String INSD: Input String Doublewords.
Same as No GPR register results.
32 bits
6D legacy mode.
See footnote5
INT n—Interrupt to Vector
CD Promoted to See “Long-Mode Interrupt Control
Not relevant.
INT3—Interrupt to Debug Vector 64 bits. Transfers” in Volume 2.
CC
INTO - Interrupt to Overflow Vector
INVALID IN 64-BIT MODE (invalid-opcode exception)
CE
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 381

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
INVD—Invalidate Internal Caches Same as
Not relevant. No GPR register results.
0F 08 legacy mode.
INVLPG—Invalidate TLB Entry Promoted to
Not relevant. No GPR register results.
0F 01 /7 64 bits.
INVLPGA—Invalidate TLB Entry in a Same as
Not relevant. No GPR register results.
Specified ASID legacy mode.
IRET, IRETD, IRETQ—Interrupt Return IRETQ (new
IRETD: Interrupt
mnemonic):
Return
Interrupt Return
Doubleword.
Promoted to Quadword.
32 bits See “Long-Mode
CF 64 bits. See “Long-Mode
Interrupt Control
Interrupt Control
Transfers” in
Transfers” in
Volume 2.
Volume 2.
Jcc—Jump Conditional See “Near Branches in 64-Bit Mode” in Volume 1.
RIP = RIP + 8-bit
displacement
70 through 7F
sign-extended to
Promoted to 64 bits.
64 bits.
64 bits Can’t encode.6
RIP = RIP + 32-
bit displacement
0F 80 through 0F 8F
sign-extended to
64 bits.
JCXZ, JECXZ, JRCXZ—Jump on RIP = RIP + 8-bit
CX/ECX/RCX Zero displacement
Promoted to sign-extended to
64 bits.
64 bits Can’t encode.6
E3 64 bits.
See footnote5
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

382 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
JMP—Jump Near See “Near Branches in 64-Bit Mode” in Volume 1.
RIP = RIP + 8-bit
displacement
EB
sign-extended to
64 bits.
RIP = RIP + 32-
Promoted to bit displacement
E9
64 bits.
64 bits Can’t encode.6 sign-extended to
64 bits.
RIP = 64-bit
offset from
FF /4
register or
memory.
JMP—Jump Far See “Branches to 64-Bit Offsets” in Volume 1.
EA INVALID IN 64-BIT MODE (invalid-opcode exception)
If selector points to a gate, then
RIP = 64-bit offset from gate, else
Promoted to
FF /5 32 bits RIP = zero-extended 32-bit offset
64 bits.
from far pointer referenced in
instruction.
LAHF - Load Status Flags into AH
Register Same as leg-
Not relevant.
acy mode.
9F
LAR—Load Access Rights Byte Zero-extends 32-
Same as
32 bits bit register
0F 02 legacy mode.
results to 64 bits.
LDS - Load DS Far Pointer
INVALID IN 64-BIT MODE (invalid-opcode exception)
C5
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 383

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
LEA—Load Effective Address Zero-extends 32-
Promoted to
32 bits bit register
8D 64 bits.
results to 64 bits.
LEAVE—Delete Procedure Stack Frame Promoted to
64 bits.
64 bits Can’t encode6
C9
LES - Load ES Far Pointer
INVALID IN 64-BIT MODE (invalid-opcode exception)
C4
LFENCE—Load Fence Same as
Not relevant. No GPR register results.
0F AE /5 legacy mode.
LFS—Load FS Far Pointer Same as Zero-extends 32-bit register results
32 bits
0F B4 legacy mode. to 64 bits.
LGDT—Load Global Descriptor Table Operand size No GPR register results.
Register Promoted to
fixed at 64
64 bits. Loads 8-byte base and 2-byte limit.
0F 01 /2 bits.
LGS—Load GS Far Pointer Same as Zero-extends 32-bit register results
32 bits
0F B5 legacy mode. to 64 bits.
LIDT—Load Interrupt Descriptor Table Operand size
Promoted to No GPR register results.
Register fixed at 64
64 bits. Loads 8-byte base and 2-byte limit.
0F 01 /3 bits.
LLDT—Load Local Descriptor Table Operand size No GPR register results.
Register Promoted to
fixed at 16 References 16-byte descriptor to
64 bits.
0F 00 /2 bits. load 64-bit base.
LMSW—Load Machine Status Word Operand size
Same as
fixed at 16 No GPR register results.
0F 01 /6 legacy mode.
bits.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

384 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
LODS, LODSW, LODSD, LODSQ— LODSD: Load
Load String String LODSQ (new
Doublewords. mnemonic): Load
Promoted to Zero-extends 32- String
32 bits
64 bits. bit register Quadwords.
AD
results to 64 bits. See footnote5
5
See footnote
LOOP—Loop
E2 RIP = RIP + 8-bit
LOOPZ, LOOPE—Loop if Zero/Equal displacement
Promoted to sign-extended to
E1 64 bits.
64 bits Can’t encode.6
64 bits.
LOOPNZ, LOOPNE—Loop if Not
Zero/Equal See footnote5
E0
LSL—Load Segment Limit Same as Zero-extends 32-bit register results
32 bits
0F 03 legacy mode. to 64 bits.
LSS —Load SS Segment Register Same as Zero-extends 32-bit register results
32 bits
0F B2 legacy mode. to 64 bits.
LTR—Load Task Register Operand size No GPR register results.
Promoted to
fixed at 16 References 16-byte descriptor to
0F 00 /3 64 bits.
bits. load 64-bit base.
LZCNT—Count Leading Zeros Promoted to Zero-extends 32-bit register results
32 bits
F3 0F BD 64 bits. to 64 bits.
MFENCE—Memory Fence Same as
Not relevant. No GPR register results.
0F AE /6 legacy mode.
Operand size
MONITOR—Setup Monitor Address Same as
fixed at 32 No GPR register results.
0F 01 C8 legacy mode.
bits.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 385

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
MOV—Move
89
8B Zero-extends 32-
bit register 32-bit immediate
C7 results to 64 bits. is sign-extended
to 64 bits.
Promoted to
B8 through BF 32 bits 64-bit immediate.
64 bits.
A1 (moffset) Zero-extends 32-
bit register Memory offsets
results to 64 bits. are address-
Memory offsets sized and default
A3 (moffset) to 64 bits.
are address-
sized and default
to 64 bits.
MOV—Move to/from Segment Registers Zero-extends 32-bit register results
32 bits
8C to 64 bits.
Same as
legacy mode. Operand size
8E fixed at 16 No GPR register results.
bits.
MOV(CRn)—Move to/from Control The high 32 bits of control registers
Registers Operand size
Promoted to differ in their writability and reserved
fixed at 64
0F 22 64 bits. status. See “System Resources” in
bits.
0F 20 Volume 2 for details.

MOV(DRn)—Move to/from Debug The high 32 bits of debug registers

Registers Operand size differ in their writability and reserved
Promoted to
0F 21 fixed at 64 status. See “Debug and
64 bits.
bits. Performance Resources” in
0F 23 Volume 2 for details.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

386 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
MOVD—Move Doubleword or Quadword Zero-extends 32-
0F 6E bit register
0F 7E results to 64 bits.
Promoted to
32 bits
66 0F 6E 64 bits. Zero-extends 32- Zero-extends 64-
bit register bit register
66 0F 7E results to 128 results to 128
bits. bits.
MOVNTI—Move Non-Temporal
Doubleword Promoted to
32 bits No GPR register results.
64 bits.
0F C3
MOVS, MOVSW, MOVSD, MOVSQ— MOVSQ (new
MOVSD: Move
Move String mnemonic):
Promoted to String
32 bits Move String
64 bits. Doublewords.
A5 Quadwords.
See footnote5
See footnote5
MOVSX—Move with Sign-Extend
Sign-extends
0F BE Zero-extends 32- byte to
Promoted to
32 bits bit register quadword.
64 bits.
results to 64 bits. Sign-extends
0F BF word to
quadword.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 387

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
MOVSXD—Move with Sign-Extend New
Doubleword instruction,
available only
in 64-bit Zero-extends 32- Sign-extends
mode. (In 32 bits bit register doubleword to
63 other modes, results to 64 bits. quadword.
this opcode
is ARPL
instruction.)
MOVZX—Move with Zero-Extend
Zero-extends
0F B6 Zero-extends 32- byte to
Promoted to bit register quadword.
32 bits results to 64 bits. Zero-extends
64 bits.
0F B7 word to
quadword.
MUL—Multiply Unsigned RDX:RAX=RAX *
Zero-extends 32-
Promoted to quadword in
32 bits bit register
F7 /4 64 bits. register or
results to 64 bits.
memory.
Operand size
MWAIT—Monitor Wait Same as
fixed at 32 No GPR register results.
0F 01 C9 legacy mode.
bits.
NEG—Negate Two’s Complement Zero-extends 32-
Promoted to
32 bits bit register
F7 /3 64 bits.
results to 64 bits.
NOP—No Operation Same as
Not relevant. No GPR register results.
90 legacy mode.
NOT—Negate One’s Complement Zero-extends 32-
Promoted to
32 bits bit register
F7 /2 64 bits.
results to 64 bits.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

388 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
OR—Logical OR
09
0B Zero-extends 32-
Promoted to
32 bits bit register
0D 64 bits.
results to 64 bits.
81 /1
83 /1
OUT—Output to Port
Same as
E7 32 bits No GPR register results.
legacy mode.
EF
OUTS, OUTSW, OUTSD—Output String Writes doubleword to I/O port.
Same as No GPR register results.
32 bits
6F legacy mode.
See footnote5
PAUSE—Pause Same as
Not relevant. No GPR register results.
F3 90 legacy mode.
POP—Pop Stack
Promoted to No GPR register
8F /0
64 bits.
64 bits Cannot encode6 results.
58 through 5F
POP—Pop (segment register from)
Stack Same as No GPR register
0F A1 (POP FS) legacy mode.
64 bits Cannot encode6 results.
0F A9 (POP GS)
1F (POP DS)
07 (POP ES) INVALID IN 64-BIT MODE (invalid-opcode exception)
17 (POP SS)
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 389

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
POPA, POPAD—Pop All to GPR Words
or Doublewords INVALID IN 64-BIT MODE (invalid-opcode exception)
61
POPCNT—Bit Population Count Promoted to Zero-extends 32-bit register results
32 bits
F3 0F B8 64 bits. to 64 bits.
POPF, POPFD, POPFQ—Pop to POPFQ (new
rFLAGS Word, Doublword, or Quadword mnemonic): Pops
64 bits off stack,
Promoted to writes low 32 bits
64 bits.
64 bits Cannot encode6 into EFLAGS and
9D zero-extends the
high 32 bits of
RFLAGS.
PREFETCH—Prefetch L1 Data-Cache
Line Same as
Not relevant. No GPR register results.
legacy mode.
0F 0D /0
PREFETCHlevel—Prefetch Data to
Cache Level level Same as
Not relevant. No GPR register results.
legacy mode.
0F 18 /0-3
PREFETCHW—Prefetch L1 Data-Cache
Line for Write Same as
Not relevant. No GPR register results.
legacy mode.
0F 0D /1
PUSH—Push onto Stack
FF /6
Promoted to
50 through 57
64 bits.
64 bits Cannot encode6
6A
68
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

390 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
PUSH—Push (segment register) onto
Stack Promoted to
0F A0 (PUSH FS) 64 bits.
64 bits Cannot encode6

0F A8 (PUSH GS)
0E (PUSH CS)
1E (PUSH DS)
INVALID IN 64-BIT MODE (invalid-opcode exception)
06 (PUSH ES)
16 (PUSH SS)
PUSHA, PUSHAD - Push All to GPR
Words or Doublewords INVALID IN 64-BIT MODE (invalid-opcode exception)
60
PUSHF, PUSHFD, PUSHFQ—Push PUSHFQ (new
rFLAGS Word, Doubleword, or mnemonic):
Promoted to
Quadword onto Stack
64 bits.
64 bits Cannot encode6 Pushes the 64-bit
RFLAGS
9C register.
RCL—Rotate Through Carry Left
D1 /2 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /2 64 bits.
results to 64 bits.
C1 /2
RCR—Rotate Through Carry Right
D1 /3 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /3 64 bits.
results to 64 bits.
C1 /3
RDMSR—Read Model-Specific Register RDX[31:0] contains MSR[63:32],
Same as RAX[31:0] contains MSR[31:0].
Not relevant.
0F 32 legacy mode. Zero-extends 32-bit register results
to 64 bits.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 391

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
RDPMC—Read Performance-Monitoring RDX[31:0] contains PMC[63:32],
Counters Same as RAX[31:0] contains PMC[31:0].
Not relevant.
legacy mode. Zero-extends 32-bit register results
0F 33 to 64 bits.
RDTSC—Read Time-Stamp Counter RDX[31:0] contains TSC[63:32],
Same as RAX[31:0] contains TSC[31:0].
Not relevant.
0F 31 legacy mode. Zero-extends 32-bit register results
to 64 bits.
RDTSCP—Read Time-Stamp Counter RDX[31:0] contains TSC[63:32],
and Processor ID RAX[31:0] contains TSC[31:0].
Same as RCX[31:0] contains the TSC_AUX
Not relevant.
legacy mode. MSR C000_0103h[31:0]. Zero-
0F 01 F9 extends 32-bit register results to 64
bits.
REP INS—Repeat Input String Same as Reads doubleword I/O port.
32 bits
F3 6D legacy mode. See footnote5
REP LODS—Repeat Load String Zero-extends
Promoted to EAX to 64 bits.
64 bits.
32 bits See footnote5
F3 AD
See footnote5
REP MOVS—Repeat Move String Promoted to No GPR register results.
32 bits
F3 A5 64 bits. See footnote5
REP OUTS—Repeat Output String to Writes doubleword to I/O port.
Port Same as No GPR register results.
32 bits
legacy mode.
F3 6F See footnote5
REP STOS—Repeat Store String Promoted to No GPR register results.
32 bits
F3 AB 64 bits. See footnote5
REPx CMPS —Repeat Compare String Promoted to No GPR register results.
32 bits
F3 A7 64 bits. See footnote5
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

392 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
REPx SCAS —Repeat Scan String Promoted to No GPR register results.
32 bits
F3 AF 64 bits. See footnote5
RET—Return from Call Near See “Near Branches in 64-Bit Mode” in Volume 1.
C2 Promoted to No GPR register
64 bits.
64 bits Cannot encode.6 results.
C3
RET—Return from Call Far See “Control Transfers” in Volume 1
Promoted to
CB 32 bits and “Control-Transfer Privilege
64 bits.
CA Checks” in Volume 2.

ROL—Rotate Left
D1 /0 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /0 64 bits.
results to 64 bits.
C1 /0
ROR—Rotate Right
D1 /1 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /1 64 bits.
results to 64 bits.
C1 /1
RSM—Resume from System New SMM
Management Mode See “System-Management Mode” in
state-save Not relevant.
Volume 2.
0F AA area.
SAHF - Store AH into Flags Same as leg-
Not relevant. No GPR register results.
9E acy mode.
SAL—Shift Arithmetic Left
D1 /4 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /4 64 bits.
results to 64 bits.
C1 /4
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 393

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
SAR—Shift Arithmetic Right
D1 /7 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /7 64 bits.
results to 64 bits.
C1 /7
SBB—Subtract with Borrow
19
1B Zero-extends 32-
Promoted to
32 bits bit register
1D 64 bits.
results to 64 bits.
81 /3
83 /3
SCAS, SCASW, SCASD, SCASQ— SCASD: Scan
Scan String String SCASQ (new
Doublewords. mnemonic): Scan
Promoted to Zero-extends 32- String
32 bits
64 bits. bit register Quadwords.
AF
results to 64 bits. See footnote5
5
See footnote
SFENCE—Store Fence Same as
Not relevant. No GPR register results.
0F AE /7 legacy mode.
SGDT—Store Global Descriptor Table Operand size
Promoted to No GPR register results.
Register fixed at 64
64 bits. Stores 8-byte base and 2-byte limit.
0F 01 /0 bits.
SHL—Shift Left
D1 /4 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /4 64 bits.
results to 64 bits.
C1 /4
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

394 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
SHLD—Shift Left Double Zero-extends 32-
Promoted to
0F A4 32 bits bit register Uses 6-bit count.
64 bits.
0F A5 results to 64 bits.

SHR—Shift Right
D1 /5 Zero-extends 32-
Promoted to
32 bits bit register Uses 6-bit count.
D3 /5 64 bits.
results to 64 bits.
C1 /5
SHRD—Shift Right Double Zero-extends 32-
Promoted to
0F AC 32 bits bit register Uses 6-bit count.
64 bits.
0F AD results to 64 bits.

SIDT—Store Interrupt Descriptor Table Operand size

Promoted to No GPR register results.
Register fixed at 64
64 bits. Stores 8-byte base and 2-byte limit.
0F 01 /1 bits.
SKINIT—Secure Init and Jump with Zero-extends 32-
Same as
Attestation Not relevant bit register
legacy mode.
0F 01 DE results to 64 bits.
SLDT—Store Local Descriptor Table
Register Same as Zero-extends 2-byte LDT selector to
32
legacy mode. 64 bits.
0F 00 /0
SMSW—Store Machine Status Word Zero-extends 32- Stores 64-bit
Same as
32 bit register machine status
0F 01 /4 legacy mode.
results to 64 bits. word (CR0).
STC—Set Carry Flag Same as
Not relevant. No GPR register results.
F9 legacy mode.
STD—Set Direction Flag Same as
Not relevant. No GPR register results.
FD legacy mode.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 395

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
STGI—Set Global Interrupt Flag Same as Not relevant.
No GPR register results.
0F 01 DC legacy mode.
STI - Set Interrupt Flag Same as
Not relevant. No GPR register results.
FB legacy mode.
STOS, STOSW, STOSD, STOSQ- Store STOSQ (new
STOSD: Store
String mnemonic):
Promoted to String
32 bits Store String
64 bits. Doublewords.
AB Quadwords.
See footnote5
See footnote5
STR—Store Task Register Same as Zero-extends 2-byte TR selector to
32
0F 00 /1 legacy mode. 64 bits.
SUB—Subtract
29
2B Zero-extends 32-
Promoted to
32 bits bit register
2D 64 bits.
results to 64 bits.
81 /5
83 /5
SWAPGS—Swap GS Register with New
KernelGSbase MSR instruction,
available only
in 64-bit See “SWAPGS Instruction” in
Not relevant.
mode. (In Volume 2.
0F 01 /7 other modes,
this opcode
is invalid.)
SYSCALL—Fast System Call Promoted to See “SYSCALL and SYSRET
Not relevant.
0F 05 64 bits. Instructions” in Volume 2 for details.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

396 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
SYSENTER—System Call
INVALID IN LONG MODE (invalid-opcode exception)
0F 34
SYSEXIT—System Return
INVALID IN LONG MODE (invalid-opcode exception)
0F 35
SYSRET—Fast System Return Promoted to See “SYSCALL and SYSRET
32 bits
0F 07 64 bits. Instructions” in Volume 2 for details.
TEST—Test Bits
85 Promoted to
32 bits No GPR register results.
A9 64 bits.
F7 /0
UD2—Undefined Operation Same as
Not relevant. No GPR register results.
0F 0B legacy mode.
VERR—Verify Segment for Reads Operand size
Same as
fixed at 16 No GPR register results.
0F 00 /4 legacy mode.
bits
VERW—Verify Segment for Writes Operand size
Same as
fixed at 16 No GPR register results.
0F 00 /5 legacy mode.
bits
VMLOAD—Load State from VMCB Same as
Not relevant. No GPR register results.
0F 01 DA legacy mode.
VMMCALL—Call VMM Same as
Not relevant. No GPR register results.
0F 01 D9 legacy mode.
VMRUN—Run Virtual Machine Same as
Not relevant. No GPR register results.
0F 01 D8 legacy mode.
VMSAVE—Save State to VMCB Same as
Not relevant. No GPR register results.
0F 01 DB legacy mode.
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

General-Purpose Instructions in 64-Bit Mode 397

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-1. Operations and Operands in 64-Bit Mode (continued)

Default
Instruction and Type of For 32-Bit For 64-Bit
Operand
Opcode (hex)1 Operation2 Operand Size4 Operand Size4
Size3
WAIT—Wait for Interrupt Same as
Not relevant. No GPR register results.
9B legacy mode.
WBINVD—Writeback and Invalidate All
Caches Same as
Not relevant. No GPR register results.
legacy mode.
0F 09
WRMSR—Write to Model-Specific No GPR register results.
Register Same as
Not relevant. MSR[63:32] = RDX[31:0]
legacy mode.
0F 30 MSR[31:0] = RAX[31:0]
XADD—Exchange and Add Zero-extends 32-
Promoted to
32 bits bit register
0F C1 64 bits.
results to 64 bits.
XCHG—Exchange Register/Memory
with Register Zero-extends 32-
Promoted to
32 bits bit register
87 64 bits.
results to 64 bits.
90
XOR—Logical Exclusive OR
31
33 Zero-extends 32-
Promoted to
32 bits bit register
35 64 bits.
results to 64 bits.
81 /6
83 /6
Note:
1. See “General Rules for 64-Bit Mode” on page 373, for opcodes that do not appear in this table.
2. The type of operation, excluding considerations of operand size or extension of results. See “General Rules for 64-
Bit Mode” on page 373 for definitions of “Promoted to 64 bits” and related topics.
3. If “Type of Operation” is 64 bits, a REX prefix is needed for 64-bit operand size, unless the instruction size defaults
to 64 bits. If the operand size is fixed, operand-size overrides are silently ignored.
4. Special actions in 64-bit mode, in addition to legacy-mode actions. Zero or sign extensions apply only to result oper-
ands, not source operands. Unless otherwise stated, 8-bit and 16-bit results leave the high 56 or 48 bits, respec-
tively, of 64-bit destination registers unchanged. Immediates and branch displacements are sign-extended to 64
bits.
5. Any pointer registers (rDI, rSI) or count registers (rCX) are address-sized and default to 64 bits. For 32-bit address
size, any pointer and count registers are zero-extended to 64 bits.
6. The default operand size can be overridden to 16 bits with 66h prefix, but there is no 32-bit operand-size override
in 64-bit mode.

398 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

B.3 Invalid and Reassigned Instructions in 64-Bit Mode

Table B-2 lists instructions that are illegal in 64-bit mode. Attempted use of these instructions
generates an invalid-opcode exception (#UD).

Table B-2. Invalid Instructions in 64-Bit Mode

Opcode
Mnemonic Description
(hex)
AAA 37 ASCII Adjust After Addition
AAD D5 ASCII Adjust Before Division
AAM D4 ASCII Adjust After Multiply
AAS 3F ASCII Adjust After Subtraction
BOUND 62 Check Array Bounds
CALL (far) 9A Procedure Call Far (far absolute)
DAA 27 Decimal Adjust after Addition
DAS 2F Decimal Adjust after Subtraction
INTO CE Interrupt to Overflow Vector
JMP (far) EA Jump Far (absolute)
LDS C5 Load DS Far Pointer
LES C4 Load ES Far Pointer
POP DS 1F Pop Stack into DS Segment
POP ES 07 Pop Stack into ES Segment
POP SS 17 Pop Stack into SS Segment
POPA, POPAD 61 Pop All to GPR Words or Doublewords
PUSH CS 0E Push CS Segment Selector onto Stack
PUSH DS 1E Push DS Segment Selector onto Stack
PUSH ES 06 Push ES Segment Selector onto Stack
PUSH SS 16 Push SS Segment Selector onto Stack
PUSHA,
60 Push All to GPR Words or Doublewords
PUSHAD
Redundant encoding of group1 Eb,Ib
Redundant Grp1 82 /2
opcodes
SALC D6 Set AL According to CF

General-Purpose Instructions in 64-Bit Mode 399

AMD64 Technology 24594—Rev. 3.14—September 2007

Table B-3 lists instructions that are reassigned to different functions in 64-bit mode. Attempted use of
these instructions generates the reassigned function.

Table B-3. Reassigned Instructions in 64-Bit Mode

Opcode
Mnemonic Description
(hex)
Opcode for MOVSXD instruction in 64-bit
ARPL 63 mode. In all other modes, this is the Adjust
Requestor Privilege Level instruction opcode.
REX prefixes in 64-bit mode. In all other
DEC and INC 40-4F
modes, decrement by 1 and increment by 1.

Table B-4 lists instructions that are illegal in long mode. Attempted use of these instructions generates
an invalid-opcode exception (#UD).

Table B-4. Invalid Instructions in Long Mode

Opcode
Mnemonic Description
(hex)
SYSENTER 0F 34 System Call
SYSEXIT 0F 35 System Return

B.4 Instructions with 64-Bit Default Operand Size

In 64-bit mode, two groups of instructions default to 64-bit operand size without the need for a REX
prefix:
• Near branches —CALL, Jcc, JrCX, JMP, LOOP, and RET.
• All instructions, except far branches, that implicitly reference the RSP—CALL, ENTER, LEAVE,
POP, PUSH, and RET (CALL and RET are in both groups of instructions).
Table B-5 lists these instructions.

Table B-5. Instructions Defaulting to 64-Bit Operand Size

Implicitly
Opcode
Mnemonic Reference Description
(hex)
RSP
CALL E8, FF /2 yes Call Procedure Near
ENTER C8 yes Create Procedure Stack Frame
Jcc many no Jump Conditional Near
JMP E9, EB, FF /4 no Jump Near
LEAVE C9 yes Delete Procedure Stack Frame
LOOP E2 no Loop

400 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Table B-5. Instructions Defaulting to 64-Bit Operand Size (continued)

Implicitly
Opcode
Mnemonic Reference Description
(hex)
RSP
LOOPcc E0, E1 no Loop Conditional
POP reg/mem 8F /0 yes Pop Stack (register or memory)
POP reg 58-5F yes Pop Stack (register)
POP FS 0F A1 yes Pop Stack into FS Segment Register
POP GS 0F A9 yes Pop Stack into GS Segment Register
POPF, POPFD, POPFQ 9D yes Pop to rFLAGS Word, Doubleword, or Quadword
PUSH imm8 6A yes Push onto Stack (sign-extended byte)
PUSH imm32 68 yes Push onto Stack (sign-extended doubleword)
PUSH reg/mem FF /6 yes Push onto Stack (register or memory)
PUSH reg 50-57 yes Push onto Stack (register)
PUSH FS 0F A0 yes Push FS Segment Register onto Stack
PUSH GS 0F A8 yes Push GS Segment Register onto Stack
Push rFLAGS Word, Doubleword, or Quadword onto
PUSHF, PUSHFD, PUSHFQ 9C yes
Stack
RET C2, C3 yes Return From Call (near)

The 64-bit default operand size can be overridden to 16 bits using the 66h operand-size override.
However, it is not possible to override the operand size to 32 bits because there is no 32-bit operand-
size override prefix for 64-bit mode. See “Operand-Size Override Prefix” on page 4 for details.

B.5 Single-Byte INC and DEC Instructions in 64-Bit Mode

In 64-bit mode, the legacy encodings for the 16 single-byte INC and DEC instructions (one for each of
the eight GPRs) are used to encode the REX prefix values, as described in “REX Prefixes” on page 11.
Therefore, these single-byte opcodes for INC and DEC are not available in 64-bit mode, although they
are available in legacy and compatibility modes. The functionality of these INC and DEC instructions
is still available in 64-bit mode, however, using the ModRM forms of those instructions (opcodes FF/0
and FF/1).

B.6 NOP in 64-Bit Mode

Programs written for the legacy x86 architecture commonly use opcode 90h (the XCHG EAX, EAX
instruction) as a one-byte NOP. In 64-bit mode, the processor treats opcode 90h specially in order to
preserve this legacy NOP use. Without special handling in 64-bit mode, the instruction would not be a
true no-operation. Therefore, in 64-bit mode the processor treats XCHG EAX, EAX as a true NOP,
regardless of operand size.

General-Purpose Instructions in 64-Bit Mode 401

AMD64 Technology 24594—Rev. 3.14—September 2007

This special handling does not apply to the two-byte ModRM form of the XCHG instruction. Unless a
64-bit operand size is specified using a REX prefix byte, using the two byte form of XCHG to
exchange a register with itself will not result in a no-operation because the default operation size is 32
bits in 64-bit mode.

B.7 Segment Override Prefixes in 64-Bit Mode

In 64-bit mode, the CS, DS, ES, SS segment-override prefixes have no effect. These four prefixes are
no longer treated as segment-override prefixes in the context of multiple-prefix rules. Instead, they are
treated as null prefixes.
The FS and GS segment-override prefixes are treated as true segment-override prefixes in 64-bit mode.
Use of the FS and GS prefixes cause their respective segment bases to be added to the effective address
calculation. See “FS and GS Registers in 64-Bit Mode” in Volume 2 for details.

402 General-Purpose Instructions in 64-Bit Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Appendix C Differences Between Long Mode and

Legacy Mode
Table C-1 summarizes the major differences between 64-bit mode and legacy protected mode. The
third column indicates differences between 64-bit mode and legacy mode. The fourth column indicates
whether that difference also applies to compatibility mode.

Table C-1. Differences Between Long Mode and Legacy Mode

Applies To
Type Subject 64-Bit Mode Difference Compatibility
Mode?
Addressing RIP-relative addressing available
Default data size is 32 bits
Data and Address REX Prefix toggles data size to 64 bits
Sizes Default address size is 64 bits no
Address size prefix toggles address size to 32 bits
Various opcodes are invalid or changed in 64-bit
mode (see Table B-2 on page 399 and Table B-3 on
page 400)
Application Various opcodes are invalid in long mode (see
Programming yes
Table B-4 on page 400)
MOV reg,imm32 becomes MOV reg,imm64 (with
Instruction REX operand size prefix)
Differences
REX is always enabled
Direct-offset forms of MOV to or from accumulator no
become 64-bit offsets
MOVD extended to MOV 64 bits between MMX
registers and long GPRs (with REX operand-size
prefix)

Differences Between Long Mode and Legacy Mode 403

AMD64 Technology 24594—Rev. 3.14—September 2007

Table C-1. Differences Between Long Mode and Legacy Mode (continued)
Applies To
Type Subject 64-Bit Mode Difference Compatibility
Mode?
x86 Modes Real and virtual-8086 modes not supported yes
Task Switching Task switching not supported yes
64-bit virtual addresses
Addressing 4-level paging structures yes
PAE must always be enabled
CS, DS, ES, SS segment bases are ignored
Segmentation CS, DS, ES, FS, GS, SS segment limits are ignored no
CS, DS, ES, SS Segment prefixes are ignored
All pushes are 8 bytes
16-bit interrupt and trap gates are illegal
Exception and 32-bit interrupt and trap gates are redefined as 64-bit
System yes
Interrupt Handling gates and are expanded to 16 bytes
Programming
SS is set to null on stack switch
SS:RSP is pushed unconditionally
All pushes are 8 bytes
16-bit call gates are illegal
Call Gates 32-bit call gate type is redefined as 64-bit call gate yes
and is expanded to 16 bytes.
SS is set to null on stack switch
System-Descriptor GDT, IDT, LDT, TR base registers expanded to 64
yes
Registers bits
System-Descriptor LGDT and LIDT use expanded 10-byte pseudo-
Table Entries and descriptors. no
Pseudo-descriptors LLDT and LTR use expanded 16-byte table entries.

404 Differences Between Long Mode and Legacy Mode

24594—Rev. 3.14—September 2007 AMD64 Technology

Appendix D Instruction Subsets and CPUID

Feature Sets
Table D-1 is an alphabetical list of the AMD64 instruction set, including the instructions from all five
of the instruction subsets that make up the entire AMD64 instruction-set architecture:
• Chapter 3, “General-Purpose Instruction Reference.”
• Chapter 4, “System Instruction Reference.”
• “128-Bit Media Instruction Reference” in Volume 4.
• “64-Bit Media Instruction Reference” in Volume 5.
• “x87 Floating-Point Instruction Reference” in Volume 5.
Several instructions belong to—and are described in—multiple instruction subsets. Table D-1 shows
the minimum current privilege level (CPL) required to execute each instruction and the instruction
subset(s) to which the instruction belongs. For each instruction subset, the CPUID feature set(s) that
enables the instruction is shown.

D.1 Instruction Subsets

Figure D-1 on page 406 shows the relationship between the five instruction subsets and the CPUID
feature sets. Dashed-line polygons represent the instruction subsets. Circles represent the major
CPUID feature sets that enable various classes of instructions. (There are a few additional CPUID
feature sets, not shown, each of which apply to only a few instructions.)
The overlapping of the 128-bit and 64-bit media instruction subsets indicates that these subsets share
some common mnemonics. However, these common mnemonics either have distinct opcodes for each
subset or they take operands in both the MMX and XMM register sets.
The horizontal axis of Figure D-1 shows how the subsets and CPUID feature sets have evolved over
time.

Instruction Subsets and CPUID Feature Sets 405

AMD64 Technology 24594—Rev. 3.14—September 2007

General-Purpose Instructions

Long-Mode
Instructions Instructions
Basic

SVM
System Instructions Instructions

x87 Instructions
x87 Instructions

SSE3
Instructions
AMD Extensions
MMX™ to MMX™ SSE
Instructions Instructions
Instructions

64-Bit Media
Instructions 128-Bit Media
Instructions

AMD 3DNow!™ AMD Extension

to
Instructions 3DNow!™
Instructions
SSE2
Instructions

Time of Introduction
SSE4A
Instructions
Dashed-line boxes show instruction subsets.
Circles show major CPUID feature sets.
(Minor features sets are not shown.)

Figure D-1. Instruction Subsets vs. CPUID Feature Sets

406 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

D.2 CPUID Feature Sets

The CPUID feature sets shown in Figure D-1 and listed in Table D-1 on page 409 include:
• Basic Instructions—Instructions that are supported in all hardware implementations of the
AMD64 architecture, except that the following instructions are implemented only if their
associated CPUID function bit is set:
- CLFLUSH, indicated by EDX bit 19 of CPUID function 0000_0001h.
- CMPXCHG8B, indicated by EDX bit 8 of CPUID function 0000_0001h and function
8000_0001h.
- CMPXCHG16B, indicated by ECX bit 13 of CPUID function 0000_0001h.
- CMOVcc (conditional moves), indicated by EDX bit 15 of CPUID function 0000_0001h and
function 8000_0001h.
- RDMSR and WRMSR, indicated by EDX bit 5 of CPUID function 0000_0001h and function
8000_0001h.
- RDTSC, indicated by EDX bit 4 of CPUID function 0000_0001h and function 8000_0001h.
- RDTSCP, indicated by EDX bit 27 of CPUID function 8000_0001h.
- SYSCALL and SYSRET, indicated by EDX bit 11 of CPUID function 8000_0001h.
- SYSENTER and SYSEXIT, indicated by EDX bit 11 of CPUID function 0000_0001h.
• x87 Instructions—Legacy floating-point instructions that use the ST(0)–ST(7) stack registers
(FPR0–FPR7 physical registers) and are supported if the following bits are set:
- On-chip floating-point unit, indicated by EDX bit 0 of CPUID function 0000_0001h and
function 8000_0001h.
- FCMOVcc (conditional moves), indicated by EDX bit 15 of CPUID function 0000_0001h and
function 8000_0001h. This bit indicates support for x87 floating-point conditional moves
(FCMOVcc) whenever the On-Chip Floating-Point Unit bit (bit 0) is also set.
• MMX™ Instructions—Vector integer instructions that are implemented in the MMX instruction
set, use the MMX logical registers (FPR0–FPR7 physical registers), and are supported if the
following bit is set:
- MMX instructions, indicated by EDX bit 23 of CPUID function 0000_0001h and function
8000_0001h.
• AMD 3DNow!™ Instructions—Vector floating-point instructions that comprise the AMD
3DNow! technology, use the MMX logical registers (FPR0–FPR7 physical registers), and are
supported if the following bit is set:
- AMD 3DNow! instructions, indicated by EDX bit 31 of CPUID function 8000_0001h.
• AMD Extensions to MMX™ Instructions—Vector integer instructions that use the MMX registers
and are supported if the following bit is set:
- AMD extensions to MMX instructions, indicated by EDX bit 22 of CPUID function
8000_0001h.

Instruction Subsets and CPUID Feature Sets 407

AMD64 Technology 24594—Rev. 3.14—September 2007

• AMD Extensions to 3DNow!™ Instructions—Vector floating-point instructions that use the MMX
registers and are supported if the following bit is set:
- AMD extensions to 3DNow! instructions, indicated by EDX bit 30 of CPUID function
8000_0001h.
• SSE Instructions—Vector integer instructions that use the MMX registers, single-precision vector
and scalar floating-point instructions that use the XMM registers, plus other instructions for data-
type conversion, prefetching, cache control, and memory-access ordering. These instructions are
supported if the following bits are set:
- SSE, indicated by EDX bit 25 of CPUID function 0000_0001h.
- FXSAVE and FXRSTOR, indicated by EDX bit 24 of CPUID function 0000_0001h and
function 8000_0001h.
Several SSE opcodes are also implemented by the AMD Extensions to MMX™ Instructions.
• SSE2 Instructions—Vector and scalar integer and double-precision floating-point instructions that
use the XMM registers, plus other instructions for data-type conversion, cache control, and
memory-access ordering. These instructions are supported if the following bit is set:
- SSE2, indicated by EDX bit 26 of CPUID function 0000_0001h.
Several instructions originally implemented as MMX™ instructions are extended in the SSE2
instruction set to include opcodes that use XMM registers.
• SSE3 Instructions—Horizontal addition and subtraction of packed single-precision and double-
precision floating point values, simultaneous addition and subtraction of packed single-precision
and double-precision values, move with duplication, and floating-point-to-integer conversion.
These instructions are supported if the following bit is set:
- SSE3, indicated by ECX bit 0 of CPUID function 0000_0001h.
• SSE4A Instructions—The SSE4A instructions are EXTRQ, INSERTQ, MOVNTSD, and
MOVNTSS.
- SSE4A, indicated by ECX bit 6 of CPUID function 8000_0001h.
• Long-Mode Instructions—Instructions introduced by AMD with the AMD64 architecture. These
instructions are supported if the following bit is set:
- Long mode, indicated by EDX bit 29 of CPUID function 8000_0001h.
• SVM Instructions—Instructions introduced by AMD with the Secure Virtual Machine feature.
These instructions are supported if the following bit is set:
- SVM, indicated by ECX bit 2 of CPUID function 8000_0001h.
For complete details on the CPUID feature sets listed in Table D-1, see the AMD CPUID
Specification, order# 25481.

408 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

D.3 Instruction List

Table D-1. Instruction Subsets and CPUID Feature Sets
Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
AAA ASCII Adjust After Addition 3 Basic
ASCII Adjust Before
AAD 3 Basic
Division
AAM ASCII Adjust After Multiply 3 Basic
ASCII Adjust After
AAS 3 Basic
Subtraction
ADC Add with Carry 3 Basic
ADD Signed or Unsigned Add 3 Basic
Add Packed Double-
ADDPD 3 SSE2
Precision Floating-Point
Add Packed Single-
ADDPS 3 SSE
Precision Floating-Point
Add Scalar Double-
ADDSD 3 SSE2
Precision Floating-Point
Add Scalar Single-
ADDSS 3 SSE
Precision Floating-Point
Add and Subtract Double-
ADDSUBPD 3 SSE3
Precision
Add and Subtract Single-
ADDSUBPS 3 SSE3
Precision
AND Logical AND 3 Basic
Logical Bitwise AND NOT
ANDNPD Packed Double-Precision 3 SSE2
Floating-Point
Logical Bitwise AND NOT
ANDNPS Packed Single-Precision 3 SSE
Floating-Point
Logical Bitwise AND
ANDPD Packed Double-Precision 3 SSE2
Floating-Point
Logical Bitwise AND
ANDPS Packed Single-Precision 3 SSE
Floating-Point
Adjust Requestor Privilege
ARPL 3 Basic
Level
BOUND Check Array Bounds 3 Basic
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 409

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
BSF Bit Scan Forward 3 Basic
BSR Bit Scan Reverse 3 Basic
BSWAP Byte Swap 3 Basic
BT Bit Test 3 Basic
BTC Bit Test and Complement 3 Basic
BTR Bit Test and Reset 3 Basic
BTS Bit Test and Set 3 Basic
CALL Procedure Call 3 Basic
CBW Convert Byte to Word 3 Basic
Convert Doubleword to
CDQ 3 Basic
Quadword
Convert Doubleword to
CDQE 3 Long Mode
Quadword
CLC Clear Carry Flag 3 Basic
CLD Clear Direction Flag 3 Basic
CLFLUSH Cache Line Flush 3 CLFLUSH
CLGI Clear Global Interrupt Flag 0 SVM
CLI Clear Interrupt Flag 3 Basic
Clear Task-Switched Flag
CLTS 0 Basic
in CR0
CMC Complement Carry Flag 3 Basic
CMOVcc Conditional Move 3 CMOVcc
CMP Compare 3 Basic
Compare Packed Double-
CMPPD 3 SSE2
Precision Floating-Point
Compare Packed Single-
CMPPS 3 SSE
Precision Floating-Point
CMPS Compare Strings 3 Basic
CMPSB Compare Strings by Byte 3 Basic
Compare Strings by
CMPSD 3 Basic2
Doubleword
Compare Scalar Double-
CMPSD 3 SSE22
Precision Floating-Point
Compare Strings by
CMPSQ 3 Long Mode
Quadword
Compare Scalar Single-
CMPSS 3 SSE
Precision Floating-Point
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

410 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
CMPSW Compare Strings by Word 3 Basic
CMPXCHG Compare and Exchange 3 Basic
Compare and Exchange
CMPXCHG8B 3 CMPXCHG8B
Eight Bytes
Compare and Exchange
CMPXCHG16B 3 CMPXCHG16B
Sixteen Bytes
Compare Ordered Scalar
COMISD Double-Precision Floating- 3 SSE2
Point
Compare Ordered Scalar
COMISS Single-Precision Floating- 3 SSE
Point
CPUID Processor Identification 3 Basic
Convert Quadword to
CQO 3 Long Mode
Double Quadword
Convert Packed
Doubleword Integers to
CVTDQ2PD 3 SSE2
Packed Double-Precision
Floating-Point
Convert Packed
Doubleword Integers to
CVTDQ2PS 3 SSE2
Packed Single-Precision
Floating-Point
Convert Packed Double-
Precision Floating-Point to
CVTPD2DQ 3 SSE2
Packed Doubleword
Integers
Convert Packed Double-
Precision Floating-Point to
CVTPD2PI 3 SSE2 SSE2
Packed Doubleword
Integers
Convert Packed Double-
Precision Floating-Point to
CVTPD2PS 3 SSE2
Packed Single-Precision
Floating-Point
Convert Packed
Doubleword Integers to
CVTPI2PD 3 SSE2 SSE2
Packed Double-Precision
Floating-Point
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 411

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Convert Packed
Doubleword Integers to
CVTPI2PS 3 SSE SSE
Packed Single-Precision
Floating-Point
Convert Packed Single-
Precision Floating-Point to
CVTPS2DQ 3 SSE2
Packed Doubleword
Integers
Convert Packed Single-
Precision Floating-Point to
CVTPS2PD 3 SSE2
Packed Double-Precision
Floating-Point
Convert Packed Single-
Precision Floating-Point to
CVTPS2PI 3 SSE SSE
Packed Doubleword
Integers
Convert Scalar Double-
Precision Floating-Point to
CVTSD2SI 3 SSE2
Signed Doubleword or
Quadword Integer
Convert Scalar Double-
Precision Floating-Point to
CVTSD2SS 3 SSE2
Scalar Single-Precision
Floating-Point
Convert Signed
Doubleword or Quadword
CVTSI2SD 3 SSE2
Integer to Scalar Double-
Precision Floating-Point
Convert Signed
Doubleword or Quadword
CVTSI2SS 3 SSE
Integer to Scalar Single-
Precision Floating-Point
Convert Scalar Single-
Precision Floating-Point to
CVTSS2SD 3 SSE2
Scalar Double-Precision
Floating-Point
Convert Scalar Single-
Precision Floating-Point to
CVTSS2SI 3 SSE
Signed Doubleword or
Quadword Integer
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

412 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Convert Packed Double-
Precision Floating-Point to
CVTTPD2DQ 3 SSE2
Packed Doubleword
Integers, Truncated
Convert Packed Double-
Precision Floating-Point to
CVTTPD2PI 3 SSE2 SSE2
Packed Doubleword
Integers, Truncated
Convert Packed Single-
Precision Floating-Point to
CVTTPS2DQ 3 SSE2
Packed Doubleword
Integers, Truncated
Convert Packed Single-
Precision Floating-Point to
CVTTPS2PI 3 SSE SSE
Packed Doubleword
Integers, Truncated
Convert Scalar Double-
Precision Floating-Point to
CVTTSD2SI Signed Doubleword or 3 SSE2
Quadword Integer,
Truncated
Convert Scalar Single-
Precision Floating-Point to
CVTTSS2SI Signed Doubleword or 3 SSE
Quadword Integer,
Truncated
Convert Word to
CWD 3 Basic
Doubleword
Convert Word to
CWDE 3 Basic
Doubleword
Decimal Adjust after
DAA 3 Basic
Addition
Decimal Adjust after
DAS 3 Basic
Subtraction
DEC Decrement by 1 3 Basic
DIV Unsigned Divide 3 Basic
Divide Packed Double-
DIVPD 3 SSE2
Precision Floating-Point
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 413

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Divide Packed Single-
DIVPS 3 SSE
Precision Floating-Point
Divide Scalar Double-
DIVSD 3 SSE2
Precision Floating-Point
Divide Scalar Single-
DIVSS 3 SSE
Precision Floating-Point
EMMS Enter/Exit Multimedia State 3 MMX™ MMX
Create Procedure Stack
ENTER 3 Basic
Frame
EXTRQ Extract Field From Register 3 SSE4A
Floating-Point Compute
F2XM1 3 X87
2x–1
Floating-Point Absolute
FABS 3 X87
Value
FADD Floating-Point Add 3 X87
FADDP Floating-Point Add and Pop 3 X87
Floating-Point Load Binary-
FBLD 3 X87
Coded Decimal
Floating-Point Store
FBSTP Binary-Coded Decimal 3 X87
Integer and Pop
Floating-Point Change
FCHS 3 X87
Sign
FCLEX Floating-Point Clear Flags 3 X87
Floating-Point Conditional X87,
FCMOVB 3
Move If Below CMOVcc
Floating-Point Conditional X87,
FCMOVBE 3
Move If Below or Equal CMOVcc
Floating-Point Conditional X87,
FCMOVE 3
Move If Equal CMOVcc
Floating-Point Conditional X87,
FCMOVNB 3
Move If Not Below CMOVcc
Floating-Point Conditional X87,
FCMOVNBE 3
Move If Not Below or Equal CMOVcc
Floating-Point Conditional X87,
FCMOVNE 3
Move If Not Equal CMOVcc
Floating-Point Conditional X87,
FCMOVNU 3
Move If Not Unordered CMOVcc
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

414 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Floating-Point Conditional X87,
FCMOVU 3
Move If Unordered CMOVcc
FCOM Floating-Point Compare 3 X87
Floating-Point Compare
FCOMI 3 X87
and Set Flags
Floating-Point Compare
FCOMIP 3 X87
and Set Flags and Pop
Floating-Point Compare
FCOMP 3 X87
and Pop
Floating-Point Compare
FCOMPP 3 X87
and Pop Twice
FCOS Floating-Point Cosine 3 X87
Floating-Point Decrement
FDECSTP 3 X87
Stack-Top Pointer
FDIV Floating-Point Divide 3 X87
Floating-Point Divide and
FDIVP 3 X87
Pop
Floating-Point Divide
FDIVR 3 X87
Reverse
Floating-Point Divide
FDIVRP 3 X87
Reverse and Pop
Fast Enter/Exit Multimedia
FEMMS 3 3DNow!™ 3DNow!
State
Free Floating-Point
FFREE 3 X87
Register
Floating-Point Add Integer
FIADD 3 X87
to Stack Top
Floating-Point Integer
FICOM 3 X87
Compare
Floating-Point Integer
FICOMP 3 X87
Compare and Pop
Floating-Point Integer
FIDIV 3 X87
Divide
Floating-Point Integer
FIDIVR 3 X87
Divide Reverse
FILD Floating-Point Load Integer 3 X87
Floating-Point Integer
FIMUL 3 X87
Multiply
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 415

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Floating-Point Increment
FINCSTP 3 X87
Stack-Top Pointer
FINIT Floating-Point Initialize 3 X87
Floating-Point Integer
FIST 3 X87
Store
Floating-Point Integer
FISTP 3 X87
Store and Pop
Floating-Point Integer
FISTTP 3 SSE3
Truncate and Store
Floating-Point Integer
FISUB 3 X87
Subtract
Floating-Point Integer
FISUBR 3 X87
Subtract Reverse
FLD Floating-Point Load 3 X87
FLD1 Floating-Point Load +1.0 3 X87
Floating-Point Load x87
FLDCW 3 X87
Control Word
Floating-Point Load x87
FLDENV 3 X87
Environment
Floating-Point Load
FLDL2E 3 X87
Log2 e
Floating-Point Load
FLDL2T 3 X87
Log2 10
Floating-Point Load Log10
FLDLG2 3 X87
2
FLDLN2 Floating-Point Load Ln 2 3 X87
FLDPI Floating-Point Load Pi 3 X87
FLDZ Floating-Point Load +0.0 3 X87
FMUL Floating-Point Multiply 3 X87
Floating-Point Multiply and
FMULP 3 X87
Pop
Floating-Point No-Wait
FNCLEX 3 X87
Clear Flags
Floating-Point No-Wait
FNINIT 3 X87
Initialize
Floating-Point No
FNOP 3 X87
Operation
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

416 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Save No-Wait x87 and
FNSAVE 3 X87 X87
MMX State
Floating-Point No-Wait
FNSTCW 3 X87
Store x87 Control Word
Floating-Point No-Wait
FNSTENV 3 X87
Store x87 Environment
Floating-Point No-Wait
FNSTSW 3 X87
Store x87 Status Word
Floating-Point Partial
FPATAN 3 X87
Arctangent
Floating-Point Partial
FPREM 3 X87
Remainder
Floating-Point Partial
FPREM1 3 X87
Remainder
Floating-Point Partial
FPTAN 3 X87
Tangent
Floating-Point Round to
FRNDINT 3 X87
Integer
Restore x87 and MMX
FRSTOR 3 X87 X87
State
FSAVE Save x87 and MMX State 3 X87 X87
FSCALE Floating-Point Scale 3 X87
FSIN Floating-Point Sine 3 X87
Floating-Point Sine and
FSINCOS 3 X87
Cosine
FSQRT Floating-Point Square Root 3 X87
Floating-Point Store Stack
FST 3 X87
Top
Floating-Point Store x87
FSTCW 3 X87
Control Word
Floating-Point Store x87
FSTENV 3 X87
Environment
Floating-Point Store Stack
FSTP 3 X87
Top and Pop
Floating-Point Store x87
FSTSW 3 X87
Status Word
FSUB Floating-Point Subtract 3 X87
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 417

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Floating-Point Subtract and
FSUBP 3 X87
Pop
Floating-Point Subtract
FSUBR 3 X87
Reverse
Floating-Point Subtract
FSUBRP 3 X87
Reverse and Pop
Floating-Point Test with
FTST 3 X87
Zero
Floating-Point Unordered
FUCOM 3 X87
Compare
Floating-Point Unordered
FUCOMI 3 X87
Compare and Set Flags
Floating-Point Unordered
FUCOMIP Compare and Set Flags 3 X87
and Pop
Floating-Point Unordered
FUCOMP 3 X87
Compare and Pop
Floating-Point Unordered
FUCOMPP 3 X87
Compare and Pop Twice
Wait for x87 Floating-Point
FWAIT 3 X87
Exceptions
FXAM Floating-Point Examine 3 X87
FXCH Floating-Point Exchange 3 X87
Restore XMM, MMX, and FXSAVE, FXSAVE, FXSAVE,
FXRSTOR 3
x87 State FXRSTOR FXRSTOR FXRSTOR
Save XMM, MMX, and x87 FXSAVE, FXSAVE, FXSAVE,
FXSAVE 3
State FXRSTOR FXRSTOR FXRSTOR
Floating-Point Extract
FXTRACT 3 X87
Exponent and Significand
FYL2X Floating-Point y * log2x 3 X87
Floating-Point
FYL2XP1 3 X87
y * log2(x +1)
Horizontal Add Packed
HADDPD 3 SSE3
Double
Horizontal Add Packed
HADDPS 3 SSE3
Single
HLT Halt 0 Basic
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

418 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Horizontal Subtract Packed
HSUBPD 3 SSE3
Double
Horizontal Subtract Packed
HSUBPS 3 SSE3
Single
IDIV Signed Divide 3 Basic
IMUL Signed Multiply 3 Basic
IN Input from Port 3 Basic
INC Increment by 1 3 Basic
INS Input String 3 Basic
INSB Input String Byte 3 Basic
INSD Input String Doubleword 3 Basic
INSERTQ Insert Field 3 SSE4A
INSW Input String Word 3 Basic
INT Interrupt to Vector 3 Basic
INT 3 Interrupt to Debug Vector 3 Basic
INTO Interrupt to Overflow Vector 3 Basic
INVD Invalidate Caches 0 Basic
INVLPG Invalidate TLB Entry 0 Basic
Invalidate TLB Entry in a
INVLPGA 0 SVM
Specified ASID
IRET Interrupt Return Word 3 Basic
Interrupt Return
IRETD 3 Basic
Doubleword
IRETQ Interrupt Return Quadword 3 Long Mode
Jcc Jump Condition 3 Basic
JCXZ Jump if CX Zero 3 Basic
JECXZ Jump if ECX Zero 3 Basic
JMP Jump 3 Basic
JRCXZ Jump if RCX Zero 3 Basic
Load Status Flags into AH
LAHF 3 Basic
Register
LAR Load Access Rights Byte 3 Basic
Load Unaligned Double
LDDQU 3 SSE3
Quadword
Load MXCSR
LDMXCSR 3 SSE
Control/Status Register
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 419

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
LDS Load DS Far Pointer 3 Basic
LEA Load Effective Address 3 Basic
Delete Procedure Stack
LEAVE 3 Basic
Frame
LES Load ES Far Pointer 3 Basic
LFENCE Load Fence 3 SSE2
LFS Load FS Far Pointer 3 Basic
Load Global Descriptor
LGDT 0 Basic
Table Register
LGS Load GS Far Pointer 3 Basic
Load Interrupt Descriptor
LIDT 0 Basic
Table Register
Load Local Descriptor
LLDT 0 Basic
Table Register
LMSW Load Machine Status Word 0 Basic
LODS Load String 3 Basic
LODSB Load String Byte 3 Basic
LODSD Load String Doubleword 3 Basic
LODSQ Load String Quadword 3 Long Mode
LODSW Load String Word 3 Basic
LOOP Loop 3 Basic
LOOPE Loop if Equal 3 Basic
LOOPNE Loop if Not Equal 3 Basic
LOOPNZ Loop if Not Zero 3 Basic
LOOPZ Loop if Zero 3 Basic
LSL Load Segment Limit 3 Basic
LSS Load SS Segment Register 3 Basic
LTR Load Task Register 0 Basic
LZCNT Count Leading Zeros 3 Basic
Masked Move Double
MASKMOVDQU 3 SSE2
Quadword Unaligned
SSE, MMX
MASKMOVQ Masked Move Quadword 3
Extensions
Maximum Packed Double-
MAXPD 3 SSE2
Precision Floating-Point
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

420 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Maximum Packed Single-
MAXPS 3 SSE
Precision Floating-Point
Maximum Scalar Double-
MAXSD 3 SSE2
Precision Floating-Point
Maximum Scalar Single-
MAXSS 3 SSE
Precision Floating-Point
MFENCE Memory Fence 3 SSE2
Minimum Packed Double-
MINPD 3 SSE2
Precision Floating-Point
Minimum Packed Single-
MINPS 3 SSE
Precision Floating-Point
Minimum Scalar Double-
MINSD 3 SSE2
Precision Floating-Point
Minimum Scalar Single-
MINSS 3 SSE
Precision Floating-Point
MONITOR Setup Monitor Address 0 Basic
MOV Move 3 Basic
Move to/from Control
MOV CRn 0 Basic
Registers
Move to/from Debug
MOV DRn 0 Basic
Registers
Move Aligned Packed
MOVAPD Double-Precision Floating- 3 SSE2
Point
Move Aligned Packed
MOVAPS Single-Precision Floating- 3 SSE
Point
Move Doubleword or
MOVD 3 MMX, SSE2 SSE2 MMX
Quadword
Move Double-Precision
MOVDDUP 3 SSE3
and Duplicate
Move Quadword to
MOVDQ2Q 3 SSE2 SSE2
Quadword
Move Aligned Double
MOVDQA 3 SSE2
Quadword
Move Unaligned Double
MOVDQU 3 SSE2
Quadword
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 421

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Move Packed Single-
MOVHLPS Precision Floating-Point 3 SSE
High to Low
Move High Packed Double-
MOVHPD 3 SSE2
Precision Floating-Point
Move High Packed Single-
MOVHPS 3 SSE
Precision Floating-Point
Move Packed Single-
MOVLHPS Precision Floating-Point 3 SSE
Low to High
Move Low Packed Double-
MOVLPD 3 SSE2
Precision Floating-Point
Move Low Packed Single-
MOVLPS 3 SSE
Precision Floating-Point
Extract Packed Double-
MOVMSKPD Precision Floating-Point 3 SSE2 SSE2
Sign Mask
Extract Packed Single-
MOVMSKPS Precision Floating-Point 3 SSE SSE
Sign Mask
Move Non-Temporal
MOVNTDQ 3 SSE2
Double Quadword
Move Non-Temporal
MOVNTI 3 SSE2
Doubleword or Quadword
Move Non-Temporal
MOVNTPD Packed Double-Precision 3 SSE2
Floating-Point
Move Non-Temporal
MOVNTPS Packed Single-Precision 3 SSE
Floating-Point
Move Non-Temporal Scalar
MOVNTSD Double-Precision Floating- 3 SSE4A
Point
Move Non-Temporal Scalar
MOVNTSS Single-Precision Floating- 3 SSE4A
Point
Move Non-Temporal SSE, MMX
MOVNTQ 3
Quadword Extensions
MOVQ Move Quadword 3 SSE2 MMX
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

422 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Move Quadword to
MOVQ2DQ 3 SSE2 SSE2
Quadword
MOVS Move String 3 Basic
MOVSB Move String Byte 3 Basic
MOVSD Move String Doubleword 3 Basic2
Move Scalar Double-
MOVSD 3 SSE22
Precision Floating-Point
Move Single-Precision
MOVSHDUP 3 SSE3
High and Duplicate
Move Single-Precision Low
MOVSLDUP 3 SSE3
and Duplicate
MOVSQ Move String Quadword 3 Long Mode
Move Scalar Single-
MOVSS 3 SSE
Precision Floating-Point
MOVSW Move String Word 3 Basic
MOVSX Move with Sign-Extend 3 Basic
Move with Sign-Extend
MOVSXD 3 Long Mode
Doubleword
Move Unaligned Packed
MOVUPD Double-Precision Floating- 3 SSE2
Point
Move Unaligned Packed
MOVUPS Single-Precision Floating- 3 SSE
Point
MOVZX Move with Zero-Extend 3 Basic
MUL Multiply Unsigned 3 Basic
Multiply Packed Double-
MULPD 3 SSE2
Precision Floating-Point
Multiply Packed Single-
MULPS 3 SSE
Precision Floating-Point
Multiply Scalar Double-
MULSD 3 SSE2
Precision Floating-Point
Multiply Scalar Single-
MULSS 3 SSE
Precision Floating-Point
MWAIT Monitor Wait 0 Basic
Two's Complement
NEG 3 Basic
Negation
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 423

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
NOP No Operation 3 Basic
One's Complement
NOT 3 Basic
Negation
OR Logical OR 3 Basic
Logical Bitwise OR Packed
ORPD Double-Precision Floating- 3 SSE2
Point
Logical Bitwise OR Packed
ORPS Single-Precision Floating- 3 SSE
Point
OUT Output to Port 3 Basic
OUTS Output String 3 Basic
OUTSB Output String Byte 3 Basic
OUTSD Output String Doubleword 3 Basic
OUTSW Output String Word 3 Basic
Pack with Saturation
PACKSSDW Signed Doubleword to 3 SSE2 MMX
Word
Pack with Saturation
PACKSSWB 3 SSE2 MMX
Signed Word to Byte
Pack with Saturation
PACKUSWB Signed Word to Unsigned 3 SSE2 MMX
Byte
PADDB Packed Add Bytes 3 SSE2 MMX
PADDD Packed Add Doublewords 3 SSE2 MMX
PADDQ Packed Add Quadwords 3 SSE2 SSE2
Packed Add Signed with
PADDSB 3 SSE2 MMX
Saturation Bytes
Packed Add Signed with
PADDSW 3 SSE2 MMX
Saturation Words
Packed Add Unsigned with
PADDUSB 3 SSE2 MMX
Saturation Bytes
Packed Add Unsigned with
PADDUSW 3 SSE2 MMX
Saturation Words
PADDW Packed Add Words 3 SSE2 MMX
Packed Logical Bitwise
PAND 3 SSE2 MMX
AND
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

424 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Packed Logical Bitwise
PANDN 3 SSE2 MMX
AND NOT
Packed Average Unsigned SSE, MMX
PAVGB 3 SSE2
Bytes Extensions
Packed Average Unsigned
PAVGUSB 3 3DNow!
Bytes
Packed Average Unsigned SSE, MMX
PAVGW 3 SSE2
Words Extensions
Packed Compare Equal
PCMPEQB 3 SSE2 MMX
Bytes
Packed Compare Equal
PCMPEQD 3 SSE2 MMX
Doublewords
Packed Compare Equal
PCMPEQW 3 SSE2 MMX
Words
Packed Compare Greater
PCMPGTB 3 SSE2 MMX
Than Signed Bytes
Packed Compare Greater
PCMPGTD 3 SSE2 MMX
Than Signed Doublewords
Packed Compare Greater
PCMPGTW 3 SSE2 MMX
Than Signed Words
SSE, MMX
PEXTRW Packed Extract Word 3 SSE2
Extensions
Packed Floating-Point to
PF2ID Integer Doubleword 3 3DNow!
Conversion
Packed Floating-Point to 3DNow!
PF2IW 3
Integer Word Conversion Extensions
Packed Floating-Point
PFACC 3 3DNow!
Accumulate
PFADD Packed Floating-Point Add 3 3DNow!
Packed Floating-Point
PFCMPEQ 3 3DNow!
Compare Equal
Packed Floating-Point
PFCMPGE 3 3DNow!
Compare Greater or Equal
Packed Floating-Point
PFCMPGT 3 3DNow!
Compare Greater Than
Packed Floating-Point
PFMAX 3 3DNow!
Maximum
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 425

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Packed Floating-Point
PFMIN 3 3DNow!
Minimum
Packed Floating-Point
PFMUL 3 3DNow!
Multiply
Packed Floating-Point 3DNow!
PFNACC 3
Negative Accumulate Extensions
Packed Floating-Point
3DNow!
PFPNACC Positive-Negative 3
Extensions
Accumulate
Packed Floating-Point
PFRCP 3 3DNow!
Reciprocal Approximation
Packed Floating-Point
PFRCPIT1 3 3DNow!
Reciprocal, Iteration 1
Packed Floating-Point
PFRCPIT2 Reciprocal or Reciprocal 3 3DNow!
Square Root, Iteration 2
Packed Floating-Point
PFRSQIT1 Reciprocal Square Root, 3 3DNow!
Iteration 1
Packed Floating-Point
PFRSQRT Reciprocal Square Root 3 3DNow!
Approximation
Packed Floating-Point
PFSUB 3 3DNow!
Subtract
Packed Floating-Point
PFSUBR 3 3DNow!
Subtract Reverse
Packed Integer to Floating-
PI2FD Point Doubleword 3 3DNow!
Conversion
Packed Integer To Floating- 3DNow!
PI2FW 3
Point Word Conversion Extensions
SSE, MMX
PINSRW Packed Insert Word 3 SSE2
Extensions
Packed Multiply Words and
PMADDWD 3 SSE2 MMX
Add Doublewords
Packed Maximum Signed SSE, MMX
PMAXSW 3 SSE2
Words Extensions
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

426 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Packed Maximum SSE, MMX
PMAXUB 3 SSE2
Unsigned Bytes Extensions
Packed Minimum Signed SSE, MMX
PMINSW 3 SSE2
Words Extensions
Packed Minimum Unsigned SSE, MMX
PMINUB 3 SSE2
Bytes Extensions
SSE, MMX
PMOVMSKB Packed Move Mask Byte 3 SSE2
Extensions
Packed Multiply High
PMULHRW 3 3DNow!
Rounded Word
Packed Multiply High SSE, MMX
PMULHUW 3 SSE2
Unsigned Word Extensions
Packed Multiply High
PMULHW 3 SSE2 MMX
Signed Word
Packed Multiply Low
PMULLW 3 SSE2 MMX
Signed Word
Packed Multiply Unsigned
PMULUDQ Doubleword and Store 3 SSE2 SSE2
Quadword
POP Pop Stack 3 Basic
POPA Pop All to GPR Words 3 Basic
Pop All to GPR
POPAD 3 Basic
Doublewords
POPCNT Bit Population Count 3 Basic
POPF Pop to FLAGS Word 3 Basic
Pop to EFLAGS
POPFD 3 Basic
Doubleword
POPFQ Pop to RFLAGS Quadword 3 Long Mode
POR Packed Logical Bitwise OR 3 SSE2 MMX
Prefetch L1 Data-Cache 3DNow!™,
PREFETCH 3
Line Long Mode
Prefetch Data to Cache SSE, MMX
PREFETCHlevel 3
Level level Extensions
Prefetch L1 Data-Cache 3DNow!,
PREFETCHW 3
Line for Write Long Mode
Packed Sum of Absolute
SSE, MMX
PSADBW Differences of Bytes into a 3 SSE2
Extensions
Word
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 427

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Packed Shuffle
PSHUFD 3 SSE2
Doublewords
PSHUFHW Packed Shuffle High Words 3 SSE2
PSHUFLW Packed Shuffle Low Words 3 SSE2
SSE, MMX
PSHUFW Packed Shuffle Words 3
Extensions
Packed Shift Left Logical
PSLLD 3 SSE2 MMX
Doublewords
Packed Shift Left Logical
PSLLDQ 3 SSE2
Double Quadword
Packed Shift Left Logical
PSLLQ 3 SSE2 MMX
Quadwords
Packed Shift Left Logical
PSLLW 3 SSE2 MMX
Words
Packed Shift Right
PSRAD 3 SSE2 MMX
Arithmetic Doublewords
Packed Shift Right
PSRAW 3 SSE2 MMX
Arithmetic Words
Packed Shift Right Logical
PSRLD 3 SSE2 MMX
Doublewords
Packed Shift Right Logical
PSRLDQ 3 SSE2
Double Quadword
Packed Shift Right Logical
PSRLQ 3 SSE2 MMX
Quadwords
Packed Shift Right Logical
PSRLW 3 SSE2 MMX
Words
PSUBB Packed Subtract Bytes 3 SSE2 MMX
Packed Subtract
PSUBD 3 SSE2 MMX
Doublewords
PSUBQ Packed Subtract Quadword 3 SSE2 SSE2
Packed Subtract Signed
PSUBSB 3 SSE2 MMX
With Saturation Bytes
Packed Subtract Signed
PSUBSW 3 SSE2 MMX
with Saturation Words
Packed Subtract Unsigned
PSUBUSB 3 SSE2 MMX
and Saturate Bytes
Packed Subtract Unsigned
PSUBUSW 3 SSE2 MMX
and Saturate Words
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

428 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
PSUBW Packed Subtract Words 3 SSE2 MMX
3DNow!
PSWAPD Packed Swap Doubleword 3
Extensions
Unpack and Interleave
PUNPCKHBW 3 SSE2 MMX
High Bytes
Unpack and Interleave
PUNPCKHDQ 3 SSE2 MMX
High Doublewords
Unpack and Interleave
PUNPCKHQDQ 3 SSE2
High Quadwords
Unpack and Interleave
PUNPCKHWD 3 SSE2 MMX
High Words
Unpack and Interleave Low
PUNPCKLBW 3 SSE2 MMX
Bytes
Unpack and Interleave Low
PUNPCKLDQ 3 SSE2 MMX
Doublewords
Unpack and Interleave Low
PUNPCKLQDQ 3 SSE2
Quadwords
Unpack and Interleave Low
PUNPCKLWD 3 SSE2 3DNow!
Words
PUSH Push onto Stack 3 Basic
Push All GPR Words onto
PUSHA 3 Basic
Stack
Push All GPR
PUSHAD 3 Basic
Doublewords onto Stack
Push EFLAGS Word onto
PUSHF 3 Basic
Stack
Push EFLAGS Doubleword
PUSHFD 3 Basic
onto Stack
Push RFLAGS Quadword
PUSHFQ 3 Long Mode
onto Stack
Packed Logical Bitwise
PXOR 3 SSE2 MMX
Exclusive OR
RCL Rotate Through Carry Left 3 Basic
Reciprocal Packed Single-
RCPPS 3 SSE
Precision Floating-Point
Reciprocal Scalar Single-
RCPSS 3 SSE
Precision Floating-Point
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 429

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
Rotate Through Carry
RCR 3 Basic
Right
Read Model-Specific RDMSR,
RDMSR 0
Register WRMSR
Read Performance-
RDPMC 3 Basic
Monitoring Counter
RDTSC Read Time-Stamp Counter 3 TSC
Read Time-Stamp Counter
RDTSCP 3 RDTSCP
and Processor ID
RET Return from Call 3 Basic
ROL Rotate Left 3 Basic
ROR Rotate Right 3 Basic
Resume from System
RSM 3 Basic
Management Mode
Reciprocal Square Root
RSQRTPS Packed Single-Precision 3 SSE
Floating-Point
Reciprocal Square Root
RSQRTSS Scalar Single-Precision 3 SSE
Floating-Point
SAHF Store AH into Flags 3 Basic
SAL Shift Arithmetic Left 3 Basic
SAR Shift Arithmetic Right 3 Basic
SBB Subtract with Borrow 3 Basic
SCAS Scan String 3 Basic
SCASB Scan String as Bytes 3 Basic
SCASD Scan String as Doubleword 3 Basic
SCASQ Scan String as Quadword 3 Long Mode
SCASW Scan String as Words 3 Basic
SETcc Set Byte if Condition 3 Basic
SSE,
SFENCE Store Fence 3 MMX™
Extensions
Store Global Descriptor
SGDT 3 Basic
Table Register
SHL Shift Left 3 Basic
SHLD Shift Left Double 3 Basic
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

430 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
SHR Shift Right 3 Basic
SHRD Shift Right Double 3 Basic
Shuffle Packed Double-
SHUFPD 3 SSE2
Precision Floating-Point
Shuffle Packed Single-
SHUFPS 3 SSE
Precision Floating-Point
Store Interrupt Descriptor
SIDT 3 Basic
Table Register
Secure Init and Jump with
SKINIT 0 SVM
Attestation
Store Local Descriptor
SLDT 3 Basic
Table Register
Store Machine Status
SMSW 3 Basic
Word
Square Root Packed
SQRTPD Double-Precision Floating- 3 SSE2
Point
Square Root Packed
SQRTPS Single-Precision Floating- 3 SSE
Point
Square Root Scalar
SQRTSD Double-Precision Floating- 3 SSE2
Point
Square Root Scalar Single-
SQRTSS 3 SSE
Precision Floating-Point
STC Set Carry Flag 3 Basic
STD Set Direction Flag 3 Basic
STGI Set Global Interrupt Flag 0 SVM
STI Set Interrupt Flag 3 Basic
Store MXCSR
STMXCSR 3 SSE
Control/Status Register
STOS Store String 3 Basic
STOSB Store String Bytes 3 Basic
STOSD Store String Doublewords 3 Basic
STOSQ Store String Quadwords 3 Long Mode
STOSW Store String Words 3 Basic
STR Store Task Register 3 Basic
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 431

AMD64 Technology 24594—Rev. 3.14—September 2007

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
SUB Subtract 3 Basic
Subtract Packed Double-
SUBPD 3 SSE2
Precision Floating-Point
Subtract Packed Single-
SUBPS 3 SSE
Precision Floating-Point
Subtract Scalar Double-
SUBSD 3 SSE2
Precision Floating-Point
Subtract Scalar Single-
SUBSS 3 SSE
Precision Floating-Point
Swap GS Register with
SWAPGS 0 Long Mode
KernelGSbase MSR
SYSCALL,
SYSCALL Fast System Call 3
SYSRET
SYSENTER
SYSENTER System Call 3
, SYSEXIT
SYSENTER
SYSEXIT System Return 0
, SYSEXIT
SYSCALL,
SYSRET Fast System Return 0
SYSRET
TEST Test Bits 3 Basic
Unordered Compare
UCOMISD Scalar Double-Precision 3 SSE2
Floating-Point
Unordered Compare
UCOMISS Scalar Single-Precision 3 SSE
Floating-Point
UD2 Undefined Operation 3 Basic
Unpack High Double-
UNPCKHPD 3 SSE2
Precision Floating-Point
Unpack High Single-
UNPCKHPS 3 SSE
Precision Floating-Point
Unpack Low Double-
UNPCKLPD 3 SSE2
Precision Floating-Point
Unpack Low Single-
UNPCKLPS 3 SSE
Precision Floating-Point
VERR Verify Segment for Reads 3 Basic
VERW Verify Segment for Writes 3 Basic
VMLOAD Load State from VMCB 0 SVM
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

432 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Table D-1. Instruction Subsets and CPUID Feature Sets (continued)

Instruction Subset
Instruction
and CPUID Feature Set(s)1
General- 128-Bit 64-Bit
Mnemonic Description CPL x87 System
Purpose Media Media
VMMCALL Call VMM 0 SVM
VMRUN Run Virtual Machine 0 SVM
VMSAVE Save State to VMCB 0 SVM
Wait for x87 Floating-Point
WAIT 3 X87
Exceptions
Writeback and Invalidate
WBINVD 0 Basic
Caches
Write to Model-Specific RDMSR,
WRMSR 0
Register WRMSR
XADD Exchange and Add 3 Basic
XCHG Exchange 3 Basic
XLAT Translate Table Index 3 Basic
Translate Table Index (No
XLATB 3 Basic
Operands)
XOR Exclusive OR 3 Basic
Logical Bitwise Exclusive
XORPD OR Packed Double- 3 SSE2
Precision Floating-Point
Logical Bitwise Exclusive
XORPS OR Packed Single- 3 SSE
Precision Floating-Point
Note:
1. Columns indicate the instruction subsets. Entries indicate the CPUID feature set(s) to which the instruction belongs.
2. Mnemonic is used for two different instructions. Assemblers can distinguish them by the number and type of oper-
ands.

Instruction Subsets and CPUID Feature Sets 433

AMD64 Technology 24594—Rev. 3.14—September 2007

434 Instruction Subsets and CPUID Feature Sets

24594—Rev. 3.14—September 2007 AMD64 Technology

Appendix E Instruction Effects on RFLAGS

The flags in the RFLAGS register are described in “Flags Register” in Volume 1 and “RFLAGS
Register” in Volume 2. Table E-1 summarizes the effect that instructions have on these flags. The table
includes all instructions that affect the flags. Instructions not shown have no effect on RFLAGS.
The following codes are used within the table:
• 0—The flag is always cleared to 0.
• 1—The flag is always set to 1.
• AH—The flag is loaded with value from AH register.
• Mod—The flag is modified, depending on the results of the instruction.
• Pop—The flag is loaded with value popped off of the stack.
• Tst—The flag is tested.
• U—The effect on the flag is undefined.
• Gray shaded cells indicate that the flag is not affected by the instruction.

Table E-1. Instruction Effects on RFLAGS

RFLAGS Mnemonic and Bit Number
Instruction
Mnemonic ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF
21 20 19 18 17 16 14 13-12 11 10 9 8 7 6 4 2 0
AAA Tst
U U U U Mod
AAS Mod
AAD
U Mod Mod U Mod U
AAM
Tst
ADC Mod Mod Mod Mod Mod
Mod
ADD Mod Mod Mod Mod Mod Mod
AND 0 Mod Mod U Mod 0
ARPL Mod
BSF
U U Mod U U U
BSR
BT
BTC
U U U U U Mod
BTR
BTS
CLC 0
CLD 0
CLI Mod TST Mod
CMC Mod
CMOVcc Tst Tst Tst Tst Tst
CMP Mod Mod Mod Mod Mod Mod
CMPSx Mod Tst Mod Mod Mod Mod Mod

Instruction Effects on RFLAGS 435

AMD64 Technology 24594—Rev. 3.14—September 2007

Table E-1. Instruction Effects on RFLAGS (continued)

RFLAGS Mnemonic and Bit Number
Instruction
Mnemonic ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF
21 20 19 18 17 16 14 13-12 11 10 9 8 7 6 4 2 0
CMPXCHG Mod Mod Mod Mod Mod Mod
CMPXCHG8B Mod
CMPXCHG16B Mod
COMISD
0 0 Mod 0 Mod Mod
COMISS
DAA Tst Tst
U Mod Mod Mod
DAS Mod Mod
DEC Mod Mod Mod Mod Mod
DIV U U U U U U
FCMOVcc Tst Tst Tst
FCOMI
FCOMIP
Mod Mod Mod
FUCOMI
FUCOMIP
IDIV U U U U U U
IMUL Mod U U U U Mod
INC Mod Mod Mod Mod Mod
IN Tst
INSx Tst Tst
INT Tst
Mod Mod 0 Mod Tst Mod 0
INT 3 Mod
Tst
INTO Mod 0 Mod Tst Tst Mod Mod
Mod
Tst Tst Tst
IRETx Pop Pop Pop Pop Pop Pop Pop Pop Pop Pop Pop Pop Pop Pop
Pop Pop Pop
Jcc Tst Tst Tst Tst Tst
LAR Mod
LODSx Tst
LOOPE
Tst
LOOPNE
LSL Mod
LZCNT U U Mod U U Mod
MOVSx Tst
MUL Mod U U U U Mod
NEG Mod Mod Mod Mod Mod Mod
OR 0 Mod Mod U Mod 0
OUT Tst
OUTSx Tst Tst
POPCNT 0 0 Mod 0 0 0
Tst
POPFx Pop Tst Mod Pop Tst 0 Pop Pop Pop Pop Pop Pop Pop Pop Pop Pop
Pop

436 Instruction Effects on RFLAGS

24594—Rev. 3.14—September 2007 AMD64 Technology

Table E-1. Instruction Effects on RFLAGS (continued)

RFLAGS Mnemonic and Bit Number
Instruction
Mnemonic ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF
21 20 19 18 17 16 14 13-12 11 10 9 8 7 6 4 2 0
Tst
RCL 1 Mod
Mod
Tst
RCL count U
Mod
Tst
RCR 1 Mod
Mod
Tst
RCR count U
Mod
ROL 1 Mod Mod
ROL count U Mod
ROR 1 Mod Mod
ROR count U Mod
RSM Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod
SAHF AH AH AH AH AH
SAL 1 Mod Mod Mod U Mod Mod
SAL count U Mod Mod U Mod Mod
SAR 1 Mod Mod Mod U Mod Mod
SAR count U Mod Mod U Mod Mod
Tst
SBB Mod Mod Mod Mod Mod
Mod
SCASx Mod Tst Mod Mod Mod Mod Mod
SETcc Tst Tst Tst Tst Tst
SHLD 1
Mod Mod Mod U Mod Mod
SHRD 1
SHLD count
U Mod Mod U Mod Mod
SHRD count
SHR 1 Mod Mod Mod U Mod Mod
SHR count U Mod Mod U Mod Mod
STC 1
STD 1
STI Mod Tst Mod
STOSx Tst
SUB Mod Mod Mod Mod Mod Mod
SYSCALL Mod Mod Mod Mod 0 0 Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod
SYSENTER 0 0 0
SYSRET Mod Mod Mod Mod 0 Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod Mod
TEST 0 Mod Mod U Mod 0
UCOMISD
0 0 Mod 0 Mod Mod
UCOMISS

Instruction Effects on RFLAGS 437

AMD64 Technology 24594—Rev. 3.14—September 2007

Table E-1. Instruction Effects on RFLAGS (continued)

RFLAGS Mnemonic and Bit Number
Instruction
Mnemonic ID VIP VIF AC VM RF NT IOPL OF DF IF TF SF ZF AF PF CF
21 20 19 18 17 16 14 13-12 11 10 9 8 7 6 4 2 0
VERR
Mod
VERW
XADD Mod Mod Mod Mod Mod Mod
XOR 0 Mod Mod U Mod 0

438 Instruction Effects on RFLAGS

24594—Rev. 3.14—September 2007 AMD64 Technology

Index
Symbols CLGI .................................................................... 254
CLI ....................................................................... 255
#VMEXIT............................................................. 332 CLTS .................................................................... 257
Numerics CMC ....................................................................... 90
CMOVcc ......................................................... 91, 348
16-bit mode ............................................................ xvi CMP ....................................................................... 94
32-bit mode ............................................................ xvi CMPSx ................................................................... 97
64-bit mode ........................................................... xvii CMPXCHG ............................................................. 99
A CMPXCHG16B ..................................................... 101
CMPXCHG8B....................................................... 101
AAA ....................................................................... 53 commit .................................................................. xvii
AAD ....................................................................... 54 compatibility mode ................................................ xvii
AAM ...................................................................... 55 condition codes
AAS ....................................................................... 56 rFLAGS ..................................................... 348, 363
ADC ....................................................................... 57 count ..................................................................... 373
ADD ....................................................................... 59 CPUID .................................................................. 103
address size prefix................................................ 6, 20 extended functions .............................................. 103
addressing feature sets ......................................................... 407
byte registers ........................................................ 14 standard functions ............................................... 103
effective address ........................... 365, 368, 369, 371 CPUID instruction
PC-relative ........................................................... 19 testing for ........................................................... 103
RIP-relative ................................................... xxi, 19
CQO ....................................................................... 85
AND ....................................................................... 61
CWD ...................................................................... 85
ARPL ................................................................... 252
CWDE .................................................................... 84
B D
base field ........................................................ 370, 371
DAA ..................................................................... 105
biased exponent ..................................................... xvii
DAS ...................................................................... 106
BOUND .................................................................. 63 data types
BSF ........................................................................ 65 128-bit media ....................................................... 30
BSR ........................................................................ 66 64-bit media ......................................................... 32
BSWAP .................................................................. 67 general-purpose .................................................... 26
BT .......................................................................... 68 x87 ...................................................................... 34
BTC ....................................................................... 70 DEC......................................................... 14, 107, 401
BTR ....................................................................... 72 direct referencing ................................................... xvii
BTS ........................................................................ 74 displacements ................................................. xviii, 19
byte order of instructions ............................................ 1 DIV ...................................................................... 109
byte register addressing ............................................ 14 double quadword .................................................. xviii
C doubleword........................................................... xviii
E
CALL ..................................................................... 12
far call ................................................................. 78 eAX–eSP register .................................................. xxiii
near call ............................................................... 76 effective address .............................. 365, 368, 369, 371
CBW ...................................................................... 84 effective address size ............................................. xviii
CDQ ....................................................................... 85 effective operand size ............................................ xviii
CDQE ..................................................................... 84 eFLAGS register ................................................... xxiii
CLC ....................................................................... 86 eIP register ........................................................... xxiv
CLD ....................................................................... 87 element ................................................................ xviii
CLFLUSH .............................................................. 88 endian order...................................................... xxvi, 1

Index 439
AMD64 Technology 24594—Rev. 3.14—September 2007

ENTER ............................................................ 12, 111 INVD .................................................................... 262

exceptions ...................................................... xviii, 35 INVLPG ............................................................... 263
exponent ............................................................... xvii INVLPGA ............................................................. 264
IRET ..................................................................... 265
F
IRETD .................................................................. 265
FCMOVcc............................................................. 363 IRETQ .................................................................. 265
flush .................................................................... xviii
J
G
Jcc ........................................................... 12, 130, 348
general-purpose registers .......................................... 24 JCXZ .................................................................... 134
JECXZ .................................................................. 134
H
JMP ........................................................................ 12
HLT ...................................................................... 258 far jump ............................................................. 137
near jump ........................................................... 135
I
JRCXZ .................................................................. 134
IDIV ..................................................................... 113 JrCXZ ..................................................................... 12
IGN ....................................................................... xix L
immediate operands .......................................... 19, 373
IMUL ................................................................... 115 LAHF ................................................................... 142
IN ......................................................................... 117 LAR...................................................................... 271
INC ......................................................... 14, 118, 401 LDS ...................................................................... 143
index field ............................................................. 371 LEA ...................................................................... 145
indirect .................................................................. xix LEAVE ........................................................... 12, 147
INSB .................................................................... 120 legacy mode ........................................................... xix
INSD .................................................................... 120 legacy x86 .............................................................. xix
Instructions LES ...................................................................... 143
SSE3 ................................................................. 408 LFENCE ............................................................... 148
SSE4A............................................................... 408 LFS....................................................................... 143
instructions LGDT ............................................................. 12, 273
128-bit media ..................................................... 409 LGS ...................................................................... 143
3DNow!™ ......................................................... 407 LIDT........................................................ 12, 275, 277
64-bit media ....................................................... 409 LLDT.............................................................. 12, 277
byte order .............................................................. 1
LMSW .................................................................. 279
effects on rFLAGS .............................................. 435
LOCK prefix ............................................................. 8
formats .................................................................. 1
general-purpose ............................................. 51, 409 LODSB ................................................................. 149
invalid in 64-bit mode ......................................... 399 LODSD ................................................................. 149
invalid in long mode ........................................... 400 LODSQ ................................................................. 149
MMX™ ............................................................. 407 LODSW ................................................................ 149
opcodes ........................................................ 17, 339 LODSx ................................................................. 149
origins ............................................................... 405 long mode .............................................................. xix
reassigned in 64-bit mode.................................... 400 LOOP ..................................................................... 12
SSE ................................................................... 408 LOOPcc .................................................................. 12
SSE-2 ................................................................ 408 LOOPx ................................................................. 151
subsets .......................................................... 21, 405
LSB ....................................................................... xix
system ........................................................ 251, 409
lsb.......................................................................... xix
x87 ............................................................. 407, 409
INSW ................................................................... 120 LSL ...................................................................... 280
INSx ..................................................................... 120 LSS....................................................................... 143
INT....................................................................... 122 LTR ................................................................ 12, 282
INT 3 .................................................................... 259 LZCNT ................................................................. 153
interrupt vectors ....................................................... 35
INTO .................................................................... 129

440 Index
24594—Rev. 3.14—September 2007 AMD64 Technology

M group 10 ............................................................ 350

group 11 ............................................................ 350
mask ....................................................................... xx group 12 ............................................................ 350
MBZ ....................................................................... xx group 13 ............................................................ 350
MFENCE .............................................................. 155 group 14 ............................................................ 350
mod field ............................................................... 368 group 15 ............................................................ 350
mode-register-memory (ModRM) ........................... 363 group 16 ............................................................ 350
modes ................................................................... 403 group 17 ............................................................ 351
16-bit.................................................................. xvi group 1a ............................................................. 349
32-bit.................................................................. xvi group 2 .............................................................. 349
64-bit.......................................................... xvii, 403 group 3 .............................................................. 349
compatibility ............................................... xvii, 403 group 4 .............................................................. 349
legacy ................................................................. xix group 5 .............................................................. 349
long ............................................................. xix, 403 group 6 .............................................................. 350
protected ............................................................. xxi group 7 .............................................................. 350
real ..................................................................... xxi group 8 .............................................................. 350
virtual-8086 ...................................................... xxiii group 9 .............................................................. 350
ModRM ................................................................ 363 group P .............................................................. 351
ModRM byte ......................... 16, 17, 20, 348, 354, 363 groups ................................................................ 349
ModRM byte ...................................................... 348
moffset.................................................................... xx
one-byte opcode map .......................................... 340
MONITOR ............................................................ 284 two-byte opcode map .......................................... 343
MOV .................................................................... 156 x87 opcode map ................................................. 354
MOV (CRn) .......................................................... 286 operands
MOV CR(n) ............................................................ 12 encodings ........................................................... 363
MOV DR(n) ............................................................ 12 immediate .................................................... 19, 373
MOV(DRn) ........................................................... 288 size ................................................. 4, 373, 374, 400
MOVD .................................................................. 159 OR ........................................................................ 179
MOVMSKPD ........................................................ 162 OUT ..................................................................... 181
MOVMSKPS ........................................................ 164 OUTS ................................................................... 182
MOVNTI .............................................................. 166 OUTSB ................................................................. 182
MOVSX ................................................................ 170 OUTSD ................................................................. 182
MOVSx ................................................................ 168 OUTSW ................................................................ 182
MOVSXD ............................................................. 171 overflow .................................................................. xx
MOVZX ............................................................... 172
P
MSB ....................................................................... xx
msb ........................................................................ xx packed..................................................................... xx
MSR .................................................................... xxiv PAUSE .................................................................. 184
MUL .................................................................... 173 PC-relative addressing .............................................. 19
MWAIT ................................................................ 290 POP ...................................................................... 185
POP FS ................................................................... 12
N
POP GS................................................................... 12
NEG ..................................................................... 175 POP reg ................................................................... 12
NOP .............................................................. 177, 401 POP reg/mem .......................................................... 12
NOT ..................................................................... 178 POPAD ................................................................. 187
notation ............................................................ 37, 339 POPAx .................................................................. 187
POPCNT ............................................................... 188
O
POPF .................................................................... 190
octword ................................................................... xx POPFD ................................................................. 190
offset ................................................................ xx, 19 POPFQ ........................................................... 12, 190
opcodes ................................................................... 17 PREFETCH ........................................................... 193
3DNow!™ ......................................................... 351 PREFETCHlevel .................................................... 195
group 1 .............................................................. 349 PREFETCHW ....................................................... 193

Index 441
AMD64 Technology 24594—Rev. 3.14—September 2007

prefixes x87 ...................................................................... 34

address size ...................................................... 6, 20 XMM .................................................................. 29
LOCK ................................................................... 8 relative ................................................................... xxi
operand size ........................................................... 4 REPx prefixes ............................................................ 9
repeat .................................................................... 9 reserved.................................................................. xxi
REX .............................................................. 11, 20 RET
segment ................................................................. 8 far return ............................................................ 207
processor feature identification (rFLAGS.ID) ........... 103 near return .......................................................... 206
processor vendor .................................................... 104 RET (Near).............................................................. 12
protected mode ....................................................... xxi revision history ....................................................... xiii
PUSH ................................................................... 197 REX prefixes .............................................. 11, 20, 363
PUSH FS ................................................................ 12 REX.B bit .......................................... 13, 40, 368, 370
PUSH GS ................................................................ 12 REX.R bit ....................................................... 13, 367
PUSH imm32 .......................................................... 12 REX.W bit .............................................................. 13
PUSH imm8 ............................................................ 12 REX.X bit ............................................................... 13
PUSH reg ................................................................ 12 rFLAGS conditions codes ............................... 348, 363
PUSH reg/mem ....................................................... 12 rFLAGS register ............................................ xxv, 435
PUSHA ................................................................. 199 rIP register............................................................. xxv
PUSHAD .............................................................. 199 RIP-relative addressing ...................................... xxi, 19
PUSHF ................................................................. 200 ROL ...................................................................... 211
PUSHFD ............................................................... 200 ROR ..................................................................... 213
PUSHFQ .......................................................... 12, 200 rotate count............................................................ 373
Q RSM ..................................................................... 297
RSM instruction ..................................................... 297
quadword ............................................................... xxi
S
R
SAHF.................................................................... 215
r/m field ................................................................ 348 SAL ...................................................................... 216
r8–r15 .................................................................. xxiv SAR ...................................................................... 219
rAX–rSP .............................................................. xxiv SBB ...................................................................... 221
RAZ ...................................................................... xxi scale field .............................................................. 371
RCL ..................................................................... 202 scale-index-base (SIB) ............................................ 363
RCR ..................................................................... 204 SCAS .................................................................... 223
RDMSR ................................................................ 292 SCASB ................................................................. 223
RDPMC ................................................................ 293 SCASD ................................................................. 223
RDTSC ................................................................. 294 SCASQ ................................................................. 223
RDTSCP ............................................................... 295 SCASW ................................................................ 223
real address mode. See real mode segment prefixes ................................................ 8, 402
real mode ............................................................... xxi segment registers...................................................... 26
reg field .......................................... 349, 364, 367, 368 set ......................................................................... xxii
registers SETcc ........................................................... 225, 348
eAX–eSP .......................................................... xxiii SFENCE ............................................................... 227
eFLAGS ........................................................... xxiii
SGDT ................................................................... 299
eIP ................................................................... xxiv
encodings............................................................. 14 shift count ............................................................. 373
general-purpose .................................................... 24 SHL .............................................................. 216, 228
MMX .................................................................. 32 SHLD ................................................................... 229
r8–r15............................................................... xxiv SHR ...................................................................... 231
rAX–rSP ........................................................... xxiv SHRD ................................................................... 233
rFLAGS ....................................... xxv, 348, 363, 435 SIB ....................................................................... 363
rIP ..................................................................... xxv SIB byte ............................................... 16, 18, 20, 369
segment ............................................................... 26 SIDT ..................................................................... 300
system ................................................................. 27 SKINIT ................................................................. 301

442 Index
24594—Rev. 3.14—September 2007 AMD64 Technology

SLDT ................................................................... 303 XOR ..................................................................... 248

SMSW .................................................................. 304
Z
SSE ...................................................................... xxii
SSE2 .................................................................... xxii zero-extension ....................................................... 373
SSE3 .................................................................... xxii
STC ...................................................................... 235
STD ...................................................................... 236
STGI .................................................................... 307
STI ....................................................................... 305
sticky bits .............................................................. xxii
STOS .................................................................... 237
STOSB ................................................................. 237
STOSD ................................................................. 237
STOSQ ................................................................. 237
STOSW ................................................................ 237
STR ...................................................................... 308
SUB ..................................................................... 239
SWAPGS .............................................................. 309
syntax ..................................................................... 37
SYSCALL ............................................................ 311
SYSENTER .......................................................... 315
SYSEXIT.............................................................. 317
SYSRET ............................................................... 319
system data structures .............................................. 28
T
TEST .................................................................... 241
TSS ...................................................................... xxii
U
UD2 ..................................................................... 323
underflow .............................................................. xxii
V
vector.................................................................... xxii
VERR ................................................................... 324
VERW .................................................................. 326
virtual-8086 mode................................................. xxiii
VMLOAD ............................................................. 327
VMMCALL .......................................................... 329
VMRUN ............................................................... 330
VMSAVE .............................................................. 335
W
WBINVD .............................................................. 337
WRMSR ............................................................... 338
X
XADD .................................................................. 243
XCHG .................................................................. 245
XLATx ................................................................. 247

Index 443
AMD64 Technology 24594—Rev. 3.14—September 2007

444 Index