x86 opcode and instruction reference

7/29/2019 X86 Opcode and Instruction Reference

1/16

x86asm.net

Store

HTML Editions

Using HTML Editions

Columns Description

Instruction Operand Codes

Source XML Document

Current State

Why to Contribute - Benefits

How to Contribute

ImplementationsLicense

Resources

Credits

References

Download

Comments

X86 Opcode and Instruction Reference

MazeGen, 2009-01-20 Revision: 1.11

This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes.

Quick Navigation

coder32, coder32-abc, geek32, geek32-abc

coder64, coder64-abc, geek64, geek64-abc

coder, coder-abc, geek, geek-abc (these contain both x86-32 and x64 instructions).

In contrast to other references, primary source of this reference is an XML document, which guarantees clear and structured information base and therefore ability to extract

many various informations such as a list of instructions from requested groups, etc.

The reference is primarily based on Intel manuals as Intel is the originator of x86 architecture. Additionally, it describes undocumented instructions as well. On appropriate

places, it gives a notice if an opcode act differently on AMD architecture. Support for Cyrix, NexGen etc. specific instructions is not scheduled at all.

Store

Get one copy for$20, two copies for$32.

Immediately following the initial release of the reference, it emerged that a large number of users are interested in a printed version. You can order a copy in the on-line store.

HTML Editions

These editions are available at the moment: The codersuite is intended to more common use and contains the following editions: coder32, coder64, and coder(sorted by

opcode), and coder32-abc, coder64-abc, and coder-abc (sorted by mnemonic). Thegeeksuite is intended for deeper research of x86 architectures' instruction set. This

includes geek32, geek64, and geekeditions (by opcode) and geek32-abc, geek64-abc, and geek-abc editions (by mnemonic). More on the purpose and use of this suite see

close below.

Don't get confused by geek(-abc) and coder(-abc) editions. Both of them contains instruction set of both x86-32 and x86-64 architectures. If you don't have a particular reason

to use them (such as to view the differencies between the architectures), the other editions would probably suit you better.

Editions coder32 a geek32 relate exclusively to x86-32 architecture. Similarly, editions coder64 and geek64 relate exclusively to x86-64 architecture.

The following chart illustrates the differencies between editions for current release:

Edition coder coder32 coder64 geek geek32 geek64

Supported Architectures both pure x86-32 pure x86-64 both pure x86-32 pure x86-64

Operand Codes traditional traditional traditional special special special

Abandoned Instructions no no no yes yes yes

Opcode Bitfields Information no no no yes yes yes

Instruction Extension Indicated yes yes yes yes yes yes

Instruction Group Indicated no no no yes yes yes

general yes yes yes yes yes yes

system yes yes yes yes yes yes

x87 FPU yes yes yes yes yes yes
http://ref.x86asm.net/x86reference.xmlhttp://ref.x86asm.net/coder64.htmlhttp://ref.x86asm.net/coder64-abc.htmlhttp://ref.x86asm.net/geek64.htmlhttp://ref.x86asm.net/geek64-abc.htmlhttp://ref.x86asm.net/geek-abc.htmlhttp://ref.x86asm.net/geek64-abc.htmlhttp://ref.x86asm.net/geek32-abc.htmlhttp://ref.x86asm.net/geek.htmlhttp://ref.x86asm.net/geek64.htmlhttp://ref.x86asm.net/geek32.htmlhttp://ref.x86asm.net/coder-abc.htmlhttp://ref.x86asm.net/coder64-abc.htmlhttp://ref.x86asm.net/coder32-abc.htmlhttp://ref.x86asm.net/coder.htmlhttp://ref.x86asm.net/coder64.htmlhttp://ref.x86asm.net/coder32.htmlhttp://ref.x86asm.net/store/index.htmlhttp://ref.x86asm.net/store/index.htmlhttp://ref.x86asm.net/x86reference.xmlhttp://ref.x86asm.net/geek-abc.htmlhttp://ref.x86asm.net/geek.htmlhttp://ref.x86asm.net/coder-abc.htmlhttp://ref.x86asm.net/coder.htmlhttp://ref.x86asm.net/geek64-abc.htmlhttp://ref.x86asm.net/geek64.htmlhttp://ref.x86asm.net/coder64-abc.htmlhttp://ref.x86asm.net/coder64.htmlhttp://ref.x86asm.net/geek32-abc.htmlhttp://ref.x86asm.net/geek32.htmlhttp://ref.x86asm.net/coder32-abc.htmlhttp://ref.x86asm.net/coder32.htmlhttp://x86asm.net/index.html


2/16

Present InstructionsMMX yes yes yes yes yes yes

Intel SSE (all) yes yes yes yes yes yes

VMX yes yes yes yes yes yes

SMX yes yes yes yes yes yes

Itanium no no no yes yes yes

The Purpose of Geek Editions in Short

The geek editions contains as much complete information from the source XML document as possible. That's why they may seem quite unclear. You appreciate them only if youneed to get to know the instruction set deeply or if you investigate the source XML and you need to visualize it better.

These editions use specific operand codes (which are described in Instruction Operand Codes chapter below). These codes may look strange and obscure at the first sight. The

reason to use them is that they hold more information than the more common ones. One example can be operand combination rAX, imm16/32, such as in instruction

ADD rAX, imm16/32 in coder64 edition. One can determine that the destination operand is eitherax, eax, orrax, and the source one is eitherimm16 orimm32. A problem

arises when one needs to determine what magic is behind rax, imm32 combination. If one is just getting started with x64 architecture, it is not clear how exactly is 32-bit

immediate added to 64-bit rax. This question is answered by corresponding geek edition, ADD rAX, Ivds in geek64 edition. The immediate value is encoded there using Ivds

code. I code meansImmediate, v means wordordoubleword(imm16 orimm32). The most important part is ds code, which means doubleword, sign-extended to 64 bits

for 64-bit operand size. Now is it clear.

As for Itanium-specific instructions, they are added just for the sake of interest - they give a notice that the appropriate opcodes are already used.

Hypertext Reference to Particular Opcode

If you want to refer to particular opcode (in any edition), e. g., 0FA0 PUSH FS, it can be easily achieved this way:

ref.x86asm.net/geek.html#x0FA0 (try it)

It works for opcode extension similarly, e. g., 83 /7 CMP:

ref.x86asm.net/coder32.html#x83_7 (try it)

Browsers, Printing

For browsing, the best seem to me Firefox. Opera 9 seems to be a bit slower. Internet Explorer 6 and 7 doesn't support some CSS features so the reference looks slightly

different.

Full support for printing is available only as a part of the benefits.

You can also order a printed copy in the on-line store. This is how a copy looks like:

Using HTML Editions

Since HTML editions can look complicated at first sight, here goes an outline how to work with them. Following examples come from coder32's edition because it is easier to

use than geek's editions.

Example: ADC Instruction

Let's start with more known instruction, such as ADC. We find something similar to the following:

|pf|0F|po|so|flds|o|proc|st|m|rl|l|mnemonic|op1 |op2 |op3|op4|iext|grp1|grp2 |tested f|modif f |def f |undef f|f values|descr

| | |11| | |r| | | | |L|ADC |r/m16/32|r16/32| | | |gen |arith|.......c|o..szapc|o..szapc| | |Add w

First columnpf(Prefix) is empty. That means the instruction's opcode doesn't contain any fixed prefix.

Next column 0F is just allocated for0F prefix for multiple-byte opcodes so it is empty.

Next columnpo (Primary Opcode) holds primary opcode value itself.

Because the instruction's opcode doesn't contain any added byte, the column so (Secondary Opcode) is empty too.

The opcode doesn't contain any specific bits so the column flds (Opcode Fields) is empty.
http://ref.x86asm.net/coder32.html#x11http://ref.x86asm.net/coder32.htmlhttp://ref.x86asm.net/store/index.htmlhttp://ref.x86asm.net/coder32.html#x83_7http://ref.x86asm.net/geek.html#x0FA0http://ref.x86asm.net/geek64.htmlhttp://ref.x86asm.net/geek64.html#x05http://ref.x86asm.net/coder64.htmlhttp://ref.x86asm.net/coder64.html#x05


3/16

The column o (Register/Opcode Field) here holds "r", which indicates that the instruction uses "full" ModR/M byte (no opcode extension).

Because this instruction is supported since 8086 processor, proc column (Introduced with Processor) is empty.

This instruction is officially documented so st column is empty too.

InstructionADC can work on any ring level so the column rl, Ring Level, is empty.

The column x holds "L", which means that LOCK prefix is allowed with this instruction.

Next three columns, mnemonic, op1 and op2 show instruction's syntax. The destination operand of this instruction is set up using bold, what always means the operand is

modified by the instruction.

The column iext (Instruction Extension Group) is empty because the instruction doesn't belong to any instruction set extension.

Columns grp1 and grp2 classify the instruction among general arithmetic instructions.

ADC instruction is influenced by CF flag, what represents tested fcolumn.

This instruction influences (overwrites) all status flags. These can be found in next column modif fcolumn.

All of these flags are defined (don't contain random values) so the same flags are in next def fcolumn, and undef fcolumn must be empty.

No flag is set to a fixed value (all modified flags depend on input operands) so f values column is empty.

Last column description, notes contains only a general description of the instruction.

Example: Opcode Extensions

Some opcodes (only a few) depend on Opcode Extension Field in ModR/M byte. Using this field, the opcode is actually extended by three bits. In most cases, different

extension of the same opcode means more or less different instruction. An example can be opcode F6. We choose last three extensions of the opcode:

|pf|0F|po|so|flds|o|proc|st|m|rl|l|mnemonic|op1|op2|op3 |op4 |iext|grp1|grp2 |tested f|modif f |def f |undef f |f values|descriptio

-------------------------------------------------------------------------------------------------------------------------------------

| | |F6| | |5| | | | | |IMUL |AX |AL |r/m8| | |gen |arith| |o..szapc|o......c|...szap.| |Signed Mul

-------------------------------------------------------------------------------------------------------------------------------------

| | |F6| | |6| | | | | |DIV |AL |AH |AX |r/m8| |gen |arith| |o..szapc| |o..szapc| |Unsigned D

-------------------------------------------------------------------------------------------------------------------------------------

| | |F6| | |7| | | | | |IDIV |AL |AH |AX |r/m8| |gen |arith| |o..szapc| |o..szapc| |Signed Div

The opcode extension can be a value from 0 through 7. These values are indicated in o (Register/Opcode Field) column. In this example, values 5, 6, and 7 are chosen.

Additionally, this example shows that operands, which are not explicitly used (AL, AH, and AX operands), are set up using italic. It also shows that DIV and IDIV instructions

always destroy all status flags: both modif fand undef fcolumn contain these flags.

Example: One Opcode, More Syntaxes

Some opcodes are represented by more instructions with the same meaning, using different syntaxes. (This doesn't apply to the case when an opcode depends on Opcode

Extension field in ModR/M byte. In this case, these instructions act more or less differently). Best known example are conditional jumps, for example JZ/JE, where we find

something similar:

|pf|0F|po|so|flds|o|proc|st|m|rl|l|mnemonic|op1 |op2|op3|op4|iext|grp1|grp2 |tested f|modif f|def f|undef f|f values|description,

| | |74| | | | | | | | |JZ |rel8 | | | | |gen |branch|....z...| | | | |Jump short

| | | | | | | | | | | |JE |rel8 | | | | | | | | | | | |

Each syntax has dedicated row in mnemonic column and in columns with instruction operands.

More complex case is, for example, MOVS/MOVSW/MOVSD instruction:

|pf|0F|po|so|flds|o|proc|st|m|rl|l|mnemonic|op1 |op2 |op3|op4|iext|grp1|grp2 |tested f|modif f|def f|undef f|f values|descripti

-------------------------------------------------------------------------------------------------------------------------------------

| | |A5| | | | | | | | |MOVS |m16 |m16 | | | |gen |datamov|.d......| | | | |Move Data

| | | | | | | | | | | |MOVSW |m16

|m16

| | | | |string | | | | | |-------------------------------------------------------------------------------------------------------------------------------------

| | |A5| | | |03+ | | | | |MOVS |m16/32|m16/32| | | |gen |datamov|.d......| | | | |Move Data

| | | | | | | | | | | |MOVSD |m32 |m32 | | | | |string | | | | | |

Here, the opcode's record is complicated by the fact that since 80386 processor, the syntax is extended (thanks to 32-bit operands) with MOVSD mnemonic and MOVS syntax is

changed. That's why all four syntaxes have to be split by twos.

More examples with multiple syntaxes: PUSHA/PUSHAD, SHL/SAL, orSLDT.

Example: Undocumented Instruction SETALC

All main editions contain a few undocumented instructions (from the Intel manual point of view). No that in this reference, undocumented doesn't equal invalid. All undocumented

instructions mentioned by this reference work well in their shape. It is, for example, SETALC instruction:

|pf|0F|po|so|flds|o|proc|st|m|rl|l|mnemonic|op1|op2|op3|op4|iext|grp1|grp2 |tested f|modif f |def f|undef f|f values|description, n

-------------------------------------------------------------------------------------------------------------------------------------

| | |D6| | | |02+ |D5| | | |undefined | | | | | | | | |Undefined and

-------------------------------------------------------------------------------------------------------------------------------------

| | |D6| | | |02+ |U6| | | |SALC |AL | | | | |gen |datamov|.......c| | | | |Set AL If Carr

| | | | | | | | | | | |SETALC |AL | | | | | | | | | | | |

In this case, the documented meaning goes first, as indicated in st column by "D" value. Since this opcode's documented meaning is not a common one, there is additional

reference to the description where the opcode is documented. The column mnemonic implies by the value "undefined" (which is set up using italic, which always means here that
http://ref.x86asm.net/geek32.html#gen_note_u_D6_F1http://ref.x86asm.net/geek32.html#gen_note_D6_F1http://ref.x86asm.net/coder32.html#xD6http://ref.x86asm.net/coder32.html#x0F00_0http://ref.x86asm.net/coder32.html#xD0_4http://ref.x86asm.net/coder32.html#x60http://ref.x86asm.net/coder32.html#xA5http://ref.x86asm.net/coder32.html#x74http://ref.x86asm.net/coder32.html#xF6


4/16

it is not an original mnemonic) that the documented meaning of this opcode is "undefined and reserved". This is also stated in the last column.

Below goes the undocumented meaning of the opcode - st column holds "U" value. Each undocumented meaning should contain a reference to the description where is the

opcode unofficially documented, like in this case.

More examples of undocumented instructions:INT1/ICEBP orTEST.

Columns Description

Quick navigation:

pfPrefix

0F0F Prefix

po Primary Opcode

so Secondary Opcode

flds Opcode Fields

o Register/Opcode Field

proc Introduced with Processor

st Documentation Status

m Mode of Operation

rl Ring Level

x Lock Prefix/FPU Push/FPU Pop

mnemonic Instruction Mnemonic

op1, op2, Instruction Operands

iext Instruction Extension Group

grp1, grp2, grp3 Main Group, Sub-group, Sub-sub-group

tested f, modif f, def f, undef fTested, Modified, Defined, and Undefined Flags

f values Flags Values

description, notes

Name Meaning Description, Examples

pf PrefixFixed extraordinary prefix, which may change the semantic of the Primary Opcode. Usually used in case of waiting x87 FPU

instructions, and many SSE instructions. F390 PAUSE, 9BD9/7 FSTCW, F30F10 MOVSS

0F 0F Prefix Dedicated for 0F Prefix. two-byte opcodes

po Primary OpcodeBasic opcode. Second opcode byte in case of two- and three-byte opcodes. For coder's editions: +r means a register code, from

0 through 7, added to the value. 50 PUSH

so Secondary OpcodeFixed appended value to the primary opcode. It is used in some special cases, x87 FPU instructions and for new three-byte

instructions. D40A AAM, D50A AAD, D5F8 FLD1, three-byte escape 0F38

flds Opcode Fields

This column is present only in geek's editions. It contain present Primary Opcode binary fields. These are:

+r means a register code, from 0 through 7, added to the basic value of the Primary Opcode. 40 INC

The following fields are case-sensitive: if a letter of the code is set up in lower case, it means the appropriate bit is cleared, otherwise

is set.

w means bit w (bit index 0, operand size) is present; may be combined with bits d ors. 04 ADD

s means bit s (bit index 1, Sign-extend) is present; may be combined with bit w. 6B IMUL

d means bit d (bit index 1,Direction) is present; may be combined with bit w. 00 ADD

tttn means bit field tttn (4 bits, bit index 0, condition). Used only with conditional instructions. 70 JO

sr means segment register specifier - a code of one of original four segment registers (2 bits, bit index 3). See also S2

addressing method. 06 PUSH

sre means segment register specifier - a code of any segment registers (3 bits, bit index 0 or 3). See also S30 and S33

addressing methods. 0FA0 PUSH

mf means bit field MF (2 bits, bit index 1, memory format); used only with x87 FPU instructions coded with second floating-

point instruction format. DA/0 FIADD

oRegister/ Opcode

Field

1. The value of the opcode extension (values from 0 through 7). group 80

2. r indicates that the ModR/M byte contains a register operand and an r/m operand. 00 ADD

Introduced with

Indicates the instruction's introductory processor (code in curves apply to XML reference):

00: 8086

01: 80186

02: 80286

03: 80386

04: 80486

P1 (05): Pentium (1)

PX (06): Pentium with MMX

PP (07): Pentium Pro

P2 (08): Pentium II

P3 (09): Pentium III

P4 (10): Pentium 4

C1 (11): Core (1)
http://ref.x86asm.net/geek.html#x00http://ref.x86asm.net/geek.html#x80http://ref.x86asm.net/geek.html#xDA_0http://ref.x86asm.net/geek.html#x0FA0http://ref.x86asm.net/geek.html#x06http://ref.x86asm.net/geek.html#x70http://ref.x86asm.net/geek.html#x00http://ref.x86asm.net/geek.html#x6Bhttp://ref.x86asm.net/geek.html#x04http://ref.x86asm.net/geek.html#x40http://ref.x86asm.net/geek.html#x0F38http://ref.x86asm.net/geek.html#xD9_5http://ref.x86asm.net/geek.html#xD5http://ref.x86asm.net/geek.html#xD4http://ref.x86asm.net/coder.html#x50http://ref.x86asm.net/geek.html#x0F00http://ref.x86asm.net/geek.html#x0F10http://ref.x86asm.net/geek.html#xD9_7http://ref.x86asm.net/geek.html#x90http://ref.x86asm.net/coder32.html#xF6_1http://ref.x86asm.net/coder32.html#xF1


5/16

proc

Processor C2 (12): Core 2

C7 (13): Core i7

IT (99): Itanium (only geek editions)

The opcodes that are not forward-compatible (the ones which have been abandoned) are present only in geek's editions.

1. If the processor marking is a range (e.g., 03-04), it means that the instruction is unsupported in latter processors. 0F24 MOV

2. + (e. g., 00+) means the instruction is supported in any of latter processors and also in 64-bit mode, if the next row doesn't

explicitly say otherwise. 06 PUSH ES

3. ++ (e. g., P4++) the same meaning, but only in the latter steppings of the processor (e. g., SSE3 instruction extensions).

0FA2 CPUID

If this column is empty: In case of 32-bit editions, it means 00+ (8086 and all latter processors). In case of 64-bit editions, it meansP4++ (P4, latter stepping, and all latter processors), because Intel 64 Architecture is available since latter stepping of the Pentium 4

processor.

st Document. Status

Indicates how is the instruction documented in the Intel manuals:

1. D means fully documented. It can contain a reference to description which chapter in Intel manual it is documented in, if it may

be unclear. D6

2. M means documented only marginally. 66 (SSE2)

3. U undocumented at all. It should contain a reference to description of the source. Note that in this reference, undocumented

doesn't equal invalid. All mentioned undocumented instructions should work well in their scope. D6 SALC

If this column is empty, it means D (documented with no further notes).

m Mode of Operation

Indicates the mode, which is the instruction valid on. Virtual-8086 Mode is not taken into account.

1. R applies for real, protected and 64-bit mode. SMM is not taken into account.2. P applies for protected and 64-bit mode. SMM is not taken into account. group 0F00

3. E applies for 64-bit mode. SMM is not taken into account. 63 MOVSXD

4. S applies for SMM. 0FAA RSM

If this column is empty, it means R. For 64-bit editions, E code indicates in most cases that the semantics of the opcode is specific to

64-bit mode.

rl Ring LevelThe ring level, which is the instruction valid (3 or 0) from; f indicates that the level depends on a flag(s) and it should contain a

reference to the description of that flag, if the flag is not too complex. If this column is empty, it means ring 3. INT, INS, RDTSC

x

Lock Prefix L indicates that the instruction is basically valid with F0 LOCK prefix. 00 ADD

FPU Push/ FPU Pop

The following codes apply only to x87 FPU instructions (none of them can use LOCK prefix).

s incidates that the opcode performs additional push of a value to the register stack. D9 /0 FLD

p incidates that the opcode performs additional pop of the register stack. D9 /3 FSTPP incidates the same like p, but pops twice. DA /5 FUCOMPP

mnemonic Instr. Mnemonic

The instruction mnemonic itself. If there is no mnemonic, it holds additional information about the mnemonic or instruction:

If the mnemonic is set up using italic, there is no oficial mnemonic and the present one is just suggested one. D4 AMX, D5 ADX,

0FB9 UD

no mnemonic means that there is no mnemonic for the opcode. 66

invalidmeans that the opcode is invalid. This option is not used everywhere the opcode is invalid, but only in some cases.

06 (64-bit mode)

undefinedmeans that the behaviour of the instruction is according to official documentation undefined. D6

nop means that the opcode is treated as integerNOP instruction. It should contain a reference to description of the source.

no mnenonic nop

nullmeans that the prefix has no meaning (no operation). 26 (64-bit mode)

If there is a mnemonic, it can hold additional attributes of the instruction:

nop means that the instruction is treated as integerNOP instruction (except NOP instructions themselves). It should contain a

reference to description of the source. DBE0 FNENI

Only geek's editions:

alias means that the opcode is an alias to another opcode. The attribute should be a reference to that instruction. group 82,

C0 /6 SAL

part alias means not true alias. It should contain a reference to the description of the differences between referenced

instructions. F1 INT1

op1, op2, ... Instr. Operands

Instruction operands. Geek's editions use special operand codes, explained in Instruction Operand Codes chapter below. If an

operand is set up using italic, it is an implicit operand, which is not explicitly used. If an operand is set up using boldface, it is modifiedby the instruction.

The instruction extension group, which was the opcode released on:

1. MMX MMX Technology

2. SSE1 Streaming SIMD Extensions (1)

3. SSE2 Streaming SIMD Extensions 2
http://ref.x86asm.net/geek.html#xF1http://ref.x86asm.net/geek.html#xC0_6http://ref.x86asm.net/geek.html#x82http://ref.x86asm.net/geek.html#DB_4http://ref.x86asm.net/geek.html#x26http://ref.x86asm.net/geek.html#x90http://ref.x86asm.net/geek.html#xD6http://ref.x86asm.net/geek.html#x06http://ref.x86asm.net/geek.html#x66http://ref.x86asm.net/geek.html#x0FB9http://ref.x86asm.net/geek.html#xD5http://ref.x86asm.net/geek.html#xD4http://ref.x86asm.net/geek.html#xD9_3http://ref.x86asm.net/geek.html#xD9_3http://ref.x86asm.net/geek.html#xD9_0http://ref.x86asm.net/geek.html#x00http://ref.x86asm.net/geek.html#xF0http://ref.x86asm.net/geek.html#x0F31http://ref.x86asm.net/geek.html#x6Chttp://ref.x86asm.net/geek.html#xCDhttp://ref.x86asm.net/geek.html#x0FAAhttp://ref.x86asm.net/geek.html#x63http://ref.x86asm.net/geek.html#x0F00http://ref.x86asm.net/geek.html#xD6http://ref.x86asm.net/geek.html#x66http://ref.x86asm.net/geek.html#xD6http://ref.x86asm.net/geek.html#x0FA2http://ref.x86asm.net/geek.html#x06http://ref.x86asm.net/geek.html#x0F24


6/16

iextInstr. Extension

Group

4. SSE3 Streaming SIMD Extensions 3

5. SSSE3 Supplemental Streaming SIMD Extensions 3

6. SSE41 Streaming SIMD Extensions 4.1

7. SSE42 Streaming SIMD Extensions 4.2

8. VMX Virtualization Technology Extensions

9. SMX Safer Mode Extensions

grp1, grp2,

grp3

Main Group, Sub-

group, Sub -sub-

group

These columns are present only in geek's editions. They classifies the instruction among groups. These groups don't match the

instruction groups given by the Intel manual (I found them too loose). One instruction may fit into more groups.

1. prefix

1. segregsegment register2. branch

1. condconditional

3. x87fpu

1. control(only WAIT)

2. obsolobsolete

1. control

3. gen general

1. datamov data movement

2. stack

3. convertype conversion

4. arith arithmetic

1. binary

2. decimal

5. logical

6. shftrotshift&rotate7. bitbit manipulation

8. branch

1. condconditional

9. break interrupt

10. string(means that the instruction can make use of the REP family prefixes)

11. inoutI/O

12. flgctrlflag control

13. segregsegment register manipulation

14. control

4. system

1. branch

1. trans transitional (implies sensitivity to operand-size attribute)

5. x87fpu x87 FPU

1. datamov data movement2. arith basic arithmetic

3. comparcomparison

4. trans transcendental

5. ldconstload constant

6. control

7. conv conversion

6. sm x87 FPU and SIMD state management

MMX instruction extensions technology groups. Note that these groups are just experimental and may change in future.


2. arith packed arithmetic

3. comparcomparison

4. converconversion

5. logical6. shift

7. unpackunpacking

SSE1 instruction extensions groups. Note that these groups are just experimental and may change in future.

1. simdfp SIMD single-precision floating-point



3. comparcomparison

4. logical

5. shunpckshuffle&unpacking

2. converconversion instructions

3. simdint64-bit SIMD integer

4. mxcsrsmMXCSR state management

5. cachectcacheability control

6. fetch prefetch

7. orderinstruction ordering


1. pcksclrpacked and scalar double-precision floating-point

http://ref.x86asm.net/geek.html#xF2http://ref.x86asm.net/geek.html#x9B


7/16

.


4. comparcomparison

5. logical


2. pcksp packed single-precision floating-point

3. simdint128-bit SIMD integer




4. shift

5. comparcomparison

6. converconversion7. logical


5. orderinstruction ordering


1. simdfp SIMD single-precision floating-point (SIMD packed)




3. sync agent synchronization

SSSE3 instruction extensions group. Note that these groups are just experimental and may change in future.

1. simdintSIMD integer

SSE4.1 instruction extensions group. Note that these groups are just experimental and may change in future.




3. comparcomparison

4. converconversion

2. simdfp SIMD SIMD floating-point



3. converconversion


SSE4.2 instruction extensions group. Note that these groups are just experimental and may change in future.


1. comparcomparison

2. strtxtstring and text processing

VMX and SMX instruction extensions has no groups at the moment. The grouping may be added in future.

tested f,

modif f,

def f, undef f

Tested, Modified,

Defined, and

Undefined Flags

ForrFlags register, indicates these flags usingodiszapc pattern. Present flag fits in with the appropriate group. group C0

For x87 FPU flags, indicates these flags using 1234 x87 FPU flag pattern. Present flag fits in with the appropriate group.

DB/7 FSTP

Note that if a flag is present in both Defined and Undefined column, the flag fits in under further conditions, which are not described by

this reference.

f values Flags Values

ForrFlags register, indicates the values of flags, which are always set or cleared, using case-sensitive odiszapc flag pattern.

Lower-case flag means cleared flag, upper-case means set flag. STC

For x87 FPU flags, indicates these flags using 1234 x87 FPU flag pattern. Present flag holds its value. DBE3 FNINIT

description,

notesShort desciption of the opcode. For now, the descriptions are very general. They will be improved in future perhaps.

Instruction Operand Codes

These codes come from official codes used in Intel manual Instruction Set Reference, N-Z for Pentium 4 processor, revision 17. The reason of using this particular, out-of-date

revision is that the codes from this revision are most apposite ones. In next revisions the codes changed unfortunately. These codes were modified and completed mainly because

of the possibility to code operands simultaneously for 64-bit mode. Ideally, it would be the best to make brand new codes, but I'm afraid those wouldn't be widely acceptable.

The State column says if the code is original, added or changed.

The "Geek" part in these tables in the first column indicates codes used in HTML geek's editions and in the source XML document as well. The "Coder" part indicates

alternative codes used in HTML coder's editions. These are used also within instruction reference in Intel manual.

Codes for Addressing Method
http://ref.x86asm.net/geek.html#DB_4http://ref.x86asm.net/geek.html#xF9http://ref.x86asm.net/geek.html#DB_7http://ref.x86asm.net/geek.html#xC0


8/16

The following abbreviations are used for addressing methods:

GeekState Description

Coder

A

OriginalDirect address. The instruction has no ModR/M byte; the address of the operand is encoded in the instruction; no base register, index register, or scaling

factor can be applied (for example, farJMP (EA)).ptr

BA

Added Memory addressed byDS:EAX, or by rAX in 64-bit mode (only 0F01C8 MONITOR).m

BB

Added Memory addressed byDS:eBX+AL, or by rBX+AL in 64-bit mode (only XLAT). (This code changed from single B in revision 1.00)m

BD

AddedMemory addressed by DS:eDI or by RDI (only 0FF7 MASKMOVQ and 660FF7 MASKMOVDQU) (This code changed from YD (introduced in 1.00) in

revision 1.02)m

C

Original The reg field of the ModR/M byte selects a control register (onlyMOV (0F20, 0F22)).CRn

D

Original The reg field of the ModR/M byte selects a debug register (onlyMOV (0F21, 0F23)).DRn

E

Original

A ModR/M byte follows the opcode and specifies the operand. The operand is either a general-purpose register or a memory address. If it is a memory

address, the address is computed from a segment register and any of the following values: a base register, an index register, a scaling factor, or a

displacement.r/m

ES

Added

(Implies original E). A ModR/M byte follows the opcode and specifies the operand. The operand is either a x87 FPU stack register or a memory

address. If it is a memory address, the address is computed from a segment register and any of the following values: a base register, an index register, a

scaling factor, or a displacement.STi/m

EST

Added (Implies original E). A ModR/M byte follows the opcode and specifies the x87 FPU stack register.STi

F

Original rFLAGS register.-

G

Original The reg field of the ModR/M byte selects a general register (for example, AX (000)).r

H

Added The r/m field of the ModR/M byte always selects a general register, regardless of the mod field (for example, MOV (0F20)).r

I

Original Immediate data. The operand value is encoded in subsequent bytes of the instruction.imm

J

Original The instruction contains a relative offset to be added to the instruction pointer register (for example, JMP (E9), LOOP)).rel

M

Original The ModR/M byte may refer only to memory: mod != 11bin (BOUND, LEA, CALLF, JMPF, LES, LDS, LSS, LFS, LGS, CMPXCHG8B, CMPXCHG16B,F20FF0 LDDQU).m

N

Original The R/M field of the ModR/M byte selects a packed quadword MMX technology register.mm

O

OriginalThe instruction has no ModR/M byte; the offset of the operand is coded as a word, double word or quad word (depending on address size attribute) in

the instruction. No base register, index register, or scaling factor can be applied (only MOV (A0, A1, A2, A3)).moffs

P

Original The reg field of the ModR/M byte selects a packed quadword MMX technology register.mm

Q

Original

A ModR/M byte follows the opcode and specifies the operand. The operand is either an MMX technology register or a memory address. If it is a

memory address, the address is computed from a segment register and any of the following values: a base register, an index register, a scaling factor, and

a displacement.mm/m64

R

Original The mod field of the ModR/M byte may refer only to a general register (only MOV (0F20-0F24, 0F26)).r

S

Original The reg field of the ModR/M byte selects a segment register (onlyMOV (8C, 8E)).
http://ref.x86asm.net/geek.html#x8Ehttp://ref.x86asm.net/geek.html#x8Chttp://ref.x86asm.net/geek.html#x0F26http://ref.x86asm.net/geek.html#x0F24http://ref.x86asm.net/geek.html#x0F20http://ref.x86asm.net/geek.html#xA3http://ref.x86asm.net/geek.html#xA2http://ref.x86asm.net/geek.html#xA1http://ref.x86asm.net/geek.html#xA0http://ref.x86asm.net/geek.html#x0FF0http://ref.x86asm.net/geek.html#x0FC7_1http://ref.x86asm.net/geek.html#x0FC7_1http://ref.x86asm.net/geek.html#x0FB5http://ref.x86asm.net/geek.html#x0FB4http://ref.x86asm.net/geek.html#x0FB2http://ref.x86asm.net/geek.html#xC5http://ref.x86asm.net/geek.html#xC4http://ref.x86asm.net/geek.html#xFF_5http://ref.x86asm.net/geek.html#xFF_3http://ref.x86asm.net/geek.html#x8Dhttp://ref.x86asm.net/geek.html#x62http://ref.x86asm.net/geek.html#xE2http://ref.x86asm.net/geek.html#xE9http://ref.x86asm.net/geek.html#x0F20http://ref.x86asm.net/geek.html#x0F23http://ref.x86asm.net/geek.html#x0F21http://ref.x86asm.net/geek.html#x0F22http://ref.x86asm.net/geek.html#x0F20http://ref.x86asm.net/geek.html#x0FF7http://ref.x86asm.net/geek.html#x0FF7http://ref.x86asm.net/geek.html#xD7http://ref.x86asm.net/geek.html#x0F01_1http://ref.x86asm.net/geek.html#xEA


9/16

Sreg

SC

Added

Stack operand, used by instructions which either push an operand to the stack or pop an operand from the stack. Pop-like instructions are, for example,

POP, RET, IRET, LEAVE. Push-like are, for example, PUSH, CALL, INT. No Operand type is provided along with this method because it depends on

source/destination operand(s).-

T

Original The reg field of the ModR/M byte selects a test register (only MOV (0F24, 0F26)).TRn

U

Original The R/M field of the ModR/M byte selects a 128-bit XMM register.xmm

V

Original The reg field of the ModR/M byte selects a 128-bit XMM register.xmm

W

Original

A ModR/M byte follows the opcode and specifies the operand. The operand is either a 128-bit XMM register or a memory address. If it is a memory

address, the address is computed from a segment register and any of the following values: a base register, an index register, a scaling factor, and a

displacementxmm/m

X

OriginalMemory addressed by the DS:eSI or by RSI (only MOVS, CMPS, OUTS, and LODS). In 64-bit mode, only 64-bit (RSI) and 32-bit (ESI) address sizes are

supported. In non-64-bit modes, only 32-bit (ESI) and 16-bit (SI) address sizes are supported.m

Y

Original

Memory addressed by the ES:eDI or by RDI (only MOVS, CMPS, INS, STOS, and SCAS). In 64-bit mode, only 64-bit (RDI) and 32-bit (EDI) address

sizes are supported. In non-64-bit modes, only 32-bit (EDI) and 16-bit (DI) address sizes are supported. The implicit ES segment register cannot be

overriden by a segment prefix.m

Z

Added The instruction has no ModR/M byte; the three least-significant bits of the opcode byte selects a general-purpose registerr

The following abbreviations are used for addressing methods only in case of direct segment registers and are accessible only in HTML geek's editions as segment register's title.

As forsource XML document, they are used within address atribute ofsyntax/dstorsyntax/src elements. All of them are added:

S2 The two bits at bit index three of the opcode byte selects one of original four segment registers (for example, PUSH ES).

S30 The three least-significant bits of the opcode byte selects segment register SS, FS, orGS (for example, LSS).

S33 The three bits at bit index three of the opcode byte selects segment register FS orGS (for example, PUSH FS).

Codes for Operand Type

The following abbreviations are used for operand types:

Geek

State DescriptionCoder

a

Original Two one-word operands in memory or two double-word operands in memory, depending on operand-size attribute (only BOUND).16/32&16/32

b

Original Byte, regardless of operand-size attribute.8

bcd

Added Packed-BCD. Only x87 FPU instructions (for example, FBLD).80dec

bs

Added; simplified bsq Byte, sign-extended to the size of the destination operand.8

bsq Original; replaced by

bs(Byte, sign-extended to 64 bits.)

-

bss

Original Byte, sign-extended to the size of the stack pointer (for example, PUSH (6A)).8

c

Original Byte or word, depending on operand-size attribute. (unused even by Intel?)

?

d

Original Doubleword, regardless of operand-size attribute.32

diAdded Doubleword-integer. Only x87 FPU instructions (for example, FIADD).
http://ref.x86asm.net/geek.html#xDA_0http://ref.x86asm.net/geek.html#x6Ahttp://ref.x86asm.net/geek.html#xDF_4http://ref.x86asm.net/geek.html#x62http://ref.x86asm.net/geek.html#x0FA0http://ref.x86asm.net/geek.html#x0FB2http://ref.x86asm.net/geek.html#x06http://ref.x86asm.net/geek.html#xAEhttp://ref.x86asm.net/geek.html#xAAhttp://ref.x86asm.net/geek.html#x6Chttp://ref.x86asm.net/geek.html#xA6http://ref.x86asm.net/geek.html#xA4http://ref.x86asm.net/geek.html#xAChttp://ref.x86asm.net/geek.html#x6Ehttp://ref.x86asm.net/geek.html#xA6http://ref.x86asm.net/geek.html#xA4http://ref.x86asm.net/geek.html#x0F26http://ref.x86asm.net/geek.html#x0F24http://ref.x86asm.net/geek.html#x8Ehttp://ref.x86asm.net/geek.html#x8C


10/16

nt

dq

Original Double-quadword, regardless of operand-size attribute (for example, CMPXCHG16B).128

dqpAdded; combines d

and qpDoubleword, or quadword, promoted by REX.W in 64-bit mode (for example, MOVSXD).

32/64

dr

Added Double- real. Only x87 FPU instructions (for example, FADD).64real

ds

Original Doubleword, sign-extended to 64 bits (for example, CALL (E8).32

e

Added x87 FPU environment (for example, FSTENV).14/28

er

Added Extended-real. Only x87 FPU instructions (for example, FLD).80real

p

Original 32-bit or 48-bit pointer, depending on operand-size attribute (for example, CALLF (9A).16:16/32

pi

Original Quadword MMX technology data.(64)

pd

Original 128-bit packed double-precision floating-point data.

ps

Original 128-bit packed single-precision floating-point data.(128)

psq

Added 64-bit packed single-precision floating-point data.64

ptOriginal; replaced by

ptp(80-bit far pointer.)

-

ptp

Added32-bit or 48-bit pointer, depending on operand-size attribute, or 80-bit far pointer, promoted by REX.W in 64-bit mode (for

example, CALLF (FF /3)).16:16/32/64

q

Original Quadword, regardless of operand-size attribute (for example, CALL (FF /2)).64

qi

Added Qword-integer. Only x87 FPU instructions (for example, FILD).64int

qp

Original Quadword, promoted by REX.W (for example, IRETQ).64

s Changed to 6-byte pseudo-descriptor, or 10-byte pseudo-descriptor in 64-bit mode (for example, SGDT).

- Changed from 6-byte pseudo-descriptor.

sd

Original Scalar element of a 128-bit packed double-precision floating data.-

si

Original Doubleword integer register (e. g., eax). (unused even by Intel?)?

sr

Added Single-real. Only x87 FPU instructions (for example, FADD).32real

ss

Original Scalar element of a 128-bit packed single-precision floating data.

-

st

Added x87 FPU state (for example, FSAVE).94/108
http://ref.x86asm.net/geek.html#xDD_6http://ref.x86asm.net/geek.html#xD8_0http://ref.x86asm.net/geek.html#x0F01_0http://ref.x86asm.net/geek.html#xCFhttp://ref.x86asm.net/geek.html#x48http://ref.x86asm.net/geek.html#xDF_5http://ref.x86asm.net/geek.html#xFF_2http://ref.x86asm.net/geek.html#xFF_3http://ref.x86asm.net/geek.html#x48http://ref.x86asm.net/geek.html#x9Ahttp://ref.x86asm.net/geek.html#xDB_5http://ref.x86asm.net/geek.html#xD9_6http://ref.x86asm.net/geek.html#xE8http://ref.x86asm.net/geek.html#xDC_0http://ref.x86asm.net/geek.html#x63http://ref.x86asm.net/geek.html#x48http://ref.x86asm.net/geek.html#x0FC7_1


11/16

stx

Added x87 FPU and SIMD state (FXSAVE and FXRSTOR).512

tOriginal; replaced by

ptp10-byte far pointer.

-

v

Original Word or doubleword, depending on operand-size attribute (for example, INC (40), PUSH (50)).16/32

vds Added; combines v

and dsWord or doubleword, depending on operand-size attribute, or doubleword, sign-extended to 64 bits for 64-bit operand size.

16/32

vq

Original Quadword (default) or word if operand-size prefix is used (for example, PUSH (50)).64/16

vqpAdded; combines v

and qpWord or doubleword, depending on operand-size attribute, or quadword, promoted by REX.W in 64-bit mode.

16/32/64

vs

Original Word or doubleword sign extended to the size of the stack pointer (for example, PUSH (68)).16/32

w

Original Word, regardless of operand-size attribute (for example, ENTER).16

wi

Added Word-integer. Only x87 FPU instructions (for example, FIADD).16int

The following abbreviations are used for operand types and are accessible only in HTML geek's editions as operand's code title. They are issued to indicate a dependency on

address-size attribute instead of operand-size attribute. As forsource XML document, they are used within address atribute ofsyntax/dstorsyntax/src elements. All of them

are added:

va Word or doubleword, according to address-size attribute (only REP and LOOP families).

dqa Doubleword or quadword, according to address-size attribute (only REP and LOOP families).

wa Word, according to address-size attribute (only JCXZ instruction).

wo Word, according to current operand size (e. g., MOVSW instruction).

ws Word, according to current stack size (only PUSHF and POPF instructions in 64-bit mode).

da Doubleword, according to address-size attribute (only JECXZ instruction).

do Doubleword, according to current operand size (e. g., MOVSD instruction).

qa Quadword, according to address-size attribute (only JRCXZ instruction).

qs Quadword, according to current stack size (only PUSHFQ and POPFQ instructions).

Source XML Document

Description of the source XMLstructure is available only as a part of thebenefits. Brief notes are also inside the DTD file.

Current State

In this version, the reference is almost complete. It contains general, system, x87 FPU, MMX, SSE, SSE1, SSE2, SSE3, SSSE3, SSE4, VMX, and SMX instructions (both

one-byte and two-byte ones). We are working on AMD-specific instructions and Intel AVX instructions now.

The MMX and SSE* instruction classification among groups is considered experimental and may change in future.

Future plans

For future, many new specific editions are planned, for example editions containg only instructions from particular group or extension, etc.

Why to Contribute - Benefits

Contributors can get access to benefits, which are not available for passive users. Benefits include HTML editions, which supports printing, PDF editions, many XSLtransformations, working drafts, articles, and other related files.

Why are not all these features free?

A few contributors worked hard to help me complete this reference so I gave them advantage this way. I believe that this benefits program can encourage you to find your way

how to become an active contributor.
http://ref.x86asm.net/x86reference.dtdhttp://ref.x86asm.net/x86reference.xmlhttp://ref.x86asm.net/geek64.html#x9Dhttp://ref.x86asm.net/geek64.html#x9Chttp://ref.x86asm.net/geek.html#xE3http://ref.x86asm.net/geek.html#xA5http://ref.x86asm.net/geek.html#xE3http://ref.x86asm.net/geek64.html#x9Dhttp://ref.x86asm.net/geek64.html#x9Chttp://ref.x86asm.net/geek.html#xA5http://ref.x86asm.net/geek.html#xE3http://ref.x86asm.net/geek.html#xE0http://ref.x86asm.net/geek.html#xF2http://ref.x86asm.net/geek.html#xE0http://ref.x86asm.net/geek.html#xF2http://ref.x86asm.net/geek.html#xDE_0http://ref.x86asm.net/geek.html#xC8http://ref.x86asm.net/geek.html#x68http://ref.x86asm.net/geek.html#x48http://ref.x86asm.net/geek.html#x50http://ref.x86asm.net/geek.html#x50http://ref.x86asm.net/geek.html#x40http://ref.x86asm.net/geek.html#x0FAE_1http://ref.x86asm.net/geek.html#x0FAE_0


12/16

How to Contribute

The following list shows possible contributions:

Write an article or a blog entry about your experiences with this reference. You can write this article forx86asm.net, too

If you are native English speaker, review this page's text and correct the worst mistakes

Help us to find the way how to add AVX instructions to the XMLreference.

Note that from the point of project's progress, modifications of any of HTML editions is almost useless. A HTML edition is just a result of transformation ofsource XML file, so

all modifications need to be done there.

ImplementationsBukowski's disassembler is first public implementation of the XML reference. See alsoproject's blog.

License

The license is here not to restrict regular use of the reference. All I want is to keep control over its development.

1. If you improve this reference, whether its source files (XML, DTD, XSL transformations) or any of derived files (in any format), send these files to the author. The author

reserve the right to use these files for any purpose.

2. You can publish source or any derivative files in any form only with author's permission and under the following conditions:

1. Mention the name of the author

2. Mention this hypertext reference to the source: ref.x86asm.net

3. Mention this license agreement

3. You can't sell printed copies of any files (original or derived) of this reference, including cases when it is a part of other project.

Resources

This reference has been completed using the following resources:

Intel manuals

Sandpile.org

AMD manuals

Intel iAPX 86/88, 186/188 User's manual

Credits

Thanks to all these geeks involved in some way in this project:

Christian Ludloff: maintainer of great Sandpile.org site, one of important sources for this project

Martin Mocko a.k.a. vid: many design ideas for HTML editions

Anthony Lopes: great XML and XSL contributions

Aquila: many great contributions

EliCZ: bug reports, design ideas

Cephexin: many great contributions to XML

Miloslav Ponkrc: helped with PHP and JavaScript on this site

William Whistler: valuable reviews and bug reports

Mikae: reviews, bug reports

References

Handily-organized x86 instruction and opcode references

x86

Referencia de Instrucciones y Cdigos de Operacin (OPCodes) x86

Download

Here go all main files of the reference together. A lot of other files are available only as a part of the benefits.

x86reference.xml 491 kB

x86reference.dtd

HTML Editions Files
http://ref.x86asm.net/x86reference.dtdhttp://ref.x86asm.net/x86reference.xmlhttp://www.cyberhades.com/2009/12/18/referencia-de-instrucciones-y-codigos-de-operacion-opcodes-x86/http://qune.cside.com/archives/001054.htmlhttp://www.reddit.com/r/ReverseEngineering/comments/7j57x/handilyorganized_x86_instruction_and_opcode/http://www.linkedin.com/pub/2/463/246http://ponkrac.net/http://secumania.net/http://www.apihooks.com/EliCZ/http://www.linkedin.com/pub/6/b16/908http://fasmlib.x86asm.net/http://sandpile.org/http://sandpile.org/http://x86asm.net/links/index.html#amd_manhttp://x86asm.net/links/index.html#sandpilehttp://x86asm.net/links/index.html#intel_manhttp://ref.x86asm.net/http://bukowski-framework.blogspot.com/http://ref.x86asm.net/x86reference.xmlhttp://sourceforge.net/projects/bukowski/http://ref.x86asm.net/x86reference.xmlhttp://ref.x86asm.net/x86reference.xmlhttp://x86asm.net/


13/16

coder.html coder-abc.html

coder32.html coder32-abc.html

coder64.html coder64-abc.html

geek.html geek-abc.html

geek32.html geek32-abc.html

geek64.html geek64-abc.html

CommentsContinue to discussion board.

My contact information is here.

Revisions

2009-

01-201.11

Mostly a bugfix release

Bugfixes:

Many missing SSE2 instructions (actually MMX instructions promoted to XMM registers) added (reported by Phil Keenan):

660F60 /r PUNPCKLBW Vdq, Wdq

660F61 /r PUNPCKLWD Vdq, Wdq

660F62 /r PUNPCKLDQ Vdq, Wdq

660F63 /r PACKSSWB Vdq, Wdq

660F64 /r PCMPGTB Vdq, Wdq

660F65 /r PCMPGTW Vdq, Wdq

660F66 /r PCMPGTD Vdq, Wdq

660F67 /r PACKUSWB Vdq, Wdq

660F68 /r PUNPCKHBW Vdq, Wdq

660F69 /r PUNPCKHWD Vdq, Wdq

660F6A /r PUNPCKHDQ Vdq, Wdq

660F6B /r PACKSSDW Vdq, Wdq

660FD1 /r PSRLW Vdq, Wdq

660FD2 /r PSRLD Vdq, Wdq

660FD3 /r PSRLQ Vdq, Wdq

660FD5 /r PMULLW Vdq, Wdq660FD8 /r PSUBUSB Vdq, Wdq

660FD9 /r PSUBUSW Vdq, Wdq

660FDB /r PAND Vdq, Wdq

660FDC /r PADDUSB Vdq, Wdq

660FDD /r PADDUSW Vdq, Wdq

660FDF /r PANDN Vdq, Wdq

660FE1 /r PSRAW Vdq, Wdq

660FE2 /r PSRAD Vdq, Wdq

660FE5 /r PMULHW Vdq, Wdq

660FE8 /r PSUBSB Vdq, Wdq

660FE9 /r PSUBSW Vdq, Wdq

660FEB /r POR Vdq, Wdq

660FEC /r PADDSB Vdq, Wdq

660FED /r PADDSW Vdq, Wdq

660FEF /r PXOR Vdq, Wdq660FF1 /r PSLLW Vdq, Wdq

660FF2 /r PSLLD Vdq, Wdq

660FF3 /r PSLLQ Vdq, Wdq

660FF5 /r PMADDWD Vdq, Wdq

660FF8 /r PSUBB Vdq, Wdq

660FF9 /r PSUBW Vdq, Wdq

660FFA /r PSUBD Vdq, Wdq

660FFC /r PADDB Vdq, Wdq

660FFD /r PADDW Vdq, Wdq

660FFE /r PADDD Vdq, Wdq

For the following instructions, P method was fixed to N method (reported by Will Whistler):

0F71 /2 PSRLW Nq, Ib

0F71 /4 PSRAW Nq, Ib

0F71 /6 PSLLW Nq, Ib

0F72 /2 PSRLD Nq, Ib

0F72 /4 PSRAD Nq, Ib

0F72 /6 PSLLD Nq, Ib

0F73 /2 PSRLQ Nq, Ib

0F73 /6 PSLLQ Nq, Ib

Many other small bugfixes, including the DTD

MazeGen
http://x86asm.net/contact/index.htmlhttp://board.x86asm.net/viewtopic.php?t=601http://ref.x86asm.net/geek64-abc.htmlhttp://ref.x86asm.net/geek64.htmlhttp://ref.x86asm.net/geek32-abc.htmlhttp://ref.x86asm.net/geek32.htmlhttp://ref.x86asm.net/geek-abc.htmlhttp://ref.x86asm.net/geek.htmlhttp://ref.x86asm.net/coder64-abc.htmlhttp://ref.x86asm.net/coder64.htmlhttp://ref.x86asm.net/coder32-abc.htmlhttp://ref.x86asm.net/coder32.htmlhttp://ref.x86asm.net/coder-abc.htmlhttp://ref.x86asm.net/coder.html


14/16

Other:

Hintable NOPinstructions added (suggested by Mikae)

New SSE2 subgroups: simdint/conver and simdint/logical

2009-

08-191.10

News:

All SSE4 instructions (Aquila contribution)

All VMX instructions

(the only) SMX instruction

All new general instructions: POPCNT, MOVBE

All new system instructions: XGETBV, XSETBV, RDTSCP, XSAVE, XRSTOR

Processor code C7 to indicate Core i7

Implicate register operand group xcr (extended control register) added because ofXGETBV and XSETBV instructions

HTML editions:

Many new general notes

ModR/M byte and SIB byte encoding tables

Bugfixes:

MOVD and MOVQ instructions added:

0F6E MOVQ Pq, Eqp (in 64-bit mode with REX.W)

0F7E MOVQ Eqp, Pq (in 64-bit mode with REX.W)

660F6E MOVD Vdq, Ed

660F6E MOVQ Vdq, Eqp (in 64-bit mode with REX.W)

660F7E MOVD Ed, Vdq660F7E MOVQ Eqp, Vdq (in 64-bit mode with REX.W)

F30F7E MOVQ Vq, Wq

660FD6 MOVQ Wq, Vq

Many other small bugfixes

MazeGen

2009-

06-301.02

This is the first revision considered stable (after more than two years of development)

Bugfixes:

LODSB (AC): addressing method corrected to X

All LODS variants:depend='no' attribute removed from src element

SCASD (AF), 64-bit entry: EAX type corrected to d

UD (0FB9): entry attribute r='yes' added

Duplicated syntaxes forPUSHA, POPA, PUSHF and POPF in 386+ entries removedDuplicated two-byte/pri_opcd element with value 18 merged into one

HSUBPS (F20F7D): fixed prefix corrected to F2

FSTP1 (D9/3), FCOM2 (DC/2), FCOMP3 (DC/3), FXCH4 (DD/1), FCOMP5 (DE/2), FXCH7 (DF/1), FSTP8 (DF/2), FSTP9 (DF/3):

proc_end='02' element added

First entry for opcode F390: proc_end='09' element added

CMPXCHG8B and CMPXCHG16B (0FC7/1) merged into one 64-bit entry

Entries forCALL (E8), JMP (E9), and Jcc (0F80-0F8F) merged while merging operand types v and ds to (documented) vds

All JMPE instruction entries and RSMentry: grp1='system' , grp2='branch' elements added

CLTSentry: grp1='system' element added

EMMSentry: grp1='x87fpu', grp2='control' elements added

Missing depend='no' attribute added to many dst elements at various places

UD and UD2 entries: attribute attr='invd' added

IMUL (69, 6B) entries: r='yes' attribute added

ENTER and LEAVE: 64-bit entry added while correcting eBP type to v and rBP type to vq

LOOPE (E1), non-64-bit entry: type ofeCX corrected to vaMOV DRn, r (0F23), undocumented entry: addressing method corrected to H

Branch hint prefixes (2E, 3E, 64) entries: proc_start@post='no' attribute added, proc_end='10' element added

All entries with attr='undef' and prefix-branch-cond grouping for opcodes 2E, 3E, and 64 removed

SYSENTER and SYSEXIT entries:grp2='stack' removed, SS and ESP orRSP register operands added

SYSENTER: 64-bit entry added because RSP is fixed to 64 bits in 64-bit mode

Eithersrc ordst element with new implicate addressing method SC added to entries with grp2='stack' element value

MOV from segment register (8C): memory operand size and register operand size differ (reported by Mikae)

MOV to segment register (8E): source operand is always a word (reported by Mikae)

The following SSE2 instructions added (reported by Mikae):

660F71 /2 PSRLW Udq, Ib

660F71 /4 PSRAW Udq, Ib

660F71 /6 PSLLW Udq, Ib

660F72 /2 PSRLD Udq, Ib

660F72 /4 PSRAD Udq, Ib

660F72 /6 PSLLD Udq, Ib660F73 /2 PSRLQ Udq, Ib

660F73 /6 PSLLQ Udq, Ib

660F74 /r PCMPEQB Vdq, Wdq

660F75 /r PCMPEQW Vdq, Wdq

660F76 /r PCMPEQD Vdq, Wdq

MOV from/to DRn register (0F21, 0F23): size of the other operand differs between 64-bit mode and non-64-bit modes, regardless ofREX.W

MazeGen


15/16

LAR (0F02) and LSL (0F03): attribute entry/@r="yes" added (reported by Mikae)

Backward-incompatible changes to the XML and DTD:

All default attribute values removed from DTD

Addressing methods BA, BB, F, X, Y, and YD are always implicate so they are not indicated using a and t elements

Addressing method YD renamed to BD

New implicate type wo issued forPUSHA, POPA, INS, INSW, OUTS, OUTSW, CBW, CWD, PUSHF, POPF, MOVS, MOVSW, CMPS, CMPSW, STOS,

STOSW, LODS, LODSW, SCAS, SCASW, and IRET to indicate fixed operand size according to current operand size

New implicate type do issued forPUSHAD, POPAD, INSD, OUTSD, CWDE, CDQ, PUSHFD, POPFD, MOVSD, CMPSD, STOSD, LODSD, SCASD,

IRETD to indicate fixed operand size according to current operand size

New implicate type ws issued forPUSHF and POPF in 64-bit mode to indicate fixed operand size according to current stack sizeNew implicate type qs issued forPUSHFQ and POPFQ to indicate fixed operand size according to current stack size

News to the XML and DTD:

Attribute is_doc (only value yes) forentry element, used along with doc='u' attribute value

Attribute is_undoc (only value yes) forentry element

Implicate addressing method SC

Node note has two new nodes: brief, which contains original note contents, and det, not used yet

Other changes:

CBW (98): destination operand changed to AX

The stack subgroup ofsystem main group is no longer used

2008-

12-171.01

I forgot to upload the XML reference for previous revision. Now it comes in this revision

Bugfixes:

CALLF (FF /3) and JMPF (FF /5): only a memory operand is allowed (reported by Fabio Fernandes)

PSRLD (0F72 /2): typo in mnemonic (reported by Japheth)

PMADDUBSW ([66]0F3804) description fixed

The following bugfixes affect the geek suite:

Opcodes FF /2, FF /3, FF /4, FF /5, FF /6 had unfounded W opcode field (reported by William Whistler)

The following changes and bugfixes affects mostly only the XML reference and DTD:

Backward-incompatible change: Operand type vaqp removed, was wrong

Backward-incompatible change: New operand type dqa issued to replace removed vaqp forREP family operands and LOOP family operands

in 64-bit modeBackward-incompatible change: Decided not to indicate sign extension on MOVSXD operand

New attribute escape forsec_opcd element to indicate three-byte escapes 0F38XX and 0F3AXX

Removed all entities from DTD to make it ready to convert to XSD (suggested by Herbert Oppmann)

Bugfix: all @op_size attributes removed from opcodes FF /2, FF /3, FF /4, FF /5, FF /6 (reported by William Whistler)

Bugfix: No (implicate) rFlags operand was declared correctly (reported by William Whistler)

New implicate Addressing method F for rFlags operand defined in DTD

Bugfix: Many entry/@mod and syntax@mod attributes changed and fixed

MazeGen

2008-

10-191.00

News:

All SSE, SSE2, SSE3, and SSSE3 instructions added (Aquila and Cephexin contributions)

Alphabetically sorted editions (postfixed with -abc)

On-line store improved, prices discounted

The HTML transformation process is not documented now

Bugfixes:

FDIVRP ST1, ST secondary opcode was missing, it should be F1

PAUSE instruction came with SSE2

PUSH FF/6, FCOMI, FCOMIP, FISTTP, FNSAVE, FSAVE and TAKEN prefix description fixed

The following changes and bugfixes affect mostly only the XML reference:

CALL FF/2, CALLF FF/3, JMP FF/4, JMPF FF/5, PUSH FF/6: the operand must be src instead ofdst

Opcode D9/3, doc_part_alias_ref attribute fixed

All MMX instructions' operand codes fixed usinga and t elements

Backward-incompatible change ofB addressing code to BB

The gen_notes and ring_notes nodes are no longer present in the XML

All id attributes renamed to xml:id

New sup and sub child elements fornotes nodeNew addressing code BA

New particular attribute forentry node

MazeGen

News:

All MMX instructions added (Anthony Lopes contribution)

HTML transformation rocess has chan ed
http://ref.x86asm.net/store/index.html


16/16

2008-

05-150.40

Support for printing from the public files is no longer available (i. e., PDF editions are no longer publicly available as well)

Bugfixes:

CLTS (0F06): valid only at ring 0; valid also in real mode (reported by Anthony Lopes, EliCZ)

STD (FD): typo in mnemonic (reported by EliCZ, andrewl)

WRMSR (0F30): confusing and unnecessary 64-bit operands (reported by EliCZ)

RDTSC (0F31), RDPMC (0F33): unnecessary 64-bit entry (reported by EliCZ)

LAR (0F02), LSL (0F03): valid only in protected mode (reported by EliCZ)

HLT (F4), SYSRET (0F07), SWAPGS (0F01 /7): valid only at ring 0 (reported by EliCZ)

The following changes and bugfixes affect mostly only the XML reference:

MOV (A2, A3): dst must be depend='no', src must not

CMPS (A6, A7): first src must not be depend='no'

SCAS (AE): no dst operand, both operands are src

SCAS (AF): first src operand must not be depend='no'

Attribute proc_start/@post="no" duplicated using proc_end element

Operand address and type codes split into a and t subelements (DTD changed along)

MazeGen

2008-

03-110.30

All x87 FPU instructions added, including new ones

The l column was renamed to x and now holds more information

In HTML a PDF editions, the prefix values were moved to pfcolumn

On-line store opened

The project was renamed to X86 Opcode and Instruction Reference

MazeGen

2007-

11-290.21

The HTML table is split into two parts: one-byte and two-byte opcode part. This should make browsers to render it faster and more easily. I

hope this also helps Firefox to render the table at first (without refresh)

Instructions, which doesn't really test all flags but push them on the stack (PUSHF, INT and few others) are corrected (suggested by Wolfgang

Kern)

PDF edition for each HTML edition

MazeGen

2007-

11-060.20 Added coder, coder32, coder64, geek32, and geek64 editions. All main project's files modified. Project's documentation completed. MazeGen

2007-

06-040.10 First public version MazeGen

(dates format correspond to ISO 8601)
http://www.w3.org/QA/Tips/iso-date#goodhttp://ref.x86asm.net/store/index.html

x86 opcode and instruction reference

Documents