MOV_(x86_instruction)

x86 instruction listings

List of x86 microprocessor instructions

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

The x86 instruction set has been extended several times, introducing wider registers and datatypes as well as new functionality.^[1]

x87 floating-point instructions

The x87 coprocessor, if present, provides support for floating-point arithmetic. The coprocessor provides eight data registers, each holding one 80-bit floating-point value (1 sign bit, 15 exponent bits, 64 mantissa bits) – these registers are organized as a stack, with the top-of-stack register referred to as "st" or "st(0)", and the other registers referred to as st(1),st(2),...st(7). It additionally provides a number of control and status registers, including "PC" (precision control, to control whether floating-point operations should be rounded to 24, 53 or 64 mantissa bits) and "RC" (rounding control, to pick rounding-mode: round-to-zero, round-to-positive-infinity, round-to-negative-infinity, round-to-nearest-even) and a 4-bit condition code register "CC", whose four bits are individually referred to as C0,C1,C2 and C3). Not all of the arithmetic instructions provided by x87 obey PC and RC.

Original 8087 instructions

More information Push

...

Instruction description	Mnemonic	Opcode	Additional items

x87 Non-Waiting^{[lower-alpha 1]} FPU Control Instructions			Waiting mnemonic^{[lower-alpha 2]}
Initialize x87 FPU	`FNINIT`	`DB E3`	`FINIT`
Load x87 Control Word	`FLDCW m16`	`D9 /5`	(none)
Store x87 Control Word	`FNSTCW m16`	`D9 /7`	`FSTCW`
Store x87 Status Word	`FNSTSW m16`	`DD /7`	`FSTSW`
Clear x87 Exception Flags	`FNCLEX`	`DB E2`	`FCLEX`
Load x87 FPU Environment	`FLDENV m112/m224`^{[lower-alpha 3]}	`D9 /4`	(none)
Store x87 FPU Environment	`FNSTENV m112/m224`^{[lower-alpha 3]}	`D9 /6`	`FSTENV`
Save x87 FPU State, then initialize x87 FPU	`FNSAVE m752/m864`^{[lower-alpha 3]}	`DD /6`	`FSAVE`
Restore x87 FPU State	`FRSTOR m752/m864`^{[lower-alpha 3]}	`DD /4`	(none)
Enable Interrupts (8087 only)^{[lower-alpha 4]}	`FNENI`	`DB E0`	`FENI`
Disable Interrupts (8087 only)^{[lower-alpha 4]}	`FNDISI`	`DB E1`	`FDISI`

x87 Floating-point Load/Store/Move Instructions			precision control	rounding control
Load floating-point value onto stack	`FLD m32`	`D9 /0`	No	—
	`FLD m64`	`DD /0`
	`FLD m80`	`DB /5`
	`FLD st(i)`	`D9 C0+i`
Store top-of-stack floating-point value to memory or stack register	`FST m32`	`D9 /2`	No	Yes
	`FST m64`	`DD /2`	No	Yes
	`FST st(i)`^{[lower-alpha 5]}	`DD D0+i`	No	—
Store top-of-stack floating-point value to memory or stack register, then pop	`FSTP m32`	`D9 /3`	No	Yes
	`FSTP m64`	`DD /3`	No	Yes
	`FSTP m80`^{[lower-alpha 5]}	`DB /7`	No	—
	`FSTP st(i)`^{[lower-alpha 5]}^{[lower-alpha 6]}	`DD D8+i`
		DF D0+i^{[lower-alpha 7]}
		DF D8+i^{[lower-alpha 7]}
Push +0.0 onto stack	`FLDZ`	`D9 EE`	No	—
Push +1.0 onto stack	`FLD1`	`D9 E8`	No	—
Push π (approximately 3.14159) onto stack	`FLDPI`	`D9 EB`	No	387^{[lower-alpha 8]}
Push $\log _{2}\left(10\right)$ (approximately 3.32193) onto stack	`FLDL2T`	`D9 E9`
Push $\log _{2}\left(e\right)$ (approximately 1.44269) onto stack	`FLDL2E`	`D9 EA`
Push $\log _{10}\left(2\right)$ (approximately 0.30103) onto stack	`FLDLG2`	`D9 EC`
Push $\ln \left(2\right)$ (approximately 0.69315) onto stack	`FLDLN2`	`D9 ED`
Exchange top-of-stack register with other stack register	`FXCH st(i)`^{[lower-alpha 9]}^{[lower-alpha 10]}	`D9 C8+i`	No	—
		DD C8+i^{[lower-alpha 7]}
		DF C8+i^{[lower-alpha 7]}
x87 Integer Load/Store Instructions			precision control	rounding control
Load signed integer value onto stack from memory, with conversion to floating-point	`FILD m16`	`DF /0`	No	—
	`FILD m32`	`DB /0`
	`FILD m64`	`DF /5`
Store top-of-stack value to memory, with conversion to signed integer	`FIST m16`	`DF /2`	No	Yes
	`FIST m32`	`DB /2`	No	Yes
Store top-of-stack value to memory, with conversion to signed integer, then pop stack	`FISTP m16`	`DF /3`	No	Yes
	`FISTP m32`	`DB /3`
	`FISTP m64`	`DF /7`
Load 18-digit Binary-Coded-Decimal integer value onto stack from memory, with conversion to floating-point	`FBLD m80`^{[lower-alpha 11]}	`DF /4`	No	—
Store top-of-stack value to memory, with conversion to 18-digit Binary-Coded-Decimal integer, then pop stack	`FBSTP m80`	`DF /6`	No	387^{[lower-alpha 8]}
x87 Basic Arithmetic Instructions			precision control	rounding control
Floating-point add `dst <- dst + src`	`FADD m32`	`D8 /0`	Yes	Yes
	`FADD m64`	`DC /0`
	`FADD st,st(i)`	`D8 C0+i`
	`FADD st(i),st`	`DC C0+i`
Floating-point multiply `dst <- dst * src`	`FMUL m32`	`D8 /1`	Yes	Yes
	`FMUL m64`	`DC /1`
	`FMUL st,st(i)`	`D8 C8+i`
	`FMUL st(i),st`	`DC C8+i`
Floating-point subtract `dst <- dst – src`	`FSUB m32`	`D8 /4`	Yes	Yes
	`FSUB m64`	`DC /4`
	`FSUB st,st(i)`	`D8 E0+i`
	`FSUB st(i),st`	`DC E8+i`
Floating-point reverse subtract `dst <- src – dst`	`FSUBR m32`	`D8 /5`	Yes	Yes
	`FSUBR m64`	`DC /5`
	`FSUBR st,st(i)`	`D8 E8+i`
	`FSUBR st(i),st`	`DC E0+i`
Floating-point divide^{[lower-alpha 12]} `dst <- dst / src`	`FDIV m32`	`D8 /6`	Yes	Yes
	`FDIV m64`	`DC /6`
	`FDIV st,st(i)`	`D8 F0+i`
	`FDIV st(i),st`	`DC F8+i`
Floating-point reverse divide `dst <- src / dst`	`FDIVR m32`	`D8 /7`	Yes	Yes
	`FDIVR m64`	`DC /7`
	`FDIVR st,st(i)`	`D8 F8+i`
	`FDIVR st(i),st`	`DC F0+i`
Floating-point compare `CC <- result_of( st(0) – src )` Same operation as subtract, except that it updates the x87 CC status register instead of any of the FPU stack registers	`FCOM m32`	`D8 /2`	No	—
	`FCOM m64`	`DC /2`
	`FCOM st(i)`^{[lower-alpha 9]}	`D8 D0+i`
	`FCOM st(i)`^{[lower-alpha 9]}	DC D0+i^{[lower-alpha 7]}
x87 Basic Arithmetic Instructions with Stack Pop			precision control	rounding control
Floating-point add and pop	`FADDP st(i),st`^{[lower-alpha 9]}	`DE C0+i`	Yes	Yes
Floating-point multiply and pop	`FMULP st(i),st`^{[lower-alpha 9]}	`DE C8+i`	Yes	Yes
Floating-point subtract and pop	`FSUBP st(i),st`^{[lower-alpha 9]}	`DE E8+i`	Yes	Yes
Floating-point reverse-subtract and pop	`FSUBRP st(i),st`^{[lower-alpha 9]}	`DE E0+i`	Yes	Yes
Floating-point divide and pop	`FDIVP st(i),st`^{[lower-alpha 9]}	`DE F8+i`	Yes	Yes
Floating-point reverse-divide and pop	`FDIVRP st(i),st`^{[lower-alpha 9]}	`DE F0+i`	Yes	Yes
Floating-point compare and pop	`FCOMP m32`	`D8 /3`	No	—
	`FCOMP m64`	`DC /3`
	`FCOMP st(i)`^{[lower-alpha 9]}	`D8 D8+i`
		DC D8+i^{[lower-alpha 7]}
		DE D0+i^{[lower-alpha 7]}
Floating-point compare to st(1), then pop twice	`FCOMPP`	`DE D9`	No	—
x87 Basic Arithmetic Instructions with Integer Source Argument			precision control	rounding control
Floating-point add by integer	`FIADD m16`	`DA /0`	Yes	Yes
Floating-point add by integer	`FIADD m32`	`DE /0`	Yes	Yes
Floating-point multiply by integer	`FIMUL m16`	`DA /1`	Yes	Yes
Floating-point multiply by integer	`FIMUL m32`	`DE /1`	Yes	Yes
Floating-point subtract by integer	`FISUB m16`	`DA /4`	Yes	Yes
Floating-point subtract by integer	`FISUB m32`	`DE /4`	Yes	Yes
Floating-point reverse-subtract by integer	`FISUBR m16`	`DA /5`	Yes	Yes
Floating-point reverse-subtract by integer	`FISUBR m32`	`DE /5`	Yes	Yes
Floating-point divide by integer	`FIDIV m16`	`DA /6`	Yes	Yes
Floating-point divide by integer	`FIDIV m32`	`DE /6`	Yes	Yes
Floating-point reverse-divide by integer	`FIDIVR m16`	`DA /7`	Yes	Yes
Floating-point reverse-divide by integer	`FIDIVR m32`	`DE /7`	Yes	Yes
Floating-point compare to integer	`FICOM m16`	`DA /2`	No	—
Floating-point compare to integer	`FICOM m32`	`DE /2`	No	—
Floating-point compare to integer, and stack pop	`FICOMP m16`	`DA /3`	No	—
Floating-point compare to integer, and stack pop	`FICOMP m32`	`DE /3`	No	—
x87 Additional Arithmetic Instructions			precision control	rounding control
Floating-point change sign	`FCHS`	`D9 E0`	No	—
Floating-point absolute value	`FABS`	`D9 E1`	No	—
Floating-point compare top-of-stack value to 0	`FTST`	`D9 E4`	No	—
Classify top-of-stack st(0) register value. The classification result is stored in the x87 CC register.^{[lower-alpha 13]}	`FXAM`	`D9 E5`	No	—
Split the st(0) value into two values E and M representing the exponent and mantissa of st(0). The split is done such that $M*2^{E}=st(0)$ , where E is an integer and M is a number whose absolute value is within the range $1\leq \left\|M\right\|<2$ . ^{[lower-alpha 14]} st(0) is then replaced with E, after which M is pushed onto the stack.	`FXTRACT`	`D9 F4`	No	—
Floating-point partial^{[lower-alpha 15]} remainder (not IEEE 754 compliant): $Q\leftarrow {\mathtt {IntegerRoundToZero}}\left({\frac {st(0)}{st(1)}}\right)$ $st(0)\leftarrow st(0)-st(1)*Q$	`FPREM`	`D9 F8`	No	—^{[lower-alpha 16]}
Floating-point square root	`FSQRT`	`D9 FA`	Yes	Yes
Floating-point round to integer	`FRNDINT`	`D9 FC`	No	Yes
Floating-point power-of-2 scaling. Rounds the value of st(1) to integer with round-to-zero, then uses it as a scale factor for st(0):^{[lower-alpha 17]} $st(0)\leftarrow st(0)*2^{{\mathtt {IntegerRoundToZero}}\left(st(1)\right)}$	`FSCALE`	`D9 FD`	No	Yes^{[lower-alpha 18]}

x87 Transcendental Instructions^{[lower-alpha 19]}			Source operand range restriction
Base-2 exponential minus 1, with extra precision for st(0) close to 0: $st(0)\leftarrow 2^{st(0)}-1$	`F2XM1`	`D9 F0`	8087: $0\leq st(0)\leq {\frac {1}{2}}$ 80387: $-1\leq st(0)\leq 1$
Base-2 Logarithm: $st(1)\leftarrow st(1)*\log _{2}\left(st(0)\right)$ followed by stack pop	`FYL2X`^{[lower-alpha 20]}	`D9 F1`	no restrictions
Partial Tangent: Computes from st(0) a pair of values X and Y, such that $\tan \left(st(0)\right)={\frac {Y}{X}}$ The Y value replaces the top-of-stack value, and then X is pushed onto the stack. On 80387 and later x87, but not original 8087, X is always 1.0	`FPTAN`	`D9 F2`	8087: $0\leq \left\|st(0)\right\|\leq {\frac {\pi }{4}}$ 80387: $0\leq \left\|st(0)\right\|<2^{63}$
Two-argument arctangent with quadrant adjustment:^{[lower-alpha 21]} $st(1)\leftarrow \arctan \left({\frac {st(1)}{st(0)}}\right)$ followed by stack pop	`FPATAN`	`D9 F3`	8087: $\left\|st(1)\right\|\leq \left\|st(0)\right\|<\infty$ 80387: no restrictions
Base-2 Logarithm plus 1, with extra precision for st(0) close to 0: $st(1)\leftarrow st(1)*\log _{2}\left(st(0)+1\right)$ followed by stack pop	`FYL2XP1`^{[lower-alpha 20]}	`D9 F9`	Intel: $\left\|st(0)\right\|<\left(1-{\sqrt {\frac {1}{2}}}\right)$ AMD: $\left({\sqrt {\frac {1}{2}}}-1\right)<st(0)<\left({\sqrt {2}}-1\right)$

Other x87 Instructions
No operation^{[lower-alpha 22]}	`FNOP`	`D9 D0`
Decrement x87 FPU Register Stack Pointer	`FDECSTP`	`D9 F6`
Increment x87 FPU Register Stack Pointer	`FINCSTP`	`D9 F7`
Free x87 FPU Register	`FFREE st(i)`	`DD C0+i`
Check and handle pending unmasked x87 FPU exceptions	`WAIT`, `FWAIT`	`9B`
Floating-point store and pop, without stack underflow exception	FSTPNCE st(i)	D9 D8+i^{[lower-alpha 7]}
Free x87 register, then stack pop	FFREEP st(i)	DF C0+i^{[lower-alpha 7]}

x87 coprocessors (other than the 8087) handle exceptions in a fairly unusual way. When an x87 instruction generates an unmasked arithmetic exception, it will still complete without causing a CPU fault – instead of causing a fault, it will record within the coprocessor information needed to handle the exception (instruction pointer, opcode, data pointer if the instruction had a memory operand) and set FPU status-word flag to indicate that a pending exception is present. This pending exception will then cause a CPU fault when the next x87, MMX or WAIT instruction is executed.
The exception to this is x87's "Non-Waiting" instructions, which will execute without causing such a fault even if a pending exception is present (with some caveats, see application note AP-578^[108]). These instructions are mostly control instructions that can inspect and/or modify the pending-exception state of the x87 FPU.
For each non-waiting x87 instruction whose mnemonic begins with FN, there exists a pseudo-instruction that has the same mnemonic except without the N. These pseudo-instructions consist of a WAIT instruction (opcode 9B) followed by the corresponding non-waiting x87 instruction. For example:
- FNCLEX is an instruction with the opcode DB E2. The corresponding pseudo-instruction FCLEX is then encoded as 9B DB E2.
- FNSAVE ES:[BX+6] is an instruction with the opcode 26 DD 77 06. The corresponding pseudo-instruction FSAVE ES:[BX+6] is then encoded as 9B 26 DD 77 06
These pseudo-instructions are commonly recognized by x86 assemblers and disassemblers and treated as single instructions, even though all x86 CPUs with x87 coprocessors execute them as a sequence of two instructions.
On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.
64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired.
In the case of an x87 instruction producing an unmasked FPU exception, the 8087 FPU will signal an IRQ some indeterminate time after the instruction was issued. This may not always be possible to handle,^[109] and so the FPU offers the F(N)DISI and F(N)ENI instructions to set/clear the Interrupt Mask bit (bit 7) of the x87 Control Word,^[110] to control the interrupt.
Later x87 FPUs, from 80287 onwards, changed the FPU exception mechanism to instead produce a CPU exception on the next x87 instruction. This made the Interrupt Mask bit unnecessary, so it was removed.^[111] In later Intel x87 FPUs, the F(N)ENI and F(N)DISI instructions were kept for backwards compatibility, executing as NOPs that do not modify any x87 state.
FST/FSTP with an 80-bit destination (m80 or st(i)) and an sNaN source value will produce exceptions on AMD but not Intel FPUs.
FSTP ST(0) is a commonly used idiom for popping a single register off the x87 register stack.
Intel x87 alias opcode. Use of this opcode is not recommended.
On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087^[112] and 80287,^[113] but then omitted from later manuals until the October 2017 update of the Intel SDM.^[114]
They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86^[115] and NexGen 586PF.^[116]
On the 8087 and 80287, FBSTP and the load-constant instructions always use the round-to-nearest rounding mode. On the 80387 and later x87 FPUs, these instructions will use the rounding mode specified in the x87 RC register.
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
On Intel Pentium and later processors, FXCH is implemented as a register renaming rather than a true data move. This has no semantic effect, but enables zero-cycle-latency operation. It also allows the instruction to break data dependencies for the x87 top-of-stack value, improving attainable performance for code optimized for these processors.
The result of executing the FBLD instruction on non-BCD data is undefined.
On early Intel Pentium processors, floating-point divide was subject to the Pentium FDIV bug. This also affected instructions that perform divide as part of their operations, such as FPREM and FPATAN.^[117]
The FXAM instruction will set C0, C2 and C3 based on value type in st(0) as follows: C1 is set to the sign-bit of st(0), regardless of whether st(0) is Empty or not.
More information C3, C2 ...

C3 C2 C0 Classification

0 0 0 Unsupported (unnormal or pseudo-NaN)

0 0 1 NaN

0 1 0 Normal finite number

0 1 1 Infinity

1 0 0 Zero

1 0 1 Empty

1 1 0 Denormal number

1 1 1 Empty (may occur on 8087/80287 only)

Close
For FXTRACT, if st(0) is zero or ±∞, then M is set equal to st(0). If st(0) is zero, E is set to 0 on 8087/80287 but -∞ on 80387 and later. If st(0) is ±∞, then E is set to +∞.
For FPREM, if the quotient Q is larger than $2^{63}$ , then the remainder calculation may have been done only partially – in this case, the FPREM instruction will need to be run again in order to complete the remainder calculation. This is indicated by the instruction setting C2 to 1.
If the instruction did complete the remainder calculation, it will set C2 to 0 and set the three bits {C0,C3,C1} to the bottom three bits of the quotient Q.
On 80387 and later, if the instruction didn't complete the remainder calculation, then the computed remainder Q used for argument reduction will have been rounded to a multiple of 8 (or larger power-of-2), so that the bottom 3 bits of the quotient can still be correctly retrieved in a later pass that does complete the remainder calculation.
The remainder computation done by the FPREM instruction is always exact with no roundoff errors.
For the FSCALE instruction on 8087 and 80287, st(1) is required to be in the range $-2^{15}\leq st(1)<2^{15}$ . Also, its absolute value must be either 0 or at least 1. If these requirements are not satisfied, the result is undefined.
These restrictions were removed in the 80387.
For FSCALE, rounding is only applied in the case of overflow, underflow or subnormal result.
The x87 transcendental instructions do not obey PC or RC, but instead compute full 80-bit results. These results are not necessarily correctly rounded (see Table-maker's dilemma) – they may have an error of up to ±1 ulp on Pentium or later, or up to ±1.5 ulps on earlier x87 coprocessors.
For the FYL2X and FYL2XP1 instructions, the maximum error bound of ±1 ulp only holds for st(1)=1.0 – for other values of st(1), the error bound is increased to ±1.35 ulps.
For FPATAN, the following adjustments are done as compared to just computing a one-argument arctangent of the ratio ${\frac {st(1)}{st(0)}}$ ${\frac {st(1)}{st(0)}}$ :
- If both st(0) and st(1) are ±∞, then the arctangent is computed as if each of st(0) and st(1) had been replaced with ±1 of the same sign. This produces a result that is an odd multiple of ${\frac {\pi }{4}}$ .
- If both st(0) and st(1) are ±0, then the arctangent is computed as if st(0) but not st(1) had been replaced with ±1 of the same sign, producing a result of ±0 or $\pm \pi$ .
- If st(0) is negative (has sign bit set), then an addend of $\pm \pi$ with the same sign as st(1) is added to the result.
While FNOP is a no-op in the sense that will leave the x87 FPU register stack unmodified, it may still modify FIP and CC, and it may fault if a pending x87 FPU exception is present.

x87 instructions added in later processors

More information Computes two values

...

Instruction description	Mnemonic	Opcode	Additional items

x87 Non-Waiting Control Instructions added in 80287			Waiting mnemonic
Notify FPU of entry into Protected Mode^{[lower-alpha 1]}	`FNSETPM`	`DB E4`	`FSETPM`
Store x87 Status Word to AX	`FNSTSW AX`	`DF E0`	`FSTSW AX`

x87 Instructions added in 80387^{[lower-alpha 2]}			Source operand range restriction
Floating-point unordered compare. Similar to the regular floating-point compare instruction `FCOM`, except will not produce an exception in response to any qNaN operands.	`FUCOM st(i)`^{[lower-alpha 3]}	`DD E0+i`	no restrictions
Floating-point unordered compare and pop	`FUCOMP st(i)`^{[lower-alpha 3]}	`DD E8+i`
Floating-point unordered compare to st(1), then pop twice	`FUCOMPP`	`DA E9`
IEEE 754 compliant floating-point partial remainder.^{[lower-alpha 4]}	`FPREM1`	`D9 F5`
Floating-point sine and cosine. Computes two values $S=\sin \left(kst(0)\right)$ and $C=\cos \left(kst(0)\right)$ ^{[lower-alpha 5]} Top-of-stack st(0) is replaced with S, after which C is pushed onto the stack.	`FSINCOS`	`D9 FB`	$\left\|st(0)\right\|<2^{63}$
Floating-point sine.^{[lower-alpha 5]} $st(0)\leftarrow \sin \left(k*st(0)\right)$	`FSIN`	`D9 FE`
Floating-point cosine.^{[lower-alpha 5]} $st(0)\leftarrow \cos \left(k*st(0)\right)$	`FCOS`	`D9 FF`

x87 Instructions added in Pentium Pro			Condition for conditional moves
Floating-point conditional move to st(0) based on EFLAGS	`FCMOVB st(0),st(i)`	`DA C0+i`	below (CF=1)
	`FCMOVE st(0),st(i)`	`DA C8+i`	equal (ZF=1)
	`FCMOVBE st(0),st(i)`	`DA D0+i`	below or equal (CF=1 or ZF=1)
	`FCMOVU st(0),st(i)`	`DA D8+i`	unordered (PF=1)
	`FCMOVNB st(0),st(i)`	`DB C0+i`	not below (CF=0)
	`FCMOVNE st(0),st(i)`	`DB C8+i`	not equal (ZF=0)
	`FCMOVNBE st(0),st(i)`	`DB D0+i`	not below or equal (CF=0 and ZF=0)
	`FCMOVNU st(0),st(i)`	`DB D8+i`	not unordered (PF=0)
Floating-point compare and set `EFLAGS`. Differs from the older `FCOM` floating-point compare instruction in that it puts its result in the integer `EFLAGS` register rather than the x87 CC register.^{[lower-alpha 6]}	`FCOMI st(0),st(i)`	`DB F0+i`
Floating-point compare and set `EFLAGS`, then pop	`FCOMIP st(0),st(i)`	`DF F0+i`
Floating-point unordered compare and set `EFLAGS`	`FUCOMI st(0),st(i)`	`DB E8+i`
Floating-point unordered compare and set `EFLAGS`, then pop	`FUCOMIP st(0),st(i)`	`DF E8+i`

x87 Non-Waiting Instructions added in Pentium II, AMD K7 and SSE^{[lower-alpha 7]}			64-bit mnemonic (`REX.W` prefix)
Save x87, MMX and SSE state to 512-byte data structure^{[lower-alpha 8]}^{[lower-alpha 9]}^{[lower-alpha 10]}	`FXSAVE m512byte`	`NP 0F AE /0`	`FXSAVE64 m512byte`
Restore x87, MMX and SSE state from 512-byte data structure^{[lower-alpha 8]}^{[lower-alpha 9]}	`FXRSTOR m512byte`	`NP 0F AE /1`	`FXRSTOR64 m512byte`

x87 Instructions added as part of SSE3
Floating-point store integer and pop, with round-to-zero	`FISTTP m16`	`DF /1`
	`FISTTP m32`	`DB /1`
	`FISTTP m64`	`DD /1`

The x87 FPU needs to know whether it is operating in Real Mode or Protected Mode because the floating-point environment accessed by the F(N)SAVE, FRSTOR, FLDENV and F(N)STENV instructions has different formats in Real Mode and Protected Mode. On 80287, the F(N)SETPM instruction is required to communicate the real-to-protected mode transition to the FPU. On 80387 and later x87 FPUs, real↔protected mode transitions are communicated automatically to the FPU without the need for any dedicated instructions – therefore, on these FPUs, FNSETPM executes as a NOP that does not modify any FPU state.
Not including discontinued instructions specific to particular 80387-compatible FPU models.
For the FUCOM and FUCOMP instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
The 80387 FPREM1 instruction differs from the older FPREM (D9 F8) instruction in that the quotient Q is rounded to integer with round-to-nearest-even rounding rather than the round-to-zero rounding used by FPREM. Like FPREM, FPREM1 always computes an exact result with no roundoff errors. Like FPREM, it may also perform a partial computation if the quotient is too large, in which case it must be run again.
Due to the x87 FPU performing argument reduction for sin/cos with only about 68 bits of precision, the value of k used in the calculation of FSIN, FCOS and FSINCOS is not precisely 1.0, but instead given by^[118]^[119] $k{=}{\frac {2^{66}*\pi }{\lfloor 2^{66}*\pi \rfloor }}\approx 1.0000000000000000000012874$ This argument reduction inaccuracy also affects the FPTAN instruction.
The FCOMI, FCOMIP, FUCOMI and FUCOMIP instructions write their results to the ZF, CF and PF bits of the EFLAGS register. On Intel but not AMD processors, the SF, AF and OF bits of EFLAGS are also zeroed out by these instructions.
The FXSAVE and FXRSTOR instructions were added in the "Deschutes" revision of Pentium II, and are not present in earlier "Klamath" revision.
They are also present in AMD K7.
They are also considered an integral part of SSE and are therefore present in all processors with SSE.
The FXSAVE and FXRSTOR instructions will save/restore SSE state only on processors that support SSE. Otherwise, they will only save/restore x87 and MMX state.
The x87 section of the state saved/restored by FXSAVE/FXRSTOR has a completely different layout than the data structure of the older F(N)SAVE/FRSTOR instructions, enabling faster save/restore by avoiding misaligned loads and stores.
When floating-point emulation is enabled with CR0.EM=1, FXSAVE(64) and FXRSTOR(64) are considered to be x87 instructions and will accordingly produce an #NM (device-not-available) exception. Other than WAIT, these are the only opcodes outside the D8..DF ESC opcode space that exhibit this behavior. (All opcodes in D8..DF will produce #NM if CR0.EM=1, even for undefined opcodes that would produce #UD otherwise.)
Unlike the older F(N)SAVE instruction, FXSAVE will not initialize the FPU after saving its state to memory, but instead leave the x87 coprocessor state unmodified.

Share this article:

This article uses material from the Wikipedia article MOV_(x86_instruction), and is written by contributors. Text is available under a CC BY-SA 4.0 International License; additional terms may apply. Images, videos and audio are available under their respective licenses.

[gdt_idt_descriptor-3] The descriptors used by the LGDT, LIDT, SGDT and SIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.
For LGDT and LIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of Intel SDM revision 079, March 2023 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.^[2]

[i286_serialize-4] The LGDT, LIDT, LLDT, LMSW and LTR instructions are serializing on Pentium and later processors.

[6] On 80386 and later, the "Machine Status Word" is the same as the CR0 control register – however, the LMSW instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means that LMSW can be used to enter but not leave x86 Protected Mode.
On 80286, it is not possible to leave Protected Mode at all (neither with LMSW nor with LOADALL^[3]) without a CPU reset – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-later MOV to CR0 instruction.

[10] If CR4.UMIP=1 is set, then the SGDT, SIDT, SLDT, SMSW and STR instructions can only run in Ring 0.
These instructions were unprivileged on all x86 CPUs from 80286 onwards until the introduction of UMIP in 2017.^[4] This has been a significant security problem for software-based virtualization, since it enables these instructions to be used by a VM guest to detect that it is running inside a VM.^[5]^[6]

[i286_extend16-11] The SMSW, SLDT and STR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows:
SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise.

SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors.

STR: Zero-extends 16-bit argument.

[6] SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise.

[7] SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors.

[8] STR: Zero-extends 16-bit argument.

[12] In 64-bit long mode, the ARPL instruction is not available – the 63 /r opcode has been reassigned to the 64-bit-mode-only MOVSXD instruction.

[15] The ARPL instruction causes #UD in Real mode and Virtual 8086 Mode – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the 63 opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.^[7]^[8]

[17] Bits 19:16 of this mask are documented as "undefined" on Intel CPUs.^[9] On AMD CPUs, the mask is documented as 0x00FFFF00.

[20] On some Intel CPU/microcode combinations from 2019 onwards, the VERW instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds for Microarchitectural Data Sampling security vulnerabilities.^[10]^[11]

[i286_undoc-23] Undocumented, 80286 only.^[3]^[12]^[13] (A different variant of LOADALL with a different opcode and memory layout exists on 80386.)

[24] For the 32-bit string instructions, the ±± notation is used to indicate that the indicated register is post-decremented by 4 if EFLAGS.DF=1 and post-incremented by 4 otherwise.
For the operands where the DS segment is indicated, the DS segment can be overridden by a segment-override prefix – where the ES segment is indicated, the segment is always ES and cannot be overridden.
The choice of whether to use the 16-bit SI/DI registers or the 32-bit ESI/EDI registers as the address registers to use is made by AddressSize, overridable with the 67 prefix.

[25] The 32-bit string instructions accept repeat-prefixes in the same way as older 8/16-bit string instructions.
For LODSD, STOSD, MOVSD, INSD and OUTSD, the REP prefix (F3) will repeat the instruction the number of times specified in rCX (CX or ECX, decided by AddressSize), decrementing rCX for each iteration (with rCX=0 resulting in no-op and proceeding to the next instruction).
For CMPSD and SCASD, the REPE (F3) and REPNE (F2) prefixes are available, which will repeat the instruction but only as long as the flag condition (ZF=1 for REPE, ZF=0 for REPNE) holds true.

[26] For the INSB/W/D instructions, the memory access rights for the ES:[rDI] memory address might not be checked until after the port access has been performed – if this check fails (e.g. page fault or other memory exception), then the data item read from the port is lost. As such, it is not recommended to use this instruction to access an I/O port that performs any kind of side effect upon read.

[27] I/O port access is only allowed when CPL≤IOPL or the I/O port permission bitmap bits for the port to access are all set to 0.

[28] The CWDE instruction differs from the older CWD instruction in that CWD would sign-extend the 16-bit value in AX into a 32-bit value in the DX:AX register pair.

[29] For the E3 opcode (JCXZ/JECXZ), the choice of whether the instruction will use CX or ECX for its comparison (and consequently which mnemonic to use) is based on the AddressSize, not OperandSize. (OperandSize instead controls whether the jump destination should be truncated to 16 bits or not).
This also applies to the loop instructions LOOP,LOOPE,LOOPNE (opcodes E0,E1,E2), however, unlike JCXZ/JECXZ, these instructions have not been given new mnemonics for their ECX-using variants.

[30] For PUSHA(D), the value of SP/ESP pushed onto the stack is the value it had just before the PUSHA(D) instruction started executing.

[31] For POPA/POPAD, the stack item corresponding to SP/ESP is popped off the stack (performing a memory read), but not placed into SP/ESP.

[32] The PUSHFD and POPFD instructions will cause a #GP exception if executed in virtual 8086 mode if IOPL is not 3.
The PUSHF, POPF, IRET and IRETD instructions will cause a #GP exception if executed in Virtual-8086 mode if IOPL is not 3 and VME is not enabled.

[35] If IRETD is used to return from kernel mode to user mode (which will entail a CPL change) and the user-mode stack segment indicated by SS is a 16-bit segment, then the IRETD instruction will only restore the low 16 bits of the stack pointer (ESP/RSP), with the remaining bits keeping whatever value they had in kernel code before the IRETD. This has necessitated complex workarounds on both Linux ("ESPFIX")^[14] and Windows.^[15] This issue also affects the later 64-bit IRETQ instruction.

[bt_offsetting-36] For the BT, BTS, BTR and BTC instructions:
If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.)

If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test.

[25] If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.)

[26] If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test.

[bt_atomic-37] The BTS, BTC and BTR instructions accept the LOCK (F0) prefix when used with a memory argument – this results in the instruction executing atomically.

[38] If the F3 prefix is used with the 0F BC /r opcode, then the instruction will execute as TZCNT on systems that support the BMI1 extension. TZCNT differs from BSF in that TZCNT but not BSR is defined to return operand size if the source operand is zero – for other source operand values, they produce the same result.

[bsf_bsr_zero-39] BSF and BSR set the EFLAGS.ZF flag to 1 if the source argument was all-0s and 0 otherwise.
If the source argument was all-0s, then the destination register is documented as being left unchanged on AMD processors, but set to an undefined value on Intel processors.

[40] If the F3 prefix is used with the 0F BD /r opcode, then the instruction will execute as LZCNT on systems that support the ABM or LZCNT extensions. LZCNT produces a different result from BSR for most input values.

[shld_shamt-42] For SHLD and SHRD, the shift-amount is masked – the bottom 5 bits are used for 16/32-bit operand size and 6 bits for 64-bit operand size.
SHLD and SHRD with 16-bit arguments and a shift-amount greater than 16 produce undefined results. (Actual results differ between different Intel CPUs, with at least three different behaviors known.^[16])

[setcc_conds-43] The condition codes supported for the SETcc and Jcc near instructions (opcodes 0F 9x /0 and 0F 8x respectively, with the x nibble specifying the condition) are:
More information x, cc ...

x cc Condition (EFLAGS)

0 O OF=1: "Overflow"

1 NO OF=0: "Not Overflow"

2 C,B,NAE CF=1: "Carry", "Below", "Not Above or Equal"

3 NC,NB,AE CF=0: "Not Carry", "Not Below", "Above or Equal"

4 Z,E ZF=1: "Zero", "Equal"

5 NZ,NE ZF=0: "Not Zero", "Not Equal"

6 NA,BE (CF=1 or ZF=1): "Not Above", "Below or Equal"

7 A,NBE (CF=0 and ZF=0): "Above", "Not Below or Equal"

8 S SF=1: "Sign"

9 NS SF=0: "Not Sign"

A P,PE PF=1: "Parity", "Parity Even"

B NP,PO PF=0: "Not Parity", "Parity Odd"

C L,NGE SF≠OF: "Less", "Not Greater Or Equal"

D NL,GE SF=OF: "Not Less", "Greater Or Equal"

E LE,NG (ZF=1 or SF≠OF): "Less or Equal", "Not Greater"

F NLE,G (ZF=0 and SF=OF): "Not Less or Equal", "Greater"

Close

[44] For SETcc, while the opcode is commonly specified as /0 – implying that bits 5:3 of the instruction's ModR/M byte should be 000 – modern x86 processors (Pentium and later) ignore bits 5:3 and will execute the instruction as SETcc regardless of the contents of these bits.

[45] For LFS, LGS and LSS, the size of the offset part of the far pointer is given by operand size – the size of the segment part is always 16 bits. In 64-bit mode, using the REX.W prefix with these instructions will cause them to load a far pointer with a 64-bit offset on Intel but not AMD processors.

[movcr_modrm-46] For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b.

[movcr_opsiz-47] For moves to/from the CRx and DRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise.

[49] On processors prior to Pentium, moves to CR0 would not serialize the instruction stream – in part for this reason, it is usually required to perform a far jump immediately after a MOV to CR0 if such a MOV is used to enable/disable protected mode and/or memory paging.
MOV to CR2 is architecturally listed as serializing, but has been reported to be non-serializing on at least some Intel Core-i7 processors.^[17]
MOV to CR8 (introduced with x86-64) is not serializing.

[movtr_pent-50] The MOV TRx instructions were discontinued from Pentium onwards.

[55] The INT1/ICEBP (F1) instruction is present on all known Intel x86 processors from the 80386 onwards,^[18] but only fully documented for Intel processors from the May 2018 release of the Intel SDM (rev 067) onwards.^[19] Before this release, mention of the instruction in Intel material was sporadic, e.g. AP-526 rev 001.^[20]
For AMD processors, the instruction has been documented since 2002.^[21]

[56] The operation of the F1(ICEBP) opcode differs from the operation of the regular software interrupt opcode CD 01 in several ways:
In protected mode, CD 01 will check CPL against the interrupt descriptor's DPL field as an access-rights check, while F1 will not.
In virtual-8086 mode, CD 01 will also check CPL against IOPL as an access-rights check, while F1 will not.
In virtual-8086 mode with VME enabled, interrupt redirection is supported for CD 01 but not F1.

[41] In virtual-8086 mode, CD 01 will also check CPL against IOPL as an access-rights check, while F1 will not.

[42] In virtual-8086 mode with VME enabled, interrupt redirection is supported for CD 01 but not F1.

[57] The UMOV instruction is present on 386 and 486 processors only.^[18]

[xbts_discon-60] The XBTS and IBTS instructions were discontinued with the B1 stepping of 80386.
They have been used by software mainly for detection of the buggy^[22] B0 stepping of the 80386. Microsoft Windows (v2.01 and later) will attempt to run the XBTS instruction as part of its CPU detection if CPUID is not present, and will refuse to boot if XBTS is found to be working.^[23]

[xbts_op-62] For XBTS and IBTS, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.^[24]

[i386_loadall-64] Undocumented, 80386 only.^[25]

[67] Using BSWAP with 16-bit registers isn't disallowed per se (it will execute without producing an #UD or other exceptions) but is documented to produce undefined results – it is reported to produce various different results on 486,^[26] 586, and Bochs/QEMU.^[27]

[i486_cmpxchg-71] On Intel 80486 stepping A,^[28] the CMPXCHG instruction uses a different encoding - 0F A6 /r for 8-bit variant, 0F A7 /r for 16/32-bit variant. The 0F B0/B1 encodings are used on 80486 stepping B and later.^[29]^[30]

[72] The CMPXCHG instruction sets EFLAGS in the same way as a CMP instruction that uses the accumulator (AL/AX/EAX/RAX) as its first argument would do.

[73] INVLPG executes as no-operation if the m8 argument is invalid (e.g. unmapped page or non-canonical address).
INVLPG can be used to invalidate TLB entries for individual global pages.

[invd_scope-74] The INVD and WBINVD instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.
These instructions are serializing – on some processors, they may block interrupts until completion as well.

[76] If the PRM (Processor Reserved Memory) has been set up by using the PRMRRs (PRM range registers), then the INVD instruction is not permitted and will cause a #GP(0) exception. (The PRM is needed for Intel SGX.)^[31]

[77] If the F3 prefix is used with the 0F 09 opcode, then the instruction will execute as WBNOINVD on processors that support the WBNOINVD extension – this will not invalidate the cache.

[80] On Intel and AMD CPUs, the WRMSR instruction is also used to update the CPU microcode. This is done by writing the virtual address of the new microcode to upload to MSR 79h on Intel CPUs and MSR C001_0020h^[33] on AMD CPUs.

[82] Writes to the following MSRs are not serializing:^[34]
More information Number, Name ...

Number Name

48h SPEC_CTRL

49h PRED_CMD

122h TSX_CTRL

6E0h TSC_DEADLINE

6E1h PKRS

774h HWP_REQUEST
(non-serializing only if the FAST_IA32_HWP_REQUEST bit it set)

802h to 83Fh (x2APIC MSRs)

C001_011Bh Doorbell Register (AMD)

Close

[86] System Management Mode and the RSM instruction were made available on non-SL variants of the Intel 486 only after the initial release of the Intel Pentium in 1993.

[90] On some older 32-bit processors, executing CPUID with a leaf index (EAX) greater than 0 may leave EBX and ECX unmodified, keeping their old values. For this reason, it is recommended to zero out EBX and ECX before executing CPUID.
Processors noted to exhibit this behavior include Cyrix MII^[39] and IDT WinChip 2.^[40]

In 64-bit mode, CPUID will set the top 32 bits of RAX, RBX, RCX and RDX to zero.

[94] On some Intel processors starting from Ivy Bridge, there exists MSRs that can be used to restrict CPUID to ring 0. Such MSRs are documented for at least Ivy Bridge^[41] and Denverton.^[42]
The ability to restrict CPUID to ring 0 also exists on AMD processors supporting the "CpuidUserDis" feature (Zen 4 "Raphael" and later).^[43]

[cpuid_backported-95] CPUID is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium.

[96] On the Cyrix 5x86 and 6x86 CPUs, CPUID is not enabled by default and must be enabled through a Cyrix configuration register.

[98] On NexGen CPUs, CPUID is only supported with some system BIOSes. On some NexGen CPUs that do support CPUID, EFLAGS.ID is not supported but EFLAGS.AC is, complicating CPU detection.^[44]

[99] Unlike the older CMPXCHG instruction, the CMPXCHG8B instruction does not modify any EFLAGS bits other than ZF.

[100] LOCK CMPXCHG8B with a register operand (which is an invalid encoding) can cause hangs on some Intel Pentium CPUs (Pentium F00F bug).

[cmpxchg8b_ntbug-102] On IDT WinChip, Transmeta Crusoe and Rise mP6 processors, the CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.^[45]

[rdtsc_pmc_unordered-104] The RDTSC and RDPMC instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations of RDPMC (but not RDTSC) may be reordered relative to each other even for reads of the same counter.
In order to impose ordering with respect to other instructions, LFENCE or serializing instructions (e.g. CPUID) are needed.^[46]

[108] Fixed-rate TSC was introduced in two stages:
Constant TSC
TSC running at a fixed rate as long as the processor core is not in a deep-sleep (C2 or deeper) mode, but not synchronized between CPU cores. Introduced in Intel Prescott, Yonah and Bonnell. Also present in all Transmeta and VIA Nano^[47] CPUs. Does not have a CPUID bit.
Invariant TSC
TSC running at a fixed rate, and remaining synchronized between CPU cores in all P-,C- and T-states (but not necessarily S-states).
Present in AMD K10 and later; Intel Nehalem/Saltwell^[48] and later; Zhaoxin WuDaoKou^[49] and later. Indicated with a CPUID bit (leaf 8000_0007:EDX[8]).

[110] RDTSC can be run outside Ring 0 only if CR4.TSD=0.
On Intel Pentium and AMD K5, RDTSC cannot be run in Virtual-8086 mode.^[50] Later processors removed this restriction.

[111] RDPMC can be run outside Ring 0 only if CR4.PCE=1.

[112] The RDPMC instruction is not present in VIA processors prior to the Nano.

[113] The condition codes supported for CMOVcc instruction (opcode 0F 4x /r, with the x nibble specifying the condition) are:
More information x, cc ...

x cc Condition (EFLAGS)

0 O OF=1: "Overflow"

1 NO OF=0: "Not Overflow"

2 C,B,NAE CF=1: "Carry", "Below", "Not Above or Equal"

3 NC,NB,AE CF=0: "Not Carry", "Not Below", "Above or Equal"

4 Z,E ZF=1: "Zero", "Equal"

5 NZ,NE ZF=0: "Not Zero", "Not Equal"

6 NA,BE (CF=1 or ZF=1): "Not Above", "Below or Equal"

7 A,NBE (CF=0 and ZF=0): "Above", "Not Below or Equal"

8 S SF=1: "Sign"

9 NS SF=0: "Not Sign"

A P,PE PF=1: "Parity", "Parity Even"

B NP,PO PF=0: "Not Parity", "Parity Odd"

C L,NGE SF≠OF: "Less", "Not Greater Or Equal"

D NL,GE SF=OF: "Not Less", "Greater Or Equal"

E LE,NG (ZF=1 or SF≠OF): "Less or Equal", "Not Greater"

F NLE,G (ZF=0 and SF=OF): "Not Less or Equal", "Greater"

Close

[114] In 64-bit mode, CMOVcc with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.
For CMOVcc with a memory source operand, the CPU will always read the operand from memory – potentially causing memory exceptions and cache line-fills – even if the condition for the move is not satisfied. (The Intel APX extension defines an EVEX-encoded variant of CMOVcc that will suppress memory exceptions if the condition is false.)

[115] Unlike other instructions added in Pentium Pro, long NOP does not have a CPUID feature bit.

[119] 0F 1F /0 as long-NOP was introduced in the Pentium Pro, but remained undocumented until 2006.^[52] The whole 0F 18..1F opcode range was NOP in Pentium Pro. However, except for 0F 1F /0, Intel does not guarantee that these opcodes will remain NOP in future processors, and have indeed assigned some of these opcodes to other instructions in at least some processors.^[53]

[121] Documented for AMD x86-64 since 2002.^[54]

[124] While the 0F 0B opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned the mnemonic UD2 from Pentium Pro onwards.^[56]

[ud2_binutils-127] GNU Binutils have used the UD2A and UD2B mnemonics for the 0F 0B and 0F B9 opcodes since version 2.7.^[57]
Neither UD2A nor UD2B originally took any arguments - UD2B was later modified to accept a ModR/M byte, in Binutils version 2.30.^[58]

[ud_186-128] The UD0/1/2 opcodes - 0F 0B, 0F B9 and 0F FF - will cause an #UD exception on all x86 processors from the 80186 onwards (except NEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors.

[132] While the 0F B9 opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned its mnemonic UD1 much later – AMD APM started listing UD1 in its opcode maps from rev 3.17 onwards,^[60] while Intel SDM started listing it from rev 061 onwards.^[61]

[ud01_modrm-135] For both the 0F B9 and 0F FF opcodes, different x86 implementations are known to differ regarding whether the opcodes accept a ModR/M byte.^[62]^[63]

[138] For the 0F FF opcode, the OIO mnemonic was introduced by Cyrix,^[64] while the UD0 menmonic (without arguments) was introduced by AMD and Intel at the same time as the UD1 mnemonic for 0F B9.^[60]^[61] Later Intel (but not AMD) documentation modified its description of UD0 to add a ModR/M byte and take two arguments.^[65]

[141] On K6, the SYSCALL/SYSRET instructions were available on Model 7 (250nm "Little Foot") and later, not on the earlier Model 6.^[67]

[142] SYSCALL and SYSRET were made an integral part of x86-64 – as a result, the instructions are available in 64-bit mode on all x86-64 processors from AMD, Intel, VIA and Zhaoxin.
Outside 64-bit mode, the instructions are available on AMD processors only.

[144] The exact semantics of SYSRET differs slightly between AMD and Intel processors: non-canonical return addresses cause a #GP exception to be thrown in Ring 3 on AMD CPUs but Ring 0 on Intel CPUs. This has been known to cause security issues.^[68]

[sysret_64bit-145] For the SYSRET and SYSEXIT instructions under x86-64, it is necessary to add the REX.W prefix for variants that will return to 64-bit user-mode code.
Encodings of these instructions without the REX.W prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code.)

[syscall_realmode-146] The SYSRET, SYSENTER and SYSEXIT instructions are unavailable in Real mode. (SYSENTER is, however, available in Virtual 8086 mode.)

[149] The CPUID flags that indicate support for SYSENTER/SYSEXIT are set on the Pentium Pro, even though the processor does not officially support these instructions.^[69]
Third party testing indicates that the opcodes are present on the Pentium Pro but too buggy to be usable.^[70]

[151] On AMD CPUs, the SYSENTER and SYSEXIT instructions are not available in x86-64 long mode (#UD).

[153] On Transmeta CPUs, the SYSENTER and SYSEXIT instructions are only available with version 4.2 or higher of the Transmeta Code Morphing software.^[72]

[155] On Nehemiah, SYSENTER and SYSEXIT are available only on stepping 8 and later.^[73]

[156] The memory operand to CMPXCHG16B must be 16-byte aligned.

[160] The CMPXCHG16B instruction was absent from a few of the earliest Intel/AMD x86-64 processors. On Intel processors, the instruction was missing from Xeon "Nocona" stepping D,^[74] but added in stepping E.^[75] On AMD K8 family processors, it was added in stepping F, at the same time as DDR2 support was introduced.^[76]
For this reason, CMPXCHG16B has its own CPUID flag, separate from the rest of x86-64.

[162] Encodings of MOVSXD without REX.W prefix are permitted but discouraged^[77] – such encodings behave identically to 16/32-bit MOV (8B /r).

[163] On AMD CPUs, the "ABM" extension provides both POPCNT and LZCNT. On Intel CPUs, however, the CPUID bit for "ABM" is only documented to indicate the presence of the LZCNT instruction and is listed as "LZCNT", while POPCNT has its own separate CPUID feature bit.
However, all known processors that implement the "ABM"/"LZCNT" extensions also implement POPCNT and set the CPUID feature bit for POPCNT, so the distinction is theoretical only.
(The converse is not true – there exist processors that support POPCNT but not ABM, such as Intel Nehalem and VIA Nano 3000.)

[164] The LZCNT instruction will execute as BSR on systems that do not support the LZCNT or ABM extensions. BSR computes the index of the highest set bit in the source operand, producing a different result from LZCNT for most input values.

[165] The TZCNT instruction will execute as BSF on systems that do not support the BMI1 extension. BSF produces the same result as TZCNT for all input operand values except zero – for which TZCNT returns input operand size, but BSF produces undefined behavior (leaves destination unmodified on most modern CPUs).

[166] For BEXTR, the start position and length are not masked and can take values from 0 to 255. If the selected bits extend beyond the end of the r/m argument (which has the usual 32/64-bit operand size), then the excess bits are read out as 0.

[170] On AMD processors before Zen 3, the PEXT and PDEP instructions are quite slow^[78] and exhibit data-dependent timing due to the use of a microcoded implementation (about 18 to 300 cycles, depending on the number of bits set in the mask argument). As a result, it is often faster to use other instruction sequences on these processors.^[79]^[80]

[rdssp_nop-171] The RDSSPD and RDSSPQ instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported.

[endbr_nop-172] ENDBR32 and ENDBR64 act as NOPs on processors that don't support CET_IBT or where IBT is disabled.

[176] This prefix has the same encoding as the DS: segment override prefix – as of April 2022, Intel documentation does not appear to specify whether this prefix also retains its old segment-override function when used as a no-track prefix, nor does it provide an official mnemonic for this prefix.^[81]^[82] (GNU binutils use "notrack"^[83])

[k7_mmxext-177] AMD Athlon processors prior to the Athlon XP did not support full SSE, but did introduce the non-SIMD instructions of SSE as part of "MMX Extensions".^[84] These extensions (without full SSE) are also present on Geode GX2 and later Geode processors.

[prefetch_hint-178] All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated.

[sse_partial_decode-180] For the SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction.

[183] The SFENCE instruction ensures that all memory stores after the SFENCE instruction are made globally observable after all memory stores before the SFENCE. This imposes ordering on stores that can otherwise be reordered, such as non-temporal stores and stores to WC (Write-Combining) memory regions.^[85]
On Intel CPUs, as well as AMD CPUs from Zen1 onwards (but not older AMD CPUs), SFENCE also acts as a reordering barrier on cache flushes/writebacks performed with the CLFLUSH, CLFLUSHOPT and CLWB instructions. (Older AMD CPUs require MFENCE to order CLFLUSH.)
SFENCE is not ordered with respect to LFENCE, and an SFENCE+LFENCE sequence is not sufficient to prevent a load from being reordered past a previous store.^[86] To prevent such reordering, it is necessary to execute an MFENCE, LOCK or a serializing instruction.

[186] The LFENCE instruction ensures that all memory loads after the LFENCE instruction are made globally observable after all memory loads before the LFENCE.
On all Intel CPUs that support SSE2, the LFENCE instruction provides a stronger ordering guarantee:^[87] it is dispatch-serializing, meaning that instructions after the LFENCE instruction are allowed to start executing only after all instructions before it have retired (which will ensure that all preceding loads but not necessarily stores have completed). The effect of dispatch-serialization is that LFENCE also acts as a speculation barrier and a reordering barrier for accesses to non-memory resources such as performance counters (accessed through e.g. RDTSC or RDPMC) and x2apic MSRs.
On AMD CPUs, LFENCE is not necessarily dispatch-serializing by default – however, on all AMD CPUs that support any form of non-dispatch-serializing LFENCE, it can be made dispatch-serializing by setting bit 1 of MSR C001_1029.^[88]

[187] The MFENCE instruction ensures that all memory loads, stores and cacheline-flushes after the MFENCE instruction are made globally observable after all memory loads, stores and cacheline-flushes before the MFENCE.
On Intel CPUs, MFENCE is not dispatch-serializing, and therefore cannot be used to enforce ordering on accesses to non-memory resources such as performance counters and x2apic MSRs. MFENCE is still ordered with respect to LFENCE, so if a memory barrier with dispatch serialization is needed, then it can be obtained by issuing an MFENCE followed by an LFENCE.^[46]
On AMD CPUs, MFENCE is serializing.

[188] The operation of the PAUSE instruction in 64-bit mode is, unlike NOP, unaffected by the presence of the REX.R prefix. Neither NOP nor PAUSE are affected by the other bits of the REX prefix. A few examples of opcode 90 with various prefixes in 64-bit mode are:
90 is NOP
41 90 is XCHG R8D,EAX
4E 90 is NOP
49 90 is XCHG R8,RAX
F3 90 is PAUSE
F3 41 90 is PAUSE
F3 4F 90 is PAUSE

[108] 90 is NOP

[109] 41 90 is XCHG R8D,EAX

[110] 4E 90 is NOP

[111] 49 90 is XCHG R8,RAX

[112] F3 90 is PAUSE

[113] F3 41 90 is PAUSE

[114] F3 4F 90 is PAUSE

[189] The actual length of the pause performed by the PAUSE instruction is implementation-dependent.
On systems without SSE2, PAUSE will execute as NOP.

[190] Under VT-x or AMD-V virtualization, executing PAUSE many times in a short time interval may cause a #VMEXIT. The number of PAUSE executions and interval length that can trigger #VMEXIT are platform-specific.

[191] While the CLFLUSH instruction was introduced together with SSE2, it has its own CPUID flag and may be present on processors not otherwise implementing SSE2 and/or absent from processors that otherwise implement SSE2. (E.g. AMD Geode LX supports CLFLUSH but not SSE2.)

[192] While the MONITOR and MWAIT instructions were introduced at the same time as SSE3, they have their own CPUID flag that needs to be checked separately from the SSE3 CPUID flag (e.g. Athlon 64 X2 and VIA C7 supported SSE3 but not MONITOR.)

[monitor_explicit_op-195] For the MONITOR and MWAIT instructions, older Intel documentation^[89] lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX and MWAIT EAX,ECX), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.^[90]

[196] For MONITOR, the DS: segment can be overridden with a segment prefix.
The memory area that will be monitored will be not just the single byte specified by DS:rAX, but a linear memory region containing the byte – the size and alignment of this memory region is implementation-dependent and can be queried through CPUID.
The memory location to monitor should have memory type WB (write-back cacheable), or else monitoring may fail.

[197] As of April 2024, no extensions or hints have been defined for the MONITOR instruction. As such, the instruction requires ECX=0 and ignores EDX.

[monitor_ring3-200] On some processors, such as Intel Xeon Phi x200^[91] and AMD K10^[92] and later, there exist documented MSRs that can be used to enable MONITOR and MWAIT to run in Ring 3.

[201] The wait performed by MWAITmay be ended by system events other than a memory write (e.g. cacheline evictions, interrupts) – the exact set of events that can cause the wait to end is implementation-specific.
Regardless of whether the wait was ended by a memory write or some other event, monitoring will have ended and it will be necessary to set up monitoring again with MONITOR before using MWAIT to wait for memory writes again.

[204] The extension flags available for MWAIT in the ECX register are:
More information Bits, MWAIT Extension ...

Bits MWAIT Extension

0 Treat interrupts as break events, even when masked (EFLAGS.IF=0). (Available on all non-NetBurst implementations of MWAIT.)

1 Timed MWAIT: end the wait when the TSC reaches or exceeds the value in EDX:EBX. (Undocumented, reportedly present in Intel Skylake and later Intel processors)^[93]

2 Monitorless MWAIT^[94]

31:3 Not used, must be set to zero.

Close

[205] The hint flags available for MWAIT in the EAX register are: The C-states are processor-specific power states, which do not necessarily correspond 1:1 to ACPI C-states.
More information Bits, MWAIT Hint ...

Bits MWAIT Hint

3:0 Sub-state within a C-state (see bits 7:4) (Intel processors only)

7:4 Target CPU power C-state during wait, minus 1. (E.g. 0000b for C1, 0001b for C2, 1111b for C0)

31:8 Not used.

Close

[206] For the GETSEC instruction, the REX.W prefix enables 64-bit addresses for the EXITAC leaf function only - REX prefixes are otherwise permitted but ignored for the instruction.

[207] The leaf functions defined for GETSEC (selected by EAX) are: Any unsupported value in EAX causes an #UD exception.
More information EAX, Function ...

EAX Function

0 (CAPABILITIES) Report SMX capabilities

2 (ENTERACCES) Enter execution of authenticated code module

3 (EXITAC) Exit execution of authenticated code module

4 (SENTER) Enter measured environment

5 (SEXIT) Exit measured environment

6 (PARAMETERS) Report SMX parameters

7 (SMCTRL) SMX Mode Control

8 (WAKEUP) Wake up sleeping processors in measured environment

Close

[208] For GETSEC, most leaf functions are restricted to Ring 0, but the CAPABILITIES (EAX=0) and PARAMETERS (EAX=6) leaf functions are available in Ring 3.

[210] XSAVE was added in steppings E0/R0 of Penryn and is not available in earlier steppings.

[211] On some processors (starting with Skylake, Goldmont and Zen 1), executing XGETBV with ECX=1 is permitted – this will not return XCR1 (no such register exists) but instead return XCR0 bitwise-ANDed with the current value of the "XINUSE" state-component bitmap (a bitmap of XSAVE state-components that are not known to be in their initial state).
The presence of this functionality of XGETBV is indicated by CPUID.(EAX=0Dh,ECX=1):EAX[bit 2].

[rdtscp_rdpid-212] The "core ID" value read by RDTSCP and RDPID is actually the TSC_AUX MSR (MSR C000_0103h). Whether this value actually corresponds to a processor ID is a matter of operating system convention.

[213] Unlike the older RDTSC instruction, RDTSCP will delay the TSC read until all previous instructions have retired, guaranteeing ordering with respect to preceding memory loads (but not stores). RDTSCP is not ordered with respect to subsequent instructions, though.

[214] RDTSCP can be run outside Ring 0 only if CR4.TSD=0.

[215] Support for RDTSCP was added in stepping F of the AMD K8, and is not available on earlier steppings.

[216] While the POPCNT instruction was introduced at the same time as SSE4.2, it is not considered to be a part of SSE4.2, but instead a separate extension with its own CPUID flag.
On AMD processors, it is considered to be a part of the ABM extension, but still has its own CPUID flag.

[217] The invalidation types defined for INVPCID (selected by register argument) are: Any unsupported value in the register argument causes a #GP exception.
More information Value, Function ...

Value Function

0 Invalidate TLB entries matching PCID and virtual memory address in descriptor, excluding global entries

1 Invalidate TLB entries matching PCID in descriptor, excluding global entries

2 Invalidate all TLB entries, including global entries

3 Invalidate all TLB entries, excluding global entries

Close

[219] Unlike the older INVLPG instruction, INVPCID will cause a #GP exception if the provided memory address is non-canonical. This discrepancy has been known to cause security issues.^[96]

[220] The PREFETCH and PREFETCHW instructions are mandatory parts of the 3DNow! instruction set extension, but are also available as a standalone extension on systems that do not support 3DNow!

[221] The opcodes for PREFETCH and PREFETCHW (0F 0D /r) execute as NOPs on Intel CPUs from Cedar Mill (65nm Pentium 4) onwards, with PREFETCHW gaining prefetch functionality from Broadwell onwards.

[224] The PREFETCH (0F 0D /0) instruction is a 3DNow! instruction, present on all processors with 3DNow! but not necessarily on processors with the PREFETCHW extension.
On AMD CPUs with PREFETCHW, opcode 0F 0D /0 as well as opcodes 0F 0D /2../7 are all documented to be performing prefetch.
On Intel processors with PREFETCHW, these opcodes are documented as performing reserved-NOPs^[97] (except 0F 0D /2 being PREFETCHWT1 m8 on Xeon Phi only) – third party testing^[98] indicates that some or all of these opcodes may be performing prefetch on at least some Intel Core CPUs.

[lujiazui_step2-226] The SMAP, PKU and RDPID instruction set extensions are supported on stepping 2^[99] and later of Zhaoxin LuJiaZui, but not on earlier steppings.

[227] Unlike the older RDTSCP instruction which can also be used to read the processor ID, user-mode RDPID is not disabled by CR4.TSD=1.

[228] The WBNOINVD instruction will execute as WBINVD if run on a system that doesn't support the WBNOINVD extension.
WBINVD differs from WBNOINVD in that WBINVD will invalidate all cache lines after writeback.

[231] The leaf functions defined for ENCLS (selected by EAX) are: Any unsupported value in EAX causes a #GP exception.
More information EAX, Function ...

EAX Function

0 (ECREATE) Create an enclave

1 (EADD) Add a page

2 (EINIT) Initialize an enclave

3 (EREMOVE) Remove a page from EPC (Enclave Page Cache)

4 (EDBGRD) Read data by debugger

5 (EDBGWR) Write data by debugger

6 (EEXTEND) Extend EPC page measurement

7 (ELDB) Load an EPC page as blocked

8 (ELDU) Load an EPC page as unblocked

9 (EBLOCK) Block an EPC page

A (EPA) Add version array

B (EWB) Writeback/invalidate EPC page

C (ETRACK) Activate EBLOCK checks

Added with SGX2

D (EAUG) Add page to initialized enclave

E (EMODPTR) Restrict permissions of EPC page

F (EMODT) Change type of EPC page

Added with OVERSUB^[100]

10 (ERDINFO) Read EPC page type/status info

11 (ETRACKC) Activate EBLOCK checks

12 (ELDBC) Load EPC page as blocked with enhanced error reporting

13 (ELDUC) Load EPC page as unblocked with enhanced error reporting

Other

18 (EUPDATESVN) Update SVN (Security Version Number) after live microcode update^[101]

Close

[233] SGX is deprecated on desktop/laptop processors from 11th generation (Rocket Lake, Tiger Lake) onwards, but continues to be available on Xeon-branded server parts.^[102]

[236] The leaf functions defined for ENCLU (selected by EAX) are: Any unsupported value in EAX causes a #GP exception.
The EENTER and ERESUME functions cannot be executed inside an SGX enclave – the other functions can only be executed inside an enclave.
More information EAX, Function ...

EAX Function

0 (EREPORT) Create a cryptographic report

1 (EGETKEY) Create a cryptographic key

2 (EENTER) Enter an Enclave

3 (ERESUME) Re-enter an Enclave

4 (EEXIT) Exit an Enclave

Added with SGX2

5 (EACCEPT) Accept changes to EPC page

6 (EMODPE) Extend EPC page permissions

7 (EACCEPTCOPY) Initialize pending page

Added with TDX^[104]

8 (EVERIFYREPORT2) Verify a cryptographic report of a trust domain

Added with AEX-Notify

9 (EDECCSSA) Decrement TCS.CSSA

Close

[237] ENCLU can only be executed in ring 3, not rings 0/1/2.

[238] The leaf functions defined for ENCLV (selected by EAX) are: Any unsupported value in EAX causes a #GP exception.
The ENCLV instruction is only present on systems that support the EPC Oversubscription Extensions to SGX ("OVERSUB").
More information EAX, Function ...

EAX Function

Added with OVERSUB^[100]

0 (EDECVIRTCHILD) Decrement VIRTCHILDCNT in SECS

1 (EINCVIRTCHILD) Increment VIRTCHILDCNT in SECS

2 (ESETCONTEXT) Set ENCLAVECONTEXT field in SECS

Close

[239] ENCLV is only available if Intel VMX operation is enabled with VMXON, and will produce #UD otherwise.

[240] For PTWRITE, the write to the Processor Trace Packet will only happen if a set of enable-bits (the "TriggerEn", "ContextEn", "FilterEn" bits of the RTIT_STATUS MSR and the "PTWEn" bit of the RTIT_CTL MSR) are all set to 1.
The PTWRITE instruction is indicated in the SDM to cause an #UD exception if the 66h instruction prefix is used, regardless of other prefixes.

[241] For MOVDIR64, the destination address given by ES:reg must be 64-byte aligned.
The operand size for the register argument is given by the address size, which may be overridden by the 67h prefix.
The 64-byte memory source argument does not need to be 64-byte aligned, and is not guaranteed to be read atomically.

[242] The leaf functions defined for PCONFIG (selected by EAX) are: Any unsupported value in EAX causes a #GP(0) exception.
More information EAX, Function ...

EAX Function

0 MKTME_KEY_PROGRAM:
Program key and encryption mode to use with an TME-MK Key ID.

Added with TSE

1 TSE_KEY_PROGRAM:
Direct key programming for TSE.

2 TSE_KEY_PROGRAM_WRAPPED:
Wrapped key programming for TSE.

Close

[243] For CLDEMOTE, the cache level that it will demote a cache line to is implementation-dependent.
Since the instruction is considered a hint, it will execute as a NOP without any exceptions if the provided memory address is invalid or not in the L1 cache. It may also execute as a NOP under other implementation-dependent circumstances as well.
On systems that do not support the CLDEMOTE extension, it executes as a NOP.

[246] Intel documentation lists Tremont and Alder Lake as the processors in which CLDEMOTE was introduced. However, as of May 2022, no Tremont or Alder Lake models have been observed to have the CPUID feature bit for CLDEMOTE set, while several of them have the CPUID bit cleared.^[105]
As of April 2023, the CPUID feature bit for CLDEMOTE has been observed to be set for Sapphire Rapids.^[106]

[247] For UMONITOR, the operand size of the address argument is given by the address size, which may be overridden by the 67h prefix. The default segment used is DS:, which can be overridden with a segment prefix.

[248] For UMWAIT, the operating system can use the IA32_UMWAIT_CONTROL MSR to limit the maximum amount of time that a single UMWAIT invocation is permitted to wait. The UMWAIT instruction will set RFLAGS.CF to 1 if it reached the IA32_UMWAIT_CONTROL-defined time limit and 0 otherwise.

[waitpkg_cr4tsd-249] TPAUSE and UMWAIT can be run outside Ring 0 only if CR4.TSD=0.

[250] While serialization can be performed with older instructions such as e.g. CPUID and IRET, these instructions perform additional functions, causing side-effects and reduced performance when stand-alone instruction serialization is needed. (CPUID additionally has the issue that it causes a mandatory #VMEXIT when executed under virtualization, which causes a very large overhead.) The SERIALIZE instruction performs serialization only, avoiding these added costs.

[251] A bitmap of CPU history components that can be reset through HRESET is provided by CPUID.(EAX=20h,ECX=0):EBX.
As of July 2023, the following bits are defined:
More information Bit, Usage ...

Bit Usage

0 Intel Thread Director history

31:1 (Reserved)

Close

[252] The register argument to SENDUIPI is an index to pick an entry from the UITT (User-Interrupt Target Table, a table specified by the new UINTR_TT and UINT_MISC MSRs.)

[1]

[lower-alpha 1]

[lower-alpha 2]

[lower-alpha 3]

[lower-alpha 4]

[lower-alpha 5]

[lower-alpha 6]

[lower-alpha 7]

[lower-alpha 8]

[lower-alpha 9]

[lower-alpha 10]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[lower-alpha 1]

[lower-alpha 2]

[lower-alpha 3]

[lower-alpha 4]

[lower-alpha 5]

[lower-alpha 6]

[lower-alpha 7]

[lower-alpha 8]

[lower-alpha 9]

[lower-alpha 10]

[14]

[15]

[lower-alpha 1]

[lower-alpha 2]

[lower-alpha 3]

[lower-alpha 4]

[lower-alpha 5]

[lower-alpha 6]

[lower-alpha 7]

[lower-alpha 8]

[lower-alpha 9]

[lower-alpha 10]

[lower-alpha 11]

[lower-alpha 12]

[lower-alpha 13]

[lower-alpha 14]

[lower-alpha 15]

[lower-alpha 16]

[lower-alpha 17]

[lower-alpha 18]

[lower-alpha 19]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[lower-alpha 1]

[lower-alpha 2]

[lower-alpha 3]

[lower-alpha 4]

[lower-alpha 5]

[lower-alpha 6]

[lower-alpha 7]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[lower-alpha 1]

[lower-alpha 2]

[35]

[36]

[37]

[lower-alpha 3]

[38]

[lower-alpha 4]

[lower-alpha 5]

[lower-alpha 6]

[lower-alpha 7]

[lower-alpha 8]

[lower-alpha 9]

[lower-alpha 10]

[lower-alpha 11]

[lower-alpha 12]

[lower-alpha 13]

[lower-alpha 14]

[lower-alpha 15]

[lower-alpha 16]

[lower-alpha 17]

[lower-alpha 18]

In- struc- tion	Meaning	Notes	Opcode
AAA	ASCII adjust AL after addition	used with unpacked binary-coded decimal	0x37
AAD	ASCII adjust AX before division	8086/8088 datasheet documents only base 10 version of the AAD instruction (opcode 0xD5 0x0A), but any other base will work. Later Intel's documentation has the generic form too. NEC V20 and V30 (and possibly other NEC V-series CPUs) always use base 10, and ignore the argument, causing a number of incompatibilities	0xD5
AAM	ASCII adjust AX after multiplication	Only base 10 version (Operand is 0xA) is documented, see notes for AAD	0xD4
AAS	ASCII adjust AL after subtraction		0x3F
ADC	Add with carry	`destination = destination + source + carry_flag`	0x10...0x15, 0x80...0x81/2, 0x82...0x83/2 (186+)
ADD	Add	(1) `r/m += r/imm;` (2) `r += r/imm;`	0x00...0x05, 0x80/0...0x81/0, 0x82/0...0x83/0 (186+)
AND	Logical AND	(1) `r/m &= r/imm;` (2) `r &= r/imm;`	0x20...0x25, 0x80...0x81/4, 0x82...0x83/4 (186+)
CALL	Call procedure	`push eip; eip points to the instruction directly after the call`	0x9A, 0xE8, 0xFF/2, 0xFF/3
CBW	Convert byte to word		0x98
CLC	Clear carry flag	`CF = 0;`	0xF8
CLD	Clear direction flag	`DF = 0;`	0xFC
CLI	Clear interrupt flag	`IF = 0;`	0xFA
CMC	Complement carry flag		0xF5
CMP	Compare operands		0x38...0x3D, 0x80...0x81/7, 0x82...0x83/7 (186+)
CMPSB	Compare bytes in memory. May be used with a REP prefix to repeat the instruction CX times.		0xA6
CMPSW	Compare words. May be used with a REP prefix to repeat the instruction CX times.		0xA7
CWD	Convert word to doubleword		0x99
DAA	Decimal adjust AL after addition	(used with packed binary-coded decimal)	0x27
DAS	Decimal adjust AL after subtraction		0x2F
DEC	Decrement by 1		0x48...0x4F, 0xFE/1, 0xFF/1
DIV	Unsigned divide	(1) `AX = DX:AX / r/m;` resulting `DX = remainder` (2) `AL = AX / r/m;` resulting `AH = remainder`	0xF7/6, 0xF6/6
ESC	Used with floating-point unit		0xD8..0xDF
HLT	Enter halt state		0xF4
IDIV	Signed divide	(1) `AX = DX:AX / r/m;` resulting `DX = remainder` (2) `AL = AX / r/m;` resulting `AH = remainder`	0xF7/7, 0xF6/7
IMUL	Signed multiply in One-operand form	(1) `DX:AX = AX * r/m;` (2) `AX = AL * r/m`	0x69, 0x6B (both 186+), 0xF7/5, 0xF6/5, 0x0FAF (386+)
IN	Input from port	(1) `AL = port[imm];` (2) `AL = port[DX];` (3) `AX = port[imm];` (4) `AX = port[DX];`	0xE4, 0xE5, 0xEC, 0xED
INC	Increment by 1		0x40...0x47, 0xFE/0, 0xFF/0
INT	Call to interrupt		0xCC, 0xCD
INTO	Call to interrupt if overflow		0xCE
IRET	Return from interrupt		0xCF
Jcc	Jump if condition	(JA, JAE, JB, JBE, JC, JE, JG, JGE, JL, JLE, JNA, JNAE, JNB, JNBE, JNC, JNE, JNG, JNGE, JNL, JNLE, JNO, JNP, JNS, JNZ, JO, JP, JPE, JPO, JS, JZ)	0x70...0x7F, 0x0F80...0x0F8F (386+)
JCXZ	Jump if CX is zero		0xE3
JMP	Jump		0xE9...0xEB, 0xFF/4, 0xFF/5
LAHF	Load FLAGS into AH register		0x9F
LDS	Load DS:r with far pointer		0xC5
LEA	Load Effective Address		0x8D
LES	Load ES:r with far pointer		0xC4
LOCK	Assert BUS LOCK# signal	(for multiprocessing)	0xF0
LODSB	Load string byte. May be used with a REP prefix to repeat the instruction CX times.	`if (DF==0) AL = SI++; else AL = SI--;`	0xAC
LODSW	Load string word. May be used with a REP prefix to repeat the instruction CX times.	`if (DF==0) AX = SI++; else AX = SI--;`	0xAD
LOOP/ LOOPx	Loop control	(LOOPE, LOOPNE, LOOPNZ, LOOPZ) `if (x && --CX) goto lbl;`	0xE0...0xE2
MOV	Move	copies data from one location to another, (1) `r/m = r;` (2) `r = r/m;`	0xA0...0xA3
MOVSB	Move byte from string to string. May be used with a REP prefix to repeat the instruction CX times.	if (DF==0) (byte)DI++ = (byte)SI++; else (byte)DI-- = (byte)SI--; .	0xA4
MOVSW	Move word from string to string. May be used with a REP prefix to repeat the instruction CX times.	if (DF==0) (word)DI++ = (word)SI++; else (word)DI-- = (word)SI--;	0xA5
MUL	Unsigned multiply	(1) `DX:AX = AX * r/m;` (2) `AX = AL * r/m;`	0xF7/4, 0xF6/4
NEG	Two's complement negation	`r/m = 0 – r/m;`	0xF6/3...0xF7/3
NOP	No operation	opcode equivalent to `XCHG EAX, EAX`	0x90
NOT	Negate the operand, logical NOT	`r/m ^= -1;`	0xF6/2...0xF7/2
OR	Logical OR	(1) `r/m` (2) `r`	0x08...0x0D, 0x80...0x81/1, 0x82...0x83/1 (186+)
OUT	Output to port	(1) `port[imm] = AL;` (2) `port[DX] = AL;` (3) `port[imm] = AX;` (4) `port[DX] = AX;`	0xE6, 0xE7, 0xEE, 0xEF
POP	Pop data from stack	`r/m = *SP++;` POP CS (opcode 0x0F) works only on 8086/8088. Later CPUs use 0x0F as a prefix for newer instructions.	0x07, 0x0F(8086/8088 only), 0x17, 0x1F, 0x58...0x5F, 0x8F/0
POPF	Pop FLAGS register from stack	`FLAGS = *SP++;`	0x9D
PUSH	Push data onto stack	`*--SP = r/m;`	0x06, 0x0E, 0x16, 0x1E, 0x50...0x57, 0x68, 0x6A (both 186+), 0xFF/6
PUSHF	Push FLAGS onto stack	`*--SP = FLAGS;`	0x9C
RCL	Rotate left (with carry)		0xC0...0xC1/2 (186+), 0xD0...0xD3/2
RCR	Rotate right (with carry)		0xC0...0xC1/3 (186+), 0xD0...0xD3/3
REPxx	Repeat MOVS/STOS/CMPS/LODS/SCAS	(REP, REPE, REPNE, REPNZ, REPZ)	0xF2, 0xF3
RET	Return from procedure	Not a real instruction. The assembler will translate these to a RETN or a RETF depending on the memory model of the target system.
RETN	Return from near procedure		0xC2, 0xC3
RETF	Return from far procedure		0xCA, 0xCB
ROL	Rotate left		0xC0...0xC1/0 (186+), 0xD0...0xD3/0
ROR	Rotate right		0xC0...0xC1/1 (186+), 0xD0...0xD3/1
SAHF	Store AH into FLAGS		0x9E
SAL	Shift Arithmetically left (signed shift left)	(1) `r/m <<= 1;` (2) `r/m <<= CL;`	0xC0...0xC1/4 (186+), 0xD0...0xD3/4
SAR	Shift Arithmetically right (signed shift right)	(1) `(signed) r/m >>= 1;` (2) `(signed) r/m >>= CL;`	0xC0...0xC1/7 (186+), 0xD0...0xD3/7
SBB	Subtraction with borrow	alternative 1-byte encoding of `SBB AL, AL` is available via undocumented SALC instruction	0x18...0x1D, 0x80...0x81/3, 0x82...0x83/3 (186+)
SCASB	Compare byte string. May be used with a REP prefix to repeat the instruction CX times.		0xAE
SCASW	Compare word string. May be used with a REP prefix to repeat the instruction CX times.		0xAF
SHL	Shift left (unsigned shift left)		0xC0...0xC1/4 (186+), 0xD0...0xD3/4
SHR	Shift right (unsigned shift right)		0xC0...0xC1/5 (186+), 0xD0...0xD3/5
STC	Set carry flag	`CF = 1;`	0xF9
STD	Set direction flag	`DF = 1;`	0xFD
STI	Set interrupt flag	`IF = 1;`	0xFB
STOSB	Store byte in string. May be used with a REP prefix to repeat the instruction CX times.	`if (DF==0) ES:DI++ = AL; else ES:DI-- = AL;`	0xAA
STOSW	Store word in string. May be used with a REP prefix to repeat the instruction CX times.	`if (DF==0) ES:DI++ = AX; else ES:DI-- = AX;`	0xAB
SUB	Subtraction	(1) `r/m -= r/imm;` (2) `r -= m/imm;`	0x28...0x2D, 0x80...0x81/5, 0x82...0x83/5 (186+)
TEST	Logical compare (AND)	(1) `r/m & r/imm;` (2) `r & m/imm;`	0x84, 0x85, 0xA8, 0xA9, 0xF6/0, 0xF7/0
WAIT	Wait until not busy	Waits until BUSY# pin is inactive (used with floating-point unit)	0x9B
XCHG	Exchange data	`r :=: r/m;` A spinlock typically uses xchg as an atomic operation. (coma bug).	0x86, 0x87, 0x91...0x97
XLAT	Table look-up translation	behaves like `MOV AL, [BX+AL]`	0xD7
XOR	Exclusive OR	(1) `r/m ^= r/imm;` (2) `r ^= m/imm;`	0x30...0x35, 0x80...0x81/6, 0x82...0x83/6 (186+)

Instruction	Opcode	Meaning	Notes
BOUND	62 /r	Check array index against bounds	raises software interrupt 5 if test fails
ENTER	C8 iw ib	Enter stack frame	Modifies stack for entry to procedure for high level language. Takes two operands: the amount of storage to be allocated on the stack and the nesting level of the procedure.
INSB/INSW	6C	Input from port to string	equivalent to: IN AX, DX MOV ES:[DI], AX ; adjust DI according to operand size and DF
INSB/INSW	6D	Input from port to string
LEAVE	C9	Leave stack frame	Releases the local stack storage created by the previous ENTER instruction.
OUTSB/OUTSW	6E	Output string to port	equivalent to: MOV AX, DS:[SI] OUT DX, AX ; adjust SI according to operand size and DF
OUTSB/OUTSW	6F	Output string to port
POPA	61	Pop all general purpose registers from stack	equivalent to: POP DI POP SI POP BP POP AX ; no POP SP here, all it does is ADD SP, 2 (since AX will be overwritten later) POP BX POP DX POP CX POP AX
PUSHA	60	Push all general purpose registers onto stack	equivalent to: PUSH AX PUSH CX PUSH DX PUSH BX PUSH SP ; The value stored is the initial SP value PUSH BP PUSH SI PUSH DI
PUSH immediate	6A ib	Push an immediate byte/word value onto the stack	example: PUSH 12h PUSH 1200h
PUSH immediate	68 iw	Push an immediate byte/word value onto the stack	example: PUSH 12h PUSH 1200h
IMUL immediate	6B /r ib	Signed and unsigned multiplication of immediate byte/word value	example: IMUL BX,12h IMUL DX,1200h IMUL CX, DX, 12h IMUL BX, SI, 1200h IMUL DI, word ptr [BX+SI], 12h IMUL SI, word ptr [BP-4], 1200h Note that since the lower half is the same for unsigned and signed multiplication, this version of the instruction can be used for unsigned multiplication as well.
IMUL immediate	69 /r iw
SHL/SHR/SAL/SAR/ROL/ROR/RCL/RCR immediate	C0	Rotate/shift bits with an immediate value greater than 1	example: ROL AX,3 SHR BL,3
SHL/SHR/SAL/SAR/ROL/ROR/RCL/RCR immediate	C1	Rotate/shift bits with an immediate value greater than 1	example: ROL AX,3 SHR BL,3

Instruction	Opcode	Instruction description	Real mode	Ring

`LGDT m16&32`^{[lower-alpha 1]}	`0F 01 /2`	Load GDTR (Global Descriptor Table Register) from memory.^{[lower-alpha 2]}	Yes	0
`LIDT m16&32`^{[lower-alpha 1]}	`0F 01 /3`	Load IDTR (Interrupt Descriptor Table Register) from memory.^{[lower-alpha 2]} The IDTR controls not just the address/size of the IDT (interrupt Descriptor Table) in protected mode, but the IVT (Interrupt Vector Table) in real mode as well.
`LMSW r/m16`	`0F 01 /6`	Load MSW (Machine Status Word) from 16-bit register or memory.^{[lower-alpha 2]}^{[lower-alpha 3]}
`CLTS`	`0F 06`	Clear task-switched flag in the MSW.
`LLDT r/m16`	`0F 00 /2`	Load LDTR (Local Descriptor Table Register) from 16-bit register or memory.^{[lower-alpha 2]}	#UD
`LTR r/m16`	`0F 00 /3`	Load TR (Task Register) from 16-bit register or memory.^{[lower-alpha 2]} The TSS (Task State Segment) specified by the 16-bit argument is marked busy, but a task switch is not done.	#UD

`SGDT m16&32`^{[lower-alpha 1]}	`0F 01 /0`	Store GDTR to memory.	Yes	Usually 3^{[lower-alpha 4]}
`SIDT m16&32`^{[lower-alpha 1]}	`0F 01 /1`	Store IDTR to memory.
`SMSW r/m16`	`0F 01 /4`	Store MSW to register or 16-bit memory.^{[lower-alpha 5]}
`SLDT r/m16`	`0F 00 /0`	Store LDTR to register or 16-bit memory.^{[lower-alpha 5]}	#UD
`STR r/m16`	`0F 00 /1`	Store TR to register or 16-bit memory.^{[lower-alpha 5]}	#UD

`ARPL r/m16,r16`	`63 /r`^{[lower-alpha 6]}	Adjust RPL (Requested Privilege Level) field of selector. The operation performed is: if (dst & 3) < (src & 3) then dst = (dst & 0xFFFC) \| (src & 3) eflags.zf = 1 else eflags.zf = 0	#UD^{[lower-alpha 7]}	3
`LAR r,r/m16`	`0F 02 /r`	Load access rights byte from the specified segment descriptor. Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with `0x00FxFF00`,^{[lower-alpha 8]} then stores the bottom 16/32 bits of the result in destination register. Sets EFLAGS.ZF=1 if the descriptor could be loaded, ZF=0 otherwise.	#UD
`LSL r,r/m16`	`0F 03 /r`	Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise.
`VERR r/m16`	`0F 00 /4`	Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise.
`VERW r/m16`	`0F 00 /5`	Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise.^{[lower-alpha 9]}

LOADALL^{[lower-alpha 10]}	0F 05	Load all CPU registers from a 102-byte data structure starting at physical address `800h`, including "hidden" part of segment descriptor registers.	Yes	0
STOREALL^{[lower-alpha 10]}	F1 0F 04	Store all CPU registers to a 102-byte data structure starting at physical address `800h`, then shut down CPU.	Yes	0

Type	Instruction mnemonic	Opcode	Description	Mnemonic for older 16-bit variant	Ring
String instructions^{[lower-alpha 1]}^{[lower-alpha 2]}	`LODSD`	`AD`	Load string doubleword: `EAX := DS:[rSI±±]`	`LODSW`	3
	`STOSD`	`AB`	Store string doubleword: `ES:[rDI±±] := EAX`	`STOSW`
	`MOVSD`	`A5`	Move string doubleword: `ES:[rDI±±] := DS:[rSI±±]`	`MOVSW`
	`CMPSD`	`A7`	Compare string doubleword: temp1 := DS:[rSI±±] temp2 := ES:[rDI±±] CMP temp1, temp2 /* 32-bit compare and set EFLAGS */	`CMPSW`
	`SCASD`	`AF`	Scan string doubleword: temp1 := ES:[rDI±±] CMP EAX, temp1 /* 32-bit compare and set EFLAGS */	`SCASW`
	`INSD`	`6D`	Input string from doubleword I/O port:`ES:[rDI±±] := port[DX]`^{[lower-alpha 3]}	`INSW`	Usually 0^{[lower-alpha 4]}
	`OUTSD`	`6F`	Output string to doubleword I/O port:`port[DX] := DS:[rSI±±]`	`OUTSW`	Usually 0^{[lower-alpha 4]}

Other	`CWDE`	`98`	Sign-extend 16-bit value in AX to 32-bit value in EAX^{[lower-alpha 5]}	`CBW`	3
	`CDQ`	`99`	Sign-extend 32-bit value in EAX to 64-bit value in EDX:EAX. Mainly used to prepare a dividend for the 32-bit `IDIV` (signed divide) instruction.	`CWD`
	`JECXZ rel8`	`E3 cb`^{[lower-alpha 6]}	Jump if ECX is zero	`JCXZ`
	`PUSHAD`	`60`	Push all 32-bit registers onto stack^{[lower-alpha 7]}	`PUSHA`
	`POPAD`	`61`	Pop all 32-bit general-purpose registers off stack^{[lower-alpha 8]}	`POPA`
	`PUSHFD`	`9C`	Push 32-bit EFLAGS register onto stack	`PUSHF`	Usually 3^{[lower-alpha 9]}
	`POPFD`	`9D`	Pop 32-bit EFLAGS register off stack	`POPF`
	`IRETD`	`CF`	32-bit interrupt return. Differs from the older 16-bit `IRET` instruction in that it will pop interrupt return items (EIP,CS,EFLAGS; also ESP^{[lower-alpha 10]} and SS if there is a CPL change) off the stack as 32-bit items instead of 16-bit items. Should be used to return from interrupts when the interrupt handler was entered through a 32-bit IDT interrupt/trap gate. Instruction is serializing.	`IRET`

Instruction mnemonics	Opcode	Description	Ring
`BT r/m, r`	`0F A3 /r`	Bit Test.^{[lower-alpha 1]} Second operand specifies which bit of the first operand to test. The bit to test is copied to EFLAGS.CF.	3
`BT r/m, imm8`	`0F BA /4 ib`
`BTS r/m, r`	`0F AB /r`	Bit Test-and-set.^{[lower-alpha 1]}^{[lower-alpha 2]} Second operand specifies which bit of the first operand to test and set.
`BTS r/m, imm8`	`0F BA /5 ib`
`BTR r/m, r`	`0F B3 /r`	Bit Test and Reset.^{[lower-alpha 1]}^{[lower-alpha 2]} Second operand specifies which bit of the first operand to test and clear.
`BTR r/m, imm8`	`0F BA /6 ib`
`BTC r/m, r`	`0F BB /r`	Bit Test and Complement.^{[lower-alpha 1]}^{[lower-alpha 2]} Second operand specifies which bit of the first operand to test and toggle.
`BTC r/m, imm8`	`0F BA /7 ib`

`BSF r, r/m`	`NFx 0F BC /r`^{[lower-alpha 3]}	Bit scan forward. Returns bit index of lowest set bit in input.^{[lower-alpha 4]}	3
`BSR r, r/m`	`NFx 0F BD /r`^{[lower-alpha 5]}	Bit scan reverse. Returns bit index of highest set bit in input.^{[lower-alpha 4]}
`SHLD r/m, r, imm8`	`0F A4 /r ib`	Shift Left Double. The operation of `SHLD arg1,arg2,shamt` is: `arg1 := (arg1<<shamt) \| (arg2>>(operand_size - shamt))`^{[lower-alpha 6]}
`SHLD r/m, r, CL`	`0F A5 /r`
`SHRD r/m, r, imm8`	`0F AC /r ib`	Shift Right Double. The operation of `SHRD arg1,arg2,shamt` is: `arg1 := (arg1>>shamt) \| (arg2<<(operand_size - shamt))`^{[lower-alpha 6]}
`SHRD r/m, r, CL`	`0F AD /r`

`MOVZX reg, r/m8`	`0F B6 /r`	Move from 8/16-bit source to 16/32-bit register with zero-extension.	3
`MOVZX reg, r/m16`	`0F B7 /r`
`MOVSX reg, r/m8`	`0F BE /r`	Move from 8/16-bit source to 16/32/64-bit register with sign-extension.
`MOVSX reg, r/m16`	`0F BF /r`
`SETcc r/m8`	`0F 9x /0`^{[lower-alpha 7]}^{[lower-alpha 8]}	Set byte to 1 if condition is satisfied, 0 otherwise.
`Jcc rel16` `Jcc rel32`	`0F 8x cw` `0F 8x cd`^{[lower-alpha 7]}	Conditional jump near. Differs from older variants of conditional jumps in that they accept a 16/32-bit offset rather than just an 8-bit offset.
`IMUL r, r/m`	`0F AF /r`	Two-operand non-widening integer multiply.

`FS:`	`64`	Segment-override prefixes for FS and GS segment registers.	3
`GS:`	`65`	Segment-override prefixes for FS and GS segment registers.
`PUSH FS`	`0F A0`	Push/pop FS and GS segment registers.
`POP FS`	`0F A1`
`PUSH GS`	`0F A8`
`POP GS`	`0F A9`
`LFS r16, m16&16` `LFS r32, m32&16`	`0F B4 /r`	Load far pointer from memory. Offset part is stored in destination register argument, segment part in FS/GS/SS segment register as indicated by the instruction mnemonic.^{[lower-alpha 9]}
`LGS r16, m16&16` `LGS r32, m32&16`	`0F B5 /r`
`LSS r16, m16&16` `LSS r32, m32&16`	`0F B2 /r`

`MOV reg,CRx`	`0F 20 /r`^{[lower-alpha 10]}	Move from control register to general register.^{[lower-alpha 11]}	0
`MOV CRx,reg`	`0F 22 /r`^{[lower-alpha 10]}	Move from general register to control register.^{[lower-alpha 11]} On Pentium and later processors, moves to the `CR0`, `CR3` and `CR4` control registers are serializing.^{[lower-alpha 12]}
`MOV reg,DRx`	`0F 21 /r`^{[lower-alpha 10]}	Move from x86 debug register to general register.^{[lower-alpha 11]}
`MOV DRx,reg`	`0F 23 /r`^{[lower-alpha 10]}	Move from general register to x86 debug register.^{[lower-alpha 11]} On Pentium and later processors, moves to the DR0-DR7 debug registers are serializing.
`MOV reg,TRx`	`0F 24 /r`^{[lower-alpha 10]}	Move from x86 test register to general register.^{[lower-alpha 13]}
`MOV TRx,reg`	`0F 26 /r`^{[lower-alpha 10]}	Move from general register to x86 test register.^{[lower-alpha 13]}

ICEBP, INT01, INT1^{[lower-alpha 14]}	F1	In-circuit emulation breakpoint. Performs software interrupt #1 if executed when not using in-circuit emulation.^{[lower-alpha 15]}	3
UMOV r/m, r8	0F 10 /r	User Move – perform data moves that can access user memory while in In-circuit emulation HALT mode. Performs same operation as `MOV` if executed when not doing in-circuit emulation.^{[lower-alpha 16]}
UMOV r/m, r16/32	0F 11 /r
UMOV r8, r/m	0F 12 /r
UMOV r16/32, r/m	0F 13 /r
XBTS reg,r/m	0F A6 /r	Bitfield extract.^{[lower-alpha 17]}^{[lower-alpha 18]}
IBTS r/m,reg	0F A7 /r	Bitfield insert.^{[lower-alpha 17]}^{[lower-alpha 18]}
LOADALLD, LOADALL386^{[lower-alpha 19]}	0F 07	Load all CPU registers from a 296-byte data structure starting at ES:EDI, including "hidden" part of segment descriptor registers.	0

x	cc	Condition (EFLAGS)
0	O	OF=1: "Overflow"
1	NO	OF=0: "Not Overflow"
2	C,B,NAE	CF=1: "Carry", "Below", "Not Above or Equal"
3	NC,NB,AE	CF=0: "Not Carry", "Not Below", "Above or Equal"
4	Z,E	ZF=1: "Zero", "Equal"
5	NZ,NE	ZF=0: "Not Zero", "Not Equal"
6	NA,BE	(CF=1 or ZF=1): "Not Above", "Below or Equal"
7	A,NBE	(CF=0 and ZF=0): "Above", "Not Below or Equal"
8	S	SF=1: "Sign"
9	NS	SF=0: "Not Sign"
A	P,PE	PF=1: "Parity", "Parity Even"
B	NP,PO	PF=0: "Not Parity", "Parity Odd"
C	L,NGE	SF≠OF: "Less", "Not Greater Or Equal"
D	NL,GE	SF=OF: "Not Less", "Greater Or Equal"
E	LE,NG	(ZF=1 or SF≠OF): "Less or Equal", "Not Greater"
F	NLE,G	(ZF=0 and SF=OF): "Not Less or Equal", "Greater"

Instruction	Opcode	Description	Ring
`BSWAP r32`	`0F C8+r`	Byte Order Swap. Usually used to convert between big-endian and little-endian data representations. For 32-bit registers, the operation performed is: r = (r << 24) \| ((r << 8) & 0x00FF0000) \| ((r >> 8) & 0x0000FF00) \| (r >> 24); Using `BSWAP` with a 16-bit register argument produces an undefined result.^{[lower-alpha 1]}	3
`CMPXCHG r/m8,r8`	`0F B0 /r`^{[lower-alpha 2]}	Compare and Exchange. If accumulator (AL/AX/EAX/RAX) compares equal to first operand,^{[lower-alpha 3]} then `EFLAGS.ZF` is set to 1 and the first operand is overwritten with the second operand. Otherwise, `EFLAGS.ZF` is set to 0, and first operand is copied into the accumulator. Instruction atomic only if used with `LOCK` prefix.
`CMPXCHG r/m,r16` `CMPXCHG r/m,r32`	`0F B1 /r`^{[lower-alpha 2]}
`XADD r/m,r8`	`0F C0 /r`	eXchange and ADD. Exchanges the first operand with the second operand, then stores the sum of the two values into the destination operand. Instruction atomic only if used with `LOCK` prefix.
`XADD r/m,r16` `XADD r/m,r32`	`0F C1 /r`
`INVLPG m8`	`0F 01 /7`	Invalidate the TLB entries that would be used for the 1-byte memory operand.^{[lower-alpha 4]} Instruction is serializing.	0
`INVD`	`0F 08`	Invalidate Internal Caches.^{[lower-alpha 5]} Modified data in the cache are not written back to memory, potentially causing data loss.^{[lower-alpha 6]}
`WBINVD`	`NFx 0F 09`^{[lower-alpha 7]}	Write Back and Invalidate Cache.^{[lower-alpha 5]} Writes back all modified cache lines in the processor's internal cache to main memory and invalidates the internal caches.

Instruction	Opcode	Description	Ring	Added in

`RDMSR`	`0F 32`	Read Model-specific register. The MSR to read is specified in ECX. The value of the MSR is then returned as a 64-bit value in EDX:EAX.	0	IBM 386SLC,^[32] Intel Pentium, AMD K5, Cyrix 6x86MX,MediaGXm, IDT WinChip C6, Transmeta Crusoe
`WRMSR`	`0F 30`	Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX.^{[lower-alpha 1]} Instruction is, with some exceptions, serializing.^{[lower-alpha 2]}	0
`RSM`^[35]	`0F AA`	Resume from System Management Mode. Instruction is serializing.	-2 (SMM)	Intel 386SL,^[36]^[37] 486SL,^{[lower-alpha 3]} Intel Pentium, AMD 5x86, Cyrix 486SLC/e,^[38] IDT WinChip C6, Transmeta Crusoe, Rise mP6
`CPUID`	`0F A2`	CPU Identification and feature information. Takes as input a CPUID leaf index in EAX and, depending on leaf, a sub-index in ECX. Result is returned in EAX,EBX,ECX,EDX.^{[lower-alpha 4]} Instruction is serializing, and causes a mandatory #VMEXIT under virtualization. Support for `CPUID` can be checked by toggling bit 21 of EFLAGS (EFLAGS.ID) – if this bit can be toggled, `CPUID` is present.	Usually 3^{[lower-alpha 5]}	Intel Pentium,^{[lower-alpha 6]} AMD 5x86,^{[lower-alpha 6]} Cyrix 5x86,^{[lower-alpha 7]} IDT WinChip C6, Transmeta Crusoe, Rise mP6, NexGen Nx586,^{[lower-alpha 8]} UMC Green CPU
`CMPXCHG8B m64`	`0F C7 /1`	Compare and Exchange 8 bytes. Compares EDX:EAX with m64. If equal, set ZF^{[lower-alpha 9]} and store ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX. Instruction atomic only if used with `LOCK` prefix.^{[lower-alpha 10]}	3	Intel Pentium, AMD K5, Cyrix 6x86L,MediaGXm, IDT WinChip C6,^{[lower-alpha 11]} Transmeta Crusoe,^{[lower-alpha 11]} Rise mP6^{[lower-alpha 11]}
`RDTSC`	`0F 31`	Read 64-bit Time Stamp Counter (TSC) into EDX:EAX.^{[lower-alpha 12]} In early processors, the TSC was a cycle counter, incrementing by 1 for each clock cycle (which could cause its rate to vary on processors that could change clock speed at runtime) – in later processors, it increments at a fixed rate that doesn't necessarily match the CPU clock speed.^{[lower-alpha 13]}	Usually 3^{[lower-alpha 14]}	Intel Pentium, AMD K5, Cyrix 6x86MX,MediaGXm, IDT WinChip C6, Transmeta Crusoe, Rise mP6

`RDPMC`	`0F 33`	Read Performance Monitoring Counter. The counter to read is specified by ECX and its value is returned in EDX:EAX.^{[lower-alpha 12]}	Usually 3^{[lower-alpha 15]}	Intel Pentium MMX, Intel Pentium Pro, AMD K7, Cyrix 6x86MX, IDT WinChip C6, VIA Nano^{[lower-alpha 16]}
`CMOVcc reg,r/m`	`0F 4x /r`^{[lower-alpha 17]}	Conditional move to register. The source operand may be either register or memory.^{[lower-alpha 18]}	3	Intel Pentium Pro, AMD K7, Cyrix 6x86MX,MediaGXm, Transmeta Crusoe, VIA C3 "Nehemiah"

`NOP r/m`, `NOPL r/m`	`NFx 0F 1F /0`	Official long NOP. Other than AMD K7/K8, broadly unsupported in non-Intel processors released before 2005.^{[lower-alpha 19]}^[51]	3	Intel Pentium Pro,^{[lower-alpha 20]} AMD K7, x86-64,^{[lower-alpha 21]} VIA C7^[55]
`UD2`,^{[lower-alpha 22]} `UD2A`^{[lower-alpha 23]}	`0F 0B`	Undefined Instructions – will generate an invalid opcode (#UD) exception in all operating modes. These instructions are provided for software testing to explicitly generate invalid opcodes. The opcodes for these instructions are reserved for this purpose.	(3)	(80186),^{[lower-alpha 24]} Intel Pentium^[59]
`UD1 reg,r/m`,^{[lower-alpha 25]} `UD2B reg,r/m`^{[lower-alpha 23]}	`0F B9 /r`^{[lower-alpha 26]}			(80186),^{[lower-alpha 24]} Intel Pentium^[59]
`OIO`, `UD0`, `UD0 reg,r/m`^{[lower-alpha 27]}	`0F FF`, `0F FF /r`^{[lower-alpha 26]}			(80186),^{[lower-alpha 24]} Cyrix 6x86,^[64] AMD K5^[66]

`SYSCALL`	`0F 05`	Fast System call.	3	AMD K6,^{[lower-alpha 28]} x86-64^{[lower-alpha 29]}^{[lower-alpha 30]}
`SYSRET`	`0F 07`^{[lower-alpha 31]}	Fast Return from System Call. Designed to be used together with `SYSCALL`.	0^{[lower-alpha 32]}
`SYSENTER`	`0F 34`	Fast System call.	3^{[lower-alpha 32]}	Intel Pentium II,^{[lower-alpha 33]} AMD K7,^[71]^{[lower-alpha 34]} Transmeta Crusoe,^{[lower-alpha 35]} NatSemi Geode GX2, VIA C3 "Nehemiah"^{[lower-alpha 36]}
`SYSEXIT`	`0F 35`^{[lower-alpha 31]}	Fast Return from System Call. Designed to be used together with `SYSENTER`.	0^{[lower-alpha 32]}

Number	Name
`48h`	SPEC_CTRL
`49h`	PRED_CMD
`122h`	TSX_CTRL
`6E0h`	TSC_DEADLINE
`6E1h`	PKRS
`774h`	HWP_REQUEST (non-serializing only if the FAST_IA32_HWP_REQUEST bit it set)
`802h` to `83Fh`	(x2APIC MSRs)
`C001_011Bh`	Doorbell Register (AMD)

Instruction	Encoding	Meaning	Ring
`CDQE`	`REX.W 98`	Sign extend EAX into RAX	3
`CQO`	`REX.W 99`	Sign extend RAX into RDX:RAX
`CMPSQ`	`REX.W A7`	CoMPare String Quadword
`CMPXCHG16B m128`^{[lower-alpha 1]}^{[lower-alpha 2]}	`REX.W 0F C7 /1`	CoMPare and eXCHanGe 16 Bytes. Atomic only if used with LOCK prefix.
`IRETQ`	`REX.W CF`	64-bit Return from Interrupt
`JRCXZ rel8`	`E3 cb`	Jump if RCX is zero
`LODSQ`	`REX.W AD`	LoaD String Quadword
`MOVSXD r64,r/m32`	`REX.W 63 /r`^{[lower-alpha 3]}	MOV with Sign Extend 32-bit to 64-bit
`MOVSQ`	`REX.W A5`	Move String Quadword
`POPFQ`	`9D`	POP RFLAGS Register
`PUSHFQ`	`9C`	PUSH RFLAGS Register
`SCASQ`	`REX.W AF`	SCAn String Quadword
`STOSQ`	`REX.W AB`	STOre String Quadword
`SWAPGS`	`0F 01 F8`	Exchange GS base with KernelGSBase MSR	0

Bit Manipulation Extension	Instruction mnemonics	Opcode	Instruction description	Added in

ABM (LZCNT)^{[lower-alpha 1]} Advanced Bit Manipulation	`POPCNT r16,r/m16` `POPCNT r32,r/m32`	`F3 0F B8 /r`	Population Count. Counts the number of bits that are set to 1 in its source argument.	K10, Bobcat, Haswell, ZhangJiang, Gracemont
	`POPCNT r64,r/m64`	`F3 REX.W 0F B8 /r`
	`LZCNT r16,r/m16` `LZCNT r32,r/m32`	`F3 0F BD /r`	Count Leading zeroes.^{[lower-alpha 2]} If source operand is all-0s, then `LZCNT` will return operand size in bits (16/32/64) and set CF=1.
	`LZCNT r64,r/m64`	`F3 REX.W 0F BD /r`

BMI1 Bit Manipulation Instruction Set 1	`TZCNT r16,r/m16` `TZCNT r32,r/m32`	`F3 0F BC /r`	Count Trailing zeroes.^{[lower-alpha 3]} If source operand is all-0s, then `TZCNT` will return operand size in bits (16/32/64) and set CF=1.	Haswell, Piledriver, Jaguar, ZhangJiang, Gracemont
	`TZCNT r64,r/m64`	`F3 REX.W 0F BC /r`
	`ANDN ra,rb,r/m`	`VEX.LZ.0F38 F2 /r`	Bitwise AND-NOT: `ra = r/m AND NOT(rb)`
	`BEXTR ra,r/m,rb`	`VEX.LZ.0F38 F7 /r`	Bitfield extract. Bitfield start position is specified in bits [7:0] of `rb`, length in bits[15:8] of `rb`. The bitfield is then extracted from the `r/m` value with zero-extension, then stored in `ra`. Equivalent to^{[lower-alpha 4]} mask = (1 << rb[15:8]) - 1 ra = (r/m >> rb[7:0]) AND mask
	`BLSI reg,r/m`	`VEX.LZ.0F38 F3 /3`	Extract lowest set bit in source argument. Returns 0 if source argument is 0. Equivalent to `dst = (-src) AND src`
	`BLSMSK reg,r/m`	`VEX.LZ.0F38 F3 /2`	Generate a bitmask of all-1s bits up to the lowest bit position with a 1 in the source argument. Returns all-1s if source argument is 0. Equivalent to `dst = (src-1) XOR src`
	`BLSR reg,r/m`	`VEX.LZ.0F38 F3 /1`	Copy all bits of the source argument, then clear the lowest set bit. Equivalent to `dst = (src-1) AND src`

BMI2 Bit Manipulation Instruction Set 2	`BZHI ra,r/m,rb`	`VEX.LZ.0F38 F5 /r`	Zero out high-order bits in `r/m` starting from the bit position specified in `rb`, then write result to `rd`. Equivalent to `ra = r/m AND NOT(-1 << rb[7:0])`	Haswell, Excavator,^{[lower-alpha 5]} ZhangJiang, Gracemont
	`MULX ra,rb,r/m`	`VEX.LZ.F2.0F38 F6 /r`	Widening unsigned integer multiply without setting flags. Multiplies EDX/RDX with `r/m`, then stores the low half of the multiplication result in `ra` and the high half in `rb`. If `ra` and `rb` specify the same register, only the high half of the result is stored.
	`PDEP ra,rb,r/m`	`VEX.LZ.F2.0F38 F5 /r`	Parallel Bit Deposit. Scatters contiguous bits from `rb` to the bit positions set in `r/m`, then stores result to `ra`. Operation performed is: ra=0; k=0; mask=r/m for i=0 to opsize-1 do if (mask[i] == 1) then ra[i]=rb[k]; k=k+1
	`PEXT ra,rb,r/m`	`VEX.LZ.F3.0F38 F5 /r`	Parallel Bit Extract. Uses `r/m` argument as a bit mask to select bits in `rb`, then compacts the selected bits into a contiguous bit-vector. Operation performed is: ra=0; k=0; mask=r/m for i=0 to opsize-1 do if (mask[i] == 1) then ra[k]=rb[i]; k=k+1
	`RORX reg,r/m,imm8`	`VEX.LZ.F2.0F3A F0 /r ib`	Rotate right by immediate without affecting flags.
	`SARX ra,r/m,rb`	`VEX.LZ.F3.0F38 F7 /r`	Arithmetic shift right without updating flags. For `SARX`, `SHRX` and `SHLX`, the shift-amount specified in `rb` is masked to 5 bits for 32-bit operand size and 6 bits for 64-bit operand size.
	`SHRX ra,r/m,rb`	`VEX.LZ.F2.0F38 F7 /r`	Logical shift right without updating flags.
	`SHLX ra,r/m,rb`	`VEX.LZ.66.0F38 F7 /r`	Shift left without updating flags.

TSX Subset	Instruction	Opcode	Description	Added in

RTM Restricted Transactional memory	`XBEGIN rel16` `XBEGIN rel32`	`C7 F8 cw` `C7 F8 cd`	Start transaction. If transaction fails, perform a branch to the given relative offset.	Haswell (Deprecated on desktop/laptop CPUs from 10th generation (Ice Lake, Comet Lake) onwards, but continues to be available on Xeon-branded server parts (e.g. Ice Lake-SP, Sapphire Rapids))
	`XABORT imm8`	`C6 F8 ib`	Abort transaction with 8-bit immediate as error code.
	`XEND`	`NP 0F 01 D5`	End transaction.
	`XTEST`	`NP 0F 01 D6`	Test if in transactional execution. Sets `EFLAGS.ZF` to 0 if executed inside a transaction (RTM or HLE), 1 otherwise.

HLE Hardware Lock Elision	`XACQUIRE`	`F2`	Instruction prefix to indicate start of hardware lock elision, used with memory atomic instructions only (for other instructions, the `F2` prefix may have other meanings). When used with such instructions, may start a transaction instead of performing the memory atomic operation.	Haswell (Discontinued – the last processors to support HLE were Coffee Lake and Cascade Lake)
HLE Hardware Lock Elision	`XRELEASE`	`F3`	Instruction prefix to indicate end of hardware lock elision, used with memory atomic/store instructions only (for other instructions, the `F3` prefix may have other meanings). When used with such instructions during hardware lock elision, will end the associated transaction instead of performing the store/atomic.

TSXLDTRK Load Address Tracking suspend/resume	`XSUSLDTRK`	`F2 0F 01 E8`	Suspend Tracking Load Addresses	Sapphire Rapids
TSXLDTRK Load Address Tracking suspend/resume	`XRESLDTRK`	`F2 0F 01 E9`	Resume Tracking Load Addresses	Sapphire Rapids

CET Subset	Instruction	Opcode	Description	Ring	Added in

CET_SS Shadow stack. When shadow stacks are enabled, return addresses are pushed on both the regular stack and the shadow stack when a function call is made. They are then both popped on return from the function call – if they do not match, then the stack is assumed to be corrupted, and a #CP exception is issued. The shadow stack is additionally required to be stored in specially marked memory pages which cannot be modified by normal memory store instructions.	`INCSSPD r32`	`F3 0F AE /5`	Increment shadow stack pointer	3	Tiger Lake, Zen 3
	`INCSSPQ r64`	`F3 REX.W 0F AE /5`	Increment shadow stack pointer
	`RDSSPD r32`	`F3 0F 1E /1`	Read shadow stack pointer into register (low 32 bits)^{[lower-alpha 1]}
	`RDSSPQ r64`	`F3 REX.W 0F 1E /1`	Read shadow stack pointer into register (full 64 bits)^{[lower-alpha 1]}
	`SAVEPREVSSP`	`F3 0F 01 EA`	Save previous shadow stack pointer
	`RSTORSSP m64`	`F3 0F 01 /5`	Restore saved shadow stack pointer
	`WRSSD m32,r32`	`NP 0F 38 F6 /r`	Write 4 bytes to shadow stack
	`WRSSQ m64,r64`	`NP REX.W 0F 38 F6 /r`	Write 8 bytes to shadow stack
	`WRUSSD m32,r32`	`66 0F 38 F5 /r`	Write 4 bytes to user shadow stack	0
	`WRUSSQ m64,r64`	`66 REX.W 0F 38 F5 /r`	Write 8 bytes to user shadow stack
	`SETSSBSY`	`F3 0F 01 E8`	Mark shadow stack busy
	`CLRSSBSY m64`	`F3 0F AE /6`	Clear shadow stack busy flag

CET_IBT Indirect Branch Tracking. When IBT is enabled, an indirect branch (jump, call, return) to any instruction that is not an `ENDBR32/64` instruction will cause a #CP exception.	`ENDBR32`	`F3 0F 1E FB`	Terminate indirect branch in 32-bit mode^{[lower-alpha 2]}	3	Tiger Lake
	`ENDBR64`	`F3 0F 1E FA`	Terminate indirect branch in 64-bit mode^{[lower-alpha 2]}
	`NOTRACK`	`3E`^{[lower-alpha 3]}	Prefix used with indirect `CALL`/`JMP` near instructions (opcodes `FF /2` and `FF /4`) to indicate that the branch target is not required to start with an `ENDBR32/64` instruction. Prefix only honored when NO_TRACK_EN flag is set.

Instruction Set Extension	Instruction mnemonics	Opcode	Instruction description	Ring	Added in

SSE^{[lower-alpha 1]} (non-SIMD)	`PREFETCHNTA m8`	`0F 18 /0`	Prefetch with Non-Temporal Access. Prefetch data under the assumption that the data will be used only once, and attempt to minimize cache pollution from said data. The methods used to minimize cache pollution are implementation-dependent.^{[lower-alpha 2]}	3	Pentium III, (K7),^{[lower-alpha 1]} (Geode GX2),^{[lower-alpha 1]} Nehemiah, Efficeon
	`PREFETCHT0 m8`	`0F 18 /1`	Prefetch data to all levels of the cache hierarchy.^{[lower-alpha 2]}
	`PREFETCHT1 m8`	`0F 18 /2`	Prefetch data to all levels of the cache hierarchy except L1 cache.^{[lower-alpha 2]}
	`PREFETCHT2 m8`	`0F 18 /3`	Prefetch data to all levels of the cache hierarchy except L1 and L2 caches.^{[lower-alpha 2]}
	`SFENCE`	`NP 0F AE F8+x^{[lower-alpha 3]}`	Store Fence.^{[lower-alpha 4]}

SSE2 (non-SIMD)	`LFENCE`	`NP 0F AE E8+x^{[lower-alpha 3]}`	Load Fence and Dispatch Serialization.^{[lower-alpha 5]}	3	Pentium 4, K8, Efficeon, C7 Esther
	`MFENCE`	`NP 0F AE F0+x^{[lower-alpha 3]}`	Memory Fence.^{[lower-alpha 6]}
	`MOVNTI m32,r32` `MOVNTI m64,r64`	`NP 0F C3 /r` `NP REX.W 0F C3 /r`	Non-Temporal Memory Store.
	`PAUSE`	`F3 90`^{[lower-alpha 7]}	Pauses CPU thread for a short time period.^{[lower-alpha 8]} Intended for use in spinlocks.^{[lower-alpha 9]}

CLFSH^{[lower-alpha 10]} Cache Line Flush.	`CLFLUSH m8`	`NP 0F AE /7`	Flush one cache line to memory. In a system with multiple cache hierarchy levels and/or multiple processors each with their own caches, the line is flushed from all of them.	3	(SSE2), Geode LX

MONITOR^{[lower-alpha 11]} Monitor a memory location for memory writes.	`MONITOR`^{[lower-alpha 12]} `MONITOR EAX,ECX,EDX`	`NP 0F 01 C8`	Start monitoring a memory location for memory writes. The memory address to monitor is given by DS:AX/EAX/RAX.^{[lower-alpha 13]} ECX and EDX are reserved for extra extension and hint flags, respectively.^{[lower-alpha 14]}	Usually 0^{[lower-alpha 15]}	Prescott, Yonah, Bonnell, K10, Nano
	`MWAIT`^{[lower-alpha 12]} `MWAIT EAX,ECX`	`NP 0F 01 C9`	Wait for a write to a monitored memory location previously specified with `MONITOR`.^{[lower-alpha 16]} ECX and EAX are used to provide extra extension^{[lower-alpha 17]} and hint^{[lower-alpha 18]} flags, respectively. `MWAIT` hints are commonly used for CPU power management.	Usually 0^{[lower-alpha 15]}	Prescott, Yonah, Bonnell, K10, Nano

SMX Safer Mode Extensions. Load, authenticate and execute a digitally signed "Authenticated Code Module" as part of Intel Trusted Execution Technology.	`GETSEC`	`NP 0F 37`^{[lower-alpha 19]}	Perform an SMX function. The leaf function to perform is given in EAX.^{[lower-alpha 20]} Depending on leaf function, the instruction may take additional arguments in RBX, ECX and EDX.	Usually 0^{[lower-alpha 21]}	Conroe/Merom, WuDaoKou,^[95] Tremont

XSAVE Processor Extended State Save/Restore.	`XSAVE mem` `XSAVE64 mem`	`NP 0F AE /4` `NP REX.W 0F AE /4`	Save state components specified by EDX:EAX to memory.	3	Penryn,^{[lower-alpha 22]} Bulldozer, Jaguar, Goldmont, ZhangJiang
	`XRSTOR mem` `XRSTOR64 mem`	`NP 0F AE /5` `NP REX.W 0F AE /5`	Restore state components specified by EDX:EAX from memory.
	`XGETBV`	`NP 0F 01 D0`	Get value of Extended Control Register. Reads an XCR specified by ECX into EDX:EAX.^{[lower-alpha 23]}
	`XSETBV`	`NP 0F 01 D1`	Set Extended Control Register. Write the value in EDX:EAX to the XCR specified by ECX.	0

RDTSCP Read Time Stamp Counter and Processor ID.	`RDTSCP`	`0F 01 F9`	Read Time Stamp Counter and processor core ID.^{[lower-alpha 24]} The TSC value is placed in EDX:EAX and the core ID in ECX.^{[lower-alpha 25]}	Usually 3^{[lower-alpha 26]}	K8,^{[lower-alpha 27]} Nehalem, Silvermont, Nano

POPCNT^{[lower-alpha 28]} Population Count.	`POPCNT r16,r/m16` `POPCNT r32,r/m32`	`F3 0F B8 /r`	Count the number of bits that are set to 1 in its source argument.	3	K10, Nehalem, Nano 3000
POPCNT^{[lower-alpha 28]} Population Count.	`POPCNT r64,r/m64`	`F3 REX.W 0F B8 /r`		3	K10, Nehalem, Nano 3000

SSE4.2 (non-SIMD)	`CRC32 r32,r/m8`	`F2 0F 38 F0 /r`	Accumulate CRC value using the CRC-32C (Castagnoli) polynomial 0x11EDC6F41 (normal form 0x1EDC6F41). This is the polynomial used in iSCSI. In contrast to the more popular one used in Ethernet, its parity is even, and it can thus detect any error with an odd number of changed bits.	3	Nehalem, Bulldozer, ZhangJiang
	`CRC32 r32,r/m16` `CRC32 r32,r/m32`	`F2 0F 38 F1 /r`
	`CRC32 r64,r/m64`	`F2 REX.W 0F 38 F1 /r`

XSAVEOPT Processor Extended State Save/Restore Optimized	`XSAVEOPT mem` `XSAVEOPT64 mem`	`NP 0F AE /6` `NP REX.W 0F AE /6`	Save state components specified by EDX:EAX to memory. Unlike the older `XSAVE` instruction, `XSAVEOPT` may abstain from writing processor state items to memory when the CPU can determine that they haven't been modified since the most recent corresponding `XRSTOR`.	3	Sandy Bridge, Steamroller, Puma, Goldmont, ZhangJiang

FSGSBASE Read/write base address of FS and GS segments from user-mode. Available in 64-bit mode only.	`RDFSBASE r32` `RDFSBASE r64`	`F3 0F AE /0` `F3 REX.W 0F AE /0`	Read base address of FS: segment.	3	Ivy Bridge, Steamroller, Goldmont, ZhangJiang
	`RDGSBASE r32` `RDGSBASE r64`	`F3 0F AE /1` `F3 REX.W 0F AE /1`	Read base address of GS: segment.
	`WRFSBASE r32` `WRFSBASE r64`	`F3 0F AE /2` `F3 REX.W 0F AE /2`	Write base address of FS: segment.
	`WRGSBASE r32` `WRGSBASE r64`	`F3 0F AE /3` `F3 REX.W 0F AE /3`	Write base address of GS: segment.

MOVBE Move to/from memory with byte order swap.	`MOVBE r16,m16` `MOVBE r32,m32`	`NFx 0F 38 F0 /r`	Load from memory to register with byte-order swap.	3	Bonnell, Haswell, Jaguar, Steamroller, ZhangJiang
	`MOVBE r64,m64`	`NFx REX.W 0F 38 F0 /r`	Load from memory to register with byte-order swap.
	`MOVBE m16,r16` `MOVBE m32,r32`	`NFx 0F 38 F1 /r`	Store to memory from register with byte-order swap.
	`MOVBE m64,r64`	`NFx REX.W 0F 38 F1 /r`	Store to memory from register with byte-order swap.

INVPCID Invalidate TLB entries by Process-context identifier.	`INVPCID reg,m128`	`66 0F 38 82 /r`	Invalidate entries in TLB and paging-structure caches based on invalidation type in register^{[lower-alpha 29]} and descriptor in m128. The descriptor contains a memory address and a PCID.^{[lower-alpha 30]} Instruction is serializing on AMD but not Intel CPUs.	0	Haswell, ZhangJiang, Zen 3, Gracemont

PREFETCHW^{[lower-alpha 31]} Cache-line prefetch with intent to write.	`PREFETCHW m8`	`0F 0D /1`	Prefetch cache line with intent to write.^{[lower-alpha 2]}	3	K6-2, (Cedar Mill),^{[lower-alpha 32]} Silvermont, Broadwell, ZhangJiang
	`PREFETCH m8`^{[lower-alpha 33]}	`0F 0D /0`	Prefetch cache line.^{[lower-alpha 2]}	3

ADX Enhanced variants of add-with-carry.	`ADCX r32,r/m32` `ADCX r64,r/m64`	`66 0F 38 F6 /r` `66 REX.W 0F 38 F6 /r`	Add-with-carry. Differs from the older `ADC` instruction in that it leaves flags other than `EFLAGS.CF` unchanged.	3	Broadwell, Zen 1, ZhangJiang, Gracemont
ADX Enhanced variants of add-with-carry.	`ADOX r32,r/m32` `ADOX r64,r/m64`	`F3 0F 38 F6 /r` `F3 REX.W 0F 38 F6 /r`	Add-with-carry, with the overflow-flag `EFLAGS.OF` serving as carry input and output, with other flags left unchanged.	3	Broadwell, Zen 1, ZhangJiang, Gracemont

SMAP Supervisor Mode Access Prevention. Repurposes the `EFLAGS.AC` (alignment check) flag to a flag that prevents access to user-mode memory while in ring 0, 1 or 2.	`CLAC`	`NP 0F 01 CA`	Clear `EFLAGS.AC`.	0	Broadwell, Goldmont, Zen 1, LuJiaZui^{[lower-alpha 34]}
	`STAC`	`NP 0F 01 CB`	Set `EFLAGS.AC`.	0	Broadwell, Goldmont, Zen 1, LuJiaZui^{[lower-alpha 34]}

CLFLUSHOPT Optimized Cache Line Flush.	`CLFLUSHOPT m8`	`NFx 66 0F AE /7`	Flush cache line. Differs from the older `CLFLUSH` instruction in that it has more relaxed ordering rules with respect to memory stores and other cache line flushes, enabling improved performance.	3	Skylake, Goldmont, Zen 1

XSAVEC Processor Extended State save/restore with compaction.	`XSAVEC mem` `XSAVEC64 mem`	`NP 0F C7 /4` `NP REX.W 0F C7 /4`	Save processor extended state components specified by EDX:EAX to memory with compaction.	3	Skylake, Goldmont, Zen 1

XSS Processor Extended State save/restore, including supervisor state.	`XSAVES mem` `XSAVES64 mem`	`NP 0F C7 /5` `NP REX.W 0F C7 /5`	Save processor extended state components specified by EDX:EAX to memory with compaction and optimization if possible.	0	Skylake, Goldmont, Zen 1
	`XRSTORS mem` `XRSTORS64 mem`	`NP 0F C7 /3` `NP REX.W 0F C7 /3`	Restore state components specified by EDX:EAX from memory.	0	Skylake, Goldmont, Zen 1

PREFETCHWT1 Cache-line prefetch into L2 cache with intent to write.	`PREFETCHWT1 m8`	`0F 0D /2`	Prefetch data with T1 locality hint (fetch into L2 cache, but not L1 cache) and intent-to-write hint.^{[lower-alpha 2]}	3	Knights Landing, YongFeng

PKU Protection Keys for user pages.	`RDPKRU`	`NP 0F 01 EE`	Read User Page Key register into EAX.	3	Skylake-X, Comet Lake, Gracemont, Zen 3, LuJiaZui^{[lower-alpha 34]}
PKU Protection Keys for user pages.	`WRPKRU`	`NP 0F 01 EF`	Write data from EAX into User Page Key Register, and perform a Memory Fence.	3

CLWB Cache Line Writeback to memory.	`CLWB m8`	`NFx 66 0F AE /6`	Write one cache line back to memory without invalidating the cache line.	3	Skylake-X, Zen 2, Tiger Lake, Tremont

RDPID Read processor core ID.	`RDPID r32`	`F3 0F C7 /7`	Read processor core ID into register.^{[lower-alpha 24]}	3^{[lower-alpha 35]}	Goldmont Plus, Zen 2, Ice Lake, LuJiaZui^{[lower-alpha 34]}

WBNOINVD Whole Cache Writeback without invalidate.	`WBNOINVD`	`F3 0F 09`	Write back all dirty cache lines to memory without invalidation.^{[lower-alpha 36]} Instruction is serializing.	0	Zen 2, Ice Lake-SP

Bits	MWAIT Extension
0	Treat interrupts as break events, even when masked (EFLAGS.IF=0). (Available on all non-NetBurst implementations of `MWAIT`.)
1	Timed MWAIT: end the wait when the TSC reaches or exceeds the value in EDX:EBX. (Undocumented, reportedly present in Intel Skylake and later Intel processors)^[93]
2	Monitorless MWAIT^[94]
31:3	Not used, must be set to zero.

Bits	MWAIT Hint
3:0	Sub-state within a C-state (see bits 7:4) (Intel processors only)
7:4	Target CPU power C-state during wait, minus 1. (E.g. 0000b for C1, 0001b for C2, 1111b for C0)
31:8	Not used.

EAX	Function
0 (CAPABILITIES)	Report SMX capabilities
2 (ENTERACCES)	Enter execution of authenticated code module
3 (EXITAC)	Exit execution of authenticated code module
4 (SENTER)	Enter measured environment
5 (SEXIT)	Exit measured environment
6 (PARAMETERS)	Report SMX parameters
7 (SMCTRL)	SMX Mode Control
8 (WAKEUP)	Wake up sleeping processors in measured environment

EAX	Function
0 (ECREATE)	Create an enclave
1 (EADD)	Add a page
2 (EINIT)	Initialize an enclave
3 (EREMOVE)	Remove a page from EPC (Enclave Page Cache)
4 (EDBGRD)	Read data by debugger
5 (EDBGWR)	Write data by debugger
6 (EEXTEND)	Extend EPC page measurement
7 (ELDB)	Load an EPC page as blocked
8 (ELDU)	Load an EPC page as unblocked
9 (EBLOCK)	Block an EPC page
A (EPA)	Add version array
B (EWB)	Writeback/invalidate EPC page
C (ETRACK)	Activate EBLOCK checks
Added with SGX2
D (EAUG)	Add page to initialized enclave
E (EMODPTR)	Restrict permissions of EPC page
F (EMODT)	Change type of EPC page
Added with OVERSUB^[100]
10 (ERDINFO)	Read EPC page type/status info
11 (ETRACKC)	Activate EBLOCK checks
12 (ELDBC)	Load EPC page as blocked with enhanced error reporting
13 (ELDUC)	Load EPC page as unblocked with enhanced error reporting
Other
18 (EUPDATESVN)	Update SVN (Security Version Number) after live microcode update^[101]

EAX	Function
0 (EREPORT)	Create a cryptographic report
1 (EGETKEY)	Create a cryptographic key
2 (EENTER)	Enter an Enclave
3 (ERESUME)	Re-enter an Enclave
4 (EEXIT)	Exit an Enclave
Added with SGX2
5 (EACCEPT)	Accept changes to EPC page
6 (EMODPE)	Extend EPC page permissions
7 (EACCEPTCOPY)	Initialize pending page
Added with TDX^[104]
8 (EVERIFYREPORT2)	Verify a cryptographic report of a trust domain
Added with AEX-Notify
9 (EDECCSSA)	Decrement TCS.CSSA

Value	Function
0	Invalidate TLB entries matching PCID and virtual memory address in descriptor, excluding global entries
1	Invalidate TLB entries matching PCID in descriptor, excluding global entries
2	Invalidate all TLB entries, including global entries
3	Invalidate all TLB entries, excluding global entries

Instruction Set Extension	Instruction mnemonics	Opcode	Instruction description	Ring	Added in

SGX Software Guard Extensions. Set up an encrypted enclave in which a guest can execute code that a compromised or malicious host cannot inspect or tamper with.	`ENCLS`	`NP 0F 01 CF`	Perform an SGX Supervisor function. The function to perform is given in EAX.^{[lower-alpha 1]}	0	SGX1 Skylake,^{[lower-alpha 2]} Goldmont Plus SGX2 Goldmont Plus, Ice Lake-SP^[103] OVERSUB^[100] Ice Lake-SP, Tremont
	`ENCLU`	`NP 0F 01 D7`	Perform an SGX User function. The function to perform is given in EAX.^{[lower-alpha 3]}	3^{[lower-alpha 4]}
	`ENCLV`	`NP 0F 01 C0`	Perform an SGX Virtualization function. The function to perform is given in EAX.^{[lower-alpha 5]}	0^{[lower-alpha 6]}

PTWRITE Write data to a Processor Trace Packet.	`PTWRITE r/m32` `PTWRITE r/m64`	`F3 0F AE /4` `F3 REX.W 0F AE /4`	Read data from register or memory to encode into a PTW packet.^{[lower-alpha 7]}	3	Kaby Lake, Goldmont Plus

MOVDIRI Move to memory as Direct Store.	`MOVDIRI m32,r32` `MOVDIRI m64,r64`	`NP 0F 38 F9 /r` `NP REX.W 0F 38 F9 /r`	Store to memory using Direct Store (memory store that is not cached or write-combined with other stores).	3	Tiger Lake, Tremont

MOVDIR64B Move 64 bytes as Direct Store.	`MOVDIR64B reg,m512`	`66 0F 38 F8 /r`	Move 64 bytes of data from m512 to address given by ES:reg. The 64-byte write is done atomically with Direct Store.^{[lower-alpha 8]}	3	Tiger Lake, Tremont

PCONFIG Platform Configuration, including TME-MK ("Total Memory Encryption – Multi-Key") and TSE ("Total Storage Encryption").	`PCONFIG`	`NP 0F 01 C5`	Perform a platform feature configuration function. The function to perform is specified in EAX^{[lower-alpha 9]} - depending on function, RBX, RCX and RDX may provide additional input information. If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0.	0	Ice Lake-SP

CLDEMOTE Cache Line Demotion Hint.	`CLDEMOTE m8`	`NP 0F 1C /0`	Move cache line containing m8 from CPU L1 cache to a more distant level of the cache hierarchy.^{[lower-alpha 10]}	3	(Tremont), (Alder Lake), Sapphire Rapids^{[lower-alpha 11]}

WAITPKG User-mode memory monitoring and waiting.	`UMONITOR r16/32/64`	`F3 0F AE /6`	Start monitoring a memory location for memory writes. The memory address to monitor is given by the register argument.^{[lower-alpha 12]}	3	Tremont, Alder Lake
	`UMWAIT r32` `UMWAIT r32,EDX,EAX`	`F2 0F AE /6`	Timed wait for a write to a monitored memory location previously specified with `UMONITOR`. In the absence of a memory write, the wait will end when either the TSC reaches the value specified by EDX:EAX or the wait has been going on for an OS-controlled maximum amount of time.^{[lower-alpha 13]}	Usually 3^{[lower-alpha 14]}
	`TPAUSE r32` `TPAUSE r32,EDX,EAX`	`66 0F AE /6`	Wait until the Time Stamp Counter reaches the value specified in EDX:EAX. The register argument to the instruction specifies extra flags to control the operation of the instruction.	Usually 3^{[lower-alpha 14]}

SERIALIZE Instruction Execution Serialization.	`SERIALIZE`	`NP 0F 01 E8`	Serialize instruction fetch and execution.^{[lower-alpha 15]}	3	Alder Lake

HRESET Processor History Reset.	`HRESET imm8`	`F3 0F 3A F0 C0 ib`	Request that the processor reset selected components of hardware-maintained prediction history. A bitmap of which components of the CPU's prediction history to reset is given in EAX (the imm8 argument is ignored).^{[lower-alpha 16]}	0	Alder Lake

UINTR User Interprocessor interrupt. Available in 64-bit mode only.	`SENDUIPI reg`	`F3 0F C7 /6`	Send Interprocessor User Interrupt.^{[lower-alpha 17]}	3	Sapphire Rapids
	`UIRET`	`F3 0F 01 EC`	User Interrupt Return.
	`TESTUI`	`F3 0F 01 ED`	Test User Interrupt Flag. Copies UIF to EFLAGS.CF .
	`CLUI`	`F3 0F 01 EE`	Clear User Interrupt Flag.
	`STUI`	`F3 0F 01 EF`	Set User Interrupt Flag.

ENQCMD Enqueue Store.	`ENQCMD r32/64,m512`	`F2 0F 38 F8 /r`	Enqueue Command. Reads a 64-byte "command data" structure from memory (m512 argument) and writes atomically to a memory-mapped Enqueue Store device (register argument provides the memory address of this device, using ES segment and requiring 64-byte alignment.) Sets ZF=0 to indicate that device accepted the command, or ZF=1 to indicate that command was not accepted (e.g. queue full or the memory location was not an Enqueue Store device.)	3	Sapphire Rapids
ENQCMD Enqueue Store.	`ENQCMDS r32/64,m512`	`F3 0F 38 F8 /r`	Enqueue Command Supervisor. Differs from `ENQCMD` in that it can place an arbitrary PASID (process address-space identifier) and a privilege-bit in the "command data" to enqueue.	0	Sapphire Rapids

EAX	Function
Added with OVERSUB^[100]
0 (EDECVIRTCHILD)	Decrement VIRTCHILDCNT in SECS
1 (EINCVIRTCHILD)	Increment VIRTCHILDCNT in SECS
2 (ESETCONTEXT)	Set ENCLAVECONTEXT field in SECS

EAX	Function
0	MKTME_KEY_PROGRAM: Program key and encryption mode to use with an TME-MK Key ID.
Added with TSE
1	TSE_KEY_PROGRAM: Direct key programming for TSE.
2	TSE_KEY_PROGRAM_WRAPPED: Wrapped key programming for TSE.

Instruction Set Extension	Instruction mnemonics	Opcode	Instruction description	Ring	Added in

AltMovCr8 Alternative mechanism to access the CR8 control register.^{[lower-alpha 1]}	`MOV reg,CR8`	`F0 0F 20 /0`^{[lower-alpha 2]}	Read the CR8 register.	0	K8^{[lower-alpha 3]}
	`MOV CR8,reg`	`F0 0F 22 /0`^{[lower-alpha 2]}	Write to the CR8 register.	0	K8^{[lower-alpha 3]}

MONITORX Monitor a memory location for writes in user mode.	`MONITORX`	`NP 0F 01 FA`	Start monitoring a memory location for memory writes. Similar to older `MONITOR`, except available in user mode.	3	Excavator
MONITORX Monitor a memory location for writes in user mode.	`MWAITX`	`NP 0F 01 FB`	Wait for a write to a monitored memory location previously specified with `MONITORX`. `MWAITX` differs from the older `MWAIT` instruction mainly in that it runs in user mode and that it can accept an optional timeout argument (given in TSC time units) in EBX (enabled by setting bit[1] of ECX to 1.)	3	Excavator

CLZERO Zero out full cache line.	`CLZERO rAX`	`NP 0F 01 FC`	Write zeroes to all bytes in a memory region that has the size and alignment of a CPU cache line and contains the byte addressed by DS:rAX.^{[lower-alpha 4]}	3	Zen 1

RDPRU Read processor register in user mode.	`RDPRU`	`NP 0F 01 FD`	Read selected MSRs (mainly performance counters) in user mode. ECX specifies which register to read.^{[lower-alpha 5]} The value of the MSR is returned in EDX:EAX.	Usually 3^{[lower-alpha 6]}	Zen 2

MCOMMIT Commit Stores To Memory.	`MCOMMIT`	`F3 0F 01 FA`	Ensure that all preceding stores in thread have been committed to memory, and that any errors encountered by these stores have been signalled to any associated error logging resources. The set of errors that can be reported and the logging mechanism are platform-specific. Sets `EFLAGS.CF` to 0 if any errors occurred, 1 otherwise.	3	Zen 2

INVLPGB Invalidate TLB Entries with broadcast.	`INVLPGB`	`NP 0F 01 FE`	Invalidate TLB Entries for a range of pages, with broadcast. The invalidation is performed on the processor executing the instruction, and also broadcast to all other processors in the system. rAX takes the virtual address to invalidate and some additional flags, ECX takes the number of pages to invalidate, and EDX specifies ASID and PCID to perform TLB invalidation for.	0	Zen 3
INVLPGB Invalidate TLB Entries with broadcast.	`TLBSYNC`	`NP 0F 01 FF`	Synchronize TLB invalidations. Wait until all TLB invalidations signalled by preceding invocations of the `INVLPGB` instruction on the same logical processor have been responded to by all processors in the system. Instruction is serializing.	0	Zen 3

ECX	Register
0	MPERF (MSR 0E7h: Maximum Performance Frequency Clock Count)
1	APERF (MSR 0E8h: Actual Performance Frequency Clock Count)

C3	C2	C0	Classification
0	0	0	Unsupported (unnormal or pseudo-NaN)
0	0	1	NaN
0	1	0	Normal finite number
0	1	1	Infinity
1	0	0	Zero
1	0	1	Empty
1	1	0	Denormal number
1	1	1	Empty (may occur on 8087/80287 only)

Instruction	Opcode	Meaning	Notes
EMMS	0F 77	Empty MMX Technology State	Marks all x87 FPU registers for use by FPU
MOVD mm, r/m32	0F 6E /r	Move doubleword
MOVD r/m32, mm	0F 7E /r	Move doubleword
MOVQ mm/m64, mm	0F 7F /r	Move quadword
MOVQ mm, mm/m64	0F 6F /r	Move quadword
MOVQ mm, r/m64	REX.W + 0F 6E /r	Move quadword
MOVQ r/m64, mm	REX.W + 0F 7E /r	Move quadword
PACKSSDW mm1, mm2/m64	0F 6B /r	Pack doublewords to words (signed with saturation)
PACKSSWB mm1, mm2/m64	0F 63 /r	Pack words to bytes (signed with saturation)
PACKUSWB mm, mm/m64	0F 67 /r	Pack words to bytes (unsigned with saturation)
PADDB mm, mm/m64	0F FC /r	Add packed byte integers
PADDW mm, mm/m64	0F FD /r	Add packed word integers
PADDD mm, mm/m64	0F FE /r	Add packed doubleword integers
PADDSB mm, mm/m64	0F EC /r	Add packed signed byte integers and saturate
PADDSW mm, mm/m64	0F ED /r	Add packed signed word integers and saturate
PADDUSB mm, mm/m64	0F DC /r	Add packed unsigned byte integers and saturate
PADDUSW mm, mm/m64	0F DD /r	Add packed unsigned word integers and saturate
PAND mm, mm/m64	0F DB /r	Bitwise AND
PANDN mm, mm/m64	0F DF /r	Bitwise AND NOT
POR mm, mm/m64	0F EB /r	Bitwise OR
PXOR mm, mm/m64	0F EF /r	Bitwise XOR
PCMPEQB mm, mm/m64	0F 74 /r	Compare packed bytes for equality
PCMPEQW mm, mm/m64	0F 75 /r	Compare packed words for equality
PCMPEQD mm, mm/m64	0F 76 /r	Compare packed doublewords for equality
PCMPGTB mm, mm/m64	0F 64 /r	Compare packed signed byte integers for greater than
PCMPGTW mm, mm/m64	0F 65 /r	Compare packed signed word integers for greater than
PCMPGTD mm, mm/m64	0F 66 /r	Compare packed signed doubleword integers for greater than
PMADDWD mm, mm/m64	0F F5 /r	Multiply packed words, add adjacent doubleword results
PMULHW mm, mm/m64	0F E5 /r	Multiply packed signed word integers, store high 16 bits of results
PMULLW mm, mm/m64	0F D5 /r	Multiply packed signed word integers, store low 16 bits of results
PSLLW mm1, imm8	0F 71 /6 ib	Shift left words, shift in zeros
PSLLW mm, mm/m64	0F F1 /r	Shift left words, shift in zeros
PSLLD mm, imm8	0F 72 /6 ib	Shift left doublewords, shift in zeros
PSLLD mm, mm/m64	0F F2 /r	Shift left doublewords, shift in zeros
PSLLQ mm, imm8	0F 73 /6 ib	Shift left quadword, shift in zeros
PSLLQ mm, mm/m64	0F F3 /r	Shift left quadword, shift in zeros
PSRAD mm, imm8	0F 72 /4 ib	Shift right doublewords, shift in sign bits
PSRAD mm, mm/m64	0F E2 /r	Shift right doublewords, shift in sign bits
PSRAW mm, imm8	0F 71 /4 ib	Shift right words, shift in sign bits
PSRAW mm, mm/m64	0F E1 /r	Shift right words, shift in sign bits
PSRLW mm, imm8	0F 71 /2 ib	Shift right words, shift in zeros
PSRLW mm, mm/m64	0F D1 /r	Shift right words, shift in zeros
PSRLD mm, imm8	0F 72 /2 ib	Shift right doublewords, shift in zeros
PSRLD mm, mm/m64	0F D2 /r	Shift right doublewords, shift in zeros
PSRLQ mm, imm8	0F 73 /2 ib	Shift right quadword, shift in zeros
PSRLQ mm, mm/m64	0F D3 /r	Shift right quadword, shift in zeros
PSUBB mm, mm/m64	0F F8 /r	Subtract packed byte integers
PSUBW mm, mm/m64	0F F9 /r	Subtract packed word integers
PSUBD mm, mm/m64	0F FA /r	Subtract packed doubleword integers
PSUBSB mm, mm/m64	0F E8 /r	Subtract signed packed bytes with saturation
PSUBSW mm, mm/m64	0F E9 /r	Subtract signed packed words with saturation
PSUBUSB mm, mm/m64	0F D8 /r	Subtract unsigned packed bytes with saturation
PSUBUSW mm, mm/m64	0F D9 /r	Subtract unsigned packed words with saturation
PUNPCKHBW mm, mm/m64	0F 68 /r	Unpack and interleave high-order bytes
PUNPCKHWD mm, mm/m64	0F 69 /r	Unpack and interleave high-order words
PUNPCKHDQ mm, mm/m64	0F 6A /r	Unpack and interleave high-order doublewords
PUNPCKLBW mm, mm/m32	0F 60 /r	Unpack and interleave low-order bytes
PUNPCKLWD mm, mm/m32	0F 61 /r	Unpack and interleave low-order words
PUNPCKLDQ mm, mm/m32	0F 62 /r	Unpack and interleave low-order doublewords

Instruction	Opcode	Meaning
MASKMOVQ mm1, mm2	0F F7 /r	Masked Move of Quadword
MOVNTQ m64, mm	0F E7 /r	Move Quadword Using Non-Temporal Hint
PSHUFW mm1, mm2/m64, imm8	0F 70 /r ib	Shuffle Packed Words
PINSRW mm, r32/m16, imm8	0F C4 /r	Insert Word
PEXTRW reg, mm, imm8	0F C5 /r	Extract Word
PMOVMSKB reg, mm	0F D7 /r	Move Byte Mask
PMINUB mm1, mm2/m64	0F DA /r	Minimum of Packed Unsigned Byte Integers
PMAXUB mm1, mm2/m64	0F DE /r	Maximum of Packed Unsigned Byte Integers
PAVGB mm1, mm2/m64	0F E0 /r	Average Packed Integers
PAVGW mm1, mm2/m64	0F E3 /r	Average Packed Integers
PMULHUW mm1, mm2/m64	0F E4 /r	Multiply Packed Unsigned Integers and Store High Result
PMINSW mm1, mm2/m64	0F EA /r	Minimum of Packed Signed Word Integers
PMAXSW mm1, mm2/m64	0F EE /r	Maximum of Packed Signed Word Integers
PSADBW mm1, mm2/m64	0F F6 /r	Compute Sum of Absolute Differences

Instruction	Opcode	Meaning
PADDQ mm, mm/m64	0F D4 /r	Add packed quadword integers
PSUBQ mm1, mm2/m64	0F FB /r	Subtract packed quadword integers
PMULUDQ mm1, mm2/m64	0F F4 /r	Multiply unsigned doubleword integer

MOV_(x86_instruction)

x86 integer instructions

Original 8086/8088 instructions

Added in specific processors

Added with 80186/80188

Added with 80286

Added with 80386

Added with 80486

Added in P5/P6-class processors

Added as instruction set extensions

Added with x86-64

Bit manipulation extensions

Added with Intel TSX

Added with Intel CET

Added with other cross-vendor extensions

Added with other Intel-specific extensions

Added with other AMD-specific extensions

x87 floating-point instructions

Original 8087 instructions

x87 instructions added in later processors

SIMD instructions

MMX instructions

Original MMX instructions

MMX instructions added in specific processors

MMX instructions added with MMX+ and SSE

MMX instructions added with SSE2

MMX instructions added with SSSE3

SSE instructions

SSE2 instructions

SSE2 SIMD floating-point instructions

SSE2 data movement instructions

SSE2 packed arithmetic instructions

SSE2 logical instructions

SSE2 compare instructions

SSE2 shuffle and unpack instructions

SSE2 conversion instructions

SSE2 SIMD integer instructions

SSE2 MMX-like instructions extended to SSE registers

SSE2 integer instructions for SSE registers only

SSE3 instructions

SSE3 SIMD floating-point instructions

SSE3 SIMD integer instructions

SSSE3 instructions

SSE4 instructions

SSE4.1

SSE4.1 SIMD floating-point instructions

SSE4.1 SIMD integer instructions

SSE4a

SSE4.2

F16C

AVX

AVX2

FMA3 and FMA4 instructions

AVX-512

AMX

Cryptographic instructions

Intel AES instructions

CLMUL instructions

RDRAND and RDSEED

Intel SHA instructions

Intel AES Key Locker instructions

VIA PadLock instructions

Virtualization instructions

AMD-V instructions

Intel VT-x instructions

Other instructions

Undocumented instructions

Undocumented x86 instructions

Undocumented instructions that are widely available across many x86 CPUs include

Undocumented instructions that appear only in a limited subset of x86 CPUs include

Undocumented x87 instructions

See also

References

External links

Share this article:

Instruction	Opcode	Meaning
PSIGNB mm1, mm2/m64	0F 38 08 /r	Negate/zero/preserve packed byte integers depending on corresponding sign
PSIGNW mm1, mm2/m64	0F 38 09 /r	Negate/zero/preserve packed word integers depending on corresponding sign
PSIGND mm1, mm2/m64	0F 38 0A /r	Negate/zero/preserve packed doubleword integers depending on corresponding sign
PSHUFB mm1, mm2/m64	0F 38 00 /r	Shuffle bytes
PMULHRSW mm1, mm2/m64	0F 38 0B /r	Multiply 16-bit signed words, scale and round signed doublewords, pack high 16 bits
PMADDUBSW mm1, mm2/m64	0F 38 04 /r	Multiply signed and unsigned bytes, add horizontal pair of signed words, pack saturated signed-words
PHSUBW mm1, mm2/m64	0F 38 05 /r	Subtract and pack 16-bit signed integers horizontally
PHSUBSW mm1, mm2/m64	0F 38 07 /r	Subtract and pack 16-bit signed integer horizontally with saturation
PHSUBD mm1, mm2/m64	0F 38 06 /r	Subtract and pack 32-bit signed integers horizontally
PHADDSW mm1, mm2/m64	0F 38 03 /r	Add and pack 16-bit signed integers horizontally, pack saturated integers to mm1.
PHADDW mm1, mm2/m64	0F 38 01 /r	Add and pack 16-bit integers horizontally
PHADDD mm1, mm2/m64	0F 38 02 /r	Add and pack 32-bit integers horizontally
PALIGNR mm1, mm2/m64, imm8	0F 3A 0F /r ib	Concatenate destination and source operands, extract byte-aligned result shifted to the right
PABSB mm1, mm2/m64	0F 38 1C /r	Compute the absolute value of bytes and store unsigned result
PABSW mm1, mm2/m64	0F 38 1D /r	Compute the absolute value of 16-bit integers and store unsigned result
PABSD mm1, mm2/m64	0F 38 1E /r	Compute the absolute value of 32-bit integers and store unsigned result

Instruction	Opcode	Meaning
ANDPS* xmm1, xmm2/m128	0F 54 /r	Bitwise Logical AND of Packed Single-Precision Floating-Point Values
ANDNPS* xmm1, xmm2/m128	0F 55 /r	Bitwise Logical AND NOT of Packed Single-Precision Floating-Point Values
ORPS* xmm1, xmm2/m128	0F 56 /r	Bitwise Logical OR of Single-Precision Floating-Point Values
XORPS* xmm1, xmm2/m128	0F 57 /r	Bitwise Logical XOR for Single-Precision Floating-Point Values
MOVUPS xmm1, xmm2/m128	0F 10 /r	Move Unaligned Packed Single-Precision Floating-Point Values
MOVSS xmm1, xmm2/m32	F3 0F 10 /r	Move Scalar Single-Precision Floating-Point Values
MOVUPS xmm2/m128, xmm1	0F 11 /r	Move Unaligned Packed Single-Precision Floating-Point Values
MOVSS xmm2/m32, xmm1	F3 0F 11 /r	Move Scalar Single-Precision Floating-Point Values
MOVLPS xmm, m64	0F 12 /r	Move Low Packed Single-Precision Floating-Point Values
MOVHLPS xmm1, xmm2	0F 12 /r	Move Packed Single-Precision Floating-Point Values High to Low
MOVLPS m64, xmm	0F 13 /r	Move Low Packed Single-Precision Floating-Point Values
UNPCKLPS xmm1, xmm2/m128	0F 14 /r	Unpack and Interleave Low Packed Single-Precision Floating-Point Values
UNPCKHPS xmm1, xmm2/m128	0F 15 /r	Unpack and Interleave High Packed Single-Precision Floating-Point Values
MOVHPS xmm, m64	0F 16 /r	Move High Packed Single-Precision Floating-Point Values
MOVLHPS xmm1, xmm2	0F 16 /r	Move Packed Single-Precision Floating-Point Values Low to High
MOVHPS m64, xmm	0F 17 /r	Move High Packed Single-Precision Floating-Point Values
MOVAPS xmm1, xmm2/m128	0F 28 /r	Move Aligned Packed Single-Precision Floating-Point Values
MOVAPS xmm2/m128, xmm1	0F 29 /r	Move Aligned Packed Single-Precision Floating-Point Values
MOVNTPS m128, xmm1	0F 2B /r	Move Aligned Four Packed Single-FP Non Temporal
MOVMSKPS reg, xmm	0F 50 /r	Extract Packed Single-Precision Floating-Point 4-bit Sign Mask. The upper bits of the register are filled with zeros.
CVTPI2PS xmm, mm/m64	0F 2A /r	Convert Packed Dword Integers to Packed Single-Precision FP Values
CVTSI2SS xmm, r/m32	F3 0F 2A /r	Convert Dword Integer to Scalar Single-Precision FP Value
CVTSI2SS xmm, r/m64	F3 REX.W 0F 2A /r	Convert Qword Integer to Scalar Single-Precision FP Value
CVTTPS2PI mm, xmm/m64	0F 2C /r	Convert with Truncation Packed Single-Precision FP Values to Packed Dword Integers
CVTTSS2SI r32, xmm/m32	F3 0F 2C /r	Convert with Truncation Scalar Single-Precision FP Value to Dword Integer
CVTTSS2SI r64, xmm1/m32	F3 REX.W 0F 2C /r	Convert with Truncation Scalar Single-Precision FP Value to Qword Integer
CVTPS2PI mm, xmm/m64	0F 2D /r	Convert Packed Single-Precision FP Values to Packed Dword Integers
CVTSS2SI r32, xmm/m32	F3 0F 2D /r	Convert Scalar Single-Precision FP Value to Dword Integer
CVTSS2SI r64, xmm1/m32	F3 REX.W 0F 2D /r	Convert Scalar Single-Precision FP Value to Qword Integer
UCOMISS xmm1, xmm2/m32	0F 2E /r	Unordered Compare Scalar Single-Precision Floating-Point Values and Set EFLAGS
COMISS xmm1, xmm2/m32	0F 2F /r	Compare Scalar Ordered Single-Precision Floating-Point Values and Set EFLAGS
SQRTPS xmm1, xmm2/m128	0F 51 /r	Compute Square Roots of Packed Single-Precision Floating-Point Values
SQRTSS xmm1, xmm2/m32	F3 0F 51 /r	Compute Square Root of Scalar Single-Precision Floating-Point Value
RSQRTPS xmm1, xmm2/m128	0F 52 /r	Compute Reciprocal of Square Root of Packed Single-Precision Floating-Point Value
RSQRTSS xmm1, xmm2/m32	F3 0F 52 /r	Compute Reciprocal of Square Root of Scalar Single-Precision Floating-Point Value
RCPPS xmm1, xmm2/m128	0F 53 /r	Compute Reciprocal of Packed Single-Precision Floating-Point Values
RCPSS xmm1, xmm2/m32	F3 0F 53 /r	Compute Reciprocal of Scalar Single-Precision Floating-Point Values
ADDPS xmm1, xmm2/m128	0F 58 /r	Add Packed Single-Precision Floating-Point Values
ADDSS xmm1, xmm2/m32	F3 0F 58 /r	Add Scalar Single-Precision Floating-Point Values
MULPS xmm1, xmm2/m128	0F 59 /r	Multiply Packed Single-Precision Floating-Point Values
MULSS xmm1, xmm2/m32	F3 0F 59 /r	Multiply Scalar Single-Precision Floating-Point Values
SUBPS xmm1, xmm2/m128	0F 5C /r	Subtract Packed Single-Precision Floating-Point Values
SUBSS xmm1, xmm2/m32	F3 0F 5C /r	Subtract Scalar Single-Precision Floating-Point Values
MINPS xmm1, xmm2/m128	0F 5D /r	Return Minimum Packed Single-Precision Floating-Point Values
MINSS xmm1, xmm2/m32	F3 0F 5D /r	Return Minimum Scalar Single-Precision Floating-Point Values
DIVPS xmm1, xmm2/m128	0F 5E /r	Divide Packed Single-Precision Floating-Point Values
DIVSS xmm1, xmm2/m32	F3 0F 5E /r	Divide Scalar Single-Precision Floating-Point Values
MAXPS xmm1, xmm2/m128	0F 5F /r	Return Maximum Packed Single-Precision Floating-Point Values
MAXSS xmm1, xmm2/m32	F3 0F 5F /r	Return Maximum Scalar Single-Precision Floating-Point Values
LDMXCSR m32	0F AE /2	Load MXCSR Register State
STMXCSR m32	0F AE /3	Store MXCSR Register State
CMPPS xmm1, xmm2/m128, imm8	0F C2 /r ib	Compare Packed Single-Precision Floating-Point Values
CMPSS xmm1, xmm2/m32, imm8	F3 0F C2 /r ib	Compare Scalar Single-Precision Floating-Point Values
SHUFPS xmm1, xmm2/m128, imm8	0F C6 /r ib	Shuffle Packed Single-Precision Floating-Point Values

Instruction	Opcode	Meaning
MOVAPD xmm1, xmm2/m128	66 0F 28 /r	Move Aligned Packed Double-Precision Floating-Point Values
MOVAPD xmm2/m128, xmm1	66 0F 29 /r	Move Aligned Packed Double-Precision Floating-Point Values
MOVNTPD m128, xmm1	66 0F 2B /r	Store Packed Double-Precision Floating-Point Values Using Non-Temporal Hint
MOVHPD xmm1, m64	66 0F 16 /r	Move High Packed Double-Precision Floating-Point Value
MOVHPD m64, xmm1	66 0F 17 /r	Move High Packed Double-Precision Floating-Point Value
MOVLPD xmm1, m64	66 0F 12 /r	Move Low Packed Double-Precision Floating-Point Value
MOVLPD m64, xmm1	66 0F 13/r	Move Low Packed Double-Precision Floating-Point Value
MOVUPD xmm1, xmm2/m128	66 0F 10 /r	Move Unaligned Packed Double-Precision Floating-Point Values
MOVUPD xmm2/m128, xmm1	66 0F 11 /r	Move Unaligned Packed Double-Precision Floating-Point Values
MOVMSKPD reg, xmm	66 0F 50 /r	Extract Packed Double-Precision Floating-Point Sign Mask
MOVSD* xmm1, xmm2/m64	F2 0F 10 /r	Move or Merge Scalar Double-Precision Floating-Point Value
MOVSD xmm1/m64, xmm2	F2 0F 11 /r	Move or Merge Scalar Double-Precision Floating-Point Value

Instruction	Opcode	Meaning
ADDPD xmm1, xmm2/m128	66 0F 58 /r	Add Packed Double-Precision Floating-Point Values
ADDSD xmm1, xmm2/m64	F2 0F 58 /r	Add Low Double-Precision Floating-Point Value
DIVPD xmm1, xmm2/m128	66 0F 5E /r	Divide Packed Double-Precision Floating-Point Values
DIVSD xmm1, xmm2/m64	F2 0F 5E /r	Divide Scalar Double-Precision Floating-Point Value
MAXPD xmm1, xmm2/m128	66 0F 5F /r	Maximum of Packed Double-Precision Floating-Point Values
MAXSD xmm1, xmm2/m64	F2 0F 5F /r	Return Maximum Scalar Double-Precision Floating-Point Value
MINPD xmm1, xmm2/m128	66 0F 5D /r	Minimum of Packed Double-Precision Floating-Point Values
MINSD xmm1, xmm2/m64	F2 0F 5D /r	Return Minimum Scalar Double-Precision Floating-Point Value
MULPD xmm1, xmm2/m128	66 0F 59 /r	Multiply Packed Double-Precision Floating-Point Values
MULSD xmm1,xmm2/m64	F2 0F 59 /r	Multiply Scalar Double-Precision Floating-Point Value
SQRTPD xmm1, xmm2/m128	66 0F 51 /r	Square Root of Double-Precision Floating-Point Values
SQRTSD xmm1,xmm2/m64	F2 0F 51/r	Compute Square Root of Scalar Double-Precision Floating-Point Value
SUBPD xmm1, xmm2/m128	66 0F 5C /r	Subtract Packed Double-Precision Floating-Point Values
SUBSD xmm1, xmm2/m64	F2 0F 5C /r	Subtract Scalar Double-Precision Floating-Point Value

Instruction	Opcode	Meaning
ANDPD xmm1, xmm2/m128	66 0F 54 /r	Bitwise Logical AND of Packed Double Precision Floating-Point Values
ANDNPD xmm1, xmm2/m128	66 0F 55 /r	Bitwise Logical AND NOT of Packed Double Precision Floating-Point Values
ORPD xmm1, xmm2/m128	66 0F 56/r	Bitwise Logical OR of Packed Double Precision Floating-Point Values
XORPD xmm1, xmm2/m128	66 0F 57/r	Bitwise Logical XOR of Packed Double Precision Floating-Point Values

Instruction	Opcode	Meaning
CMPPD xmm1, xmm2/m128, imm8	66 0F C2 /r ib	Compare Packed Double-Precision Floating-Point Values
CMPSD* xmm1, xmm2/m64, imm8	F2 0F C2 /r ib	Compare Low Double-Precision Floating-Point Values
COMISD xmm1, xmm2/m64	66 0F 2F /r	Compare Scalar Ordered Double-Precision Floating-Point Values and Set EFLAGS
UCOMISD xmm1, xmm2/m64	66 0F 2E /r	Unordered Compare Scalar Double-Precision Floating-Point Values and Set EFLAGS

Instruction	Opcode	Meaning
SHUFPD xmm1, xmm2/m128, imm8	66 0F C6 /r ib	Packed Interleave Shuffle of Pairs of Double-Precision Floating-Point Values
UNPCKHPD xmm1, xmm2/m128	66 0F 15 /r	Unpack and Interleave High Packed Double-Precision Floating-Point Values
UNPCKLPD xmm1, xmm2/m128	66 0F 14 /r	Unpack and Interleave Low Packed Double-Precision Floating-Point Values

Instruction	Opcode	Meaning
CVTDQ2PD xmm1, xmm2/m64	F3 0F E6 /r	Convert Packed Doubleword Integers to Packed Double-Precision Floating-Point Values
CVTDQ2PS xmm1, xmm2/m128	0F 5B /r	Convert Packed Doubleword Integers to Packed Single-Precision Floating-Point Values
CVTPD2DQ xmm1, xmm2/m128	F2 0F E6 /r	Convert Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
CVTPD2PI mm, xmm/m128	66 0F 2D /r	Convert Packed Double-Precision FP Values to Packed Dword Integers
CVTPD2PS xmm1, xmm2/m128	66 0F 5A /r	Convert Packed Double-Precision Floating-Point Values to Packed Single-Precision Floating-Point Values
CVTPI2PD xmm, mm/m64	66 0F 2A /r	Convert Packed Dword Integers to Packed Double-Precision FP Values
CVTPS2DQ xmm1, xmm2/m128	66 0F 5B /r	Convert Packed Single-Precision Floating-Point Values to Packed Signed Doubleword Integer Values
CVTPS2PD xmm1, xmm2/m64	0F 5A /r	Convert Packed Single-Precision Floating-Point Values to Packed Double-Precision Floating-Point Values
CVTSD2SI r32, xmm1/m64	F2 0F 2D /r	Convert Scalar Double-Precision Floating-Point Value to Doubleword Integer
CVTSD2SI r64, xmm1/m64	F2 REX.W 0F 2D /r	Convert Scalar Double-Precision Floating-Point Value to Quadword Integer With Sign Extension
CVTSD2SS xmm1, xmm2/m64	F2 0F 5A /r	Convert Scalar Double-Precision Floating-Point Value to Scalar Single-Precision Floating-Point Value
CVTSI2SD xmm1, r32/m32	F2 0F 2A /r	Convert Doubleword Integer to Scalar Double-Precision Floating-Point Value
CVTSI2SD xmm1, r/m64	F2 REX.W 0F 2A /r	Convert Quadword Integer to Scalar Double-Precision Floating-Point value
CVTSS2SD xmm1, xmm2/m32	F3 0F 5A /r	Convert Scalar Single-Precision Floating-Point Value to Scalar Double-Precision Floating-Point Value
CVTTPD2DQ xmm1, xmm2/m128	66 0F E6 /r	Convert with Truncation Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
CVTTPD2PI mm, xmm/m128	66 0F 2C /r	Convert with Truncation Packed Double-Precision FP Values to Packed Dword Integers
CVTTPS2DQ xmm1, xmm2/m128	F3 0F 5B /r	Convert with Truncation Packed Single-Precision Floating-Point Values to Packed Signed Doubleword Integer Values
CVTTSD2SI r32, xmm1/m64	F2 0F 2C /r	Convert with Truncation Scalar Double-Precision Floating-Point Value to Signed Dword Integer
CVTTSD2SI r64, xmm1/m64	F2 REX.W 0F 2C /r	Convert with Truncation Scalar Double-Precision Floating-Point Value To Signed Qword Integer

Instruction	Opcode	Meaning
MOVD xmm, r/m32	66 0F 6E /r	Move doubleword
MOVD r/m32, xmm	66 0F 7E /r	Move doubleword
MOVQ xmm1, xmm2/m64	F3 0F 7E /r	Move quadword
MOVQ xmm2/m64, xmm1	66 0F D6 /r	Move quadword
MOVQ r/m64, xmm	66 REX.W 0F 7E /r	Move quadword
MOVQ xmm, r/m64	66 REX.W 0F 6E /r	Move quadword
PMOVMSKB reg, xmm	66 0F D7 /r	Move a byte mask, zeroing the upper bits of the register
PEXTRW reg, xmm, imm8	66 0F C5 /r ib	Extract specified word and move it to reg, setting bits 15-0 and zeroing the rest
PINSRW xmm, r32/m16, imm8	66 0F C4 /r ib	Move low word at the specified word position
PACKSSDW xmm1, xmm2/m128	66 0F 6B /r	Converts 4 packed signed doubleword integers into 8 packed signed word integers with saturation
PACKSSWB xmm1, xmm2/m128	66 0F 63 /r	Converts 8 packed signed word integers into 16 packed signed byte integers with saturation
PACKUSWB xmm1, xmm2/m128	66 0F 67 /r	Converts 8 signed word integers into 16 unsigned byte integers with saturation
PADDB xmm1, xmm2/m128	66 0F FC /r	Add packed byte integers
PADDW xmm1, xmm2/m128	66 0F FD /r	Add packed word integers
PADDD xmm1, xmm2/m128	66 0F FE /r	Add packed doubleword integers
PADDQ xmm1, xmm2/m128	66 0F D4 /r	Add packed quadword integers.
PADDSB xmm1, xmm2/m128	66 0F EC /r	Add packed signed byte integers with saturation
PADDSW xmm1, xmm2/m128	66 0F ED /r	Add packed signed word integers with saturation
PADDUSB xmm1, xmm2/m128	66 0F DC /r	Add packed unsigned byte integers with saturation
PADDUSW xmm1, xmm2/m128	66 0F DD /r	Add packed unsigned word integers with saturation
PAND xmm1, xmm2/m128	66 0F DB /r	Bitwise AND
PANDN xmm1, xmm2/m128	66 0F DF /r	Bitwise AND NOT
POR xmm1, xmm2/m128	66 0F EB /r	Bitwise OR
PXOR xmm1, xmm2/m128	66 0F EF /r	Bitwise XOR
PCMPEQB xmm1, xmm2/m128	66 0F 74 /r	Compare packed bytes for equality.
PCMPEQW xmm1, xmm2/m128	66 0F 75 /r	Compare packed words for equality.
PCMPEQD xmm1, xmm2/m128	66 0F 76 /r	Compare packed doublewords for equality.
PCMPGTB xmm1, xmm2/m128	66 0F 64 /r	Compare packed signed byte integers for greater than
PCMPGTW xmm1, xmm2/m128	66 0F 65 /r	Compare packed signed word integers for greater than
PCMPGTD xmm1, xmm2/m128	66 0F 66 /r	Compare packed signed doubleword integers for greater than
PMULLW xmm1, xmm2/m128	66 0F D5 /r	Multiply packed signed word integers with saturation
PMULHW xmm1, xmm2/m128	66 0F E5 /r	Multiply the packed signed word integers, store the high 16 bits of the results
PMULHUW xmm1, xmm2/m128	66 0F E4 /r	Multiply packed unsigned word integers, store the high 16 bits of the results
PMULUDQ xmm1, xmm2/m128	66 0F F4 /r	Multiply packed unsigned doubleword integers
PSLLW xmm1, xmm2/m128	66 0F F1 /r	Shift words left while shifting in 0s
PSLLW xmm1, imm8	66 0F 71 /6 ib	Shift words left while shifting in 0s
PSLLD xmm1, xmm2/m128	66 0F F2 /r	Shift doublewords left while shifting in 0s
PSLLD xmm1, imm8	66 0F 72 /6 ib	Shift doublewords left while shifting in 0s
PSLLQ xmm1, xmm2/m128	66 0F F3 /r	Shift quadwords left while shifting in 0s
PSLLQ xmm1, imm8	66 0F 73 /6 ib	Shift quadwords left while shifting in 0s
PSRAD xmm1, xmm2/m128	66 0F E2 /r	Shift doubleword right while shifting in sign bits
PSRAD xmm1, imm8	66 0F 72 /4 ib	Shift doublewords right while shifting in sign bits
PSRAW xmm1, xmm2/m128	66 0F E1 /r	Shift words right while shifting in sign bits
PSRAW xmm1, imm8	66 0F 71 /4 ib	Shift words right while shifting in sign bits
PSRLW xmm1, xmm2/m128	66 0F D1 /r	Shift words right while shifting in 0s
PSRLW xmm1, imm8	66 0F 71 /2 ib	Shift words right while shifting in 0s
PSRLD xmm1, xmm2/m128	66 0F D2 /r	Shift doublewords right while shifting in 0s
PSRLD xmm1, imm8	66 0F 72 /2 ib	Shift doublewords right while shifting in 0s
PSRLQ xmm1, xmm2/m128	66 0F D3 /r	Shift quadwords right while shifting in 0s
PSRLQ xmm1, imm8	66 0F 73 /2 ib	Shift quadwords right while shifting in 0s
PSUBB xmm1, xmm2/m128	66 0F F8 /r	Subtract packed byte integers
PSUBW xmm1, xmm2/m128	66 0F F9 /r	Subtract packed word integers
PSUBD xmm1, xmm2/m128	66 0F FA /r	Subtract packed doubleword integers
PSUBQ xmm1, xmm2/m128	66 0F FB /r	Subtract packed quadword integers.
PSUBSB xmm1, xmm2/m128	66 0F E8 /r	Subtract packed signed byte integers with saturation
PSUBSW xmm1, xmm2/m128	66 0F E9 /r	Subtract packed signed word integers with saturation
PMADDWD xmm1, xmm2/m128	66 0F F5 /r	Multiply the packed word integers, add adjacent doubleword results
PSUBUSB xmm1, xmm2/m128	66 0F D8 /r	Subtract packed unsigned byte integers with saturation
PSUBUSW xmm1, xmm2/m128	66 0F D9 /r	Subtract packed unsigned word integers with saturation
PUNPCKHBW xmm1, xmm2/m128	66 0F 68 /r	Unpack and interleave high-order bytes
PUNPCKHWD xmm1, xmm2/m128	66 0F 69 /r	Unpack and interleave high-order words
PUNPCKHDQ xmm1, xmm2/m128	66 0F 6A /r	Unpack and interleave high-order doublewords
PUNPCKLBW xmm1, xmm2/m128	66 0F 60 /r	Interleave low-order bytes
PUNPCKLWD xmm1, xmm2/m128	66 0F 61 /r	Interleave low-order words
PUNPCKLDQ xmm1, xmm2/m128	66 0F 62 /r	Interleave low-order doublewords
PAVGB xmm1, xmm2/m128	66 0F E0, /r	Average packed unsigned byte integers with rounding
PAVGW xmm1, xmm2/m128	66 0F E3 /r	Average packed unsigned word integers with rounding
PMINUB xmm1, xmm2/m128	66 0F DA /r	Compare packed unsigned byte integers and store packed minimum values
PMINSW xmm1, xmm2/m128	66 0F EA /r	Compare packed signed word integers and store packed minimum values
PMAXSW xmm1, xmm2/m128	66 0F EE /r	Compare packed signed word integers and store maximum packed values
PMAXUB xmm1, xmm2/m128	66 0F DE /r	Compare packed unsigned byte integers and store packed maximum values
PSADBW xmm1, xmm2/m128	66 0F F6 /r	Computes the absolute differences of the packed unsigned byte integers; the 8 low differences and 8 high differences are then summed separately to produce two unsigned word integer results

Instruction	Opcode	Meaning
MASKMOVDQU xmm1, xmm2	66 0F F7 /r	Non-Temporal Store of Selected Bytes from an XMM Register into Memory
MOVDQ2Q mm, xmm	F2 0F D6 /r	Move low quadword from XMM to MMX register.
MOVDQA xmm1, xmm2/m128	66 0F 6F /r	Move aligned double quadword
MOVDQA xmm2/m128, xmm1	66 0F 7F /r	Move aligned double quadword
MOVDQU xmm1, xmm2/m128	F3 0F 6F /r	Move unaligned double quadword
MOVDQU xmm2/m128, xmm1	F3 0F 7F /r	Move unaligned double quadword
MOVQ2DQ xmm, mm	F3 0F D6 /r	Move quadword from MMX register to low quadword of XMM register
MOVNTDQ m128, xmm1	66 0F E7 /r	Store Packed Integers Using Non-Temporal Hint
PSHUFHW xmm1, xmm2/m128, imm8	F3 0F 70 /r ib	Shuffle packed high words.
PSHUFLW xmm1, xmm2/m128, imm8	F2 0F 70 /r ib	Shuffle packed low words.
PSHUFD xmm1, xmm2/m128, imm8	66 0F 70 /r ib	Shuffle packed doublewords.
PSLLDQ xmm1, imm8	66 0F 73 /7 ib	Packed shift left logical double quadwords.
PSRLDQ xmm1, imm8	66 0F 73 /3 ib	Packed shift right logical double quadwords.
PUNPCKHQDQ xmm1, xmm2/m128	66 0F 6D /r	Unpack and interleave high-order quadwords,
PUNPCKLQDQ xmm1, xmm2/m128	66 0F 6C /r	Interleave low quadwords,