X86 instruction listings
==== Added with [[80286]] ====
The new instructions added in 80286 add support for x86 [[protected mode]]. Some but not all of the instructions are available in [[real mode]] as well.

{{sticky header}}
{| class="wikitable sortable sticky-header"
! Instruction !! Opcode !! Instruction description !! Real mode !! [[Protection ring|Ring]]
|-
! colspan="5" |
|-
| <code>LGDT m16&32</code>{{efn|name=gdt_idt_descriptor|text=The descriptors used by the <code>LGDT</code>, <code>LIDT</code>, <code>SGDT</code> and <code>SIDT</code> instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.<br />For <code>LGDT</code> and <code>LIDT</code> with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the <code>SGDT</code> and <code>SIDT</code> instructions with a 16-bit operand size are – as of Intel SDM revision 079 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.<ref>Michal Necasek, SGDT/SIDT Fiction and Reality. [https://web.archive.org/web/20231129085923/https://www.os2museum.com/wp/sgdtsidt-fiction-and-reality/ Archived] on 29 Nov 2023.</ref>}}
| <code>0F 01 /2</code>
| Load GDTR ([[Global Descriptor Table]] Register) from memory.{{efn|name=i286_serialize|text=The <code>LGDT</code>, <code>LIDT</code>, <code>LLDT</code> and <code>LTR</code> instructions are serializing on [[Pentium (original)|Pentium]] and later processors.}}
| rowspan="4" {{yes}}
| rowspan="6" {{no|0}}
|-
| {{nowrap|<code>LIDT m16&32</code>{{efn|name=gdt_idt_descriptor}}}}
| <code>0F 01 /3</code>
| Load IDTR (Interrupt Descriptor Table Register) from memory.{{efn|name=i286_serialize}}<br />The IDTR controls not just the address/size of the IDT ([[Interrupt Descriptor Table]]) in [[protected mode]], but the IVT (Interrupt Vector Table) in [[real mode]] as well.
|-
| <code>LMSW r/m16</code>
| <code>0F 01 /6</code>
| Load MSW (Machine Status Word) from 16-bit register or memory.{{efn|text=The <code>LMSW</code> instruction is serializing on Intel processors from [[Pentium (original)|Pentium]] onwards, but not on AMD processors.}}{{efn|text=On 80386 and later, the "Machine Status Word" is the same as the [[Control register#CR0|CR0 control register]] – however, the <code>LMSW</code> instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means that <code>LMSW</code> can be used to enter but not leave x86 [[Protected Mode]].<br />On 80286, it is not possible to leave Protected Mode at all (neither with <code>LMSW</code> nor with <code>LOADALL</code><ref name="loadall286_doc"/>) without a [[Hardware reset|CPU reset]] – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-later <code>MOV</code> to <code>CR0</code> instruction.}}
|-
| <code>CLTS</code>
| <code>0F 06</code>
| Clear task-switched flag in the MSW.
|-
| <code>LLDT r/m16</code>
| <code>0F 00 /2</code>
| Load LDTR (Local Descriptor Table Register) from 16-bit register or memory.{{efn|name=i286_serialize}}
| rowspan="2" {{no|#UD}}
|-
| <code>[[Load Task Register|LTR]] r/m16</code>
| <code>0F 00 /3</code>
| Load TR (Task Register) from 16-bit register or memory.{{efn|name=i286_serialize}} The TSS ([[Task State Segment]]) specified by the 16-bit argument is marked busy, but a task switch is not done.
|-
! colspan="5" |
|-
| {{nowrap|<code>SGDT m16&32</code>{{efn|name=gdt_idt_descriptor}}}}
| <code>0F 01 /0</code>
| Store GDTR to memory.
| rowspan="3" {{yes}}
| rowspan="5" {{yes2|Usually 3{{efn|text=If <code>[[Control register #CR4|CR4]].UMIP=1</code> is set, then the <code>SGDT</code>, <code>SIDT</code>, <code>SLDT</code>, <code>SMSW</code> and <code>STR</code> instructions can only run in Ring 0.<br />These instructions were unprivileged on all x86 CPUs from 80286 onwards until the introduction of UMIP in 2017.<ref>WikiChip, [https://en.wikichip.org/wiki/x86/umip UMIP – x86]. [https://web.archive.org/web/20230316111706/https://en.wikichip.org/wiki/x86/umip Archived] on 16 Mar 2023.</ref> This has been a significant security problem for software-based virtualization, since it enables these instructions to be used by a VM guest to detect that it is running inside a VM.<ref>Oracle Corp, [https://docs.oracle.com/en/virtualization/virtualbox/6.0/admin/swvirt-details.html Oracle® VM VirtualBox Administrator's Guide for Release 6.0, section 3.5: Details About Software Virtualization]. [https://web.archive.org/web/20231208205121/https://docs.oracle.com/en/virtualization/virtualbox/6.0/admin/swvirt-details.html Archived] on 8 Dec 2023.</ref>}}}}
|-
| <code>SIDT m16&32</code>{{efn|name=gdt_idt_descriptor}}
| <code>0F 01 /1</code>
| Store IDTR to memory.
|-
| <code>SMSW r/m16</code>
| <code>0F 01 /4</code>
| Store MSW to register or 16-bit memory.{{efn|name=i286_extend16}}
|-
| <code>SLDT r/m16</code>
| <code>0F 00 /0</code>
| Store LDTR to register or 16-bit memory.{{efn|name=i286_extend16|text=The <code>SMSW</code>, <code>SLDT</code> and <code>STR</code> instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows:
* <code>SMSW</code>: Stores full [[Control register#CR0|CR0]] in x86-64 [[long mode]], undefined otherwise.
* <code>SLDT</code>: Zero-extends 16-bit argument on [[Pentium Pro]] and later processors, undefined on earlier processors.
* <code>STR</code>: Zero-extends 16-bit argument.}}
| rowspan="2" {{no|#UD}}
|-
| <code>STR r/m16</code>
| <code>0F 00 /1</code>
| Store TR to register or 16-bit memory.{{efn|name=i286_extend16}}
|-
! colspan="5" |
|-
| {{nowrap|<code>ARPL r/m16,r16</code>}}
| <code>63 /r</code>{{efn|In 64-bit [[long mode]], the <code>ARPL</code> instruction is not available – the {{nowrap|<code>63 /r</code>}} opcode has been reassigned to the 64-bit-mode-only <code>MOVSXD</code> instruction.}}
| Adjust RPL (Requested [[Protection ring#Privilege level|Privilege Level]]) field of selector. The operation performed is:<pre>
if (dst & 3) < (src & 3) then
   dst = (dst & 0xFFFC) | (src & 3)
   eflags.zf = 1
else
   eflags.zf = 0</pre>
| {{no|#UD{{efn|The <code>ARPL</code> instruction causes #UD in [[Real mode]] and [[Virtual 8086 Mode]] – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the <code>63</code> opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.<ref>Andrew Schulman, "Unauthorized Windows 95" ({{ISBN|1-56884-169-8}}), chapter 8, p.249,257.</ref><ref>[https://patents.google.com/patent/US4974159A/ US Patent 4974159], "Method of transferring control in a multitasking computer system" mentions 63h/ARPL.</ref>}}}}
| rowspan="5" {{yes|3}}
|-
| <code>LAR r,r/m16</code>
| <code>0F 02 /r</code>
| Load access rights byte from the specified [[segment descriptor]].<br />Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with <code>0x00FxFF00</code>,{{efn|text=Bits 19:16 of this mask are documented as "undefined" on Intel CPUs.<ref>Intel, [https://ardent-tool.com/CPU/docs/Intel/Pentium/241430-004.pdf Pentium® Processor Family Developer’s Manual, Volume 3], 1995, order no. 241430-004, section 12.7, p. 323</ref> On AMD CPUs, the mask is documented as <code>0x00FFFF00</code>.}} then stores the bottom 16/32 bits of the result in destination register. Sets [[FLAGS register|EFLAGS]].ZF=1 if the descriptor could be loaded, ZF=0 otherwise.{{efn|name=lar_lsl_unmod|1=For the <code>LAR</code> and <code>LSL</code> instructions, if the specified segment descriptor could not be loaded, then the instruction's destination register is left unmodified.}}
| rowspan="4" {{no|#UD}}
|-
| <code>LSL r,r/m16</code>
| <code>0F 03 /r</code>
| Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise.{{efn|name=lar_lsl_unmod}}
|-
| <code>VERR r/m16</code>
| {{nowrap|<code>0F 00 /4</code>}}
| Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise.
|-
| <code>VERW r/m16</code>
| <code>0F 00 /5</code>
| Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise.{{efn|text=On some Intel CPU/microcode combinations from 2019 onwards, the <code>VERW</code> instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds for [[Microarchitectural Data Sampling]] security vulnerabilities.<ref>Intel, [https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html How Microarchitectural Data Sampling works], see mitigations section. [https://archive.today/20220422211750/https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html Archived] on Apr 22, 2022</ref><ref>Linux kernel documentation, [https://www.kernel.org/doc/html/latest/x86/mds.html Microarchitectural Data Sampling (MDS) mitigation] {{Webarchive|url=https://web.archive.org/web/20201021233511/https://www.kernel.org/doc/html/latest/x86/mds.html |date=2020-10-21 }}</ref> Some of the microarchitectural buffer-flushing functions that have been added to <code>VERW</code> may require the instruction to be executed with a memory operand.<ref>Intel, [https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html?wapkw=VERW Processor MMIO Stale Data Vulnerabilities], 14 Jun 2022 - see "VERW Buffer Overwriting Details" section. [https://web.archive.org/web/20241003223701/https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html Archived] on 3 Oct 2024.</ref>}}
|-
! colspan="5" |
|-
| {{unofficial2|align="left"|{{mono| [[LOADALL]]}}{{efn|name=i286_undoc|Undocumented, 80286 only.<ref name="loadall286_doc">Intel, [https://docs.pcjs.org/manuals/intel/80286/80286_LOADALL.pdf Undocumented iAPX 286 Test Instruction]. [https://web.archive.org/web/20231220173720/https://docs.pcjs.org/manuals/intel/80286/80286_LOADALL.pdf Archived] on 20 Dec 2023.</ref><ref>VCF Forums, [https://forum.vcfed.org/index.php?threads/i-found-the-saveall-opcode.71519/ I found the SAVEALL opcode], Jun 21, 2019. [https://web.archive.org/web/20230413203921/https://forum.vcfed.org/index.php?threads/i-found-the-saveall-opcode.71519/ Archived] on 13 Apr 2023.</ref><ref>rep lodsb, [https://rep-lodsb.mataroa.blog/blog/intel-286-secrets-ice-mode-and-f1-0f-04/ Intel 286 secrets: ICE mode and F1 0F 04], Aug 12, 2022. [https://web.archive.org/web/20231208175920/https://rep-lodsb.mataroa.blog/blog/intel-286-secrets-ice-mode-and-f1-0f-04/ Archived] on 8 Dec 2023.</ref> (A different variant of <code>LOADALL</code> with a different opcode and memory layout exists on 80386.)}}}}
| {{unofficial2|align="left"|{{mono| 0F 05}}}}
| Load all CPU registers from a 102-byte data structure starting at physical address <code>800h</code>, including "hidden" part of segment descriptor registers.
| rowspan="2" {{yes}}
| rowspan="2" {{no|0}}
|-
| {{unofficial2|align="left"|{{mono| STOREALL}}{{efn|name=i286_undoc}}}}
| {{unofficial2|align="left"|{{mono| F1 0F 04}}}}
| Store all CPU registers to a 102-byte data structure starting at physical address <code>800h</code>, then shut down CPU.
|}
{{notelist}}
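
The following C program is an added example, not part of the original article: a software model of three operations described in the table above, namely decoding the 6-byte <code>LGDT</code>/<code>SGDT</code> descriptor (including the 00FFFFFFh masking for a 16-bit operand size), the <code>ARPL</code> adjustment, and the <code>LAR</code> masking with the AMD-documented mask. The names <code>pseudo_desc</code>, <code>le32</code>, <code>decode_pseudo_desc</code>, <code>arpl</code> and <code>lar_value</code> are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* 2-part descriptor outside 64-bit mode: 16-bit (size - 1), 32-bit linear base. */
struct pseudo_desc { uint16_t limit; uint32_t base; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the 6-byte memory image. opsize16 != 0 models LGDT/LIDT with a
 * 16-bit operand size, where the address is ANDed with 00FFFFFFh. */
static struct pseudo_desc decode_pseudo_desc(const uint8_t m[6], int opsize16)
{
    struct pseudo_desc d = { (uint16_t)(m[0] | (m[1] << 8)), le32(m + 2) };
    if (opsize16)
        d.base &= 0x00FFFFFFu;
    return d;
}

/* ARPL: if dst's RPL is below src's, raise it to src's RPL. Returns ZF. */
static int arpl(uint16_t *dst, uint16_t src)
{
    if ((*dst & 3) >= (src & 3))
        return 0;
    *dst = (uint16_t)((*dst & 0xFFFC) | (src & 3));
    return 1;
}

/* LAR for a loadable descriptor: bytes 4-7 ANDed with AMD's 0x00FFFF00. */
static uint32_t lar_value(const uint8_t desc[8])
{
    return le32(desc + 4) & 0x00FFFF00u;
}

int main(void)
{
    /* Constructed sample data, not taken from a real system. */
    const uint8_t gdtr_image[6] = {0xFF, 0x07, 0x00, 0x10, 0x20, 0x80};
    const uint8_t code_desc[8] = {0xFF, 0xFF, 0, 0, 0, 0x9A, 0xCF, 0};
    uint16_t sel = 0x0008; /* RPL 0 selector, adjusted against an RPL 3 one */
    struct pseudo_desc d = decode_pseudo_desc(gdtr_image, 1);
    int zf = arpl(&sel, 0x0023);
    printf("base=%#x sel=%#x zf=%d lar=%#x\n", (unsigned)d.base,
           (unsigned)sel, zf, (unsigned)lar_value(code_desc));
    return 0;
}
```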