Nopl: Difference between revisions
(Add undocumented section) |
(Finish birth of multi-byte NOP) |
||
| Line 35: | Line 35: | ||
I'm not sure why, but third party x86 CPUs aside from AMD didn't implement these NOPs. Perhaps Intel kept this patent close to their heart? Or maybe it's just not worth spending silicon and research on NOPs that nobody used? | I'm not sure why, but third party x86 CPUs aside from AMD didn't implement these NOPs. Perhaps Intel kept this patent close to their heart? Or maybe it's just not worth spending silicon and research on NOPs that nobody used? | ||
== The birth of multi-byte NOP == | |||
In 2006 Intel released an [https://ragestorm.net/downloads/25366719.pdf updated IA-32 Intel Architecture Software Developer's Manual]. In addition to the standard one byte NOP op code, the multi-byte opcode was documented. This NOP could be from 2 to 9 bytes long, much longer than a single byte NOP. This is a pretty useful instruction for aligning code and data in memory. The only thing weird about this instruction is that it was marked as available on Pentium Pro and newer machines despite being documented in 2006. It turned out that Intel had recycled one of their hinting NOPs (0F 1F) as a new instruction. | |||
Someone pointed this out on the Intel forum in the thread [https://community.intel.com/t5/Software-Archive/Multi-byte-NOP-opcode-made-official/td-p/932580 Multi-byte NOP opcode made official]. They had tested and verified the feature and even pointed out that it works on AMD processors despite this instruction not being documented anywhere. They asked a few hard hitting questions to Intel: | |||
* Why was this opcode secret? | |||
* Why does it work on AMD CPUs? | |||
* Why does AMD recommend an opcode of 66 66 66 90 for multi-byte NOPs? | |||
Intel got back to them with a 'this information is Intel Confidential and would require an NDA to discuss' reply. NOPs are definitely serious business. | |||
I'm going to just go out and guess that AMD recommended the 66 90 opcode series because their CPUs optimized it and it worked on older machines. While with Intel their solution seems to be to recycle their trash. | |||
In 2007 Symantec wrote a blog post [https://web.archive.org/web/20070221081630/http://www.symantec.com/enterprise/security_response/weblog/2007/02/x86_fetchdecode_anomalies.html x86 Fetch-Decode Anomalies] showing that Intel's hinting NOP opcode they assigned to the multi-byte NOP actually will attempt to fetch memory (and even page fault) if you instruct it to. This isn't a problem in practice, but it gives more evidence this opcode isn't strictly a NOP. | |||
Revision as of 14:48, 26 January 2022
During research for my Geode Repair projects, I found something incredibly weird so this page is my attempt to write it down.
Background
The AMD Geode LX800 CPU is an incredibly strange CPU. Despite being branded AMD, it's a descendant of the Cyrix MediaGX with a ton of features stapled on.
It implements the following instruction sets:
- Pentium (i586)
- Pentium Pro (i686)
- MMX
- Extended MMX
- 3DNow!
- Enhanced 3DNow!
- Extra AMD Geode instructions
Notably the machine does not support PAE (Physical Address Extension). This may be why the CPUID identifies as family 5 (Pentium), not family 6 (Pentium Pro). This is all according to my reading of the AMD Geode LX Processors Data Book.
In contrast, some CPUs like the VIA C3 marked their CPU as family 6 without implementing the instruction set specified in the Pentium Pro Family Developer's Manual Volume 2. Most notably the 'CMOV' instruction.
But in theory, you could run an i686 system on the Geode without PAE. In practice it's a bit more complicated.
Undocumented i686 instructions
In 1995 Intel released the Pentium Pro and its developer manual documenting the entire instruction set.
By 1997 Christian Ludloff had created a map of 2 byte x86 opcodes. This confirmed Intel's documentation, but included a few unknown opcodes: 0F 34, 0F 35, as well as 0F 18 through 0F 1F.
In 1997 those first two opcodes 0F 34 and 0F 35 were determined to be Pentium II SYSENTER and SYSEXIT instructions despite Intel only documenting this later in 1999. It turns out the instructions were available on the Pentium Pro but broken. See SYSENTER, Where Are you? for a good summary of this situation.
Hilariously enough, the Geode LX800 identifies as a Pentium but supports the SYSENTER and SYSEXIT instructions introduced in the Pentium Pro and finally made useful in the Pentium II. Weird.
In 1998 Christian Ludloff documented in his updated map of 2 byte x86 opcodes that the 0F 18 through 0F 1F range of opcodes were hinting NOPs. The first being the 0F 18 opcode which maps to PREFETCHh instructions. I believe this information was documented first in the Intel Architecture Optimization Reference Manual.
Later in 2003 Christian Ludloff clarified in an email thread Undocumented opcodes (HINT_NOP) that these hinting NOPs were declared by Intel in their 1995 patent US5701442. The idea behind this patent from my reading is that you can encode a program written in another ISA as a series of opcodes that are run as NOPs on older machines and the new ISA on a newer machine.
I'm not sure why, but third party x86 CPUs aside from AMD didn't implement these NOPs. Perhaps Intel kept this patent close to their heart? Or maybe it's just not worth spending silicon and research on NOPs that nobody used?
The birth of multi-byte NOP
In 2006 Intel released an updated IA-32 Intel Architecture Software Developer's Manual. In addition to the standard one byte NOP op code, the multi-byte opcode was documented. This NOP could be from 2 to 9 bytes long, much longer than a single byte NOP. This is a pretty useful instruction for aligning code and data in memory. The only thing weird about this instruction is that it was marked as available on Pentium Pro and newer machines despite being documented in 2006. It turned out that Intel had recycled one of their hinting NOPs (0F 1F) as a new instruction.
Someone pointed this out on the Intel forum in the thread Multi-byte NOP opcode made official. They had tested and verified the feature and even pointed out that it works on AMD processors despite this instruction not being documented anywhere. They asked a few hard hitting questions to Intel:
- Why was this opcode secret?
- Why does it work on AMD CPUs?
- Why does AMD recommend an opcode of 66 66 66 90 for multi-byte NOPs?
Intel got back to them with a 'this information is Intel Confidential and would require an NDA to discuss' reply. NOPs are definitely serious business.
I'm going to just go out and guess that AMD recommended the 66 90 opcode series because their CPUs optimized it and it worked on older machines. While with Intel their solution seems to be to recycle their trash.
In 2007 Symantec wrote a blog post x86 Fetch-Decode Anomalies showing that Intel's hinting NOP opcode they assigned to the multi-byte NOP actually will attempt to fetch memory (and even page fault) if you instruct it to. This isn't a problem in practice, but it gives more evidence this opcode isn't strictly a NOP.