Intel® Pentium® Processor
Invalid Instruction Erratum Overview

Invalid Instruction Errata Home Software Vendor Statements How to Contact Us
Software Backgrounder
Updated Nov. 20 1997


Erratum Technical Description Updated Nov. 20 1997

Software Backgrounder ? Workaround for "Invalid Operand with Locked CMPXCHG8B Instruction Erratum (v0.9)"

The LOCK Prefix

Some types of programs perform computations that require data accesses to have a specific ordering. These types of programs most commonly include operating systems, database engines, and applications for multiple processors. To ensure the ordering of data accesses, these programs use synchronization. Synchronization may be done by either software or hardware methods, but most programs use hardware synchronization for efficiency. Hardware synchronization usually involves reading and updating a memory location, with the hardware ensuring that the sequence is done in one operation. Such a combined operation is called a locked access. Intel processors support locked accesses by an instruction feature called the lock prefix. This feature tells the processor that an instruction that updates memory is to be processed as a locked access to memory.

The CMPXCHG8B Instruction

Beginning with the Pentium® processor, Intel processors have provided special hardware support for synchronization using the CMPXCHG8B (compare and exchange 8 bytes) instruction. This instruction compares a specified memory location with processor registers, and conditionally updates the 8-byte memory location. When used with the lock prefix, this instruction provides very flexible hardware support for synchronization.

The Erratum

In Pentium processors, Pentium processors with MMX™ technology, Pentium OverDrive® processors, and Pentium OverDrive processors with MMX technology there is an erratum that affects the lock prefix on a CMPXCHG8B instruction with a register destination. This erratum does not affect the Pentium® Pro processor, Pentium® II processor, or the Intel486™ and earlier processors. The documented use of the CMPXCHG8B instruction requires an 8-byte memory destination; attempting to use a CMPXCHG8B to update a 4-byte processor register is a program error. A computer?s operating system typically processes program errors through error handling routines. The erratum may cause an unexpected system freeze, preventing the program error from being processed by the error handling routine.

The affected form of the instruction is not contained in any operating system or other application known to Intel, nor is there any reasonable purpose for a software tool to generate it. Hence user software should not be affected. However, it is possible for a malicious program to use this instruction to cause a system freeze. The system freeze will not affect data that a user has already saved to disk. When the system is restarted all saved data will still be available.

The Workarounds

Intel has developed two workarounds for this erratum that can be incorporated by operating systems vendors. Both workarounds take advantage of the memory management support provided by Intel processors. The first workaround takes advantage of the fact that locating the error handling routine normally only involves a read from memory. The workaround marks the memory accessed by an affected instruction to prohibit writing. When an affected instruction is processed and the processor attempts to locate the error handling routine, it appears to be writing this memory. The attempt to write causes a page fault. While processing the page fault the program error is dispatched to the error handling routine, and the operating system continues normally.

The second workaround also relies upon a page fault being processed before the program error handling routine. The page fault prevents the memory bus lock caused by the lock prefix. The workaround marks the memory used to find the error handling routine as not present in memory. When an affected instruction is processed the processor attempts to read memory to find the error handling routine. Since that memory is marked not present, the processor is made to encounter a page fault. While processing the page fault the program error is dispatched to the error handling routine as expected. The operating system then continues normally.

If you are an operating system vendor and would like further information about the erratum or the workaround, call Intel Customer Support. Please identify yourself as an operating system vendor.

This applies to:

Intel® Pentium® Processor
Intel® Pentium® Processor with MMX™ Technology
OverDrive® Processors

Solution ID: CS-013152
Last Modified: 10-Feb-2015
Date Created: 12-Jul-2004
Back to Top