I was going through some disassembly of a CRT library (the SEH prolog in particular) when I suddenly came across this strange instruction `bnd ret`. Can anyone explain the meaning of the `f2` prefix right before `c3` (the `ret` opcode)?

@fuz That's what I was thinking, but REPNE RET (F2 C3) is used in Intel's MPX extension while it's normally REP RET (F3 C3) that's used to pad out the RET instruction to avoid branch prediction problems on older AMD CPUs. – Ross Ridge Mar 28 '17 at 00:50
-
@Ross That makes sense. But I can't understand how a prefix could avoid branch misprediction. – NTAuthority Mar 28 '17 at 05:12
-
@RossRidge In this case I'm sorry, let me reopen the question. – fuz Mar 28 '17 at 07:44
-
@fuz Well, the original poster apparently agrees with you that it's a duplicate, that's where the Community vote to close would have come from. – Ross Ridge Mar 28 '17 at 07:53
-
I think this answer was closed too quickly. `bnd` is different from `rep`. `bnd` is used in MPX-enabled code to ensure that branches (and returns) are checked. Since it's a no-op if MPX is not supported, always adding it in library functions avoids having to ship two library versions (with and without MPX). – Igor Skochinsky Apr 14 '17 at 17:34
-
@IgorSkochinsky Thanks for shedding light on this! – NTAuthority Apr 14 '17 at 19:24
-
This is a good question that should be opened such that it can be answered. Currently there is no proper answer. – HJLebbink Jul 24 '17 at 13:46
-
I also saw a `bnd jae` (opcodes `f2 73`) in a `__chkstk` implementation. – Jonathan Apr 24 '19 at 14:16
1 Answer
The BND prefix is part of Intel MPX (Memory Protection Extensions) and indicates the return target (or in general the branch target, as BND can be applied to any control flow instruction) should be checked against the bounds specified in the BND0 to BND3 registers, else an exception will be generated -- indicating a potential stack overflow, programming error or malicious code attack.

On processors that do not support Intel MPX, or when MPX is disabled, the BND prefix behaves as a no-op, so there is no need to compile two versions of the code (one with and one without BND prefixes).

Note that the encoding of the BND prefix is the same as that of the REPNE prefix (both are F2h), so older disassemblers that don't know about MPX yet may show this instruction sequence as REPNE RET (or REPNE JMP, REPNE CALL, etc.). This use is unrelated to the REP RET idiom, where the prefix is assumed to have no-op behavior and is used purely to work around a performance issue on older CPUs.

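As an added illustration of why the same byte reads differently depending on what follows it (example code written for this page, not code from the original answer, from any CRT, or from Intel's tooling): the small classifier below looks at an F2/F3 prefix byte and the opcode after it and reports whether the byte is a BND prefix on a near branch, a REPNE/REP string repeat, a byte that is part of a mandatory-prefix opcode, or an XACQUIRE/XRELEASE hint on a LOCK-ed instruction. The byte sequences in the demo are constructed by hand (`f2 c3` is the `bnd ret` from the question, `f2 73` the `bnd jae` from the comments, `f3 c3` the `rep ret` padding idiom). It is deliberately a simplification: VEX/EVEX encodings and the three-byte 0F 38 / 0F 3A opcode maps are not decoded, and no operands are parsed.

```python
"""Classify what a leading F2/F3 prefix byte means on one x86 instruction.

Example code added for this page (not part of the original answer).
Simplified decoder: legacy prefixes + optional REX + one- or two-byte
opcode only; VEX/EVEX and 0F 38 / 0F 3A maps are out of scope.
"""

# Legacy prefixes other than F2/F3 that may precede the opcode in any order.
LEGACY_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF0}

# Jcc condition names indexed by the low nibble of 7x (rel8) or 0F 8x (rel32).
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

# String instructions: the only ones on which F2/F3 mean REPNE/REP(E).
STRING_OPS = {0x6C: "insb", 0x6D: "ins", 0x6E: "outsb", 0x6F: "outs",
              0xA4: "movsb", 0xA5: "movs", 0xA6: "cmpsb", 0xA7: "cmps",
              0xAA: "stosb", 0xAB: "stos", 0xAC: "lodsb", 0xAD: "lods",
              0xAE: "scasb", 0xAF: "scas"}

# Near branches with an immediate/relative operand, and FF /2 (call) and FF /4 (jmp).
REL_BRANCH = {0xC2: "ret", 0xC3: "ret", 0xE8: "call", 0xE9: "jmp", 0xEB: "jmp"}
FF_BRANCH = {2: "call", 4: "jmp"}


def classify_f2_f3(code: bytes) -> str:
    """Describe the role of the F2/F3 prefix on the instruction at code[0]."""
    i, group1 = 0, None
    # Collect legacy prefixes; if several F2/F3 bytes appear, the last one wins.
    while i < len(code) and (code[i] in (0xF2, 0xF3) or code[i] in LEGACY_PREFIXES):
        if code[i] in (0xF2, 0xF3):
            group1 = code[i]
        i += 1
    if group1 is None:
        return "no F2/F3 prefix"
    has_lock = 0xF0 in code[:i]
    # In 64-bit mode a REX byte (40..4F) sits immediately before the opcode.
    if i < len(code) and 0x40 <= code[i] <= 0x4F:
        i += 1
    if i >= len(code):
        return "truncated instruction"
    op = code[i]

    def branch(mnemonic: str) -> str:
        if group1 == 0xF2:
            return f"BND prefix (MPX): bnd {mnemonic}"
        return "REP on a near branch: no effect (cf. the 'rep ret' padding idiom)"

    if has_lock:  # F2/F3 + LOCK = hardware lock elision hints
        return f"HLE hint on a LOCK-ed instruction: {'xacquire' if group1 == 0xF2 else 'xrelease'}"
    if op == 0x0F:  # two-byte opcode map
        if i + 1 >= len(code):
            return "truncated instruction"
        op2 = code[i + 1]
        if 0x80 <= op2 <= 0x8F:  # 0F 8x = Jcc rel32
            return branch(JCC[op2 - 0x80])
        return f"part of the opcode: {group1:02X} 0F {op2:02X} (mandatory-prefix encoding)"
    if op in REL_BRANCH:
        return branch(REL_BRANCH[op])
    if 0x70 <= op <= 0x7F:  # 7x = Jcc rel8
        return branch(JCC[op - 0x70])
    if op == 0xFF:  # ModRM reg field selects the operation
        if i + 1 >= len(code):
            return "truncated instruction"
        reg = (code[i + 1] >> 3) & 7
        if reg in FF_BRANCH:
            return branch(FF_BRANCH[reg])
        return "F2/F3 on FF /r that is not a near branch: prefix has no defined meaning here"
    if op in STRING_OPS:
        if group1 == 0xF2:
            rep = "repne"
        elif op in (0xA6, 0xA7, 0xAE, 0xAF):
            rep = "repe"
        else:
            rep = "rep"
        return f"string repeat: {rep} {STRING_OPS[op]}"
    return "F2/F3 on an instruction that does not use it: reserved, ignored by current CPUs"


if __name__ == "__main__":
    # Constructed byte sequences (not taken from any real binary).
    samples = [
        bytes.fromhex("f2c3"),          # bnd ret, the instruction from the question
        bytes.fromhex("f27305"),        # bnd jae rel8, as seen in __chkstk in the comments
        bytes.fromhex("f20f8400000000"),# bnd je rel32
        bytes.fromhex("f241ffd0"),      # bnd call r8 (REX.B + FF /2)
        bytes.fromhex("f3c3"),          # rep ret padding idiom
        bytes.fromhex("f2ae"),          # repne scasb, the classic REPNE meaning
        bytes.fromhex("f20f10c1"),      # movsd xmm0, xmm1: F2 is part of the opcode
        bytes.fromhex("f0f20fb10f"),    # xacquire lock cmpxchg [rdi], ecx
    ]
    for s in samples:
        print(f"{s.hex(' '):22} -> {classify_f2_f3(s)}")
```

The practical takeaway for reading older disassembler output: an F2 byte that is immediately followed by a near `ret`, `call`, `jmp` or `jcc` opcode is BND, not REPNE, whatever the tool prints; an F2 followed by a string instruction really is REPNE; and an F3 before `ret` is the padding idiom the answer mentions.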
-
@Sep: writing instruction mnemonics in all-caps is a valid alternative to code-formatting. It's what Intel does in their own manuals. I don't think there was ambiguity in this answer; didn't seem like a very useful edit since there weren't any other improvements to make. (Also, if I'm going to use code-formatting for mnemonics or register names, I tend to use lower-case like `bnd` or `rep ret`). All-caps disrupts the flow of reading the least, I find, with lower-case `bnd` being somewhat disruptive but not as much as `BND`. If I *want* readers to notice a mnemonic when skimming, I use `ret`. – Peter Cordes Jan 24 '22 at 02:56