
In the following pseudocode description of the Intel LOOP instruction, when the operand size is 16, the description appears to omit use of the DEST branch-target operand in the taken case:

IF BranchCond = 1
    THEN
        IF OperandSize = 32
            THEN EIP ← EIP + SignExtend(DEST);
            ELSE IF OperandSize = 64
                THEN RIP ← RIP + SignExtend(DEST);
                FI;
            ELSE IF OperandSize = 16
   ?--->        THEN EIP ← EIP AND 0000FFFFH;
                FI;
        FI;
        IF OperandSize = (32 or 64)
            THEN IF (R/E)IP < CS.Base or (R/E)IP > CS.Limit
                #GP; FI;
                FI;
        FI;
    ELSE
        Terminate loop and continue program execution at (R/E)IP;
FI;

By the arrow I added (?--->), it appears to me that DEST goes unused in the case of 16-bit OperandSize — it is protecting against wrap but adding nothing in.


The write-up from Intel:

https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf
page "Vol. 2A 3-543".

FelixCloutier has the same code as Intel:

https://www.felixcloutier.com/x86/loop:loopcc


If this is a typo/bug in the Intel spec, where should I report it?

Peter Cordes
Erik Eidt
  • https://www.felixcloutier.com/x86/ is just scraped from Intel's PDFs with a Python program, but thanks for confirming that we can just look there instead of digging up the PDF. That's not true RTL, that's pseudocode. e.g. the push/pop pseudocode in Intel's manuals [doesn't account for the actual behaviour of `push rsp`](https://stackoverflow.com/questions/14968824/what-is-an-assembly-level-representation-of-pushl-popl-esp/69489798#69489798). – Peter Cordes Feb 17 '22 at 22:25

1 Answer


Yeah, looks like a bug. The LOOP instruction does jump, not just truncate EIP, in 16-bit mode just like in other modes.

(R/E)IP < CS.Base also looks like a bug; the linear address is formed by adding EIP to CS.Base, i.e. valid EIP values are from 0 to CS.Limit, unsigned, regardless of a non-zero CS base.

I think Intel's forums work as a way to report bugs in manuals / guides, but it's not obvious which section to report in.

https://community.intel.com/t5/Intel-ISA-Extensions/bd-p/isa-extensions has some posts with bug reports for the intrinsics guide, which got the attention of Intel people who could do something about it.

Also possibly https://community.intel.com/t5/Software-Development-Topics/ct-p/software-dev-topics or some other sub-forum of the "software developer" forums. The "cpu" forums seem to be about people using CPUs, like motherboard / RAM compat and stuff.
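The corrected semantics the answer describes, modelled as an added Python example (this is not Intel's pseudocode and not code from the answer): the 16-bit branch as printed, which ignores DEST, beside a version that adds SignExtend(DEST) in every operand size and checks the target against CS.Limit as a segment offset. The names `next_ip`, `loop_step` and the #GP modelling are assumptions of this example, and the count register is taken as already selected by address size.

```python
class GeneralProtection(Exception):
    """Models the #GP raised when the branch target lies outside the code segment."""


def sign_extend8(rel8: int) -> int:
    """Interpret an 8-bit displacement byte as a signed value (-128..127)."""
    rel8 &= 0xFF
    return rel8 - 0x100 if rel8 & 0x80 else rel8


def taken_target_as_printed_16(next_ip: int, rel8: int) -> int:
    """The 16-bit taken branch exactly as the manual prints it: DEST is never added."""
    return next_ip & 0x0000FFFF


def taken_target(next_ip: int, rel8: int, operand_size: int, cs_limit: int) -> int:
    """Corrected taken branch: add SignExtend(DEST), wrap to operand size, bounds-check."""
    disp = sign_extend8(rel8)
    if operand_size == 16:
        return (next_ip + disp) & 0xFFFF                  # IP wraps within the low 16 bits
    if operand_size == 32:
        new_ip = (next_ip + disp) & 0xFFFFFFFF
    elif operand_size == 64:
        new_ip = (next_ip + disp) & 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError(f"unsupported operand size {operand_size}")
    # Per the answer: EIP is a segment offset, so the valid range is 0..CS.Limit;
    # CS.Base only enters when the linear address is formed, not in this check.
    if new_ip > cs_limit:
        raise GeneralProtection(f"target {new_ip:#x} exceeds CS.Limit {cs_limit:#x}")
    return new_ip


def faults(next_ip: int, rel8: int, operand_size: int, cs_limit: int) -> bool:
    """True if taken_target() would raise #GP for these arguments."""
    try:
        taken_target(next_ip, rel8, operand_size, cs_limit)
    except GeneralProtection:
        return True
    return False


def loop_step(next_ip, rel8, count, operand_size, address_size, cs_limit):
    """One LOOP rel8 step: decrement the count register, branch if it is nonzero.

    `next_ip` is the address of the instruction following LOOP (assumed layout)."""
    count = (count - 1) & ((1 << address_size) - 1)       # count wraps: 0 -> all ones
    if count != 0:
        return taken_target(next_ip, rel8, operand_size, cs_limit), count
    return next_ip, count                                 # fall through, no branch
```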

Peter Cordes