forked from ttmo-O/x86-manpages
bndldx.x86
'\" t
.nh
.TH "X86-BNDLDX" "7" "May 2019" "TTMO" "Intel x86-64 ISA Manual"
.SH NAME
BNDLDX - LOAD EXTENDED BOUNDS USING ADDRESS TRANSLATION
.TS
allbox;
l l l l l
l l l l l .
\fBOpcode/Instruction\fP \fBOp/En\fP \fB64/32 bit Mode Support\fP \fBCPUID Feature Flag\fP \fBDescription\fP
NP 0F 1A /r BNDLDX bnd, mib RM V/V MPX T{
Load the bounds stored in a bound table entry (BTE) into bnd with address translation using the base of mib and conditional on the index of mib matching the pointer value in the BTE.
T}
.TE
.SH INSTRUCTION OPERAND ENCODING
.TS
allbox;
l l l l
l l l l .
\fBOp/En\fP \fBOperand 1\fP \fBOperand 2\fP \fBOperand 3\fP
RM ModRM:reg (w) T{
SIB.base (r): Address of pointer SIB.index(r)
T} N/A
.TE
.SH DESCRIPTION
BNDLDX uses the linear address constructed from the base register and
displacement of the SIB-addressing form of the memory operand (mib) to
perform address translation to access a bound table entry and
conditionally load the bounds in the BTE to the destination. The
destination register is updated with the bounds in the BTE, if the
content of the index register of mib matches the pointer value stored in
the BTE.
.PP
If the pointer value comparison fails, the destination is updated with
INIT bounds (lb = 0x0, ub = 0x0). Because the upper bound is represented
in 1's complement, an upper bound value of 0x0 allows access to the full
memory.
.PP
This instruction does not cause memory access to the linear address of
mib nor the effective address referenced by the base, and does not read
or write any flags.
.PP
Segment overrides apply to the linear address computation with the base
of mib, and are used during address translation to generate the address
of the bound table entry. By default, the address of the BTE is assumed
to be a linear address. No segmentation checks are performed on the
base of mib.
.PP
The base of mib will not be checked for canonical address violation as
it does not access memory.
.PP
Any encoding of this instruction that does not specify base or index
register will treat those registers as zero (constant). The reg-reg form
of this instruction will remain a NOP.
.PP
The scale field of the SIB byte has no effect on these instructions and
is ignored.
.PP
The bound register may be partially updated on memory faults. The order
in which memory operands are loaded is implementation specific.
.SH OPERATION
.EX
base := mib.SIB.base ? mib.SIB.base + Disp: 0;
ptr_value := mib.SIB.index ? mib.SIB.index : 0;
.EE
.SS Outside 64-bit Mode
.EX
A_BDE[31:0] := Zero_extend32(base[31:12] << 2) + (BNDCFG[31:12] << 12);
A_BT[31:0] := LoadFrom(A_BDE);
IF A_BT[0] equal 0 Then
    BNDSTATUS := A_BDE | 02H;
    #BR;
FI;
A_BTE[31:0] := Zero_extend32(base[11:2] << 4) + (A_BT[31:2] << 2);
Temp_lb[31:0] := LoadFrom(A_BTE);
Temp_ub[31:0] := LoadFrom(A_BTE + 4);
Temp_ptr[31:0] := LoadFrom(A_BTE + 8);
IF Temp_ptr equal ptr_value Then
    BND.LB := Temp_lb;
    BND.UB := Temp_ub;
ELSE
    BND.LB := 0;
    BND.UB := 0;
FI;
.EE
.SS In 64-bit Mode
.EX
A_BDE[63:0] := Zero_extend64(base[47+MAWA:20] << 3) + (BNDCFG[63:12] << 12); (* MAWA: see note 1 *)
A_BT[63:0] := LoadFrom(A_BDE);
IF A_BT[0] equal 0 Then
    BNDSTATUS := A_BDE | 02H;
    #BR;
FI;
A_BTE[63:0] := Zero_extend64(base[19:3] << 5) + (A_BT[63:3] << 3);
Temp_lb[63:0] := LoadFrom(A_BTE);
Temp_ub[63:0] := LoadFrom(A_BTE + 8);
Temp_ptr[63:0] := LoadFrom(A_BTE + 16);
IF Temp_ptr equal ptr_value Then
    BND.LB := Temp_lb;
    BND.UB := Temp_ub;
ELSE
    BND.LB := 0;
    BND.UB := 0;
FI;
.EE
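.PP
The 64-bit address translation above, worked through in C as an added example (not part of the Intel manual or of this project). All input values are constructed, the function and struct names are hypothetical, and MAWA is passed as a parameter because its value depends on CPL.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit bound table entry as read by the pseudocode: LB at +0, UB at +8,
 * pointer at +16; entries are 32 bytes apart (the << 5 in A_BTE). */
struct bte { uint64_t lb, ub, ptr, reserved; };
struct bounds { uint64_t lb, ub; };

/* Bits [hi:lo] of v, inclusive; every field used here is under 64 bits wide. */
static uint64_t bits(uint64_t v, unsigned hi, unsigned lo) {
    return (v >> lo) & ((1ULL << (hi - lo + 1)) - 1);
}

/* A_BDE := (base[47+MAWA:20] << 3) + (BNDCFG[63:12] << 12) */
uint64_t bde_address(uint64_t base, uint64_t bndcfg, unsigned mawa) {
    return (bits(base, 47 + mawa, 20) << 3) + (bits(bndcfg, 63, 12) << 12);
}

/* The directory entry is usable only if A_BT[0] is set; otherwise #BR. */
int bt_valid(uint64_t a_bt) { return (int)(a_bt & 1); }

/* A_BTE := (base[19:3] << 5) + (A_BT[63:3] << 3) */
uint64_t bte_address(uint64_t base, uint64_t a_bt) {
    return (bits(base, 19, 3) << 5) + (bits(a_bt, 63, 3) << 3);
}

/* Bounds are taken from the entry only when its pointer matches the index
 * register; on a mismatch the result is INIT bounds (lb = 0, ub = 0). */
struct bounds select_bounds(const struct bte *e, uint64_t ptr_value) {
    struct bounds b = {0, 0};
    if (e->ptr == ptr_value) { b.lb = e->lb; b.ub = e->ub; }
    return b;
}

int main(void) {
    /* Constructed sample values, not taken from a real process. */
    uint64_t base = 0x00007f1234567898ULL;   /* where the pointer is stored */
    uint64_t bndcfg = 0x0000100000000001ULL; /* bits 63:12 = directory base */
    uint64_t a_bt = 0x0000200000000001ULL;   /* directory entry, valid bit set */
    struct bte e = {0x1000, ~0x10ffULL, 0x1000, 0}; /* UB kept in 1's complement */
    struct bounds hit = select_bounds(&e, 0x1000), miss = select_bounds(&e, 0x2000);
    printf("A_BDE=%#llx A_BTE=%#llx valid=%d\n",
           (unsigned long long)bde_address(base, bndcfg, 0),
           (unsigned long long)bte_address(base, a_bt), bt_valid(a_bt));
    printf("hit lb=%#llx miss lb=%#llx ub=%#llx\n", (unsigned long long)hit.lb,
           (unsigned long long)miss.lb, (unsigned long long)miss.ub);
    return 0;
}
```

A pointer mismatch returns INIT bounds, which per the description above permit access to the full memory, so a stale bound table entry fails open instead of raising #BR.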
.SH INTEL C/C++ COMPILER INTRINSIC EQUIVALENT
.EX
BNDLDX: Generated by compiler as needed.
.EE
.SH FLAGS AFFECTED
None.
.SH PROTECTED MODE EXCEPTIONS
.TS
allbox;
l l
l l .
\fB\fP \fB\fP
#BR T{
If the bound directory entry is invalid.
T}
#UD If the LOCK prefix is used.
T{
If ModRM.r/m encodes BND4-BND7 when Intel MPX is enabled.
T}
T{
If 67H prefix is not used and CS.D=0.
T}
T{
If 67H prefix is used and CS.D=1.
T}
#GP(0) T{
If a destination effective address of the Bound Table entry is outside the DS segment limit.
T}
T{
If DS register contains a NULL segment selector.
T}
#PF(fault code) If a page fault occurs.
.TE
.SH REAL-ADDRESS MODE EXCEPTIONS
.TS
allbox;
l l
l l .
\fB\fP \fB\fP
#UD If the LOCK prefix is used.
T{
If ModRM.r/m encodes BND4-BND7 when Intel MPX is enabled.
T}
If 16-bit addressing is used.
#GP(0) T{
If a destination effective address of the Bound Table entry is outside the DS segment limit.
T}
.TE
.PP
.RS
.PP
1\&. If CPL < 3, the supervisor MAWA (MAWAS) is used; this value is
0. If CPL = 3, the user MAWA (MAWAU) is used; this value is enumerated
in CPUID.(EAX=07H,ECX=0H):ECX.MAWAU[bits 21:17]\&. See Appendix E.3.1
of Intel® 64 and IA-32 Architectures Software Developer’s Manual,
Volume 1.
.RE
.SH VIRTUAL-8086 MODE EXCEPTIONS
.TS
allbox;
l l
l l .
\fB\fP \fB\fP
#UD If the LOCK prefix is used.
T{
If ModRM.r/m encodes BND4-BND7 when Intel MPX is enabled.
T}
If 16-bit addressing is used.
#GP(0) T{
If a destination effective address of the Bound Table entry is outside the DS segment limit.
T}
#PF(fault code) If a page fault occurs.
.TE
.SH COMPATIBILITY MODE EXCEPTIONS
Same exceptions as in protected mode.
.SH 64-BIT MODE EXCEPTIONS
.TS
allbox;
l l
l l .
\fB\fP \fB\fP
#BR T{
If the bound directory entry is invalid.
T}
#UD If ModRM is RIP relative.
If the LOCK prefix is used.
T{
If ModRM.r/m and REX encodes BND4-BND15 when Intel MPX is enabled.
T}
#GP(0) If the memory address (A_BDE or A_BTE) is in a non-canonical form.
#PF(fault code) If a page fault occurs.
.TE
.SH SEE ALSO
x86-manpages(7) for a list of other x86-64 man pages.
.SH COLOPHON
This UNOFFICIAL, mechanically-separated, non-verified reference is
provided for convenience, but it may be
incomplete or
broken in various obvious or non-obvious ways.
Refer to Intel® 64 and IA-32 Architectures Software Developer’s Manual
for anything serious.
.br
This page is generated by scripts and may therefore contain visual or semantic bugs. Please report them (or better, fix them) on https://github.com/ttmo-O/x86-manpages.
.br
MIT licensed by TTMO 2025 (Turkish Unofficial Chamber of Reverse Engineers - https://ttmo.re).