F00f
The invalid operand with locked CMPXCHG8B instruction bug, commonly referred to as the Pentium F00F bug (as shorthand for f0 0f c7 c8, the hexadecimal encoding of one offending instruction), is a design flaw in the majority of Intel Pentium, Pentium MMX, and Pentium OverDrive processors (all in the P5 microarchitecture).

Description

The instruction represents:

lock cmpxchg8b eax

The operand could be a register other than eax: the last byte is the ModRM byte, and the values c8 through cf select the register form with eax through edi. The cmpxchg8b instruction compares the 8-byte value held in the edx:eax register pair with an 8-byte value at a memory location; if they match, the ecx:ebx pair is written to that location, otherwise the memory value is loaded into edx:eax. Its only legal operand form is therefore a 64-bit memory operand. The encoding above instead names a single 4-byte register as the destination, which is not big enough to store the 8-byte result, so the instruction is invalid.

Under normal circumstances, this invalid encoding would simply raise an invalid-opcode exception (#UD), which the operating system turns into an error for the offending program; however, when used with the lock prefix (normally used to prevent two processors from interfering with the same memory location), the exception handler is never called, the processor stops servicing interrupts and the CPU must be reset to recover.
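The following C program is an added example, not code from the original article: it recognises the F00F encoding in raw x86 machine code the way a kernel or emulator might vet a code buffer. It skips the run of legacy prefixes, requires that a LOCK (f0) prefix was among them, matches the 0f c7 opcode and then checks the ModRM byte for reg field 1 (CMPXCHG8B) together with mod 3 (register operand). The function names, the set of prefixes handled and the sample buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the article): recognise the F00F encoding,
 * LOCK CMPXCHG8B with a register operand, in raw x86 machine code.
 * F0 = LOCK prefix, 0F C7 = group-9 opcode, ModRM.reg == 1 (/1) selects
 * CMPXCHG8B, and ModRM.mod == 3 makes the operand a register, which the
 * instruction does not allow (it requires an m64). */

#define PFX_LOCK 0xF0
#define OPC_ESC  0x0F
#define OPC_GRP9 0xC7

static const char *const reg32[8] = {
    "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"
};

/* Other legacy prefixes that may legally sit next to LOCK. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2E: case 0x36: case 0x3E:  /* ES/CS/SS/DS override */
    case 0x64: case 0x65:                        /* FS/GS override */
    case 0x66: case 0x67:                        /* operand/address size */
    case 0xF2: case 0xF3:                        /* REPNE/REP */
        return 1;
    default:
        return 0;
    }
}

/* If the bytes at p (n available) encode LOCK CMPXCHG8B with a register
 * operand, return the instruction length and store the ModRM.rm register
 * number in *rm; otherwise return 0. */
size_t f00f_at(const uint8_t *p, size_t n, unsigned *rm)
{
    size_t i = 0;
    int have_lock = 0;

    /* Consume the prefix run; the 15-byte instruction limit bounds it. */
    while (i < n && i < 14 && (p[i] == PFX_LOCK || is_legacy_prefix(p[i]))) {
        if (p[i] == PFX_LOCK)
            have_lock = 1;
        i++;
    }
    if (!have_lock || i + 3 > n)
        return 0;
    if (p[i] != OPC_ESC || p[i + 1] != OPC_GRP9)
        return 0;

    uint8_t modrm = p[i + 2];
    unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7;

    /* /1 is CMPXCHG8B. Other group-9 members (e.g. /6, RDRAND on later
     * CPUs) use mod == 3 legitimately, so reg must be checked; mod != 3
     * is the valid memory form of CMPXCHG8B and is fine. */
    if (reg != 1 || mod != 3)
        return 0;

    if (rm)
        *rm = modrm & 7;
    return i + 3;
}

/* Byte-aligned scan of a buffer. Deliberately not a full disassembler, so
 * it is conservative: a matching byte run inside data is reported too.
 * Offsets of hits go to out[], at most max of them; the count is returned. */
size_t scan_f00f(const uint8_t *buf, size_t n, size_t *out, size_t max)
{
    size_t hits = 0;
    for (size_t off = 0; off < n; off++) {
        unsigned rm;
        size_t len = f00f_at(buf + off, n - off, &rm);
        if (len) {
            if (hits < max)
                out[hits] = off;
            hits++;
            off += len - 1; /* do not re-match inside the same instruction */
        }
    }
    return hits;
}

/* Constructed sample (an assumption of this example): plain code with two
 * F00F sequences embedded among look-alikes that must not be flagged. */
const uint8_t sample_code[] = {
    0x31, 0xC0,                   /* xor eax, eax                          */
    0xF0, 0x0F, 0xC7, 0x0F,       /* lock cmpxchg8b [edi]  (valid m64 form) */
    0xF0, 0x0F, 0xC7, 0xC8,       /* lock cmpxchg8b eax    (F00F)           */
    0x0F, 0xC7, 0xC8,             /* cmpxchg8b eax: no LOCK, plain #UD      */
    0x66, 0xF0, 0x0F, 0xC7, 0xCF, /* prefixed F00F variant on edi           */
    0xF0, 0x0F, 0xC7, 0xF0,       /* group 9 /6 with mod 3: not CMPXCHG8B   */
    0xC3                          /* ret                                    */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    size_t offs[8];
    size_t hits = scan_f00f(sample_code, sample_code_len, offs, 8);
    for (size_t i = 0; i < hits; i++) {
        unsigned rm;
        size_t len = f00f_at(sample_code + offs[i], sample_code_len - offs[i], &rm);
        printf("offset %zu: %zu-byte lock cmpxchg8b %s\n", offs[i], len, reg32[rm]);
    }
    return 0;
}
```

Run against the constructed buffer the scanner reports exactly the two invalid encodings (offsets 6 and 13) and ignores the valid memory form, the unlocked register form and the other group-9 member. Because the scan is byte-aligned rather than instruction-aligned, it can also fire on data that happens to contain the byte run; for a vetting tool that is the safe direction to err.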

The instruction does not require any special privileges, so any user-mode program could hang the machine, and, due to the proliferation of Intel microprocessors, it was considered a serious issue at the time. Operating system vendors responded by implementing workarounds that detected the condition and prevented the crash. Linux, for example, relocated the interrupt descriptor table onto a read-only page: the processor's locked access to the #UD descriptor then fails with a page fault instead of hanging, and the page-fault handler recognises the faulting address as that descriptor and delivers the invalid-opcode exception itself.

Although technically not an example of either, the f00f instruction is often considered an HCF (Halt and Catch Fire) instruction or a killer poke. Since the f00f bug has become common knowledge, the term is sometimes used to describe similar hardware design flaws such as the Cyrix coma bug.

No permanent hardware damage would result from executing the f00f instruction on a vulnerable system. Depending on the file system, operating system, and other circumstances, it is possible for data loss to occur if the disk buffers have not been flushed, if drives were interrupted during a write operation, or if some other non-atomic operation was interrupted.

No Intel processors since the introduction of the Pentium Pro have been affected by the bug. The myB2 stepping fixed this issue.

Information about this bug first appeared on the Internet on or around 7 November 1997.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 