17-10 Vol. 1
INTEL® MEMORY PROTECTION EXTENSIONS
In compatibility and legacy modes (including 16-bit code segments, real and virtual 8086 modes) all Intel MPX
instructions use 32-bit operands for bounds and 32 bit addressing. The upper 32-bits of destination bound register
are cleared (consistent with behavior of integer registers)
In 32-bit and compatibility mode, the bounds are 32-bit, and are treated same as 32-bit integer registers. There-
fore, when 32-bit bound is updated in a bound register, the upper 32-bits are undefined. When switching from 64-
bit, the behavior of content of bounds register will be similar to that of general purpose registers.
Table 17-3 describes the impact of 67H prefix on memory forms of Intel MPX instructions (register-only forms
ignore 67H prefix) when Intel MPX is enabled:
17.5.2
Intel MPX Support for Pointer Operations with Branching
Intel MPX provides flexibility in supporting pointer operation across control flow changes. Intel MPX allows
•
compatibility with legacy code that may perform pointer operation across control flow changes and are unaware
of Intel MPX, along with
•
Intel MPX-aware code that adds bounds checking protection to pointer operation across control flow changes.
The interface to provide such flexibility consists of:
•
Using a prefix, referred to as BND prefix, to relevant branch instructions: CALL, RET, JMP and Jcc
•
BNDCFGU and BNDCFGS provides the bit field, BNDPRESERVE (bit 1).
The value of BNDPRESERVE in conjunction with the presence/absence the BND prefix with those branching instruc-
tion will determine whether the values in BND0-BND3 will be initialized or unchanged.
17.5.3
CALL, RET, JMP and All Jcc
An application compiled to use Intel MPX will use the REPNE (F2H) prefix (denoted by BND) for all forms of near
CALL, near RET, near JMP, short & near Jcc instructions (BND+CALL, BND+RET, BND+JMP, BND+Jcc). See Table
17-4 for specific opcodes. All far CALL, RET and JMP instructions plus short JMP (JMP rel 8, opcode EB) instructions
will never cause bound registers to be initialized.
If BNDPRESERVE bit is one, above instructions will NOT INIT the bounds registers when BND prefix is not present
for above instructions (legacy behavior). However, If BNDPRESERVE is zero, above instructions will INIT ALL bound
registers (BND0-BND3) when BND prefix is not present for above instructions. If BND prefix is present for above
instructions, the BND registers will NOT INIT any bound registers (BND0-BND3).
The legacy code will continue to use non-prefixed forms of these instructions, so if BNDPRESERVE is zero, all the
bound registers will INIT by legacy code. This allows the legacy function to execute and return to callee with all
bound registers initialized (legacy code by definition cannot make or load bounds in bound registers because it does
not have Intel MPX instructions). This will eliminate compatibility concerns when legacy function might have
changed the pointer in registers but did not update the value of the bounds registers associated with these
pointers.
If BNDCFGx.BNDPRESERVE is clear then non-prefixed forms of these instructions will initialize all the bound regis-
ters. If this bit is set then non-prefixed and prefixed forms of these instructions will preserve the contents of bound
registers as shown in Table 17-4.
Table 17-3. Effective Address Size of Intel MPX Instructions with 67H Prefix
Addressing Mode
67H Prefix
Effective Address Size used for Intel MPX instructions when Intel MPX is enabled
64-bit Mode
Y
64 bit addressing used
64-bit Mode
N
64 bit addressing used
32-bit Mode
Y
#UD
32-bit Mode
N
32 bit addressing used
16-bit Mode
Y
32 bit addressing used
16-bit Mode
N
#UD