
Vol. 3C 36-3

INTEL® PROCESSOR TRACE

36.2.1.1   Direct Transfer COFI

Direct Transfer COFI are relative branches. This means that their target is an IP whose offset from the current IP is 
embedded in the instruction bytes. It is not necessary to indicate the target of these instructions in the trace output 
since it can be obtained through the source disassembly. Conditional branches need to indicate only whether the 
branch is taken or not. Unconditional branches do not need any recording in the trace output. There are two 
sub-categories:

Conditional Branch (Jcc, J*CXZ) and LOOP
To track this type of instruction, the processor encodes a single bit (taken or not taken — TNT) to indicate the 
program flow after the instruction. 
Jcc, J*CXZ, and LOOP can be traced with TNT bits. To improve the trace packet output efficiency, the processor 
will compact several TNT bits into a single packet.

Unconditional Direct Jumps
There is no trace output required for direct unconditional jumps (like JMP near relative or CALL near relative) 
since they can be directly inferred from the application assembly. Direct unconditional jumps do not generate a 
TNT bit or a Target IP packet, though TIP.PGD and TIP.PGE packets can be generated by unconditional direct 
jumps that toggle Intel PT enables (see Section 36.2.5).

36.2.1.2   Indirect Transfer COFI

Indirect transfer instructions involve updating the IP from a register or memory location. Since the register or 
memory contents can vary at any time during execution, there is no way to know the target of the indirect transfer 
until the register or memory contents are read. As a result, the disassembled code is not sufficient to determine the 
target of this type of COFI. Therefore, tracing hardware must send out the destination IP in the trace packet for 
debug software to determine the target address of the COFI. Note that this IP may be a linear or effective address 
(see Section 36.3.1.1).
An indirect transfer instruction generates a Target IP Packet (TIP) that contains the target address of the branch. 
There are two sub-categories:

Near JMP Indirect and Near Call Indirect
As previously mentioned, the target of an indirect COFI resides in the contents of either a register or memory
location. Therefore, the processor must generate a packet that includes this target address to allow the
decoder to determine the program flow.

Near RET
When a CALL instruction executes, it pushes onto the stack the address of the next instruction following the
CALL. Upon completion of the call procedure, the RET instruction is often used to pop the return address off of
the call stack and redirect code flow back to the instruction following the CALL.
A RET instruction simply transfers program flow to the address it popped off the stack. Because a called
procedure may change the return address on the stack before executing the RET instruction, debug software
can be misled if it assumes that code flow will return to the instruction following the last CALL. Therefore,
even for near RET, a Target IP Packet may be sent.
— RET Compression

A special case is applied if the target of the RET is consistent with what would be expected from tracking the 
CALL stack. If it is assured that the decoder has seen the corresponding CALL (with “corresponding” defined 

Table 36-1. COFI Type for Branch Instructions

COFI Type                    Instructions
Unconditional Direct Branch  JMP (E9 xx, EB xx), CALL (E8 xx)
Indirect Branch              JMP (FF /4), CALL (FF /2)
Near Ret                     RET (C3, C2 xx)
Far Transfers                INT3, INTn, INTO, IRET, IRETD, IRETQ, JMP (EA xx, FF /5), CALL (9A xx, FF /3), RET (CB, CA xx), SYSCALL, SYSRET, SYSENTER, SYSEXIT, VMLAUNCH, VMRESUME
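The decoder-side view of the taxonomy in 36.2.1.1 and 36.2.1.2, as an added example that is not Intel's code and not a real decoder such as libipt. It reconstructs the executed IPs from a constructed instruction map and a constructed packet stream: TNT bits drive conditional branches (several bits are consumed from one TNT packet, as the text describes), direct unconditional JMP/CALL are followed from the map with no packet at all, TIP packets supply the targets of indirect JMP/CALL and of uncompressed near RET, and a CALL stack is tracked so that a RET whose TIP disagrees with the pushed return address (the case the Near RET text warns about, where the callee rewrote the return address) is reported instead of silently followed. Everything labelled in the comments is an assumption: the addresses and instruction lengths, the packet tuples, TNT carried as a list of booleans rather than Intel's packed bytes, and a compressed RET modelled as a taken TNT bit (this page is cut off before it gives the encoding).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Insn:
    """One instruction of the traced program (constructed, not real disassembly)."""
    kind: str                     # other | jcc | jmp | call | jmp_ind | call_ind | ret
    length: int                   # bytes, used to compute the fall-through IP
    target: Optional[int] = None  # statically known target for jcc / jmp / call


# Trace packet the decoder must consume for each COFI type (the page's taxonomy).
PACKET_FOR = {
    'jcc': 'TNT',                            # one taken / not-taken bit
    'jmp': None, 'call': None,               # direct unconditional: inferred from disassembly
    'jmp_ind': 'TIP', 'call_ind': 'TIP',     # target known only at run time
    'ret': 'TIP or TNT',                     # TIP, or a taken TNT bit when the RET is compressed
}

# Constructed program map (hypothetical addresses and lengths).
PROGRAM = {
    0x1000: Insn('other', 4),
    0x1004: Insn('jcc', 2, target=0x1010),
    0x1006: Insn('call', 5, target=0x1020),
    0x100B: Insn('jmp_ind', 2),
    0x1010: Insn('call_ind', 2),
    0x1012: Insn('jmp', 2, target=0x1000),
    0x1020: Insn('other', 3),
    0x1023: Insn('ret', 1),
    0x1030: Insn('other', 2),
    0x1032: Insn('ret', 1),
    0x1040: Insn('other', 2),
}

# Constructed packet stream. PGE gives the IP at which tracing was enabled; TNT carries
# a list of bits here (Intel packs several bits into one packet's bytes).
TRACE = [
    ('PGE', 0x1000),
    ('TNT', [False, True]),  # jcc @0x1004 not taken, then compressed RET @0x1023
    ('TIP', 0x1010),         # jmp_ind @0x100B
    ('TIP', 0x1030),         # call_ind @0x1010
    ('TIP', 0x1040),         # ret @0x1032: disagrees with the pushed return address 0x1012
]


def decode(program, packets) -> Tuple[List[int], List[Tuple[int, int, int]]]:
    """Reconstruct executed IPs; report RETs whose TIP disagrees with the tracked CALL stack.

    Returns (path, anomalies); each anomaly is (ret_ip, expected_target, actual_target).
    """
    queue = list(packets)
    pending_tnt: List[bool] = []
    call_stack: List[int] = []
    path: List[int] = []
    anomalies: List[Tuple[int, int, int]] = []

    def take(expected: str):
        if not queue:
            raise ValueError(f'trace ended while a {expected} packet was required')
        kind, payload = queue.pop(0)
        if kind != expected:
            raise ValueError(f'expected {expected} packet, got {kind}')
        return payload

    def take_tnt_bit() -> bool:
        while not pending_tnt:                 # refill from the next compacted TNT packet
            pending_tnt.extend(take('TNT'))
        return pending_tnt.pop(0)

    ip = take('PGE')
    while ip in program:                       # stop when the constructed program runs out
        path.append(ip)
        insn = program[ip]
        fallthrough = ip + insn.length
        if insn.kind == 'other':
            ip = fallthrough
        elif insn.kind == 'jcc':               # direct conditional: one TNT bit decides
            ip = insn.target if take_tnt_bit() else fallthrough
        elif insn.kind == 'jmp':               # direct unconditional: no packet needed
            ip = insn.target
        elif insn.kind == 'call':
            call_stack.append(fallthrough)     # the return address the CALL pushes
            ip = insn.target
        elif insn.kind == 'jmp_ind':           # indirect: target comes from a TIP packet
            ip = take('TIP')
        elif insn.kind == 'call_ind':
            call_stack.append(fallthrough)
            ip = take('TIP')
        elif insn.kind == 'ret':
            expected = call_stack.pop() if call_stack else None
            if pending_tnt or (queue and queue[0][0] == 'TNT'):
                # Compressed RET (assumed model): a taken TNT bit, target from the CALL stack.
                if not take_tnt_bit() or expected is None:
                    raise ValueError(f'unresolvable compressed RET at {ip:#x}')
                ip = expected
            else:
                target = take('TIP')           # uncompressed RET: trust the TIP, flag mismatch
                if target != expected:
                    anomalies.append((ip, expected, target))
                ip = target
        else:
            raise ValueError(f'unknown instruction kind {insn.kind!r} at {ip:#x}')
    return path, anomalies


if __name__ == '__main__':
    executed, bad_rets = decode(PROGRAM, TRACE)
    print('executed:', ' '.join(f'{a:#x}' for a in executed))
    for ret_ip, want, got in bad_rets:
        print(f'RET at {ret_ip:#x} went to {got:#x}; CALL stack expected {want:#x}')
```

Running the block walks the constructed stream and prints one mismatch: the RET at 0x1032 returns to 0x1040 although the CALL at 0x1010 pushed 0x1012. That is exactly the situation the Near RET text describes, and it is why the decoder follows the TIP packet rather than its own CALL-stack expectation; the expectation is kept only to spot the disagreement. The first RET, at 0x1023, consumes the second bit of the same TNT packet that the Jcc consumed its first bit from, which is the packet compaction described for conditional branches.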