Vol. 3C 36-5

INTEL® PROCESSOR TRACE

CPL filtering ensures that no IPs or other architectural state information associated with the filtered CPL can be 
seen in the log. For example, if the processor is configured to trace only when CPL > 0, and software executes 
SYSCALL (changing the CPL to 0), the destination IP of the SYSCALL will be suppressed from the generated packet 
(see the discussion of TIP.PGD in Section 36.4.2.5).
It should be noted that CPL is always 0 in real-address mode and that CPL is always 3 in virtual-8086 mode. To 
trace code in these modes, filtering should be configured accordingly.
When software is executing in a non-enabled CPL, ContextEn is cleared. See Section 36.2.5.1 for details.

36.2.4.2   Filtering by CR3

Intel PT supports a CR3-filtering mechanism by which the generation of packets containing architectural states can 
be enabled or disabled based on the value of CR3. A debugger can use CR3 filtering to trace only a single application 
without context switching the state of the RTIT MSRs. For the reconstruction of traces from software with 
multiple threads, debug software may wish to context-switch the state of the RTIT MSRs (if the operating 
system does not provide context-switch support) to separate the output for the different threads (see Section 
36.3.5, “Context Switch Consideration”).
To trace for only a single CR3 value, software can write that value to the IA32_RTIT_CR3_MATCH MSR, and set 
IA32_RTIT_CTL.CR3Filter. When the CR3 value does not match IA32_RTIT_CR3_MATCH and IA32_RTIT_CTL.CR3Filter 
is 1, ContextEn is forced to 0, and packets containing architectural states will not be generated. Some other 
packets can be generated when ContextEn is 0; see Section 36.2.5.3 for details. When CR3 does match 
IA32_RTIT_CR3_MATCH (or when IA32_RTIT_CTL.CR3Filter is 0), CR3 filtering does not force ContextEn to 0 
(although it could be 0 due to other filters or modes).
CR3 matches IA32_RTIT_CR3_MATCH if the two registers are identical for bits 63:12, or 63:5 when in PAE paging 
mode; the lower 5 bits of CR3 and IA32_RTIT_CR3_MATCH are ignored. CR3 filtering is independent of the value 
of CR0.PG. 
When CR3 filtering is in use, PIP packets may still be seen in the log if the processor is configured to trace when 
CPL = 0 (IA32_RTIT_CTL.OS = 1). If not, no PIP packets will be seen.

36.2.4.3   Filtering by IP

Trace packet generation with configurable filtering by IP is supported if CPUID.(EAX=14H, ECX=0):EBX[bit 2] = 1. 
Intel PT can be configured to enable the generation of packets containing architectural states only when the 
processor is executing code within certain IP ranges. If the IP is outside of these ranges, generation of some 
packets is blocked.
IP filtering is enabled using the ADDRn_CFG fields in the IA32_RTIT_CTL MSR (Section 36.2.7.2), where the digit 
'n' is a zero-based number that selects which address range is being configured. Each ADDRn_CFG field configures 
the use of the register pair IA32_RTIT_ADDRn_A and IA32_RTIT_ADDRn_B (Section 36.2.7.5). 
IA32_RTIT_ADDRn_A defines the base and IA32_RTIT_ADDRn_B specifies the limit of the range in which tracing is 
enabled. Thus each range, referred to as the ADDRn range, is defined by [IA32_RTIT_ADDRn_A, 
IA32_RTIT_ADDRn_B]. There can be multiple such ranges; software can query CPUID (Section 36.3.1) for the 
number of ranges supported on a processor. 
Default behavior (ADDRn_CFG=0) defines no IP filter range, meaning FilterEn is always set. In this case code at 
any IP can be traced, though other filters, such as CR3 or CPL, could limit tracing. When ADDRn_CFG is set to 
enable IP filtering (see Section 36.3.1), tracing will commence when a taken branch or event is seen whose target 
address is in the ADDRn range.
While inside a tracing region with FilterEn set, leaving the tracing region may only be detected once a taken 
branch or event with a target outside the range is retired. If an ADDRn range is entered or exited by executing the 
next sequential instruction, rather than by a control flow transfer, FilterEn may not toggle immediately. See Section 
36.2.5.5 for more details on FilterEn. 
Note that these address range base and limit values are inclusive, such that the range includes the first and last 
instruction whose first instruction byte is in the ADDRn range.
Depending upon processor implementation, IP filtering may be based on linear or effective address. This can cause 
different behavior between implementations if CSbase is not equal to zero or in real mode. See Section 36.3.1.1 
for details. Software can query CPUID to determine whether filters are based on linear or effective address (Section 36.3.1).
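
The following C model is an added illustration, not code from this manual or from Intel. It restates the CR3 match rule of Section 36.2.4.2 and the FilterEn behavior of Section 36.2.4.3 for a single ADDRn range enabled as a filter. All function and type names are hypothetical, the addresses are constructed, and the model assumes that a sequential fall-through never toggles FilterEn (the text above says only that it may not).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added model, not Intel code: all names are hypothetical, no MSR access. */

/* CR3 compare: bits 63:12, or bits 63:5 in PAE paging mode. */
static bool cr3_matches(uint64_t cr3, uint64_t cr3_match, bool pae)
{
    uint64_t mask = pae ? ~UINT64_C(0x1F) : ~UINT64_C(0xFFF);
    return ((cr3 ^ cr3_match) & mask) == 0;
}

/* True when the CR3 filter forces ContextEn to 0. */
static bool cr3_forces_contexten_off(uint64_t cr3, uint64_t cr3_match,
                                     bool cr3filter, bool pae)
{
    return cr3filter && !cr3_matches(cr3, cr3_match, pae);
}

struct addr_range { uint64_t a, b; };  /* ADDRn_A = base, ADDRn_B = limit */

/* Base and limit are both inclusive. */
static bool in_range(const struct addr_range *r, uint64_t ip)
{
    return ip >= r->a && ip <= r->b;
}

/* FilterEn after one retired instruction, one range enabled as a filter.
 * Only a taken branch or event re-evaluates the range. Assumption: a
 * sequential fall-through never toggles FilterEn (the text says "may not"). */
static bool filteren_next(bool filteren, const struct addr_range *r,
                          bool taken_branch_or_event, uint64_t target_ip)
{
    return taken_branch_or_event ? in_range(r, target_ip) : filteren;
}

int main(void)
{
    struct addr_range r = { 0x401000, 0x401fff };  /* constructed values */
    bool fe = false;
    fe = filteren_next(fe, &r, false, 0x401000);   /* falls through into range */
    printf("fall-through in:  FilterEn=%d\n", fe);
    fe = filteren_next(fe, &r, true, 0x401fff);    /* branch to limit address */
    printf("branch to limit:  FilterEn=%d\n", fe);
    fe = filteren_next(fe, &r, false, 0x402000);   /* falls through out of range */
    printf("fall-through out: FilterEn=%d\n", fe);
    printf("CR3 forces ContextEn off: %d\n",
           cr3_forces_contexten_off(0x12345fff, 0x12345000, true, false));
    return 0;
}
```

In this model, trace-analysis software that assumes tracing stops exactly at IA32_RTIT_ADDRn_B would misattribute the instructions executed after a fall-through past the limit, since FilterEn stays set until the next taken branch or event.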