Undocumented 8086 instructions, explained by the microcode

The Intel 8086 processor, like modern microprocessors, generates an exception when an illegal instruction is executed. However, early microprocessors didn’t have the circuitry to detect illegal instructions. The 8086 has a few undocumented instructions that exhibit unexpected behavior. These instructions can reveal the values of hidden registers. The 8086’s microcode ROM holds 512 micro-instructions that perform multiple parallel actions to execute a machine instruction. The micro-instructions are divided into six types. The Group Decode ROM categorizes the first byte of the instruction into about 35 categories to control the decoding and execution process. The ModR/M byte in the instruction format is pivotal in the behavior of undocumented instructions. The first byte of the instruction represents opcodes, and there are a few “holes” in the opcode table that contain undefined and interesting instructions. One example is the SALC instruction, which sets the AL register to 0 or FF based on the carry flag. Another example is the POP CS instruction, which changes the code segment but not the instruction pointer, resulting in unexpected behavior. The unused opcodes from 60 to 6F act the same as the conditional jump instructions from 70 to 7F. The C0 and C8
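For emulator and disassembler authors, the behavior described above for SALC and for the 60 to 6F aliases can be modeled as follows; this is an added example, not code from the original article. The function names are hypothetical, and the SALC opcode (D6), the FLAGS bit positions and the condition-code encoding are taken from standard 8086 references rather than from this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 8086 FLAGS bit masks (standard layout; not stated on the page). */
enum { CF = 1u << 0, PF = 1u << 2, ZF = 1u << 6, SF = 1u << 7, OF = 1u << 11 };

/* Unused opcodes 60-6F act like the conditional jumps 70-7F,
 * so fold them onto the documented range before decoding. */
uint8_t canonical_opcode(uint8_t op) {
    return (op >= 0x60 && op <= 0x6F) ? (uint8_t)(op | 0x10) : op;
}

/* True when op is a conditional jump (documented or alias) whose
 * condition holds for the given FLAGS value. */
bool jcc_taken(uint8_t op, uint16_t flags) {
    op = canonical_opcode(op);
    if ((op & 0xF0) != 0x70) return false;      /* not a Jcc at all */
    bool cf = flags & CF, pf = flags & PF, zf = flags & ZF;
    bool sf = flags & SF, of = flags & OF;
    bool cond;
    switch ((op >> 1) & 7) {                    /* bits 3..1 select the test */
    case 0: cond = of; break;                   /* JO  / JNO */
    case 1: cond = cf; break;                   /* JB  / JNB */
    case 2: cond = zf; break;                   /* JZ  / JNZ */
    case 3: cond = cf || zf; break;             /* JBE / JA  */
    case 4: cond = sf; break;                   /* JS  / JNS */
    case 5: cond = pf; break;                   /* JP  / JNP */
    case 6: cond = (sf != of); break;           /* JL  / JGE */
    default: cond = zf || (sf != of); break;    /* JLE / JG  */
    }
    return (op & 1) ? !cond : cond;             /* bit 0 inverts the test */
}

/* SALC (opcode D6): AL becomes FF when carry is set, otherwise 00. */
uint8_t salc(uint16_t flags) { return (flags & CF) ? 0xFF : 0x00; }

int main(void) {
    /* Constructed sample: opcode 64 with ZF set behaves like JZ (74). */
    printf("64 -> %02X, taken=%d\n", canonical_opcode(0x64), jcc_taken(0x64, ZF));
    printf("SALC with CF set -> AL=%02X\n", salc(CF));
    return 0;
}
```

A disassembler that treats 60 to 6F as invalid on an 8086 target will lose track of control flow at these bytes, so folding them onto 70 to 7F keeps the listing aligned with what the hardware executes.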

