18
Specification Update
BJ10.
EFLAGS Discrepancy on Page Faults and on EPT-Induced VM Exits
after a Translation Change
Problem:
This erratum is regarding the case where paging structures are modified to change a
linear address from writable to non-writable without software performing an
appropriate TLB invalidation. When a subsequent access to that address by a specific
instruction (ADD, AND, BTC, BTR, BTS, CMPXCHG, DEC, INC, NEG, NOT, OR, ROL/ROR,
SAL/SAR/SHL/SHR, SHLD, SHRD, SUB, XOR, and XADD) causes a page fault or an EPT-
induced VM exit, the value saved for EFLAGS may incorrectly contain the arithmetic flag
values that the EFLAGS register would have held had the instruction completed without
fault or VM exit. For page faults, this can occur even if the fault causes a VM exit or if
its delivery causes a nested fault.
Implication:
None identified. Although the EFLAGS value saved by an affected event (a page fault or
an EPT-induced VM exit) may contain incorrect arithmetic flag values, Intel has not
identified software that is affected by this erratum. This erratum will have no further
effects once the original instruction is restarted because the instruction will produce the
same results as if it had initially completed without fault or VM exit.
Workaround:
If the handler of the affected events inspects the arithmetic portion of the saved
EFLAGS value, then system software should perform a synchronized paging structure
modification and TLB invalidation.
Status:
For the steppings affected, see the Summary Tables of Changes.
BJ11.
Fault on ENTER Instruction May Result in Unexpected Values on Stack
Frame
Problem:
The ENTER instruction is used to create a procedure stack frame. Due to this erratum,
if execution of the ENTER instruction results in a fault, the dynamic storage area of the
resultant stack frame may contain unexpected values (i.e. residual stack data as a
result of processing the fault).
Implication:
Data in the created stack frame may be altered following a fault on the ENTER
instruction. Please refer to “Procedure Calls For Block-Structured Languages” in IA-32
Intel® Architecture Software Developer's Manual, Vol. 1, Basic Architecture, for
information on the usage of the ENTER instructions. This erratum is not expected to
occur in ring 3. Faults are usually processed in ring 0 and stack switch occurs when
transferring to ring 0. Intel has not observed this erratum on any commercially
available software.
Workaround:
None identified
Status:
For the steppings affected, see the Summary Tables of Changes.
BJ12.
Faulting MMX Instruction May Incorrectly Update x87 FPU Tag Word
Problem:
Under a specific set of conditions, MMX stores (MOVD, MOVQ, MOVNTQ, MASKMOVQ)
which cause memory access faults (#GP, #SS, #PF, or #AC), may incorrectly update
the x87 FPU tag word register.
This erratum will occur when the following additional conditions are also met.
• The MMX store instruction must be the first MMX instruction to operate on x87 FPU
state (i.e. the x87 FP tag word is not already set to 0x0000).
• For MOVD, MOVQ, MOVNTQ stores, the instruction must use an addressing mode
that uses an index register (this condition does not apply to MASKMOVQ).
Implication:
If the erratum conditions are met, the x87 FPU tag word register may be incorrectly set
to a 0x0000 value when it should not have been modified.
Workaround:
None identified