INTEL® CELERON® PROCESSOR SPECIFICATION UPDATE
C83. Under Some Complex Conditions, the Instructions in the Shadow of a JMP FAR may be Unintentionally Executed and Retired
Problem: If all of the following events happen in sequence, it is possible for the system or application to hang or to execute with incorrect data.
1. The execution of an instruction, with an OPCODE that requires the processor to stall the issue of micro-instructions in the flow from the microcode sequence logic block to the instruction decode block (a StallMS condition).
2. Less than 63 (39 for Pre-CPUID 0x6BX) micro-instructions later, the execution of a mispredictable branch instruction (Jcc, LOOPcc, RET Near, CALL Near Indirect, JMP ECX=0, or JMP Near Indirect).
3. The conditional branch in event (2) is mispredicted, and furthermore the mispredicted path of execution must result in either an ITLB miss, or an Instruction Cache miss. This needs to briefly stall the issue of micro-instructions again immediately after the conditional branch until that branch prediction is corrected by the jump execution block (a 2nd StallMS condition).
4. Along the correct path of execution, the next instruction must contain a 3rd StallMS condition at a precisely aligned point in the execution of the instruction (CLTS, POPSS, LSS, or MOV to SS).
5. A JMP FAR instruction must execute within the next 63 micro-instructions (39 Pre-CPUID 0x6BX). The intervening micro-instructions must not have any events or faults.
When the instruction from event (2) retires, the StallMS condition within the event (5) instruction fails to operate correctly, and instructions in the shadow of the JMP FAR instruction could be unintentionally executed.
Implication: Occurrence of this erratum could lead to erroneous software behavior. Intel has not identified any commercial software which may encounter this condition; this erratum was discovered in a focused test environment. One of the four instructions that are required to trigger this erratum, CLTS, is a privileged instruction that is only executed by an operating system or driver code. The remaining three instructions, POPSS, LSS, and MOV to SS, are executed infrequently in modern 32-bit application code.
Workaround: None identified at this time.
Status: For the stepping affected see the Summary of Changes at the beginning of this section.
C84. Processor Does not Flag #GP on Non-zero Write to Certain MSRs
Problem: When a non-zero write occurs to the upper 32 bits of SYSENTER_EIP_MSR or SYSENTER_ESP_MSR, the processor should indicate a general protection fault by flagging #GP. Due to this erratum, the processor does not flag #GP.
Implication: The processor unexpectedly does not flag #GP on a non-zero write to the upper 32 bits of SYSENTER_EIP_MSR or SYSENTER_ESP_MSR. No known commercially available operating system has been identified to be affected by this erratum.
Workaround: None identified.
Status: For the steppings affected see the Summary of Changes at the beginning of this section.