Pentium F00F bug


The Pentium F00F bug is a design flaw in the majority of Intel Pentium, Pentium MMX, and Pentium OverDrive processors (all in the P5 microarchitecture). Discovered in 1997, it allows any unprivileged program to make the processor cease to function until the computer is physically reset. Operating system vendors worked around the bug in software, and Intel fixed it in a later stepping of the silicon.

The name is shorthand for F0 0F C7 C8, the hexadecimal encoding of one offending instruction.[1] More formally, the bug is called the invalid operand with locked CMPXCHG8B instruction bug.[2][3]


In the x86 architecture, the byte sequence F0 0F C7 C8 decodes as the instruction lock cmpxchg8b eax: F0 is the LOCK prefix, 0F C7 is the CMPXCHG8B opcode, and the ModRM byte C8 selects the register-direct form with eax as the operand. The bug also applies to ModRM bytes C9 through CF, which select the other seven general-purpose registers (ecx, edx, ebx, esp, ebp, esi, edi) instead of eax. Executing the instruction does not require any special privileges.

This instruction encoding is invalid. The cmpxchg8b instruction compares the 64-bit value held in the edx:eax register pair (the low 32 bits of rdx and rax on 64-bit x86 processors) with an eight-byte value in a memory location. In this case, however, a register is specified instead of a memory location, which the instruction does not allow.

Under normal circumstances, this would simply raise an invalid opcode exception; however, when the instruction carries the lock prefix (normally used to prevent two processors from interfering with the same memory location), the CPU erroneously uses locked bus cycles to read the invalid opcode exception handler's descriptor from the interrupt descriptor table. Locked reads must be paired with locked writes, and the CPU's bus interface enforces this by forbidding other memory accesses until the corresponding writes occur. As none are forthcoming, after performing these bus cycles all CPU activity stops, and the CPU must be reset to recover.
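The following decoder is an added example and is not code from the article or from Intel; it walks the encoding described above to show why F0 0F C7 C8 through CF is the register-direct form of CMPXCHG8B and why only the LOCK-prefixed variant is the hanging pattern. The function names and the sample byte string are constructed for this demonstration; the decoder recognises only the F0 prefix and ignores other legacy prefixes, which is a simplification of this example, not a property of the hardware.

```c
/* Added example (not from the article): decode the ModRM byte of 0F C7 /1
 * to classify CMPXCHG8B encodings, and scan a buffer for the F00F pattern.
 * Function names and the sample bytes are assumptions of this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    NOT_CMPXCHG8B,       /* bytes at this offset are not 0F C7 /1 */
    CMPXCHG8B_MEM,       /* legal form: memory destination (LOCK or not) */
    CMPXCHG8B_REG_UD,    /* register destination, no LOCK: plain #UD */
    CMPXCHG8B_F00F       /* LOCK + register destination: hangs a vulnerable P5 */
} cx8_kind;

static const char *const reg32[8] = {
    "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"
};

/* Classify the instruction starting at p. Only the F0 (LOCK) prefix is
 * recognised; 66/67/segment prefixes are not decoded (demo simplification). */
cx8_kind classify_cx8(const uint8_t *p, size_t len, const char **regname)
{
    int locked = 0;
    if (len >= 1 && p[0] == 0xF0) {      /* LOCK prefix */
        locked = 1;
        p++; len--;
    }
    if (len < 3 || p[0] != 0x0F || p[1] != 0xC7)
        return NOT_CMPXCHG8B;            /* not the 0F C7 opcode */

    uint8_t modrm = p[2];
    unsigned mod = modrm >> 6;           /* bits 7..6: addressing mode */
    unsigned reg = (modrm >> 3) & 7;     /* bits 5..3: opcode extension /r */
    unsigned rm  = modrm & 7;            /* bits 2..0: register or r/m field */

    if (reg != 1)
        return NOT_CMPXCHG8B;            /* CMPXCHG8B is 0F C7 /1 */
    if (mod != 3)
        return CMPXCHG8B_MEM;            /* mod 00/01/10: memory operand */

    /* mod == 3 gives ModRM C8..CF: register-direct destination, never legal */
    if (regname)
        *regname = reg32[rm];
    return locked ? CMPXCHG8B_F00F : CMPXCHG8B_REG_UD;
}

/* Linear byte scan for the hanging form; offsets of hits go into offs (up to
 * max). A byte scan is not a disassembly: a hit may be data or the tail of
 * another instruction, so treat results as candidates to confirm. */
size_t scan_f00f(const uint8_t *buf, size_t len, size_t *offs, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (classify_cx8(buf + i, len - i, NULL) == CMPXCHG8B_F00F) {
            if (n < max)
                offs[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed sample: nop; lock cmpxchg8b eax (the canonical F00F bytes);
 * cmpxchg8b [edi] (legal); lock cmpxchg8b [edi] (legal); cmpxchg8b edi
 * (invalid, harmless #UD); lock cmpxchg8b edi (F00F with ModRM CF). */
const uint8_t sample_code[] = {
    0x90,
    0xF0, 0x0F, 0xC7, 0xC8,
    0x0F, 0xC7, 0x0F,
    0xF0, 0x0F, 0xC7, 0x0F,
    0x0F, 0xC7, 0xCF,
    0xF0, 0x0F, 0xC7, 0xCF
};

int main(void)
{
    size_t offs[8];
    size_t hits = scan_f00f(sample_code, sizeof sample_code, offs, 8);
    for (size_t i = 0; i < hits && i < 8; i++) {
        const char *r = NULL;
        classify_cx8(sample_code + offs[i], sizeof sample_code - offs[i], &r);
        printf("offset %zu: lock cmpxchg8b %s (F00F pattern)\n", offs[i], r);
    }
    return 0;
}
```

On the constructed sample the scanner reports two hits, at offsets 1 (eax) and 15 (edi); the unlocked register form at offset 12 is flagged as an ordinary invalid opcode, and both memory forms are treated as legal. The same pattern match is what made the bug easy to screen for in binaries, with the caveat in the comment that a raw byte scan can misfire on data.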

Due to the proliferation of Intel microprocessors, the existence of an unprivileged instruction that halts the machine was considered a serious issue at the time: on any multi-user system, any local user could take the whole machine down. Operating system vendors responded by implementing workarounds that detected the condition and prevented the crash. Information about the bug first appeared on the Internet on or around 8 November 1997.[4] Since the F00F bug became common knowledge, the term is sometimes used to describe similar hardware design flaws such as the Cyrix coma bug.

No permanent hardware damage results from executing the F00F instruction on a vulnerable system; it simply locks up until rebooted. However, loss of unsaved data is likely if the disk buffers have not been flushed, if drives were interrupted during a write operation, or if some other non-atomic operation was interrupted.

The B2 stepping solved this issue for Intel's Pentium processors.[2]

The F00F instruction can be considered an example of a Halt and Catch Fire (HCF) instruction.

References

  1. ^ Collins, Robert R. (May 1, 1998). "The Pentium F00F Bug". Dr. Dobb's Journal. Retrieved 27 July 2015. 
  2. ^ a b Intel (1998). "81. Invalid Operand with Locked CMPXCHG8B Instruction". Pentium® Processor Specification Update, Version-041 [Release Date January 1999] (PDF). Santa Clara, CA, USA: Intel. p. 51f. Retrieved 27 July 2015. 
  3. ^ The opening to this specification update reads:

    "PROBLEM: The CMPXCHG8B instruction compares an 8 byte value in EDX and EAX with an 8 byte value in memory (the destination operand). The only valid destination operands for this instruction are memory operands. If the destination operand is a register the processor should generate an invalid opcode exception, execution of the CMPXCHG8B instruction should be halted and the processor should execute the invalid opcode exception handler. This erratum occurs if the LOCK prefix is used with the CMPXCHG8B instruction with an (invalid) register destination operand. In this case, the processor may not start execution of the invalid opcode exception handler because the bus is locked. This results in a system hang. IMPLICATION: If an (invalid) register destination operand is used with the CMPXCHG8B instruction and the LOCK prefix, the system may hang. No memory data is corrupted and the user can perform a system reset to return to normal operation. Note that the specific invalid code sequence necessary for this erratum to occur is not normally generated in the course of programming nor is such a sequence known by Intel to be generated by commercially available software. This erratum only applies to Pentium processors, Pentium processors with MMX technology, Pentium® OverDrive processors and Pentium OverDrive processors with MMX technology. Pentium Pro processors, Pentium II processors and i486TM and earlier processors are not affected…"

  4. ^ Hovers, Onno; et al. (8 November 1997). "Nieuwe Intel Pentium Bug" [New Intel…] (newsgroup thread, 38 posts by 22 authors) (in Dutch). Newsgroup nl.comp.hardware. Retrieved 27 July 2015. "If you have not heard about it yet, there is a new Intel Pentium BUG. Because of it, it is possible from userspace to crash the Pentium completely with 1 instruction. The bug occurs on the Intel Pentium and the Intel Pentium MMX. The bug does not occur on the Intel Pentium Pro, the Intel Pentium II, the chips from AMD, Cyrix and the like. This bug is only of importance to some people who run a multi-user (shell) system on an Intel Pentium. On such a system any user can crash the system…"
