
Illegal and undocumented instructions found in every major vendor CPU - uptown
http://blog.koehntopp.info/index.php/2282-illegal-and-undocumented-instructions/
======
j_s
I would recommend marking as a dupe of
[https://news.ycombinator.com/item?id=14872418](https://news.ycombinator.com/item?id=14872418)
(feels a bit harsh) or pointing to
[http://www.pagetable.com/?p=39](http://www.pagetable.com/?p=39)

------
cakebrewery
Can someone explain why these instructions are "illegal"?

~~~
Arcsech
As far as I can tell, "illegal" and "undocumented" instructions are the same
thing[0]. Likely they are "illegal" according to the spec of the processor,
and that's where the term came from.

[0] At least according to Wikipedia:
[https://en.wikipedia.org/wiki/Illegal_opcode](https://en.wikipedia.org/wiki/Illegal_opcode)

~~~
mikeash
The paper only uses that phrase once, as a synonym for a non-existing
instruction. It seems that refers to an instruction that the CPU will not
execute, and which throws a #UD exception. Despite being illegal/nonexistent,
these instructions still have a length, which is how many bytes the CPU
decodes before it throws that exception. They can figure this out by placing
an illegal instruction sequence at the end of a page, where the next page is
marked as non-executable, and sliding it around. If the CPU tries to decode
bytes on the next page, it throws #GP. Once you slide the instruction far
enough to get a #UD instead, you know that the illegal instruction is that
many bytes.

This is different from undocumented instructions, which are valid instructions
that the CPU can actually execute, but which don't appear in the CPU's
documentation. These may be instructions which were deliberately added as part
of the design but which didn't make it into the documentation for whatever
reason, or they may be an unintended consequence of other aspects of the CPU's
design. (The 6502 famously has a _lot_ of undocumented opcodes of the second
kind, see [http://www.pagetable.com/?p=39](http://www.pagetable.com/?p=39) for
more info on those.)
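
The page-boundary trick described above, as an added example that is not code from the post or from Sandsifter: a Linux x86-64 C probe that maps an executable page followed by a PROT_NONE guard page, copies the first k bytes of a candidate so they end exactly at the boundary, jumps to them, and classifies the fault. A SIGSEGV whose RIP is still at the start of the bytes and whose fault address is the guard page means the decoder needed more bytes (slide one further); a SIGILL means the CPU decoded the whole thing and raised #UD, so k is the illegal instruction's length; any other SIGSEGV means a valid instruction ran to completion and then faulted fetching the next one. That last case uses RIP from the signal context, a refinement the comment does not mention, and it means a valid candidate really executes, so a real fuzzer would run each probe in a disposable child process and this example should only be fed bytes that are safe to run. The three byte sequences are constructed test inputs; the REG_RIP index and the ucontext layout are glibc assumptions; on other platforms, or if the mappings cannot be created, the probe reports PROBE_ERROR and returns -1.

```c
#define _GNU_SOURCE               /* REG_RIP in <ucontext.h> is a glibc extension */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#if defined(__x86_64__) && defined(__linux__)
#include <ucontext.h>
#define PROBE_SUPPORTED 1
#ifndef REG_RIP
#define REG_RIP 16                /* glibc's x86-64 index of RIP in gregs[] */
#endif
#else
#define PROBE_SUPPORTED 0         /* probe_insn_length() then reports PROBE_ERROR */
#endif

enum probe_kind {
    PROBE_ERROR = -1,   /* unsupported platform, or the mappings could not be set up */
    PROBE_NEEDS_MORE,   /* #PF during fetch: the decoder needed bytes from the next page */
    PROBE_ILLEGAL,      /* fully decoded, then #UD (delivered as SIGILL) */
    PROBE_EXECUTED      /* fully decoded and executed: a valid instruction */
};

/* Constructed test inputs (not from the post). */
static const uint8_t SAMPLE_UD2[]        = {0x0F, 0x0B};                   /* ud2 */
static const uint8_t SAMPLE_PREFIX_UD2[] = {0x66, 0x0F, 0x0B};             /* 66 prefix + ud2 */
static const uint8_t SAMPLE_MOV_EAX[]    = {0xB8, 0x78, 0x56, 0x34, 0x12}; /* mov eax, 0x12345678 */

static sigjmp_buf g_env;
static volatile int g_sig;
static volatile uintptr_t g_rip, g_addr;

static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    g_sig = sig;
    g_addr = (uintptr_t)si->si_addr;          /* for a fetch fault: the address being fetched */
#if PROBE_SUPPORTED
    g_rip = (uintptr_t)((ucontext_t *)ctx)->uc_mcontext.gregs[REG_RIP];
#endif
    siglongjmp(g_env, 1);
}

/* Copy the first k bytes of insn so they end exactly at a page boundary, map the
 * page after them PROT_NONE, jump to them, and classify the fault that results. */
static enum probe_kind run_probe(const uint8_t *insn, size_t k)
{
    long pg = sysconf(_SC_PAGESIZE);
    uint8_t *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return PROBE_ERROR;
    uint8_t *guard = base + pg, *target = guard - k;
    memcpy(target, insn, k);
    if (mprotect(base, pg, PROT_READ | PROT_EXEC) || mprotect(guard, pg, PROT_NONE)) {
        munmap(base, 2 * pg);
        return PROBE_ERROR;
    }
    struct sigaction sa = {0}, old_ill, old_segv;
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGSEGV, &sa, &old_segv);
    enum probe_kind kind = PROBE_ERROR;
    if (sigsetjmp(g_env, 1) == 0)
        ((void (*)(void))target)();           /* never returns: the guard page always faults */
    else if (g_sig == SIGILL)
        kind = PROBE_ILLEGAL;
    else if (g_rip == (uintptr_t)target && g_addr == (uintptr_t)guard)
        kind = PROBE_NEEDS_MORE;              /* #PF with RIP still at our bytes: slide further */
    else
        kind = PROBE_EXECUTED;                /* RIP moved on, so the instruction ran */
    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    munmap(base, 2 * pg);
    return kind;
}

/* Slide the candidate across the boundary one byte at a time (x86 instructions are
 * at most 15 bytes). Returns the length the decoder consumed, or -1 with *kind set. */
int probe_insn_length(const uint8_t *insn, size_t len, enum probe_kind *kind)
{
    enum probe_kind r = PROBE_ERROR;
    int length = -1;
    for (size_t k = 1; PROBE_SUPPORTED && k <= len && k <= 15; k++) {
        r = run_probe(insn, k);
        if (r == PROBE_ERROR) break;
        if (r != PROBE_NEEDS_MORE) { length = (int)k; break; }
    }
    if (kind) *kind = r;
    return length;
}

int main(void)
{
    static const char *names[] = {"error", "needs more bytes", "illegal (#UD)", "executed"};
    enum probe_kind k;
    int n = probe_insn_length(SAMPLE_PREFIX_UD2, sizeof SAMPLE_PREFIX_UD2, &k);
    printf("66 0F 0B: decoded length %d, %s\n", n, names[k + 1]);
    n = probe_insn_length(SAMPLE_MOV_EAX, sizeof SAMPLE_MOV_EAX, &k);
    printf("B8 78 56 34 12: decoded length %d, %s\n", n, names[k + 1]);
    return 0;
}
```

Build with `gcc -O0 probe.c -o probe` on an x86-64 Linux box. The operand-size prefix case is the point of sliding rather than just checking for SIGILL: with only `66 0F` on the executable page the decoder still faults fetching the third byte, so the #UD is raised only once all three bytes are on the page, and 3 is the length the CPU assigns to this illegal encoding.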

------
devy
So thanks to Sandsifter we can fuzz test CPUs. Honest question: what's the
implication of these illegal and undocumented instructions discovered by
hardware fuzzing? Do we have to worry about new security vulnerabilities
because of them?

~~~
wongarsu
They found a bunch of instructions, but for most of them we have no idea yet
what they do. At least one instruction on some system can cause the system to
hang. Some instructions might have interesting behavior on hypervisors. But
most likely the vast majority is very boring and does nothing new or
interesting.

~~~
CyberDildonics
Not only hang, but hang in ring 3, meaning it could potentially freeze a CPU
from a VM / hypervisor.

------
tachion
Nothing has changed in 30 years. A huge part of the 8-bit demo scene grew
around exactly these 'illegal and undocumented' CPU instructions, allowing kids
(at the time) to come up with some really crazy and awesome stuff given the
on-paper capabilities of hardware like the 6500/6502 in the C64 and other
machines (think opening screen borders, think more than 8 sprites, think more
than 256 colors in hi-res, and many more).

------
tenebrisalietum
It's interesting reading how the 6502 has a "Decode ROM PLA" that fires off
various parts of the instruction it's executing. It's a very primitive
microcode. It would be interesting if that were customizable in an FPGA version
or if the Javascript version allowed it to be changed.

~~~
phire
"primitive microcode" is the wrong way of thinking about it. Microcoded CPUs
had been around for ages by that point.

It's a highly optimised microcode, designed to produce the correct control
signals in the minimum amount of space while not caring about the output for
illegal opcodes.

------
pera
Many demoscene intros use these kinds of instructions (and also undefined side
effects) to optimize or shrink the binaries. When you really know your
target CPU you can do some nice tricks :)

------
imbusy111
Call the instruction police.

------
zymhan
This post does nothing to add onto the original post about Sandsifter.

------
Tomminn
Ha, for some reason I was expecting this to be biting satire about
immigration.

------
putsteadywere
For a second, I thought this was a post about immigration.

