Years ago, Geoff Chappell (the author of DOS Internals, among other things) published an article about mysterious instructions that Microsoft’s LINK knows but Intel’s documentation is silent about. The fourteen listed instructions were: LOADALL, CFLSH, WRECR, RDECR, SVDC, RSDC, SVLDT, RSLDT, SVTS, RSTS, SMINT, XBTS, IBTS, ZALLOC.
Mr. Chappell then explains why Intel never mentioned SVDC, RSDC, SVLDT, RSLDT, SVTS, RSTS and SMINT: Those are instructions defined by Cyrix and in fact reasonably well documented.
But that still leaves seven instructions: LOADALL, CFLSH, WRECR, RDECR, XBTS, IBTS, and ZALLOC. What are those instructions? And why did Intel not document them?
The instructions actually fall into roughly three categories. Undocumented, withdrawn, and not implemented in production processors.
The LOADALL instruction is notable for being present in all production 286 processors, but only described in a confidential document provided by Intel to selected third parties under a non-disclosure agreement.
Despite the shady nature of the LOADALL instruction, it was well documented in contemporary literature and used by several major software titles (including OS/2 1.x and Microsoft Windows 3.x).
XBTS and IBTS
These instructions are not so much undocumented as forgotten. XBTS and IBTS, or eXtract BiT String and Insert BiT String, were present in early production steppings of the Intel 386 processor, and removed in the B1 stepping in 1986 or so. Intel’s justification for the removal was that the functionality could be achieved using the SHLD/SHRD instructions without much trouble.
It is unlikely that any production software uses XBTS/IBTS for their intended purpose. However, several major operating systems (from Microsoft, IBM, and others) may attempt to execute XBTS or IBTS on 386 processors, solely for the purpose of distinguishing the B0 and earlier steppings from its successors. This is needed for software to decide whether it needs to activate workarounds for the various severe errata found in the Intel 386 B0 stepping (or refuse to work on such broken hardware).
The XBTS and IBTS instructions were documented, for example in the 80386 datasheet from April 1986 (as seen here). Undocumented PC also describes these instructions. However, all mentions of XBTS/IBTS were removed from later editions of the Intel 386 documentation; only the empty spaces in the opcode map remained. For that reason, it’s fair to call these instructions mysterious, even though they weren’t truly undocumented like LOADALL.
CFLSH, RDECR, WRECR, and ZALLOC
These four instructions are true phantoms. They were almost certainly never present in any production processor, but they were documented in preliminary specifications of the Intel P6 processor, later known as Pentium Pro. The preliminary documentation was naturally only available under a non-disclosure agreement, but Microsoft clearly had no trouble obtaining the confidential documents, which explains LINK’s secret knowledge.
Extremely little is known about these instructions, and since they cannot be seen in the wild, they are strictly historical curiosities. The OS/2 Museum recently obtained information from reliable sources which should shed some light on these instructions.
The RDECR and WRECR instructions were intended to read and write so-called Extended Control Registers (ECRs). Intel apparently decided to drop the ECR idea and would-be ECRs for machine check and MTRR control became MSRs instead.
The ZALLOC instruction allocated a zero-filled cache line and was intended to speed up block memory writes and copies. The semantics were rather odd which may be why the instruction was dropped.
Finally the CFLSH instruction flushed the cache as the name suggests, but only for “restricted cache” (RC) lines, later known as write-combined memory regions. The CFLSH instruction was intended as a performance hint for graphics intensive operations; it allowed software to flush cached framebuffer memory and thus avoid unnecessarily polluting the cache with memory that wasn’t going to be used again (or at least not soon).
The RDECR and WRECR instructions could only executed at privilege 0 (i.e. the most privileged code), while CFLSH and ZALLOC could be executed at any privilege level.
It may also be of interest that in the CPUID capability flags (returned in the EDX register after executing CPUID with EAX equal to 1), two bits were reserved for the above instructions: bit 11 for the ECR feature (RDECR/WRECR) and bit 16 for ZALLOC.
The ZALLOC instruction was mentioned publicly a long time ago (see this post and the link within). The RDECR/WRECR instructions, but not CFLSH and ZALLOC, are listed in this document (in Polish, on page 26) as Pentium Pro additions—who knows what the source of the information was.
All in all, some versions of MS LINK do contain a rather interesting list of curiosities.