In the following pseudo code description of the Intel loop
instruction, when the operand size is 16, this description appears to omit use of the DEST
branch-target operand in the taken case:
IF BranchCond = 1
THEN
IF OperandSize = 32
THEN EIP ← EIP + SignExtend(DEST);
ELSE IF OperandSize = 64
THEN RIP ← RIP + SignExtend(DEST);
FI;
ELSE IF OperandSize = 16
?---> THEN EIP ← EIP AND 0000FFFFH;
FI;
FI;
IF OperandSize = (32 or 64)
THEN IF (R/E)IP < CS.Base or (R/E)IP > CS.Limit
#GP; FI;
FI;
FI;
ELSE
Terminate loop and continue program execution at (R/E)IP;
FI;
By the arrow I added (?--->
), it appears to me that DEST
goes unused, in the case of 16-bit OperandSize — it is protecting against wrap but adding nothing in.
The write up from intel:
https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf
page "Vol. 2A 3-543".
FelixCloutier has the same code as intel:
https://www.felixcloutier.com/x86/loop:loopcc
If this is a typo/bug in the intel spec where to report it?
Yeah, looks like bug. The loop
instruction does jump, not just truncate EIP, in 16-bit mode just like in other modes.
(R/E)IP < CS.Base
also looks like a bug; the linear address is formed by adding EIP to CS.Base. i.e. valid EIP values are from 0
to CS.Limit
, unsigned, regardless of non-zero CS base.
I think Intel's forums work as a way to report bugs in manuals / guides, but it's not obvious which section to report in.
https://community.intel.com/t5/Intel-ISA-Extensions/bd-p/isa-extensions has some posts with bug reports for the intrinsics guide, which got the attention of Intel people who could do something about it.
Also possibly https://community.intel.com/t5/Software-Development-Topics/ct-p/software-dev-topics or some other sub-forum of the "software developer" forums. The "cpu" forums seems to be about people using CPUs, like motherboard / RAM compat and stuff.