Blob


1 INTEL 80286 PROGRAMMER'S REFERENCE MANUAL 1987
3 Intel Corporation makes no warranty for the use of its products and
4 assumes no responsibility for any errors which may appear in this document
5 nor does it make a commitment to update the information contained herein.
7 Intel retains the right to make changes to these specifications at any
8 time, without notice.
10 Contact your local sales office to obtain the latest specifications before
11 placing your order.
13 The following are trademarks of Intel Corporation and may only be used to
14 identify Intel Products:
16 Above, BITBUS, COMMputer, CREDIT, Data Pipeline, FASTPATH, Genius, i, î,
17 ICE, iCEL, iCS, iDBP, iDIS, I²ICE, iLBX, im, iMDDX, iMMX, Inboard, Insite,
18 Intel, intel, intelBOS, Intelevision, inteligent Identifier, inteligent
19 Programming, Intellec, Intellink, iOSP, iPDS, iPSC, iRMX, iSBC, iSBX, iSDM,
20 iSXM, KEPROM, Library Manager, MAP-NET, MCS, Megachassis, MICROMAINFRAME,
21 MULTIBUS, MULTICHANNEL, MULTIMODULE, MultiSERVER, ONCE, OpenNET, OTP,
22 PC-BUBBLE, Plug-A-Bubble, PROMPT, Promware, QUEST, QueX, Quick-Pulse
23 Programming, Ripplemode, RMX/80, RUPI, Seamless, SLD, UPI, and VLSiCEL, and
24 the combination of ICE, iCS, iRMX, iSBC, iSBX, MCS, or UPI and a numerical
25 suffix, 4-SITE.
27 MDS is an ordering code only and is not used as a product name or
28 trademark. MDS(R) is a registered trademark of Mohawk Data Sciences
29 Corporation.
31 *MULTIBUS is a patented Intel bus.
33 Additional copies of this manual or other Intel literature may be obtained
34 from:
36 Intel Corporation
37 Literature Distribution
38 Mail Stop SC6-59
39 3065 Bowers Avenue
40 Santa Clara, CA 95051
42 (c)INTEL CORPORATION 1987 CG-10/86
45 Preface
47 ───────────────────────────────────────────────────────────────────────────────────────────────────
50 This manual describes the 80286, the most powerful 16-bit microprocessor in
51 the 8086 family, and the 80287 Numeric Processor Extension (NPX).
53 Organization of This Manual
55 80286
57 The 80286 contains a table of contents, eleven chapters, four appendices,
58 and an index. For more information on the 80286 book's organization, see its
59 first chapter, Chapter 1, "Introduction to the 80286." Section 1.4 in that
60 chapter explains the organization in detail.
62 Notational Conventions
63 This manual uses special notation to represent sub- and superscript
64 characters. Subscript characters are surrounded by {curly brackets}, for
65 example 10{2} = 10 base 2. Superscript characters are preceeded by a caret
66 and enclosed within (parentheses), for example 10^(3) = 10 to the third
67 power.
69 Table of Contents
71 ───────────────────────────────────────────────────────────────────────────────────────────────────
74 Chapter 1 Introduction to the 80286
76 1.1 General Attributes
77 1.2 Modes of Operation
78 1.3 Advanced Features
79 1.3.1 Memory Management
80 1.3.2 Task Management
81 1.3.3 Protection Mechanisms
82 1.3.4 Support for Operating Systems
84 1.4 Organization of This Book
85 1.5 Related Publications
87 Chapter 2 80286 Base Architecture
89 2.1 Memory Organization and Segmentation
90 2.2 Data Types
91 2.3 Registers
92 2.3.1 General Registers
93 2.3.2 Memory Segmentation and Segment Registers
94 2.3.3 Index, Pointer, and Base Registers
95 2.3.4 Status and Control Registers
97 2.4 Addressing Modes
98 2.4.1 Operands
99 2.4.2 Register and Immediate Modes
100 2.4.3 Memory Addressing Modes
101 2.4.3.1 Segment Selection
102 2.4.3.2 Offset Computation
103 2.4.3.3 Memory Mode
105 2.5 Input/Output
106 2.5.1 I/O Address Space
107 2.5.2 Memory-Mapped I\0
109 2.6 Interrupts and Exceptions
110 2.7 Hierarchy of Instruction Sets
112 Chapter 3 Basic Instruction Set
114 3.1 Data Movement Instructions
115 3.1.1 General-Purpose Data Movement Instructions
116 3.1.2 Stack Manipulation Instructions
118 3.2 Flag Operation with the Basic Instruction Set
119 3.2.1 Status Flags 4
120 3.2.2 Control Flags 4
122 3.3 Arithmetic Instructions
123 3.3.1 Addition Instructions
124 3.3.2 Subtraction Instructions
125 3.3.3 Muitiplication Instructions
126 3.3.4 Division Instructions
128 3.4 Logical Instructions
129 3.4.1 Boolean Operation Instructions
130 3.4.2 Shift and Rotate Instructions
131 3.4.2.1 Shift Instructions
132 3.4.2.2 Rotate Instructions
134 3.4.3 Type Conversion and No-Operation Instructions
136 3.5 Test and Compare Instructions
137 3.6 Control Transfer Instructions
138 3.6.1 Unconditional Transfer Instructions
139 3.6.1.1 Jump instruction
140 3.6.1.2 Call Instruction
141 3.6.1.3 Return and Return from interrupt Instruction
143 3.6.2 Conditional Transfer Instructions
144 3.6.2.1 Conditional Jump Instructions
145 3.6.2.2 Loop Instructions
146 3.6.2.3 Executing a Loop or Repeat Zero Times
148 3.6.3 Software-Generated Interrupts
149 3.6.3.1 Software Interrupt Instruction
151 3.7 Character Translation and String Instructions
152 3.7.1 Translate Instruction
153 3.7.2 String Manipulation Instructions and Repeat Prefixes
154 3.7.2.1 String Movement Instructions
155 3.7.2.2 Other String Operations
157 3.8 Address Manipulation Instructions
158 3.9 Flag Control instructions
159 3.9.1 Carry Flag Control Instructions
160 3.9.2 Direction Flag Control Instructions
161 3.9.3 Flag Transfer Instructions
163 3.10 Binary-Coded Decimal Arithmetic Instructions
164 3.10.1 Packed BCD Adjustment Instructions
165 3.10.2 Unpacked BCD Adjustment Instructions
167 3.11 Trusted Instructions
168 3.11.1 Trusted and Privileged Restrictions on POPF and IRET
169 3.11.2 Machine State Instructions
170 3.11.3 Inputand Output Instructions
172 3.12 Processor Extension Instructions
173 3.12.1 Processor Extension Synchronization Instructions
174 3.12.2 Numeric Data Processor Instructions
175 3.12.2.1 Arithmetic Instructions
176 3.12.2.2 Comparison Instructions
177 3.12.2.3 Transcendental Instructions
178 3.12.2.4 Data Transfer Instructions
179 3.12.2.5 Constant Instructions
181 Chapter 4 Extended Instruction Set
183 4.1 Block I\O Instructions
184 4.2 High-Level Instructions
186 Chapter 5 Real Address Mode
188 5.1 Addressing and Segmentation
189 5.2 Interrupt Handling
190 5.2.1 Interrupt Vector Table
191 5.2.1.1 Interrupt Procedures
192 5.2.2 Interrupt Priorities
193 5.2.3 Reserved and Dedicated Interrupt Vectors
195 5.3 System Initialization.
197 Chapter 6 Memory Management and Virtual Addressing
199 6.1 Memory Management Overview
200 6.2 Virtual Addresses
201 6.3 Descriptor Tables
202 6.4 Virtual-to-Physical Address Translation
203 6.5 Segments and Segment Descriptors
204 6.6 Memory Management Registers
205 6.6.1 Segment Address Translation Registers
206 6.6.2 System Address Registers
208 Chapter 7 Protection
210 7.1 Introduction
211 7.1.1 Types of Protection
212 7.1.2 Protection Implementation
214 7.2 Memory Management and Protection
215 7.2.1 Separation of Address Spaces
216 7.2.2 LDT and GDT Access Checks
217 7.2.3 Type Validation
219 7.3 Privilege Levels and Protection
220 7.3.1 Example of Using Four Privilege Levels
221 7.3.2 Privilege Usage
223 7.4 Segment Descriptor
224 7.4.1 Data Accesses
225 7.4.2 Code Segment Access
226 7.4.3 Data Access Restriction by Privilege Level
227 7.4.4 Pointer Privilege Stamping via ARPL
229 7.5 Control Transfers
230 7.5.1 Gates
231 7.5.1.1 Call Gates
232 7.5.1.2 Intra-Level Transfers via Call Gate
233 7.5.1.3 Inter-Level Control Transfer via Call Gates
234 7.5.1.4 Stack Changes Caused by Call Gates
236 7.5.2 Inter-Level Returns
238 Chapter 8 Tasks and State Transitions
240 8.1 Introduction
241 8.2 Task State Segments and Descriptors
242 8.2.1 Task State Segment Descriptors
244 8.3 Task Switching
245 8.4 Task Linking
246 8.5 Task Gates
248 Chapter 9 Interrupts and Exceptions
250 9.1 Interrupt Descriptor Table
251 9.2 Hardware Initiated Interrupts
252 9.3 Software Initiated Interrupts
253 9.4 Interrupt Gates and Trap Gates
254 9.5 Task Gates and Interrupt Tasks
255 9.5.1 Scheduling Considerations
256 9.5.2 Deciding Between Task, Trap, and Interrupt Gates
258 9.6 Protection Exceptions and Reserved Vectors
259 9.6.1 Invalid OP-Code (Interrupt 6)
260 9.6.2 Double Fault (Interrupt 8)
261 9.6.3 Processor Extension Segment Overrun (Interrupt 9)
262 9.6.4 Invalid Task State Segment (Interrupt 10)
263 9.6.5 Not Present (Interrupt 11)
264 9.6.6 Stack Fault (Interrupt 12)
265 9.6.7 General Protection Fault (Interrupt 13)
267 9.7 Additional Exceptions and Interrupts
268 9.7.1 Single Step Interrupt (Interrupt 1)
270 Chapter 10 System Control and Initialization
272 10.1 System Flags and Registers
273 10.1.1 Descriptor Table Registers
275 10.2 System Control Instructions
276 10.2.1 Machine Status Word
277 10.2.2 Other Instructions
279 10.3 Privileged and Trusted Instructions
281 10.4 Initialization
282 10.4.1 Real Address Mode
283 10.4.2 Protected Mode
285 Chapter 11 Advanced Topics
287 11.1 Virtual Memory Management
288 11.2 Special Segment Attributes
289 11.2.1 Conforming Code Segments
290 11.2.2 Expand-Down Data Segments
292 11.3 Pointer Validation
293 11.3.1 Descriptor Validation
294 11.3.2 Pointer Integrity: RPL and the"Trojan Horse Problem"
296 11.4 NPX Context Switching
297 11.5 Multiprocessor Considerations
298 11.6 Shutdown
300 Appendix A 80286 System Initialization
302 Appendix B The 80286 Instruction Set
304 Appendix C 8086/8088 Compatibility Considerations
306 Appendix D 80286/80386 Software Compatibility Considerations
308 Index
310 Figures
312 1-1 Four Privilege Levels
314 2-1 Segmented Virtual Memory
315 2-2 Bytes and Words in Memory.
316 2-3 80286/80287 Supported Data Types
317 2-4 80286 Base Architecture Register Set
318 2-5 Real Address Mode Segment Selector Interpretation
319 2-6 Protected Mode Segment Selector Interpretation
320 2-7 80286 Stack
321 2-8 Stack Operation
322 2-9 BP Usage as a Stack Frame Base Pointer
323 2-10 Flags Register.
324 2-11 Two-Component Address
325 2-12 Use of Memory Segmentation
326 2-13 Complex Addressing Modes
327 2-14 Memory-Mapped I/O
328 2-15 Hierarchy of Instructions
330 3-1 PUSH
331 3-2 PUSHA
332 3-3 POP
333 3-4 POPA.
334 3-5 Flag Word Contents
335 3-6 SAL and SHL
336 3-7 SHR
337 3-8 SAR
338 3-9 ROL
339 3-10 ROR
340 3-11 RCL
341 3-12 RCR
342 3-13 LAHF and SAHF
343 3-14 PUSHF and POPF
345 4-1 Formal Definition of the ENTER Instruction
346 4-2 Variable Access in Nested Procedures
347 4-2a Stack Frame for MAIN at Level 1
348 4-2b Stack Frame for Procedure A
349 4-2c Stack Frame for Procedure B at Level 3 Called from A
350 4-2d Stack Frame for Procedure C at Level 3 Called from B
352 5-1a Forming the Segment Base Address
353 5-1b Forming the 20-Bit Physical Address in the Real Address Mode
354 5-2 Overlapping Segments to Save Physical Memory
355 5-3 Interrupt Vector Table for Real Address Mode
356 5-4 Stack Structure after Interrupt (Real Address Mode)
358 6-1 Format of the Segment Selector Component
359 6-2 Address Spaces and Task Isolation
360 6-3 Segment Descriptor (S=1)
361 6-4 Special Purpose Descriptors or System Segment Descriptors (S=O)
362 6-5 LDT Descriptor
363 6-6 Virtual-to-Physical Address Translation
364 6-7 Segment Descriptor Access Bytes
365 6-8 Memory Management Registers
366 6-9 Descriptor Loading
368 7-1 Addressing Segments of a Module within a Task
369 7-2 Descriptor Cache Registers
370 7-3 80286 Virtual Address Space
371 7-4 Local and Global Descriptor Table Definitions
372 7-5 Error Code Format (on the stack)
373 7-6 Code and Data Segments Assigned to a Privilege Level.
374 7-7 Selector Fields
375 7-8 Access Byte Examples.
376 7-9 Pointer Privilege Stamping
377 7-10 Gate Descriptor Format.
378 7-11 Call Gate
379 7-12 Stack Contents after an Inter-Level Call
381 8-1 Task State Segment and TSS Registers
382 8-2 TSS Descriptor
383 8-3 Task Gate Descriptor
384 8-4 Task Switch Through a Task Gate
386 9-1 Interrupt Descriptor Table Definition
387 9-2 IDT Selector Error Code.
388 9-3 Trap/Interrupt Gate Descriptors
389 9-4 Stack Layout after an Exception with an Error Code
391 10-1 Local and Global Descriptor Table Definition
392 10-2 Interrupt Descriptor Table Definition
393 10-3 Data Type for Global Descriptor Table and Interrupt Descriptor Table
395 11-1 Expand-Down Segment
396 11-2 Dynamic Segment Relocation and Expansion of Segment Limit
397 11-3 Example of NPX Context Switching
399 B-1 /n Instruction Byte Format
400 B-2 /r Instruction Byte Format
402 Tables
404 2-1 Implied Segment Usage by Index, Pointer, and Base Registers
405 2-2 Segment Register Selection Rules
406 2-3 Memory Operand Addressing Modes
407 2-4 80286 Interrupt Vector Assignments (Real Address Mode)
409 3-1 Status Flags' Functions
410 3-2 Control Flags' Functions
411 3-3 Interpretation of Conditional Transfers
413 5-1 Interrupt Processing Order
414 5-2 Dedicated and Reserved Interrupt Vectors in Real Address Mode
415 5-3 Processor State after RESET
417 7-1 Segment Access Rights Byte Format
418 7-2 Allowed Segment Types in Segment Registers
419 7-3 Call Gate Checks
420 7-4 Inter-Level Return Checks
422 8-1 Checks Made during a Task Switch
423 8-2 Effect of a Task Switch on BUSY and NT Bits and the Link Word
425 9-1 Trap and Interrupt Gate Checks
426 9-2 Interrupt and Gate Interactions
427 9-3 Reserved Exceptions and Interrupts
428 9-4 Interrupt Processing Order
429 9-5 Conditions That Invalidate the TSS
431 10-1 MSW Bit Functions
432 10-2 Recommended MSW Encodings for Processor Extension Control
434 11-1 NPX Context Switching
436 B-1 ModRM Values
437 B-2 Protection Exceptions of the 80286
438 B-3 Hexadecimal Values for the Access Rights Byte
440 C-1 New 80286 Interrupts
444 Chapter 1 Introduction to the 80286
446 ───────────────────────────────────────────────────────────────────────────
448 The 80286 is the most powerful 16-bit processor in the 8086 series of
449 microprocessors, which includes the 8086, the 8088, the 80186, the 80188,
450 and the 80286. It is designed for applications that require very high
451 performance. It is also an excellent choice for sophisticated "high end"
452 applications that will benefit from its advanced architectural features:
453 memory management, protection mechanisms, task management, and virtual
454 memory support. The 80286 provides, on a single VLSI chip, computational
455 and architectural characteristics normally associated with much larger
456 minicomputers.
458 Sections 1.1, 1.2, and 1.3 of this chapter provide an overview of the 80286
459 architecture. Because the 80286 represents an extension of the 8086
460 architecture, some of this overview material may be new and unfamiliar to
461 previous users of the 8086 and similar microprocessors. But the 80286 is
462 also an evolutionary development, with the new architecture superimposed
463 upon the industry standard 8086 in such a way as to affect only the design
464 and programming of operating systems and other such system software.
465 Section 1.4 of this chapter provides a guide to the organization of this
466 manual, suggesting which chapters are relevant to the needs of particular
467 readers.
470 1.1 General Attributes
472 The 80286 base architecture has many features in common with the
473 architecture of other members of the 8086 family, such as byte addressable
474 memory, I/O interfacing hardware, interrupt vectoring, and support for both
475 multiprocessing and processor extensions. The entire family has a common
476 set of addressing modes and basic instructions. The 80286 base architecture
477 also includes a number of extensions which add to the versatility of the
478 computer.
480 The 80286 processor can function in two modes of operation (see section 1.2
481 of this chapter, Modes of Operation). In one of these modes only the base
482 architecture is available to programmers, whereas in the other mode a number
483 of very powerful advanced features have been added, including support for
484 virtual memory, multitasking, and a sophisticated protection mechanism.
485 These advanced features are described in section 1.3 of this chapter.
487 The 80286 base architecture was designed to support programming in
488 high-level languages, such as Pascal, C or PL/M. The register set and
489 instructions are well suited to compiler-generated code. The addressing
490 modes (see section 2.4.3 in Chapter 2) allow efficient addressing
491 of complex data structures, such as static and dynamic arrays, records,
492 and arrays within records, which are commonly supported by high-level
493 languages. The data types supported by the architecture include, along with
494 bytes and words, high level language constructs such as strings, BCD, and
495 floating point.
497 The memory architecture of the 80286 was designed to support modular
498 programming techniques. Memory is divided into segments, which may be of
499 arbitrary size, that can be used to contain procedures and data structures.
500 Segmentation has several advantages over more conventional linear memory
501 architectures. It supports structured software, since segments can contain
502 meaningful program units and data, and more compact code, since references
503 within a segment can be shorter (and locality of reference usually insures
504 that the next few references will be within the same segment). Segmentation
505 also lends itself to efficient implementation of sophisticated memory
506 management, virtual memory, and memory protection.
508 In addition, new instructions have been added to the base architecture to
509 give hardware support for procedure invocations, parameter passing, and
510 array bounds checking.
513 1.2 Modes of Operation
515 The 80286 can be operated in either of two different modes: Real Address
516 Mode or Protected Virtual Address Mode (also referred to as Protected Mode).
517 In either mode of operation, the 80286 represents an upwardly compatible
518 addition to the 8086 family of processors.
520 In Real Address Mode, the 80286 operates essentially as a very
521 high-performance 8086. Programs written for the 8086 or the 80186 can be
522 executed in this mode without any modification (the few exceptions are
523 described in Appendix C, "Compatibility Considerations"). Such upward
524 compatibility extends even to the object code level; for example, an 8086
525 program stored in read-only memory will execute successfully in 80286 Real
526 Address Mode. An 80286 operating in Real Address Mode provides a number of
527 instructions not found on the 8086. These additional instructions, also
528 present with the 80186, allow for efficient subroutine linkage, parameter
529 validation, index calculations, and block I/O transfers.
531 The advanced architectural features and full capabilities of the 80286 are
532 realized in its native Protected Mode. Among these features are
533 sophisticated mechanisms to support data protection, system integrity, task
534 concurrency, and memory management, including virtual storage.
535 Nevertheless, even in Protected Mode, the 80286 remains upwardly compatible
536 with most 8086 and 80186 application programs. Most 8086 applications
537 programs can be re-compiled or re-assembled and executed on the 80286 in
538 Protected Mode.
541 1.3 Advanced Features
543 The architectural features described in section 1.1 of this chapter
544 are common to both operating modes of the processor. In addition to these
545 common features, Protected Mode provides a number of advanced features,
546 including a greatly extended physical and logical address space, new
547 instructions, and support for additional hardware-recognized data
548 structures. The Protected Mode 80286 includes a sophisticated memory
549 management and multilevel protection mechanism. Full hardware support is
550 included for multitasking and task switching operations.
553 1.3.1 Memory Management
555 The memory architecture of the Protected Mode 80286 represents a
556 significant advance over that of the 8086. The physical address space has
557 been increased from 1 megabyte to 16 megabytes (2^(24) bytes), while the
558 virtual address space (i.e., the address space visible to a program) has
559 been increased from 1 megabyte to 1 gigabyte (2^(30) bytes). Moreover,
560 separate virtual address spaces are provided for each task in a
561 multi-tasking system (see the next section, 1.3.2, "Task Management").
563 The 80286 supports on-chip memory management instead of relying on an
564 external memory management unit. The one-chip solution is preferable because
565 no software is required to manage an external memory management unit,
566 performance is much better, and hardware designs are significantly simpler.
568 Mechanisms have been included in the 80286 architecture to allow the
569 efficient implementation of virtual memory systems. (In virtual memory
570 systems, the user regards the combination of main and external storage as a
571 single large memory. The user can write large programs without worrying
572 about the physical memory limitations of the system. To accomplish this, the
573 operating system places some of the user programs and data in external
574 storage and brings them into main memory only as they are needed.) All
575 instructions that can cause a segment-not-present fault are fully
576 restartable. Thus, a not-present segment can be loaded from external
577 storage, and the task can be restarted at the point where the fault
578 occurred.
580 The 80286, like all members of the 8086 series, supports a segmented memory
581 architecture. The 80286 also fully integrates memory segmentation into a
582 comprehensive protection scheme. This protection scheme includes
583 hardware-enforced length and type checking to protect segments from
584 inadvertent misuse.
587 1.3.2 Task Management
589 The 80286 is designed to support multi-tasking systems. The architecture
590 provides direct support for the concept of a task. For example, task state
591 segments (see section 8.2 in Chapter 8) are hardware-recognized and
592 hardware-manipulated structures that contain information on the current
593 state of all tasks in the system.
595 Very efficient context-switching (task-switching) can be invoked with a
596 single instruction. Separate logical address spaces are provided for each
597 task in the system. Finally, mechanisms exist to support intertask
598 communication, synchronization, memory sharing, and task scheduling. Task
599 Management is described in Chapter 8.
602 1.3.3 Protection Mechanisms
604 The 80286 allows the system designer to define a comprehensive protection
605 policy to be applied, uniformly and continuously, to all ongoing operations
606 of the system. Such a policy may be desirable to ensure system reliability,
607 privacy of data, rapid error recovery, and separation of multiple users.
609 The 80286 protection mechanisms are based on the notion of a "hierarchy of
610 trust." Four privilege levels are distinguished, ranging from Level 0 (most
611 trusted) to Level 3 (least trusted). Level 0 is usually reserved for the
612 operating system kernel. The four levels may be visualized as concentric
613 rings, with the most privileged level in the center (see figure 1-1).
615 This four-level scheme offers system reliability, flexibility, and design
616 options not possible with the typical two-level (supervisor/user) separation
617 provided by other processors. A four-level division is capable of separating
618 kernel, executive, system services, and application software, each with
619 different privileges.
621 At any one time, a task executes at one of the four levels. Moreover, all
622 data segments and code segments are also assigned to privilege levels. A
623 task executing at one level cannot access data at a more privileged level,
624 nor can it call a procedure at a less privileged level (i.e., trust a less
625 privileged procedure to do work for it). Thus, both access to data and
626 transfer of control are restricted in appropriate ways.
628 A complete separation can exist between the logical address spaces local to
629 different tasks, providing users with automatic protection against
630 accidental or malicious interference by other users. The hardware also
631 provides immediate detection of a number of fault and error conditions, a
632 feature that can be useful in the development and maintenance of software.
634 Finally, these protection mechanisms require relatively little system
635 overhead because they are integrated into the memory management and
636 protection hardware of the processor itself.
639 Figure 1-1. Four Privilege Levels
641 ╔═══════════════════════════╗
642 ║ LEVEL 3 ◄────────╫──LEAST TRUSTED
643 ║ ╔═════════════════════╗ ║
644 ║ ║ LEVEL 2 ║ ║
645 ║ ║ ╔═══════════════╗ ║ ║
646 ║ ║ ║ LEVEL 1 ║ ║ ║
647 ║ ║ ║ ╔═════════╗ ║ ║ ║
648 ║ ║ ║ ║ LEVEL 0 ║ ║ ║ ║
649 ║ ║ ║ ║ ▲ ║ ║ ║ ║
650 ║ ║ ║ ╚═══════╪═╝ ║ ║ ║
651 ║ ║ ║ │ ║ ║ ║
652 ║ ║ ╚══════════╪════╝ ║ ║
653 ║ ║ │ ║ ║
654 ║ ╚═════════════╪═══════╝ ║
655 ║ │ ║
656 ╚════════════════╪══════════╝
657
658 └MOST TRUSTED
661 1.3.4 Support for Operating Systems
663 Most operating systems involve some degree of concurrency, with multiple
664 tasks vying for system resources. The task management mechanisms described
665 above provide the 80286 with inherent support for such multi-tasking
666 systems. Moreover, the advanced memory management features of the 80286
667 allow the implementation of sophisticated virtual memory systems.
669 Operating system implementors have found that a multi-level approach to
670 system services provides better security and more reliable systems. For
671 example, a very secure kernel might implement critical functions such as
672 task scheduling and resource allocation, while less fundamental functions
673 (such asI/O) are built around the kernel. This layered approach also makes
674 program development and enhancement simpler and facilitates error detection
675 and debugging. The 80286 supports the layered approach through its
676 four-level privilege scheme.
679 1.4 Organization of This Book
681 To facilitate the use of this book both as an introduction to the 80286
682 architecture and as a reference guide, the remaining chapters are divided
683 into three major parts.
685 Part I, comprising chapters 2 through 4, should be read by all those who
686 wish to acquire a basic familiarity with the 80286 architecture. These
687 chapters provide detailed information on memory segmentation, registers,
688 addressing modes and the general (application level) 80286 instruction set.
689 In conjunction with the 80286 Assembly Language Reference Manual, these
690 chapters provide sufficient information for an assembly language programmer
691 to design and write application programs.
693 The chapters in Part I are:
695 Chapter 2, "Architectural Features." This chapter discusses those features
696 of the 80286 architecture that are significant for application programmers.
697 The information presented can also function as an introduction to the
698 machine for system programmers. Memory organization and segmentation,
699 processor registers, addressing modes, and instruction formats are all
700 discussed.
702 Chapter 3, "Basic Instruction Set." This chapter presents the core
703 instructions of the 8086 family.
705 Chapter 4, "Extended Instruction Set." This chapter presents the extended
706 instructions shared by the 80186 and 80286 processors.
708 Part II of the book consists of a single chapter:
710 Chapter 5, "Real Address Mode." This chapter presents the system
711 programmer's view of the 80286 when the processor is operated in Real
712 Address Mode.
714 Part III of the book comprises chapters 6 through 11. Aimed primarily at
715 system programmers, these chapters discuss the more advanced architectural
716 features of the 80286, which are available when the processor is in
717 Protected Mode. Details on memory management, protection mechanisms, and
718 task switching are provided.
720 The chapters in Part III are:
722 Chapter 6, "Virtual Memory." This chapter describes the 80286 address
723 translation mechanisms that support virtual memory. Segment descriptors,
724 global and local descriptor tables, and descriptor caches are discussed.
726 Chapter 7, "Protection." This chapter describes the protection features of
727 the 80286. Privilege levels, segment attributes, access restrictions, and
728 call gates are discussed.
730 Chapter 8, "Tasks and State Transitions." This chapter describes the 80286
731 mechanisms that support concurrent tasks. Context-switching, task state
732 segments, task gates, and interrupt tasks are discussed.
734 Chapter 9, "Interrupts, Traps and Faults." This chapter describes interrupt
735 and trap handling. Special attention is paid to the exception traps, or
736 faults, which may occur in Protected Mode. Interrupt gates, trap gates, and
737 the interrupt descriptor table are discussed.
739 Chapter 10, "System Control and Initialization." This chapter describes the
740 actual instructions used to implement the memory management, protection, and
741 task support features of the 80286. System registers, privileged
742 instructions, and the initial machine state are discussed.
744 Chapter 11, "Advanced Topics." This chapter completes Part III with a
745 description of several advanced topics, including special segment attributes
746 and pointer validation.
749 1.5 Related Publications
751 The following manuals also contain information of interest to programmers
752 of 80287 systems:
754 ■ Introduction to the 80286, order number 210308
755 ■ ASM286 Assembly Language Reference Manual, order number 121924
756 ■ 80286 Operating System Writer's Guide, order number 121960
757 ■ 80286 Hardware Reference Manual, order number 210760
758 ■ Microprocessor and Peripheral Handbook, order number 230843
759 ■ PL/M-286 User's Guide, order number 121945
760 ■ 80287 Support Library Reference Manual, order number 122129
761 ■ 8086 Software Toolbox Manual, order number 122203 (includes
762 information about 80287 Emulator Software)
765 Chapter 2 80286 Base Architecture
767 ───────────────────────────────────────────────────────────────────────────
769 This chapter describes the 80286 application programming environment as
770 seen by assembly language programmers. It is intended to introduce the
771 programmer to those features of the 80286 architecture that directly affect
772 the design and implementation of 80286 application programs.
775 2.1 Memory Organization and Segmentation
777 The main memory of an 80286 system makes up its physical address space.
778 This address space is organized as a sequence of 8-bit quantities, called
779 bytes. Each byte is assigned a unique address ranging from 0 up to a maximum
780 of 2^(20) (1 megabyte) in Real Address Mode, and up to 2^(24) (16 megabytes)
781 in Protected Mode.
783 A virtual address space is the organization of memory as viewed by a
784 program. Virtual address space is also organized in units of bytes. (Other
785 addressable units such as words, strings, and BCD digits are described below
786 in section 2.2, "Data Types.") In Real Address Mode, as with the 8086
787 itself, programs view physical memory directly, inasmuch as they manipulate
788 pure physical addresses. Thus, the virtual address space is identical to the
789 physical address space (1 megabyte).
791 In Protected Mode, however, programs have no direct access to physical
792 addresses. Instead, memory is viewed as a much larger virtual address space
793 of 2^(30) bytes (1 gigabyte). This 1 gigabyte virtual address is mapped onto
794 the Protected Mode's 16-megabyte physical address space by the address
795 translation mechanisms described in Chapter 6.
797 The programmer views the virtual address space on the 80286 as a collection
798 of up to sixteen thousand linear subspaces, each with a specified size or
799 length. Each of these linear address spaces is called a segment. A segment
800 is a logical unit of contiguous memory. Segment sizes may range from one
801 byte up to 64K (65,536) bytes.
803 80286 memory segmentation supports the logical structure of programs and
804 data in memory. Programs are not written as single linear sequences of
805 instructions and data, but rather as modules of code and data. For example,
806 program code may include a main routine and several separate procedures.
807 Data may also be organized into various data structures, some private and
808 some shared with other programs in the system. Run-time stacks constitute
809 yet another data requirement. Each of these several modules of code and
810 data, moreover, may be very different in size or vary dynamically with
811 program execution.
813 Segmentation supports this logical structure (see figure 2-1). Each
814 meaningful module of a program may be separately contained in individual
815 segments. The degree of modularization, of course, depends on the
816 requirements of a particular application. Use of segmentation benefits
817 almost all applications. Programs execute faster and require less space.
818 Segmentation also simplifies the design of structured software.
821 2.2 Data Types
823 Bytes and words are the fundamental units in which the 80286 manipulates
824 data, i.e., the fundamental data types.
826 A byte is 8 contiguous bits starting on an addressable byte boundary. The
827 bits are numbered 0 through 7, starting from the right. Bit 7 is the most
828 significant bit:
830 7 0
831 ┌───┬───┬───┬───┬───┬───┬───┬───┐
832 │ BYTE │
833 └───┴───┴───┴───┴───┴───┴───┴───┘
835 A word is defined as two contiguous bytes starting on an arbitrary byte
836 boundary; a word thus contains 16 bits. The bits are numbered 0 through 15,
837 starting from the right. Bit 15 is the most significant bit. The byte
838 containing bit 0 of the word is called the low byte; the byte containing
839 bit 15 is called the high byte.
841 15 0
842 ┌───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┐
843 │ HIGH BYTE │ LOW BYTE │
844 └───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
845 LOCATION N + 1 LOCATION N
847 Each byte within a word has its own particular address, and the smaller of
848 the two addresses is used as the address of the word. The byte at this lower
849 address contains the eight least significant bits of the word, while the
850 byte at the higher address contains the eight most significant bits. The
851 arrangement of bytes within words is illustrated in figure 2-2.
853 Note that a word need not be aligned at an even-numbered byte address. This
854 allows maximum flexibility in data structures (e.g., records containing
855 mixed byte and word entries) and efficiency in memory utilization. Although
856 actual transfers of data between the processor and memory take place at
857 physically aligned word boundaries, the 80286 converts requests for
858 unaligned words into the appropriate sequences of requests acceptable to the
859 memory interface. Such odd aligned word transfers, however, may impact
860 performance by requiring two memory cycles to transfer the word rather than
861 one. Data structures (e.g., stacks) should therefore be designed in such a
862 way that word operands are aligned on word boundaries whenever possible for
863 maximum system performance. Due to instruction prefetching and queueing
864 within the CPU, there is no requirement for instructions to be aligned on
865 word boundaries and no performance loss if they are not.
867 Although bytes and words are the fundamental data types of operands, the
868 processor also supports additional interpretations on these bytes or words.
869 Depending on the instruction referencing the operand, the following
870 additional data types can be recognized:
872 Integer:
873 A signed binary numeric value contained in an 8-bit byte or a 16-bit word.
874 All operations assume a 2's complement representation. (Signed 32- and
875 64-bit integers are supported using the 80287 Numeric Data Processor.)
877 Ordinal:
878 An unsigned binary numeric value contained in an 8-bit byte or 16-bit word.
880 Pointer:
881 A 32-bit address quantity composed of a segment selector component and an
882 offset component. Each component is a 16-bit word.
884 String:
885 A contiguous sequence of bytes or words. A string may contain from 1 byte
886 to 64K bytes.
888 ASCII:
889 A byte representation of alphanumeric and control characters using the
890 ASCII standard of character representation.
892 BCD:
893 A byte (unpacked) representation of the decimal digits (0-9).
895 Packed BCD:
896 A byte (packed) representation of two decimal digits (0-9). One digit is
897 stored in each nibble of the byte.
899 Floating Point:
900 A signed 32-, 64-, or 80-bit real number representation. (Floating operands
901 are supported using the 80287 Numeric Processor Configuration.)
903 Figure 2-3 graphically represents the data types supported by the 80286.
904 80286 arithmetic operations may be performed on five types of numbers:
905 unsigned binary, signed binary (integers), unsigned packed decimal, unsigned
906 unpacked decimal, and floating point. Binary numbers may be 8 or 16 bits
907 long. Decimal numbers are stored in bytes; two digits per byte for packed
908 decimal, one digit per byte for unpacked decimal. The processor always
909 assumes that the operands specified in arithmetic instructions contain data
910 that represent valid numbers for the type of instruction being performed.
911 Invalid data may produce unpredictable results.
913 Unsigned binary numbers may be either 8 or 16 bits long; all bits are
914 considered in determining a number's magnitude. The value range of an 8-bit
915 unsigned binary number is 0-255; 16 bits can represent values from 0 through
916 65,535. Addition, subtraction, multiplication and division operations are
917 available for unsigned binary numbers.
919 Signed binary numbers (integers) may be either 8 or 16 bits long. The
920 high-order (leftmost) bit is interpreted as the number's sign: 0 = positive
921 and 1 = negative. Negative numbers are represented in standard two's
922 complement notation. Since the high-order bit is used for a sign, the range
923 of an 8-bit integer is -128 through +127; 16-bit integers may range from
924 -32,768 through +32,767. The value zero has a positive sign.
926 Separate multiplication and division operations are provided for both
927 signed and unsigned binary numbers. The same addition and subtraction
928 instructions are used with signed or unsigned binary values. Conditional
929 jump instructions, as well as an "interrupt on overflow" instruction, can
930 be used following an unsigned operation on an integer to detect overflow
931 into the sign bit.
933 Unpacked decimal numbers are stored as unsigned byte quantities. One digit
934 is stored in each byte. The magnitude of the number is determined from the
935 low-order half-byte; hexadecimal values 0-9 are valid and are interpreted as
936 decimal numbers. The high-order half-byte must be zero for multiplication
937 and division; it may contain any value for addition and subtraction.
939 Arithmetic on unpacked decimal numbers is performed in two steps. The
940 unsigned binary addition, subtraction and multiplication operations are used
941 to produce an intermediate result. An adjustment instruction then changes
942 the value to a final correct unpacked decimal number. Division is performed
943 similarly, except that the adjustment is carried out on the two digit
944 numerator operand in register AX first, followed by an unsigned binary
945 division instruction that produces a correct result.
947 Unpacked decimal numbers are similar to the ASCII character representations
948 of the digits 0-9. Note, however, that the high-order half-byte of an ASCII
949 numeral is always 3. Unpacked decimal arithmetic may be performed on ASCII
950 numeric characters under the following conditions:
952 ■ the high-order half-byte of an ASCII numeral must be set to 0H prior
953 to multiplication or division.
955 ■ unpacked decimal arithmetic leaves the high-order half-byte set to 0H;
956 it must be set to 3 to produce a valid ASCII numeral.
958 Packed decimal numbers are stored as unsigned byte quantities. The byte is
959 treated as having one decimal digit in each half-byte (nibble); the digit in
960 the high-order half-byte is the most significant. Values 0-9 are valid in
961 each half-byte, and the range of a packed decimal number is 0-99. Additions
962 and subtractions are performed in two steps. First, an addition or
963 subtraction instruction is used to produce an intermediate result. Then, an
964 adjustment operation is performed which changes the intermediate value to a
965 final correct packed decimal result. Multiplication and division
966 adjustments are only available for unpacked decimal numbers.
968 Pointers and addresses are described below in section 2.3.3, "Index,
969 Pointer, and Base Registers," and in section 3.8, "Address Manipulation
970 Instructions."
972 Strings are contiguous bytes or words from 1 to 64K bytes in length. They
973 generally contain ASCII or other character data representations. The 80286
974 provides string manipulation instructions to move, examine, or modify a
975 string (see section 3.7, "Character Translation and String Instructions").
977 If the 80287 numeric processor extension (NPX) is present in the system ──
978 see the 80287 NPX book──the 80286 architecture also supports floating point
979 numbers, 32- and 64-bit integers, and 18-digit BCD data types.
981 The 80287 Numeric Data Processor supports and stores real numbers in a
982 three-field binary format as required by IEEE standard 754 for floating
983 point numerics (see figure 2-3). The number's significant digits are held
984 in the significand field, the exponent field locates the binary point within
985 the significant digits (and therefore determines the number's magnitude),
986 and the sign field indicates whether the number is positive or negative.
987 (The exponent and significand are analogous to the terms "characteristic"
988 and "mantissa," typically used to describe floating point numbers on some
989 computers.) This format is used by the 80287 with various length
990 significands and exponents to support single precision, double precision and
991 extended (80-bit) precision floating point data types. Negative numbers
992 differ from positive numbers only in their sign bits.
995 Figure 2-1. Segmented Virtual Memory
997 ┌─ ── ── ── ── ── ── ── ── ┐
998 20000╔════════════════╗ 8000╔═══════════════╗
999 │ ║CS ║ │ ║ ║ 8600╔═══════════════╗
1000 ║ MAIN ║ ║ PROCEDURE A ║ ║ PROCEDURE ║
1001 │ ║ PROCEDURE ║ │ ║ ║ ║ B ║
1002 0╚════════════════╝ 0╚═══════════════╝ 0╚═══════════════╝
1003 │ │
1004 ╔════════════════╗ 72535╔═══════════════╗ ╔═══════════════╗
1005 │ ║DS ║ │ ║ ║ ║ ║
1006 ║ DATA (MAIN) ║ ║ DATA (A) ║ ║ DATA (B) ║
1007 │ 0╚════════════════╝ │ 0╚═══════════════╝ 0╚═══════════════╝
1008 2000╔════════════════╗
1009 │ ║SS PROCESS ║ │
1010 ║ STACK ║
1011 │ 0╚════════════════╝ │
1012 ╔════════════════╗
1013 │ ║ES PROCESS-WIDE ║ │
1014 ║ DATA ║
1015 │ 0╚════════════════╝ │
1016 └─ ── ── ── ── ── ── ── ── ┘
1017 CURRENTLY ACCESSIBLE
1020 Figure 2-2. Bytes and Words in Memory
1022 BYTE
1023 ADDRESS
1024 All values in hexadecimal. MEMORY VALUES
1025 • •
1026 ╠═══════════════════════╣
1027 E ║ ║
1028 ╠═══════════════════════╣
1029 D ║ ║
1030 ╠═══════════════════════╣
1031 C ║ FE ║─┐
1032 ╠═══════════════════════╣ ├─ WORD AT ADDRESS B CONTAINS FE06
1033 B ║ 06 ║─┘
1034 ╠═══════════════════════╣
1035 A ║ ║
1036 ╠═══════════════════════╣─┐
1037 9 ║ 1F ║ ├─BYTE AT ADDRESS 9 CONTAINS 1F
1038 ╠═══════════════════════╣─┘
1039 8 ║ ║
1040 ╠═══════════════════════╣
1041 7 ║ 23 ║─┐
1042 ╠═══════════════════════╣ ├─ WORD AT ADDRESS 6 CONTAINS 23OB
1043 6 ║ OB ║─┘
1044 ╠═══════════════════════╣
1045 5 ║ ║
1046 ╠═══════════════════════╣
1047 4 ║ ║
1048 ╠═══════════════════════╣
1049 3 ║ 74 ║ ─┐
1050 ╠═══════════════════════╣─┐├─ WORD AT ADDRESS 2 CONTAINS 74CB
1051 2 ║ CB ║ ─┘
1052 ╠═══════════════════════╣ ├─ WORD AT ADDRESS 1 CONTAINS CB31
1053 1 ║ 31 ║ │
1054 ╠═══════════════════════╣─┘
1055 0 ║ ║
1056 ╚═══════════════════════╝
1059 Figure 2-3. 80286/80287 Supported Data Types
1061 +1 0
1062 7 0 7 0 15 14 8 7 0
1063 SIGNED ╔╤╤╤╤╤╤╤╗ UNSIGNED ╔╤╤╤╤╤╤╤╗ SIGNED ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1064 BYTE ║│ │ ║ BYTE ║ │ ║ WORD ║│ │ │ │ ║
1065 ╚╧══════╝ ╚═══════╝ ╚╧══════╧═══════╝
1066 SIGN BIT┘└──────┘ │└MSB │ SIGN BIT┘└MSB │
1067 MAGNITUDE └───────┘ └───────────────┘
1068 MAGNITUDE MAGNITUDE
1070 +3 +2 +1 0
1071 31 16 15 0
1072 SIGNED DOUBLE WORD
1073 Supported by 80287 numeric data processor configuration.
1074 ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1075 ║│ │ │ │ │ │ │ │ ║
1076 ╚╧══════╧═══════╧═══════╧═══════╝
1077 SIGN BIT┘└MBS │
1078 └───────────────────────────────┘
1079 MAGNITUDE
1081 +7 +6 +5 +4 +3 +2 +1 0
1082 63 48 47 32 31 16 15 0
1083 SIGNED QUAD WORD
1084 Supported by 80287 numeric data processor configuration.
1085 ╔╤══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╗
1086 ║│ │ │ │ │ │ │ │ ║
1087 ╚╧══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╝
1088 SIGN BIT┘└MSB │
1089 └──────────────────────────────┘
1090 MAGNITUDE
1092 +1 0
1093 15 0
1094 UNSIGNED WORD ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1095 ║│ │ │ │ ║
1096 ╚╧══════╧═══════╝
1097 │└MSB │
1098 └───────────────┘
1099 MAGNITUDE
1101 +N +1 0
1102 7 0 7 0 7 0
1103 BINARY CODED DECIMAL ╔╤╤╤╤╤╤╤╗ ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1104 (BCD) ║ │ ║ ••• ║ │ │ │ ║
1105 ╚═══════╝ ╚═══════╧═══════╝
1106 BCD BCD BCD
1107 DIGIT N DIGIT 1 DIGIT 0
1109 +N +1 0
1110 7 0 7 0 7 0
1111 ASCII ╔╤╤╤╤╤╤╤╗ ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1112 ║ │ ║ ••• ║ │ │ │ ║
1113 ╚═══════╝ ╚═══════╧═══════╝
1114 ASCII ASCII ASCII
1115 CHARACTER[N] CHARACTER{1} CHARACTER{0}
1117 +N +1 0
1118 7 0 7 0 7 0
1119 PACKED BCD ╔╤╤╤╤╤╤╤╗ ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1120 ║ │ ║ ••• ║ │ │ │ ║
1121 ╚═══════╝ ╚═══════╧═══════╝
1122 └───┘ └───┘
1123 MOST LEAST
1124 SIGNIFICANT SIGNIFICANT
1125 DIGIT DIGIT
1127 +N +1 0
1128 7/15 0 7/15 0 7/15 0
1129 STRING ╔╤╤╤╤╤╤╤╗ ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1130 ║ │ ║ ••• ║ │ │ │ ║
1131 ╚═══════╝ ╚═══════╧═══════╝
1132 BYTE/WORD N BYTE/WORD BYTE/WORD
1133 1 0
1135 +3 +2 +1 0
1136 31 16 15 0
1137 POINTER ╔╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╤╗
1138 ║│ │ │ │ │ │ │ │ ║
1139 ╚╧══════╧═══════╧═══════╧═══════╝
1140 └───────────────┴───────────────┘
1141 SELECTOR OFFSET
1143 +9 +8 +7 +6 +5 +4 +3 +2 +1 0
1144 79 0
1145 FLOATING POINT
1146 Supported by 80287 numeric data processor configuration.
1147 ╔╤══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╗
1148 ║│ │ │ │ │ │ │ │ │ │ ║
1149 ╚╧══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╝
1150 SIGN BIT┘└──────────┴───────────────────────────┘
1151 EXPONENT MAGNITUDE
1154 2.3 Registers
1156 The 80286 contains a total of fourteen registers that are of interest to
1157 the application programmer. (Five additional registers used by system
1158 programmers are covered in section 10.1.) As shown in figure 2-4, these
1159 registers may be grouped into four basic categories:
1161 ■ General registers. These eight 16-bit general-purpose registers are
1162 used primarily to contain operands for arithmetic and logical
1163 operations.
1165 ■ Segment registers. These four special-purpose registers determine, at
1166 any given time, which segments of memory are currently addressable.
1168 ■ Status and Control registers. These three special-purpose registers
1169 are used to record and alter certain aspects of the 80286 processor
1170 state.
1173 2.3.1 General Registers
1175 The general registers of the 80286 are the 16-bit registers AX, BX, CX, DX,
1176 SP, BP, SI, and DI. These registers are used interchangeably to contain the
1177 operands of logical and arithmetic operations.
1179 Some instructions and addressing modes (see section 2.4), however, dedicate
1180 certain general registers to specific uses. BX and BP are often used to
1181 contain the base address of data structures in memory (for example, the
1182 starting address of an array); for this reason, they are often referred to
1183 as the base registers. Similarly, SI and DI are often used to contain an
1184 index value that will be incremented to step through a data structure; these
1185 two registers are called the index registers. Finally, SP and BP are used
1186 for stack manipulation. Both SP and BP normally contain offsets into the
1187 current stack. SP generally contains the offset of the top of the stack and
1188 BP contains the offset or base address of the current stack frame. The use
1189 of these general-purpose registers for operand addressing is discussed in
1190 section 2.3.3, "Index, Pointer, and Base Registers." Register usage for
1191 individual instructions is discussed in chapters 3 and 4.
1193 As shown in figure 2-4, eight byte registers overlap four of the 16-bit
1194 general registers. These registers are named AH, BH, CH, and DH (high
1195 bytes); and AL, BL, CL, and DL (low bytes); they overlap AX, BX, CX, and DX.
1196 These registers can be used either in their entirety or as individual 8-bit
1197 registers. This dual interpretation simplifies the handling of both 8- and
1198 16-bit data elements.
1201 Figure 2-4. 80286 Base Architecture Register Set
1203 16-BIT SPECIAL
1204 REGISTER REGISTER
1205 NAME FUNCTIONS
1206 GENERAL REGISTERS 7 0 7 0
1207 ┌─ ╔══════╤══════╗─┐
1208 │ AX ║ AH │ AL ║ │
1209 BYTE │ ╟──────┼──────╢ ├─MULTIPLY/DIVIDE
1210 ADDRESSABLE │ DX ║ DH │ DL ║ │ I/O INSTRUCTIONS
1211 (8-BIT─┤ ╟──────┼──────╢═╡
1212 REGISTER │ CX ║ CH │ CL ║ ├─LOOP/SHIFT/REPEAT COUNT
1213 NAMES │ ╟──────┼──────╢═╡
1214 SHOWN) │ BX ║ BH │ BL ║ │
1215 └─ ╟──────┴──────╢ ├─BASE REGISTERS
1216 BP ║ ║ │
1217 ╟─────────────╢═╡
1218 SI ║ ║ │
1219 ╟─────────────╢ ├─INDEX REGISTERS
1220 DI ║ ║ │
1221 ╟─────────────╢═╡
1222 SP ║ ║ ├─STACK POINTER
1223 ╚═════════════╝─┘
1224 15 0
1226 SEGMENT REGISTERS 15 0
1227 ╔═════════════╗
1228 CS ║ ║ CODE SEGMENT SELECTOR
1229 ╟─────────────╢
1230 DS ║ ║ DATA SEGMENT SELECTOR
1231 ╟─────────────╢
1232 SS ║ ║ STACK SEGMENT SELECTOR
1233 ╟─────────────╢
1234 ES ║ ║ EXTRA SEGMENT SELECTOR
1235 ╚═════════════╝
1237 STATUS AND CONTROL 15 0
1238 REGISTERS ╔═════════════╗
1239 F ║ ║ FLAGS
1240 ╟─────────────╢
1241 IP ║ ║ INSTRUCTION POINTER
1242 ╟─────────────╢
1243 MSW ║ ║ MACHINE STATUS WORD
1244 ╚═════════════╝
1247 2.3.2 Memory Segmentation and Segment Registers
1249 Complete programs generally consist of many different code modules (or
1250 segments), and different types of data segments. However, at any given time
1251 during program execution, only a small subset of a program's segments are
1252 actually in use. Generally, this subset will include code, data, and
1253 possibly a stack. The 80286 architecture takes advantage of this by
1254 providing mechanisms to support direct access to the working set of a
1255 program's execution environment and access to additional segments on
1256 demand.
1258 At any given instant, four segments of memory are immediately accessible to
1259 an executing 80286 program. The segment registers DS, ES, SS, and CS are
1260 used to identify these four current segments. Each of these registers
1261 specifies a particular kind of segment, as characterized by the associated
1262 mnemonics ("code," "stack," "data," or "extra") shown in figure 2-4.
1264 An executing program is provided with concurrent access to the four
1265 individual segments of memory──a code segment, a stack segment, and two
1266 data segments──by means of the four segment registers. Each may be said to
1267 select a segment, since it uniquely determines the one particular segment
1268 from among the numerous segments in memory, which is to be immediately
1269 accessible at highest speed. Thus, the 16-bit contents of a segment register
1270 is called a segment selector.
1272 Once a segment is selected, a base address is associated with it. To
1273 address an element within a segment, a 16-bit offset from the segment's base
1274 address must be supplied. The 16-bit segment selector and the 16-bit offset
1275 taken together form the high and low order halves, respectively, of a
1276 32-bit virtual address pointer. Once a segment is selected, only the lower
1277 16-bits of the pointer, called the offset, generally need to be specified by
1278 an instruction. Simple rules define which segment register is used to form
1279 an address when only a 16-bit offset is specified.
1281 An executing program requires, first of all, that its instructions reside
1282 somewhere in memory. The segment of memory containing the currently
1283 executing sequence of instructions is known as the current code segment; it
1284 is specified by means of the CS register. All instructions are fetched from
1285 this code segment, using as an offset the contents of the instruction
1286 pointer (IP). The CS:IP register combination therefore forms the full 32-bit
1287 pointer for the next sequential program instruction. The CS register is
1288 manipulated indirectly. Transitions from one code segment to another (e.g.,
1289 a procedure call) are effected implicitly as the result of control-transfer
1290 instructions, interrupts, and trap operations.
1292 Stacks play a fundamental role in the 80286 architecture; subroutine calls,
1293 for example, involve a number of implicit stack operations. Thus, an
1294 executing program will generally require a region of memory for its stack.
1295 The segment containing this region is known as the current stack segment,
1296 and it is specified by means of the SS register. All stack operations are
1297 performed within this segment, usually in terms of address offsets contained
1298 in the stack pointer (SP) and stack frame base (BP) registers. Unlike CS,
1299 the SS register can be loaded explicitly for dynamic stack definition.
1301 Beyond their code and stack requirements, most programs must also fetch and
1302 store data in memory. The DS and ES registers allow the specification of two
1303 data segments, each addressable by the currently executing program.
1304 Accessibility to two separate data areas supports differentiation and
1305 access requirements like local procedure data and global process data. An
1306 operand within a data segment is addressed by specifying its offset either
1307 directly in an instruction or indirectly via index and/or base registers
1308 (described in the next subsection).
1310 Depending on the data structure (e.g., the way data is parceled into one or
1311 more segments), a program may require access to multiple data segments. To
1312 access additional segments, the DS and ES registers can be loaded under
1313 program control during the course of a program's execution. This simply
1314 requires loading the appropriate data pointer prior to accessing the data.
1316 The interpretation of segment selector values depends on the operating mode
1317 of the processor. In Real Address Mode, a segment selector is a physical
1318 address (figure 2-5). In Protected Mode, a segment selector selects a
1319 segment of the user's virtual address space (figure 2-6). An intervening
1320 level of logical-to-physical address translation converts the logical
1321 address to a physical memory address. Chapter 6, "Memory Management,"
1322 provides a detailed discussion of Protected Mode addressing. In general,
1323 considerations of selector formats and the details of memory mapping need
1324 not concern the application programmer.
1327 2.3.3 Index, Pointer, and Base Registers
1329 Five of the general-purpose registers are available for offset address
1330 calculations. These five registers, shown in figure 2-4, are SP, BP, BX,
1331 SI, and DI. SP is called a pointer register; BP and BX are called base
1332 registers; SI and DI are called index registers.
1334 As described in the previous section, segment registers define the set of
1335 four segments currently addressable by a program. A pointer, base, or index
1336 register may contain an offset value relative to the start of one of these
1337 segments; it thereby points to a particular operand's location within that
1338 segment. To allow for efficient computations of effective address offsets,
1339 all base and index registers may participate interchangeably as operands in
1340 most arithmetical operations.
1342 Stack operations are facilitated by the stack pointer (SP) and stack frame
1343 base (BP) registers. By specifying offsets into the current stack segment,
1344 each of these registers provides access to data on the stack. The SP
1345 register is the customary top-of-stack pointer, addressing the uppermost
1346 datum on a push-down stack. It is referenced implicitly by PUSH and POP
1347 operations, subroutine calls, and interrupt operations. The BP register
1348 provides yet another offset into the stack segment. The existence of this
1349 stack relative base register, in conjunction with certain addressing modes
1350 described in section 2.4.3, is particularly useful for accessing data
1351 structures, variables and dynamically allocated work space within the stack.
1353 Stacks in the 80286 are implemented in memory and are located by the stack
1354 segment register (SS) and the stack pointer register (SP). A system may have
1355 an unlimited number of stacks, and a stack may be up to 64K bytes long, the
1356 maximum length of a segment.
1358 One stack is directly addressable at a time; this is the current stack,
1359 often referred to simply as "the" stack. SP contains the current top of the
1360 stack (TOS). In other words, SP contains the offset to the top of the push
1361 down stack from the stack segment's base address. Note, however, that the
1362 stack's base address (contained in SS) is not the "bottom" of the stack
1363 (figure 2-7).
1365 80286 stack entries are 16 bits wide. Instructions operate on the stack by
1366 adding and removing stack items one word at a time. An item is pushed onto
1367 the stack (see figure 2-8) by decrementing SP by 2 and writing the item at
1368 the new TOS. An item is popped off the stack by copying it from TOS and then
1369 incrementing SP by 2. In other words, the stack grows down in memory toward
1370 its base address. Stack operations never move items on the stack; nor do
1371 they erase them. The top of the stack changes only as a result of updating
1372 the stack pointer.
1374 The stack frame base pointer (BP) is often used to access elements on the
1375 stack relative to a fixed point on the stack rather than relative to the
1376 current TOS. It typically identifies the base address of the current
1377 stack frame established for the current procedure (figure 2-9). If an index
1378 register is used relative to BP (e.g., base + index addressing mode using BP
1379 as the base), the offset will be calculated automatically in the current
1380 stack segment.
1382 Accessing data structures in data segments is facilitated by the BX
1383 register, which has the same function in addressing operands within data
1384 segments that BP does for stack segments. They are called base registers
1385 because they may contain an offset to the base of a data structure. The
1386 similar usage of these two registers is especially important when discussing
1387 addressing modes (see section 2.4, "Addressing Modes").
1389 Operations on data are also facilitated by the SI and DI registers. By
1390 specifying an offset relative to the start of the currently addressable data
1391 segment, an index register can be used to address an operand in the segment.
1392 If an index register is used in conjunction with the BX base register
1393 (i.e., base + index addressing) to form an offset address, the data is also
1394 assumed to reside in the current data segment. As a rule, data referenced
1395 through an index register or BX is presumed to reside in the current data
1396 segment. That is, if an instruction invokes addressing for one of its
1397 operands using either BX, DI, SI, or BX with SI or DI, the contents of the
1398 register(s) (BX, DI, or SI) implicitly specify an offset in the current data
1399 segment. As previously mentioned, data referenced via SP, BP or BP with SI
1400 or DI implicitly specify an operand in the current stack segment (refer to
1401 table 2-1).
1403 There are two exceptions to the rules listed above. The first concerns the
1404 operation of certain 80286 string instructions. For the most flexibility,
1405 these instructions assume that the DI register addresses destination strings
1406 not in the data segment, but rather in the extra segment (ES register).
1407 This allows movement of strings between different segments. This has led to
1408 the descriptive names "source index" and "destination index." In all cases
1409 other than string instructions, however, the SI and DI registers may be used
1410 interchangeably to reference either source or destination operands.
1412 A second more general override capability allows the programmer complete
1413 control of which segment is used for a specific operation. Segment-override
1414 prefixes, discussed in section 2.4.3, allow the index and base registers to
1415 address data in any of the four currently addressable segments.
1418 Table 2-1. Implied Segment Usage by Index, Pointer, and Base Registers
1420 Register Implied Segment
1421 SP SS
1422 BP SS
1423 BX DS
1424 DI DS, ES for String Operations
1425 BP + SI, DI SS
1426 BX + SI, DI DS
1428 ────────────────────────────────────────────────────────────────────────────
1429 NOTE
1430 All implied Segment usage, except SP to SS and DI to ES for String
1431 Operations, may be explicitly specified with a segment override prefix for
1432 any of the four segments. The prefix precedes the instruction for which
1433 explicit reference is desired.
1434 ────────────────────────────────────────────────────────────────────────────
1437 Figure 2-5. Real Address Mode Segment Selector Interpretation
1439 ╔═══════════════╗─┐
1440 ║ ║ │
1441 ║ ║ │
1442 ┌─╠═══════════════╣ │ 1 MEGABYTE
1443 SEGMENT 64K BYTES ─┤ ║ SEG 1 ║ ├─ PHYSICAL
1444 ┌──────────────────────►└─╠═══════════════╣ │ ADDRESS
1445 │ BASE ADDRESS ║ ║ │ SPACE
1446 │ ║ ║ │
1447 ╔═════╧══════╤══════╗ ║ ║ │
1448 ║ SELECTOR │ 0000 ║ ╚═══════════════╝─┘
1449 ╚════════════╧══════╝
1451 ───────────────────────────────────────────────────────────────────────────
1452 NOTES:
1453 1. The selector inentifies a segment in physical memory.
1454 2. A selector specifies the segments base address, Modulo 16, within
1455 the 1 Megabyte address space.
1456 3. The selector is the 16 most significant bits of a segments physical
1457 base address.
1458 4. The values of selectors determines the amount they overlap in real
1459 memory.
1460 5. Segments may overlap by increments of 16 bytes. Overlap ranges from
1461 complete (SEG 1 = SEG 1) to none (SEG 1 ╪ SEG 2 ± 64K).
1462 ───────────────────────────────────────────────────────────────────────────
1465 Figure 2-6. Protected Mode Segment Selector Interpretation
1467 ╔════════════╗─┐
1468 ║ SEG 3FFF ║ │
1469 ╠════════════╣ │
1470 ║ SEG 3FFE ║ │
1471 ┌───────────────────────────►╠════════════╣ │
1472 ╔═══════╧══════╗ ║ SEG 3FFD ║ │
1473 ║ SELECTOR ║ ┌─╠════════════╣ │
1474 ╚══════════════╝ 1 TO 64K BYTES─┤ ║ SEG 3FFC ║ │
1475 └─╠════════════╣ │
1476 ║ SEG 3FFB ║ │
1477 ╠════════════╣ │ 1 GIGABYTE
1478 ≈ ≈ ├─ VIRTUAL
1479 ╠════════════╣ │ ADDRESS
1480 ║ SEG 4 ║ │ SPACE
1481 ╠════════════╣ │
1482 ║ SEG 3 ║ │
1483 ╠════════════╣ │
1484 ║ SEG 2 ║ │
1485 ╠════════════╣ │
1486 ║ SEG 1 ║ │
1487 ╠════════════╣ │
1488 ║ SEG 0 ║ │
1489 ╚════════════╝─┘
1491 ───────────────────────────────────────────────────────────────────────────
1492 NOTES:
1493 1. A selector uniquely identifies (names) one of 16K possible segments
1494 in the task's virtual address space.
1495 2. The selector value does not specify the segment's location in
1496 physical memory.
1497 3. The selector does not imply any overlap with other segments (This
1498 depends on the base address of the segment via the memory management
1499 and protection information).
1500 ───────────────────────────────────────────────────────────────────────────
1503 Figure 2-7. 80286 Stack
1505 ╔═════════════════╗ LOGICAL
1506 ║ ║◄─── BOTTOM OF STACK
1507 ╠═════════════════╣ (initial SP value)
1508 ║ ║
1509 ╠═════════════════╣
1510 ║ ║
1511 ╠═════════════════╣
1512 ║ ║ ▲ POP-UP
1513 ╠═════════════════╣ │
1514 ┌───────────►║ ║◄─── LOGICAL TOP OF STACK
1515 │ ╠═════════════════╣ │
1516 │ ║ ║ ▼ PUSH-DOWN
1517 ╔══════╤═══╧══╗ ║ ║
1518 ║ SS │ SP ║ ║ ║
1519 ╚══╤═══╧══════╝ ║ ║
1520 │ ║ ║
1521 │ ║ ║
1522 │ ║ ║
1523 └───────────────────►╚═════════════════╝ STACK SEGMENT BASE ADDRESS
1526 Figure 2-8. Stack Operation
1528 STACK OPERATION FOR CODE SEQUENCE:
1529 PUSH AX STACK
1530 POP AX SEGMENT
1531 POP BX ┌──────────────┐ • • ▲
1532 │EXISTING STACK│ ╟─────────╢ │ BOTTOM
1533 │ BEFORE PUSH │ 1062 ║ 0 0 0 0 ║ │ OF
1534 └──────────────┘ ╟─────────╢ │ STACK
1535 1060 ║ 1 1 1 1 ║
1536 ╟─────────╢
1537 105E ║ 2 2 2 2 ║
1538 ╟─────────╢
1539 105C ║ 3 3 3 3 ║
1540 ╟─────────╢
1541 105A ║ 4 4 4 4 ║
1542 ╟─────────╢
1543 ┌──────────────► 1058 ║ 5 5 5 5 ║
1544 SS │ SP ╟─────────╢─┐
1545 ╔══════════╤═════╧════╗ 1056 ║ 6 6 6 6 ║ │
1546 ║ SELECTOR │ OFFSET ║ ╟─────────╢ │ NOT
1547 ╚════╤═════╧══════════╝ 1054 ║ 7 7 7 7 ║ ├─ PRESENTLY
1548 │ ╟─────────╢ │ USED
1549 │ 1052 ║ 8 8 8 8 ║ │
1550 │ ╟─────────╢─┘
1551 │ 1050 ║ 9 9 9 9 ║
1552 │ ≈ ≈
1553 └──────────────────────────► 0000 ╟─────────╢
1554 • •
1556 STACK
1557 SEGMENT
1558 • •
1559 ╟─────────╢
1560 1062 ║ 0 0 0 0 ║
1561 ╟─────────╢
1562 1060 ║ 1 1 1 1 ║
1563 ╟─────────╢
1564 105E ║ 2 2 2 2 ║
1565 ╟─────────╢
1566 105C ║ 3 3 3 3 ║
1567 ╟─────────╢
1568 105A ║ 4 4 4 4 ║ PUSH AX
1569 ╟─────────╢╔═════════╗
1570 ┌──────────────► 1058 ║ 5 5 5 5 ║║ A A A A ║
1571 SS │ SP ╟─────────╢╚══╤══════╝
1572 ╔══════════╤═════╧════╗ 1056 ║ A A A A ║◄──┘
1573 ║ SELECTOR │ OFFSET ║ ╟─────────╢
1574 ╚════╤═════╧══════════╝ 1054 ║ 7 7 7 7 ║
1575 │ ╟─────────╢
1576 │ 1052 ║ 8 8 8 8 ║
1577 │ ╟─────────╢
1578 │ 1050 ║ 9 9 9 9 ║
1579 │ ≈ ≈
1580 └──────────────────────────► 0000 ╟─────────╢
1581 • •
1583 STACK
1584 SEGMENT
1585 • •
1586 ╟─────────╢
1587 1062 ║ 0 0 0 0 ║
1588 ╟─────────╢
1589 1060 ║ 1 1 1 1 ║
1590 ╟─────────╢
1591 105E ║ 2 2 2 2 ║
1592 ╟─────────╢ POP BX
1593 105C ║ 3 3 3 3 ║ ╔═════════╗
1594 ╟─────────╢ ║ 5 5 5 5 ║
1595 105A ║ 4 4 4 4 ║ ╚═════════╝
1596 ╟─────────╢ ▲
1597 ┌──────────────► 1058 ║ 5 5 5 5 ║──────┘
1598 SS │ SP ╟─────────╢
1599 ╔══════════╤═════╧════╗ 1056 ║ A A A A ║──────┐
1600 ║ SELECTOR │ OFFSET ║ ╟─────────╢ ▼
1601 ╚════╤═════╧══════════╝ 1054 ║ 7 7 7 7 ║ ╔═════════╗
1602 │ ╟─────────╢ ║ A A A A ║
1603 │ 1052 ║ 8 8 8 8 ║ ╚═════════╝
1604 │ ╟─────────╢ POP AX
1605 │ 1050 ║ 9 9 9 9 ║
1606 │ ≈ ≈
1607 └──────────────────────────► 0000 ╟─────────╢
1608 • •
1611 Figure 2-9. BP Usage as a Stack Frame Base Pointer
1613 BP is a constant pointer to stack based variables and work space. All
1614 references use BP and are independent of SP, which may vary during a routine
1615 execution.
1617 PROC N
1618 PUSH AX
1619 PUSH ARRAY_SIZE
1620 CALL PROC_N 1 ─────────► PROC_N+1
1621 ◄───────┐ PUSH BP
1622 │ PUSH CX
1623 │ MOVE BP, SP
1624 │ SUB SP, WORK_SPACE
1625 │ ∙
1626 │ ∙
1627 │ ∙
1628 │ "PROCEDURE BODY"
1629 │ ∙
1630 │ ∙
1631 │ ∙
1632 │ MOV SP, BP
1633 │ POP CX
1634 │ POP BP
1635 └─── RET
1637 • •
1638 ╠═════════════╣─┐
1639 ║ PARAMETERS ║ │
1640 ╟─────────────╢ │
1641 ║ RETURN ADDR ║ │
1642 ╟─────────────╢ ├─PROCEDURE N
1643 ╔ ═ ═╗ ║ REGISTERS ║ │ STACK FRAME
1644 BP ─────────►╟─────────────╢ │
1645 ╚═ ═ ╝ ║ ║ │ PROCEDURE
1646 ▲ ║ WORK_SPACE ║ │ N+1 STACK
1647 BOTTOM │ ╟─────────────╢═╡ FRAME
1648 OF │ ║ PARAMETERS ║ ├──────┘
1649 STACK │ ╟─────────────╢ │ DYNAMICALLY
1650 ║ RETURN ADDR ║ │ ALLOCATED
1651 ╟─────────────╢ │ ON DEMAND
1652 ╔════╗ ║ REGISTERS ║ │ RATHER THAN
1653 ║ BP ╟─────────►╟─────────────╢ │┐STATICALLY
1654 ╚════╝ ║ ║ │├─────┘
1655 ║ WORK_SPACE ║ ││
1656 ┌─ ── ── ── ─►╟─────────────╢─┘┘ ◄───┐
1657 ├─ ── ── ── ─►║ ║ TOP OF STACK
1658 ╔══════╤═══╧══╗ ║ ║
1659 ║ SS │ SP ║ ╚═════════════╝ STACK SEGMENT BASE
1660 ╚══════╧══════╝
1663 2.3.4 Status and Control Registers
1665 Two status and control registers are of immediate concern to applications
1666 programmers: the instruction pointer and the FLAGS registers.
1668 The instruction pointer register (IP) contains the offset address, relative
1669 to the start of the current code segment, of the next sequential instruction
1670 to be executed. Together, the CS:IP registers thus define a 32-bit
1671 program-counter. The instruction pointer is not directly visible to the
1672 programmer; it is controlled implicitly, by interrupts, traps, and
1673 control-transfer operations.
1675 The FLAGS register encompasses eleven flag fields, mostly one-bit wide, as
1676 shown in figure 2-10. Six of the flags are status flags that record
1677 processor status information. The status flags are affected by the execution
1678 of arithmetic and logical instructions. The carry flag is also modifiable
1679 with instructions that will clear, set or complement this flag bit. See
1680 Chapters 3 and 4.
1682 The carry flag (CF) generally indicates a carry or borrow out of the most
1683 significant bit of an 8- or 16-bit operand after performing an arithmetic
1684 operation; this flag is also useful for bit manipulation operations
1685 involving the shift and rotate instructions. The effect on the remaining
1686 status flags, when defined for a particular instruction, is generally as
1687 follows: the zero flag (ZF) indicates a zero result when set; the sign flag
1688 (SF) indicates whether the result was negative (SF=1) or positive (SF=0);
1689 when set, the overflow flag (OF) indicates whether an operation results in
1690 a carry into the high order bit of the result but not a carry out of the
1691 high-order bit, or vice versa; the parity flag (PF) indicates whether the
1692 modulo 2 sum of the low-order eight bits of the operation is even (PF=0) or
1693 odd (PF=1) parity. The auxiliary carry flag (AF) represents a carry out of
1694 or borrow into the least significant 4-bit digit when performing binary
1695 coded decimal (BCD) arithmetic.
1697 The FLAGS register also contains three control flags that are used, under
1698 program control, to direct certain processor operations. The
1699 interrupt-enable flag (IF), if set, enables external interrupts; otherwise,
1700 interrupts are disabled. The trap flag (TF), if set, puts the processor
1701 into a single-step mode for debugging purposes where the target program is
1702 automatically interrupted to a user supplied debug routine after the
1703 execution of each target program instruction. The direction flag (DF)
1704 controls the forward or backward direction of string operations: 0 = forward
1705 or auto increment the address register(s) (SI, DI or SI and DI),
1706 1 = backward or auto-decrement the address register(s) (SI, DI or SI
1707 and DI).
1709 In general, the interrupt enable flag may be set or reset with special
1710 instructions (STI = set, CLI = clear) or by placing the flags on the stack,
1711 modifying the stack, and returning the flag image from the stack to the flag
1712 register. If operating in Protected Mode, the ability to alter the IF bit
1713 is subject to protection checks to prevent non-privileged programs from
1714 effecting the interrupt state of the CPU. This applies to both instruction
1715 and stack options for modifying the IF bit.
1717 The TF flag may only be modified by copying the flag register to the stack,
1718 setting the TF bit in the stack image, and returning the modified stack
1719 image to the flag register. The trap interrupt occurs on completion of the
1720 next instruction. Entry to the single step routine saves the flag register
1721 on the stack with the TF bit set, and resets the TF bit in the register.
1722 After completion of the single step routine, the TF bit is automatically set
1723 on return to the program being single stepped to interrupt the program again
1724 after completion of the next instruction. Use of TF is not inhibited by the
1725 protection mechanism in Protected Mode.
1727 The DF flag, like the IF flag, is controlled by instructions (CLD = clear,
1728 STD = set) or flag register modification through the stack. Typically,
1729 routines that use string instructions will save the flags on the stack,
1730 modify DF as necessary via the instructions provided, and restore DF to its
1731 original state by restoring the Flag register from the stack before
1732 returning. Access or control of the DF flag is not inhibited by the
1733 protection mechanism in Protected Mode.
1735 The Special Fields bits are only relevant in Protected Mode. Real Address
1736 Mode programs should treat these bits as don't-care's, making no assumption
1737 about their status. Attempts to modify the IOPL and NT fields are subject to
1738 protection checking in Protected Mode. In general, the application's
1739 programmer will not be able to and should not attempt to modify these bits.
1740 (See section 10.3, "Privileged and Trusted Instructions" for more details.)
1743 Figure 2-10. Flags Register
1745 STATUS FLAGS:
1746 CARRY────────────────────────────────────────────────┐
1747 PARITY─────────────────────────────────────────┐ │
1748 AUXILLIARY CARRY─────────────────────────┐ │ │
1749 ZERO───────────────────────────────┐ │ │ │
1750 SIGN────────────────────────────┐ │ │ │ │
1751 OVERFLOW────────────┐ │ │ │ │ │
1752 │ │ │ │ │ │
1753 15 14 13 12▼11 10 9 8▼ 7▼ 6 5▼ 4 3▼ 2 1▼ 0
1754 ╔══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╗
1755 FLAGS:║▒▒│NT│IOPL │OF│DF│IF│TF│SF│ZF│▒▒│AF│▒▒│PF│▒▒│CF║
1756 ╚══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╝
1757 ▲ ▲ ▲ ▲ ▲
1758 │ │ │ │ │ CONTROL FLAGS:
1759 │ │ │ │ └───────────TRAP FLAG
1760 │ │ │ └──────────────INTERRUPT ENABLE
1761 │ │ └─────────────────DIRECTION FLAG
1762 │ │ SPECIAL FIELDS:
1763 │ └─────────────────────────I/O PRIVILEGE LEVEL
1764 └─────────────────────────────NESTED TASK FLAG
1767 2.4 Addressing Modes
1769 The information encoded in an 80286 instruction includes a specification of
1770 the operation to be performed, the type of the operands to be manipulated,
1771 and the location of these operands. If an operand is located in memory, the
1772 instruction must also select, explicitly or implicitly, which of the
1773 currently addressable segments contains the operand. This section covers the
1774 operand addressing mechanisms; 80286 operators are discussed in Chapter 3.
1776 The five elements of a general instruction are briefly described below. The
1777 exact format of 80286 instructions is specified in Appendix B.
1779 ■ The opcode is present in all instructions; in fact, it is the only
1780 required element. Its principal function is the specification of the
1781 operation performed by the instruction.
1783 ■ A register specifier.
1785 ■ The addressing mode specifier, when present, is used to specify the
1786 addressing mode of an operand for referencing data or performing
1787 indirect calls or jumps.
1789 ■ The displacement, when present, is used to compute the effective
1790 address of an operand in memory.
1792 ■ The immediate operand, when present, directly specifies one operand of
1793 the instruction.
1795 Of the four elements, only one, the opcode, is always present. The other
1796 elements may or may not be present, depending on the particular operation
1797 involved and on the location and type of the operands.
1800 2.4.1 Operands
1802 Generally speaking, an instruction is an operation performed on zero, one,
1803 or two operands, which are the data manipulated by the instruction. An
1804 operand can be located either in a register (AX, BX, CX, DX, SI, DI, SP, or
1805 BP in the case of 16-bit operands; AH, AL, BH, BL, CH, CL, DH, or DL in the
1806 case of 8-bit operands; the FLAG register for flag operations in the
1807 instruction itself (as an immediate operand)), or in memory or an I/O port.
1808 Immediate operands and operands in registers can be accessed more rapidly
1809 than operands in memory since memory operands must be fetched from memory
1810 while immediate and register operands are available in the processor.
1812 An 80286 instruction can reference zero, one, or two operands. The three
1813 forms are as follows:
1815 ■ Zero-operand instructions, such as RET, NOP, and HLT. Consult Appendix
1818 ■ One-operand instructions, such as INC or DEC. The location of the
1819 single operand can be specified implicitly, as in AAM (where the
1820 register AX contains the operand), or explicitly, as in INC (where
1821 the operand can be in any register or memory location). Explicitly
1822 specified operands are accessed via one of the addressing modes
1823 described in section 2.4.2.
1825 ■ Two operand instructions such as MOV, ADD, XOR, etc., generally
1826 overwrite one of the two participating operands with the result. A
1827 distinction can thus be made between the source operand (the one left
1828 unaffected by the operation) and the destination operand (the one
1829 overwritten by the result). Like one-operand instructions, two-operand
1830 instructions can specify the location of operands either explicitly or
1831 implicitly. If an instruction contains two explicitly specified
1832 operands, only one of them──either the source or the destination──can
1833 be in a register or memory location. The other operand must be in a
1834 register or be an immediate source operand. Special cases of
1835 two-operand instructions are the string instructions and stack
1836 manipulation. Both operands of some string instructions are in memory
1837 and are explicitly specified. Push and pop stack operations allow
1838 transfer between memory operands and the memory based stack.
1840 Thus, the two-operand instructions of the 80286 permit operations of the
1841 following sort:
1843 ■ Register-to-register
1844 ■ Register-to-memory
1845 ■ Memory-to-register
1846 ■ Immediate-to-register
1847 ■ Immediate-to-memory
1848 ■ Memory-to-memory
1850 Instructions can specify the location of their operands by means of eight
1851 addressing modes, which are described in sections 2.4.2 and 2.4.3.
1854 2.4.2 Register and Immediate Modes
1856 Two addressing modes are used to reference operands contained in registers
1857 and instructions:
1859 ■ Register Operand Mode. The operand is located in one of the 16-bit
1860 registers (AX, BX, CX, DX, SI, DI, SP, or BP) or in one of the 8-bit
1861 general registers (AH, BH, CH, DH, AL, BL, CL, or DL).
1863 Special instructions are also included for referencing the CS, DS, ES, SS,
1864 and Flag registers as operands also.
1866 ■ Immediate Operand Mode. The operand is part of the instruction itself
1867 (the immediate operand element).
1870 2.4.3 Memory Addressing Modes
1872 Six modes are used to access operands in memory. Memory operands are
1873 accessed by means of a pointer consisting of a segment selector (see section
1874 2.3.2) and an offset, which specifies the operand's displacement in bytes
1875 from the beginning of the segment in which it resides. Both the segment
1876 selector component and the offset component are 16-bit values. (See section
1877 2.1 for a discussion of segmentation.) Only some instructions use a full
1878 32-bit address.
1880 Most memory references do not require the instruction to specify a full
1881 32-bit pointer address. Operands that are located within one of the
1882 currently addressable segments, as determined by the four segment registers
1883 (see section 2.3.2, "Segment Registers"), can be referenced very
1884 efficiently simply by means of the 16-bit offset. This form of address is
1885 called by short address. The choice of segment (CS, DS, ES, or SS) is either
1886 implicit within the instruction itself or explicitly specified by means of
1887 a segment override prefix (see below).
1889 See figure 2-11 for a diagram of the addressing process.
1892 2.4.3.1 Segment Selection
1894 All instructions that address operands in memory must specify the segment
1895 and the offset. For speed and compact instruction encoding, segment
1896 selectors are usually stored in the high speed segment registers. An
1897 instruction need specify only the desired segment register and an offset in
1898 order to address a memory operand.
1900 Most instructions need not explicitly specify which segment register is
1901 used. The correct segment register is automatically chosen according to the
1902 rules of table 2-1 and table 2-2. These rules follow the way programs are
1903 written (see figure 2-12) as independent modules that require areas for
1904 code and data, a stack, and access to external data areas.
1906 There is a close connection between the type of memory reference and the
1907 segment in which that operand resides (see the next section for a
1908 discussion of how memory addressing mode calculations are performed). As a
1909 rule, a memory reference implies the current data segment (i.e., the
1910 implicit segment selector is in DS) unless the BP register is involved in
1911 the address specification, in which case the current stack segment is
1912 implied (i.e, SS contains the selector).
1914 The 80286 instruction set defines special instruction prefix elements (see
1915 Appendix B). One of these is SEG, the segment-override prefix.
1916 Segment-override prefixes allow an explicit segment selection. Only in two
1917 special cases──namely, the use of DI to reference destination strings in
1918 the ES segment, and the use of SP to reference stack locations in the SS
1919 segment──is there an implied segment selection which cannot be overridden.
1920 The format of segment override prefixes is shown in Appendix B.
1923 Table 2-2 Segment Register Selection Rules
1925 Memory Reference Segment Register Implicit Segment
1926 Needed Used Selection Rule
1928 Instructions Code (CS) Automatic with
1929 instruction prefetch.
1931 Stack Stack (SS) All stack pushes and
1932 pops. Any memory reference
1933 which uses BP as a base
1934 register.
1936 Local Data Data (DS) All data references
1937 except when relative to
1938 stack or string destination.
1940 External (Global) Extra (ES) Alternate data segment
1941 Data and destination of string
1942 operation.
1945 Figure 2-11. Two-Component Address
1947 • •
1948 POINTER ║ ║
1949 ┌───────────┴───────────┐ ╠═════════════╣─┐
1950 ╔═══════════╤═══════════╗ ║ ║ │
1951 ║ SEGMENT │ OFFSET ║ ║ ║ │
1952 ╚═══════════╧═══════════╝ ║ ║ │
1953 31 16 15 0 ╟─────────────╢ │
1954 └────┬────┘ └────┬────┘ ║ OPERAND ║ │ SELECTED
1955 │ │ ║ SELECTED ║ ├─ SEGMENT
1956 │ └───────────────────►╟─────────────╢ │
1957 │ ║ ║ │
1958 │ ║ ║ │
1959 │ ║ ║ │
1960 │ ║ ║ │
1961 └───────────────────────────────►╠═════════════╣─┘
1962 ║ ║
1963 • MEMORY •
1966 2.4.3.2 Offset Computation
1968 The offset within the desired segment is calculated in accordance with the
1969 desired addressing mode. The offset is calculated by taking the sum of up to
1970 three components:
1972 ■ the displacement element in the instruction
1973 ■ the base (contents of BX or BP──a base register)
1974 ■ the index (contents of SI or DI──an index register)
1976 Each of the three components of an offset may be either a positive or
1977 negative value. Offsets are calculated modulo 2^(16).
1979 The six memory addressing modes are generated using various combinations of
1980 these three components. The six modes are used for accessing different types
1981 of data stored in memory:
1983 addressing mode offset calculation
1984 direct address displacement alone
1985 register indirect base or index alone
1986 based base + displacement
1987 indexed index + displacement
1988 based indexed base + index
1989 based indexed with displacement base + index + disp
1991 In all six modes, the operand is located at the specified offset within the
1992 selected segment. All displacements, except direct address mode, are
1993 optionally 8- or 16-bit values. 8-bit displacements are automatically
1994 sign-extended to 16 bits. The six addressing modes are described and
1995 demonstrated in the following section on memory addressing modes.
1998 Figure 2-12. Use of Memory Segmentation
2000 ┌─ ── ─┐
2001 ╔══════╗
2002 ║ CODE ║
2003 ╟──────╢ MODULE A
2004 ║ DATA ║
2005 ╚══════╝
2006 CPU │ │
2007 ┌───────────┐ ╔══════╗
2008 │ ╔═══════╗ │ ║ CODE ║
2009 │ ║ CODE ╟─┼─────────────────────────►╟──────╢ MODULE B
2010 │ ╟───────╢ │ ║ DATA ║
2011 │ ║ DATA ╟─┼─────────────────────────►╚══════╝
2012 │ ╟───────╢ │ │ │
2013 │ ║ STACK ╟─┼───────────────┐ ╔══════╗
2014 │ ╟───────╢ │ │ ║ ║ PROCESS STACK
2015 │ ║ EXTRA ╟─┼───────────┐ └─────────►╚══════╝
2016 │ ╚═══════╝ │ │ │ │
2017 │ SEGMENT │ │ ╔══════╗ PROCESS
2018 │ REGISTERS │ │ ║ ║ DATA
2019 └───────────┘ └─────────────►╚══════╝ BLOCK 1
2020 │ │
2021 ╔══════╗ PROCESS
2022 ║ ║ DATA
2023 ╚══════╝ BLOCK 2
2024 └─ ── ─┘
2025 MEMORY
2028 2.4.3.3 Memory Mode
2030 Two modes are used for simple scalar operands located in memory:
2032 ■ Direct Address Mode. The offset of the operand is contained in the
2033 instruction as the displacement element. The offset is a 16-bit
2034 quantity.
2036 ■ Register Indirect Mode. The offset of the operand is in one of the
2037 registers SI, DI, or BX. (BP is excluded; if BP is used as a stack
2038 frame base, it requires an index or displacement component to reference
2039 either parameters passed on the stack or temporary variables allocated
2040 on the stack. The instruction level bit encoding for the BP only
2041 address mode is used to specify Direct Address mode.)
2043 The following four modes are used for accessing complex data structures in
2044 memory (see figure 2-13):
2046 ■ Based Mode. The operand is located within the selected segment at an
2047 offset computed as the sum of the displacement and the contents of a
2048 base register (BX or BP). Based mode is often used to access the same
2049 field in different copies of a structure (often called a record). The
2050 base register points to the base of the structure (hence the term
2051 "base" register), and the displacement selects a particular field.
2052 Corresponding fields within a collection of structures can be accessed
2053 simply by changing the base register. (See figure 2-13, example 1.)
2055 ■ Indexed Mode. The operand is located within the selected segment at an
2056 offset computed as the sum of the displacement and the contents of an
2057 index register (SI or DI). Indexed mode is often used to access
2058 elements in a static array (e.g., an array whose starting location is
2059 fixed at translation time). The displacement locates the beginning of
2060 the array, and the value of the index register selects one element.
2061 Since all array elements are the same length, simple arithmetic on the
2062 index register will select any element. (See figure 2-13, example 2.)
2064 ■ Based Indexed Mode. The operand is located within the selected segment
2065 at an offset computed as the sum of the base register's contents and an
2066 index register's contents. Based Indexed mode is often used to access
2067 elements of a dynamic array (i.e., an array whose base address can
2068 change during execution). The base register points to the base of the
2069 array, and the value of the index register is used to select one
2070 element. (See figure 2-13, example 3.)
2072 ■ Based Indexed Mode with Displacement. The operand is located with the
2073 selected segment at an offset computed as the sum of a base register's
2074 contents, an index register's contents, and the displacement. This mode
2075 is often used to access elements of an array within a structure. For
2076 example, the structure could be an activation record (i.e., a region
2077 of the stack containing the register contents, parameters, and
2078 variables associated with one instance of a procedure); and one
2079 variable could be an array. The base register points to the start of
2080 the activation record, the displacement expresses the distance from the
2081 start of the record to the beginning of the array variable, and the
2082 index register selects a particular element of the array. (See figure
2083 2-13, example 4.)
2085 Table 2-3 gives a summary of all memory operand addressing options.
2088 Table 2-3. Memory Operand Addressing Modes
2090 Addressing Mode Offset Calculation
2092 Direct 16-bit Displacement in the instruction
2093 Register Indirect BX, SI, DI
2094 Based (BX or BP) + Displacement
2095 The displacement can be a 0, 8 or 16-bit value.
2096 Indexed (SI or DI) + Displacement
2097 The displacement can be a 0, 8 or 16-bit value.
2098 Based Indexed (BX or BP) + (SI or DI)
2099 Based Indexed + Displacement (BX or BP) + (SI or DI) + Displacement
2100 The displacement can be a 0, 8 or 16-bit value.
2103 Figure 2-13. Complex Addressing Modes
2105 1. BASED MODE 2. INDEXED MODE
2107 MOV AX, [BP + DATE_CODE] MOV ID[SI], DX
2108 ADD[BX + BALANCE], CX SUB BX, DATA_TBL[SI]
2110 • • • • F
2111 ╠═══════════╣─┐ ╠═══════════╣─┐ I
2112 ║ ║ │ ║ ║ │ X
2113 ╔═══════════╗ ╟───────────╢ │ ╔═══════════╗ ╟───────────╢ │ E
2114 ║ DISPL ╟────►║ OPERAND ║ ├─ ║ INDEX ╟────►║ OPERAND ║ ├─D
2115 ╚═══════════╝ ╟───────────╢ │ ╚═══════════╝ ╟───────────╢ │
2116 + ║ ║ │ + ║ ║ │ A
2117 ╔═══════════╗ ┌──►╟───────────╢─┘ ╔═══════════╗ ┌──►╟───────────╢─┘ R
2118 ║ BASE ╟─┘ ║ ║ ║ DISPL ╟─┘ ║ ║ R
2119 ╚═══════════╝ ║ ║ ╚═══════════╝ ║ ║ A
2120 + ║ ║ + ║ ║ Y
2121 ╔═══════════╗ ║ ║ ╔═══════════╗ ║ ║
2122 ║ SEGMENT ╟────►╚═══════════╝ ║ SEGMENT ╟────►╚═══════════╝
2123 ╚═══════════╝ ╚═══════════╝
2125 3. BASED INDEXED 4. BASED INDEXED MODE
2126 WITH DISPLACEMENT BASED
2127 MOV DX, [BP][DI] STRUCTURE
2128 AND [BX + SI], 3FFH MOV CX, [BP][SI + CNT] CONTAINING
2129 SHR[BX + DI + MASK] ARRAY
2130 • • B • • └─┐
2131 ╠═══════════╣─┐ A ╠═══════════╣ ──┐│
2132 ║ ║ │ S ║ ║ ││
2133 ╔═══════════╗ ╟───────────╢ │ E ╔═══════════╗ ╟───────────╢─┐ ││
2134 ║ INDEX ╟────►║ OPERAND ║ ├─D ║ INDEX ╟───┐ ║▒▒▒▒▒▒▒▒▒▒▒║ │ A ││
2135 ╚═══════════╝ ╟───────────╢ │ ╚═══════════╝ │ ╟───────────╢ │ R ││
2136 + ║ ║ │ A + └►║ OPERAND ║ ├─R ├┘
2137 ╔═══════════╗ ┌──►╟───────────╢─┘ R ╔═══════════╗ ┌──►╟───────────╢ │ A │
2138 ║ BASE ╟─┘ ║ ║ R ║ DISPL ╟─┘ ║▒▒▒▒▒▒▒▒▒▒▒║ │ Y │
2139 ╚═══════════╝ ║ ║ A ╚═══════════╝ ┌►╟───────────╢─┘ │
2140 + ║ ║ Y + │ ║ ║ │
2141 ╔═══════════╗ ║ ║ ╔═══════════╗ │ ╟───────────╢ ──┘
2142 ║ SEGMENT ╟────►╚═══════════╝ ║ BASE ╟───┘ ║ ║
2143 ╚═══════════╝ ╚═══════════╝ ║ ║
2144 + ║ ║
2145 ╔═══════════╗ ║ ║
2146 ║ SEGMENT ╟────►╚═══════════╝
2147 ╚═══════════╝
2150 2.5 Input/Output
2152 The 80286 allows input/output to be performed in either of two ways: by
2153 means of a separate I/O address space (using specific I/O instructions) or
2154 by means of memory-mapped I/O (using general-purpose operand manipulation
2155 instructions).
2158 2.5.1 I/O Address Space
2160 The 80286 provides a separate I/O address space, distinct from physical
2161 memory, to address the input/output ports that are used for external
2162 devices. The I/O address space consists of 2^(16) (64K) individually
2163 addressable 8-bit ports. Any two consecutive 8-bit ports can be treated as
2164 a 16-bit port. Thus, the I/O address space can accommodate up to 64K 8-bit
2165 ports or up to 32K 16-bit ports. I/O port addresses 00F8H to 00FFH are
2166 reserved by Intel.
2168 The 80286 can transfer either 8 or 16 bits at a time to a device located in
2169 the I/O space. Like words in memory, 16-bit ports should be aligned at
2170 even-numbered addresses so that the 16 bits will be transferred in a single
2171 access. An 8-bit port may be located at either an even or odd address. The
2172 internal registers in a given peripheral controller device should be
2173 assigned addresses as shown below.
2175 Port Register Port Addresses Example
2177 16-bit even word addresses OUT FE,AX
2178 8-bit; device on
2179 lower half of 16-bit
2181 data bus even byte addresses IN AL,FE
2183 8-bit; device on upper
2184 half of 16-bit data bus odd byte addresses OUT FF,AL
2186 The I/O instructions IN and OUT (described in section 3.11.3) are provided
2187 to move data between I/O ports and the AX (16-bit I/O) or AL (8-bit I/O)
2188 general registers. The block I/O instructions INS and OUTS (described in
2189 section 4.1) move blocks of data between I/O ports and memory space (as
2190 shown below). In Protected Mode, an operating system may prevent a program
2191 from executing these I/O instructions. Otherwise, the function of the I/O
2192 instructions and the structure of the I/O space are identical for both modes
2193 of operation.
2195 INS es:byte ptr [di], DX
2196 OUTS DX, byte ptr [si]
2198 IN and OUT instructions address I/O with either a direct address to one of
2199 up to 256 port addresses, or indirectly via the DX register to one of up to
2200 64K port addresses. Block I/O uses the DX register to specify the I/O
2201 address and either SI or DI to designate the source or destination memory
2202 address. For each transfer, SI or DI are either incremented or decremented
2203 as specified by the direction bit in the flag word while DX is constant to
2204 select the I/O device.
2207 2.5.2 Memory-Mapped I/O
2209 I/O devices also may be placed in the 80286 memory address space. So long
2210 as the devices respond like memory components, they are indistinguishable to
2211 the processor.
2213 Memory-mapped I/O provides additional programming flexibility. Any
2214 instruction that references memory may be used to access an I/O port located
2215 in the memory space. For example, the MOV instruction can transfer data
2216 between any register and a port; and the AND, OR, and TEST instructions may
2217 be used to manipulate bits in the internal registers of a device (see
2218 figure 2-14). Memory-mapped I/O performed via the full instruction set
2219 maintains the full complement of addressing modes for selecting the desired
2220 I/O device.
2222 Memory-mapped I/O, like any other memory reference, is subject to access
2223 protection and control when executing in protected mode.
2226 Figure 2-14. Memory-Mapped I/O
2228 MEMORY
2229 ADDRESS SPACE
2230 ╔════════════════╗ I/O DEVICE 1
2231 ║ ║ ╔═════════════════════╗
2232 ║ ║ ║ INTERNAL REGISTER ║
2233 ╟────────────────╢─ ── ─ ── ─ ── ─║─╔═════════════════╗ ║
2234 ║ ║ ║ ║ ║ ║
2235 ╟────────────────╢─ ── ─ ── ─ ── ─║─╚═════════════════╝ ║
2236 ║ ║ ╚═════════════════════╝
2237 ║ ║
2238 ║ ║ I/O DEVICE 2
2239 ║ ║ ╔═════════════════════╗
2240 ║ ║ ║ INTERNAL REGISTER ║
2241 ║────────────────║─ ── ─ ── ─ ── ─║─╔═════════════════╗ ║
2242 ║ ║ ║ ║ ║ ║
2243 ║────────────────║─ ── ─ ── ─ ── ─║─╚═════════════════╝ ║
2244 ║ ║ ╚═════════════════════╝
2245 ║ ║
2246 ╚════════════════╝
2249 2.6 Interrupts and Exceptions
2251 The 80286 architecture supports several mechanisms for interrupting program
2252 execution. Internal interrupts are synchronous events that are the responses
2253 of the CPU to certain events detected during the execution of an
2254 instruction. External interrupts are asynchronous events typically
2255 triggered by external devices needing attention. The 80286 supports both
2256 maskable (controlled by the IF flag) and non-maskable interrupts. They cause
2257 the processor to temporarily suspend its present program execution in order
2258 to service the requesting device. The major distinction between these two
2259 kinds of interrupts is their origin: an internal interrupt is always
2260 reproducible by re-executing with the program and data that caused the
2261 interrupt, whereas an external interrupt is generally independent of the
2262 currently executing task.
2264 Interrupts 0-31 are reserved by Intel.
2266 Application programmers will normally not be concerned with servicing
2267 external interrupts. More information on external interrupts for system
2268 programmers may be found in Chapter 5, section 5.2, "Interrupt Handling for
2269 Real Address Mode," and in Chapter 9, "Interrupts, Traps and Faults for
2270 Protected Virtual Address Mode."
2272 In Real Address Mode, the application programmer is affected by two kinds
2273 of internal interrupts. (Internal interrupts are the result of executing an
2274 instruction which causes the interrupt.) One type of interrupt is called an
2275 exception because the interrupt only occurs if a particular fault condition
2276 exists. The other type of interrupt generates the interrupt every time the
2277 instruction is executed.
2279 The exceptions are: divide error, INTO detected overflow, bounds check,
2280 segment overrun, invalid operation code, and processor extension error (see
2281 table 2-4). A divide error exception results when the instructions DIV or
2282 IDIV are executed with a zero denominator; otherwise, the quotient will be
2283 too large for the destination operand (see section 3.3.4 for a discussion
2284 of DIV and IDIV). An overflow exception results when the INTO instruction is
2285 executed and the OF flag is set (after an arithmetic operation that set the
2286 overflow (OF) flag). (See section 3.6.3, "Software Generated Interrupts,"
2287 for a discussion of INTO.) A bounds check exception results when the BOUND
2288 instruction is executed and the array index it checks falls outside the
2289 bounds of the array. (See section 4.2 for a discussion of the BOUND
2290 instruction.) The segment overrun exception occurs when a word memory
2291 reference is attempted which extends beyond the end of a segment. An invalid
2292 operation code exception occurs if an attempt is made to execute an
2293 undefined instruction operation code. A processor extension error is
2294 generated when a processor extension detects an illegal operation. Refer to
2295 Chapter 5 for a more complete description of these exception conditions.
2297 The instruction INT generates an internal interrupt whenever it is
2298 executed. The effects of this interrupt (and the effects of all interrupts)
2299 is determined by the interrupt handler routines provided by the application
2300 program or as part of the system software (provided by system programmers).
2301 See Chapter 5 for more on this topic. The INT instruction itself is
2302 discussed in section 3.6.3.
2304 In Protected Mode, many more fault conditions are detected and result in
2305 internal interrupts. Protected Mode interrupts and faults are discussed in
2306 Chapter 9.
2309 2.7 Hierarchy of Instruction Sets
2311 For descriptive purposes, the 80286 instruction set is partitioned into
2312 three distinct subsets: the Basic Instruction Set, the Extended Instruction
2313 Set, and the System Control Instruction Set. The "hierarchy" of instruction
2314 sets defined by this partitioning helps to clarify the relationships
2315 between the various processors in the 8086 family (see figure 2-15).
2317 The Basic Instruction Set, presented in Chapter 3, comprises the common
2318 subset of instructions found on all processors of the 8086 family. Included
2319 are instructions for logical and arithmetic operations, data movement,
2320 input/output, string manipulation, and transfer of control.
2322 The Extended Instruction Set, presented in Chapter 4, consists of those
2323 instructions found only on the 80186, 80188, and 80286 processors. Included
2324 are instructions for block structured procedure entry and exit, parameter
2325 validation, and block I/O transfers.
2327 The System Control Instruction Set, presented in Chapter 10, consists of
2328 those instructions unique to the 80286. These instructions control the
2329 memory management and protection mechanisms of the 80286.
2332 Table 2-4. 80286 Interrupt Vector Assignments (Real Address Mode)
2335 Function Interupt Related Return Address
2336 Number Instructions Before Instruction
2337 Causing Exception?
2338 Divide error exception 0 DIV, IDIV Yes
2339 Single step interrupt 1 All
2340 NMI interrupt 2 All
2341 Breakpoint interrupt 3 INT
2342 INTO detected overflow exception 4 INTO No
2343 BOUND range exceeded exception 5 BOUND Yes
2344 Invalid opcode exception 6 Any undefined Yes
2345 opcode
2346 Processor extension 7 ESC or WAIT Yes
2347 not available exception
2348 Interrupt table limit 8 INT vector Yes
2349 too small exception is not within
2350 table limit
2351 Processor extension segment 9 ESC with memory No
2352 overrun interrupt operand extending
2353 beyond offset
2354 FFFF(H)
2355 Reserved 10-12
2356 Segment overrun exception 13 Word memory Yes
2357 reference with
2358 offset = FFFF(H)
2359 or an attempt to
2360 execute past the
2361 end of a segment
2362 Reserved 14, 15
2363 Processor extension 16 ESC or WAIT
2364 error interrupt
2365 Reserved 17-31
2366 User defined 32-255
2370 Figure 2-15. Hierarchy of Instructions
2372 ╔══════════════════════╗
2373 ║ ║
2374 ║ ║
2375 ║ ╔════════════════╗ ║
2376 ║ ║ ║ ║
2377 ║ ║ ╔══════════╗ ║ ║
2378 ║ ║ ║ 8086 ◄╫──╫──╫──BASIC INSTRUCTION SET
2379 ║ ║ ║ 8088 ║ ║ ║
2380 ║ ║ ╚══════════╝ ║ ║
2381 ║ ║ 80186 ◄───╫──╫──EXTENDED INSTRUCTION SET
2382 ║ ║ 80188 ║ ║
2383 ║ ╚════════════════╝ ║
2384 ║ 80286 ◄──────╫──SYSTEM CONTROL INSTRUCTION SET
2385 ║ ║
2386 ╚══════════════════════╝
2389 Chapter 3 Basic Instruction Set
2391 ───────────────────────────────────────────────────────────────────────────
2393 The base architecture of the 80286 is identical to the complete instruction
2394 set of the 8086, 8088, 80188, and 80186 processors. The 80286 instruction
2395 set includes new forms of some instructions. These new forms reduce program
2396 size and improve the performance and ease of implementation of source code.
2398 This chapter describes the instructions which programmers can use to write
2399 application software for the 80286. The following chapters describe the
2400 operation of more complicated I/O and system control instructions.
2402 All instructions described in this chapter are available for both Real
2403 Address Mode and Protected Virtual Address Mode operation. The instruction
2404 descriptions note any differences that exist between the operation of an
2405 instruction in these two modes.
2407 This chapter also describes the operation of each application
2408 program-relative instruction and includes an example of using the
2409 instruction. The Instruction Dictionary in Appendix B contains formal
2410 descriptions of all instructions. Any opcode pattern that is not described
2411 in the Instruction Dictionary is undefined and results in an opcode
2412 violation trap (interrupt 6).
2415 3.1 Data Movement Instructions
2417 These instructions provide convenient methods for moving bytes or words of
2418 data between memory and the registers of the base architecture.
2421 3.1.1 General-Purpose Data Movement Instructions
2423 MOV (Move) transfers a byte or a word from the source operand to the
2424 destination operand. The MOV instruction is useful for transferring data to
2425 a register from memory, to memory from a register, between registers,
2426 immediate-to-register, or immediate-to-memory. Memory-to-memory or segment
2427 register-to-segment register moves are not allowed.
2429 Example:
2430 MOV DS,AX. Replaces the contents of register DS with the contents of
2431 register AX.
2433 XCHG (Exchange) swaps the contents of two operands. This instruction takes
2434 the place of three MOV instructions. It does not require a temporary memory
2435 location to save the contents of one operand while you load the other.
2437 The XCHG instruction can swap two byte operands or two word operands, but
2438 not a byte for a word or a word for a byte. The operands for the XCHG
2439 instruction may be two register operands, or a register operand with a
2440 memory operand. When used with a memory operand, XCHG automatically
2441 activates the LOCK signal.
2443 Example:
2444 XCHG BX,WORDOPRND. Swaps the contents of register BX with the contents
2445 of the memory word identified by the label WORDOPRND after asserting
2446 bus lock.
2449 3.1.2 Stack Manipulation Instructions
2451 PUSH (Push) decrements the stack pointer (SP) by two and then transfers a
2452 word from the source operand to the top of stack indicated by SP. See figure
2453 3-1. PUSH is often used to place parameters on the stack before calling a
2454 procedure; it is also the basic means of storing temporary variables on the
2455 stack. The PUSH instruction operates on memory operands, immediate operands
2456 (new with the 80286), and register operands (including segment registers).
2458 Example:
2459 PUSH WORDOPRND. Transfers a 16-bit value from the memory word identified
2460 by the label WORDOPRND to the memory location which represents the current
2461 top of stack (byte transfers are not allowed).
2463 PUSHA (Push All Registers) saves the contents of the eight general
2464 registers on the stack. See figure 3-2. This instruction simplifies
2465 procedure calls by reducing the number of instructions required to retain
2466 the contents of the general registers for use in a procedure. PUSHA is
2467 complemented by POPA (see below).
2469 The processor pushes the general registers on the stack in the following
2470 order: AX, CX, DX, BX, the initial value of SP before AX was pushed, BP, SI,
2471 and DI.
2473 Example:
2474 PUSHA. Pushes onto the stack the contents of the eight general registers.
2476 POP (Pop) transfers the word at the current top of stack (indicated by SP)
2477 to the destination operand, and then increments SP by two to point to the
2478 new top of stack. See figure 3-3. POP moves information from the stack to
2479 either a register or memory. The only restriction on POP is that it cannot
2480 place a value in register CS.
2482 Example:
2483 POP BX. Replaces the contents of register BX with the contents of the
2484 memory location at the top of stack.
2486 POPA (Pop All Registers) restores the registers saved on the stack by
2487 PUSHA, except that it ignores the value of SP. See figure 3-4.
2489 Example:
2490 POPA. Pops from the stack the saved contents of the general registers,
2491 and restores the registers (except SP) to their original state.
2494 Figure 3-1. PUSH
2496 • • • •
2497 HIGH ADDRESS ║ ║ ║ ║
2498 ╠═══════════════╣ ╠═══════════════╣ SS LIMIT
2499 OPERANDS FROM ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
2500 PREVIOUS PUSH ╠═══════════════╣ ╠═══════════════╣
2501 INSTRUCTIONS SP─►║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
2502 ╠═══════════════╣ ╠═══════════════╣ SP ALWAYS POINTS
2503 ║ ║ ║ OPERAND ║◄─TO THE LAST WORD
2504 ╠═══════════════╣ ╠═══════════════╣ PUSHED ONTO THE
2505 ║ ║ ║ ║ STACK (TOS)
2506 ╠═══════════════╣ ╠═══════════════╣
2507 ≈ ≈ ≈ ≈
2508 ╠═══════════════╣ ╠═══════════════╣
2509 ║ ║ ║ ║ SS ALWAYS POINTS
2510 LOW ADDRESS ╠═══════════════╣ ╠═══════════════╣ TO LOWEST ADDRESS
2511 ║ ║ ║ ║ USED BY THE STACK
2512 • BEFORE • • AFTER •
2513 PUSH OPERAND PUSH OPERAND
2515 PUSH decrements SP by 2 bytes and places the operand in the stack at the
2516 location to which SP points.
2519 Figure 3-2. PUSHA
2521 • • • •
2522 HIGH ADDRESS ║ ║ ║ ║
2523 ╠═══════════════╣ ╠═══════════════╣ SS LIMIT
2524 OPERANDS FROM ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
2525 PREVIOUS PUSH ╠═══════════════╣ ╠═══════════════╣
2526 INSTRUCTIONS ┌──►║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
2527 │ ╠═══════════════╣ ╠═══════════════╣
2528 SP──┘ ║ ║ ║ AX ║
2529 ╠═══════════════╣ ╠═══════════════╣
2530 ║ ║ ║ CX ║
2531 ╠═══════════════╣ ╠═══════════════╣
2532 ║ ║ ║ DX ║
2533 ╠═══════════════╣ ╠═══════════════╣
2534 ║ ║ ║ BX ║
2535 ╠═══════════════╣ ╠═══════════════╣
2536 ║ ║ ║ OLD SP ║
2537 ╠═══════════════╣ ╠═══════════════╣
2538 ║ ║ ║ BP ║
2539 ╠═══════════════╣ ╠═══════════════╣
2540 ║ ║ ║ SI ║
2541 ╠═══════════════╣ ╠═══════════════╣
2542 ║ ║ ║ DI ║◄───SP
2543 ╠═══════════════╣ ╠═══════════════╣
2544 ║ ║ ║ ║
2545 ╠═══════════════╣ ╠═══════════════╣
2546 ≈ ≈ ≈ ≈
2547 ╠═══════════════╣ ╠═══════════════╣
2548 ║ ║ ║ ║
2549 ╠═══════════════╣ ╠═══════════════╣
2550 ║ ║ ║ ║
2551 ╠═══════════════╣ ╠═══════════════╣
2552 ║ ║ ║ ║
2553 LOW ADDRESS ╠═══════════════╣ ╠═══════════════╣ SS
2554 ║ ║ ║ ║
2555 • • • •
2556 BEFORE AFTER
2557 PUSHA PUSHA
2559 PUSHA copies the contents of the eight general registers to the stack in
2560 the above order. The instruction decrements SP by 16 bytes (8 words) to
2561 point to the last word pushed on the stack.
2564 Figure 3-3. POP
2566 • • • •
2567 HIGH ADDRESS ║ ║ ║ ║
2568 ╠═══════════════╣ ╠═══════════════╣ SS LIMIT
2569 OPERANDS FROM ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
2570 PREVIOUS PUSH ╠═══════════════╣ ╠═══════════════╣
2571 INSTRUCTIONS ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║◄───SP
2572 ╠═══════════════╣ ╠═══════════════╣
2573 SP───►║ OPERAND ║ ║ ║
2574 ╠═══════════════╣ ╠═══════════════╣
2575 ║ ║ ║ ║
2576 ╠═══════════════╣ ╠═══════════════╣
2577 ≈ ≈ ≈ ≈
2578 ╠═══════════════╣ ╠═══════════════╣
2579 ║ ║ ║ ║
2580 LOW ADDRESS ╠═══════════════╣ ╠═══════════════╣ SS
2581 ║ ║ ║ ║
2582 • BEFORE • • AFTER •
2583 POP OPERAND POP OPERAND
2585 POP copies the contents of the stack location before SP to the operand in
2586 the instruction. POP then increments SP by 2 bytes (1 word).
2588 Figure 3-4. POPA
2590 • • • •
2591 HIGH ADDRESS ║ ║ ║ ║
2592 ╠═══════════════╣ ╠═══════════════╣ SS LIMIT
2593 OPERANDS FROM ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
2594 PREVIOUS PUSH ╠═══════════════╣ ╠═══════════════╣
2595 INSTRUCTIONS ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║ ║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║◄───SP
2596 ╠═══════════════╣ ╠═══════════════╣
2597 ║ AX ║ ║ ║
2598 ╠═══════════════╣ ╠═══════════════╣
2599 ║ CX ║ ║ ║
2600 ╠═══════════════╣ ╠═══════════════╣
2601 ║ DX ║ ║ ║
2602 ╠═══════════════╣ ╠═══════════════╣
2603 ║ BX ║ ║ ║
2604 ╠═══════════════╣ ╠═══════════════╣
2605 ║ SP ║ ║ ║
2606 ╠═══════════════╣ ╠═══════════════╣
2607 ║ BP ║ ║ ║
2608 ╠═══════════════╣ ╠═══════════════╣
2609 ║ SI ║ ║ ║
2610 ╠═══════════════╣ ╠═══════════════╣
2611 SP───►║ DI ║ ║ ║
2612 ╠═══════════════╣ ╠═══════════════╣
2613 ║ ║ ║ ║
2614 ╠═══════════════╣ ╠═══════════════╣
2615 ≈ ≈ ≈ ≈
2616 ╠═══════════════╣ ╠═══════════════╣
2617 ║ ║ ║ ║
2618 ╠═══════════════╣ ╠═══════════════╣
2619 ║ ║ ║ ║
2620 ╠═══════════════╣ ╠═══════════════╣
2621 ║ ║ ║ ║
2622 LOW ADDRESS ╠═══════════════╣ ╠═══════════════╣ SS
2623 • BEFORE • • AFTER •
2624 POPA POPA
2626 POPA copies the contents of seven stack locations to the corresponding
2627 general registers. POPA discards the stored value of SP.
2630 3.2 Flag Operation With the Basic Instruction Set
2633 3.2.1 Status Flags
2635 The status flags of the FLAGS register reflect conditions that result from
2636 a previous instruction or instructions. The arithmetic instructions use OF,
2637 SF, ZF, AF, PF, and CF.
2639 The SCAS (Scan String), CMPS (Compare String), and LOOP instructions use ZF
2640 to signal that their operations are complete. The base architecture includes
2641 instructions to set, clear, and complement CF before execution of an
2642 arithmetic instruction. See figure 3-5 and tables 3-1 and 3-2.
2645 3.2.2 Control Flags
2647 The control flags of the FLAGS register determine processor operations for
2648 string instructions, maskable interrupts, and debugging.
2650 Setting DF (direction flag) causes string instructions to auto-decrement;
2651 that is, to process strings from high addresses to low addresses, or from
2652 "right-to-left." Clearing DF causes string instructions to auto-increment,
2653 or to process strings from "left-to-right."
2655 Setting IF (interrupt flag) allows the CPU to recognize external (maskable)
2656 interrupt requests. Clearing IF disables these interrupts. IF has no effect
2657 on either internally generated interrupts, nonmaskable external interrupts,
2658 or processor extension segment overrun interrupts.
2660 Setting TF (trap flag) puts the processor into single-step mode for
2661 debugging. In this mode, the CPU automatically generates an internal
2662 interrupt after each instruction, allowing a program to be inspected as it
2663 executes each instruction, instruction by instruction.
2666 Table 3-1. Status Flags' Functions
2668 Bit Position Name Function
2670 0 CF Carry Flag--Set on high-order bit carry or borrow;
2671 cleared otherwise
2673 2 PF Parity Flag--Set if low-order eight bits of result
2674 contain an even number of 1 bits; cleared otherwise
2676 4 AF Set on carry from or borrow to the low order four
2677 bits of AL; cleared otherwise
2679 6 ZF Zero Flag--Set if result is zero; cleared otherwise
2681 7 SF Sign Flag--Set equal to high-order bit of result (0
2682 if positive, 1 if negative)
2684 11 OF Overflow Flag--Set if result is too-large a positive
2685 number or too-small a negative number (excluding
2686 sign-bit) to fit in destination operand; cleared
2687 otherwise
2690 Table 3-2. Control Flags' Functions
2692 Bit Position Name Function
2694 8 TF Trap (Single Step) Flag--Once set, a single step
2695 interrupt occurs after the next instruction executes.
2696 TF is cleared by the single step interrupt.
2698 9 IF Interrupt-enable Flag--When set, maskable interrupts
2699 will cause the CPU to transfer control to an interrupt
2700 vector-specified location.
2702 10 DF Direction Flag--Causes string instructions to auto
2703 decrement the appropriate index registers when set.
2704 Clearing DF causes auto increment.
2707 Figure 3-5. Flag Word Contents
2709 STATUS FLAGS:
2710 CARRY────────────────────────────────────────────────┐
2711 PARITY─────────────────────────────────────────┐ │
2712 AUXILLIARY CARRY─────────────────────────┐ │ │
2713 ZERO───────────────────────────────┐ │ │ │
2714 SIGN────────────────────────────┐ │ │ │ │
2715 OVERFLOW────────────┐ │ │ │ │ │
2716 │ │ │ │ │ │
2717 15 14 13 12▼11 10 9 8▼ 7▼ 6 5▼ 4 3▼ 2 1▼ 0
2718 ╔══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╗
2719 FLAGS:║▒▒│NT│IOPL │OF│DF│IF│TF│SF│ZF│▒▒│AF│▒▒│PF│▒▒│CF║
2720 ╚══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╝
2721 ▲ ▲ ▲ ▲ ▲
2722 │ │ │ │ │ CONTROL FLAGS:
2723 │ │ │ │ └───────────TRAP FLAG
2724 │ │ │ └──────────────INTERRUPT ENABLE
2725 │ │ └─────────────────DIRECTION FLAG
2726 │ │ SPECIAL FIELDS:
2727 │ └─────────────────────────I/O PRIVILEGE LEVEL
2728 └─────────────────────────────NESTED TASK FLAG
2731 3.3 Arithmetic Instructions
2733 The arithmetic instructions of the 8086-family processors simplify the
2734 manipulation of numerical data. Multiplication and division instructions
2735 ease the handling of signed and unsigned binary integers as well as unpacked
2736 decimal integers.
2738 An arithmetic operation may consist of two register operands, a general
2739 register source operand with a memory destination operand, a memory source
2740 operand with a register destination operand, or an immediate field with
2741 either a register or memory destination operand, but not two memory
2742 operands. Arithmetic instructions can operate on either byte or word
2743 operands.
2746 3.3.1 Addition Instructions
2748 ADD (Add Integers) replaces the destination operand with the sum of the
2749 source and destination operands. ADD affects OF, SF, AF, PF, CF, and ZF.
2751 Example:
2752 ADD BL, BYTEOPRND. Adds the contents of the memory byte labeled
2753 BYTEOPRND to the contents of BL, and replaces BL with the resulting sum.
2755 ADC (Add Integers with Carry) sums the operands, adds one if CF is set, and
2756 replaces the destination operand with the result. ADC can be used to add
2757 numbers longer than 16 bits. ADC affects OF, SF, AF, PF, CF, and ZF.
2759 Example:
2760 ADC BX, CX. Replaces the contents of the destination operand BX with
2761 the sum of BX, CS, and 1 (if CF is set). If CF is cleared, ADC
2762 performs the same operation as the ADD instruction.
2764 INC (Increment) adds one to the destination operand. The processor treats
2765 the operand as an unsigned binary number. INC updates AF, OF, PF, SF, and
2766 ZF, but it does not affect CF. Use ADD with an immediate value of 1 if an
2767 increment that updates carry (CF) is needed.
2769 Example:
2770 INC BL. Adds 1 to the contents of BL.
2773 3.3.2 Subtraction Instructions
2775 SUB (Subtract Integers) subtracts the source operand from the destination
2776 operand and replaces the destination operand with the result. If a borrow is
2777 required, carry flag is set. The operands may be signed or unsigned bytes or
2778 words. SUB affects OF, SF, ZF, AF, PF, and CF.
2780 Example:
2781 SUB WORDOPRND, AX. Replaces the contents of the destination operand
2782 WORDOPRND with the result obtained by subtracting the contents of AX from
2783 the contents of the memory word labeled WORDOPRND.
2785 SBB (Subtract Integers with Borrow) subtracts the source operand from the
2786 destination operand, subtracts 1 if CF is set, and returns the result to the
2787 destination operand. The operands may be signed or unsigned bytes or words.
2788 SBB may be used to subtract numbers longer than 16 bits. This instruction
2789 affects OF, SF, ZF, AF, PF, and CF. The carry flag is set if a borrow is
2790 required.
2792 Example:
2793 SBB BL, 32. Subtracts 32 from the contents of BL and then decrements the
2794 result of this subtraction by one if CF is set. If CF is cleared, SBB
2795 performs the same operation as SUB.
2797 DEC (Decrement) subtracts 1 from the destination operand. DEC updates AF,
2798 OF, PF, SF, and ZF, but it does not affect CF. Use SUB with an immediate
2799 value of 1 to perform a decrement that affects carry.
2801 Example:
2802 DEC BX. Subtracts 1 from the contents of BX and places the result back in
2803 BX.
2806 3.3.3 Multiplication Instructions
2808 MUL (Unsigned Integer Multiply) performs an unsigned multiplication of the
2809 source operand and the accumulator. If the source is a byte, the processor
2810 multiplies it by the contents of AL and returns the double-length result to
2811 AH and AL.
2813 If the source operand is a word, the processor multiplies it by the
2814 contents of AX and returns the double-length result to DX and AX. MUL sets
2815 CF and OF to indicate that the upper half of the result is nonzero;
2816 otherwise, they are cleared. This instruction leaves SF, ZF, AF, and PF
2817 undefined.
2819 Example:
2820 MUL BX. Replaces the contents of DX and AX with the product of BX and AX.
2821 The low-order 16 bits of the result replace the contents of AX; the
2822 high-order word goes to DX. The processor sets CF and OF if the unsigned
2823 result is greater than 16 bits.
2825 IMUL (Signed Integer Multiply) performs a signed multiplication operation.
2826 IMUL uses AX and DX in the same way as the MUL instruction, except when used
2827 in the immediate form.
2829 The immediate form of IMUL allows the specification of a destination
2830 register other than the combination of DX and AX. In this case, the result
2831 cannot exceed 16 bits without causing an overflow. If the immediate operand
2832 is a byte, the processor automatically extends it to 16 bits before
2833 performing the multiplication.
2835 The immediate form of IMUL may also be used with unsigned operands because
2836 the low 16 bits of a signed or unsigned multiplication of two 16-bit values
2837 will always be the same.
2839 IMUL clears CF and OF to indicate that the upper half of the result is the
2840 sign of the lower half. This instruction leaves SF, ZF, AF, and PF
2841 undefined.
2843 Example:
2844 IMUL BL. Replaces the contents of AX with the product of BL and AL. The
2845 processor sets CF and OF if the result is more than 8 bits long.
2847 Example:
2848 IMUL BX, SI, 5. Replaces the contents of BX with the product of the
2849 contents of SI and an immediate value of 5. The processor sets CF and OF
2850 if the signed result is longer than 16 bits.
2853 3.3.4 Division Instructions
2855 DIV (Unsigned Integer Divide) performs an unsigned division of the
2856 accumulator by the source operand. If the source operand is a byte, it is
2857 divided into the double-length dividend assumed to be in registers AL and AH
2858 (AH = most significant byte; AL = least significant byte). The
2859 single-length quotient is returned in AL, and the single-length remainder is
2860 returned in AH.
2862 If the source operand is a word, it is divided into the double-length
2863 dividend in registers AX and DX. The single-length quotient is returned in
2864 AX, and the single-length remainder is returned in DX. Non-integral
2865 quotients are truncated to integers toward 0. The remainder is always less
2866 than the quotient.
2868 For unsigned byte division, the largest quotient is 255. For unsigned word
2869 division, the largest quotient is 65,535. DIV leaves OF, SF, ZF, AF, PF, and
2870 CF undefined. Interrupt (INT 0) occurs if the divisor is zero or if the
2871 quotient is too large for AL or AX.
2873 Example:
2874 DIV BX. Replaces the contents of AX with the unsigned quotient of the
2875 doubleword value contained in DX and AX, divided by BX. The unsigned
2876 modulo replaces the contents of DX.
2878 Example:
2879 DIV BL. Replaces the contents of AL with the unsigned quotient of the
2880 word value in AX, divided by BL. The unsigned modulo replaces the
2881 contents of AH.
2883 IDIV (Signed Integer Divide) performs a signed division of the accumulator
2884 by the source operand. IDIV uses the same registers as the DIV instruction.
2886 For signed byte division, the maximum positive quotient is +127 and the
2887 minimum negative quotient is -128. For signed word division, the maximum
2888 positive quotient is +32,767 and the minimum negative quotient is -32,768.
2889 Non-integral results are truncated towards 0. The remainder will always
2890 have the same sign as the dividend and will be less than the divisor in
2891 magnitude. IDIV leaves OF, SF, ZF, AF, PF, and CF undefined. A division by
2892 zero causes an interrupt (INT 0) to occur if the divisor is 0 or if the
2893 quotient is too large for AL or AX.
2895 Example:
2896 IDIV WORDOPRND. Replaces the contents of AX with the signed quotient
2897 of the double-word value contained in DX and AX, divided by the value
2898 contained in the memory word labeled WORDOPRND. The signed modulo
2899 replaces the contents of DX.
2902 3.4 Logical Instructions
2904 The group of logical instructions includes the Boolean operation
2905 instructions, rotate and shift instructions, type conversion instructions,
2906 and the no-operation (NOP)instruction.
2909 3.4.1 Boolean Operation Instructions
2911 Except for the NOT and NEG instructions, the Boolean operation instructions
2912 can use two register operands, a general purpose register operand with a
2913 memory operand, an immediate operand with a general purpose register
2914 operand, or a memory operand. The NOT and NEG instructions are unary
2915 operations that use a single operand in a register or memory.
2917 AND (And) performs the logical "and" of the operands (byte or word) and
2918 returns the result to the destination operand. AND clears OF and DF, leaves
2919 AF undefined, and updates SF, ZF, and PF.
2921 Example:
2922 AND WORDOPRND, BX. Replaces the contents of WORDOPRND with the logical
2923 "and" of the contents of the memory word labeled WORDOPRND and the
2924 contents of BX.
2926 NOT (Not) inverts the bits in the specified operand to form a one's
2927 complement of the operand. NOT has no effect on the flags.
2929 Example:
2930 NOT BYTEOPRND. Replaces the original contents of BYTEOPRND with the
2931 one's complement of the contents of the memory word labeled BYTEOPRND.
2933 OR (Or) performs the logical "inclusive or" of the two operands and returns
2934 the result to the destination operand. OR clears OF and DF, leaves AF
2935 undefined, and updates SF, ZF, and PF.
2937 Example:
2938 OR AL,5. Replaces the original contents of AL with the logical
2939 "inclusive or" of the contents of AL and the immediate value 5.
2941 XOR (Exclusive OR) performs the logical "exclusive or" of the two operands
2942 and returns the result to the destination operand. XOR clears OF and DF,
2943 leaves AF undefined, and updates SF, ZF, and PF.
2945 Example:
2946 XOR DX, WORDOPRND. Replaces the original contents of DX with the logical
2947 "exclusive or" or the contents of DX and the contents of the memory word
2948 labeled WORDOPRND.
2950 NEG (Negate) forms a two's complement of a signed byte or word operand. The
2951 effect of NEG is to reverse the sign of the operand from positive to
2952 negative or from negative to positive. NEG updates OF, SF, ZF, AF, PF, and
2953 CF.
2955 Example:
2956 NEG AX. Replaces the original contents of AX with the two's complement
2957 of the contents of AX.
2960 3.4.2 Shift and Rotate Instructions
2962 The shift and rotate instructions reposition the bits within the specified
2963 operand. The shift instructions provide a convenient way to accomplish
2964 division or multiplication by binary power. The rotate instructions are
2965 useful for bit testing.
2968 3.4.2.1 Shift Instructions
2970 The bits in bytes and words may be shifted arithmetically or logically.
2971 Depending on the value of a specified count, up to 31 shifts may be
2972 performed.
2974 A shift instruction can specify the count in one of three ways. One form of
2975 shift instruction implicitly specifies the count as a single shift. The
2976 second form specifies the count as an immediate value. The third form
2977 specifies the count as the value contained in CL. This last form allows the
2978 shift count to be a variable that the program supplies during execution.
2979 Only the low order 5 bits of CL are used.
2981 Shift instructions affect the flags as follows. AF is always undefined
2982 following a shift operation. PF, SF, and ZF are updated normally as in the
2983 logical instructions.
2985 CF always contains the value of the last bit shifted out of the destination
2986 operand. In a single-bit shift, OF is set if the value of the high-order
2987 (sign) bit was changed by the operation. Otherwise, OF is cleared. Following
2988 a multibit shift, however, the content of OF is always undefined.
2990 SAL (Shift Arithmetic Left) shifts the destination byte or word operand left
2991 by one or by the number of bits specified in the count operand (an immediate
2992 value or the value contained in CL). The processor shifts zeros in from the
2993 right side of the operand as bits exit from the left side. See figure 3-6.
2995 Example:
2996 SAL BL,2. Shifts the contents of BL left by 2 bits and replaces the two
2997 low-order bits with zeros.
2999 Example:
3000 SAL BL,1. Shifts the contents of BL left by 1 bit and replaces the
3001 low-order bit with a zero. Because the processor does not have to decode
3002 the immediate count operand to obtain the shift count, this from of the
3003 instruction takes 2 clock cycles rather than the 6 clock cycles (5 + 1
3004 cycle for each bit shifted) required by the previous example.
3006 SHL (Shift Logical Left) is physically the same instruction as SAL (see SAL
3007 above).
3009 SHR (Shift Logical Right) shifts the destination byte or word operand right
3010 by one or by the number of bits specified in the count operand (an immediate
3011 value or the value contained in CL). The processor shifts zeros in from the
3012 left side of the operand as bits exit from the right side. See figure 3-7.
3014 Example:
3015 SHR BYTEOPRND, CL. Shifts the contents of the memory byte labeled
3016 BYTEOPRND right by the number of bits specified in CL, and pads the left
3017 side of BYTEOPRND with an equal number of zeros.
3019 SAR (Shift Arithmetic Right) shifts the destination byte or word operand to
3020 the right by one or by the number of bits specified in the count operand (an
3021 immediate value or the value contained in CL). The processor preserves the
3022 sign of the operand by shifting in zeros on the left side if the value is
3023 positive or by shifting by ones if the value is negative. See figure 3-8.
3025 Example:
3026 SAR WORDPRND,1. Shifts the contents of the memory byte labeled WORDPRND
3027 right by one, and replaces the high-order sign bit with a value equal to
3028 the original sign of WORDPRND.
3030 SHR shifts the bits in the register or memory operand to the right by the
3031 specified number of bit positions. CF receives the last bit shifted out of
3032 the right of the operand. SHR shifts in zeros to fill the vacated bit
3033 locations. This instruction operates on byte operands as well as word
3034 operands.
3037 Figure 3-6. SAL and SHL
3039 BEFORE SAL OR SHL
3040 ╔═╗ ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3041 ║X║ ║X║ ║ 1 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║
3042 ╚═╝ ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝
3044 AFTER SAL OR SHL BY 1 BIT
3045 ╔═╗ ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3046 ║0║ ║1║◄─╢ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║
3047 ╚═╝ ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝
3049 AFTER SAL OR SHL BY 8 BITS
3050 ╔═╗ ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3051 ║X║ ║ ║◄─╢ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║
3052 ╚═╝ ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝
3053 OF CF
3055 Both SAL and SHL shift the bits in the register or memory operand to the
3056 left by the specified number of bit positions. CF receives the last bit
3057 shifted out of the left of the operand. SAL and SHL shift in zeros to fill
3058 the vacated bit locations. These instructions operate on byte operands as
3059 well as word operands.
3062 Figure 3-7. SHR
3064 BEFORE SHR
3065 ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═╗
3066 ║X║ ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ ║X║
3067 ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═╝
3069 AFTER SHR BY 1 BIT
3070 ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═╗
3071 ║1║ ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ╟─►║1║
3072 ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═╝
3074 AFTER SHR BY 10 BITS
3075 ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═╗
3076 ║X║ ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ╟─►║1║
3077 ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═╝
3078 OF OPERAND CF
3080 SHR shifts the bits in the register or memory operand to the right by the
3081 specified number of bit positions. CF receives the last bit shifted out of
3082 the right of the operand. SHR shifts in zeros to fill the vacated bit
3083 locations. This instruction operates on byte operands as well as word
3084 operands.
3087 Figure 3-8. SAR
3089 BEFORE SAR WITH A POSITIVE OPERAND
3090 ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═╗
3091 ║X║ ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 1 ║ ║X║
3092 ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═╝
3094 AFTER SAR WITH A POSITIVE OPERAND SHIFTED 1 BIT
3095 ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═╗
3096 ║X║ ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ║ 0 ╟─►║1║
3097 ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═╝
3099 BEFORE SAR WITH A NEGATIVE OPERAND
3100 ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═╗
3101 ║X║ ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 1 ║ 0 ╟─►║X║
3102 ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═╝
3104 AFTER SAR WITH A NEGATIVE OPERAND SHIFTED 6 BITS
3105 ╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═╗
3106 ║X║ ║ 1 ║ 1 ║ 1 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ╟─►║0║
3107 ╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═╝
3108 OF OPERAND CF
3110 SAR preserves the sign of the register or memory operand as it shifts the
3111 operand to the right the specified number of bit positions. CF receives the
3112 last bit shifted out of the right of the operand. This instruction also
3113 operates on byte operands.
3116 3.4.2.2 Rotate Instructions
3118 Rotate instructions allow bits in bytes and words to be rotated. Bits
3119 rotated out of an operand are not lost as in a shift, but are "circled" back
3120 into the other "end" of the operand.
3122 Rotates affect only the carry and overflow flags. CF may act as an
3123 extension of the operand in two of the rotate instructions, allowing a bit
3124 to be isolated and then tested by a conditional jump instruction (JC or
3125 JNC). CF always contains the value of the last bit rotated out, even if the
3126 instruction does not use this bit as an extension of the rotated operand.
3128 In single-bit rotates, OF is set if the operation changes the high-order
3129 (sign) bit of the destination operand. If the sign bit retains its original
3130 value, OF is cleared. On multibit rotates, the value of OF is always
3131 undefined.
3133 ROL (Rotate Left) rotates the byte or word destination operand left by one
3134 or by the number of bits specified in the count operand (an immediate value
3135 or the value contained in CL). For each rotation specified, the high-order
3136 bit that exists from the left of the operand returns at the right to become
3137 the new low-order bit of the operand. See figure 3-9.
3139 Example:
3140 ROL AL, 8. Rotates the contents of AL left by 8 bits. This rotate
3141 instruction returns AL to its original state but isolates the low-order
3142 bit in CF for testing by a JC or JNC instruction.
3144 ROR (Rotate Right) rotates the byte or word destination operand right by
3145 one or by the number of bits specified in the count operand (an immediate
3146 value or the value contained in CL). For each rotation specified, the
3147 low-order bit that exits from the right of the operand returns at the left
3148 to become the new high-order bit of the operand. See figure 3-10.
3150 Example:
3151 ROR WORDOPRND, CL. Rotates the contents of the memory word labeled
3152 WORDOPRND by the number of bits specified by the value contained in CL.
3153 CF reflects the value of the last bit rotated from the right to the left
3154 side of the operand.
3156 RCL (Rotate Through Carry Left) rotates bits in the byte or word
3157 destination operand left by one or by the number of bits specified in the
3158 count operand (an immediate value or the value contained in CL).
3160 This instruction differs from ROL in that it treats CF as a high-order
3161 1-bit extension of the destination operand. Each high-order bit that exits
3162 from the left side of the operand moves to CF before it returns to the
3163 operand as the low-order bit on the next rotation cycle. See figure 3-11.
3165 Example:
3166 RCL BX,1. Rotates the contents of BX left by one bit. The high-order bit
3167 of the operand moves to CF, the remaining 15 bits move left one position,
3168 and the original value of CF becomes the new low-order bit.
3170 RCR (Rotate Through Carry Right) rotates bits in the byte or word
3171 destination operand right by one or by the number of bits specified in the
3172 count operand (an immediate value or the value contained in CL).
3174 This instruction differs from ROR in that it treats CF as a low-order 1-bit
3175 extension of the destination operand. Each low-order bit that exits from the
3176 right side of the operand moves to CF before it returns to the operand as
3177 the high-order bit on the next rotation cycle. See figure 3-12.
3179 Example:
3180 RCR BYTEOPRND,3. Rotates the contents of the memory byte labeled BYTEOPRND
3181 to the right by 3 bits. Following the execution of this instruction, CF
3182 reflects the original value of bit number 5 of BYTEOPRND, and the original
3183 value of CF becomes bit 2.
3185 RCL rotates the bits in the memory or register operand to the left in the
3186 same way as ROL except that RCL treats CF as a 1-bit extension of the
3187 operand. Note that a 16-bit RCL produces the same result as a 1-bit RCR
3188 (though it takes much longer to execute). This instruction also operates on
3189 byte operands.
3191 RCR rotates the bits in the memory or register operand to the right in the
3192 same way as ROR except that RCR treats CF as a 1-bit extension of the
3193 operand. This instruction also operates on byte operands.
3196 Figure 3-9. ROL
3198 BEFORE ROL
3199 ╔═╗╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3200 ║X║║X║ ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║
3201 ╚═╝╚═╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝
3203 AFTER ROL BY 1 BIT
3204 ╔═╗╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3205 ║1║║1║◄┬╢ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ◄┐
3206 ╚═╝╚═╝ │╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝│
3207 └─────────────────────────────────────────────────────────────────┘
3209 AFTER ROL BY 12 BITS
3210 ╔═╗╔═╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3211 ║X║║1║◄┬╢ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 1 ║ 0 ║ 0 ║ 1 ◄┐
3212 ╚═╝╚═╝ │╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝│
3213 OF CF │ OPERAND │
3214 └─────────────────────────────────────────────────────────────────┘
3216 ROL shifts the bits in the memory or register operand to the left by the
3217 specified number of bit positions. It copies the bit shifted out of the
3218 left of the operand into the right of the operand. The last bit shifted
3219 into the least significant bit of the operand also appears in CF. This
3220 instruction also operates on byte operands.
3223 Figure 3-10. ROR
3225 BEFORE ROR
3226 ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═══╗
3227 ║ 1 ║ 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ ║ X ║
3228 ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═══╝
3230 AFTER ROR BY 1 BIT
3231 ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═══╗
3232 ┌► 0 ║ 1 ║ 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ╟┬►║ 0 ║
3233 │╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝│ ╚═══╝
3234 └─────────────────────────────────────────────────────────────────┘
3236 AFTER ROR BY 8 BITS
3237 ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═══╗
3238 ┌► 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ╟┬►║ 1 ║
3239 │╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝│ ╚═══╝
3240 │ OPERAND │ CF
3241 └─────────────────────────────────────────────────────────────────┘
3243 ROR shifts the bits in the memory or register operand to the right by the
3244 specified number of bit positions. It copies each bit shifted out of the
3245 right of the operand into the left of the operand. The last bit shifted
3246 into the most significant bit of the operand also appears in CF. This
3247 instruction also operates on byte operands.
3250 Figure 3-11. RCL
3252 BEFORE RCL
3253 ╔═══╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3254 ║ 1 ║ ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 0 ║
3255 ╚═══╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝
3257 AFTER RCL BY 1 BIT
3258 ╔═══╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3259 ┌─╢ 1 ║◄─╢ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 0 ║ 1 ◄┐
3260 │ ╚═══╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝│
3261 └─────────────────────────────────────────────────────────────────────────┘
3263 AFTER RCL BY 16 BITS
3264 ╔═══╗ ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗
3265 ┌─╢ 0 ║◄─╢ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ◄┐
3266 │ ╚═══╝ ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝│
3267 │ CF OPERAND │
3268 └─────────────────────────────────────────────────────────────────────────┘
3270 RCL rotates the bits in the memory or register operand to the left in the
3271 same way as ROL except that RCL treats CF as a 1-bit extension of the
3272 operand. Note that a 16-bit RCL produces the same result as a 1-bit RCR
3273 (though it takes much longer to execute). This instruction also operates
3274 on byte operands.
3277 Figure 3-12. RCR
3279 BEFORE RCR
3280 ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═══╗
3281 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 0 ║ ║ 1 ║
3282 ╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═══╝
3284 AFTER RCR BY 1 BIT
3285 ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═══╗
3286 ┌► 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ╟─►║ 0 ╟─┐
3287 │╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═══╝ │
3288 └─────────────────────────────────────────────────────────────────────────┘
3290 AFTER RCR BY 8 BITS
3291 ╔═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╦═══╗ ╔═══╗
3292 ┌► 0 ║ 0 ║ 1 ║ 1 ║ 1 ║ 1 ║ 0 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ║ 0 ║ 1 ║ 1 ║ 0 ╟─►║ 0 ╟─┐
3293 │╚═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╩═══╝ ╚═══╝ │
3294 │ OPERAND CF │
3295 └─────────────────────────────────────────────────────────────────────────┘
3297 RCR rotates the bits in the memory or register operand to the right in the
3298 same way as ROR except that RCR treats CF as a 1-bit extension of the
3299 operand. This instruction also operates on byte operands.
3302 3.4.3 Type Conversion and No-Operation Instructions
3304 The type conversion instructions prepare operands for division. The NOP
3305 instruction is a 1-byte filler instruction with no effect on registers or
3306 flags.
3308 CWD (Convert Word to Double-Word) extends the sign of the word in register
3309 AX throughout register DX. CWD does not affect any flags. CWD can be used to
3310 produce a double-length (double-word) dividend from a word before a word
3311 division.
3313 CBW (Convert Byte to Word) extends the sign of the byte in register AL
3314 throughout AX. CBW does not affect any flags.
3316 Example:
3317 CWD. Sign-extends the 16-bit value in AX to a 32-bit value in DX and AX
3318 with the high-order 16-bits occupying DX.
3320 NOP (No Operation) occupies a byte of storage but affects nothing but the
3321 instruction pointer, IP. The amount of time that a NOP instruction requires
3322 for execution varies in proportion to the CPU clocking rate. This variation
3323 makes it inadvisable to use NOP instructions in the construction of timing
3324 loops because the operation of such a program will not be independent of the
3325 system hardware configuration.
3327 Example:
3328 NOP. The processor performs no operation for 2 clock cycles.
3331 3.5 Test and Compare Instructions
3333 The test and compare instructions are similar in that they do not alter
3334 their operands. Instead, these instructions perform operations that only set
3335 the appropriate flags to indicate the relationship between the two operands.
3337 TEST (Test) performs the logical "and" of the two operands, clears OF and
3338 DF, leaves AF undefined, and updates SF, ZF, and PF. The difference between
3339 TEST and AND is that TEST does not alter the destination operand.
3341 Example:
3342 TEST BL,32. Performs a logical "and" and sets SF, ZF, and PF according to
3343 the results of this operation. The contents of BL remain unchanged.
3345 CMP (Compare) subtracts the source operand from the destination operand. It
3346 updates OF, SF, ZF, AF, PF, and CF but does not alter the source and
3347 destination operands. A subsequent signed or unsigned conditional transfer
3348 instruction can test the result using the appropriate flag result.
3350 CMP can compare two register operands, a register operand and a memory
3351 operand, a register operand and an immediate operand, or an immediate
3352 operand and a memory operand. The operands may be words or bytes, but CMP
3353 cannot compare a byte with a word.
3355 Example:
3356 CMP BX,32. Subtracts the immediate operand, 32, from the contents of BX
3357 and sets OF, SF, ZF, AF, PF, and CF to reflect the result. The contents
3358 of BX remain unchanged.
3361 3.6 Control Transfer Instructions
3363 The 80286 provides both conditional and unconditional program transfer
3364 instructions to direct the flow of execution. Conditional program transfers
3365 depend on the results of operations that affect the flag register.
3366 Unconditional program transfers are always executed.
3369 3.6.1 Unconditional Transfer Instructions
3371 JMP, CALL, RET, INT and IRET instructions transfer control from one code
3372 segment location to another. These locations can be within the same code
3373 segment or in different code segments.
3376 3.6.1.1 Jump Instruction
3378 JMP (Jump) unconditionally transfers control to the target location. JMP is
3379 a one-way transfer of execution; it does not save a return address on the
3380 stack.
3382 The JMP instruction always performs the same basic function of transferring
3383 control from the current location to a new location. Its implementation
3384 varies depending on the following factors:
3386 ■ Is the address specified directly within the instruction or indirectly
3387 through a register or memory?
3389 ■ Is the target location inside or outside the current code segment
3390 selected in CS?
3392 A direct JMP instruction includes the destination address as part of the
3393 instruction. An indirect JMP instruction obtains the destination address
3394 indirectly through a register or a pointer variable.
3396 Control transfers through a gate or to a task state segment are available
3397 only in Protected Mode operation of the 80286. The formats of the
3398 instructions that transfer control through a call gate, a task gate, or to a
3399 task state segment are the same. The label included in the instruction
3400 selects one of these three paths to a new code segment.
3402 Direct JMP within the current code segment. A direct JMP that transfers
3403 control to a target location within the current code segment uses a relative
3404 displacement value contained in the instruction. This can be either a 16-bit
3405 value or an 8-bit value sign extended to 16 bits. The processor forms an
3406 effective address by adding this relative displacement to the address
3407 contained in IP. IP refers to the next instruction when the additions are
3408 performed.
3410 Example:
3411 JMP NEAR_NEWCODE. Transfers control to the target location labeled
3412 NEAR_NEWCODE, which is within the code segment currently selected in CS.
3414 Indirect JMP within the current code segment. Indirect JMP instructions
3415 that transfer control to a location within the current code segment specify
3416 an absolute address in one of several ways. First, the program can JMP to a
3417 location specified by a 16-bit register (any of AX, DX, CX, BX, BP, SI, or
3418 DI). The processor moves this 16-bit value into IP and resumes execution.
3420 Example:
3421 JMP SI. Transfers control to the target address formed by adding the
3422 16-bit value contained in SI to the base address contained in CS.
3424 The processor can also obtain the destination address within a current
3425 segment from a memory word operand specified in the instruction.
3427 Example:
3428 JMP PTR_X. Transfers control to the target address formed by adding the
3429 16-bit value contained in the memory word labeled PTR X to the base
3430 address contained in CS.
3432 A register can modify the address of the memory word pointer to select a
3433 destination address.
3435 Example:
3436 JMP CASE_TABLE [BX]. CASE_TABLE is the first word in an array of word
3437 pointers. The value of BX determines which pointer the program selects
3438 from the array. The JMP instruction then transfers control to the
3439 location specified by the selected pointer.
3441 Direct JMP outside of the current code segment. Direct JMP instructions
3442 that specify a target location outside the current code segment contain a
3443 full 32-bit pointer. This pointer consists of a selector for the new code
3444 segment and an offset within the new segment.
3446 Example:
3447 JMP FAR_NEWCODE_FOO. Places the selector contained in the instruction into
3448 CS and the offset into IP. The program resumes execution at this location
3449 in the new code segment.
3451 Indirect JMP outside of the current code segment. Indirect JMP instructions
3452 that specify a target location outside the current code segment use a
3453 double-word variable to specify the pointer.
3455 Example:
3456 JMP NEWCODE. NEWCODE the first word of two consecutive words in memory
3457 which represent the new pointer. NEWCODE contains the new offset for IP
3458 and the word following NEWCODE contains the selector for CS. The program
3459 resumes execution at this location in the new code segment. (Protected
3460 mode programs treat this differently. See Chapters 6 and 7).
3462 Direct JMP outside of the current code segment to a call gate. If the
3463 selector included with the instruction refers to a call gate, then the
3464 processor ignores the offset in the instruction and takes the pointer of the
3465 routine being entered from the call gate.
3467 JMP outside of current code segment may only go to the same level.
3469 Example:
3470 JMP CALL_GATE_FOO. The selector in the instruction refers to the call gate
3471 CALL_GATE_FOO, and the call gate actually provides the new contents of CS
3472 and IP to specify the address of the next instructions.
3474 Indirect JMP outside the current code segment to a call gate. If the
3475 selector specified by the instruction refers to a call gate, the processor
3476 ignores the offset in the double-word and takes the address of the routine
3477 being entered from the call gate. The JMP instruction uses the same format
3478 to indirectly specify a task gate or a task state segment.
3480 Example:
3481 JMP CASE_TABLE [BX]. The instruction refers to the double-word in the
3482 array of pointers called CASE_TABLE. The specific double-word chosen
3483 depends on the value in BX when the instruction executes. The selector
3484 portion of this double-word selects a call gate, and the processor takes
3485 the address of the routine being entered from the call gate.
3487 ROL shifts the bits in the memory or register operand to the left by the
3488 specified number of bit positions. It copies the bit shifted out of the left
3489 of the operand into the right of the operand. The last bit shifted into the
3490 least significant bit of the operand also appears in CF. This instruction
3491 also operates on byte operands.
3493 ROR shifts the bits in the memory or register operand to the right by the
3494 specified number of bit positions. It copies each bit shifted out of the
3495 right of the operand into the left of the operand. The last bit shifted into
3496 the most significant bit of the operand also appears in CF. This instruction
3497 also operates on byte operands.
3500 3.6.1.2 Call Instruction
3502 CALL (Call Procedure) activates an out-of-line procedure, saving on the
3503 stack the address of the instruction following the CALL for later use by a
3504 RET (Return) instruction. An intrasegment CALL places the current value of
3505 IP on the stack. An intersegment CALL places both the value of IP and CS on
3506 the stack. The RET instruction in the called procedure uses this address to
3507 transfer control back to the calling program.
3509 A long CALL instruction that invokes a task-switch stores the outgoing
3510 task's task state segment selector in the incoming task state segment's link
3511 field and sets the nested task flag in the new task. In this case, the IRET
3512 instruction takes the place of the RET instruction to return control to the
3513 nested task.
3515 Examples:
3516 CALL NEAR_NEWCODE
3517 CALL SI
3518 CALL PTR_X
3519 CALL CASE_TABLE [BP]
3520 CALL FAR_NEWCODE_FOO
3521 CALL NEWCODE
3522 CALL CALL_GATE_FOO
3523 CALL CASE_TABLE [BX]
3525 See the previous treatment of JMP for a discussion of the operations of
3526 these instructions.
3529 3.6.1.3 Return And Return From Interrupt Instruction
3531 RET (Return From Procedure) terminates the execution of a procedure and
3532 transfers control through a back-link on the stack to the program that
3533 originally invoked the procedure.
3535 An intrasegment RET restores the value of IP that was saved on the stack by
3536 the previous intrasegment CALL instruction. An intersegment RET restores the
3537 values of both CS and IP which were saved on the stack by the previous
3538 intersegment CALL instruction.
3540 RET instructions may optionally specify a constant to the stack pointer.
3541 This constant specifies the new top of stack to effectively remove any
3542 arguments that the calling program pushed on the stack before the execution
3543 of the CALL instruction.
3545 Example:
3546 RET. If the previous CALL instruction did not transfer control to a new
3547 code segment, RET restores the value of IP pushed by the CALL instruction.
3548 If the previous CALL instruction transferred control to a new segment, RET
3549 restores the values of both IP and CS which were pushed on the stack by
3550 the CALL instruction.
3552 Example:
3553 RET n. This form of the RET instruction performs identically to the above
3554 example except that it adds n (which must be an even value) to the value
3555 of SP to eliminate n bytes of parameter information previously pushed by
3556 the calling program.
3558 IRET (Return From Interrupt or Nested Task) returns control to an
3559 interrupted routine or, optionally, reverses the action of a CALL or INT
3560 instruction that caused a task switch. See Chapter 8 for further
3561 information on task switching.
3563 Example:
3564 IRET. Returns from an interrupt with or without a task switch based on
3565 the value of the NT bit.
3568 3.6.2 Conditional Transfer Instructions
3570 The conditional transfer instructions are jumps that may or may not transfer
3571 control, depending on the state of the CPU flags when the instruction
3572 executes. Instruction encoding is most efficient when the target for the
3573 conditional jumps is in the current code segment and within -128 to +127
3574 bytes of the first byte of the next instruction. Alternatively, the opposite
3575 sense of the conditional jump can skip around an unconditional jump to the
3576 destination.
3579 3.6.2.1 Conditional Jump Instructions
3581 Table 3-3 shows the conditional transfer mnemonics and their
3582 interpretations. The conditional jumps that are listed as pairs are actually
3583 the same instruction. The assembler provides the alternate mnemonics for
3584 greater clarity within a program listing.
3587 Table 3-3. Interpretation of Conditional Transfers
3589 Unsigned Conditional Transfers
3590 Mnemonic Condition Tested "Jump If. . ."
3592 JA/JNBE (CF or ZF) = 0 above/not below nor equal
3593 JAE/JNB CF = 0 above or equal/not below
3594 JB/JNAE CF = 1 below/not above nor equal
3595 JBE/JNA (CF or ZF) = 1 below or equal/not above
3596 JC CF = 1 carry
3597 JE/JZ ZF = 1 equal/zero
3598 JNC CF = 0 not carry
3599 JNE/JNZ ZF = 0 not equal/not zero
3600 JNP/JPO PF = 0 not parity/parity odd
3601 JP/JPE PF = 1 parity/parity even
3603 Signed Conditional Transfers
3604 Mnemonic Condition Tested "Jump If. . ."
3606 JG/JNLE ((SF xor OF) or ZF) = 0 greater/not less nor equal
3607 JGE/JNL (SF xor OF) = 0 greater or equal/not less
3608 JL/JNGE (SF xor OF) = 0 less/not greater nor equal
3609 JLE/JNG ((SF xor OF) or ZF) = 1 less or equal/not greater
3610 JNO OF = 0 not overflow
3611 JNS SF = 0 not sign (positive, including 0)
3612 JO OF = 1 overflow
3613 JS SF = 1 sign (negative)
3616 3.6.2.2 Loop Instructions
3618 The loop instructions are conditional jumps that use a value placed in CX
3619 to specify the number of repetitions of a software loop. All loop
3620 instructions automatically decrement CX and terminate the loop when CX=0.
3621 Four of the five loop instructions specify a condition of ZF that
3622 terminates the loop before CX decrements to zero.
3624 LOOP (Loop While CX Not Zero) is a conditional transfer that
3625 auto-decrements the CX register before testing CX for the branch condition.
3626 If CX is non-zero, the program branches to the target label specified in the
3627 instruction. The LOOP instruction causes the repetition of a code section
3628 until the operation of the LOOP instruction decrements CX to a value of
3629 zero. If LOOP finds CX=0, control transfers to the instruction immediately
3630 following the LOOP instruction. If the value of CX is initially zero, then
3631 the LOOP executes 65,536 times.
3633 Example:
3634 LOOP START_LOOP. Each time the program encounters this instruction, it
3635 decrements CX and then tests it. If the value of CX is non-zero, then the
3636 program branches to the instruction labeled START_LOOP. If the value in CX
3637 is zero, then the program continues with the instruction that follows the
3638 LOOP instruction.
3640 LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are physically the
3641 same instruction. These instructions auto-decrement the CX register before
3642 testing CX and ZF for the branch conditions. If CX is non-zero and ZF=1, the
3643 program branches to the target label specified in the instruction. If LOOPE
3644 or LOOPZ finds that CX=0 or ZF=0, control transfers to the instruction
3645 immediately succeeding the LOOPE or LOOPZ instruction.
3647 Example:
3648 LOOPE START_LOOP (or LOOPZ START_LOOP). Each time the program encounters
3649 this instruction, it decrements CX and tests CX and ZF. If the value in
3650 CX is non-zero and the value of ZF is 1, the program branches to the
3651 instruction labeled START_LOOP. If CX=0 or ZF=0, the program continues
3652 with the instruction that follows the LOOPE (or LOOPZ) instruction.
3654 LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are
3655 physically the same instruction. These instructions auto-decrement the CX
3656 register before testing CX and ZF for the branch conditions. If CX is
3657 non-zero and ZF=0, the program branches to the target label specified in
3658 the instruction. If LOOPNE or LOOPNZ finds that CX=0 or ZF=1, control
3659 transfers to the instruction immediately succeeding the LOOPNE or LOOPNZ
3660 instruction.
3662 Example:
3663 LOOPNE START_LOOP (or LOOPNZ START_LOOP). Each time the program encounters
3664 this instruction, it decrements CX and tests CX and ZF. If the value of CX
3665 is non-zero and the value of ZF is 0, the program branches to the
3666 instruction labeled START_LOOP. If CX=0 or ZF=1, the program continues
3667 with the instruction that follows the LOOPNE (or LOOPNZ) instruction.
3670 3.6.2.3 Executing a Loop or Repeat Zero Times
3672 JCXZ (Jump if CX Zero) branches to the label specified in the instruction
3673 if it finds a value of zero in CX. Sometimes, it is desirable to design a
3674 loop that executes zero times if the count variable in CX is initialized to
3675 zero. Because the LOOP instructions (and repeat prefixes) decrement CX
3676 before they test it, a loop will execute 65,536 times if the program enters
3677 the loop with a zero value in CX. A programmer may conveniently overcome
3678 this problem with JCXZ, which enables the program to branch around the code
3679 within the loop if CX is zero when JCXZ executes.
3681 Example:
3682 JCXZ TARGETLABEL. Causes the program to branch to the instruction labeled
3683 TARGETLABEL if CX=0 when the instruction executes.
3686 3.6.3 Software-Generated Interrupts
3688 The INT n and INTO instructions allow the programmer to specify a transfer
3689 to an interrupt service routine from within a program. Interrupts 0-31 are
3690 reserved by Intel.
3693 3.6.3.1 Software Interrupt Instruction
3695 INT n (Software Interrupt) activates the interrupt service routine that
3696 corresponds to the number coded within the instruction. Interrupt type 3 is
3697 reserved for internal software-generated interrupts. However, the INT
3698 instruction may specify any interrupt type to allow multiple types of
3699 internal interrupts or to test the operation of a service routine. The
3700 interrupt service routine terminates with an IRET instruction that returns
3701 control to the instruction that follows INT.
3703 Example:
3704 INT 3. Transfers control to the interrupt service routine specified by a
3705 type 3 interrupt.
3707 Example:
3708 INT 0. Transfers control to the interrupt service routine specified by a
3709 type 0 interrupt, which is reserved for a divide error.
3711 INTO (Interrupt on Overflow) invokes a type 4 interrupt if OF is set when
3712 the INTO instruction executes. The type 4 interrupt is reserved for this
3713 purpose.
3715 Example:
3716 INTO. If the result of a previous operation has set OF and no intervening
3717 operation has reset OF, then INTO invokes a type 4 interrupt. The
3718 interrupt service routine terminates with an IRET instruction, which
3719 returns control to the instruction following INTO.
3722 3.7 Character Translation and String Instructions
3724 The instructions in this category operate on characters or string elements
3725 rather than on logical or numeric values.
3728 3.7.1 Translate Instruction
3730 XLAT (Translate) replaces a byte in the AL register with a byte from a
3731 user-coded translation table. When XLAT is executed, AL should have the
3732 unsigned index to the table addressed by BX. XLAT changes the contents of AL
3733 from table index to table entry. BX is unchanged. The XLAT instruction is
3734 useful for translating from one coding system to another, such as from
3735 ASCII to EBCDIC. The translate table may be up to 256 bytes long. The value
3736 placed in the AL register serves as an index to the location of the
3737 corresponding translation value. Used with a LOOP instruction, the XLAT
3738 instruction can translate a block of codes up to 64K bytes long.
3740 Example:
3741 XLAT. Replaces the byte in AL with the byte from the translate table that
3742 is selected by the value in AL.
3745 3.7.2 String Manipulation Instructions and Repeat Prefixes
3747 The string instructions (also called primitives) operate on string elements
3748 to move, compare, and scan byte or word strings. One-byte repeat prefixes
3749 can cause the operation of a string primitive to be repeated to process
3750 strings as long as 64K bytes.
3752 The repeated string primitives use the direction flag, DF, to specify
3753 left-to-right or right-to-left string processing, and use a count in CX to
3754 limit the processing operation. These instructions use the register pair
3755 DS:SI to point to the source string element and the register pair ES:DI to
3756 point to the destination.
3758 One of two possible opcodes represent each string primitive, depending on
3759 whether it is operating on byte strings or word strings. The string
3760 primitives are generic and require one or more operands along with the
3761 primitive to determine the size of the string elements being processed.
3762 These operands do not determine the addresses of the strings; the addresses
3763 must already be present in the appropriate registers.
3765 Each repetition of a string operation using the Repeat prefixes includes
3766 the following steps:
3768 1. Acknowledge pending interrupts.
3770 2. Check CX for zero and stop repeating if CX is zero.
3772 3. Perform the string operation once.
3774 4. Adjust the memory pointers in DS:SI and ES:DI by incrementing SI
3775 and DI if DF is 0 or by decrementing SI and DI if DF is 1.
3777 5. Decrement CX (this step does not affect the flags).
3779 6. For SCAS (Scan String) and CMPS (Compare String), check ZF for a
3780 match with the repeat condition and stop repeating if the ZF fails to
3781 match.
3783 The Load String and Store String instructions allow a program to perform
3784 arithmetic or logical operations on string characters (using AX for word
3785 strings and AL for byte strings). Repeated operations that include
3786 instructions other than string primitives must use the loop instructions
3787 rather than a repeat prefix.
3790 3.7.2.1 String Movement Instructions
3792 REP (Repeat While CX Not Zero) specifies a repeated operation of a string
3793 primitive. The REP prefix causes the hardware to automatically repeat the
3794 associated string primitive until CX=0. This form of iteration allows the
3795 CPU to process strings much faster than would be possible with a regular
3796 software loop.
3798 When the REP prefix accompanies a MOVS instruction, it operates as a
3799 memory-to-memory block transfer. To set up for this operation, the program
3800 must initialize CX and the register pairs DS:SI and ES:DI. CX specifies the
3801 number of bytes or words in the block.
3803 If DF=0, the program must point DS:SI to the first element of the source
3804 string and point ES:DI to the destination address for the first element. If
3805 DF=1, the program must point these two register pairs to the last element of
3806 the source string and to the destination address for the last element,
3807 respectively.
3809 Example:
3810 REP MOVSW. The processor checks the value in CX for zero. If this value is
3811 not zero, the processor moves a word from the location pointed to by DS:SI
3812 to the location pointed to by ES:DI and increments SI and DI by two (if
3813 DF=0). Next, the processor decrements CX by one and returns to the
3814 beginning of the repeat cycle to check CX again. After CX decrements to
3815 zero, the processor executes the instruction that follows.
3817 MOVS (Move String) moves the string character pointed to by the combination
3818 of DS and SI to the location pointed to by the combination of ES and DI.
3819 This is the only memory-to-memory transfer supported by the instruction set
3820 of the base architecture. MOVSB operates on byte elements. The destination
3821 segment register cannot be overridden by a segment override prefix while
3822 the source segment register can be overridden.
3824 Example:
3825 MOVSW. Moves the contents of the memory byte pointed to by DS:SI to the
3826 location pointed to by ES:DI.
3829 3.7.2.2 Other String Operations
3831 CMPS (Compare Strings) subtracts the destination string element (ES:DI)
3832 from the source string element (DS:SI) and updates the flags AF, SF, PF, CF
3833 and OF. If the string elements are equal, ZF=1; otherwise, ZF=0. If DF=0,
3834 the processor increments the memory pointers (SI and DI) for the two
3835 strings. The segment register used for the source address can be changed
3836 with a segment override prefix, while the destination segment register
3837 cannot be overridden.
3839 Example:
3840 CMPSB. Compares the source and destination string elements with each other
3841 and returns the result of the comparison to ZF.
3843 SCAS (Scan String) subtracts the destination string element at ES:DI from
3844 AX or AL and updates the flags AF, SF, ZF, PF, CF and OF. If the values are
3845 equal, ZF=1; otherwise, ZF=0. If DF=0, the processor increments the memory
3846 pointer (DI) for the string. The segment register used for the source
3847 address can be changed with a segment override prefix while the destination
3848 segment register cannot be overridden.
3850 Example:
3851 SCASW. Compares the value in AX with the destination string element.
3853 REPE/REPZ (Repeat While CX Equal/Zero) and REPNE/REPNZ (Repeat While CX Not
3854 Equal/Not Zero) are the prefixes that are used exclusively with the SCAS
3855 (ScanString) and CMPS (Compare String) primitives.
3857 The difference between these two types of prefix bytes is that REPE/REPZ
3858 terminates when ZF=0 and REPNE/REPNZ terminates when ZF=1. ZF does not
3859 require initialization before execution of a repeated string instruction.
3861 When these prefixes modify either the SCAS or CMPS primitives, the
3862 processor compares the value of the current string element with the value in
3863 AX for word elements or with the value in AL for byte elements. The
3864 resulting state of ZF can then limit the operation of the repeated
3865 operation as well as a zero value in CX.
3867 Example:
3868 REPE SCASB. Causes the processor to scan the string pointed to by ES:DI
3869 until it encounters a match with the byte value in AL or until CX
3870 decrements to zero.
3872 LODS (Load String) places the source string element at DS:SI into AX for
3873 word strings or into AL for byte strings.
3875 Example:
3876 LODSW. Loads AX with the value pointed to by DS:SI.
3879 3.8 Address Manipulation Instructions
3881 The set of address manipulation instructions provide a way to perform
3882 address calculations or to move to a new data segment or extra segment.
3884 LEA (Load Effective Address) transfers the offset of the source operand
3885 (rather than its value) to the destination operand. The source operand must
3886 be a memory operand, and the destination operand must be a 16-bit general
3887 register (AX, DX, BX, CX, BP, SP, SI, or DI).
3889 LEA does not affect any flags. This instruction is useful for initializing
3890 the registers before the execution of the string primitives or the XLAT
3891 instruction.
3893 Example:
3894 LEA BX EBCDIC_TABLE. Causes the processor to place the address of the
3895 starting location of the table labeled EBCDIC_TABLE into BX.
3897 LDS (Load Pointer Using DS) transfers a 32-bit pointer variable from the
3898 source operand to DS and the destination register. The source operand must
3899 be a memory operand, and the destination operand must be a 16-bit general
3900 register (AX, DX, BX, CX, BP, SP, SI or DI). DS receives the high-order
3901 segment word of the pointer. The destination register receives the
3902 low-order word, which points to a specific location within the segment.
3904 Example:
3905 LDS SI, STRING_X. Loads DS with the word identifying the segment pointed
3906 to by STRING_X, and loads the offset of STRING_X into SI. Specifying SI as
3907 the destination operand is a convenient way to prepare for a string
3908 operation on a source string that is not in the current data segment.
3910 LES (Load Pointer Using ES) operates identically to LDS except that ES
3911 receives the offset word rather than DS.
3913 Example:
3914 LES DI, DESTINATION_X. Loads ES with the word identifying the segment
3915 pointed to by DESTINATION_X, and loads the offset of DESTINATION_X into
3916 DI. This instruction provides a convenient way to select a destination for
3917 a string operation if the desired location is not in the current extra
3918 segment.
3921 3.9 Flag Control Instructions
3923 The flag control instructions provide a method of changing the state of
3924 bits in the flag register.
3927 3.9.1 Carry Flag Control Instructions
3929 The carry flag instructions are useful in conjunction with
3930 rotate-with-carry instructions RCL and RCR. They can initialize the carry
3931 flag, CF, to a known state before execution of a rotate that moves the carry
3932 bit into one end of the rotated operand.
3934 STC (Set Carry Flag) sets the carry flag (CF) to 1.
3936 Example:
3937 STC
3939 CLC (Clear Carry Flag) zeros the carry flag (CF).
3941 Example:
3942 CLC
3944 CMC (Complement Carry Flag) reverses the current status of the carry flag
3945 (CF).
3947 Example:
3948 CMC
3951 3.9.2 Direction Flag Control Instructions
3953 The direction flag control instructions are specifically included to set or
3954 clear the direction flag, DF, which controls the left-to-right or
3955 right-to-left direction of string processing. IF DF=0, the processor
3956 automatically increments the string memory pointers, SI and DI, after each
3957 execution of a string primitive. If DF=1, the processor decrements these
3958 pointer values. The initial state of DF is 0.
3960 CLD (Clear Direction Flag) zeros DF, causing the string instructions to
3961 auto-increment SI and/or DI. CLD does not affect any other flags.
3963 Example:
3964 CLD
3966 STD (Set Direction Flag) sets DF to 1, causing the string instructions to
3967 auto-decrement SI and/or DI. STD does not affect any other flags.
3969 Example:
3970 STD
3973 3.9.3 Flag Transfer Instructions
3975 Though specific instructions exist to alter CF and DF, there is no direct
3976 method of altering the other flags. The flag transfer instructions allow a
3977 program to alter the other flag bits with the bit manipulation instructions
3978 after transferring these flags to the stack or the AH register.
3980 The PUSHF and POPF instructions are also useful for preserving the state of
3981 the flag register before executing a procedure.
3983 LAHF (Load AH from Flags) copies SF, ZF, AF, PF, and CF to AH bits 7, 6, 4,
3984 2, and 0, respectively (see figure 3-13). The contents of the remaining
3985 bits (5, 3, and 1) are undefined. The flags remain unaffected. This
3986 instruction can assist in converting 8080/8085 assembly language programs to
3987 run on the base architecture of the 8086, 8088, 80186, 80188, and 80286.
3989 Example:
3990 LAHF
3992 SAHF (Store AH into Flags) transfers bits 7, 6, 4, 2, and 0 from AH into
3993 SF, ZF, AF, PF, and CF, respectively (see figure 3-13). This instruction
3994 also provides 8080/8085 compatibility with the 8086, 8088, 80186, 80188, and
3995 80286.
3997 Example:
3998 SAHF
4000 PUSHF (Push Flags) decrements SP by two and then transfers all flags to the
4001 word at the top of stack pointed to by SP (see figure 3-14). The flags
4002 remain unaffected. This instruction enables a procedure to save the state of
4003 the flag register for later use.
4005 Example:
4006 PUSHF
4008 POPF (Pop Flags) transfers specific bits from the word at the top of stack
4009 into the low-order byte of the flag register (see figure 3-14). The
4010 processor then increments SP by two.
4012 Note that an application program in the protected virtual address mode may
4013 not alter IOPL (the I/O privilege level flag) unless the program is
4014 executing at privilege level 0. A program may alter IF (the interrupt flag)
4015 only when executing at a level that is at least as privileged as IOPL.
4017 Procedures may use this instruction to restore the flag status from a
4018 previous value.
4020 Example:
4021 POPF
4024 Figure 3-13. LAHF and SAHF
4026 7 6 5 4 3 2 1 0
4027 ╔════╤════╤════╤════╤════╤════╤════╤════╗
4028 ║ SF │ ZF │▒▒▒▒│ AF │▒▒▒▒│ PF │▒▒▒▒│ CF ║
4029 ╚════╧════╧════╧════╧════╧════╧════╧════╝
4030 REGISTER AH
4032 LAHF loads five flags from the flag register into register AH. SAHF stores
4033 these same five flgs from AH into the flag register. The bit position of
4034 each flag is the same in AH as it is in the flag register. The remaining
4035 bits are indeterminate.
4038 Figure 3-14. PUSHF and POPF
4040 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
4041 ╔═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╤═══╗
4042 ║▒▒▒│NT │ IOPL │OF │DF │IF │TF │SF │ZF │▒▒▒│AF │▒▒▒│PF │▒▒▒│CF ║
4043 ╚═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╝
4044 STACK WORD
4046 PUSHF decrements SP by 2 bytes (1 word) and copies the contents of the flag
4047 register to the top of the stack. POPF loads the flag register with the
4048 contents of the last word pushed onto the stack. The bit position of each
4049 flag is the same in the stack word as it is in the flag register. Only
4050 programs executing at the highest privilege level (level 0) may alter the
4051 2-bit IOPL flag. Only programs executing at a level at least as privileged
4052 as that indicated by IOPL may alter IF.
4055 3.10 Binary-Coded Decimal Arithmetic Instructions
4057 These instructions adjust the results of a previous arithmetic operation to
4058 produce a valid packed or unpacked decimal result. These instructions
4059 operate only on AL or AH registers.
4062 3.10.1 Packed BCD Adjustment Instructions
4064 DAA (Decimal Adjust) corrects the result of adding two valid packed decimal
4065 operands in AL. DAA must always follow the addition of two pairs of packed
4066 decimal numbers (one digit in each nibble) to obtain a pair of valid packed
4067 decimal digits as results. The carry flag will be set if carry was needed.
4069 Example:
4070 DAA
4072 DAS (Decimal Adjust for Subtraction) corrects the result of subtracting two
4073 valid packed decimal operands in AL. DAS must always follow the subtraction
4074 of one pair of packed decimal numbers (one digit in each nibble) from
4075 another to obtain a pair of valid packed decimal digits as results. The
4076 carry flag will be set if a borrow was needed.
4078 Example:
4079 DAS
4082 3.10.2 Unpacked BCD Adjustment Instructions
4084 AAA (ASCII Adjust for Addition) changes the contents of register AL to a
4085 valid unpacked decimal number, and zeros the top 4 bits. AAA must always
4086 follow the addition of two unpacked decimal operands in AL. The carry flag
4087 will be set and AH will be incremented if a carry was necessary.
4089 Example:
4090 AAA
4092 AAS (ASCII Adjust for Subtraction) changes the contents of register AL to a
4093 valid unpacked decimal number, and zeros the top 4 bits. AAS must always
4094 follow the subtraction of one unpacked decimal operand from another in AL.
4095 The carry flag will be set and AH decremented if a borrow was necessary.
4097 Example:
4098 AAS
4100 AAM (ASCII Adjust for Multiplication) corrects the result of a
4101 multiplication of two valid unpacked decimal numbers. AAM must always follow
4102 the multiplication of two decimal numbers to produce a valid decimal result.
4103 The high order digit will be left in AH, the low order digit in AL.
4105 Example:
4106 AAM
4108 AAD (ASCII Adjust for Division) modifies the numerator in AH and AL to
4109 prepare for the division of two valid unpacked decimal operands so that the
4110 quotient produced by the division will be a valid unpacked decimal number.
4111 AH should contain the high-order digit and AL the low-order digit. This
4112 instruction will adjust the value and leave it in AL. AH will contain 0.
4114 Example:
4115 AAD
4118 3.11 Trusted Instructions
4120 When operating in Protected Mode (Chapter 6 and following), the 80286
4121 processor restricts the execution of trusted instructions according to the
4122 Current Privilege Level (CPL) and the current value of IOPL, the 2-bit I/O
4123 privilege flag. Only a program operating at the highest privilege level
4124 (level 0) may alter the value of IOPL. A program may execute trusted
4125 instructions only when executing at a level that is at least as privileged
4126 as that specified by IOPL.
4128 Trusted instructions control I/O operations, interprocessor communications
4129 in a multiprocessor system, interrupt enabling, and the HLT instruction.
4131 These protection considerations do not apply in the real address mode.
4134 3.11.1 Trusted and Privileged Restrictions on POPF and IRET
4136 POPF (POP Flags) and IRET (Interrupt Return) are not affected by IOPL
4137 unless they attempt to alter IF (flag register bit 9). To change IF, POPF
4138 must be part of a program that is executing at a privilege level greater
4139 than or equal to that specified by IOPL. Any attempt to change IF when
4140 CPL ≥ 0 will be ignored (i.e., the IF flag will be ignored). To change the
4141 IOPL field, CPL must be zero.
4144 3.11.2 Machine State Instructions
4146 These trusted instructions affect the machine state control interrupt
4147 response, the processor halt state, and the bus LOCK signal that regulates
4148 memory access in multiprocessor systems.
4150 CLI (Clear Interrupt-Enable Flag) and STI (Set Interrupt-Enable Flag) alter
4151 bit 9 in the flag register. When IF=0, the processor responds only to
4152 internal interrupts and to non-maskable external interrupts. When IF=1, the
4153 processor responds to all interrupts. An interrupt service routine might
4154 use these instructions to avoid further interruption while it processes a
4155 previous interrupt request. As with the other flag bits, the processor
4156 clears IF during initialization. These instructions may be executed only if
4157 CPL ≤ IOPL. A protection exception will occur if they are executed when
4158 CPL > IOPL.
4160 Example:
4161 STI. Sets IF=1, which enables the processing of maskable external
4162 interrupts.
4164 Example:
4165 CLI. Sets IF=0 to disable maskable interrupt processing.
4167 HLT (Halt) causes the processor to suspend processing operations pending an
4168 interrupt or a system reset. This trusted instruction provides an
4169 alternative to an endless software loop in situations where a program must
4170 wait for an interrupt. The return address saved after the interrupt will
4171 point to the instruction immediately following HLT. This instruction may be
4172 executed only when CPL = 0.
4174 Example:
4175 HLT
4177 LOCK (Assert Bus Lock) is a 1-byte prefix code that causes the processor to
4178 assert the bus LOCK signal during execution of the instruction that follows.
4179 LOCK does not affect any flags. LOCK may be used only when CPL ≤ IOPL. A
4180 protection exception will occur if LOCK is used when CPL > IOPL.
4183 3.11.3 Input and Output Instructions
4185 These trusted instructions provide access to the processor's I/O ports to
4186 transfer data to and from peripheral devices. In Protected Mode, these
4187 instructions may be executed only when CPL ≤ IOPL.
4189 IN (Input from Port) transfers a byte or a word from an input port to AL or
4190 AX. If a program specifies AL with the IN instruction, the processor
4191 transfers 8 bits from the selected port to AL. Alternately, if a program
4192 specifies AX with the IN instruction, the processor transfers 16 bits from
4193 the port to AX.
4195 The program can specify the number of the port in two ways. Using an
4196 immediate byte constant, the program can specify 256 8-bit ports numbered 0
4197 through 255 or 128 16-bit ports numbered 0,2,4,...,252,254. Using the
4198 current value contained in DX, the program can specify 8-bit ports numbered
4199 0 through 65,535, or 16-bit ports using even-numbered ports in the same
4200 range.
4202 Example:
4203 IN AL,
4204 BYTE_PORT_NUMBER. Transfers 8 bits to AL from the port identified by the
4205 immediate constant BYTE_PORT_NUMBER.
4207 OUT (Output to Port) transfers a byte or a word to an output port from AL
4208 or AX. The program can specify the number of the port using the same methods
4209 of the IN instruction.
4211 Example:
4212 OUT AX, DX. Transfers 16 bits from AX to the port identified by the 16-bit
4213 number contained in DX.
4215 INS and OUTS (Input String and Output String) cause block input or output
4216 operations using a Repeat prefix. See Chapter 4 for more information on INS
4217 and OUTS.
4220 3.12 Processor Extension Instructions
4222 Processor Extension provides an extension to the instruction set of the
4223 base architecture (e.g., 80287). The NPX extends the instruction set of the
4224 CPU-based architecture to support high-precision integer and floating-point
4225 calculations. This extended instruction set includes arithmetic,
4226 comparison, transcendental, and data transfer instructions. The NPX also
4227 contains a set of useful constants to enhance the speed of numeric
4228 calculations.
4230 A program contains instructions for the NPX in line with the instructions
4231 for the CPU. The system executes these instructions in the same order as
4232 they appear in the instruction stream. The NPX operates concurrently with
4233 the CPU to provide maximum throughput for numeric calculations.
4235 The software emulation of the NPX is transparent to application software
4236 but requires more time for execution.
4239 3.12.1 Processor Extension Synchronization Instructions
4241 Escape and wait instructions allow a processor extension such as the 80287
4242 NPX to obtain instructions and data from the system bus and to wait for the
4243 NPX to return a result.
4245 ESC (Escape) identifies floating point numeric instructions and allows the
4246 80286 to send the opcode to the NPX or to transfer a memory operand to the
4247 NPX. The 80287 NPX uses the Escape instructions to perform high-performance,
4248 high-precision floating point arithmetic that conforms to the IEEE floating
4249 point standard 754.
4251 Example:
4252 ESC 6, ARRAY [SI]. The CPU sends the escape opcode 6 and the location of
4253 the array pointed to by SI to the NPX.
4255 WAIT (Wait) suspends program execution until the 80286 CPU detects a signal
4256 on the BUSY pin. In a configuration that includes a numeric processor
4257 extension, the NPX activates the BUSY pin to signal that it has completed
4258 its processing task and that the CPU may obtain the results.
4260 Example:
4261 WAIT
4264 3.12.2 Numeric Data Processor Instructions
4266 This section describes the categories of instructions available with
4267 Numeric Data Processor systems that include a Numeric Processor Extension or
4268 a software emulation of this processor extension.
4271 3.12.2.1 Arithmetic Instructions
4273 The extended instruction set includes not only the four arithmetic
4274 operations (add, subtract, multiply, and divide), but also subtract-reversed
4275 and divide-reversed instructions. The arithmetic functions include square
4276 root, modulus, absolute value, integer part, change sign, scale exponent,
4277 and extract exponent instructions.
4280 3.12.2.2 Comparison Instructions
4282 The comparison operations are the compare, examine, and test instructions.
4283 Special forms of the compare instruction can optimize algorithms by allowing
4284 comparisons of binary integers with real numbers in memory.
4287 3.12.2.3 Transcendental Instructions
4289 The instructions in this group perform the otherwise time-consuming
4290 calculations for all common trigonometric, inverse trigonometric,
4291 hyperbolic, inverse hyperbolic, logarithmic, and exponential functions. The
4292 transcendental instructions include tangent, arctangent, 2 x-1, Y. log{2} X,
4293 and Y. log{2} (X+1).
4296 3.12.2.4 Data Transfer Instructions
4298 The data transfer instructions move operands among the registers and
4299 between a register and memory. This group includes the load, store, and
4300 exchange instructions.
4303 3.12.2.5 Constant Instructions
4305 Each of the constant instructions loads a commonly used constant into an
4306 NPX register. The values have a real precision of 64 bits and are accurate
4307 to approximately 19 decimal places. The constants loaded by these
4308 instructions include 0, 1, Pi, log{e} 10, log{2} e, log{10} 2, and log 2{e}.
4311 Chapter 4 Extended Instruction Set
4313 ───────────────────────────────────────────────────────────────────────────
4315 The instructions described in this chapter extend the capabilities of the
4316 base architecture instruction set described in Chapter 3. These extensions
4317 consist of new instructions and variations of some instructions that are not
4318 strictly part of the base architecture (in other words, not included on the
4319 8086 and 8088). These instructions are also available on the 80186 and
4320 80188. The instruction variations, described in Chapter 3, include the
4321 immediate forms of the PUSH and MUL instructions, PUSHA, POPA, and the
4322 privilege level restrictions on POPF.
4324 New instructions described in this chapter include the string input and
4325 output instructions (INS and OUTS), the ENTER procedure and LEAVE procedure
4326 instructions, and the check index BOUND instruction.
4329 4.1 Block I/O Instructions
4331 REP, the Repeat prefix, modifies INS and OUTS (the string I/O instructions)
4332 to provide a means of transferring blocks of data between an I/O port and
4333 Memory. These block I/O instructions are string primitives. They simplify
4334 programming and increase the speed of data transfer by eliminating the need
4335 to use a separate LOOP instruction or an intermediate register to hold the
4336 data.
4338 INS and OUTS are trusted instructions. To use trusted instructions, a
4339 program must execute at a privilege level at least as privileged as that
4340 specified by the 2-bit IOPL flag (CPL ≤ IOPL). Any attempt by a
4341 less-privileged program to use a trusted instruction results in a
4342 protection exception. See Chapter 7 for information on protection concepts.
4344 One of two possible opcodes represents each string primitive depending on
4345 whether it operates on byte strings or word strings. After each transfer,
4346 the memory address in SI or DI is updated by 1 for byte values and by 2 for
4347 word values. The value in the DF field determines if SI or DI is to be auto
4348 incremented (DF=0) or auto decremented (DF=1).
4350 INS and OUTS use DX to specify I/O ports numbered 0 through 65,535 or
4351 16-bit ports using only even port addresses in the same range.
4353 INS (Input String from Port) transfers a byte or a word string element from
4354 an input port to memory. If a program specifies INSB, the processor
4355 transfers 8 bits from the selected port to the memory location indicated by
4356 ES:DI. Alternately, if a program specifies INSW, the processor transfers 16
4357 bits from the port to the memory location indicated by ES:DI. The
4358 destination segment register choice (ES) cannot be changed for the INS
4359 instruction.
4361 Combined with the REP prefix, INS moves a block of information from an
4362 input port to a series of consecutive memory locations.
4364 Example:
4365 REP INSB. The processor repeatedly transfers 8 bits to the memory
4366 location indicated by ES:DI from the port selected by the 16-bit port
4367 number contained in DX. Following each byte transfer, the CPU
4368 decrements CX. The instruction terminates the block transfer when CX=0.
4369 After decrementing CX, the processor increments DI by one if DF=0. It
4370 decrements DI by one if DF=1.
4372 OUTS (Output String to Port) transfers a byte or a word string element to
4373 an output port from memory. Combined with the REP prefix, OUTS moves a block
4374 of information from a series of consecutive memory locations indicated by
4375 DS:SI to an output port.
4377 Example:
4378 REP OUTS WSTRING. Assuming that the program declares WSTRING to be a
4379 word-length string element, the assembler uses the 16-bit form of the OUTS
4380 instruction to create the object code for the program. The processor
4381 repeatedly transfers words from the memory locations indicated by DI to
4382 the output port selected by the 16-bit port number in DX.
4384 Following each word transfer, the CPU decrements CX. The instruction
4385 terminates the block transfer when CX=0. After decrementing CX, the
4386 processor increments SI by two to point to the next word in memory if DF=0;
4387 it decrements SI by two if DF=1.
4390 4.2 High-Level Instructions
4392 The instructions in this section provide machine-language functions
4393 normally found only in high-level languages. These instructions include
4394 ENTER and LEAVE, which simplify the programming of procedures, and BOUND,
4395 which provides a simple method of testing an index against its predefined
4396 range.
4398 ENTER (Enter Procedure) creates the stack frame required by most
4399 block-structured high-level languages. A LEAVE instruction at the end of a
4400 procedure complements an ENTER at the beginning of the procedure to simplify
4401 stack management and to control access to variables for nested procedures.
4403 Example:
4404 ENTER 2048,3. Allocates 2048 bytes of dynamic storage on the stack and
4405 sets up pointers to two previous stack frames in the stack frame that
4406 ENTER creates for this procedure.
4408 The ENTER instruction includes two parameters. The first parameter
4409 specifies the number of bytes of dynamic storage to be allocated on the
4410 stack for the routine being entered. The second parameter corresponds to the
4411 lexical nesting level (0-31) of the routine. (Note that the lexical level
4412 has no relationship to either the protection privilege levels or to the I/O
4413 privilege level.)
4415 The specified lexical level determines how many sets of stack frame
4416 pointers the CPU copies into the new stack frame from the preceding frame.
4417 This list of stack frame pointers is sometimes called the "display." The
4418 first word of the display is a pointer to the last stack frame. This
4419 pointer enables a LEAVE instruction to reverse the action of the previous
4420 ENTER instruction by effectively discarding the last stack frame.
4422 After ENTER creates the new display for a procedure, it allocates the
4423 dynamic storage space for that procedure by decrementing SP by the number of
4424 bytes specified in the first parameter. This new value of SP serves as a
4425 base for all PUSH and POP operations within that procedure.
4427 To enable a procedure to address its display, ENTER leaves BP pointing to
4428 the beginning of the new stack frame. Data manipulation instructions that
4429 specify BP as a base register implicitly address locations within the stack
4430 segment instead of the data segment. Two forms of the ENTER instruction
4431 exist: nested and non-nested. If the lexical level is 0, the non-nested form
4432 is used. Since the second operand is 0, ENTER pushes BP, copies SP to BP and
4433 then subtracts the first operand from SP. The nested form of ENTER occurs
4434 when the second parameter (lexical level) is not 0. Figure 4-1 gives the
4435 formal definition of ENTER.
4437 The main procedure (with other procedures nested within) operates at the
4438 highest lexical level, level 1. The first procedure it calls operates at the
4439 next deeper lexical level, level 2. A level 2 procedure can access the
4440 variables of the main program which are at fixed locations specified by the
4441 compiler. In the case of level 1, ENTER allocates only the requested dynamic
4442 storage on the stack because there is no previous display to copy.
4444 A program operating at a higher lexical level calling a program at a lower
4445 lexical level requires that the called procedure should have access to the
4446 variables of the calling program. ENTER provides this access through a
4447 display that provides addressability to the calling program's stack frame.
4449 A procedure calling another procedure at the same lexical level implies
4450 that they are parallel procedures and that the called procedure should not
4451 have access to the variables of the calling procedure. In this case, ENTER
4452 copies only that portion of the display from the calling procedure which
4453 refers to previously nested procedures operating at higher lexical levels.
4454 The new stack frame does not include the pointer for addressing the calling
4455 procedure's stack frame.
4457 ENTER treats a reentrant procedure as a procedure calling another procedure
4458 at the same lexical level. In this case, each succeeding iteration of the
4459 reentrant procedure can address only its own variables and the variables of
4460 the calling procedures at higher lexical levels. A reentrant procedure can
4461 always address its own variables; it does not require pointers to the stack
4462 frames of previous iterations.
4464 By copying only the stack frame pointers of procedures at higher lexical
4465 levels, ENTER makes sure that procedures access only those variables of
4466 higher lexical levels, not those at parallel lexical levels (see figure
4467 4-2). Figures 4-2a, 4-2b, 4-2c, and 4-2d demonstrate the actions of the
4468 ENTER instruction if the modules shown in figure 4-1 were to call one
4469 another in alphabetic order.
4471 Block-structured high-level languages can use the lexical levels defined by
4472 ENTER to control access to the variables of previously nested procedures.
4473 For example, if PROCEDURE A calls PROCEDURE B which, in turn, calls
4474 PROCEDURE C, then PROCEDURE C will have access to the variables of MAIN and
4475 PROCEDURE A, but not PROCEDURE B because they operate at the same lexical
4476 level. Following is the complete definition of the variable access for
4477 figure 4-2.
4479 1. MAIN PROGRAM has variables at fixed locations.
4481 2. PROCEDURE A can access only the fixed variables of MAIN.
4483 3. PROCEDURE B can access only the variables of PROCEDURE A and MAIN.
4484 PROCEDURE B cannot access the variables of PROCEDURE C or PROCEDURE D.
4486 4. PROCEDURE C can access only the variables of PROCEDURE A and MAIN.
4487 PROCEDURE C cannot access the variables of PROCEDURE B or PROCEDURE D.
4489 5. PROCEDURE D can access the variables of PROCEDURE C, PROCEDURE A, and
4490 MAIN. PROCEDURE D cannot access the variables of PROCEDURE B.
4492 ENTER at the beginning of the MAIN PROGRAM creates dynamic storage space
4493 for MAIN but copies no pointers. The first and only word in the display
4494 points to itself because there is no previous value for LEAVE to return to
4495 BP. See figure 4-2a.
4497 After MAIN calls PROCEDURE A, ENTER creates a new display for PROCEDURE A
4498 with the first word pointing to the previous value of BP (BPM for LEAVE to
4499 return to the MAIN stack frame) and the second word pointing to the current
4500 value of BP. Procedure A can access variables in MAIN since MAIN is at level
4501 1. Therefore the base for the dynamic storage for MAIN is at [BP-2]. All
4502 dynamic variables for MAIN will be at a fixed offset from this value. See
4503 figure 4-2b.
4505 After PROCEDURE A calls PROCEDURE B, ENTER creates a new display for
4506 PROCEDURE B with the first word pointing to the previous value of BP, the
4507 second word pointing to the value of BP for MAIN, and the third word
4508 pointing to the value of BP for A and the last word pointing to the current
4509 BP. B can access variables in A and MAIN by fetching from the display the
4510 base addresses of the respective dynamic storage areas. See figure 4-2c.
4512 After PROCEDURE B calls PROCEDURE C, ENTER creates a new display for
4513 PROCEDURE C with the first word pointing to the previous value of BP, the
4514 second word pointing to the value of BP for MAIN, and the third word
4515 pointing to the BP value for A and the third word pointing to the current
4516 value of BP. Because PROCEDURE B and PROCEDURE C have the same lexical
4517 level, PROCEDURE C is not allowed access to variables in B and therefore
4518 does not receive a pointer to the beginning of PROCEDURE B's stack frame.
4519 See figure 4-2d.
4521 LEAVE (Leave Procedure) reverses the action of the previous ENTER
4522 instruction. The LEAVE instruction does not include any operands.
4524 Example:
4525 LEAVE. First, LEAVE copies BP to SP to release all stack space allocated
4526 to the procedure by the most recent ENTER instruction. Next, LEAVE pops
4527 the old value of BP from the stack. A subsequent RET instruction can then
4528 remove any arguments that were pushed on the stack by the calling program
4529 for use by the called procedure.
4531 BOUND (Detect Value Out of Range) verifies that the signed value contained
4532 in the specified register lies within specified limits. An interrupt (INT 5)
4533 occurs if the value contained in the register is less than the lower bound
4534 or greater than the upper bound.
4536 The BOUND instruction includes two operands. The first operand specifies
4537 the register being tested. The second operand contains the effective
4538 relative address of the two signed BOUND limit values. The BOUND instruction
4539 assumes that it can obtain the upper limit from the memory word that
4540 immediately follows the lower limit. These limit values cannot be register
4541 operands; if they are, an invalid opcode exception occurs.
4543 BOUND is useful for checking array bounds before using a new index value to
4544 access an element within the array. BOUND provides a simple way to check the
4545 value of an index register before the program overwrites information in a
4546 location beyond the limit of the array.
4548 The two-word block of memory that specifies the lower and upper limits of
4549 an array might typically reside just before the array itself. This makes the
4550 array bounds accessible at a constant offset of -4 from the beginning of the
4551 array. Because the address of the array will already be present in a
4552 register, this practice avoids extra calculations to obtain the effective
4553 address of the array bounds.
4555 Example:
4556 BOUND BX,ARRAY-4. Compares the value in BX with the lower limit at
4557 address ARRAY-4 and the upper limit at address ARRAY-2. If the signed
4558 value in BX is less than the lower bound or greater than the upper bound,
4559 the interrupt for this instruction (INT 5) occurs. Otherwise, this
4560 instruction has no effect.
4563 Figure 4-1. Formal Definition of the ENTER Instruction
4565 The Formal Definition Of The ENTER Instruction. For All Cases Is Given By
4566 The Following Listing. LEVEL Denotes The Value Of The Second Operand.
4568 Push BP
4569 Set a temporary value FRAME_PTR:=SP
4570 If LEVEL > 0 then
4571 Repeat (LEVEL - 1) times:
4572 BP:=BP - 2
4573 Push the word pointed to by BP
4574 End repeat
4575 Push FRAME_PTR
4576 End if
4577 BP:=FRAME_PTR
4578 SP:=SP - first operand.
4581 Figure 4-2. Variable Access in Nested Procedures
4583 ╔═════════════════════════════════════════╗
4584 ║ MAIN PROGRAM (LEXICAL LEVEL 1) ║
4585 ║ ╔═════════════════════════════════════╗ ║
4586 ║ ║ PROCEDURE A (LEXICAL LEVEL 2) ║ ║
4587 ║ ║ ╔═════════════════════════════╗ ║ ║
4588 ║ ║ ║PROCEDURE B (LEXICAL LEVEL 3)║ ║ ║
4589 ║ ║ ╚═════════════════════════════╝ ║ ║
4590 ║ ║ ║ ║
4591 ║ ║ ╔═════════════════════════════════╗ ║ ║
4592 ║ ║ ║ PROCEDURE C (LEXICAL LEVEL 3) ║ ║ ║
4593 ║ ║ ║ ╔═════════════════════════════╗ ║ ║ ║
4594 ║ ║ ║ ║PROCEDURE D (LEXICAL LEVEL 4)║ ║ ║ ║
4595 ║ ║ ║ ╚═════════════════════════════╝ ║ ║ ║
4596 ║ ║ ║ ║ ║ ║
4597 ║ ║ ╚═════════════════════════════════╝ ║ ║
4598 ║ ║ ║ ║
4599 ║ ╚═════════════════════════════════════╝ ║
4600 ║ ║
4601 ╚═════════════════════════════════════════╝
4604 Figure 4-2a. Stack Frame for MAIN at Level 1
4606 • •
4607 ║ 15 0 ║
4608 ╠═══════════════╣─┐
4609 ║ OLD BP ║ │
4610 BP FOR MAIN──►╠═══════════════╣ ├─DISPLAY
4611 ║ BPM
4612 BPM = BP value for MAIN ║ │
4613 ╠═══════════════╣─┘
4614 ║ ║
4615 ║ ║
4616 ║ ║∙DYNAMIC
4617 ║ ║ STORAGE
4618 ║ ║
4619 SP──►╠═══════════════╣
4620 ║ ║
4623 Figure 4-2b. Stack Frame for PROCEDURE A
4625 ║15 0║
4626 ╠═══════════════╣
4627 ║ OLD BP ║
4628 ╠═══════════════╣
4629 ║ BPM ║
4630 ╠═══════════════╣
4631 ║ ║
4632 ║ ║
4633 ║ ║
4634 ║ ║
4635 ╠═══════════════╣─┐
4636 ║ BPM ║ │
4637 BP FOR A──►╠═══════════════╣ │
4638 ║ BPM ║ │
4639 ╠═══════════════╣ ├─DISPLAY
4640 ║ BPA
4641 BPA = BP value for PROCEDURE A ║ │
4642 ╠═══════════════╣═╡
4643 ║ ║ │
4644 ║ ║ ├─DYNAMIC
4645 ║ ║ │ STORAGE
4646 ║ ║ │
4647 SP──►╠═══════════════╣─┘
4648 ║ ║
4649 ╠═══════════════╣
4650 ║ ║
4653 Figure 4-2c. Stack Frame for PROCEDURE B at Level 3 Called from A
4655 ║15 0║
4656 ╠═══════════════╣
4657 ║ OLD BP ║
4658 ╠═══════════════╣
4659 ║ BPM ║
4660 ╠═══════════════╣
4661 ║ ║
4662 ║ ║
4663 ║ ║
4664 ║ ║
4665 ╠═══════════════╣
4666 ║ BPM ║
4667 ╠═══════════════╣
4668 ║ BPM ║
4669 ╠═══════════════╣
4670 ║ BPA ║
4671 ╠═══════════════╣
4672 ║ ║
4673 ║ ║
4674 ║ ║
4675 ║ ║
4676 ╠═══════════════╣─┐
4677 ║ BPA ║ │
4678 BP──►╠═══════════════╣ │
4679 ║ BPM ║ │
4680 ╠═══════════════╣ ├─DISPLAY
4681 ║ BPA ║ │
4682 ╠═══════════════╣ │
4683 ║ BPB ║ │
4684 ╠═══════════════╣═╡
4685 ║ ║ │
4686 ║ ║ ├─DYNAMIC
4687 ║ ║ │ STORAGE
4688 ║ ║ │
4689 ╠═══════════════╣─┘
4690 ║ ║
4691 SP──►╠═══════════════╣
4692 ║ ║
4695 Figure 4-2d. Stack Frame for PROCEDURE C at Level 3 Called from B
4697 ║15 0║
4698 ╠═══════════════╣
4699 ║ OLD BP ║
4700 ╠═══════════════╣
4701 ║ BPM ║
4702 ╠═══════════════╣
4703 ║ ║
4704 ║ ║
4705 ║ ║
4706 ║ ║
4707 ╠═══════════════╣
4708 ║ BPM ║
4709 ╠═══════════════╣
4710 ║ BPM ║
4711 ╠═══════════════╣
4712 ║ BPA ║
4713 ╠═══════════════╣
4714 ║ ║
4715 ║ ║
4716 ║ ║
4717 ║ ║
4718 ╠═══════════════╣
4719 ║ BPA ║
4720 BP──►╠═══════════════╣─┐
4721 ║ BPM ║ │
4722 ╠═══════════════╣ │
4723 ║ BPA ║ ├─DISPLAY
4724 ╠═══════════════╣ │
4725 ║ BPB ║ │
4726 ╠═══════════════╣═╡
4727 ║ ║ │
4728 ║ ║ ├─DYNAMIC
4729 ║ ║ │ STORAGE
4730 ║ ║ │
4731 SP──►╠═══════════════╣─┘
4732 ║ ║
4735 Chapter 5 Real Address Mode
4737 ───────────────────────────────────────────────────────────────────────────
4739 The 80286 can be operated in either of two modes according to the status of
4740 the Protection Enabled bit of the MSW status register. In contrast to the
4741 "modes" and "mode bits" of some processors, however, the 80286 modes do not
4742 represent a radical transition between conflicting architectures. Instead,
4743 the setting of the Protection Enabled bit simply determines whether certain
4744 advanced features, in addition to the baseline architecture of the 80286,
4745 are to be made available to system designers and programmers.
4747 If the Protection Enabled (PE) bit is set by the programmer, the processor
4748 changes into Protected Virtual Address Mode. In this mode of operation,
4749 memory addressing is performed in terms of virtual addresses, with on-chip
4750 mapping mechanisms performing the virtual-to-physical translation. Only in
4751 this mode can the system designer make use of the advanced architectural
4752 features of the 80286: virtual memory support, system-wide protection, and
4753 built-in multitasking mechanisms are among the new features provided in this
4754 mode of operation. Refer to Part II of this book (Chapters 6, 7, 8, 9,
4755 10, and 11) for details on Protected Mode operation.
4757 Initially, upon system reset, the processor starts up in Real Address Mode.
4758 In this mode of operation, all memory addressing is performed in terms of
4759 real physical addresses. In effect, the architecture of the 80286 in
4760 this mode is identical to that of the 8086 and other processors in the 8086
4761 family. The principal features of this baseline architecture have already
4762 been discussed throughout Part I (Chapters 2, 3, and 4) of this book.
4763 This chapter discusses certain additional topics──addressing, interrupt
4764 handling, and system initialization──that complete the system programmer's
4765 view of the 80286 in Real Address Mode.
4768 5.1 Addressing and Segmentation
4770 Like other processors in the 8086 family, the 80286 provides a one-megabyte
4771 memory space (2^(20) bytes) when operated in Real Address Mode. Physical
4772 addresses are the 20-bit values that uniquely identify each byte location in
4773 this address space. Physical addresses, therefore, may range from 0 through
4774 FFFFFH. Address bits A20-A23 may not always be zero in Real Address Mode.
4775 A20-A23 should not be used by the system while the 80286 is operating in
4776 Real Address Mode.
4778 An address is specified by a 32-bit pointer containing two components: (1)
4779 a 16-bit effective address offset that determines the displacement, in
4780 bytes, of a particular location within a segment; and (2) a 16-bit segment
4781 selector component that determines the starting address of the segment.
4782 Both components of an address may be referenced explicitly by an instruction
4783 (such as JMP, LES, LDS, or CALL); more often, however, the segment selector
4784 is simply the contents of a segment register.
4786 The interpretation of the first component, the effective address offset, is
4787 straight-forward. Segments are at most 64K (2^(16)) bytes in length, so an
4788 unsigned 16-bit quantity is sufficient to address any arbitrary byte
4789 location with a segment. The lowest-addressed byte within a segment has an
4790 offset of 0, and the highest-addressed byte has an offset of FFFFH. Data
4791 operands must be completely contained within a segment and must be
4792 contiguous. (These rules apply in both modes.)
4794 A segment selector is the second component of a logical address. This
4795 16-bit quantity specifies the starting address of a segment within a
4796 physical address space of 2^(20) bytes.
4798 Whenever the 80286 accesses memory in Real Address Mode, it generates a
4799 20-bit physical address from a segment selector and offset value. The
4800 segment selector value is left-shifted four bit positions to form the
4801 segment base address. The offset is extended with 4 high order zeroes and
4802 added to the base to form the physical address (see figure 5-1).
4804 Therefore, every segment is required to start at a byte address that is
4805 evenly divisible by 16; thus, each segment is positioned at a 20-bit
4806 physical address whose least significant four bits are zeroes. This
4807 arrangement allows the 80286 to interpret a segment selector as the
4808 high-order 16 bits of a 20-bit segment base address.
4810 No limit or access checks are performed by the 80286 in the Real Address
4811 Mode. All segments are readable, writable, executable, and have a limit of
4812 0FFFFH (65,535 bytes). To save physical memory, you can use unused portions
4813 of a segment as another segment by overlapping the two (see figure 5-2).
4814 The Intel 8086 software development tools support this feature via the
4815 segment override and group operators. However, programs that access segment
4816 B from segment A become incompatible in the protected virtual address mode.
4819 Figure 5-1a. Forming the Segment Base Address
4821 16 BIT SEGMENT SELECTOR
4822 ┌───────────────────────┴───────────────────────┐
4823 15 0
4824 ╔══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤ ═ ═ ═ ═ ═ ╗
4825 ║ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │0 │0 │0 │0
4826 ╚══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧ ═ ═ ═ ═ ═ ╝
4827 19 0
4830 Figure 5-1b. Forming the 20-bit Physical Address in the Real Address Mode
4832 ╔══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤ ═ ═ ═ ═ ═ ╗
4833 SEGMENT BASE ║ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │0 │0 │0 │0
4834 ╚══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧ ═ ═ ═ ═ ═ ╝
4835 19 0
4837 ╔ ═ ═ ═ ═ ═ ╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╗
4838 OFFSET 0 │0 │0 │0 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ║
4839 ╚ ═ ═ ═ ═ ═ ╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╝
4840 19 15 0
4842 ─────────────────────────────────────────────────────────────
4843 ╔══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╗
4844 PHYSICAL ║ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ║
4845 ADDRESS ╚══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╝
4846 19 0
4849 Figure 5-2. Overlapping Segments to Save Physical Memory
4851 • •
4852 ║ ║
4853 ╟─ ── ── ── ── ─╫ ───
4854 ║ ║ ▲
4855 ║ ║ │
4856 ║ ║ 64K SEGMENT B
4857 ║ ║ │
4858 ─── ╫─ ── ── ── ── ─╫ │
4859 ▲ ║ OVERLAP ║ ▼
4860 │ ╠═══════════════╣◄───── BASE OF
4861 SEGMENT A 64K ║ ║ SEGMENT B
4862 │ ║ ║
4863 │ ║ ║
4864 ▼ ║ ║
4865 ─── ╠═══════════════╣◄───── BASE OF
4866 ║ ║ SEGMENT A
4867 • •
4870 5.2 Interrupt Handling
4872 Program interrupts may be generated in either of two distinct ways. An
4873 internal interrupt is caused directly by the currently executing program.
4874 The execution of a particular instruction results in the occurrence of an
4875 interrupt, whether intentionally (e.g., an INT n instruction) or as an
4876 unanticipated exception (e.g., invalid opcode). On the other hand, an
4877 external interrupt occurs asynchronously as the result of an event
4878 external to the processor, and bears no necessary relationship with the
4879 currently executing program. The INTR and NMI pins of the 80286 provide the
4880 means by which external hardware signals the occurrence of such events.
4883 5.2.1 Interrupt Vector Table
4885 Whatever its origin, whether internal or external, an interrupt demands
4886 immediate attention from an associated service routine. Control must be
4887 transferred, at least for the moment, from the currently executing program
4888 to the appropriate interrupt service routine. By means of interrupt
4889 vectors, the 80286 handles such control transfers uniformly for both kinds
4890 of interrupts.
4892 An interrupt vector is an unsigned integer in the range of 0-255; every
4893 interrupt is assigned such a vector. In some cases, the assignment is
4894 predetermined and fixed: for example, an external NMI interrupt is
4895 invariably associated with vector 2, while an internal divide exception is
4896 always associated with vector 0. In most cases, however, the association of
4897 an interrupt and a vector is established dynamically. An external INTR
4898 interrupt, for example, supplies a vector in response to an interrupt
4899 acknowledge bus cycle, while the INT n instruction supplies a vector
4900 incorporated within the instruction itself. The vector is shifted two places
4901 left to form a byte address into the table (see figure 5-3).
4903 In any case, the 80286 uses the interrupt vector as an index into a table
4904 in order to determine the address of the corresponding interrupt service
4905 routine. For Real Address Mode, this table is known as the Interrupt Vector
4906 Table. Its format is illustrated in figure 5-3.
4908 The Interrupt Vector Table consists of as many as 256 consecutive entries,
4909 each four bytes long. Each entry defines the address of a service routine to
4910 be associated with the correspondingly numbered interrupt vector code.
4911 Within each entry, an address is specified by a full 32-bit pointer that
4912 consists of a 16-bit offset and a 16-bit segment selector. Interrupts 0-31
4913 are reserved by Intel.
4915 In Real Address Mode, the interrupt table can be accessed directly at
4916 physical memory location 0 through 1023. In the protected virtual address
4917 mode, however, the interrupt vector table has no fixed physical address and
4918 cannot be directly accessed. Therefore, Real Address mode programs that
4919 directly manipulate the interrupt vector table will not work in the
4920 protected virtual address mode.
4923 Table 5-1. Interrupt Processing Order
4925 Order Interrupt
4926 1. Instruction exception
4927 2. Single step
4928 3. NMI
4929 4. Processor extension segment overrun
4930 5. INTR
4933 Figure 5-3. Interrupt Vector Table for Real Address Mode
4935 POWER TO
4936 INTERRUPT HANDLER PHYSICAL
4937 FOR: ADDRESS
4939 ╔═══════════════╗
4940 INTERRUPT 255 ║ POINTER ║ 1020
4941 ╠═══════════════╣
4942 INTERRUPT 254 ║ POINTER ║ 1018
4943 ╠═══════════════╣
4944 INTERRUPT 253 ║ POINTER ║◄┐ 1012
4945 ╠═══════════════╣ └────────────────────┐
4946 ║ ║ ╔═════════════════╤╧═══════════╤═╤═╗
4947 ║ ║ ║0 ∙ ∙ ∙ ∙ ∙ ∙ ∙ 0│ VECTOR │0│0║
4948 ≈ ≈ ╚═════════════════╧════════════╧═╧═╝
4949 ║ ║ 19 10 9 2 1 0
4950 ║ ║
4951 ╠═══════════════╣
4952 INTERRUPT 1 ║ POINTER ║ 4
4953 ╠═══════════════╣
4954 INTERRUPT 0 ║ POINTER ║ 0
4955 ╚═══════════════╝
4958 5.2.1.1 Interrupt Priorities
4960 When simultaneous interrupt requests occur, they are processed in a fixed
4961 order as shown in table 5-1. Interrupt processing involves saving the
4962 flags, the return address, and setting CS:IP to point at the first
4963 instruction of the interrupt handler. If other interrupts remain enabled,
4964 they are processed before the first instruction of the current interrupt
4965 handler is executed. The last interrupt processed is therefore the first one
4966 serviced.
4969 5.2.2 Interrupt Procedures
4971 When an interrupt occurs in Real Address Mode, the 8086 performs the
4972 following sequence of steps. First, the FLAGS register, as well as the old
4973 values of CS and IP, are pushed onto the stack (see figure 5-4). The IF and
4974 TF flag bits are cleared. The vector number is then used to read the
4975 address of the interrupt service routine from the interrupt table. Execution
4976 begins at this address.
4978 Thus, when control is passed to an interrupt service routine, the return
4979 linkage is placed on the stack, interrupts are disabled, and single-step
4980 trace (if in effect) is turned off. The IRET instruction at the end of the
4981 interrupt service routine will reverse these steps before transferring
4982 control to the program that was interrupted.
4984 An interrupt service routine may affect registers other than other IP, CS,
4985 and FLAGS. It is the responsibility of an interrupt routine to save
4986 additional context information before proceeding so that the state of the
4987 machine can be restored upon completion of the interrupt service routine
4988 (PUSHA and POPA instructions are intended for these operations). Finally,
4989 execution of the IRET instruction pops the old IP, CS, and FLAGS from the
4990 stack and resumes the execution of the interrupted program.
4993 Figure 5-4. Stack Structure after Interrupt (Real Address Mode)
4995 ║ ║
4996 ≈ ≈
4997 ▲ ╠═══════════════╣
4998 │ ║ OLD FLAGS ║
4999 INCREASING │ ╠═══════════════╣
5000 ADDRESSES │ ║ OLD CS ║
5001 │ ╠═══════════════╣
5002 │ ║ OLD IP ║◄── <SS:SP>
5003 │ ╠═══════════════╣
5004 ║ • ║
5005 ≈ • ≈
5006 ║ • ║
5009 5.2.3 Reserved and Dedicated Interrupt Vectors
5011 In general, the system designer is free to use almost any interrupt vectors
5012 for any given purpose. Some of the lowest-numbered vectors, however, are
5013 reserved by Intel for dedicated functions; their use is specifically implied
5014 by certain types of exceptions. None of the first 32 vectors should be
5015 defined by the user; these vectors are either invoked by pre-defined
5016 exceptions or reserved by Intel for future expansion. Table 5-2 shows the
5017 dedicated and reserved vectors of the 80286 in Real Address Mode.
5019 The purpose and function of the dedicated interrupt vectors may be
5020 summarized as follows (the saved value of CS:IP will include all leading
5021 prefixes):
5023 ■ Divide error (Interrupt 0). This exception will occur if the quotient
5024 is too large or an attempt is made to divide by zero using either the
5025 DIV or IDIV instruction. The saved CS:IP points at the first byte of
5026 the failing instruction. DX and AX are unchanged.
5028 ■ Single-Step (Interrupt 1). This interrupt will occur after
5029 each instruction if the Trap Flag (TF) bit of the FLAGS register is
5030 set. Of course, TF is cleared upon entry to this or any other interrupt
5031 to prevent infinite recursion. The saved value of CS:IP will point to
5032 the next instruction.
5034 ■ Nonmaskable (Interrupt 2). This interrupt will occur upon receipt of
5035 an external signal on the NMI pin. Typically, the nonmaskable interrupt
5036 is used to implement power-fail/auto-restart procedures. The saved
5037 value of CS:IP will point to the first byte of the interrupted
5038 instruction.
5040 ■ Breakpoint (Interrupt 3). Execution of the one-byte breakpoint
5041 instruction causes this interrupt to occur. This instruction is useful
5042 for the implementation of software debuggers since it requires only one
5043 code byte and can be substituted for any instruction opcode byte. The
5044 saved value of CS:IP will point to the next instruction.
5046 ■ INTO Detected Overflow (Interrupt 4). Execution of the INTO
5047 conditional software interrupt instruction will cause this interrupt
5048 to occur if the overflow bit (OF) of the FLAGS register is set. The
5049 saved value of CS:IP will point to the next instruction.
5051 ■ BOUND Range Exceeded (Interrupt 5). Execution of the BOUND instruction
5052 will cause this interrupt to occur if the specified array index is
5053 found to be invalid with respect to the given array bounds. The saved
5054 value of CS:IP will point to the first byte of the BOUND instruction.
5056 ■ Invalid Opcode (Interrupt 6). This exception will occur if execution
5057 of an invalid opcode is attempted. (In Real Address Mode, most of the
5058 Protected Virtual Address Mode instructions are classified as invalid
5059 and should not be used). This interrupt can also occur if the
5060 effective address given by certain instructions, notably BOUND, LDS,
5061 LES, and LIDT, specifies a register rather than a memory location. The
5062 saved value of CS:IP will point to the first byte of the
5063 invalid instruction or opcode.
5065 ■ Processor Extension Not Available (Interrupt 7). Execution of the ESC
5066 instruction will cause this interrupt to occur if the status bits of
5067 the MSW indicate that processor extension functions are to be emulated
5068 in software. Refer to section 10.2.1 for more details. The saved value
5069 of CS:IP will point to the first byte of the ESC or the WAIT
5070 instruction.
5072 ■ Interrupt Table Limit Too Small (Interrupt 8). This interrupt will
5073 occur if the limit of the interrupt vector table was changed from 3FFH
5074 by the LIDT instruction and an interrupt whose vector is outside the
5075 limit occurs. The saved value of CS:IP will point to the first byte of
5076 the instruction that caused the interrupt or that was ready to execute
5077 before an external interrupt occurred. No error code is pushed.
5079 ■ Processor Extension Segment Overrun Interrupt (Interrupt 9). The
5080 interrupt will occur if a processor extension memory operand does not
5081 fit in a segment. The saved CS:IP will point at the first byte of the
5082 instruction that caused the interrupt.
5084 ■ Segment Overrun Exception (Interrupt 13). This interrupt will occur if
5085 a memory operand does not fit in a segment. In Real Mode this will
5086 occur only when a word operand begins at segment offset 0FFFFH. The
5087 saved CS:IP will point at the first byte of the instruction that
5088 caused the interrupt. No error code is pushed.
5090 ■ Processor Extension Error (Interrupt 16). This interrupt occurs after
5091 the numeric instruction that caused the error. It can only occur while
5092 executing a subsequent WAIT or ESC. The saved value of CS:IP will point
5093 to the first byte of the ESC or the WAIT instruction. The address of
5094 the failed numeric instruction is saved in the NPX.
5097 Table 5-2. Dedicated and Reserved Interrupt Vectors in Real Address Mode
5100 Function Interrupt Related Instructions Return Address
5101 Number Before Instruction
5102 Causing Exception?
5103 Divide error exception 0 DIV, IDIV Yes
5104 Single step interrupt 1 All N/A
5105 NMI interrupt 2 All N/A
5106 Breakpoint interrupt 3 INT N/A
5107 INTO detected overflow 4 INTO No
5108 exception
5109 BOUND range exceeded 5 BOUND Yes
5110 exception
5111 Invalid opcode exception 6 Any undefined opcode Yes
5112 Processor extension 7 ESC or WAIT Yes
5113 not available exception
5114 Interrupt table 8 LIDT Yes
5115 limit too small
5116 Processor extension 9 ESC Yes
5117 segment overrun interrupt
5118 Segment overrun exception 13 Any memory reference Yes
5119 instruction that
5120 attempts to reference
5121 16-bit word at
5122 offset 0FFFFH.
5123 Reserved 10-12,
5124 14, 15
5125 Processor extension 16 ESC or WAIT N/A
5126 error interrupt
5127 Reserved 17-31
5128 User defined 32-255
5130 N/A = Not Applicable
5133 5.3 System Initialization
5135 The 80286 provides an orderly way to start or restart an executing system.
5136 Upon receipt of the RESET signal, certain processor registers go into the
5137 determinate state shown in table 5-3.
5139 Since the CS register contains F000 (thus specifying a code segment
5140 starting at physical address F0000) and the instruction pointer contains
5141 FFF0, the processor will execute its first instruction at physical address
5142 FFFF0H. The uppermost 16 bytes of physical memory are therefore reserved
5143 for initial startup logic. Ordinarily, this location contains an
5144 intersegment direct JMP instruction whose target is the actual beginning of
5145 a system initialization or restart program.
5147 Some of the steps normally performed by a system initialization routine are
5148 as follows:
5150 ■ Allocate a stack.
5152 ■ Load programs and data from secondary storage into memory.
5154 ■ Initialize external devices.
5156 ■ Enable interrupts (i.e., set the IF bit of the FLAGS register). Set
5157 any other desired FLAGS bit as well.
5159 ■ Set the appropriate MSW flags if a processor extension is present, or
5160 if processor extension functions are to be emulated by software.
5162 ■ Set other registers, as appropriate, to the desired initial values.
5164 ■ Execute. (Ordinarily, this last step is performed as an intersegment
5165 JMP to the main system program.)
5168 Table 5-3. Processor State after RESET
5170 Register Contents
5171 FLAGS 0002
5172 MSW FFF0
5173 IP FFF0
5174 CS F000
5175 DS 0000
5176 SS 0000
5177 ES 0000
5180 Chapter 6 Memory Management and Virtual Addressing
5182 ───────────────────────────────────────────────────────────────────────────
5184 In Protected Virtual Address Mode, the 80286 provides an advanced
5185 architecture that retains substantial compatibility with the 8086 and other
5186 processors in the 8086 family. In many respects, the baseline architecture
5187 of the processor remains constant regardless of the mode of operation.
5188 Application programmers continue to use the same set of instructions,
5189 addressing modes, and data types in Protected Mode as in Real Address Mode.
5191 The major difference between the two modes of operation is that the
5192 Protected Mode provides system programmers with additional architectural
5193 features, supplementary to the baseline architecture, that can be used to
5194 good advantage in the design and implementation of advanced systems.
5195 Especially noteworthy are the mechanisms provided for memory management,
5196 protection, and multitasking.
5198 This chapter focuses on the memory management mechanisms of Protected Mode;
5199 the concept of a virtual address and the process of virtual-to-physical
5200 address translation are described in detail in this chapter. Subsequent
5201 chapters deal with other key aspects of Protected Mode operation. Chapter 7
5202 discusses the issue of protection and the integrated mechanisms that
5203 support a system-wide protection policy. Chapter 8 discusses the notion of
5204 a task and its central role in the 80286 architecture. Chapters 9, 10, and
5205 11 discuss certain additional topics──interrupt handling, special
5206 instructions, system initialization, etc.──that complete the system
5207 programmer's view of 80286 Protected Mode.
5210 6.1 Memory Management Overview
5212 A memory management scheme interposes a mapping operation between logical
5213 addresses (i.e., addresses as they are viewed by programs) and physical
5214 addresses (i.e., actual addresses in real memory). Since the logical address
5215 spaces are independent of physical memory (dynamically relocatable), the
5216 mapping (the assignment of real address space to virtual address space) is
5217 transparent to software. This allows the program development tools (for
5218 static systems) or the system software (for reprogrammable systems) to
5219 control the allocation of space in real memory without regard to the
5220 specifics of individual programs.
5222 Application programs may be translated and loaded independently since they
5223 deal strictly with virtual addresses. Any program can be relocated to use
5224 any available segments of physical memory.
5226 The 80286, when operated in Protected Mode, provides an efficient on-chip
5227 memory management architecture. Moreover, as described in Chapter 11, the
5228 80286 also supports the implementation of virtual memory systems──that is,
5229 systems that dynamically swap chunks of code and data between real memory
5230 and secondary storage devices (e.g., a disk) independent of and transparent
5231 to the executing application programs. Thus, a program-visible address is
5232 more aptly termed a virtual address rather than a logical address since it
5233 may actually refer to a location not currently present in real memory.
5235 Memory management, then, consists of a mechanism for mapping the virtual
5236 addresses that are visible to the program onto the physical addresses of
5237 real memory. With the 80286, segmentation is the key to virtual memory
5238 addressing. Virtual memory is partitioned into a number of individual
5239 segments, which are the units of memory that are mapped into physical memory
5240 and swapped to and from secondary storage devices. Most of this chapter is
5241 devoted to a detailed discussion of the mapping and virtual memory
5242 mechanisms of the 80286.
5244 The concept of a task also plays a significant role in memory management
5245 since distinct memory mappings may be assigned to the different tasks in a
5246 multitask or multi-user environment. A complete discussion of tasks is
5247 deferred until Chapter 8, "Tasks and State Transition." For present
5248 purposes, it is sufficient to think of a task as an ongoing process, or
5249 execution path, that is dedicated to a particular function. In a multi-user
5250 time-sharing environment, for example, the processing required to interact
5251 with a particular user may be considered as a single task, functionally
5252 independent of the other tasks (i.e., users) in the system.
5255 6.2 Virtual Addresses
5257 In Protected Mode, application programs deal exclusively with virtual
5258 addresses; programs have no access whatsoever to the actual physical
5259 addresses generated by the processor. As discussed in Chapter 2, an address
5260 is specified by a program in terms of two components: (1) a 16-bit
5261 effective address offset that determines the displacement, in bytes, of a
5262 location within a segment; and (2) a 16-bit segment selector that uniquely
5263 references a particular segment. Jointly, these two components constitute a
5264 complete 32-bit address (pointer data type), as shown in figure 6-1.
5266 These 32-bit virtual addresses are manipulated by programs in exactly the
5267 same way as the two-component addresses of Real Address Mode. After a
5268 program loads the segment selector component of an address into a segment
5269 register, each subsequent reference to locations within the selected
5270 segment requires only a 16-bit offset be specified. Locality of reference
5271 will ordinarily insure that addresses can be specified very efficiently
5272 using only 16-bit offsets.
5274 An important difference between Real Address Mode and Protected Mode,
5275 however, concerns the actual format and information content of segment
5276 selectors. In Real Address Mode, as with the 8086 and other processors in
5277 the 8086 family, a 16-bit selector is merely the upper bits of a segment's
5278 physical base address. By contrast, segment selectors in Protected Mode
5279 follow an entirely different format, as illustrated by figure 6-1.
5281 Two of the selector bits, designated as the RPL field in figure 6-1, are
5282 not actually involved in the selection and specification of segments; their
5283 use is discussed in Chapter 7.
5285 The remaining 14 bits of the selector component uniquely designate a
5286 particular segment. The virtual address space of a program, therefore, may
5287 encompass as many as 16,384 (2^(14)) distinct segments. Segments themselves
5288 are of variable size, ranging from as small as a single byte to as large as
5289 64K (2^(16)) bytes. Thus, a program's virtual address space may contain,
5290 altogether, up to a full gigabyte (2^(30) = 2^(14) * 2^(16)) of individually
5291 addressable byte locations.
5293 The entirety of a program's virtual address space is further subdivided
5294 into two separate halves, as distinguished by the TI ("table indicator") bit
5295 in the virtual address. These two halves are the global address space and
5296 the local address space.
5298 The global address space is used for system-wide data and procedures
5299 including operating system software, library routines, runtime language
5300 support and other commonly shared system services. (To application programs,
5301 the operating system appears to be a set of service routines that are
5302 accessible to all tasks.) Global space is shared by all tasks to avoid
5303 unnecessary replication of system service routines and to facilitate shared
5304 data and interrupt handling. Global address space is defined by addresses
5305 with a zero in the TI bit position; it is identically mapped for all tasks
5306 in the system.
5308 The other half of the virtual address space──comprising those addresses
5309 with the TI bit set──is separately mapped for each task in the system.
5310 Because such an address space is local to the task for which it is defined,
5311 it is referred to as a local address space. In general, code and data
5312 segments within a task's local address space are private to that particular
5313 task or user. Figure 6-2 illustrates the task isolation made possible by
5314 partitioning the virtual address spaces into local and global regions.
5316 Within each of the two regions addressable by a program──either the global
5317 address space or a particular local address space──as many as 8,192 (2^(13))
5318 distinct segments may be defined. The INDEX field of the segment selector
5319 allows for a unique specification of each of these segments. This 13-bit
5320 quantity acts as an index into a memory-resident table, called a descriptor
5321 table, that records the mapping between segment address and the physical
5322 locations allocated to each distinct segment. (These descriptor tables, and
5323 their role in virtual-to-physical address translation, are described in the
5324 sections that follow.)
5326 In summary, a Protected Mode virtual address is a 32-bit pointer to a
5327 particular byte location within a one-gigabyte virtual address space. Each
5328 such pointer consists of a 16-bit selector component and a 16-bit offset
5329 component. The selector component, in turn, comprises a 13-bit table index,
5330 a 1-bit table indicator (local versus global), and a 2-bit RPL field; all
5331 but this last field serve to select a particular segment from among the 16K
5332 segments in a task's virtual address space. The offset component of a full
5333 pointer is an unsigned 16-bit integer that specifies the desired byte
5334 location within the selected segment.
5337 Figure 6-1. Format of the Segment Selector Component
5339 32-BIT POINTER
5340 ┌───────────────────┴───────────────────┐
5341 31 16 15 0
5342 ╔════════════════════╤════════════════════╗
5343 ║ SEGMENT SELECTOR │ SEGMENT OFFSET ║
5344 ╚════════════════════╧════════════════════╝
5345 │ │
5346 │ │
5347 │ │
5348 ┌──┘ └───────────────────────┐
5349 15 3 2 1 0
5350 ╔══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╤══╗
5351 ║ INDEX │TI│ RPL ║
5352 ╚══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╧══╝
5353 └───────────────────────┬───────────────────────┘
5354 SELECTOR
5357 Figure 6-2. Address Spaces and Task Isolation
5359 ┌──────────────┐
5360 │ ╔══════════╗ │
5361 │ ║TASK 1 ║ │
5362 │ ║LOCAL ║ │
5363 TASK 3 │ ║ADDRESS ║ │
5364 VIRTUAL ADDRESS SPACE ┐ │ ║SPACE ║ │◄────TASK 1
5365 ▼ │ ╚══════════╝ │ VIRTUAL ADDRESS SPACE
5366 ┌─────────────│──────────────│┐
5367 │ ╔══════════╗│┌─────────────│───────────────┐
5368 │ ║TASK 3 ║││ ╔════════╗ ││ ╔══════════╗ │
5369 │ ║LOCAL ║││ ║GLOBAL ║ ││ ║TASK 2 ║ │
5370 │ ║ADDRESS ║││ ║ADDRESS ║ ││ ║LOCAL ║ │
5371 │ ║SPACE ║││ ║SPACE ║ ││ ║ADDRESS ║ │
5372 │ ╚══════════╝││ ╚════════╝ ││ ║SPACE ║ │
5373 └─────────────└──────────────┘┘ ╚══════════╝ │
5374 └─────────────────────────────┘
5375
5376 └TASK 2
5377 VIRTUAL ADDRESS SPACE
5380 6.3 Descriptor Tables
5382 A descriptor table is a memory-resident table either defined by program
5383 development tools in a static system or controlled by operating system
5384 software in systems that are reprogrammable. The descriptor table contents
5385 govern the interpretation of virtual addresses. Whenever the 80286 decodes
5386 a virtual address, translating a full 32-bit pointer into a corresponding
5387 24-bit physical address, it implicitly references one of these tables.
5389 Within a Protected Mode system, there are ordinarily several descriptor
5390 tables resident in memory. One of these is the global descriptor table
5391 (GDT); this table provides a complete description of the global address
5392 space. In addition, there may be one or more local descriptor tables
5393 (LDTs), each describing the local address space of one or more tasks.
5395 For each task in the system, a pair of descriptor tables──consisting of the
5396 GDT (shared by all tasks) and a particular LDT (private to the task or to a
5397 group of closely related tasks)──provides a complete description of that
5398 task's virtual address space. The protection mechanism described in Chapter
5399 7, "Protection," ensures that a task is granted access only to its own
5400 virtual address space. In the simplest of system configurations, tasks can
5401 reside entirely within the GDT without the use of local descriptor tables.
5402 This will simplify system software by only requiring maintenance of one
5403 table (the GDT) at the expense of no isolation between tasks. The point is:
5404 the 80286 memory management scheme is flexible enough to accommodate a
5405 variety of implementations and does not require use of all possible
5406 facilities when implementing a system.
5408 The descriptor tables consist of a sequence of 8-byte entries called
5409 descriptors. A descriptor table may contain from 1 to 8192 entries.
5411 Within a descriptor table, two main classes of descriptors are recognized
5412 by the 80286 architecture. The most important of these, from the standpoint
5413 of memory management, are called segment descriptors; these determine the
5414 set of segments that are included within a given address space. The other
5415 class are special-purpose control descriptors──such as call gates and task
5416 descriptors──to implement protection (described in succeeding chapters) and
5417 special system data segments.
5419 Figure 6-3 shows the format of a segment descriptor. Note that it provides
5420 information about the physical-memory base address and size of a segment, as
5421 well as certain access information. If a particular segment is to be
5422 included within a virtual address space, then a segment descriptor that
5423 describes that segment must be included within the appropriate descriptor
5424 table. Thus, within the GDT, there are segment descriptors for all of the
5425 segments that comprise a system's global address space. Similarly, within a
5426 task's LDT, there must be a descriptor for each of the segments that are to
5427 be included in that task's local address space.
5429 Each local descriptor table is itself a special system segment,
5430 recognizable as such by the 80286 architecture and described by a specific
5431 type of segment descriptor (see figure 6-4). Because there is only a single
5432 GDT segment, it is not defined by a segment descriptor. Its base and size
5433 information is maintained in a dedicated register, GDTR, as described below
5434 (section 6.6.2).
5436 Similarly, there is another dedicated register within the 80286, LDTR, that
5437 records the base and size of the current LDT segment (i.e., the LDT
5438 associated with the currently executing task). The LDTR register state,
5439 however, is volatile: its contents are automatically altered whenever a
5440 task switch is made from one task to another. An alternate specification
5441 independent of changeable register contents must therefore exist for each
5442 LDT in the system. This independent specification is accomplished by means
5443 of special system segment descriptors known as descriptor table descriptors
5444 or LDT descriptors.
5446 Figure 6-4 shows the format of a descriptor table descriptor. (Note that it
5447 is distinguished from an ordinary segment descriptor by the contents of
5448 certain bits in the access byte.) This special type of descriptor is used to
5449 specify the physical base address and size of a local descriptor table that
5450 defines the virtual address space and address mapping for an individual user
5451 or task (figure 6-5).
5453 Each LDT segment in a system must lie within that system's global address
5454 space. Thus, all of the descriptor table descriptors must be included among
5455 the entries in the global descriptor table (the GDT) of a system. In fact,
5456 these special descriptors may appear only in the GDT. Reference to an LDT
5457 descriptor within an LDT will cause a protection violation. Even though
5458 they are in the global address space available to all tasks, the descriptor
5459 table descriptors are protected from corruption within the GDT since they
5460 are special system segments and can only be accessed for loading into the
5461 LDTR register.
5464 Figure 6-3. Segment Descriptors (S=1)
5466 7 0 7 0
5467 ╔═══════════════════════════════╤════════════════════════════════╗
5468 +7║ INTEL RESERVED
5469 Must be set to 0 for compatibility with iAPX 386 MUST BE 0 ║+6
5470 ACCESS ╟───┬───────┬───┬───────────┬───┬────────────────────────────────╢
5471 +5║ P │ DPL │S=1│ TYPE │ A │ BASE{23-16} ║+4
5472 RIGHTS ╟───┴───┴───┴───┴───┴───┴───┴───┴────────────────────────────────╢
5473 +3║ BASE{15-0} ║+2
5474 BYTES ╟────────────────────────────────────────────────────────────────╢
5475 +1║ LIMIT{15-0} ║ 0
5476 ╚═══════════════════════════════╧════════════════════════════════╝
5477 15 8 7 0
5479 ACCESS RIGHTS BYTES:
5480 P = PRESENT
5481 DPL = DESCRIPTOR PRIVILEGE LEVEL
5482 S = SEGMENT DESCRIPTOR
5483 TYPE = SEGMENT TYPE AND ACCESS INFORMATION
5484 (see Figure 6-7)
5485 A = ACCESSED
5488 Figure 6-4. Special Purpose Descriptors or System Segment Descriptors (S=1)
5490 7 0 7 0
5491 ╔═══════════════════════════════╤════════════════════════════════╗
5492 +7║ INTEL RESERVED
5493 Must be set to 0 for compatibility with iAPX 386 MUST BE 0 ║+6
5494 ╟───┬───────┬───┬───────────────┬────────────────────────────────╢
5495 +5║ P │ DPL │S=1│ TYPE │ BASE{23-16} ║+4
5496 ╟───┴───┴───┴───┴───┴───┴───┴───┴────────────────────────────────╢
5497 +3║ BASE{15-0} ║+2
5498 ║───────────────────────────────┴────────────────────────────────║
5499 +1║ LIMIT{15-0} ║ 0
5500 ╚═══════════════════════════════╧════════════════════════════════╝
5501 15 8 7 0
5503 ACCESS RIGHTS BYTES:
5504 P = PRESENT
5505 DPL = DESCRIPTOR PRIVILEGE LEVEL
5506 S = SEGMENT DESCRIPTOR
5507 TYPE = SEGMENT TYPE AND ACCESS INFORMATION
5508 (Includes control and system segments)
5510 0 = INVALID DESCRIPTOR
5511 1 = AVAILABLE TASK STATE SEGMENT
5512 2 = LDT DESCRIPTOR
5513 3 = BUSY TASK STATE SEGMENT
5514 4-7 = CONTROL DESCRIPTOR (see Chapter 7)
5515 8 = INVALID DESCRIPTOR (reserved by Intel)
5516 9-F = RESERVED BY INTEL
5518 Figure 6-5. LDT Descriptors
5520 • •
5521 • • ║ ║
5522 ┌─►║ ║ ┌─►╠═══════════════╣
5523 │ ≈ ≈ │ ║ ║
5524 • • │ ║ ║ │ ║ ONE ║
5525 ║ ║ │ ╠═════════════════╣ │ ║ SEGMENT ║
5526 ╠═════════════════╣ │ ║ RESERVED ZERO ║ │ ║ OF THE ║SEGMENT
5527 ║ RESERVED ZERO ║ │ ╠════════╤════════╣┐ │ ║ TASKS ║LIMIT
5528 ╠════════╤════════╣┐ │ ║ │BASE{23-16} │ ║ LOCAL ║
5529 ║ │BASE{23-16} │ ╠════════╧════════╣├─┐ │ ║ (private) ║
5530 ╠════════╧════════╣├─┐ │ ║ BASE{15-0} ║│ │ │ ║ ADDRESS ║
5531 ║ BASE{15-0} ║│ │ │ ╠═════════════════╣┘ │ │ ║ SPACE ║
5532 ╠═════════════════╣┘ │ │ ║ BASE{15-0} ╟──│─┘ ║ ║
5533 ║ LIMIT{15-0} ╟──│─┘ ╠═════════════════╣ └───►╠═══════════════╣SEGMENT
5534 ╠═════════════════╣ │ ║ ║ ║ ║BASE
5535 ║ LDT ║ │ ║ ║ ║ ║
5536 • DESCRIPTION IN • │ ║ ║ ║ ║
5537 THE GDT IN MEMORY │ ╠═════════════════╣ ║ ║
5538 │ ≈ ≈ ║ ║
5539 │ ║ ║ ║ ║
5540 └───►╠═════════════════╣ ║ ║
5541 ║ DESCRIPTOR ║ ║ SEGMENT ║
5542 • TABLES IN RAM • • IN RAM •
5545 6.4 Virtual-to-Physical Address Translation
5547 The translation of a full 32-bit virtual address pointer into a real 24-bit
5548 physical address is shown by figure 6-6. When the segment's base address is
5549 determined as a result of the mapping process, the offset value is added to
5550 the result to obtain the physical address.
5552 The actual mapping is performed on the selector component of the virtual
5553 address. The 16-bit segment selector is mapped to a 24-bit segment base
5554 address via a segment descriptor maintained in one of the descriptor tables.
5556 The TI bit in the segment selector (see figure 6-1) determines which of two
5557 descriptor tables, either the GDT or the current LDT, is to be chosen for
5558 memory mapping. In either case, using the GDTR or LDTR register, the
5559 processor can readily determine the physical base address of the
5560 memory-resident table.
5562 The INDEX field in the segment selector specifies a particular descriptor
5563 entry within the chosen table. The processor simply multiplies this index
5564 value by 8 (the length of a descriptor), and adds the result to the base
5565 address of the descriptor table in order to access the appropriate segment
5566 descriptor in the table.
5568 Finally, the segment descriptor contains the physical base address of the
5569 target segment, as well as size (limit) and access information. The
5570 processor sums the 24-bit segment base and the specified 16-bit offset to
5571 generate the resulting 24-bit physical address.
5574 Figure 6-6. Virtual-to-Physical Address Translation
5576 ╔═════════════════════════════════════════════════════╗
5577 ║ VIRTUAL ADDRESS ║
5578 ║ ╔════════════════════════╤════════════════════════╗ ║ • TARGET •
5579 ║ ║ SELECTOR │ OFFSET ║ ║ ║ SEGMENT ║
5580 ║ ╚════╤═══════════╤═══════╧═════╤══════════════════╝ ║ ║ ║
5581 ╚══════│═══════════│═════════════│════════════════════╝ ║ ║
5582 │ │ TI ▼ ║ ║
5583 │ │ ╔═╗ ╟─────────╢
5584 │ ▼ ║+╟───────────────────────►║ DATUM ║
5585 │ DESCRIPTOR ╚═╝ PHYSICAL ADDRESS ╟─────────╢
5586 │ • TABLE • ▲ ║ ║
5587 │ ╠════════════╣ │ ║ ║
5588 │ ≈ ≈ │ ║ ║
5589 │ ╟────────────╢ │ ║ ║
5590 │ ║ SEGMENT ║ │ SEGMENT BASE ║ ║
5591 ▼ ║ DESCRIPTOR ╟──────┴────────────────────────►╠═════════╣
5592 ─ ─ ─ ─ ─ ─ ╫────────────╢ ║ ║
5593 INDEX ▲ ≈ ≈ • •
5594 ─ ─ ─ ┴ ─ ─ ╫════════════╣
5595 • •
5598 6.5 Segments and Segment Descriptors
5600 Segments are the basic units of 80286 memory management. In contrast to
5601 schemes based on fixed-size pages, segmentation allows for a very efficient
5602 implementation of software: variable-length segments can be tailored to the
5603 exact requirements of an application. Segmentation, moreover, is consistent
5604 with the way a programmer naturally deals with his virtual address space:
5605 programmers are encouraged to divide code and data into clearly defined
5606 modules and structures which are manipulated as consistent entities. This
5607 reduces (minimizes) the potential for virtual memory thrashing.
5608 Segmentation also eliminates the restrictions on data structures that span a
5609 page (e.g., a word that crosses page boundaries).
5611 Each segment within an 80286 system is defined by an associated segment
5612 descriptor, which may appear in one or more descriptor tables. Its inclusion
5613 within a descriptor table represents the presence of its associated segment
5614 within the virtual address space defined by that table. Conversely, its
5615 ommission from a descriptor table means that the segment is absent from the
5616 corresponding address space.
5618 As shown previously in figure 6-3, an 8-byte segment descriptor encodes the
5619 following information about a particular segment:
5621 ■ Size. This 16-bit field, comprising bytes 0 and 1 of a segment
5622 descriptor, specifies an unsigned integer as the size, in bytes (from 1
5623 byte to 64K bytes), of the segment.
5625 Unlike segments in the 8086 (or the 80286 in Real Address Mode)──which
5626 are never explicitly limited to less than a full 64K bytes──Protected
5627 Mode segments are always assigned a specific size value. In conjunction
5628 with the protection features described in Chapter 7, this assigned
5629 size allows the enforcement of a very desirable and natural rule:
5630 inadvertent accesses to locations beyond a segment's actual boundaries
5631 are prohibited.
5633 ■ Base. This 24-bit field, comprising bytes 2 through 4 of a segment
5634 descriptor, specifies the physical base address of the segment; it thus
5635 defines the actual location of the segment within the 16-megabyte real
5636 memory space. The base may be any byte address within the 16-megabyte
5637 real memory space.
5639 ■ Access. This 8-bit field comprises byte 5 of a segment descriptor.
5640 This access byte specifies a variety of additional information about a
5641 segment, particularly in regard to the protection features of the
5642 80286. For example, code segments are distinguished from data
5643 segments; and certain special access restrictions (such as Execute-Only
5644 or Read-Only) may be defined for segments of each type. Access byte
5645 values of 00H or 80H will always denote "invalid."
5647 Figure 6-7 shows the access byte format for both code and data segment
5648 descriptors. Detailed discussion of the protection related fields within an
5649 access byte (Conforming, Execute-Only, Descriptor Privilege Level, Expand
5650 Down, and Write-Permitted), and their use in implementing protection
5651 policies, is deferred to Chapter 7. The two fields Accessed and Present are
5652 used for virtual memory implementations.
5655 Figure 6-7. Segment Descriptor Access Bytes
5657 CODE SEGMENT TYPE
5658 MSB ┌─────┴─────┐LSB
5659 ╔═══╤═════╤═══╤═══╤═══╤═══╤═══╗
5660 ║ P │ DPL │ 1 │ 1 │ C │ R │ A ║
5661 ╚═══╧═════╧═══╧═══╧═══╧═══╧═══╝
5662 ▲ └──┬──┘ ▲ ▲ ▲ ▲ ▲
5663 PRESENT (1 = yes)────────────────────────┘ ▲ │ │ │ │ │
5664 DESCRIPTOR PRIVILEGE LEVEL────────────────────┘ │ │ │ │ │
5665 (indicates segment descriptor)─────────────────────┘ │ │ │ │
5666 EXECUTABLE (1 = yes for code)──────────────────────────┘ │ │ │
5667 CONFORMING (1 = yes)───────────────────────────────────────┘ │ │
5668 READABLE (1 = yes)─────────────────────────────────────────────┘ │
5669 ACCESSED (1 = yes)─────────────────────────────────────────────────┘
5671 DATA OR STACK SEGMENT
5672 MSB LSB
5673 ╔═══╤═════╤═══╤═══╤════╤═══╤═══╗
5674 ║ P │ DPL │ 1 │ 0 │ ED │ W │ A ║
5675 ╚═══╧═════╧═══╧═══╧════╧═══╧═══╝
5676 ▲ ▲ ▲ ▲ ▲ ▲ ▲
5677 PRESENT (1 = yes)───────────────────────┘ │ │ │ │ │ │
5678 DESCRIPTOR PRIVILEGE LEVEL───────────────────┘ │ │ │ │ │
5679 (indicates segment descriptor)────────────────────┘ │ │ │ │
5680 EXECUTABLE (0 = no for data) ────────────────────────┘ │ │ │
5681 CONFORMING (1 = yes)──────────────────────────────────────┘ │ │
5682 WRITEABLE (1 = yes)────────────────────────────────────────────┘ │
5683 ACCESSED (1 = yes)─────────────────────────────────────────────────┘
5686 6.6 Memory Management Registers
5688 The Protected Virtual Address Mode features of the 80286 operate at high
5689 performance due to extensions to the basic 8086 register set. Figure 6-8
5690 illustrates that portion of the extended register structure that pertains to
5691 memory management. (For a complete summary of all Protected Mode registers,
5692 refer to section 10.1).
5695 6.6.1 Segment Address Translation Registers
5697 Figure 6-8 shows the segment registers CS, DS, ES, and SS. In contrast to
5698 their usual representation, however, these registers are now depicted as
5699 64-bit registers, each with "visible" and "hidden" components.
5701 The visible portions of these segment address translation registers are
5702 manipulated by programs exactly as if they were simply the 16-bit segment
5703 registers of Real Address Mode. By loading a segment selector into one of
5704 these registers, the program makes the associated segment one of its four
5705 currently addressable segments.
5707 The operations that load these registers──or, more exactly, those that load
5708 the visible portion of these registers──are normal program instructions.
5709 These instructions may be divided into two categories:
5711 1. Direct segment-register load instructions. These instructions (such
5712 as LDS, LES, MOV, POP, etc.) can explicitly reference the SS, DS, or
5713 ES segment registers as the destination operand.
5715 2. Implied segment-register load instructions. These instructions (such
5716 as intersegment CALL and JMP) implicitly reference the CS code segment
5717 register; as a result of these operations, the contents of CS are
5718 altered.
5720 Using these instructions, a program loads the visible part of the segment
5721 register with a 16-bit selector (i.e., the high-order word of a virtual
5722 address pointer). Whenever this is done, the processor automatically uses
5723 the selector to reference the appropriate descriptor and loads the 48-bit
5724 hidden descriptor cache for that segment register.
5726 The correspondence between selectors and descriptors has already been
5727 described. Remember that the selector's TI bit indicates one of the two
5728 descriptor tables, either the LDT or the GDT. Within the indicated table, a
5729 particular entry is chosen by the selector's 13-bit INDEX field. This
5730 index, scaled by a factor of 8, represents the relative displacement of the
5731 chosen table entry (a descriptor).
5733 Thus, so long as a particular selector value is valid (i.e., it points to a
5734 valid segment descriptor within the bounds of the descriptor table), it can
5735 be readily associated with an 8-byte descriptor. When a selector value is
5736 loaded into the visible part of a segment register, the 80286 automatically
5737 loads 6 bytes of the associated descriptor into the hidden part of the
5738 register. These 6 bytes, therefore, contain the size, base, and access type
5739 of the selected segment. Figure 6-9 illustrates this transparent process of
5740 descriptor loading.
5742 In effect, the hidden descriptor fields of the segment registers function
5743 as the memory management cache of the 80286. All the information required to
5744 address the current working set of segments──that is, the base address,
5745 size, and access rights of the currently addressable segments──is stored in
5746 this memory cache. Unlike the probabilistic caches of other architectures,
5747 however, the 80286 cache is completely deterministic: the caching of
5748 descriptors is explicitly controlled by the program.
5750 Most memory references do not require the translation of a full 32-bit
5751 virtual address, or long pointer. Operands that are located within one of
5752 the currently addressable segments, as determined by the four segment
5753 registers, can be referenced very efficiently by means of a short pointer,
5754 which is simply a 16-bit offset.
5756 In fact, most 80286 instructions reference memory locations in precisely
5757 this way, specifying only a 16-bit offset with respect to one of the
5758 currently addressable segments. The choice of segments (CS, DS, ES, or SS)
5759 is either implicit within the instruction itself, or explicitly specified
5760 by means of a segment-override prefix (as described in Chapter 2).
5762 Thus, in most cases, virtual-to-physical address translation is actually
5763 performed in two separate steps. First, when a program loads a new value
5764 into a segment register, the processor immediately performs a mapping
5765 operation; the physical base address of the selected segment (as well as
5766 certain additional information) is automatically loaded into the hidden
5767 portion of the register. The internal cache registers (virtual address
5768 translation hardware) are therefore dynamically shared among the 16K
5769 different segments potentially addressable within the user's virtual address
5770 space. No software overhead (either system or application) is required to
5771 perform this operation.
5773 Subsequently, as the program utilizes a short pointer to reference a
5774 location within a segment, the processor generates a 24-bit physical address
5775 simply by adding the specified offset value to the previously cached segment
5776 base address. By encouraging the use of short pointers in this way, rather
5777 than requiring a full 32-bit virtual address for every memory reference, the
5778 80286 provides a very efficient on-chip mechanism for address translation,
5779 with minimum overhead for references to memory-based tables or the need for
5780 external address-translation devices.
5783 Figure 6-8. Memory Management Registers
5785 SEGMENT ADDRESS TRANSLATION REGISTERS
5787 16-BIT 48-BIT HIDDEN DESCRIPTOR CACHE
5788 SELECTOR (PROGRAM INVISIBLE──LOADED BY CPU)
5789 ╔═════════╤══════╤══════════════════╤══════════════╗
5790 CS║ │ │ │ ║CODE SEGMENT REGISTER
5791 ╟─────────┼──────┼──────────────────┼──────────────╢
5792 DS║ │ │ │ ║DATA SEGMENT REGISTER
5793 ╟─────────┼──────┼──────────────────┼──────────────╢
5794 ES║ │ │ │ ║EXTRA SEGMENT REGISTER
5795 ╟─────────┼──────┼──────────────────┼──────────────╢
5796 SS║ │ │ │ ║STACK SEGMENT REGISTER
5797 ╚═════════╧══════╧══════════════════╧══════════════╝
5798 63 48 47 40 39 16 15 0
5799 ACCESS SEGMENT BASE SEGMENT
5800 RIGHTS ADDRESS SIZE
5803 SYSTEM ADDRESS REGISTERS
5805 40-BIT EXPLICIT REGISTER
5806 ╔═════════════════╤══════════╗
5807 GDTR ║ ║GLOBAL DESCRIPTOR TABLE REGISTER
5808 ╟─────────────────┼──────────╢
5809 IDTR ║ ║INTERRUPT DESCRIPTOR TABLE REGISTER
5810 ╚═════════════════╧══════════╝
5811 39 16 15 0
5812 BASE LIMIT
5815 16-BIT
5816 VISIBLE 40-BIT HIDDEN
5817 SELECTOR DESCRIPTOR CACHE
5818 ╔══════════╤═════════════════╤══════════╗
5819 LDTR║ │ ║LOCAL DESCRIPTOR TABLE REGISTER
5820 ╚══════════╧═════════════════╧══════════╝
5821 55 40 39 16 15 0
5822 BASE LIMIT
5825 Figure 6-9. Descriptor Loading
5827 ┌── ── ── ── ── ── ── ── ── ── ── ─┐
5828 │ CPU │
5829 APPLICATION DESCRIPTOR • •
5830 │ VISIBLE CACHE │ ║ SYSTEM ║
5831 ┌────┴─────┐ ┌────┴─────┐ ║ MEMORY ║
5832 │ SEGMENT SEGMENT │ ║ ║
5833 REGISTER DESCRIPTOR ║ ║
5834 │ ╔══════════╗ ╔══════════╗ │ ║ ║
5835 ║ SELECTOR ║ ║ TYPE ║ ║ ║
5836 │ ╚═════╤════╝ ╟──────────╢ │ ║ ║
5837 ║ BASE ║ ║ ║
5838 │ │ ╟──────────╢ │ ≈ ≈
5839 ║ LIMIT ║ ║ ║
5840 │ │ ╚══════════╝ │ ║ ║
5841 ▲ ║ ║
5842 │ │ │TRANSPARENT│ ║ ║
5843 │DESCRIPTOR ╠═══════════════╣─┐
5844 │ │ │LOADING │ ║ ║ │
5845 └───────────────╫───────────────╢ │
5846 │ │ │ ║ ║ ├─DESCRIPTOR
5847 ───────────────►╟───────────────╢ │ TABLE
5848 │ └── ── ── ── ── ► ▲ INDEX │ ║ ║ │
5849 ┌ ── ── ── ── ── ─┴ ── ── ── ►╠═══════════════╣─┘
5850 │ │ ║ ║
5851 ╔═════╧════╗ ║ ║
5852 │ ║DESCRIPTOR║ │ ║ ║
5853 ║TABLE BASE║ ║ ║
5854 │ ╚══════════╝ │ • •
5855 └── ── ── ── ── ── ── ── ── ── ── ──┘
5858 6.6.2 System Address Registers
5860 The Global Descriptor Table Register (GDTR) is a dedicated 40-bit (5 byte)
5861 register used to record the base and size of a system's global descriptor
5862 table (GDT). Thus, two of these bytes define the size of the GDT, and three
5863 bytes define its base address.
5865 In figure 6-8, the contents of the GDTR are referred to as a "hidden
5866 descriptor." The term "descriptor" here emphasizes the analogy with the
5867 segment descriptors ordinarily found in descriptor tables. Just as these
5868 descriptors specify the base and size (limit) of ordinary segments, the
5869 GDTR register specifies these same parameters for that segment of memory
5870 serving as the system GDT. The limit prevents accesses to descriptors in the
5871 GDT from accessing beyond the end of the GDT and thus provides address space
5872 isolation at the system level as well as at the task level.
5874 The register contents are "hidden" only in the sense that they are not
5875 accessible by means of ordinary instructions. Instead, the dedicated
5876 protected instructions LGDT and SGDT are reserved for loading and storing,
5877 respectively, the contents of the GDTR at Protected Mode initialization
5878 (refer to section 10.2 for details). Subsequent alteration of the GDT base
5879 and size values is not recommended but is a system option at the most
5880 privileged level of software (see section 7.3 for a discussion of privilege
5881 levels).
5883 The Local Descriptor Table Register (LDTR) is a dedicated 40-bit register
5884 that contains, at any given moment, the base and size of the local
5885 descriptor table (LDT) associated with the currently executing task. Unlike
5886 GDTR, the LDTR register contains both a "visible" and a "hidden" component.
5887 Only the visible component is accessible, while the hidden component remains
5888 truly inaccessible even to dedicated instructions.
5890 The visible component of the LDTR is a 16-bit "selector" field. The format
5891 of these 16 bits corresponds exactly to that of a segment selector in a
5892 virtual address pointer. Thus, it contains a 13-bit INDEX field, a 1-bit TI
5893 field, and a 2-bit RPL field. The TI "table indicator" bit must be zero,
5894 indicating a reference to the GDT (i.e., to global address space). The INDEX
5895 field consequently provides an index to a particular entry within the GDT.
5896 This entry, in turn, must be an LDT descriptor (or descriptor table
5897 descriptor), as defined in the previous section. In this way, the visible
5898 "selector" field of the LDTR, by selecting an LDT descriptor, uniquely
5899 designates a particular LDT in the system.
5901 The dedicated, protected instructions LLDT and SLDT are reserved for
5902 loading and storing, respectively, the visible selector component of the
5903 LDTR register (refer to section 10.2 for details). Whenever a new value is
5904 loaded into the visible "selector" portion of LDTR, an LDT descriptor will
5905 have been uniquely chosen (assuming, of course, that the "selector" value is
5906 valid). In this case, the 80286 automatically loads the hidden "descriptor"
5907 portion of LDTR with five bytes from the chosen LDT descriptor. Thus, size
5908 and base information about a particular LDT, as recorded in a
5909 memory-resident global descriptor table entry, is cached in the LDTR
5910 register.
5912 New values may be loaded into the visible portion of the LDTR (and, thus,
5913 into the hidden portion as well) in either of two ways. The LLDT
5914 instruction, during system initialization, is used explicitly to set an
5915 initial value for the LDTR register; in this way, a local address space is
5916 provided for the first task in a multitasking environment. After system
5917 startup, explicit changes are not required since operations that
5918 automatically invoke a task switch (described in section 8.4) appropriately
5919 manage the LDTR.
5921 At all times, the LDTR register thus records the physical base address (and
5922 size) of the current task's LDT; the descriptor table required for mapping
5923 the current local address space, therefore, is immediately accessible to the
5924 processor. Moreover, since GDTR always maintains the base address of the
5925 GDT, the table that maps the global address space is similarly accessible.
5926 The two system address registers, GDTR and LDTR, act as a special processor
5927 cache, maintaining current information about the two descriptor tables
5928 required, at any given time, for addressing the entire current virtual
5929 address space.
5932 Chapter 7 Protection
5934 ───────────────────────────────────────────────────────────────────────────
5936 7.1 Introduction
5938 In most microprocessor based products, the product's availability, quality,
5939 and reliability are determined by the software it contains. Software is
5940 often the key to a product's success. Protection is a tool used to shorten
5941 software development time, and improve software quality and reliability.
5943 Program testing is an important step in developing software. A system with
5944 protection will detect software errors more quickly and accurately than a
5945 system without protection. Eliminating errors via protection reduces the
5946 development time for a product.
5948 Testing software is difficult. Many errors occur only under complex
5949 circumstances which are difficult to anticipate. The result is that products
5950 are shipped with undetected errors. When such errors occur, products appear
5951 unreliable. The impact of a software error is multiplied if it introduces
5952 errors in other bug-free programs. Thus, the total system reliability
5953 reduces to that of the least reliable program running at any given time.
5955 Protection improves the reliability of an entire system by preventing
5956 software errors in one program from affecting other programs. Protection can
5957 keep the system running even when some user program attempts an invalid or
5958 prohibited operation.
5960 Hardware protection performs run-time checks in parallel with the execution
5961 of the program. But, hardware protection has traditionally resulted in a
5962 design that is more expensive and slower than a system without protection.
5963 However, the 80286 provides hardware-enforced protection without the
5964 performance or cost penalties normally associated with protection.
5966 The protected mode 80286 implements extensive protection by integrating
5967 these functions on-chip. The 80286 protection is more comprehensive and
5968 flexible than comparable solutions. It can locate and isolate a large number
5969 of program errors and prevent the propagation of such errors to other tasks
5970 or programs. The protection of the total system detects and isolates bugs
5971 both during development and installed usage. Chapter 9 discusses exceptions
5972 in more detail.
5974 The remaining sections of this chapter explain the protection model
5975 implemented in the 80286.
5978 7.1.1 Types of Protection
5980 Protection in the 80286 has three basic aspects:
5982 1. Isolation of system software from user applications.
5983 2. Isolation of users from each other (Inter-task protection).
5984 3. Data-type checking.
5986 The 80286 provides a four-level, ringed-type, increasingly-privileged
5987 protection mechanism to isolate applications software from various layers of
5988 system software. This is a major improvement and extension over the simpler
5989 two-level user/supervisor mechanism found in many systems. Software modules
5990 in a supervisor level are protected from modules in the application level
5991 and from software in less privileged supervisor levels.
5993 Restricting the addressability of a software module enables an operating
5994 system to control system resources and priorities. This is especially
5995 important in an environment that supports multiple concurrent users.
5996 Multi-user, multi-tasking, and distributed processing systems require this
5997 complete control of system resources for efficient, reliable operation.
5999 The second aspect of protection is isolating users from each other. Without
6000 such isolation an error in one user program could affect the operation of
6001 another error-free user program. Such subtle interactions are difficult to
6002 diagnose and repair. The reliability of applications programs is greatly
6003 enhanced by such isolation of users.
6005 Within a system or application level program, the 80286 will ensure that
6006 all code and data segments are properly used (e.g., data cannot be executed,
6007 programs cannot be modified, and offset must be within defined limits,
6008 etc.). Such checks are performed on every memory access to provide full
6009 run-time error checking.
6012 7.1.2 Protection Implementation
6014 The protection hardware of the 80286 establishes constraints on memory and
6015 instruction usage. The number of possible interactions between instructions,
6016 memory, and I/O devices is practically unlimited. Out of this very large
6017 field the protection mechanism limits interactions to a controlled,
6018 understandable subset. Within this subset fall the list of "correct"
6019 operations. Any operation that does not fall into this subset is not allowed
6020 by the protection mechanism and is signalled as a protection violation.
6022 To understand protection on the 80286, you must begin with its basic parts:
6023 segments and tasks. 80286 segments are the smallest region of memory which
6024 have unique protection attributes. Modular programming automatically
6025 produces separate regions of memory (segments) whose contents are treated as
6026 a whole. Segments reflect the natural construction of a program, e.g., code
6027 for module A, data for module A, stack for the task, etc. All parts of the
6028 segment are treated in the same way by the 80286. Logically separate regions
6029 of memory should be in separate segments.
6031 The memory segmentation model (see figure 7-1) of the 80286 was designed to
6032 optimally execute code for software composed of independent modules. Modular
6033 programs are easier to construct and maintain. Compared to monolithic
6034 software systems, modular software systems have enhanced capabilities, and
6035 are typically easier to develop and test for proper operation.
6037 Each segment in the system is defined by a memory-resident descriptor. The
6038 protection hardware prevents accesses outside the data areas and attempts to
6039 modify instructions, etc., as defined by the descriptors. Segmentation on
6040 the 80286 allows protection hardware to be integrated into the CPU for full
6041 data access control without any performance impact.
6043 The segmented memory architecture of the 80286 provides unique capabilities
6044 for regulating the transfer of control between programs.
6046 Programs are given direct but controlled access to other procedures and
6047 modules. This capability is the heart of isolating application and system
6048 programs. Since this access is provided and controlled directly by the 80286
6049 hardware, there is no performance penalty. A system designer can take
6050 advantage of the 80286 access control to design high-performance modular
6051 systems with a high degree of confidence in the integrity of the system.
6053 Access control between programs and the operating system is implemented via
6054 address space separation and a privilege mechanism. The address space
6055 control separates applications programs from each other while the privilege
6056 mechanism isolates system software from applications software. The
6057 privilege mechanism grants different capabilities to programs to access
6058 code, data, and I/O resources based on the associated protection level.
6059 Trusted software that controls the whole system is typically placed at the
6060 most privileged level. Ordinary application software does not have to deal
6061 with these control mechanisms. They come into play only when there is a
6062 transfer of control between tasks, or if the Operating System routines have
6063 to be invoked.
6065 The protection features of multiple privilege levels extend to ensuring
6066 reliable I/O control. However, for a system designer to enable only one
6067 specific level to do I/O would excessively constrain subsequent extensions
6068 or application development. Instead, the 80286 permits each task to be
6069 assigned a separate minimum level where I/O is allowed. I/O privilege is
6070 discussed in section 10.3.
6072 An important distinction exists between tasks and programs. Programs (e.g.,
6073 instructions in code segments) are static and consist of a fixed set of code
6074 and data segments each with an associated privilege level. The privilege
6075 assigned to a program determines what the program may do when executed by a
6076 task. Privilege is assigned to a program when the system is built or when
6077 the program is loaded.
6079 Tasks are dynamic; they execute one or more programs. Task privilege
6080 changes with time according to the privilege level of the program being
6081 executed. Each task has a unique set of attributes that define it, e.g.,
6082 address space, register values, stack, data, etc. A task may execute a
6083 program if that program appears in the task's address space. The rules of
6084 protection control determine when a program may be executed by a task, and
6085 once executed, determine what the program may do.
6088 Figure 7-1. Addressing Segments of a Module within a Task
6090 ┌─ ── ─┐
6091 ╔══════╗
6092 ║ CODE ║
6093 ╟──────╢ MODULE A
6094 ║ DATA ║
6095 ╚══════╝
6096 CPU │ │
6097 ┌───────────┐ ╔══════╗
6098 │ ╔═══════╗ │ ║ CODE ║
6099 │ ║ CODE ╟─┼─────────────────────────►╟──────╢ MODULE B
6100 │ ╟───────╢ │ ║ DATA ║
6101 │ ║ DATA ╟─┼─────────────────────────►╚══════╝
6102 │ ╟───────╢ │ │ │
6103 │ ║ STACK ╟─┼───────────────┐ ╔══════╗
6104 │ ╟───────╢ │ │ ║ ║ TASK STACK
6105 │ ║ EXTRA ╟─┼───────────┐ └─────────►╚══════╝
6106 │ ╚═══════╝ │ │ │ │
6107 │ SEGMENT │ │ ╔══════╗ TASK
6108 │ REGISTERS │ │ ║ ║ DATA
6109 └───────────┘ └─────────────►╚══════╝ BLOCK 1
6110 │ │
6111 ╔══════╗ TASK
6112 ║ ║ DATA
6113 ╚══════╝ BLOCK 2
6114 └─ ── ─┘
6115 MEMORY
6118 7.2 Memory Management and Protection
6120 The protection hardware of the 80286 is related to the memory management
6121 hardware. Since protection attributes are assigned to segments, they are
6122 stored along with the memory management information in the segment
6123 descriptor. The protection information is specified when the segment is
6124 created. In addition to privilege levels, the descriptor defines the segment
6125 type (e.g., Code segment, Data segment, etc.). Descriptors may be created
6126 either by program development tools or by a loader in a dynamically loaded
6127 reprogrammable environment.
6129 The protection control information consists of a segment type, its
6130 privilege level, and size. These are fields in the access byte of the
6131 segment descriptor (see figure 7-2). This information is saved on-chip in
6132 the programmer invisible section of the segment register for fast access
6133 during execution. These entries are changed only when a segment register is
6134 loaded. The protection data is used at two times: upon loading a segment
6135 register and upon each reference to the selected segment.
6137 The hardware performs several checks while loading a segment register.
6138 These checks enforce the protection rules before any memory reference is
6139 generated. The hardware verifies that the selected segment is valid (is
6140 identified by a descriptor, is in memory, and is accessible from the
6141 privilege level in which the program is executing) and that the type is
6142 consistent with the target segment register. For example, you cannot load a
6143 read-only segment descriptor into SS because the stack must always be
6144 writable.
6146 Each reference into the segment defined by a segment register is checked by
6147 the hardware to verify that it is within the defined limits of the segment
6148 and is of the proper type. For example, a code segment or read-only data
6149 segment cannot be written. All these checks are made before the memory cycle
6150 is started; any violation will prevent that cycle from starting and cause
6151 an exception to occur. Since the checks are performed concurrently with
6152 address formation, there is no performance penalty.
6154 By controlling the access rights and privilege attributes of segments, the
6155 system designer can assure a program will not change its code or overwrite
6156 data belonging to another task. Such assurances are vital to maintaining
6157 system integrity in the face of error-prone programs.
6160 Figure 7-2. Descriptor Cache Registers
6162 ┌─ ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ─┐
6163 PROGRAM VISIBLE │ PROGRAM INVISIBLE │
6165 │ ACCESS │
6166 SEGMENT SELECTORS RIGHTS SEGMENT BASE ADDRESS SEGMENT SIZE
6167 ╔═════════════════╗ │ ╔══════╤══════════════════════╤══════════════╗ │
6168 CS╟─────────────────╢ ╟──────┼──────────────────────┼──────────────╢
6169 DS╟─────────────────╢ │ ╟──────┼──────────────────────┼──────────────╢ │
6170 SS╟─────────────────╢ ╟──────┼──────────────────────┼──────────────╢
6171 ╚═════════════════╝ │ ╚══════╧══════════════════════╧══════════════╝ │
6172 15 0 47 40 39 16 15 0
6173 │ │
6174 SEGMENT REGISTERS SEGMENT DESCRIPTOR CACHE REGISTERS
6175 (loaded by program) │ (loaded by CPU) │
6176 └─ ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ─┘
6179 7.2.1 Separation of Address Spaces
6181 As described in Chapter 6, each task can address up to a gigabyte
6182 (2^(14) - 2 segments of up to 65,536 bytes each) of virtual memory defined
6183 by the task's LDT (Local Descriptor Table) and the system GDT. Up to
6184 one-half gigabyte (2^(13) segments of up to 65,536 bytes each) of the task's
6185 address space is defined by the LDT and represents the task's private
6186 address space. The remaining virtual address space is defined by the GDT and
6187 is common to all tasks in the system.
6189 Each descriptor table is itself a special kind of segment recognized by the
6190 80286 architecture. These tables are defined by descriptors in the GDT
6191 (Global Descriptor Table). The CPU has a set of base and limit registers
6192 that point to the GDT and the LDT of the currently running task. The local
6193 descriptor table register is loaded by a task switch operation.
6195 An active task can only load selectors that reference segments defined by
6196 descriptors in either the GDT or its private LDT. Since a task cannot
6197 reference descriptors in other LDTs, and no descriptors in its LDT refer to
6198 data or code belonging to other tasks, it cannot gain access to another
6199 tasks' private code and data (see figure 7-3).
6201 Since the GDT contains information that is accessible by all users (e.g.,
6202 library routines, common data, Operating System services, etc.), the 80286
6203 uses privilege levels and special descriptor types to control access (see
6204 section 7.2.2). Privilege levels protect more trusted data and code (in GDT
6205 and LDT) from less trusted access (WITHIN a task), while the private virtual
6206 address spaces defined by unique LDTs provide protection BETWEEN tasks (see
6207 figure 7-4).
6210 Figure 7-3. 80286 Virtual Address Space
6212 ╔═════════════════════════════════════╗
6213 ╔═════════════════════════════════╗ ║ ╔═════════════════════════════════╗ ║
6214 ║ ╔══════╗65535 ║ ║ ║ ╔══════╗65535 ║ ║
6215 ║ ║ SEG. ║ ↑ ║ ║ ║ ║ SEG. ║ ↑ ║ ║
6216 ║ ║ ║OFFSET║ ║ ║ ║ ║OFFSET║ ║
6217 ║ 8191╔═════╗ ┌─►╚══════╝0 ↓ ║ ║ ║ 8191╔═════╗ ┌─►╚══════╝0 ↓ ║ ║
6218 ║ ↑ ║ LDT ╟───┘ • ║ ║ ║ ↑ ║ LDT ╟───┘ • ║ ║
6219 ║ ↓ ║ A ╟───┐ • ║ ║ ║ ↓ ║ B ╟───┐ • ║ ║
6220 ║ 0╚═════╝ │ • ║ ║ ║ 0╚═════╝ │ • ║ ║
6221 ║ │ ╔══════╗65535 ║ ║ ║ │ ╔══════╗65535 ║ ║
6222 ║ │ ║ SEG. ║ ↑ ║ ║ ║ │ ║ SEG. ║ ↑ ║ ║
6223 ║ │ ║ ║OFFSET║ ║ ║ │ ║ ║OFFSET║ ║
6224 ║ └─►╚══════╝0 ↓ ║ ║ ║ └─►╚══════╝0 ↓ ║ ║
6225 ╚═════════════════════════════════╝ ║ ╚═════════════════════════════════╝ ║
6226 TASK A PRIVATE ADDRESS SPACE ║ TASK B PRIVATE ADDRESS SPACE ║
6227 ║ ║
6228 ╔═════════════════════════════════╗ ║ ╔═════════════════════════════════╗ ║
6229 ║ ╔══════╗65535 ║ ║ ║ ╔══════╗65535 ║ ║
6230 ║ ║ SEG. ║ ↑ ║ ║ ║ ║ SEG. ║ ↑ ║ ║
6231 ║ ║ ║OFFSET║ ║ ║ ║ ║OFFSET║ ║
6232 ║ 8191╔═════╗ ┌─►╚══════╝0 ↓ ║ ║ ║ 8191╔═════╗ ┌─►╚══════╝0 ↓ ║ ║
6233 ║ ↑ ║ LDT ╟───┘ • ║ ║ ║ ↑ ║ GDT ╟───┘ • ║ ║
6234 ║ ↓ ║ C ╟───┐ • ║ ║ ║ ↓ ║ ╟───┐ • ║ ║
6235 ║ 0╚═════╝ │ • ║ ║ ║ 0╚═════╝ │ • ║ ║
6236 ║ │ ╔══════╗65535 ║ ║ ║ │ ╔══════╗65535 ║ ║
6237 ║ │ ║ SEG. ║ ↑ ║ ║ ║ │ ║ SEG. ║ ↑ ║ ║
6238 ║ │ ║ ║OFFSET║ ║ ║ │ ║ ║OFFSET║ ║
6239 ║ └─►╚══════╝0 ↓ ║ ║ ║ └─►╚══════╝0 ↓ ║ ║
6240 ╚═════════════════════════════════╝ ║ ╚═════════════════════════════════╝ ║
6241 TASK C PRIVATE ADDRESS SPACE ║ SHARED ADDRESS SPACE ║
6242 ╚═════════════════════════════════════╝
6243 TASK B ADDRESS SPACE
6245 Figure 7-4. Local and Global Descriptor Table Definitions
6247 MEMORY
6248 • •
6249 ┌─┬───►╟───────────────╢─┐
6250 │ ╟───────────────╢ │
6251 CPU │ │ ╟───────────────╢ │
6252 ╔═════════════════════╗ │ ║ ∙ ║ │
6253 ║ ║ │ │ ║ ∙ ║ ├─ GDT
6254 ║ 15 0 ║ │ ║ ∙ ║ │
6255 ║ ╔═════════╗ ║ │ │ ╟───────────────╢ │
6256 ║ 23 ║LDT LIMIT╟───╫─┘ ╟───────────────╢ │
6257 ║ ╔═══╨─────────╢ ║ │ ╟───────────────╢ │
6258 GDTR ║ ║ GDT BASE ╟───╫───────►╟───────────────╢─┘
6259 ║ ╚═════════════╝ ║ ║ ║
6260 ║ ║ ║ ║
6261 ╟─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─╢ ║ ║
6262 ║ ║ ║ LDT{1} ║
6263 ║ 15 0 ║ ┌─┬───►╟───────────────╢─┐
6264 ║ ╔══════════╗ ║ │ ╟───────────────╢ │
6265 ║ ║ LDT ║ ║ │ │ ╟───────────────╢ │
6266 ║ ║ SELECTOR ║ ║ │ ║ ∙ ║ │
6267 ║ ╚══════════╝ ║ │ │ ║ ∙ ║ ├─ CURRENT LDT
6268 ║┌─ ── ── ── ── ── ──┐║ │ ║ ∙ ║ │
6269 ║│ 15 0 │║ │ │ ╟───────────────╢ │
6270 ║ ╔═════════╗ ║ │ ╟───────────────╢ │
6271 ║│ 23 ║LDT LIMIT╟──┼╫─┘ │ ╟───────────────╢ │
6272 ║ ╔═══╨─────────╢ ║ ┌────►╟───────────────╢─┘
6273 LDTR ║│ ║ LDT BASE ╟──┼╟──┘ ║ ║
6274 ║ ╚═════════════╝ ║ ║ ║
6275 ║│ PROGRAM INVISIBLE │║ ║ ║
6276 ║└─ ── ── ── ── ── ──┘║ ║ LDT{n} ║
6277 ╚═════════════════════╝ ╟───────────────╢
6278 ╟───────────────╢
6279 ╟───────────────╢
6280 ╟───────────────╢
6281 ║ ∙ ║
6282 ║ ∙ ║
6283 ║ ∙ ║
6284 ╟───────────────╢
6285 ╟───────────────╢
6286 ╟───────────────╢
6287 ╟───────────────╢
6288 ╟───────────────╢
6289 • •
6292 7.2.2 LDT and GDT Access Checks
6294 All descriptor tables have a limit used by the protection hardware to
6295 ensure address space separation of tasks. Each task's LDT can be a different
6296 size as defined by its descriptor in the GDT. The GDT may also contain less
6297 than 8191 descriptors as defined by the GDT limit value. The descriptor
6298 table limit identifies the last valid byte of the last descriptor in that
6299 table. Since each descriptor is eight bytes long, the limit value is
6300 N * 8 - 1 for N descriptors.
6302 Any attempt by a program to load a segment register, local descriptor table
6303 register (LDTR), or task register (TR) with a selector that refers to a
6304 descriptor outside the corresponding limit causes an exception with an error
6305 code identifying the invalid selector used (see figure 7-5).
6307 Not all descriptor entries in the GDT or LDT need contain a valid
6308 descriptor. There can be holes, or "empty" descriptors, in the LDT and GDT.
6309 "Empty" descriptors allow dynamic allocation and deletion of segments or
6310 other system objects without changing the size of the GDT or LDT. Any
6311 descriptor with an access byte equal to zero is considered empty. Any
6312 attempt to load a segment register with a selector that refers to an empty
6313 descriptor will cause an exception with an error code identifying the
6314 invalid selection.
6317 Figure 7-5. Error Code Format (on the stack)
6319 15 3 2 1 0
6320 ╔═══════════════════════════════════════════════════╤═══╤═══╤═══╗
6321 ║ │ T │ I │ E ║
6322 ║ INDEX │ I │ D │ X ║
6323 ║ │ │ T │ T ║
6324 ╚═══════════════════════════════════════════════════╧═╤═╧═╤═╧═╤═╝
6325 └─────────────────────────┬─────────────────────────┘ │ │ │
6326 ┌─────────────────────┘ │ │ │
6327 │ ┌───────────────────────────────────────┘ │ │
6328 │ │ ┌─────────────────────────────┘ │
6329 ▼ ▼ ▼ ▼
6330 ┌───────┐┌─────────┐┌───────────────┐┌─────────────────────────────────────┐
6331 │ Entry ││ 1 means ││ 1 means use ││ 1 means that an event external to │
6332 │ in ││ use ││ IDT and ││ the program caused the exception │
6333 │ IDT, ││ LDT ││ ignore ││ (i.e., external interrupt, single │
6334 │ GDT, ││ 0 means ││ bit 2. ││ step, processor extension error) │
6335 │ or ││ use ││ 0 means bit 2 ││ 0 means that an exception occurred │
6336 │ LDT ││ GDT ││ indicates ││ while processing the instruction │
6337 │ ││ ││ table usage ││ at CS:IP saved on the stack. │
6338 └───────┘└─────────┘└───────────────┘└─────────────────────────────────────┘
6341 7.2.3 Type Validation
6343 After checking that a selector reference is within the bounds of a
6344 descriptor table and refers to a non-empty descriptor, the type of segment
6345 defined by the descriptor is checked against the destination register. Since
6346 each segment register has predefined functions, each must refer to certain
6347 types of segments (see section 7.4.1). An attempt to load a segment
6348 register in violation of the protection rules causes an exception.
6350 The "null" selector is a special type of segment selector. It has an index
6351 field of all zeros and a table indicator of 0. The null selector appears to
6352 refer to GDT descriptor entry #0 (see GDT in figure 7-3). This selector
6353 value may be used as a place holder in the DS or ES segment registers; it
6354 may be loaded into them without causing an exception. However, any attempt
6355 to use the null segment registers to reference memory will cause an
6356 exception and prevent any memory cycle from occurring.
6359 7.3 Privilege Levels and Protection
6361 As explained in section 6.2, each task has its own separate virtual address
6362 space defined by its LDT. All tasks share a common address space defined by
6363 the GDT. The system software then has direct access to task data and can
6364 treat all pointers in the same way.
6366 Protection is required to prevent programs from improperly using code or
6367 data that belongs to the operating system. The four privilege levels of the
6368 80286 provide the isolation needed between the various layers of the system.
6369 The 80286 privilege levels are numbered from 0 to 3, where 0 is the most
6370 trusted level, 3 the least.
6372 Privilege level is a protection attribute assigned to all segments. It
6373 determines which procedures can access the segment. Like access rights and
6374 limit checks, privilege checks are automatically performed by the hardware,
6375 and thus protect both data and code segments.
6377 Privilege on the 80286 is hierarchical. Operating system code and data
6378 segments placed at the most privileged level (0) cannot be accessed directly
6379 by programs at other privilege levels. Programs at privilege level 0 may
6380 access data at all other levels. Programs at privilege levels 1-3 may only
6381 access data at the same or less trusted (numerically greater) privilege
6382 levels. Figure 7-6 illustrates the privilege level protection of code or
6383 data within tasks.
6385 In figure 7-6, programs can access data at the same or outer level, but not
6386 at inner levels. Code and data segments placed at level 1 cannot be accessed
6387 by programs executing at levels 2 or 3. Programs at privilege level 0 can
6388 access data at level 1 in the course of providing service to that level.
6389 80286 provides mechanisms for inter-level transfer of control when needed
6390 (see section 7.5).
6392 The four privilege levels of the 80286 are an extension of the typical
6393 two-level user/supervisor privilege mechanism. Like user mode, application
6394 programs in the outer level are not permitted direct access to data
6395 belonging to more privileged system services (supervisor mode). The 80286
6396 adds two more privilege levels to provide protection for different layers of
6397 system software (system services, I/O drivers, etc.).
6400 Figure 7-6. Code and Data Segments Assigned to a Privilege Level
6402 TASK C
6403 ┌───────────────────────────────────────────────────┐
6404 │ ╔═══════════════════════════════════════════════╗ │
6405 │ ║ APPLICATIONS ║ │
6406 │ ║ ╔═══════════════════════════════════╗ ║ │
6407 │ ║ ║ CUSTOM EXTENSIONS ║ ║ │
6408 │ ║ ║ ╔═══════════════════════╗ ║ ║ │
6409 │ ║ ║ ║ SYSTEM SERVICES ║ ║ ║ │
6410 │ ║ ║ ║ ╔═══════════╗ ║ ║ ║ │
6411 │ ║ ║ ║ ║ KERNAL ║ ║ ║ ║ │
6412 ╞═╟─────╫─────╫─────╫─────┬─────╫─────╫─────╫─────╢═╡
6413 │ ║ ║ ║ ║ │LEVEL║LEVEL║LEVEL║LEVEL║ │
6414 │ ║ ║ ║ ║ │ 0 ║ 1 ║ 2 ║ 3 ║ │
6415 │ ║ ║ ║ ╚═════╪═════╝ ║ ║ ║ │
6416 │ ║ ║ ║ │ ║ ║ ║ │
6417 │ ║ ║ ╚═══════════╪═══════════╝ ║ ║ │
6418 │ ║ ║ │ ║ ║ │
6419 │ ║ ╚═════════════════╪═════════════════╝ ║ │
6420 │ ║ │ ║ │
6421 TASK B┤ ╚═══════════════════════╧═══════════════════════╝ ├TASK A
6422 └────────────────────────┘ └────────────────────────┘
6425 7.3.1 Example of Using Four Privilege Levels
6427 Two extra privilege levels allow development of more reliable, and flexible
6428 system software. This is achieved by dividing the system into small,
6429 independent units. Figure 7-6 shows an example of the usage of different
6430 protection levels. Here, the most privileged level is called the kernel.
6431 This software would provide basic, application-independent, CPU-oriented
6432 services to all tasks. Such services include memory management, task
6433 isolation, multitasking, inter-task communication, and I/O resource
6434 control. Since the kernel is only concerned with simple functions and cannot
6435 be affected by software at other privilege levels, it can be kept small,
6436 safe, and understandable.
6438 Privilege level one is designated system services. This software provides
6439 high-level functions like file access scheduling, character I/O, data
6440 communcations, and resource allocation policy which are commonly expected in
6441 all systems. Such software remains isolated from applications programs and
6442 relies on the services of the kernel, yet cannot affect the integrity of
6443 level 0.
6445 Privilege level 2 is the custom operating system extensions level. It
6446 allows standard system software to be customized. Such customizing can be
6447 kept isolated from errors in applications programs, yet cannot affect the
6448 basic integrity of the system software. Examples of customized software are
6449 the data base manager, logical file access services, etc.
6451 This is just one example of protection mechanism usage. Levels 1 and 2 may
6452 be used in many different ways. The usage (or non-usage) is up to the system
6453 designer.
6455 Programs at each privilege level are isolated from programs at outer
6456 layers, yet cannot affect programs in inner layers. Programs written for
6457 each privilege level can be smaller, easier to develop, and easier to
6458 maintain than a monolithic system where all system software can affect all
6459 other system software.
6462 7.3.2 Privilege Usage
6464 Privilege applies to tasks and three types of descriptors:
6466 1. Main memory segments
6468 2. Gates (control descriptors for state or task transitions, discussed
6469 in sections 7.5.1, 8.3, 8.4 and 9.2)
6471 3. Task state segments (discussed in Chapter 8).
6473 Task privilege is a dynamic value. It is derived from the code segment
6474 currently being executed. Task privilege can change only when a control
6475 transfers to a different code segment.
6477 Descriptor privilege, including code segment privilege, is assigned when
6478 the descriptor (and any associated segment) is created. The system designer
6479 assigns privilege directly when the system is constructed with the system
6480 builder (see the 80286 Builder User's Guide) or indirectly via a loader.
6482 Each task operates at only one privilege level at any given moment: namely
6483 that of the code segment being executed. (The conforming segments discussed
6484 in section 11.2 permit some flexibility in this regard.) However, as figure
6485 7-6 indicates, the task may contain segments at one, two, three, or four
6486 levels, all of which are to be used at appropriate times. The privilege
6487 level of the task, then, changes under the carefully enforced rules for
6488 transfer of control from one code segment to another.
6490 The descriptor privilege attribute is stored in the access byte of a
6491 descriptor and is called the Descriptor Privilege Level (DPL). Task
6492 privilege is called the Current Privilege Level (CPL). The least significant
6493 two bits of the CS register specify the CPL.
6495 A few general rules of privilege can be stated before the detailed
6496 discussions of later sections. Data access is restricted to those data
6497 segments whose privilege level is the same as or less privileged
6498 (numerically greater) than the current privilege level (CPL). Direct code
6499 access, e.g., via call or jump, is restricted to code segments of equal
6500 privilege. A gate (section 7.5.1) is required for access to code at more
6501 privileged levels.
6504 7.4 Segment Descriptor
6506 Although the format of access control information, discussed below, is
6507 similar for both data and code segment descriptors, the rules for accessing
6508 data segments differ from those for transferring control to code segments.
6509 Data segments are meant to be accessible from many privilege levels, e.g.,
6510 from other programs at the same level or from deep within the operating
6511 system. The main restriction is that they cannot be accessed by less
6512 privileged code.
6514 Code segments, on the other hand, are meant to be executed at a single
6515 privilege level. Transfers of control that cross privilege boundaries are
6516 tightly restricted, requiring the use of gates. Control transfers within a
6517 privilege level can also use gates, but they are not required. Control
6518 transfers are discussed in section 7.5.
6520 Protection checks are automatically invoked at several points in selecting
6521 and using new segments. The process of addressing memory begins when the
6522 currently executing program attempts to load a selector into one of the
6523 segment registers. As discussed in Chapter 6, the selector has the form
6524 shown in figure 7-7.
6526 When a new selector is loaded into a segment register, the processor
6527 accesses the associated descriptor to perform the necessary loading and
6528 privilege checks.
6530 The protection mechanism verifies that the selector points to a valid
6531 descriptor type for the segment register (see section 7.4.1). After
6532 verifying the descriptor type, the CPU compares the privilege level of the
6533 task (CPL) to the privilege level in the descriptor (DPL) before loading
6534 the descriptor's information into the cache.
6536 The general format of the eight bits in the segment descriptor's access
6537 rights byte is shown in table 7-1.
6539 For example, the access rights byte for a data and code segment present in
6540 real memory but not yet accessed (at the same privilege level) is shown in
6541 figure 7-8.
6543 Whenever a segment descriptor is loaded into a segment register, the
6544 accessed bit in the descriptor table is set to 1. This bit is useful for
6545 determining the usage profile of the segment.
6548 Table 7-1. Segment Access Rights Byte Format
6551 Bit Name Description
6553 7 Present 1 means Present and addressable in real memory;
6554 0 means not present. See section 11.3.
6556 6,5 DPL 2-bit Descriptor Privilege Level, 0 to 3.
6558 4 Segment 1 means Segment descriptor; 0 means control
6559 descriptor.
6561 For Segment=1, the remaining bits have the following meanings:
6563 3 Executable 1 means code, 0 means data.
6565 2 C or ED If code, Conforming: 1 means yes, 0 no.
6566 If data, Expand Down: 1 yes, 0 no──normal case.
6568 1 R or W If code, Readable: 1 means readable, 0 not.
6569 If data, Writable: 1 means writable, 0 not.
6571 0 Accessed 1 if segment descriptor has been Accessed, 0 if not.
6574 ───────────────────────────────────────────────────────────────────────────
6575 NOTE
6576 When the Segment bit (bit 4) is 0, the descriptor is for a gate, a
6577 task state segment, or a Local Descriptor Table, and the meanings of bits
6578 0 through 3 change. Control transfers and descriptors are discussed in
6579 section 7.5.
6580 ───────────────────────────────────────────────────────────────────────────
6582 Table 7-2. Allowed Segment Types in Segment Registers
6584 Allowed Segment Types
6585 ┌──────────────────────────┴─────────────────────────────┐
6586 Segment Register Read Only Read-Write Execute Only Execute-Read
6587 Data Segment Data Segment Code Segment Code Segment
6588 DS Yes Yes No Yes
6589 ES Yes Yes No Yes
6590 SS No Yes No No
6591 CS No No Yes Yes
6593 ───────────────────────────────────────────────────────────────────────────────────────────────────
6594 NOTE
6595 The Intel reserved bytes in the segment descriptor must be set to 0 for
6596 compatibility with the 80386.
6597 ───────────────────────────────────────────────────────────────────────────────────────────────────
6599 Figure 7-7. Selector Fields
6601 SELECTOR
6602 ╔═══════════════════════════════════════════════════╤═══╤═══════╗
6603 ║ INDEX │ T │ ║
6604 ║ │ I │ RPL ║
6605 ╚═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╧═══╝
6606 15 8