1 INTEL 80386 PROGRAMMER'S REFERENCE MANUAL 1986
3 Intel Corporation makes no warranty for the use of its products and
4 assumes no responsibility for any errors which may appear in this document
5 nor does it make a commitment to update the information contained herein.
7 Intel retains the right to make changes to these specifications at any
10 Contact your local sales office to obtain the latest specifications before
13 The following are trademarks of Intel Corporation and may only be used to
14 identify Intel Products:
16 Above, BITBUS, COMMputer, CREDIT, Data Pipeline, FASTPATH, Genius, i, î,
17 ICE, iCEL, iCS, iDBP, iDIS, I²ICE, iLBX, im, iMDDX, iMMX, Inboard,
18 Insite, Intel, intel, intelBOS, Intel Certified, Intelevision,
19 inteligent Identifier, inteligent Programming, Intellec, Intellink,
20 iOSP, iPDS, iPSC, iRMK, iRMX, iSBC, iSBX, iSDM, iSXM, KEPROM, Library
21 Manager, MAPNET, MCS, Megachassis, MICROMAINFRAME, MULTIBUS, MULTICHANNEL,
22 MULTIMODULE, MultiSERVER, ONCE, OpenNET, OTP, PC BUBBLE, Plug-A-Bubble,
23 PROMPT, Promware, QUEST, QueX, Quick-Pulse Programming, Ripplemode, RMX/80,
24 RUPI, Seamless, SLD, SugarCube, SupportNET, UPI, and VLSiCEL, and the
25 combination of ICE, iCS, iRMX, iSBC, iSBX, iSXM, MCS, or UPI and a numerical
28 MDS is an ordering code only and is not used as a product name or
29 trademark. MDS(R) is a registered trademark of Mohawk Data Sciences
32 Additional copies of this manual or other Intel literature may be obtained
36 Literature Distribution
41 (c)INTEL CORPORATION 1987 CG-5/26/87
46 ----------------------------------------------------------------------------
48 Customer Support is Intel's complete support service that provides Intel
49 customers with hardware support, software support, customer training, and
50 consulting services. For more information contact your local sales offices.
52 After a customer purchases any system hardware or software product,
53 service and support become major factors in determining whether that
54 product will continue to meet a customer's expectations. Such support
55 requires an international support organization and a breadth of programs
56 to meet a variety of customer needs. As you might expect, Intel's customer
57 support is quite extensive. It includes factory repair services and
58 worldwide field service offices providing hardware repair services,
59 software support services, customer training classes, and consulting
62 Hardware Support Services
64 Intel is committed to providing an international service support package
65 through a wide variety of service offerings available from Intel Hardware
68 Software Support Services
70 Intel's software support consists of two levels of contracts. Standard
71 support includes TIPS (Technical Information Phone Service), updates and
72 subscription service (product-specific troubleshooting guides and COMMENTS
73 Magazine). Basic support includes updates and the subscription service.
74 Contracts are sold in environments which represent product groupings
75 (i.e., iRMX environment).
79 Intel provides field systems engineering services for any phase of your
80 development or support effort. You can use our systems engineers in a
81 variety of ways ranging from assistance in using a new product, developing
82 an application, personalizing training, and customizing or tailoring an
83 Intel product to providing technical and management consulting. Systems
84 Engineers are well versed in technical areas such as microcommunications,
85 real-time applications, embedded microcontrollers, and network services.
86 You know your application needs; we know our products. Working together we
87 can help you get a successful product to market in the least possible time.
91 Intel offers a wide range of instructional programs covering various
92 aspects of system design and implementation. In just three to ten days a
93 limited number of individuals learn more in a single workshop than in
94 weeks of self-study. For optimum convenience, workshops are scheduled
95 regularly at Training Centers worldwide or we can take our workshops to
96 you for on-site instruction. Covering a wide variety of topics, Intel's
97 major course categories include: architecture and assembly language,
98 programming and operating systems, bitbus and LAN applications.
100 Training Center Locations
102 To obtain a complete catalog of our workshops, call the nearest Training
105 Boston (617) 692-1000
106 Chicago (312) 310-5700
107 San Francisco (415) 940-7800
108 Washington D.C. (301) 474-2878
109 Israel (972) 349-491-099
111 Osaka (Call Tokyo) 03-437-6611
112 Toronto, Canada (416) 675-2105
113 London (0793) 696-000
116 Stockholm (468) 734-01-00
118 Benelux (Rotterdam) (10) 21-23-77
119 Copenhagen (1) 198-033
125 Chapter 1 Introduction to the 80386
127 1.1 Organization of This Manual
128 1.1.1 Part I -- Applications Programming
129 1.1.2 Part II -- Systems Programming
130 1.1.3 Part III -- Compatibility
131 1.1.4 Part IV -- Instruction Set
134 1.2 Related Literature
135 1.3 Notational Conventions
136 1.3.1 Data-Structure Formats
137 1.3.2 Undefined Bits and Software Compatibility
138 1.3.3 Instruction Operands
139 1.3.4 Hexadecimal Numbers
140 1.3.5 Sub- and Super-Scripts
142 PART I APPLICATIONS PROGRAMMING
144 Chapter 2 Basic Programming Model
146 2.1 Memory Organization and Segmentation
147 2.1.1 The "Flat" Model
148 2.1.2 The Segmented Model
152 2.3.1 General Registers
153 2.3.2 Segment Registers
154 2.3.3 Stack Implementation
158 2.3.4.3 Instruction Pointer
160 2.4 Instruction Format
161 2.5 Operand Selection
162 2.5.1 Immediate Operands
163 2.5.2 Register Operands
164 2.5.3 Memory Operands
165 2.5.3.1 Segment Selection
166 2.5.3.2 Effective-Address Computation
168 2.6 Interrupts and Exceptions
170 Chapter 3 Applications Instruction Set
172 3.1 Data Movement Instructions
173 3.1.1 General-Purpose Data Movement Instructions
174 3.1.2 Stack Manipulation Instructions
175 3.1.3 Type Conversion Instructions
177 3.2 Binary Arithmetic Instructions
178 3.2.1 Addition and Subtraction Instructions
179 3.2.2 Comparison and Sign Change Instruction
180 3.2.3 Multiplication Instructions
181 3.2.4 Division Instructions
183 3.3 Decimal Arithmetic Instructions
184 3.3.1 Packed BCD Adjustment Instructions
185 3.3.2 Unpacked BCD Adjustment Instructions
187 3.4 Logical Instructions
188 3.4.1 Boolean Operation Instructions
189 3.4.2 Bit Test and Modify Instructions
190 3.4.3 Bit Scan Instructions
191 3.4.4 Shift and Rotate Instructions
192 3.4.4.1 Shift Instructions
193 3.4.4.2 Double-Shift Instructions
194 3.4.4.3 Rotate Instructions
195 3.4.4.4 Fast "bit-blt" Using Double Shift
197 3.4.4.5 Fast Bit-String Insert and Extract
199 3.4.5 Byte-Set-On-Condition Instructions
200 3.4.6 Test Instruction
202 3.5 Control Transfer Instructions
203 3.5.1 Unconditional Transfer Instructions
204 3.5.1.1 Jump Instruction
205 3.5.1.2 Call Instruction
206 3.5.1.3 Return and Return-From-Interrupt Instruction
208 3.5.2 Conditional Transfer Instructions
209 3.5.2.1 Conditional Jump Instructions
210 3.5.2.2 Loop Instructions
211 3.5.2.3 Executing a Loop or Repeat Zero Times
213 3.5.3 Software-Generated Interrupts
215 3.6 String and Character Translation Instructions
216 3.6.1 Repeat Prefixes
217 3.6.2 Indexing and Direction Flag Control
218 3.6.3 String Instructions
220 3.7 Instructions for Block-Structured Languages
221 3.8 Flag Control Instructions
222 3.8.1 Carry and Direction Flag Control Instructions
223 3.8.2 Flag Transfer Instructions
225 3.9 Coprocessor Interface Instructions
226 3.10 Segment Register Instructions
227 3.10.1 Segment-Register Transfer Instructions
228 3.10.2 Far Control Transfer Instructions
229 3.10.3 Data Pointer Instructions
231 3.11 Miscellaneous Instructions
232 3.11.1 Address Calculation Instruction
233 3.11.2 No-Operation Instruction
234 3.11.3 Translate Instruction
236 PART II SYSTEMS PROGRAMMING
238 Chapter 4 Systems Architecture
240 4.1 Systems Registers
242 4.1.2 Memory-Management Registers
243 4.1.3 Control Registers
247 4.2 Systems Instructions
249 Chapter 5 Memory Management
251 5.1 Segment Translation
253 5.1.2 Descriptor Tables
255 5.1.4 Segment Registers
261 5.2.4 Page-Table Entries
262 5.2.4.1 Page Frame Address
264 5.2.4.3 Accessed and Dirty Bits
265 5.2.4.4 Read/Write and User/Supervisor Bits
267 5.2.5 Page Translation Cache
269 5.3 Combining Segment and Page Translation
270 5.3.1 "Flat" Architecture
271 5.3.2 Segments Spanning Several Pages
272 5.3.3 Pages Spanning Several Segments
273 5.3.4 Non-Aligned Page and Segment Boundaries
274 5.3.5 Aligned Page and Segment Boundaries
275 5.3.6 Page-Table per Segment
280 6.2 Overview of 80386 Protection Mechanisms
281 6.3 Segment-Level Protection
282 6.3.1 Descriptors Store Protection Parameters
283 6.3.1.1 Type Checking
284 6.3.1.2 Limit Checking
285 6.3.1.3 Privilege Levels
287 6.3.2 Restricting Access to Data
288 6.3.2.1 Accessing Data in Code Segments
290 6.3.3 Restricting Control Transfers
291 6.3.4 Gate Descriptors Guard Procedure Entry Points
292 6.3.4.1 Stack Switching
293 6.3.4.2 Returning from a Procedure
295 6.3.5 Some Instructions are Reserved for Operating System
296 6.3.5.1 Privileged Instructions
297 6.3.5.2 Sensitive Instructions
299 6.3.6 Instructions for Pointer Validation
300 6.3.6.1 Descriptor Validation
301 6.3.6.2 Pointer Integrity and RPL
303 6.4 Page-Level Protection
304 6.4.1 Page-Table Entries Hold Protection Parameters
305 6.4.1.1 Restricting Addressable Domain
306 6.4.1.2 Type Checking
308 6.4.2 Combining Protection of Both Levels of Page Tables
309 6.4.3 Overrides to Page Protection
311 6.5 Combining Page and Segment Protection
313 Chapter 7 Multitasking
315 7.1 Task State Segment
318 7.4 Task Gate Descriptor
321 7.6.1 Busy Bit Prevents Loops
322 7.6.2 Modifying Task Linkages
324 7.7 Task Address Space
325 7.7.1 Task Linear-to-Physical Space Mapping
326 7.7.2 Task Logical Address Space
328 Chapter 8 Input/Output
331 8.1.1 I/O Address Space
332 8.1.2 Memory-Mapped I/O
335 8.2.1 Register I/O Instructions
336 8.2.2 Block I/O Instructions
338 8.3 Protection and I/O
339 8.3.1 I/O Privilege Level
340 8.3.2 I/O Permission Bit Map
342 Chapter 9 Exceptions and Interrupts
344 9.1 Identifying Interrupts
345 9.2 Enabling and Disabling Interrupts
346 9.2.1 NMI Masks Further NMIs
348 9.2.3 RF Masks Debug Faults
349 9.2.4 MOV or POP to SS Masks Some Interrupts and Exceptions
351 9.3 Priority Among Simultaneous Interrupts and Exceptions
352 9.4 Interrupt Descriptor Table
354 9.6 Interrupt Tasks and Interrupt Procedures
355 9.6.1 Interrupt Procedures
356 9.6.1.1 Stack of Interrupt Procedure
357 9.6.1.2 Returning from an Interrupt Procedure
358 9.6.1.3 Flags Usage by Interrupt Procedure
359 9.6.1.4 Protection in Interrupt Procedures
361 9.6.2 Interrupt Tasks
364 9.8 Exception Conditions
365 9.8.1 Interrupt 0 -- Divide Error
366 9.8.2 Interrupt 1 -- Debug Exceptions
367 9.8.3 Interrupt 3 -- Breakpoint
368 9.8.4 Interrupt 4 -- Overflow
369 9.8.5 Interrupt 5 -- Bounds Check
370 9.8.6 Interrupt 6 -- Invalid Opcode
371 9.8.7 Interrupt 7 -- Coprocessor Not Available
372 9.8.8 Interrupt 8 -- Double Fault
373 9.8.9 Interrupt 9 -- Coprocessor Segment Overrun
374 9.8.10 Interrupt 10 -- Invalid TSS
375 9.8.11 Interrupt 11 -- Segment Not Present
376 9.8.12 Interrupt 12 -- Stack Exception
377 9.8.13 Interrupt 13 -- General Protection Exception
378 9.8.14 Interrupt 14 -- Page Fault
379 9.8.14.1 Page Fault during Task Switch
380 9.8.14.2 Page Fault with Inconsistent Stack Pointer
382 9.8.15 Interrupt 16 -- Coprocessor Error
384 9.9 Exception Summary
386 9.10 Error Code Summary
388 Chapter 10 Initialization
390 10.1 Processor State after Reset
391 10.2 Software Initialization for Real-Address Mode
393 10.2.2 Interrupt Table
394 10.2.3 First Instructions
396 10.3 Switching to Protected Mode
397 10.4 Software Initialization for Protected Mode
398 10.4.1 Interrupt Descriptor Table
400 10.4.3 Global Descriptor Table
404 10.5 Initialization Example
406 10.6.1 Structure of the TLB
407 10.6.2 Test Registers
408 10.6.3 Test Operations
410 Chapter 11 Coprocessing and Multiprocessing
413 11.1.1 Coprocessor Identification
414 11.1.2 ESC and WAIT Instructions
415 11.1.3 EM and MP Flags
416 11.1.4 The Task-Switched Flag
417 11.1.5 Coprocessor Exceptions
418 11.1.5.1 Interrupt 7 -- Coprocessor Not Available
419 11.1.5.2 Interrupt 9 -- Coprocessor Segment Overrun
420 11.1.5.3 Interrupt 16 -- Coprocessor Error
422 11.2 General Multiprocessing
423 11.2.1 LOCK and the LOCK# Signal
424 11.2.2 Automatic Locking
425 11.2.3 Cache Considerations
429 12.1 Debugging Features of the Architecture
431 12.2.1 Debug Address Registers (DR0-DR3)
432 12.2.2 Debug Control Register (DR7)
433 12.2.3 Debug Status Register (DR6)
434 12.2.4 Breakpoint Field Recognition
436 12.3 Debug Exceptions
437 12.3.1 Interrupt 1 -- Debug Exceptions
438 12.3.1.1 Instruction Address Breakpoint
439 12.3.1.2 Data Address Breakpoint
440 12.3.1.3 General Detect Fault
441 12.3.1.4 Single-Step Trap
442 12.3.1.5 Task Switch Breakpoint
444 12.3.2 Interrupt 3 -- Breakpoint Exception
446 PART III COMPATIBILITY
448 Chapter 13 Executing 80286 Protected-Mode Code
450 13.1 80286 Code Executes as a Subset of the 80386
451 13.2 Two Ways to Execute 80286 Tasks
452 13.3 Differences from 80286
453 13.3.1 Wraparound of 80286 24-Bit Physical Address Space
454 13.3.2 Reserved Word of Descriptor
455 13.3.3 New Descriptor Type Codes
456 13.3.4 Restricted Semantics of LOCK
457 13.3.5 Additional Exceptions
459 Chapter 14 80386 Real-Address Mode
461 14.1 Physical Address Formation
462 14.2 Registers and Instructions
463 14.3 Interrupt and Exception Handling
464 14.4 Entering and Leaving Real-Address Mode
465 14.4.1 Switching to Protected Mode
467 14.5 Switching Back to Real-Address Mode
468 14.6 Real-Address Mode Exceptions
469 14.7 Differences from 8086
470 14.8 Differences from 80286 Real-Address Mode
472 14.8.2 Location of First Instruction
473 14.8.3 Initial Values of General Registers
474 14.8.4 MSW Initialization
476 Chapter 15 Virtual 8086 Mode
478 15.1 Executing 8086 Code
479 15.1.1 Registers and Instructions
480 15.1.2 Linear Address Formation
482 15.2 Structure of a V86 Task
483 15.2.1 Using Paging for V86 Tasks
484 15.2.2 Protection within a V86 Task
486 15.3 Entering and Leaving V86 Mode
487 15.3.1 Transitions Through Task Switches
488 15.3.2 Transitions Through Trap Gates and Interrupt Gates
490 15.4 Additional Sensitive Instructions
491 15.4.1 Emulating 8086 Operating System Calls
492 15.4.2 Virtualizing the Interrupt-Enable Flag
495 15.5.1 I/O-Mapped I/O
496 15.5.2 Memory-Mapped I/O
497 15.5.3 Special I/O Buffers
499 15.6 Differences from 8086
500 15.7 Differences from 80286 Real-Address Mode
502 Chapter 16 Mixing 16-Bit and 32-Bit Code
504 16.1 How the 80386 Implements 16-Bit and 32-Bit Features
505 16.2 Mixing 32-Bit and 16-Bit Operations
506 16.3 Sharing Data Segments among Mixed Code Segments
507 16.4 Transferring Control among Mixed Code Segments
508 16.4.1 Size of Code-Segment Pointer
509 16.4.2 Stack Management for Control Transfers
510 16.4.2.1 Controlling the Operand-Size for a CALL
511 16.4.2.2 Changing Size of Call
513 16.4.3 Interrupt Control Transfers
514 16.4.4 Parameter Translation
515 16.4.5 The Interface Procedure
517 PART IV INSTRUCTION SET
519 Chapter 17 80386 Instruction Set
521 17.1 Operand-Size and Address-Size Attributes
522 17.1.1 Default Segment Attribute
523 17.1.2 Operand-Size and Address-Size Instruction Prefixes
524 17.1.3 Address-Size Attribute for Stack
526 17.2 Instruction Format
527 17.2.1 ModR/M and SIB Bytes
528 17.2.2 How to Read the Instruction Set Pages
535 17.2.2.7 Flags Affected
536 17.2.2.8 Protected Mode Exceptions
537 17.2.2.9 Real Address Mode Exceptions
538 17.2.2.10 Virtual-8086 Mode Exceptions
565 CMPS/CMPSB/CMPSW/CMPSD
591 LODS/LODSB/LODSW/LODSD
597 MOVS/MOVSB/MOVSW/MOVSD
606 OUTS/OUTSB/OUTSW/OUTSD
614 REP/REPE/REPZ/REPNE/REPNZ
619 SCAS/SCASB/SCASW/SCASD
629 STOS/STOSB/STOSW/STOSD
639 Appendix A Opcode Map
641 Appendix B Complete Flag Cross-Reference
643 Appendix C Status Flag Summary
645 Appendix D Condition Codes
650 1-1 Example Data Structure
652 2-1 Two-Component Pointer
653 2-2 Fundamental Data Types
654 2-3 Bytes, Words, and Doublewords in Memory
656 2-5 80386 Applications Register Set
657 2-6 Use of Memory Segmentation
660 2-9 Instruction Pointer Register
661 2-10 Effective Address Computation
671 3-9 Using SAR to Simulate IDIV
672 3-10 Shift Left Double
673 3-11 Shift Right Double
678 3-16 Formal Definition of the ENTER Instruction
679 3-17 Variable Access in Nested Procedures
680 3-18 Stack Frame for MAIN at Level 1
681 3-19 Stack Frame for Procedure A
682 3-20 Stack Frame for Procedure B at Level 3 Called from A
683 3-21 Stack Frame for Procedure C at Level 3 Called from B
685 3-23 Flag Format for PUSHF and POPF
687 4-1 Systems Flags of EFLAGS Register
688 4-2 Control Registers
690 5-1 Address Translation Overview
691 5-2 Segment Translation
692 5-3 General Segment-Descriptor Format
693 5-4 Format of Not-Present Descriptor
694 5-5 Descriptor Tables
695 5-6 Format of a Selector
696 5-7 Segment Registers
697 5-8 Format of a Linear Address
699 5-10 Format of a Page Table Entry
700 5-11 Invalid Page Table Entry
701 5-12 80386 Addressing Mechanism
702 5-13 Descriptor per Page Table
704 6-1 Protection Fields of Segment Descriptors
705 6-2 Levels of Privilege
706 6-3 Privilege Check for Data Access
707 6-4 Privilege Check for Control Transfer without Gate
708 6-5 Format of 80386 Call Gate
709 6-6 Indirect Transfer via Call Gate
710 6-7 Privilege Check via Call Gate
711 6-8 Initial Stack Pointers of TSS
712 6-9 Stack Contents after an Interlevel Call
713 6-10 Protection Fields of Page Table Entries
715 7-1 80386 32-Bit Task State Segment
716 7-2 TSS Descriptor for 32-Bit TSS
718 7-4 Task Gate Descriptor
719 7-5 Task Gate Indirectly Identifies Task
720 7-6 Partially-Overlapping Linear Spaces
722 8-1 Memory-Mapped I/O
723 8-2 I/O Address Bit Map
725 9-1 IDT Register and Table
726 9-2 Pseudo-Descriptor Format for LIDT and SIDT
727 9-3 80386 IDT Gate Descriptors
728 9-4 Interrupt Vectoring for Procedures
729 9-5 Stack Layout after Exception of Interrupt
730 9-6 Interrupt Vectoring for Tasks
731 9-7 Error Code Format
732 9-8 Page-Fault Error Code Format
735 10-1 Contents of EDX after RESET
736 10-2 Initial Contents of CR0
742 14-1 Real-Address Mode Address Formation
744 15-1 V86 Mode Address Formation
745 15-2 Entering and Leaving an 8086 Program
746 15-3 PL 0 Stack after Interrupt in V86 Task
748 16-1 Stack after Far 16-Bit and 32-Bit Calls
750 17-1 80386 Instruction Format
751 17-2 ModR/M and SIB Byte Formats
752 17-3 Bit Offset for BIT[EAX, 21]
753 17-4 Memory Bit Indexing
758 2-1 Default Segment Register Selection Rules
759 2-2 80386 Reserved Exceptions and Interrupts
761 3-1 Bit Test and Modify Instructions
762 3-2 Interpretation of Conditional Transfers
764 6-1 System and Gate Descriptor Types
765 6-2 Useful Combinations of E, G, and B Bits
766 6-3 Interlevel Return Checks
767 6-4 Valid Descriptor Types for LSL
768 6-5 Combining Directory and Page Protection
770 7-1 Checks Made during a Task Switch
771 7-2 Effect of Task Switch on BUSY, NT, and Back-Link
773 9-1 Interrupt and Exception ID Assignments
774 9-2 Priority Among Simultaneous Interrupts and Exceptions
775 9-3 Double-Fault Detection Classes
776 9-4 Double-Fault Definition
777 9-5 Conditions That Invalidate the TSS
778 9-6 Exception Summary
779 9-7 Error-Code Summary
781 10-1 Meaning of D, U, and W Bit Pairs
783 12-1 Breakpoint Field Recognition Examples
784 12-2 Debug Exception Conditions
786 14-1 80386 Real-Address Mode Exceptions
787 14-2 New 80386 Exceptions
789 17-1 Effective Size Attributes
790 17-2 16-Bit Addressing Forms with the ModR/M Byte
791 17-3 32-Bit Addressing Forms with the ModR/M Byte
792 17-4 32-Bit Addressing Forms with the SIB Byte
793 17-5 Task Switch Times for Exceptions
794 17-6 80386 Exceptions
797 Chapter 1 Introduction to the 80386
799 ----------------------------------------------------------------------------
801 The 80386 is an advanced 32-bit microprocessor optimized for multitasking
802 operating systems and designed for applications needing very high
803 performance. The 32-bit registers and data paths support 32-bit addresses
804 and data types. The processor can address up to four gigabytes of physical
805 memory and 64 terabytes (2^(46) bytes) of virtual memory. The on-chip
806 memory-management facilities include address translation registers,
807 advanced multitasking hardware, a protection mechanism, and paged virtual
808 memory. Special debugging registers provide data and code breakpoints even
809 in ROM-based software.
812 1.1 Organization of This Manual
814 This book presents the architecture of the 80386 in five parts:
816 Part I -- Applications Programming
817 Part II -- Systems Programming
818 Part III -- Compatibility
819 Part IV -- Instruction Set
822 These divisions are determined in part by the architecture itself and in
823 part by the different ways the book will be used. As the following table
824 indicates, the latter two parts are intended as reference material for
825 programmers actually engaged in the process of developing software for the
826 80386. The first three parts are explanatory, showing the purpose of
827 architectural features, developing terminology and concepts, and describing
828 instructions as they relate to specific purposes or to specific
829 architectural features.
831 Explanation Part I -- Applications Programming
832 Part II -- Systems Programming
833 Part III -- Compatibility
835 Reference Part IV -- Instruction Set
838 The first three parts follow the execution modes and protection features of
839 the 80386 CPU. The distinction between applications features and systems
840 features is determined by the protection mechanism of the 80386. One purpose
841 of protection is to prevent applications from interfering with the operating
842 system; therefore, the processor makes certain registers and instructions
843 inaccessible to applications programs. The features discussed in Part I are
844 those that are accessible to applications; the features in Part II are
845 available only to systems software that has been given special privileges or
846 in unprotected systems.
848 The processing mode of the 80386 also determines the features that are
849 accessible. The 80386 has three processing modes:
1. Protected Mode.
852 2. Real-Address Mode.
853 3. Virtual 8086 Mode.
855 Protected mode is the natural 32-bit environment of the 80386 processor. In
856 this mode all instructions and features are available.
858 Real-address mode (often called just "real mode") is the mode of the
859 processor immediately after RESET. In real mode the 80386 appears to
860 programmers as a fast 8086 with some new instructions. Most applications of
861 the 80386 will use real mode for initialization only.
863 Virtual 8086 mode (also called V86 mode) is a dynamic mode in the sense
864 that the processor can switch repeatedly and rapidly between V86 mode and
865 protected mode. The CPU enters V86 mode from protected mode to execute an
866 8086 program, then leaves V86 mode and enters protected mode to continue
867 executing a native 80386 program.
869 The features that are available to applications programs in protected mode
870 and to all programs in V86 mode are the same. These features form the
871 content of Part I. The additional features that are available to systems
872 software in protected mode form Part II. Part III explains real-address
873 mode and V86 mode, as well as how to execute a mix of 32-bit and 16-bit
876 Available in All Modes Part I -- Applications Programming
878 Available in Protected Part II -- Systems Programming
881 Compatibility Modes Part III -- Compatibility
884 1.1.1 Part I -- Applications Programming
886 This part presents those aspects of the architecture that are customarily
887 used by applications programmers.
889 Chapter 2 -- Basic Programming Model: Introduces the models of memory
890 organization. Defines the data types. Presents the register set used by
891 applications. Introduces the stack. Explains string operations. Defines the
892 parts of an instruction. Explains addressing calculations. Introduces
893 interrupts and exceptions as they may apply to applications programming.
895 Chapter 3 -- Application Instruction Set: Surveys the instructions commonly
896 used for applications programming. Considers instructions in functionally
897 related groups; for example, string instructions are considered in one
898 section, while control-transfer instructions are considered in another.
899 Explains the concepts behind the instructions. Details of individual
900 instructions are deferred until Part IV, the instruction-set reference.
903 1.1.2 Part II -- Systems Programming
905 This part presents those aspects of the architecture that are customarily
906 used by programmers who write operating systems, device drivers, debuggers,
907 and other software that supports applications programs in the protected mode
910 Chapter 4 -- Systems Architecture: Surveys the features of the 80386 that
911 are used by systems programmers. Introduces the remaining registers and data
912 structures of the 80386 that were not discussed in Part I. Introduces the
913 systems-oriented instructions in the context of the registers and data
914 structures they support. Points to the chapter where each register, data
915 structure, and instruction is considered in more detail.
917 Chapter 5 -- Memory Management: Presents details of the data structures,
918 registers, and instructions that support virtual memory and the concepts of
919 segmentation and paging. Explains how systems designers can choose a model
920 of memory organization ranging from completely linear ("flat") to fully
923 Chapter 6 -- Protection: Expands on the memory management features of the
924 80386 to include protection as it applies to both segments and pages.
925 Explains the implementation of privilege rules, stack switching, pointer
926 validation, user and supervisor modes. Protection aspects of multitasking
927 are deferred until the following chapter.
929 Chapter 7 -- Multitasking: Explains how the hardware of the 80386 supports
930 multitasking with context-switching operations and intertask protection.
932 Chapter 8 -- Input/Output: Reveals the I/O features of the 80386, including
933 I/O instructions, protection as it relates to I/O, and the I/O permission
936 Chapter 9 -- Exceptions and Interrupts: Explains the basic interrupt
937 mechanisms of the 80386. Shows how interrupts and exceptions relate to
938 protection. Discusses all possible exceptions, listing causes and including
939 information needed to handle and recover from the exception.
941 Chapter 10 -- Initialization: Defines the condition of the processor after
942 RESET or power-up. Explains how to set up registers, flags, and data
943 structures for either real-address mode or protected mode. Contains an
944 example of an initialization program.
946 Chapter 11 -- Coprocessing and Multiprocessing: Explains the instructions
947 and flags that support a numerics coprocessor and multiple CPUs with shared
950 Chapter 12 -- Debugging: Tells how to use the debugging registers of the
954 1.1.3 Part III -- Compatibility
956 Other parts of the book treat the processor primarily as a 32-bit machine,
957 omitting for simplicity its facilities for 16-bit operations. Indeed, the
958 80386 is a 32-bit machine, but its design fully supports 16-bit operands and
959 addressing, too. This part completes the picture of the 80386 by explaining
960 the features of the architecture that support 16-bit programs and 16-bit
961 operations in 32-bit programs. All three processor modes are used to
962 execute 16-bit programs: protected mode can directly execute 16-bit 80286
963 protected mode programs, real mode executes 8086 programs and real-mode
964 80286 programs, and virtual 8086 mode executes 8086 programs in a
965 multitasking environment with other 80386 protected-mode programs. In
966 addition, 32-bit and 16-bit modules and individual 32-bit and 16-bit
967 operations can be mixed in protected mode.
969 Chapter 13 -- Executing 80286 Protected-Mode Code: In its protected mode,
970 the 80386 can execute complete 80286 protected-mode systems, because 80286
971 capabilities are a subset of 80386 capabilities.
973 Chapter 14 -- 80386 Real-Address Mode: Explains the real mode of the 80386
974 CPU. In this mode the 80386 appears as a fast real-mode 80286 or fast 8086
975 enhanced with additional instructions.
977 Chapter 15 -- Virtual 8086 Mode: The 80386 can switch rapidly between its
978 protected mode and V86 mode, giving it the ability to multiprogram 8086
979 programs along with "native mode" 32-bit programs.
981 Chapter 16 -- Mixing 16-Bit and 32-Bit Code: Even within a program or task,
982 the 80386 can mix 16-bit and 32-bit modules. Furthermore, any given module
983 can utilize both 16-bit and 32-bit operands and addresses.
986 1.1.4 Part IV -- Instruction Set
988 Parts I, II, and III present overviews of the instructions as they relate
989 to specific aspects of the architecture, but this part presents the
990 instructions in alphabetical order, providing the detail needed by
991 assembly-language programmers and programmers of debuggers, compilers,
992 operating systems, etc. Instruction descriptions include algorithmic
993 description of operation, effect of flag settings, effect on flag settings,
994 effect of operand- or address-size attributes, effect of processor modes,
995 and possible exceptions.
1000 The appendices present tables of encodings and other details in a format
1001 designed for quick reference by assembly-language and systems programmers.
1004 1.2 Related Literature
1006 The following books contain additional material concerning the 80386
1009 • Introduction to the 80386, order number 231252
1011 • 80386 Hardware Reference Manual, order number 231732
1013 • 80386 System Software Writer's Guide, order number 231499
1015 • 80386 High Performance 32-bit Microprocessor with Integrated Memory
1016 Management (Data Sheet), order number 231630
1019 1.3 Notational Conventions
1021 This manual uses special notations for data-structure formats, for symbolic
1022 representation of instructions, for hexadecimal numbers, and for super- and
1023 sub-scripts. Subscript characters are surrounded by {curly brackets}, for
1024 example 10{2} = 10 base 2. Superscript characters are preceded by a caret
1025 and enclosed within (parentheses), for example 10^(3) = 10 to the third
1026 power. A review of these notations will make it easier to read the
1029 1.3.1 Data-Structure Formats
1031 In illustrations of data structures in memory, smaller addresses appear at
1032 the lower-right part of the figure; addresses increase toward the left and
1033 upwards. Bit positions are numbered from right to left. Figure 1-1
1034 illustrates this convention.
1037 1.3.2 Undefined Bits and Software Compatibility
1039 In many register and memory layout descriptions, certain bits are marked as
1040 undefined. When bits are marked as undefined (as illustrated in Figure
1041 1-1), it is essential for compatibility with future processors that
1042 software treat these bits as undefined. Software should follow these
1043 guidelines in dealing with undefined bits:
1045 • Do not depend on the states of any undefined bits when testing the
1046 values of registers that contain such bits. Mask out the undefined bits
1049 • Do not depend on the states of any undefined bits when storing them in
1050 memory or in another register.
1052 • Do not depend on the ability to retain information written into any
1055 • When loading a register, always load the undefined bits as zeros or
1056 reload them with values previously stored from the same register.
1058 ‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
1060 Depending upon the values of undefined register bits will make software
1061 dependent upon the unspecified manner in which the 80386 handles these
1062 bits. Depending upon undefined values risks making software incompatible
1063 with future processors that define usages for these bits. AVOID ANY
1064 SOFTWARE DEPENDENCE UPON THE STATE OF UNDEFINED 80386 REGISTER BITS.
1068 Figure 1-1. Example Data Structure
[Figure 1-1: a data structure drawn as rows of four bytes. Bit positions 31, 23, 15, 7 and 0 are marked across the top; each row holds BYTE 3, BYTE 2, BYTE 1 and BYTE 0 from left to right; the byte OFFSET of each row is listed down the right side. The GREATEST address is at the top left and the SMALLEST ADDRESS (offset 0, BYTE 0) at the bottom right.]
1093 1.3.3 Instruction Operands
1095 When instructions are represented symbolically, a subset of the 80386
1096 Assembly Language is used. In this subset, an instruction has the following
1099 label: prefix mnemonic argument1, argument2, argument3
1103 Ž A label is an identifier that is followed by a colon.
1105 Ž A prefix is an optional reserved name for one of the instruction
1108 Ž A mnemonic is a reserved name for a class of instruction opcodes that
1109 have the same function.
1111 Ž The operands argument1, argument2, and argument3 are optional. There
1112 may be from zero to three operands, depending on the opcode. When
1113 present, they take the form of either literals or identifiers for data
1114 items. Operand identifiers are either reserved names of registers or
1115 are assumed to be assigned to data items declared in another part of
1116 the program (which may not be shown in the example). When two operands
1117 are present in an instruction that modifies data, the right operand is
1118 the source and the left operand is the destination.
1122 LOADREG: MOV EAX, SUBTOTAL
1124 In this example LOADREG is a label, MOV is the mnemonic identifier of an
1125 opcode, EAX is the destination operand, and SUBTOTAL is the source operand.
1127 1.3.4 Hexadecimal Numbers
1129 Base 16 numbers are represented by a string of hexadecimal digits followed
1130 by the character H. A hexadecimal digit is a character from the set (0, 1,
1131 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). In some cases, especially in
1132 examples of program syntax, a leading zero is added if the number would
1133 otherwise begin with one of the digits A-F. For example, 0FH is equivalent
1134 to the decimal number 15.
1136 1.3.5 Sub- and Super-Scripts
1138 This manual uses special notation to represent sub- and super-script
1139 characters. Sub-script characters are surrounded by {curly brackets}, for
1140 example 10{2} = 10 base 2. Super-script characters are preceded by a
1141 caret and enclosed within (parentheses), for example 10^(3) = 10 to the
1145 PART I APPLICATIONS PROGRAMMING
1148 Chapter 2 Basic Programming Model
1152 This chapter describes the 80386 application programming environment as
1153 seen by assembly language programmers when the processor is executing in
1154 protected mode. The chapter introduces programmers to those features of the
1155 80386 architecture that directly affect the design and implementation of
1156 80386 applications programs. Other chapters discuss 80386 features that
1157 relate to systems programming or to compatibility with other processors of
1160 The basic programming model consists of these aspects:
1162 Ž Memory organization and segmentation
1165 Ž Instruction format
1167 Ž Interrupts and exceptions
1169 Note that input/output is not included as part of the basic programming
1170 model. Systems designers may choose to make I/O instructions available to
1171 applications or may choose to reserve these functions for the operating
1172 system. For this reason, the I/O features of the 80386 are discussed in Part
1175 This chapter contains a section for each aspect of the architecture that is
1176 normally visible to applications.
1179 2.1 Memory Organization and Segmentation
1181 The physical memory of an 80386 system is organized as a sequence of 8-bit
1182 bytes. Each byte is assigned a unique address that ranges from zero to a
1183 maximum of 2^(32) -1 (4 gigabytes).
1185 80386 programs, however, are independent of the physical address space.
1186 This means that programs can be written without knowledge of how much
1187 physical memory is available and without knowledge of exactly where in
1188 physical memory the instructions and data are located.
1190 The model of memory organization seen by applications programmers is
1191 determined by systems-software designers. The architecture of the 80386
1192 gives designers the freedom to choose a model for each task. The model of
1193 memory organization can range between the following extremes:
1195 Ž A "flat" address space consisting of a single array of up to 4
1198 Ž A segmented address space consisting of a collection of up to 16,383
1199 linear address spaces of up to 4 gigabytes each.
1201 Both models can provide memory protection. Different tasks may employ
1202 different models of memory organization. The criteria that designers use to
1203 determine a memory organization model and the means that systems programmers
1204 use to implement that model are covered in Part II, Systems Programming.
1207 2.1.1 The "Flat" Model
1209 In a "flat" model of memory organization, the applications programmer sees
1210 a single array of up to 2^(32) bytes (4 gigabytes). While the physical
1211 memory can contain up to 4 gigabytes, it is usually much smaller; the
1212 processor maps the 4 gigabyte flat space onto the physical address space by
1213 the address translation mechanisms described in Chapter 5. Applications
1214 programmers do not need to know the details of the mapping.
1216 A pointer into this flat address space is a 32-bit ordinal number that may
1217 range from 0 to 2^(32) -1. Relocation of separately-compiled modules in this
1218 space must be performed by systems software (e.g., linkers, locators,
1222 2.1.2 The Segmented Model
1224 In a segmented model of memory organization, the address space as viewed by
1225 an applications program (called the logical address space) is a much larger
1226 space of up to 2^(46) bytes (64 terabytes). The processor maps the 64
1227 terabyte logical address space onto the physical address space (up to 4
1228 gigabytes) by the address translation mechanisms described in Chapter 5.
1229 Applications programmers do not need to know the details of this mapping.
1231 Applications programmers view the logical address space of the 80386 as a
1232 collection of up to 16,383 one-dimensional subspaces, each with a specified
1233 length. Each of these linear subspaces is called a segment. A segment is a
1234 unit of contiguous address space. Segment sizes may range from one byte up
1235 to a maximum of 2^(32) bytes (4 gigabytes).
1237 A complete pointer in this address space consists of two parts (see Figure
1240 1. A segment selector, which is a 16-bit field that identifies a
1243 2. An offset, which is a 32-bit ordinal that addresses to the byte level
1246 During execution of a program, the processor associates with a segment
1247 selector the physical address of the beginning of the segment. Separately
1248 compiled modules can be relocated at run time by changing the base address
1249 of their segments. The size of a segment is variable; therefore, a segment
1250 can be exactly the size of the module it contains.
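A model of the two-part pointer and the per-segment lookup described above, as an added example that is not Intel's code. The segment table and its entries are constructed; the selector field layout assumed here (table index in bits 15..3, table indicator in bit 2, privilege level in bits 1..0) is the 80386 format from later chapters and is not shown on this page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example, not Intel's code.  The segment table is a constructed
 * stand-in for the descriptor tables the 80386 really consults. */

#define MAX_SEGMENTS 8

typedef struct {
    uint32_t base;    /* linear address of the segment's first byte */
    uint32_t limit;   /* highest valid offset, i.e. size - 1 (1 byte .. 4 GB) */
    bool     present; /* false: no segment behind this selector */
} segment_t;

typedef struct {
    uint16_t selector; /* 16-bit segment selector */
    uint32_t offset;   /* 32-bit offset within the segment */
} far_pointer_t;

typedef enum { XLATE_OK, XLATE_BAD_SELECTOR, XLATE_LIMIT_FAULT } xlate_status_t;

/* Selector for table entry i (assumed 80386 layout: index << 3, TI = 0, RPL = 0). */
uint16_t make_selector(unsigned i) { return (uint16_t)(i << 3); }

/* Logical -> linear: look the selector up, bounds-check the offset against
 * the segment limit, then add the offset to the segment base.  The 32-bit
 * sum wraps, as the hardware's linear address does. */
xlate_status_t translate(const segment_t *table, size_t n,
                         far_pointer_t p, uint32_t *linear)
{
    unsigned idx = p.selector >> 3;
    if (idx >= n || !table[idx].present)
        return XLATE_BAD_SELECTOR;
    if (p.offset > table[idx].limit)   /* the protection check: outside the segment */
        return XLATE_LIMIT_FAULT;
    *linear = table[idx].base + p.offset;
    return XLATE_OK;
}

/* Run-time relocation as the text describes it: move the segment's base;
 * every offset inside the module stays valid unchanged. */
void relocate(segment_t *seg, uint32_t new_base) { seg->base = new_base; }

/* Constructed table: entry 1 is a 4 KB module at linear 0x10000,
 * entry 2 a full 4 GB segment based at 0x400000. */
static segment_t demo_table[MAX_SEGMENTS] = {
    [1] = { .base = 0x00010000u, .limit = 0x00000FFFu, .present = true },
    [2] = { .base = 0x00400000u, .limit = 0xFFFFFFFFu, .present = true },
};

/* Status of translating (sel:off) through the demo table. */
xlate_status_t demo_status(uint16_t sel, uint32_t off)
{
    uint32_t lin = 0;
    return translate(demo_table, MAX_SEGMENTS, (far_pointer_t){ sel, off }, &lin);
}

/* Linear address of (sel:off) through the demo table; 0 when translation fails. */
uint32_t demo_linear(uint16_t sel, uint32_t off)
{
    uint32_t lin = 0;
    (void)translate(demo_table, MAX_SEGMENTS, (far_pointer_t){ sel, off }, &lin);
    return lin;
}

/* Relocate the module in entry 1 and translate offset 0x100 again. */
uint32_t demo_relocated(uint32_t new_base)
{
    relocate(&demo_table[1], new_base);
    return demo_linear(make_selector(1), 0x100);
}
```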
1255 Bytes, words, and doublewords are the fundamental data types (refer to
1256 Figure 2-2). A byte is eight contiguous bits starting at any logical
1257 address. The bits are numbered 0 through 7; bit zero is the least
1260 A word is two contiguous bytes starting at any byte address. A word thus
1261 contains 16 bits. The bits of a word are numbered from 0 through 15; bit 0
1262 is the least significant bit. The byte containing bit 0 of the word is
1263 called the low byte; the byte containing bit 15 is called the high byte.
1265 Each byte within a word has its own address, and the smaller of the
1266 addresses is the address of the word. The byte at this lower address
1267 contains the eight least significant bits of the word, while the byte at the
1268 higher address contains the eight most significant bits.
1270 A doubleword is two contiguous words starting at any byte address. A
1271 doubleword thus contains 32 bits. The bits of a doubleword are numbered from
1272 0 through 31; bit 0 is the least significant bit. The word containing bit 0
1273 of the doubleword is called the low word; the word containing bit 31 is
1274 called the high word.
1276 Each byte within a doubleword has its own address, and the smallest of the
1277 addresses is the address of the doubleword. The byte at this lowest address
1278 contains the eight least significant bits of the doubleword, while the byte
1279 at the highest address contains the eight most significant bits. Figure 2-3
1280 illustrates the arrangement of bytes within words and doublewords.
1282 Note that words need not be aligned at even-numbered addresses and
1283 doublewords need not be aligned at addresses evenly divisible by four. This
1284 allows maximum flexibility in data structures (e.g., records containing
1285 mixed byte, word, and doubleword items) and efficiency in memory
1286 utilization. When used in a configuration with a 32-bit bus, actual
1287 transfers of data between processor and memory take place in units of
1288 doublewords beginning at addresses evenly divisible by four; however, the
1289 processor converts requests for misaligned words or doublewords into the
1290 appropriate sequences of requests acceptable to the memory interface. Such
1291 misaligned data transfers reduce performance by requiring extra memory
1292 cycles. For maximum performance, data structures (including stacks) should
1293 be designed in such a way that, whenever possible, word operands are aligned
1294 at even addresses and doubleword operands are aligned at addresses evenly
1295 divisible by four. Due to instruction prefetching and queuing within the
1296 CPU, there is no requirement for instructions to be aligned on word or
1297 doubleword boundaries. (However, a slight increase in speed results if the
1298 target addresses of control transfers are evenly divisible by four.)
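The byte ordering of Figures 2-2 and 2-3 and the cost of a misaligned operand on a 32-bit bus, as an added example that is not part of the manual. The memory image is constructed: addresses 1-3, 6-7 and 9-D carry the values Figure 2-3 gives, while addresses 0, 4, 5 and 8 are placeholders because the figure does not supply them here.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not Intel's code: little-endian word/doubleword fetches
 * and the bus-cycle count of misaligned operands. */

/* Constructed 14-byte memory image.  Bytes 1-3, 6-7 and 9-D follow
 * Figure 2-3; bytes 0, 4, 5 and 8 are placeholder zeros. */
static const uint8_t mem[0x0E] = {
    [0x0] = 0x00, [0x1] = 0x31, [0x2] = 0xCB, [0x3] = 0x74,
    [0x4] = 0x00, [0x5] = 0x00, [0x6] = 0x0B, [0x7] = 0x23,
    [0x8] = 0x00, [0x9] = 0x1F, [0xA] = 0x36, [0xB] = 0x06,
    [0xC] = 0xFE, [0xD] = 0x7A,
};

/* A word is two contiguous bytes; the byte at the lower address is the low
 * byte (bits 7..0), the byte at the higher address the high byte (15..8). */
uint16_t fetch_word(const uint8_t *m, size_t addr)
{
    return (uint16_t)(m[addr] | ((unsigned)m[addr + 1] << 8));
}

/* A doubleword is two contiguous words; the word at the lower address is
 * the low word (bits 15..0). */
uint32_t fetch_dword(const uint8_t *m, size_t addr)
{
    return (uint32_t)fetch_word(m, addr) | ((uint32_t)fetch_word(m, addr + 2) << 16);
}

/* Store in the same order, so a store followed by a fetch round-trips at
 * any byte address. */
void store_dword(uint8_t *m, size_t addr, uint32_t v)
{
    for (unsigned i = 0; i < 4; i++)
        m[addr + i] = (uint8_t)(v >> (8 * i));
}

/* The figure's worked values, read back from the image. */
uint32_t figure_dword_at_A(void) { return fetch_dword(mem, 0xA); }
uint16_t figure_word_at(size_t addr) { return fetch_word(mem, addr); }

/* Number of doubleword-aligned transfers a 32-bit bus needs for an operand
 * of `size` bytes at `addr`: one when it lies inside a single aligned
 * doubleword, two when it straddles a 4-byte boundary, which is the extra
 * memory cycle the text warns about. */
unsigned bus_cycles(uint32_t addr, unsigned size)
{
    uint32_t first = addr / 4;
    uint32_t last  = (addr + size - 1) / 4;
    return (unsigned)(last - first) + 1;
}

/* Round-trip a doubleword through an odd address: misalignment changes the
 * cost of the access, not the value read back. */
uint32_t roundtrip_misaligned(uint32_t v)
{
    uint8_t buf[8] = { 0 };
    store_dword(buf, 3, v);   /* straddles the boundary between dwords 0 and 1 */
    return fetch_dword(buf, 3);
}
```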
1300 Although bytes, words, and doublewords are the fundamental types of
1301 operands, the processor also supports additional interpretations of these
1302 operands. Depending on the instruction referring to the operand, the
1303 following additional data types are recognized:
1306 A signed binary numeric value contained in a 32-bit doubleword, 16-bit word,
1307 or 8-bit byte. All operations assume a 2's complement representation. The
1308 sign bit is located in bit 7 in a byte, bit 15 in a word, and bit 31 in a
1309 doubleword. The sign bit has the value zero for positive integers and one
1310 for negative. Since the high-order bit is used for a sign, the range of an
1311 8-bit integer is -128 through +127; 16-bit integers may range from -32,768
1312 through +32,767; 32-bit integers may range from -2^(31) through +2^(31) -1.
1313 The value zero has a positive sign.
1316 An unsigned binary numeric value contained in a 32-bit doubleword,
1317 16-bit word, or 8-bit byte. All bits are considered in determining
1318 magnitude of the number. The value range of an 8-bit ordinal number
1319 is 0-255; 16 bits can represent values from 0 through 65,535; 32 bits
1320 can represent values from 0 through 2^(32) -1.
1323 A 32-bit logical address. A near pointer is an offset within a segment.
1324 Near pointers are used in either a flat or a segmented model of memory
1328 A 48-bit logical address of two components: a 16-bit segment selector
1329 component and a 32-bit offset component. Far pointers are used by
1330 applications programmers only when systems designers choose a
1331 segmented memory organization.
1334 A contiguous sequence of bytes, words, or doublewords. A string may
1335 contain from zero bytes to 2^(32) -1 bytes (4 gigabytes).
1338 A contiguous sequence of bits. A bit field may begin at any bit position
1339 of any byte and may contain up to 32 bits.
1342 A contiguous sequence of bits. A bit string may begin at any bit position
1343 of any byte and may contain up to 2^(32) -1 bits.
1346 A byte (unpacked) representation of a decimal digit in the range 0 through
1347 9. Unpacked decimal numbers are stored as unsigned byte quantities. One
1348 digit is stored in each byte. The magnitude of the number is determined from
1349 the low-order half-byte; hexadecimal values 0-9 are valid and are
1350 interpreted as decimal numbers. The high-order half-byte must be zero for
1351 multiplication and division; it may contain any value for addition and
1355 A byte (packed) representation of two decimal digits, each in the range
1356 0 through 9. One digit is stored in each half-byte. The digit in the
1357 high-order half-byte is the most significant. Values 0-9 are valid in each
1358 half-byte. The range of a packed decimal byte is 0-99.
1360 Figure 2-4 graphically summarizes the data types supported by the 80386.
1363 Figure 2-1. Two-Component Pointer
[Figure 2-1: a pointer drawn as two parts, a SELECTOR and an OFFSET. The selector picks the SELECTED SEGMENT; the offset is added to that segment's base to reach the OPERAND inside it.]
1382 Figure 2-2. Fundamental Data Types
1390 WORD: HIGH BYTE at address n+1, LOW BYTE at address n
1396 DOUBLEWORD: HIGH WORD at addresses n+3 and n+2, LOW WORD at addresses n+1 and n
1402 Figure 2-3. Bytes, Words, and Doublewords in Memory
1406 All values in hexadecimal. Byte cells shown in the figure: address D holds 7A, B holds 06, 9 holds 1F, 6 holds 0B, 2 holds CB, 1 holds 31.
1410 DOUBLE WORD AT ADDRESS A CONTAINS 7AFE0636
1413 WORD AT ADDRESS B CONTAINS FE06
1418 WORD AT ADDRESS 9 CONTAINS 1F
1423 WORD AT ADDRESS 6 CONTAINS 230B
1431 WORD AT ADDRESS 2 CONTAINS 74CB
1434 WORD AT ADDRESS 1 CONTAINS CB31
1440 Figure 2-4. 80386 Data Types
[Figure 2-4: one drawing per data type. BYTE INTEGER, WORD INTEGER and DOUBLEWORD INTEGER: a SIGN BIT in the most significant position (MSB) followed by the MAGNITUDE. BYTE ORDINAL, WORD ORDINAL and DOUBLEWORD ORDINAL: every bit is MAGNITUDE. BINARY CODED DECIMAL (BCD): one digit per byte, DIGIT N ... DIGIT 1, DIGIT 0. PACKED BCD: two digits per byte, MOST SIGNIFICANT and LEAST SIGNIFICANT digit. BYTE STRING. BIT STRING. NEAR 32-BIT POINTER. FAR 48-BIT POINTER (16-bit selector and 32-bit offset). 32-BIT BIT FIELD, drawn as a run of bits starting at an arbitrary bit position.]
1527 The 80386 contains a total of sixteen registers that are of interest to the
1528 applications programmer. As Figure 2-5 shows, these registers may be
1529 grouped into these basic categories:
1531 1. General registers. These eight 32-bit general-purpose registers are
1532 used primarily to contain operands for arithmetic and logical
1535 2. Segment registers. These special-purpose registers permit systems
1536 software designers to choose either a flat or segmented model of
1537 memory organization. These six registers determine, at any given time,
1538 which segments of memory are currently addressable.
1540 3. Status and instruction registers. These special-purpose registers are
1541 used to record and alter certain aspects of the 80386 processor state.
1544 2.3.1 General Registers
1546 The general registers of the 80386 are the 32-bit registers EAX, EBX, ECX,
1547 EDX, EBP, ESP, ESI, and EDI. These registers are used interchangeably to
1548 contain the operands of logical and arithmetic operations. They may also be
1549 used interchangeably for operands of address computations (except that ESP
1550 cannot be used as an index operand).
1552 As Figure 2-5 shows, the low-order word of each of these eight registers
1553 has a separate name and can be treated as a unit. This feature is useful for
1554 handling 16-bit data items and for compatibility with the 8086 and 80286
1555 processors. The word registers are named AX, BX, CX, DX, BP, SP, SI, and DI.
1557 Figure 2-5 also illustrates that each byte of the 16-bit registers AX, BX,
1558 CX, and DX has a separate name and can be treated as a unit. This feature is
1559 useful for handling characters and other 8-bit data items. The byte
1560 registers are named AH, BH, CH, and DH (high bytes); and AL, BL, CL, and DL
1563 All of the general-purpose registers are available for addressing
1564 calculations and for the results of most arithmetic and logical
1565 calculations; however, a few functions are dedicated to certain registers.
1566 By implicitly choosing registers for these functions, the 80386 architecture
1567 can encode instructions more compactly. The instructions that use specific
1568 registers include: double-precision multiply and divide, I/O, string
1569 instructions, translate, loop, variable shift and rotate, and stack
1573 2.3.2 Segment Registers
1575 The segment registers of the 80386 give systems software designers the
1576 flexibility to choose among various models of memory organization.
1577 Implementation of memory models is the subject of Part II, Systems
1578 Programming. Designers may choose a model in which applications programs do
1579 not need to modify segment registers, in which case applications programmers
1580 may skip this section.
1582 Complete programs generally consist of many different modules, each
1583 consisting of instructions and data. However, at any given time during
1584 program execution, only a small subset of a program's modules are actually
1585 in use. The 80386 architecture takes advantage of this by providing
1586 mechanisms to support direct access to the instructions and data of the
1587 current module's environment, with access to additional segments on demand.
1589 At any given instant, six segments of memory may be immediately accessible
1590 to an executing 80386 program. The segment registers CS, DS, SS, ES, FS, and
1591 GS are used to identify these six current segments. Each of these registers
1592 specifies a particular kind of segment, as characterized by the associated
1593 mnemonics ("code," "data," or "stack") shown in Figure 2-6. Each register
1594 uniquely determines one particular segment, from among the segments that
1595 make up the program, that is to be immediately accessible at highest speed.
1597 The segment containing the currently executing sequence of instructions is
1598 known as the current code segment; it is specified by means of the CS
1599 register. The 80386 fetches all instructions from this code segment, using
1600 as an offset the contents of the instruction pointer. CS is changed
1601 implicitly as the result of intersegment control-transfer instructions (for
1602 example, CALL and JMP), interrupts, and exceptions.
1604 Subroutine calls, parameters, and procedure activation records usually
1605 require that a region of memory be allocated for a stack. All stack
1606 operations use the SS register to locate the stack. Unlike CS, the SS
1607 register can be loaded explicitly, thereby permitting programmers to define
1610 The DS, ES, FS, and GS registers allow the specification of four data
1611 segments, each addressable by the currently executing program. Accessibility
1612 to four separate data areas helps programs efficiently access different
1613 types of data structures; for example, one data segment register can point
1614 to the data structures of the current module, another to the exported data
1615 of a higher-level module, another to a dynamically created data structure,
1616 and another to data shared with another task. An operand within a data
1617 segment is addressed by specifying its offset either directly in an
1618 instruction or indirectly via general registers.
1620 Depending on the structure of data (e.g., the way data is parceled into one
1621 or more segments), a program may require access to more than four data
1622 segments. To access additional segments, the DS, ES, FS, and GS registers
1623 can be changed under program control during the course of a program's
1624 execution. This simply requires that the program execute an instruction to
1625 load the appropriate segment register prior to executing instructions that
1628 The processor associates a base address with each segment selected by a
1629 segment register. To address an element within a segment, a 32-bit offset is
1630 added to the segment's base address. Once a segment is selected (by loading
1631 the segment selector into a segment register), a data manipulation
1632 instruction only needs to specify the offset. Simple rules define which
1633 segment register is used to form an address when only an offset is
1637 Figure 2-5. 80386 Applications Register Set
1642 GENERAL REGISTERS: eight 32-bit registers, EAX, EBX, ECX, EDX, EBP, ESP, ESI and EDI, drawn as rows of four bytes; the low-order word of each has its own name, and the first four also have named high and low bytes.
1662 SEGMENT REGISTERS:
1663 CS (CODE SEGMENT)
1665 SS (STACK SEGMENT)
1667 DS (DATA SEGMENT)
1669 ES (DATA SEGMENT)
1671 FS (DATA SEGMENT)
1673 GS (DATA SEGMENT)
1677 STATUS AND INSTRUCTION REGISTERS:
1680 EFLAGS (FLAGS REGISTER)
1683 EIP (INSTRUCTION POINTER)
1687 Figure 2-6. Use of Memory Segmentation
[Figure 2-6: the six segment registers each select one segment of the running program. The drawing shows them pointing at MODULE A CODE, the STACK (via SS), MODULE A DATA (via DS) and several DATA STRUCTUREs (one labelled DATA STRUCTURE 1) via ES and GS.]
1710 2.3.3 Stack Implementation
1712 Stack operations are facilitated by three registers:
1714 1. The stack segment (SS) register. Stacks are implemented in memory. A
1715 system may have a number of stacks that is limited only by the maximum
1716 number of segments. A stack may be up to 4 gigabytes long, the maximum
1717 length of a segment. One stack is directly addressable at a time: the
1718 one located by SS. This is the current stack, often referred to simply
1719 as "the" stack. SS is used automatically by the processor for all
1722 2. The stack pointer (ESP) register. ESP points to the top of the
1723 push-down stack (TOS). It is referenced implicitly by PUSH and POP
1724 operations, subroutine calls and returns, and interrupt operations.
1725 When an item is pushed onto the stack (see Figure 2-7), the processor
1726 decrements ESP, then writes the item at the new TOS. When an item is
1727 popped off the stack, the processor copies it from TOS, then
1728 increments ESP. In other words, the stack grows down in memory toward
1731 3. The stack-frame base pointer (EBP) register. The EBP is the best
1732 choice of register for accessing data structures, variables and
1733 dynamically allocated work space within the stack. EBP is often used
1734 to access elements on the stack relative to a fixed point on the stack
1735 rather than relative to the current TOS. It typically identifies the
1736 base address of the current stack frame established for the current
1737 procedure. When EBP is used as the base register in an offset
1738 calculation, the offset is calculated automatically in the current
1739 stack segment (i.e., the segment currently selected by SS). Because
1740 SS does not have to be explicitly specified, instruction encoding in
1741 such cases is more efficient. EBP can also be used to index into
1742 segments addressable via other segment registers.
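The push, pop and EBP-relative frame access described in the three points above, modelled in C as an added example that is not Intel's code. The 32-byte stack segment, the bounds checks on push and pop, and the fake return address are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not Intel's code.  The SS segment is a byte array, ESP and
 * EBP are offsets into it, and the stack grows toward lower addresses.  The
 * bounds checks are the model's own; real hardware faults or silently
 * corrupts memory instead. */

#define STACK_BYTES 32u   /* constructed: a 32-byte stack segment */

typedef struct {
    uint8_t  ss[STACK_BYTES]; /* contents of the current stack segment */
    uint32_t esp;             /* offset of the top of stack (TOS) */
    uint32_t ebp;             /* frame base of the current procedure */
    uint32_t esp_initial;     /* bottom of stack (Figure 2-7) */
} cpu_stack_t;

/* Little-endian doubleword access inside the segment. */
static uint32_t load32(const cpu_stack_t *s, uint32_t off)
{
    return (uint32_t)s->ss[off] | (uint32_t)s->ss[off + 1] << 8 |
           (uint32_t)s->ss[off + 2] << 16 | (uint32_t)s->ss[off + 3] << 24;
}

static void store32(cpu_stack_t *s, uint32_t off, uint32_t v)
{
    for (unsigned i = 0; i < 4; i++)
        s->ss[off + i] = (uint8_t)(v >> (8 * i));
}

void stack_init(cpu_stack_t *s)
{
    memset(s, 0, sizeof *s);
    s->esp = s->esp_initial = STACK_BYTES; /* empty: ESP at the bottom */
    s->ebp = s->esp;
}

/* PUSH: decrement ESP, then write the item at the new TOS.  Refused when the
 * item would land below offset 0, i.e. outside the stack segment. */
bool stack_push(cpu_stack_t *s, uint32_t v)
{
    if (s->esp < 4) return false;
    s->esp -= 4;
    store32(s, s->esp, v);
    return true;
}

/* POP: copy the item from TOS, then increment ESP.  Refused when nothing is
 * on the stack, so memory above the bottom is never read. */
bool stack_pop(cpu_stack_t *s, uint32_t *v)
{
    if (s->esp + 4 > s->esp_initial) return false;
    *v = load32(s, s->esp);
    s->esp += 4;
    return true;
}

/* Prologue: save the caller's EBP and make EBP the base of the new frame, so
 * arguments and locals are addressed from a fixed point rather than the TOS. */
bool frame_enter(cpu_stack_t *s)
{
    if (!stack_push(s, s->ebp)) return false;
    s->ebp = s->esp;
    return true;
}

/* Argument n of the current frame: above the saved EBP (4 bytes) and the
 * 4-byte return address a CALL pushes (modelled here by an explicit push). */
uint32_t frame_arg(const cpu_stack_t *s, unsigned n)
{
    return load32(s, s->ebp + 8 + 4 * n);
}

/* Epilogue: discard locals, restore the caller's EBP. */
bool frame_leave(cpu_stack_t *s)
{
    s->esp = s->ebp;
    return stack_pop(s, &s->ebp);
}

/* Worked call: push arguments 0x2222 and 0x1111 (last argument first), a
 * constructed return address 0x0040, enter the callee's frame, read argument
 * 0 through EBP, leave.  Returns the argument read, 0x1111. */
uint32_t demo_call(void)
{
    cpu_stack_t s;
    stack_init(&s);
    stack_push(&s, 0x2222u);
    stack_push(&s, 0x1111u);
    stack_push(&s, 0x0040u);
    frame_enter(&s);
    uint32_t arg0 = frame_arg(&s, 0);
    frame_leave(&s);
    return arg0;
}

/* Pushes that fit before one would leave the segment (8 here), or -1 if a
 * pop on the empty stack were wrongly accepted. */
int demo_bounds(void)
{
    cpu_stack_t s; uint32_t v; int n = 0;
    stack_init(&s);
    if (stack_pop(&s, &v)) return -1;
    while (stack_push(&s, (uint32_t)n)) n++;
    return n;
}
```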
1745 Figure 2-7. 80386 Stack
[Figure 2-7: the stack segment drawn as doubleword rows. The BOTTOM OF STACK (INITIAL ESP VALUE) is at the top of the drawing, the highest address; the TOP OF STACK, located by ESP, lies below it, and each push moves ESP toward lower addresses.]
1765 2.3.4 Flags Register
1767 The flags register is a 32-bit register named EFLAGS. Figure 2-8 defines
1768 the bits within this register. The flags control certain operations and
1769 indicate the status of the 80386.
1771 The low-order 16 bits of EFLAGS are named FLAGS and can be treated as a
1772 unit. This feature is useful when executing 8086 and 80286 code, because
1773 this part of EFLAGS is identical to the FLAGS register of the 8086 and the
1776 The flags may be considered in three groups: the status flags, the control
1777 flags, and the systems flags. Discussion of the systems flags is delayed
1781 Figure 2-8. EFLAGS Register
1783 16-BIT FLAGS REGISTER: bits 15 through 0 of EFLAGS
1787 BIT(S)  FLAG
31-18   0 (reserved)
17      VM  VIRTUAL 8086 MODE     X
16      RF  RESUME FLAG           X
15      0 (reserved)
14      NT  NESTED TASK FLAG      X
13-12   IOPL  I/O PRIVILEGE LEVEL X
11      OF  OVERFLOW              S
10      DF  DIRECTION FLAG        C
9       IF  INTERRUPT ENABLE      X
8       TF  TRAP FLAG             S
7       SF  SIGN FLAG             S
6       ZF  ZERO FLAG             S
5       0 (reserved)
4       AF  AUXILIARY CARRY       S
3       0 (reserved)
2       PF  PARITY FLAG           S
1       1 (reserved)
0       CF  CARRY FLAG            S
1807 S = STATUS FLAG, C = CONTROL FLAG, X = SYSTEM FLAG
1809 NOTE: 0 OR 1 INDICATES INTEL RESERVED. DO NOT DEFINE
1812 2.3.4.1 Status Flags
1814 The status flags of the EFLAGS register allow the results of one
1815 instruction to influence later instructions. The arithmetic instructions use
1816 OF, SF, ZF, AF, PF, and CF. The SCAS (Scan String), CMPS (Compare String),
1817 and LOOP instructions use ZF to signal that their operations are complete.
1818 There are instructions to set, clear, and complement CF before execution of
1819 an arithmetic instruction. Refer to Appendix C for definition of each
1823 2.3.4.2 Control Flag
1825 The control flag DF of the EFLAGS register controls string instructions.
1827 DF (Direction Flag, bit 10)
1829 Setting DF causes string instructions to auto-decrement; that is, to
1830 process strings from high addresses to low addresses. Clearing DF causes
1831 string instructions to auto-increment, or to process strings from low
1832 addresses to high addresses.
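The undefined-bit guidelines of section 1.3.2 applied to the EFLAGS layout of Figure 2-8, as an added example that is not from the manual. The bit positions are the 80386 EFLAGS layout; the sample snapshot and the hypothetical extra reserved bits it carries are constructed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not Intel's code.  Bit positions follow Figure 2-8: CF 0,
 * PF 2, AF 4, ZF 6, SF 7, TF 8, IF 9, DF 10, OF 11, IOPL 13-12, NT 14,
 * RF 16, VM 17; bit 1 reads as 1, bits 3, 5, 15 and 31-18 read as 0, and all
 * of those are Intel reserved. */

enum {
    EFL_CF = 1u << 0,  EFL_PF = 1u << 2,  EFL_AF = 1u << 4,  EFL_ZF = 1u << 6,
    EFL_SF = 1u << 7,  EFL_TF = 1u << 8,  EFL_IF = 1u << 9,  EFL_DF = 1u << 10,
    EFL_OF = 1u << 11, EFL_IOPL = 3u << 12, EFL_NT = 1u << 14,
    EFL_RF = 1u << 16, EFL_VM = 1u << 17
};

/* Every bit the figure names; everything else is reserved/undefined. */
#define EFL_DEFINED (EFL_CF | EFL_PF | EFL_AF | EFL_ZF | EFL_SF | EFL_TF | EFL_IF | \
                     EFL_DF | EFL_OF | EFL_IOPL | EFL_NT | EFL_RF | EFL_VM)

/* Guideline 1: mask before testing, so no test depends on a reserved bit. */
bool efl_test(uint32_t eflags, uint32_t flag)
{
    return (eflags & EFL_DEFINED & flag) != 0;
}

/* Two-bit I/O privilege level field (bits 13-12). */
unsigned efl_iopl(uint32_t eflags) { return (eflags & EFL_IOPL) >> 12; }

/* Guideline 4, first form: a value to load with every reserved bit zero. */
uint32_t efl_compose(uint32_t flags) { return flags & EFL_DEFINED; }

/* Guideline 4, second form: change defined bits but carry the reserved bits
 * over unchanged from a value previously read from the same register.
 * Requests to set or clear a reserved bit are ignored. */
uint32_t efl_update(uint32_t previous, uint32_t set, uint32_t clear)
{
    uint32_t reserved = previous & ~EFL_DEFINED;
    uint32_t defined  = previous & EFL_DEFINED;
    defined = (defined & ~(clear & EFL_DEFINED)) | (set & EFL_DEFINED);
    return reserved | defined;
}

/* Guideline 2: compare two snapshots on the defined bits only, so a value
 * stored and read back is not judged by what the reserved bits did. */
bool efl_equal(uint32_t a, uint32_t b) { return ((a ^ b) & EFL_DEFINED) == 0; }

/* Constructed snapshot: CF, ZF and IF set, IOPL = 3, reserved bit 1 reading
 * as 1, and reserved bits 20 and 21 set by a hypothetical later processor
 * that gave them a meaning. */
#define SAMPLE_EFLAGS 0x00303243u
```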
1835 2.3.4.3 Instruction Pointer
1837 The instruction pointer register (EIP) contains the offset address,
1838 relative to the start of the current code segment, of the next sequential
1839 instruction to be executed. The instruction pointer is not directly visible
1840 to the programmer; it is controlled implicitly by control-transfer
1841 instructions, interrupts, and exceptions.
1843 As Figure 2-9 shows, the low-order 16 bits of EIP are named IP and can be
1844 used by the processor as a unit. This feature is useful when executing
1845 instructions designed for the 8086 and 80286 processors.
1848 Figure 2-9. Instruction Pointer Register
1853 EIP (INSTRUCTION POINTER): 32 bits; the low-order 16 bits are IP
1858 2.4 Instruction Format
1860 The information encoded in an 80386 instruction includes a specification of
1861 the operation to be performed, the type of the operands to be manipulated,
1862 and the location of these operands. If an operand is located in memory, the
1863 instruction must also select, explicitly or implicitly, which of the
1864 currently addressable segments contains the operand.
1866 80386 instructions are composed of various elements and have various
1867 formats. The exact format of instructions is shown in Appendix B; the
1868 elements of instructions are described below. Of these instruction elements,
1869 only one, the opcode, is always present. The other elements may or may not
1870 be present, depending on the particular operation involved and on the
1871 location and type of the operands. The elements of an instruction, in order
1872 of occurrence are as follows:
• Prefixes -- one or more bytes preceding an instruction that modify the
  operation of the instruction. The following types of prefixes can be
  used by applications programs:

  1. Segment override -- explicitly specifies which segment register an
     instruction should use, thereby overriding the default
     segment-register selection used by the 80386 for that instruction.

  2. Address size -- switches between 32-bit and 16-bit address

  3. Operand size -- switches between 32-bit and 16-bit operands.

  4. Repeat -- used with a string instruction to cause the instruction
     to act on each element of the string.

• Opcode -- specifies the operation performed by the instruction. Some
  operations have several different opcodes, each specifying a different
  variant of the operation.

• Register specifier -- an instruction may specify one or two register
  operands. Register specifiers may occur either in the same byte as the
  opcode or in the same byte as the addressing-mode specifier.

• Addressing-mode specifier -- when present, specifies whether an operand
  is a register or memory location; if in memory, specifies whether a
  displacement, a base register, an index register, and scaling are to be

• SIB (scale, index, base) byte -- when the addressing-mode specifier
  indicates that an index register will be used to compute the address of
  an operand, an SIB byte is included in the instruction to encode the
  base register, the index register, and a scaling factor.

• Displacement -- when the addressing-mode specifier indicates that a
  displacement will be used to compute the address of an operand, the
  displacement is encoded in the instruction. A displacement is a signed
  integer of 32, 16, or eight bits. The eight-bit form is used in the
  common case when the displacement is sufficiently small. The processor
  extends an eight-bit displacement to 16 or 32 bits, taking into

• Immediate operand -- when present, directly provides the value of an
  operand of the instruction. Immediate operands may be 8, 16, or 32 bits
  wide. In cases where an eight-bit immediate operand is combined in some
  way with a 16- or 32-bit operand, the processor automatically extends
  the size of the eight-bit operand, taking into account the sign.
1923 2.5 Operand Selection
1925 An instruction can act on zero or more operands, which are the data
1926 manipulated by the instruction. An example of a zero-operand instruction is
1927 NOP (no operation). An operand can be in any of these locations:
• In the instruction itself (an immediate operand)

• In a register (EAX, EBX, ECX, EDX, ESI, EDI, ESP, or EBP in the case
  of 32-bit operands; AX, BX, CX, DX, SI, DI, SP, or BP in the case of
  16-bit operands; AH, AL, BH, BL, CH, CL, DH, or DL in the case of 8-bit
  operands; the segment registers; or the EFLAGS register for flag
1941 Immediate operands and operands in registers can be accessed more rapidly
1942 than operands in memory since memory operands must be fetched from memory.
1943 Register operands are available in the CPU. Immediate operands are also
1944 available in the CPU, because they are prefetched as part of the
1947 Of the instructions that have operands, some specify operands implicitly;
1948 others specify operands explicitly; still others use a combination of
1949 implicit and explicit specification; for example:
1951 Implicit operand: AAM
1953 By definition, AAM (ASCII adjust for multiplication) operates on the
1954 contents of the AX register.
1956 Explicit operand: XCHG EAX, EBX
1958 The operands to be exchanged are encoded in the instruction after the
1961 Implicit and explicit operands: PUSH COUNTER
1963 The memory variable COUNTER (the explicit operand) is copied to the top of
1964 the stack (the implicit operand).
1966 Note that most instructions have implicit operands. All arithmetic
1967 instructions, for example, update the EFLAGS register.
1969 An 80386 instruction can explicitly reference one or two operands.
1970 Two-operand instructions, such as MOV, ADD, XOR, etc., generally overwrite
1971 one of the two participating operands with the result. A distinction can
1972 thus be made between the source operand (the one unaffected by the
1973 operation) and the destination operand (the one overwritten by the result).
1975 For most instructions, one of the two explicitly specified operands‘‘either
1976 the source or the destination‘‘can be either in a register or in memory.
1977 The other operand must be in a register or be an immediate source operand.
1978 Thus, the explicit two-operand instructions of the 80386 permit operations
1979 of the following kinds:
• Register-to-register
• Register-to-memory
• Memory-to-register
• Immediate-to-register
• Immediate-to-memory
1987 Certain string instructions and stack manipulation instructions, however,
1988 transfer data from memory to memory. Both operands of some string
1989 instructions are in memory and are implicitly specified. Push and pop stack
1990 operations allow transfer between memory operands and the memory-based
1994 2.5.1 Immediate Operands
1996 Certain instructions use data from the instruction itself as one (and
1997 sometimes two) of the operands. Such an operand is called an immediate
1998 operand. The operand may be 32-, 16-, or 8-bits long. For example:
2002 One byte of the instruction holds the value 2, the number of bits by which
2003 to shift the variable PATTERN.
2005 TEST PATTERN, 0FFFF00FFH
2007 A doubleword of the instruction holds the mask that is used to test the
2011 2.5.2 Register Operands
Operands may be located in one of the 32-bit general registers (EAX, EBX,
ECX, EDX, ESI, EDI, ESP, or EBP), in one of the 16-bit general registers
(AX, BX, CX, DX, SI, DI, SP, or BP), or in one of the 8-bit general
registers (AH, BH, CH, DH, AL, BL, CL, or DL).
2018 The 80386 has instructions for referencing the segment registers (CS, DS,
2019 ES, SS, FS, GS). These instructions are used by applications programs only
2020 if systems designers have chosen a segmented memory model.
2022 The 80386 also has instructions for referring to the flag register. The
2023 flags may be stored on the stack and restored from the stack. Certain
2024 instructions change the commonly modified flags directly in the EFLAGS
2025 register. Other flags that are seldom modified can be modified indirectly
2026 via the flags image in the stack.
2029 2.5.3 Memory Operands
2031 Data-manipulation instructions that address operands in memory must specify
2032 (either directly or indirectly) the segment that contains the operand and
2033 the offset of the operand within the segment. However, for speed and compact
2034 instruction encoding, segment selectors are stored in the high speed segment
2035 registers. Therefore, data-manipulation instructions need to specify only
2036 the desired segment register and an offset in order to address a memory
2039 An 80386 data-manipulation instruction that accesses memory uses one of the
2040 following methods for specifying the offset of a memory operand within its
2043 1. Most data-manipulation instructions that access memory contain a byte
2044 that explicitly specifies the addressing method for the operand. A
2045 byte, known as the modR/M byte, follows the opcode and specifies
2046 whether the operand is in a register or in memory. If the operand is
2047 in memory, the address is computed from a segment register and any of
2048 the following values: a base register, an index register, a scaling
2049 factor, a displacement. When an index register is used, the modR/M
2050 byte is also followed by another byte that identifies the index
2051 register and scaling factor. This addressing method is the
2054 2. A few data-manipulation instructions implicitly use specialized
• For a few short forms of MOV that implicitly use the EAX register,
  the offset of the operand is coded as a doubleword in the
  instruction. No base register, index register, or scaling factor

• String operations implicitly address memory via DS:ESI (MOVS,
  CMPS, OUTS, LODS) or via ES:EDI (MOVS, CMPS, INS, STOS, SCAS).

• Stack operations implicitly address operands via SS:ESP
  registers; e.g., PUSH, POP, PUSHA, PUSHAD, POPA, POPAD, PUSHF,
  PUSHFD, POPF, POPFD, CALL, RET, IRET, IRETD, exceptions, and
2071 2.5.3.1 Segment Selection
2073 Data-manipulation instructions need not explicitly specify which segment
2074 register is used. For all of these instructions, specification of a segment
2075 register is optional. For all memory accesses, if a segment is not
2076 explicitly specified by the instruction, the processor automatically chooses
2077 a segment register according to the rules of Table 2-1. (If systems
2078 designers have chosen a flat model of memory organization, the segment
2079 registers and the rules that the processor uses in choosing them are not
2080 apparent to applications programs.)
2082 There is a close connection between the kind of memory reference and the
2083 segment in which that operand resides. As a rule, a memory reference implies
2084 the current data segment (i.e., the implicit segment selector is in DS).
2085 However, ESP and EBP are used to access items on the stack; therefore, when
2086 the ESP or EBP register is used as a base register, the current stack
2087 segment is implied (i.e., SS contains the selector).
Special instruction prefix elements may be used to override the default
segment selection. Segment-override prefixes allow an explicit segment
selection. The 80386 has a segment-override prefix for each of the segment
registers. Only in the following special cases is there an implied segment
selection that a segment prefix cannot override:

• The use of ES for destination strings in string instructions.
• The use of SS in stack instructions.
• The use of CS for instruction fetches.
Table 2-1. Default Segment Register Selection Rules

Memory Reference Needed   Segment      Implicit Segment Selection Rule
-----------------------   -----------  ------------------------------------
Instructions              Code (CS)    Automatic with instruction prefetch
Stack                     Stack (SS)   All stack pushes and pops. Any
                                       memory reference that uses ESP or
                                       EBP as a base register.
Local Data                Data (DS)    All data references except when
                                       relative to stack or string
Destination Strings       Extra (ES)   Destination of string instructions.
2116 2.5.3.2 Effective-Address Computation
2118 The modR/M byte provides the most flexible of the addressing methods, and
2119 instructions that require a modR/M byte as the second byte of the
2120 instruction are the most common in the 80386 instruction set. For memory
2121 operands defined by modR/M, the offset within the desired segment is
2122 calculated by taking the sum of up to three components:
• A displacement element in the instruction.

• A base register.

• An index register. The index register may be automatically multiplied
  by a scaling factor of 2, 4, or 8.

The offset that results from adding these components is called an effective
address. Each of these components of an effective address may have either a
positive or negative value. If the sum of all the components exceeds 2^(32),
the effective address is truncated to 32 bits. Figure 2-10 illustrates the
full set of possibilities for modR/M addressing.
2137 The displacement component, because it is encoded in the instruction, is
2138 useful for fixed aspects of addressing; for example:
• Location of simple scalar operands.
• Beginning of a statically allocated array.
• Offset of an item within a record.

The base and index components have similar functions. Both utilize the same
set of general registers. Both can be used for aspects of addressing that
are determined dynamically; for example:

• Location of procedure parameters and local variables in stack.
• The beginning of one record among several occurrences of the same
  record type or in an array of records.
• The beginning of one dimension of multiple dimension array.
• The beginning of a dynamically allocated array.
2157 The uses of general registers as base or index components differ in the
• ESP cannot be used as an index register.
• When ESP or EBP is used as the base register, the default segment is
  the one selected by SS. In all other cases the default segment is DS.
2165 The scaling factor permits efficient indexing into an array in the common
2166 cases when array elements are 2, 4, or 8 bytes wide. The shifting of the
2167 index register is done by the processor at the time the address is evaluated
2168 with no performance loss. This eliminates the need for a separate shift or
2169 multiply instruction.
2171 The base, index, and displacement components may be used in any
2172 combination; any of these components may be null. A scale factor can be used
2173 only when an index is also used. Each possible combination is useful for
2174 data structures commonly used by programmers in high-level languages and
2175 assembly languages. Following are possible uses for some of the various
2176 combinations of address components.
DISPLACEMENT

The displacement alone indicates the offset of the operand. This
combination is used to directly address a statically allocated scalar
operand. An 8-bit, 16-bit, or 32-bit displacement can be used.

BASE

The offset of the operand is specified indirectly in one of the general
registers, as for "based" variables.

BASE + DISPLACEMENT

A register and a displacement can be used together for two distinct
2194 1. Index into static array when element size is not 2, 4, or 8 bytes.
2195 The displacement component encodes the offset of the beginning of
2196 the array. The register holds the results of a calculation to
2197 determine the offset of a specific element within the array.
2199 2. Access item of a record. The displacement component locates an
2200 item within record. The base register selects one of several
2201 occurrences of record, thereby providing a compact encoding for
2202 this common function.
2204 An important special case of this combination, is to access parameters
2205 in the procedure activation record in the stack. In this case, EBP is
2206 the best choice for the base register, because when EBP is used as a
2207 base register, the processor automatically uses the stack segment
2208 register (SS) to locate the operand, thereby providing a compact
2209 encoding for this common function.
2211 (INDEX * SCALE) + DISPLACEMENT
2213 This combination provides efficient indexing into a static array when
2214 the element size is 2, 4, or 8 bytes. The displacement addresses the
2215 beginning of the array, the index register holds the subscript of the
2216 desired array element, and the processor automatically converts the
2217 subscript into an index by applying the scaling factor.
2219 BASE + INDEX + DISPLACEMENT
2221 Two registers used together support either a two-dimensional array (the
2222 displacement determining the beginning of the array) or one of several
2223 instances of an array of records (the displacement indicating an item
2226 BASE + (INDEX * SCALE) + DISPLACEMENT
2228 This combination provides efficient indexing of a two-dimensional array
2229 when the elements of the array are 2, 4, or 8 bytes wide.
Figure 2-10. Effective Address Computation

SEGMENT  +   BASE   +   INDEX  *  SCALE  +  DISPLACEMENT

 +----+     +-----+     +-----+    +---+    +---------------------+
 | CS |     | EAX |     | EAX |    | 1 |    | NO DISPLACEMENT     |
 | SS |     | ECX |     | ECX |    | 2 |    | 8-BIT DISPLACEMENT  |
 | DS |  +  | EDX |  +  | EDX |  * | 4 |  + | 32-BIT DISPLACEMENT |
 | ES |     | EBX |     | EBX |    | 8 |    +---------------------+
 | FS |     | ESP |     | --- |    +---+
 | GS |     | EBP |     | EBP |
 +----+     | ESI |     | ESI |
            | EDI |     | EDI |
            +-----+     +-----+

("---" in the INDEX column: ESP cannot be used as an index register.)
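The following C program is an added example, not part of the manual: it decodes a modR/M byte, its optional SIB byte and displacement, and computes the effective address and default segment for 32-bit addressing exactly as the components above are summed. The special encodings it relies on (rm=100 selects a SIB byte; mod=00 with rm=101, or with SIB base=101, selects a 32-bit displacement and no base; SIB index=100 means no index) are the 80386 rules from Appendix B, which this page does not reproduce, and the test encodings are hand-assembled for the example. The point a reviewer of memory accesses should take from it is the last step: the sum is formed modulo 2^32, so a large index or a negative displacement wraps around inside the segment instead of faulting.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Register numbers as encoded in the reg/rm fields and in the SIB base/index fields. */
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };
enum seg { SEG_DS = 0, SEG_SS = 1 };

struct regs { uint32_t r[8]; };   /* indexed by the enum above */

struct ea {
    int      is_reg;   /* mod == 11: the operand is register rm, no memory access */
    int      reg;      /* that register number, when is_reg is set */
    uint32_t offset;   /* effective address: the offset within the segment */
    enum seg seg;      /* default segment register when no override prefix is present */
    size_t   len;      /* bytes consumed: modR/M [+ SIB] [+ displacement] */
    int      err;      /* 1 if the bytes end before the encoding is complete */
};

/* Decode the modR/M byte, with any SIB byte and displacement, that follows an
 * opcode; 32-bit addressing, no prefixes. The special encodings below
 * (rm=100: SIB byte follows; mod=00 with rm=101, or with SIB base=101: 32-bit
 * displacement and no base; SIB index=100: no index) are the 80386 rules of
 * Appendix B, assumed here because this page does not reproduce them. */
struct ea decode_ea(const uint8_t *p, size_t n, const struct regs *rg)
{
    struct ea e = {0};
    if (n < 1) { e.err = 1; return e; }

    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    size_t   i = 1;                              /* next byte to consume */
    int      base = (int)rm, index = -1, have_base = 1;
    unsigned scale = 1, disp_bytes = 0;

    if (mod == 3) { e.is_reg = 1; e.reg = (int)rm; e.len = 1; return e; }

    if (rm == 4) {                               /* SIB byte present */
        if (n < 2) { e.err = 1; return e; }
        uint8_t sib = p[1]; i = 2;
        scale = 1u << (sib >> 6);                /* ss field: 1, 2, 4 or 8 */
        index = (sib >> 3) & 7;
        base  = sib & 7;
        if (index == ESP) index = -1;            /* ESP cannot be an index register */
        if (base == EBP && mod == 0) { have_base = 0; disp_bytes = 4; }
    } else if (rm == 5 && mod == 0) {            /* [disp32] with no base register */
        have_base = 0; disp_bytes = 4;
    }
    if (mod == 1) disp_bytes = 1;                /* 8-bit displacement, sign-extended */
    else if (mod == 2) disp_bytes = 4;

    if (n < i + disp_bytes) { e.err = 1; return e; }
    int32_t disp = 0;
    if (disp_bytes == 1)
        disp = (int8_t)p[i];
    else if (disp_bytes == 4)
        disp = (int32_t)((uint32_t)p[i] | (uint32_t)p[i + 1] << 8 |
                         (uint32_t)p[i + 2] << 16 | (uint32_t)p[i + 3] << 24);
    i += disp_bytes;

    /* The components are summed modulo 2^32 ("truncated to 32 bits"): a large
     * index or a negative displacement wraps around inside the segment rather
     * than faulting, which is what lets an unchecked index reach anywhere. */
    uint32_t off = (uint32_t)disp;
    if (have_base)  off += rg->r[base];
    if (index >= 0) off += rg->r[index] * scale;

    e.offset = off;
    e.seg    = (have_base && (base == ESP || base == EBP)) ? SEG_SS : SEG_DS;
    e.len    = i;
    return e;
}

/* Hand-assembled encodings (constructed for this example) checked against the
 * expected offset, default segment and length; returns the number of misses. */
int selftest(void)
{
    struct regs rg = {{0}};
    rg.r[EBX] = 0x1000; rg.r[EBP] = 0x2000; rg.r[ESI] = 3; rg.r[ESP] = 0x7FFF0000;
    static const struct { uint8_t b[6]; size_t n; uint32_t want; enum seg seg; size_t len; } t[] = {
        { {0x43, 0x08},                         2, 0x00001008, SEG_DS, 2 }, /* [EBX+8]       */
        { {0x45, 0xFC},                         2, 0x00001FFC, SEG_SS, 2 }, /* [EBP-4]       */
        { {0x44, 0x24, 0x10},                   3, 0x7FFF0010, SEG_SS, 3 }, /* [ESP+16], SIB */
        { {0x04, 0xB5, 0x00, 0x01, 0x00, 0x00}, 6, 0x0000010C, SEG_DS, 6 }, /* [ESI*4+0x100] */
        { {0x05, 0x78, 0x56, 0x34, 0x12},       5, 0x12345678, SEG_DS, 5 }, /* [0x12345678]  */
    };
    int bad = 0;
    for (size_t k = 0; k < sizeof t / sizeof t[0]; k++) {
        struct ea e = decode_ea(t[k].b, t[k].n, &rg);
        if (e.err || e.is_reg || e.offset != t[k].want || e.seg != t[k].seg || e.len != t[k].len)
            bad++;
    }
    return bad;
}

int main(void)
{
    struct regs rg = {{0}};
    rg.r[EBX] = 0xFFFFFFF0u;
    const uint8_t enc[] = {0x43, 0x20};          /* [EBX+0x20] */
    struct ea e = decode_ea(enc, sizeof enc, &rg);
    printf("[EBX+0x20] with EBX=FFFFFFF0 -> offset %08X (wrapped)\n", e.offset);
    printf("selftest misses: %d\n", selftest());
    return 0;
}
```

The decoder returns the default segment alongside the offset so that the SS-versus-DS rule of Table 2-1 (SS whenever ESP or EBP is the base, DS otherwise, including the no-base disp32 forms) is visible in the result; a segment-override prefix, not modelled here, would replace that default.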
2249 2.6 Interrupts and Exceptions
2251 The 80386 has two mechanisms for interrupting program execution:
2253 1. Exceptions are synchronous events that are the responses of the CPU
2254 to certain conditions detected during the execution of an instruction.
2256 2. Interrupts are asynchronous events typically triggered by external
2257 devices needing attention.
2259 Interrupts and exceptions are alike in that both cause the processor to
2260 temporarily suspend its present program execution in order to execute a
2261 program of higher priority. The major distinction between these two kinds of
2262 interrupts is their origin. An exception is always reproducible by
2263 re-executing with the program and data that caused the exception, whereas an
2264 interrupt is generally independent of the currently executing program.
2266 Application programmers are not normally concerned with servicing
2267 interrupts. More information on interrupts for systems programmers may be
2268 found in Chapter 9. Certain exceptions, however, are of interest to
2269 applications programmers, and many operating systems give applications
2270 programs the opportunity to service these exceptions. However, the operating
2271 system itself defines the interface between the applications programs and
2272 the exception mechanism of the 80386.
2274 Table 2-2 highlights the exceptions that may be of interest to applications
• A divide error exception results when the instruction DIV or IDIV is
  executed with a zero denominator or when the quotient is too large for
  the destination operand. (Refer to Chapter 3 for a discussion of DIV

• The debug exception may be reflected back to an applications program
  if it results from the trap flag (TF).

• A breakpoint exception results when the instruction INT 3 is executed.
  This instruction is used by some debuggers to stop program execution at

• An overflow exception results when the INTO instruction is executed
  and the OF (overflow) flag is set (after an arithmetic operation that
  set the OF flag). (Refer to Chapter 3 for a discussion of INTO).

• A bounds check exception results when the BOUND instruction is
  executed and the array index it checks falls outside the bounds of the
  array. (Refer to Chapter 3 for a discussion of the BOUND instruction.)

• Invalid opcodes may be used by some applications to extend the
  instruction set. In such a case, the invalid opcode exception presents
  an opportunity to emulate the opcode.

• The "coprocessor not available" exception occurs if the program
  contains instructions for a coprocessor, but no coprocessor is present

• A coprocessor error is generated when a coprocessor detects an illegal
2308 The instruction INT generates an interrupt whenever it is executed; the
2309 processor treats this interrupt as an exception. The effects of this
2310 interrupt (and the effects of all other exceptions) are determined by
2311 exception handler routines provided by the application program or as part of
2312 the systems software (provided by systems programmers). The INT instruction
2313 itself is discussed in Chapter 3. Refer to Chapter 9 for a more complete
2314 description of exceptions.
Table 2-2. 80386 Reserved Exceptions and Interrupts

Vector Number   Description
-------------   -----------------------------
0               Divide Error
1               Debug Exceptions
2               NMI Interrupt
3               Breakpoint
4               INTO Detected Overflow
5               BOUND Range Exceeded
6               Invalid Opcode
7               Coprocessor Not Available
8               Double Fault
9               Coprocessor Segment Overrun
10              Invalid Task State Segment
11              Segment Not Present
12              Stack Fault
13              General Protection
14              Page Fault
15              (reserved)
16              Coprocessor Error
17-32           (reserved)
2341 Chapter 3 Applications Instruction Set
------------------------------------------------------------------------------
2345 This chapter presents an overview of the instructions which programmers can
2346 use to write application software for the 80386 executing in protected
2347 virtual-address mode. The instructions are grouped by categories of related
2350 The instructions not discussed in this chapter are those that are normally
2351 used only by operating-system programmers. Part II describes the operation
2352 of these instructions.
2354 The descriptions in this chapter assume that the 80386 is operating in
2355 protected mode with 32-bit addressing in effect; however, all instructions
2356 discussed are also available when 16-bit addressing is in effect in
2357 protected mode, real mode, or virtual 8086 mode. For any differences of
2358 operation that exist in the various modes, refer to Chapter 13,
2359 Chapter 14, or Chapter 15.
2361 The instruction dictionary in Chapter 17 contains more detailed
2362 descriptions of all instructions, including encoding, operation, timing,
2363 effect on flags, and exceptions.
2366 3.1 Data Movement Instructions
2368 These instructions provide convenient methods for moving bytes, words, or
2369 doublewords of data between memory and the registers of the base
2370 architecture. They fall into the following classes:
2372 1. General-purpose data movement instructions.
2373 2. Stack manipulation instructions.
2374 3. Type-conversion instructions.
2377 3.1.1 General-Purpose Data Movement Instructions
MOV (Move) transfers a byte, word, or doubleword from the source operand to
the destination operand. The MOV instruction is useful for transferring data
along any of these paths:

• To a register from memory
• To memory from a register
• Between general registers
• Immediate data to a register
• Immediate data to memory

There are also variants of MOV that operate on segment registers. These
are covered in a later section of this chapter.

The MOV instruction cannot move from memory to memory or from segment
register to segment register. Memory-to-memory moves can be performed,
however, by the string move instruction MOVS.
XCHG (Exchange) swaps the contents of two operands. This instruction takes
the place of three MOV instructions. It does not require a temporary
location to save the contents of one operand while the other is being
loaded. XCHG is especially useful for implementing semaphores or similar
data structures for process synchronization.
2401 The XCHG instruction can swap two byte operands, two word operands, or two
2402 doubleword operands. The operands for the XCHG instruction may be two
2403 register operands, or a register operand with a memory operand. When used
2404 with a memory operand, XCHG automatically activates the LOCK signal. (Refer
2405 to Chapter 11 for more information on the bus lock.)
2408 3.1.2 Stack Manipulation Instructions
2410 PUSH (Push) decrements the stack pointer (ESP), then transfers the source
2411 operand to the top of stack indicated by ESP (see Figure 3-1). PUSH is
2412 often used to place parameters on the stack before calling a procedure; it
2413 is also the basic means of storing temporary variables on the stack. The
2414 PUSH instruction operates on memory operands, immediate operands, and
2415 register operands (including segment registers).
2417 PUSHA (Push All Registers) saves the contents of the eight general
2418 registers on the stack (see Figure 3-2). This instruction simplifies
2419 procedure calls by reducing the number of instructions required to retain
2420 the contents of the general registers for use in a procedure. The processor
2421 pushes the general registers on the stack in the following order: EAX, ECX,
2422 EDX, EBX, the initial value of ESP before EAX was pushed, EBP, ESI, and
2423 EDI. PUSHA is complemented by the POPA instruction.
POP (Pop) transfers the word or doubleword at the current top of stack
(indicated by ESP) to the destination operand, and then increments ESP to
point to the new top of stack. See Figure 3-3. POP moves information from
the stack to a general register or to memory. There is also a variant of
POP that operates on segment registers; it is covered in a later section
of this chapter.
2432 POPA (Pop All Registers) restores the registers saved on the stack by
2433 PUSHA, except that it ignores the saved value of ESP. See Figure 3-4.
Figure 3-1. PUSH
[Figure: two stack panels, BEFORE PUSH and AFTER PUSH, each a column of
doublewords (bits 31..0) in the stack segment, with the direction of
expansion toward lower addresses. After PUSH, ESP points one doubleword
lower than before and the pushed operand occupies that doubleword.]
Figure 3-2. PUSHA
[Figure: stack panels BEFORE PUSHA and AFTER PUSHA, direction of expansion
toward lower addresses. After PUSHA, ESP has moved down eight doublewords;
the slots from the old top of stack downward hold EAX, ECX, EDX, EBX, the
original ESP, EBP, ESI, and EDI, so the new ESP points at the saved EDI.]
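An added example, not part of the manual, that models the stack operations of this section in C: a stack segment addressed through ESP, PUSH and POP with the decrement-then-store and load-then-increment ordering given above, PUSHA with the eight-register order from the text, and POPA skipping the saved ESP. The 4 KiB segment size, the -1 return in place of a stack fault, and pusha_slot_offset (the offset from ESP at which each saved register lies after PUSHA, useful when reading a frame in a debugger or a crash dump) are this example's own constructs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A model of the stack: a 4 KiB stack segment (assumed size) addressed
 * through SS, with r[ESP] the offset of the current top of stack. Operand
 * size is 32 bits, so every push and pop moves ESP by 4. */
#define STACK_SIZE 4096
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

struct cpu {
    uint32_t r[8];             /* general registers, indexed by the enum */
    uint8_t  ss[STACK_SIZE];   /* memory of the stack segment */
};

static void     wr32(struct cpu *c, uint32_t off, uint32_t v) { memcpy(c->ss + off, &v, 4); }
static uint32_t rd32(const struct cpu *c, uint32_t off)       { uint32_t v; memcpy(&v, c->ss + off, 4); return v; }

/* PUSH: decrement ESP, then store the operand at the new top of stack.
 * Returns -1 instead of writing below the segment (where the processor
 * would raise a stack fault). */
int push32(struct cpu *c, uint32_t v)
{
    if (c->r[ESP] < 4) return -1;
    c->r[ESP] -= 4;
    wr32(c, c->r[ESP], v);
    return 0;
}

/* POP: load the doubleword at the top of stack, then increment ESP. */
int pop32(struct cpu *c, uint32_t *v)
{
    if (c->r[ESP] > STACK_SIZE - 4) return -1;
    *v = rd32(c, c->r[ESP]);
    c->r[ESP] += 4;
    return 0;
}

/* The order in which PUSHA stores the registers. */
static const int pusha_order[8] = { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

/* PUSHA: eight pushes; the ESP pushed is its value before the first push. */
int pusha(struct cpu *c)
{
    uint32_t orig_esp = c->r[ESP];
    for (int i = 0; i < 8; i++) {
        uint32_t v = (pusha_order[i] == ESP) ? orig_esp : c->r[pusha_order[i]];
        if (push32(c, v) < 0) return -1;
    }
    return 0;
}

/* POPA: the reverse order; the saved ESP is read and discarded, so ESP ends
 * up where the eight pops leave it. */
int popa(struct cpu *c)
{
    for (int i = 7; i >= 0; i--) {
        uint32_t v;
        if (pop32(c, &v) < 0) return -1;
        if (pusha_order[i] != ESP) c->r[pusha_order[i]] = v;
    }
    return 0;
}

/* After PUSHA, the offset from ESP at which a register's saved copy lies:
 * EDI at [ESP], the saved ESP at [ESP+12], EAX at [ESP+28]. */
uint32_t pusha_slot_offset(int reg)
{
    for (int i = 0; i < 8; i++)
        if (pusha_order[i] == reg) return (uint32_t)(7 - i) * 4;
    return 0;
}

/* Exercises PUSHA/POPA on constructed register values; returns 0 if every
 * check passes, otherwise the number of the first failing check. */
int selftest(void)
{
    static struct cpu c;                       /* static: 4 KiB, keep it off the C stack */
    memset(&c, 0, sizeof c);
    c.r[ESP] = STACK_SIZE;                     /* empty stack: top of the segment */
    for (int i = 0; i < 8; i++) if (i != ESP) c.r[i] = 0x11111111u * (uint32_t)(i + 1);
    if (pusha(&c) < 0) return 1;
    if (c.r[ESP] != STACK_SIZE - 32) return 2;
    if (rd32(&c, c.r[ESP] + pusha_slot_offset(ESP)) != STACK_SIZE) return 3;  /* ESP before PUSHA */
    if (rd32(&c, c.r[ESP] + pusha_slot_offset(EAX)) != 0x11111111u) return 4;
    wr32(&c, c.r[ESP] + pusha_slot_offset(ESP), 0xDEADBEEFu);                  /* POPA must ignore this */
    for (int i = 0; i < 8; i++) if (i != ESP) c.r[i] = 0;
    if (popa(&c) < 0) return 5;
    if (c.r[ESP] != STACK_SIZE) return 6;
    if (c.r[EBX] != 0x44444444u || c.r[EDI] != 0x88888888u) return 7;
    return 0;
}

int main(void)
{
    printf("PUSHA frame: EDI at [ESP+%u], saved ESP at [ESP+%u], EAX at [ESP+%u]\n",
           pusha_slot_offset(EDI), pusha_slot_offset(ESP), pusha_slot_offset(EAX));
    printf("selftest result: %d\n", selftest());
    return 0;
}
```

The selftest overwrites the saved-ESP slot before POPA to make the "ignores the saved value of ESP" rule observable: ESP still returns to its pre-PUSHA value because it is recomputed by the eight pops, not loaded from the frame.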
2488 3.1.3 Type Conversion Instructions
2490 The type conversion instructions convert bytes into words, words into
2491 doublewords, and doublewords into 64-bit items (quad-words). These
2492 instructions are especially useful for converting signed integers, because
2493 they automatically fill the extra bits of the larger item with the value of
2494 the sign bit of the smaller item. This kind of conversion, illustrated by
2495 Figure 3-5, is called sign extension.
2497 There are two classes of type conversion instructions:
2499 1. The forms CWD, CDQ, CBW, and CWDE which operate only on data in the
2502 2. The forms MOVSX and MOVZX, which permit one operand to be in any
2503 general register while permitting the other operand to be in memory or
2506 CWD (Convert Word to Doubleword) and CDQ (Convert Doubleword to Quad-Word)
2507 double the size of the source operand. CWD extends the sign of the
2508 word in register AX throughout register DX. CDQ extends the sign of the
2509 doubleword in EAX throughout EDX. CWD can be used to produce a doubleword
2510 dividend from a word before a word division, and CDQ can be used to produce
2511 a quad-word dividend from a doubleword before doubleword division.
2513 CBW (Convert Byte to Word) extends the sign of the byte in register AL
2516 CWDE (Convert Word to Doubleword Extended) extends the sign of the word in
2517 register AX throughout EAX.
MOVSX (Move with Sign Extension) sign-extends an 8-bit value to a 16-bit
value and an 8- or 16-bit value to a 32-bit value.

MOVZX (Move with Zero Extension) extends an 8-bit value to a 16-bit value
and an 8- or 16-bit value to a 32-bit value by inserting high-order zeros.
Figure 3-3. POP
[Figure: stack panels BEFORE POP and AFTER POP, direction of expansion
toward lower addresses. After POP, the doubleword at the old top of stack
has been transferred to the destination operand and ESP points one
doubleword higher.]
Figure 3-4. POPA
[Figure: stack panels BEFORE POPA and AFTER POPA. POPA loads EDI, ESI,
EBP, (skips the saved ESP), EBX, EDX, ECX, and EAX from successive
doublewords, leaving ESP eight doublewords higher than before.]
2578 Figure 3-5. Sign Extension
                         15                            0
                         +-+-----------------------------+
BEFORE SIGN EXTENSION    |S|N N N N N N N N N N N N N N N|
                         +-+-----------------------------+

                         31                                                            0
                         +-+-------------------------------+-----------------------------+
AFTER SIGN EXTENSION     |S|S S S S S S S S S S S S S S S S|N N N N N N N N N N N N N N N|
                         +-+-------------------------------+-----------------------------+
2592 3.2 Binary Arithmetic Instructions
2594 The arithmetic instructions of the 80386 processor simplify the
2595 manipulation of numeric data that is encoded in binary. Operations include
2596 the standard add, subtract, multiply, and divide as well as increment,
2597 decrement, compare, and change sign. Both signed and unsigned binary
2598 integers are supported. The binary arithmetic instructions may also be used
2599 as one step in the process of performing arithmetic on decimal integers.
2601 Many of the arithmetic instructions operate on both signed and unsigned
2602 integers. These instructions update the flags ZF, CF, SF, and OF in such a
2603 manner that subsequent instructions can interpret the results of the
2604 arithmetic as either signed or unsigned. CF contains information relevant to
2605 unsigned integers; SF and OF contain information relevant to signed
2606 integers. ZF is relevant to both signed and unsigned integers; ZF is set
2607 when all bits of the result are zero.
2609 If the integer is unsigned, CF may be tested after one of these arithmetic
2610 operations to determine whether the operation required a carry or borrow of
2611 a one-bit in the high-order position of the destination operand. CF is set
2612 if a one-bit was carried out of the high-order position (addition
2613 instructions ADD, ADC, AAA, and DAA) or if a one-bit was carried (i.e.
2614 borrowed) into the high-order bit (subtraction instructions SUB, SBB, AAS,
2617 If the integer is signed, both SF and OF should be tested. SF always has
2618 the same value as the sign bit of the result. The most significant bit (MSB)
2619 of a signed integer is the bit next to the sign‘‘bit 6 of a byte, bit 14 of
2620 a word, or bit 30 of a doubleword. OF is set in either of these cases:
• A one-bit was carried out of the MSB into the sign bit but no one bit
  was carried out of the sign bit (addition instructions ADD, ADC, INC,
  AAA, and DAA). In other words, the result was greater than the greatest
  positive number that could be contained in the destination operand.

• A one-bit was carried from the sign bit into the MSB but no one bit
  was carried into the sign bit (subtraction instructions SUB, SBB, DEC,
  AAS, DAS, CMP, and NEG). In other words, the result was smaller than
  the smallest negative number that could be contained in the destination
2633 These status flags are tested by executing one of the two families of
2634 conditional instructions: Jcc (jump on condition cc) or SETcc (byte set on
2638 3.2.1 Addition and Subtraction Instructions
ADD (Add Integers) replaces the destination operand with the sum of the
source and destination operands. CF is set if a one-bit was carried out of
the high-order position (the unsigned result did not fit); OF is set if the
signed result did not fit.
2643 ADC (Add Integers with Carry) sums the operands, adds one if CF is set, and
2644 replaces the destination operand with the result. If CF is cleared, ADC
2645 performs the same operation as the ADD instruction. An ADD followed by
2646 multiple ADC instructions can be used to add numbers longer than 32 bits.
2648 INC (Increment) adds one to the destination operand. INC does not affect
2649 CF. Use ADD with an immediate value of 1 if an increment that updates carry
2652 SUB (Subtract Integers) subtracts the source operand from the destination
2653 operand and replaces the destination operand with the result. If a borrow is
2654 required, the CF is set. The operands may be signed or unsigned bytes,
2655 words, or doublewords.
2657 SBB (Subtract Integers with Borrow) subtracts the source operand from the
2658 destination operand, subtracts 1 if CF is set, and returns the result to the
2659 destination operand. If CF is cleared, SBB performs the same operation as
SUB. SUB followed by multiple SBB instructions may be used to subtract
numbers longer than 32 bits.
2664 DEC (Decrement) subtracts 1 from the destination operand. DEC does not
2665 update CF. Use SUB with an immediate value of 1 to perform a decrement that
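Added example (not from the Intel manual): a C model of the CF and OF rules stated above for 32-bit ADD/ADC and SUB/SBB, and of the ADD-then-ADC chain the text recommends for integers longer than 32 bits. The type and function names (flags32, add32, sub32, add_limbs, add64_by_limbs) are this example's own; testing OF after signed arithmetic and CF after unsigned arithmetic is what catches the integer overflows that higher-level code otherwise wraps silently.

```c
#include <stdint.h>
#include <stdio.h>

/* Flags produced by one 32-bit add or subtract (names are this example's own). */
typedef struct { uint32_t result; int cf; int of; int sf; int zf; } flags32;

/* ADD (carry_in = 0) or ADC (carry_in = CF): dst + src + carry_in.
 * CF: a one-bit carried out of bit 31 (unsigned overflow).
 * OF: carry into the sign bit differs from carry out of it (signed overflow). */
static flags32 add32(uint32_t dst, uint32_t src, int carry_in)
{
    flags32 f;
    uint64_t wide = (uint64_t)dst + src + (carry_in ? 1u : 0u);
    /* carry into bit 31 is the carry out of the low 31 bits */
    uint32_t low = (dst & 0x7FFFFFFFu) + (src & 0x7FFFFFFFu) + (carry_in ? 1u : 0u);
    f.result = (uint32_t)wide;
    f.cf = (int)((wide >> 32) & 1u);
    f.of = (int)((low >> 31) & 1u) ^ f.cf;
    f.sf = (int)(f.result >> 31);
    f.zf = (f.result == 0);
    return f;
}

/* SUB (borrow_in = 0) or SBB (borrow_in = CF): dst - src - borrow_in.
 * CF: a borrow was required by the high-order bit.
 * OF: borrow into the sign bit differs from borrow out of it. */
static flags32 sub32(uint32_t dst, uint32_t src, int borrow_in)
{
    flags32 f;
    uint64_t wide = (uint64_t)dst - src - (borrow_in ? 1u : 0u);
    /* bit 31 of this 31-bit difference is the borrow into the sign bit */
    uint32_t low = (dst & 0x7FFFFFFFu) - (src & 0x7FFFFFFFu) - (borrow_in ? 1u : 0u);
    f.result = (uint32_t)wide;
    f.cf = (int)((wide >> 32) & 1u);
    f.of = (int)((low >> 31) & 1u) ^ f.cf;
    f.sf = (int)(f.result >> 31);
    f.zf = (f.result == 0);
    return f;
}

/* ADD on the low limb, ADC on every higher limb: the manual's recipe for
 * adding numbers longer than 32 bits. Limbs are little-endian. Returns the
 * final CF, i.e. whether the sum overflowed the whole multi-limb number. */
static int add_limbs(uint32_t *dst, const uint32_t *src, size_t n)
{
    int carry = 0;
    for (size_t i = 0; i < n; i++) {
        flags32 f = add32(dst[i], src[i], carry);   /* ADD on limb 0, ADC after */
        dst[i] = f.result;
        carry = f.cf;
    }
    return carry;
}

/* 64-bit add built from two 32-bit limbs; returns the (wrapped) sum. */
static uint64_t add64_by_limbs(uint64_t a, uint64_t b)
{
    uint32_t d[2] = { (uint32_t)a, (uint32_t)(a >> 32) };
    uint32_t s[2] = { (uint32_t)b, (uint32_t)(b >> 32) };
    add_limbs(d, s, 2);
    return ((uint64_t)d[1] << 32) | d[0];
}

/* Same addition, but returns the carry out of the top limb (1 = 64-bit overflow). */
static int add64_overflowed(uint64_t a, uint64_t b)
{
    uint32_t d[2] = { (uint32_t)a, (uint32_t)(a >> 32) };
    uint32_t s[2] = { (uint32_t)b, (uint32_t)(b >> 32) };
    return add_limbs(d, s, 2);
}

static void show(const char *what, flags32 f)
{
    printf("%-16s result=%08X CF=%d OF=%d SF=%d ZF=%d\n",
           what, (unsigned)f.result, f.cf, f.of, f.sf, f.zf);
}

int main(void)
{
    show("ADD 7FFFFFFF,1", add32(0x7FFFFFFFu, 1u, 0));   /* OF=1: signed overflow   */
    show("ADD FFFFFFFF,1", add32(0xFFFFFFFFu, 1u, 0));   /* CF=1: unsigned overflow */
    show("SUB 80000000,1", sub32(0x80000000u, 1u, 0));   /* OF=1: signed underflow  */
    show("SUB 0,1", sub32(0u, 1u, 0));                   /* CF=1: borrow            */
    printf("64-bit: %016llX  overflow=%d\n",
           (unsigned long long)add64_by_limbs(0xFFFFFFFFull, 1ull),
           add64_overflowed(0xFFFFFFFFFFFFFFFFull, 1ull));
    return 0;
}
```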
2669 3.2.2 Comparison and Sign Change Instruction
2671 CMP (Compare) subtracts the source operand from the destination operand. It
2672 updates OF, SF, ZF, AF, PF, and CF but does not alter the source and
2673 destination operands. A subsequent Jcc or SETcc instruction can test the
2676 NEG (Negate) subtracts a signed integer operand from zero. The effect of
2677 NEG is to reverse the sign of the operand from positive to negative or from
2678 negative to positive.
2681 3.2.3 Multiplication Instructions
2683 The 80386 has separate multiply instructions for unsigned and signed
2684 operands. MUL operates on unsigned numbers, while IMUL operates on signed
2685 integers as well as unsigned.
2687 MUL (Unsigned Integer Multiply) performs an unsigned multiplication of the
2688 source operand and the accumulator. If the source is a byte, the processor
2689 multiplies it by the contents of AL and returns the double-length result to
2690 AH and AL. If the source operand is a word, the processor multiplies it by
2691 the contents of AX and returns the double-length result to DX and AX. If the
2692 source operand is a doubleword, the processor multiplies it by the contents
2693 of EAX and returns the 64-bit result in EDX and EAX. MUL sets CF and OF
2694 when the upper half of the result is nonzero; otherwise, they are cleared.
2696 IMUL (Signed Integer Multiply) performs a signed multiplication operation.
2697 IMUL has three variations:
2699 1. A one-operand form. The operand may be a byte, word, or doubleword
2700 located in memory or in a general register. This instruction uses EAX
2701 and EDX as implicit operands in the same way as the MUL instruction.
2703 2. A two-operand form. One of the source operands may be in any general
2704 register while the other may be either in memory or in a general
2705 register. The product replaces the general-register operand.
2707 3. A three-operand form; two are source and one is the destination
2708 operand. One of the source operands is an immediate value stored in
2709 the instruction; the second may be in memory or in any general
2710 register. The product may be stored in any general register. The
2711 immediate operand is treated as signed. If the immediate operand is a
2712 byte, the processor automatically sign-extends it to the size of the
2713 second operand before performing the multiplication.
2715 The three forms are similar in most respects:
• The length of the product is calculated to twice the length of the
• The CF and OF flags are set when significant bits are carried into the
high-order half of the result. CF and OF are cleared when the
high-order half of the result is the sign-extension of the low-order
2725 However, forms 2 and 3 differ in that the product is truncated to the
2726 length of the operands before it is stored in the destination register.
2727 Because of this truncation, OF should be tested to ensure that no
2728 significant bits are lost. (For ways to test OF, refer to the INTO and PUSHF
2731 Forms 2 and 3 of IMUL may also be used with unsigned operands because,
2732 whether the operands are signed or unsigned, the low-order half of the
2733 product is the same.
2736 3.2.4 Division Instructions
2738 The 80386 has separate division instructions for unsigned and signed
2739 operands. DIV operates on unsigned numbers, while IDIV operates on signed
2740 integers as well as unsigned. In either case, an exception (interrupt zero)
2741 occurs if the divisor is zero or if the quotient is too large for AL, AX, or
2744 DIV (Unsigned Integer Divide) performs an unsigned division of the
2745 accumulator by the source operand. The dividend (the accumulator) is twice
2746 the size of the divisor (the source operand); the quotient and remainder
2747 have the same size as the divisor, as the following table shows.
Size of Source Operand (divisor)   Dividend   Quotient   Remainder
Doubleword                         EDX:EAX    EAX        EDX
2756 Non-integral quotients are truncated to integers toward 0. The remainder is
2757 always less than the divisor. For unsigned byte division, the largest
2758 quotient is 255. For unsigned word division, the largest quotient is 65,535.
2759 For unsigned doubleword division the largest quotient is 2^(32) -1.
2761 IDIV (Signed Integer Divide) performs a signed division of the accumulator
2762 by the source operand. IDIV uses the same registers as the DIV instruction.
2764 For signed byte division, the maximum positive quotient is +127, and the
2765 minimum negative quotient is -128. For signed word division, the maximum
2766 positive quotient is +32,767, and the minimum negative quotient is -32,768.
2767 For signed doubleword division the maximum positive quotient is 2^(31) -1,
2768 the minimum negative quotient is -2^(31). Non-integral results are truncated
2769 towards 0. The remainder always has the same sign as the dividend and is
2770 less than the divisor in magnitude.
2773 3.3 Decimal Arithmetic Instructions
2775 Decimal arithmetic is performed by combining the binary arithmetic
2776 instructions (already discussed in the prior section) with the decimal
2777 arithmetic instructions. The decimal arithmetic instructions are used in one
2778 of the following ways:
• To adjust the results of a previous binary arithmetic operation to
produce a valid packed or unpacked decimal result.
• To adjust the inputs to a subsequent binary arithmetic operation so
that the operation will produce a valid packed or unpacked decimal
2787 These instructions operate only on the AL or AH registers. Most utilize the
2791 3.3.1 Packed BCD Adjustment Instructions
2793 DAA (Decimal Adjust after Addition) adjusts the result of adding two valid
2794 packed decimal operands in AL. DAA must always follow the addition of two
2795 pairs of packed decimal numbers (one digit in each half-byte) to obtain a
2796 pair of valid packed decimal digits as results. The carry flag is set if
2799 DAS (Decimal Adjust after Subtraction) adjusts the result of subtracting
2800 two valid packed decimal operands in AL. DAS must always follow the
2801 subtraction of one pair of packed decimal numbers (one digit in each half-
2802 byte) from another to obtain a pair of valid packed decimal digits as
2803 results. The carry flag is set if a borrow was needed.
2806 3.3.2 Unpacked BCD Adjustment Instructions
2808 AAA (ASCII Adjust after Addition) changes the contents of register AL to a
2809 valid unpacked decimal number, and zeros the top 4 bits. AAA must always
2810 follow the addition of two unpacked decimal operands in AL. The carry flag
2811 is set and AH is incremented if a carry is necessary.
2813 AAS (ASCII Adjust after Subtraction) changes the contents of register AL to
2814 a valid unpacked decimal number, and zeros the top 4 bits. AAS must always
2815 follow the subtraction of one unpacked decimal operand from another in AL.
2816 The carry flag is set and AH decremented if a borrow is necessary.
2818 AAM (ASCII Adjust after Multiplication) corrects the result of a
2819 multiplication of two valid unpacked decimal numbers. AAM must always follow
2820 the multiplication of two decimal numbers to produce a valid decimal result.
2821 The high order digit is left in AH, the low order digit in AL.
2823 AAD (ASCII Adjust before Division) modifies the numerator in AH and AL to
2824 prepare for the division of two valid unpacked decimal operands so that the
2825 quotient produced by the division will be a valid unpacked decimal number.
2826 AH should contain the high-order digit and AL the low-order digit. This
2827 instruction adjusts the value and places the result in AL. AH will contain
2831 3.4 Logical Instructions
2833 The group of logical instructions includes:
• The Boolean operation instructions
• Bit test and modify instructions
• Bit scan instructions
• Rotate and shift instructions
• Byte set on condition
2842 3.4.1 Boolean Operation Instructions
2844 The logical operations are AND, OR, XOR, and NOT.
2846 NOT (Not) inverts the bits in the specified operand to form a one's
2847 complement of the operand. The NOT instruction is a unary operation that
2848 uses a single operand in a register or memory. NOT has no effect on the
2851 The AND, OR, and XOR instructions perform the standard logical operations
2852 "and", "(inclusive) or", and "exclusive or". These instructions can use the
2853 following combinations of operands:
• Two register operands
• A general register operand with a memory operand
• An immediate operand with either a general register operand or a
2862 AND, OR, and XOR clear OF and CF, leave AF undefined, and update SF, ZF,
2866 3.4.2 Bit Test and Modify Instructions
2868 This group of instructions operates on a single bit which can be in memory
2869 or in a general register. The location of the bit is specified as an offset
2870 from the low-order end of the operand. The value of the offset either may be
2871 given by an immediate byte in the instruction or may be contained in a
2874 These instructions first assign the value of the selected bit to CF, the
2875 carry flag. Then a new value is assigned to the selected bit, as determined
2876 by the operation. OF, SF, ZF, AF, PF are left in an undefined state. Table
2877 3-1 defines these instructions.
Table 3-1. Bit Test and Modify Instructions

Instruction                      Effect on CF    Effect on Selected Bit
BT  (Bit Test)                   CF := BIT       (none)
BTS (Bit Test and Set)           CF := BIT       BIT := 1
BTR (Bit Test and Reset)         CF := BIT       BIT := 0
BTC (Bit Test and Complement)    CF := BIT       BIT := NOT(BIT)
2891 3.4.3 Bit Scan Instructions
2893 These instructions scan a word or doubleword for a one-bit and store the
2894 index of the first set bit into a register. The bit string being scanned
2895 may be either in a register or in memory. The ZF flag is set if the entire
2896 word is zero (no set bits are found); ZF is cleared if a one-bit is found.
2897 If no set bit is found, the value of the destination register is undefined.
2899 BSF (Bit Scan Forward) scans from low-order to high-order (starting from
2902 BSR (Bit Scan Reverse) scans from high-order to low-order (starting from
2903 bit index 15 of a word or index 31 of a doubleword).
2906 3.4.4 Shift and Rotate Instructions
2908 The shift and rotate instructions reposition the bits within the specified
2911 These instructions fall into the following classes:
• Shift instructions
• Double shift instructions
• Rotate instructions
2918 3.4.4.1 Shift Instructions
2920 The bits in bytes, words, and doublewords may be shifted arithmetically or
2921 logically. Depending on the value of a specified count, bits can be shifted
2924 A shift instruction can specify the count in one of three ways. One form of
2925 shift instruction implicitly specifies the count as a single shift. The
2926 second form specifies the count as an immediate value. The third form
2927 specifies the count as the value contained in CL. This last form allows the
2928 shift count to be a variable that the program supplies during execution.
2929 Only the low order 5 bits of CL are used.
2931 CF always contains the value of the last bit shifted out of the destination
2932 operand. In a single-bit shift, OF is set if the value of the high-order
2933 (sign) bit was changed by the operation. Otherwise, OF is cleared. Following
2934 a multibit shift, however, the content of OF is always undefined.
2936 The shift instructions provide a convenient way to accomplish division or
2937 multiplication by binary power. Note however that division of signed numbers
2938 by shifting right is not the same kind of division performed by the IDIV
2941 SAL (Shift Arithmetic Left) shifts the destination byte, word, or
2942 doubleword operand left by one or by the number of bits specified in the
2943 count operand (an immediate value or the value contained in CL). The
2944 processor shifts zeros in from the right (low-order) side of the operand as
2945 bits exit from the left (high-order) side. See Figure 3-6.
2947 SHL (Shift Logical Left) is a synonym for SAL (refer to SAL).
2949 SHR (Shift Logical Right) shifts the destination byte, word, or doubleword
2950 operand right by one or by the number of bits specified in the count operand
2951 (an immediate value or the value contained in CL). The processor shifts
2952 zeros in from the left side of the operand as bits exit from the right side.
2955 SAR (Shift Arithmetic Right) shifts the destination byte, word, or
2956 doubleword operand to the right by one or by the number of bits specified in
2957 the count operand (an immediate value or the value contained in CL). The
2958 processor preserves the sign of the operand by shifting in zeros on the left
2959 (high-order) side if the value is positive or by shifting by ones if the
2960 value is negative. See Figure 3-8.
2962 Even though this instruction can be used to divide integers by a power of
2963 two, the type of division is not the same as that produced by the IDIV
2964 instruction. The quotient of IDIV is rounded toward zero, whereas the
2965 "quotient" of SAR is rounded toward negative infinity. This difference is
2966 apparent only for negative numbers. For example, when IDIV is used to divide
2967 -9 by 4, the result is -2 with a remainder of -1. If SAR is used to shift
2968 -9 right by two bits, the result is -3. The "remainder" of this kind of
2969 division is +3; however, the SAR instruction stores only the high-order bit
2970 of the remainder (in CF).
2972 The code sequence in Figure 3-9 produces the same result as IDIV for any M
2973 = 2^(N), where 0 < N < 32. This sequence takes about 12 to 18 clocks,
2974 depending on whether the jump is taken; if ECX contains M, the corresponding
2975 IDIV ECX instruction will take about 43 clocks.
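Added example (not from the Intel manual): a C model of SAR versus IDIV on the -9 / 4 case above and of the Figure 3-9 fix-up (add 2^N - 1 to a negative dividend before shifting). int32_t stands in for EAX; sar32, sar32_cf, idiv_pow2, sar_div_like_idiv and count_mismatches are this example's own names. The check loop stops at N = 30 because 2^31 cannot be held as a signed 32-bit divisor.

```c
#include <stdint.h>
#include <stdio.h>

/* SAR EAX,N modelled explicitly, without relying on C's implementation-
 * defined right shift of negative values: shift as unsigned, then copy the
 * sign bit into the vacated high-order positions. Only the low 5 bits of
 * the count are used, as for a count held in CL. */
static int32_t sar32(int32_t x, unsigned n)
{
    uint32_t u = (uint32_t)x;
    n &= 31;
    uint32_t shifted = u >> n;
    if (x < 0 && n != 0)
        shifted |= ~(0xFFFFFFFFu >> n);            /* shift in ones */
    return (int32_t)shifted;
}

/* CF after SAR by n: the last bit shifted out, i.e. the high-order bit of
 * the discarded low n bits (the "remainder" of the shift). A count of 0
 * leaves CF unchanged on the 80386; 0 is returned here for simplicity. */
static int sar32_cf(int32_t x, unsigned n)
{
    n &= 31;
    return n == 0 ? 0 : (int)(((uint32_t)x >> (n - 1)) & 1u);
}

/* IDIV by 2^N: C's / truncates toward zero, exactly as IDIV does. */
static int32_t idiv_pow2(int32_t x, unsigned n)
{
    return x / (int32_t)(1u << (n & 31));
}

/* Figure 3-9's adjustment: for a negative dividend add 2^N - 1 before the
 * shift, so the result is truncated toward zero like IDIV. */
static int32_t sar_div_like_idiv(int32_t x, unsigned n)
{
    n &= 31;
    if (x < 0)
        x += (int32_t)((1u << n) - 1u);   /* no overflow: x < 0, bias < 2^31 */
    return sar32(x, n);
}

/* Compare the adjusted shift with IDIV for every dividend in [lo, hi] and
 * every count 1..30; returns the number of mismatches (expected 0). */
static long count_mismatches(int32_t lo, int32_t hi)
{
    long bad = 0;
    for (int64_t x = lo; x <= hi; x++)
        for (unsigned n = 1; n <= 30; n++)
            if (sar_div_like_idiv((int32_t)x, n) != idiv_pow2((int32_t)x, n))
                bad++;
    return bad;
}

int main(void)
{
    /* the manual's case: -9 divided by 4 (N = 2) */
    printf("IDIV -9,4      -> %d\n", idiv_pow2(-9, 2));         /* -2 */
    printf("SAR  -9,2      -> %d  CF=%d\n", sar32(-9, 2), sar32_cf(-9, 2)); /* -3, CF=1 */
    printf("adjusted SAR   -> %d\n", sar_div_like_idiv(-9, 2));  /* -2 */
    printf("mismatches in [-5000,5000]: %ld\n", count_mismatches(-5000, 5000));
    return 0;
}
```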
Figure 3-6. SAL and SHL

                      CF   Operand (32 bits)
BEFORE SHL            X    10001000100010001000100010001111
AFTER SHL BY 1        1    00010001000100010001000100011110
AFTER SHL BY 10       0    00100010001000100011110000000000
2991 SHL (WHICH HAS THE SYNONYM SAL) SHIFTS THE BITS IN THE REGISTER OR MEMORY
2992 OPERAND TO THE LEFT BY THE SPECIFIED NUMBER OF BIT POSITIONS. CF RECEIVES
2993 THE LAST BIT SHIFTED OUT OF THE LEFT OF THE OPERAND. SHL SHIFTS IN ZEROS
2994 TO FILL THE VACATED BIT LOCATIONS. THESE INSTRUCTIONS OPERATE ON BYTE,
2995 WORD, AND DOUBLEWORD OPERANDS.
Figure 3-7. SHR

                      Operand (32 bits)                   CF
BEFORE SHR            10001000100010001000100010001111    X
AFTER SHR BY 1        01000100010001000100010001000111    1
AFTER SHR BY 10       00000000001000100010001000100010    0
3010 SHR SHIFTS THE BITS OF THE REGISTER OR MEMORY OPERAND TO THE RIGHT BY THE
3011 SPECIFIED NUMBER OF BIT POSITIONS. CF RECEIVES THE LAST BIT SHIFTED OUT OF
3012 THE RIGHT OF THE OPERAND. SHR SHIFTS IN ZEROS TO FILL THE VACATED BIT
Figure 3-8. SAR

                      Operand (32 bits)                   CF
BEFORE SAR            01000100010001000100010001000111    X
AFTER SAR BY 1        00100010001000100010001000100011    1

BEFORE SAR            11000100010001000100010001000111    X
AFTER SAR BY 1        11100010001000100010001000100011    1
3032 SAR PRESERVES THE SIGN OF THE REGISTER OR MEMORY OPERAND AS IT SHIFTS THE
OPERAND TO THE RIGHT BY THE SPECIFIED NUMBER OF BIT POSITIONS. CF RECEIVES
3034 THE LAST BIT SHIFTED OUT OF THE RIGHT OF THE OPERAND.
3037 Figure 3-9. Using SAR to Simulate IDIV
; assuming N is in ECX, and the dividend is in EAX
    CMP EAX, 0         ; to set sign flag          2
    JGE NoAdjust       ; jump if sign is zero      3 or 9
    DEC EAX            ; EAX := EAX + (N-1)        2
; TOTAL CLOCKS 12 or 18
3050 3.4.4.2 Double-Shift Instructions
3052 These instructions provide the basic operations needed to implement
3053 operations on long unaligned bit strings. The double shifts operate either
3054 on word or doubleword operands, as follows:
3056 1. Taking two word operands as input and producing a one-word output.
3058 2. Taking two doubleword operands as input and producing a doubleword
3061 Of the two input operands, one may either be in a general register or in
3062 memory, while the other may only be in a general register. The results
3063 replace the memory or register operand. The number of bits to be shifted is
3064 specified either in the CL register or in an immediate byte of the
3067 Bits are shifted from the register operand into the memory or register
3068 operand. CF is set to the value of the last bit shifted out of the
3069 destination operand. SF, ZF, and PF are set according to the value of the
3070 result. OF and AF are left undefined.
3072 SHLD (Shift Left Double) shifts bits of the R/M field to the left, while
3073 shifting high-order bits from the Reg field into the R/M field on the right
3074 (see Figure 3-10). The result is stored back into the R/M operand. The Reg
3075 field is not modified.
3077 SHRD (Shift Right Double) shifts bits of the R/M field to the right, while
3078 shifting low-order bits from the Reg field into the R/M field on the left
3079 (see Figure 3-11). The result is stored back into the R/M operand. The Reg
3080 field is not modified.
3083 3.4.4.3 Rotate Instructions
3085 Rotate instructions allow bits in bytes, words, and doublewords to be
3086 rotated. Bits rotated out of an operand are not lost as in a shift, but are
3087 "circled" back into the other "end" of the operand.
3089 Rotates affect only the carry and overflow flags. CF may act as an
3090 extension of the operand in two of the rotate instructions, allowing a bit
3091 to be isolated and then tested by a conditional jump instruction (JC or
3092 JNC). CF always contains the value of the last bit rotated out, even if the
3093 instruction does not use this bit as an extension of the rotated operand.
3095 In single-bit rotates, OF is set if the operation changes the high-order
3096 (sign) bit of the destination operand. If the sign bit retains its original
3097 value, OF is cleared. On multibit rotates, the value of OF is always
3100 ROL (Rotate Left) rotates the byte, word, or doubleword destination operand
3101 left by one or by the number of bits specified in the count operand (an
3102 immediate value or the value contained in CL). For each rotation specified,
3103 the high-order bit that exits from the left of the operand returns at the
3104 right to become the new low-order bit of the operand. See Figure 3-12.
3106 ROR (Rotate Right) rotates the byte, word, or doubleword destination
3107 operand right by one or by the number of bits specified in the count operand
3108 (an immediate value or the value contained in CL). For each rotation
3109 specified, the low-order bit that exits from the right of the operand
3110 returns at the left to become the new high-order bit of the operand.
3113 RCL (Rotate Through Carry Left) rotates bits in the byte, word, or
3114 doubleword destination operand left by one or by the number of bits
3115 specified in the count operand (an immediate value or the value contained in
3118 This instruction differs from ROL in that it treats CF as a high-order
3119 one-bit extension of the destination operand. Each high-order bit that exits
3120 from the left side of the operand moves to CF before it returns to the
3121 operand as the low-order bit on the next rotation cycle. See Figure 3-14.
3123 RCR (Rotate Through Carry Right) rotates bits in the byte, word, or
3124 doubleword destination operand right by one or by the number of bits
3125 specified in the count operand (an immediate value or the value contained in
3128 This instruction differs from ROR in that it treats CF as a low-order
3129 one-bit extension of the destination operand. Each low-order bit that exits
3130 from the right side of the operand moves to CF before it returns to the
3131 operand as the high-order bit on the next rotation cycle. See Figure 3-15.
Figure 3-10. Shift Left Double
[Diagram: CF <- MEMORY OR REGISTER (destination, bits 31..0) <- source
register; the destination shifts left and the high-order bits of the
source register enter from the right. Not reproducible in text.]

Figure 3-11. Shift Right Double
[Diagram: source register -> MEMORY OR REGISTER (destination, bits 31..0)
-> CF; the destination shifts right and the low-order bits of the source
register enter from the left. Not reproducible in text.]

[Figures 3-12 to 3-15 (ROL, ROR, RCL and RCR, as referenced in the text
above): rotate diagrams of MEMORY OR REGISTER (31 DESTINATION 0) with CF;
not reproducible in text.]
3196 3.4.4.4 Fast "BIT BLT" Using Double Shift Instructions
3198 One purpose of the double shifts is to implement a bit string move, with
3199 arbitrary misalignment of the bit strings. This is called a "bit blt" (BIT
BLock Transfer). A simple example is to move a bit string from an arbitrary
3201 offset into a doubleword-aligned byte string. A left-to-right string is
3202 moved 32 bits at a time if a double shift is used inside the move loop.
3207 MOV CL,RelOffset ; relative offset Dest-Src
3208 MOV EDX,[ESI] ; load first word of source
3209 ADD ESI,4 ; bump source address
3211 LODS ; new low order part
3212 SHLD EDX,EAX,CL ; EDX overwritten with aligned stuff
XCHG EDX,EAX ; Swap high/low order parts
3214 STOS ; Write out next aligned chunk
3218 This loop is simple yet allows the data to be moved in 32-bit pieces for
3219 the highest possible performance. Without a double shift, the best that can
3220 be achieved is 16 bits per loop iteration by using a 32-bit shift and
3221 replacing the XCHG with a ROR by 16 to swap high and low order parts of
3222 registers. A more general loop than shown above would require some extra
3223 masking on the first doubleword moved (before the main loop), and on the
3224 last doubleword moved (after the main loop), but would have the same basic
3225 32-bits per loop iteration as the code above.
3228 3.4.4.5 Fast Bit-String Insert and Extract
3230 The double shift instructions also enable:
• Fast insertion of a bit string from a register into an arbitrary bit
location in a larger bit string in memory without disturbing the bits
on either side of the inserted bits.
• Fast extraction of a bit string into a register from an arbitrary bit
location in a larger bit string in memory without disturbing the bits
on either side of the extracted bits.
3240 The following coded examples illustrate bit insertion and extraction under
3243 1. Bit String Insert into Memory (when bit string is 1-25 bits long,
3244 i.e., spans four bytes or less):
3246 ; Insert a right-justified bit string from register into
3247 ; memory bit string.
3250 ; 1) The base of the string array is dword aligned, and
3251 ; 2) the length of the bit string is an immediate value
3252 ; but the bit offset is held in a register.
3254 ; Register ESI holds the right-justified bit string
3256 ; Register EDI holds the bit offset of the start of the
3258 ; Registers EAX and ECX are also used by this
3259 ; "insert" operation.
3261 MOV ECX,EDI ; preserve original offset for later use
3262 SHR EDI,3 ; signed divide offset by 8 (byte address)
3263 AND CL,7H ; isolate low three bits of offset in CL
3264 MOV EAX,[EDI]strg_base ; move string dword into EAX
3265 ROR EAX,CL ; right justify old bit field
3266 SHRD EAX,ESI,length ; bring in new bits
3267 ROL EAX,length ; right justify new bit field
3268 ROL EAX,CL ; bring to final position
3269 MOV [EDI]strg_base,EAX ; replace dword in memory
3271 2. Bit String Insert into Memory (when bit string is 1-31 bits long, i.e.
3272 spans five bytes or less):
3274 ; Insert a right-justified bit string from register into
3275 ; memory bit string.
3278 ; 1) The base of the string array is dword aligned, and
3279 ; 2) the length of the bit string is an immediate value
3280 ; but the bit offset is held in a register.
3282 ; Register ESI holds the right-justified bit string
3284 ; Register EDI holds the bit offset of the start of the
3286 ; Registers EAX, EBX, ECX, and EDI are also used by
3287 ; this "insert" operation.
3289 MOV ECX,EDI ; temp storage for offset
3290 SHR EDI,5 ; signed divide offset by 32 (dword address)
3291 SHL EDI,2 ; multiply by 4 (in byte address format)
3292 AND CL,1FH ; isolate low five bits of offset in CL
3293 MOV EAX,[EDI]strg_base ; move low string dword into EAX
3294 MOV EDX,[EDI]strg_base+4 ; other string dword into EDX
MOV EBX,EAX ; temp storage for part of string       \ rotate
SHRD EAX,EDX,CL ; double shift by offset within dword   | EDX:EAX
SHRD EDX,EBX,CL ; double shift by offset within dword   / right
3298 SHRD EAX,ESI,length ; bring in new bits
3299 ROL EAX,length ; right justify new bit field
MOV EBX,EAX ; temp storage for part of string            \ rotate
SHLD EAX,EDX,CL ; double shift back by offset within word  | EDX:EAX
SHLD EDX,EBX,CL ; double shift back by offset within word  / left
3303 MOV [EDI]strg_base,EAX ; replace dword in memory
3304 MOV [EDI]strg_base+4,EDX ; replace dword in memory
3306 3. Bit String Insert into Memory (when bit string is exactly 32 bits
long, i.e., spans five or four bytes of memory):
3309 ; Insert right-justified bit string from register into
3310 ; memory bit string.
3313 ; 1) The base of the string array is dword aligned, and
3314 ; 2) the length of the bit string is 32
3315 ; but the bit offset is held in a register.
3317 ; Register ESI holds the 32-bit string to be inserted.
3318 ; Register EDI holds the bit offset of the start of the
3320 ; Registers EAX, EBX, ECX, and EDI are also used by
3321 ; this "insert" operation.
MOV ECX,EDI ; preserve original offset for later use
SHR EDI,5 ; signed divide offset by 32 (dword address)
SHL EDI,2 ; multiply by 4 (in byte address format)
AND CL,1FH ; isolate low five bits of offset in CL
MOV EAX,[EDI]strg_base ; move low string dword into EAX
MOV EDX,[EDI]strg_base+4 ; other string dword into EDX
MOV EBX,EAX ; temp storage for part of string       \ rotate
SHRD EAX,EDX,CL ; double shift by offset within dword   | EDX:EAX
SHRD EDX,EBX,CL ; double shift by offset within dword   / right
MOV EAX,ESI ; move 32-bit bit field into position
MOV EBX,EAX ; temp storage for part of string            \ rotate
SHLD EAX,EDX,CL ; double shift back by offset within word  | EDX:EAX
SHLD EDX,EBX,CL ; double shift back by offset within word  / left
MOV [EDI]strg_base,EAX ; replace dword in memory
MOV [EDI]strg_base+4,EDX ; replace dword in memory
3339 4. Bit String Extract from Memory (when bit string is 1-25 bits long,
3340 i.e., spans four bytes or less):
3342 ; Extract a right-justified bit string from memory bit
3343 ; string into register
3346 ; 1) The base of the string array is dword aligned, and
3347 ; 2) the length of the bit string is an immediate value
3348 ; but the bit offset is held in a register.
3350 ; Register EAX holds the right-justified, zero-padded
3351 ; bit string that was extracted.
3352 ; Register EDI holds the bit offset of the start of the
3354 ; Registers EDI, and ECX are also used by this "extract."
3356 MOV ECX,EDI ; temp storage for offset
3357 SHR EDI,3 ; signed divide offset by 8 (byte address)
3358 AND CL,7H ; isolate low three bits of offset
3359 MOV EAX,[EDI]strg_base ; move string dword into EAX
3360 SHR EAX,CL ; shift by offset within dword
3361 AND EAX,mask ; extracted bit field in EAX
3363 5. Bit String Extract from Memory (when bit string is 1-32 bits long,
3364 i.e., spans five bytes or less):
3366 ; Extract a right-justified bit string from memory bit
3367 ; string into register.
3370 ; 1) The base of the string array is dword aligned, and
3371 ; 2) the length of the bit string is an immediate
3372 ; value but the bit offset is held in a register.
3374 ; Register EAX holds the right-justified, zero-padded
3375 ; bit string that was extracted.
3376 ; Register EDI holds the bit offset of the start of the
3378 ; Registers EAX, EBX, and ECX are also used by this "extract."
3379 MOV ECX,EDI ; temp storage for offset
3380 SHR EDI,5 ; signed divide offset by 32 (dword address)
3381 SHL EDI,2 ; multiply by 4 (in byte address format)
3382 AND CL,1FH ; isolate low five bits of offset in CL
3383 MOV EAX,[EDI]strg_base ; move low string dword into EAX
3384 MOV EDX,[EDI]strg_base+4 ; other string dword into EDX
3385 SHRD EAX,EDX,CL ; double shift right by offset within dword
3386 AND EAX,mask ; extracted bit field in EAX
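Added example (not from the Intel manual): C functions modelling SHRD and SHLD on 32-bit operands and reproducing the manual's bit-string extract (example 5) and insert (example 2) sequences over a little-endian dword array. The array contents, offsets and field values are constructed for the demonstration, and all names (shrd32, shld32, rol32, extract_bits, insert_bits, demo_roundtrip) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* SHRD dst,src,count: dst moves right by count; the low-order bits of src
 * enter at the left. Count is taken modulo 32, as for a count in CL. A
 * count of 0 leaves dst unchanged (and avoids an undefined 32-bit shift in C). */
static uint32_t shrd32(uint32_t dst, uint32_t src, unsigned count)
{
    count &= 31;
    return count ? (dst >> count) | (src << (32 - count)) : dst;
}

/* SHLD dst,src,count: dst moves left by count; the high-order bits of src
 * enter at the right. */
static uint32_t shld32(uint32_t dst, uint32_t src, unsigned count)
{
    count &= 31;
    return count ? (dst << count) | (src >> (32 - count)) : dst;
}

/* ROL by count (modulo 32). */
static uint32_t rol32(uint32_t x, unsigned count)
{
    count &= 31;
    return count ? (x << count) | (x >> (32 - count)) : x;
}

/* Example 5 (extract): right-justified, zero-padded field of `length` bits
 * (1..32) starting at bit `bit_off` of a little-endian dword array.
 * Like the manual's sequence this always reads the dword after the one that
 * holds the offset, so the caller must guarantee strg[(bit_off >> 5) + 1]
 * exists; reading past the array is the failure mode to guard against. */
static uint32_t extract_bits(const uint32_t *strg, uint32_t bit_off, unsigned length)
{
    uint32_t idx = bit_off >> 5;                   /* SHR EDI,5 ; SHL EDI,2    */
    unsigned cl  = bit_off & 31;                   /* AND CL,1FH               */
    uint32_t eax = strg[idx];                      /* MOV EAX,[EDI]strg_base   */
    uint32_t edx = strg[idx + 1];                  /* MOV EDX,[EDI]strg_base+4 */
    uint32_t mask = length >= 32 ? 0xFFFFFFFFu : (1u << length) - 1u;
    eax = shrd32(eax, edx, cl);                    /* SHRD EAX,EDX,CL          */
    return eax & mask;                             /* AND EAX,mask             */
}

/* Example 2 (insert): write the low `length` bits (1..31) of `field` at bit
 * `bit_off`, leaving every other bit of the two affected dwords unchanged. */
static void insert_bits(uint32_t *strg, uint32_t bit_off, unsigned length, uint32_t field)
{
    uint32_t idx = bit_off >> 5;
    unsigned cl  = bit_off & 31;
    uint32_t eax = strg[idx], edx = strg[idx + 1], ebx;
    ebx = eax;                                     /* rotate EDX:EAX right by cl */
    eax = shrd32(eax, edx, cl);                    /*   so the field starts at   */
    edx = shrd32(edx, ebx, cl);                    /*   bit 0 of EAX             */
    eax = shrd32(eax, field, length);              /* SHRD EAX,ESI,length        */
    eax = rol32(eax, length);                      /* ROL EAX,length             */
    ebx = eax;                                     /* rotate EDX:EAX back left   */
    eax = shld32(eax, edx, cl);
    edx = shld32(edx, ebx, cl);
    strg[idx] = eax;                               /* MOV [EDI]strg_base,EAX     */
    strg[idx + 1] = edx;                           /* MOV [EDI]strg_base+4,EDX   */
}

/* Self-check on a constructed 3-dword string: insert a field that straddles
 * dwords 0 and 1, read it back, and verify the untouched bits survived.
 * Returns 1 on success, 0 on any failure. */
static int demo_roundtrip(void)
{
    uint32_t strg[3] = { 0xA5A5A5A5u, 0x5A5A5A5Au, 0xFFFFFFFFu };  /* constructed */
    uint32_t field = 0x16u;                        /* 10110b, 5 bits       */
    insert_bits(strg, 30, 5, field);               /* occupies bits 30..34 */
    if (extract_bits(strg, 30, 5) != field) return 0;
    /* bits 0..29 of dword 0 and bits 3..31 of dword 1 must be unchanged */
    if ((strg[0] & 0x3FFFFFFFu) != (0xA5A5A5A5u & 0x3FFFFFFFu)) return 0;
    if ((strg[1] & 0xFFFFFFF8u) != (0x5A5A5A5Au & 0xFFFFFFF8u)) return 0;
    if (strg[2] != 0xFFFFFFFFu) return 0;          /* never touched       */
    return 1;
}

int main(void)
{
    printf("bit-string insert/extract round trip: %s\n",
           demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```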
3389 3.4.5 Byte-Set-On-Condition Instructions
3391 This group of instructions sets a byte to zero or one depending on any of
3392 the 16 conditions defined by the status flags. The byte may be in memory or
3393 may be a one-byte general register. These instructions are especially useful
3394 for implementing Boolean expressions in high-level languages such as Pascal.
SETcc (Set Byte on Condition cc) sets a byte to one if condition cc is true;
3397 sets the byte to zero otherwise. Refer to Appendix D for a definition of
3398 the possible conditions.
3401 3.4.6 Test Instruction
3403 TEST (Test) performs the logical "and" of the two operands, clears OF and
3404 CF, leaves AF undefined, and updates SF, ZF, and PF. The flags can be tested
3405 by conditional control transfer instructions or by the byte-set-on-condition
3406 instructions. The operands may be doublewords, words, or bytes.
3408 The difference between TEST and AND is that TEST does not alter the
3409 destination operand. TEST differs from BT in that TEST is useful for testing
the value of multiple bits in one operation, whereas BT tests a single bit.
3.5 Control Transfer Instructions

The 80386 provides both conditional and unconditional control transfer
instructions to direct the flow of execution. Conditional control transfers
depend on the results of operations that affect the flag register.
Unconditional control transfers are always executed.

3.5.1 Unconditional Transfer Instructions

JMP, CALL, RET, INT and IRET instructions transfer control from one code
segment location to another. These locations can be within the same code
segment (near control transfers) or in different code segments (far control
transfers). The variants of these instructions that transfer control to
other segments are discussed in a later section of this chapter. If the
model of memory organization used in a particular 80386 application does
not make segments visible to applications programmers, intersegment control
transfers will not be used.

3.5.1.1 Jump Instruction

JMP (Jump) unconditionally transfers control to the target location. JMP is
a one-way transfer of execution; it does not save a return address on the

The JMP instruction always performs the same basic function of transferring
control from the current location to a new location. Its implementation
varies depending on whether the address is specified directly within the
instruction or indirectly through a register or memory.

A direct JMP instruction includes the destination address as part of the
instruction. An indirect JMP instruction obtains the destination address
indirectly through a register or a pointer variable.

Direct near JMP. A direct JMP uses a relative displacement value contained
in the instruction. The displacement is signed and the size of the
displacement may be a byte, word, or doubleword. The processor forms an
effective address by adding this relative displacement to the address
contained in EIP. When the addition has been performed, EIP refers to the
next instruction to be executed.

Indirect near JMP. Indirect JMP instructions specify an absolute address in
one of several ways:

1. The program can JMP to a location specified by a general register
   (any of EAX, EDX, ECX, EBX, EBP, ESI, or EDI). The processor moves
   this 32-bit value into EIP and resumes execution.

2. The processor can obtain the destination address from a memory
   operand specified in the instruction.

3. A register can modify the address of the memory pointer to select a
   destination address.
3.5.1.2 Call Instruction

CALL (Call Procedure) activates an out-of-line procedure, saving on the
stack the address of the instruction following the CALL for later use by a
RET (Return) instruction. CALL places the current value of EIP on the stack.
The RET instruction in the called procedure uses this address to transfer
control back to the calling program.

CALL instructions, like JMP instructions, have relative, direct, and

Indirect CALL instructions specify an absolute address in one of these

1. The program can CALL a location specified by a general register (any
   of EAX, EDX, ECX, EBX, EBP, ESI, or EDI). The processor moves this
   32-bit value into EIP.

2. The processor can obtain the destination address from a memory
   operand specified in the instruction.

3.5.1.3 Return and Return-From-Interrupt Instruction

RET (Return From Procedure) terminates the execution of a procedure and
transfers control through a back-link on the stack to the program that
originally invoked the procedure. RET restores the value of EIP that was
saved on the stack by the previous CALL instruction.

RET instructions may optionally specify an immediate operand. By adding
this constant to the new top-of-stack pointer, RET effectively removes any
arguments that the calling program pushed on the stack before the execution
of the CALL instruction.

IRET (Return From Interrupt) returns control to an interrupted procedure.
IRET differs from RET in that it also pops the flags from the stack into the
flags register. The flags are stored on the stack by the interrupt
3.5.2 Conditional Transfer Instructions

The conditional transfer instructions are jumps that may or may not
transfer control, depending on the state of the CPU flags when the
instruction executes.

3.5.2.1 Conditional Jump Instructions

Table 3-2 shows the conditional transfer mnemonics and their
interpretations. The conditional jumps that are listed as pairs are actually
the same instruction. The assembler provides the alternate mnemonics for
greater clarity within a program listing.

Conditional jump instructions contain a displacement which is added to the
EIP register if the condition is true. The displacement may be a byte, a
word, or a doubleword. The displacement is signed; therefore, it can be used
to jump forward or backward.
Table 3-2. Interpretation of Conditional Transfers

Unsigned Conditional Transfers

Mnemonic      Condition Tested             "Jump If..."

JA/JNBE       (CF or ZF) = 0               above/not below nor equal
JAE/JNB       CF = 0                       above or equal/not below
JB/JNAE       CF = 1                       below/not above nor equal
JBE/JNA       (CF or ZF) = 1               below or equal/not above
JE/JZ         ZF = 1                       equal/zero
JNC           CF = 0                       not carry
JNE/JNZ       ZF = 0                       not equal/not zero
JNP/JPO       PF = 0                       not parity/parity odd
JP/JPE        PF = 1                       parity/parity even

Signed Conditional Transfers

Mnemonic      Condition Tested             "Jump If..."

JG/JNLE       ((SF xor OF) or ZF) = 0      greater/not less nor equal
JGE/JNL       (SF xor OF) = 0              greater or equal/not less
JL/JNGE       (SF xor OF) = 1              less/not greater nor equal
JLE/JNG       ((SF xor OF) or ZF) = 1      less or equal/not greater
JNO           OF = 0                       not overflow
JNS           SF = 0                       not sign (positive, including 0)
JS            SF = 1                       sign (negative)
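The rows of Table 3-2 can be checked mechanically. The following C program is an added example, not part of the manual: it models the flags that CMP a,b (a - b) leaves, encodes the unsigned and signed rows of the table as predicates, and confirms each one against C's own 32-bit comparisons on boundary values. It then shows the practical consequence of picking the wrong half of the table: after CMP index,length, a JB check rejects the index 0xFFFFFFFF, while a JL check reads the same bits as -1 and accepts it. The flag model, function names and sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status flags as CMP a,b (which computes a - b) leaves them.
   Model only; constructed for this example, not from the manual. */
typedef struct { bool cf, zf, sf, of; } flags_t;

static flags_t cmp_flags(uint32_t a, uint32_t b) {
    uint32_t r = a - b;                  /* wraps modulo 2^32, as the hardware does */
    flags_t f;
    f.cf = a < b;                        /* borrow out of bit 31 (unsigned a < b) */
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1u;               /* sign bit of the result */
    /* OF: operand signs differ and the result's sign differs from a's sign */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1u;
    return f;
}

/* Unsigned conditions from the top half of Table 3-2 */
static bool ja(flags_t f)  { return !(f.cf || f.zf); }
static bool jae(flags_t f) { return !f.cf; }
static bool jb(flags_t f)  { return f.cf; }
static bool jbe(flags_t f) { return f.cf || f.zf; }
/* Signed conditions from the bottom half of Table 3-2 */
static bool jg(flags_t f)  { return !((f.sf ^ f.of) || f.zf); }
static bool jge(flags_t f) { return !(f.sf ^ f.of); }
static bool jl(flags_t f)  { return f.sf ^ f.of; }
static bool jle(flags_t f) { return (f.sf ^ f.of) || f.zf; }

/* Check every row above against C's own comparisons on boundary values. */
static bool table_matches_c_comparisons(void) {
    static const uint32_t s[] = { 0, 1, 2, 0x7FFFFFFFu, 0x80000000u,
                                  0xFFFFFFFEu, 0xFFFFFFFFu };
    const size_t n = sizeof s / sizeof s[0];
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            uint32_t a = s[i], b = s[j];
            int32_t sa = (int32_t)a, sb = (int32_t)b;   /* same bits, signed view */
            flags_t f = cmp_flags(a, b);
            if (ja(f) != (a > b) || jae(f) != (a >= b) ||
                jb(f) != (a < b) || jbe(f) != (a <= b))
                return false;
            if (jg(f) != (sa > sb) || jge(f) != (sa >= sb) ||
                jl(f) != (sa < sb) || jle(f) != (sa <= sb))
                return false;
        }
    }
    return true;
}

/* Two ways to encode "index < length" after CMP index,length. The unsigned
   form (JB) rejects 0xFFFFFFFF; the signed form (JL) reads it as -1 and
   accepts it, which is how a negative index slips past a bounds check. */
static bool index_below_length_jb(uint32_t index, uint32_t length) {
    return jb(cmp_flags(index, length));
}
static bool index_below_length_jl(uint32_t index, uint32_t length) {
    return jl(cmp_flags(index, length));
}

int main(void) {
    printf("table consistent: %s\n", table_matches_c_comparisons() ? "yes" : "no");
    printf("0xFFFFFFFF < 16 via JB: %d, via JL: %d\n",
           index_below_length_jb(0xFFFFFFFFu, 16),
           index_below_length_jl(0xFFFFFFFFu, 16));
    return 0;
}
```

The OF rule used in cmp_flags is the standard one for subtraction: overflow occurs only when the operands have different signs and the result's sign differs from the minuend's. The consistency check is what makes the table trustworthy; the two index_below_length functions are the defender's reminder that a bounds check is only as good as the signedness of the jump chosen after the CMP.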
3.5.2.2 Loop Instructions

The loop instructions are conditional jumps that use a value placed in ECX
to specify the number of repetitions of a software loop. All loop
instructions automatically decrement ECX and terminate the loop when ECX=0.
Four of the five loop instructions specify a condition involving ZF that
terminates the loop before ECX reaches zero.

LOOP (Loop While ECX Not Zero) is a conditional transfer that automatically
decrements the ECX register before testing ECX for the branch condition. If
ECX is non-zero, the program branches to the target label specified in the
instruction. The LOOP instruction causes the repetition of a code section
until the operation of the LOOP instruction decrements ECX to a value of
zero. If LOOP finds ECX=0, control transfers to the instruction immediately
following the LOOP instruction. If the value of ECX is initially zero, then
the LOOP executes 2^32 times.

LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are synonyms for the
same instruction. These instructions automatically decrement the ECX
register before testing ECX and ZF for the branch conditions. If ECX is
non-zero and ZF=1, the program branches to the target label specified in the
instruction. If LOOPE or LOOPZ finds that ECX=0 or ZF=0, control transfers
to the instruction immediately following the LOOPE or LOOPZ instruction.

LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are synonyms
for the same instruction. These instructions automatically decrement the ECX
register before testing ECX and ZF for the branch conditions. If ECX is
non-zero and ZF=0, the program branches to the target label specified in the
instruction. If LOOPNE or LOOPNZ finds that ECX=0 or ZF=1, control transfers
to the instruction immediately following the LOOPNE or LOOPNZ instruction.

3.5.2.3 Executing a Loop or Repeat Zero Times

JCXZ (Jump if ECX Zero) branches to the label specified in the instruction
if it finds a value of zero in ECX. JCXZ is useful in combination with the
LOOP instruction and with the string scan and compare instructions, all of
which decrement ECX. Sometimes, it is desirable to design a loop that
executes zero times if the count variable in ECX is initialized to zero.
Because the LOOP instructions (and repeat prefixes) decrement ECX before
they test it, a loop will execute 2^32 times if the program enters the
loop with a zero value in ECX. A programmer may conveniently overcome this
problem with JCXZ, which enables the program to branch around the code
within the loop if ECX is zero when JCXZ executes. When used with repeated
string scan and compare instructions, JCXZ can determine whether the
repetitions terminated due to zero in ECX or due to satisfaction of the
scan or compare conditions.
3.5.3 Software-Generated Interrupts

The INT n, INTO, and BOUND instructions allow the programmer to specify a
transfer to an interrupt service routine from within a program.

INT n (Software Interrupt) activates the interrupt service routine that
corresponds to the number coded within the instruction. The INT instruction
may specify any interrupt type. Programmers may use this flexibility to
implement multiple types of internal interrupts or to test the operation of
interrupt service routines. (Interrupts 0-31 are reserved by Intel.) The
interrupt service routine terminates with an IRET instruction that returns
control to the instruction that follows INT.

INTO (Interrupt on Overflow) invokes interrupt 4 if OF is set. Interrupt 4
is reserved for this purpose. OF is set by several arithmetic, logical, and
string instructions.

BOUND (Detect Value Out of Range) verifies that the signed value contained
in the specified register lies within specified limits. An interrupt (INT 5)
occurs if the value contained in the register is less than the lower bound
or greater than the upper bound.

The BOUND instruction includes two operands. The first operand specifies
the register being tested. The second operand contains the effective
relative address of the two signed BOUND limit values. The BOUND instruction
assumes that the upper limit and lower limit are in adjacent memory
locations. These limit values cannot be register operands; if they are, an
invalid opcode exception occurs.

BOUND is useful for checking array bounds before using a new index value to
access an element within the array. BOUND provides a simple way to check the
value of an index register before the program overwrites information in a
location beyond the limit of the array.

The block of memory that specifies the lower and upper limits of an array
might typically reside just before the array itself. This makes the array
bounds accessible at a constant offset from the beginning of the array.
Because the address of the array will already be present in a register, this
practice avoids extra calculations to obtain the effective address of the

The upper and lower limit values may each be a word or a doubleword.
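To make the BOUND semantics concrete, here is an added C model (not from the manual) of the layout the text recommends: the two signed doubleword limits stored immediately before the array, and an element read that performs the same signed range check BOUND performs before touching memory. The struct, function names and sample contents are constructed for this example; a real INT 5 is represented by a false return.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Memory layout the manual suggests: the two signed limits sit just before
   the array, so both are reachable at a constant offset from its base.
   Constructed for this example; not from the manual. */
typedef struct {
    int32_t limits[2];   /* [0] = lower bound, [1] = upper bound (both inclusive) */
    int32_t data[8];
} bounded_array;

/* Model of BOUND reg,[limits] with doubleword limits: true when the 80386
   would raise INT 5. The comparison is signed on both sides, so the bit
   pattern 0xFFFFFFFF is -1 and fails against a lower bound of 0. */
static bool bound_faults(int32_t reg, const int32_t limits[2]) {
    return reg < limits[0] || reg > limits[1];
}

/* Element read guarded the way a BOUND placed before the access guards it.
   Returns false (the INT 5 case) instead of reading outside data[]. */
static bool bounded_load(const bounded_array *arr, int32_t index, int32_t *out) {
    if (bound_faults(index, arr->limits))
        return false;
    *out = arr->data[index];
    return true;
}

/* Build an instance whose limits cover exactly the eight elements of data[]. */
static bounded_array make_sample(void) {
    bounded_array a = { { 0, 7 }, { 10, 11, 12, 13, 14, 15, 16, 17 } };
    return a;
}

int main(void) {
    bounded_array a = make_sample();
    int32_t v = 0;
    printf("index 3:  %s\n", bounded_load(&a, 3, &v) ? "ok" : "INT 5");
    printf("index -1: %s\n", bounded_load(&a, -1, &v) ? "ok" : "INT 5");
    printf("index 8:  %s\n", bounded_load(&a, 8, &v) ? "ok" : "INT 5");
    return 0;
}
```

The check is only as good as the limit values themselves: BOUND trusts whatever is at the limits address, so the integrity of that memory block is part of the array's integrity.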
3.6 String and Character Translation Instructions

The instructions in this category operate on strings rather than on logical
or numeric values. Refer also to the section on I/O for information about
the string I/O instructions (also known as block I/O).

The power of 80386 string operations derives from the following features of

1. A set of primitive string operations

   CMPS -- Compare string
   STOS -- Store string

2. Indirect, indexed addressing, with automatic incrementing or
   decrementing of the indexes.

   ESI -- Source index register
   EDI -- Destination index register

   DF -- Direction flag

   Control flag instructions:

   CLD -- Clear direction flag instruction
   STD -- Set direction flag instruction

   REP -- Repeat while ECX not zero
   REPE/REPZ -- Repeat while equal or zero
   REPNE/REPNZ -- Repeat while not equal or not zero

The primitive string operations operate on one element of a string. A
string element may be a byte, a word, or a doubleword. The string elements
are addressed by the registers ESI and EDI. After every primitive operation
ESI and/or EDI are automatically updated to point to the next element of the
string. If the direction flag is zero, the index registers are incremented;
if one, they are decremented. The amount of the increment or decrement is
1, 2, or 4 depending on the size of the string element.
3.6.1 Repeat Prefixes

The repeat prefixes REP (Repeat While ECX Not Zero), REPE/REPZ (Repeat
While Equal/Zero), and REPNE/REPNZ (Repeat While Not Equal/Not Zero) specify
repeated operation of a string primitive. This form of iteration allows the
CPU to process strings much faster than would be possible with a regular

When a primitive string operation has a repeat prefix, the operation is
executed repeatedly, each time using a different element of the string. The
repetition terminates when one of the conditions specified by the prefix is

At each repetition of the primitive instruction, the string operation may
be suspended temporarily in order to handle an exception or external
interrupt. After the interruption, the string operation can be restarted
again where it left off. This method of handling strings allows operations
on strings of arbitrary length, without affecting interrupt response.

All three prefixes cause the hardware to automatically repeat the
associated string primitive until ECX=0. The differences among the repeat
prefixes have to do with the second termination condition. REPE/REPZ and
REPNE/REPNZ are used exclusively with the SCAS (Scan String) and CMPS
(Compare String) primitives. When these prefixes are used, repetition of the
next instruction depends on the zero flag (ZF) as well as the ECX register.
ZF does not require initialization before execution of a repeated string
instruction, because both SCAS and CMPS set ZF according to the results of
the comparisons they make. The differences are summarized in the

Prefix          Termination      Termination
                Condition 1      Condition 2

REPE/REPZ       ECX = 0          ZF = 0
REPNE/REPNZ     ECX = 0          ZF = 1
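Section 3.5.2.3 and the table above describe two things a programmer must get right around a repeated scan: entering it with ECX=0 (which JCXZ guards against) and telling afterwards whether it stopped on the count or on the ZF condition. The following C model is an added example, not from the manual: it simulates the sequence "JCXZ done / REPNE SCASB / done:" with DF=0 on a constructed buffer, keeps the ECX, EDI and ZF state the hardware would leave, and derives the termination reason from it. The state structure, function names and the sample request line are constructed for this example; treating the end of the buffer as the segment limit is a modelling choice the real CPU does not make.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register state after "JCXZ done; REPNE SCASB; done:" with DF = 0.
   Model only; constructed for this example, not from the manual. */
typedef struct {
    uint32_t ecx;     /* elements still uncounted */
    uint32_t edi;     /* index register after auto-increment */
    bool zf;          /* ZF left by the last SCASB comparison */
    bool ran;         /* false when JCXZ skipped the REPNE SCASB entirely */
    bool faulted;     /* model: a read past the end of the constructed buffer */
} scas_state;

typedef enum { SCAS_SKIPPED, SCAS_FOUND, SCAS_EXHAUSTED, SCAS_FAULT } scas_stop;

static scas_state repne_scasb(const uint8_t *buf, size_t buflen,
                              uint32_t edi, uint32_t ecx, uint8_t al) {
    scas_state s = { ecx, edi, false, false, false };
    if (ecx == 0)                   /* JCXZ: with ECX = 0 run zero times, not 2^32 */
        return s;
    s.ran = true;
    while (s.ecx != 0) {            /* termination condition 1: ECX = 0 */
        if (s.edi >= buflen) {      /* end of buffer stands in for the segment limit */
            s.faulted = true;
            return s;
        }
        s.zf = (al == buf[s.edi]);  /* SCASB: AL - [ES:EDI], ZF = 1 on equality */
        s.edi += 1;                 /* DF = 0, byte elements: increment by 1 */
        s.ecx -= 1;                 /* the count is decremented after each element */
        if (s.zf)                   /* REPNE termination condition 2: ZF = 1 */
            break;
    }
    return s;
}

/* The decision the manual describes: did the repeat stop because ECX hit
   zero, or because the scan condition was satisfied? ZF is checked first,
   since a match on the final element leaves both ZF = 1 and ECX = 0. */
static scas_stop why_stopped(scas_state s) {
    if (s.faulted) return SCAS_FAULT;
    if (!s.ran)    return SCAS_SKIPPED;
    if (s.zf)      return SCAS_FOUND;
    return SCAS_EXHAUSTED;
}

/* Offset of the matching byte: EDI was incremented past it, so back up one. */
static uint32_t match_offset(scas_state s) { return s.edi - 1; }

/* Constructed sample input: one request line. */
static const uint8_t LINE[] = "GET /index.html\r\n";
#define LINE_LEN (sizeof LINE - 1)   /* exclude the terminating NUL */

int main(void) {
    scas_state s = repne_scasb(LINE, LINE_LEN, 0, LINE_LEN, '\n');
    printf("stop=%d offset=%u ecx=%u\n", (int)why_stopped(s), match_offset(s), s.ecx);
    s = repne_scasb(LINE, LINE_LEN, 0, 0, '\n');
    printf("ecx=0 -> stop=%d (skipped)\n", (int)why_stopped(s));
    return 0;
}
```

The last case in the test below, a count larger than the buffer, is the one a reviewer should look for in real code: REPNE SCASB stops only on ECX or ZF, so an ECX that overstates the buffer length keeps scanning past it until the segment limit intervenes.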
3.6.2 Indexing and Direction Flag Control

The addresses of the operands of string primitives are determined by the
ESI and EDI registers. ESI points to source operands. By default, ESI refers
to a location in the segment indicated by the DS segment register. A
segment-override prefix may be used, however, to cause ESI to refer to CS,
SS, ES, FS, or GS. EDI points to destination operands in the segment
indicated by ES; no segment override is possible. The use of two different
segment registers in one instruction allows movement of strings between

This use of ESI and EDI has led to the descriptive names source index and
destination index for the ESI and EDI registers, respectively. In all
cases other than string instructions, however, the ESI and EDI registers may
be used as general-purpose registers.

When ESI and EDI are used in string primitives, they are automatically
incremented or decremented after the operation. The direction flag determines
whether they are incremented or decremented. The instruction CLD puts zero
in DF, causing the index registers to be incremented; the instruction STD
puts one in DF, causing the index registers to be decremented. Programmers
should always put a known value in DF before using string instructions in a
3.6.3 String Instructions

MOVS (Move String) moves the string element pointed to by ESI to the
location pointed to by EDI. MOVSB operates on byte elements, MOVSW operates
on word elements, and MOVSD operates on doublewords. The destination segment
register cannot be overridden by a segment override prefix, but the source
segment register can be overridden.

The MOVS instruction, when accompanied by the REP prefix, operates as a
memory-to-memory block transfer. To set up for this operation, the program
must initialize ECX and the register pairs ESI and EDI. ECX specifies the
number of bytes, words, or doublewords in the block.

If DF=0, the program must point ESI to the first element of the source
string and point EDI to the destination address for the first element. If
DF=1, the program must point these two registers to the last element of the
source string and to the destination address for the last element,

CMPS (Compare Strings) subtracts the destination string element (at ES:EDI)
from the source string element (at ESI) and updates the flags AF, SF, PF, CF
and OF. If the string elements are equal, ZF=1; otherwise, ZF=0. If DF=0,
the processor increments the memory pointers (ESI and EDI) for the two
strings. CMPSB compares bytes, CMPSW compares words, and CMPSD compares
doublewords. The segment register used for the source address can be changed
with a segment override prefix while the destination segment register
cannot be overridden.

SCAS (Scan String) subtracts the destination string element at ES:EDI from
EAX, AX, or AL and updates the flags AF, SF, ZF, PF, CF and OF. If the
values are equal, ZF=1; otherwise, ZF=0. If DF=0, the processor increments
the memory pointer (EDI) for the string. SCASB scans bytes; SCASW scans
words; SCASD scans doublewords. The destination segment register (ES) cannot

When either the REPE or REPNE prefix modifies either the SCAS or CMPS
primitives, the processor compares the value of the current string element
with the value in EAX for doubleword elements, in AX for word elements, or
in AL for byte elements. Termination of the repeated operation depends on
the resulting state of ZF as well as on the value in ECX.

LODS (Load String) places the source string element at ESI into EAX for
doubleword strings, into AX for word strings, or into AL for byte strings.
LODS increments or decrements ESI according to DF.

STOS (Store String) places the source string element from EAX, AX, or AL
into the string at ES:EDI. STOS increments or decrements EDI according to
3.7 Instructions for Block-Structured Languages

The instructions in this section provide machine-language support for
functions normally found in high-level languages. These instructions include
ENTER and LEAVE, which simplify the programming of procedures.

ENTER (Enter Procedure) creates a stack frame that may be used to implement
the scope rules of block-structured high-level languages. A LEAVE
instruction at the end of a procedure complements an ENTER at the beginning
of the procedure to simplify stack management and to control access to
variables for nested procedures.

The ENTER instruction includes two parameters. The first parameter
specifies the number of bytes of dynamic storage to be allocated on the
stack for the routine being entered. The second parameter corresponds to the
lexical nesting level (0-31) of the routine. (Note that the lexical level
has no relationship to either the protection privilege levels or to the I/O

The specified lexical level determines how many sets of stack frame
pointers the CPU copies into the new stack frame from the preceding frame.
This list of stack frame pointers is sometimes called the display. The first
word of the display is a pointer to the last stack frame. This pointer
enables a LEAVE instruction to reverse the action of the previous ENTER
instruction by effectively discarding the last stack frame.

Example: ENTER 2048,3

Allocates 2048 bytes of dynamic storage on the stack and sets up pointers
to two previous stack frames in the stack frame that ENTER creates for

After ENTER creates the new display for a procedure, it allocates the
dynamic storage space for that procedure by decrementing ESP by the number
of bytes specified in the first parameter. This new value of ESP serves as a
starting point for all PUSH and POP operations within that procedure.

To enable a procedure to address its display, ENTER leaves EBP pointing to
the beginning of the new stack frame. Data manipulation instructions that
specify EBP as a base register implicitly address locations within the stack
segment instead of the data segment.

The ENTER instruction can be used in two ways: nested and non-nested. If
the lexical level is 0, the non-nested form is used. Since the second
operand is 0, ENTER pushes EBP, copies ESP to EBP and then subtracts the
first operand from ESP. The nested form of ENTER occurs when the second
parameter (lexical level) is not 0.

Figure 3-16 gives the formal definition of ENTER.

The main procedure (with other procedures nested within) operates at the
highest lexical level, level 1. The first procedure it calls operates at the
next deeper lexical level, level 2. A level 2 procedure can access the
variables of the main program which are at fixed locations specified by the
compiler. In the case of level 1, ENTER allocates only the requested
dynamic storage on the stack because there is no previous display to copy.

A program operating at a higher lexical level calling a program at a lower
lexical level requires that the called procedure should have access to the
variables of the calling program. ENTER provides this access through a
display that provides addressability to the calling program's stack frame.

A procedure calling another procedure at the same lexical level implies
that they are parallel procedures and that the called procedure should not
have access to the variables of the calling procedure. In this case, ENTER
copies only that portion of the display from the calling procedure which
refers to previously nested procedures operating at higher lexical levels.
The new stack frame does not include the pointer for addressing the calling
procedure's stack frame.

ENTER treats a reentrant procedure as a procedure calling another procedure
at the same lexical level. In this case, each succeeding iteration of the
reentrant procedure can address only its own variables and the variables of
the calling procedures at higher lexical levels. A reentrant procedure can
always address its own variables; it does not require pointers to the stack
frames of previous iterations.

By copying only the stack frame pointers of procedures at higher lexical
levels, ENTER makes sure that procedures access only those variables of
higher lexical levels, not those at parallel lexical levels (see Figure
3-17). Figures 3-18 through 3-21 demonstrate the actions of the ENTER
instruction if the modules shown in Figure 3-17 were to call one another in

Block-structured high-level languages can use the lexical levels defined by
ENTER to control access to the variables of previously nested procedures.
Referring to Figure 3-17 for example, if PROCEDURE A calls PROCEDURE B
which, in turn, calls PROCEDURE C, then PROCEDURE C will have access to the
variables of MAIN and PROCEDURE A, but not PROCEDURE B because they operate
at the same lexical level. Following is the complete definition of access to
variables for Figure 3-17.

1. MAIN PROGRAM has variables at fixed locations.

2. PROCEDURE A can access only the fixed variables of MAIN.

3. PROCEDURE B can access only the variables of PROCEDURE A and MAIN.
   PROCEDURE B cannot access the variables of PROCEDURE C or PROCEDURE D.

4. PROCEDURE C can access only the variables of PROCEDURE A and MAIN.
   PROCEDURE C cannot access the variables of PROCEDURE B or PROCEDURE D.

5. PROCEDURE D can access the variables of PROCEDURE C, PROCEDURE A, and
   MAIN. PROCEDURE D cannot access the variables of PROCEDURE B.

ENTER at the beginning of the MAIN PROGRAM creates dynamic storage space
for MAIN but copies no pointers. The first and only word in the display
points to itself because there is no previous value for LEAVE to return to
EBP. See Figure 3-18.

After MAIN calls PROCEDURE A, ENTER creates a new display for PROCEDURE A
with the first word pointing to the previous value of EBP (EBPM for LEAVE to
return to the MAIN stack frame) and the second word pointing to the current
value of EBP. Procedure A can access variables in MAIN since MAIN is at
level 1. Therefore the base for the dynamic storage for MAIN is at [EBP-2].
All dynamic variables for MAIN are at a fixed offset from this value. See

After PROCEDURE A calls PROCEDURE B, ENTER creates a new display for
PROCEDURE B with the first word pointing to the previous value of EBP, the
second word pointing to the value of EBP for MAIN, and the third word
pointing to the value of EBP for A and the last word pointing to the current
EBP. B can access variables in A and MAIN by fetching from the display the
base addresses of the respective dynamic storage areas. See Figure 3-20.

After PROCEDURE B calls PROCEDURE C, ENTER creates a new display for
PROCEDURE C with the first word pointing to the previous value of EBP, the
second word pointing to the value of EBP for MAIN, and the third word
pointing to the EBP value for A and the fourth word pointing to the current
value of EBP. Because PROCEDURE B and PROCEDURE C have the same lexical
level, PROCEDURE C is not allowed access to variables in B and therefore
does not receive a pointer to the beginning of PROCEDURE B's stack frame.

LEAVE (Leave Procedure) reverses the action of the previous ENTER
instruction. The LEAVE instruction does not include any operands. LEAVE
copies EBP to ESP to release all stack space allocated to the procedure by
the most recent ENTER instruction. Then LEAVE pops the old value of EBP from
the stack. A subsequent RET instruction can then remove any arguments that
were pushed on the stack by the calling program for use by the called
Figure 3-16. Formal Definition of the ENTER Instruction

The formal definition of the ENTER instruction for all cases is given by the
following listing. LEVEL denotes the value of the second operand.

    Set a temporary value FRAME_PTR := ESP

    Repeat (LEVEL-1) times:

        Push the doubleword pointed to by EBP

    ESP := ESP - first operand.
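The definition above and the walk-through of Figures 3-18 to 3-21 can be executed on a toy stack. The following C program is an added example, not from the manual or any Intel listing: it models a 32-bit stack image, implements ENTER and LEAVE with 32-bit operands as the manual defines them (save EBP, copy LEVEL-1 display entries from the caller's frame, push the new frame pointer, reserve the dynamic storage), runs the call chain MAIN (level 1) -> A (level 2) -> B (level 3) -> C (level 3) from Figure 3-17, and reads back C's display to confirm it holds the frame pointers of MAIN, A and C but not B. It also checks the non-nested form, ENTER n,0, against PUSH EBP / MOV EBP,ESP / SUB ESP,n. The stack structure, function names, frame sizes and the fake return addresses 0x1000-0x3000 are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_BYTES 1024

/* Toy 32-bit stack image: the dword at byte address A lives in mem[A/4].
   Constructed for this example; not from the manual. */
typedef struct {
    uint32_t mem[STACK_BYTES / 4];
    uint32_t esp, ebp;
} cpu_t;

static uint32_t load32(const cpu_t *c, uint32_t a) { return c->mem[a / 4]; }
static void store32(cpu_t *c, uint32_t a, uint32_t v) { c->mem[a / 4] = v; }
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }

/* ENTER size,level with 32-bit operands, following Figure 3-16:
   save EBP, copy LEVEL-1 display entries from the caller's frame, push the
   new frame pointer as the last display entry, then reserve dynamic storage. */
static void enter(cpu_t *c, uint16_t size, uint8_t level) {
    level &= 31;                               /* lexical level is 0-31 */
    push(c, c->ebp);                           /* back-link for LEAVE */
    uint32_t frame_ptr = c->esp;
    if (level > 0) {
        for (int i = 1; i < level; i++) {      /* inherit entries for levels 1..LEVEL-1 */
            c->ebp -= 4;
            push(c, load32(c, c->ebp));
        }
        push(c, frame_ptr);                    /* entry for this frame's own level */
    }
    c->ebp = frame_ptr;
    c->esp -= size;                            /* dynamic storage for the procedure */
}

/* LEAVE: discard the frame and restore the caller's EBP. */
static void leave(cpu_t *c) {
    c->esp = c->ebp;
    c->ebp = pop(c);
}

/* Display entry for lexical level k (1-based) of the current frame: [EBP-4k]. */
static uint32_t display_entry(const cpu_t *c, int k) {
    return load32(c, c->ebp - 4u * (uint32_t)k);
}

/* Run the call chain of Figure 3-17: MAIN (level 1) -> A (2) -> B (3) -> C (3).
   Fills C's three display entries, reports B's EBP, and checks that LEAVE/RET
   unwinds each frame back to its caller's EBP. */
static bool figure_3_17_chain(uint32_t display[3], uint32_t *ebp_b_out) {
    cpu_t c = { {0}, STACK_BYTES, 0 };
    enter(&c, 16, 1);  uint32_t ebp_m = c.ebp;
    push(&c, 0x1000);  enter(&c, 8, 2);  uint32_t ebp_a = c.ebp;  /* 0x1000: fake return address */
    push(&c, 0x2000);  enter(&c, 8, 3);  uint32_t ebp_b = c.ebp;
    push(&c, 0x3000);  enter(&c, 8, 3);  uint32_t ebp_c = c.ebp;
    for (int k = 1; k <= 3; k++)
        display[k - 1] = display_entry(&c, k);
    *ebp_b_out = ebp_b;
    leave(&c); pop(&c); if (c.ebp != ebp_b) return false;   /* C returns to B */
    leave(&c); pop(&c); if (c.ebp != ebp_a) return false;   /* B returns to A */
    leave(&c); pop(&c); if (c.ebp != ebp_m) return false;   /* A returns to MAIN */
    leave(&c);          if (c.ebp != 0)     return false;   /* MAIN's original EBP */
    return display[0] == ebp_m && display[1] == ebp_a && display[2] == ebp_c;
}

/* Non-nested form: ENTER n,0 is exactly PUSH EBP / MOV EBP,ESP / SUB ESP,n. */
static bool level0_matches_push_mov_sub(void) {
    cpu_t c = { {0}, STACK_BYTES, 0xDEAD };
    uint32_t esp0 = c.esp, ebp0 = c.ebp;
    enter(&c, 32, 0);
    return c.ebp == esp0 - 4 && c.esp == esp0 - 4 - 32 && load32(&c, c.ebp) == ebp0;
}

int main(void) {
    uint32_t d[3], ebp_b;
    bool ok = figure_3_17_chain(d, &ebp_b);
    printf("chain ok=%d  C display: %u %u %u  (EBP of B = %u)\n",
           ok, d[0], d[1], d[2], ebp_b);
    printf("level 0 form ok=%d\n", level0_matches_push_mov_sub());
    return 0;
}
```

Because the model copies display entries by reading the caller's frame through EBP, it also makes the trust relationship visible: a procedure's view of outer variables is whatever its caller's display contained, so a corrupted saved EBP or display entry propagates into every frame entered below it.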
Figure 3-17. Variable Access in Nested Procedures

    MAIN PROCEDURE (LEXICAL LEVEL 1)
        PROCEDURE A (LEXICAL LEVEL 2)
            PROCEDURE B (LEXICAL LEVEL 3)
            PROCEDURE C (LEXICAL LEVEL 3)
                PROCEDURE D (LEXICAL LEVEL 4)

[The original figure draws each procedure as a box nested inside the box of
the procedure that encloses it; the indentation above reproduces that nesting.]
Figure 3-18. Stack Frame for MAIN at Level 1

[Stack-frame diagram; not recoverable from this text extraction. Labels
present in the figure: DISPLAY, EBPM = EBP VALUE FOR MAIN (marked "EBP FOR
MAIN"), STORAGE, ESP.]

Figure 3-19. Stack Frame for Procedure A

[Stack-frame diagram; not recoverable from this text extraction. Labels
present in the figure: EBPM = EBP VALUE FOR MAIN, EBPA = EBP VALUE FOR
PROCEDURE A (marked "EBP FOR A"), STORAGE, ESP.]

Figure 3-20. Stack Frame for Procedure B at Level 3 Called from A

[Stack-frame diagram; not recoverable from this text extraction. Labels
present in the figure: EBPM = EBP VALUE FOR MAIN, DISPLAY (marked "EBP"),
EBPB = EBP VALUE FOR PROCEDURE B, STORAGE, ESP.]

Figure 3-21. Stack Frame for Procedure C at Level 3 Called from B

[Stack-frame diagram; not recoverable from this text extraction. Labels
present in the figure: EBPM = EBP VALUE FOR MAIN, EBPA = EBP VALUE FOR
PROCEDURE A, DISPLAY (marked "EBP"), EBPB = EBP VALUE FOR PROCEDURE B,
STORAGE, ESP.]
3.8 Flag Control Instructions

The flag control instructions provide a method for directly changing the
state of bits in the flag register.

3.8.1 Carry and Direction Flag Control Instructions

The carry flag instructions are useful in conjunction with
rotate-with-carry instructions RCL and RCR. They can initialize the carry
flag, CF, to a known state before execution of a rotate that moves the carry
bit into one end of the rotated operand.

The direction flag control instructions are specifically included to set or
clear the direction flag, DF, which controls the left-to-right or
right-to-left direction of string processing. If DF=0, the processor
automatically increments the string index registers, ESI and EDI, after each
execution of a string primitive. If DF=1, the processor decrements these
index registers. Programmers should use one of these instructions before any
procedure that uses string instructions to ensure that DF is set properly.

Flag Control Instruction         Effect

STC (Set Carry Flag)             CF ← 1
CLC (Clear Carry Flag)           CF ← 0
CMC (Complement Carry Flag)      CF ← NOT (CF)
CLD (Clear Direction Flag)       DF ← 0
STD (Set Direction Flag)         DF ← 1
3.8.2 Flag Transfer Instructions

Though specific instructions exist to alter CF and DF, there is no direct
method of altering the other applications-oriented flags. The flag transfer
instructions allow a program to alter the other flag bits with the bit
manipulation instructions after transferring these flags to the stack or the

The instructions LAHF and SAHF deal with five of the status flags, which
are used primarily by the arithmetic and logical instructions.

LAHF (Load AH from Flags) copies SF, ZF, AF, PF, and CF to AH bits 7, 6, 4,
2, and 0, respectively (see Figure 3-22). The contents of the remaining bits
(5, 3, and 1) are undefined. The flags remain unaffected.

SAHF (Store AH into Flags) transfers bits 7, 6, 4, 2, and 0 from AH into
SF, ZF, AF, PF, and CF, respectively (see Figure 3-22).

The PUSHF and POPF instructions are not only useful for storing the flags
in memory where they can be examined and modified but are also useful for
preserving the state of the flags register while executing a procedure.

PUSHF (Push Flags) decrements ESP by two and then transfers the low-order
word of the flags register to the word at the top of stack pointed to by ESP
(see Figure 3-23). The variant PUSHFD decrements ESP by four, then
transfers both words of the extended flags register to the top of the stack
pointed to by ESP (the VM and RF flags are not moved, however).

POPF (Pop Flags) transfers specific bits from the word at the top of stack
into the low-order byte of the flag register (see Figure 3-23), then
increments ESP by two. The variant POPFD transfers specific bits from the
doubleword at the top of the stack into the extended flags register (the RF
and VM flags are not changed, however), then increments ESP by four.
Figure 3-22. LAHF and SAHF

   7    6    5    4    3    2    1    0
+----+----+----+----+----+----+----+----+
| SF | ZF | UU | AF | UU | PF | UU | CF |
+----+----+----+----+----+----+----+----+

LAHF LOADS FIVE FLAGS FROM THE FLAG REGISTER INTO REGISTER AH. SAHF
STORES THESE SAME FIVE FLAGS FROM AH INTO THE FLAG REGISTER. THE BIT
POSITION OF EACH FLAG IS THE SAME IN AH AS IT IS IN THE FLAG REGISTER.
THE REMAINING BITS (MARKED UU) ARE RESERVED; DO NOT DEFINE.
3.9 Coprocessor Interface Instructions

A numerics coprocessor (e.g., the 80387 or 80287) provides an extension to
the instruction set of the base architecture. The coprocessor extends the
instruction set of the base architecture to support high-precision integer
and floating-point calculations. This extended instruction set includes
arithmetic, comparison, transcendental, and data transfer instructions. The
coprocessor also contains a set of useful constants to enhance the speed of
numeric calculations.

A program contains instructions for the coprocessor in line with the
instructions for the CPU. The system executes these instructions in the same
order as they appear in the instruction stream. The coprocessor operates
concurrently with the CPU to provide maximum throughput for numeric

The 80386 also has features to support emulation of the numerics
coprocessor when the coprocessor is absent. The software emulation of the
coprocessor is transparent to application software but requires more time
for execution. Refer to Chapter 11 for more information on coprocessor

ESC (Escape) is a 5-bit sequence that begins the opcodes that identify
floating point numeric instructions. The ESC pattern tells the 80386 to send
the opcode and addresses of operands to the numerics coprocessor. The
numerics coprocessor uses the escape instructions to perform
high-performance, high-precision floating point arithmetic that conforms to
the IEEE floating point standard 754.

WAIT (Wait) is an 80386 instruction that suspends program execution until
the 80386 CPU detects that the BUSY pin is inactive. This condition
indicates that the coprocessor has completed its processing task and that
the CPU may obtain the results.
Figure 3-23. Flag Format for PUSHF and POPF

 31                        18 17  16  15  14  13 12   11  10   9   8   7   6   5   4   3   2   1   0
+----------------------------+---+---+---+---+-------+---+---+---+---+---+---+---+---+---+---+---+---+
| 0 0 0 0 0 0 0 0 0 0 0 0 0 0|VM |RF | 0 |NT | IOPL  |OF |DF |IF |TF |SF |ZF | 0 |AF | 0 |PF | 1 |CF |
+----------------------------+---+---+---+---+-------+---+---+---+---+---+---+---+---+---+---+---+---+

BITS MARKED 0 AND 1 ARE RESERVED BY INTEL. DO NOT DEFINE.

SYSTEMS FLAGS (INCLUDING THE IOPL FIELD, AND THE VM, RF, AND IF FLAGS)
ARE PUSHED AND ARE VISIBLE TO APPLICATIONS PROGRAMS. HOWEVER, WHEN AN
APPLICATIONS PROGRAM POPS THE FLAGS, THESE ITEMS ARE NOT CHANGED,
REGARDLESS OF THE VALUES POPPED INTO THEM.
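The following C model is an added illustration and is not code from the manual. It shows which bits LAHF/SAHF move and which bits a POPFD can change, using the bit positions of Figures 3-22 and 3-23. The rule that IOPL is writable only at privilege level 0 and IF only when the current privilege level is at or above IOPL is the 80386's privilege behaviour as documented elsewhere in the manual; it is assumed here rather than stated in this section. The sample flag values are constructed.

```c
#include <stdint.h>

/* EFLAGS bit positions as laid out in Figures 3-22 and 3-23. */
#define FL_CF   (1u << 0)
#define FL_ONE  (1u << 1)    /* reserved, always reads as 1 */
#define FL_PF   (1u << 2)
#define FL_AF   (1u << 4)
#define FL_ZF   (1u << 6)
#define FL_SF   (1u << 7)
#define FL_TF   (1u << 8)
#define FL_IF   (1u << 9)
#define FL_DF   (1u << 10)
#define FL_OF   (1u << 11)
#define FL_IOPL (3u << 12)
#define FL_NT   (1u << 14)
#define FL_RF   (1u << 16)
#define FL_VM   (1u << 17)

/* Every defined flag bit; everything else is Intel-reserved and reads as 0. */
#define FL_DEFINED (FL_CF | FL_ONE | FL_PF | FL_AF | FL_ZF | FL_SF | FL_TF | FL_IF | \
                    FL_DF | FL_OF | FL_IOPL | FL_NT | FL_RF | FL_VM)

/* The five status flags LAHF/SAHF move; they sit in AH at the same bit positions (7,6,4,2,0). */
#define LAHF_MASK (FL_SF | FL_ZF | FL_AF | FL_PF | FL_CF)

/* LAHF: AH <- SF:ZF:x:AF:x:PF:x:CF. The undefined AH bits (5,3,1) are returned as 0 here;
   on the processor their contents are undefined and must not be relied on. */
uint8_t lahf(uint32_t eflags)
{
    return (uint8_t)(eflags & LAHF_MASK);
}

/* SAHF: only SF, ZF, AF, PF and CF are written; every other flag keeps its value. */
uint32_t sahf(uint32_t eflags, uint8_t ah)
{
    return (eflags & ~LAHF_MASK) | (ah & LAHF_MASK);
}

/* POPFD: new EFLAGS after popping `popped` from the stack at privilege level `cpl`.
   VM and RF are never changed by POPFD. IOPL changes only at CPL 0, and IF only when
   CPL <= IOPL (assumed 80386 privilege rule, not spelled out in this section).
   Reserved bits keep their architectural values whatever was popped. */
uint32_t popfd(uint32_t eflags, uint32_t popped, unsigned cpl)
{
    uint32_t writable = FL_CF | FL_PF | FL_AF | FL_ZF | FL_SF | FL_TF | FL_DF | FL_OF | FL_NT;
    unsigned iopl = (eflags & FL_IOPL) >> 12;

    if (cpl == 0)
        writable |= FL_IOPL;
    if (cpl <= iopl)
        writable |= FL_IF;

    uint32_t result = (eflags & ~writable) | (popped & writable);
    result &= FL_DEFINED;   /* reserved-zero bits stay 0 ... */
    result |= FL_ONE;       /* ... and bit 1 stays 1 */
    return result;
}
```

Running `popfd` at CPL 3 with an all-ones word shows the behaviour the figure legend describes: the application-level flags change, while IOPL, IF, VM and RF come back exactly as they were before the pop.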
3.10 Segment Register Instructions

This category actually includes several distinct types of instructions.
These various types are grouped together here because, if systems designers
choose an unsegmented model of memory organization, none of these
instructions is used by applications programmers. The instructions that deal
with segment registers are:

1. Segment-register transfer instructions.

2. Control transfers to another executable segment.

   JMP far ; direct and indirect

3. Data pointer instructions.

Note that the following interrupt-related instructions are different; all
are capable of transferring control to another segment, but the use of
segmentation is not apparent to the applications programmer.

3.10.1 Segment-Register Transfer Instructions

The MOV, POP, and PUSH instructions also serve to load and store segment
registers. These variants operate similarly to their general-register
counterparts except that one operand can be a segment register. MOV cannot
move a segment register to a segment register. Neither POP nor MOV can place a
value in the code-segment register CS; only the far control-transfer
instructions can change CS.

3.10.2 Far Control Transfer Instructions

The far control-transfer instructions transfer control to a location in
another segment by changing the content of the CS register.

Direct far JMP. Direct JMP instructions that specify a target location
outside the current code segment contain a far pointer. This pointer
consists of a selector for the new code segment and an offset within the new

Indirect far JMP. Indirect JMP instructions that specify a target location
outside the current code segment use a 48-bit variable to specify the far

Far CALL. An intersegment CALL places both the value of EIP and CS on the

Far RET. An intersegment RET restores the values of both CS and EIP which
were saved on the stack by the previous intersegment CALL instruction.

3.10.3 Data Pointer Instructions

The data pointer instructions load a pointer (consisting of a segment
selector and an offset) to a segment register and a general register.

LDS (Load Pointer Using DS) transfers a pointer variable from the source
operand to DS and the destination register. The source operand must be a
memory operand, and the destination operand must be a general register. DS
receives the segment-selector of the pointer. The destination register
receives the offset part of the pointer, which points to a specific location

Example: LDS ESI, STRING_X

Loads DS with the selector identifying the segment pointed to by a
STRING_X, and loads the offset of STRING_X into ESI. Specifying ESI as the
destination operand is a convenient way to prepare for a string operation on
a source string that is not in the current data segment.

LES (Load Pointer Using ES) operates identically to LDS except that ES
receives the segment selector rather than DS.

Example: LES EDI, DESTINATION_X

Loads ES with the selector identifying the segment pointed to by
DESTINATION_X, and loads the offset of DESTINATION_X into EDI. This
instruction provides a convenient way to select a destination for a string
operation if the desired location is not in the current extra segment.

LFS (Load Pointer Using FS) operates identically to LDS except that FS
receives the segment selector rather than DS.

LGS (Load Pointer Using GS) operates identically to LDS except that GS
receives the segment selector rather than DS.

LSS (Load Pointer Using SS) operates identically to LDS except that SS
receives the segment selector rather than DS. This instruction is
especially important, because it allows the two registers that identify the
stack (SS:ESP) to be changed in one uninterruptible operation. Unlike the
other instructions which load SS, interrupts are not inhibited at the end
of the LSS instruction. The other instructions (e.g., POP SS) inhibit
interrupts to permit the following instruction to load ESP, thereby forming
an indivisible load of SS:ESP. Since both SS and ESP can be loaded by LSS,
there is no need to inhibit interrupts.
3.11 Miscellaneous Instructions

The following instructions do not fit in any of the previous categories,
but are nonetheless useful.

3.11.1 Address Calculation Instruction

LEA (Load Effective Address) transfers the offset of the source operand
(rather than its value) to the destination operand. The source operand must
be a memory operand, and the destination operand must be a general register.
This instruction is especially useful for initializing registers before the
execution of the string primitives (ESI, EDI) or the XLAT instruction (EBX).
The LEA can perform any indexing or scaling that may be needed.

Example: LEA EBX, EBCDIC_TABLE

Causes the processor to place the address of the starting location of the
table labeled EBCDIC_TABLE into EBX.

3.11.2 No-Operation Instruction

NOP (No Operation) occupies a byte of storage but affects nothing but the
instruction pointer, EIP.

3.11.3 Translate Instruction

XLAT (Translate) replaces a byte in the AL register with a byte from a
user-coded translation table. When XLAT is executed, AL should have the
unsigned index to the table addressed by EBX. XLAT changes the contents of
AL from table index to table entry. EBX is unchanged. The XLAT instruction
is useful for translating from one coding system to another such as from
ASCII to EBCDIC. The translate table may be up to 256 bytes long. The
value placed in the AL register serves as an index to the location of the
corresponding translation value.
PART II SYSTEMS PROGRAMMING

Chapter 4 Systems Architecture

----------------------------------------------------------------------------

Many of the architectural features of the 80386 are used only by systems
programmers. This chapter presents an overview of these aspects of the

The systems-level features of the 80386 architecture include:

Exceptions and Interrupts
Coprocessing and Multiprocessing

These features are implemented by registers and instructions, all of which
are introduced in the following sections. The purpose of this chapter is not
to explain each feature in detail, but rather to place the remaining
chapters of Part II in perspective. Each mention in this chapter of a
register or instruction is either accompanied by an explanation or a
reference to a following chapter where detailed information can be obtained.

4.1 Systems Registers

The registers designed for use by systems programmers fall into these

Memory-Management Registers

The systems flags of the EFLAGS register control I/O, maskable interrupts,
debugging, task switching, and enabling of virtual 8086 execution in a
protected, multitasking environment. These flags are highlighted in Figure

IF (Interrupt-Enable Flag, bit 9)

Setting IF allows the CPU to recognize external (maskable) interrupt
requests. Clearing IF disables these interrupts. IF has no effect on
either exceptions or nonmaskable external interrupts. Refer to Chapter
9 for more details about interrupts.

NT (Nested Task, bit 14)

The processor uses the nested task flag to control chaining of
interrupted and called tasks. NT influences the operation of the IRET
instruction. Refer to Chapter 7 and Chapter 9 for more information on

RF (Resume Flag, bit 16)

The RF flag temporarily disables debug exceptions so that an instruction
can be restarted after a debug exception without immediately causing
another debug exception. Refer to Chapter 12 for details.

TF (Trap Flag, bit 8)

Setting TF puts the processor into single-step mode for debugging. In
this mode, the CPU automatically generates an exception after each
instruction, allowing a program to be inspected as it executes each
instruction. Single-stepping is just one of several debugging features of
the 80386. Refer to Chapter 12 for additional information.

VM (Virtual 8086 Mode, bit 17)

When set, the VM flag indicates that the task is executing an 8086
program. Refer to Chapter 14 for a detailed discussion of how the 80386
executes 8086 tasks in a protected, multitasking environment.

Figure 4-1. System Flags of EFLAGS Register

 31                        18 17  16  15  14  13 12   11  10   9   8   7   6   5   4   3   2   1   0
+----------------------------+---+---+---+---+-------+---+---+---+---+---+---+---+---+---+---+---+---+
| 0 0 0 0 0 0 0 0 0 0 0 0 0 0|VM |RF | 0 |NT | IOPL  |OF |DF |IF |TF |SF |ZF | 0 |AF | 0 |PF | 1 |CF |
+----------------------------+---+---+---+---+-------+---+---+---+---+---+---+---+---+---+---+---+---+

VIRTUAL 8086 MODE ------ VM (bit 17)
RESUME FLAG ------------ RF (bit 16)
NESTED TASK FLAG ------- NT (bit 14)
I/O PRIVILEGE LEVEL ---- IOPL (bits 13-12)
INTERRUPT ENABLE ------- IF (bit 9)

----------------------------------------------------------------------------
0 OR 1 INDICATES INTEL RESERVED. DO NOT DEFINE.
----------------------------------------------------------------------------
4.1.2 Memory-Management Registers

Four registers of the 80386 locate the data structures that control
segmented memory management:

GDTR Global Descriptor Table Register
LDTR Local Descriptor Table Register

These registers point to the segment descriptor tables GDT and LDT.
Refer to Chapter 5 for an explanation of addressing via descriptor

IDTR Interrupt Descriptor Table Register

This register points to a table of entry points for interrupt handlers
(the IDT). Refer to Chapter 9 for details of the interrupt mechanism.

This register points to the information needed by the processor to define
the current task. Refer to Chapter 7 for a description of the
multitasking features of the 80386.

4.1.3 Control Registers

Figure 4-2 shows the format of the 80386 control registers CR0, CR2, and
CR3. These registers are accessible to systems programmers only via variants
of the MOV instruction, which allow them to be loaded from or stored in
general registers; for example:

CR0 contains system control flags, which control or indicate conditions
that apply to the system as a whole, not to an individual task.

EM (Emulation, bit 2)

EM indicates whether coprocessor functions are to be emulated. Refer to
Chapter 11 for details.

ET (Extension Type, bit 4)

ET indicates the type of coprocessor present in the system (80287 or
80387). Refer to Chapter 11 and Chapter 10 for details.

MP (Math Present, bit 1)

MP controls the function of the WAIT instruction, which is used to
coordinate a coprocessor. Refer to Chapter 11 for details.

PE (Protection Enable, bit 0)

Setting PE causes the processor to begin executing in protected mode.
Resetting PE returns to real-address mode. Refer to Chapter 14 and
Chapter 10 for more information on changing processor modes.

PG indicates whether the processor uses page tables to translate linear
addresses into physical addresses. Refer to Chapter 5 for a description
of page translation; refer to Chapter 10 for a discussion of how to set

TS (Task Switched, bit 3)

The processor sets TS with every task switch and tests TS when
interpreting coprocessor instructions. Refer to Chapter 11 for details.

CR2 is used for handling page faults when PG is set. The processor stores
in CR2 the linear address that triggers the fault. Refer to Chapter 9 for a
description of page-fault handling.

CR3 is used when PG is set. CR3 enables the processor to locate the page
table directory for the current task. Refer to Chapter 5 for a description
of page tables and page translation.

Figure 4-2. Control Registers

 31                                          12 11              0
+---------------------------------------------+-----------------+
|     PAGE DIRECTORY BASE REGISTER (PDBR)     |    RESERVED     | CR3
+---------------------------------------------+-----------------+
|                   PAGE FAULT LINEAR ADDRESS                   | CR2
+--+---------------------------------------------+--+--+--+--+--+
|P |                                             |E |T |E |M |P |
|G |                  RESERVED                   |T |S |M |P |E | CR0
+--+---------------------------------------------+--+--+--+--+--+
 31                                               4  3  2  1  0
4.1.4 Debug Register

The debug registers bring advanced debugging abilities to the 80386,
including data breakpoints and the ability to set instruction breakpoints
without modifying code segments. Refer to Chapter 12 for a complete
description of formats and usage.

4.1.5 Test Registers

The test registers are not a standard part of the 80386 architecture. They
are provided solely to enable confidence testing of the translation
lookaside buffer (TLB), the cache used for storing information from page
tables. Chapter 12 explains how to use these registers.

4.2 Systems Instructions

Systems instructions deal with such functions as:

1. Verification of pointer parameters (refer to Chapter 6):

   LAR  -- Load Access Rights
   LSL  -- Load Segment Limit
   VERR -- Verify for Reading
   VERW -- Verify for Writing

2. Addressing descriptor tables (refer to Chapter 5):

   LLDT -- Load LDT Register
   SLDT -- Store LDT Register
   LGDT -- Load GDT Register
   SGDT -- Store GDT Register

3. Multitasking (refer to Chapter 7):

   LTR  -- Load Task Register
   STR  -- Store Task Register

4. Coprocessing and Multiprocessing (refer to Chapter 11):

   CLTS -- Clear Task-Switched Flag
   ESC  -- Escape instructions
   WAIT -- Wait until Coprocessor not Busy
   LOCK -- Assert Bus-Lock Signal

5. Input and Output (refer to Chapter 8):

   OUTS -- Output String

6. Interrupt control (refer to Chapter 9):

   CLI  -- Clear Interrupt-Enable Flag
   STI  -- Set Interrupt-Enable Flag
   LIDT -- Load IDT Register
   SIDT -- Store IDT Register

7. Debugging (refer to Chapter 12):

   MOV  -- Move to and from debug registers

8. TLB testing (refer to Chapter 10):

   MOV  -- Move to and from test registers

   HLT  -- Halt Processor
   MOV  -- Move to and from control registers

The instructions SMSW and LMSW are provided for compatibility with the
80286 processor. 80386 programs access the MSW in CR0 via variants of the
MOV instruction. HLT stops the processor until receipt of an INTR or RESET

In addition to the chapters cited above, detailed information about each of
these instructions can be found in the instruction reference chapter,
Chapter 5 Memory Management

----------------------------------------------------------------------------

The 80386 transforms logical addresses (i.e., addresses as viewed by
programmers) into physical addresses (i.e., actual addresses in physical
memory) in two steps:

• Segment translation, in which a logical address (consisting of a
  segment selector and segment offset) is converted to a linear address.

• Page translation, in which a linear address is converted to a physical
  address. This step is optional, at the discretion of systems-software

These translations are performed in a way that is not visible to
applications programmers. Figure 5-1 illustrates the two translations at a
high level of abstraction.

Figure 5-1 and the remainder of this chapter present a simplified view of
the 80386 addressing mechanism. In reality, the addressing mechanism also
includes memory protection features. For the sake of simplicity, however,
the subject of protection is taken up in another chapter, Chapter 6.

Figure 5-1. Address Translation Overview

 LOGICAL ADDRESS     +------------+  +------------------------------+
                     |  SELECTOR  |  |            OFFSET            |
                     +------------+  +------------------------------+
                                     |
                                     v
                     +------------------------------+
                     |     SEGMENT TRANSLATION      |
                     +------------------------------+
                                     |
                      31             v              0
 LINEAR ADDRESS      +----------+----------+----------+
                     |   DIR    |   PAGE   |  OFFSET  |
                     +----------+----------+----------+
                                     |
                                  +------+   PAGING DISABLED: the linear
                                  | PG ? |-----------------------------------+
                                  +------+   address is the physical address |
                                     |                                       |
                               PAGING ENABLED                                |
                                     v                                       |
                     +------------------------------+                        |
                     |       PAGE TRANSLATION       |                        |
                     +------------------------------+                        |
                                     |                                       |
                                     +<--------------------------------------+
                                     v
 PHYSICAL ADDRESS    +------------------------------+
                     |                              |
                     +------------------------------+
5.1 Segment Translation

Figure 5-2 shows in more detail how the processor converts a logical
address into a linear address.

To perform this translation, the processor uses the following data

The segment descriptor provides the processor with the data it needs to map
a logical address into a linear address. Descriptors are created by
compilers, linkers, loaders, or the operating system, not by applications
programmers. Figure 5-3 illustrates the two general descriptor formats. All
types of segment descriptors take one of these formats. Segment-descriptor

BASE: Defines the location of the segment within the 4 gigabyte linear
address space. The processor concatenates the three fragments of the base
address to form a single 32-bit value.

LIMIT: Defines the size of the segment. When the processor concatenates the
two parts of the limit field, a 20-bit value results. The processor
interprets the limit field in one of two ways, depending on the setting of
the granularity bit:

1. In units of one byte, to define a limit of up to 1 megabyte.

2. In units of 4 Kilobytes, to define a limit of up to 4 gigabytes. The
   limit is shifted left by 12 bits when loaded, and low-order one-bits

Granularity bit: Specifies the units with which the LIMIT field is
interpreted. When the bit is clear, the limit is interpreted in units of one
byte; when set, the limit is interpreted in units of 4 Kilobytes.

TYPE: Distinguishes between various kinds of descriptors.

DPL (Descriptor Privilege Level): Used by the protection mechanism (refer

Segment-Present bit: If this bit is zero, the descriptor is not valid for
use in address transformation; the processor will signal an exception when a
selector for the descriptor is loaded into a segment register. Figure 5-4
shows the format of a descriptor when the present-bit is zero. The operating
system is free to use the locations marked AVAILABLE. Operating systems that
implement segment-based virtual memory clear the present bit in either of

• When the linear space spanned by the segment is not mapped by the

• When the segment is not present in memory.

Accessed bit: The processor sets this bit when the segment is accessed;
i.e., a selector for the descriptor is loaded into a segment register or
used by a selector test instruction. Operating systems that implement
virtual memory at the segment level may, by periodically testing and
clearing this bit, monitor frequency of segment usage.

Creation and maintenance of descriptors is the responsibility of systems
software, usually requiring the cooperation of compilers, program loaders or
system builders, and the operating system.
Figure 5-2. Segment Translation

 LOGICAL ADDRESS    +------------+   +---------------------------------+
                    |  SELECTOR  |   |             OFFSET              |
                    +------------+   +---------------------------------+
                          |                          |
                          v                          |
                 DESCRIPTOR TABLE                    |
                 +----------------+                  |
                 |                |                  |
                 +----------------+   BASE           v
                 |    SEGMENT     |   ADDRESS      +---+
                 |   DESCRIPTOR   |--------------->| + |
                 +----------------+                +---+
                 |                |                  |
                 +----------------+                  v
                     31                                             0
 LINEAR ADDRESS    +------------+------------+--------------------+
                   |    DIR     |    PAGE    |       OFFSET       |
                   +------------+------------+--------------------+

Figure 5-3. General Segment-Descriptor Format

DESCRIPTORS USED FOR APPLICATIONS CODE AND DATA SEGMENTS

 31           24 23 22 21 20 19      16 15 14  13 12 11     8 7            0
+---------------+--+--+--+--+----------+--+------+--+--------+--------------+
|               |  |  |  | A|  LIMIT   |  |      |  |        |              |
|  BASE 31..24  | G| X| O| V|  19..16  | P| DPL  | 1| TYPE A |  BASE 23..16 | 4
|               |  |  |  | L|          |  |      |  |        |              |
+---------------+--+--+--+--+----------+--+------+--+--------+--------------+
|          SEGMENT BASE 15..0         |         SEGMENT LIMIT 15..0         | 0
+-------------------------------------+-------------------------------------+

DESCRIPTORS USED FOR SPECIAL SYSTEM SEGMENTS

 31           24 23 22 21 20 19      16 15 14  13 12 11     8 7            0
+---------------+--+--+--+--+----------+--+------+--+--------+--------------+
|               |  |  |  | A|  LIMIT   |  |      |  |        |              |
|  BASE 31..24  | G| X| O| V|  19..16  | P| DPL  | 0| TYPE   |  BASE 23..16 | 4
|               |  |  |  | L|          |  |      |  |        |              |
+---------------+--+--+--+--+----------+--+------+--+--------+--------------+
|          SEGMENT BASE 15..0         |         SEGMENT LIMIT 15..0         | 0
+-------------------------------------+-------------------------------------+

AVL - AVAILABLE FOR USE BY SYSTEMS PROGRAMMERS
DPL - DESCRIPTOR PRIVILEGE LEVEL
5.1.2 Descriptor Tables

Segment descriptors are stored in either of two kinds of descriptor table:

• The global descriptor table (GDT)
• A local descriptor table (LDT)

A descriptor table is simply a memory array of 8-byte entries that contain
descriptors, as Figure 5-5 shows. A descriptor table is variable in length
and may contain up to 8192 (2^(13)) descriptors. The first entry of the GDT
(INDEX=0) is not used by the processor, however.

The processor locates the GDT and the current LDT in memory by means of the
GDTR and LDTR registers. These registers store the base addresses of the
tables in the linear address space and store the segment limits. The
instructions LGDT and SGDT give access to the GDTR; the instructions LLDT
and SLDT give access to the LDTR.
Figure 5-4. Format of Not-Present Descriptor

+--------------------------------------+--+------+--+--------+--------------+
|              AVAILABLE               | 0| DPL  | S| TYPE   |  AVAILABLE   | 4
+--------------------------------------+--+------+--+--------+--------------+
|                               AVAILABLE                                 | 0
+---------------------------------------------------------------------------+

Figure 5-5. Descriptor Tables

      GLOBAL DESCRIPTOR TABLE                LOCAL DESCRIPTOR TABLE
     +-------------------------+            +-------------------------+
     |                         |            |                         |
     +-  -  -  -  -  -  -  -  -+            +-  -  -  -  -  -  -  -  -+
     |                         |            |                         |
     +-------------------------+            +-------------------------+
     |                         | N + 3      |                         | N + 3
     +-------------------------+            +-------------------------+
     |                         | N + 2      |                         | N + 2
     +-------------------------+            +-------------------------+
     |                         | N + 1      |                         | N + 1
     +-------------------------+            +-------------------------+
     |                         |            |                         |
     +-  -  -  -  -  -  -  -  -+            +-  -  -  -  -  -  -  -  -+
     |                         |            |                         |
     +-------------------------+            +-------------------------+
     |        (UNUSED)         |            |                         |
     +-------------------------+            +-------------------------+
                  ^                                       ^
                  |                                       |
     +---------------------+  |            +---------------------+  |
     |        GDTR         |--+            |        LDTR         |--+
     +---------------------+               +---------------------+
The selector portion of a logical address identifies a descriptor by
specifying a descriptor table and indexing a descriptor within that table.
Selectors may be visible to applications programs as a field within a
pointer variable, but the values of selectors are usually assigned (fixed
up) by linkers or linking loaders. Figure 5-6 shows the format of a

Index: Selects one of 8192 descriptors in a descriptor table. The processor
simply multiplies this index value by 8 (the length of a descriptor), and
adds the result to the base address of the descriptor table in order to
access the appropriate segment descriptor in the table.

Table Indicator: Specifies to which descriptor table the selector refers. A
zero indicates the GDT; a one indicates the current LDT.

Requested Privilege Level: Used by the protection mechanism. (Refer to

Because the first entry of the GDT is not used by the processor, a selector
that has an index of zero and a table indicator of zero (i.e., a selector
that points to the first entry of the GDT), can be used as a null selector.
The processor does not cause an exception when a segment register (other
than CS or SS) is loaded with a null selector. It will, however, cause an
exception when the segment register is used to access memory. This feature
is useful for initializing unused segment registers so as to trap accidental

Figure 5-6. Format of a Selector

 15                     3  2  1   0
+------------------------+--+------+
|         INDEX          |TI| RPL  |
+------------------------+--+------+

TI - TABLE INDICATOR
RPL - REQUESTOR'S PRIVILEGE LEVEL
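The C below is an added example, not code from the manual, covering both the descriptor format of Figure 5-3 and the selector rules just described. It splits a selector into INDEX, TI and RPL, reassembles the three BASE fragments and two LIMIT fragments of an 8-byte descriptor, applies the granularity bit, and then performs the segment-translation step for a one-byte access, returning a failure wherever the processor would raise an exception (null selector, index past the table limit, segment not present, offset past the limit). The sample GDT, its base addresses and limits are constructed; expand-down segments, type checks and privilege checks (Chapter 6) are not modelled.

```c
#include <stdint.h>
#include <stdbool.h>

/* Fields of a selector (Figure 5-6): 13-bit index, table indicator, requested privilege level. */
typedef struct { unsigned index; bool ti; unsigned rpl; } selector_fields;

selector_fields decode_selector(uint16_t sel)
{
    selector_fields f = { sel >> 3, (sel >> 2) & 1u, sel & 3u };
    return f;
}

/* Index 0 with TI 0 is the null selector: loadable into DS/ES/FS/GS, faults when used. */
bool is_null_selector(uint16_t sel)
{
    return (sel >> 2) == 0;
}

/* Fields of an 8-byte segment descriptor (Figure 5-3) after the processor has
   reassembled the split BASE and LIMIT fragments. */
typedef struct {
    uint32_t base;        /* three fragments concatenated into 32 bits */
    uint32_t raw_limit;   /* the 20-bit LIMIT field as stored */
    uint32_t limit;       /* byte limit after applying the granularity bit */
    unsigned type;        /* 4-bit TYPE; for applications descriptors bit 0 is A (accessed) */
    bool     app;         /* bit 12: 1 = applications code/data, 0 = system segment */
    unsigned dpl;
    bool     present;
    bool     granularity;
} seg_descriptor;

seg_descriptor decode_descriptor(const uint8_t d[8])
{
    uint32_t lo = (uint32_t)d[0] | (uint32_t)d[1] << 8 | (uint32_t)d[2] << 16 | (uint32_t)d[3] << 24;
    uint32_t hi = (uint32_t)d[4] | (uint32_t)d[5] << 8 | (uint32_t)d[6] << 16 | (uint32_t)d[7] << 24;
    seg_descriptor r;
    r.raw_limit   = (lo & 0xFFFFu) | (hi & 0x000F0000u);                     /* LIMIT 15..0 | 19..16 */
    r.base        = (lo >> 16) | ((hi & 0xFFu) << 16) | (hi & 0xFF000000u); /* BASE 15..0, 23..16, 31..24 */
    r.type        = (hi >> 8) & 0xFu;
    r.app         = (hi >> 12) & 1u;
    r.dpl         = (hi >> 13) & 3u;
    r.present     = (hi >> 15) & 1u;
    r.granularity = (hi >> 23) & 1u;
    /* G=1: limit is in 4K units; shifted left 12 with the low-order 12 bits set to one */
    r.limit = r.granularity ? (r.raw_limit << 12) | 0xFFFu : r.raw_limit;
    return r;
}

/* Inverse of decode_descriptor, used only to construct sample tables. */
void make_descriptor(uint8_t out[8], uint32_t base, uint32_t limit20, bool g,
                     unsigned type, bool app, unsigned dpl, bool present)
{
    uint32_t lo = (limit20 & 0xFFFFu) | ((base & 0xFFFFu) << 16);
    uint32_t hi = ((base >> 16) & 0xFFu) | ((type & 0xFu) << 8) | ((uint32_t)app << 12)
                | ((dpl & 3u) << 13) | ((uint32_t)present << 15) | (limit20 & 0xF0000u)
                | ((uint32_t)g << 23) | (base & 0xFF000000u);
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(lo >> (8 * i));
        out[4 + i] = (uint8_t)(hi >> (8 * i));
    }
}

/* A descriptor table as GDTR/LDTR describe it: linear base plus limit (last valid byte). */
typedef struct { const uint8_t *base; uint32_t limit; } desc_table;

/* Segment translation for a one-byte access at selector:offset. Returns false wherever
   the processor would raise an exception instead of producing a linear address. */
bool segment_translate(const desc_table *gdt, const desc_table *ldt,
                       uint16_t sel, uint32_t offset, uint32_t *linear)
{
    if (is_null_selector(sel))
        return false;                              /* null selector used for an access */
    selector_fields f = decode_selector(sel);
    const desc_table *t = f.ti ? ldt : gdt;
    uint32_t entry = f.index * 8u;                 /* index times the 8-byte descriptor length */
    if (entry + 7u > t->limit)
        return false;                              /* descriptor lies outside the table */
    seg_descriptor d = decode_descriptor(t->base + entry);
    if (!d.present)
        return false;                              /* segment-not-present */
    if (offset > d.limit)
        return false;                              /* limit violation (expand-up segment) */
    *linear = d.base + offset;
    return true;
}

/* Constructed sample GDT: entry 0 unused, entry 1 a present 1 MB data segment based at
   0x00400000, entry 2 a not-present descriptor. Returns the linear address or -1 on a fault. */
int64_t sample_translate(uint16_t sel, uint32_t offset)
{
    static uint8_t gdt_mem[3 * 8];
    desc_table gdt = { gdt_mem, sizeof gdt_mem - 1 };
    make_descriptor(gdt_mem + 8,  0x00400000u, 0xFFu, true, 0x2, true, 3, true);
    make_descriptor(gdt_mem + 16, 0x00800000u, 0xFFu, true, 0x2, true, 3, false);
    uint32_t lin;
    return segment_translate(&gdt, &gdt, sel, offset, &lin) ? (int64_t)lin : -1;
}
```

With selector 0x000B (index 1, TI 0, RPL 3) the sample translates offset 0x1000 to linear 0x00401000, while offset 0x100000 exceeds the 1 MB limit produced by G=1 and is refused; selectors 0x0003 (null), 0x0013 (not present) and 0x001B (past the table limit) are refused as well.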
Figure 5-7. Segment Registers

             SELECTOR                 HIDDEN DESCRIPTOR
        +----------------+----------------------------------------+
     CS |                |                                        |
        +----------------+----------------------------------------+
     SS |                |                                        |
        +----------------+----------------------------------------+
     DS |                |                                        |
        +----------------+----------------------------------------+
     ES |                |                                        |
        +----------------+----------------------------------------+
     FS |                |                                        |
        +----------------+----------------------------------------+
     GS |                |                                        |
        +----------------+----------------------------------------+
5.1.4 Segment Registers

The 80386 stores information from descriptors in segment registers, thereby
avoiding the need to consult a descriptor table every time it accesses

Every segment register has a "visible" portion and an "invisible" portion,
as Figure 5-7 illustrates. The visible portions of these segment address
registers are manipulated by programs as if they were simply 16-bit
registers. The invisible portions are manipulated by the processor.

The operations that load these registers are normal program instructions
(previously described in Chapter 3). These instructions are of two classes:

1. Direct load instructions; for example, MOV, POP, LDS, LSS, LGS, LFS.
   These instructions explicitly reference the segment registers.

2. Implied load instructions; for example, far CALL and JMP. These
   instructions implicitly reference the CS register, and load it with a

Using these instructions, a program loads the visible part of the segment
register with a 16-bit selector. The processor automatically fetches the
base address, limit, type, and other information from a descriptor table and
loads them into the invisible part of the segment register.

Because most instructions refer to data in segments whose selectors have
already been loaded into segment registers, the processor can add the
segment-relative offset supplied by the instruction to the segment base
address with no additional overhead.

5.2 Page Translation

In the second phase of address transformation, the 80386 transforms a
linear address into a physical address. This phase of address transformation
implements the basic features needed for page-oriented virtual-memory
systems and page-level protection.

The page-translation step is optional. Page translation is in effect only
when the PG bit of CR0 is set. This bit is typically set by the operating
system during software initialization. The PG bit must be set if the
operating system is to implement multiple virtual 8086 tasks, page-oriented
protection, or page-oriented virtual memory.

A page frame is a 4K-byte unit of contiguous addresses of physical memory.
Pages begin on 4K-byte boundaries and are fixed in size.

5.2.2 Linear Address

A linear address refers indirectly to a physical address by specifying a
page table, a page within that table, and an offset within that page. Figure
5-8 shows the format of a linear address.

Figure 5-9 shows how the processor converts the DIR, PAGE, and OFFSET
fields of a linear address into the physical address by consulting two
levels of page tables. The addressing mechanism uses the DIR field as an
index into a page directory, uses the PAGE field as an index into the page
table determined by the page directory, and uses the OFFSET field to address
a byte within the page determined by the page table.
5108 Figure 5-8. Format of a Linear Address
[Figure 5-8: a 32-bit linear address divided into three fields, from the high-order end: DIR, PAGE, OFFSET.]
5118 Figure 5-9. Page Translation
[Figure 5-9: the DIR field of the linear address selects a DIR ENTRY in the PAGE DIRECTORY; that entry locates a PAGE TABLE, in which the PAGE field selects a PG TBL ENTRY; the page frame address from that entry, combined with the OFFSET field, forms the PHYSICAL address.]
5145 A page table is simply an array of 32-bit page specifiers. A page table is
5146 itself a page, and therefore contains 4 Kilobytes of memory or at most 1K
5149 Two levels of tables are used to address a page of memory. At the higher
5150 level is a page directory. The page directory addresses up to 1K page tables
5151 of the second level. A page table of the second level addresses up to 1K
5152 pages. All the tables addressed by one page directory, therefore, can
5153 address 1M pages (2^(20)). Because each page contains 4K bytes (2^(12)
5154 bytes), the tables of one page directory can span the entire physical
5155 address space of the 80386 (2^(20) times 2^(12) = 2^(32)).
5157 The physical address of the current page directory is stored in the CPU
5158 register CR3, also called the page directory base register (PDBR). Memory
5159 management software has the option of using one page directory for all
5160 tasks, one page directory for each task, or some combination of the two.
5161 Refer to Chapter 10 for information on initialization of CR3. Refer to
5162 Chapter 7 to see how CR3 can change for each task.
5165 5.2.4 Page-Table Entries
5167 Entries in either level of page tables have the same format. Figure 5-10
5168 illustrates this format.
5171 5.2.4.1 Page Frame Address
5173 The page frame address specifies the physical starting address of a page.
5174 Because pages are located on 4K boundaries, the low-order 12 bits are always
5175 zero. In a page directory, the page frame address is the address of a page
5176 table. In a second-level page table, the page frame address is the address
5177 of the page frame that contains the desired memory operand.
5182 The Present bit indicates whether a page table entry can be used in address
5183 translation. P=1 indicates that the entry can be used.
5185 When P=0 in either level of page tables, the entry is not valid for address
5186 translation, and the rest of the entry is available for software use; none
5187 of the other bits in the entry is tested by the hardware. Figure 5-11
5188 illustrates the format of a page-table entry when P=0.
5190 If P=0 in either level of page tables when an attempt is made to use a
5191 page-table entry for address translation, the processor signals a page
5192 exception. In software systems that support paged virtual memory, the
5193 page-not-present exception handler can bring the required page into physical
5194 memory. The instruction that caused the exception can then be reexecuted.
5195 Refer to Chapter 9 for more information on exception handlers.
5197 Note that there is no present bit for the page directory itself. The page
5198 directory may be not-present while the associated task is suspended, but the
5199 operating system must ensure that the page directory indicated by the CR3
5200 image in the TSS is present in physical memory before the task is
5201 dispatched. Refer to Chapter 7 for an explanation of the TSS and task
5205 Figure 5-10. Format of a Page Table Entry
Bits 31..12: PAGE FRAME ADDRESS 31..12
Bits 11..9:  AVAIL
Bits 8..7:   0 0
Bit 6:       D
Bit 5:       A
Bits 4..3:   0 0
Bit 2:       U/S
Bit 1:       R/W
Bit 0:       P
5216 U/S - USER/SUPERVISOR
5218 AVAIL - AVAILABLE FOR SYSTEMS PROGRAMMER USE
5220 NOTE: 0 INDICATES INTEL RESERVED. DO NOT DEFINE.
5223 Figure 5-11. Invalid Page Table Entry
[Figure 5-11: when P=0, bits 31..1 of the entry are available to software and bit 0 is P.]
5233 5.2.4.3 Accessed and Dirty Bits
5235 These bits provide data about page usage in both levels of the page tables.
5236 With the exception of the dirty bit in a page directory entry, these bits
5237 are set by the hardware; however, the processor does not clear any of these
5240 The processor sets the corresponding accessed bits in both levels of page
5241 tables to one before a read or write operation to a page.
5243 The processor sets the dirty bit in the second-level page table to one
5244 before a write to an address covered by that page table entry. The dirty bit
5245 in directory entries is undefined.
5247 An operating system that supports paged virtual memory can use these bits
5248 to determine what pages to eliminate from physical memory when the demand
5249 for memory exceeds the physical memory available. The operating system is
5250 responsible for testing and clearing these bits.
5252 Refer to Chapter 11 for how the 80386 coordinates updates to the accessed
5253 and dirty bits in multiprocessor systems.
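The two-level walk of 5.2.2 through 5.2.4, as an added example in C (not code from the Intel manual): it models a page directory and one page table in a constructed array standing in for physical memory, applies the Present, Accessed and Dirty rules given above, and uses the bit positions of Figure 5-10 (P bit 0, R/W bit 1, U/S bit 2, A bit 5, D bit 6, AVAIL bits 11..9, page frame address bits 31..12) together with the 10/10/12-bit split of the DIR, PAGE and OFFSET fields. The mapping it builds, the simulated memory size and the fault codes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit layout of an 80386 page-directory / page-table entry (Figure 5-10). */
#define PTE_P     (1u << 0)    /* Present */
#define PTE_RW    (1u << 1)    /* Read/Write: protection only, see Chapter 6 */
#define PTE_US    (1u << 2)    /* User/Supervisor: protection only */
#define PTE_A     (1u << 5)    /* Accessed: set by hardware in both levels */
#define PTE_D     (1u << 6)    /* Dirty: meaningful only in second-level entries */
#define PTE_AVAIL (7u << 9)    /* bits 11..9: available to systems software */
#define PTE_FRAME 0xFFFFF000u  /* bits 31..12: page frame address */
#define PAGE_SIZE 4096u

/* Fields of a linear address (Figure 5-8): 10-bit DIR, 10-bit PAGE, 12-bit OFFSET. */
#define LIN_DIR(l)    (((l) >> 22) & 0x3FFu)
#define LIN_PAGE(l)   (((l) >> 12) & 0x3FFu)
#define LIN_OFFSET(l) ((l) & 0xFFFu)

/* Constructed result codes: 1 and 2 stand for the page exception raised on P=0. */
enum { XLATE_OK = 0, XLATE_FAULT_DIR = 1, XLATE_FAULT_TABLE = 2 };

/* Constructed stand-in for physical memory: three 4K page frames
   (frame 0 = page directory, frame 1 = page table, frame 2 = a data page). */
#define SIM_FRAMES 3u
static uint32_t sim_mem[SIM_FRAMES * PAGE_SIZE / 4];

/* Entries outside the simulated memory read as zero (P=0), so a bad frame
   address in a table shows up as a fault rather than an out-of-bounds access. */
uint32_t read_entry(uint32_t phys)
{
    return phys < sizeof sim_mem ? sim_mem[phys / 4] : 0u;
}

static void write_entry(uint32_t phys, uint32_t value)
{
    if (phys < sizeof sim_mem)
        sim_mem[phys / 4] = value;
}

/* One address translation as the 80386 performs it: CR3 (the PDBR) locates the
   directory, DIR selects the directory entry, PAGE selects the page-table entry,
   OFFSET is appended to the page frame address. Accessed bits are set in both
   levels before the access; the dirty bit only in the second level, only on a
   write. A not-present entry stops the walk and leaves its other bits untouched. */
int translate(uint32_t cr3, uint32_t linear, int is_write, uint32_t *phys)
{
    uint32_t pde_addr = (cr3 & PTE_FRAME) + LIN_DIR(linear) * 4u;
    uint32_t pde = read_entry(pde_addr);
    if (!(pde & PTE_P))
        return XLATE_FAULT_DIR;
    write_entry(pde_addr, pde | PTE_A);

    uint32_t pte_addr = (pde & PTE_FRAME) + LIN_PAGE(linear) * 4u;
    uint32_t pte = read_entry(pte_addr);
    if (!(pte & PTE_P))
        return XLATE_FAULT_TABLE;
    pte |= PTE_A;
    if (is_write)
        pte |= PTE_D;
    write_entry(pte_addr, pte);

    if (phys)
        *phys = (pte & PTE_FRAME) | LIN_OFFSET(linear);
    return XLATE_OK;
}

/* Physical address of a translation, or UINT32_MAX when it faults. */
uint32_t phys_of(uint32_t cr3, uint32_t linear, int is_write)
{
    uint32_t p = 0;
    return translate(cr3, linear, is_write, &p) == XLATE_OK ? p : UINT32_MAX;
}

/* Build the constructed mapping and return the value to load into CR3:
   DIR index 1 -> page table in frame 1; in that table, PAGE index 1 -> data
   frame 2, and PAGE index 2 -> not present, with a software-chosen value
   (0x2A, say a swap-slot number) kept in bits 31..1 as Figure 5-11 permits. */
uint32_t setup_tables(void)
{
    const uint32_t dir = 0x0000u, table = 0x1000u, data = 0x2000u;
    memset(sim_mem, 0, sizeof sim_mem);
    write_entry(dir + 1u * 4u, table | PTE_P | PTE_RW | PTE_US);
    write_entry(table + 1u * 4u, data | PTE_P | PTE_RW | PTE_US);
    write_entry(table + 2u * 4u, 0x2Au << 1);
    return dir;
}

int main(void)
{
    uint32_t cr3 = setup_tables(), phys = 0;
    int rc = translate(cr3, 0x00401123u, 1, &phys);
    printf("linear 0x00401123 -> rc=%d phys=0x%08X\n", rc, phys);
    rc = translate(cr3, 0x00402000u, 0, &phys);
    printf("linear 0x00402000 -> rc=%d, software field 0x%X untouched\n",
           rc, read_entry(0x1008u) >> 1);
    return 0;
}
```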
5256 5.2.4.4 Read/Write and User/Supervisor Bits
5258 These bits are not used for address translation, but are used for
5259 page-level protection, which the processor performs at the same time as
5260 address translation. Refer to Chapter 6 where protection is discussed in
5264 5.2.5 Page Translation Cache
5266 For greatest efficiency in address translation, the processor stores the
5267 most recently used page-table data in an on-chip cache. Only if the
5268 necessary paging information is not in the cache must both levels of page
5269 tables be referenced.
5271 The existence of the page-translation cache is invisible to applications
5272 programmers but not to systems programmers; operating-system programmers
5273 must flush the cache whenever the page tables are changed. The
5274 page-translation cache can be flushed by either of two methods:
5276 1. By reloading CR3 with a MOV instruction; for example:
5280 2. By performing a task switch to a TSS that has a different CR3 image
5281 than the current TSS. (Refer to Chapter 7 for more information on
5285 5.3 Combining Segment and Page Translation
5287 Figure 5-12 combines Figure 5-2 and Figure 5-9 to summarize both phases
5288 of the transformation from a logical address to a physical address when
5289 paging is enabled. By appropriate choice of options and parameters to both
5290 phases, memory-management software can implement several different styles of
5294 5.3.1 "Flat" Architecture
5296 When the 80386 is used to execute software designed for architectures that
5297 don't have segments, it may be expedient to effectively "turn off" the
5298 segmentation features of the 80386. The 80386 does not have a mode that
5299 disables segmentation, but the same effect can be achieved by initially
5300 loading the segment registers with selectors for descriptors that encompass
5301 the entire 32-bit linear address space. Once loaded, the segment registers
5302 don't need to be changed. The 32-bit offsets used by 80386 instructions are
5303 adequate to address the entire linear-address space.
5306 5.3.2 Segments Spanning Several Pages
5308 The architecture of the 80386 permits segments to be larger or smaller than
5309 the size of a page (4 Kilobytes). For example, suppose a segment is used to
5310 address and protect a large data structure that spans 132 Kilobytes. In a
5311 software system that supports paged virtual memory, it is not necessary for
5312 the entire structure to be in physical memory at once. The structure is
5313 divided into 33 pages, any number of which may not be present. The
5314 applications programmer does not need to be aware that the virtual memory
5315 subsystem is paging the structure in this manner.
5318 Figure 5-12. 80386 Addressing Mechanism
[Figure 5-12: the LOGICAL ADDRESS (SELECTOR and OFFSET) is resolved through the DESCRIPTOR TABLE; the SEGMENT DESCRIPTOR selected supplies a base that is added (+) to the OFFSET, giving the LINEAR ADDRESS (DIR, PAGE, OFFSET). The lower half repeats Figure 5-9: DIR selects a DIR ENTRY in the PAGE DIRECTORY, PAGE selects a PG TBL ENTRY in the PAGE TABLE, and the page frame address plus OFFSET forms the PHYSICAL address.]
5361 5.3.3 Pages Spanning Several Segments
5363 On the other hand, segments may be smaller than the size of a page. For
5364 example, consider a small data structure such as a semaphore. Because of the
5365 protection and sharing provided by segments (refer to Chapter 6), it may be
5366 useful to create a separate segment for each semaphore. But, because a
5367 system may need many semaphores, it is not efficient to allocate a page for
5368 each. Therefore, it may be useful to cluster many related segments within a
5372 5.3.4 Non-Aligned Page and Segment Boundaries
5374 The architecture of the 80386 does not enforce any correspondence between
5375 the boundaries of pages and segments. It is perfectly permissible for a page
5376 to contain the end of one segment and the beginning of another. Likewise, a
5377 segment may contain the end of one page and the beginning of another.
5380 5.3.5 Aligned Page and Segment Boundaries
5382 Memory-management software may be simpler, however, if it enforces some
5383 correspondence between page and segment boundaries. For example, if segments
5384 are allocated only in units of one page, the logic for segment and page
5385 allocation can be combined. There is no need for logic to account for
5386 partially used pages.
5389 5.3.6 Page-Table per Segment
5391 An approach to space management that provides even further simplification
5392 of space-management software is to maintain a one-to-one correspondence
5393 between segment descriptors and page-directory entries, as Figure 5-13
5394 illustrates. Each descriptor has a base address in which the low-order 22
5395 bits are zero; in other words, the base address is mapped by the first entry
5396 of a page table. A segment may have any limit from 1 to 4 megabytes.
5397 Depending on the limit, the segment is contained in from 1 to 1K page
5398 frames. A task is thus limited to 1K segments (a sufficient number for many
5399 applications), each containing up to 4 Mbytes. The descriptor, the
5400 corresponding page-directory entry, and the corresponding page table can be
5401 allocated and deallocated simultaneously.
5404 Figure 5-13. Descriptor per Page Table
[Figure 5-13: three columns, LDT, PAGE DIRECTORY and PAGE TABLES. Each DESCRIPTOR in the LDT corresponds one-to-one with a PDE in the page directory; each such PDE points to its own page table, whose PTEs locate the page frames of that segment.]
5434 Chapter 6 Protection
5440 The purpose of the protection features of the 80386 is to help detect and
5441 identify bugs. The 80386 supports sophisticated applications that may
5442 consist of hundreds or thousands of program modules. In such applications,
5443 the question is how bugs can be found and eliminated as quickly as possible
5444 and how their damage can be tightly confined. To help debug applications
5445 faster and make them more robust in production, the 80386 contains
5446 mechanisms to verify memory accesses and instruction execution for
5447 conformance to protection criteria. These mechanisms may be used or ignored,
5448 according to system design objectives.
5451 6.2 Overview of 80386 Protection Mechanisms
5453 Protection in the 80386 has five aspects:
5457 3. Restriction of addressable domain
5458 4. Restriction of procedure entry points
5459 5. Restriction of instruction set
5461 The protection hardware of the 80386 is an integral part of the memory
5462 management hardware. Protection applies both to segment translation and to
5465 Each reference to memory is checked by the hardware to verify that it
5466 satisfies the protection criteria. All these checks are made before the
5467 memory cycle is started; any violation prevents that cycle from starting and
5468 results in an exception. Since the checks are performed concurrently with
5469 address formation, there is no performance penalty.
5471 Invalid attempts to access memory result in an exception. Refer to
5472 Chapter 9 for an explanation of the exception mechanism. The present
5473 chapter defines the protection violations that lead to exceptions.
5475 The concept of "privilege" is central to several aspects of protection
5476 (numbers 3, 4, and 5 in the preceding list). Applied to procedures,
5477 privilege is the degree to which the procedure can be trusted not to make a
5478 mistake that might affect other procedures or data. Applied to data,
5479 privilege is the degree of protection that a data structure should have
5480 from less trusted procedures.
5482 The concept of privilege applies both to segment protection and to page
5486 6.3 Segment-Level Protection
5488 All five aspects of protection apply to segment translation:
5492 3. Restriction of addressable domain
5493 4. Restriction of procedure entry points
5494 5. Restriction of instruction set
5496 The segment is the unit of protection, and segment descriptors store
5497 protection parameters. Protection checks are performed automatically by the
5498 CPU when the selector of a segment descriptor is loaded into a segment
5499 register and with every segment access. Segment registers hold the
5500 protection parameters of the currently addressable segments.
5503 6.3.1 Descriptors Store Protection Parameters
5505 Figure 6-1 highlights the protection-related fields of segment descriptors.
5507 The protection parameters are placed in the descriptor by systems software
5508 at the time a descriptor is created. In general, applications programmers do
5509 not need to be concerned about protection parameters.
5511 When a program loads a selector into a segment register, the processor
5512 loads not only the base address of the segment but also protection
5513 information. Each segment register has bits in the invisible portion for
5514 storing base, limit, type, and privilege level; therefore, subsequent
5515 protection checks on the same segment do not consume additional clock
5519 Figure 6-1. Protection Fields of Segment Descriptors
5521 DATA SEGMENT DESCRIPTOR
     +4: BASE 31..24 | G | B | 0 | AVL | LIMIT 19..16 | P | DPL | TYPE (1 0 E W A) | BASE 23..16
     +0: SEGMENT BASE 15..0 | SEGMENT LIMIT 15..0

5534 EXECUTABLE SEGMENT DESCRIPTOR
     +4: BASE 31..24 | G | D | 0 | AVL | LIMIT 19..16 | P | DPL | TYPE (1 1 C R A) | BASE 23..16
     +0: SEGMENT BASE 15..0 | SEGMENT LIMIT 15..0

5547 SYSTEM SEGMENT DESCRIPTOR
     +4: BASE 31..24 | G | X | 0 | AVL | LIMIT 19..16 | P | DPL | 0 | TYPE | BASE 23..16
     +0: SEGMENT BASE 15..0 | SEGMENT LIMIT 15..0

(Each row is one doubleword of the eight-byte descriptor, shown from bit 31 on the left to bit 0 on the right; +4 and +0 are the byte offsets of the two doublewords within the descriptor.)

5561 A   - ACCESSED
     AVL - AVAILABLE FOR PROGRAMMERS USE
     B   - BIG
     C   - CONFORMING
     D   - DEFAULT
     DPL - DESCRIPTOR PRIVILEGE LEVEL
     E   - EXPAND-DOWN
     G   - GRANULARITY
     P   - SEGMENT PRESENT
     R   - READABLE
     W   - WRITABLE
5569 6.3.1.1 Type Checking
5571 The TYPE field of a descriptor has two functions:
5573 1. It distinguishes among different descriptor formats.
5574 2. It specifies the intended usage of a segment.
5576 Besides the descriptors for data and executable segments commonly used by
5577 applications programs, the 80386 has descriptors for special segments used
5578 by the operating system and for gates. Table 6-1 lists all the types defined
5579 for system segments and gates. Note that not all descriptors define
5580 segments; gate descriptors have a different purpose that is discussed later
5583 The type fields of data and executable segment descriptors include bits
5584 which further define the purpose of the segment (refer to Figure 6-1):
5586 • The writable bit in a data-segment descriptor specifies whether
5587 instructions can write into the segment.
5589 • The readable bit in an executable-segment descriptor specifies
5590 whether instructions are allowed to read from the segment (for example,
5591 to access constants that are stored with instructions). A readable,
5592 executable segment may be read in two ways:
5594 1. Via the CS register, by using a CS override prefix.
5596 2. By loading a selector of the descriptor into a data-segment register
5599 Type checking can be used to detect programming errors that would attempt
5600 to use segments in ways not intended by the programmer. The processor
5601 examines type information on two kinds of occasions:
5603 1. When a selector of a descriptor is loaded into a segment register.
5604 Certain segment registers can contain only certain descriptor types;
5607 • The CS register can be loaded only with a selector of an executable
5610 • Selectors of executable segments that are not readable cannot be
5611 loaded into data-segment registers.
5613 • Only selectors of writable data segments can be loaded into SS.
5615 2. When an instruction refers (implicitly or explicitly) to a segment
5616 register. Certain segments can be used by instructions only in certain
5617 predefined ways; for example:
5619 • No instruction may write into an executable segment.
5621 • No instruction may write into a data segment if the writable bit is
5624 • No instruction may read an executable segment unless the readable bit
5628 Table 6-1. System and Gate Descriptor Types
5630 Code Type of Segment or Gate
5638 6 286 Interrupt Gate
5646 E 386 Interrupt Gate
5650 6.3.1.2 Limit Checking
5652 The limit field of a segment descriptor is used by the processor to prevent
5653 programs from addressing outside the segment. The processor's interpretation
5654 of the limit depends on the setting of the G (granularity) bit. For data
5655 segments, the processor's interpretation of the limit depends also on the
5656 E-bit (expansion-direction bit) and the B-bit (big bit) (refer to Table
5659 When G=0, the actual limit is the value of the 20-bit limit field as it
5660 appears in the descriptor. In this case, the limit may range from 0 to
5661 0FFFFFH (2^(20) - 1 or 1 megabyte). When G=1, the processor appends 12
5662 low-order one-bits to the value in the limit field. In this case the actual
5663 limit may range from 0FFFH (2^(12) - 1 or 4 kilobytes) to 0FFFFFFFFH (2^(32)
5664 - 1 or 4 gigabytes).
5666 For all types of segments except expand-down data segments, the value of
5667 the limit is one less than the size (expressed in bytes) of the segment. The
5668 processor causes a general-protection exception in any of these cases:
5670 • Attempt to access a memory byte at an address > limit.
5671 • Attempt to access a memory word at an address ≥ limit.
5672 • Attempt to access a memory doubleword at an address ≥ (limit-2).
5674 For expand-down data segments, the limit has the same function but is
5675 interpreted differently. In these cases the range of valid addresses is from
5676 limit + 1 to either 64K or 2^(32) - 1 (4 Gbytes) depending on the B-bit. An
5677 expand-down segment has maximum size when the limit is zero.
5679 The expand-down feature makes it possible to expand the size of a stack by
5680 copying it to a larger segment without needing also to update intrastack
5683 The limit field of descriptors for descriptor tables is used by the
5684 processor to prevent programs from selecting a table entry outside the
5685 descriptor table. The limit of a descriptor table identifies the last valid
5686 byte of the last descriptor in the table. Since each descriptor is eight
5687 bytes long, the limit value is N * 8 - 1 for a table that can contain up to
5690 Limit checking catches programming errors such as runaway subscripts and
5691 invalid pointer calculations. Such errors are detected when they occur, so
5692 that identification of the cause is easier. Without limit checking, such
5693 errors could corrupt other modules; the existence of such errors would not
5694 be discovered until later, when the corrupted module behaves incorrectly,
5695 and when identification of the cause is difficult.
5698 Table 6-2. Useful Combinations of E, G, and B Bits
5703 Expansion Direction U U D D
5728 shl (X, 12, 1) = shift X left by 12 bits inserting one-bits on the right
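Limit checking as described in 6.3.1.2, written as an added C example (not code from the manual): effective_limit applies the G-bit rule, limit_check applies the byte, word and doubleword rules for both expand-up and expand-down segments (the B bit choosing the 64K or 4G upper bound), and selector_in_table applies the N * 8 - 1 rule for descriptor tables. The struct, function names and sample values are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* The descriptor fields that enter limit checking (Figure 6-1). */
struct seg_limit {
    uint32_t limit20;   /* the 20-bit LIMIT field as it appears in the descriptor */
    bool g;             /* G: 0 = byte granularity, 1 = 4K-byte granularity */
    bool expand_down;   /* E: data segments only */
    bool big;           /* B: upper bound 64K (0) or 2^32 - 1 (1) when expand-down */
};

/* G=0: the limit is the field itself (0..0FFFFFH).
   G=1: the processor appends twelve low-order one-bits (0FFFH..0FFFFFFFFH). */
uint32_t effective_limit(const struct seg_limit *s)
{
    uint32_t l = s->limit20 & 0xFFFFFu;
    return s->g ? ((l << 12) | 0xFFFu) : l;
}

/* One access of `size` bytes (1, 2 or 4) at segment-relative `offset`.
   Returns true when it passes, false when the 80386 raises a general-protection
   exception. Arithmetic is done in 64 bits so an operand that wraps past
   0FFFFFFFFH cannot slip through. */
bool limit_check(const struct seg_limit *s, uint32_t offset, unsigned size)
{
    uint64_t limit = effective_limit(s);
    uint64_t first = offset;
    uint64_t last  = (uint64_t)offset + size - 1u;

    if (!s->expand_down) {
        /* Valid bytes are 0..limit. `last <= limit` is exactly the three rules
           of 6.3.1.2: byte faults if offset > limit, word if offset >= limit,
           doubleword if offset >= limit - 2. */
        return last <= limit;
    }
    /* Expand-down: valid bytes run from limit + 1 up to the B-bit bound. */
    uint64_t upper = s->big ? 0xFFFFFFFFull : 0xFFFFull;
    return first > limit && last <= upper;
}

/* Wrapper so a check reads as one call: fields in descriptor order. */
bool access_ok(uint32_t limit20, bool g, bool expand_down, bool big,
               uint32_t offset, unsigned size)
{
    struct seg_limit s = { limit20, g, expand_down, big };
    return limit_check(&s, offset, size);
}

uint32_t effective_limit_of(uint32_t limit20, bool g)
{
    struct seg_limit s = { limit20, g, false, false };
    return effective_limit(&s);
}

/* Descriptor-table limit: N * 8 - 1 for a table of N descriptors, i.e. the
   last byte of the last descriptor. The index is bits 15..3 of the selector;
   the whole eight-byte descriptor must lie inside the table. */
bool selector_in_table(uint32_t table_limit, uint16_t selector)
{
    uint32_t index = selector >> 3;
    return (uint64_t)index * 8u + 7u <= table_limit;
}
```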
5731 6.3.1.3 Privilege Levels
5733 The concept of privilege is implemented by assigning a value from zero to
5734 three to key objects recognized by the processor. This value is called the
5735 privilege level. The value zero represents the greatest privilege, the
5736 value three represents the least privilege. The following
5737 processor-recognized objects contain privilege levels:
5739 • Descriptors contain a field called the descriptor privilege level
5742 • Selectors contain a field called the requestor's privilege level
5743 (RPL). The RPL is intended to represent the privilege level of
5744 the procedure that originates a selector.
5746 • An internal processor register records the current privilege level
5747 (CPL). Normally the CPL is equal to the DPL of the segment that
5748 the processor is currently executing. CPL changes as control is
5749 transferred to segments with differing DPLs.
5751 The processor automatically evaluates the right of a procedure to access
5752 another segment by comparing the CPL to one or more other privilege levels.
5753 The evaluation is performed at the time the selector of a descriptor is
5754 loaded into a segment register. The criteria used for evaluating access to
5755 data differs from that for evaluating transfers of control to executable
5756 segments; therefore, the two types of access are considered separately in
5757 the following sections.
5759 Figure 6-2 shows how these levels of privilege can be interpreted as rings
5760 of protection. The center is for the segments containing the most critical
5761 software, usually the kernel of the operating system. Outer rings are for
5762 the segments of less critical software.
5764 It is not necessary to use all four privilege levels. Existing software
5765 that was designed to use only one or two levels of privilege can simply
5766 ignore the other levels offered by the 80386. A one-level system should use
5767 privilege level zero; a two-level system should use privilege levels zero
5771 Figure 6-2. Levels of Privilege
[Figure 6-2: four concentric rings, from the center outward: KERNEL (LEVEL 0), SYSTEM SERVICES (LEVEL 1), CUSTOM EXTENSIONS (LEVEL 2), APPLICATIONS (LEVEL 3). Two tasks, TASK A and TASK B, are shown sharing the same ring structure.]
5796 6.3.2 Restricting Access to Data
5798 To address operands in memory, an 80386 program must load the selector of a
5799 data segment into a data-segment register (DS, ES, FS, GS, SS). The
5800 processor automatically evaluates access to a data segment by comparing
5801 privilege levels. The evaluation is performed at the time a selector for the
5802 descriptor of the target segment is loaded into the data-segment register.
5803 As Figure 6-3 shows, three different privilege levels enter into this type
5806 1. The CPL (current privilege level).
5808 2. The RPL (requestor's privilege level) of the selector used to specify
5811 3. The DPL of the descriptor of the target segment.
5813 Instructions may load a data-segment register (and subsequently use the
5814 target segment) only if the DPL of the target segment is numerically greater
5815 than or equal to the maximum of the CPL and the selector's RPL. In other
5816 words, a procedure can only access data that is at the same or less
5819 The addressable domain of a task varies as CPL changes. When CPL is zero,
5820 data segments at all privilege levels are accessible; when CPL is one, only
5821 data segments at privilege levels one through three are accessible; when CPL
5822 is three, only data segments at privilege level three are accessible. This
5823 property of the 80386 can be used, for example, to prevent applications
5824 procedures from reading or changing tables of the operating system.
5827 Figure 6-3. Privilege Check for Data Access
[Figure 6-3: three inputs feed the PRIVILEGE CHECK BY CPU: the CPL, held in the INVISIBLE DESCRIPTOR part of a segment register (SELECTOR plus invisible part); the RPL field of the TARGET SEGMENT SELECTOR (INDEX, RPL); and the DPL field of the DATA SEGMENT DESCRIPTOR, whose layout is that of Figure 6-1 (type bits 1 0 E W A).]
5854 CPL - CURRENT PRIVILEGE LEVEL
5855 RPL - REQUESTOR'S PRIVILEGE LEVEL
5856 DPL - DESCRIPTOR PRIVILEGE LEVEL
5859 6.3.2.1 Accessing Data in Code Segments
5861 Less common than the use of data segments is the use of code segments to
5862 store data. Code segments may legitimately hold constants; it is not
5863 possible to write to a segment described as a code segment. The following
5864 methods of accessing data in code segments are possible:
5866 1. Load a data-segment register with a selector of a nonconforming,
5867 readable, executable segment.
5869 2. Load a data-segment register with a selector of a conforming,
5870 readable, executable segment.
5872 3. Use a CS override prefix to read a readable, executable segment whose
5873 selector is already loaded in the CS register.
5875 The same rules as for access to data segments apply to case 1. Case 2 is
5876 always valid because the privilege level of a segment whose conforming bit
5877 is set is effectively the same as CPL regardless of its DPL. Case 3 is always
5878 valid because the DPL of the code segment in CS is, by definition, equal to
5882 6.3.3 Restricting Control Transfers
5884 With the 80386, control transfers are accomplished by the instructions JMP,
5885 CALL, RET, INT, and IRET, as well as by the exception and interrupt
5886 mechanisms. Exceptions and interrupts are special cases that Chapter 9
5887 covers. This chapter discusses only JMP, CALL, and RET instructions.
5889 The "near" forms of JMP, CALL, and RET transfer within the current code
5890 segment, and therefore are subject only to limit checking. The processor
5891 ensures that the destination of the JMP, CALL, or RET instruction does not
5892 exceed the limit of the current executable segment. This limit is cached in
5893 the CS register; therefore, protection checks for near transfers require no
5896 The operands of the "far" forms of JMP and CALL refer to other segments;
5897 therefore, the processor performs privilege checking. There are two ways a
5898 JMP or CALL can refer to another segment:
5900 1. The operand selects the descriptor of another executable segment.
5902 2. The operand selects a call gate descriptor. This gated form of
5903 transfer is discussed in a later section on call gates.
5905 As Figure 6-4 shows, two different privilege levels enter into a privilege
5906 check for a control transfer that does not use a call gate:
5908 1. The CPL (current privilege level).
5909 2. The DPL of the descriptor of the target segment.
5911 Normally the CPL is equal to the DPL of the segment that the processor is
5912 currently executing. CPL may, however, be greater than DPL if the conforming
5913 bit is set in the descriptor of the current executable segment. The
5914 processor keeps a record of the CPL cached in the CS register; this value
5915 can be different from the DPL in the descriptor of the code segment.
5917 The processor permits a JMP or CALL directly to another segment only if one
5918 of the following privilege rules is satisfied:
5920 • DPL of the target is equal to CPL.
5922 • The conforming bit of the target code-segment descriptor is set, and
5923 the DPL of the target is less than or equal to CPL.
5925 An executable segment whose descriptor has the conforming bit set is called
5926 a conforming segment. The conforming-segment mechanism permits sharing of
5927 procedures that may be called from various privilege levels but should
5928 execute at the privilege level of the calling procedure. Examples of such
5929 procedures include math libraries and some exception handlers. When control
5930 is transferred to a conforming segment, the CPL does not change. This is
5931 the only case when CPL may be unequal to the DPL of the current executable
5934 Most code segments are not conforming. The basic rules of privilege above
5935 mean that, for nonconforming segments, control can be transferred without a
5936 gate only to executable segments at the same level of privilege. There is a
5937 need, however, to transfer control to (numerically) smaller privilege
5938 levels; this need is met by the CALL instruction when used with call-gate
5939 descriptors, which are explained in the next section. The JMP instruction
5940 may never transfer control to a nonconforming segment whose DPL does not
Figure 6-4. Privilege Check for Control Transfer without Gate

[Figure not reproduced. The target SELECTOR, the INVISIBLE PART of the
segment register (which holds the CPL), and the CODE-SEGMENT DESCRIPTOR
(BASE 31..24, G, D, 0, AVL, LIMIT 19..16, P, DPL, 1, 1, C, R, A,
BASE 23..16; SEGMENT BASE 15..0, SEGMENT LIMIT 15..0) feed the
PRIVILEGE CHECK BY CPU.]

CPL - CURRENT PRIVILEGE LEVEL
DPL - DESCRIPTOR PRIVILEGE LEVEL
6.3.4 Gate Descriptors Guard Procedure Entry Points

To provide protection for control transfers among executable segments
at different privilege levels, the 80386 uses gate descriptors. There are
four kinds of gate descriptors:

This chapter is concerned only with call gates. Task gates are used for
task switching, and therefore are discussed in Chapter 7. Chapter 9
explains how trap gates and interrupt gates are used by exceptions and
interrupts. Figure 6-5 illustrates the format of a call gate. A call gate
descriptor may reside in the GDT or in an LDT, but not in the IDT.

A call gate has two primary functions:

1. To define an entry point of a procedure.
2. To specify the privilege level of the entry point.

Call gate descriptors are used by call and jump instructions in the same
manner as code segment descriptors. When the hardware recognizes that the
destination selector refers to a gate descriptor, the operation of the
instruction is expanded as determined by the contents of the call gate.

The selector and offset fields of a gate form a pointer to the entry point
of a procedure. A call gate guarantees that all transitions to another
segment go to a valid entry point, rather than possibly into the middle of a
procedure (or worse, into the middle of an instruction). The far pointer
operand of the control transfer instruction does not point to the segment
and offset of the target instruction; rather, the selector part of the
pointer selects a gate, and the offset is not used. Figure 6-6 illustrates
this style of addressing.

As Figure 6-7 shows, four different privilege levels are used to check the
validity of a control transfer via a call gate:

1. The CPL (current privilege level).

2. The RPL (requestor's privilege level) of the selector used to specify

3. The DPL of the gate descriptor.

4. The DPL of the descriptor of the target executable segment.

The DPL field of the gate descriptor determines what privilege levels can
use the gate. One code segment can have several procedures that are intended
for use by different privilege levels. For example, an operating system may
have some services that are intended to be used by applications, whereas
others may be intended only for use by other systems software.

Gates can be used for control transfers to numerically smaller privilege
levels or to the same privilege level (though they are not necessary for
transfers to the same level). Only CALL instructions can use gates to
transfer to smaller privilege levels. A gate may be used by a JMP
instruction only to transfer to an executable segment with the same
privilege level or to a conforming segment.

For a JMP instruction to a nonconforming segment, both of the following
privilege rules must be satisfied; otherwise, a general protection exception
results.

    MAX (CPL,RPL) ≤ gate DPL
    target segment DPL = CPL

For a CALL instruction (or for a JMP instruction to a conforming segment),
both of the following privilege rules must be satisfied; otherwise, a
general protection exception results.

    MAX (CPL,RPL) ≤ gate DPL
    target segment DPL ≤ CPL
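The two rule sets above (direct transfer without a gate, and transfer through a call gate) written as one decision function; this is an added example, not code from the manual. The struct and enum names are this example's own, and the CPL after a transfer to a conforming target stays the caller's CPL, as section 6.3.3 states.

```c
#include <stdbool.h>

enum xfer_kind { XFER_JMP, XFER_CALL };

/* Example's own models of a code-segment descriptor and a call gate. */
struct code_seg  { unsigned dpl; bool conforming; };
struct call_gate { unsigned dpl; struct code_seg target; };

static unsigned max_u(unsigned a, unsigned b) { return a > b ? a : b; }

/* Far JMP/CALL whose operand selects a code segment directly (no gate):
 * allowed if target DPL == CPL, or the target is conforming and its
 * DPL <= CPL. A false return means a general protection exception. */
bool direct_transfer_ok(unsigned cpl, const struct code_seg *t)
{
    if (t->dpl == cpl)
        return true;
    return t->conforming && t->dpl <= cpl;
}

/* Far JMP/CALL whose operand selects a call gate. rpl is the RPL of the
 * selector that names the gate; *new_cpl receives the CPL after the
 * transfer when it is allowed. */
bool gate_transfer_ok(enum xfer_kind kind, unsigned cpl, unsigned rpl,
                      const struct call_gate *g, unsigned *new_cpl)
{
    /* Rule shared by both cases: MAX(CPL,RPL) <= gate DPL. */
    if (max_u(cpl, rpl) > g->dpl)
        return false;

    if (kind == XFER_JMP && !g->target.conforming) {
        /* JMP to a nonconforming segment: target DPL must equal CPL. */
        if (g->target.dpl != cpl)
            return false;
        *new_cpl = cpl;
        return true;
    }

    /* CALL, or JMP to a conforming segment: target DPL <= CPL. */
    if (g->target.dpl > cpl)
        return false;
    /* A conforming target runs at the caller's CPL; a nonconforming one
     * runs at its own DPL (an interlevel transfer when the two differ). */
    *new_cpl = g->target.conforming ? cpl : g->target.dpl;
    return true;
}
```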
Figure 6-5. Format of 80386 Call Gate

[Figure not reproduced. Doubleword at offset 4: OFFSET 31..16, P, DPL, 0,
TYPE 1 1 0 0, 0 0 0, DWORD COUNT. Doubleword at offset 0: SELECTOR,
OFFSET 15..0.]
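The call gate layout of Figure 6-5 as an encoder and decoder, added as an example and not code from the manual. The struct name is this example's own; the bit positions (P bit 15, DPL bits 14..13, type bits 11..8, count bits 4..0 of the high doubleword) are this example's reading of the figure, and the decoder rejects anything that is not a 386 call gate.

```c
#include <stdint.h>
#include <stdbool.h>

#define CALL_GATE_TYPE 0xC   /* type field 1100: 80386 (32-bit) call gate */

/* Example's own field struct for a call gate. */
struct call_gate_fields {
    uint16_t selector;   /* code segment holding the entry point */
    uint32_t offset;     /* entry point within that segment */
    unsigned dpl;        /* 0..3: who may use the gate */
    bool     present;
    unsigned count;      /* 0..31 doublewords copied on a privilege change */
};

/* Encode into the two descriptor doublewords: lo is at offset 0, hi at 4. */
void call_gate_encode(const struct call_gate_fields *f, uint32_t *lo, uint32_t *hi)
{
    *lo = ((uint32_t)f->selector << 16) | (f->offset & 0xFFFFu);
    *hi = (f->offset & 0xFFFF0000u)
        | ((uint32_t)(f->present ? 1 : 0) << 15)
        | ((uint32_t)(f->dpl & 3) << 13)
        | ((uint32_t)CALL_GATE_TYPE << 8)          /* bit 12 (S) stays 0 */
        | (f->count & 0x1Fu);                      /* bits 7..5 stay 0 */
}

/* Decode; returns false if the descriptor is not a 386 call gate: S bit
 * set (a code or data segment), another system type, or reserved bits. */
bool call_gate_decode(uint32_t lo, uint32_t hi, struct call_gate_fields *f)
{
    if ((hi >> 12) & 1u)                  return false;  /* S=1: not a gate */
    if (((hi >> 8) & 0xFu) != CALL_GATE_TYPE) return false;
    if ((hi >> 5) & 7u)                   return false;  /* bits 7..5 must be 0 */
    f->selector = (uint16_t)(lo >> 16);
    f->offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    f->present  = (hi >> 15) & 1u;
    f->dpl      = (hi >> 13) & 3u;
    f->count    = hi & 0x1Fu;
    return true;
}
```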
Figure 6-6. Indirect Transfer via Call Gate

[Figure not reproduced. The CALL instruction's far pointer operand carries
an OFFSET (NOT USED) and a SELECTOR (INDEX, RPL); the selector locates the
GATE DESCRIPTOR (OFFSET, DPL, COUNT, SELECTOR) in a descriptor table; the
gate's SELECTOR locates the EXECUTABLE SEGMENT DESCRIPTOR (BASE, DPL,
BASE), and the gate's OFFSET locates the PROCEDURE within that EXECUTABLE
SEGMENT.]
Figure 6-7. Privilege Check via Call Gate

[Figure not reproduced. The CPL held in the INVISIBLE part of the CS
register, the RPL of the TARGET SELECTOR (INDEX, RPL), the DPL of the
GATE DESCRIPTOR (OFFSET, DPL, COUNT, SELECTOR, OFFSET), and the DPL of the
EXECUTABLE SEGMENT DESCRIPTOR (BASE, LIMIT, DPL, BASE, LIMIT) all enter
the PRIVILEGE CHECK BY CPU.]

CPL - CURRENT PRIVILEGE LEVEL
RPL - REQUESTOR'S PRIVILEGE LEVEL
DPL - DESCRIPTOR PRIVILEGE LEVEL
6.3.4.1 Stack Switching

If the destination code segment of the call gate is at a different
privilege level than the CPL, an interlevel transfer is being requested.

To maintain system integrity, each privilege level has a separate stack.
These stacks assure sufficient stack space to process calls from less
privileged levels. Without them, a trusted procedure would not work
correctly if the calling procedure did not provide sufficient space on the

The processor locates these stacks via the task state segment (see Figure
6-8). Each task has a separate TSS, thereby permitting tasks to have
separate stacks. Systems software is responsible for creating TSSs and
placing correct stack pointers in them. The initial stack pointers in the
TSS are strictly read-only values. The processor never changes them during
the course of execution.

When a call gate is used to change privilege levels, a new stack is
selected by loading a pointer value from the Task State Segment (TSS). The
processor uses the DPL of the target code segment (the new CPL) to index the
initial stack pointer for PL 0, PL 1, or PL 2.

The DPL of the new stack data segment must equal the new CPL; if it does
not, a stack exception occurs. It is the responsibility of systems software
to create stacks and stack-segment descriptors for all privilege levels that
are used. Each stack must contain enough space to hold the old SS:ESP, the
return address, and all parameters and local variables that may be required

As with intralevel calls, parameters for the subroutine are placed on the
stack. To make privilege transitions transparent to the called procedure,
the processor copies the parameters to the new stack. The count field of a
call gate tells the processor how many doublewords (up to 31) to copy from
the caller's stack to the new stack. If the count is zero, no parameters are

The processor performs the following stack-related steps in executing an

1. The new stack is checked to assure that it is large enough to hold
   the parameters and linkages; if it is not, a stack fault occurs with

2. The old value of the stack registers SS:ESP is pushed onto the new
   stack as two doublewords.

3. The parameters are copied.

4. A pointer to the instruction after the CALL instruction (the former
   value of CS:EIP) is pushed onto the new stack. The final value of
   SS:ESP points to this return pointer on the new stack.

Figure 6-9 illustrates the stack contents after a successful interlevel

The TSS does not have a stack pointer for a privilege level 3 stack,
because privilege level 3 cannot be called by any procedure at any other

Procedures that may be called from another privilege level and that require
more than the 31 doublewords for parameters must use the saved SS:ESP link
to access all parameters beyond the last doubleword copied.

A call via a call gate does not check the values of the words copied onto
the new stack. The called procedure should check each parameter for
validity. A later section discusses how the ARPL, VERR, VERW, LSL, and LAR
instructions can be used to check pointer values.
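The four stack-related steps above, run over a doubleword stack model with the initial stack pointers taken from a TSS; this is an added example, not the manual's code. It assumes that ESP values are indices into the model's array (so a TSS entry holds an index too) and that the caller passes in the DPL of the new stack segment, which the real processor reads from that segment's descriptor.

```c
#include <stdint.h>
#include <stdbool.h>

/* The part of the 32-bit TSS used here (Figure 6-8): ESP0/SS0 at offsets
 * 4/8, ESP1/SS1 at 0C/10, ESP2/SS2 at 14/18; no entry exists for PL 3. */
struct tss_stack { uint32_t esp; uint32_t ss; };   /* ss: low 16 bits used */
struct tss32 { uint32_t back_link; struct tss_stack init[3]; };

/* A stack is an array of doublewords growing toward lower indices; esp
 * is an index and mem[esp] is the top (STACK_WORDS means empty). */
#define STACK_WORDS 32
struct stack { uint16_t ss; uint32_t esp; uint32_t mem[STACK_WORDS]; };

static void push(struct stack *s, uint32_t v) { s->mem[--s->esp] = v; }

enum call_result { CALL_OK, CALL_STACK_FAULT, CALL_STACK_EXCEPTION };

/* Stack steps of a CALL through a gate whose target DPL is new_cpl (0..2)
 * and whose count field is `count`. new_ss_dpl is the DPL of the stack
 * segment the TSS entry names; cs:eip is the return address to save. */
enum call_result interlevel_call(const struct tss32 *tss, unsigned new_cpl,
                                 unsigned new_ss_dpl, unsigned count,
                                 const struct stack *old, uint16_t cs, uint32_t eip,
                                 struct stack *new_stk)
{
    if (new_cpl > 2)
        return CALL_STACK_FAULT;          /* no TSS stack pointer for PL 3 */
    /* The new stack pointer comes from the TSS, indexed by the new CPL;
     * the stack segment's DPL must equal the new CPL. */
    new_stk->ss  = (uint16_t)tss->init[new_cpl].ss;
    new_stk->esp = tss->init[new_cpl].esp;
    if (new_ss_dpl != new_cpl)
        return CALL_STACK_EXCEPTION;
    /* 1. Room for old SS:ESP (2), the parameters, and CS:EIP (2). */
    if (new_stk->esp < count + 4)
        return CALL_STACK_FAULT;
    /* 2. Old SS:ESP, pushed as two doublewords. */
    push(new_stk, old->ss);
    push(new_stk, old->esp);
    /* 3. Parameters, copied without any check of their values, from the
     *    farthest one down to PARM 1 so that their order is preserved. */
    for (unsigned i = count; i > 0; i--)
        push(new_stk, old->mem[old->esp + i - 1]);
    /* 4. Return pointer; the final ESP points at it. */
    push(new_stk, cs);
    push(new_stk, eip);
    return CALL_OK;
}

/* Where a callee that needs more than the copied doublewords finds the
 * rest: the saved ESP link sits just above CS:EIP and the copied
 * parameters. Returns the index of the saved ESP on the new stack. */
unsigned saved_esp_index(const struct stack *new_stk, unsigned count)
{
    return new_stk->esp + 2 + count;
}
```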
Figure 6-8. Initial Stack Pointers of TSS

[Figure not reproduced. TSS doublewords by byte offset, from 64 downward:
INSTRUCTION POINTER (EIP) at 20; SS2 (upper 16 bits zero) at 18 with ESP2
at 14; SS1 at 10 with ESP1 at 0C; SS0 at 8 with ESP0 at 4; TSS BACK LINK
(upper 16 bits zero) at 0. The SS2:ESP2, SS1:ESP1 and SS0:ESP0 pairs are
the INITIAL STACK POINTERS.]
Figure 6-9. Stack Contents after an Interlevel Call

[Figure not reproduced. The old stack, addressed by OLD SS:ESP, holds
PARM 3, PARM 2, PARM 1. The new stack, located FROM TSS, holds OLD SS,
OLD ESP, PARM 3, PARM 2, PARM 1, OLD CS, OLD EIP, with NEW SS:ESP pointing
at OLD EIP. Both stacks grow toward lower addresses (DIRECTION OF
EXPANSION).]
6.3.4.2 Returning from a Procedure

The "near" forms of the RET instruction transfer control within the current
code segment and therefore are subject only to limit checking. The offset of
the instruction following the corresponding CALL is popped from the stack.
The processor ensures that this offset does not exceed the limit of the
current executable segment.

The "far" form of the RET instruction pops the return pointer that was
pushed onto the stack by a prior far CALL instruction. Under normal
conditions, the return pointer is valid, because of its relation to the
prior CALL or INT. Nevertheless, the processor performs privilege checking
because of the possibility that the current procedure altered the pointer or
failed to properly maintain the stack. The RPL of the CS selector popped
off the stack by the return instruction identifies the privilege level of
the calling procedure.

An intersegment return instruction can change privilege levels, but only
toward procedures of lesser privilege. When the RET instruction encounters a
saved CS value whose RPL is numerically greater than the CPL, an interlevel
return occurs. Such a return follows these steps:

1. The checks shown in Table 6-3 are made, and CS:EIP and SS:ESP are
   loaded with their former values that were saved on the stack.

2. The old SS:ESP (from the top of the current stack) value is adjusted
   by the number of bytes indicated in the RET instruction. The resulting
   ESP value is not compared to the limit of the stack segment. If ESP is
   beyond the limit, that fact is not recognized until the next stack
   operation. (The SS:ESP value of the returning procedure is not
   preserved; normally, this value is the same as that contained in the

3. The contents of the DS, ES, FS, and GS segment registers are checked.
   If any of these registers refer to segments whose DPL is greater than
   the new CPL (excluding conforming code segments), the segment register
   is loaded with the null selector (INDEX = 0, TI = 0). The RET
   instruction itself does not signal exceptions in these cases;
   however, any subsequent memory reference that attempts to use a
   segment register that contains the null selector will cause a general
   protection exception. This prevents less privileged code from
   accessing more privileged segments using selectors left in the
   segment registers by the more privileged procedure.

6.3.5 Some Instructions are Reserved for Operating System

Instructions that have the power to affect the protection mechanism or to
influence general system performance can only be executed by trusted
procedures. The 80386 has two classes of such instructions:

1. Privileged instructions -- those used for system control.

2. Sensitive instructions -- those used for I/O and I/O related
Table 6-3. Interlevel Return Checks

GP  General Protection Exception
NP  Segment-Not-Present Exception
SF  Stack Fault Exception

Type of Check                                            Exception  Error Code
ESP is within current SS segment                         SF         0
ESP + 7 is within current SS segment                     SF         0
RPL of return CS is greater than CPL                     GP         Return CS
Return CS selector is not null                           GP         Return CS
Return CS segment is within descriptor table limit       GP         Return CS
Return CS descriptor is a code segment                   GP         Return CS
Return CS segment is present                             NP         Return CS
DPL of return nonconforming code segment = RPL of
  return CS, or DPL of return conforming code
  segment ≤ RPL of return CS                             GP         Return CS
ESP + N + 15 is within SS segment
  (N = immediate operand of RET N instruction)           SF         Return SS
SS selector at ESP + N + 12 is not null                  GP         Return SS
SS selector at ESP + N + 12 is within descriptor
  table limit                                            GP         Return SS
SS descriptor is writable data segment                   GP         Return SS
SS segment is present                                    SF         Return SS
Saved SS segment DPL = RPL of saved CS                   GP         Return SS
Saved SS selector RPL = Saved SS segment DPL             GP         Return SS
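Table 6-3's checks applied, in table order, to a modelled RET N frame, followed by the DS/ES/FS/GS scrubbing of step 3; this is an added example, not the manual's code. The descriptor model, the RET_* names and the doubleword-indexed stack are this example's assumptions, and the scrub is written in terms of privilege: it nulls selectors whose segments are more privileged than the new CPL (numerically smaller DPL), which is what the stated purpose of step 3 requires.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Minimal descriptor model for the checks of Table 6-3 (example's own). */
struct desc { bool present, code, data, writable, conforming; unsigned dpl; };
struct dtable { const struct desc *d; unsigned n; };

enum ret_result { RET_OK, RET_SF_0, RET_GP_CS, RET_NP_CS, RET_SF_SS, RET_GP_SS };

static const struct desc *lookup(const struct dtable *t, uint16_t sel)
{
    unsigned idx = sel >> 3;
    return idx < t->n ? &t->d[idx] : NULL;          /* NULL: outside table limit */
}

/* Interlevel RET N. The frame is modelled in doublewords: mem[esp]=EIP,
 * mem[esp+1]=CS, N/4 doublewords of arguments, then the saved ESP and SS.
 * ss_limit_words is the current stack segment's limit in doublewords.
 * The first failing check names the exception and its error code. */
enum ret_result interlevel_ret(const struct dtable *t, unsigned cpl,
                               const uint32_t *mem, unsigned esp,
                               unsigned ss_limit_words, unsigned n_bytes,
                               unsigned *new_cpl)
{
    unsigned nw = n_bytes / 4;
    if (esp + 1 >= ss_limit_words) return RET_SF_0;   /* ESP and ESP+7 inside SS */
    uint16_t cs = (uint16_t)mem[esp + 1];
    unsigned rpl = cs & 3;
    /* RPL == CPL would be a same-level return, which this model does not
     * cover; RPL < CPL (a return toward more privilege) is never allowed. */
    if (rpl <= cpl) return RET_GP_CS;
    if ((cs & ~3u) == 0) return RET_GP_CS;            /* return CS not null */
    const struct desc *cd = lookup(t, cs);
    if (!cd || !cd->code) return RET_GP_CS;           /* in table, is code */
    if (!cd->present) return RET_NP_CS;
    if (cd->conforming ? cd->dpl > rpl : cd->dpl != rpl) return RET_GP_CS;
    if (esp + nw + 3 >= ss_limit_words) return RET_SF_SS;  /* ESP+N+15 inside SS */
    uint16_t ss = (uint16_t)mem[esp + 3 + nw];        /* SS at ESP+N+12 */
    if ((ss & ~3u) == 0) return RET_GP_SS;
    const struct desc *sd = lookup(t, ss);
    if (!sd || !sd->data || !sd->writable) return RET_GP_SS;
    if (!sd->present) return RET_SF_SS;
    if (sd->dpl != rpl) return RET_GP_SS;             /* saved SS DPL = RPL of CS */
    if ((ss & 3) != sd->dpl) return RET_GP_SS;        /* saved SS RPL = its DPL */
    /* The saved ESP (mem[esp+2+nw]) plus N becomes the new ESP with no
     * limit check, as step 2 in the text says. */
    *new_cpl = rpl;
    return RET_OK;
}

/* Step 3: after the privilege drop, null any of DS, ES, FS, GS that still
 * names a segment more privileged than the new CPL (DPL numerically
 * smaller), conforming code segments excepted. Returns how many were nulled. */
unsigned scrub_segment_regs(const struct dtable *t, unsigned new_cpl, uint16_t regs[4])
{
    unsigned nulled = 0;
    for (int i = 0; i < 4; i++) {
        if ((regs[i] & ~3u) == 0) continue;           /* already null */
        const struct desc *d = lookup(t, regs[i]);
        if (d && d->dpl < new_cpl && !(d->code && d->conforming)) {
            regs[i] = 0;                                /* INDEX = 0, TI = 0 */
            nulled++;
        }
    }
    return nulled;
}
```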
6.3.5.1 Privileged Instructions

The instructions that affect system data structures can only be executed
when CPL is zero. If the CPU encounters one of these instructions when CPL
is greater than zero, it signals a general protection exception. These
instructions include:

CLTS            -- Clear Task-Switched Flag
HLT             -- Halt Processor
LGDT            -- Load GDT Register
LIDT            -- Load IDT Register
LLDT            -- Load LDT Register
LMSW            -- Load Machine Status Word
LTR             -- Load Task Register
MOV to/from CRn -- Move to Control Register n
MOV to/from DRn -- Move to Debug Register n
MOV to/from TRn -- Move to Test Register n

6.3.5.2 Sensitive Instructions

Instructions that deal with I/O need to be restricted but also need to be
executed by procedures executing at privilege levels other than zero. The
mechanisms for restriction of I/O operations are covered in detail in
Chapter 8, "Input/Output".

6.3.6 Instructions for Pointer Validation

Pointer validation is an important part of locating programming errors.
Pointer validation is necessary for maintaining isolation between the
privilege levels. Pointer validation consists of the following steps:

1. Check if the supplier of the pointer is entitled to access the

2. Check if the segment type is appropriate to its intended use.

3. Check if the pointer violates the segment limit.

Although the 80386 processor automatically performs checks 2 and 3 during
instruction execution, software must assist in performing the first check.
The unprivileged instruction ARPL is provided for this purpose. Software can
also explicitly perform steps 2 and 3 to check for potential violations
(rather than waiting for an exception). The unprivileged instructions LAR,
LSL, VERR, and VERW are provided for this purpose.

LAR (Load Access Rights) is used to verify that a pointer refers to a
segment of the proper privilege level and type. LAR has one operand, a
selector for a descriptor whose access rights are to be examined. The
descriptor must be visible at the privilege level which is the maximum of
the CPL and the selector's RPL. If the descriptor is visible, LAR obtains a
masked form of the second doubleword of the descriptor, masks this value
with 00FxFF00H, stores the result into the specified 32-bit destination
register, and sets the zero flag. (The x indicates that the corresponding
four bits of the stored value are undefined.) Once loaded, the access-rights
bits can be tested. All valid descriptor types can be tested by the LAR
instruction. If the RPL or CPL is greater than DPL, or if the selector is
outside the table limit, no access-rights value is returned, and the zero
flag is cleared. Conforming code segments may be accessed from any privilege

LSL (Load Segment Limit) allows software to test the limit of a descriptor.
If the descriptor denoted by the given selector (in memory or a register) is
visible at the CPL, LSL loads the specified 32-bit register with a 32-bit,
byte granular, unscrambled limit that is calculated from fragmented limit
fields and the G-bit of that descriptor. This can only be done for segments
(data, code, task state, and local descriptor tables); gate descriptors are
inaccessible. (Table 6-4 lists in detail which types are valid and which
are not.) Interpreting the limit is a function of the segment type. For
example, downward expandable data segments treat the limit differently than
code segments do. For both LAR and LSL, the zero flag (ZF) is set if the
loading was performed; otherwise, the ZF is cleared.
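LAR and LSL as described above, emulated over raw 8-byte descriptors; this is an added example, not the manual's code. The sample descriptor table is constructed for the example; the visibility rule (DPL ≥ MAX(CPL, RPL), conforming code excepted) is shared by both emulations; the system types LSL accepts here (TSS and LDT types 1, 2, 3, 9, B; no gates) are the 80386 rule of which Table 6-4 shows a subset; and the undefined "x" nibble of the LAR result is simply cleared.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Raw 8-byte descriptors: low doubleword in bits 31..0, high in 63..32. */
struct dtab { const uint64_t *d; unsigned n; };

/* Constructed sample table (not from the manual): null, a flat ring-0
 * code segment (G=1), a 4 KB ring-3 data segment (G=0), a ring-3 call gate. */
static const uint64_t DEMO_DESC[] = {
    0,
    (0x00CF9A00ull << 32) | 0x0000FFFFull,
    (0x0000F200ull << 32) | 0x00000FFFull,
    (0x0000EC00ull << 32) | 0x00081234ull,
};
const struct dtab DEMO_GDT = { DEMO_DESC, 4 };

static unsigned max_u(unsigned a, unsigned b) { return a > b ? a : b; }

/* Visibility rule shared by LAR and LSL: selector not null and inside the
 * table limit, and DPL >= MAX(CPL, RPL) unless the descriptor is a
 * conforming code segment. Returns NULL when not visible (ZF=0). */
static const uint64_t *visible(const struct dtab *t, uint16_t sel, unsigned cpl)
{
    unsigned idx = sel >> 3, rpl = sel & 3;
    if ((sel & ~3u) == 0 || idx >= t->n) return NULL;
    const uint64_t *d = &t->d[idx];
    uint32_t hi = (uint32_t)(*d >> 32);
    unsigned dpl = (hi >> 13) & 3;
    bool s = (hi >> 12) & 1, code = (hi >> 11) & 1, conf = (hi >> 10) & 1;
    if (s && code && conf) return d;
    return dpl >= max_u(cpl, rpl) ? d : NULL;
}

/* LAR: on success stores the second doubleword masked with 00FxFF00H
 * (the x nibble, limit 19..16, is undefined on the CPU; cleared here)
 * and returns true (ZF=1); false means ZF=0 and nothing is stored. */
bool lar_emul(const struct dtab *t, uint16_t sel, unsigned cpl, uint32_t *out)
{
    const uint64_t *d = visible(t, sel, cpl);
    if (!d) return false;
    *out = (uint32_t)(*d >> 32) & 0x00F0FF00u;
    return true;
}

static bool lsl_type_ok(uint32_t hi)
{
    if ((hi >> 12) & 1) return true;              /* code or data segment */
    switch ((hi >> 8) & 0xF) {                    /* system descriptor types */
    case 0x1: case 0x2: case 0x3: case 0x9: case 0xB: return true;  /* TSS, LDT */
    default: return false;                        /* gates and reserved types */
    }
}

/* LSL: unscrambles limit 19..16 (hi bits 19..16) and limit 15..0 (lo bits
 * 15..0), then applies the G bit (hi bit 23): a page-granular limit is
 * shifted left by 12 with the low 12 bits set, giving a byte-granular value. */
bool lsl_emul(const struct dtab *t, uint16_t sel, unsigned cpl, uint32_t *limit)
{
    const uint64_t *d = visible(t, sel, cpl);
    if (!d) return false;
    uint32_t lo = (uint32_t)*d, hi = (uint32_t)(*d >> 32);
    if (!lsl_type_ok(hi)) return false;
    uint32_t raw = (hi & 0x000F0000u) | (lo & 0xFFFFu);
    *limit = (hi & (1u << 23)) ? (raw << 12) | 0xFFFu : raw;
    return true;
}
```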
Table 6-4. Valid Descriptor Types for LSL

Type   Descriptor Type        Valid?
1      Available 286 TSS      YES
7      286 Interrupt Gate     NO
9      Available 386 TSS      YES
F      386 Interrupt Gate     NO
6.3.6.1 Descriptor Validation

The 80386 has two instructions, VERR and VERW, which determine whether a
selector points to a segment that can be read or written at the current
privilege level. Neither instruction causes a protection fault if the result

VERR (Verify for Reading) verifies a segment for reading and loads ZF with
1 if that segment is readable from the current privilege level. VERR checks

• The selector points to a descriptor within the bounds of the GDT or

• It denotes a code or data segment descriptor.

• The segment is readable and of appropriate privilege level.

The privilege check for data segments and nonconforming code segments is
that the DPL must be numerically greater than or equal to both the CPL and
the selector's RPL. Conforming segments are not checked for privilege level.

VERW (Verify for Writing) provides the same capability as VERR for
verifying writability. Like the VERR instruction, VERW loads ZF if the
result of the writability check is positive. The instruction checks that the
descriptor is within bounds, is a segment descriptor, is writable, and that
its DPL is numerically greater than or equal to both the CPL and the
selector's RPL. Code segments are never writable, conforming or not.

6.3.6.2 Pointer Integrity and RPL

The Requestor's Privilege Level (RPL) feature can prevent inappropriate use
of pointers that could corrupt the operation of more privileged code or data
from a less privileged level.

A common example is a file system procedure, FREAD (file_id, n_bytes,
buffer_ptr). This hypothetical procedure reads data from a file into a
buffer, overwriting whatever is there. Normally, FREAD would be available at
the user level, supplying only pointers to the file system procedures and
data located and operating at a privileged level. Normally, such a procedure
prevents user-level procedures from directly changing the file tables.
However, in the absence of a standard protocol for checking pointer
validity, a user-level procedure could supply a pointer into the file tables
in place of its buffer pointer, causing the FREAD procedure to corrupt them

Use of RPL can avoid such problems. The RPL field allows a privilege
attribute to be assigned to a selector. This privilege attribute would
normally indicate the privilege level of the code which generated the
selector. The 80386 processor automatically checks the RPL of any selector
loaded into a segment register to determine whether the RPL allows access.

To take advantage of the processor's checking of RPL, the called procedure
need only ensure that all selectors passed to it have an RPL at least as
high (numerically) as the original caller's CPL. This action guarantees that
selectors are not more trusted than their supplier. If one of the selectors
is used to access a segment that the caller would not be able to access
directly, i.e., the RPL is numerically greater than the DPL, then a
protection fault will result when that selector is loaded into a segment

ARPL (Adjust Requestor's Privilege Level) adjusts the RPL field of a
selector to become the larger of its original value and the value of the RPL
field in a specified register. The latter is normally loaded from the image
of the caller's CS register which is on the stack. If the adjustment changes
the selector's RPL, ZF (the zero flag) is set; otherwise, ZF is cleared.
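The FREAD scenario above in code: a hypothetical ring-0 service either trusts a caller-supplied buffer selector as-is, or first applies ARPL against the caller's saved CS image, after which the processor's own RPL check (the VERW condition of section 6.3.6.1) rejects a selector for the file tables. This is an added example, not the manual's code; the segment model, the table contents and the function names are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Example's own data-segment model and table. */
struct seg    { unsigned dpl; bool writable; };
struct segtab { const struct seg *s; unsigned n; };

static unsigned max_u(unsigned a, unsigned b) { return a > b ? a : b; }

/* ARPL dest, src: raise dest's RPL to MAX(dest RPL, src RPL).
 * Returns true (ZF=1) when the RPL changed, false (ZF=0) otherwise. */
bool arpl(uint16_t *dest, uint16_t src)
{
    unsigned old = *dest & 3, want = max_u(old, src & 3);
    if (want == old) return false;
    *dest = (uint16_t)((*dest & ~3u) | want);
    return true;
}

/* What the processor checks when a selector is loaded into a data segment
 * register for writing: not null, inside the table, writable, and
 * DPL >= MAX(CPL, RPL). False means a protection fault on the load. */
bool can_write_segment(const struct segtab *t, uint16_t sel, unsigned cpl)
{
    unsigned idx = sel >> 3;
    if ((sel & ~3u) == 0 || idx >= t->n) return false;
    const struct seg *s = &t->s[idx];
    return s->writable && s->dpl >= max_u(cpl, sel & 3);
}

/* Entry check of a hypothetical FREAD running at CPL 0. buf_sel is the
 * buffer selector the caller passed; caller_cs is the caller's CS image
 * from the stack. With adjust=true the selector is ARPLed first, so it is
 * never more trusted than its supplier; with adjust=false it is trusted. */
bool fread_accepts_buffer(const struct segtab *t, uint16_t buf_sel,
                          uint16_t caller_cs, bool adjust)
{
    const unsigned service_cpl = 0;
    if (adjust)
        arpl(&buf_sel, caller_cs);
    return can_write_segment(t, buf_sel, service_cpl);
}
```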
6.4 Page-Level Protection

Two kinds of protection are related to pages:

1. Restriction of addressable domain.

6.4.1 Page-Table Entries Hold Protection Parameters

Figure 6-10 highlights the fields of PDEs and PTEs that control access to
Figure 6-10. Protection Fields of Page Table Entries

[Figure not reproduced. From the high bit down, an entry holds PAGE FRAME
ADDRESS 31..12, AVAIL, 0, 0, D, A, 0, 0, U/S, R/W, P.]

U/S - USER/SUPERVISOR
6.4.1.1 Restricting Addressable Domain

The concept of privilege for pages is implemented by assigning each page to

1. Supervisor level (U/S=0) -- for the operating system and other systems
   software and related data.

2. User level (U/S=1) -- for applications procedures and data.

The current level (U or S) is related to CPL. If CPL is 0, 1, or 2, the
processor is executing at supervisor level. If CPL is 3, the processor is
executing at user level.

When the processor is executing at supervisor level, all pages are
addressable, but, when the processor is executing at user level, only pages
that belong to the user level are addressable.

6.4.1.2 Type Checking

At the level of page addressing, two types are defined:

1. Read-only access (R/W=0)
2. Read/write access (R/W=1)

When the processor is executing at supervisor level, all pages are both
readable and writable. When the processor is executing at user level, only
pages that belong to user level and are marked for read/write access are
writable; pages that belong to supervisor level are neither readable nor
writable from user level.

6.4.2 Combining Protection of Both Levels of Page Tables

For any one page, the protection attributes of its page directory entry may
differ from those of its page table entry. The 80386 computes the effective
protection attributes for a page by examining the protection attributes in
both the directory and the page table. Table 6-5 shows the effective
protection provided by the possible combinations of protection attributes.
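The user/supervisor and read/write rules of the three subsections above as a single access check; this is an added example, not the manual's code. The bit positions follow Figure 6-10 (P bit 0, R/W bit 1, U/S bit 2), and the combination of directory and table attributes is written as the more restrictive of the two (user only if both are user, writable only if both are writable), which is the rule behind Table 6-5 and is this example's assumption.

```c
#include <stdint.h>
#include <stdbool.h>

#define PG_P   (1u << 0)   /* present */
#define PG_RW  (1u << 1)   /* 1 = read/write, 0 = read-only */
#define PG_US  (1u << 2)   /* 1 = user, 0 = supervisor */

/* Effective U/S and R/W of a page from its PDE and PTE: the more
 * restrictive attribute wins at each bit. */
uint32_t combine_page_protection(uint32_t pde, uint32_t pte)
{
    uint32_t us = pde & pte & PG_US;   /* user only if both entries say user */
    uint32_t rw = pde & pte & PG_RW;   /* writable only if both allow writes */
    return us | rw;
}

/* True if the access is allowed at this CPL. CPL 0..2 is supervisor level
 * and may read and write every present page; CPL 3 is user level and may
 * touch only user pages, writing them only when the effective R/W is 1. */
bool page_access_ok(uint32_t pde, uint32_t pte, unsigned cpl, bool write)
{
    if (!(pde & PG_P) || !(pte & PG_P))
        return false;                             /* page fault: not present */
    if (cpl <= 2)
        return true;                              /* supervisor level */
    uint32_t eff = combine_page_protection(pde, pte);
    if (!(eff & PG_US))
        return false;                             /* supervisor page from user level */
    return !write || (eff & PG_RW);
}
```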
6.4.3 Overrides to Page Protection

Certain accesses are checked as if they are privilege-level 0 references,

• LDT, GDT, TSS, IDT references.
• Access to inner stack during ring-crossing CALL/INT.

6.5 Combining Page and Segment Protection

When paging is enabled, the 80386 first evaluates segment protection, then
evaluates page protection. If the processor detects a protection violation
at either the segment or the page level, the requested operation cannot
proceed; a protection exception occurs instead.

For example, it is possible to define a large data segment which has some
subunits that are read-only and other subunits that are read-write. In this
case, the page directory (or page table) entries for the read-only subunits
would have the U/S and R/W bits set to x0, indicating no write rights for
all the pages described by that directory entry (or for individual pages).
This technique might be used, for example, in a UNIX-like system to define
a large data segment, part of which is read only (for shared data or ROMmed
constants). This enables UNIX-like systems to define a "flat" data space as
one large segment, use "flat" pointers to address within this "flat" space,
yet be able to protect shared data, shared files mapped into the virtual
space, and supervisor areas.

Table 6-5. Combining Directory and Page Protection

Page Directory Entry    Page Table Entry    Combined Protection
U/S        R/W          U/S       R/W       U/S       R/W
--------------------------------------------------------------------------
x indicates that when the combined U/S attribute is S, the R/W attribute
--------------------------------------------------------------------------
Chapter 7 Multitasking

--------------------------------------------------------------------------

To provide efficient, protected multitasking, the 80386 employs several
special data structures. It does not, however, use special instructions to
control multitasking; instead, it interprets ordinary control-transfer
instructions differently when they refer to the special data structures. The
registers and data structures that support multitasking are:

• Task state segment
• Task state segment descriptor

• Task gate descriptor

With these structures the 80386 can rapidly switch execution from one task
to another, saving the context of the original task so that the task can be
restarted later. In addition to the simple task switch, the 80386 offers two
other task-management features:

1. Interrupts and exceptions can cause task switches (if needed in the
   system design). The processor not only switches automatically to the
   task that handles the interrupt or exception, but it automatically
   switches back to the interrupted task when the interrupt or exception
   has been serviced. Interrupt tasks may interrupt lower-priority
   interrupt tasks to any depth.

2. With each switch to another task, the 80386 can also switch to
   another LDT and to another page directory. Thus each task can have a
   different logical-to-linear mapping and a different linear-to-physical
   mapping. This is yet another protection feature, because tasks can be
   isolated and prevented from interfering with one another.

7.1 Task State Segment

All the information the processor needs in order to manage a task is stored
in a special type of segment, a task state segment (TSS). Figure 7-1 shows
the format of a TSS for executing 80386 tasks. (Another format is used for
executing 80286 tasks; refer to Chapter 13.)

The fields of a TSS belong to two classes:

1. A dynamic set that the processor updates with each switch from the
   task. This set includes the fields that store:

   • The general registers (EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI).

   • The segment registers (ES, CS, SS, DS, FS, GS).

   • The flags register (EFLAGS).

   • The instruction pointer (EIP).

   • The selector of the TSS of the previously executing task (updated
     only when a return is expected).

2. A static set that the processor reads but does not change. This set
   includes the fields that store:

   • The selector of the task's LDT.

   • The register (PDBR) that contains the base address of the task's
     page directory (read only when paging is enabled).

   • Pointers to the stacks for privilege levels 0-2.

   • The T-bit (debug trap bit) which causes the processor to raise a
     debug exception when a task switch occurs. (Refer to Chapter 12
     for more information on debugging.)

   • The I/O map base (refer to Chapter 8 for more information on the
     use of the I/O map).

Task state segments may reside anywhere in the linear space. The only case
that requires caution is when the TSS spans a page boundary and the
higher-addressed page is not present. In this case, the processor raises an
exception if it encounters the not-present page while reading the TSS during
a task switch. Such an exception can be avoided by either of two strategies:

1. By allocating the TSS so that it does not cross a page boundary.

2. By ensuring that both pages are either both present or both
   not-present at the time of a task switch. If both pages are
   not-present, then the page-fault handler must make both pages present
   before restarting the instruction that caused the task switch.
Figure 7-1. 80386 32-Bit Task State Segment

[Figure: layout of the 32-bit TSS. Field offsets legible in the figure
(hex): 0 BACK LINK TO PREVIOUS TSS; 8 SS0; 10 SS1; 18 SS2; 20 INSTRUCTION
POINTER (EIP); 48 ES; 4C CS; 50 SS; 54 DS; 58 FS; 5C GS; 60 LDT; 64 T-bit
(bit 0) and I/O MAP BASE (upper word). The upper 16 bits of each selector
doubleword are marked 0. 0 MEANS INTEL RESERVED. DO NOT DEFINE.]
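The field offsets recovered from Figure 7-1 and the page-boundary caution above can be checked in code. The following C is an added example, not Intel's text or code: it declares the 32-bit TSS as a C struct, verifies with offsetof the offsets that are legible in the figure (the other field offsets follow the 80386 architecture definition), and implements the two strategies the text gives for a TSS that straddles a page boundary. The 4K page size and the lo_present/hi_present arguments are modelling assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit TSS as drawn in Figure 7-1 (byte offsets in hex). The offsets
 * legible in the figure (00, 08, 10, 18, 20, 48..64) are checked below;
 * the remaining fields follow the 80386 architecture definition. */
struct tss32 {
    uint16_t back_link, rsvd0;          /* 00: BACK LINK TO PREVIOUS TSS  */
    uint32_t esp0; uint16_t ss0, rsvd1; /* 04, 08: privilege-0 stack      */
    uint32_t esp1; uint16_t ss1, rsvd2; /* 0C, 10: privilege-1 stack      */
    uint32_t esp2; uint16_t ss2, rsvd3; /* 14, 18: privilege-2 stack      */
    uint32_t cr3;                       /* 1C: PDBR (page directory base) */
    uint32_t eip;                       /* 20: INSTRUCTION POINTER (EIP)  */
    uint32_t eflags;                    /* 24: EFLAGS                     */
    uint32_t eax, ecx, edx, ebx;        /* 28..34: general registers      */
    uint32_t esp, ebp, esi, edi;        /* 38..44                         */
    uint16_t es, rsvd4, cs, rsvd5;      /* 48, 4C                         */
    uint16_t ss, rsvd6, ds, rsvd7;      /* 50, 54                         */
    uint16_t fs, rsvd8, gs, rsvd9;      /* 58, 5C                         */
    uint16_t ldt, rsvd10;               /* 60: LDT selector               */
    uint16_t t_bit;                     /* 64: bit 0 is the T (debug trap) bit */
    uint16_t iomap_base;                /* 66: I/O MAP BASE               */
};

/* The text requires a TSS descriptor LIMIT of at least 103 (0x67),
 * which is exactly sizeof(struct tss32) - 1. */
#define TSS32_MIN_LIMIT 103u
#define PAGE_SHIFT 12   /* 4K pages: modelling assumption of this example */

/* 1 if the struct reproduces the offsets that are legible in Figure 7-1. */
int tss32_layout_matches_figure(void)
{
    return sizeof(struct tss32) == TSS32_MIN_LIMIT + 1 &&
           offsetof(struct tss32, back_link) == 0x00 &&
           offsetof(struct tss32, ss0) == 0x08 &&
           offsetof(struct tss32, ss1) == 0x10 &&
           offsetof(struct tss32, ss2) == 0x18 &&
           offsetof(struct tss32, eip) == 0x20 &&
           offsetof(struct tss32, es)  == 0x48 &&
           offsetof(struct tss32, cs)  == 0x4C &&
           offsetof(struct tss32, ss)  == 0x50 &&
           offsetof(struct tss32, ds)  == 0x54 &&
           offsetof(struct tss32, fs)  == 0x58 &&
           offsetof(struct tss32, gs)  == 0x5C &&
           offsetof(struct tss32, ldt) == 0x60 &&
           offsetof(struct tss32, t_bit) == 0x64;
}

/* 1 if the bytes [base, base+limit] of a TSS touch two different pages. */
int tss_crosses_page(uint32_t base, uint32_t limit)
{
    return (base >> PAGE_SHIFT) != ((base + limit) >> PAGE_SHIFT);
}

/* Applies the two strategies from the text. lo_present/hi_present model
 * the present bits of the page(s) the TSS occupies. Returns 1 when a task
 * switch cannot fault part-way through reading the TSS: the TSS sits in
 * one page (strategy 1) or both pages share one presence state (strategy 2). */
int tss_switch_page_safe(uint32_t base, uint32_t limit,
                         int lo_present, int hi_present)
{
    if (limit < TSS32_MIN_LIMIT)
        return 0;                     /* too small to be a valid 32-bit TSS */
    if (!tss_crosses_page(base, limit))
        return 1;
    return (lo_present != 0) == (hi_present != 0);
}

int main(void)
{
    /* 0x00010FC0 is a constructed sample base that ends 0x27 bytes into the next page */
    printf("layout matches figure: %d\n", tss32_layout_matches_figure());
    printf("TSS at 0x00010FC0 crosses a page: %d\n",
           tss_crosses_page(0x00010FC0u, TSS32_MIN_LIMIT));
    printf("same TSS, upper page not present, switch safe: %d\n",
           tss_switch_page_safe(0x00010FC0u, TSS32_MIN_LIMIT, 1, 0));
    return 0;
}
```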
The task state segment, like all other segments, is defined by a
descriptor. Figure 7-2 shows the format of a TSS descriptor.

The B-bit in the type field indicates whether the task is busy. A type code
of 9 indicates a non-busy task; a type code of 11 indicates a busy task.
Tasks are not reentrant. The B-bit allows the processor to detect an attempt
to switch to a task that is already busy.

The BASE, LIMIT, and DPL fields and the G-bit and P-bit have functions
similar to their counterparts in data-segment descriptors. The LIMIT field,
however, must have a value equal to or greater than 103. An attempt to
switch to a task whose TSS descriptor has a limit less than 103 causes an
exception. A larger limit is permissible, and a larger limit is required if
an I/O permission map is present. A larger limit may also be convenient for
systems software if additional data is stored in the same segment as the

A procedure that has access to a TSS descriptor can cause a task switch. In
most systems the DPL fields of TSS descriptors should be set to zero, so
that only trusted software has the right to perform task switching.

Having access to a TSS descriptor does not give a procedure the right to
read or modify a TSS. Reading and modification can be accomplished only with
another descriptor that redefines the TSS as a data segment. An attempt to
load a TSS descriptor into any of the segment registers (CS, SS, DS, ES, FS,
GS) causes an exception.

TSS descriptors may reside only in the GDT. An attempt to identify a TSS
with a selector that has TI=1 (indicating the current LDT) results in an
Figure 7-2. TSS Descriptor for 32-bit TSS

[Figure: two doublewords. Doubleword at offset 4, from bit 31 down: BASE
31..24; G; 0; 0; AVL; LIMIT 19..16; P; DPL; TYPE = 0 1 0 B 1; BASE 23..16.
Doubleword at offset 0: BASE 15..0 (bits 31..16); LIMIT 15..0 (bits 15..0).]
The task register (TR) identifies the currently executing task by pointing
to the TSS. Figure 7-3 shows the path by which the processor accesses the

The task register has both a "visible" portion (i.e., can be read and
changed by instructions) and an "invisible" portion (maintained by the
processor to correspond to the visible portion; cannot be read by any
instruction). The selector in the visible portion selects a TSS descriptor
in the GDT. The processor uses the invisible portion to cache the base and
limit values from the TSS descriptor. Holding the base and limit in a
register makes execution of the task more efficient, because the processor
does not need to repeatedly fetch these values from memory when it
references the TSS of the current task.

The instructions LTR and STR are used to modify and read the visible
portion of the task register. Both instructions take one operand, a 16-bit
selector located in memory or in a general register.

LTR (Load task register) loads the visible portion of the task register
with the selector operand, which must select a TSS descriptor in the GDT.
LTR also loads the invisible portion with information from the TSS
descriptor selected by the operand. LTR is a privileged instruction; it may
be executed only when CPL is zero. LTR is generally used during system
initialization to give an initial value to the task register; thereafter,
the contents of TR are changed by task switch operations.

STR (Store task register) stores the visible portion of the task register
in a general register or memory word. STR is not privileged.
Figure 7-3. Task Register

[Figure: TR consists of a 16-BIT VISIBLE REGISTER holding a SELECTOR and a
HIDDEN REGISTER holding the cached BASE and LIMIT. The selector indexes a
TSS DESCRIPTOR in the GLOBAL DESCRIPTOR TABLE; the cached base and limit
locate the task state segment.]
7.4 Task Gate Descriptor

A task gate descriptor provides an indirect, protected reference to a TSS.
Figure 7-4 illustrates the format of a task gate.

The SELECTOR field of a task gate must refer to a TSS descriptor. The value
of the RPL in this selector is not used by the processor.

The DPL field of a task gate controls the right to use the descriptor to
cause a task switch. A procedure may not select a task gate descriptor
unless the maximum of the selector's RPL and the CPL of the procedure is
numerically less than or equal to the DPL of the descriptor. This constraint
prevents untrusted procedures from causing a task switch. (Note that when a
task gate is used, the DPL of the target TSS descriptor is not used for
privilege checking.)

A procedure that has access to a task gate has the power to cause a task
switch, just as a procedure that has access to a TSS descriptor. The 80386
has task gates in addition to TSS descriptors to satisfy three needs:

1. The need for a task to have a single busy bit. Because the busy-bit
   is stored in the TSS descriptor, each task should have only one such
   descriptor. There may, however, be several task gates that select the
   single TSS descriptor.

2. The need to provide selective access to tasks. Task gates fulfill
   this need, because they can reside in LDTs and can have a DPL that is
   different from the TSS descriptor's DPL. A procedure that does not
   have sufficient privilege to use the TSS descriptor in the GDT (which
   usually has a DPL of 0) can still switch to another task if it has
   access to a task gate for that task in its LDT. With task gates,
   systems software can limit the right to cause task switches to

3. The need for an interrupt or exception to cause a task switch. Task
   gates may also reside in the IDT, making it possible for interrupts
   and exceptions to cause task switching. When an interrupt or exception
   vectors to an IDT entry that contains a task gate, the 80386 switches
   to the indicated task. Thus, all tasks in the system can benefit from
   the protection afforded by isolation from interrupt tasks.

Figure 7-5 illustrates how both a task gate in an LDT and a task gate in
the IDT can identify the same task.
Figure 7-4. Task Gate Descriptor

[Figure: two doublewords. Doubleword at offset 4: bits 31..16 NOT USED; P;
DPL; TYPE = 0 0 1 0 1; bits 7..0 NOT USED. Doubleword at offset 0: SELECTOR
in bits 31..16; bits 15..0 NOT USED.]

Figure 7-5. Task Gate Indirectly Identifies Task

[Figure: a TASK GATE in the LOCAL DESCRIPTOR TABLE and a TASK GATE in the
INTERRUPT DESCRIPTOR TABLE both select the same TASK DESCRIPTOR in the
GLOBAL DESCRIPTOR TABLE, which identifies the task.]
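Figures 7-2 and 7-4 and the privilege rule of section 7.4 can be made concrete with a small encoder and decoder. The following C is an added example, not from the manual: it packs and unpacks a 32-bit TSS descriptor and a task gate using the bit positions shown in the two figures, distinguishes type codes 9 and 11 (B-bit clear or set), enforces the minimum LIMIT of 103, and applies the max(CPL, RPL) <= DPL check that a JMP or CALL through the descriptor must pass. The base, limit and selector values used in main are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions in the high doubleword (offset 4) of a system descriptor,
 * as drawn in Figures 7-2 and 7-4. TYPE here means the five bits 12..8
 * (bit 12 is 0 for every system descriptor). */
#define DESC_TYPE_SHIFT  8
#define DESC_DPL_SHIFT   13
#define DESC_P_BIT       (1u << 15)
#define DESC_G_BIT       (1u << 23)

#define TYPE_TSS32_AVAIL 0x9u  /* 0 1 0 B 1 with B = 0 : type code 9  */
#define TYPE_TSS32_BUSY  0xBu  /* 0 1 0 B 1 with B = 1 : type code 11 */
#define TYPE_TASK_GATE   0x5u  /* 0 0 1 0 1 from Figure 7-4           */
#define TSS32_MIN_LIMIT  103u

/* Pack a 32-bit TSS descriptor (Figure 7-2), byte granularity (G = 0), P = 1. */
uint64_t make_tss_desc(uint32_t base, uint32_t limit, unsigned dpl, int busy)
{
    uint32_t lo = (limit & 0xFFFFu) | ((base & 0xFFFFu) << 16);
    uint32_t hi = ((base >> 16) & 0xFFu)                               /* BASE 23..16 */
                | ((busy ? TYPE_TSS32_BUSY : TYPE_TSS32_AVAIL) << DESC_TYPE_SHIFT)
                | ((dpl & 3u) << DESC_DPL_SHIFT)
                | DESC_P_BIT
                | (((limit >> 16) & 0xFu) << 16)                       /* LIMIT 19..16 */
                | (base & 0xFF000000u);                                /* BASE 31..24 */
    return ((uint64_t)hi << 32) | lo;
}

/* Pack a task gate (Figure 7-4): only SELECTOR, P, DPL and TYPE carry meaning. */
uint64_t make_task_gate(uint16_t tss_selector, unsigned dpl)
{
    uint32_t lo = (uint32_t)tss_selector << 16;
    uint32_t hi = (TYPE_TASK_GATE << DESC_TYPE_SHIFT)
                | ((dpl & 3u) << DESC_DPL_SHIFT)
                | DESC_P_BIT;
    return ((uint64_t)hi << 32) | lo;
}

unsigned desc_type(uint64_t d)    { return (unsigned)((d >> 32) >> DESC_TYPE_SHIFT) & 0x1Fu; }
unsigned desc_dpl(uint64_t d)     { return (unsigned)((d >> 32) >> DESC_DPL_SHIFT) & 3u; }
int      desc_present(uint64_t d) { return (((uint32_t)(d >> 32)) & DESC_P_BIT) != 0; }

uint32_t desc_base(uint64_t d)
{
    uint32_t lo = (uint32_t)d, hi = (uint32_t)(d >> 32);
    return (lo >> 16) | ((hi & 0xFFu) << 16) | (hi & 0xFF000000u);
}

/* LIMIT 19..0, expanded to a byte count when the G bit is set. */
uint32_t desc_limit(uint64_t d)
{
    uint32_t lo = (uint32_t)d, hi = (uint32_t)(d >> 32);
    uint32_t limit = (lo & 0xFFFFu) | (((hi >> 16) & 0xFu) << 16);
    if (hi & DESC_G_BIT)
        limit = (limit << 12) | 0xFFFu;
    return limit;
}

int tss_desc_is_busy(uint64_t d) { return desc_type(d) == TYPE_TSS32_BUSY; }

/* Checks the text attaches to a TSS descriptor that is the target of a
 * switch: a 32-bit TSS type, marked present, LIMIT >= 103. */
int tss_desc_switchable(uint64_t d)
{
    unsigned t = desc_type(d);
    return (t == TYPE_TSS32_AVAIL || t == TYPE_TSS32_BUSY)
        && desc_present(d)
        && desc_limit(d) >= TSS32_MIN_LIMIT;
}

uint16_t task_gate_selector(uint64_t gate) { return (uint16_t)((uint32_t)gate >> 16); }

/* Section 7.4 and step 1 of a task switch: a JMP or CALL may use a task gate
 * or TSS descriptor only if max(CPL, RPL of the selector) <= DPL. */
int may_switch_via(unsigned cpl, unsigned rpl, uint64_t desc)
{
    unsigned effective = cpl > rpl ? cpl : rpl;
    return effective <= desc_dpl(desc);
}

int main(void)
{
    /* constructed sample values: TSS at linear 0x00100000, gate selector 0x0028 */
    uint64_t tss  = make_tss_desc(0x00100000u, TSS32_MIN_LIMIT, 0, 0);
    uint64_t gate = make_task_gate(0x0028, 3);
    printf("TSS descriptor 0x%016llx type=%u switchable=%d\n",
           (unsigned long long)tss, desc_type(tss), tss_desc_switchable(tss));
    printf("CPL 3 via TSS descriptor (DPL 0): %d, via task gate (DPL 3): %d\n",
           may_switch_via(3, 3, tss), may_switch_via(3, 3, gate));
    return 0;
}
```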
The 80386 switches execution to another task in any of four cases:

1. The current task executes a JMP or CALL that refers to a TSS

2. The current task executes a JMP or CALL that refers to a task gate.

3. An interrupt or exception vectors to a task gate in the IDT.

4. The current task executes an IRET when the NT flag is set.

JMP, CALL, IRET, interrupts, and exceptions are all ordinary mechanisms of
the 80386 that can be used in circumstances that do not require a task
switch. Either the type of descriptor referenced or the NT (nested task) bit
in the flag word distinguishes between the standard mechanism and the
variant that causes a task switch.

To cause a task switch, a JMP or CALL instruction can refer either to a TSS
descriptor or to a task gate. The effect is the same in either case: the
80386 switches to the indicated task.

An exception or interrupt causes a task switch when it vectors to a task
gate in the IDT. If it vectors to an interrupt or trap gate in the IDT, a
task switch does not occur. Refer to Chapter 9 for more information on the
interrupt mechanism.

Whether invoked as a task or as a procedure of the interrupted task, an
interrupt handler always returns control to the interrupted procedure in the
interrupted task. If the NT flag is set, however, the handler is an
interrupt task, and the IRET switches back to the interrupted task.

A task switching operation involves these steps:

1. Checking that the current task is allowed to switch to the designated
   task. Data-access privilege rules apply in the case of JMP or CALL
   instructions. The DPL of the TSS descriptor or task gate must be less
   than or equal to the maximum of CPL and the RPL of the gate selector.
   Exceptions, interrupts, and IRETs are permitted to switch tasks
   regardless of the DPL of the target task gate or TSS descriptor.

2. Checking that the TSS descriptor of the new task is marked present
   and has a valid limit. Any errors up to this point occur in the
   context of the outgoing task. Errors are restartable and can be
   handled in a way that is transparent to applications procedures.

3. Saving the state of the current task. The processor finds the base
   address of the current TSS cached in the task register. It copies the
   registers into the current TSS (EAX, ECX, EDX, EBX, ESP, EBP, ESI,
   EDI, ES, CS, SS, DS, FS, GS, and the flag register). The EIP field of
   the TSS points to the instruction after the one that caused the task

4. Loading the task register with the selector of the incoming task's
   TSS descriptor, marking the incoming task's TSS descriptor as busy,
   and setting the TS (task switched) bit of the MSW. The selector is
   either the operand of a control transfer instruction or is taken from

5. Loading the incoming task's state from its TSS and resuming
   execution. The registers loaded are the LDT register; the flag
   register; the general registers EIP, EAX, ECX, EDX, EBX, ESP, EBP,
   ESI, EDI; the segment registers ES, CS, SS, DS, FS, and GS; and PDBR.
   Any errors detected in this step occur in the context of the incoming
   task. To an exception handler, it appears that the first instruction
   of the new task has not yet executed.

Note that the state of the outgoing task is always saved when a task switch
occurs. If execution of that task is resumed, it starts after the
instruction that caused the task switch. The registers are restored to the
values they held when the task stopped executing.

Every task switch sets the TS (task switched) bit in the MSW (machine
status word). The TS flag is useful to systems software when a coprocessor
(such as a numerics coprocessor) is present. The TS bit signals that the
context of the coprocessor may not correspond to the current 80386 task.
Chapter 11 discusses the TS bit and coprocessors in more detail.

Exception handlers that field task-switch exceptions in the incoming task
(exceptions due to tests 4 through 16 of Table 7-1) should be cautious about
taking any action that might load the selector that caused the exception.
Such an action will probably cause another exception, unless the exception
handler first examines the selector and fixes any potential problem.

The privilege level at which execution resumes in the incoming task is
neither restricted nor affected by the privilege level at which the outgoing
task was executing. Because the tasks are isolated by their separate address
spaces and TSSs and because privilege rules can be used to prevent improper
access to a TSS, no privilege rules are needed to constrain the relation
between the CPLs of the tasks. The new task begins executing at the
privilege level indicated by the RPL of the CS selector value that is loaded
Table 7-1. Checks Made during a Task Switch

Test  Test Description                              Exception  Error Code Selects
  1   Incoming TSS descriptor is                    NP         Incoming TSS
  2   Incoming TSS descriptor is                    GP         Incoming TSS
  3   Limit of incoming TSS is greater than         TS         Incoming TSS
      or equal to 103
      -- All register and selector values are loaded --
  4   LDT selector of incoming                      TS         Incoming TSS
  5   LDT of incoming task is                       TS         Incoming TSS
  6   CS selector is valid *                        TS         Code segment
  7   Code segment is present                       NP         Code segment
  8   Code segment DPL matches                      TS         Code segment
  9   Stack segment is valid *                      GP         Stack segment
 10   Stack segment is present                      SF         Stack segment
 11   Stack segment DPL = CPL                       SF         Stack segment
 12   Stack-selector RPL = CPL                      GP         Stack segment
 13   DS, ES, FS, GS selectors are valid *          GP         Segment
 14   DS, ES, FS, GS segments                       GP         Segment
 15   DS, ES, FS, GS segments                       NP         Segment
 16   DS, ES, FS, GS segment DPL >= CPL             GP         Segment
      (unless these are conforming segments)

NP = Segment-not-present exception, GP = General protection fault,
TS = Invalid TSS, SF = Stack fault

* Validity tests of a selector check that the selector is in the proper
table (e.g., the LDT selector refers to the GDT), lies within the bounds of
the table, and refers to the proper type of descriptor (e.g., the LDT
selector refers to an LDT descriptor).
The back-link field of the TSS and the NT (nested task) bit of the flag
word together allow the 80386 to automatically return to a task that CALLed
another task or was interrupted by another task. When a CALL instruction, an
interrupt instruction, an external interrupt, or an exception causes a
switch to a new task, the 80386 automatically fills the back-link of the new
TSS with the selector of the outgoing task's TSS and, at the same time,
sets the NT bit in the new task's flag register. The NT flag indicates
whether the back-link field is valid. The new task releases control by
executing an IRET instruction. When interpreting an IRET, the 80386 examines
the NT flag. If NT is set, the 80386 switches back to the task selected by
the back-link field. Table 7-2 summarizes the uses of these fields.
Table 7-2. Effect of Task Switch on BUSY, NT, and Back-Link

Affected Field               Effect of JMP           Effect of CALL           Effect of IRET
                             Instruction             Instruction              Instruction
Busy bit of incoming task    Set, must be 0 before   Set, must be 0 before    Unchanged, must be set
Busy bit of outgoing task    Cleared                 Unchanged (already set)  Cleared
NT bit of incoming task      Cleared                 Set                      Unchanged
NT bit of outgoing task      Unchanged               Unchanged                Cleared
Back-link of incoming task   Unchanged               Set to outgoing          Unchanged
                                                     TSS selector
Back-link of outgoing task   Unchanged               Unchanged                Unchanged
7.6.1 Busy Bit Prevents Loops

The B-bit (busy bit) of the TSS descriptor ensures the integrity of the
back-link. A chain of back-links may grow to any length as interrupt tasks
interrupt other interrupt tasks or as called tasks call other tasks. The
busy bit ensures that the CPU can detect any attempt to create a loop. A
loop would indicate an attempt to reenter a task that is already busy;
however, the TSS is not a reentrable resource.

The processor uses the busy bit as follows:

1. When switching to a task, the processor automatically sets the busy
   bit of the new task.

2. When switching from a task, the processor automatically clears the
   busy bit of the old task if that task is not to be placed on the
   back-link chain (i.e., the instruction causing the task switch is JMP
   or IRET). If the task is placed on the back-link chain, its busy bit

3. When switching to a task, the processor signals an exception if the
   busy bit of the new task is already set.

By these actions, the processor prevents a task from switching to itself or
to any task that is on a back-link chain, thereby preventing invalid reentry

The busy bit is effective even in multiprocessor configurations, because
the processor automatically asserts a bus lock when it sets or clears the
busy bit. This action ensures that two processors do not invoke the same
task at the same time. (Refer to Chapter 11 for more on multiprocessing.)
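The busy-bit and back-link rules of Table 7-2 and section 7.6.1 are easy to check against a model of a few tasks. The following C is an added example, not part of the manual: it keeps the B-bit, the NT bit and the back-link for each modelled task, applies the JMP, CALL and IRET columns of Table 7-2, and refuses a switch to a busy task the way the processor does by raising an exception. TASK_FAULT and NO_NESTED_RETURN are the example's own return codes, and the four-task system is constructed.

```c
#include <stdio.h>

#define NTASK 4
enum { TASK_FAULT = -1, NO_NESTED_RETURN = -2 };  /* example's own codes */

struct task_model {
    int busy;       /* B-bit of the task's TSS descriptor */
    int nt;         /* NT bit of the task's saved EFLAGS */
    int back_link;  /* back-link field of the task's TSS (-1 = never set) */
};

struct sys_model {
    struct task_model t[NTASK];
    int current;    /* task selected by TR */
};

/* Start with one running task; nothing is on a back-link chain yet. */
void sys_init(struct sys_model *s, int first)
{
    for (int i = 0; i < NTASK; i++) {
        s->t[i].busy = 0;
        s->t[i].nt = 0;
        s->t[i].back_link = -1;
    }
    s->t[first].busy = 1;
    s->current = first;
}

/* JMP column of Table 7-2: incoming must not be busy; outgoing busy is
 * cleared, incoming busy is set and its NT cleared; back-links untouched. */
int task_jmp(struct sys_model *s, int target)
{
    if (s->t[target].busy) return TASK_FAULT;      /* busy bit detects the loop */
    s->t[s->current].busy = 0;
    s->t[target].busy = 1;
    s->t[target].nt = 0;
    s->current = target;
    return target;
}

/* CALL column (the same happens for interrupts and exceptions): outgoing
 * stays busy and joins the chain; incoming gets busy = 1, NT = 1 and a
 * back-link to the outgoing task. */
int task_call(struct sys_model *s, int target)
{
    if (s->t[target].busy) return TASK_FAULT;
    s->t[target].busy = 1;
    s->t[target].nt = 1;
    s->t[target].back_link = s->current;
    s->current = target;
    return target;
}

/* IRET column: a task switch only when NT is set. The task named by the
 * back-link must still be busy; outgoing busy and NT are cleared. */
int task_iret(struct sys_model *s)
{
    int cur = s->current;
    if (!s->t[cur].nt) return NO_NESTED_RETURN;   /* ordinary IRET, no switch */
    int prev = s->t[cur].back_link;
    if (prev < 0 || !s->t[prev].busy) return TASK_FAULT;
    s->t[cur].busy = 0;
    s->t[cur].nt = 0;
    s->current = prev;
    return prev;
}

/* Section 7.6.1: task 0 calls 1, 1 calls 2, 2 tries to re-enter 0 (on the
 * chain) and itself, both refused; the chain then unwinds with IRET.
 * Returns 1 when every step behaves as Table 7-2 says. */
int scenario_reentry_refused(void)
{
    struct sys_model s;
    sys_init(&s, 0);
    if (task_call(&s, 1) != 1) return 0;
    if (task_call(&s, 2) != 2) return 0;
    if (task_call(&s, 0) != TASK_FAULT) return 0;      /* loop back to chain head */
    if (task_call(&s, 2) != TASK_FAULT) return 0;      /* switch to itself */
    if (task_iret(&s) != 1) return 0;
    if (task_iret(&s) != 0) return 0;
    if (task_iret(&s) != NO_NESTED_RETURN) return 0;   /* NT clear in task 0 */
    return s.t[1].busy == 0 && s.t[2].busy == 0 && s.t[0].busy == 1;
}

/* JMP leaves no back-link: the outgoing task is released and may be
 * entered again later without a fault. */
int scenario_jmp_releases_task(void)
{
    struct sys_model s;
    sys_init(&s, 0);
    if (task_jmp(&s, 3) != 3) return 0;
    if (s.t[0].busy != 0 || s.t[3].nt != 0) return 0;
    return task_jmp(&s, 0) == 0;
}

int main(void)
{
    printf("re-entry into a busy task refused and chain unwound: %d\n",
           scenario_reentry_refused());
    printf("JMP clears the outgoing busy bit: %d\n", scenario_jmp_releases_task());
    return 0;
}
```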
7.6.2 Modifying Task Linkages

Any modification of the linkage order of tasks should be accomplished only
by software that can be trusted to correctly update the back-link and the
busy-bit. Such changes may be needed to resume an interrupted task before
the task that interrupted it. Trusted software that removes a task from the
back-link chain must follow one of the following policies:

1. First change the back-link field in the TSS of the interrupting task,
   then clear the busy-bit in the TSS descriptor of the task removed from

2. Ensure that no interrupts occur between updating the back-link chain
7.7 Task Address Space

The LDT selector and PDBR fields of the TSS give software systems designers
flexibility in utilization of segment and page mapping features of the
80386. By appropriate choice of the segment and page mappings for each task,
tasks may share address spaces, may have address spaces that are largely
distinct from one another, or may have any degree of sharing between these

The ability for tasks to have distinct address spaces is an important
aspect of 80386 protection. A module in one task cannot interfere with a
module in another task if the modules do not have access to the same address
spaces. The flexible memory management features of the 80386 allow systems
designers to assign areas of shared address space to those modules of
different tasks that are designed to cooperate with each other.

7.7.1 Task Linear-to-Physical Space Mapping

The choices for arranging the linear-to-physical mappings of tasks fall
into two general classes:

1. One linear-to-physical mapping shared among all tasks.

   When paging is not enabled, this is the only possibility. Without page
   tables, all linear addresses map to the same physical addresses.

   When paging is enabled, this style of linear-to-physical mapping
   results from using one page directory for all tasks. The linear space
   utilized may exceed the physical space available if the operating
   system also implements page-level virtual memory.

2. Several partially overlapping linear-to-physical mappings.

   This style is implemented by using a different page directory for each
   task. Because the PDBR (page directory base register) is loaded from
   the TSS with each task switch, each task may have a different page

In theory, the linear address spaces of different tasks may map to
completely distinct physical addresses. If the entries of different page
directories point to different page tables and the page tables point to
different pages of physical memory, then the tasks do not share any physical

In practice, some portion of the linear address spaces of all tasks must
map to the same physical addresses. The task state segments must lie in a
common space so that the mapping of TSS addresses does not change while the
processor is reading and updating the TSSs during a task switch. The linear
space mapped by the GDT should also be mapped to a common physical space;
otherwise, the purpose of the GDT is defeated. Figure 7-6 shows how the
linear spaces of two tasks can overlap in the physical space by sharing

7.7.2 Task Logical Address Space

By itself, a common linear-to-physical space mapping does not enable
sharing of data among tasks. To share data, tasks must also have a common
logical-to-linear space mapping; i.e., they must also have access to
descriptors that point into a shared linear address space. There are three
ways to create common logical-to-physical address-space mappings:

1. Via the GDT. All tasks have access to the descriptors in the GDT. If
   those descriptors point into a linear-address space that is mapped to
   a common physical-address space for all tasks, then the tasks can
   share data and instructions.

2. By sharing LDTs. Two or more tasks can use the same LDT if the LDT
   selectors in their TSSs select the same LDT segment. Those
   LDT-resident descriptors that point into a linear space that is mapped
   to a common physical space permit the tasks to share physical memory.
   This method of sharing is more selective than sharing by the GDT; the
   sharing can be limited to specific tasks. Other tasks in the system
   may have different LDTs that do not give them access to the shared

3. By descriptor aliases in LDTs. It is possible for certain descriptors
   of different LDTs to point to the same linear address space. If that
   linear address space is mapped to the same physical space by the page
   mapping of the tasks involved, these descriptors permit the tasks to
   share the common space. Such descriptors are commonly called
   "aliases". This method of sharing is even more selective than the
   prior two; other descriptors in the LDTs may point to distinct linear
   addresses or to linear addresses that are not shared.
Figure 7-6. Partially-Overlapping Linear Spaces

[Figure: TASK A TSS and TASK B TSS each hold a PDBR that points to that
task's own page directory. Each directory has a PDE pointing to a private
page table and a PDE pointing to a SHARED PT. PTEs of the private tables
point to TASK A PAGE and TASK B PAGE frames; PTEs of the shared table point
to SHARED PAGE frames. Columns, left to right: TSSs, PAGE DIRECTORIES, PAGE
TABLES, PAGE FRAMES.]
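Figure 7-6 and section 7.7.1 describe two page directories that point at one shared page table. The following C is an added example, not from the manual: it builds that arrangement from constructed page directories and page tables, walks the two-level 80386 mapping (PDE index from linear bits 31..22, PTE index from bits 21..12, offset from bits 11..0) and shows that the shared range translates to the same frame for both tasks while the private ranges do not. The way a PDE names a page table (a slot number in page_tables[] rather than a physical frame address), the frame addresses and WALK_FAULT are the example's own modelling assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define PG_P       0x1u          /* present bit in a PDE or PTE */
#define PAGE_MASK  0xFFFFF000u
#define NPT        3
#define WALK_FAULT 0xFFFFFFFFu   /* example's own code for a not-present entry */

/* Constructed page tables. Modelling assumption: the upper 20 bits of a
 * PDE select a slot in page_tables[] instead of a physical frame, so the
 * walk can run in an ordinary user-space program. */
static uint32_t page_tables[NPT][1024];

/* Two constructed page directories, i.e. what the two tasks' PDBRs point to. */
static uint32_t pd_task_a[1024];
static uint32_t pd_task_b[1024];

enum { PT_A_PRIVATE = 0, PT_B_PRIVATE = 1, PT_SHARED = 2 };

/* Build the Figure 7-6 situation: each task has a private page table for
 * linear 0-4M, and both directories point to one shared page table for
 * linear 4M-8M. Frame addresses are constructed sample values. Returns 1. */
int build_figure_7_6(void)
{
    page_tables[PT_A_PRIVATE][0] = 0x00100000u | PG_P;  /* TASK A PAGE  */
    page_tables[PT_B_PRIVATE][0] = 0x00200000u | PG_P;  /* TASK B PAGE  */
    page_tables[PT_SHARED][0]    = 0x00300000u | PG_P;  /* SHARED PAGE  */

    pd_task_a[0] = ((uint32_t)PT_A_PRIVATE << 12) | PG_P;
    pd_task_a[1] = ((uint32_t)PT_SHARED    << 12) | PG_P;
    pd_task_b[0] = ((uint32_t)PT_B_PRIVATE << 12) | PG_P;
    pd_task_b[1] = ((uint32_t)PT_SHARED    << 12) | PG_P;
    return 1;
}

/* Two-level 80386 walk. Returns 1 and stores the physical address, or 0
 * when the PDE or PTE is not present (the page-fault case). */
int walk(const uint32_t *pd, uint32_t linear, uint32_t *phys)
{
    uint32_t pde = pd[linear >> 22];
    if (!(pde & PG_P)) return 0;
    uint32_t slot = pde >> 12;
    if (slot >= NPT) return 0;                         /* outside the model */
    uint32_t pte = page_tables[slot][(linear >> 12) & 0x3FFu];
    if (!(pte & PG_P)) return 0;
    *phys = (pte & PAGE_MASK) | (linear & 0xFFFu);
    return 1;
}

/* Convenience wrapper: physical address, or WALK_FAULT. */
uint32_t translate(const uint32_t *pd, uint32_t linear)
{
    uint32_t phys;
    return walk(pd, linear, &phys) ? phys : WALK_FAULT;
}

/* 1 if both tasks map the same linear address to the same physical address. */
int tasks_share_linear(const uint32_t *pd1, const uint32_t *pd2, uint32_t linear)
{
    uint32_t p1, p2;
    if (!walk(pd1, linear, &p1) || !walk(pd2, linear, &p2)) return 0;
    return p1 == p2;
}

int main(void)
{
    build_figure_7_6();
    printf("task A linear 0x00000010 -> 0x%08X\n", translate(pd_task_a, 0x00000010u));
    printf("task B linear 0x00000010 -> 0x%08X\n", translate(pd_task_b, 0x00000010u));
    printf("task A linear 0x00400010 -> 0x%08X\n", translate(pd_task_a, 0x00400010u));
    printf("task B linear 0x00400010 -> 0x%08X\n", translate(pd_task_b, 0x00400010u));
    printf("shared at 0x00400010: %d, shared at 0x00000010: %d\n",
           tasks_share_linear(pd_task_a, pd_task_b, 0x00400010u),
           tasks_share_linear(pd_task_a, pd_task_b, 0x00000010u));
    return 0;
}
```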
Chapter 8 Input/Output

This chapter presents the I/O features of the 80386 from the following

• Methods of addressing I/O ports
• Instructions that cause I/O operations
• Protection as it applies to the use of I/O instructions and I/O port

The 80386 allows input/output to be performed in either of two ways:

• By means of a separate I/O address space (using specific I/O
• By means of memory-mapped I/O (using general-purpose operand
  manipulation instructions).
8.1.1 I/O Address Space

The 80386 provides a separate I/O address space, distinct from physical
memory, that can be used to address the input/output ports that are used for
external devices. The I/O address space consists of 2^16 (64K)
individually addressable 8-bit ports; any two consecutive 8-bit ports can be
treated as a 16-bit port; and four consecutive 8-bit ports can be treated
as a 32-bit port. Thus, the I/O address space can accommodate up to 64K
8-bit ports, up to 32K 16-bit ports, or up to 16K 32-bit ports.

The program can specify the address of the port in two ways. Using an
immediate byte constant, the program can specify:

• 256 8-bit ports numbered 0 through 255.
• 128 16-bit ports numbered 0, 2, 4, . . . , 252, 254.
• 64 32-bit ports numbered 0, 4, 8, . . . , 248, 252.

Using a value in DX, the program can specify:

• 8-bit ports numbered 0 through 65535
• 16-bit ports numbered 0, 2, 4, . . . , 65532, 65534
• 32-bit ports numbered 0, 4, 8, . . . , 65528, 65532

The 80386 can transfer 32, 16, or 8 bits at a time to a device located in
the I/O space. Like doublewords in memory, 32-bit ports should be aligned at
addresses evenly divisible by four so that the 32 bits can be transferred in
a single bus access. Like words in memory, 16-bit ports should be aligned at
even-numbered addresses so that the 16 bits can be transferred in a single
bus access. An 8-bit port may be located at either an even or odd address.

The instructions IN and OUT move data between a register and a port in the
I/O address space. The instructions INS and OUTS move strings of data
between the memory address space and ports in the I/O address space.
8.1.2 Memory-Mapped I/O

I/O devices also may be placed in the 80386 memory address space. As long
as the devices respond like memory components, they are indistinguishable to

Memory-mapped I/O provides additional programming flexibility. Any
instruction that references memory may be used to access an I/O port located
in the memory space. For example, the MOV instruction can transfer data
between any register and a port; and the AND, OR, and TEST instructions may
be used to manipulate bits in the internal registers of a device (see Figure
8-1). Memory-mapped I/O performed via the full instruction set maintains
the full complement of addressing modes for selecting the desired I/O
device (e.g., direct address, indirect address, base register, index

Memory-mapped I/O, like any other memory reference, is subject to access
protection and control when executing in protected mode. Refer to Chapter 6
for a discussion of memory protection.
8.2 I/O Instructions

The I/O instructions of the 80386 provide access to the processor's I/O
ports for the transfer of data to and from peripheral devices. These
instructions have as one operand the address of a port in the I/O address
space. There are two classes of I/O instruction:

1. Those that transfer a single item (byte, word, or doubleword) located

2. Those that transfer strings of items (strings of bytes, words, or
   doublewords) located in memory. These are known as "string I/O
   instructions" or "block I/O instructions".

8.2.1 Register I/O Instructions

The I/O instructions IN and OUT are provided to move data between I/O ports
and the EAX (32-bit I/O), the AX (16-bit I/O), or AL (8-bit I/O) general
registers. IN and OUT instructions address I/O ports either directly, with
the address of one of up to 256 port addresses coded in the instruction, or
indirectly via the DX register to one of up to 64K port addresses.

IN (Input from Port) transfers a byte, word, or doubleword from an input
port to AL, AX, or EAX. If a program specifies AL with the IN instruction,
the processor transfers 8 bits from the selected port to AL. If a program
specifies AX with the IN instruction, the processor transfers 16 bits from
the port to AX. If a program specifies EAX with the IN instruction, the
processor transfers 32 bits from the port to EAX.

OUT (Output to Port) transfers a byte, word, or doubleword to an output
port from AL, AX, or EAX. The program can specify the number of the port
using the same methods as the IN instruction.
7490 Figure 8-1. Memory-Mapped I/O

     (Figure artwork not recoverable. It showed a range of the ADDRESS SPACE
     whose locations are wired to the INTERNAL REGISTERs of I/O DEVICE 1 and
     of a second device, so that ordinary memory references reach those
     registers.)
7513 8.2.2 Block I/O Instructions
7515 The block (or string) I/O instructions INS and OUTS move blocks of data
7516 between I/O ports and memory space. Block I/O instructions use the DX
7517 register to specify the address of a port in the I/O address space. INS and
7518 OUTS use DX to specify:
7520 • 8-bit ports numbered 0 through 65535
7521 • 16-bit ports numbered 0, 2, 4, . . . , 65532, 65534
7522 • 32-bit ports numbered 0, 4, 8, . . . , 65528, 65532
7524 Block I/O instructions use either SI or DI to designate the source or
7525 destination memory address. For each transfer, SI or DI are automatically
7526 either incremented or decremented as specified by the direction bit in the
7529 INS and OUTS, when used with repeat prefixes, cause block input or output
7530 operations. REP, the repeat prefix, modifies INS and OUTS to provide a means
7531 of transferring blocks of data between an I/O port and memory. These block
7532 I/O instructions are string primitives (refer also to Chapter 3 for more on
7533 string primitives). They simplify programming and increase the speed of data
7534 transfer by eliminating the need to use a separate LOOP instruction or an
7535 intermediate register to hold the data.
7537 The string I/O primitives can operate on byte strings, word strings, or
7538 doubleword strings. After each transfer, the memory address in ESI or EDI is
7539 updated by 1 for byte operands, by 2 for word operands, or by 4 for
7540 doubleword operands. The value in the direction flag (DF) determines whether
7541 the processor automatically increments ESI or EDI (DF=0) or whether it
7542 automatically decrements these registers (DF=1).
7544 INS (Input String from Port) transfers a byte, word, or doubleword string element from
7545 an input port to memory. The mnemonics INSB, INSW, and INSD are variants
7546 that explicitly specify the size of the operand. If a program specifies
7547 INSB, the processor transfers 8 bits from the selected port to the memory
7548 location indicated by ES:EDI. If a program specifies INSW, the processor
7549 transfers 16 bits from the port to the memory location indicated by ES:EDI.
7550 If a program specifies INSD, the processor transfers 32 bits from the port
7551 to the memory location indicated by ES:EDI. The destination segment register
7552 choice (ES) cannot be changed for the INS instruction. Combined with the REP
7553 prefix, INS moves a block of information from an input port to a series of
7554 consecutive memory locations.
7556 OUTS (Output String to Port) transfers a byte, word, or doubleword string
7557 element to an output port from memory. The mnemonics OUTSB, OUTSW, and OUTSD
7558 are variants that explicitly specify the size of the operand. If a program
7559 specifies OUTSB, the processor transfers 8 bits from the memory location
7560 indicated by ES:EDI to the selected port. If a program specifies OUTSW,
7561 the processor transfers 16 bits from the memory location indicated by ES:EDI
7562 to the selected port. If a program specifies OUTSD, the processor
7563 transfers 32 bits from the memory location indicated by ES:EDI to the
7564 selected port. Combined with the REP prefix, OUTS moves a block of
7565 information from a series of consecutive memory locations indicated by
7566 DS:ESI to an output port.
7569 8.3 Protection and I/O
7571 Two mechanisms provide protection for I/O functions:
7573 1. The IOPL field in the EFLAGS register defines the right to use
7574 I/O-related instructions.
7576 2. The I/O permission bit map of an 80386 TSS segment defines the right
7577 to use ports in the I/O address space.
7579 These mechanisms operate only in protected mode, including virtual 8086
7580 mode; they do not operate in real mode. In real mode, there is no protection
7581 of the I/O space; any procedure can execute I/O instructions, and any I/O
7582 port can be addressed by the I/O instructions.
7585 8.3.1 I/O Privilege Level
7587 Instructions that deal with I/O need to be restricted but also need to be
7588 executed by procedures executing at privilege levels other than zero. For
7589 this reason, the processor uses two bits of the flags register to store the
7590 I/O privilege level (IOPL). The IOPL defines the privilege level
7591 needed to execute I/O-related instructions.
7593 The following instructions can be executed only if CPL ≤ IOPL:
7598 OUTS -- Output String
7599 CLI -- Clear Interrupt-Enable Flag
7600 STI -- Set Interrupt-Enable
7602 These instructions are called "sensitive" instructions, because they are
7605 To use sensitive instructions, a procedure must execute at a privilege
7606 level at least as privileged as that specified by the IOPL (CPL ≤ IOPL). Any
7607 attempt by a less privileged procedure to use a sensitive instruction
7608 results in a general protection exception.
7610 Because each task has its own unique copy of the flags register, each task
7611 can have a different IOPL. A task whose primary function is to perform I/O
7612 (a device driver) can benefit from having an IOPL of three, thereby
7613 permitting all procedures of the task to perform I/O. Other tasks typically
7614 have IOPL set to zero or one, reserving the right to perform I/O
7615 instructions for the most privileged procedures.
7617 A task can change IOPL only with the POPF instruction; however, such
7618 changes are privileged. No procedure may alter IOPL (the I/O privilege level
7619 in the flag register) unless the procedure is executing at privilege level
7620 0. An attempt by a less privileged procedure to alter IOPL does not result
7621 in an exception; IOPL simply remains unaltered.
7623 The POPF instruction may be used in addition to CLI and STI to alter the
7624 interrupt-enable flag (IF); however, changes to IF by POPF are
7625 IOPL-sensitive. A procedure may alter IF with a POPF instruction only when
7626 executing at a level that is at least as privileged as IOPL. An attempt by a
7627 less privileged procedure to alter IF in this manner does not result in an
7628 exception; IF simply remains unaltered.
7631 8.3.2 I/O Permission Bit Map
7633 The I/O instructions that directly refer to addresses in the processor's
7634 I/O space are IN, INS, OUT, OUTS. The 80386 has the ability to selectively
7635 trap references to specific I/O addresses. The structure that enables
7636 selective trapping is the I/O Permission Bit Map in the TSS segment (see
7637 Figure 8-2). The I/O permission map is a bit vector. The size of the map
7638 and its location in the TSS segment are variable. The processor locates the
7639 I/O permission map by means of the I/O map base field in the fixed portion
7640 of the TSS. The I/O map base field is 16 bits wide and contains the offset
7641 of the beginning of the I/O permission map. The upper limit of the I/O
7642 permission map is the same as the limit of the TSS segment.
7644 In protected mode, when it encounters an I/O instruction (IN, INS, OUT, or
7645 OUTS), the processor first checks whether CPL ≤ IOPL. If this condition is
7646 true, the I/O operation may proceed. If not true, the processor checks the
7647 I/O permission map. (In virtual 8086 mode, the processor consults the map
7648 without regard for IOPL. Refer to Chapter 15.)
7650 Each bit in the map corresponds to an I/O port byte address; for example,
7651 the bit for port 41 is found at I/O map base + 5, bit offset 1. The
7652 processor tests all the bits that correspond to the I/O addresses spanned by
7653 an I/O operation; for example, a doubleword operation tests four bits
7654 corresponding to four adjacent byte addresses. If any tested bit is set,
7655 the processor signals a general protection exception. If all the tested bits
7656 are zero, the I/O operation may proceed.
7658 It is not necessary for the I/O permission map to represent all the I/O
7659 addresses. I/O addresses not spanned by the map are treated as if they had
7660 one bits in the map. For example, if TSS limit is equal to I/O map base +
7661 31, the first 256 I/O ports are mapped; I/O operations on any port greater
7662 than 255 cause an exception.
7664 If I/O map base is greater than or equal to TSS limit, the TSS segment has
7665 no I/O permission map, and all I/O instructions in the 80386 program cause
7666 exceptions when CPL > IOPL.
7668 Because the I/O permission map is in the TSS segment, different tasks can
7669 have different maps. Thus, the operating system can allocate ports to a task
7670 by changing the I/O permission map in the task's TSS.
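The check described in 8.3.1 and 8.3.2 (IOPL first, then the bit map, every byte address of the access tested, addresses past the TSS limit treated as denied, no map at all when the base is at or beyond the limit) can be modelled directly. The following is an added example written for this page, not Intel's code; the TSS it builds is a constructed sample of 104 fixed bytes followed by a 32-byte map, so that, as the text says, TSS limit = I/O map base + 31 and ports 0 through 255 are mapped. Port 41 (byte 5, bit 1 of the map) and ports 0x60 through 0x63 are marked as denied in the sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 80386 I/O permission check (sections 8.3.1 and 8.3.2).
 * Added example built for this page, not Intel's code. */

struct tss_iomap {
    const uint8_t *tss;      /* bytes of the TSS segment */
    uint32_t tss_limit;      /* segment limit = last valid byte offset */
    uint16_t io_map_base;    /* offset of the bit map inside the TSS */
};

/* True when the map covers this port byte address and its bit is zero.
 * A byte beyond the TSS limit behaves as if every bit in it were one. */
static bool port_bit_clear(const struct tss_iomap *t, uint32_t port)
{
    uint32_t off = (uint32_t)t->io_map_base + port / 8;
    if (off > t->tss_limit)
        return false;
    return ((t->tss[off] >> (port % 8)) & 1u) == 0;
}

/* Does an IN/OUT/INS/OUTS of `size` bytes (1, 2 or 4) at `port` proceed?
 * Returns false where the 80386 would raise a general protection fault.
 * In virtual 8086 mode the map is consulted regardless of IOPL. */
bool io_access_permitted(const struct tss_iomap *t, unsigned cpl, unsigned iopl,
                         bool vm86, uint16_t port, unsigned size)
{
    if (!vm86 && cpl <= iopl)            /* IOPL alone grants access */
        return true;
    if (t->io_map_base >= t->tss_limit)  /* this TSS has no map at all */
        return false;
    for (unsigned i = 0; i < size; i++)  /* every byte address spanned */
        if (!port_bit_clear(t, (uint32_t)port + i))
            return false;
    return true;
}

/* Constructed sample TSS: 104 fixed bytes followed by a 32-byte map. */
enum { TSS_FIXED = 104, MAP_BYTES = 32 };

static void sample_tss_init(uint8_t *tss, struct tss_iomap *t)
{
    memset(tss, 0, TSS_FIXED + MAP_BYTES);
    tss[TSS_FIXED + 41 / 8] |= 1u << (41 % 8);        /* deny port 41 */
    for (unsigned p = 0x60; p <= 0x63; p++)           /* deny 0x60..0x63 */
        tss[TSS_FIXED + p / 8] |= 1u << (p % 8);
    t->tss = tss;
    t->tss_limit = TSS_FIXED + MAP_BYTES - 1;         /* = base + 31 */
    t->io_map_base = TSS_FIXED;
}

/* One access against the sample TSS. */
bool sample_permitted(unsigned cpl, unsigned iopl, bool vm86, uint16_t port, unsigned size)
{
    uint8_t tss[TSS_FIXED + MAP_BYTES];
    struct tss_iomap t;
    sample_tss_init(tss, &t);
    return io_access_permitted(&t, cpl, iopl, vm86, port, size);
}

/* Same sample with the TSS limit below the map base: no map exists. */
bool sample_permitted_no_map(unsigned cpl, unsigned iopl, uint16_t port)
{
    uint8_t tss[TSS_FIXED + MAP_BYTES];
    struct tss_iomap t;
    sample_tss_init(tss, &t);
    t.tss_limit = TSS_FIXED - 1;
    return io_access_permitted(&t, cpl, iopl, false, port, 1);
}

int main(void)
{
    printf("CPL 3, IOPL 0, byte at port 40:  %d\n", sample_permitted(3, 0, false, 40, 1));
    printf("CPL 3, IOPL 0, byte at port 41:  %d\n", sample_permitted(3, 0, false, 41, 1));
    printf("CPL 3, IOPL 0, word at port 40:  %d\n", sample_permitted(3, 0, false, 40, 2));
    printf("CPL 3, IOPL 0, byte at port 256: %d\n", sample_permitted(3, 0, false, 256, 1));
    return 0;
}
```

The word access at port 40 is refused even though port 40 itself is allowed, because the processor tests every byte address the operand spans and port 41 is denied; the same rule is what makes a doubleword test four bits.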
7673 Figure 8-2. I/O Address Bit Map

     (Figure reconstructed as text: a TSS segment drawn with the highest
     offsets at the top; only the fields legible in the source are shown,
     and the offsets on the right are hexadecimal.)

       TSS LIMIT ----> +-------------------------------------------+
                       |                                           |
                       |          I/O PERMISSION BIT MAP           |
                       |                                           |
       I/O MAP BASE -> +---------------------+---------------------+
                       |    I/O MAP BASE     |  uuuuuuuu uuuuuuuT  |  64
                       +---------------------+---------------------+
                       |  00000000 00000000  |         LDT         |  60
                       +---------------------+---------------------+
                       |  00000000 00000000  |         GS          |  5C
                       +---------------------+---------------------+
                       |                    ...                    |
                       +---------------------+---------------------+
                       |  00000000 00000000  |    TSS BACK LINK    |  0
                       +---------------------+---------------------+
7707 Chapter 9 Exceptions and Interrupts
7709 ----------------------------------------------------------------------------
7711 Interrupts and exceptions are special kinds of control transfer; they work
7712 somewhat like unprogrammed CALLs. They alter the normal program flow to
7713 handle external events or to report errors or exceptional conditions. The
7714 difference between interrupts and exceptions is that interrupts are used to
7715 handle asynchronous events external to the processor, but exceptions handle
7716 conditions detected by the processor itself in the course of executing
7719 There are two sources for external interrupts and two sources for
7724 • Maskable interrupts, which are signalled via the INTR pin.
7726 • Nonmaskable interrupts, which are signalled via the NMI
7727 (Non-Maskable Interrupt) pin.
7731 • Processor detected. These are further classified as faults, traps,
7734 • Programmed. The instructions INTO, INT 3, INT n, and BOUND can
7735 trigger exceptions. These instructions are often called "software
7736 interrupts", but the processor handles them as exceptions.
7738 This chapter explains the features that the 80386 offers for controlling
7739 and responding to interrupts when it is executing in protected mode.
7742 9.1 Identifying Interrupts
7744 The processor associates an identifying number with each different type of
7745 interrupt or exception.
7747 The NMI and the exceptions recognized by the processor are assigned
7748 predetermined identifiers in the range 0 through 31. Not all of these
7749 numbers are currently used by the 80386; unassigned identifiers in this
7750 range are reserved by Intel for possible future expansion.
7752 The identifiers of the maskable interrupts are determined by external
7753 interrupt controllers (such as Intel's 8259A Programmable Interrupt
7754 Controller) and communicated to the processor during the processor's
7755 interrupt-acknowledge sequence. The numbers assigned by an 8259A PIC can be
7756 specified by software. Any numbers in the range 32 through 255 can be used.
7757 Table 9-1 shows the assignment of interrupt and exception identifiers.
7759 Exceptions are classified as faults, traps, or aborts depending on the way
7760 they are reported and whether restart of the instruction that caused the
7761 exception is supported.
7763 Faults Faults are exceptions that are reported "before" the
7764 instruction causing the exception. Faults are either detected before
7765 the instruction begins to execute, or during execution of the
7766 instruction. If detected during the instruction, the fault is
7767 reported with the machine restored to a state that permits the
7768 instruction to be restarted.
7770 Traps A trap is an exception that is reported at the instruction
7771 boundary immediately after the instruction in which the
7772 exception was detected.
7774 Aborts An abort is an exception that permits neither precise location
7775 of the instruction causing the exception nor restart of the program
7776 that caused the exception. Aborts are used to report severe errors,
7777 such as hardware errors and inconsistent or illegal values in system
7781 Table 9-1. Interrupt and Exception ID Assignments
7783 Identifier Description
7787 2 Nonmaskable interrupt
7788 3 Breakpoint (one-byte INT 3 instruction)
7789 4 Overflow (INTO instruction)
7790 5 Bounds check (BOUND instruction)
7792 7 Coprocessor not available
7796 11 Segment not present
7798 13 General protection
7801 16 Coprocessor error
7803 32-255 Available for external interrupts via INTR pin
7806 9.2 Enabling and Disabling Interrupts
7808 The processor services interrupts and exceptions only between the end of
7809 one instruction and the beginning of the next. When the repeat prefix is
7810 used to repeat a string instruction, interrupts and exceptions may occur
7811 between repetitions. Thus, operations on long strings do not delay interrupt
7814 Certain conditions and flag settings cause the processor to inhibit certain
7815 interrupts and exceptions at instruction boundaries.
7818 9.2.1 NMI Masks Further NMIs
7820 While an NMI handler is executing, the processor ignores further interrupt
7821 signals at the NMI pin until the next IRET instruction is executed.
7826 The IF (interrupt-enable flag) controls the acceptance of external
7827 interrupts signalled via the INTR pin. When IF=0, INTR interrupts are
7828 inhibited; when IF=1, INTR interrupts are enabled. As with the other flag
7829 bits, the processor clears IF in response to a RESET signal. The
7830 instructions CLI and STI alter the setting of IF.
7832 CLI (Clear Interrupt-Enable Flag) and STI (Set Interrupt-Enable Flag)
7833 explicitly alter IF (bit 9 in the flag register). These instructions may be
7834 executed only if CPL ≤ IOPL. A protection exception occurs if they are
7835 executed when CPL > IOPL.
7837 The IF is also affected implicitly by the following operations:
7839 • The instruction PUSHF stores all flags, including IF, in the stack
7840 where they can be examined.
7842 • Task switches and the instructions POPF and IRET load the flags
7843 register; therefore, they can be used to modify IF.
7845 • Interrupts through interrupt gates automatically reset IF, disabling
7846 interrupts. (Interrupt gates are explained later in this chapter.)
7849 9.2.3 RF Masks Debug Faults
7851 The RF bit in EFLAGS controls the recognition of debug faults. This permits
7852 debug faults to be raised for a given instruction at most once, no matter
7853 how many times the instruction is restarted. (Refer to Chapter 12 for more
7854 information on debugging.)
7857 9.2.4 MOV or POP to SS Masks Some Interrupts and Exceptions
7859 Software that needs to change stack segments often uses a pair of
7860 instructions; for example:
7865 If an interrupt or exception is processed after SS has been changed but
7866 before ESP has received the corresponding change, the two parts of the stack
7867 pointer SS:ESP are inconsistent for the duration of the interrupt handler or
7870 To prevent this situation, the 80386, after both a MOV to SS and a POP to
7871 SS instruction, inhibits NMI, INTR, debug exceptions, and single-step traps
7872 at the instruction boundary following the instruction that changes SS. Some
7873 exceptions may still occur; namely, page fault and general protection fault.
7874 Always use the 80386 LSS instruction, and the problem will not occur.
7877 9.3 Priority Among Simultaneous Interrupts and Exceptions
7879 If more than one interrupt or exception is pending at an instruction
7880 boundary, the processor services one of them at a time. The priority among
7881 classes of interrupt and exception sources is shown in Table 9-2. The
7882 processor first services a pending interrupt or exception from the class
7883 that has the highest priority, transferring control to the first
7884 instruction of the interrupt handler. Lower priority exceptions are
7885 discarded; lower priority interrupts are held pending. Discarded exceptions
7886 will be rediscovered when the interrupt handler returns control to the point
7890 9.4 Interrupt Descriptor Table
7892 The interrupt descriptor table (IDT) associates each interrupt or exception
7893 identifier with a descriptor for the instructions that service the
7894 associated event. Like the GDT and LDTs, the IDT is an array of 8-byte
7895 descriptors. Unlike the GDT and LDTs, the first entry of the IDT may contain
7896 a descriptor. To form an index into the IDT, the processor multiplies the
7897 interrupt or exception identifier by eight. Because there are only 256
7898 identifiers, the IDT need not contain more than 256 descriptors. It can
7899 contain fewer than 256 entries; entries are required only for interrupt
7900 identifiers that are actually used.
7902 The IDT may reside anywhere in physical memory. As Figure 9-1 shows, the
7903 processor locates the IDT by means of the IDT register (IDTR). The
7904 instructions LIDT and SIDT operate on the IDTR. Both instructions have one
7905 explicit operand: the address in memory of a 6-byte area. Figure 9-2 shows
7906 the format of this area.
7908 LIDT (Load IDT register) loads the IDT register with the linear base
7909 address and limit values contained in the memory operand. This instruction
7910 can be executed only when the CPL is zero. It is normally used by the
7911 initialization logic of an operating system when creating an IDT. An
7912 operating system may also use it to change from one IDT to another.
7914 SIDT (Store IDT register) copies the base and limit value stored in IDTR
7915 to a memory location. This instruction can be executed at any privilege
7919 Table 9-2. Priority Among Simultaneous Interrupts and Exceptions
7921 Priority Class of Interrupt or Exception
7923 HIGHEST Faults except debug faults
7924 Trap instructions INTO, INT n, INT 3
7925 Debug traps for this instruction
7926 Debug faults for next instruction
7928 LOWEST INTR interrupt
7931 Figure 9-1. IDT Register and Table

     (Figure reconstructed as text: IDTR holds the base and limit of the
     IDT; the base locates the gate for interrupt #0 and the limit spans the
     table up to the gate for interrupt #N.)

          IDT REGISTER                    INTERRUPT DESCRIPTOR TABLE
                                          +-------------------------+
       +-------------------+    limit --> | GATE FOR INTERRUPT #N   |
       | IDT LIMIT         |---+          |           ...           |
       +-------------------+   |          | GATE FOR INTERRUPT #2   |
       | IDT BASE          |---|---+      | GATE FOR INTERRUPT #1   |
       +-------------------+   |   +----> | GATE FOR INTERRUPT #0   |
                               |          +-------------------------+
                               +----------------- (extent of table)
7958 Figure 9-2. Pseudo-Descriptor Format for LIDT and SIDT

     (Figure artwork not recoverable. It showed the 6-byte memory operand of
     LIDT and SIDT, holding the 16-bit IDT limit in its first two bytes and
     the 32-bit linear IDT base address in the remaining four.)
7970 The IDT may contain any of three kinds of descriptor:
7976 Figure 9-3 illustrates the format of task gates and 80386 interrupt gates
7977 and trap gates. (The task gate in an IDT is the same as the task gate
7978 already discussed in Chapter 7.)
7981 Figure 9-3. 80386 IDT Gate Descriptors

     (Figure reconstructed as text. Each gate is 8 bytes: the dword at
     offset 4 is listed first, then the dword at offset 0; bit 31 is on the
     left. The five-bit field at bits 12..8 is the descriptor type.)

     TASK GATE
       +4:  31..16 (NOT USED) | 15 P | 14..13 DPL | 12..8 = 0 0 1 0 1 | 7..0 (NOT USED)
       +0:  31..16 SELECTOR   | 15..0 (NOT USED)

     80386 INTERRUPT GATE
       +4:  31..16 OFFSET 31..16 | 15 P | 14..13 DPL | 12..8 = 0 1 1 1 0 | 7..5 = 0 0 0 | 4..0 (NOT USED)
       +0:  31..16 SELECTOR      | 15..0 OFFSET 15..0

     80386 TRAP GATE
       +4:  31..16 OFFSET 31..16 | 15 P | 14..13 DPL | 12..8 = 0 1 1 1 1 | 7..5 = 0 0 0 | 4..0 (NOT USED)
       +0:  31..16 SELECTOR      | 15..0 OFFSET 15..0
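The gate layouts of Figure 9-3, together with the identifier * 8 indexing rule of 9.4, are easy to get subtly wrong (a reserved bit set, a task gate given an offset, an entry past the IDT limit). The following is an added example written for this page, not Intel's code, that packs and unpacks gates exactly as the figure draws them. The type codes are read off the figure's bit patterns (task gate 00101, 80386 interrupt gate 01110, 80386 trap gate 01111); the selector and offset values used in `main` are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Encoding and decoding of 80386 IDT gate descriptors as laid out in
 * Figure 9-3. Added example built for this page, not Intel's code. */

/* Five-bit type field, bits 12..8 of the dword at offset 4. */
enum gate_type { GATE_TASK = 0x05, GATE_INTR_386 = 0x0E, GATE_TRAP_386 = 0x0F };

struct gate {
    uint32_t lo;   /* dword at offset 0 */
    uint32_t hi;   /* dword at offset 4 */
};

struct gate_fields {
    bool present;
    unsigned dpl;
    unsigned type;
    uint16_t selector;
    uint32_t offset;   /* zero for a task gate, where the field is unused */
};

/* Build a gate. Task gates carry only a TSS selector; interrupt and trap
 * gates carry a code-segment selector plus a 32-bit entry offset. */
struct gate make_gate(enum gate_type type, uint16_t selector, uint32_t offset,
                      unsigned dpl, bool present)
{
    struct gate g;
    uint32_t attr = ((uint32_t)present << 15) | ((uint32_t)(dpl & 3u) << 13)
                  | ((uint32_t)type << 8);            /* bits 7..5 stay 0 0 0 */
    if (type == GATE_TASK) {
        g.lo = (uint32_t)selector << 16;              /* offset halves not used */
        g.hi = attr;
    } else {
        g.lo = ((uint32_t)selector << 16) | (offset & 0xFFFFu);
        g.hi = (offset & 0xFFFF0000u) | attr;
    }
    return g;
}

struct gate_fields decode_gate(struct gate g)
{
    struct gate_fields f;
    f.present  = (g.hi >> 15) & 1u;
    f.dpl      = (g.hi >> 13) & 3u;
    f.type     = (g.hi >> 8) & 0x1Fu;
    f.selector = (uint16_t)(g.lo >> 16);
    f.offset   = f.type == GATE_TASK ? 0u : ((g.hi & 0xFFFF0000u) | (g.lo & 0xFFFFu));
    return f;
}

/* One of the three IDT gate kinds on this page, with the bits the figure
 * shows as 0 0 0 actually zero? */
bool gate_is_valid_idt_entry(struct gate g)
{
    unsigned type = (g.hi >> 8) & 0x1Fu;
    if (type == GATE_TASK)
        return true;
    if (type != GATE_INTR_386 && type != GATE_TRAP_386)
        return false;
    return ((g.hi >> 5) & 7u) == 0;
}

/* The processor forms the IDT index as identifier * 8 (section 9.4). An
 * entry is usable only if all 8 of its bytes lie within the IDT limit. */
bool idt_lookup(const struct gate *idt, uint16_t idt_limit, unsigned id, struct gate *out)
{
    uint32_t off = (uint32_t)id * 8u;
    if (id > 255u || off + 7u > idt_limit)
        return false;
    *out = idt[id];
    return true;
}

int main(void)
{
    /* Constructed sample: code selector 0x0008, entry point 0x00101234, DPL 0. */
    struct gate g = make_gate(GATE_INTR_386, 0x0008, 0x00101234u, 0, true);
    printf("interrupt gate: +0 = %08X  +4 = %08X\n", (unsigned)g.lo, (unsigned)g.hi);
    return 0;
}
```

A DPL 3 trap gate decodes to attribute bits 0xEF00 and a DPL 0 interrupt gate to 0x8E00, which is a quick way to sanity-check an IDT dump by eye.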
8008 9.6 Interrupt Tasks and Interrupt Procedures
8010 Just as a CALL instruction can call either a procedure or a task, so an
8011 interrupt or exception can "call" an interrupt handler that is either a
8012 procedure or a task. When responding to an interrupt or exception, the
8013 processor uses the interrupt or exception identifier to index a descriptor
8014 in the IDT. If the processor indexes to an interrupt gate or trap gate, it
8015 invokes the handler in a manner similar to a CALL to a call gate. If the
8016 processor finds a task gate, it causes a task switch in a manner similar to
8017 a CALL to a task gate.
8020 9.6.1 Interrupt Procedures
8022 An interrupt gate or trap gate points indirectly to a procedure which will
8023 execute in the context of the currently executing task as illustrated by
8024 Figure 9-4. The selector of the gate points to an executable-segment
8025 descriptor in either the GDT or the current LDT. The offset field of the
8026 gate points to the beginning of the interrupt or exception handling
8029 The 80386 invokes an interrupt or exception handling procedure in much the
8030 same manner as it CALLs a procedure; the differences are explained in the
8034 Figure 9-4. Interrupt Vectoring for Procedures

     (Figure artwork not recoverable. It showed the path from the interrupt
     ID to the handler: the ID selects a TRAP GATE OR INTERRUPT GATE in the
     IDT; the gate's selector picks a SEGMENT DESCRIPTOR in the LDT OR GDT,
     which locates the EXECUTABLE SEGMENT; the gate's offset gives the ENTRY
     POINT within that segment.)
8061 9.6.1.1 Stack of Interrupt Procedure
8063 Just as with a control transfer due to a CALL instruction, a control
8064 transfer to an interrupt or exception handling procedure uses the stack to
8065 store the information needed for returning to the original procedure. As
8066 Figure 9-5 shows, an interrupt pushes the EFLAGS register onto the stack
8067 before the pointer to the interrupted instruction.
8069 Certain types of exceptions also cause an error code to be pushed on the
8070 stack. An exception handler can use the error code to help diagnose the
8074 9.6.1.2 Returning from an Interrupt Procedure
8076 An interrupt procedure also differs from a normal procedure in the method
8077 of leaving the procedure. The IRET instruction is used to exit from an
8078 interrupt procedure. IRET is similar to RET except that IRET increments EIP
8079 by an extra four bytes (because of the flags on the stack) and moves the
8080 saved flags into the EFLAGS register. The IOPL field of EFLAGS is changed
8081 only if the CPL is zero. The IF flag is changed only if CPL ≤ IOPL.
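The same two rules govern POPF in 8.3.1 and IRET here: the IOPL field is taken from the stack image only at CPL 0, and IF only when CPL ≤ IOPL, with no exception when the bit is simply left alone. The CLI/STI rule of 9.2 and the gate-entry behaviour of 9.6.1.3 fit the same model. The following is an added example written for this page, not Intel's code; it models only the bits those sections discuss, and the EFLAGS values in `main` are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EFLAGS handling rules for CLI/STI, POPF, IRET and interrupt entry as
 * stated in sections 8.3.1, 9.2, 9.6.1.2 and 9.6.1.3. Added example, not
 * Intel's code; only the bits those sections discuss are modelled. */

#define EFLAGS_TF    (1u << 8)
#define EFLAGS_IF    (1u << 9)
#define EFLAGS_IOPL  (3u << 12)

static unsigned iopl_of(uint32_t eflags) { return (eflags >> 12) & 3u; }

/* POPF and IRET load the flags image from the stack, but IOPL changes
 * only at CPL 0 and IF changes only when CPL <= the IOPL in force before
 * the load. No exception is raised; protected bits keep their value. */
uint32_t load_flags_image(uint32_t current, uint32_t image, unsigned cpl)
{
    uint32_t from_image = ~0u;               /* bits taken from the image */
    if (cpl != 0)
        from_image &= ~EFLAGS_IOPL;
    if (cpl > iopl_of(current))
        from_image &= ~EFLAGS_IF;
    return (current & ~from_image) | (image & from_image);
}

/* CLI/STI: explicit IF change, allowed only when CPL <= IOPL; otherwise
 * a general protection exception is raised (returned here as false). */
bool cli_sti(uint32_t *eflags, unsigned cpl, bool set_if)
{
    if (cpl > iopl_of(*eflags))
        return false;
    if (set_if)
        *eflags |= EFLAGS_IF;
    else
        *eflags &= ~EFLAGS_IF;
    return true;
}

/* Flags in force when a handler is entered through a gate: the old value
 * has already been pushed, TF is cleared, and IF is cleared only for an
 * interrupt gate (a trap gate leaves IF alone). */
uint32_t flags_on_gate_entry(uint32_t pushed_eflags, bool interrupt_gate)
{
    uint32_t f = pushed_eflags & ~EFLAGS_TF;
    if (interrupt_gate)
        f &= ~EFLAGS_IF;
    return f;
}

int main(void)
{
    uint32_t f = 0x00000202u;   /* constructed: IF = 1, IOPL = 0 */
    printf("CPL 3 pops image IOPL=3,IF=0: %08X\n",
           (unsigned)load_flags_image(f, 0x00003002u, 3));   /* IOPL, IF unchanged */
    printf("CPL 0 pops the same image:   %08X\n",
           (unsigned)load_flags_image(f, 0x00003002u, 0));   /* both taken */
    return 0;
}
```

The silent behaviour is the point for a systems programmer: a procedure above IOPL that pops a flags image with IF cleared gets no fault and no change, so code that relies on POPF to disable interrupts must run at a privilege level at or above IOPL.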
8084 Figure 9-5. Stack Layout after Exception or Interrupt

     (Figure reconstructed as text. Each row is one doubleword, higher
     addresses at the top; the stack expands downward. The 16-bit OLD SS
     and OLD CS values occupy the low half of their doubleword, the upper
     half being unused.)

     WITHOUT PRIVILEGE TRANSITION

       WITHOUT ERROR CODE                 WITH ERROR CODE
       +-----------------+ <- OLD SS:ESP  +-----------------+ <- OLD SS:ESP
       |   OLD EFLAGS    |                |   OLD EFLAGS    |
       |       | OLD CS  |                |       | OLD CS  |
       |   OLD EIP       |                |   OLD EIP       |
       +-----------------+ <- NEW SS:ESP  |   ERROR CODE    |
                                          +-----------------+ <- NEW SS:ESP

     WITH PRIVILEGE TRANSITION

       WITHOUT ERROR CODE                 WITH ERROR CODE
       +-----------------+ <- SS:ESP      +-----------------+ <- SS:ESP
       |       | OLD SS  |    FROM TSS    |       | OLD SS  |    FROM TSS
       |   OLD ESP       |                |   OLD ESP       |
       |   OLD EFLAGS    |                |   OLD EFLAGS    |
       |       | OLD CS  |                |       | OLD CS  |
       |   OLD EIP       |                |   OLD EIP       |
       +-----------------+ <- NEW SS:ESP  |   ERROR CODE    |
                                          +-----------------+ <- NEW SS:ESP
8127 9.6.1.3 Flags Usage by Interrupt Procedure
8129 Interrupts that vector through either interrupt gates or trap gates cause
8130 TF (the trap flag) to be reset after the current value of TF is saved on the
8131 stack as part of EFLAGS. By this action the processor prevents debugging
8132 activity that uses single-stepping from affecting interrupt response. A
8133 subsequent IRET instruction restores TF to the value in the EFLAGS image on
8136 The difference between an interrupt gate and a trap gate is in the effect
8137 on IF (the interrupt-enable flag). An interrupt that vectors through an
8138 interrupt gate resets IF, thereby preventing other interrupts from
8139 interfering with the current interrupt handler. A subsequent IRET
8140 instruction restores IF to the value in the EFLAGS image on the stack. An
8141 interrupt through a trap gate does not change IF.
8144 9.6.1.4 Protection in Interrupt Procedures
8146 The privilege rule that governs interrupt procedures is similar to that for
8147 procedure calls: the CPU does not permit an interrupt to transfer control to
8148 a procedure in a segment of lesser privilege (numerically greater privilege
8149 level) than the current privilege level. An attempt to violate this rule
8150 results in a general protection exception.
8152 Because occurrence of interrupts is not generally predictable, this
8153 privilege rule effectively imposes restrictions on the privilege levels at
8154 which interrupt and exception handling procedures can execute. Either of the
8155 following strategies can be employed to ensure that the privilege rule is
8158 • Place the handler in a conforming segment. This strategy suits the
8159 handlers for certain exceptions (divide error, for example). Such a
8160 handler must use only the data available to it from the stack. If it
8161 needed data from a data segment, the data segment would have to have
8162 privilege level three, thereby making it unprotected.
8164 • Place the handler procedure in a privilege level zero segment.
8167 9.6.2 Interrupt Tasks
8169 A task gate in the IDT points indirectly to a task, as Figure 9-6
8170 illustrates. The selector of the gate points to a TSS descriptor in the GDT.
8172 When an interrupt or exception vectors to a task gate in the IDT, a task
8173 switch results. Handling an interrupt with a separate task offers two
8176 • The entire context is saved automatically.
8178 • The interrupt handler can be isolated from other tasks by giving it a
8179 separate address space, either via its LDT or via its page directory.
8181 The actions that the processor takes to perform a task switch are discussed
8182 in Chapter 7. The interrupt task returns to the interrupted task by
8183 executing an IRET instruction.
8185 If the task switch is caused by an exception that has an error code, the
8186 processor automatically pushes the error code onto the stack that
8187 corresponds to the privilege level of the first instruction to be executed
8188 in the interrupt task.
8190 When interrupt tasks are used in an operating system for the 80386, there
8191 are actually two schedulers: the software scheduler (part of the operating
8192 system) and the hardware scheduler (part of the processor's interrupt
8193 mechanism). The design of the software scheduler should account for the fact
8194 that the hardware scheduler may dispatch an interrupt task whenever
8195 interrupts are enabled.
8198 Figure 9-6. Interrupt Vectoring for Tasks

     (Figure artwork not recoverable. It showed a TASK GATE in the IDT whose
     selector points to a TSS DESCRIPTOR in the GDT, which in turn locates
     the task state segment of the interrupt task.)
8224 With exceptions that relate to a specific segment, the processor pushes an
8225 error code onto the stack of the exception handler (whether procedure or
8226 task). The error code has the format shown in Figure 9-7. The format of the
8227 error code resembles that of a selector; however, instead of an RPL field,
8228 the error code contains two one-bit items:
8230 1. The processor sets the EXT bit if an event external to the program
8231 caused the exception.
8233 2. The processor sets the I-bit (IDT-bit) if the index portion of the
8234 error code refers to a gate descriptor in the IDT.
8236 If the I-bit is not set, the TI bit indicates whether the error code refers
8237 to the GDT (value 0) or to the LDT (value 1). The remaining 14 bits are the
8238 upper 14 bits of the segment selector involved. In some cases the error code
8239 on the stack is null, i.e., all bits in the low-order word are zero.
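Decoding the error code is the first thing a general protection or segment-not-present handler has to do, and the bit order (EXT in bit 0, the IDT bit in bit 1, TI in bit 2, index above) is easy to confuse with a selector's RPL/TI/index layout. The following is an added example written for this page, not Intel's code; the error code and selector values in the test cases are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Error code format of Figure 9-7. Added example built for this page,
 * not Intel's code. */

enum err_table { ERR_NONE, ERR_GDT, ERR_LDT, ERR_IDT };

struct error_code {
    bool null;        /* low-order word entirely zero */
    bool ext;         /* bit 0: an event external to the program caused it */
    bool idt;         /* bit 1: index refers to a gate descriptor in the IDT */
    bool ti;          /* bit 2: 0 = GDT, 1 = LDT (meaningful when idt == 0) */
    unsigned index;   /* bits 15..3: upper bits of the selector involved */
};

struct error_code decode_error_code(uint32_t pushed)
{
    uint16_t w = (uint16_t)pushed;     /* bits 31..16 are undefined */
    struct error_code e;
    e.null  = (w == 0);
    e.ext   = w & 1u;
    e.idt   = (w >> 1) & 1u;
    e.ti    = (w >> 2) & 1u;
    e.index = w >> 3;
    return e;
}

/* Which descriptor table the index field refers to. */
enum err_table error_code_table(struct error_code e)
{
    if (e.null) return ERR_NONE;
    if (e.idt)  return ERR_IDT;
    return e.ti ? ERR_LDT : ERR_GDT;
}

const char *err_table_name(enum err_table t)
{
    static const char *const names[] = { "none", "GDT", "LDT", "IDT" };
    return names[t];
}

/* Reverse direction, useful when checking a handler against known input:
 * a segment-related code keeps the upper 14 bits of the selector (index
 * and TI) and replaces the RPL field with I = 0 and EXT. */
uint16_t error_code_from_selector(uint16_t selector, bool ext)
{
    return (uint16_t)((selector & 0xFFFCu) | (ext ? 1u : 0u));
}

/* A code that names an IDT gate carries the vector number in the index. */
uint16_t error_code_from_vector(unsigned vector, bool ext)
{
    return (uint16_t)(((vector & 0x1FFFu) << 3) | 2u | (ext ? 1u : 0u));
}

int main(void)
{
    /* Constructed sample: a code referring to GDT selector index 5. */
    struct error_code e = decode_error_code(0x00000028u);
    printf("index %u in %s, ext=%d\n", e.index,
           err_table_name(error_code_table(e)), (int)e.ext);
    return 0;
}
```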
8242 Figure 9-7. Error Code Format

     (Figure reconstructed as text; bit 31 on the left.)

       31 ................ 16 | 15 ............... 3 |  2  |  1  |  0
       +----------------------+----------------------+-----+-----+-----+
       |      UNDEFINED       |    SELECTOR INDEX    | T I |  I  | EXT |
       +----------------------+----------------------+-----+-----+-----+
9.8 Exception Conditions

The following sections describe each of the possible exception conditions
in detail. Each description classifies the exception as a fault, trap, or
abort. This classification provides information needed by systems
programmers for restarting the procedure in which the exception occurred:

Faults   The CS and EIP values saved when a fault is reported point to the
         instruction causing the fault.

Traps    The CS and EIP values stored when the trap is reported point to the
         instruction dynamically after the instruction causing the trap. If
         a trap is detected during an instruction that alters program flow,
         the reported values of CS and EIP reflect the alteration of program
         flow. For example, if a trap is detected in a JMP instruction, the
         CS and EIP values pushed onto the stack point to the target of the
         JMP, not to the instruction after the JMP.

Aborts   An abort is an exception that permits neither precise location of
         the instruction causing the exception nor restart of the program
         that caused the exception. Aborts are used to report severe errors,
         such as hardware errors and inconsistent or illegal values in
9.8.1 Interrupt 0 -- Divide Error

The divide-error fault occurs during a DIV or an IDIV instruction when the

9.8.2 Interrupt 1 -- Debug Exceptions

The processor triggers this interrupt for any of a number of conditions;
whether the exception is a fault or a trap depends on the condition:

* Instruction address breakpoint fault.
* Data address breakpoint trap.
* General detect fault.
* Task-switch breakpoint trap.

The processor does not push an error code for this exception. An exception
handler can examine the debug registers to determine which condition caused
the exception. Refer to Chapter 12 for more detailed information about
debugging and the debug registers.

9.8.3 Interrupt 3 -- Breakpoint

The INT 3 instruction causes this trap. The INT 3 instruction is one byte
long, which makes it easy to replace an opcode in an executable segment with
the breakpoint opcode. The operating system or a debugging subsystem can use
a data-segment alias for an executable segment to place an INT 3 anywhere it
is convenient to arrest normal execution so that some sort of special
processing can be performed. Debuggers typically use breakpoints as a way of
displaying registers, variables, etc., at crucial points in a task.

The saved CS:EIP value points to the byte following the breakpoint. If a
debugger replaces a planted breakpoint with a valid opcode, it must subtract
one from the saved EIP value before returning. Refer also to Chapter 12 for
more information on debugging.

9.8.4 Interrupt 4 -- Overflow

This trap occurs when the processor encounters an INTO instruction and the
OF (overflow) flag is set. Since signed arithmetic and unsigned arithmetic
both use the same arithmetic instructions, the processor cannot determine
which is intended and therefore does not cause overflow exceptions
automatically. Instead it merely sets OF when the results, if interpreted as
signed numbers, would be out of range. When doing arithmetic on signed
operands, careful programmers and compilers either test OF directly or use
the INTO instruction.

9.8.5 Interrupt 5 -- Bounds Check

This fault occurs when the processor, while executing a BOUND instruction,
finds that the operand exceeds the specified limits. A program can use the
BOUND instruction to check a signed array index against signed limits
defined in a block of memory.

9.8.6 Interrupt 6 -- Invalid Opcode

This fault occurs when an invalid opcode is detected by the execution unit.
(The exception is not detected until an attempt is made to execute the
invalid opcode; i.e., prefetching an invalid opcode does not cause this
exception.) No error code is pushed on the stack. The exception can be
handled within the same task.

This exception also occurs when the type of operand is invalid for the
given opcode. Examples include an intersegment JMP referencing a register
operand, or an LES instruction with a register source operand.

9.8.7 Interrupt 7 -- Coprocessor Not Available

This exception occurs in either of two conditions:

* The processor encounters an ESC (escape) instruction, and the EM
  (emulate) bit of CR0 (control register zero) is set.

* The processor encounters either the WAIT instruction or an ESC
  instruction, and both the MP (monitor coprocessor) and TS (task
  switched) bits of CR0 are set.

Refer to Chapter 11 for information about the coprocessor interface.

9.8.8 Interrupt 8 -- Double Fault

Normally, when the processor detects an exception while trying to invoke
the handler for a prior exception, the two exceptions can be handled
serially. If, however, the processor cannot handle them serially, it signals
the double-fault exception instead. To determine when two faults are to be
signalled as a double fault, the 80386 divides the exceptions into three
classes: benign exceptions, contributory exceptions, and page faults. Table
9-3 shows this classification.

Table 9-4 shows which combinations of exceptions cause a double fault and

The processor always pushes an error code onto the stack of the
double-fault handler; however, the error code is always zero. The faulting
instruction may not be restarted. If any other exception occurs while
attempting to invoke the double-fault handler, the processor shuts down.
Table 9-3. Double-Fault Detection Classes

Class          ID   Description
-------------  ---  ----------------------------
Benign         5    Bounds check
Exceptions     7    Coprocessor not available
               16   Coprocessor error

Contributory   9    Coprocessor Segment Overrun
Exceptions     10   Invalid TSS
               11   Segment not present
               13   General protection

Page Faults    14   Page fault

Table 9-4. Double-Fault Definition

                        Benign        Contributory    Page
                        Exception     Exception       Fault

FIRST    Contributory   OK            DOUBLE          OK

         Page Fault     OK            DOUBLE          DOUBLE
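As an added example (not from the manual), the following C functions turn Tables 9-3 and 9-4 into the decision an exception dispatcher makes about a second exception; the rows missing from this copy of Table 9-3 (vectors 0, 1, 2, 3, 4, 6 and 12) and the benign-first row of Table 9-4 are filled in from the full 80386 classification and are an assumption of the example.

```c
#include <stdio.h>

/* Exception classes of Table 9-3. Rows absent from this copy of the table
 * are filled in from the full 80386 classification (assumed here, not taken
 * from the excerpt): benign also covers vectors 1, 2, 3, 4 and 6;
 * contributory also covers vectors 0 and 12. */
enum fault_class {
    CLASS_BENIGN,
    CLASS_CONTRIBUTORY,
    CLASS_PAGE_FAULT,
    CLASS_OTHER          /* external or software interrupts: not in Table 9-3 */
};

enum fault_class classify_exception(int vector)
{
    switch (vector) {
    case 1: case 2: case 3: case 4: case 5: case 6: case 7: case 16:
        return CLASS_BENIGN;
    case 0: case 9: case 10: case 11: case 12: case 13:
        return CLASS_CONTRIBUTORY;
    case 14:
        return CLASS_PAGE_FAULT;
    default:
        return CLASS_OTHER;
    }
}

/* Table 9-4: 1 if a second exception raised while invoking the handler for
 * the first must be reported as a double fault (interrupt 8), 0 if the two
 * are handled serially. The benign-first row is not in this copy of the
 * table; it is assumed to be handled serially in every column. */
int is_double_fault(int first, int second)
{
    enum fault_class f = classify_exception(first);
    enum fault_class s = classify_exception(second);

    if (f == CLASS_OTHER || s == CLASS_OTHER)
        return 0;
    if (f == CLASS_BENIGN || s == CLASS_BENIGN)
        return 0;                               /* "OK" row or column */
    if (f == CLASS_CONTRIBUTORY)
        return s == CLASS_CONTRIBUTORY;         /* contributory then page fault: OK */
    return 1;                                   /* page fault then contributory or page fault */
}

/* What the processor does when `second` is detected while it is trying to
 * invoke the handler for `first` (Section 9.8.8). */
enum second_fault_outcome { OUTCOME_SERIAL, OUTCOME_DOUBLE_FAULT, OUTCOME_SHUTDOWN };

enum second_fault_outcome outcome_of_second_fault(int first, int second)
{
    if (first == 8)
        return OUTCOME_SHUTDOWN;     /* any fault while invoking the double-fault handler */
    return is_double_fault(first, second) ? OUTCOME_DOUBLE_FAULT : OUTCOME_SERIAL;
}

int main(void)
{
    /* Constructed (first, second) pairs. */
    static const int pairs[][2] = { {13, 13}, {13, 14}, {14, 13}, {14, 14},
                                    {11, 1}, {6, 13}, {8, 14} };
    static const char *names[] = { "handled serially", "DOUBLE FAULT", "SHUTDOWN" };
    size_t i;

    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("first %2d, second %2d: %s\n", pairs[i][0], pairs[i][1],
               names[outcome_of_second_fault(pairs[i][0], pairs[i][1])]);
    return 0;
}
```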
9.8.9 Interrupt 9 -- Coprocessor Segment Overrun

This exception is raised in protected mode if the 80386 detects a page or
segment violation while transferring the middle portion of a coprocessor
operand to the NPX. This exception is avoidable. Refer to Chapter 11 for
more information about the coprocessor interface.

9.8.10 Interrupt 10 -- Invalid TSS

Interrupt 10 occurs if during a task switch the new TSS is invalid. A TSS
is considered invalid in the cases shown in Table 9-5. An error code is
pushed onto the stack to help identify the cause of the fault. The EXT bit
indicates whether the exception was caused by a condition outside the
control of the program; e.g., an external interrupt via a task gate
triggered a switch to an invalid TSS.

This fault can occur either in the context of the original task or in the
context of the new task. Until the processor has completely verified the
presence of the new TSS, the exception occurs in the context of the original
task. Once the existence of the new TSS is verified, the task switch is
considered complete; i.e., TR is updated and, if the switch is due to a
CALL or interrupt, the backlink of the new TSS is set to the old TSS. Any
errors discovered by the processor after this point are handled in the
context of the new task.

To ensure a proper TSS to process it, the handler for exception 10 must be
a task invoked via a task gate.
Table 9-5. Conditions That Invalidate the TSS

Error Code            Condition
--------------------  -----------------------------------------------------
TSS id + EXT          The limit in the TSS descriptor is less than 103
LDT id + EXT          Invalid LDT selector or LDT not present
SS id + EXT           Stack segment selector is outside table limit
SS id + EXT           Stack segment is not a writable segment
SS id + EXT           Stack segment DPL does not match new CPL
SS id + EXT           Stack segment selector RPL <> CPL
CS id + EXT           Code segment selector is outside table limit
CS id + EXT           Code segment selector does not refer to code
CS id + EXT           DPL of non-conforming code segment <> new CPL
CS id + EXT           DPL of conforming code segment > new CPL
DS/ES/FS/GS id + EXT  DS, ES, FS, or GS segment selector is outside
                      table limit
DS/ES/FS/GS id + EXT  DS, ES, FS, or GS is not a readable segment
9.8.11 Interrupt 11 -- Segment Not Present

Exception 11 occurs when the processor detects that the present bit of a
descriptor is zero. The processor can trigger this fault in any of these

* While attempting to load the CS, DS, ES, FS, or GS registers; loading
  the SS register, however, causes a stack fault.

* While attempting to load the LDT register with an LLDT instruction;
  loading the LDT register during a task switch operation, however,
  causes the "invalid TSS" exception.

* While attempting to use a gate descriptor that is marked not-present.

This fault is restartable. If the exception handler makes the segment
present and returns, the interrupted program will resume execution.

If a not-present exception occurs during a task switch, not all the steps
of the task switch are complete. During a task switch, the processor first
loads all the segment registers, then checks their contents for validity. If
a not-present exception is discovered, the remaining segment registers have
not been checked and therefore may not be usable for referencing memory. The
not-present handler should not rely on being able to use the values found
in CS, SS, DS, ES, FS, and GS without causing another exception. The
exception handler should check all segment registers before trying to resume
the new task; otherwise, general protection faults may result later under
conditions that make diagnosis more difficult. There are three ways to

1. Handle the not-present fault with a task. The task switch back to the
   interrupted task will cause the processor to check the registers as it
   loads them from the TSS.

2. PUSH and POP all segment registers. Each POP causes the processor to
   check the new contents of the segment register.

3. Scrutinize the contents of each segment-register image in the TSS,
   simulating the test that the processor makes when it loads a segment
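The third approach, simulating the processor's checks on the segment-register images in the TSS, as an added C example that is not from the manual: the conditions follow Table 9-5, while the check ordering, the decoded descriptor struct and the sample GDT are this example's own constructions.

```c
#include <stdint.h>

struct descriptor {           /* decoded fields the checks need */
    int present;              /* P bit */
    int system;               /* 1 = system descriptor (TSS, LDT, gate) */
    int executable;           /* code segment */
    int rw;                   /* code: readable; data: writable */
    int conforming;           /* code segments only */
    int dpl;
};

struct desc_table { const struct descriptor *entries; unsigned count; };

enum seg_reg { REG_CS, REG_SS, REG_DATA /* DS, ES, FS or GS */ };

enum check_result {
    CHECK_OK,
    CHECK_OUTSIDE_TABLE_LIMIT,  /* Table 9-5: selector outside table limit */
    CHECK_NOT_CODE,             /* Table 9-5: CS does not refer to code */
    CHECK_NOT_WRITABLE,         /* Table 9-5: SS not a writable segment */
    CHECK_NOT_READABLE,         /* Table 9-5: DS/ES/FS/GS not readable */
    CHECK_DPL_MISMATCH,         /* Table 9-5: DPL rules for SS or CS */
    CHECK_RPL_MISMATCH,         /* Table 9-5: SS selector RPL <> CPL */
    CHECK_SYSTEM_SEGMENT,       /* data/stack register given a system descriptor */
    CHECK_NOT_PRESENT           /* "segment not present" (stack fault for SS) */
};

/* Simulate the checks the processor makes when it loads one segment register
 * from a TSS image: table limit, type and privilege first (invalid-TSS
 * conditions of Table 9-5), then the present bit. This ordering is this
 * example's reading of Section 9.8.11, not a statement from the manual. */
enum check_result check_segment_image(const struct desc_table *t,
                                      uint16_t selector, enum seg_reg reg,
                                      int new_cpl)
{
    unsigned index = selector >> 3;
    int rpl = selector & 3;
    const struct descriptor *d;

    if ((selector & 0xFFFCu) == 0)        /* null selector */
        return reg == REG_DATA ? CHECK_OK : CHECK_OUTSIDE_TABLE_LIMIT;
    if (index >= t->count)
        return CHECK_OUTSIDE_TABLE_LIMIT;
    d = &t->entries[index];
    if (d->system)
        return reg == REG_CS ? CHECK_NOT_CODE : CHECK_SYSTEM_SEGMENT;
    switch (reg) {
    case REG_SS:
        if (d->executable || !d->rw)
            return CHECK_NOT_WRITABLE;
        if (d->dpl != new_cpl)
            return CHECK_DPL_MISMATCH;
        if (rpl != new_cpl)
            return CHECK_RPL_MISMATCH;
        break;
    case REG_CS:
        if (!d->executable)
            return CHECK_NOT_CODE;
        if (d->conforming ? d->dpl > new_cpl : d->dpl != new_cpl)
            return CHECK_DPL_MISMATCH;
        break;
    case REG_DATA:
        if (d->executable && !d->rw)
            return CHECK_NOT_READABLE;
        break;
    }
    return d->present ? CHECK_OK : CHECK_NOT_PRESENT;
}

struct tss_segments { uint16_t cs, ss, ds, es, fs, gs; };  /* images in the TSS */

/* Check every register image before resuming the new task; returns how many
 * fail, so the handler can refuse to resume instead of faulting later. */
int check_tss_segments(const struct desc_table *t,
                       const struct tss_segments *s, int cpl)
{
    const uint16_t data[4] = { s->ds, s->es, s->fs, s->gs };
    int failures = 0, i;

    failures += check_segment_image(t, s->cs, REG_CS, cpl) != CHECK_OK;
    failures += check_segment_image(t, s->ss, REG_SS, cpl) != CHECK_OK;
    for (i = 0; i < 4; i++)
        failures += check_segment_image(t, data[i], REG_DATA, cpl) != CHECK_OK;
    return failures;
}

/* Constructed sample GDT (not from the manual): present, system, exec, rw, conf, dpl */
static const struct descriptor sample_entries[] = {
    { 0, 0, 0, 0, 0, 0 },  /* 0: null descriptor */
    { 1, 0, 1, 1, 0, 0 },  /* 1: code, readable, DPL 0 */
    { 1, 0, 0, 1, 0, 0 },  /* 2: data, writable, DPL 0 */
    { 0, 0, 0, 1, 0, 0 },  /* 3: data, writable, not present */
    { 1, 0, 1, 0, 0, 0 },  /* 4: code, execute-only */
    { 1, 1, 0, 0, 0, 0 },  /* 5: system segment (a TSS) */
};
const struct desc_table sample_gdt = { sample_entries, 6 };
```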
This exception pushes an error code onto the stack. The EXT bit of the
error code is set if an event external to the program caused an interrupt
that subsequently referenced a not-present segment. The I-bit is set if the
error code refers to an IDT entry, e.g., an INT instruction referencing a

An operating system typically uses the "segment not present" exception to
implement virtual memory at the segment level. A not-present indication in a
gate descriptor, however, usually does not indicate that a segment is not
present (because gates do not necessarily correspond to segments).
Not-present gates may be used by an operating system to trigger exceptions
of special significance to the operating system.

9.8.12 Interrupt 12 -- Stack Exception

A stack fault occurs in either of two general conditions:

* As a result of a limit violation in any operation that refers to the
  SS register. This includes stack-oriented instructions such as POP,
  PUSH, ENTER, and LEAVE, as well as other memory references that
  implicitly use SS (for example, MOV AX, [BP+6]). ENTER causes this
  exception when the stack is too small for the indicated local-variable

* When attempting to load the SS register with a descriptor that is
  marked not-present but is otherwise valid. This can occur in a task
  switch, an interlevel CALL, an interlevel return, an LSS instruction,
  or a MOV or POP instruction to SS.

When the processor detects a stack exception, it pushes an error code onto
the stack of the exception handler. If the exception is due to a not-present
stack segment or to overflow of the new stack during an interlevel CALL, the
error code contains a selector to the segment in question (the exception
handler can test the present bit in the descriptor to determine which
exception occurred); otherwise the error code is zero.

An instruction that causes this fault is restartable in all cases. The
return pointer pushed onto the exception handler's stack points to the
instruction that needs to be restarted. This instruction is usually the one
that caused the exception; however, in the case of a stack exception due to
loading of a not-present stack-segment descriptor during a task switch, the
indicated instruction is the first instruction of the new task.

When a stack fault occurs during a task switch, the segment registers may
not be usable for referencing memory. During a task switch, the selector
values are loaded before the descriptors are checked. If a stack fault is
discovered, the remaining segment registers have not been checked and
therefore may not be usable for referencing memory. The stack fault handler
should not rely on being able to use the values found in CS, SS, DS, ES,
FS, and GS without causing another exception. The exception handler should
check all segment registers before trying to resume the new task; otherwise,
general protection faults may result later under conditions that make
diagnosis more difficult.
9.8.13 Interrupt 13 -- General Protection Exception

All protection violations that do not cause another exception cause a
general protection exception. This includes (but is not limited to):

1. Exceeding segment limit when using CS, DS, ES, FS, or GS

2. Exceeding segment limit when referencing a descriptor table

3. Transferring control to a segment that is not executable

4. Writing into a read-only data segment or into a code segment

5. Reading from an execute-only segment

6. Loading the SS register with a read-only descriptor (unless the
   selector comes from the TSS during a task switch, in which case a TSS

7. Loading SS, DS, ES, FS, or GS with the descriptor of a system segment

8. Loading DS, ES, FS, or GS with the descriptor of an executable
   segment that is not also readable

9. Loading SS with the descriptor of an executable segment

10. Accessing memory via DS, ES, FS, or GS when the segment register
    contains a null selector

11. Switching to a busy task

12. Violating privilege rules

13. Loading CR0 with PG=1 and PE=0.

14. Interrupt or exception via trap or interrupt gate from V86 mode to
    privilege level other than zero.

15. Exceeding the instruction length limit of 15 bytes (this can occur
    only if redundant prefixes are placed before an instruction)

The general protection exception is a fault. In response to a general
protection exception, the processor pushes an error code onto the exception
handler's stack. If loading a descriptor causes the exception, the error
code contains a selector to the descriptor; otherwise, the error code is
null. The source of the selector in an error code may be any of the

1. An operand of the instruction.
2. A selector from a gate that is the operand of the instruction.
3. A selector from a TSS involved in a task switch.
9.8.14 Interrupt 14 -- Page Fault

This exception occurs when paging is enabled (PG=1) and the processor
detects one of the following conditions while translating a linear address
to a physical address:

* The page-directory or page-table entry needed for the address
  translation has zero in its present bit.

* The current procedure does not have sufficient privilege to access the

The processor makes available to the page fault handler two items of
information that aid in diagnosing the exception and recovering from it:

* An error code on the stack. The error code for a page fault has a
  format different from that for other exceptions (see Figure 9-8). The
  error code tells the exception handler three things:

  1. Whether the exception was due to a not present page or to an access

  2. Whether the processor was executing at user or supervisor level at
     the time of the exception.

  3. Whether the memory access that caused the exception was a read or

* CR2 (control register two). The processor stores in CR2 the linear
  address used in the access that caused the exception (see Figure 9-9).
  The exception handler can use this address to locate the corresponding
  page directory and page table entries. If another page fault can occur
  during execution of the page fault handler, the handler should push CR2
Figure 9-8. Page-Fault Error Code Format

Field  Value  Description
-----  -----  -------------------------------------------------------------
U/S    0      The access causing the fault originated when the processor
              was executing in supervisor mode.
       1      The access causing the fault originated when the processor
              was executing in user mode.
W/R    0      The access causing the fault was a read.
       1      The access causing the fault was a write.
P      0      The fault was caused by a not-present page.
       1      The fault was caused by a page-level protection violation.

 31                                                        3   2   1   0
+----------------------------------------------------------+---+---+---+
|                        UNDEFINED                         | U | W |   |
|                                                          | / | / | P |
|                                                          | S | R |   |
+----------------------------------------------------------+---+---+---+
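An added C example (not from the manual) that decodes the Figure 9-8 error code together with the CR2 value and picks a handler action; the 10/10/12-bit split of the linear address is the 80386 paging layout assumed here rather than stated in this section, and the (error code, CR2) pairs in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit positions of the page-fault error code (Figure 9-8). */
#define PF_P   0x1u   /* 0 = not-present page, 1 = page-level protection violation */
#define PF_WR  0x2u   /* 0 = read, 1 = write */
#define PF_US  0x4u   /* 0 = supervisor mode, 1 = user mode */

struct page_fault {
    int protection_violation;
    int write;
    int user;
    uint32_t linear;        /* faulting linear address, from CR2 (Figure 9-9) */
    unsigned dir_index;     /* page-directory index: linear bits 31..22 */
    unsigned table_index;   /* page-table index: linear bits 21..12 */
    unsigned offset;        /* byte offset within the 4K page: bits 11..0 */
};

/* The handler must read CR2 before anything that could fault again, so the
 * value is passed in together with the error code. The 10/10/12-bit split
 * is the 80386 paging layout from the manual's paging chapter, assumed here
 * rather than taken from this section. */
struct page_fault decode_page_fault(uint32_t error_code, uint32_t cr2)
{
    struct page_fault f;

    f.protection_violation = (error_code & PF_P)  != 0;
    f.write                = (error_code & PF_WR) != 0;
    f.user                 = (error_code & PF_US) != 0;
    f.linear      = cr2;
    f.dir_index   = cr2 >> 22;
    f.table_index = (cr2 >> 12) & 0x3FFu;
    f.offset      = cr2 & 0xFFFu;
    return f;
}

enum pf_action {
    PF_PAGE_IN,        /* not-present page: demand paging, then restart the instruction */
    PF_SIGNAL_TASK,    /* user-mode protection violation: report it to the task */
    PF_KERNEL_ERROR    /* supervisor-mode protection violation: a kernel defect */
};

/* A simple handler policy based only on the three error-code bits. */
enum pf_action choose_action(const struct page_fault *f)
{
    if (!f->protection_violation)
        return PF_PAGE_IN;
    return f->user ? PF_SIGNAL_TASK : PF_KERNEL_ERROR;
}

/* Render a one-line diagnostic; returns the number of characters written. */
int describe_page_fault(const struct page_fault *f, char *buf, size_t len)
{
    return snprintf(buf, len, "%s %s at %08X (dir %u, table %u, offset %03X): %s",
                    f->user ? "user" : "supervisor",
                    f->write ? "write" : "read",
                    (unsigned)f->linear, f->dir_index, f->table_index, f->offset,
                    f->protection_violation ? "protection violation"
                                            : "page not present");
}

int main(void)
{
    /* Constructed samples: (error code, CR2) pairs. */
    static const uint32_t samples[][2] = {
        { 0x0u, 0x00401234u }, { 0x6u, 0x08048000u },
        { 0x7u, 0xC0000010u }, { 0x3u, 0xC0100000u }
    };
    static const char *actions[] = { "page in", "signal task", "kernel error" };
    char line[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct page_fault f = decode_page_fault(samples[i][0], samples[i][1]);
        describe_page_fault(&f, line, sizeof line);
        printf("%s -> %s\n", line, actions[choose_action(&f)]);
    }
    return 0;
}
```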
9.8.14.1 Page Fault During Task Switch

The processor may access any of four segments during a task switch:

1. Writes the state of the original task in the TSS of that task.

2. Reads the GDT to locate the TSS descriptor of the new task.

3. Reads the TSS of the new task to check the types of segment
   descriptors from the TSS.

4. May read the LDT of the new task in order to verify the segment
   registers stored in the new TSS.

A page fault can result from accessing any of these segments. In the latter
two cases the exception occurs in the context of the new task. The
instruction pointer refers to the next instruction of the new task, not to
the instruction that caused the task switch. If the design of the operating
system permits page faults to occur during task-switches, the page-fault
handler should be invoked via a task gate.

Figure 9-9. CR2 Format

 31                                                                  0
+--------------------------------------------------------------------+
|                     PAGE FAULT LINEAR ADDRESS                      |
+--------------------------------------------------------------------+
9.8.14.2 Page Fault with Inconsistent Stack Pointer

Special care should be taken to ensure that a page fault does not cause the
processor to use an invalid stack pointer (SS:ESP). Software written for
earlier processors in the 8086 family often uses a pair of instructions to
change to a new stack; for example:

With the 80386, because the second instruction accesses memory, it is
possible to get a page fault after SS has been changed but before SP has
received the corresponding change. At this point, the two parts of the stack
pointer SS:SP (or, for 32-bit programs, SS:ESP) are inconsistent.

The processor does not use the inconsistent stack pointer if the handling
of the page fault causes a stack switch to a well defined stack (i.e., the
handler is a task or a more privileged procedure). However, if the page
fault handler is invoked by a trap or interrupt gate and the page fault
occurs at the same privilege level as the page fault handler, the processor
will attempt to use the stack indicated by the current (invalid) stack

In systems that implement paging and that handle page faults within the
faulting task (with trap or interrupt gates), software that executes at the
same privilege level as the page fault handler should initialize a new stack
by using the new LSS instruction rather than an instruction pair shown
above. When the page fault handler executes at privilege level zero (the
normal case), the scope of the problem is limited to privilege-level zero
code, typically the kernel of the operating system.

9.8.15 Interrupt 16 -- Coprocessor Error

The 80386 reports this exception when it detects a signal from the 80287 or
80387 on the 80386's ERROR# input pin. The 80386 tests this pin only at the
beginning of certain ESC instructions and when it encounters a WAIT
instruction while the EM bit of the MSW is zero (no emulation). Refer to
Chapter 11 for more information on the coprocessor interface.
9.9 Exception Summary

Table 9-6 summarizes the exceptions recognized by the 386.

Table 9-6. Exception Summary

Description                  Interrupt  Return Address   Exception    Function That Can Generate
                             Number     Points to        Type         the Exception
                                        Faulting
                                        Instruction
---------------------------  ---------  ---------------  -----------  --------------------------------
Divide error                 0          YES              FAULT        DIV, IDIV
Debug exceptions             1          (1)              (1)          Any instruction
Breakpoint                   3          NO               TRAP         One-byte INT 3
Overflow                     4          NO               TRAP         INTO
Bounds check                 5          YES              FAULT        BOUND
Invalid opcode               6          YES              FAULT        Any illegal instruction
Coprocessor not available    7          YES              FAULT        ESC, WAIT
Double fault                 8          YES              ABORT        Any instruction that can
                                                                      generate an exception
Coprocessor Segment Overrun  9          NO               ABORT        Any operand of an ESC
                                                                      instruction that wraps around
                                                                      the end of a segment.
Invalid TSS                  10         YES (2)          FAULT        JMP, CALL, IRET, any interrupt
Segment not present          11         YES              FAULT        Any segment-register modifier
Stack exception              12         YES              FAULT        Any memory reference through SS
General Protection           13         YES (3)          FAULT/ABORT  Any memory reference or code
Page fault                   14         YES              FAULT        Any memory reference or code
Coprocessor error            16         YES (4)          FAULT        ESC, WAIT
Two-byte SW Interrupt        0-255      NO               TRAP         INT n

(1) Some debug exceptions are traps and some are faults. The exception
    handler can determine which has occurred by examining DR6. (Refer to
    Chapter 12.)
(2) An invalid-TSS fault is not restartable if it occurs during the
    processing of an external interrupt.
(3) All GP faults are restartable. If the fault occurs while attempting to
    vector to the handler for an external interrupt, the interrupted program
    is restartable, but the interrupt may be lost.
(4) Coprocessor errors are reported as a fault on the first ESC or WAIT
    instruction executed after the ESC instruction that caused the error.
9.10 Error Code Summary

Table 9-7 summarizes the error information that is available with each

Table 9-7. Error-Code Summary

Description                  Interrupt  Error Code
---------------------------  ---------  --------------
Debug exceptions             1          No
Coprocessor not available    7          No
System error                 8          Yes (always 0)
Coprocessor Segment Overrun  9          No
Segment not present          11         Yes
Stack exception              12         Yes
General protection fault     13         Yes
Coprocessor error            16         No
Two-byte SW interrupt        0-255      No
Chapter 10 Initialization
----------------------------------------------------------------------------

After a signal on the RESET pin, certain registers of the 80386 are set to
predefined values. These values are adequate to enable execution of a
bootstrap program, but additional initialization must be performed by
software before all the features of the processor can be utilized.

10.1 Processor State After Reset

The contents of EAX depend upon the results of the power-up self test. The
self-test may be requested externally by assertion of BUSY# at the end of
RESET. The EAX register holds zero if the 80386 passed the test. A nonzero
value in EAX after self-test indicates that the particular 80386 unit is
faulty. If the self-test is not requested, the contents of EAX after RESET

DX holds a component identifier and revision number after RESET as Figure
10-1 illustrates. DH contains 3, which indicates an 80386 component. DL
contains a unique identifier of the revision level.

Control register zero (CR0) contains the values shown in Figure 10-2. The
ET bit of CR0 is set if an 80387 is present in the configuration (according
to the state of the ERROR# pin after RESET). If ET is reset, the
configuration either contains an 80287 or does not contain a coprocessor. A
software test is required to distinguish between these latter two

The remaining registers and flags are set as follows:

All registers not mentioned above are undefined.

These settings imply that the processor begins in real-address mode with
interrupts disabled.
Figure 10-1. Contents of EDX after RESET

 31                              16 15             8 7              0
+----------------------------------+----------------+----------------+
|            UNDEFINED             |       DH       |       DL       |
|                                  |   DEVICE ID    |  STEPPING ID   |
|                                  |       3        |    (UNIQUE)    |
+----------------------------------+----------------+----------------+

Figure 10-2. Initial Contents of CR0

CONTROL REGISTER ZERO

 31                                              4    3    2    1    0
+----+------------------------------------------+----+----+----+----+----+
| PG |                UNDEFINED                 | ET | TS | EM | MP | PE |
+----+------------------------------------------+----+----+----+----+----+
  |                                               |    |    |    |    |
  0 - PAGING DISABLED                             |    |    |    |    |
  * - INDICATES PRESENCE OF 80387 ----------------+    |    |    |    |
  0 - NO TASK SWITCH ----------------------------------+    |    |    |
  0 - DO NOT MONITOR COPROCESSOR ---------------------------+    |    |
  0 - COPROCESSOR NOT PRESENT -----------------------------------+    |
  0 - PROTECTION NOT ENABLED (REAL ADDRESS MODE) ---------------------+
10.2 Software Initialization for Real-Address Mode

In real-address mode a few structures must be initialized before a program
can take advantage of all the features available in this mode.

No instructions that use the stack can be used until the stack-segment
register (SS) has been loaded. SS must point to an area in RAM.

10.2.2 Interrupt Table

The initial state of the 80386 leaves interrupts disabled; however, the
processor will still attempt to access the interrupt table if an exception
or nonmaskable interrupt (NMI) occurs. Initialization software should take
one of the following actions:

* Change the limit value in the IDTR to zero. This will cause a shutdown
  if an exception or nonmaskable interrupt occurs. (Refer to the 80386
  Hardware Reference Manual to see how shutdown is signalled externally.)

* Put pointers to valid interrupt handlers in all positions of the
  interrupt table that might be used by exceptions or interrupts.

* Change the IDTR to point to a valid interrupt table.

10.2.3 First Instructions

After RESET, address lines A31-A20 are automatically asserted for
instruction fetches. This fact, together with the initial values of CS:IP,
causes instruction execution to begin at physical address FFFFFFF0H. Near
(intrasegment) forms of control transfer instructions may be used to pass
control to other addresses in the upper 64K bytes of the address space. The
first far (intersegment) JMP or CALL instruction causes A31-A20 to drop
low, and the 80386 continues executing instructions in the lower one
megabyte of physical memory. This automatic assertion of address lines
A31-A20 allows systems designers to use a ROM at the high end of
the address space to initialize the system.
10.3 Switching to Protected Mode

Setting the PE bit of the MSW in CR0 causes the 80386 to begin executing in
protected mode. The current privilege level (CPL) starts at zero. The
segment registers continue to point to the same linear addresses as in real
address mode (in real address mode, linear addresses are the same physical

Immediately after setting the PE flag, the initialization code must flush
the processor's instruction prefetch queue by executing a JMP instruction.
The 80386 fetches and decodes instructions and addresses before they are
used; however, after a change into protected mode, the prefetched
instruction information (which pertains to real-address mode) is no longer
valid. A JMP forces the processor to discard the invalid information.

10.4 Software Initialization for Protected Mode

Most of the initialization needed for protected mode can be done either
before or after switching to protected mode. If done in protected mode,
however, the initialization procedures must not use protected-mode features
that are not yet initialized.

10.4.1 Interrupt Descriptor Table

The IDTR may be loaded in either real-address or protected mode. However,
the format of the interrupt table for protected mode is different than that
for real-address mode. It is not possible to change to protected mode and
change interrupt table formats at the same time; therefore, it is inevitable
that, if IDTR selects an interrupt table, it will have the wrong format at
some time. An interrupt or exception that occurs at this time will have
unpredictable results. To avoid this unpredictability, interrupts should
remain disabled until interrupt handlers are in place and a valid IDT has
been created in protected mode.

The SS register may be loaded in either real-address mode or protected
mode. If loaded in real-address mode, SS continues to point to the same
linear base-address after the switch to protected mode.

10.4.3 Global Descriptor Table

Before any segment register is changed in protected mode, the GDT register
must point to a valid GDT. Initialization of the GDT and GDTR may be done in
real-address mode. The GDT (as well as LDTs) should reside in RAM, because
the processor modifies the accessed bit of descriptors.
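An added C example (not the manual's ASM386 code) that packs a descriptor in the field order of the DESC template used by the listing in Section 10.5 and reads it back, including the 103-byte TSS limit check from Table 9-5; the GDTbase value 00001000H and the two access bytes are from the listing, while the other bases and limits in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* One GDT/LDT entry in the field order of the DESC template used by the
 * initialization listing in Section 10.5. */
struct descriptor {
    uint16_t lim_0_15;    /* limit bits 0..15 */
    uint16_t bas_0_15;    /* base bits 0..15 */
    uint8_t  bas_16_23;   /* base bits 16..23 */
    uint8_t  access;      /* access byte */
    uint8_t  gran;        /* G, D/B, 0, AVL, limit bits 16..19 */
    uint8_t  bas_24_31;   /* base bits 24..31 */
};

/* Access bytes from the listing: 10010010B and 10001001B. */
#define DS_ACCESS   0x92u   /* present, DPL 0, writable data segment */
#define TSS_ACCESS  0x89u   /* present, DPL 0, available 80386 TSS */

/* Pack base, limit and access into the descriptor. Limits above 1M bytes
 * need page granularity (G = 1), which can only express limits of the
 * form n*4K - 1; any other large limit is rejected with -1. `big` sets
 * the D/B bit (32-bit operands, ESP-based stack). */
int make_descriptor(struct descriptor *d, uint32_t base, uint32_t limit,
                    uint8_t access, int big)
{
    unsigned g = 0;

    if (limit > 0xFFFFFu) {
        if ((limit & 0xFFFu) != 0xFFFu)
            return -1;
        limit >>= 12;
        g = 1;
    }
    d->lim_0_15  = (uint16_t)(limit & 0xFFFFu);
    d->bas_0_15  = (uint16_t)(base & 0xFFFFu);
    d->bas_16_23 = (uint8_t)((base >> 16) & 0xFFu);
    d->access    = access;
    d->gran      = (uint8_t)((g << 7) | ((big ? 1u : 0u) << 6) | ((limit >> 16) & 0xFu));
    d->bas_24_31 = (uint8_t)((base >> 24) & 0xFFu);
    return 0;
}

uint32_t descriptor_base(const struct descriptor *d)
{
    return (uint32_t)d->bas_0_15 | ((uint32_t)d->bas_16_23 << 16) |
           ((uint32_t)d->bas_24_31 << 24);
}

/* Effective byte limit, expanding page granularity the way the processor does. */
uint32_t descriptor_limit(const struct descriptor *d)
{
    uint32_t limit = (uint32_t)d->lim_0_15 | ((uint32_t)(d->gran & 0xFu) << 16);
    return (d->gran & 0x80u) ? (limit << 12) | 0xFFFu : limit;
}

/* The eight bytes as they must appear in the table in RAM (little-endian). */
void descriptor_bytes(const struct descriptor *d, uint8_t out[8])
{
    out[0] = (uint8_t)(d->lim_0_15 & 0xFF);  out[1] = (uint8_t)(d->lim_0_15 >> 8);
    out[2] = (uint8_t)(d->bas_0_15 & 0xFF);  out[3] = (uint8_t)(d->bas_0_15 >> 8);
    out[4] = d->bas_16_23;                   out[5] = d->access;
    out[6] = d->gran;                        out[7] = d->bas_24_31;
}

/* Table 9-5: a TSS descriptor whose limit is less than 103 makes the TSS invalid. */
int tss_descriptor_ok(const struct descriptor *d)
{
    return d->access == TSS_ACCESS && descriptor_limit(d) >= 103u;
}

int main(void)
{
    struct descriptor flat, gdt_alias, tss;
    uint8_t raw[8];
    int i;

    /* Constructed values: a flat 4G data segment, an alias for a 7-entry GDT
     * at the listing's GDTbase (00001000H), and a minimal TSS at 00002000H. */
    make_descriptor(&flat, 0, 0xFFFFFFFFu, DS_ACCESS, 1);
    make_descriptor(&gdt_alias, 0x1000u, 7 * 8 - 1, DS_ACCESS, 0);
    make_descriptor(&tss, 0x2000u, 103, TSS_ACCESS, 0);

    descriptor_bytes(&flat, raw);
    for (i = 0; i < 8; i++)
        printf("%02X ", raw[i]);
    printf(" flat data: base %08X limit %08X\n", (unsigned)descriptor_base(&flat),
           (unsigned)descriptor_limit(&flat));
    printf("GDT alias limit %u, TSS ok: %d\n", (unsigned)descriptor_limit(&gdt_alias),
           tss_descriptor_ok(&tss));
    return 0;
}
```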
Page tables and the PDBR in CR3 can be initialized in either real-address
mode or in protected mode; however, the paging enabled (PG) bit of CR0
cannot be set until the processor is in protected mode. PG may be set
simultaneously with PE, or later. When PG is set, the PDBR in CR3 should
already be initialized with a physical address that points to a valid page
directory. The initialization procedure should adopt one of the following
strategies to ensure consistent addressing before and after paging is

* The page that is currently being executed should map to the same
  physical addresses both before and after PG is set.

* A JMP instruction should immediately follow the setting of PG.

The initialization procedure can run awhile in protected mode without
initializing the task register; however, before the first task switch, the
following conditions must prevail:

* There must be a valid task state segment (TSS) for the new task. The
  stack pointers in the TSS for privilege levels numerically less than or
  equal to the initial CPL must point to valid stack segments.

* The task register must point to an area in which to save the current
  task state. After the first task switch, the information dumped in this
  area is not needed, and the area can be used for other purposes.
10.5 Initialization Example

$TITLE ('Initial Task')

init_stack      SEGMENT RW

init_data       SEGMENT RW PUBLIC

init_code       SEGMENT ER PUBLIC

                END init_start, SS:init_stack, DS:init_data

$TITLE('Protected Mode Transition -- 386 initialization')

;*****************************************************************
; Upon reset the 386 starts executing at address 0FFFFFFF0H. The
; upper 12 address bits remain high until a FAR call or jump is
; Assume the following:
; - a short jump at address 0FFFFFFF0H (placed there by the
;   system builder) causes execution to begin at START in segment
; - segment RESET_CODE is based at physical address 0FFFF0000H,
;   i.e. at the start of the last 64K in the 4G address space.
;   Note that this is the base of the CS register at reset. If
;   you locate ROM code above this address, you will need to
;   figure out an adjustment factor to address things within this
;*****************************************************************

; Define addresses to locate GDT and IDT in RAM.
; These addresses are also used in the BLD386 file that defines
; the GDT and IDT. If you change these addresses, make sure you
; change the base addresses specified in the build file.

GDTbase         EQU 00001000H           ; physical address for GDT base
IDTbase         EQU 00000400H           ; physical address for IDT base

DUMMY           segment rw              ; ONLY for ASM386 main module stack init

;*****************************************************************
; Note: RESET_CODE must be USE16 because the 386 initially executes
RESET_CODE      segment er PUBLIC USE16

                ASSUME DS:nothing, ES:nothing

; 386 Descriptor template
DESC            STRUC
lim_0_15        DW 0                    ; limit bits (0..15)
bas_0_15        DW 0                    ; base bits (0..15)
bas_16_23       DB 0                    ; base bits (16..23)
access          DB 0                    ; access byte
gran            DB 0                    ; granularity byte
bas_24_31       DB 0                    ; base bits (24..31)
DESC            ENDS

; The following is the layout of the real GDT created by BLD386.
; It is located in EPROM and will be copied to RAM.
; GDT[1] ... Alias for RAM GDT
; GDT[2] ... Alias for RAM IDT
; GDT[3] ... initial task TSS
; GDT[4] ... initial task TSS alias
; GDT[5] ... initial task LDT
; GDT[6] ... initial task LDT alias

; define entries in GDT and IDT.

; define some constants to index into the real GDT
GDT_ALIAS       EQU 1*SIZE DESC
IDT_ALIAS       EQU 2*SIZE DESC
INIT_TSS        EQU 3*SIZE DESC
INIT_TSS_A      EQU 4*SIZE DESC
INIT_LDT        EQU 5*SIZE DESC
INIT_LDT_A      EQU 6*SIZE DESC

; location of alias in INIT_LDT
INIT_LDT_ALIAS  EQU 1*SIZE DESC

; access rights byte for DATA and TSS descriptors
DS_ACCESS       EQU 010010010B          ; P=1, DPL=0, S=1, type=0010 (read/write data)
TSS_ACCESS      EQU 010001001B          ; P=1, DPL=0, S=0, type=1001 (available 386 TSS)

; This temporary GDT will be used to set up the real GDT in RAM.
Temp_GDT        LABEL BYTE              ; tag for begin of scratch GDT
NULL_DES        DESC <>                 ; NULL descriptor
; 4-Gigabyte data segment based at 0
FLAT_DES        DESC <0FFFFH,0,0,92h,0CFh,0>
GDT_eprom       DP ?                    ; Builder places GDT address and limit
                                        ; in this 6 byte area.
IDT_eprom       DP ?                    ; Builder places IDT address and limit
                                        ; in this 6 byte area.

; Prepare operands for loading GDTR and IDTR.
TGDT_pword      LABEL PWORD             ; for temp GDT
                DW end_Temp_GDT-Temp_GDT -1

GDT_pword       LABEL PWORD             ; for GDT in RAM
                DW GDT_ENTRIES * SIZE DESC -1

IDT_pword       LABEL PWORD             ; for IDT in RAM
                DW IDT_ENTRIES * SIZE DESC -1

end_Temp_GDT    LABEL BYTE

; Define equates for addressing convenience.
GDT_DES_FLAT    EQU DS:GDT_ALIAS +GDTbase
IDT_DES_FLAT    EQU DS:IDT_ALIAS +GDTbase
INIT_TSS_A_OFFSET EQU DS:INIT_TSS_A
INIT_TSS_OFFSET EQU DS:INIT_TSS
INIT_LDT_A_OFFSET EQU DS:INIT_LDT_A
INIT_LDT_OFFSET EQU DS:INIT_LDT

; define pointer for first task switch
ENTRY_POINTER   LABEL DWORD

;******************************************************************
; Jump from reset vector to here.
START:
                CLI                     ; disable interrupts
                CLD                     ; clear direction flag
                LIDT NULL_des           ; force shutdown on errors

; move scratch GDT to RAM at physical 0
                XOR DI,DI
                MOV ES,DI               ; point ES:DI to physical location 0
                MOV SI,OFFSET Temp_GDT
                MOV CX,end_Temp_GDT-Temp_GDT ; set byte count
                REP MOVS BYTE PTR ES:[DI],BYTE PTR CS:[SI]
                LGDT TGDT_pword         ; load GDTR for Temp. GDT

; switch to protected mode
                MOV EAX,CR0             ; get current CR0
                OR  EAX,1               ; set PE bit
                MOV CR0,EAX             ; begin protected mode

; clear prefetch queue

; set DS,ES,SS to address flat linear space (0 ... 4GB)
                MOV BX,FLAT_DES-Temp_GDT

; initialize stack pointer to some (arbitrary) RAM location
                MOV ESP, OFFSET end_Temp_GDT

; copy eprom GDT to RAM
                MOV ESI,DWORD PTR GDT_eprom +2 ; get base of eprom GDT
                                        ; (put here by builder).
                MOV EDI,GDTbase         ; point ES:EDI to GDT base in RAM.
                MOV CX,WORD PTR GDT_eprom +0 ; limit of eprom GDT
                SHR CX,1                ; easier to move words
                REP MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]

; copy eprom IDT to RAM
                MOV ESI,DWORD PTR IDT_eprom +2 ; get base of eprom IDT
                                        ; (put here by builder)
                MOV EDI,IDTbase         ; point ES:EDI to IDT base in RAM.
                MOV CX,WORD PTR IDT_eprom +0 ; limit of eprom IDT
                REP MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]

; switch to RAM GDT and IDT
                MOV BX,GDT_ALIAS        ; point DS to GDT alias

; copy eprom TSS to RAM
                MOV BX,INIT_TSS_A       ; INIT_TSS_A descriptor base
                                        ; has RAM location of INIT_TSS.
                MOV ES,BX               ; ES points to TSS in RAM
                MOV BX,INIT_TSS         ; get initial task selector
                LAR DX,BX               ; save access byte
                MOV [BX].access,DS_ACCESS ; set access as data segment
                MOV FS,BX               ; FS points to eprom TSS
                XOR SI,SI               ; FS:SI points to eprom TSS
                XOR DI,DI               ; ES:DI points to RAM TSS
                MOV CX,[BX].lim_0_15    ; get count to move
; move INIT_TSS to RAM.
                REP MOVS BYTE PTR ES:[DI],BYTE PTR FS:[SI]
                MOV [BX].access,DH      ; restore access byte

; change base of INIT_TSS descriptor to point to RAM.
                MOV AX,INIT_TSS_A_OFFSET.bas_0_15
                MOV INIT_TSS_OFFSET.bas_0_15,AX
                MOV AL,INIT_TSS_A_OFFSET.bas_16_23
                MOV INIT_TSS_OFFSET.bas_16_23,AL
                MOV AL,INIT_TSS_A_OFFSET.bas_24_31
                MOV INIT_TSS_OFFSET.bas_24_31,AL

; change INIT_TSS_A to form a save area for TSS on first task
; switch. Use RAM at location 0.
                MOV WORD PTR [BX].bas_0_15,0
                MOV [BX].bas_16_23,0
                MOV [BX].bas_24_31,0
                MOV [BX].access,TSS_ACCESS
                LTR BX                  ; defines save area for TSS

; copy eprom LDT to RAM
                MOV BX,INIT_LDT_A       ; INIT_LDT_A descriptor has
                                        ; base address in RAM for INIT_LDT.
                MOV ES,BX               ; ES points to LDT location in RAM.
                MOV AH,[BX].bas_24_31
                MOV AL,[BX].bas_16_23
                MOV AX,[BX].bas_0_15    ; save INIT_LDT base (RAM) in EAX
                MOV BX,INIT_LDT         ; get initial LDT selector
                LAR DX,BX               ; save access rights
                MOV [BX].access,DS_ACCESS ; set access as data segment
                MOV FS,BX               ; FS points to eprom LDT
                XOR SI,SI               ; FS:SI points to eprom LDT
                XOR DI,DI               ; ES:DI points to RAM LDT
                MOV CX,[BX].lim_0_15    ; get count to move
; move initial LDT to RAM
                REP MOVS BYTE PTR ES:[DI],BYTE PTR FS:[SI]
                MOV [BX].access,DH      ; restore access rights in
                                        ; INIT_LDT descriptor

; change base of alias (of INIT_LDT) to point to location in RAM.
                MOV ES:[INIT_LDT_ALIAS].bas_0_15,AX
                MOV ES:[INIT_LDT_ALIAS].bas_16_23,AL
                MOV ES:[INIT_LDT_ALIAS].bas_24_31,AH

; now set the base value in INIT_LDT descriptor
                MOV AX,INIT_LDT_A_OFFSET.bas_0_15
                MOV INIT_LDT_OFFSET.bas_0_15,AX
                MOV AL,INIT_LDT_A_OFFSET.bas_16_23
                MOV INIT_LDT_OFFSET.bas_16_23,AL
                MOV AL,INIT_LDT_A_OFFSET.bas_24_31
                MOV INIT_LDT_OFFSET.bas_24_31,AL

; Now GDT, IDT, initial TSS and initial LDT are all set up.
; Start the first task!

                END START, SS:DUMMY,DS:DUMMY
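The initialization code above moves descriptor bases three fields at a time and builds its flat segment from the literal <0FFFFH,0,0,92h,0CFh,0>. The following C decoder, added here as an example and not taken from the manual or from BLD386, unpacks that 8-byte DESC layout so the access bytes DS_ACCESS and TSS_ACCESS and the FLAT_DES granularity byte can be checked; the TSS descriptor values in main are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* 8-byte 80386 segment descriptor in the field order of the DESC template
   above (limit 0..15, base 0..15, base 16..23, access, granularity, base 24..31).
   Added example; not code from the manual. */
typedef struct {
    uint16_t lim_0_15;
    uint16_t bas_0_15;
    uint8_t  bas_16_23;
    uint8_t  access;      /* P | DPL(2) | S | TYPE(4) */
    uint8_t  gran;        /* G | D/B | 0 | AVL | limit 16..19 */
    uint8_t  bas_24_31;
} desc_t;

typedef struct {
    uint32_t base;
    uint32_t limit_bytes;   /* highest valid offset, inclusive */
    int present, dpl, is_system, type, g, big;
} desc_info_t;

uint32_t desc_base(const desc_t *d) {
    return d->bas_0_15 | ((uint32_t)d->bas_16_23 << 16) | ((uint32_t)d->bas_24_31 << 24);
}

/* Split a 32-bit base over the three base fields, the same three stores the
   initialization code performs when copying a base from an alias descriptor. */
void desc_set_base(desc_t *d, uint32_t base) {
    d->bas_0_15  = (uint16_t)base;
    d->bas_16_23 = (uint8_t)(base >> 16);
    d->bas_24_31 = (uint8_t)(base >> 24);
}

/* The 20-bit limit counts bytes when G=0 and 4-KByte pages when G=1. */
uint32_t desc_limit_bytes(const desc_t *d) {
    uint32_t lim = d->lim_0_15 | ((uint32_t)(d->gran & 0x0F) << 16);
    return (d->gran & 0x80) ? (lim << 12) | 0xFFF : lim;
}

desc_info_t desc_decode(const desc_t *d) {
    desc_info_t i;
    i.base        = desc_base(d);
    i.limit_bytes = desc_limit_bytes(d);
    i.present     = (d->access >> 7) & 1;
    i.dpl         = (d->access >> 5) & 3;
    i.is_system   = !((d->access >> 4) & 1);   /* S=0: TSS, LDT or gate */
    i.type        = d->access & 0x0F;
    i.g           = (d->gran >> 7) & 1;
    i.big         = (d->gran >> 6) & 1;
    return i;
}

/* FLAT_DES <0FFFFH,0,0,92h,0CFh,0> and the two access bytes from the example. */
static const desc_t FLAT_DES = { 0xFFFF, 0, 0, 0x92, 0xCF, 0 };
enum { DS_ACCESS = 0x92 /* 010010010B */, TSS_ACCESS = 0x89 /* 010001001B */ };

int main(void) {
    desc_info_t f = desc_decode(&FLAT_DES);
    printf("FLAT_DES: base=%08X limit=%08X P=%d DPL=%d system=%d type=%X G=%d B=%d\n",
           (unsigned)f.base, (unsigned)f.limit_bytes, f.present, f.dpl, f.is_system, f.type, f.g, f.big);
    desc_t tss = { 0x0067, 0, 0, TSS_ACCESS, 0, 0 };   /* constructed TSS descriptor */
    desc_set_base(&tss, 0x00123456);
    printf("TSS: base=%08X type=%X\n", (unsigned)desc_base(&tss), desc_decode(&tss).type);
    return 0;
}
```

The decoded FLAT_DES is a present, DPL 0, read/write data segment with base 0 and a page-granular limit of 0FFFFFH, i.e. the whole 4-GByte linear space; TSS_ACCESS decodes to a system descriptor of type 9 (available 386 TSS).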
The 80386 provides a mechanism for testing the Translation Lookaside Buffer
(TLB), the cache used for translating linear addresses to physical
addresses. Although failure of the TLB hardware is extremely unlikely, users
may wish to include TLB confidence tests among other power-up confidence
tests for the 80386.

---------------------------------------------------------------------------
This TLB testing mechanism is unique to the 80386 and may not be
continued in the same way in future processors. Software that uses
this mechanism may be incompatible with future processors.
---------------------------------------------------------------------------

When testing the TLB it is recommended that paging be turned off (PG=0 in
CR0) to avoid interference with the test data being written to the TLB.
10.6.1 Structure of the TLB

The TLB is a four-way set-associative memory. Figure 10-3 illustrates the
structure of the TLB. There are four sets of eight entries each. Each entry
consists of a tag and data. Tags are 24 bits wide. They contain the
high-order 20 bits of the linear address, the valid bit, and three attribute
bits. The data portion of each entry contains the high-order 20 bits of the
10.6.2 Test Registers

Two test registers, shown in Figure 10-4, are provided for the purpose of
testing. TR6 is the test command register, and TR7 is the test data
register. These registers are accessed by variants of the MOV
instruction. A test register may be either the source operand or destination
operand. The MOV instructions are defined in both real-address mode and
protected mode. The test registers are privileged resources; in protected
mode, the MOV instructions that access them can only be executed at
privilege level 0. An attempt to read or write the test registers when
executing at any other privilege level causes a general protection
exception.

The test command register (TR6) contains a command and an address tag to
use in performing the command:

C         This is the command bit. There are two TLB testing commands:
          write entries into the TLB, and perform TLB lookups. To cause an
          immediate write into the TLB entry, move a doubleword into TR6
          that contains a 0 in this bit. To cause an immediate TLB lookup,
          move a doubleword into TR6 that contains a 1 in this bit.

Linear    On a TLB write, a TLB entry is allocated to this linear address;
Address   the rest of that TLB entry is set per the value of TR7 and the
          value just written into TR6. On a TLB lookup, the TLB is
          interrogated per this value; if one and only one TLB entry
          matches, the rest of the fields of TR6 and TR7 are set from the

V         The valid bit for this TLB entry. The TLB uses the valid bit to
          identify entries that contain valid data. Entries of the TLB
          that have not been assigned values have zero in the valid bit.
          All valid bits can be cleared by writing to CR3.

D, D#     The dirty bit (and its complement) for/from the TLB entry.

U, U#     The U/S bit (and its complement) for/from the TLB entry.

W, W#     The R/W bit (and its complement) for/from the TLB entry.

          The meaning of these pairs of bits is given by Table 10-1,
          where X represents D, U, or W.

The test data register (TR7) holds data read from or data to be written to

Physical  This is the data field of the TLB. On a write to the TLB, the
Address   TLB entry allocated to the linear address in TR6 is set to this
          value. On a TLB lookup, if HT is set, the data field (physical
          address) from the TLB is read out to this field. If HT is not
          set, this field is undefined.

HT        For a TLB lookup, the HT bit indicates whether the lookup was a
          hit (HT=1) or a miss (HT=0). For a TLB write, HT must be set

REP       For a TLB write, selects which of four associative blocks of the
          TLB is to be written. For a TLB read, if HT is set, REP reports
          in which of the four associative blocks the tag was found; if HT
          is not set, REP is undefined.
Table 10-1. Meaning of D, U, and W Bit Pairs

  X   X#   Effect during TLB Lookup   Value of bit X after TLB Write
  ------------------------------------------------------------------
  0   0    (undefined)                (undefined)
  0   1    Match if X=0               Bit X becomes 0
  1   0    Match if X=1               Bit X becomes 1
  1   1    (undefined)                (undefined)
Figure 10-3. TLB Structure

  [Figure: four associative blocks, each holding eight entries (0..7);
   every entry consists of a TAG field and a DATA field.]

Figure 10-4. Test Registers

  TR7:  bits 31..12   PHYSICAL ADDRESS
        bits 11..5    0
        bit  4        HT
        bits 3..2     REP
        bits 1..0     0

  TR6:  bits 31..12   LINEAR ADDRESS
        bit  11       V
        bits 10, 9    D, D#
        bits 8, 7     U, U#
        bits 6, 5     W, W#
        bits 4..1     0
        bit  0        C

NOTE: 0 INDICATES INTEL RESERVED. DO NOT DEFINE.
10.6.3 Test Operations

To write a TLB entry:

1. Move a doubleword to TR7 that contains the desired physical address,
   HT, and REP values. HT must contain 1. REP must point to the
   associative block in which to place the entry.

2. Move a doubleword to TR6 that contains the appropriate linear
   address, and values for V, D, U, and W. Be sure C=0 for "write"

Be careful not to write duplicate tags; the results of doing so are

To look up (read) a TLB entry:

1. Move a doubleword to TR6 that contains the appropriate linear address
   and attributes. Be sure C=1 for "lookup" command.

2. Store TR7. If the HT bit in TR7 indicates a hit, then the other
   values reveal the TLB contents. If HT indicates a miss, then the other
   values in TR7 are indeterminate.

For the purposes of testing, the V bit functions as another bit of
address. The V bit for a lookup request should usually be set, so that
uninitialized tags do not match. Lookups with V=0 are unpredictable if any
tags are uninitialized.
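The write and lookup sequences above, and the pair encodings of Table 10-1, can be exercised without hardware by a small software model. The C program below is an added example, not code from the manual: it packs and unpacks TR6/TR7 per the field positions of Figure 10-4, keeps a 4-block by 8-entry array as the TLB, treats V as part of the tag as the text describes, reports a hit only when exactly one entry matches (so a duplicate tag clears HT), and runs a confidence pass that writes one entry per block and reads each back. Which of the eight entries a linear address selects is not stated on this page; the model assumes linear address bits 14..12, and all addresses in it are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of the 80386 TLB test mechanism.  Added example; not code
   from the manual.  Layouts follow Figure 10-4:
   TR6 = linear[31:12] V[11] D[10] D#[9] U[8] U#[7] W[6] W#[5] C[0]
   TR7 = physical[31:12] HT[4] REP[3:2]
   Set selection within a block (linear bits 14..12) is an assumption. */
#define TLB_BLOCKS 4
#define TLB_SETS   8
#define ADDR_MASK  0xFFFFF000u

enum { TR6_C = 1u << 0, TR6_V = 1u << 11, TR7_HT = 1u << 4 };

typedef struct { int valid; uint32_t tag; int d, u, w; uint32_t phys; } tlb_entry_t;
typedef struct { tlb_entry_t e[TLB_BLOCKS][TLB_SETS]; } tlb_t;

/* Attribute pair per Table 10-1: X=1 is encoded "10", X=0 is encoded "01". */
static uint32_t pair_encode(int x, unsigned shift) { return (x ? 2u : 1u) << shift; }
/* Returns 0 or 1, or -1 for the undefined combinations "00" and "11". */
static int pair_decode(uint32_t tr6, unsigned shift) {
    unsigned p = (tr6 >> shift) & 3u;
    return p == 2 ? 1 : p == 1 ? 0 : -1;
}
static unsigned set_of(uint32_t linear) { return (linear >> 12) & (TLB_SETS - 1); }

uint32_t tr6_encode(uint32_t linear, int v, int d, int u, int w, int lookup) {
    return (linear & ADDR_MASK) | (v ? TR6_V : 0) |
           pair_encode(d, 9) | pair_encode(u, 7) | pair_encode(w, 5) | (lookup ? TR6_C : 0);
}
uint32_t tr7_encode(uint32_t physical, int ht, unsigned rep) {
    return (physical & ADDR_MASK) | (ht ? TR7_HT : 0) | ((rep & 3u) << 2);
}

/* Writing CR3 clears every valid bit; the model simply zeroes the array. */
void tlb_flush(tlb_t *t) { memset(t, 0, sizeof *t); }

/* TLB write command (C=0).  HT must be 1; REP selects the block.
   Returns 0, or -1 if the command is malformed or uses an undefined pair. */
int tlb_write(tlb_t *t, uint32_t tr6, uint32_t tr7) {
    int d = pair_decode(tr6, 9), u = pair_decode(tr6, 7), w = pair_decode(tr6, 5);
    if ((tr6 & TR6_C) || !(tr7 & TR7_HT) || d < 0 || u < 0 || w < 0) return -1;
    tlb_entry_t *e = &t->e[(tr7 >> 2) & 3u][set_of(tr6)];
    e->valid = (tr6 & TR6_V) != 0;        /* V is compared like a tag bit */
    e->tag   = tr6 & ADDR_MASK;
    e->d = d; e->u = u; e->w = w;
    e->phys  = tr7 & ADDR_MASK;
    return 0;
}

/* TLB lookup command (C=1).  Fills *tr7 with HT=1, REP and the physical
   address when exactly one entry matches, otherwise leaves HT clear.
   Returns the number of matching entries (-1 for an undefined pair); two or
   more is the duplicate-tag situation the text warns about. */
int tlb_lookup(const tlb_t *t, uint32_t tr6, uint32_t *tr7) {
    int d = pair_decode(tr6, 9), u = pair_decode(tr6, 7), w = pair_decode(tr6, 5);
    int want_v = (tr6 & TR6_V) != 0, hits = 0;
    unsigned block = 0, set = set_of(tr6);
    uint32_t phys = 0;
    *tr7 = 0;
    if (!(tr6 & TR6_C) || d < 0 || u < 0 || w < 0) return -1;
    for (unsigned b = 0; b < TLB_BLOCKS; b++) {
        const tlb_entry_t *e = &t->e[b][set];
        if (e->valid == want_v && e->tag == (tr6 & ADDR_MASK) &&
            e->d == d && e->u == u && e->w == w) {
            hits++; block = b; phys = e->phys;
        }
    }
    if (hits == 1) *tr7 = tr7_encode(phys, 1, block);
    return hits;
}

/* One confidence pass in the style of 10.6.3: write an entry into each block,
   read it back, check HT/REP/address, and check that a changed attribute
   misses.  Returns the number of failures (0 = pass). */
int tlb_confidence_test(void) {
    tlb_t t; uint32_t out; int fail = 0;
    tlb_flush(&t);
    for (unsigned rep = 0; rep < TLB_BLOCKS; rep++) {
        uint32_t lin = 0x00401000u + rep * 0x1000u, phy = 0x12340000u + rep * 0x1000u;
        if (tlb_write(&t, tr6_encode(lin, 1, 0, 1, 1, 0), tr7_encode(phy, 1, rep))) fail++;
        if (tlb_lookup(&t, tr6_encode(lin, 1, 0, 1, 1, 1), &out) != 1) fail++;
        if (out != tr7_encode(phy, 1, rep)) fail++;
        if (tlb_lookup(&t, tr6_encode(lin, 1, 1, 1, 1, 1), &out) != 0) fail++;  /* D mismatch */
    }
    return fail;
}

int main(void) {
    int fails = tlb_confidence_test();
    printf("TLB confidence test: %s (%d failures)\n", fails ? "FAIL" : "PASS", fails);
    return fails != 0;
}
```

On the real processor the model's tlb_write and tlb_lookup correspond to a MOV to TR7 followed by a MOV to TR6, and to a MOV to TR6 followed by a MOV from TR7; the model's -1 return marks command words a real test must never issue (C=1 on a write, HT=0 on a write, or a 00/11 attribute pair), because the hardware result is undefined there.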
Chapter 11 Coprocessing and Multiprocessing

---------------------------------------------------------------------------

The 80386 has two levels of support for multiple parallel processing units:

• A highly specialized interface for very closely coupled processors of
  a type known as coprocessors.

• A more general interface for more loosely coupled processors of

The components of the coprocessor interface include:

• ET bit of control register zero (CR0)
• The EM and MP bits of CR0
• The ESC instructions
• The WAIT instruction

11.1.1 Coprocessor Identification

The 80386 is designed to operate with either an 80287 or 80387 math
coprocessor. The ET bit of CR0 indicates which type of coprocessor is
present. ET is set automatically by the 80386 after RESET according to the
level detected on the ERROR# input. If desired, ET may also be set or reset
by loading CR0 with a MOV instruction. If ET is set, the 80386 uses the
32-bit protocol of the 80387; if reset, the 80386 uses the 16-bit protocol

11.1.2 ESC and WAIT Instructions

The 80386 interprets the pattern 11011B in the first five bits of an
instruction as an opcode intended for a coprocessor. Instructions thus
marked are called ESCAPE or ESC instructions. The CPU performs the following
functions upon encountering an ESC instruction before sending the
instruction to the coprocessor:

• Tests the emulation mode (EM) flag to determine whether coprocessor
  functions are being emulated by software.

• Tests the TS flag to determine whether there has been a context change
  since the last ESC instruction.

• For some ESC instructions, tests the ERROR# pin to determine whether
  the coprocessor detected an error in the previous ESC instruction.

The WAIT instruction is not an ESC instruction, but WAIT causes the CPU to
perform some of the same tests that it performs upon encountering an ESC
instruction. The processor performs the following actions for a WAIT

• Waits until the coprocessor no longer asserts the BUSY# pin.

• Tests the ERROR# pin (after BUSY# goes inactive). If ERROR# is active,
  the 80386 signals exception 16, which indicates that the coprocessor
  encountered an error in the previous ESC instruction.

• WAIT can therefore be used to cause exception 16 if an error is
  pending from a previous ESC instruction. Note that, if no coprocessor
  is present, the ERROR# and BUSY# pins should be tied inactive to
  prevent WAIT from waiting forever or causing spurious exceptions.

11.1.3 EM and MP Flags

The EM and MP flags of CR0 control how the processor reacts to coprocessor

The EM bit indicates whether coprocessor functions are to be emulated. If
the processor finds EM set when executing an ESC instruction, it signals
exception 7, giving the exception handler an opportunity to emulate the ESC

The MP (monitor coprocessor) bit indicates whether a coprocessor is
actually attached. The MP flag controls the function of the WAIT
instruction. If, when executing a WAIT instruction, the CPU finds MP set,
then it tests the TS flag; it does not otherwise test TS during a WAIT
instruction. If it finds TS set under these conditions, the CPU signals

The EM and MP flags can be changed with the aid of a MOV instruction using
CR0 as the destination operand and read with the aid of a MOV instruction
with CR0 as the source operand. These forms of the MOV instruction can be
executed only at privilege level zero.

11.1.4 The Task-Switched Flag

The TS bit of CR0 helps to determine when the context of the coprocessor
does not match that of the task being executed by the 80386 CPU. The 80386
sets TS each time it performs a task switch (whether triggered by software
or by hardware interrupt). If, when interpreting one of the ESC
instructions, the CPU finds TS already set, it causes exception 7. The WAIT
instruction also causes exception 7 if both TS and MP are set. Operating
systems can use this exception to switch the context of the coprocessor to
correspond to the current task. Refer to the 80386 System Software Writer's
Guide for an example.

The CLTS instruction (legal only at privilege level zero) resets the TS

11.1.5 Coprocessor Exceptions

Three exceptions aid in interfacing to a coprocessor: interrupt 7
(coprocessor not available), interrupt 9 (coprocessor segment overrun), and
interrupt 16 (coprocessor error).

11.1.5.1 Interrupt 7 -- Coprocessor Not Available

This exception occurs in either of two conditions:

1. The CPU encounters an ESC instruction and EM is set. In this case,
   the exception handler should emulate the instruction that caused the
   exception. TS may also be set.

2. The CPU encounters either the WAIT instruction or an ESC instruction
   when both MP and TS are set. In this case, the exception handler
   should update the state of the coprocessor, if necessary.

11.1.5.2 Interrupt 9 -- Coprocessor Segment Overrun

This exception occurs in protected mode under the following conditions:

• An operand of a coprocessor instruction wraps around an addressing
  limit (0FFFFH for small segments, 0FFFFFFFFH for big segments, zero for
  expand-down segments). An operand may wrap around an addressing limit
  when the segment limit is near an addressing limit and the operand is
  near the largest valid address in the segment. Because of the
  wrap-around, the beginning and ending addresses of such an operand
  will be near opposite ends of the segment.

• Both the first byte and the last byte of the operand (considering
  wrap-around) are at addresses located in the segment and in present and

• The operand spans inaccessible addresses. There are two ways that such
  an operand may also span inaccessible addresses:

  1. The segment limit is not equal to the addressing limit (e.g.,
     addressing limit is FFFFH and segment limit is FFFDH); therefore,
     the operand will span addresses that are not within the segment
     (e.g., an 8-byte operand that starts at valid offset FFFC will span
     addresses FFFC-FFFF and 0000-0003; however, addresses FFFE and FFFF
     are not valid, because they exceed the limit);

  2. The operand begins and ends in present and accessible pages but
     intermediate bytes of the operand fall either in a not-present page
     or in a page to which the current procedure does not have access

The address of the failing numerics instruction and data operand may be
lost; an FSTENV does not return reliable addresses. As with the 80286/80287,
the segment overrun exception should be handled by executing an FNINIT
instruction (i.e., an FINIT without a preceding WAIT). The return address on
the stack does not necessarily point to the failing instruction nor to the
following instruction. The failing numerics instruction is not restartable.

Case 2 can be avoided by either aligning all segments on page boundaries or
by not starting them within 108 bytes of the start or end of a page. (The
maximum size of a coprocessor operand is 108 bytes.) Case 1 can be avoided
by making sure that the gap between the last valid offset and the first
valid offset of a segment is either no less than 108 bytes or is zero (i.e.,
the segment is of full size). If neither software system design constraint
is acceptable, the exception handler should execute FNINIT and should
probably terminate the task.

11.1.5.3 Interrupt 16 -- Coprocessor Error

The numerics coprocessors can detect six different exception conditions
during instruction execution. If the detected exception is not masked by a
bit in the control word, the coprocessor communicates the fact that an error
occurred to the CPU by a signal at the ERROR# pin. The CPU causes interrupt
16 the next time it checks the ERROR# pin, which is only at the beginning of
a subsequent WAIT or certain ESC instructions. If the exception is masked,
the numerics coprocessor handles the exception according to on-board logic;
it does not assert the ERROR# pin in this case.
11.2 General Multiprocessing

The components of the general multiprocessing interface include:

• The LOCK instruction prefix, which gives programmed control of the

• Automatic assertion of the LOCK# signal with implicit memory updates

11.2.1 LOCK and the LOCK# Signal

The LOCK instruction prefix and its corresponding output signal LOCK# can
be used to prevent other bus masters from interrupting a data movement
operation. LOCK may only be used with the following 80386 instructions when
they modify memory. An undefined-opcode exception results from using LOCK
before any instruction other than:

• Bit test and change: BTS, BTR, BTC.

• Two-operand arithmetic and logical: ADD, ADC, SUB, SBB, AND, OR, XOR.
• One-operand arithmetic and logical: INC, DEC, NOT, and NEG.

A locked instruction is only guaranteed to lock the area of memory defined
by the destination operand, but it may lock a larger memory area. For
example, typical 8086 and 80286 configurations lock the entire physical
memory space. The area of memory defined by the destination operand is
guaranteed to be locked against access by a processor executing a locked
instruction on exactly the same memory area, i.e., an operand with
identical starting address and identical length.

The integrity of the lock is not affected by the alignment of the memory
field. The LOCK signal is asserted for as many bus cycles as necessary to
update the entire operand.

11.2.2 Automatic Locking

In several instances, the processor itself initiates activity on the data
bus. To help ensure that such activities function correctly in
multiprocessor configurations, the processor automatically asserts the LOCK#
signal. These instances include:

• Acknowledging interrupts.

  After an interrupt request, the interrupt controller uses the data bus
  to send the interrupt ID of the interrupt source to the CPU. The CPU
  asserts LOCK# to ensure that no other data appears on the data bus

• Setting busy bit of TSS descriptor.

  The processor tests and sets the busy-bit in the type field of the TSS
  descriptor when switching to a task. To ensure that two different
  processors cannot simultaneously switch to the same task, the processor
  asserts LOCK# while testing and setting this bit.

• Loading of descriptors.

  While copying the contents of a descriptor from a descriptor table into
  a segment register, the processor asserts LOCK# so that the descriptor
  cannot be modified by another processor while it is being loaded. For
  this action to be effective, operating-system procedures that update
  descriptors should adhere to the following steps:

  - Use a locked update to the access-rights byte to mark the
    descriptor not-present.

  - Update the fields of the descriptor. (This may require several
    memory accesses; therefore, LOCK cannot be used.)

  - Use a locked update to the access-rights byte to mark the
    descriptor present again.

• Updating page-table A and D bits.

  The processor exerts LOCK# while updating the A (accessed) and D
  (dirty) bits of page-table entries. Also the processor bypasses the
  page-table cache and directly updates these bits in memory.

• Executing XCHG instruction.

  The 80386 always asserts LOCK# during an XCHG instruction that
  references memory (even if the LOCK prefix is not used).
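The three-step descriptor update under "Loading of descriptors" protects against a second processor loading a descriptor whose fields are only half rewritten. The C program below is an added example, not code from the manual: it replays an 8-byte descriptor update one store at a time and, at every step boundary, lets a simulated descriptor load (which honours the P bit exactly as the CPU does, faulting instead of installing a not-present descriptor) inspect the table. The plain-store version installs torn bases; the version that brackets the update with locked clear and set of P never does. The single-byte locked operations use the GCC/Clang __atomic builtins to stand for a LOCKed AND/OR on the access byte; the descriptor contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the descriptor-update protocol described above.  Added example;
   not code from the manual.  The descriptor uses the 8-byte DESC layout of
   the initialization example: byte 5 is the access byte, bit 7 of it is P.
   The model is single-threaded: it replays an update step by step and lets
   another processor's descriptor load observe the table between steps. */
typedef struct { uint8_t b[8]; } desc8_t;
enum { ACCESS = 5, P_BIT = 0x80, NSTEPS = 10 };

static uint32_t desc_base(const desc8_t *d) {
    return d->b[2] | ((uint32_t)d->b[3] << 8) | ((uint32_t)d->b[4] << 16) | ((uint32_t)d->b[7] << 24);
}

/* Single-byte locked read-modify-write, standing in for LOCK AND / LOCK OR
   (or BTR/BTS) on the access-rights byte.  GCC/Clang builtins. */
static void locked_and(uint8_t *p, uint8_t m) { __atomic_fetch_and(p, m, __ATOMIC_SEQ_CST); }
static void locked_or (uint8_t *p, uint8_t m) { __atomic_fetch_or (p, m, __ATOMIC_SEQ_CST); }

/* Another processor loading the descriptor into a segment register.  The copy
   happens under LOCK#, so it never interleaves with a locked write; what keeps
   a half-updated descriptor out of the register is P=0, which makes the load
   fault instead.  Returns 1 if the descriptor was installed. */
int load_descriptor(const desc8_t *table, desc8_t *seg_reg) {
    *seg_reg = *table;
    return (seg_reg->b[ACCESS] & P_BIT) != 0;
}

/* Perform the first `steps` (0..NSTEPS) of an update.
   unsafe: eight plain byte stores; P stays set the whole time.
   safe:   locked clear of P, the same stores with P kept clear, locked set of P
           (the three steps listed under "Loading of descriptors"). */
void update_partial(desc8_t *d, const desc8_t *nw, int steps, int safe) {
    static const int order[8] = { 0, 1, 2, 3, 4, 6, 7, ACCESS };
    int s = 0;
    if (s++ < steps && safe) locked_and(&d->b[ACCESS], (uint8_t)~P_BIT);   /* mark not-present */
    for (int i = 0; i < 8; i++) {
        if (s++ < steps) {
            uint8_t v = nw->b[order[i]];
            if (safe && order[i] == ACCESS) v &= (uint8_t)~P_BIT;          /* keep P=0 for now */
            d->b[order[i]] = v;                   /* plain stores: LOCK cannot span all of them */
        }
    }
    if (s++ < steps && safe) locked_or(&d->b[ACCESS], P_BIT);              /* mark present again */
}

/* Interleave a load at every step boundary and count loads that installed a
   descriptor whose base is neither the old nor the new one (a torn read). */
int torn_loads(int safe) {
    /* constructed descriptors: old base 00123000H, new base 7ABC0000H */
    const desc8_t old_d = {{ 0xFF, 0xFF, 0x00, 0x30, 0x12, 0x92, 0xCF, 0x00 }};
    const desc8_t new_d = {{ 0xFF, 0x0F, 0x00, 0x00, 0xBC, 0x92, 0xCF, 0x7A }};
    int torn = 0;
    for (int k = 0; k <= NSTEPS; k++) {
        desc8_t table = old_d, seg;
        update_partial(&table, &new_d, k, safe);
        if (load_descriptor(&table, &seg)) {
            uint32_t base = desc_base(&seg);
            if (base != desc_base(&old_d) && base != desc_base(&new_d)) torn++;
        }
    }
    return torn;
}

int main(void) {
    printf("plain stores:      %d torn loads\n", torn_loads(0));
    printf("locked P protocol: %d torn loads\n", torn_loads(1));
    return 0;
}
```

With plain stores, three of the eleven interleaving points hand the loading processor a base that was never a valid value; with the locked P protocol every intermediate state is not-present, so the loader either sees the old descriptor, the new descriptor, or a fault it can handle.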
11.2.3 Cache Considerations

Systems programmers must take care when updating shared data that may also
be stored in on-chip registers and caches. With the 80386, such shared

• Descriptors, which may be held in segment registers.

  A change to a descriptor that is shared among processors should be
  broadcast to all processors. Segment registers are effectively
  "descriptor caches". A change to a descriptor will not be utilized by
  another processor if that processor already has a copy of the old
  version of the descriptor in a segment register.

• Page tables, which may be held in the page-table cache.

  A change to a page table that is shared among processors should be
  broadcast to all processors, so that others can flush their page-table
  caches and reload them with up-to-date page tables from memory.

Systems designers can employ an interprocessor interrupt to handle the
above cases. When one processor changes data that may be cached by other
processors, it can send an interrupt signal to all other processors that may
be affected by the change. If the interrupt is serviced by an interrupt
task, the task switch automatically flushes the segment registers. The task
switch also flushes the page-table cache if the PDBR (the contents of CR3)
of the interrupt task is different from the PDBR of every other task.

In multiprocessor systems that need a cacheability signal from the CPU, it
is recommended that physical address pin A31 be used to indicate
cacheability. Such a system can then possess up to 2 Gbytes of physical
memory. The virtual address range available to the programmer is not
affected by this convention.
Chapter 12 Debugging

---------------------------------------------------------------------------

The 80386 brings to Intel's line of microprocessors significant advances in
debugging power. The single-step exception and breakpoint exception of
previous processors are still available in the 80386, but the principal
debugging support takes the form of debug registers. The debug registers
support both instruction breakpoints and data breakpoints. Data breakpoints
are an important innovation that can save hours of debugging time by
pinpointing, for example, exactly when a data structure is being
overwritten. The breakpoint registers also eliminate the complexities
associated with writing a breakpoint instruction into a code segment
(requires a data-segment alias for the code segment) or a code segment
shared by multiple tasks (the breakpoint exception can occur in the context
of any of the tasks). Breakpoints can even be set in code contained in ROM.

12.1 Debugging Features of the Architecture

The features of the 80386 architecture that support debugging include:

Reserved debug interrupt vector
  Permits processor to automatically invoke a debugger task or procedure when
  an event occurs that is of interest to the debugger.

Four debug address registers
  Permit programmers to specify up to four addresses that the CPU will
  automatically monitor.

Debug control register
  Allows programmers to selectively enable various debug conditions
  associated with the four debug addresses.

Debug status register
  Helps debugger identify condition that caused debug exception.

Trap bit of TSS (T-bit)
  Permits monitoring of task switches.

Resume flag (RF) of flags register
  Allows an instruction to be restarted after a debug exception without
  immediately causing another debug exception due to the same condition.

Single-step flag (TF)
  Allows complete monitoring of program flow by specifying whether the CPU
  should cause a debug exception with the execution of every instruction.

Breakpoint instruction
  Permits debugger intervention at any point in program execution and aids
  debugging of debugger programs.

Reserved interrupt vector for breakpoint exception
  Permits processor to automatically invoke a handler task or procedure upon
  encountering a breakpoint instruction.

These features make it possible to invoke a debugger that is either a
separate task or a procedure in the context of the current task. The
debugger can be invoked under any of the following kinds of conditions:

• Task switch to a specific task.
• Execution of the breakpoint instruction.
• Execution of every instruction.
• Execution of any instruction at a given address.
• Read or write of a byte, word, or doubleword at any specified address.
• Write to a byte, word, or doubleword at any specified address.
• Attempt to change a debug register.

12.2 Debug Registers

Six 80386 registers are used to control debug features. These registers are
accessed by variants of the MOV instruction. A debug register may be either
the source operand or destination operand. The debug registers are
privileged resources; the MOV instructions that access them can only be
executed at privilege level zero. An attempt to read or write the debug
registers when executing at any other privilege level causes a general
protection exception. Figure 12-1 shows the format of the debug registers.
Figure 12-1. Debug Registers

  DR7:  bits 31..16   LEN3 R/W3 LEN2 R/W2 LEN1 R/W1 LEN0 R/W0 (two bits each)
        bits 15..14   0
        bit  13       GD
        bits 12..10   0
        bit  9        GE
        bit  8        LE
        bits 7..0     G3 L3 G2 L2 G1 L1 G0 L0

  DR6:  bit  15       BT
        bit  14       BS
        bit  13       BD
        bits 12..4    0
        bits 3..0     B3 B2 B1 B0

  DR5:  reserved
  DR4:  reserved
  DR3:  BREAKPOINT 3 LINEAR ADDRESS
  DR2:  BREAKPOINT 2 LINEAR ADDRESS
  DR1:  BREAKPOINT 1 LINEAR ADDRESS
  DR0:  BREAKPOINT 0 LINEAR ADDRESS

---------------------------------------------------------------------------
0 MEANS INTEL RESERVED. DO NOT DEFINE.
---------------------------------------------------------------------------
10085 12.2.1 Debug Address Registers (DR0-DR3)
10087 Each of these registers contains the linear address associated with one of
10088 four breakpoint conditions. Each breakpoint condition is further defined by
10091 The debug address registers are effective whether or not paging is enabled.
10092 The addresses in these registers are linear addresses. If paging is enabled,
10093 the linear addresses are translated into physical addresses by the
10094 processor's paging mechanism (as explained in Chapter 5). If paging is not
10095 enabled, these linear addresses are the same as physical addresses.
10097 Note that when paging is enabled, different tasks may have different
10098 linear-to-physical address mappings. When this is the case, an address in a
10099 debug address register may be relevant to one task but not to another. For
10100 this reason the 80386 has both global and local enable bits in DR7. These
10101 bits indicate whether a given debug address has a global (all tasks) or
10102 local (current task only) relevance.
10105 12.2.2 Debug Control Register (DR7)
10107 The debug control register shown in Figure 12-1 both helps to define the
10108 debug conditions and selectively enables and disables those conditions.
10110 For each address in registers DR0-DR3, the corresponding fields R/W0
10111 through R/W3 specify the type of action that should cause a breakpoint. The
10112 processor interprets these bits as follows:
10114 00 ‘‘ Break on instruction execution only
10115 01 ‘‘ Break on data writes only
10117 11 ‘‘ Break on data reads or writes but not instruction fetches
10119 Fields LEN0 through LEN3 specify the length of data item to be monitored. A
10120 length of 1, 2, or 4 bytes may be specified. The values of the length fields
10121 are interpreted as follows:
10123 00 ‘‘ one-byte length
10124 01 ‘‘ two-byte length
10126 11 ‘‘ four-byte length
10128 If RWn is 00 (instruction execution), then LENn should also be 00. Any other
10129 length is undefined.
10131 The low-order eight bits of DR7 (L0 through L3 and G0 through G3)
10132 selectively enable the four address breakpoint conditions. There are two
10133 levels of enabling: the local (L0 through L3) and global (G0 through G3)
10134 levels. The local enable bits are automatically reset by the processor at
10135 every task switch to avoid unwanted breakpoint conditions in the new task.
10136 The global enable bits are not reset by a task switch; therefore, they can
10137 be used for conditions that are global to all tasks.
10139 The LE and GE bits control the "exact data breakpoint match" feature of the
10140 processor. If either LE or GE is set, the processor slows execution so that
10141 data breakpoints are reported on the instruction that causes them. It is
10142 recommended that one of these bits be set whenever data breakpoints are
10143 armed. The processor clears LE at a task switch but does not clear GE.
10146 12.2.3 Debug Status Register (DR6)
10148 The debug status register shown in Figure 12-1 permits the debugger to
10149 determine which debug conditions have occurred.
10151 When the processor detects an enabled debug exception, it sets the
10152 low-order bits of this register (B0 through B3) before entering the debug
10153 exception handler. Bn is set if the condition described by DRn, LENn, and
10154 R/Wn occurs. (Note that the processor sets Bn regardless of whether Gn or
10155 Ln is set. If more than one breakpoint condition occurs at one time and if
10156 the breakpoint trap occurs due to an enabled condition other than n, Bn may
10157 be set, even though neither Gn nor Ln is set.)
10159 The BT bit is associated with the T-bit (debug trap bit) of the TSS (refer
10160 to Chapter 7 for the location of the T-bit). The processor sets the BT bit before
10161 entering the debug handler if a task switch has occurred and the T-bit of
10162 the new TSS is set. There is no corresponding bit in DR7 that enables and
10163 disables this trap; the T-bit of the TSS is the sole enabling bit.
10165 The BS bit is associated with the TF (trap flag) bit of the EFLAGS
10166 register. The BS bit is set if the debug handler is entered due to the
10167 occurrence of a single-step exception. The single-step trap is the
10168 highest-priority debug exception; therefore, when BS is set, any of the
10169 other debug status bits may also be set.
10171 The BD bit is set if the next instruction will read or write one of the
10172 eight debug registers and ICE-386 is also using the debug registers at the
10175 Note that the bits of DR6 are never cleared by the processor. To avoid any
10176 confusion in identifying the next debug exception, the debug handler should
10177 move zeros to DR6 immediately before returning.
10180 12.2.4 Breakpoint Field Recognition
10182 The linear address and LEN field for each of the four breakpoint conditions
10183 define a range of sequential byte addresses for a data breakpoint. The LEN
10184 field permits specification of a one-, two-, or four-byte field. Two-byte
10185 fields must be aligned on word boundaries (addresses that are multiples of
10186 two) and four-byte fields must be aligned on doubleword boundaries
10187 (addresses that are multiples of four). These requirements are enforced by
10188 the processor; it uses the LEN bits to mask the low-order bits of the
10189 addresses in the debug address registers. Improperly aligned code or data
10190 breakpoint addresses will not yield the expected results.
10192 A data read or write breakpoint is triggered if any of the bytes
10193 participating in a memory access is within the field defined by a breakpoint
10194 address register and the corresponding LEN field. Table 12-1 gives some
10195 examples of breakpoint fields with memory references that both do and do not
10198 To set a data breakpoint for a misaligned field longer than one byte, it
10199 may be desirable to use two of the breakpoint registers, such that each
10200 entry is properly aligned and the two entries together span the length of
10201 the field.
10203 Instruction breakpoint addresses must have a length specification of one
10204 byte (LEN = 00); other values are undefined. The processor recognizes an
10205 instruction breakpoint address only when it points to the first byte of an
10206 instruction. If the instruction has any prefixes, the breakpoint address
10207 must point to the first prefix.
10210 Table 12-1. Breakpoint Field Recognition Examples

10212                                         Address (hex)   Length
10214 Register Contents                  DR0  0A0001          1 (LEN0 = 00)
10215                                    DR1  0A0002          1 (LEN1 = 00)
10216                                    DR2  0B0002          2 (LEN2 = 01)
10217                                    DR3  0C0000          4 (LEN3 = 11)

10219 Some Examples of Memory                 0A0001          1
10220 References That Cause Traps             0A0002          1

10229 Some Examples of Memory                 0A0000          1
10230 References That Don't Cause Traps       0A0003          4
10235 12.3 Debug Exceptions
10237 Two of the interrupt vectors of the 80386 are reserved for exceptions that
10238 relate to debugging. Interrupt 1 is the primary means of invoking debuggers
10239 designed expressly for the 80386; interrupt 3 is intended for debugging
10240 debuggers and for compatibility with prior processors in Intel's 8086
10244 12.3.1 Interrupt 1 ‘‘ Debug Exceptions
10246 The handler for this exception is usually a debugger or part of a debugging
10247 system. The processor causes interrupt 1 for any of several conditions. The
10248 debugger can check flags in DR6 and DR7 to determine what condition caused
10249 the exception and what other conditions might be in effect at the same time.
10250 Table 12-2 associates with each breakpoint condition the combination of
10251 bits that indicate when that condition has caused the debug exception.
10253 Instruction address breakpoint conditions are faults, while other debug
10254 conditions are traps. The debug exception may report either or both at one
10255 time. The following paragraphs present details for each class of debug
10259 Table 12-2. Debug Exception Conditions
10261 Flags to Test                   Condition

10263 BS=1                            Single-step trap
10264 B0=1 AND (G0=1 OR L0=1)         Breakpoint DR0, LEN0, R/W0
10265 B1=1 AND (G1=1 OR L1=1)         Breakpoint DR1, LEN1, R/W1
10266 B2=1 AND (G2=1 OR L2=1)         Breakpoint DR2, LEN2, R/W2
10267 B3=1 AND (G3=1 OR L3=1)         Breakpoint DR3, LEN3, R/W3
      BT=1                            Task switch to a task whose TSS T-bit is set
10268 BD=1                            Debug registers not available; in use by ICE-386.
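The following C program is an added illustration, not code from Intel or from this manual. It models the DR7 field encoding of Figure 12-1, the field-recognition rule of Section 12.2.4 applied to the register contents of Table 12-1, and the Table 12-2 test that charges breakpoint n with the exception only when Bn is set and Gn or Ln is set. The R/W types chosen for the four breakpoints, and any access not listed in Table 12-1, are assumptions of the example. It runs in user space on any host and never touches the real debug registers.

```c
/* Added example: software model of 80386 debug-register breakpoint
 * recognition (Figure 12-1, Section 12.2.4, Tables 12-1 and 12-2).
 * Not Intel code; it touches no real DRn and runs on any host. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout: Ln = bit 2n, Gn = bit 2n+1, LE = bit 8, GE = bit 9,
 * R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n.
 * DR6 layout: Bn = bit n, BD = bit 13, BS = bit 14, BT = bit 15. */
enum { RW_EXEC = 0, RW_WRITE = 1, RW_RDWR = 3 };  /* encoding 10 is undefined */
enum { LEN_1 = 0, LEN_2 = 1, LEN_4 = 3 };          /* encoding 10 is undefined */
#define DR7_L(n)  (1u << (2 * (n)))
#define DR7_G(n)  (1u << (2 * (n) + 1))
#define DR7_LE    (1u << 8)
#define DR7_GE    (1u << 9)
#define DR6_B(n)  (1u << (n))

/* Program breakpoint n into a DR7 image and enable it (Gn or Ln). */
uint32_t dr7_set(uint32_t dr7, int n, unsigned rw, unsigned len, bool global)
{
    dr7 &= ~(0xFu << (16 + 4 * n));               /* clear old R/Wn and LENn */
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    return dr7 | (global ? DR7_G(n) : DR7_L(n));
}
unsigned dr7_rw(uint32_t dr7, int n)  { return (dr7 >> (16 + 4 * n)) & 3u; }
unsigned dr7_len(uint32_t dr7, int n) { return (dr7 >> (18 + 4 * n)) & 3u; }

/* Bytes covered by a LEN encoding; 0 for the undefined encoding 10. */
unsigned len_bytes(unsigned len)
{
    return len == LEN_1 ? 1 : len == LEN_2 ? 2 : len == LEN_4 ? 4 : 0;
}

/* The processor masks the low-order address bits according to LEN, so a
 * misaligned DRn is silently rounded down to the field's alignment. */
uint32_t field_start(uint32_t drn, unsigned len)
{
    unsigned b = len_bytes(len);
    return b ? drn & ~(uint32_t)(b - 1) : drn;
}

/* Data breakpoint n fires if ANY byte of a 'size'-byte access at 'addr'
 * lies inside the field [start, start + len). */
bool data_bp_hits(const uint32_t dr[4], uint32_t dr7, int n,
                  uint32_t addr, unsigned size)
{
    unsigned len = dr7_len(dr7, n), b = len_bytes(len);
    if (dr7_rw(dr7, n) == RW_EXEC || b == 0)
        return false;                             /* not a data breakpoint */
    uint32_t lo = field_start(dr[n], len);
    return addr < lo + b && addr + size > lo;
}

/* Bn bits the processor would set in DR6 for one data access. */
unsigned access_b_bits(const uint32_t dr[4], uint32_t dr7,
                       uint32_t addr, unsigned size)
{
    unsigned bits = 0;
    for (int n = 0; n < 4; n++)
        if (data_bp_hits(dr, dr7, n, addr, size))
            bits |= DR6_B(n);
    return bits;
}

/* Table 12-2: attribute the exception to breakpoint n only if Bn is set AND
 * Gn or Ln is set; the processor sets Bn even for a disabled condition. */
unsigned enabled_causes(uint32_t dr6, uint32_t dr7)
{
    unsigned causes = 0;
    for (int n = 0; n < 4; n++)
        if ((dr6 & DR6_B(n)) && (dr7 & (DR7_G(n) | DR7_L(n))))
            causes |= DR6_B(n);
    return causes;
}

/* Register contents from Table 12-1.  The R/W types are assumed here; the
 * table gives only addresses and lengths. */
const uint32_t TABLE_DR[4] = { 0x0A0001, 0x0A0002, 0x0B0002, 0x0C0000 };
uint32_t table_dr7(void)
{
    uint32_t dr7 = 0;
    dr7 = dr7_set(dr7, 0, RW_WRITE, LEN_1, true);
    dr7 = dr7_set(dr7, 1, RW_WRITE, LEN_1, true);
    dr7 = dr7_set(dr7, 2, RW_RDWR,  LEN_2, true);
    dr7 = dr7_set(dr7, 3, RW_RDWR,  LEN_4, true);
    return dr7 | DR7_GE;                          /* exact data breakpoint match */
}

int main(void)
{
    uint32_t dr7 = table_dr7();
    printf("DR7 = %08X\n", (unsigned)dr7);
    printf("write 0A0001/1 -> B bits %X\n", access_b_bits(TABLE_DR, dr7, 0x0A0001, 1));
    printf("read 0A0003/4  -> B bits %X\n", access_b_bits(TABLE_DR, dr7, 0x0A0003, 4));
    return 0;
}
```

field_start() reproduces the alignment masking described in Section 12.2.4: a four-byte breakpoint placed at 0C0002H behaves as if it had been placed at 0C0000H, which is why the text advises two aligned entries for a misaligned field. enabled_causes() is the test a debug handler should apply before it writes zeros to DR6, since Bn can be set for a breakpoint that is not enabled.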
10272 12.3.1.1 Instruction Address Breakpoint
10274 The processor reports an instruction-address breakpoint before it executes
10275 the instruction that begins at the given address; i.e., an instruction-
10276 address breakpoint exception is a fault.
10278 The RF (restart flag) permits the debug handler to retry instructions that
10279 cause other kinds of faults in addition to debug faults. When it detects a
10280 fault, the processor automatically sets RF in the flags image that it pushes
10281 onto the stack. (It does not, however, set RF for traps and aborts.)
10283 When RF is set, it causes any debug fault to be ignored during the next
10284 instruction. (Note, however, that RF does not cause breakpoint traps to be
10285 ignored, nor other kinds of faults.)
10287 The processor automatically clears RF at the successful completion of every
10288 instruction except after the IRET instruction, after the POPF instruction,
10289 and after a JMP, CALL, or INT instruction that causes a task switch. These
10290 instructions set RF to the value specified by the memory image of the EFLAGS
10293 The processor automatically sets RF in the EFLAGS image on the stack before
10294 entry into any fault handler. Upon entry into the fault handler for
10295 instruction address breakpoints, for example, RF is set in the EFLAGS image
10296 on the stack; therefore, the IRET instruction at the end of the handler will
10297 set RF in the EFLAGS register, and execution will resume at the breakpoint
10298 address without generating another breakpoint fault at the same address.
10300 If, after a debug fault, RF is set and the debug handler retries the
10301 faulting instruction, it is possible that retrying the instruction will
10302 raise other faults. The retry of the instruction after these faults will
10303 also be done with RF=1, with the result that debug faults continue to be
10304 ignored. The processor clears RF only after successful completion of the
10307 Real-mode debuggers can control the RF flag by using a 32-bit IRET. A
10308 16-bit IRET instruction does not affect the RF bit (which is in the
10309 high-order 16 bits of EFLAGS). To use a 32-bit IRET, the debugger must
10310 rearrange the stack so that it holds appropriate values for the 32-bit EIP,
10311 CS, and EFLAGS (with RF set in the EFLAGS image). Then executing an IRET
10312 with an operand size prefix causes a 32-bit return, popping the RF flag
10316 12.3.1.2 Data Address Breakpoint
10318 A data-address breakpoint exception is a trap; i.e., the processor reports
10319 a data-address breakpoint after executing the instruction that accesses the
10322 When using data breakpoints it is recommended that either the LE or GE bit
10323 of DR7 be set also. If either LE or GE is set, any data breakpoint trap is
10324 reported exactly after completion of the instruction that accessed the
10325 specified memory item. This exact reporting is accomplished by forcing the
10326 80386 execution unit to wait for completion of data operand transfers before
10327 beginning execution of the next instruction. If neither GE nor LE is set,
10328 data breakpoints may not be reported until one instruction after the data is
10329 accessed or may not be reported at all. This is due to the fact that,
10330 normally, instruction execution is overlapped with memory transfers to such
10331 a degree that execution of the next instruction may begin before memory
10332 transfers for the prior instruction are completed.
10334 If a debugger needs to preserve the contents of a write breakpoint
10335 location, it should save the original contents before setting a write
10336 breakpoint. Because data breakpoints are traps, a write into a breakpoint
10337 location will complete before the trap condition is reported. The handler
10338 can report the saved value after the breakpoint is triggered. The data in
10339 the debug registers can be used to address the new value stored by the
10340 instruction that triggered the breakpoint.
10343 12.3.1.3 General Detect Fault
10345 This exception occurs when an attempt is made to use the debug registers at
10346 the same time that ICE-386 is using them. This additional protection feature
10347 is provided to guarantee that ICE-386 can have full control over the
10348 debug-register resources when required. ICE-386 uses the debug-registers;
10349 therefore, a software debugger that also uses these registers cannot run
10350 while ICE-386 is in use. The exception handler can detect this condition by
10351 examining the BD bit of DR6.
10354 12.3.1.4 Single-Step Trap
10356 This debug condition occurs at the end of an instruction if the trap flag
10357 (TF) of the flags register held the value one at the beginning of that
10358 instruction. Note that the exception does not occur at the end of an
10359 instruction that sets TF. For example, if POPF is used to set TF, a
10360 single-step trap does not occur until after the instruction that follows
10363 The processor clears the TF bit before invoking the handler. If TF=1 in
10364 the flags image of a TSS at the time of a task switch, the exception occurs
10365 after the first instruction is executed in the new task.
10367 The single-step flag is normally not cleared by privilege changes inside a
10368 task. INT instructions, however, do clear TF. Therefore, software
10369 debuggers that single-step code must recognize and emulate INT n or INTO
10370 rather than executing them directly.
10372 To maintain protection, system software should check the current execution
10373 privilege level after any single step interrupt to see whether single
10374 stepping should continue at the current privilege level.
10376 The interrupt priorities in hardware guarantee that if an external
10377 interrupt occurs, single stepping stops. When both an external interrupt and
10378 a single step interrupt occur together, the single step interrupt is
10379 processed first. This clears the TF bit. After saving the return address or
10380 switching tasks, the external interrupt input is examined before the first
10381 instruction of the single step handler executes. If the external interrupt
10382 is still pending, it is then serviced. The external interrupt handler is not
10383 single-stepped. To single step an interrupt handler, just single step an INT
10384 n instruction that refers to the interrupt handler.
10387 12.3.1.5 Task Switch Breakpoint
10389 The debug exception also occurs after a switch to an 80386 task if the
10390 T-bit of the new TSS is set. The exception occurs after control has passed
10391 to the new task, but before the first instruction of that task is executed.
10392 The exception handler can detect this condition by examining the BT bit of
10393 the debug status register DR6.
10395 Note that if the debug exception handler is a task, the T-bit of its TSS
10396 should not be set. Failure to observe this rule will cause the processor to
10397 enter an infinite loop.
10400 12.3.2 Interrupt 3 ‘‘ Breakpoint Exception
10402 This exception is caused by execution of the breakpoint instruction INT 3.
10403 Typically, a debugger prepares a breakpoint by substituting the opcode of
10404 the one-byte breakpoint instruction in place of the first opcode byte of the
10405 instruction to be trapped. When execution of the INT 3 instruction causes
10406 the exception handler to be invoked, the saved value of CS:EIP points to the
10407 byte following the INT 3 instruction.
10409 With prior generations of processors, this feature is used extensively for
10410 trapping execution of specific instructions. With the 80386, the needs
10411 formerly filled by this feature are more conveniently solved via the debug
10412 registers and interrupt 1. However, the breakpoint exception is still
10413 useful for debugging debuggers, because the breakpoint exception can vector
10414 to a different exception handler than that used by the debugger. The
10415 breakpoint exception can also be useful when it is necessary to set a
10416 greater number of breakpoints than permitted by the debug registers.
10419 PART III COMPATIBILITY
10422 Chapter 13 Executing 80286 Protected-Mode Code
10424 ‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
10426 13.1 80286 Code Executes as a Subset of the 80386
10428 In general, programs designed for execution in protected mode on an 80286
10429 execute without modification on the 80386, because the features of the 80286
10430 are a subset of those of the 80386.
10432 All the descriptors used by the 80286 are supported by the 80386 as long as
10433 the Intel-reserved word (last word) of the 80286 descriptor is zero.
10435 The descriptors for data segments, executable segments, local descriptor
10436 tables, and task gates are common to both the 80286 and the 80386. Other
10437 80286 descriptors‘‘TSS segment, call gate, interrupt gate, and trap
10438 gate‘‘are supported by the 80386. The 80386 also has new versions of
10439 descriptors for TSS segment, call gate, interrupt gate, and trap gate that
10440 support the 32-bit nature of the 80386. Both sets of descriptors can be
10441 used simultaneously in the same system.
10443 For those descriptors that are common to both the 80286 and the 80386, the
10444 presence of zeros in the final word causes the 80386 to interpret these
10445 descriptors exactly as 80286 does; for example:
10447 Base Address The high-order eight bits of the 32-bit base address are
10448 zero, limiting base addresses to 24 bits.
10450 Limit The high-order four bits of the limit field are zero,
10451 restricting the value of the limit field to 64K.
10453 Granularity bit The granularity bit is zero, which implies that the value
10454 of the 16-bit limit is interpreted in units of one byte.
10456 B-bit In a data-segment descriptor, the B-bit is zero, implying
10457 that the segment is no larger than 64 Kbytes.
10459 D-bit In an executable-segment descriptor, the D-bit is zero,
10460 implying that 16-bit addressing and operands are the
10463 For formats of these descriptors and documentation of their use refer to
10464 the iAPX 286 Programmer's Reference Manual.
10467 13.2 Two Ways to Execute 80286 Tasks
10469 When porting 80286 programs to the 80386, there are two cases to consider:
10471 1. Porting an entire 80286 system to the 80386, complete with 80286
10472 operating system, loader, and system builder.
10474 In this case, all tasks will have 80286 TSSs. The 80386 is being used
10477 2. Porting selected 80286 applications to run in an 80386 environment
10478 with an 80386 operating system, loader, and system builder.
10480 In this case, the TSSs used to represent 80286 tasks should be
10481 changed to 80386 TSSs. It is theoretically possible to mix 80286 and
10482 80386 TSSs, but the benefits are slight and the problems are great. It
10483 is recommended that all tasks in a 80386 software system have 80386
10484 TSSs. It is not necessary to change the 80286 object modules
10485 themselves; TSSs are usually constructed by the operating system, by
10486 the loader, or by the system builder. Refer to Chapter 16 for further
10487 discussion of the interface between 16-bit and 32-bit code.
10490 13.3 Differences From 80286
10492 The few differences that do exist primarily affect operating system code.
10495 13.3.1 Wraparound of 80286 24-Bit Physical Address Space
10497 With the 80286, any base and offset combination that addresses beyond 16M
10498 bytes wraps around to the first megabyte of the 80286 address space. With
10499 the 80386, since it has a greater physical address space, any such address
10500 falls into the 17th megabyte. In the unlikely event that any software
10501 depends on this anomaly, the same effect can be simulated on the 80386 by
10502 using paging to map the first 64K bytes of the 17th megabyte of logical
10503 addresses to physical addresses in the first megabyte.
10506 13.3.2 Reserved Word of Descriptor
10508 Because the 80386 uses the contents of the reserved word (last word) of
10509 every descriptor, 80286 programs that place values in this word may not
10510 execute correctly on the 80386.
10513 13.3.3 New Descriptor Type Codes
10515 Operating-system code that manages space in descriptor tables often uses an
10516 invalid value in the access-rights field of descriptor-table entries to
10517 identify unused entries. Access rights values of 80H and 00H remain invalid
10518 for both the 80286 and 80386. Other values that were invalid on the
10519 80286 may be valid for the 80386 because of the additional descriptor types
10520 defined by the 80386.
10523 13.3.4 Restricted Semantics of LOCK
10525 The 80286 processor implements the bus lock function differently than the
10526 80386. Programs that use forms of memory locking specific to the 80286 may
10527 not execute properly when transported to a specific application of the
10530 The LOCK prefix and its corresponding output signal should only be used to
10531 prevent other bus masters from interrupting a data movement operation. LOCK
10532 may only be used with the following 80386 instructions when they modify
10533 memory. An undefined-opcode exception results from using LOCK before any
10536 Ž Bit test and change: BTS, BTR, BTC.
10538 Ž One-operand arithmetic and logical: INC, DEC, NOT, and NEG.
10539 Ž Two-operand arithmetic and logical: ADD, ADC, SUB, SBB, AND, OR, XOR.
10541 A locked instruction is guaranteed to lock only the area of memory defined
10542 by the destination operand, but may lock a larger memory area. For example,
10543 typical 8086 and 80286 configurations lock the entire physical memory space.
10544 With the 80386, the defined area of memory is guaranteed to be locked
10545 against access by a processor executing a locked instruction on exactly the
10546 same memory area, i.e., an operand with identical starting address and
10550 13.3.5 Additional Exceptions
10552 The 80386 defines new exceptions that can occur even in systems designed
10555 Ž Exception #6 ‘‘ invalid opcode
10557 This exception can result from improper use of the LOCK instruction.
10559 Ž Exception #14 ‘‘ page fault
10561 This exception may occur in an 80286 program if the operating system
10562 enables paging. Paging can be used in a system with 80286 tasks as long
10563 as all tasks use the same page directory. Because there is no place in
10564 an 80286 TSS to store the PDBR, switching to an 80286 task does not
10565 change the value of PDBR. Tasks ported from the 80286 should be given
10566 80386 TSSs so they can take full advantage of paging.
10569 Chapter 14 80386 Real-Address Mode
10571 ‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
10573 The real-address mode of the 80386 executes object code designed for
10574 execution on 8086, 8088, 80186, or 80188 processors, or for execution in the
10575 real-address mode of an 80286.
10577 In effect, the architecture of the 80386 in this mode is almost identical
10578 to that of the 8086, 8088, 80186, and 80188. To a programmer, an 80386 in
10579 real-address mode appears as a high-speed 8086 with extensions to the
10580 instruction set and registers. The principal features of this architecture
10581 are defined in Chapters 2 and 3.
10583 This chapter discusses certain additional topics that complete the system
10584 programmer's view of the 80386 in real-address mode:
10586 Ž Address formation.
10587 Ž Extensions to registers and instructions.
10588 Ž Interrupt and exception handling.
10589 Ž Entering and leaving real-address mode.
10590 Ž Real-address-mode exceptions.
10591 Ž Differences from 8086.
10592 Ž Differences from 80286 real-address mode.
10595 14.1 Physical Address Formation
10597 The 80386 provides a one Mbyte + 64 Kbyte memory space for an 8086 program.
10598 Segment relocation is performed as in the 8086: the 16-bit value in a
10599 segment selector is shifted left by four bits to form the base address of a
10600 segment. The effective address is extended with four high order zeros and
10601 added to the base to form a linear address as Figure 14-1 illustrates. (The
10602 linear address is equivalent to the physical address, because paging is not
10603 used in real-address mode.) Unlike the 8086, the resulting linear address
10604 may have up to 21 significant bits. There is a possibility of a carry when
10605 the base address is added to the effective address. On the 8086, the carried
10606 bit is truncated, whereas on the 80386 the carried bit is stored in bit
10607 position 20 of the linear address.
10609 Unlike the 8086 and 80286, 32-bit effective addresses can be generated (via
10610 the address-size prefix); however, the value of a 32-bit address may not
10611 exceed 65535 without causing an exception. For full compatibility with 80286
10612 real-address mode, pseudo-protection faults (interrupt 12 or 13 with no
10613 error code) occur if an effective address is generated outside the range 0
10617 Figure 14-1. Real-Address Mode Address Formation
10621 BASE            16-BIT SEGMENT SELECTOR          0 0 0 0
                                          +
10627 OFFSET          0 0 0 0    16-BIT EFFECTIVE ADDRESS
                                          =
10633 LINEAR ADDRESS  21-bit result (bit 20 holds the carry out of the addition)
10637 14.2 Registers and Instructions
10639 The register set available in real-address mode includes all the registers
10640 defined for the 8086 plus the new registers introduced by the 80386: FS, GS,
10641 debug registers, control registers, and test registers. New instructions
10642 that explicitly operate on the segment registers FS and GS are available,
10643 and the new segment-override prefixes can be used to cause instructions to
10644 utilize FS and GS for address calculations. Instructions can utilize 32-bit
10645 operands through the use of the operand size prefix.
10647 The instruction codes that cause undefined opcode traps (interrupt 6)
10648 include instructions of the protected mode that manipulate or interrogate
10649 80386 selectors and descriptors; namely, VERR, VERW, LAR, LSL, LTR, STR,
10650 LLDT, and SLDT. Programs executing in real-address mode are able to take
10651 advantage of the new applications-oriented instructions added to the
10652 architecture by the introduction of the 80186/80188, 80286 and 80386:
10654 Ž New instructions introduced by 80186/80188 and 80286.
10656 ‘‘ PUSH immediate data
10657 ‘‘ Push all and pop all (PUSHA and POPA)
10658 ‘‘ Multiply immediate data
10659 ‘‘ Shift and rotate by immediate count
10664 Ž New instructions introduced by 80386.
10666 ‘‘ LSS, LFS, LGS instructions
10667 ‘‘ Long-displacement conditional jumps
10668 ‘‘ Single-bit instructions
10670 ‘‘ Double-shift instructions
10671 ‘‘ Byte set on condition
10672 ‘‘ Move with sign/zero extension
10673 ‘‘ Generalized multiply
10674 ‘‘ MOV to and from control registers
10675 ‘‘ MOV to and from test registers
10676 ‘‘ MOV to and from debug registers
10679 14.3 Interrupt and Exception Handling
10681 Interrupts and exceptions in 80386 real-address mode work much as they
10682 do on an 8086. Interrupts and exceptions vector to interrupt procedures via
10683 an interrupt table. The processor multiplies the interrupt or exception
10684 identifier by four to obtain an index into the interrupt table. The entries
10685 of the interrupt table are far pointers to the entry points of interrupt or
10686 exception handler procedures. When an interrupt occurs, the processor
10687 pushes the current values of CS:IP onto the stack, disables interrupts,
10688 clears TF (the single-step flag), then transfers control to the location
10689 specified in the interrupt table. An IRET instruction at the end of the
10690 handler procedure reverses these steps before returning control to the
10691 interrupted procedure.
10693 The primary difference in the interrupt handling of the 80386 compared to
10694 the 8086 is that the location and size of the interrupt table depend on the
10695 contents of the IDTR (IDT register). Ordinarily, this fact is not apparent
10696 to programmers, because, after RESET, the IDTR contains a base address of 0
10697 and a limit of 3FFH, which is compatible with the 8086. However, the LIDT
10698 instruction can be used in real-address mode to change the base and limit
10699 values in the IDTR. Refer to Chapter 9 for details on the IDTR, and the
10700 LIDT and SIDT instructions. If an interrupt occurs and the corresponding
10701 entry of the interrupt table is beyond the limit stored in the IDTR, the
10702 processor raises exception 8.
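The following C model is an added illustration, not Intel code: it reproduces the address formation of Section 14.1 (the 8086 wraparound beside the 80386's 21-bit result, and the pseudo-protection fault for a 32-bit effective address above 0FFFFH) together with the interrupt-table lookup of Section 14.3, including the IDTR limit check that raises exception 8. The interrupt table it builds, with its base, limit and handler addresses, is constructed for the example.

```c
/* Added example: software model of 80386 real-address-mode address
 * formation (Section 14.1) and interrupt-table lookup through IDTR
 * (Section 14.3).  Not Intel code; the interrupt table is constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CPU_8086, CPU_80386 };

/* (selector << 4) + 16-bit effective address.  The 8086 loses the carry out
 * of bit 19 (wrap into the first megabyte); the 80386 keeps it as bit 20, so
 * FFFF:FFFF addresses 10FFEFH rather than 0FFEFH. */
uint32_t real_linear(uint16_t seg, uint16_t ea, int cpu)
{
    uint32_t lin = ((uint32_t)seg << 4) + ea;
    return cpu == CPU_8086 ? lin & 0x0FFFFFu : lin & 0x1FFFFFu;
}

/* A 32-bit effective address (address-size prefix) is accepted only up to
 * 0FFFFH.  Returns the pseudo-protection fault vector raised otherwise:
 * 12 for a stack reference, 13 for any other segment, 0 for no fault. */
int real_ea32_fault(uint32_t ea32, bool stack_ref)
{
    if (ea32 <= 0xFFFFu) return 0;
    return stack_ref ? 12 : 13;
}

/* IDTR in real mode: base and limit of the interrupt table.  After RESET it
 * holds base 0, limit 3FFH (256 four-byte entries), matching the 8086. */
typedef struct { uint32_t base; uint16_t limit; } idtr_t;

/* Fetch the far pointer for 'vector' (entry offset = vector * 4).  Returns
 * the entry packed as CS << 16 | IP, or -1 when the entry lies beyond
 * IDTR.limit, where the processor would raise exception 8 instead. */
int64_t ivt_entry(const idtr_t *idtr, const uint8_t *mem, size_t memsize,
                  unsigned vector)
{
    uint32_t off = vector * 4u;
    if (off + 3u > idtr->limit) return -1;        /* beyond limit: exception 8 */
    uint32_t a = idtr->base + off;
    if (a + 4u > memsize) return -1;              /* outside the model's memory */
    uint32_t ip = mem[a] | ((uint32_t)mem[a + 1] << 8);   /* little-endian */
    uint32_t cs = mem[a + 2] | ((uint32_t)mem[a + 3] << 8);
    return (int64_t)((cs << 16) | ip);
}

/* Constructed sample: a table at base 0 holding three handlers.  The handler
 * addresses are invented for the example. */
static void build_sample_ivt(uint8_t *mem)
{
    static const uint16_t handler[3][2] = {       /* {IP, CS} */
        { 0x1234, 0xF000 },                       /* vector 0: divide error */
        { 0xFF53, 0xF000 },                       /* vector 1: debug */
        { 0x0100, 0x0040 },                       /* vector 2: NMI */
    };
    for (unsigned v = 0; v < 3; v++) {
        mem[v * 4 + 0] = (uint8_t)(handler[v][0] & 0xFF);
        mem[v * 4 + 1] = (uint8_t)(handler[v][0] >> 8);
        mem[v * 4 + 2] = (uint8_t)(handler[v][1] & 0xFF);
        mem[v * 4 + 3] = (uint8_t)(handler[v][1] >> 8);
    }
}

/* Look up 'vector' in the sample table under a given IDTR limit. */
int64_t sample_ivt_entry(unsigned vector, uint16_t limit)
{
    uint8_t mem[0x400];
    memset(mem, 0, sizeof mem);
    build_sample_ivt(mem);
    idtr_t idtr = { 0, limit };
    return ivt_entry(&idtr, mem, sizeof mem, vector);
}

int main(void)
{
    printf("FFFF:FFFF on 8086  = %05X\n", (unsigned)real_linear(0xFFFF, 0xFFFF, CPU_8086));
    printf("FFFF:FFFF on 80386 = %06X\n", (unsigned)real_linear(0xFFFF, 0xFFFF, CPU_80386));
    int64_t e = sample_ivt_entry(1, 0x3FF);
    printf("vector 1 -> %04X:%04X\n", (unsigned)(e >> 16), (unsigned)(e & 0xFFFF));
    printf("vector 2 with limit 7 -> %s\n",
           sample_ivt_entry(2, 7) < 0 ? "exception 8" : "ok");
    return 0;
}
```

The limit check is the one practical difference from the 8086 that a real-mode program can observe: after LIDT has shrunk the table, a vector whose entry falls past the limit no longer dispatches to whatever lies in memory but raises exception 8.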
10705 14.4 Entering and Leaving Real-Address Mode
10707 Real-address mode is in effect after a signal on the RESET pin. Even if the
10708 system is going to be used in protected mode, the start-up program will
10709 execute in real-address mode temporarily while initializing for protected
10713 14.4.1 Switching to Protected Mode
10715 The only way to leave real-address mode is to switch to protected mode. The
10716 processor enters protected mode when a MOV to CR0 instruction sets the PE
10717 (protection enable) bit in CR0. (For compatibility with the 80286, the LMSW
10718 instruction may also be used to set the PE bit.)
10720 Refer to Chapter 10 "Initialization" for other aspects of switching to
10724 14.5 Switching Back to Real-Address Mode
10726 The processor reenters real-address mode if software clears the PE bit in
10727 CR0 with a MOV to CR0 instruction. A procedure that attempts to do this,
10728 however, should proceed as follows:
10730 1. If paging is enabled, perform the following sequence:
10732 Ž Transfer control to linear addresses that have an identity mapping;
10733 i.e., linear addresses equal physical addresses.
10735 Ž Clear the PG bit in CR0.
10737 Ž Move zeros to CR3 to clear out the paging cache.
10739 2. Transfer control to a segment that has a limit of 64K (FFFFH). This
10740 loads the CS register with the limit it needs to have in real mode.
10742 3. Load segment registers SS, DS, ES, FS, and GS with a selector that
10743 points to a descriptor containing the following values, which are
10744 appropriate to real mode:
10746 Ž Limit = 64K (FFFFH)
10747 Ž Byte granular (G = 0)
10748 Ž Expand up (E = 0)
10753 4. Disable interrupts. A CLI instruction disables INTR interrupts. NMIs
10754 can be disabled with external circuitry.
10756 5. Clear the PE bit.
10758 6. Jump to the real mode code to be executed using a far JMP. This
10759 action flushes the instruction queue and puts appropriate values in
10760 the access rights of the CS register.
10762 7. Use the LIDT instruction to load the base and limit of the real-mode
10763 interrupt vector table.
10765 8. Enable interrupts.
10767 9. Load the segment registers as needed by the real-mode code.
14.6 Real-Address Mode Exceptions

The 80386 reports some exceptions differently when executing in
real-address mode than when executing in protected mode. Table 14-1 details
the real-address-mode exceptions.
14.7 Differences From 8086

In general, the 80386 in real-address mode will correctly execute ROM-based
software designed for the 8086, 8088, 80186, and 80188. Following is a list
of the minor differences between 8086 execution on the 80386 and on an 8086.

1. Instruction clock counts.

    The 80386 takes fewer clocks for most instructions than the 8086/8088.
    The areas most likely to be affected are:

    * Delays required by I/O devices between I/O operations.

    * Assumed delays with 8086/8088 operating in parallel with an 8087.

2. Divide Exceptions Point to the DIV instruction.

    Divide exceptions on the 80386 always leave the saved CS:IP value
    pointing to the instruction that failed. On the 8086/8088, the CS:IP
    value points to the next instruction.

3. Undefined 8086/8088 opcodes.

    Opcodes that were not defined for the 8086/8088 will cause exception
    6 or will execute one of the new instructions defined for the 80386.

4. Value written by PUSH SP.

    The 80386 pushes a different value on the stack for PUSH SP than the
    8086/8088. The 80386 pushes the value of SP before SP is incremented
    as part of the push operation; the 8086/8088 pushes the value of SP
    after it is incremented. If the value pushed is important, replace
    PUSH SP instructions with the following three instructions:

    This code functions as the 8086/8088 PUSH SP instruction on the 80386.

5. Shift or rotate by more than 31 bits.

    The 80386 masks all shift and rotate counts to the low-order five
    bits. This MOD 32 operation limits the count to a maximum of 31 bits,
    thereby limiting the time that interrupt response is delayed while
    the instruction is executing.

6. Redundant prefixes.

    The 80386 sets a limit of 15 bytes on instruction length. The only
    way to violate this limit is by putting redundant prefixes before an
    instruction. Exception 13 occurs if the limit on instruction length
    is violated. The 8086/8088 has no instruction length limit.

7. Operand crossing offset 0 or 65,535.

    On the 8086, an attempt to access a memory operand that crosses
    offset 65,535 (e.g., MOV a word to offset 65,535) or offset 0 (e.g.,
    PUSH a word when SP = 1) causes the offset to wrap around modulo
    65,536. The 80386 raises an exception in these cases: exception 13 if
    the segment is a data segment (i.e., if CS, DS, ES, FS, or GS is being
    used to address the segment), exception 12 if the segment is a stack
    segment (i.e., if SS is being used).

8. Sequential execution across offset 65,535.

    On the 8086, if sequential execution of instructions proceeds past
    offset 65,535, the processor fetches the next instruction byte from
    offset 0 of the same segment. On the 80386, the processor raises
    exception 13 in such a case.

9. LOCK is restricted to certain instructions.

    The LOCK prefix and its corresponding output signal should only be
    used to prevent other bus masters from interrupting a data movement
    operation. The 80386 always asserts the LOCK signal during an XCHG
    instruction with memory (even if the LOCK prefix is not used). LOCK
    may only be used with the following 80386 instructions when they
    update memory: BTS, BTR, BTC, XCHG, ADD, ADC, SUB, SBB, INC, DEC,
    AND, OR, XOR, NOT, and NEG. An undefined-opcode exception
    (interrupt 6) results from using LOCK before any other instruction.

10. Single-stepping external interrupt handlers.

    The priority of the 80386 single-step exception is different from that
    of the 8086/8088. The change prevents an external interrupt handler
    from being single-stepped if the interrupt occurs while a program is
    being single-stepped. The 80386 single-step exception has higher
    priority than any external interrupt. The 80386 will still single-step
    through an interrupt handler invoked by the INT instructions or by an

11. IDIV exceptions for quotients of 80H or 8000H.

    The 80386 can generate the largest negative number as a quotient for
    the IDIV instruction. The 8086/8088 causes exception zero instead.

12. Flags in stack.

    The setting of the flags stored by PUSHF, by interrupts, and by
    exceptions is different from that stored by the 8086 in bit positions
    12 through 15. On the 8086 these bits are stored as ones, but in
    80386 real-address mode bit 15 is always zero, and bits 14 through 12
    reflect the last value loaded into them.

13. NMI interrupting NMI handlers.

    After an NMI is recognized on the 80386, the NMI interrupt is masked
    until an IRET instruction is executed.

14. Coprocessor errors vector to interrupt 16.

    Any 80386 system with a coprocessor must use interrupt vector 16 for
    the coprocessor error exception. If an 8086/8088 system uses another
    vector for the 8087 interrupt, both vectors should point to the
    coprocessor-error exception handler.

15. Numeric exception handlers should allow prefixes.

    On the 80386, the value of CS:IP saved for coprocessor exceptions
    points at any prefixes before an ESC instruction. On 8086/8088
    systems, the saved CS:IP points to the ESC instruction.

16. Coprocessor does not use interrupt controller.

    The coprocessor error signal to the 80386 does not pass through an
    interrupt controller (an 8087 INT signal does). Some instructions in
    a coprocessor error handler may need to be deleted if they deal with
    the interrupt controller.

17. Six new interrupt vectors.

    The 80386 adds six exceptions that arise only if the 8086 program has
    a hidden bug. It is recommended that exception handlers be added that
    treat these exceptions as invalid operations. This additional
    software does not significantly affect the existing 8086 software
    because the interrupts do not normally occur. These interrupt
    identifiers should not already have been used by the 8086 software,
    because they are in the range reserved by Intel. Table 14-2 describes
    the new 80386 exceptions.

18. One megabyte wraparound.

    The 80386 does not wrap addresses at 1 megabyte in real-address mode.
    On members of the 8086 family, it is possible to specify addresses
    greater than one megabyte. For example, with a selector value 0FFFFH
    and an offset of 0FFFFH, the effective address would be 10FFEFH (1
    Mbyte + 65519). The 8086, which can form addresses only up to 20 bits
    long, truncates the high-order bit, thereby "wrapping" this address
    to 0FFEFH. However, the 80386, which can form addresses up to 32
    bits long, does not truncate such an address.
Table 14-1. 80386 Real-Address Mode Exceptions

Description                      Interrupt  Function that Can         Return Address
                                 Number     Generate the Exception    Points to Faulting
                                                                      Instruction?

Divide error                     0          DIV, IDIV                 YES
Debug exceptions                 1          All
    Some debug exceptions point to the faulting instruction, others to the
    next instruction. The exception handler can determine which has occurred by
Breakpoint                       3          INT                       NO
Bounds check                     5          BOUND                     YES
Invalid opcode                   6          Any undefined opcode or   YES
                                            LOCK used with wrong
                                            instruction
Coprocessor not available        7          ESC or WAIT               YES
Interrupt table limit too small  8          INT vector is not within  YES
                                            IDTR
Stack fault                      12         Memory operand crosses    YES
                                            offset
Pseudo-protection exception      13         Memory operand crosses    YES
                                            offset 0FFFFH or attempt
                                            to execute past offset
                                            0FFFFH or instruction
                                            longer than 15
Coprocessor error                16         ESC or WAIT               YES
    Coprocessor errors are reported on the first ESC or WAIT instruction
    after the ESC instruction that caused the error.
Two-byte SW interrupt            0-255      INT n                     NO

Table 14-2. New 80386 Exceptions

Interrupt    Description
Identifier

5            A BOUND instruction was executed with a register value outside
6            An undefined opcode was encountered or LOCK was used improperly
             before an instruction to which it does not apply.
7            The EM bit in the MSW is set when an ESC instruction was
             encountered. This exception also occurs on a WAIT instruction
8            An exception or interrupt has vectored to an interrupt table
             entry beyond the interrupt table limit in IDTR. This can occur
             only if the LIDT instruction has changed the limit from the
             default value of 3FFH, which is enough for all 256 interrupt
12           Operand crosses extremes of stack segment, e.g., MOV operation
             at offset 0FFFFH or push with SP=1 during PUSH, CALL, or INT.
13           Operand crosses extremes of a segment other than a stack
             segment; or sequential instruction execution attempts to
             proceed beyond offset 0FFFFH; or an instruction is longer than
             15 bytes (including prefixes).
14.8 Differences From 80286 Real-Address Mode

The few differences that exist between 80386 real-address mode and 80286
real-address mode are not likely to affect any existing 80286 programs
except possibly the system initialization procedures.

The 80286 processor implements the bus lock function differently than the
80386. Programs that use forms of memory locking specific to the 80286 may
not execute properly if transported to a specific application of the 80386.

The LOCK prefix and its corresponding output signal should only be used to
prevent other bus masters from interrupting a data movement operation. LOCK
may only be used with the following 80386 instructions when they modify
memory. An undefined-opcode exception results from using LOCK before any

* Bit test and change: BTS, BTR, BTC.

* One-operand arithmetic and logical: INC, DEC, NOT, and NEG.

* Two-operand arithmetic and logical: ADD, ADC, SUB, SBB, AND, OR, XOR.

A locked instruction is guaranteed to lock only the area of memory defined
by the destination operand, but may lock a larger memory area. For example,
typical 8086 and 80286 configurations lock the entire physical memory space.
With the 80386, the defined area of memory is guaranteed to be locked against
access by a processor executing a locked instruction on exactly the same
memory area, i.e., an operand with identical starting address and identical
14.8.2 Location of First Instruction

The starting location is 0FFFFFFF0H (sixteen bytes from end of 32-bit
address space) on the 80386 rather than 0FFFFF0H (sixteen bytes from end of
24-bit address space) as on the 80286. Many 80286 ROM initialization
programs will work correctly in this new environment. Others can be made to
work correctly with external hardware that redefines the signals on

14.8.3 Initial Values of General Registers

On the 80386, certain general registers may contain different values after
RESET than on the 80286. This should not cause compatibility problems,
because the content of 8086 registers after RESET is undefined. If
self-test is requested during the reset sequence and errors are detected in
the 80386 unit, EAX will contain a nonzero value. EDX contains the component
and revision identifier. Refer to Chapter 10 for more information.

14.8.4 MSW Initialization

The 80286 initializes the MSW register to FFF0H, but the 80386 initializes
this register to 0000H. This difference should have no effect, because the
bits that are different are undefined on the 80286. Programs that read the
value of the MSW will behave differently on the 80386 only if they depend on
the setting of the undefined, high-order bits.
Chapter 15 Virtual 8086 Mode

The 80386 supports execution of one or more 8086, 8088, 80186, or 80188
programs in an 80386 protected-mode environment. An 8086 program runs in
this environment as part of a V86 (virtual 8086) task. V86 tasks take
advantage of the hardware support of multitasking offered by the protected
mode. Not only can there be multiple V86 tasks, each one executing an 8086
program, but V86 tasks can be multiprogrammed with other 80386 tasks.

The purpose of a V86 task is to form a "virtual machine" with which to
execute an 8086 program. A complete virtual machine consists not only of
80386 hardware but also of systems software. Thus, the emulation of an 8086
is the result of cooperation between hardware and software:

* The hardware provides a virtual set of registers (via the TSS), a
  virtual memory space (the first megabyte of the linear address space of
  the task), and directly executes all instructions that deal with these
  registers and with this address space.

* The software controls the external interfaces of the virtual machine
  (I/O, interrupts, and exceptions) in a manner consistent with the
  larger environment in which it executes. In the case of I/O, software
  can choose either to emulate I/O instructions or to let the hardware
  execute them directly without software intervention.

Software that helps implement virtual 8086 machines is called a V86
15.1 Executing 8086 Code

The processor executes in V86 mode when the VM (virtual machine) bit in the
EFLAGS register is set. The processor tests this flag under two general

1. When loading segment registers to know whether to use 8086-style

2. When decoding instructions to determine which instructions are

Except for these two modifications to its normal operations, the 80386 in
V86 mode operates much as in protected mode.

15.1.1 Registers and Instructions

The register set available in V86 mode includes all the registers defined
for the 8086 plus the new registers introduced by the 80386: FS, GS, debug
registers, control registers, and test registers. New instructions that
explicitly operate on the segment registers FS and GS are available, and the
new segment-override prefixes can be used to cause instructions to utilize
FS and GS for address calculations. Instructions can utilize 32-bit
operands through the use of the operand size prefix.

8086 programs running as V86 tasks are able to take advantage of the new
applications-oriented instructions added to the architecture by the
introduction of the 80186/80188, 80286 and 80386:

* New instructions introduced by 80186/80188 and 80286.
  - PUSH immediate data
  - Push all and pop all (PUSHA and POPA)
  - Multiply immediate data
  - Shift and rotate by immediate count

* New instructions introduced by 80386.
  - LSS, LFS, LGS instructions
  - Long-displacement conditional jumps
  - Single-bit instructions
  - Double-shift instructions
  - Byte set on condition
  - Move with sign/zero extension
  - Generalized multiply
15.1.2 Linear Address Formation

In V86 mode, the 80386 processor does not interpret 8086 selectors by
referring to descriptors; instead, it forms linear addresses as an 8086
would. It shifts the selector left by four bits to form a 20-bit base
address. The effective address is extended with four high-order zeros and
added to the base address to create a linear address as Figure 15-1

Because of the possibility of a carry, the resulting linear address may
contain up to 21 significant bits. An 8086 program may generate linear
addresses anywhere in the range 0 to 10FFEFH (one megabyte plus
approximately 64 Kbytes) of the task's linear address space.

V86 tasks generate 32-bit linear addresses. While an 8086 program can only
utilize the low-order 21 bits of a linear address, the linear address can be
mapped via page tables to any 32-bit physical address.

Unlike the 8086 and 80286, 32-bit effective addresses can be generated (via
the address-size prefix); however, the value of a 32-bit address may not
exceed 65,535 without causing an exception. For full compatibility with
80286 real-address mode, pseudo-protection faults (interrupt 12 or 13 with
no error code) occur if an address is generated outside the range 0 through

Figure 15-1. V86 Mode Address Formation

                  +---------------------------------+---------+
  BASE            |     16-BIT SEGMENT SELECTOR     | 0 0 0 0 |
                  +---------------------------------+---------+

                  +---------+---------------------------------+
  OFFSET          | 0 0 0 0 |     16-BIT EFFECTIVE ADDRESS    |
                  +---------+---------------------------------+

  LINEAR          +-------------------------------------------+
  ADDRESS         |        21-BIT LINEAR ADDRESS (SUM)        |
                  +-------------------------------------------+
15.2 Structure of a V86 Task

A V86 task consists partly of the 8086 program to be executed and partly of
80386 "native mode" code that serves as the virtual-machine monitor. The
task must be represented by an 80386 TSS (not an 80286 TSS). The processor
enters V86 mode to execute the 8086 program and returns to protected mode to
execute the monitor or other 80386 tasks.

To run successfully in V86 mode, an existing 8086 program needs the

* Operating-system services.

The V86 monitor is 80386 protected-mode code that executes at
privilege-level zero. The monitor consists primarily of initialization and
exception-handling procedures. As for any other 80386 program,
executable-segment descriptors for the monitor must exist in the GDT or in
the task's LDT. The linear addresses above 10FFEFH are available for the
V86 monitor, the operating system, and other systems software. The monitor
may also need data-segment descriptors so that it can examine the interrupt
vector table or other parts of the 8086 program in the first megabyte of the

In general, there are two options for implementing the 8086 operating

1. The 8086 operating system may run as part of the 8086 code. This
   approach is desirable for any of the following reasons:

   * The 8086 applications code modifies the operating system.

   * There is not sufficient development time to reimplement the 8086
     operating system as 80386 code.

2. The 8086 operating system may be implemented or emulated in the V86
   monitor. This approach is desirable for any of the following reasons:

   * Operating system functions can be more easily coordinated among

   * The functions of the 8086 operating system can be easily emulated
     by calls to the 80386 operating system.

Note that, regardless of the approach chosen for implementing the 8086
operating system, different V86 tasks may use different 8086 operating
15.2.1 Using Paging for V86 Tasks

Paging is not necessary for a single V86 task, but paging is useful or
necessary for any of the following reasons:

* To create multiple V86 tasks. Each task must map the lower megabyte of
  linear addresses to different physical locations.

* To emulate the megabyte wrap. On members of the 8086 family, it is
  possible to specify addresses larger than one megabyte. For example,
  with a selector value of 0FFFFH and an offset of 0FFFFH, the effective
  address would be 10FFEFH (one megabyte + 65519). The 8086, which can
  form addresses only up to 20 bits long, truncates the high-order bit,
  thereby "wrapping" this address to 0FFEFH. The 80386, however, which
  can form addresses up to 32 bits long does not truncate such an
  address. If any 8086 programs depend on this addressing anomaly, the
  same effect can be achieved in a V86 task by mapping linear addresses
  between 100000H and 110000H and linear addresses between 0 and 10000H
  to the same physical addresses.

* To create a virtual address space larger than the physical address

* To share 8086 OS code or ROM code that is common to several 8086
  programs that are executing simultaneously.

* To redirect or trap references to memory-mapped I/O devices.
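The address arithmetic described in Section 14.7 (items 7 and 18), in Section 15.1.2 and in the megabyte-wrap bullet above, worked through as an added C example; this is not code from Intel or from this manual. It models the 8086 and 80386 selector:offset sums, the pseudo-protection check for an operand that crosses offset 0FFFFH, and a toy page map that aliases linear 100000H..10FFFFH onto 0..0FFFFH. The page-map structure, the 4 KB page size used for the aliasing and all function names are assumptions made for the example; the structure is not the 80386 page-table format.

```c
#include <stdbool.h>
#include <stdint.h>

/* Linear address that an 8086-style selector:offset pair denotes on the
 * 80386, in real-address mode and in V86 mode alike: the selector is shifted
 * left four bits and the zero-extended offset is added. A carry out of bit 19
 * is kept, so the result has up to 21 significant bits (maximum 10FFEFH). */
uint32_t linear_80386(uint16_t selector, uint16_t offset)
{
    return ((uint32_t)selector << 4) + offset;
}

/* The 8086 has only 20 address lines, so the same sum is truncated and
 * 10FFEFH "wraps" to 0FFEFH (Section 14.7, item 18). */
uint32_t linear_8086(uint16_t selector, uint16_t offset)
{
    return linear_80386(selector, offset) & 0xFFFFFu;
}

/* Section 14.7 item 7 and Section 15.1.2: an operand that starts at `offset`
 * (the lowest address it touches; for a PUSH that is SP-2 computed modulo
 * 65,536) and is `size` bytes long must lie entirely within 0..0FFFFH. The
 * 80386 raises exception 12 for the stack segment (SS) or 13 for any other
 * segment instead of wrapping the offset as the 8086 did. Returns 0 when the
 * access is legal, otherwise the exception number. */
unsigned pseudo_protection_fault(bool stack_segment, uint32_t offset, unsigned size)
{
    uint32_t last = offset + size - 1;
    if (offset <= 0xFFFFu && last <= 0xFFFFu)
        return 0;
    return stack_segment ? 12 : 13;
}

/* Toy page map for one V86 task (an assumption of this example, not the
 * 80386 page-table layout): 4 KB pages covering the 1 MB + 64 KB of linear
 * space an 8086 program can reach. Each entry is a physical page frame number. */
#define PAGE_SHIFT 12
#define V86_PAGES  (0x110000u >> PAGE_SHIFT)        /* 272 pages */
#define MB_PAGE    (0x100000u >> PAGE_SHIFT)        /* first page above 1 MB */

typedef struct {
    uint32_t frame[V86_PAGES];
} v86_page_map;

/* Identity-map the task's space. With emulate_wrap set, linear pages
 * 100000H..10FFFFH alias the physical pages of 0..0FFFFH, which reproduces
 * the 8086 megabyte wrap for programs that depend on it (Section 15.2.1). */
void v86_build_page_map(v86_page_map *m, bool emulate_wrap)
{
    for (uint32_t p = 0; p < V86_PAGES; p++) {
        uint32_t frame = p;
        if (emulate_wrap && p >= MB_PAGE)
            frame = p - MB_PAGE;
        m->frame[p] = frame;
    }
}

/* Translate a linear address through the map. Returns false for addresses
 * the map does not cover (the monitor's own pages would live up there). */
bool v86_translate(const v86_page_map *m, uint32_t linear, uint32_t *phys)
{
    uint32_t page = linear >> PAGE_SHIFT;
    if (page >= V86_PAGES)
        return false;
    *phys = (m->frame[page] << PAGE_SHIFT) | (linear & 0xFFFu);
    return true;
}
```

With emulation switched on, 0FFFFH:0FFFFH translates to physical 0FFEFH, exactly what the 8086 would have produced; with it off, the same pair reaches 10FFEFH, as the text says the 80386 does.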
15.2.2 Protection within a V86 Task

Because it does not refer to descriptors while executing 8086 programs, the
processor also does not utilize the protection mechanisms offered by
descriptors. To protect the systems software that runs in a V86 task from
the 8086 program, software designers may follow either of these approaches:

* Reserve the first megabyte (plus 64 kilobytes) of each task's linear
  address space for the 8086 program. An 8086 task cannot generate
  addresses outside this range.

* Use the U/S bit of page-table entries to protect the virtual-machine
  monitor and other systems software in each virtual 8086 task's space.
  When the processor is in V86 mode, CPL is 3. Therefore, an 8086 program
  has only user privileges. If the pages of the virtual-machine monitor
  have supervisor privilege, they cannot be accessed by the 8086 program.
15.3 Entering and Leaving V86 Mode

Figure 15-2 summarizes the ways that the processor can enter and leave an
8086 program. The processor can enter V86 by either of two means:

1. A task switch to an 80386 task loads the image of EFLAGS from the new
   TSS. The TSS of the new task must be an 80386 TSS, not an 80286 TSS,
   because the 80286 TSS does not store the high-order word of EFLAGS,
   which contains the VM flag. A value of one in the VM bit of the new
   EFLAGS indicates that the new task is executing 8086 instructions;
   therefore, while loading the segment registers from the TSS, the
   processor forms base addresses as the 8086 would.

2. An IRET from a procedure of an 80386 task loads the image of EFLAGS
   from the stack. A value of one in VM in this case indicates that the
   procedure to which control is being returned is an 8086 procedure. The
   CPL at the time the IRET is executed must be zero, else the processor
   does not change VM.

The processor leaves V86 mode when an interrupt or exception occurs. There

1. The interrupt or exception causes a task switch. A task switch from a
   V86 task to any other task loads EFLAGS from the TSS of the new task.
   If the new TSS is an 80386 TSS and the VM bit in the EFLAGS image is
   zero or if the new TSS is an 80286 TSS, then the processor clears the
   VM bit of EFLAGS, loads the segment registers from the new TSS using
   80386-style address formation, and begins executing the instructions
   of the new task according to 80386 protected-mode semantics.

2. The interrupt or exception vectors to a privilege-level zero
   procedure. The processor stores the current setting of EFLAGS on the
   stack, then clears the VM bit. The interrupt or exception handler,
   therefore, executes as "native" 80386 protected-mode code. If an
   interrupt or exception vectors to a conforming segment or to a
   privilege level other than three, the processor causes a
   general-protection exception; the error code is the selector of the
   executable segment to which transfer was attempted.

Systems software does not manipulate the VM flag directly, but rather
manipulates the image of the EFLAGS register that is stored on the stack or
in the TSS. The V86 monitor sets the VM flag in the EFLAGS image on the
stack or in the TSS when first creating a V86 task. Exception and interrupt
handlers can examine the VM flag on the stack. If the interrupted procedure
was executing in V86 mode, the handler may need to invoke the V86 monitor.

Figure 15-2. Entering and Leaving the 8086 Program

MODE TRANSITION DIAGRAM

                              +---------------+
                              | INITIAL ENTRY |
                              +---------------+
                                      |
                            TASK SWITCH OR IRET
                                      v
      +----------------+  INTERRUPT, EXCEPTION  +----------------+
      |  8086 PROGRAM  | ---------------------> |  V86 MONITOR   |
      |   (V86 MODE)   | <--------------------- |  (PROTECTED    |
      +----------------+         IRET           |   MODE)        |
           ^      |                             +----------------+
TASK SWITCH|      |TASK SWITCH          TASK SWITCH ^      |TASK SWITCH
           |      v                                 |      v
      +---------------------------------------------------------+
      |            OTHER 80386 TASKS (PROTECTED MODE)           |
      +---------------------------------------------------------+
15.3.1 Transitions Through Task Switches

A task switch to or from a V86 task may be due to any of three causes:

1. An interrupt that vectors to a task gate.
2. An action of the scheduler of the 80386 operating system.
3. An IRET when the NT flag is set.

In any of these cases, the processor changes the VM bit in EFLAGS according
to the image of EFLAGS in the new TSS. If the new TSS is an 80286 TSS, the
high-order word of EFLAGS is not in the TSS; the processor clears VM in this
case. The processor updates VM prior to loading the segment registers from
the images in the new TSS. The new setting of VM determines whether the
processor interprets the new segment-register images as 8086 selectors or
80386/80286 selectors.
15.3.2 Transitions Through Trap Gates and Interrupt Gates

The processor leaves V86 mode as the result of an exception or interrupt
that vectors via a trap or interrupt gate to a privilege-level zero
procedure. The exception or interrupt handler returns to the 8086 code by

Because it was designed for execution by an 8086 processor, an 8086 program
in a V86 task will have an 8086-style interrupt table starting at linear
address zero. However, the 80386 does not use this table directly. For all
exceptions and interrupts that occur in V86 mode, the processor vectors
through the IDT. The IDT entry for an interrupt or exception that occurs in
a V86 task must contain either:

* An 80386 trap gate (type 14) or an 80386 interrupt gate (type 15),
  which must point to a nonconforming, privilege-level zero, code

Interrupts and exceptions that have 80386 trap or interrupt gates in the
IDT vector to the appropriate handler procedure at privilege-level zero. The
contents of all the 8086 segment registers are stored on the PL 0 stack.
Figure 15-3 shows the format of the PL 0 stack after an exception or
interrupt that occurs while a V86 task is executing an 8086 program.

After the processor stores all the 8086 segment registers on the PL 0
stack, it loads all the segment registers with zeros before starting to
execute the handler procedure. This permits the interrupt handler to safely
save and restore the DS, ES, FS, and GS registers as 80386 selectors.
Interrupt handlers that may be invoked in the context of either a regular
task or a V86 task can use the same prolog and epilog code for register
saving regardless of the kind of task. Restoring zeros to these registers
before execution of the IRET does not cause a trap in the interrupt handler.
Interrupt procedures that expect values in the segment registers or that
return values via segment registers have to use the register images stored
on the PL 0 stack. Interrupt handlers that need to know whether the
interrupt occurred in V86 mode can examine the VM bit in the stored EFLAGS

An interrupt handler passes control to the V86 monitor if the VM bit is set
in the EFLAGS image stored on the stack and the interrupt or exception is
one that the monitor needs to handle. The V86 monitor may either:

* Handle the interrupt completely within the V86 monitor.
* Invoke the 8086 program's interrupt handler.

Reflecting an interrupt or exception back to the 8086 code involves the

1. Refer to the 8086 interrupt vector to locate the appropriate handler

2. Store the state of the 8086 program on the privilege-level three

3. Change the return link on the privilege-level zero stack to point to
   the privilege-level three handler procedure.

4. Execute an IRET so as to pass control to the handler.

5. When the IRET by the privilege-level three handler again traps to the
   V86 monitor, restore the return link on the privilege-level zero stack
   to point to the originally interrupted, privilege-level three

6. Execute an IRET so as to pass control back to the interrupted
Figure 15-3. PL 0 Stack after Interrupt in V86 Task

                  WITHOUT ERROR CODE                    WITH ERROR CODE

                +------+-------+ <-- SS:ESP           +------+-------+ <-- SS:ESP
                |//////|OLD GS |     FROM TSS         |//////|OLD GS |     FROM TSS
                +------+-------+                      +------+-------+
  DIRECTION     |//////|OLD FS |                      |//////|OLD FS |
  OF            +------+-------+                      +------+-------+
  EXPANSION     |//////|OLD DS |                      |//////|OLD DS |
                +------+-------+                      +------+-------+
      |         |//////|OLD ES |                      |//////|OLD ES |
      |         +------+-------+                      +------+-------+
      |         |//////|OLD SS |                      |//////|OLD SS |
      |         +------+-------+                      +------+-------+
      |         |   OLD ESP    |                      |   OLD ESP    |
      |         +--------------+                      +--------------+
      |         |  OLD EFLAGS  |                      |  OLD EFLAGS  |
      |         +------+-------+                      +------+-------+
      |         |//////|OLD CS |                      |//////|OLD CS |
      v         +------+-------+                      +------+-------+
                |   OLD EIP    | <-- NEW SS:ESP       |   OLD EIP    |
                +--------------+                      +--------------+
                                                      |  ERROR CODE  | <-- NEW SS:ESP
                                                      +--------------+

  (////// marks the unused upper half of a 32-bit slot holding a 16-bit
   segment register image; addresses decrease toward the bottom)
15.4 Additional Sensitive Instructions

When the 80386 is executing in V86 mode, the instructions PUSHF, POPF,
INT n, and IRET are sensitive to IOPL. The instructions IN, INS, OUT, and
OUTS, which are ordinarily sensitive in protected mode, are not sensitive
in V86 mode. Following is a complete list of instructions that are sensitive

CLI   -- Clear Interrupt-Enable Flag
STI   -- Set Interrupt-Enable Flag
LOCK  -- Assert Bus-Lock Signal
PUSHF -- Push Flags
INT n -- Software Interrupt
IRET  -- Interrupt Return

CPL is always three in V86 mode; therefore, if IOPL < 3, these instructions
will trigger a general-protection exception. These instructions are made
sensitive so that their functions can be simulated by the V86 monitor.
15.4.1 Emulating 8086 Operating System Calls

INT n is sensitive so that the V86 monitor can intercept calls to the
8086 OS. Many 8086 operating systems are called by pushing parameters onto
the stack, then executing an INT n instruction. If IOPL < 3, INT n
instructions will be intercepted by the V86 monitor. The V86 monitor can
then emulate the function of the 8086 operating system or reflect the
interrupt back to the 8086 operating system in V86 mode.
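The reflection path just described, carried out with steps 1 through 5 of Section 15.3.2 on the PL 0 frame of Figure 15-3, as an added C simulation; this is not code from this manual or from any Intel monitor. It assumes a flat byte array standing in for the task's first megabyte plus 64 KB, an in-memory copy of the PL 0 frame with the error-code slot omitted, and a constructed interrupt vector 21H installed at linear 84H. The names v86_frame, v86_space, v86_reflect_interrupt and v86_emulate_iret are this example's own; the monitor's own IRET (steps 4 and 6) is the hardware instruction and is left to the caller.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define EFLAGS_TF (1u << 8)
#define EFLAGS_IF (1u << 9)
#define EFLAGS_VM (1u << 17)

/* PL 0 stack frame that an interrupt in V86 mode pushes (Figure 15-3),
 * listed from the lowest address upward. The error-code slot that some
 * exceptions push is omitted in this simulation. */
typedef struct {
    uint32_t eip, cs, eflags, esp, ss, es, ds, fs, gs;
} v86_frame;

/* The V86 task's 8086 address space: 1 MB plus the 64 KB above it. */
typedef struct { uint8_t mem[0x110000]; } v86_space;

v86_space v86_demo_space;   /* constructed sample space used by v86_demo_init() */

static uint32_t lin(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

static uint16_t rd16(const v86_space *s, uint16_t seg, uint16_t off)
{
    uint32_t a = lin(seg, off);
    return (uint16_t)(s->mem[a] | (s->mem[a + 1] << 8));
}

static void wr16(v86_space *s, uint16_t seg, uint16_t off, uint16_t v)
{
    uint32_t a = lin(seg, off);
    s->mem[a] = (uint8_t)v;
    s->mem[a + 1] = (uint8_t)(v >> 8);
}

/* Push/pop on the 8086 program's own stack (SS:SP taken from the frame).
 * SP wraps within the 64 KB segment, as it would on an 8086. */
static void push16(v86_space *s, v86_frame *f, uint16_t v)
{
    uint16_t sp = (uint16_t)(f->esp - 2);
    wr16(s, (uint16_t)f->ss, sp, v);
    f->esp = sp;
}

static uint16_t pop16(v86_space *s, v86_frame *f)
{
    uint16_t v = rd16(s, (uint16_t)f->ss, (uint16_t)f->esp);
    f->esp = (uint16_t)(f->esp + 2);
    return v;
}

/* Steps 1-3 of Section 15.3.2: read the 8086 interrupt vector at linear
 * vector*4, save FLAGS, CS and IP of the interrupted 8086 code on the PL 3
 * stack the way an 8086 INT would, and change the PL 0 return link to the
 * 8086 handler. Returns false if the frame does not belong to a V86 task. */
bool v86_reflect_interrupt(v86_space *s, v86_frame *f, uint8_t vector)
{
    if (!(f->eflags & EFLAGS_VM))
        return false;
    uint16_t handler_ip = rd16(s, 0, (uint16_t)(vector * 4));
    uint16_t handler_cs = rd16(s, 0, (uint16_t)(vector * 4 + 2));
    push16(s, f, (uint16_t)f->eflags);     /* low word of EFLAGS = 8086 FLAGS image */
    push16(s, f, (uint16_t)f->cs);
    push16(s, f, (uint16_t)f->eip);
    f->eflags &= ~(EFLAGS_IF | EFLAGS_TF); /* an 8086 INT starts its handler with IF and TF clear */
    f->cs = handler_cs;
    f->eip = handler_ip;
    return true;
}

/* Step 5: the 8086 handler's IRET is IOPL-sensitive (Section 15.4) and traps
 * to the monitor, which pops IP, CS and FLAGS off the 8086 stack and restores
 * the PL 0 return link to the originally interrupted code. The high word of
 * EFLAGS (VM among others) is kept as the frame had it. */
bool v86_emulate_iret(v86_space *s, v86_frame *f)
{
    if (!(f->eflags & EFLAGS_VM))
        return false;
    uint16_t ip = pop16(s, f);
    uint16_t cs = pop16(s, f);
    uint16_t flags = pop16(s, f);
    f->eip = ip;
    f->cs = cs;
    f->eflags = (f->eflags & 0xFFFF0000u) | flags;
    return true;
}

/* Install a constructed 8086 interrupt vector 21H -> 1234H:0010H. */
void v86_demo_init(void)
{
    memset(&v86_demo_space, 0, sizeof v86_demo_space);
    wr16(&v86_demo_space, 0, 0x21 * 4, 0x0010);      /* IP */
    wr16(&v86_demo_space, 0, 0x21 * 4 + 2, 0x1234);  /* CS */
}
```

The virtual IF of Section 15.4.2 is not modelled beyond clearing IF in the image the handler starts with; a monitor that virtualizes IF would keep its own copy of the program's IF rather than letting the image drive the hardware flag.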
11508 15.4.2 Virtualizing the Interrupt-Enable Flag
11510 When the processor is executing 8086 code in a V86 task, the instructions
11511 PUSHF, POPF, and IRET are sensitive to IOPL so that the V86 monitor can
11512 control changes to the interrupt-enable flag (IF). Other instructions that
11513 affect IF (STI and CLI) are IOPL sensitive both in 8086 code and in
11516 Many 8086 programs that were designed to execute on single-task systems set
11517 and clear IF to control interrupts. However, when these same programs are
11518 executed in a multitasking environment, such control of IF can be
11519 disruptive. If IOPL is less than three, all instructions that change or
11520 interrogate IF will trap to the V86 monitor. The V86 monitor can then
11521 control IF in a manner that both suits the needs of the larger environment
11522 and is transparent to the 8086 program.
11527 Many 8086 programs that were designed to execute on single-task systems use
11528 I/O devices directly. However, when these same programs are executed in a
11529 multitasking environment, such use of devices can be disruptive. The 80386
11530 provides sufficient flexibility to control I/O in a manner that both suits
11531 the needs of the new environment and is transparent to the 8086 program.
11532 Designers may take any of several possible approaches to controlling I/O:
11534 Ž Implement or emulate the 8086 operating system as an 80386 program and
11535 require the 8086 application to do I/O via software interrupts to the
11536 operating system, trapping all attempts to do I/O directly.
11538 Ž Let the 8086 program take complete control of all I/O.
11540 Ž Selectively trap and emulate references that a task makes to specific
11543 Ž Trap or redirect references to memory-mapped I/O addresses.
11545 The method of controlling I/O depends upon whether I/O ports are I/O mapped
11549 15.5.1 I/O-Mapped I/O
11551 I/O-mapped I/O in V86 mode differs from protected mode only in that the
11552 protection mechanism does not consult IOPL when executing the I/O
11553 instructions IN, INS, OUT, OUTS. Only the I/O permission bit map controls
11554 the right for V86 tasks to execute these I/O instructions.
11556 The I/O permission map traps I/O instructions selectively depending on the
11557 I/O addresses to which they refer. The I/O permission bit map of each V86
11558 task determines which I/O addresses are trapped for that task. Because each
11559 task may have a different I/O permission bit map, the addresses trapped for
11560 one task may be different from those trapped for others. Refer to Chapter 8
11561 for more information about the I/O permission map.
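The permission check of 15.5.1 written out in C, as an added example rather than code from the manual or from Intel. Chapter 8 defines the bit map (one bit per port, a set bit meaning trap, and ports past the end of the map treated as trapping); the struct, function names and the COM1-only policy below are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the manual: the permission check the 80386 applies
 * to IN, INS, OUT and OUTS in V86 mode, written out so the edge cases are
 * explicit. One bit per port, bit set = trap. Every byte of the access is
 * checked (a word access to port 3FFh also needs the bit for port 400h), and
 * a port whose bit lies beyond the end of the map (cut off by the TSS limit)
 * is treated as if its bit were set. Struct and function names are the
 * example's own. */

typedef struct {
    const uint8_t *bits;    /* the bitmap stored in the TSS          */
    size_t         nbytes;  /* bytes of the map below the TSS limit  */
} io_map_t;

/* Returns 1 if the access is permitted, 0 if it must trap to the monitor. */
int io_access_allowed(const io_map_t *m, uint16_t port, unsigned width) {
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;
        if (p > 0xFFFF)         return 0;   /* access runs past the 64K port space */
        if (p / 8 >= m->nbytes) return 0;   /* beyond the map: the bit reads as 1  */
        if (m->bits[p / 8] & (1u << (p % 8))) return 0;
    }
    return 1;
}

/* Mark an inclusive port range as trapping (trap=1) or pass-through (trap=0).
 * The caller guarantees the range lies inside the map. */
void io_map_set(uint8_t *bits, uint16_t first, uint16_t last, int trap) {
    for (uint32_t p = first; p <= last; p++) {
        if (trap) bits[p / 8] |=  (uint8_t)(1u << (p % 8));
        else      bits[p / 8] &= (uint8_t)~(1u << (p % 8));
    }
}

/* Constructed policy for one V86 task: only the COM1 register block
 * (3F8h-3FFh) is passed through. The map covers ports 0-3FFh, so every port
 * above 3FFh traps as well because its bit is beyond the map. */
int com1_policy_allows(uint16_t port, unsigned width) {
    static uint8_t bits[0x400 / 8];
    memset(bits, 0xFF, sizeof bits);             /* default: everything traps */
    io_map_set(bits, 0x3F8, 0x3FF, 0);           /* open the COM1 window      */
    io_map_t m = { bits, sizeof bits };
    return io_access_allowed(&m, port, width);
}
```

The two checks that matter for a monitor author are the ones a naive "is bit N clear" test misses: a word or doubleword access must have every byte's bit clear, and an access that straddles the last mapped port is denied even when the mapped part is open. Because each task carries its own map in its TSS, the same device can be passed through to one task and trapped for every other.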
11564 15.5.2 Memory-Mapped I/O
11566 In hardware designs that utilize memory-mapped I/O, the paging facilities
11567 of the 80386 can be used to trap or redirect I/O operations. Each task that
11568 executes memory-mapped I/O must have a page (or pages) for the memory-mapped
11569 address space. The V86 monitor may control memory-mapped I/O by any of
11572 Ž Assign the memory-mapped page to appropriate physical addresses.
11573 Different tasks may have different physical addresses, thereby
11574 preventing the tasks from interfering with each other.
11576 Ž Cause a trap to the monitor by forcing a page fault on the
11577 memory-mapped page. Read-only pages trap writes. Not-present pages trap
11578 both reads and writes.
11580 Intervention for every I/O might be excessive for some kinds of I/O
11581 devices. A page fault can still be used in this case to cause intervention
11582 on the first I/O operation. The monitor can then at least make sure that the
11583 task has exclusive access to the device. Then the monitor can change the
11584 page status to present and read/write, allowing subsequent I/O to proceed at
11588 15.5.3 Special I/O Buffers
11590 Buffers of intelligent controllers (for example, a bit-mapped graphics
11591 buffer) can also be virtualized via page mapping. The linear space for the
11592 buffer can be mapped to a different physical space for each virtual 8086
11593 task. The V86 monitor can then assume responsibility for spooling the data
11594 or assigning the virtual buffer to the real buffer at appropriate times.
11597 15.6 Differences From 8086
11599 In general, V86 mode will correctly execute software designed for the 8086,
11600 8088, 80186, and 80188. Following is a list of the minor differences between
11601 8086 execution on the 80386 and on an 8086.
11603 1. Instruction clock counts.
11605 The 80386 takes fewer clocks for most instructions than the
11606 8086/8088. The areas most likely to be affected are:
11608 Ž Delays required by I/O devices between I/O operations.
11610 Ž Assumed delays with 8086/8088 operating in parallel with an 8087.
11612 2. Divide exceptions point to the DIV instruction.
11614 Divide exceptions on the 80386 always leave the saved CS:IP value
11615 pointing to the instruction that failed. On the 8086/8088, the CS:IP
11616 value points to the next instruction.
11618 3. Undefined 8086/8088 opcodes.
11620 Opcodes that were not defined for the 8086/8088 will cause exception
11621 6 or will execute one of the new instructions defined for the 80386.
11623 4. Value written by PUSH SP.
11625 The 80386 pushes a different value on the stack for PUSH SP than the
11626 8086/8088. The 80386 pushes the value of SP before SP is incremented
11627 as part of the push operation; the 8086/8088 pushes the value of SP
11628 after it is incremented. If the value pushed is important, replace
11629 PUSH SP instructions with the following three instructions:
11635 This code functions as the 8086/8088 PUSH SP instruction on the
11638 5. Shift or rotate by more than 31 bits.
11640 The 80386 masks all shift and rotate counts to the low-order five
11641 bits. This MOD 32 operation limits the count to a maximum of 31 bits,
11642 thereby limiting the time that interrupt response is delayed while
11643 the instruction is executing.
11645 6. Redundant prefixes.
11647 The 80386 sets a limit of 15 bytes on instruction length. The only
11648 way to violate this limit is by putting redundant prefixes before an
11649 instruction. Exception 13 occurs if the limit on instruction length
11650 is violated. The 8086/8088 has no instruction length limit.
11652 7. Operand crossing offset 0 or 65,535.
11654 On the 8086, an attempt to access a memory operand that crosses
11655 offset 65,535 (e.g., MOV a word to offset 65,535) or offset 0 (e.g.,
11656 PUSH a word when SP = 1) causes the offset to wrap around modulo
11657 65,536. The 80386 raises an exception in these cases: exception 13 if
11658 the segment is a data segment (i.e., if CS, DS, ES, FS, or GS is
11659 being used to address the segment), exception 12 if the segment is a
11660 stack segment (i.e., if SS is being used).
11662 8. Sequential execution across offset 65,535.
11664 On the 8086, if sequential execution of instructions proceeds past
11665 offset 65,535, the processor fetches the next instruction byte from
11666 offset 0 of the same segment. On the 80386, the processor raises
11667 exception 13 in such a case.
11669 9. LOCK is restricted to certain instructions.
11671 The LOCK prefix and its corresponding output signal should only be
11672 used to prevent other bus masters from interrupting a data movement
11673 operation. The 80386 always asserts the LOCK signal during an XCHG
11674 instruction with memory (even if the LOCK prefix is not used). LOCK
11675 may only be used with the following 80386 instructions when they
11676 update memory: BTS, BTR, BTC, XCHG, ADD, ADC, SUB, SBB, INC, DEC,
11677 AND, OR, XOR, NOT, and NEG. An undefined-opcode exception (interrupt
11678 6) results from using LOCK before any other instruction.
11680 10. Single-stepping external interrupt handlers.
11682 The priority of the 80386 single-step exception is different from
11683 that of the 8086/8088. The change prevents an external interrupt
11684 handler from being single-stepped if the interrupt occurs while a
11685 program is being single-stepped. The 80386 single-step exception has
11686 higher priority than any external interrupt. The 80386 will still
11687 single-step through an interrupt handler invoked by the INT
11688 instructions or by an exception.
11690 11. IDIV exceptions for quotients of 80H or 8000H.
11692 The 80386 can generate the largest negative number as a quotient for
11693 the IDIV instruction. The 8086/8088 causes exception zero instead.
11695 12. Flags in stack.
11697 The setting of the flags stored by PUSHF, by interrupts, and by
11698 exceptions is different from that stored by the 8086 in bit positions
11699 12 through 15. On the 8086 these bits are stored as ones, but in V86
11700 mode bit 15 is always zero, and bits 14 through 12 reflect the last
11701 value loaded into them.
11703 13. NMI interrupting NMI handlers.
11705 After an NMI is recognized on the 80386, the NMI interrupt is masked
11706 until an IRET instruction is executed.
11708 14. Coprocessor errors vector to interrupt 16.
11710 Any 80386 system with a coprocessor must use interrupt vector 16 for
11711 the coprocessor error exception. If an 8086/8088 system uses another
11712 vector for the 8087 interrupt, both vectors should point to the
11713 coprocessor-error exception handler.
11715 15. Numeric exception handlers should allow prefixes.
11717 On the 80386, the value of CS:IP saved for coprocessor exceptions
11718 points at any prefixes before an ESC instruction. On 8086/8088
11719 systems, the saved CS:IP points to the ESC instruction itself.
11721 16. Coprocessor does not use interrupt controller.
11723 The coprocessor error signal to the 80386 does not pass through an
11724 interrupt controller (an 8087 INT signal does). Some instructions in
11725 a coprocessor error handler may need to be deleted if they deal with
11726 the interrupt controller.
11729 15.7 Differences From 80286 Real-Address Mode
11731 The 80286 processor implements the bus lock function differently than the
11732 80386. This fact may or may not be apparent to 8086 programs, depending on
11733 how the V86 monitor handles the LOCK prefix. LOCKed instructions are
11734 sensitive to IOPL; therefore, software designers can choose to emulate the LOCK
11735 function. If, however, 8086 programs are allowed to execute LOCK directly,
11736 programs that use forms of memory locking specific to the 8086 may not
11737 execute properly when transported to a specific application of the 80386.
11739 The LOCK prefix and its corresponding output signal should only be used to
11740 prevent other bus masters from interrupting a data movement operation. LOCK
11741 may only be used with the following 80386 instructions when they modify
11742 memory. An undefined-opcode exception results from using LOCK before any
11745 Ž Bit test and change: BTS, BTR, BTC.
11746 Ž Exchange: XCHG.
11747 Ž One-operand arithmetic and logical: INC, DEC, NOT, and NEG.
11748 Ž Two-operand arithmetic and logical: ADD, ADC, SUB, SBB, AND, OR, XOR.
11750 A locked instruction is guaranteed to lock only the area of memory defined
11751 by the destination operand, but may lock a larger memory area. For example,
11752 typical 8086 and 80286 configurations lock the entire physical memory space.
11753 With the 80386, the defined area of memory is guaranteed to be locked
11754 against access by a processor executing a locked instruction on exactly the
11755 same memory area, i.e., an operand with identical starting address and
11759 Chapter 16 Mixing 16-Bit and 32-Bit Code
11761 ‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
11763 The 80386 running in protected mode is a 32-bit microprocessor, but it is
11764 designed to support 16-bit processing at three levels:
11766 1. Executing 8086/80286 16-bit programs efficiently with complete
11769 2. Mixing 16-bit modules with 32-bit modules.
11771 3. Mixing 16-bit and 32-bit addresses and operands within one module.
11773 The first level of support for 16-bit programs has already been discussed
11774 in Chapter 13, Chapter 14, and Chapter 15. This chapter shows how 16-bit
11775 and 32-bit modules can cooperate with one another, and how one module can
11776 utilize both 16-bit and 32-bit operands and addressing.
11778 The 80386 functions most efficiently when it is possible to distinguish
11779 between pure 16-bit modules and pure 32-bit modules. A pure 16-bit module
11780 has these characteristics:
11782 Ž All segments occupy 64 Kilobytes or less.
11783 Ž Data items are either 8 bits or 16 bits wide.
11784 Ž Pointers to code and data have 16-bit offsets.
11785 Ž Control is transferred only among 16-bit segments.
11787 A pure 32-bit module has these characteristics:
11789 Ž Segments may occupy more than 64 Kilobytes (zero bytes to 4
11792 Ž Data items are either 8 bits or 32 bits wide.
11794 Ž Pointers to code and data have 32-bit offsets.
11796 Ž Control is transferred only among 32-bit segments.
11798 Pure 16-bit modules do exist; they are the modules designed for 16-bit
11799 microprocessors. Pure 32-bit modules may exist in new programs designed
11800 explicitly for the 80386. However, as systems designers move applications
11801 from 16-bit processors to the 32-bit 80386, it will not always be possible
11802 to maintain these ideals of pure 16-bit or 32-bit modules. It may be
11803 expedient to execute old 16-bit modules in a new 32-bit environment without
11804 making source-code changes to the old modules if any of the following
11805 conditions is true:
11807 Ž Modules will be converted one-by-one from 16-bit environments to
11808 32-bit environments.
11810 Ž Older, 16-bit compilers and software-development tools will be
11811 utilized in the new 32-bit operating environment until new 32-bit
11812 versions can be created.
11814 Ž The source code of 16-bit modules is not available for modification.
11816 Ž The specific data structures used by a given module inherently utilize
11819 Ž The native word size of the source language is 16 bits.
11821 On the 80386, 16-bit modules can be mixed with 32-bit modules. To design a
11822 system that mixes 16- and 32-bit code requires an understanding of the
11823 mechanisms that the 80386 uses to invoke and control its 32-bit and 16-bit
11827 16.1 How the 80386 Implements 16-Bit and 32-Bit Features
11829 The features of the architecture that permit the 80386 to work equally well
11830 with 32-bit and 16-bit address and operand sizes include:
11832 Ž The D-bit (default bit) of code-segment descriptors, which determines
11833 the default choice of operand-size and address-size for the
11834 instructions of a code segment. (In real-address mode and V86 mode,
11835 which do not use descriptors, the default is 16 bits.) A code segment
11836 whose D-bit is set is known as a USE32 segment; a code segment whose
11837 D-bit is zero is a USE16 segment. The D-bit eliminates the need to
11838 encode the operand size and address size in instructions when all
11839 instructions use operands and effective addresses of the same size.
11841 Ž Instruction prefixes that explicitly override the default choice of
11842 operand size and address size (available in protected mode as well as
11843 in real-address mode and V86 mode).
11845 Ž Separate 32-bit and 16-bit gates for intersegment control transfers
11846 (including call gates, interrupt gates, and trap gates). The operand
11847 size for the control transfer is determined by the type of gate, not by
11848 the D-bit or prefix of the transfer instruction.
11850 Ž Registers that can be used both for 32-bit and 16-bit operands and
11851 effective-address calculations.
11853 Ž The B-bit (big bit) of data-segment descriptors, which determines the
11854 size of stack pointer (32-bit ESP or 16-bit SP) used by the CPU for
11855 implicit stack references.
11858 16.2 Mixing 32-Bit and 16-Bit Operations
11860 The 80386 has two instruction prefixes that allow mixing of 32-bit and
11861 16-bit operations within one segment:
11863 Ž The operand-size prefix (66H)
11864 Ž The address-size prefix (67H)
11866 These prefixes reverse the default size selected by the D-bit. For example,
11867 the processor can interpret the word-move instruction MOV mem, reg in any of
11870 Ž In a USE32 segment:
11872 1. Normally moves 32 bits from a 32-bit register to a 32-bit
11873 effective address in memory.
11875 2. If preceded by an operand-size prefix, moves 16 bits from a 16-bit
11876 register to 32-bit effective address in memory.
11878 3. If preceded by an address-size prefix, moves 32 bits from a 32-bit
11879 register to a 16-bit effective address in memory.
11881 4. If preceded by both an address-size prefix and an operand-size
11882 prefix, moves 16 bits from a 16-bit register to a 16-bit effective
11885 Ž In a USE16 segment:
11887 1. Normally moves 16 bits from a 16-bit register to a 16-bit
11888 effective address in memory.
11890 2. If preceded by an operand-size prefix, moves 32 bits from a 32-bit
11891 register to 16-bit effective address in memory.
11893 3. If preceded by an address-size prefix, moves 16 bits from a 16-bit
11894 register to a 32-bit effective address in memory.
11896 4. If preceded by both an address-size prefix and an operand-size
11897 prefix, moves 32 bits from a 32-bit register to a 32-bit effective
11900 These examples illustrate that any instruction can generate any combination
11901 of operand size and address size regardless of whether the instruction is in
11902 a USE16 or USE32 segment. The choice of the USE16 or USE32 attribute for a
11903 code segment is based upon these criteria:
11905 1. The need to address instructions or data in segments that are larger
11908 2. The predominant size of operands.
11910 3. The addressing modes desired. (Refer to Chapter 17 for an explanation
11911 of the additional addressing modes that are available when 32-bit
11912 addressing is used.)
11914 Choosing a setting of the D-bit that is contrary to the predominant size of
11915 operands requires the generation of an excessive number of operand-size
11919 16.3 Sharing Data Segments Among Mixed Code Segments
11921 Because the choice of operand size and address size is defined in code
11922 segments and their descriptors, data segments can be shared freely among
11923 both USE16 and USE32 code segments. The only limitation is the one imposed
11924 by pointers with 16-bit offsets, which can only point to the first 64
11925 Kilobytes of a segment. When a data segment that contains more than 64
11926 Kilobytes is to be shared among USE32 and USE16 segments, the data that is
11927 to be accessed by the USE16 segments must be located within the first 64
11930 A stack that spans addresses less than 64K can be shared by both USE16 and
11931 USE32 code segments. This class of stacks includes:
11933 Ž Stacks in expand-up segments with G=0 and B=0.
11935 Ž Stacks in expand-down segments with G=0 and B=0.
11937 Ž Stacks in expand-up segments with G=1 and B=0, in which the stack is
11938 contained completely within the lower 64 Kilobytes. (Offsets greater
11939 than 64K can be used for data, other than the stack, that is not
11942 The B-bit of a stack segment cannot, in general, be used to change the size
11943 of stack used by a USE16 code segment. The size of stack pointer used by the
11944 processor for implicit stack references is controlled by the B-bit of the
11945 data-segment descriptor for the stack. Implicit references are those caused
11946 by interrupts, exceptions, and instructions such as PUSH, POP, CALL, and
11947 RET. One might be tempted, therefore, to try to increase beyond 64K the
11948 size of the stack used by 16-bit code simply by supplying a larger stack
11949 segment with the B-bit set. However, the B-bit does not control explicit
11950 stack references, such as accesses to parameters or local variables. A USE16
11951 code segment can utilize a "big" stack only if the code is modified so that
11952 all explicit references to the stack are preceded by the address-size
11953 prefix, causing those references to use 32-bit addressing.
11955 In big, expand-down segments (B=1, G=1, and E=1), all offsets are greater
11956 than 64K, therefore USE16 code cannot utilize such a stack segment unless
11957 the code segment is modified to employ 32-bit addressing. (Refer to Chapter
11958 6 for a review of the B, G, and E bits.)
11961 16.4 Transferring Control Among Mixed Code Segments
11963 When transferring control among procedures in USE16 and USE32 code
11964 segments, programmers must be aware of three points:
11966 Ž Addressing limitations imposed by pointers with 16-bit offsets.
11968 Ž Matching of operand-size attribute in effect for the CALL/RET pair and
11969 the Interrupt/IRET pair so as to manage the stack correctly.
11971 Ž Translation of parameters, especially pointer parameters.
11973 Clearly, 16-bit effective addresses cannot be used to address data or code
11974 located beyond 64K in a 32-bit segment, nor can large 32-bit parameters be
11975 squeezed into a 16-bit word; however, except for these obvious limits, most
11976 interfacing problems between 16-bit and 32-bit modules can be solved. Some
11977 solutions involve inserting interface procedures between the procedures in
11981 16.4.1 Size of Code-Segment Pointer
11983 For control-transfer instructions that use a pointer to identify the next
11984 instruction (i.e., those that do not use gates), the size of the offset
11985 portion of the pointer is determined by the operand-size attribute. The
11986 implications of the use of two different sizes of code-segment pointer are:
11988 Ž JMP, CALL, or RET from 32-bit segment to 16-bit segment is always
11989 possible using a 32-bit operand size.
11991 Ž JMP, CALL, or RET from 16-bit segment using a 16-bit operand size
11992 cannot address the target in a 32-bit segment if the address of the
11993 target is greater than 64K.
11995 An interface procedure can enable transfers from USE16 segments to 32-bit
11996 addresses beyond 64K without requiring modifications any more extensive than
11997 relinking or rebinding the old programs. The requirements for such an
11998 interface procedure are discussed later in this chapter.
12001 16.4.2 Stack Management for Control Transfers
12003 Because stack management is different for 16-bit CALL/RET than for 32-bit
12004 CALL/RET, the operand size of RET must match that of CALL. (Refer to Figure
12005 16-1.) A 16-bit CALL pushes the 16-bit IP and (for calls between privilege
12006 levels) the 16-bit SP register. The corresponding RET must also use a 16-bit
12007 operand size to POP these 16-bit values from the stack into the 16-bit
12008 registers. A 32-bit CALL pushes the 32-bit EIP and (for interlevel calls)
12009 the 32-bit ESP register. The corresponding RET must also use a 32-bit
12010 operand size to POP these 32-bit values from the stack into the 32-bit
12011 registers. If the two halves of a CALL/RET pair do not have matching operand
12012 sizes, the stack will not be managed correctly and the values of the
12013 instruction pointer and stack pointer will not be restored to correct
12016 When the CALL and its corresponding RET are in segments that have D-bits
12017 with the same values (i.e., both have 32-bit defaults or both have 16-bit
12018 defaults), there is no problem. When the CALL and its corresponding RET are
12019 in segments that have different D-bit values, however, programmers (or
12020 program development software) must ensure that the CALL and RET match.
12022 There are three ways to cause a 16-bit procedure to execute a 32-bit call:
12024 1. Use a 16-bit call to a 32-bit interface procedure that then uses a
12025 32-bit call to invoke the intended target.
12027 2. Bind the 16-bit call to a 32-bit call gate.
12029 3. Modify the 16-bit procedure, inserting an operand-size prefix before
12030 the call, thereby changing it to a 32-bit call.
12032 Likewise, there are three ways to cause a 32-bit procedure to execute a
12035 1. Use a 32-bit call to a 32-bit interface procedure that then uses a
12036 16-bit call to invoke the intended target.
12038 2. Bind the 32-bit call to a 16-bit call gate.
12040 3. Modify the 32-bit procedure, inserting an operand-size prefix before
12041 the call, thereby changing it to a 16-bit call. (Be certain that the
12042 return offset does not exceed 64K.)
12044 Programmers can utilize any of the preceding methods to make a CALL in a
12045 USE16 segment match the corresponding RET in a USE32 segment, or to make a
12046 CALL in a USE32 segment match the corresponding RET in a USE16 segment.
12049 Figure 16-1. Stack after Far 16-Bit and 32-Bit Calls

(Reconstructed from the extracted figure. Higher addresses are at the top and
the stack expands downward. Each entry is one word after a 16-bit call and one
doubleword after a 32-bit call; in the 32-bit frame the upper half of the CS
and SS doublewords is not used.)

12051 WITHOUT PRIVILEGE TRANSITION

      AFTER 16-BIT CALL              AFTER 32-BIT CALL
      PARM2                          PARM2
      PARM1                          PARM1
      CS                             CS
      IP        <-- SS:SP            EIP       <-- SS:ESP

12071 WITH PRIVILEGE TRANSITION

      AFTER 16-BIT CALL              AFTER 32-BIT CALL
      SS                             SS
      SP                             ESP
      PARM2                          PARM2
      PARM1                          PARM1
      CS                             CS
      IP        <-- SS:SP            EIP       <-- SS:ESP
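The frames of Figure 16-1 and the operand-size rule of 16.4.2, modelled byte by byte in C as an added example; none of this is code from the manual or from Intel. The flat 256-byte stack, the selectors and the parameter values are constructed for the demonstration; the model pushes CS and SS into a full slot of the chosen size (zero in the upper half for a 32-bit push), which is enough to show what a RET of the wrong size pops.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the manual: a byte-level model of the frames in
 * Figure 16-1, used to show exactly what a RET of the wrong operand size pops.
 * The stack is a flat little-endian byte array with esp as the offset of the
 * top of stack; selectors and parameters are whatever the caller passes. */

typedef struct { uint8_t mem[256]; uint32_t esp; } stack_t;

static void push(stack_t *s, uint32_t v, unsigned size) {      /* size: 2 or 4 */
    s->esp -= size;
    for (unsigned i = 0; i < size; i++) s->mem[s->esp + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t pop(stack_t *s, unsigned size) {
    uint32_t v = 0;
    for (unsigned i = 0; i < size; i++) v |= (uint32_t)s->mem[s->esp + i] << (8 * i);
    s->esp += size;
    return v;
}

/* Far CALL with operand size 2 (16-bit) or 4 (32-bit). With a privilege
 * transition the processor first pushes the caller's SS and SP/ESP on the new
 * stack and copies the parameters (words for a 16-bit gate, doublewords for a
 * 32-bit gate); params[] is given in push order, i.e. PARM2 before PARM1.
 * CS occupies a full slot; in a 32-bit push its upper half is zero here. */
void far_call(stack_t *s, unsigned size, int priv_transition,
              uint32_t old_ss, uint32_t old_sp,
              const uint32_t *params, unsigned nparams,
              uint32_t ret_cs, uint32_t ret_ip) {
    if (priv_transition) { push(s, old_ss, size); push(s, old_sp, size); }
    for (unsigned i = 0; i < nparams; i++) push(s, params[i], size);
    push(s, ret_cs, size);
    push(s, ret_ip, size);
}

/* Far RET: pop IP/EIP, then CS, using the operand size of the RET itself. */
void far_ret(stack_t *s, unsigned size, uint32_t *cs, uint32_t *ip) {
    *ip = pop(s, size);
    *cs = pop(s, size) & 0xFFFF;
}

/* Mismatch demo: a 32-bit far CALL whose return address is 0008:00012345,
 * then a far RET of the given operand size (2 or 4). Returns the CS:IP the
 * RET restores, packed as (cs << 32) | ip, so it can be compared with the
 * intended return address. */
uint64_t ret_after_call32(unsigned ret_size) {
    stack_t s;
    uint32_t cs, ip;
    memset(&s, 0, sizeof s);
    s.esp = sizeof s.mem;
    far_call(&s, 4, 0, 0, 0, NULL, 0, 0x0008, 0x00012345);
    far_ret(&s, ret_size, &cs, &ip);
    return ((uint64_t)cs << 32) | ip;
}
```

With a matching 32-bit RET the model restores 0008:00012345. With a 16-bit RET it pops the low word of EIP as IP and the high word of EIP as CS, "returning" to 0001:2345 and leaving ESP four bytes short of where the caller expects it; nothing in the hardware detects this beyond whatever the bogus selector or offset happens to trigger, which is why the CALL and RET sizes must be matched by the programmer, by a gate of the right type, or by an interface procedure.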
12093 16.4.2.1 Controlling the Operand-Size for a Call
12095 When the selector of the pointer referenced by a CALL instruction selects a
12096 segment descriptor, the operand-size attribute in effect for the CALL
12097 instruction is determined by the D-bit in the segment descriptor and by any
12098 operand-size instruction prefix.
12100 When the selector of the pointer referenced by a CALL instruction selects a
12101 gate descriptor, the type of call is determined by the type of call gate. A
12102 call via an 80286 call gate (descriptor type 4) always has a 16-bit
12103 operand-size attribute; a call via an 80386 call gate (descriptor type 12)
12104 always has a 32-bit operand-size attribute. The offset of the target
12105 procedure is taken from the gate descriptor; therefore, even a 16-bit
12106 procedure can call a procedure that is located more than 64 kilobytes from
12107 the base of a 32-bit segment, because a 32-bit call gate contains a 32-bit
12110 An unmodified 16-bit code segment that has run successfully on an 8086 or
12111 real-mode 80286 will always have a D-bit of zero and will not use
12112 operand-size override prefixes; therefore, it will always execute 16-bit
12113 versions of CALL. The only modification needed to make a 16-bit procedure
12114 effect a 32-bit call is to relink the call to an 80386 call gate.
12117 16.4.2.2 Changing Size of Call
12119 When adding 32-bit gates to 16-bit procedures, it is important to consider
12120 the number of parameters. The count field of the gate descriptor specifies
12121 the size of the parameter string to copy from the current stack to the stack
12122 of the more privileged procedure. The count field of a 16-bit gate specifies
12123 the number of words to be copied, whereas the count field of a 32-bit gate
12124 specifies the number of doublewords to be copied; therefore, the 16-bit
12125 procedure must use an even number of words as parameters.
12128 16.4.3 Interrupt Control Transfers
12130 With a control transfer due to an interrupt or exception, a gate is always
12131 involved. The operand-size attribute for the interrupt is determined by the
12134 An 80386 interrupt or trap gate (descriptor type 14 or 15) to a 32-bit
12135 interrupt procedure can be used to interrupt either 32-bit or 16-bit
12136 procedures. However, it is not generally feasible to permit an interrupt or
12137 exception to invoke a 16-bit handler procedure when 32-bit code is
12138 executing, because a 16-bit interrupt procedure has a return offset of only
12139 16 bits on its stack. If the 32-bit procedure is executing at an address
12140 greater than 64K, the 16-bit interrupt procedure cannot return correctly.
12143 16.4.4 Parameter Translation
12145 When segment offsets or pointers (which contain segment offsets) are passed
12146 as parameters between 16-bit and 32-bit procedures, some translation is
12147 required. Clearly, if a 32-bit procedure passes a pointer to data located
12148 beyond 64K to a 16-bit procedure, the 16-bit procedure cannot utilize it.
12149 Beyond this natural limitation, an interface procedure can perform any
12150 format conversion between 32-bit and 16-bit pointers that may be needed.
12152 Parameters passed by value between 32-bit and 16-bit code may also require
12153 translation between 32-bit and 16-bit formats. Such translation requirements
12154 are application dependent. Systems designers should take care to limit the
12155 range of values passed so that such translations are possible.
12158 16.4.5 The Interface Procedure
12160 Interposing an interface procedure between 32-bit and 16-bit procedures can
12161 be the solution to any of several interface requirements:
12163 Ž Allowing procedures in 16-bit segments to transfer control to
12164 instructions located beyond 64K in 32-bit segments.
12166 Ž Matching of operand size for CALL/RET.
12168 Ž Parameter translation.
12170 Interface procedures between USE32 and USE16 segments can be constructed
12171 with these properties:
12173 Ž The procedures reside in a code segment whose D-bit is set, indicating
12174 a default operand size of 32-bits.
12176 Ž All entry points that may be called by 16-bit procedures have offsets
12177 that are actually less than 64K.
12179 Ž All points to which called 16-bit procedures may return also lie
12182 The interface procedures do little more than call corresponding procedures
12183 in other segments. There may be two kinds of procedures:
12185 Ž Those that are called by 16-bit procedures and call 32-bit procedures.
12186 These interface procedures are called by 16-bit CALLs and use the
12187 operand-size prefix before RET instructions to cause a 16-bit RET.
12188 CALLs to 32-bit segments are 32-bit calls (by default, because the
12189 D-bit is set), and the 32-bit code returns with 32-bit RET
12192 Ž Those that are called by 32-bit procedures and call 16-bit procedures.
12193 These interface procedures are called by 32-bit CALL instructions, and
12194 return with 32-bit RET instructions (by default, because the D-bit is
12195 set). CALLs to 16-bit procedures use the operand-size prefix;
12196 procedures in the 16-bit code return with 16-bit RET instructions.
12199 PART IV INSTRUCTION SET
12202 Chapter 17 80386 Instruction Set
12204 ‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
12206 This chapter presents instructions for the 80386 in alphabetical order. For
12207 each instruction, the forms are given for each operand combination,
12208 including object code produced, operands required, execution time, and a
12209 description. For each instruction, there is an operational description and a
12210 summary of exceptions generated.
12213 17.1 Operand-Size and Address-Size Attributes
12215 When executing an instruction, the 80386 can address memory using either 16
12216 or 32-bit addresses. Consequently, each instruction that uses memory
12217 addresses has associated with it an address-size attribute of either 16 or
12218 32 bits. 16-bit addresses imply both the use of a 16-bit displacement in
12219 the instruction and the generation of a 16-bit address offset (segment
12220 relative address) as the result of the effective address calculation.
12221 32-bit addresses imply the use of a 32-bit displacement and the generation
12222 of a 32-bit address offset. Similarly, an instruction that accesses words
12223 (16 bits) or doublewords (32 bits) has an operand-size attribute of either
12226 The attributes are determined by a combination of defaults, instruction
12227 prefixes, and (for programs executing in protected mode) size-specification
12228 bits in segment descriptors.
17.1.1 Default Segment Attribute

For programs executed in protected mode, the D-bit in executable-segment
descriptors determines the default attribute for both address size and
operand size. These default attributes apply to the execution of all
instructions in the segment. A value of zero in the D-bit sets the default
address size and operand size to 16 bits; a value of one, to 32 bits.

Programs that execute in real mode or virtual-8086 mode have 16-bit
addresses and operands by default.
17.1.2 Operand-Size and Address-Size Instruction Prefixes

The internal encoding of an instruction can include two byte-long prefixes:
the address-size prefix, 67H, and the operand-size prefix, 66H. (A later
section, "Instruction Format," shows the position of the prefixes in an
instruction's encoding.) These prefixes override the default segment
attributes for the instruction that follows. Table 17-1 shows the effect of
each possible combination of defaults and overrides.
17.1.3 Address-Size Attribute for Stack

Instructions that use the stack implicitly (for example, POP EAX) also have
a stack address-size attribute of either 16 or 32 bits. Instructions with a
stack address-size attribute of 16 use the 16-bit SP stack pointer register;
instructions with a stack address-size attribute of 32 bits use the 32-bit
ESP register to form the address of the top of the stack.

The stack address-size attribute is controlled by the B-bit of the
data-segment descriptor in the SS register. A value of zero in the B-bit
selects a stack address-size attribute of 16; a value of one selects a stack
address-size attribute of 32.
Table 17-1. Effective Size Attributes

Segment Default D = ...       0    0    0    0    1    1    1    1
Operand-Size Prefix 66H       N    N    Y    Y    N    N    Y    Y
Address-Size Prefix 67H       N    Y    N    Y    N    Y    N    Y

Effective Operand Size        16   16   32   32   32   32   16   16
Effective Address Size        16   32   16   32   32   16   32   16

Y = Yes, this instruction prefix is present
N = No, this instruction prefix is not present
17.2 Instruction Format

All instruction encodings are subsets of the general instruction format
shown in Figure 17-1. Instructions consist of optional instruction
prefixes, one or two primary opcode bytes, possibly an address specifier
consisting of the ModR/M byte and the SIB (Scale Index Base) byte, a
displacement, if required, and an immediate data field, if required.

Smaller encoding fields can be defined within the primary opcode or
opcodes. These fields define the direction of the operation, the size of the
displacements, the register encoding, or sign extension; encoding fields
vary depending on the class of operation.

Most instructions that can refer to an operand in memory have an addressing
form byte following the primary opcode byte(s). This byte, called the ModR/M
byte, specifies the address form to be used. Certain encodings of the ModR/M
byte indicate a second addressing byte, the SIB (Scale Index Base) byte,
which follows the ModR/M byte and is required to fully specify the

Addressing forms can include a displacement immediately following either
the ModR/M or SIB byte. If a displacement is present, it can be 8-, 16- or

If the instruction specifies an immediate operand, the immediate operand
always follows any displacement bytes. The immediate operand, if specified,
is always the last field of the instruction.
The following are the allowable instruction prefix codes:

F3H   REP prefix (used only with string instructions)
F3H   REPE/REPZ prefix (used only with string instructions)
F2H   REPNE/REPNZ prefix (used only with string instructions)

The following are the segment override prefixes:

2EH   CS segment override prefix
36H   SS segment override prefix
3EH   DS segment override prefix
26H   ES segment override prefix
64H   FS segment override prefix
65H   GS segment override prefix
66H   Operand-size override
67H   Address-size override
Figure 17-1. 80386 Instruction Format

+---------------+---------------+---------------+---------------+
|  INSTRUCTION  |   ADDRESS-    |   OPERAND-    |    SEGMENT    |
|    PREFIX     |  SIZE PREFIX  |  SIZE PREFIX  |   OVERRIDE    |
+---------------+---------------+---------------+---------------+
     0 OR 1          0 OR 1          0 OR 1          0 OR 1
                         NUMBER OF BYTES

+----------+-----------+-------+------------------+-------------+
|  OPCODE  |  MODR/M   |  SIB  |   DISPLACEMENT   |  IMMEDIATE  |
+----------+-----------+-------+------------------+-------------+
   1 OR 2     0 OR 1    0 OR 1     0,1,2 OR 4       0,1,2 OR 4
                         NUMBER OF BYTES
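The prefix rules above (the prefix byte values of section 17.2 and the size rules of Table 17-1) are small enough to implement directly. The following is an added example written for this page, not code from the Intel manual: it strips leading prefix bytes from an instruction encoding and reports the effective operand and address sizes given the D-bit of the code segment. The encodings it is fed are constructed; a disassembler or instruction-level monitor that ignores these rules will mis-size operands and mis-decode everything that follows. The F0H LOCK prefix, which this section's list does not show, is deliberately left out.

```python
# Added example (not from the Intel manual): consume the prefix bytes listed in
# section 17.2 and apply Table 17-1 to get the effective sizes.  All input
# encodings are constructed for the example.

REP_PREFIXES = {0xF3: "REP/REPE/REPZ", 0xF2: "REPNE/REPNZ"}
SEGMENT_OVERRIDES = {0x2E: "CS", 0x36: "SS", 0x3E: "DS",
                     0x26: "ES", 0x64: "FS", 0x65: "GS"}
OPERAND_SIZE_PREFIX = 0x66
ADDRESS_SIZE_PREFIX = 0x67
# F0H (LOCK) is an 80386 prefix that this section's list omits; not handled here.


def effective_sizes(d_bit, has_66, has_67):
    """Table 17-1: the D-bit gives the default for both sizes; a 66H prefix
    flips the operand size and a 67H prefix flips the address size.
    Returns (operand_size, address_size) in bits."""
    default = 32 if d_bit else 16
    other = 16 if default == 32 else 32
    operand = other if has_66 else default
    address = other if has_67 else default
    return operand, address


def split_prefixes(code, d_bit):
    """Consume the leading prefix bytes of `code` (a bytes object).

    Returns (info, opcode_index).  info records the REP and segment-override
    prefixes seen plus the effective sizes; opcode_index is the position of
    the first primary opcode byte.  Prefixes may appear in any order and may
    repeat, so the loop only stops at the first byte that is not a prefix.
    """
    info = {"rep": None, "segment": None}
    has_66 = has_67 = False
    i = 0
    while i < len(code):
        b = code[i]
        if b in REP_PREFIXES:
            info["rep"] = REP_PREFIXES[b]
        elif b in SEGMENT_OVERRIDES:
            info["segment"] = SEGMENT_OVERRIDES[b]
        elif b == OPERAND_SIZE_PREFIX:
            has_66 = True
        elif b == ADDRESS_SIZE_PREFIX:
            has_67 = True
        else:
            break                       # first opcode byte reached
        i += 1
    info["operand_size"], info["address_size"] = effective_sizes(d_bit, has_66, has_67)
    return info, i


if __name__ == "__main__":
    # Constructed encoding: 66 2E 8B 06 <disp32> in a segment with D = 1.
    info, idx = split_prefixes(bytes([0x66, 0x2E, 0x8B, 0x06, 0x10, 0, 0, 0]), 1)
    print(info, "first opcode byte at index", idx)
```

Note that the two prefixes act independently: in a D = 1 segment a 66H prefix alone yields a 16-bit operand with a 32-bit address, which is exactly the third column from the right in Table 17-1.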
17.2.1 ModR/M and SIB Bytes

The ModR/M and SIB bytes follow the opcode byte(s) in many of the 80386
instructions. They contain the following information:

- The indexing type or register number to be used in the instruction
- The register to be used, or more information to select the instruction
- The base, index, and scale information

The ModR/M byte contains three fields of information:

- The mod field, which occupies the two most significant bits of the
  byte, combines with the r/m field to form 32 possible values: eight
  registers and 24 indexing modes

- The reg field, which occupies the next three bits following the mod
  field, specifies either a register number or three more bits of opcode
  information. The meaning of the reg field is determined by the first
  (opcode) byte of the instruction.

- The r/m field, which occupies the three least significant bits of the
  byte, can specify a register as the location of an operand, or can form
  part of the addressing-mode encoding in combination with the mod field as

The based indexed and scaled indexed forms of 32-bit addressing require the
SIB byte. The presence of the SIB byte is indicated by certain encodings of
the ModR/M byte. The SIB byte then includes the following fields:

- The ss field, which occupies the two most significant bits of the
  byte, specifies the scale factor

- The index field, which occupies the next three bits following the ss
  field, specifies the register number of the index register

- The base field, which occupies the three least significant bits of the
  byte, specifies the register number of the base register

Figure 17-2 shows the formats of the ModR/M and SIB bytes.

The values and the corresponding addressing forms of the ModR/M and SIB
bytes are shown in Tables 17-2, 17-3, and 17-4. The 16-bit addressing
forms specified by the ModR/M byte are in Table 17-2. The 32-bit addressing
forms specified by ModR/M are in Table 17-3. Table 17-4 shows the 32-bit
addressing forms specified by the SIB byte.
Figure 17-2. ModR/M and SIB Byte Formats

MODR/M BYTE

  7      6 5           3 2           0
 +--------+-------------+-------------+
 |  MOD   | REG/OPCODE  |    R/M      |
 +--------+-------------+-------------+

SIB (SCALE INDEX BASE) BYTE

  7      6 5           3 2           0
 +--------+-------------+-------------+
 |   SS   |   INDEX     |    BASE     |
 +--------+-------------+-------------+
Table 17-2. 16-Bit Addressing Forms with the ModR/M Byte

                               r8(/r)            AL   CL   DL   BL   AH   CH   DH   BH
                               r16(/r)           AX   CX   DX   BX   SP   BP   SI   DI
                               r32(/r)           EAX  ECX  EDX  EBX  ESP  EBP  ESI  EDI
                               /digit (Opcode)   0    1    2    3    4    5    6    7
                               REG =             000  001  010  011  100  101  110  111

Effective Address      Mod  R/M         ModR/M Values in Hexadecimal
[BX + SI]              00   000         00   08   10   18   20   28   30   38
[BX + DI]              00   001         01   09   11   19   21   29   31   39
[BP + SI]              00   010         02   0A   12   1A   22   2A   32   3A
[BP + DI]              00   011         03   0B   13   1B   23   2B   33   3B
[SI]                   00   100         04   0C   14   1C   24   2C   34   3C
[DI]                   00   101         05   0D   15   1D   25   2D   35   3D
disp16                 00   110         06   0E   16   1E   26   2E   36   3E
[BX]                   00   111         07   0F   17   1F   27   2F   37   3F

[BX+SI]+disp8          01   000         40   48   50   58   60   68   70   78
[BX+DI]+disp8          01   001         41   49   51   59   61   69   71   79
[BP+SI]+disp8          01   010         42   4A   52   5A   62   6A   72   7A
[BP+DI]+disp8          01   011         43   4B   53   5B   63   6B   73   7B
[SI]+disp8             01   100         44   4C   54   5C   64   6C   74   7C
[DI]+disp8             01   101         45   4D   55   5D   65   6D   75   7D
[BP]+disp8             01   110         46   4E   56   5E   66   6E   76   7E
[BX]+disp8             01   111         47   4F   57   5F   67   6F   77   7F

[BX+SI]+disp16         10   000         80   88   90   98   A0   A8   B0   B8
[BX+DI]+disp16         10   001         81   89   91   99   A1   A9   B1   B9
[BP+SI]+disp16         10   010         82   8A   92   9A   A2   AA   B2   BA
[BP+DI]+disp16         10   011         83   8B   93   9B   A3   AB   B3   BB
[SI]+disp16            10   100         84   8C   94   9C   A4   AC   B4   BC
[DI]+disp16            10   101         85   8D   95   9D   A5   AD   B5   BD
[BP]+disp16            10   110         86   8E   96   9E   A6   AE   B6   BE
[BX]+disp16            10   111         87   8F   97   9F   A7   AF   B7   BF

EAX/AX/AL              11   000         C0   C8   D0   D8   E0   E8   F0   F8
ECX/CX/CL              11   001         C1   C9   D1   D9   E1   E9   F1   F9
EDX/DX/DL              11   010         C2   CA   D2   DA   E2   EA   F2   FA
EBX/BX/BL              11   011         C3   CB   D3   DB   E3   EB   F3   FB
ESP/SP/AH              11   100         C4   CC   D4   DC   E4   EC   F4   FC
EBP/BP/CH              11   101         C5   CD   D5   DD   E5   ED   F5   FD
ESI/SI/DH              11   110         C6   CE   D6   DE   E6   EE   F6   FE
EDI/DI/BH              11   111         C7   CF   D7   DF   E7   EF   F7   FF

disp8 denotes an 8-bit displacement following the ModR/M byte, to be
sign-extended and added to the index. disp16 denotes a 16-bit displacement
following the ModR/M byte, to be added to the index. Default segment
register is SS for the effective addresses containing a BP index, DS for
other effective addresses.
Table 17-3. 32-Bit Addressing Forms with the ModR/M Byte

                               r8(/r)            AL   CL   DL   BL   AH   CH   DH   BH
                               r16(/r)           AX   CX   DX   BX   SP   BP   SI   DI
                               r32(/r)           EAX  ECX  EDX  EBX  ESP  EBP  ESI  EDI
                               /digit (Opcode)   0    1    2    3    4    5    6    7
                               REG =             000  001  010  011  100  101  110  111

Effective Address      Mod  R/M         ModR/M Values in Hexadecimal
[EAX]                  00   000         00   08   10   18   20   28   30   38
[ECX]                  00   001         01   09   11   19   21   29   31   39
[EDX]                  00   010         02   0A   12   1A   22   2A   32   3A
[EBX]                  00   011         03   0B   13   1B   23   2B   33   3B
[--] [--]              00   100         04   0C   14   1C   24   2C   34   3C
disp32                 00   101         05   0D   15   1D   25   2D   35   3D
[ESI]                  00   110         06   0E   16   1E   26   2E   36   3E
[EDI]                  00   111         07   0F   17   1F   27   2F   37   3F

disp8[EAX]             01   000         40   48   50   58   60   68   70   78
disp8[ECX]             01   001         41   49   51   59   61   69   71   79
disp8[EDX]             01   010         42   4A   52   5A   62   6A   72   7A
disp8[EBX]             01   011         43   4B   53   5B   63   6B   73   7B
disp8[--] [--]         01   100         44   4C   54   5C   64   6C   74   7C
disp8[EBP]             01   101         45   4D   55   5D   65   6D   75   7D
disp8[ESI]             01   110         46   4E   56   5E   66   6E   76   7E
disp8[EDI]             01   111         47   4F   57   5F   67   6F   77   7F

disp32[EAX]            10   000         80   88   90   98   A0   A8   B0   B8
disp32[ECX]            10   001         81   89   91   99   A1   A9   B1   B9
disp32[EDX]            10   010         82   8A   92   9A   A2   AA   B2   BA
disp32[EBX]            10   011         83   8B   93   9B   A3   AB   B3   BB
disp32[--] [--]        10   100         84   8C   94   9C   A4   AC   B4   BC
disp32[EBP]            10   101         85   8D   95   9D   A5   AD   B5   BD
disp32[ESI]            10   110         86   8E   96   9E   A6   AE   B6   BE
disp32[EDI]            10   111         87   8F   97   9F   A7   AF   B7   BF

EAX/AX/AL              11   000         C0   C8   D0   D8   E0   E8   F0   F8
ECX/CX/CL              11   001         C1   C9   D1   D9   E1   E9   F1   F9
EDX/DX/DL              11   010         C2   CA   D2   DA   E2   EA   F2   FA
EBX/BX/BL              11   011         C3   CB   D3   DB   E3   EB   F3   FB
ESP/SP/AH              11   100         C4   CC   D4   DC   E4   EC   F4   FC
EBP/BP/CH              11   101         C5   CD   D5   DD   E5   ED   F5   FD
ESI/SI/DH              11   110         C6   CE   D6   DE   E6   EE   F6   FE
EDI/DI/BH              11   111         C7   CF   D7   DF   E7   EF   F7   FF

[--] [--] means a SIB follows the ModR/M byte. disp8 denotes an 8-bit
displacement following the SIB byte, to be sign-extended and added to the
index. disp32 denotes a 32-bit displacement following the ModR/M byte, to
be added to the index.
Table 17-4. 32-Bit Addressing Forms with the SIB Byte

                               r32               EAX  ECX  EDX  EBX  ESP  [*]  ESI  EDI
                               Base =            0    1    2    3    4    5    6    7
                               Base =            000  001  010  011  100  101  110  111

Scaled Index           SS   Index       SIB Values in Hexadecimal
[EAX]                  00   000         00   01   02   03   04   05   06   07
[ECX]                  00   001         08   09   0A   0B   0C   0D   0E   0F
[EDX]                  00   010         10   11   12   13   14   15   16   17
[EBX]                  00   011         18   19   1A   1B   1C   1D   1E   1F
none                   00   100         20   21   22   23   24   25   26   27
[EBP]                  00   101         28   29   2A   2B   2C   2D   2E   2F
[ESI]                  00   110         30   31   32   33   34   35   36   37
[EDI]                  00   111         38   39   3A   3B   3C   3D   3E   3F

[EAX*2]                01   000         40   41   42   43   44   45   46   47
[ECX*2]                01   001         48   49   4A   4B   4C   4D   4E   4F
[EDX*2]                01   010         50   51   52   53   54   55   56   57
[EBX*2]                01   011         58   59   5A   5B   5C   5D   5E   5F
none                   01   100         60   61   62   63   64   65   66   67
[EBP*2]                01   101         68   69   6A   6B   6C   6D   6E   6F
[ESI*2]                01   110         70   71   72   73   74   75   76   77
[EDI*2]                01   111         78   79   7A   7B   7C   7D   7E   7F

[EAX*4]                10   000         80   81   82   83   84   85   86   87
[ECX*4]                10   001         88   89   8A   8B   8C   8D   8E   8F
[EDX*4]                10   010         90   91   92   93   94   95   96   97
[EBX*4]                10   011         98   99   9A   9B   9C   9D   9E   9F
none                   10   100         A0   A1   A2   A3   A4   A5   A6   A7
[EBP*4]                10   101         A8   A9   AA   AB   AC   AD   AE   AF
[ESI*4]                10   110         B0   B1   B2   B3   B4   B5   B6   B7
[EDI*4]                10   111         B8   B9   BA   BB   BC   BD   BE   BF

[EAX*8]                11   000         C0   C1   C2   C3   C4   C5   C6   C7
[ECX*8]                11   001         C8   C9   CA   CB   CC   CD   CE   CF
[EDX*8]                11   010         D0   D1   D2   D3   D4   D5   D6   D7
[EBX*8]                11   011         D8   D9   DA   DB   DC   DD   DE   DF
none                   11   100         E0   E1   E2   E3   E4   E5   E6   E7
[EBP*8]                11   101         E8   E9   EA   EB   EC   ED   EE   EF
[ESI*8]                11   110         F0   F1   F2   F3   F4   F5   F6   F7
[EDI*8]                11   111         F8   F9   FA   FB   FC   FD   FE   FF

[*] means a disp32 with no base if MOD is 00, [ESP] otherwise. This
provides the following addressing modes:
    disp32[index]       (MOD=00)
    disp8[EBP][index]   (MOD=01)
    disp32[EBP][index]  (MOD=10)
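Tables 17-2 to 17-4 are the ground truth for any x86 decoder, and the irregular cells (the [--] [--] escape to a SIB byte, the disp32-without-base encodings, and the [*] base in the SIB table) are where hand-written decoders most often go wrong. The following is an added example written for this page, not code from the Intel manual: it decodes a ModR/M byte together with any SIB byte and displacement for either address size, prints the addressing form in the spelling the tables use, and computes the resulting effective address over a constructed register file. The default-segment rule for the 32-bit forms (SS for an EBP or ESP base, DS otherwise) is the 80386 rule and is not printed in Tables 17-3 and 17-4.

```python
# Added example (not from the Intel manual): ModR/M + SIB + displacement decoder
# for 16- and 32-bit addressing, following Tables 17-2 to 17-4.  Register values
# and encodings used with it are constructed inputs.

REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
# Table 17-2: base/index registers for 16-bit r/m values 0..7 (mod != 11)
RM16 = [("BX", "SI"), ("BX", "DI"), ("BP", "SI"), ("BP", "DI"),
        ("SI",), ("DI",), ("BP",), ("BX",)]


def _disp(code, pos, size):
    """Signed displacement of `size` bytes at code[pos], low-order byte first."""
    return int.from_bytes(code[pos:pos + size], "little", signed=True)


def decode_ea(code, address_size, regs, operand_size=32):
    """Decode the ModR/M byte at code[0] and whatever follows it.

    regs maps register names to current values.  Returns a dict with:
      reg      the 3-bit reg/opcode field
      form     addressing form spelled as in Tables 17-2 to 17-4 (or a register)
      segment  default segment register (None for a register operand)
      ea       effective address: the offset before the segment base is added
      length   bytes consumed: ModR/M, SIB and displacement
    """
    modrm = code[0]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                   # register operand, no memory access
        name = (REG32 if operand_size == 32 else REG16)[rm]
        return {"reg": reg, "form": name, "segment": None, "ea": None, "length": 1}

    if address_size == 16:
        if mod == 0 and rm == 6:                   # Table 17-2: disp16 with no base
            return {"reg": reg, "form": "disp16", "segment": "DS",
                    "ea": _disp(code, 1, 2) & 0xFFFF, "length": 3}
        parts = RM16[rm]
        form = "[" + "+".join(parts) + "]"
        ea, length = sum(regs[r] for r in parts), 1
        if mod == 1:
            ea, form, length = ea + _disp(code, 1, 1), form + "+disp8", 2
        elif mod == 2:
            ea, form, length = ea + _disp(code, 1, 2), form + "+disp16", 3
        # A 16-bit offset wraps within the segment; SS is the default when BP is used.
        return {"reg": reg, "form": form, "segment": "SS" if "BP" in parts else "DS",
                "ea": ea & 0xFFFF, "length": length}

    # 32-bit addressing (Tables 17-3 and 17-4)
    base = index = None
    scale, length = 1, 1
    if rm == 4:                                    # [--] [--]: a SIB byte follows
        sib = code[1]
        ss, idx, b = sib >> 6, (sib >> 3) & 7, sib & 7
        length = 2
        if idx != 4:                               # index value 100 means "none"
            index, scale = REG32[idx], 1 << ss
        if not (b == 5 and mod == 0):              # [*]: disp32 with no base when MOD=00
            base = REG32[b]
    elif not (rm == 5 and mod == 0):               # mod=00, r/m=101 is disp32 with no base
        base = REG32[rm]

    form, disp = "", 0
    if mod == 1:
        disp, form, length = _disp(code, length, 1), "disp8", length + 1
    elif mod == 2 or base is None:
        disp, form, length = _disp(code, length, 4), "disp32", length + 4
    ea = disp
    if base is not None:
        ea += regs[base]
        form += f"[{base}]"
    if index is not None:
        ea += regs[index] * scale
        form += f"[{index}]" if scale == 1 else f"[{index}*{scale}]"
    # 80386 default segment for 32-bit forms: SS for an EBP/ESP base, DS otherwise.
    segment = "SS" if base in ("EBP", "ESP") else "DS"
    return {"reg": reg, "form": form, "segment": segment,
            "ea": ea & 0xFFFFFFFF, "length": length}


if __name__ == "__main__":
    regs = {"EAX": 0x1000, "ECX": 0x10, "EBP": 0x100, "BP": 0, "BX": 0x10, "SI": 0x20}
    # 44 88 10: Table 17-3 row disp8[--][--], SIB 88H = [ECX*4] with base EAX
    print(decode_ea(bytes([0x44, 0x88, 0x10]), 32, regs))
```

Two of the constructed cases are worth running by hand: the SIB byte 25H under a mod=00 ModR/M gives an absolute 32-bit address with neither base nor index (index "none", base [*]), and in 16-bit addressing [BP]+disp8 with BP = 0 and a displacement of -2 yields the offset FFFEH, since the 16-bit effective address wraps rather than going negative.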
17.2.2 How to Read the Instruction Set Pages

The following is an example of the format used for each 80386 instruction
description in this chapter:

CMC -- Complement Carry Flag

Opcode   Instruction   Clocks   Description
F5       CMC           2        Complement carry flag

The above table is followed by paragraphs labelled "Operation,"
"Description," "Flags Affected," "Protected Mode Exceptions," "Real
Address Mode Exceptions," and, optionally, "Notes." The following sections
explain the notational conventions and abbreviations used in these
paragraphs of the instruction descriptions.
17.2.2.1 Opcode

The "Opcode" column gives the complete object code produced for each form
of the instruction. When possible, the codes are given as hexadecimal bytes,
in the same order in which they appear in memory. Definitions of entries
other than hexadecimal bytes are as follows:

/digit: (digit is between 0 and 7) indicates that the ModR/M byte of the
instruction uses only the r/m (register or memory) operand. The reg field
contains the digit that provides an extension to the instruction's opcode.

/r: indicates that the ModR/M byte of the instruction contains both a
register operand and an r/m operand.

cb, cw, cd, cp: a 1-byte (cb), 2-byte (cw), 4-byte (cd) or 6-byte (cp)
value following the opcode that is used to specify a code offset and
possibly a new value for the code segment register.

ib, iw, id: a 1-byte (ib), 2-byte (iw), or 4-byte (id) immediate operand to
the instruction that follows the opcode, ModR/M bytes or scale-indexing
bytes. The opcode determines if the operand is a signed value. All words and
doublewords are given with the low-order byte first.

+rb, +rw, +rd: a register code, from 0 through 7, added to the hexadecimal
byte given at the left of the plus sign to form a single opcode byte. The

   AL = 0     AX = 0     EAX = 0
   CL = 1     CX = 1     ECX = 1
   DL = 2     DX = 2     EDX = 2
   BL = 3     BX = 3     EBX = 3
   AH = 4     SP = 4     ESP = 4
   CH = 5     BP = 5     EBP = 5
   DH = 6     SI = 6     ESI = 6
   BH = 7     DI = 7     EDI = 7
17.2.2.2 Instruction

The "Instruction" column gives the syntax of the instruction statement as
it would appear in an ASM386 program. The following is a list of the symbols
used to represent operands in the instruction statements:

rel8: a relative address in the range from 128 bytes before the end of the
instruction to 127 bytes after the end of the instruction.

rel16, rel32: a relative address within the same code segment as the
instruction assembled. rel16 applies to instructions with an operand-size
attribute of 16 bits; rel32 applies to instructions with an operand-size
attribute of 32 bits.

ptr16:16, ptr16:32: a FAR pointer, typically in a code segment different
from that of the instruction. The notation 16:16 indicates that the value of
the pointer has two parts. The value to the right of the colon is a 16-bit
selector or value destined for the code segment register. The value to the
left corresponds to the offset within the destination segment. ptr16:16 is
used when the instruction's operand-size attribute is 16 bits; ptr16:32 is
used with the 32-bit attribute.

r8: one of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH.

r16: one of the word registers AX, CX, DX, BX, SP, BP, SI, or DI.

r32: one of the doubleword registers EAX, ECX, EDX, EBX, ESP, EBP, ESI, or

imm8: an immediate byte value. imm8 is a signed number between -128 and
+127 inclusive. For instructions in which imm8 is combined with a word or
doubleword operand, the immediate value is sign-extended to form a word or
doubleword. The upper byte of the word is filled with the topmost bit of the

imm16: an immediate word value used for instructions whose operand-size
attribute is 16 bits. This is a number between -32768 and +32767 inclusive.

imm32: an immediate doubleword value used for instructions whose
operand-size attribute is 32 bits. It allows the use of a number between
+2147483647 and -2147483648.

r/m8: a one-byte operand that is either the contents of a byte register
(AL, BL, CL, DL, AH, BH, CH, DH), or a byte from memory.

r/m16: a word register or memory operand used for instructions whose
operand-size attribute is 16 bits. The word registers are: AX, BX, CX, DX,
SP, BP, SI, DI. The contents of memory are found at the address provided by
the effective address computation.

r/m32: a doubleword register or memory operand used for instructions whose
operand-size attribute is 32 bits. The doubleword registers are: EAX, EBX,
ECX, EDX, ESP, EBP, ESI, EDI. The contents of memory are found at the
address provided by the effective address computation.

m8: a memory byte addressed by DS:SI or ES:DI (used only by string

m16: a memory word addressed by DS:SI or ES:DI (used only by string

m32: a memory doubleword addressed by DS:SI or ES:DI (used only by string

m16:16, m16:32: a memory operand containing a far pointer composed of two
numbers. The number to the left of the colon corresponds to the pointer's
segment selector. The number to the right corresponds to its offset.

m16&32, m16&16, m32&32: a memory operand consisting of data item pairs
whose sizes are indicated on the left and the right side of the ampersand.
All memory addressing modes are allowed. m16&16 and m32&32 operands are
used by the BOUND instruction to provide an operand containing an upper and
lower bounds for array indices. m16&32 is used by LIDT and LGDT to
provide a word with which to load the limit field, and a doubleword with
which to load the base field of the corresponding Global and Interrupt
Descriptor Table Registers.

moffs8, moffs16, moffs32: (memory offset) a simple memory variable of type
BYTE, WORD, or DWORD used by some variants of the MOV instruction. The
actual address is given by a simple offset relative to the segment base. No
ModR/M byte is used in the instruction. The number shown with moffs
indicates its size, which is determined by the address-size attribute of the

Sreg: a segment register. The segment register bit assignments are ES=0,
CS=1, SS=2, DS=3, FS=4, and GS=5.
17.2.2.3 Clocks

The "Clocks" column gives the number of clock cycles the instruction takes
to execute. The clock count calculations make the following assumptions:

- The instruction has been prefetched and decoded and is ready for

- Bus cycles do not require wait states.

- There are no local bus HOLD requests delaying processor access to the

- No exceptions are detected during instruction execution.

- Memory operands are aligned.

Clock counts for instructions that have an r/m (register or memory) operand
are separated by a slash. The count to the left is used for a register
operand; the count to the right is used for a memory operand.

The following symbols are used in the clock count specifications:

- n, which represents a number of repetitions.

- m, which represents the number of components in the next instruction
  executed, where the entire displacement (if any) counts as one
  component, the entire immediate data (if any) counts as one component,
  and every other byte of the instruction and prefix(es) each counts as

- pm=, a clock count that applies when the instruction executes in
  Protected Mode. pm= is not given when the clock counts are the same for
  Protected and Real Address Modes.

When an exception occurs during the execution of an instruction and the
exception handler is in another task, the instruction execution time is
increased by the number of clocks to effect a task switch. This parameter
depends on several factors:

- The type of TSS used to represent the current task (386 TSS or 286

- The type of TSS used to represent the new task.

- Whether the current task is in V86 mode.

- Whether the new task is in V86 mode.

Table 17-5 summarizes the task switch times for exceptions.

Table 17-5. Task Switch Times for Exceptions

Old         386 TSS     286 TSS
17.2.2.4 Description

The "Description" column following the "Clocks" column briefly explains the
various forms of the instruction. The "Operation" and "Description" sections
contain more details of the instruction's operation.

17.2.2.5 Operation

The "Operation" section contains an algorithmic description of the
instruction which uses a notation similar to the Algol or Pascal language.
The algorithms are composed of the following elements:

Comments are enclosed within the symbol pairs "(*" and "*)".

Compound statements are enclosed between the keywords of the "if" statement
(IF, THEN, ELSE, FI) or of the "do" statement (DO, OD), or of the "case"
statement (CASE ... OF, ESAC).

A register name implies the contents of the register. A register name
enclosed in brackets implies the contents of the location whose address is
contained in that register. For example, ES:[DI] indicates the contents of
the location whose ES segment relative address is in register DI. [SI]
indicates the contents of the address contained in register SI relative to
SI's default segment (DS) or overridden segment.

Brackets are also used for memory operands, where they mean that the contents
of the memory location is a segment-relative offset. For example, [SRC]
indicates that the contents of the source operand is a segment-relative

A ← B; indicates that the value of B is assigned to A.

The symbols =, <>, ≥, and ≤ are relational operators used to compare two
values, meaning equal, not equal, greater or equal, less or equal,
respectively. A relational expression such as A = B is TRUE if the value of
A is equal to B; otherwise it is FALSE.
The following identifiers are used in the algorithmic descriptions:

- OperandSize represents the operand-size attribute of the instruction,
  which is either 16 or 32 bits. AddressSize represents the address-size
  attribute, which is either 16 or 32 bits. For example,

     IF instruction = CMPSW
     THEN OperandSize ← 16;
     FI;
     IF instruction = CMPSD
     THEN OperandSize ← 32;
     FI;

  indicates that the operand-size attribute depends on the form of the CMPS
  instruction used. Refer to the explanation of address-size and operand-size
  attributes at the beginning of this chapter for general guidelines on how
  these attributes are determined.

- StackAddrSize represents the stack address-size attribute associated
  with the instruction, which has a value of 16 or 32 bits, as explained
  earlier in the chapter.

- SRC represents the source operand. When there are two operands, SRC is
  the one on the right.

- DEST represents the destination operand. When there are two operands,
  DEST is the one on the left.

- LeftSRC, RightSRC distinguishes between two operands when both are

- eSP represents either the SP register or the ESP register depending on
  the setting of the B-bit for the current stack segment.

The following functions are used in the algorithmic descriptions:

- Truncate to 16 bits(value) reduces the size of the value to fit in 16
  bits by discarding the uppermost bits as needed.

- Addr(operand) returns the effective address of the operand (the result
  of the effective address calculation prior to adding the segment base).

- ZeroExtend(value) returns a value zero-extended to the operand-size
  attribute of the instruction. For example, if OperandSize = 32,
  ZeroExtend of a byte value of -10 converts the byte from F6H to a
  doubleword with hexadecimal value 000000F6H. If the value passed to
  ZeroExtend and the operand-size attribute are the same size,
  ZeroExtend returns the value unaltered.

- SignExtend(value) returns a value sign-extended to the operand-size
  attribute of the instruction. For example, if OperandSize = 32,
  SignExtend of a byte containing the value -10 converts the byte from
  F6H to a doubleword with hexadecimal value FFFFFFF6H. If the value
  passed to SignExtend and the operand-size attribute are the same size,
  SignExtend returns the value unaltered.
- Push(value) pushes a value onto the stack. The number of bytes pushed
  is determined by the operand-size attribute of the instruction. The
  action of Push is as follows:

     IF StackAddrSize = 16
     THEN
        IF OperandSize = 16
        THEN
           SP ← SP - 2;
           SS:[SP] ← value; (* 2 bytes assigned starting at byte address in SP *)
        ELSE (* OperandSize = 32 *)
           SP ← SP - 4;
           SS:[SP] ← value; (* 4 bytes assigned starting at byte address in SP *)
        FI;
     ELSE (* StackAddrSize = 32 *)
        IF OperandSize = 16
        THEN
           ESP ← ESP - 2;
           SS:[ESP] ← value; (* 2 bytes assigned starting at byte address in ESP *)
        ELSE (* OperandSize = 32 *)
           ESP ← ESP - 4;
           SS:[ESP] ← value; (* 4 bytes assigned starting at byte address in ESP *)
        FI;
     FI;

- Pop(value) removes the value from the top of the stack and returns it.
  The statement EAX ← Pop( ); assigns to EAX the 32-bit value that Pop
  took from the top of the stack. Pop will return either a word or a
  doubleword depending on the operand-size attribute. The action of Pop

     IF StackAddrSize = 16
     THEN
        IF OperandSize = 16
        THEN
           ret val ← SS:[SP]; (* 2-byte value *)
           SP ← SP + 2;
        ELSE (* OperandSize = 32 *)
           ret val ← SS:[SP]; (* 4-byte value *)
           SP ← SP + 4;
        FI;
     ELSE (* StackAddrSize = 32 *)
        IF OperandSize = 16
        THEN
           ret val ← SS:[ESP]; (* 2-byte value *)
           ESP ← ESP + 2;
        ELSE (* OperandSize = 32 *)
           ret val ← SS:[ESP]; (* 4-byte value *)
           ESP ← ESP + 4;
        FI;
     FI;
     RETURN(ret val); (* returns a word or doubleword *)
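The Push and Pop definitions above separate two attributes that are easy to conflate: the stack address size (B-bit of the SS descriptor) decides whether SP or ESP forms the address, and the operand size decides how many bytes move. The following is an added example written for this page, not code from the Intel manual: a small model of a stack segment implementing exactly those two functions over a constructed, expand-up stack segment. With a 16-bit stack address size only SP (the low 16 bits of ESP) changes and it wraps within the segment, so a push at SP = 0 lands at FFFEH rather than faulting; with a 32-bit stack address size the same underflow leaves the segment limit and is reported here as a stack fault, standing in for the #SS exception the page's Protected Mode Exceptions sections refer to.

```python
# Added example (not from the Intel manual): a model of Push(value) and Pop()
# from section 17.2.2.5 over a constructed flat stack segment.


class StackFault(Exception):
    """Stands in for #SS: the access falls outside the stack segment limit."""


class Stack386:
    def __init__(self, stack_addr_size, esp, limit=0x20000):
        assert stack_addr_size in (16, 32)     # from the B-bit of the SS descriptor
        self.stack_addr_size = stack_addr_size
        self.esp = esp & 0xFFFFFFFF
        self.limit = limit
        self.mem = bytearray(limit)             # constructed segment, offsets 0..limit-1

    def _mask(self):
        return 0xFFFF if self.stack_addr_size == 16 else 0xFFFFFFFF

    def _top(self):
        """StackAddrSize = 16 uses SP (low 16 bits of ESP); 32 uses all of ESP."""
        return self.esp & self._mask()

    def _set_top(self, ptr):
        if self.stack_addr_size == 16:
            self.esp = (self.esp & 0xFFFF0000) | (ptr & 0xFFFF)   # only SP changes
        else:
            self.esp = ptr & 0xFFFFFFFF

    def _check(self, ptr, n):
        if ptr + n > self.limit:
            raise StackFault(f"offset {ptr:#x}+{n} exceeds limit {self.limit:#x}")
        return slice(ptr, ptr + n)

    def push(self, value, operand_size):
        """Push: decrement SP/ESP by the operand size, then store at SS:[top]."""
        n = operand_size // 8                   # 2 bytes for 16, 4 bytes for 32
        ptr = (self._top() - n) & self._mask()  # wraps within the address size
        self.mem[self._check(ptr, n)] = (value & ((1 << operand_size) - 1)).to_bytes(n, "little")
        self._set_top(ptr)

    def pop(self, operand_size):
        """Pop: load from SS:[top], then increment SP/ESP by the operand size."""
        n = operand_size // 8
        ptr = self._top()
        value = int.from_bytes(self.mem[self._check(ptr, n)], "little")
        self._set_top(ptr + n)
        return value


if __name__ == "__main__":
    s = Stack386(32, esp=0x1000)
    s.push(0x12345678, 32)
    s.push(0xABCD, 16)
    print(hex(s.esp), hex(s.pop(16)), hex(s.pop(32)))
```

The model keeps ESP as a single 32-bit register in both cases so that the "only SP changes" behaviour of a 16-bit stack is visible: pushing on a stack whose ESP is 00010000H with a 16-bit address size leaves ESP at 0001FFFEH.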
- Bit[BitBase, BitOffset] returns the address of a bit within a bit
  string, which is a sequence of bits in memory or a register. Bits are
  numbered from low-order to high-order within registers and within
  memory bytes. In memory, the two bytes of a word are stored with the
  low-order byte at the lower address.

  If the base operand is a register, the offset can be in the range 0..31.
  This offset addresses a bit within the indicated register. An example,
  "BIT[EAX, 21]," is illustrated in Figure 17-3.

  If BitBase is a memory address, BitOffset can range from -2 gigabits to 2
  gigabits. The addressed bit is numbered (Offset MOD 8) within the byte at
  address (BitBase + (BitOffset DIV 8)), where DIV is signed division with
  rounding towards negative infinity, and MOD returns a positive number.
  This is illustrated in Figure 17-4.
- I-O-Permission(I-O-Address, width) returns TRUE or FALSE depending on
  the I/O permission bitmap and other factors. This function is defined as

     IF TSS type is 286 THEN RETURN FALSE; FI;
     Ptr ← [TSS + 66]; (* fetch bitmap pointer *)
     BitStringAddr ← SHR (I-O-Address, 3) + Ptr;
     MaskShift ← I-O-Address AND 7;
     CASE width OF
        BYTE:  nBitMask ← 1;
        WORD:  nBitMask ← 3;
        DWORD: nBitMask ← 15;
     ESAC;
     mask ← SHL (nBitMask, MaskShift);
     CheckString ← [BitStringAddr] AND mask;
     IF CheckString = 0
     THEN RETURN (TRUE);
     ELSE RETURN (FALSE);
     FI;

- Switch-Tasks is the task switching function described in Chapter 7.
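Two of the functions above, Bit[BitBase, BitOffset] and I-O-Permission, are both bit-string lookups, and both have an edge that matters to anyone writing an emulator or checking an operating system's TSS layout: the bit-offset arithmetic must round toward negative infinity for negative offsets, and a WORD or DWORD port access whose mask straddles a byte boundary must see the byte past the end of the bitmap as all ones (which is why the bitmap is followed by a byte of ones, and why anything past the TSS limit reads as denied). The following is an added example written for this page, not code from the Intel manual; the TSS it builds is constructed, with the I/O map base word at offset 66 as the page's pseudocode reads it.

```python
# Added example (not from the Intel manual): Bit[BitBase, BitOffset] addressing
# and the I-O-Permission(I-O-Address, width) check from section 17.2.2.5.

IOMAP_BASE_OFFSET = 66           # word in the TSS holding the bitmap's offset
TSS_FIXED_PART = 104             # size of the constructed TSS before the bitmap


def bit_address(bit_base, bit_offset):
    """Memory form of Bit[BitBase, BitOffset]: (byte address, bit number 0..7).
    Python's // rounds toward negative infinity and % is never negative, which
    is exactly the DIV and MOD the manual specifies."""
    return bit_base + bit_offset // 8, bit_offset % 8


def register_bit(value, bit_offset):
    """Register form of Bit[]: BitOffset must be in 0..31; returns the bit value."""
    if not 0 <= bit_offset <= 31:
        raise ValueError("register bit offset must be in 0..31")
    return (value >> bit_offset) & 1


def build_tss(denied_ports, bitmap_bytes):
    """Constructed 80386-style TSS: fixed part, then the I/O permission bitmap
    (one bit per port, 1 = denied), then the terminating byte of ones."""
    tss = bytearray(TSS_FIXED_PART)
    tss[IOMAP_BASE_OFFSET:IOMAP_BASE_OFFSET + 2] = TSS_FIXED_PART.to_bytes(2, "little")
    bitmap = bytearray(bitmap_bytes)
    for port in denied_ports:
        bitmap[port >> 3] |= 1 << (port & 7)
    return bytes(tss + bitmap + b"\xff")


def _word_at(tss, addr):
    """Two bytes of the TSS at addr; bytes beyond the TSS limit read as ones,
    so any port whose bits fall outside the bitmap is denied."""
    chunk = tss[addr:addr + 2] + b"\xff\xff"
    return int.from_bytes(chunk[:2], "little")


def io_permission(tss, is_286_tss, io_address, width):
    """I-O-Permission(I-O-Address, width); width is the access size in bytes."""
    if is_286_tss:                       # a 286 TSS carries no bitmap: deny
        return False
    ptr = int.from_bytes(tss[IOMAP_BASE_OFFSET:IOMAP_BASE_OFFSET + 2], "little")
    bit_string_addr = (io_address >> 3) + ptr
    mask_shift = io_address & 7
    n_bit_mask = {1: 1, 2: 3, 4: 15}[width]          # BYTE, WORD, DWORD
    mask = n_bit_mask << mask_shift                  # may span two bytes
    check_string = _word_at(tss, bit_string_addr) & mask
    return check_string == 0


if __name__ == "__main__":
    # Constructed: 16-byte bitmap covering ports 0..127, with port 21H denied.
    tss = build_tss(denied_ports=[0x21], bitmap_bytes=16)
    print(io_permission(tss, False, 0x20, 1), io_permission(tss, False, 0x20, 2))
    print(bit_address(0x1000, 13), bit_address(0x1000, -11))
```

The two Figure 17-4 cases fall out of bit_address directly: offset 13 from BITBASE selects bit 5 of the byte at BITBASE + 1, and offset -11 selects bit 5 of the byte at BITBASE - 2. For the port check, a DWORD access at port 7DH with a 16-byte bitmap reaches into the terminating byte of ones and is denied even though ports 7DH to 7FH themselves are permitted.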
17.2.2.6 Description

The "Description" section contains further explanation of the instruction's

Figure 17-3. Bit Offset for BIT[EAX, 21]

[Figure: the 32 bits of EAX drawn from bit 31 on the left to bit 0 on the
right; the bit selected by BIT[EAX, 21] is bit 21, and the bracket beneath
the register marks BITOFFSET = 21 counted up from bit 0.]

Figure 17-4. Memory Bit Indexing

BIT INDEXING (POSITIVE OFFSET)

[Figure: three consecutive memory bytes, BITBASE + 1, BITBASE and
BITBASE - 1 (highest address on the left), each drawn with bits 7 6 5 4 3 2
1 0; OFFSET = 13 is counted from bit 0 of BITBASE and selects bit 5 of the
byte at BITBASE + 1.]

BIT INDEXING (NEGATIVE OFFSET)

[Figure: the bytes BITBASE, BITBASE - 1 and BITBASE - 2, each with bits
7 6 5 4 3 2 1 0; OFFSET = -11 is counted backwards from bit 0 of BITBASE and
selects bit 5 of the byte at BITBASE - 2.]
17.2.2.7 Flags Affected

The "Flags Affected" section lists the flags that are affected by the
instruction, as follows:

• If a flag is always cleared or always set by the instruction, the
  value is given (0 or 1) after the flag name. Arithmetic and logical
  instructions usually assign values to the status flags in the uniform
  manner described in Appendix C. Nonconventional assignments are
  described in the "Operation" section.

• The values of flags listed as "undefined" may be changed by the
  instruction in an indeterminate manner.

All flags not listed are unchanged by the instruction.
17.2.2.8 Protected Mode Exceptions

This section lists the exceptions that can occur when the instruction is
executed in 80386 Protected Mode. The exception names are a pound sign (#)
followed by two letters and an optional error code in parentheses. For
example, #GP(0) denotes a general protection exception with an error code of
0. Table 17-6 associates each two-letter name with the corresponding

Chapter 9 describes the exceptions and the 80386 state upon entry to the

Application programmers should consult the documentation provided with
their operating systems to determine the actions taken when exceptions
Table 17-6. 80386 Exceptions

Mnemonic   Interrupt   Description
#UD            6       Invalid opcode
#NM            7       Coprocessor not available
#NP           11       Segment or gate not present
#GP           13       General protection fault
#MF           16       Math (coprocessor) fault
17.2.2.9 Real Address Mode Exceptions

Because less error checking is performed by the 80386 in Real Address Mode,
this mode has fewer exception conditions. Refer to Chapter 14 for further
information on these exceptions.

17.2.2.10 Virtual-8086 Mode Exceptions

Virtual 8086 tasks provide the ability to simulate Virtual 8086 machines.
Virtual 8086 Mode exceptions are similar to those for the 8086 processor,
but there are some differences. Refer to Chapter 15 for details.
AAA -- ASCII Adjust after Addition

Opcode   Instruction   Clocks   Description
37       AAA           4        ASCII adjust AL after addition

Operation

IF ((AL AND 0FH) > 9) OR (AF = 1)
THEN
   AL ← (AL + 6) AND 0FH;
   AH ← AH + 1;
   AF ← 1;
   CF ← 1;
ELSE
   CF ← 0;
   AF ← 0;
FI;

Description

Execute AAA only following an ADD instruction that leaves a byte result
in the AL register. The lower nibbles of the operands of the ADD instruction
should be in the range 0 through 9 (BCD digits). In this case, AAA adjusts
AL to contain the correct decimal digit result. If the addition produced a
decimal carry, the AH register is incremented, and the carry and auxiliary
carry flags are set to 1. If there was no decimal carry, the carry and
auxiliary flags are set to 0 and AH is unchanged. In either case, AL is left
with its top nibble set to 0. To convert AL to an ASCII result, follow the
AAA instruction with OR AL, 30H.

Flags Affected

AF and CF as described above; OF, SF, ZF, and PF are undefined

Protected Mode Exceptions

Real Address Mode Exceptions

Virtual 8086 Mode Exceptions
AAD -- ASCII Adjust AX before Division

Opcode   Instruction   Clocks   Description
D5 0A    AAD           19       ASCII adjust AX before division

Operation

AL ← AH * 10 + AL;
AH ← 0;

Description

AAD is used to prepare two unpacked BCD digits (the least-significant
digit in AL, the most-significant digit in AH) for a division operation that
will yield an unpacked result. This is accomplished by setting AL to
AL + (10 * AH), and then setting AH to 0. AX is then equal to the binary
equivalent of the original unpacked two-digit number.

Flags Affected

SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined

Protected Mode Exceptions

Real Address Mode Exceptions

Virtual 8086 Mode Exceptions
AAM -- ASCII Adjust AX after Multiply

Opcode   Instruction   Clocks   Description
D4 0A    AAM           17       ASCII adjust AX after multiply

Description

Execute AAM only after executing a MUL instruction between two unpacked
BCD digits that leaves the result in the AX register. Because the result is
less than 100, it is contained entirely in the AL register. AAM unpacks the
AL result by dividing AL by 10, leaving the quotient (most-significant
digit) in AH and the remainder (least-significant digit) in AL.

Flags Affected

SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined

Protected Mode Exceptions

Real Address Mode Exceptions

Virtual 8086 Mode Exceptions
AAS -- ASCII Adjust AL after Subtraction

Opcode   Instruction   Clocks   Description
3F       AAS           4        ASCII adjust AL after subtraction

Operation

IF (AL AND 0FH) > 9 OR AF = 1
THEN
   AL ← (AL - 6) AND 0FH;
   AH ← AH - 1;
   AF ← 1;
   CF ← 1;
ELSE
   CF ← 0;
   AF ← 0;
FI;

Description

Execute AAS only after a SUB instruction that leaves the byte result in the
AL register. The lower nibbles of the operands of the SUB instruction must
have been in the range 0 through 9 (BCD digits). In this case, AAS adjusts
AL so it contains the correct decimal digit result. If the subtraction
produced a decimal carry, the AH register is decremented, and the carry and
auxiliary carry flags are set to 1. If no decimal carry occurred, the carry
and auxiliary carry flags are set to 0, and AH is unchanged. In either case,
AL is left with its top nibble set to 0. To convert AL to an ASCII result,
follow the AAS with OR AL, 30H.

Flags Affected

AF and CF as described above; OF, SF, ZF, and PF are undefined

Protected Mode Exceptions

Real Address Mode Exceptions

Virtual 8086 Mode Exceptions
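The four ASCII-adjust instructions (AAA, AAD, AAM, AAS) modeled on a constructed register set, with the binary ADD, SUB, MUL or DIV performed first exactly as their descriptions require. This is an added example, not the manual's code; the regs_t structure and the digit wrappers are constructions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed register model: AL and AH plus the AF and CF flags. */
typedef struct { uint8_t al, ah; bool af, cf; } regs_t;

/* AAA: after ADD, turn the binary sum in AL into an unpacked BCD digit,
 * propagating a decimal carry into AH and into CF/AF. */
static void aaa(regs_t *r)
{
    if ((r->al & 0x0F) > 9 || r->af) {
        r->al = (uint8_t)((r->al + 6) & 0x0F);
        r->ah = (uint8_t)(r->ah + 1);
        r->af = r->cf = true;
    } else {
        r->al &= 0x0F;                 /* top nibble of AL is 0 in either case */
        r->af = r->cf = false;
    }
}

/* AAS: the same adjustment after SUB, borrowing from AH. */
static void aas(regs_t *r)
{
    if ((r->al & 0x0F) > 9 || r->af) {
        r->al = (uint8_t)((r->al - 6) & 0x0F);
        r->ah = (uint8_t)(r->ah - 1);
        r->af = r->cf = true;
    } else {
        r->al &= 0x0F;
        r->af = r->cf = false;
    }
}

/* AAD: pack the unpacked digits AH (tens) and AL (ones) into binary in AL. */
static void aad(regs_t *r)
{
    r->al = (uint8_t)(r->ah * 10 + r->al);
    r->ah = 0;
}

/* AAM: unpack the binary product in AL (always < 100) into AH:AL digits. */
static void aam(regs_t *r)
{
    r->ah = (uint8_t)(r->al / 10);
    r->al = (uint8_t)(r->al % 10);
}

/* a + b for BCD digits a, b in 0..9; returns the two-digit result AH*10 + AL.
 * AF is what ADD would leave: a carry out of the low nibble. */
static unsigned add_bcd_digits(uint8_t a, uint8_t b)
{
    regs_t r = { (uint8_t)(a + b), 0, ((a & 0x0F) + (b & 0x0F)) > 0x0F, false };
    aaa(&r);
    return r.ah * 10u + r.al;
}

/* a - b for BCD digits; a decimal borrow (CF = 1) makes the result negative. */
static int sub_bcd_digits(uint8_t a, uint8_t b)
{
    regs_t r = { (uint8_t)(a - b), 0, (a & 0x0F) < (b & 0x0F), false };
    aas(&r);
    return r.cf ? (int)r.al - 10 : (int)r.al;
}

/* a * b for BCD digits, unpacked by AAM into AH*10 + AL. */
static unsigned mul_bcd_digits(uint8_t a, uint8_t b)
{
    regs_t r = { (uint8_t)(a * b), 0, false, false };
    aam(&r);
    return r.ah * 10u + r.al;
}

/* (tens ones) / d with AAD applied first; returns the binary quotient. */
static unsigned div_bcd_by_digit(uint8_t tens, uint8_t ones, uint8_t d)
{
    regs_t r = { ones, tens, false, false };
    aad(&r);                           /* AX = tens*10 + ones */
    return r.al / d;
}
```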
ADC -- Add with Carry

Opcode      Instruction         Clocks   Description
14 ib       ADC AL,imm8         2        Add with carry immediate byte to AL
15 iw       ADC AX,imm16        2        Add with carry immediate word to AX
15 id       ADC EAX,imm32       2        Add with carry immediate dword to EAX
80 /2 ib    ADC r/m8,imm8       2/7      Add with carry immediate byte to r/m
81 /2 iw    ADC r/m16,imm16     2/7      Add with carry immediate word to r/m
81 /2 id    ADC r/m32,imm32     2/7      Add with CF immediate dword to r/m
83 /2 ib    ADC r/m16,imm8      2/7      Add with CF sign-extended immediate
83 /2 ib    ADC r/m32,imm8      2/7      Add with CF sign-extended immediate
                                         byte into r/m dword
10 /r       ADC r/m8,r8         2/7      Add with carry byte register to r/m
11 /r       ADC r/m16,r16       2/7      Add with carry word register to r/m
11 /r       ADC r/m32,r32       2/7      Add with CF dword register to r/m dword
12 /r       ADC r8,r/m8         2/6      Add with carry r/m byte to byte
13 /r       ADC r16,r/m16       2/6      Add with carry r/m word to word
13 /r       ADC r32,r/m32       2/6      Add with CF r/m dword to dword register

Operation

DEST ← DEST + SRC + CF;

Description

ADC performs an integer addition of the two operands DEST and SRC and the
carry flag, CF. The result of the addition is assigned to the first operand
(DEST), and the flags are set accordingly. ADC is usually executed as part
of a multi-byte or multi-word addition operation. When an immediate byte
value is added to a word or doubleword operand, the immediate value is first
sign-extended to the size of the word or doubleword operand.

Flags Affected

OF, SF, ZF, AF, CF, and PF as described in Appendix C

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) if page
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
ADD -- Add

Opcode      Instruction         Clocks   Description
04 ib       ADD AL,imm8         2        Add immediate byte to AL
05 iw       ADD AX,imm16        2        Add immediate word to AX
05 id       ADD EAX,imm32       2        Add immediate dword to EAX
80 /0 ib    ADD r/m8,imm8       2/7      Add immediate byte to r/m byte
81 /0 iw    ADD r/m16,imm16     2/7      Add immediate word to r/m word
81 /0 id    ADD r/m32,imm32     2/7      Add immediate dword to r/m dword
83 /0 ib    ADD r/m16,imm8      2/7      Add sign-extended immediate byte
83 /0 ib    ADD r/m32,imm8      2/7      Add sign-extended immediate byte
00 /r       ADD r/m8,r8         2/7      Add byte register to r/m byte
01 /r       ADD r/m16,r16       2/7      Add word register to r/m word
01 /r       ADD r/m32,r32       2/7      Add dword register to r/m dword
02 /r       ADD r8,r/m8         2/6      Add r/m byte to byte register
03 /r       ADD r16,r/m16       2/6      Add r/m word to word register
03 /r       ADD r32,r/m32       2/6      Add r/m dword to dword register

Operation

DEST ← DEST + SRC;

Description

ADD performs an integer addition of the two operands (DEST and SRC). The
result of the addition is assigned to the first operand (DEST), and the
flags are set accordingly.

When an immediate byte is added to a word or doubleword operand, the
immediate value is sign-extended to the size of the word or doubleword

Flags Affected

OF, SF, ZF, AF, CF, and PF as described in Appendix C

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
AND -- Logical AND

Opcode      Instruction         Clocks   Description
24 ib       AND AL,imm8         2        AND immediate byte to AL
25 iw       AND AX,imm16        2        AND immediate word to AX
25 id       AND EAX,imm32       2        AND immediate dword to EAX
80 /4 ib    AND r/m8,imm8       2/7      AND immediate byte to r/m byte
81 /4 iw    AND r/m16,imm16     2/7      AND immediate word to r/m word
81 /4 id    AND r/m32,imm32     2/7      AND immediate dword to r/m dword
83 /4 ib    AND r/m16,imm8      2/7      AND sign-extended immediate byte
83 /4 ib    AND r/m32,imm8      2/7      AND sign-extended immediate byte
20 /r       AND r/m8,r8         2/7      AND byte register to r/m byte
21 /r       AND r/m16,r16       2/7      AND word register to r/m word
21 /r       AND r/m32,r32       2/7      AND dword register to r/m dword
22 /r       AND r8,r/m8         2/6      AND r/m byte to byte register
23 /r       AND r16,r/m16       2/6      AND r/m word to word register
23 /r       AND r32,r/m32       2/6      AND r/m dword to dword register

Operation

DEST ← DEST AND SRC;

Description

Each bit of the result of the AND instruction is a 1 if both corresponding
bits of the operands are 1; otherwise, it becomes a 0.

Flags Affected

CF = 0, OF = 0; PF, SF, and ZF as described in Appendix C

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
ARPL -- Adjust RPL Field of Selector

Opcode   Instruction         Clocks       Description
63 /r    ARPL r/m16,r16      pm=20/21     Adjust RPL of r/m16 to not
                                          less than RPL of r16

Operation

IF RPL bits(0,1) of DEST < RPL bits(0,1) of SRC
THEN
   ZF ← 1;
   RPL bits(0,1) of DEST ← RPL bits(0,1) of SRC;
ELSE
   ZF ← 0;
FI;

Description

The ARPL instruction has two operands. The first operand is a 16-bit
memory variable or word register that contains the value of a selector. The
second operand is a word register. If the RPL field ("requested privilege
level", the bottom two bits) of the first operand is less than the RPL field
of the second operand, the zero flag is set to 1 and the RPL field of the
first operand is increased to match the second operand. Otherwise, the zero
flag is set to 0 and no change is made to the first operand.

ARPL appears in operating system software, not in application programs. It
is used to guarantee that a selector parameter to a subroutine does not
request more privilege than the caller is allowed. The second operand of
ARPL is normally a register that contains the CS selector value of the

Flags Affected

ZF as described above

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault

Real Address Mode Exceptions

Interrupt 6; ARPL is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
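The ARPL operation and the operating-system use its description gives, modeled in C (an added example, not the manual's code). The service routine, its selector values, and the data-segment access rule it applies (max(CPL, RPL) ≤ DPL, the general rule from the protection chapters rather than this page) are assumptions of this example; the point is that clamping the caller-supplied RPL first makes the kernel's own check run at the caller's privilege.

```c
#include <stdbool.h>
#include <stdint.h>

/* Result of the modeled ARPL: the adjusted selector and the ZF value. */
typedef struct { uint16_t selector; bool zf; } arpl_result_t;

/* ARPL r/m16, r16: if the RPL (bits 0-1) of dest is less than the RPL of src,
 * raise it to the RPL of src and set ZF; otherwise leave dest alone, ZF = 0. */
static arpl_result_t arpl(uint16_t dest, uint16_t src)
{
    arpl_result_t r = { dest, false };
    if ((dest & 3) < (src & 3)) {
        r.selector = (uint16_t)((dest & ~3u) | (src & 3));
        r.zf = true;
    }
    return r;
}

/* Hypothetical service running at CPL 0 that receives a data-segment
 * selector from its caller. caller_cs is the caller's CS selector, whose RPL
 * is the caller's privilege level; segment_dpl is the DPL of the segment the
 * parameter selects. Assumption of this example: the segment may be used only
 * if max(CPL, RPL) <= DPL. */
static bool service_may_use(uint16_t param_sel, uint16_t caller_cs, unsigned segment_dpl)
{
    const unsigned cpl = 0;                               /* the service itself */
    uint16_t sel = arpl(param_sel, caller_cs).selector;   /* clamp RPL first */
    unsigned rpl = sel & 3;
    unsigned effective = rpl > cpl ? rpl : cpl;
    return effective <= segment_dpl;
}

/* The same check without the clamp: the parameter is used as the caller
 * supplied it, so a caller can name a kernel segment with RPL 0 and the
 * check passes on the kernel's privilege instead of the caller's. */
static bool service_may_use_unclamped(uint16_t param_sel, unsigned segment_dpl)
{
    unsigned rpl = param_sel & 3;
    return rpl <= segment_dpl;                            /* CPL is 0 here */
}
```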
BOUND -- Check Array Index Against Bounds

Opcode   Instruction            Clocks   Description
62 /r    BOUND r16,m16&16       10       Check if r16 is within bounds
62 /r    BOUND r32,m32&32       10       Check if r32 is within bounds

Operation

IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + OperandSize/8])
   (* Under lower bound or over upper bound *)
THEN Interrupt 5;
FI;

Description

BOUND ensures that a signed array index is within the limits specified by a
block of memory consisting of an upper and a lower bound. Each bound uses
one word for an operand-size attribute of 16 bits and a doubleword for an
operand-size attribute of 32 bits. The first operand (a register) must be
greater than or equal to the first bound in memory (lower bound), and less
than or equal to the second bound in memory (upper bound). If the register
is not within bounds, an Interrupt 5 occurs; the return EIP points to the

The bounds limit data structure is usually placed just before the array
itself, making the limits addressable via a constant offset from the
beginning of the array.

Protected Mode Exceptions

Interrupt 5 if the bounds test fails, as described above; #GP(0) for an
illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

The second operand must be a memory operand, not a register. If BOUND is
executed with a ModRM byte representing a register as the second operand,

Real Address Mode Exceptions

Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the
operand would lie outside of the effective address space from 0 to 0FFFFH;
Interrupt 6 if the second operand is a register

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
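The BOUND test as a C predicate over the layout the description suggests (bounds block immediately before the array), an added example rather than the manual's code. The array contents and the bounded_array_t type are constructed; the example also shows the caveat that follows from the inclusive upper bound: a bounds block whose upper value is the element count rather than count - 1 admits one index past the end.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bounds block placed just before the array: bounds[0] is the lower bound
 * ([RightSRC]), bounds[1] the upper bound ([RightSRC + 4] for 32-bit size). */
typedef struct {
    int32_t bounds[2];
    int32_t data[8];      /* constructed array */
} bounded_array_t;

/* BOUND r32, m32&32 as a predicate: true when the index passes, false when the
 * instruction would raise Interrupt 5. Both comparisons are signed and the
 * upper bound is inclusive, as in the Operation section. */
static bool bound_ok(int32_t index, const int32_t bounds[2])
{
    return !(index < bounds[0] || index > bounds[1]);
}

/* Correct setup: upper = element count - 1, so every passing index is valid. */
static bounded_array_t make_array(void)
{
    bounded_array_t a = { { 0, 7 }, { 10, 11, 12, 13, 14, 15, 16, 17 } };
    return a;
}

/* Load through the BOUND check; returns fallback instead of touching memory
 * when the index is rejected (where the instruction would trap). */
static int32_t load_or(const bounded_array_t *a, int32_t index, int32_t fallback)
{
    if (!bound_ok(index, a->bounds))
        return fallback;
    return a->data[index];
}

/* Demo entry: build the constructed array and read one element, -1 if rejected. */
static int32_t demo_load(int32_t index)
{
    bounded_array_t a = make_array();
    return load_or(&a, index, -1);
}

/* Count the indexes in -16..31 a bounds block admits. With lower = 0 and
 * upper = 8 on an 8-element array, 9 indexes pass, one of them out of range. */
static unsigned admitted_count(int32_t lower, int32_t upper)
{
    int32_t bounds[2] = { lower, upper };
    unsigned n = 0;
    for (int32_t i = -16; i < 32; i++)
        if (bound_ok(i, bounds))
            n++;
    return n;
}
```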
BSF -- Bit Scan Forward

Opcode   Instruction      Clocks   Description
0F BC    BSF r16,r/m16    10+3n    Bit scan forward on r/m word
0F BC    BSF r32,r/m32    10+3n    Bit scan forward on r/m dword

n is the number of leading zero bits.

Operation

IF r/m = 0
THEN
   ZF ← 1;
   register ← UNDEFINED;
ELSE
   temp ← 0;
   ZF ← 0;
   WHILE BIT[r/m, temp] = 0
   DO
      temp ← temp + 1;
      register ← temp;
   OD;
FI;

Description

BSF scans the bits in the second word or doubleword operand starting with
bit 0. The ZF flag is cleared if the bits are all 0; otherwise, the ZF flag
is set and the destination register is loaded with the bit index of the

Flags Affected

ZF as described above

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS, ES,
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
BSR -- Bit Scan Reverse

Opcode   Instruction      Clocks   Description
0F BD    BSR r16,r/m16    10+3n    Bit scan reverse on r/m word
0F BD    BSR r32,r/m32    10+3n    Bit scan reverse on r/m dword

Operation

IF r/m = 0
THEN
   ZF ← 1;
   register ← UNDEFINED;
ELSE
   temp ← OperandSize - 1;
   ZF ← 0;
   WHILE BIT[r/m, temp] = 0
   DO
      temp ← temp - 1;
      register ← temp;
   OD;
FI;

Description

BSR scans the bits in the second word or doubleword operand from the most
significant bit to the least significant bit. The ZF flag is cleared if the
bits are all 0; otherwise, ZF is set and the destination register is loaded
with the bit index of the first set bit found when scanning in the reverse

Flags Affected

ZF as described above

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
BT -- Bit Test

Opcode        Instruction       Clocks   Description
0F A3         BT r/m16,r16      3/12     Save bit in carry flag
0F A3         BT r/m32,r32      3/12     Save bit in carry flag
0F BA /4 ib   BT r/m16,imm8     3/6      Save bit in carry flag
0F BA /4 ib   BT r/m32,imm8     3/6      Save bit in carry flag

Operation

CF ← BIT[LeftSRC, RightSRC];

Description

BT saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag.

Flags Affected

CF as described above

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS, ES,
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The low-order
3 to 5 bits of the immediate bit offset are stored in the immediate bit
offset field, and the high-order 27 to 29 bits are shifted and combined with
the byte displacement in the addressing mode.

When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:

   Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address

   Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.
BTC -- Bit Test and Complement

Opcode        Instruction        Clocks   Description
0F BB         BTC r/m16,r16      6/13     Save bit in carry flag and complement
0F BB         BTC r/m32,r32      6/13     Save bit in carry flag and complement
0F BA /7 ib   BTC r/m16,imm8     6/8      Save bit in carry flag and complement
0F BA /7 ib   BTC r/m32,imm8     6/8      Save bit in carry flag and complement

Operation

CF ← BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] ← NOT BIT[LeftSRC, RightSRC];

Description

BTC saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then complements the

Flags Affected

CF as described above

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The low-order
3 to 5 bits of the immediate bit offset are stored in the immediate bit
offset field, and the high-order 27 to 29 bits are shifted and combined with
the byte displacement in the addressing mode.

When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:

   Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address

   Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.
BTR -- Bit Test and Reset

Opcode        Instruction        Clocks   Description
0F B3         BTR r/m16,r16      6/13     Save bit in carry flag and reset
0F B3         BTR r/m32,r32      6/13     Save bit in carry flag and reset
0F BA /6 ib   BTR r/m16,imm8     6/8      Save bit in carry flag and reset
0F BA /6 ib   BTR r/m32,imm8     6/8      Save bit in carry flag and reset

Operation

CF ← BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] ← 0;

Description

BTR saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then stores 0 in the

Flags Affected

CF as described above

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 (or 15) are supported by using the immediate bit offset field
in combination with the displacement field of the memory operand. The
low-order 3 to 5 bits of the immediate bit offset are stored in the
immediate bit offset field, and the high-order 27 to 29 bits are shifted and
combined with the byte displacement in the addressing mode.

When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:

   Effective Address + 4 * (BitOffset DIV 32)

for a 32-bit operand size, or two bytes starting from the memory address

   Effective Address + 2 * (BitOffset DIV 16)

for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.
BTS -- Bit Test and Set

Opcode        Instruction        Clocks   Description
0F AB         BTS r/m16,r16      6/13     Save bit in carry flag and set
0F AB         BTS r/m32,r32      6/13     Save bit in carry flag and set
0F BA /5 ib   BTS r/m16,imm8     6/8      Save bit in carry flag and set
0F BA /5 ib   BTS r/m32,imm8     6/8      Save bit in carry flag and set

Operation

CF ← BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] ← 1;

Description

BTS saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then stores 1 in the

Flags Affected

CF as described above

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The
low-order 3 to 5 bits of the immediate bit offset are stored in the
immediate bit offset field, and the high-order 27 to 29 bits are shifted and
combined with the byte displacement in the addressing mode.

When accessing a bit in memory, the processor may access four bytes starting
from the memory address given by:

   Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address

   Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do this even when only a single byte needs
to be accessed in order to get at the given bit. Thus the programmer must be
careful to avoid referencing areas of memory close to address space holes.
In particular, avoid references to memory-mapped I/O registers. Instead, use
the MOV instructions to load from or store to these addresses, and use the
register form of these instructions to manipulate the data.
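The two points the Notes for BT, BTC, BTR and BTS all make, worked through in C as an added example (not the manual's code): the window of bytes the processor may touch for a memory bit access, computed with the DIV formulas above so that a reference can be checked against an address-space hole before it is issued, and the split of an immediate bit offset into the imm8 field plus a byte displacement. Negative register-form offsets follow Figure 17-4 and use floor division; the sample addresses and the hole range are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

typedef struct { uint32_t lo, hi; } range_t;   /* inclusive byte addresses */

/* Floor division (C's / truncates toward zero), so negative register-form
 * bit offsets select the word or doubleword below the effective address. */
static int32_t floor_div(int32_t a, int32_t b)
{
    int32_t q = a / b;
    if ((a % b != 0) && ((a < 0) != (b < 0)))
        q--;
    return q;
}

/* The bytes the 80386 may touch for a memory bit access:
 *   EA + 4 * (BitOffset DIV 32) .. +3   for a 32-bit operand size
 *   EA + 2 * (BitOffset DIV 16) .. +1   for a 16-bit operand size */
static range_t access_window(uint32_t ea, int32_t bit_offset, unsigned operand_bits)
{
    unsigned bytes = operand_bits / 8;
    int32_t unit = floor_div(bit_offset, (int32_t)operand_bits);
    range_t r;
    r.lo = ea + (uint32_t)(unit * (int32_t)bytes);
    r.hi = r.lo + bytes - 1;
    return r;
}

/* The single byte that actually holds the bit (BITBASE + BitOffset DIV 8). */
static uint32_t bit_byte(uint32_t ea, int32_t bit_offset)
{
    return ea + (uint32_t)floor_div(bit_offset, 8);
}

/* True when the possible access window overlaps [hole_lo, hole_hi], such as a
 * memory-mapped I/O register, even if the bit's own byte lies outside it. */
static bool window_hits_hole(uint32_t ea, int32_t bit_offset, unsigned operand_bits,
                             uint32_t hole_lo, uint32_t hole_hi)
{
    range_t w = access_window(ea, bit_offset, operand_bits);
    return w.lo <= hole_hi && w.hi >= hole_lo;
}

/* Encoding of an immediate bit offset larger than the operand: the low 4 or 5
 * bits stay in the imm8 field,the rest become a byte displacement folded into
 * the addressing mode (the assembler's job, made explicit here). */
typedef struct { uint32_t displacement; uint8_t imm8; } bit_encoding_t;

static bit_encoding_t split_bit_offset(uint32_t bit_offset, unsigned operand_bits)
{
    bit_encoding_t e;
    e.displacement = (bit_offset / operand_bits) * (operand_bits / 8);
    e.imm8 = (uint8_t)(bit_offset % operand_bits);
    return e;
}
```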
CALL -- Call Procedure

Opcode    Instruction        Clocks          Description
E8 cw     CALL rel16         7+m             Call near, displacement relative
                                             to next instruction
FF /2     CALL r/m16         7+m/10+m        Call near, register
                                             indirect/memory indirect
9A cd     CALL ptr16:16      17+m,pm=34+m    Call intersegment, to full
9A cd     CALL ptr16:16      pm=52+m         Call gate, same privilege
9A cd     CALL ptr16:16      pm=86+m         Call gate, more privilege, no
9A cd     CALL ptr16:16      pm=94+4x+m      Call gate, more privilege, x
9A cd     CALL ptr16:16      ts              Call to task
FF /3     CALL m16:16        22+m,pm=38+m    Call intersegment, address at
FF /3     CALL m16:16        pm=56+m         Call gate, same privilege
FF /3     CALL m16:16        pm=90+m         Call gate, more privilege, no
FF /3     CALL m16:16        pm=98+4x+m      Call gate, more privilege, x
FF /3     CALL m16:16        5 + ts          Call to task
E8 cd     CALL rel32         7+m             Call near, displacement relative
                                             to next instruction
FF /2     CALL r/m32         7+m/10+m        Call near, indirect
9A cp     CALL ptr16:32      17+m,pm=34+m    Call intersegment, to full
9A cp     CALL ptr16:32      pm=52+m         Call gate, same privilege
9A cp     CALL ptr16:32      pm=86+m         Call gate, more privilege, no
9A cp     CALL ptr16:32      pm=94+4x+m      Call gate, more privilege, x
9A cp     CALL ptr16:32      ts              Call to task
FF /3     CALL m16:32        22+m,pm=38+m    Call intersegment, address at
FF /3     CALL m16:32        pm=56+m         Call gate, same privilege
FF /3     CALL m16:32        pm=90+m         Call gate, more privilege, no
FF /3     CALL m16:32        pm=98+4x+m      Call gate, more privilege, x
FF /3     CALL m16:32        5 + ts          Call to task

Values of ts are given by the following table:

                          New Task
              386 TSS       386 TSS       286 TSS
              VM=0          VM=1
Old Task      Via Task Gate?
              No     Yes    No     Yes    No     Yes
386 TSS       300    309    217    226    273    282
286 TSS       298    307    217    226    273    282
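A C model of the privilege checks the Operation section lists for a far CALL through a call gate (the CALL-GATE sequence and the MORE-PRIVILEGE stack checks), applied to a constructed descriptor table. This is an added example, not the manual's code; the desc_t/dtable_t structures, the demo GDT contents, and the selector values are assumptions of this example, and a selector's index field (bits 3-15) is used directly as the table index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum { D_CALL_GATE, D_CODE, D_DATA } dtype_t;

typedef struct {
    dtype_t  type;
    unsigned dpl;          /* descriptor privilege level */
    bool     present;
    bool     conforming;   /* code segments */
    bool     writable;     /* data segments */
    uint16_t target;       /* call gates: code segment selector in the gate */
} desc_t;

typedef struct { const desc_t *e; unsigned n; } dtable_t;

/* Either the path the pseudocode takes or the exception it raises, with the
 * selector that goes into the error code. */
typedef enum { OK_SAME_PRIVILEGE, OK_MORE_PRIVILEGE,
               FAULT_GP, FAULT_NP, FAULT_TS, FAULT_SS } kind_t;
typedef struct { kind_t kind; uint16_t error_code; } result_t;

static result_t res(kind_t k, uint16_t code) { result_t r = { k, code }; return r; }
static bool is_null(uint16_t sel) { return (sel >> 2) == 0; }
static const desc_t *lookup(dtable_t t, uint16_t sel)
{
    unsigned index = sel >> 3;                  /* index field, bits 3-15 */
    return index < t.n ? &t.e[index] : NULL;    /* NULL = outside table limits */
}

/* CALL-GATE, then MORE-PRIVILEGE or SAME-PRIVILEGE, in the order of the
 * Operation section. tss_ss is the SS selector the TSS holds for the target
 * privilege level (consulted only on the MORE-PRIVILEGE path). */
static result_t call_gate_checks(dtable_t t, uint16_t gate_sel, unsigned cpl, uint16_t tss_ss)
{
    const desc_t *gate = lookup(t, gate_sel);
    if (gate == NULL || gate->type != D_CALL_GATE) return res(FAULT_GP, gate_sel);
    if (gate->dpl < cpl)             return res(FAULT_GP, gate_sel); /* gate DPL >= CPL */
    if (gate->dpl < (gate_sel & 3))  return res(FAULT_GP, gate_sel); /* gate DPL >= RPL */
    if (!gate->present)              return res(FAULT_NP, gate_sel);

    uint16_t cs_sel = gate->target;              /* code segment selector in the gate */
    if (is_null(cs_sel))             return res(FAULT_GP, 0);
    const desc_t *cs = lookup(t, cs_sel);
    if (cs == NULL)                  return res(FAULT_GP, cs_sel);   /* table limits */
    if (cs->type != D_CODE)          return res(FAULT_GP, cs_sel);   /* AR byte: code */
    if (cs->dpl > cpl)               return res(FAULT_GP, cs_sel);   /* code DPL <= CPL */
    if (cs->conforming || cs->dpl == cpl)        /* not (non-conforming AND DPL < CPL) */
        return res(OK_SAME_PRIVILEGE, cs_sel);

    /* MORE-PRIVILEGE: the new stack comes from the TSS and is checked too. */
    if (is_null(tss_ss))             return res(FAULT_TS, 0);
    const desc_t *ss = lookup(t, tss_ss);
    if (ss == NULL)                  return res(FAULT_TS, tss_ss);
    if ((tss_ss & 3) != cs->dpl)     return res(FAULT_TS, tss_ss);   /* SS RPL = code DPL */
    if (ss->dpl != cs->dpl)          return res(FAULT_TS, tss_ss);   /* SS DPL = code DPL */
    if (ss->type != D_DATA || !ss->writable) return res(FAULT_TS, tss_ss);
    if (!ss->present)                return res(FAULT_SS, tss_ss);
    return res(OK_MORE_PRIVILEGE, cs_sel);
}

/* Constructed GDT (entry = selector >> 3): 0 null, 1 kernel code DPL 0,
 * 2 kernel stack DPL 0 (writable data), 3 call gate DPL 3 -> entry 1,
 * 4 call gate DPL 0 -> entry 1, 5 call gate DPL 3 -> entry 1, not present. */
static const desc_t demo_gdt[] = {
    { D_CODE,      0, false, false, false, 0      },
    { D_CODE,      0, true,  false, false, 0      },
    { D_DATA,      0, true,  false, true,  0      },
    { D_CALL_GATE, 3, true,  false, false, 0x0008 },
    { D_CALL_GATE, 0, true,  false, false, 0x0008 },
    { D_CALL_GATE, 3, false, false, false, 0x0008 },
};

static dtable_t demo_table(void)
{
    dtable_t t = { demo_gdt, sizeof demo_gdt / sizeof demo_gdt[0] };
    return t;
}

/* Wrappers for quick checks against the constructed table. */
static kind_t demo_call(uint16_t gate_sel, unsigned cpl, uint16_t tss_ss)
{
    return call_gate_checks(demo_table(), gate_sel, cpl, tss_ss).kind;
}
static uint16_t demo_call_code(uint16_t gate_sel, unsigned cpl, uint16_t tss_ss)
{
    return call_gate_checks(demo_table(), gate_sel, cpl, tss_ss).error_code;
}
```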
Operation

IF rel16 or rel32 type of call
THEN (* near relative call *)
   IF OperandSize = 16
   THEN
      Push(IP);
      EIP ← (EIP + rel16) AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      Push(EIP);
      EIP ← EIP + rel32;
   FI;
FI;
IF r/m16 or r/m32 type of call
THEN (* near absolute call *)
   IF OperandSize = 16
   THEN
      Push(IP);
      EIP ← [r/m16] AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      Push(EIP);
      EIP ← [r/m32];
   FI;
FI;
IF (PE = 0 OR (PE = 1 AND VM = 1))
   (* real mode or virtual 8086 mode *)
   AND instruction = far CALL
   (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *)
THEN
   IF OperandSize = 16
   THEN
      Push(CS);
      Push(IP); (* address of next instruction; 16 bits *)
   ELSE
      Push(CS); (* padded with 16 high-order bits *)
      Push(EIP); (* address of next instruction; 32 bits *)
   FI;
   IF operand type is m16:16 or m16:32
   THEN (* indirect far call *)
      IF OperandSize = 16
      THEN
         CS:IP ← [m16:16];
         EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP ← [m16:32];
      FI;
   FI;
   IF operand type is ptr16:16 or ptr16:32
   THEN (* direct far call *)
      IF OperandSize = 16
      THEN
         CS:IP ← ptr16:16;
         EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP ← ptr16:32;
      FI;
   FI;
FI;
IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
   AND instruction = far CALL
THEN
   If indirect, then check access of EA doubleword;
      #GP(0) if limit violation;
   New CS selector must not be null ELSE #GP(0);
   Check that new CS selector index is within its
      descriptor table limits; ELSE #GP(new CS selector);
   Examine AR byte of selected descriptor for various legal values;
      depending on value:
         go to CONFORMING-CODE-SEGMENT;
         go to NONCONFORMING-CODE-SEGMENT;
         go to CALL-GATE;
         go to TASK-STATE-SEGMENT;
      ELSE #GP(code segment selector);
FI;

CONFORMING-CODE-SEGMENT:
   DPL must be ≤ CPL ELSE #GP(code segment selector);
   Segment must be present ELSE #NP(code segment selector);
   Stack must be big enough for return address ELSE #SS(0);
   Instruction pointer must be in code segment limit ELSE #GP(0);
   Load code segment descriptor into CS register;
   Load CS with new code segment selector;
   Load EIP with zero-extend(new offset);
   IF OperandSize=16 THEN EIP ← EIP AND 0000FFFFH; FI;

NONCONFORMING-CODE-SEGMENT:
   RPL must be ≤ CPL ELSE #GP(code segment selector)
   DPL must be = CPL ELSE #GP(code segment selector)
   Segment must be present ELSE #NP(code segment selector)
   Stack must be big enough for return address ELSE #SS(0)
   Instruction pointer must be in code segment limit ELSE #GP(0)
   Load code segment descriptor into CS register
   Load CS with new code segment selector
   Set RPL of CS to CPL
   Load EIP with zero-extend(new offset);
   IF OperandSize=16 THEN EIP ← EIP AND 0000FFFFH; FI;

CALL-GATE:
   Call gate DPL must be ≥ CPL ELSE #GP(call gate selector)
   Call gate DPL must be ≥ RPL ELSE #GP(call gate selector)
   Call gate must be present ELSE #NP(call gate selector)
   Examine code segment selector in call gate descriptor:
      Selector must not be null ELSE #GP(0)
      Selector must be within its descriptor table
         limits ELSE #GP(code segment selector)
      AR byte of selected descriptor must indicate code
         segment ELSE #GP(code segment selector)
      DPL of selected descriptor must be ≤ CPL ELSE
         #GP(code segment selector)
   IF non-conforming code segment AND DPL < CPL
   THEN go to MORE-PRIVILEGE
   ELSE go to SAME-PRIVILEGE
   FI;

MORE-PRIVILEGE:
   Get new SS selector for new privilege level from TSS
   Check selector and descriptor for new SS:
      Selector must not be null ELSE #TS(0)
      Selector index must be within its descriptor
         table limits ELSE #TS(SS selector)
      Selector's RPL must equal DPL of code segment
         ELSE #TS(SS selector)
      Stack segment DPL must equal DPL of code
         segment ELSE #TS(SS selector)
      Descriptor must indicate writable data segment
         ELSE #TS(SS selector)
      Segment present ELSE #SS(SS selector)
   IF OperandSize=32
   THEN
      New stack must have room for parameters plus 16 bytes ELSE #SS(0)
      EIP must be in code segment limit ELSE #GP(0)
      Load new SS:eSP value from TSS
      Load new CS:EIP value from gate
   ELSE
      New stack must have room for parameters plus 8 bytes ELSE #SS(0)
      IP must be in code segment limit ELSE #GP(0)
      Load new SS:eSP value from TSS
      Load new CS:IP value from gate
   FI;
   Push long pointer of old stack onto new stack
14192 Get word count from call gate, mask to 5 bits
14193 Copy parameters from old stack onto new stack
14194 Push return address onto new stack
14195 Set CPL to stack segment DPL
14196 Set RPL of CS to CPL
14201 Stack must have room for 6-byte return address (padded to 8 bytes)
14203 EIP must be within code segment limit ELSE #GP(0)
14204 Load CS:EIP from gate
14206 Stack must have room for 4-byte return address ELSE #SS(0)
14207 IP must be within code segment limit ELSE #GP(0)
14208 Load CS:IP from gate
14210 Push return address onto stack
14211 Load code segment descriptor into CS register
14212 Set RPL of CS to CPL
14215 Task gate DPL must be � CPL ELSE #TS(gate selector)
14216 Task gate DPL must be � RPL ELSE #TS(gate selector)
14217 Task Gate must be present ELSE #NP(gate selector)
14218 Examine selector to TSS, given in Task Gate descriptor:
14219 Must specify global in the local/global bit ELSE #TS(TSS selector)
14220 Index must be within GDT limits ELSE #TS(TSS selector)
14221 TSS descriptor AR byte must specify nonbusy TSS
14222 ELSE #TS(TSS selector)
14223 Task State Segment must be present ELSE #NP(TSS selector)
14224 SWITCH-TASKS (with nesting) to TSS
14225 IP must be in code segment limit ELSE #TS(0)
14227 TASK-STATE-SEGMENT:
14228 TSS DPL must be � CPL else #TS(TSS selector)
14229 TSS DPL must be � RPL ELSE #TS(TSS selector)
14230 TSS descriptor AR byte must specify available TSS
14231 ELSE #TS(TSS selector)
14232 Task State Segment must be present ELSE #NP(TSS selector)
14233 SWITCH-TASKS (with nesting) to TSS
14234 IP must be in code segment limit ELSE #TS(0)
Description

The CALL instruction causes the procedure named in the operand to be
executed. When the procedure is complete (a return instruction is executed
within the procedure), execution continues at the instruction that follows
the CALL instruction.

The actions of the different forms of the instruction are described below.

Near calls are those with destinations of type r/m16, r/m32, rel16, rel32;
changing or saving the segment register value is not necessary. The CALL
rel16 and CALL rel32 forms add a signed offset to the address of the
instruction following CALL to determine the destination. The rel16 form is
used when the instruction's operand-size attribute is 16 bits; rel32 is used
when the operand-size attribute is 32 bits. The result is stored in the
32-bit EIP register. With rel16, the upper 16 bits of EIP are cleared,
resulting in an offset whose value does not exceed 16 bits. CALL r/m16 and
CALL r/m32 specify a register or memory location from which the absolute
segment offset is fetched. The offset fetched from r/m is 32 bits for an
operand-size attribute of 32 (r/m32), or 16 bits for an operand-size of 16
(r/m16). The offset of the instruction following CALL is pushed onto the
stack. It will be popped by a near RET instruction within the procedure. The
CS register is not changed by this form of CALL.

The far calls, CALL ptr16:16 and CALL ptr16:32, use a four-byte or six-byte
operand as a long pointer to the procedure called. The CALL m16:16 and
m16:32 forms fetch the long pointer from the memory location
specified (indirection). In Real Address Mode or Virtual 8086 Mode, the long
pointer provides 16 bits for the CS register and 16 or 32 bits for the EIP
register (depending on the operand-size attribute). These forms of the
instruction push both CS and IP or EIP as a return address.

In Protected Mode, both long pointer forms consult the AR byte in the
descriptor indexed by the selector part of the long pointer. Depending on
the value of the AR byte, the call will perform one of the following types
of control transfers:

   - A far call to the same protection level
   - An inter-protection level far call
   - A task switch

For more information on Protected Mode control transfers, refer to
Chapter 6 and Chapter 7.
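The privilege rules in the CONFORMING-CODE-SEGMENT, NONCONFORMING-CODE-SEGMENT and CALL-GATE paths above are what keep a far CALL from becoming a privilege escalation: code at CPL 3 can only reach a DPL 0 segment through a gate whose DPL admits it, and even then only at the entry point the gate names. The following C model, an added example that is not part of the Intel manual, applies those DPL/RPL/CPL comparisons to a reduced descriptor and reports which branch or fault results. The descriptor struct, the enum values and the constructed descriptors are this example's own; stack-room and limit checks are not modelled.

```c
#include <stddef.h>
#include <stdio.h>

enum desc_kind { CODE_CONFORMING, CODE_NONCONFORMING, CALL_GATE };

/* Outcome: the two successful branches named in the pseudocode, or the
 * fault raised, named after the selector its error code would carry. */
enum call_result {
    CALL_SAME_PRIVILEGE, CALL_MORE_PRIVILEGE,
    FAULT_GP_CS, FAULT_NP_CS, FAULT_GP_GATE, FAULT_NP_GATE
};

/* Reduced descriptor: only the fields the privilege checks read. */
struct descriptor {
    enum desc_kind kind;
    unsigned dpl;                      /* descriptor privilege level 0..3 */
    int present;                       /* P bit */
    const struct descriptor *target;   /* CALL_GATE only: the code segment it names */
};

/* Apply the far CALL privilege rules to descriptor d, given the caller's CPL
 * and the RPL of the selector used in the CALL. */
enum call_result far_call_check(unsigned cpl, unsigned rpl,
                                const struct descriptor *d)
{
    switch (d->kind) {
    case CODE_CONFORMING:
        /* DPL <= CPL: callable from any less-privileged level; CPL is unchanged. */
        if (d->dpl > cpl)  return FAULT_GP_CS;
        if (!d->present)   return FAULT_NP_CS;
        return CALL_SAME_PRIVILEGE;

    case CODE_NONCONFORMING:
        /* RPL <= CPL and DPL = CPL: a direct far call through a code segment
         * descriptor can neither raise nor lower privilege. */
        if (rpl > cpl)     return FAULT_GP_CS;
        if (d->dpl != cpl) return FAULT_GP_CS;
        if (!d->present)   return FAULT_NP_CS;
        return CALL_SAME_PRIVILEGE;

    case CALL_GATE:
        /* The gate's DPL bounds who may use it: both CPL and RPL must be <= DPL. */
        if (d->dpl < cpl)  return FAULT_GP_GATE;
        if (d->dpl < rpl)  return FAULT_GP_GATE;
        if (!d->present)   return FAULT_NP_GATE;
        /* The gate's target must be a code segment at least as privileged as
         * the caller (DPL <= CPL). */
        if (d->target == NULL || d->target->kind == CALL_GATE) return FAULT_GP_CS;
        if (d->target->dpl > cpl) return FAULT_GP_CS;
        /* Nonconforming target with DPL < CPL: MORE-PRIVILEGE, i.e. the inner
         * stack is taken from the TSS; anything else stays on the same stack. */
        if (d->target->kind == CODE_NONCONFORMING && d->target->dpl < cpl)
            return CALL_MORE_PRIVILEGE;
        return CALL_SAME_PRIVILEGE;
    }
    return FAULT_GP_CS;
}

/* Constructed descriptors for the demonstration (not real GDT contents). */
const struct descriptor kernel_code = { CODE_NONCONFORMING, 0, 1, NULL };
const struct descriptor shared_lib  = { CODE_CONFORMING,    0, 1, NULL };
const struct descriptor user_gate   = { CALL_GATE, 3, 1, &kernel_code }; /* DPL 3: any caller */
const struct descriptor kernel_gate = { CALL_GATE, 0, 1, &kernel_code }; /* DPL 0: ring 0 only */

int main(void)
{
    printf("user -> kernel code directly:   %d\n", far_call_check(3, 3, &kernel_code));
    printf("user -> kernel via DPL-3 gate:  %d\n", far_call_check(3, 3, &user_gate));
    printf("user -> kernel via DPL-0 gate:  %d\n", far_call_check(3, 3, &kernel_gate));
    printf("user -> conforming library:     %d\n", far_call_check(3, 3, &shared_lib));
    return 0;
}
```

The direct call from CPL 3 to the DPL 0 nonconforming segment faults with #GP carrying the code segment selector; the same target reached through a DPL 3 call gate takes the MORE-PRIVILEGE path, and a gate with DPL 0 is simply not usable from ring 3.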
Flags Affected

All flags are affected if a task switch occurs; no flags are affected if a
task switch does not occur.

Protected Mode Exceptions

For far calls: #GP, #NP, #SS, and #TS, as indicated in the list above

For near direct calls: #GP(0) if procedure location is beyond the code
segment limits; #SS(0) if pushing the return address exceeds the bounds of
the stack segment; #PF(fault-code) for a page fault

For a near indirect call: #GP(0) for an illegal memory operand effective
address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address
in the SS segment; #GP(0) if the indirect offset obtained is beyond the code
segment limits; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

Any far call from a 32-bit code segment to 16-bit code segments should be
made from the first 64K bytes of the 32-bit code segment, since the
operand-size attribute of the instruction is set to 16, thus allowing only a
16-bit return address offset to be saved.
CBW/CWDE -- Convert Byte to Word/Convert Word to Doubleword

Opcode   Instruction   Clocks   Description
98       CBW           3        AX <- sign-extend of AL
98       CWDE          3        EAX <- sign-extend of AX

Operation

IF OperandSize = 16 (* instruction = CBW *)
THEN AX <- SignExtend(AL);
ELSE (* OperandSize = 32, instruction = CWDE *)
   EAX <- SignExtend(AX);
FI;

Description

CBW converts the signed byte in AL to a signed word in AX by extending the
most significant bit of AL (the sign bit) into all of the bits of AH. CWDE
converts the signed word in AX to a doubleword in EAX by extending the most
significant bit of AX into the two most significant bytes of EAX. Note that
CWDE is different from CWD. CWD uses DX:AX rather than EAX as a destination.

Flags Affected

None

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
CLC -- Clear Carry Flag

Opcode   Instruction   Clocks   Description
F8       CLC           2        Clear carry flag

Operation

CF <- 0;

Description

CLC sets the carry flag to zero. It does not affect other flags or

Flags Affected

CF = 0

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
CLD -- Clear Direction Flag

Opcode   Instruction   Clocks   Description
FC       CLD           2        Clear direction flag; SI and DI
                                will increment during string

Operation

DF <- 0;

Description

CLD clears the direction flag. No other flags or registers are affected.
After CLD is executed, string operations will increment the index registers
(SI and/or DI) that they use.

Flags Affected

DF = 0

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
CLI -- Clear Interrupt Flag

Opcode   Instruction   Clocks   Description
FA       CLI           3        Clear interrupt flag; interrupts disabled

Operation

IF <- 0;

Description

CLI clears the interrupt flag if the current privilege level is at least as
privileged as IOPL. No other flags are affected. External interrupts are not
recognized at the end of the CLI instruction or from that point on until the
interrupt flag is set.

Flags Affected

IF = 0

Protected Mode Exceptions

#GP(0) if the current privilege level is greater (has less privilege) than
the IOPL in the flags register. IOPL specifies the least privileged level at
which I/O can be performed.

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

#GP(0) as for Protected Mode
CLTS -- Clear Task-Switched Flag in CR0

Opcode   Instruction   Clocks   Description
0F 06    CLTS          5        Clear task-switched flag

Operation

TS Flag in CR0 <- 0;

Description

CLTS clears the task-switched (TS) flag in register CR0. This flag is set by
the 80386 every time a task switch occurs. The TS flag is used to manage
processor extensions as follows:

   - Every execution of an ESC instruction is trapped if the TS flag is set.

   - Execution of a WAIT instruction is trapped if the MP flag and the TS

Thus, if a task switch was made after an ESC instruction was begun, the
processor extension's context may need to be saved before a new ESC
instruction can be issued. The fault handler saves the context and resets

CLTS appears in operating system software, not in application programs. It
is a privileged instruction that can only be executed at privilege level 0.

Flags Affected

TS = 0 (TS is in CR0, not the flag register)

Protected Mode Exceptions

#GP(0) if CLTS is executed with a current privilege level other than 0

Real Address Mode Exceptions

None (valid in Real Address Mode to allow initialization for Protected

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode
CMC -- Complement Carry Flag

Opcode   Instruction   Clocks   Description
F5       CMC           2        Complement carry flag

Operation

CF <- NOT CF;

Description

CMC reverses the setting of the carry flag. No other flags are affected.

Flags Affected

CF as described above

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
CMP -- Compare Two Operands

Opcode     Instruction        Clocks   Description
3C ib      CMP AL,imm8        2        Compare immediate byte to AL
3D iw      CMP AX,imm16       2        Compare immediate word to AX
3D id      CMP EAX,imm32      2        Compare immediate dword to EAX
80 /7 ib   CMP r/m8,imm8      2/5      Compare immediate byte to r/m
81 /7 iw   CMP r/m16,imm16    2/5      Compare immediate word to r/m
81 /7 id   CMP r/m32,imm32    2/5      Compare immediate dword to r/m
83 /7 ib   CMP r/m16,imm8     2/5      Compare sign extended immediate
83 /7 ib   CMP r/m32,imm8     2/5      Compare sign extended immediate
38 /r      CMP r/m8,r8        2/5      Compare byte register to r/m
39 /r      CMP r/m16,r16      2/5      Compare word register to r/m
39 /r      CMP r/m32,r32      2/5      Compare dword register to r/m
3A /r      CMP r8,r/m8        2/6      Compare r/m byte to byte
3B /r      CMP r16,r/m16      2/6      Compare r/m word to word
3B /r      CMP r32,r/m32      2/6      Compare r/m dword to dword

Operation

LeftSRC - SignExtend(RightSRC);
(* CMP does not store a result; its purpose is to set the flags *)

Description

CMP subtracts the second operand from the first but, unlike the SUB
instruction, does not store the result; only the flags are changed. CMP is
typically used in conjunction with conditional jumps and the SETcc
instruction. (Refer to Appendix D for the list of signed and unsigned flag
tests provided.) If an operand greater than one byte is compared to an
immediate byte, the byte value is first sign-extended.

Flags Affected

OF, SF, ZF, AF, PF, and CF as described in Appendix C

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS, ES,
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
CMPS/CMPSB/CMPSW/CMPSD -- Compare String Operands

Opcode   Instruction      Clocks   Description
A6       CMPS m8,m8       10       Compare bytes ES:[(E)DI] (second
                                   operand) with [(E)SI] (first
A7       CMPS m16,m16     10       Compare words ES:[(E)DI] (second
                                   operand) with [(E)SI] (first
A7       CMPS m32,m32     10       Compare dwords ES:[(E)DI]
                                   (second operand) with [(E)SI]
A6       CMPSB            10       Compare bytes ES:[(E)DI] with
A7       CMPSW            10       Compare words ES:[(E)DI] with
A7       CMPSD            10       Compare dwords ES:[(E)DI] with

Operation

IF (instruction = CMPSD) OR
   (instruction has operands of type DWORD)
THEN OperandSize <- 32;
ELSE OperandSize <- 16;
FI;
IF AddressSize = 16
THEN
   use SI for source-index and DI for destination-index
ELSE (* AddressSize = 32 *)
   use ESI for source-index and EDI for destination-index;
FI;
IF byte type of instruction
THEN
   [source-index] - [destination-index]; (* byte comparison *)
   IF DF = 0 THEN IncDec <- 1 ELSE IncDec <- -1; FI;
ELSE
   IF OperandSize = 16
   THEN
      [source-index] - [destination-index]; (* word comparison *)
      IF DF = 0 THEN IncDec <- 2 ELSE IncDec <- -2; FI;
   ELSE (* OperandSize = 32 *)
      [source-index] - [destination-index]; (* dword comparison *)
      IF DF = 0 THEN IncDec <- 4 ELSE IncDec <- -4; FI;
   FI;
FI;
source-index = source-index + IncDec;
destination-index = destination-index + IncDec;
Description

CMPS compares the byte, word, or doubleword pointed to by the source-index
register with the byte, word, or doubleword pointed to by the
destination-index register.

If the address-size attribute of this instruction is 16 bits, SI and DI
will be used for source- and destination-index registers; otherwise ESI and
EDI will be used. Load the correct index values into SI and DI (or ESI and
EDI) before executing CMPS.

The comparison is done by subtracting the operand indexed by
the destination-index register from the operand indexed by the source-index

Note that the direction of subtraction for CMPS is [SI] - [DI] or
[ESI] - [EDI]. The left operand (SI or ESI) is the source and the right
operand (DI or EDI) is the destination. This is the reverse of the usual
Intel convention in which the left operand is the destination and the right
operand is the source.

The result of the subtraction is not stored; only the flags reflect the
change. The types of the operands determine whether bytes, words, or
doublewords are compared. For the first operand (SI or ESI), the DS register
is used, unless a segment override byte is present. The second operand (DI
or EDI) must be addressable from the ES register; no segment override is

After the comparison is made, both the source-index register and
destination-index register are automatically advanced. If the direction flag
is 0 (CLD was executed), the registers increment; if the direction flag is 1
(STD was executed), the registers decrement. The registers increment or
decrement by 1 if a byte is compared, by 2 if a word is compared, or by 4 if
a doubleword is compared.

CMPSB, CMPSW and CMPSD are synonyms for the byte, word, and
doubleword CMPS instructions, respectively.

CMPS can be preceded by the REPE or REPNE prefix for block comparison of CX
or ECX bytes, words, or doublewords. Refer to the description of the REP
instruction for more information on this operation.
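Two details of CMPS are easy to get wrong when reading or writing string code: the subtraction is [ESI] - [EDI], the reverse of the usual operand order, and the index registers move in the direction chosen by DF. The C model below, an added example that is not part of the Intel manual, simulates a single CMPS step on a small constructed memory image, the REPE CMPS loop that stops at the first mismatch, and how the leftover (E)CX locates that mismatch in either direction. The struct and function names, the 64-byte memory image and the sample strings are this example's own.

```c
#include <stdint.h>
#include <string.h>

struct str_cpu {
    const uint8_t *mem;        /* flat simulated memory holding both operands */
    uint32_t esi, edi, ecx;    /* source index, destination index, count */
    int df;                    /* direction flag: 0 after CLD, 1 after STD */
    int zf, cf;                /* flags from the last comparison */
};

/* Little-endian load of a 1-, 2- or 4-byte element. */
static uint32_t load_elem(const uint8_t *p, int width)
{
    uint32_t v = 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* One CMPS: flags from [ESI] - [EDI] (note the operand order), then both
 * indices move by width: up when DF = 0, down when DF = 1. */
void cmps_step(struct str_cpu *c, int width)
{
    uint32_t a = load_elem(c->mem + c->esi, width);
    uint32_t b = load_elem(c->mem + c->edi, width);
    c->zf = (a == b);
    c->cf = (a < b);                 /* borrow out of the unsigned subtraction a - b */
    uint32_t step = c->df ? (uint32_t)-width : (uint32_t)width;
    c->esi += step;
    c->edi += step;
}

/* REPE CMPS: repeat while ECX != 0 and stop after the first element that
 * compares unequal. ECX is decremented once per element examined. */
void repe_cmps(struct str_cpu *c, int width)
{
    while (c->ecx != 0) {
        cmps_step(c, width);
        c->ecx--;
        if (!c->zf) break;
    }
}

/* Compare two n-byte buffers as a REPE CMPSB loop would, forward (df = 0)
 * or from the last byte backward (df = 1). Returns the index of the first
 * differing byte in that direction, or n when the buffers are equal. */
uint32_t first_mismatch(const uint8_t *a, const uint8_t *b, uint32_t n, int df)
{
    uint8_t image[64];                       /* constructed memory image: a at 0, b at n */
    if (n == 0 || 2 * n > sizeof image) return n;
    memcpy(image, a, n);
    memcpy(image + n, b, n);
    struct str_cpu c = { image, 0, n, n, df, 1, 0 };
    if (df) { c.esi = n - 1; c.edi = 2 * n - 1; }   /* STD: start at the last byte */
    repe_cmps(&c, 1);
    if (c.zf) return n;
    /* Forward: k+1 steps ran before the stop, so k = n - ecx - 1.
     * Backward: the mismatch sits at n-1-k, which is exactly the remaining ECX. */
    return df ? c.ecx : n - c.ecx - 1;
}

/* One CMPSD over a constructed pair of dwords; returns (ZF << 1) | CF and
 * reports ESI after the step, which has advanced by 4. */
int cmpsd_flags(uint32_t x, uint32_t y, uint32_t *esi_after)
{
    uint8_t image[8];
    for (int i = 0; i < 4; i++) {            /* lay both dwords out little-endian */
        image[i]     = (uint8_t)(x >> (8 * i));
        image[4 + i] = (uint8_t)(y >> (8 * i));
    }
    struct str_cpu c = { image, 0, 4, 1, 0, 0, 0 };
    cmps_step(&c, 4);
    if (esi_after) *esi_after = c.esi;
    return (c.zf << 1) | c.cf;
}
```

With "abcdef" against "abcxef" the forward scan reports index 3 and leaves ECX = 2, while the backward scan reports the same index and leaves ECX = 3; a REPE loop therefore needs both ZF and the remaining count to tell "ran out of elements" from "found a difference".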
Flags Affected

OF, SF, ZF, AF, PF, and CF as described in Appendix C

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS, ES,
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
CWD/CDQ -- Convert Word to Doubleword/Convert Doubleword to

Opcode   Instruction   Clocks   Description
99       CWD           2        DX:AX <- sign-extend of AX
99       CDQ           2        EDX:EAX <- sign-extend of EAX

Operation

IF OperandSize = 16 (* CWD instruction *)
THEN
   IF AX < 0 THEN DX <- 0FFFFH; ELSE DX <- 0; FI;
ELSE (* OperandSize = 32, CDQ instruction *)
   IF EAX < 0 THEN EDX <- 0FFFFFFFFH; ELSE EDX <- 0; FI;
FI;

Description

CWD converts the signed word in AX to a signed doubleword in DX:AX
by extending the most significant bit of AX into all the bits of DX. CDQ
converts the signed doubleword in EAX to a signed 64-bit integer in the
register pair EDX:EAX by extending the most significant bit of EAX
(the sign bit) into all the bits of EDX. Note that CWD is different from
CWDE. CWDE uses EAX as a destination, instead of DX:AX.

Flags Affected

None

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
DAA -- Decimal Adjust AL after Addition

Opcode   Instruction   Clocks   Description
27       DAA           4        Decimal adjust AL after addition

Operation

IF ((AL AND 0FH) > 9) OR (AF = 1)

IF (AL > 9FH) OR (CF = 1)

Description

Execute DAA only after executing an ADD instruction that leaves a
two-BCD-digit byte result in the AL register. The ADD operands should
consist of two packed BCD digits. The DAA instruction adjusts AL to
contain the correct two-digit packed decimal result.

Flags Affected

AF and CF as described above; SF, ZF, PF, and CF as described in

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
DAS -- Decimal Adjust AL after Subtraction

Opcode   Instruction   Clocks   Description
2F       DAS           4        Decimal adjust AL after subtraction

Operation

IF (AL AND 0FH) > 9 OR AF = 1

IF (AL > 9FH) OR (CF = 1)

Description

Execute DAS only after a subtraction instruction that leaves a
two-BCD-digit byte result in the AL register. The operands should consist
of two packed BCD digits. DAS adjusts AL to contain the correct packed
two-digit decimal result.

Flags Affected

AF and CF as described above; SF, ZF, and PF as described in Appendix C.

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
DEC -- Decrement by 1

Opcode   Instruction   Clocks   Description
FE /1    DEC r/m8      2/6      Decrement r/m byte by 1
FF /1    DEC r/m16     2/6      Decrement r/m word by 1
         DEC r/m32     2/6      Decrement r/m dword by 1
48+rw    DEC r16       2        Decrement word register by 1
48+rd    DEC r32       2        Decrement dword register by 1

Operation

DEST <- DEST - 1;

Description

DEC subtracts 1 from the operand. DEC does not change the carry flag.
To affect the carry flag, use the SUB instruction with an immediate

Flags Affected

OF, SF, ZF, AF, and PF as described in Appendix C.

Protected Mode Exceptions

#GP(0) if the result is a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
DIV -- Unsigned Divide

Opcode   Instruction      Clocks   Description
F6 /6    DIV AL,r/m8      14/17    Unsigned divide AX by r/m byte
F7 /6    DIV AX,r/m16     22/25    Unsigned divide DX:AX by r/m
                                   word (AX=Quo, DX=Rem)
F7 /6    DIV EAX,r/m32    38/41    Unsigned divide EDX:EAX by r/m
                                   dword (EAX=Quo, EDX=Rem)

Operation

temp <- dividend / divisor;
IF temp does not fit in quotient
THEN Interrupt 0;
ELSE
   quotient <- temp;
   remainder <- dividend MOD (r/m);
FI;

-------------------------------------------------------------------------------
Divisions are unsigned. The divisor is given by the r/m operand.
The dividend, quotient, and remainder use implicit registers. Refer to
the table under "Description."
-------------------------------------------------------------------------------

Description

DIV performs an unsigned division. The dividend is implicit; only the
divisor is given as an operand. The remainder is always less than the
divisor. The type of the divisor determines which registers to use as

Size    Dividend   Divisor   Quotient   Remainder
byte    AX         r/m8      AL         AH
word    DX:AX      r/m16     AX         DX
dword   EDX:EAX    r/m32     EAX        EDX

Flags Affected

OF, SF, ZF, AF, PF, CF are undefined.

Protected Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register
(AL, AX, or EAX), or if the divisor is 0; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0)
for an illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 0 if the quotient is too big to fit in the designated register
(AL, AX, or EAX), or if the divisor is 0; Interrupt 13 if any part of the
operand would lie outside of the effective address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
ENTER -- Make Stack Frame for Procedure Parameters

Opcode     Instruction        Clocks      Description
C8 iw 00   ENTER imm16,0      10          Make procedure stack frame
C8 iw 01   ENTER imm16,1      12          Make stack frame for procedure
C8 iw ib   ENTER imm16,imm8   15+4(n-1)   Make stack frame for
                                          procedure parameters

Operation

level <- level MOD 32
IF OperandSize = 16 THEN Push(BP) ELSE Push (EBP) FI;
(* Save stack pointer *)
THEN (* level is rightmost parameter *)
   FOR i <- 1 TO level - 1
      IF OperandSize = 16
      ELSE (* OperandSize = 32 *)
IF OperandSize = 16 THEN BP <- frame-ptr ELSE EBP <- frame-ptr; FI;
IF StackAddrSize = 16
THEN SP <- SP - First operand;
ELSE ESP <- ESP - ZeroExtend(First operand);
FI;

Description

ENTER creates the stack frame required by most block-structured
high-level languages. The first operand specifies the number of bytes of
dynamic storage allocated on the stack for the routine being entered.
The second operand gives the lexical nesting level (0 to 31) of the routine
within the high-level language source code. It determines the number of
stack frame pointers copied into the new stack frame from the preceding
frame. BP (or EBP, if the operand-size attribute is 32 bits) is the current
stack frame pointer.

If the operand-size attribute is 16 bits, the processor uses BP as the
frame pointer and SP as the stack pointer. If the operand-size attribute is
32 bits, the processor uses EBP for the frame pointer and ESP for the stack

If the second operand is 0, ENTER pushes the frame pointer (BP or
EBP) onto the stack; ENTER then subtracts the first operand from the
stack pointer and sets the frame pointer to the current stack-pointer

For example, a procedure with 12 bytes of local variables would have an
ENTER 12,0 instruction at its entry point and a LEAVE instruction
before every RET. The 12 local bytes would be addressed as negative
offsets from the frame pointer.
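The page's pseudocode for the nesting-level case is incomplete here, so the following C model, an added example that is not part of the Intel manual, runs ENTER with a 32-bit operand size on a simulated 256-byte stack: it saves the caller's EBP, copies the level-1 enclosing frame pointers (the display) for a nested procedure, pushes the new frame pointer, reserves the local area, and then undoes it all with LEAVE. The struct, the function names, the constructed return address 0x1234 and the two-procedure scenario are this example's own; the ENTER 12,0 case is the manual's own example.

```c
#include <stdint.h>
#include <string.h>

#define STACK_BYTES 256

struct frame_cpu {
    uint8_t stack[STACK_BYTES];   /* simulated stack; ESP and EBP are offsets into it */
    uint32_t esp, ebp;
};

static void push32(struct frame_cpu *c, uint32_t v)
{
    c->esp -= 4;
    memcpy(c->stack + c->esp, &v, sizeof v);
}

static uint32_t read32(const struct frame_cpu *c, uint32_t addr)
{
    uint32_t v;
    memcpy(&v, c->stack + addr, sizeof v);
    return v;
}

/* ENTER size,level with 32-bit operand size and stack-address size. */
void enter32(struct frame_cpu *c, uint16_t size, uint8_t level)
{
    level %= 32;
    push32(c, c->ebp);                 /* save the caller's frame pointer */
    uint32_t frame_ptr = c->esp;       /* this becomes the new EBP */
    if (level > 0) {
        /* Copy the caller's display: the frame pointers of the level-1
         * enclosing procedures, found just below the caller's EBP. */
        uint32_t walk = c->ebp;
        for (unsigned i = 1; i < level; i++) {
            walk -= 4;
            push32(c, read32(c, walk));
        }
        push32(c, frame_ptr);          /* the callee's own pointer closes the display */
    }
    c->ebp = frame_ptr;
    c->esp -= size;                    /* dynamic storage for locals */
}

/* LEAVE: ESP <- EBP; EBP <- Pop(). */
void leave32(struct frame_cpu *c)
{
    c->esp = c->ebp;
    c->ebp = read32(c, c->esp);
    c->esp += 4;
}

static struct frame_cpu cpu;   /* shared simulated CPU for the demonstrations */

/* ENTER 12,0 at the entry of a procedure with 12 bytes of locals. */
struct frame_cpu *enter_leave_demo(void)
{
    memset(&cpu, 0, sizeof cpu);
    cpu.esp = STACK_BYTES;             /* empty stack; EBP = 0 marks "no frame" */
    enter32(&cpu, 12, 0);
    return &cpu;
}

/* Constructed scenario: level-1 procedure A (8 bytes of locals) calls level-2
 * procedure B (4 bytes of locals). B's display must contain A's frame pointer. */
struct frame_cpu *nested_demo(void)
{
    memset(&cpu, 0, sizeof cpu);
    cpu.esp = STACK_BYTES;
    enter32(&cpu, 8, 1);               /* A: ENTER 8,1 */
    push32(&cpu, 0x1234);              /* CALL B pushes a return address (constructed) */
    enter32(&cpu, 4, 2);               /* B: ENTER 4,2 */
    return &cpu;
}

/* The same scenario followed by B's LEAVE, which must restore A's EBP. */
struct frame_cpu *nested_leave_demo(void)
{
    nested_demo();
    leave32(&cpu);
    return &cpu;
}
```

After B's ENTER 4,2 the frame at EBP = 232 holds A's saved EBP at [EBP], A's frame pointer at [EBP-4] and B's own at [EBP-8], with 4 bytes of locals below that; LEAVE drops the whole frame and leaves ESP at the return address that RET will pop.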
Flags Affected

None

Protected Mode Exceptions

#SS(0) if SP or ESP would exceed the stack limit at any point during
instruction execution; #PF(fault-code) for a page fault

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

#PF(fault-code) for a page fault
HLT -- Halt

Opcode   Instruction   Clocks   Description
F4       HLT           5        Halt

Operation

Enter Halt state;

Description

HALT stops instruction execution and places the 80386 in a HALT state.
An enabled interrupt, NMI, or a reset will resume execution. If an
interrupt (including NMI) is used to resume execution after HLT, the saved
CS:IP (or CS:EIP) value points to the instruction following HLT.

Flags Affected

None

Protected Mode Exceptions

HLT is a privileged instruction; #GP(0) if the current privilege level is

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

#GP(0); HLT is a privileged instruction
IDIV -- Signed Divide

Opcode   Instruction       Clocks   Description
F6 /7    IDIV r/m8         19       Signed divide AX by r/m byte
F7 /7    IDIV AX,r/m16     27       Signed divide DX:AX by EA word
F7 /7    IDIV EAX,r/m32    43       Signed divide EDX:EAX by DWORD
                                    byte (EAX=Quo, EDX=Rem)

Operation

temp <- dividend / divisor;
IF temp does not fit in quotient
THEN Interrupt 0;
ELSE
   quotient <- temp;
   remainder <- dividend MOD (r/m);
FI;

-------------------------------------------------------------------------------
Divisions are signed. The divisor is given by the r/m operand. The
dividend, quotient, and remainder use implicit registers. Refer to the
table under "Description."
-------------------------------------------------------------------------------

Description

IDIV performs a signed division. The dividend, quotient, and remainder
are implicitly allocated to fixed registers. Only the divisor is given as
an explicit r/m operand. The type of the divisor determines which registers

Size    Divisor   Quotient   Remainder   Dividend
byte    r/m8      AL         AH          AX
word    r/m16     AX         DX          DX:AX
dword   r/m32     EAX        EDX         EDX:EAX

If the resulting quotient is too large to fit in the destination, or if the
divisor is 0, an Interrupt 0 is generated. Nonintegral quotients are
truncated toward 0. The remainder has the same sign as the dividend
and the absolute value of the remainder is always less than the absolute
value of the divisor.

Flags Affected

OF, SF, ZF, AF, PF, CF are undefined.

Protected Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register
(AL or AX), or if the divisor is 0; #GP(0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register
(AL or AX), or if the divisor is 0; Interrupt 13 if any part of the operand
would lie outside of the effective address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
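DIV and IDIV take their dividend from EDX:EAX, so the value left in EDX decides both the result and whether Interrupt 0 fires; this is why CDQ (or CWD for the 16-bit forms, described earlier on this page) normally precedes IDIV. The C model below, an added example that is not part of the Intel manual, implements CWD, CDQ and the 32-bit DIV and IDIV forms with their two divide-error conditions (zero divisor, quotient that does not fit), and shows a signed divide of -7 with and without CDQ. The struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

struct divregs { uint32_t eax, edx; int divide_error; };

/* CDQ: EDX <- sign-extension of EAX (all ones when EAX < 0, else 0). */
uint32_t cdq(uint32_t eax) { return ((int32_t)eax < 0) ? 0xFFFFFFFFu : 0u; }

/* CWD: DX <- sign-extension of AX. */
uint16_t cwd(uint16_t ax) { return ((int16_t)ax < 0) ? 0xFFFFu : 0u; }

/* DIV r/m32: unsigned EDX:EAX / divisor -> EAX = quotient, EDX = remainder.
 * Interrupt 0 when the divisor is 0 or the quotient needs more than 32 bits;
 * the registers are then returned unchanged. */
struct divregs div32(uint32_t edx, uint32_t eax, uint32_t divisor)
{
    struct divregs r = { eax, edx, 0 };
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    if (divisor == 0) { r.divide_error = 1; return r; }
    uint64_t q = dividend / divisor;
    if (q > 0xFFFFFFFFull) { r.divide_error = 1; return r; }
    r.eax = (uint32_t)q;
    r.edx = (uint32_t)(dividend % divisor);
    return r;
}

/* IDIV r/m32: signed EDX:EAX / divisor, quotient truncated toward 0 and the
 * remainder carrying the dividend's sign. The same two error conditions
 * apply; quotient overflow now includes INT32_MIN / -1. */
struct divregs idiv32(uint32_t edx, uint32_t eax, uint32_t divisor)
{
    struct divregs r = { eax, edx, 0 };
    int64_t dividend = (int64_t)(((uint64_t)edx << 32) | eax);
    int32_t d = (int32_t)divisor;
    int64_t q, rem;
    if (d == 0) { r.divide_error = 1; return r; }
    if (d == -1) {                      /* sidestep the one int64 overflow case in C */
        if (dividend == INT64_MIN) { r.divide_error = 1; return r; }
        q = -dividend; rem = 0;
    } else {
        q = dividend / d;               /* C99 truncates toward zero, like IDIV */
        rem = dividend % d;             /* C99 remainder takes the dividend's sign, like IDIV */
    }
    if (q < INT32_MIN || q > INT32_MAX) { r.divide_error = 1; return r; }
    r.eax = (uint32_t)(int32_t)q;
    r.edx = (uint32_t)(int32_t)rem;
    return r;
}

int main(void)
{
    uint32_t eax = 0xFFFFFFF9u;                       /* -7 in 32-bit two's complement */
    struct divregs bad  = idiv32(0, eax, 1);          /* EDX left at 0: dividend is 4294967289 */
    struct divregs good = idiv32(cdq(eax), eax, 1);   /* CDQ first: dividend is -7 */
    printf("without CDQ: divide error = %d\n", bad.divide_error);
    printf("with CDQ:    quotient = %d, remainder = %d\n",
           (int32_t)good.eax, (int32_t)good.edx);
    return 0;
}
```

Without CDQ the stale zero in EDX turns -7 into a large positive 64-bit dividend whose quotient does not fit in EAX, so the model reports the divide error the hardware would raise; with a different divisor the same mistake produces a silently wrong positive quotient instead, which is the harder bug to notice.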
IMUL -- Signed Multiply

Opcode     Instruction             Clocks       Description
F6 /5      IMUL r/m8               9-14/12-17   AX <- AL * r/m byte
F7 /5      IMUL r/m16              9-22/12-25   DX:AX <- AX * r/m word
F7 /5      IMUL r/m32              9-38/12-41   EDX:EAX <- EAX * r/m dword
0F AF /r   IMUL r16,r/m16          9-22/12-25   word register <- word
                                                register * r/m word
0F AF /r   IMUL r32,r/m32          9-38/12-41   dword register <- dword
                                                register * r/m dword
6B /r ib   IMUL r16,r/m16,imm8     9-14/12-17   word register <- r/m16 *
                                                sign-extended immediate byte
6B /r ib   IMUL r32,r/m32,imm8     9-14/12-17   dword register <- r/m32 *
                                                sign-extended immediate byte
6B /r ib   IMUL r16,imm8           9-14/12-17   word register <- word
                                                register * sign-extended
6B /r ib   IMUL r32,imm8           9-14/12-17   dword register <- dword
                                                register * sign-extended
69 /r iw   IMUL r16,r/m16,imm16    9-22/12-25   word register <- r/m16 *
69 /r id   IMUL r32,r/m32,imm32    9-38/12-41   dword register <- r/m32 *
69 /r iw   IMUL r16,imm16          9-22/12-25   word register <- r/m16 *
69 /r id   IMUL r32,imm32          9-38/12-41   dword register <- r/m32 *

-------------------------------------------------------------------------------
The 80386 uses an early-out multiply algorithm. The actual number of
clocks depends on the position of the most significant bit in the
optimizing multiplier, shown underlined above. The optimization occurs for
positive and negative values. Because of the early-out algorithm, clock
counts given are minimum to maximum. To calculate the actual clocks, use
the following formula:
-------------------------------------------------------------------------------

Actual clock = if m <> 0 then max(ceiling(log2 |m|), 3) + 6 clocks
Actual clock = if m = 0 then 9 clocks
(where m is the multiplier)

Add three clocks if the multiplier is a memory operand.

Operation

result <- multiplicand * multiplier;

Description

IMUL performs signed multiplication. Some forms of the instruction
use implicit register operands. The operand combinations for all forms
of the instruction are shown in the "Description" column above.

IMUL clears the overflow and carry flags under the following conditions:

Instruction Form     Condition for Clearing CF and OF
r/m8                 AL = sign-extend of AL to 16 bits
r/m16                AX = sign-extend of AX to 32 bits
r/m32                EDX:EAX = sign-extend of EAX to 32 bits
r16,r/m16            Result exactly fits within r16
r32,r/m32            Result exactly fits within r32
r16,r/m16,imm16      Result exactly fits within r16
r32,r/m32,imm32      Result exactly fits within r32

Flags Affected

OF and CF as described above; SF, ZF, AF, and PF are undefined

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
Notes

When using the accumulator forms (IMUL r/m8, IMUL r/m16, or IMUL
r/m32), the result of the multiplication is available even if the overflow
flag is set because the result is two times the size of the multiplicand
and multiplier. This is large enough to handle any possible result.
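The CF/OF rule above is the hardware's overflow signal for signed multiplication, and checking it (IMUL followed by JO) is the cheapest defence against the integer-overflow bugs that turn a size computation into an undersized allocation. The C model below, an added example that is not part of the Intel manual, implements the two-operand IMUL r32,r/m32 form with its "result exactly fits" flag rule, the accumulator form whose EDX:EAX product never loses bits, an overflow-checked multiply built on the flag, and the early-out clock formula from the note above. The struct and function names are this example's own.

```c
#include <stdint.h>

struct imul_result { uint32_t lo, hi; int cf_of; };

/* IMUL r32,r/m32: dest <- low 32 bits of the product. CF = OF = 1 unless the
 * truncated result sign-extends back to the full product ("fits in r32"). */
struct imul_result imul32_2op(int32_t dest, int32_t src)
{
    int64_t full = (int64_t)dest * (int64_t)src;        /* cannot overflow int64 */
    int32_t trunc = (int32_t)(uint32_t)(uint64_t)full;  /* low 32 bits */
    struct imul_result r = { (uint32_t)trunc, 0, (int64_t)trunc != full };
    return r;
}

/* IMUL r/m32: EDX:EAX <- EAX * src, a 64-bit product that keeps every bit.
 * CF = OF = 0 exactly when EDX is the sign-extension of EAX. */
struct imul_result imul32_acc(int32_t eax, int32_t src)
{
    int64_t full = (int64_t)eax * (int64_t)src;
    struct imul_result r;
    r.lo = (uint32_t)(uint64_t)full;
    r.hi = (uint32_t)((uint64_t)full >> 32);
    r.cf_of = (r.hi != (((int32_t)r.lo < 0) ? 0xFFFFFFFFu : 0u));
    return r;
}

/* Overflow-checked signed multiply in the style of "IMUL; JO overflow":
 * returns 0 and stores the product, or -1 when CF/OF would be set. */
int checked_mul32(int32_t a, int32_t b, int32_t *out)
{
    struct imul_result r = imul32_2op(a, b);
    if (r.cf_of) return -1;
    *out = (int32_t)r.lo;
    return 0;
}

/* Early-out clock count for a register multiplier m, from the note above:
 * 9 clocks for m = 0, otherwise max(ceiling(log2 |m|), 3) + 6. */
int imul_clocks(int32_t m)
{
    if (m == 0) return 9;
    uint32_t mag = (m < 0) ? (uint32_t)0 - (uint32_t)m : (uint32_t)m;  /* |m|, also for INT32_MIN */
    int bits = 0;                                 /* smallest k with 2^k >= |m| */
    while (bits < 32 && ((uint64_t)1 << bits) < mag) bits++;
    return (bits > 3 ? bits : 3) + 6;
}
```

Note the asymmetry the Notes paragraph points out: imul32_acc(INT32_MIN, -1) sets CF/OF because 2^31 does not fit in EAX, yet the product is still fully present in EDX:EAX, whereas the two-operand form has already discarded the high half.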
IN -- Input from Port

Opcode   Instruction    Clocks           Description
E4 ib    IN AL,imm8     12,pm=6*/26**    Input byte from immediate port
E5 ib    IN AX,imm8     12,pm=6*/26**    Input word from immediate port
E5 ib    IN EAX,imm8    12,pm=6*/26**    Input dword from immediate port
EC       IN AL,DX       13,pm=7*/27**    Input byte from port DX into AL
ED       IN AX,DX       13,pm=7*/27**    Input word from port DX into AX
ED       IN EAX,DX      13,pm=7*/27**    Input dword from port DX into

-------------------------------------------------------------------------------
*If CPL <= IOPL
**If CPL > IOPL or if in virtual 8086 mode
-------------------------------------------------------------------------------

Operation

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (SRC, width(SRC))
   THEN #GP(0);
   FI;
FI;
DEST <- [SRC]; (* Reads from I/O address space *)

Description

IN transfers a data byte or data word from the port numbered by the
second operand into the register (AL, AX, or EAX) specified by the first
operand. Access any port from 0 to 65535 by placing the port number
in the DX register and using an IN instruction with DX as the second
parameter. These I/O instructions can be shortened by using an 8-bit
port I/O in the instruction. The upper eight bits of the port address will
be 0 when 8-bit port I/O is used.
15298 Protected Mode Exceptions
15300 #GP(0) if the current privilege level is larger (has less privilege) than
15301 IOPL and any of the corresponding I/O permission bits in TSS equals 1
15303 Real Address Mode Exceptions
15307 Virtual 8086 Mode Exceptions
15309 #GP(0) fault if any of the corresponding I/O permission bits in TSS
INC -- Increment by 1

Opcode    Instruction    Clocks    Description

FE /0     INC r/m8                 Increment r/m byte by 1
FF /0     INC r/m16                Increment r/m word by 1
FF /0     INC r/m32                Increment r/m dword by 1
40 + rw   INC r16                  Increment word register by 1
40 + rd   INC r32                  Increment dword register by 1

Description

INC adds 1 to the operand. It does not change the carry flag. To affect
the carry flag, use the ADD instruction with a second operand of 1.

Flags Affected

OF, SF, ZF, AF, and PF as described in Appendix C

Protected Mode Exceptions

#GP(0) if the operand is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
INS/INSB/INSW/INSD -- Input from Port to String

Opcode    Instruction    Clocks            Description

6C        INS r/m8,DX    15,pm=9*/29**     Input byte from port DX into ES:(E)DI
6D        INS r/m16,DX   15,pm=9*/29**     Input word from port DX into ES:(E)DI
6D        INS r/m32,DX   15,pm=9*/29**     Input dword from port DX into ES:(E)DI
6C        INSB           15,pm=9*/29**     Input byte from port DX into ES:(E)DI
6D        INSW           15,pm=9*/29**     Input word from port DX into ES:(E)DI
6D        INSD           15,pm=9*/29**     Input dword from port DX into ES:(E)DI

*If CPL ≤ IOPL
**If CPL > IOPL or if in virtual 8086 mode

Operation

IF AddressSize = 16
THEN use DI for dest-index;
ELSE (* AddressSize = 32 *)
   use EDI for dest-index;
FI;
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (SRC, width(SRC))
   THEN #GP(0);
   FI;
FI;
IF byte type of instruction
THEN
   ES:[dest-index] ← [DX]; (* Reads byte at DX from I/O address space *)
   IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
FI;
IF OperandSize = 16
THEN
   ES:[dest-index] ← [DX]; (* Reads word at DX from I/O address space *)
   IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
FI;
IF OperandSize = 32
THEN
   ES:[dest-index] ← [DX]; (* Reads dword at DX from I/O address space *)
   IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
FI;
dest-index ← dest-index + IncDec;

Description

INS transfers data from the input port numbered by the DX register to
the memory byte, word, or doubleword at ES:dest-index. The memory operand
must be addressable from ES; no segment override is possible. The
destination register is DI if the address-size attribute of the instruction
is 16 bits, or EDI if the address-size attribute is 32 bits.

INS does not allow the specification of the port number as an immediate
value. The port must be addressed through the DX register value. Load
the correct value into DX before executing the INS instruction.

The destination address is determined by the contents of the destination
index register. Load the correct index into the destination index register
before executing INS.

After the transfer is made, DI or EDI advances automatically. If the
direction flag is 0 (CLD was executed), DI or EDI increments; if the
direction flag is 1 (STD was executed), DI or EDI decrements. DI
increments or decrements by 1 if a byte is input, by 2 if a word is input,
or by 4 if a doubleword is input.

INSB, INSW and INSD are synonyms of the byte, word, and doubleword
INS instructions. INS can be preceded by the REP prefix for block input of
CX bytes or words. Refer to the REP instruction for details of this
operation.

Flags Affected

None

Protected Mode Exceptions

#GP(0) if CPL is numerically greater than IOPL and any of the
corresponding I/O permission bits in the TSS equals 1; #GP(0) if the
destination is in a nonwritable segment; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for
an illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

#GP(0) fault if any of the corresponding I/O permission bits in the TSS
equals 1; #PF(fault-code) for a page fault
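The I-O-Permission(SRC, width) test that the IN and INS Operation sections both invoke, worked through as an added example in C; this is not code from the manual. The TSS layout, the bitmap base offset, and the port numbers are constructed for the example, and the rule that bitmap bytes lying beyond the TSS limit read as all ones comes from the manual's TSS chapter rather than from these two pages. The point worth seeing is the width walk: a dword IN at 3F8h is refused if any one of 3F8h..3FBh is denied, so an I/O bitmap that grants single bytes does not grant the wider accesses that touch the next port.

```c
/* Model of the I-O-Permission(port, width) check used by IN, OUT, INS and OUTS.
 * Added example; not text from the manual. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TSS_BYTES 512                 /* size of the constructed TSS image */

/* Hypothetical, simplified TSS: only what the check reads. */
struct tss {
    uint32_t limit;                   /* last valid byte offset (from the TSS descriptor) */
    uint16_t iomap_base;              /* offset of the I/O permission bitmap in the TSS */
    uint8_t  mem[TSS_BYTES];
};

/* 1 if the bitmap bit for 'port' is set (access denied).  Bytes past the TSS
 * limit read as all ones (a convention from the manual's TSS chapter). */
static int iomap_bit(const struct tss *t, unsigned port)
{
    uint32_t off = (uint32_t)t->iomap_base + port / 8;
    if (off > t->limit || off >= TSS_BYTES)
        return 1;
    return (t->mem[off] >> (port % 8)) & 1;
}

/* The privilege gate from "Operation" followed by the bitmap walk.  Returns 1
 * when the access proceeds and 0 when the CPU raises #GP(0). */
int io_permitted(const struct tss *t, int pe, int vm, unsigned cpl,
                 unsigned iopl, unsigned port, unsigned width)
{
    if (!(pe && (vm || cpl > iopl)))
        return 1;                     /* real mode, or CPL <= IOPL: no bitmap check */
    for (unsigned i = 0; i < width; i++) {
        if (port + i > 0xFFFF)        /* the bitmap covers ports 0..65535 only */
            return 0;
        if (iomap_bit(t, port + i))   /* one set bit anywhere in the span denies */
            return 0;
    }
    return 1;
}

/* Deny (1) or allow (0) a single port; used to build the sample TSS. */
void iomap_set(struct tss *t, unsigned port, int deny)
{
    uint32_t off = (uint32_t)t->iomap_base + port / 8;
    uint8_t  m   = (uint8_t)(1u << (port % 8));
    if (deny) t->mem[off] |= m; else t->mem[off] &= (uint8_t)~m;
}

/* Constructed TSS: everything denied except the three ports 3F8h..3FAh. */
static struct tss demo;
const struct tss *demo_tss(void)
{
    memset(demo.mem, 0xFF, sizeof demo.mem);
    demo.iomap_base = 0x68;           /* just past the fixed part of a 386 TSS */
    demo.limit = TSS_BYTES - 1;
    for (unsigned p = 0x3F8; p <= 0x3FA; p++)
        iomap_set(&demo, p, 0);
    return &demo;
}

/* Same TSS with the descriptor limit cut so that the bitmap byte holding
 * 3F8h..3FFh lies beyond it: those ports are then denied whatever the bits say. */
static struct tss demo_short;
const struct tss *demo_tss_short(void)
{
    demo_short = *demo_tss();
    demo_short.limit = 0x68 + 0x3F8 / 8 - 1;
    return &demo_short;
}

int main(void)
{
    const struct tss *t = demo_tss();
    printf("CPL3, IOPL0, IN AL,3F8h         : %d\n", io_permitted(t, 1, 0, 3, 0, 0x3F8, 1));
    printf("CPL3, IOPL0, IN EAX,3F8h (3FBh) : %d\n", io_permitted(t, 1, 0, 3, 0, 0x3F8, 4));
    printf("CPL0, IOPL0, IN EAX,3F8h        : %d\n", io_permitted(t, 1, 0, 0, 0, 0x3F8, 4));
    printf("V86,  IOPL3, IN AX,3F8h         : %d\n", io_permitted(t, 1, 1, 3, 3, 0x3F8, 2));
    printf("limit cut, IN AL,3F8h           : %d\n", io_permitted(demo_tss_short(), 1, 0, 3, 0, 0x3F8, 1));
    return 0;
}
```

Note that the V86 case is checked even though IOPL is 3: in virtual 8086 mode the bitmap always applies, which is what lets a V86 monitor trap selected ports while passing others through.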
INT/INTO -- Call to Interrupt Procedure

Opcode    Instruction    Clocks                Description

CC        INT 3          33                    Interrupt 3--trap to debugger
CC        INT 3          pm=59                 Interrupt 3--Protected Mode, same privilege
CC        INT 3          pm=99                 Interrupt 3--Protected Mode, more privilege
CC        INT 3          pm=119                Interrupt 3--from V86 mode to PL 0
CC        INT 3          ts                    Interrupt 3--Protected Mode, via task gate
CD ib     INT imm8       37                    Interrupt numbered by immediate byte
CD ib     INT imm8       pm=59                 Interrupt--Protected Mode, same privilege
CD ib     INT imm8       pm=99                 Interrupt--Protected Mode, more privilege
CD ib     INT imm8       pm=119                Interrupt--from V86 mode to PL 0
CD ib     INT imm8       ts                    Interrupt--Protected Mode, via task gate
CE        INTO           Fail:3,pm=3; Pass:35  Interrupt 4--if overflow flag is 1
CE        INTO           pm=59                 Interrupt 4--Protected Mode, same privilege
CE        INTO           pm=99                 Interrupt 4--Protected Mode, more privilege
CE        INTO           pm=119                Interrupt 4--from V86 mode to PL 0
CE        INTO           ts                    Interrupt 4--Protected Mode, via task gate

NOTE: Approximate values of ts are given by the following table:

                              New Task
Old Task            386 TSS VM=0    386 TSS VM=1    286 TSS
386 TSS VM=0        309             226             282
386 TSS VM=1        314             231             287

Operation

NOTE: The following operational description applies not only to the
above instructions but also to external interrupts and exceptions.

IF PE = 0
THEN GOTO REAL-ADDRESS-MODE;
ELSE GOTO PROTECTED-MODE;
FI;

REAL-ADDRESS-MODE:
   Push (FLAGS);
   IF ← 0; (* Clear interrupt flag *)
   TF ← 0; (* Clear trap flag *)
   Push (CS);
   Push (IP);
   (* No error codes are pushed *)
   CS ← IDT[Interrupt number * 4].selector;
   IP ← IDT[Interrupt number * 4].offset;

PROTECTED-MODE:
   Interrupt vector must be within IDT table limits,
      else #GP(vector number * 8+2+EXT);
   Descriptor AR byte must indicate interrupt gate, trap gate, or task gate,
      else #GP(vector number * 8+2+EXT);
   IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *)
   THEN
      IF gate descriptor DPL < CPL
      THEN #GP(vector number * 8+2+EXT);
      FI;
   FI;
   Gate must be present, else #NP(vector number * 8+2+EXT);
   IF trap gate OR interrupt gate
   THEN GOTO TRAP-GATE-OR-INTERRUPT-GATE;
   ELSE GOTO TASK-GATE;
   FI;

TRAP-GATE-OR-INTERRUPT-GATE:
   Examine CS selector and descriptor given in the gate descriptor;
      Selector must be non-null, else #GP(EXT);
      Selector must be within its descriptor table limits
         ELSE #GP(selector+EXT);
      Descriptor AR byte must indicate code segment
         ELSE #GP(selector+EXT);
      Segment must be present, else #NP(selector+EXT);
   IF code segment is non-conforming AND DPL < CPL
   THEN GOTO INTERRUPT-TO-INNER-PRIVILEGE;
   ELSE
      IF code segment is conforming OR code segment DPL = CPL
      THEN GOTO INTERRUPT-TO-SAME-PRIVILEGE-LEVEL;
      ELSE #GP(CS selector+EXT);
      FI;
   FI;

INTERRUPT-TO-INNER-PRIVILEGE:
   Check selector and descriptor for new stack in current TSS;
      Selector must be non-null, else #GP(EXT);
      Selector index must be within its descriptor table limits
         ELSE #TS(SS selector+EXT);
      Selector's RPL must equal DPL of code segment, else #TS(SS selector+EXT);
      Stack segment DPL must equal DPL of code segment, else #TS(SS selector+EXT);
      Descriptor must indicate writable data segment, else #TS(SS selector+EXT);
      Segment must be present, else #SS(SS selector+EXT);
   IF 32-bit gate
   THEN New stack must have room for 20 bytes else #SS(0)
   ELSE New stack must have room for 10 bytes else #SS(0)
   FI;
   Instruction pointer must be within CS segment boundaries else #GP(0);
   Load new SS and eSP value from TSS;
   IF 32-bit gate
   THEN CS:EIP ← selector:offset from gate;
   ELSE CS:IP ← selector:offset from gate;
   FI;
   Load CS descriptor into invisible portion of CS register;
   Load SS descriptor into invisible portion of SS register;
   IF 32-bit gate
   THEN
      Push (long pointer to old stack) (* 3 words padded to 4 *);
      Push (EFLAGS);
      Push (long pointer to return location) (* 3 words padded to 4 *);
   ELSE
      Push (long pointer to old stack) (* 2 words *);
      Push (FLAGS);
      Push (long pointer to return location) (* 2 words *);
   FI;
   Set CPL to new code segment DPL;
   Set RPL of CS to CPL;
   IF interrupt gate THEN IF ← 0 (* interrupt flag to 0 (disabled) *); FI;

INTERRUPT-FROM-V86-MODE:
   TempEFlags ← EFLAGS;
   VM ← 0;
   TF ← 0;
   IF service through Interrupt Gate THEN IF ← 0; FI;
   TempSS ← SS;
   TempESP ← ESP;
   SS ← TSS.SS0; (* Change to level 0 stack segment *)
   ESP ← TSS.ESP0; (* Change to level 0 stack pointer *)
   Push(GS); (* padded to two words *)
   Push(FS); (* padded to two words *)
   Push(DS); (* padded to two words *)
   Push(ES); (* padded to two words *)
   Push(TempSS); (* padded to two words *)
   Push(TempESP);
   Push(TempEFlags);
   Push(CS); (* padded to two words *)
   Push(EIP);
   CS:EIP ← selector:offset from interrupt gate;
   (* Starts execution of new routine in 80386 Protected Mode *)

INTERRUPT-TO-SAME-PRIVILEGE-LEVEL:
   IF 32-bit gate
   THEN Current stack limits must allow pushing 10 bytes, else #SS(0);
   ELSE Current stack limits must allow pushing 6 bytes, else #SS(0);
   FI;
   IF interrupt was caused by exception with error code
   THEN Stack limits must allow push of two more bytes;
   FI;
   Instruction pointer must be in CS limit, else #GP(0);
   IF 32-bit gate
   THEN
      Push (EFLAGS);
      Push (long pointer to return location); (* 3 words padded to 4 *)
      CS:EIP ← selector:offset from gate;
   ELSE (* 16-bit gate *)
      Push (FLAGS);
      Push (long pointer to return location); (* 2 words *)
      CS:IP ← selector:offset from gate;
   FI;
   Load CS descriptor into invisible portion of CS register;
   Set the RPL field of CS to CPL;
   Push (error code); (* if any *)
   IF interrupt gate THEN IF ← 0; FI;

TASK-GATE:
   Examine selector to TSS, given in task gate descriptor;
      Must specify global in the local/global bit, else #TS(TSS selector);
      Index must be within GDT limits, else #TS(TSS selector);
      AR byte must specify available TSS (bottom bits 00001),
         else #TS(TSS selector);
      TSS must be present, else #NP(TSS selector);
   SWITCH-TASKS with nesting to TSS;
   IF interrupt was caused by fault with error code
   THEN
      Stack limits must allow push of two more bytes, else #SS(0);
      Push error code onto stack;
   FI;
   Instruction pointer must be in CS limit, else #GP(0);

Description

The INT instruction generates via software a call to an interrupt
handler. The immediate operand, from 0 to 255, gives the index number
into the Interrupt Descriptor Table (IDT) of the interrupt routine to be
called. In Protected Mode, the IDT consists of an array of eight-byte
descriptors; the descriptor for the interrupt invoked must indicate an
interrupt, trap, or task gate. In Real Address Mode, the IDT is an array
of four-byte-long pointers. In both Protected and Real Address Modes, the
base linear address of the IDT is defined by the contents of the IDTR.

The INTO conditional software interrupt instruction is identical to the INT
instruction except that the interrupt number is implicitly 4,
and the interrupt is made only if the 80386 overflow flag is set.

The first 32 interrupts are reserved by Intel for system use. Some of
these interrupts are used for internally generated exceptions.

INT n generally behaves like a far call except that the flags register is
pushed onto the stack before the return address. Interrupt procedures
return via the IRET instruction, which pops the flags and return address
from the stack.

In Real Address Mode, INT n pushes the flags, CS, and the return IP
onto the stack, in that order, then jumps to the long pointer indexed by
the interrupt number.
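The checks that PROTECTED-MODE applies before it dispatches through an IDT entry (limit, AR byte, gate DPL for software interrupts, presence) and the error code they push, as an added example in C; this is not text or code from the manual. The IDT contents are constructed: a DPL-3 system-call gate at vector 80h, DPL-3 gates at vectors 3 and 4 so that INT 3 and INTO work from user code, a not-present gate at 90h and an empty slot at 0FFh. The vector numbers 13 and 11 are used here to label #GP and #NP. The security-relevant behaviour it isolates is that the DPL test applies only to INT n, INT 3 and INTO, so a DPL-0 gate blocks user code from raising, say, the NMI or double-fault vector by hand while an external interrupt through the same gate still arrives at CPL 3.

```c
/* Model of the checks the 80386 applies in PROTECTED-MODE before it dispatches
 * through an IDT entry.  Added example; it is not text from the manual.  The
 * IDT entry is simplified to the three fields the checks read. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

enum gate_type { GATE_NONE = 0, GATE_INTERRUPT, GATE_TRAP, GATE_TASK };

struct idt_gate { enum gate_type type; unsigned dpl; int present; };

/* vec = 0: no fault; 13 = #GP, 11 = #NP.  err is the error code that gets
 * pushed: index*8 with bit 1 set (refers to the IDT) and bit 0 = EXT. */
struct fault { int vec; uint32_t err; };

uint32_t idt_err(unsigned vector, unsigned ext) { return vector * 8 + 2 + ext; }

/* 'software' = 1 for INT n, INT 3 and INTO; 'ext' = 1 for an external
 * interrupt.  Only software interrupts are subject to the gate DPL check. */
struct fault int_gate_check(const struct idt_gate *idt, unsigned idt_entries,
                            unsigned vector, unsigned cpl, int software, unsigned ext)
{
    struct fault f = { 0, 0 };
    if (vector >= idt_entries) {                      /* outside IDT limit */
        f.vec = 13; f.err = idt_err(vector, ext); return f;
    }
    const struct idt_gate *g = &idt[vector];
    if (g->type == GATE_NONE) {                       /* AR byte is not a gate */
        f.vec = 13; f.err = idt_err(vector, ext); return f;
    }
    if (software && g->dpl < cpl) {                   /* INT n from less privileged code */
        f.vec = 13; f.err = idt_err(vector, ext); return f;
    }
    if (!g->present) {
        f.vec = 11; f.err = idt_err(vector, ext); return f;
    }
    return f;
}

/* Decoding a pushed error code, as one does when reading a #GP in a crash dump. */
unsigned err_index(uint32_t err)  { return (err >> 3) & 0x1FFF; }
int      err_is_idt(uint32_t err) { return (err >> 1) & 1; }
int      err_ext(uint32_t err)    { return err & 1; }

/* Constructed IDT: 256 entries, DPL 0 everywhere except DPL 3 on vector 3
 * (INT 3), vector 4 (INTO) and a hypothetical system-call trap gate at 80h;
 * vector 90h is marked not present and slot 0FFh holds no gate at all. */
#define IDT_ENTRIES 256
static struct idt_gate demo_idt[IDT_ENTRIES];
const struct idt_gate *demo_idt_build(void)
{
    for (unsigned v = 0; v < IDT_ENTRIES; v++) {
        demo_idt[v].type = v < 32 ? GATE_TRAP : GATE_INTERRUPT;
        demo_idt[v].dpl = 0;
        demo_idt[v].present = 1;
    }
    demo_idt[3].dpl = 3;
    demo_idt[4].dpl = 3;
    demo_idt[0x80].type = GATE_TRAP; demo_idt[0x80].dpl = 3;
    demo_idt[0x90].present = 0;
    demo_idt[0xFF].type = GATE_NONE;
    return demo_idt;
}

static void show(const char *what, struct fault f)
{
    if (f.vec == 0)
        printf("%-32s ok\n", what);
    else
        printf("%-32s #%s(%#x) -> IDT index %u, EXT=%d\n", what,
               f.vec == 13 ? "GP" : "NP", f.err, err_index(f.err), err_ext(f.err));
}

int main(void)
{
    const struct idt_gate *idt = demo_idt_build();
    show("INT 80h from CPL 3",          int_gate_check(idt, IDT_ENTRIES, 0x80, 3, 1, 0));
    show("INT 2 from CPL 3",            int_gate_check(idt, IDT_ENTRIES, 2, 3, 1, 0));
    show("external int. 2 at CPL 3",    int_gate_check(idt, IDT_ENTRIES, 2, 3, 0, 1));
    show("INT 90h (gate not present)",  int_gate_check(idt, IDT_ENTRIES, 0x90, 0, 1, 0));
    show("INT 80h with 32-entry IDT",   int_gate_check(idt, 32, 0x80, 3, 1, 0));
    return 0;
}
```

Reading the error code backwards is the practical use: a #GP whose code has bit 1 set and bit 0 clear came from a software interrupt or exception referring to IDT entry code>>3, which distinguishes a bad INT n from a segment-selector fault whose code would have bit 1 clear.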
Protected Mode Exceptions

#GP, #NP, #SS, and #TS as indicated under "Operation" above

Real Address Mode Exceptions

None; if the SP or ESP = 1, 3, or 5 before executing INT or INTO,
the 80386 will shut down due to insufficient stack space

Virtual 8086 Mode Exceptions

#GP(0) fault if IOPL is less than 3, for INT only, to permit emulation;
INT 3 (0CCH) generates Interrupt 3; INTO generates Interrupt 4
if the overflow flag equals 1
IRET/IRETD -- Interrupt Return

Opcode    Instruction    Clocks      Description

CF        IRET           22,pm=38    Interrupt return (far return and pop flag register)
CF        IRET           pm=82       Interrupt return to lesser privilege
CF        IRET           ts          Interrupt return, different task (NT = 1)
CF        IRETD          22,pm=38    Interrupt return (far return and pop flag register)
CF        IRETD          pm=82       Interrupt return to lesser privilege
CF        IRETD          pm=60       Interrupt return to V86 mode
CF        IRETD          ts          Interrupt return, different task (NT = 1)

NOTE: Values of ts are given by the following table:

                              New Task
Old Task            386 TSS VM=0    386 TSS VM=1    286 TSS
386 TSS VM=0        275             224             271

Operation

IF PE = 0
THEN (* Real-address mode *)
   IF OperandSize = 32 (* Instruction = IRETD *)
   THEN EIP ← Pop();
   ELSE (* Instruction = IRET *)
      IP ← Pop();
   FI;
   CS ← Pop();
   IF OperandSize = 32 (* Instruction = IRETD *)
   THEN EFLAGS ← Pop();
   ELSE (* Instruction = IRET *)
      FLAGS ← Pop();
   FI;
ELSE (* Protected mode *)
   IF NT = 1
   THEN GOTO TASK-RETURN;
   ELSE
      IF VM = 1 in flags image on stack
      THEN GOTO STACK-RETURN-TO-V86;
      ELSE GOTO STACK-RETURN;
      FI;
   FI;
FI;

STACK-RETURN-TO-V86: (* Interrupted procedure was in V86 mode *)
   IF return CS selector RPL <> 3
   THEN #GP(Return selector);
   FI;
   IF top 36 bytes of stack not within limits
   THEN #SS(0);
   FI;
   Examine return CS selector and associated descriptor:
      IF selector is null, THEN #GP(0); FI;
      IF selector index not within its descriptor table limits
      THEN #GP(Return selector);
      FI;
      IF AR byte does not indicate code segment
      THEN #GP(Return selector);
      FI;
      IF code segment DPL <> 3
      THEN #GP(Return selector);
      FI;
      IF code segment not present
      THEN #NP(Return selector);
      FI;
   Examine return SS selector and associated descriptor:
      IF selector is null THEN #GP(0); FI;
      IF selector index not within its descriptor table limits
      THEN #GP(SS selector);
      FI;
      IF selector RPL <> RPL of return CS selector
      THEN #GP(SS selector);
      FI;
      IF AR byte does not indicate a writable data segment
      THEN #GP(SS selector);
      FI;
      IF stack segment DPL <> RPL of return CS selector
      THEN #GP(SS selector);
      FI;
      IF stack segment not present
      THEN #NP(SS selector);
      FI;
   IF instruction pointer not within code segment limit THEN #GP(0); FI;
   EFLAGS ← SS:[eSP + 8]; (* Sets VM in interrupted routine *)
   EIP ← Pop();
   CS ← Pop(); (* CS behaves as in 8086, due to VM = 1 *)
   throwaway ← Pop(); (* pop away EFLAGS already read *)
   TempESP ← Pop();
   TempSS ← Pop(); (* pop 2 words; throw away high-order word *)
   ES ← Pop(); (* pop 2 words; throw away high-order word *)
   DS ← Pop(); (* pop 2 words; throw away high-order word *)
   FS ← Pop(); (* pop 2 words; throw away high-order word *)
   GS ← Pop(); (* pop 2 words; throw away high-order word *)
   SS:ESP ← TempSS:TempESP;
   (* Resume execution in Virtual 8086 mode *)

TASK-RETURN:
   Examine Back Link Selector in TSS addressed by the current task register:
      Must specify global in the local/global bit, else #TS(new TSS selector);
      Index must be within GDT lim, else #TS(new TSS selector);
      AR byte must specify TSS, else #TS(new TSS selector);
      New TSS must be busy, else #TS(new TSS selector);
      TSS must be present, else #NP(new TSS selector);
   SWITCH-TASKS without nesting to TSS specified by back link selector;
   Mark the task just abandoned as NOT BUSY;
   Instruction pointer must be within code segment limit ELSE #GP(0);

STACK-RETURN:
   IF OperandSize = 32
   THEN Third word on stack must be within stack limits, else #SS(0);
   ELSE Second word on stack must be within stack limits, else #SS(0);
   FI;
   Return CS selector RPL must be ≥ CPL, else #GP(Return selector);
   IF return selector RPL = CPL
   THEN GOTO RETURN-SAME-LEVEL;
   ELSE GOTO RETURN-OUTER-LEVEL;
   FI;

RETURN-SAME-LEVEL:
   IF OperandSize = 32
   THEN
      Top 12 bytes on stack must be within limits, else #SS(0);
      Return CS selector (at eSP+4) must be non-null, else #GP(0);
   ELSE
      Top 6 bytes on stack must be within limits, else #SS(0);
      Return CS selector (at eSP+2) must be non-null, else #GP(0);
   FI;
   Selector index must be within its descriptor table limits, else #GP(Return selector);
   AR byte must indicate code segment, else #GP(Return selector);
   IF non-conforming
   THEN code segment DPL must = CPL;
   ELSE #GP(Return selector);
   FI;
   IF conforming
   THEN code segment DPL must be ≤ CPL, else #GP(Return selector);
   FI;
   Segment must be present, else #NP(Return selector);
   Instruction pointer must be within code segment boundaries, else #GP(0);
   IF OperandSize = 32
   THEN
      Load CS:EIP from stack;
      Load CS-register with new code segment descriptor;
      Load EFLAGS with third doubleword from stack;
      Increment eSP by 12;
   ELSE
      Load CS:IP from stack;
      Load CS-register with new code segment descriptor;
      Load FLAGS with third word on stack;
      Increment eSP by 6;
   FI;

RETURN-OUTER-LEVEL:
   IF OperandSize = 32
   THEN Top 20 bytes on stack must be within limits, else #SS(0);
   ELSE Top 10 bytes on stack must be within limits, else #SS(0);
   FI;
   Examine return CS selector and associated descriptor:
      Selector must be non-null, else #GP(0);
      Selector index must be within its descriptor table limits
         ELSE #GP(Return selector);
      AR byte must indicate code segment, else #GP(Return selector);
      IF non-conforming
      THEN code segment DPL must = CS selector RPL;
      ELSE #GP(Return selector);
      FI;
      IF conforming
      THEN code segment DPL must be > CPL;
      ELSE #GP(Return selector);
      FI;
      Segment must be present, else #NP(Return selector);
   Examine return SS selector and associated descriptor:
      Selector must be non-null, else #GP(0);
      Selector index must be within its descriptor table limits
         ELSE #GP(SS selector);
      Selector RPL must equal the RPL of the return CS selector
         ELSE #GP(SS selector);
      AR byte must indicate a writable data segment, else #GP(SS selector);
      Stack segment DPL must equal the RPL of the return CS selector
         ELSE #GP(SS selector);
      SS must be present, else #NP(SS selector);
   Instruction pointer must be within code segment limit ELSE #GP(0);
   IF OperandSize = 32
   THEN
      Load CS:EIP from stack;
      Load EFLAGS with values at (eSP+8);
   ELSE
      Load CS:IP from stack;
      Load FLAGS with values at (eSP+4);
   FI;
   Load SS:eSP from stack;
   Set CPL to the RPL of the return CS selector;
   Load the CS register with the CS descriptor;
   Load the SS register with the SS descriptor;
   FOR each of ES, FS, GS, and DS
   DO
      IF the current value of the register is not valid for the outer level
      THEN zero the register and clear the valid flag;
      FI;
      To be valid, the register setting must satisfy the following
      conditions:
         Selector index must be within descriptor table limits;
         AR byte must indicate data or readable code segment;
         IF segment is data or non-conforming code,
         THEN DPL must be ≥ CPL and DPL must be ≥ the selector's RPL;
         FI;
   OD;

Description

In Real Address Mode, IRET pops the instruction pointer, CS, and the
flags register from the stack and resumes the interrupted routine.

In Protected Mode, the action of IRET depends on the setting of the
nested task flag (NT) bit in the flag register. When popping the new
flag image from the stack, the IOPL bits in the flag register are changed
only when CPL equals 0.

If NT equals 0, IRET returns from an interrupt procedure without a
task switch. The code returned to must be equally or less privileged than
the interrupt routine (as indicated by the RPL bits of the CS selector
popped from the stack). If the destination code is less privileged, IRET
also pops the stack pointer and SS from the stack, and any of ES, FS, GS,
and DS that could not be loaded at the new privilege level is zeroed so
that the less privileged code does not inherit it.

If NT equals 1, IRET reverses the operation of a CALL or INT that
caused a task switch. The updated state of the task executing IRET is
saved in its task state segment. If the task is reentered later, the code
that follows IRET is executed.
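Three of the IRET rules described above, as an added example in C (not code from the manual): the return CS selector's RPL must be numerically greater than or equal to CPL, the popped flag image may change IOPL only when CPL is 0, and on a return to an outer level each of ES, FS, GS and DS is zeroed unless it could be loaded there. The descriptor structure, the selector values 10h and 23h, and the kernel-to-user scenario are constructed for the example; the validity test for a data or non-conforming code segment is coded as DPL ≥ new CPL and DPL ≥ selector RPL, the condition under which the segment could be loaded at the outer level. The third rule is what keeps a kernel data selector left in DS from surviving into user mode.

```c
/* Model of three IRET rules: the RPL >= CPL test, the IOPL rule for the popped
 * flag image, and segment-register sanitisation on a return to an outer level.
 * Added example; not text from the manual. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define EFL_IOPL 0x3000u              /* bits 12-13 of EFLAGS */

/* Hypothetical, simplified descriptor: only the fields the rules read. */
struct seg_desc {
    int in_table;                     /* index within descriptor table limits */
    int is_code, conforming, readable;
    unsigned dpl;
};

/* -1: #GP(return selector); 0: RETURN-SAME-LEVEL; 1: RETURN-OUTER-LEVEL. */
int iret_level(unsigned cpl, unsigned ret_cs_rpl)
{
    if (ret_cs_rpl < cpl) return -1;  /* would be a return to *more* privilege */
    return ret_cs_rpl == cpl ? 0 : 1;
}

/* Apply the popped flag image; IOPL is kept from the current EFLAGS unless
 * the returning code runs at CPL 0. */
uint32_t iret_apply_eflags(uint32_t current, uint32_t popped, unsigned cpl)
{
    if (cpl != 0)
        popped = (popped & ~EFL_IOPL) | (current & EFL_IOPL);
    return popped;
}

/* Validity of a data-segment register at the outer level being returned to:
 * for data and non-conforming code the DPL must be >= the new CPL and >= the
 * selector's RPL (the load rule for such segments). */
int seg_valid_at_outer_level(const struct seg_desc *d, unsigned sel_rpl, unsigned new_cpl)
{
    if (!d->in_table) return 0;
    if (d->is_code && !d->readable) return 0;
    if (!d->is_code || !d->conforming) {
        if (d->dpl < new_cpl || d->dpl < sel_rpl) return 0;
    }
    return 1;
}

/* The FOR loop over ES, FS, GS, DS from RETURN-OUTER-LEVEL: 'sels' holds each
 * register's selector (RPL in the low two bits), 'descs' its descriptor.
 * Invalid registers become the null selector.  Returns how many were zeroed. */
int iret_sanitize_segs(uint16_t sels[4], const struct seg_desc descs[4], unsigned new_cpl)
{
    int zeroed = 0;
    for (int i = 0; i < 4; i++) {
        if (sels[i] != 0 && !seg_valid_at_outer_level(&descs[i], sels[i] & 3, new_cpl)) {
            sels[i] = 0;              /* null selector: any later use faults */
            zeroed++;
        }
    }
    return zeroed;
}

/* Constructed scenario: kernel (CPL 0) returning to user code (RPL 3) while
 * FS and DS still hold a DPL-0 kernel data selector and ES, GS a DPL-3 one. */
int demo_kernel_to_user(void)
{
    struct seg_desc kdata = { 1, 0, 0, 0, 0 };     /* data segment, DPL 0 */
    struct seg_desc udata = { 1, 0, 0, 0, 3 };     /* data segment, DPL 3 */
    struct seg_desc descs[4];
    uint16_t sels[4] = { 0x23, 0x10, 0x23, 0x10 }; /* ES, FS, GS, DS: RPL 3,0,3,0 */
    descs[0] = udata; descs[1] = kdata; descs[2] = udata; descs[3] = kdata;
    return iret_sanitize_segs(sels, descs, 3);     /* FS and DS are zeroed */
}

int main(void)
{
    printf("CPL0 -> RPL3 : level %d (outer)\n", iret_level(0, 3));
    printf("CPL3 -> RPL0 : level %d (#GP)\n", iret_level(3, 0));
    printf("IOPL=3 image popped at CPL3: EFLAGS %#x\n", iret_apply_eflags(0x0202, 0x3202, 3));
    printf("segment registers zeroed on return: %d\n", demo_kernel_to_user());
    return 0;
}
```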
Flags Affected

All; the flags register is popped from the stack

Protected Mode Exceptions

#GP, #NP, or #SS, as indicated under "Operation" above

Real Address Mode Exceptions

Interrupt 13 if any part of the operand being popped lies beyond address
0FFFFH

Virtual 8086 Mode Exceptions

#GP(0) fault if IOPL is less than 3, to permit emulation
Jcc -- Jump if Condition is Met

Opcode          Instruction       Clocks    Description

77 cb           JA rel8           7+m,3     Jump short if above (CF=0 and ZF=0)
73 cb           JAE rel8          7+m,3     Jump short if above or equal (CF=0)
72 cb           JB rel8           7+m,3     Jump short if below (CF=1)
76 cb           JBE rel8          7+m,3     Jump short if below or equal (CF=1 or ZF=1)
72 cb           JC rel8           7+m,3     Jump short if carry (CF=1)
E3 cb           JCXZ rel8         9+m,5     Jump short if CX register is 0
E3 cb           JECXZ rel8        9+m,5     Jump short if ECX register is 0
74 cb           JE rel8           7+m,3     Jump short if equal (ZF=1)
74 cb           JZ rel8           7+m,3     Jump short if 0 (ZF=1)
7F cb           JG rel8           7+m,3     Jump short if greater (ZF=0 and SF=OF)
7D cb           JGE rel8          7+m,3     Jump short if greater or equal (SF=OF)
7C cb           JL rel8           7+m,3     Jump short if less (SF<>OF)
7E cb           JLE rel8          7+m,3     Jump short if less or equal (ZF=1 or SF<>OF)
76 cb           JNA rel8          7+m,3     Jump short if not above (CF=1 or ZF=1)
72 cb           JNAE rel8         7+m,3     Jump short if not above or equal (CF=1)
73 cb           JNB rel8          7+m,3     Jump short if not below (CF=0)
77 cb           JNBE rel8         7+m,3     Jump short if not below or equal (CF=0 and ZF=0)
73 cb           JNC rel8          7+m,3     Jump short if not carry (CF=0)
75 cb           JNE rel8          7+m,3     Jump short if not equal (ZF=0)
7E cb           JNG rel8          7+m,3     Jump short if not greater (ZF=1 or SF<>OF)
7C cb           JNGE rel8         7+m,3     Jump short if not greater or equal (SF<>OF)
7D cb           JNL rel8          7+m,3     Jump short if not less (SF=OF)
7F cb           JNLE rel8         7+m,3     Jump short if not less or equal (ZF=0 and SF=OF)
71 cb           JNO rel8          7+m,3     Jump short if not overflow (OF=0)
7B cb           JNP rel8          7+m,3     Jump short if not parity (PF=0)
79 cb           JNS rel8          7+m,3     Jump short if not sign (SF=0)
75 cb           JNZ rel8          7+m,3     Jump short if not zero (ZF=0)
70 cb           JO rel8           7+m,3     Jump short if overflow (OF=1)
7A cb           JP rel8           7+m,3     Jump short if parity (PF=1)
7A cb           JPE rel8          7+m,3     Jump short if parity even (PF=1)
7B cb           JPO rel8          7+m,3     Jump short if parity odd (PF=0)
78 cb           JS rel8           7+m,3     Jump short if sign (SF=1)
74 cb           JZ rel8           7+m,3     Jump short if zero (ZF=1)
0F 87 cw/cd     JA rel16/32       7+m,3     Jump near if above (CF=0 and ZF=0)
0F 83 cw/cd     JAE rel16/32      7+m,3     Jump near if above or equal (CF=0)
0F 82 cw/cd     JB rel16/32       7+m,3     Jump near if below (CF=1)
0F 86 cw/cd     JBE rel16/32      7+m,3     Jump near if below or equal (CF=1 or ZF=1)
0F 82 cw/cd     JC rel16/32       7+m,3     Jump near if carry (CF=1)
0F 84 cw/cd     JE rel16/32       7+m,3     Jump near if equal (ZF=1)
0F 84 cw/cd     JZ rel16/32       7+m,3     Jump near if 0 (ZF=1)
0F 8F cw/cd     JG rel16/32       7+m,3     Jump near if greater (ZF=0 and SF=OF)
0F 8D cw/cd     JGE rel16/32      7+m,3     Jump near if greater or equal (SF=OF)
0F 8C cw/cd     JL rel16/32       7+m,3     Jump near if less (SF<>OF)
0F 8E cw/cd     JLE rel16/32      7+m,3     Jump near if less or equal (ZF=1 or SF<>OF)
0F 86 cw/cd     JNA rel16/32      7+m,3     Jump near if not above (CF=1 or ZF=1)
0F 82 cw/cd     JNAE rel16/32     7+m,3     Jump near if not above or equal (CF=1)
0F 83 cw/cd     JNB rel16/32      7+m,3     Jump near if not below (CF=0)
0F 87 cw/cd     JNBE rel16/32     7+m,3     Jump near if not below or equal (CF=0 and ZF=0)
0F 83 cw/cd     JNC rel16/32      7+m,3     Jump near if not carry (CF=0)
0F 85 cw/cd     JNE rel16/32      7+m,3     Jump near if not equal (ZF=0)
0F 8E cw/cd     JNG rel16/32      7+m,3     Jump near if not greater (ZF=1 or SF<>OF)
0F 8C cw/cd     JNGE rel16/32     7+m,3     Jump near if not greater or equal (SF<>OF)
0F 8D cw/cd     JNL rel16/32      7+m,3     Jump near if not less (SF=OF)
0F 8F cw/cd     JNLE rel16/32     7+m,3     Jump near if not less or equal (ZF=0 and SF=OF)
0F 81 cw/cd     JNO rel16/32      7+m,3     Jump near if not overflow (OF=0)
0F 8B cw/cd     JNP rel16/32      7+m,3     Jump near if not parity (PF=0)
0F 89 cw/cd     JNS rel16/32      7+m,3     Jump near if not sign (SF=0)
0F 85 cw/cd     JNZ rel16/32      7+m,3     Jump near if not zero (ZF=0)
0F 80 cw/cd     JO rel16/32       7+m,3     Jump near if overflow (OF=1)
0F 8A cw/cd     JP rel16/32       7+m,3     Jump near if parity (PF=1)
0F 8A cw/cd     JPE rel16/32      7+m,3     Jump near if parity even (PF=1)
0F 8B cw/cd     JPO rel16/32      7+m,3     Jump near if parity odd (PF=0)
0F 88 cw/cd     JS rel16/32       7+m,3     Jump near if sign (SF=1)
0F 84 cw/cd     JZ rel16/32       7+m,3     Jump near if 0 (ZF=1)

NOTE: The first clock count is for the true condition (branch taken); the
second clock count is for the false condition (branch not taken). rel16/32
indicates that each of these instructions maps to two encodings, one with a
16-bit relative displacement and the other with a 32-bit relative
displacement, selected by the operand-size attribute of the instruction.

Operation

IF condition
THEN
   EIP ← EIP + SignExtend(rel8/16/32);
   IF OperandSize = 16
   THEN EIP ← EIP AND 0000FFFFH;
   FI;
FI;

Description

Conditional jumps (except JCXZ) test the flags which have been set by
a previous instruction. The conditions for each mnemonic are given in
parentheses after each description above. The terms "less" and "greater"
are used for comparisons of signed integers; "above" and "below" are
used for unsigned integers.
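How the signed ("less"/"greater") and unsigned ("below"/"above") conditions from the table read the flags left by a CMP, as an added example in C; this is not code from the manual. The flag computation follows the usual CMP definition (dst minus src), the bounds-check scenario, LIMIT and the probe values are constructed, and the enum names are the example's own. The case it is built around is a length or index check compiled with the signed form: CMP EAX,16 followed by JLE accepts 0FFFFFFFFH because the flags say "-1 is less than 16", while JBE, reading the same flags as an unsigned comparison, rejects it.

```c
/* Model of how Jcc reads the flags left by CMP, contrasting the signed
 * ("less/greater") and unsigned ("below/above") conditions on a bounds check.
 * Added example; not text from the manual. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

struct flags { int cf, zf, sf, of, pf; };

/* Flags produced by CMP dst,src (computes dst - src) on 32-bit operands. */
struct flags cmp32(uint32_t dst, uint32_t src)
{
    uint32_t r = dst - src;
    struct flags f;
    f.cf = dst < src;                                 /* unsigned borrow */
    f.zf = r == 0;
    f.sf = (r >> 31) & 1;
    f.of = (((dst ^ src) & (dst ^ r)) >> 31) & 1;     /* signed overflow */
    f.pf = 1;                                         /* PF = even parity of low byte */
    for (unsigned b = r & 0xFF; b; b &= b - 1) f.pf ^= 1;
    return f;
}

enum cc { CC_A, CC_AE, CC_B, CC_BE, CC_E, CC_NE, CC_G, CC_GE, CC_L, CC_LE,
          CC_O, CC_NO, CC_S, CC_NS, CC_P, CC_NP };

/* The condition column of the table above.  Aliases share an opcode:
 * JZ=JE, JC=JB=JNAE, JNC=JAE=JNB, JNA=JBE, JNG=JLE, JPE=JP, JPO=JNP, ... */
int jcc_taken(enum cc c, struct flags f)
{
    switch (c) {
    case CC_A:  return !f.cf && !f.zf;
    case CC_AE: return !f.cf;
    case CC_B:  return f.cf;
    case CC_BE: return f.cf || f.zf;
    case CC_E:  return f.zf;
    case CC_NE: return !f.zf;
    case CC_G:  return !f.zf && f.sf == f.of;
    case CC_GE: return f.sf == f.of;
    case CC_L:  return f.sf != f.of;
    case CC_LE: return f.zf || f.sf != f.of;
    case CC_O:  return f.of;
    case CC_NO: return !f.of;
    case CC_S:  return f.sf;
    case CC_NS: return !f.sf;
    case CC_P:  return f.pf;
    case CC_NP: return !f.pf;
    }
    return 0;
}

/* A bounds check as compiled from "if (idx <= LIMIT) use(idx)":
 *     CMP EAX, LIMIT
 *     JLE ok        ; signed: 0FFFFFFFFH is -1, which is "less", so accepted
 * versus JBE ok, the unsigned form.  Both return 1 when the index is accepted. */
#define LIMIT 16u
int index_ok_signed(uint32_t idx)   { return jcc_taken(CC_LE, cmp32(idx, LIMIT)); }
int index_ok_unsigned(uint32_t idx) { return jcc_taken(CC_BE, cmp32(idx, LIMIT)); }

int main(void)
{
    uint32_t probes[] = { 0, 16, 17, 0x80000000u, 0xFFFFFFFFu };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%#10x  JLE accepts: %d  JBE accepts: %d\n",
               probes[i], index_ok_signed(probes[i]), index_ok_unsigned(probes[i]));
    return 0;
}
```

When auditing a check in disassembly, the mnemonic after the CMP is the whole story: JL/JLE/JG/JGE mean the compiler treated the value as signed, and any caller-controlled value with bit 31 set passes a "less than" test against a small limit.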
If the given condition is true, a jump is made to the location provided as
the operand. Instruction coding is most efficient when the target for the
conditional jump is in the current code segment and within -128 to
+127 bytes of the next instruction's first byte. The jump can also target
-32768 through +32767 (segment size attribute 16) or -2^(31) through +2^(31)-1
(segment size attribute 32) relative to the next instruction's first byte.
When the target for the conditional jump is in a different segment, use
the opposite case of the jump instruction (i.e., JE and JNE), and then
access the target with an unconditional far jump to the other segment.
For example, you cannot code--

You must instead code--

Because there can be several ways to interpret a particular state of the
flags, ASM386 provides more than one mnemonic for most of the
conditional jump opcodes. For example, if you compared two characters in
AX and want to jump if they are equal, use JE; or, if you ANDed AX
with a bit field mask and only want to jump if the result is 0, use JZ, a
synonym for JE.

JCXZ differs from other conditional jumps because it tests the contents of
the CX or ECX register for 0, not the flags. JCXZ is useful at the beginning
of a conditional loop that terminates with a conditional loop instruction
(such as LOOPNE TARGETLABEL). The JCXZ prevents entering the loop with CX or
ECX equal to zero, which would cause the loop to execute 64K or 4G times
instead of zero times.

Flags Affected

None

Protected Mode Exceptions

#GP(0) if the offset jumped to is beyond the limits of the code segment

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
16162 Opcode Instruction Clocks Description
16164 EB cb JMP rel8 7+m Jump short
16165 E9 cw JMP rel16 7+m Jump near, displacement relative
16166 to next instruction
16167 FF /4 JMP r/m16 7+m/10+m Jump near indirect
16168 EA cd JMP ptr16:16 12+m,pm=27+m Jump intersegment, 4-byte
16170 EA cd JMP ptr16:16 pm=45+m Jump to call gate, same
16172 EA cd JMP ptr16:16 ts Jump via task state segment
16173 EA cd JMP ptr16:16 ts Jump via task gate
16174 FF /5 JMP m16:16 43+m,pm=31+m Jump r/m16:16 indirect and
16176 FF /5 JMP m16:16 pm=49+m Jump to call gate, same
16178 FF /5 JMP m16:16 5 + ts Jump via task state segment
16179 FF /5 JMP m16:16 5 + ts Jump via task gate
16180 E9 cd JMP rel32 7+m Jump near, displacement relative
16181 to next instruction
16182 FF /4 JMP r/m32 7+m,10+m Jump near, indirect
16183 EA cp JMP ptr16:32 12+m,pm=27+m Jump intersegment, 6-byte
16185 EA cp JMP ptr16:32 pm=45+m Jump to call gate, same
16187 EA cp JMP ptr16:32 ts Jump via task state segment
16188 EA cp JMP ptr16:32 ts Jump via task gate
16189 FF /5 JMP m16:32 43+m,pm=31+m Jump intersegment, address at
16191 FF /5 JMP m16:32 pm=49+m Jump to call gate, same
16193 FF /5 JMP m16:32 5 + ts Jump via task state segment
16194 FF /5 JMP m16:32 5 + ts Jump via task gate
16197 ‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
16199 Values of ts are given by the following table:
16203 386 TSS 386 TASK 286 TSS
16206 Old Task Via Task Gate?
16210 TSS VM=0 303 312 220 229 276 285
16213 TSS 301 310 218 227 274 283
16214 ‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘‘
Operation

IF instruction = relative JMP
(* i.e. operand is rel8, rel16, or rel32 *)
THEN
   EIP ← EIP + rel8/16/32;
   IF OperandSize = 16
   THEN EIP ← EIP AND 0000FFFFH;
   FI;
FI;
IF instruction = near indirect JMP
(* i.e. operand is r/m16 or r/m32 *)
THEN
   IF OperandSize = 16
   THEN
      EIP ← [r/m16] AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      EIP ← [r/m32];
   FI;
FI;
IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or V86 mode *)
AND instruction = far JMP
(* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *)
THEN (* REAL-OR-V86-MODE *)
   IF operand type = m16:16 or m16:32
   THEN (* indirect *)
      IF OperandSize = 16
      THEN
         CS:IP ← [m16:16];
         EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP ← [m16:32];
      FI;
   FI;
   IF operand type = ptr16:16 or ptr16:32
   THEN (* direct *)
      IF OperandSize = 16
      THEN
         CS:IP ← ptr16:16;
         EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP ← ptr16:32;
      FI;
   FI;
FI;
IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
AND instruction = far JMP
THEN
   IF operand type = m16:16 or m16:32
   THEN (* indirect *)
      check access of EA dword;
      #GP(0) or #SS(0) IF limit violation;
   FI;
   Destination selector is not null ELSE #GP(0)
   Destination selector index is within its descriptor table limits ELSE
      #GP(selector);
   Depending on AR byte of destination descriptor:
      GOTO CONFORMING-CODE-SEGMENT;
      GOTO NONCONFORMING-CODE-SEGMENT;
      GOTO CALL-GATE;
      GOTO TASK-GATE;
      GOTO TASK-STATE-SEGMENT;
      ELSE #GP(selector); (* illegal AR byte in descriptor *)
FI;

CONFORMING-CODE-SEGMENT:
   Descriptor DPL must be ≤ CPL ELSE #GP(selector);
   Segment must be present ELSE #NP(selector);
   Instruction pointer must be within code-segment limit ELSE #GP(0);
   IF OperandSize = 32
   THEN Load CS:EIP from destination pointer;
   ELSE Load CS:IP from destination pointer;
   FI;
   Load CS register with new segment descriptor;

NONCONFORMING-CODE-SEGMENT:
   RPL of destination selector must be ≤ CPL ELSE #GP(selector);
   Descriptor DPL must be = CPL ELSE #GP(selector);
   Segment must be present ELSE #NP(selector);
   Instruction pointer must be within code-segment limit ELSE #GP(0);
   IF OperandSize = 32
   THEN Load CS:EIP from destination pointer;
   ELSE Load CS:IP from destination pointer;
   FI;
   Load CS register with new segment descriptor;
   Set RPL field of CS register to CPL;

CALL-GATE:
   Descriptor DPL must be ≥ CPL ELSE #GP(gate selector);
   Descriptor DPL must be ≥ gate selector RPL ELSE #GP(gate selector);
   Gate must be present ELSE #NP(gate selector);
   Examine selector to code segment given in call gate descriptor:
      Selector must not be null ELSE #GP(0);
      Selector must be within its descriptor table limits ELSE
         #GP(CS selector);
      Descriptor AR byte must indicate code segment
         ELSE #GP(CS selector);
      IF non-conforming
      THEN code-segment descriptor DPL must = CPL
         ELSE #GP(CS selector);
      FI;
      IF conforming
      THEN code-segment descriptor DPL must be ≤ CPL
         ELSE #GP(CS selector);
      FI;
      Code segment must be present ELSE #NP(CS selector);
      Instruction pointer must be within code-segment limit ELSE #GP(0);
      IF OperandSize = 32
      THEN Load CS:EIP from call gate;
      ELSE Load CS:IP from call gate;
      FI;
   Load CS register with new code-segment descriptor;
   Set RPL of CS to CPL;

TASK-GATE:
   Gate descriptor DPL must be ≥ CPL ELSE #GP(gate selector);
   Gate descriptor DPL must be ≥ gate selector RPL ELSE #GP(gate
      selector);
   Task Gate must be present ELSE #NP(gate selector);
   Examine selector to TSS, given in Task Gate descriptor:
      Must specify global in the local/global bit ELSE #GP(TSS selector);
      Index must be within GDT limits ELSE #GP(TSS selector);
      Descriptor AR byte must specify available TSS (bottom bits 00001)
         ELSE #GP(TSS selector);
      Task State Segment must be present ELSE #NP(TSS selector);
   SWITCH-TASKS (without nesting) to TSS;
   Instruction pointer must be within code-segment limit ELSE #GP(0);

TASK-STATE-SEGMENT:
   TSS DPL must be ≥ CPL ELSE #GP(TSS selector);
   TSS DPL must be ≥ TSS selector RPL ELSE #GP(TSS selector);
   Descriptor AR byte must specify available TSS (bottom bits 00001)
      ELSE #GP(TSS selector);
   Task State Segment must be present ELSE #NP(TSS selector);
   SWITCH-TASKS (without nesting) to TSS;
   Instruction pointer must be within code-segment limit ELSE #GP(0);
Description

The JMP instruction transfers control to a different point in the
instruction stream without recording return information.

The actions of the various forms of the instruction are shown below.

Jumps with destinations of type r/m16, r/m32, rel16, and rel32 are near
jumps and do not involve changing the segment register value.

The JMP rel16 and JMP rel32 forms of the instruction add an offset to
the address of the instruction following the JMP to determine the
destination. The rel16 form is used when the instruction's operand-size
attribute is 16 bits (segment size attribute 16 only); rel32 is used when
the operand-size attribute is 32 bits (segment size attribute 32 only). The
result is stored in the 32-bit EIP register. With rel16, the upper 16 bits
of EIP are cleared, which results in an offset whose value does not exceed
0FFFFH.

JMP r/m16 and JMP r/m32 specify a register or memory location from which
the absolute offset of the destination within the current code segment is
fetched. The offset fetched from r/m is 32 bits for an operand-size
attribute of 32 bits (r/m32), or 16 bits for an operand-size attribute of
16 bits (r/m16).

The JMP ptr16:16 and ptr16:32 forms of the instruction use a four-byte
or six-byte operand as a long pointer to the destination. The JMP
m16:16 and m16:32 forms fetch the long pointer from the memory location
specified (indirection). In Real Address Mode or Virtual 8086 Mode,
the long pointer provides 16 bits for the CS register and 16 or 32 bits
for the EIP register (depending on the operand-size attribute). In
Protected Mode, both long pointer forms consult the Access Rights (AR)
byte in the descriptor indexed by the selector part of the long pointer.

Depending on the value of the AR byte, the jump will perform one of
the following types of control transfers:

• A jump to a code segment at the same privilege level
• A task switch

For more information on protected mode control transfers, refer to
Chapter 6 and Chapter 7.
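The privilege rules in the "Operation" listing above are what stop a far JMP from ever raising the privilege level: a conforming segment must have DPL ≤ CPL, a nonconforming one DPL = CPL, and the code segment behind a call gate is held to the same rule when reached by JMP (unlike CALL). The following C model is an added example, not code from the Intel manual; it takes the descriptor fields directly and reports only the outcome of the checks (descriptor-table lookups, limit checks and the task switch itself are left out, and the names `far_jmp_check`, `jmp_to_code`, `jmp_via_call_gate` and `jmp_to_tss` are this example's own).

```c
/* Added example, not from the Intel manual: a model of the protected-mode
 * checks an 80386 applies to a far JMP destination, following the
 * CONFORMING-CODE-SEGMENT, NONCONFORMING-CODE-SEGMENT, CALL-GATE, TASK-GATE
 * and TASK-STATE-SEGMENT paths under "Operation" above. Descriptor fields
 * are supplied directly; descriptor-table lookups, limit checks and the
 * task switch itself are out of scope, only the outcome is reported. */
#include <stdbool.h>

enum dest_kind {
    DEST_CODE,       /* code segment descriptor */
    DEST_CALL_GATE,  /* 80286 or 80386 call gate (type 4 or C) */
    DEST_TASK_GATE,  /* task gate (type 5) */
    DEST_TSS,        /* available TSS (type 1 or 9) */
    DEST_OTHER       /* data segment, LDT, busy TSS, trap or interrupt gate */
};

enum jmp_result { JMP_OK, JMP_GP_SELECTOR, JMP_GP_0, JMP_NP };

struct jmp_dest {
    enum dest_kind kind;
    unsigned dpl;            /* DPL of the descriptor the selector names */
    bool present;
    bool conforming;         /* DEST_CODE only */
    /* Gates only: the code segment (call gate) or TSS (task gate) that the
     * selector stored inside the gate names. */
    bool target_null;
    bool target_is_code;
    bool target_conforming;
    unsigned target_dpl;
    bool target_present;
};

/* cpl: current privilege level; rpl: RPL field of the destination selector. */
static enum jmp_result far_jmp_check(unsigned cpl, unsigned rpl,
                                     const struct jmp_dest *d)
{
    switch (d->kind) {
    case DEST_CODE:
        if (d->conforming) {
            /* CONFORMING-CODE-SEGMENT: DPL <= CPL; execution stays at CPL */
            if (d->dpl > cpl) return JMP_GP_SELECTOR;
        } else {
            /* NONCONFORMING-CODE-SEGMENT: RPL <= CPL and DPL == CPL */
            if (rpl > cpl || d->dpl != cpl) return JMP_GP_SELECTOR;
        }
        return d->present ? JMP_OK : JMP_NP;

    case DEST_CALL_GATE:
        /* CALL-GATE: gate DPL >= CPL and >= selector RPL, gate present */
        if (d->dpl < cpl || d->dpl < rpl) return JMP_GP_SELECTOR;
        if (!d->present) return JMP_NP;
        if (d->target_null) return JMP_GP_0;
        if (!d->target_is_code) return JMP_GP_SELECTOR;
        /* The code segment behind the gate is held to the same rule as a
         * direct far JMP, so a JMP through a gate never changes CPL. */
        if (d->target_conforming ? d->target_dpl > cpl
                                 : d->target_dpl != cpl)
            return JMP_GP_SELECTOR;
        return d->target_present ? JMP_OK : JMP_NP;

    case DEST_TASK_GATE:
        /* TASK-GATE: gate DPL >= CPL and >= RPL, gate and its TSS present
         * (the global/available-TSS checks on the gate's selector are not
         * modelled here). */
        if (d->dpl < cpl || d->dpl < rpl) return JMP_GP_SELECTOR;
        if (!d->present) return JMP_NP;
        return d->target_present ? JMP_OK : JMP_NP;

    case DEST_TSS:
        /* TASK-STATE-SEGMENT: TSS DPL >= CPL and >= RPL, TSS present */
        if (d->dpl < cpl || d->dpl < rpl) return JMP_GP_SELECTOR;
        return d->present ? JMP_OK : JMP_NP;

    default:
        return JMP_GP_SELECTOR;  /* illegal AR byte for a JMP destination */
    }
}

/* Wrappers for the three common destination shapes. */
static enum jmp_result jmp_to_code(unsigned cpl, unsigned rpl, unsigned dpl,
                                   bool conforming, bool present)
{
    struct jmp_dest d = {0};
    d.kind = DEST_CODE; d.dpl = dpl; d.conforming = conforming; d.present = present;
    return far_jmp_check(cpl, rpl, &d);
}

static enum jmp_result jmp_via_call_gate(unsigned cpl, unsigned rpl,
                                         unsigned gate_dpl, unsigned code_dpl,
                                         bool conforming)
{
    struct jmp_dest d = {0};
    d.kind = DEST_CALL_GATE; d.dpl = gate_dpl; d.present = true;
    d.target_is_code = true; d.target_dpl = code_dpl;
    d.target_conforming = conforming; d.target_present = true;
    return far_jmp_check(cpl, rpl, &d);
}

/* available == false stands for a busy TSS, which is an illegal destination */
static enum jmp_result jmp_to_tss(unsigned cpl, unsigned rpl, unsigned tss_dpl,
                                  bool available)
{
    struct jmp_dest d = {0};
    d.kind = available ? DEST_TSS : DEST_OTHER; d.dpl = tss_dpl; d.present = true;
    return far_jmp_check(cpl, rpl, &d);
}
```

Two outcomes are worth noting: ring-3 code cannot reach a ring-0 nonconforming segment even through a gate whose own DPL is 3 (`jmp_via_call_gate(3, 3, 3, 0, false)` faults), while a ring-0 conforming segment is reachable from ring 3 but runs at CPL 3, which is exactly the "same privilege level" transfer the text describes.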
Flags Affected

All if a task switch takes place; none if no task switch occurs

Protected Mode Exceptions

Far jumps: #GP, #NP, #SS, and #TS, as indicated in the list above.

Near direct jumps: #GP(0) if the destination location is beyond the code
segment limits

Near indirect jumps: #GP(0) for an illegal memory operand effective
address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal
address in the SS segment; #GP if the indirect offset obtained is beyond
the code segment limits; #PF(fault-code) for a page fault.

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would be outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as under Real Address Mode; #PF(fault-code) for a
page fault
LAHF -- Load Flags into AH Register

Opcode   Instruction   Clocks   Description
9F       LAHF          2        Load: AH = flags SF ZF xx AF xx PF xx CF

Operation

AH ← SF:ZF:xx:AF:xx:PF:xx:CF;

Description

LAHF transfers the low byte of the flags word to AH. The bits, from
MSB to LSB, are sign, zero, indeterminate, auxiliary carry,
indeterminate, parity, indeterminate, and carry.

Flags Affected

None

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
LAR -- Load Access Rights Byte

Opcode     Instruction      Clocks     Description
0F 02 /r   LAR r16,r/m16    pm=15/16   r16 ← r/m16 masked by FF00
0F 02 /r   LAR r32,r/m32    pm=15/16   r32 ← r/m32 masked by 00FxFF00

Description

The LAR instruction stores a masked form of the second doubleword of
the descriptor for the source selector if the selector is visible at the
CPL (weakened by the selector's RPL) and is a valid descriptor type. The
destination register is loaded with the high-order doubleword of the
descriptor masked by 00FxFF00, and ZF is set to 1. The x indicates that the
four bits corresponding to the upper four bits of the limit are undefined in
the value loaded by LAR. If the selector is invisible or of the wrong type,
ZF is cleared to 0 and the destination register is left unchanged.

If the 32-bit operand size is specified, the entire 32-bit value is loaded
into the 32-bit destination register. If the 16-bit operand size is
specified, the lower 16 bits of this value are stored in the 16-bit
destination register.

All code and data segment descriptors are valid for LAR.

The valid special segment and gate descriptor types for LAR are given
in the following table:

Type   Name                     Valid/Invalid
0      Invalid                  Invalid
1      Available 80286 TSS      Valid
2      LDT                      Valid
3      Busy 80286 TSS           Valid
4      80286 call gate          Valid
5      80286/80386 task gate    Valid
6      80286 trap gate          Valid
7      80286 interrupt gate     Valid
8      Invalid                  Invalid
9      Available 80386 TSS      Valid
A      Invalid                  Invalid
B      Busy 80386 TSS           Valid
C      80386 call gate          Valid
D      Invalid                  Invalid
E      80386 trap gate          Valid
F      80386 interrupt gate     Valid

Flags Affected

ZF as described above

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 6; LAR is unrecognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode
LEA -- Load Effective Address

Opcode   Instruction   Clocks   Description
8D /r    LEA r16,m     2        Store effective address for m in register r16
8D /r    LEA r32,m     2        Store effective address for m in register r32

Operation

IF OperandSize = 16 AND AddressSize = 16
THEN r16 ← Addr(m);
FI;
IF OperandSize = 16 AND AddressSize = 32
THEN
   r16 ← Truncate_to_16bits(Addr(m)); (* 32-bit address *)
FI;
IF OperandSize = 32 AND AddressSize = 16
THEN
   r32 ← Truncate_to_16bits(Addr(m)); (* 16-bit address, zero-extended *)
FI;
IF OperandSize = 32 AND AddressSize = 32
THEN r32 ← Addr(m);
FI;

Description

LEA calculates the effective address (offset part) and stores it in the
specified register. The operand-size attribute of the instruction
(represented by OperandSize in the algorithm under "Operation" above) is
determined by the chosen register. The address-size attribute (represented
by AddressSize) is determined by the USE attribute of the segment containing
the second operand. The address-size and operand-size attributes affect the
action performed by LEA, as follows:

Operand Size   Address Size   Action Performed
16             16             16-bit effective address is calculated and
                              stored in requested 16-bit register
16             32             32-bit effective address is calculated. The
                              lower 16 bits of the address are stored in
                              the requested 16-bit register destination.
32             16             16-bit effective address is calculated. The
                              16-bit address is zero-extended and stored
                              in the requested 32-bit register destination.
32             32             32-bit effective address is calculated and
                              stored in the requested 32-bit register

Flags Affected

None

Protected Mode Exceptions

#UD if the second operand is a register

Real Address Mode Exceptions

Interrupt 6 if the second operand is a register

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode
LEAVE -- High Level Procedure Exit

Opcode   Instruction   Clocks   Description
C9       LEAVE         4        Set SP to BP, then pop BP
C9       LEAVE         4        Set ESP to EBP, then pop EBP

Operation

IF StackAddrSize = 16
THEN SP ← BP;
ELSE (* StackAddrSize = 32 *)
   ESP ← EBP;
FI;
IF OperandSize = 16
THEN BP ← Pop();
ELSE (* OperandSize = 32 *)
   EBP ← Pop();
FI;

Description

LEAVE reverses the actions of the ENTER instruction. By copying the
frame pointer to the stack pointer, LEAVE releases the stack space used
by a procedure for its local variables. The old frame pointer is popped
into BP or EBP, restoring the caller's frame. A subsequent RET
instruction removes any arguments pushed onto the stack of the exiting
procedure.

Flags Affected

None

Protected Mode Exceptions

#SS(0) if BP does not point to a location within the limits of the current
stack segment

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode
</gr_repl
ace>
<gr_replace lines="10411-10443" cat="clarify" orig="16650 LGDT">
LGDT/LIDT -- Load Global/Interrupt Descriptor Table Register

Opcode     Instruction     Clocks   Description
0F 01 /2   LGDT m16&32     11       Load m into GDTR
0F 01 /3   LIDT m16&32     11       Load m into IDTR

Operation

IF instruction = LIDT
THEN
   IF OperandSize = 16
   THEN IDTR.Limit:Base ← m16:24 (* 24 bits of base loaded *)
   ELSE IDTR.Limit:Base ← m16:32
   FI;
ELSE (* instruction = LGDT *)
   IF OperandSize = 16
   THEN GDTR.Limit:Base ← m16:24 (* 24 bits of base loaded *)
   ELSE GDTR.Limit:Base ← m16:32;
   FI;
FI;

Description

The LGDT and LIDT instructions load a linear base address and limit
value from a six-byte data operand in memory into the GDTR or IDTR,
respectively. If a 16-bit operand is used with LGDT or LIDT, the
register is loaded with a 16-bit limit and a 24-bit base, and the
high-order eight bits of the six-byte data operand are not used. If a 32-bit
operand is used, a 16-bit limit and a 32-bit base are loaded; the high-order
eight bits of the six-byte operand are used as high-order base address bits.

The SGDT and SIDT instructions always store into all 48 bits of the
six-byte data operand. With the 80286, the upper eight bits are undefined
after SGDT or SIDT is executed. With the 80386, the upper eight bits
are written with the high-order eight address bits, for both a 16-bit
operand and a 32-bit operand. If LGDT or LIDT is used with a 16-bit
operand to load the register stored by SGDT or SIDT, the upper eight
bits of the base are loaded as zeros.

LGDT and LIDT appear in operating system software; they are not used
in application programs. They are the only instructions that directly load
a linear address (i.e., not a segment relative address) in 80386 Protected
Mode.
16650 LGDT/LIDT ‘‘ Load Global/Interrupt Descriptor Table Register
16652 Opcode Instruction Clocks Description
16654 0F 01 /2 LGDT m16&32 11 Load m into GDTR
16655 0F 01 /3 LIDT m16&32 11 Load m into IDTR
16660 IF instruction = LIDT
16662 IF OperandSize = 16
16663 THEN IDTR.Limit:Base
\e m16:24 (* 24 bits of base loaded *)
16664 ELSE IDTR.Limit:Base
\e m16:32
16666 ELSE (* instruction = LGDT *)
16667 IF OperandSize = 16
16668 THEN GDTR.Limit:Base
\e m16:24 (* 24 bits of base loaded *)
16669 ELSE GDTR.Limit:Base
\e m16:32;
16675 The LGDT and LIDT instructions load a linear base address and limit
16676 value from a six-byte data operand in memory into the GDTR or IDTR,
16677 respectively. If a 16-bit operand is used with LGDT or LIDT, the
16678 register is loaded with a 16-bit limit and a 24-bit base, and the
16679 high-order eight bits of the six-byte data operand are not used. If a 32-bit
16680 operand is used, a 16-bit limit and a 32-bit base is loaded; the high-order
16681 eight bits of the six-byte operand are used as high-order base address bits.
16683 The SGDT and SIDT instructions always store into all 48 bits of the
16684 six-byte data operand. With the 80286, the upper eight bits are undefined
16685 after SGDT or SIDT is executed. With the 80386, the upper eight bits
16686 are written with the high-order eight address bits, for both a 16-bit
16687 operand and a 32-bit operand. If LGDT or LIDT is used with a 16-bit
16688 operand to load the register stored by SGDT or SIDT, the upper eight
16689 bits are stored as zeros.
16691 LGDT and LIDT appear in operating system software; they are not used
16692 in application programs. They are the only instructions that directly load
16693 a linear address (i.e., not a segment relative address) in 80386 Protected
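The practical consequence of the 16-bit form is that a table placed above 16 MB loses the top byte of its base when loaded from 16-bit code without an operand-size override. The following C routines are an added example, not code from the Intel manual: they lay out the six-byte operand in the 80386's byte order and model the two operand sizes of LGDT/LIDT against what SGDT/SIDT store. The names `table_reg`, `sgdt_store`, `lgdt_load`, `base_after_reload` and `limit_after_reload` are this example's own.

```c
/* Added example, not from the Intel manual: the six-byte operand that
 * LGDT/LIDT read and SGDT/SIDT write, and what the 16-bit and 32-bit
 * operand-size forms of LGDT/LIDT take from it. Layout is the 80386's
 * little-endian one: limit in bytes 0-1, base in bytes 2-5. */
#include <stdint.h>
#include <stdbool.h>

struct table_reg { uint16_t limit; uint32_t base; };  /* GDTR or IDTR */

/* GDTR/IDTR for a table of n eight-byte entries: the limit is the offset
 * of the last valid byte, so n*8 - 1, not n*8. */
static struct table_reg make_table_reg(uint32_t base, unsigned entries)
{
    struct table_reg r = { (uint16_t)(entries * 8u - 1u), base };
    return r;
}

/* SGDT/SIDT on the 80386 always store all 48 bits. */
static void sgdt_store(const struct table_reg *r, uint8_t out[6])
{
    out[0] = (uint8_t)(r->limit & 0xFF);
    out[1] = (uint8_t)(r->limit >> 8);
    for (int i = 0; i < 4; i++)
        out[2 + i] = (uint8_t)((r->base >> (8 * i)) & 0xFF);
}

/* LGDT/LIDT: a 16-bit operand takes a 16-bit limit and a 24-bit base and
 * ignores byte 5 (base bits 31..24 are loaded as zero); a 32-bit operand
 * takes the full 32-bit base. */
static struct table_reg lgdt_load(const uint8_t in[6], bool operand32)
{
    struct table_reg r;
    r.limit = (uint16_t)(in[0] | (uint16_t)in[1] << 8);
    r.base = (uint32_t)in[2] | (uint32_t)in[3] << 8 | (uint32_t)in[4] << 16;
    if (operand32)
        r.base |= (uint32_t)in[5] << 24;
    return r;
}

/* Store a register with SGDT and reload it with LGDT of the given operand
 * size; returns the base the register holds afterwards. */
static uint32_t base_after_reload(uint32_t base, bool operand32)
{
    struct table_reg r = make_table_reg(base, 256);
    uint8_t mem[6];
    sgdt_store(&r, mem);
    return lgdt_load(mem, operand32).base;
}

/* Same round trip for the limit of an n-entry table (operand size is
 * irrelevant for the limit). */
static uint16_t limit_after_reload(unsigned entries)
{
    struct table_reg r = make_table_reg(0, entries);
    uint8_t mem[6];
    sgdt_store(&r, mem);
    return lgdt_load(mem, false).limit;
}
```

A GDT at linear 0C0001000H survives the 32-bit form intact but comes back as 00001000H through the 16-bit form; a table below 16 MB is unaffected either way.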
Flags Affected

None

Protected Mode Exceptions

#GP(0) if the current privilege level is not 0; #UD if the source operand
is a register; #GP(0) for an illegal memory operand effective address in
the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in
the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH; Interrupt 6 if the source operand is a
register

NOTE
These instructions are valid in Real Address Mode to allow
power-up initialization for Protected Mode.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
LGS/LSS/LDS/LES/LFS -- Load Full Pointer

Opcode     Instruction        Clocks   Description
C5 /r      LDS r16,m16:16     7,p=22   Load DS:r16 with pointer from memory
C5 /r      LDS r32,m16:32     7,p=22   Load DS:r32 with pointer from memory
0F B2 /r   LSS r16,m16:16     7,p=22   Load SS:r16 with pointer from memory
0F B2 /r   LSS r32,m16:32     7,p=22   Load SS:r32 with pointer from memory
C4 /r      LES r16,m16:16     7,p=22   Load ES:r16 with pointer from memory
C4 /r      LES r32,m16:32     7,p=22   Load ES:r32 with pointer from memory
0F B4 /r   LFS r16,m16:16     7,p=25   Load FS:r16 with pointer from memory
0F B4 /r   LFS r32,m16:32     7,p=25   Load FS:r32 with pointer from memory
0F B5 /r   LGS r16,m16:16     7,p=25   Load GS:r16 with pointer from memory
0F B5 /r   LGS r32,m16:32     7,p=25   Load GS:r32 with pointer from memory

Operation

CASE instruction OF
   LSS: Sreg is SS; (* Load SS register *)
   LDS: Sreg is DS; (* Load DS register *)
   LES: Sreg is ES; (* Load ES register *)
   LFS: Sreg is FS; (* Load FS register *)
   LGS: Sreg is GS; (* Load GS register *)
ESAC;
IF (OperandSize = 16)
THEN
   r16 ← [Effective Address]; (* 16-bit transfer *)
   Sreg ← [Effective Address + 2]; (* 16-bit transfer *)
   (* In Protected Mode, load the descriptor into the segment register *)
ELSE (* OperandSize = 32 *)
   r32 ← [Effective Address]; (* 32-bit transfer *)
   Sreg ← [Effective Address + 4]; (* 16-bit transfer *)
   (* In Protected Mode, load the descriptor into the segment register *)
FI;

Description

These instructions read a full pointer from memory and store it in the
selected segment register:register pair. The full pointer loads 16 bits
into the segment register SS, DS, ES, FS, or GS. The other register loads 32
bits if the operand-size attribute is 32 bits, or loads 16 bits if the
operand-size attribute is 16 bits. The other 16- or 32-bit register to be
loaded is determined by the r16 or r32 register operand specified.

When an assignment is made to one of the segment registers, the
descriptor is also loaded into the segment register. The data for the
register is obtained from the descriptor table entry for the selector
given.

A null selector (values 0000-0003) can be loaded into DS, ES, FS, or
GS registers without causing a protection exception. (Any subsequent
reference to a segment whose corresponding segment register is loaded
with a null selector to address memory causes a #GP(0) exception. No
memory reference to the segment occurs.)

The following is a listing of the Protected Mode checks and actions taken in
the loading of a segment register:

IF SS is loaded:
   IF selector is null THEN #GP(0); FI;
   Selector index must be within its descriptor table limits ELSE
      #GP(selector);
   Selector's RPL must equal CPL ELSE #GP(selector);
   AR byte must indicate a writable data segment ELSE #GP(selector);
   DPL in the AR byte must equal CPL ELSE #GP(selector);
   Segment must be marked present ELSE #SS(selector);
   Load SS with selector;
   Load SS with descriptor;
IF DS, ES, FS, or GS is loaded with non-null selector:
   Selector index must be within its descriptor table limits ELSE
      #GP(selector);
   AR byte must indicate data or readable code segment ELSE
      #GP(selector);
   IF data or nonconforming code
   THEN both the RPL and the CPL must be less than or equal to DPL in
      AR byte ELSE #GP(selector);
   FI;
   Segment must be marked present ELSE #NP(selector);
   Load segment register with selector and RPL bits;
   Load segment register with descriptor;
IF DS, ES, FS or GS is loaded with a null selector:
   Clear descriptor valid bit;

Flags Affected

None

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
the second operand must be a memory operand, not a register; #GP(0)
if a null selector is loaded into SS; #PF(fault-code) for a page fault

Real Address Mode Exceptions

The second operand must be a memory operand, not a register; Interrupt
13 if any part of the operand would lie outside of the effective address
space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
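The check listing above is the rule an operating system relies on when it loads a selector that came from a less privileged caller: because both RPL and CPL must be ≤ DPL for data and nonconforming code, a kernel that carries the caller's RPL of 3 on the selector is refused access to ring-0 data exactly as the caller would be. The following C model is an added example, not code from the Intel manual; it follows the SS and DS/ES/FS/GS paths of the listing (the same checks apply to MOV Sreg,r/m16 below), takes descriptor fields directly, and reduces the table-limit check to a flag. The names `sreg_load_check`, `seg_desc` and the sample descriptors are this example's own.

```c
/* Added example, not from the Intel manual: the protected-mode checks the
 * 80386 applies when LSS, or LDS/LES/LFS/LGS, loads a selector, following
 * the listing above (MOV Sreg,r/m16 applies the same checks). Descriptor
 * fields are supplied directly; "index within table limits" is a flag. */
#include <stdint.h>
#include <stdbool.h>

enum sreg { SREG_SS, SREG_DS, SREG_ES, SREG_FS, SREG_GS };

/* Outcome; the *_SEL variants carry the selector as the error code. */
enum load_result { LOAD_OK, LOAD_OK_NULL, GP_0, GP_SEL, SS_SEL, NP_SEL };

struct seg_desc {
    bool in_table;    /* selector index within its descriptor table limits */
    bool present;
    unsigned dpl;
    bool system;      /* S=0: LDT, TSS, gate; never loadable into a segment register */
    bool is_code;     /* S=1 and AR bit 3 set */
    bool readable;    /* code segments */
    bool conforming;  /* code segments */
    bool writable;    /* data segments */
};

static enum load_result sreg_load_check(enum sreg reg, uint16_t selector,
                                        unsigned cpl, const struct seg_desc *d)
{
    unsigned rpl = selector & 3u;
    bool null_sel = (selector & ~3u) == 0;       /* values 0000-0003 */

    if (reg == SREG_SS) {
        if (null_sel) return GP_0;
        if (!d->in_table) return GP_SEL;
        if (rpl != cpl) return GP_SEL;
        if (d->system || d->is_code || !d->writable) return GP_SEL;  /* writable data only */
        if (d->dpl != cpl) return GP_SEL;
        return d->present ? LOAD_OK : SS_SEL;
    }

    if (null_sel) return LOAD_OK_NULL;   /* allowed; descriptor valid bit cleared */
    if (!d->in_table) return GP_SEL;
    if (d->system) return GP_SEL;
    if (d->is_code && !d->readable) return GP_SEL;   /* data or readable code only */
    if (!d->is_code || !d->conforming) {
        /* data or nonconforming code: both RPL and CPL must be <= DPL */
        if (rpl > d->dpl || cpl > d->dpl) return GP_SEL;
    }
    return d->present ? LOAD_OK : NP_SEL;
}

/* Constructed sample descriptors (not from the manual). */
static const struct seg_desc KERNEL_DATA = { .in_table = true, .present = true, .dpl = 0, .writable = true };
static const struct seg_desc USER_DATA   = { .in_table = true, .present = true, .dpl = 3, .writable = true };
static const struct seg_desc USER_RODATA = { .in_table = true, .present = true, .dpl = 3, .writable = false };
static const struct seg_desc KERNEL_CODE = { .in_table = true, .present = true, .dpl = 0, .is_code = true, .readable = true };
static const struct seg_desc CONF_CODE   = { .in_table = true, .present = true, .dpl = 0, .is_code = true, .readable = true, .conforming = true };
static const struct seg_desc XO_CODE     = { .in_table = true, .present = true, .dpl = 3, .is_code = true, .readable = false };
static const struct seg_desc ABSENT_DATA = { .in_table = true, .present = false, .dpl = 3, .writable = true };
static const struct seg_desc LDT_DESC    = { .in_table = true, .present = true, .dpl = 0, .system = true };
```

Selector 0013H (index 2, RPL 3) loaded into DS at CPL 0 against a ring-0 data descriptor is refused with #GP(selector), while the same index with RPL 0 (0010H) succeeds: that is the RPL "weakening" the text describes, and it is why a kernel copying a user-supplied selector should keep or force its RPL to 3.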
LLDT -- Load Local Descriptor Table Register

Opcode     Instruction   Clocks   Description
0F 00 /2   LLDT r/m16    20       Load selector r/m16 into LDTR

Operation

LDTR ← SRC;

Description

LLDT loads the Local Descriptor Table register (LDTR). The word
operand (memory or register) to LLDT should contain a selector to the
Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor
Table. If so, then the LDTR is loaded from the entry. The descriptor
registers DS, ES, SS, FS, GS, and CS are not affected. The LDT field in the
task state segment does not change.

The selector operand can be 0; if so, the LDTR is marked invalid, and all
subsequent references to LDT descriptors (except by the LAR, VERR, VERW or
LSL instructions) cause a #GP fault.

LLDT is used in operating system software; it is not used in application
programs.

Flags Affected

None

Protected Mode Exceptions

#GP(0) if the current privilege level is not 0; #GP(selector) if the
selector operand does not point into the Global Descriptor Table, or if the
entry in the GDT is not a Local Descriptor Table; #NP(selector) if the
LDT descriptor is not present; #GP(0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 6; LLDT is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode (because the instruction is
not recognized, it will not execute or perform a memory reference)

Notes

The operand-size attribute has no effect on this instruction.
LMSW -- Load Machine Status Word

Opcode     Instruction   Clocks   Description
0F 01 /6   LMSW r/m16    10/13    Load r/m16 in machine status word

Operation

MSW ← r/m16; (* 16 bits is stored in the machine status word *)

Description

LMSW loads the machine status word (part of CR0) from the source
operand. This instruction can be used to switch to Protected Mode; if so,
it must be followed by an intrasegment jump to flush the instruction
queue. LMSW will not switch back to Real Address Mode.

LMSW is used only in operating system software. It is not used in
application programs.

Flags Affected

None

Protected Mode Exceptions

#GP(0) if the current privilege level is not 0; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault

Notes

The operand-size attribute has no effect on this instruction. This
instruction is provided for compatibility with the 80286; 80386 programs
should use MOV CR0, ... instead.
LOCK -- Assert LOCK# Signal Prefix

Opcode   Instruction   Clocks   Description
F0       LOCK          0        Assert LOCK# signal for the next instruction

Description

The LOCK prefix causes the LOCK# signal of the 80386 to be asserted
during execution of the instruction that follows it. In a multiprocessor
environment, this signal can be used to ensure that the 80386 has
exclusive use of any shared memory while LOCK# is asserted. The
read-modify-write sequence typically used to implement test-and-set on the
80386 is the BTS instruction.

The LOCK prefix functions only with the following instructions:

BT, BTS, BTR, BTC                    mem, reg/imm
XCHG                                 reg, mem
XCHG                                 mem, reg
ADD, OR, ADC, SBB, AND, SUB, XOR     mem, reg/imm
NOT, NEG, INC, DEC                   mem

An undefined opcode trap will be generated if a LOCK prefix is used
with any instruction not listed above.

XCHG always asserts LOCK# regardless of the presence or absence of
the LOCK prefix.

The integrity of the LOCK is not affected by the alignment of the
memory field. Memory locking is observed for arbitrarily misaligned
fields.

Locked access is not assured if another 80386 processor is executing an
instruction concurrently that has one of the following characteristics:

• Is not preceded by a LOCK prefix
• Is not one of the instructions in the preceding list
• Specifies a memory operand that does not exactly overlap the
  destination operand. Locking is not guaranteed for partial overlap,
  even if one memory operand is wholly contained within another.
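The test-and-set the text refers to is a single LOCK BTS: the bit test and the bit set happen in one locked read-modify-write, so two processors cannot both observe the bit clear. The following C lock is an added example, not code from the Intel manual. It assumes GCC or Clang: on x86 it emits the literal `lock btsl`, and on other targets the same fetch-or is done with the `__atomic` builtins so the file still compiles; the spin loop re-reads the word without LOCK so that only the acquisition attempt itself is a locked cycle. The names `tas_lock`, `lock_bts0`, `tas_try_acquire`, `tas_acquire`, `tas_release` and `tas_selftest` are this example's own.

```c
/* Added example, not from the Intel manual: a test-and-set lock built on
 * LOCK BTS, the read-modify-write the text names. Assumes GCC or Clang. */
#include <stdint.h>
#include <stdbool.h>

typedef struct { volatile uint32_t word; } tas_lock;

/* Atomically set bit 0 of *p and return its previous value
 * (false = the bit was clear, i.e. we now own the lock). */
static bool lock_bts0(volatile uint32_t *p)
{
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    bool was_set;
    /* LOCK BTS: test bit 0 into CF and set it, as one locked bus cycle. */
    __asm__ __volatile__("lock btsl $0, %0\n\t"
                         "setc %1"
                         : "+m"(*p), "=q"(was_set)
                         :
                         : "cc", "memory");
    return was_set;
#else
    /* Same operation expressed portably for non-x86 hosts. */
    return (__atomic_fetch_or(p, 1u, __ATOMIC_ACQUIRE) & 1u) != 0;
#endif
}

/* One attempt; true if the lock was free and is now ours. */
static bool tas_try_acquire(tas_lock *l)
{
    return !lock_bts0(&l->word);
}

/* Spin until acquired. The inner loop is a plain read so the bus is not
 * held by repeated locked cycles while someone else owns the lock. */
static void tas_acquire(tas_lock *l)
{
    while (lock_bts0(&l->word)) {
        while (l->word & 1u) {
            /* spin on an ordinary read */
        }
    }
}

/* Release: a plain aligned store of 0 is atomic; the release ordering
 * keeps the protected writes ahead of it. */
static void tas_release(tas_lock *l)
{
    __atomic_store_n(&l->word, 0u, __ATOMIC_RELEASE);
}

/* Exercise the lock on one thread: returns the number of the first step
 * whose outcome was wrong, or 0 if every step behaved as a lock must. */
static int tas_selftest(void)
{
    tas_lock l = { 0 };
    if (!tas_try_acquire(&l)) return 1;   /* a free lock must be taken */
    if (tas_try_acquire(&l))  return 2;   /* a held lock must be refused */
    if (l.word != 1u)         return 3;   /* only bit 0 is used */
    tas_release(&l);
    if (l.word != 0u)         return 4;
    tas_acquire(&l);                      /* free again, must not spin */
    if (!lock_bts0(&l.word))  return 5;   /* bit already set: BTS reports it */
    tas_release(&l);
    return 0;
}
```

The misalignment remark in the text is the reason the lock word needs no special placement on the 80386 itself; keeping it aligned is still the sensible default so the unlocked spin read is a single access.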
Flags Affected

None

Protected Mode Exceptions

#UD if LOCK is used with an instruction not listed in the "Description"
section above; other exceptions can be generated by the subsequent
(locked) instruction

Real Address Mode Exceptions

Interrupt 6 if LOCK is used with an instruction not listed in the
"Description" section above; exceptions can still be generated by the
subsequent (locked) instruction

Virtual 8086 Mode Exceptions

#UD if LOCK is used with an instruction not listed in the "Description"
section above; exceptions can still be generated by the subsequent (locked)
instruction
LODS/LODSB/LODSW/LODSD -- Load String Operand

Opcode   Instruction   Clocks   Description
AC       LODS m8       5        Load byte [(E)SI] into AL
AD       LODS m16      5        Load word [(E)SI] into AX
AD       LODS m32      5        Load dword [(E)SI] into EAX
AC       LODSB         5        Load byte DS:[(E)SI] into AL
AD       LODSW         5        Load word DS:[(E)SI] into AX
AD       LODSD         5        Load dword DS:[(E)SI] into EAX

Operation

IF AddressSize = 16
THEN use SI for source-index
ELSE (* AddressSize = 32 *)
   use ESI for source-index;
FI;
IF byte type of instruction
THEN
   AL ← [source-index]; (* byte load *)
   IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
ELSE
   IF OperandSize = 16
   THEN
      AX ← [source-index]; (* word load *)
      IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
   ELSE (* OperandSize = 32 *)
      EAX ← [source-index]; (* dword load *)
      IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
   FI;
FI;
source-index ← source-index + IncDec;

Description

LODS loads the AL, AX, or EAX register with the memory byte, word,
or doubleword at the location pointed to by the source-index register.
After the transfer is made, the source-index register is automatically
advanced. If the direction flag is 0 (CLD was executed), the source index
increments; if the direction flag is 1 (STD was executed), it decrements.
The increment or decrement is 1 if a byte is loaded, 2 if a word is loaded,
or 4 if a doubleword is loaded.

If the address-size attribute for this instruction is 16 bits, SI is used
for the source-index register; otherwise the address-size attribute is 32
bits, and the ESI register is used. The address of the source data is
determined solely by the contents of ESI/SI. Load the correct index value
into SI or ESI before executing the LODS instruction. LODSB, LODSW, LODSD
are synonyms for the byte, word, and doubleword LODS instructions.

LODS can be preceded by the REP prefix; however, LODS is used more typically
within a LOOP construct, because further processing of the data moved into
EAX, AX, or AL is usually necessary.

Flags Affected

None

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
LOOP/LOOPcond -- Loop Control with CX Counter

Opcode   Instruction    Clocks   Description
E2 cb    LOOP rel8      11+m     DEC count; jump short if count <> 0
E1 cb    LOOPE rel8     11+m     DEC count; jump short if count <> 0 and ZF=1
E1 cb    LOOPZ rel8     11+m     DEC count; jump short if count <> 0 and ZF=1
E0 cb    LOOPNE rel8    11+m     DEC count; jump short if count <> 0 and ZF=0
E0 cb    LOOPNZ rel8    11+m     DEC count; jump short if count <> 0 and ZF=0

Operation

IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; FI;
CountReg ← CountReg - 1;
IF instruction <> LOOP
THEN
   IF (instruction = LOOPE) OR (instruction = LOOPZ)
   THEN BranchCond ← (ZF = 1) AND (CountReg <> 0);
   FI;
   IF (instruction = LOOPNE) OR (instruction = LOOPNZ)
   THEN BranchCond ← (ZF = 0) AND (CountReg <> 0);
   FI;
ELSE BranchCond ← CountReg <> 0;
FI;
IF BranchCond
THEN
   IF OperandSize = 16
   THEN
      IP ← IP + SignExtend(rel8);
   ELSE (* OperandSize = 32 *)
      EIP ← EIP + SignExtend(rel8);
   FI;
FI;

Description

LOOP decrements the count register without changing any of the flags.
Conditions are then checked for the form of LOOP being used. If the
conditions are met, a short jump is made to the label given by the operand
to LOOP. If the address-size attribute is 16 bits, the CX register is used
as the count register; otherwise the ECX register is used. The operand
of LOOP must be in the range from 128 (decimal) bytes before the
instruction to 127 bytes ahead of the instruction.

The LOOP instructions provide iteration control and combine loop index
management with conditional branching. Use the LOOP instruction by
loading an unsigned iteration count into the count register, then code the
LOOP at the end of a series of instructions to be iterated. The
destination of LOOP is a label that points to the beginning of the
iteration. Because the count is decremented before it is tested, a count
register that is 0 on entry wraps and produces 65536 (CX) or 2^32 (ECX)
iterations rather than none.

Flags Affected

None

Protected Mode Exceptions

#GP(0) if the offset jumped to is beyond the limits of the current code
segment

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
LSL -- Load Segment Limit

Opcode     Instruction      Clocks     Description
0F 03 /r   LSL r16,r/m16    pm=20/21   Load: r16 ← segment limit, selector r/m16 (byte granular)
0F 03 /r   LSL r32,r/m32    pm=20/21   Load: r32 ← segment limit, selector r/m32 (byte granular)
0F 03 /r   LSL r16,r/m16    pm=25/26   Load: r16 ← segment limit, selector r/m16 (page granular)
0F 03 /r   LSL r32,r/m32    pm=25/26   Load: r32 ← segment limit, selector r/m32 (page granular)

Description

The LSL instruction loads a register with an unscrambled segment limit,
and sets ZF to 1, provided that the source selector is visible at the CPL
weakened by RPL, and that the descriptor is a type accepted by LSL.
Otherwise, ZF is cleared to 0, and the destination register is unchanged.
The segment limit is loaded as a byte granular value. If the descriptor
has a page granular segment limit, LSL will translate it to a byte limit
before loading it in the destination register (shift left 12 the 20-bit
"raw" limit from descriptor, then OR with 00000FFFH).

The 32-bit forms of this instruction store the 32-bit byte granular limit
in the 32-bit destination register; the 16-bit forms store only the
low-order 16 bits of that limit in the 16-bit destination register.

Code and data segment descriptors are valid for LSL.

The valid special segment and gate descriptor types for LSL are given
in the following table:

Type   Name                     Valid/Invalid
0      Invalid                  Invalid
1      Available 80286 TSS      Valid
2      LDT                      Valid
3      Busy 80286 TSS           Valid
4      80286 call gate          Invalid
5      80286/80386 task gate    Invalid
6      80286 trap gate          Invalid
7      80286 interrupt gate     Invalid
8      Invalid                  Invalid
9      Available 80386 TSS      Valid
A      Invalid                  Invalid
B      Busy 80386 TSS           Valid
C      80386 call gate          Invalid
D      Invalid                  Invalid
E      80386 trap gate          Invalid
F      80386 interrupt gate     Invalid
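LAR and LSL are the two instructions this chapter offers for inspecting a selector without loading it, which is how an operating system can vet a caller-supplied selector before trusting it. The following C routines are an added example, not code from the Intel manual, and serve both the LAR description above and this LSL description: they decode the raw eight descriptor bytes, apply the visibility rule both instructions share (a conforming code segment is always visible, anything else needs DPL ≥ the larger of CPL and RPL), apply each instruction's type table, and compute the LAR mask and the page-to-byte limit expansion. The selector-to-table lookup and the null-selector case are outside the model, the undefined "x" nibble of the LAR mask is modelled as zero, and the descriptors and names (`decode`, `visible`, `lar_reg`, `lsl_reg`, `DESC_*`) are constructed for this example.

```c
/* Added example, not from the Intel manual: what LAR and LSL return for an
 * 80386 descriptor, and the visibility and type checks both instructions
 * apply. The input is the raw eight descriptor bytes as they sit in the
 * GDT or LDT; the selector-to-table lookup and the null-selector case (ZF=0)
 * are outside this model. */
#include <stdint.h>
#include <stdbool.h>

struct desc_view {
    uint32_t dword1;     /* second doubleword: base 31..24, G, D, limit 19..16, AR, base 23..16 */
    bool     system;     /* S bit clear: TSS, LDT or gate */
    unsigned type;       /* low four bits of the AR byte */
    unsigned dpl;
    bool     granular;   /* G bit: limit counts 4 KB pages */
    uint32_t raw_limit;  /* 20-bit limit field */
};

static struct desc_view decode(const uint8_t d[8])
{
    struct desc_view v;
    v.dword1 = (uint32_t)d[4] | (uint32_t)d[5] << 8 |
               (uint32_t)d[6] << 16 | (uint32_t)d[7] << 24;
    v.system = !(d[5] & 0x10);
    v.type = d[5] & 0x0F;
    v.dpl = (d[5] >> 5) & 3;
    v.granular = (d[6] & 0x80) != 0;
    v.raw_limit = (uint32_t)d[0] | (uint32_t)d[1] << 8 | (uint32_t)(d[6] & 0x0F) << 16;
    return v;
}

/* "Visible at the CPL weakened by RPL": conforming code segments are always
 * visible, everything else needs DPL >= max(CPL, RPL). */
static bool visible(const struct desc_view *v, unsigned cpl, unsigned rpl)
{
    bool conforming_code = !v->system && (v->type & 0x0C) == 0x0C;
    unsigned effective = cpl > rpl ? cpl : rpl;
    return conforming_code || v->dpl >= effective;
}

/* Special-type tables from the LAR and LSL descriptions. */
static bool lar_type_ok(const struct desc_view *v)
{
    if (!v->system) return true;             /* all code and data segments */
    return v->type != 0x0 && v->type != 0x8 && v->type != 0xA && v->type != 0xD;
}

static bool lsl_type_ok(const struct desc_view *v)
{
    if (!v->system) return true;
    return v->type == 0x1 || v->type == 0x2 || v->type == 0x3 ||
           v->type == 0x9 || v->type == 0xB;  /* TSSs and LDT only; no gates */
}

static bool lar_zf(const uint8_t d[8], unsigned cpl, unsigned rpl)
{
    struct desc_view v = decode(d);
    return lar_type_ok(&v) && visible(&v, cpl, rpl);
}

/* Value of the 32-bit destination after LAR r32,sel. When ZF=0 the register
 * keeps its previous contents. The manual leaves the "x" nibble of the
 * 00FxFF00 mask undefined; this model clears it. */
static uint32_t lar_reg(uint32_t dest_before, const uint8_t d[8], unsigned cpl, unsigned rpl)
{
    if (!lar_zf(d, cpl, rpl)) return dest_before;
    return decode(d).dword1 & 0x00F0FF00u;
}

static bool lsl_zf(const uint8_t d[8], unsigned cpl, unsigned rpl)
{
    struct desc_view v = decode(d);
    return lsl_type_ok(&v) && visible(&v, cpl, rpl);
}

/* Value after LSL r32,sel: a byte-granular limit, expanded from pages. */
static uint32_t lsl_reg(uint32_t dest_before, const uint8_t d[8], unsigned cpl, unsigned rpl)
{
    if (!lsl_zf(d, cpl, rpl)) return dest_before;
    struct desc_view v = decode(d);
    return v.granular ? (v.raw_limit << 12) | 0xFFFu : v.raw_limit;
}

/* Constructed sample descriptors (not from the manual), in GDT byte order:
 * limit 15..0, base 15..0, base 23..16, AR byte, G/D/limit 19..16, base 31..24. */
static const uint8_t DESC_RING0_CODE[8] = {0xFF,0xFF,0x00,0x00,0x00,0x9A,0xCF,0x00}; /* nonconforming, DPL 0 */
static const uint8_t DESC_RING0_CONF[8] = {0xFF,0xFF,0x00,0x00,0x00,0x9E,0xCF,0x00}; /* conforming, DPL 0 */
static const uint8_t DESC_RING3_DATA[8] = {0xFF,0xFF,0x00,0x00,0x00,0xF2,0xCF,0x00}; /* data R/W, DPL 3, 4 GB */
static const uint8_t DESC_TSS286[8]     = {0x2B,0x00,0x00,0x10,0x00,0x81,0x00,0x00}; /* available 80286 TSS, DPL 0 */
static const uint8_t DESC_CALL_GATE[8]  = {0x00,0x10,0x08,0x00,0x00,0xEC,0x00,0x00}; /* 80386 call gate, DPL 3 */
```

From CPL 3 the ring-0 nonconforming code descriptor is invisible (ZF=0, register untouched) while the ring-0 conforming one is reported; the call gate is a valid LAR target but an invalid LSL target, matching the two tables.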
Flags Affected

ZF as described above

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 6; LSL is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode
LTR -- Load Task Register

Opcode     Instruction   Clocks     Description
0F 00 /3   LTR r/m16     pm=23/27   Load EA word into task register

Description

LTR loads the task register from the source register or memory location
specified by the operand. The loaded task state segment is marked busy.
A task switch does not occur.

LTR is used only in operating system software; it is not used in
application programs.

Flags Affected

None

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#GP(0) if the current privilege level is not 0; #GP(selector) if the object
named by the source selector is not a TSS or is already busy;
#NP(selector) if the TSS is marked "not present"; #PF(fault-code) for
a page fault

Real Address Mode Exceptions

Interrupt 6; LTR is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode

Notes

The operand-size attribute has no effect on this instruction.
MOV -- Move Data

Opcode Instruction Clocks Description

88 /r MOV r/m8,r8 2/2 Move byte register to r/m byte
89 /r MOV r/m16,r16 2/2 Move word register to r/m word
89 /r MOV r/m32,r32 2/2 Move dword register to r/m dword
8A /r MOV r8,r/m8 2/4 Move r/m byte to byte register
8B /r MOV r16,r/m16 2/4 Move r/m word to word register
8B /r MOV r32,r/m32 2/4 Move r/m dword to dword register
8C /r MOV r/m16,Sreg 2/2 Move segment register to r/m word
8D /r MOV Sreg,r/m16 2/5,pm=18/19 Move r/m word to segment register
A0 MOV AL,moffs8 4 Move byte at (seg:offset) to AL
A1 MOV AX,moffs16 4 Move word at (seg:offset) to AX
A1 MOV EAX,moffs32 4 Move dword at (seg:offset) to EAX
A2 MOV moffs8,AL 2 Move AL to (seg:offset)
A3 MOV moffs16,AX 2 Move AX to (seg:offset)
A3 MOV moffs32,EAX 2 Move EAX to (seg:offset)
B0 + rb MOV reg8,imm8 2 Move immediate byte to register
B8 + rw MOV reg16,imm16 2 Move immediate word to register
B8 + rd MOV reg32,imm32 2 Move immediate dword to register
C6 MOV r/m8,imm8 2/2 Move immediate byte to r/m byte
C7 MOV r/m16,imm16 2/2 Move immediate word to r/m word
C7 MOV r/m32,imm32 2/2 Move immediate dword to r/m dword

----------------------------------------------------------------------
moffs8, moffs16, and moffs32 all consist of a simple offset relative
to the segment base. The 8, 16, and 32 refer to the size of the data. The
address-size attribute of the instruction determines the size of the
offset, either 16 or 32 bits.
----------------------------------------------------------------------

MOV copies the second operand to the first operand.

If the destination operand is a segment register (DS, ES, SS, etc.), then
data from a descriptor is also loaded into the register. The data for the
register is obtained from the descriptor table entry for the selector
given. A null selector (values 0000-0003) can be loaded into DS and ES
registers without causing an exception; however, use of DS or ES causes a
#GP(0), and no memory reference occurs.

A MOV into SS inhibits all interrupts until after the execution of the
next instruction (which is presumably a MOV into eSP).

Loading a segment register under 80386 Protected Mode results in special
checks and actions, as described in the following listing:

IF selector is null THEN #GP(0);
Selector index must be within its descriptor table limits else
Selector's RPL must equal CPL else #GP(selector);
AR byte must indicate a writable data segment else #GP(selector);
DPL in the AR byte must equal CPL else #GP(selector);
Segment must be marked present else #SS(selector);
Load SS with selector;
Load SS with descriptor.

IF DS, ES, FS or GS is loaded with non-null selector;
   Selector index must be within its descriptor table limits
      else #GP(selector);
   AR byte must indicate data or readable code segment else
   IF data or nonconforming code segment
   THEN both the RPL and the CPL must be less than or equal to DPL in
   ELSE #GP(selector);
   Segment must be marked present else #NP(selector);
   Load segment register with selector;
   Load segment register with descriptor;

IF DS, ES, FS or GS is loaded with a null selector;
   Load segment register with selector;
   Clear descriptor valid bit;
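The checks in the listing above, written out as an added C example (not code from the manual): `load_ss` and `load_data_seg` apply the SS and the DS/ES/FS/GS rules in the order the listing gives them, against a table that holds only each descriptor's access-rights byte. The struct and function names, the single-table model (the TI bit is ignored) and the sample descriptors are assumptions of this example; the AR byte bit layout is the standard 80386 one, which this page refers to but does not spell out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of loading a segment register, named after the faults in the listing. */
enum seg_load_result {
    LOAD_OK = 0,
    LOAD_NULL,          /* null selector accepted; descriptor valid bit cleared */
    LOAD_GP_ZERO,       /* #GP(0) */
    LOAD_GP_SELECTOR,   /* #GP(selector) */
    LOAD_SS_SELECTOR,   /* #SS(selector) */
    LOAD_NP_SELECTOR    /* #NP(selector) */
};

/* Standard 80386 access-rights (AR) byte layout for code/data descriptors
 * (assumed here; the page names the AR byte without listing its bits):
 *   bit 7 P, bits 6:5 DPL, bit 4 S=1 (code/data), bit 3 code(1)/data(0),
 *   bit 2 conforming (code) or expand-down (data), bit 1 readable (code) or writable (data). */
#define AR_P        0x80
#define AR_S        0x10
#define AR_CODE     0x08
#define AR_CONFORM  0x04
#define AR_RW       0x02
#define AR_DPL(ar)  (((ar) >> 5) & 3u)

/* One descriptor table holding only the AR byte of each entry (assumption: TI bit ignored). */
struct desc_table { const uint8_t *ar; size_t entries; };

static bool is_null(uint16_t sel) { return (sel & ~3u) == 0; }          /* values 0000-0003 */
static bool in_limits(uint16_t sel, const struct desc_table *t) { return (size_t)(sel >> 3) < t->entries; }

/* MOV into SS: every check in the order the listing gives it. */
enum seg_load_result load_ss(uint16_t sel, unsigned cpl, const struct desc_table *t) {
    if (is_null(sel))          return LOAD_GP_ZERO;
    if (!in_limits(sel, t))    return LOAD_GP_SELECTOR;
    uint8_t ar = t->ar[sel >> 3];
    if ((sel & 3u) != cpl)     return LOAD_GP_SELECTOR;   /* RPL must equal CPL */
    bool writable_data = (ar & AR_S) && !(ar & AR_CODE) && (ar & AR_RW);
    if (!writable_data)        return LOAD_GP_SELECTOR;
    if (AR_DPL(ar) != cpl)     return LOAD_GP_SELECTOR;   /* DPL must equal CPL */
    if (!(ar & AR_P))          return LOAD_SS_SELECTOR;   /* not present */
    return LOAD_OK;
}

/* MOV into DS, ES, FS or GS. */
enum seg_load_result load_data_seg(uint16_t sel, unsigned cpl, const struct desc_table *t) {
    if (is_null(sel))          return LOAD_NULL;          /* no fault until the register is used */
    if (!in_limits(sel, t))    return LOAD_GP_SELECTOR;
    uint8_t ar = t->ar[sel >> 3];
    bool data          = (ar & AR_S) && !(ar & AR_CODE);
    bool readable_code = (ar & AR_S) && (ar & AR_CODE) && (ar & AR_RW);
    if (!data && !readable_code) return LOAD_GP_SELECTOR;
    bool conforming = readable_code && (ar & AR_CONFORM);
    if (!conforming) {                                    /* data or nonconforming code */
        unsigned rpl = sel & 3u, dpl = AR_DPL(ar);
        if (rpl > dpl || cpl > dpl) return LOAD_GP_SELECTOR;
    }
    if (!(ar & AR_P))          return LOAD_NP_SELECTOR;
    return LOAD_OK;
}

/* Constructed sample table (not from the manual). Index: 0 null,
 * 1 user writable data (DPL 3), 2 kernel writable data (DPL 0),
 * 3 kernel readable nonconforming code, 4 user data marked not present,
 * 5 kernel conforming readable code. */
static const uint8_t demo_ar[] = { 0x00, 0xF2, 0x92, 0x9A, 0x72, 0x9E };
const struct desc_table demo_table = { demo_ar, sizeof demo_ar };

int main(void) {
    printf("CPL 3 loads user data into DS (0x0B): %d\n", load_data_seg(0x0B, 3, &demo_table));
    printf("CPL 3 loads kernel data into DS (0x13): %d\n", load_data_seg(0x13, 3, &demo_table));
    printf("CPL 3 loads SS with RPL 0 (0x08): %d\n", load_ss(0x08, 3, &demo_table));
    return 0;
}
```

Both functions return the fault the processor would raise instead of raising it, so the outcomes can be tabulated directly. The point worth noticing for operating-system code is the asymmetry the listing states: a null selector is rejected outright for SS but accepted for the data segment registers, where the #GP(0) is deferred until the register is actually used.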
Protected Mode Exceptions

#GP, #SS, and #NP if a segment register is being loaded; otherwise,
#GP(0) if the destination is in a nonwritable segment; #GP(0) for an
illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
MOV -- Move to/from Special Registers

Opcode Instruction Clocks Description

0F 20 /r MOV r32,CR0/CR2/CR3 6 Move (control register) to
0F 22 /r MOV CR0/CR2/CR3,r32 10/4/5 Move (register) to (control
0F 21 /r MOV r32,DR0 -- 3 22 Move (debug register) to
0F 21 /r MOV r32,DR6/DR7 14 Move (debug register) to
0F 23 /r MOV DR0 -- 3,r32 22 Move (register) to (debug
0F 23 /r MOV DR6/DR7,r32 16 Move (register) to (debug
0F 24 /r MOV r32,TR6/TR7 12 Move (test register) to
0F 26 /r MOV TR6/TR7,r32 12 Move (register) to (test

The above forms of MOV store or load the following special registers in
or from a general purpose register:

• Control registers CR0, CR2, and CR3
• Debug Registers DR0, DR1, DR2, DR3, DR6, and DR7
• Test Registers TR6 and TR7

32-bit operands are always used with these instructions, regardless of the
operand-size attribute.

OF, SF, ZF, AF, PF, and CF are undefined

Protected Mode Exceptions

#GP(0) if the current privilege level is not 0

Real Address Mode Exceptions

Virtual 8086 Mode Exceptions

#GP(0) if instruction execution is attempted

The instructions must be executed at privilege level 0 or in real-address
mode; otherwise, a protection exception will be raised.

The reg field within the ModRM byte specifies which of the special
registers in each category is involved. The two bits in the field are
always 11. The r/m field specifies the general register involved.
MOVS/MOVSB/MOVSW/MOVSD -- Move Data from String to String

Opcode Instruction Clocks Description

A4 MOVS m8,m8 7 Move byte [(E)SI] to ES:[(E)DI]
A5 MOVS m16,m16 7 Move word [(E)SI] to ES:[(E)DI]
A5 MOVS m32,m32 7 Move dword [(E)SI] to ES:[(E)DI]
A4 MOVSB 7 Move byte DS:[(E)SI] to ES:[(E)DI]
A5 MOVSW 7 Move word DS:[(E)SI] to ES:[(E)DI]
A5 MOVSD 7 Move dword DS:[(E)SI] to ES:[(E)DI]

IF (instruction = MOVSD) OR (instruction has doubleword operands)
THEN OperandSize ← 32;
ELSE OperandSize ← 16;
IF AddressSize = 16
THEN use SI for source-index and DI for destination-index;
ELSE (* AddressSize = 32 *)
   use ESI for source-index and EDI for destination-index;
IF byte type of instruction
   [destination-index] ← [source-index]; (* byte assignment *)
   IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
IF OperandSize = 16
   [destination-index] ← [source-index]; (* word assignment *)
   IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
ELSE (* OperandSize = 32 *)
   [destination-index] ← [source-index]; (* doubleword assignment *)
   IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
source-index ← source-index + IncDec;
destination-index ← destination-index + IncDec;

MOVS copies the byte or word at [(E)SI] to the byte or word at
ES:[(E)DI]. The destination operand must be addressable from the ES
register; no segment override is possible for the destination. A segment
override can be used for the source operand; the default is DS.

The addresses of the source and destination are determined solely by the
contents of (E)SI and (E)DI. Load the correct index values into (E)SI
and (E)DI before executing the MOVS instruction. MOVSB, MOVSW,
and MOVSD are synonyms for the byte, word, and doubleword MOVS

After the data is moved, both (E)SI and (E)DI are advanced
automatically. If the direction flag is 0 (CLD was executed), the registers
are incremented; if the direction flag is 1 (STD was executed), the
registers are decremented. The registers are incremented or decremented by 1
if a byte was moved, 2 if a word was moved, or 4 if a doubleword was moved.

MOVS can be preceded by the REP prefix for block movement of CX
bytes or words. Refer to the REP instruction for details of this operation.
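An added C model of MOVS and REP MOVS (example code, not the manual's pseudocode) that goes one step beyond the listing: it shows why the direction flag matters when source and destination overlap. `struct string_cpu`, `rep_movs` and `movsb_memmove` are hypothetical names; one flat array stands in for both DS and ES, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flat model of the string-move state (hypothetical struct): one memory
 * array stands in for both DS:[(E)SI] and ES:[(E)DI]. */
struct string_cpu {
    uint8_t *mem;
    size_t   mem_size;
    uint32_t esi, edi, ecx;
    int      df;          /* direction flag: 0 after CLD, 1 after STD */
};

/* One MOVS of `width` bytes (1, 2 or 4): copy, then advance both indexes by
 * +width (DF = 0) or -width (DF = 1). Returns -1 where the hardware would
 * fault on an address outside the model memory. */
static int movs_step(struct string_cpu *c, unsigned width) {
    if ((size_t)c->esi + width > c->mem_size || (size_t)c->edi + width > c->mem_size)
        return -1;
    memmove(c->mem + c->edi, c->mem + c->esi, width);
    uint32_t incdec = c->df ? (0u - width) : width;   /* two's complement of width when DF = 1 */
    c->esi += incdec;
    c->edi += incdec;
    return 0;
}

/* REP MOVS: repeat the element move while (E)CX is non-zero, counting down. */
int rep_movs(struct string_cpu *c, unsigned width) {
    while (c->ecx != 0) {
        if (movs_step(c, width) != 0) return -1;
        c->ecx--;
    }
    return 0;
}

/* memmove built on REP MOVSB: walk downwards (STD, starting at the last byte)
 * when the destination lies above the source and overlaps it, else upwards (CLD). */
int movsb_memmove(struct string_cpu *c, uint32_t dst, uint32_t src, uint32_t n) {
    if (n == 0) return 0;
    if (dst > src && dst < src + n) {
        c->df = 1;
        c->esi = src + n - 1;
        c->edi = dst + n - 1;
    } else {
        c->df = 0;
        c->esi = src;
        c->edi = dst;
    }
    c->ecx = n;
    return rep_movs(c, 1);
}

/* Moves bytes 0..5 of a constructed 16-byte array up by two positions, once
 * with a plain forward REP MOVSB and once direction-aware. Returns 1 when the
 * forward copy smears the overlap and the direction-aware copy is exact. */
int overlap_demo(void) {
    uint8_t m1[16], m2[16];
    for (int i = 0; i < 16; i++) m1[i] = m2[i] = (uint8_t)i;
    static const uint8_t want[16] = { 0, 1, 0, 1, 2, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15 };

    struct string_cpu fwd = { m1, sizeof m1, 0, 2, 6, 0 };   /* ESI=0, EDI=2, ECX=6, CLD */
    rep_movs(&fwd, 1);

    struct string_cpu aware = { m2, sizeof m2, 0, 0, 0, 0 };
    movsb_memmove(&aware, 2, 0, 6);

    return memcmp(m1, want, 16) != 0 && memcmp(m2, want, 16) == 0;
}

/* Word move of two elements: checks the index advance of 2 per element. */
int word_move_demo(void) {
    uint8_t m[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    struct string_cpu c = { m, sizeof m, 0, 4, 2, 0 };       /* ESI=0, EDI=4, ECX=2, CLD */
    if (rep_movs(&c, 2) != 0) return 0;
    return c.esi == 4 && c.edi == 8 && c.ecx == 0 && m[4] == 1 && m[7] == 4;
}

/* The element would cross the end of memory: the move reports a fault. */
int fault_demo(void) {
    uint8_t m[8] = { 0 };
    struct string_cpu c = { m, sizeof m, 0, 7, 1, 0 };       /* EDI=7, a word needs bytes 7 and 8 */
    return rep_movs(&c, 2);
}

int main(void) {
    printf("overlap_demo=%d word_move_demo=%d fault_demo=%d\n",
           overlap_demo(), word_move_demo(), fault_demo());
    return 0;
}
```

The forward copy of bytes 0..5 to offset 2 re-reads bytes it has already overwritten, so the result is the pattern 0,1,0,1,... rather than a shifted copy; selecting STD and starting at the last element gives the exact move. A copy routine built on REP MOVS that ignores this produces silent data corruption, not a fault.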
Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
MOVSX -- Move with Sign-Extend

Opcode Instruction Clocks Description

0F BE /r MOVSX r16,r/m8 3/6 Move byte to word with sign-extend
0F BE /r MOVSX r32,r/m8 3/6 Move byte to dword, sign-extend
0F BF /r MOVSX r32,r/m16 3/6 Move word to dword, sign-extend

DEST ← SignExtend(SRC);

MOVSX reads the contents of the effective address or register as a byte
or a word, sign-extends the value to the operand-size attribute of the
instruction (16 or 32 bits), and stores the result in the destination

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
MOVZX -- Move with Zero-Extend

Opcode Instruction Clocks Description

0F B6 /r MOVZX r16,r/m8 3/6 Move byte to word with zero-extend
0F B6 /r MOVZX r32,r/m8 3/6 Move byte to dword, zero-extend
0F B7 /r MOVZX r32,r/m16 3/6 Move word to dword, zero-extend

DEST ← ZeroExtend(SRC);

MOVZX reads the contents of the effective address or register as a byte
or a word, zero extends the value to the operand-size attribute of the
instruction (16 or 32 bits), and stores the result in the destination
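Sign extension and zero extension written out in C as an added example (not from the manual), covering both MOVSX above and MOVZX: `sign_extend` and `zero_extend` are hypothetical helpers that compute what the two instructions store, and the one-byte length header is a constructed sample. The second pair of functions shows the practical consequence of picking the wrong one: a length byte of 0C8H read with sign extension becomes -56 and slips past a bound check that it should fail.

```c
#include <stdint.h>
#include <stdio.h>

/* Sign-extend the low `bits` (8 or 16) of v to 32 bits, as MOVSX r32,r/m8 or
 * MOVSX r32,r/m16 does; branch-free form: (v XOR sign) - sign. */
uint32_t sign_extend(uint32_t v, unsigned bits) {
    uint32_t mask = (1u << bits) - 1u;
    uint32_t sign = 1u << (bits - 1);
    v &= mask;
    return (v ^ sign) - sign;
}

/* Zero-extend the low `bits` of v to 32 bits, as MOVZX does. */
uint32_t zero_extend(uint32_t v, unsigned bits) {
    return v & ((1u << bits) - 1u);
}

/* Constructed header: one length byte (0C8H = 200) followed by payload. */
static const uint8_t sample_header[] = { 0xC8, 'p', 'a', 'y' };
#define BUF_LIMIT 100

/* Bound check when the length byte is loaded with sign extension into a
 * signed variable: 0C8H reads as -56 and wrongly passes `<= BUF_LIMIT`. */
int accepts_len_signed(const uint8_t *hdr) {
    int32_t len = (int32_t)sign_extend(hdr[0], 8);
    return len <= BUF_LIMIT;
}

/* The same check with zero extension: 0C8H stays 200 and is rejected. */
int accepts_len_unsigned(const uint8_t *hdr) {
    uint32_t len = zero_extend(hdr[0], 8);
    return len <= BUF_LIMIT;
}

int main(void) {
    printf("MOVSX 80H -> %08X, MOVZX 80H -> %08X\n", sign_extend(0x80, 8), zero_extend(0x80, 8));
    printf("length 0C8H accepted: signed=%d unsigned=%d\n",
           accepts_len_signed(sample_header), accepts_len_unsigned(sample_header));
    return 0;
}
```

A compiler emits MOVSX for a load into a signed type and MOVZX for an unsigned one, so the choice is made by the declared type of the length variable, not by the instruction the programmer had in mind; lengths and counts read from untrusted input belong in unsigned variables for exactly this reason.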
Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
MUL -- Unsigned Multiplication of AL or AX

Opcode Instruction Clocks Description

F6 /4 MUL AL,r/m8 9-14/12-17 Unsigned multiply (AX ← AL * r/m byte)
F7 /4 MUL AX,r/m16 9-22/12-25 Unsigned multiply (DX:AX ← AX * r/m
F7 /4 MUL EAX,r/m32 9-38/12-41 Unsigned multiply (EDX:EAX ← EAX * r/m

----------------------------------------------------------------------
The 80386 uses an early-out multiply algorithm. The actual number of
clocks depends on the position of the most significant bit in the
optimizing multiplier, shown underlined above. The optimization occurs
for positive and negative multiplier values. Because of the early-out
algorithm, clock counts given are minimum to maximum. To calculate the
actual clocks, use the following formula:

Actual clock = if m <> 0 then max(ceiling(log2 |m|), 3) + 6 clocks;
Actual clock = if m = 0 then 9 clocks

where m is the multiplier.
----------------------------------------------------------------------
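The early-out formula above, as an added C example (not from the manual): `mul_clocks` computes the clock count for a given multiplier and reproduces the minimum and maximum of each row in the table. `ceil_log2` and the `mem_operand` flag are names chosen for this example; the 3-clock difference between the register and memory columns is read off the table, not derived.

```c
#include <stdint.h>
#include <stdio.h>

/* ceil(log2(m)) for m >= 1, computed as the bit length of m - 1:
 * ceil_log2(1) = 0, ceil_log2(2) = 1, ceil_log2(3) = 2, ceil_log2(256) = 8. */
static unsigned ceil_log2(uint32_t m) {
    unsigned bits = 0;
    for (uint32_t v = m - 1; v != 0; v >>= 1) bits++;
    return bits;
}

/* Clocks for MUL by multiplier m per the formula above. `mem_operand` adds the
 * 3 clocks by which the table's memory column exceeds its register column. */
unsigned mul_clocks(uint32_t m, int mem_operand) {
    unsigned clocks;
    if (m == 0) {
        clocks = 9;
    } else {
        unsigned l = ceil_log2(m);
        clocks = (l > 3 ? l : 3) + 6;
    }
    return clocks + (mem_operand ? 3 : 0);
}

int main(void) {
    /* the table's ranges fall out of the formula: 9-14 (byte), 9-22 (word), 9-38 (dword) */
    printf("byte:  %u-%u\n", mul_clocks(1, 0), mul_clocks(0xFF, 0));
    printf("word:  %u-%u\n", mul_clocks(1, 0), mul_clocks(0xFFFF, 0));
    printf("dword: %u-%u\n", mul_clocks(1, 0), mul_clocks(0xFFFFFFFFu, 0));
    return 0;
}
```

Because the count grows with the magnitude of the multiplier, a MUL whose multiplier is a secret runs in data-dependent time; the formula makes that leak quantifiable (one extra clock per extra significant bit above the third), which is why constant-time code for such a core keeps secrets out of the multiplier operand.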
IF byte-size operation
THEN AX ← AL * r/m8
ELSE (* word or doubleword operation *)
   IF OperandSize = 16
   THEN DX:AX ← AX * r/m16
   ELSE (* OperandSize = 32 *)
      EDX:EAX ← EAX * r/m32

MUL performs unsigned multiplication. Its actions depend on the size
of its operand, as follows:

• A byte operand is multiplied by AL; the result is left in AX. The
carry and overflow flags are set to 0 if AH is 0; otherwise, they are

• A word operand is multiplied by AX; the result is left in DX:AX.
DX contains the high-order 16 bits of the product. The carry and
overflow flags are set to 0 if DX is 0; otherwise, they are set to 1.

• A doubleword operand is multiplied by EAX and the result is left in
EDX:EAX. EDX contains the high-order 32 bits of the product. The
carry and overflow flags are set to 0 if EDX is 0; otherwise, they are

OF and CF as described above; SF, ZF, AF, PF, and CF are undefined

Protected Mode Exceptions

#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
NEG -- Two's Complement Negation

Opcode Instruction Clocks Description

F6 /3 NEG r/m8 2/6 Two's complement negate r/m byte
F7 /3 NEG r/m16 2/6 Two's complement negate r/m word
F7 /3 NEG r/m32 2/6 Two's complement negate r/m dword

IF r/m = 0 THEN CF ← 0 ELSE CF ← 1; FI;

NEG replaces the value of a register or memory operand with its two's
complement. The operand is subtracted from zero, and the result is placed

The carry flag is set to 1, unless the operand is zero, in which case the
carry flag is cleared to 0.

CF as described above; OF, SF, ZF, and PF as described in Appendix C

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
NOP -- No Operation

Opcode Instruction Clocks Description

90 NOP 3 No operation

NOP performs no operation. NOP is a one-byte instruction that takes
up space but affects none of the machine context except (E)IP.

NOP is an alias mnemonic for the XCHG (E)AX, (E)AX instruction.

Protected Mode Exceptions

Real Address Mode Exceptions

Virtual 8086 Mode Exceptions
NOT -- One's Complement Negation

Opcode Instruction Clocks Description

F6 /2 NOT r/m8 2/6 Reverse each bit of r/m byte
F7 /2 NOT r/m16 2/6 Reverse each bit of r/m word
F7 /2 NOT r/m32 2/6 Reverse each bit of r/m dword

NOT inverts the operand; every 1 becomes a 0, and vice versa.

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
OR -- Logical Inclusive OR

Opcode Instruction Clocks Description

0C ib OR AL,imm8 2 OR immediate byte to AL
0D iw OR AX,imm16 2 OR immediate word to AX
0D id OR EAX,imm32 2 OR immediate dword to EAX
80 /1 ib OR r/m8,imm8 2/7 OR immediate byte to r/m byte
81 /1 iw OR r/m16,imm16 2/7 OR immediate word to r/m word
81 /1 id OR r/m32,imm32 2/7 OR immediate dword to r/m dword
83 /1 ib OR r/m16,imm8 2/7 OR sign-extended immediate byte
83 /1 ib OR r/m32,imm8 2/7 OR sign-extended immediate byte
08 /r OR r/m8,r8 2/6 OR byte register to r/m byte
09 /r OR r/m16,r16 2/6 OR word register to r/m word
09 /r OR r/m32,r32 2/6 OR dword register to r/m dword
0A /r OR r8,r/m8 2/7 OR byte register to r/m byte
0B /r OR r16,r/m16 2/7 OR word register to r/m word
0B /r OR r32,r/m32 2/7 OR dword register to r/m dword

DEST ← DEST OR SRC;

OR computes the inclusive OR of its two operands and places the result
in the first operand. Each bit of the result is 0 if both corresponding
bits of the operands are 0; otherwise, each bit is 1.

OF ← 0, CF ← 0; SF, ZF, and PF as described in Appendix C; AF is

Protected Mode Exceptions

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
OUT -- Output to Port

Opcode Instruction Clocks Description

E6 ib OUT imm8,AL 10,pm=4*/24** Output byte AL to immediate port
E7 ib OUT imm8,AX 10,pm=4*/24** Output word AL to immediate port
E7 ib OUT imm8,EAX 10,pm=4*/24** Output dword AL to immediate
EE OUT DX,AL 11,pm=5*/25** Output byte AL to port number in
EF OUT DX,AX 11,pm=5*/25** Output word AL to port number in
EF OUT DX,EAX 11,pm=5*/25** Output dword AL to port number

----------------------------------------------------------------------
**If CPL > IOPL or if in virtual 8086 mode
----------------------------------------------------------------------

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (DEST, width(DEST))
[DEST] ← SRC; (* I/O address space used *)

OUT transfers a data byte or data word from the register (AL, AX, or
EAX) given as the second operand to the output port numbered by the
first operand. Output to any port from 0 to 65535 is performed by placing
the port number in the DX register and then using an OUT instruction
with DX as the first operand. If the instruction contains an eight-bit port
ID, that value is zero-extended to 16 bits.

Protected Mode Exceptions

#GP(0) if the current privilege level is higher (has less privilege) than
IOPL and any of the corresponding I/O permission bits in TSS equals 1

Real Address Mode Exceptions

Virtual 8086 Mode Exceptions

#GP(0) fault if any of the corresponding I/O permission bits in TSS
OUTS/OUTSB/OUTSW/OUTSD -- Output String to Port

Opcode Instruction Clocks Description

6E OUTS DX,r/m8 14,pm=8*/28** Output byte [(E)SI] to port in DX
6F OUTS DX,r/m16 14,pm=8*/28** Output word [(E)SI] to port in DX
6F OUTS DX,r/m32 14,pm=8*/28** Output dword [(E)SI] to port in DX
6E OUTSB 14,pm=8*/28** Output byte DS:[(E)SI] to port in
6F OUTSW 14,pm=8*/28** Output word DS:[(E)SI] to port in
6F OUTSD 14,pm=8*/28** Output dword DS:[(E)SI] to port in

----------------------------------------------------------------------
**If CPL > IOPL or if in virtual 8086 mode
----------------------------------------------------------------------

IF AddressSize = 16
THEN use SI for source-index;
ELSE (* AddressSize = 32 *)
   use ESI for source-index;
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (DEST, width(DEST))
IF byte type of instruction
   [DX] ← [source-index]; (* Write byte at DX I/O address *)
   IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
IF OperandSize = 16
   [DX] ← [source-index]; (* Write word at DX I/O address *)
   IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
IF OperandSize = 32
   [DX] ← [source-index]; (* Write dword at DX I/O address *)
   IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
source-index ← source-index + IncDec;

OUTS transfers data from the memory byte, word, or doubleword at the
source-index register to the output port addressed by the DX register. If
the address-size attribute for this instruction is 16 bits, SI is used for
the source-index register; otherwise, the address-size attribute is 32 bits,
and ESI is used for the source-index register.

OUTS does not allow specification of the port number as an immediate value.
The port must be addressed through the DX register value. Load the correct
value into DX before executing the OUTS instruction.

The address of the source data is determined by the contents of the
source-index register. Load the correct index value into SI or ESI before
executing the OUTS instruction.

After the transfer, the source-index register is advanced automatically. If
the direction flag is 0 (CLD was executed), the source-index register is
incremented; if the direction flag is 1 (STD was executed), it is
decremented. The amount of the increment or decrement is 1 if a byte is
output, 2 if a word is output, or 4 if a doubleword is output.

OUTSB, OUTSW, and OUTSD are synonyms for the byte, word, and
doubleword OUTS instructions. OUTS can be preceded by the REP
prefix for block output of CX bytes or words. Refer to the REP
instruction for details on this operation.
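The I-O-Permission check used by both OUT (above) and OUTS, as an added C example (not the manual's code): `io_permission` tests every byte-port that an access of the given width touches, and `out_allowed` applies the PE/VM/CPL > IOPL gate from the pseudocode in front of it. `struct io_bitmap`, `demo_map` and the ports denied in it are constructed for this example; treating ports beyond the end of the map as denied is an assumption stated in the code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* I/O permission bitmap from the TSS, reduced to what the check needs: one
 * bit per port, a set bit denies access. Ports at or beyond `limit_bits` are
 * treated as denied (assumption of this model; the real map ends at the TSS limit). */
struct io_bitmap { const uint8_t *bits; uint32_t limit_bits; };

/* I-O-Permission(port, width): true only if the bit of every byte-port in
 * [port, port + width) is clear, since a single set bit faults the access. */
bool io_permission(const struct io_bitmap *map, uint32_t port, unsigned width) {
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = port + i;
        if (p >= map->limit_bits) return false;
        if (map->bits[p >> 3] & (1u << (p & 7))) return false;
    }
    return true;
}

/* Gate from the OUT/OUTS pseudocode: the bitmap is consulted only in
 * virtual 8086 mode or in protected mode with CPL > IOPL; every other case
 * (real-address mode, or CPL <= IOPL) performs the output unconditionally. */
bool out_allowed(const struct io_bitmap *map, bool pe, bool vm,
                 unsigned cpl, unsigned iopl, uint32_t port, unsigned width) {
    if (pe && (vm || cpl > iopl))
        return io_permission(map, port, width);
    return true;
}

/* Constructed bitmap covering ports 0-127: ports 20H and 23H denied (byte 4 = 09H). */
static const uint8_t demo_bits[16] = { 0, 0, 0, 0, 0x09, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const struct io_bitmap demo_map = { demo_bits, 128 };

int main(void) {
    printf("CPL 3, IOPL 0, OUT 21H,AL:  %d\n", out_allowed(&demo_map, true, false, 3, 0, 0x21, 1));
    printf("CPL 3, IOPL 0, OUT 21H,EAX: %d\n", out_allowed(&demo_map, true, false, 3, 0, 0x21, 4));
    printf("CPL 0, IOPL 0, OUT 20H,AL:  %d\n", out_allowed(&demo_map, true, false, 0, 0, 0x20, 1));
    return 0;
}
```

The dword case is the one to remember when granting port access: OUT 21H,EAX touches ports 21H through 24H, so the denial on 23H blocks it even though 21H itself is permitted. The bitmap is the only thing standing between a CPL 3 task and the device when IOPL has been raised for it, so a supervisor that exposes a port range has to allow exactly the width it intends.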
Protected Mode Exceptions

#GP(0) if CPL is greater than IOPL and any of the corresponding I/O
permission bits in TSS equals 1; #GP(0) for an illegal memory operand
effective address in the CS, DS, or ES segments; #SS(0) for an illegal
address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

#GP(0) fault if any of the corresponding I/O permission bits in TSS
equals 1; #PF(fault-code) for a page fault
POP -- Pop a Word from the Stack

Opcode Instruction Clocks Description

8F /0 POP m16 5 Pop top of stack into memory word
8F /0 POP m32 5 Pop top of stack into memory dword
58 + rw POP r16 4 Pop top of stack into word register
58 + rd POP r32 4 Pop top of stack into dword register
1F POP DS 7,pm=21 Pop top of stack into DS
07 POP ES 7,pm=21 Pop top of stack into ES
17 POP SS 7,pm=21 Pop top of stack into SS
0F A1 POP FS 7,pm=21 Pop top of stack into FS
0F A9 POP GS 7,pm=21 Pop top of stack into GS

IF StackAddrSize = 16
   IF OperandSize = 16
      DEST ← (SS:SP); (* copy a word *)
   ELSE (* OperandSize = 32 *)
      DEST ← (SS:SP); (* copy a dword *)
ELSE (* StackAddrSize = 32 *)
   IF OperandSize = 16
      DEST ← (SS:ESP); (* copy a word *)
   ELSE (* OperandSize = 32 *)
      DEST ← (SS:ESP); (* copy a dword *)

POP replaces the previous contents of the memory, the register, or the
segment register operand with the word on the top of the 80386 stack,
addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP
(address-size attribute of 32 bits). The stack pointer SP is incremented
by 2 for an operand-size of 16 bits or by 4 for an operand-size of 32 bits.
It then points to the new top of stack.

POP CS is not an 80386 instruction. Popping from the stack into the CS
register is accomplished with a RET instruction.

If the destination operand is a segment register (DS, ES, FS, GS, or
SS), the value popped must be a selector. In protected mode, loading the
selector initiates automatic loading of the descriptor information
associated with that selector into the hidden part of the segment register;
loading also initiates validation of both the selector and the descriptor

A null value (0000-0003) may be popped into the DS, ES, FS, or GS
register without causing a protection exception. An attempt to reference
a segment whose corresponding segment register is loaded with a null
value causes a #GP(0) exception. No memory reference occurs. The saved
value of the segment register is null.

A POP SS instruction inhibits all interrupts, including NMI, until after
execution of the next instruction. This allows sequential execution of POP
SS and POP eSP instructions without danger of having an invalid stack
during an interrupt. However, use of the LSS instruction is the preferred
method of loading the SS and eSP registers.

Loading a segment register while in protected mode results in special
checks and actions, as described in the following listing:

IF selector is null THEN #GP(0);
Selector index must be within its descriptor table limits ELSE
Selector's RPL must equal CPL ELSE #GP(selector);
AR byte must indicate a writable data segment ELSE #GP(selector);
DPL in the AR byte must equal CPL ELSE #GP(selector);
Segment must be marked present ELSE #SS(selector);
Load SS register with selector;
Load SS register with descriptor;

IF DS, ES, FS or GS is loaded with non-null selector:
   AR byte must indicate data or readable code segment ELSE
   IF data or nonconforming code
   THEN both the RPL and the CPL must be less than or equal to DPL in
   ELSE #GP(selector);
   Segment must be marked present ELSE #NP(selector);
   Load segment register with selector;
   Load segment register with descriptor;

IF DS, ES, FS, or GS is loaded with a null selector:
   Load segment register with selector
   Clear valid bit in invisible portion of register

Protected Mode Exceptions

#GP, #SS, and #NP if a segment register is being loaded; #SS(0) if the
current top of stack is not within the stack segment; #GP(0) if the result
is in a nonwritable segment; #GP(0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
POPA/POPAD -- Pop all General Registers

Opcode Instruction Clocks Description

61 POPA 24 Pop DI, SI, BP, SP, BX, DX, CX, and AX
61 POPAD 24 Pop EDI, ESI, EBP, ESP, EDX, ECX, and EAX

IF OperandSize = 16 (* instruction = POPA *)
   throwaway ← Pop (); (* Skip SP *)
ELSE (* OperandSize = 32, instruction = POPAD *)
   throwaway ← Pop (); (* Skip ESP *)

POPA pops the eight 16-bit general registers. However, the SP value is
discarded instead of loaded into SP. POPA reverses a previous PUSHA,
restoring the general registers to their values before PUSHA was
executed. The first register popped is DI.

POPAD pops the eight 32-bit general registers. The ESP value is
discarded instead of loaded into ESP. POPAD reverses the previous
PUSHAD, restoring the general registers to their values before PUSHAD
was executed. The first register popped is EDI.

Protected Mode Exceptions

#SS(0) if the starting or ending stack address is not within the stack
segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
POPF/POPFD -- Pop Stack into FLAGS or EFLAGS Register

Opcode Instruction Clocks Description

9D POPF 5 Pop top of stack FLAGS
9D POPFD 5 Pop top of stack into EFLAGS

POPF/POPFD pops the word or doubleword on the top of the stack and
stores the value in the flags register. If the operand-size attribute of
the instruction is 16 bits, then a word is popped and the value is stored in
FLAGS. If the operand-size attribute is 32 bits, then a doubleword is popped
and the value is stored in EFLAGS.

Refer to Chapter 2 and Chapter 4 for information about the FLAGS
and EFLAGS registers. Note that bits 16 and 17 of EFLAGS, called
VM and RF, respectively, are not affected by POPF or POPFD.

The I/O privilege level is altered only when executing at privilege level
0. The interrupt flag is altered only when executing at a level at least as
privileged as the I/O privilege level. (Real-address mode is equivalent to
privilege level 0.) If a POPF instruction is executed with insufficient
privilege, an exception does not occur, but the privileged bits do not

All flags except VM and RF
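The privilege rules for POPF/POPFD, as an added C example (not from the manual): `apply_popf` computes the new EFLAGS from the popped value, leaving IOPL unchanged above privilege level 0, IF unchanged when CPL > IOPL, and VM and RF untouched, with real-address mode treated as level 0. The function name and the bit positions are assumptions of this example; the positions are the standard EFLAGS layout, which this page defers to Chapters 2 and 4.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bit positions (standard 80386 layout; assumed here, see Chapters 2 and 4). */
#define FL_IF    (1u << 9)
#define FL_IOPL  (3u << 12)
#define FL_RF    (1u << 16)
#define FL_VM    (1u << 17)

/* POPF (opsize 16) or POPFD (opsize 32): merge `popped` into `eflags`.
 *  - bits 16 and 17 (RF, VM) are never changed;
 *  - IOPL changes only at privilege level 0;
 *  - IF changes only when CPL <= IOPL;
 *  - real-address mode counts as privilege level 0;
 * no exception is raised: bits the caller may not change simply keep their value. */
uint32_t apply_popf(uint32_t eflags, uint32_t popped, unsigned cpl, bool real_mode, unsigned opsize) {
    unsigned iopl = (eflags & FL_IOPL) >> 12;
    if (real_mode) cpl = 0;

    uint32_t writable = (opsize == 32) ? 0xFFFFFFFFu : 0x0000FFFFu;   /* POPF leaves the upper word alone */
    writable &= ~(FL_VM | FL_RF);
    if (cpl != 0)   writable &= ~FL_IOPL;
    if (cpl > iopl) writable &= ~FL_IF;

    return (eflags & ~writable) | (popped & writable);
}

int main(void) {
    /* constructed case: code at CPL 3 under IOPL 0 pops 3200H (IOPL=3, IF=1) */
    printf("CPL 3, IOPL 0, POPF 3200H -> %08X\n", apply_popf(0, 0x3200, 3, false, 16));
    printf("CPL 0, IOPL 0, POPF 3200H -> %08X\n", apply_popf(0, 0x3200, 0, false, 16));
    return 0;
}
```

Because the privileged bits are dropped silently rather than faulting, a supervisor cannot trap a failed attempt from CPL 3 to set IF or raise IOPL in protected mode; the virtual 8086 mode exception listed below (#GP(0) when IOPL is less than 3) exists precisely so that a monitor can emulate the instruction for 8086 programs that expect it to work.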
Protected Mode Exceptions

#SS(0) if the top of stack is not within the stack segment

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

#GP(0) fault if IOPL is less than 3, to permit emulation
PUSH -- Push Operand onto the Stack

Opcode Instruction Clocks Description

FF /6 PUSH m16 5 Push memory word
FF /6 PUSH m32 5 Push memory dword
50 + /r PUSH r16 2 Push register word
50 + /r PUSH r32 2 Push register dword
6A PUSH imm8 2 Push immediate byte
68 PUSH imm16 2 Push immediate word
68 PUSH imm32 2 Push immediate dword
0E PUSH CS 2 Push CS
16 PUSH SS 2 Push SS
1E PUSH DS 2 Push DS
06 PUSH ES 2 Push ES
0F A0 PUSH FS 2 Push FS
0F A8 PUSH GS 2 Push GS

IF StackAddrSize = 16
   IF OperandSize = 16 THEN
      (SS:SP) ← (SOURCE); (* word assignment *)
      (SS:SP) ← (SOURCE); (* dword assignment *)
ELSE (* StackAddrSize = 32 *)
   IF OperandSize = 16
      (SS:ESP) ← (SOURCE); (* word assignment *)
      (SS:ESP) ← (SOURCE); (* dword assignment *)

PUSH decrements the stack pointer by 2 if the operand-size attribute of
the instruction is 16 bits; otherwise, it decrements the stack pointer by
4. PUSH then places the operand on the new top of stack, which is
pointed to by the stack pointer.

The 80386 PUSH eSP instruction pushes the value of eSP as it existed
before the instruction. This differs from the 8086, where PUSH SP
pushes the new value (decremented by 2).

Protected Mode Exceptions

#SS(0) if the new value of SP or ESP is outside the stack segment limit;
#GP(0) for an illegal memory operand effective address in the CS, DS,
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault

Real Address Mode Exceptions

None; if SP or ESP is 1, the 80386 shuts down due to a lack of stack

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
PUSHA/PUSHAD -- Push all General Registers

Opcode Instruction Clocks Description

60 PUSHA 18 Push AX, CX, DX, BX, original SP, BP, SI, and
60 PUSHAD 18 Push EAX, ECX, EDX, EBX, original ESP, EBP,

IF OperandSize = 16 (* PUSHA instruction *)
ELSE (* OperandSize = 32, PUSHAD instruction *)

PUSHA and PUSHAD save the 16-bit or 32-bit general registers,
respectively, on the 80386 stack. PUSHA decrements the stack pointer
(SP) by 16 to hold the eight word values. PUSHAD decrements the
stack pointer (ESP) by 32 to hold the eight doubleword values. Because
the registers are pushed onto the stack in the order in which they were
given, they appear in the 16 or 32 new stack bytes in reverse order. The
last register pushed is DI or EDI.
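The PUSHA/POPA frame, as an added C example covering both POPA/POPAD (above) and PUSHA/PUSHAD (not the manual's pseudocode): a 16-bit model pushes the eight registers in the listed order, records the pre-PUSHA SP in the frame, and on POPA pops DI first and discards the saved SP. `struct cpu16`, `pusha`, `popa` and the 64-byte stack are hypothetical names and sizes chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-bit general registers in PUSHA order: AX, CX, DX, BX, SP, BP, SI, DI. */
enum { R_AX, R_CX, R_DX, R_BX, R_SP, R_BP, R_SI, R_DI, R_COUNT };

struct cpu16 {
    uint16_t r[R_COUNT];
    uint8_t  stack[64];   /* model of the SS segment; SP indexes into it */
};

static void push16(struct cpu16 *c, uint16_t v) {
    c->r[R_SP] -= 2;
    c->stack[c->r[R_SP]]     = (uint8_t)(v & 0xFF);   /* little-endian */
    c->stack[c->r[R_SP] + 1] = (uint8_t)(v >> 8);
}

static uint16_t pop16(struct cpu16 *c) {
    uint16_t v = (uint16_t)(c->stack[c->r[R_SP]] | (c->stack[c->r[R_SP] + 1] << 8));
    c->r[R_SP] += 2;
    return v;
}

/* PUSHA: pushes in the listed order; the SP value pushed is the one in effect
 * before the instruction. SP ends 16 bytes lower. */
void pusha(struct cpu16 *c) {
    uint16_t original_sp = c->r[R_SP];
    push16(c, c->r[R_AX]); push16(c, c->r[R_CX]);
    push16(c, c->r[R_DX]); push16(c, c->r[R_BX]);
    push16(c, original_sp);
    push16(c, c->r[R_BP]); push16(c, c->r[R_SI]); push16(c, c->r[R_DI]);
}

/* POPA: pops in reverse order, DI first; the stored SP is discarded. */
void popa(struct cpu16 *c) {
    c->r[R_DI] = pop16(c); c->r[R_SI] = pop16(c); c->r[R_BP] = pop16(c);
    (void)pop16(c);                       /* throwaway <- Pop(); skip SP */
    c->r[R_BX] = pop16(c); c->r[R_DX] = pop16(c);
    c->r[R_CX] = pop16(c); c->r[R_AX] = pop16(c);
}

/* Round trip on constructed register values: returns 1 if PUSHA leaves SP 16
 * lower with the original SP in the frame, and POPA restores every register. */
int pusha_popa_roundtrip(void) {
    struct cpu16 c;
    memset(&c, 0, sizeof c);
    uint16_t init[R_COUNT] = { 0x1111, 0x2222, 0x3333, 0x4444, 64, 0x5555, 0x6666, 0x7777 };
    memcpy(c.r, init, sizeof init);
    pusha(&c);
    if (c.r[R_SP] != 64 - 16) return 0;
    /* frame from the top of stack: DI, SI, BP, saved SP, BX, DX, CX, AX; saved SP is at offset 6 */
    uint16_t saved_sp = (uint16_t)(c.stack[c.r[R_SP] + 6] | (c.stack[c.r[R_SP] + 7] << 8));
    if (saved_sp != 64) return 0;
    popa(&c);
    return memcmp(c.r, init, sizeof init) == 0;
}

/* Returns 1 if overwriting the saved SP slot in the frame has no effect after POPA. */
int popa_discards_sp(void) {
    struct cpu16 c;
    memset(&c, 0, sizeof c);
    c.r[R_SP] = 64;
    pusha(&c);
    c.stack[c.r[R_SP] + 6] = 0xFF;        /* tamper with the saved SP slot */
    c.stack[c.r[R_SP] + 7] = 0xFF;
    popa(&c);
    return c.r[R_SP] == 64;
}

int main(void) {
    printf("roundtrip=%d discards_sp=%d\n", pusha_popa_roundtrip(), popa_discards_sp());
    return 0;
}
```

The discarded SP slot is why a PUSHA/POPA frame cannot be used to redirect the stack pointer: whatever is written into that slot while the frame sits on the stack, POPA reads it and throws it away, and SP simply ends 16 bytes above where POPA started.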
Protected Mode Exceptions

#SS(0) if the starting or ending stack address is outside the stack segment
limit; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Before executing PUSHA or PUSHAD, the 80386 shuts down if SP or
ESP equals 1, 3, or 5; if SP or ESP equals 7, 9, 11, 13, or 15, exception

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
18393 PUSHF/PUSHFD ‘‘ Push Flags Register onto the Stack
18395 Opcode Instruction Clocks Description
18397 9C PUSHF 4 Push FLAGS
18398 9C PUSHFD 4 Push EFLAGS
IF OperandSize = 32
THEN push(EFLAGS);
ELSE push(FLAGS); (* low-order 16 bits of EFLAGS *)
FI;
18410 PUSHF decrements the stack pointer by 2 and copies the FLAGS
18411 register to the new top of stack; PUSHFD decrements the stack pointer by
18412 4, and the 80386 EFLAGS register is copied to the new top of stack
18413 which is pointed to by SS:eSP. Refer to Chapter 2 and Chapter 4 for
18414 information on the EFLAGS register.
18420 Protected Mode Exceptions
18422 #SS(0) if the new value of eSP is outside the stack segment boundaries
18424 Real Address Mode Exceptions
18426 None; the 80386 shuts down due to a lack of stack space
18428 Virtual 8086 Mode Exceptions
18430 #GP(0) fault if IOPL is less than 3, to permit emulation
18433 RCL/RCR/ROL/ROR ‘‘ Rotate
18436 Opcode Instruction Clocks Description
18438 D0 /2 RCL r/m8,1 9/10 Rotate 9 bits (CF,r/m byte) left
18440 D2 /2 RCL r/m8,CL 9/10 Rotate 9 bits (CF,r/m byte) left CL
18442 C0 /2 ib RCL r/m8,imm8 9/10 Rotate 9 bits (CF,r/m byte) left
18444 D1 /2 RCL r/m16,1 9/10 Rotate 17 bits (CF,r/m word) left
18446 D3 /2 RCL r/m16,CL 9/10 Rotate 17 bits (CF,r/m word) left
18448 C1 /2 ib RCL r/m16,imm8 9/10 Rotate 17 bits (CF,r/m word) left
18450 D1 /2 RCL r/m32,1 9/10 Rotate 33 bits (CF,r/m dword) left
18452 D3 /2 RCL r/m32,CL 9/10 Rotate 33 bits (CF,r/m dword) left
18454 C1 /2 ib RCL r/m32,imm8 9/10 Rotate 33 bits (CF,r/m dword) left
18456 D0 /3 RCR r/m8,1 9/10 Rotate 9 bits (CF,r/m byte) right
18458 D2 /3 RCR r/m8,CL 9/10 Rotate 9 bits (CF,r/m byte) right
18460 C0 /3 ib RCR r/m8,imm8 9/10 Rotate 9 bits (CF,r/m byte) right
18462 D1 /3 RCR r/m16,1 9/10 Rotate 17 bits (CF,r/m word) right
18464 D3 /3 RCR r/m16,CL 9/10 Rotate 17 bits (CF,r/m word) right
18466 C1 /3 ib RCR r/m16,imm8 9/10 Rotate 17 bits (CF,r/m word) right
18468 D1 /3 RCR r/m32,1 9/10 Rotate 33 bits (CF,r/m dword) right
18470 D3 /3 RCR r/m32,CL 9/10 Rotate 33 bits (CF,r/m dword) right
18472 C1 /3 ib RCR r/m32,imm8 9/10 Rotate 33 bits (CF,r/m dword) right
18474 D0 /0 ROL r/m8,1 3/7 Rotate 8 bits r/m byte left once
18475 D2 /0 ROL r/m8,CL 3/7 Rotate 8 bits r/m byte left CL
18477 C0 /0 ib ROL r/m8,imm8 3/7 Rotate 8 bits r/m byte left imm8
18479 D1 /0 ROL r/m16,1 3/7 Rotate 16 bits r/m word left once
18480 D3 /0 ROL r/m16,CL 3/7 Rotate 16 bits r/m word left CL
18482 C1 /0 ib ROL r/m16,imm8 3/7 Rotate 16 bits r/m word left imm8
18484 D1 /0 ROL r/m32,1 3/7 Rotate 32 bits r/m dword left once
18485 D3 /0 ROL r/m32,CL 3/7 Rotate 32 bits r/m dword left CL
18487 C1 /0 ib ROL r/m32,imm8 3/7 Rotate 32 bits r/m dword left imm8
18489 D0 /1 ROR r/m8,1 3/7 Rotate 8 bits r/m byte right once
18490 D2 /1 ROR r/m8,CL 3/7 Rotate 8 bits r/m byte right CL
18492 C0 /1 ib ROR r/m8,imm8 3/7 Rotate 8 bits r/m word right imm8
18494 D1 /1 ROR r/m16,1 3/7 Rotate 16 bits r/m word right once
18495 D3 /1 ROR r/m16,CL 3/7 Rotate 16 bits r/m word right CL
18497 C1 /1 ib ROR r/m16,imm8 3/7 Rotate 16 bits r/m word right imm8
18499 D1 /1 ROR r/m32,1 3/7 Rotate 32 bits r/m dword right once
18500 D3 /1 ROR r/m32,CL 3/7 Rotate 32 bits r/m dword right CL
18502 C1 /1 ib ROR r/m32,imm8 3/7 Rotate 32 bits r/m dword right imm8
(* COUNT is the second operand, masked to its low five bits *)

(* ROL - Rotate Left *)
temp ← COUNT;
WHILE (temp <> 0)
DO
   tmpcf ← high-order bit of (r/m);
   r/m ← r/m * 2 + (tmpcf);
   CF ← tmpcf;
   temp ← temp - 1;
OD;
IF COUNT = 1
THEN
   IF high-order bit of r/m <> CF
   THEN OF ← 1;
   ELSE OF ← 0;
   FI;
ELSE OF ← undefined;
FI;

(* ROR - Rotate Right *)
temp ← COUNT;
WHILE (temp <> 0)
DO
   tmpcf ← low-order bit of (r/m);
   r/m ← r/m / 2 + (tmpcf * 2^(width(r/m) - 1));
   CF ← tmpcf;
   temp ← temp - 1;
OD;
IF COUNT = 1
THEN
   IF (high-order bit of r/m) <> (bit next to high-order bit of r/m)
   THEN OF ← 1;
   ELSE OF ← 0;
   FI;
ELSE OF ← undefined;
FI;
Each rotate instruction shifts the bits of the register or memory operand
given. The left rotate instructions shift all the bits upward, except for
the top bit, which is returned to the bottom. The right rotate instructions
do the reverse: the bits shift downward until the bottom bit arrives at
the top.
18549 For the RCL and RCR instructions, the carry flag is part of the rotated
18550 quantity. RCL shifts the carry flag into the bottom bit and shifts the top
18551 bit into the carry flag; RCR shifts the carry flag into the top bit and
18552 shifts the bottom bit into the carry flag. For the ROL and ROR
18553 instructions, the original value of the carry flag is not a part of the
18554 result, but the carry flag receives a copy of the bit that was shifted from
18555 one end to the other.
The rotate is repeated the number of times indicated by the second
operand, which is either an immediate number or the contents of the CL
register. To reduce the maximum instruction execution time, the 80386
does not allow rotation counts greater than 31. If a rotation count greater
than 31 is attempted, only the bottom five bits of the rotation count are
used. The 8086 does not mask rotation counts. The 80386 in Virtual 8086
Mode does mask rotation counts.
The overflow flag is defined only for the single-rotate forms of the
instructions (second operand = 1). It is undefined in all other cases. For
left shifts/rotates, the CF bit after the shift is XORed with the
high-order result bit. For right shifts/rotates, the high-order two bits of
the result are XORed to get OF.
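The C model below is an added example and is not part of the Intel manual. It implements the four rotates for 8-, 16- and 32-bit operands with the 80386 behaviour described above: the count is masked to its low five bits, CF receives the bit carried around (or is part of the rotated quantity for RCL/RCR), and OF is defined only for the single-rotate form. The `rotate` function, the `rot_result` type and the sample operands are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of one rotate, with the flags the manual defines. */
typedef struct {
    uint32_t result;
    int cf;           /* CF after the rotate */
    int of;           /* OF; meaningful only when of_defined is 1 */
    int of_defined;   /* 1 for the single-rotate form (masked count = 1) */
} rot_result;

typedef enum { ROL, ROR, RCL, RCR } rot_kind;

/* Rotate `value` (8, 16 or 32 bits wide) by `count`, with `cf_in` as the
 * incoming carry. As on the 80386, only the low five bits of the count are
 * used, so ROL r/m8,33 behaves like ROL r/m8,1 and a count of 32 does nothing. */
static rot_result rotate(rot_kind kind, uint32_t value, int width,
                         unsigned count, int cf_in)
{
    uint32_t mask = (width == 32) ? 0xFFFFFFFFu : ((1u << width) - 1u);
    uint32_t r = value & mask;
    int cf = cf_in & 1;
    unsigned n = count & 31u;                 /* 80386 count masking */
    rot_result out;

    for (unsigned i = 0; i < n; i++) {
        int hi = (int)((r >> (width - 1)) & 1u);
        int lo = (int)(r & 1u);
        switch (kind) {
        case ROL: r = ((r << 1) | (uint32_t)hi) & mask;          cf = hi; break;
        case ROR: r = (r >> 1) | ((uint32_t)lo << (width - 1));  cf = lo; break;
        case RCL: r = ((r << 1) | (uint32_t)cf) & mask;          cf = hi; break;  /* CF enters at the bottom */
        case RCR: r = (r >> 1) | ((uint32_t)cf << (width - 1));  cf = lo; break;  /* CF enters at the top */
        }
    }
    out.result = r;
    out.cf = cf;
    out.of_defined = (n == 1);
    if (kind == ROL || kind == RCL)
        out.of = (((r >> (width - 1)) & 1u) != (uint32_t)cf);          /* MSB XOR CF */
    else
        out.of = (((r >> (width - 1)) & 1u) != ((r >> (width - 2)) & 1u)); /* top two bits */
    return out;
}

int main(void)
{
    rot_result a = rotate(ROL, 0x81, 8, 1, 0);
    rot_result b = rotate(RCL, 0x80, 8, 9, 0);             /* 9-bit quantity rotated by 9: identity */
    rot_result c = rotate(ROL, 0x12345678u, 32, 36, 0);    /* count 36 is masked to 4 */
    printf("ROL 81h,1        -> %02X CF=%d OF=%d\n", a.result, a.cf, a.of);
    printf("RCL 80h,9        -> %02X CF=%d\n", b.result, b.cf);
    printf("ROL 12345678h,36 -> %08X CF=%d OF defined=%d\n", c.result, c.cf, c.of_defined);
    return 0;
}
```

The RCL case with a count of 9 on a byte operand shows why the manual calls it a "9-bit" rotate: CF and the operand together form the rotated quantity, so nine steps return both to their original values.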
OF only for single rotates; OF is undefined for multi-bit rotates; CF as
described above
18576 Protected Mode Exceptions
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
18583 Real Address Mode Exceptions
18585 Interrupt 13 if any part of the operand would lie outside of the effective
18586 address space from 0 to 0FFFFH
18588 Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
18594 REP/REPE/REPZ/REPNE/REPNZ ‘‘ Repeat Following String Operation
18597 Opcode Instruction Clocks Description
18599 F3 6C REP INS r/m8, DX 13+6*(E)CX,
18603 If CPL > IOPL or if in virtual 8086 mode Input (E)CX bytes from port
18605 F3 6D REP INS r/m16,DX 13+6*(E)CX,
18609 If CPL > IOPL or if in virtual 8086 mode Input (E)CX words from port
18611 F3 6D REP INS r/m32,DX 13+6*(E)CX,
18615 If CPL > IOPL or if in virtual 8086 mode Input (E)CX dwords from port
18617 F3 A4 REP MOVS m8,m8 5+4*(E)CX Move (E)CX bytes from
18618 [(E)SI] to ES:[(E)DI]
18619 F3 A5 REP MOVS m16,m16 5+4*(E)CX Move (E)CX words from
18620 [(E)SI] to ES:[(E)DI]
18621 F3 A5 REP MOVS m32,m32 5+4*(E)CX Move (E)CX dwords from
18622 [(E)SI] to ES:[(E)DI]
18623 F3 6E REP OUTS DX,r/m8 5+12*(E)CX,
18627 If CPL > IOPL or if in virtual 8086 mode Output (E)CX bytes from
18629 F3 6F REP OUTS DX,r/m16 5+12*(E)CX,
18633 If CPL > IOPL or if in virtual 8086 mode Output (E)CX words from
18635 F3 6F REP OUTS DX,r/m32 5+12*(E)CX,
18639 If CPL > IOPL or if in virtual 8086 mode Output (E)CX dwords from
F3 AA   REP STOS m8    5+5*(E)CX   Fill (E)CX bytes at ES:[(E)DI] with AL
F3 AB   REP STOS m16   5+5*(E)CX   Fill (E)CX words at ES:[(E)DI] with AX
F3 AB   REP STOS m32   5+5*(E)CX   Fill (E)CX dwords at ES:[(E)DI] with EAX
18647 F3 A6 REPE CMPS m8,m8 5+9*N Find nonmatching bytes in
18648 ES:[(E)DI] and [(E)SI]
18649 F3 A7 REPE CMPS m16,m16 5+9*N Find nonmatching words in
18650 ES:[(E)DI] and [(E)SI]
18651 F3 A7 REPE CMPS m32,m32 5+9*N Find nonmatching dwords in
18652 ES:[(E)DI] and [(E)SI]
F3 AE   REPE SCAS m8   5+8*N   Find non-AL byte starting at ES:[(E)DI]
F3 AF   REPE SCAS m16  5+8*N   Find non-AX word starting at ES:[(E)DI]
F3 AF   REPE SCAS m32  5+8*N   Find non-EAX dword starting at ES:[(E)DI]
18659 F2 A6 REPNE CMPS m8,m8 5+9*N Find matching bytes in
18660 ES:[(E)DI] and [(E)SI]
18661 F2 A7 REPNE CMPS m16,m16 5+9*N Find matching words in
18662 ES:[(E)DI] and [(E)SI]
18663 F2 A7 REPNE CMPS m32,m32 5+9*N Find matching dwords in
18664 ES:[(E)DI] and [(E)SI]
F2 AE   REPNE SCAS m8   5+8*N   Find AL, starting at ES:[(E)DI]
F2 AF   REPNE SCAS m16  5+8*N   Find AX, starting at ES:[(E)DI]
F2 AF   REPNE SCAS m32  5+8*N   Find EAX, starting at ES:[(E)DI]
IF AddressSize = 16
THEN use CX for CountReg;
ELSE (* AddressSize = 32 *) use ECX for CountReg;
FI;
WHILE CountReg <> 0
DO
   service pending interrupts (if any);
   perform primitive string instruction;
   CountReg ← CountReg - 1;
   IF primitive operation is CMPS or SCAS (any operand size)
   THEN
      IF (instruction is REP/REPE/REPZ) AND (ZF = 0)
      THEN exit WHILE loop; (* last comparison was not equal *)
      FI;
      IF (instruction is REPNZ or REPNE) AND (ZF = 1)
      THEN exit WHILE loop; (* last comparison was equal *)
      FI;
   FI;
OD;
REP, REPE (repeat while equal), and REPNE (repeat while not equal)
are prefixes that are applied to string operations. Each prefix causes the
string instruction that follows to be repeated the number of times
indicated in the count register or (for REPE and REPNE) until the
indicated condition in the zero flag is no longer met.

Synonymous forms of REPE and REPNE are REPZ and REPNZ,
respectively.

The REP prefixes apply only to one string instruction at a time. To repeat
a block of instructions, use the LOOP instruction or another looping
construct.
18711 The precise action for each iteration is as follows:
1. If the address-size attribute is 16 bits, use CX for the count
register; if the address-size attribute is 32 bits, use ECX for the
count register.

2. Check CX or ECX. If it is zero, exit the iteration, and move to the next
instruction.
18720 3. Acknowledge any pending interrupts.
18722 4. Perform the string operation once.
18724 5. Decrement CX or ECX by one; no flags are modified.
18726 6. Check the zero flag if the string operation is SCAS or CMPS. If
18727 the repeat condition does not hold, exit the iteration and move to
18728 the next instruction. Exit the iteration if the prefix is REPE and ZF
18729 is 0 (the last comparison was not equal), or if the prefix is REPNE
18730 and ZF is one (the last comparison was equal).
18732 7. Return to step 1 for the next iteration.
18734 Repeated CMPS and SCAS instructions can be exited if the count is
18735 exhausted or if the zero flag fails the repeat condition. These two cases
18736 can be distinguished by using either the JCXZ instruction, or by using
18737 the conditional jumps that test the zero flag (JZ, JNZ, and JNE).
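The following C model is an added example, not code from the Intel manual. It follows the seven per-iteration steps above for REPE CMPSB and REPNE SCASB over a flat memory image, and makes two consequences of those steps concrete: the classic `strlen` idiom (ECX = -1, REPNE SCASB for zero), and the reason a count of zero must be tested separately with JCXZ/JECXZ, since step 2 exits before any comparison and leaves ZF with whatever stale value it had. The `cpu386` struct, the constructed memory image `MEM` and the helper names are this example's own assumptions; a 32-bit address size is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* The 80386 state a repeated CMPS/SCAS touches (32-bit address size). */
typedef struct {
    uint32_t ecx;        /* count register */
    uint32_t esi, edi;   /* offsets into the flat memory image */
    int zf;              /* zero flag */
    int df;              /* direction flag: 0 = increment, 1 = decrement */
} cpu386;

typedef enum { REPE, REPNE } rep_kind;

/* REPE/REPNE CMPSB, following the manual's steps: test the count, compare,
 * advance the index registers, decrement the count (no flags), test ZF.
 * Step 3 (servicing pending interrupts) has no effect in this model. */
static void rep_cmpsb(cpu386 *cpu, const uint8_t *mem, rep_kind kind)
{
    int step = cpu->df ? -1 : 1;
    while (cpu->ecx != 0) {
        cpu->zf = (mem[cpu->esi] == mem[cpu->edi]);   /* CMPSB sets ZF */
        cpu->esi += (uint32_t)step;
        cpu->edi += (uint32_t)step;
        cpu->ecx--;                                     /* no flags modified */
        if (kind == REPE  && cpu->zf == 0) break;       /* last compare unequal */
        if (kind == REPNE && cpu->zf == 1) break;       /* last compare equal */
    }
}

/* REPNE SCASB: scan for AL starting at ES:[EDI], stop on the first match. */
static void repne_scasb(cpu386 *cpu, const uint8_t *mem, uint8_t al)
{
    int step = cpu->df ? -1 : 1;
    while (cpu->ecx != 0) {
        cpu->zf = (mem[cpu->edi] == al);
        cpu->edi += (uint32_t)step;
        cpu->ecx--;
        if (cpu->zf == 1) break;
    }
}

/* Constructed memory image: "hello" at offset 0, "hellp" at offset 6. */
static const uint8_t MEM[] = "hello\0hellp\0";

/* The classic strlen idiom: ECX = -1, REPNE SCASB for 0, length = ~ECX - 1. */
static uint32_t strlen_scasb(uint32_t start)
{
    cpu386 cpu = { 0xFFFFFFFFu, 0, start, 0, 0 };
    repne_scasb(&cpu, MEM, 0);
    return ~cpu.ecx - 1u;        /* bytes consumed minus the terminator */
}

/* ZF as left by REPE CMPSB over n bytes, starting with ZF = stale_zf. With
 * n == 0 the loop exits at step 2 without comparing, so ZF is unchanged and a
 * following JE/JNE would act on the stale value. */
static int repe_cmpsb_zf(uint32_t a, uint32_t b, uint32_t n, int stale_zf)
{
    cpu386 cpu = { n, a, b, stale_zf, 0 };
    rep_cmpsb(&cpu, MEM, REPE);
    return cpu.zf;
}

/* Correct block compare: an empty range is equal (JECXZ), then trust ZF. */
static int memeq_repe(uint32_t a, uint32_t b, uint32_t n)
{
    if (n == 0) return 1;
    return repe_cmpsb_zf(a, b, n, 0);
}

int main(void)
{
    printf("strlen(\"hello\") = %u\n", strlen_scasb(0));
    printf("first 4 bytes equal: %d, first 5 bytes equal: %d\n",
           memeq_repe(0, 6, 4), memeq_repe(0, 6, 5));
    printf("REPE CMPSB with ECX=0 leaves stale ZF: %d\n", repe_cmpsb_zf(0, 6, 0, 1));
    return 0;
}
```

Note that after the 5-byte compare both exit conditions coincide (ECX is 0 and ZF is 0), which is why the manual recommends testing ZF with JZ/JNZ rather than relying on JCXZ alone to decide whether the strings matched.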
18741 ZF by REP CMPS and REP SCAS as described above
18743 Protected Mode Exceptions
18745 #UD if a repeat prefix is used before an instruction that is not in the
18746 list above; further exceptions can be generated when the string operation is
18747 executed; refer to the descriptions of the string instructions themselves
18749 Real Address Mode Exceptions
Interrupt 6 if a repeat prefix is used before an instruction that is not in
the list above; further exceptions can be generated when the string
operation is executed; refer to the descriptions of the string instructions
themselves
18756 Virtual 8086 Mode Exceptions
18758 #UD if a repeat prefix is used before an instruction that is not in the
18759 list above; further exceptions can be generated when the string operation is
18760 executed; refer to the descriptions of the string instructions themselves
18764 Not all input/output ports can handle the rate at which the REP INS
18765 and REP OUTS instructions execute.
18768 RET ‘‘ Return from Procedure
Opcode   Instruction   Clocks          Description
C3       RET           10+m            Return (near) to caller
CB       RET           18+m,pm=32+m    Return (far) to caller, same privilege
CB       RET           pm=68           Return (far), lesser privilege, switch stacks
C2 iw    RET imm16     10+m            Return (near), pop imm16 bytes of parameters
CA iw    RET imm16     18+m,pm=32+m    Return (far), same privilege, pop imm16 bytes
CA iw    RET imm16     pm=68           Return (far), lesser privilege, pop imm16 bytes, switch stacks
IF instruction = near RET
THEN
   IF OperandSize = 16
   THEN
      IP ← Pop();
      EIP ← EIP AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      EIP ← Pop();
   FI;
   IF instruction has immediate operand THEN eSP ← eSP + imm16; FI;
FI;

IF (PE = 0 OR (PE = 1 AND VM = 1))
   (* real mode or virtual 8086 mode *)
   AND instruction = far RET
THEN
   IF OperandSize = 16
   THEN
      IP ← Pop();
      EIP ← EIP AND 0000FFFFH;
      CS ← Pop(); (* 16-bit pop *)
   ELSE (* OperandSize = 32 *)
      EIP ← Pop();
      CS ← Pop(); (* 32-bit pop, high-order 16 bits discarded *)
   FI;
   IF instruction has immediate operand THEN eSP ← eSP + imm16; FI;
FI;

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
   AND instruction = far RET
THEN
   IF OperandSize = 32
   THEN Third word on stack must be within stack limits ELSE #SS(0);
   ELSE Second word on stack must be within stack limits ELSE #SS(0);
   FI;
   Return selector RPL must be ≥ CPL ELSE #GP(return selector);
   IF return selector RPL = CPL
   THEN GOTO SAME-LEVEL;
   ELSE GOTO OUTER-PRIVILEGE-LEVEL;
   FI;
FI;

SAME-LEVEL:
   Return selector must be non-null ELSE #GP(0);
   Selector index must be within its descriptor table limits ELSE #GP(selector);
   Descriptor AR byte must indicate code segment ELSE #GP(selector);
   IF non-conforming
   THEN code segment DPL must equal CPL;
   ELSE #GP(selector);
   FI;
   IF conforming
   THEN code segment DPL must be ≤ CPL;
   ELSE #GP(selector);
   FI;
   Code segment must be present ELSE #NP(selector);
   Top word on stack must be within stack limits ELSE #SS(0);
   IP must be in code segment limit ELSE #GP(0);
   IF OperandSize = 32
   THEN
      Load CS:EIP from stack;
      Load CS register with descriptor;
      Increment eSP by 8 plus the immediate offset if it exists;
   ELSE (* OperandSize = 16 *)
      Load CS:IP from stack;
      Load CS register with descriptor;
      Increment eSP by 4 plus the immediate offset if it exists;
   FI;

OUTER-PRIVILEGE-LEVEL:
   IF OperandSize = 32
   THEN Top (16+immediate) bytes on stack must be within stack limits ELSE #SS(0);
   ELSE Top (8+immediate) bytes on stack must be within stack limits ELSE #SS(0);
   FI;
   Examine return CS selector and associated descriptor:
      Selector must be non-null ELSE #GP(0);
      Selector index must be within its descriptor table limits ELSE #GP(selector);
      Descriptor AR byte must indicate code segment ELSE #GP(selector);
      IF non-conforming
      THEN code segment DPL must equal return selector RPL;
      ELSE #GP(selector);
      FI;
      IF conforming
      THEN code segment DPL must be ≤ return selector RPL;
      ELSE #GP(selector);
      FI;
      Segment must be present ELSE #NP(selector);
   Examine return SS selector and associated descriptor:
      Selector must be non-null ELSE #GP(0);
      Selector index must be within its descriptor table limits ELSE #GP(selector);
      Selector RPL must equal the RPL of the return CS selector ELSE #GP(selector);
      Descriptor AR byte must indicate a writable data segment ELSE #GP(selector);
      Descriptor DPL must equal the RPL of the return CS selector ELSE #GP(selector);
      Segment must be present ELSE #NP(selector);
   IP must be in code segment limit ELSE #GP(0);
   Set CPL to the RPL of the return CS selector;
   IF OperandSize = 32
   THEN
      Load CS:EIP from stack;
      Increment eSP by 8 plus the immediate offset if it exists;
      Load SS:eSP from stack;
   ELSE (* OperandSize = 16 *)
      Load CS:IP from stack;
      Increment eSP by 4 plus the immediate offset if it exists;
      Load SS:eSP from stack;
   FI;
   Load the CS register with the return CS descriptor;
   Load the SS register with the return SS descriptor;
   For each of ES, FS, GS, and DS:
      IF the current register setting is not valid for the outer level,
      set the register to null (selector ← AR ← 0);
      To be valid, the register setting must satisfy the following properties:
         Selector index must be within descriptor table limits;
         Descriptor AR byte must indicate data or readable code segment;
         IF segment is data or non-conforming code, THEN
            DPL must be ≥ CPL, and DPL must be ≥ RPL;
18919 RET transfers control to a return address located on the stack. The
18920 address is usually placed on the stack by a CALL instruction, and the
18921 return is made to the instruction that follows the CALL.
The optional numeric parameter to RET gives the number of stack bytes to
be released after the return address is popped; it is added to eSP as a
byte count for both 16-bit and 32-bit operand sizes. These bytes are
typically the input parameters to the called procedure.
18928 For the intrasegment (near) return, the address on the stack is a segment
18929 offset, which is popped into the instruction pointer. The CS register is
18930 unchanged. For the intersegment (far) return, the address on the stack
18931 is a long pointer. The offset is popped first, followed by the selector.
18933 In real mode, CS and IP are loaded directly. In Protected Mode, an
18934 intersegment return causes the processor to check the descriptor
18935 addressed by the return selector. The AR byte of the descriptor must
18936 indicate a code segment of equal or lesser privilege (or greater or equal
18937 numeric value) than the current privilege level. Returns to a lesser
18938 privilege level cause the stack to be reloaded from the value saved beyond
18939 the parameter block.
18941 The DS, ES, FS, and GS segment registers can be set to 0 by the RET
18942 instruction during an interlevel transfer. If these registers refer to
18943 segments that cannot be used by the new privilege level, they are set to
18944 0 to prevent unauthorized access from the new privilege level.
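The following C model is an added example, not code from the Intel manual. It implements the protection checks a far RET applies to the return CS and SS selectors and the rule that nulls DS/ES/FS/GS on an interlevel return, as listed under the SAME-LEVEL and OUTER-PRIVILEGE-LEVEL paths above. The `descriptor` struct, the `ret_fault` codes and the constructed ring-0/ring-3 descriptors are this example's own assumptions; the descriptor-table-limit and stack-limit checks are not modelled because the example has no descriptor table or stack.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { SEG_DATA, SEG_CODE } seg_type;

/* The descriptor fields the far-RET checks look at. */
typedef struct {
    seg_type type;
    int conforming;   /* code only */
    int readable;     /* code only; data is always readable */
    int writable;     /* data only */
    unsigned dpl;
    int present;
} descriptor;

typedef enum { RET_OK, RET_GP_SELECTOR, RET_GP_ZERO, RET_NP_SELECTOR } ret_fault;

/* Checks on the return CS selector and its descriptor. On success *new_cpl
 * (if non-NULL) receives the selector's RPL, which becomes the new CPL. */
static ret_fault check_far_ret_cs(unsigned cpl, uint16_t cs_sel,
                                  const descriptor *cs, unsigned *new_cpl)
{
    unsigned rpl = cs_sel & 3u;
    if (rpl < cpl) return RET_GP_SELECTOR;          /* RET can never raise privilege */
    if ((cs_sel & ~3u) == 0) return RET_GP_ZERO;    /* null selector */
    if (cs->type != SEG_CODE) return RET_GP_SELECTOR;
    /* SAME-LEVEL compares DPL with CPL; OUTER-PRIVILEGE-LEVEL with the
     * return selector's RPL. The two coincide when RPL = CPL. */
    if (!cs->conforming && cs->dpl != rpl) return RET_GP_SELECTOR;
    if (cs->conforming && cs->dpl > rpl) return RET_GP_SELECTOR;
    if (!cs->present) return RET_NP_SELECTOR;
    if (new_cpl) *new_cpl = rpl;
    return RET_OK;
}

/* Return-SS checks on the outer-level path. */
static ret_fault check_far_ret_ss(unsigned new_cpl, uint16_t ss_sel, const descriptor *ss)
{
    if ((ss_sel & ~3u) == 0) return RET_GP_ZERO;
    if ((ss_sel & 3u) != new_cpl) return RET_GP_SELECTOR;   /* RPL must match CS RPL */
    if (ss->type != SEG_DATA || !ss->writable) return RET_GP_SELECTOR;
    if (ss->dpl != new_cpl) return RET_GP_SELECTOR;
    if (!ss->present) return RET_NP_SELECTOR;
    return RET_OK;
}

/* 1 if ES/FS/GS/DS may keep `sel` after a return to `new_cpl`, 0 if the
 * processor nulls it so the outer level cannot keep an inner-level segment. */
static int data_seg_stays_valid(unsigned new_cpl, uint16_t sel, const descriptor *d)
{
    unsigned rpl = sel & 3u;
    if (d->type == SEG_CODE && !d->readable) return 0;
    if (d->type == SEG_DATA || !d->conforming)
        return d->dpl >= new_cpl && d->dpl >= rpl;
    return 1;    /* conforming readable code: usable from any level */
}

/* Convenience: the CPL after a far RET, or 99 if the return faults. */
static unsigned cpl_after_far_ret(unsigned cpl, uint16_t cs_sel, const descriptor *cs)
{
    unsigned n = 99;
    return check_far_ret_cs(cpl, cs_sel, cs, &n) == RET_OK ? n : 99;
}

/* Constructed descriptors: {type, conforming, readable, writable, dpl, present} */
static const descriptor KCODE = { SEG_CODE, 0, 1, 0, 0, 1 };   /* ring-0 code */
static const descriptor UCODE = { SEG_CODE, 0, 1, 0, 3, 1 };   /* ring-3 code */
static const descriptor KDATA = { SEG_DATA, 0, 1, 1, 0, 1 };   /* ring-0 data/stack */
static const descriptor UDATA = { SEG_DATA, 0, 1, 1, 3, 1 };   /* ring-3 data/stack */

int main(void)
{
    printf("ring 3 RET to selector 0008h (RPL 0): fault %d\n",
           check_far_ret_cs(3, 0x0008, &KCODE, NULL));
    printf("ring 0 RET to selector 001Bh (RPL 3): new CPL %u\n",
           cpl_after_far_ret(0, 0x001B, &UCODE));
    printf("DS=0010h (ring-0 data) kept after return to ring 3: %d\n",
           data_seg_stays_valid(3, 0x0010, &KDATA));
    return 0;
}
```

The first check (RPL ≥ CPL) is what prevents a far RET from being used as a privilege-raising transfer: the only way from an outer to an inner level is a CALL through a gate, never a return.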
18950 Protected Mode Exceptions
#GP, #NP, or #SS, as described under "Operation" above; #PF(fault-code) for
a page fault
18955 Real Address Mode Exceptions
18957 Interrupt 13 if any part of the operand would be outside the effective
18958 address space from 0 to 0FFFFH
18960 Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
18966 SAHF ‘‘ Store AH into Flags
18968 Opcode Instruction Clocks Description
18970 9E SAHF 3 Store AH into flags SF ZF xx AF xx PF xx CF
SF:ZF:xx:AF:xx:PF:xx:CF ← AH;
18979 SAHF loads the flags listed above with values from the AH register,
18980 from bits 7, 6, 4, 2, and 0, respectively.
18984 SF, ZF, AF, PF, and CF as described above
Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None
18999 SAL/SAR/SHL/SHR ‘‘ Shift Instructions
Opcode     Instruction       Clocks   Description
D0 /4      SAL r/m8,1        3/7      Multiply r/m byte by 2, once
D2 /4      SAL r/m8,CL       3/7      Multiply r/m byte by 2, CL times
C0 /4 ib   SAL r/m8,imm8     3/7      Multiply r/m byte by 2, imm8 times
D1 /4      SAL r/m16,1       3/7      Multiply r/m word by 2, once
D3 /4      SAL r/m16,CL      3/7      Multiply r/m word by 2, CL times
C1 /4 ib   SAL r/m16,imm8    3/7      Multiply r/m word by 2, imm8 times
D1 /4      SAL r/m32,1       3/7      Multiply r/m dword by 2, once
D3 /4      SAL r/m32,CL      3/7      Multiply r/m dword by 2, CL times
C1 /4 ib   SAL r/m32,imm8    3/7      Multiply r/m dword by 2, imm8 times
D0 /7      SAR r/m8,1        3/7      Signed divide^(1) r/m byte by 2, once
D2 /7      SAR r/m8,CL       3/7      Signed divide^(1) r/m byte by 2, CL times
C0 /7 ib   SAR r/m8,imm8     3/7      Signed divide^(1) r/m byte by 2, imm8 times
D1 /7      SAR r/m16,1       3/7      Signed divide^(1) r/m word by 2, once
D3 /7      SAR r/m16,CL      3/7      Signed divide^(1) r/m word by 2, CL times
C1 /7 ib   SAR r/m16,imm8    3/7      Signed divide^(1) r/m word by 2, imm8 times
D1 /7      SAR r/m32,1       3/7      Signed divide^(1) r/m dword by 2, once
D3 /7      SAR r/m32,CL      3/7      Signed divide^(1) r/m dword by 2, CL times
C1 /7 ib   SAR r/m32,imm8    3/7      Signed divide^(1) r/m dword by 2, imm8 times
D0 /4      SHL r/m8,1        3/7      Multiply r/m byte by 2, once
D2 /4      SHL r/m8,CL       3/7      Multiply r/m byte by 2, CL times
C0 /4 ib   SHL r/m8,imm8     3/7      Multiply r/m byte by 2, imm8 times
D1 /4      SHL r/m16,1       3/7      Multiply r/m word by 2, once
D3 /4      SHL r/m16,CL      3/7      Multiply r/m word by 2, CL times
C1 /4 ib   SHL r/m16,imm8    3/7      Multiply r/m word by 2, imm8 times
D1 /4      SHL r/m32,1       3/7      Multiply r/m dword by 2, once
D3 /4      SHL r/m32,CL      3/7      Multiply r/m dword by 2, CL times
C1 /4 ib   SHL r/m32,imm8    3/7      Multiply r/m dword by 2, imm8 times
D0 /5      SHR r/m8,1        3/7      Unsigned divide r/m byte by 2, once
D2 /5      SHR r/m8,CL       3/7      Unsigned divide r/m byte by 2, CL times
C0 /5 ib   SHR r/m8,imm8     3/7      Unsigned divide r/m byte by 2, imm8 times
D1 /5      SHR r/m16,1       3/7      Unsigned divide r/m word by 2, once
D3 /5      SHR r/m16,CL      3/7      Unsigned divide r/m word by 2, CL times
C1 /5 ib   SHR r/m16,imm8    3/7      Unsigned divide r/m word by 2, imm8 times
D1 /5      SHR r/m32,1       3/7      Unsigned divide r/m dword by 2, once
D3 /5      SHR r/m32,CL      3/7      Unsigned divide r/m dword by 2, CL times
C1 /5 ib   SHR r/m32,imm8    3/7      Unsigned divide r/m dword by 2, imm8 times
19068 Not the same division as IDIV; rounding is toward negative infinity.
(* COUNT is the second parameter, masked to its low five bits *)
temp ← COUNT;
WHILE (temp <> 0)
DO
   IF instruction is SAL or SHL
   THEN CF ← high-order bit of r/m;
   FI;
   IF instruction is SAR or SHR
   THEN CF ← low-order bit of r/m;
   FI;
   IF instruction = SAL or SHL
   THEN r/m ← r/m * 2;
   FI;
   IF instruction = SAR
   THEN r/m ← r/m / 2; (* Signed divide, rounding toward negative infinity *)
   FI;
   IF instruction = SHR
   THEN r/m ← r/m / 2; (* Unsigned divide *)
   FI;
   temp ← temp - 1;
OD;

(* Determine overflow for the various instructions *)
IF COUNT = 1
THEN
   IF instruction is SAL or SHL
   THEN OF ← high-order bit of r/m <> (CF);
   FI;
   IF instruction is SAR
   THEN OF ← 0;
   FI;
   IF instruction is SHR
   THEN OF ← high-order bit of original operand;
   FI;
ELSE OF ← undefined;
FI;
SAL (or its synonym, SHL) shifts the bits of the operand upward. The
high-order bit is shifted into the carry flag, and the low-order bit is set
to 0.
19114 SAR and SHR shift the bits of the operand downward. The low-order
19115 bit is shifted into the carry flag. The effect is to divide the operand by
19116 2. SAR performs a signed divide with rounding toward negative infinity (not
19117 the same as IDIV); the high-order bit remains the same. SHR performs an
19118 unsigned divide; the high-order bit is set to 0.
19120 The shift is repeated the number of times indicated by the second
19121 operand, which is either an immediate number or the contents of the CL
19122 register. To reduce the maximum execution time, the 80386 does not
19123 allow shift counts greater than 31. If a shift count greater than 31 is
19124 attempted, only the bottom five bits of the shift count are used. (The
19125 8086 uses all eight bits of the shift count.)
The overflow flag is defined only if the single-shift forms of the
instructions are used. For left shifts, OF is set to 0 if the high bit of
the result is the same as the carry flag (i.e., the top two bits of the
original operand were the same); OF is set to 1 if they are different. For
SAR, OF is set to 0 for all single shifts. For SHR, OF is set to the
high-order bit of the original operand.
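The C model below is an added example, not code from the Intel manual. It implements SAR, SHR and SHL on 32-bit operands with the count masking and single-shift OF rules described above, and puts SAR beside an IDIV-style division by 2 to show the rounding difference the footnote warns about: SAR rounds toward negative infinity, IDIV truncates toward zero, so the two disagree for every odd negative operand. The `shift_result` type and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t result;
    int cf;
    int of;          /* meaningful only when of_defined is 1 */
    int of_defined;  /* single-shift form (masked count = 1) */
} shift_result;

/* SAR: signed divide by 2 per step, rounding toward negative infinity.
 * Written with explicit floor arithmetic rather than `>>` so the rounding
 * rule is visible and not left to the C implementation. */
static shift_result sar32(int32_t value, unsigned count)
{
    unsigned n = count & 31u;                    /* 80386 masks the count */
    int32_t v = value;
    shift_result r = { 0, 0, 0, (n == 1) };
    for (unsigned i = 0; i < n; i++) {
        r.cf = (int)(v & 1);                     /* low-order bit into CF */
        int32_t q = v / 2;                       /* C truncates toward zero... */
        if (v < 0 && (v % 2) != 0) q -= 1;       /* ...so floor odd negatives */
        v = q;
    }
    r.result = (uint32_t)v;
    r.of = 0;                                    /* SAR,1 clears OF */
    return r;
}

/* SHR: unsigned divide by 2 per step; OF (count 1) is the original MSB. */
static shift_result shr32(uint32_t value, unsigned count)
{
    unsigned n = count & 31u;
    shift_result r = { value, 0, 0, (n == 1) };
    for (unsigned i = 0; i < n; i++) {
        r.cf = (int)(r.result & 1u);
        r.result >>= 1;
    }
    r.of = (int)(value >> 31);
    return r;
}

/* SHL/SAL: multiply by 2 per step; OF (count 1) = MSB of result XOR CF. */
static shift_result shl32(uint32_t value, unsigned count)
{
    unsigned n = count & 31u;
    shift_result r = { value, 0, 0, (n == 1) };
    for (unsigned i = 0; i < n; i++) {
        r.cf = (int)(r.result >> 31);
        r.result <<= 1;
    }
    r.of = ((int)(r.result >> 31) != r.cf);
    return r;
}

/* What IDIV by 2 gives: truncation toward zero. */
static int32_t idiv_by_2(int32_t value) { return value / 2; }

int main(void)
{
    printf("SAR -7,1 = %d   IDIV -7/2 = %d\n",
           (int32_t)sar32(-7, 1).result, idiv_by_2(-7));
    printf("SHR 80000000h,1 -> %08X OF=%d\n",
           shr32(0x80000000u, 1).result, shr32(0x80000000u, 1).of);
    printf("SHL 40000000h,1 -> %08X OF=%d\n",
           shl32(0x40000000u, 1).result, shl32(0x40000000u, 1).of);
    return 0;
}
```

A compiler that rewrites `x / 2` as `SAR x,1` must add the same odd-negative fix-up shown in `sar32`; omitting it is the classic off-by-one for negative operands.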
19136 OF for single shifts; OF is undefined for multiple shifts; CF, ZF, PF,
19137 and SF as described in Appendix C
19139 Protected Mode Exceptions
19141 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19142 memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
19146 Real Address Mode Exceptions
19148 Interrupt 13 if any part of the operand would lie outside of the effective
19149 address space from 0 to 0FFFFH
19151 Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
19157 SBB ‘‘ Integer Subtraction with Borrow
Opcode     Instruction        Clocks   Description
1C ib      SBB AL,imm8        2        Subtract with borrow immediate byte from AL
1D iw      SBB AX,imm16       2        Subtract with borrow immediate word from AX
1D id      SBB EAX,imm32      2        Subtract with borrow immediate dword from EAX
80 /3 ib   SBB r/m8,imm8      2/7      Subtract with borrow immediate byte from r/m byte
81 /3 iw   SBB r/m16,imm16    2/7      Subtract with borrow immediate word from r/m word
81 /3 id   SBB r/m32,imm32    2/7      Subtract with borrow immediate dword from r/m dword
83 /3 ib   SBB r/m16,imm8     2/7      Subtract with borrow sign-extended immediate byte from r/m word
83 /3 ib   SBB r/m32,imm8     2/7      Subtract with borrow sign-extended immediate byte from r/m dword
18 /r      SBB r/m8,r8        2/6      Subtract with borrow byte register from r/m byte
19 /r      SBB r/m16,r16      2/6      Subtract with borrow word register from r/m word
19 /r      SBB r/m32,r32      2/6      Subtract with borrow dword register from r/m dword
1A /r      SBB r8,r/m8        2/7      Subtract with borrow r/m byte from byte register
1B /r      SBB r16,r/m16      2/7      Subtract with borrow r/m word from word register
1B /r      SBB r32,r/m32      2/7      Subtract with borrow r/m dword from dword register
IF SRC is a byte and DEST is a word or dword
THEN DEST ← DEST - (SignExtend(SRC) + CF)
ELSE DEST ← DEST - (SRC + CF);
FI;

SBB adds the second operand (SRC) to the carry flag (CF) and
subtracts the result from the first operand (DEST). The result of the
subtraction is assigned to the first operand (DEST), and the flags are
set accordingly.

When an immediate byte value is subtracted from a word or doubleword
operand, the immediate value is first sign-extended to the size of the
destination operand.
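The following C model is an added example and not code from the Intel manual. It computes SBB on 32-bit operands together with the CF (unsigned borrow) and OF (signed overflow) results, shows the sign-extension of an imm8 operand, and chains a SUB with an SBB to subtract 64-bit values on a 32-bit machine, which is the purpose of the borrow input. The `alu_result` and `sub64_result` types and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t result; int cf; int of; } alu_result;

/* SBB r/m32, r32: DEST - (SRC + CF). CF out is the unsigned borrow out of
 * bit 31; OF is the signed overflow (operands of opposite sign and the
 * result's sign differing from DEST's). */
static alu_result sbb32(uint32_t dest, uint32_t src, int cf_in)
{
    uint64_t wide = (uint64_t)dest - (uint64_t)src - (uint64_t)(cf_in & 1);
    alu_result r;
    r.result = (uint32_t)wide;
    r.cf = (int)((wide >> 32) & 1u);
    r.of = (int)((((dest ^ src) & (dest ^ r.result)) >> 31) & 1u);
    return r;
}

/* SBB r/m32, imm8 (opcode 83 /3): the immediate is sign-extended to 32 bits
 * before the subtraction, so an imm8 of -1 subtracts 0FFFFFFFFH. */
static alu_result sbb32_imm8(uint32_t dest, int8_t imm8, int cf_in)
{
    return sbb32(dest, (uint32_t)(int32_t)imm8, cf_in);
}

typedef struct { uint64_t value; int borrow; } sub64_result;

/* 64-bit subtraction on a 32-bit machine: SUB on the low halves (borrow-in
 * 0), then SBB on the high halves consumes the borrow SUB left in CF. */
static sub64_result sub64_chain(uint64_t a, uint64_t b)
{
    alu_result lo = sbb32((uint32_t)a, (uint32_t)b, 0);                       /* SUB lo,lo */
    alu_result hi = sbb32((uint32_t)(a >> 32), (uint32_t)(b >> 32), lo.cf);   /* SBB hi,hi */
    sub64_result r = { ((uint64_t)hi.result << 32) | lo.result, hi.cf };
    return r;
}

int main(void)
{
    alu_result x = sbb32_imm8(0x10, -1, 0);
    sub64_result y = sub64_chain(0x100000000ULL, 1);
    printf("SBB 10h, imm8(-1) -> %08X CF=%d\n", x.result, x.cf);
    printf("100000000h - 1 via SUB/SBB -> %016llX borrow=%d\n",
           (unsigned long long)y.value, y.borrow);
    return 0;
}
```

Because the SBB of the high halves depends on CF from the SUB, nothing that modifies CF may sit between the two instructions; INC and DEC are the usual exceptions that leave CF alone.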
19210 OF, SF, ZF, AF, PF, and CF as described in Appendix C
19212 Protected Mode Exceptions
19214 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19215 memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
19219 Real Address Mode Exceptions
19221 Interrupt 13 if any part of the operand would lie outside of the effective
19222 address space from 0 to 0FFFFH
19224 Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
19230 SCAS/SCASB/SCASW/SCASD ‘‘ Compare String Data
19232 Opcode Instruction Clocks Description
19234 AE SCAS m8 7 Compare bytes AL-ES:[DI], update (E)DI
19235 AF SCAS m16 7 Compare words AX-ES:[DI], update (E)DI
19236 AF SCAS m32 7 Compare dwords EAX-ES:[DI], update (E)DI
19237 AE SCASB 7 Compare bytes AL-ES:[DI], update (E)DI
19238 AF SCASW 7 Compare words AX-ES:[DI], update (E)DI
19239 AF SCASD 7 Compare dwords EAX-ES:[DI], update (E)DI
IF AddressSize = 16
THEN use DI for dest-index;
ELSE (* AddressSize = 32 *) use EDI for dest-index;
FI;
IF byte type of instruction
THEN
   AL - [dest-index]; (* Compare byte in AL and dest *)
   IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
ELSE
   IF OperandSize = 16
   THEN
      AX - [dest-index]; (* Compare word in AX and dest *)
      IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
   ELSE (* OperandSize = 32 *)
      EAX - [dest-index]; (* Compare dword in EAX and dest *)
      IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
   FI;
FI;
dest-index ← dest-index + IncDec;
SCAS subtracts the memory byte, word, or doubleword at the destination
register from the AL, AX, or EAX register. The result is discarded; only
the flags are set. The operand must be addressable from the ES segment;
no segment override is possible.
19271 If the address-size attribute for this instruction is 16 bits, DI is used
19272 as the destination register; otherwise, the address-size attribute is 32
19273 bits and EDI is used.
19275 The address of the memory data being compared is determined solely by the
19276 contents of the destination register, not by the operand to SCAS. The
19277 operand validates ES segment addressability and determines the data type.
19278 Load the correct index value into DI or EDI before executing SCAS.
19280 After the comparison is made, the destination register is automatically
19281 updated. If the direction flag is 0 (CLD was executed), the destination
19282 register is incremented; if the direction flag is 1 (STD was executed), it
19283 is decremented. The increments or decrements are by 1 if bytes are compared,
19284 by 2 if words are compared, or by 4 if doublewords are compared.
19286 SCASB, SCASW, and SCASD are synonyms for the byte, word and
19287 doubleword SCAS instructions that don't require operands. They are
19288 simpler to code, but provide no type or segment checking.
SCAS can be preceded by the REPE or REPNE prefix for a block search
of CX or ECX bytes, words, or doublewords. Refer to the REP instruction
for further information.
19296 OF, SF, ZF, AF, PF, and CF as described in Appendix C
19298 Protected Mode Exceptions
19300 #GP(0) for an illegal memory operand effective address in the CS, DS,
19301 ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
19302 #PF(fault-code) for a page fault
19304 Real Address Mode Exceptions
19306 Interrupt 13 if any part of the operand would lie outside of the effective
19307 address space from 0 to 0FFFFH
19309 Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
19315 SETcc ‘‘ Byte Set on Condition
Opcode   Instruction    Clocks   Description
0F 97    SETA r/m8      4/5      Set byte if above (CF=0 and ZF=0)
0F 93    SETAE r/m8     4/5      Set byte if above or equal (CF=0)
0F 92    SETB r/m8      4/5      Set byte if below (CF=1)
0F 96    SETBE r/m8     4/5      Set byte if below or equal (CF=1 or ZF=1)
0F 92    SETC r/m8      4/5      Set byte if carry (CF=1)
0F 94    SETE r/m8      4/5      Set byte if equal (ZF=1)
0F 9F    SETG r/m8      4/5      Set byte if greater (ZF=0 and SF=OF)
0F 9D    SETGE r/m8     4/5      Set byte if greater or equal (SF=OF)
0F 9C    SETL r/m8      4/5      Set byte if less (SF<>OF)
0F 9E    SETLE r/m8     4/5      Set byte if less or equal (ZF=1 or SF<>OF)
0F 96    SETNA r/m8     4/5      Set byte if not above (CF=1 or ZF=1)
0F 92    SETNAE r/m8    4/5      Set byte if not above or equal (CF=1)
0F 93    SETNB r/m8     4/5      Set byte if not below (CF=0)
0F 97    SETNBE r/m8    4/5      Set byte if not below or equal (CF=0 and ZF=0)
0F 93    SETNC r/m8     4/5      Set byte if not carry (CF=0)
0F 95    SETNE r/m8     4/5      Set byte if not equal (ZF=0)
0F 9E    SETNG r/m8     4/5      Set byte if not greater (ZF=1 or SF<>OF)
0F 9C    SETNGE r/m8    4/5      Set byte if not greater or equal (SF<>OF)
0F 9D    SETNL r/m8     4/5      Set byte if not less (SF=OF)
0F 9F    SETNLE r/m8    4/5      Set byte if not less or equal (ZF=0 and SF=OF)
0F 91    SETNO r/m8     4/5      Set byte if not overflow (OF=0)
0F 9B    SETNP r/m8     4/5      Set byte if not parity (PF=0)
0F 99    SETNS r/m8     4/5      Set byte if not sign (SF=0)
0F 95    SETNZ r/m8     4/5      Set byte if not zero (ZF=0)
0F 90    SETO r/m8      4/5      Set byte if overflow (OF=1)
0F 9A    SETP r/m8      4/5      Set byte if parity (PF=1)
0F 9A    SETPE r/m8     4/5      Set byte if parity even (PF=1)
0F 9B    SETPO r/m8     4/5      Set byte if parity odd (PF=0)
0F 98    SETS r/m8      4/5      Set byte if sign (SF=1)
0F 94    SETZ r/m8      4/5      Set byte if zero (ZF=1)
IF condition THEN r/m8 ← 1 ELSE r/m8 ← 0; FI;

SETcc stores a byte with the value 1 at the destination specified by the
effective address or register if the condition is met, or a byte with the
value 0 if the condition is not met.
19369 Protected Mode Exceptions
19371 #GP(0) if the result is in a non-writable segment; #GP(0) for an illegal
19372 memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
fault
19376 Real Address Mode Exceptions
19378 Interrupt 13 if any part of the operand would lie outside of the effective
19379 address space from 0 to 0FFFFH
19381 Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
19387 SGDT/SIDT ‘‘ Store Global/Interrupt Descriptor Table Register
19389 Opcode Instruction Clocks Description
19391 0F 01 /0 SGDT m 9 Store GDTR to m
19392 0F 01 /1 SIDT m 9 Store IDTR to m
DEST ← 48-bit BASE/LIMIT register contents;

SGDT/SIDT copies the contents of the descriptor table register to the six
bytes of memory indicated by the operand. The LIMIT field of the
register is assigned to the first word at the effective address. If the
operand-size attribute is 32 bits, the next four bytes are assigned the
32-bit BASE field of the register. Otherwise, if the operand-size
attribute is 16 bits, the next three bytes are assigned the low-order 24
bits of the BASE field, and the fourth byte is written with zero (see the
note below on 80286 compatibility).

SGDT and SIDT are used only in operating system software; they are
not used in application programs.
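The C code below is an added example, not code from the Intel manual. It encodes and decodes the six-byte image SGDT/SIDT store, in both operand sizes, so the layout described above (16-bit LIMIT first, then BASE, with only 24 bits of BASE and a zero sixth byte in the 16-bit form) can be checked against a constructed sample. The `dtr_image` type, the helper names and the sample GDT address are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded descriptor table register image. */
typedef struct {
    uint16_t limit;
    uint32_t base;
    unsigned entries;   /* 8-byte descriptors (or gates) the table can hold */
} dtr_image;

/* Decode the six bytes SGDT/SIDT stored. With a 16-bit operand size only
 * the low 24 bits of BASE were stored and the sixth byte is a zero filler. */
static dtr_image parse_dtr(const uint8_t m[6], int operand_size_16)
{
    dtr_image d;
    d.limit = (uint16_t)(m[0] | (m[1] << 8));
    d.base  = (uint32_t)m[2] | ((uint32_t)m[3] << 8) | ((uint32_t)m[4] << 16);
    if (!operand_size_16)
        d.base |= (uint32_t)m[5] << 24;           /* 32-bit form: full base */
    d.entries = ((unsigned)d.limit + 1u) / 8u;    /* limit = last valid byte offset */
    return d;
}

/* Encode a register image the way the instruction stores it (little-endian). */
static void store_dtr(uint8_t out[6], uint16_t limit, uint32_t base, int operand_size_16)
{
    out[0] = (uint8_t)(limit & 0xFF);
    out[1] = (uint8_t)(limit >> 8);
    out[2] = (uint8_t)(base & 0xFF);
    out[3] = (uint8_t)((base >> 8) & 0xFF);
    out[4] = (uint8_t)((base >> 16) & 0xFF);
    out[5] = operand_size_16 ? 0 : (uint8_t)((base >> 24) & 0xFF);
}

/* Store-then-parse round trip: shows the high byte of BASE is lost in the
 * 16-bit form. */
static uint32_t roundtrip_base(uint32_t base, int operand_size_16)
{
    uint8_t buf[6];
    store_dtr(buf, 0x07FF, base, operand_size_16);
    return parse_dtr(buf, operand_size_16).base;
}

/* The sixth byte as stored: zero in the 16-bit form, bits 31..24 of BASE otherwise. */
static uint8_t stored_sixth_byte(uint32_t base, int operand_size_16)
{
    uint8_t buf[6];
    store_dtr(buf, 0x07FF, base, operand_size_16);
    return buf[5];
}

/* Constructed sample: what a 32-bit SGDT stores for a GDT at 0C0001000H
 * holding 8 descriptors (limit = 8*8 - 1 = 3FH). */
static const uint8_t SAMPLE_SGDT32[6] = { 0x3F, 0x00, 0x00, 0x10, 0x00, 0xC0 };

int main(void)
{
    dtr_image g = parse_dtr(SAMPLE_SGDT32, 0);
    printf("GDT base=%08X limit=%04X entries=%u\n", g.base, g.limit, g.entries);
    printf("16-bit form of base AB123456h round-trips as %08X, sixth byte %02X\n",
           roundtrip_base(0xAB123456u, 1), stored_sixth_byte(0xAB123456u, 1));
    return 0;
}
```

The same decoder applies to SIDT output; an IDT limit of 07FFH decodes to 256 eight-byte gates, which is the value system software typically expects to see.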
19417 Protected Mode Exceptions
19419 Interrupt 6 if the destination operand is a register; #GP(0) if the
19420 destination is in a nonwritable segment; #GP(0) for an illegal memory
19421 operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for
19422 an illegal address in the SS segment; #PF(fault-code) for a page fault
19424 Real Address Mode Exceptions
19426 Interrupt 6 if the destination operand is a register; Interrupt 13 if any
19427 part of the operand would lie outside of the effective address space from
19430 Virtual 8086 Mode Exceptions
19432 Same exceptions as in Real Address Mode; #PF(fault-code) for a page
19437 The 16-bit forms of the SGDT/SIDT instructions are compatible with
19438 the 80286, if the value in the upper eight bits is not referenced. The
19439 80286 stores 1's in these upper bits, whereas the 80386 stores 0's if the
19440 operand-size attribute is 16 bits. These bits were specified as undefined
19441 by the SGDT/SIDT instructions in the iAPX 286 Programmer's
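As an added example, not taken from the manual, the following C code decodes the six-byte image that SGDT/SIDT writes (LIMIT word first, then the 32-bit BASE) and applies the compatibility note above by masking off the upper eight bits of BASE when the 16-bit form was used. The type and function names (pseudo_desc_t, decode_pseudo_desc, desc_count, selector_in_bounds) and the sample bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The six bytes SGDT/SIDT store: bytes 0-1 hold LIMIT (little-endian word),
   bytes 2-5 hold BASE (little-endian dword). Struct name is constructed. */
typedef struct {
    uint16_t limit;
    uint32_t base;
} pseudo_desc_t;

/* Decode the stored image. With op16 set the 16-bit form was used, and the
   compatibility note says the upper eight bits of BASE must not be
   referenced (the 80286 stores 1s there, the 80386 stores 0s), so they are
   masked off and only a 24-bit base is returned. */
pseudo_desc_t decode_pseudo_desc(const uint8_t m[6], bool op16)
{
    pseudo_desc_t d;
    d.limit = (uint16_t)(m[0] | (m[1] << 8));
    d.base  = (uint32_t)m[2] | ((uint32_t)m[3] << 8) |
              ((uint32_t)m[4] << 16) | ((uint32_t)m[5] << 24);
    if (op16)
        d.base &= 0x00FFFFFFu;
    return d;
}

/* LIMIT is the offset of the last valid byte of the table, so a table of
   N eight-byte descriptors has LIMIT = 8*N - 1. */
unsigned desc_count(const pseudo_desc_t *d)
{
    return ((unsigned)d->limit + 1u) / 8u;
}

/* True when the 8-byte descriptor a selector indexes lies wholly inside
   LIMIT; the low three selector bits (TI and RPL) do not take part. */
bool selector_in_bounds(const pseudo_desc_t *d, uint16_t selector)
{
    uint32_t offset = selector & 0xFFF8u;
    return offset + 7u <= d->limit;
}

int main(void)
{
    /* constructed image: LIMIT 0x0017 (three descriptors), BASE 0xFF201000 */
    const uint8_t image[6] = { 0x17, 0x00, 0x00, 0x10, 0x20, 0xFF };
    pseudo_desc_t g = decode_pseudo_desc(image, false);
    printf("base=%08X limit=%04X entries=%u\n", g.base, g.limit, desc_count(&g));
    return 0;
}
```

The bounds helper is the same check a selector must pass to be "defined" in the VERR/VERW sense: a selector whose descriptor would extend past LIMIT is rejected before any other attribute is looked at.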
19445 SHLD - Double Precision Shift Left
19447 Opcode Instruction Clocks Description
19449 0F A4 SHLD r/m16,r16,imm8 3/7 r/m16 gets SHL of r/m16 concatenated
19451 0F A4 SHLD r/m32,r32,imm8 3/7 r/m32 gets SHL of r/m32 concatenated
19453 0F A5 SHLD r/m16,r16,CL 3/7 r/m16 gets SHL of r/m16 concatenated
19455 0F A5 SHLD r/m32,r32,CL 3/7 r/m32 gets SHL of r/m32 concatenated
(* count is an unsigned integer corresponding to the last operand of the
instruction, either an immediate byte or the byte in register CL *)
ShiftAmt ← count MOD 32;
inBits ← register; (* Allow overlapped operands *)
IF ShiftAmt ≥ OperandSize
THEN (* Bad parameters *)
   CF, OF, SF, ZF, AF, PF ← UNDEFINED;
ELSE (* Perform the shift *)
   CF ← BIT[Base, OperandSize - ShiftAmt];
   (* Last bit shifted out on exit *)
   FOR i ← OperandSize - 1 DOWNTO ShiftAmt
      BIT[Base, i] ← BIT[Base, i - ShiftAmt];
   FOR i ← ShiftAmt - 1 DOWNTO 0
      BIT[Base, i] ← BIT[inBits, i - ShiftAmt + OperandSize];
   Set SF, ZF, PF (r/m);
   (* SF, ZF, PF are set according to the value of the result *)
FI;
19491 SHLD shifts the first operand provided by the r/m field to the left as
19492 many bits as specified by the count operand. The second operand (r16 or r32)
19493 provides the bits to shift in from the right (starting with bit 0). The
19494 result is stored back into the r/m operand. The register remains unaltered.
19496 The count operand is provided by either an immediate byte or the contents
19497 of the CL register. These operands are taken MODULO 32 to provide a number
19498 between 0 and 31 by which to shift. Because the bits to shift are provided
19499 by the specified registers, the operation is useful for multiprecision
19500 shifts (64 bits or more). The SF, ZF and PF flags are set according to the
19501 value of the result. CF is set to the value of the last bit shifted out. OF
19502 and AF are left undefined.
19506 SF, ZF, PF, and CF as described above; AF and OF are undefined
19508 Protected Mode Exceptions
19510 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19511 memory operand effective address in the CS, DS, ES, FS, or GS segments;
19512 #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
19515 Real Address Mode Exceptions
19517 Interrupt 13 if any part of the operand would lie outside of the effective
19518 address space from 0 to 0FFFFH
19520 Virtual 8086 Mode Exceptions
19522 Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
19525 SHRD - Double Precision Shift Right
19527 Opcode Instruction Clocks Description
19529 0F AC SHRD r/m16,r16,imm8 3/7 r/m16 gets SHR of r/m16 concatenated
19531 0F AC SHRD r/m32,r32,imm8 3/7 r/m32 gets SHR of r/m32 concatenated
19533 0F AD SHRD r/m16,r16,CL 3/7 r/m16 gets SHR of r/m16 concatenated
19535 0F AD SHRD r/m32,r32,CL 3/7 r/m32 gets SHR of r/m32 concatenated
(* count is an unsigned integer corresponding to the last operand of the
instruction, either an immediate byte or the byte in register CL *)
ShiftAmt ← count MOD 32;
inBits ← register; (* Allow overlapped operands *)
IF ShiftAmt ≥ OperandSize
THEN (* Bad parameters *)
   CF, OF, SF, ZF, AF, PF ← UNDEFINED;
ELSE (* Perform the shift *)
   CF ← BIT[r/m, ShiftAmt - 1]; (* last bit shifted out on exit *)
   FOR i ← 0 TO OperandSize - 1 - ShiftAmt
      BIT[r/m, i] ← BIT[r/m, i - ShiftAmt];
   FOR i ← OperandSize - ShiftAmt TO OperandSize - 1
      BIT[r/m, i] ← BIT[inBits, i + ShiftAmt - OperandSize];
   Set SF, ZF, PF (r/m);
   (* SF, ZF, PF are set according to the value of the result *)
FI;
19571 SHRD shifts the first operand provided by the r/m field to the right as many
19572 bits as specified by the count operand. The second operand (r16 or r32)
19573 provides the bits to shift in from the left (starting with bit 31). The
19574 result is stored back into the r/m operand. The register remains unaltered.
19576 The count operand is provided by either an immediate byte or the contents
19577 of the CL register. These operands are taken MODULO 32 to provide a number
19578 between 0 and 31 by which to shift. Because the bits to shift are provided
19579 by the specified register, the operation is useful for multi-precision
19580 shifts (64 bits or more). The SF, ZF and PF flags are set according to the
19581 value of the result. CF is set to the value of the last bit shifted out. OF
19582 and AF are left undefined.
19586 SF, ZF, PF, and CF as described above; AF and OF are undefined
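The SHLD and SHRD descriptions above as one added C model (this is illustration code, not the manual's): the count is reduced MOD 32, a count at or above the operand size is the "bad parameters" case, CF receives the last bit shifted out, and SF/ZF/PF are set from the result. It also shows the multiprecision use the text mentions, shifting a 64-bit value held in two 32-bit halves. The flag record, the function names (shld, shrd, shl64) and the treatment of a zero count as a no-op that leaves the flags alone are constructed here, not spelled out in the manual's pseudocode.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag record for this model; not the EFLAGS register layout. */
typedef struct {
    bool cf, sf, zf, pf;
    bool valid;   /* false when the manual leaves result and flags UNDEFINED */
} shift_flags_t;

/* PF = 1 when the low byte of the result contains an even number of 1 bits. */
static bool parity_even(uint32_t v)
{
    v &= 0xFFu;
    v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return (v & 1u) == 0;
}

static uint32_t size_mask(unsigned size)
{
    return size == 32 ? 0xFFFFFFFFu : ((1u << size) - 1u);
}

/* "Set SF, ZF, PF (r/m)" from the pseudocode. */
static void set_szp(shift_flags_t *f, uint32_t result, unsigned size)
{
    f->sf = ((result >> (size - 1)) & 1u) != 0;
    f->zf = (result & size_mask(size)) == 0;
    f->pf = parity_even(result);
}

/* SHLD r/m,reg,count: dest (r/m) shifted left, reg bits entering from the
   right; the new r/m value is returned. size is 16 or 32. Count is taken
   MOD 32; a count of 0 is modelled as a no-op with flags unchanged
   (constructed assumption); a count >= size is the "bad parameters" case,
   reported here as valid=false with dest left alone. */
uint32_t shld(uint32_t dest, uint32_t src, unsigned count, unsigned size,
              shift_flags_t *f)
{
    uint32_t mask = size_mask(size);
    unsigned n = count % 32;
    if (n == 0) return dest & mask;
    if (n >= size) { f->valid = false; return dest & mask; }
    /* dest:src concatenated, shifted left, upper `size` bits kept */
    uint64_t pair = ((uint64_t)(dest & mask) << size) | (src & mask);
    uint32_t result = (uint32_t)((pair << n) >> size) & mask;
    f->cf = ((dest >> (size - n)) & 1u) != 0;  /* BIT[Base, OperandSize - ShiftAmt] */
    set_szp(f, result, size);
    f->valid = true;
    return result;
}

/* SHRD r/m,reg,count: dest shifted right, reg bits entering from the left. */
uint32_t shrd(uint32_t dest, uint32_t src, unsigned count, unsigned size,
              shift_flags_t *f)
{
    uint32_t mask = size_mask(size);
    unsigned n = count % 32;
    if (n == 0) return dest & mask;
    if (n >= size) { f->valid = false; return dest & mask; }
    /* src:dest concatenated, shifted right, lower `size` bits kept */
    uint64_t pair = ((uint64_t)(src & mask) << size) | (dest & mask);
    uint32_t result = (uint32_t)(pair >> n) & mask;
    f->cf = ((dest >> (n - 1)) & 1u) != 0;     /* BIT[r/m, ShiftAmt - 1] */
    set_szp(f, result, size);
    f->valid = true;
    return result;
}

/* Multiprecision use: shift a 64-bit value held in two 32-bit halves left
   by n (1..31) with SHLD on the high half, then SHL on the low half. */
void shl64(uint32_t *hi, uint32_t *lo, unsigned n)
{
    shift_flags_t f;
    *hi = shld(*hi, *lo, n, 32, &f);
    *lo <<= n;
}

int main(void)
{
    uint32_t hi = 0x00000001u, lo = 0x80000000u;
    shl64(&hi, &lo, 1);
    printf("0x%08X%08X\n", hi, lo);
    return 0;
}
```

The order in shl64 matters: SHLD must read the low half before SHL discards the bits that are to be carried across, which is exactly why the r/m operand is updated and the register operand left unaltered.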
19588 Protected Mode Exceptions
19590 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19591 memory operand effective address in the CS, DS, ES, FS, or GS
19592 segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
19595 Real Address Mode Exceptions
19597 Interrupt 13 if any part of the operand would lie outside of the effective
19598 address space from 0 to 0FFFFH
19600 Virtual 8086 Mode Exceptions
19602 Same exceptions as in Real Address Mode; #PF(fault-code) for a page
19606 SLDT - Store Local Descriptor Table Register
19608 Opcode Instruction Clocks Description
19610 0F 00 /0 SLDT r/m16 pm=2/2 Store LDTR to EA word
19619 SLDT stores the Local Descriptor Table Register (LDTR) in the two-byte
19620 register or memory location indicated by the effective address operand.
19621 This register is a selector that points into the Global Descriptor Table.
19623 SLDT is used only in operating system software. It is not used in
19624 application programs.
19630 Protected Mode Exceptions
19632 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19633 memory operand effective address in the CS, DS, ES, FS, or GS segments;
19634 #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
19637 Real Address Mode Exceptions
19639 Interrupt 6; SLDT is not recognized in Real Address Mode
19641 Virtual 8086 Mode Exceptions
19643 Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
19647 The operand-size attribute has no effect on the operation of the
19651 SMSW - Store Machine Status Word
19653 Opcode Instruction Clocks Description
19655 0F 01 /4 SMSW r/m16 2/3,pm=2/2 Store machine status word to EA
19665 SMSW stores the machine status word (part of CR0) in the two-byte register
19666 or memory location indicated by the effective address operand.
19672 Protected Mode Exceptions
19674 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19675 memory operand effective address in the CS, DS, ES, FS, or GS segments;
19676 #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
19679 Real Address Mode Exceptions
19681 Interrupt 13 if any part of the operand would lie outside of the effective
19682 address space from 0 to 0FFFFH
19684 Virtual 8086 Mode Exceptions
19686 Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
19690 This instruction is provided for compatibility with the 80286; 80386
19691 programs should use MOV ..., CR0.
19694 STC - Set Carry Flag
19696 Opcode Instruction Clocks Description
19698 F9 STC 2 Set carry flag
19707 STC sets the carry flag to 1.
19713 Protected Mode Exceptions
19717 Real Address Mode Exceptions
19721 Virtual 8086 Mode Exceptions
19726 STD - Set Direction Flag
19728 Opcode Instruction Clocks Description
19730 FD STD 2 Set direction flag so (E)SI and/or (E)DI
19740 STD sets the direction flag to 1, causing all subsequent string operations
19741 to decrement the index registers, (E)SI and/or (E)DI, on which they
19748 Protected Mode Exceptions
19752 Real Address Mode Exceptions
19756 Virtual 8086 Mode Exceptions
19761 STI - Set Interrupt Flag
19763 Opcode Instruction Clocks Description
19765 FB STI 3 Set interrupt flag; interrupts enabled at the
19766 end of the next instruction
19775 STI sets the interrupt flag to 1. The 80386 then responds to external
19776 interrupts after executing the next instruction if the next instruction
19777 allows the interrupt flag to remain enabled. If external interrupts are
19778 disabled and you code STI, RET (such as at the end of a subroutine),
19779 the RET is allowed to execute before external interrupts are recognized.
19780 Also, if external interrupts are disabled and you code STI, CLI, then
19781 external interrupts are not recognized because the CLI instruction clears
19782 the interrupt flag during its execution.
19788 Protected Mode Exceptions
19790 #GP(0) if the current privilege level is greater (has less privilege) than
19791 the I/O privilege level
19793 Real Address Mode Exceptions
19797 Virtual 8086 Mode Exceptions
19802 STOS/STOSB/STOSW/STOSD - Store String Data
19804 Opcode Instruction Clocks Description
19806 AA STOS m8 4 Store AL in byte ES:[(E)DI], update (E)DI
19807 AB STOS m16 4 Store AX in word ES:[(E)DI], update (E)DI
19808 AB STOS m32 4 Store EAX in dword ES:[(E)DI], update (E)DI
19809 AA STOSB 4 Store AL in byte ES:[(E)DI], update (E)DI
19810 AB STOSW 4 Store AX in word ES:[(E)DI], update (E)DI
19811 AB STOSD 4 Store EAX in dword ES:[(E)DI], update (E)DI
IF AddressSize = 16
THEN use ES:DI for DestReg
ELSE (* AddressSize = 32 *) use ES:EDI for DestReg;
FI;
IF byte type of instruction
THEN
   (ES:DestReg) ← AL;
   IF DF = 0
   THEN DestReg ← DestReg + 1;
   ELSE DestReg ← DestReg - 1;
   FI;
ELSE IF OperandSize = 16
THEN
   (ES:DestReg) ← AX;
   IF DF = 0
   THEN DestReg ← DestReg + 2;
   ELSE DestReg ← DestReg - 2;
   FI;
ELSE (* OperandSize = 32 *)
   (ES:DestReg) ← EAX;
   IF DF = 0
   THEN DestReg ← DestReg + 4;
   ELSE DestReg ← DestReg - 4;
   FI;
FI;
19845 STOS transfers the contents of the AL, AX, or EAX register to the memory
19846 byte or word given by the destination register relative to the ES segment.
19847 The destination register is DI for an address-size attribute of 16 bits or
19848 EDI for an address-size attribute of 32 bits.
19850 The destination operand must be addressable from the ES register. A segment
19851 override is not possible.
19853 The address of the destination is determined by the contents of the
19854 destination register, not by the explicit operand of STOS. This operand is
19855 used only to validate ES segment addressability and to determine the data
19856 type. Load the correct index value into the destination register before
19859 After the transfer is made, DI is automatically updated. If the direction
19860 flag is 0 (CLD was executed), DI is incremented; if the direction flag is
19861 1 (STD was executed), DI is decremented. DI is incremented or decremented by
19862 1 if a byte is stored, by 2 if a word is stored, or by 4 if a doubleword is
19865 STOSB, STOSW, and STOSD are synonyms for the byte, word, and doubleword STOS
19866 instructions, that do not require an operand. They are simpler to use, but
19867 provide no type or segment checking.
19869 STOS can be preceded by the REP prefix for a block fill of CX or ECX bytes,
19870 words, or doublewords. Refer to the REP instruction for further details.
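An added C model of STOS and REP STOS, not from the manual, that follows the pseudocode above: the direction flag picks increment or decrement, the operand width sets the step, and a 16-bit address size uses and updates only DI. It also refuses any store that would reach past the ES limit or land in a non-writable segment, the situation the exceptions list reports as #GP(0) or interrupt 13, and leaves memory untouched in that case. The segment and register structs, the function names (stos_once, rep_stos) and the sample values are constructed for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the ES segment and the registers STOS touches. */
typedef struct {
    uint8_t *mem;       /* bytes of the segment, offset 0 = segment base */
    uint32_t limit;     /* highest valid offset */
    bool writable;
} segment_t;

typedef struct {
    uint32_t eax, edi, ecx;
    bool df;            /* direction flag: 0 = increment, 1 = decrement */
} cpu_t;

/* One STOS of `width` bytes (1, 2 or 4). Returns 0 on success, -1 when the
   store would touch an offset beyond LIMIT or the segment is not writable;
   nothing is written in that case. With a 16-bit address size only DI is
   used and updated; the upper word of EDI is left alone. */
int stos_once(cpu_t *c, segment_t *es, unsigned width, bool addr16)
{
    uint32_t dest = addr16 ? (c->edi & 0xFFFFu) : c->edi;
    if (!es->writable || (uint64_t)dest + width - 1 > es->limit)
        return -1;
    for (unsigned i = 0; i < width; i++)           /* little-endian store */
        es->mem[dest + i] = (uint8_t)(c->eax >> (8 * i));
    int32_t step = c->df ? -(int32_t)width : (int32_t)width;
    if (addr16)
        c->edi = (c->edi & 0xFFFF0000u) | ((c->edi + (uint32_t)step) & 0xFFFFu);
    else
        c->edi += (uint32_t)step;
    return 0;
}

/* REP STOS: repeat (E)CX times, counting down; stops on a fault and
   returns -1 with (E)CX and (E)DI reflecting the stores already done. */
int rep_stos(cpu_t *c, segment_t *es, unsigned width, bool addr16)
{
    for (;;) {
        uint32_t count = addr16 ? (c->ecx & 0xFFFFu) : c->ecx;
        if (count == 0) return 0;
        if (stos_once(c, es, width, addr16) != 0) return -1;
        if (addr16) c->ecx = (c->ecx & 0xFFFF0000u) | ((count - 1) & 0xFFFFu);
        else        c->ecx = count - 1;
    }
}

int main(void)
{
    static uint8_t mem[64];                        /* constructed 64-byte ES */
    segment_t es = { mem, sizeof mem - 1, true };
    cpu_t c = { 0x11223344u, 0, 8, false };       /* fill 8 bytes with AL */
    int rc = rep_stos(&c, &es, 1, false);
    printf("rc=%d edi=%u first=%02X\n", rc, c.edi, mem[0]);
    return 0;
}
```

The limit check is done for every element rather than once for the whole block, which mirrors the hardware: a REP STOS that runs off the end of the segment faults part-way through with the count and index registers showing how far it got.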
19876 Protected Mode Exceptions
19878 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19879 memory operand effective address in the CS, DS, ES, FS, or GS segments;
19880 #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
19883 Real Address Mode Exceptions
19885 Interrupt 13 if any part of the operand would lie outside of the effective
19886 address space from 0 to 0FFFFH
19888 Virtual 8086 Mode Exceptions
19890 Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
19893 STR - Store Task Register
19895 Opcode Instruction Clocks Description
19897 0F 00 /1 STR r/m16 pm=23/27 Store task register to EA word
r/m ← task register;
19906 The contents of the task register are copied to the two-byte register or
19907 memory location indicated by the effective address operand.
19909 STR is used only in operating system software. It is not used in application
19916 Protected Mode Exceptions
19918 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19919 memory operand effective address in the CS, DS, ES, FS, or GS segments;
19920 #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
19923 Real Address Mode Exceptions
19925 Interrupt 6; STR is not recognized in Real Address Mode
19927 Virtual 8086 Mode Exceptions
19929 Same exceptions as in Real Address Mode
19933 The operand-size attribute has no effect on this instruction.
19936 SUB - Integer Subtraction
19938 Opcode Instruction Clocks Description
19940 2C ib SUB AL,imm8 2 Subtract immediate byte from AL
19941 2D iw SUB AX,imm16 2 Subtract immediate word from AX
19942 2D id SUB EAX,imm32 2 Subtract immediate dword from EAX
19943 80 /5 ib SUB r/m8,imm8 2/7 Subtract immediate byte from r/m byte
19944 81 /5 iw SUB r/m16,imm16 2/7 Subtract immediate word from r/m word
19945 81 /5 id SUB r/m32,imm32 2/7 Subtract immediate dword from r/m
19947 83 /5 ib SUB r/m16,imm8 2/7 Subtract sign-extended immediate byte
19949 83 /5 ib SUB r/m32,imm8 2/7 Subtract sign-extended immediate byte
19951 28 /r SUB r/m8,r8 2/6 Subtract byte register from r/m byte
19952 29 /r SUB r/m16,r16 2/6 Subtract word register from r/m word
19953 29 /r SUB r/m32,r32 2/6 Subtract dword register from r/m
19955 2A /r SUB r8,r/m8 2/7 Subtract byte register from r/m byte
19956 2B /r SUB r16,r/m16 2/7 Subtract word register from r/m word
19957 2B /r SUB r32,r/m32 2/7 Subtract dword register from r/m
IF SRC is a byte and DEST is a word or dword
THEN DEST ← DEST - SignExtend(SRC);
ELSE DEST ← DEST - SRC;
FI;
19970 SUB subtracts the second operand (SRC) from the first operand (DEST). The
19971 first operand is assigned the result of the subtraction, and the flags are
19974 When an immediate byte value is subtracted from a word operand, the
19975 immediate value is first sign-extended to the size of the destination
19980 OF, SF, ZF, AF, PF, and CF as described in Appendix C
19982 Protected Mode Exceptions
19984 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
19985 memory operand effective address in the CS, DS, ES, FS, or GS segments;
19986 #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
19989 Real Address Mode Exceptions
19991 Interrupt 13 if any part of the operand would lie outside of the effective
19992 address space from 0 to 0FFFFH
19994 Virtual 8086 Mode Exceptions
19996 Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
19999 TEST - Logical Compare
20001 Opcode Instruction Clocks Description
20003 A8 ib TEST AL,imm8 2 AND immediate byte with AL
20004 A9 iw TEST AX,imm16 2 AND immediate word with AX
20005 A9 id TEST EAX,imm32 2 AND immediate dword with EAX
20006 F6 /0 ib TEST r/m8,imm8 2/5 AND immediate byte with r/m byte
20007 F7 /0 iw TEST r/m16,imm16 2/5 AND immediate word with r/m word
20008 F7 /0 id TEST r/m32,imm32 2/5 AND immediate dword with r/m dword
20009 84 /r TEST r/m8,r8 2/5 AND byte register with r/m byte
20010 85 /r TEST r/m16,r16 2/5 AND word register with r/m word
20011 85 /r TEST r/m32,r32 2/5 AND dword register with r/m dword
DEST ← LeftSRC AND RightSRC;
20022 TEST computes the bit-wise logical AND of its two operands. Each bit
20023 of the result is 1 if both of the corresponding bits of the operands are 1;
20024 otherwise, each bit is 0. The result of the operation is discarded and only
20025 the flags are modified.
20029 OF = 0, CF = 0; SF, ZF, and PF as described in Appendix C
20031 Protected Mode Exceptions
20033 #GP(0) for an illegal memory operand effective address in the CS, DS,
20034 ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
20035 #PF(fault-code) for a page fault
20037 Real Address Mode Exceptions
20039 Interrupt 13 if any part of the operand would lie outside of the effective
20040 address space from 0 to 0FFFFH
20042 Virtual 8086 Mode Exceptions
20044 Same exceptions as in Real Address Mode; #PF(fault-code) for a page
20048 VERR, VERW - Verify a Segment for Reading or Writing
20050 Opcode Instruction Clocks Description
20052 0F 00 /4 VERR r/m16 pm=10/11 Set ZF=1 if segment can be read,
20054 0F 00 /5 VERW r/m16 pm=15/16 Set ZF=1 if segment can be written,
IF segment with selector at (r/m) is accessible
   with current protection level
   AND ((segment is readable for VERR) OR
        (segment is writable for VERW))
THEN ZF ← 1;
ELSE ZF ← 0;
FI;
20070 The two-byte register or memory operand of VERR and VERW contains
20071 the value of a selector. VERR and VERW determine whether the
20072 segment denoted by the selector is reachable from the current privilege
20073 level and whether the segment is readable (VERR) or writable (VERW).
20074 If the segment is accessible, the zero flag is set to 1; if the segment is
20075 not accessible, the zero flag is set to 0. To set ZF, the following
20076 conditions must be met:
20078 - The selector must denote a descriptor within the bounds of the table
20079   (GDT or LDT); the selector must be "defined."
20081 - The selector must denote the descriptor of a code or data segment
20082   (not that of a task state segment, LDT, or a gate).
20084 - For VERR, the segment must be readable. For VERW, the segment
20085   must be a writable data segment.
20087 - If the code segment is readable and conforming, the descriptor
20088   privilege level (DPL) can be any value for VERR. Otherwise, the
20089   DPL must be greater than or equal to (have less or the same
20090   privilege as) both the current privilege level and the selector's RPL.
20092 The validation performed is the same as if the segment were loaded into
20093 DS, ES, FS, or GS, and the indicated access (read or write) were
20094 performed. The zero flag receives the result of the validation. The
20095 selector's value cannot result in a protection exception, enabling the
20096 software to anticipate possible segment access problems.
20100 ZF as described above
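The four conditions above written out as an added C check (illustration code, not the manual's): it returns the ZF value VERR or VERW would produce for a selector at a given CPL, and like the instructions it never faults, it simply answers 0 for an out-of-range, wrong-type, or insufficiently privileged selector. The descriptor representation, the function names (verify_segment, sample_gdt) and the sample table are constructed; the real 80386 descriptor bit layout is not modelled.

```c
#include <stdint.h>
#include <stdbool.h>

/* Simplified descriptor attributes; a constructed model carrying only the
   fields the four conditions test. */
typedef struct {
    bool is_system;    /* TSS, LDT or gate: never passes VERR/VERW */
    bool is_code;      /* code segment; otherwise a data segment */
    bool readable;     /* code only: readable bit (data is always readable) */
    bool writable;     /* data only: writable bit (code is never writable) */
    bool conforming;   /* code only */
    unsigned dpl;      /* descriptor privilege level 0..3 */
} seg_desc_t;

typedef struct {
    uint16_t limit;            /* last valid byte offset, as SGDT stores it */
    const seg_desc_t *entries;
    unsigned count;
} desc_table_t;

/* ZF value VERR (want_write=false) or VERW (want_write=true) yields for
   `selector` executed at privilege level `cpl`. */
bool verify_segment(const desc_table_t *t, uint16_t selector,
                    unsigned cpl, bool want_write)
{
    unsigned index = selector >> 3;   /* selector bits 3-15 */
    unsigned rpl   = selector & 3u;   /* selector bits 0-1 */
    /* 1. selector must be "defined": whole 8-byte descriptor within LIMIT */
    if (index >= t->count || (uint32_t)index * 8u + 7u > t->limit)
        return false;
    const seg_desc_t *d = &t->entries[index];
    /* 2. must describe a code or data segment, not a TSS, LDT or gate */
    if (d->is_system)
        return false;
    /* 3. VERR needs a readable segment; VERW needs a writable data segment */
    if (want_write) {
        if (d->is_code || !d->writable) return false;
    } else {
        if (d->is_code && !d->readable) return false;
    }
    /* 4. readable conforming code is reachable from any level for VERR;
          otherwise DPL must be numerically >= both CPL and RPL */
    bool conforming_read = !want_write && d->is_code && d->conforming;
    if (!conforming_read) {
        unsigned needed = cpl > rpl ? cpl : rpl;
        if (d->dpl < needed) return false;
    }
    return true;
}

/* Constructed sample GDT; index 0 is the null descriptor, modelled as
   unusable. Selector values in the comments have RPL 0. */
static const seg_desc_t sample_entries[] = {
    { true,  false, false, false, false, 0 },  /* 0x00 null */
    { false, true,  true,  false, false, 0 },  /* 0x08 kernel code, readable */
    { false, false, true,  true,  false, 0 },  /* 0x10 kernel data, writable */
    { false, false, true,  true,  false, 3 },  /* 0x18 user data, writable */
    { false, true,  true,  false, true,  0 },  /* 0x20 conforming code, DPL 0 */
    { true,  false, false, false, false, 0 },  /* 0x28 TSS descriptor */
};

const desc_table_t *sample_gdt(void)
{
    static const desc_table_t t = { 6 * 8 - 1, sample_entries, 6 };
    return &t;
}
```

Note the effect of the selector's RPL in condition 4: a CPL 0 caller probing a DPL 0 segment through a selector carrying RPL 3 is refused, which is what lets a privileged routine validate a selector on behalf of a less privileged caller without reaching further than that caller could.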
20102 Protected Mode Exceptions
20104 Faults generated by illegal addressing of the memory operand that
20105 contains the selector. The selector is not loaded into any segment
20106 register, and no faults attributable to the selector operand are generated.
20108 #GP(0) for an illegal memory operand effective address in the CS, DS,
20109 ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
20110 #PF(fault-code) for a page fault
20112 Real Address Mode Exceptions
20114 Interrupt 6; VERR and VERW are not recognized in Real Address Mode
20116 Virtual 8086 Mode Exceptions
20118 Same exceptions as in Real Address Mode; #PF(fault-code) for a page
20122 WAIT - Wait until BUSY# Pin is Inactive (HIGH)
20124 Opcode Instruction Clocks Description
20126 9B WAIT 6 min. Wait until BUSY pin is inactive (HIGH)
20131 WAIT suspends execution of 80386 instructions until the BUSY# pin is
20132 inactive (high). The BUSY# pin is driven by the 80287 numeric processor
20139 Protected Mode Exceptions
20141 #NM if the task-switched flag in the machine status word (the lower 16 bits
20142 of register CR0) is set; #MF if the ERROR# input pin is asserted (i.e., the
20143 80287 has detected an unmasked numeric error)
20145 Real Address Mode Exceptions
20147 Same exceptions as in Protected Mode
20149 Virtual 8086 Mode Exceptions
20151 Same exceptions as in Protected Mode
20154 XCHG - Exchange Register/Memory with Register
20156 Opcode Instruction Clocks Description
20158 90 + r XCHG AX,r16 3 Exchange word register with AX
20159 90 + r XCHG r16,AX 3 Exchange word register with AX
20160 90 + r XCHG EAX,r32 3 Exchange dword register with EAX
20161 90 + r XCHG r32,EAX 3 Exchange dword register with EAX
20162 86 /r XCHG r/m8,r8 3 Exchange byte register with EA byte
20163 86 /r XCHG r8,r/m8 3/5 Exchange byte register with EA byte
20164 87 /r XCHG r/m16,r16 3 Exchange word register with EA word
20165 87 /r XCHG r16,r/m16 3/5 Exchange word register with EA word
20166 87 /r XCHG r/m32,r32 3 Exchange dword register with EA dword
20167 87 /r XCHG r32,r/m32 3/5 Exchange dword register with EA dword
20178 XCHG exchanges two operands. The operands can be in either order. If a
20179 memory operand is involved, BUS LOCK is asserted for the duration of the
20180 exchange, regardless of the presence or absence of the LOCK prefix or of the
20187 Protected Mode Exceptions
20189 #GP(0) if either operand is in a nonwritable segment; #GP(0) for an
20190 illegal memory operand effective address in the CS, DS, ES, FS, or GS
20191 segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
20194 Real Address Mode Exceptions
20196 Interrupt 13 if any part of the operand would lie outside of the effective
20197 address space from 0 to 0FFFFH
20199 Virtual 8086 Mode Exceptions
20201 Same exceptions as in Real Address Mode; #PF(fault-code) for a page
20205 XLAT/XLATB - Table Look-up Translation
20207 D7 XLAT m8 5 Set AL to memory byte DS:[(E)BX + unsigned AL]
20208 D7 XLATB 5 Set AL to memory byte DS:[(E)BX + unsigned AL]
IF AddressSize = 16
THEN
   AL ← (BX + ZeroExtend(AL))
ELSE (* AddressSize = 32 *)
   AL ← (EBX + ZeroExtend(AL));
FI;
20222 XLAT changes the AL register from the table index to the table entry. AL
20223 should be the unsigned index into a table addressed by DS:BX (for an
20224 address-size attribute of 16 bits) or DS:EBX (for an address-size attribute
20227 The operand to XLAT allows for the possibility of a segment override. XLAT
20228 uses the contents of BX even if they differ from the offset of the operand.
20229 The offset of the operand should have been moved into BX/EBX with a previous
20232 The no-operand form, XLATB, can be used if the BX/EBX table will always
20233 reside in the DS segment.
20239 Protected Mode Exceptions
20241 #GP(0) for an illegal memory operand effective address in the CS, DS, ES,
20242 FS, or GS segments; #SS(0) for an illegal address in the SS segment;
20243 #PF(fault-code) for a page fault
20245 Real Address Mode Exceptions
20247 Interrupt 13 if any part of the operand would lie outside of the effective
20248 address space from 0 to 0FFFFH
20250 Virtual 8086 Mode Exceptions
20252 Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
20255 XOR - Logical Exclusive OR
20258 Opcode Instruction Clocks Description
20260 34 ib XOR AL,imm8 2 Exclusive-OR immediate byte to AL
20261 35 iw XOR AX,imm16 2 Exclusive-OR immediate word to AX
20262 35 id XOR EAX,imm32 2 Exclusive-OR immediate dword to EAX
20263 80 /6 ib XOR r/m8,imm8 2/7 Exclusive-OR immediate byte to r/m
20265 81 /6 iw XOR r/m16,imm16 2/7 Exclusive-OR immediate word to r/m
20267 81 /6 id XOR r/m32,imm32 2/7 Exclusive-OR immediate dword to r/m
20269 83 /6 ib XOR r/m16,imm8 2/7 XOR sign-extended immediate byte
20271 83 /6 ib XOR r/m32,imm8 2/7 XOR sign-extended immediate byte
20273 30 /r XOR r/m8,r8 2/6 Exclusive-OR byte register to r/m
20275 31 /r XOR r/m16,r16 2/6 Exclusive-OR word register to r/m
20277 31 /r XOR r/m32,r32 2/6 Exclusive-OR dword register to r/m
20279 32 /r XOR r8,r/m8 2/7 Exclusive-OR byte register to r/m
20281 33 /r XOR r16,r/m16 2/7 Exclusive-OR word register to r/m
20283 33 /r XOR r32,r/m32 2/7 Exclusive-OR dword register to r/m
DEST ← LeftSRC XOR RightSRC
20295 XOR computes the exclusive OR of the two operands. Each bit of the result
20296 is 1 if the corresponding bits of the operands are different; each bit is 0
20297 if the corresponding bits are the same. The answer replaces the first
20302 CF = 0, OF = 0; SF, ZF, and PF as described in Appendix C; AF is undefined
20304 Protected Mode Exceptions
20306 #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal
20307 memory operand effective address in the CS, DS, ES, FS, or GS segments;
20308 #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page
20311 Real Address Mode Exceptions
20313 Interrupt 13 if any part of the operand would lie outside of the effective
20314 address space from 0 to 0FFFFH
20316 Virtual 8086 Mode Exceptions
20318 Same exceptions as in Real Address Mode; #PF(fault-code) for a page
20322 Appendix A Opcode Map
20324 --------------------------------------------------------------------------
20326 The opcode tables that follow aid in interpreting 80386 object code. Use
20327 the high-order four bits of the opcode as an index to a row of the opcode
20328 table; use the low-order four bits as an index to a column of the table. If
20329 the opcode is 0FH, refer to the two-byte opcode table and use the second
20330 byte of the opcode to index the rows and columns of that table.
20333 Key to Abbreviations
20335 Operands are identified by a two-character code of the form Zz. The first
20336 character, an uppercase letter, specifies the addressing method; the second
20337 character, a lowercase letter, specifies the type of operand.
20340 Codes for Addressing Method
20342 A Direct address; the instruction has no modR/M byte; the address of the
20343 operand is encoded in the instruction; no base register, index register,
20344 or scaling factor can be applied; e.g., far JMP (EA).
20346 C The reg field of the modR/M byte selects a control register; e.g., MOV
20349 D The reg field of the modR/M byte selects a debug register; e.g., MOV
20352 E A modR/M byte follows the opcode and specifies the operand. The operand
20353 is either a general register or a memory address. If it is a memory
20354 address, the address is computed from a segment register and any of the
20355 following values: a base register, an index register, a scaling factor,
20360 G The reg field of the modR/M byte selects a general register; e.g., ADD
20363 I Immediate data. The value of the operand is encoded in subsequent bytes
20364 of the instruction.
20366 J The instruction contains a relative offset to be added to the
20367 instruction pointer register; e.g., JMP short, LOOP.
20369 M The modR/M byte may refer only to memory; e.g., BOUND, LES, LDS, LSS,
20372 O The instruction has no modR/M byte; the offset of the operand is coded as
20373 a word or double word (depending on address size attribute) in the
20374 instruction. No base register, index register, or scaling factor can be
20375 applied; e.g., MOV (A0-A3).
20377 R The mod field of the modR/M byte may refer only to a general register;
20378 e.g., MOV (0F20-0F24, 0F26).
20380 S The reg field of the modR/M byte selects a segment register; e.g., MOV
20383 T The reg field of the modR/M byte selects a test register; e.g., MOV
20386 X Memory addressed by DS:SI; e.g., MOVS, CMPS, OUTS, LODS, SCAS.
20388 Y Memory addressed by ES:DI; e.g., MOVS, CMPS, INS, STOS.
20391 Codes for Operand Type
20393 a Two one-word operands in memory or two double-word operands in memory,
20394 depending on operand size attribute (used only by BOUND).
20396 b Byte (regardless of operand size attribute)
20398 c Byte or word, depending on operand size attribute.
20400 d Double word (regardless of operand size attribute)
20402 p 32-bit or 48-bit pointer, depending on operand size attribute.
20404 s Six-byte pseudo-descriptor
20406 v Word or double word, depending on operand size attribute.
20408 w Word (regardless of operand size attribute)
20413 When an operand is a specific register encoded in the opcode, the register
20414 is identified by its name; e.g., AX, CL, or ESI. The name of the register
20415 indicates whether the register is 32-, 16-, or 8-bits wide. A register
20416 identifier of the form eXX is used when the width of the register depends on
20417 the operand size attribute; for example, eAX indicates that the AX register
20418 is used when the operand size attribute is 16 and the EAX register is used
20419 when the operand size attribute is 32.
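An added C routine, not from the manual, that applies the indexing rule of this appendix (high nibble selects the row, low nibble the column) to the opening rows of the one-byte map, with the row and column tables transcribed from the map. The eight ALU groups in rows 0-3 share a single operand pattern, which is why the mnemonic comes from the row and half-row while the operand form comes from the column; 0F is reported as the escape to the two-byte map. The function and table names are constructed, and only rows 0-5 and 7 are covered.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Row/column lookup tables transcribed from the one-byte map. */
static const char *alu_ops[8]   = { "ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP" };
static const char *alu_forms[6] = { "Eb,Gb", "Ev,Gv", "Gb,Eb", "Gv,Ev", "AL,Ib", "eAX,Iv" };
static const char *seg_regs[4]  = { "ES", "CS", "SS", "DS" };
static const char *adjust[4]    = { "DAA", "DAS", "AAA", "AAS" };
static const char *reg_ops[4]   = { "INC", "DEC", "PUSH", "POP" };
static const char *gen_regs[8]  = { "eAX", "eCX", "eDX", "eBX", "eSP", "eBP", "eSI", "eDI" };
static const char *jcc[16]      = { "JO", "JNO", "JB", "JNB", "JZ", "JNZ", "JBE", "JNBE",
                                    "JS", "JNS", "JP", "JNP", "JL", "JNL", "JLE", "JNLE" };

/* Writes "MNEMONIC operands" for opcode byte `op` into buf. Returns 1 for the
   rows modelled here (0-5 and 7); returns 0 for 0F, whose second byte indexes
   the two-byte map, and for rows this function does not cover. */
int decode_one_byte(uint8_t op, char *buf, size_t len)
{
    unsigned row  = op >> 4;
    unsigned col  = op & 0xFu;
    unsigned half = col >> 3;      /* 0 = columns 0-7, 1 = columns 8-F */
    unsigned c    = col & 7u;      /* position within the half-row */

    if (op == 0x0F) { snprintf(buf, len, "2-byte escape"); return 0; }

    if (row <= 3) {
        if (c < 6) {               /* the eight ALU groups share one operand pattern */
            snprintf(buf, len, "%s %s", alu_ops[row * 2 + half], alu_forms[c]);
            return 1;
        }
        if (row <= 1) {            /* columns 6/7 and E/F: PUSH/POP segment register */
            snprintf(buf, len, "%s %s", c == 6 ? "PUSH" : "POP", seg_regs[row * 2 + half]);
            return 1;
        }
        if (c == 6)                /* 26/2E/36/3E: segment override prefixes */
            snprintf(buf, len, "SEG =%s", seg_regs[(row - 2) * 2 + half]);
        else                       /* 27/2F/37/3F: decimal adjust */
            snprintf(buf, len, "%s", adjust[(row - 2) * 2 + half]);
        return 1;
    }
    if (row <= 5) {                /* 40-5F: register encoded in the low 3 bits */
        snprintf(buf, len, "%s %s", reg_ops[(row - 4) * 2 + half], gen_regs[c]);
        return 1;
    }
    if (row == 7) {                /* 70-7F: short-displacement conditional jumps */
        snprintf(buf, len, "%s Jb", jcc[col]);
        return 1;
    }
    snprintf(buf, len, "row %X not modelled", row);
    return 0;
}

int main(void)
{
    /* constructed bytes, each a complete one-byte instruction except 0F */
    const uint8_t bytes[] = { 0x06, 0x47, 0x27, 0x0F };
    char buf[40];
    for (size_t i = 0; i < sizeof bytes; i++) {
        decode_one_byte(bytes[i], buf, sizeof buf);
        printf("%02X  %s\n", bytes[i], buf);
    }
    return 0;
}
```

The routine classifies a single byte only; it does not consume the modR/M, displacement or immediate bytes that the operand codes (Eb, Iv, Jb and so on) say follow, so it is the first step of a decoder rather than a disassembler.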
20422 One-Byte Opcode Map
20425 One-Byte Opcode Map (rows 0 to A; each entry is opcode, mnemonic, operand form)

Row 0:  00 ADD Eb,Gb | 01 ADD Ev,Gv | 02 ADD Gb,Eb | 03 ADD Gv,Ev | 04 ADD AL,Ib | 05 ADD eAX,Iv | 06 PUSH ES | 07 POP ES
        08 OR Eb,Gb  | 09 OR Ev,Gv  | 0A OR Gb,Eb  | 0B OR Gv,Ev  | 0C OR AL,Ib  | 0D OR eAX,Iv  | 0E PUSH CS | 0F 2-byte escape
Row 1:  10 ADC Eb,Gb | 11 ADC Ev,Gv | 12 ADC Gb,Eb | 13 ADC Gv,Ev | 14 ADC AL,Ib | 15 ADC eAX,Iv | 16 PUSH SS | 17 POP SS
        18 SBB Eb,Gb | 19 SBB Ev,Gv | 1A SBB Gb,Eb | 1B SBB Gv,Ev | 1C SBB AL,Ib | 1D SBB eAX,Iv | 1E PUSH DS | 1F POP DS
Row 2:  20 AND Eb,Gb | 21 AND Ev,Gv | 22 AND Gb,Eb | 23 AND Gv,Ev | 24 AND AL,Ib | 25 AND eAX,Iv | 26 SEG =ES | 27 DAA
        28 SUB Eb,Gb | 29 SUB Ev,Gv | 2A SUB Gb,Eb | 2B SUB Gv,Ev | 2C SUB AL,Ib | 2D SUB eAX,Iv | 2E SEG =CS | 2F DAS
Row 3:  30 XOR Eb,Gb | 31 XOR Ev,Gv | 32 XOR Gb,Eb | 33 XOR Gv,Ev | 34 XOR AL,Ib | 35 XOR eAX,Iv | 36 SEG =SS | 37 AAA
        38 CMP Eb,Gb | 39 CMP Ev,Gv | 3A CMP Gb,Eb | 3B CMP Gv,Ev | 3C CMP AL,Ib | 3D CMP eAX,Iv | 3E SEG =DS | 3F AAS
Row 4:  40 INC eAX | 41 INC eCX | 42 INC eDX | 43 INC eBX | 44 INC eSP | 45 INC eBP | 46 INC eSI | 47 INC eDI
        48 DEC eAX | 49 DEC eCX | 4A DEC eDX | 4B DEC eBX | 4C DEC eSP | 4D DEC eBP | 4E DEC eSI | 4F DEC eDI
Row 5:  50 PUSH eAX | 51 PUSH eCX | 52 PUSH eDX | 53 PUSH eBX | 54 PUSH eSP | 55 PUSH eBP | 56 PUSH eSI | 57 PUSH eDI
        58 POP eAX  | 59 POP eCX  | 5A POP eDX  | 5B POP eBX  | 5C POP eSP  | 5D POP eBP  | 5E POP eSI  | 5F POP eDI
Row 6:  60 PUSHA | 61 POPA | 62 BOUND Gv,Ma | 63 ARPL Ew,Rw | 64 SEG =FS | 65 SEG =GS | 66 Operand Size | 67 Address Size
        68 PUSH Ib | 69 IMUL GvEvIv | 6A PUSH Ib | 6B IMUL GvEvIv | 6C INSB Yb,DX | 6D INSW/D Yb,DX | 6E OUTSB DX,Xb | 6F OUTSW/D DX,Xv
Row 7 (short-displacement jump on condition, Jb):
        70 JO | 71 JNO | 72 JB | 73 JNB | 74 JZ | 75 JNZ | 76 JBE | 77 JNBE
        78 JS | 79 JNS | 7A JP | 7B JNP | 7C JL | 7D JNL | 7E JLE | 7F JNLE
Row 8:  80 Immediate Grp1 Eb,Ib | 81 Immediate Grp1 Ev,Iv | 82 (empty) | 83 Grp1 Ev,Iv | 84 TEST Eb,Gb | 85 TEST Ev,Gv | 86 XCHG Eb,Gb | 87 XCHG Ev,Gv
        88 MOV Eb,Gb | 89 MOV Ev,Gv | 8A MOV Gb,Eb | 8B MOV Gv,Ev | 8C MOV Ew,Sw | 8D LEA Gv,M | 8E MOV Sw,Ew | 8F POP Ev
Row 9:  90 NOP | 91 XCHG eCX,eAX | 92 XCHG eDX,eAX | 93 XCHG eBX,eAX | 94 XCHG eSP,eAX | 95 XCHG eBP,eAX | 96 XCHG eSI,eAX | 97 XCHG eDI,eAX
        98 CBW | 99 CWD | 9A CALL Ap | 9B WAIT | 9C PUSHF Fv | 9D POPF Fv | 9E SAHF | 9F LAHF
Row A:  A0 MOV AL,Ob | A1 MOV eAX,Ov | A2 MOV Ob,AL | A3 MOV Ov,eAX | A4 MOVSB Xb,Yb | A5 MOVSW/D Xv,Yv | A6 CMPSB Xb,Yb | A7 CMPSW/D Xv,Yv
        A8 TEST AL,Ib | A9 TEST eAX,Iv | AA STOSB Yb,AL | AB STOSW/D Yv,eAX | AC LODSB AL,Xb | AD LODSW/D eAX,Xv | AE SCASB AL,Xb | AF SCASW/D eAX,Xv
20471 € MOV immediate byte into byte register � MOV immediate word or double into word or double register €
20472 BÑ‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘š‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘Â
20473 € AL � CL � DL � BL � AH � CH � DH � BH � eAX � eCX � eDX � eBX � eSP � eBP � eSI � eDI €
20474 †���������¤���������Ï���������¤���������Ï���������Ï���������Ï��������¤��������Ï���������Ï���������Ï���������¤���������Ï���������Ï���������Ï��������Ï��������‡
20475 € Shift Grp2 � RET near � LES � LDS � MOV � ENTER � � RET far � INT � INT � � €
20476 CÑ‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘š‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘— � –‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘— � LEAVE –‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘— � � INTO � IRET €
20477 € Eb,Ib � Ev,Iv � Iw � � Gv,Mp � Gv,Mp � Eb,Ib � Ev,Iv � Iw,Ib � � Iw � � 3 � Ib � � €
20478 †���������¤���������¤���������¤���������Ï���������Ï���������Ï��������Ï��������Ï���������¤���������¤���������¤���������¤���������¤���������¤��������¤��������‡
20479 € Shift Grp2 � � � � � €
20480 DÑ‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘— AAM � AAD � � XLAT � ESC(Escape to coprocessor instruction set) €
20481 € Eb,1 � Ev,1 � Eb,CL � Ev,CL � � � � � €
20482 †���������Ï���������Ï���������Ï���������Ï���������¤���������Ï��������¤��������Ï���������Ð�����������������������������Ð�������������������Ð�����������������‡
20483 € LOOPNE � LOOPE � LOOP � JCXZ � IN � OUT � CALL � JNP � IN � OUT €
20484 E€ � � � –‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘š‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘— –‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘š‘‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘‘š‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘Â
20485 € Jb � Jb � Jb � Jb � AL,Ib � eAX,Ib � Ib,AL � Ib,eAX � Av � Jv � Ap � Jb � AL,DX � eAX,DX � DX,AL � DX,eAX €
20486 †���������Ï���������Ï���������Ï���������Ï���������Ï���������Ï��������¤��������Ï���������Ï���������Ï���������Ï���������Ï���������Ï���������Ï��������Ï��������‡
20487 € � � � REP � � � Unary Grp3 � � � � � � �INC/DEC �Indirct €
20488 F€ LOCK � � REPNE � � HLT � CMC –‘‘‘‘‘‘‘‘˜‘‘‘‘‘‘‘‘— CLC � STC � CLI � STI � CLD � STD � � €
20489 € � � � REPE � � � Eb � Ev � � � � � � � Grp4 � Grp5 €
20490 „���������¤���������¤���������¤���������¤���������¤���������¤��������¤��������¤���������¤���������¤���������¤���������¤���������¤���������¤��������¤��������…
Two-Byte Opcode Map (first byte is 0FH)

Row 0 (0F 00h-0F 0Fh)
  00 Grp6         01 Grp7         02 LAR Gw,Ew    03 LSL Gv,Ew
  04 (blank)      05 (blank)      06 CLTS         07-0F (blank)

Row 1 (0F 10h-0F 1Fh): no opcodes defined (blank)

Row 2 (0F 20h-0F 2Fh)
  20 MOV Cd,Rd    21 MOV Dd,Rd    22 MOV Rd,Cd    23 MOV Rd,Dd
  24 MOV Td,Rd    25 (blank)      26 MOV Rd,Td    27-2F (blank)

Rows 3-7 (0F 30h-0F 7Fh): no opcodes defined (blank)

Row 8 (0F 80h-0F 8Fh): long-displacement jump on condition (Jv)
  80 JO   81 JNO   82 JB   83 JNB   84 JZ   85 JNZ   86 JBE   87 JNBE
  88 JS   89 JNS   8A JP   8B JNP   8C JL   8D JNL   8E JLE   8F JNLE

Row 9 (0F 90h-0F 9Fh): byte set on condition (Eb)
  90 SETO   91 SETNO   92 SETB   93 SETNB   94 SETZ   95 SETNZ   96 SETBE   97 SETNBE
  98 SETS   99 SETNS   9A SETP   9B SETNP   9C SETL   9D SETNL   9E SETLE   9F SETNLE

Row A (0F A0h-0F AFh)
  A0 PUSH FS      A1 POP FS       A2 (blank)      A3 BT Ev,Gv
  A4 SHLD EvGvIb  A5 SHLD EvGvCL  A6 (blank)      A7 (blank)
  A8 PUSH GS      A9 POP GS       AA (blank)      AB BTS Ev,Gv
  AC SHRD EvGvIb  AD SHRD EvGvCL  AE (blank)      AF IMUL Gv,Ev

Row B (0F B0h-0F BFh)
  B0 (blank)      B1 (blank)      B2 LSS Mp       B3 BTR Ev,Gv
  B4 LFS Mp       B5 LGS Mp       B6 MOVZX Gv,Eb  B7 MOVZX Gv,Ew
  B8 (blank)      B9 (blank)      BA Grp-8 Ev,Ib  BB BTC Ev,Gv
  BC BSF Gv,Ev    BD BSR Gv,Ev    BE MOVSX Gv,Eb  BF MOVSX Gv,Ew

Rows C-F (0F C0h-0F FFh): no opcodes defined (blank)
Opcodes determined by bits 5,4,3 of modR/M byte:

    modR/M byte:  | mod | nnn | R/M |

Group   000     001     010     011     100     101     110     111
1       ADD     OR      ADC     SBB     AND     SUB     XOR     CMP
2       ROL     ROR     RCL     RCR     SHL     SHR     --      SAR
3       TEST    --      NOT     NEG     MUL     IMUL    DIV     IDIV
        Ib/Iv                           AL/eAX  AL/eAX  AL/eAX  AL/eAX
4       INC     DEC     --      --      --      --      --      --
        Eb      Eb
5       INC     DEC     CALL    CALL    JMP     JMP     PUSH    --
        Ev      Ev      Ev      Ep      Ev      Ep      Ev
6       SLDT    STR     LLDT    LTR     VERR    VERW    --      --
        Ew      Ew      Ew      Ew      Ew      Ew
7       SGDT    SIDT    LGDT    LIDT    SMSW    --      LMSW    --
        Ms      Ms      Ms      Ms      Ew              Ew
8       --      --      --      --      BT      BTS     BTR     BTC
Appendix B Complete Flag Cross-Reference
----------------------------------------------------------------------------

T = instruction tests flag
M = instruction modifies flag
    (either sets or resets depending on operands)
0 = instruction resets flag
1 = instruction sets flag
-- = instruction's effect on flag is undefined
R = instruction restores prior value of flag
blank = instruction does not affect flag

Instruction              OF  SF  ZF  AF  PF  CF  TF  IF  DF  NT  RF
AAA                      --  --  --  TM  --  M
AAS                      --  --  --  TM  --  M
BSF/BSR                  --  --  M   --  --  --
BT/BTS/BTR/BTC           --  --  --  --  --  M
DIV                      --  --  --  --  --  --
IDIV                     --  --  --  --  --  --
IMUL                     M   --  --  --  --  M
IRET                     R   R   R   R   R   R   R   R   R   T
LDS/LES/LSS/LFS/LGS
LGDT/LIDT/LLDT/LMSW
MOV control, debug       --  --  --  --  --  --
MUL                      M   --  --  --  --  M
POPF                     R   R   R   R   R   R   R   R   R   R
RCL/RCR count            --                      TM
SAL/SAR/SHL/SHR 1        M   M   M   --  M   M
SAL/SAR/SHL/SHR count    --  M   M   --  M   M
SGDT/SIDT/SLDT/SMSW
SHLD/SHRD                --  M   M   --  M   M
Appendix C Status Flag Summary
----------------------------------------------------------------------------

Status Flags' Functions

Bit  Flag  Name           Function
 0   CF    Carry Flag     Set on high-order bit carry or borrow; cleared
 2   PF    Parity Flag    Set if low-order eight bits of result contain an
                          even number of 1 bits; cleared otherwise.
 4   AF    Adjust Flag    Set on carry from or borrow to the low order four
                          bits of AL; cleared otherwise. Used for decimal
 6   ZF    Zero Flag      Set if result is zero; cleared otherwise.
 7   SF    Sign Flag      Set equal to high-order bit of result (0 is
                          positive, 1 if negative).
11   OF    Overflow Flag  Set if result is too large a positive number or
                          too small a negative number (excluding sign-bit)
                          to fit in destination operand; cleared otherwise.

T = instruction tests flag
M = instruction modifies flag
    (either sets or resets depending on operands)
0 = instruction resets flag
-- = instruction's effect on flag is undefined
blank = instruction does not affect flag

Instruction              OF  SF  ZF  AF  PF  CF
AAA                      --  --  --  TM  --  M
AAS                      --  --  --  TM  --  M
IMUL                     M   --  --  --  --  M
MUL                      M   --  --  --  --  M
RCL/RCR count            --                  TM
SAL/SAR/SHL/SHR 1        M   M   M   --  M   M
SAL/SAR/SHL/SHR count    --  M   M   --  M   M
SHLD/SHRD                --  M   M   --  M   M
BSF/BSR                  --  --  M   --  --  --
BT/BTS/BTR/BTC           --  --  --  --  --  M
Appendix D Condition Codes
----------------------------------------------------------------------------

The terms "above" and "below" refer to the relation between two
unsigned values (neither SF nor OF is tested). The terms "greater" and
"less" refer to the relation between two signed values (SF and OF are

----------------------------------------------------------------------------

Definition of Conditions
(For conditional instructions Jcond, and SETcond)

Mnemonic  Meaning                    Condition Subcode  Condition Tested
O         Overflow                   0000               OF = 1
NO        No overflow                0001               OF = 0
NAE       Neither above nor equal    0010               CF = 1
AE        Above or equal             0011               CF = 0
NZ        Not zero                   0101               ZF = 0
NA        Not above                  0110               (CF or ZF) = 1
NBE       Neither below nor equal    0111               (CF or ZF) = 0
A         Above
NS        No sign                    1001               SF = 0
PE        Parity even                1010               PF = 1
PO        Parity odd                 1011               PF = 0
NGE       Neither greater nor equal  1100               (SF xor OF) = 1
GE        Greater or equal           1101               (SF xor OF) = 0
NG        Not greater                1110               ((SF xor OF) or ZF) = 1
NLE       Neither less nor equal     1111               ((SF xor OF) or ZF) = 0
G         Greater
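As an added example (not code from the Intel manual), the following Python computes the Appendix C status flags for an ADD or SUB/CMP and evaluates the Appendix D condition subcodes against them, the way an emulator or a symbolic-execution engine models Jcc/SETcc; all function names are the author's own, and subcodes 0100 (Z) and 1000 (S), absent from this excerpt, are assumed to be the negations of NZ (0101) and NS (1001).

```python
"""Added example, not part of the Intel manual: compute the Appendix C status
flags for an ADD or SUB/CMP and evaluate Appendix D condition subcodes
against them. Function and variable names are the author's own."""

FLAG_NAMES = ("OF", "SF", "ZF", "AF", "PF", "CF")


def status_flags(a, b, width=8, sub=False):
    """Return (flags, result) for a + b, or a - b when sub=True."""
    mask = (1 << width) - 1
    sign = 1 << (width - 1)
    a &= mask
    b &= mask
    if sub:
        res = a - b
        cf = int(a < b)                        # borrow out of high-order bit
        af = int((a & 0xF) < (b & 0xF))        # borrow into the low four bits
    else:
        res = a + b
        cf = int(res > mask)                   # carry out of high-order bit
        af = int((a & 0xF) + (b & 0xF) > 0xF)  # carry out of the low four bits
    r = res & mask
    sf = int(bool(r & sign))                   # high-order bit of the result
    zf = int(r == 0)
    pf = int(bin(r & 0xFF).count("1") % 2 == 0)  # low-order eight bits only
    a_neg, b_neg, r_neg = bool(a & sign), bool(b & sign), bool(r & sign)
    # OF: the signed result does not fit the destination. A subtraction can
    # only overflow when the operand signs differ, an addition when they agree.
    of = int((a_neg != b_neg if sub else a_neg == b_neg) and r_neg != a_neg)
    return dict(zip(FLAG_NAMES, (of, sf, zf, af, pf, cf))), r


# Condition tested by each even subcode (Appendix D). The odd subcode that
# differs only in bit 0 tests the negation, which is how the table pairs
# them (0010 NAE: CF = 1 against 0011 AE: CF = 0). Subcodes 0100 and 1000
# are not in the excerpt above and are assumed to negate NZ and NS.
_TESTS = {
    0b0000: lambda f: f["OF"] == 1,
    0b0010: lambda f: f["CF"] == 1,
    0b0100: lambda f: f["ZF"] == 1,
    0b0110: lambda f: (f["CF"] | f["ZF"]) == 1,
    0b1000: lambda f: f["SF"] == 1,
    0b1010: lambda f: f["PF"] == 1,
    0b1100: lambda f: (f["SF"] ^ f["OF"]) == 1,
    0b1110: lambda f: ((f["SF"] ^ f["OF"]) | f["ZF"]) == 1,
}


def condition(subcode, flags):
    """True if Jcc/SETcc with this 4-bit subcode is taken / sets 1."""
    return _TESTS[subcode & 0b1110](flags) != bool(subcode & 1)


def cmp_taken(a, b, width=8):
    """Subcodes left true by CMP a,b; unsigned and signed views differ."""
    flags, _ = status_flags(a, b, width, sub=True)
    return [c for c in range(16) if condition(c, flags)]
```

For CMP 80h,01h the unsigned view (AE, subcode 0011) and the signed view (L/NGE, subcode 1100) are both true, which is exactly the above/greater distinction the appendix describes.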