Intel Computer Accessories 80286 Users Manual

210498-005_80286_and_80287_Programmers_Reference_Manual_1987 manual pdf -FilePursuit


2015-02-02


Page Count: 515

LITERATURE
To order Intel literature write or call:
Intel Literature Sales
P.O. Box 58130
Santa Clara, CA 95052-8130

Intel Literature:
(800) 548-4725*

Use the order blank on the facing page or call our Toll Free Number listed above to order literature.
Remember to add your local sales tax and a 10% postage charge for U.S. and Canada customers, 20% for
customers outside the U.S. Prices are subject to change.

1987 HANDBOOKS
Product line handbooks contain data sheets, application notes, article reprints and other design information.

NAME                                        ORDER NUMBER    **PRICE IN U.S. DOLLARS

COMPLETE SET OF 9 HANDBOOKS                 231003          $125.00
  Save $50.00 off the retail price of $175.00
MEMORY COMPONENTS HANDBOOK                  210830          $18.00
MICROCOMMUNICATIONS HANDBOOK                231658          $20.00
EMBEDDED CONTROLLER HANDBOOK                210918          $18.00
  (includes Microcontrollers and 8085, 80186, 80188)
MICROPROCESSOR AND PERIPHERAL HANDBOOK      230843          $25.00
  (2 Volume Set)
DEVELOPMENT TOOLS HANDBOOK                  210940          $18.00
OEM BOARDS AND SYSTEMS HANDBOOK             280407          $18.00
MILITARY HANDBOOK                           210461          $18.00
COMPONENTS QUALITY/RELIABILITY HANDBOOK     210997          $20.00
SYSTEMS QUALITY/RELIABILITY HANDBOOK        231762          $20.00
PROGRAMMABLE LOGIC HANDBOOK                 296083          $18.00
  (Not included in Handbook Set)
DOS DEVELOPMENT SOFTWARE CATALOG            280199          N/C
PRODUCT GUIDE                               210846          N/C
  Overview of Intel's complete product lines
LITERATURE PRICE LIST                       210620          N/C
  List of Intel Literature
INTEL PACKAGING OUTLINES AND DIMENSIONS     231369          N/C
  Packaging types, number of leads, etc.

*Good in the U.S. and Canada
**These prices are for the U.S. and Canada only. In Europe and other international locations, please contact
your local Intel Sales Office or Distributor for literature prices.

LITERATURE SALES ORDER FORM
Pay by Visa, MasterCard, American Express, Check, Money Order, or company purchase order payable
to Intel Literature Sales. Allow 2-4 weeks for delivery.
Mail To:

Intel Literature Sales
P.O. Box 58130
Santa Clara, CA 95052-8130

Prices good until 12/31/87.

International Customers outside the U.S. and Canada
should contact their local Intel Sales Office or Distributor
listed in the back of most Intel literature.

Call Toll Free: (800) 548-4725 for phone orders

CUSTOMER SUPPORT
Customer Support is Intel's complete support service that provides Intel customers with hardware support, software
support, customer training, and consulting services. For more information contact your local sales offices.
After a customer purchases any system hardware or software product, service and support become major factors in
determining whether that product will continue to meet a customer's expectations. Such support requires an international support organization and a breadth of programs to meet a variety of customer needs. As you might expect,
Intel's customer support is quite extensive. It includes factory repair services and worldwide field service offices
providing hardware repair services, software support services, customer training classes, and consulting services.

HARDWARE SUPPORT SERVICES
Intel is committed to providing an international service support package through a wide variety of service offerings
available from Intel Hardware Support.

SOFTWARE SUPPORT SERVICES
Intel's software support consists of two levels of contracts. Standard support includes TIPS (Technical Information
Phone Service), updates and subscription service (product-specific troubleshooting guides and COMMENTS Magazine). Basic support includes updates and the subscription service. Contracts are sold in environments which represent product groupings (i.e., iRMX environment).

CONSULTING SERVICES
Intel provides field systems engineering services for any phase of your development or support effort. You can use
our systems engineers in a variety of ways ranging from assistance in using a new product, developing an application,
personalizing training, and customizing or tailoring an Intel product to providing technical and management consulting. Systems Engineers are well versed in technical areas such as microcommunications, real-time applications,
embedded microcontrollers, and network services. You know your application needs; we know our products. Working together we can help you get a successful product to market in the least possible time.

CUSTOMER TRAINING
Intel offers a wide range of instructional programs covering various aspects of system design and implementation. In
just three to ten days a limited number of individuals learn more in a single workshop than in weeks of self-study.
For optimum convenience, workshops are scheduled regularly at Training Centers worldwide or we can take our
workshops to you for on-site instruction. Covering a wide variety of topics, Intel's major course categories include:
architecture and assembly language, programming and operating systems, BITBUS and LAN applications.

80286 AND 80287 PROGRAMMER'S
REFERENCE MANUAL
1987

Intel Corporation makes no warranty for the use of its products and assumes no responsibility for any errors which may
appear in this document nor does it make a commitment to update the information contained herein.
Intel retains the right to make changes to these specifications at any time, without notice.
Contact your local sales office to obtain the latest specifications before placing your order.
The following are trademarks of Intel Corporation and may only be used to identify Intel Products:

Above, BITBUS, COMMputer, CREDIT, Data Pipeline, FASTPATH, Genius, i,
ICE, iCEL, iCS, iDBP, iDIS, I'ICE, iLBX, i m , iMDDX, iMMX, Inboard, Insite, Intel,
intel, intelBOS, Intel Certified, Intelevision, inteligent Identifier, inteligent
Programming, Intellec, Intellink, iOSP, iPDS, iPSC, iRMK, iRMX, iSBC, iSBX,
iSDM, iSXM, KEPROM, Library Manager, MAPNET, MCS, Megachassis,
MICROMAINFRAME, MULTIBUS, MULTICHANNEL, MULTIMODULE,
MultiSERVER, ONCE, OpenNET, OTP, PC BUBBLE, Plug-A-Bubble, PROMPT,
Promware, QUEST, QueX, Quick-Pulse Programming, Ripplemode, RMX/80,
RUPI, Seamless, SLD, SugarCube, SupportNET, UPI, and VLSiCEL, and the
combination of ICE, iCS, iRMX, iSBC, iSBX, iSXM, MCS, or UPI and a numerical
suffix, 4-SITE.
MDS is an ordering code only and is not used as a product name or trademark. MDS® is a registered trademark of Mohawk
Data Sciences Corporation.
• MULTIBUS is a patented Intel bus.
Additional copies of this manual or other Intel literature may be obtained from:
Intel Corporation
Literature Distribution
Mail Stop SC6-59
3065 Bowers Avenue
Santa Clara, CA 95051

© INTEL CORPORATION 1987

CG·S/26/87

PREFACE
This manual describes the 80286, the most powerful 16-bit microprocessor in the 8086 family, and the
80287 Numeric Processor Extension (NPX).

ORGANIZATION OF THIS MANUAL
This manual is, essentially, two books in one. The first book describes the 80286, the second the 80287
NPX.

80286
The 80286 contains a table of contents, eleven chapters, four appendices, and an index. For more
information on the 80286 book's organization, see its first chapter, Chapter 1, "Introduction to the
80286." Section 1.4 in that chapter explains the organization in detail.

80287 NPX
The 80287 NPX contains a preface, table of contents, four chapters, three appendices, and a glossary.
For more information on the 80287 NPX book's organization, see its preface.

TABLE OF CONTENTS

CHAPTER 1
INTRODUCTION TO THE 80286
General Attributes
Modes of Operation
Advanced Features
Memory Management
Task Management
Protection Mechanisms
Support for Operating Systems
Organization of This Book
Related Publications

CHAPTER 2
80286 BASE ARCHITECTURE
Memory Organization and Segmentation
Data Types
Registers
General Registers
Memory Segmentation and Segment Registers
Index, Pointer, and Base Registers
Status and Control Registers
Addressing Modes
Operands
Register and Immediate Modes
Memory Addressing Modes
Segment Selection
Offset Computation
Memory Mode
Input/Output
I/O Address Space
Memory-Mapped I/O
Interrupts and Exceptions
Hierarchy of Instruction Sets

CHAPTER 3
BASIC INSTRUCTION SET
Data Movement Instructions
General-Purpose Data Movement Instructions
Stack Manipulation Instructions
Flag Operation with the Basic Instruction Set
Status Flags
Control Flags
Arithmetic Instructions
Addition Instructions
Subtraction Instructions
Multiplication Instructions
Division Instructions
Logical Instructions
Boolean Operation Instructions
Shift and Rotate Instructions
Shift Instructions
Rotate Instructions
Type Conversion and No-Operation Instructions
Test and Compare Instructions
Control Transfer Instructions
Unconditional Transfer Instructions
Jump Instruction
Call Instruction
Return and Return from Interrupt Instruction
Conditional Transfer Instructions
Conditional Jump Instructions
Loop Instructions
Executing a Loop or Repeat Zero Times
Software-Generated Interrupts
Software Interrupt Instruction
Character Translation and String Instructions
Translate Instruction
String Manipulation Instructions and Repeat Prefixes
String Movement Instructions
Other String Operations
Address Manipulation Instructions
Flag Control Instructions
Carry Flag Control Instructions
Direction Flag Control Instructions
Flag Transfer Instructions
Binary-Coded Decimal Arithmetic Instructions
Packed BCD Adjustment Instructions
Unpacked BCD Adjustment Instructions
Trusted Instructions
Trusted and Privileged Restrictions on POPF and IRET
Machine State Instructions
Input and Output Instructions
Processor Extension Instructions
Processor Extension Synchronization Instructions
Numeric Data Processor Instructions
Arithmetic Instructions
Comparison Instructions
Transcendental Instructions
Data Transfer Instructions
Constant Instructions

CHAPTER 4
EXTENDED INSTRUCTION SET
Block I/O Instructions
High-Level Instructions

CHAPTER 5
REAL ADDRESS MODE
Addressing and Segmentation
Interrupt Handling
Interrupt Vector Table
Interrupt Priorities
Interrupt Procedures
Reserved and Dedicated Interrupt Vectors
System Initialization

CHAPTER 6
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING
Memory Management Overview
Virtual Addresses
Descriptor Tables
Virtual-to-Physical Address Translation
Segments and Segment Descriptors
Memory Management Registers
Segment Address Translation Registers
System Address Registers

CHAPTER 7
PROTECTION
Introduction
Types of Protection
Protection Implementation
Memory Management and Protection
Separation of Address Spaces
LDT and GDT Access Checks
Type Validation
Privilege Levels and Protection
Example of Using Four Privilege Levels
Privilege Usage
Segment Descriptor
Data Accesses
Code Segment Access
Data Access Restriction by Privilege Level
Pointer Privilege Stamping via ARPL
Control Transfers
Gates
Call Gates
Intra-Level Transfers via Call Gate
Inter-Level Control Transfer via Call Gates
Stack Changes Caused by Call Gates
Inter-Level Returns

CHAPTER 8
TASKS AND STATE TRANSITIONS
Introduction
Task State Segments and Descriptors
Task State Segment Descriptors
Task Switching
Task Linking
Task Gates

CHAPTER 9
INTERRUPTS AND EXCEPTIONS
Interrupt Descriptor Table
Hardware Initiated Interrupts
Software Initiated Interrupts
Interrupt Gates and Trap Gates
Task Gates and Interrupt Tasks
Scheduling Considerations
Deciding Between Task, Trap, and Interrupt Gates
Protection Exceptions and Reserved Vectors
Invalid OP-Code (Interrupt 6)
Double Fault (Interrupt 8)
Processor Extension Segment Overrun (Interrupt 9)
Invalid Task State Segment (Interrupt 10)
Not Present (Interrupt 11)
Stack Fault (Interrupt 12)
General Protection Fault (Interrupt 13)
Additional Exceptions and Interrupts
Single Step Interrupt (Interrupt 1)

CHAPTER 10
SYSTEM CONTROL AND INITIALIZATION
System Flags and Registers
Descriptor Table Registers
System Control Instructions
Machine Status Word
Other Instructions
Privileged and Trusted Instructions
Initialization
Real Address Mode
Protected Mode

CHAPTER 11
ADVANCED TOPICS
Virtual Memory Management
Special Segment Attributes
Conforming Code Segments
Expand-Down Data Segments
Pointer Validation
Descriptor Validation
Pointer Integrity: RPL and the "Trojan Horse Problem"
NPX Context Switching
Multiprocessor Considerations
Shutdown

APPENDIX A
80286 SYSTEM INITIALIZATION

APPENDIX B
THE 80286 INSTRUCTION SET

APPENDIX C
8086/8088 COMPATIBILITY CONSIDERATIONS

APPENDIX D
80286/80386 SOFTWARE COMPATIBILITY CONSIDERATIONS

INDEX

Figures

Figure  Title
1-1     Four Privilege Levels
2-1     Segmented Virtual Memory
2-2     Bytes and Words in Memory
2-3     80286/80287 Supported Data Types
2-4     80286 Base Architecture Register Set
2-5     Real Address Mode Segment Selector Interpretation
2-6     Protected Mode Segment Selector Interpretation
2-7     80286 Stack
2-8     Stack Operation
2-9     BP Usage as a Stack Frame Base Pointer
2-10    Flags Register
2-11    Two-Component Address
2-12    Use of Memory Segmentation
2-13    Complex Addressing Modes
2-14    Memory-Mapped I/O
2-15    Hierarchy of Instructions
3-1     PUSH
3-2     PUSHA
3-3     POP
3-4     POPA
3-5     Flag Word Contents
3-6     SAL and SHL
3-7     SHR
3-8     SAR
3-9     ROL
3-10    ROR
3-11    RCL
3-12    RCR
3-13    LAHF and SAHF
3-14    PUSHF and POPF
4-1     Formal Definition of the ENTER Instruction
4-2     Variable Access in Nested Procedures
4-2a    Stack Frame for MAIN at Level 1
4-2b    Stack Frame for Procedure A
4-2c    Stack Frame for Procedure B at Level 3 Called from A
4-2d    Stack Frame for Procedure C at Level 3 Called from B
5-1a    Forming the Segment Base Address
5-1b    Forming the 20-Bit Physical Address in the Real Address Mode
5-2
5-3
5-4
6-1
6-2
6-3
6-4
6-5
6-6
6-7
6-8
6-9
Overlapping Segments to Save Physical Memory ...... .................. ...... ................... 5-3
Interrupt Vector Table for Real Address Mode ...................................................... 5-4
Stack Structure after Interrupt (Real Address Mode) .......................................:.... 5-5
Format of the Segment Selector Component ........................................................ 6-2
Address Spaces and Task Isolation ....................................................................... 6-3
Segment Descriptor (S = 1) ............ ............ ...... .......... .................. .......... ................. 6-5
Special Purpose Descriptors or System Segment Descriptors (S=O) ................. 6-6
LDT Descriptor ........................................................................................................ 6-7
Virtual-to-Physical Address Translation ...... ...... .......... .............. ............ ................. 6-8
Segment Descriptor Access Bytes ......................................................................... 6-9
Memory Management Registers ............................................................................. 6-10
Descriptor Loading .................................................................................................. 6-11
Figure  Title

7-1     Addressing Segments of a Module within a Task
7-2     Descriptor Cache Registers
7-3     80286 Virtual Address Space
7-4     Local and Global Descriptor Table Definitions
7-5     Error Code Format (on the stack)
7-6     Code and Data Segments Assigned to a Privilege Level
7-7     Selector Fields
7-8     Access Byte Examples
7-9     Pointer Privilege Stamping
7-10    Gate Descriptor Format
7-11    Call Gate
7-12    Stack Contents after an Inter-Level Call
8-1     Task State Segment and TSS Registers
8-2     TSS Descriptor
8-3     Task Gate Descriptor
8-4     Task Switch Through a Task Gate
9-1     Interrupt Descriptor Table Definition
9-2     IDT Selector Error Code
9-3     Trap/Interrupt Gate Descriptors
9-4     Stack Layout after an Exception with an Error Code
10-1    Local and Global Descriptor Table Definition
10-2    Interrupt Descriptor Table Definition
10-3    Data Type for Global Descriptor Table and Interrupt Descriptor Table
11-1    Expand-Down Segment
11-2    Dynamic Segment Relocation and Expansion of Segment Limit
11-3    Example of NPX Context Switching
B-1     /n Instruction Byte Format
B-2     /r Instruction Byte Format

Tables

Table   Title

2-1     Implied Segment Usage by Index, Pointer, and Base Registers
2-2     Segment Register Selection Rules
2-3     Memory Operand Addressing Modes
2-4     80286 Interrupt Vector Assignments (Real Address Mode)
3-1     Status Flags' Functions
3-2     Control Flags' Functions
3-3     Interpretation of Conditional Transfers
5-1     Interrupt Processing Order
5-2     Dedicated and Reserved Interrupt Vectors in Real Address Mode
5-3     Processor State after RESET
7-1     Segment Access Rights Byte Format
7-2     Allowed Segment Types in Segment Registers
7-3     Call Gate Checks
7-4     Inter-Level Return Checks
8-1     Checks Made during a Task Switch
8-2     Effect of a Task Switch on BUSY and NT Bits and the Link Word
9-1     Trap and Interrupt Gate Checks
9-2     Interrupt and Gate Interactions
9-3     Reserved Exceptions and Interrupts
9-4     Interrupt Processing Order
9-5     Conditions That Invalidate the TSS
10-1    MSW Bit Functions
10-2    Recommended MSW Encodings for Processor Extension Control
11-1    NPX Context Switching
B-1     ModRM Values
B-2     Protection Exceptions of the 80286
B-3     Hexadecimal Values for the Access Rights Byte
C-1     New 80286 Interrupts

CUSTOMER SUPPORT
Customer Support is Intel's complete support service that provides Intel customers with hardware support, software
support, customer training, and consulting services. For more information contact your local sales offices.
After a customer purchases any system hardware or software product, service and support become major factors in
determining whether that product will continue to meet a customer's expectations. Such support requires an international support organization and a breadth of programs to meet a variety of customer needs. As you might expect,
Intel's customer support is quite extensive. It includes factory repair services and worldwide field service offices
providing hardware repair services, software support services, customer training classes, and consulting services.

HARDWARE SUPPORT SERVICES
Intel is committed to providing an international service support package through a wide variety of service offerings
available from Intel Hardware Support.

SOFTWARE SUPPORT SERVICES
Intel's software support consists of two levels of contracts. Standard support includes TIPS (Technical Information
Phone Service), updates and subscription service (product-specific troubleshooting guides and COMMENTS Magazine). Basic support includes updates and the subscription service. Contracts are sold in environments which represent product groupings (i.e., iRMX environment).

CONSULTING SERVICES
Intel provides field systems engineering services for any phase of your development or support effort. You can use
our systems engineers in a variety of ways ranging from assistance in using a new product, developing an application,
personalizing training, and customizing or tailoring an Intel product to providing technical and management consulting. Systems Engineers are well versed in technical areas such as microcommunications, real-time applications,
embedded microcontrollers, and network services. You know your application needs; we know our products. Working together we can help you get a successful product to market in the least possible time.

CUSTOMER TRAINING
Intel offers a wide range of instructional programs covering various aspects of system design and implementation. In
just three to ten days a limited number of individuals learn more in a single workshop than in weeks of self-study.
For optimum convenience, workshops are scheduled regularly at Training Centers worldwide or we can take our
workshops to you for on-site instruction. Covering a wide variety of topics, Intel's major course categories include:
architecture and assembly language, programming and operating systems, bitbus and LAN applications.

CHAPTER 1
INTRODUCTION TO THE 80286
The 80286 is the most powerful 16-bit processor in the 8086 series of microprocessors, which includes
the 8086, the 8088, the 80186, the 80188, and the 80286. It is designed for applications that require
very high performance. It is also an excellent choice for sophisticated "high end" applications that will
benefit from its advanced architectural features: memory management, protection mechanisms, task
management, and virtual memory support. The 80286 provides, on a single VLSI chip, computational
and architectural characteristics normally associated with much larger minicomputers.
Sections 1.1, 1.2, and 1.3 of this chapter provide an overview of the 80286 architecture. Because the
80286 represents an extension of the 8086 architecture, some of this overview material may be new
and unfamiliar to previous users of the 8086 and similar microprocessors. But the 80286 is also an
evolutionary development, with the new architecture superimposed upon the industry standard 8086 in
such a way as to affect only the design and programming of operating systems and other such system
software. Section 1.4 of this chapter provides a guide to the organization of this manual, suggesting
which chapters are relevant to the needs of particular readers.

1.1 GENERAL ATTRIBUTES
The 80286 base architecture has many features in common with the architecture of other members of
the 8086 family, such as byte addressable memory, I/O interfacing hardware, interrupt vectoring, and
support for both multiprocessing and processor extensions. The entire family has a common set of
addressing modes and basic instructions. The 80286 base architecture also includes a number of extensions which add to the versatility of the computer.
The 80286 processor can function in two modes of operation (see section 1.2 of this chapter, Modes of
Operation). In one of these modes only the base architecture is available to programmers, whereas in
the other mode a number of very powerful advanced features have been added, including support for
virtual memory, multitasking, and a sophisticated protection mechanism. These advanced features are
described in section 1.3 of this chapter.
The 80286 base architecture was designed to support programming in high-level languages, such as
Pascal, C or PL/M. The register set and instructions are well suited to compiler-generated code. The
addressing modes (see section 2.6.3 in Chapter 2) allow efficient addressing of complex data structures,
such as static and dynamic arrays, records, and arrays within records, which are commonly supported
by high-level languages. The data types supported by the architecture include, along with bytes and
words, high level language constructs such as strings, BCD, and floating point.
The memory architecture of the 80286 was designed to support modular programming techniques.
Memory is divided into segments, which may be of arbitrary size, that can be used to contain procedures and data structures. Segmentation has several advantages over more conventional linear memory
architectures. It supports structured software, since segments can contain meaningful program units
and data, and more compact code, since references within a segment can be shorter (and locality of
reference usually insures that the next few references will be within the same segment). Segmentation
also lends itself to efficient implementation of sophisticated memory management, virtual memory,
and memory protection.
In addition, new instructions have been added to the base architecture to give hardware support for
procedure invocations, parameter passing, and array bounds checking.

1.2 MODES OF OPERATION
The 80286 can be operated in either of two different modes: Real Address Mode or Protected Virtual
Address Mode (also referred to as Protected Mode). In either mode of operation, the 80286 represents
an upwardly compatible addition to the 8086 family of processors.
In Real Address Mode, the 80286 operates essentially as a very high-performance 8086. Programs
written for the 8086 or the 80186 can be executed in this mode without any modification (the few
exceptions are described in Appendix C, "Compatibility Considerations"). Such upward compatibility
extends even to the object code level; for example, an 8086 program stored in read-only memory will
execute successfully in 80286 Real Address Mode. An 80286 operating in Real Address Mode provides
a number of instructions not found on the 8086. These additional instructions, also present with the
80186, allow for efficient subroutine linkage, parameter validation, index calculations, and block I/O
transfers.
The advanced architectural features and full capabilities of the 80286 are realized in its native Protected
Mode. Among these features are sophisticated mechanisms to support data protection, system integrity, task concurrency, and memory management, including virtual storage. Nevertheless, even in
Protected Mode, the 80286 remains upwardly compatible with most 8086 and 80186 application
programs. Most 8086 applications programs can be re-compiled or re-assembled and executed on the
80286 in Protected Mode.

1.3 ADVANCED FEATURES
The architectural features described in section 1.1 of this chapter are common to both operating modes
of the processor. In addition to these common features, Protected Mode provides a number of advanced
features, including a greatly extended physical and logical address space, new instructions, and support
for additional hardware-recognized data structures. The Protected Mode 80286 includes a sophisticated memory management and multilevel protection mechanism. Full hardware support is included
for multitasking and task switching operations.

1.3.1 Memory Management
The memory architecture of the Protected Mode 80286 represents a significant advance over that of
the 8086. The physical address space has been increased from 1 megabyte to 16 megabytes (2^24 bytes),
while the virtual address space (i.e., the address space visible to a program) has been increased from
1 megabyte to 1 gigabyte (2^30 bytes). Moreover, separate virtual address spaces are provided for each
task in a multi-tasking system (see the next section, 1.3.2, "Task Management").
The 80286 supports on-chip memory management instead of relying on an external memory management unit. The one-chip solution is preferable because no software is required to manage an external
memory management unit, performance is much better, and hardware designs are significantly simpler.
Mechanisms have been included in the 80286 architecture to allow the efficient implementation of
virtual memory systems. (In virtual memory systems, the user regards the combination of main and
external storage as a single large memory. The user can write large programs without worrying about
the physical memory limitations of the system. To accomplish this, the operating system places some
of the user programs and data in external storage and brings them into main memory only as they are
needed.) All instructions that can cause a segment-not-present fault are fully restartable. Thus, a not-present segment can be loaded from external storage, and the task can be restarted at the point where
the fault occurred.

The 80286, like all members of the 8086 series, supports a segmented memory architecture. The 80286
also fully integrates memory segmentation into a comprehensive protection scheme. This protection
scheme includes hardware-enforced length and type checking to protect segments from inadvertent
misuse.

1.3.2 Task Management
The 80286 is designed to support multi-tasking systems. The architecture provides direct support for
the concept of a task. For example, task state segments (see section 8.2 in Chapter 8) are hardware-recognized and hardware-manipulated structures that contain information on the current state of all
tasks in the system.
Very efficient context-switching (task-switching) can be invoked with a single instruction. Separate
logical address spaces are provided for each task in the system. Finally, mechanisms exist to support
intertask communication, synchronization, memory sharing, and task scheduling. Task Management is
described in Chapter 8.

1.3.3 Protection Mechanisms
The 80286 allows the system designer to define a comprehensive protection policy to be applied,
uniformly and continuously, to all ongoing operations of the system. Such a policy may be desirable to
ensure system reliability, privacy of data, rapid error recovery, and separation of multiple users.
The 80286 protection mechanisms are based on the notion of a "hierarchy of trust." Four privilege
levels are distinguished, ranging from Level 0 (most trusted) to Level 3 (least trusted). Level 0 is
usually reserved for the operating system kernel. The four levels may be visualized as concentric rings,
with the most privileged level in the center (see figure 1-1).
This four-level scheme offers system reliability, flexibility, and design options not possible with the
typical two-level (supervisor/user) separation provided by other processors. A four-level division is
capable of separating kernel, executive, system services, and application software, each with different
privileges.
At any one time, a task executes at one of the four levels. Moreover, all data segments and code
segments are also assigned to privilege levels. A task executing at one level cannot access data at a
more privileged level, nor can it call a procedure at a less privileged level (i.e., trust a less privileged
procedure to do work for it). Thus, both access to data and transfer of control are restricted in appropriate ways.
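An added example, not code from the manual: a C model of the two rules just stated, run over a constructed list of requests to show which ones the four-level scheme refuses. The layer names, the request structure and the sample workload are assumptions made for illustration; the gate and selector checks covered in Chapter 7 are not modelled.

```c
#include <stddef.h>
#include <stdio.h>

/* Levels as numbered on the page: 0 is most trusted, 3 is least trusted.
   The layer names follow the page's four-level division; the identifiers
   themselves are this example's own. */
enum level { KERNEL = 0, EXECUTIVE = 1, SERVICES = 2, APPLICATION = 3 };

/* Outcome of a control transfer under the rule stated in the text. */
enum transfer { XFER_DENIED = 0, XFER_SAME_LEVEL = 1, XFER_INWARD = 2 };

static int valid_level(int l) { return l >= KERNEL && l <= APPLICATION; }

/* A task cannot access data at a more privileged (numerically lower) level. */
int data_access_allowed(int task_level, int segment_level)
{
    if (!valid_level(task_level) || !valid_level(segment_level))
        return 0;                       /* fail closed on malformed input */
    return task_level <= segment_level;
}

/* A task cannot call a procedure at a less privileged (numerically higher)
   level. Calls toward a more privileged level are reported separately:
   the 80286 routes them through call gates (Chapter 7), which this
   simplified model does not implement. */
enum transfer classify_call(int task_level, int target_level)
{
    if (!valid_level(task_level) || !valid_level(target_level))
        return XFER_DENIED;
    if (target_level > task_level)
        return XFER_DENIED;
    return target_level == task_level ? XFER_SAME_LEVEL : XFER_INWARD;
}

/* One attempted operation: kind 'D' = data access, 'C' = procedure call. */
struct request {
    const char *what;
    char kind;
    int task_level;
    int target_level;
};

/* Constructed sample workload, not taken from the manual. */
static const struct request sample[] = {
    { "application reads its own buffer",      'D', APPLICATION, APPLICATION },
    { "application reads kernel task table",   'D', APPLICATION, KERNEL      },
    { "kernel copies from application buffer", 'D', KERNEL,      APPLICATION },
    { "services reads executive data",         'D', SERVICES,    EXECUTIVE   },
    { "services calls executive entry point",  'C', SERVICES,    EXECUTIVE   },
    { "executive calls application callback",  'C', EXECUTIVE,   APPLICATION },
    { "kernel calls kernel helper",            'C', KERNEL,      KERNEL      },
};
#define SAMPLE_COUNT (sizeof sample / sizeof sample[0])

/* Apply the matching rule to one request. */
int request_permitted(const struct request *r)
{
    if (r->kind == 'D')
        return data_access_allowed(r->task_level, r->target_level);
    if (r->kind == 'C')
        return classify_call(r->task_level, r->target_level) != XFER_DENIED;
    return 0;                           /* unknown operation kinds are refused */
}

/* Number of requests in the list that the two rules refuse. */
size_t count_violations(const struct request *reqs, size_t n)
{
    size_t denied = 0;
    for (size_t i = 0; i < n; i++)
        if (!request_permitted(&reqs[i]))
            denied++;
    return denied;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-40s %s\n", sample[i].what,
               request_permitted(&sample[i]) ? "permitted" : "refused");
    printf("%zu of %zu requests refused\n",
           count_violations(sample, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```

The two rules point in opposite directions: more trusted code may read less trusted data but may not hand control to less trusted code.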
A complete separation can exist between the logical address spaces local to different tasks, providing
users with automatic protection against accidental or malicious interference by other users. The hardware
also provides immediate detection of a number of fault and error conditions, a feature that can be
useful in the development and maintenance of software.
Finally, these protection mechanisms require relatively little system overhead because they are integrated
into the memory management and protection hardware of the processor itself.

[Figure 1-1. Four Privilege Levels: concentric rings, labeled LEAST TRUSTED at the outside and MOST TRUSTED at the center]

1.3.4 Support for Operating Systems
Most operating systems involve some degree of concurrency, with multiple tasks vying for system
resources. The task management mechanisms described above provide the 80286 with inherent support
for such multi-tasking systems. Moreover, the advanced memory management features of the 80286
allow the implementation of sophisticated virtual memory systems.
Operating system implementors have found that a multi-level approach to system services provides
better security and more reliable systems. For example, a very secure kernel might implement critical
functions such as task scheduling and resource allocation, while less fundamental functions (such as
I/O) are built around the kernel. This layered approach also makes program development and
enhancement simpler and facilitates error detection and debugging. The 80286 supports the layered
approach through its four-level privilege scheme.

1.4 ORGANIZATION OF THIS BOOK
To facilitate the use of this book both as an introduction to the 80286 architecture and as a reference
guide, the remaining chapters are divided into three major parts.
Part I, comprising chapters 2 through 4, should be read by all those who wish to acquire a basic
familiarity with the 80286 architecture. These chapters provide detailed information on memory
segmentation, registers, addressing modes and the general (application level) 80286 instruction set. In
conjunction with the 80286 Assembly Language Reference Manual, these chapters provide sufficient
information for an assembly language programmer to design and write application programs.

The chapters in Part I are:
Chapter 2, "Architectural Features." This chapter discusses those features of the 80286 architecture
that are significant for application programmers. The information presented can also function as an
introduction to the machine for system programmers. Memory organization and segmentation, processor registers, addressing modes, and instruction formats are all discussed.
Chapter 3, "Basic Instruction Set." This chapter presents the core instructions of the 8086 family.
Chapter 4, "Extended Instruction Set." This chapter presents the extended instructions shared by the
80186 and 80286 processors.
Part II of the book consists of a single chapter:
Chapter 5, "Real Address Mode." This chapter presents the system programmer's view of the 80286
when the processor is operated in Real Address Mode.
Part III of the book comprises chapters 6 through 11. Aimed primarily at system programmers, these
chapters discuss the more advanced architectural features of the 80286, which are available when the
processor is in Protected Mode. Details on memory management, protection mechanisms, and task
switching are provided.
The chapters in Part III are:
Chapter 6, "Virtual Memory." This chapter describes the 80286 address translation mechanisms that
support virtual memory. Segment descriptors, global and local descriptor tables, and descriptor caches
are discussed.
Chapter 7, "Protection." This chapter describes the protection features of the 80286. Privilege levels,
segment attributes, access restrictions, and call gates are discussed.
Chapter 8, "Tasks and State Transitions." This chapter describes the 80286 mechanisms that support
concurrent tasks. Context-switching, task state segments, task gates, and interrupt tasks are discussed.
Chapter 9, "Interrupts, Traps and Faults." This chapter describes interrupt and trap handling. Special
attention is paid to the exception traps, or faults, which may occur in Protected Mode. Interrupt gates,
trap gates, and the interrupt descriptor table are discussed.
Chapter 10, "System Control and Initialization." This chapter describes the actual instructions used
to implement the memory management, protection, and task support features of the 80286. System
registers, privileged instructions, and the initial machine state are discussed.
Chapter 11, "Advanced Topics." This chapter completes Part III with a description of several advanced
topics, including special segment attributes and pointer validation.

1.5 RELATED PUBLICATIONS
The following manuals also contain information of interest to programmers of 80287 systems:

Introduction to the 80286, order number 210308
ASM286 Assembly Language Reference Manual, order number 121924
80286 Operating System Writer's Guide, order number 121960

80286 Hardware Reference Manual, order number 210760
Microprocessor and Peripheral Handbook, order number 230843
PL/M-286 User's Guide, order number 121945
80287 Support Library Reference Manual, order number 122129
8086 Software Toolbox Manual, order number 122203 (includes information about 80287
Emulator Software)

CHAPTER 2
80286 BASE ARCHITECTURE
This chapter describes the 80286 application programming environment as seen by assembly language
programmers. It is intended to introduce the programmer to those features of the 80286 architecture
that directly affect the design and implementation of 80286 application programs.

2.1 MEMORY ORGANIZATION AND SEGMENTATION
The main memory of an 80286 system makes up its physical address space. This address space is
organized as a sequence of 8-bit quantities, called bytes. Each byte is assigned a unique address ranging
from 0 up to a maximum of 2^20 (1 megabyte) in Real Address Mode, and up to 2^24 (16 megabytes) in
Protected Mode.
A virtual address space is the organization of memory as viewed by a program. Virtual address space
is also organized in units of bytes. (Other addressable units such as words, strings, and BCD digits are
described below in section 2.2, "Data Types.") In Real Address Mode, as with the 8086 itself, programs
view physical memory directly, inasmuch as they manipulate pure physical addresses. Thus, the virtual
address space is identical to the physical address space (1 megabyte).
In Protected Mode, however, programs have no direct access to physical addresses. Instead, memory
is viewed as a much larger virtual address space of 2^30 bytes (1 gigabyte). This 1 gigabyte virtual
address is mapped onto the Protected Mode's 16-megabyte physical address space by the address translation mechanisms described in Chapter 6.
The programmer views the virtual address space on the 80286 as a collection of up to sixteen thousand
linear subspaces, each with a specified size or length. Each of these linear address spaces is called a
segment. A segment is a logical unit of contiguous memory. Segment sizes may range from one byte
up to 64K (65,536) bytes.
80286 memory segmentation supports the logical structure of programs and data in memory. Programs
are not written as single linear sequences of instructions and data, but rather as modules of code and
data. For example, program code may include a main routine and several separate procedures. Data
may also be organized into various data structures, some private and some shared with other programs
in the system. Run-time stacks constitute yet another data requirement. Each of these several modules
of code and data, moreover, may be very different in size or vary dynamically with program execution.
Segmentation supports this logical structure (see figure 2-1). Each meaningful module of a program
may be separately contained in individual segments. The degree of modularization, of course, depends
on the requirements of a particular application. Use of segmentation benefits almost all applications.
Programs execute faster and require less space. Segmentation also simplifies the design of structured
software.

2.2 DATA TYPES
Bytes and words are the fundamental units in which the 80286 manipulates data, i.e., the fundamental
data types.

[Figure 2-1. Segmented Virtual Memory. Labels: CS, MAIN PROCEDURE, PROCEDURE, DATA (A), DATA (B), CURRENTLY ACCESSIBLE]

A byte is 8 contiguous bits starting on an addressable byte boundary. The bits are numbered 0 through
7, starting from the right. Bit 7 is the most significant bit:
[Diagram: one byte, labeled BYTE, with bit 7 at the left and bit 0 at the right]

A word is defined as two contiguous bytes starting on an arbitrary byte boundary; a word thus contains
16 bits. The bits are numbered 0 through 15, starting from the right. Bit 15 is the most significant bit.
The byte containing bit 0 of the word is called the low byte; the byte containing bit 15 is called the
high byte.
[Diagram: one word, bits 15 through 0 from left to right; HIGH BYTE at LOCATION N + 1, LOW BYTE at LOCATION N]

Each byte within a word has its own particular address, and the smaller of the two addresses is used
as the address of the word. The byte at this lower address contains the eight least significant bits of
the word, while the byte at the higher address contains the eight most significant bits. The arrangement
of bytes within words is illustrated in figure 2-2.
Note that a word need not be aligned at an even-numbered byte address. This allows maximum flexibility in data structures (e.g., records containing mixed byte and word entries) and efficiency in memory
utilization. Although actual transfers of data between the processor and memory take place at physically aligned word boundaries, the 80286 converts requests for unaligned words into the appropriate
sequences of requests acceptable to the memory interface. Such odd aligned word transfers, however,
may impact performance by requiring two memory cycles to transfer the word rather than one. Data
structures (e.g., stacks) should therefore be designed in such a way that word operands are aligned on
word boundaries whenever possible for maximum system performance. Due to instruction prefetching
and queueing within the CPU, there is no requirement for instructions to be aligned on word boundaries and no performance loss if they are not.
Although bytes and words are the fundamental data types of operands, the processor also supports
additional interpretations on these bytes or words. Depending on the instruction referencing the operand,
the following additional data types can be recognized:
Integer:
A signed binary numeric value contained in an 8-bit byte or a 16-bit word. All operations assume a
2's complement representation. (Signed 32- and 64-bit integers are supported using the 80287
Numeric Data Processor.)

BYTE ADDRESS   MEMORY VALUE
C              FE
B              06             WORD AT ADDRESS B CONTAINS FE06
9              1F             BYTE AT ADDRESS 9 CONTAINS 1F
7              23
6              0B             WORD AT ADDRESS 6 CONTAINS 230B
3              74
2              CB             WORD AT ADDRESS 2 CONTAINS 74CB
1              31             WORD AT ADDRESS 1 CONTAINS CB31

NOTE: ALL VALUES IN HEXADECIMAL

Figure 2-2. Bytes and Words in Memory

Ordinal:
An unsigned binary numeric value contained in an 8-bit byte or 16-bit word.
Pointer:
A 32-bit address quantity composed of a segment selector component and an offset component.
Each component is a 16-bit word.
String:
A contiguous sequence of bytes or words. A string may contain from 1 byte to 64K bytes.
ASCII:
A byte representation of alphanumeric and control characters using the ASCII standard of
character representation.
BCD:
A byte (unpacked) representation of the decimal digits (0-9).
Packed BCD:
A byte (packed) representation of two decimal digits (0-9). One digit is stored in each nibble of the
byte.
Floating Point:
A signed 32-, 64-, or 80-bit real number representation. (Floating operands are supported using the
80287 Numeric Processor Configuration.)
Figure 2-3 graphically represents the data types supported by the 80286. 80286 arithmetic operations
may be performed on five types of numbers: unsigned binary, signed binary (integers), unsigned packed
decimal, unsigned unpacked decimal, and floating point. Binary numbers may be 8 or 16 bits long.
Decimal numbers are stored in bytes; two digits per byte for packed decimal, one digit per byte for
unpacked decimal. The processor always assumes that the operands specified in arithmetic instructions
contain data that represent valid numbers for the type of instruction being performed. Invalid data
may produce unpredictable results.
Unsigned binary numbers may be either 8 or 16 bits long; all bits are considered in determining a
number's magnitude. The value range of an 8-bit unsigned binary number is 0-255; 16 bits can represent values from 0 through 65,535. Addition, subtraction, multiplication and division operations are
available for unsigned binary numbers.
Signed binary numbers (integers) may be either 8 or 16 bits long. The high-order (leftmost) bit is
interpreted as the number's sign: 0 = positive and 1 = negative. Negative numbers are represented in
standard two's complement notation. Since the high-order bit is used for a sign, the range of an 8-bit
integer is -128 through +127; 16-bit integers may range from -32,768 through +32,767. The value
zero has a positive sign.

[Figure: bit layouts of the supported data types: signed byte (sign bit, magnitude), unsigned byte, signed word, signed double word*, signed quad word*, unsigned word, binary coded decimal (BCD) digits, ASCII characters, packed BCD (most significant digit, least significant digit), string (bytes/words 0 through N), pointer (selector, offset), and floating point* (sign bit, exponent, magnitude).
* Supported by 80287 Numeric Data Processor configuration.]

Figure 2-3. 80286/80287 Supported Data Types

Separate multiplication and division operations are provided for both signed and unsigned binary
numbers. The same addition and subtraction instructions are used with signed or unsigned binary values.
Conditional jump instructions, as well as an "interrupt on overflow" instruction, can be used following
an unsigned operation on an integer to detect overflow into the sign bit.
Unpacked decimal numbers are stored as unsigned byte quantities. One digit is stored in each byte.
The magnitude of the number is determined from the low-order half-byte; hexadecimal values 0-9 are
valid and are interpreted as decimal numbers. The high-order half-byte must be zero for multiplication
and division; it may contain any value for addition and subtraction.
Arithmetic on unpacked decimal numbers is performed in two steps. The unsigned binary addition,
subtraction and multiplication operations are used to produce an intermediate result. An adjustment
instruction then changes the value to a final correct unpacked decimal number. Division is performed
similarly, except that the adjustment is carried out on the two digit numerator operand in register AX
first, followed by an unsigned binary division instruction that produces a correct result.
Unpacked decimal numbers are similar to the ASCII character representations of the digits 0-9. Note,
however, that the high-order half-byte of an ASCII numeral is always 3. Unpacked decimal arithmetic
may be performed on ASCII numeric characters under the following conditions:
• the high-order half-byte of an ASCII numeral must be set to 0H prior to multiplication or division.
• unpacked decimal arithmetic leaves the high-order half-byte set to 0H; it must be set to 3 to
produce a valid ASCII numeral.

Packed decimal numbers are stored as unsigned byte quantities. The byte is treated as having one
decimal digit in each half-byte (nibble); the digit in the high-order half-byte is the most significant.
Values 0-9 are valid in each half-byte, and the range of a packed decimal number is 0-99. Additions
and subtractions are performed in two steps. First, an addition or subtraction instruction is used to
produce an intermediate result. Then, an adjustment operation is performed which changes the intermediate value to a final correct packed decimal result. Multiplication and division adjustments are
only available for unpacked decimal numbers.
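
The two-step packed decimal addition described above, as an added example in C that is not part of the manual: a binary add followed by the decimal adjustment (the rule the DAA instruction applies), with operands validated first because the processor assumes valid digits. The type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of adding two packed decimal bytes (illustrative type, not from the manual). */
typedef struct {
    uint8_t  digits;   /* adjusted packed decimal result, 00-99 */
    unsigned carry;    /* decimal carry out of the byte */
    int      valid;    /* 0 when an operand was not valid packed decimal */
} bcd_sum;

/* A packed decimal byte is valid only if each half-byte holds 0-9. */
int is_packed_bcd(uint8_t b)
{
    return (b & 0x0F) <= 9 && (b >> 4) <= 9;
}

bcd_sum packed_bcd_add(uint8_t a, uint8_t b, unsigned carry_in)
{
    bcd_sum r = { 0, 0, 0 };
    unsigned sum, al, old_al, cf, af;

    /* Reject data the adjustment step is not defined for. */
    if (!is_packed_bcd(a) || !is_packed_bcd(b) || carry_in > 1)
        return r;

    /* Step 1: ordinary binary addition, recording CF and AF. */
    sum = (unsigned)a + b + carry_in;
    al  = sum & 0xFF;                                     /* intermediate result */
    cf  = sum > 0xFF;                                     /* carry out of bit 7 */
    af  = ((a & 0x0Fu) + (b & 0x0Fu) + carry_in) > 0x0F;  /* carry out of bit 3 */

    /* Step 2: decimal adjustment of the intermediate result. */
    old_al = al;
    if ((al & 0x0F) > 9 || af)
        al += 0x06;                                       /* correct the low digit */
    if (old_al > 0x99 || cf) {
        al += 0x60;                                       /* correct the high digit */
        cf = 1;
    }
    r.digits = (uint8_t)al;
    r.carry  = cf;
    r.valid  = 1;
    return r;
}

/* Four-digit addition built from two byte additions, low byte first.
 * Returns the packed result with the decimal carry in bit 16, or -1
 * if either operand contains a half-byte outside 0-9. */
long packed_bcd_add16(uint16_t a, uint16_t b)
{
    bcd_sum lo = packed_bcd_add((uint8_t)(a & 0xFF), (uint8_t)(b & 0xFF), 0);
    bcd_sum hi;

    if (!lo.valid)
        return -1;
    hi = packed_bcd_add((uint8_t)(a >> 8), (uint8_t)(b >> 8), lo.carry);
    if (!hi.valid)
        return -1;
    return ((long)hi.carry << 16) | ((long)hi.digits << 8) | lo.digits;
}

int main(void)
{
    bcd_sum s = packed_bcd_add(0x38, 0x45, 0);            /* constructed operands */
    printf("38 + 45 = %02X carry %u\n", s.digits, s.carry);
    printf("1999 + 0001 = %lX\n", (unsigned long)packed_bcd_add16(0x1999, 0x0001));
    printf("invalid operand -> %ld\n", packed_bcd_add16(0x12A4, 0x0001));
    return 0;
}
```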
Pointers and addresses are described below in section 2.3.3, "Index, Pointer, and Base Registers," and
in section 3.8, "Address Manipulation Instructions."
Strings are contiguous bytes or words from 1 to 64K bytes in length. They generally contain ASCII or
other character data representations. The 80286 provides string manipulation instructions to move,
examine, or modify a string (see section 3.7, "Character Translation and String Instructions").
If the 80287 numeric processor extension (NPX) is present in the system (see the 80287 NPX
book), the 80286 architecture also supports floating point numbers, 32- and 64-bit integers, and
18-digit BCD data types.

The 80287 Numeric Data Processor supports and stores real numbers in a three-field binary format as
required by IEEE standard 754 for floating point numerics (see figure 2-3). The number's significant
digits are held in the significand field, the exponent field locates the binary point within the significant
digits (and therefore determines the number's magnitude), and the sign field indicates whether the
number is positive or negative. (The exponent and significand are analogous to the terms "characteristic" and "mantissa," typically used to describe floating point numbers on some computers.) This
format is used by the 80287 with various length significands and exponents to support single precision,
double precision and extended (80-bit) precision floating point data types. Negative numbers differ
from positive numbers only in their sign bits.


2.3 REGISTERS
The 80286 contains a total of fourteen registers that are of interest to the application programmer.
(Five additional registers used by system programmers are covered in section 10.1.) As shown in
figure 2-4, these registers may be grouped into four basic categories:
• General registers. These eight 16-bit general-purpose registers are used primarily to contain operands
for arithmetic and logical operations.
• Segment registers. These four special-purpose registers determine, at any given time, which
segments of memory are currently addressable.
• Status and Control registers. These three special-purpose registers are used to record and alter
certain aspects of the 80286 processor state.

2.3.1 General Registers
The general registers of the 80286 are the 16-bit registers AX, BX, CX, DX, SP, BP, SI, and DI.
These registers are used interchangeably to contain the operands of logical and arithmetic operations.
Some instructions and addressing modes (see section 2.4), however, dedicate certain general registers
to specific uses. BX and BP are often used to contain the base address of data structures in memory
(for example, the starting address of an array); for this reason, they are often referred to as the base
registers. Similarly, SI and DI are often used to contain an index value that will be incremented to
step through a data structure; these two registers are called the index registers. Finally, SP and BP are
used for stack manipulation. Both SP and BP normally contain offsets into the current stack. SP generally contains the offset of the top of the stack and BP contains the offset or base address of the current
stack frame. The use of these general-purpose registers for operand addressing is discussed in section
2.3.3, "Index, Pointer, and Base Registers." Register usage for individual instructions is discussed in
chapters 3 and 4.

GENERAL REGISTERS
16-BIT REGISTER NAME   ADDRESSABLE 8-BIT REGISTER NAMES   SPECIAL REGISTER FUNCTIONS
AX                     AH, AL                             MULTIPLY/DIVIDE, I/O INSTRUCTIONS
DX                     DH, DL                             MULTIPLY/DIVIDE, I/O INSTRUCTIONS
CX                     CH, CL                             LOOP/SHIFT/REPEAT COUNT
BX                     BH, BL                             BASE REGISTER
BP                                                        BASE REGISTER
SI                                                        INDEX REGISTER
DI                                                        INDEX REGISTER
SP                                                        STACK POINTER

SEGMENT REGISTERS
CS    CODE SEGMENT SELECTOR
DS    DATA SEGMENT SELECTOR
SS    STACK SEGMENT SELECTOR
ES    EXTRA SEGMENT SELECTOR

STATUS AND CONTROL REGISTERS
F     FLAGS
IP    INSTRUCTION POINTER
MSW   MACHINE STATUS WORD

Figure 2-4. 80286 Base Architecture Register Set
As shown in figure 2-4, eight byte registers overlap four of the 16-bit general registers. These registers
are named AH, BH, CH, and DH (high bytes); and AL, BL, CL, and DL (low bytes); they overlap
AX, BX, CX, and DX. These registers can be used either in their entirety or as individual 8-bit registers. This dual interpretation simplifies the handling of both 8- and 16-bit data elements.

2.3.2 Memory Segmentation and Segment Registers
Complete programs generally consist of many different code modules (or segments), and different
types of data segments. However, at any given time during program execution, only a small subset of
a program's segments are actually in use. Generally, this subset will include code, data, and possibly a
stack. The 80286 architecture takes advantage of this by providing mechanisms to support direct access
to the working set of a program's execution environment and access to additional segments on demand.
At any given instant, four segments of memory are immediately accessible to an executing 80286
program. The segment registers DS, ES, SS, and CS are used to identify these four current segments.
Each of these registers specifies a particular kind of segment, as characterized by the associated
mnemonics ("code," "stack," "data," or "extra") shown in figure 2-4.
An executing program is provided with concurrent access to the four individual segments of memory (a code segment, a stack segment, and two data segments) by means of the four segment registers.
Each may be said to select a segment, since it uniquely determines the one particular segment from
among the numerous segments in memory, which is to be immediately accessible at highest speed.
Thus, the 16-bit contents of a segment register is called a segment selector.
Once a segment is selected, a base address is associated with it. To address an element within a segment,
a 16-bit offset from the segment's base address must be supplied. The 16-bit segment selector and the
16-bit offset taken together form the high and low order halves, respectively, of a 32-bit virtual address
pointer. Once a segment is selected, only the lower 16-bits of the pointer, called the offset, generally
need to be specified by an instruction. Simple rules define which segment register is used to form an
address when only a 16-bit offset is specified.
An executing program requires, first of all, that its instructions reside somewhere in memory. The
segment of memory containing the currently executing sequence of instructions is known as the current
code segment; it is specified by means of the CS register. All instructions are fetched from this code
segment, using as an offset the contents of the instruction pointer (IP). The CS:IP register combination
therefore forms the full 32-bit pointer for the next sequential program instruction. The CS register is
manipulated indirectly. Transitions from one code segment to another (e.g., a procedure call) are effected
implicitly as the result of control-transfer instructions, interrupts, and trap operations.
Stacks play a fundamental role in the 80286 architecture; subroutine calls, for example, involve a
number of implicit stack operations. Thus, an executing program will generally require a region of
memory for its stack. The segment containing this region is known as the current stack segment, and
it is specified by means of the SS register. All stack operations are performed within this segment,
usually in terms of address offsets contained in the stack pointer (SP) and stack frame base (BP)
registers. Unlike CS, the SS register can be loaded explicitly for dynamic stack definition.


Beyond their code and stack requirements, most programs must also fetch and store data in memory.
The DS and ES registers allow the specification of two data segments, each addressable by the currently
executing program. Accessibility to two separate data areas supports differentiation and access requirements like local procedure data and global process data. An operand within a data segment is addressed
by specifying its offset either directly in an instruction or indirectly via index and/or base registers
(described in the next subsection).
Depending on the data structure (e.g., the way data is parceled into one or more segments), a program
may require access to multiple data segments. To access additional segments, the DS and ES registers
can be loaded under program control during the course of a program's execution. This simply requires
loading the appropriate data pointer prior to accessing the data.
The interpretation of segment selector values depends on the operating mode of the processor. In Real
Address Mode, a segment selector is a physical address (figure 2-5). In Protected Mode, a segment
selector selects a segment of the user's virtual address space (figure 2-6). An intervening level of logical-to-physical address translation converts the logical address to a physical memory address. Chapter 6,
"Memory Management," provides a detailed discussion of Protected Mode addressing. In general,
considerations of selector formats and the details of memory mapping need not concern the application
programmer.
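
The Real Address Mode interpretation above (and the overlap rules in the notes to figure 2-5), as an added example in C that is not part of the manual: it forms physical addresses from selector:offset pairs, detects when two different pointers name the same byte, and measures how far two 64K-byte segments overlap. All type and function names are hypothetical, and addresses beyond the 1 megabyte space are reported rather than modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define SEGMENT_BYTES 0x10000u    /* a full 64K-byte segment (assumed size) */
#define ADDRESS_SPACE 0x100000u   /* 1 megabyte physical address space */

typedef struct { uint16_t sel; uint16_t off; } far_ptr;
typedef struct { int ok; far_ptr p; } norm_result;

far_ptr make_far(uint16_t sel, uint16_t off)
{
    far_ptr p = { sel, off };
    return p;
}

/* The selector is the 16 most significant bits of the segment's base address. */
uint32_t real_mode_base(uint16_t sel)
{
    return (uint32_t)sel << 4;
}

uint32_t real_mode_physical(far_ptr p)
{
    return real_mode_base(p.sel) + p.off;
}

/* Different selector:offset pairs can name the same byte, so pointers
 * must be compared by physical address, not field by field. */
int far_ptr_alias(far_ptr a, far_ptr b)
{
    return real_mode_physical(a) == real_mode_physical(b);
}

/* Canonical form with an offset of 0-15; ok = 0 when the sum lies
 * outside the 1 megabyte space, which this example does not model. */
norm_result far_ptr_normalize(far_ptr p)
{
    norm_result r = { 0, { 0, 0 } };
    uint32_t phys = real_mode_physical(p);

    if (phys >= ADDRESS_SPACE)
        return r;
    r.ok = 1;
    r.p.sel = (uint16_t)(phys >> 4);
    r.p.off = (uint16_t)(phys & 0x0F);
    return r;
}

/* Bytes shared by two full 64K segments: complete overlap for equal
 * selectors, shrinking 16 bytes per selector step, none at 64K apart. */
uint32_t segment_overlap_bytes(uint16_t sel_a, uint16_t sel_b)
{
    uint32_t a = real_mode_base(sel_a), b = real_mode_base(sel_b);
    uint32_t gap = a > b ? a - b : b - a;

    return gap >= SEGMENT_BYTES ? 0 : SEGMENT_BYTES - gap;
}

/* Do two buffers, each given as a far pointer plus length, share memory? */
int far_buffers_intersect(far_ptr a, uint32_t len_a, far_ptr b, uint32_t len_b)
{
    uint32_t pa = real_mode_physical(a), pb = real_mode_physical(b);

    return pa < pb + len_b && pb < pa + len_a;
}

int main(void)
{
    /* Constructed sample pointers. */
    far_ptr x = make_far(0x1234, 0x0010), y = make_far(0x1235, 0x0000);

    printf("%04X:%04X -> %05lX\n", x.sel, x.off, (unsigned long)real_mode_physical(x));
    printf("alias with %04X:%04X: %d\n", y.sel, y.off, far_ptr_alias(x, y));
    printf("overlap 1000/1001: %lu bytes\n",
           (unsigned long)segment_overlap_bytes(0x1000, 0x1001));
    return 0;
}
```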

2.3.3 Index, Pointer, and Base Registers
Five of the general-purpose registers are available for offset address calculations. These five registers,
shown in figure 2-4, are SP, BP, BX, SI, and DI. SP is called a pointer register; BP and BX are called
base registers; SI and DI are called index registers.

[Figure: in Real Address Mode the SELECTOR (SEG 1), extended with 0000, gives the BASE ADDRESS of a 64K-byte SEGMENT within the 1 MEGABYTE PHYSICAL ADDRESS SPACE.]

NOTES:
1. THE SELECTOR IDENTIFIES A SEGMENT IN PHYSICAL MEMORY.
2. A SELECTOR SPECIFIES THE SEGMENT'S BASE ADDRESS, MODULO 16, WITHIN
THE 1 MEGABYTE ADDRESS SPACE.
3. THE SELECTOR IS THE 16 MOST SIGNIFICANT BITS OF A SEGMENT'S PHYSICAL
BASE ADDRESS.
4. THE VALUES OF SELECTORS DETERMINES THE AMOUNT THEY OVERLAP IN REAL
MEMORY.
5. SEGMENTS MAY OVERLAP BY INCREMENTS OF 16 BYTES. OVERLAP RANGES FROM
COMPLETE (SEG 1 ~ SEG 1) TO NONE (SEG 1 SEG 2 ± 64K)

Figure 2-5. Real Address Mode Segment Selector Interpretation

[Figure: in Protected Mode the SELECTOR names one of the segments SEG 0 through SEG 3FFF, each 1 TO 64K BYTES long, in the 1 GIGABYTE VIRTUAL ADDRESS SPACE.]

NOTES:
1. A SELECTOR UNIQUELY IDENTIFIES (NAMES) ONE OF 16K POSSIBLE SEGMENTS IN THE
TASK'S VIRTUAL ADDRESS SPACE.
2. THE SELECTOR VALUE DOES NOT SPECIFY THE SEGMENT'S LOCATION IN PHYSICAL
MEMORY.
3. THE SELECTOR DOES NOT IMPLY ANY OVERLAP WITH OTHER SEGMENTS (THIS
DEPENDS ON THE BASE ADDRESS OF THE SEGMENT AS SPECIFIED VIA THE MEMORY
MANAGEMENT AND PROTECTION INFORMATION).

Figure 2-6. Protected Mode Segment Selector Interpretation

As described in the previous section, segment registers define the set of four segments currently
addressable by a program. A pointer, base, or index register may contain an offset value relative to the
start of one of these segments; it thereby points to a particular operand's location within that segment.
To allow for efficient computations of effective address offsets, all base and index registers may participate interchangeably as operands in most arithmetical operations.
Stack operations are facilitated by the stack pointer (SP) and stack frame base (BP) registers. By
specifying offsets into the current stack segment, each of these registers provides access to data on the
stack. The SP register is the customary top-of-stack pointer, addressing the uppermost datum on a
push-down stack. It is referenced implicitly by PUSH and POP operations, subroutine calls, and interrupt operations. The BP register provides yet another offset into the stack segment. The existence of
this stack relative base register, in conjunction with certain addressing modes described in section
2.6.3, is particularly useful for accessing data structures, variables and dynamically allocated work
space within the stack.

Stacks in the 80286 are implemented in memory and are located by the stack segment register (SS)
and the stack pointer register (SP). A system may have an unlimited number of stacks, and a stack
may be up to 64K bytes long, the maximum length of a segment.
One stack is directly addressable at a time; this is the current stack, often referred to simply as "the"
stack. SP contains the current top of the stack (TOS). In other words, SP contains the offset to the top
of the push down stack from the stack segment's base address. Note, however, that the stack's base
address (contained in SS) is not the "bottom" of the stack (figure 2-7).

[Figure: SS locates the STACK SEGMENT BASE ADDRESS and SP locates the LOGICAL TOP OF STACK; the LOGICAL BOTTOM OF STACK is the initial SP value. PUSH-DOWN moves the top of stack toward the base address and POP-UP moves it away.]

Figure 2-7. 80286 Stack

80286 stack entries are 16 bits wide. Instructions operate on the stack by adding and removing stack
items one word at a time. An item is pushed onto the stack (see figure 2-8) by decrementing SP by 2
and writing the item at the new TOS. An item is popped off the stack by copying it from TOS and
then incrementing SP by 2. In other words, the stack grows down in memory toward its base address.
Stack operations never move items on the stack; nor do they erase them. The top of the stack changes
only as a result of updating the stack pointer.
The stack frame base pointer (BP) is often used to access elements on the stack relative to a fixed
point on the stack rather than relative to the current TOS. It typically identifies the base address of
the current stack frame established for the current procedure (figure 2-9). If an index register is used
relative to BP (e.g., base + index addressing mode using BP as the base), the offset will be calculated
automatically in the current stack segment.
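
The push, pop and stack-frame behaviour described above, as an added example in C that is not part of the manual: it replays the PUSH AX, POP AX, POP BX sequence of figure 2-8 and the PROC_N+1 entry and exit sequence of figure 2-9, and shows that a value written to the work space stays in memory below the top of stack after the procedure returns unless it is cleared first. The model, its names, the sample stack contents and the WORK_SPACE size are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORK_SPACE 8              /* bytes of local work space (assumed size) */

/* One 64K-byte stack segment addressed by 16-bit offsets. */
typedef struct {
    uint8_t  mem[0x10000];
    uint16_t sp;                  /* offset of the current top of stack (TOS) */
    uint16_t bp;                  /* stack frame base */
} stack_model;

typedef struct { uint16_t ax, bx, sp, word_at_1056; } fig28_result;

static void write16(stack_model *m, uint16_t off, uint16_t v)
{
    m->mem[off] = (uint8_t)(v & 0xFF);                 /* low byte, lower address */
    m->mem[(uint16_t)(off + 1)] = (uint8_t)(v >> 8);   /* high byte, higher address */
}

static uint16_t read16(const stack_model *m, uint16_t off)
{
    return (uint16_t)(m->mem[off] | (m->mem[(uint16_t)(off + 1)] << 8));
}

/* PUSH: decrement SP by 2, then write the item at the new TOS. */
void push16(stack_model *m, uint16_t v)
{
    m->sp = (uint16_t)(m->sp - 2);
    write16(m, m->sp, v);
}

/* POP: copy the item from TOS, then increment SP by 2. Nothing is erased. */
uint16_t pop16(stack_model *m)
{
    uint16_t v = read16(m, m->sp);
    m->sp = (uint16_t)(m->sp + 2);
    return v;
}

/* Constructed contents: words 0000, 1111, ... 9999 at offsets 1062 down
 * to 1050, with the top of stack at offset 1058. */
void init_sample(stack_model *m)
{
    unsigned i;
    memset(m, 0, sizeof *m);
    for (i = 0; i < 10; i++)
        write16(m, (uint16_t)(0x1062 - 2 * i), (uint16_t)(0x1111 * i));
    m->sp = 0x1058;
    m->bp = 0x1060;
}

fig28_result run_figure_2_8(void)
{
    static stack_model m;
    fig28_result r;
    init_sample(&m);
    push16(&m, 0xAAAA);           /* PUSH AX with AX = AAAA */
    r.ax = pop16(&m);             /* POP AX */
    r.bx = pop16(&m);             /* POP BX */
    r.sp = m.sp;
    r.word_at_1056 = read16(&m, 0x1056);   /* popped word is still in memory */
    return r;
}

/* Runs the frame sequence and returns how many of the 8 words just below
 * TOS still hold `secret` after the procedure has returned. */
unsigned residue_after_call(uint16_t secret, int scrub)
{
    static stack_model m;
    unsigned i, hits = 0;
    init_sample(&m);
    push16(&m, m.bp);                          /* PUSH BP */
    push16(&m, 0x00C1);                        /* PUSH CX (constructed value) */
    m.bp = m.sp;                               /* MOV BP, SP */
    m.sp = (uint16_t)(m.sp - WORK_SPACE);      /* SUB SP, WORK_SPACE */
    write16(&m, (uint16_t)(m.bp - 2), secret); /* body: local word at [BP-2] */
    if (scrub)
        memset(&m.mem[m.sp], 0, WORK_SPACE);   /* clear work space before release */
    m.sp = m.bp;                               /* MOV SP, BP */
    (void)pop16(&m);                           /* POP CX */
    m.bp = pop16(&m);                          /* POP BP */
    for (i = 1; i <= 8; i++)
        if (read16(&m, (uint16_t)(m.sp - 2 * i)) == secret)
            hits++;
    return hits;
}

int main(void)
{
    fig28_result r = run_figure_2_8();
    printf("AX=%04X BX=%04X SP=%04X [1056]=%04X\n", r.ax, r.bx, r.sp, r.word_at_1056);
    printf("stale copies without scrub: %u, with scrub: %u\n",
           residue_after_call(0xBEEF, 0), residue_after_call(0xBEEF, 1));
    return 0;
}
```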
Accessing data structures in data segments is facilitated by the BX register, which has the same function
in addressing operands within data segments that BP does for stack segments. They are called base
registers because they may contain an offset to the base of a data structure. The similar usage of these
two registers is especially important when discussing addressing modes (see section 2.4, "Addressing
Modes").
Operations on data are also facilitated by the SI and DI registers. By specifying an offset relative to
the start of the currently addressable data segment, an index register can be used to address an operand
in the segment. If an index register is used in conjunction with the BX base register (i.e., base + index
addressing) to form an offset address, the data is also assumed to reside in the current data segment.
As a rule, data referenced through an index register or BX is presumed to reside in the current data
segment. That is, if an instruction invokes addressing for one of its operands using either BX, DI, SI,
or BX with SI or DI, the contents of the register(s) (BX, DI, or SI) implicitly specify an offset in the
current data segment. As previously mentioned, data referenced via SP, BP or BP with SI or DI implicitly specify an operand in the current stack segment (refer to table 2-1).

[Figure: three views of the stack segment (offsets 1050 through 1062, with the SS selector and SP offset) for the code sequence PUSH AX, POP AX, POP BX: the existing stack before the push, the stack after PUSH AX (AAAA written at offset 1056), and the stack after POP AX and POP BX.]

Figure 2-8. Stack Operation

BP IS A CONSTANT POINTER TO STACK BASED VARIABLES AND WORK SPACE. ALL REFERENCES
USE BP AND ARE INDEPENDENT OF SP, WHICH MAY VARY DURING A ROUTINE EXECUTION.

PROC_N:
        PUSH AX
        PUSH ARRAY_SIZE
        CALL PROC_N+1

PROC_N+1:
        PUSH BP                 ; save the caller's frame base
        PUSH CX                 ; save registers
        MOV  BP, SP             ; establish this procedure's frame base
        SUB  SP, WORK_SPACE     ; allocate work space on the stack

        "PROCEDURE BODY"

        MOV  SP, BP             ; release the work space
        POP  CX
        POP  BP
        RET

[Figure: from BOTTOM OF STACK toward TOP OF STACK, the PROCEDURE N STACK FRAME (PARAMETERS, RETURN ADDR, REGISTERS, WORK_SPACE) is followed by the PROCEDURE N+1 STACK FRAME (PARAMETERS, RETURN ADDR, REGISTERS, WORK_SPACE), with BP pointing into the current frame. The frames are DYNAMICALLY ALLOCATED ON DEMAND RATHER THAN STATICALLY. The STACK SEGMENT BASE lies beyond the top of stack.]

Figure 2-9. BP Usage as a Stack Frame Base Pointer

Table 2-1. Implied Segment Usage by Index, Pointer, and Base Registers

Register        Implied Segment
SP              SS
BP              SS
BX              DS
SI              DS
DI              DS, ES for String Operations
BP + SI, DI     SS
BX + SI, DI     DS

NOTE:
All implied Segment usage, except SP to SS and DI to ES for String Operations, may be explicitly specified
with a segment override prefix for any of the four segments. The prefix precedes the instruction for which
explicit reference is desired.

There are two exceptions to the rules listed above. The first concerns the operation of certain 80286
string instructions. For the most flexibility, these instructions assume that the DI register addresses
destination strings not in the data segment, but rather in the extra segment (ES register). This allows
movement of strings between different segments. This has led to the descriptive names "source index"
and "destination index." In all cases other than string instructions, however, the SI and DI registers
may be used interchangeably to reference either source or destination operands.
A second more general override capability allows the programmer complete control of which segment
is used for a specific operation. Segment-override prefixes, discussed in section 2.4.3, allow the index
and base registers to address data in any of the four currently addressable segments.

2.3.4 Status and Control Registers
Two status and control registers are of immediate concern to applications programmers: the instruction
pointer and the FLAGS registers.
The instruction pointer register (IP) contains the offset address, relative to the start of the current code
segment, of the next sequential instruction to be executed. Together, the CS:IP registers thus define a
32-bit program-counter. The instruction pointer is not directly visible to the programmer; it is controlled
implicitly, by interrupts, traps, and control-transfer operations.
The FLAGS register encompasses eleven flag fields, mostly one-bit wide, as shown in figure 2-10. Six
of the flags are status flags that record processor status information. The status flags are affected by
the execution of arithmetic and logical instructions. The carry flag is also modifiable with instructions
that will clear, set or complement this flag bit. See Chapters 3 and 4.
The carry flag (CF) generally indicates a carry or borrow out of the most significant bit of an 8- or
16-bit operand after performing an arithmetic operation; this flag is also useful for bit manipulation
operations involving the shift and rotate instructions. The effect on the remaining status flags, when
defined for a particular instruction, is generally as follows: the zero flag (ZF) indicates a zero result
when set; the sign flag (SF) indicates whether the result was negative (SF=1) or positive (SF=0);
when set, the overflow flag (OF) indicates whether an operation results in a carry into the high order
bit of the result but not a carry out of the high-order bit, or vice versa; the parity flag (PF) indicates
whether the modulo 2 sum of the low-order eight bits of the operation is even (PF=0) or odd (PF=1)
parity. The auxiliary carry flag (AF) represents a carry out of or borrow into the least significant 4-bit
digit when performing binary coded decimal (BCD) arithmetic.
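
The status flag definitions above, and the earlier remark in section 2.2 that one addition instruction serves both signed and unsigned values, as an added example in C that is not part of the manual: a 16-bit add that derives CF, ZF, SF, OF and AF exactly as described, so that the flag to test depends on how the operands are interpreted. PF is not modelled, and all names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Result and status flags of a 16-bit addition (illustrative type). */
typedef struct {
    uint16_t result;
    unsigned cf;   /* carry out of the most significant bit */
    unsigned zf;   /* result is zero */
    unsigned sf;   /* high-order bit of the result */
    unsigned of;   /* carry into the high-order bit differs from carry out */
    unsigned af;   /* carry out of the least significant 4-bit digit */
} add_flags;

add_flags add16(uint16_t a, uint16_t b)
{
    add_flags r;
    uint32_t wide = (uint32_t)a + b;
    /* Carry into bit 15 is the carry out of the sum of the low 15 bits. */
    unsigned carry_into_msb =
        (unsigned)((((uint32_t)(a & 0x7FFF) + (uint32_t)(b & 0x7FFF)) >> 15) & 1);

    r.result = (uint16_t)wide;
    r.cf = (unsigned)((wide >> 16) & 1);
    r.zf = (r.result == 0);
    r.sf = (unsigned)((r.result >> 15) & 1);
    r.of = carry_into_msb ^ r.cf;
    r.af = (unsigned)((((a & 0x0F) + (b & 0x0F)) >> 4) & 1);
    return r;
}

/* Unsigned interpretation: the sum does not fit in 16 bits when CF is set. */
int add_overflows_unsigned(uint16_t a, uint16_t b)
{
    return (int)add16(a, b).cf;
}

/* Signed interpretation: the sum does not fit in 16 bits when OF is set. */
int add_overflows_signed(int16_t a, int16_t b)
{
    return (int)add16((uint16_t)a, (uint16_t)b).of;
}

int main(void)
{
    /* Constructed operand pairs: the same bit patterns, judged both ways. */
    static const uint16_t pairs[][2] = {
        { 0x7FFF, 0x0001 }, { 0xFFFF, 0x0001 }, { 0x8000, 0x8000 }, { 30000, 10000 }
    };
    unsigned i;

    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        add_flags f = add16(pairs[i][0], pairs[i][1]);
        printf("%04X + %04X = %04X  CF=%u ZF=%u SF=%u OF=%u AF=%u\n",
               pairs[i][0], pairs[i][1], f.result, f.cf, f.zf, f.sf, f.of, f.af);
    }
    return 0;
}
```

A length or index computed with 16-bit arithmetic should be checked with the flag that matches its type before it is used to size or address a buffer.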

[Figure: layout of the 16-bit FLAGS register.]

Bit     15  14  13-12  11  10  9   8   7   6   5   4   3   2   1   0
Field   -   NT  IOPL   OF  DF  IF  TF  SF  ZF  -   AF  -   PF  -   CF

STATUS FLAGS: CARRY (CF), PARITY (PF), AUXILIARY CARRY (AF), ZERO (ZF), SIGN (SF), OVERFLOW (OF)
CONTROL FLAGS: TRAP FLAG (TF), INTERRUPT ENABLE (IF), DIRECTION FLAG (DF)
SPECIAL FIELDS: I/O PRIVILEGE LEVEL (IOPL), NESTED TASK FLAG (NT)
- = INTEL RESERVED

Figure 2-10. Flags Register

The FLAGS register also contains three control flags that are used, under program control, to direct
certain processor operations. The interrupt-enable flag (IF), if set, enables external interrupts; otherwise, interrupts are disabled. The trap flag (TF), if set, puts the processor into a single-step mode for
debugging purposes where the target program is automatically interrupted to a user supplied debug
routine after the execution of each target program instruction. The direction flag (DF) controls the
forward or backward direction of string operations: 0 = forward or auto-increment the address register(s) (SI, DI or SI and DI), 1 = backward or auto-decrement the address register(s) (SI, DI or SI
and DI).

In general, the interrupt enable flag may be set or reset with special instructions (STI = set,
CLI = clear) or by placing the flags on the stack, modifying the stack, and returning the flag image
from the stack to the flag register. If operating in Protected Mode, the ability to alter the IF bit is
subject to protection checks to prevent non-privileged programs from affecting the interrupt state of
the CPU. This applies to both instruction and stack options for modifying the IF bit.

The TF flag may only be modified by copying the flag register to the stack, setting the TF bit in the
stack image, and returning the modified stack image to the flag register. The trap interrupt occurs on
completion of the next instruction. Entry to the single step routine saves the flag register on the stack
with the TF bit set, and resets the TF bit in the register. After completion of the single step routine,
the TF bit is automatically set on return to the program being single stepped to interrupt the program
again after completion of the next instruction. Use of TF is not inhibited by the protection mechanism
in Protected Mode.


The DF flag, like the IF flag, is controlled by instructions (CLD = clear, STD = set) or flag register
modification through the stack. Typically, routines that use string instructions will save the flags on
the stack, modify DF as necessary via the instructions provided, and restore DF to its original state by
restoring the Flag register from the stack before returning. Access or control of the DF flag is not
inhibited by the protection mechanism in Protected Mode.
The Special Fields bits are only relevant in Protected Mode. Real Address Mode programs should treat
these bits as don't-care's, making no assumption about their status. Attempts to modify the IOPL and
NT fields are subject to protection checking in Protected Mode. In general, the application's programmer will not be able to and should not attempt to modify these bits. (See section 10.3, "Privileged and
Trusted Instructions" for more details.)

2.4 ADDRESSING MODES
The information encoded in an 80286 instruction includes a specification of the operation to be
performed, the type of the operands to be manipulated, and the location of these operands. If an operand
is located in memory, the instruction must also select, explicitly or implicitly, which of the currently
addressable segments contains the operand. This section covers the operand addressing mechanisms;
80286 operators are discussed in Chapter 3.
The five elements of a general instruction are briefly described below. The exact format of 80286
instructions is specified in Appendix B.
• The opcode is present in all instructions; in fact, it is the only required element. Its principal
function is the specification of the operation performed by the instruction.
• A register specifier.
• The addressing mode specifier, when present, is used to specify the addressing mode of an operand
for referencing data or performing indirect calls or jumps.
• The displacement, when present, is used to compute the effective address of an operand in memory.
• The immediate operand, when present, directly specifies one operand of the instruction.
Of the four elements, only one, the opcode, is always present. The other elements may or may not be
present, depending on the particular operation involved and on the location and type of the operands.

2.4.1 Operands
Generally speaking, an instruction is an operation performed on zero, one, or two operands, which are
the data manipulated by the instruction. An operand can be located either in a register (AX, BX, CX,
DX, SI, DI, SP, or BP in the case of 16-bit operands; AH, AL, BH, BL, CH, CL, DH, or DL in the
case of 8-bit operands; the FLAG register for flag operations), in the instruction itself (as an immediate
operand), or in memory or an I/O port. Immediate operands and operands in registers can be accessed
more rapidly than operands in memory since memory operands must be fetched from memory while
immediate and register operands are available in the processor.
An 80286 instruction can reference zero, one, or two operands. The three forms are as follows:
• Zero-operand instructions, such as RET, NOP, and HLT. Consult Appendix B.
• One-operand instructions, such as INC or DEC. The location of the single operand can be specified
implicitly, as in AAM (where the register AX contains the operand), or explicitly, as in INC
(where the operand can be in any register or memory location). Explicitly specified operands are
accessed via one of the addressing modes described in section 2.4.2.
• Two-operand instructions such as MOV, ADD, XOR, etc., generally overwrite one of the two
participating operands with the result. A distinction can thus be made between the source operand
(the one left unaffected by the operation) and the destination operand (the one overwritten by the
result). Like one-operand instructions, two-operand instructions can specify the location of operands
either explicitly or implicitly. If an instruction contains two explicitly specified operands, only one
of them, either the source or the destination, can be in a register or memory location. The other
operand must be in a register or be an immediate source operand. Special cases of two-operand
instructions are the string instructions and stack manipulation. Both operands of some string
instructions are in memory and are explicitly specified. Push and pop stack operations allow transfer
between memory operands and the memory based stack.
Thus, the two-operand instructions of the 80286 permit operations of the following sort:
Register-to-register
Register-to-memory
Memory-to-register
Immediate-to-register
Immediate-to-memory
Memory-to-memory
Instructions can specify the location of their operands by means of eight addressing modes, which are
described in sections 2.4.2 and 2.4.3.

2.4.2 Register and Immediate Modes
Two addressing modes are used to reference operands contained in registers and instructions:
• Register Operand Mode. The operand is located in one of the 16-bit registers (AX, BX, CX, DX,
SI, DI, SP, or BP) or in one of the 8-bit general registers (AH, BH, CH, DH, AL, BL, CL, or
DL).
Special instructions are also included for referencing the CS, DS, ES, SS, and Flag registers as
operands.
• Immediate Operand Mode. The operand is part of the instruction itself (the immediate operand
element).

2.4.3 Memory Addressing Modes
Six modes are used to access operands in memory. Memory operands are accessed by means of a
pointer consisting of a segment selector (see section 2.3.2) and an offset, which specifies the operand's
displacement in bytes from the beginning of the segment in which it resides. Both the segment selector
component and the offset component are 16-bit values. (See section 2.1 for a discussion of segmentation.) Only some instructions use a full 32-bit address.


Most memory references do not require the instruction to specify a full 32-bit pointer address. Operands
that are located within one of the currently addressable segments, as determined by the four segment
registers (see section 2.3.2, "Segment Registers"), can be referenced very efficiently simply by means
of the 16-bit offset. This form of address is called a short address. The choice of segment (CS, DS,
ES, or SS) is either implicit within the instruction itself or explicitly specified by means of a segment
override prefix (see below).
See figure 2-11 for a diagram of the addressing process.
2.4.3.1 SEGMENT SELECTION

All instructions that address operands in memory must specify the segment and the offset. For speed
and compact instruction encoding, segment selectors are usually stored in the high speed segment
registers. An instruction need specify only the desired segment register and an offset in order to address
a memory operand.
Most instructions need not explicitly specify which segment register is used. The correct segment register is automatically chosen according to the rules of table 2-1 and table 2-2. These rules follow the way
programs are written (see figure 2-12) as independent modules that require areas for code and data, a
stack, and access to external data areas.
There is a close connection between the type of memory reference and the segment in which that
operand resides (see the next section for a discussion of how memory addressing mode calculations are
performed). As a rule, a memory reference implies the current data segment (i.e., the implicit segment
selector is in DS) unless the BP register is involved in the address specification, in which case the
current stack segment is implied (i.e., SS contains the selector).

Figure 2-11. Two-Component Address (diagram: a 32-bit POINTER made of a SEGMENT component in bits 31-16 and an OFFSET component in bits 15-0; the segment component selects a segment in memory and the offset selects the operand within it)

Table 2-2. Segment Register Selection Rules

Memory Reference Needed   Segment Register Used   Implicit Segment Selection Rule
Instructions              Code (CS)               Automatic with instruction prefetch.
Stack                     Stack (SS)              All stack pushes and pops. Any memory reference which uses BP as a base register.
Local Data                Data (DS)               All data references except when relative to stack or string destination.
External (Global) Data    Extra (ES)              Alternate data segment and destination of string operation.

The 80286 instruction set defines special instruction prefix elements (see Appendix B). One of these is
SEG, the segment-override prefix. Segment-override prefixes allow an explicit segment selection. Only
in two special cases-namely, the use of DI to reference destination strings in the ES segment, and the
use of SP to reference stack locations in the SS segment-is there an implied segment selection which
cannot be overridden. The format of segment override prefixes is shown in Appendix B.
2.4.3.2 OFFSET COMPUTATION

The offset within the desired segment is calculated in accordance with the desired addressing mode.
The offset is calculated by taking the sum of up to three components:
• the displacement element in the instruction
• the base (contents of BX or BP, a base register)
• the index (contents of SI or DI, an index register)

Each of the three components of an offset may be either a positive or negative value. Offsets are
calculated modulo 2^16.
The six memory addressing modes are generated using various combinations of these three components. The six modes are used for accessing different types of data stored in memory:
addressing mode                    offset calculation
direct address                     displacement alone
register indirect                  base or index alone
based                              base + displacement
indexed                            index + displacement
based indexed                      base + index
based indexed with displacement    base + index + disp

In all six modes, the operand is located at the specified offset within the selected segment. All displacements, except direct address mode, are optionally 8- or 16-bit values. 8-bit displacements are automatically sign-extended to 16 bits. The six addressing modes are described and demonstrated in the following
section on memory addressing modes.

Figure 2-12. Use of Memory Segmentation (diagram: the CPU's CODE, DATA, STACK and EXTRA segment registers select areas of MEMORY that hold the code and data of MODULE A and MODULE B, the PROCESS STACK, and PROCESS DATA BLOCK 1 and BLOCK 2)

2.4.3.3 MEMORY MODE

Two modes are used for simple scalar operands located in memory:
• Direct Address Mode. The offset of the operand is contained in the instruction as the displacement
element. The offset is a 16-bit quantity.
• Register Indirect Mode. The offset of the operand is in one of the registers SI, DI, or BX. (BP is
excluded; if BP is used as a stack frame base, it requires an index or displacement component to
reference either parameters passed on the stack or temporary variables allocated on the stack. The
instruction level bit encoding for the BP only address mode is used to specify Direct Address
mode. See Chapter 12 for more details.)

The following four modes are used for accessing complex data structures in memory (see
figure 2-13):
• Based Mode. The operand is located within the selected segment at an offset computed as the
sum of the displacement and the contents of a base register (BX or BP). Based mode is often used
to access the same field in different copies of a structure (often called a record). The base register
points to the base of the structure (hence the term "base" register), and the displacement selects
a particular field. Corresponding fields within a collection of structures can be accessed simply by
changing the base register. (See figure 2-13, example 1.)
• Indexed Mode. The operand is located within the selected segment at an offset computed as the
sum of the displacement and the contents of an index register (SI or DI). Indexed mode is often
used to access elements in a static array (e.g., an array whose starting location is fixed at translation
time). The displacement locates the beginning of the array, and the value of the index register
selects one element. Since all array elements are the same length, simple arithmetic on the index
register will select any element. (See figure 2-13, example 2.)
• Based Indexed Mode. The operand is located within the selected segment at an offset computed
as the sum of the base register's contents and an index register's contents. Based Indexed mode is
often used to access elements of a dynamic array (i.e., an array whose base address can change
during execution). The base register points to the base of the array, and the value of the index
register is used to select one element. (See figure 2-13, example 3.)
• Based Indexed Mode with Displacement. The operand is located within the selected segment at an
offset computed as the sum of a base register's contents, an index register's contents, and the
displacement. This mode is often used to access elements of an array within a structure. For
example, the structure could be an activation record (i.e., a region of the stack containing the
register contents, parameters, and variables associated with one instance of a procedure); and one
variable could be an array. The base register points to the start of the activation record, the
displacement expresses the distance from the start of the record to the beginning of the array
variable, and the index register selects a particular element of the array. (See figure 2-13,
example 4.)

Table 2-3 gives a summary of all memory operand addressing options.
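The offset arithmetic of sections 2.4.3.1 to 2.4.3.3 as an added C example (not code from the manual): it classifies an operand into one of the six modes, computes the offset modulo 2^16 with sign extension of an 8-bit displacement, picks the implied segment register, and flags the word reference at offset FFFF(H) that table 2-4 lists as a segment overrun. The type and function names are assumptions made for this sketch, and string destinations (ES) and segment-override prefixes are left out.

```c
#include <stdint.h>
#include <stdio.h>

/* All type and function names below are illustrative, not Intel's. */
enum base_reg  { BASE_NONE, BASE_BX, BASE_BP };
enum index_reg { INDEX_NONE, INDEX_SI, INDEX_DI };
enum disp_size { DISP_NONE, DISP_8, DISP_16 };
enum seg_reg   { SEG_DS, SEG_SS };
enum addr_mode { MODE_INVALID, MODE_DIRECT, MODE_REG_INDIRECT, MODE_BASED,
                 MODE_INDEXED, MODE_BASED_INDEXED, MODE_BASED_INDEXED_DISP };

struct regs { uint16_t bx, bp, si, di; };

/* Decoded memory operand: which components take part in the offset. */
struct mem_operand {
    enum base_reg  base;
    enum index_reg index;
    enum disp_size dsize;
    uint16_t       disp;   /* raw displacement field; low byte only for DISP_8 */
};

/* Map the component combination onto the six modes of section 2.4.3.2. */
enum addr_mode classify(const struct mem_operand *m)
{
    int has_base  = m->base  != BASE_NONE;
    int has_index = m->index != INDEX_NONE;
    int has_disp  = m->dsize != DISP_NONE;

    if (!has_base && !has_index)       /* direct address: 16-bit displacement alone */
        return m->dsize == DISP_16 ? MODE_DIRECT : MODE_INVALID;
    if (has_base && has_index)
        return has_disp ? MODE_BASED_INDEXED_DISP : MODE_BASED_INDEXED;
    if (!has_disp)                     /* BX, SI or DI alone; BP alone is excluded */
        return m->base == BASE_BP ? MODE_INVALID : MODE_REG_INDIRECT;
    return has_base ? MODE_BASED : MODE_INDEXED;
}

/* Sum of up to three components, calculated modulo 2^16. */
uint16_t effective_offset(const struct regs *r, const struct mem_operand *m)
{
    uint16_t base = 0, index = 0, disp = 0;

    if (m->base == BASE_BX) base = r->bx;
    if (m->base == BASE_BP) base = r->bp;
    if (m->index == INDEX_SI) index = r->si;
    if (m->index == INDEX_DI) index = r->di;
    if (m->dsize == DISP_16) disp = m->disp;
    if (m->dsize == DISP_8) {
        disp = (uint16_t)(m->disp & 0x00FF);
        if (disp & 0x0080)             /* 8-bit displacements are sign-extended */
            disp |= 0xFF00;
    }
    return (uint16_t)(base + index + disp);   /* truncation gives the wraparound */
}

/* DS is implied unless BP takes part in the address, which implies SS. */
enum seg_reg default_segment(const struct mem_operand *m)
{
    return m->base == BASE_BP ? SEG_SS : SEG_DS;
}

/* A word at offset FFFF(H) would extend past the end of the segment. */
int word_access_overruns(uint16_t offset)
{
    return offset == 0xFFFF;
}

int main(void)
{
    /* Constructed register values for the demonstration. */
    struct regs r = { .bx = 0xFFF0, .bp = 0x0010, .si = 0x0020, .di = 0x0000 };
    struct mem_operand local = { BASE_BP, INDEX_NONE, DISP_8, 0x00FE };  /* [BP - 2] */
    struct mem_operand elem  = { BASE_BX, INDEX_SI, DISP_NONE, 0 };      /* [BX][SI] */
    struct mem_operand edge  = { BASE_BX, INDEX_NONE, DISP_NONE, 0 };    /* [BX] */

    printf("[BP-2]   mode=%d seg=%s offset=%04X\n", (int)classify(&local),
           default_segment(&local) == SEG_SS ? "SS" : "DS",
           (unsigned)effective_offset(&r, &local));
    printf("[BX][SI] mode=%d seg=%s offset=%04X\n", (int)classify(&elem),
           default_segment(&elem) == SEG_SS ? "SS" : "DS",
           (unsigned)effective_offset(&r, &elem));

    r.bx = 0xFFFF;
    printf("[BX]     offset=%04X word overrun=%d\n",
           (unsigned)effective_offset(&r, &edge),
           word_access_overruns(effective_offset(&r, &edge)));
    return 0;
}
```

The [BX][SI] case shows why a bounds check must be made on the wrapped 16-bit offset rather than on the unwrapped sum of the components.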

2.5 INPUT/OUTPUT
The 80286 allows input/output to be performed in either of two ways: by means of a separate I/O
address space (using specific I/O instructions) or by means of memory-mapped I/O (using general-purpose operand manipulation instructions).

Table 2-3. Memory Operand Addressing Modes

Addressing Mode                 Offset Calculation
Direct                          16-bit Displacement in the instruction
Register Indirect               BX, SI, DI
Based                           (BX or BP) + Displacement*
Indexed                         (SI or DI) + Displacement*
Based Indexed                   (BX or BP) + (SI or DI)
Based Indexed + Displacement    (BX or BP) + (SI or DI) + Displacement*

* The displacement can be a 0, 8 or 16-bit value.

Figure 2-13. Complex Addressing Modes (diagram: in each panel the DISPL, BASE and INDEX components that apply are summed and added to the SEGMENT to locate the OPERAND)

1. BASED MODE
   MOV AX, [BP + DATE-CODE]
   ADD [BX + BALANCE], CX
2. INDEXED MODE (fixed array)
   MOV ID[SI], DX
   SUB BX, DATA_TBL[SI]
3. BASED INDEXED (based array)
   MOV DX, [BP][DI]
   AND [BX + SI], 3FFH
4. BASED INDEXED MODE WITH DISPLACEMENT (based structure containing array)
   MOV CX, [BP][SI + CNT]
   SHR [BX + DI + MASK]

2.5.1 I/O Address Space
The 80286 provides a separate I/O address space, distinct from physical memory, to address the input/
output ports that are used for external devices. The I/O address space consists of 2^16 (64K) individually
addressable 8-bit ports. Any two consecutive 8-bit ports can be treated as a 16-bit port. Thus, the I/O
address space can accommodate up to 64K 8-bit ports or up to 32K 16-bit ports. I/O port addresses
00F8H to 00FFH are reserved by Intel.
The 80286 can transfer either 8 or 16 bits at a time to a device located in the I/O space. Like words
in memory, 16-bit ports should be aligned at even-numbered addresses so that the 16 bits will be
transferred in a single access. An 8-bit port may be located at either an even or odd address. The
internal registers in a given peripheral controller device should be assigned addresses as shown below.

Port Register                                    Port Addresses        Example
16-bit                                           even word addresses   OUT FE,AX
8-bit; device on lower half of 16-bit data bus   even byte addresses   IN  AL,FE
8-bit; device on upper half of 16-bit data bus   odd byte addresses    OUT FF,AL

The I/O instructions IN and OUT (described in section 3.11.3) are provided to move data between
I/O ports and the AX (16-bit I/O) or AL (8-bit I/O) general registers. The block I/O instructions
INS and OUTS (described in section 4.1) move blocks of data between I/O ports and memory space
(as shown below). In Protected Mode, an operating system may prevent a program from executing
these I/O instructions. Otherwise, the function of the I/O instructions and the structure of the I/O
space are identical for both modes of operation.

INS  es:byte ptr [di], DX
OUTS DX, byte ptr [si]

IN and OUT instructions address I/O with either a direct address to one of up to 256 port addresses,
or indirectly via the DX register to one of up to 64K port addresses. Block I/O uses the DX register
to specify the I/O address and either SI or DI to designate the source or destination memory address.
For each transfer, SI or DI are either incremented or decremented as specified by the direction bit in
the flag word while DX is constant to select the I/O device.

2.5.2 Memory-Mapped I/O
I/O devices also may be placed in the 80286 memory address space. So long as the devices respond
like memory components, they are indistinguishable to the processor.
Memory-mapped I/O provides additional programming flexibility. Any instruction that references
memory may be used to access an I/O port located in the memory space. For example, the MOV
instruction can transfer data between any register and a port; and the AND, OR, and TEST instructions
may be used to manipulate bits in the internal registers of a device (see figure 2-14). Memory-mapped
I/O performed via the full instruction set maintains the full complement of addressing modes
for selecting the desired I/O device.
Memory-mapped I/O, like any other memory reference, is subject to access protection and control
when executing in protected mode.

Figure 2-14. Memory-Mapped I/O (diagram: the internal registers of I/O DEVICE 1 and I/O DEVICE 2 appear as locations in the MEMORY ADDRESS SPACE)

2.6 INTERRUPTS AND EXCEPTIONS
The 80286 architecture supports several mechanisms for interrupting program execution. Internal
interrupts are synchronous events that are the responses of the CPU to certain events detected during
the execution of an instruction. External interrupts are asynchronous events typically triggered by
external devices needing attention. The 80286 supports both maskable (controlled by the IF flag) and
non-maskable interrupts. They cause the processor to temporarily suspend its present program execution in order to service the requesting device. The major distinction between these two kinds of interrupts is their origin; an internal interrupt is always reproducible by re-executing with the program and
data that caused the interrupt, whereas an external interrupt is generally independent of the currently
executing task.
Interrupts 0-31 are reserved by Intel.
Application programmers will normally not be concerned with servicing external interrupts. More
information on external interrupts for system programmers may be found in Chapter 5, section 5.2,
"Interrupt Handling for Real Address Mode," and in Chapter 9, "Interrupts, Traps and Faults for
Protected Virtual Address Mode."
In Real Address Mode, the application programmer is affected by two kinds of internal interrupts.
(Internal interrupts are the result of executing an instruction which causes the interrupt.) One type of
interrupt is called an exception because the interrupt only occurs if a particular fault condition exists.
The other type of interrupt generates the interrupt every time the instruction is executed.


The exceptions are: divide error, INTO detected overflow, bounds check, segment overrun, invalid
operation code, and processor extension error (see table 2-4). A divide error exception results when
the instructions DIV or IDIV are executed with a zero denominator; otherwise, the quotient will be too
large for the destination operand (see section 3.3.4 for a discussion of DIV and IDIV). An overflow
exception results when the INTO instruction is executed and the OF flag is set (after an arithmetic
operation that set the overflow (OF) flag). (See section 3.6.3, "Software Generated Interrupts," for a
discussion of INTO.) A bounds check exception results when the BOUND instruction is executed and
the array index it checks falls outside the bounds of the array. (See section 4.2 for a discussion of the
BOUND instruction.) The segment overrun exception occurs when a word memory reference is
attempted which extends beyond the end of a segment. An invalid operation code exception occurs if
an attempt is made to execute an undefined instruction operation code. A processor extension error is
generated when a processor extension detects an illegal operation. Refer to Chapter 5 for a more complete
description of these exception conditions.
The instruction INT generates an internal interrupt whenever it is executed. The effects of this interrupt (and the effects of all interrupts) are determined by the interrupt handler routines provided by the
application program or as part of the system software (provided by system programmers). See
Chapter 5 for more on this topic. The INT instruction itself is discussed in section 3.6.3.
In Protected Mode, many more fault conditions are detected and result in internal interrupts. Protected
Mode interrupts and faults are discussed in Chapter 9.

2.7 HIERARCHY OF INSTRUCTION SETS
For descriptive purposes, the 80286 instruction set is partitioned into three distinct subsets: the Basic
Instruction Set, the Extended Instruction Set, and the System Control Instruction Set. The "hierarchy" of instruction sets defined by this partitioning helps to clarify the relationships between the various
processors in the 8086 family (see figure 2-15).
The Basic Instruction Set, presented in Chapter 3, comprises the common subset of instructions found
on all processors of the 8086 family. Included are instructions for logical and arithmetic operations,
data movement, input/output, string manipulation, and transfer of control.
The Extended Instruction Set, presented in Chapter 4, consists of those instructions found only on the
80186, 80188, and 80286 processors. Included are instructions for block structured procedure entry
and exit, parameter validation, and block I/O transfers.
The System Control Instruction Set, presented in Chapter 10, consists of those instructions unique to
the 80286. These instructions control the memory management and protection mechanisms of the 80286.

Table 2-4. 80286 Interrupt Vector Assignments (Real Address Mode)

Function                                        Interrupt   Related Instructions                  Return Address Before
                                                Number                                            Instruction Causing Exception?
Divide error exception                          0           DIV, IDIV                             Yes
Single step interrupt                           1           All
NMI interrupt                                   2           All
Breakpoint interrupt                            3           INT
INTO detected overflow exception                4           INTO                                  No
BOUND range exceeded exception                  5           BOUND                                 Yes
Invalid opcode exception                        6           Any undefined opcode                  Yes
Processor extension not available exception     7           ESC or WAIT                           Yes
Interrupt table limit too small exception       8           INT vector is not within table limit  Yes
Processor extension segment overrun interrupt   9           ESC with memory operand extending     No
                                                            beyond offset FFFF(H)
Reserved                                        10-12
Segment overrun exception                       13          Word memory reference with            Yes
                                                            offset = FFFF(H) or an attempt to
                                                            execute past the end of a segment
Reserved                                        14, 15
Processor extension error interrupt             16          ESC or WAIT
Reserved                                        17-31
User defined                                    32-255

Figure 2-15. Hierarchy of Instructions (diagram: nested regions labelled BASIC INSTRUCTION SET, EXTENDED INSTRUCTION SET and SYSTEM CONTROL INSTRUCTION SET, marked with the processors 80186, 80188 and 80286)

CHAPTER 3
BASIC INSTRUCTION SET

The base architecture of the 80286 is identical to the complete instruction set of the 8086, 8088,
80188, and 80186 processors. The 80286 instruction set includes new forms of some instructions. These
new forms reduce program size and improve the performance and ease of implementation of source
code.
This chapter describes the instructions which programmers can use to write application software for
the 80286. The following chapters describe the operation of more complicated I/O and system control
instructions.
All instructions described in this chapter are available for both Real Address Mode and Protected
Virtual Address Mode operation. The instruction descriptions note any differences that exist between
the operation of an instruction in these two modes.
This chapter also describes the operation of each application program-relative instruction and includes
an example of using the instruction. The Instruction Dictionary in Appendix B contains formal descriptions of all instructions. Any opcode pattern that is not described in the Instruction Dictionary is
undefined and results in an opcode violation trap (interrupt 6).

3.1 DATA MOVEMENT INSTRUCTIONS
These instructions provide convenient methods for moving bytes or words of data between memory and
the registers of the base architecture.

3.1.1 General-Purpose Data Movement Instructions
MOV (Move) transfers a byte or a word from the source operand to the destination operand. The MOV
instruction is useful for transferring data to a register from memory, to memory from a register, between
registers, immediate-to-register, or immediate-to-memory. Memory-to-memory or segment register-to-segment register moves are not allowed.

Example:

MOV DS,AX. Replaces the contents of register DS with the contents of register AX.

XCHG (Exchange) swaps the contents of two operands. This instruction takes the place of three MOV
instructions. It does not require a temporary memory location to save the contents of one operand while
you load the other.

The XCHG instruction can swap two byte operands or two word operands, but not a byte for a word
or a word for a byte. The operands for the XCHG instruction may be two register operands, or a
register operand with a memory operand. When used with a memory operand, XCHG automatically
activates the LOCK signal.
Example:

XCHG BX,WORDOPRND. Swaps the contents of register BX with the contents of the
memory word identified by the label WORDOPRND after asserting bus lock.


3.1.2 Stack Manipulation Instructions
PUSH (Push) decrements the stack pointer (SP) by two and then transfers a word from the source
operand to the top of stack indicated by SP. See figure 3-1. PUSH is often used to place parameters
on the stack before calling a procedure; it is also the basic means of storing temporary variables on the
stack. The PUSH instruction operates on memory operands, immediate operands (new with the 80286),
and register operands (including segment registers).

Example:

PUSH WORDOPRND. Transfers a 16-bit value from the memory word identified by the
label WORDOPRND to the memory location which represents the current top of stack
(byte transfers are not allowed).

PUSHA (Push All Registers) saves the contents of the eight general registers on the stack. See
figure 3-2. This instruction simplifies procedure calls by reducing the number of instructions required
to retain the contents of the general registers for use in a procedure. PUSHA is complemented by
POPA (see below).

The processor pushes the general registers on the stack in the following order: AX, CX, DX, BX, the
initial value of SP before AX was pushed, BP, SI, and DI.

Example:

PUSHA. Pushes onto the stack the contents of the eight general registers.

Figure 3-1. PUSH (diagram: the stack BEFORE and AFTER PUSH OPERAND, from HIGH ADDRESS at the SS LIMIT down to LOW ADDRESS; SP always points to the last word pushed onto the stack (TOS), and SS always points to the lowest address used by the stack)
PUSH decrements SP by 2 bytes and places the operand in the stack at the location to which SP points.

Figure 3-2. PUSHA (diagram: the stack BEFORE and AFTER PUSHA)
PUSHA copies the contents of the eight general registers to the stack in the above order. The instruction decrements SP by 16 bytes
(8 words) to point to the last word pushed on the stack.

POP (Pop) transfers the word at the current top of stack (indicated by SP) to the destination operand,
and then increments SP by two to point to the new top of stack. See figure 3-3. POP moves information
from the stack to either a register or memory. The only restriction on POP is that it cannot place a
value in register CS.

Example:

POP BX. Replaces the contents of register BX with the contents of the memory location
at the top of stack.

POPA (Pop All Registers) restores the registers saved on the stack by PUSHA, except that it ignores
the value of SP. See figure 3-4.

Example:

POPA. Pops from the stack the saved contents of the general registers, and restores the
registers (except SP) to their original state.

Figure 3-3. POP (diagram: the stack BEFORE and AFTER POP OPERAND, with SP moving toward HIGH ADDRESS)
POP copies the contents of the stack location before SP to the operand in the instruction. POP then increments SP by 2 bytes
(1 word).

3.2 FLAG OPERATION WITH THE BASIC INSTRUCTION SET
3.2.1 Status Flags
The status flags of the FLAGS register reflect conditions that result from a previous instruction or
instructions. The arithmetic instructions use OF, SF, ZF, AF, PF, and CF.
The SCAS (Scan String), CMPS (Compare String), and LOOP instructions use ZF to signal that their
operations are complete. The base architecture includes instructions to set, clear, and complement CF
before execution of an arithmetic instruction. See figure 3-5 and tables 3-1 and 3-2.

3.2.2 Control Flags
The control flags of the FLAGS register determine processor operations for string instructions, maskable interrupts, and debugging.

Figure 3-4. POPA (diagram: the stack BEFORE and AFTER POPA, holding the saved AX, CX, DX, BX, SP, BP, SI and DI above the operands from previous PUSH instructions)
POPA copies the contents of seven stack locations to the corresponding general registers. POPA discards the stored value of SP.

Setting DF (direction flag) causes string instructions to auto-decrement; that is, to process strings from
high addresses to low addresses, or from "right-to-left." Clearing DF causes string instructions to auto-increment, or to process strings from "left-to-right."
Setting IF (interrupt flag) allows the CPU to recognize external (maskable) interrupt requests. Clearing IF disables these interrupts. IF has no effect on either internally generated interrupts, nonmaskable
external interrupts, or processor extension segment overrun interrupts.
Setting TF (trap flag) puts the processor into single-step mode for debugging. In this mode, the CPU
automatically generates an internal interrupt after each instruction, allowing a program to be inspected
as it executes each instruction, instruction by instruction.

3.3 ARITHMETIC INSTRUCTIONS
The arithmetic instructions of the 8086-family processors simplify the manipulation of numerical data.
Multiplication and division instructions ease the handling of signed and unsigned binary integers as
well as unpacked decimal integers.

Figure 3-5. Flag Word Contents (diagram of the 16-bit FLAGS word)
STATUS FLAGS: CARRY (CF, bit 0), PARITY (PF, bit 2), AUXILIARY CARRY (AF, bit 4), ZERO (ZF, bit 6), SIGN (SF, bit 7), OVERFLOW (OF, bit 11)
CONTROL FLAGS: TRAP FLAG (TF, bit 8), INTERRUPT ENABLE (IF, bit 9), DIRECTION FLAG (DF, bit 10)
SPECIAL FIELDS: I/O PRIVILEGE LEVEL (IOPL, bits 12-13), NESTED TASK FLAG (NT, bit 14)
The remaining bits are INTEL RESERVED.

Table 3-1. Status Flags' Functions

Bit Position   Name   Function
0              CF     Carry Flag: Set on high-order bit carry or borrow; cleared otherwise.
2              PF     Parity Flag: Set if low-order eight bits of result contain an even number of 1 bits; cleared otherwise.
4              AF     Set on carry from or borrow to the low order four bits of AL; cleared otherwise.
6              ZF     Zero Flag: Set if result is zero; cleared otherwise.
7              SF     Sign Flag: Set equal to high-order bit of result (0 if positive, 1 if negative).
11             OF     Overflow Flag: Set if result is too-large a positive number or too-small a negative number
                      (excluding sign-bit) to fit in destination operand; cleared otherwise.

Table 3-2. Control Flags' Functions

Bit Position   Name   Function
8              TF     Trap (Single Step) Flag: Once set, a single step interrupt occurs after the next instruction
                      executes. TF is cleared by the single step interrupt.
9              IF     Interrupt-enable Flag: When set, maskable interrupts will cause the CPU to transfer control
                      to an interrupt vector-specified location.
10             DF     Direction Flag: Causes string instructions to auto decrement the appropriate index registers
                      when set. Clearing DF causes auto increment.

An arithmetic operation may consist of two register operands, a general register source operand with a
memory destination operand, a memory source operand with a register destination operand, or an
immediate field with either a register or memory destination operand, but not two memory operands.
Arithmetic instructions can operate on either byte or word operands.

3.3.1 Addition Instructions
ADD (Add Integers) replaces the destination operand with the sum of the source and destination
operands. ADD affects OF, SF, AF, PF, CF, and ZF.

Example:

ADD BL, BYTEOPRND. Adds the contents of the memory byte labeled BYTEOPRND
to the contents of BL, and replaces BL with the resulting sum.

ADC (Add Integers with Carry) sums the operands, adds one if CF is set, and replaces the destination
operand with the result. ADC can be used to add numbers longer than 16 bits. ADC affects OF, SF,
AF, PF, CF, and ZF.

Example: ADC BX, CX. Replaces the contents of the destination operand BX with the sum of BX,
CX, and 1 (if CF is set). If CF is cleared, ADC performs the same operation as the ADD
instruction.
INC (Increment) adds one to the destination operand. The processor treats the operand as an unsigned
binary number. INC updates AF, OF, PF, SF, and ZF, but it does not affect CF. Use ADD with an
immediate value of 1 if an increment that updates carry (CF) is needed.

Example: INC BL. Adds 1 to the contents of BL.

3.3.2 Subtraction Instructions
SUB (Subtract Integers) subtracts the source operand from the destination operand and replaces the
destination operand with the result. If a borrow is required, carry flag is set. The operands may be
signed or unsigned bytes or words. SUB affects OF, SF, ZF, AF, PF, and CF.


Example:

SUB WORDOPRND, AX. Replaces the contents of the destination operand
WORDOPRND with the result obtained by subtracting the contents of AX from the
contents of the memory word labeled WORDOPRND.

SBB (Subtract Integers with Borrow) subtracts the source operand from the destination operand,
subtracts 1 if CF is set, and returns the result to the destination operand. The operands may be signed
or unsigned bytes or words. SBB may be used to subtract numbers longer than 16 bits. This instruction
affects OF, SF, ZF, AF, PF, and CF. The carry flag is set if a borrow is required.
Example:

SBB BL, 32. Subtracts 32 from the contents of BL and then decrements the result of this
subtraction by one if CF is set. If CF is cleared, SBB performs the same operation as SUB.

DEC (Decrement) subtracts 1 from the destination operand. DEC updates AF, OF, PF, SF, and ZF,
but it does not affect CF. Use SUB with an immediate value of 1 to perform a decrement that affects
carry.
Example:

DEC BX. Subtracts 1 from the contents of BX and places the result back in BX.
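
The flag rules of Table 3-1 and the ADD, ADC, SUB, SBB and INC descriptions above, modeled in C as an added example (not code from the manual). The type and function names are hypothetical and the model covers word operands only. It shows that CF and OF report different conditions (unsigned versus signed range) and how ADD followed by ADC carries a 32-bit addition across two words.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag masks at the bit positions listed in Table 3-1. */
enum { CF = 1 << 0, PF = 1 << 2, AF = 1 << 4,
       ZF = 1 << 6, SF = 1 << 7, OF = 1 << 11 };

typedef struct { uint16_t result; uint16_t flags; } alu16_t;   /* hypothetical */
typedef struct { uint32_t value; int carry; int overflow; } wide32_t;

/* ZF, SF, PF and AF follow from the operands and the 16-bit result alone. */
static uint16_t result_flags(uint16_t dst, uint16_t src, uint16_t res)
{
    unsigned f = 0, p = res & 0xFFu;
    if (res == 0) f |= ZF;
    if (res & 0x8000u) f |= SF;
    p ^= p >> 4; p ^= p >> 2; p ^= p >> 1;   /* fold the low byte to one parity bit */
    if ((p & 1u) == 0) f |= PF;              /* even number of 1 bits */
    if ((dst ^ src ^ res) & 0x10) f |= AF;   /* carry or borrow across bit 3 */
    return (uint16_t)f;
}

/* ADD when carry_in is 0, ADC when carry_in is the current CF. */
alu16_t adc16(uint16_t dst, uint16_t src, int carry_in)
{
    uint32_t wide = (uint32_t)dst + src + (carry_in ? 1u : 0u);
    alu16_t r;
    r.result = (uint16_t)wide;
    r.flags = result_flags(dst, src, r.result);
    if (wide >> 16) r.flags |= CF;           /* unsigned result did not fit */
    /* Signed overflow: operands share a sign that the result does not. */
    if (~(dst ^ src) & (dst ^ r.result) & 0x8000) r.flags |= OF;
    return r;
}

/* SUB when borrow_in is 0, SBB when borrow_in is the current CF. */
alu16_t sbb16(uint16_t dst, uint16_t src, int borrow_in)
{
    uint32_t wide = (uint32_t)dst - src - (borrow_in ? 1u : 0u);
    alu16_t r;
    r.result = (uint16_t)wide;
    r.flags = result_flags(dst, src, r.result);
    if (wide >> 16) r.flags |= CF;           /* a borrow was required */
    /* Signed overflow: operands differ in sign and the result left dst's sign. */
    if ((dst ^ src) & (dst ^ r.result) & 0x8000) r.flags |= OF;
    return r;
}

/* INC updates AF, OF, PF, SF and ZF but leaves CF as it was. */
alu16_t inc16(uint16_t dst, uint16_t flags_in)
{
    alu16_t r = adc16(dst, 1, 0);
    r.flags = (uint16_t)((r.flags & ~CF) | (flags_in & CF));
    return r;
}

/* 32-bit addition as two word operations: ADD on the low words, ADC on the high. */
wide32_t add32(uint32_t a, uint32_t b)
{
    alu16_t lo = adc16((uint16_t)a, (uint16_t)b, 0);
    alu16_t hi = adc16((uint16_t)(a >> 16), (uint16_t)(b >> 16), lo.flags & CF);
    wide32_t w;
    w.value = ((uint32_t)hi.result << 16) | lo.result;
    w.carry = (hi.flags & CF) != 0;          /* unsigned 32-bit overflow */
    w.overflow = (hi.flags & OF) != 0;       /* signed 32-bit overflow */
    return w;
}

int main(void)
{
    /* Constructed sample operands. */
    alu16_t s = adc16(0x7FFF, 1, 0);
    wide32_t w = add32(0xFFFFFFFFu, 1);
    printf("7FFF+1 = %04X OF=%d CF=%d\n", s.result,
           (s.flags & OF) != 0, (s.flags & CF) != 0);
    printf("FFFFFFFF+1 = %08lX carry=%d overflow=%d\n",
           (unsigned long)w.value, w.carry, w.overflow);
    return 0;
}
```

A bounds check written after an addition has to test the flag that matches the operand's interpretation: CF for unsigned lengths and offsets, OF for signed values.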

3.3.3 Multiplication Instructions
MUL (Unsigned Integer Multiply) performs an unsigned multiplication of the source operand and the
accumulator. If the source is a byte, the processor multiplies it by the contents of AL and returns the
double-length result to AH and AL.
If the source operand is a word, the processor multiplies it by the contents of AX and returns the
double-length result to DX and AX. MUL sets CF and OF to indicate that the upper half of the result
is nonzero; otherwise, they are cleared. This instruction leaves SF, ZF, AF, and PF undefined.

Example:

MUL BX. Replaces the contents of DX and AX with the product of BX and AX. The low-order 16 bits of the result replace the contents of AX; the high-order word goes to DX. The
processor sets CF and OF if the unsigned result is greater than 16 bits.

IMUL (Signed Integer Multiply) performs a signed multiplication operation. IMUL uses AX and DX
in the same way as the MUL instruction, except when used in the immediate form.
The immediate form of IMUL allows the specification of a destination register other than the combination of DX and AX. In this case, the result cannot exceed 16 bits without causing an overflow. If
the immediate operand is a byte, the processor automatically extends it to 16 bits before performing
the multiplication.
The immediate form of IMUL may also be used with unsigned operands because the low 16 bits of a
signed or unsigned multiplication of two 16-bit values will always be the same.
IMUL clears CF and OF to indicate that the upper half of the result is the sign of the lower half. This
instruction leaves SF, ZF, AF, and PF undefined.
Example:

IMUL BL. Replaces the contents of AX with the product of BL and AL. The processor
sets CF and OF if the result is more than 8 bits long.

Example:

IMUL BX, SI, 5. Replaces the contents of BX with the product of the contents of SI and
an immediate value of 5. The processor sets CF and OF if the signed result is longer than
16 bits.


3.3.4 Division Instructions
DIV (Unsigned Integer Divide) performs an unsigned division of the accumulator by the source operand.
If the source operand is a byte, it is divided into the double-length dividend assumed to be in registers
AL and AH (AH = most significant byte; AL = least significant byte). The single-length quotient is
returned in AL, and the single-length remainder is returned in AH.
If the source operand is a word, it is divided into the double-length dividend in registers AX and DX.
The single-length quotient is returned in AX, and the single-length remainder is returned in DX. Non-integral quotients are truncated to integers toward 0. The remainder is always less than the quotient.
For unsigned byte division, the largest quotient is 255. For unsigned word division, the largest quotient
is 65,535. DIV leaves OF, SF, ZF, AF, PF, and CF undefined. Interrupt (INT 0) occurs if the divisor
is zero or if the quotient is too large for AL or AX.
Example:

DIV BX. Replaces the contents of AX with the unsigned quotient of the doubleword value
contained in DX and AX, divided by BX. The unsigned modulo replaces the contents of
DX.

Example:

DIV BL. Replaces the contents of AL with the unsigned quotient of the word value in AX,
divided by BL. The unsigned modulo replaces the contents of AH.

IDIV (Signed Integer Divide) performs a signed division of the accumulator by the source operand.
IDIV uses the same registers as the DIV instruction.
For signed byte division, the maximum positive quotient is +127 and the minimum negative quotient
is -128. For signed word division, the maximum positive quotient is +32,767 and the minimum negative
quotient is -32,768. Non-integral results are truncated towards 0. The remainder will always have the
same sign as the dividend and will be less than the divisor in magnitude. IDIV leaves OF, SF, ZF, AF,
PF, and CF undefined. A division by zero causes an interrupt (INT 0) to occur if the divisor is 0 or if
the quotient is too large for AL or AX.
Example:

IDIV WORDOPRND. Replaces the contents of AX with the signed quotient of the doubleword value contained in DX and AX, divided by the value contained in the memory word
labeled WORDOPRND. The signed modulo replaces the contents of DX.
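
The INT 0 conditions for word DIV and IDIV described above, modeled in C as an added example (not code from the manual); the type and function names are hypothetical. It returns the quotient and remainder when the operation fits, reports when INT 0 would be raised, and shows how a stale DX (no sign extension of AX, which is what CWD in section 3.4.3 provides) turns a valid signed division into a fault.

```c
#include <stdint.h>
#include <stdio.h>

/* int0 is 1 when the instruction would raise INT 0; AX and DX are then
 * returned unchanged. Hypothetical type for this example. */
typedef struct { int int0; uint16_t ax; uint16_t dx; } divres_t;

/* DIV with a word source: DX:AX / src, quotient to AX, remainder to DX. */
divres_t div16(uint16_t dx, uint16_t ax, uint16_t src)
{
    divres_t r = { 1, ax, dx };
    uint32_t dividend = ((uint32_t)dx << 16) | ax;
    uint32_t q;
    if (src == 0) return r;                   /* divisor is zero */
    q = dividend / src;
    if (q > 0xFFFFu) return r;                /* quotient too large for AX */
    r.int0 = 0;
    r.ax = (uint16_t)q;
    r.dx = (uint16_t)(dividend % src);
    return r;
}

/* IDIV with a word source: signed DX:AX / signed src. C division also
 * truncates toward 0 and gives the remainder the sign of the dividend. */
divres_t idiv16(uint16_t dx, uint16_t ax, uint16_t src)
{
    divres_t r = { 1, ax, dx };
    int32_t dividend = (int32_t)(((uint32_t)dx << 16) | ax);
    int32_t divisor = (int16_t)src;
    int32_t q;
    if (divisor == 0) return r;               /* divisor is zero */
    if (dividend == INT32_MIN && divisor == -1)
        return r;                             /* quotient out of range; also UB in C */
    q = dividend / divisor;
    if (q > 32767 || q < -32768) return r;    /* quotient too large for AX */
    r.int0 = 0;
    r.ax = (uint16_t)q;
    r.dx = (uint16_t)(dividend % divisor);
    return r;
}

/* CWD: extend the sign of AX throughout DX. */
uint16_t cwd(uint16_t ax)
{
    return (ax & 0x8000u) ? 0xFFFFu : 0x0000u;
}

int main(void)
{
    /* Constructed sample: AX holds -32768, divisor is 1. */
    uint16_t ax = 0x8000;
    divres_t stale = idiv16(0x0000, ax, 1);   /* DX left at 0: dividend reads as +32768 */
    divres_t fixed = idiv16(cwd(ax), ax, 1);  /* DX sign-extended first */
    divres_t neg   = idiv16(0xFFFF, 0xFFF9, 2);  /* -7 / 2 */

    printf("stale DX: INT0=%d\n", stale.int0);
    printf("after CWD: INT0=%d AX=%04X\n", fixed.int0, fixed.ax);
    printf("-7/2: AX=%04X DX=%04X\n", neg.ax, neg.dx);
    return 0;
}
```

Code that divides by an externally supplied value needs both checks before the instruction runs: divisor nonzero, and quotient within the destination's range.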

3.4 LOGICAL INSTRUCTIONS
The group of logical instructions includes the Boolean operation instructions, rotate and shift instructions, type conversion instructions, and the no-operation (NOP) instruction.

3.4.1 Boolean Operation Instructions
Except for the NOT and NEG instructions, the Boolean operation instructions can use two register
operands, a general purpose register operand with a memory operand, an immediate operand with a
general purpose register operand, or a memory operand. The NOT and NEG instructions are unary
operations that use a single operand in a register or memory.
AND (And) performs the logical "and" of the operands (byte or word) and returns the result to the
destination operand. AND clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.


Example:

AND WORDOPRND, BX. Replaces the contents of WORDOPRND with the logical
"and" of the contents of the memory word labeled WORDOPRND and the contents of
BX.

NOT (Not) inverts the bits in the specified operand to form a one's complement of the operand. NOT
has no effect on the flags.

Example:

NOT BYTEOPRND. Replaces the original contents of BYTEOPRND with the one's
complement of the contents of the memory word labeled BYTEOPRND.

OR (Or) performs the logical "inclusive or" of the two operands and returns the result to the destination operand. OR clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example:

OR AL,5. Replaces the original contents of AL with the logical "inclusive or" of the contents
of AL and the immediate value 5.

XOR (Exclusive OR) performs the logical "exclusive or" of the two operands and returns the result to
the destination operand. XOR clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example:

XOR DX, WORDOPRND. Replaces the original contents of DX with the logical "exclusive or" of the contents of DX and the contents of the memory word labeled
WORDOPRND.

NEG (Negate) forms a two's complement of a signed byte or word operand. The effect of NEG is to
reverse the sign of the operand from positive to negative or from negative to positive. NEG updates
OF, SF, ZF, AF, PF, and CF.

Example:

NEG AX. Replaces the original contents of AX with the two's complement of the contents
of AX.

3.4.2 Shift and Rotate Instructions
The shift and rotate instructions reposition the bits within the specified operand. The shift instructions
provide a convenient way to accomplish division or multiplication by binary power. The rotate instructions are useful for bit testing.
3.4.2.1 SHIFT INSTRUCTIONS

The bits in bytes and words may be shifted arithmetically or logically. Depending on the value of a
specified count, up to 31 shifts may be performed.
A shift instruction can specify the count in one of three ways. One form of shift instruction implicitly
specifies the count as a single shift. The second form specifies the count as an immediate value. The
third form specifies the count as the value contained in CL. This last form allows the shift count to be
a variable that the program supplies during execution. Only the low order 5 bits of CL are used.
Shift instructions affect the flags as follows. AF is always undefined following a shift operation. PF,
SF, and ZF are updated normally as in the logical instructions.
CF always contains the value of the last bit shifted out of the destination operand. In a single-bit shift,
OF is set if the value of the high-order (sign) bit was changed by the operation. Otherwise, OF is
cleared. Following a multibit shift, however, the content of OF is always undefined.


SAL (Shift Arithmetic Left) shifts the destination byte or word operand left by one or by the number
of bits specified in the count operand (an immediate value or the value contained in CL). The processor
shifts zeros in from the right side of the operand as bits exit from the left side. See figure 3-6.
Example:

SAL BL,2. Shifts the contents of BL left by 2 bits and replaces the two low-order bits with
zeros.

Example:

SAL BL,1. Shifts the contents of BL left by 1 bit and replaces the low-order bit with a
zero. Because the processor does not have to decode the immediate count operand to obtain
the shift count, this form of the instruction takes 2 clock cycles rather than the 6 clock
cycles (5 cycles + 1 cycle for each bit shifted) required by the previous example.

SHL (Shift Logical Left) is physically the same instruction as SAL (see SAL above).
SHR (Shift Logical Right) shifts the destination byte or word operand right by one or by the number
of bits specified in the count operand (an immediate value or the value contained in CL). The processor
shifts zeros in from the left side of the operand as bits exit from the right side. See figure 3-7.
Example:

SHR BYTEOPRND, CL. Shifts the contents of the memory byte labeled BYTEOPRND
right by the number of bits specified in CL, and pads the left side of BYTEOPRND with
an equal number of zeros.

SAR (Shift Arithmetic Right) shifts the destination byte or word operand to the right by one or by the
number of bits specified in the count operand (an immediate value or the value contained in CL). The
processor preserves the sign of the operand by shifting in zeros on the left side if the value is positive
or by shifting by ones if the value is negative. See figure 3-8.
Example:

SAR WORDPRND, 1. Shifts the contents of the memory byte labeled WORDPRND right
by one, and replaces the high-order sign bit with a value equal to the original sign of
WORDPRND.

[Figure: OF, CF and the operand shown before SAL or SHL and after the shift.]

Both SAL and SHL shift the bits in the register or memory operand to the left by the specified number of bit positions. CF receives the
last bit shifted out of the left of the operand. SAL and SHL shift in zeros to fill the vacated bit locations. These instructions operate on
byte operands as well as word operands.

Figure 3-6. SAL and SHL


[Figure: OF, CF and the operand shown before SHR and after SHR by 10 bits.]

SHR shifts the bits in the register or memory operand to the right by the specified number of bit positions. CF receives the last bit
shifted out of the right of the operand. SHR shifts in zeros to fill the vacated bit locations. This instruction operates on byte operands
as well as word operands.

Figure 3-7. SHR

[Figure: OF, CF and the operand shown before and after SAR with a positive operand shifted 1 bit, and before and after SAR with a negative operand shifted 6 bits.]

SAR preserves the sign of the register or memory operand as it shifts the operand to the right the specified number of bit positions.
CF receives the last bit shifted out of the right of the operand. This instruction also operates on byte operands.

Figure 3-8. SAR
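
The shift rules above (count taken from the low 5 bits of CL, CF holding the last bit shifted out, OF defined only for single-bit shifts), modeled in C for word operands as an added example, not code from the manual. The names are hypothetical, and for a masked count of 0 the model reports both flags as not determined because the text does not cover that case. It also shows two points that matter when a shift stands in for multiplication or division: SAR rounds a negative odd value toward minus infinity while IDIV truncates toward 0, and SHL silently drops high-order bits.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { OP_SHL, OP_SHR, OP_SAR } shift_op_t;   /* SAL is the same as SHL */

/* cf and of are 0 or 1 when this model determines them, -1 otherwise. */
typedef struct { uint16_t result; int cf; int of; } shift16_t;

shift16_t shift16(shift_op_t op, uint16_t value, uint8_t cl)
{
    unsigned count = cl & 0x1Fu;          /* only the low-order 5 bits are used */
    shift16_t r = { value, -1, -1 };      /* masked count 0: operand untouched */
    unsigned i;

    for (i = 0; i < count; i++) {         /* one bit position per step */
        uint16_t v = r.result;
        switch (op) {
        case OP_SHL:
            r.cf = (v >> 15) & 1;
            r.result = (uint16_t)(v << 1);
            break;
        case OP_SHR:
            r.cf = v & 1;
            r.result = (uint16_t)(v >> 1);
            break;
        case OP_SAR:
            r.cf = v & 1;
            r.result = (uint16_t)((v >> 1) | (v & 0x8000u));   /* keep the sign bit */
            break;
        }
    }
    if (count == 1)                       /* OF: did the sign bit change? */
        r.of = ((value ^ r.result) >> 15) & 1;
    return r;
}

/* Returns 1 only when SHL by cl equals an unsigned multiply by 2^cl that
 * fits in 16 bits: the count survives the 5-bit mask and no 1 bit is lost. */
int shl_is_exact_multiply(uint16_t value, uint8_t cl)
{
    unsigned count = cl & 0x1Fu;
    if (count != cl) return 0;            /* count was truncated by the mask */
    if (count >= 16) return value == 0;
    return ((uint32_t)value << count) <= 0xFFFFu;
}

int main(void)
{
    /* Constructed sample operands. */
    shift16_t a = shift16(OP_SHL, 0x1234, 32);   /* masked count is 0 */
    shift16_t b = shift16(OP_SAR, 0xFFF9, 1);    /* -7 shifted right once */
    printf("SHL 1234,32 -> %04X\n", a.result);
    printf("SAR FFF9,1  -> %04X (IDIV of -7 by 2 gives FFFD)\n", b.result);
    printf("0100 << 8 exact? %d\n", shl_is_exact_multiply(0x0100, 8));
    return 0;
}
```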


3.4.2.2 ROTATE INSTRUCTIONS

Rotate instructions allow bits in bytes and words to be rotated. Bits rotated out of an operand are not
lost as in a shift, but are "circled" back into the other "end" of the operand.
Rotates affect only the carry and overflow flags. CF may act as an extension of the operand in two of
the rotate instructions, allowing a bit to be isolated and then tested by a conditional jump instruction
(JC or JNC). CF always contains the value of the last bit rotated out, even if the instruction does not
use this bit as an extension of the rotated operand.
In single-bit rotates, OF is set if the operation changes the high-order (sign) bit of the destination
operand. If the sign bit retains its original value, OF is cleared. On multibit rotates, the value of OF is
always undefined.
ROL (Rotate Left) rotates the byte or word destination operand left by one or by the number of bits
specified in the count operand (an immediate value or the value contained in CL). For each rotation
specified, the high-order bit that exits from the left of the operand returns at the right to become the
new low-order bit of the operand. See figure 3-9.
Example:

ROL AL, 8. Rotates the contents of AL left by 8 bits. This rotate instruction returns AL
to its original state but isolates the low-order bit in CF for testing by a JC or JNC
instruction.

ROR (Rotate Right) rotates the byte or word destination operand right by one or by the number of
bits specified in the count operand (an immediate value or the value contained in CL). For each rotation
specified, the low-order bit that exits from the right of the operand returns at the left to become the
new high-order bit of the operand. See figure 3-10.

[Figure: CF and the operand shown before ROL and after the rotate.]

ROL shifts the bits in the memory or register operand to the left by the specified number of bit positions. It copies the bit shifted out
of the left of the operand into the right of the operand. The last bit shifted into the least significant bit of the operand also appears in
CF. This instruction also operates on byte operands.

Figure 3-9. ROL


[Figure: the operand and CF shown before ROR, after ROR by 1 bit, and after ROR by 8 bits.]

ROR shifts the bits in the memory or register operand to the right by the specified number of bit positions. It copies each bit shifted
out of the right of the operand into the left of the operand. The last bit shifted into the most significant bit of the operand also appears
in CF. This instruction also operates on byte operands.

Figure 3-10. ROR

Example:

ROR WORDOPRND, CL. Rotates the contents of the memory word labeled
WORDOPRND by the number of bits specified by the value contained in CL. CF reflects
the value of the last bit rotated from the right to the left side of the operand.

RCL (Rotate Through Carry Left) rotates bits in the byte or word destination operand left by one or
by the number of bits specified in the count operand (an immediate value or the value contained in
CL).
This instruction differs from ROL in that it treats CF as a high-order 1-bit extension of the destination
operand. Each high-order bit that exits from the left side of the operand moves to CF before it returns
to the operand as the low-order bit on the next rotation cycle. See figure 3-11.
Example:

RCL BX,1. Rotates the contents of BX left by one bit. The high-order bit of the operand
moves to CF, the remaining 15 bits move left one position, and the original value of CF
becomes the new low-order bit.

RCR (Rotate Through Carry Right) rotates bits in the byte or word destination operand right by one
or by the number of bits specified in the count operand (an immediate value or the value contained in
CL).
This instruction differs from ROR in that it treats CF as a low-order 1-bit extension of the destination
operand. Each low-order bit that exits from the right side of the operand moves to CF before it returns
to the operand as the high-order bit on the next rotation cycle. See figure 3-12.
Example:

RCR BYTEOPRND,3. Rotates the contents of the memory byte labeled BYTEOPRND
to the right by 3 bits. Following the execution of this instruction, CF reflects the original
value of bit number 5 of BYTEOPRND, and the original value of CF becomes bit 2.


[Figure: CF and the operand shown before RCL, after RCL by 1 bit, and after RCL by 16 bits.]

RCL rotates the bits in the memory or register operand to the left in the same way as ROL except that RCL treats CF as a 1-bit
extension of the operand. Note that a 16-bit RCL produces the same result as a 1-bit RCR (though it takes much longer to execute).
This instruction also operates on byte operands.

Figure 3-11. RCL

[Figure: the operand and CF shown before RCR, after RCR by 1 bit, and after RCR by 3 bits.]

RCR rotates the bits in the memory or register operand to the right in the same way as ROR except that RCR treats CF as a 1-bit
extension of the operand. This instruction also operates on byte operands.

Figure 3-12. RCR


3.4.3 Type Conversion and No-Operation Instructions
The type conversion instructions prepare operands for division. The NOP instruction is a 1-byte filler
instruction with no effect on registers or flags.
CWD (Convert Word to Double-Word) extends the sign of the word in register AX throughout register
DX. CWD does not affect any flags. CWD can be used to produce a double-length (double-word)
dividend from a word before a word division.
CBW (Convert Byte to Word) extends the sign of the byte in register AL throughout AX. CBW does
not affect any flags.

Example:

CWD. Sign-extends the 16-bit value in AX to a 32-bit value in DX and AX with the high-order 16 bits occupying DX.

NOP (No Operation) occupies a byte of storage but affects nothing but the instruction pointer, IP. The
amount of time that a NOP instruction requires for execution varies in proportion to the CPU clocking
rate. This variation makes it inadvisable to use NOP instructions in the construction of timing loops
because the operation of such a program will not be independent of the system hardware configuration.

Example: NOP. The processor performs no operation for 2 clock cycles.

3.5 TEST AND COMPARE INSTRUCTIONS
The test and compare instructions are similar in that they do not alter their operands. Instead, these
instructions perform operations that only set the appropriate flags to indicate the relationship between
the two operands.
TEST (Test) performs the logical "and" of the two operands, clears OF and DF, leaves AF undefined,
and updates SF, ZF, and PF. The difference between TEST and AND is that TEST does not alter the
destination operand.

Example:

TEST BL,32. Performs a logical "and" and sets SF, ZF, and PF according to the results
of this operation. The contents of BL remain unchanged.

CMP (Compare) subtracts the source operand from the destination operand. It updates OF, SF, ZF,
AF, PF, and CF but does not alter the source and destination operands. A subsequent signed or unsigned
conditional transfer instruction can test the result using the appropriate flag result.

CMP can compare two register operands, a register operand and a memory operand, a register operand
and an immediate operand, or an immediate operand and a memory operand. The operands may be
words or bytes, but CMP cannot compare a byte with a word.
Example:

CMP BX,32. Subtracts the immediate operand, 32, from the contents of BX and sets OF,
SF, ZF, AF, PF, and CF to reflect the result. The contents of BX remain unchanged.

3.6 CONTROL TRANSFER INSTRUCTIONS
The 80286 provides both conditional and unconditional program transfer instructions to direct the flow
of execution. Conditional program transfers depend on the results of operations that affect the flag
register. Unconditional program transfers are always executed.


3.6.1 Unconditional Transfer Instructions
JMP, CALL, RET, INT and IRET instructions transfer control from one code segment location to
another. These locations can be within the same code segment or in different code segments.
3.6.1.1 JUMP INSTRUCTION

JMP (Jump) unconditionally transfers control to the target location. JMP is a one-way transfer of
execution; it does not save a return address on the stack.
The JMP instruction always performs the same basic function of transferring control from the current
location to a new location. Its implementation varies depending on the following factors:
Is the address specified directly within the instruction or indirectly through a register or memory?
Is the target location inside or outside the current code segment selected in CS?
A direct JMP instruction includes the destination address as part of the instruction. An indirect JMP
instruction obtains the destination address indirectly through a register or a pointer variable.
Control transfers through a gate or to a task state segment are available only in Protected Mode operation of the 80286. The formats of the instructions that transfer control through a call gate, a task gate,
or to a task state segment are the same. The label included in the instruction selects one of these three
paths to a new code segment.

Direct JMP within the current code segment. A direct JMP that transfers control to a target location
within the current code segment uses a relative displacement value contained in the instruction. This
can be either a 16-bit value or an 8-bit value sign extended to 16 bits. The processor forms an effective
address by adding this relative displacement to the address contained in IP. IP refers to the next
instruction when the additions are performed.
Example: JMP NEAR_NEWCODE. Transfers control to the target location labeled
NEAR_NEWCODE, which is within the code segment currently selected in CS.

Indirect JMP within the current code segment. Indirect JMP instructions that transfer control to a
location within the current code segment specify an absolute address in one of several ways. First, the
program can JMP to a location specified by a 16-bit register (any of AX, DX, CX, BX, BP, SI, or DI).
The processor moves this 16-bit value into IP and resumes execution.
Example: JMP SI. Transfers control to the target address formed by adding the 16-bit value contained
in SI to the base address contained in CS.
The processor can also obtain the destination address within a current segment from a memory word
operand specified in the instruction.
Example: JMP PTR_X. Transfers control to the target address formed by adding the 16-bit value
contained in the memory word labeled PTR_X to the base address contained in CS.
A register can modify the address of the memory word pointer to select a destination address.
Example: JMP CASE_TABLE [BX]. CASE_TABLE is the first word in an array of word pointers.
The value of BX determines which pointer the program selects from the array. The JMP
instruction then transfers control to the location specified by the selected pointer.


Direct JMP outside of the current code segment. Direct JMP instructions that specify a target location
outside the current code segment contain a full 32-bit pointer. This pointer consists of a selector for
the new code segment and an offset within the new segment.

Example:

JMP FAR_NEWCODE_FOO. Places the selector contained in the instruction into CS and
the offset into IP. The program resumes execution at this location in the new code segment.

Indirect JMP outside of the current code segment. Indirect JMP instructions that specify a target
location outside the current code segment use a double-word variable to specify the pointer.

Example:

JMP NEWCODE. NEWCODE is the first word of two consecutive words in memory which
represent the new pointer. NEWCODE contains the new offset for IP and the word following NEWCODE contains the selector for CS. The program resumes execution at this
location in the new code segment. (Protected mode programs treat this differently. See
Chapters 6 and 7).

Direct JMP outside of the current code segment to a call gate. If the selector included with the instruction refers to a call gate, then the processor ignores the offset in the instruction and takes the pointer
of the routine being entered from the call gate.

JMP outside of current code segment may only go to the same level.
Example:

JMP CALL_GATE_FOO. The selector in the instruction refers to the call gate
CALL_GATE_FOO, and the call gate actually provides the new contents of CS and IP to
specify the address of the next instructions.

Indirect JMP outside the current code segment to a call gate. If the selector specified by the instruction refers to a call gate, the processor ignores the offset in the double-word and takes the address of
the routine being entered from the call gate. The JMP instruction uses the same format to indirectly
specify a task gate or a task state segment.

Example:

JMP CASE_TABLE [BX]. The instruction refers to the double-word in the array of pointers called CASE_TABLE. The specific double-word chosen depends on the value in BX
when the instruction executes. The selector portion of this double-word selects a call gate,
and the processor takes the address of the routine being entered from the call gate.

3.6.1.2 CALL INSTRUCTION

CALL (Call Procedure) activates an out-of-line procedure, saving on the stack the address of the
instruction following the CALL for later use by a RET (Return) instruction. An intrasegment CALL
places the current value of IP on the stack. An intersegment CALL places both the value of IP and
CS on the stack. The RET instruction in the called procedure uses this address to transfer control back
to the calling program.

A long CALL instruction that invokes a task-switch stores the outgoing task's task state segment selector in the incoming task state segment's link field and sets the nested task flag in the new task. In this
case, the IRET instruction takes the place of the RET instruction to return control to the nested task.


Examples:
CALL NEAR_NEWCODE
CALL SI
CALL PTR_X
CALL CASE_TABLE [BP]
CALL FAR_NEWCODE_FOO
CALL NEWCODE
CALL CALLGATE_FOO
CALL CASE_TABLE [BX]

See the previous treatment of JMP for a discussion of the operations of these instructions.
3.6.1.3 RETURN AND RETURN FROM INTERRUPT INSTRUCTION

RET (Return From Procedure) terminates the execution of a procedure and transfers control through
a back-link on the stack to the program that originally invoked the procedure.
An intrasegment RET restores the value of IP that was saved on the stack by the previous intrasegment
CALL instruction. An intersegment RET restores the values of both CS and IP which were saved on
the stack by the previous intersegment CALL instruction.
RET instructions may optionally specify a constant to the stack pointer. This constant specifies the
new top of stack to effectively remove any arguments that the calling program pushed on the stack
before the execution of the CALL instruction.
Example:

RET. If the previous CALL instruction did not transfer control to a new code segment,
RET restores the value of IP pushed by the CALL instruction. If the previous CALL
instruction transferred control to a new segment, RET restores the values of both IP and
CS which were pushed on the stack by the CALL instruction.

Example:

RET n. This form of the RET instruction performs identically to the above example except
that it adds n (which must be an even value) to the value of SP to eliminate n bytes of
parameter information previously pushed by the calling program.

IRET (Return From Interrupt or Nested Task) returns control to an interrupted routine or, optionally,
reverses the action of a CALL or INT instruction that caused a task switch. See Chapter 8 for further
information on task switching.
Example:

IRET. Returns from an interrupt with or without a task switch based on the value of the
NT bit.

3.6.2 Conditional Transfer Instructions
The conditional transfer instructions are jumps that may or may not transfer control, depending on the
state of the CPU flags when the instruction executes. Instruction encoding is most efficient when the
target for the conditional jumps is in the current code segment and within -128 to +127 bytes of the
first byte of the next instruction. Alternatively, the opposite sense of the conditional jump can skip
around an unconditional jump to the destination.

3.6.2.1 CONDITIONAL JUMP INSTRUCTIONS

Table 3-3 shows the conditional transfer mnemonics and their interpretations. The conditional jumps
that are listed as pairs are actually the same instruction. The assembler provides the alternate mnemonics for greater clarity within a program listing.

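
The flag conditions of Table 3-3, modelled in C as an added example (not code from the manual): it derives the flags a 16-bit CMP leaves behind and evaluates the unsigned and signed jumps, so the same length check can be compared with JA and with JG as the rejecting jump. The function names and the sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flags left behind by a 16-bit CMP a, b (computes a - b, discards the result). */
typedef struct { int cf, zf, sf, of, pf; } flags_t;

static flags_t cmp16(uint16_t a, uint16_t b)
{
    flags_t f;
    uint16_t r = (uint16_t)(a - b);
    uint8_t lo = (uint8_t)r;

    f.cf = a < b;                            /* borrow: unsigned a is below b */
    f.zf = r == 0;
    f.sf = (r >> 15) & 1;                    /* sign bit of the result */
    f.of = (((a ^ b) & (a ^ r)) >> 15) & 1;  /* signed overflow of a - b */
    lo ^= lo >> 4; lo ^= lo >> 2; lo ^= lo >> 1;
    f.pf = !(lo & 1);                        /* 1 = even count of 1 bits in the low byte */
    return f;
}

/* One name per row of Table 3-3; the paired mnemonics share an encoding. */
typedef enum { JA, JAE, JB, JBE, JE, JNE, JP, JNP,
               JG, JGE, JL, JLE, JO, JNO, JS, JNS } jcc_t;

/* Returns 1 if the conditional jump is taken for the given flags. */
static int jcc_taken(jcc_t c, flags_t f)
{
    switch (c) {
    case JA:  return (f.cf | f.zf) == 0;            /* JNBE */
    case JAE: return f.cf == 0;                     /* JNB, same test as JNC */
    case JB:  return f.cf == 1;                     /* JNAE, same test as JC */
    case JBE: return (f.cf | f.zf) == 1;            /* JNA */
    case JE:  return f.zf == 1;                     /* JZ */
    case JNE: return f.zf == 0;                     /* JNZ */
    case JP:  return f.pf == 1;                     /* JPE */
    case JNP: return f.pf == 0;                     /* JPO */
    case JG:  return ((f.sf ^ f.of) | f.zf) == 0;   /* JNLE */
    case JGE: return (f.sf ^ f.of) == 0;            /* JNL */
    case JL:  return (f.sf ^ f.of) == 1;            /* JNGE, complement of JGE */
    case JLE: return ((f.sf ^ f.of) | f.zf) == 1;   /* JNG */
    case JO:  return f.of == 1;
    case JNO: return f.of == 0;
    case JS:  return f.sf == 1;
    case JNS: return f.sf == 0;
    }
    return 0;
}

/* Models "CMP len, limit" followed by a jump to a reject path.
 * Returns 1 if the length is accepted, 0 if the jump rejects it. */
static int length_accepted(uint16_t len, uint16_t limit, jcc_t reject_if)
{
    return !jcc_taken(reject_if, cmp16(len, limit));
}

int main(void)
{
    uint16_t len = 0xFFF0, limit = 0x0100;   /* constructed values */

    /* 0xFFF0 is 65520 unsigned but -16 signed: JG lets it through. */
    printf("reject with JA: accepted=%d\n", length_accepted(len, limit, JA));
    printf("reject with JG: accepted=%d\n", length_accepted(len, limit, JG));
    return 0;
}
```

A length or index that is an unsigned quantity has to be checked with the unsigned jumps; the signed forms treat every value with bit 15 set as negative and therefore as below any positive limit.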
3.6.2.2 LOOP INSTRUCTIONS

The loop instructions are conditional jumps that use a value placed in CX to specify the number of
repetitions of a software loop. All loop instructions automatically decrement CX and terminate the
loop when CX=0. Four of the five loop instructions specify a condition of ZF that terminates the loop
before CX decrements to zero.
LOOP (Loop While CX Not Zero) is a conditional transfer that auto-decrements the CX register before
testing CX for the branch condition. If CX is non-zero, the program branches to the target label specified in the instruction. The LOOP instruction causes the repetition of a code section until the operation
of the LOOP instruction decrements CX to a value of zero. If LOOP finds CX=0, control transfers
to the instruction immediately following the LOOP instruction. If the value of CX is initially zero, then
the LOOP executes 65,536 times.

Example: LOOP START_LOOP. Each time the program encounters this instruction, it decrements
CX and then tests it. If the value of CX is non-zero, then the program branches to the
instruction labeled START_LOOP. If the value in CX is zero, then the program continues
with the instruction that follows the LOOP instruction.

Table 3-3. Interpretation of Conditional Transfers

Unsigned Conditional Transfers

Mnemonic    Condition Tested            "Jump If ..."
JA/JNBE     (CF or ZF) = 0              above/not below nor equal
JAE/JNB     CF = 0                      above or equal/not below
JB/JNAE     CF = 1                      below/not above nor equal
JBE/JNA     (CF or ZF) = 1              below or equal/not above
JC          CF = 1                      carry
JE/JZ       ZF = 1                      equal/zero
JNC         CF = 0                      not carry
JNE/JNZ     ZF = 0                      not equal/not zero
JNP/JPO     PF = 0                      not parity/parity odd
JP/JPE      PF = 1                      parity/parity even

Signed Conditional Transfers

Mnemonic    Condition Tested            "Jump If ..."
JG/JNLE     ((SF xor OF) or ZF) = 0     greater/not less nor equal
JGE/JNL     (SF xor OF) = 0             greater or equal/not less
JL/JNGE     (SF xor OF) = 1             less/not greater nor equal
JLE/JNG     ((SF xor OF) or ZF) = 1     less or equal/not greater
JNO         OF = 0                      not overflow
JNS         SF = 0                      not sign (positive, including 0)
JO          OF = 1                      overflow
JS          SF = 1                      sign (negative)

LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are physically the same instruction.
These instructions auto-decrement the CX register before testing CX and ZF for the branch conditions.
If CX is non-zero and ZF=1, the program branches to the target label specified in the instruction. If
LOOPE or LOOPZ finds that CX=0 or ZF=0, control transfers to the instruction immediately
succeeding the LOOPE or LOOPZ instruction.

Example:

LOOPE START_LOOP (or LOOPZ START_LOOP). Each time the program encounters
this instruction, it decrements CX and tests CX and ZF. If the value in CX is non-zero and
the value of ZF is 1, the program branches to the instruction labeled START_LOOP. If
CX=0 or ZF=0, the program continues with the instruction that follows the LOOPE (or
LOOPZ) instruction.

LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are physically the same
instruction. These instructions auto-decrement the CX register before testing CX and ZF for the branch
conditions. If CX is non-zero and ZF=0, the program branches to the target label specified in the
instruction. If LOOPNE or LOOPNZ finds that CX=0 or ZF=1, control transfers to the instruction
immediately succeeding the LOOPNE or LOOPNZ instruction.

Example:

LOOPNE START_LOOP (or LOOPNZ START_LOOP). Each time the program
encounters this instruction, it decrements CX and tests CX and ZF. If the value of CX is
non-zero and the value of ZF is 0, the program branches to the instruction labeled
START_LOOP. If CX=0 or ZF=1, the program continues with the instruction that
follows the LOOPNE (or LOOPNZ) instruction.

3.6.2.3 EXECUTING A LOOP OR REPEAT ZERO TIMES

JCXZ (Jump if CX Zero) branches to the label specified in the instruction if it finds a value of zero
in CX. Sometimes, it is desirable to design a loop that executes zero times if the count variable in CX
is initialized to zero. Because the LOOP instructions (and repeat prefixes) decrement CX before they
test it, a loop will execute 65,536 times if the program enters the loop with a zero value in CX. A
programmer may conveniently overcome this problem with JCXZ, which enables the program to branch
around the code within the loop if CX is zero when JCXZ executes.

Example:

JCXZ TARGETLABEL. Causes the program to branch to the instruction labeled
TARGETLABEL if CX=0 when the instruction executes.
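
The zero-count case described above, modelled in C as an added example (not code from the manual): it counts how often a LOOP body and a LOOPNE search loop run, with and without a JCXZ guard in front. The segment contents, the offsets and the function names are constructed for the illustration, and the pointer advance inside the search loop is assumed to leave ZF untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Times the body runs for:   [JCXZ done]  top: <body>  LOOP top  done:
 * CX is 16 bits wide, so decrementing 0 wraps to 0xFFFF. */
static uint32_t loop_body_runs(uint16_t cx, int guard_with_jcxz)
{
    uint32_t runs = 0;

    if (guard_with_jcxz && cx == 0)      /* JCXZ done */
        return 0;
    do {
        runs++;                          /* loop body */
        cx = (uint16_t)(cx - 1);         /* LOOP decrements CX first ... */
    } while (cx != 0);                   /* ... and only then tests it */
    return runs;
}

static uint8_t seg[65536];               /* constructed 64K data segment */

/* Search loop closed by LOOPNE: the body compares one byte with AL (setting
 * ZF); LOOPNE then decrements CX and branches while CX != 0 and ZF = 0.
 * Returns the number of bytes examined. */
static uint32_t loopne_scan(uint16_t bx, uint16_t cx, uint8_t al,
                            int guard_with_jcxz)
{
    uint32_t examined = 0;
    int zf;

    if (guard_with_jcxz && cx == 0)      /* JCXZ done */
        return 0;
    do {
        zf = (seg[bx] == al);            /* CMP [BX], AL */
        bx = (uint16_t)(bx + 1);         /* advance; assumed to leave ZF alone */
        examined++;
        cx = (uint16_t)(cx - 1);         /* LOOPNE: decrement, then test */
    } while (cx != 0 && zf == 0);
    return examined;
}

/* Constructed input: a 4-byte buffer at offset 0x0100 holding 10 20 AA 30;
 * every other byte of the segment is zero. */
static uint32_t scan_sample(uint16_t cx, uint8_t al, int guard_with_jcxz)
{
    static const uint8_t buf[4] = { 0x10, 0x20, 0xAA, 0x30 };

    memset(seg, 0, sizeof seg);
    memcpy(&seg[0x0100], buf, sizeof buf);
    return loopne_scan(0x0100, cx, al, guard_with_jcxz);
}

int main(void)
{
    printf("LOOP, CX=0, no guard  : %lu runs\n",
           (unsigned long)loop_body_runs(0, 0));
    printf("LOOP, CX=0, JCXZ guard: %lu runs\n",
           (unsigned long)loop_body_runs(0, 1));
    /* A zero count scans the whole segment, far past the 4-byte buffer. */
    printf("LOOPNE scan, CX=0, no guard  : %lu bytes examined\n",
           (unsigned long)scan_sample(0, 0x55, 0));
    printf("LOOPNE scan, CX=0, JCXZ guard: %lu bytes examined\n",
           (unsigned long)scan_sample(0, 0x55, 1));
    return 0;
}
```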

3.6.3 Software-Generated Interrupts
The INT n and INTO instructions allow the programmer to specify a transfer to an interrupt service
routine from within a program. Interrupts 0-31 are reserved by Intel.
3.6.3.1 SOFTWARE INTERRUPT INSTRUCTION

INT n (Software Interrupt) activates the interrupt service routine that corresponds to the number
coded within the instruction. Interrupt type 3 is reserved for internal software-generated interrupts.
However, the INT instruction may specify any interrupt type to allow multiple types of internal interrupts or to test the operation of a service routine. The interrupt service routine terminates with an
IRET instruction that returns control to the instruction that follows INT.

Example:

INT 3. Transfers control to the interrupt service routine specified by a type 3 interrupt.

Example:

INT 0. Transfers control to the interrupt service routine specified by a type 0 interrupt,
which is reserved for a divide error.

INTO (Interrupt on Overflow) invokes a type 4 interrupt if OF is set when the INTO instruction
executes. The type 4 interrupt is reserved for this purpose.

Example:

INTO. If the result of a previous operation has set OF and no intervening operation has
reset OF, then INTO invokes a type 4 interrupt. The interrupt service routine terminates
with an IRET instruction, which returns control to the instruction following INTO.

3.7 CHARACTER TRANSLATION AND STRING INSTRUCTIONS
The instructions in this category operate on characters or string elements rather than on logical or
numeric values.

3.7.1 Translate Instruction
XLAT (Translate) replaces a byte in the AL register with a byte from a user-coded translation table.
When XLAT is executed, AL should have the unsigned index to the table addressed by BX. XLAT
changes the contents of AL from table index to table entry. BX is unchanged. The XLAT instruction
is useful for translating from one coding system to another, such as from ASCII to EBCDIC. The
translate table may be up to 256 bytes long. The value placed in the AL register serves as an index to
the location of the corresponding translation value. Used with a LOOP instruction, the XLAT instruction can translate a block of codes up to 64K bytes long.

Example:

XLAT. Replaces the byte in AL with the byte from the translate table that is selected by
the value in AL.

3.7.2 String Manipulation Instructions and Repeat Prefixes
The string instructions (also called primitives) operate on string elements to move, compare, and scan
byte or word strings. One-byte repeat prefixes can cause the operation of a string primitive to be repeated
to process strings as long as 64K bytes.

The repeated string primitives use the direction flag, DF, to specify left-to-right or right-to-left string
processing, and use a count in CX to limit the processing operation. These instructions use the register
pair DS:SI to point to the source string element and the register pair ES:DI to point to the destination.
One of two possible opcodes represent each string primitive, depending on whether it is operating on
byte strings or word strings. The string primitives are generic and require one or more operands along
with the primitive to determine the size of the string elements being processed. These operands do not
determine the addresses of the strings; the addresses must already be present in the appropriate
registers.
Each repetition of a string operation using the Repeat prefixes includes the following steps:
1. Acknowledge pending interrupts.
2. Check CX for zero and stop repeating if CX is zero.
3. Perform the string operation once.
4. Adjust the memory pointers in DS:SI and ES:DI by incrementing SI and DI if DF is 0 or by
   decrementing SI and DI if DF is 1.
5. Decrement CX (this step does not affect the flags).
6. For SCAS (Scan String) and CMPS (Compare String), check ZF for a match with the repeat
   condition and stop repeating if the ZF fails to match.

The Load String and Store String instructions allow a program to perform arithmetic or logical operations on string characters (using AX for word strings and AL for byte strings). Repeated operations
that include instructions other than string primitives must use the loop instructions rather than a repeat
prefix.
3.7.2.1 STRING MOVEMENT INSTRUCTIONS

REP (Repeat While CX Not Zero) specifies a repeated operation of a string primitive. The REP prefix
causes the hardware to automatically repeat the associated string primitive until CX=0. This form of
iteration allows the CPU to process strings much faster than would be possible with a regular software
loop.
When the REP prefix accompanies a MOVS instruction, it operates as a memory-to-memory block
transfer. To set up for this operation, the program must initialize CX and the register pairs DS:SI and
ES:DI. CX specifies the number of bytes or words in the block.
If DF=0, the program must point DS:SI to the first element of the source string and point ES:DI to
the destination address for the first element. If DF=1, the program must point these two register pairs
to the last element of the source string and to the destination address for the last element, respectively.

Example:

REP MOVSW. The processor checks the value in CX for zero. If this value is not zero,
the processor moves a word from the location pointed to by DS:SI to the location pointed
to by ES:DI and increments SI and DI by two (if DF=0). Next, the processor decrements
CX by one and returns to the beginning of the repeat cycle to check CX again. After CX
decrements to zero, the processor executes the instruction that follows.

MOVS (Move String) moves the string character pointed to by the combination of DS and SI to the
location pointed to by the combination of ES and DI. This is the only memory-to-memory transfer
supported by the instruction set of the base architecture. MOVSB operates on byte elements. The
destination segment register cannot be overridden by a segment override prefix while the source segment
register can be overridden.
Example:

MOVSW. Moves the contents of the memory byte pointed to by DS:SI to the location
pointed to by ES:DI.
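
The repeat steps and the DF setup rule for REP MOVS, modelled in C as an added example (not code from the manual): it follows the listed steps for REP MOVSB on one 64K segment, first for an overlapping block move in each direction and then for a forward setup executed while DF is still 1. The offsets, the data and the helper names are constructed for the illustration, and DS and ES are assumed to select the same segment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t si, di, cx; int df; } regs_t;

static uint8_t seg[65536];   /* one 64K segment; DS and ES both select it */

/* REP MOVSB, one pass per repetition of the steps listed for the Repeat prefixes. */
static void rep_movsb(regs_t *r)
{
    for (;;) {
        /* step 1: acknowledging interrupts has no effect in this model */
        if (r->cx == 0)                         /* step 2 */
            break;
        seg[r->di] = seg[r->si];                /* step 3 */
        if (r->df == 0) { r->si++; r->di++; }   /* step 4: 16-bit offsets wrap */
        else            { r->si--; r->di--; }
        r->cx--;                                /* step 5 */
        /* step 6 applies only to SCAS and CMPS */
    }
}

/* Moves the 6 bytes "ABCDEF" from offset 0x10 to the overlapping offset 0x12
 * and returns what ends up at the destination. */
static const char *overlap_move(int df)
{
    static char out[7];
    regs_t r;

    memset(seg, '.', sizeof seg);
    memcpy(&seg[0x10], "ABCDEF", 6);
    r.cx = 6;
    r.df = df;
    if (df == 0) { r.si = 0x10; r.di = 0x12; }  /* point at the first elements */
    else         { r.si = 0x15; r.di = 0x17; }  /* point at the last elements */
    rep_movsb(&r);
    memcpy(out, &seg[0x12], 6);
    out[6] = '\0';
    return out;
}

/* The caller prepares a forward copy of 4 bytes into a buffer at 0x20..0x23
 * (SI and DI on the first elements) but DF holds the value passed in.
 * Returns the lowest offset that was written. */
static uint16_t lowest_write_with_forward_setup(int df)
{
    regs_t r = { 0x10, 0x20, 4, 0 };

    r.df = df;
    memset(seg, '.', sizeof seg);
    memcpy(&seg[0x10], "WXYZ", 4);
    rep_movsb(&r);
    /* DF=0: writes run upward from the start value of DI.
     * DF=1: writes run downward and DI ends one below the last byte written. */
    return df == 0 ? 0x20 : (uint16_t)(r.di + 1);
}

int main(void)
{
    printf("overlap, DF=0, first elements: %s\n", overlap_move(0));
    printf("overlap, DF=1, last elements : %s\n", overlap_move(1));
    printf("forward setup, DF=0: lowest write at 0x%04X\n",
           (unsigned)lowest_write_with_forward_setup(0));
    printf("forward setup, DF=1: lowest write at 0x%04X\n",
           (unsigned)lowest_write_with_forward_setup(1));
    return 0;
}
```

With DF left at 1, three of the four bytes land below the destination buffer, which is why code that depends on forward processing issues CLD before the string instruction instead of relying on the state it inherited.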

3.7.2.2 OTHER STRING OPERATIONS

CMPS (Compare Strings) subtracts the destination string element (ES:DI) from the source string
element (DS:SI) and updates the flags AF, SF, PF, CF and OF. If the string elements are equal,
ZF=1; otherwise, ZF=0. If DF=0, the processor increments the memory pointers (SI and DI) for
the two strings. The segment register used for the source address can be changed with a segment
override prefix, while the destination segment register cannot be overridden.
Example:

CMPSB. Compares the source and destination string elements with each other and returns
the result of the comparison to ZF.

SCAS (Scan String) subtracts the destination string element at ES:DI from AX or AL and updates
the flags AF, SF, ZF, PF, CF and OF. If the values are equal, ZF=1; otherwise, ZF=0. If DF=0,
the processor increments the memory pointer (DI) for the string. The segment register used for the
source address can be changed with a segment override prefix while the destination segment register
cannot be overridden.
Example: SCASW. Compares the value in AX with the destination string element.
REPE/REPZ (Repeat While CX Equal/Zero) and REPNE/REPNZ (Repeat While CX Not Equal/
Not Zero) are the prefixes that are used exclusively with the SCAS (Scan String) and CMPS (Compare
String) primitives.
The difference between these two types of prefix bytes is that REPE/REPZ terminates when ZF=0
and REPNE/REPNZ terminates when ZF=1. ZF does not require initialization before execution of
a repeated string instruction.
When these prefixes modify either the SCAS or CMPS primitives, the processor compares the value
of the current string element with the value in AX for word elements or with the value in AL for byte
elements. The resulting state of ZF can then limit the operation of the repeated operation as well as a
zero value in CX.
Example:

REPE SCASB. Causes the processor to scan the string pointed to by ES:DI until it encounters a match with the byte value in AL or until CX decrements to zero.

LODS (Load String) places the source string element at DS:SI into AX for word strings or into AL
for byte strings.
Example:

LODSW. Loads AX with the value pointed to by DS:SI.

3.8 ADDRESS MANIPULATION INSTRUCTIONS
The set of address manipulation instructions provides a way to perform address calculations or to move
to a new data segment or extra segment.

LEA (Load Effective Address) transfers the offset of the source operand (rather than its value) to the
destination operand. The source operand must be a memory operand, and the destination operand must
be a 16-bit general register (AX, DX, BX, CX, BP, SP, SI, or DI).
LEA does not affect any flags. This instruction is useful for initializing the registers before the execution of the string primitives or the XLAT instruction.
Example: LEA BX, EBCDIC_TABLE. Causes the processor to place the address of the starting location
of the table labeled EBCDIC_TABLE into BX.
LDS (Load Pointer Using DS) transfers a 32-bit pointer variable from the source operand to DS and
the destination register. The source operand must be a memory operand, and the destination operand
must be a 16-bit general register (AX, DX, BX, CX, BP, SP, SI or DI). DS receives the high-order
segment word of the pointer. The destination register receives the low-order word, which points to a
specific location within the segment.

Example: LDS SI, STRING_X. Loads DS with the word identifying the segment pointed to by
STRING_X, and loads the offset of STRING_X into SI. Specifying SI as the destination
operand is a convenient way to prepare for a string operation on a source string that is not
in the current data segment.
LES (Load Pointer Using ES) operates identically to LDS except that ES receives the offset word
rather than DS.

Example: LES DI, DESTINATION_X. Loads ES with the word identifying the segment pointed to
by DESTINATION_X, and loads the offset of DESTINATION_X into DI. This instruction provides a convenient way to select a destination for a string operation if the desired
location is not in the current extra segment.

3.9 FLAG CONTROL INSTRUCTIONS
The flag control instructions provide a method of changing the state of bits in the flag register.

3.9.1 Carry Flag Control Instructions
The carry flag instructions are useful in conjunction with rotate-with-carry instructions RCL and RCR.
They can initialize the carry flag, CF, to a known state before execution of a rotate that moves the
carry bit into one end of the rotated operand.
STC (Set Carry Flag) sets the carry flag (CF) to 1.

Example: STC
CLC (Clear Carry Flag) zeros the carry flag (CF).

Example: CLC
CMC (Complement Carry Flag) reverses the current status of the carry flag (CF).

Example: CMC

3.9.2 Direction Flag Control Instructions
The direction flag control instructions are specifically included to set or clear the direction flag, DF,
which controls the left-to-right or right-to-left direction of string processing. If DF=0, the processor
automatically increments the string memory pointers, SI and DI, after each execution of a string primitive. If DF=1, the processor decrements these pointer values. The initial state of DF is 0.
CLD (Clear Direction Flag) zeros DF, causing the string instructions to auto-increment SI and/or DI.
CLD does not affect any other flags.

Example: CLD
STD (Set Direction Flag) sets DF to 1, causing the string instructions to auto-decrement SI and/or
DI. STD does not affect any other flags.

Example: STD

3.9.3 Flag Transfer Instructions
Though specific instructions exist to alter CF and DF, there is no direct method of altering the other
flags. The flag transfer instructions allow a program to alter the other flag bits with the bit manipulation instructions after transferring these flags to the stack or the AH register.
The PUSHF and POPF instructions are also useful for preserving the state of the flag register before
executing a procedure.
LAHF (Load AH from Flags) copies SF, ZF, AF, PF, and CF to AH bits 7, 6, 4, 2, and 0, respectively
(see figure 3-13). The contents of the remaining bits (5, 3, and 1) are undefined. The flags remain
unaffected. This instruction can assist in converting 8080/8085 assembly language programs to run on
the base architecture of the 8086, 8088, 80186, 80188, and 80286.

Example: LAHF
SAHF (Store AH into Flags) transfers bits 7, 6, 4, 2, and 0 from AH into SF, ZF, AF, PF, and CF,
respectively (see figure 3-13). This instruction also provides 8080/8085 compatibility with the 8086,
8088, 80186, 80188, and 80286.

Example: SAHF
PUSHF (Push Flags) decrements SP by two and then transfers all flags to the word at the top of stack
pointed to by SP (see figure 3-14). The flags remain unaffected. This instruction enables a procedure
to save the state of the flag register for later use.

Example: PUSHF
POPF (Pop Flags) transfers specific bits from the word at the top of stack into the low-order byte of
the flag register (see figure 3-14). The processor then increments SP by two.

Note that an application program in the protected virtual address mode may not alter IOPL (the I/O
privilege level flag) unless the program is executing at privilege level 0. A program may alter IF (the
interrupt flag) only when executing at a level that is at least as privileged as IOPL.

Bit:          7    6    5    4    3    2    1    0
REGISTER AH:  SF   ZF   .    AF   .    PF   .    CF

LAHF loads five flags from the flag register into register AH. SAHF stores these same five flags from AH into the flag register. The bit
position of each flag is the same in AH as it is in the flag register. The remaining bits are indeterminate.

Figure 3-13. LAHF and SAHF

[Figure: bit layout of the STACK WORD, bits 15 through 0]

PUSHF decrements SP by 2 bytes (1 word) and copies the contents of the flag register to the top of stack. POPF loads the flag register
with the contents of the last word pushed onto the stack. The bit position of each flag is the same in the stack word as it is in the flag
register. Only programs executing at the highest privilege level (level 0) may alter the 2-bit IOPL flag. Only programs executing at a
level at least as privileged as that indicated by IOPL may alter IF.

Figure 3-14. PUSHF and POPF

Procedures may use this instruction to restore the flag status from a previous value.
Example: POPF

3.10 BINARY-CODED DECIMAL ARITHMETIC INSTRUCTIONS
These instructions adjust the results of a previous arithmetic operation to produce a valid packed or
unpacked decimal result. These instructions operate only on AL or AH registers.

3.10.1 Packed BCD Adjustment Instructions
DAA (Decimal Adjust) corrects the result of adding two valid packed decimal operands in AL. DAA
must always follow the addition of two pairs of packed decimal numbers (one digit in each nibble) to
obtain a pair of valid packed decimal digits as results. The carry flag will be set if carry was needed.
Example: DAA

DAS (Decimal Adjust for Subtraction) corrects the result of subtracting two valid packed decimal
operands in AL. DAS must always follow the subtraction of one pair of packed decimal numbers (one
digit in each nibble) from another to obtain a pair of valid packed decimal digits as results. The carry
flag will be set if a borrow was needed.
Example: DAS

3.10.2 Unpacked BCD Adjustment Instructions
AAA (ASCII Adjust for Addition) changes the contents of register AL to a valid unpacked decimal
number, and zeros the top 4 bits. AAA must always follow the addition of two unpacked decimal
operands in AL. The carry flag will be set and AH will be incremented if a carry was necessary.
Example: AAA

AAS (ASCII Adjust for Subtraction) changes the contents of register AL to a valid unpacked decimal
number, and zeros the top 4 bits. AAS must always follow the subtraction of one unpacked decimal
operand from another in AL. The carry flag will be set and AH decremented if a borrow was necessary.
Example: AAS
AAM (ASCII Adjust for Multiplication) corrects the result of a multiplication of two valid unpacked
decimal numbers. AAM must always follow the multiplication of two decimal numbers to produce a
valid decimal result. The high order digit will be left in AH, the low order digit in AL.
Example: AAM
AAD (ASCII Adjust for Division) modifies the numerator in AH and AL to prepare for the division
of two valid unpacked decimal operands so that the quotient produced by the division will be a valid
unpacked decimal number. AH should contain the high-order digit and AL the low-order digit. This
instruction will adjust the value and leave it in AL. AH will contain 0.
Example: AAD

3.11 TRUSTED INSTRUCTIONS
When operating in Protected Mode (Chapter 6 and following), the 80286 processor restricts the execution of trusted instructions according to the Current Privilege Level (CPL) and the current value of
IOPL, the 2-bit I/O privilege flag. Only a program operating at the highest privilege level (level 0)
may alter the value of IOPL. A program may execute trusted instructions only when executing at a
level that is at least as privileged as that specified by IOPL.
Trusted instructions control I/O operations, interprocessor communications in a multiprocessor system,
interrupt enabling, and the HLT instruction.
These protection considerations do not apply in the real address mode.

3.11.1 Trusted and Privileged Restrictions on POPF and IRET
POPF (POP Flags) and IRET (Interrupt Return) are not affected by IOPL unless they attempt to
alter IF (flag register bit 9). To change IF, POPF must be part of a program that is executing at a
privilege level greater than or equal to that specified by IOPL. Any attempt to change IF when CPL
≥ 0 will be ignored (i.e., the IF flag will be ignored). To change the IOPL field, CPL must be zero.

3.11.2 Machine State Instructions
These trusted instructions affect the machine state control interrupt response, the processor halt state,
and the bus LOCK signal that regulates memory access in multiprocessor systems.
CLI (Clear Interrupt-Enable Flag) and STI (Set Interrupt-Enable Flag) alter bit 9 in the flag register.
When IF=0, the processor responds only to internal interrupts and to non-maskable external interrupts. When IF=1, the processor responds to all interrupts. An interrupt service routine might use
these instructions to avoid further interruption while it processes a previous interrupt request. As with
the other flag bits, the processor clears IF during initialization. These instructions may be executed
only if CPL ≤ IOPL. A protection exception will occur if they are executed when CPL > IOPL.

Example: STI. Sets IF=1, which enables the processing of maskable external interrupts.
Example: CLI. Sets IF=0 to disable maskable interrupt processing.

HLT (Halt) causes the processor to suspend processing operations pending an interrupt or a system
reset. This trusted instruction provides an alternative to an endless software loop in situations where a
program must wait for an interrupt. The return address saved after the interrupt will point to the
instruction immediately following HLT. This instruction may be executed only when CPL = 0.
Example: HLT

LOCK (Assert Bus Lock) is a 1-byte prefix code that causes the processor to assert the bus LOCK
signal during execution of the instruction that follows. LOCK does not affect any flags. LOCK may
be used only when CPL ≤ IOPL. A protection exception will occur if LOCK is used when CPL >
IOPL.

3.11.3 Input and Output Instructions
These trusted instructions provide access to the processor's I/O ports to transfer data to and from
peripheral devices. In Protected Mode, these instructions may be executed only when CPL ≤ IOPL.

IN (Input from Port) transfers a byte or a word from an input port to AL or AX. If a program specifies
AL with the IN instruction, the processor transfers 8 bits from the selected port to AL. Alternately, if
a program specifies AX with the IN instruction, the processor transfers 16 bits from the port to AX.
The program can specify the number of the port in two ways. Using an immediate byte constant, the
program can specify 256 8-bit ports numbered 0 through 255 or 128 16-bit ports numbered
0, 2, 4, ..., 252, 254. Using the current value contained in DX, the program can specify 8-bit ports numbered
0 through 65,535, or 16-bit ports using even-numbered ports in the same range.
Example: IN AL, BYTE_PORT_NUMBER. Transfers 8 bits to AL from the port identified by the immediate
constant BYTE_PORT_NUMBER.

OUT (Output to Port) transfers a byte or a word to an output port from AL or AX. The program can
specify the number of the port using the same methods of the IN instruction.
Example: OUT AX, DX. Transfers 16 bits from AX to the port identified by the 16-bit number
contained in DX.

INS and OUTS (Input String and Output String) cause block input or output operations using a Repeat
prefix. See Chapter 4 for more information on INS and OUTS.
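
The privilege rules of sections 3.11 through 3.11.3, modelled in C as an added example (not code from the manual): one function applies the POPF rules for IF and IOPL, another decides whether a trusted instruction executes or raises a protection exception. The function and enum names are assumptions, IOPL is taken to occupy bits 12 and 13 of the flag word, and all other flag bits are treated as freely loadable.

```c
#include <stdint.h>
#include <stdio.h>

#define FLAG_IF     0x0200u   /* bit 9, as stated in section 3.11.1 */
#define FLAG_IOPL   0x3000u   /* bits 12-13 of the flag word (assumed layout) */
#define IOPL_SHIFT  12

static unsigned iopl_of(uint16_t flags)
{
    return (flags & FLAG_IOPL) >> IOPL_SHIFT;
}

/* POPF in Protected Mode: returns the flag word after loading stack_word.
 * Bits the current privilege level may not change keep their old value;
 * no exception is raised for them. */
static uint16_t popf(uint16_t flags, uint16_t stack_word, unsigned cpl)
{
    uint16_t writable = 0xFFFFu;

    if (cpl != 0)                         /* IOPL changes only at CPL = 0 */
        writable &= (uint16_t)~FLAG_IOPL;
    if (cpl > iopl_of(flags))             /* IF changes only when CPL <= IOPL */
        writable &= (uint16_t)~FLAG_IF;
    return (uint16_t)((flags & ~writable) | (stack_word & writable));
}

typedef enum { T_CLI, T_STI, T_LOCK, T_IN, T_OUT, T_INS, T_OUTS, T_HLT } trusted_t;

/* Returns 1 if the instruction executes, 0 if it raises a protection exception. */
static int may_execute(trusted_t insn, uint16_t flags, unsigned cpl)
{
    if (insn == T_HLT)
        return cpl == 0;                  /* HLT: only when CPL = 0 */
    return cpl <= iopl_of(flags);         /* all others: CPL <= IOPL */
}

int main(void)
{
    uint16_t flags = FLAG_IF;             /* constructed state: IF=1, IOPL=0 */
    unsigned cpl = 3;                     /* application code */

    /* Clearing IF through the stack image is ignored without a fault ... */
    uint16_t after = popf(flags, (uint16_t)(flags & ~FLAG_IF), cpl);
    printf("POPF at CPL 3: IF=%d IOPL=%u\n", (after & FLAG_IF) != 0, iopl_of(after));

    /* ... while CLI at the same level raises a protection exception. */
    printf("CLI at CPL 3 executes: %d\n", may_execute(T_CLI, flags, cpl));

    /* Raising IOPL from the stack image only works at CPL 0. */
    printf("IOPL after POPF at CPL 3: %u, at CPL 0: %u\n",
           iopl_of(popf(flags, 0x3200u, 3)), iopl_of(popf(flags, 0x3200u, 0)));
    return 0;
}
```

Because POPF drops a disallowed IF or IOPL change without faulting, code that needs to know the resulting state has to read the flags back after the POPF.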

3.12 PROCESSOR EXTENSION INSTRUCTIONS
Processor Extension provides an extension to the instruction set of the base architecture (e.g., 80287).
The NPX extends the instruction set of the CPU-based architecture to support high-precision integer
and floating-point calculations. This extended instruction set includes arithmetic, comparison, transcendental, and data transfer instructions. The NPX also contains a set of useful constants to enhance the
speed of numeric calculations.

A program contains instructions for the NPX in line with the instructions for the CPU. The system
executes these instructions in the same order as they appear in the instruction stream. The NPX operates
concurrently with the CPU to provide maximum throughput for numeric calculations.
The software emulation of the NPX is transparent to application software but requires more time for
execution.

3.12.1 Processor Extension Synchronization Instructions
Escape and wait instructions allow a processor extension such as the 80287 NPX to obtain instructions
and data from the system bus and to wait for the NPX to return a result.
ESC (Escape) identifies floating point numeric instructions and allows the 80286 to send the opcode
to the NPX or to transfer a memory operand to the NPX. The 80287 NPX uses the Escape instructions
to perform high-performance, high-precision floating point arithmetic that conforms to the IEEE floating point standard 754.
Example: ESC 6, ARRAY [SI]. The CPU sends the escape opcode 6 and the location of the array
pointed to by SI to the NPX.

WAIT (Wait) suspends program execution until the 80286 CPU detects a signal on the BUSY pin. In
a configuration that includes a numeric processor extension, the NPX activates the BUSY pin to signal
that it has completed its processing task and that the CPU may obtain the results.
Example: WAIT

3.12.2 Numeric Data Processor Instructions
This section describes the categories of instructions available with Numeric Data Processor systems
that include a Numeric Processor Extension or a software emulation of this processor extension.
3.12.2.1 ARITHMETIC INSTRUCTIONS

The extended instruction set includes not only the four arithmetic operations (add, subtract, multiply,
and divide), but also subtract-reversed and divide-reversed instructions. The arithmetic functions include
square root, modulus, absolute value, integer part, change sign, scale exponent, and extract exponent
instructions.
3.12.2.2 COMPARISON INSTRUCTIONS

The comparison operations are the compare, examine, and test instructions. Special forms of the compare
instruction can optimize algorithms by allowing comparisons of binary integers with real numbers in
memory.
3.12.2.3 TRANSCENDENTAL INSTRUCTIONS

The instructions in this group perform the otherwise time-consuming calculations for all common
trigonometric, inverse trigonometric, hyperbolic, inverse hyperbolic, logarithmic, and exponential
functions. The transcendental instructions include tangent, arctangent, $2^X - 1$, $Y \cdot \log_2 X$, and
$Y \cdot \log_2 (X+1)$.

3.12.2.4 DATA TRANSFER INSTRUCTIONS

The data transfer instructions move operands among the registers and between a register and memory.
This group includes the load, store, and exchange instructions.
3.12.2.5 CONSTANT INSTRUCTIONS

Each of the constant instructions loads a commonly used constant into an NPX register. The values
have a real precision of 64 bits and are accurate to approximately 19 decimal places. The constants
loaded by these instructions include 0, 1, Pi, $\log_2 10$, $\log_2 e$, $\log_{10} 2$, and $\log_e 2$.

CHAPTER 4
EXTENDED INSTRUCTION SET
The instructions described in this chapter extend the capabilities of the base architecture instruction
set described in Chapter 3. These extensions consist of new instructions and variations of some instructions that are not strictly part of the base architecture (in other words, not included on the 8086 and
8088). These instructions are also available on the 80186 and 80188. The instruction variations, described
in Chapter 3, include the immediate forms of the PUSH and MUL instructions, PUSHA, POPA, and
the privilege level restrictions on POPF.
New instructions described in this chapter include the string input and output instructions (INS and
OUTS), the ENTER procedure and LEAVE procedure instructions, and the check index BOUND
instruction.

4.1 BLOCK I/O INSTRUCTIONS
REP, the Repeat prefix, modifies INS and OUTS (the string I/O instructions) to provide a means of
transferring blocks of data between an I/O port and Memory. These block I/O instructions are string
primitives. They simplify programming and increase the speed of data transfer by eliminating the need
to use a separate LOOP instruction or an intermediate register to hold the data.
INS and OUTS are trusted instructions. To use trusted instructions, a program must execute at a
privilege level at least as privileged as that specified by the 2-bit IOPL flag (CPL ≤ IOPL). Any
attempt by a less-privileged program to use a trusted instruction results in a protection exception. See
Chapter 7 for information on protection concepts.
One of two possible opcodes represents each string primitive depending on whether it operates on byte
strings or word strings. After each transfer, the memory address in SI or DI is updated by 1 for byte
values and by 2 for word values. The value in the DF field determines if SI or DI is to be auto incremented (DF=0) or auto decremented (DF=1).
INS and OUTS use DX to specify I/O ports numbered 0 through 65,535 or 16-bit ports using only
even port addresses in the same range.
INS (Input String from Port) transfers a byte or a word string element from an input port to memory.
If a program specifies INSB, the processor transfers 8 bits from the selected port to the memory
location indicated by ES:DI. Alternately, if a program specifies INSW, the processor transfers 16 bits
from the port to the memory location indicated by ES:DI. The destination segment register choice
(ES) cannot be changed for the INS instruction.
Combined with the REP prefix, INS moves a block of information from an input port to a series of
consecutive memory locations.
Example:

REP INSB. The processor repeatedly transfers 8 bits to the memory location indicated by
ES:DI from the port selected by the 16-bit port number contained in DX. Following each
byte transfer, the CPU decrements CX. The instruction terminates the block transfer when
CX=0. After decrementing CX, the processor increments DI by one if DF=0. It decrements DI by one if DF=1.


OUTS (Output String to Port) transfers a byte or a word string element to an output port from memory.
Combined with the REP prefix, OUTS moves a block of information from a series of consecutive
memory locations indicated by DS:SI to an output port.
Example:

REP OUTS WSTRING. Assuming that the program declares WSTRING to be a word-length string element, the assembler uses the 16-bit form of the OUTS instruction to create
the object code for the program. The processor repeatedly transfers words from the memory
locations indicated by DI to the output port selected by the 16-bit port number in DX.

Following each word transfer, the CPU decrements CX. The instruction terminates the block transfer
when CX=0. After decrementing CX, the processor increments SI by two to point to the next word in
memory if DF=0; it decrements SI by two if DF=1.

4.2 HIGH-LEVEL INSTRUCTIONS
The instructions in this section provide machine-language functions normally found only in high-level
languages. These instructions include ENTER and LEAVE, which simplify the programming of procedures, and BOUND, which provides a simple method of testing an index against its predefined range.

ENTER (Enter Procedure) creates the stack frame required by most block-structured high-level
languages. A LEAVE instruction at the end of a procedure complements an ENTER at the beginning
of the procedure to simplify stack management and to control access to variables for nested procedures.
Example:

ENTER 2048,3. Allocates 2048 bytes of dynamic storage on the stack and sets up pointers
to two previous stack frames in the stack frame that ENTER creates for this procedure.

The ENTER instruction includes two parameters. The first parameter specifies the number of bytes
of dynamic storage to be allocated on the stack for the routine being entered. The second parameter
corresponds to the lexical nesting level (0-31) of the routine. (Note that the lexical level has no relationship to either the protection privilege levels or to the I/O privilege level.)

The specified lexical level determines how many sets of stack frame pointers the CPU copies into the
new stack frame from the preceding frame. This list of stack frame pointers is sometimes called the
"display." The first word of the display is a pointer to the last stack frame. This pointer enables a
LEAVE instruction to reverse the action of the previous ENTER instruction by effectively discarding
the last stack frame.
After ENTER creates the new display for a procedure, it allocates the dynamic storage space for that
procedure by decrementing SP by the number of bytes specified in the first parameter. This new value
of SP serves as a base for all PUSH and POP operations within that procedure.
To enable a procedure to address its display, ENTER leaves BP pointing to the beginning of the new
stack frame. Data manipulation instructions that specify BP as a base register implicitly address locations
within the stack segment instead of the data segment. Two forms of the ENTER instruction exist:
nested and non-nested. If the lexical level is 0, the non-nested form is used. Since the second operand
is 0, ENTER pushes BP, copies SP to BP and then subtracts the first operand from SP. The nested
form of ENTER occurs when the second parameter (lexical level) is not 0. Figure 4-1 gives the formal
definition of ENTER.

The formal definition of the ENTER instruction for all cases is given by the following listing. LEVEL denotes the value of the
second operand.

Push BP
Set a temporary value FRAME_PTR := SP
If LEVEL > 0 then
    Repeat (LEVEL - 1) times:
        BP := BP - 2
        Push the word pointed to by BP
    End repeat
    Push FRAME_PTR
End If
BP := FRAME_PTR
SP := SP - first operand.

Figure 4-1. Formal Definition of the ENTER Instruction

The main procedure (with other procedures nested within) operates at the highest lexical level, level 1.
The first procedure it calls operates at the next deeper lexical level, level 2. A level 2 procedure can
access the variables of the main program which are at fixed locations specified by the compiler. In the
case of level 1, ENTER allocates only the requested dynamic storage on the stack because there is no
previous display to copy.
A program operating at a higher lexical level calling a program at a lower lexical level requires that
the called procedure should have access to the variables of the calling program. ENTER provides this
access through a display that provides addressability to the calling program's stack frame.
A procedure calling another procedure at the same lexical level implies that they are parallel procedures and that the called procedure should not have access to the variables of the calling procedure.
In this case, ENTER copies only that portion of the display from the calling procedure which refers to
previously nested procedures operating at higher lexical levels. The new stack frame does not include
the pointer for addressing the calling procedure's stack frame.
ENTER treats a reentrant procedure as a procedure calling another procedure at the same lexical
level. In this case, each succeeding iteration of the reentrant procedure can address only its own variables and the variables of the calling procedures at higher lexical levels. A reentrant procedure can
always address its own variables; it does not require pointers to the stack frames of previous iterations.
By copying only the stack frame pointers of procedures at higher lexical levels, ENTER makes sure
that procedures access only those variables of higher lexical levels, not those at parallel lexical levels
(see figure 4-2). Figures 4-2a through 4-2d demonstrate the actions of the ENTER instruction if the
modules shown in figure 4-1 were to call one another in alphabetic order.
Block-structured high-level languages can use the lexical levels defined by ENTER to control access
to the variables of previously nested procedures. For example, if PROCEDURE A calls
PROCEDURE B which, in turn, calls PROCEDURE C, then PROCEDURE C will have access to
the variables of MAIN and PROCEDURE A, but not PROCEDURE B because they operate at the
same lexical level. Following is the complete definition of the variable access for figure 4-2.
1. MAIN PROGRAM has variables at fixed locations.
2. PROCEDURE A can access only the fixed variables of MAIN.
3. PROCEDURE B can access only the variables of PROCEDURE A and MAIN. PROCEDURE B cannot access the variables of PROCEDURE C or PROCEDURE D.
4. PROCEDURE C can access only the variables of PROCEDURE A and MAIN. PROCEDURE C cannot access the variables of PROCEDURE B or PROCEDURE D.
5. PROCEDURE D can access the variables of PROCEDURE C, PROCEDURE A, and MAIN. PROCEDURE D cannot access the variables of PROCEDURE B.

MAIN PROGRAM (LEXICAL LEVEL 1)
    PROCEDURE A (LEXICAL LEVEL 2)
        PROCEDURE B (LEXICAL LEVEL 3)
        PROCEDURE C (LEXICAL LEVEL 3)
            PROCEDURE D (LEXICAL LEVEL 4)

Figure 4-2. Variable Access in Nested Procedures

[Stack diagram, bits 15-0. Labels: OLD BP, BP FOR MAIN, BPM* (DISPLAY), DYNAMIC STORAGE, SP. *BPM = BP value for MAIN]

Figure 4-2a. Stack Frame for MAIN at Level 1

ENTER at the beginning of the MAIN PROGRAM creates dynamic storage space for MAIN but
copies no pointers. The first and only word in the display points to itself because there is no previous
value for LEAVE to return to BP. See figure 4-2a.
After MAIN calls PROCEDURE A, ENTER creates a new display for PROCEDURE A with the
first word pointing to the previous value of BP (BPM for LEAVE to return to the MAIN stack frame)
and the second word pointing to the current value of BP. Procedure A can access variables in MAIN
since MAIN is at level 1. Therefore the base for the dynamic storage for MAIN is at [BP-2]. All
dynamic variables for MAIN will be at a fixed offset from this value. See figure 4-2b.

[Stack diagram, bits 15-0. Labels: OLD BP, BPM, BP FOR A, DISPLAY (BPM, BPA*), DYNAMIC STORAGE, SP. *BPA = BP value for PROCEDURE A]

Figure 4-2b. Stack Frame for Procedure A

[Stack diagram, bits 15-0. Labels: OLD BP, BPM, BPA, BP, BPB, DISPLAY, DYNAMIC STORAGE, SP]

Figure 4-2c. Stack Frame for Procedure B at Level 3 Called from A

[Stack diagram, bits 15-0. Labels: OLD BP, BPM, BPA, BP, BPB, DISPLAY, DYNAMIC STORAGE, SP]

Figure 4-2d. Stack Frame for Procedure C at Level 3 Called from B

After PROCEDURE A calls PROCEDURE B, ENTER creates a new display for PROCEDURE B
with the first word pointing to the previous value of BP, the second word pointing to the value of BP
for MAIN, and the third word pointing to the value of BP for A and the last word pointing to the
current BP. B can access variables in A and MAIN by fetching from the display the base addresses of
the respective dynamic storage areas. See figure 4-2c.
After PROCEDURE B calls PROCEDURE C, ENTER creates a new display for PROCEDURE C
with the first word pointing to the previous value of BP, the second word pointing to the value of BP
for MAIN, and the third word pointing to the BP value for A and the third word pointing to the current
value of BP. Because PROCEDURE B and PROCEDURE C have the same lexical level, PROCEDURE C is not allowed access to variables in B and therefore does not receive a pointer to the beginning of PROCEDURE B's stack frame. See figure 4-2d.

LEAVE (Leave Procedure) reverses the action of the previous ENTER instruction. The LEAVE
instruction does not include any operands.
Example:

LEAVE. First, LEAVE copies BP to SP to release all stack space allocated to the procedure by the most recent ENTER instruction. Next, LEAVE pops the old value of BP from
the stack. A subsequent RET instruction can then remove any arguments that were pushed
on the stack by the calling program for use by the called procedure.
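
The ENTER listing of Figure 4-1 and the LEAVE behavior described above can be traced with a small simulator. The following C program is an added example, not part of the Intel manual: it models the stack as an array of words and replays the MAIN, A, B, C call chain of figures 4-2a through 4-2d. The initial SP, the dummy return address, and the helper names (call_proc, ret_proc, display_word, display_has) are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_TOP 0x1000u            /* constructed initial SP for the demo */
static uint16_t mem[STACK_TOP / 2];  /* word model of the stack segment */
static uint16_t sp, bp;

static void reset_stack(void) { sp = STACK_TOP; bp = 0; }
static uint16_t rd(uint16_t addr) { return mem[addr / 2]; }
static void push(uint16_t v) { sp = (uint16_t)(sp - 2); mem[sp / 2] = v; }
static uint16_t pop(void) { uint16_t v = mem[sp / 2]; sp = (uint16_t)(sp + 2); return v; }

/* ENTER bytes,level: line-by-line transcription of Figure 4-1. */
static void enter(uint16_t bytes, unsigned level)
{
    push(bp);
    uint16_t frame_ptr = sp;
    if (level > 0) {
        for (unsigned i = 1; i < level; i++) {  /* repeat (LEVEL - 1) times */
            bp = (uint16_t)(bp - 2);
            push(rd(bp));                       /* copy one display word */
        }
        push(frame_ptr);                        /* pointer to the new frame */
    }
    bp = frame_ptr;
    sp = (uint16_t)(sp - bytes);                /* allocate dynamic storage */
}

/* LEAVE: copy BP to SP, then pop the caller's BP. */
static void leave(void) { sp = bp; bp = pop(); }

/* Hypothetical helpers: a near CALL pushes a return address before ENTER. */
static uint16_t call_proc(uint16_t bytes, unsigned level)
{
    push(0xC0DE);                               /* constructed return address */
    enter(bytes, level);
    return bp;
}
static void ret_proc(void) { leave(); (void)pop(); }

/* Display word k of the current frame is at [BP - 2k], k = 1..level. */
static uint16_t display_word(unsigned k) { return rd((uint16_t)(bp - 2 * k)); }

/* Does the current frame's display hold a pointer to `frame`? */
static int display_has(unsigned level, uint16_t frame)
{
    for (unsigned k = 1; k <= level; k++)
        if (display_word(k) == frame)
            return 1;
    return 0;
}

int main(void)
{
    reset_stack();
    uint16_t bpm = call_proc(8, 1);             /* MAIN, lexical level 1 */
    uint16_t bpa = call_proc(4, 2);             /* A, level 2 */
    uint16_t bpb = call_proc(2, 3);             /* B, level 3, called from A */
    uint16_t bpc = call_proc(2, 3);             /* C, level 3, called from B */

    printf("BPM=%04X BPA=%04X BPB=%04X BPC=%04X\n", bpm, bpa, bpb, bpc);
    for (unsigned k = 1; k <= 3; k++)
        printf("C display word %u = %04X\n", k, display_word(k));
    printf("C can reach B's frame through its display: %s\n",
           display_has(3, bpb) ? "yes" : "no");
    printf("saved BP at [BP] (used only by LEAVE) = %04X\n", rd(bp));
    ret_proc();
    printf("after LEAVE/RET: BP=%04X SP=%04X\n", bp, sp);
    return 0;
}
```

The display of C holds BPM, BPA and C's own frame pointer; B's frame pointer appears only as the saved BP at [BP], which LEAVE consumes.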


BOUND (Detect Value Out of Range) verifies that the signed value contained in the specified register
lies within specified limits. An interrupt (INT 5) occurs if the value contained in the register is less
than the lower bound or greater than the upper bound.
The BOUND instruction includes two operands. The first operand specifies the register being tested.
The second operand contains the effective relative address of the two signed BOUND limit values. The
BOUND instruction assumes that it can obtain the upper limit from the memory word that immediately follows the lower limit. These limit values cannot be register operands; if they are, an invalid
opcode exception occurs.
BOUND is useful for checking array bounds before using a new index value to access an element
within the array. BOUND provides a simple way to check the value of an index register before the
program overwrites information in a location beyond the limit of the array.
The two-word block of memory that specifies the lower and upper limits of an array might typically
reside just before the array itself. This makes the array bounds accessible at a constant offset of -4
from the beginning of the array. Because the address of the array will already be present in a register,
this practice avoids extra calculations to obtain the effective address of the array bounds.
Example:

BOUND BX,ARRAY-4. Compares the value in BX with the lower limit at address
ARRAY-4 and the upper limit at address ARRAY-2. If the signed value in BX is less
than the lower bound or greater than the upper bound, the interrupt for this instruction
(INT 5) occurs. Otherwise, this instruction has no effect.
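
The check performed by BOUND BX,ARRAY-4 can be modeled in C to show the effect of the signed comparison and of storing the limits immediately before the array. This is an added example, not code from the manual; the struct layout, the sample limits, and the function names (as_signed16, bound_faults, checked_store) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: the two signed limit words sit directly before the
 * array, so the lower limit is at ARRAY-4 and the upper limit at ARRAY-2. */
struct bounded_array {
    int16_t limits[2];   /* [0] = lower bound, [1] = upper bound */
    int16_t data[10];    /* ARRAY */
};
_Static_assert(offsetof(struct bounded_array, data) == 4,
               "limits must sit at ARRAY-4");

/* Constructed samples. */
static struct bounded_array sample = { { 0, 9 }, { 0 } };
static const int16_t signed_limits[2] = { -5, 5 };

/* BOUND treats the register contents as a signed 16-bit value. */
static int as_signed16(uint16_t reg)
{
    return reg >= 0x8000u ? (int)reg - 0x10000 : (int)reg;
}

/* Returns 1 where BOUND would raise INT 5, 0 where it has no effect. */
static int bound_faults(uint16_t reg, const int16_t *limits)
{
    int v = as_signed16(reg);
    return v < limits[0] || v > limits[1];
}

/* Model of "BOUND BX,ARRAY-4" followed by an indexed store. The limits are
 * found at a constant offset of -4 from the array address. Returns -1
 * without writing when the index would have raised INT 5. */
static int checked_store(int16_t *array, uint16_t bx, int16_t value)
{
    struct bounded_array *obj = (struct bounded_array *)
        ((char *)array - offsetof(struct bounded_array, data));
    if (bound_faults(bx, obj->limits))
        return -1;
    array[as_signed16(bx) - obj->limits[0]] = value;
    return 0;
}

int main(void)
{
    /* Constructed index values: in range, one past the end, -1, and 40000
     * (which is negative when read as a signed word). */
    const uint16_t indexes[] = { 3, 10, 0xFFFF, 0x9C40 };
    for (size_t i = 0; i < sizeof indexes / sizeof indexes[0]; i++)
        printf("BX=%04X (signed %6d): %s\n", indexes[i],
               as_signed16(indexes[i]),
               checked_store(sample.data, indexes[i], 77) ? "INT 5" : "stored");
    printf("BX=FFFB against limits -5..5: %s\n",
           bound_faults(0xFFFB, signed_limits) ? "INT 5" : "in range");
    return 0;
}
```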


CHAPTER 5
REAL ADDRESS MODE
The 80286 can be operated in either of two modes according to the status of the Protection Enabled
bit of the MSW status register. In contrast to the "modes" and "mode bits" 

Figure 5-4. Stack Structure after Interrupt (Real Address Mode)

Table 5-2. Dedicated and Reserved Interrupt Vectors in Real Address Mode

Function | Interrupt Number | Related Instructions | Return Address Before Instruction Causing Exception?
Divide error exception | 0 | DIV, IDIV | Yes
Single step interrupt | 1 | All | N/A
NMI interrupt | 2 | All | N/A
Breakpoint interrupt | 3 | INT | N/A
INTO detected overflow exception | 4 | INTO | No
BOUND range exceeded exception | 5 | BOUND | Yes
Invalid opcode exception | 6 | Any undefined opcode | Yes
Processor extension not available exception | 7 | ESC or WAIT | Yes
Interrupt table limit too small | 8 | LIDT | Yes
Processor extension segment overrun interrupt | 9 | ESC | Yes
Segment overrun exception | 13 | Any memory reference instruction that attempts to reference 16-bit word at offset 0FFFFH. | Yes
Reserved | 10-12, 14, 15 | |
Processor extension error interrupt | 16 | ESC or WAIT | N/A
Reserved | 17-31 | |
User defined | 32-255 | |

N/A = Not Applicable

Single-Step (Interrupt 1). This interrupt will occur after each instruction if the Trap Flag (TF)
bit of the FLAGS register is set. Of course, TF is cleared upon entry to this or any other interrupt
to prevent infinite recursion. The saved value of CS:IP will point to the next instruction.
Nonmaskable (Interrupt 2). This interrupt will occur upon receipt of an external signal on the
NMI pin. Typically, the nonmaskable interrupt is used to implement power-fail/auto-restart
procedures. The saved value of CS:IP will point to the first byte of the interrupted instruction.
Breakpoint (Interrupt 3). Execution of the one-byte breakpoint instruction causes this interrupt to
occur. This instruction is useful for the implementation of software debuggers since it requires
only one code byte and can be substituted for any instruction opcode byte. The saved value of
CS:IP will point to the next instruction.


INTO Detected Overflow (Interrupt 4). Execution of the INTO conditional software interrupt
instruction will cause this interrupt to occur if the overflow bit (OF) of the FLAGS register is set.
The saved value of CS:IP will point to the next instruction.
BOUND Range Exceeded (Interrupt 5). Execution of the BOUND instruction will cause this
interrupt to occur if the specified array index is found to be invalid with respect to the given array
bounds. The saved value of CS:IP will point to the first byte of the BOUND instruction.
Invalid Opcode (Interrupt 6). This exception will occur if execution of an invalid opcode is
attempted. (In Real Address Mode, most of the Protected Virtual Address Mode instructions are
classified as invalid and should not be used). This interrupt can also occur if the effective address
given by certain instructions, notably BOUND, LDS, LES, and LIDT, specifies a register rather
than a memory location. The saved value of CS:IP will point to the first byte of the invalid
instruction or opcode.
Processor Extension Not Available (Interrupt 7). Execution of the ESC instruction will cause this
interrupt to occur if the status bits of the MSW indicate that processor extension functions are to
be emulated in software. Refer to section 10.2.2 for more details. The saved value of CS:IP will
point to the first byte of the ESC or the WAIT instruction.
Interrupt Table Limit Too Small (Interrupt 8). This interrupt will occur if the limit of the interrupt vector table was changed from 3FFH by the LIDT instruction and an interrupt whose vector
is outside the limit occurs. The saved value of CS:IP will point to the first byte of the instruction
that caused the interrupt or that was ready to execute before an external interrupt occurred. No
error code is pushed.
Processor Extension Segment Overrun Interrupt (Interrupt 9). The interrupt will occur if a
processor extension memory operand does not fit in a segment. The saved CS:IP will point at the
first byte of the instruction that caused the interrupt.
Segment Overrun Exception (Interrupt 13). This interrupt will occur if a memory operand does
not fit in a segment. In Real Mode this will occur only when a word operand begins at segment
offset 0FFFFH. The saved CS:IP will point at the first byte of the instruction that caused the
interrupt. No error code is pushed.
Processor Extension Error (Interrupt 16). This interrupt occurs after the numeric instruction that
caused the error. It can only occur while executing a subsequent WAIT or ESC. The saved value
of CS:IP will point to the first byte of the ESC or the WAIT instruction. The address of the failed
numeric instruction is saved in the NPX.

5.3 SYSTEM INITIALIZATION
The 80286 provides an orderly way to start or restart an executing system. Upon receipt of the RESET
signal, certain processor registers go into the determinate state shown in table 5-3.
Table 5-3. Processor State after RESET

Register    Contents
FLAGS       0002 (H)
MSW         FFF0 (H)
IP          FFF0 (H)
CS          F000 (H)
DS          0000 (H)
SS          0000 (H)
ES          0000 (H)

Since the CS register contains F000 (thus specifying a code segment starting at physical address F0000)
and the instruction pointer contains FFF0, the processor will execute its first instruction at physical
address FFFF0H. The uppermost 16 bytes of physical memory are therefore reserved for initial startup
logic. Ordinarily, this location contains an intersegment direct JMP instruction whose target is the
actual beginning of a system initialization or restart program.
Some of the steps normally performed by a system initialization routine are as follows:
Allocate a stack.
Load programs and data from secondary storage into memory.
Initialize external devices.
Enable interrupts (i.e., set the IF bit of the FLAGS register). Set any other desired FLAGS bit as well.
Set the appropriate MSW flags if a processor extension is present, or if processor extension functions are to be emulated by software.
Set other registers, as appropriate, to the desired initial values.
Execute. (Ordinarily, this last step is performed as an intersegment JMP to the main system program.)


CHAPTER 6
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING
In Protected Virtual Address Mode, the 80286 provides an advanced architecture that retains substantial compatibility with the 8086 and other processors in the 8086 family. In many respects, the baseline
architecture of the processor remains constant regardless of the mode of operation. Application
programmers continue to use the same set of instructions, addressing modes, and data types in Protected
Mode as in Real Address Mode.
The major difference between the two modes of operation is that the Protected Mode provides system
programmers with additional architectural features, supplementary to the baseline architecture, that
can be used to good advantage in the design and implementation of advanced systems. Especially
noteworthy are the mechanisms provided for memory management, protection, and multitasking.
This chapter focuses on the memory management mechanisms of Protected Mode; the concept of a
virtual address and the process of virtual-to-physical address translation are described in detail in this
chapter. Subsequent chapters deal with other key aspects of Protected Mode operation. Chapter 7
discusses the issue of protection and the integrated mechanisms that support a system-wide protection
policy. Chapter 8 discusses the notion of a task and its central role in the 80286 architecture. Chapters
9 through 11 discuss certain additional topics (interrupt handling, special instructions, system initialization, etc.) that complete the system programmer's view of 80286 Protected Mode.

6.1 MEMORY MANAGEMENT OVERVIEW
A memory management scheme interposes a mapping operation between logical addresses (i.e., addresses
as they are viewed by programs) and physical addresses (i.e., actual addresses in real memory). Since
the logical address spaces are independent of physical memory (dynamically relocatable), the mapping
(the assignment of real address space to virtual address space) is transparent to software. This allows
the program development tools (for static systems) or the system software (for reprogrammable systems)
to control the allocation of space in real memory without regard to the specifics of individual programs.
Application programs may be translated and loaded independently since they deal strictly with virtual
addresses. Any program can be relocated to use any available segments of physical memory.
The 80286, when operated in Protected Mode, provides an efficient on-chip memory management
architecture. Moreover, as described in Chapter 11, the 80286 also supports the implementation of
virtual memory systems, that is, systems that dynamically swap chunks of code and data between real
memory and secondary storage devices (e.g., a disk) independent of and transparent to the executing
application programs. Thus, a program-visible address is more aptly termed a virtual address rather
than a logical address since it may actually refer to a location not currently present in real memory.
Memory management, then, consists of a mechanism for mapping the virtual addresses that are visible
to the program onto the physical addresses of real memory. With the 80286, segmentation is the key
to virtual memory addressing. Virtual memory is partitioned into a number of individual segments,
which are the units of memory that are mapped into physical memory and swapped to and from
secondary storage devices. Most of this chapter is devoted to a detailed discussion of the mapping and
virtual memory mechanisms of the 80286.
The concept of a task also plays a significant role in memory management since distinct memory
mappings may be assigned to the different tasks in a multitask or multi-user environment. A complete
discussion of tasks is deferred until Chapter 8, "Tasks and State Transition." For present purposes, it
is sufficient to think of a task as an ongoing process, or execution path, that is dedicated to a particular
function. In a multi-user time-sharing environment, for example, the processing required to interact
with a particular user may be considered as a single task, functionally independent of the other tasks
(i.e., users) in the system.

6.2 VIRTUAL ADDRESSES
In Protected Mode, application programs deal exclusively with virtual addresses; programs have no
access whatsoever to the actual physical addresses generated by the processor. As discussed in Chapter
2, an address is specified by a program in terms of two components: (1) a 16-bit effective address offset
that determines the displacement, in bytes, of a location within a segment; and (2) a 16-bit segment
selector that uniquely references a particular segment. Jointly, these two components constitute a
complete 32-bit address (pointer data type), as shown in figure 6-1.
These 32-bit virtual addresses are manipulated by programs in exactly the same way as the two-component addresses of Real Address Mode. After a program loads the segment selector component
of an address into a segment register, each subsequent reference to locations within the selected segment
requires only a 16-bit offset be specified. Locality of reference will ordinarily insure that addresses can
be specified very efficiently using only 16-bit offsets.
An important difference between Real Address Mode and Protected Mode, however, concerns the
actual format and information content of segment selectors. In Real Address Mode, as with the 8086
and other processors in the 8086 family, a 16-bit selector is merely the upper bits of a segment's
physical base address. By contrast, segment selectors in Protected Mode follow an entirely different
format, as illustrated by figure 6-1.
Two of the selector bits, designated as the RPL field in figure 6-1, are not actually involved in the
selection and specification of segments; their use is discussed in Chapter 7.

[Diagram: the 32-BIT POINTER consists of a SEGMENT SELECTOR (bits 31-16) and a SEGMENT OFFSET (bits 15-0); the SELECTOR is expanded to show its INDEX field.]

Figure 6-1. Format of the Segment Selector Component

The remaining 14 bits of the selector component uniquely designate a particular segment. The virtual
address space of a program, therefore, may encompass as many as 16,384 (2^14) distinct segments.
Segments themselves are of variable size, ranging from as small as a single byte to as large as 64K
(2^16) bytes. Thus, a program's virtual address space may contain, altogether, up to a full gigabyte (2^30
= 2^14 × 2^16) of individually addressable byte locations.
The entirety of a program's virtual address space is further subdivided into two separate halves, as
distinguished by the TI ("table indicator") bit in the virtual address. These two halves are the global
address space and the local address space.
The global address space is used for system-wide data and procedures including operating system
software, library routines, runtime language support and other commonly shared system services. (To
application programs, the operating system appears to be a set of service routines that are accessible
to all tasks.) Global space is shared by all tasks to avoid unnecessary replication of system service
routines and to facilitate shared data and interrupt handling. Global address space is defined by addresses
with a zero in the TI bit position; it is identically mapped for all tasks in the system.
The other half of the virtual address space, comprising those addresses with the TI bit set, is separately
mapped for each task in the system. Because such an address space is local to the task for which it is
defined, it is referred to as a local address space. In general, code and data segments within a task's
local address space are private to that particular task or user. Figure 6-2 illustrates the task isolation
made possible by partitioning the virtual address spaces into local and global regions.

[Diagram panels: TASK 1 VIRTUAL ADDRESS SPACE, TASK 2 VIRTUAL ADDRESS SPACE, TASK 3 VIRTUAL ADDRESS SPACE]

Figure 6-2. Address Spaces and Task Isolation

Within each of the two regions addressable by a program (either the global address space or a particular local address space), as many as 8,192 (2^13) distinct segments may be defined. The INDEX field
of the segment selector allows for a unique specification of each of these segments. This 13-bit quantity
acts as an index into a memory-resident table, called a descriptor table, that records the mapping
between segment address and the physical locations allocated to each distinct segment. (These descriptor tables, and their role in virtual-to-physical address translation, are described in the sections that
follow.)
In summary, a Protected Mode virtual address is a 32-bit pointer to a particular byte location within a
one-gigabyte virtual address space. Each such pointer consists of a 16-bit selector component and a
16-bit offset component. The selector component, in turn, comprises a 13-bit table index, a 1-bit table
indicator (local versus global), and a 2-bit RPL field; all but this last field serve to select a particular
segment from among the 16K segments in a task's virtual address space. The offset component of a
full pointer is an unsigned 16-bit integer that specifies the desired byte location within the selected
segment.

6.3 DESCRIPTOR TABLES
A descriptor table is a memory-resident table either defined by program development tools in a static
system or controlled by operating system software in systems that are reprogrammable. The descriptor
table contents govern the interpretation of virtual addresses. Whenever the 80286 decodes a virtual
address, translating a full 32-bit pointer into a corresponding 24-bit physical address, it implicitly references one of these tables.
Within a Protected Mode system, there are ordinarily several descriptor tables resident in memory.
One of these is the global descriptor table (GDT); this table provides a complete description of the
global address space. In addition, there may be one or more local descriptor tables (LDTs), each
describing the local address space of one or more tasks.
For each task in the system, a pair of descriptor tables, consisting of the GDT (shared by all tasks)
and a particular LDT (private to the task or to a group of closely related tasks), provides a complete
description of that task's virtual address space. The protection mechanism described in Chapter 7,
"Protection," ensures that a task is granted access only to its own virtual address space. In the simplest
of system configurations, tasks can reside entirely within the GDT without the use of local descriptor
tables. This will simplify system software by only requiring maintenance of one table (the GDT) at the
expense of no isolation between tasks. The point is: the 80286 memory management scheme is flexible
enough to accommodate a variety of implementations and does not require use of all possible facilities
when implementing a system.
The descriptor tables consist of a sequence of 8-byte entries called descriptors. A descriptor table may
contain from 1 to 8192 entries.
Within a descriptor table, two main classes of descriptors are recognized by the 80286 architecture.
The most important of these, from the standpoint of memory management, are called segment descriptors; these determine the set of segments that are included within a given address space. The other
class are special-purpose control descriptors, such as call gates and task descriptors, to implement
protection (described in succeeding chapters) and special system data segments.
Figure 6-3 shows the format of a segment descriptor. Note that it provides information about the
physical-memory base address and size of a segment, as well as certain access information. If a particular segment is to be included within a virtual address space, then a segment descriptor that describes
that segment must be included within the appropriate descriptor table. Thus, within the GDT, there
are segment descriptors for all of the segments that comprise a system's global address space. Similarly,
within a task's LDT, there must be a descriptor for each of the segments that are to be included in
that task's local address space.

Byte offset    Contents
+7, +6         INTEL RESERVED* (MUST BE 0)
+5             ACCESS RIGHTS BYTE: P, DPL, S, TYPE, A
+4             BASE 23-16
+3, +2         BASE 15-0
+1, 0          LIMIT 15-0

ACCESS RIGHTS BYTE:
P    = PRESENT
DPL  = DESCRIPTOR PRIVILEGE LEVEL
S    = SEGMENT DESCRIPTOR
TYPE = SEGMENT TYPE AND ACCESS INFORMATION (see Figure 6-7)
A    = ACCESSED
*MUST BE SET TO 0 FOR COMPATIBILITY WITH iAPX 386

Figure 6-3. Code or Data Segment Descriptor (S = 1)
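
The selector fields summarized in section 6.2 and the descriptor layout of Figure 6-3 combine into a table lookup, sketched below in C as an added example that is not part of the manual. It goes one step past this section by adding the segment base to the offset and checking the offset against the limit; it assumes expand-up segments and omits the privilege checks of Chapter 7. The table contents, the error codes, and the function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct selector { unsigned index, ti, rpl; };

/* Selector: 13-bit INDEX (bits 15-3), TI (bit 2), RPL (bits 1-0). */
static struct selector decode_selector(uint16_t sel)
{
    struct selector s;
    s.index = (unsigned)sel >> 3;
    s.ti = ((unsigned)sel >> 2) & 1u;
    s.rpl = (unsigned)sel & 3u;
    return s;
}

struct descriptor { uint32_t base; uint16_t limit; uint8_t access; };

/* 8-byte descriptor: LIMIT 15-0 at +0, BASE 15-0 at +2, BASE 23-16 at +4,
 * access rights byte at +5, reserved word at +6. */
static struct descriptor parse_descriptor(const uint8_t *d)
{
    struct descriptor out;
    out.limit = (uint16_t)(d[0] | (d[1] << 8));
    out.base = (uint32_t)d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16);
    out.access = d[5];
    return out;
}

struct table { const uint8_t *bytes; unsigned entries; };  /* 1..8192 entries */

enum xlate { XL_OK, XL_BAD_INDEX, XL_NOT_PRESENT, XL_LIMIT };

/* TI selects the LDT (1) or GDT (0); INDEX selects the 8-byte entry. */
static enum xlate translate(uint16_t sel, uint16_t off, const struct table *gdt,
                            const struct table *ldt, uint32_t *phys)
{
    struct selector s = decode_selector(sel);
    const struct table *t = s.ti ? ldt : gdt;
    if (s.index >= t->entries)
        return XL_BAD_INDEX;                 /* selector points past the table */
    struct descriptor d = parse_descriptor(t->bytes + 8u * s.index);
    if (!(d.access & 0x80))
        return XL_NOT_PRESENT;               /* P bit clear */
    if (off > d.limit)
        return XL_LIMIT;                     /* offset outside the segment */
    *phys = (d.base + off) & 0xFFFFFFu;      /* 24-bit physical address */
    return XL_OK;
}

/* Constructed tables. GDT: null entry, a 4K segment at 012000H, a
 * not-present segment. LDT: one 64K segment at 200000H. */
static const uint8_t GDT_BYTES[24] = {
    0, 0, 0, 0, 0, 0, 0, 0,
    0xFF, 0x0F, 0x00, 0x20, 0x01, 0x93, 0, 0,
    0xFF, 0xFF, 0x00, 0x00, 0x03, 0x13, 0, 0,
};
static const uint8_t LDT_BYTES[8] = {
    0xFF, 0xFF, 0x00, 0x00, 0x20, 0xF3, 0, 0,
};
static const struct table GDT = { GDT_BYTES, 3 };
static const struct table LDT = { LDT_BYTES, 1 };

int main(void)
{
    /* Constructed pointers: selector:offset pairs. */
    const uint16_t ptrs[][2] = {
        { 0x0008, 0x0010 }, { 0x0007, 0x1234 }, { 0x0008, 0x1000 },
        { 0x0010, 0x0000 }, { 0x0028, 0x0000 }, { 0x000C, 0x0000 },
    };
    static const char *names[] = { "ok", "bad index", "not present", "limit" };
    for (unsigned i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++) {
        uint32_t phys = 0;
        struct selector s = decode_selector(ptrs[i][0]);
        enum xlate r = translate(ptrs[i][0], ptrs[i][1], &GDT, &LDT, &phys);
        printf("%04X:%04X index=%u TI=%u RPL=%u -> %s",
               ptrs[i][0], ptrs[i][1], s.index, s.ti, s.rpl, names[r]);
        if (r == XL_OK)
            printf(" %06lX", (unsigned long)phys);
        printf("\n");
    }
    return 0;
}
```

Selectors 0008H and 000CH carry the same INDEX but resolve through different tables because of the TI bit, which is how the same index can name a shared global segment or a task-private one.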
Each local descriptor table is itself a special system segment, recognizable as such by the 80286 architecture and described by a specific type of segment descriptor (see figure 6-4). Because there is only a
single GDT segment, it is not defined by a segment descriptor. Its base and size information is maintained
in a dedicated register, GDTR, as described below (section 6.6.2).
Similarly, there is another dedicated register within the 80286, LDTR, that records the base and size
of the current LDT segment (i.e., the LDT associated with the currently executing task). The LDTR
register state, however, is volatile: its contents are automatically altered whenever a task switch is made
from one task to another. An alternate specification independent of changeable register contents must
therefore exist for each LDT in the system. This independent specification is accomplished by means
of special system segment descriptors known as descriptor table descriptors or LDT descriptors.
Figure 6-4 shows the format of a descriptor table descriptor. (Note that it is distinguished from an
ordinary segment descriptor by the contents of certain bits in the access byte.) This special type of
descriptor is used to specify the physical base address and size of a local descriptor table that defines
the virtual address space and address mapping for an individual user or task (figure 6-5).
Each LDT segment in a system must lie within that system's global address space. Thus, all of the
descriptor table descriptors must be included among the entries in the global descriptor table (the
GDT) of a system. In fact, these special descriptors may appear only in the GDT. Reference to an
LDT descriptor within an LDT will cause a protection violation. Even though they are in the global
address space available to all tasks, the descriptor table descriptors are protected from corruption within
the GDT since they are special system segments and can only be accessed for loading into the LDTR
register.

Figure 6-4. System Segment Descriptor or Gate Descriptor (S = 0)
Bytes 0-1: LIMIT 15-0. Bytes 2-3: BASE 15-0. Byte 4: BASE 23-16. Byte 5: access rights byte. Bytes 6-7: Intel reserved; must be set to 0 for compatibility with iAPX 386.
Access rights byte: P = Present; DPL = Descriptor Privilege Level; S = Segment Descriptor; TYPE = Type of special descriptor (includes control and system segments):
0 = Invalid descriptor
1 = Available task state segment
2 = LDT descriptor
3 = Busy task state segment
4-7 = Control descriptor (see Chapter 7)
8 = Invalid descriptor (reserved by Intel)
9-F = Reserved by Intel

6.4 VIRTUAL-TO-PHYSICAL ADDRESS TRANSLATION
The translation of a full 32-bit virtual address pointer into a real 24-bit physical address is shown by
figure 6-6. When the segment's base address is determined as a result of the mapping process, the
offset value is added to the result to obtain the physical address.
The actual mapping is performed on the selector component of the virtual address. The 16-bit segment
selector is mapped to a 24-bit segment base address via a segment descriptor maintained in one of the
descriptor tables.
The TI bit in the segment selector (see figure 6-1) determines which of two descriptor tables, either
the GDT or the current LDT, is to be chosen for memory mapping. In either case, using the GDTR or
LDTR register, the processor can readily determine the physical base address of the memory-resident
table.
The INDEX field in the segment selector specifies a particular descriptor entry within the chosen
table. The processor simply multiplies this index value by 8 (the length of a descriptor), and adds the
result to the base address of the descriptor table in order to access the appropriate segment descriptor
in the table.

Finally, the segment descriptor contains the physical base address of the target segment, as well as size
(limit) and access information. The processor sums the 24-bit segment base and the specified 16-bit
offset to generate the resulting 24-bit physical address.

Figure 6-5. LDT Descriptor
(An LDT descriptor in the GDT in memory supplies the base and limit of an LDT among the descriptor tables in RAM; an entry of that LDT supplies the segment base and segment limit of one segment of the task's local (private) address space.)

6.5 SEGMENTS AND SEGMENT DESCRIPTORS

Segments are the basic units of 80286 memory management. In contrast to schemes based on fixed-size pages, segmentation allows for a very efficient implementation of software: variable-length segments
can be tailored to the exact requirements of an application. Segmentation, moreover, is consistent with
the way a programmer naturally deals with his virtual address space: programmers are encouraged to
divide code and data into clearly defined modules and structures which are manipulated as consistent
entities. This reduces (minimizes) the potential for virtual memory thrashing. Segmentation also eliminates the restrictions on data structures that span a page (e.g., a word that crosses page boundaries).

Each segment within an 80286 system is defined by an associated segment descriptor, which may
appear in one or more descriptor tables. Its inclusion within a descriptor table represents the presence
of its associated segment within the virtual address space defined by that table. Conversely, its omission from a descriptor table means that the segment is absent from the corresponding address space.

Figure 6-6. Virtual-to-Physical Address Translation
(The virtual address consists of a SELECTOR and an OFFSET. The selector's TI bit and INDEX pick a segment descriptor in a descriptor table; the descriptor gives the segment base of the target segment, and the offset locates the datum at its physical address.)

As shown previously in figure 6-3, an 8-byte segment descriptor encodes the following information
about a particular segment:
Size. This 16-bit field, comprising bytes 0 and 1 of a segment descriptor, specifies an unsigned
integer as the size, in bytes (from 1 byte to 64K bytes), of the segment.
Unlike segments in the 8086 (or the 80286 in Real Address Mode)-which are never explicitly
limited to less than a full 64K bytes-Protected Mode segments are always assigned a specific
size value. In conjunction with the protection features described in Chapter 7, this assigned size
allows the enforcement of a very desirable and natural rule: inadvertent accesses to locations beyond
a segment's actual boundaries are prohibited.
Base. This 24-bit field, comprising bytes 2 through 4 of a segment descriptor, specifies the physical base address of the segment; it thus defines the actual location of the segment within the 16-megabyte real memory space. The base may be any byte address within the 16-megabyte real
memory space.
Access. This 8-bit field comprises byte 5 of a segment descriptor. This access byte specifies a
variety of additional information about a segment, particularly in regard to the protection features
of the 80286. For example, code segments are distinguished from data segments; and certain special
access restrictions (such as Execute-Only or Read-Only) may be defined for segments of each
type. Access byte values of 00H or 80H will always denote "invalid."
Figure 6-7 shows the access byte format for both code and data segment descriptors. Detailed discussion of the protection related fields within an access byte (Conforming, Execute-Only, Descriptor Privilege Level, Expand Down, and Write-Permitted), and their use in implementing protection policies, is
deferred to Chapter 7. The two fields Accessed and Present are used for virtual memory
implementations.

Figure 6-7. Segment Descriptor Access Bytes
Data or stack segment access byte, from LSB to MSB: ACCESSED (1 = yes); WRITEABLE (1 = yes); EXPAND DOWN (1 = down); EXECUTABLE (0 = no for data); (indicates segment descriptor); DESCRIPTOR PRIVILEGE LEVEL; PRESENT (1 = yes).

6.6 MEMORY MANAGEMENT REGISTERS
The Protected Virtual Address Mode features of the 80286 operate at high performance due to extensions to the basic 8086 register set. Figure 6-8 illustrates that portion of the extended register structure
that pertains to memory management. (For a complete summary of all Protected Mode registers, refer
to section 10.1).

6.6.1 Segment Address Translation Registers
Figure 6-8 shows the segment registers CS, DS, ES, and SS. In contrast to their usual representation,
however, these registers are now depicted as 64-bit registers, each with "visible" and "hidden"
components.
The visible portions of these segment address translation registers are manipulated by programs exactly
as if they were simply the 16-bit segment registers of Real Address Mode. By loading a segment selector into one of these registers, the program makes the associated segment one of its four currently
addressable segments.

Figure 6-8. Memory Management Registers
Segment address translation registers (including the data, extra, and stack segment registers): a 16-bit visible selector (bits 63-48) and a 48-bit hidden descriptor cache holding access rights (bits 47-40), segment base address (bits 39-16), and segment size (bits 15-0).
System address registers: GDTR (global descriptor table register) and IDTR (interrupt descriptor table register) are 40-bit explicit registers holding BASE (bits 39-16) and LIMIT (bits 15-0). LDTR (local descriptor table register) has a 16-bit visible selector (bits 55-40) and a 40-bit hidden descriptor cache, automatically loaded from within the GDT, holding BASE (bits 39-16) and LIMIT (bits 15-0).

The operations that load these registers-or, more exactly, those that load the visible portion of these
registers-are normal program instructions. These instructions may be divided into two categories:

1. Direct segment-register load instructions. These instructions (such as LDS, LES, MOV, POP,
   etc.) can explicitly reference the SS, DS, or ES segment registers as the destination operand.

2. Implied segment-register load instructions. These instructions (such as intersegment CALL and
   JMP) implicitly reference the CS code segment register; as a result of these operations, the contents
   of CS are altered.

Using these instructions, a program loads the visible part of the segment register with a 16-bit selector
(i.e., the high-order word of a virtual address pointer). Whenever this is done, the processor automatically uses the selector to reference the appropriate descriptor and loads the 48-bit hidden descriptor
cache for that segment register.

The correspondence between selectors and descriptors has already been described. Remember that the
selector's TI bit indicates one of the two descriptor tables, either the LDT or the GDT. Within the
indicated table, a particular entry is chosen by the selector's 13-bit INDEX field. This index, scaled
by a factor of 8, represents the relative displacement of the chosen table entry (a descriptor).


Thus, so long as a particular selector value is valid (i.e., it points to a valid segment descriptor within
the bounds of the descriptor table), it can be readily associated with an 8-byte descriptor. When a
selector value is loaded into the visible part of a segment register, the 80286 automatically loads 6
bytes of the associated descriptor into the hidden part of the register. These 6 bytes, therefore, contain
the size, base, and access type of the selected segment. Figure 6-9 illustrates this transparent process
of descriptor loading.
In effect, the hidden descriptor fields of the segment registers function as the memory management
cache of the 80286. All the information required to address the current working set of segments-that
is, the base address, size, and access rights of the currently addressable segments-is stored in this
memory cache. Unlike the probabilistic caches of other architectures, however, the 80286 cache is
completely deterministic: the caching of descriptors is explicitly controlled by the program.
Most memory references do not require the translation of a full 32-bit virtual address, or long pointer.
Operands that are located within one of the currently addressable segments, as determined by the four
segment registers, can be referenced very efficiently by means of a short pointer, which is simply a
16-bit offset.
In fact, most 80286 instructions reference memory locations in precisely this way, specifying only a
16-bit offset with respect to one of the currently addressable segments. The choice of segments (CS,
DS, ES, or SS) is either implicit within the instruction itself, or explicitly specified by means of a
segment-override prefix (as described in Chapter 2).

Figure 6-9. Descriptor Loading
(Within the CPU, loading a selector into the application-visible segment register causes the TYPE, BASE, and LIMIT of the selected segment descriptor to be copied from the descriptor table in system memory into the descriptor cache: transparent descriptor loading.)


Thus, in most cases, virtual-to-physical address translation is actually performed in two separate steps.
First, when a program loads a new value into a segment register, the processor immediately performs
a mapping operation; the physical base address of the selected segment (as well as certain additional
information) is automatically loaded into the hidden portion of the register. The internal cache registers
(virtual address translation hardware) are therefore dynamically shared among the 16K different
segments potentially addressable within the user's virtual address space. No software overhead (either
system or application) is required to perform this operation.
Subsequently, as the program utilizes a short pointer to reference a location within a segment, the
processor generates a 24-bit physical address simply by adding the specified offset value to the previously cached segment base address. By encouraging the use of short pointers in this way, rather than
requiring a full 32-bit virtual address for every memory reference, the 80286 provides a very efficient
on-chip mechanism for address translation, with minimum overhead for references to memory-based
tables or the need for external address-translation devices.

6.6.2 System Address Registers
The Global Descriptor Table Register (GDTR) is a dedicated 40-bit (5 byte) register used to record
the base and size of a system's global descriptor table (GDT). Thus, two of these bytes define the size
of the GDT, and three bytes define its base address.
In figure 6-8, the contents of the GDTR are referred to as a "hidden descriptor." The term "descriptor" here emphasizes the analogy with the segment descriptors ordinarily found in descriptor tables.
Just as these descriptors specify the base and size (limit) of ordinary segments, the GDTR register
specifies these same parameters for that segment of memory serving as the system GDT. The limit
prevents accesses to descriptors in the GDT from accessing beyond the end of the GDT and thus
provides address space isolation at the system level as well as at the task level.
The register contents are "hidden" only in the sense that they are not accessible by means of ordinary
instructions. Instead, the dedicated protected instructions LGDT and SGDT are reserved for loading
and storing, respectively, the contents of the GDTR at Protected Mode initialization (refer to section
10.2 for details). Subsequent alteration of the GDT base and size values is not recommended but is a
system option at the most privileged level of software (see section 7.3 for a discussion of privilege
levels).
The Local Descriptor Table Register (LDTR) is a dedicated 40-bit register that contains, at any given
moment, the base and size of the local descriptor table (LDT) associated with the currently executing
task. Unlike GDTR, the LDTR register contains both a "visible" and a "hidden" component. Only the
visible component is accessible, while the hidden component remains truly inaccessible even to dedicated
instructions.
The visible component of the LDTR is a 16-bit "selector" field. The format of these 16 bits corresponds
exactly to that of a segment selector in a virtual address pointer. Thus, it contains a 13-bit INDEX
field, a 1-bit TI field, and a 2-bit RPL field. The TI "table indicator" bit must be zero, indicating a
reference to the GDT (i.e., to global address space). The INDEX field consequently provides an index
to a particular entry within the GDT. This entry, in turn, must be an LDT descriptor (or descriptor
table descriptor), as defined in the previous section. In this way, the visible "selector" field of the
LDTR, by selecting an LDT descriptor, uniquely designates a particular LDT in the system.
The dedicated, protected instructions LLDT and SLDT are reserved for loading and storing, respectively, the visible selector component of the LDTR register (refer to section 10.2 for details). Whenever
a new value is loaded into the visible "selector" portion of LDTR, an LDT descriptor will have been
uniquely chosen (assuming, of course, that the "selector" value is valid). In this case, the 80286
automatically loads the hidden "descriptor" portion of LDTR with five bytes from the chosen LDT
descriptor. Thus, size and base information about a particular LDT, as recorded in a memory-resident
global descriptor table entry, is cached in the LDTR register.
New values may be loaded into the visible portion of the LDTR (and, thus, into the hidden portion as
well) in either of two ways. The LLDT instruction, during system initialization, is used explicitly to set
an initial value for the LDTR register; in this way, a local address space is provided for the first task
in a multitasking environment. After system startup, explicit changes are not required since operations
that automatically invoke a task switch (described in section 8.4) appropriately manage the LDTR.
At all times, the LDTR register thus records the physical base address (and size) of the current task's
LDT; the descriptor table required for mapping the current local address space, therefore, is immediately accessible to the processor. Moreover, since GDTR always maintains the base address of the
GDT, the table that maps the global address space is similarly accessible. The two system address
registers, GDTR and LDTR, act as a special processor cache, maintaining current information about
the two descriptor tables required, at any given time, for addressing the entire current virtual address
space.
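
The lookup path of sections 6.4 through 6.6, as an added, constructed C model (not code from the manual): LLDT loading, the segment-register load that fills the hidden descriptor cache, and the short-pointer translation that consults only that cache. Table addresses, descriptor contents and all function names are assumptions made for the example; privilege checks, the null selector and expand-down segments are left out.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 80286 translation path; every name is illustrative. */
enum mm_status { MM_OK, MM_TABLE_LIMIT, MM_NOT_PRESENT, MM_BAD_TYPE, MM_SEG_LIMIT };

struct desc_cache { uint32_t base; uint16_t limit; uint8_t access; };
struct seg_reg    { uint16_t selector; struct desc_cache hidden; };

uint8_t phys_mem[0x4000];   /* constructed physical memory that holds the tables */
struct desc_cache gdtr;     /* GDTR: base and limit only                         */
struct seg_reg ldtr;        /* LDTR: visible selector plus hidden base and limit */

/* Store an 8-byte descriptor: bytes 0-1 limit, 2-4 base, 5 access, 6-7 zero. */
void put_descriptor(uint32_t at, uint32_t base, uint16_t limit, uint8_t access)
{
    uint8_t *d = &phys_mem[at];
    d[0] = limit & 0xFF;  d[1] = limit >> 8;
    d[2] = base & 0xFF;   d[3] = (base >> 8) & 0xFF;  d[4] = (base >> 16) & 0xFF;
    d[5] = access;        d[6] = 0;                   d[7] = 0;
}

/* Fetch the descriptor a selector names, bounds-checked against the table limit. */
enum mm_status fetch_descriptor(uint16_t selector, struct desc_cache *out)
{
    const struct desc_cache *tbl = (selector & 0x0004) ? &ldtr.hidden : &gdtr; /* TI */
    uint32_t entry = (uint32_t)(selector >> 3) * 8;        /* INDEX scaled by 8 */
    if (entry + 7 > tbl->limit)
        return MM_TABLE_LIMIT;                             /* beyond end of table */
    const uint8_t *d = &phys_mem[tbl->base + entry];
    out->limit  = (uint16_t)(d[0] | (d[1] << 8));
    out->base   = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16);
    out->access = d[5];
    return (out->access & 0x80) ? MM_OK : MM_NOT_PRESENT;  /* P bit */
}

/* LLDT: the selector must name an LDT descriptor (S = 0, TYPE = 2) in the GDT. */
enum mm_status load_ldtr(uint16_t selector)
{
    struct desc_cache d;
    if (selector & 0x0004)
        return MM_BAD_TYPE;                                /* TI must be zero */
    enum mm_status st = fetch_descriptor(selector, &d);
    if (st != MM_OK)
        return st;
    if ((d.access & 0x1F) != 0x02)
        return MM_BAD_TYPE;                                /* not an LDT descriptor */
    ldtr.selector = selector;
    ldtr.hidden = d;
    return MM_OK;
}

/* Step 1: segment register load; the descriptor is copied into the hidden part. */
enum mm_status load_segment(struct seg_reg *sr, uint16_t selector)
{
    struct desc_cache d;
    enum mm_status st = fetch_descriptor(selector, &d);
    if (st != MM_OK)
        return st;
    if (!(d.access & 0x10))
        return MM_BAD_TYPE;                                /* S = 0: not code or data */
    sr->selector = selector;
    sr->hidden = d;
    return MM_OK;
}

/* Step 2: short-pointer reference; only the cached base and limit are consulted. */
enum mm_status translate(const struct seg_reg *sr, uint16_t offset, uint32_t *phys)
{
    if (offset > sr->hidden.limit)          /* a limit of n permits offsets 0..n */
        return MM_SEG_LIMIT;
    *phys = (sr->hidden.base + offset) & 0xFFFFFF;         /* 24-bit physical address */
    return MM_OK;
}

/* Constructed tables: GDT at 0x1000 (3 entries), one LDT at 0x2000 (2 entries). */
void build_tables(void)
{
    gdtr.base = 0x1000;  gdtr.limit = 3 * 8 - 1;
    put_descriptor(0x1000,      0x000000, 0x0000, 0x00);   /* entry 0: empty        */
    put_descriptor(0x1000 + 8,  0x123400, 0x00FF, 0x92);   /* writable data, DPL 0  */
    put_descriptor(0x1000 + 16, 0x002000, 2 * 8 - 1, 0x82);/* LDT descriptor        */
    put_descriptor(0x2000,      0x200000, 0x0FFF, 0xF2);   /* task data, DPL 3      */
    put_descriptor(0x2000 + 8,  0x300000, 0xFFFF, 0x72);   /* P = 0: not in memory  */
}

int main(void)
{
    struct seg_reg ds = {0};
    uint32_t pa = 0;
    build_tables();
    load_ldtr(0x0010);                       /* INDEX 2, TI = 0 */
    load_segment(&ds, 0x0007);               /* INDEX 0, TI = 1 (LDT), RPL 3 */
    translate(&ds, 0x0010, &pa);
    printf("loaded from LDT      -> physical 0x%06X\n", (unsigned)pa);
    put_descriptor(0x2000, 0x400000, 0x0FFF, 0xF2);   /* table edited in memory */
    translate(&ds, 0x0010, &pa);
    printf("table edited, cached -> physical 0x%06X\n", (unsigned)pa);
    load_segment(&ds, 0x0007);               /* reload picks up the new base */
    translate(&ds, 0x0010, &pa);
    printf("after reload         -> physical 0x%06X\n", (unsigned)pa);
    return 0;
}
```

The second and third lines of output differ because a descriptor edited in memory takes effect only when the segment register is reloaded, which is why system software that revokes or moves a segment must also force the affected registers to be reloaded.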


CHAPTER 7
PROTECTION

7.1 INTRODUCTION
In most microprocessor based products, the product's availability, quality, and reliability are determined by the software it contains. Software is often the key to a product's success. Protection is a tool
used to shorten software development time, and improve software quality and reliability.
Program testing is an important step in developing software. A system with protection will detect software
errors more quickly and accurately than a system without protection. Eliminating errors via protection
reduces the development time for a product.
Testing software is difficult. Many errors occur only under complex circumstances which are difficult
to anticipate. The result is that products are shipped with undetected errors. When such errors occur,
products appear unreliable. The impact of a software error is multiplied if it introduces errors in other
bug-free programs. Thus, the total system reliability reduces to that of the least reliable program running
at any given time.
Protection improves the reliability of an entire system by preventing software errors in one program
from affecting other programs. Protection can keep the system running even when some user program
attempts an invalid or prohibited operation.
Hardware protection performs run-time checks in parallel with the execution of the program. But,
hardware protection has traditionally resulted in a design that is more expensive and slower than a
system without protection. However, the 80286 provides hardware-enforced protection without the
performance or cost penalties normally associated with protection.
The protected mode 80286 implements extensive protection by integrating these functions on-chip. The
80286 protection is more comprehensive and flexible than comparable solutions. It can locate and
isolate a large number of program errors and prevent the propagation of such errors to other tasks or
programs. The protection of the total system detects and isolates bugs both during development and
installed usage. Chapter 9 discusses exceptions in more detail.
The remaining sections of this chapter explain the protection model implemented in the 80286.

7.1.1 Types of Protection
Protection in the 80286 has three basic aspects:
1. Isolation of system software from user applications.
2. Isolation of users from each other (Inter-task protection).
3. Data-type checking.

The 80286 provides a four-level, ringed-type, increasingly-privileged protection mechanism to isolate
applications software from various layers of system software. This is a major improvement and extension over the simpler two-level user/supervisor mechanism found in many systems. Software modules
in a supervisor level are protected from modules in the application level and from software in less
privileged supervisor levels.


Restricting the addressability of a software module enables an operating system to control system
resources and priorities. This is especially important in an environment that supports multiple concurrent users. Multi-user, multi-tasking, and distributed processing systems require this complete control
of system resources for efficient, reliable operation.
The second aspect of protection is isolating users from each other. Without such isolation an error in
one user program could affect the operation of another error-free user program. Such subtle interactions are difficult to diagnose and repair. The reliability of applications programs is greatly enhanced
by such isolation of users.
Within a system or application level program, the 80286 will ensure that all code and data segments
are properly used (e.g., data cannot be executed, programs cannot be modified, and offset must be
within defined limits, etc.). Such checks are performed on every memory access to provide full runtime error checking.

7.1.2 Protection Implementation
The protection hardware of the 80286 establishes constraints on memory and instruction usage. The
number of possible interactions between instructions, memory, and I/O devices is practically unlimited. Out of this very large field the protection mechanism limits interactions to a controlled, understandable subset. Within this subset fall the list of "correct" operations. Any operation that does not
fall into this subset is not allowed by the protection mechanism and is signalled as a protection
violation.
To understand protection on the 80286, you must begin with its basic parts: segments and tasks. 80286
segments are the smallest region of memory which have unique protection attributes. Modular
programming automatically produces separate regions of memory (segments) whose contents are treated
as a whole. Segments reflect the natural construction of a program, e.g., code for module A, data for
module A, stack for the task, etc. All parts of the segment are treated in the same way by the 80286.
Logically separate regions of memory should be in separate segments.
The memory segmentation model (see figure 7-1) of the 80286 was designed to optimally execute code
for software composed of independent modules. Modular programs are easier to construct and maintain.
Compared to monolithic software systems, modular software systems have enhanced capabilities, and
are typically easier to develop and test for proper operation.
Each segment in the system is defined by a memory-resident descriptor. The protection hardware
prevents accesses outside the data areas and attempts to modify instructions, etc., as defined by the
descriptors. Segmentation on the 80286 allows protection hardware to be integrated into the CPU for
full data access control without any performance impact.
The segmented memory architecture of the 80286 provides unique capabilities for regulating the transfer of control between programs.
Programs are given direct but controlled access to other procedures and modules. This capability is the
heart of isolating application and system programs. Since this access is provided and controlled directly
by the 80286 hardware, there is no performance penalty. A system designer can take advantage of the
80286 access control to design high-performance modular systems with a high degree of confidence in
the integrity of the system.

Figure 7-1. Addressing Segments of a Module within a Task
(The code, data, stack, and extra segment registers in the CPU address segments in memory: the code and data of module A, the code and data of module B, the task stack, and task data blocks 1 and 2.)

Access control between programs and the operating system is implemented via address space separation and a privilege mechanism. The address space control separates applications programs from each
other while the privilege mechanism isolates system software from applications software. The privilege
mechanism grants different capabilities to programs to access code, data, and I/O resources based on
the associated protection level. Trusted software that controls the whole system is typically placed at
the most privileged level. Ordinary application software does not have to deal with these control mechanisms. They come into play only when there is a transfer of control between tasks, or if the Operating
System routines have to be invoked.

The protection features of multiple privilege levels extend to ensuring reliable I/O control. However,
for a system designer to enable only one specific level to do I/O would excessively constrain subsequent
extensions or application development. Instead, the 80286 permits each task to be assigned a separate
minimum level where I/O is allowed. I/O privilege is discussed in section 10.3.


An important distinction exists between tasks and programs. Programs (e.g., instructions in code
segments) are static and consist of a fixed set of code and data segments each with an associated
privilege level. The privilege assigned to a program determines what the program may do when executed
by a task. Privilege is assigned to a program when the system is built or when the program is loaded.
Tasks are dynamic; they execute one or more programs. Task privilege changes with time according to
the privilege level of the program being executed. Each task has a unique set of attributes that define
it, e.g., address space, register values, stack, data, etc. A task may execute a program if that program
appears in the task's address space. The rules of protection control determine when a program may be
executed by a task, and once executed, determine what the program may do.

7.2 MEMORY MANAGEMENT AND PROTECTION
The protection hardware of the 80286 is related to the memory management hardware. Since protection attributes are assigned to segments, they are stored along with the memory management information in the segment descriptor. The protection information is specified when the segment is created.
In addition to privilege levels, the descriptor defines the segment type (e.g., Code segment, Data segment,
etc.). Descriptors may be created either by program development tools or by a loader in a dynamically
loaded reprogrammable environment.
The protection control information consists of a segment type, its privilege level, and size. These are
fields in the access byte of the segment descriptor (see figure 7-2). This information is saved on-chip
in the programmer invisible section of the segment register for fast access during execution. These
entries are changed only when a segment register is loaded. The protection data is used at two times:
upon loading a segment register and upon each reference to the selected segment.
The hardware performs several checks while loading a segment register. These checks enforce the
protection rules before any memory reference is generated. The hardware verifies that the selected
segment is valid (is identified by a descriptor, is in memory, and is accessible from the privilege level
in which the program is executing) and that the type is consistent with the target segment register. For
example, you cannot load a read-only segment descriptor into SS because the stack must always be
writable.

Figure 7-3. 80286 Virtual Address Space
(Panels: task A private address space, task B private address space, task C private address space, shared address space, and task B address space. Descriptor table entries are numbered 0 to 8191 and segment offsets 0 to 65535.)

7.2.3 Type Validation
After checking that a selector reference is within the bounds of a descriptor table and refers to a non-empty descriptor, the type of segment defined by the descriptor is checked against the destination
register. Since each segment register has predefined functions, each must refer to certain types of
segments (see section 7.4.1). An attempt to load a segment register in violation of the protection rules
causes an exception.
The "null" selector is a special type of segment selector. It has an index field of all zeros and a table
indicator of 0. The null selector appears to refer to GDT descriptor entry #0 (see GDT in figure 7-3).
This selector value may be used as a place holder in the DS or ES segment registers; it may be loaded
into them without causing an exception. However, any attempt to use the null segment registers to
reference memory will cause an exception and prevent any memory cycle from occurring.

Figure 7-4. Local and Global Descriptor Table Definitions
(CPU: GDTR holding GDT BASE, bits 23-0, and GDT LIMIT, bits 15-0; LDTR holding the LDT SELECTOR, bits 15-0, with program-invisible LDT BASE and LDT LIMIT. Memory: the GDT and LDT1 through LDTn, one of which is the current LDT.)

Figure 7-5. Error Code Format (on the stack)
Bits 15-3: INDEX, the entry in IDT, GDT, or LDT.
Bit 2: TI. 1 means use LDT; 0 means use GDT.
Bit 1: I. 1 means use IDT and ignore bit 2; 0 means bit 2 indicates table usage.
Bit 0: EXT. 1 means that an event external to the program caused the exception (i.e., external interrupt, single step, processor extension error); 0 means that an exception occurred while processing the instruction at CS:IP saved on stack.

7.3 PRIVILEGE LEVELS AND PROTECTION
As explained in section 6.2, each task has its own separate virtual address space defined by its LDT.
All tasks share a common address space defined by the GDT. The system software then has direct
access to task data and can treat all pointers in the same way.
Protection is required to prevent programs from improperly using code or data that belongs to the
operating system. The four privilege levels of the 80286 provide the isolation needed between the various
layers of the system. The 80286 privilege levels are numbered from 0 to 3, where 0 is the most trusted
level, 3 the least.
Privilege level is a protection attribute assigned to all segments. It determines which procedures can
access the segment. Like access rights and limit checks, privilege checks are automatically performed
by the hardware, and thus protect both data and code segments.
Privilege on the 80286 is hierarchical. Operating system code and data segments placed at the most
privileged level (0) cannot be accessed directly by programs at other privilege levels. Programs at
privilege level 0 may access data at all other levels. Programs at privilege levels 1-3 may only access
data at the same or less trusted (numerically greater) privilege levels. Figure 7-6 illustrates the privilege level protection of code or data within tasks.

In figure 7-6, programs can access data at the same or outer level, but not at inner levels. Code and
data segments placed at level 1 cannot be accessed by programs executing at levels 2 or 3. Programs
at privilege level 0 can access data at level 1 in the course of providing service to that level. 80286
provides mechanisms for inter-level transfer of control when needed (see section 7.5).
The four privilege levels of the 80286 are an extension of the typical two-level user/supervisor privilege
mechanism. Like user mode, application programs in the outer level are not permitted direct access to
data belonging to more privileged system services (supervisor mode). The 80286 adds two more
privilege levels to provide protection for different layers of system software (system services, I/O drivers,
etc.).

7.3.1 Example of Using Four Privilege Levels
Two extra privilege levels allow development of more reliable and flexible system software. This is
achieved by dividing the system into small, independent units. Figure 7-6 shows an example of the
usage of different protection levels. Here, the most privileged level is called the kernel. This software
would provide basic, application-independent, CPU-oriented services to all tasks. Such services include
memory management, task isolation, multitasking, inter-task communication, and I/O resource control.
Since the kernel is only concerned with simple functions and cannot be affected by software at other
privilege levels, it can be kept small, safe, and understandable.
Privilege level one is designated system services. This software provides high-level functions like file
access scheduling, character I/O, data communications, and resource allocation policy which are
commonly expected in all systems. Such software remains isolated from applications programs and
relies on the services of the kernel, yet cannot affect the integrity of level 0.
Privilege level 2 is the custom operating system extensions level. It allows standard system software to
be customized. Such customizing can be kept isolated from errors in applications programs, yet cannot
affect the basic integrity of the system software. Examples of customized software are the data base
manager, logical file access services, etc.

Figure 7-6. Code and Data Segments Assigned to a Privilege Level

This is just one example of protection mechanism usage. Levels 1 and 2 may be used in many different
ways. The usage (or non-usage) is up to the system designer.
Programs at each privilege level are isolated from programs at outer layers, yet cannot affect programs
in inner layers. Programs written for each privilege level can be smaller, easier to develop, and easier
to maintain than a monolithic system where all system software can affect all other system software.

7.3.2 Privilege Usage
Privilege applies to tasks and three types of descriptors:
1. Main memory segments
2. Gates (control descriptors for state or task transitions, discussed in sections 7.5.1, 7.5.3, 8.3, 8.4
   and 9.2)
3. Task state segments (discussed in Chapter 8).


Task privilege is a dynamic value. It is derived from the code segment currently being executed. Task
privilege can change only when control transfers to a different code segment.
Descriptor privilege, including code segment privilege, is assigned when the descriptor (and any associated segment) is created. The system designer assigns privilege directly when the system is constructed
with the system builder (see the 80286 Builder User's Guide) or indirectly via a loader.
Each task operates at only one privilege level at any given moment: namely that of the code segment
being executed. (The conforming segments discussed in section 11.2 permit some flexibility in this
regard.) However, as figure 7-6 indicates, the task may contain segments at one, two, three, or four
levels, all of which are to be used at appropriate times. The privilege level of the task, then, changes
under the carefully enforced rules for transfer of control from one code segment to another.
The descriptor privilege attribute is stored in the access byte of a descriptor and is called the Descriptor Privilege Level (DPL). Task privilege is called the Current Privilege Level (CPL). The least significant two bits of the CS register specify the CPL.
A few general rules of privilege can be stated before the detailed discussions of later sections. Data
access is restricted to those data segments whose privilege level is the same as or less privileged (numerically greater) than the current privilege level (CPL). Direct code access, e.g., via call or jump, is
restricted to code segments of equal privilege. A gate (section 7.5.1) is required for access to code at
more privileged levels.

7.4 SEGMENT DESCRIPTOR
Although the format of access control information, discussed below, is similar for both data and code
segment descriptors, the rules for accessing data segments differ from those for transferring control to
code segments. Data segments are meant to be accessible from many privilege levels, e.g., from other
programs at the same level or from deep within the operating system. The main restriction is that they
cannot be accessed by less privileged code.
Code segments, on the other hand, are meant to be executed at a single privilege level. Transfers of
control that cross privilege boundaries are tightly restricted, requiring the use of gates. Control transfers within a privilege level can also use gates, but they are not required. Control transfers are discussed
in section 7.5.
Protection checks are automatically invoked at several points in selecting and using new segments. The
process of addressing memory begins when the currently executing program attempts to load a selector
into one of the segment registers. As discussed in Chapter 6, the selector has the form shown in
figure 7-7.

When a new selector is loaded into a segment register, the processor accesses the associated descriptor
to perform the necessary loading and privilege checks.

The protection mechanism verifies that the selector points to a valid descriptor type for the segment
register (see section 7.4.1). After verifying the descriptor type, the CPU compares the privilege level
of the task (CPL) to the privilege level in the descriptor (DPL) before loading the descriptor's information into the cache.
The general format of the eight bits in the segment descriptor's access rights byte is shown in
table 7-1.

BITS   NAME                              FUNCTION
15-3   INDEX                             Select descriptor entry in table
2      TABLE INDICATOR (TI)              TI = 0: use Global Descriptor Table (GDT)
                                         TI = 1: use Local Descriptor Table (LDT)
1-0    REQUESTED PRIVILEGE LEVEL (RPL)   Indicates selector privilege level desired

Figure 7-7. Selector Fields

Table 7-1. Segment Access Rights Byte Format

Bit   Name         Description
7     Present      1 means Present and addressable in real memory; 0 means not
                   present. See section 11.3.
6,5   DPL          2-bit Descriptor Privilege Level, 0 to 3.
4     Segment      1 means Segment descriptor; 0 means control descriptor.

For Segment = 1, the remaining bits have the following meanings:

3     Executable   1 means code, 0 means data.
2     C or ED      If code, Conforming: 1 means yes, 0 no.
                   If data, Expand Down: 1 yes, 0 no (normal case).
1     R or W       If code, Readable: 1 means readable, 0 not.
                   If data, Writable: 1 means writable, 0 not.
0     Accessed     1 if segment descriptor has been Accessed, 0 if not.

NOTE: When the Segment bit (bit 4) is 0, the descriptor is for a gate, a task state segment, or a Local
Descriptor Table, and the meanings of bits 0 through 3 change. Control transfers and descriptors
are discussed in section 7.5.

For example, the access rights byte for a data and code segment present in real memory but not yet
accessed (at the same privilege level) is shown in figure 7-8.
Whenever a segment descriptor is loaded into a segment register, the accessed bit in the descriptor
table is set to 1. This bit is useful for determining the usage profile of the segment.

Figure 7-8. Access Byte Examples (two access bytes shown bit 7 to bit 0: "Readable Code Segment" with fields P, DPL, S, E, C, R, A; "Writable Code Segment" with fields P, DPL, S, E, ED, W, A)

Table 7-2. Allowed Segment Types in Segment Registers

                      Allowed Segment Types
Segment    Read Only      Read-Write     Execute Only   Execute-Read
Register   Data Segment   Data Segment   Code Segment   Code Segment
DS         Yes            Yes            No             Yes
ES         Yes            Yes            No             Yes
SS         No             Yes            No             No
CS         No             No             Yes            Yes

NOTE

The Intel reserved bytes in the segment descriptor must be set to 0 for compatibility with
the 80386.

7.4.1 Data Accesses
Data may be accessed in data segments or readable code segments. When DS or ES is loaded with a
new selector, e.g., by an LDS, LES, or MOV to ES, SS, or DS instruction, the bits in the access byte
are checked to verify legitimate descriptor type and access (see table 7-2). If any test fails, an error
code is pushed onto the stack identifying the selector involved (see figure 7-5 for the error code format).
A privilege check is made when the segment register is loaded. In general, a data segment's DPL must
be numerically greater than or equal to the CPL. The DPL of a descriptor loaded into the SS must
equal the CPL. Conforming code segments are an exception to privilege checking rules (see
section 11.2).
Once the segment descriptor and selector are loaded, the offsets of subsequent accesses within the
segment are checked against the limit given in the segment descriptor. Violating the segment size limit
causes a General Protection exception with an error code of 0.

A normal data segment is addressed with offset values ranging from 0 to the size of the segment. When
the ED bit of the access rights byte in the segment descriptor is 0, the allowed range of offsets is
0000H to the limit. If limit is 0FFFFH, the data segment contains 65,536 bytes.


Since stacks normally occupy different offset ranges (lower limit to 0FFFFH) than data segments, the
limit field of a segment descriptor can be interpreted in two ways. The Expand Down (ED) bit in the
access byte allows offsets for stack segments to be greater than the limit field. When ED is 1, the
allowed range of offsets within the segment is limit + 1 to 0FFFFH. To allow a full stack segment, set
ED to 1 and the limit to 0FFFFH. The ED bit of a data segment descriptor does not have to be set for
use in SS (i.e., it will not cause an exception). Section 7.5.4 discusses stack segment usage in greater
detail. An expand down (ED = 1) segment can also be loaded into ES or DS.
Limit and access checks are performed before any memory reference is started. For stack push instructions (PUSH, PUSHA, ENTER, CALL, INT), a possible limit violation is identified before any internal registers are updated. Therefore, these instructions are fully restartable after a stack size violation.
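
The type and limit rules of this section can be modelled in a few lines of C. The following is an added example, not code from the manual: the function names and the sample descriptor values are constructed, and it assumes that a multi-byte access must fit entirely inside the allowed offset range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access rights byte bits for segment descriptors (Table 7-1). */
#define AR_SEGMENT 0x10u   /* bit 4: 1 = segment descriptor */
#define AR_EXEC    0x08u   /* bit 3: 1 = code, 0 = data */
#define AR_C_ED    0x04u   /* bit 2: Conforming (code) or Expand Down (data) */
#define AR_R_W     0x02u   /* bit 1: Readable (code) or Writable (data) */

enum seg_reg { REG_DS, REG_ES, REG_SS, REG_CS };

/* Table 7-2: may a descriptor with access byte `ar` be loaded into `reg`? */
bool type_allowed(enum seg_reg reg, uint8_t ar)
{
    if (!(ar & AR_SEGMENT))
        return false;                     /* gate, TSS or LDT descriptor */
    bool code = (ar & AR_EXEC) != 0;
    bool r_w  = (ar & AR_R_W) != 0;
    switch (reg) {
    case REG_CS: return code;             /* execute-only or execute-read */
    case REG_SS: return !code && r_w;     /* read-write data only */
    default:     return !code || r_w;     /* DS, ES: data or readable code */
    }
}

/* Is an access of `size` bytes at `offset` inside the segment?
 * ED = 0 (and all code segments): offsets 0000H..limit.
 * ED = 1: offsets limit+1..0FFFFH; limit+1 wraps in 16 bits, so a limit of
 * 0FFFFH yields the full segment, as the text states.
 * Assumption: every byte of the access must lie in the allowed range. */
bool offset_allowed(uint8_t ar, uint16_t limit, uint16_t offset, unsigned size)
{
    uint32_t last = (uint32_t)offset + size - 1;      /* last byte touched */
    if (size == 0 || last > 0xFFFFu)
        return false;
    if ((ar & AR_EXEC) || !(ar & AR_C_ED))
        return last <= limit;
    return offset >= (uint16_t)(limit + 1u);
}

struct stack_seg { uint8_t ar; uint16_t limit; uint16_t sp; };

/* PUSH of one word: the limit check is made before SP is updated, so a
 * faulting push leaves SP untouched and the instruction can be restarted. */
bool push_word(struct stack_seg *ss)
{
    uint16_t new_sp = (uint16_t)(ss->sp - 2u);
    if (!offset_allowed(ss->ar, ss->limit, new_sp, 2))
        return false;
    ss->sp = new_sp;
    return true;
}

int main(void)
{
    /* Constructed: expand-down, writable data segment, limit 0FFFH. */
    struct stack_seg ss = { 0x96, 0x0FFF, 0x1002 };
    bool first = push_word(&ss);
    printf("first push ok=%d sp=%04X\n", first, (unsigned)ss.sp);
    bool second = push_word(&ss);
    printf("second push ok=%d sp=%04X\n", second, (unsigned)ss.sp);
    printf("execute-only code into DS allowed=%d\n", type_allowed(REG_DS, 0x98));
    return 0;
}
```
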

7.4.2 Code Segment Access
Code segments are accessed via CS for execution. Segments that are execute-only can ONLY be
executed; they cannot be accessed via DS or ES, nor read via CS with a CS override prefix. If a
segment is executable (bit 3 = 1 in the access byte), access via DS or ES is possible only if it is also
readable. Thus, any code segment that also contains data must be readable. (Refer to Chapter 2 for a
discussion of segment override prefixes.)
An execute-only segment preserves the privacy of the code against any attempt to read it; such an
attempt causes a general protection fault with an error code of 0. A code segment cannot be loaded
into SS and is never writable. Any attempted write will cause a general protection fault with an error
code of 0.
The limit field of a code segment descriptor identifies the last byte in the segment. Any offset greater
than the limit value will cause a general protection fault. The prefetcher of the 80286 can never cause
a code segment limit violation with an error code of 0. The program must actually attempt to execute
an instruction beyond the end of the code segment to cause an exception.
If a readable non-conforming code segment is to be loaded into DS or ES, the privilege level requirements are the same as those stated for data segments in 7.4.1.

Code segments are subject to different privilege checks when executed. The normal privilege requirement for a jump or call to another code segment is that the current privilege level equal the descriptor
privilege level of the new code segment. Jumps and calls within the current code segment automatically
obey this rule.
Return instructions may pass control to code segments at the same or less (numerically greater) privileged level. Code segments at more privileged levels may only be reached via a call through a call gate
as described in section 7.5.
An exception to this, previously stated, is the conforming code segment that allows the DPL of the
requested code segment to be numerically less than (of greater privilege than) the CPL. Conforming
code segments are discussed in section 11.2.

7.4.3 Data Access Restriction by Privilege Level
This section describes privilege verification when accessing either data segments (loading segment
selectors into DS, ES, or SS) or readable code segments. Privilege verification when loading CS for
transfer of control across privilege levels is described in the next section.


Three basic kinds of privilege level indicators are used when determining accessibility to a segment for
reading and writing. They are termed Current Privilege Level (CPL), Descriptor Privilege Level (DPL),
and Requested Privilege Level (RPL). The CPL is simply the privilege level of the code segment that
is executing (except if the current code segment is conforming). The CPL is stored as bits 0 and 1 of
the CS and SS registers. Bits 0 and 1 of DS and ES are not related to CPL.
DPL is the privilege level of the segment; it is stored in bits 5 and 6 of the access byte of a descriptor.
For data access to data segments and non-conforming code segments, CPL must be numerically less
than or equal to DPL (the task must be of equal or greater privilege) for access to be granted. Violation
of this rule during segment load instruction causes a general protection exception with an error code
identifying the selector.
While the enforcement of DPL protection rules provides the mechanism for the isolation of code and
data at different privilege levels, it is conceivable that an erroneous pointer passed onto a more trusted
program might result in the illegal modification of data with a higher privilege level. This possibility is
prevented by the enforcement of effective privilege level protection rules and correct usage of the RPL
value.
The RPL (requested privilege level) is used for pointer validation. It is the least significant two bits in
the selector value loaded into any segment register. RPL is intended to indicate the privilege level of
the originator of that selector. A selector may be passed down through several procedures at different
levels. The RPL reflects the privilege level of the original supplier of the selector, not the privilege
level of the intermediate supplier. The RPL must be numerically less than or equal to the DPL of the
descriptor selected, thereby indicating greater or equal privilege of the supplier; otherwise, access is
denied and a general protection violation occurs.
Pointer validity testing is required in any system concerned with preventing program errors from
destroying system integrity. The 80286 provides hardware support for pointer validity testing. The
RPL field indicates the privilege level of the originator of the pointer to the hardware. Access will be
denied if the originator of the pointer did not have access to the selected segment even if the CPL is
numerically less than or equal to the DPL. RPL can reduce the effective privilege of a task when using
a particular selector. RPL never allows access to more privileged segments (CPL must always be
numerically less than or equal to DPL).
A fourth term is sometimes used: the Effective Privilege Level (EPL). It is defined as the numeric
maximum of the CPL and the RPL, meaning the one of lesser privilege. Access to a protected entity
is granted only when the EPL is numerically less than or equal to the DPL of that entity. This is simply
another way of saying that both CPL and RPL must be numerically less than or equal to DPL for
access to be granted.

7.4.4 Pointer Privilege Stamping via ARPL
The ARPL instruction is provided in the 80286 to fill the RPL field of a selector with the minimum
privilege (maximum numeric value) of the selector's current RPL and the caller's CPL (given in an
instruction-specified register). A straight insertion of the caller's CPL would stamp the pointer with
the privilege level of the caller, but not necessarily the ultimate originator of the selector (e.g., Level 3
supplies a selector to a level 2 routine that calls a level 0 routine with the same selector).
Figure 7-9 shows a program with an example of such a situation. The program at privilege level 3 calls
a routine at level 2 via a gate. The routine at level 2 uses the ARPL instruction to assure that the
selector's RPL is 3. When the level 2 routine calls a routine at level 0 and passes the selector, the
ARPL instruction at level 0 leaves the RPL field unchanged.

Level 3     PUSH   SELECTOR          ; RPL value doesn't matter at level 3
            CALL   LEVEL_2

Level_2:    ENTER  4, 0
            MOV    AX, [BP]+4        ; Get CS of return address, RPL=3
            ARPL   [BP]+6, AX        ; Put 3 in RPL field
            PUSH   WORD PTR [BP]+6   ; Pass selector
            CALL   LEVEL_0

Level_0:    ENTER  6, 0
            MOV    AX, [BP]+4        ; Get CS of return address, RPL=2
            ARPL   [BP]+6, AX        ; Leaves RPL unchanged

Figure 7-9. Pointer Privilege Stamping

Stamping a pointer with the originator's privilege eliminates the complex and time-consuming software
typically associated with pointer validation in less comprehensive architectures. The 80286 hardware
performs the pointer test automatically while loading the selector.
Privilege errors are trapped at the time the selector is loaded because pointers are commonly passed to
other routines, and it may not be possible to identify a pointer's originator. To verify the access capabilities of a pointer, it should be tested when the pointer is first received from an untrusted source. The
VERR (Verify Read), VERW (Verify Write), and LAR (Load Access Rights) instructions are provided
for this purpose.
Although pointer validation is fully supported in the 80286, its use is an option of the system designer.
To accommodate systems that do not require it, RPL can be ignored by setting selector RPLs to zero
(except stack segment selectors) and not adjusting them with the ARPL instruction.
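
The effect of stamping on the privilege check of section 7.4.3 can be traced with a small C model of the Figure 7-9 call chain. This is an added example, not code from the manual: the selector and access byte values are constructed, and the boolean returned by `arpl` (mirroring the instruction's zero-flag result) is a detail not stated on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

static unsigned sel_rpl(uint16_t sel) { return sel & 3u; }         /* bits 1-0 */
static unsigned ar_dpl(uint8_t ar)    { return (ar >> 5) & 3u; }   /* bits 6,5 */

/* EPL = numeric maximum of CPL and RPL (section 7.4.3). */
unsigned epl(unsigned cpl, uint16_t sel)
{
    unsigned rpl = sel_rpl(sel);
    return cpl > rpl ? cpl : rpl;
}

/* Data access to a data segment or non-conforming code segment is granted
 * only when both CPL and RPL are numerically <= DPL, i.e. EPL <= DPL. */
bool data_access_ok(unsigned cpl, uint16_t sel, uint8_t ar)
{
    return epl(cpl, sel) <= ar_dpl(ar);
}

/* ARPL: if the selector's RPL is numerically lower than the RPL of `src`
 * (the caller's CS), raise it to match. Returns true when the selector was
 * changed; that return convention is an assumption of this model. */
bool arpl(uint16_t *sel, uint16_t src)
{
    if (sel_rpl(*sel) >= sel_rpl(src))
        return false;
    *sel = (uint16_t)((*sel & 0xFFFCu) | sel_rpl(src));
    return true;
}

struct trace {
    uint16_t at_level2;    /* selector after ARPL in the level 2 routine */
    uint16_t at_level0;    /* selector after ARPL in the level 0 routine */
    bool     stamped_ok;   /* level 0 access using the stamped selector */
    bool     raw_ok;       /* level 0 access had nobody stamped it */
};

/* Figure 7-9: level 3 passes `user_sel` to level 2, which passes it on to
 * level 0. Each routine stamps it with the RPL of its caller's saved CS. */
struct trace figure_7_9(uint16_t user_sel, uint8_t target_ar)
{
    const uint16_t ret_cs_from_3 = 0x004B;   /* constructed: RPL = 3 */
    const uint16_t ret_cs_from_2 = 0x0032;   /* constructed: RPL = 2 */
    struct trace t;
    uint16_t sel = user_sel;

    arpl(&sel, ret_cs_from_3);               /* level 2: puts 3 in RPL */
    t.at_level2 = sel;
    arpl(&sel, ret_cs_from_2);               /* level 0: leaves RPL unchanged */
    t.at_level0 = sel;
    t.stamped_ok = data_access_ok(0, sel, target_ar);
    t.raw_ok     = data_access_ok(0, user_sel, target_ar);
    return t;
}

int main(void)
{
    /* Constructed: level 3 supplies a selector with RPL 0 that names a
     * DPL 0 writable data segment (access byte 92H). */
    struct trace t = figure_7_9(0x0028, 0x92);
    printf("selector at level 2: %04X, at level 0: %04X\n",
           (unsigned)t.at_level2, (unsigned)t.at_level0);
    printf("level 0 access with stamped selector: %s\n",
           t.stamped_ok ? "granted" : "denied");
    printf("level 0 access with unstamped selector: %s\n",
           t.raw_ok ? "granted" : "denied");
    return 0;
}
```
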

7.5 CONTROL TRANSFERS
Three kinds of control transfers can occur within a task:
1. Within a segment, causing no change of privilege level (a short jump, call, or return).
2. Between segments at the same privilege level (a long jump, call, or return).
3. Between segments at different privilege levels (a long call, or return). (NOTE: A JUMP to a
   different privilege level is not allowed.)

The first two types of control transfers need no special controls (with respect to privilege protection)
beyond those discussed in section 7.4.
Inter-level transfers require special consideration to maintain system integrity. The protection hardware
must check that:
The task is currently allowed to access the destination address.
The correct entry address is used.


To achieve control transfers, a special descriptor type called a gate is provided to mediate the change
in privilege level. Control transfer instructions call the gate rather than transfer directly to a code
segment. From the viewpoint of the program, a control transfer to a gate is the same as to another code
segment.
Gates allow programs to use other programs at more privileged levels in the same manner as a program
at the same privilege level. Programmers need never distinguish between programs or subroutines that
are more privileged than the current program and those that are not. The system designer may, however,
elect to use gates only for control transfers that cross privilege levels.

7.5.1 Gates
A gate is a four-word control descriptor used to redirect a control transfer to a different code segment
in the same or more privileged level or to a different task. There are four types of gates: call, trap,
interrupt, and task gates. The access rights byte distinguishes a gate from a segment descriptor, and
determines which type of gate is involved. Figure 7-10 shows the format of a gate descriptor.
A key feature of a gate is the re-direction it provides. All four gate types define a new address which
transfers control when invoked. This destination address normally cannot be accessed by a program.
Loading the selector to a call gate into SS, DS, or ES will cause a general protection fault with an
error code identifying the invalid selector.
Only the selector portion of an address is used to invoke a gate. The offset is ignored. All that a
program need know about the desired function is the selector required to invoke the gate. The 80286
will automatically start the execution at the correct address stored within the gate.
A further advantage of a gate is that it provides a fixed address for any program to invoke another
program. The calling program's address remains unaltered even if the entry address of the destination
program changes. Thus, gates provide a fixed set of entry points that allow a task to access Operating
System functions such as simple subroutines, yet the task is prohibited from simply jumping into the
middle of the Operating System.
Call gates, as described in the next section, are used for control transfers within a task which must
either be transparently redirected or which require an increase in privilege level. A call gate normally
specifies a subroutine at a greater privilege level, and the called routine returns via a return instruction.
Call gates also support delayed binding (resolution of target routine addresses at run-time rather than
program-generation-time).
Trap and interrupt gates handle interrupt operations that are to be serviced within the current task.
Interrupt gates cause interrupts to be disabled; trap gates do not. Trap and interrupt gates both require
a return via the interrupt return instruction.
Task gates are used to control transfers between tasks and to make use of task state segments for task
control and status information. Tasks are discussed in Chapter 8, interrupts in Chapter 9.
In the 80286 protection model, each privilege level has its own stack. Therefore, a control transfer (call
or return) that changes the privilege level causes a new stack to be invoked.

Byte offset   Contents
+7, +6        INTEL RESERVED*
+5            P, DPL, 0, TYPE
+4            X X X, WORD COUNT (bits 4-0)
+3, +2        DESTINATION SELECTOR (bits 15-2), X X
+1, 0         DESTINATION OFFSET (bits 15-0)

*Must be set to 0 for compatibility with 80386 (X is don't care)

Gate Descriptor Fields

Name                   Value             Description
TYPE                   4                 Call Gate.
                       5                 Task Gate.
                       6                 Interrupt Gate.
                       7                 Trap Gate.
P                      0                 Descriptor Contents are not valid.
                       1                 Descriptor Contents are valid.
DPL                    0-3               Descriptor Privilege Level.
WORD COUNT             0-31              Number of words to copy from caller's stack to
                                         called procedure's stack. Only used with call gate.
DESTINATION SELECTOR   16-bit selector   Selector to the target code segment (Call, Interrupt or
                                         Trap Gate).
                                         Selector to the target task state segment (Task Gate).
DESTINATION OFFSET     16-bit offset     Entry point within the target code segment.

Figure 7-10. Gate Descriptor Format

7.5.1.1 CALL GATES

Call gate descriptors are used by call and jump instructions in the same manner as a code segment
descriptor. The hardware automatically recognizes that the destination selector refers to a gate descriptor. Then, the operation of the instruction is expanded as determined by the contents of the call gate.
A jump instruction can access a call gate only if the target code segment is at the same privilege level.
A call instruction uses a call gate for the same or more privileged access.
A call gate descriptor may reside in either the GDT or the LDT, but not in the IDT. Figure 7-10 gives
the complete layout of a call gate descriptor.
A call gate can be referred to by either the long JMP or CALL instructions. From the viewpoint of
the program executing a JMP or CALL instruction, the fact that the destination was reached via a
call gate and not directly from the destination address of the instruction is not apparent.


The following is a description of the protection checks performed while transferring control (with the
CALL instruction) through a call gate:
Verifying that access to the call gate is allowed. One of the protection features provided by call
gates is the access checks made to determine if the call gate may be used (i.e., checking if the
privilege level of the calling program is adequate).
Determining the destination address and whether a privilege transition is required. This feature
makes privilege transitions transparent to the caller.
Performing the privilege transition, if required.
Verifying access to a call gate is the same for any call gate and is independent of whether a JMP or
CALL instruction was used. The rules of privilege used to determine whether a data segment may be
accessed are employed to check if a call gate may be jumped-to or called. Thus, privileged subroutines
can be hidden from untrusted programs by the absence of a call gate.
When an inter-segment CALL or JMP instruction selects a call gate, the gate's privilege and presence
will be checked. The gate's DPL (in the access byte) is checked against the EPL (MAX (task CPL,
selector RPL)). If EPL > DPL, the program is less privileged than the gate and therefore it may not
make a transition. In this case, a general protection fault occurs with an error code identifying the
gate. Otherwise, the gate is accessible from the program executing the call, and the control transfer is
allowed to continue. After the privilege checks, the descriptor presence is checked. If the present bit
of the gate access rights byte is 0 (i.e., the target code segment is not present), a not-present fault occurs
with an error code identifying the gate.
The checks indicated in table 7-3 are applied to the contents of the call gate. Violating any of them
causes the exception shown. The low order two bits of the error code are zero for these exceptions.

7.5.1.2 INTRA-LEVEL TRANSFERS VIA CALL GATE

The transfer is Intra-level if the destination code segment is at the same privilege level as CPL. Either
the code segment is non-conforming with DPL = CPL, or it is conforming, with DPL ≤ CPL (see
section 11.2 for this case). The 32-bit destination address in the gate is loaded into CS:IP.
Table 7-3. Call Gate Checks

Type of Check                                Fault(1)   Error Code
Selector is not Null                         GP         0
Selector is within Descriptor Table Limit    GP         Selector id
Descriptor is a Code Segment                 GP         Code Segment id
Code Segment is Present                      NP         Code Segment id
Nonconforming Code Segment DPL > CPL         GP         Code Segment id

NOTES:
(1) GP = General Protection, NP = Not-Present Exception.
The offset portion of the JMP or CALL destination address which refers to a call gate is always ignored.


If the IP value is not within the limit of the code segment, a general protection fault occurs with an
error code of 0. If a CALL instruction is used, the return address is saved in the normal manner. The
only effect of the call gate is to place a different address into CS:IP than that specified in the destination address of the JMP or CALL instruction. This feature is useful for systems which require that
a fixed address be provided to programs, even though the entry address for the routine may change
due to different functions, software changes, or segment relocation.
7.5.1.3 INTER-LEVEL CONTROL TRANSFER VIA CALL GATES

If the destination code segment of the call gate is at a different privilege level than the CPL, an interlevel transfer is being requested. However, if the destination code segment DPL > CPL, then a general
protection fault occurs with an error code identifying the destination code segment.

The gate guarantees that all transitions to a more privileged level will go to a valid entry point rather
than possibly into the middle of a procedure (or worse, into the middle of an instruction). See
figure 7-11.
Calls to more privileged levels may be performed only through call gates. A JMP instruction can never
cause a privilege change. Any attempt to use a call gate in this manner will cause a general protection
fault with an error code identifying the gate. Returns to more privileged levels are also prohibited.
Inter-level transitions due to interrupts use a different gate, as discussed in Chapter 9.
The RPL field of the CS selector saved as part of the return address will always identify the caller's
CPL. This information is necessary to correctly return to the caller's privilege level during the return
instruction. Since the CALL instruction places the CS value on the more privileged stack, and JMP
instructions cannot change privilege levels, it is not possible for a program to maliciously place an
invalid return address on the caller's stack.

Figure 7-11. Call Gate (diagram labels: CALL instruction with opcode, offset and selector; descriptor tables holding the call gate and the code segment descriptor; target code segment with its ENTER entry point)


7.5.1.4 STACK CHANGES CAUSED BY CALL GATES

To maintain system integrity, each privilege level has a separate stack. Furthermore, each task normally
uses separate stacks from other tasks for each privilege level. These stacks assure sufficient stack space
to process calls from less privileged levels. Without them, trusted programs may not work correctly,
especially if the calling program does not provide sufficient space on the caller's stack.
When a call gate is used to change privilege levels, a new stack is selected as determined by the new
CPL. The new stack pointer value is loaded from the Task State Segment (TSS). The privilege level
of the new stack data segment must equal the new CPL; if it does not, a task stack fault occurs with
the saved machine state pointing at the CALL instruction and the error code identifying the invalid
stack selector.
The new stack should contain enough space to hold the old SS:SP, the return address, and all parameters and local variables required to process the call. The initial stack pointers for privilege levels 0-2
in the TSS are strictly read only values. They are never changed during the course of execution.
The normal technique for passing parameters to a subroutine is to place them onto the stack. To make
privilege transitions transparent to the called program, a call gate specifies that parameters are to be
copied from the old stack to the new stack. The word count field in a call gate (see figure 7-10)
specifies how many words (up to 31) are to be copied from the caller's stack to the new stack. If the
word count is zero, no parameters are copied.
Before copying the parameters, the new stack is checked to assure that it is large enough to hold the
parameters; if it is not, a stack fault occurs with an error code of 0. After the parameters are copied,
the return link is on the new stack (i.e., a pointer to the old stack is placed in the new stack). In
particular, the return address is pointed at by SS:SP. The call and return example of figure 7-12
illustrates the stack contents after a successful inter-level call.
The stack pointer of the caller is saved above the caller's return address as the first two words pushed
onto the new stack. The caller's stack can only be saved for calls to procedures at privilege levels 2, 1,
and 0. Since level 3 cannot be called by any procedure at any other privilege level, the level 3 stack
will never contain links to other stacks.
Procedures requiring more than the 31 words for parameters that may be called from another privilege
level must use the saved SS:SP link to access all parameters beyond the last word copied.

The call gate does not check the values of the words copied onto the new stack. The called procedure
should check each parameter for validity. Section 11.3 discusses how the ARPL, VERR, VERW, LSL,
and LAR instructions can be used to check pointer values.

An inter-segment return instruction can also change levels, but only toward programs of equal or lesser
privilege (when code segment DPL is numerically greater than or equal to the CPL). The RPL of the
selector popped off the stack by the return instruction identifies the privilege level to resume execution
of the calling program.
When the RET instruction encounters a saved CS value whose RPL > CPL, an inter-level return
occurs. Checks shown in table 7-4 are made during such a return.

Figure 7-12. Stack Contents after an Inter-Level Call
(Diagram not reproduced. Old stack, at the "outer" privilege level: PARM 3, PARM 2, PARM 1 from
higher to lower addresses, with the old SS:SP pointing at PARM 1. New stack, at the "inner" privilege
level, starting at the SS:SP from the TSS: OLD SS, OLD SP, PARM 3, PARM 2, PARM 1, OLD CS,
OLD IP from higher to lower addresses, with the new SS:SP pointing at OLD IP. Stacks grow toward
lower addresses.)

The old SS:SP value is then adjusted by the number of bytes indicated in the RET instruction and
loaded into SS:SP. The new SP value is not checked for validity. If SP is invalid it is not recognized
until the first stack operation. The SS:SP value of the returning program is not saved. (Note: this value
normally is the same as that saved in the TSS.)
The last step in the return is checking the contents of the DS and ES descriptor register. If DS or ES
refer to segments whose DPL is greater than the new CPL (excluding conforming code segments), the
segment registers are loaded with the null selector. Any subsequent memory reference that attempts
to use the segment register containing the null selector will cause a general protection fault. This prevents
less privileged code from accessing more privileged data previously accessed by the more privileged
program.


Table 7-4. Inter-Level Return Checks

Type of Check                                                 Exception*   Error Code
SP is not within Segment Limit                                SF           0
SP + N + 7 is not in Segment Limit                            SF           0
RPL of Return CS is Greater than CPL                          GP           Return CS id
Return CS Selector is not null                                GP           Return CS id
Return CS segment is within Descriptor Table Limit            GP           Return CS id
Return CS Descriptor is a Code Segment                        GP           Return CS id
Return CS Segment is Present                                  NP           Return CS id
DPL of Return Non-Conforming Code Segment = RPL of CS         GP           Return CS id
SS Selector at SP + N + 6 is not Null                         SF           Return SS id
SS Selector at SP + N + 6 is within Descriptor Table Limit    SF           Return SS id
SS Descriptor is Writable Data Segment                        SF           Return SS id
SS Segment is Present                                         SF           Return SS id
SS Segment DPL = RPL of CS                                    SF           Return SS id

*SF = Stack Fault, GP = General Protection Exception, NP = Not-Present Exception

CHAPTER 8
TASKS AND STATE TRANSITIONS

8.1 INTRODUCTION
An 80286 task is a single, sequential thread of execution. Each task can be isolated from all other
tasks. There may be many tasks associated with an 80286 CPU, but only one task executes at any
time. Switching the CPU from executing one task to executing another can occur as the result of either
an interrupt or an inter-task CALL, JMP or IRET. A hardware-recognized data structure defines each
task.
The 80286 provides a high performance task switch operation with complete isolation between tasks.
A full task-switch operation takes only 22 microseconds at 8 MHz (18 microseconds at 10 MHz).
High-performance, interrupt-driven, multi-application systems that need the benefits of protection are
feasible with the 80286.
A performance advantage and system design advantage arise from the 80286 task switch:
• Faster task switch: A task switch is a single instruction performed by microcode. Such a scheme
  is 2-3 times faster than an explicit task switch instruction. A fast task switch translates to a
  significant performance boost for heavily multi-tasked systems over conventional methods.
• More reliable, flexible systems: The isolation between tasks and the high speed task switch allows
  interrupts to be handled by separate tasks rather than within the currently interrupted task. This
  isolation of interrupt handling code from normal programs prevents undesirable interactions between
  them. The interrupt system can become more flexible since adding an interrupt handler is as safe
  and easy as adding a new task.
Every task is protected from all others via the separation of address spaces described in
Chapter 7, including allocation of unique stacks to each active privilege level in each task (unless
explicit sharing is planned in advance). If the address spaces of two tasks include no shared data,
one task cannot affect the data of another task. Code sharing is always safe since code segments
may never be written into.

8.2 TASK STATE SEGMENTS AND DESCRIPTORS
Tasks are defined by a special control segment called a Task State Segment (TSS). For each task,
there must be a unique TSS. The definition of a task includes its address space and execution state.
A task is invoked (made active) by inter-segment jump or call instructions whose destination address
refers to a task state segment or a task gate.
The Task State Segment (TSS) has a special descriptor. The Task Register within the CPU contains
a selector to that descriptor. Each TSS selector value is unique, providing an unambiguous "identifier"
for each task. Thus, an operating system can use the value of the TSS selector to uniquely identify the
task.
A TSS contains 22 words that define the contents of all registers and flags, the initial stacks for
privilege levels 0-2, the LDT selector, and a link to the TSS of the previously executing task. Figure 8-1
shows the layout of the TSS. The TSS cannot be written into like an ordinary data segment.


Figure 8-1. Task State Segment and TSS Registers
(Diagram not reproduced. It shows the Task Register in the CPU, a 16-bit selector with a
program-invisible base and limit, pointing through the TSS descriptor to the task state segment.)

TSS descriptor TYPE field:
  1   An available task state segment may be used as the destination of a task switch operation.
  3   A busy task state segment cannot be used as the destination of a task switch.

TSS descriptor P bit:
  1   Base and limit fields are valid.
  0   Segment is not present in memory. Base and limit are not defined.

Task state segment layout:

  Byte offset   Field                        Group
  42            Task LDT selector            (1)
  40            DS selector                  Current task state (2)
  38            SS selector                  Current task state (2)
  36            CS selector                  Current task state (2)
  34            ES selector                  Current task state (2)
  32            DI                           Current task state (2)
  30            SI                           Current task state (2)
  28            BP                           Current task state (2)
  26            SP                           Current task state (2)
  24            BX                           Current task state (2)
  22            DX                           Current task state (2)
  20            CX                           Current task state (2)
  18            AX                           Current task state (2)
  16            Flag word                    Current task state (2)
  14            IP (entry point)             Current task state (2)
  12            SS for CPL 2                 Initial stacks for CPL 0, 1, 2 (1)
  10            SP for CPL 2                 Initial stacks for CPL 0, 1, 2 (1)
   8            SS for CPL 1                 Initial stacks for CPL 0, 1, 2 (1)
   6            SP for CPL 1                 Initial stacks for CPL 0, 1, 2 (1)
   4            SS for CPL 0                 Initial stacks for CPL 0, 1, 2 (1)
   2            SP for CPL 0                 Initial stacks for CPL 0, 1, 2 (1)
   0            Back link selector to TSS

(1) Never altered (static) after initialization by O.S. The values as initialized for this task are
    always valid SS:SP values to use upon entry to that privilege level (0, 1, or 2) from a level of
    lesser privilege.
(2) Changed during task switch.


Each TSS consists of two parts, a static portion and a dynamic portion. The static entries are never
changed by the 80286, while the dynamic entries are changed by each task switch out of this task. The
static portions of this segment are the task LDT selector and the initial SS:SP stack pointer addresses
for levels 0-2.
The modifiable or dynamic portion of the task state segment consists of all dynamically-variable and
programmer-visible processor registers, including flags, segment registers, and the instruction pointer.
It also includes the linkage word used to chain nested invocations of different tasks.
The link word provides a history of which tasks invoked others. The link word is important for restarting an interrupted task when the interrupt has been serviced. Placing the back link in the TSS protects
the identity of the interrupted task from changes by the interrupt task, since the TSS is not writable
by the interrupt task. (In most systems only the operating system has sufficient privilege to create or
use a writable data segment "alias" descriptor for the TSS.)
The stack pointer entries in the TSS for privilege levels 0-2 are static (i.e., never written during a
privilege or task switch). They define the stack to use upon entry to that privilege level. These stack
entries are initialized by the operating system when the task is created. If a privilege level is never
used, no stack need be allocated for it.
When entering a more privileged level, the caller's stack pointer is saved on the stack of the new
privilege level, not in the TSS. Leaving the privilege level requires popping the caller's return address
and stack pointer off the current stack. The stack pointer at that time will be the same as the initial
value loaded from the TSS upon entry to the privilege level.
There is only one stack active at any time, the one defined by the SS and SP registers. The only other
stacks that may be non-empty are those at outer (less privileged) levels that called the current level.
Stacks for inner levels must be empty, since outward (to numerically larger privilege levels) calls from
inner levels are not allowed.
The location of the stack pointer for an outer privilege level will always be found at the start of the
stack of the inner privilege level called by that level. That stack may be the initial stack for this
privilege level or an outer level. Look at the start of the stack for this privilege level. The TSS contains
the starting stack address for levels 0-2. If the RPL of the saved SS selector is the privilege level
required, then the stack pointer has been found. Otherwise, go to the beginning of the stack defined
by that value and look at the saved SS:SP value there.
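
The stack switch of section 7.5.1.4 and the link walk described above, modeled in C as an added example (not code from the manual). The selector values, the 64-byte stack size and every function name are assumptions made for the demo, and the target code segment's privilege level is taken from the low two bits of its selector.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STACK_BYTES 64                 /* constructed: small stacks for the demo */
#define RPL(sel) ((sel) & 3u)

enum { OK = 0, STACK_FAULT, BAD_GATE, NOT_FOUND };

typedef struct { uint16_t sel; uint16_t mem[STACK_BYTES / 2]; } StackSeg;
typedef struct { uint16_t ss[3], sp[3]; } Tss;     /* static initial SS:SP, levels 0-2 */
typedef struct { uint16_t cs, ip, ss, sp; } Cpu;

/* Constructed selectors; the low two bits of each are the privilege level.
   Level 2 is never used in this demo, so it has no stack. */
static StackSeg segs[3] = { { .sel = 0x0010 }, { .sel = 0x0019 }, { .sel = 0x0023 } };
static const Tss tss = { .ss = { 0x0010, 0x0019, 0 }, .sp = { STACK_BYTES, STACK_BYTES, 0 } };

static StackSeg *seg_of(uint16_t sel) {
    for (size_t i = 0; i < 3; i++)
        if (segs[i].sel == sel) return &segs[i];
    return NULL;
}

static void push(StackSeg *s, uint16_t *sp, uint16_t v) {
    *sp -= 2;
    s->mem[*sp / 2] = v;
}

/* Inter-level CALL through a gate: switch to the TSS stack for the new CPL, save
   the caller's SS:SP, copy `words` parameters, then push the return address. */
static int gate_call(Cpu *cpu, const Tss *t, uint16_t new_cs, uint16_t new_ip, unsigned words) {
    unsigned new_cpl = RPL(new_cs);    /* assumption: target DPL equals the selector's RPL */
    if (new_cpl >= RPL(cpu->cs) || words > 31) return BAD_GATE;
    uint16_t nss = t->ss[new_cpl], nsp = t->sp[new_cpl];
    StackSeg *ns = seg_of(nss), *os = seg_of(cpu->ss);
    if (!ns || !os || RPL(nss) != new_cpl || nsp > STACK_BYTES) return STACK_FAULT;
    if (nsp < (4 + words) * 2) return STACK_FAULT;              /* room check before copying */
    if (cpu->sp + words * 2 > STACK_BYTES) return STACK_FAULT;  /* model bound on the old stack */
    push(ns, &nsp, cpu->ss);                   /* first two words: caller's SS, then SP */
    push(ns, &nsp, cpu->sp);
    for (unsigned i = words; i-- > 0; )        /* highest-addressed parameter first */
        push(ns, &nsp, os->mem[cpu->sp / 2 + i]);
    push(ns, &nsp, cpu->cs);                   /* return link: old CS, then old IP */
    push(ns, &nsp, cpu->ip);
    cpu->cs = new_cs; cpu->ip = new_ip; cpu->ss = nss; cpu->sp = nsp;
    return OK;
}

/* Starting at the stack of the running level `cur`, follow the saved SS:SP words
   at the start of each inner stack until the one saved for level `wanted` is found. */
static int find_outer_stack(const Tss *t, unsigned cur, unsigned wanted,
                            uint16_t *ss, uint16_t *sp) {
    while (cur < 3) {                          /* level 3 stacks never hold links */
        StackSeg *s = seg_of(t->ss[cur]);
        if (!s || t->sp[cur] < 4 || t->sp[cur] > STACK_BYTES) return NOT_FOUND;
        uint16_t saved_ss = s->mem[t->sp[cur] / 2 - 1];   /* first word pushed */
        uint16_t saved_sp = s->mem[t->sp[cur] / 2 - 2];   /* second word pushed */
        if (RPL(saved_ss) == wanted) { *ss = saved_ss; *sp = saved_sp; return OK; }
        if (RPL(saved_ss) <= cur) return NOT_FOUND;       /* links only point outward */
        cur = RPL(saved_ss);
    }
    return NOT_FOUND;
}

/* Constructed scenario: level 3 calls level 1 with two parameters, and level 1
   then calls level 0 with one parameter. */
static int run_demo(Cpu *cpu) {
    *cpu = (Cpu){ .cs = 0x001B, .ip = 0x0100, .ss = 0x0023, .sp = STACK_BYTES };
    push(seg_of(cpu->ss), &cpu->sp, 0xBBBB);   /* PARM 2 */
    push(seg_of(cpu->ss), &cpu->sp, 0xAAAA);   /* PARM 1, top of the level 3 stack */
    int rc = gate_call(cpu, &tss, 0x0029, 0x0200, 2);
    if (rc != OK) return rc;
    push(seg_of(cpu->ss), &cpu->sp, 0xCCCC);   /* level 1 pushes its own parameter */
    return gate_call(cpu, &tss, 0x0008, 0x0300, 1);
}

int main(void) {
    Cpu cpu;
    uint16_t ss, sp;
    if (run_demo(&cpu) != OK) return 1;
    if (find_outer_stack(&tss, 0, 3, &ss, &sp) == OK)
        printf("level 3 stack pointer saved as %04X:%04X\n", (unsigned)ss, (unsigned)sp);
    return 0;
}
```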

8.2.1 Task State Segment Descriptors
A special descriptor is used for task state segments. This descriptor must be accessible at all times;
therefore, it can appear only in the GDT. The access byte distinguishes TSS descriptors from data or
code segment descriptors. When bits 0 through 4 of the access byte are 00001 or 00011, the descriptor
is for a TSS.
The complete layout of a task state segment descriptor is shown in figure 8-2.
Like a data segment, the descriptor contains a base address and limit field. The limit must be at least
002BH (43) to contain the minimum amount of information required for a TSS. An invalid task exception will occur if an attempt is made to switch to a task whose TSS descriptor limit is less than 43. The
error code will identify the bad TSS.


Figure 8-2. TSS Descriptor

  Byte offset   Contents
  +7, +6        Intel reserved*
  +5            Access byte: P (bit 7), DPL (bits 6-5), 0 (bit 4), 0 0 B 1 (bits 3-0)
  +4            TSS base 23-16
  +3, +2        TSS base 15-0
  +1, +0        TSS limit

B = 1 means task is busy and not available.
* Must be set to 0 for compatibility with the 80386.

The P-bit (Present) flag indicates whether this descriptor contains currently valid information: 1 means
yes, 0 no. A task switch that attempts to reference a not-present TSS causes a not-present exception
code identifying the task state segment selector.
The descriptor privilege level (DPL) controls use of the TSS by JMP or CALL instructions. By the
same reasoning as that for call gates, DPL can prevent a program from calling the TSS and thereby
cause a task switch. Section 8.3 discusses privilege considerations during a task switch in greater detail.
Bit 4 is always 0 since TSS is a control segment descriptor. Control segments cannot be accessed by
SS, DS, or ES. Any attempt to load those segment registers with a selector that refers to a control
segment causes a general protection trap. This rule prevents the program from improperly changing the
contents of a control segment.
TSS descriptors can have two states: idle and busy. Bit 1 of the access byte distinguishes them. The
distinction is necessary since tasks are not re-entrant; a busy TSS may not be invoked.

8.3 TASK SWITCHING
A task switch may occur in one of four ways:
1. The destination selector of a long JMP or CALL instruction refers to a TSS descriptor. The offset
   portion of the destination address is ignored.
2. An IRET instruction is executed when the NT bit in the flag word = 1. The new task TSS
   selector is in the back link field of the current TSS.
3. The destination selector of a long JMP or CALL instruction refers to a task gate. The offset
   portion of the destination address is ignored. The new task TSS selector is in the gate. (See section
   8.5 for more information on task gates.)
4. An interrupt occurs. This interrupt's vector refers to a task gate in the interrupt descriptor table.
   The new task TSS selector is in the gate. See section 9.4 for more information on interrupt tasks.

No new instructions are required for a task switch operation. The standard 8086 JMP, CALL, IRET,
or interrupt operations perform this function. The distinction between the standard instruction and a
task switch is made either by the type of descriptor referenced (for CALL, JMP, or INT) or by the
NT bit (for IRET) in the flag word.
Using the CALL or INT instruction to switch tasks implies a return is expected from the called task.
The JMP and IRET instructions imply no return is expected from the new task.
When NT = 1, the IRET instruction causes a return to the task that called the current one via CALL
or INT instruction.
Access to TSS and task gate descriptors is restricted by the rules of privilege level. The data access
rules are used, thereby allowing task switches to be restricted to programs of sufficient privilege. Address
space separation does not apply to TSS descriptors since they must be in the GDT. The access rules
for interrupts are discussed in section 9.4.
The task switch operation consists of the following eight steps:
1. Validate the requested task switch. For a task switch requested via a JMP, CALL, or an INT
   instruction, check that the current task is allowed to switch to the requested task. The DPL of the
   gate or the TSS descriptor for the requested task must be greater than or equal to both the CPL
   and the RPL of the requesting task. If it is not, the General Protection fault (#13) will occur with
   an error code identifying the descriptor (i.e., the gate selector if the task switch is requested via a
   task gate, or the selector for the TSS if the task switch is requested via a TSS descriptor).
   These checks are not performed if a task switch occurs due to an IRET instruction.
2. Check that the new TSS is present and that the new task is available (i.e., not Busy). A Not
   Present exception (#11) is signaled if the new TSS descriptor is marked 'Not Present' (P = 0).
   The General Protection exception (#13) is raised if the new TSS is marked 'Busy'.
   The task switch operation actually begins now and a detailed verification of the new TSS is carried
   out. Conditions which may disqualify the new TSS are listed in table 8-1 along with the exception
   raised and the error code pushed on the stack for each case. These tests are performed at different
   points during the course of the following remaining steps of the task switch operation.
3. Mark the new task to be BUSY by setting the 'BUSY' bit in the new TSS descriptor to 1.
4. Save the dynamic portion of the old TSS and load TR with the selector, base and limit for the
   new TSS. Set all CPU registers to corresponding values from the new TSS except DS, ES, CS,
   SS, and LDT.
5. If nesting tasks, set the Nested Task (NT) flag in the new TSS to 1. Also set the Task Switched
   flag (TS) of the CPU flag register to 1.
6. Validate the LDT selector and the LDT descriptor of the new TSS. Load the LDT cache (LDTR)
   with the LDT descriptor.
7. Validate the SS, CS, DS, and ES fields of the new TSS and load these values in their respective
   caches (i.e., SS, CS, DS, and ES registers).
8. Validate the IP field of the new TSS and then start executing the new task from CS:IP.

A more detailed explanation of steps 3-5 is given in Appendix B (80286 Instruction Set) under a pseudo
procedure 'SWITCH_TASKS'. Notice how the exceptions described in table 8-1 may actually occur
during a task switch. Similarly the exceptions that may occur during steps 1-2, and step 8 are explained
in greater detail in the pseudo code description of the 286 instructions CALL, JMP, INT, and IRET
in Appendix B. This information can be very helpful when debugging any protected mode code.
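
The entry checks of steps 1 through 3, together with the limit test of Table 8-1, written out in C as an added example rather than code from the manual. The GDT bytes are constructed, the function names are hypothetical, and the error code is modeled as the selector with its RPL bits cleared.

```c
#include <stdint.h>
#include <stdio.h>

/* Invalid TSS is vector 10 on the 80286; #11 and #13 are the numbers given in the steps. */
enum { EXC_NONE = 0, EXC_TS = 10, EXC_NP = 11, EXC_GP = 13, NOT_A_TSS = -1 };
enum { VIA_JMP_CALL, VIA_IRET };

typedef struct { int exception; uint16_t error_code; } Result;
typedef struct { uint16_t limit; uint32_t base; unsigned present, dpl, busy; int is_tss; } TssDesc;

/* Decode the 8-byte descriptor layout of Figure 8-2. */
static TssDesc decode(const uint8_t d[8]) {
    TssDesc t;
    t.limit   = (uint16_t)(d[0] | d[1] << 8);
    t.base    = (uint32_t)d[2] | (uint32_t)d[3] << 8 | (uint32_t)d[4] << 16;
    t.present = d[5] >> 7;
    t.dpl     = (d[5] >> 5) & 3u;
    t.busy    = (d[5] >> 1) & 1u;
    t.is_tss  = (d[5] & 0x1D) == 0x01;   /* bits 0-4 are 00001 or 00011 */
    return t;
}

/* NOT_A_TSS is a model-only status for selectors this section says nothing about
   (LDT selector, out of table, other descriptor type). The model runs the limit
   test before marking the task busy; the manual only says the Table 8-1 tests
   happen at different points of the switch. */
static Result check_task_switch(uint8_t *gdt, uint16_t gdt_limit, uint16_t selector,
                                unsigned cpl, int how) {
    uint16_t err = selector & 0xFFFC;    /* selector with RPL bits cleared, EXT = 0 */
    unsigned off = selector & 0xFFF8u;
    unsigned rpl = selector & 3u;
    if ((selector & 4) || off + 7 > gdt_limit) return (Result){ NOT_A_TSS, err };
    TssDesc t = decode(gdt + off);
    if (!t.is_tss) return (Result){ NOT_A_TSS, err };
    if (how == VIA_JMP_CALL && (t.dpl < cpl || t.dpl < rpl))
        return (Result){ EXC_GP, err };                /* step 1, skipped for IRET */
    if (!t.present) return (Result){ EXC_NP, err };    /* step 2: not present */
    if (how == VIA_JMP_CALL ? t.busy : !t.busy)
        return (Result){ EXC_GP, err };                /* busy rule: idle for JMP/CALL, busy for IRET */
    if (t.limit < 43) return (Result){ EXC_TS, err };  /* too small to hold a TSS */
    if (how == VIA_JMP_CALL) gdt[off + 5] |= 0x02;     /* step 3: mark incoming task busy */
    return (Result){ EXC_NONE, 0 };
}

/* Constructed GDT: null entry followed by five TSS descriptors. */
static uint8_t sample_gdt[48] = {
    0,    0, 0, 0,    0, 0,    0, 0,     /* 0x00 null */
    0x2B, 0, 0, 0x10, 0, 0x81, 0, 0,     /* 0x08 idle, DPL 0 */
    0x2B, 0, 0, 0x20, 0, 0x83, 0, 0,     /* 0x10 busy, DPL 0 */
    0x2B, 0, 0, 0x30, 0, 0x61, 0, 0,     /* 0x18 not present, DPL 3 */
    0x20, 0, 0, 0x40, 0, 0xE1, 0, 0,     /* 0x20 limit too small, DPL 3 */
    0x2B, 0, 0, 0x50, 0, 0xE1, 0, 0,     /* 0x28 idle, DPL 3 */
};

int main(void) {
    static const uint16_t sels[] = { 0x2B, 0x2B, 0x08, 0x18, 0x20 };
    for (unsigned i = 0; i < sizeof sels / sizeof sels[0]; i++) {
        Result r = check_task_switch(sample_gdt, 47, sels[i], 3, VIA_JMP_CALL);
        printf("CALL %04X at CPL 3 -> exception %d, error code %04X\n",
               (unsigned)sels[i], r.exception, (unsigned)r.error_code);
    }
    return 0;
}
```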


Note that the state of the outgoing task is always saved. If execution of that task is resumed, it will
start after the instruction that caused the task switch. The values of the registers will be the same as
that when the task stopped running.
Any task switch sets the Task Switched (TS) bit in the Machine Status Word (MSW). This flag is
used when processor extensions such as the 80287 Numeric Processor Extension are present. The TS
bit signals that the context of the processor extension may not belong to the current 80286 task.
Chapter 11 discusses the TS bit and processor extensions in more detail.
Validity tests on a selector ensure that the selector is in the proper table (i.e., the LDT selector refers
to GDT), lies within the bounds of the table, and refers to the proper type of descriptor (i.e., the LDT
selector refers to the LDT descriptor).
Note that between steps 3 and 4 in table 8-1, all the registers of the new task are loaded. Several
protection rule violations may exist in the new segment register contents. If an exception occurs in the
context of the new task due to checks performed on the newly loaded descriptors, the DS and ES
segments may not be accessible even though the segment registers contain non-zero values. These selector values must be saved for later reuse. When the exception handler reloads these segment registers,
another protection exception may occur unless the exception handler pre-examines them and fixes any
potential problems.
A task switch allows flexibility in the privilege level of the outgoing and incoming tasks. The privilege
level at which execution resumes in the incoming task is not restricted by the privilege level of the
outgoing task. This is reasonable, since both tasks are isolated from each other with separate address
spaces and machine states. The privilege rules prevent improper access to a TSS. The only interaction
between the tasks is to the extent that one started the other and the incoming task may restart the
outgoing task by executing an IRET instruction.
Table 8-1. Checks Made during a Task Switch

      Test                                        Exception*     Error Code
 1    Incoming TSS descriptor is present          NP             Incoming TSS selector
 2    Incoming TSS is idle                        GP             Incoming TSS selector
 3    Limit of incoming TSS greater than 43       Invalid TSS    Incoming TSS selector
 4    LDT selector of incoming TSS is valid       Invalid TSS    LDT selector
 5    LDT of incoming TSS is present              Invalid TSS    LDT selector
 6    CS selector is valid                        Invalid TSS    Code segment selector
 7    Code segment is present                     NP             Code segment selector
 8    Code segment DPL matches CS RPL             Invalid TSS    Code segment selector
 9    Stack segment is valid                      SF             Stack segment selector
10    Stack segment is writable data segment      GP             Stack segment selector
11    Stack segment is present                    SF             Stack segment selector
12    Stack segment DPL = CPL                     SF             Stack segment selector
13    DS/ES selectors are valid                   GP             Segment selector
14    DS/ES segments are readable                 GP             Segment selector
15    DS/ES segments are present                  NP             Segment selector
16    DS/ES segment DPL ≥ CPL if not conform      GP             Segment selector

*NP = Not-Present Exception
 GP = General Protection Fault
 SF = Stack Fault


8.4 TASK LINKING
The TSS has a field called "back link" which contains the selector of the TSS of a task that should be
restarted when the current task completes. The back link field of an interrupt-initiated task is automatically written with the TSS selector of the interrupted task.
A task switch initiated by a CALL instruction also points the back link at the outgoing task's TSS.
Such task nesting is indicated to programs via the Nested Task (NT) bit in the flag word of the
incoming task.
Task nesting is necessary for interrupt functions to be processed as separate tasks. The interrupt function
is thereby isolated from all other tasks in the system. To restart the interrupted task, the interrupt
handler executes an IRET instruction much in the same manner as an 8086 interrupt handler. The
IRET instruction will then cause a task switch to the interrupted task.
Completion of a task occurs when the IRET instruction is executed with the NT bit in the flag word
set. The NT bit is automatically set/reset by task switch operations as appropriate. Executing an IRET
instruction with NT cleared causes the normal 8086 interrupt return function to be performed, and no
task switch occurs.
Executing IRET with NT set causes a task switch to the task defined by the back link field of the
current TSS. The selector value is fetched and verified as pointing to a valid, accessible TSS. The
normal task switch operation described in section 8.3 then occurs. After the task switch is complete,
the outgoing task is now idle and considered ready to process another interrupt.
Table 8-2 shows how the busy bit, NT bit, and link word of the incoming and outgoing task are affected
by task switch operations caused by JMP, CALL, or IRET instructions.
Violation of any of the busy bit requirements shown in table 8-2 causes a general protection fault with
the saved machine state appearing as if the instruction had not executed. The error code identifies the
selector of the TSS with the busy bit.

A bus lock is applied during the testing and setting of the TSS descriptor busy bit to ensure that two
processors do not invoke the same task at the same time. See also section 11.4 for other multi-processor
considerations.
Table 8-2. Effect of a Task Switch on BUSY and NT Bits and the Link Word

Affected Field                             JMP Instruction          CALL/INT Instruction                IRET Instruction
                                           Effect                   Effect                              Effect
Busy bit of incoming task TSS descriptor   Set, must be 0 before    Set, must be 0 before               Unchanged, must be set
Busy bit of outgoing task TSS descriptor   Cleared                  Unchanged (will already be 1)       Cleared
NT bit in incoming task flag word          Cleared                  Set                                 Unchanged
NT bit in outgoing task flag word          Unchanged                Unchanged                           Cleared
Back link in incoming task TSS             Unchanged                Set to outgoing task TSS selector   Unchanged
Back link of outgoing task TSS             Unchanged                Unchanged                           Unchanged


The linking order of tasks may need to be changed to restart an interrupted task before the task that
interrupted it completes. To remove a task from the list, trusted operating system software must change
the backlink field in the TSS of the interrupting task first, then clear the busy bit in the TSS descriptor
of the task removed from the list.
When trusted software deletes the link from one task to another, it should place a value in the backlink
field, which will pass control to that trusted software when the task attempts to resume execution of
another task via IRET.
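
Table 8-2 and the relinking procedure above as a small state model in C; this is an added example, not the manual's code. Task selectors and function names are constructed for the demo, and an unknown selector returns a model-only error rather than a processor exception.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NTASKS 3
enum Op { OP_JMP, OP_CALL, OP_IRET };          /* OP_CALL also stands for INT */
enum { SW_OK = 0, SW_GP = 13, SW_BAD_SELECTOR = -1 };

typedef struct {
    uint16_t selector;    /* TSS selector (constructed value) */
    bool     busy;        /* busy bit in the TSS descriptor */
    bool     nt;          /* NT bit in the task's flag word */
    uint16_t back_link;   /* back link field of the TSS */
} Task;

typedef struct { Task t[NTASKS]; int current; } System;

static int task_index(const System *s, uint16_t sel) {
    for (int i = 0; i < NTASKS; i++)
        if (s->t[i].selector == sel) return i;
    return -1;
}

/* One task switch with the effects of Table 8-2. For OP_IRET the target comes
   from the current task's back link and target_sel is ignored. */
static int task_switch(System *s, enum Op op, uint16_t target_sel, uint16_t *err) {
    Task *out = &s->t[s->current];
    if (op == OP_IRET) {
        if (!out->nt) return SW_OK;            /* NT clear: ordinary return, no task switch */
        target_sel = out->back_link;
    }
    int i = task_index(s, target_sel);
    if (i < 0) { *err = target_sel; return SW_BAD_SELECTOR; }
    Task *in = &s->t[i];
    bool must_be_busy = (op == OP_IRET);       /* JMP/CALL need an idle target */
    if (in->busy != must_be_busy) { *err = in->selector; return SW_GP; }
    switch (op) {
    case OP_JMP:  in->busy = true; out->busy = false; in->nt = false; break;
    case OP_CALL: in->busy = true; in->nt = true; in->back_link = out->selector; break;
    case OP_IRET: out->busy = false; out->nt = false; break;
    }
    s->current = i;
    return SW_OK;
}

/* Remove `removed` from the chain: repoint the interrupting task's back link at
   trusted software first, then clear the busy bit of the removed task. */
static int unlink_task(System *s, uint16_t interrupter, uint16_t removed, uint16_t trusted) {
    int a = task_index(s, interrupter), b = task_index(s, removed);
    if (a < 0 || b < 0 || s->t[a].back_link != removed) return -1;
    s->t[a].back_link = trusted;
    s->t[b].busy = false;
    return 0;
}

/* Constructed system: 0x40 = operating system task (running), 0x48 = A, 0x50 = B. */
static System make_system(void) {
    System s = { .t = { { 0x40, true, false, 0 }, { 0x48, false, false, 0 },
                        { 0x50, false, false, 0 } }, .current = 0 };
    return s;
}

int main(void) {
    System s = make_system();
    uint16_t err = 0;
    task_switch(&s, OP_JMP, 0x48, &err);       /* OS starts task A */
    task_switch(&s, OP_CALL, 0x50, &err);      /* A is interrupted by task B */
    int rc = task_switch(&s, OP_CALL, 0x48, &err);
    printf("B calling busy task A -> %d, error code %04X\n", rc, (unsigned)err);
    return 0;
}
```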

8.5 TASK GATES
A task may be invoked by several different events. Task gates are provided to support this need. Task
gates are used in the same way as call and interrupt gates. The ultimate effect of jumping to or calling
a task gate is the same as jumping to or calling directly to the TSS in the task gate.
Figure 8-3 depicts the layout of a task gate.
A task gate is identified by the access byte field in bits 0 through 4 being 00101. The gate provides an
extra level of indirection between the destination address and the TSS selector value. The offset portion
of the JMP or CALL destination address is ignored.
Gate use provides flexibility in controlling access to tasks. Task gates can appear in the GDT, IDT, or
LDT. The TSS descriptors for all tasks must be kept in the GDT. They are normally placed at level 0
to prevent any task from improperly invoking another task. Task gates placed in the LDT allow private
access to selected tasks with full privilege control.
The data segment access rules apply to accessing a task gate via JMP, CALL, or INT instructions.
The effective privilege level (EPL) of the destination selector must be numerically less than or equal
to the DPL of the task gate descriptor. Any violation of this requirement causes a general protection
fault with an error code identifying the task gate involved.

Figure 8-3. Task Gate Descriptor

  Byte offset   Contents
  +7, +6        Intel reserved*
  +5            Access byte: P, DPL, 0 0 1 0 1
  +4            Unused
  +3, +2        TSS selector
  +1, +0        Unused

* Must be set to 0 for compatibility with the 80386.


Once access to the task gate has been verified, the TSS selector from the gate is read. The RPL of the
TSS selector is ignored. From this point, all the checks and actions performed for a JMP or CALL to
a TSS after access has been verified are performed (see section 8.4). Figure 8-4 illustrates an example
of a task switch through a task gate.

Figure 8-4. Task Switch Through a Task Gate
(Diagram not reproduced. Labels: Task A and Task B, each with its own LDT, LDT selector and TSS;
the LDT descriptors and TSS descriptors in the GDT; a task gate whose selector leads to a TSS
descriptor; the back link field of the TSS.)

CHAPTER 9
INTERRUPTS AND EXCEPTIONS
Interrupts and exceptions are special cases of control transfer within a program. An interrupt occurs
as a result of an event that is independent of the currently executing program, while exceptions are a
direct result of the program currently being executed. Interrupts may be external or internal. External
interrupts are generated by either the INTR or NMI input pins. Internal interrupts are caused by the
INT instruction. Exceptions occur when an instruction cannot be completed normally. Although their
causes differ, interrupts and exceptions use the same control transfer techniques and privilege rules;
therefore, in the following discussions the term interrupt will also apply to exceptions.
The program used to service an interrupt may execute in the context of the task that caused the
interrupt (i.e., used the same TSS, LDT, stacks, etc.) or may be a separate task. The choice depends
on the function to be performed and the level of isolation required.

9.1 INTERRUPT DESCRIPTOR TABLE
Many different events may cause an interrupt. To allow the reason for an interrupt to be easily identified, each interrupt source is given a number called the interrupt vector. Up to 256 different interrupt
vectors (numbers) are possible. See figure 9-1.
A table is used to define the handler for each interrupt vector. The Interrupt Descriptor Table (IDT)
defines the interrupt handlers for up to 256 different interrupts. The IDT is in physical memory, pointed
to by the contents of the on-chip IDT register that contains a 24-bit base and a 16-bit limit. The IDTR
is normally loaded with the LIDT instruction by code that executes at privilege level 0 during system
initialization. The IDT may be located anywhere in the physical address space of the 80286.

Figure 9-1. Interrupt Descriptor Table Definition
(Diagram not reproduced. The IDTR in the CPU holds the 24-bit IDT base and the 16-bit IDT limit.
The interrupt descriptor table (IDT) in memory holds the gates for interrupt #0, interrupt #1, and so
on up to interrupt #n. The IDT may contain interrupt gates, traps or task gates only.)


Each IDT entry is a 4-word gate descriptor that contains a pointer to the handler. The three types of
gates permitted in the IDT are interrupt gates, trap gates (discussed in section 9.3), and task gates
(discussed in section 9.5). Interrupt and trap gates process interrupts in the same task, while task gates
cause a task switch. Any other descriptor type in the IDT will cause an exception if it is referenced by
an interrupt.
The IDT need not contain all 256 entries. A 16-bit limit register allows less than the full number of
entries. Unused entries may be signaled by placing a zero in the access rights byte. If an attempt is
made to access an entry outside the table limit, or if the wrong descriptor type is found, a general
protection fault occurs with an error code pushed on the stack identifying the invalid interrupt vector
(see figure 9-2).
Exception error codes that refer to an IDT entry can be identified by bit 1 of the error code that will
be set. Bit 0 of the error code is 1 if the interrupt was caused by an event external to the program
(i.e., an external interrupt, a single step, a processor extension error, or a processor extension not present).
Interrupts 0-31 are reserved for use by Intel. Some of the interrupts are used for instruction exceptions.
The IDT limit must be at least 255 (32 × 8 - 1) to accommodate the minimum number of interrupts.
The remaining 224 interrupts are available to the user.
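
The vector lookup and error code format of this section as an added C example, not code from the manual. The IDT contents are constructed; gate type codes 6 (interrupt gate) and 7 (trap gate) come from the 80286 descriptor encoding rather than from this section, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum { GATE_TASK = 5, GATE_INTERRUPT = 6, GATE_TRAP = 7 };   /* access byte bits 0-4 */

typedef struct { int gp_fault; uint16_t error_code; unsigned gate_type; } IdtLookup;
typedef struct { unsigned vector; int refers_to_idt; int external; } ErrInfo;

/* Error code for a fault on an IDT entry: vector in bits 10-3, bit 1 set, bit 0 = EXT. */
static uint16_t idt_error_code(uint8_t vector, int ext) {
    return (uint16_t)((unsigned)vector << 3 | 2u | (ext ? 1u : 0u));
}

/* Split an error code back into its fields; vector is meaningful only when bit 1 is set. */
static ErrInfo decode_error_code(uint16_t code) {
    ErrInfo e = { (code >> 3) & 0xFFu, (code >> 1) & 1, code & 1 };
    return e;
}

/* Look up a vector: entries beyond the IDT limit and entries that are not an
   interrupt, trap or task gate (including unused entries with a zero access
   byte) produce a general protection fault that names the vector. */
static IdtLookup idt_lookup(const uint8_t *idt, uint16_t limit, uint8_t vector, int ext) {
    IdtLookup r = { 0, 0, 0 };
    unsigned off = vector * 8u;
    unsigned type = 0;
    if (off + 7 <= limit) type = idt[off + 5] & 0x1Fu;   /* entry lies inside the table */
    if (type != GATE_TASK && type != GATE_INTERRUPT && type != GATE_TRAP) {
        r.gp_fault = 1;
        r.error_code = idt_error_code(vector, ext);
        return r;
    }
    r.gate_type = type;
    return r;
}

/* Constructed IDT with 33 entries; only the access bytes matter for this demo. */
#define IDT_ENTRIES 33
static uint8_t sample_idt[IDT_ENTRIES * 8];

static uint16_t build_sample_idt(void) {
    sample_idt[2 * 8 + 5] = 0x86;    /* vector 2: interrupt gate, present, DPL 0 */
    sample_idt[3 * 8 + 5] = 0x87;    /* vector 3: trap gate */
    sample_idt[8 * 8 + 5] = 0x85;    /* vector 8: task gate */
    sample_idt[32 * 8 + 5] = 0x00;   /* vector 32: unused entry */
    return IDT_ENTRIES * 8 - 1;      /* IDT limit */
}

int main(void) {
    uint16_t limit = build_sample_idt();
    IdtLookup r = idt_lookup(sample_idt, limit, 33, 1);
    ErrInfo e = decode_error_code(r.error_code);
    printf("vector 33: fault=%d code=%04X (vector %u, IDT=%d, EXT=%d)\n",
           r.gp_fault, (unsigned)r.error_code, e.vector, e.refers_to_idt, e.external);
    return 0;
}
```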

9.2 HARDWARE INITIATED INTERRUPTS
Hardware-initiated interrupts are caused by some external event that activates either the INTR or
NMI input pins of the processor. Events that use the INTR input are classified as maskable interrupts.
Events that use the NMI input are classified as non-maskable interrupts.
All 224 user-defined interrupt sources share the INTR input, but each has the ability to use a separate
interrupt handler. An 8-bit vector supplied by the interrupt controller identifies which interrupt is
being signaled. To read the interrupt id, the processor performs the interrupt acknowledge bus sequence.
Maskable interrupts (from the INTR input) can be inhibited by software by setting the interrupt flag
bit (IF) to 0 in the flag word. The IF bit does not inhibit exceptions or interrupts caused by the INT
instruction. The IF bit also does not inhibit processor extension interrupts.

Figure 9-2. IDT Selector Error Code

  Bits 15-11    0 0 0 0 0
  Bits 10-3     IDT vector
  Bit 2         0
  Bit 1         1
  Bit 0         EXT

  EXT = 1   An event external to the program caused the exception (i.e., external interrupt, single
            step, processor extension error)
  EXT = 0   An exception occurred while processing an instruction at CS:IP saved on stack


The type of gate placed into the IDT for the interrupt vector will control whether other maskable
interrupts remain enabled or not during the servicing of that interrupt. The flag word that was saved
on the stack reflects the maskable interrupt enable status of the processor prior to the interrupt. The
procedure servicing a maskable interrupt can also prevent further maskable interrupts during its work
by resetting the IF flag.
Non-maskable interrupts are caused by the NMI input. They have a higher priority than the maskable
interrupts (meaning that in case of simultaneous requests, the non-maskable interrupt will be serviced
first). A non-maskable interrupt has a fixed vector (#2) and therefore does not require an interrupt
acknowledge sequence on the bus. A typical use of an NMI is to invoke a procedure to handle a power
failure or some other critical hardware exception.
A procedure servicing an NMI will not be further interrupted by other non-maskable interrupt requests
until an IRET instruction is executed. A further NMI request is remembered by the hardware and will
be serviced after the first IRET instruction. Only one NMI request can be remembered. To prevent a
maskable interrupt from interrupting the NMI interrupt handler, the IF flag should be cleared either
by using an interrupt gate in the IDT or by setting IF = 0 in the flag word of the task involved.

9.3 SOFTWARE INITIATED INTERRUPTS
Software initiated interrupts occur explicitly as interrupt instructions or may arise as the result of an
exceptional condition that prevents the continuation of program execution. Software interrupts are not
maskable. Two interrupt instructions exist which explicitly cause an interrupt: INT n and INT 3. The
first allows specification of any interrupt vector; the second implies interrupt vector 3 (Breakpoint).
Other instructions like INTO, BOUND, DIV, and IDIV may cause an interrupt, depending on the
overflow flag or values of the operands. These instructions have predefined vectors associated with
them in the first 32 interrupts reserved by Intel.
A whole class of interrupts called exceptions are intended to detect faults or programming errors (in
the use of operands or privilege levels). Exceptions cannot be masked. They also have fixed vectors
within the first 32 interrupts. Many of these exceptions pass an error code on the stack, which is not
the case with the other interrupt types discussed in section 9.2. Section 9.5 discusses these error codes
as well as the priority among interrupts that can occur simultaneously.

9.4 INTERRUPT GATES AND TRAP GATES
Interrupt gates and trap gates are special types of descriptors that may only appear in the interrupt
descriptor table. The difference between a trap and an interrupt gate is whether the interrupt enable
flag is to be cleared or not. An interrupt gate specifies a procedure that enters with interrupts disabled
(i.e., with the interrupt enable flag cleared); entry via a trap gate leaves the interrupt enable status
unchanged. The NT flag is always cleared (after the old NT state is saved on the stack) when an
interrupt uses these gates. Interrupts that have either gate in the associated IDT entry will be processed
in the current task.
Interrupt and trap gates have the same structure as the call gates discussed in section 7.5.1. The
selector and entry point for a code segment to handle the interrupt or exception is contained in the
gate. See figure 9-3.


[Figure 9-3. Trap/Interrupt Gate Descriptors. An 8-byte descriptor containing the INTERRUPT CODE OFFSET, the INTERRUPT CODE SEGMENT SELECTOR, an UNUSED byte, the access byte (P, DPL, and a type field ending in the T bit), and an INTEL RESERVED word that must be set to 0 for compatibility with the 80386. T = 1 for trap gate; T = 0 for interrupt gate.]

The access byte contains the Present bit, the descriptor privilege level, and the type identifier. Bits
0-4 of the access byte have a value of 00110 for interrupt gates, 00111 for trap gates. Byte 5 of the
descriptor is not used by either of these gates; it is used only by the call gate, which uses it as the
parameter word-count.
Trap and interrupt gates allow a privilege level transition to occur when passing control to a non-conforming code segment. Like a call gate, the DPL of the target code segment selected determines
the new CPL. The DPL of the new non-conforming code segment must be numerically less than or
equal to CPL.
No privilege transition occurs if the new code segment is conforming. If the DPL of the conforming
code segment is greater than the CPL, a general protection exception will occur.
As with all descriptors, these gates in the IDT carry a privilege level. The DPL controls access to
interrupts with the INT n and INT 3 instructions. For access, the CPL of the program must be less
than or equal to the gate DPL. If the CPL is not, a general protection exception will result with an
error code identifying the selected IDT gate. For exceptions and external interrupts, the CPL of the
program is ignored while accessing the IDT.
Interrupts using a trap or an interrupt gate are handled in the same manner as an 8086 interrupt. The
flags and return address of the interrupted program are saved on the stack of the interrupt handler. To
return to the interrupted program, the interrupt handler executes an IRET instruction.
If an increase in privilege is required for handling the interrupt, a new stack will be loaded from the
TSS. The stack pointer of the old privilege level will also be saved on the new stack in the same manner
as a call gate. Figure 9-4 shows the stack contents after an exception with an error code (with and
without a privilege level change).

If an interrupt or trap gate is used to handle an exception that passes an error code, the error code will
be pushed onto the new stack after the return address (as shown in figure 9-4). If a task gate is used,
the error code is pushed onto the stack of the new task. The return address is saved in the old TSS.


[Figure 9-4. Stack Layout after an Exception with an Error Code. Two stack segment diagrams. No privilege transition: OLD FLAGS, OLD CS, OLD IP, and ERROR CODE are pushed below OLD SP, and SP is left pointing at ERROR CODE. With privilege transition: starting at the SS and SP taken from the TSS, OLD SS, OLD SP, OLD FLAGS, OLD CS, OLD IP, and ERROR CODE are pushed, and SP is left pointing at ERROR CODE.]

If an interrupt gate is used to handle an interrupt, it is assumed that the selected code segment has
sufficient privilege to re-enable interrupts. The IRET instruction will not re-enable interrupts if CPL
is numerically greater than IOPL.

Table 9-1 shows the checks performed during an interrupt operation that uses an interrupt or trap gate.
EXT equals 1 when an event external to the program is involved; 0 otherwise. External events are
maskable or non-maskable interrupts, single step interrupt, processor extension segment overrun interrupt, numeric processor not-present exception or numeric processor error. The EXT bit signals that the
interrupt or exception is not related to the instruction at CS:IP. Each error code has bit 1 set to indicate
an IDT entry is involved.
When the interrupt has been serviced, the service routine returns control via an IRET instruction to
the routine that was interrupted. If an error code was passed, the exception handler must remove the
error code from the stack before executing IRET.
The NT flag is cleared when an interrupt occurs which uses an interrupt or trap gate. Executing IRET
with NT=0 causes the normal interrupt return function. Executing IRET with NT=1 causes a task
switch (see section 8.4 for more details).


Table 9-1. Trap and Interrupt Gate Checks

Check                                                     Exception   Error Code
--------------------------------------------------------  ---------   ----------------------------
Interrupt vector is in IDT limit                          GP          IDT entry × 8 + 2 + EXT
Trap, Interrupt, or Task Gate in IDT Entry                GP          IDT entry × 8 + 2 + EXT
If INT instruction, gate DPL                              GP          IDT entry × 8 + 2 + EXT
P bit of gate is set                                      NP          IDT entry × 8 + 2 + EXT
Code segment selector is in descriptor table limit        GP          CS selector × 8 + EXT
CS selector refers to a code segment                      GP          CS selector × 8 + EXT
If code segment is non-conforming, Code Segment           GP          CS selector × 8 + EXT
  DPL ≤ CPL
If code segment is non-conforming, and DPL < CPL and if   TS          SS selector × 8 + EXT
  SS selector in TSS is in descriptor table limit
If code segment is non-conforming, and DPL < CPL and if   TS          SS selector × 8 + EXT
  SS is a writable data segment
If code segment is non-conforming, and DPL < CPL and      TS          Stack segment selector + EXT
  code segment DPL = stack segment DPL

If code segment is non-conforming, and DPL CPL
DS or ES segment selector is outside table limits
DS or ES are not readable segments

The error code has the form shown in Table 9-5. The EXT bit will be set if an event external to the
program caused an interrupt that subsequently referenced a not-present segment. Bit 1 will be set if
the error code refers to an IDT entry, e.g., an INT instruction referencing a not-present gate. The
upper 14 bits are the upper 14 bits of the segment selector involved.
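The checks that Table 9-1 applies to the IDT entry itself, and the error-code layout described above, as an added C model that is not code from the Intel manual. The function and type names and the sample access bytes are assumptions; the vector numbers 11 (NP) and 13 (GP) and the task gate type 00101 come from general 80286 documentation rather than from this section.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Exception vectors: 11 = segment not present (NP), 13 = general protection (GP). */
enum { EXC_NONE = 0, EXC_NP = 11, EXC_GP = 13 };

/* Gate type field, bits 0-4 of the access byte. */
#define TYPE_TASK_GATE 0x05u   /* 00101: task gate (value not given in this section) */
#define TYPE_INT_GATE  0x06u   /* 00110: interrupt gate */
#define TYPE_TRAP_GATE 0x07u   /* 00111: trap gate */

struct gate_check {
    int      exception;    /* EXC_NONE, EXC_GP or EXC_NP */
    uint16_t error_code;   /* error code pushed with the exception, 0 if none */
};

/* Error code for a fault on an IDT entry: IDT entry x 8 + 2 + EXT. */
static uint16_t idt_error_code(unsigned vector, bool ext)
{
    return (uint16_t)(vector * 8u + 2u + (ext ? 1u : 0u));
}

/* Apply the first four checks of Table 9-1 in table order.
 *   idt_limit  offset of the last valid byte of the IDT
 *   access     access byte of the gate stored at that vector
 *   int_insn   true for INT n / INT 3, false for exceptions and external interrupts
 *   ext        true when the event is external to the program */
struct gate_check check_idt_gate(uint16_t idt_limit, uint8_t access,
                                 unsigned vector, unsigned cpl,
                                 bool int_insn, bool ext)
{
    struct gate_check fault = { EXC_GP, idt_error_code(vector, ext) };
    struct gate_check ok = { EXC_NONE, 0 };
    unsigned type = access & 0x1Fu;
    unsigned dpl = (access >> 5) & 0x3u;

    if (vector * 8u + 7u > idt_limit)      /* the whole 8-byte entry must fit */
        return fault;
    if (type != TYPE_TASK_GATE && type != TYPE_INT_GATE && type != TYPE_TRAP_GATE)
        return fault;
    if (int_insn && cpl > dpl)             /* INT needs CPL <= gate DPL */
        return fault;
    if (!(access & 0x80u)) {               /* P bit clear: not present */
        fault.exception = EXC_NP;
        return fault;
    }
    return ok;
}

struct decoded_error {
    bool     ext;        /* bit 0: event external to the program */
    bool     idt;        /* bit 1: code refers to an IDT entry */
    unsigned vector;     /* IDT entry number, valid when idt is true */
    uint16_t selector;   /* upper 14 bits of the selector, valid when idt is false */
};

/* Split an error code into the fields an exception handler would log. */
struct decoded_error decode_error_code(uint16_t code)
{
    struct decoded_error d;
    d.ext = (code & 1u) != 0;
    d.idt = (code & 2u) != 0;
    d.vector = d.idt ? (unsigned)(code >> 3) : 0u;
    d.selector = d.idt ? 0u : (uint16_t)(code & 0xFFFCu);
    return d;
}

int main(void)
{
    /* Constructed case: INT 21H from CPL 3 through a present DPL 0 interrupt gate. */
    struct gate_check r = check_idt_gate(0x1FF, 0x86, 0x21, 3, true, false);
    struct decoded_error d = decode_error_code(r.error_code);
    printf("exception %d, error code %04X, IDT=%d, vector %u, EXT=%d\n",
           r.exception, r.error_code, d.idt, d.vector, d.ext);
    return 0;
}
```

A handler that logs the decoded vector and the EXT bit can tell an INT n aimed at a gate with a lower DPL from a fault raised while an external interrupt was being delivered.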
During a task switch, when a not-present exception occurs, the ES and DS segment registers may not
be usable for referencing memory (the selector values are loaded before the descriptors are checked).
The not-present handler should not rely on being able to use the values found in ES, SS, and DS
without causing another exception. This is because the task switch itself may have changed the values
in the registers. The exception occurs in the new task and the return pointer points to the first instruction
of the new task. Caution: the loading of the DS or ES descriptors may not have been completed.
The exception 11 handler should ensure that the DS and ES descriptors have been properly loaded
before the execution of the first instruction of the new task.

9.6.6 Stack Fault (Interrupt 12)
Stack underflow or overflow causes exception 12, as does a not-present stack segment referenced during
an inter-task or inter-level transition. This exception is fully restartable. A limit violation of the current
stack results in an error code of 0. The EXT bit of the error code tells whether an interrupt external to
the program caused the exception.
Any instruction that loads a selector to SS (e.g., POP SS, task switch) can cause this exception. This
exception must use a task gate if there is a possibility that any level 0 stack may not be present.
When a stack fault occurs, the ES and DS segment registers may not be usable for referencing memory.
During a task switch, the selector values are loaded before the descriptors are checked. The stack fault
handler should check the saved values

[Figure 11-1. Expand-Down Segment. Diagram labels: BASE + LIMIT, EXPAND DOWN SEGMENT.]


[Figure 11-2. Dynamic Segment Relocation and Expansion of Segment limit. Diagram labels: BASE + 10000H, STACK, SEG.B, NEW BASE, OLD BASE.]

11.3 POINTER VALIDATION
Pointer validation is an important part of locating programming errors. Pointer validation is necessary
for maintaining isolation between the privilege levels. Pointer validation consists of the following steps:
1. Check if the supplier of the pointer is entitled to access the segment.
2. Check if the segment type is appropriate to its intended use.
3. Check if the pointer violates the segment limit.

The 80286 hardware automatically performs checks 2 and 3 during instruction execution, while software
must assist in performing the first check. This point is discussed in section 11.3.2. Software can explicitly perform steps 2 and 3 to check for potential violations (rather than causing an exception). The
unprivileged instructions LSL, LAR, VERR, and VERW are provided for this purpose.
The load access rights (LAR) instruction obtains the access rights byte of a descriptor pointed to by
the selector used in the instruction. If that selector is visible at the CPL, the instruction loads the
access byte into the specified destination register as the higher byte (the low byte is zero) and the zero
flag is set. Once loaded, the access bits can be tested. System segments such as a task state segment
or a descriptor table cannot be read or modified. This instruction is used to verify that a pointer refers
to a segment of the proper privilege level and type. If the RPL or CPL is greater than DPL, or the
selector is outside the table limit, no access value is returned and the zero flag is cleared. Conforming
code segments may be accessed from any RPL or CPL.
Additional parameter checking can be performed via the load segment limit (LSL) instruction. If the
descriptor denoted by the given selector (in memory or a register) is visible at the CPL, LSL loads the
specified register with a word that consists of the limit field of that descriptor. This can only be done
for segments, task state segments, and local descriptor tables (i.e., words from control descriptors are
inaccessible). Interpreting the limit is a function of the segment type. For example, downward expandable data segments treat the limit differently than code segments do.


For both LAR and LSL, the zero flag (ZF) is set if the loading was performed; otherwise, the zero flag
is cleared. Both instructions are undefined in real address mode, causing an invalid opcode exception
(interrupt #6).

11.3.1 Descriptor Validation
The 80286 has two instructions, VERR and VERW, which determine whether a selector points to a
segment that can be read or written at the current privilege level. Neither instruction causes a protection fault if the result is negative.
VERR verifies a segment for reading and loads ZF with 1 if that segment is readable from the current
privilege level. The validation process checks that: 1) the selector points to a descriptor within the
bounds of the GDT or LDT, 2) it denotes a segment descriptor (as opposed to a control descriptor),
and 3) the segment is readable and of appropriate privilege level. The privilege check for data segments
and non-conforming code segments is that the DPL must be numerically greater than or equal to both
the CPL and the selector's RPL. Conforming segments are not checked for privilege level.
VERW provides the same capability as VERR for verifying writability. Like the VERR instruction,
VERW loads ZF if the result of the writability check is positive. The instruction checks that the
descriptor is within bounds, is a segment descriptor, is writable, and that its DPL is numerically greater
than or equal to both the CPL and the selector's RPL. Code segments are never writable, conforming
or not.

11.3.2 Pointer Integrity: RPL and the "Trojan Horse Problem"
The Requested Privilege Level (RPL) feature can prevent inappropriate use of pointers that could
corrupt the operation of more privileged code or data from a less privileged level.
A common example is a file system procedure, FREAD (file_id, nybytes, buffer-ptr). This hypothetical
procedure reads data from a file into a buffer, overwriting whatever is there. Normally, FREAD would
be available at the user level, supplying only pointers to the file system procedures and data located
and operating at a privileged level. Normally, such a procedure prevents user-level procedures from
directly changing the file tables. However, in the absence of a standard protocol for checking pointer
validity, a user-level procedure could supply a pointer into the file tables in place of its buffer pointer,
causing the FREAD procedure to corrupt them unwittingly.
By using the RPL, you can avoid such problems. The RPL field allows a privilege attribute to be
assigned to a selector. This privilege attribute would normally indicate the privilege level of the code
which generated the selector. The 80286 hardware will automatically check the RPL of any selector
loaded into a segment register or a control register to see if the RPL allows access.
To guard against invalid pointers, the called procedure need only ensure that all selectors passed to it
have an RPL at least as high (numerically) as the original caller's CPL. This indicates that the selectors were not more trusted than their supplier. If one of the selectors is used to access a segment that
the caller would not be able to access directly, i.e., the RPL is numerically greater than the DPL, then
a protection fault will result when loaded into a segment or control register.
The caller's CPL is available in the CS selector that was pushed on the stack as the return address. A
special instruction, ARPL, can be used to appropriately adjust the RPL field of the pointer. ARPL
(Adjust RPL field of selector instruction) adjusts the RPL field of a selector to become the larger of
its original value and the value of the RPL field in a specified register. The latter is normally loaded
from the caller's CS register which can be found on the stack. If the adjustment changes the selector's
RPL, ZF is set; otherwise, the zero flag is cleared.
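The FREAD scenario from this section as an added C model, not code from the Intel manual: the same privileged routine is shown trusting the caller's selector and then adjusting it with ARPL before a VERW-style check. The descriptor table contents, the selector values, and the names fread_unchecked and fread_checked are constructed for the illustration, and the TI bit is ignored (every selector is taken to index one table).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t selector_t;          /* index (13 bits) | TI (1 bit) | RPL (2 bits) */
#define RPL_MASK 0x0003u

struct seg_desc {                     /* only the fields the privilege check needs */
    unsigned dpl;                     /* 0 = most privileged */
    bool     writable;                /* writable data segment */
};

/* Constructed descriptor table; entry 0 is the null descriptor. */
static const struct seg_desc gdt[] = {
    { 0, false },                     /* 0: null */
    { 0, true  },                     /* 1: file tables, DPL 0 */
    { 3, true  },                     /* 2: user buffer, DPL 3 */
};
#define GDT_ENTRIES (sizeof gdt / sizeof gdt[0])

#define SEL_FILE_TABLES ((selector_t)((1u << 3) | 0u))  /* RPL 0, as a user caller could write it */
#define SEL_USER_BUFFER ((selector_t)((2u << 3) | 3u))
#define USER_CS         ((selector_t)((3u << 3) | 3u))  /* caller's CS from the stack, RPL = CPL 3 */
#define KERNEL_CS       ((selector_t)((4u << 3) | 0u))  /* caller's CS when the caller is at level 0 */

static unsigned rpl_of(selector_t s) { return s & RPL_MASK; }

/* ARPL: raise the selector's RPL to the RPL of src when it is lower.
 * Returns true (ZF set) when the selector was changed. */
bool arpl(selector_t *sel, selector_t src)
{
    if (rpl_of(*sel) < rpl_of(src)) {
        *sel = (selector_t)((*sel & ~RPL_MASK) | rpl_of(src));
        return true;
    }
    return false;
}

/* VERW-style check: descriptor within the table, writable, and
 * DPL numerically >= both CPL and the selector's RPL. */
bool verw(selector_t sel, unsigned cpl)
{
    unsigned index = sel >> 3;
    if (index == 0 || index >= GDT_ENTRIES)
        return false;
    const struct seg_desc *d = &gdt[index];
    return d->writable && d->dpl >= cpl && d->dpl >= rpl_of(sel);
}

/* FREAD running at CPL 0 with no pointer validation: the selector's RPL is
 * whatever the caller wrote, so a selector naming the file tables passes. */
bool fread_unchecked(selector_t buffer_sel)
{
    return verw(buffer_sel, 0);
}

/* FREAD with the protocol from the text: stamp the caller's privilege into
 * the selector first, so the check is made on the caller's behalf. */
bool fread_checked(selector_t buffer_sel, selector_t caller_cs)
{
    arpl(&buffer_sel, caller_cs);
    return verw(buffer_sel, 0);
}

int main(void)
{
    printf("unchecked, file tables from user: %d\n", fread_unchecked(SEL_FILE_TABLES));
    printf("checked,   file tables from user: %d\n", fread_checked(SEL_FILE_TABLES, USER_CS));
    printf("checked,   user buffer from user: %d\n", fread_checked(SEL_USER_BUFFER, USER_CS));
    printf("checked,   file tables from kernel caller: %d\n",
           fread_checked(SEL_FILE_TABLES, KERNEL_CS));
    return 0;
}
```

The adjusted selector, not the original, is the one to load afterwards, so that the hardware check on the segment register load sees the caller's privilege as well.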


11.4 NPX CONTEXT SWITCHING
The context of a processor extension (such as the 80287 numerics processor) is not changed by the task
switch operation. A processor extension context need only be changed when a different task attempts
to use the processor extension (which still contains the context of a previous task). The 80286 detects
the first use of a processor extension after a task switch by causing the processor extension not-present
exception (#7) if the TS bit is set. The interrupt handler may then decide whether a context change is
necessary.
The 286 services numeric errors only when it executes wait or escape instructions because the processor
extension is running independently. Therefore, the numerics error from one task may not be recorded
until the 286 is running a different task. If the 286 task has changed, it makes sense to defer handling
that error until the original task is restored. For example, interrupt handlers that use the NPX should
not have their timing upset by a numeric error interrupt that pertains to some earlier process. It is of
little value to service someone else's error.
If the task switch bit is set (bit 3 of MSW) when the CPU begins to execute a wait or escape instruction,
the processor-extension not-present exception results (#7). The handler for this interrupt must
know who currently "owns" the NPX, i.e., the handler must know the last task to issue a command to
the NPX. If the owner is the same as the current task, then it was merely interrupted and the interrupt
handler has since returned; the handler for interrupt 7 simply clears the TS bit, restores the working
registers, and returns (restoring interrupts if enabled).
If the recorded owner is different from the current task, the handler must first save the existing NPX
context in the save area of the old task. It can then re-establish the correct NPX context from the
current task's save area.
The code example in figure 11-3 relies on the convention that each TSS entry in the GDT is followed
by an alias entry for a data segment that points to the same physical region of memory that contains
the TSS. The alias segment also contains an area for saving the NPX context, the kernel stack, and
certain kernel data. That is, the first 44 bytes in that segment are the 286 context, followed by 94 bytes
for the processor extension context, followed in some cases by the kernel stack and kernel private
data areas.
The implied convention is that the stack segment selector points to this data segment alias so that
whenever there is an interrupt at level zero and SS is automatically loaded, all of the above information
is immediately addressable.
It is assumed that the program example knows about only one data segment that points to a global
data area in which it can find the one word NPX owner to begin the processing described. The specific
operations needed, and shown in the figure, are listed in table 11-1.

11.5 MULTIPROCESSOR CONSIDERATIONS
As mentioned in Chapter 8, a bus lock is applied during the testing and setting of the task busy bit to
ensure that two processors do not invoke the same task at the same time. However, protection traps
and conflicting use of dynamically varying segments or descriptors must be addressed by an interprocessor synchronization protocol. The protocol can use the indivisible semaphore operation of the
base instruction set. Coordination of interrupt and trap vectoring must also be addressed when multiple
concurrent processors are operating.
The interrupt bus cycles are locked so no interleaving occurs on those cycles. Descriptor caching is
locked so that a descriptor reference cannot be altered while it is being fetched.

LINE    SOURCE

        $title('Switch the NPX Context on First Use After Task Switch')
                        name    switch_npx_context
                        public  switch_npx_context
                        extrn   last_npx_task:word
        ;
        ; This interrupt handler will switch the NPX context if a new task
        ; is attempting to use the NPX context of another task after a task
        ; switch. If the NPX context belongs to the current task, nothing happens.
        ;
        ; A trap gate should be placed in IDT entry 7 referring to this routine.
        ; The DPL of the gate should be 0 to prevent spoofing. The code segment
        ; must be at privilege level 0.
        ;
        ; The kernel stack is assumed to overlay the TSS and the NPX save area
        ; is placed at the end of the TSS area.
        ;
        ; A global word variable LAST_NPX_TASK identifies the TSS selector of
        ; the last task to use the NPX.
        ;
        npx_save_area   equ     word ptr 44             ; Offset of NPX save area in TSS
        kernel_code     segment er
        switch_npx_context proc far wc(0)
  28                    push    ax                      ; Save working registers
  29                    push    ds
  30                    mov     ax,seg last_npx_task    ; Get address of id of last NPX task
  31                    mov     ds,ax
  32                    str     ax                      ; Get id of this task
  33                    and     al,0FCH                 ; Remove RPL field
  34                    clts                            ; Clear task switched flag
  35                    cli                             ; No interrupts allowed!
  37                    cmp     ax,ds:last_npx_task     ; See if same task
  38                    je      same_task
  42                    xchg    ax,ds:last_npx_task     ; Set new task id and get old
  43                    add     ax,8                    ; Go to TSS alias
  44                    mov     ds,ax                   ; Address TSS of previous NPX task
  45                    fsave   ds:npx_save_area        ; Save old NPX state
  46                    frstor  ss:npx_save_area        ; Get current NPX state
  47    same_task:
  48                    pop     ds
  49                    pop     ax
  50                    iret                            ; Return to interrupted program
        switch_npx_context endp
        kernel_code     ends
WARNING #160, LINE #54, SEGMENT CONTAINS PRIVILEGED INSTRUCTIONS
                        end

Figure 11-3. Example of NPX Context Switching

When a program changes a descriptor that is shared with other processors, it should broadcast this fact
to the other processors. This broadcasting can be done with an inter-processor interrupt. The handler
for this interrupt must ensure that the segment registers, the LDTR and the TR, are re-loaded. This
happens automatically if the interrupt is serviced by a task switch.

Modification of descriptors of shared segments in multi-processor systems may require that the on-chip
descriptors also be updated. For example, one processor may attempt to mark the descriptor of a shared
segment as not-present while another is using it. Software has to ensure that the descriptors in the
segment register caches are updated with the new information. The segment register caches can be
updated by a re-entrant procedure that is invoked by an inter-processor interrupt. The handler must
ensure that the segment registers, the LDTR and the TR, are re-loaded. This happens automatically if
the interrupt is serviced by a task switch.

Table 11-1. NPX Context Switching

Step   Operation                                        Lines (Figure 11-3)
1.     Save the working registers                       28,29
2.     Set up address for kernel work area              30,31
3.     Get current task ID from Task Register           32
4.     Clear Task Switch flag to allow NPX work         34
5.     Inhibit interrupts                               35
6.     Compare owner with current task ID               37
If same owner:
7a.    Restore working registers                        48,49
7b.    and return                                       50
If owner is not current task:
8a.    Use owner ID to save old context in its TSS      42,43,44
8b.    Restore context of current task;                 45
       restore working registers;                       46
       and return                                       52

11.6 SHUTDOWN
Shutdown occurs when a severe error condition prevents further processing. Shutdown is very similar
to HLT in that the 80286 stops executing instructions. The 80286 externally signals shutdown as a
Halt bus cycle with A1 = 0. The NMI or RESET input will force the 80286 out of shutdown. The
INTR input is ignored during shutdown.

APPENDIX A
80286 SYSTEM INITIALIZATION
$title('Switch the 80286 from Real Address Mode to Protected Mode')
                name    switch_80286_modes
                public  idt_desc,gdt_desc
;
; Switch the 80286 from real address mode into protected mode.
; The initial EPROM GDT, IDT, TSS, and LDT (if any) constructed by BLD286
; will be copied from EPROM into RAM. The RAM areas are defined by data
; segments allocated as fixed entries in the GDT. The CPU registers for
; the GDT, IDT, TSS, and LDT will be set to point at the RAM-based
; segments. The base fields in the RAM-based GDT will also be updated to
; point at the RAM-based segments.
;
; This code is used by adding it to the list of object modules given
; to BLD286. BLD286 must then be told to place the segment
; init_code at address FFFE10H. Execution of the mode switch code begins
; after RESET. This happens because the mode switch code will start at
; physical address FFFFF0H, which is the power up address. This code then
; sets up RAM copies of the EPROM-based segments before jumping to the
; initial task placed at a fixed GDT entry. After the jump, the CPU
; executes in the state of the first task defined by BLD286.
;
; This code will not use any of the EPROM-based tables directly.
; Such use would result in the 80286 writing into EPROM to set
; the A bit. Any use of a GDT or TSS will always be in the RAM copy.
; The limit and size of the EPROM-based GDT and IDT must be stored at
; the public symbols idt_desc and gdt_desc. The location commands of BLD286
; provide this function.
;
; Interrupts are disabled during this mode switching code. Full error
; checking is made of the EPROM-based GDT, IDT, TSS, and LDT to assure
; they are valid before copying them to RAM. If any of the RAM-based
; alias segments are smaller than the EPROM segments they are to hold,
; halt or shutdown will occur. In general, any exception or NMI will
; cause shutdown to occur until the first task is invoked.
;
; If the RAM segment is larger than the EPROM segment, the RAM segment
; will be expanded with zeros. If the initial TSS specifies an LDT,
; the LDT will also be copied into ldt_alias with zero fill if needed.
; The EPROM-based or RAM-based GDT, IDT, TSS, and LDT segments may be located
; anywhere in physical memory.


;
; Define layout of a descriptor.
;
desc            struc
limit           dw      ?               ; Offset of last byte in segment
base_low        dw      ?               ; Low 16 bits of 24-bit address
base_high       db      ?               ; High 8 bits of 24-bit address
access          db      ?               ; Access rights byte
res             dw      ?               ; Reserved word
desc            ends
;
; Define the fixed GDT selector values for the descriptors that
; define the EPROM-based tables. BLD286 must be instructed to place the
; appropriate descriptors into the GDT.
;
gdt_alias       equ     1*size desc     ; GDT(1) is data segment in RAM for GDT
idt_alias       equ     2*size desc     ; GDT(2) is data segment in RAM for IDT
start_TSS_alias equ     3*size desc     ; GDT(3) is data segment in RAM for TSS
start_task      equ     4*size desc     ; GDT(4) is TSS for starting task
start_LDT_alias equ     5*size desc     ; GDT(5) is data segment in RAM for LDT
;
; Define machine status word bit positions.
;
PE              equ     1               ; Protection enable
MP              equ     2               ; Monitor processor extension
EM              equ     4               ; Emulate processor extension
;
; Define particular values of descriptor access rights byte.
;
DT_ACCESS       equ     82H             ; Access byte value for an LDT
DS_ACCESS       equ     92H             ; Access byte value for data segment
                                        ; which is grow up, at level 0, writeable
TSS_ACCESS      equ     81H             ; Access byte value for an idle TSS
DPL             equ     60H             ; Privilege level field of access rights
ACCESSED        equ     1               ; Define accessed bit
TI              equ     4               ; Position of TI bit
TSS_SIZE        equ     44              ; Size of a TSS
LDT_OFFSET      equ     42              ; Position of LDT in TSS
TIRPL_MASK      equ     size desc-1     ; TI and RPL field mask

;
; Pass control from the power-up address to the mode switch code.
; The segment containing this code must be at physical address FFFE10H
; to place the JMP instruction at physical address FFFFF0H. The base
; address is chosen according to the size of this segment.
;
init_code       segment er
cs_offset       equ     0FE10H                  ; Low 16 bits of starting address
                org     0FFF0H-cs_offset        ; Start at address FFFFF0H
                jmp     reset_startup           ; Do not change CS!


; Define the template for a temporary GDT used to locate the initial
; GDT and stack. This data will be copied to location 0.
; This space is also used for a temporary stack and finally serves
; as the TSS written into when entering the initial TSS.
Place remaining code below power _u p

org
Inltlal_gdt
gdt_de.c
Idl_de!C
lemp_de.c

de.c
de.c
de. c
de.c

<)
<)
<)
<)

Fill e r and nul I IDT de.crlptor
De.crlptor for EPROM GDT
De.crlptor for EPROM IDT
Temporary de.crlptor

; Define a descriptor that will point the GDT at location 0.
; This descriptor will also be loaded into SS to define the initial
; protected mode stack segment.
desc

< e n d_g d I - I n I I I a I_g d t - 1 , 0 , 0 , DS_A C C E5 S , 0 )

; Define the TSS descriptor used to allow the task switch to the
; first task to overwrite this region of memory. The TSS will overlay
; the initial GDT and stack at location 0.
desc
Define the Initial .tack space and filler

.tart_polnter

dw
I abe I

8 dup (0)

lobe I
dw

dword
o , • tar t_ t ask

the la.k definition 11.1.
Define layout of ta.k de.crlptlon
Selector for TSS
Data .egment all •• for TSS
Dolo .egment alia. for LDT If any

• I r uc

ta.k_entry
re.et_.tartup:
c II
cId
lor
mov

; Pointer to Inilial la.k

dw
dw
dw
end.
dw

the end of the TSS.

word

Define lemplate for
ta.k_entry
T55_.el
T55_alla.
LDT_alla.
ta.k_entry

fo~

<~tarl_task,.tart_TSS_alla.,.lar~_LDT_alla.)

0

; Terminate II.t
No Interrupt. allowed!
U.e autolncrement mode
Point ES:DI at phy.lcal addre •• DDDOODH

dI , dI

d.,dl

mov

!!!I,dl

mov
mov

• P , en d_g d t - I nit I a I_g d t

Set .tack at end of re.erved area

• • , dI


; Form an adjustment factor from the real CS base of FF0000H to the
; segment base address assumed by ASM286. Any data reference made
; into CS must add an indexing term [BP] to compensate for the difference
; between the offset generated by ASM286 and the offset required from
; the base of FF0000H.
Ia r I

proc
c a II

!larl1

pop
!ijb

bp
bp,offul !larl1

II d t

I n I I I a I_g d I I bpi

The valije of IP al rijn lime will nol be
Ihe lame a! Ihe one ij!ed by ASM286!
Get Irije off!el of !lart1

!larI1:
Sijblracl ASM286 offset of !lart1
leaving adlij!lment faclor In BP
Setijp nijll IDT 10 force shij1down
on any protecllon error or Inlerrijpt

; Copy the EPROM-based temporary GDT into RAM.
lea
rep

mov
maY!

!I,lnlllal_gdllbpl

; Selijp polnler 10 lemporary GDT
templale In EPROM
c x , ( e n d_g d I - I n III a I_g d I ) I 2
5 e I len g I h
es:word plr Idll,cs:lslli Pijl Inlo reserved RAM area

; Look for 80287 processor extension. Assume all ones will be read
; if an 80287 is not present.
f nI nI I
mov
htsw
or
In z

bx,EM
ax
a I, a I
!el_mode

hetpm
mov

bx,MP

Inillalize 80287 If preunt
A!!ume no 80287
Look al !lah! of 80287
Ho error. !hould be pre!enl
Jump If no 80287
Put 80287 In t 0 protecled mode

; Switch to protected mode and setup a stack, GDT, and LDT.
i

!el_mode:
!m!w
or

or

Im!w
Imp

Get current MSW
Sel PE bit
Sel HPX !lalu! flag!
Enter prolected mode!
Clear qijeij~ of In,lr"ctlon~ decoded
while In Real Addre!s Mode
CPL 15 now 0, CS !IIII polnl! at
FFFE10 In phy!lcal memory

ax
.. ,PE
ax,bx
ax
i .2


        lgdt    temp_stack[bp]          ; Use initial GDT in RAM area
        mov     ax,temp_stack-initial_gdt ; Setup SS with valid protected mode
        mov     ss,ax                   ; selector to the RAM GDT and stack
        xor     ax,ax                   ; Set the current LDT to null
        lldt    ax                      ; Any references to it will cause
                                        ; an exception causing shutdown
        mov     ax,save_tss-initial_gdt ; Set initial TSS into the low RAM
        ltr     ax                      ; The task switch needs a valid TSS

; Copy the EPROM-based GDT into the RAM data segment alias.
; First the descriptor for the RAM data segment must be copied into
; the temporary GDT.
Gel size of GDT
Be .ure Ihe lasl enlry expecled by
this code Is Inside Ihe GDT
Jump If GDT I. not big enough

mov
cmp

a x , 9 d t_d e!C [ bpI. II mI I
ax,S'slze desc-!

Jb

bad_gdl

        mov     bx,gdt_desc-initial_gdt ; Form selector to EPROM GDT
        mov     si,gdt_alias            ; Get selector of GDT alias
        call    copy_EPROM_dt           ; Copy into EPROM
        mov     si,idt_alias            ; Get selector of IDT alias
        mov     bx,idt_desc-initial_gdt ; Indicate EPROM IDT
        call    copy_EPROM_dt
        mov     ax,gdt_desc-initial_gdt ; Setup addressing into EPROM GDT
        mov     ds,ax
        mov     bx,gdt_alias            ; Get GDT alias data segment selector
        lgdt    [bx]                    ; Set GDT to RAM GDT
                                        ; SS and TR remain in low RAM

; Copy all task's TSS and LDT segments into RAM
        lea                             ; Define list of tasks to setup
copy_task_loop:
        call    copy_tasks              ; Copy them into RAM
        add     bx,size task_entry      ; Go to next entry
        mov     ax,cs:[bx].tss_sel      ; See if there is another entry
        or      ax,ax
        jnz     copy_task_loop

; With TSS, GDT, and LDT set, startup the initial task!
        mov     bx,gdt_alias            ; Point DS at GDT
        mov     ds,bx
        mov     bx,idt_alias            ; Get IDT alias data segment selector
        lidt    [bx]                    ; Set IDT for errors and interrupts
        jmp     start_pointer[bp]       ; Start the first task!
                                        ; The low RAM area is overwritten with
                                        ; the current CPU context
bad_gdt:
        hlt                             ; Halt here if GDT is not big enough
start   endp

; Copy the TSS and LDT for the task pointed at by CS:BX.
; If the task has an LDT it will also be copied down.
; BX and BP are transparent.

bad_I •• :
hI I
copy_lo.k.

mov
mov
mov
mov
I. I
mov
I ar

Hall

here

If

TSS

15

Invalid

proc
Gel

• I , g d I_a I I a •
d. , • I
• I , c. : I b x I • I •• _a Ila.

addre5.ablllly

10 GDT

1n z

d x I !!I 1
b a d_ 15.

Gel .eleclor for TSS alia.
Polnl ES al alia. dala .egmenl
Gel lenglh of TSS alia.
Gel T55 5eleclor
Gel alia. acee5' rlghl.
Jump If Invalid reference

mov
and
cmp
1n z

d I , dh
dh,nol DPL
dh,T55_ACCE55
b a d_ I ••

Save TSS de5crlplor
Ignore privilege
See If T5S
Jump If nol

I. I
cmp

C X I !!I 1
c x , T 5 5_5 I Z E - 1
b a d_ 15.

Gel lenglh of EPROM ba.ed TSS
Verify II 15 of proper .Ize
Jump if II 15 nol big enough

1b
D5

I! !!I ,

!!Ii

ex

!I

I

1

• I , c. : I b x I • I • '_' e I

Selup for moving
polnl. al GDT

mov
mov
call

5el
mov
mov
mov
mov
mov

Ihe

EPROM-ba5ed

GDT

T55

Ilmil

and

ba5e

I

RAM

10

Ihe

GDT

RAM

values.

addres51ng

ax

Gel TSS 5eleclor
G'et RAM alia. 5eleclor
Copy llmi I
Copylow 16 bi15 of addre55
Gel high 8 bil5 of address
Mark a5 TSS de5crlplor
Fill In high addre5s and access
Copy reserved word

d i , C 5: [b x I • 15 5_S e I
!I i ,e 5: [ b x] . t 5 :i_a 1 i c s

movsIII
mOV!!I1II

lod.w
mov
5 t 0 !!I \II

addre55
Reslore

ax,gdl_allas
d 5. 1 a x
e5

10

byle

Make TSS Inlo dala 5egmenl
Polnl DS al EPROM T5S
Copy DS 5egmenl 10 ES wllh zero fill
CX ha5 copy counl, AX-CX fill counl

[ • I I . a c c e •• , DS_A C C E 5 5
d5 I 5 1
cop y_w I I h_ f i I I

Ihe

T55

acce5'

ah,dI

movsw


byle5


; See if a valid LDT is specified for the startup task.
; If so then copy the EPROM version into the RAM alias.
mov
mov
and

Jz

Addre •• TSS 10 get LOT
d • ,c. : [b x J . I •• _all a.
.I,d.:word plr LOT_OFFSET
Ignore TI and RPL
.I,nol TJRPL_MASK
Skip Ihl. If no LOT u.ed
n a_I d I
Save LDT .eleclor
Te.1 de.crlplor
Jump If Invalid .eleclor

pu.h
I ar

J nz
mov
and
cmp

Jn e
mov
mov
151

call
mov

Save LDT de.crlplor acce •• byle
[gnore privilege
Be .ure II I. an LDT de.crlptor
Jump If Invalid

d I ,d h

dh,nol DPL
dh, DT_ACCESS
bad_Idl

e.:[.IJ.acce.5,DS_ACCESS; Mark LDT a. dala .egmenl
d".1
Polnl OS al EPROM LOT
Gel LDT Ilmil
IS X 1 5 1
Verify II i!.valld
Ie. I_d t_ll·m I I
Save for later
ex 1 IS X

Examine Ihe LDT alia • • egment and,

e!l ,

51

I •I

IS X

!l1

call

le.l_dl_Ilmll
cop y_w I I h_ f I I I

ca I I

Gel Idl all ••• eleelor
Polnl ES al alia • • egmenl
Get I~nglhof alla~ segment
Verify II I. valid
Copy LDT Inlo RAM alia • • egmenl

• I , c. : I b x) . I d I_alia 5

mov
mov

I

If good, copy 10 RAM

; Set the LDT limit and base address to the RAM copy of the LDT.
mov
pop
mov
mov
mov
mov!w

Re.lore LDT alia • • eleelor
Re.lore LDT .eleclor
Re.lore GDT addre •• lng

• I ,c • : [ b x I . I d I _a I I ••
dI

ax.gdl_alla.
d!i

1

I!I X

e!l

1

1< X

mov!lw

Move Ihe RAM LDT Ilmil
Move Ihe low 16 bll. aero ••
Gel Ihe high 8 bit.
Mark a. LDT de.erlptor
Sel high addre •• and aeee •• rlghl •
Copy re.erved word

ret

All done

hit

Hall here If LDT I. Invalid

mov!iW

10 d • w
mov
• Io.w

ah, dI

bad_Idt:
endp

; Test the descriptor table size in AX to verify that it is an
; even number of descriptors in length.
test_dt_limit   proc
        push    ax                      ; Save length
        and     al,7                    ; Look at low order bits
        cmp     al,7                    ; Must be all ones
        pop     ax                      ; Restore length
        jne     bad_dt_limit
        ret                             ; All OK
bad_dt_limit:
        hlt                             ; Die!
test_dt_limit   endp

; Copy the EPROM DT at selector ax in the temporary GDT to the alias
; data segment at selector SI. Any improper descriptors or limits
; will cause shutdown!
proc
mov
mov
mov
mov
II I
mov
call
mov
mov
mov
pUlh
lodlw
call
ItO!W
movSiW

Polnl ES:DI at

IS X t!!II

e! ,

!1:1bxl.accell,DS_ACCESS;
e I ': [ b x I . rei , 0
a x, b x
ex, II I
I e I t_d I_II mI I
dl,gdt~delc-Inltlal_gdt

dI

,

temporary delcrlptor

II X

Mark delcrlplor .1 a dala segmenl
Clear re.erved word
Get limit of EPROM DT
Save for later
Ve r I f,y I t I I apr 0 per I I mit
Addrell EPROM GDT In DS

dI

d I , t em p_d e I c - I nit I a I_g d I ; Gel leleclor tor temporary d~lcrlplor
Save offsel for laler ule ~I leleclor
dI
Get allal legment Ilze
Verify II Is an eVen muiliple of
delcrlptors In length
'
Pul length Into temporary
Copy remaining entrlel Into iemporary

mOV!iW

mOV5W

pop
mov

ES now polnll al Ihe GDT allal area
DS now polnll al EPROM DT 01 dala
Copy segmenl 10 allal wllh zero fill
CX II copy counl, AX-CX II fill count
F a I I I n I 0 cop y_w I I h_ f I I I

e!
dI

,

bx

endp


; Copy the segment at DS to the segment at ES for length CX.
; Fill the end with AX-CX zeros. Use word operations for speed but
; allow odd byte operations.
copy_with_fill  proc
        xor     si,si                   ; Start at beginning of segments
        xor     di,di
        sub     ax,cx                   ; Form fill count
        add     cx,1                    ; Convert limit to count
        rcr     cx,1                    ; Allow full 64K move
   rep  movsw                           ; Copy DT into alias area
        xchg    ax,cx                   ; Get fill count and zero AX
        jnc     even_copy               ; Jump if even byte count on copy
        movsb                           ; Copy odd byte
        or      cx,cx
        jz      exit_copy               ; Exit if no fill
        stosb                           ; Even out the segment offset
        dec     cx                      ; Adjust remaining fill count
even_copy:
        shr     cx,1                    ; Form word count on fill
   rep  stosw                           ; Clear unused words at end
        jnc     exit_copy               ; Exit if no odd byte remains
        stosb                           ; Clear last odd byte
exit_copy:
        ret
copy_with_fill  endp

init_code       ends
        end

APPENDIX B
THE 80286 INSTRUCTION SET
This section presents the 80286 instruction set using Intel's ASM286 notation. All possible operand
types are shown. Instructions are organized alphabetically according to generic operations. Within each
operation, many different instructions are possible depending on the operand. The pages are presented
in a standardized format, the elements of which are described in the following paragraphs.

Opcode
This column gives the complete object code produced for each form of the instruction. Where possible,
the codes are given as hexadecimal bytes, presented in the order in which they will appear in memory.
Several shorthand conventions are used for the parts of instructions which specify operands. These
conventions are as follows:
/n: (n is a digit from 0 through 7) A ModRM byte, plus a possible immediate and displacement field
follow the opcode. See figure B-1 for the encoding of the fields. The digit n is the value of the REG
field of the ModRM byte. To obtain the possible hexadecimal values for /n, refer to column n of
table B-1. Each row gives a possible value for the effective address operand to the instruction. The
entry at the end of the row indicates whether the effective address operand is a register or memory; if
memory, the entry indicates what kind of indexing and/or displacement is used. Entries with D8 or
D16 signify that a one-byte or two-byte displacement quantity immediately follows the ModRM and
optional immediate field bytes. The signed displacement is added to the effective address offset.
/r: A ModRM byte that contains both a register operand and an effective address operand, followed
by a possible immediate and displacement field. See figure B-2 for the encoding of the fields. The
ModRM byte could be any value appearing in table B-1. The column determines which register operand
was selected; the row determines the form of effective address. If the row entry mentions D8 or D16,
then a one-byte or two-byte displacement follows, as described in the previous paragraph.

cb: A one-byte signed displacement in the range of -128 to + 127 follows the opcode. The displacement is sign-extended to 16 bits, and added modulo 65536 to the offset of the instruction FOLLOWING this instruction to obtain the new IP value.
cw: A two-byte displacement is added modulo 65536 to the offset of the instruction FOLLOWING
this instruction to obtain the new IP value.
cd: A two-word pointer which will be the new CS:IP value. The offset is given first, followed by the
selector.
db: An immediate byte operand to the instruction which follows the opcode and ModRM bytes. The
opcode determines if it is a signed value.

dw: An immediate word operand to the instruction which follows the opcode and ModRM bytes. All
words are given in the 80286 with the low-order byte first.

+rb: A register code from 0 through 7 which is added to the hexadecimal byte given at the left of
the plus sign to form a single opcode byte. The codes are: AL=0, CL=1, DL=2, BL=3, AH=4,
CH=5, DH=6, and BH=7.

/n Instruction Byte Format

ModRM

"mod" Field Bit Assignments

mod   Displacement
00    DISP = 0(2), disp-low and disp-high are absent
01    DISP = disp-low sign-extended to 16-bits, disp-high is absent
10    DISP = disp-high: disp-low
11    r/m is treated as a "reg" field

"r/m" Field Bit Assignments

r/m   Operand Address
000   (BX) + (SI) + DISP
001   (BX) + (DI) + DISP
010   (BP) + (SI) + DISP
011   (BP) + (DI) + DISP
100   (SI) + DISP
101   (DI) + DISP
110   (BP) + DISP(2)
111   (BX) + DISP

DISP follows 2nd byte of instruction (before data if required).
NOTES:
1. Opcode indicates presence and size of immediate value.
2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low.

Figure B-1. /n Instruction Byte Format

Table B-1. ModRM Values

                              Rb  =   AL  CL  DL  BL  AH  CH  DH  BH
                              Rw  =   AX  CX  DX  BX  SP  BP  SI  DI
                              REG =   0   1   2   3   4   5   6   7

        Effective address             ModRM values

mod=00  [BX + SI]                     00  08  10  18  20  28  30  38
        [BX + DI]                     01  09  11  19  21  29  31  39
        [BP + SI]                     02  0A  12  1A  22  2A  32  3A
        [BP + DI]                     03  0B  13  1B  23  2B  33  3B
        [SI]                          04  0C  14  1C  24  2C  34  3C
        [DI]                          05  0D  15  1D  25  2D  35  3D
        D16 (simple var)              06  0E  16  1E  26  2E  36  3E
        [BX]                          07  0F  17  1F  27  2F  37  3F

mod=01  [BX + SI] + D8(1)             40  48  50  58  60  68  70  78
        [BX + DI] + D8                41  49  51  59  61  69  71  79
        [BP + SI] + D8                42  4A  52  5A  62  6A  72  7A
        [BP + DI] + D8                43  4B  53  5B  63  6B  73  7B
        [SI] + D8                     44  4C  54  5C  64  6C  74  7C
        [DI] + D8                     45  4D  55  5D  65  6D  75  7D
        [BP] + D8(2)                  46  4E  56  5E  66  6E  76  7E
        [BX] + D8                     47  4F  57  5F  67  6F  77  7F

mod=10  [BX + SI] + D16(3)            80  88  90  98  A0  A8  B0  B8
        [BX + DI] + D16               81  89  91  99  A1  A9  B1  B9
        [BP + SI] + D16               82  8A  92  9A  A2  AA  B2  BA
        [BP + DI] + D16               83  8B  93  9B  A3  AB  B3  BB
        [SI] + D16                    84  8C  94  9C  A4  AC  B4  BC
        [DI] + D16                    85  8D  95  9D  A5  AD  B5  BD
        [BP] + D16(2)                 86  8E  96  9E  A6  AE  B6  BE
        [BX] + D16                    87  8F  97  9F  A7  AF  B7  BF

mod=11  Ew=AX Eb=AL                   C0  C8  D0  D8  E0  E8  F0  F8
        Ew=CX Eb=CL                   C1  C9  D1  D9  E1  E9  F1  F9
        Ew=DX Eb=DL                   C2  CA  D2  DA  E2  EA  F2  FA
        Ew=BX Eb=BL                   C3  CB  D3  DB  E3  EB  F3  FB
        Ew=SP Eb=AH                   C4  CC  D4  DC  E4  EC  F4  FC
        Ew=BP Eb=CH                   C5  CD  D5  DD  E5  ED  F5  FD
        Ew=SI Eb=DH                   C6  CE  D6  DE  E6  EE  F6  FE
        Ew=DI Eb=BH                   C7  CF  D7  DF  E7  EF  F7  FF

NOTES:
1. D8 denotes an 8-bit displacement following the ModRM byte that is sign-extended and added to the
index.
2. Default segment register is SS for effective addresses containing a BP index; DS is for other memory
effective addresses.
3. D16 denotes the 16-bit displacement following the ModRM byte that is added to the index.


/r Instruction Byte Format

"mod" Field Bit Assignments

mod   Displacement
00    DISP = 0(2), disp-low and disp-high are absent
01    DISP = disp-low sign-extended to 16-bits, disp-high is absent
10    DISP = disp-high: disp-low
11    r/m is treated as a "reg" field

"r" Field Bit Assignments

16-Bit (w = 1)    8-Bit (w = 0)    Segment
000  AX           000  AL          00  ES
001  CX           001  CL          01  CS
010  DX           010  DL          10  SS
011  BX           011  BL          11  DS
100  SP           100  AH
101  BP           101  CH
110  SI           110  DH
111  DI           111  BH

"r/m" Field Bit Assignments

r/m   Operand Address
000   (BX) + (SI) + DISP
001   (BX) + (DI) + DISP
010   (BP) + (SI) + DISP
011   (BP) + (DI) + DISP
100   (SI) + DISP
101   (DI) + DISP
110   (BP) + DISP(2)
111   (BX) + DISP

DISP follows 2nd byte of instruction (before data if required).
NOTES:
1. Opcode indicates presence and size of immediate field.
2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low.

Figure B-2. /r Instruction Byte Format

+rw: A register code from 0 through 7 which is added to the hexadecimal byte given at the left of
the plus sign to form a single opcode byte. The codes are: AX=0, CX=1, DX=2, BX=3, SP=4,
BP=5, SI=6, and DI=7.
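
The /n and /r conventions, Figures B-1 and B-2 and Table B-1 can be exercised with a small decoder. The following C code is an added example, not part of the manual; the type and function names (modrm_t, regs_t, modrm_decode, modrm_offset, modrm_format) and the sample bytes are assumptions made for illustration.

```c
/* Added example: decode a ModRM byte and its displacement as laid out in
   Figures B-1/B-2 and Table B-1. All identifiers here are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t     mod, reg, rm;  /* bits 7-6, 5-3 and 2-0 of the ModRM byte */
    int         is_register;   /* mod=11: r/m is treated as a "reg" field */
    int         direct;        /* mod=00, r/m=110: EA is the 16-bit displacement */
    uint16_t    disp;          /* DISP, with D8 sign-extended to 16 bits */
    const char *def_seg;       /* default segment register; NULL for a register */
    size_t      length;        /* ModRM byte plus displacement bytes consumed */
} modrm_t;

typedef struct { uint16_t bx, bp, si, di; } regs_t;  /* constructed register file */

static const char *const RM_TEXT[8] = {
    "BX+SI", "BX+DI", "BP+SI", "BP+DI", "SI", "DI", "BP", "BX"
};
static const char *const REG16[8] = { "AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI" };
static const char *const REG8[8]  = { "AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH" };

/* Decode the bytes p[0..avail). Returns 0 on success, -1 if the bytes run out. */
int modrm_decode(const uint8_t *p, size_t avail, modrm_t *m)
{
    size_t ndisp = 0;

    if (avail < 1) return -1;
    memset(m, 0, sizeof *m);
    m->mod = p[0] >> 6;
    m->reg = (p[0] >> 3) & 7;
    m->rm  = p[0] & 7;
    m->is_register = (m->mod == 3);
    m->direct = (m->mod == 0 && m->rm == 6);          /* note 2 of Figure B-1 */

    if (m->mod == 1) ndisp = 1;                        /* D8 */
    else if (m->mod == 2 || m->direct) ndisp = 2;      /* D16 */
    if (avail < 1 + ndisp) return -1;                  /* truncated instruction */

    if (ndisp == 1)                                    /* sign-extend D8 */
        m->disp = (p[1] & 0x80) ? (uint16_t)(0xFF00u | p[1]) : p[1];
    if (ndisp == 2)                                    /* low-order byte first */
        m->disp = (uint16_t)(p[1] | (p[2] << 8));

    if (!m->is_register) {
        /* SS when BP takes part in the address, DS for other memory operands */
        int uses_bp = !m->direct && (m->rm == 2 || m->rm == 3 || m->rm == 6);
        m->def_seg = uses_bp ? "SS" : "DS";
    }
    m->length = 1 + ndisp;
    return 0;
}

/* Effective-address offset of a memory operand; the sum wraps modulo 65536. */
uint16_t modrm_offset(const modrm_t *m, const regs_t *r)
{
    uint32_t sum = m->disp;

    if (!m->direct) {
        switch (m->rm) {
        case 0:  sum += (uint32_t)r->bx + r->si; break;
        case 1:  sum += (uint32_t)r->bx + r->di; break;
        case 2:  sum += (uint32_t)r->bp + r->si; break;
        case 3:  sum += (uint32_t)r->bp + r->di; break;
        case 4:  sum += r->si; break;
        case 5:  sum += r->di; break;
        case 6:  sum += r->bp; break;
        default: sum += r->bx; break;
        }
    }
    return (uint16_t)sum;
}

/* Render the r/m operand; w selects word (1) or byte (0) register names. */
const char *modrm_format(const modrm_t *m, int w, char *buf, size_t n)
{
    if (m->is_register)
        snprintf(buf, n, "%s", w ? REG16[m->rm] : REG8[m->rm]);
    else if (m->direct)
        snprintf(buf, n, "%s:[%04XH]", m->def_seg, (unsigned)m->disp);
    else if (m->mod == 0)
        snprintf(buf, n, "%s:[%s]", m->def_seg, RM_TEXT[m->rm]);
    else
        snprintf(buf, n, "%s:[%s+%04XH]", m->def_seg, RM_TEXT[m->rm], (unsigned)m->disp);
    return buf;
}

int main(void)
{
    /* Constructed sample: ModRM byte 46H followed by an 8-bit displacement of 28 */
    const uint8_t sample[] = { 0x46, 0x1C };
    modrm_t m;
    char text[32];

    if (modrm_decode(sample, sizeof sample, &m) == 0)
        printf("reg=%s r/m=%s length=%zu\n", REG16[m.reg],
               modrm_format(&m, 1, text, sizeof text), m.length);
    return 0;
}
```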
Instruction
This column gives the instruction mnemonic and possible operands. The type of operand used will
determine the opcode and operand encodings. The following entries list the type of operand which can
be encoded in the format shown in the instruction column. The Intel convention is to place the destination operand as the left hand operand. Source-only operands follow the destination operand.
In many cases, the same instruction can be encoded several ways. It is recommended that you use the
shortest encoding. The short encodings are provided to save memory space.
cb: a destination instruction offset in the range of 128 bytes before the end of this instruction to 127
bytes after the end of this instruction.
cw: a destination offset within the same code segment as this instruction. Some instructions allow a
short form of destination offset. See cb type for more information.
cd: a destination address, typically in a different code segment from this instruction. Using the cd:
address form with call instructions saves the code segment selector.

db: a signed value between -128 and + 127 inclusive which is an operand of the instruction. For
instructions in which the db is to be combined in some way with a word operand, the immediate value
is sign-extended to form a word. The upper byte of the word is filled with the topmost bit of the
immediate value.
dw: an immediate word value which is an operand of the instruction.
eb: a byte-sized operand. This is either a byte register or a (possibly indexed) byte memory variable.
Either operand location may be encoded in the ModRM field. Any memory addressing mode may be
used.
ed: a memory-based pointer operand. Any memory addressing mode may be used. Use of a register
addressing mode will cause exception 6.

ew: a word-sized operand. This is either a word register or a (possibly indexed) word memory variable.
Either operand location may be encoded in the ModRM field. Any memory addressing mode may be
used.

m: a memory location. Operands in registers do not have a memory address. Any memory addressing
mode may be used. Use of a register addressing mode will cause exception 6.
mb: a memory-based byte-sized operand. Any memory addressing mode may be used.

mw: a memory-based word operand. Any memory addressing mode may be used.
rb: one of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH; rb has the value 0,1,2,3,4,5,6,
and 7, respectively.

rw: one of the word registers AX, CX, DX, BX, SP, BP, SI, or DI; rw has the value 0,1,2,3,4,5,6, and
7, respectively.

xb: a simple byte memory variable without a base or index register. MOV instructions between AL
and memory have this optimized form if no indexing is required.
xw: a simple word memory variable without a base or index register. MOV instructions between AX
and memory have this optimized form if no indexing is required.

Clocks
This column gives the number of clock cycles that this form of the instruction takes to execute. The
amount of time for each clock cycle is computed by dividing one microsecond by the number of MHz
at which the 80286 is running. For example, a 10-MHz 80286 (with the CLK pin connected to a
20-MHz crystal) takes 100 nanoseconds for each clock cycle.
Add one clock to instructions that use the base plus index plus displacement form of addressing. Add
two clocks for each 16-bit memory based operand reference located on an odd physical address. Add
one clock for each wait state added to each memory read. Wait states inserted in memory writes or
instruction fetches do not necessarily increase execution time.
The clock counts establish the maximum execution rate of the 80286. With no delays in bus cycles,
the actual clock count of an 80286 program will average 5-10% more than the calculated clock count
due to instruction sequences that execute faster than they can be fetched from memory.
Some instruction forms give two clock counts, one unlabelled and one labelled. These counts indicate
that the instruction has two different clock times for two different circumstances. Following are the
circumstances for each possible label:
mem: The instruction has an operand that can either be a register or a memory variable. The unlabelled
time is for the register; the mem time is for the memory variable. Also, one additional clock cycle is
taken for indexed memory variables for which all three possible indices (base register, index register,
and displacement) must be added.
noj: The instruction involves a conditional jump or interrupt. The unlabelled time holds when the
jump is made; the noj time holds when the jump is not made.
pm: The instruction takes more time to execute when the 80286 is in Protected Mode. The unlabelled
time is for Real Address Mode; the pm time is for Protected Mode.

Description
This is a concise description of the operation performed for this form of the instruction. More details
are given in the "Operation" section that appears later in this chapter.

Flags Modified
This is a list of the flags that are set to a meaningful value by the instruction. If a flag is always set to
the same value by the instruction, the value is given ("=0" or "=1") after the flag name.

Flags Undefined
This is a list of the flags that have an undefined (meaningless) setting after the instruction is executed.
All flags not mentioned under "Flags Modified" or "Flags Undefined" are unchanged by the
instruction.

Operation
This section fully describes the operation performed by the instruction. For some of the more complicated instructions, suggested usage is also indicated.

Protected Mode Exceptions
The possible exceptions involved with this instruction when running under the 80286 Protected Mode
are listed below. These exceptions are abbreviated with a pound sign (#) followed by two capital letters
and an optional error code in parenthesis. For example, #GP(0) denotes the general protection exception with an error code of zero. The next section describes all of the 80286 exceptions and the machine
state upon entry to the exception.
If you are an applications programmer, consult the documentation provided with your operating system
to determine what actions are taken by the system when exceptions occur.

Real Address Mode Exceptions
Since less error checking is performed by the 80286 when it is in Real Address Mode, there are fewer
exceptions in this mode. One exception that is possible in many instructions is #GP(0). Exception 13 is
generated whenever a word operand is accessed from effective address 0FFFFH in a segment. This
happens because the second byte of the word is considered located at location 10000H, not at location
0, and thus exceeds the segment's addressability limit.

Protection Exceptions
In parallel with the execution of instructions, the protected-mode 80286 checks all memory references
for validity of addressing and type of access. Violation of the memory protection rules built into the
processor will cause a transfer of program control to one of the interrupt procedures described in this
section. The interrupts have dedicated positions within the Interrupt Descriptor Table, which is shown
in table B-2. The interrupts are referenced within the instruction set pages by a pound sign (#) followed
by a two-letter mnemonic and the optional error code in parenthesis.

Error Codes
Some exceptions cause the 80286 to pass a 16-bit error code to the interrupt procedure. When this
happens, the error code is the last item pushed onto the stack before control is transferred to the interrupt procedure. If stacks were switched as a result of the interrupt (causing a privilege change or task
switch), the error code appears on the interrupt procedure's stack, not on the stack of the task that was
interrupted.


Table B-2. Protection Exceptions of the 80286

Abbreviation    Interrupt Number    Description

#UD             6                   Undefined Opcode
#NM             7                   No Math Unit Available
#DF             8                   Double Fault
#MP             9                   Math Unit Protection Fault
#TS             10                  Invalid Task State Segment
#NP             11                  Not Present
#SS             12                  Stack Fault
#GP             13                  General Protection
#MF             16                  Math Fault

The error code generally contains the selector of the segment that caused the protection violation. The
RPL field (bottom two bits) of the error code does not, however, contain the privilege level. Instead, it
contains the following information:

• Bit 0 contains the value 1 if the exception was detected during an interrupt caused by an event
  external to the program (i.e., an external interrupt, a single step, a processor extension not-present
  exception, or a processor extension segment overrun). Bit 0 is 0 if the exception was detected while
  processing the regular instruction stream, even if the instruction stream is part of an external
  interrupt handling procedure or task. If bit 0 is set, the instruction pointed to by the saved CS:IP
  address is not responsible for the error. The current task can be restarted unless this is
  exception 9.
• Bit 1 is 1 if the selector points to the Interrupt Descriptor Table. In this case, bit 2 can be ignored,
  and bits 3-10 contain the index into the IDT.
• Bit 1 is 0 if the selector points to the Global or Local Descriptor Tables. In this case, bits 2-15
  have their usual selector interpretation: bit 2 selects the table (1=Local, 0=Global), and bits
  3-15 are the index into the table.

In some cases the 80286 chooses to pass an error code with no information in it. In these cases, all 16
bits of the error code are zero.
The existence and type of error codes are described under each of the following individual exceptions.
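
The bit layout above, together with Table B-2 and the error-code kind given in each exception heading in this appendix, can be turned into a triage helper for a fault handler or crash-dump reader. The following C code is an added example, not part of the manual; all identifiers (errcode_t, fault_lookup, errcode_decode, fault_describe) and the sample error codes are assumptions made for illustration.

```c
/* Added example: decode the 16-bit error code an 80286 protection
   exception pushes on the handler's stack. Identifiers are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { EC_NONE, EC_ZERO, EC_SELECTOR, EC_SELECTOR_OR_ZERO } ec_kind_t;
typedef enum { TBL_NONE, TBL_GDT, TBL_LDT, TBL_IDT } ec_table_t;

typedef struct {
    int        external;  /* bit 0: detected during an externally caused interrupt */
    ec_table_t table;     /* bit 1 selects the IDT; otherwise bit 2: 1=Local, 0=Global */
    uint16_t   index;     /* bits 3-10 for the IDT, bits 3-15 for the GDT or LDT */
} errcode_t;

/* Table B-2, with the error-code kind stated in each exception's heading. */
struct fault { int vector; const char *abbr; ec_kind_t kind; };
static const struct fault FAULTS[] = {
    {  6, "#UD", EC_NONE },             {  7, "#NM", EC_NONE },
    {  8, "#DF", EC_ZERO },             {  9, "#MP", EC_NONE },
    { 10, "#TS", EC_SELECTOR },         { 11, "#NP", EC_SELECTOR },
    { 12, "#SS", EC_SELECTOR_OR_ZERO }, { 13, "#GP", EC_SELECTOR_OR_ZERO },
    { 16, "#MF", EC_NONE },
};

/* Find the Table B-2 row for an interrupt number; NULL if it is not listed. */
const struct fault *fault_lookup(int vector)
{
    size_t i;
    for (i = 0; i < sizeof FAULTS / sizeof FAULTS[0]; i++)
        if (FAULTS[i].vector == vector)
            return &FAULTS[i];
    return NULL;
}

/* Split an error code into its fields. An all-zero code carries no information. */
errcode_t errcode_decode(uint16_t code)
{
    errcode_t e = { 0, TBL_NONE, 0 };

    if (code == 0)
        return e;
    e.external = code & 1;
    if (code & 2) {                       /* selector points into the IDT */
        e.table = TBL_IDT;
        e.index = (code >> 3) & 0xFF;     /* bit 2 is ignored in this case */
    } else {
        e.table = (code & 4) ? TBL_LDT : TBL_GDT;
        e.index = code >> 3;
    }
    return e;
}

/* One-line summary of a fault for a log or debugger display. */
const char *fault_describe(int vector, uint16_t code, char *buf, size_t n)
{
    static const char *const TBL[] = { "", "GDT", "LDT", "IDT" };
    const struct fault *f = fault_lookup(vector);
    errcode_t e = errcode_decode(code);

    if (f == NULL)
        snprintf(buf, n, "vector %d: not listed in Table B-2", vector);
    else if (f->kind == EC_NONE)
        snprintf(buf, n, "%s: no error code", f->abbr);
    else if (e.table == TBL_NONE)
        snprintf(buf, n, "%s(0): no selector information", f->abbr);
    else if (f->kind == EC_ZERO)          /* #DF: the code is normally zero */
        snprintf(buf, n, "%s: unexpected nonzero error code %04XH",
                 f->abbr, (unsigned)code);
    else
        snprintf(buf, n, "%s: %s index %u%s", f->abbr, TBL[e.table],
                 (unsigned)e.index, e.external ? ", external event" : "");
    return buf;
}

int main(void)
{
    /* Constructed samples: (interrupt number, error code) pairs */
    static const struct { int vector; uint16_t code; } samples[] = {
        { 11, 0x002C }, { 13, 0x006B }, { 13, 0x0000 }, { 6, 0x0000 }
    };
    char line[80];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        puts(fault_describe(samples[i].vector, samples[i].code, line, sizeof line));
    return 0;
}
```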

#DF 8 Double Fault (Zero Error Code)
This exception is generated when a second exception is detected while the processor is attempting to
transfer control to the handler for an exception. For instance, it is generated if the code segment
containing the exception handler is marked not present. It is also generated if invoking the exception
handler causes a stack overflow.
This exception is not generated during the execution of an exception handler. Faults detected within
the instruction stream are handled by regular exceptions.
The error code is normally zero. The saved CS:IP will point at the instruction that was attempting to
execute when the double fault occurred. Since the error code is normally zero, no information on the
source of the exception is available. Restart is not possible.
The "double fault" exception does not occur when detecting a new exception while trying to invoke
handlers for the following exceptions: 1,2,3,4,5,6,7,9, and 16.


If another exception is detected while attempting to perform the double fault exception, the 80286 will
enter shutdown (see section 11.5).

#GP 13 General Protection (Selector or Zero Error Code)
This exception is generated for all protection violations not covered by the other exceptions in this
section. Examples of this include:
1. An attempt to address a memory location by using an offset that exceeds the limit for the segment
   involved.
2. An attempt to jump to a data segment.
3. An attempt to load SS with a selector for a read-only segment.
4. An attempt to write to a read-only segment.
5. Exceeding the maximum instruction length of 10 bytes.

If #GP occurred while loading a descriptor, the error code passed contains the selector involved. Otherwise, the error code is zero.
If the error code is not zero, the instruction can be restarted if the erroneous condition is rectified. If
the error code is zero either a limit violation, a write protect violation, or an illegal use of invalid
segment register occurred. An invalid segment register contains the values 0-3. A write protect fault
on ADC, SBB, RCL, RCR, or XCHG is not restartable.

#MF 16 Math Fault (No Error Code)
This exception is generated when the numeric processor extension (the 80287) detects an error signalled
by the ERROR input pin leading from the 80287 to the 80286. The ERROR pin is tested at the
beginning of most floating point instructions, and when a WAIT instruction is executed with the EM
bit of the Machine Status Word set to 0 (i.e., no emulation of the math unit). The floating point
instructions that do not cause the ERROR pin to be tested are FNCLEX, FNINIT, FSETPM,
FNSTCW, FNSTSW, FNSAVE, and FNSTENV.
If the handler corrects the error condition causing the exception, the floating point instruction that
caused #MF can be restarted. This is not accomplished by IRET, however, since the fault occurs at
the floating point instruction that follows the offending instruction. Before restarting the numeric
instruction, the handler must obtain from the 80287 the address of the offending instruction and the
address of the optional numeric operand.

#MP 9 Math Unit Protection Fault (No Error Code)
This exception is generated if the numeric operand is larger than one word and has the second or
subsequent words outside the segment's limit. Not all math addressing errors cause exception 9. If the
effective address of an ESCAPE instruction is not in the segment's limit, or if a write is attempted on
a read-only segment, or if a one-word operand violates a segment limit, exception 13 will occur.
The #MP exception occurs during the execution of the numeric instruction by the 80287. Thus, the
80286 may be in an unrelated instruction stream at the time. Exception 9 may occur in a task unrelated
to the task that executed the ESC instruction. The operating system should keep track of which task
last used the NPX (see section 11.4).


The offending floating point instruction cannot be restarted; the task which attempted to execute the
offending numeric instruction must be aborted. However, if exception 9 interrupted another task, the
interrupted task may be restarted.
The exception 9 handler must execute FNINIT before executing any ESCAPE or WAIT instruction.

#NM 7 No Math Unit Available (No Error Code)
This exception occurs when any floating point instruction is executed while the EM bit or the TS bit
of the Machine Status Word is 1. It also occurs when a WAIT instruction is encountered and both the
MP and TS bits of the Machine Status Word are 1.
Depending on the setting of the MSW bits that caused this exception, the exception handler could
provide emulation of the 80287, or it could perform a context switch of the math processor to prepare
it for use by another task.
The instruction causing #NM can be restarted if the handler performs a numeric context switch. If the
handler provided emulation of the math unit, it should advance the return pointer beyond the floating
point instruction that caused #NM.

#NP 11 Not Present (Selector Error Code)
This exception occurs when CS, DS, ES, or the Task Register is loaded with a descriptor that is
marked not present but is otherwise valid. It can occur in an LLDT instruction, but the #NP exception
will not occur if the processor attempts to load the LDT register during a task switch. A not-present
LDT encountered during a task switch causes the #TS exception.
The error code passed is the selector of the descriptor that is marked not present.
Typically, the Not Present exception handler is used to implement a virtual memory system. The
operating system can swap inactive memory segments to a mass-storage device such as a disk. Applications programs need not be told about this; the next time they attempt to access the swapped-out
memory segment, the Not Present handler will be invoked, the segment will be brought back into
memory, and the offending instruction within the applications program will be restarted.
If #NP is detected on loading CS, DS, or ES in a task switch, the exception occurs in the new task,
and the IRET from the exception handler jumps directly to the next instruction in the new task.

The Not Present exception handler must contain special code to complete the loading of segment
registers when #NP is detected in loading the CS or DS registers in a task switch and a trap or interrupt gate was used. The DS and ES registers have been loaded but their descriptors have not been
loaded. Any memory reference using the segment register may cause exception 13. The #NP exception
handler should execute code such as the following to ensure full loading of the segment registers:
        MOV     AX,DS
        MOV     DS,AX
        MOV     AX,ES
        MOV     ES,AX

#SS 12 Stack Fault (Selector or Zero Error Code)
This exception is generated when a limit violation is detected in addressing through the SS register. It
can occur on stack-oriented instructions such as PUSH or POP, as well as other types of memory
references using SS such as MOV AX,[BP+28]. It also can occur on an ENTER instruction when
there is not enough space on the stack for the indicated local variable space, even if the stack exception
is not triggered by pushing BP or copying the display stack. A stack exception can therefore indicate
a stack overflow, a stack underflow or a wild offset. The error code will be zero.
#SS is also generated on an attempt to load SS with a descriptor that is marked not present but is
otherwise valid. This can occur in a task switch, an inter-level call, an inter-level return, a move to the
SS instruction or a pop to the SS instruction. The error code will be non-zero.
#SS is never generated when addressing through the DS or ES registers even if the offending register
points to the same segment as the SS register.
The #SS exception handler must contain special code to complete the loading of segment registers.
The DS and ES registers will not be fully loaded if a not-present condition is detected while loading
the SS register. Therefore, the #SS exception handler should execute code such as the following to
insure full loading of the segment registers:
        MOV     AX,DS
        MOV     DS,AX
        MOV     AX,ES
        MOV     ES,AX
Generally, the instruction causing #SS can be restarted, but there is one special case when it cannot:
when a PUSHA or POPA instruction attempts to wrap around the 64K boundary of a stack segment.
This condition is identified by the value of the saved SP, which can be either 0000H, 0001H, 0FFFEH,
or 0FFFFH.

#TS 10 Invalid Task State Segment (Selector Error Code)
This exception is generated during a task switch when the new task state segment is invalid, that is,
when a task state segment is too small; when the LDT indicated in a TSS is invalid or not present;
when the SS, CS, DS, or ES indicated in a TSS are invalid (task switch); when the back link in a TSS
is invalid (inter-task IRET).
#TS is not generated when the SS, CS, DS, or ES back link or privileged stack selectors point to a
descriptor that is not present but otherwise is valid. #NP is generated in these cases.
The error code passed to the exception handler contains the selector of the offending segment, which
can either be the Task State Segment itself, or a selector found within the Task State Segment.
The instruction causing #TS can be restarted.
#TS must be handled through a task gate.
The exception handler must reset the busy bit in the new TSS.

#UD 6 Undefined Opcode (No Error Code)
This exception is generated when an invalid operation code is detected in the instruction stream.
Following are the cases in which #UD can occur:
1. The first byte of an instruction is completely invalid (e.g., 64H).
2. The first byte indicates a 2-byte opcode and the second byte is invalid (e.g., 0FH followed by
   0FFH).
3. An invalid register is used with an otherwise valid opcode (e.g., MOV CS,AX).
4. An invalid opcode extension is given in the REG field of the ModRM byte (e.g., 0F6H /1).
5. A register operand is given in an instruction that requires a memory operand (e.g., LGDT AX).

Since the offending opcode will always be invalid, it cannot be restarted. However, the #UD handler
might be coded to implement an extension of the 80286 instruction set. In that case, the handler could
advance the return pointer beyond the extended instruction and return control to the program after the
extended instruction is emulated. Any such extensions may be incompatible with the 80386.

Privilege Level and Task Switching on the 80286
The 80286 supports many of the functions necessary to implement a protected, multi-tasking operating
system in hardware. This support is provided not by additional instructions, but by extension of the
semantics of 8086/8088 instructions that change the value of CS:IP.
Whenever the 80286 performs an inter-segment jump, call, interrupt, or return, it consults the Access
Rights (AR) byte found in the descriptor table entry of the selector associated with the new CS value.
The AR byte determines whether the long jump being made is through a gate, or is a task switch, or
is a simple long jump to the same privilege level. Table B-3 lists the possible values of the AR byte.
The "privilege" headings at the top of the table give the Descriptor Privilege Level, which is referred
to as the DPL within the instruction descriptions.
Each of the CALL, INT, IRET, JMP, and RET instructions contains on its instruction set pages a
listing of the access rights checking and actions taken to implement the instruction. Instructions involving task switches contain the symbol SWITCH_TASKS, which is an abbreviation for the following list
of checks and actions:
SWITCH_TASKS:
Locked set AR byte of new TSS descriptor to Busy TSS (Bit 1 = 1)
Current TSS cache must be valid with limit ≥ 41 else #TS (error code will be new TSS, but back link points at old TSS)
Save machine state in current TSS
If nesting tasks, set the new TSS link to the current TSS selector
Any exception will be in new context
Else set the AR byte of current TSS descriptor to Available TSS (Bit 1 = 0)
Set the current TR to selector, base, and limit of new TSS
New TSS limit ≥ 43 else #TS (new TSS)
Set all machine registers to values from new TSS without loading descriptors for DS, ES, CS, SS, LDT
Clear valid flags for LDT, SS, CS, DS, ES (not valid yet)
If nesting tasks, set the Nested Task flag to 1
Set the Task Switched flag to 1
LDT from the new TSS must be within GDT table limits else #TS(LDT)
AR byte from LDT descriptor must specify LDT segment else #TS(LDT)
AR byte from LDT descriptor must indicate PRESENT else #TS(LDT)
Load LDT cache with new LDT descriptor and set valid bit
Set CPL to the RPL of the CS selector in the new TSS
If new stack selector is null #TS(SS)
SS selector must be within its descriptor table limits else #TS(SS)
SS selector RPL must be equal to CPL else #TS(SS)
DPL of SS descriptor must equal CPL else #TS(SS)
SS descriptor AR byte must indicate writable data segment else #TS(SS)
SS descriptor AR byte must indicate PRESENT else #SS(SS)
Load SS cache with new stack segment and set valid bit
New CS selector must not be null else #TS(CS)
CS selector must be within its descriptor table limits else #TS(CS)
CS descriptor AR byte must indicate code segment else #TS(CS)
If non-conforming then DPL must equal CPL else #TS(CS)
If conforming then DPL must be ≤ CPL else #TS(CS)
CS descriptor AR byte must indicate PRESENT else #NP(CS)
Load CS cache with new code segment descriptor and set valid bit
For DS and ES:
  If new selector is not null then perform following checks:
    Index must be within its descriptor table limits else #TS(segment selector)
    AR byte must indicate data or readable code else #TS(segment selector)
    If data or non-conforming code then:
      DPL must be ≥ CPL else #TS(segment selector)
      DPL must be ≥ RPL else #TS(segment selector)
    AR byte must indicate PRESENT else #NP(segment selector)
    Load cache with new segment descriptor and set valid bit

Table B-3. Hexadecimal Values for the Access Rights Byte

Not present,          Present,
privilege =           privilege =
0    1    2    3      0    1    2    3     Descriptor Type

00   20   40   60     80   A0   C0   E0    Illegal
01   21   41   61     81   A1   C1   E1    Available Task State Segment
02   22   42   62     82   A2   C2   E2    Local Descriptor Table Segment
03   23   43   63     83   A3   C3   E3    Busy Task State Segment
04   24   44   64     84   A4   C4   E4    Call Gate
05   25   45   65     85   A5   C5   E5    Task Gate
06   26   46   66     86   A6   C6   E6    Interrupt Gate
07   27   47   67     87   A7   C7   E7    Trap Gate
08   28   48   68     88   A8   C8   E8    Illegal
09   29   49   69     89   A9   C9   E9    Illegal
0A   2A   4A   6A     8A   AA   CA   EA    Illegal
0B   2B   4B   6B     8B   AB   CB   EB    Illegal
0C   2C   4C   6C     8C   AC   CC   EC    Illegal
0D   2D   4D   6D     8D   AD   CD   ED    Illegal
0E   2E   4E   6E     8E   AE   CE   EE    Illegal
0F   2F   4F   6F     8F   AF   CF   EF    Illegal
10   30   50   70     90   B0   D0   F0    Expand-up, read only, ignored Data Segment
11   31   51   71     91   B1   D1   F1    Expand-up, read only, accessed Data Segment
12   32   52   72     92   B2   D2   F2    Expand-up, writable, ignored Data Segment
13   33   53   73     93   B3   D3   F3    Expand-up, writable, accessed Data Segment
14   34   54   74     94   B4   D4   F4    Expand-down, read only, ignored Data Segment
15   35   55   75     95   B5   D5   F5    Expand-down, read only, accessed Data Segment
16   36   56   76     96   B6   D6   F6    Expand-down, writable, ignored Data Segment
17   37   57   77     97   B7   D7   F7    Expand-down, writable, accessed Data Segment
18   38   58   78     98   B8   D8   F8    Non-conform, no read, ignored Code Segment
19   39   59   79     99   B9   D9   F9    Non-conform, no read, accessed Code Segment
1A   3A   5A   7A     9A   BA   DA   FA    Non-conform, readable, ignored Code Segment
1B   3B   5B   7B     9B   BB   DB   FB    Non-conform, readable, accessed Code Segment
1C   3C   5C   7C     9C   BC   DC   FC    Conforming, no read, ignored Code Segment
1D   3D   5D   7D     9D   BD   DD   FD    Conforming, no read, accessed Code Segment
1E   3E   5E   7E     9E   BE   DE   FE    Conforming, readable, ignored Code Segment
1F   3F   5F   7F     9F   BF   DF   FF    Conforming, readable, accessed Code Segment
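
The following C model is an added example, not code from the manual. It splits an access rights byte into the fields that Table B-3 implies (bit 7 = present, bits 6-5 = DPL, bits 4-0 = descriptor type) and applies the DS/ES checks from the SWITCH_TASKS list in the order given there. The function names, the result enum and the sample AR bytes are constructed for the example, and the descriptor-table limit check is assumed to have passed already.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result of the simulated load. These names belong to this example only. */
enum load_result { LOAD_OK, FAULT_TS, FAULT_NP };

/* Access rights byte layout implied by Table B-3:
 * bit 7 = present, bits 6-5 = DPL, bits 4-0 = descriptor type (00H-1FH). */
struct ar_fields {
    bool present;
    unsigned dpl;
    unsigned type;
};

struct ar_fields ar_decode(uint8_t ar)
{
    struct ar_fields f;
    f.present = (ar & 0x80u) != 0;
    f.dpl = (ar >> 5) & 3u;
    f.type = ar & 0x1Fu;
    return f;
}

/* Types 10H-17H are data segments, 18H-1FH are code segments. */
bool ar_is_data(unsigned type) { return (type & 0x18u) == 0x10u; }
bool ar_is_code(unsigned type) { return (type & 0x18u) == 0x18u; }

/* Within code segments: bit 2 = conforming, bit 1 = readable. */
bool ar_is_conforming(unsigned type)
{
    return ar_is_code(type) && (type & 0x04u) != 0;
}

bool ar_is_readable_code(unsigned type)
{
    return ar_is_code(type) && (type & 0x02u) != 0;
}

/* Checks applied to a non-null DS or ES selector during SWITCH_TASKS.
 * `ar` is the AR byte of the descriptor the selector points at. */
enum load_result check_data_seg_load(uint8_t ar, unsigned cpl, unsigned rpl)
{
    struct ar_fields f = ar_decode(ar);

    /* Gates, TSS, LDT and execute-only code cannot be loaded into DS/ES. */
    if (!ar_is_data(f.type) && !ar_is_readable_code(f.type))
        return FAULT_TS;

    /* Privilege is checked for data and non-conforming code only. */
    if (!ar_is_conforming(f.type)) {
        if (f.dpl < cpl)
            return FAULT_TS;    /* DPL must be >= CPL */
        if (f.dpl < rpl)
            return FAULT_TS;    /* DPL must be >= RPL */
    }

    /* Present is tested last: a valid but absent segment raises #NP. */
    if (!f.present)
        return FAULT_NP;
    return LOAD_OK;
}

int main(void)
{
    /* Constructed samples: AR bytes picked from rows of Table B-3. */
    static const struct { uint8_t ar; unsigned cpl, rpl; } samples[] = {
        {0xF3, 3, 3},   /* present, DPL 3, writable data        */
        {0x93, 3, 3},   /* present, DPL 0, writable data        */
        {0x72, 3, 3},   /* not present, DPL 3, writable data    */
        {0x9E, 3, 3},   /* present, DPL 0, conforming readable  */
        {0x84, 0, 0},   /* present, DPL 0, call gate            */
    };
    static const char *names[] = { "ok", "#TS", "#NP" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("AR=%02XH CPL=%u RPL=%u -> %s\n",
               (unsigned)samples[i].ar, samples[i].cpl, samples[i].rpl,
               names[check_data_seg_load(samples[i].ar,
                                         samples[i].cpl, samples[i].rpl)]);
    return 0;
}
```

Because the privilege checks come before the present check, a not-present segment that the task is not entitled to reports #TS rather than #NP.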

AAA-ASCII Adjust AL After Addition

Opcode    Instruction    Clocks    Description

37        AAA            3         ASCII adjust AL after addition

FLAGS MODIFIED

Auxiliary carry, carry
FLAGS UNDEFINED

Overflow, sign, zero, parity
OPERATION

AAA should be executed only after an ADD instruction which leaves a byte result in the AL register.
The lower nibbles of the operands to the ADD instruction should be in the range 0 through 9 (BCD
digits). In this case, the AAA instruction will adjust AL to contain the correct decimal digit result. If
the addition produced a decimal carry, the AH register is incremented, and the carry and auxiliary
carry flags are set to 1. If there was no decimal carry, the carry and auxiliary carry flags are set to 0,
and AH is unchanged. In any case, AL is left with its top nibble set to 0. To convert AL to an ASCII
result, you can follow the AAA instruction with OR AL,30H.
The precise definition of AAA is as follows: if the lower 4 bits of AL are greater than nine, or if the
auxiliary carry flag is 1, then increment AL by 6, AH by 1, and set the carry and auxiliary carry flags.
Otherwise, reset the carry and auxiliary carry flags. In any case, conclude the AAA operation by
setting the upper four bits of AL to zero.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

AAD-ASCII Adjust AX Before Division

Opcode    Instruction    Clocks    Description

D5 0A     AAD            14        ASCII adjust AX before division

FLAGS MODIFIED

Sign, zero, parity
FLAGS UNDEFINED

Overflow, auxiliary carry, carry
OPERATION

AAD is used to prepare two unpacked BCD digits (least significant in AL, most significant in AH) for
a division operation which will yield an unpacked result. This is accomplished by setting AL to AL +
(10 × AH), and then setting AH to 0. This leaves AX equal to the binary equivalent of the original
unpacked 2-digit number.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

AAM-ASCII Adjust AX After Multiply

Opcode    Instruction    Clocks    Description

D4 0A     AAM            16        ASCII adjust AX after multiply

FLAGS MODIFIED

Sign, zero, parity
FLAGS UNDEFINED

Overflow, auxiliary carry, carry
OPERATION

AAM should be used only after executing a MUL instruction between two unpacked BCD digits,
leaving the result in the AX register. Since the result is less than one hundred, it is contained entirely
in the AL register. AAM unpacks the AL result by dividing AL by ten, leaving the quotient (most
significant digit) in AH, and the remainder (least significant digit) in AL.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

AAS-ASCII Adjust AL After Subtraction

Opcode    Instruction    Clocks    Description

3F        AAS            3         ASCII adjust AL after subtraction

FLAGS MODIFIED

Auxiliary carry, carry
FLAGS UNDEFINED

Overflow, sign, zero, parity
OPERATION

AAS should be executed only after a subtraction instruction which left the byte result in the AL
register. The lower nibbles of the operands to the SUB instruction should have been in the range 0
through 9 (BCD digits). In this case, the AAS instruction will adjust AL to contain the correct decimal
digit result. If the subtraction produced a decimal carry, the AH register is decremented, and the carry
and auxiliary carry flags are set to 1. If there was no decimal carry, the carry and auxiliary carry flags
are set to 0, and AH is unchanged. In any case, AL is left with its top nibble set to 0. To convert AL
to an ASCII result, you can follow the AAS instruction with OR AL,30H.
The precise definition of AAS is as follows: if the lower four bits of AL are greater than 9, or if the
auxiliary carry flag is 1, then decrement AL by 6, AH by 1, and set the carry and auxiliary carry flags.
Otherwise, reset the carry and auxiliary carry flags. In any case, conclude the AAS operation by setting
the upper four bits of AL to zero.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

ADC/ADD-Integer Addition

Opcode       Instruction    Clocks     Description

10 /r        ADC eb,rb      2,mem=7    Add with carry byte register into EA byte
11 /r        ADC ew,rw      2,mem=7    Add with carry word register into EA word
12 /r        ADC rb,eb      2,mem=7    Add with carry EA byte into byte register
13 /r        ADC rw,ew      2,mem=7    Add with carry EA word into word register
14 db        ADC AL,db      3          Add with carry immediate byte into AL
15 dw        ADC AX,dw      3          Add with carry immediate word into AX
80 /2 db     ADC eb,db      3,mem=7    Add with carry immediate byte into EA byte
81 /2 dw     ADC ew,dw      3,mem=7    Add with carry immediate word into EA word
83 /2 db     ADC ew,db      3,mem=7    Add with carry immediate byte into EA word
00 /r        ADD eb,rb      2,mem=7    Add byte register into EA byte
01 /r        ADD ew,rw      2,mem=7    Add word register into EA word
02 /r        ADD rb,eb      2,mem=7    Add EA byte into byte register
03 /r        ADD rw,ew      2,mem=7    Add EA word into word register
04 db        ADD AL,db      3          Add immediate byte into AL
05 dw        ADD AX,dw      3          Add immediate word into AX
80 /0 db     ADD eb,db      3,mem=7    Add immediate byte into EA byte
81 /0 dw     ADD ew,dw      3,mem=7    Add immediate word into EA word
83 /0 db     ADD ew,db      3,mem=7    Add immediate byte into EA word

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

ADD and ADC perform an integer addition on the two operands. The ADC instruction also adds in
the initial state of the carry flag. The result of the addition goes to the first operand. ADC is usually
executed as part of a multi-byte or multi-word addition operation.

When a byte immediate value is added to a word operand, the immediate value is first sign-extended.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

AND-Logical AND

Opcode       Instruction    Clocks     Description

20 /r        AND eb,rb      2,mem=7    Logical-AND byte register into EA byte
21 /r        AND ew,rw      2,mem=7    Logical-AND word register into EA word
22 /r        AND rb,eb      2,mem=7    Logical-AND EA byte into byte register
23 /r        AND rw,ew      2,mem=7    Logical-AND EA word into word register
24 db        AND AL,db      3          Logical-AND immediate byte into AL
25 dw        AND AX,dw      3          Logical-AND immediate word into AX
80 /4 db     AND eb,db      3,mem=7    Logical-AND immediate byte into EA byte
81 /4 dw     AND ew,dw      3,mem=7    Logical-AND immediate word into EA word

FLAGS MODIFIED

Overflow=0, sign, zero, parity, carry=0
FLAGS UNDEFINED

Auxiliary carry
OPERATION

Each bit of the result is a 1 if both corresponding bits of the operands were 1; it is 0 otherwise.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

ARPL-Adjust RPL Field of Selector

Opcode    Instruction    Clocks       Description

63 /r     ARPL ew,rw     10,mem=11    Adjust RPL of EA word not less than RPL of rw

FLAGS MODIFIED

Zero
FLAGS UNDEFINED

None
OPERATION

The ARPL instruction has two operands. The first operand is a 16-bit memory variable or word register
that contains the value of a selector. The second operand is a word register. If the RPL field (bottom
two bits) of the first operand is less than the RPL field of the second operand, then the zero flag is set
to 1 and the RPL field of the first operand is increased to match the second RPL. Otherwise, the zero
flag is set to 0 and no change is made to the first operand.
ARPL appears in operating systems software, not in applications programs. It is used to guarantee that
a selector parameter to a subroutine does not request more privilege than the caller was entitled to.
The second operand used by ARPL would normally be a register that contains the CS selector value
of the caller.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 6. ARPL is not recognized in Real Address mode.
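
The following C model is an added example, not code from the manual. It implements the ARPL operation as defined above and shows why a privileged routine applies it to a selector parameter before use: the later data-segment load requires DPL ≥ CPL and DPL ≥ RPL (the rule given in the SWITCH_TASKS list), so raising the RPL to the caller's level makes the load fail for segments the caller could not reach itself. The level-0 service, the function names and the selector values are hypothetical and constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RPL_MASK 3u   /* RPL is the bottom two bits of a selector */

/* ARPL ew,rw as the OPERATION text defines it. Returns the zero flag. */
bool arpl(uint16_t *selector, uint16_t caller_cs)
{
    unsigned rpl = *selector & RPL_MASK;
    unsigned caller_rpl = caller_cs & RPL_MASK;

    if (rpl < caller_rpl) {
        *selector = (uint16_t)((*selector & ~RPL_MASK) | caller_rpl);
        return true;    /* ZF = 1: RPL was raised to the caller's RPL */
    }
    return false;       /* ZF = 0: selector left unchanged */
}

/* Data-segment privilege rule applied when the selector is loaded:
 * the descriptor's DPL must be >= CPL and >= the selector's RPL. */
bool load_permitted(unsigned seg_dpl, unsigned cpl, uint16_t selector)
{
    return seg_dpl >= cpl && seg_dpl >= (selector & RPL_MASK);
}

/* Hypothetical level-0 service that receives a selector from its caller.
 * With `sanitize` false it trusts the RPL the caller put in the selector. */
bool service_can_touch(uint16_t param, uint16_t caller_cs,
                       unsigned seg_dpl, bool sanitize)
{
    const unsigned service_cpl = 0;

    if (sanitize)
        arpl(&param, caller_cs);
    return load_permitted(seg_dpl, service_cpl, param);
}

int main(void)
{
    /* Constructed values: a level-3 caller (CS = 0023H) passes selector
     * 0008H, which names a DPL-0 segment and carries RPL 0. */
    uint16_t caller_cs = 0x0023;
    uint16_t param = 0x0008;

    printf("without ARPL: access %s\n",
           service_can_touch(param, caller_cs, 0, false) ? "allowed" : "refused");
    printf("with ARPL:    access %s\n",
           service_can_touch(param, caller_cs, 0, true) ? "allowed" : "refused");

    /* The same caller passing a selector for its own DPL-3 segment. */
    printf("own segment:  access %s\n",
           service_can_touch(0x0010, caller_cs, 3, true) ? "allowed" : "refused");
    return 0;
}
```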

BOUND-Check Array Index Against Bounds

Opcode    Instruction    Clocks    Description

62 /r     BOUND rw,md    noj=13    INT 5 if rw not within bounds

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

BOUND is used to ensure that a signed array index is within the limits defined by a two-word block
of memory. The first operand (a register) must be greater than or equal to the first word in memory,
and less than or equal to the second word in memory. If the register is not within the bounds, an
INTERRUPT 5 occurs.
The two-word block might typically be found just before the array itself and therefore would be accessible at a constant offset of -4 from the array, simplifying the addressing.
PROTECTED MODE EXCEPTIONS

INTERRUPT 5 if the bounds test fails, as described above. #GP(0) for an illegal memory operand
effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
The second operand must be a memory operand, not a register. If the BOUND instruction is executed
with a ModRM byte representing a register second operand, then fault #UD will occur.
REAL ADDRESS MODE EXCEPTIONS

INTERRUPT 5 if the bounds test fails, as described above. Interrupt 13 for a second operand at offset
0FFFDH or higher. Interrupt 6 if the second operand is a register, as described in the paragraph above.

CALL-Call Procedure

Opcode    Instruction    Clocks*      Description

E8 cw     CALL cw        7            Call near, offset relative to next instruction
FF /2     CALL ew        7,mem=11     Call near, offset absolute at EA word
9A cd     CALL cd        13,pm=26     Call inter-segment, immediate 4-byte address
9A cd     CALL cd        41           Call gate, same privilege
9A cd     CALL cd        82           Call gate, more privilege, no parameters
9A cd     CALL cd        86+4X        Call gate, more privilege, X parameters
9A cd     CALL cd        177          Call via Task State Segment
9A cd     CALL cd        182          Call via task gate
FF /3     CALL ed        16,mem=29    Call inter-segment, address at EA doubleword
FF /3     CALL ed        44           Call gate, same privilege
FF /3     CALL ed        83           Call gate, more privilege, no parameters
FF /3     CALL ed        90+4X        Call gate, more privilege, X parameters
FF /3     CALL ed        180          Call via Task State Segment
FF /3     CALL ed        185          Call via task gate

*Add one clock for each byte in the next instruction executed.

FLAGS MODIFIED

None, except when a task switch occurs
FLAGS UNDEFINED

None
OPERATION

The CALL instruction causes the procedure named in the operand to be executed. When the procedure
is complete (a return instruction is executed within the procedure), execution continues at the instruction that follows the CALL instruction.
The CALL cw form of the instruction adds modulo 65536 (the 2-byte operand) to the offset of the
instruction following the CALL and sets IP to the resulting offset. The 2-byte offset of the instruction
that follows the CALL is pushed onto the stack. It will be popped by a near RET instruction within
the procedure. The CS register is not changed by this form.
The CALL ew form of the instruction is the same as CALL cw except that the operand specifies a
memory location from which the absolute 2-byte offset for the procedure is fetched.
The CALL cd form of the instruction uses the 4-byte operand as a pointer to the procedure called.
The CALL ed form fetches the long pointer from the memory location specified. Both long pointer
forms consult the AR byte in the descriptor indexed by the selector part of the long pointer. The AR
byte can indicate one of the following descriptor types:
1. Code Segment-The access rights are checked, the return pointer is pushed onto the stack, and
   the procedure is jumped to.
2. Call Gate-The offset part of the pointer is ignored. Instead, the entire address of the procedure
   is taken from the call gate descriptor entry. If the routine being entered is more privileged, then
   a new stack (both SS and SP) is loaded from the task state segment for the new privilege level,
   and parameters determined by the word count field of the call gate are copied from the old stack
   to the new stack.
3. Task Gate-The current task's context is saved in its Task State Segment (TSS), and the TSS
   named in the task-gate is used to load the new context. The selector for the outgoing task (from
   TR) is stored into the new TSS's link field, and the new task's Nested Task flag is set. The outgoing task is left marked busy, the new TSS is marked busy, and execution resumes at the point at
   which the new task was last suspended.
4. Task State Segment-The current task is suspended and the new task initiated as in 3 above
   except that there is no intervening gate.

For long calls involving no task switch, the return link is the pointer of the instruction that follows the
CALL, i.e., the caller's CS and updated IP. Task switches invoked by CALLs are linked by storing
the outgoing task's TSS selector in the incoming TSS's link field and setting the Nested Task flag in
the new task. Nested tasks must be terminated by an IRET. IRET releases the nested task and follows
the back link to the calling task if the NT flag is set.
A precise list of the protection checks made and the actions taken is given by the following list:
CALL FAR:
  If indirect then check access of EA doubleword #GP(0) if limit violation
  New CS selector must not be null else #GP(0)
  Check that new CS selector index is within its descriptor table limits; else #GP (new CS selector)
  Examine AR byte of selected descriptor for various legal values:
    CALL CONFORMING CODE SEGMENT:
      DPL must be ≤ CPL else #GP (code segment selector)
      Segment must be PRESENT else #NP (code segment selector)
      Stack must be big enough for return address else #SS(0)
      IP must be in code segment limit else #GP(0)
      Load code segment descriptor into CS cache
      Load CS with new code segment selector
      Load IP with new offset
    CALL NONCONFORMING CODE SEGMENT:
      RPL must be ≤ CPL else #GP (code segment selector)
      DPL must be = CPL else #GP (code segment selector)
      Segment must be PRESENT else #NP (code segment selector)
      Stack must be big enough for return address else #SS(0)
      IP must be in code segment limit else #GP(0)
      Load code segment descriptor into CS cache
      Load CS with new code segment selector
      Set RPL of CS to CPL
      Load IP with new offset
    CALL TO CALL GATE:
      Call gate DPL must be ≥ CPL else #GP (call gate selector)
      Call gate DPL must be ≥ RPL else #GP (call gate selector)
      Call gate must be PRESENT else #NP (call gate selector)
      Examine code segment selector in call gate descriptor:
        Selector must not be null else #GP(0)
        Selector must be within its descriptor table limits else #GP (code segment selector)
        AR byte of selected descriptor must indicate code segment else #GP (code segment selector)
        DPL of selected descriptor must be ≤ CPL else #GP (code segment selector)
      If non-conforming code segment and DPL < CPL then
        CALL GATE TO MORE PRIVILEGE:
          Get new SS selector for new privilege level from TSS
          Check selector and descriptor for new SS:
            Selector must not be null else #TS(0)
            Selector index must be within its descriptor table limits else #TS (SS selector)
            Selector's RPL must equal DPL of code segment else #TS (SS selector)
            Stack segment DPL must equal DPL of code segment else #TS (SS selector)
            Descriptor must indicate writable data segment else #TS (SS selector)
            Segment PRESENT else #SS (SS selector)
          New stack must have room for parameters plus 8 bytes else #SS(0)
          IP must be in code segment limit else #GP(0)
          Load new SS:SP value from TSS
          Load new CS:IP value from gate
          Load CS descriptor
          Load SS descriptor
          Push long pointer of old stack onto new stack
          Get word count from call gate, mask to 5 bits
          Copy parameters from old stack onto new stack
          Push return address onto new stack
          Set CPL to stack segment DPL
          Set RPL of CS to CPL
      Else
        CALL GATE TO SAME PRIVILEGE:
          Stack must have room for 4-byte return address else #SS(0)
          IP must be in code segment limit else #GP(0)
          Load CS:IP from gate
          Push return address onto stack
          Load code segment descriptor into CS-cache
          Set RPL of CS to CPL
    CALL TASK GATE:
      Task gate DPL must be ≥ CPL else #GP (gate selector)
      Task gate DPL must be ≥ RPL else #GP (gate selector)
      Task Gate must be PRESENT else #NP (gate selector)
      Examine selector to TSS, given in Task Gate descriptor:
        Must specify global in the local/global bit else #GP (TSS selector)
        Index must be within GDT limits else #GP (TSS selector)
        TSS descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
        Task State Segment must be PRESENT else #NP (TSS selector)
      SWITCH_TASKS with nesting to TSS
      IP must be in code segment limit else #GP(0)
    TASK STATE SEGMENT:
      TSS DPL must be ≥ CPL else #GP (TSS selector)
      TSS DPL must be ≥ RPL else #GP (TSS selector)
      TSS descriptor AR byte must specify available TSS else #GP (TSS selector)
      Task State Segment must be PRESENT else #NP (TSS selector)
      SWITCH_TASKS with nesting to TSS
      IP must be in code segment limit else #GP(0)
    ELSE #GP (code segment selector)
PROTECTED MODE EXCEPTIONS

FAR calls: #GP, #NP, #SS, and #TS, as indicated in the list above.
NEAR direct calls: #GP(0) if procedure location is beyond the code segment limits.

NEAR indirect CALL: #GP(0) for an illegal memory operand effective address in the CS, DS, or ES
segments; #SS(0) for an illegal address in the SS segment. #GP if the indirect offset obtained is beyond
the code segment limits.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

CBW-Convert Byte into Word

Opcode    Instruction    Clocks    Description

98        CBW            2         Convert byte into word (AH = top bit of AL)

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

CBW converts the signed byte in AL to a signed word in AX. It does so by extending the top bit of
AL into all of the bits of AH.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

CLC-Clear Carry Flag

Opcode    Instruction    Clocks    Description

F8        CLC            2         Clear carry flag

FLAGS MODIFIED

Carry=0
FLAGS UNDEFINED

None
OPERATION

CLC sets the carry flag to zero. No other flags or registers are affected.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

CLD-Clear Direction Flag

Opcode    Instruction    Clocks    Description

FC        CLD            2         Clear direction flag. SI and DI will increment

FLAGS MODIFIED

Direction = 0
FLAGS UNDEFINED

None
OPERATION

CLD clears the direction flag. No other flags or registers are affected. After CLD is executed, string
operations will increment the index registers (SI and/or DI) that they use.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

CLI-Clear Interrupt Flag

Opcode    Instruction    Clocks    Description

FA        CLI            3         Clear interrupt flag; interrupts disabled

FLAGS MODIFIED

Interrupt = 0
FLAGS UNDEFINED

None
OPERATION

CLI clears the interrupt enable flag if the current privilege level is at least as privileged as IOPL. No
other flags are affected. External interrupts will not be recognized at the end of the CLI instruction or
thereafter until the interrupt flag is set.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (has less privilege) than the IOPL in the flags register.
IOPL specifies the least privileged level at which I/O may be performed.
REAL ADDRESS MODE EXCEPTIONS

None

CLTS-Clear Task Switched Flag

Opcode    Instruction    Clocks    Description

0F 06     CLTS           2         Clear task switched flag

FLAGS MODIFIED

Task switched=0
FLAGS UNDEFINED

None
OPERATION

CLTS clears the task switched flag in the Machine Status Word. This flag is set by the 80286 every
time a task switch occurs. The TS flag is used to manage processor extensions as follows: every execution of a WAIT or an ESC instruction will be trapped if the MP flag of MSW is set and the task
switched flag is set. Thus, if a processor extension is present and a task switch has been made since the
last ESC instruction was begun, the processor extension's context must be saved before a new instruction can be issued. The fault routine will save the context and reset the task switched flag or place the
task requesting the processor extension into a queue until the current processor extension instruction is
completed.
CLTS appears in operating systems software, not in applications programs. It is a privileged instruction
that can only be executed at level 0.
PROTECTED MODE EXCEPTIONS

#GP(0) if CLTS is executed with a current privilege level other than 0.

REAL ADDRESS MODE EXCEPTIONS

None (valid in REAL ADDRESS MODE to allow power-up initialization for Protected Mode).

CMC-Complement Carry Flag

Opcode    Instruction    Clocks    Description

F5        CMC            2         Complement carry flag

FLAGS MODIFIED

Carry
FLAGS UNDEFINED

None
OPERATION

CMC reverses the setting of the carry flag. No other flags are affected.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

CMP-Compare Two Operands

Opcode       Instruction    Clocks     Description

3C db        CMP AL,db      3          Compare immediate byte from AL
3D dw        CMP AX,dw      3          Compare immediate word from AX
80 /7 db     CMP eb,db      3,mem=6    Compare immediate byte from EA byte
38 /r        CMP eb,rb      2,mem=7    Compare byte register from EA byte
83 /7 db     CMP ew,db      3,mem=6    Compare immediate byte from EA word
81 /7 dw     CMP ew,dw      3,mem=6    Compare immediate word from EA word
39 /r        CMP ew,rw      2,mem=7    Compare word register from EA word
3A /r        CMP rb,eb      2,mem=6    Compare EA byte from byte register
3B /r        CMP rw,ew      2,mem=6    Compare EA word from word register

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

CMP subtracts the second operand from the first operand, but it does not place the result anywhere.
Only the flags are changed by this instruction. CMP is usually followed by a conditional jump instruction. See the "Jcond" instructions in this chapter for the list of signed and unsigned flag tests provided
by the 80286.

If a word operand is compared to an immediate byte value, the byte value is first sign-extended.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

CMPS/CMPSB/CMPSW-Compare string operands

Opcode    Instruction    Clocks    Description

A6        CMPS mb,mb     8         Compare bytes ES:[DI] from [SI]
A6        CMPSB          8         Compare bytes ES:[DI] from DS:[SI]
A7        CMPSW          8         Compare words ES:[DI] from DS:[SI]

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

CMPS compares the byte or word pointed to by SI with the byte or word pointed to by DI by performing the subtraction [SI] - [DI]. The result is not placed anywhere; only the flags reflect the result of
the subtraction. The types of the operands to CMPS determine whether bytes or words are compared.
The segment addressability of the first (SI) operand determines whether a segment override byte will
be produced or whether the default segment register DS is used. The second (DI) operand must be
addressable from the ES register; no segment override is possible.
After the comparison is made, both SI and DI are automatically advanced. If the direction flag is 0
(CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the registers decrement. The registers increment or decrement by 1 if a byte was moved; by 2 if a word was
moved.
CMPS can be preceded by the REPE or REPNE prefix for block comparison of CX bytes or words.
Refer to the REP instruction for details of this operation.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Tntf"rrl1,.,t 11
fnr ~-- wnrn
()np.r~ nn "t ()ff~p.t
---------r-- -------1.

OFFFFH.

8-34

THE 80286 INSTRUCTION SET

CWD-Convert Word to Doubleword
Opcode    Instruction    Clocks    Description

99        CWD            2         Convert word to doubleword (DX:AX = AX)

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

CWD converts the signed word in AX to a signed doubleword in DX:AX. It does so by extending the
top bit of AX into all the bits of DX.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None


DAA-Decimal Adjust AL After Addition
Opcode    Instruction    Clocks    Description

27        DAA            3         Decimal adjust AL after addition

FLAGS MODIFIED

Sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

Overflow
OPERATION

DAA should be executed only after an ADD instruction which leaves a two-BCD-digit byte result in
the AL register. The ADD operands should consist of two packed BCD digits. In this case, the DAA
instruction will adjust AL to contain the correct two-digit packed decimal result.
The precise definition of DAA is as follows:
1. If the lower 4 bits of AL are greater than nine, or if the auxiliary carry flag is 1, then increment
   AL by 6, and set the auxiliary carry flag. Otherwise, reset the auxiliary carry flag.
2. If AL is now greater than 9FH, or if the carry flag is set, then increment AL by 60H, and set the
   carry flag. Otherwise, clear the carry flag.

PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None


DAS-Decimal Adjust AL After Subtraction
Opcode    Instruction    Clocks    Description

2F        DAS            3         Decimal adjust AL after subtraction

FLAGS MODIFIED

Sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

Overflow
OPERATION

DAS should be executed only after a subtraction instruction which leaves a two-BCD-digit byte result
in the AL register. The operands should consist of two packed BCD digits. In this case, the DAS
instruction will adjust AL to contain the correct packed two-digit decimal result.
The precise definition of DAS is as follows:
1. If the lower four bits of AL are greater than 9, or if the auxiliary carry flag is 1, then decrement
   AL by 6, and set the auxiliary carry flag. Otherwise, reset the auxiliary carry flag.
2. If AL is now greater than 9FH, or if the carry flag is set, then decrement AL by 60H, and set the
   carry flag. Otherwise, clear the carry flag.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None


DEC-Decrement by 1
Opcode    Instruction    Clocks     Description

FE /1     DEC eb         2,mem=7    Decrement EA byte by 1
FF /1     DEC ew         2,mem=7    Decrement EA word by 1
48+rw     DEC rw         2          Decrement word register by 1

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity
FLAGS UNDEFINED

None
OPERATION

1 is subtracted from the operand. Note that the carry flag is not changed by this instruction. If you
want the carry flag set, use the SUB instruction with a second operand of 1.
PROTECTED MODE EXCEPTIONS

#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

DIV-Unsigned Divide
Opcode    Instruction    Clocks       Description

F6 /6     DIV eb         14,mem=17    Unsigned divide AX by EA byte
F7 /6     DIV ew         22,mem=25    Unsigned divide DX:AX by EA word

FLAGS MODIFIED

None
FLAGS UNDEFINED

Overflow, sign, zero, auxiliary carry, parity, carry
OPERATION

DIV performs an unsigned divide. The dividend is implicit; only the divisor is given as an operand. If
the source operand is a BYTE operand, divide AX by the byte. The quotient is stored in AL, and the
remainder is stored in AH. If the source operand is a WORD operand, divide DX:AX by the word.
The high-order 16 bits of the dividend are kept in DX. The quotient is stored in AX, and the remainder
is stored in DX. Non-integral quotients are truncated towards 0. The remainder is always less than the
dividend.
PROTECTED MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is
zero. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0)
for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is
zero. Interrupt 13 for a word operand at offset 0FFFFH.
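
The Interrupt 0 condition above can be tested before the divide is issued. The following C model is an added example, not code from the manual: it emulates DIV eb and DIV ew as described and checks them against a register-only guard (the high half of the dividend must be below the divisor). The function and struct names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of an emulated DIV; fault=true stands for Interrupt 0 (divide error). */
struct div_result { bool fault; uint16_t quot, rem; };

/* DIV eb: AX / byte, quotient to AL, remainder to AH. */
static struct div_result div_eb(uint16_t ax, uint8_t divisor)
{
    struct div_result r = { true, 0, 0 };
    if (divisor == 0 || ax / divisor > 0xFF)   /* zero divisor or quotient too big for AL */
        return r;
    r.fault = false;
    r.quot = (uint16_t)(ax / divisor);
    r.rem = (uint16_t)(ax % divisor);
    return r;
}

/* DIV ew: DX:AX / word, quotient to AX, remainder to DX. */
static struct div_result div_ew(uint16_t dx, uint16_t ax, uint16_t divisor)
{
    struct div_result r = { true, 0, 0 };
    uint32_t dividend = ((uint32_t)dx << 16) | ax;
    if (divisor == 0 || dividend / divisor > 0xFFFFu) /* quotient too big for AX */
        return r;
    r.fault = false;
    r.quot = (uint16_t)(dividend / divisor);
    r.rem = (uint16_t)(dividend % divisor);
    return r;
}

/* Guards a caller can apply to untrusted operands before the divide:
 * the quotient overflows exactly when the high half of the dividend
 * is not below the divisor (this also covers a zero divisor). */
static bool div_eb_faults(uint16_t ax, uint8_t divisor) { return (ax >> 8) >= divisor; }
static bool div_ew_faults(uint16_t dx, uint16_t divisor) { return dx >= divisor; }

/* Cross-check the guards against the emulation over a constructed sample grid. */
static unsigned guard_mismatches(void)
{
    unsigned bad = 0;
    for (uint32_t dx = 0; dx <= 0xFFFF; dx += 257)
        for (uint32_t d = 0; d <= 0xFFFF; d += 251) {
            bad += div_ew((uint16_t)dx, 0x0000, (uint16_t)d).fault != div_ew_faults((uint16_t)dx, (uint16_t)d);
            bad += div_ew((uint16_t)dx, 0xFFFF, (uint16_t)d).fault != div_ew_faults((uint16_t)dx, (uint16_t)d);
        }
    for (uint32_t ax = 0; ax <= 0xFFFF; ax += 5)
        for (uint32_t d = 0; d <= 0xFF; d++)
            bad += div_eb((uint16_t)ax, (uint8_t)d).fault != div_eb_faults((uint16_t)ax, (uint8_t)d);
    return bad;
}

int main(void)
{
    struct div_result r = div_ew(0x0001, 0x0000, 1);   /* 65536 / 1 does not fit in AX */
    printf("DIV ew 0001:0000 / 1 -> %s\n", r.fault ? "Interrupt 0" : "ok");
    r = div_ew(0, 100, 7);
    printf("DIV ew 0000:0064 / 7 -> quot=%u rem=%u\n", (unsigned)r.quot, (unsigned)r.rem);
    printf("guard mismatches: %u\n", guard_mismatches());
    return 0;
}
```

A divisor of 1 is enough to raise Interrupt 0 when DX is nonzero, so checking only for a zero divisor does not prevent the fault.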


ENTER-Make Stack Frame for Procedure Parameters
Opcode          Instruction     Clocks    Description

C8 dw 00        ENTER dw,0      11        Make stack frame for procedure parameters
C8 dw 01        ENTER dw,1      15        Make stack frame for procedure parameters
C8 dw db        ENTER dw,db     12+4db    Make stack frame for procedure parameters

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

ENTER is used to create the stack frame required by most block-structured high-level languages. The
first operand specifies how many bytes of dynamic storage are to be allocated on the stack for the
routine being entered. The second operand gives the lexical nesting level of the routine within the high-level-language source code. It determines how many stack frame pointers are copied into the new stack
frame from the preceding frame. BP is used as the current stack frame pointer.

If the second operand is 0, ENTER pushes BP, sets BP to SP, and subtracts the first operand from
SP.
For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 instruction at
its entry point and a LEAVE instruction before every RET. The 12 local bytes would be addressed as
negative offsets from [BP]. See also section 4.2.
The formal definition of the ENTER instruction for all cases is given by the following listing. LEVEL
denotes the value of the second operand.
LEVEL := LEVEL MOD 32
Push BP
Set a temporary value FRAME_PTR := SP
If LEVEL > 0 then
    Repeat (LEVEL - 1) times:
        BP := BP - 2
        Push the word pointed to by BP
    End repeat
    Push FRAME_PTR
End if
BP := FRAME_PTR
SP := SP - first operand.

PROTECTED MODE EXCEPTIONS

#SS(0) if SP were to go outside of the stack limit within any part of the instruction execution.
REAL ADDRESS MODE EXCEPTIONS

None
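
The formal definition of ENTER can be traced on a small simulated stack. The C model below is an added example, not code from the manual: it follows the listing step by step, including the copy of frame pointers for nested levels and the stack-limit failure reported as #SS(0). The 256-byte stack, the `struct cpu` layout and the choice to apply changes only when the whole instruction succeeds are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_BYTES 256u /* constructed stack segment: valid offsets 0..255 */

struct cpu {
    uint16_t sp, bp;
    uint8_t stack[STACK_BYTES];
};

static void cpu_reset(struct cpu *c)
{
    for (unsigned i = 0; i < STACK_BYTES; i++)
        c->stack[i] = 0;
    c->sp = STACK_BYTES; /* empty stack: SP sits just past the last byte */
    c->bp = 0;
}

static uint16_t rd16(const struct cpu *c, uint16_t off)
{
    return (uint16_t)(c->stack[off] | (c->stack[off + 1] << 8));
}

/* Push one word; false models #SS(0) (SP would leave the stack limit). */
static bool push16(struct cpu *c, uint16_t v)
{
    if (c->sp < 2 || c->sp > STACK_BYTES)
        return false;
    c->sp = (uint16_t)(c->sp - 2);
    c->stack[c->sp] = (uint8_t)(v & 0xFF);
    c->stack[c->sp + 1] = (uint8_t)(v >> 8);
    return true;
}

/* ENTER locals,level, following the listing line by line. */
static bool enter(struct cpu *c, uint16_t locals, uint8_t level)
{
    struct cpu t = *c; /* work on a copy so a faulting ENTER changes nothing */
    uint16_t frame_ptr;

    level %= 32;                          /* LEVEL := LEVEL MOD 32 */
    if (!push16(&t, t.bp))                /* Push BP */
        return false;
    frame_ptr = t.sp;                     /* FRAME_PTR := SP */
    if (level > 0) {
        for (unsigned i = 1; i < level; i++) {   /* Repeat (LEVEL - 1) times */
            if (t.bp < 2 || t.bp > STACK_BYTES)
                return false;             /* frame-pointer word lies outside the stack */
            t.bp = (uint16_t)(t.bp - 2);  /* BP := BP - 2 */
            if (!push16(&t, rd16(&t, t.bp)))
                return false;
        }
        if (!push16(&t, frame_ptr))       /* Push FRAME_PTR */
            return false;
    }
    t.bp = frame_ptr;                     /* BP := FRAME_PTR */
    if (t.sp < locals)
        return false;                     /* locals would run past the stack limit */
    t.sp = (uint16_t)(t.sp - locals);     /* SP := SP - first operand */
    *c = t;
    return true;
}

int main(void)
{
    struct cpu c;
    cpu_reset(&c);
    enter(&c, 4, 1);          /* outer procedure at nesting level 1 */
    push16(&c, 0x0123);       /* constructed return address of a nested call */
    enter(&c, 2, 2);          /* inner procedure at nesting level 2 */
    printf("BP=%u SP=%u outer frame=%u own frame=%u\n", (unsigned)c.bp, (unsigned)c.sp,
           (unsigned)rd16(&c, (uint16_t)(c.bp - 2)), (unsigned)rd16(&c, (uint16_t)(c.bp - 4)));
    return 0;
}
```

After the second ENTER the words at [BP-2] and [BP-4] hold the outer and the current frame pointers, which is the copy the nesting level controls.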


HLT-Halt
Opcode    Instruction    Clocks    Description

F4        HLT            2         Halt

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

Successful execution of HLT causes the 80286 to cease executing instructions and to enter a HALT
state. Execution resumes only upon receipt of an enabled interrupt or a reset. If an interrupt is used to
resume program execution after HLT, the saved CS:IP value will point to the instruction that follows
HLT.
PROTECTED MODE EXCEPTIONS

HLT is a privileged instruction. #GP(0) if the current privilege level is not 0.
REAL ADDRESS MODE EXCEPTIONS

None

IDIV-Signed Divide
Opcode    Instruction    Clocks       Description

F6 /7     IDIV eb        17,mem=20    Signed divide AX by EA byte (AL=Quo, AH=Rem)
F7 /7     IDIV ew        25,mem=28    Signed divide DX:AX by EA word (AX=Quo, DX=Rem)

FLAGS MODIFIED

None
FLAGS UNDEFINED

Overflow, sign, zero, auxiliary carry, parity, carry
OPERATION

IDIV performs a signed divide. The dividend is implicit; only the divisor is given as an operand. If the
source operand is a BYTE operand, divide AX by the byte. The quotient is stored in AL, and the
remainder is stored in AH. If the source operand is a WORD operand, divide DX:AX by the word.
The high-order 16 bits of the dividend are in DX. The quotient is stored in AX, and the remainder is
stored in DX. Non-integral quotients are truncated towards 0. The remainder has the same sign as the
dividend and always has less magnitude than the dividend.
PROTECTED MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is 0.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is 0.
Interrupt 13 for a word operand at offset 0FFFFH.

IMUL-Signed Multiply
Opcode        Instruction       Clocks       Description

F6 /5         IMUL eb           13,mem=16    Signed multiply (AX = AL X EA byte)
F7 /5         IMUL ew           21,mem=24    Signed multiply (DX:AX = AX X EA word)
6B /r db      IMUL rw,db        21,mem=24    Signed multiply imm. byte into word reg.
69 /r dw      IMUL rw,ew,dw     21,mem=24    Signed multiply (rw = EA word X imm. word)
6B /r db      IMUL rw,ew,db     21,mem=24    Signed multiply (rw = EA word X imm. byte)

FLAGS MODIFIED

Overflow, carry
FLAGS UNDEFINED

Sign, zero, auxiliary carry, parity
OPERATION

IMUL performs signed multiplication. If IMUL has a single byte source operand, then the source is
multiplied by AL and the 16-bit signed result is left in AX. Carry and overflow are set to 0 if AH is a
sign extension of AL; they are set to 1 otherwise.
If IMUL has a single word source operand, then the source operand is multiplied by AX and the
32-bit signed result is left in DX:AX. DX contains the high-order 16 bits of the product. Carry and
overflow are set to 0 if DX is a sign extension of AX; they are set to 1 otherwise.
If IMUL has three operands, then the second operand (an effective address word) is multiplied by the
third operand (an immediate word), and the 16 bits of the result are placed in the first operand (a
word register). Carry and overflow are set to 0 if the result fits in a signed word (between -32768 and
+32767, inclusive); they are set to 1 otherwise.

NOTE
The low 16 bits of the product of a 16-bit signed multiply are the same as those of an unsigned
multiply. The three operand IMUL instruction can be used for unsigned operands as well.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

IN-Input from Port
Opcode    Instruction    Clocks    Description

E4 db     IN AL,db       5         Input byte from immediate port into AL
EC        IN AL,DX       5         Input byte from port DX into AL
E5 db     IN AX,db       5         Input word from immediate port into AX
ED        IN AX,DX       5         Input word from port DX into AX

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

IN transfers a data byte or data word from the port numbered by the second operand into the register
(AL or AX) given as the first operand. You can access any port from 0 to 65535 by placing the port
number in the DX register then using an IN instruction with DX as the second parameter. These I/O
instructions can be shortened by using an 8-bit port I/O in the instruction. The upper 8 bits of the port
address will be zero when an 8-bit port I/O is used.
Intel has reserved I/O port addresses 00F8H through 00FFH; they should not be used.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (has less privilege) than IOPL, which is the privilege
level found in the flags register.
REAL ADDRESS MODE EXCEPTIONS

None

INC-Increment by 1
Opcode    Instruction    Clocks     Description

FE /0     INC eb         2,mem=7    Increment EA byte by 1
FF /0     INC ew         2,mem=7    Increment EA word by 1
40+rw     INC rw         2          Increment word register by 1

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity
FLAGS UNDEFINED

None
OPERATION

1 is added to the operand. Note that the carry flag is not changed by this instruction. If you want the
carry flag set, use the ADD instruction with a second operand of 1.
PROTECTED MODE EXCEPTIONS

#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

INS/INSB/INSW-Input from Port to String
Opcode    Instruction    Clocks    Description

6C        INS eb,DX      5         Input byte from port DX into ES:[DI]
6D        INS ew,DX      5         Input word from port DX into ES:[DI]
6C        INSB           5         Input byte from port DX into ES:[DI]
6D        INSW           5         Input word from port DX into ES:[DI]

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

INS transfers data from the input port numbered by the DX register to the memory byte or word at
ES:DI. The memory operand must be addressable from the ES register; no segment override is
possible.
INS does not allow the specification of the port number as an immediate value. The port must be
addressed through the DX register.
After the transfer is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed),
DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.
INS can be preceded by the REP prefix for block input of CX bytes or words. Refer to the REP
instruction for details of this operation.
Intel has reserved I/O port addresses 00F8H through 00FFH; they should not be used.
NOTE
Not all input port devices can handle the rate at which this instruction transfers input data
to memory.
PROTECTED MODE EXCEPTIONS

#GP(0) if CPL > IOPL. #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal
memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the
SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

INT/INTO-Call to Interrupt Procedure
Opcode    Instruction    Clocks(1)      Description

CC        INT 3          23(2)          Interrupt 3 (trap to debugger)
CC        INT 3          40             Interrupt 3, protected mode, same privilege
CC        INT 3          78             Interrupt 3, protected mode, more privilege
CC        INT 3          167            Interrupt 3, protected mode, via task gate
CD db     INT db         23(2)          Interrupt numbered by immediate byte
CD db     INT db         40             Interrupt, protected mode, same privilege
CD db     INT db         78             Interrupt, protected mode, more privilege
CD db     INT db         167            Interrupt, protected mode, via task gate
CE        INTO           24,noj=3(2)    Interrupt 4 if overflow flag is 1

(1) = Add one clock for each byte of the next instruction executed.
(2) = (real mode)

FLAGS MODIFIED

All if a task switch takes place; Trap Flag reset if no task switch takes place. Interrupt Flag is always
reset in Real Mode, and reset in Protected Mode when INT references an interrupt gate.
FLAGS UNDEFINED

None
OPERATION

The INT instruction generates via software a call to an interrupt procedure. The immediate operand,
from 0 to 255, gives the index number into the Interrupt Descriptor Table of the interrupt routine to
be called. In protected mode, the IDT consists of 8-byte descriptors; the descriptor for the interrupt
invoked must indicate an interrupt gate, a trap gate, or a task gate. In real address mode, the IDT is
an array of 4-byte long pointers at the fixed location 00000H.
The INTO instruction is identical to the INT instruction except that the interrupt number is implicitly
4, and the interrupt is made only if the overflow flag of the 80286 is on. The clock counts for the four
forms of INT db are valid for INTO, with the number of clocks increased by 1 for the overflow flag
test.
The first 32 interrupts are reserved by Intel for systems use. Some of these interrupts are exception
handlers for internally-generated faults. Most of these exception handlers should not be invoked with
the INT instruction.
Generally, interrupts behave like far CALLs except that the flags register is pushed onto the stack
before the return address. Interrupt procedures return via the IRET instruction, which pops the flags
from the stack.
In Real Address mode, INT pushes the flags, CS and the return IP onto the stack in that order, then
resets the Trap Flag, then jumps to the long pointer indexed by the interrupt number, in the interrupt
vector table.

In Protected mode, INT also resets the Trap Flag. In Protected mode, the precise semantics of the
INT instruction are given by the following:
INTERRUPT
  Interrupt vector must be within IDT table limits else #GP (vector number X 8+2+EXT)
  Descriptor AR byte must indicate interrupt gate, trap gate, or task gate else #GP (vector number X 8+2+EXT)
  If INT instruction then gate descriptor DPL must be ≥ CPL else #GP (vector number X 8+2+EXT)
  Gate must be PRESENT else #NP (vector number X 8+2+EXT)
  If TRAP GATE or INTERRUPT GATE:
    Examine CS selector and descriptor given in the gate descriptor:
      Selector must be non-null else #GP (EXT)
      Selector must be within its descriptor table limits else #GP (selector+EXT)
      Descriptor AR byte must indicate code segment else #GP (selector+EXT)
      Segment must be PRESENT else #NP (selector+EXT)
    If code segment is non-conforming and DPL < CPL then
      INTERRUPT TO INNER PRIVILEGE:
        Check selector and descriptor for new stack in current Task State Segment:
          Selector must be non-null else #TS(EXT)
          Selector index must be within its descriptor table limits else #TS (SS selector+EXT)
          Selector's RPL must equal DPL of code segment else #TS (SS selector+EXT)
          Stack segment DPL must equal DPL of code segment else #TS (SS selector+EXT)
          Descriptor must indicate writable data segment else #TS (SS selector+EXT)
          Segment must be PRESENT else #SS (SS selector+EXT)
        New stack must have room for 10 bytes else #SS(0)
        IP must be in CS limit else #GP(0)
        Load new SS and SP value from TSS
        Load new CS and IP value from gate
        Load CS descriptor
        Load SS descriptor
        Push long pointer to old stack onto new stack
        Push return address onto new stack
        Set CPL to new code segment DPL
        Set RPL of CS to CPL
        If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
        Set the Trap Flag to 0
        Set the Nested Task Flag to 0
    If code segment is conforming or code segment DPL = CPL then
      INTERRUPT TO SAME PRIVILEGE LEVEL:
        Current stack limits must allow pushing 6 bytes else #SS(0)
        If interrupt was caused by fault with error code then
          Stack limits must allow push of two more bytes else #SS(0)
        IP must be in CS limit else #GP(0)
        Push flags onto stack
        Push current CS selector onto stack
        Push return offset onto stack
        Load CS:IP from gate
        Load CS descriptor
        Set the RPL field of CS to CPL
        Push error code (if any) onto stack
        If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
        Set the Trap Flag to 0
        Set the Nested Task Flag to 0
    Else #GP (CS selector+EXT)
  If TASK GATE:
    Examine selector to TSS, given in Task Gate descriptor:
      Must specify global in the local/global bit else #GP (TSS selector)
      Index must be within GDT limits else #GP (TSS selector)
      AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
      Task State Segment must be PRESENT else #NP (TSS selector)
    SWITCH_TASKS with nesting to TSS
    If interrupt was caused by fault with error code then
      Stack limits must allow push of two more bytes else #SS(0)
      Push error code onto stack
    IP must be in CS limit else #GP(0)

NOTE
EXT is 1 if an external event (i.e., a single step, an external interrupt, an MF exception, or
an MP exception) caused the interrupt; 0 if not (i.e., an INT instruction or other exceptions).
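
The gate-level checks at the top of the listing decide which vectors less privileged code may invoke with INT. The C model below is an added example, not code from the manual: it applies the first four checks and the null-selector check to a constructed IDT and returns the fault and error code the listing specifies. The gate byte layout (selector in bytes 2-3, access rights in byte 5 with P in bit 7, DPL in bits 6-5 and types 5, 6, 7 for task, interrupt and trap gates) is not shown on this page and is assumed here; all names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum fault { F_NONE, F_GP, F_NP };
struct result { enum fault fault; uint16_t err; };

/* Assumed 80286 gate layout: bytes 2-3 selector, byte 5 access rights
 * = P (bit 7), DPL (bits 6-5), descriptor type (bits 4-0). */
enum { T_TASK = 5, T_INT = 6, T_TRAP = 7 };
#define AR(p, dpl, type) ((uint8_t)(((p) << 7) | ((dpl) << 5) | (type)))
#define GATE(sel, ar)    { 0x00, 0x10, (sel) & 0xFF, (sel) >> 8, 0, (ar), 0, 0 }

/* Constructed sample IDT with 8 slots (limit 63); unlisted slots are all zero. */
static const uint8_t idt[8][8] = {
    [3] = GATE(0x0008, AR(1, 3, T_TRAP)), /* reachable from CPL 3 */
    [4] = GATE(0x0008, AR(1, 0, T_INT)),  /* DPL 0: software INT from CPL 3 refused */
    [5] = GATE(0x0008, AR(0, 3, T_TRAP)), /* not present */
    [6] = GATE(0x0008, AR(1, 3, 4)),      /* type 4 is not an interrupt, trap or task gate */
    [7] = GATE(0x0000, AR(1, 3, T_INT)),  /* null code selector */
};
static const uint16_t idt_limit = (uint16_t)(sizeof idt - 1);

/* is_int_insn: raised by INT/INTO; ext: the EXT bit from the NOTE above. */
static struct result int_gate_check(uint8_t vector, unsigned cpl, bool is_int_insn, bool ext)
{
    struct result r = { F_GP, (uint16_t)(vector * 8u + 2u + (ext ? 1u : 0u)) };

    if (vector * 8u + 7u > idt_limit)      /* vector must be within IDT limits */
        return r;
    const uint8_t *g = idt[vector];
    uint8_t ar = g[5];
    unsigned type = ar & 0x1Fu;
    unsigned dpl = (ar >> 5) & 3u;

    if (type != T_TASK && type != T_INT && type != T_TRAP)
        return r;                          /* AR byte must indicate a gate */
    if (is_int_insn && dpl < cpl)
        return r;                          /* gate DPL must be >= CPL for INT */
    if (!(ar & 0x80u)) {
        r.fault = F_NP;                    /* gate must be PRESENT */
        return r;
    }
    if (type != T_TASK) {
        uint16_t sel = (uint16_t)(g[2] | (g[3] << 8));
        if ((sel & 0xFFFCu) == 0) {        /* selector must be non-null else #GP(EXT) */
            r.err = ext ? 1 : 0;
            return r;
        }
    }
    r.fault = F_NONE;
    r.err = 0;
    return r;
}

int main(void)
{
    static const char *name[] = { "ok", "#GP", "#NP" };
    for (unsigned v = 3; v <= 9; v++) {
        struct result r = int_gate_check((uint8_t)v, 3, true, false);
        printf("INT %u at CPL 3 -> %s(%u)\n", v, name[r.fault], (unsigned)r.err);
    }
    return 0;
}
```

The DPL comparison applies only to the INT instruction, so a gate with DPL 0 still serves faults and external interrupts while refusing software INT from CPL 3.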
PROTECTED MODE EXCEPTIONS

#GP, #NP, #SS, and #TS, as indicated in the list above.
REAL ADDRESS MODE EXCEPTIONS

None; the 80286 will shut down if the SP = 1, 3, or 5 before executing the INT or INTO instruction,
due to lack of stack space.

IRET-Interrupt Return
Opcode    Instruction    Clocks*     Description

CF        IRET           17,pm=31    Interrupt return (far return and pop flags)
CF        IRET           55          Interrupt return, lesser privilege
CF        IRET           169         Interrupt return, different task (NT=1)

*Add one clock for each byte in the next instruction executed.

FLAGS MODIFIED

Entire flags register popped from stack
FLAGS UNDEFINED

None
OPERATION

In real address mode, IRET pops IP, CS, and FLAGS from the stack in that order, and resumes the
interrupted routine.
In protected mode, the action of IRET depends on the setting of the Nested Task Flag (NT) bit in the
flag register. When popping the new flag image from the stack, note that the IOPL bits in the flag
register are changed only when CPL=0.
If NT=0, IRET returns from an interrupt procedure without a task switch. The code returned to must
be equally or less privileged than the interrupt routine as indicated by the RPL bits of the CS selector
popped from the stack. If the destination code is of less privilege, IRET then also pops SP and SS
from the stack.
If NT=1, IRET reverses the operation of a CALL or INT that caused a task switch. The task executing IRET has its updated state saved in its Task State Segment. This means that if the task is reentered, the code that follows IRET will be executed.

The exact checks and actions performed by IRET in protected mode are given on the following page.
INTERRUPT RETURN:
  If Nested Task Flag=1 then
    RETURN FROM NESTED TASK:
      Examine Back Link Selector in TSS addressed by the current Task Register:
        Must specify global in the local/global bit else #TS (new TSS selector)
        Index must be within GDT limits else #TS (new TSS selector)
        AR byte must specify TSS else #TS (new TSS selector)
        New TSS must be busy else #TS (new TSS selector)
        Task State Segment must be PRESENT else #NP (new TSS selector)
      SWITCH_TASKS without nesting to TSS specified by back link selector
      Mark the task just abandoned as NOT BUSY
      IP must be in code segment limit else #GP(0)
  If Nested Task Flag=0 then
    INTERRUPT RETURN ON STACK:
      Second word on stack must be within stack limits else #SS(0)
      Return CS selector RPL must be ≥ CPL else #GP (Return selector)
      If return selector RPL = CPL then
        INTERRUPT RETURN TO SAME LEVEL:
          Top 6 bytes on stack must be within limits else #SS(0)
          Return CS selector (at SP+2) must be non-null else #GP(0)
          Selector index must be within its descriptor table limits else #GP (Return selector)
          AR byte must indicate code segment else #GP (Return selector)
          If non-conforming then code segment DPL must = CPL else #GP (Return selector)
          If conforming then code segment DPL must be ≤ CPL else #GP (Return selector)
          Segment must be PRESENT else #NP (Return selector)
          IP must be in code segment limit else #GP(0)
          Load CS:IP from stack
          Load CS-cache with new code segment descriptor
          Load flags with third word on stack
          Increment SP by 6
      Else
        INTERRUPT RETURN TO OUTER PRIVILEGE LEVEL:
          Top 10 bytes on stack must be within limits else #SS(0)
          Examine return CS selector (at SP+2) and associated descriptor:
            Selector must be non-null else #GP(0)
            Selector index must be within its descriptor table limits else #GP (Return selector)
            AR byte must indicate code segment else #GP (Return selector)
            If non-conforming then code segment DPL must = CS selector RPL else #GP (Return selector)
            If conforming then code segment DPL must be > CPL else #GP (Return selector)
            Segment must be PRESENT else #NP (Return selector)
          Examine return SS selector (at SP+8) and associated descriptor:
            Selector must be non-null else #GP(0)
            Selector index must be within its descriptor table limits else #GP (SS selector)
            Selector RPL must equal the RPL of the return CS selector else #GP (SS selector)
            AR byte must indicate a writable data segment else #GP (SS selector)
            Stack segment DPL must equal the RPL of the return CS selector else #GP (SS selector)
            SS must be PRESENT else #SS (SS selector)
          IP must be in code segment limit else #GP(0)
          Load CS:IP from stack
          Load flags with values at (SP+4)
          Load SS:SP from stack
          Set CPL to the RPL of the return CS selector
          Load the CS-cache with the CS descriptor
          Load the SS-cache with the SS descriptor
          For each of ES and DS:
            If the current register setting is not valid for the outer level, then zero the register and
            clear the valid flag
            To be valid, the register setting must satisfy the following properties:
              Selector index must be within descriptor table limits
              AR byte must indicate data or readable code segment
              If segment is data or non-conforming code, then:
                DPL must be ≥ CPL, or
                DPL must be ≥ RPL.

PROTECTED MODE EXCEPTIONS

#GP, #NP, or #SS, as indicated in the above listing.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 if the stack is popped when it has offset 0FFFFH.

Jcond-Jump Short If Condition Met
Opcode    Instruction    Clocks*    Description

77 cb     JA cb          7,noj=3    Jump short if above (CF=0 and ZF=0)
73 cb     JAE cb         7,noj=3    Jump short if above or equal (CF=0)
72 cb     JB cb          7,noj=3    Jump short if below (CF=1)
76 cb     JBE cb         7,noj=3    Jump short if below or equal (CF=1 or ZF=1)
72 cb     JC cb          7,noj=3    Jump short if carry (CF=1)
E3 cb     JCXZ cb        8,noj=4    Jump short if CX register is zero
74 cb     JE cb          7,noj=3    Jump short if equal (ZF=1)
7F cb     JG cb          7,noj=3    Jump short if greater (ZF=0 and SF=OF)
7D cb     JGE cb         7,noj=3    Jump short if greater or equal (SF=OF)
7C cb     JL cb          7,noj=3    Jump short if less (SF/=OF)
7E cb     JLE cb         7,noj=3    Jump short if less or equal (ZF=1 or SF/=OF)
76 cb     JNA cb         7,noj=3    Jump short if not above (CF=1 or ZF=1)
72 cb     JNAE cb        7,noj=3    Jump short if not above/equal (CF=1)
73 cb     JNB cb         7,noj=3    Jump short if not below (CF=0)
77 cb     JNBE cb        7,noj=3    Jump short if not below/equal (CF=0 and ZF=0)
73 cb     JNC cb         7,noj=3    Jump short if not carry (CF=0)
75 cb     JNE cb         7,noj=3    Jump short if not equal (ZF=0)
7E cb     JNG cb         7,noj=3    Jump short if not greater (ZF=1 or SF/=OF)
7C cb     JNGE cb        7,noj=3    Jump short if not greater/equal (SF/=OF)
7D cb     JNL cb         7,noj=3    Jump short if not less (SF=OF)
7F cb     JNLE cb        7,noj=3    Jump short if not less/equal (ZF=0 and SF=OF)
71 cb     JNO cb         7,noj=3    Jump short if not overflow (OF=0)
7B cb     JNP cb         7,noj=3    Jump short if not parity (PF=0)
79 cb     JNS cb         7,noj=3    Jump short if not sign (SF=0)
75 cb     JNZ cb         7,noj=3    Jump short if not zero (ZF=0)
70 cb     JO cb          7,noj=3    Jump short if overflow (OF=1)
7A cb     JP cb          7,noj=3    Jump short if parity (PF=1)
7A cb     JPE cb         7,noj=3    Jump short if parity even (PF=1)
7B cb     JPO cb         7,noj=3    Jump short if parity odd (PF=0)
78 cb     JS cb          7,noj=3    Jump short if sign (SF=1)
74 cb     JZ cb          7,noj=3    Jump short if zero (ZF=1)

*When a jump is taken, add one clock for every byte of the next instruction executed.

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

Conditional jumps (except for JCXZ, explained below) test the flags, which presumably have been set
in some meaningful way by a previous instruction. The conditions for each mnemonic are given in
parentheses after each description above. The terms "less" and "greater" are used for comparing signed
integers; "above" and "below" are used for unsigned integers.

If the given condition is true, then a short jump is made to the label provided as the operand. Instruction encoding is most efficient when the target for the conditional jump is in the current code segment
and within -128 to +127 bytes of the first byte of the next instruction. Alternatively, the opposite
sense (e.g., JNZ has opposite sense to that of JZ) of the conditional jump can skip around an unconditional jump to the destination.
This range is necessary for the assembler to construct a one-byte signed displacement from the end of
the current instruction. If the label is out-of-range, or if the label is a FAR label, then you must perform
a jump with the opposite condition around an unconditional jump to the non-short label.
Because there are, in many instances, several ways to interpret a particular state of the flags, ASM286
provides more than one mnemonic for most of the conditional jump opcodes. For example, consider
that a programmer who has just compared a character to another in AL might wish to jump if the two
were equal (JE), while another programmer who had just ANDed AX with a bit field mask would
prefer to consider only whether the result was zero or not (he would use JZ, a synonym for JE).
JCXZ differs from the other conditional jumps in that it actually tests the contents of the CX register
for zero, rather than interrogating the flags. This instruction is useful following a conditionally repeated
string operation (REPE SCASB, for example) or a conditional loop instruction (such as LOOPNE
TARGETLABEL). These instructions implicitly use a limiting count in the CX register. Looping
(repeating) ends when either the CX register goes to zero or the condition specified in the instruction
(flags indicating equals in both of the above cases) occurs. JCXZ is useful when the terminations must
be handled differently.
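
The split between "less/greater" (signed) and "above/below" (unsigned) matters most in bounds checks. The C model below is an added example, not code from the manual: it computes the flags a 16-bit CMP leaves, evaluates the flag conditions from the table above, and shows a length check that rejects an oversized value with JA but lets it through with JG. The function names and the sample length and limit are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flags tested by Jcond, as left by a 16-bit CMP a,b (which computes a - b). */
struct flags { bool cf, zf, sf, of; };

static struct flags cmp16(uint16_t a, uint16_t b)
{
    uint16_t r = (uint16_t)(a - b);
    struct flags f;
    f.cf = a < b;                                  /* unsigned borrow */
    f.zf = (r == 0);
    f.sf = (r & 0x8000u) != 0;
    /* signed overflow: operand signs differ and the result sign differs from a */
    f.of = (((a ^ b) & (a ^ r)) & 0x8000u) != 0;
    return f;
}

/* Conditions copied from the table. Returns 1 if taken, 0 if not, -1 if the
 * mnemonic is not one of the unsigned/signed comparisons modelled here. */
static int jcond_taken(const char *m, struct flags f)
{
#define IS(x) (strcmp(m, (x)) == 0)
    if (IS("JA")  || IS("JNBE"))             return !f.cf && !f.zf;
    if (IS("JAE") || IS("JNB") || IS("JNC")) return !f.cf;
    if (IS("JB")  || IS("JNAE") || IS("JC")) return f.cf;
    if (IS("JBE") || IS("JNA"))              return f.cf || f.zf;
    if (IS("JE")  || IS("JZ"))               return f.zf;
    if (IS("JNE") || IS("JNZ"))              return !f.zf;
    if (IS("JG")  || IS("JNLE"))             return !f.zf && f.sf == f.of;
    if (IS("JGE") || IS("JNL"))              return f.sf == f.of;
    if (IS("JL")  || IS("JNGE"))             return f.sf != f.of;
    if (IS("JLE") || IS("JNG"))              return f.zf || f.sf != f.of;
#undef IS
    return -1;
}

/* Models "CMP len,limit" followed by "<jump> reject": true if len is rejected. */
static bool length_rejected(const char *jump, uint16_t len, uint16_t limit)
{
    return jcond_taken(jump, cmp16(len, limit)) == 1;
}

/* Cross-check the flag logic against C's own unsigned and signed comparisons. */
static unsigned mismatches(void)
{
    unsigned bad = 0;
    for (uint32_t a = 0; a <= 0xFFFF; a += 0x0101)
        for (uint32_t b = 0; b <= 0xFFFF; b += 0x0101) {
            struct flags f = cmp16((uint16_t)a, (uint16_t)b);
            int16_t sa = (int16_t)a, sb = (int16_t)b;
            bad += jcond_taken("JA", f) != (a > b);
            bad += jcond_taken("JB", f) != (a < b);
            bad += jcond_taken("JG", f) != (sa > sb);
            bad += jcond_taken("JL", f) != (sa < sb);
        }
    return bad;
}

int main(void)
{
    /* Constructed input: a length of 0FFFFH checked against a limit of 0100H. */
    printf("JA rejects 0FFFFH: %d\n", length_rejected("JA", 0xFFFF, 0x0100));
    printf("JG rejects 0FFFFH: %d\n", length_rejected("JG", 0xFFFF, 0x0100));
    printf("flag-model mismatches: %u\n", mismatches());
    return 0;
}
```

With JG the value 0FFFFH is read as -1 and passes the check, so sizes and offsets compared with CMP need the above/below mnemonics.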
PROTECTED MODE EXCEPTIONS

#GP(0) if the offset jumped to is beyond the limits of the code segment.
REAL ADDRESS MODE EXCEPTIONS

None


JMP-Jump
Opcode    Instruction    Clocks*     Description

EB cb     JMP cb         7           Jump short
EA cd     JMP cd         180         Jump to task gate
E9 cw     JMP cw         7           Jump near
EA cd     JMP cd         11,pm=23    Jump far (4-byte immediate address)
EA cd     JMP cd         38          Jump to call gate, same privilege
EA cd     JMP cd         175         Jump via Task State Segment
FF /4     JMP ew         7,mem=11    Jump near to EA word (absolute offset)
FF /5     JMP ed         15,pm=26    Jump far (4-byte effective address in memory doubleword)
FF /5     JMP ed         41          Jump to call gate, same privilege
FF /5     JMP ed         178         Jump via Task State Segment
FF /5     JMP ed         183         Jump to task gate

*Add one clock for every byte of the next instruction executed.
FLAGS MODIFIED

All if a task switch takes place; none if no task switch occurs.
FLAGS UNDEFINED

None
OPERATION

The JMP instruction transfers program control to a different instruction stream without recording any
return information.
For inter-segment jumps, the destination can be a code segment, a call gate, a task gate, or a Task
State Segment. The latter two destinations cause a complete task switch to take place.
Control transfers within a segment use the JMP cw or JMP cb forms. The operand is a relative offset
added modulo 65536 to the offset of the instruction that follows the JMP. The result is the new value
of IP; the value of CS is unchanged. The byte operand is sign-extended before it is added; it can
therefore be used to address labels within 128 bytes in either direction from the next instruction.
Indirect jumps within a segment use the JMP ew form. The contents of the register or memory operand
is an absolute offset, which becomes the new value of IP. Again, CS is unchanged.
Inter-segment jumps in real address mode simply set IP to the offset part of the long pointer and set
CS to the selector part of the pointer.

In protected mode, inter-segment jumps cause the 80286 to consult the descriptor addressed by the
selector part of the long pointer. The AR byte of the descriptor determines the type of the destination.
(See table B-3 for possible values of the AR byte.) Following are the possible destinations:

1. Code segment-The addressability and visibility of the destination are verified, and CS and IP
   are loaded with the destination pointer values.
2. Call gate-The offset part of the destination pointer is ignored. After checking for validity, the
   processor jumps to the location stored in the call gate descriptor.
3. Task gate-The current task's state is saved in its Task State Segment (TSS), and the TSS named
   in the task gate is used to load a new context. The outgoing task is marked not busy, the new TSS
   is marked busy, and execution resumes at the point at which the new task was last suspended.
4. TSS-The current task is suspended and the new task is initiated as in 3 above except that there
   is no intervening gate.

Following is the list of checks and actions taken for long jumps in protected mode:
JUMP FAR:
    If indirect then check access of EA doubleword #GP(0) or #SS(0) if limit violation
    Destination selector is not null else #GP(0)
    Destination selector index is within its descriptor table limits else #GP (selector)
    Examine AR byte of destination selector for legal values:
        JUMP CONFORMING CODE SEGMENT:
            Descriptor DPL must be ≤ CPL else #GP (selector)
            Segment must be PRESENT else #NP (selector)
            IP must be in code segment limit else #GP(0)
            Load CS:IP from destination pointer
            Load CS-cache with new segment descriptor
        JUMP NONCONFORMING CODE SEGMENT:
            RPL of destination selector must be ≤ CPL else #GP (selector)
            Descriptor DPL must = CPL else #GP (selector)
            Segment must be PRESENT else #NP (selector)
            IP must be in code segment limit else #GP(0)
            Load CS:IP from destination pointer
            Load CS-cache with new segment descriptor
            Set RPL field of CS register to CPL
        JUMP TO CALL GATE:
            Descriptor DPL must be ≥ CPL else #GP (gate selector)
            Descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
            Gate must be PRESENT else #NP (gate selector)
            Examine selector to code segment given in call gate descriptor:
                Selector must not be null else #GP(0)
                Selector must be within its descriptor table limits else #GP (CS selector)
                Descriptor AR byte must indicate code segment else #GP (CS selector)
                If non-conforming, code segment descriptor DPL must = CPL else #GP (CS selector)
                If conforming, then code segment descriptor DPL must be ≤ CPL else #GP (CS selector)
                Code Segment must be PRESENT else #NP (CS selector)
                IP must be in code segment limit else #GP(0)
                Load CS:IP from call gate
                Load CS-cache with new code segment
                Set RPL of CS to CPL
        JUMP TASK GATE:
            Gate descriptor DPL must be ≥ CPL else #GP (gate selector)
            Gate descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
            Task Gate must be PRESENT else #NP (gate selector)
            Examine selector to TSS, given in Task Gate descriptor:
                Must specify global in the local/global bit else #GP (TSS selector)
                Index must be within GDT limits else #GP (TSS selector)
                Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
                Task State Segment must be PRESENT else #NP (TSS selector)
            SWITCH_TASKS without nesting to TSS
            IP must be in code segment limit else #GP(0)
        JUMP TASK STATE SEGMENT:
            TSS DPL must be ≥ CPL else #GP (TSS selector)
            TSS DPL must be ≥ TSS selector RPL else #GP (TSS selector)
            Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
            Task State Segment must be PRESENT else #NP (TSS selector)
            SWITCH_TASKS with nesting to TSS
            IP must be in code segment limit else #GP(0)
        Else #GP (selector)
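The code-segment and call-gate branches of the check list above can be modelled in C to show that a far JMP never changes the privilege level, even through a gate. This is an added example, not code from the Intel manual; the simplified descriptor struct, the function names and the sample table are assumptions, the TI bit of the selector is ignored, and task switches are reported but not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* 80286 access-rights (AR) byte: P | DPL(2) | S | TYPE(4). */
#define AR_PRESENT      0x80u
#define AR_DPL(ar)      (((ar) >> 5) & 3u)
#define AR_IS_CODE(ar)  (((ar) & 0x18u) == 0x18u)  /* S=1 and executable */
#define AR_CONFORMING   0x04u
#define AR_CALL_GATE    0x04u                      /* S=0, type 4 */

typedef enum { JMP_OK, JMP_GP, JMP_NP, JMP_TASK_SWITCH } jmp_outcome_t;

typedef struct {            /* simplified descriptor (assumption), not the hardware layout */
    uint8_t  ar;
    uint16_t limit;         /* code segment: highest valid offset */
    uint16_t target_sel;    /* call gate: destination code selector */
    uint16_t target_off;    /* call gate: destination offset */
} desc_t;

typedef struct { jmp_outcome_t outcome; uint16_t error_code, cs, ip; } jmp_result_t;

/* Constructed sample descriptor table. */
const desc_t sample_table[] = {
    { 0x00, 0, 0, 0 },            /* 0: null entry */
    { 0x9A, 0x0FFF, 0, 0 },       /* 1: nonconforming code, DPL 0 */
    { 0xFA, 0x01FF, 0, 0 },       /* 2: nonconforming code, DPL 3 */
    { 0x9E, 0x0FFF, 0, 0 },       /* 3: conforming code, DPL 0 */
    { 0xE4, 0, 0x0008, 0x0100 },  /* 4: call gate, DPL 3, to entry 1 */
    { 0xE4, 0, 0x0010, 0x0040 },  /* 5: call gate, DPL 3, to entry 2 */
    { 0x84, 0, 0x0010, 0x0040 },  /* 6: call gate, DPL 0, to entry 2 */
};
#define SAMPLE_ENTRIES ((unsigned)(sizeof sample_table / sizeof sample_table[0]))

static jmp_result_t fault(jmp_outcome_t o, uint16_t code)
{
    jmp_result_t r = { o, code, 0, 0 };
    return r;
}

/* Code-segment checks shared by a direct jump and a call-gate target. */
static jmp_result_t enter_code(const desc_t *d, uint16_t sel, uint16_t ip,
                               unsigned cpl, int via_gate)
{
    unsigned dpl = AR_DPL(d->ar);
    jmp_result_t r = { JMP_OK, 0, sel, ip };

    if (d->ar & AR_CONFORMING) {
        if (dpl > cpl) return fault(JMP_GP, sel);          /* DPL must be <= CPL */
    } else {
        if (!via_gate && (sel & 3u) > cpl) return fault(JMP_GP, sel);
        if (dpl != cpl) return fault(JMP_GP, sel);         /* DPL must = CPL */
    }
    if (!(d->ar & AR_PRESENT)) return fault(JMP_NP, sel);
    if (ip > d->limit) return fault(JMP_GP, 0);
    if (via_gate || !(d->ar & AR_CONFORMING))
        r.cs = (uint16_t)((sel & ~3u) | cpl);              /* set RPL of CS to CPL */
    return r;
}

jmp_result_t jmp_far(uint16_t sel, uint16_t off, unsigned cpl,
                     const desc_t *tbl, unsigned entries)
{
    const desc_t *d;
    unsigned type;

    if (sel <= 3) return fault(JMP_GP, 0);                 /* null selector */
    if ((unsigned)(sel >> 3) >= entries) return fault(JMP_GP, sel);
    d = &tbl[sel >> 3];
    if (AR_IS_CODE(d->ar)) return enter_code(d, sel, off, cpl, 0);

    type = d->ar & 0x1Fu;                                  /* S bit plus type */
    if (type == AR_CALL_GATE) {
        uint16_t cs = d->target_sel;
        if (AR_DPL(d->ar) < cpl || AR_DPL(d->ar) < (sel & 3u))
            return fault(JMP_GP, sel);
        if (!(d->ar & AR_PRESENT)) return fault(JMP_NP, sel);
        if (cs <= 3) return fault(JMP_GP, 0);
        if ((unsigned)(cs >> 3) >= entries) return fault(JMP_GP, cs);
        if (!AR_IS_CODE(tbl[cs >> 3].ar)) return fault(JMP_GP, cs);
        /* The offset in the jump operand is ignored; the gate supplies it. */
        return enter_code(&tbl[cs >> 3], cs, d->target_off, cpl, 1);
    }
    if (type == 1 || type == 5)                            /* available TSS, task gate */
        return fault(JMP_TASK_SWITCH, sel);                /* not modelled here */
    return fault(JMP_GP, sel);
}

int main(void)
{
    jmp_result_t r = jmp_far(0x0023, 0x9999, 3, sample_table, SAMPLE_ENTRIES);
    printf("CPL 3 via gate to DPL 0 code: outcome=%d error=%04X\n",
           r.outcome, r.error_code);
    return 0;
}
```

In the sample table a CPL 3 caller passes the gate's own DPL checks at entry 4 and still faults on the DPL 0 target, with the target code selector as the error code.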

PROTECTED MODE EXCEPTIONS

For NEAR jumps, #GP(0) if the destination offset is beyond the limits of the current code segment.
For FAR jumps, #GP, #NP, #SS, and #TS, as indicated above. #UD if indirect inter-segment jump
operand is a register.
REAL ADDRESS MODE EXCEPTIONS

#UD if indirect inter-segment jump operand is a register.

LAHF-Load Flags into AH Register
Opcode    Instruction    Clocks    Description

9F        LAHF           2         Load: AH = flags SF ZF xx AF xx PF xx CF

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The low byte of the flags word is transferred to AH. The bits, from MSB to LSB, are as follows: sign,
zero, indeterminate, auxiliary carry, indeterminate, parity, indeterminate, and carry. See figure 3-5.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

LAR-Load Access Rights Byte
Opcode      Instruction    Clocks       Description

0F 02 /r    LAR rw,ew      14,mem=16    Load: high(rw)= Access Rights byte, selector ew

FLAGS MODIFIED

Zero
FLAGS UNDEFINED

None
OPERATION

LAR expects the second operand (memory or register word) to contain a selector. If the associated
descriptor is visible at the current privilege level and at the selector RPL, then the access rights byte
of the descriptor is loaded into the high byte of the first (register) operand, and the low byte is set to
zero. The zero flag is set if the loading was performed (i.e., the selector index is within the table limit,
descriptor DPL ≥ CPL, and descriptor DPL ≥ selector RPL); the zero flag is cleared otherwise.
Selector operands cannot cause protection exceptions.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTION

INTERRUPT 6; LAR is unrecognized in Real Address mode.

LDS/LES-Load Doubleword Pointer
Opcode    Instruction    Clocks     Description

C5 /r     LDS rw,ed      7,pm=21    Load EA doubleword into DS and word register
C4 /r     LES rw,ed      7,pm=21    Load EA doubleword into ES and word register

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The four-byte pointer at the memory location indicated by the second operand is loaded into a segment
register and a word register. The first word of the pointer (the offset) is loaded into the register indicated
by the first operand. The last word of the pointer (the selector) is loaded into the segment register (DS
or ES) given by the instruction opcode.
When the segment register is loaded, its associated cache is also loaded. The data for the cache is
obtained from the descriptor table entry for the selector given.
A null selector (values 0000-0003) can be loaded into DS or ES without a protection exception. Any
memory reference using such a segment register value will cause a #GP(0) exception but will not result
in a memory reference. The saved segment register value will be null.
Following is a list of checks and actions taken when loading the DS or ES registers:
If selector is non-null then:
    Selector index must be within its descriptor table limits else #GP (selector)
    Examine descriptor AR byte:
        Data segment or readable non-conforming code segment
            Descriptor DPL ≥ CPL else #GP (selector)
            Descriptor DPL ≥ selector RPL else #GP (selector)
        Readable conforming code segment
            No DPL, RPL, or CPL checks
        Else #GP (selector)
    Segment must be present else #NP (selector)
    Load registers from operand
    Load segment register descriptor cache
If selector is null then:
    Load registers from operand
    Mark segment register cache as invalid

PROTECTED MODE EXCEPTIONS

#GP or #NP, as indicated in the list above. #GP(0) or #SS(0) if operand lies outside segment limit.
#UD if the source operand is a register.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for operand at offset 0FFFFH or 0FFFDH. #UD if the source operand is a register.

LEA-Load Effective Address Offset
Opcode    Instruction    Clocks    Description

8D /r     LEA rw,m       3         Calculate EA offset given by m, place in rw

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The effective address (offset part) of the second operand is placed in the first (register) operand.
PROTECTED MODE EXCEPTIONS

#UD if second operand is a register.
REAL ADDRESS MODE EXCEPTIONS

#UD if second operand is a register.

LEAVE-High Level Procedure Exit
Opcode    Instruction    Clocks    Description

C9        LEAVE          5         Set SP to BP, then POP BP

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

LEAVE is the complementary operation to ENTER; it reverses the effects of that instruction. By
copying BP to SP, LEAVE releases the stack space used by a procedure for its dynamics and display.
The old frame pointer is now popped into BP, restoring the caller's frame, and a subsequent RET nn
instruction will follow the back-link and remove any arguments pushed on the stack for the exiting
procedure.
PROTECTED MODE EXCEPTIONS

#SS(0) if BP does not point to a location within the current stack segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

LGDT/LIDT-Load Global/Interrupt Descriptor Table Register
Opcode      Instruction    Clocks    Description

0F 01 /2    LGDT m         11        Load m into Global Descriptor Table reg
0F 01 /3    LIDT m         12        Load m into Interrupt Descriptor Table reg

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The Global or the Interrupt Descriptor Table Register is loaded from the six bytes of memory pointed
to by the effective address operand (see figure 10.3). The LIMIT field of the descriptor table register
loads from the first word; the next three bytes go to the BASE field of the register; the last byte is
ignored.
LGDT and LIDT appear in operating systems software; they are not used in application programs.
These are the only instructions that directly load a physical memory address in 80286 protected mode.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is not 0.
#UD if source operand is a register.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

These instructions are valid in Real Address mode to allow the power-up initialization for Protected
mode.
Interrupt 13 for a word operand at offset 0FFFFH. #UD if source operand is a register.

LLDT-Load Local Descriptor Table Register
Opcode      Instruction    Clocks       Description

0F 00 /2    LLDT ew        17,mem=19    Load selector ew into Local Descriptor Table register

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The word operand (memory or register) to LLDT should contain a selector pointing to the Global
Descriptor Table. The GDT entry should be a Local Descriptor Table Descriptor. If so, then the Local
Descriptor Table Register is loaded from the entry. The descriptor cache entries for DS, ES, SS, and
CS are not affected. The LDT field in the TSS is not changed.
The selector operand is allowed to be zero. In that case, the Local Descriptor Table Register is marked
invalid. All descriptor references (except by LAR, VERR, VERW or LSL instructions) will cause a
#GP fault.
LLDT appears in operating systems software; it does not appear in applications programs.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is not 0. #GP (selector) if the selector operand does not point into
the Global Descriptor Table, or if the entry in the GDT is not a Local Descriptor Table. #NP (selector)
if LDT descriptor is not present. #GP(0) for an illegal memory operand effective address in the CS,
DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LLDT is not recognized in Real Address Mode.

LMSW-Load Machine Status Word
Opcode      Instruction    Clocks     Description

0F 01 /6    LMSW ew        3,mem=6    Load EA word into Machine Status Word

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The Machine Status Word is loaded from the source operand. This instruction may be used to switch
to protected mode. If so, then it must be followed by an intra-segment jump to flush the instruction
queue. LMSW will not switch back to Real Address Mode.
LMSW appears only in operating systems software. It does not appear in applications programs.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is not 0. #GP(0) for an illegal memory operand effective address
in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

LOCK-Assert BUS LOCK Signal
Opcode    Instruction    Clocks    Description

F0        LOCK           0         Assert BUSLOCK signal for the next instruction

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

LOCK is a prefix that will cause the BUS LOCK signal of the 80286 to be asserted for the duration
of the instruction that it prefixes. In a multiprocessor environment, this signal should be used to ensure
that the 80286 has exclusive use of any shared memory while BUS LOCK is asserted. The
read-modify-write sequence typically used to implement TEST-AND-SET in the 80286 is the XCHG
instruction.
The 80286 LOCK prefix activates the lock signal for the following instructions: MOVS, INS, and
OUTS. XCHG always asserts BUS LOCK regardless of the presence or absence of the LOCK prefix.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (less privileged) than the I/O privilege level.
Other exceptions may be generated by the subsequent (locked) instruction.
REAL ADDRESS MODE EXCEPTIONS

None. Exceptions may still be generated by the subsequent (locked) instruction.

LODS/LODSB/LODSW-Load String Operand
Opcode    Instruction    Clocks    Description

AC        LODS mb        5         Load byte [SI] into AL
AD        LODS mw        5         Load word [SI] into AX
AC        LODSB          5         Load byte DS:[SI] into AL
AD        LODSW          5         Load word DS:[SI] into AX

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

LODS loads the AL or AX register with the memory byte or word at SI. After the transfer is made,
SI is automatically advanced. If the direction flag is 0 (CLD was executed), SI increments; if the
direction flag is 1 (STD was executed), SI decrements. SI increments or decrements by 1 if a byte was
moved; by 2 if a word was moved.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

LOOP/LOOPcond-Loop Control with CX Counter
Opcode    Instruction    Clocks     Description

E2 cb     LOOP cb        8,noj=4    DEC CX; jump short if CX≠0
E1 cb     LOOPE cb       8,noj=4    DEC CX; jump short if CX≠0 and equal (ZF=1)
E0 cb     LOOPNE cb      8,noj=4    DEC CX; jump short if CX≠0 and not equal (ZF=0)
E0 cb     LOOPNZ cb      8,noj=4    DEC CX; jump short if CX≠0 and ZF=0
E1 cb     LOOPZ cb       8,noj=4    DEC CX; jump short if CX≠0 and zero (ZF=1)

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

LOOP first decrements the CX register without changing any of the flags. Then, conditions are checked
as given in the description above for the form of LOOP being used. If the conditions are met, then an
intra-segment jump is made. The destination to LOOP is in the range from 126 (decimal) bytes before
the instruction to 127 bytes beyond the instruction.
The LOOP instructions are intended to provide iteration control and to combine loop index
management with conditional branching. To use the LOOP instruction you load an unsigned iteration count
into CX, then code the LOOP at the end of a series of instructions to be iterated. The destination of
LOOP is a label that points to the beginning of the iteration.
PROTECTED MODE EXCEPTIONS

#GP(0) if the offset jumped to is beyond the limits of the current code segment.
REAL ADDRESS MODE EXCEPTIONS

None

LSL-Load Segment Limit
Opcode      Instruction    Clocks       Description

0F 03 /r    LSL rw,ew      14,mem=16    Load: rw = Segment Limit, selector ew

FLAGS MODIFIED

Zero
FLAGS UNDEFINED

None
OPERATION

If the descriptor denoted by the selector in the second (memory or register) operand is visible at the
CPL, a word that consists of the limit field of the descriptor is loaded into the left operand, which
must be a register. The value is the limit field for that segment. The zero flag is set if the loading was
performed (that is, if the selector is non-null, the selector index is within the descriptor table limits,
the descriptor is a non-conforming segment descriptor with DPL ≥ CPL, and the descriptor DPL ≥
selector RPL); the zero flag is cleared otherwise.
The LSL instruction returns only the limit field of segments, task state segments, and local descriptor
tables. The interpretation of the limit value depends on the type of segment.
The selector operand's value cannot result in a protection exception.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LSL is not recognized in Real Address mode.

LTR-Load Task Register
Opcode      Instruction    Clocks       Description

0F 00 /3    LTR ew         17,mem=19    Load EA word into Task Register

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The Task Register is loaded from the source register or memory location given by the operand. The
loaded TSS is marked busy. A task switch operation does not occur.
LTR appears only in operating systems software. It is not used in applications programs.
PROTECTED MODE EXCEPTIONS

#GP for an illegal memory operand effective address in the CS, DS, or ES segments; #SS for an illegal
address in the SS segment.
#GP(0) if the current privilege level is not 0. #GP (selector) if the object named by the source selector
is not a TSS or is already busy. #NP (selector) if the TSS is marked not present.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LTR is not recognized in Real Address mode.

MOV-Move Data
Opcode       Instruction    Clocks     Description

88 /r        MOV eb,rb      2,mem=3    Move byte register into EA byte
89 /r        MOV ew,rw      2,mem=3    Move word register into EA word
8A /r        MOV rb,eb      2,mem=5    Move EA byte into byte register
8B /r        MOV rw,ew      2,mem=5    Move EA word into word register
8C /0        MOV ew,ES      2,mem=3    Move ES into EA word
8C /1        MOV ew,CS      2,mem=3    Move CS into EA word
8C /2        MOV ew,SS      2,mem=3    Move SS into EA word
8C /3        MOV ew,DS      2,mem=3    Move DS into EA word
8E /0        MOV ES,mw      5,pm=19    Move memory word into ES
8E /0        MOV ES,rw      2,pm=17    Move word register into ES
8E /2        MOV SS,mw      5,pm=19    Move memory word into SS
8E /2        MOV SS,rw      2,pm=17    Move word register into SS
8E /3        MOV DS,mw      5,pm=19    Move memory word into DS
8E /3        MOV DS,rw      2,pm=17    Move word register into DS
A0 dw        MOV AL,xb      5          Move byte variable (offset dw) into AL
A1 dw        MOV AX,xw      5          Move word variable (offset dw) into AX
A2 dw        MOV xb,AL      3          Move AL into byte variable (offset dw)
A3 dw        MOV xw,AX      3          Move AX into word register (offset dw)
B0+ rb db    MOV rb,db      2          Move immediate byte into byte register
B8+ rw dw    MOV rw,dw      2          Move immediate word into word register
C6 /0 db     MOV eb,db      2,mem=3    Move immediate byte into EA byte
C7 /0 dw     MOV ew,dw      2,mem=3    Move immediate word into EA word

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The second operand is copied to the first operand.

If the destination operand is a segment register (DS, ES, or SS), then the associated segment register
cache is also loaded. The data for the cache is obtained from the descriptor table entry for the selector
given.
A null selector (values 0000-0003) can be loaded into DS and ES registers without causing a protection
exception. Any use of a segment register with a null selector to address memory will cause #GP(0)
exception. No memory reference will occur.
Any move into SS will inhibit all interrupts until after the execution of the next instruction.

Following is a listing of the protected-mode checks and actions taken in the loading of a segment
register:
If SS is loaded:
    If selector is null then #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Selector's RPL must equal CPL else #GP (selector)
    AR byte must indicate a writable data segment else #GP (selector)
    DPL in the AR byte must equal CPL else #GP (selector)
    Segment must be marked PRESENT else #SS (selector)
    Load SS with selector
    Load SS cache with descriptor
If ES or DS is loaded with non-null selector
    Selector index must be within its descriptor table limits else #GP (selector)
    AR byte must indicate data or readable code segment else #GP (selector)
    If data or non-conforming code, then both the RPL and the
    CPL must be less than or equal to DPL in AR byte else #GP (selector)
    Segment must be marked PRESENT else #NP (selector)
    Load segment register with selector
    Load segment register cache with descriptor
If ES or DS is loaded with a null selector:
    Load segment register with selector
    Clear descriptor valid bit

PROTECTED MODE EXCEPTIONS

If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing above.

Otherwise, #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand
effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

MOVS/MOVSB/MOVSW-Move Data from String to String
Opcode    Instruction    Clocks    Description

A4        MOVS mb,mb     5         Move byte [SI] to ES:[DI]
A5        MOVS mw,mw     5         Move word [SI] to ES:[DI]
A4        MOVSB          5         Move byte DS:[SI] to ES:[DI]
A5        MOVSW          5         Move word DS:[SI] to ES:[DI]

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

MOVS copies the byte or word at [SI] to the byte or word at ES:[DI]. The destination operand must
be addressable from the ES register; no segment override is possible. A segment override may be used
for the source operand.
After the data movement is made, both SI and DI are automatically advanced. If the direction flag is
0 (CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the
registers decrement. The registers increment or decrement by 1 if a byte was moved; by 2 if a word
was moved.
MOVS can be preceded by the REP prefix for block movement of CX bytes or words. Refer to the
REP instruction for details of this operation.
PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

MUL-Unsigned Multiplication of AL or AX
Opcode    Instruction    Clocks       Description

F6 /4     MUL eb         13,mem=16    Unsigned multiply (AX = AL × EA byte)
F7 /4     MUL ew         21,mem=24    Unsigned multiply (DX:AX = AX × EA word)

FLAGS MODIFIED

Overflow, carry
FLAGS UNDEFINED

Sign, zero, auxiliary carry, parity
OPERATION

If MUL has a byte operand, then the byte is multiplied by AL, and the result is left in AX. Carry and
overflow are set to 0 if AH is 0; they are set to 1 otherwise.
If MUL has a word operand, then the word is multiplied by AX, and the result is left in DX:AX. DX
contains the high order 16 bits of the product. Carry and overflow are set to 0 if DX is 0; they are set
to 1 otherwise.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

NEG-Two's Complement Negation
Opcode    Instruction    Clocks     Description

F6 /3     NEG eb         2,mem=7    Two's complement negate EA byte
F7 /3     NEG ew         2,mem=7    Two's complement negate EA word

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

The two's complement of the register or memory operand replaces the old operand value. Likewise,
the operand is subtracted from zero, and the result is placed in the operand.
The carry flag is set to 1 except when the input operand is zero, in which case the carry flag is cleared
to 0.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

NOP-No OPERATION
Opcode    Instruction    Clocks    Description

90        NOP            3         No OPERATION

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

Performs no operation. NOP is a one-byte filler instruction that takes up space but affects none of the
machine context except IP.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

NOT-One's Complement Negation
Opcode    Instruction    Clocks     Description

F6 /2     NOT eb         2,mem=7    Reverse each bit of EA byte
F7 /2     NOT ew         2,mem=7    Reverse each bit of EA word

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The operand is inverted; that is, every 1 becomes a 0 and vice versa.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

OR-Logical Inclusive OR
Opcode      Instruction    Clocks     Description

08 /r       OR eb,rb       2,mem=7    Logical-OR byte register into EA byte
09 /r       OR ew,rw       2,mem=7    Logical-OR word register into EA word
0A /r       OR rb,eb       2,mem=7    Logical-OR EA byte into byte register
0B /r       OR rw,ew       2,mem=7    Logical-OR EA word into word register
0C db       OR AL,db       3          Logical-OR immediate byte into AL
0D dw       OR AX,dw       3          Logical-OR immediate word into AX
80 /1 db    OR eb,db       3,mem=7    Logical-OR immediate byte into EA byte
81 /1 dw    OR ew,dw       3,mem=7    Logical-OR immediate word into EA word

FLAGS MODIFIED

Overflow=0, sign, zero, parity, carry=0
FLAGS UNDEFINED

Auxiliary carry
OPERATION

This instruction computes the inclusive OR of the two operands. Each bit of the result is 0 if both
corresponding bits of the operands are 0; each bit is 1 otherwise. The result is placed in the first
operand.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

OUT-Output to Port
Opcode    Instruction    Clocks    Description

E6 db     OUT db,AL      3         Output byte AL to immediate port number db
E7 db     OUT db,AX      3         Output word AX to immediate port number db
EE        OUT DX,AL      3         Output byte AL to port number DX
EF        OUT DX,AX      3         Output word AX to port number DX

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

OUT transfers a data byte or data word from the register (AL or AX) given as the second operand to
the output port numbered by the first operand. You can output to any port from 0-65535 by placing
the port number in the DX register then using an OUT instruction with DX as the first operand. If the
instruction contains an 8-bit port ID, that value is zero-extended to 16 bits.
Intel reserves I/O port addresses 00F8H through 00FFH; these addresses should not be used.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (has less privilege) than IOPL, which is the privilege
level found in the flags register.
REAL ADDRESS MODE EXCEPTIONS

None

OUTS/OUTSB/OUTSW-Output String to Port
Opcode    Instruction    Clocks    Description

6E        OUTS DX,eb     5         Output byte [SI] to port number DX
6F        OUTS DX,ew     5         Output word [SI] to port number DX
6E        OUTSB          5         Output byte DS:[SI] to port number DX
6F        OUTSW          5         Output word DS:[SI] to port number DX

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

OUTS transfers data from the memory byte or word at SI to the output port numbered by the DX
register.
OUTS does not allow the specification of the port number as an immediate value. The port must be
addressed through the DX register.
After the transfer is made, SI is automatically advanced. If the direction flag is 0 (CLD was executed),
SI increments; if the direction flag is 1 (STD was executed), SI decrements. SI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.
OUTS can be preceded by the REP prefix for block output of CX bytes or words. Refer to the REP
instruction for details of this operation.
Intel reserves I/O port addresses 00F8H through 00FFH; these addresses should not be used.
NOTE
Not all output devices can handle the rate at which this instruction transfers data.
PROTECTED MODE EXCEPTIONS

#GP(0) if CPL > IOPL. #GP(0) for an illegal memory operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

POP-Pop a Word from the Stack
Opcode    Instruction    Clocks     Description

1F        POP DS         5,pm=20    Pop top of stack into DS
07        POP ES         5,pm=20    Pop top of stack into ES
17        POP SS         5,pm=20    Pop top of stack into SS
8F /0     POP mw         5          Pop top of stack into memory word
58+rw     POP rw         5          Pop top of stack into word register

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The word on the top of the 80286 stack, addressed by SS:SP, replaces the previous contents of the
memory, register, or segment register operand. The stack pointer SP is incremented by 2 to point to
the new top of stack.
If the destination operand is another segment register (DS, ES, or SS), the value popped must be a
selector. In protected mode, loading the selector initiates automatic loading of the descriptor information associated with that selector into the hidden part of the segment register; loading also initiates
validation of both the selector and the descriptor information.

A null value (0000-0003) may be loaded into the DS or ES register without causing a protection
exception. Attempts to reference memory using a segment register with a null value will cause #GP(0)
exception. No memory reference will occur. The saved value of the segment register will be null.
A POP SS instruction will inhibit all interrupts, including NMI, until after the execution of the next
instruction. This permits a POP SP instruction to be performed first.
Following is a listing of the protected-mode checks and actions taken in the loading of a segment
register:
If SS is loaded:
    If selector is null then #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Selector's RPL must equal CPL else #GP (selector)
    AR byte must indicate a writable data segment else #GP (selector)
    DPL in the AR byte must equal CPL else #GP (selector)
    Segment must be marked PRESENT else #SS (selector)
    Load SS register with selector
    Load SS cache with descriptor
If ES or DS is loaded with non-null selector:
    AR byte must indicate data or readable code segment else #GP (selector)
    If data or non-conforming code, then both the RPL and the
    CPL must be less than or equal to DPL in AR byte else #GP (selector)
    Segment must be marked PRESENT else #NP (selector)
    Load segment register with selector
    Load segment register cache with descriptor
If ES or DS is loaded with a null selector:
    Load segment register with selector
    Clear valid bit in cache
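The segment-register load checks listed for LDS/LES, MOV and POP can be modelled in C as follows, including the null-selector case that loads without a fault and the #SS (rather than #NP) raised for a not-present stack segment. This is an added example, not code from the Intel manual; the function and type names and the sample table of AR bytes are assumptions, the index-limit check from the MOV listing is applied to DS/ES as well, and the TI bit of the selector is ignored.

```c
#include <stdint.h>
#include <stdio.h>

/* 80286 access-rights (AR) byte: P | DPL(2) | S | TYPE(4). */
#define AR_PRESENT   0x80u
#define AR_DPL(ar)   (((ar) >> 5) & 3u)
#define AR_SEGMENT   0x10u  /* S=1: code or data segment */
#define AR_EXEC      0x08u  /* 1 = code segment, 0 = data segment */
#define AR_CONFORM   0x04u  /* code segments: conforming */
#define AR_RW        0x02u  /* code: readable; data: writable */

typedef enum { LOAD_OK, FAULT_GP, FAULT_SS, FAULT_NP } load_outcome_t;
typedef enum { REG_DS, REG_ES, REG_SS } segreg_t;

typedef struct {
    load_outcome_t outcome;
    uint16_t error_code;   /* 0, or the selector named by the fault */
    int cache_valid;       /* 0 after a null load: any later memory use gives #GP(0) */
} load_result_t;

/* Constructed sample descriptor table, one AR byte per entry. */
const uint8_t sample_ar[] = {
    0x00,  /* 0: null entry */
    0x92,  /* 1: writable data, DPL 0 */
    0xF2,  /* 2: writable data, DPL 3 */
    0xF0,  /* 3: read-only data, DPL 3 */
    0x72,  /* 4: writable data, DPL 3, not present */
    0x9E,  /* 5: readable conforming code, DPL 0 */
    0x9A,  /* 6: readable nonconforming code, DPL 0 */
    0x98,  /* 7: execute-only code, DPL 0 */
};
#define SAMPLE_ENTRIES ((unsigned)sizeof sample_ar)

static load_result_t done(load_outcome_t o, uint16_t code, int valid)
{
    load_result_t r = { o, code, valid };
    return r;
}

load_result_t load_segreg(segreg_t reg, uint16_t sel, unsigned cpl,
                          const uint8_t *ar_table, unsigned entries)
{
    unsigned index = sel >> 3, rpl = sel & 3u, dpl;
    uint8_t ar;

    if (sel <= 3)                                   /* null selector 0000-0003 */
        return reg == REG_SS ? done(FAULT_GP, 0, 0) : done(LOAD_OK, 0, 0);
    if (index >= entries)
        return done(FAULT_GP, sel, 0);
    ar = ar_table[index];
    dpl = AR_DPL(ar);

    if (reg == REG_SS) {
        if (rpl != cpl) return done(FAULT_GP, sel, 0);
        if ((ar & (AR_SEGMENT | AR_EXEC | AR_RW)) != (AR_SEGMENT | AR_RW))
            return done(FAULT_GP, sel, 0);          /* must be writable data */
        if (dpl != cpl) return done(FAULT_GP, sel, 0);
        if (!(ar & AR_PRESENT)) return done(FAULT_SS, sel, 0);
    } else {
        int code = (ar & AR_EXEC) != 0;
        if (!(ar & AR_SEGMENT) || (code && !(ar & AR_RW)))
            return done(FAULT_GP, sel, 0);          /* data or readable code only */
        if (!(code && (ar & AR_CONFORM)) && (rpl > dpl || cpl > dpl))
            return done(FAULT_GP, sel, 0);          /* RPL and CPL must be <= DPL */
        if (!(ar & AR_PRESENT)) return done(FAULT_NP, sel, 0);
    }
    return done(LOAD_OK, 0, 1);
}

int main(void)
{
    /* A CPL 0 caller using a selector whose RPL is 3: the RPL alone denies DPL 0 data. */
    load_result_t r = load_segreg(REG_DS, 0x000B, 0, sample_ar, SAMPLE_ENTRIES);
    printf("DS <- 000B at CPL 0: outcome=%d error=%04X\n", r.outcome, r.error_code);
    return 0;
}
```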

PROTECTED MODE EXCEPTIONS

If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing above.

Otherwise, #SS(0) if the current top of stack is not within the stack segment.
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

POPA-Pop All General Registers
Opcode    Instruction    Clocks    Description

61        POPA           19        Pop in order: DI,SI,BP,SP,BX,DX,CX,AX

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

POPA pops the eight general registers given in the description above, except that the SP value is
discarded instead of loaded into SP. POPA reverses a previous PUSHA, restoring the general registers
to their values before PUSHA was executed. The first register popped is DI.
PROTECTED MODE EXCEPTIONS

#SS(0) if the starting or ending stack address is not within the stack segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

POPF-Pop from Stack into the Flags Register
Opcode    Instruction    Clocks    Description

9D        POPF           5         Pop top of stack into flags register

FLAGS MODIFIED

Entire flags register is popped from stack
FLAGS UNDEFINED

None
OPERATION

The top of the 80286 stack, pointed to by SS:SP, is copied into the 80286 flags register. The stack
pointer SP is incremented by 2 to point to the new top of stack. The flags, from the top bit (bit 15) to
the bottom (bit 0), are as follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled, trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and
carry.
The I/O privilege level will be altered only when executing at privilege level 0. The interrupt enable
flag will be altered only when executing at a level at least as privileged as the I/O privilege level. If
you execute a POPF instruction with insufficient privilege, there will be no exception nor will the
privileged bits be changed.
PROTECTED MODE EXCEPTIONS

#SS(0) if the top of stack is not within the stack segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at 0FFFFH.
In real mode the NT and IOPL bits will not be modified.
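
The POPF privilege rules above, modeled in C as an added example (not code from the manual). The function names, the sample flag words, and the choice to leave undefined bits unchanged are assumptions of this sketch; it shows which bits survive at each privilege level and the compare-after-pop check that is needed because no exception is raised.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag positions from the POPF description (bit 15 down to bit 0). */
#define FL_CF   0x0001u
#define FL_PF   0x0004u
#define FL_AF   0x0010u
#define FL_ZF   0x0040u
#define FL_SF   0x0080u
#define FL_TF   0x0100u
#define FL_IF   0x0200u   /* interrupts enabled */
#define FL_DF   0x0400u
#define FL_OF   0x0800u
#define FL_IOPL 0x3000u   /* I/O privilege level, bits 13-12 */
#define FL_NT   0x4000u   /* nested task */

/* Flags every POPF may load, whatever the privilege level. */
#define FL_ANY (FL_CF | FL_PF | FL_AF | FL_ZF | FL_SF | FL_TF | FL_DF | FL_OF)

unsigned iopl_of(uint16_t flags) { return (flags & FL_IOPL) >> 12; }

/*
 * Hypothetical model of POPF. cur is the flags register before the
 * instruction, popped is the word taken from SS:SP, cpl is the current
 * privilege level. Undefined bits keep their old value (model assumption).
 */
uint16_t popf_model(uint16_t cur, uint16_t popped, unsigned cpl, int protected_mode)
{
    uint16_t writable = FL_ANY;

    if (protected_mode) {
        writable |= FL_NT;
        if (cpl == 0)
            writable |= FL_IOPL;      /* IOPL changes only at privilege level 0 */
        if (cpl <= iopl_of(cur))
            writable |= FL_IF;        /* IF needs a level at least as privileged as IOPL */
    } else {
        writable |= FL_IF;            /* real mode: NT and IOPL are not modified */
    }
    return (uint16_t)((cur & (uint16_t)~writable) | (popped & writable));
}

/*
 * The check a caller has to make, since no exception is raised: compare the
 * register after POPF with the word that was popped. Returns the privileged
 * bits (IF, IOPL) whose requested value was silently ignored.
 */
uint16_t popf_ignored(uint16_t cur, uint16_t popped, unsigned cpl, int protected_mode)
{
    uint16_t after = popf_model(cur, popped, cpl, protected_mode);
    return (uint16_t)((after ^ popped) & (FL_IF | FL_IOPL));
}

int main(void)
{
    uint16_t cur  = 0x1200;   /* constructed sample: IOPL=1, IF=1 */
    uint16_t want = 0x3001;   /* constructed sample: IOPL=3, IF=0, CF=1 */

    for (unsigned cpl = 0; cpl <= 3; cpl++)
        printf("CPL %u: flags=%04X ignored=%04X\n", cpl,
               (unsigned)popf_model(cur, want, cpl, 1),
               (unsigned)popf_ignored(cur, want, cpl, 1));
    return 0;
}
```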

PUSH-Push a Word onto the Stack
Opcode     Instruction   Clocks   Description

06         PUSH ES       3        Push ES
0E         PUSH CS       3        Push CS
16         PUSH SS       3        Push SS
1E         PUSH DS       3        Push DS
50+ rw     PUSH rw       3        Push word register
FF /6      PUSH mw       5        Push memory word
68 dw      PUSH dw       3        Push immediate word
6A db      PUSH db       3        Push immediate sign-extended byte

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The stack pointer SP is decremented by 2, and the operand is placed on the new top of stack, which is
pointed to by SS:SP.
The 80286 PUSH SP instruction pushes the value of SP as it existed before the instruction. This differs
from the 8086, which pushes the new (decremented by 2) value.
PROTECTED MODE EXCEPTIONS

#SS(0) if the new value of SP is outside the stack segment limit.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

None; the 80286 will shut down if SP = 1 due to lack of stack space.

PUSHA-Push All General Registers
Opcode    Instruction    Clocks    Description

60        PUSHA          17        Push in order: AX,CX,DX,BX,original SP,BP,SI,DI

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

PUSHA saves the registers noted above on the 80286 stack. The stack pointer SP is decremented by
16 to hold the 8 word values. Since the registers are pushed onto the stack in the order in which they
were given, they will appear in the 16 new stack bytes in the reverse order. The last register pushed is
DI.
PROTECTED MODE EXCEPTIONS

#SS(0) if the starting or ending address is outside the stack segment limit.
REAL ADDRESS MODE EXCEPTIONS

The 80286 will shut down if SP = 1, 3, or 5 before executing PUSHA. If SP = 7, 9, 11, 13, or 15,
exception 13 will occur.

PUSHF-Push Flags Register onto the Stack
Opcode    Instruction    Clocks    Description

9C        PUSHF          3         Push flags register

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The stack pointer SP is decremented by 2, and the 80286 flags register is copied to the new top of
stack, which is pointed to by SS:SP. The flags, from the top bit (15) to the bottom bit (0), are as
follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled,
trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and carry.
PROTECTED MODE EXCEPTIONS

#SS(0) if the new value of SP is outside the stack segment limit.
REAL ADDRESS MODE EXCEPTIONS

None; the 80286 will shut down if SP = 1 due to lack of stack space.

RCL/RCR/ROL/ROR-Rotate Instructions
Opcode      Instruction   Clocks-N*   Description

D0 /2       RCL eb,1      2,mem=7     Rotate 9-bits (CF, EA byte) left once
D2 /2       RCL eb,CL*    5,mem=8     Rotate 9-bits (CF, EA byte) left CL times
C0 /2 db    RCL eb,db*    5,mem=8     Rotate 9-bits (CF, EA byte) left db times
D1 /2       RCL ew,1      2,mem=7     Rotate 17-bits (CF, EA word) left once
D3 /2       RCL ew,CL*    5,mem=8     Rotate 17-bits (CF, EA word) left CL times
C1 /2 db    RCL ew,db*    5,mem=8     Rotate 17-bits (CF, EA word) left db times
D0 /3       RCR eb,1      2,mem=7     Rotate 9-bits (CF, EA byte) right once
D2 /3       RCR eb,CL*    5,mem=8     Rotate 9-bits (CF, EA byte) right CL times
C0 /3 db    RCR eb,db*    5,mem=8     Rotate 9-bits (CF, EA byte) right db times
D1 /3       RCR ew,1      2,mem=7     Rotate 17-bits (CF, EA word) right once
D3 /3       RCR ew,CL*    5,mem=8     Rotate 17-bits (CF, EA word) right CL times
C1 /3 db    RCR ew,db*    5,mem=8     Rotate 17-bits (CF, EA word) right db times
D0 /0       ROL eb,1      2,mem=7     Rotate 8-bit EA byte left once
D2 /0       ROL eb,CL*    5,mem=8     Rotate 8-bit EA byte left CL times
C0 /0 db    ROL eb,db*    5,mem=8     Rotate 8-bit EA byte left db times
D1 /0       ROL ew,1      2,mem=7     Rotate 16-bit EA word left once
D3 /0       ROL ew,CL*    5,mem=8     Rotate 16-bit EA word left CL times
C1 /0 db    ROL ew,db*    5,mem=8     Rotate 16-bit EA word left db times
D0 /1       ROR eb,1      2,mem=7     Rotate 8-bit EA byte right once
D2 /1       ROR eb,CL*    5,mem=8     Rotate 8-bit EA byte right CL times
C0 /1 db    ROR eb,db*    5,mem=8     Rotate 8-bit EA byte right db times
D1 /1       ROR ew,1      2,mem=7     Rotate 16-bit EA word right once
D3 /1       ROR ew,CL*    5,mem=8     Rotate 16-bit EA word right CL times
C1 /1 db    ROR ew,db*    5,mem=8     Rotate 16-bit EA word right db times

* Add 1 clock to the times shown for each rotate made

FLAGS MODIFIED

Overflow (only for single rotates), carry
FLAGS UNDEFINED

Overflow for multi-bit rotates
OPERATION

Each rotate instruction shifts the bits of the register or memory operand given. The left rotate instructions shift all of the bits upward, except for the top bit, which comes back around to the bottom. The
right rotate instructions do the reverse: the bits shift downward, with the bottom bit coming around to
the top.
For the RCL and RCR instructions, the carry flag is part of the rotated quantity. RCL shifts the carry
flag into the bottom bit and shifts the top bit into the carry flag; RCR shifts the carry flag into the top
bit and shifts the bottom bit into the carry flag. For the ROL and ROR instructions, the original value
of the carry flag is not a part of the result; nonetheless, the carry flag receives a copy of the bit that
was shifted from one end to the other.

The rotate is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum execution time, the 80286 does
not allow rotation counts greater than 31. If a rotation count greater than 31 is attempted, only the
bottom five bits of the rotation are used. The 8086 does not mask rotate counts.
The overflow flag is set only for the single-rotate (second operand = 1) forms of the instructions. The
OF bit is set to be accurate if a shift of length 1 is done. Since it is undefined for all other values,
including a zero shift, it can always be set for the count-of-1 case regardless of the actual count. For
left shifts/rotates, the CF bit after the shift is XORed with the high-order result bit. For right shifts/
rotates, the high-order two bits of the result are XORed to get OF. Neither flag bit is modified when
the count value is zero.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
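
The rotate rules above as a bit-accurate C model, added here as an example (not code from the manual). It covers all four rotates at both operand widths, the 80286 five-bit count mask against the unmasked 8086 count, and the OF rule for single rotates; the type and function names and the single_rotate field are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { OP_ROL, OP_ROR, OP_RCL, OP_RCR } rot_op;

typedef struct {
    uint16_t value;      /* operand after the rotate */
    int cf;              /* carry flag after the rotate */
    int of;              /* overflow flag; meaningful only if single_rotate */
    int single_rotate;   /* 1 when exactly one rotate was performed */
} rot_result;

/*
 * width is 8 or 16. count is the immediate or CL value. is_80286 selects the
 * 80286 behaviour (count masked to its bottom five bits); otherwise the full
 * 8-bit count is used, as the text states for the 8086.
 */
rot_result rotate(rot_op op, unsigned width, uint16_t value,
                  int cf_in, int of_in, unsigned count, int is_80286)
{
    const unsigned mask = (width == 8) ? 0xFFu : 0xFFFFu;
    const unsigned top  = 1u << (width - 1);
    unsigned v  = value & mask;
    unsigned cf = cf_in ? 1u : 0u;
    unsigned n  = is_80286 ? (count & 31u) : (count & 0xFFu);
    rot_result r = { (uint16_t)v, (int)cf, of_in, 0 };

    if (n == 0)
        return r;                       /* count of zero: no flag is modified */

    for (unsigned i = 0; i < n; i++) {
        unsigned hi = (v & top) ? 1u : 0u;
        unsigned lo = v & 1u;
        switch (op) {
        case OP_ROL: v = ((v << 1) | hi) & mask;     cf = hi; break;
        case OP_ROR: v = (v >> 1) | (lo ? top : 0u); cf = lo; break;
        case OP_RCL: v = ((v << 1) | cf) & mask;     cf = hi; break; /* CF enters the bottom bit */
        case OP_RCR: v = (v >> 1) | (cf ? top : 0u); cf = lo; break; /* CF enters the top bit */
        }
    }

    r.value = (uint16_t)v;
    r.cf = (int)cf;
    if (op == OP_ROL || op == OP_RCL)   /* left: CF after the rotate XOR high-order result bit */
        r.of = (int)(cf ^ ((v & top) ? 1u : 0u));
    else                                /* right: XOR of the two high-order result bits */
        r.of = (int)(((v & top) ? 1u : 0u) ^ ((v & (top >> 1)) ? 1u : 0u));
    r.single_rotate = (n == 1);
    return r;
}

int main(void)
{
    /* Constructed inputs: the same RCL with count 33 on both processors. */
    rot_result a = rotate(OP_RCL, 8, 0x80, 0, 0, 33, 1);
    rot_result b = rotate(OP_RCL, 8, 0x80, 0, 0, 33, 0);
    printf("80286: value=%02X CF=%d   8086: value=%02X CF=%d\n",
           (unsigned)a.value, a.cf, (unsigned)b.value, b.cf);
    return 0;
}
```

A count of 33 acts as a count of 1 on the 80286 but as 33 rotates on the 8086, so an emulator or analysis tool that models the wrong processor produces a different operand and carry.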

REP/REPE/REPNE-Repeat Following String Operation
Opcode    Instruction         Clocks*   Description

F3 6C     REP INS eb,DX       5+4*CX    Input CX bytes from port DX into ES:[DI]
F3 6D     REP INS ew,DX       5+4*CX    Input CX words from port DX into ES:[DI]
F3 6C     REP INSB            5+4*CX    Input CX bytes from port DX into ES:[DI]
F3 6D     REP INSW            5+4*CX    Input CX words from port DX into ES:[DI]
F3 A4     REP MOVS mb,mb      5+4*CX    Move CX bytes from [SI] to ES:[DI]
F3 A5     REP MOVS mw,mw      5+4*CX    Move CX words from [SI] to ES:[DI]
F3 A4     REP MOVSB           5+4*CX    Move CX bytes from DS:[SI] to ES:[DI]
F3 A5     REP MOVSW           5+4*CX    Move CX words from DS:[SI] to ES:[DI]
F3 6E     REP OUTS DX,eb      5+4*CX    Output CX bytes from [SI] to port DX
F3 6F     REP OUTS DX,ew      5+4*CX    Output CX words from [SI] to port DX
F3 6E     REP OUTSB           5+4*CX    Output CX bytes from DS:[SI] to port DX
F3 6F     REP OUTSW           5+4*CX    Output CX words from DS:[SI] to port DX
F3 AA     REP STOS mb         4+3*CX    Fill CX bytes at ES:[DI] with AL
F3 AB     REP STOS mw         4+3*CX    Fill CX words at ES:[DI] with AX
F3 AA     REP STOSB           4+3*CX    Fill CX bytes at ES:[DI] with AL
F3 AB     REP STOSW           4+3*CX    Fill CX words at ES:[DI] with AX
F3 A6     REPE CMPS mb,mb     5+9*N     Find nonmatching bytes in ES:[DI] and [SI]
F3 A7     REPE CMPS mw,mw     5+9*N     Find nonmatching words in ES:[DI] and [SI]
F3 A6     REPE CMPSB          5+9*N     Find nonmatching bytes in ES:[DI] and DS:[SI]
F3 A7     REPE CMPSW          5+9*N     Find nonmatching words in ES:[DI] and DS:[SI]
F3 AE     REPE SCAS mb        5+8*N     Find non-AL byte starting at ES:[DI]
F3 AF     REPE SCAS mw        5+8*N     Find non-AX word starting at ES:[DI]
F3 AE     REPE SCASB          5+8*N     Find non-AL byte starting at ES:[DI]
F3 AF     REPE SCASW          5+8*N     Find non-AX word starting at ES:[DI]
F2 A6     REPNE CMPS mb,mb    5+9*N     Find matching bytes in ES:[DI] and [SI]
F2 A7     REPNE CMPS mw,mw    5+9*N     Find matching words in ES:[DI] and [SI]
F2 A6     REPNE CMPSB         5+9*N     Find matching bytes in ES:[DI] and DS:[SI]
F2 A7     REPNE CMPSW         5+9*N     Find matching words in ES:[DI] and DS:[SI]
F2 AE     REPNE SCAS mb       5+8*N     Find AL, starting at ES:[DI]
F2 AF     REPNE SCAS mw       5+8*N     Find AX, starting at ES:[DI]
F2 AE     REPNE SCASB         5+8*N     Find AL, starting at ES:[DI]
F2 AF     REPNE SCASW         5+8*N     Find AX, starting at ES:[DI]

* N denotes the number of iterations actually executed.

FLAGS MODIFIED

By CMPS and SCAS, none by REP
FLAGS UNDEFINED

None
OPERATION

REP, REPE, and REPNE are prefix operations. These prefixes cause the string instruction that follows
to be repeated CX times or (for REPE and REPNE) until the indicated condition in the zero flag is
no longer met. Thus, REPE stands for "Repeat while equal," REPNE for "Repeat while not equal."

The REP prefixes make sense only in the contexts listed above. They cannot be applied to anything
other than string operations.
Synonymous forms of REPE and REPNE are REPZ and REPNZ, respectively.
The REP prefixes apply only to one string instruction at a time. To repeat a block of instructions, use
a LOOP construct.
The precise action for each iteration is as follows:
1. Check the CX register. If it is zero, exit the iteration and move to the next instruction.
2. Acknowledge any pending interrupts.
3. Perform the string operation once.
4. Decrement CX by 1; no flags are modified.
5. If the string operation is SCAS or CMPS, check the zero flag. If the repeat condition does not
   hold, then exit the iteration and move to the next instruction. Exit if the prefix is REPE and
   ZF=0 (the last comparison was not equal), or if the prefix is REPNE and ZF=1 (the last
   comparison was equal).
6. Go to step 1 for the next iteration.

As defined by the individual string-ops, the direction of movement through the block is determined by
the direction flag. If the direction flag is 1 (STD was executed), SI and/or DI start at the end of the
block and move backward; if the direction flag is 0 (CLD was executed), SI and/or DI start at the
beginning of the block and move forward.
For repeated SCAS and CMPS operations the repeat can be exited for one of two different reasons:
the CX count can be exhausted or the zero flag can fail the repeat condition. Your code will probably
want to distinguish between the two cases. It can do so via either the JCXZ instruction or the conditional jumps that test the zero flag (JZ, JNZ, JE, and JNE).

NOTE
Not all input/output ports can handle the rate at which the repeated I/O instructions execute.
PROTECTED MODE EXCEPTIONS

None by REP; exceptions can be generated when the string-op is executed.
REAL ADDRESS MODE EXCEPTIONS

None by REP; exceptions can be generated when the string-op is executed.
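
The six-step iteration above, written out in C for REPNE/REPE SCASB as an added example (not code from the manual). All names and the sample buffer are assumptions of this sketch. It goes one step beyond the text by running the two exit tests the manual names (CX via JCXZ, ZF via JZ/JNZ) on the two boundary cases where a single test misreads the outcome: a hit on the last element, and a count of zero on entry.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { PFX_REPE, PFX_REPNE } rep_prefix;

typedef struct {
    uint16_t cx;   /* remaining count */
    uint16_t di;   /* offset into the modeled ES segment */
    int zf;        /* zero flag */
} cpu_state;

/* One repeated SCASB, following steps 1-6. es models the ES segment, df the direction flag. */
void rep_scasb(rep_prefix pfx, const uint8_t *es, uint8_t al, int df, cpu_state *s)
{
    for (;;) {
        if (s->cx == 0)                           /* step 1 */
            return;
        /* step 2: pending interrupts would be acknowledged here (not modeled) */
        s->zf = (al == es[s->di]);                /* step 3: compare AL with ES:[DI] */
        s->di = (uint16_t)(df ? s->di - 1 : s->di + 1);
        s->cx--;                                  /* step 4: no flags are modified */
        if (pfx == PFX_REPE && !s->zf)            /* step 5 */
            return;
        if (pfx == PFX_REPNE && s->zf)
            return;
    }                                             /* step 6: back to step 1 */
}

typedef struct { int found; uint16_t index; } scan_result;

static scan_result make_result(int found, const cpu_state *s)
{
    scan_result r = { found, (uint16_t)(found ? s->di - 1 : 0) };
    return r;
}

/* Decides by CX alone (JCXZ after the scan): misses a hit on the last element. */
scan_result scan_by_cx(const uint8_t *buf, uint16_t len, uint8_t needle)
{
    cpu_state s = { len, 0, 0 };
    rep_scasb(PFX_REPNE, buf, needle, 0, &s);
    return make_result(s.cx != 0, &s);
}

/* Decides by ZF alone: with CX = 0 on entry nothing runs and ZF is whatever it was before. */
scan_result scan_by_zf(const uint8_t *buf, uint16_t len, uint8_t needle, int zf_on_entry)
{
    cpu_state s = { len, 0, zf_on_entry };
    rep_scasb(PFX_REPNE, buf, needle, 0, &s);
    return make_result(s.zf, &s);
}

/* Both tests: a JCXZ-style guard before the scan, the ZF test after it. */
scan_result scan_checked(const uint8_t *buf, uint16_t len, uint8_t needle, int zf_on_entry)
{
    scan_result none = { 0, 0 };
    if (len == 0)
        return none;
    return scan_by_zf(buf, len, needle, zf_on_entry);
}

const uint8_t SAMPLE[4] = { 'A', 'B', 'C', 0 };   /* constructed sample data */

int main(void)
{
    printf("last-element hit: by_cx=%d checked=%d\n",
           scan_by_cx(SAMPLE, 3, 'C').found, scan_checked(SAMPLE, 3, 'C', 0).found);
    printf("zero count, stale ZF=1: by_zf=%d checked=%d\n",
           scan_by_zf(SAMPLE, 0, 'A', 1).found, scan_checked(SAMPLE, 0, 'A', 1).found);
    return 0;
}
```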

RET-Return from Procedure
Opcode    Instruction   Clocks*     Description

CB        RET           15,pm=25    Return to far caller, same privilege
CB        RET           55          Return, lesser privilege, switch stacks
C3        RET           11          Return to near caller, same privilege
CA dw     RET dw        15,pm=25    RET (far), same privilege, pop dw bytes
CA dw     RET dw        55          RET (far), lesser privilege, pop dw bytes
C2 dw     RET dw        11          RET (near), same privilege, pop dw bytes
                                    pushed before Call

* Add 1 clock for each byte in the next instruction executed.

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

RET transfers control to a return address located on the stack. The address is usually placed on the
stack by a CALL instruction; in that case, the return is made to the instruction that follows the CALL.
There is an optional numeric parameter to RET. It gives the number of stack bytes to be released after
the return address is popped. These bytes are typically used as input parameters to the procedure
called.
For the intra-segment return, the address on the stack is a 2-byte quantity popped into IP. The CS
register is unchanged.
For the inter-segment return, the address on the stack is a 4-byte-long pointer. The offset is popped
first, followed by the selector. In real address mode, CS and IP are directly loaded.
In protected mode, an inter-segment return causes the processor to consult the descriptor addressed by
the return selector. The AR byte of the descriptor must indicate a code segment of equal or less privilege (of greater or equal numeric value) than the current privilege level. Returns to a lesser privilege
level cause the stack to be reloaded from the value saved beyond the parameter block.
The DS and ES segment registers may be set to zero by the inter-segment RET instruction. If these
registers refer to segments which cannot be used by the new privilege level, they are set to zero to
prevent unauthorized access.
The following list of checks and actions describes the protected-mode inter-segment return in detail.
Inter-segment RET:
   Second word on stack must be within stack limits else #SS(0)
   Return selector RPL must be ≥ CPL else #GP (return selector)
   If return selector RPL = CPL then

      RETURN TO SAME LEVEL:
      Return selector must be non-null else #GP(0)
      Selector index must be within its descriptor table limits else #GP (selector)
      Descriptor AR byte must indicate code segment else #GP (selector)
      If non-conforming then code segment DPL must equal CPL else #GP (selector)
      If conforming then code segment DPL must be ≤ CPL else #GP (selector)
      Code segment must be PRESENT else #NP (selector)
      Top word on stack must be within stack limits else #SS(0)
      IP must be in code segment limit else #GP(0)
      Load CS:IP from stack
      Load CS-cache with descriptor
      Increment SP by 4 plus the immediate offset if it exists
   Else
      RETURN TO OUTER PRIVILEGE LEVEL:
      Top (8 + immediate) bytes on stack must be within stack limits else #SS(0)
      Examine return CS selector (at SP+2) and associated descriptor:
         Selector must be non-null else #GP(0)
         Selector index must be within its descriptor table limits else #GP (selector)
         Descriptor AR byte must indicate code segment else #GP (selector)
         If non-conforming then code segment DPL must equal return selector RPL else #GP (selector)
         If conforming then code segment DPL must be ≤ return selector RPL else #GP (selector)
         Segment must be PRESENT else #NP (selector)
      Examine return SS selector (at SP+6+imm) and associated descriptor:
         Selector must be non-null else #GP(0)
         Selector index must be within its descriptor table limits else #GP (selector)
         Selector RPL must equal the RPL of the return CS selector else #GP (selector)
         Descriptor AR byte must indicate a writable data segment else #GP (selector)
         Descriptor DPL must equal the RPL of the return CS selector else #GP (selector)
         Segment must be PRESENT else #SS (selector)
      IP must be in code segment limit else #GP(0)
      Set CPL to the RPL of the return CS selector
      Load CS:IP from stack
      Set CS RPL to CPL
      Increment SP by 4 plus the immediate offset if it exists
      Load SS:SP from stack
      Load the CS-cache with the return CS descriptor
      Load the SS-cache with the return SS descriptor
      For each of ES and DS:
         If the current register setting is not valid for the outer level, set the
         register to null (selector = AR = 0)
         To be valid, the register setting must satisfy the following properties:
            Selector index must be within descriptor table limits
            Descriptor AR byte must indicate data or readable code segment
            If segment is data or non-conforming code, then:
               DPL must be ≥ CPL, or
               DPL must be ≥ RPL

PROTECTED MODE EXCEPTIONS

#GP, #NP, or #SS, as described in the above listing.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 if the stack pop wraps around from 0FFFFH to 0.

SAHF-Store AH into Flags
Opcode    Instruction    Clocks    Description

9E        SAHF           2         Store AH into flags SF ZF xx AF xx PF xx CF

FLAGS MODIFIED

Sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

The flags listed above are loaded with values from the AH register, from bits 7, 6, 4, 2, and 0,
respectively.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

SAL/SAR/SHL/SHR-Shift Instructions
Opcode      Instruction   Clocks-N*   Description

D0 /4       SAL eb,1      2,mem=7     Multiply EA byte by 2, once
D2 /4       SAL eb,CL     5,mem=8     Multiply EA byte by 2, CL times
C0 /4 db    SAL eb,db     5,mem=8     Multiply EA byte by 2, db times
D1 /4       SAL ew,1      2,mem=7     Multiply EA word by 2, once
D3 /4       SAL ew,CL     5,mem=8     Multiply EA word by 2, CL times
C1 /4 db    SAL ew,db     5,mem=8     Multiply EA word by 2, db times
D0 /7       SAR eb,1      2,mem=7     Signed divide EA byte by 2, once
D2 /7       SAR eb,CL     5,mem=8     Signed divide EA byte by 2, CL times
C0 /7 db    SAR eb,db     5,mem=8     Signed divide EA byte by 2, db times
D1 /7       SAR ew,1      2,mem=7     Signed divide EA word by 2, once
D3 /7       SAR ew,CL     5,mem=8     Signed divide EA word by 2, CL times
C1 /7 db    SAR ew,db     5,mem=8     Signed divide EA word by 2, db times
D0 /5       SHR eb,1      2,mem=7     Unsigned divide EA byte by 2, once
D2 /5       SHR eb,CL     5,mem=8     Unsigned divide EA byte by 2, CL times
C0 /5 db    SHR eb,db     5,mem=8     Unsigned divide EA byte by 2, db times
D1 /5       SHR ew,1      2,mem=7     Unsigned divide EA word by 2, once
D3 /5       SHR ew,CL     5,mem=8     Unsigned divide EA word by 2, CL times
C1 /5 db    SHR ew,db     5,mem=8     Unsigned divide EA word by 2, db times

* Add 1 clock to the times shown for each shift performed

FLAGS MODIFIED

Overflow (only for single-shift form), carry, zero, parity, sign
FLAGS UNDEFINED

Auxiliary carry; also overflow for multi-bit shifts (only).
OPERATION

SAL (or its synonym SHL) shifts the bits of the operand upward. The high-order bit is shifted into the
carry flag, and the low-order bit is set to 0.
SAR and SHR shift the bits of the operand downward. The low-order bit is shifted into the carry flag.
The effect is to divide the operand by 2. SAR performs a signed divide: the high-order bit remains the
same. SHR performs an unsigned divide: the high-order bit is set to 0.
The shift is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum execution time, the 80286 does
not allow shift counts greater than 31. If a shift count greater than 31 is attempted, only the bottom
five bits of the shift count are used. The 8086 uses all 8 bits of the shift count.
The overflow flag is set only if the single-shift forms of the instructions are used. For left shifts, it is
set to 0 if the high bit of the answer is the same as the result carry flag (i.e., the top two bits of the
original operand were the same); it is set to 1 if they are different. For SAR it is set to 0 for all single
shifts. For SHR, it is set to the high-order bit of the original operand. Neither flag bit is modified when
the count value is zero.

PROTECTED MODE EXCEPTIONS

#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

SBB-Integer Subtraction With Borrow
Opcode      Instruction   Clocks    Description

18 /r       SBB eb,rb     2,mem=7   Subtract with borrow byte register from EA byte
19 /r       SBB ew,rw     2,mem=7   Subtract with borrow word register from EA word
1A /r       SBB rb,eb     2,mem=7   Subtract with borrow EA byte from byte register
1B /r       SBB rw,ew     2,mem=7   Subtract with borrow EA word from word register
1C db       SBB AL,db     3         Subtract with borrow imm. byte from AL
1D dw       SBB AX,dw     3         Subtract with borrow imm. word from AX
80 /3 db    SBB eb,db     3,mem=7   Subtract with borrow imm. byte from EA byte
81 /3 dw    SBB ew,dw     3,mem=7   Subtract with borrow imm. word from EA word
83 /3 db    SBB ew,db     3,mem=7   Subtract with borrow imm. byte from EA word

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

The second operand is added to the carry flag and the result is subtracted from the first operand. The
first operand is replaced with the result of the subtraction, and the flags are set accordingly.
When a byte-immediate value is subtracted from a word operand, the immediate value is first
sign-extended.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

SCAS/SCASB/SCASW-Compare String Data
Opcode    Instruction    Clocks    Description

AE        SCAS mb        7         Compare bytes AL - ES:[DI], advance DI
AF        SCAS mw        7         Compare words AX - ES:[DI], advance DI
AE        SCASB          7         Compare bytes AL - ES:[DI], advance DI
AF        SCASW          7         Compare words AX - ES:[DI], advance DI

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

SCAS subtracts the memory byte or word at ES:DI from the AL or AX register. The result is discarded;
only the flags are set. The operand must be addressable from the ES register; no segment override is
possible.
After the comparison is made, DI is automatically advanced. If the direction flag is 0 (CLD was
executed), DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments
or decrements by 1 if bytes were compared; by 2 if words were compared.
SCAS can be preceded by the REPE or REPNE prefix for a block search of CX bytes or words. Refer
to the REP instruction for details of this operation.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

SGDT/SIDT-Store Global/Interrupt Descriptor Table Register
Opcode      Instruction   Clocks   Description

0F 01 /0    SGDT m        11       Store Global Descriptor Table register to m
0F 01 /1    SIDT m        12       Store Interrupt Descriptor Table register to m

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The contents of the descriptor table register are copied to six bytes of memory indicated by the operand.
The LIMIT field of the register goes to the first word at the effective address; the next three bytes get
the BASE field of the register; and the last byte is undefined.
SGDT and SIDT appear only in operating systems software; they are not used in applications programs.
PROTECTED MODE EXCEPTIONS

#UD if the destination operand is a register. #GP(0) if the destination is in a non-writable segment.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

These instructions are valid in Real Address mode to facilitate power-up or to reset initialization prior
to entering Protected mode.
#UD if the destination operand is a register. Interrupt 13 for a word operand at offset 0FFFFH.

SLDT-Store Local Descriptor Table Register
Opcode      Instruction   Clocks    Description

0F 00 /0    SLDT ew       2,mem=3   Store Local Descriptor Table register to EA word

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The Local Descriptor Table register is stored in the 2-byte register or memory location indicated by
the effective address operand. This register is a selector that points into the Global Descriptor Table.
SLDT appears only in operating systems software. It is not used in applications programs.
PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; SLDT is not recognized in Real Address mode.

SMSW-Store Machine Status Word
Opcode      Instruction   Clocks    Description

0F 01 /4    SMSW ew       2,mem=3   Store Machine Status Word to EA word

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The Machine Status Word is stored in the 2-byte register or memory location indicated by the effective
address operand.
PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

STC-Set Carry Flag
Opcode    Instruction    Clocks    Description

F9        STC            2         Set carry flag

FLAGS MODIFIED

Carry = 1
FLAGS UNDEFINED

None
OPERATION

The carry flag is set to 1.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

STD-Set Direction Flag
Opcode    Instruction    Clocks    Description

FD        STD            2         Set direction flag so SI and DI will decrement

FLAGS MODIFIED

Direction = 1
FLAGS UNDEFINED

None
OPERATION

The direction flag is set to 1. This causes all subsequent string operations to decrement the index
registers (SI and/or DI) on which they operate.
PROTECTED MODE EXCEPTIONS

None
REAL ADDRESS MODE EXCEPTIONS

None

STI-Set Interrupt Enable Flag
Opcode    Instruction    Clocks    Description

FB        STI            2         Set interrupt enable flag, interrupts enabled

FLAGS MODIFIED

Interrupt = 1 (enabled)
FLAGS UNDEFINED

None
OPERATION

The interrupts-enabled flag is set to 1. The 80286 will now respond to external interrupts after executing the STI instruction.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (has less privilege) than the I/O privilege level.
REAL ADDRESS MODE EXCEPTIONS

None

STOS/STOSB/STOSW-Store String Data
Opcode    Instruction    Clocks    Description

AA        STOS mb        3         Store AL to byte ES:[DI], advance DI
AB        STOS mw        3         Store AX to word ES:[DI], advance DI
AA        STOSB          3         Store AL to byte ES:[DI], advance DI
AB        STOSW          3         Store AX to word ES:[DI], advance DI

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

STOS transfers the contents of the AL or AX register to the memory byte or word at ES:DI. The operand
must be addressable from the ES register; no segment override is possible.
After the transfer is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed),
DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.
STOS can be preceded by the REP prefix for a block fill of CX bytes or words. Refer to the REP
instruction for details of this operation.
PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

STR-Store Task Register
Opcode      Instruction   Clocks    Description

0F 00 /1    STR ew        2,mem=3   Store Task Register to EA word

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The contents of the Task Register are copied to the 2-byte register or memory location indicated by
the effective address operand.
PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; STR is not recognized in Real Address mode.

SUB-Integer Subtraction
Opcode      Instruction   Clocks    Description

28 /r       SUB eb,rb     2,mem=7   Subtract byte register from EA byte
29 /r       SUB ew,rw     2,mem=7   Subtract word register from EA word
2A /r       SUB rb,eb     2,mem=7   Subtract EA byte from byte register
2B /r       SUB rw,ew     2,mem=7   Subtract EA word from word register
2C db       SUB AL,db     3         Subtract immediate byte from AL
2D dw       SUB AX,dw     3         Subtract immediate word from AX
80 /5 db    SUB eb,db     3,mem=7   Subtract immediate byte from EA byte
81 /5 dw    SUB ew,dw     3,mem=7   Subtract immediate word from EA word
83 /5 db    SUB ew,db     3,mem=7   Subtract immediate byte from EA word

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry
FLAGS UNDEFINED

None
OPERATION

The second operand is subtracted from the first operand, and the first operand is replaced with the
result.
When a byte-immediate value is subtracted from a word operand, the immediate value is first
sign-extended.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

TEST-Logical Compare
Opcode      Instruction    Clocks    Description

84 /r       TEST eb,rb     2,mem=6   AND byte register into EA byte for flags only
84 /r       TEST rb,eb     2,mem=6   AND EA byte into byte register for flags only
85 /r       TEST ew,rw     2,mem=6   AND word register into EA word for flags only
85 /r       TEST rw,ew     2,mem=6   AND EA word into word register for flags only
A8 db       TEST AL,db     3         AND immediate byte into AL for flags only
A9 dw       TEST AX,dw     3         AND immediate word into AX for flags only
F6 /0 db    TEST eb,db     3,mem=6   AND immediate byte into EA byte for flags only
F7 /0 dw    TEST ew,dw     3,mem=6   AND immediate word into EA word for flags only

FLAGS MODIFIED

Overflow=0, sign, zero, parity, carry=0
FLAGS UNDEFINED

Auxiliary carry
OPERATION

TEST computes the bit-wise logical AND of the two operands given. Each bit of the result is 1 if both
of the corresponding bits of the operands are 1; each bit is 0 otherwise. The result of the operation is
discarded; only the flags are modified.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

VERR,VERW-Verify a Segment for Reading or Writing
Opcode      Instruction   Clocks       Description

0F 00 /4    VERR ew       14,mem=16    Set ZF=1 if seg. can be read, selector ew
0F 00 /5    VERW ew       14,mem=16    Set ZF=1 if seg. can be written, selector ew

FLAGS MODIFIED

Zero
FLAGS UNDEFINED

None
OPERATION

VERR and VERW expect the 2-byte register or memory operand to contain the value of a selector.
The instructions determine whether the segment denoted by the selector is reachable from the current
privilege level; the instructions also determine whether it is readable or writable. If the segment is
determined to be accessible, the zero flag is set to 1; if the segment is not accessible, it is set to 0. To
set ZF, the following conditions must be met:

1. The selector must denote a descriptor within the bounds of the table (GDT or LDT); that is, the
   selector must be "defined."

2. The selector must denote the descriptor of a code or data segment.

3. If the instruction is VERR, the segment must be readable. If the instruction is VERW, the segment
   must be a writable data segment.

4. If the code segment is readable and conforming, the descriptor privilege level (DPL) can be any
   value for VERR. Otherwise, the DPL must be greater than or equal to (have less or the same
   privilege as) both the current privilege level and the selector's RPL.

The validation performed is the same as if the segment were loaded into DS or ES and the indicated
access (read or write) were performed. The zero flag receives the result of the validation. The selector's
value cannot result in a protection exception. This enables the software to anticipate possible segment
access problems.
PROTECTED MODE EXCEPTIONS

The only faults that can occur are those generated by illegally addressing the memory operand which
contains the selector. The selector is not loaded into any segment register, and no faults attributable to
the selector operand are generated.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.


REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; VERR and VERW are not recognized in Real Address Mode.
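
The four conditions listed under OPERATION can be modelled as a pure function that returns the value ZF would take. This C code is an added example, not part of the manual: the `descriptor` and `table` types, the name `verify_selector`, and the sample GDT are constructed for illustration, and rejecting the null selector is an assumption drawn from the statement that the check matches a DS/ES load followed by the access.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access-rights byte: P (bit 7), DPL (bits 6-5), S (bit 4), type (bits 3-0). */
#define ACC_S    0x10u  /* 1 = code or data segment, 0 = control descriptor */
#define ACC_EXEC 0x08u  /* 1 = code segment, 0 = data segment */
#define ACC_CONF 0x04u  /* code segment: conforming */
#define ACC_RW   0x02u  /* code segment: readable; data segment: writable */

/* Simplified descriptor model (hypothetical type, not the in-memory layout). */
typedef struct {
    uint32_t base;      /* 24-bit segment base */
    uint16_t limit;
    uint8_t  access;
} descriptor;

typedef struct {
    const descriptor *entry;
    uint32_t size_bytes;    /* 8 bytes per descriptor; 0 means no table */
} table;

typedef enum { VERIFY_READ, VERIFY_WRITE } verify_kind;  /* VERR / VERW */

/* Returns the ZF result; like the instructions, it never faults on the selector. */
bool verify_selector(const table *gdt, const table *ldt, uint16_t selector,
                     unsigned cpl, verify_kind kind)
{
    unsigned index = selector >> 3;                /* bits 15-3 */
    const table *t = (selector & 4u) ? ldt : gdt;  /* bit 2: table indicator */
    unsigned rpl = selector & 3u;                  /* bits 1-0 */

    /* Assumption: a null selector cannot be used for any access, so ZF=0. */
    if ((selector & 0xFFFCu) == 0)
        return false;

    /* Condition 1: the descriptor must lie within the bounds of the table. */
    if ((uint32_t)index * 8u + 8u > t->size_bytes)
        return false;

    uint8_t acc = t->entry[index].access;

    /* Condition 2: it must describe a code or data segment. */
    if (!(acc & ACC_S))
        return false;

    bool is_code  = (acc & ACC_EXEC) != 0;
    bool rw       = (acc & ACC_RW) != 0;
    bool readable = !is_code || rw;   /* data segments are always readable */
    bool writable = !is_code && rw;   /* only data segments can be writable */

    /* Condition 3: readable for VERR, writable data segment for VERW. */
    if (kind == VERIFY_READ ? !readable : !writable)
        return false;

    /* Condition 4: readable conforming code passes VERR at any DPL;
       otherwise DPL must be numerically >= both CPL and RPL. */
    if (kind == VERIFY_READ && is_code && rw && (acc & ACC_CONF))
        return true;
    unsigned dpl = (acc >> 5) & 3u;
    return dpl >= cpl && dpl >= rpl;
}

/* Constructed sample GDT used only to exercise the model. */
static const descriptor sample_gdt_entries[] = {
    { 0x000000, 0x0000, 0x00 },  /* 0: null */
    { 0x010000, 0xFFFF, 0x92 },  /* 1: data, writable, DPL 0 */
    { 0x020000, 0xFFFF, 0xF0 },  /* 2: data, read-only, DPL 3 */
    { 0x030000, 0xFFFF, 0xF8 },  /* 3: code, execute-only, DPL 3 */
    { 0x040000, 0xFFFF, 0x9E },  /* 4: code, readable, conforming, DPL 0 */
    { 0x050000, 0x0027, 0x82 },  /* 5: LDT descriptor (control, S=0) */
};
static const table sample_gdt = {
    sample_gdt_entries,
    (uint32_t)(sizeof sample_gdt_entries / sizeof sample_gdt_entries[0]) * 8u
};
static const table sample_ldt = { 0, 0 };  /* no LDT loaded */

int main(void)
{
    static const struct { uint16_t sel; unsigned cpl; } probe[] = {
        { 0x0008, 0 }, { 0x0008, 3 }, { 0x000B, 0 }, { 0x0013, 3 }, { 0x001B, 3 },
        { 0x0023, 3 }, { 0x0028, 0 }, { 0x0038, 0 }, { 0x000C, 0 },
    };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("selector %04X CPL %u: VERR ZF=%d  VERW ZF=%d\n",
               (unsigned)probe[i].sel, probe[i].cpl,
               verify_selector(&sample_gdt, &sample_ldt, probe[i].sel,
                               probe[i].cpl, VERIFY_READ),
               verify_selector(&sample_gdt, &sample_ldt, probe[i].sel,
                               probe[i].cpl, VERIFY_WRITE));
    return 0;
}
```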


WAIT - Wait Until BUSY Pin Is Inactive (HIGH)

Opcode      Instruction    Clocks     Description

9B          WAIT           3          Wait until BUSY pin is inactive (HIGH)

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

WAIT suspends execution of 80286 instructions until the BUSY pin is inactive (high). The BUSY pin
is driven by the 80287 numeric processor extension. WAIT is issued to ensure that the numeric
instruction being executed is complete, and to check for a possible numeric fault (see below).
PROTECTED MODE EXCEPTIONS

#NM if task switch flag in MSW is set. #MF if 80287 has detected an unmasked numeric error.
REAL ADDRESS MODE EXCEPTIONS

Same as Protected mode.


XCHG - Exchange Memory/Register with Register

Opcode      Instruction    Clocks     Description

86 /r       XCHG eb,rb     3,mem=5    Exchange byte register with EA byte
86 /r       XCHG rb,eb     3,mem=5    Exchange EA byte with byte register
87 /r       XCHG ew,rw     3,mem=5    Exchange word register with EA word
87 /r       XCHG rw,ew     3,mem=5    Exchange EA word with word register
90+ rw      XCHG AX,rw     3          Exchange word register with AX
90+ rw      XCHG rw,AX     3          Exchange with word register

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

The two operands are exchanged. The order of the operands is immaterial. BUS LOCK is asserted for
the duration of the exchange, regardless of the presence or absence of the LOCK prefix or IOPL.
PROTECTED MODE EXCEPTIONS

#GP(0) if either operand is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.


XLAT - Table Look-up Translation

Opcode      Instruction    Clocks     Description

D7          XLAT mb        5          Set AL to memory byte DS:[BX + unsigned AL]
D7          XLATB          5          Set AL to memory byte DS:[BX + unsigned AL]

FLAGS MODIFIED

None
FLAGS UNDEFINED

None
OPERATION

When XLAT is executed, AL should be the unsigned index into a table addressed by DS:BX. XLAT
changes the AL register from the table index into the table entry. BX is unchanged.
PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.


XOR - Logical Exclusive OR

Opcode      Instruction    Clocks     Description

30 /r       XOR eb,rb      2,mem=7    Exclusive-OR byte register into EA byte
31 /r       XOR ew,rw      2,mem=7    Exclusive-OR word register into EA word
32 /r       XOR rb,eb      2,mem=7    Exclusive-OR EA byte into byte register
33 /r       XOR rw,ew      2,mem=7    Exclusive-OR EA word into word register
34 db       XOR AL,db      3          Exclusive-OR immediate byte into AL
35 dw       XOR AX,dw      3          Exclusive-OR immediate word into AX
80 /6 db    XOR eb,db      3,mem=7    Exclusive-OR immediate byte into EA byte
81 /6 dw    XOR ew,dw      3,mem=7    Exclusive-OR immediate word into EA word

FLAGS MODIFIED

Overflow=0, sign, zero, parity, carry=0
FLAGS UNDEFINED

Auxiliary carry
OPERATION

XOR computes the exclusive OR of the two operands. Each bit of the result is 1 if the corresponding
bits of the operands are different; each bit is 0 if the corresponding bits are the same. The answer
replaces the first operand.
PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.


APPENDIX C
8086/8088 COMPATIBILITY CONSIDERATIONS

SOFTWARE COMPATIBILITY CONSIDERATIONS
In general, the real address mode 80286 will correctly execute ROM-based 8086/8088 software. The
following is a list of the minor differences between 8086 and 80286 (Real mode).
1. Add Six Interrupt Vectors.
The 80286 adds six interrupts which arise only if the 8086 program has a hidden bug. These
interrupts occur only for instructions which were undefined on the 8086/8088 or if a segment
wraparound is attempted. It is recommended that you add an interrupt handler to the 8086 software
that is to be run on the 80286, which will treat these interrupts as invalid operations.
This additional software does not significantly affect the existing 8086 software because the
interrupts do not normally occur and should not already have been used since they are in the interrupt
group reserved by Intel. Table C-1 describes the new 80286 interrupts.
2. Do not Rely on 8086/8088 Instruction Clock Counts.
The 80286 takes fewer clocks for most instructions than the 8086/8088. The areas to look into are
delays between I/O operations, and assumed delays in 8086/8088 operating in parallel with an
8087.
3. Divide Exceptions Point at the DIV Instruction.
Any interrupt on the 80286 will always leave the saved CS:IP value pointing at the beginning of
the instruction that failed (including prefixes). On the 8086, the CS:IP value saved for a divide
exception points at the next instruction.
Table C-1. New 80286 Interrupts

Interrupt
Number      Function

5           A BOUND instruction was executed with a register value outside the two limit values.

6           An undefined opcode was encountered.

7           The EM bit in the MSW has been set and an ESC instruction was executed. This
            interrupt will also occur on WAIT instructions if TS is set.

8           The interrupt table limit was changed by the LIDT instruction to a value between
            20H and 43H. The default limit after reset is 3FFH, enough for all 256 interrupts.

9           A processor extension data transfer exceeded offset 0FFFFH in a segment. This
            interrupt handler must execute FNINIT before any ESC or WAIT instruction is
            executed.

13          Segment wraparound was attempted by a word operation at offset 0FFFFH.

16          When 80286 attempted to execute a coprocessor instruction ERROR pin indicated
            an unmasked exception from previous coprocessor instruction.


4. Use Interrupt 16 for Numeric Exceptions.
Any 80287 system must use interrupt vector 16 for the numeric error interrupt. If an 8086/8087
or 8088/8087 system uses another vector for the 8087 interrupt, both vectors should point at the
numeric error interrupt handler.
5. Numeric Exception Handlers Should allow Prefixes.
The saved CS:IP value in the NPX environment save area will point at any leading prefixes before
an ESC instruction. On 8086/8088 systems, this value points only at the ESC instruction.
6. Do Not Attempt Undefined 8086/8088 Operations.
Instructions like POP CS or MOV CS,op will either cause exception 6 (undefined opcode) or
perform a protection setup operation like LIDT on the 80286. Undefined bit encodings for bits
5-3 of the second byte of POP MEM or PUSH MEM will cause exception 13 on the 80286.
7. Place a Far JMP Instruction at FFFF0H.
After reset, CS:IP = F000:FFF0 on the 80286 (versus FFFF:0000 on the 8086/8088). This change
was made to allow sufficient code space to enter protected mode without reloading CS. Placing a
far JMP instruction at FFFF0H will avoid this difference. Note that the BOOTSTRAP option of
LOC86 will automatically generate this jump instruction.
8. Do not Rely on the Value Written by PUSH SP.
The 80286 will push a different value on the stack for PUSH SP than the 8086/8088. If the value
pushed is important, replace PUSH SP instructions with the following three instructions:
    PUSH    BP
    MOV     BP,SP
    XCHG    BP,[BP]

This code functions as the 8086/8088 PUSH SP instruction on the 80286.
9. Do not Shift or Rotate by More than 31 Bits.
The 80286 masks all shift/rotate counts to the low 5 bits. This MOD 32 operation limits the count
to a maximum of 31 bits. With this change, the longest shift/rotate instruction is 39 clocks. Without
this change, the longest shift/rotate instruction would be 264 clocks, which delays interrupt response
until the instruction completes execution.
10. Do not Duplicate Prefixes.
The 80286 sets an instruction length limit of 10 bytes. The only way to violate this limit is by
duplicating a prefix two or more times before an instruction. Exception 6 occurs if the instruction
length limit is violated. The 8086/8088 has no instruction length limit.
11. Do not Rely on Odd 8086/8088 LOCK Characteristics.
The LOCK prefix and its corresponding output signal should only be used to prevent other bus
masters from interrupting a data movement operation. The 80286 will always assert LOCK during
an XCHG instruction with memory (even if the LOCK prefix was not used). LOCK should only
be used with the XCHG, MOV, MOVS, INS, and OUTS instructions.
The 80286 LOCK signal will not go active during an instruction prefetch.
12. Do not Single Step External Interrupt Handlers.
The priority of the 80286 single step interrupt is different from that of the 8086/8088. This change
was made to prevent an external interrupt from being single-stepped if it occurs while single stepping
through a program. The 80286 single step interrupt has higher priority than any external
interrupt.
The 80286 will still single step through an interrupt handler invoked by INT instructions or an
instruction exception.

13. Do not Rely on IDIV Exceptions for Quotients of 80H or 8000H.
The 80286 can generate the largest negative number as a quotient for IDIV instructions. The 8086
will instead cause exception 0.
14. Do not Rely on NMI Interrupting NMI Handlers.
After an NMI is recognized, the NMI input and processor extension limit error interrupt are masked
until the first IRET instruction is executed.
15. The NPX error signal does not pass through an interrupt controller (an 8087 INT signal does).
Any interrupt controller-oriented instructions for the 8087 may have to be deleted.
16. If any real-mode program relies on address space wrap-around (e.g., FFF0:0400=0000:0300),
then external hardware should be used to force the upper 4 addresses to zero during real mode.
17. Do not use I/O ports 00F8-00FFH. These are reserved for controlling 80287 and future processor
extensions.

HARDWARE COMPATIBILITY CONSIDERATIONS
1. Address after Reset
8086 has CS:IP = ffff:0000 and physical address ffff0.
80286 has CS:IP = f000:fff0 and physical address fffff0.
Note: After 80286 reset, until the first 80286 far JMP or far CALL, the code segment base is
ff0000. This means A20-A23 will be high for CS-relative bus cycles (code fetch or use of CS
override prefix) after reset until the first far JMP or far CALL instruction is performed.

2. Physical Address Formation
In real mode or protected mode, the 80286 always forms a physical address by adding a 16-bit
offset with a 24-bit segment base value (8086 has 20-bit base value). Therefore, if the 80286 in
real mode has a segment base within 64K of the top of the 1Mbyte address space, and the program
adds an offset of ffffh to the segment base, the physical address will be slightly above 1Mbyte.
Thus, to fully duplicate 1Mbyte wraparound that the 8086 has, it is always necessary to force A20
low externally when the 80286 is in real mode, but system hardware uses all 24 address lines.

3. LOCK signal
On the 8086, LOCK asserted means this bus cycle is within a group of two or more locked bus
cycles. On the 80286, the LOCK signal means lock this bus cycle to the NEXT bus cycle.
Therefore, on the 80286, the LOCK signal is not asserted on the last locked bus cycle of the group of
locked bus cycles.

4. Coprocessor Interface
8087, synchronous to 8086, can become a bus master.
80287, asynchronous to 80286 and 80287, cannot become a bus master.
8087 pulls opcode and pointer information directly from data bus.
80286 passes opcode and pointer information to 80287.
8087 uses interrupt path to signal errors to 8086.
80287 uses dedicated ERROR signal.
8086 requires explicit WAIT opcode preceding all ESC instructions to synchronize with 8087.
80286 has automatic instruction synchronization with 80287.

5. Bus Cycles
8086 has four-clock minimum bus cycle, with a time-multiplexed address/data bus.
80286 has two-clock minimum bus cycle, with separate buses for address and data.


APPENDIX D
80286/80386 SOFTWARE COMPATIBILITY CONSIDERATIONS

This appendix describes the considerations required in designing an Operating System for the protected
mode 80286 so that it will operate on an 80386. An 80286 Operating System running on the 80386
would not use any of the advanced features of the 80386 (i.e., paging or segments larger than 64K),
but would run 80286 code faster. Use of the new 80386 features requires changes in the 80286
Operating System.
The 80386 is no different than any other software compatible processor in terms of requiring the same
system environment to run the same software; the 80386 must have the same amount of physical
memory and I/O devices in the system as the 80286 system to run the same software. Note that an
80386 system requires a different memory system to achieve the higher performance.
The 80286 design considerations can be generally characterized as avoiding use of functions or memory
that the 80386 will use. The exception to this rule is initialization code executed after power up. Such
code must be changed to configure the 80386 system to match that of the 80286 system.
The following are 80286/80386 software compatibility design considerations:
1. Isolate the protected mode initialization code.
System initialization code will be required on the 80386 to program operating parameters before
executing any significant amount of 80286 software. The 80286 initialization software should be
isolated from the rest of the Operating System.
The initialization code in Appendix A is an example of isolated initialization code. Such code can
be extended to include programming of operating parameters before executing the initial protected
mode task.

2. Avoid wraparound of 80286 24-bit physical address space.
Since the 80386 has a larger physical address space, any segment whose base address is greater
than FF0000 and whose limit is beyond FFFFFF will address the seventeenth megabyte of memory
in the 80386 32-bit physical address space instead of the first megabyte on an 80286.
No expand-down segments should have a base address in the range FF0001-FFFFFF. No expand-up
segments should wrap around the 80286 address space (the sum of their base and limit is in
the range 000000-00FFFE).

3. Zero the last word of every 80286 descriptor.
The 80386 uses the last word of each descriptor to expand the base address and limit fields of
segments. Placing zeros in the descriptor will cause the 80386 to treat the segments the same way
as an 80286 (except for address space wraparound as mentioned above).

4. Use only 80H or 00H for invalid descriptors.
The 80386 uses more descriptor types than the 80286. Numeric values of 8-15 in bits 3-0 of the
access byte for control descriptors will cause a protection exception on the 80286, but may be
defined for other segment types on the 80386. Access byte values of 80H and 00H will remain
undefined descriptors on both the 80286 and the 80386.

5. Put error interrupt handlers in reserved interrupts 14, 15, 17-31.
Some of the unused, Intel-reserved interrupts of the 80286 will be used by the 80386 (i.e., page
fault or bus error). These interrupts should not occur while executing an 80286 operating system
on an 80386. However, it is safest to place an interrupt handler in these interrupts to print an error
message and stop the system if they do occur.


6. Do not change bits 15-4 of MSW.
The 80386 uses some of the undefined bits in the machine status word. 80286 software should
ignore bits 15-4 of the MSW. To change the MSW on an 80286, read the old value first with
LMSW, change bits 3-0 only, then write the new value with SMSW.

7. Use a restricted LOCK protocol for multiprocessor systems.
The 80386 supports the 8086/80286 LOCK functions for simple instructions, but not the string
move instructions. Any need for locked string moves can be satisfied by gaining control of a status
semaphore before using the string move instruction. Any attempt to execute a locked string move
will cause a protection exception on the 80386.
The general 80286 LOCK protocol does not efficiently extend to large multiprocessor systems. If
all the processors in the system frequently use the 8086/80286 LOCK, they will prevent other
processors from accessing memory and thereby impact system performance.

Access to semaphores in the future, including current 80286 Operating Systems, should use a protocol
with the following restrictions:
• Be sure the semaphore starts at a physical memory address that is a multiple of 4.
• Do not use string moves to access the variable.
• All accesses by any instruction or I/O device (even simple reads or writes) must use the LOCK
  prefix or system LOCK signal.
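
Considerations 2 through 4 above (address-space wraparound, the reserved last word, and control descriptor types 8-15) can be checked mechanically over a GDT or LDT image. The following C code is an added example, not code from the manual: the function names, finding flags and sample table are constructed for illustration. It assumes the 80286 descriptor byte layout (limit, 24-bit base, access byte, reserved word) and also applies the wraparound check to TSS and LDT descriptors (types 1-3), which carry a base and limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Finding flags (hypothetical names), one per consideration. */
enum {
    LINT_LAST_WORD_NONZERO = 1,  /* consideration 3: reserved word not zero */
    LINT_WRAPS_24BIT       = 2,  /* consideration 2: segment runs past FFFFFF */
    LINT_CONTROL_TYPE_8_15 = 4   /* consideration 4: control type 8-15 */
};

/* d points at one 8-byte descriptor as stored in a descriptor table:
   bytes 0-1 limit, bytes 2-4 base, byte 5 access rights, bytes 6-7 reserved. */
unsigned lint_descriptor(const uint8_t d[8])
{
    unsigned findings = 0;
    uint32_t limit = d[0] | ((uint32_t)d[1] << 8);
    uint32_t base  = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16);
    uint8_t  acc   = d[5];
    unsigned type  = acc & 0x0Fu;

    if (d[6] | d[7])
        findings |= LINT_LAST_WORD_NONZERO;

    if (acc & 0x10u) {
        /* Code or data segment. Expand-down applies to data segments only. */
        bool expand_down = !(acc & 0x08u) && (acc & 0x04u);
        if (expand_down) {
            /* Offsets reach up to FFFF, so any base above FF0000 wraps. */
            if (base >= 0xFF0001u)
                findings |= LINT_WRAPS_24BIT;
        } else if (base + limit > 0xFFFFFFu) {
            findings |= LINT_WRAPS_24BIT;
        }
    } else if (type >= 8) {
        /* Faults on the 80286, may be a defined type on the 80386. */
        findings |= LINT_CONTROL_TYPE_8_15;
    } else if (type >= 1 && type <= 3) {
        /* TSS and LDT descriptors describe expand-up memory areas. */
        if (base + limit > 0xFFFFFFu)
            findings |= LINT_WRAPS_24BIT;
    }
    return findings;
}

/* Lints count descriptors, stores per-entry flags, returns how many were flagged. */
size_t lint_table(const uint8_t *tbl, size_t count, unsigned *findings)
{
    size_t flagged = 0;
    for (size_t i = 0; i < count; i++) {
        findings[i] = lint_descriptor(tbl + 8 * i);
        if (findings[i])
            flagged++;
    }
    return flagged;
}

/* Constructed sample table: limit lo/hi, base lo/mid/hi, access, reserved word. */
static const uint8_t sample_table[8][8] = {
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },  /* 0: unused (00H) */
    { 0xFF, 0xFF, 0x00, 0x00, 0x01, 0x92, 0x00, 0x00 },  /* 1: data at 010000 */
    { 0xFF, 0xFF, 0x00, 0x80, 0xFF, 0x9A, 0x00, 0x00 },  /* 2: code at FF8000, wraps */
    { 0xFF, 0x0F, 0x01, 0x00, 0xFF, 0x96, 0x00, 0x00 },  /* 3: expand-down at FF0001 */
    { 0xFF, 0xFF, 0x00, 0x00, 0x02, 0x92, 0xFF, 0x00 },  /* 4: last word not zero */
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00 },  /* 5: control type 9 */
    { 0xFF, 0xFF, 0x00, 0x00, 0xFF, 0x9A, 0x00, 0x00 },  /* 6: code ends at FFFFFF */
    { 0xFF, 0x0F, 0x00, 0x00, 0xFF, 0x96, 0x00, 0x00 },  /* 7: expand-down at FF0000 */
};

int main(void)
{
    unsigned f[8];
    size_t flagged = lint_table(&sample_table[0][0], 8, f);
    for (size_t i = 0; i < 8; i++)
        printf("descriptor %u: findings 0x%X\n", (unsigned)i, f[i]);
    printf("%u descriptor(s) need attention\n", (unsigned)flagged);
    return 0;
}
```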

INDEX

AAA, 3-27, B-15
AAD, 3-28, B-16
AAM, 3-28, B-17
AAS, 3-28, B-18
ADC, 3-7, B-19
ADD, 3-7, B-19
Addressing Modes, 2-16
Based Indexed Mode, 2-21
Based Indexed Mode with Displacement,
2-20
Based Mode (on BX or BP
Registers), 2-20
Direct Address Mode, 2-20
Displacement, 2-16, B-1, B-2
Immediate Operand, 2-16, B-1, B-2, B-4,
B-5
Indexed Mode (by DI or SI), 2-21
Opcode, 2-16
Register Indirect Mode, 2-20
Summary, 2-21
AF Flag,
(see Flags)
AH Register, 2-7, 2-8, 2-17,3-9,3-25,3-27,
3-28, B-56
AL Register, 2-7, 2-8, 2-17, 3-9, 3-25, 3-27,
3-28, 3-30, B-73
AND Instruction, 2-23, 3-10, B-20
Arithmetic Instructions, 3-15
ASCII
(see Data Types),
AX Register, 2-7, 2-8, 2-12, 2-13, 2-16,
2-17,3-8,3-9,3-17,3-24,3-30, B-73
Based Index Mode
(see Addressing Modes),
Based Index Mode with Displacement
(see Addressing Modes),
Based Mode
(see Addressing Modes),
BCD Arithmetic
(see Data Management Instructions),

BH Register, 2-7, 2-8, 2-17,3-9
BL Register, 2-7, 2-8, 2-17
BOUND Instruction
(see Extended Instruction Set),
Bound Range Exceeded (Interrupt 5),
(see Interrupt Handling),
BP Register, 2-7 - 2-14,2-17, 2-19,
3-8 - 3-10,3-15,3-17,3-19,3-25,
3-26
Breakpoint Interrupt 3,
(see Interrupt Handling),
BUSY, 3-31
BX Register, 2-7 - 2-14,2-17,2-19;
3-8 - 3-10,3-15,3-17,3-19,3-25,
3-26
Byte
(See Data Types),
CALL Instructions, 3-18 - 3-20, 7-17,
B-23 - B-26
Call Gates, 7-16 - 7-20, B-24, B-25
CBW Instructions, 3-16, B-27
CF (Carry Flag)
(see Flags),
CH Register, 2-7, 2-8, 2-17
CL Register, 2-7, 2-8, 2-17,3-10 - 3-15
CLC Instruction, 3-25, B-28
CLD Instruction, 2-16, B-29
CLI Instruction, 2-15, 3-28, B-30
CLTS Instruction, 10-4, B-31
CMP Instruction, 3-16, B-33
Code Segment Access, 7-13, 11-1, 11-2
Comparison Instructions, 3-30
Conforming Code Segments, 7-12, 11-1,
11-2
Constant Instructions, 3-31
Control Transfers, 7-15, 7-16
CPL (Current Privilege Level), 7-10, 7-14
CS Register, 2-7, 2-8, 2-17, 2-18,
3-17 - 3-19,5-5


CWD Instruction, 3-16, B-35
CX Register, 2-7, 2-8, 2-17, 3-20,
3-22 - 3-24
DAA, 3-27, B-36
DAS, 3-27, B-37
Data Management Instructions, 4-1, 4-2,
5-5
Address Manipulation, 3-24
Arithmetic Instructions, 3-5
Addition Instructions, 3-7
Division Instructions, 3-9
Multiplication Instructions, 3-8
Subtraction Instructions, 3-7
BCD Arithmetic, 2-4, 2-5
Character Transfer and String
Instructions, 3-22
Repeat Prefixes, 3-22, 3-23
String Move, 3-23 - 3-25
String Translate, 3-22
Control Transfer Instructions, 3-16
Conditional Transfer, 3-19, 3-20
Software Generated Interrupts, 3-21
Interrupt Instructions, 3-21
Unconditional Transfer, 3-17 - 3-19
Flag Control, 3-25, 3-26
Logical Instructions, 3-9
Shift and Rotate Instructions,
3-10 - 3-15
Type Conversion Instructions, 3-16
Processor Extension Instructions, 3-29,
3-30
Test and Compare Instructions, 3-16
Trusted Instructions, 3-28
Input/Output Instructions, 3-29
Stack Manipulation, 3-2 - 3-4
Data Transfer Instructions, 3-31
Data Types, 2-1 - 2-6
ASCII, 2-4 - 2-6, B-15 - B-18
BCD, 2-4
Byte, 2-2 - 2-4
Floating Point, 2-4
Integer, 2-4
Packed BCD, 2-4
Pointer, 2-4

Strings, 2-4
Word, 2-2, 2-3
DEC Instruction, 2-17, 3-8, B-38
Dedicated Interrupt Vector, 5-5
Descriptor Table, 6-4 - 6-6
Descriptor Table Register, 6-6, 6-9, 7-6,
10-1 - 10-3
DF Flag,
(see Flags),
DH Register, 2-7, 2-8, 2-17
DI Instruction, 2-7, 2-9, 2-14, 2-15 - 2-17,
2-19 - 2-21,3-17,3-23 - 3-25, 4-1
Direct Address Mode
(see Addressing Modes),
Divide Error (Interrupt 0)
(see Interrupt Handling),
DIV Instruction, 2-25, 3-9, B-37
DL Register, 2-8, 2-17
DPL (Descriptor Privilege Level), 6-8,
7-10 - 7-14, 7-18 - 7-22,8-4,9-4,
11-1 - 11-3
DS Register, 2-7, 2-8, 2-17, 2-18, 3-24,
B-60
DX Register, 2-7, 2-8, 2-17, 3-8, 3-9,
3-16, 3-17, 3-24, 3-29, 4-1
EM (Bit in MSW), 10-4, 10-5
ENTER Instruction, 4-2 - 4-7, B-40
ES Register, 2-7, 2-8, 2-17 - 2-19,
3-22 - 3-25, 4-1
ESC (Instructions for Coprocessor), 3-30
Extended Instruction Set (Chapter 4),
4-1 - 4-7
ENTER Build Stackframe, 4-2 - 4-6,
B-40
LEAVE Remove Stackframe, 4-2, 4-6,
B-64
Repeated IN and OUT String Instructions,
4-1,4-2, B-92
Flag Register, 2-14 - 2-16,3-4 - 3-7,
B-86, B-89
Flags, 2-14, 2-15,3-4 - 3-7,3-25, B-56
see also Use of Flags with Basic
Instructions, 2-14, 2-15, 3-4 - 3-7,
3-25, B-56
AF (Auxiliary Carry Flag), 2-14, 2-15,
3-6 - 3-10, 3-16, 3-23, 3-26, 3-27
CF (Carry Flag), 2-14, 3-4 - 3-16, 3-20,
3-23 - 3-27, B-28, B-32, B-90,
B-104
DF (Direction Flag), 2-15, 3-6, 3-7, 3-22,
3-23, 3-25 - 3-27, 4-1, B-29
IF (Interrupt Flag), 2-15, 3-5, 3-7, 3-28,
5-5, 5-6, 9-2, 9-3, B-30, B-106
IOPL (Privilege Level), 2-15, 3-6, 3-28,
3-29, B-30
NT (Nested Task Flag), 2-15, 3-6, 8-7,
9-3, 9-5, 9-7, 10-1
OF (Overflow Flag), 2-15,2-25,
3-6 - 3-13, 3-16, 3-20, 3-23, 3-24,
3-26,3-27
PF (Parity Flag), 2-14, 2-15, 3-6 - 3-10,
3-16,3-20,3-23,3-24, 3-26, 3-27
SF (Sign Flag), 2-14, 3-4, 3-6 - 3-10,
3-16,3-20,3-23,3-24
TF (Trap Flag), 2-15,3-5 - 3-7,
9-14
TS (Task Switch), 10-4, 10-5, B-31
ZF (Zero Flag), 2-14, 2-15, 3-4,
3-6 - 3-10,3-20,3-21, 3-23, 3-24,
3-26, 11-4
Floating Point
(see Data Types),
Gates, 7-16
GDT, 6-4 - 6-7,6-10,6-12,6-13,
7-5 - 7-8, 7-17
GDTR (Global Descriptor Register),
6-5,6-10,6-12,6-13, 10-1 - 10-3,
B-101
General Protection Fault (Interrupt 3),
(see Interrupt Handling)
General Registers, 2-7
HLT Instruction, 2-16, 3-29, 10-6, B-42
Hierarchy of 86, 186, 286 Instruction Sets,
2-25,2-27
Basic Instruction Set, 2-25, 2-27,
3-1 - 3-31
Extended Instruction Set, Chapter 4
Instruction Set Overview, 2-25, 2-27
System Control Register Set,
Chapter 4 - Chapter 10
I/O, 2-23
IDIV Instruction, 2-25, 3-9, 9-3, B-43
IDT (Interrupt Descriptor Table),
9-1 - 9-9, 10-2, B-65
IDTR (Interrupt Descriptor Table
Register), 9-1, 10-1 - 10-3
IF (Interrupt Flag),
(see Flags)
IMUL Instruction, 3-8, B-44
IN Instruction, 2-23, 3-29, B-45
INC Instruction, 2-17, 3-7, B-46
INDEX Field, 6-4, 6-6, 6-10 - 6-12
Indexed Mode, 2-21, 2-22
Index, Pointer and Base Register,
2-9
Input/Output, 2-21, 2-22
Instructions, 3-29
Memory Mapped I/O, 2-23
Restrictions in Protected Mode, 3-28
Separate I/O Space, 2-21
INS/INSB/INSW Instruction, 3-29,4-1
INT Instruction,
(see Interrupt Handling)
Integer,
(see Data Types)
Interrupt Handling, 2-24, 2-25, 5-3 - 5-7,
9-2 - 9-13
Interrupt Priorities, 5-4
Interrupt 0 Divide Error, 2-24, 3-9, 5-5,
5-6, 9-8, 9-9, 9-13
Interrupt 1 Single-Step, 5-6, 9-9, 9-13
Interrupt 2 Nonmaskable, 5-6,9-9,9-13
Interrupt 3 Breakpoint, 2-26, 5-6, 9-9
Interrupt 4 INTO Detected Overflow,
2-26, 5-6, 9-9
Interrupt 5 BOUND Range Exceeded,
2-26,4-7,5-6,5-7,9-9,9-13, B-22
Interrupt 6 Invalid Opcode, 2-26, 5-6,
9-9,9-10

Interrupt 7 Processor Extension Not
Available, 5-6, 5-7, 9-9
Interrupt 8, Interrupt Table Limit
Too Small, 5-6, 5-7, 9-9, 9-10
Interrupt Vectors, 5-3 - 5-7
Reserved Vectors, 5-5, 5-7
Interrupt Vector Table, 5-3
Interrupts and Exceptions,
(see Interrupt Handling and Interrupt
Priorities)
INTO Detected Overflow (Interrupt 4),
(see Interrupt Handling and Interrupt
Priorities)
INTO Instruction, 2-25, 3-22, B-48
INTR, 5-3, 5-4, 9-1, 9-2, 9-7, 11-7
Invalid opcode (Interrupt 6),
(see Interrupt Handling and Interrupt
Priorities)
IOPL (I/O Privilege Level),
(see Flags)
IP Register, 2-8, 3-18, 3-19, 5-4
IRET Instruction, 3-17, 3-19, 3-21, 5-5,
8-5 - 8-8, 9-5 - 9-8, 9-14, B-51
JCXZ Instruction, 3-21, B-54, B-55
JMP Instruction, 3-17, 3-18, B-56 - B-58
LAHF Instruction, 3-26, B-59
LAR Instruction, 11-3, B-60
LDS Instruction, 3-25, 5-1, B-61
LDT (Local Descriptor Table), 6-5 - 6-7,
6-10, 6-12, 7-5 - 7-8, 7-17, 8-5, 8-6,
8-8, 8-9, 9-11 - 9-13, 10-1 - 10-4
LEA Instruction, 3-24, B-63
LEAVE Instruction, 4-2, 4-6, B-64
LES Instruction, 3-25, 5-1, B-61
LGDT Instruction, 6-12, 10-3, 10-5, B-65
LIDT Instruction, 5-6, 5-7, 10-3, 10-6, B-65
LLDT Instruction, 6-12, 10-3, 10-5, B-66
LMSW Instruction, 10-4, 10-6, B-67
LOCK Prefix, 3-29, B-68
LODS/LODSB/LODSW, 3-24, B-69
LOOP Instruction, 3-4, 3-20, 3-21, B-70
LOOPE Instruction, 3-21, B-70
LOOPNE, 3-21, B-70
LOOPNZ, 3-21, B-70
LSL Instruction, 11-3, B-71

Memory,
Physical Size, 2-1
Segmentation, 2-1
Implied Usage, 2-14
Interpretation in Protected Mode, 2-9,
2-10
Interpretation in Real Mode, 2-9,
5-1 - 5-5
Modularity, 2-1
Virtual Size, 2-1
Memory Addressing Modes, 2-17 - 2-21
Memory Management, 6-1, 7-4
Task Management, 6-1, 6-2, Chapter 8
Context Switching (Task Switching),
8-5, 8-6
Overview, 6-1
Memory Management Registers,
Chapter 6
Memory Mapped I/O,
(see Input/Output)
Memory Mode, 2-20
Memory Segmentation and Segment
Registers, 2-8 - 2-9
MOV Instructions, 2-17, 2-23, 3-1, B-73
MOVS Instructions, 3-23, B-75
MOVSB Instructions, 3-23, B-75
MOVSW Instruction, 3-23, B-75
MSW Register, 5-7, 8-6, 10-4 - 10-7,
B-67
MUL Instruction, 3-8, B-76
NEG Instruction, 3-9, B-n
NMI (Non maskable Interrupt), 5-6,
9-1 - 9-3, 9-9, 9-10
Nonmaskable (interrupt 2),
(see Interrupt Priorities)
NOP Instruction, 2-16, B-78
NOT Instruction, 3-9, 3-10, B-78
Not Present (Interrupt 11)
(see Interrupt Priorities)
NPX Processor Extension, 3-29 - 3-31


NT (Nested Task Flag),
(see Flags)
Numeric Data Processor Instructions, 3-30
OF (Overflow Flag),
(see Flags)
Offset Computation, 2-19
Operands, 2-16, 2-17
OR Instruction, 2-23, 3-10, B-80
OUT/OUTW, 2-23,3-29, 10-6, B-81
OUTS/OUTSB/OUTSW Instruction, 3-29,
4-1, B-82
PF (Parity Flag),
(see Flags)
Pointer,
(see Data Types)
POP Instruction, 3-3, B-83
POPA Instruction, 3-2, 3-5, B-85
POPF Instruction, 3-26, 3-28, B-86
Processor Extension Error (Interrupt 6),
(see Interrupt Handling and Interrupt
Priorities)
Processor Extension Not Available,
(Interrupt 7),
(see Interrupt and Interrupt Priorities)
Processor Extension Segment Overrun
Interrupt (Interrupt 9),
(see Interrupt and Interrupt Priorities)
Protected Mode, 1-2, 1-3,6-1
Protected Virtual Address Mode, 1-2,
Protection Implementation, 7-2 - 7-4
Protection Mechanisms, 1-2, 1-3
PUSH, 2-12, 3-2, B-87
PUSHA, 3-2, 3-3, B-85
PUSHF, B-89
Real Address Mode, 6-1, 6-2
Register,
Base Architecture Diagram, 2-7
Base Register BX, 2-9, 2-17, 2-19, 2-20,
3-1,3-7,3-8 - 3-10,3-14,3-16,
3-17,3-22,4-7
Flags Register, 2-14, 2-15
General Registers, 2-7

Index Registers DI, SI, 2-9
Overview, 2-7
Pointer Registers BP and SP, 2-9
Segment Registers, 2-8
Status and Control, 2-14
Register Direct Mode, 2-20
Register and Immediate Modes, 2-17
Register Indirect Mode, 2-20
(see Addressing Modes)
Reserved Interrupt Vectors,
(see Interrupt Handling and Interrupt
Priorities)
RESET, 10-7
RCL Instruction, 3-14, 3-15,9-10, B-90
RCR Instruction, 3-15, B-90
REP Prefix, 3-23,4-1,4-2, B-92
REPE Prefix, 3-24, B-92
REPNE Prefix, 3-24, B-92
REPNZ Prefix, 3-24
REPZ Prefix, 3-24
RET Instruction, 2-16, 3-17 - 3-19, B-94
ROL Instruction, 3-13, B-90
ROR Instruction, 3-14, B-90
RPL, 7-13, 8-9, 9-6, 11-3, 11-4
SAL Instruction, 3-11, B-97
SAR Instruction, 3-12, B-97
SBB Instruction, 3-8, B-99
SCAS Instruction, 3-4, 3-24, B-100
SEG (Segment Override Prefix), 2-19
Segment Address Translation Registers,
6-9 - 6-12
Segment Descriptor, 7-10 -7-12
Segment Overrun Exception (Interrupt 13),
(see Interrupt Handling and Interrupt
Priorities)
Segment Selection, 2-18
SF (Sign Flag),
(see Flags)
SGDT Instruction, 6-12, 10-3, B-101
SHL Instruction, 3-11, B-97
SHR Instruction, 3-12
SI Register, 2-7, 2-9, 2-11, 2-14 - 2-17,
2-19,3-17,3-23 - 3-25, 4-1
SIDT Instruction, 10-3, B-101


Single Step (Interrupt 1),
(see Interrupt Priorities)
SMSW Instruction, 10-4, B-103
SP Register, 2-7 - 2-14,2-19,
3-24 - 3-26, 4-2, 7-20, 7-21, 10-7
SS Register, 2-7, 2-8, 2-10 - 2-14,
2-17 - 2-19, 5-7,6-9 - 6-11,
7-12 - 7-14, 7-16, 7-20 - 7-22, 8-5,
9-12, 10-7
Status and Control Registers, 2-14 - 2-16
Stack Flag,
(see Flags)
Stack Fault (Interrupt 12),
(see Interrupt Priorities)
Stack Manipulation Instructions,
3-2, 3-3
Stack Operations, 2-10
Grow Down, 2-11
Overview, 2-10 - 2-14
Segment Register Usage, 2-11
Segment Usage Override, 2-11
Stack Frame Base Pointer BP, 2-11
Top of Stack, 2-10, 2-11
TOS, 2-10, 2-11
with BP and SP Registers, 2-10
Status Flags, 3-4
STC Instructions, 3-25, B-104
STD Instructions, 3-27, B-105
STI Instructions, 2-15, 3-28, B-106
String Instructions, 3-22 - 3-24
SUB Instruction, 3-7, 3-8, B-109
System Address Registers, 6-12
System Initialization, 10-6, 10-7
System Control Instructions, 10-3, 10-4
TEST Instruction, 3-16, B-110
TF (Trap Flags),
(see Flags)
TOS (Top of Stack),
(see Stack Operation)
TR (Task Register), 7-5
Transcendental Instruction, 3-30
TSS (Task State Segment), 8-1 - 8-9
Use of Flags with Basic Instructions, 3-4,
3-5
Virtual Address, 6-2 - 6-4

WAIT Instruction, 3-30, B-113
XCHG Instruction, 3-1, B-114
XLAT Instruction, 3-22, B-115
XOR Instruction, 2-6, 3-10, B-116
ZF (Zero Flag),
(see Flags)


80287 Numeric Processor Extension
(NPX)

PREFACE

AN INTRODUCTION TO THE 80286
This supplement describes the 80287 Numeric Processor Extension (NPX) for the 80286 microprocessor. Below is a brief overview of 80286 concepts, along with some of the nomenclature used throughout
this and other Intel publications.

The 80286 Microsystem
The 80286 is a new VLSI microprocessor system with exceptional capabilities for supporting large-system applications. Based on a new-generation CPU (the Intel 80286), this powerful microsystem is
designed to support multiuser reprogrammable and real-time multitasking applications. Its dedicated
system support circuits simplify system hardware; sophisticated hardware and software tools reduce
both the time and the cost of product development.
The 80286 is a virtual-memory microprocessor with on-chip memory management and protection. The
80286 microsystem offers a total-solution approach, enabling you to develop high-speed, interactive,
multiuser, multitasking (and multiprocessor) systems more rapidly and at higher performance than
ever before.

• Reliability and system up-time are becoming increasingly important in all applications. Information
must be protected from misuse or accidental loss. The 80286 includes a sophisticated and flexible
four-level protection mechanism that isolates layers of operating system programs from application
programs to maintain a high degree of system integrity.

• The 80286 provides 16 megabytes of physical address space to support today's application requirements. This large physical memory enables the 80286 to keep many large programs and data structures simultaneously in memory for high-speed access.

• For applications with dynamically changing memory requirements, such as multiuser business
systems, the 80286 CPU provides on-chip memory management and virtual memory support. On
an 80286-based system, each user can have up to a gigabyte ($2^{30}$ bytes) of virtual-address space.
This large address space virtually eliminates restrictions on the number or size of programs that
may be part of the system.

• Large multiuser or real-time multitasking systems are easily supported by the 80286. High-performance
features, such as a very high-speed task switch, fast interrupt-response time, inter-task protection, and a quick and direct operating system interface, make the 80286 highly suited to multiuser/
multitasking applications.

• The 80286 has two operating modes: Real-Address mode and Protected-Address mode. In Real-Address mode, the 80286 is fully compatible with the 8086, 8088, 80186, and 80188 microprocessors; all of the extensive libraries of 8086 and 8088 software execute four to six times faster on the
80286, without any modification.

• In Protected-Address mode, the advanced memory management and protection features of the 80286
become available, without any reduction in performance. Upgrading 8086 and 8088 application
programs to use these new memory management and protection features usually requires only
reassembly or recompilation (some programs may require minor modification). This compatibility
between 80286 and 8086 processor families reduces both the time and the cost of software
development.

The Organization of This Manual
This manual describes the 80287 Numeric Processor Extension (NPX) for the 80286 microprocessor.
The material in this manual is presented from the perspective of software designers, both at an applications and at a systems software level.
• Chapter One, "Overview of Numeric Processing," gives an overview of the 80287 NPX and reviews
the concepts of numeric computation using the 80287.

• Chapter Two, "Programming Numeric Applications," provides detailed information for software
designers generating applications for systems containing an 80286 CPU with an 80287 NPX. The
80286/80287 instruction set mnemonics are explained in detail, along with a description of
programming facilities for these systems. A comparative 80287 programming example is given.

• Chapter Three, "System-Level Numeric Programming," provides information of interest to systems
software writers, including details of the 80287 architecture and operational characteristics.

• Chapter Four, "Numeric Programming Examples," provides several detailed programming examples
for the 80287, including conditional branching, the conversion between floating-point values and
their ASCII representations, and the calculation of several trigonometric functions. These examples
illustrate assembly-language programming on the 80287 NPX.

• Appendix A, "Machine Instruction Encoding and Decoding," gives reference information on the
encoding of NPX instructions.

• Appendix B, "Compatibility between the 80287 NPX and the 8087," describes the differences
between the 80287 and the 8087.

• Appendix C, "Implementing the IEEE P754 Standard," gives details of the IEEE P754 Standard.

• The Glossary defines 80287 and floating-point terminology. Refer to it as needed.

Related Publications
To best use the material in this manual, readers should be familiar with the operation and architecture
of 80286 systems. The following manuals contain information related to the content of this supplement
and of interest to programmers of 80287 systems:

• Introduction to the 80286, order number 210308
• ASM286 Assembly Language Reference Manual, order number 121924
• 80286 Operating System Writer's Guide, order number 121960
• 80286 Hardware Reference Manual, order number 210760
• Microprocessor and Peripheral Handbook, order number 210844

• PL/M-286 User's Guide, order number 121945
• 80287 Support Library Reference Manual, order number 122129
• 8086 Software Toolbox Manual, order number 122203 (includes information about 80287 Emulator
Software)


TABLE OF CONTENTS

CHAPTER 1
OVERVIEW OF NUMERIC PROCESSING
Introduction to the 80287 Numeric Processor Extension
  Performance
  Ease of Use
  Applications
  Upgradability
  Programming Interface
  Hardware Interface
80287 Numeric Processor Architecture
  The NPX Register Stack
  The NPX Status Word
  Control Word
  The NPX Tag Word
  The NPX Instruction and Data Pointers
Computation Fundamentals
  Number System
  Data Types and Formats
    Binary Integers
    Decimal Integers
    Real Numbers
  Rounding Control
  Precision Control
  Infinity Control
Special Computational Situations
  Special Numeric Values
    Nonnormal Real Numbers
      Denormals and Gradual Underflow
      Unnormals-Descendents of Denormal Operands
    Zeros and Pseudo Zeros
    Infinity
    NaN (Not a Number)
    Indefinite
    Encoding of Data Types
  Numeric Exceptions
    Invalid Operation
    Zero Divisor
    Denormalized Operand
    Numeric Overflow and Underflow
    Inexact Result
    Handling Numeric Errors
      Automatic Exception Handling
      Software Exception Handling

CHAPTER 2
PROGRAMMING NUMERIC APPLICATIONS
The 80287 NPX Instruction Set
  Compatibility with the 8087 NPX
  Numeric Operands
  Data Transfer Instructions
  Arithmetic Instructions
  Comparison Instructions
  Transcendental Instructions
  Constant Instructions
  Processor Control Instructions
  Instruction Set Reference Information
    Instruction Execution Time
    Bus Transfers
    Instruction Length
Programming Facilities
  High-Level Languages
  PL/M-286
  ASM286
    Defining Data
    Records and Structures
    Addressing Modes
  Comparative Programming Example
  80287 Emulation
Concurrent Processing with the 80287
  Managing Concurrency
  Instruction Synchronization
  Data Synchronization
  Error Synchronization
    Incorrect Error Synchronization
    Proper Error Synchronization

CHAPTER 3
SYSTEM-LEVEL NUMERIC PROGRAMMING
80287 Architecture
  Processor Extension Data Channel
  Real-Address Mode and Protected Virtual-Address Mode
  Dedicated and Reserved I/O Locations
Processor Initialization and Control
  System Initialization
  Recognizing the 80287 NPX
  Configuring the Numerics Environment
  Initializing the 80287
  80287 Emulation
  Handling Numeric Processing Exceptions
  Simultaneous Exception Response
  Exception Recovery Examples

CHAPTER 4
NUMERIC PROGRAMMING EXAMPLES
Conditional Branching Examples
Exception Handling Examples
Floating-point to ASCII Conversion Examples
  Function Partitioning
  Exception Considerations
  Special Instructions
  Description of Operation
  Scaling the Value
    Inaccuracy in Scaling
    Avoiding Underflow and Overflow
    Final Adjustments
  Output Format
Trigonometric Calculation Examples
  FPTAN and FPREM
  Cosine Uses Sine Code

APPENDIX A
MACHINE INSTRUCTION ENCODING AND DECODING

APPENDIX B
COMPATIBILITY BETWEEN THE 80287 NPX AND THE 8087

APPENDIX C
IMPLEMENTING THE IEEE P754 STANDARD
Options Implemented in the 80287
Areas of the Standard Implemented in Software
Additional Software to Meet the Standard

GLOSSARY OF 80287 AND FLOATING-POINT TERMINOLOGY

INDEX

Figures

Figure  Title
1-1     Evolution and Performance of Numeric Processors
1-2     80287 NPX Block Diagram
1-3     80287 Register Set
1-4     80287 Status Word
1-5     80287 Control Word Format
1-6     80287 Tag Word Format
1-7     80287 Instruction and Data Pointer Image in Memory
1-8     80287 Number System
1-9     Data Formats
1-10    Projective versus Affine Closure
1-11    Arithmetic Example Using Infinity
2-1     FSAVE/FRSTOR Memory Layout
2-2     FSTENV/FLDENV Memory Layout
2-3     Sample 80287 Constants
2-4     Status Word RECORD Definition
2-5     Structure Definition
2-6     Sample PL/M-286 Program
2-7     Sample ASM286 Program
2-8     Instructions and Register Stack
2-9     Synchronizing References to Shared Data
2-10    Documenting Data Synchronization
2-11    Nonconcurrent FIST Instruction Code Macro
2-12    Error Synchronization Examples
3-1     Software Routine to Recognize the 80287
4-1     Conditional Branching for Compares
4-2     Conditional Branching for FXAM
4-3     Full-State Exception Handler
4-4     Reduced-Latency Exception Handler
4-5     Reentrant Exception Handler
4-6     Floating-Point to ASCII Conversion Routine
4-7     Calculating Trigonometric Functions

Tables

Table   Title
1-1     Numeric Processing Speed Comparisons
1-2     Numeric Data Types
1-3     Principal NPX Instructions
1-4     Interpreting the NPX Condition Codes
1-5     Real Number Notation
1-6     Rounding Modes
1-7     Denormalization Process
1-8     Exceptions Due to Denormal Operands
1-9     Unnormal Operands and Results
1-10    Zero Operands and Results
1-11    Masked Overflow Response with Directed Rounding
1-12    Infinity Operands and Results
1-13    Binary Integer Encodings
1-14    Packed Decimal Encodings
1-15    Real and Long Real Encodings
1-16    Temporary Real Encodings
1-17    Exception Conditions and Masked Responses
2-1     Data Transfer Instructions
2-2     Arithmetic Instructions
2-3     Basic Arithmetic Instructions and Operands
2-4     Condition Code Interpretation after FPREM
2-5     Comparison Instructions
2-6     Condition Code Interpretation after FCOM
2-7     Condition Code Interpretation after FTST
2-8     FXAM Condition Code Settings
2-9     Transcendental Instructions
2-10    Constant Instructions
2-11    Processor Control Instructions
2-12    Key to Operand Types
2-13    Execution Penalties
2-14    Instruction Set Reference Data
2-15    PL/M-286 Built-In Procedures
2-16    80287 Storage Allocation Directives
2-17    Addressing Mode Examples
3-1     NPX Processor State Following Initialization
3-2     Precedence of NPX Exceptions
A-1     80287 Instruction Encoding
A-2     Machine Instruction Decoding Guide

CHAPTER 1
OVERVIEW OF NUMERIC PROCESSING
The 80287 NPX is a high-performance numerics processing element that extends the 80286 architecture by adding significant numeric capabilities and direct support for floating-point, extended-integer,
and BCD data types. The 80286 CPU with 80287 NPX easily supports powerful and accurate numeric
applications through its implementation of the proposed IEEE 754 Standard for Binary Floating-Point
Arithmetic.

INTRODUCTION TO THE 80287 NUMERIC PROCESSOR EXTENSION
The 80287 Numeric Processor Extension (NPX) is highly compatible with its predecessor, the earlier
Intel 8087 NPX.
The 8087 NPX was designed for use in 8086-family systems. The 8086 was the first microprocessor
family to partition the processing unit to permit high-performance numeric capabilities. The 8087 NPX
for this processor family implemented a complete numeric processing environment in compliance with
the proposed IEEE 754 Floating-Point Standard.
With the 80287 Numeric Processor Extension, high-speed numeric computations have been extended
to 80286 high-performance multi-tasking and multi-user systems. Multiple tasks using the numeric
processor extension are afforded the full protection of the 80286 memory management and protection
features.
Figure 1-1 illustrates the relative performance of 8-MHz 8086/8087 and 80286/80287 systems in
executing numerics-oriented applications.

Performance
Table 1-1 compares the execution times of several 80287 instructions with the equivalent operations
executed in software on an 8-MHz 80286. The software equivalents are highly-optimized assembly-language procedures from the 80287 emulator. As indicated in the table, the 80287 NPX provides
about 50 to 100 times the performance of software numeric routines on the 80286 CPU. An 8-MHz
80287 multiplies 32-bit and 64-bit real numbers in about 11.9 and 16.9 microseconds, respectively. Of
course, the actual performance of the NPX in a given system depends on the characteristics of the
individual application.
Although the performance figures shown in table 1-1 refer to operations on real (floating-point) numbers,
the 80287 also manipulates fixed-point binary and decimal integers of up to 64 bits or 18 digits, respectively. The 80287 can improve the speed of multiple-precision software algorithms for integer operations by 10 to 100 times.
Because the 80287 NPX is an extension of the 80286 CPU, no software overhead is incurred in setting
up the NPX for computation. The 80287 and 80286 processors coordinate their activities in a manner
transparent to software. Moreover, built-in coordination facilities allow the 80286 CPU to proceed with
other instructions while the 80287 NPX is simultaneously executing numeric instructions. Programs
can exploit this concurrency of execution to further increase system performance and throughput.

[Figure: double-precision Whetstone performance (KOPS) plotted against year introduced, for the 8086/8087 (1980) and the 80286/80287 (1983).]

Figure 1-1. Evolution and Performance of Numeric Processors

Table 1-1. Numeric Processing Speed Comparisons

Approximate Performance Ratios: 8 MHz 80287 to 8 MHz Protected Mode IAPX using E80287

Floating-Point Instruction                             Ratio

FADD ST,ST (Temp Real)              Addition           1: 42
FDIV DWORD PTR (Single-Precision)   Division           1:266
FXAM (Stack(0) assumed)             Examine            1:139
FYL2X (Stack(0),(1) assumed)        Logarithm          1: 99
FPATAN (Stack(0) assumed)           Arctangent         1:153
F2XM1 (Stack(0) assumed)            Exponentiation     1: 41

Ease of Use
The 80287 NPX offers more than raw execution speed for computation-intensive tasks. The 80287
brings the functionality and power of accurate numeric computation into the hands of the general user.
Like the 8087 NPX that preceded it, the 80287 is explicitly designed to deliver stable, accurate results
when programmed using straightforward "pencil and paper" algorithms. The IEEE 754 standard
specifically addresses this issue, recognizing the fundamental importance of making numeric computations both easy and safe to use.
For example, most computers can overflow when two single-precision floating-point numbers are multiplied together and then divided by a third, even if the final result is a perfectly valid 32-bit number.
The 80287 delivers the correctly rounded result. Other typical examples of undesirable machine behavior in straightforward calculations occur when solving for the roots of a quadratic equation:

$$\frac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$

or computing financial rate of return, which involves the expression $(1 + i)^n$. On most machines,
straightforward algorithms will not deliver consistently correct results (and will not indicate when they
are incorrect). To obtain correct results on traditional machines under all conditions usually requires
sophisticated numerical techniques that are foreign to most programmers. General application
programmers using straightforward algorithms will produce much more reliable programs using the
80287. This simple fact greatly reduces the software investment required to develop safe, accurate
computation-based products.
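
The multiply-then-divide case described above, as an added example that is not part of the Intel manual: the same a*b/c is evaluated with strict 32-bit intermediates and with a wider intermediate, and a small check reports when the 32-bit intermediate silently overflowed or underflowed. The function names are this example's own, and C double stands in for the 80287's wider temporary real format (an assumption made for portability).

```c
#include <float.h>
#include <stdio.h>

/* Status codes for the intermediate product (names are hypothetical). */
enum fp_status { FP_OK = 0, FP_OVERFLOW = 1, FP_UNDERFLOW = 2 };

/* a*b/c with every intermediate rounded to 32-bit single precision.
 * volatile forces each intermediate to be stored as a float, so a compiler
 * that evaluates in wider registers cannot hide the range loss. */
float muldiv_single(float a, float b, float c)
{
    volatile float product = a * b;
    volatile float quotient = product / c;
    return quotient;
}

/* a*b/c with a wider intermediate. Assumption: double stands in for the
 * 80287 temporary real format; only the final value is rounded to float. */
float muldiv_wide(float a, float b, float c)
{
    double product = (double)a * (double)b;
    return (float)(product / (double)c);
}

/* Report whether the product a*b leaves the normalized single-precision
 * range, which is the failure the strict 32-bit path does not signal. */
enum fp_status intermediate_fault(float a, float b)
{
    double product = (double)a * (double)b;
    double mag = product < 0.0 ? -product : product;

    if (mag > FLT_MAX)
        return FP_OVERFLOW;                 /* would become infinity */
    if (mag != 0.0 && mag < FLT_MIN)
        return FP_UNDERFLOW;                /* would lose bits or become zero */
    return FP_OK;
}

int main(void)
{
    /* Constructed sample inputs: each final result fits in 32 bits. */
    const float cases[3][3] = {
        { 1e30f,  1e30f,  1e30f  },   /* product overflows single precision  */
        { 1e-30f, 1e-30f, 1e-30f },   /* product underflows single precision */
        { 2.0f,   3.0f,   4.0f   },   /* benign */
    };
    static const char *names[] = { "ok", "overflow", "underflow" };

    for (int i = 0; i < 3; i++) {
        float a = cases[i][0], b = cases[i][1], c = cases[i][2];
        printf("a*b/c single=%g wide=%g intermediate=%s\n",
               (double)muldiv_single(a, b, c),
               (double)muldiv_wide(a, b, c),
               names[intermediate_fault(a, b)]);
    }
    return 0;
}
```

In the first two cases the strict single-precision path returns infinity and zero without any error indication, while the wide-intermediate path returns the original operand value.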
Beyond traditional numerics support for scientific applications, the 80287 has built-in facilities for
commercial computing. It can process decimal numbers of up to 18 digits without round-off errors,
performing exact arithmetic on integers as large as $2^{64}$ or $10^{18}$. Exact arithmetic is vital in accounting
applications where rounding errors may introduce monetary losses that cannot be reconciled.
The NPX contains a number of optional facilities that can be invoked by sophisticated users. These
advanced features include two models of infinity, directed rounding, gradual underflow, and either
automatic or programmed exception-handling facilities.
These automatic exception-handling facilities permit a high degree of flexibility in numeric processing
software, without burdening the programmer. While performing numeric calculations, the NPX
automatically detects exception conditions that can potentially damage a calculation. By default, on-chip exception handlers may be invoked to field these exceptions so that a reasonable result is produced,
and execution may proceed without program interruption. Alternatively, the NPX can signal the CPU,
invoking a software exception handler whenever various types of exceptions are detected.

Applications
The NPX's versatility and performance make it appropriate to a broad array of numeric applications.
In general, applications that exhibit any of the following characteristics can benefit by implementing
numeric processing on the 80287:
• Numeric data vary over a wide range of values, or include nonintegral values.
• Algorithms produce very large or very small intermediate results.
• Computations must be very precise; i.e., a large number of significant digits must be maintained.
• Performance requirements exceed the capacity of traditional microprocessors.
• Consistently safe, reliable results must be delivered using a programming staff that is not expert in
numerical techniques.

Note also that the 80287 can reduce software development costs and improve the performance of
systems that use not only real numbers, but operate on multiprecision binary or decimal integer values
as well.

A few examples, which show how the 80287 might be used in specific numerics applications, are
described below. In many cases, these types of systems have been implemented in the past with
minicomputers. The advent of the 80287 brings the size and cost savings of microprocessor technology
to these applications for the first time.
• Business data processing - The NPX's ability to accept decimal operands and produce exact decimal
results of up to 18 digits greatly simplifies accounting programming. Financial calculations that use
power functions can take advantage of the 80287's exponentiation and logarithmic instructions.
• Process control - The 80287 solves dynamic range problems automatically, and its extended precision allows control functions to be fine-tuned for more accurate and efficient performance. Control
algorithms implemented with the NPX also contribute to improved reliability and safety, while the
80287's speed can be exploited in real-time operations.
• Computer numerical control (CNC) - The 80287 can move and position machine tool heads with
accuracy in real-time. Axis positioning also benefits from the hardware trigonometric support provided
by the 80287.
• Robotics - Coupling small size and modest power requirements with powerful computational abilities, the NPX is ideal for on-board six-axis positioning.
• Navigation - Very small, lightweight, and accurate inertial guidance systems can be implemented
with the 80287. Its built-in trigonometric functions can speed and simplify the calculation of position
from bearing data.
• Graphics terminals - The 80287 can be used in graphics terminals to locally perform many functions
that normally demand the attention of a main computer; these include rotation, scaling, and interpolation. By also using an 82720 Graphics Display Controller to perform high speed data transfers,
very powerful and highly self-sufficient terminals can be built from a relatively small number of
80286 family parts.
• Data acquisition - The 80287 can be used to scan, scale, and reduce large quantities of data as it is
collected, thereby lowering storage requirements and time required to process the data for analysis.

The preceding examples are oriented toward traditional numerics applications. There are, in addition,
many other types of systems that do not appear to the end user as computational, but can employ the
80287 to advantage. Indeed, the 80287 presents the imaginative system designer with an opportunity
similar to that created by the introduction of the microprocessor itself. Many applications can be viewed
as numerically-based if sufficient computational power is available to support this view. This is analogous to the thousands of successful products that have been built around "buried" microprocessors,
even though the products themselves bear little resemblance to computers.

Upgradability
The architecture of the 80286 CPU is specifically adapted to allow easy upgradability to use an 80287,
simply by plugging in the 80287 NPX. For this reason, designers of 80286 systems may wish to incorporate the 80287 NPX into their designs in order to offer two levels of price and performance at little
additional cost.

Two features of the 80286 CPU make the design and support of upgradable 80286 systems particularly
simple:
• The 80286 can be programmed to recognize the presence of an 80287 NPX; that is, software can
recognize whether it is running on an 80286 or an 80287 system.
• After determining whether the 80287 NPX is available, the 80286 CPU can be instructed to let the
NPX execute all numeric instructions. If an 80287 NPX is not available, the 80286 CPU can emulate
all 80287 numeric instructions in software. This emulation is completely transparent to the application software: the same object code may be used by both 80286 and 80287 systems. No relinking
or recompiling of application software is necessary; the same code will simply execute faster on the
80287 than on the 80286 system.
To facilitate this design of upgradable 80286 systems, Intel provides a software emulator for the 80287
that provides the functional equivalent of the 80287 hardware, implemented in software on the 80286.
Except for timing, the operation of this 80287 emulator (E80287) is the same as
for the 80287 NPX hardware. When the emulator is combined as part of the systems software, the
80286 system with 80287 emulation and the 80286 with 80287 hardware are virtually indistinguishable
to an application program. This capability makes it easy for software developers to maintain a single
set of programs for both systems. System manufacturers can offer the NPX as a simple plug-in
performance option without necessitating any changes in the user's software.

Programming Interface
The 80286/80287 pair is programmed as a single processor; all of the 80287 registers appear to a
programmer as extensions of the basic 80286 register set. The 80286 has a class of instructions known
as ESCAPE instructions, all having a common format. These ESC instructions are numeric instructions for the 80287 NPX. These numeric instructions for the 80287 are simply encoded into the instruction stream along with 80286 instructions.
All of the CPU memory-addressing modes may be used in programming the NPX, allowing convenient
access to record structures, numeric arrays, and other memory-based data structures. All of the memory
management and protection features of the CPU are extended to the NPX as well.
Numeric processing in the 80287 centers around the NPX register stack. Programmers can treat these
eight 80-bit registers as either a fixed register set, with instructions operating on explicitly-designated
registers, or a classical stack, with instructions operating on the top one or two stack elements.
Internally, the 80287 holds all numbers in a uniform 80-bit temporary-real format. Operands that may
be represented in memory as 16-, 32-, or 64-bit integers, 32-, 64-, or 80-bit floating-point numbers, or
18-digit packed BCD numbers, are automatically converted into temporary-real format as they are
loaded into the NPX registers. Computation results are subsequently converted back into one of these
destination data formats when they are stored into memory from the NPX registers.
Table 1-2 lists each of the seven data types supported by the 80287, showing the data format for each
type. All operands are stored in memory with the least significant digits starting at the initial (lowest)
memory address. Numeric instructions access and store memory operands using only this initial address.
For maximum system performance, all operands should start at even memory addresses.
Table 1-3 lists the 80287 instructions by class. No special programming tools are necessary to use the
80287, because all of the NPX instructions and data types are directly supported by the ASM286
Assembler and Intel's appropriate high-level languages.
Software routines for the 80287 may be written in ASM286 Assembler or any of the following higher-level languages:
PL/M-286
PASCAL-286
FORTRAN-286
C-286

Table 1-2. Numeric Data Types

Data Type        Bits   Significant        Approximate Range (Decimal)
                        Digits (Decimal)
Word integer     16     4                  -32,768 ≤ X ≤ +32,767
Short integer    32     9                  -2×10^9 ≤ X ≤ +2×10^9
Long integer     64     18                 -9×10^18 ≤ X ≤ +9×10^18
Packed decimal   80     18                 -99...99 ≤ X ≤ +99...99 (18 digits)
Short real*      32     6-7                8.43×10^-37 ≤ |X| ≤ 3.37×10^38
Long real*       64     15-16              4.19×10^-307 ≤ |X| ≤ 1.67×10^308
Temporary real   80     19                 3.4×10^-4932 ≤ |X| ≤ 1.2×10^4932

Table 1-3. Principal NPX Instructions

Class               Instruction Types
Data Transfer       Load (all data types), Store (all data types), Exchange
Arithmetic          Add, Subtract, Multiply, Divide, Subtract Reversed, Divide
                    Reversed, Square Root, Scale, Remainder, Integer Part, Change
                    Sign, Absolute Value, Extract
Comparison          Compare, Examine, Test
Transcendental      Tangent, Arctangent, 2^X - 1, Y·Log2(X + 1), Y·Log2(X)
Constants           0, 1, π, Log10(2), Loge(2), Log2(10), Log2(e)
Processor Control   Load Control Word, Store Control Word, Store Status Word,
                    Load Environment, Store Environment, Save, Restore, Clear
                    Exceptions, Initialize, Set Protected Mode

In addition, all of the development tools supporting the 8086 and 8087 can also be used to develop
software for the 80286 and 80287 operating in Real-Address mode.
All of these high-level languages provide programmers with access to the computational power and
speed of the 80287 without requiring an understanding of the architecture of the 80286 and 80287
chips. Such architectural considerations as concurrency and data synchronization are handled automatically by these high-level languages. For the ASM286 programmer, specific rules for handling these
issues are discussed in a later section of this supplement.

Hardware Interface
As an extension of the 80286 processor, the 80287 is wired very much in parallel with the 80286 CPU.
Four special status signals, PEREQ, PEACK, BUSY, and ERROR, permit the two processors to
coordinate their activities. The 80287 NPX also monitors the 80286 S1, S0, COD/INTA, READY,
HLDA, and CLK pins to monitor the execution of ESC instructions (numeric instructions) by the
80286.

As shown in figure 1-2, the 80287 NPX is divided internally into two processing elements: the Bus
Interface Unit (BIU) and the Numeric Execution Unit (NEU). The two units operate independently
of one another: the BIU receives and decodes instructions, requests operand transfers with memory,
and executes processor control instructions, whereas the NEU processes individual numeric
instructions.
The BIU handles all of the status and signal lines between the 80287 and the 80286. The NEU executes
all instructions that involve the register stack. These instructions include arithmetic, logical, transcendental, constant, and data transfer instructions. The data path in the NEU is 84 bits wide (68 fraction
bits, 15 exponent bits, and a sign bit), allowing internal operand transfers to be performed at very high
speeds.
The 80287 executes a single numeric instruction at a time. Before executing most ESC instructions,
the 80286 tests the BUSY pin and, before initiating the command, waits until the 80287 indicates that
it is not busy. Once initiated, the 80286 continues program execution, while the 80287 executes the
numeric instruction. Unlike the 8087, which required a WAIT instruction to test the BUSY signal
before each ESC opcode, these WAIT instructions are permissible, but not necessary, in 80287 programs.
In all cases, a WAIT or ESC instruction should be inserted after any 80287 store to memory (except
FSTSW or FSTCW) or load from memory (except FLDENV, FLDCW, or FRSTOR) before the 80286
reads or changes the memory value.

Figure 1-2. 80287 NPX Block Diagram
(Blocks labeled in the diagram: microcode control unit, data, operands queue, status, address, register stack.)

When needed, all data transfers between memory and the 80287 NPX are performed by the 80286
CPU, using its Processor Extension Data Channel. Numeric data transfers performed by the 80286
use the same timing as any other bus cycle, and all such transfers come under the supervision of the
80286 memory management and protection mechanisms. The 80286 Processor Extension Data Channel
and the hardware interface between the 80286 and 80287 processors are described in Chapter Six of
the 80286 Hardware Reference Manual.
From the programmer's perspective, the 80287 can be considered just an extension of the 80286
processor. All interaction between the 80286 and the 80287 processors on the hardware level is handled
automatically by the 80286 and is transparent to the software.
To communicate with the 80287, the 80286 uses the reserved I/O port addresses 00F8H, 00FAH, and
00FCH (I/O ports numbered 00F8H through 00FFH are reserved for the 80286/80287 interface).
These I/O operations are performed automatically by the 80286 and are distinct from I/O operations
that result from program I/O instructions. I/O operations resulting from the execution of ESC instructions are completely transparent to software. Any program may execute ESCAPE (numeric) instructions, without regard to its current I/O Privilege Level (IOPL).
To guarantee correct operation of the 80287, programs must not perform any explicit I/O operations
to any of the eight ports reserved for the 80287. The IOPL of the 80286 can be used to protect the
integrity of 80287 computations in multiuser reprogrammable applications, preventing any accidental
or other tampering with the 80287 (see Chapter Eight of the 80286 Operating System Writer's Guide).

80287 NUMERIC PROCESSOR ARCHITECTURE
To the programmer, the 80287 NPX appears as a set of additional registers complementing those of
the 80286. These additional registers consist of
• Eight individually-addressable 80-bit numeric registers, organized as a register stack
• Three sixteen-bit registers containing:
    an NPX status word
    an NPX control word
    a tag word
• Four 16-bit registers containing the NPX instruction and data pointers
All of the NPX numeric instructions focus on the contents of these NPX registers.

The NPX Register Stack
The 80287 register stack is shown in figure 1-3. Each of the eight numeric registers in the 80287's
register stack is 80 bits wide and is divided into fields corresponding to the NPX's temporary-real data
type.
Numeric instructions address the data registers relative to the register on the top of the stack. At any
point in time, this top-of-stack register is indicated by the ST (Stack Top) field in the NPX status
word. Load or push operations decrement ST by one and load a value into the new top register. A store-and-pop operation stores the value from the current ST register and then increments ST by one. Like
80286 stacks in memory, the 80287 register stack grows down toward lower-addressed registers.

Figure 1-3. 80287 Register Set
(The figure shows the 80287 stack, registers R1 through R8, each 80 bits wide with a sign field in bit 79, an exponent field in bits 78-64, and a significand field in bits 63-0, plus a two-bit tag field per register; below the stack are the 16-bit control register, status register, tag word, instruction pointer, and data pointer.)

Many numeric instructions have several addressing modes that permit the programmer to implicitly
operate on the top of the stack, or to explicitly operate on specific registers relative to the ST. The
ASM286 Assembler supports these register addressing modes, using the expression ST(0), or simply
ST, to represent the current Stack Top and ST(i) to specify the ith register from ST in the stack (0 ≤
i ≤ 7). For example, if ST contains 011B (register 3 is the top of the stack), the following statement
would add the contents of the top two registers on the stack (registers 3 and 5):

    FADD    ST,ST(2)

The stack organization and top-relative addressing of the numeric registers simplify subroutine
programming by allowing routines to pass parameters on the register stack. By using the stack to pass
parameters rather than using "dedicated" registers, calling routines gain more flexibility in how they
use the stack. As long as the stack is not full, each routine simply loads the parameters onto the stack
before calling a particular subroutine to perform a numeric calculation. The subroutine then addresses
its parameters as ST, ST(1), etc., even though ST may, for example, refer to physical register 3 in one
invocation and physical register 5 in another.

The NPX Status Word
The 16-bit status word shown in figure 1-4 reflects the overall state of the 80287. This status word may
be stored into memory using the FSTSW/FNSTSW, FSTENV/FNSTENV, and FSAVE/FNSAVE
instructions, and can be transferred into the 80286 AX register with the FSTSW AX/FNSTSW AX
instructions, allowing the NPX status to be inspected by the CPU.

Fields, from bit 15 down to bit 0: B, C3, ST, C2, C1, C0, ES, X, PE, UE, OE, ZE, DE, IE

IE, DE, ZE, OE, UE, PE   Exception flags (1 = exception has occurred): invalid operation*,
                         denormalized operand*, zero divide*, overflow*, underflow*, precision*
X                        (Reserved)
ES                       Error summary status (1)
C0-C3                    Condition code (2)
ST                       Stack top pointer (3)
B                        NEU busy

(1) ES is set if any unmasked exception bit is set, cleared otherwise.
(2) See table 1-4 for condition code interpretation.
(3) ST values:
    000 = register 0 is top of stack
    001 = register 1 is top of stack
    ...
    111 = register 7 is top of stack
* For definitions, see the section on exception handling.

Figure 1-4. 80287 Status Word

The Busy bit (bit 15) and the BUSY pin indicate whether the 80287's execution unit is idle (B=0) or
is executing a numeric instruction or signalling an exception (B=1). (The instructions FNSTSW,
FNSTSW AX, FNSTENV, and FNSAVE do not set the Busy bit themselves, nor do they require the
Busy bit to be clear in order to execute.)
The four NPX condition code bits (C0-C3) are similar to the flags in a CPU: the 80287 updates these
bits to reflect the outcome of arithmetic operations. The effect of these instructions on the condition
code bits is summarized in table 1-4. These condition code bits are used principally for conditional
branching. The FSTSW AX instruction stores the NPX status word directly into the CPU AX register,
allowing these condition codes to be inspected efficiently by 80286 code.
Bits 12-14 of the status word point to the 80287 register that is the current Stack Top (ST). The
significance of the stack top has been described in the section on the Register Stack.
Figure 1-4 shows the six error flags in bits 0-5 of the status word. Bit 7 is the error summary status
(ES) bit. ES is set if any unmasked exception bits are set, and is cleared otherwise. If this bit is set,
the ERROR signal is asserted. Bits 0-5 indicate whether the NPX has detected one of six possible
exception conditions since these status bits were last cleared or reset.

Control Word
The NPX provides the programmer with several processing options, which are selected by loading a
word from memory into the control word. Figure 1-5 shows the format and encoding of the fields in
the control word.

Table 1-4. Interpreting the NPX Condition Codes

Instruction Type   C3  C2  C1  C0   Interpretation
Compare, Test      0   0   X   0    ST > Source or 0 (FTST)
                   0   0   X   1    ST < Source or 0 (FTST)
                   1   0   X   0    ST = Source or 0 (FTST)
                   1   1   X   1    ST is not comparable
Remainder          Q1  0   Q0  Q2   Complete reduction with three low bits of quotient in C0, C3, and C1
                   U   1   U   U    Incomplete Reduction
Examine            0   0   0   0    Valid, positive unnormalized
                   0   0   0   1    Invalid, positive, exponent = 0
                   0   0   1   0    Valid, negative, unnormalized
                   0   0   1   1    Invalid, negative, exponent = 0
                   0   1   0   0    Valid, positive, normalized
                   0   1   0   1    Infinity, positive
                   0   1   1   0    Valid, negative, normalized
                   0   1   1   1    Infinity, negative
                   1   0   0   0    Zero, positive
                   1   0   0   1    Empty Register
                   1   0   1   0    Zero, negative
                   1   0   1   1    Empty Register
                   1   1   0   0    Invalid, positive, exponent = 0
                   1   1   0   1    Empty Register
                   1   1   1   0    Invalid, negative, exponent = 0
                   1   1   1   1    Empty Register

NOTES:
1. ST = Top of stack
2. X = value is not affected by instruction
3. U = value is undefined following instruction
4. Qn = Quotient bit n following complete reduction (C2=0)

The low-order byte of this control word configures the 80287 error and exception masking. Bits 0-5 of
the control word contain individual masks for each of the six exception conditions recognized by the
80287. The high-order byte of the control word configures the 80287 processing options, including
• Precision control
• Rounding control
• Infinity control
The Precision control bits (bits 8-9) can be used to set the 80287 internal operating precision at less
than the default precision (64-bit significand). These control bits can be used to provide compatibility
with the earlier-generation arithmetic processors having less precision than the 80287, as required by
the IEEE 754 standard. Setting a lower precision, however, will not affect the execution time of numeric
calculations.
The rounding control bits (bits 10-11) provide for directed rounding and true chop as well as the unbiased
round-to-nearest-even mode specified in the IEEE 754 standard.

Fields, from bit 15 down to bit 0: X X X, IC, RC, PC, X X, PM, UM, OM, ZM, DM, IM

IM, DM, ZM, OM, UM, PM   Exception masks (1 = exception is masked): invalid operation,
                         denormalized operand, zero divide, overflow, underflow, precision
X                        (Reserved)
PC                       Precision control (1)
RC                       Rounding control (2)
IC                       Infinity control (0 = projective, 1 = affine)

(1) Precision control:
    00 = 24-bit significand
    01 = reserved
    10 = 53-bit significand
    11 = 64-bit significand
(2) Rounding control:
    00 = round to nearest or even
    01 = round down (toward -∞)
    10 = round up (toward +∞)
    11 = chop (truncate toward zero)

Figure 1-5. 80287 Control Word Format

The infinity control bit (bit 12) determines the manner in which the 80287 treats the special values of
infinity. Either affine closure (where positive infinity is distinct from negative infinity) or projective
closure (infinity is treated as a single unsigned quantity) may be specified. These two alternative views
of infinity are discussed in the section on Computation Fundamentals.
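One way to decode the status and control words described above, as an added C example (not code from the manual). Bit positions follow the field order of figures 1-4 and 1-5, with the exception flags and masks in bits 0-5 and ES in bit 7 as the text states; the macro and function names are illustrative, and the compare decoding uses the C3 and C0 rows of table 1-4.

```c
#include <stdint.h>

/* Status word fields (figure 1-4). */
#define NPX_SW_EXC_FLAGS 0x003Fu  /* IE, DE, ZE, OE, UE, PE in bits 0-5 */
#define NPX_SW_ES        0x0080u  /* error summary status, bit 7 */
#define NPX_SW_C0        0x0100u  /* condition code C0 */
#define NPX_SW_C3        0x4000u  /* condition code C3 */

enum npx_rounding { NPX_RC_NEAREST = 0, NPX_RC_DOWN = 1, NPX_RC_UP = 2, NPX_RC_CHOP = 3 };
enum npx_compare  { NPX_CMP_GREATER, NPX_CMP_LESS, NPX_CMP_EQUAL, NPX_CMP_UNORDERED };

/* Exception flags set in the status word whose mask bit (same position in
 * the control word, 1 = masked) is clear. */
unsigned npx_unmasked_exceptions(uint16_t status, uint16_t control)
{
    return (unsigned)status & NPX_SW_EXC_FLAGS & ~(unsigned)control;
}

/* Returns 1 when the stored ES bit agrees with note (1) of figure 1-4:
 * ES is set if any unmasked exception bit is set, cleared otherwise. */
int npx_es_consistent(uint16_t status, uint16_t control)
{
    int expected = npx_unmasked_exceptions(status, control) != 0;
    int actual = (status & NPX_SW_ES) != 0;
    return expected == actual;
}

/* Rounding control, bits 10-11 of the control word. */
enum npx_rounding npx_rounding_mode(uint16_t control)
{
    return (enum npx_rounding)((control >> 10) & 3u);
}

/* Precision control, bits 8-9: significand width in bits, 0 for the
 * reserved encoding 01. */
int npx_precision_bits(uint16_t control)
{
    switch ((control >> 8) & 3u) {
    case 0:  return 24;
    case 2:  return 53;
    case 3:  return 64;
    default: return 0;
    }
}

/* Infinity control, bit 12: 0 = projective, 1 = affine. */
int npx_affine_infinity(uint16_t control)
{
    return (int)((control >> 12) & 1u);
}

/* Outcome of a compare or test instruction from C3 and C0 (table 1-4). */
enum npx_compare npx_compare_result(uint16_t status)
{
    int c3 = (status & NPX_SW_C3) != 0;
    int c0 = (status & NPX_SW_C0) != 0;
    if (c3 && c0)
        return NPX_CMP_UNORDERED;     /* ST is not comparable */
    if (c3)
        return NPX_CMP_EQUAL;
    if (c0)
        return NPX_CMP_LESS;
    return NPX_CMP_GREATER;
}
```

A handler that has stored the status and control words can call `npx_unmasked_exceptions` to see which of the six conditions actually caused the ERROR signal, since masked conditions leave their flags set without raising it.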

The NPX Tag Word
The tag word indicates the contents of each register in the register stack, as shown in figure 1-6. The
tag word is used by the NPX itself in order to track its numeric registers and optimize performance.
Programmers may use this tag information to interpret the contents of the numeric registers. The tag
values are stored in the tag word corresponding to the physical registers 0-7. Programmers must use
the current Stack Top (ST) pointer stored in the NPX status word to associate these tag values with
the relative stack registers ST(O) through ST(7).

The NPX Instruction and Data Pointers
The NPX instruction and data registers provide support for programmed exception-handlers. Whenever
the 80287 executes a math instruction, the NPX internally saves the instruction address, the operand
address (if present), and the instruction opcode. The 80287 FSTENV and FSAVE instructions store
this data into memory, allowing exception handlers to determine the precise nature of any numeric
exceptions that may be encountered.

Tag values:
00 = valid
01 = zero
10 = invalid or infinity
11 = empty

Figure 1-6. 80287 Tag Word Format

Memory Offset   Real Mode                                   Protected Mode
+0              CONTROL WORD                                CONTROL WORD
+2              STATUS WORD                                 STATUS WORD
+4              TAG WORD                                    TAG WORD
+6              INSTRUCTION POINTER (15-0)                  IP OFFSET
+8              INSTRUCTION POINTER (19-16), 0,             CS SELECTOR
                INSTRUCTION OPCODE (10-0)
+10             DATA POINTER (15-0)                         DATA OPERAND OFFSET
+12             DATA POINTER (19-16), 0                     DATA OPERAND SELECTOR

Figure 1-7. 80287 Instruction and Data Pointer Image in Memory

When stored in memory, the instruction and data pointers appear in one of two formats, depending on
the operating mode of the 80287. Figure 1-7 shows these pointers as they are stored following an
FSTENV instruction. In Real-Address mode, these values are the 20-bit physical address and 11-bit
opcode formatted like the 8087. In Protected mode, these values are the 32-bit virtual addresses used
by the program that executed the ESC instruction.

The instruction address saved in the 80287 will point to any prefixes that preceded the instruction.
This is different from the 8087, for which the instruction address pointed only to the ESC instruction
opcode.

COMPUTATION FUNDAMENTALS
This section covers 80287 programming concepts that are common to all applications. It describes the
80287's internal number system and the various types of numbers that can be employed in NPX
programs. The most commonly used options for rounding, precision, and infinity (selected by fields in
the control word) are described, with exhaustive coverage of less frequently used facilities deferred to
later sections. Exception conditions that may arise during execution of NPX instructions are also
described along with the options that are available for responding to these exceptions.

Number System
The system of real numbers that people use for pencil and paper calculations is conceptually infinite
and continuous. There is no upper or lower limit to the magnitude of the numbers one can employ in a
calculation, or to the precision (number of significant digits) that the numbers can represent. When
considering any real number, there is always an infinity of numbers both larger and smaller. There is
also an infinity of numbers between (i.e., with more significant digits than) any two real numbers. For
example, between 2.5 and 2.6 are 2.51, 2.5897, 2.500001, etc.
While ideally it would be desirable for a computer to be able to operate on the entire real number
system, in practice this is not possible. Computers, no matter how large, ultimately have fixed-size
registers and memories that limit the system of numbers that can be accommodated. These limitations
determine both the range and the precision of numbers. The result is a set of numbers that is finite
and discrete, rather than infinite and continuous. This sequence is a subset of the real numbers that is
designed to form a useful approximation of the real number system.
Figure 1-8 superimposes the basic 80287 real number system on a real number line (decimal numbers
are shown for clarity, although the 80287 actually represents numbers in binary). The dots indicate the
subset of real numbers the 80287 can represent as data and final results of calculations. The 80287's
range is approximately ±4.19×10^-307 to ±1.67×10^308. Applications that are required to deal with
data and final results outside this range are rare. For reference, the range of the IBM 370 is about
±0.54×10^-78 to ±0.72×10^76.
The finite spacing in figure 1-8 illustrates that the NPX can represent a great many, but not all, of the
real numbers in its range. There is always a gap between two adjacent 80287 numbers, and it is possible
for the result of a calculation to fall in this space. When this occurs, the NPX rounds the true result
to a number that it can represent. Thus, a real number that requires more digits than the 80287 can
accommodate (e.g., a 20-digit number) is represented with some loss of accuracy. Notice also that the
80287's representable numbers are not distributed evenly along the real number line. In fact, an equal
number of representable numbers exists between successive powers of 2 (i.e., as many representable
numbers exist between 2 and 4 as between 65,536 and 131,072). Therefore, the gaps between representable numbers are larger as the numbers increase in magnitude. All integers in the range ±2^64
(approximately ±10^18), however, are exactly representable.
In its internal operations, the 80287 actually employs a number system that is a substantial superset of
that shown in figure 1-8. The internal format (called temporary real) extends the 80287's range to
about ±3.4×10^-4932 to ±1.2×10^4932, and its precision to about 19 (equivalent decimal) digits. This
format is designed to provide extra range and precision for constants and intermediate results, and is
not normally intended for data or final results.

Figure 1-8. 80287 Number System
(Number line with the representable values marked as dots; the negative normalized range runs from -1.67×10^308 to -4.19×10^-307 and is mirrored by the positive normalized range.)

From a practical standpoint, the 80287's set of real numbers is sufficiently large and dense so as not
to limit the vast majority of microprocessor applications. Compared to most computers, including
mainframes, the NPX provides a very good approximation of the real number system. It is important
to remember, however, that it is not an exact representation, and that arithmetic on real numbers is
inherently approximate.
Conversely, and equally important, the 80287 does perform exact arithmetic on integer operands. That
is, an operation on two integers returns an exact integral result, provided that the true result is an
integer and is in range. For example, 4 ÷ 2 yields an exact integer, 1 ÷ 3 does not, and 2^40 × 2^30 + 1
does not, because the result requires greater than 64 bits of precision.

Data Types and Formats
The 80287 recognizes seven numeric data types, divided into three classes: binary integers, packed
decimal integers, and binary reals. A later section describes how these formats are stored in memory
(the sign is always located in the highest-addressed byte). Figure 1-9 summarizes the format of each
data type. In the figure, the most significant digits of all numbers (and fields within numbers) are the
leftmost digits. Table 1-5 provides the range and number of significant (decimal) digits that each format
can accommodate.

1-15

OVERVIEW OF NUMERIC PROCESSING

[Figure: storage layouts of the seven data types, drawn with significance increasing to the left: word integer, short integer and long integer (each a sign bit S and a two's complement magnitude); packed decimal (sign bit S, bits X, and magnitude digits d17 through d0); short real, long real and temporary real (each a sign bit S, a biased exponent and a significand).]

NOTES:
S = Sign bit (0 = positive, 1 = negative)
dn = Decimal digit (two per byte)
X = Bits have no significance; 80287 ignores when loading, zeros when storing.
▲ = Position of implicit binary point
I = Integer bit of significand; stored in temporary real, implicit (always 1) in short and long real
Exponent Bias (normalized values):
Short Real: 127 (7FH)
Long Real: 1023 (3FFH)
Temporary Real: 16383 (3FFFH)

Figure 1-9. Data Formats


Table 1-5. Real Number Notation

Notation                               Value
Ordinary Decimal                       178.125
Scientific Decimal                     1▲78125E2
Scientific Binary                      1▲0110010001E111
Scientific Binary (Biased Exponent)    1▲0110010001E10000110
80287 Short Real (Normalized)          Sign: 0
                                       Biased Exponent: 10000110
                                       Significand: 01100100010000000000000
                                                    1▲ (implicit)

BINARY INTEGERS

The three binary integer formats are identical except for length, which governs the range that can be
accommodated in each format. The leftmost bit is interpreted as the number's sign: 0 = positive and
1 = negative. Negative numbers are represented in standard two's complement notation (the binary
integers are the only 80287 format to use two's complement). The quantity zero is represented with a
positive sign (all bits are 0). The 80287 word integer format is identical to the 16-bit signed integer
data type of the 80286.

DECIMAL INTEGERS

Decimal integers are stored in packed decimal notation, with two decimal digits "packed" into each
byte, except the leftmost byte, which carries the sign bit (0 = positive, 1 = negative). Negative numbers
are not stored in two's complement form and are distinguished from positive numbers only by the
sign bit. The most significant digit of the number is the leftmost digit. All digits must be in the range
0H-9H.

REAL NUMBERS

The 80287 stores real numbers in a three-field binary format that resembles scientific, or exponential,
notation. The number's significant digits are held in the significand field, the exponent field locates
the binary point within the significant digits (and therefore determines the number's magnitude), and
the sign field indicates whether the number is positive or negative. (The exponent and significand are
analogous to the terms "characteristic" and "mantissa" used to describe floating point numbers on
some computers.) Negative numbers differ from positive numbers only in the sign bits of their
significands.
Table 1-5 shows how the real number 178.125 (decimal) is stored in the 80287 short real format. The
table lists a progression of equivalent notations that express the same value to show how a number can
be converted from one form to another. The ASM286 and PL/M-286 language translators perform a
similar process when they encounter programmer-defined real number constants. Note that not every
decimal fraction has an exact binary equivalent. The decimal number 1/10, for example, cannot be
expressed exactly in binary (just as the number 1/3 cannot be expressed exactly in decimal). When a
translator encounters such a value, it produces a rounded binary approximation of the decimal value.


The NPX usually carries the digits of the significand in normalized form. This means that, except for
the value zero, the significand is an integer and a fraction as follows:
1▲fff...ff

where ▲ indicates an assumed binary point. The number of fraction bits varies according to the real
format: 23 for short, 52 for long, and 63 for temporary real. By normalizing real numbers so that their
integer bit is always a 1, the 80287 eliminates leading zeros in small values (|x| < 1). This technique
maximizes the number of significant digits that can be accommodated in a significand of a given width.
Note that, in the short and long real formats, the integer bit is implicit and is not actually stored; the
integer bit is physically present in the temporary real format only.
If one were to examine only the significand with its assumed binary point, all normalized real numbers
would have values between 1 and 2. The exponent field locates the actual binary point in the significant
digits. Just as in decimal scientific notation, a positive exponent has the effect of moving the binary
point to the right, and a negative exponent effectively moves the binary point to the left, inserting
leading zeros as necessary. An unbiased exponent of zero indicates that the position of the assumed
binary point is also the position of the actual binary point. The exponent field, then, determines a real
number's magnitude.

In order to simplify comparing real numbers (e.g., for sorting), the 80287 stores exponents in a biased
form. This means that a constant is added to the true exponent described above. The value of this bias
is different for each real format (see figure 1-9). It has been chosen so as to force the biased exponent
to be a positive value. This allows two real numbers (of the same format and sign) to be compared as
if they are unsigned binary integers. That is, when comparing them bitwise from left to right (beginning with the leftmost exponent bit), the first bit position that differs orders the numbers; there is no
need to proceed further with the comparison. A number's true exponent can be determined simply by
subtracting the bias value of its format.
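
The short real fields of table 1-5 and the unsigned-integer comparison that the biased exponent makes possible, as an added C example (not code from the manual). It assumes the host's float has the same 32-bit layout as the 80287 short real; the function names and the sample array are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define SHORT_REAL_BIAS 127   /* 7FH, the short real exponent bias */

/* The three fields of a short real. */
struct short_real {
    unsigned sign;        /* 1 bit: 0 = positive, 1 = negative */
    unsigned biased_exp;  /* 8 bits: true exponent plus the bias */
    uint32_t fraction;    /* 23 stored bits; the integer bit is implicit */
};

/* Raw bit pattern of a float (assumed to be stored as a short real). */
static uint32_t short_real_bits(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

static struct short_real split_short_real(float f)
{
    uint32_t u = short_real_bits(f);
    struct short_real r;
    r.sign = u >> 31;
    r.biased_exp = (u >> 23) & 0xFFu;
    r.fraction = u & 0x7FFFFFu;
    return r;
}

/* True exponent of a normalized value: subtract the bias of the format. */
static int true_exponent(struct short_real r)
{
    return (int)r.biased_exp - SHORT_REAL_BIAS;
}

/*
 * Order two reals of the SAME sign (and not NaN) by comparing their bit
 * patterns as unsigned integers. Returns -1, 0 or 1 for a < b, a == b,
 * a > b. For two negative numbers the larger pattern is the larger
 * magnitude, so the integer ordering is reversed.
 */
static int compare_same_sign(float a, float b)
{
    uint32_t ua = short_real_bits(a), ub = short_real_bits(b);
    int order = (ua > ub) - (ua < ub);
    return (ua >> 31) ? -order : order;
}

/* Constructed sample values, all positive. */
static const float SAMPLE_POSITIVE[] = { 0.1f, 1.0f, 1.5f, 2.0f, 178.125f, 65536.0f };

/* Returns 1 when the integer comparison agrees with the ordinary real
 * comparison for every pair in v. */
static int ordering_agrees(const float *v, int n)
{
    int i, j;
    for (i = 0; i < n; i++)
        for (j = 0; j < n; j++) {
            int expect = (v[i] > v[j]) - (v[i] < v[j]);
            if (compare_same_sign(v[i], v[j]) != expect)
                return 0;
        }
    return 1;
}
```
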
The short and long real formats exist in memory only. If a number in one of these formats is loaded
into an 80287 register, it is automatically converted to temporary real, the format used for all internal
operations. Likewise, data in registers can be converted to short or long real for storage in memory.
The temporary real format may be used in memory also, typically to store intermediate results that
cannot be held in registers.
Most applications should use the long real form to store real number data and results; it provides
sufficient range and precision to return correct results with a minimum of programmer attention. The
short real format is appropriate for applications that are constrained by memory, but it should be
recognized that this format provides a smaller margin of safety. It is also useful for debugging algorithms,
because roundoff problems will manifest themselves more quickly in this format. The temporary real
format should normally be reserved for holding intermediate results, loop accumulations, and constants.
Its extra length is designed to shield final results from the effects of rounding and overflow/underflow
in intermediate calculations. However, the range and precision of the long real form are adequate for
most microcomputer applications.

Rounding Control
Internally, the 80287 employs three extra bits (guard, round, and sticky bits) that enable it to represent
the infinitely precise true result of a computation; these bits are not accessible to programmers. Whenever
the destination can represent the infinitely precise true result, the 80287 delivers it. Rounding occurs
in arithmetic and store operations when the format of the destination cannot exactly represent the
infinitely precise true result. For example, a real number may be rounded if it is stored in a shorter
real format, or in an integer format. Or, the infinitely precise true result may be rounded when it is
returned to a register.
The NPX has four rounding modes, selectable by the RC field in the control word (see figure 1-5).
Given a true result b that cannot be represented by the target data type, the 80287 determines the two
representable numbers a and c that most closely bracket b in value (a < b < c). The processor then
rounds (changes) b to a or to c according to the mode selected by the RC field as shown in table 1-6.
Rounding introduces an error in a result that is less than one unit in the last place to which the result is
rounded. "Round to nearest" is the default mode and is suitable for most applications; it provides the
most accurate and statistically unbiased estimate of the true result. The chop mode is provided for
integer arithmetic applications.
"Round up" and "round down" are termed directed rounding and can be used to implement interval
arithmetic. Interval arithmetic generates a certifiable result independent of the occurrence of rounding
and other errors. The upper and lower bounds of an interval may be computed by executing an algorithm
twice, rounding up in one pass and down in the other.
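
An added C model (not from the manual, and not 80287 code) of how the RC field chooses between the bracketing values a and c when a true result b is rounded to an integer, followed by the two-pass interval bound described above. The helper names, the num/den representation of b and the sample arrays are assumptions made for the example.

```c
#include <stdint.h>

/* RC field encodings as listed in the rounding modes table. */
enum rc_field { RC_NEAREST = 0, RC_DOWN = 1, RC_UP = 2, RC_CHOP = 3 };

/*
 * Round the exact value b = num/den (den > 0) to an integer as directed
 * by rc. The operands are assumed small enough that 2 * num cannot
 * overflow an int64_t.
 */
static int64_t round_by_rc(int64_t num, int64_t den, enum rc_field rc)
{
    int64_t a = num / den;   /* C division truncates toward zero */
    int64_t c, twice;

    if (num % den == 0)
        return a;            /* representable: delivered exactly, no rounding */
    if (num < 0)
        a -= 1;              /* make a the lower neighbour, so a < b < c */
    c = a + 1;

    if (rc == RC_DOWN)
        return a;                        /* toward minus infinity */
    if (rc == RC_UP)
        return c;                        /* toward plus infinity */
    if (rc == RC_CHOP)
        return (num < 0) ? c : a;        /* smaller in magnitude of a or c */

    /* Round to nearest: compare twice the distance b - a with one unit. */
    twice = 2 * (num - a * den);
    if (twice < den)
        return a;
    if (twice > den)
        return c;
    return (a % 2 == 0) ? a : c;         /* equally close: select the even one */
}

/* Run the same "algorithm" (a sum of rounded terms) under one rounding mode. */
static int64_t sum_rounded(const int64_t *num, const int64_t *den, int n,
                           enum rc_field rc)
{
    int64_t total = 0;
    int i;
    for (i = 0; i < n; i++)
        total += round_by_rc(num[i], den[i], rc);
    return total;
}

/* Constructed sample terms: 7/2, -5/2 and 1/3 (true sum 4/3). */
static const int64_t SAMPLE_NUM[] = { 7, -5, 1 };
static const int64_t SAMPLE_DEN[] = { 2,  2, 3 };
```

Running sum_rounded over the sample once with RC_DOWN and once with RC_UP gives the bounds 0 and 3, which enclose the true sum 4/3 whatever rounding occurred in the individual terms.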

Precision Control
The 80287 allows results to be calculated with either 64, 53, or 24 bits of precision in the significand
as selected by the precision control (PC) field of the control word. The default setting, and the one
that is best suited for most applications, is the full 64 bits of significance provided by the temporary real format. The other settings are required by the proposed IEEE standard, and are provided to obtain
compatibility with the specifications of certain existing programming languages. Specifying less precision nullifies the advantages of the temporary real format's extended fraction length, and does not
increase execution speed. When reduced precision is specified, the rounding of the fractional value
clears the unused bits on the right to zeros.

Infinity Control
The 80287's system of real numbers may be closed by either of two models of infinity. These two means
of closing the number system, projective and affine closure, are illustrated schematically in
figure 1-10. The setting of the IC field in the control word selects one model or the other. The default

Table 1-6. Rounding Modes

RC Field    Rounding Mode              Rounding Action
00          Round to nearest           Closer to b of a or c; if equally close,
                                       select even number (the one whose
                                       least significant bit is zero).
01          Round down (toward -∞)     a
10          Round up (toward +∞)       c
11          Chop (toward 0)            Smaller in magnitude of a or c

NOTE: a

Operation    Operand    Result
FTST         ±0         Zero
FCHS         +0         -0
             -0         +0
FABS         ±0         +0
F2XM1        +0         +0
             -0         -0
FRNDINT      +0         +0
             -0         -0
FXTRACT      +0         Both +0
             -0         Both -0

NOTES:
(1) Arithmetic and compare operations with real memory operands interpret the memory operand signs in
the same way.
(2) Arithmetic and compare operations with binary integers interpret the integer sign in the same manner.
(3) Severe underflows in storing to short or long real may generate zeros.
(4) Small values (|x| < 1) stored into integers may round to zero.
(5) Sign is determined by round mode:
* = + for nearest, up, or chop
* = - for down
(6) † = sign of X.
(7) Very small values of X and Y may yield zeros, after rounding of true result. NPX signals underflow to
warn that zero has been yielded by nonzero operands.
(8) Very small X and very large Y may yield zero, after rounding of true result. NPX signals underflow to
warn that zero has been yielded from nonzero operands.
(9) When Y divides into X exactly.

NaNs could also be used to speed up debugging. In its early testing phase, a program often contains
multiple errors. An exception handler could be written to save diagnostic information in memory
whenever it was invoked. After storing the diagnostic data, it could supply a NaN as the result of the
erroneous instruction, and that NaN could point to its associated diagnostic area in memory. The
program would then continue, creating a different NaN for each error. When the program ended, the
NaN results could be used to access the diagnostic data saved at the time the errors occurred. Many
errors could thus be diagnosed and corrected in one test run.

Table 1-11. Masked Overflow Response with Directed Rounding

True Result               Rounding
Normalization   Sign      Mode        Result Delivered
Normal          +         Up          +∞
Normal          +         Down        Largest finite positive number (1)
Normal          -         Up          Largest finite negative number (1)
Normal          -         Down        -∞
Unnormal        +         Up          +∞
Unnormal        +         Down        Largest exponent, result's significand (2)
Unnormal        -         Up          Largest exponent, result's significand (2)
Unnormal        -         Down        -∞

NOTES:
(1) The largest valid representable reals are encoded:
exponent: 11...10B
significand: (1)▲11...10B
(2) The significand retains its identity as an unnormal; the true result is rounded as usual (effectively chopped
toward 0 in this case). The exponent is encoded 11...10B.


Table 1-12. Infinity Operands and Results

Operation                Projective Result                  Affine Result

Addition
+∞ plus +∞               Invalid operation                  +∞
-∞ plus -∞               Invalid operation                  -∞
+∞ plus -∞               Invalid operation                  Invalid operation
-∞ plus +∞               Invalid operation                  Invalid operation
±∞ plus ±X               *∞                                 *∞
±X plus ±∞               *∞                                 *∞

Subtraction
+∞ minus -∞              Invalid operation                  +∞
-∞ minus +∞              Invalid operation                  -∞
+∞ minus +∞              Invalid operation                  Invalid operation
-∞ minus -∞              Invalid operation                  Invalid operation
±∞ minus ±X              *∞                                 *∞
±X minus ±∞              †∞                                 †∞

Multiplication
±∞ · ±∞                  ⊕∞                                 ⊕∞
±∞ · ±Y                  ⊕∞                                 ⊕∞
±0 · ±∞, ±∞ · ±0         Invalid operation                  Invalid operation

Division
±∞ ÷ ±∞                  Invalid operation                  Invalid operation
±∞ ÷ ±X                  ⊕∞                                 ⊕∞
±X ÷ ±∞                  ⊕0                                 ⊕0

FSQRT
-∞                       Invalid operation                  Invalid operation
+∞                       Invalid operation                  +∞

FPREM
±∞ rem ±∞                Invalid operation                  Invalid operation
±∞ rem ±X                Invalid operation                  Invalid operation
±Y rem ±∞                *Y                                 *Y
±0 rem ±∞                *0                                 *0

FRNDINT
±∞                       *∞                                 *∞

FSCALE
±∞ scaled by ±∞          Invalid operation                  Invalid operation
±∞ scaled by ±X          *∞                                 *∞
±0 scaled by ±∞          *0                                 *0
±Y scaled by ±∞          Invalid operation                  Invalid operation

FXTRACT
±∞                       Invalid operation                  Invalid operation

Compare
±∞ : ±∞                  A = B                              -∞ < +∞
±∞ : ±Y                  A ? B (and) invalid operation      -∞ < Y < +∞
±∞ : ±0                  A ? B (and) invalid operation      -∞ < 0 < +∞
 16,383.
    Masked response: Return properly signed ∞ and signal precision exception.

(FST, FSTP instructions only): rounding is nearest or chop, and exponent of true result
> +127 (short real destination) or > +1023 (long real destination).
    Masked response: Return properly signed ∞ and signal precision exception.

Underflow

(Arithmetic operations only): exponent of true result < -16,382 (true).
    Masked response: Denormalize until exponent rises to -16,382 (true), round significand to
    64 bits. If denormalized rounded significand = 0, then return true 0; else, return denormal
    (tag = special, biased exponent = 0).

(FST, FSTP instructions only): destination is short real and exponent of true result < -126 (true).
    Masked response: Denormalize until exponent rises to -126 (true), round significand to 24 bits,
    store true 0 if denormalized rounded significand = 0; else, store denormal (biased exponent = 0).

(FST, FSTP instructions only): destination is long real and exponent of true result < -1022 (true).
    Masked response: Denormalize until exponent rises to -1022 (true), round significand to 53 bits,
    store true 0 if rounded denormalized significand = 0; else, store denormal (biased exponent = 0).

Precision

True rounding error occurs.
    Masked response: No special action.

Masked response to overflow exception earlier in instruction.
    Masked response: No special action.

Note that when exceptions are masked, the NPX may detect multiple exceptions in a single instruction,
because it continues executing the instruction after performing its masked response. For example, the
80287 could detect a denormalized operand, perform its masked response to this exception, and then
detect an underflow.

Automatic Exception Handling

As described in the previous section, when the 80287 NPX encounters an exception condition whose
corresponding mask bit in the NPX control word is set, the NPX automatically performs an internal
fix-up (masked-exception) response. The 80287 NPX has a default fix-up activity for every possible
exception condition it may encounter. These masked-exception responses are designed to be safe and
are generally acceptable for most numeric applications.
As an example of how even severe exceptions can be handled safely and automatically using the NPX's
default exception responses, consider a calculation of the parallel resistance of several values using
only the standard formula (figure 1-11). If R1 becomes zero, the circuit resistance becomes zero. With
the divide-by-zero and precision exceptions masked, the 80287 NPX will produce the correct result.
By masking or unmasking specific numeric exceptions in the NPX control word, NPX programmers
can delegate responsibility for most exceptions to the NPX, reserving the most severe exceptions for
programmed exception handlers. Exception-handling software is often difficult to write, and the NPX's
masked responses have been tailored to deliver the most reasonable result for each condition. For the
majority of applications, programmers will find that masking all exceptions other than Invalid Operation will yield satisfactory results with the least programming effort. An Invalid Operation exception
normally indicates a fatal error in a program that must be corrected; this exception should not normally
be masked.
The exception flags in the NPX status word provide a cumulative record of exceptions that have occurred
since these flags were last cleared. Once set, these flags can be cleared only by executing the FCLEX
(clear exceptions) instruction, by reinitializing the NPX, or by overwriting the flags with an FRSTOR
or FLDENV instruction. This allows a programmer to mask all exceptions (except invalid operation),
run a calculation, and then inspect the status word to see if any exceptions were detected at any point
in the calculation.

[Figure: parallel resistor circuit and its EQUIVALENT RESISTANCE formula]

Figure 1-11. Arithmetic Example Using Infinity


Software Exception Handling

If the NPX encounters an unmasked exception condition, it signals the exception to the 80286 CPU
using the ERROR status line between the two processors.

The next time the 80286 CPU encounters a WAIT or ESC instruction in its instruction stream, the
80286 will detect the active condition of the ERROR status line and automatically trap to an exception
response routine using interrupt #16, the Processor Extension Error exception.
This exception response routine is typically a part of the systems software. Typical exception responses
may include:
• Incrementing an exception counter for later display or printing
• Printing or displaying diagnostic information (e.g., the 80287 environment and registers)
• Aborting further execution
• Using the exception pointers to build an instruction that will run without exception and
executing it
Application programmers on 80286 systems having systems software support for the 80287 NPX should
consult their references for the appropriate system response to NPX exceptions. For systems programmers, specific details on writing software exception handlers are included in the section "System-Level
Numeric Programming" later in this manual.
The 80287 NPX differs from the 8087 NPX in the manner in which numeric exceptions are signalled
to the CPU; the 8087 requires an interrupt controller (8259A) to interrupt the CPU, while the 80287
does not. Programmers upgrading 8087 software to operate on an 80287 should be aware of these
differences and any implications they might have on numeric exception-handling software.
Appendix B explains the differences between the 80287 and the 8087 NPX in greater detail.


CHAPTER 2
PROGRAMMING NUMERIC APPLICATIONS
Programmers developing applications for the 80287 have a wide range of instructions and programming alternatives from which to choose.
The following sections describe the 80287 instruction set in detail, and follow up with a discussion of
several of the programming facilities that are available to programmers of 80287.

THE 80287 NPX INSTRUCTION SET
This section describes the operation of all 80287 instructions. Within this section, the instructions are
divided into six functional classes:
• Data Transfer instructions
• Arithmetic instructions
• Comparison instructions
• Transcendental instructions
• Constant instructions
• Processor Control instructions

At the end of this section, each of the instructions is described in terms of its execution speed, bus
transfers, and exceptions, as well as a coding example for each combination of operands accepted by
the instruction. For easy reference, this information is concentrated into a table, organized alphabetically by instruction mnemonic.
Throughout this section, the instruction set is described as it appears to the ASM286 programmer who
is coding a program. Appendix A covers the actual machine instruction encodings, which are principally of use to those reading unformatted memory dumps, monitoring instruction fetches on the bus,
or writing exception handlers.

Compatibility with the 8087 NPX
The instruction set for the 80287 NPX is largely the same as that for the 8087 NPX used with 8086
and 8088 systems. Most object programs generated for the 8087 will execute without change on the
80287. Several instructions are new to the 80287, and several 8087 instructions perform no useful
function on the 80287. Appendix B at the back of this manual gives details of these instruction set
differences and of the differences in the ASM86 and ASM286 assemblers.

Numeric Operands
The typical NPX instruction accepts one or two operands as inputs, operates on these, and produces a
result as an output. Operands are most often (the contents of) register or memory locations. The operands
of some instructions are predefined; for example, FSQRT always takes the square root of the number
in the top stack element. Others allow, or require, the programmer to explicitly code the operand(s)
along with the instruction mnemonic. Still others accept one explicit operand and one implicit operand,
which is usually the top stack element.


Whether supplied by the programmer or utilized automatically, the two basic types of operands are
sources and destinations. A source operand simply supplies one of the inputs to an instruction; it is not
altered by the instruction. Even when an instruction converts the source operand from one format to
another (e.g., real to integer), the conversion is actually performed in an internal work area to avoid
altering the source operand. A destination operand may also provide an input to an instruction. It is
distinguished from a source operand, however, because its content may be altered when it receives the
result produced by the operation; that is, the destination is replaced by the result.
Many instructions allow their operands to be coded in more than one way. For example, FADD (add
real) may be written without operands, with only a source or with a destination and a source. The
instruction descriptions in this section employ the simple convention of separating alternative operand
forms with slashes; the slashes, however, are not coded. Consecutive slashes indicate an option of no
explicit operands. The operands for FADD are thus described as

//source/destination, source
This means that FADD may be written in any of three ways:

FADD
FADD source
FADD destination, source

When reading this section, it is important to bear in mind that memory operands may be coded with
any of the CPU's memory addressing modes. To review these modes (direct, register indirect, based,
indexed, based indexed), refer to the 80286 Programmer's Reference Manual. Table 2-17 later in this
chapter also provides several addressing mode examples.

Data Transfer Instructions
These instructions (summarized in table 2-1) move operands among elements of the register stack, and
between the stack top and memory. Any of the seven data types can be converted to temporary real
and loaded (pushed) onto the stack in a single operation; they can be stored to memory in the same
manner. The data transfer instructions automatically update the 80287 tag word to reflect the register
contents following the instruction.
FLD source

FLD (load real) loads (pushes) the source operand onto the top of the register stack. This is done by
decrementing the stack pointer by one and then copying the content of the source to the new stack top.
The source may be a register on the stack (ST(i)) or any of the real data types in memory. Short and
long real source operands are converted to temporary real automatically. Coding FLD ST(0) duplicates
the stack top.
FST destination

FST (store real) transfers the stack top to the destination, which may be another register on the stack
or a short or long real memory operand. If the destination is short or long real, the significand is
rounded to the width of the destination according to the RC field of the control word, and the exponent
is converted to the width and bias of the destination format.


Table 2-1. Data Transfer Instructions

Real Transfers
FLD      Load real
FST      Store real
FSTP     Store real and pop
FXCH     Exchange registers

Integer Transfers
FILD     Integer load
FIST     Integer store
FISTP    Integer store and pop

Packed Decimal Transfers
FBLD     Packed decimal (BCD) load
FBSTP    Packed decimal (BCD) store and pop

If, however, the stack top is tagged special (it contains ∞, a NaN, or a denormal) then the stack top's
significand is not rounded but is chopped (on the right) to fit the destination. Neither is the exponent
converted, but it also is chopped on the right and transferred "as is." This preserves the value's identification as ∞ or a NaN (exponent all ones) or a denormal (exponent all zeros) so that it can be properly
loaded and tagged later in the program if desired.
FSTP destination

FSTP (store real and pop) operates identically to FST except that the stack is popped following the
transfer. This is done by tagging the top stack element empty and then incrementing ST. FSTP permits
storing to a temporary real memory variable, whereas FST does not. Coding FSTP ST(0) is equivalent
to popping the stack with no data transfer.

FXCH //destination

FXCH (exchange registers) swaps the contents of the destination and the stack top registers. If the
destination is not coded explicitly, ST(1) is used. Many 80287 instructions operate only on the stack
top; FXCH provides a simple means of effectively using these instructions on lower stack elements.
For example, the following sequence takes the square root of the third register from the top:

        FXCH    ST(3)       ; exchange the stack top with ST(3)
        FSQRT               ; take the square root of the value now in the stack top
        FXCH    ST(3)       ; exchange again, returning the result to ST(3)

FILD source

FILD (integer load) converts the source memory operand from its binary integer format (word, short,
or long) to temporary real and loads (pushes) the result onto the stack. The (new) stack top is tagged
zero if all bits in the source were zero, and is tagged valid otherwise.


FIST destination

FIST (integer store) rounds the content of the stack top to an integer according to the RC field of the
control word and transfers the result to the destination. The destination may define a word or short
integer variable. Negative zero is stored in the same encoding as positive zero: 0000 ... 00.
FISTP destination

FISTP (integer store and pop) operates like FIST and also pops the stack following the transfer. The destination may be any of the binary integer data types.
FBLD source

FBLD (packed decimal (BCD) load) converts the content of the source operand from packed decimal
to temporary real and loads (pushes) the result onto the stack. The sign of the source is preserved,
including the case where the value is negative zero. FBLD is an exact operation; the source is loaded
with no rounding error.
The packed decimal digits of the source are assumed to be in the range 0-9H. The instruction does not
check for invalid digits (A-FH) and the result of attempting to load an invalid encoding is undefined.
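
Because FBLD does not check for invalid digits, software that accepts packed decimal data from outside can validate it before the load. The following added C example (not from the manual; the type and function names and the sample operands are constructed for the illustration) decodes the 10-byte layout described earlier, rejects digits A-FH, ignores the unused bits of the sign byte and keeps the sign of negative zero.

```c
#include <stdint.h>

#define PACKED_BCD_LEN 10
#define PACKED_BCD_MAX 999999999999999999LL   /* 18 decimal digits */

/* A packed decimal operand as it lies in memory; byte[0] is the lowest
 * address (digits d1 d0), byte[9] the highest (the sign byte). */
struct packed_bcd { uint8_t byte[PACKED_BCD_LEN]; };

enum bcd_status { BCD_OK = 0, BCD_BAD_DIGIT = 1, BCD_OUT_OF_RANGE = 2 };

struct bcd_value {
    enum bcd_status status;
    int negative;        /* sign bit, kept separately so that -0 survives */
    int64_t magnitude;   /* 0 .. PACKED_BCD_MAX */
};

/* Validate and decode an operand. Any nibble outside 0-9 is rejected
 * instead of being passed on to a load whose result would be undefined. */
static struct bcd_value packed_bcd_decode(struct packed_bcd op)
{
    struct bcd_value v = { BCD_OK, 0, 0 };
    int i;

    for (i = PACKED_BCD_LEN - 2; i >= 0; i--) {   /* d17 d16 first */
        unsigned hi = op.byte[i] >> 4, lo = op.byte[i] & 0x0Fu;
        if (hi > 9 || lo > 9) {
            v.status = BCD_BAD_DIGIT;
            v.magnitude = 0;
            return v;
        }
        v.magnitude = v.magnitude * 100 + (int64_t)(hi * 10 + lo);
    }
    /* Only the top bit of the sign byte is significant. */
    v.negative = (op.byte[PACKED_BCD_LEN - 1] & 0x80u) != 0;
    return v;
}

/* Encode an integer; the unused bits of the sign byte are written as zeros. */
static enum bcd_status packed_bcd_encode(int64_t n, struct packed_bcd *out)
{
    int64_t m;
    int i;

    if (n > PACKED_BCD_MAX || n < -PACKED_BCD_MAX)
        return BCD_OUT_OF_RANGE;
    m = n < 0 ? -n : n;
    for (i = 0; i < PACKED_BCD_LEN - 1; i++) {
        out->byte[i] = (uint8_t)(((m / 10 % 10) << 4) | (m % 10));
        m /= 100;
    }
    out->byte[PACKED_BCD_LEN - 1] = n < 0 ? 0x80u : 0x00u;
    return BCD_OK;
}

/* Returns 1 when n encodes and decodes back to the same sign and magnitude. */
static int packed_bcd_roundtrip_ok(int64_t n)
{
    struct packed_bcd p;
    struct bcd_value v;

    if (packed_bcd_encode(n, &p) != BCD_OK)
        return 0;
    v = packed_bcd_decode(p);
    return v.status == BCD_OK && v.negative == (n < 0) &&
           v.magnitude == (n < 0 ? -n : n);
}

/* Constructed sample operands: -1234567, a byte holding the invalid
 * digit AH, and negative zero with the unused sign-byte bits set. */
static const struct packed_bcd SAMPLE_NEG =
    {{ 0x67, 0x45, 0x23, 0x01, 0, 0, 0, 0, 0, 0x80 }};
static const struct packed_bcd SAMPLE_BAD =
    {{ 0x67, 0x4A, 0x23, 0x01, 0, 0, 0, 0, 0, 0x00 }};
static const struct packed_bcd SAMPLE_NEG_ZERO =
    {{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF }};
```
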
FBSTP destination

FBSTP (packed decimal (BCD) store and pop) converts the content of the stack top to a packed
decimal integer, stores the result at the destination in memory, and pops the stack. FBSTP produces a
rounded integer from a nonintegral value by adding 0.5 to the value and then chopping. Users who are
concerned about rounding may precede FBSTP with FRNDINT.

Arithmetic Instructions
The 80287's arithmetic instruction set (table 2-2) provides a wealth of variations on the basic add,
subtract, multiply, and divide operations, and a number of other useful functions. These range from a
simple absolute value to a square root instruction that executes faster than ordinary division; 80287
programmers no longer need to spend valuable time eliminating square roots from algorithms because
they run too slowly. Other arithmetic instructions perform exact modulo division, round real numbers
to integers, and scale values by powers of two.
The 80287's basic arithmetic instructions (addition, subtraction, multiplication, and division) are
designed to encourage the development of very efficient algorithms. In particular, they allow the
programmer to minimize memory references and to make optimum use of the NPX register stack.
Table 2-3 summarizes the available operation/operand forms that are provided for basic arithmetic. In
addition to the four normal operations, two "reversed" instructions make subtraction and division
"symmetrical" like addition and multiplication. The variety of instruction and operand forms gives the
programmer unusual flexibility:
• Operands may be located in registers or memory.
• Results may be deposited in a choice of registers.
• Operands may be a variety of NPX data types: temporary real, long real, short real, short integer
or word integer, with automatic conversion to temporary real performed by the 80287.


Table 2-2. Arithmetic Instructions

Addition
FADD      Add real
FADDP     Add real and pop
FIADD     Integer add

Subtraction
FSUB      Subtract real
FSUBP     Subtract real and pop
FISUB     Integer subtract
FSUBR     Subtract real reversed
FSUBRP    Subtract real reversed and pop
FISUBR    Integer subtract reversed

Multiplication
FMUL      Multiply real
FMULP     Multiply real and pop
FIMUL     Integer multiply

Division
FDIV      Divide real
FDIVP     Divide real and pop
FIDIV     Integer divide
FDIVR     Divide real reversed
FDIVRP    Divide real reversed and pop
FIDIVR    Integer divide reversed

Other Operations
FSQRT     Square root
FSCALE    Scale
FPREM     Partial remainder
FRNDINT   Round to integer
FXTRACT   Extract exponent and significand
FABS      Absolute value
FCHS      Change sign

Five basic instruction forms may be used across all six operations, as shown in table 2-3. The classical
stack form may be used to make the 80287 operate like a classical stack machine. No operands are
coded in this form, only the instruction mnemonic. The NPX picks the source operand from the stack
top and the destination from the next stack element. It then pops the stack, performs the operation,
and returns the result to the new stack top, effectively replacing the operands by the result.
The register form is a generalization of the classical stack form; the programmer specifies the stack
top as one operand and any register on the stack as the other operand. Coding the stack top as the
destination provides a convenient way to access a constant, held elsewhere in the stack, from the stack
top. The converse coding (ST is the source operand) allows, for example, adding the top into a register
used as an accumulator.


Table 2-3. Basic Arithmetic Instructions and Operands

                    Mnemonic    Operand Forms
Instruction Form    Form        destination, source                  ASM286 Example
Classical stack     Fop         {ST(1),ST}                           FADD
Register            Fop         ST(i),ST or ST,ST(i)                 FSUB    ST,ST(3)
Register pop        FopP        ST(i),ST                             FMULP   ST(2),ST
Real memory         Fop         {ST,} short-real/long-real           FDIV    AZIMUTH
Integer memory      FIop        {ST,} word-integer/short-integer     FIDIV   N_PULSES

NOTES:
Braces ({ }) surround implicit operands; these are not coded, and are shown here for information only.

op = ADD     destination ← destination + source
     SUB     destination ← destination - source
     SUBR    destination ← source - destination
     MUL     destination ← destination · source
     DIV     destination ← destination ÷ source
     DIVR    destination ← source ÷ destination

Often the operand in the stack top is needed for one operation but then is of no further use in the
computation. The register pop form can be used to pick up the stack top as the source operand, and
then discard it by popping the stack. Coding operands of ST(1),ST with a register pop mnemonic is
equivalent to a classical stack operation: the top is popped and the result is left at the new top.
The two memory forms increase the flexibility of the 80287's arithmetic instructions. They permit a
real number or a binary integer in memory to be used directly as a source operand. This is a very useful
facility in situations where operands are not used frequently enough to justify holding them in registers.
Note that any memory addressing mode may be used to define these operands, so they may be elements
in arrays, structures, or other data organizations, as well as simple scalars.
The six basic operations are discussed further in the next paragraphs, and descriptions of the remaining
seven arithmetic operations follow.
ADDITION
FADD //source/destination,source
FADDP destination,source
FIADD source

The addition instructions (add real, add real and pop, integer add) add the source and destination
operands and return the sum to the destination. The operand at the stack top may be doubled by
coding:

    FADD ST,ST(0)

NORMAL SUBTRACTION
FSUB //source/destination,source
FSUBP destination,source
FISUB source

The normal subtraction instructions (subtract real, subtract real and pop, integer subtract) subtract
the source operand from the destination and return the difference to the destination.
REVERSED SUBTRACTION
FSUBR //source/destination,source
FSUBRP destination,source
FISUBR source

The reversed subtraction instructions (subtract real reversed, subtract real reversed and pop, integer
subtract reversed) subtract the destination from the source and return the difference to the destination.
MULTIPLICATION
FMUL //source/destination,source
FMULP destination,source
FIMUL source

The multiplication instructions (multiply real, multiply real and pop, integer multiply) multiply the
source and destination operands and return the product to the destination. Coding FMUL ST,ST(0)
squares the content of the stack top.
NORMAL DIVISION
FDIV //source/destination,source
FDIVP destination,source
FIDIV source

The normal division instructions (divide real, divide real and pop, integer divide) divide the destination
by the source and return the quotient to the destination.
REVERSED DIVISION
FDIVR //source/destination,source
FDIVRP destination,source
FIDIVR source

The reversed division instructions (divide real reversed, divide real reversed and pop, integer divide
reversed) divide the source operand by the destination and return the quotient to the destination.
FSQRT

FSQRT (square root) replaces the content of the top stack element with its square root. (Note: The
square root of -0 is defined to be -0.)
FSCALE

FSCALE (scale) interprets the value contained in ST(1) as an integer and adds this value to the exponent
of the number in ST. This is equivalent to

    ST ← ST · 2^ST(1)

Thus, FSCALE provides rapid multiplication or division by integral powers of 2. It is particularly
useful for scaling the elements of a vector.

Note that FSCALE assumes the scale factor in ST(1) is an integral value in the range -2^15 ≤ X < 2^15.
If the value is not integral, but is in-range and is greater in magnitude than 1, FSCALE uses the
nearest integer smaller in magnitude; i.e., it chops the value toward 0. If the value is out of range, or
0 < |X| < 1, the instruction will produce an undefined result and will not signal an exception. The
recommended practice is to load the scale factor from a word integer to ensure correct operation.

FPREM

FPREM (partial remainder) performs modulo division of the top stack element by the next stack
element, i.e., ST(1) is the modulus. FPREM produces an exact result; the precision exception does not
occur. The sign of the remainder is the same as the sign of the original dividend.
FPREM operates by performing successive scaled subtractions; obtaining the exact remainder when
the operands differ greatly in magnitude can consume large amounts of execution time. Because the
80287 can only be preempted between instructions, the remainder function could seriously increase
interrupt latency in these cases. Accordingly, the instruction is designed to be executed iteratively in a
software-controlled loop.
FPREM can reduce a magnitude difference of up to 2^64 in one execution. If FPREM produces a
remainder that is less than the modulus, the function is complete and bit C2 of the status word condition code is cleared. If the function is incomplete, C2 is set to 1; the result in ST is then called the
partial remainder. Software can inspect C2 by storing the status word following execution of FPREM
and re-execute the instruction (using the partial remainder in ST as the dividend), until C2 is cleared.
Alternatively, a program can determine when the function is complete by comparing ST to ST(1). If
ST > ST(1), then FPREM must be executed again; if ST = ST(1), then the remainder is 0; if ST source
ST < source
ST = source
ST is not comparable

NaNs and ∞ (projective) cannot be compared and return C3 = C0 = 1 as shown in the table.
FCOMP //source

FCOMP (compare real and pop) operates like FCOM, and in addition pops the stack.
FCOMPP

FCOMPP (compare real and pop twice) operates like FCOM and additionally pops the stack twice,
discarding both operands. The comparison is of the stack top to ST(1); no operands may be explicitly
coded.
FICOM source

FICOM (integer compare) converts the source operand, which may reference a word or short binary
integer variable, to temporary real and compares the stack top to it.
FICOMP source

FICOMP (integer compare and pop) operates identically to FICOM and additionally discards the
value in ST by popping the stack.
FTST

FTST (test) tests the top stack element by comparing it to zero. The result is posted to the condition
codes as shown in table 2-7.
FXAM

FXAM (examine) reports the content of the top stack element as positive/negative and NaN/unnormal/denormal/normal/zero, or empty. Table 2-8 lists and interprets all the condition code values that
FXAM generates. Although four different encodings may be returned for an empty register, bits C3
and C0 of the condition code are both 1 in all encodings. Bits C2 and C1 should be ignored when
examining for empty.
Table 2-7. Condition Code Interpretation after FTST

Condition Code      Interpretation after FTST
C3  C2  C1  C0
0   0   X   0       ST > 0
0   0   X   1       ST < 0
1   0   X   0       ST = 0
1   1   X   1       ST is not comparable (i.e., it is a NaN or projective infinity)

Table 2-8. FXAM Condition Code Settings

Condition Code      Interpretation
C3  C2  C1  C0
0   0   0   0       + Unnormal
0   0   0   1       + NaN
0   0   1   0       - Unnormal
0   0   1   1       - NaN
0   1   0   0       + Normal
0   1   0   1       + ∞
0   1   1   0       - Normal
0   1   1   1       - ∞
1   0   0   0       + 0
1   0   0   1       Empty
1   0   1   0       - 0
1   0   1   1       Empty
1   1   0   0       + Denormal
1   1   0   1       Empty
1   1   1   0       - Denormal
1   1   1   1       Empty

Transcendental Instructions
The instructions in this group (table 2-9) perform the time-consuming core calculations for all common
trigonometric, inverse trigonometric, hyperbolic, inverse hyperbolic, logarithmic, and exponential
functions. Prologue and epilogue software may be used to reduce arguments to the range accepted by
the instructions and to adjust the result to correspond to the original arguments if necessary. The
transcendentals operate on the top one or two stack elements, and they return their results to the stack,
also.
NOTE
The transcendental instructions assume that their operands are valid and in-range. The
instruction descriptions in this section provide the allowed operand range of each instruction.
All operands to a transcendental must be normalized; denormals, unnormals, infinities, and NaNs are
considered invalid. (Zero operands are accepted by some functions and are considered out-of-range by
others). If a transcendental operand is invalid or out-of-range, the instruction will produce an undefined
result without signalling an exception. It is the programmer's responsibility to ensure that operands are
valid and in-range before executing a transcendental. For periodic functions, FPREM may be used to
bring a valid operand into range.
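
The software-controlled FPREM loop described earlier (re-execute until C2 is clear), which the note above recommends for bringing a periodic-function operand into range, is modelled below in portable C. This is an added example, not code from the manual: doubles stand in for temporary reals, the 64-step bound per execution is this model's reading of the "up to 2^64" figure, and the names fprem_once and fprem_reduce, along with the operand checks, are assumptions of the example.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>

/* The manual states one FPREM execution reduces a magnitude difference of
 * up to 2^64; this model allows 64 scaled-subtraction steps per execution. */
#define FPREM_STEPS_PER_EXECUTION 64

typedef struct {
    double st;  /* value left in ST: remainder, or partial remainder if c2 */
    bool   c2;  /* status-word bit C2: true means the reduction is incomplete */
} fprem_result;

/* Model of ONE FPREM execution: ST <- ST mod ST(1) by successive scaled
 * subtractions, stopping after a bounded number of steps. */
fprem_result fprem_once(double st, double st1)
{
    double a = (st < 0.0) ? -st : st;
    double m = (st1 < 0.0) ? -st1 : st1;
    int ea, em;
    (void)frexp(a, &ea);
    (void)frexp(m, &em);
    /* m * 2^k has the same binary exponent as a, so a < 2 * (m * 2^k). */
    int k = ea - em;
    for (int step = 0; step < FPREM_STEPS_PER_EXECUTION && k >= 0; step++, k--) {
        double t = ldexp(m, k);
        if (a >= t)
            a -= t;  /* exact, because t <= a < 2t */
    }
    fprem_result r;
    r.st = (st < 0.0) ? -a : a;  /* remainder keeps the sign of the dividend */
    r.c2 = (a >= m);             /* clear once the remainder is below the modulus */
    return r;
}

/* The software loop: re-execute with the partial remainder as the dividend
 * until C2 is clear. Returns the number of executions, or -1 if the operands
 * are rejected (model's choice: refuse NaN, infinity and a zero modulus up
 * front instead of computing with them). */
int fprem_reduce(double dividend, double modulus, double *remainder)
{
    if (remainder == NULL || !isfinite(dividend) || !isfinite(modulus) ||
        modulus == 0.0)
        return -1;
    int executions = 0;
    fprem_result r = { dividend, true };
    while (r.c2) {
        r = fprem_once(r.st, modulus);
        executions++;
        /* On the real part, an interrupt can be serviced at this point,
         * between executions, which is why the loop lives in software. */
    }
    *remainder = r.st;
    return executions;
}
```

Because every execution is bounded, the worst-case time between points where the CPU can take an interrupt is fixed, regardless of how far apart the operands are in magnitude.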

FPTAN

0 ≤ ST(0) ≤ π/4
FPTAN (partial tangent) computes the function Y/X = TAN(θ). θ is taken from the top stack
element; it must lie in the range 0 ≤ θ ≤ π/4. The result of the operation is a ratio; Y replaces θ in
the stack and X is pushed, becoming the new stack top.

Table 2-9. Transcendental Instructions

FPTAN      Partial tangent
FPATAN     Partial arctangent
F2XM1      2^X - 1
FYL2X      Y · log2 X
FYL2XP1    Y · log2 (X + 1)

The ratio result of FPTAN and the ratio argument of FPATAN are designed to optimize the calculation of the other trigonometric functions, including SIN, COS, ARCSIN, and ARCCOS. These can
be derived from TAN and ARCTAN via standard trigonometric identities.
FPATAN

0 ≤ ST(1) < ST(0) < ∞
FPATAN (partial arctangent) computes the function θ = ARCTAN(Y/X). X is taken from the top
stack element and Y from ST(1). Y and X must observe the inequality 0 ≤ Y < X < ∞. The
instruction pops the stack and returns θ to the (new) stack top, overwriting the Y operand.
F2XM1

0 ≤ ST(0) ≤ 0.5
F2XM1 (2 to the X minus 1) calculates the function Y = 2^X - 1. X is taken from the stack top and
must be in the range 0 ≤ X ≤ 0.5. The result Y replaces X at the stack top.
This instruction is designed to produce a very accurate result even when X is close to 0. To obtain
Y = 2^X, add 1 to the result delivered by F2XM1.
The following formulas show how values other than 2 may be raised to a power of X:

    10^X = 2^(X·LOG2 10)
    e^X  = 2^(X·LOG2 e)
    Y^X  = 2^(X·LOG2 Y)

As shown in the next section, the 80287 has built-in instructions for loading the constants LOG2 10 and
LOG2 e, and the FYL2X instruction may be used to calculate X·LOG2 Y.
FYL2X

0 < ST(0) < ∞
-∞ < ST(1) < ∞
FYL2X (Y log base 2 of X) calculates the function Z = Y·LOG2 X. X is taken from the stack top and
Y from ST(1). The operands must be in the ranges 0 < X < ∞ and -∞ < Y < +∞. The
instruction pops the stack and returns Z at the (new) stack top, replacing the Y operand.
This function optimizes the calculations of log to any base other than two, because a multiplication is
always required:

FYL2XP1

0 ≤ |ST(0)| < (1 - (√2/2))
-∞ < ST(1) < ∞
FYL2XP1 (Y log base 2 of (X + 1)) calculates the function Z = Y·LOG2 (X + 1). X is taken from
the stack top and must be in the range 0 ≤ |X| < (1 - (√2/2)). Y is taken from ST(1) and must
be in the range -∞ < Y < ∞. FYL2XP1 pops the stack and returns Z at the (new) stack top,
replacing Y.
The instruction provides improved accuracy over FYL2X when computing the log of a number very
close to 1, for example 1 + ε where ε << 1. Providing ε rather than 1 + ε as the input to the function
allows more significant digits to be retained.

Constant Instructions
Each of these instructions (table 2-10) loads (pushes) a commonly-used constant onto the stack. The
values have full temporary real precision (64 bits) and are accurate to approximately 19 decimal digits.
Because a temporary real constant occupies 10 memory bytes, the constant instructions, which are only
two bytes long, save storage and improve execution speed, in addition to simplifying programming.
FLDZ

FLDZ (load zero) loads (pushes) +0.0 onto the stack.
FLD1

FLD1 (load one) loads (pushes) +1.0 onto the stack.
FLDPI

FLDPI (load π) loads (pushes) π onto the stack.
FLDL2T

FLDL2T (load log base 2 of 10) loads (pushes) the value LOG2 10 onto the stack.
FLDL2E

FLDL2E (load log base 2 of e) loads (pushes) the value LOG2 e onto the stack.
Table 2-10. Constant Instructions

FLDZ      Load +0.0
FLD1      Load +1.0
FLDPI     Load π
FLDL2T    Load log2 10
FLDL2E    Load log2 e
FLDLG2    Load log10 2
FLDLN2    Load loge 2

FLDLG2
FLDLG2 (load log base 10 of 2) loads (pushes) the value LOG10 2 onto the stack.

FLDLN2
FLDLN2 (load log base e of 2) loads (pushes) the value LOGe 2 onto the stack.

Processor Control Instructions
The processor control instructions shown in table 2-11 are not typically used in calculations; they provide
control over the 80287 NPX for system-level activities. These activities include initialization, exception
handling, and task switching.
As shown in table 2-11, many of the NPX processor control instructions have two forms of assembler
mnemonic:
• A wait form, where the mnemonic is prefixed only with an F, such as FSTSW. This form checks
for unmasked numeric errors.
• A no-wait form, where the mnemonic is prefixed with an FN, such as FNSTSW. This form ignores
unmasked numeric errors.
When the control instruction is coded using the no-wait form of the mnemonic, the ASM286 assembler
does not precede the ESC instruction with a wait instruction, and the CPU does not test the ERROR
status line from the NPX before executing the processor control instruction.
Only the processor control class of instructions have this alternate no-wait form. All numeric instructions are automatically synchronized by the 80286, with the CPU testing the BUSY status line and
only executing the numeric instruction when this line is inactive. Because of this automatic synchronization by the 80286, numeric instructions for the 80287 need not be preceded by a CPU wait instruction in order to execute correctly.
Table 2-11. Processor Control Instructions

FINIT/FNINIT           Initialize processor
FSETPM                 Set Protected Mode
FLDCW                  Load control word
FSTCW/FNSTCW           Store control word
FSTSW/FNSTSW           Store status word
FSTSW AX/FNSTSW AX     Store status word to AX
FCLEX/FNCLEX           Clear exceptions
FSTENV/FNSTENV         Store environment
FLDENV                 Load environment
FSAVE/FNSAVE           Save state
FRSTOR                 Restore state
FINCSTP                Increment stack pointer
FDECSTP                Decrement stack pointer
FFREE                  Free register
FNOP                   No operation
FWAIT                  CPU Wait

It should also be noted that the 8087 instructions FENI and FDISI perform no function in the 80287.
If these opcodes are detected in an 80286/80287 instruction stream, the 80287 will perform no specific
operation and no internal states will be affected. For programmers interested in porting numeric software
from 8087 environments to the 80286, however, it should be noted that program sections containing
these exception-handling instructions are not likely to be completely portable to the 80287. Appendix
B contains a more complete description of the differences between the 80287 and the 8087 NPX.

FINIT/FNINIT

FINIT/FNINIT (initialize processor) sets the 80287 NPX into a known state, unaffected by any
previous activity. The no-wait form of this instruction will cause the 80287 to abort any previous numeric
operations currently executing in the NEU. This instruction performs the functional equivalent of a
hardware RESET, with one exception; FINIT/FNINIT does not affect the current 80287 operating
mode (either Real-Address mode or Protected mode). FINIT checks for unmasked numeric exceptions,
FNINIT does not.
Note that if FNINIT is executed while a previous 80287 memory-referencing instruction is running,
80287 bus cycles in progress will be aborted. This instruction may be necessary to clear the 80287 if a
Processor Extension Segment Overrun Exception (Interrupt 9) is detected by the CPU.

FSETPM

FSETPM (set Protected mode) sets the operating mode of the 80287 to Protected Virtual-Address
mode. When the 80287 is first initialized following hardware RESET, it operates in Real-Address
mode, just as does the 80286 CPU. Once the 80287 NPX has been set into Protected mode, only a
hardware RESET can return the NPX to operation in Real-Address mode.
When the 80287 operates in Protected mode, the NPX exception pointers are represented differently
than they are in Real-Address mode (see the FSAVE and FSTENV instructions that follow). This
distinction is evident primarily to writers of numeric exception handlers, however. For general application programmers, the operating mode of the 80287 need not be a concern.

FLDCW source

FLDCW (load control word) replaces the current processor control word with the word defined by the
source operand. This instruction is typically used to establish or change the 80287's mode of operation.
Note that if an exception bit in the status word is set, loading a new control word that unmasks that
exception and clears the interrupt enable mask will generate an immediate interrupt request before the
next instruction is executed. When changing modes, the recommended procedure is to first clear any
exceptions and then load the new control word.

FSTCW/FNSTCW destination

FSTCW/FNSTCW (store control word) writes the current processor control word to the memory
location defined by the destination. FSTCW checks for unmasked numeric exceptions, FNSTCW
does not.

FSTSW/FNSTSW destination

FSTSW/FNSTSW (store status word) writes the current value of the 80287 status word to the destination operand in memory. The instruction is used to
• Implement conditional branching following a comparison or FPREM instruction (FSTSW)
• Poll the 80287 to determine if it is busy (FNSTSW)
• Invoke exception handlers in environments that do not use interrupts (FSTSW).

FSTSW checks for unmasked numeric exceptions, FNSTSW does not.
FSTSW AX/FNSTSW AX

FSTSW AX/FNSTSW AX (store status word to AX) is a special 80287 instruction that writes the
current value of the 80287 status word directly into the 80286 AX register. This instruction optimizes
conditional branching in numeric programs, where the 80286 CPU must test the condition of various
NPX status bits. The waited form checks for unmasked numeric exceptions, the non-waited form
does not.
When this instruction is executed, the 80286 AX register is updated with the NPX status word before
the CPU executes any further instructions. In this way, the 80286 can immediately test the NPX status
word without any WAIT or other synchronization instructions required.
FCLEX/FNCLEX

FCLEX/FNCLEX (clear exceptions) clears all exception flags, the error status flag and the busy flag
in the status word. As a consequence, the 80287's ERROR line goes inactive. FCLEX checks for
unmasked numeric exceptions, FNCLEX does not.
FSAVE/FNSAVE destination

FSAVE/FNSAVE (save state) writes the full 80287 state (environment plus register stack) to the
memory location defined by the destination operand. Figure 2-1 shows the layout of the 94-byte save
area; typically the instruction will be coded to save this image on the CPU stack. FNSAVE delays its
execution until all NPX activity completes normally. Thus, the save image reflects the state of the
NPX following the completion of any running instruction. After writing the state image to memory,
FSAVE/FNSAVE initializes the 80287 as if FINIT/FNINIT had been executed.
FSAVE/FNSAVE is useful whenever a program wants to save the current state of the NPX and
initialize it for a new routine. Three examples are
• An operating system needs to perform a context switch (suspend the task that had been running
  and give control to a new task).
• An exception handler needs to use the 80287.
• An application task wants to pass a "clean" 80287 to a subroutine.

FSAVE checks for unmasked numeric errors before executing, FNSAVE does not. An FWAIT should
be executed before CPU interrupts are enabled or any subsequent 80287 instruction is executed. Other
CPU instructions may be executed between the FNSAVE/FSAVE and the FWAIT.

Memory
offset   Protected mode           Real mode
+0       Control word             Control word
+2       Status word              Status word
+4       Tag word                 Tag word
+6       IP offset                Instruction pointer (15-0)
+8       CS selector              Instruction pointer (19-16) in bits 15-12, 0, instruction opcode (10-0)
+10      Data operand offset      Data pointer (15-0)
+12      Data operand selector    Data pointer (19-16) in bits 15-12, 0

Register stack (both modes), addresses increasing:
+14      Significand 15-0         Top stack element: ST
+16      Significand 31-16
+18      Significand 47-32
+20      Significand 63-48
+22      S, Exponent 14-0
+24      Significand 15-0         Next stack element: ST(1)
+26      Significand 31-16
+28      Significand 47-32
+30      Significand 63-48
+32      S, Exponent 14-0
 ...
+84      Significand 15-0         Last stack element: ST(7)
+86      Significand 31-16
+88      Significand 47-32
+90      Significand 63-48
+92      S, Exponent 14-0

NOTES:
S = Sign
Bit 0 of each field is rightmost, least significant bit of corresponding register field.
Bit 63 of significand is integer bit (assumed binary point is immediately to the right).

Figure 2-1. FSAVE/FRSTOR Memory Layout

FRSTOR source

FRSTOR (restore state) reloads the 80287 from the 94-byte memory area defined by the source operand.
This information should have been written by a previous FSAVE/FNSAVE instruction and not altered
by any other instruction. An FWAIT is not required after FRSTOR. FRSTOR will automatically wait
and check for interrupts until all data transfers are completed before continuing to the next instruction.
Note that the 80287 "reacts" to its new state at the conclusion of the FRSTOR; it will, for example,
generate an exception request if the exception and mask bits in the memory image so indicate when
the next WAIT or error-checking-ESC instruction is executed.
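
A parser for the 94-byte image of Figure 2-1, with a check for the case the paragraph above describes: an image whose exception flags and mask bits would make the 80287 request an exception after FRSTOR. This is an added example, not code from the manual; the function names and the sample image are constructed for illustration, and the status and control word bit positions used (exception flags and masks in bits 5-0, stack top in status bits 13-11) are the standard NPX assignments, which this section does not itself list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { FSAVE_SIZE = 94, FSAVE_STACK_OFF = 14, TEMP_REAL_SIZE = 10 };

typedef struct {
    bool     sign;         /* S */
    uint16_t exponent;     /* EXPONENT 14-0 */
    uint64_t significand;  /* SIGNIFICAND 63-0; bit 63 is the integer bit */
} temp_real;

typedef struct {
    uint16_t  control, status, tag;              /* +0, +2, +4 */
    uint16_t  ip_offset, cs_selector;            /* protected mode: +6, +8 */
    uint16_t  operand_offset, operand_selector;  /* protected mode: +10, +12 */
    uint32_t  ip20, operand20;                   /* real mode: 20-bit pointers */
    uint16_t  opcode;                            /* real mode: opcode bits 10-0 */
    temp_real st[8];                             /* st[i] is ST(i) */
} fsave_image;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));  /* words are stored low byte first */
}

/* Returns 0 on success, -1 if the buffer cannot hold a full 94-byte image. */
int fsave_parse(const uint8_t *buf, size_t len, bool protected_mode,
                fsave_image *out)
{
    if (buf == NULL || out == NULL || len < FSAVE_SIZE)
        return -1;
    memset(out, 0, sizeof *out);
    out->control = rd16(buf + 0);
    out->status  = rd16(buf + 2);
    out->tag     = rd16(buf + 4);
    uint16_t w6 = rd16(buf + 6), w8 = rd16(buf + 8);
    uint16_t w10 = rd16(buf + 10), w12 = rd16(buf + 12);
    if (protected_mode) {
        out->ip_offset = w6;       out->cs_selector = w8;
        out->operand_offset = w10; out->operand_selector = w12;
    } else {
        out->ip20      = ((uint32_t)(w8 >> 12) << 16) | w6;
        out->opcode    = w8 & 0x07FF;
        out->operand20 = ((uint32_t)(w12 >> 12) << 16) | w10;
    }
    for (int i = 0; i < 8; i++) {
        const uint8_t *r = buf + FSAVE_STACK_OFF + i * TEMP_REAL_SIZE;
        uint64_t sig = 0;
        for (int b = 7; b >= 0; b--)
            sig = (sig << 8) | r[b];
        uint16_t se = rd16(r + 8);
        out->st[i].significand = sig;
        out->st[i].exponent    = se & 0x7FFF;
        out->st[i].sign        = (se & 0x8000) != 0;
    }
    return 0;
}

/* Exception flags (status bits 5-0) whose mask bit (control bits 5-0) is
 * clear: non-zero means restoring this image leaves an unmasked exception
 * pending for the next WAIT or error-checking ESC instruction. */
unsigned fsave_unmasked_pending(const fsave_image *img)
{
    return (unsigned)img->status & ~(unsigned)img->control & 0x3Fu;
}

unsigned fsave_top(const fsave_image *img)
{
    return (img->status >> 11) & 7u;
}

/* Constructed sample image (not captured from hardware). */
void fsave_sample(uint8_t buf[FSAVE_SIZE])
{
    static const uint8_t env[14] = {
        0x72, 0x03,              /* control 0372h: zero-divide unmasked */
        0x84, 0x38,              /* status 3884h: zero-divide flag, top = 7 */
        0xFF, 0x0F,              /* tag word (constructed) */
        0x34, 0x12, 0xF0, 0xA1,  /* +6, +8 */
        0x78, 0x56, 0x00, 0xB0   /* +10, +12 */
    };
    static const uint8_t one[10]     = { 0,0,0,0,0,0,0,0x80, 0xFF,0x3F }; /* +1.0 */
    static const uint8_t neg_two[10] = { 0,0,0,0,0,0,0,0x80, 0x00,0xC0 }; /* -2.0 */
    memset(buf, 0, FSAVE_SIZE);
    memcpy(buf, env, sizeof env);
    memcpy(buf + FSAVE_STACK_OFF, one, sizeof one);
    memcpy(buf + FSAVE_STACK_OFF + 7 * TEMP_REAL_SIZE, neg_two, sizeof neg_two);
}
```

A task switcher or debugger that accepts a save image from a less trusted source can run the length check and fsave_unmasked_pending before FRSTOR, so that an altered image cannot raise a numeric exception in the restoring code's context.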

FSTENV/FNSTENV destination

FSTENV/FNSTENV (store environment) writes the 80287's basic status (control, status, and tag
words, and exception pointers) to the memory location defined by the destination operand. Typically,
the environment is saved on the CPU stack. FSTENV/FNSTENV is often used by exception handlers
because it provides access to the exception pointers that identify the offending instruction and operand.
After saving the environment, FSTENV/FNSTENV sets all exception masks in the processor. FSTENV
checks for pending errors before executing, FNSTENV does not.
Figure 2-2 shows the format of the environment data in memory. FNSTENV does not store the
environment until all NPX activity has completed. Thus, the data saved by the instruction reflects the
80287 after any previously decoded instruction has been executed. After writing the environment image
to memory, FNSTENV/FSTENV initializes the 80287 state as if FNINIT/FINIT had been executed.

Memory
offset   Protected mode           Real mode
+0       Control word             Control word
+2       Status word              Status word
+4       Tag word                 Tag word
+6       IP offset                Instruction pointer (15-0)
+8       CS selector              Instruction pointer (19-16) in bits 15-12, 0, instruction opcode (10-0)
+10      Data operand offset      Data pointer (15-0)
+12      Data operand selector    Data pointer (19-16) in bits 15-12, 0 in bits 11-0

Figure 2-2. FSTENV/FLDENV Memory Layout

FSTENV/FNSTENV must be allowed to complete before any other 80287 instruction is decoded.
When FSTENV is coded, an explicit FWAIT, or assembler-generated WAIT, should precede any
subsequent 80287 instruction.

FLDENV source

FLDENV (load environment) reloads the environment from the memory area defined by the source
operand. This data should have been written by a previous FSTENV/FNSTENV instruction. CPU
instructions (that do not reference the environment image) may immediately follow FLDENV. An
FWAIT is not required after FLDENV. FLDENV will automatically wait for all data transfers to
complete before executing the next instruction.
Note that loading an environment image that contains an unmasked exception will cause a numeric
exception when the next WAIT or error-checking-ESC instruction is executed.

FINCSTP

FINCSTP (increment stack pointer) adds 1 to the stack top pointer (ST) in the status word. It does
not alter tags or register contents, nor does it transfer data. It is not equivalent to popping the stack,
because it does not set the tag of the previous stack top to empty. Incrementing the stack pointer when
ST=7 produces ST=0.

FDECSTP

FDECSTP (decrement stack pointer) subtracts 1 from ST, the stack top pointer in the status word.
No tags or registers are altered, nor is any data transferred. Executing FDECSTP when ST=0 produces
ST=7.

FFREE destination

FFREE (free register) changes the destination register's tag to empty; the content of the register is
unaffected.

FNOP

FNOP (no operation) stores the stack top to the stack top (FST ST,ST(0)) and thus effectively performs
no operation.

FWAIT (CPU INSTRUCTION)

FWAIT is not actually an 80287 instruction, but an alternate mnemonic for the CPU WAIT instruction. The FWAIT or WAIT mnemonic should be coded whenever the programmer wants to synchronize the CPU to the NPX, that is, to suspend further instruction decoding until the NPX has completed
the current instruction. FWAIT will check for unmasked numeric exceptions.

NOTE
A CPU instruction should not attempt to access a memory operand until the 80287 instruction has completed. For example, the following coding shows how FWAIT can be used to
force the CPU instruction to wait for the 80287:

    FIST    VALUE
    FWAIT               ; Wait for FIST to complete
    MOV     AX,VALUE

More information on when to code an FWAIT instruction is given in a following section of this chapter,
"Concurrent Processing with the 80287."

Instruction Set Reference Information
Table 2-14 later in this chapter lists the operating characteristics of all the 80287 instructions. There
is one table entry for each instruction mnemonic; the entries are in alphabetical order for quick lookup.
Each entry provides the general operand forms accepted by the instruction as well as a list of all
exceptions that may be detected during the operation.
One entry exists for each combination of operand types that can be coded with the mnemonic.
Table 2-12 explains the operand identifiers allowed in table 2-14. Following this entry are columns that
provide execution time in clocks, the number of bus transfers run during the operation, the length of
the instruction in bytes, and an ASM286 coding sample.
Table 2-12. Key to Operand Types

Identifier        Explanation
ST                Stack top; the register currently at the top of the stack.
ST(i)             A register in the stack i (0 ≤ i ≤ 7) stack elements from the top. ST(1) is the next-on-stack register, ST(2) is below ST(1), etc.
Short-real        A short real (32 bits) number in memory.
Long-real         A long real (64 bits) number in memory.
Temp-real         A temporary real (80 bits) number in memory.
Packed-decimal    A packed decimal integer (18 digits, 10 bytes) in memory.
Word-integer      A word binary integer (16 bits) in memory.
Short-integer     A short binary integer (32 bits) in memory.
Long-integer      A long binary integer (64 bits) in memory.
nn-bytes          A memory area nn bytes long.

INSTRUCTION EXECUTION TIME

The execution of an 80287 instruction involves three principal activities, each of which may contribute
to the overall execution time of the instruction:
• 80286 CPU overhead involved in handling the ESC instruction opcode and setting up the 80287 NPX
• Instruction execution by the 80287 NPX
• Operand transfers between the 80287 NPX and memory or a CPU register
The timing of these various activities is affected by the individual clock frequencies of the 80286 CPU
and the 80287 NPX. In addition, slow memories requiring the insertion of wait states in bus cycles,
and bus contention due to other processors in the system, may lengthen operand transfer times.
In calculating an overall execution time for an individual numeric instruction, analysts must take each
of these activities into account. In most cases, it can be assumed that the numeric instructions have
already been prefetched by the 80286 and are awaiting execution.
• The CPU overhead in handling the ESC instruction opcode takes only a single CPU bus cycle
  before the 80287 begins its execution of the numeric instruction. The timing of this bus cycle is
  determined by the CPU clock. Additional CPU activity is required to set up the 80287's instruction
  and data pointer registers, but this activity occurs after the 80287 has begun executing its instruction, and so this parallel activity does not affect total execution time.
• The duration of individual numeric instructions executing on the 80287 varies for each instruction.
  Table 2-14 quotes a typical execution clock count and a range for each 80287 instruction. Dividing
  the figures in the table by 10 (for a 10-MHz 80287 NPX clock) produces an execution time in
  microseconds. The typical case is an estimate for operand values that normally characterize most
  applications. The range encompasses best- and worst-case operand values that may be found in
  extreme circumstances.
• The operand transfer time required to transfer operands between the 80287 and memory or a CPU
  register depends on the number of words to be transferred, the frequency of the CPU clock controlling bus timing, the number of wait states added to accommodate slower memories, and whether
  operands are based at even or odd memory addresses. Some (small) additional number of bus cycles
  may also be lost due to the asynchronous nature of the PEREQ/PEACK handshaking between the
  80286 and 80287, and this interaction varies with relative frequencies of the CPU and NPX clocks.

The execution clock counts for the NPX execution of instructions shown in table 2-14 assume that no
exceptions are detected during execution. Invalid operation, denormalized operand (unmasked), and
zero divide exceptions usually decrease execution time from the typical figure, but execution still falls
within the indicated range. The precision exception has no effect on execution time. Unmasked overflow
and underflow, and masked denormalized exceptions impose additional execution penalties as shown
in table 2-13. Absolute worst-case execution times are therefore the high range figure plus the largest
penalty that may be encountered.
Table 2-13. Execution Penalties

Exception                Additional Clocks
Overflow (unmasked)      14
Underflow (unmasked)     16
Denormalized (masked)    33

BUS TRANSFERS

NPX instructions that reference memory require bus cycles to transfer operands between the NPX and
memory. The actual number of transfers depends on the length of the operand and the alignment of
the operand in memory. In table 2-14, the first figure gives execution clocks for even-addressed operands,
while the second gives the clock count for odd-addressed operands.
For operands aligned at word boundaries, that is, based at even memory addresses, each word to be
transferred requires one bus cycle between the 80286 data channel and memory, and one bus cycle to
the NPX. For operands based at odd memory addresses, each word transfer requires two bus cycles to
transfer individual bytes between the 80286 data channel and memory, and one bus cycle to the NPX.

NOTE
For best performance, operands for the 80287 should be aligned along word boundaries; that
is, based at even memory addresses. Operands based at odd memory addresses are transferred
to memory essentially byte-at-a-time and may take half again as long to transfer as word-aligned operands.
Additional transfer time is required if slow memories are being used, requiring the insertion of wait
states into the CPU bus cycle. In multiprocessor environments, the bus may not be available immediately; this overhead can also increase effective transfer time.
INSTRUCTION LENGTH

80287 instructions that do not reference memory are two bytes long. Memory reference instructions
vary between two and four bytes. The third and fourth bytes are for the 8- or 16-bit displacement
values used in conjunction with the standard 80286 memory-addressing modes.
Note that the lengths quoted in table 2-14 for the processor control instructions (FNINIT, FNSTCW,
FNSTSW, FNSTSW AX, FNCLEX, FNSTENV, and FNSA VE) do not include the one-byte CPU
wait instruction inserted by the ASM286 assembler if the control instruction is coded using the wait
form of the mnemonic (e.g. FINIT, FSTCW, FSTSW, FSTSW AX, FCLEX, FSTENV, and FSAVE).
wait and no-wait forms of the processor control instructions have been described in the preceding section
titled "Processor Control Instructions."

Table 2-14. Instruction Set Reference Data

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FABS (no operands)
  Absolute value. Exceptions: I
  (no operands)           14       10-17      0              2       FABS

FADD //source/destination,source
  Add real. Exceptions: I, D, O, U, P
  //ST,ST(i)/ST(i),ST     85       70-100     0              2       FADD ST,ST(4)
  short-real              105      90-120     2              2-4     FADD AIR_TEMP [SI]
  long-real               110      95-125     4              2-4     FADD [BX].MEAN

FADDP destination, source
  Add real and pop. Exceptions: I, D, O, U, P
  ST(i),ST                90       75-105     0              2       FADDP ST(2),ST

FBLD source
  Packed decimal (BCD) load. Exceptions: I
  packed-decimal          300      290-310    5              2-4     FBLD YTD_SALES

FBSTP destination
  Packed decimal (BCD) store and pop. Exceptions: I
  packed-decimal          530      520-540    5              2-4     FBSTP [BX].FORECAST

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FCHS (no operands)
  Change sign. Exceptions: I
  (no operands)           15       10-17      0              2       FCHS

FCLEX/FNCLEX (no operands)
  Clear exceptions. Exceptions: None
  (no operands)           5        2-8        0              2       FNCLEX

FCOM //source
  Compare real. Exceptions: I, D
  //ST(i)                 45       40-50      0              2       FCOM ST(1)
  short-real              65       60-70      2              2-4     FCOM [BP].UPPER_LIMIT
  long-real               70       65-75      4              2-4     FCOM WAVELENGTH

FCOMP //source
  Compare real and pop. Exceptions: I, D
  //ST(i)                 47       42-52      0              2       FCOMP ST(2)
  short-real              68       63-73      2              2-4     FCOMP [BP + 2].N_READINGS
  long-real               72       67-77      4              2-4     FCOMP DENSITY

FCOMPP (no operands)
  Compare real and pop twice. Exceptions: I, D
  (no operands)           50       45-55      0              2       FCOMPP

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FDECSTP (no operands)
  Decrement stack pointer. Exceptions: None
  (no operands)           9        6-12       0              2       FDECSTP

FDIV //source/destination,source
  Divide real. Exceptions: I, D, Z, O, U, P
  //ST(i),ST              198      193-203    0              2       FDIV
  short-real              220      215-225    2              2-4     FDIV DISTANCE
  long-real               225      220-230    4              2-4     FDIV ARC [DI]

FDIVP destination, source
  Divide real and pop. Exceptions: I, D, Z, O, U, P
  ST(i),ST                202      197-207    0              2       FDIVP ST(4),ST

FDIVR //source/destination, source
  Divide real reversed. Exceptions: I, D, Z, O, U, P
  //ST,ST(i)/ST(i),ST     199      194-204    0              2       FDIVR ST(2),ST
  short-real              221      216-226    2              2-4     FDIVR [BX].PULSE_RATE
  long-real               226      221-231    4              2-4     FDIVR RECORDER.FREQUENCY

FDIVRP destination, source
  Divide real reversed and pop. Exceptions: I, D, Z, O, U, P
  ST(i),ST                203      198-208    0              2       FDIVRP ST(1),ST

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FFREE destination
  Free register. Exceptions: None
  ST(i)                   11       9-16       0              2       FFREE ST(1)

FIADD source
  Integer add. Exceptions: I, D, O, P
  word-integer            120      102-137    1              2-4     FIADD DISTANCE_TRAVELLED
  short-integer           125      108-143    2              2-4     FIADD PULSE_COUNT [SI]

FICOM source
  Integer compare. Exceptions: I, D
  word-integer            80       72-86      1              2-4     FICOM TOOL.N_PASSES
  short-integer           85       78-91      2              2-4     FICOM [BP+4].PARM_COUNT

FICOMP source
  Integer compare and pop. Exceptions: I, D
  word-integer            82       74-88      1              2-4     FICOMP [BP].LIMIT [SI]
  short-integer           87       80-93      2              2-4     FICOMP N_SAMPLES

FIDIV source
  Integer divide. Exceptions: I, D, Z, O, U, P
  word-integer            230      224-238    1              2-4     FIDIV SURVEY.OBSERVATIONS
  short-integer           236      230-243    2              2-4     FIDIV RELATIVE_ANGLE [DI]

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FIDIVR source
  Integer divide reversed. Exceptions: I, D, Z, O, U, P
  word-integer            230      225-239    1              2-4     FIDIVR [BP].X_COORD
  short-integer           237      231-245    2              2-4     FIDIVR FREQUENCY

FILD source
  Integer load. Exceptions: I
  word-integer            50       46-54      1              2-4     FILD [BX].SEQUENCE
  short-integer           56       52-60      2              2-4     FILD STANDOFF [DI]
  long-integer            64       60-68      4              2-4     FILD RESPONSE.COUNT

FIMUL source
  Integer multiply. Exceptions: I, D, O, P
  word-integer            130      124-138    1              2-4     FIMUL BEARING
  short-integer           136      130-144    2              2-4     FIMUL POSITION.Z_AXIS

FINCSTP (no operands)
  Increment stack pointer. Exceptions: None
  (no operands)           9        6-12       0              2       FINCSTP

FINIT/FNINIT (no operands)
  Initialize processor. Exceptions: None
  (no operands)           5        2-8        0              2       FINIT

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FIST destination
  Integer store. Exceptions: I, P
  word-integer            86       80-90      1              2-4     FIST OBS.COUNT[SI]
  short-integer           88       82-92      2              2-4     FIST [BP].FACTORED_PULSES

FISTP destination
  Integer store and pop. Exceptions: I, P
  word-integer            88       82-92      1              2-4     FISTP [BX].ALPHA_COUNT [SI]
  short-integer           90       84-94      2              2-4     FISTP CORRECTED_TIME
  long-integer            100      94-105     4              2-4     FISTP PANEL.N_READINGS

FISUB source
  Integer subtract. Exceptions: I, D, O, P
  word-integer            120      102-137    1              2-4     FISUB BASE_FREQUENCY
  short-integer           125      108-143    2              2-4     FISUB TRAIN_SIZE [DI]

FISUBR source
  Integer subtract reversed. Exceptions: I, D, O, P
  word-integer            120      103-139    1              2-4     FISUBR FLOOR [BX] [SI]
  short-integer           125      109-144    2              2-4     FISUBR BALANCE

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FLD source
  Load real. Exceptions: I, D
  ST(i)                   20       17-22      0              2       FLD ST(0)
  short-real              43       38-56      2              2-4     FLD READING [SI].PRESSURE
  long-real               46       40-60      4              2-4     FLD [BP].TEMPERATURE
  temp-real               57       53-65      5              2-4     FLD SAVEREADING

FLDCW source
  Load control word. Exceptions: None
  2-bytes                 10       7-14       1              2-4     FLDCW CONTROLWORD

FLDENV source
  Load environment. Exceptions: None
  14-bytes                40       35-45      7              2-4     FLDENV [BP + 6]

FLDLG2 (no operands)
  Load log₁₀ 2. Exceptions: I
  (no operands)           21       18-24      0              2       FLDLG2

FLDLN2 (no operands)
  Load logₑ 2. Exceptions: I
  (no operands)           20       17-23      0              2       FLDLN2

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FLDL2E (no operands)
  Load log₂ e. Exceptions: I
  (no operands)           18       15-21      0              2       FLDL2E

FLDL2T (no operands)
  Load log₂ 10. Exceptions: I
  (no operands)           19       16-22      0              2       FLDL2T

FLDPI (no operands)
  Load π. Exceptions: I
  (no operands)           19       16-22      0              2       FLDPI

FLDZ (no operands)
  Load +0.0. Exceptions: I
  (no operands)           14       11-17      0              2       FLDZ

FLD1 (no operands)
  Load +1.0. Exceptions: I
  (no operands)           18       15-21      0              2       FLD1

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FMUL //source/destination,source
  Multiply real. Exceptions: I, D, O, U, P
  //ST(i),ST/ST,ST(i)¹    97       90-105     0              2       FMUL ST,ST(3)
  //ST(i),ST/ST,ST(i)     138      130-145    0              2       FMUL ST,ST(3)
  short-real              118      110-125    2              2-4     FMUL SPEED_FACTOR
  long-real¹              120      112-126    4              2-4     FMUL [BP].HEIGHT
  long-real               161      154-168    4              2-4     FMUL [BP].HEIGHT

FMULP destination, source
  Multiply real and pop. Exceptions: I, D, O, U, P
  ST(i),ST¹               100      94-108     0              2       FMULP ST(1),ST
  ST(i),ST                142      134-148    0              2       FMULP ST(1),ST

FNOP (no operands)
  No operation. Exceptions: None
  (no operands)           13       10-16      0              2       FNOP

FPATAN (no operands)
  Partial arctangent. Exceptions: U, P (operands not checked)
  (no operands)           650      250-800    0              2       FPATAN

FPREM (no operands)
  Partial remainder. Exceptions: I, D, U
  (no operands)           125      15-190     0              2       FPREM

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FPTAN (no operands)
  Partial tangent. Exceptions: I, P (operands not checked)
  (no operands)           450      30-540     0              2       FPTAN

FRNDINT (no operands)
  Round to integer. Exceptions: I, P
  (no operands)           45       16-50      0              2       FRNDINT

FRSTOR source
  Restore saved state. Exceptions: None
  94-bytes                ²                   47             2-4     FRSTOR [BP]

FSAVE/FNSAVE destination
  Save state. Exceptions: None
  94-bytes                ³                   47             2-4     FSAVE [BP]

FSCALE (no operands)
  Scale. Exceptions: I, O, U
  (no operands)           35       32-38      0              2       FSCALE

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FSETPM (no operands)
  Set protected mode. Exceptions: None
  (no operands)                    2-8        0              2       FSETPM

FSQRT (no operands)
  Square root. Exceptions: I, D, P
  (no operands)           183      180-186    0              2       FSQRT

FST destination
  Store real. Exceptions: I, O, U, P
  ST(i)                   18       15-22      0              2       FST ST(3)
  short-real              87       84-90      2              2-4     FST CORRELATION [DI]
  long-real               100      96-104     4              2-4     FST MEAN_READING

FSTCW/FNSTCW destination
  Store control word. Exceptions: None
  2-bytes                 15       12-18      1              2-4     FSTCW SAVE_CONTROL

FSTENV/FNSTENV destination
  Store environment. Exceptions: None
  14-bytes                45       40-50      7              2-4     FSTENV [BP]

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FSTP destination
  Store real and pop. Exceptions: I, O, U, P
  ST(i)                   20       17-24      0              2       FSTP ST(2)
  short-real              89       86-92      2              2-4     FSTP [BX].ADJUSTED_RPM
  long-real               102      98-106     4              2-4     FSTP TOTAL_DOSAGE
  temp-real               55       52-58      5              2-4     FSTP REG_SAVE [SI]

FSTSW/FNSTSW destination
  Store status word. Exceptions: None
  2-bytes                 15       12-18      1              2-4     FSTSW SAVE_STATUS

FSTSW AX/FNSTSW AX
  Store status word to AX. Exceptions: None
  AX                               10-16      1              2       FSTSW AX

FSUB //source/destination,source
  Subtract real. Exceptions: I, D, O, U, P
  //ST,ST(i)/ST(i),ST     85       70-100     0              2       FSUB ST,ST(2)
  short-real              105      90-120     2              2-4     FSUB BASE_VALUE
  long-real               110      95-125     4              2-4     FSUB COORDINATE.X

FSUBP destination, source
  Subtract real and pop. Exceptions: I, D, O, U, P
  ST(i),ST                90       75-105     0              2       FSUBP ST(2),ST

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FSUBR //source/destination, source
  Subtract real reversed. Exceptions: I, D, O, U, P
  //ST,ST(i)/ST(i),ST     87       70-100     0              2       FSUBR ST,ST(1)
  short-real              105      90-120     2              2-4     FSUBR VECTOR[SI]
  long-real               110      95-125     4              2-4     FSUBR [BX].INDEX

FSUBRP destination, source
  Subtract real reversed and pop. Exceptions: I, D, O, U, P
  ST(i),ST                90       75-105     0              2       FSUBRP ST(1),ST

FTST (no operands)
  Test stack top against +0.0. Exceptions: I, D
  (no operands)           42       38-48      0              2       FTST

FWAIT (no operands)
  (CPU) Wait while 80287 is busy. Exceptions: None (CPU instruction)
  (no operands)           3+5n⁴    3+5n⁴      0              1       FWAIT

FXAM (no operands)
  Examine stack top. Exceptions: None
  (no operands)           17       12-23      0              2       FXAM

                          Execution Clocks    Operand Word   Code
  Operands                Typical  Range      Transfers      Bytes   Coding Example

FXCH //destination
  Exchange registers. Exceptions: I
  //ST(i)                 12       10-15      0              2       FXCH ST(2)

FXTRACT (no operands)
  Extract exponent and significand. Exceptions: I
  (no operands)           50       27-55      0              2       FXTRACT

FYL2X (no operands)
  Y · log₂ X. Exceptions: P (operands not checked)
  (no operands)           950      900-1100   0              2       FYL2X

FYL2XP1 (no operands)
  Y · log₂ (X + 1). Exceptions: P (operands not checked)
  (no operands)           850      700-1000   0              2       FYL2XP1

F2XM1 (no operands)
  2^X - 1. Exceptions: U, P (operands not checked)
  (no operands)           500      310-630    0              2       F2XM1

¹ Occurs when one or both operands is "short"; that is, it has 40 trailing zeros in its fraction (e.g., it was loaded
from a short-real memory operand).
² The 80287 execution clock count for this instruction is not meaningful in determining overall instruction
execution time. For typical frequency ratios of the 80286 and 80287 clocks, 80287 execution occurs in
parallel with the operand transfers, with the operand transfers determining the overall execution time of
the instruction. For 80286:80287 clock frequency ratios of 4:8, 1:1, and 8:5, the overall execution clock
count for this instruction is estimated at 490, 302, and 227 80287 clocks, respectively.
³ The 80287 execution clock count for this instruction is not meaningful in determining overall instruction
execution time. For typical frequency ratios of the 80286 and 80287 clocks, 80287 execution occurs in
parallel with the operand transfers, with the operand transfers determining the overall execution time of
the instruction. For 80286:80287 clock frequency ratios of 4:8, 1:1, and 8:5, the overall execution clock
count for this instruction is estimated at 376, 233, and 174 80287 clocks, respectively.
⁴ n = number of times CPU examines BUSY line before 80287 completes execution of previous instruction.

PROGRAMMING FACILITIES
As described previously, the 80287 NPX is programmed simply as an extension of the 80286 CPU.
This section describes how programmers in ASM286 and in a variety of higher-level languages can
work with the 80287.
The level of detail in this section is intended to give programmers a basic understanding of the software
tools that can be used with the 80287, but this information does not document the full capabilities of
these facilities. For a complete list of documentation on all the languages available for 80286 systems,
readers should consult Intel's Literature Guide.

High-Level Languages
For programmers using high-level languages, the programming and operation of the NPX is handled
automatically by the compiler. A variety of Intel high-level languages are available that automatically
make use of the 80287 NPX when appropriate. These languages include:
• PL/M-286
• FORTRAN-286
• PASCAL-286
• C-286
Each of these high-level languages has special numeric libraries allowing programs to take advantage
of the capabilities of the 80287 NPX. No special programming conventions are necessary to make use
of the 80287 NPX when programming numeric applications in any of these languages.
Programmers in PL/M-286 and ASM286 can also make use of many of these library routines by using
routines contained in the 80287 Support Library, described in the 80287 Support Library Reference
Manual, Order Number 122129. These library routines provide many of the functions provided by
higher-level languages, including exception handlers, ASCII-to-floating-point conversions, and a more
complete set of transcendental functions than that provided by the 80287 instruction set.

PL/M-286
Programmers in PL/M-286 can access a very useful subset of the 80287's numeric capabilities. The
PL/M-286 REAL data type corresponds to the NPX's short real (32-bit) format. This data type provides
a range of about 8.43*10^-37 ≤ ABS(X) ≤ 3.38*10^38, with about seven significant decimal digits. This
representation is adequate for the data manipulated by many microcomputer applications.
The utility of the REAL data type is extended by the PL/M-286 compiler's practice of holding intermediate results in the 80287's temporary real format. This means that the full range and precision of
the processor are utilized for intermediate results. Underflow, overflow, and rounding errors are most
likely to occur during intermediate computations rather than during calculation of an expression's final
result. Holding intermediate results in temporary real format greatly reduces the likelihood of overflow
and underflow and eliminates roundoff as a serious source of error until the final assignment of the
result is performed.
The compiler generates 80287 code to evaluate expressions that contain REAL data types, whether
variables or constants or both. This means that addition, subtraction, multiplication, division, comparison, and assignment of REALs will be performed by the NPX. INTEGER expressions, on the other
hand, are evaluated on the CPU.
Five built-in procedures (table 2-15) give the PL/M-286 programmer access to 80287 functions manipulated by the processor control instructions. Prior to any arithmetic operations, a typical PL/M-286
program will set up the NPX after power up using the INIT$REAL$MATH$UNIT procedure and
then issue SET$REAL$MODE to configure the NPX. SET$REAL$MODE loads the 80287 control
word, and its 16-bit parameter has the format shown in figure 1-5. The recommended value of this
parameter is 033EH (projective closure, round to nearest, 64-bit precision, all exceptions masked except
invalid operation). Other settings may be used at the programmer's discretion.
If any exceptions are unmasked, an exception handler must be provided in the form of an interrupt
procedure that is designated to be invoked by CPU interrupt pointer (vector) number 16. The exception handler can use the GET$REAL$ERROR procedure to obtain the low-order byte of the 80287
status word and to then clear the exception flags. The byte returned by GET$REAL$ERROR contains
the exception flags; these can be examined to determine the source of the exception.
Table 2-15. PL/M-286 Built-In Procedures

Procedure                 80287 Instruction    Description
INIT$REAL$MATH$UNIT(1)    FINIT                Initialize processor.
SET$REAL$MODE             FLDCW                Set exception masks, rounding precision, and infinity controls.
GET$REAL$ERROR(2)         FNSTSW & FNCLEX      Store, then clear, exception flags.
SAVE$REAL$STATUS          FNSAVE               Save processor state.
RESTORE$REAL$STATUS       FRSTOR               Restore processor state.

(1) Also initializes interrupt pointers for emulation.
(2) Returns low-order byte of status word.

The SAVE$REAL$STATUS and RESTORE$REAL$STATUS procedures are provided for multitasking environments where a running task that uses the 80287 may be preempted by another task that
also uses the 80287. It is the responsibility of the preempting task to issue SAVE$REAL$STATUS
before it executes any statements that affect the 80287; these include the INIT$REAL$MATH$UNIT
and SET$REAL$MODE procedures as well as arithmetic expressions. SAVE$REAL$STATUS saves
the 80287 state (registers, status, and control words, etc.) on the CPU's stack.
RESTORE$REAL$STATUS reloads the state information; the preempting task must invoke this
procedure before terminating in order to restore the 80287 to its state at the time the running task was
preempted. This enables the preempted task to resume execution from the point of its preemption.
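
The recommended SET$REAL$MODE parameter and the byte returned by GET$REAL$ERROR can be decoded as shown below. This is an added C example, not code from the manual; the function names are hypothetical, and the control-word bit positions (exception masks in bits 0-5, precision control in bits 8-9, rounding control in bits 10-11, infinity control in bit 12) are the standard 80287 layout, assumed here because figure 1-5 is not reproduced in this section.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exception bits: the same positions act as masks in the control word
   and as flags in the low-order byte of the status word. */
#define EX_INVALID    0x01u  /* I */
#define EX_DENORMAL   0x02u  /* D */
#define EX_ZERODIVIDE 0x04u  /* Z */
#define EX_OVERFLOW   0x08u  /* O */
#define EX_UNDERFLOW  0x10u  /* U */
#define EX_PRECISION  0x20u  /* P */
#define EX_ALL        0x3Fu
#define SW_INT_REQ    0x80u  /* interrupt request, bit 7 of the status word */

struct control_word {
    unsigned masks;      /* bits 0-5: 1 = exception masked */
    unsigned precision;  /* bits 8-9: 0 = 24-bit, 2 = 53-bit, 3 = 64-bit */
    unsigned rounding;   /* bits 10-11: 0 = nearest, 1 = down, 2 = up, 3 = chop */
    unsigned infinity;   /* bit 12: 0 = projective, 1 = affine */
};

/* Split a 16-bit control word (the SET$REAL$MODE parameter) into its fields. */
struct control_word decode_control_word(uint16_t cw)
{
    struct control_word f;
    f.masks     = cw & EX_ALL;
    f.precision = (cw >> 8) & 3u;
    f.rounding  = (cw >> 10) & 3u;
    f.infinity  = (cw >> 12) & 1u;
    return f;
}

/* Rebuild the control word from its fields. */
uint16_t encode_control_word(struct control_word f)
{
    return (uint16_t)((f.masks & EX_ALL) | ((f.precision & 3u) << 8) |
                      ((f.rounding & 3u) << 10) | ((f.infinity & 1u) << 12));
}

/* Exceptions that are flagged in the status byte and not masked in the
   control word: the ones an interrupt-16 handler has to deal with. */
unsigned unmasked_pending(uint16_t cw, uint8_t status_low)
{
    return status_low & ~(unsigned)cw & EX_ALL;
}

/* Write the letters (I, D, Z, O, U, P) of the set bits; returns the count. */
size_t exception_letters(unsigned bits, char *out, size_t outlen)
{
    static const char letters[] = "IDZOUP";
    size_t n = 0;
    unsigned i;
    for (i = 0; i < 6; i++)
        if ((bits & (1u << i)) && n + 1 < outlen)
            out[n++] = letters[i];
    if (outlen)
        out[n] = '\0';
    return n;
}

int main(void)
{
    static const char *const prec[] = { "24-bit", "reserved", "53-bit", "64-bit" };
    static const char *const rnd[]  = { "nearest", "down", "up", "chop" };
    struct control_word f = decode_control_word(0x033E);
    uint8_t status_low = 0x85;  /* constructed sample: INT_REQ, Z and I set */
    char masked[8], pending[8];

    exception_letters(f.masks, masked, sizeof masked);
    printf("033EH: masked=%s precision=%s rounding=%s infinity=%s\n",
           masked, prec[f.precision], rnd[f.rounding],
           f.infinity ? "affine" : "projective");

    exception_letters(unmasked_pending(0x033E, status_low), pending, sizeof pending);
    printf("status byte %02XH: int_req=%d unmasked pending=%s\n",
           (unsigned)status_low, (status_low & SW_INT_REQ) != 0, pending);
    return 0;
}
```

With the recommended control word, a zero-divide flag alone never reaches the handler because it is masked; only the invalid-operation flag does.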

ASM286
The ASM286 assembly language provides programmers with complete access to all of the facilities
of the 80286 and 80287 processors.
The programmer's view of the 80286/80287 hardware is a single machine with these resources:
• 160 instructions
• 12 data types
• 8 general registers
• 4 segment registers
• 8 floating-point registers, organized as a stack
DEFINING DATA

The ASM286 directives shown in table 2-16 allocate storage for 80287 variables and constants. As
with other storage allocation directives, the assembler associates a type with any variable defined with
these directives. The type value is equal to the length of the storage unit in bytes (10 for DT, 8 for
DQ, etc.). The assembler checks the type of any variable coded in an instruction to be certain that it
is compatible with the instruction. For example, the coding FIADD ALPHA will be flagged as an
error if ALPHA's type is not 2 or 4, because integer addition is only available for word and short
integer data types. The operand's type also tells the assembler which machine instruction to produce;
although to the programmer there is only an FIADD instruction, a different machine instruction is
required for each operand type.
On occasion it is desirable to use an instruction with an operand that has no declared type. For example,
if register BX points to a short integer variable, a programmer may want to code FIADD [BX]. This
can be done by informing the assembler of the operand's type in the instruction, coding FIADD DWORD
PTR [BX]. The corresponding overrides for the other storage allocations are WORD PTR, QWORD
PTR, and TBYTE PTR.

Directive    Interpretation       Data Types
DW           Define Word          Word integer
DD           Define Doubleword    Short integer, short real
DQ           Define Quadword      Long integer, long real
DT           Define Tenbyte       Packed decimal, temporary real


The assembler does not, however, check the types of operands used in processor control instructions.
Coding FRSTOR [BP] implies that the programmer has set up register BP to point to the stack location
where the processor's 94-byte state record has been previously saved.
The initial values for 80287 constants may be coded in several different ways. Binary integer constants
may be specified as bit strings, decimal integers, octal integers, or hexadecimal strings. Packed decimal
values are normally written as decimal integers, although the assembler will accept and convert other
representations of integers. Real values may be written as ordinary decimal real numbers (decimal
point required), as decimal numbers in scientific notation, or as hexadecimal strings. Using hexadecimal strings is primarily intended for defining special values such as infinities, NaNs, and nonnormalized numbers. Most programmers will find that ordinary decimal and scientific decimal provide the
simplest way to initialize 80287 constants. Figure 2-3 compares several ways of setting the various
80287 data types to the same initial value.
Note that preceding 80287 variables and constants with the ASM286 EVEN directive ensures that the
operands will be word-aligned in memory. This will produce the best system performance. All 80287
data types occupy integral numbers of words so that no storage is "wasted" if blocks of variables are
defined together and preceded by a single EVEN declarative.
RECORDS AND STRUCTURES

The ASM286 RECORD and STRUC (structure) declaratives can be very useful in NPX programming. The record facility can be used to define the bit fields of the control, status, and tag words.
Figure 2-4 shows one definition of the status word and how it might be used in a routine that polls the
80287 until it has completed an instruction.
Because STRUCtures allow different but related data types to be grouped together, they often provide
a natural way to represent "real world" data organizations. The fact that the structure template may
be "moved" about in memory adds to its flexibility. Figure 2-5 shows a simple structure that might be
used to represent data consisting of a series of test score samples. A structure could also be used to
define the organization of the information stored and loaded by the FSTENV and FLDENV instructions.

; THE FOLLOWING ALL ALLOCATE THE CONSTANT: -126
; NOTE TWO'S COMPLEMENT STORAGE OF NEGATIVE BINARY INTEGERS.
                EVEN                            ; FORCE WORD ALIGNMENT
WORD_INTEGER    DW      1111111110000010B       ; BIT STRING
SHORT_INTEGER   DD      0FFFFFF82H              ; HEX STRING MUST START
                                                ; WITH DIGIT
LONG_INTEGER    DQ      -126                    ; ORDINARY DECIMAL
SHORT_REAL      DD      -126.0                  ; NOTE PRESENCE OF '.'
LONG_REAL       DQ      -1.26E2                 ; "SCIENTIFIC"
PACKED_DECIMAL  DT      -126                    ; ORDINARY DECIMAL INTEGER
; IN THE FOLLOWING, SIGN AND EXPONENT IS 'C005'
; SIGNIFICAND IS 'FC00...00', 'R' INFORMS ASSEMBLER THAT
; THE STRING REPRESENTS A REAL DATA TYPE.
                DT      0C005FC00000000000000R  ; HEX STRING

Figure 2-3. Sample 80287 Constants

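
The bit patterns that the constant -126 takes in each 80287 data type of Figure 2-3 can be checked with the C program below. It is an added example, not code from the manual; the function names are hypothetical, and the short- and long-real encodings assume the host's float and double are IEEE 754 single and double.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render n little-endian bytes as hex, most significant byte first
   (the digit order used when writing a hexadecimal constant). */
void hex_msb_first(const uint8_t *b, size_t n, char *out)
{
    static const char digits[] = "0123456789ABCDEF";
    size_t i;
    for (i = 0; i < n; i++) {
        uint8_t v = b[n - 1 - i];
        out[2 * i]     = digits[v >> 4];
        out[2 * i + 1] = digits[v & 0x0F];
    }
    out[2 * n] = '\0';
}

/* Word and short integers are plain two's complement. */
uint16_t word_integer_bits(int16_t v)  { return (uint16_t)v; }
uint32_t short_integer_bits(int32_t v) { return (uint32_t)v; }

/* Short real (32-bit) and long real (64-bit); assumes an IEEE 754 host. */
uint32_t short_real_bits(float v)  { uint32_t u; memcpy(&u, &v, sizeof u); return u; }
uint64_t long_real_bits(double v)  { uint64_t u; memcpy(&u, &v, sizeof u); return u; }

/* Packed decimal: 18 BCD digits in bytes 0-8, sign in bit 7 of byte 9.
   Returns -1 if the magnitude needs more than 18 digits. */
int packed_decimal(int64_t v, uint8_t out[10])
{
    uint64_t mag = v < 0 ? (uint64_t)0 - (uint64_t)v : (uint64_t)v;
    int i;
    if (mag > 999999999999999999ull)
        return -1;
    for (i = 0; i < 9; i++) {
        unsigned lo = (unsigned)(mag % 10); mag /= 10;
        unsigned hi = (unsigned)(mag % 10); mag /= 10;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    out[9] = v < 0 ? 0x80 : 0x00;
    return 0;
}

/* Temporary real: 64-bit significand with an explicit integer bit in
   bytes 0-7, then sign and 15-bit exponent (bias 16383) in bytes 8-9. */
void temp_real(int64_t v, uint8_t out[10])
{
    uint64_t mag = v < 0 ? (uint64_t)0 - (uint64_t)v : (uint64_t)v;
    uint16_t sign_exp = v < 0 ? 0x8000u : 0u;
    int i;
    if (mag != 0) {
        int exp = 63;                       /* weight of bit 63 before shifting */
        while (!(mag & 0x8000000000000000ull)) {
            mag <<= 1;                      /* normalize: integer bit must be 1 */
            exp--;
        }
        sign_exp |= (uint16_t)(16383 + exp);
    }
    for (i = 0; i < 8; i++)
        out[i] = (uint8_t)(mag >> (8 * i));
    out[8] = (uint8_t)(sign_exp & 0xFF);
    out[9] = (uint8_t)(sign_exp >> 8);
}

int main(void)
{
    uint8_t b[10];
    char hex[21];

    printf("word integer   %04X\n", (unsigned)word_integer_bits(-126));
    printf("short integer  %08lX\n", (unsigned long)short_integer_bits(-126));
    printf("short real     %08lX\n", (unsigned long)short_real_bits(-126.0f));
    printf("long real      %016llX\n", (unsigned long long)long_real_bits(-126.0));
    packed_decimal(-126, b);
    hex_msb_first(b, 10, hex);
    printf("packed decimal %s\n", hex);
    temp_real(-126, b);
    hex_msb_first(b, 10, hex);
    printf("temporary real %s\n", hex);
    return 0;
}
```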

; RESERVE SPACE FOR STATUS WORD
STATUS_WORD     DW      ?
; LAY OUT STATUS WORD FIELDS
STATUS          RECORD
&               BUSY:           1,
&               COND_CODE3:     1,
&               STACK_TOP:      3,
&               COND_CODE2:     1,
&               COND_CODE1:     1,
&               COND_CODE0:     1,
&               INT_REQ:        1,
&               RESERVED:       1,
&               P_FLAG:         1,
&               U_FLAG:         1,
&               O_FLAG:         1,
&               Z_FLAG:         1,
&               D_FLAG:         1,
&               I_FLAG:         1
; POLL STATUS WORD UNTIL 80287 IS NOT BUSY
POLL:           FNSTSW  STATUS_WORD
                TEST    STATUS_WORD, MASK BUSY
                JNZ     POLL

Figure 2-4. Status Word RECORD Definition

SAMPLE          STRUC
N_OBS           DD      ?               ; SHORT INTEGER
MEAN            DQ      ?               ; LONG REAL
MODE            DW      ?               ; WORD INTEGER
STD_DEV         DQ      ?               ; LONG REAL
; ARRAY OF OBSERVATIONS -- WORD INTEGER
TEST_SCORES     DW      1000 DUP (?)
SAMPLE          ENDS

Figure 2-5. Structure Definition

ADDRESSING MODES

80287 memory data can be accessed with any of the CPU's five memory addressing modes. This means
that 80287 data types can be incorporated in data aggregates ranging from simple to complex according to the needs of the application. The addressing modes, and the ASM286 notation used to specify
them in instructions, make the accessing of structures, arrays, arrays of structures, and other organizations direct and straightforward. Table 2-17 gives several examples of 80287 instructions coded with
operands that illustrate different addressing modes.

Table 2-17. Addressing Mode Examples

Coding                       Interpretation
FIADD ALPHA                  ALPHA is a simple scalar (mode is direct).
FDIVR ALPHA.BETA             BETA is a field in a structure that is "overlaid" on ALPHA (mode is direct).
FMUL  QWORD PTR [BX]         BX contains the address of a long real variable (mode is register indirect).
FSUB  ALPHA [SI]             ALPHA is an array and SI contains the offset of an array element from the start of the array (mode is indexed).
FILD  [BP].BETA              BP contains the address of a structure on the CPU stack and BETA is a field in the structure (mode is based).
FBLD  TBYTE PTR [BX] [DI]    BX contains the address of a packed decimal array and DI contains the offset of an array element (mode is based indexed).

Comparative Programming Example
Figures 2-6 and 2-7 show the PL/M-286 and ASM286 code for a simple 80287 program, called
ARRSUM. The program references an array (X$ARRAY), which contains 0-100 short real values;
the integer variable N$OF$X indicates the number of array elements the program is to consider.
ARRSUM steps through X$ARRAY accumulating three sums:
• SUM$X, the sum of the array values
• SUM$INDEXES, the sum of each array value times its index, where the index of the first element
is 1, the second is 2, etc.
• SUM$SQUARES, the sum of each array element squared
(A true program, of course, would go beyond these steps to store and use the results of these calculations.) The control word is set with the recommended values: projective closure, round to nearest,
64-bit precision, interrupts enabled, and all exceptions masked except invalid operation. It is assumed that an
exception handler has been written to field the invalid operation, if it occurs, and that it is invoked by
interrupt pointer 16. Either version of the program will run on an actual or an emulated 80287 without
altering the code shown.
The PL/M-286 version of ARRSUM (figure 2-6) is very straightforward and illustrates how easily the
80287 can be used in this language. After declaring variables the program calls built-in procedures to
initialize the processor (or its emulator) and to load the control word. The program clears the sum
variables and then steps through X$ARRAY with a DO-loop. The loop control takes into account
PL/M-286's practice of considering the index of the first element of an array to be 0. In the computation of SUM$INDEXES, the built-in procedure FLOAT converts I+1 from integer to real because
the language does not support "mixed mode" arithmetic. One of the strengths of the NPX, of course,
is that it does support arithmetic on mixed data types (because all values are converted internally to
the 80-bit temporary real format).


PL/M-286 COMPILER    ARRAYSUM

SERIES-III PL/M-286 V1.0 COMPILATION OF MODULE ARRAYSUM
OBJECT MODULE PLACED IN :F6:D.OBJ
COMPILER INVOKED BY:  PLM286.86 :F6:D.SRC XREF

              /****************************************************
               *                  ARRAYSUM MOD                    *
               ****************************************************/

   1          array$sum: do;

   2          declare (sum$x, sum$indexes, sum$squares) real;
   3          declare x$array(100) real;
   4          declare (n$of$x, i) integer;
   5          declare control$287 literally '033eh';

              /* Assume x$array and n$of$x are initialized */

              /* Prepare the 80287 or its emulator */
   6          call init$real$math$unit;
   7          call set$real$mode(control$287);

              /* Clear sums */
   8          sum$x, sum$indexes, sum$squares = 0.0;

              /* Loop through array, accumulating sums */
   9          do i = 0 to n$of$x-1;
  10              sum$x = sum$x + x$array(i);
  11              sum$indexes = sum$indexes + (x$array(i) * float(i+1));
  12              sum$squares = sum$squares + (x$array(i)*x$array(i));
  13          end;

              /* etc. */

  14          end array$sum;

PL/M-286 COMPILER    ARRAYSUM
CROSS-REFERENCE LISTING

DEFN  ADDR   SIZE  NAME, ATTRIBUTES, AND REFERENCES

   1  0006H   117  ARRAYSUM . . . . . .  PROCEDURE STACK=0002H
   5               CONTROL287. . . . . .  LITERALLY '033eh'      7
                   FLOAT . . . . . . . .  BUILTIN      11
   4  019EH     2  I . . . . . . . . . .  INTEGER      9*   10   11   12
                   INITREALMATHUNIT. . .  BUILTIN       6
   4  019CH     2  NOFX. . . . . . . . .  INTEGER       9
                   SETREALMODE . . . . .  BUILTIN       7
   2  0004H     4  SUMINDEXES. . . . . .  REAL          8*   11   11*
   2  0008H     4  SUMSQUARES. . . . . .  REAL          8*   12   12*
   2  0000H     4  SUMX. . . . . . . . .  REAL          8*   10   10*
   3  000CH   400  XARRAY. . . . . . . .  REAL ARRAY(100)   10   11   12

MODULE INFORMATION:
     CODE AREA SIZE     = 0077H    119D
     CONSTANT AREA SIZE = 0004H      4D
     VARIABLE AREA SIZE = 01A0H    416D
     MAXIMUM STACK SIZE = 0002H      2D
     33 LINES READ
     0 PROGRAM ERRORS

DICTIONARY SUMMARY:
     96KB MEMORY AVAILABLE
     3KB MEMORY USED    (3%)
     0KB DISK SPACE USED

END OF PL/M-286 COMPILATION

Figure 2-6. Sample PL/M-286 Program


The ASM286 version (figure 2-7) defines the external procedure INIT287, which makes the different
initialization requirements of the processor and its emulator transparent to the source code. After defining
the data and setting up the segment registers and stack pointer, the program calls INIT287 and loads
the control word. The computation begins with the next three instructions, which clear three registers
by loading (pushing) zeros onto the stack. As shown in figure 2-8, these registers remain at the bottom
of the stack throughout the computation while temporary values are pushed on and popped off the
stack above them.
The program uses the CPU LOOP instruction to control its iteration through X_ARRAY; register CX,
which LOOP automatically decrements, is loaded with N_OF_X, the number of array elements to be
summed. Register SI is used to select (index) the array elements. The program steps through X_ARRAY
from back to front, so SI is initialized to point at the element just beyond the first element to be
processed. The ASM286 TYPE operator is used to determine the number of bytes in each array element.
This permits changing X_ARRAY to a long real array by simply changing its definition (DD to DQ)
and reassembling.
Figure 2-8 shows the effect of the instructions in the program loop on the NPX register stack. The
figure assumes that the program is in its first iteration, that N_OF_X is 20, and that X_ARRAY(19)
(the 20th element) contains the value 2.5. When the loop terminates, the three sums are left as the top
stack elements so that the program ends by simply popping them into memory variables.
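
The following C model is an added example, not code from the manual. It runs the loop body in the instruction sequence drawn in figure 2-8 (including the FIMUL N_OF_X and second FADDP steps) on a simulated register stack, so the stack discipline described above can be checked. The npx_stack type and all function names are assumptions made for the illustration.

```c
/* Minimal model of the NPX register stack (constructed for illustration).
   st[0] is ST(0); only the instructions used by the ARRSUM loop are modeled. */
#define NPX_REGS 8

typedef struct {
    double st[NPX_REGS];
    int depth;      /* number of occupied registers */
    int invalid;    /* set on a push to a full stack or a pop from an empty one */
} npx_stack;

static void npx_push(npx_stack *n, double v) {
    if (n->depth == NPX_REGS) { n->invalid = 1; return; }
    for (int i = n->depth; i > 0; i--) n->st[i] = n->st[i - 1];
    n->st[0] = v;
    n->depth++;
}

static void npx_pop(npx_stack *n) {
    if (n->depth == 0) { n->invalid = 1; return; }
    for (int i = 1; i < n->depth; i++) n->st[i - 1] = n->st[i];
    n->depth--;
}

static void fldz(npx_stack *n)                { npx_push(n, 0.0); }
static void fld_mem(npx_stack *n, float m)    { npx_push(n, (double)m); }
static void fld_st(npx_stack *n)              { npx_push(n, n->st[0]); }
static void fadd_sti_st(npx_stack *n, int i)  { n->st[i] += n->st[0]; }
static void fmul_st_st(npx_stack *n)          { n->st[0] *= n->st[0]; }
static void fimul_mem(npx_stack *n, int m)    { n->st[0] *= (double)m; }
static void faddp_sti_st(npx_stack *n, int i) { n->st[i] += n->st[0]; npx_pop(n); }

typedef struct {
    double sum_x, sum_indexes, sum_squares;
    int max_depth;   /* deepest stack use seen during the run */
    int invalid;     /* nonzero if the stack over- or underflowed, or was left unbalanced */
} arrsum_result;

/* One pass of the loop body. n_of_x is the current (decrementing) count,
   so it equals index+1 of the element being processed. */
static void loop_body(npx_stack *n, float x, int n_of_x, int *max_depth) {
    fld_mem(n, x);           /* FLD   X_ARRAY[SI]                         */
    fadd_sti_st(n, 3);       /* FADD  ST(3),ST   sum_x += x               */
    fld_st(n);               /* FLD   ST         duplicate x              */
    if (n->depth > *max_depth) *max_depth = n->depth;
    fmul_st_st(n);           /* FMUL  ST,ST      x squared                */
    faddp_sti_st(n, 2);      /* FADDP ST(2),ST   sum_squares += x*x, pop  */
    fimul_mem(n, n_of_x);    /* FIMUL N_OF_X     x * (index+1)            */
    faddp_sti_st(n, 2);      /* FADDP ST(2),ST   sum_indexes += it, pop   */
}

/* Assumes 1 <= n_of_x <= 100, as the sample program does. */
arrsum_result arrsum(const float *x_array, int n_of_x) {
    npx_stack n = { {0}, 0, 0 };
    arrsum_result r = { 0 };
    fldz(&n); fldz(&n); fldz(&n);   /* ST(0)=sum_squares ST(1)=sum_indexes ST(2)=sum_x */
    r.max_depth = n.depth;
    for (int count = n_of_x; count > 0; count--)      /* back to front, like SI */
        loop_body(&n, x_array[count - 1], count, &r.max_depth);
    r.sum_squares = n.st[0]; npx_pop(&n);             /* FSTP sum_squares */
    r.sum_indexes = n.st[0]; npx_pop(&n);             /* FSTP sum_indexes */
    r.sum_x       = n.st[0]; npx_pop(&n);             /* FSTP sum_x       */
    r.invalid = n.invalid || n.depth != 0;
    return r;
}
```

The three running sums never move from the bottom of the stack, and the loop needs at most five of the eight registers.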

80287 Emulation

The programming of applications to execute on both 80286 and 80287 is made much easier by the
existence of an 80287 emulator for 80286 systems. The Intel E80287 emulator offers a complete software
counterpart to the 80287 hardware; NPX instructions can be simply emulated in software rather than
being executed in hardware. With software emulation, the distinction between 80286 and 80287 systems
is reduced to a simple performance differential (see Table 1-2 for a performance comparison between
an actual 80287 and an emulated 80287). Identical numeric programs will simply execute more slowly
on 80286 systems (using software emulation of NPX instructions) than on systems executing NPX instructions
directly.
When incorporated into the systems software, the emulation of NPX instructions on the 80286 systems
is completely transparent to the programmer. Applications software needs no special libraries, linking,
or other activity to allow it to run on an 80286 with 80287 emulation.
To the applications programmer, the development of programs for 80286 systems is the same whether
the 80287 NPX hardware is available or not. The full 80287 instruction set is available for use, with
NPX instructions being either emulated or executed directly. Applications programmers need not be
concerned with the hardware configuration of the computer systems on which their applications will
eventually run.
For systems programmers, details relating to 80287 emulators are described in a later section of this
supplement. An E80287 software emulator for 80286 systems is contained in the iMDX 364 8086
Software Toolbox, available from Intel and described in the 8086 Software Toolbox Manual.

CONCURRENT PROCESSING WITH THE 80287
Because the 80286 CPU and the 80287 NPX have separate execution units, it is possible for the NPX
to execute numeric instructions in parallel with instructions executed by the CPU. This simultaneous
execution of different instructions is called concurrency.

iAPX286 MACRO ASSEMBLER    EXAMPLE_ASM286_PROGRAM

SERIES-III iAPX286 MACRO ASSEMBLER X10B ASSEMBLY OF MODULE EXAMPLE_ASM286_PROGRAM
OBJECT MODULE PLACED IN :F6:287EXP.OBJ
ASSEMBLER INVOKED BY:  ASM286.86 :F6:287EXP.SRC XREF

LOC   OBJ               SOURCE

                                name    example_ASM286_program
                        ; Define initialization routine
                                extrn   init287: far

                        ; Allocate space for data
                        data    segment rw public
0000  3E03              control_287     dw      033eh
0002  ????              n_of_x          dw      ?
0004  (100              x_array         dd      100 dup (?)
      ????????
      )
0194  ????????          sum_squares     dd      ?
0198  ????????          sum_indexes     dd      ?
019C  ????????          sum_x           dd      ?
                        data    ends

                        ; Allocate CPU stack space
                        stack   stackseg 400

                        ; Begin code
                        code    segment er public
                                assume  ds:data, ss:stack, es:nothing
0000                    start:
0000  B8----                    mov     ax, data
0003  8ED8                      mov     ds, ax
0005  B8----                    mov     ax, stack
0008  8ED0                      mov     ss, ax
000A  BCFEFF                    mov     sp, stackstart stack

                        ; Assume x_array and n_of_x are initialized
                        ;   this program zeroes n_of_x

                        ; Prepare the 80287 or its emulator.
000D  9A0000----                call    init287
0012  D92E0000                  fldcw   control_287

                        ; Clear three registers to hold running sums
0016  D9EE                      fldz
0018  D9EE                      fldz
001A  D9EE                      fldz

                        ; Setup CX as loop counter and
                        ;   SI as index to x_array
001C  8B0E0200                  mov     cx, n_of_x
0020  F7E9                      imul    cx
0022  8BF0                      mov     si, ax

                        ; SI now contains index of last element + 1
                        ; Loop thru x_array, accumulating sums
0024                    sum_next:
0024  83EE04                    sub     si, type x_array ; backup one element
0027  D9840400                  fld     x_array[si]      ; push it on the stack
002B  DCC3                      fadd    st(3), st        ; add into sum of x
002D  D9C0                      fld     st               ; duplicate x on top
002F  DCC8                      fmul    st, st           ; square it
0031  DEC2                      faddp   st(2), st        ; add into sum of (index*x)
                                                         ;   and discard
0033  FF0E0200                  dec     n_of_x           ; reduce index for next iteration
0037  E2EB                      loop    sum_next         ; continue

                        ; Pop running sums into memory
0039                    pop_results:
0039  D91E9401                  fstp    sum_squares
003D  D91E9801                  fstp    sum_indexes
0041  D91E9C01                  fstp    sum_x
0045  9B                        fwait

                        ;
                        ; Etc.
                        ;
                        code    ends
                                end     start

Figure 2-7. Sample ASM286 Program

iAPX286 MACRO ASSEMBLER    EXAMPLE_ASM286_PROGRAM

XREF SYMBOL TABLE LISTING

NAME            TYPE       VALUE    ATTRIBUTES, XREFS

CODE            SEGMENT             SIZE=0046H ER PUBLIC     19# 69
CONTROL_287     V WORD     0000H    DATA     7# 33
DATA            SEGMENT             SIZE=01A0H RW PUBLIC     6# 13 20 22
INIT287         L FAR      0000H    EXTRN    3# 32
N_OF_X          V WORD     0002H    DATA     8# 42 56
POP_RESULTS     L NEAR     0039H    CODE     60#
STACK           STACK               SIZE=0190H RW PUBLIC     16# 20 24 26
START           L NEAR     0000H    CODE     21# 70
SUM_INDEXES     V DWORD    0198H    DATA     11# 62
SUM_NEXT        L NEAR     0024H    CODE     48# 57
SUM_SQUARES     V DWORD    0194H    DATA     10# 61
SUM_X           V DWORD    019CH    DATA     12# 63
X_ARRAY         V DWORD    0004H    (100) DATA     9# 49 50

END OF SYMBOL TABLE LISTING
ASSEMBLY COMPLETE,   NO ERRORS

Figure 2-7. Sample ASM286 Program (Cont'd.)

Instruction             Register stack after the instruction

FLDZ, FLDZ, FLDZ        ST(0)    0.0     SUM_SQUARES
                        ST(1)    0.0     SUM_INDEXES
                        ST(2)    0.0     SUM_X

FLD X_ARRAY[SI]         ST(0)    2.5     X_ARRAY(19)
                        ST(1)    0.0     SUM_SQUARES
                        ST(2)    0.0     SUM_INDEXES
                        ST(3)    0.0     SUM_X

FADD ST(3),ST           ST(0)    2.5     X_ARRAY(19)
                        ST(1)    0.0     SUM_SQUARES
                        ST(2)    0.0     SUM_INDEXES
                        ST(3)    2.5     SUM_X

FLD ST                  ST(0)    2.5     X_ARRAY(19)
                        ST(1)    2.5     X_ARRAY(19)
                        ST(2)    0.0     SUM_SQUARES
                        ST(3)    0.0     SUM_INDEXES
                        ST(4)    2.5     SUM_X

FMUL ST,ST              ST(0)    6.25    X_ARRAY(19)²
                        ST(1)    2.5     X_ARRAY(19)
                        ST(2)    0.0     SUM_SQUARES
                        ST(3)    0.0     SUM_INDEXES
                        ST(4)    2.5     SUM_X

FADDP ST(2),ST          ST(0)    2.5     X_ARRAY(19)
                        ST(1)    6.25    SUM_SQUARES
                        ST(2)    0.0     SUM_INDEXES
                        ST(3)    2.5     SUM_X

FIMUL N_OF_X            ST(0)    50.0    X_ARRAY(19)*20
                        ST(1)    6.25    SUM_SQUARES
                        ST(2)    0.0     SUM_INDEXES
                        ST(3)    2.5     SUM_X

FADDP ST(2),ST          ST(0)    6.25    SUM_SQUARES
                        ST(1)    50.0    SUM_INDEXES
                        ST(2)    2.5     SUM_X

Figure 2-8. Instructions and Register Stack


No special programming techniques are required to gain the advantages of concurrent execution; numeric
instructions for the NPX are simply placed in line with the instructions for the CPU. CPU and numeric
instructions are initiated in the same order as they are encountered by the CPU in its instruction
stream. However, because numeric operations performed by the NPX generally require more time than
operations performed by the CPU, the CPU can often execute several of its instructions before the
NPX completes a numeric instruction previously initiated.
This concurrency offers obvious advantages in terms of execution performance, but concurrency also
imposes several rules that must be observed in order to assure proper synchronization of the 80286
CPU and 80287 NPX.
All Intel high-level languages automatically provide for and manage concurrency in the NPX.
Assembly-language programmers, however, must understand and manage some areas of concurrency
in exchange for the flexibility and performance of programming in assembly language. This section is
for the assembly-language programmer or well-informed high-level-language programmer.

Managing Concurrency
Concurrent execution of the host and 80287 is easy to establish and maintain. The activities of numeric
programs can be split into two major areas: program control and arithmetic. The program control part
performs activities such as deciding what functions to perform, calculating addresses of numeric
operands, and loop control. The arithmetic part simply adds, subtracts, multiplies, and performs other
operations on the numeric operands. The NPX and host are designed to handle these two parts separately
and efficiently.
Managing concurrency is necessary because both the arithmetic and control areas must converge to a
well-defined state before starting another numeric operation. A well-defined state means all previous
arithmetic and control operations are complete and valid.
Normally, the host waits for the 80287 to finish the current numeric operation before starting another.
This waiting is called synchronization.
Managing concurrent execution of the 80287 involves three types of synchronization:
1. Instruction synchronization
2. Data synchronization
3. Error synchronization

For programmers in higher-level languages, all three types of synchronization are automatically provided
by the appropriate compiler. For assembly-language programmers, instruction synchronization is
guaranteed by the NPX interface, but data and error synchronization are the responsibility of the
assembly-language programmer.

Instruction Synchronization
Instruction synchronization is required because the 80287 can perform only one numeric operation at
a time. Before any numeric operation is started, the 80287 must have completed all activity from its
previous instruction.


Instruction synchronization is guaranteed for most ESC instructions because the 80286 automatically
checks the BUSY status line from the 80287 before commencing execution of most ESC instructions.
No explicit WAIT instructions are necessary to ensure proper instruction synchronization.

Data Synchronization
Data synchronization addresses the issue of both the CPU and the NPX referencing the same memory
values within a given block of code. Synchronization ensures that these two processors access the memory
operands in the proper sequence, just as they would be accessed by a single processor with no concurrency. Data synchronization is not a concern when the CPU and NPX are using different memory
operands during the course of one numeric instruction.
The two cases where data synchronization might be a concern are
1. The 80286 CPU reads or alters a memory operand first, then invokes the 80287 to load or alter
the same operand.
2. The 80287 is invoked to load or alter a memory operand, after which the 80286 CPU reads or
alters the same location.

Due to the instruction synchronization of the NPX interface, data synchronization is automatically
provided for the first case-the 80286 will always complete its operation before invoking the 80287.
For the second case, data synchronization is not always automatic. In general, there is no guarantee
that the 80287 will have finished its processing and accessed the memory operand before the 80286
accesses the same location.
Figure 2-9 shows examples of the two possible cases of the CPU and NPX sharing a memory value. In
the examples of the first case, the CPU will finish with the operand before the 80287 can reference it.
The NPX interface guarantees this. In the examples of the second case, the CPU must wait for the
80287 to finish with the memory operand before proceeding to reuse it. The FWAIT instructions shown
in these examples are required in order to ensure this data synchronization.
There are several NPX control instructions where automatic data synchronization is provided; however,
the FSTSW/FNSTSW, FSTCW/FNSTCW, FLDCW, FRSTOR, and FLDENV instructions are all
guaranteed to finish their execution before the CPU can read or alter the referenced memory locations.
The 80287 provides data synchronization for these instructions by making a request on the Processor
Extension Data Channel before the CPU executes its next instruction. Since the NPX data transfers
occur before the CPU regains control of the local bus, the CPU cannot change a memory value before
the NPX has had a chance to reference it. In the case of the FSTSW AX instruction, the 80286 AX
register is explicitly updated before the CPU continues execution of the next instruction.
For the numeric instructions not listed above, the assembly-language programmer must remain aware
of synchronization and recognize cases requiring explicit data synchronization. Data synchronization
can be provided either by programming an explicit FWAIT instruction, or by initiating a subsequent
numeric instruction before accessing the operands or results of a previous instruction. After the subsequent numeric instruction has started execution, all memory references in earlier numeric instructions
are complete. Reaching the next host instruction after the synchronizing numeric instruction indicates
that previous numeric operands in memory are available.

Case 1:                         Case 2:

MOV     I, 1                    FILD    I
FILD    I                       FWAIT
                                MOV     I, 5

MOV     AX, I                   FISTP   I
FISTP   I                       FWAIT
                                MOV     AX, I

Figure 2-9. Synchronizing References to Shared Data

The data-synchronization function of any FWAIT or numeric instruction must be well-documented, as
shown in figure 2-10. Otherwise, a change to the program at a later time may remove the synchronizing
numeric instruction and cause program failure.
High-level languages automatically establish data synchronization and manage it, but there may be
applications where a high-level language may not be appropriate.
For assembly-language programmers, automatic data synchronization can be obtained using the assembler, although concurrency of execution is lost as a result. To perform automatic data synchronization,
the assembler can be changed to always place a WAIT instruction after the ESCAPE instruction.
Figure 2-11 shows an example of how to change the ASM286 Code Macro for the FIST instruction to
automatically place a WAIT instruction after the ESCAPE instruction. This Code Macro is included
in the ASM286 source module. The price paid for this automatic data synchronization is the lack of
any possible concurrency between the CPU and NPX.

Error Synchronization
Almost any numeric instruction can, under the wrong circumstances, produce a numeric error. Concurrent execution of the CPU and NPX requires synchronization for these errors just as it does for data
references and numeric instructions. In fact, the synchronization required for data and instructions
automatically provides error synchronization.
However, incorrect data or instruction synchronization may not be discovered until a numeric error
occurs. A further complication is that a programmer may not expect his numeric program to cause
numeric errors, but in some systems, they may regularly happen. To better understand these points,
let's look at what can happen when the NPX detects an error.
The NPX can perform one of two things when a numeric exception occurs:

• The NPX can provide a default fix-up for selected numeric errors. Programs can mask individual
error types to indicate that the NPX should generate a safe, reasonable result whenever that error
occurs. The default error fix-up activity is treated by the NPX as part of the instruction causing
the error; no external indication of the error is given. When errors are detected, a flag is set in the
numeric status register, but no information regarding where or when is available. If the NPX performs
its default action for all errors, then error synchronization is never exercised. This is no reason to
ignore error synchronization, however.

FISTP   I
FMUL                    ; I is updated before FMUL is executed
MOV     AX, I           ; I is now safe to use

Figure 2-10. Documenting Data Synchronization

;  This is an ASM286 code macro to redefine the FIST
;  instruction to prevent any concurrency
;  while the instruction runs. A wait
;  instruction is placed immediately after the
;  escape to ensure the store is done
;  before the program may continue.
;
CodeMacro FIST  memop:Mw
        RfixM   111B, memop
        ModRM   010B, memop
        RWfix
EndM

Figure 2-11. Nonconcurrent FIST Instruction Code Macro

• As an alternative to the NPX default fix-up of numeric errors, the 80286 CPU can be notified
whenever an exception occurs. The CPU can then implement any sort of recovery procedures desired,
for any numeric error detectable by the NPX. When a numeric error is unmasked and the error
occurs, the NPX stops further execution of the numeric instruction and signals this event to the
CPU. On the next occurrence of an ESC or WAIT instruction, the CPU traps to a software exception
handler. Some ESC instructions do not check for errors. These are the nonwaited forms FNINIT,
FNSTENV, FNSAVE, FNSTSW, FNSTCW, and FNCLEX.
When the NPX signals an unmasked exception condition, it is requesting help. The fact that the error
was unmasked indicates that further numeric program execution under the arithmetic and programming
rules of the NPX is unreasonable.
If concurrent execution is allowed, the state of the CPU when it recognizes the exception is undefined.
The CPU may have changed many of its internal registers and be executing a totally different program
by the time the exception occurs. To handle this situation, the NPX has special registers updated at
the start of each numeric instruction to describe the state of the numeric program when the failed
instruction was attempted.
Error synchronization ensures that the NPX is in a well-defined state after an unmasked numeric error
occurs. Without a well-defined state, it would be impossible for exception recovery routines to figure
out why the numeric error occurred, or to recover successfully from the error.


INCORRECT ERROR SYNCHRONIZATION

An example of how some instructions written without error synchronization will work initially, but fail
when moved into a new environment is shown in figure 2-12.
In figure 2-12, three instructions are shown to load an integer, calculate its square root, then increment
the integer. The NPX interface and synchronous execution of the NPX emulator will allow this program
to execute correctly when no errors occur on the FILD instruction.
This situation changes if the 80287 numeric register stack is extended to memory. To extend the NPX
stack to memory, the invalid error is unmasked. A push to a full register or pop from an empty register
will cause an invalid error. The recovery routine for the error must recognize this situation, fix up the
stack, then perform the original operation.
The recovery routine will not work correctly in the first example shown in the figure. The problem is
that the value of COUNT is incremented before the NPX can signal the exception to the CPU. Because
COUNT is incremented before the exception handler is invoked, the recovery routine will load an
incorrect value of COUNT, causing the program to fail or behave unreliably.

PROPER ERROR SYNCHRONIZATION

Error Synchronization relies on the WAIT instructions required by instruction and data synchronization and the BUSY and ERROR signals of the 80287. When an unmasked error occurs in the 80287,
it asserts the ERROR signal, signalling to the CPU that a numeric error has occurred. The next time
the CPU encounters an error-checking ESC or WAIT instruction, the CPU acknowledges the ERROR
signal by trapping automatically to Interrupt #16, the Processor Extension Error vector. If the following ESC or WAIT instruction is properly placed, the CPU will not yet have disturbed any information
vital to recovery from the error.

INCORRECT ERROR SYNCHRONIZATION

FILD    COUNT           ; NPX instruction
INC     COUNT           ; CPU instruction alters operand
FSQRT                   ; subsequent NPX instruction -- error from
                        ; previous NPX instruction detected here

PROPER ERROR SYNCHRONIZATION

FILD    COUNT           ; NPX instruction
FSQRT                   ; subsequent NPX instruction -- error from
                        ; previous NPX instruction detected here
INC     COUNT           ; CPU instruction alters operand

Figure 2-12. Error Synchronization Examples
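
The ordering hazards of figures 2-9, 2-10 and 2-12 can be reproduced with a small timing model. The C code below is an added example, not part of the manual; the machine structure, the fixed NPX_LATENCY, and the rule that an NPX instruction touches its memory operand only on completion are assumptions chosen to make the "no guarantee" cases visible, not a description of real 80287 timing.

```c
#include <stdint.h>

/* Toy timing model, an assumption made for this example (not cycle-accurate):
   each CPU instruction costs one tick, and an NPX instruction touches its
   memory operand only when it completes, NPX_LATENCY ticks after it starts. */
#define NPX_LATENCY 5

typedef enum { OP_NONE, OP_FILD, OP_FISTP, OP_ARITH } npx_op;

typedef struct {
    int16_t i;          /* shared memory operand (I or COUNT) */
    int16_t ax;         /* CPU register AX */
    double  st0;        /* NPX top of stack */
    npx_op  pending;    /* numeric instruction in flight (BUSY asserted) */
    int     busy;       /* ticks until it completes */
    int     stack_full; /* next FILD raises an unmasked invalid-operation error */
    int     error;      /* ERROR asserted, not yet acknowledged by the CPU */
} machine;

static void tick(machine *m) {
    if (m->pending == OP_NONE || --m->busy > 0) return;
    if (m->pending == OP_FILD) {
        if (m->stack_full) m->error = 1;     /* load abandoned, ERROR raised */
        else m->st0 = m->i;                  /* operand is read here */
    }
    if (m->pending == OP_FISTP) m->i = (int16_t)m->st0;  /* operand written here */
    m->pending = OP_NONE;
}

/* WAIT: idle until BUSY drops. A pending ERROR traps to the recovery routine,
   which here frees a register and redoes the load from memory as it is NOW. */
static void fwait(machine *m) {
    while (m->pending != OP_NONE) tick(m);
    if (m->error) { m->stack_full = 0; m->st0 = m->i; m->error = 0; }
}

/* ESC: the CPU checks BUSY and ERROR before starting the next numeric op. */
static void esc(machine *m, npx_op op) {
    fwait(m);
    m->pending = op;
    m->busy = NPX_LATENCY;
}

static void mov_i_imm(machine *m, int16_t v) { m->i = v;     tick(m); }
static void mov_ax_i(machine *m)             { m->ax = m->i; tick(m); }
static void inc_i(machine *m)                { m->i++;       tick(m); }

enum { SYNC_NONE, SYNC_FWAIT, SYNC_NEXT_ESC };

/* Figure 2-9, case 2 (FISTP I ... MOV AX,I): returns what the CPU reads. */
int16_t fistp_then_read(int sync) {
    machine m = { 0 };
    m.i = 7; m.st0 = 42.0;                            /* constructed values */
    esc(&m, OP_FISTP);
    if (sync == SYNC_FWAIT)    fwait(&m);
    if (sync == SYNC_NEXT_ESC) esc(&m, OP_ARITH);     /* FMUL, as in figure 2-10 */
    mov_ax_i(&m);
    return m.ax;
}

/* Figure 2-9, case 2 (FILD I ... MOV I,5): returns what the NPX loads. */
double fild_then_overwrite(int sync) {
    machine m = { 0 };
    m.i = 7;
    esc(&m, OP_FILD);
    if (sync == SYNC_FWAIT) fwait(&m);
    mov_i_imm(&m, 5);
    fwait(&m);                      /* only so the result can be inspected */
    return m.st0;
}

/* Figure 2-9, case 1 (MOV I,1 then FILD I): ordered without any FWAIT. */
double store_then_fild(void) {
    machine m = { 0 };
    mov_i_imm(&m, 1);
    esc(&m, OP_FILD);
    fwait(&m);                      /* only so the result can be inspected */
    return m.st0;
}

/* Figure 2-12: FILD COUNT faults; returns the COUNT the recovery routine reloads. */
double recovered_count(int inc_before_next_esc) {
    machine m = { 0 };
    m.i = 9; m.stack_full = 1;
    esc(&m, OP_FILD);                       /* FILD COUNT */
    if (inc_before_next_esc) inc_i(&m);     /* INC COUNT, incorrect placement */
    esc(&m, OP_ARITH);                      /* FSQRT: error detected here */
    if (!inc_before_next_esc) inc_i(&m);    /* INC COUNT, proper placement */
    return m.st0;
}
```

Without synchronization the CPU reads the stale 7 and the NPX loads the overwritten 5; with the INC placed before the next ESC, the recovery routine reloads 10 instead of 9.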

CHAPTER 3
SYSTEM-LEVEL NUMERIC PROGRAMMING
System programming for 80287 systems requires a more detailed understanding of the 80287 NPX
than does application programming. Such things as emulation, initialization, exception handling, and
data and error synchronization are all the responsibility of the systems programmer. These topics are
covered in detail in the sections that follow.

80287 ARCHITECTURE

On a software level, the 80287 NPX appears as an extension of the 80286 CPU. On the hardware
level, however, the mechanisms by which the 80286 and 80287 interact are a bit more complex. This
section describes how the 80287 NPX and 80286 CPU interact and points out features of this interaction that are of interest to systems programmers.

Processor Extension Data Channel
All transfers of operands between the 80287 and system memory are performed by the 80286's internal
Processor Extension Data Channel. This independent, DMA-like data channel permits all operand
transfers of the 80287 to come under the supervision of the 80286 memory-management and protection
mechanisms. The operation of this data channel is completely transparent to software.
Because the 80286 actually performs all transfers between the 80287 and memory, no additional bus
drivers, controllers, or other components are necessary to interface the 80287 NPX to the local bus.
Any memory accessible to the 80286 CPU is accessible by the 80287. The Processor Extension Data
Channel is described in more detail in Chapter Six of the 80286 Hardware Reference Manual.

Real-Address Mode and Protected Virtual-Address Mode
Like the 80286 CPU, the 80287 NPX can operate in both Real-Address mode and in Protected mode.
Following a hardware RESET, the 80287 is initially activated in Real-Address mode. A single, privileged instruction (FSETPM) is necessary to set the 80287 into Protected mode.
As an extension to the 80286 CPU, the 80287 can access any memory location accessible by the task
currently executing on the 80286. When operating in Protected mode, all memory references by the
80287 are automatically verified by the 80286's memory management and protection mechanisms as
for any other memory references by the currently-executing task. Protection violations associated with
NPX instructions automatically cause the 80286 to trap to an appropriate exception handler.
To the programmer, these two 80287 operating modes differ only in the manner in which the NPX
instruction and data pointers are represented in memory following an FSAVE or FSTENV instruction.
When the 80287 operates in Protected mode, its NPX instruction and data pointers are each represented in memory as a 16-bit segment selector and a 16-bit offset. When the 80287 operates in Real-Address mode, these same instruction and data pointers are represented simply as the 20-bit physical
addresses of the operands in question (see figure 1-7 in Chapter One).


Dedicated and Reserved I/O Locations
The 80287 NPX does not require that any memory addresses be set aside for special purposes. The
80287 does make use of I/O port addresses in the range 00F8H through 00FFH, although these I/O
operations are completely transparent to the 80286 software. 80286 programs must not reference these
reserved I/O addresses directly.
To prevent any accidental misuse or other tampering with numeric instructions in the 80287, the 80286's
I/O Privilege Level (IOPL) should be used in multiuser reprogrammable environments to restrict
application program access to the I/O address space and so guarantee the integrity of 80287 computations. Chapter Eight of the 80286 Operating System Writer's Guide contains more details regarding
the use of the I/O Privilege Level.

PROCESSOR INITIALIZATION AND CONTROL
One of the principal responsibilities of systems software is the initialization, monitoring, and control of
the hardware and software resources of the system, including the 80287 NPX. In this section, issues
related to system initialization and control are described, including recognition of the NPX, emulation
of the 80287 NPX in software if the hardware is not available, and the handling of exceptions that
may occur during the execution of the 80287.

System Initialization
During initialization of an 80286 system, systems software must
• Recognize the presence or absence of the NPX
• Set flags in the 80286 MSW to reflect the state of the numeric environment

If an 80287 NPX is present in the system, the NPX must be
• Initialized
• Switched into Protected mode (if desired)

All of these activities can be quickly and easily performed as part of the overall system initialization.

Recognizing the 80287 NPX
Figure 3-1 shows an example of a recognition routine that determines whether an NPX is present, and
distinguishes between the 80387 and the 8087/80287. This routine can be executed on any 80386,
80286, or 8086 hardware configuration that has an NPX socket.

The example guards against the possibility of accidentally reading an expected value from a floating
data bus when no NPX is present. Data read from a floating bus is undefined. By expecting to read a
specific bit pattern from the NPX, the routine protects itself from the indeterminate state of the bus.
The example also avoids depending on any values in reserved bits, thereby maintaining compatibility
with future numerics coprocessors.
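
The decision logic of the routine in figure 3-1 can be exercised off-target. The C code below is an added example, not the manual's code: probe_target is a hypothetical stand-in for the hardware, the sample machines are constructed, and the control-word values given for each chip after FNINIT are sample inputs. The masks 103FH and 003FH and the 5A5AH preset are taken from the listing.

```c
#include <stdint.h>

typedef enum { NO_NPX, NPX_8087_80287, NPX_80387 } npx_kind;

/* Hypothetical stand-in for the hardware so the checks can run anywhere. */
typedef struct {
    int      present;             /* 1: a coprocessor answers the stores */
    int      absent_store_writes; /* no NPX: 1 = store writes floating-bus data,
                                     0 = memory is left untouched */
    uint16_t floating_bus;        /* undefined data seen on an undriven bus */
    uint16_t status_word;         /* status word after FNINIT */
    uint16_t control_word;        /* control word after FNINIT */
    int      affine_infinity;     /* 1: +inf and -inf compare unequal (80387) */
} probe_target;

/* Models FNSTSW/FNSTCW [si]: what ends up in the temp word. */
static void store_word(const probe_target *t, uint16_t real, uint16_t *dst) {
    if (t->present)                  *dst = real;
    else if (t->absent_store_writes) *dst = t->floating_bus;
    /* otherwise memory keeps its previous contents */
}

/* The checks of figure 3-1, in the same order. */
npx_kind recognize_npx(const probe_target *t) {
    uint16_t temp = 0x5A5A;                        /* preset temp to non-zero   */
    store_word(t, t->status_word, &temp);          /* fnstsw [si]               */
    if ((temp & 0x00FF) != 0) return NO_NPX;       /* cmp byte ptr [si],0       */
    store_word(t, t->control_word, &temp);         /* fnstcw [si]               */
    if ((temp & 0x103F) != 0x003F) return NO_NPX;  /* and ax,103fh / cmp ax,3fh */
    /* fld1, fldz, fdiv, fld st, fchs, fcompp: do the two infinities match? */
    return t->affine_infinity ? NPX_80387 : NPX_8087_80287;
}

/* Weak variant for contrast: temp not preset, only the zero status is tested.
   Returns 1 when it would report a coprocessor. */
int status_only_check(const probe_target *t) {
    uint16_t temp = 0;
    store_word(t, t->status_word, &temp);
    return temp == 0;
}

/* Constructed sample machines. */
static const probe_target NO_CHIP_NO_STORE = { 0, 0, 0x0000, 0, 0, 0 };
static const probe_target NO_CHIP_BUS_ZERO = { 0, 1, 0x0000, 0, 0, 0 };
static const probe_target NO_CHIP_BUS_ONES = { 0, 1, 0xFFFF, 0, 0, 0 };
static const probe_target CHIP_8087        = { 1, 0, 0, 0x0000, 0x03FF, 0 };
static const probe_target CHIP_80287       = { 1, 0, 0, 0x0000, 0x037F, 0 };
static const probe_target CHIP_80387       = { 1, 0, 0, 0x0000, 0x037F, 1 };

/* Number of sample machines the full routine classifies wrongly (expected 0). */
int misclassified_samples(void) {
    int bad = 0;
    bad += recognize_npx(&NO_CHIP_NO_STORE) != NO_NPX;
    bad += recognize_npx(&NO_CHIP_BUS_ZERO) != NO_NPX;
    bad += recognize_npx(&NO_CHIP_BUS_ONES) != NO_NPX;
    bad += recognize_npx(&CHIP_8087)        != NPX_8087_80287;
    bad += recognize_npx(&CHIP_80287)       != NPX_8087_80287;
    bad += recognize_npx(&CHIP_80387)       != NPX_80387;
    return bad;
}
```

A bus that happens to float to zero passes the status test alone; it is rejected only because the control-word test also requires specific one bits.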


DOS 3.20 (033-N) 8086/87/88/186 MACRO ASSEMBLER V2.0 ASSEMBLY OF MODULE TEST_NPX
OBJECT MODULE PLACED IN FINDNPX.OBJ

$title('Test for presence of a Numerics Chip, Revision 1.0')

        name    Test_NPX

stack   segment stack 'stack'
        dw      100 dup (?)
sst     dw      ?
stack   ends

data    segment public 'data'
temp    dw      0h
data    ends

dgroup  group   data, stack
cgroup  group   code

code    segment public 'code'
        assume  cs:cgroup, ds:dgroup

start:
;
;       Look for an 8087, 80287, or 80387 NPX.
;       Note that we cannot execute WAIT on 8086/88 if no 8087 is present.
;
test_npx:
        fninit                          ; Must use non-wait form
        mov     si,offset dgroup:temp
        mov     word ptr [si],5A5AH     ; Initialize temp to non-zero value
        fnstsw  [si]                    ; Must use non-wait form of fstsw
                                        ; It is not necessary to use a WAIT instruction
                                        ; after fnstsw or fnstcw.  Do not use one here.
        cmp     byte ptr [si],0         ; See if correct status with zeroes was read
        jne     no_npx                  ; Jump if not a valid status word, meaning no NPX
;
;       Now see if ones can be correctly written from the control word.
;
        fnstcw  [si]                    ; Look at the control word; do not use WAIT form
                                        ; Do not use a WAIT instruction here!
        mov     ax,[si]                 ; See if ones can be written by NPX
        and     ax,103fh                ; See if selected parts of control word look OK
        cmp     ax,3fh                  ; Check that ones and zeroes were correctly read
        jne     no_npx                  ; Jump if no NPX is installed
;
;       Some numerics chip is installed.  NPX instructions and WAIT are now safe.
;       See if the NPX is an 8087, 80287, or 80387.
;       This code is necessary if a denormal exception handler is used or the
;       new 80387 instructions will be used.
;
        fld1                            ; Must use default control word from FNINIT
        fldz                            ; Form infinity
        fdiv                            ; 8087/287 says +inf = -inf
        fld     st                      ; Form negative infinity
        fchs                            ; 80387 says +inf <> -inf
        fcompp                          ; See if they are the same and remove them
        fstsw   [si]                    ; Look at status from FCOMPP
        mov     ax,[si]
        sahf                            ; See if the infinities matched
        je      found_87_287            ; Jump if 8087/287 is present
;
;       An 80387 is present.  If denormal exceptions are used for an 8087/287,
;       they must be masked.  The 80387 will automatically normalize denormal
;       operands faster than an exception handler can.
;
        jmp     found_387
no_npx:
;       set up for no NPX
        jmp     exit
found_87_287:
;       set up for 87/287
        jmp     exit
found_387:
;       set up for 387
exit:
code    ends
        end     start,ds:dgroup,ss:dgroup:sst

ASSEMBLY COMPLETE, NO ERRORS FOUND

Figure 3-1. Software Routine to Recognize the 80287

Configuring the Numerics Environment
Once the 80286 CPU has determined the presence or absence of the 80287 NPX, the 80286 must set
either the MP or the EM bit in its own machine status word accordingly. The initialization routine can
either
• Set the MP bit in the 80286 MSW to allow numeric instructions to be executed directly by the
  80287 NPX component
• Set the EM bit in the 80286 MSW to permit software emulation of the 80287 numeric instructions
The Math Present (MP) flag of the 80286 machine status word indicates to the CPU whether an 80287
NPX is physically available in the system. The MP flag controls the function of the WAIT instruction.
When executing a WAIT instruction, the 80286 tests only the Task Switched (TS) bit if MP is set; if
it finds TS set under these conditions, the CPU traps to exception #7.
The Emulation Mode (EM) bit of the 80286 machine status word indicates to the CPU whether NPX
functions are to be emulated. If the CPU finds EM set when it executes an ESC instruction, program
control is automatically trapped to exception #7, giving the exception handler the opportunity to emulate
the functions of an 80287. The 80286 EM flag can be changed only by using the LMSW (load machine
status word) instruction (legal only at privilege level 0) and examined with the aid of the SMSW (store
machine status word) instruction (legal at any privilege level).
The EM bit also controls the function of the WAIT instruction. If the CPU finds EM set while executing
a WAIT, the CPU does not check the ERROR pin for an error indication.
For correct 80286 operation, the EM bit must never be set concurrently with MP. The EM and MP
bits of the 80286 are described in more detail in the 80286 Operating System Writer's Guide. More
information on software emulation for the 80287 NPX is described in the "80287 Emulation" section
later in this chapter.
In any case, if ESC instructions are to be executed, either the MP or EM bit must be set, but not both.

Initializing the 80287
Initializing the 80287 NPX simply means placing the NPX in a known state unaffected by any activity
performed earlier. The example software routine to recognize the 80287 (table 3-1) performed this
initialization using a single FNINIT instruction. This instruction causes the NPX to be initialized in
the same way as that caused by the hardware RESET signal to the 80287. All the error masks are set,
all registers are tagged empty, the ST is set to zero, and default rounding, precision, and infinity
controls are set. Table 3-1 shows the state of the 80287 NPX following initialization.
Following a hardware RESET signal, such as after initial power-up, the 80287 is initialized in Real-Address mode. Once the 80287 has been switched to Protected mode (using the FSETPM instruction),
only another hardware RESET can switch the 80287 back to Real-Address mode. The FNINIT
instruction does not switch the operating state of the 80287.

80287 Emulation
If it is determined that no 80287 NPX is available in the system, systems software may decide to
emulate ESC instructions in software. This emulation is easily supported by the 80286 hardware, because
the 80286 can be configured to trap to a software emulation routine whenever it encounters an ESC
instruction in its instruction stream.
Table 3-1. NPX Processor State Following Initialization

Field                       Value     Interpretation
Control Word
  Infinity Control          0         Projective
  Rounding Control          00        Round to nearest
  Precision Control         11        64 bits
  Interrupt-Enable Mask     1         Interrupts disabled
  Exception Masks           111111    All exceptions masked
Status Word
  Busy                      0         Not busy
  Condition Code            ????      (Indeterminate)
  Stack Top                 000       Empty stack
  Interrupt Request         0         No interrupt
  Exception Flags           000000    No exceptions
Tag Word
  Tags                      11        Empty
Registers                   N.C.      Not changed
Exception Pointers
  Instruction Code          N.C.      Not changed
  Instruction Address       N.C.      Not changed
  Operand Address           N.C.      Not changed


As described previously, whenever the 80286 CPU encounters an ESC instruction, and its MP and
EM status bits are set appropriately (MP=0, EM=1), the 80286 will automatically trap to interrupt
#7, the Processor Extension Not Available exception. The return link stored on the stack points to the
first byte of the ESC instruction, including the prefix byte(s), if any. The exception handler can use
this return link to examine the ESC instruction and proceed to emulate the numeric instruction in
software.
The emulator must step the return pointer so that, upon return from the exception handler, execution
can resume at the first instruction following the ESC instruction.
To an application program, execution on an 80286 system with 80287 emulation is almost indistinguishable from execution on an 80287 system, except for the difference in execution speeds.
There are several important considerations when using emulation on an 80286 system:
• When operating in Protected-Address mode, numeric applications using the emulator must be
  executed in execute-readable code segments. Numeric software cannot be emulated if it is executed
  in execute-only code segments. This is because the emulator must be able to examine the particular
  numeric instruction that caused the Emulation trap.
• Only privileged tasks can place the 80286 in emulation mode. The instructions necessary to place
  the 80286 in Emulation mode are privileged instructions, and are not typically accessible to an
  application.
An emulator package (E80287) that runs on 80286 systems is available from Intel in the 8086 Software
Toolbox, Order Number 122203. This emulation package operates in both Real and Protected mode,
providing a complete functional equivalent for the 80287 emulated in software.
When using the E80287 emulator, writers of numeric exception handlers should be aware of one slight
difference between the emulated 80287 and the 80287 hardware:
• On the 80287 hardware, exception handlers are invoked by the 80286 at the first WAIT or ESC
  instruction following the instruction causing the exception. The return link, stored on the 80286
  stack, points to this second WAIT or ESC instruction where execution will resume following a
  return from the exception handler.
• Using the E80287 emulator, numeric exception handlers are invoked from within the emulator itself.
  The return link stored on the stack when the exception handler is invoked will therefore point back
  to the E80287 emulator, rather than to the program code actually being executed (emulated). An
  IRET return from the exception handler returns to the emulator, which then returns immediately
  to the emulated program. This added layer of indirection should not cause confusion, however,
  because the instruction causing the exception can always be identified from the 80287's instruction
  and data pointers.
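
The requirement above that the emulator step the return pointer past the ESC instruction can be shown in C. This is an added example, not Intel's E80287 code: the function names, the choice to accept only segment-override prefixes, the segment-limit check and the sample byte strings are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: length in bytes of the ESC instruction starting at
 * code[0], prefixes included, using 80286 (16-bit) addressing forms.
 * Returns 0 if the bytes are not a complete ESC instruction within avail. */
size_t esc_insn_length(const uint8_t *code, size_t avail)
{
    size_t i = 0;

    /* Skip segment-override prefixes ES:, CS:, SS:, DS: (assumed prefix set). */
    while (i < avail && (code[i] == 0x26 || code[i] == 0x2E ||
                         code[i] == 0x36 || code[i] == 0x3E))
        i++;

    /* ESC opcodes are D8h..DFh (bit pattern 11011xxx). */
    if (i >= avail || (code[i] & 0xF8) != 0xD8)
        return 0;
    i++;

    if (i >= avail)
        return 0;                       /* ModRM byte is missing */
    uint8_t modrm = code[i++];
    uint8_t mod = (uint8_t)(modrm >> 6);
    uint8_t rm = (uint8_t)(modrm & 7);

    size_t disp = 0;
    if (mod == 1)
        disp = 1;                       /* 8-bit displacement */
    else if (mod == 2 || (mod == 0 && rm == 6))
        disp = 2;                       /* 16-bit displacement or direct address */
    /* mod == 3 is a register form (for example FADD ST,ST(1)): no displacement */

    if (avail - i < disp)
        return 0;                       /* instruction runs past the readable bytes */
    return i + disp;
}

/* Steps the saved return IP past the ESC instruction it points to.
 * seg is a readable view of the faulting code segment and limit is its last
 * valid offset; the fetch is bounded by the limit so a bad return link cannot
 * make the handler read outside the segment. Returns 0 on success, -1 if no
 * complete ESC instruction lies at ip. */
int step_return_ip(const uint8_t *seg, uint16_t limit, uint16_t ip,
                   uint16_t *next_ip)
{
    if (ip > limit)
        return -1;
    size_t avail = (size_t)limit - ip + 1;
    size_t len = esc_insn_length(seg + ip, avail);
    if (len == 0)
        return -1;
    *next_ip = (uint16_t)(ip + len);
    return 0;
}

/* Constructed sample instructions (not taken from the manual). */
static const uint8_t SAMPLE_FLD_DIRECT[] = { 0xD9, 0x06, 0x34, 0x12 }; /* FLD dword ptr [1234h] */
static const uint8_t SAMPLE_ES_FLD_BX8[] = { 0x26, 0xDD, 0x47, 0x08 }; /* FLD qword ptr ES:[BX+8] */
static const uint8_t SAMPLE_FADD_REG[]   = { 0xD8, 0xC1 };             /* FADD ST,ST(1) */
static const uint8_t SAMPLE_NOT_ESC[]    = { 0x90 };                   /* NOP */

/* Constructed 8-byte code segment: NOP, ES: FLD [BX+8], NOP, truncated FLD. */
static const uint8_t SAMPLE_SEGMENT[] = {
    0x90, 0x26, 0xDD, 0x47, 0x08, 0x90, 0xD9, 0x06
};

int main(void)
{
    uint16_t next = 0;
    printf("direct FLD length: %zu\n",
           esc_insn_length(SAMPLE_FLD_DIRECT, sizeof SAMPLE_FLD_DIRECT));
    if (step_return_ip(SAMPLE_SEGMENT, 7, 1, &next) == 0)
        printf("return IP 1 steps to %u\n", (unsigned)next);
    if (step_return_ip(SAMPLE_SEGMENT, 7, 6, &next) != 0)
        printf("return IP 6: instruction crosses the segment limit\n");
    return 0;
}
```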

Handling Numeric Processing Exceptions
Once the 80287 has been initialized and normal execution of applications has been commenced, the
80287 NPX may occasionally require attention in order to recover from numeric processing errors.
This section provides details for writing software exception handlers for numeric exceptions. Numeric
processing exceptions have already been introduced in previous sections of this manual.


As discussed previously, the 80287 NPX can take one of two actions when it recognizes a numeric
exception:
• If the exception is masked, the NPX will automatically perform its own masked exception response,
correcting the exception condition according to fixed rules, and then continuing with its instruction
execution.
• If the exception is unmasked, the NPX signals the exception to the 80286 CPU using the ERROR
status line between the two processors. Each time the 80286 encounters an ESC or WAIT instruction in its instruction stream, the CPU checks the condition of this ERROR status line. If ERROR
is active, the CPU automatically traps to Interrupt vector #16, the Processor Extension Error trap.

Interrupt vector #16 typically points to a software exception handler, which may or may not be a part
of systems software. This exception handler takes the form of an 80286 interrupt procedure.
When handling numeric errors, the CPU has two responsibilities:
• The CPU must not disturb the numeric context when an error is detected.
• The CPU must clear the error and attempt recovery from the error.
Although the manner in which programmers may treat these responsibilities varies from one implementation to the next, most exception handlers will include these basic steps:
• Store the NPX environment (control, status, and tag words, operand and instruction pointers) as it
existed at the time of the exception.
• Clear the exception bits in the status word.
• Enable interrupts on the CPU.
• Identify the exception by examining the status and control words in the saved environment.
• Take some system-dependent action to rectify the exception.
• Return to the interrupted program and resume normal execution.
It should be noted that the NPX exception pointers contained in the stored NPX environment will take
different forms, depending on whether the NPX is operating in Real-Address mode or in Protected
mode. The earlier discussion of Real versus Protected mode details how this information is presented
in each of the two operating modes.

Simultaneous Exception Response
In cases where multiple exceptions arise simultaneously, the 80287 signals one exception according to
the precedence sequence shown in table 3-2. This means, for example, that zero divided by zero will
result in an invalid operation, and not a zero divide exception.

Table 3-2. Precedence of NPX Exceptions

Signaled First:    Denormalized operand (if unmasked)
                   Invalid operation
                   Zero divide
                   Denormalized (if masked)
                   Over/Underflow
Signaled Last:     Precision

Exception Recovery Examples
Recovery routines for NPX exceptions can take a variety of forms. They can change the arithmetic
and programming rules of the NPX. These changes may redefine the default fix-up for an error, change
the appearance of the NPX to the programmer, or change how arithmetic is defined on the NPX.
A change to an error response might be to automatically normalize all denormals loaded from memory.
A change in appearance might be extending the register stack into memory to provide an "infinite"
number of numeric registers. The arithmetic of the NPX can be changed to automatically extend the
precision and range of variables when exceeded. All these functions can be implemented on the NPX
via numeric errors and associated recovery routines in a manner transparent to the application
programmer.
Some other possible system-dependent actions, mentioned previously, may include:
• Incrementing an exception counter for later display or printing
• Printing or displaying diagnostic information (e.g., the 80287 environment and registers)
• Aborting further execution
• Storing a diagnostic value (a NaN) in the result and continuing with the computation

Notice that an exception may or may not constitute an error, depending on the implementation. Once
the exception handler corrects the error condition causing the exception, the floating-point instruction
that caused the exception can be restarted, if appropriate. This cannot be accomplished using the
IRET instruction, however, because the trap occurs at the ESC or WAIT instruction following the
offending ESC instruction. The exception handler must obtain from the NPX the address of the
offending instruction in the task that initiated it, make a copy of it, execute the copy in the context of
the offending task, and then return via IRET to the current CPU instruction stream.
In order to correct the condition causing the numeric exception, exception handlers must recognize the
precise state of the NPX at the time the exception handler was invoked, and be able to reconstruct the
state of the NPX when the exception initially occurred. To reconstruct the state of the NPX, programmers must understand when, during the execution of an NPX instruction, exceptions are actually
recognized.
Invalid operation, zero divide, and denormalized exceptions are detected before an operation begins,
whereas overflow, underflow, and precision exceptions are not raised until a true result has been
computed. When a before exception is detected, the NPX register stack and memory have not yet been
updated, and appear as if the offending instruction has not been executed.
When an after exception is detected, the register stack and memory appear as if the instruction has
run to completion; i.e., they may be updated. (However, in a store or store-and-pop operation, unmasked
overflow/underflow is handled like a before exception; memory is not updated and the stack is not popped.)
The programming examples contained in Chapter Four include an outline of several exception handlers
to process numeric exceptions for the 80287.

CHAPTER 4
NUMERIC PROGRAMMING EXAMPLES
The following sections contain examples of numeric programs for the 80287 NPX written in ASM286.
These examples are intended to illustrate some of the techniques for programming the 80287 computing system for numeric applications.

CONDITIONAL BRANCHING EXAMPLES
As discussed in Chapter Two, several numeric instructions post their results to the condition code bits
of the 80287 status word. Although there are many ways to implement conditional branching following
a comparison, the basic approach is as follows:
• Execute the comparison.
• Store the status word. (80287 allows storing status directly into AX register.)
• Inspect the condition code bits.
• Jump on the result.


Figure 4-1 is a code fragment that illustrates how two memory-resident long real numbers might be
compared (similar code could be used with the FTST instruction). The numbers are called A and B,
and the comparison is A to B.
The comparison itself requires loading A onto the top of the 80287 register stack and then comparing
it to B, while popping the stack with the same instruction. The status word is then written into the
80286 AX register.
A and B have four possible orderings, and bits C3, C2, and C0 of the condition code indicate which
ordering holds. These bits are positioned in the upper byte of the NPX status word so as to correspond
to the CPU's zero, parity, and carry flags (ZF, PF, and CF), when the byte is written into the flags.
The code fragment sets ZF, PF, and CF of the CPU status word to the values of C3, C2, and C0 of
the NPX status word, and then uses the CPU conditional jump instructions to test the flags. The
resulting code is extremely compact, requiring only seven instructions.
The FXAM instruction updates all four condition code bits. Figure 4-2 shows how a jump table can be
used to determine the characteristics of the value examined. The jump table (FXAM_TBL) is initialized to contain the 16-bit displacement of 16 labels, one for each possible condition code setting. Note
that four of the table entries contain the same value, because four condition code settings correspond
to "empty."
The program fragment performs the FXAM and stores the status word. It then manipulates the condition code bits to finally produce a number in register BX that equals the condition code times 2. This
involves zeroing the unused bits in the byte that contains the code, shifting C3 to the right so that it is
adjacent to C2, and then shifting the code to multiply it by 2. The resulting value is used as an index
that selects one of the displacements from FXAM_TBL (the multiplication of the condition code is
required because of the 2-byte length of each value in FXAM_TBL). The unconditional JMP instruction effectively vectors through the jump table to the labelled routine that contains code (not shown in
the example) to process each possible result of the FXAM instruction.

A       DQ      ?
B       DQ      ?
        .
        .
        .
        FLD     A       ; LOAD A ONTO TOP OF 287 STACK
        FCOMP   B       ; COMPARE A:B, POP A
        FSTSW   AX      ; STORE RESULT TO CPU AX REGISTER
;
; CPU AX REGISTER CONTAINS CONDITION CODES (RESULTS OF
; COMPARE)
; LOAD CONDITION CODES INTO CPU FLAGS
;
        SAHF
;
; USE CONDITIONAL JUMPS TO DETERMINE ORDERING OF A TO
; B
;
        JP      A_B_UNORDERED   ; TEST C2 (PF)
        JB      A_LESS          ; TEST C0 (CF)
        JE      A_EQUAL         ; TEST C3 (ZF)
A_GREATER:                      ; C0 (CF) = 0, C3 (ZF) = 0
        .
        .
A_EQUAL:                        ; C0 (CF) = 0, C3 (ZF) = 1
        .
        .
A_LESS:                         ; C0 (CF) = 1, C3 (ZF) = 0
        .
        .
A_B_UNORDERED:                  ; C2 (PF) = 1
        .
        .

Figure 4-1. Conditional Branching for Compares

; JUMP TABLE FOR EXAMINE ROUTINE
;
FXAM_TBL DW POS_UNNORM, POS_NAN, NEG_UNNORM, NEG_NAN,
            POS_NORM, POS_INFINITY, NEG_NORM,
            NEG_INFINITY, POS_ZERO, EMPTY, NEG_ZERO,
            EMPTY, POS_DENORM, EMPTY, NEG_DENORM, EMPTY
;
; EXAMINE ST AND STORE RESULT (CONDITION CODES)
;
        FXAM
        FSTSW   AX
;
; CALCULATE OFFSET INTO JUMP TABLE
;
        MOV     BH,0            ; CLEAR UPPER HALF OF BX,
        MOV     BL,AH           ; LOAD CONDITION CODE INTO BL
        AND     BL,00000111B    ; CLEAR ALL BITS EXCEPT C2-C0
        AND     AH,01000000B    ; CLEAR ALL BITS EXCEPT C3
        SHR     AH,2            ; SHIFT C3 TWO PLACES RIGHT
        SAL     BX,1            ; SHIFT C2-C0 1 PLACE LEFT (MULTIPLY
                                ; BY 2)
        OR      BL,AH           ; DROP C3 BACK IN ADJACENT TO C2
                                ; (000XXXX0)
;
; JUMP TO THE ROUTINE 'ADDRESSED' BY CONDITION CODE
;
        JMP     FXAM_TBL[BX]
;
; HERE ARE THE JUMP TARGETS, ONE TO HANDLE
; EACH POSSIBLE RESULT OF FXAM
;
POS_UNNORM:
POS_NAN:
NEG_UNNORM:
NEG_NAN:
POS_NORM:
POS_INFINITY:
NEG_NORM:
NEG_INFINITY:
POS_ZERO:
EMPTY:
NEG_ZERO:
POS_DENORM:
NEG_DENORM:

Figure 4-2. Conditional Branching for FXAM
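
The bit handling in figures 4-1 and 4-2 can be checked on a host machine with the following C model, which applies the same flag tests and the same shift-and-mask sequence to a stored status word. This is an added example, not code from the manual: the C function names and the sample status words are assumptions, while the label names and table order are those of the two figures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ordering { A_GREATER, A_LESS, A_EQUAL, A_B_UNORDERED };

/* Models FSTSW AX / SAHF / JP / JB / JE from figure 4-1.
 * SAHF copies AH bit 0 to CF, bit 2 to PF and bit 6 to ZF, which is where
 * C0, C2 and C3 sit in the upper byte of the status word. */
enum ordering compare_ordering(uint16_t status_word)
{
    uint8_t ah = (uint8_t)(status_word >> 8);
    int cf = ah & 1;            /* C0 */
    int pf = (ah >> 2) & 1;     /* C2 */
    int zf = (ah >> 6) & 1;     /* C3 */

    if (pf) return A_B_UNORDERED;   /* JP A_B_UNORDERED */
    if (cf) return A_LESS;          /* JB A_LESS */
    if (zf) return A_EQUAL;         /* JE A_EQUAL */
    return A_GREATER;
}

/* The 16 entries of FXAM_TBL, in the order given in figure 4-2. */
static const char *const FXAM_TBL[16] = {
    "POS_UNNORM", "POS_NAN", "NEG_UNNORM", "NEG_NAN",
    "POS_NORM", "POS_INFINITY", "NEG_NORM", "NEG_INFINITY",
    "POS_ZERO", "EMPTY", "NEG_ZERO", "EMPTY",
    "POS_DENORM", "EMPTY", "NEG_DENORM", "EMPTY"
};

/* Models the offset calculation of figure 4-2 step by step and returns the
 * value left in BX (condition code times 2). */
unsigned fxam_table_offset(uint16_t status_word)
{
    uint8_t ah = (uint8_t)(status_word >> 8);
    uint16_t bx = (uint16_t)(ah & 0x07);    /* MOV BH,0 / MOV BL,AH / AND BL,00000111B */
    ah = (uint8_t)(ah & 0x40);              /* AND AH,01000000B */
    ah = (uint8_t)(ah >> 2);                /* SHR AH,2 */
    bx = (uint16_t)(bx << 1);               /* SAL BX,1 */
    bx = (uint16_t)(bx | ah);               /* OR  BL,AH  -> 000XXXX0 */
    return bx;
}

/* Name of the routine that JMP FXAM_TBL[BX] would reach. */
const char *fxam_class(uint16_t status_word)
{
    return FXAM_TBL[fxam_table_offset(status_word) / 2];
}

int main(void)
{
    /* Constructed status words; bits other than C3-C0 are set in some of
     * them to show that busy, stack-top and exception bits are ignored. */
    static const uint16_t samples[] = { 0x0000, 0x0100, 0x4000, 0x4500,
                                        0x0400, 0x4200, 0x7A00 };
    static const char *const names[] = { "A_GREATER", "A_LESS", "A_EQUAL",
                                         "A_B_UNORDERED" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%04X  compare: %-13s  fxam offset %2u: %s\n",
               (unsigned)samples[i], names[compare_ordering(samples[i])],
               fxam_table_offset(samples[i]), fxam_class(samples[i]));
    return 0;
}
```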

EXCEPTION HANDLING EXAMPLES
There are many approaches to writing exception handlers. One useful technique is to consider the
exception handler procedure as consisting of "prologue," "body," and "epilogue" sections of code. (For
compatibility with the 80287 emulators, this procedure should be invoked by interrupt pointer (vector)
number 16.)


At the beginning of the prologue, CPU interrupts have been disabled. The prologue performs all
functions that must be protected from possible interruption by higher-priority sources. Typically, this
will involve saving CPU registers and transferring diagnostic information from the 80287 to memory.
When the critical processing has been completed, the prologue may enable CPU interrupts to allow
higher-priority interrupt handlers to preempt the exception handler.
The exception handler body examines the diagnostic information and makes a response that is necessarily application-dependent. This response may range from halting execution, to displaying a message,
to attempting to repair the problem and proceed with normal execution.
The epilogue essentially reverses the actions of the prologue, restoring the CPU and the NPX so that
normal execution can be resumed. The epilogue must not load an unmasked exception flag into the
80287 or another exception will be requested immediately.
Figures 4-3 through 4-5 show the ASM286 coding of three skeleton exception handlers. They show how
prologues and epilogues can be written for various situations, but provide comments indicating only
where the application-dependent exception handling body should be placed.
Figures 4-3 and 4-4 are very similar; their only substantial difference is their choice of instructions to
save and restore the 80287. The tradeoff here is between the increased diagnostic information provided
by FNSAVE and the faster execution of FNSTENV. For applications that are sensitive to interrupt
latency or that do not need to examine register contents, FNSTENV reduces the duration of the "critical region," during which the CPU will not recognize another interrupt request (unless it is a nonmaskable interrupt).
After the exception handler body, the epilogues prepare the CPU and the NPX to resume execution
from the point of interruption (i.e., the instruction following the one that generated the unmasked
exception). Notice that the exception flags in the memory image that is loaded into the 80287 are
cleared to zero prior to reloading (in fact, in these examples, the entire status word image is cleared).
The examples in figures 4-3 and 4-4 assume that the exception handler itself will not cause an unmasked
exception. Where this is a possibility, the general approach shown in figure 4-5 can be employed. The
basic technique is to save the full 80287 state and then to load a new control word in the prologue.
Note that considerable care should be taken when designing an exception handler of this type to prevent
the handler from being reentered endlessly.

SAVE_ALL        PROC
;
; SAVE CPU REGISTERS, ALLOCATE STACK SPACE
; FOR 80287 STATE IMAGE
;
        PUSH    BP
        MOV     BP,SP
        SUB     SP,94
;
; SAVE FULL 80287 STATE, WAIT FOR COMPLETION,
; ENABLE CPU INTERRUPTS
;
        FNSAVE  [BP-94]
        FWAIT
        STI
;
; APPLICATION-DEPENDENT EXCEPTION HANDLING
; CODE GOES HERE
;
; CLEAR EXCEPTION FLAGS IN STATUS WORD
; RESTORE MODIFIED STATE IMAGE
;
        MOV     BYTE PTR [BP-92], 0H
        FRSTOR  [BP-94]
;
; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
;
        MOV     SP,BP
        POP     BP
;
; RETURN TO INTERRUPTED CALCULATION
;
        IRET
SAVE_ALL        ENDP

Figure 4-3. Full-State Exception Handler

SAVE_ENVIRONMENT PROC
;
; SAVE CPU REGISTERS, ALLOCATE STACK SPACE
; FOR 80287 ENVIRONMENT
;
        PUSH    BP
        MOV     BP,SP
        SUB     SP,14
;
; SAVE ENVIRONMENT, WAIT FOR COMPLETION,
; ENABLE CPU INTERRUPTS
;
        FNSTENV [BP-14]
        FWAIT
        STI
;
; APPLICATION EXCEPTION-HANDLING CODE GOES HERE
;
; CLEAR EXCEPTION FLAGS IN STATUS WORD
; RESTORE MODIFIED
; ENVIRONMENT IMAGE
;
        MOV     BYTE PTR [BP-12], 0H
        FLDENV  [BP-14]
;
; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
;
        MOV     SP,BP
        POP     BP
;
; RETURN TO INTERRUPTED CALCULATION
;
        IRET
SAVE_ENVIRONMENT ENDP

Figure 4-4. Reduced-Latency Exception Handler

LOCAL_CONTROL   DW      ?       ; ASSUME INITIALIZED
        .
        .
REENTRANT       PROC
;
; SAVE CPU REGISTERS, ALLOCATE STACK SPACE FOR
; 80287 STATE IMAGE
;
        PUSH    BP
        MOV     BP,SP
        SUB     SP,94
;
; SAVE STATE, LOAD NEW CONTROL WORD,
; FOR COMPLETION, ENABLE CPU INTERRUPTS
;
        FNSAVE  [BP-94]
        FLDCW   LOCAL_CONTROL
        STI
;
; APPLICATION EXCEPTION HANDLING CODE GOES HERE.
; AN UNMASKED EXCEPTION GENERATED HERE WILL
; CAUSE THE EXCEPTION HANDLER TO BE REENTERED.
; IF LOCAL STORAGE IS NEEDED, IT MUST BE
; ALLOCATED ON THE CPU STACK.
;
; CLEAR EXCEPTION FLAGS IN STATUS WORD
; RESTORE MODIFIED STATE IMAGE
;
        MOV     BYTE PTR [BP-92], 0H
        FRSTOR  [BP-94]
;
; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
;
        MOV     SP,BP
        POP     BP
;
; RETURN TO POINT OF INTERRUPTION
;
        IRET
REENTRANT       ENDP

Figure 4-5. Reentrant Exception Handler
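
The handler body that the three skeletons leave out has to read the saved image, decide which exception was unmasked, and hand back an image that will not request another exception when reloaded. The C model below is an added example, not code from the manual; it works on a 14-byte environment image with the control word at offset 0 and the status word at offset 2, as implied by the [BP-14] and [BP-12] references in figure 4-4. The function names, the sample image, and the use of the Table 3-2 order to pick among several pending flags are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Exception flag bits of the status word; the control word holds the
 * corresponding mask bits in the same positions. */
enum {
    EX_INVALID   = 0x01,
    EX_DENORMAL  = 0x02,
    EX_ZERODIV   = 0x04,
    EX_OVERFLOW  = 0x08,
    EX_UNDERFLOW = 0x10,
    EX_PRECISION = 0x20,
    EX_ALL       = 0x3F
};

#define ENV_SIZE    14  /* bytes written by FNSTENV */
#define ENV_CONTROL 0   /* offset of control word in the image */
#define ENV_STATUS  2   /* offset of status word in the image */

static uint16_t read_word(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));  /* little-endian word */
}

/* Flags that are set in the saved status word and not masked in the saved
 * control word: the ones that caused the ERROR signal. */
unsigned unmasked_exceptions(const uint8_t *env)
{
    unsigned status = read_word(env + ENV_STATUS);
    unsigned control = read_word(env + ENV_CONTROL);
    return status & ~control & EX_ALL;
}

/* Picks one pending flag in the order of Table 3-2 (assumption: the table's
 * signalling order is reused here to choose which flag to service first;
 * overflow is tried before underflow, which the table lists together). */
unsigned first_by_precedence(unsigned pending)
{
    static const unsigned order[] = {
        EX_DENORMAL, EX_INVALID, EX_ZERODIV,
        EX_OVERFLOW, EX_UNDERFLOW, EX_PRECISION
    };
    for (unsigned i = 0; i < sizeof order / sizeof order[0]; i++)
        if (pending & order[i])
            return order[i];
    return 0;
}

/* Same effect as MOV BYTE PTR [BP-12],0H in figure 4-4: zero the low byte
 * of the status word image, which holds the exception flags. */
void clear_status_flags(uint8_t *env)
{
    env[ENV_STATUS] = 0;
}

/* Epilogue check: reloading this image must not request another exception. */
int safe_to_reload(const uint8_t *env)
{
    return unmasked_exceptions(env) == 0;
}

/* Handler body in miniature: identify, then clear. Returns the flag chosen. */
unsigned service_exception(uint8_t *env)
{
    unsigned chosen = first_by_precedence(unmasked_exceptions(env));
    clear_status_flags(env);
    return chosen;
}

/* Constructed sample image: control word 0332h (invalid, zero divide and
 * overflow unmasked), status word B8A4h (zero divide and precision flags
 * set), tag word FFFFh, pointer fields zero. */
static uint8_t sample_env[ENV_SIZE] = {
    0x32, 0x03, 0xA4, 0xB8, 0xFF, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    printf("unmasked flags before: %02X\n", unmasked_exceptions(sample_env));
    printf("serviced flag:         %02X\n", service_exception(sample_env));
    printf("safe to reload:        %d\n", safe_to_reload(sample_env));
    return 0;
}
```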


FLOATING-POINT TO ASCII CONVERSION EXAMPLES
Numeric programs must typically format their results at some point for presentation and inspection by
the program user. In many cases, numeric results are formatted as ASCII strings for printing or display.
This example shows how floating-point values can be converted to decimal ASCII character strings.
The function shown in figure 4-6 can be invoked from PL/M-286, Pascal-286, FORTRAN-286, or
ASM286 routines.
Shortness, speed, and accuracy were chosen rather than providing the maximum number of significant
digits possible. An attempt is made to keep integers in their own domain to avoid unnecessary conversion errors.
Using the extended precision real number format, this routine achieves a worst case accuracy of three
units in the 16th decimal position for a noninteger value or integers greater than 10^18. This is double
precision accuracy. With values having decimal exponents less than 100 in magnitude, the accuracy is
one unit in the 17th decimal position.
Higher precision can be achieved with greater care in programming, larger program size, and lower
performance.

iAPX286 MACRO ASSEMBLER    80287 Floating-Point to 18-Digit ASCII Conversion    10:12:38  09/25/83

SERIES-III iAPX286 MACRO ASSEMBLER X108 ASSEMBLY OF MODULE FLOATING_TO_ASCII
OBJECT MODULE PLACED IN :F3:FPASC.OBJ
ASSEMBLER INVOKED BY: ASM286.86 :F3:FPASC.AP2

$title("80287 Floating-Point to 18-Digit ASCII Conversion")

                public  floating_to_ascii
                extrn   get_power_10:near, tos_status:near
;
;       This subroutine will convert the floating point number in the
;   top of the 80287 stack to  1.  Unnormal values,
;   denormal values, and pseudo zeroes will be correctly converted.
;   A returned value will indicate how many binary bits of
;   precision were lost in an unnormal or denormal value.  The magnitude
;   (in terms of binary power) of a pseudo zero will also be indicated.
;   Integers less than 10**18 in magnitude are accurately converted if the
;   destination ASCII string field is wide enough to hold all the
;   digits.  Otherwise the value is converted to scientific notation.
;
;       The status of the conversion is identified by the return value,
;   it can be:
;
;       0       conversion complete, string_size is defined
;       1       invalid arguments
;       2       exact integer conversion, string_size is defined
;       3       indefinite
;       4       + NAN (Not A Number)
;       5       - NAN
;       6       + Infinity
;       7       - Infinity
;       8       pseudo zero found, string_size is defined
;
;       The PLM/286 calling convention is:
;
;   floating_to_ascii:
;       procedure (number, denormal_ptr, string_ptr, size_ptr, field_size,
;               power_ptr) word external;
;       declare (denormal_ptr, string_ptr, power_ptr, size_ptr) pointer;
;       declare field_size word, string_size based size_ptr word;
;       declare number real;
;       declare denormal integer based denormal_ptr;
;       declare power integer based power_ptr;
;       end floating_to_ascii;
;
;       The floating point value is expected to be on the top of the NPX
;   stack.  This subroutine expects 3 free entries on the NPX stack and
;   will pop the passed value when done.  The generated ASCII string
;   will have a leading character either '-' or '+' indicating the sign
;   of the value.  The ASCII decimal digits will immediately follow.
;   The numeric value of the ASCII string is (ASCII STRING.)*10**POWER.
;   If the given number was zero, the ASCII string will contain a sign
;   and a single zero character.  The value string_size indicates the total
;   length of the ASCII string including the sign character.  String(0) will
;   always hold the sign.  It is possible for string_size to be less than
;   field_size.  This occurs for zeroes or integer values.  A pseudo zero
;   will return a special return code.  The denormal count will indicate
;   the power of two originally associated with the value.  The power of
;   ten and ASCII string will be as if the value was an ordinary zero.
;
;       This subroutine is accurate up to a maximum of 18 decimal digits for
;   integers.  Integer values will have a decimal power of zero associated
;   with them.  For non integers, the result will be accurate to within 2
;   decimal digits of the 16th decimal place (double precision).  The
;   exponentiate instruction is also used for scaling the value into the
;   range acceptable for the BCD data type.  The rounding mode in effect
;   on entry to the subroutine is used for the conversion.
;
;       The following registers are not transparent:
;
;       Define the stack layout.
;
bp_save         equ     word ptr [bp]
es_save         equ     bp_save + size bp_save
return_ptr      equ     es_save + size es_save
power_ptr       equ     return_ptr + size return_ptr
field_size      equ     power_ptr + size power_ptr
size_ptr        equ     field_size + size field_size
string_ptr      equ     size_ptr + size size_ptr
denormal_ptr    equ     string_ptr + size string_ptr

parms_size      equ     size power_ptr + size field_size + size size_ptr +
                        size string_ptr + size denormal_ptr
;
;       Define constants used
;
BCD_DIGITS      equ     18              ; Number of digits in bcd_value
WORD_SIZE       equ     2
BCD_SIZE        equ     10
MINUS           equ     1               ; Define return values
NAN             equ     4               ; The exact values chosen here are
INFINITY        equ     6               ; important.  They must correspond to
INDEFINITE      equ     3               ; the possible return values and be in
PSUEDO_ZERO     equ     8               ; the same numeric order as tested by
INVALID         equ     -2              ; the program.
ZERO            equ     -4
DENORMAL        equ     -6
UNNORMAL        equ     -8
NORMAL          equ     0
EXACT           equ     2
;
;       Define layout of temporary storage area.
;
status          equ     word ptr [bp-WORD_SIZE]
power_two       equ     status - WORD_SIZE
power_ten       equ     power_two - WORD_SIZE
bcd_value       equ     tbyte ptr power_ten - BCD_SIZE
bcd_byte        equ     byte ptr bcd_value
fraction        equ     bcd_value

local_size      equ     size status + size power_two + size power_ten
                        + size bcd_value

code            segment er public
                extrn   power_table:qword
;
;       Constants used by this function.
;
                even                    ; Optimize for 16 bits
const10         dw      10              ; Adjustment value for too big BCD
;
;       Convert the C3,C2,C1,C0 encoding from tos_status into meaningful bit
;   flags and values.
;
status_table    db      UNNORMAL, NAN, UNNORMAL + MINUS, NAN + MINUS,
                        NORMAL, INFINITY, NORMAL + MINUS, INFINITY + MINUS,
                        ZERO, INVALID, ZERO + MINUS, INVALID,
                        DENORMAL, INVALID, DENORMAL + MINUS, INVALID

Figure 4-6. Floating-Point to ASCII Conversion Routine


call

ST(O)

b 1, ax

Look at status of ST(O)
Get descriptor frOm table

a1,status_table[bx]
OIL INVALID

Look for empty STeO)

tos_status

is empty!

Return the status value.

RE'move infinity from stack and exit.

fstp
Jm,

st (0)
short exit_proc

String space is too small!

;

OK to leave fstp running

Return invalld code

OIL INVALID

leave
pop
ret

i

RestorE.' stack

es
parms_size

ST(O) is NAN or indefinite.
Store the value in memory and look
at the fraction field to separate indefinite from an ordinary NAN.

fstp
test
fwait
JZ

fraction
ai, MINUS

mov
sub
or
Jnz

bx.OCOOOH
bx.word ptr
bx. word ptr
bx. word ptr
bx. word ptr
9xit..JH·OC

Jmp

al, INDEFINITE
exit.JIroc

Remove value from stack for examination
Look at sign bit
Insure stoT'e is done
Can't be indefinite if positive

exit.JIroc
fraction+6
fraction+4
fraction+2
fraction

Match against upper 16 bits· of fraction
CompaT'e bits 63-48
Bits 32-47 must be zero
Bits,l'31-16 must be zero
Bits 15-0 must be zero

Set return value for indefinite value

Allocate stack space for local variables and establish parameter
addressibility.
not_empty:
push
enter

"10cal_size.O

Save working register
FOT'mat stOiC II

mov
 if it is too small 01' large. than adJust it by ten and
adJust th. powe" of ten value

testJower:

37.

f!com

380
381
382
383
38.
38.
386
387
388
39.
3.0

fstsw
test
J"'
f:Ldiv

an'
in'
Jmp

power_tableCsiJ+type power_table) Compare against exact power
J entry.
U!ie thf! ne~t entry since cx
J
has been decremented by one
) No lIIait is necessart,!
ax. 4100H
) If C3 - CO .. 0 than too big
test_fo" _sm,all

.,

const10
d 1. not EXACT
word ptr tb xJ
.ho"t; in_ranga

I
J

..

3.3

pOWIi!1"_hbhCsiJ

394

39.

j

1U.IOOH
1n_range

396
397
399
39'
400

Umul
dac

401
40.
403

constiO
LIIo"d pt,.

I

"
Cbx~

Elu adJust value
Rli!mova axact fllag
AdJust power of tan value
Convart the value to a BCD int.g.r

Test relative size
No wait is naca.sart,!
If! CO - 0 than st(O) >- low.,. bound
Conv.rt tha valua to a BCD intager
AdJust valu. into range
AdJu.t powar of t.n valua

flrndint

404

0140

I
I

'"f"ndint
fcomp
J"'

33.

40S
406
407
408
40.
410
411
41.
413
414
415

,ax,poLlla,,_ten
ax, ex
adJust_"luult

fscal a

3.,
39.

0137

PAGE

Wait for power_ten to be valid
Get powe" of tan of value
Form scaling factor nacaIl5.,,1,1 in ax
Jump if number will not fit

i'Li/ait
mov
sub
J,a

373
37.
375
376
377
378

0'1'/25/83

SOURCE

32.
323
3.4
32S
326

372

011E

10: 12: 38

,
J

A.... rt: 0 <- TOS <- 999.999.999.999.999.999
The TOS number will ba . . . c:tll,l repraunhble in 19 digit BCD format.

convart_i nteg.,.:

Whih the .to,..e BCD "uns . . . etup ragi.tns for the conversion to
ASCII.
I Initial BCD index valua

Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont'd.)

4-11

[Listing of module FLOATING_TO_ASCII: unpacking of the BCD value into the ASCII string and exit.]

Comments in this part of the listing:

Register usage:
ah: BCD byte value in use
al: ASCII character value
dx: Return value
ch: BCD mask = 0fh
cl: BCD shift count = 4
bx: ASCII string field width
si: BCD field index
di: ASCII string field pointer
ds,es: ASCII string segment base

Set shift count and mask. Set initial size of ASCII field for sign. Get address of start of ASCII string. Copy ds to es. Set autoincrement mode. Clear sign field. Look for negative value.
Bump string pointer past sign. Turn off sign bit. Wait for fbstp to finish.
Remove leading zeroes from the number.
Get BCD byte. Copy value. Get high order digit. Set zero flag. Exit loop if leading non zero found.
Get BCD byte again. Get low order digit. Exit loop if non zero digit found. Decrement BCD index.
The significand was all zeroes. Set initial zero. Bump string length.
Now expand the BCD string into digit per byte values 0-9.
Get BCD byte. Get high order digit. Convert to ASCII. Put digit into ASCII string. Get low order digit. Bump field size counter.
Convert to ASCII. Put digit into ASCII area. Bump field size counter. Go to next BCD byte.
Conversion complete. Set the string size and remainder.

ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS

Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont'd.)

[Listing of module GET_POWER_10, "Calculate the value of 10**ax": table of exact powers of ten and the start of the exponentiation code.]

Comments in this part of the listing:

This subroutine will calculate the value of 10**ax. For values of 0 <= ax < 19, the result will be exact. All 80286 registers are transparent and the value is returned on the TOS as two numbers, exponent in ST(1) and fraction in ST(0). The exponent value can be larger than the largest exponent of an extended real format number. Three stack entries are used.
Use exact values from 1.0 to 1e18.
Optimize 16 bit access.
Test for 0 <= ax < 19.
Get working index register. Form table index. Get exact value. Restore register value. Separate power and fraction. OK to leave fxtract running.
Calculate the value using the exponentiate instruction. The following relations are used:
10**x = 2**(log2(10)*x)
2**(I+F) = 2**I * 2**F
If st(1) = I and st(0) = 2**F then fscale produces 2**(I+F)
TOS = LOG2(10). Format stack. Save power of 10 value. TOS, X = LOG2(10)*P = LOG2(10**P).
Get current control word. Get control word, no wait necessary. Mask off current rounding field. Set round to negative infinity. Put new control word in memory. Old control word is in ax.
Set TOS = -1.0.

Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont'd.)

[Listing of module GET_POWER_10, "Calculate the value of 10**ax", concluded.]

Comments in this part of the listing:

Copy power value in base two. Set new control word value.
TOS = I: -inf < I <= X, I is an integer. Restore original rounding control.
TOS = X, ST(1) = -1.0.
TOS = F = X-I: 0 <= TOS < 1.0.
Restore power of ten.
TOS = F/2: 0 <= TOS < 0.5.
TOS = 2**(F/2) - 1.0. Restore stack. Form 2**(F/2). Form 2**F. OK to leave fmul running.

ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS

[Listing of module TOS_STATUS, "Determine TOS register contents".]

This subroutine will return a value from 0-15 in AX corresponding
to the contents of 80287 TOS. All registers are transparent and no
errors are possible. The return value corresponds to c3,c2,c1,c0
of FXAM instruction.

tos_status      proc
        fxam                    ; Get register contents status
        fstsw   ax              ; Get status
        mov     al,ah           ; Put bit 10-8 into bits 2-0
        and     ax,4007h        ; Mask out bits c3,c2,c1,c0
        shr     ah,3            ; Put bit c3 into bit 11
        or      al,ah           ; Put c3 into bit 3
        mov     ah,0            ; Clear return value
        ret
tos_status      endp

ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS

Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont'd.)

Function Partitioning
Three separate modules implement the conversion. Most of the work of the conversion is done in the
module FLOATING_TO_ASCII. The other modules are provided separately, because they have a
more general use. One of them, GET_POWER_10, is also used by the ASCII to floating-point conversion routine. The other small module, TOS_STATUS, will identify what, if anything, is in the top of
the numeric register stack.


Exception Considerations
Care is taken inside the function to avoid generating exceptions. Any possible numeric value will be
accepted. The only exceptions possible would occur if insufficient space exists on the numeric register
stack.
The value passed in the numeric stack is checked for existence, type (NaN or infinity), and status
(unnormal, denormal, zero, sign). The string size is tested for a minimum and maximum value. If the
top of the register stack is empty, or the string size is too small, the function will return with an error
code.
Overflow and underflow are avoided inside the function for very large or very small numbers.

Special Instructions
The functions demonstrate the operation of several numeric instructions, different data types, and
precision control. Shown are instructions for automatic conversion to BCD, calculating the value of 10
raised to an integer value, establishing and maintaining concurrency, data synchronization, and use of
directed rounding on the NPX.
Without the extended precision data type and built-in exponential function, the double precision accuracy
of this function could not be attained with the size and speed of the shown example.
The function relies on the numeric BCD data type for conversion from binary floating-point to decimal.
It is not difficult to unpack the BCD digits into separate ASCII decimal digits. The major work involves
scaling the floating-point value to the comparatively limited range of BCD values. To print a 9-digit
result requires accurately scaling the given value to an integer between 10**8 and 10**9. For example, the
number +0.123456789 requires a scaling factor of 10**9 to produce the value +123456789.0, which
can be stored in 9 BCD digits. The scale factor must be an exact power of 10 to avoid changing any
of the printed digit values.
These routines should exactly convert all values exactly representable in decimal in the field size given.
Integer values that fit in the given string size will not be scaled, but directly stored into the BCD form.
Noninteger values exactly representable in decimal within the string size limits will also be exactly
converted. For example, 0.125 is exactly representable in binary or decimal. To convert this floating-point value to decimal, the scaling factor will be 1000, resulting in 125. When scaling a value, the
function must keep track of where the decimal point lies in the final decimal value.

Description of Operation
Converting a floating-point number to decimal ASCII takes three major steps: identifying the magnitude of the number, scaling it for the BCD data type, and converting the BCD data type to a decimal
ASCII string.
Identifying the magnitude of the result requires finding the value X such that the number is represented by I * 10**X, where 1.0 <= I < 10.0. Scaling the number requires multiplying it by a scaling
factor 10**S, so that the result is an integer requiring no more decimal digits than provided for in the
ASCII string.
Once scaled, the numeric rounding modes and BCD conversion put the number in a form easy to
convert to decimal ASCII by host software.


Implementing each of these three steps requires attention to detail. To begin with, not all floating-point
values have a numeric meaning. Values such as infinity, indefinite, or Not a Number (NaN) may be
encountered by the conversion routine. The conversion routine should recognize these values and identify
them uniquely.
Special cases of numeric values also exist. Denormals, unnormals, and pseudo zero all have a numeric
value but should be recognized, because all of them indicate that precision was lost during some earlier
calculations.
Once it has been determined that the number has a numeric value, and it is normalized, setting appropriate unnormal flags, the value must be scaled to the BCD range.

Scaling the Value
To scale the number, its magnitude must be determined. It is sufficient to calculate the magnitude to
an accuracy of 1 unit, or within a factor of 10 of the given value. After scaling the number, a check
will be made to see if the result falls in the range expected. If not, the result can be adjusted one
decimal order of magnitude up or down. The adjustment test after the scaling is necessary due to
inevitable inaccuracies in the scaling value.
Because the magnitude estimate need only be close, a fast technique is used. The magnitude is estimated
by multiplying the power of 2, the unbiased floating-point exponent, associated with the number by
log10(2). Rounding the result to an integer will produce an estimate of sufficient accuracy. Ignoring the
fraction value can introduce a maximum error of 0.32 in the result.
Using the magnitude of the value and size of the number string, the scaling factor can be calculated.
Calculating the scaling factor is the most inaccurate operation of the conversion process. The relation
10**X = 2**(X*log2(10)) is used for this function. The exponentiate instruction (F2XM1) will be used.
Due to restrictions on the range of values allowed by the F2XM1 instruction, the power of 2 value will
be split into integer and fraction components. The relation 2**(I + F) = 2**I * 2**F allows using
the FSCALE instruction to recombine the 2**F value, calculated through F2XM1, and the 2**I part.
INACCURACY IN SCALING

The inaccuracy of these operations arises because of the trailing zeros placed into the fraction value
when stripping off the integer valued bits. For each integer valued bit in the power of 2 value separated
from the fraction bits, one bit of precision is lost in the fraction field due to the zero fill occurring in
the least significant bits.
Up to 14 bits may be lost in the fraction because the largest allowed floating point exponent value is
2**14 - 1.
AVOIDING UNDERFLOW AND OVERFLOW

The fraction and exponent fields of the number are separated to avoid underflow and overflow in
calculating the scaling values. For example, to scale 10**-4932 to 10**8 requires a scaling factor of 10**4950,
which cannot be represented by the NPX.
By separating the exponent and fraction, the scaling operation involves adding the exponents separate
from multiplying the fractions. The exponent arithmetic will involve small integers, all easily represented by the NPX.


FINAL ADJUSTMENTS

It is possible that the power function (Get_Power_10) could produce a scaling value such that it forms
a scaled result larger than the ASCII field could allow. For example, scaling 9.9999999999999999 X
10**4900 by 1.00000000000000010 X 10**-4883 would produce 1.00000000000000009 X 10**18. The scale
factor is within the accuracy of the NPX and the result is within the conversion accuracy, but it cannot
be represented in BCD format. This is why there is a post-scaling test on the magnitude of the result.
The result can be multiplied or divided by 10, depending on whether the result was too small or too
large, respectively.

Output Format
For maximum flexibility in output formats, the position of the decimal point is indicated by a binary
integer called the power value. If the power value is zero, then the decimal point is assumed to be at
the right of the rightmost digit. Power values greater than zero indicate how many trailing zeros are
not shown. For each unit below zero, move the decimal point to the left in the string.
The last step of the conversion is storing the result in BCD and indicating where the decimal point lies.
The BCD string is then unpacked into ASCII decimal characters. The ASCII sign is set corresponding
to the sign of the original value.
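
The three steps described above (magnitude estimate from the binary exponent, scaling with the post-scaling adjustment, BCD unpacking with a separate power value), as an added C sketch that is not the manual's ASM286 routine. It assumes a C double instead of the 80-bit NPX format (hence at most 15 digits), uses hypothetical function names and return codes, and rounds half up rather than using the NPX rounding modes. It applies the power of ten in two halves instead of separating exponent and fraction, and omits the exact-value shortcut and the unnormal and denormal flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BCD_BYTES  9   /* digit bytes of an 80287 packed-decimal operand (18 digits) */
#define MAX_DIGITS 15  /* assumption: C double, fewer digits than the NPX offers */
#define LOG10_2    0.30102999566398120

/* Hypothetical return codes for this sketch (not the manual's values). */
enum { CONV_OK = 0, CONV_BAD_FIELD = -1, CONV_NOT_NUMERIC = -2 };

/* 10**n for n >= 0 by repeated squaring; exact in a double up to 1e22. */
static double pow10_int(int n) {
    double r = 1.0, b = 10.0;
    for (; n > 0; n >>= 1, b *= b)
        if (n & 1) r *= b;
    return r;
}

/* Apply 10**s in two halves so the scale factor itself never overflows. */
static double scale10(double v, int s) {
    int h = s / 2;
    if (s >= 0) return v * pow10_int(h) * pow10_int(s - h);
    return v / pow10_int(-h) / pow10_int(h - s);
}

/* Unbiased binary exponent E of a positive finite v, where v = 1.f * 2**E. */
static int unbiased_exp(double v) {
    uint64_t bits;
    int adj = 0;
    memcpy(&bits, &v, sizeof bits);
    if ((bits >> 52) == 0) {            /* denormal: normalize it first */
        v *= 18446744073709551616.0;    /* 2**64, exact */
        adj = 64;
        memcpy(&bits, &v, sizeof bits);
    }
    return (int)(bits >> 52) - 1023 - adj;
}

/* Pack n as packed BCD: two digits per byte, low-order digits first. */
static void pack_bcd(uint64_t n, unsigned char bcd[BCD_BYTES]) {
    for (int i = 0; i < BCD_BYTES; i++) {
        unsigned lo = (unsigned)(n % 10); n /= 10;
        unsigned hi = (unsigned)(n % 10); n /= 10;
        bcd[i] = (unsigned char)((hi << 4) | lo);
    }
}

/* Expand packed BCD into ASCII digits, skipping leading zeroes. */
static int unpack_bcd(const unsigned char bcd[BCD_BYTES], char *out) {
    int len = 0;
    for (int i = BCD_BYTES - 1; i >= 0; i--) {
        unsigned d[2] = { (unsigned)(bcd[i] >> 4), (unsigned)(bcd[i] & 0x0F) };
        for (int k = 0; k < 2; k++)
            if (len > 0 || d[k] != 0) out[len++] = (char)('0' + d[k]);
    }
    if (len == 0) out[len++] = '0';     /* the significand was all zeroes */
    return len;
}

/* value = digits in str * 10**(*power_ten); str needs digits + 2 bytes. */
int float_to_ascii(double v, int digits, char *str, int *power_ten) {
    uint64_t bits, n = 0;
    unsigned char bcd[BCD_BYTES];
    int s = 0, len;

    if (digits < 1 || digits > MAX_DIGITS) return CONV_BAD_FIELD;
    memcpy(&bits, &v, sizeof bits);
    if (((bits >> 52) & 0x7FF) == 0x7FF) return CONV_NOT_NUMERIC; /* infinity, NaN */
    str[0] = (bits >> 63) ? '-' : '+';
    bits &= ~(1ULL << 63);              /* continue with the magnitude */
    memcpy(&v, &bits, sizeof v);

    if (v != 0.0) {
        double lower = pow10_int(digits - 1), upper = lower * 10.0;
        double t = unbiased_exp(v) * LOG10_2;       /* magnitude estimate */
        int x = (int)(t >= 0 ? t + 0.5 : t - 0.5);  /* off by at most one */
        s = digits - 1 - x;
        double scaled = scale10(v, s);
        if (scaled < lower)       { scaled *= 10.0; s++; }  /* estimate too high */
        else if (scaled >= upper) { scaled /= 10.0; s--; }  /* estimate too low */
        n = (uint64_t)(scaled + 0.5);               /* round to an integer */
        if (n >= (uint64_t)upper) { n /= 10; s--; } /* rounding added a digit */
    }
    pack_bcd(n, bcd);
    len = unpack_bcd(bcd, str + 1);
    str[1 + len] = '\0';
    *power_ten = -s;
    return CONV_OK;
}

int main(void) {
    char s[MAX_DIGITS + 2];
    int p;
    if (float_to_ascii(0.123456789, 9, s, &p) == CONV_OK)
        printf("%s x 10**%d\n", s, p);
    return 0;
}
```

The value 9.0 exercises the adjustment for an estimate that is one too high, and 9.9999999999 exercises the case where rounding carries into a digit the field cannot hold.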

TRIGONOMETRIC CALCULATION EXAMPLES
The 80287 instruction set does not provide a complete set of trigonometric functions that can be used
directly in calculations. Rather, the basic building blocks for implementing trigonometric functions are
provided by the FPTAN and FPREM instructions. The example in figure 4-7 shows how three trigonometric functions (sine, cosine, and tangent) can be implemented using the 80287. All three functions
accept a valid angle argument between -2**62 and +2**62. These functions may be called from
PL/M-286, Pascal-286, FORTRAN-286, or ASM286 routines.
These trigonometric functions use the partial tangent instruction together with trigonometric identities
to calculate the result. They are accurate to within 16 units of the low 4 bits of an extended precision
value. The functions are coded for speed and small size, with tradeoffs available for greater accuracy.

FPTAN and FPREM
These trigonometric functions use the FPTAN instruction of the NPX. FPTAN requires that the angle
argument be between 0 and π/4 radians, 0 to 45 degrees. The FPREM instruction is used to reduce
the argument down to this range. The low three quotient bits set by FPREM identify which octant the
original angle was in.
One FPREM instruction iteration can reduce angles of 10**18 radians or less in magnitude to π/4! Larger
values can be reduced, but the meaning of the result is questionable, because any errors in the least
significant bits of that value represent changes of 45 degrees or more in the reduced angle.


Cosine Uses Sine Code
To save code space, the cosine function uses most of the sine function code. The relation sin(|A| +
π/2) = cos(A) is used to convert the cosine argument into a sine argument. Adding π/2 to the angle
is performed by adding 010 (binary) to the FPREM quotient bits identifying the argument's octant.
It would be very inaccurate to add π/2 to the cosine argument if it was very much different
from π/2.
Depending on which octant the argument falls in, a different relation will be used in the sine and
tangent functions. The program listings show which relations are used.
For the tangent function, the ratio produced by FPTAN will be directly evaluated. The sine function
will use either a sine or cosine relation depending on which octant the angle fell into. On exit, these
functions will normally leave a divide instruction in progress to maintain concurrency.

If the input angles are of a restricted range, such as from 0 to 45 degrees, then considerable optimization is possible since full angle reduction and octant identification is not necessary.
All three functions begin by looking at the value given to them. Not a Number (NaN), infinity, or
empty registers must be specially treated. Unnormals need to be converted to normal values before the
FPTAN instruction will work correctly. Denormals will be converted to very small unnormals that do
work correctly for the FPTAN instruction. The sign of the angle is saved to control the sign of the
result.
Within the functions, close attention was paid to maintain concurrent execution of the 80287 and host.
The concurrent execution will effectively hide the execution time of the decision logic used in the
program.

[Listing of module TRIG_FUNCTIONS, "80287 Trignometric Functions": public symbols sine, cosine and tangent, the status word record, and the local constants.]

Comments in this part of the listing:

Reserve local space.
Define local constants.
pi_quarter      dt      3FFEC90FDAA22168C235R   ; PI/4
indefinite      dd      0FFC00000R              ; Indefinite special value

Figure 4-7. Calculating Trigonometric Functions

[Listing of module TRIG_FUNCTIONS: sine and cosine entry, angle reduction and octant selection.]

Comments in this part of the listing:

This subroutine calculates the sine or cosine of the angle, given in radians. The angle is in ST(0), the returned value will be in ST(0). The result is accurate to within 7 units of the least significant three bits of the NPX extended real format.
Any roundoff error in the calculation of the angle given could completely change the result of this function. It is safest to call this very rare case an error.
Reduce angle. Note that fprem will force a denormal to a very small unnormal. Fptan of a very small unnormal will be the same very small unnormal, which is correct.
Save old status in BX. Check if reduction was complete. Quotient in C0, C3, C1. Put new status in bx.
sin(2*N*PI+x) = sin(x)
Set sign flags and test for which eighth of the revolution the angle fell into.
Assert: -PI/4 < st(0) < PI/4
Force the argument positive. cond1 bit in bx holds the sign. Test for sine or cosine function. Jump if sine function.
This is a cosine function. Ignore the original sign of the angle and add a quarter revolution to the octant id from the fprem instruction. cos(A) = sin(A+PI/2) and cos(|A|) = cos(A)
Turn off sign of argument. Prepare to add 010 to C0, C3, C1 status value in ax. Set busy bit so carry out from C3 will go into the carry flag. Extract carry flag. Put carry flag in low bit. Add carry to C0 not changing C1 flag.
See if the argument should be reversed, depending on the octant in which the argument fell during fprem.
Reverse angle if C1 = 1.
Angle was in octants 1,3,5,7. Invert sense of rotation. 0 < arg <= PI/4.
Angle was in octants 0,2,4,6. Test for a zero argument since fptan will not work if st(0) = 0.
Test for zero angle. cond3 = 1 if st(0) = 0. Remove PI/4. If C3=1, argument is zero.

Figure 4-7. Calculating Trigonometric Functions (Cont'd.)

[Listing of module TRIG_FUNCTIONS: completion of the sine and cosine code and the start of the tangent function.]

Comments in this part of the listing:

Assert: 0 < st(0) <= PI/4
TAN ST(0) = ST(1)/ST(0) = Y/X
Copy Y value. Put Y value in numerator.
Copy X value. Put X in numerator.
Form x*x + y*y.
The top of the stack is either NAN, infinity, or empty. Remove PI/4. Return empty if no parm.
st(0) is infinity. ST(1) can be anything. Ok to leave fprem running.
Simulate fptan with st(0) = 0. Simulate tan(0). Return the zero value.
The angle was too large. Remove the modulus and dividend from the stack and return an indefinite result.
The tangent function uses the fptan instruction. Four possible relations are used:
Let R = |angle MOD PI/4|
S = -1 or 1 depending on the sign of the angle
1) tan(R)
2) tan(PI/4-R)
3) 1/tan(R)
4) 1/tan(PI/4-R)
The following table is used to decide which relation to use depending on in which octant the angle fell.
Look at the parameter. Get fxam status. Get PI/4. CF = C0, PF = C2, ZF = C3.
Angle is either an normal or denormal. Reduce the angle to the range -PI/4 < result < PI/4. If fprem cannot perform this operation in one try, the magnitude of the angle must be > 2**62. Such an angle is so large that any rounding errors could make a very large difference in the reduced angle. It is safest to call this very rare case an error.
Quotient in C0, C3, C1. Convert denormals into unnormals.
Quotient identifies octant original angle fell into. Test for complete reduction. Exit if angle was too big.
See if the angle must be reversed.
Assert: -PI/4 < st(0) < PI/4
0 <= st(0) < PI/4. C3 in bx has the sign flag.
Angle fell in octants 1,3,5,7. Reverse it, subtract it from PI/4. Reverse angle.
Angle is either zero or an unnormal. Remove PI/4.
Angle is an unnormal.

Figure 4-7. Calculating Trigonometric Functions (Cont'd.)

[Listing of module TRIG_FUNCTIONS: completion of the tangent function and the normalize_value routine.]

Comments in this part of the listing:

Angle fell in octants 0,2,4,6. Test for st(0) = 0, fptan won't work.
Test for zero angle. C3 = 1 if st(0) = 0. Remove PI/4.
tan ST(0) = ST(1)/ST(0)
Decide on the order of the operands and their sign for the divide operation while the fptan instruction is working.
Get a copy of fprem C3 flag. Examine fprem C3 flag and FXAM C1 flag. Use reverse divide if in octants 1,2,5,6. Note! parity works on low 8 bits only!
Angle was in octants 0,3,4,7. Test for the sign of the result. Two negatives cancel.
Form result. Ok to leave fdiv running.
Force 1/0 = tan(PI/2).
Angle was in octants 1,2,5,6. Set the correct sign of the result.
Form reciprocal of result. Ok to leave fdiv running.
This function will normalize the value in st(0). Then PI/4 is placed into st(1).
Force value positive. Get normalize bit. Normalize fraction. Restore original value. Form original normalized value. Remove scale factor. Get PI/4.

ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS

Figure 4-7. Calculating Trigonometric Functions (Cont'd.)

APPENDIX A
MACHINE INSTRUCTION ENCODING AND DECODING
Machine instructions for the 80287 come in one of five different forms, as shown in Table A-1. In all
cases, the instructions are at least two bytes long and begin with the bit pattern 11011B, which identifies the ESCAPE class of instructions. Instructions that reference memory operands are encoded much
like similar CPU instructions, because all of the CPU memory-addressing modes may be used with
ESCAPE instructions.
Note that several of the processor control instructions (see Table 2-11 in Chapter Two) may be preceded
by an assembler-generated CPU WAIT instruction (encoding: 10011011B) if they are programmed
using the WAIT form of their mnemonics. The ASM286 assembler inserts a WAIT instruction only
before these specific processor control instructions; all of the numeric instructions are automatically
synchronized by the 80286 CPU, and an explicit WAIT instruction, though allowed, is not necessary.
Table A-1. 80287 Instruction Encoding

       Lower-Addressed Byte          Higher-Addressed Byte       0, 1, or 2 bytes
(1)    1 1 0 1 1   OP-A     1        MOD   1   OP-B    R/M       DISPLACEMENT
(2)    1 1 0 1 1   FORMAT   OP-A     MOD   OP-B        R/M       DISPLACEMENT
(3)    1 1 0 1 1   R   P    OP-A     1 1   OP-B        REG
(4)    1 1 0 1 1   0   0    1        1 1 1   OP
(5)    1 1 0 1 1   0   1    1        1 1 1   OP
       7 6 5 4 3   2   1    0        7 6 5 4 3 2 1 0

NOTES:

(1) Memory transfers, including applicable processor control instructions; 0, 1, or 2 displacement bytes may
    follow.
(2) Memory arithmetic and comparison instructions; 0, 1, or 2 displacement bytes may follow.
(3) Stack arithmetic and comparison instructions.
(4) Constant, transcendental, some arithmetic instructions.
(5) Processor control instructions that do not reference memory.
OP, OP-A, OP-B: Instruction opcode, possibly split into two fields.
MOD: Same as 80286 CPU mode field.
R/M: Same as 80286 CPU register/memory field.
FORMAT: Defines memory operand
    00 = short real
    01 = short integer
    10 = long real
    11 = word integer
R:  0 = return result to stack top
    1 = return result to other register
P:  0 = do not pop stack
    1 = pop stack after operation
REG: register stack element
    000 = stack top
    001 = next on stack
    010 = third stack element, etc.

Table A-2 lists all 80287 machine instructions in binary sequence. This table may be used to "disassemble" instructions in unformatted memory dumps or instructions monitored from the data bus. Users
writing exception handlers may also find this information useful to identify the offending instruction.
Table A-2. Machine Instruction Decoding Guide

Bytes 3, 4: (disp-lo),(disp-hi) for the memory-operand entries (second byte MODxx xR/M).

1st Byte          2nd Byte      ASM286 Instruction Format
Hex  Binary

D8   1101 1000    MOD00 0R/M    FADD      short-real
D8   1101 1000    MOD00 1R/M    FMUL      short-real
D8   1101 1000    MOD01 0R/M    FCOM      short-real
D8   1101 1000    MOD01 1R/M    FCOMP     short-real
D8   1101 1000    MOD10 0R/M    FSUB      short-real
D8   1101 1000    MOD10 1R/M    FSUBR     short-real
D8   1101 1000    MOD11 0R/M    FDIV      short-real
D8   1101 1000    MOD11 1R/M    FDIVR     short-real
D8   1101 1000    1100 0REG     FADD      ST,ST(i)
D8   1101 1000    1100 1REG     FMUL      ST,ST(i)
D8   1101 1000    1101 0REG     FCOM      ST(i)
D8   1101 1000    1101 1REG     FCOMP     ST(i)
D8   1101 1000    1110 0REG     FSUB      ST,ST(i)
D8   1101 1000    1110 1REG     FSUBR     ST,ST(i)
D8   1101 1000    1111 0REG     FDIV      ST,ST(i)
D8   1101 1000    1111 1REG     FDIVR     ST,ST(i)
D9   1101 1001    MOD00 0R/M    FLD       short-real
D9   1101 1001    MOD00 1R/M    reserved
D9   1101 1001    MOD01 0R/M    FST       short-real
D9   1101 1001    MOD01 1R/M    FSTP      short-real
D9   1101 1001    MOD10 0R/M    FLDENV    14-bytes
D9   1101 1001    MOD10 1R/M    FLDCW     2-bytes
D9   1101 1001    MOD11 0R/M    FSTENV    14-bytes
D9   1101 1001    MOD11 1R/M    FSTCW     2-bytes
D9   1101 1001    1100 0REG     FLD       ST(i)
D9   1101 1001    1100 1REG     FXCH      ST(i)
D9   1101 1001    1101 0000     FNOP
D9   1101 1001    1101 0001     reserved
D9   1101 1001    1101 001-     reserved
D9   1101 1001    1101 01--     reserved
D9   1101 1001    1101 1REG     *(1)
D9   1101 1001    1110 0000     FCHS
D9   1101 1001    1110 0001     FABS
D9   1101 1001    1110 001-     reserved
D9   1101 1001    1110 0100     FTST
D9   1101 1001    1110 0101     FXAM
D9   1101 1001    1110 011-     reserved
D9   1101 1001    1110 1000     FLD1
D9   1101 1001    1110 1001     FLDL2T
D9   1101 1001    1110 1010     FLDL2E
D9   1101 1001    1110 1011     FLDPI
D9   1101 1001    1110 1100     FLDLG2
D9   1101 1001    1110 1101     FLDLN2
D9   1101 1001    1110 1110     FLDZ
D9   1101 1001    1110 1111     reserved
D9   1101 1001    1111 0000     F2XM1
D9   1101 1001    1111 0001     FYL2X
D9   1101 1001    1111 0010     FPTAN
D9   1101 1001    1111 0011     FPATAN
D9   1101 1001    1111 0100     FXTRACT
D9   1101 1001    1111 0101     reserved
D9   1101 1001    1111 0110     FDECSTP
D9   1101 1001    1111 0111     FINCSTP
D9   1101 1001    1111 1000     FPREM
D9   1101 1001    1111 1001     FYL2XP1
D9   1101 1001    1111 1010     FSQRT
D9   1101 1001    1111 1011     reserved
D9   1101 1001    1111 1100     FRNDINT
D9   1101 1001    1111 1101     FSCALE
D9   1101 1001    1111 111-     reserved
DA   1101 1010    MOD00 0R/M    FIADD     short-integer
DA   1101 1010    MOD00 1R/M    FIMUL     short-integer
DA   1101 1010    MOD01 0R/M    FICOM     short-integer
DA   1101 1010    MOD01 1R/M    FICOMP    short-integer
DA   1101 1010    MOD10 0R/M    FISUB     short-integer
DA   1101 1010    MOD10 1R/M    FISUBR    short-integer
DA   1101 1010    MOD11 0R/M    FIDIV     short-integer
DA   1101 1010    MOD11 1R/M    FIDIVR    short-integer
DA   1101 1010    11-- ----     reserved
DB   1101 1011    MOD00 0R/M    FILD      short-integer
DB   1101 1011    MOD00 1R/M    reserved
DB   1101 1011    MOD01 0R/M    FIST      short-integer
DB   1101 1011    MOD01 1R/M    FISTP     short-integer
DB   1101 1011    MOD10 0R/M    reserved
DB   1101 1011    MOD10 1R/M    FLD       temp-real
DB   1101 1011    MOD11 0R/M    reserved
DB   1101 1011    MOD11 1R/M    FSTP      temp-real
DB   1101 1011    110- ----     reserved
DB   1101 1011    1110 0000     reserved (8087 FENI)
DB   1101 1011    1110 0001     reserved (8087 FDISI)
DB   1101 1011    1110 0010     FCLEX
DB   1101 1011    1110 0011     FINIT
DB   1101 1011    1110 0100     FSETPM
DB   1101 1011    1110 1---     reserved
DB   1101 1011    1111 ----     reserved
DC   1101 1100    MOD00 0R/M    FADD      long-real
DC   1101 1100    MOD00 1R/M    FMUL      long-real
DC   1101 1100    MOD01 0R/M    FCOM      long-real
DC   1101 1100    MOD01 1R/M    FCOMP     long-real
DC   1101 1100    MOD10 0R/M    FSUB      long-real
DC   1101 1100    MOD10 1R/M    FSUBR     long-real
DC   1101 1100    MOD11 0R/M    FDIV      long-real
DC   1101 1100    MOD11 1R/M    FDIVR     long-real
DC   1101 1100    1100 0REG     FADD      ST(i),ST
DC   1101 1100    1100 1REG     FMUL      ST(i),ST
DC   1101 1100    1101 0REG     *(2)
DC   1101 1100    1101 1REG     *(3)
DC   1101 1100    1110 0REG     FSUB      ST(i),ST
DC   1101 1100    1110 1REG     FSUBR     ST(i),ST
DC   1101 1100    1111 0REG     FDIV      ST(i),ST
DC   1101 1100    1111 1REG     FDIVR     ST(i),ST
DD   1101 1101    MOD00 0R/M    FLD       long-real
DD   1101 1101    MOD00 1R/M    reserved
DD   1101 1101    MOD01 0R/M    FST       long-real
DD   1101 1101    MOD01 1R/M    FSTP      long-real
DD   1101 1101    MOD10 0R/M    FRSTOR    94-bytes
DD   1101 1101    MOD10 1R/M    reserved
DD   1101 1101    MOD11 0R/M    FSAVE     94-bytes
DD   1101 1101    MOD11 1R/M    FSTSW     2-bytes
DD   1101 1101    1100 0REG     FFREE     ST(i)
DD   1101 1101    1100 1REG     *(4)
DD   1101 1101    1101 0REG     FST       ST(i)
DD   1101 1101    1101 1REG     FSTP      ST(i)
DD   1101 1101    111- ----     reserved
DE   1101 1110    MOD00 0R/M    FIADD     word-integer
DE   1101 1110    MOD00 1R/M    FIMUL     word-integer
DE   1101 1110    MOD01 0R/M    FICOM     word-integer
DE   1101 1110    MOD01 1R/M    FICOMP    word-integer
DE   1101 1110    MOD10 0R/M    FISUB     word-integer
DE   1101 1110    MOD10 1R/M    FISUBR    word-integer
DE   1101 1110    MOD11 0R/M    FIDIV     word-integer
DE   1101 1110    MOD11 1R/M    FIDIVR    word-integer
DE   1101 1110    1100 0REG     FADDP     ST(i),ST
DE   1101 1110    1100 1REG     FMULP     ST(i),ST
DE   1101 1110    1101 0---     *(5)
DE   1101 1110    1101 1000     reserved
DE   1101 1110    1101 1001     FCOMPP
DE   1101 1110    1101 101-     reserved
DE   1101 1110    1101 11--     reserved
DE   1101 1110    1110 0REG     FSUBP     ST(i),ST
DE   1101 1110    1110 1REG     FSUBRP    ST(i),ST
DE   1101 1110    1111 0REG     FDIVP     ST(i),ST
DE   1101 1110    1111 1REG     FDIVRP    ST(i),ST
DF   1101 1111    MOD00 0R/M    FILD      word-integer
DF   1101 1111    MOD00 1R/M    reserved
DF   1101 1111    MOD01 0R/M    FIST      word-integer
DF   1101 1111    MOD01 1R/M    FISTP     word-integer
DF   1101 1111    MOD10 0R/M    FBLD      packed-decimal
DF   1101 1111    MOD10 1R/M    FILD      long-integer
DF   1101 1111    MOD11 0R/M    FBSTP     packed-decimal
DF   1101 1111    MOD11 1R/M    FISTP     long-integer
DF   1101 1111    1100 0REG     *(6)
DF   1101 1111    1100 1REG     *(7)
DF   1101 1111    1101 0REG     *(8)
DF   1101 1111    1101 1REG     *(9)
DF   1101 1111    1110 0000     FSTSW     AX
DF   1101 1111    1111 XXXX     reserved

NOTE:

* The marked encodings are not generated by the language translators. If, however, the 80287 encounters
one of these encodings in the instruction stream, it will execute it as follows:
(1) FSTP   ST(i)
(2) FCOM   ST(i)
(3) FCOMP  ST(i)
(4) FXCH   ST(i)
(5) FCOMP  ST(i)
(6) FFREE  ST(i) and pop stack
(7) FXCH   ST(i)
(8) FSTP   ST(i)
(9) FSTP   ST(i)
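The field layout of Table A-1 and the D9 111x xxxx rows of Table A-2, applied to raw bytes the way an exception handler or a memory-dump reader would use them. This is an added example, not code from the manual. The struct and function names, the segment-override prefix values, the rule that picks form (1) over form (2) from the fixed bits alone, and the sample bytes in main() are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of one decoded 80287 ESCAPE instruction (names are this example's own). */
typedef struct {
    int form;         /* row 1..5 of Table A-1, selected by its fixed bits only */
    int wait;         /* 1 if a CPU WAIT (10011011B) precedes the instruction */
    int prefix_len;   /* segment-override bytes before the ESC opcode */
    int mod, rm;      /* MOD and R/M fields; rm holds REG when mod == 3 */
    int op;           /* forms 1-3: byte-1 bits 2..0 joined with byte-2 bits 5..3;
                         forms 4-5: the five-bit OP field */
    int format;       /* FORMAT field (form 2 only), otherwise -1 */
    int disp_len;     /* displacement bytes after the second byte: 0, 1 or 2 */
    int length;       /* bytes consumed in total, WAIT and prefixes included */
    const char *name; /* Table A-2 mnemonic for form 4, otherwise "" */
} esc_insn;

/* Table A-2: first byte D9, second byte 111x xxxx, indexed by the low five bits. */
static const char *const FORM4_NAME[32] = {
    "FCHS", "FABS", "reserved", "reserved", "FTST", "FXAM", "reserved", "reserved",
    "FLD1", "FLDL2T", "FLDL2E", "FLDPI", "FLDLG2", "FLDLN2", "FLDZ", "reserved",
    "F2XM1", "FYL2X", "FPTAN", "FPATAN", "FXTRACT", "reserved", "FDECSTP", "FINCSTP",
    "FPREM", "FYL2XP1", "FSQRT", "reserved", "FRNDINT", "FSCALE", "reserved", "reserved"
};

/* Assumption: only the ES:, CS:, SS:, DS: override prefixes are skipped. */
static int is_seg_prefix(uint8_t b)
{
    return b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E;
}

/* Decode the instruction at p[0..n). Returns 0 on success, -1 when the bytes
   are not a complete ESCAPE instruction (wrong class or truncated). */
int decode_esc(const uint8_t *p, size_t n, esc_insn *out)
{
    size_t i = 0;
    uint8_t b1, b2;

    memset(out, 0, sizeof *out);
    out->format = -1;
    out->name = "";

    if (i < n && p[i] == 0x9B) { out->wait = 1; i++; }
    while (i < n && is_seg_prefix(p[i])) { out->prefix_len++; i++; }
    if (n - i < 2 || (p[i] & 0xF8) != 0xD8)   /* ESCAPE class starts 11011B */
        return -1;
    b1 = p[i];
    b2 = p[i + 1];

    out->mod = b2 >> 6;
    out->rm = b2 & 7;
    out->op = ((b1 & 7) << 3) | ((b2 >> 3) & 7);

    if (out->mod != 3) {
        /* 80286 addressing: MOD=00 carries no displacement unless R/M=110 */
        if (out->mod == 0)
            out->disp_len = (out->rm == 6) ? 2 : 0;
        else
            out->disp_len = out->mod;          /* MOD=01: 1 byte, MOD=10: 2 bytes */
        if ((b1 & 1) && (b2 & 0x20)) {
            out->form = 1;                     /* fixed 1 bits of row (1) */
        } else {
            out->form = 2;
            out->format = (b1 >> 1) & 3;       /* 00 short real .. 11 word integer */
        }
    } else if ((b2 & 0xE0) == 0xE0 && (b1 == 0xD9 || b1 == 0xDB)) {
        out->form = (b1 == 0xD9) ? 4 : 5;
        out->op = b2 & 0x1F;
        if (out->form == 4)
            out->name = FORM4_NAME[out->op];
    } else {
        out->form = 3;
    }
    if (n - i - 2 < (size_t)out->disp_len)     /* displacement cut off */
        return -1;
    out->length = (int)i + 2 + out->disp_len;
    return 0;
}

int main(void)
{
    /* Constructed sample: WAIT + FINIT, FPTAN, then a CS-override temp-real load. */
    const uint8_t dump[] = { 0x9B, 0xDB, 0xE3, 0xD9, 0xF2, 0x2E, 0xDB, 0x2E, 0x00, 0x00 };
    size_t off = 0;
    esc_insn d;

    while (off < sizeof dump && decode_esc(dump + off, sizeof dump - off, &d) == 0) {
        printf("offset %u: form %d, %d bytes %s\n", (unsigned)off, d.form, d.length, d.name);
        off += (size_t)d.length;
    }
    return 0;
}
```

The form number reported here reflects only which fixed-bit pattern of Table A-1 the bytes match; the instruction itself is still looked up in Table A-2.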

APPENDIX B
COMPATIBILITY BETWEEN
THE 80287 NPX AND THE 8087
The 80286/80287 operating in Real-Address mode will execute 8087 programs without major modification. However, because of differences in the handling of numeric exceptions by the 80287 NPX and
the 8087 NPX, exception-handling routines may need to be changed.
This appendix summarizes the differences between the 80287 NPX and the 8087 NPX, and provides
details showing how 8087 programs can be ported to the 80287.
1. The 80287 signals exceptions through a dedicated ERROR line to the 80286. The 80287 error
   signal does not pass through an interrupt controller (the 8087 INT signal does). Therefore, any
   interrupt-controller-oriented instructions in numeric exception handlers for the 8087 should be
   deleted.

2. The 8087 instructions FENI/FNENI and FDISI/FNDISI perform no useful function in the 80287.
   If the 80287 encounters one of these opcodes in its instruction stream, the instruction will effectively be ignored; none of the 80287 internal states will be updated. While 8087 code containing
   these instructions may be executed on the 80287, it is unlikely that the exception-handling routines
   containing these instructions will be completely portable to the 80287.

3. Interrupt vector 16 must point to the numeric exception handling routine.

4. The ESC instruction address saved in the 80287 includes any leading prefixes before the ESC
   opcode. The corresponding address saved in the 8087 does not include leading prefixes.

5. In Protected-Address mode, the format of the 80287's saved instruction and address pointers is
   different than for the 8087. The instruction opcode is not saved in Protected mode; exception
   handlers will have to retrieve the opcode from memory if needed.

6. Interrupt 7 will occur in the 80286 when executing ESC instructions with either TS (task switched)
   or EM (emulation) of the 80286 MSW set (TS = 1 or EM = 1). If TS is set, then a WAIT instruction will also cause interrupt 7. An exception handler should be included in 80287 code to handle
   these situations.

7. Interrupt 9 will occur if the second or subsequent words of a floating-point operand fall outside a
   segment's size. Interrupt 13 will occur if the starting address of a numeric operand falls outside a
   segment's size. An exception handler should be included in 80287 code to report these programming errors.

8. Except for the processor control instructions, all of the 80287 numeric instructions are automatically synchronized by the 80286 CPU: the 80286 automatically tests the BUSY line from the
   80287 to ensure that the 80287 has completed its previous instruction before executing the next
   ESC instruction. No explicit WAIT instructions are required to assure this synchronization. For
   the 8087 used with 8086 and 8088 processors, explicit WAITs are required before each numeric
   instruction to ensure synchronization. Although 8087 programs having explicit WAIT instructions
   will execute perfectly on the 80287 without reassembly, these WAIT instructions are unnecessary.

9. Since the 80287 does not require WAIT instructions before each numeric instruction, the ASM286
   assembler does not automatically generate these WAIT instructions. The ASM86 assembler,
   however, automatically precedes every ESC instruction with a WAIT instruction. Although numeric
   routines generated using the ASM86 assembler will generally execute correctly on the 80286/20,
   reassembly using ASM286 may result in a more compact code image.

   The processor control instructions for the 80287 may be coded using either a WAIT or No-WAIT
   form of mnemonic. The WAIT forms of these instructions cause ASM286 to precede the ESC
   instruction with a CPU WAIT instruction, in the identical manner as does ASM86.

10. A recommended way to detect the presence of an 80287 in an 80286 system (or an 8087 in an
    8086 system) is shown below. It assumes that the system hardware causes the data bus to be high
    if no 80287 is present to drive the data lines during the FSTSW (Store 80287 Status Word)
    instruction.
    FND_287: FNINIT                  ; initialize numeric processor.
             FSTSW   STAT            ; store status word into location STAT.
             MOV     AX,STAT
             OR      AL,AL           ; Zero Flag reflects result of OR.
             JZ      GOT_287         ; Zero in AL means 80287 is present.
    ;
    ;   No 80287 Present
    ;
             SMSW    AX
             OR      AX,0004H        ; set EM bit in Machine Status Word
             LMSW    AX              ; to enable software emulation of 287.
             JMP     CONTINUE
    ;
    ;   80287 is present in system
    ;
    GOT_287: SMSW    AX
             OR      AX,0002H        ; set MP bit in Machine Status Word
             LMSW    AX              ; to permit normal 80287 operation
    ;
    ;   Continue
    ;
    CONTINUE:                        ; and off we go

An 80286/80287 design must place a pull-up resistor on one of the low eight data bus bits of the
80286 to be sure it is read as a high when no 80287 is present.

APPENDIX C
IMPLEMENTING THE IEEE P754 STANDARD
The 80287 NPX, together with standard support library software, provides an implementation of the IEEE "A
Proposed Standard for Binary Floating-Point Arithmetic," Draft 10.0, Task P754, of December 2,
1982. The 80287 Support Library, described in 80287 Support Library Reference Manual, Order
Number 122129, is an example of such a support library.
This appendix describes the relationship between the 80287 NPX and the IEEE Standard. Where the
Standard has options, Intel's choices in implementing the 80287 are described. Where portions of the
Standard are implemented through software, this appendix indicates which modules of the 80287
Support Library implement the Standard. Where special software in addition to the Support Library
may be required by your application, this appendix indicates how to write this software.
This appendix contains many terms with precise technical meanings, specified in the 754 Standard.
Where these terms are used, they have been capitalized to emphasize the precision of their meanings.
The Glossary provides the definitions for all capitalized phrases in this appendix.

OPTIONS IMPLEMENTED IN THE 80287
The 80287 SHORT_REAL and LONG_REAL formats conform precisely to the Standard's Single
and Double Floating-Point Numbers, respectively. The 80287 TEMP_REAL format is the same as the
Standard's Double Extended format. The Standard allows a choice of Bias in representing the exponent;
the 80287 uses the Bias 16383 decimal.
For the Double Extended format, the Standard contains an option for the meaning of the minimum
exponent combined with a nonzero significand. The Bias for this special case can be either 16383, as
in all the other cases, or 16382, making the smallest exponent equivalent to the second-smallest exponent.
The 80287 uses the Bias 16382 for this case. This allows the 80287 to distinguish between Denormal
numbers (integer part is zero, fraction is nonzero, Biased exponent is 0) and Unnormal numbers of the
same value (same as the denormal except the Biased Exponent is 1).
The Standard allows flexibility in specifying which NaNs are trapping and which are nontrapping. The
EH287.LIB module of the 80287 Support Library provides a software implementation of nontrapping
NaNs, and defines one distinction between trapping and nontrapping NaNs: If the most significant bit
of the fractional part of a NaN is 1, the NaN is nontrapping. If it is 0, the NaN is trapping.
When a masked Invalid Operation error involves two NaN inputs, the Standard allows flexibility in
choosing which NaN is output. The 80287 selects the NaN whose absolute value is greatest.

AREAS OF THE STANDARD IMPLEMENTED IN SOFTWARE
There are five areas of the Standard that are not implemented directly in the 80287 hardware; these
areas are instead implemented in software as part of the 80287 Support Library.

1. The Standard requires that a Normalizing Mode be provided, in which any nonnormal operands
   to functions are automatically normalized before the function is performed. The NPX provides a
   "Denormal operand" exception for this case, allowing the exception handler the opportunity to
   perform the normalization specified by the Standard. The Denormal operand exception handler
   provided by EH287.LIB implements the Standard's Normalizing Mode completely for Single- and
   Double-precision arguments. Normalizing mode for Double Extended operands is implemented in
   EH287.LIB with one non-Standard feature, discussed in the next section.

2. The Standard specifies that in comparing two operands whose relationship is "unordered," the
   equality test yield an answer of FALSE, with no errors or exceptions. The 80287 FCOM and
   FTST instructions themselves issue an Invalid Operation exception in this case. The error handler
   EH287.LIB filters out this Invalid Operation error using the following convention: Whenever an
   FCOM or FTST instruction is followed by a MOV AX,AX instruction (8BC0 Hex), and neither
   argument is a trapping NaN, the error handler will assume that a Standard equality comparison
   was intended, and return the correct answer with the Invalid Operation exception flag erased.
   Note that the Invalid Operation exception must be unmasked for this action to occur.

3. The Standard requires that two kinds of NaN's be provided: trapping and nontrapping. Nontrapping NaNs will not cause further Invalid Operation errors when they occur as operands to calculations. The NPX hardware directly supports only trapping NaN's; the EH287.LIB software
   implements nontrapping NaNs by returning the correct answer with the Invalid Operation exception flag erased. Note that the Invalid Operation exception must be unmasked for this action to
   occur.

4. The Standard requires that all functions that convert real numbers to integer formats automatically normalize the inputs if necessary. The integer conversion functions contained in CEL287.LIB
   fully meet the Standard in this respect; the 80287 FIST instruction alone does not perform this
   normalization.

5. The Standard specifies the remainder function which is provided by mqerRMD in CEL287.LIB.
   The 80287 FPREM instruction returns answers within a different range.

ADDITIONAL SOFTWARE TO MEET THE STANDARD
There are two cases in which additional software is required in conjunction with the 80287 Support
Library in order to meet the standard. The 80287 Support Library does not provide this software in
the interest of saving space and because the vast majority of applications will never encounter these
cases.
1. When the Invalid Operation exception is masked, Nontrapping NaNs are not implemented fully.
   Likewise, the Standard's equality test for "unordered" operands is not implemented when the
   Invalid Operation exception is masked. Programmers can simulate the Standard notion of a masked
   Invalid Operation exception by unmasking the 80287 Invalid Operation exception, and providing
   an Invalid Operation exception handler that supports nontrapping NaNs and the equality test, but
   otherwise acts just as if the Invalid Operation exception were masked. The 80287 Support Library
   Reference Manual contains examples for programming this handler in both ASM286 and
   PL/M-286.

2. In Normalizing Mode, Denormal operands in the TEMP_REAL format are converted to 0 by
   EH287.LIB, giving sharp Underflow to 0. The Standard specifies that the operation be performed
   on the real numbers represented by the denormals, giving gradual underflow. To correctly perform
   such arithmetic while in Normalizing Mode, programmers would have to normalize the operands
   into a format identical to TEMP_REAL except for two extra exponent bits, then perform the
   operation on those numbers. Thus, software must be written to handle the 17-bit exponent explicitly.


In designing the EH287.LIB, it was felt that it would be a disadvantage to most users to increase the
size of the Normalizing routine by the amount necessary to provide this expanded arithmetic. Because
the TEMP_REAL exponent field is so much larger than the LONG_REAL exponent field, it is
extremely unlikely that TEMP_REAL underflow will be encountered in most applications.
If meeting the Standard is a more important criterion for your application than the choice between
Normalizing and warning modes, then you can select warning mode (Denormal operand exceptions
masked), which fully meets the Standard.
If you do wish to implement the Normalization of denormal operands in TEMP_REAL format using
extra exponent bits, the list below indicates some useful pointers about handling Denormal operand
exceptions:
1. TEMP_REAL numbers are considered Denormal by the NPX whenever the Biased Exponent is
   0 (minimum exponent). This is true even if the explicit integer bit of the significand is 1. Such
   numbers can occur as the result of Underflow.

2. The 80287 FLD instruction can cause a Denormal Operand error if a number is being loaded
   from memory. It will not cause this exception if the number is being loaded from elsewhere in the
   80287 stack.

3. The 80287 FCOM and FTST instructions will cause a Denormal Operand exception for unnormal
   operands as well as for denormal operands.

4. In cases where both the Denormal Operand and Invalid Operation exceptions occur, you will want
   to know which is signalled first. When a comparison instruction operates between a nonexistent
   stack element and a denormal number in 80286 memory, the D and I exceptions are issued simultaneously. In all other situations, a Denormal Operand exception takes precedence over a nonstack
   Invalid operation exception, while a stack Invalid Operation exception takes precedence over a
   Denormal Operand exception.
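The TEMP_REAL choices described under "Options Implemented in the 80287" (Bias 16383, Bias 16382 at the minimum exponent, the trapping/nontrapping NaN bit) and pointers 1 to 3 above, worked through as a classifier a Denormal operand handler could start from. This is an added example, not code from EH287.LIB or the manual; the type and function names are hypothetical, and treating every maximum-exponent value with a zero fraction as Infinity regardless of the integer bit is an assumption.

```c
#include <stdint.h>

enum tr_class { TR_ZERO, TR_DENORMAL, TR_UNNORMAL, TR_NORMAL,
                TR_INFINITY, TR_TRAPPING_NAN, TR_NONTRAPPING_NAN };

typedef struct {
    int sign;           /* 1 = negative */
    int biased_exp;     /* 15-bit Exponent field as stored */
    int true_exp;       /* Bias removed; not meaningful for Zero, Infinity or NaN */
    enum tr_class cls;
} temp_real_info;

/* Classify a TEMP_REAL from its sign/exponent word and 64-bit significand
   (bit 63 = explicit integer bit, bits 62..0 = fraction). */
temp_real_info classify_temp_real(uint16_t sign_exp, uint64_t significand)
{
    temp_real_info r;
    uint64_t fraction = significand & 0x7FFFFFFFFFFFFFFFULL;
    int integer_bit = (int)(significand >> 63);

    r.sign = sign_exp >> 15;
    r.biased_exp = sign_exp & 0x7FFF;
    /* Bias is 16383, except 16382 at the minimum exponent, so Biased Exponents
       0 and 1 stand for the same true exponent. */
    r.true_exp = (r.biased_exp == 0) ? -16382 : r.biased_exp - 16383;

    if (r.biased_exp == 0x7FFF) {
        if (fraction == 0)
            r.cls = TR_INFINITY;   /* assumption: integer bit not examined */
        else                       /* most significant fraction bit 1 = nontrapping */
            r.cls = (fraction >> 62) ? TR_NONTRAPPING_NAN : TR_TRAPPING_NAN;
    } else if (r.biased_exp == 0) {
        /* Denormal whenever the Biased Exponent is 0, even with integer bit 1 */
        r.cls = (significand == 0) ? TR_ZERO : TR_DENORMAL;
    } else {
        r.cls = integer_bit ? TR_NORMAL : TR_UNNORMAL;
    }
    return r;
}

/* Same classification from the 10-byte memory image (little-endian:
   significand in bytes 0..7, sign/exponent word in bytes 8..9). */
temp_real_info classify_temp_real_bytes(const uint8_t b[10])
{
    uint64_t sig = 0;
    int k;

    for (k = 7; k >= 0; k--)
        sig = (sig << 8) | b[k];
    return classify_temp_real((uint16_t)(b[8] | (b[9] << 8)), sig);
}

/* Pointers 2 and 3: a load from memory signals Denormal Operand for denormals;
   FCOM and FTST signal it for unnormals as well. */
int signals_denormal_operand(enum tr_class c, int is_compare)
{
    return c == TR_DENORMAL || (is_compare && c == TR_UNNORMAL);
}
```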

GLOSSARY OF 80287
AND FLOATING-POINT TERMINOLOGY
This glossary defines many terms that have precise technical meanings as specified in the IEEE 754
Standard. Where these terms are used, they have been capitalized to emphasize the precision of their
meanings. In reading these definitions, you may therefore interpret any capitalized terms or phrases as
cross-references.
Affine Mode: a state of the 80287, selected in the 80287 Control Word, in which infinities are treated
as having a sign. Thus, the values +INFINITY and - INFINITY are considered different; they can
be compared with finite numbers and with each other.
Base: (1) a term used in logarithms and exponentials. In both contexts, it is a number that is being
raised to a power. The two equations (y = log base b of x) and (b^y = x) are the same.
Base: (2) a number that defines the representation being used for a string of digits. Base 2 is the binary
representation; Base 10 is the decimal representation; Base 16 is the hexadecimal representation. In
each case, the Base is the factor of increased significance for each succeeding digit (working up from
the bottom).
Bias: the difference between the unsigned Integer that appears in the Exponent field of a Floating-Point Number and the true Exponent that it represents. To obtain the true Exponent, you must subtract
the Bias from the given Exponent. For example, the Short Real format has a Bias of 127 whenever the
given Exponent is nonzero. If the 8-bit Exponent field contains 10000011, which is 131, the true
Exponent is 131-127, or +4.
Biased Exponent: the Exponent as it appears in a Floating-Point Number, interpreted as an unsigned,
positive number. In the above example, 131 is the Biased Exponent.
Binary Coded Decimal: a method of storing numbers that retains a base 10 representation. Each decimal
digit occupies 4 full bits (one hexadecimal digit). The hex values A through F (1010 through 1111)
are not used. The 80287 supports a Packed Decimal format that consists of 9 bytes of Binary Coded
Decimal (18 decimal digits) and one sign byte.
Binary Point: an entity just like a decimal point, except that it exists in binary numbers. Each binary
digit to the right of the Binary Point is multiplied by an increasing negative power of two.
C3-C0: the four "condition code" bits of the 80287 Status Word. These bits are set to certain values
by the compare, test, examine, and remainder functions of the 80287.
Characteristic: a term used for some non-Intel computers, meaning the Exponent field of a Floating-Point Number.
Chop: to set the fractional part of a real number to zero, yielding the nearest integer in the direction
of zero.
Control Word: a 16-bit 80287 register that the user can set, to determine the modes of computation
the 80287 will use, and the error interrupts that will be enabled.

Denormal: a special form of Floating-Point Number, produced when an Underflow occurs. On the
80287, a Denormal is defined as a number with a Biased Exponent that is zero. By providing a Significand with leading zeros, the range of possible negative Exponents can be extended by the number of
bits in the Significand. Each leading zero is a bit of lost accuracy, so the extended Exponent range is
obtained by reducing significance.
Double Extended: the Standard's term for the 80287 Temporary Real format, with more Exponent
and Significand bits than the Double (Long Real) format, and an explicit Integer bit in the Significand.
Double Floating Point Number: the Standard's term for the 80287's 64-bit Long Real format.
Environment: the 14 bytes of 80287 registers affected by the FSTENV and FLDENV instructions. It
encompasses the entire state of the 80287, except for the 8 Temporary Real numbers of the 80287
stack. Included are the Control Word, Status Word, Tag Word, and the instruction, opcode, and operand
information provided by interrupts.
Exception: any of the six error conditions (I, D, O, U, Z, P) signalled by the 80287.
Exponent: (1) any power that is raised by an exponential function. For example, the operand to the
function mqerEXP is an Exponent. The Integer operand to mqerYI2 is an Exponent.
Exponent: (2) the field of a Floating-Point Number that indicates the magnitude of the number. This
would fall under the above more general definition (1), except that a Bias sometimes needs to be
subtracted to obtain the correct power.
Floating-Point Number: a sequence of data bytes that, when interpreted in a standardized way, represents a Real number. Floating-Point Numbers are more versatile than Integer representations in two
ways. First, they include fractions. Second, their Exponent parts allow a much wider range of magnitude than possible with fixed-length Integer representations.
Gradual Underflow: a method of handling the Underflow error condition that minimizes the loss of
accuracy in the result. If there is a Denormal number that represents the correct result, that Denormal
is returned. Thus, digits are lost only to the extent of denormalization. Most computers return zero
when Underflow occurs, losing all significant digits.
Implicit Integer Bit: a part of the Significand in the Short Real and Long Real formats that is not
explicitly given. In these formats, the entire given Significand is considered to be to the right of the
Binary Point. A single Implicit Integer Bit to the left of the Binary Point is always 1, except in one
case. When the Exponent is the minimum (Biased Exponent is 0), the Implicit Integer Bit is 0.
Indefinite: a special value that is returned by functions when the inputs are such that no other sensible
answer is possible. For each Floating-Point format there exists one Nontrapping NaN that is designated
as the Indefinite value. For binary Integer formats, the negative number furthest from zero is often
considered the Indefinite value. For the 80287 Packed Decimal format, the Indefinite value contains
all 1's in the sign byte and the uppermost digits byte.
Infinity: a value that has greater magnitude than any Integer or any Real number. The existence of
Infinity is subject to heated philosophical debate. However, it is often useful to consider Infinity as
another number, subject to special rules of arithmetic. All three Intel Floating-Point formats provide
representations for + INFINITY and - INFINITY. They support two ways of dealing with Infinity:
Projective (unsigned) and Affine (signed).

Integer: a number (positive, negative, or zero) that is finite and has no fractional part. Integer can also
mean the computer representation for such a number: a sequence of data bytes, interpreted in a standard
way. It is perfectly reasonable for Integers to be represented in a Floating-Point format; this is what
the 80287 does whenever an Integer is pushed onto the 80287 stack.
Invalid Operation: the error condition for the 80287 that covers all cases not covered by other errors.
Included are 80287 stack overflow and underflow, NaN inputs, illegal infinite inputs, out-of-range
inputs, and illegal unnormal inputs.
Long Integer: an Integer format supported by the 80287 that consists of a 64-bit Two's Complement
quantity.
Long Real: a Floating-Point Format supported by the 80287 that consists of a sign, an 11-bit Biased
Exponent, an Implicit Integer Bit, and a 52-bit Significand, a total of 64 explicit bits.
Mantissa: a term used for some non-Intel computers, meaning the Significand of a Floating-Point
Number.
Masked: a term that applies to each of the six 80287 Exceptions I,D,Z,O,U,P. An exception is Masked
if a corresponding bit in the 80287 Control Word is set to 1. If an exception is Masked, the 80287 will
not generate an interrupt when the error condition occurs; it will instead provide its own error recovery.
NaN: an abbreviation for Not a Number; a Floating-Point quantity that does not represent any numeric
or infinite quantity. NaNs should be returned by functions that encounter serious errors. If created
during a sequence of calculations, they are transmitted to the final answer and can contain information
about where the error occurred.
Nontrapping NaN: a NaN in which the most significant bit of the fractional part of the Significand is
1. By convention, these NaNs can undergo certain operations without visible error. Nontrapping NaNs
are implemented for the 80287 via the software in EH87.LIB.
Normal: the representation of a number in a Floating-Point format in which the Significand has an
Integer bit 1 (either explicit or Implicit).
Normalizing Mode: a state in which nonnormal inputs are automatically converted to normal inputs
whenever they are used in arithmetic. Normalizing Mode is implemented for the 80287 via the software
in EH87.LIB.
NPX: Numeric Processor Extension. This is the 80287.
Overflow: an error condition in which the correct answer is finite, but has magnitude too great to be
represented in the destination format.
Packed Decimal: an Integer format supported by the 80287. A Packed Decimal number is a 10-byte
quantity, with nine bytes of 18 Binary Coded Decimal digits, and one byte for the sign.
Pop: to remove from a stack the last item that was placed on the stack.
Precision Control: an option, programmed through the 80287 Control Word, that allows all 80287
arithmetic to be performed with reduced precision. Because no speed advantage results from this option,
its only use is for strict compatibility with the IEEE Standard, and with other computer systems.

Precision Exception: an 80287 error condition that results when a calculation does not return an exact
answer. This exception is usually Masked and ignored; it is used only in extremely critical applications,
when the user must know if the results are exact.
Projective Mode: a state of the 80287, selected in the 80287 Control Word, in which infinities are
treated as not having a sign. Thus the values +INFINITY and -INFINITY are considered the same.
Certain operations, such as comparison to finite numbers, are illegal in Projective Mode but legal in
Affine Mode. Thus Projective Mode gives you a greater degree of error control over infinite inputs.
Pseudo Zero: a special value of the Temporary Real format. It is a number with a zero significand
and an Exponent that is neither all zeros nor all ones. Pseudo zeros can come about as the result of
multiplication of two Unnormal numbers; but they are very rare.
Real: any finite value (negative, positive, or zero) that can be represented by a decimal expansion. The
fractional part of the decimal expansion can contain an infinite number of digits. Reals can be represented as the points of a line marked off like a ruler. The term Real can also refer to a Floating-Point
Number that represents a Real value.
Short Integer: an Integer format supported by the 80287 that consists of a 32-bit Two's Complement
quantity. Short Integer is not the shortest 80287 Integer format; the 16-bit Word Integer is.
Short Real: a Floating-Point Format supported by the 80287, which consists of a sign, an 8-bit Biased
Exponent, an Implicit Integer Bit, and a 23-bit Significand, a total of 32 explicit bits.
Significand: the part of a Floating-Point Number that consists of the most significant nonzero bits of
the number, if the number were written out in an unlimited binary format. The Significand alone is
considered to have a Binary Point after the first (possibly Implicit) bit; the Binary Point is then moved
according to the value of the Exponent.
Single Extended: a Floating-Point format, required by the Standard, that provides greater precision
than Single; it also provides an explicit Integer Significand bit. The 80287's Temporary Real format
meets the Single Extended requirement as well as the Double Extended requirement.
Single Floating-Point Number: the Standard's term for the 80287's 32-bit Short Real format.
Standard: "a Proposed Standard for Binary Floating-Point Arithmetic," Draft 10.0 of IEEE Task P754,
December 2, 1982.
Status Word: a 16-bit 80287 register that can be manually set, but which is usually controlled by side
effects to 80287 instructions. It contains condition codes, the 80287 stack pointer, busy and interrupt
bits, and error flags.
Tag Word: a 16-bit 80287 register that is automatically maintained by the 80287. For each space in
the 80287 stack, it tells if the space is occupied by a number; if so, it gives information