Intel Computer Accessories 80286 Users Manual
210498-005: 80286 and 80287 Programmer's Reference Manual, 1987 (PDF, 515 pages)
80286 AND 80287 PROGRAMMER'S REFERENCE MANUAL

1987

Intel Corporation makes no warranty for the use of its products and assumes no responsibility for any errors which may appear in this document nor does it make a commitment to update the information contained herein.

Intel retains the right to make changes to these specifications at any time, without notice.

Contact your local sales office to obtain the latest specifications before placing your order.

The following are trademarks of Intel Corporation and may only be used to identify Intel Products:

Above, BITBUS, COMMputer, CREDIT, Data Pipeline, FASTPATH, Genius, i, ICE, iCEL, iCS, iDBP, iDIS, I²ICE, iLBX, i m, iMDDX, iMMX, Inboard, Insite, Intel, intel, intelBOS, Intel Certified, Intelevision, inteligent Identifier, inteligent Programming, Intellec, Intellink, iOSP, iPDS, iPSC, iRMK, iRMX, iSBC, iSBX, iSDM, iSXM, KEPROM, Library Manager, MAPNET, MCS, Megachassis, MICROMAINFRAME, MULTIBUS, MULTICHANNEL, MULTIMODULE, MultiSERVER, ONCE, OpenNET, OTP, PC BUBBLE, Plug-A-Bubble, PROMPT, Promware, QUEST, QueX, Quick-Pulse Programming, Ripplemode, RMX/80, RUPI, Seamless, SLD, SugarCube, SupportNET, UPI, and VLSiCEL, and the combination of ICE, iCS, iRMX, iSBC, iSBX, iSXM, MCS, or UPI and a numerical suffix, 4-SITE.

MDS is an ordering code only and is not used as a product name or trademark. MDS® is a registered trademark of Mohawk Data Sciences Corporation.

MULTIBUS is a patented Intel bus.
Additional copies of this manual or other Intel literature may be obtained from:

Intel Corporation
Literature Distribution
Mail Stop SC6-59
3065 Bowers Avenue
Santa Clara, CA 95051

© INTEL CORPORATION 1987    CG-5/26/87

PREFACE

This manual describes the 80286, the most powerful 16-bit microprocessor in the 8086 family, and the 80287 Numeric Processor Extension (NPX).

ORGANIZATION OF THIS MANUAL

This manual is, essentially, two books in one. The first book describes the 80286, the second the 80287 NPX.

80286

The 80286 contains a table of contents, eleven chapters, four appendices, and an index. For more information on the 80286 book's organization, see its first chapter, Chapter 1, "Introduction to the 80286." Section 1.4 in that chapter explains the organization in detail.

80287 NPX

The 80287 NPX contains a preface, table of contents, four chapters, three appendices, and a glossary. For more information on the 80287 NPX book's organization, see its preface.

TABLE OF CONTENTS

CHAPTER 1
INTRODUCTION TO THE 80286
  General Attributes
  Modes of Operation
  Advanced Features
    Memory Management
    Task Management
    Protection Mechanisms
    Support for Operating Systems
  Organization of This Book
  Related Publications

CHAPTER 2
80286 BASE ARCHITECTURE
  Memory Organization and Segmentation
  Data Types
  Registers
    General Registers
    Memory Segmentation and Segment Registers
    Index, Pointer, and Base Registers
    Status and Control Registers
  Addressing Modes
    Operands
    Register and Immediate Modes
    Memory Addressing Modes
      Segment Selection
      Offset Computation
      Memory Mode
  Input/Output
    I/O Address Space
    Memory-Mapped I/O
  Interrupts and Exceptions
  Hierarchy of Instruction Sets

CHAPTER 3
BASIC INSTRUCTION SET
  Data Movement Instructions
    General-Purpose Data Movement Instructions
    Stack Manipulation Instructions
  Flag Operation with the Basic Instruction Set
    Status Flags
    Control Flags
  Arithmetic Instructions
    Addition Instructions
    Subtraction Instructions
    Multiplication Instructions
    Division Instructions
  Logical Instructions
    Boolean Operation Instructions
    Shift and Rotate Instructions
      Shift Instructions
      Rotate Instructions
    Type Conversion and No-Operation Instructions
  Test and Compare Instructions
  Control Transfer Instructions
    Unconditional Transfer Instructions
      Jump Instruction
      Call Instruction
      Return and Return from Interrupt Instruction
    Conditional Transfer Instructions
      Conditional Jump Instructions
      Loop Instructions
      Executing a Loop or Repeat Zero Times
    Software-Generated Interrupts
      Software Interrupt Instruction
  Character Translation and String Instructions
    Translate Instruction
    String Manipulation Instructions and Repeat Prefixes
      String Movement Instructions
      Other String Operations
  Address Manipulation Instructions
  Flag Control Instructions
    Carry Flag Control Instructions
    Direction Flag Control Instructions
    Flag Transfer Instructions
  Binary-Coded Decimal Arithmetic Instructions
    Packed BCD Adjustment Instructions
    Unpacked BCD Adjustment Instructions
  Trusted Instructions
    Trusted and Privileged Restrictions on POPF and IRET
    Machine State Instructions
    Input and Output Instructions
  Processor Extension Instructions
    Processor Extension Synchronization Instructions
    Numeric Data Processor Instructions
      Arithmetic Instructions
      Comparison Instructions
      Transcendental Instructions
      Data Transfer Instructions
      Constant Instructions

CHAPTER 4
EXTENDED INSTRUCTION SET
  Block I/O Instructions
  High-Level Instructions

CHAPTER 5
REAL ADDRESS MODE
  Addressing and Segmentation
  Interrupt Handling
    Interrupt Vector Table
      Interrupt Priorities
    Interrupt Procedures
    Reserved and Dedicated Interrupt Vectors
  System Initialization

CHAPTER 6
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING
  Memory Management Overview
  Virtual Addresses
  Descriptor Tables
  Virtual-to-Physical Address Translation
  Segments and Segment Descriptors
  Memory Management Registers
    Segment Address Translation Registers
    System Address Registers

CHAPTER 7
PROTECTION
  Introduction
    Types of Protection
    Protection Implementation
  Memory Management and Protection
    Separation of Address Spaces
    LDT and GDT Access Checks
    Type Validation
  Privilege Levels and Protection
    Example of Using Four Privilege Levels
    Privilege Usage
  Segment Descriptor
    Data Accesses
    Code Segment Access
    Data Access Restriction by Privilege Level
    Pointer Privilege Stamping via ARPL
  Control Transfers
    Gates
      Call Gates
      Intra-Level Transfers via Call Gate
      Inter-Level Control Transfer via Call Gates
      Stack Changes Caused by Call Gates
    Inter-Level Returns

CHAPTER 8
TASKS AND STATE TRANSITIONS
  Introduction
  Task State Segments and Descriptors
    Task State Segment Descriptors
  Task Switching
  Task Linking
  Task Gates

CHAPTER 9
INTERRUPTS AND EXCEPTIONS
  Interrupt Descriptor Table
  Hardware Initiated Interrupts
  Software Initiated Interrupts
  Interrupt Gates and Trap Gates
  Task Gates and Interrupt Tasks
    Scheduling Considerations
    Deciding Between Task, Trap, and Interrupt Gates
  Protection Exceptions and Reserved Vectors
    Invalid OP-Code (Interrupt 6)
    Double Fault (Interrupt 8)
    Processor Extension Segment Overrun (Interrupt 9)
    Invalid Task State Segment (Interrupt 10)
    Not Present (Interrupt 11)
    Stack Fault (Interrupt 12)
    General Protection Fault (Interrupt 13)
  Additional Exceptions and Interrupts
    Single Step Interrupt (Interrupt 1)

CHAPTER 10
SYSTEM CONTROL AND INITIALIZATION
  System Flags and Registers
    Descriptor Table Registers
  System Control Instructions
    Machine Status Word
    Other Instructions
  Privileged and Trusted Instructions
  Initialization
    Real Address Mode
    Protected Mode

CHAPTER 11
ADVANCED TOPICS
  Virtual Memory Management
  Special Segment Attributes
    Conforming Code Segments
    Expand-Down Data Segments
  Pointer Validation
    Descriptor Validation
    Pointer Integrity: RPL and the "Trojan Horse Problem"
  NPX Context Switching
  Multiprocessor Considerations
  Shutdown

APPENDIX A
80286 SYSTEM INITIALIZATION

APPENDIX B
THE 80286 INSTRUCTION SET

APPENDIX C
8086/8088 COMPATIBILITY CONSIDERATIONS

APPENDIX D
80286/80386 SOFTWARE COMPATIBILITY CONSIDERATIONS

INDEX

Figures

Figure  Title
1-1     Four Privilege Levels
2-1     Segmented Virtual Memory
2-2     Bytes and Words in Memory
2-3     80286/80287 Supported Data Types
2-4     80286 Base Architecture Register Set
2-5     Real Address Mode Segment Selector Interpretation
2-6     Protected Mode Segment Selector Interpretation
2-7     80286 Stack
2-8     Stack Operation
2-9     BP Usage as a Stack Frame Base Pointer
2-10    Flags Register
2-11    Two-Component Address
2-12    Use of Memory Segmentation
2-13    Complex Addressing Modes
2-14    Memory-Mapped I/O
2-15    Hierarchy of Instructions
3-1     PUSH
3-2     PUSHA
3-3     POP
3-4     POPA
3-5     Flag Word Contents
3-6     SAL and SHL
3-7     SHR
3-8     SAR
3-9     ROL
3-10    ROR
3-11    RCL
3-12    RCR
3-13    LAHF and SAHF
3-14    PUSHF and POPF
4-1     Formal Definition of the ENTER Instruction
4-2     Variable Access in Nested Procedures
4-2a    Stack Frame for MAIN at Level 1
4-2b    Stack Frame for Procedure A
4-2c    Stack Frame for Procedure B at Level 3 Called from A
4-2d    Stack Frame for Procedure C at Level 3 Called from B
5-1a    Forming the Segment Base Address
5-1b    Forming the 20-Bit Physical Address in the Real Address Mode
5-2     Overlapping Segments to Save Physical Memory
5-3     Interrupt Vector Table for Real Address Mode
5-4     Stack Structure after Interrupt (Real Address Mode)
6-1     Format of the Segment Selector Component
6-2     Address Spaces and Task Isolation
6-3     Segment Descriptor (S=1)
6-4     Special Purpose Descriptors or System Segment Descriptors (S=0)
6-5     LDT Descriptor
6-6     Virtual-to-Physical Address Translation
6-7     Segment Descriptor Access Bytes
6-8     Memory Management Registers
6-9     Descriptor Loading
7-1     Addressing Segments of a Module within a Task
7-2     Descriptor Cache Registers
7-3     80286 Virtual Address Space
7-4     Local and Global Descriptor Table Definitions
7-5     Error Code Format (on the stack)
7-6     Code and Data Segments Assigned to a Privilege Level
7-7     Selector Fields
7-8     Access Byte Examples
7-9     Pointer Privilege Stamping
7-10    Gate Descriptor Format
7-11    Call Gate
7-12    Stack Contents after an Inter-Level Call
8-1 8-2 8-3 8-4 9-1 9-2 9-3 9-4 10-1 10-2 10-3 11-1 11-2 11-3 B-1 B-2
7-21 Task State Segment and TSS Registers ................................................................ 8-2 TSS Descriptor ....... .......... ...... .... .... .................................. ....... .................... ............ 8-4 Task Gate Descriptor .............................................................................................. 8-8 Task Switch Through a Task Gate .........................................................................8-9 Interrupt Descriptor Table Definition ...................................................................... 9-1 IDT Selector Error Code .......................................................................................... 9-2 Trap/Interrupt Gate Descriptors ............................................................................. 9-4 Stack Layout after an Exception with an Error Code ..... ............. .............. ............ 9-5 Local and Global Descriptor Table Definition ......................................................... 10-2 Interrupt Descriptor Table Definition ...................................................................... 10-2 Data Type for Global Descriptor Table and Interrupt Descriptor Table ................ 10-3 Expand-Down Segment ... ..... ........ ...... .............. ................ ... .... .......... ...... ............... 11-2 Dynamic Segment Relocation and Expansion of Segment Limit .......................... 11-3 Example of NPX Context Switching ....................................................................... 11-6 In Instruction Byte Format ...................................................................................... B-2 Ir Instruction Byte Format ....................................................................................... B-4 Tables Table 2-1 2-2 2-3 2-4 3-1 3-2 3-3 5-1 5-2 5-3 7-1 7-2 7-3 7-4 8-1 8-2 9-1 9-2 Title Implied Segment Usage by Index, Pointer, and Base Registers ........................... 
Segment Register Selection Rules ....... ..... ......... ..... .............. .......... ........ ............... Memory Operand Addressing Modes .................................................................... 80286 Interrupt Vector Assignments (Real Address Mode) .................................. Status Flags' Functions ........................................................................................... Control Flags' Functions ......................................................................................... Interpretation of Conditional Transfers .................................................................. Interrupt Processing Order ..................................................................................... Dedicated and Reserved Interrupt Vectors in Real Address Mode ...................... Processor State after RESET ...................................................... :.......................... Segment Access Rights Byte Format '" ..... .......... ....... ...... ......... ......... ...... ........ ...... Allowed Segment Types in Segment Registers ..........................; .......................... Call Gate Checks ..................................................................................................... Inter-Level Return Checks ...................................................................................... Checks Made during a Task Switch ....................................................................... Effect of a Task Switch on BUSY and NT Bits and the Link Word ....................... Trap and Interrupt Gate Checks ............................................................................. Interrupt and Gate Interactions ............................................................................... 
x Page 2-14 2-19 2-21 2-26 3-6 3-7 3-20 5-4 5-6 5-7 7-11 7-12 7-18 7-22 8-6 8-7 9-6 9-7 TABLE OF CONTENTS Table 9-3 9-4 9-5 10-1 10-2 11-1 8-1 8-2 8-3 C-1 Title Page Reserved Exceptions and Interrupts ...................................................................... 9-9 Interrupt Processing Order ... .... ...... ..... .............. .... ...... ............... .............. ...... ..... ... 9-9 Conditions That Invalidate the TSS ........................................................................ 9-12 MSW 8it Functions .................................................................................................. 10-4 Recommended MSW Encodings for Processor Extension Control...................... 10-5 NPXContextSwitching ........................................................................................... 11-7 ModRM Values ........................................................................................................ 8-3 Protection Exceptions of the 80286 ........... ... ....... ..... ...... ..... ......... ......... ..... ............ 8-8 Hexadecimal Values for the Access Rights 8yte ................................................... 8-14 New 80286 Interrupts .............................................................................................. C-1 xi inter CUSTOMER SUPPORT CUSTOMER SUPPORT Customer Support is Intel's complete support service that provides Intel customers with hardware support, software support, customer training, and consulting services. For more information contact your local sales offices. After a customer purchases any system hardware or software product, service and support become major factors in determining whether that product will continue to meet a customer's expectations. Such support requires an international support organization and a breadth of programs to meet a variety of customer needs. As you might expect, Intel's customer support is quite extensive. 
It includes factory repair services and worldwide field service offices providing hardware repair services, software support services, customer training classes, and consulting services.

HARDWARE SUPPORT SERVICES

Intel is committed to providing an international service support package through a wide variety of service offerings available from Intel Hardware Support.

SOFTWARE SUPPORT SERVICES

Intel's software support consists of two levels of contracts. Standard support includes TIPS (Technical Information Phone Service), updates and subscription service (product-specific troubleshooting guides and COMMENTS Magazine). Basic support includes updates and the subscription service. Contracts are sold in environments which represent product groupings (i.e., iRMX environment).

CONSULTING SERVICES

Intel provides field systems engineering services for any phase of your development or support effort. You can use our systems engineers in a variety of ways ranging from assistance in using a new product, developing an application, personalizing training, and customizing or tailoring an Intel product to providing technical and management consulting. Systems Engineers are well versed in technical areas such as microcommunications, real-time applications, embedded microcontrollers, and network services. You know your application needs; we know our products. Working together we can help you get a successful product to market in the least possible time.

CUSTOMER TRAINING

Intel offers a wide range of instructional programs covering various aspects of system design and implementation. In just three to ten days a limited number of individuals learn more in a single workshop than in weeks of self-study. For optimum convenience, workshops are scheduled regularly at Training Centers worldwide or we can take our workshops to you for on-site instruction.
Covering a wide variety of topics, Intel's major course categories include: architecture and assembly language, programming and operating systems, bitbus and LAN applications.

CHAPTER 1 INTRODUCTION TO THE 80286

The 80286 is the most powerful 16-bit processor in the 8086 series of microprocessors, which includes the 8086, the 8088, the 80186, the 80188, and the 80286. It is designed for applications that require very high performance. It is also an excellent choice for sophisticated "high end" applications that will benefit from its advanced architectural features: memory management, protection mechanisms, task management, and virtual memory support. The 80286 provides, on a single VLSI chip, computational and architectural characteristics normally associated with much larger minicomputers.

Sections 1.1, 1.2, and 1.3 of this chapter provide an overview of the 80286 architecture. Because the 80286 represents an extension of the 8086 architecture, some of this overview material may be new and unfamiliar to previous users of the 8086 and similar microprocessors. But the 80286 is also an evolutionary development, with the new architecture superimposed upon the industry standard 8086 in such a way as to affect only the design and programming of operating systems and other such system software.

Section 1.4 of this chapter provides a guide to the organization of this manual, suggesting which chapters are relevant to the needs of particular readers.

1.1 GENERAL ATTRIBUTES

The 80286 base architecture has many features in common with the architecture of other members of the 8086 family, such as byte addressable memory, I/O interfacing hardware, interrupt vectoring, and support for both multiprocessing and processor extensions. The entire family has a common set of addressing modes and basic instructions. The 80286 base architecture also includes a number of extensions which add to the versatility of the computer.
The 80286 processor can function in two modes of operation (see section 1.2 of this chapter, Modes of Operation). In one of these modes only the base architecture is available to programmers, whereas in the other mode a number of very powerful advanced features have been added, including support for virtual memory, multitasking, and a sophisticated protection mechanism. These advanced features are described in section 1.3 of this chapter.

The 80286 base architecture was designed to support programming in high-level languages, such as Pascal, C or PL/M. The register set and instructions are well suited to compiler-generated code. The addressing modes (see section 2.6.3 in Chapter 2) allow efficient addressing of complex data structures, such as static and dynamic arrays, records, and arrays within records, which are commonly supported by high-level languages. The data types supported by the architecture include, along with bytes and words, high level language constructs such as strings, BCD, and floating point.

The memory architecture of the 80286 was designed to support modular programming techniques. Memory is divided into segments, which may be of arbitrary size, that can be used to contain procedures and data structures. Segmentation has several advantages over more conventional linear memory architectures. It supports structured software, since segments can contain meaningful program units and data, and more compact code, since references within a segment can be shorter (and locality of reference usually insures that the next few references will be within the same segment). Segmentation also lends itself to efficient implementation of sophisticated memory management, virtual memory, and memory protection.

In addition, new instructions have been added to the base architecture to give hardware support for procedure invocations, parameter passing, and array bounds checking.
1.2 MODES OF OPERATION

The 80286 can be operated in either of two different modes: Real Address Mode or Protected Virtual Address Mode (also referred to as Protected Mode). In either mode of operation, the 80286 represents an upwardly compatible addition to the 8086 family of processors.

In Real Address Mode, the 80286 operates essentially as a very high-performance 8086. Programs written for the 8086 or the 80186 can be executed in this mode without any modification (the few exceptions are described in Appendix C, "Compatibility Considerations"). Such upward compatibility extends even to the object code level; for example, an 8086 program stored in read-only memory will execute successfully in 80286 Real Address Mode. An 80286 operating in Real Address Mode provides a number of instructions not found on the 8086. These additional instructions, also present with the 80186, allow for efficient subroutine linkage, parameter validation, index calculations, and block I/O transfers.

The advanced architectural features and full capabilities of the 80286 are realized in its native Protected Mode. Among these features are sophisticated mechanisms to support data protection, system integrity, task concurrency, and memory management, including virtual storage. Nevertheless, even in Protected Mode, the 80286 remains upwardly compatible with most 8086 and 80186 application programs. Most 8086 applications programs can be re-compiled or re-assembled and executed on the 80286 in Protected Mode.

1.3 ADVANCED FEATURES

The architectural features described in section 1.1 of this chapter are common to both operating modes of the processor. In addition to these common features, Protected Mode provides a number of advanced features, including a greatly extended physical and logical address space, new instructions, and support for additional hardware-recognized data structures.
The Protected Mode 80286 includes a sophisticated memory management and multilevel protection mechanism. Full hardware support is included for multitasking and task switching operations.

1.3.1 Memory Management

The memory architecture of the Protected Mode 80286 represents a significant advance over that of the 8086. The physical address space has been increased from 1 megabyte to 16 megabytes (2^24 bytes), while the virtual address space (i.e., the address space visible to a program) has been increased from 1 megabyte to 1 gigabyte (2^30 bytes). Moreover, separate virtual address spaces are provided for each task in a multi-tasking system (see the next section, 1.3.2, "Task Management").

The 80286 supports on-chip memory management instead of relying on an external memory management unit. The one-chip solution is preferable because no software is required to manage an external memory management unit, performance is much better, and hardware designs are significantly simpler.

Mechanisms have been included in the 80286 architecture to allow the efficient implementation of virtual memory systems. (In virtual memory systems, the user regards the combination of main and external storage as a single large memory. The user can write large programs without worrying about the physical memory limitations of the system. To accomplish this, the operating system places some of the user programs and data in external storage and brings them into main memory only as they are needed.) All instructions that can cause a segment-not-present fault are fully restartable. Thus, a not-present segment can be loaded from external storage, and the task can be restarted at the point where the fault occurred.

The 80286, like all members of the 8086 series, supports a segmented memory architecture. The 80286 also fully integrates memory segmentation into a comprehensive protection scheme.
This protection scheme includes hardware-enforced length and type checking to protect segments from inadvertent misuse.

1.3.2 Task Management

The 80286 is designed to support multi-tasking systems. The architecture provides direct support for the concept of a task. For example, task state segments (see section 8.2 in Chapter 8) are hardware-recognized and hardware-manipulated structures that contain information on the current state of all tasks in the system.

Very efficient context-switching (task-switching) can be invoked with a single instruction. Separate logical address spaces are provided for each task in the system. Finally, mechanisms exist to support intertask communication, synchronization, memory sharing, and task scheduling. Task Management is described in Chapter 8.

1.3.3 Protection Mechanisms

The 80286 allows the system designer to define a comprehensive protection policy to be applied, uniformly and continuously, to all ongoing operations of the system. Such a policy may be desirable to ensure system reliability, privacy of data, rapid error recovery, and separation of multiple users.

The 80286 protection mechanisms are based on the notion of a "hierarchy of trust." Four privilege levels are distinguished, ranging from Level 0 (most trusted) to Level 3 (least trusted). Level 0 is usually reserved for the operating system kernel. The four levels may be visualized as concentric rings, with the most privileged level in the center (see figure 1-1).

This four-level scheme offers system reliability, flexibility, and design options not possible with the typical two-level (supervisor/user) separation provided by other processors. A four-level division is capable of separating kernel, executive, system services, and application software, each with different privileges.

At any one time, a task executes at one of the four levels. Moreover, all data segments and code segments are also assigned to privilege levels.
A task executing at one level cannot access data at a more privileged level, nor can it call a procedure at a less privileged level (i.e., trust a less privileged procedure to do work for it). Thus, both access to data and transfer of control are restricted in appropriate ways.

A complete separation can exist between the logical address spaces local to different tasks, providing users with automatic protection against accidental or malicious interference by other users. The hardware also provides immediate detection of a number of fault and error conditions, a feature that can be useful in the development and maintenance of software.

Finally, these protection mechanisms require relatively little system overhead because they are integrated into the memory management and protection hardware of the processor itself.

Figure 1-1. Four Privilege Levels (diagram labels: LEAST TRUSTED, MOST TRUSTED)

1.3.4 Support for Operating Systems

Most operating systems involve some degree of concurrency, with multiple tasks vying for system resources. The task management mechanisms described above provide the 80286 with inherent support for such multi-tasking systems. Moreover, the advanced memory management features of the 80286 allow the implementation of sophisticated virtual memory systems.

Operating system implementors have found that a multi-level approach to system services provides better security and more reliable systems. For example, a very secure kernel might implement critical functions such as task scheduling and resource allocation, while less fundamental functions (such as I/O) are built around the kernel. This layered approach also makes program development and enhancement simpler and facilitates error detection and debugging. The 80286 supports the layered approach through its four-level privilege scheme.
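The two restrictions stated in section 1.3.3, written out as a small C model; this is an added example, not code from the manual. The assignment of executive, system services and application software to levels 1 through 3 and the sample attempts are assumptions, and the model covers only the overview rule, not the complete checks that Chapter 7 describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Level 0 is the kernel (per the text); levels 1-3 are an assumed assignment. */
enum level { KERNEL = 0, EXECUTIVE = 1, SERVICES = 2, APPLICATION = 3 };

static int valid_level(int level) { return level >= 0 && level <= 3; }

/* A task cannot access data at a more privileged (numerically lower) level. */
int data_access_allowed(int task_level, int data_level)
{
    return valid_level(task_level) && valid_level(data_level) &&
           data_level >= task_level;
}

/* A task cannot call a procedure at a less privileged (numerically higher)
 * level. Calls toward more privileged levels pass further checks (call
 * gates, Chapter 7) that this overview model does not cover. */
int call_allowed(int task_level, int proc_level)
{
    return valid_level(task_level) && valid_level(proc_level) &&
           proc_level <= task_level;
}

/* Bit n of the result is set when data at level n is accessible. */
unsigned data_mask(int task_level)
{
    unsigned mask = 0;
    for (int l = 0; l <= 3; l++)
        if (data_access_allowed(task_level, l))
            mask |= 1u << l;
    return mask;
}

/* Bit n of the result is set when a call to level n is not ruled out. */
unsigned call_mask(int task_level)
{
    unsigned mask = 0;
    for (int l = 0; l <= 3; l++)
        if (call_allowed(task_level, l))
            mask |= 1u << l;
    return mask;
}

struct attempt { int task_level; char kind; int target_level; }; /* 'D' or 'C' */

/* Count the attempts the rule rejects; unknown kinds are rejected too. */
size_t count_denied(const struct attempt *a, size_t n)
{
    size_t denied = 0;
    for (size_t i = 0; i < n; i++) {
        int ok = 0;
        if (a[i].kind == 'D')
            ok = data_access_allowed(a[i].task_level, a[i].target_level);
        else if (a[i].kind == 'C')
            ok = call_allowed(a[i].task_level, a[i].target_level);
        if (!ok)
            denied++;
    }
    return denied;
}

/* Constructed sample attempts (not from the manual). */
static const struct attempt sample[] = {
    { APPLICATION, 'D', APPLICATION },  /* same level: allowed           */
    { APPLICATION, 'D', KERNEL      },  /* more privileged data: denied  */
    { APPLICATION, 'C', SERVICES    },  /* inward call: not ruled out    */
    { KERNEL,      'D', APPLICATION },  /* less privileged data: allowed */
    { KERNEL,      'C', APPLICATION },  /* outward call: denied          */
    { EXECUTIVE,   'C', KERNEL      },  /* inward call: not ruled out    */
    { SERVICES,    'D', EXECUTIVE   },  /* more privileged data: denied  */
};

int main(void)
{
    for (int l = 0; l <= 3; l++)
        printf("level %d: data mask 0x%X, call mask 0x%X\n",
               l, data_mask(l), call_mask(l));
    printf("denied: %zu of %zu\n",
           count_denied(sample, sizeof sample / sizeof sample[0]),
           sizeof sample / sizeof sample[0]);
    return 0;
}
```

The masks show the asymmetry of the rule: data access is open only toward the outer rings, while calls are open only toward the inner rings.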
1.4 ORGANIZATION OF THIS BOOK

To facilitate the use of this book both as an introduction to the 80286 architecture and as a reference guide, the remaining chapters are divided into three major parts.

Part I, comprising chapters 2 through 4, should be read by all those who wish to acquire a basic familiarity with the 80286 architecture. These chapters provide detailed information on memory segmentation, registers, addressing modes and the general (application level) 80286 instruction set. In conjunction with the 80286 Assembly Language Reference Manual, these chapters provide sufficient information for an assembly language programmer to design and write application programs.

The chapters in Part I are:

Chapter 2, "Architectural Features." This chapter discusses those features of the 80286 architecture that are significant for application programmers. The information presented can also function as an introduction to the machine for system programmers. Memory organization and segmentation, processor registers, addressing modes, and instruction formats are all discussed.

Chapter 3, "Basic Instruction Set." This chapter presents the core instructions of the 8086 family.

Chapter 4, "Extended Instruction Set." This chapter presents the extended instructions shared by the 80186 and 80286 processors.

Part II of the book consists of a single chapter:

Chapter 5, "Real Address Mode." This chapter presents the system programmer's view of the 80286 when the processor is operated in Real Address Mode.

Part III of the book comprises chapters 6 through 11. Aimed primarily at system programmers, these chapters discuss the more advanced architectural features of the 80286, which are available when the processor is in Protected Mode. Details on memory management, protection mechanisms, and task switching are provided.

The chapters in Part III are:

Chapter 6, "Virtual Memory." This chapter describes the 80286 address translation mechanisms that support virtual memory. Segment descriptors, global and local descriptor tables, and descriptor caches are discussed.

Chapter 7, "Protection." This chapter describes the protection features of the 80286. Privilege levels, segment attributes, access restrictions, and call gates are discussed.

Chapter 8, "Tasks and State Transitions." This chapter describes the 80286 mechanisms that support concurrent tasks. Context-switching, task state segments, task gates, and interrupt tasks are discussed.

Chapter 9, "Interrupts, Traps and Faults." This chapter describes interrupt and trap handling. Special attention is paid to the exception traps, or faults, which may occur in Protected Mode. Interrupt gates, trap gates, and the interrupt descriptor table are discussed.

Chapter 10, "System Control and Initialization." This chapter describes the actual instructions used to implement the memory management, protection, and task support features of the 80286. System registers, privileged instructions, and the initial machine state are discussed.

Chapter 11, "Advanced Topics." This chapter completes Part III with a description of several advanced topics, including special segment attributes and pointer validation.
1.5 RELATED PUBLICATIONS

The following manuals also contain information of interest to programmers of 80287 systems:

Introduction to the 80286, order number 210308
ASM286 Assembly Language Reference Manual, order number 121924
80286 Operating System Writer's Guide, order number 121960
80286 Hardware Reference Manual, order number 210760
Microprocessor and Peripheral Handbook, order number 230843
PL/M-286 User's Guide, order number 121945
80287 Support Library Reference Manual, order number 122129
8086 Software Toolbox Manual, order number 122203 (includes information about 80287 Emulator Software)

CHAPTER 2 80286 BASE ARCHITECTURE

This chapter describes the 80286 application programming environment as seen by assembly language programmers. It is intended to introduce the programmer to those features of the 80286 architecture that directly affect the design and implementation of 80286 application programs.

2.1 MEMORY ORGANIZATION AND SEGMENTATION

The main memory of an 80286 system makes up its physical address space. This address space is organized as a sequence of 8-bit quantities, called bytes. Each byte is assigned a unique address ranging from 0 up to a maximum of 2^20 (1 megabyte) in Real Address Mode, and up to 2^24 (16 megabytes) in Protected Mode.

A virtual address space is the organization of memory as viewed by a program. Virtual address space is also organized in units of bytes. (Other addressable units such as words, strings, and BCD digits are described below in section 2.2, "Data Types.") In Real Address Mode, as with the 8086 itself, programs view physical memory directly, inasmuch as they manipulate pure physical addresses. Thus, the virtual address space is identical to the physical address space (1 megabyte).

In Protected Mode, however, programs have no direct access to physical addresses. Instead, memory is viewed as a much larger virtual address space of 2^30 bytes (1 gigabyte).
This 1 gigabyte virtual address is mapped onto the Protected Mode's 16-megabyte physical address space by the address translation mechanisms described in Chapter 6.

The programmer views the virtual address space on the 80286 as a collection of up to sixteen thousand linear subspaces, each with a specified size or length. Each of these linear address spaces is called a segment. A segment is a logical unit of contiguous memory. Segment sizes may range from one byte up to 64K (65,536) bytes.

80286 memory segmentation supports the logical structure of programs and data in memory. Programs are not written as single linear sequences of instructions and data, but rather as modules of code and data. For example, program code may include a main routine and several separate procedures. Data may also be organized into various data structures, some private and some shared with other programs in the system. Run-time stacks constitute yet another data requirement. Each of these several modules of code and data, moreover, may be very different in size or vary dynamically with program execution.

Segmentation supports this logical structure (see figure 2-1). Each meaningful module of a program may be separately contained in individual segments. The degree of modularization, of course, depends on the requirements of a particular application. Use of segmentation benefits almost all applications. Programs execute faster and require less space. Segmentation also simplifies the design of structured software.

Figure 2-1. Segmented Virtual Memory

2.2 DATA TYPES

Bytes and words are the fundamental units in which the 80286 manipulates data, i.e., the fundamental data types.

A byte is 8 contiguous bits starting on an addressable byte boundary. The bits are numbered 0 through 7, starting from the right. Bit 7 is the most significant bit.

A word is defined as two contiguous bytes starting on an arbitrary byte boundary; a word thus contains 16 bits. The bits are numbered 0 through 15, starting from the right. Bit 15 is the most significant bit. The byte containing bit 0 of the word is called the low byte; the byte containing bit 15 is called the high byte.

(Diagram: bits 15 through 8 form the HIGH BYTE at LOCATION N + 1; bits 7 through 0 form the LOW BYTE at LOCATION N.)

Each byte within a word has its own particular address, and the smaller of the two addresses is used as the address of the word. The byte at this lower address contains the eight least significant bits of the word, while the byte at the higher address contains the eight most significant bits. The arrangement of bytes within words is illustrated in figure 2-2.

Note that a word need not be aligned at an even-numbered byte address. This allows maximum flexibility in data structures (e.g., records containing mixed byte and word entries) and efficiency in memory utilization. Although actual transfers of data between the processor and memory take place at physically aligned word boundaries, the 80286 converts requests for unaligned words into the appropriate sequences of requests acceptable to the memory interface. Such odd aligned word transfers, however, may impact performance by requiring two memory cycles to transfer the word rather than one. Data structures (e.g., stacks) should therefore be designed in such a way that word operands are aligned on word boundaries whenever possible for maximum system performance. Due to instruction prefetching and queueing within the CPU, there is no requirement for instructions to be aligned on word boundaries and no performance loss if they are not.
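The byte ordering and alignment cost described above, as an added C example that is not part of the manual. The memory image uses the values shown in figure 2-2; cells the figure leaves blank are set to 00, the two record layouts are constructed, and counting one memory cycle per byte transfer is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memory image of figure 2-2 (addresses 0x0-0xE, values in hexadecimal).
 * Cells the figure leaves blank are 0x00 here (assumption). */
static const uint8_t fig2_2[15] = {
    [0x1] = 0x31, [0x2] = 0xCB, [0x3] = 0x74,
    [0x6] = 0x0B, [0x7] = 0x23,
    [0x9] = 0x1F,
    [0xB] = 0x06, [0xC] = 0xFE,
};

/* Read one byte; returns 0 on success, -1 if addr is outside the image. */
int read_byte(const uint8_t *mem, size_t size, size_t addr, uint8_t *out)
{
    if (addr >= size)
        return -1;
    *out = mem[addr];
    return 0;
}

/* Read a word: the low byte is at addr, the high byte at addr + 1.
 * Returns -1 if either byte falls outside the image. */
int read_word(const uint8_t *mem, size_t size, size_t addr, uint16_t *out)
{
    if (size < 2 || addr > size - 2)
        return -1;
    *out = (uint16_t)(mem[addr] | ((uint16_t)mem[addr + 1] << 8));
    return 0;
}

/* Memory cycles for one word transfer: one if the word starts at an even
 * address, two if it starts at an odd address. */
unsigned word_cycles(size_t addr)
{
    return (addr & 1u) ? 2u : 1u;
}

struct field { size_t offset; unsigned width; };   /* width: 1 or 2 bytes */

/* Cycles needed to touch every field of a record placed at base.
 * Byte fields are counted as one cycle each (assumption). */
unsigned record_cycles(size_t base, const struct field *f, size_t n)
{
    unsigned total = 0;
    for (size_t i = 0; i < n; i++)
        total += (f[i].width == 2) ? word_cycles(base + f[i].offset) : 1u;
    return total;
}

/* Constructed layouts of the same four fields (two bytes, two words). */
static const struct field packed_rec[]  = { {0, 1}, {1, 2}, {3, 1}, {4, 2} };
static const struct field aligned_rec[] = { {0, 2}, {2, 2}, {4, 1}, {5, 1} };

int main(void)
{
    static const size_t addrs[] = { 0xB, 0x6, 0x2, 0x1 };
    for (size_t i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        uint16_t w;
        if (read_word(fig2_2, sizeof fig2_2, addrs[i], &w) == 0)
            printf("word at %zX = %04X (%u cycle(s))\n",
                   addrs[i], (unsigned)w, word_cycles(addrs[i]));
    }
    printf("packed record, even base:  %u cycles\n",
           record_cycles(0, packed_rec, 4));
    printf("aligned record, even base: %u cycles\n",
           record_cycles(0, aligned_rec, 4));
    printf("aligned record, odd base:  %u cycles\n",
           record_cycles(1, aligned_rec, 4));
    return 0;
}
```

Ordering the word fields first saves a cycle only when the record itself starts at an even address; at an odd base both words become odd-aligned.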
[Figure 2-2. Bytes and Words in Memory. All values in hexadecimal: the byte at address 9 contains 1F; the word at address B contains FE06; the word at address 6 contains 230B; the word at address 2 contains 74CB; the word at address 1 contains CB31.]

Although bytes and words are the fundamental data types of operands, the processor also supports additional interpretations on these bytes or words. Depending on the instruction referencing the operand, the following additional data types can be recognized:

Integer: A signed binary numeric value contained in an 8-bit byte or a 16-bit word. All operations assume a 2's complement representation. (Signed 32- and 64-bit integers are supported using the 80287 Numeric Data Processor.)
Ordinal: An unsigned binary numeric value contained in an 8-bit byte or 16-bit word.
Pointer: A 32-bit address quantity composed of a segment selector component and an offset component. Each component is a 16-bit word.
String: A contiguous sequence of bytes or words. A string may contain from 1 byte to 64K bytes.
ASCII: A byte representation of alphanumeric and control characters using the ASCII standard of character representation.
BCD: A byte (unpacked) representation of the decimal digits (0-9).
Packed BCD: A byte (packed) representation of two decimal digits (0-9). One digit is stored in each nibble of the byte.
Floating Point: A signed 32-, 64-, or 80-bit real number representation. (Floating operands are supported using the 80287 Numeric Processor Configuration.)

Figure 2-3 graphically represents the data types supported by the 80286.

80286 arithmetic operations may be performed on five types of numbers: unsigned binary, signed binary (integers), unsigned packed decimal, unsigned unpacked decimal, and floating point. Binary numbers may be 8 or 16 bits long.
Decimal numbers are stored in bytes; two digits per byte for packed decimal, one digit per byte for unpacked decimal. The processor always assumes that the operands specified in arithmetic instructions contain data that represent valid numbers for the type of instruction being performed. Invalid data may produce unpredictable results.

Unsigned binary numbers may be either 8 or 16 bits long; all bits are considered in determining a number's magnitude. The value range of an 8-bit unsigned binary number is 0-255; 16 bits can represent values from 0 through 65,535. Addition, subtraction, multiplication and division operations are available for unsigned binary numbers.

Signed binary numbers (integers) may be either 8 or 16 bits long. The high-order (leftmost) bit is interpreted as the number's sign: 0 = positive and 1 = negative. Negative numbers are represented in standard two's complement notation. Since the high-order bit is used for a sign, the range of an 8-bit integer is -128 through +127; 16-bit integers may range from -32,768 through +32,767. The value zero has a positive sign.

[Figure 2-3. 80286/80287 Supported Data Types. Panels: signed byte, unsigned byte, signed word, signed double word*, signed quad word*, unsigned word, binary coded decimal (BCD), ASCII, packed BCD, string, pointer (selector and offset), floating point*. *Supported by 80287 Numeric Data Processor configuration.]

Separate multiplication and division operations are provided for both signed and unsigned binary numbers. The same addition and subtraction instructions are used with signed or unsigned binary values. Conditional jump instructions, as well as an "interrupt on overflow" instruction, can be used following an unsigned operation on an integer to detect overflow into the sign bit.

Unpacked decimal numbers are stored as unsigned byte quantities. One digit is stored in each byte. The magnitude of the number is determined from the low-order half-byte; hexadecimal values 0-9 are valid and are interpreted as decimal numbers. The high-order half-byte must be zero for multiplication and division; it may contain any value for addition and subtraction.

Arithmetic on unpacked decimal numbers is performed in two steps. The unsigned binary addition, subtraction and multiplication operations are used to produce an intermediate result. An adjustment instruction then changes the value to a final correct unpacked decimal number. Division is performed similarly, except that the adjustment is carried out on the two digit numerator operand in register AX first, followed by an unsigned binary division instruction that produces a correct result.

Unpacked decimal numbers are similar to the ASCII character representations of the digits 0-9. Note, however, that the high-order half-byte of an ASCII numeral is always 3. Unpacked decimal arithmetic may be performed on ASCII numeric characters under the following conditions:

• the high-order half-byte of an ASCII numeral must be set to 0H prior to multiplication or division.
• unpacked decimal arithmetic leaves the high-order half-byte set to 0H; it must be set to 3 to produce a valid ASCII numeral.

Packed decimal numbers are stored as unsigned byte quantities. The byte is treated as having one decimal digit in each half-byte (nibble); the digit in the high-order half-byte is the most significant. Values 0-9 are valid in each half-byte, and the range of a packed decimal number is 0-99. Additions and subtractions are performed in two steps. First, an addition or subtraction instruction is used to produce an intermediate result. Then, an adjustment operation is performed which changes the intermediate value to a final correct packed decimal result. Multiplication and division adjustments are only available for unpacked decimal numbers.

Pointers and addresses are described below in section 2.3.3, "Index, Pointer, and Base Registers," and in section 3.8, "Address Manipulation Instructions."

Strings are contiguous bytes or words from 1 to 64K bytes in length. They generally contain ASCII or other character data representations. The 80286 provides string manipulation instructions to move, examine, or modify a string (see section 3.7, "Character Translation and String Instructions").

If the 80287 numeric processor extension (NPX) is present in the system (see the 80287 NPX book), the 80286 architecture also supports floating point numbers, 32- and 64-bit integers, and 18-digit BCD data types.

The 80287 Numeric Data Processor supports and stores real numbers in a three-field binary format as required by IEEE standard 754 for floating point numerics (see figure 2-3).
The number's significant digits are held in the significand field, the exponent field locates the binary point within the significant digits (and therefore determines the number's magnitude), and the sign field indicates whether the number is positive or negative. (The exponent and significand are analogous to the terms "characteristic" and "mantissa," typically used to describe floating point numbers on some computers.) This format is used by the 80287 with various length significands and exponents to support single precision, double precision and extended (80-bit) precision floating point data types. Negative numbers differ from positive numbers only in their sign bits.

2.3 REGISTERS

The 80286 contains a total of fourteen registers that are of interest to the application programmer. (Five additional registers used by system programmers are covered in section 10.1.) As shown in figure 2-4, these registers may be grouped into four basic categories:

General registers. These eight 16-bit general-purpose registers are used primarily to contain operands for arithmetic and logical operations.
Segment registers. These four special-purpose registers determine, at any given time, which segments of memory are currently addressable.
Status and Control registers. These three special-purpose registers are used to record and alter certain aspects of the 80286 processor state.

2.3.1 General Registers

The general registers of the 80286 are the 16-bit registers AX, BX, CX, DX, SP, BP, SI, and DI. These registers are used interchangeably to contain the operands of logical and arithmetic operations.

Some instructions and addressing modes (see section 2.4), however, dedicate certain general registers to specific uses. BX and BP are often used to contain the base address of data structures in memory (for example, the starting address of an array); for this reason, they are often referred to as the base registers.
Similarly, SI and DI are often used to contain an index value that will be incremented to step through a data structure; these two registers are called the index registers. Finally, SP and BP are used for stack manipulation. Both SP and BP normally contain offsets into the current stack. SP generally contains the offset of the top of the stack and BP contains the offset or base address of the current stack frame. The use of these general-purpose registers for operand addressing is discussed in section 2.3.3, "Index, Pointer, and Base Registers." Register usage for individual instructions is discussed in chapters 3 and 4.

[Figure 2-4. 80286 Base Architecture Register Set]
General registers (16-bit names, with the byte addressable 8-bit register names in parentheses) and their special register functions: AX (AH, AL) and DX (DH, DL): multiply/divide, I/O instructions; CX (CH, CL): loop/shift/repeat count; BX (BH, BL) and BP: base registers; SI and DI: index registers; SP: stack pointer.
Segment registers: CS code segment selector; DS data segment selector; SS stack segment selector; ES extra segment selector.
Status and control registers: F (flags); IP (instruction pointer); MSW (machine status word).

As shown in figure 2-4, eight byte registers overlap four of the 16-bit general registers. These registers are named AH, BH, CH, and DH (high bytes); and AL, BL, CL, and DL (low bytes); they overlap AX, BX, CX, and DX. These registers can be used either in their entirety or as individual 8-bit registers. This dual interpretation simplifies the handling of both 8- and 16-bit data elements.

2.3.2 Memory Segmentation and Segment Registers

Complete programs generally consist of many different code modules (or segments), and different types of data segments. However, at any given time during program execution, only a small subset of a program's segments are actually in use. Generally, this subset will include code, data, and possibly a stack.
The 80286 architecture takes advantage of this by providing mechanisms to support direct access to the working set of a program's execution environment and access to additional segments on demand.

At any given instant, four segments of memory are immediately accessible to an executing 80286 program. The segment registers DS, ES, SS, and CS are used to identify these four current segments. Each of these registers specifies a particular kind of segment, as characterized by the associated mnemonics ("code," "stack," "data," or "extra") shown in figure 2-4.

An executing program is provided with concurrent access to the four individual segments of memory (a code segment, a stack segment, and two data segments) by means of the four segment registers. Each may be said to select a segment, since it uniquely determines the one particular segment from among the numerous segments in memory, which is to be immediately accessible at highest speed. Thus, the 16-bit contents of a segment register is called a segment selector.

Once a segment is selected, a base address is associated with it. To address an element within a segment, a 16-bit offset from the segment's base address must be supplied. The 16-bit segment selector and the 16-bit offset taken together form the high and low order halves, respectively, of a 32-bit virtual address pointer. Once a segment is selected, only the lower 16-bits of the pointer, called the offset, generally need to be specified by an instruction. Simple rules define which segment register is used to form an address when only a 16-bit offset is specified.

An executing program requires, first of all, that its instructions reside somewhere in memory. The segment of memory containing the currently executing sequence of instructions is known as the current code segment; it is specified by means of the CS register. All instructions are fetched from this code segment, using as an offset the contents of the instruction pointer (IP).
The CS:IP register combination therefore forms the full 32-bit pointer for the next sequential program instruction. The CS register is manipulated indirectly. Transitions from one code segment to another (e.g., a procedure call) are effected implicitly as the result of control-transfer instructions, interrupts, and trap operations.

Stacks play a fundamental role in the 80286 architecture; subroutine calls, for example, involve a number of implicit stack operations. Thus, an executing program will generally require a region of memory for its stack. The segment containing this region is known as the current stack segment, and it is specified by means of the SS register. All stack operations are performed within this segment, usually in terms of address offsets contained in the stack pointer (SP) and stack frame base (BP) registers. Unlike CS, the SS register can be loaded explicitly for dynamic stack definition.

Beyond their code and stack requirements, most programs must also fetch and store data in memory. The DS and ES registers allow the specification of two data segments, each addressable by the currently executing program. Accessibility to two separate data areas supports differentiation and access requirements like local procedure data and global process data. An operand within a data segment is addressed by specifying its offset either directly in an instruction or indirectly via index and/or base registers (described in the next subsection).

Depending on the data structure (e.g., the way data is parceled into one or more segments), a program may require access to multiple data segments. To access additional segments, the DS and ES registers can be loaded under program control during the course of a program's execution. This simply requires loading the appropriate data pointer prior to accessing the data.

The interpretation of segment selector values depends on the operating mode of the processor.
In Real Address Mode, a segment selector is a physical address (figure 2-5). In Protected Mode, a segment selector selects a segment of the user's virtual address space (figure 2-6). An intervening level of logical-to-physical address translation converts the logical address to a physical memory address. Chapter 6, "Memory Management," provides a detailed discussion of Protected Mode addressing. In general, considerations of selector formats and the details of memory mapping need not concern the application programmer.

[Figure 2-5. Real Address Mode Segment Selector Interpretation. The selector gives the base address of a 64K byte segment within the 1 megabyte physical address space.]
Notes to figure 2-5:
1. The selector identifies a segment in physical memory.
2. A selector specifies the segment's base address, modulo 16, within the 1 megabyte address space.
3. The selector is the 16 most significant bits of a segment's physical base address.
4. The values of selectors determine the amount they overlap in real memory.
5. Segments may overlap by increments of 16 bytes. Overlap ranges from complete (SEG 1 ~ SEG 1) to none (SEG 1 SEG 2 ± 64K).

[Figure 2-6. Protected Mode Segment Selector Interpretation. The selector names one of the segments SEG 0 through SEG 3FFF, each 1 to 64K bytes, in the 1 gigabyte virtual address space.]
Notes to figure 2-6:
1. A selector uniquely identifies (names) one of 16K possible segments in the task's virtual address space.
2. The selector value does not specify the segment's location in physical memory.
3. The selector does not imply any overlap with other segments (this depends on the base address of the segment as specified via the memory management and protection information).

2.3.3 Index, Pointer, and Base Registers

Five of the general-purpose registers are available for offset address calculations. These five registers, shown in figure 2-4, are SP, BP, BX, SI, and DI. SP is called a pointer register; BP and BX are called base registers; SI and DI are called index registers.

As described in the previous section, segment registers define the set of four segments currently addressable by a program. A pointer, base, or index register may contain an offset value relative to the start of one of these segments; it thereby points to a particular operand's location within that segment. To allow for efficient computations of effective address offsets, all base and index registers may participate interchangeably as operands in most arithmetical operations.

Stack operations are facilitated by the stack pointer (SP) and stack frame base (BP) registers. By specifying offsets into the current stack segment, each of these registers provides access to data on the stack. The SP register is the customary top-of-stack pointer, addressing the uppermost datum on a push-down stack. It is referenced implicitly by PUSH and POP operations, subroutine calls, and interrupt operations. The BP register provides yet another offset into the stack segment. The existence of this stack relative base register, in conjunction with certain addressing modes described in section 2.6.3, is particularly useful for accessing data structures, variables and dynamically allocated work space within the stack.

Stacks in the 80286 are implemented in memory and are located by the stack segment register (SS) and the stack pointer register (SP). A system may have an unlimited number of stacks, and a stack may be up to 64K bytes long, the maximum length of a segment. One stack is directly addressable at a time; this is the current stack, often referred to simply as "the" stack. SP contains the current top of the stack (TOS). In other words, SP contains the offset to the top of the push down stack from the stack segment's base address. Note, however, that the stack's base address (contained in SS) is not the "bottom" of the stack (figure 2-7).

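The C model below is an added example, not part of the Intel manual. It follows the push and pop rules this section gives (SP is decremented by 2 before the write and incremented by 2 after the read, and nothing on the stack is erased) and the entry and exit sequence of figure 2-9, to show that a routine's work space remains readable by the next routine called at the same stack depth unless it is cleared. The starting offsets, WORK_SPACE value and the scrub step are constructed for the sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not Intel code): one stack segment addressed by
   16-bit offsets, plus the registers the stack rules refer to. */
static uint8_t seg[0x10000];
typedef struct { uint16_t sp, bp, ax, bx, cx; } cpu_t;

static void store16(uint16_t off, uint16_t v)
{
    seg[off] = (uint8_t)(v & 0xFF);                 /* low byte first */
    seg[(uint16_t)(off + 1)] = (uint8_t)(v >> 8);
}

static uint16_t load16(uint16_t off)
{
    return (uint16_t)(seg[off] | (seg[(uint16_t)(off + 1)] << 8));
}

/* PUSH: decrement SP by 2, then write the item at the new top of stack. */
static void push16(cpu_t *c, uint16_t v)
{
    c->sp = (uint16_t)(c->sp - 2);
    store16(c->sp, v);
}

/* POP: copy the item from the top of stack, then increment SP by 2.
   The popped word is not erased; it stays in memory below the new SP. */
static uint16_t pop16(cpu_t *c)
{
    uint16_t v = load16(c->sp);
    c->sp = (uint16_t)(c->sp + 2);
    return v;
}

typedef struct { uint16_t ax, bx, sp, below_sp; } seq_result;

/* The code sequence of figure 2-8 (PUSH AX / POP AX / POP BX) run on a
   constructed stack whose top word is 0x5555 at offset 0x1058. */
seq_result push_pop_sequence(void)
{
    cpu_t c = { .sp = 0x1058, .ax = 0xAAAA };
    memset(seg, 0, sizeof seg);
    store16(0x1058, 0x5555);
    push16(&c, c.ax);
    c.ax = pop16(&c);
    c.bx = pop16(&c);
    /* 0x1056 is where AX was pushed; it is now below SP but unchanged. */
    return (seq_result){ c.ax, c.bx, c.sp, load16(0x1056) };
}

#define WORK_SPACE 8u   /* bytes of work space per call (constructed) */

/* Entry of figure 2-9: PUSH BP / PUSH CX / MOV BP,SP / SUB SP,WORK_SPACE */
static void enter_frame(cpu_t *c)
{
    push16(c, c->bp);
    push16(c, c->cx);
    c->bp = c->sp;
    c->sp = (uint16_t)(c->sp - WORK_SPACE);
}

/* Exit of figure 2-9: MOV SP,BP / POP CX / POP BP. When `scrub` is set the
   work space is zeroed first; that step is an addition, not in the figure. */
static void leave_frame(cpu_t *c, int scrub)
{
    if (scrub)
        for (uint16_t off = c->sp; off != c->bp; off++)
            seg[off] = 0;
    c->sp = c->bp;
    c->cx = pop16(c);
    c->bp = pop16(c);
}

/* Routine 1 keeps `secret` in its work space at [BP-2]; routine 2 is then
   called at the same stack depth and reads [BP-2] before writing it.
   Returns the value routine 2 sees. */
uint16_t stale_work_space(uint16_t secret, int scrub)
{
    cpu_t c = { .sp = 0x1000, .cx = 0x1111 };
    memset(seg, 0, sizeof seg);
    enter_frame(&c);                                /* routine 1 */
    store16((uint16_t)(c.bp - 2), secret);
    leave_frame(&c, scrub);
    enter_frame(&c);                                /* routine 2 */
    uint16_t seen = load16((uint16_t)(c.bp - 2));
    leave_frame(&c, 0);
    return seen;
}

int main(void)
{
    printf("word left below SP: %04X\n", (unsigned)push_pop_sequence().below_sp);
    printf("unscrubbed: %04X  scrubbed: %04X\n",
           (unsigned)stale_work_space(0xBEEF, 0),
           (unsigned)stale_work_space(0xBEEF, 1));
    return 0;
}
```
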
[Figure 2-7. 80286 Stack. Labels: stack segment base address (SS), logical top of stack (SP), logical bottom of stack (initial SP value), push-down and pop-up directions.]

80286 stack entries are 16 bits wide. Instructions operate on the stack by adding and removing stack items one word at a time. An item is pushed onto the stack (see figure 2-8) by decrementing SP by 2 and writing the item at the new TOS. An item is popped off the stack by copying it from TOS and then incrementing SP by 2. In other words, the stack grows down in memory toward its base address. Stack operations never move items on the stack; nor do they erase them. The top of the stack changes only as a result of updating the stack pointer.

The stack frame base pointer (BP) is often used to access elements on the stack relative to a fixed point on the stack rather than relative to the current TOS. It typically identifies the base address of the current stack frame established for the current procedure (figure 2-9). If an index register is used relative to BP (e.g., base + index addressing mode using BP as the base), the offset will be calculated automatically in the current stack segment.

Accessing data structures in data segments is facilitated by the BX register, which has the same function in addressing operands within data segments that BP does for stack segments. They are called base registers because they may contain an offset to the base of a data structure. The similar usage of these two registers is especially important when discussing addressing modes (see section 2.4, "Addressing Modes").

Operations on data are also facilitated by the SI and DI registers. By specifying an offset relative to the start of the currently addressable data segment, an index register can be used to address an operand in the segment.
If an index register is used in conjunction with the BX base register (i.e., base + index addressing) to form an offset address, the data is also assumed to reside in the current data segment. As a rule, data referenced through an index register or BX is presumed to reside in the current data segment. That is, if an instruction invokes addressing for one of its operands using either BX, DI, SI, or BX with SI or DI, the contents of the register(s) (BX, DI, or SI) implicitly specify an offset in the current data segment. As previously mentioned, data referenced via SP, BP or BP with SI or DI implicitly specify an operand in the current stack segment (refer to table 2-1).

[Figure 2-8. Stack Operation. Stack operation for the code sequence PUSH AX, POP AX, POP BX, showing the stack segment (SS selector, SP offset) before the push and after each instruction.]

[Figure 2-9. BP Usage as a Stack Frame Base Pointer. BP is a constant pointer to stack based variables and work space. All references use BP and are independent of SP, which may vary during a routine execution. Each procedure's stack frame holds parameters, return address, registers and work space; the work space is dynamically allocated on demand rather than statically.]

    PROC_N:    PUSH AX
               PUSH ARRAY_SIZE
               CALL PROC_N+1

    PROC_N+1:  PUSH BP
               PUSH CX
               MOV  BP, SP
               SUB  SP, WORK_SPACE
               "PROCEDURE BODY"
               MOV  SP, BP
               POP  CX
               POP  BP
               RET

Table 2-1. Implied Segment Usage by Index, Pointer, and Base Registers

    Register        Implied Segment
    SP              SS
    BP              SS
    BX              DS
    SI              DS
    DI              DS, ES for String Operations
    BP + SI, DI     SS
    BX + SI, DI     DS

NOTE: All implied Segment usage, except SP to SS and DI to ES for String Operations, may be explicitly specified with a segment override prefix for any of the four segments. The prefix precedes the instruction for which explicit reference is desired.

There are two exceptions to the rules listed above. The first concerns the operation of certain 80286 string instructions. For the most flexibility, these instructions assume that the DI register addresses destination strings not in the data segment, but rather in the extra segment (ES register). This allows movement of strings between different segments. This has led to the descriptive names "source index" and "destination index." In all cases other than string instructions, however, the SI and DI registers may be used interchangeably to reference either source or destination operands.

A second more general override capability allows the programmer complete control of which segment is used for a specific operation.
Segment-override prefixes, discussed in section 2.4.3, allow the index and base registers to address data in any of the four currently addressable segments.

2.3.4 Status and Control Registers

Two status and control registers are of immediate concern to applications programmers: the instruction pointer and the FLAGS registers.

The instruction pointer register (IP) contains the offset address, relative to the start of the current code segment, of the next sequential instruction to be executed. Together, the CS:IP registers thus define a 32-bit program-counter. The instruction pointer is not directly visible to the programmer; it is controlled implicitly, by interrupts, traps, and control-transfer operations.

The FLAGS register encompasses eleven flag fields, mostly one-bit wide, as shown in figure 2-10. Six of the flags are status flags that record processor status information. The status flags are affected by the execution of arithmetic and logical instructions. The carry flag is also modifiable with instructions that will clear, set or complement this flag bit. See Chapters 3 and 4.

The carry flag (CF) generally indicates a carry or borrow out of the most significant bit of an 8- or 16-bit operand after performing an arithmetic operation; this flag is also useful for bit manipulation operations involving the shift and rotate instructions. The effect on the remaining status flags, when defined for a particular instruction, is generally as follows: the zero flag (ZF) indicates a zero result when set; the sign flag (SF) indicates whether the result was negative (SF=1) or positive (SF=0); when set, the overflow flag (OF) indicates whether an operation results in a carry into the high order bit of the result but not a carry out of the high-order bit, or vice versa; the parity flag (PF) indicates whether the modulo 2 sum of the low-order eight bits of the operation is even (PF=0) or odd (PF=1) parity.
The auxiliary carry flag (AF) represents a carry out of or borrow into the least significant 4-bit digit when performing binary coded decimal (BCD) arithmetic.

[Figure 2-10. Flags Register]

    Bit:    15  14  13-12  11  10  9   8   7   6   5   4   3   2   1   0
    Field:  -   NT  IOPL   OF  DF  IF  TF  SF  ZF  -   AF  -   PF  -   CF

    Status flags: carry (CF), parity (PF), auxiliary carry (AF), zero (ZF), sign (SF), overflow (OF).
    Control flags: trap flag (TF), interrupt enable (IF), direction flag (DF).
    Special fields: I/O privilege level (IOPL), nested task flag (NT).
    - = Intel reserved.

The FLAGS register also contains three control flags that are used, under program control, to direct certain processor operations. The interrupt-enable flag (IF), if set, enables external interrupts; otherwise, interrupts are disabled. The trap flag (TF), if set, puts the processor into a single-step mode for debugging purposes where the target program is automatically interrupted to a user supplied debug routine after the execution of each target program instruction. The direction flag (DF) controls the forward or backward direction of string operations: 0 = forward or auto-increment the address register(s) (SI, DI or SI and DI), 1 = backward or auto-decrement the address register(s) (SI, DI or SI and DI).

In general, the interrupt enable flag may be set or reset with special instructions (STI = set, CLI = clear) or by placing the flags on the stack, modifying the stack, and returning the flag image from the stack to the flag register. If operating in Protected Mode, the ability to alter the IF bit is subject to protection checks to prevent non-privileged programs from affecting the interrupt state of the CPU. This applies to both instruction and stack options for modifying the IF bit.

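The status flag definitions above, together with the earlier statement that one addition instruction serves both signed and unsigned values, can be made concrete. This C sketch is an added example, not part of the Intel manual: it adds two 8- or 16-bit operands and derives CF, AF, ZF, SF and OF from the bit pattern, computing OF exactly as "carry into the high-order bit differs from carry out of it". Flag bit positions follow figure 2-10; PF is left out of the sketch, and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bit positions in the FLAGS word (figure 2-10). */
#define FLAG_CF (1u << 0)
#define FLAG_AF (1u << 4)
#define FLAG_ZF (1u << 6)
#define FLAG_SF (1u << 7)
#define FLAG_OF (1u << 11)

typedef struct {
    uint16_t result;   /* sum truncated to the operand width */
    uint16_t flags;    /* CF, AF, ZF, SF and OF packed as in FLAGS */
} add_result;

/* Add two operands of `bits` width (8 or 16) and derive the status flags.
   The same bit pattern is produced whether the caller thinks of the
   operands as signed or unsigned; only the flag consulted differs. */
add_result add_with_flags(uint16_t a, uint16_t b, unsigned bits)
{
    uint32_t mask = (1u << bits) - 1u;
    uint32_t sign = 1u << (bits - 1);
    uint32_t ua = a & mask, ub = b & mask;
    uint32_t sum = ua + ub;

    /* Carry out of the high-order bit, and carry into it from below. */
    unsigned carry_out = (sum >> bits) & 1u;
    unsigned carry_in  = (((ua & (sign - 1)) + (ub & (sign - 1))) >> (bits - 1)) & 1u;

    add_result r = { (uint16_t)(sum & mask), 0 };
    if (carry_out)                       r.flags |= FLAG_CF;
    if (((ua & 0xF) + (ub & 0xF)) > 0xF) r.flags |= FLAG_AF;
    if (r.result == 0)                   r.flags |= FLAG_ZF;
    if (r.result & sign)                 r.flags |= FLAG_SF;
    if (carry_in != carry_out)           r.flags |= FLAG_OF;
    return r;
}

/* The unsigned reading of the result is wrong exactly when CF is set. */
int unsigned_overflow(add_result r) { return (r.flags & FLAG_CF) != 0; }

/* The two's complement reading is wrong exactly when OF is set. */
int signed_overflow(add_result r) { return (r.flags & FLAG_OF) != 0; }

/* Interpret a result as a two's complement integer of `bits` width. */
int32_t as_signed(uint16_t v, unsigned bits)
{
    uint32_t sign = 1u << (bits - 1);
    return (v & sign) ? (int32_t)v - (int32_t)(sign << 1) : (int32_t)v;
}

/* Defensive use: a 16-bit size computed as payload + header is valid only
   if the unsigned add did not carry. Returns the size, or -1 on carry. */
int32_t checked_size(uint16_t payload, uint16_t header)
{
    add_result r = add_with_flags(payload, header, 16);
    return unsigned_overflow(r) ? -1 : (int32_t)r.result;
}

int main(void)
{
    add_result r = add_with_flags(0x7F, 0x01, 8);
    printf("7F+01 -> %02X flags=%04X signed=%d\n", (unsigned)r.result,
           (unsigned)r.flags, (int)as_signed(r.result, 8));
    r = add_with_flags(0xFF, 0x01, 8);
    printf("FF+01 -> %02X flags=%04X\n", (unsigned)r.result, (unsigned)r.flags);
    printf("FFF0+0020 size check: %d\n", (int)checked_size(0xFFF0, 0x0020));
    return 0;
}
```
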
The TF flag may only be modified by copying the flag register to the stack, setting the TF bit in the stack image, and returning the modified stack image to the flag register. The trap interrupt occurs on completion of the next instruction. Entry to the single step routine saves the flag register on the stack with the TF bit set, and resets the TF bit in the register. After completion of the single step routine, the TF bit is automatically set on return to the program being single stepped to interrupt the program again after completion of the next instruction. Use of TF is not inhibited by the protection mechanism in Protected Mode.

The DF flag, like the IF flag, is controlled by instructions (CLD = clear, STD = set) or flag register modification through the stack. Typically, routines that use string instructions will save the flags on the stack, modify DF as necessary via the instructions provided, and restore DF to its original state by restoring the Flag register from the stack before returning. Access or control of the DF flag is not inhibited by the protection mechanism in Protected Mode.

The Special Fields bits are only relevant in Protected Mode. Real Address Mode programs should treat these bits as don't-care's, making no assumption about their status. Attempts to modify the IOPL and NT fields are subject to protection checking in Protected Mode. In general, the application's programmer will not be able to and should not attempt to modify these bits. (See section 10.3, "Privileged and Trusted Instructions" for more details.)

2.4 ADDRESSING MODES

The information encoded in an 80286 instruction includes a specification of the operation to be performed, the type of the operands to be manipulated, and the location of these operands. If an operand is located in memory, the instruction must also select, explicitly or implicitly, which of the currently addressable segments contains the operand.
This section covers the operand addressing mechanisms; 80286 operators are discussed in Chapter 3.

The five elements of a general instruction are briefly described below. The exact format of 80286 instructions is specified in Appendix B.

• The opcode is present in all instructions; in fact, it is the only required element. Its principal function is the specification of the operation performed by the instruction.
• A register specifier.
• The addressing mode specifier, when present, is used to specify the addressing mode of an operand for referencing data or performing indirect calls or jumps.
• The displacement, when present, is used to compute the effective address of an operand in memory.
• The immediate operand, when present, directly specifies one operand of the instruction.

Of the four elements, only one, the opcode, is always present. The other elements may or may not be present, depending on the particular operation involved and on the location and type of the operands.

2.4.1 Operands

Generally speaking, an instruction is an operation performed on zero, one, or two operands, which are the data manipulated by the instruction. An operand can be located either in a register (AX, BX, CX, DX, SI, DI, SP, or BP in the case of 16-bit operands; AH, AL, BH, BL, CH, CL, DH, or DL in the case of 8-bit operands; the FLAG register for flag operations), in the instruction itself (as an immediate operand), or in memory or an I/O port. Immediate operands and operands in registers can be accessed more rapidly than operands in memory since memory operands must be fetched from memory while immediate and register operands are available in the processor.

An 80286 instruction can reference zero, one, or two operands. The three forms are as follows:

Zero-operand instructions, such as RET, NOP, and HLT. Consult Appendix B.

One-operand instructions, such as INC or DEC.
The location of the single operand can be specified implicitly, as in AAM (where the register AX contains the operand), or explicitly, as in INC (where the operand can be in any register or memory location). Explicitly specified operands are accessed via one of the addressing modes described in section 2.4.2.
• Two-operand instructions such as MOV, ADD, XOR, etc., generally overwrite one of the two participating operands with the result. A distinction can thus be made between the source operand (the one left unaffected by the operation) and the destination operand (the one overwritten by the result). Like one-operand instructions, two-operand instructions can specify the location of operands either explicitly or implicitly. If an instruction contains two explicitly specified operands, only one of them, either the source or the destination, can be in a register or memory location. The other operand must be in a register or be an immediate source operand.

Special cases of two-operand instructions are the string instructions and stack manipulation. Both operands of some string instructions are in memory and are explicitly specified. Push and pop stack operations allow transfer between memory operands and the memory based stack.

Thus, the two-operand instructions of the 80286 permit operations of the following sort:

• Register-to-register
• Register-to-memory
• Memory-to-register
• Immediate-to-register
• Immediate-to-memory
• Memory-to-memory

Instructions can specify the location of their operands by means of eight addressing modes, which are described in sections 2.4.2 and 2.4.3.

2.4.2 Register and Immediate Modes

Two addressing modes are used to reference operands contained in registers and instructions:

• Register Operand Mode. The operand is located in one of the 16-bit registers (AX, BX, CX, DX, SI, DI, SP, or BP) or in one of the 8-bit general registers (AH, BH, CH, DH, AL, BL, CL, or DL). Special instructions are also included for referencing the CS, DS, ES, SS, and Flag registers as operands.
• Immediate Operand Mode. The operand is part of the instruction itself (the immediate operand element).

2.4.3 Memory Addressing Modes

Six modes are used to access operands in memory. Memory operands are accessed by means of a pointer consisting of a segment selector (see section 2.3.2) and an offset, which specifies the operand's displacement in bytes from the beginning of the segment in which it resides. Both the segment selector component and the offset component are 16-bit values. (See section 2.1 for a discussion of segmentation.) Only some instructions use a full 32-bit address.

Most memory references do not require the instruction to specify a full 32-bit pointer address. Operands that are located within one of the currently addressable segments, as determined by the four segment registers (see section 2.3.2, "Segment Registers"), can be referenced very efficiently simply by means of the 16-bit offset. This form of address is called a short address. The choice of segment (CS, DS, ES, or SS) is either implicit within the instruction itself or explicitly specified by means of a segment override prefix (see below). See figure 2-11 for a diagram of the addressing process.

2.4.3.1 SEGMENT SELECTION

All instructions that address operands in memory must specify the segment and the offset. For speed and compact instruction encoding, segment selectors are usually stored in the high speed segment registers. An instruction need specify only the desired segment register and an offset in order to address a memory operand.

Most instructions need not explicitly specify which segment register is used. The correct segment register is automatically chosen according to the rules of table 2-1 and table 2-2.
These rules follow the way programs are written (see figure 2-12) as independent modules that require areas for code and data, a stack, and access to external data areas.

There is a close connection between the type of memory reference and the segment in which that operand resides (see the next section for a discussion of how memory addressing mode calculations are performed). As a rule, a memory reference implies the current data segment (i.e., the implicit segment selector is in DS) unless the BP register is involved in the address specification, in which case the current stack segment is implied (i.e., SS contains the selector).

Figure 2-11. Two-Component Address (a pointer with the segment selector in bits 31-16 and the offset in bits 15-0; the selector picks the selected segment in memory and the offset picks the operand within it)

Table 2-2. Segment Register Selection Rules

Memory Reference Needed | Segment Register Used | Implicit Segment Selection Rule
Instructions | Code (CS) | Automatic with instruction prefetch.
Stack | Stack (SS) | All stack pushes and pops. Any memory reference which uses BP as a base register.
Local Data | Data (DS) | All data references except when relative to stack or string destination.
External (Global) Data | Extra (ES) | Alternate data segment and destination of string operation.

The 80286 instruction set defines special instruction prefix elements (see Appendix B). One of these is SEG, the segment-override prefix. Segment-override prefixes allow an explicit segment selection. Only in two special cases, namely the use of DI to reference destination strings in the ES segment and the use of SP to reference stack locations in the SS segment, is there an implied segment selection which cannot be overridden. The format of segment override prefixes is shown in Appendix B.

2.4.3.2 OFFSET COMPUTATION

The offset within the desired segment is calculated in accordance with the desired addressing mode.
The offset is calculated by taking the sum of up to three components:

• the displacement element in the instruction
• the base (contents of BX or BP, a base register)
• the index (contents of SI or DI, an index register)

Each of the three components of an offset may be either a positive or negative value. Offsets are calculated modulo 2^16.

The six memory addressing modes are generated using various combinations of these three components. The six modes are used for accessing different types of data stored in memory:

addressing mode | offset calculation
direct address | displacement alone
register indirect | base or index alone
based | base + displacement
indexed | index + displacement
based indexed | base + index
based indexed with displacement | base + index + disp

In all six modes, the operand is located at the specified offset within the selected segment. All displacements, except direct address mode, are optionally 8- or 16-bit values. 8-bit displacements are automatically sign-extended to 16 bits. The six addressing modes are described and demonstrated in the following section on memory addressing modes.

Figure 2-12. Use of Memory Segmentation (the CPU's code, data, stack, and extra segment registers select, in memory, the code and data of modules A and B, the process stack, and process data blocks 1 and 2)

2.4.3.3 MEMORY MODE

Two modes are used for simple scalar operands located in memory:

• Direct Address Mode. The offset of the operand is contained in the instruction as the displacement element. The offset is a 16-bit quantity.
• Register Indirect Mode. The offset of the operand is in one of the registers SI, DI, or BX. (BP is excluded; if BP is used as a stack frame base, it requires an index or displacement component to reference either parameters passed on the stack or temporary variables allocated on the stack.
The instruction level bit encoding for the BP only address mode is used to specify Direct Address mode. See Chapter 12 for more details.)

The following four modes are used for accessing complex data structures in memory (see figure 2-13):

• Based Mode. The operand is located within the selected segment at an offset computed as the sum of the displacement and the contents of a base register (BX or BP). Based mode is often used to access the same field in different copies of a structure (often called a record). The base register points to the base of the structure (hence the term "base" register), and the displacement selects a particular field. Corresponding fields within a collection of structures can be accessed simply by changing the base register. (See figure 2-13, example 1.)
• Indexed Mode. The operand is located within the selected segment at an offset computed as the sum of the displacement and the contents of an index register (SI or DI). Indexed mode is often used to access elements in a static array (e.g., an array whose starting location is fixed at translation time). The displacement locates the beginning of the array, and the value of the index register selects one element. Since all array elements are the same length, simple arithmetic on the index register will select any element. (See figure 2-13, example 2.)
• Based Indexed Mode. The operand is located within the selected segment at an offset computed as the sum of the base register's contents and an index register's contents. Based Indexed mode is often used to access elements of a dynamic array (i.e., an array whose base address can change during execution). The base register points to the base of the array, and the value of the index register is used to select one element. (See figure 2-13, example 3.)
• Based Indexed Mode with Displacement.
The operand is located within the selected segment at an offset computed as the sum of a base register's contents, an index register's contents, and the displacement. This mode is often used to access elements of an array within a structure. For example, the structure could be an activation record (i.e., a region of the stack containing the register contents, parameters, and variables associated with one instance of a procedure); and one variable could be an array. The base register points to the start of the activation record, the displacement expresses the distance from the start of the record to the beginning of the array variable, and the index register selects a particular element of the array. (See figure 2-13, example 4.)

Table 2-3 gives a summary of all memory operand addressing options.

Table 2-3. Memory Operand Addressing Modes

Addressing Mode | Offset Calculation
Direct | 16-bit Displacement in the instruction
Register Indirect | BX, SI, DI
Based | (BX or BP) + Displacement*
Indexed | (SI or DI) + Displacement*
Based Indexed | (BX or BP) + (SI or DI)
Based Indexed + Displacement | (BX or BP) + (SI or DI) + Displacement*

* The displacement can be a 0, 8 or 16-bit value.

Figure 2-13. Complex Addressing Modes (four panels, each showing how the segment, base, index, and displacement combine to locate the operand)
1. Based mode: MOV AX, [BP + DATE_CODE] and ADD [BX + BALANCE], CX
2. Indexed mode (fixed array): MOV ID[SI], DX and SUB BX, DATA_TBL[SI]
3. Based indexed mode (based array): MOV DX, [BP][DI] and AND [BX + SI], 3FFH
4. Based indexed mode with displacement (based structure containing array): MOV CX, [BP][SI + CNT] and SHR [BX + DI + MASK]

2.5 INPUT/OUTPUT

The 80286 allows input/output to be performed in either of two ways: by means of a separate I/O address space (using specific I/O instructions) or by means of memory-mapped I/O (using general-purpose operand manipulation instructions).

2.5.1 I/O Address Space

The 80286 provides a separate I/O address space, distinct from physical memory, to address the input/output ports that are used for external devices. The I/O address space consists of 2^16 (64K) individually addressable 8-bit ports. Any two consecutive 8-bit ports can be treated as a 16-bit port. Thus, the I/O address space can accommodate up to 64K 8-bit ports or up to 32K 16-bit ports. I/O port addresses 00F8H to 00FFH are reserved by Intel.

The 80286 can transfer either 8 or 16 bits at a time to a device located in the I/O space. Like words in memory, 16-bit ports should be aligned at even-numbered addresses so that the 16 bits will be transferred in a single access. An 8-bit port may be located at either an even or odd address. The internal registers in a given peripheral controller device should be assigned addresses as shown below.

Port Register | Port Addresses | Example
16-bit | even word addresses | OUT FE,AX
8-bit; device on lower half of 16-bit data bus | even byte addresses | IN AL,FE
8-bit; device on upper half of 16-bit data bus | odd byte addresses | OUT FF,AL

The I/O instructions IN and OUT (described in section 3.11.3) are provided to move data between I/O ports and the AX (16-bit I/O) or AL (8-bit I/O) general registers. The block I/O instructions INS and OUTS (described in section 4.1) move blocks of data between I/O ports and memory space (as shown below). In Protected Mode, an operating system may prevent a program from executing these I/O instructions. Otherwise, the function of the I/O instructions and the structure of the I/O space are identical for both modes of operation.

INS es:byte ptr [di], DX
OUTS DX, byte ptr [si]

IN and OUT instructions address I/O with either a direct address to one of up to 256 port addresses, or indirectly via the DX register to one of up to 64K port addresses.
Block I/O uses the DX register to specify the I/O address and either SI or DI to designate the source or destination memory address. For each transfer, SI or DI are either incremented or decremented as specified by the direction bit in the flag word while DX is constant to select the I/O device.

2.5.2 Memory-Mapped I/O

I/O devices also may be placed in the 80286 memory address space. So long as the devices respond like memory components, they are indistinguishable to the processor.

Memory-mapped I/O provides additional programming flexibility. Any instruction that references memory may be used to access an I/O port located in the memory space. For example, the MOV instruction can transfer data between any register and a port; and the AND, OR, and TEST instructions may be used to manipulate bits in the internal registers of a device (see figure 2-14). Memory-mapped I/O performed via the full instruction set maintains the full complement of addressing modes for selecting the desired I/O device.

Memory-mapped I/O, like any other memory reference, is subject to access protection and control when executing in protected mode.

Figure 2-14. Memory-Mapped I/O (the internal registers of I/O device 1 and I/O device 2 occupy locations in the memory address space)

2.6 INTERRUPTS AND EXCEPTIONS

The 80286 architecture supports several mechanisms for interrupting program execution. Internal interrupts are synchronous events that are the responses of the CPU to certain events detected during the execution of an instruction. External interrupts are asynchronous events typically triggered by external devices needing attention. The 80286 supports both maskable (controlled by the IF flag) and non-maskable interrupts. They cause the processor to temporarily suspend its present program execution in order to service the requesting device.
The major distinction between these two kinds of interrupts is their origin; an internal interrupt is always reproducible by re-executing with the program and data that caused the interrupt, whereas an external interrupt is generally independent of the currently executing task.

Interrupts 0-31 are reserved by Intel.

Application programmers will normally not be concerned with servicing external interrupts. More information on external interrupts for system programmers may be found in Chapter 5, section 5.2, "Interrupt Handling for Real Address Mode," and in Chapter 9, "Interrupts, Traps and Faults for Protected Virtual Address Mode."

In Real Address Mode, the application programmer is affected by two kinds of internal interrupts. (Internal interrupts are the result of executing an instruction which causes the interrupt.) One type of interrupt is called an exception because the interrupt only occurs if a particular fault condition exists. The other type of interrupt generates the interrupt every time the instruction is executed.

The exceptions are: divide error, INTO detected overflow, bounds check, segment overrun, invalid operation code, and processor extension error (see table 2-4). A divide error exception results when the instructions DIV or IDIV are executed with a zero denominator; otherwise, the quotient will be too large for the destination operand (see section 3.3.4 for a discussion of DIV and IDIV). An overflow exception results when the INTO instruction is executed and the OF flag is set (after an arithmetic operation that set the overflow (OF) flag). (See section 3.6.3, "Software Generated Interrupts," for a discussion of INTO.) A bounds check exception results when the BOUND instruction is executed and the array index it checks falls outside the bounds of the array. (See section 4.2 for a discussion of the BOUND instruction.)
The segment overrun exception occurs when a word memory reference is attempted which extends beyond the end of a segment. An invalid operation code exception occurs if an attempt is made to execute an undefined instruction operation code. A processor extension error is generated when a processor extension detects an illegal operation. Refer to Chapter 5 for a more complete description of these exception conditions.

The instruction INT generates an internal interrupt whenever it is executed. The effects of this interrupt (and the effects of all interrupts) are determined by the interrupt handler routines provided by the application program or as part of the system software (provided by system programmers). See Chapter 5 for more on this topic. The INT instruction itself is discussed in section 3.6.3.

In Protected Mode, many more fault conditions are detected and result in internal interrupts. Protected Mode interrupts and faults are discussed in Chapter 9.

2.7 HIERARCHY OF INSTRUCTION SETS

For descriptive purposes, the 80286 instruction set is partitioned into three distinct subsets: the Basic Instruction Set, the Extended Instruction Set, and the System Control Instruction Set. The "hierarchy" of instruction sets defined by this partitioning helps to clarify the relationships between the various processors in the 8086 family (see figure 2-15).

The Basic Instruction Set, presented in Chapter 3, comprises the common subset of instructions found on all processors of the 8086 family. Included are instructions for logical and arithmetic operations, data movement, input/output, string manipulation, and transfer of control.

The Extended Instruction Set, presented in Chapter 4, consists of those instructions found only on the 80186, 80188, and 80286 processors. Included are instructions for block structured procedure entry and exit, parameter validation, and block I/O transfers.

The System Control Instruction Set, presented in Chapter 10, consists of those instructions unique to the 80286. These instructions control the memory management and protection mechanisms of the 80286.

Table 2-4. 80286 Interrupt Vector Assignments (Real Address Mode)

Function | Interrupt Number | Related Instructions | Return Address Before Instruction Causing Exception?
Divide error exception | 0 | DIV, IDIV |
Single step interrupt | 1 | All |
NMI interrupt | 2 | All |
Breakpoint interrupt | 3 | INT |
INTO detected overflow exception | 4 | INTO | No
BOUND range exceeded exception | 5 | BOUND | Yes
Invalid opcode exception | 6 | Any undefined opcode | Yes
Processor extension not available exception | 7 | ESC or WAIT | Yes
Interrupt table limit too small exception | 8 | INT vector is not within table limit | Yes
Processor extension segment overrun interrupt | 9 | ESC with memory operand extending beyond offset FFFF(H) | No
Reserved | 10-12 | |
Segment overrun exception | 13 | Word memory reference with offset = FFFF(H) or an attempt to execute past the end of a segment | Yes
Reserved | 14, 15 | |
Processor extension error interrupt | 16 | ESC or WAIT | Yes
Reserved | 17-31 | |
User defined | 32-255 | |

Figure 2-15. Hierarchy of Instructions (the Basic Instruction Set, the Extended Instruction Set, and the System Control Instruction Set, with the 80186/80188 and the 80286 marked against the subsets they implement)

CHAPTER 3
BASIC INSTRUCTION SET

The base architecture of the 80286 is identical to the complete instruction set of the 8086, 8088, 80188, and 80186 processors. The 80286 instruction set includes new forms of some instructions. These new forms reduce program size and improve the performance and ease of implementation of source code.

This chapter describes the instructions which programmers can use to write application software for the 80286. The following chapters describe the operation of more complicated I/O and system control instructions.

All instructions described in this chapter are available for both Real Address Mode and Protected Virtual Address Mode operation. The instruction descriptions note any differences that exist between the operation of an instruction in these two modes.

This chapter also describes the operation of each application program-relative instruction and includes an example of using the instruction. The Instruction Dictionary in Appendix B contains formal descriptions of all instructions. Any opcode pattern that is not described in the Instruction Dictionary is undefined and results in an opcode violation trap (interrupt 6).

3.1 DATA MOVEMENT INSTRUCTIONS

These instructions provide convenient methods for moving bytes or words of data between memory and the registers of the base architecture.

3.1.1 General-Purpose Data Movement Instructions

MOV (Move) transfers a byte or a word from the source operand to the destination operand. The MOV instruction is useful for transferring data to a register from memory, to memory from a register, between registers, immediate-to-register, or immediate-to-memory. Memory-to-memory or segment register-to-segment register moves are not allowed.

Example: MOV DS,AX. Replaces the contents of register DS with the contents of register AX.

XCHG (Exchange) swaps the contents of two operands. This instruction takes the place of three MOV instructions. It does not require a temporary memory location to save the contents of one operand while you load the other. The XCHG instruction can swap two byte operands or two word operands, but not a byte for a word or a word for a byte. The operands for the XCHG instruction may be two register operands, or a register operand with a memory operand. When used with a memory operand, XCHG automatically activates the LOCK signal.

Example: XCHG BX,WORDOPRND. Swaps the contents of register BX with the contents of the memory word identified by the label WORDOPRND after asserting bus lock.
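
MOV and XCHG reach their memory operands through the segment selection and offset rules of sections 2.4.3.1 to 2.4.3.3. The C code below is an added example, not part of the manual: it resolves a memory operand to a segment register and a 16-bit offset, applying the BP-implies-SS default, sign extension of 8-bit displacements, modulo 2^16 wraparound, and the word-at-FFFFH condition that Table 2-4 lists as interrupt 13. All type and function names are hypothetical and the register values are constructed.

```c
/* Added example: resolves an 80286 memory operand to (segment register, offset).
 * Names are hypothetical; register values in main() are constructed. */
#include <stdint.h>
#include <stdio.h>

typedef enum { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_NONE } Seg;  /* SEG_NONE: no override */
typedef enum { BASE_NONE, BASE_BX, BASE_BP } Base;
typedef enum { INDEX_NONE, INDEX_SI, INDEX_DI } Index;
typedef enum { DISP_NONE, DISP_8, DISP_16 } DispSize;
typedef enum { M_DIRECT, M_REG_INDIRECT, M_BASED, M_INDEXED,
               M_BASED_INDEXED, M_BASED_INDEXED_DISP } AddrMode;

typedef struct { uint16_t bx, bp, si, di; } Regs;

typedef struct {
    Base base;
    Index index;
    DispSize disp_size;
    uint16_t disp;      /* raw displacement bits taken from the instruction */
    Seg override;       /* segment-override prefix, or SEG_NONE */
} MemOperand;

typedef struct {
    Seg seg;            /* segment register that supplies the selector */
    uint16_t offset;    /* offset within that segment */
    AddrMode mode;      /* which of the six modes of Table 2-3 applies */
    int word_overrun;   /* word reference at offset FFFFH (interrupt 13, Table 2-4) */
} Resolved;

/* Returns 0 on success, -1 for a combination that is not one of the six modes. */
int resolve(const Regs *r, const MemOperand *op, int is_word, Resolved *out)
{
    int has_base = op->base != BASE_NONE;
    int has_index = op->index != INDEX_NONE;
    int has_disp = op->disp_size != DISP_NONE;
    uint16_t base = 0, index = 0, disp = 0;

    if (!has_base && !has_index) {
        if (op->disp_size != DISP_16) return -1;   /* direct offset is a 16-bit quantity */
        out->mode = M_DIRECT;
    } else if (has_base && has_index) {
        out->mode = has_disp ? M_BASED_INDEXED_DISP : M_BASED_INDEXED;
    } else if (!has_disp) {
        if (op->base == BASE_BP) return -1;        /* BP alone is excluded (2.4.3.3) */
        out->mode = M_REG_INDIRECT;
    } else {
        out->mode = has_base ? M_BASED : M_INDEXED;
    }

    if (op->base == BASE_BX) base = r->bx;
    if (op->base == BASE_BP) base = r->bp;
    if (op->index == INDEX_SI) index = r->si;
    if (op->index == INDEX_DI) index = r->di;
    /* 8-bit displacements are sign-extended to 16 bits. */
    if (op->disp_size == DISP_8) disp = (uint16_t)(int16_t)(int8_t)(op->disp & 0xFF);
    if (op->disp_size == DISP_16) disp = op->disp;

    out->offset = (uint16_t)(base + index + disp);  /* offsets are modulo 2^16 */
    /* Default is DS unless BP takes part in the address, then SS; a prefix overrides. */
    out->seg = (op->override != SEG_NONE) ? op->override
             : (op->base == BASE_BP ? SEG_SS : SEG_DS);
    out->word_overrun = is_word && out->offset == 0xFFFF;
    return 0;
}

static const char *seg_name(Seg s)
{
    static const char *names[] = { "ES", "CS", "SS", "DS", "?" };
    return names[s];
}

int main(void)
{
    Regs r = { 0x1000, 0xFFF0, 0x0020, 0x0004 };               /* BX, BP, SI, DI */
    MemOperand ops[] = {
        { BASE_BP,   INDEX_NONE, DISP_8,    0x20,   SEG_NONE }, /* [BP + 20H], wraps */
        { BASE_BX,   INDEX_SI,   DISP_8,    0xFE,   SEG_NONE }, /* [BX + SI - 2] */
        { BASE_NONE, INDEX_DI,   DISP_NONE, 0,      SEG_ES   }, /* ES:[DI] */
        { BASE_NONE, INDEX_NONE, DISP_16,   0xFFFF, SEG_NONE }  /* word at [FFFFH] */
    };
    for (unsigned i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        Resolved out;
        if (resolve(&r, &ops[i], 1, &out) == 0)
            printf("%s:%04X mode=%d%s\n", seg_name(out.seg), (unsigned)out.offset,
                   (int)out.mode, out.word_overrun ? " (segment overrun)" : "");
    }
    return 0;
}
```

The first operand shows why an emulator or analysis tool cannot treat base plus displacement as a flat sum: FFF0H + 20H lands at offset 0010H of the stack segment, not past its end.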

3.1.2 Stack Manipulation Instructions

PUSH (Push) decrements the stack pointer (SP) by two and then transfers a word from the source operand to the top of stack indicated by SP. See figure 3-1. PUSH is often used to place parameters on the stack before calling a procedure; it is also the basic means of storing temporary variables on the stack. The PUSH instruction operates on memory operands, immediate operands (new with the 80286), and register operands (including segment registers).

Example: PUSH WORDOPRND. Transfers a 16-bit value from the memory word identified by the label WORDOPRND to the memory location which represents the current top of stack (byte transfers are not allowed).

PUSHA (Push All Registers) saves the contents of the eight general registers on the stack. See figure 3-2. This instruction simplifies procedure calls by reducing the number of instructions required to retain the contents of the general registers for use in a procedure. PUSHA is complemented by POPA (see below). The processor pushes the general registers on the stack in the following order: AX, CX, DX, BX, the initial value of SP before AX was pushed, BP, SI, and DI.

Example: PUSHA. Pushes onto the stack the contents of the eight general registers.

Figure 3-1. PUSH (stack before and after PUSH OPERAND: SS always points to the lowest address used by the stack, and SP always points to the last word pushed onto the stack (TOS). PUSH decrements SP by 2 bytes and places the operand in the stack at the location to which SP points.)

Figure 3-2. PUSHA (stack before and after PUSHA. PUSHA copies the contents of the eight general registers to the stack in the above order. The instruction decrements SP by 16 bytes (8 words) to point to the last word pushed on the stack.)

POP (Pop) transfers the word at the current top of stack (indicated by SP) to the destination operand, and then increments SP by two to point to the new top of stack. See figure 3-3. POP moves information from the stack to either a register or memory. The only restriction on POP is that it cannot place a value in register CS.

Example: POP BX. Replaces the contents of register BX with the contents of the memory location at the top of stack.

POPA (Pop All Registers) restores the registers saved on the stack by PUSHA, except that it ignores the value of SP. See figure 3-4.

Example: POPA. Pops from the stack the saved contents of the general registers, and restores the registers (except SP) to their original state.

Figure 3-3. POP (stack before and after POP OPERAND. POP copies the contents of the stack location before SP to the operand in the instruction. POP then increments SP by 2 bytes (1 word).)

3.2 FLAG OPERATION WITH THE BASIC INSTRUCTION SET

3.2.1 Status Flags

The status flags of the FLAGS register reflect conditions that result from a previous instruction or instructions. The arithmetic instructions use OF, SF, ZF, AF, PF, and CF.

The SCAS (Scan String), CMPS (Compare String), and LOOP instructions use ZF to signal that their operations are complete. The base architecture includes instructions to set, clear, and complement CF before execution of an arithmetic instruction. See figure 3-5 and tables 3-1 and 3-2.

3.2.2 Control Flags

The control flags of the FLAGS register determine processor operations for string instructions, maskable interrupts, and debugging.

Figure 3-4. POPA (stack before and after POPA, holding AX, CX, DX, BX, SP, BP, SI, and DI. POPA copies the contents of seven stack locations to the corresponding general registers. POPA discards the stored value of SP.)

Setting DF (direction flag) causes string instructions to auto-decrement; that is, to process strings from high addresses to low addresses, or from "right-to-left." Clearing DF causes string instructions to auto-increment, or to process strings from "left-to-right."

Setting IF (interrupt flag) allows the CPU to recognize external (maskable) interrupt requests. Clearing IF disables these interrupts. IF has no effect on either internally generated interrupts, nonmaskable external interrupts, or processor extension segment overrun interrupts.

Setting TF (trap flag) puts the processor into single-step mode for debugging. In this mode, the CPU automatically generates an internal interrupt after each instruction, allowing a program to be inspected as it executes each instruction, instruction by instruction.

Figure 3-5. Flag Word Contents (bit 14: NT; bits 13-12: IOPL; bit 11: OF; bit 10: DF; bit 9: IF; bit 8: TF; bit 7: SF; bit 6: ZF; bit 4: AF; bit 2: PF; bit 0: CF; the remaining bits are Intel reserved. Status flags: carry, parity, auxiliary carry, zero, sign, overflow. Control flags: trap flag, interrupt enable, direction flag. Special fields: I/O privilege level, nested task flag.)

Table 3-1. Status Flags' Functions

Bit Position | Name | Function
0 | CF | Carry Flag: Set on high-order bit carry or borrow; cleared otherwise.
2 | PF | Parity Flag: Set if low-order eight bits of result contain an even number of 1 bits; cleared otherwise.
4 | AF | Set on carry from or borrow to the low order four bits of AL; cleared otherwise.
6 | ZF | Zero Flag: Set if result is zero; cleared otherwise.
7 | SF | Sign Flag: Set equal to high-order bit of result (0 if positive, 1 if negative).
11 | OF | Overflow Flag: Set if result is too-large a positive number or too-small a negative number (excluding sign-bit) to fit in destination operand; cleared otherwise.

Table 3-2. Control Flags' Functions

Bit Position | Name | Function
8 | TF | Trap (Single Step) Flag: Once set, a single step interrupt occurs after the next instruction executes. TF is cleared by the single step interrupt.
9 | IF | Interrupt-enable Flag: When set, maskable interrupts will cause the CPU to transfer control to an interrupt vector-specified location.
10 | DF | Direction Flag: Causes string instructions to auto-decrement the appropriate index registers when set. Clearing DF causes auto-increment.

3.3 ARITHMETIC INSTRUCTIONS

The arithmetic instructions of the 8086-family processors simplify the manipulation of numerical data. Multiplication and division instructions ease the handling of signed and unsigned binary integers as well as unpacked decimal integers.
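
How 16-bit addition and subtraction set the status flags of Table 3-1, shown as an added C example that is not part of the manual. It keeps CF (unsigned carry or borrow) separate from OF (signed overflow, the condition INTO tests), leaves the control flags and IOPL untouched, and chains a carry from a low word into a high word the way ADC does; the function names and sample values are assumptions made for illustration.

```c
/* Added example: status-flag results of 16-bit add and subtract on the 80286.
 * Bit positions follow Figure 3-5 and Tables 3-1 and 3-2; names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define FL_CF   0x0001u
#define FL_PF   0x0004u
#define FL_AF   0x0010u
#define FL_ZF   0x0040u
#define FL_SF   0x0080u
#define FL_TF   0x0100u
#define FL_IF   0x0200u
#define FL_DF   0x0400u
#define FL_OF   0x0800u
#define FL_IOPL 0x3000u
#define FL_NT   0x4000u
#define FL_STATUS (FL_CF | FL_PF | FL_AF | FL_ZF | FL_SF | FL_OF)

/* PF, ZF and SF depend only on the result. */
static uint16_t result_flags(uint16_t res)
{
    uint16_t f = 0;
    unsigned ones = 0, b;
    for (b = 0; b < 8; b++) ones += (res >> b) & 1u;   /* PF looks at the low 8 bits */
    if ((ones & 1u) == 0) f |= FL_PF;
    if (res == 0) f |= FL_ZF;
    if (res & 0x8000u) f |= FL_SF;
    return f;
}

/* ADD when carry_in is 0, ADC when carry_in is the current CF. */
uint16_t add16(uint16_t dst, uint16_t src, unsigned carry_in, uint16_t *flags)
{
    unsigned c = carry_in & 1u;
    uint32_t wide = (uint32_t)dst + src + c;
    uint16_t res = (uint16_t)wide;
    uint16_t f = result_flags(res);

    if (wide > 0xFFFFu) f |= FL_CF;                          /* carry out of bit 15 */
    if ((dst & 0xFu) + (src & 0xFu) + c > 0xFu) f |= FL_AF;  /* carry out of bit 3 */
    /* Signed overflow: operands share a sign that the result does not. */
    if (~(dst ^ src) & (dst ^ res) & 0x8000u) f |= FL_OF;

    *flags = (uint16_t)((*flags & ~FL_STATUS) | f);          /* control bits unchanged */
    return res;
}

/* SUB when borrow_in is 0, SBB when borrow_in is the current CF. */
uint16_t sub16(uint16_t dst, uint16_t src, unsigned borrow_in, uint16_t *flags)
{
    unsigned b = borrow_in & 1u;
    uint32_t wide = (uint32_t)dst - src - b;
    uint16_t res = (uint16_t)wide;
    uint16_t f = result_flags(res);

    if (wide > 0xFFFFu) f |= FL_CF;                          /* borrow was required */
    if ((dst & 0xFu) < (src & 0xFu) + b) f |= FL_AF;         /* borrow into bit 3 */
    /* Signed overflow: operands differ in sign and the result left dst's sign. */
    if ((dst ^ src) & (dst ^ res) & 0x8000u) f |= FL_OF;

    *flags = (uint16_t)((*flags & ~FL_STATUS) | f);
    return res;
}

/* 32-bit addition built from a 16-bit ADD followed by a 16-bit ADC. */
uint32_t add32(uint32_t a, uint32_t b, uint16_t *flags)
{
    uint16_t lo = add16((uint16_t)a, (uint16_t)b, 0, flags);
    uint16_t hi = add16((uint16_t)(a >> 16), (uint16_t)(b >> 16),
                        *flags & FL_CF, flags);
    return ((uint32_t)hi << 16) | lo;
}

/* I/O privilege level field, bits 13-12 of the flag word. */
unsigned iopl(uint16_t flags)
{
    return (flags & FL_IOPL) >> 12;
}

int main(void)
{
    uint16_t flags = (uint16_t)(FL_IF | FL_DF | FL_IOPL);    /* constructed start state */
    uint16_t res = add16(0x7FFF, 1, 0, &flags);
    printf("7FFF+1 = %04X flags=%04X OF=%d CF=%d\n", (unsigned)res, (unsigned)flags,
           (flags & FL_OF) != 0, (flags & FL_CF) != 0);
    res = add16(0xFFFF, 1, 0, &flags);
    printf("FFFF+1 = %04X flags=%04X OF=%d CF=%d\n", (unsigned)res, (unsigned)flags,
           (flags & FL_OF) != 0, (flags & FL_CF) != 0);
    printf("0001FFFF+1 = %08lX\n", (unsigned long)add32(0x0001FFFFul, 1, &flags));
    return 0;
}
```

7FFFH + 1 sets OF but not CF, while FFFFH + 1 sets CF but not OF, so a bounds or length check has to test the flag that matches the signedness of the quantity it guards.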

An arithmetic operation may consist of two register operands, a general register source operand with a memory destination operand, a memory source operand with a register destination operand, or an immediate field with either a register or memory destination operand, but not two memory operands. Arithmetic instructions can operate on either byte or word operands.

3.3.1 Addition Instructions

ADD (Add Integers) replaces the destination operand with the sum of the source and destination operands. ADD affects OF, SF, AF, PF, CF, and ZF.

Example: ADD BL, BYTEOPRND. Adds the contents of the memory byte labeled BYTEOPRND to the contents of BL, and replaces BL with the resulting sum.

ADC (Add Integers with Carry) sums the operands, adds one if CF is set, and replaces the destination operand with the result. ADC can be used to add numbers longer than 16 bits. ADC affects OF, SF, AF, PF, CF, and ZF.

Example: ADC BX, CX. Replaces the contents of the destination operand BX with the sum of BX, CX, and 1 (if CF is set). If CF is cleared, ADC performs the same operation as the ADD instruction.

INC (Increment) adds one to the destination operand. The processor treats the operand as an unsigned binary number. INC updates AF, OF, PF, SF, and ZF, but it does not affect CF. Use ADD with an immediate value of 1 if an increment that updates carry (CF) is needed.

Example: INC BL. Adds 1 to the contents of BL.

3.3.2 Subtraction Instructions

SUB (Subtract Integers) subtracts the source operand from the destination operand and replaces the destination operand with the result. If a borrow is required, carry flag is set. The operands may be signed or unsigned bytes or words. SUB affects OF, SF, ZF, AF, PF, and CF.

Example: SUB WORDOPRND, AX. Replaces the contents of the destination operand WORDOPRND with the result obtained by subtracting the contents of AX from the contents of the memory word labeled WORDOPRND.
SBB (Subtract Integers with Borrow) subtracts the source operand from the destination operand, subtracts 1 if CF is set, and returns the result to the destination operand. The operands may be signed or unsigned bytes or words. SBB may be used to subtract numbers longer than 16 bits. This instruction affects OF, SF, ZF, AF, PF, and CF. The carry flag is set if a borrow is required.

Example: SBB BL, 32. Subtracts 32 from the contents of BL and then decrements the result of this subtraction by one if CF is set. If CF is cleared, SBB performs the same operation as SUB.

DEC (Decrement) subtracts 1 from the destination operand. DEC updates AF, OF, PF, SF, and ZF, but it does not affect CF. Use SUB with an immediate value of 1 to perform a decrement that affects carry.

Example: DEC BX. Subtracts 1 from the contents of BX and places the result back in BX.

3.3.3 Multiplication Instructions

MUL (Unsigned Integer Multiply) performs an unsigned multiplication of the source operand and the accumulator. If the source is a byte, the processor multiplies it by the contents of AL and returns the double-length result to AH and AL. If the source operand is a word, the processor multiplies it by the contents of AX and returns the double-length result to DX and AX. MUL sets CF and OF to indicate that the upper half of the result is nonzero; otherwise, they are cleared. This instruction leaves SF, ZF, AF, and PF undefined.

Example: MUL BX. Replaces the contents of DX and AX with the product of BX and AX. The low-order 16 bits of the result replace the contents of AX; the high-order word goes to DX. The processor sets CF and OF if the unsigned result is greater than 16 bits.

IMUL (Signed Integer Multiply) performs a signed multiplication operation. IMUL uses AX and DX in the same way as the MUL instruction, except when used in the immediate form. The immediate form of IMUL allows the specification of a destination register other than the combination of DX and AX.
In this case, the result cannot exceed 16 bits without causing an overflow. If the immediate operand is a byte, the processor automatically extends it to 16 bits before performing the multiplication. The immediate form of IMUL may also be used with unsigned operands because the low 16 bits of a signed or unsigned multiplication of two 16-bit values will always be the same. IMUL clears CF and OF to indicate that the upper half of the result is the sign of the lower half. This instruction leaves SF, ZF, AF, and PF undefined.

Example: IMUL BL. Replaces the contents of AX with the product of BL and AL. The processor sets CF and OF if the result is more than 8 bits long.

Example: IMUL BX, SI, 5. Replaces the contents of BX with the product of the contents of SI and an immediate value of 5. The processor sets CF and OF if the signed result is longer than 16 bits.

3.3.4 Division Instructions

DIV (Unsigned Integer Divide) performs an unsigned division of the accumulator by the source operand. If the source operand is a byte, it is divided into the double-length dividend assumed to be in registers AL and AH (AH = most significant byte; AL = least significant byte). The single-length quotient is returned in AL, and the single-length remainder is returned in AH. If the source operand is a word, it is divided into the double-length dividend in registers AX and DX. The single-length quotient is returned in AX, and the single-length remainder is returned in DX. Nonintegral quotients are truncated to integers toward 0. The remainder is always less than the quotient. For unsigned byte division, the largest quotient is 255. For unsigned word division, the largest quotient is 65,535. DIV leaves OF, SF, ZF, AF, PF, and CF undefined. Interrupt (INT 0) occurs if the divisor is zero or if the quotient is too large for AL or AX.

Example: DIV BX.
Replaces the contents of AX with the unsigned quotient of the doubleword value contained in DX and AX, divided by BX. The unsigned modulo replaces the contents of DX.

Example: DIV BL. Replaces the contents of AL with the unsigned quotient of the word value in AX, divided by BL. The unsigned modulo replaces the contents of AH.

IDIV (Signed Integer Divide) performs a signed division of the accumulator by the source operand. IDIV uses the same registers as the DIV instruction. For signed byte division, the maximum positive quotient is +127 and the minimum negative quotient is -128. For signed word division, the maximum positive quotient is +32,767 and the minimum negative quotient is -32,768. Non-integral results are truncated towards 0. The remainder will always have the same sign as the dividend and will be less than the divisor in magnitude. IDIV leaves OF, SF, ZF, AF, PF, and CF undefined. A division by zero causes an interrupt (INT 0) to occur if the divisor is 0 or if the quotient is too large for AL or AX.

Example: IDIV WORDOPRND. Replaces the contents of AX with the signed quotient of the doubleword value contained in DX and AX, divided by the value contained in the memory word labeled WORDOPRND. The signed modulo replaces the contents of DX.

3.4 LOGICAL INSTRUCTIONS

The group of logical instructions includes the Boolean operation instructions, rotate and shift instructions, type conversion instructions, and the no-operation (NOP) instruction.

3.4.1 Boolean Operation Instructions

Except for the NOT and NEG instructions, the Boolean operation instructions can use two register operands, a general purpose register operand with a memory operand, an immediate operand with a general purpose register operand, or a memory operand. The NOT and NEG instructions are unary operations that use a single operand in a register or memory.

AND (And) performs the logical "and" of the operands (byte or word) and returns the result to the destination operand.
AND clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example: AND WORDOPRND, BX. Replaces the contents of WORDOPRND with the logical "and" of the contents of the memory word labeled WORDOPRND and the contents of BX.

NOT (Not) inverts the bits in the specified operand to form a one's complement of the operand. NOT has no effect on the flags.

Example: NOT BYTEOPRND. Replaces the original contents of BYTEOPRND with the one's complement of the contents of the memory word labeled BYTEOPRND.

OR (Or) performs the logical "inclusive or" of the two operands and returns the result to the destination operand. OR clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example: OR AL,5. Replaces the original contents of AL with the logical "inclusive or" of the contents of AL and the immediate value 5.

XOR (Exclusive OR) performs the logical "exclusive or" of the two operands and returns the result to the destination operand. XOR clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example: XOR DX, WORDOPRND. Replaces the original contents of DX with the logical "exclusive or" of the contents of DX and the contents of the memory word labeled WORDOPRND.

NEG (Negate) forms a two's complement of a signed byte or word operand. The effect of NEG is to reverse the sign of the operand from positive to negative or from negative to positive. NEG updates OF, SF, ZF, AF, PF, and CF.

Example: NEG AX. Replaces the original contents of AX with the two's complement of the contents of AX.

3.4.2 Shift and Rotate Instructions

The shift and rotate instructions reposition the bits within the specified operand. The shift instructions provide a convenient way to accomplish division or multiplication by binary power. The rotate instructions are useful for bit testing.

3.4.2.1 SHIFT INSTRUCTIONS

The bits in bytes and words may be shifted arithmetically or logically.
Depending on the value of a specified count, up to 31 shifts may be performed.

A shift instruction can specify the count in one of three ways. One form of shift instruction implicitly specifies the count as a single shift. The second form specifies the count as an immediate value. The third form specifies the count as the value contained in CL. This last form allows the shift count to be a variable that the program supplies during execution. Only the low order 5 bits of CL are used.

Shift instructions affect the flags as follows. AF is always undefined following a shift operation. PF, SF, and ZF are updated normally as in the logical instructions. CF always contains the value of the last bit shifted out of the destination operand. In a single-bit shift, OF is set if the value of the high-order (sign) bit was changed by the operation. Otherwise, OF is cleared. Following a multibit shift, however, the content of OF is always undefined.

SAL (Shift Arithmetic Left) shifts the destination byte or word operand left by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). The processor shifts zeros in from the right side of the operand as bits exit from the left side. See figure 3-6.

Example: SAL BL,2. Shifts the contents of BL left by 2 bits and replaces the two low-order bits with zeros.

Example: SAL BL,1. Shifts the contents of BL left by 1 bit and replaces the low-order bit with a zero. Because the processor does not have to decode the immediate count operand to obtain the shift count, this form of the instruction takes 2 clock cycles rather than the 6 clock cycles (5 cycles + 1 cycle for each bit shifted) required by the previous example.

SHL (Shift Logical Left) is physically the same instruction as SAL (see SAL above).
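The count and flag rules above, modelled in C for a 16-bit operand as an added example (not code from the manual; shift16 and its helper names are hypothetical). It covers SAL/SHL and also the SHR and SAR instructions described next, and it assumes the usual architectural behaviour that a masked count of 0 leaves operand and flags untouched, which this page does not state.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { OP_SAL, OP_SHR, OP_SAR } shift_op_t;

typedef struct {
    unsigned cf;          /* last bit shifted out of the operand */
    unsigned of;          /* meaningful only when of_defined is 1 */
    int      of_defined;  /* 0 after a multibit shift: OF is undefined */
} shift_flags_t;

/* Shift a 16-bit operand by the count held in CL. */
static uint16_t shift16(shift_op_t op, uint16_t v, uint8_t cl, shift_flags_t *f)
{
    unsigned n = cl & 0x1Fu;   /* only the low-order 5 bits of CL are used */
    uint16_t before = v;
    unsigned i;

    if (n == 0)
        return v;              /* assumption: nothing changes for a zero count */

    for (i = 0; i < n; i++) {
        if (op == OP_SAL) {
            f->cf = (v >> 15) & 1u;            /* bit leaving on the left */
            v = (uint16_t)(v << 1);            /* zero enters on the right */
        } else {
            unsigned sign = (op == OP_SAR) ? (v & 0x8000u) : 0u;
            f->cf = v & 1u;                    /* bit leaving on the right */
            v = (uint16_t)((v >> 1) | sign);   /* SAR re-inserts the sign bit */
        }
    }
    f->of_defined = (n == 1);
    f->of = (n == 1) ? (unsigned)(((before ^ v) >> 15) & 1u) : 0u;
    return v;
}

/* Helpers that return one value each, so results are easy to check. */
static uint16_t shift_result(shift_op_t op, uint16_t v, uint8_t cl)
{
    shift_flags_t f = {0, 0, 0};
    return shift16(op, v, cl, &f);
}

static unsigned shift_carry(shift_op_t op, uint16_t v, uint8_t cl)
{
    shift_flags_t f = {0, 0, 0};
    shift16(op, v, cl, &f);
    return f.cf;
}

static unsigned shift_overflow(shift_op_t op, uint16_t v, uint8_t cl)
{
    shift_flags_t f = {0, 0, 0};
    shift16(op, v, cl, &f);
    return f.of_defined ? f.of : 2u;   /* 2 stands for "undefined" */
}

int main(void)
{
    /* A count of 32 is masked to 0 and a count of 33 to 1, so a caller that
       expects "shift everything out" from a large CL gets something else. */
    printf("SAL 1234h by 32 -> %04X\n", shift_result(OP_SAL, 0x1234, 32));
    printf("SAL 1234h by 33 -> %04X\n", shift_result(OP_SAL, 0x1234, 33));
    printf("SAL 0001h by 16 -> %04X CF=%u\n",
           shift_result(OP_SAL, 0x0001, 16), shift_carry(OP_SAL, 0x0001, 16));
    printf("SAR 8000h by 3  -> %04X\n", shift_result(OP_SAR, 0x8000, 3));
    printf("SHR 8000h by 3  -> %04X\n", shift_result(OP_SHR, 0x8000, 3));
    return 0;
}
```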
SHR (Shift Logical Right) shifts the destination byte or word operand right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). The processor shifts zeros in from the left side of the operand as bits exit from the right side. See figure 3-7.

Example: SHR BYTEOPRND, CL. Shifts the contents of the memory byte labeled BYTEOPRND right by the number of bits specified in CL, and pads the left side of BYTEOPRND with an equal number of zeros.

SAR (Shift Arithmetic Right) shifts the destination byte or word operand to the right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). The processor preserves the sign of the operand by shifting in zeros on the left side if the value is positive or by shifting in ones if the value is negative. See figure 3-8.

Example: SAR WORDPRND, 1. Shifts the contents of the memory byte labeled WORDPRND right by one, and replaces the high-order sign bit with a value equal to the original sign of WORDPRND.

[Diagram: OF, CF and the operand shown before SAL or SHL, after SAL or SHL by 1 bit, and after a multibit SAL or SHL.]

Both SAL and SHL shift the bits in the register or memory operand to the left by the specified number of bit positions. CF receives the last bit shifted out of the left of the operand. SAL and SHL shift in zeros to fill the vacated bit locations. These instructions operate on byte operands as well as word operands.

Figure 3-6. SAL and SHL

[Diagram: OF, CF and the operand shown before SHR and after SHR by 10 bits.]

SHR shifts the bits in the register or memory operand to the right by the specified number of bit positions.
CF receives the last bit shifted out of the right of the operand. SHR shifts in zeros to fill the vacated bit locations. This instruction operates on byte operands as well as word operands.

Figure 3-7. SHR

[Diagram: OF, CF and the operand shown before SAR with a positive operand, after SAR with a positive operand shifted 1 bit, before SAR with a negative operand, and after SAR with a negative operand shifted 6 bits.]

SAR preserves the sign of the register or memory operand as it shifts the operand to the right the specified number of bit positions. CF receives the last bit shifted out of the right of the operand. This instruction also operates on byte operands.

Figure 3-8. SAR

3.4.2.2 ROTATE INSTRUCTIONS

Rotate instructions allow bits in bytes and words to be rotated. Bits rotated out of an operand are not lost as in a shift, but are "circled" back into the other "end" of the operand.

Rotates affect only the carry and overflow flags. CF may act as an extension of the operand in two of the rotate instructions, allowing a bit to be isolated and then tested by a conditional jump instruction (JC or JNC). CF always contains the value of the last bit rotated out, even if the instruction does not use this bit as an extension of the rotated operand.

In single-bit rotates, OF is set if the operation changes the high-order (sign) bit of the destination operand. If the sign bit retains its original value, OF is cleared. On multibit rotates, the value of OF is always undefined.

ROL (Rotate Left) rotates the byte or word destination operand left by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL).
For each rotation specified, the high-order bit that exits from the left of the operand returns at the right to become the new low-order bit of the operand. See figure 3-9.

Example: ROL AL, 8. Rotates the contents of AL left by 8 bits. This rotate instruction returns AL to its original state but isolates the low-order bit in CF for testing by a JC or JNC instruction.

ROR (Rotate Right) rotates the byte or word destination operand right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). For each rotation specified, the low-order bit that exits from the right of the operand returns at the left to become the new high-order bit of the operand. See figure 3-10.

[Diagram: the operand shown before ROL.]

ROL shifts the bits in the memory or register operand to the left by the specified number of bit positions. It copies the bit shifted out of the left of the operand into the right of the operand. The last bit shifted into the least significant bit of the operand also appears in CF. This instruction also operates on byte operands.

Figure 3-9. ROL

[Diagram: the operand and CF shown before ROR, after ROR by 1 bit, and after ROR by 8 bits.]

ROR shifts the bits in the memory or register operand to the right by the specified number of bit positions. It copies each bit shifted out of the right of the operand into the left of the operand. The last bit shifted into the most significant bit of the operand also appears in CF. This instruction also operates on byte operands.

Figure 3-10. ROR

Example: ROR WORDOPRND, CL. Rotates the contents of the memory word labeled WORDOPRND by the number of bits specified by the value contained in CL. CF reflects the value of the last bit rotated from the right to the left side of the operand.
RCL (Rotate Through Carry Left) rotates bits in the byte or word destination operand left by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). This instruction differs from ROL in that it treats CF as a high-order 1-bit extension of the destination operand. Each high-order bit that exits from the left side of the operand moves to CF before it returns to the operand as the low-order bit on the next rotation cycle. See figure 3-11.

Example: RCL BX,1. Rotates the contents of BX left by one bit. The high-order bit of the operand moves to CF, the remaining 15 bits move left one position, and the original value of CF becomes the new low-order bit.

RCR (Rotate Through Carry Right) rotates bits in the byte or word destination operand right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). This instruction differs from ROR in that it treats CF as a low-order 1-bit extension of the destination operand. Each low-order bit that exits from the right side of the operand moves to CF before it returns to the operand as the high-order bit on the next rotation cycle. See figure 3-12.

Example: RCR BYTEOPRND,3. Rotates the contents of the memory byte labeled BYTEOPRND to the right by 3 bits. Following the execution of this instruction, CF reflects the original value of bit number 5 of BYTEOPRND, and the original value of CF becomes bit 2.

[Diagram: CF and the operand shown before RCL, after RCL by 1 bit, and after RCL by 16 bits.]

RCL rotates the bits in the memory or register operand to the left in the same way as ROL except that RCL treats CF as a 1-bit extension of the operand. Note that a 16-bit RCL produces the same result as a 1-bit RCR (though it takes much longer to execute).
This instruction also operates on byte operands.

Figure 3-11. RCL

[Diagram: the operand and CF shown before RCR, after RCR by 1 bit, and after RCR by 3 bits.]

RCR rotates the bits in the memory or register operand to the right in the same way as ROR except that RCR treats CF as a 1-bit extension of the operand. This instruction also operates on byte operands.

Figure 3-12. RCR

3.4.3 Type Conversion and No-Operation Instructions

The type conversion instructions prepare operands for division. The NOP instruction is a 1-byte filler instruction with no effect on registers or flags.

CWD (Convert Word to Double-Word) extends the sign of the word in register AX throughout register DX. CWD does not affect any flags. CWD can be used to produce a double-length (double-word) dividend from a word before a word division.

CBW (Convert Byte to Word) extends the sign of the byte in register AL throughout AX. CBW does not affect any flags.

Example: CWD. Sign-extends the 16-bit value in AX to a 32-bit value in DX and AX with the high-order 16 bits occupying DX.

NOP (No Operation) occupies a byte of storage but affects nothing but the instruction pointer, IP. The amount of time that a NOP instruction requires for execution varies in proportion to the CPU clocking rate. This variation makes it inadvisable to use NOP instructions in the construction of timing loops because the operation of such a program will not be independent of the system hardware configuration.

Example: NOP. The processor performs no operation for 2 clock cycles.

3.5 TEST AND COMPARE INSTRUCTIONS

The test and compare instructions are similar in that they do not alter their operands. Instead, these instructions perform operations that only set the appropriate flags to indicate the relationship between the two operands.
TEST (Test) performs the logical "and" of the two operands, clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF. The difference between TEST and AND is that TEST does not alter the destination operand.

Example: TEST BL,32. Performs a logical "and" and sets SF, ZF, and PF according to the results of this operation. The contents of BL remain unchanged.

CMP (Compare) subtracts the source operand from the destination operand. It updates OF, SF, ZF, AF, PF, and CF but does not alter the source and destination operands. A subsequent signed or unsigned conditional transfer instruction can test the result using the appropriate flag result.

CMP can compare two register operands, a register operand and a memory operand, a register operand and an immediate operand, or an immediate operand and a memory operand. The operands may be words or bytes, but CMP cannot compare a byte with a word.

Example: CMP BX,32. Subtracts the immediate operand, 32, from the contents of BX and sets OF, SF, ZF, AF, PF, and CF to reflect the result. The contents of BX remain unchanged.

3.6 CONTROL TRANSFER INSTRUCTIONS

The 80286 provides both conditional and unconditional program transfer instructions to direct the flow of execution. Conditional program transfers depend on the results of operations that affect the flag register. Unconditional program transfers are always executed.

3.6.1 Unconditional Transfer Instructions

JMP, CALL, RET, INT and IRET instructions transfer control from one code segment location to another. These locations can be within the same code segment or in different code segments.

3.6.1.1 JUMP INSTRUCTION

JMP (Jump) unconditionally transfers control to the target location. JMP is a one-way transfer of execution; it does not save a return address on the stack.

The JMP instruction always performs the same basic function of transferring control from the current location to a new location.
Its implementation varies depending on the following factors:

- Is the address specified directly within the instruction or indirectly through a register or memory?
- Is the target location inside or outside the current code segment selected in CS?

A direct JMP instruction includes the destination address as part of the instruction. An indirect JMP instruction obtains the destination address indirectly through a register or a pointer variable.

Control transfers through a gate or to a task state segment are available only in Protected Mode operation of the 80286. The formats of the instructions that transfer control through a call gate, a task gate, or to a task state segment are the same. The label included in the instruction selects one of these three paths to a new code segment.

Direct JMP within the current code segment. A direct JMP that transfers control to a target location within the current code segment uses a relative displacement value contained in the instruction. This can be either a 16-bit value or an 8-bit value sign extended to 16 bits. The processor forms an effective address by adding this relative displacement to the address contained in IP. IP refers to the next instruction when the additions are performed.

Example: JMP NEAR_NEWCODE. Transfers control to the target location labeled NEAR_NEWCODE, which is within the code segment currently selected in CS.

Indirect JMP within the current code segment. Indirect JMP instructions that transfer control to a location within the current code segment specify an absolute address in one of several ways. First, the program can JMP to a location specified by a 16-bit register (any of AX, DX, CX, BX, BP, SI, or DI). The processor moves this 16-bit value into IP and resumes execution.

Example: JMP SI. Transfers control to the target address formed by adding the 16-bit value contained in SI to the base address contained in CS.
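The effective-address rule for a direct JMP within the current code segment, worked through in C as an added example (not code from the manual). It assumes the standard encodings EB (8-bit displacement) and E9 (16-bit displacement) and the one-byte NOP opcode 90, none of which appear on this page; the function names and the sample segment image are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OP_JMP_SHORT 0xEB   /* JMP with 8-bit displacement  */
#define OP_JMP_NEAR  0xE9   /* JMP with 16-bit displacement */

/* Decode a direct intrasegment JMP at offset ip of a code segment image.
   Returns the instruction length (2 or 3) and stores the target offset,
   or returns 0 when the bytes at ip are not a complete direct JMP. */
static int decode_direct_jmp(const uint8_t *seg, size_t seg_len,
                             uint16_t ip, uint16_t *target)
{
    long disp;
    int len;

    if (ip >= seg_len)
        return 0;
    if (seg[ip] == OP_JMP_SHORT) {
        if ((size_t)ip + 2 > seg_len)
            return 0;                       /* displacement byte missing */
        disp = seg[ip + 1];
        if (disp >= 0x80)
            disp -= 0x100;                  /* sign-extend 8 bits to 16 */
        len = 2;
    } else if (seg[ip] == OP_JMP_NEAR) {
        if ((size_t)ip + 3 > seg_len)
            return 0;                       /* displacement word truncated */
        disp = seg[ip + 1] | (seg[ip + 2] << 8);
        len = 3;
    } else {
        return 0;
    }
    /* The displacement is added to the IP of the NEXT instruction, and the
       sum wraps at 64K because IP is a 16-bit register. */
    *target = (uint16_t)(ip + len + disp);
    return len;
}

/* Follow a chain of direct JMPs. Returns the offset of the first instruction
   that is not a direct JMP, or -1 if more than max_hops jumps are taken
   (the chain loops back on itself). */
static long resolve_jmp_chain(const uint8_t *seg, size_t seg_len,
                              uint16_t ip, unsigned max_hops)
{
    uint16_t next;
    unsigned hops = 0;

    while (decode_direct_jmp(seg, seg_len, ip, &next)) {
        if (++hops > max_hops)
            return -1;
        ip = next;
    }
    return ip;
}

/* Constructed 64K segment image used by the demo functions. */
static uint8_t image[65536];

static void build_image(void)
{
    memset(image, 0x90, sizeof image);                        /* NOP filler */
    image[0x0000] = 0xEB; image[0x0001] = 0x03;               /* -> 0005h */
    image[0x0005] = 0xE9; image[0x0006] = 0x02; image[0x0007] = 0x00; /* -> 000Ah */
    image[0x0008] = 0xEB; image[0x0009] = 0xFE;               /* jumps to itself */
    image[0xFFF8] = 0xEB; image[0xFFF9] = 0x10;               /* wraps to 000Ah */
}

static long demo_chain(void)     { build_image(); return resolve_jmp_chain(image, sizeof image, 0x0000, 16); }
static long demo_self_loop(void) { build_image(); return resolve_jmp_chain(image, sizeof image, 0x0008, 16); }
static long demo_wrap(void)
{
    uint16_t t = 0;
    build_image();
    return decode_direct_jmp(image, sizeof image, 0xFFF8, &t) ? (long)t : -1;
}
static int demo_truncated(void)
{
    uint16_t t = 0;
    const uint8_t cut[2] = {0xE9, 0x02};    /* E9 with half its displacement */
    return decode_direct_jmp(cut, sizeof cut, 0, &t);
}

int main(void)
{
    printf("chain from 0000h ends at %04lXh\n", (unsigned long)demo_chain());
    printf("self loop at 0008h -> %ld\n", demo_self_loop());
    printf("JMP at FFF8h targets %04lXh\n", (unsigned long)demo_wrap());
    printf("truncated E9 decodes to length %d\n", demo_truncated());
    return 0;
}
```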
The processor can also obtain the destination address within a current segment from a memory word operand specified in the instruction.

Example: JMP PTR_X. Transfers control to the target address formed by adding the 16-bit value contained in the memory word labeled PTR_X to the base address contained in CS.

A register can modify the address of the memory word pointer to select a destination address.

Example: JMP CASE_TABLE [BX]. CASE_TABLE is the first word in an array of word pointers. The value of BX determines which pointer the program selects from the array. The JMP instruction then transfers control to the location specified by the selected pointer.

Direct JMP outside of the current code segment. Direct JMP instructions that specify a target location outside the current code segment contain a full 32-bit pointer. This pointer consists of a selector for the new code segment and an offset within the new segment.

Example: JMP FAR_NEWCODE_FOO. Places the selector contained in the instruction into CS and the offset into IP. The program resumes execution at this location in the new code segment.

Indirect JMP outside of the current code segment. Indirect JMP instructions that specify a target location outside the current code segment use a double-word variable to specify the pointer.

Example: JMP NEWCODE. NEWCODE is the first word of two consecutive words in memory which represent the new pointer. NEWCODE contains the new offset for IP and the word following NEWCODE contains the selector for CS. The program resumes execution at this location in the new code segment. (Protected mode programs treat this differently. See Chapters 6 and 7.)

Direct JMP outside of the current code segment to a call gate. If the selector included with the instruction refers to a call gate, then the processor ignores the offset in the instruction and takes the pointer of the routine being entered from the call gate.
JMP outside of current code segment may only go to the same level.

Example: JMP CALL_GATE_FOO. The selector in the instruction refers to the call gate CALL_GATE_FOO, and the call gate actually provides the new contents of CS and IP to specify the address of the next instructions.

Indirect JMP outside the current code segment to a call gate. If the selector specified by the instruction refers to a call gate, the processor ignores the offset in the double-word and takes the address of the routine being entered from the call gate. The JMP instruction uses the same format to indirectly specify a task gate or a task state segment.

Example: JMP CASE_TABLE [BX]. The instruction refers to the double-word in the array of pointers called CASE_TABLE. The specific double-word chosen depends on the value in BX when the instruction executes. The selector portion of this double-word selects a call gate, and the processor takes the address of the routine being entered from the call gate.

3.6.1.2 CALL INSTRUCTION

CALL (Call Procedure) activates an out-of-line procedure, saving on the stack the address of the instruction following the CALL for later use by a RET (Return) instruction. An intrasegment CALL places the current value of IP on the stack. An intersegment CALL places both the value of IP and CS on the stack. The RET instruction in the called procedure uses this address to transfer control back to the calling program.

A long CALL instruction that invokes a task-switch stores the outgoing task's task state segment selector in the incoming task state segment's link field and sets the nested task flag in the new task. In this case, the IRET instruction takes the place of the RET instruction to return control to the nested task.

Examples:
CALL NEAR_NEWCODE
CALL SI
CALL PTR_X
CALL CASE_TABLE [BP]
CALL FAR_NEWCODE_FOO
CALL NEWCODE
CALL CALLGATE_FOO
CALL CASE_TABLE [BX]

See the previous treatment of JMP for a discussion of the operations of these instructions.

3.6.1.3 RETURN AND RETURN FROM INTERRUPT INSTRUCTION

RET (Return From Procedure) terminates the execution of a procedure and transfers control through a back-link on the stack to the program that originally invoked the procedure.

An intrasegment RET restores the value of IP that was saved on the stack by the previous intrasegment CALL instruction. An intersegment RET restores the values of both CS and IP which were saved on the stack by the previous intersegment CALL instruction.

RET instructions may optionally specify a constant to be added to the stack pointer. This constant specifies the new top of stack to effectively remove any arguments that the calling program pushed on the stack before the execution of the CALL instruction.

Example: RET. If the previous CALL instruction did not transfer control to a new code segment, RET restores the value of IP pushed by the CALL instruction. If the previous CALL instruction transferred control to a new segment, RET restores the values of both IP and CS which were pushed on the stack by the CALL instruction.

Example: RET n. This form of the RET instruction performs identically to the above example except that it adds n (which must be an even value) to the value of SP to eliminate n bytes of parameter information previously pushed by the calling program.

IRET (Return From Interrupt or Nested Task) returns control to an interrupted routine or, optionally, reverses the action of a CALL or INT instruction that caused a task switch. See Chapter 8 for further information on task switching.

Example: IRET. Returns from an interrupt with or without a task switch based on the value of the NT bit.
3.6.2 Conditional Transfer Instructions

The conditional transfer instructions are jumps that may or may not transfer control, depending on the state of the CPU flags when the instruction executes. Instruction encoding is most efficient when the target for the conditional jumps is in the current code segment and within -128 to +127 bytes of the first byte of the next instruction. Alternatively, the opposite sense of the conditional jump can skip around an unconditional jump to the destination.

3.6.2.1 CONDITIONAL JUMP INSTRUCTIONS

Table 3-3 shows the conditional transfer mnemonics and their interpretations. The conditional jumps that are listed as pairs are actually the same instruction. The assembler provides the alternate mnemonics for greater clarity within a program listing.

3.6.2.2 LOOP INSTRUCTIONS

The loop instructions are conditional jumps that use a value placed in CX to specify the number of repetitions of a software loop. All loop instructions automatically decrement CX and terminate the loop when CX=0. Four of the five loop instructions specify a condition of ZF that terminates the loop before CX decrements to zero.

LOOP (Loop While CX Not Zero) is a conditional transfer that auto-decrements the CX register before testing CX for the branch condition. If CX is non-zero, the program branches to the target label specified in the instruction. The LOOP instruction causes the repetition of a code section until the operation of the LOOP instruction decrements CX to a value of zero. If LOOP finds CX=0, control transfers to the instruction immediately following the LOOP instruction. If the value of CX is initially zero, then the LOOP executes 65,536 times.

Example: LOOP START_LOOP. Each time the program encounters this instruction, it decrements CX and then tests it. If the value of CX is non-zero, then the program branches to the instruction labeled START_LOOP.
If the value in CX is zero, then the program continues with the instruction that follows the LOOP instruction.

Table 3-3. Interpretation of Conditional Transfers

Unsigned Conditional Transfers

Mnemonic   Condition Tested         "Jump If ..."
JA/JNBE    (CF or ZF) = 0           above/not below nor equal
JAE/JNB    CF = 0                   above or equal/not below
JB/JNAE    CF = 1                   below/not above nor equal
JBE/JNA    (CF or ZF) = 1           below or equal/not above
JC         CF = 1                   carry
JE/JZ      ZF = 1                   equal/zero
JNC        CF = 0                   not carry
JNE/JNZ    ZF = 0                   not equal/not zero
JNP/JPO    PF = 0                   not parity/parity odd
JP/JPE     PF = 1                   parity/parity even

Signed Conditional Transfers

Mnemonic   Condition Tested         "Jump If ..."
JG/JNLE    ((SF xor OF) or ZF) = 0  greater/not less nor equal
JGE/JNL    (SF xor OF) = 0          greater or equal/not less
JL/JNGE    (SF xor OF) = 0          less/not greater nor equal
JLE/JNG    ((SF xor OF) or ZF) = 1  less or equal/not greater
JNO        OF = 0                   not overflow
JNS        SF = 0                   not sign (positive, including 0)
JO         OF = 1                   overflow
JS         SF = 1                   sign (negative)

LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are physically the same instruction. These instructions auto-decrement the CX register before testing CX and ZF for the branch conditions. If CX is non-zero and ZF=1, the program branches to the target label specified in the instruction. If LOOPE or LOOPZ finds that CX=0 or ZF=0, control transfers to the instruction immediately succeeding the LOOPE or LOOPZ instruction.

Example: LOOPE START_LOOP (or LOOPZ START_LOOP). Each time the program encounters this instruction, it decrements CX and tests CX and ZF. If the value in CX is non-zero and the value of ZF is 1, the program branches to the instruction labeled START_LOOP. If CX=0 or ZF=0, the program continues with the instruction that follows the LOOPE (or LOOPZ) instruction.

LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are physically the same instruction.
These instructions auto-decrement the CX register before testing CX and ZF for the branch conditions. If CX is non-zero and ZF=0, the program branches to the target label specified in the instruction. If LOOPNE or LOOPNZ finds that CX=0 or ZF=1, control transfers to the instruction immediately succeeding the LOOPNE or LOOPNZ instruction.

Example: LOOPNE START_LOOP (or LOOPNZ START_LOOP). Each time the program encounters this instruction, it decrements CX and tests CX and ZF. If the value of CX is non-zero and the value of ZF is 0, the program branches to the instruction labeled START_LOOP. If CX=0 or ZF=1, the program continues with the instruction that follows the LOOPNE (or LOOPNZ) instruction.

3.6.2.3 EXECUTING A LOOP OR REPEAT ZERO TIMES

JCXZ (Jump if CX Zero) branches to the label specified in the instruction if it finds a value of zero in CX. Sometimes, it is desirable to design a loop that executes zero times if the count variable in CX is initialized to zero. Because the LOOP instructions (and repeat prefixes) decrement CX before they test it, a loop will execute 65,536 times if the program enters the loop with a zero value in CX. A programmer may conveniently overcome this problem with JCXZ, which enables the program to branch around the code within the loop if CX is zero when JCXZ executes.

Example: JCXZ TARGETLABEL. Causes the program to branch to the instruction labeled TARGETLABEL if CX=0 when the instruction executes.

3.6.3 Software-Generated Interrupts

The INT n and INTO instructions allow the programmer to specify a transfer to an interrupt service routine from within a program. Interrupts 0-31 are reserved by Intel.

3.6.3.1 SOFTWARE INTERRUPT INSTRUCTION

INT n (Software Interrupt) activates the interrupt service routine that corresponds to the number coded within the instruction. Interrupt type 3 is reserved for internal software-generated interrupts.
However, the INT instruction may specify any interrupt type to allow multiple types of internal interrupts or to test the operation of a service routine. The interrupt service routine terminates with an IRET instruction that returns control to the instruction that follows INT.

Example: INT 3. Transfers control to the interrupt service routine specified by a type 3 interrupt.

Example: INT 0. Transfers control to the interrupt service routine specified by a type 0 interrupt, which is reserved for a divide error.

INTO (Interrupt on Overflow) invokes a type 4 interrupt if OF is set when the INTO instruction executes. The type 4 interrupt is reserved for this purpose.

Example: INTO. If the result of a previous operation has set OF and no intervening operation has reset OF, then INTO invokes a type 4 interrupt. The interrupt service routine terminates with an IRET instruction, which returns control to the instruction following INTO.

3.7 CHARACTER TRANSLATION AND STRING INSTRUCTIONS

The instructions in this category operate on characters or string elements rather than on logical or numeric values.

3.7.1 Translate Instruction

XLAT (Translate) replaces a byte in the AL register with a byte from a user-coded translation table. When XLAT is executed, AL should have the unsigned index to the table addressed by BX. XLAT changes the contents of AL from table index to table entry. BX is unchanged. The XLAT instruction is useful for translating from one coding system to another, such as from ASCII to EBCDIC. The translate table may be up to 256 bytes long. The value placed in the AL register serves as an index to the location of the corresponding translation value. Used with a LOOP instruction, the XLAT instruction can translate a block of codes up to 64K bytes long.

Example: XLAT. Replaces the byte in AL with the byte from the translate table that is selected by the value in AL.
3.7.2 String Manipulation Instructions and Repeat Prefixes

The string instructions (also called primitives) operate on string elements to move, compare, and scan byte or word strings. One-byte repeat prefixes can cause the operation of a string primitive to be repeated to process strings as long as 64K bytes.

The repeated string primitives use the direction flag, DF, to specify left-to-right or right-to-left string processing, and use a count in CX to limit the processing operation. These instructions use the register pair DS:SI to point to the source string element and the register pair ES:DI to point to the destination.

One of two possible opcodes represent each string primitive, depending on whether it is operating on byte strings or word strings. The string primitives are generic and require one or more operands along with the primitive to determine the size of the string elements being processed. These operands do not determine the addresses of the strings; the addresses must already be present in the appropriate registers.

Each repetition of a string operation using the Repeat prefixes includes the following steps:

1. Acknowledge pending interrupts.
2. Check CX for zero and stop repeating if CX is zero.
3. Perform the string operation once.
4. Adjust the memory pointers in DS:SI and ES:DI by incrementing SI and DI if DF is 0 or by decrementing SI and DI if DF is 1.
5. Decrement CX (this step does not affect the flags).
6. For SCAS (Scan String) and CMPS (Compare String), check ZF for a match with the repeat condition and stop repeating if the ZF fails to match.

The Load String and Store String instructions allow a program to perform arithmetic or logical operations on string characters (using AX for word strings and AL for byte strings). Repeated operations that include instructions other than string primitives must use the loop instructions rather than a repeat prefix.
3.7.2.1 STRING MOVEMENT INSTRUCTIONS

REP (Repeat While CX Not Zero) specifies a repeated operation of a string primitive. The REP prefix causes the hardware to automatically repeat the associated string primitive until CX=0. This form of iteration allows the CPU to process strings much faster than would be possible with a regular software loop.

When the REP prefix accompanies a MOVS instruction, it operates as a memory-to-memory block transfer. To set up for this operation, the program must initialize CX and the register pairs DS:SI and ES:DI. CX specifies the number of bytes or words in the block.

If DF=0, the program must point DS:SI to the first element of the source string and point ES:DI to the destination address for the first element. If DF=1, the program must point these two register pairs to the last element of the source string and to the destination address for the last element, respectively.

Example: REP MOVSW. The processor checks the value in CX for zero. If this value is not zero, the processor moves a word from the location pointed to by DS:SI to the location pointed to by ES:DI and increments SI and DI by two (if DF=0). Next, the processor decrements CX by one and returns to the beginning of the repeat cycle to check CX again. After CX decrements to zero, the processor executes the instruction that follows.

MOVS (Move String) moves the string character pointed to by the combination of DS and SI to the location pointed to by the combination of ES and DI. This is the only memory-to-memory transfer supported by the instruction set of the base architecture. MOVSB operates on byte elements. The destination segment register cannot be overridden by a segment override prefix while the source segment register can be overridden.

Example: MOVSW. Moves the contents of the memory byte pointed to by DS:SI to the location pointed to by ES:DI.
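The repeat cycle in steps 2 through 6 of section 3.7.2 and the LOOP/JCXZ behaviour of section 3.6.2.3, modelled in C as an added example (not code from the manual). The struct, function names and sample buffers are constructed for illustration, and the overlapping-move case goes slightly beyond the text to show why the DF=1 pointer setup matters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rep_kind  { REP, REPE, REPNE };       /* REP, REPE/REPZ, REPNE/REPNZ */
enum primitive { MOVSB, SCASB, CMPSB };

struct regs {
    uint16_t cx, si, di;                   /* count and offsets wrap modulo 64K */
    uint8_t  al;
    int      df, zf;
    uint8_t *ds, *es;                      /* base of a 64K source/destination segment */
};

/* One repeated string instruction. Step 1 (acknowledging interrupts) is not
   modelled. Returns how many times the primitive executed. */
uint32_t rep_string(struct regs *r, enum rep_kind rep, enum primitive p)
{
    uint32_t executed = 0;
    uint16_t step = r->df ? 0xFFFF : 1;    /* -1 or +1 modulo 64K */

    while (r->cx != 0) {                   /* step 2: CX is checked first */
        switch (p) {                       /* step 3: perform the operation once */
        case MOVSB: r->es[r->di] = r->ds[r->si]; break;
        case SCASB: r->zf = (r->al == r->es[r->di]); break;
        case CMPSB: r->zf = (r->ds[r->si] == r->es[r->di]); break;
        }
        executed++;
        if (p != SCASB) r->si += step;     /* step 4: adjust pointers by DF */
        r->di += step;
        r->cx--;                           /* step 5: decrement CX */
        if (p != MOVSB) {                  /* step 6: SCAS/CMPS test ZF */
            if (rep == REPE && !r->zf) break;
            if (rep == REPNE && r->zf) break;
        }
    }
    return executed;
}

/* A software loop closed by LOOP: the body runs, then LOOP decrements CX and
   branches while CX != 0. With jcxz_guard, a JCXZ in front skips the loop. */
uint32_t loop_body_runs(uint16_t cx, int jcxz_guard)
{
    uint32_t runs = 0;
    if (jcxz_guard && cx == 0) return 0;
    do { runs++; cx--; } while (cx != 0);
    return runs;
}

static uint8_t seg[65536];                 /* constructed segment used as DS and ES */

/* REPNE SCASB over a string placed at offset 10H. Returns the offset of the
   match, or -1. With count 0 nothing executes and ZF keeps its old value,
   so a caller must not trust ZF without checking the count. */
int32_t find_byte(const char *s, uint16_t count, uint8_t needle)
{
    memset(seg, 0, sizeof seg);
    memcpy(seg + 0x10, s, strlen(s));
    struct regs r = { .cx = count, .di = 0x10, .al = needle, .ds = seg, .es = seg };
    rep_string(&r, REPNE, SCASB);
    return r.zf ? (int32_t)(uint16_t)(r.di - 1) : -1;   /* DI is one past the match */
}

/* REP MOVSB of 4 bytes from offset 0 to offset 2 inside "ABCDEF" (the two
   regions overlap). DF=1 starts at the last element, as the text requires. */
const char *overlap_move(int df)
{
    static char out[7];
    memcpy(seg, "ABCDEF", 6);
    struct regs r = { .cx = 4, .df = df, .ds = seg, .es = seg };
    r.si = df ? 3 : 0;
    r.di = df ? 5 : 2;
    rep_string(&r, REP, MOVSB);
    memcpy(out, seg, 6);
    out[6] = '\0';
    return out;
}

int main(void)
{
    printf("LOOP entered with CX=0: %u body runs\n", (unsigned)loop_body_runs(0, 0));
    printf("same loop behind JCXZ:  %u body runs\n", (unsigned)loop_body_runs(0, 1));
    printf("REPNE SCASB for ':' at offset %d\n", (int)find_byte("HEADER:payload", 14, ':'));
    printf("overlap, DF=0: %s\n", overlap_move(0));
    printf("overlap, DF=1: %s\n", overlap_move(1));
    return 0;
}
```

A count of zero is the case to watch when the count comes from untrusted input: the LOOP form walks the whole 64K segment unless JCXZ guards it, while the repeat cycle as listed stops at step 2.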
3.7.2.2 OTHER STRING OPERATIONS

CMPS (Compare Strings) subtracts the destination string element (ES:DI) from the source string element (DS:SI) and updates the flags AF, SF, PF, CF and OF. If the string elements are equal, ZF=1; otherwise, ZF=0. If DF=0, the processor increments the memory pointers (SI and DI) for the two strings. The segment register used for the source address can be changed with a segment override prefix, while the destination segment register cannot be overridden.

Example: CMPSB. Compares the source and destination string elements with each other and returns the result of the comparison to ZF.

SCAS (Scan String) subtracts the destination string element at ES:DI from AX or AL and updates the flags AF, SF, ZF, PF, CF and OF. If the values are equal, ZF=1; otherwise, ZF=0. If DF=0, the processor increments the memory pointer (DI) for the string. The segment register used for the source address can be changed with a segment override prefix while the destination segment register cannot be overridden.

Example: SCASW. Compares the value in AX with the destination string element.

REPE/REPZ (Repeat While CX Equal/Zero) and REPNE/REPNZ (Repeat While CX Not Equal/Not Zero) are the prefixes that are used exclusively with the SCAS (Scan String) and CMPS (Compare String) primitives. The difference between these two types of prefix bytes is that REPE/REPZ terminates when ZF=0 and REPNE/REPNZ terminates when ZF=1. ZF does not require initialization before execution of a repeated string instruction.

When these prefixes modify either the SCAS or CMPS primitives, the processor compares the value of the current string element with the value in AX for word elements or with the value in AL for byte elements. The resulting state of ZF can then limit the operation of the repeated operation as well as a zero value in CX.

Example: REPE SCASB.
Causes the processor to scan the string pointed to by ES:DI until it encounters a match with the byte value in AL or until CX decrements to zero.

LODS (Load String) places the source string element at DS:SI into AX for word strings or into AL for byte strings.

Example: LODSW. Loads AX with the value pointed to by DS:SI.

3.8 ADDRESS MANIPULATION INSTRUCTIONS

The set of address manipulation instructions provide a way to perform address calculations or to move to a new data segment or extra segment.

LEA (Load Effective Address) transfers the offset of the source operand (rather than its value) to the destination operand. The source operand must be a memory operand, and the destination operand must be a 16-bit general register (AX, DX, BX, CX, BP, SP, SI, or DI). LEA does not affect any flags. This instruction is useful for initializing the registers before the execution of the string primitives or the XLAT instruction.

Example: LEA BX, EBCDIC_TABLE. Causes the processor to place the address of the starting location of the table labeled EBCDIC_TABLE into BX.

LDS (Load Pointer Using DS) transfers a 32-bit pointer variable from the source operand to DS and the destination register. The source operand must be a memory operand, and the destination operand must be a 16-bit general register (AX, DX, BX, CX, BP, SP, SI or DI). DS receives the high-order segment word of the pointer. The destination register receives the low-order word, which points to a specific location within the segment.

Example: LDS SI, STRING_X. Loads DS with the word identifying the segment pointed to by STRING_X, and loads the offset of STRING_X into SI. Specifying SI as the destination operand is a convenient way to prepare for a string operation on a source string that is not in the current data segment.

LES (Load Pointer Using ES) operates identically to LDS except that ES receives the offset word rather than DS.

Example: LES DI, DESTINATION_X.
Loads ES with the word identifying the segment pointed to by DESTINATION_X, and loads the offset of DESTINATION_X into DI. This instruction provides a convenient way to select a destination for a string operation if the desired location is not in the current extra segment.

3.9 FLAG CONTROL INSTRUCTIONS

The flag control instructions provide a method of changing the state of bits in the flag register.

3.9.1 Carry Flag Control Instructions

The carry flag instructions are useful in conjunction with rotate-with-carry instructions RCL and RCR. They can initialize the carry flag, CF, to a known state before execution of a rotate that moves the carry bit into one end of the rotated operand.

STC (Set Carry Flag) sets the carry flag (CF) to 1.

Example: STC

CLC (Clear Carry Flag) zeros the carry flag (CF).

Example: CLC

CMC (Complement Carry Flag) reverses the current status of the carry flag (CF).

Example: CMC

3.9.2 Direction Flag Control Instructions

The direction flag control instructions are specifically included to set or clear the direction flag, DF, which controls the left-to-right or right-to-left direction of string processing. If DF=0, the processor automatically increments the string memory pointers, SI and DI, after each execution of a string primitive. If DF=1, the processor decrements these pointer values. The initial state of DF is 0.

CLD (Clear Direction Flag) zeros DF, causing the string instructions to auto-increment SI and/or DI. CLD does not affect any other flags.

Example: CLD

STD (Set Direction Flag) sets DF to 1, causing the string instructions to auto-decrement SI and/or DI. STD does not affect any other flags.

Example: STD

3.9.3 Flag Transfer Instructions

Though specific instructions exist to alter CF and DF, there is no direct method of altering the other flags.
The flag transfer instructions allow a program to alter the other flag bits with the bit manipulation instructions after transferring these flags to the stack or the AH register. The PUSHF and POPF instructions are also useful for preserving the state of the flag register before executing a procedure.

LAHF (Load AH from Flags) copies SF, ZF, AF, PF, and CF to AH bits 7, 6, 4, 2, and 0, respectively (see figure 3-13). The contents of the remaining bits (5, 3, and 1) are undefined. The flags remain unaffected. This instruction can assist in converting 8080/8085 assembly language programs to run on the base architecture of the 8086, 8088, 80186, 80188, and 80286.

Example: LAHF

SAHF (Store AH into Flags) transfers bits 7, 6, 4, 2, and 0 from AH into SF, ZF, AF, PF, and CF, respectively (see figure 3-13). This instruction also provides 8080/8085 compatibility with the 8086, 8088, 80186, 80188, and 80286.

Example: SAHF

PUSHF (Push Flags) decrements SP by two and then transfers all flags to the word at the top of stack pointed to by SP (see figure 3-14). The flags remain unaffected. This instruction enables a procedure to save the state of the flag register for later use.

Example: PUSHF

POPF (Pop Flags) transfers specific bits from the word at the top of stack into the low-order byte of the flag register (see figure 3-14). The processor then increments SP by two. Note that an application program in the protected virtual address mode may not alter IOPL (the I/O privilege level flag) unless the program is executing at privilege level 0. A program may alter IF (the interrupt flag) only when executing at a level that is at least as privileged as IOPL. Procedures may use this instruction to restore the flag status from a previous value.

Example: POPF

Figure 3-13. LAHF and SAHF (register AH, bits 7 through 0). LAHF loads five flags from the flag register into register AH. SAHF stores these same five flags from AH into the flag register. The bit position of each flag is the same in AH as it is in the flag register. The remaining bits are indeterminate.

Figure 3-14. PUSHF and POPF (stack word, bits 15 through 0). PUSHF decrements SP by 2 bytes (1 word) and copies the contents of the flag register to the top of stack. POPF loads the flag register with the contents of the last word pushed onto the stack. The bit position of each flag is the same in the stack word as it is in the flag register. Only programs executing at the highest privilege level (level 0) may alter the 2-bit IOPL flag. Only programs executing at a level at least as privileged as that indicated by IOPL may alter IF.

3.10 BINARY-CODED DECIMAL ARITHMETIC INSTRUCTIONS

These instructions adjust the results of a previous arithmetic operation to produce a valid packed or unpacked decimal result. These instructions operate only on AL or AH registers.

3.10.1 Packed BCD Adjustment Instructions

DAA (Decimal Adjust) corrects the result of adding two valid packed decimal operands in AL. DAA must always follow the addition of two pairs of packed decimal numbers (one digit in each nibble) to obtain a pair of valid packed decimal digits as results. The carry flag will be set if carry was needed.

Example: DAA

DAS (Decimal Adjust for Subtraction) corrects the result of subtracting two valid packed decimal operands in AL. DAS must always follow the subtraction of one pair of packed decimal numbers (one digit in each nibble) from another to obtain a pair of valid packed decimal digits as results. The carry flag will be set if a borrow was needed.

Example: DAS

3.10.2 Unpacked BCD Adjustment Instructions

AAA (ASCII Adjust for Addition) changes the contents of register AL to a valid unpacked decimal number, and zeros the top 4 bits. AAA must always follow the addition of two unpacked decimal operands in AL. The carry flag will be set and AH will be incremented if a carry was necessary.
Example: AAA

AAS (ASCII Adjust for Subtraction) changes the contents of register AL to a valid unpacked decimal number, and zeros the top 4 bits. AAS must always follow the subtraction of one unpacked decimal operand from another in AL. The carry flag will be set and AH decremented if a borrow was necessary.

Example: AAS

AAM (ASCII Adjust for Multiplication) corrects the result of a multiplication of two valid unpacked decimal numbers. AAM must always follow the multiplication of two decimal numbers to produce a valid decimal result. The high order digit will be left in AH, the low order digit in AL.

Example: AAM

AAD (ASCII Adjust for Division) modifies the numerator in AH and AL to prepare for the division of two valid unpacked decimal operands so that the quotient produced by the division will be a valid unpacked decimal number. AH should contain the high-order digit and AL the low-order digit. This instruction will adjust the value and leave it in AL. AH will contain 0.

Example: AAD

3.11 TRUSTED INSTRUCTIONS

When operating in Protected Mode (Chapter 6 and following), the 80286 processor restricts the execution of trusted instructions according to the Current Privilege Level (CPL) and the current value of IOPL, the 2-bit I/O privilege flag. Only a program operating at the highest privilege level (level 0) may alter the value of IOPL. A program may execute trusted instructions only when executing at a level that is at least as privileged as that specified by IOPL.

Trusted instructions control I/O operations, interprocessor communications in a multiprocessor system, interrupt enabling, and the HLT instruction.

These protection considerations do not apply in the real address mode.

3.11.1 Trusted and Privileged Restrictions on POPF and IRET

POPF (POP Flags) and IRET (Interrupt Return) are not affected by IOPL unless they attempt to alter IF (flag register bit 9).
To change IF, POPF must be part of a program that is executing at a privilege level greater than or equal to that specified by IOPL. Any attempt to change IF when CPL ≥ 0 will be ignored (i.e., the IF flag will be ignored). To change the IOPL field, CPL must be zero.

3.11.2 Machine State Instructions

These trusted instructions affect the machine state control interrupt response, the processor halt state, and the bus LOCK signal that regulates memory access in multiprocessor systems.

CLI (Clear Interrupt-Enable Flag) and STI (Set Interrupt-Enable Flag) alter bit 9 in the flag register. When IF=0, the processor responds only to internal interrupts and to non-maskable external interrupts. When IF=1, the processor responds to all interrupts. An interrupt service routine might use these instructions to avoid further interruption while it processes a previous interrupt request. As with the other flag bits, the processor clears IF during initialization. These instructions may be executed only if CPL ≤ IOPL. A protection exception will occur if they are executed when CPL > IOPL.

Example: STI. Sets IF=1, which enables the processing of maskable external interrupts.

Example: CLI. Sets IF=0 to disable maskable interrupt processing.

HLT (Halt) causes the processor to suspend processing operations pending an interrupt or a system reset. This trusted instruction provides an alternative to an endless software loop in situations where a program must wait for an interrupt. The return address saved after the interrupt will point to the instruction immediately following HLT. This instruction may be executed only when CPL = 0.

Example: HLT

LOCK (Assert Bus Lock) is a 1-byte prefix code that causes the processor to assert the bus LOCK signal during execution of the instruction that follows. LOCK does not affect any flags. LOCK may be used only when CPL ≤ IOPL. A protection exception will occur if LOCK is used when CPL > IOPL.
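The privilege checks of sections 3.11.1 and 3.11.2 as a small C model, added here as an example and not taken from the manual. It models Protected Mode only, applies CPL ≤ IOPL for changing IF and CPL = 0 for changing IOPL and for HLT, treats every other flag bit as freely writable (a simplification), and all names in it are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define FLAG_IF    0x0200u   /* interrupt-enable flag, flag register bit 9 */
#define FLAG_IOPL  0x3000u   /* 2-bit I/O privilege level, bits 12-13 */

enum trusted { T_CLI, T_STI, T_LOCK, T_IN, T_OUT, T_INS, T_OUTS, T_HLT };

static unsigned iopl_of(uint16_t flags)
{
    return (flags & FLAG_IOPL) >> 12;
}

/* Returns 1 if the instruction executes, 0 if it raises a protection
   exception. HLT needs CPL = 0; the others need CPL <= IOPL. */
int trusted_allowed(enum trusted ins, unsigned cpl, uint16_t flags)
{
    if (ins == T_HLT)
        return cpl == 0;
    return cpl <= iopl_of(flags);
}

/* POPF never faults over IF or IOPL. Bits the caller may not change are
   silently kept from the current flag register. */
uint16_t popf(uint16_t flags, uint16_t popped, unsigned cpl)
{
    uint16_t keep = 0;
    if (cpl != 0)
        keep |= FLAG_IOPL;             /* only level 0 may alter IOPL */
    if (cpl > iopl_of(flags))
        keep |= FLAG_IF;               /* IF needs CPL <= IOPL */
    return (uint16_t)((flags & keep) | (popped & ~keep));
}

struct outcome {
    int      faulted;                  /* 1 = protection exception raised */
    uint16_t flags;                    /* flag register afterwards */
};

/* Two ways a task may try to clear IF: CLI, or PUSHF / clear bit 9 / POPF.
   The first is refused loudly, the second quietly. */
struct outcome disable_interrupts(unsigned cpl, uint16_t flags, int via_popf)
{
    struct outcome o = { 0, flags };
    if (via_popf)
        o.flags = popf(flags, (uint16_t)(flags & ~FLAG_IF), cpl);
    else if (trusted_allowed(T_CLI, cpl, flags))
        o.flags = (uint16_t)(flags & ~FLAG_IF);
    else
        o.faulted = 1;
    return o;
}

int main(void)
{
    /* Constructed state: CPL 3 task, IOPL 0, interrupts enabled. */
    struct outcome cli   = disable_interrupts(3, 0x0200, 0);
    struct outcome popf_ = disable_interrupts(3, 0x0200, 1);
    printf("CLI : faulted=%d flags=%04X\n", cli.faulted, (unsigned)cli.flags);
    printf("POPF: faulted=%d flags=%04X\n", popf_.faulted, (unsigned)popf_.flags);
    return 0;
}
```

Because the POPF path produces no exception, system software cannot count on a fault to learn that a less-privileged task tried to change IF.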
3.11.3 Input and Output Instructions

These trusted instructions provide access to the processor's I/O ports to transfer data to and from peripheral devices. In Protected Mode, these instructions may be executed only when CPL ≤ IOPL.

IN (Input from Port) transfers a byte or a word from an input port to AL or AX. If a program specifies AL with the IN instruction, the processor transfers 8 bits from the selected port to AL. Alternately, if a program specifies AX with the IN instruction, the processor transfers 16 bits from the port to AX.

The program can specify the number of the port in two ways. Using an immediate byte constant, the program can specify 256 8-bit ports numbered 0 through 255 or 128 16-bit ports numbered 0, 2, 4, ..., 252, 254. Using the current value contained in DX, the program can specify 8-bit ports numbered 0 through 65,535, or 16-bit ports using even-numbered ports in the same range.

Example: IN AL, BYTE_PORT_NUMBER. Transfers 8 bits to AL from the port identified by the immediate constant BYTE_PORT_NUMBER.

OUT (Output to Port) transfers a byte or a word to an output port from AL or AX. The program can specify the number of the port using the same methods of the IN instruction.

Example: OUT AX, DX. Transfers 16 bits from AX to the port identified by the 16-bit number contained in DX.

INS and OUTS (Input String and Output String) cause block input or output operations using a Repeat prefix. See Chapter 4 for more information on INS and OUTS.

3.12 PROCESSOR EXTENSION INSTRUCTIONS

Processor Extension provides an extension to the instruction set of the base architecture (e.g., 80287). The NPX extends the instruction set of the CPU-based architecture to support high-precision integer and floating-point calculations. This extended instruction set includes arithmetic, comparison, transcendental, and data transfer instructions. The NPX also contains a set of useful constants to enhance the speed of numeric calculations.
A program contains instructions for the NPX in line with the instructions for the CPU. The system executes these instructions in the same order as they appear in the instruction stream. The NPX operates concurrently with the CPU to provide maximum throughput for numeric calculations.

The software emulation of the NPX is transparent to application software but requires more time for execution.

3.12.1 Processor Extension Synchronization Instructions

Escape and wait instructions allow a processor extension such as the 80287 NPX to obtain instructions and data from the system bus and to wait for the NPX to return a result.

ESC (Escape) identifies floating point numeric instructions and allows the 80286 to send the opcode to the NPX or to transfer a memory operand to the NPX. The 80287 NPX uses the Escape instructions to perform high-performance, high-precision floating point arithmetic that conforms to the IEEE floating point standard 754.

Example: ESC 6, ARRAY [SI]. The CPU sends the escape opcode 6 and the location of the array pointed to by SI to the NPX.

WAIT (Wait) suspends program execution until the 80286 CPU detects a signal on the BUSY pin. In a configuration that includes a numeric processor extension, the NPX activates the BUSY pin to signal that it has completed its processing task and that the CPU may obtain the results.

Example: WAIT

3.12.2 Numeric Data Processor Instructions

This section describes the categories of instructions available with Numeric Data Processor systems that include a Numeric Processor Extension or a software emulation of this processor extension.

3.12.2.1 ARITHMETIC INSTRUCTIONS

The extended instruction set includes not only the four arithmetic operations (add, subtract, multiply, and divide), but also subtract-reversed and divide-reversed instructions. The arithmetic functions include square root, modulus, absolute value, integer part, change sign, scale exponent, and extract exponent instructions.
3.12.2.2 COMPARISON INSTRUCTIONS

The comparison operations are the compare, examine, and test instructions. Special forms of the compare instruction can optimize algorithms by allowing comparisons of binary integers with real numbers in memory.

3.12.2.3 TRANSCENDENTAL INSTRUCTIONS

The instructions in this group perform the otherwise time-consuming calculations for all common trigonometric, inverse trigonometric, hyperbolic, inverse hyperbolic, logarithmic, and exponential functions. The transcendental instructions include tangent, arctangent, 2^X - 1, Y · log2 X, and Y · log2 (X+1).

3.12.2.4 DATA TRANSFER INSTRUCTIONS

The data transfer instructions move operands among the registers and between a register and memory. This group includes the load, store, and exchange instructions.

3.12.2.5 CONSTANT INSTRUCTIONS

Each of the constant instructions loads a commonly used constant into an NPX register. The values have a real precision of 64 bits and are accurate to approximately 19 decimal places. The constants loaded by these instructions include 0, 1, Pi, log2 10, log2 e, log10 2, and loge 2.

CHAPTER 4 EXTENDED INSTRUCTION SET

The instructions described in this chapter extend the capabilities of the base architecture instruction set described in Chapter 3. These extensions consist of new instructions and variations of some instructions that are not strictly part of the base architecture (in other words, not included on the 8086 and 8088). These instructions are also available on the 80186 and 80188. The instruction variations, described in Chapter 3, include the immediate forms of the PUSH and MUL instructions, PUSHA, POPA, and the privilege level restrictions on POPF.

New instructions described in this chapter include the string input and output instructions (INS and OUTS), the ENTER procedure and LEAVE procedure instructions, and the check index BOUND instruction.
4.1 BLOCK I/O INSTRUCTIONS

REP, the Repeat prefix, modifies INS and OUTS (the string I/O instructions) to provide a means of transferring blocks of data between an I/O port and memory. These block I/O instructions are string primitives. They simplify programming and increase the speed of data transfer by eliminating the need to use a separate LOOP instruction or an intermediate register to hold the data.

INS and OUTS are trusted instructions. To use trusted instructions, a program must execute at a privilege level at least as privileged as that specified by the 2-bit IOPL flag (CPL ≤ IOPL). Any attempt by a less-privileged program to use a trusted instruction results in a protection exception. See Chapter 7 for information on protection concepts.

One of two possible opcodes represents each string primitive depending on whether it operates on byte strings or word strings. After each transfer, the memory address in SI or DI is updated by 1 for byte values and by 2 for word values. The value in the DF field determines if SI or DI is to be auto incremented (DF=0) or auto decremented (DF=1).

INS and OUTS use DX to specify I/O ports numbered 0 through 65,535 or 16-bit ports using only even port addresses in the same range.

INS (Input String from Port) transfers a byte or a word string element from an input port to memory. If a program specifies INSB, the processor transfers 8 bits from the selected port to the memory location indicated by ES:DI. Alternately, if a program specifies INSW, the processor transfers 16 bits from the port to the memory location indicated by ES:DI. The destination segment register choice (ES) cannot be changed for the INS instruction.

Combined with the REP prefix, INS moves a block of information from an input port to a series of consecutive memory locations.

Example: REP INSB. The processor repeatedly transfers 8 bits to the memory location indicated by ES:DI from the port selected by the 16-bit port number contained in DX.
Following each byte transfer, the CPU decrements CX. The instruction terminates the block transfer when CX=0. After decrementing CX, the processor increments DI by one if DF=0. It decrements DI by one if DF=1.

OUTS (Output String to Port) transfers a byte or a word string element to an output port from memory. Combined with the REP prefix, OUTS moves a block of information from a series of consecutive memory locations indicated by DS:SI to an output port.

Example: REP OUTS WSTRING. Assuming that the program declares WSTRING to be a word-length string element, the assembler uses the 16-bit form of the OUTS instruction to create the object code for the program. The processor repeatedly transfers words from the memory locations indicated by DI to the output port selected by the 16-bit port number in DX. Following each word transfer, the CPU decrements CX. The instruction terminates the block transfer when CX=0. After decrementing CX, the processor increments SI by two to point to the next word in memory if DF=0; it decrements SI by two if DF=1.

4.2 HIGH-LEVEL INSTRUCTIONS

The instructions in this section provide machine-language functions normally found only in high-level languages. These instructions include ENTER and LEAVE, which simplify the programming of procedures, and BOUND, which provides a simple method of testing an index against its predefined range.

ENTER (Enter Procedure) creates the stack frame required by most block-structured high-level languages. A LEAVE instruction at the end of a procedure complements an ENTER at the beginning of the procedure to simplify stack management and to control access to variables for nested procedures.

Example: ENTER 2048,3. Allocates 2048 bytes of dynamic storage on the stack and sets up pointers to two previous stack frames in the stack frame that ENTER creates for this procedure.

The ENTER instruction includes two parameters.
The first parameter specifies the number of bytes of dynamic storage to be allocated on the stack for the routine being entered. The second parameter corresponds to the lexical nesting level (0-31) of the routine. (Note that the lexical level has no relationship to either the protection privilege levels or to the I/O privilege level.)

The specified lexical level determines how many sets of stack frame pointers the CPU copies into the new stack frame from the preceding frame. This list of stack frame pointers is sometimes called the "display." The first word of the display is a pointer to the last stack frame. This pointer enables a LEAVE instruction to reverse the action of the previous ENTER instruction by effectively discarding the last stack frame.

After ENTER creates the new display for a procedure, it allocates the dynamic storage space for that procedure by decrementing SP by the number of bytes specified in the first parameter. This new value of SP serves as a base for all PUSH and POP operations within that procedure.

To enable a procedure to address its display, ENTER leaves BP pointing to the beginning of the new stack frame. Data manipulation instructions that specify BP as a base register implicitly address locations within the stack segment instead of the data segment.

Two forms of the ENTER instruction exist: nested and non-nested. If the lexical level is 0, the non-nested form is used. Since the second operand is 0, ENTER pushes BP, copies SP to BP and then subtracts the first operand from SP. The nested form of ENTER occurs when the second parameter (lexical level) is not 0. Figure 4-1 gives the formal definition of ENTER.

The formal definition of the ENTER instruction for all cases is given by the following listing. LEVEL denotes the value of the second operand.
    Push BP
    Set a temporary value FRAME_PTR := SP
    If LEVEL > 0 then
        Repeat (LEVEL - 1) times:
            BP := BP - 2
            Push the word pointed to by BP
        End repeat
        Push FRAME_PTR
    End if
    BP := FRAME_PTR
    SP := SP - first operand

Figure 4-1. Formal Definition of the ENTER Instruction

The main procedure (with other procedures nested within) operates at the highest lexical level, level 1. The first procedure it calls operates at the next deeper lexical level, level 2. A level 2 procedure can access the variables of the main program which are at fixed locations specified by the compiler. In the case of level 1, ENTER allocates only the requested dynamic storage on the stack because there is no previous display to copy.

A program operating at a higher lexical level calling a program at a lower lexical level requires that the called procedure should have access to the variables of the calling program. ENTER provides this access through a display that provides addressability to the calling program's stack frame.

A procedure calling another procedure at the same lexical level implies that they are parallel procedures and that the called procedure should not have access to the variables of the calling procedure. In this case, ENTER copies only that portion of the display from the calling procedure which refers to previously nested procedures operating at higher lexical levels. The new stack frame does not include the pointer for addressing the calling procedure's stack frame.

ENTER treats a reentrant procedure as a procedure calling another procedure at the same lexical level. In this case, each succeeding iteration of the reentrant procedure can address only its own variables and the variables of the calling procedures at higher lexical levels. A reentrant procedure can always address its own variables; it does not require pointers to the stack frames of previous iterations.
By copying only the stack frame pointers of procedures at higher lexical levels, ENTER makes sure that procedures access only those variables of higher lexical levels, not those at parallel lexical levels (see figure 4-2). Figures 4-2a through 4-2d demonstrate the actions of the ENTER instruction if the modules shown in figure 4-1 were to call one another in alphabetic order.

Block-structured high-level languages can use the lexical levels defined by ENTER to control access to the variables of previously nested procedures. For example, if PROCEDURE A calls PROCEDURE B which, in turn, calls PROCEDURE C, then PROCEDURE C will have access to the variables of MAIN and PROCEDURE A, but not PROCEDURE B because they operate at the same lexical level. Following is the complete definition of the variable access for figure 4-2.

1. MAIN PROGRAM has variables at fixed locations.
2. PROCEDURE A can access only the fixed variables of MAIN.
3. PROCEDURE B can access only the variables of PROCEDURE A and MAIN. PROCEDURE B cannot access the variables of PROCEDURE C or PROCEDURE D.
4. PROCEDURE C can access only the variables of PROCEDURE A and MAIN. PROCEDURE C cannot access the variables of PROCEDURE B or PROCEDURE D.
5. PROCEDURE D can access the variables of PROCEDURE C, PROCEDURE A, and MAIN. PROCEDURE D cannot access the variables of PROCEDURE B.

Figure 4-2. Variable Access in Nested Procedures (MAIN PROGRAM at lexical level 1, PROCEDURE A at lexical level 2, PROCEDURE B at lexical level 3, PROCEDURE C at lexical level 3, PROCEDURE D at lexical level 4)

Figure 4-2a. Stack Frame for MAIN at Level 1 (BPM = BP value for MAIN)

ENTER at the beginning of the MAIN PROGRAM creates dynamic storage space for MAIN but copies no pointers. The first and only word in the display points to itself because there is no previous value for LEAVE to return to BP. See figure 4-2a.
After MAIN calls PROCEDURE A, ENTER creates a new display for PROCEDURE A with the first word pointing to the previous value of BP (BPM for LEAVE to return to the MAIN stack frame) and the second word pointing to the current value of BP. Procedure A can access variables in MAIN since MAIN is at level 1. Therefore the base for the dynamic storage for MAIN is at [BP-2]. All dynamic variables for MAIN will be at a fixed offset from this value. See figure 4-2b.

Figure 4-2b. Stack Frame for Procedure A (BPA = BP value for PROCEDURE A)

After PROCEDURE A calls PROCEDURE B, ENTER creates a new display for PROCEDURE B with the first word pointing to the previous value of BP, the second word pointing to the value of BP for MAIN, and the third word pointing to the value of BP for A and the last word pointing to the current BP. B can access variables in A and MAIN by fetching from the display the base addresses of the respective dynamic storage areas. See figure 4-2c.

Figure 4-2c. Stack Frame for Procedure B at Level 3 Called from A

After PROCEDURE B calls PROCEDURE C, ENTER creates a new display for PROCEDURE C with the first word pointing to the previous value of BP, the second word pointing to the value of BP for MAIN, and the third word pointing to the BP value for A and the third word pointing to the current value of BP. Because PROCEDURE B and PROCEDURE C have the same lexical level, PROCEDURE C is not allowed access to variables in B and therefore does not receive a pointer to the beginning of PROCEDURE B's stack frame. See figure 4-2d.

Figure 4-2d. Stack Frame for Procedure C at Level 3 Called from B
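The display construction described above can be checked by running the Figure 4-1 listing on a small stack model. The following C program is an added example, not code from the manual; the stack size, the frame sizes and the 0xAAAA return-address marker are constructed values, and `cpu_t`, `display_word` and `can_address` are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stack segment with 16-bit SP and BP. STACK_TOP, the frame sizes and
 * the return-address marker are constructed values, not from the manual. */
#define STACK_TOP 0x1000u

typedef struct { uint8_t mem[STACK_TOP]; uint16_t sp, bp; } cpu_t;
typedef struct { uint16_t bpm, bpa, bpb, bpc; } frames_t;

static uint16_t rd16(const cpu_t *c, uint16_t a)
{
    return (uint16_t)(c->mem[a % STACK_TOP] | (c->mem[(a + 1u) % STACK_TOP] << 8));
}

static void push16(cpu_t *c, uint16_t v)
{
    c->sp = (uint16_t)(c->sp - 2);
    c->mem[c->sp % STACK_TOP] = (uint8_t)v;
    c->mem[(c->sp + 1u) % STACK_TOP] = (uint8_t)(v >> 8);
}

/* ENTER bytes,level written line for line from the Figure 4-1 listing. */
static void enter(cpu_t *c, uint16_t bytes, unsigned level)
{
    push16(c, c->bp);
    uint16_t frame_ptr = c->sp;
    if (level > 0) {
        for (unsigned i = 1; i < level; i++) {   /* repeat (LEVEL - 1) times */
            c->bp = (uint16_t)(c->bp - 2);
            push16(c, rd16(c, c->bp));           /* copy one display word */
        }
        push16(c, frame_ptr);                    /* pointer to the new frame */
    }
    c->bp = frame_ptr;
    c->sp = (uint16_t)(c->sp - bytes);           /* dynamic storage */
}

/* LEAVE: copy BP to SP to release the frame, then pop the old BP. */
static void leave(cpu_t *c)
{
    c->sp = c->bp;
    c->bp = rd16(c, c->sp);
    c->sp = (uint16_t)(c->sp + 2);
}

/* Display word n of the frame at bp: n = 0 is the saved BP used by LEAVE,
 * n = 1..level are the frame pointers for lexical levels 1..level. */
static uint16_t display_word(const cpu_t *c, uint16_t bp, unsigned n)
{
    return rd16(c, (uint16_t)(bp - 2u * n));
}

/* 1 if the display of the frame at bp (lexical level `level`) holds `target`. */
static int can_address(const cpu_t *c, uint16_t bp, unsigned level, uint16_t target)
{
    for (unsigned n = 1; n <= level; n++)
        if (display_word(c, bp, n) == target)
            return 1;
    return 0;
}

/* MAIN (level 1) calls A (level 2), A calls B (level 3), B calls C (level 3). */
static frames_t run_call_chain(cpu_t *c)
{
    frames_t f;
    memset(c, 0, sizeof *c);
    c->sp = STACK_TOP;
    enter(c, 16, 1);                     f.bpm = c->bp;
    push16(c, 0xAAAA); enter(c, 8, 2);   f.bpa = c->bp;   /* CALL A */
    push16(c, 0xAAAA); enter(c, 8, 3);   f.bpb = c->bp;   /* CALL B */
    push16(c, 0xAAAA); enter(c, 8, 3);   f.bpc = c->bp;   /* CALL C */
    return f;
}

int main(void)
{
    static cpu_t c;
    frames_t f = run_call_chain(&c);
    printf("BPM=%04X BPA=%04X BPB=%04X BPC=%04X\n", (unsigned)f.bpm,
           (unsigned)f.bpa, (unsigned)f.bpb, (unsigned)f.bpc);
    for (unsigned n = 0; n <= 3; n++)
        printf("C display[%u] = %04X\n", n, (unsigned)display_word(&c, f.bpc, n));
    printf("C reaches MAIN=%d A=%d B=%d\n", can_address(&c, f.bpc, 3, f.bpm),
           can_address(&c, f.bpc, 3, f.bpa), can_address(&c, f.bpc, 3, f.bpb));
    leave(&c);
    printf("after LEAVE: BP=%04X SP=%04X\n", (unsigned)c.bp, (unsigned)c.sp);
    return 0;
}
```

The frame for C holds B's frame pointer only as the saved BP at display word 0, which LEAVE consumes; it never appears among the addressable display words.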
LEAVE (Leave Procedure) reverses the action of the previous ENTER instruction. The LEAVE instruction does not include any operands.

Example: LEAVE. First, LEAVE copies BP to SP to release all stack space allocated to the procedure by the most recent ENTER instruction. Next, LEAVE pops the old value of BP from the stack. A subsequent RET instruction can then remove any arguments that were pushed on the stack by the calling program for use by the called procedure.

BOUND (Detect Value Out of Range) verifies that the signed value contained in the specified register lies within specified limits. An interrupt (INT 5) occurs if the value contained in the register is less than the lower bound or greater than the upper bound.

The BOUND instruction includes two operands. The first operand specifies the register being tested. The second operand contains the effective relative address of the two signed BOUND limit values. The BOUND instruction assumes that it can obtain the upper limit from the memory word that immediately follows the lower limit. These limit values cannot be register operands; if they are, an invalid opcode exception occurs.

BOUND is useful for checking array bounds before using a new index value to access an element within the array. BOUND provides a simple way to check the value of an index register before the program overwrites information in a location beyond the limit of the array.

The two-word block of memory that specifies the lower and upper limits of an array might typically reside just before the array itself. This makes the array bounds accessible at a constant offset of -4 from the beginning of the array. Because the address of the array will already be present in a register, this practice avoids extra calculations to obtain the effective address of the array bounds.

Example: BOUND BX,ARRAY-4. Compares the value in BX with the lower limit at address ARRAY-4 and the upper limit at address ARRAY-2.
If the signed value in BX is less than the lower bound or greater than the upper bound, the interrupt for this instruction (INT 5) occurs. Otherwise, this instruction has no effect.

CHAPTER 5 REAL ADDRESS MODE

The 80286 can be operated in either of two modes according to the status of the Protection Enabled bit of the MSW status register. In contrast to the "modes" and "mode bits",

Figure 5-4. Stack Structure after Interrupt (Real Address Mode)

Table 5-2. Dedicated and Reserved Interrupt Vectors in Real Address Mode

Function | Interrupt Number | Related Instructions | Return Address Before Instruction Causing Exception?
---------|------------------|----------------------|------------------------------------------------------
Divide error exception | 0 | DIV, IDIV | Yes
Single step interrupt | 1 | All | N/A
NMI interrupt | 2 | All | N/A
Breakpoint interrupt | 3 | INT | N/A
INTO detected overflow exception | 4 | INTO | No
BOUND range exceeded exception | 5 | BOUND | Yes
Invalid opcode exception | 6 | Any undefined opcode | Yes
Processor extension not available exception | 7 | ESC or WAIT | Yes
Interrupt table limit too small | 8 | LIDT | Yes
Processor extension segment overrun interrupt | 9 | ESC | Yes
Segment overrun exception | 13 | Any memory reference instruction that attempts to reference 16-bit word at offset 0FFFFH. | Yes
Reserved | 10-12, 14, 15 | |
Processor extension error interrupt | 16 | ESC or WAIT | N/A
Reserved | 17-31 | |
User defined | 32-255 | |

N/A = Not Applicable

Single-Step (Interrupt 1). This interrupt will occur after each instruction if the Trap Flag (TF) bit of the FLAGS register is set. Of course, TF is cleared upon entry to this or any other interrupt to prevent infinite recursion. The saved value of CS:IP will point to the next instruction.

Nonmaskable (Interrupt 2). This interrupt will occur upon receipt of an external signal on the NMI pin. Typically, the nonmaskable interrupt is used to implement power-fail/auto-restart procedures. The saved value of CS:IP will point to the first byte of the interrupted instruction.

Breakpoint (Interrupt 3).
Execution of the one-byte breakpoint instruction causes this interrupt to occur. This instruction is useful for the implementation of software debuggers since it requires only one code byte and can be substituted for any instruction opcode byte. The saved value of CS:IP will point to the next instruction.

INTO Detected Overflow (Interrupt 4). Execution of the INTO conditional software interrupt instruction will cause this interrupt to occur if the overflow bit (OF) of the FLAGS register is set. The saved value of CS:IP will point to the next instruction.

BOUND Range Exceeded (Interrupt 5). Execution of the BOUND instruction will cause this interrupt to occur if the specified array index is found to be invalid with respect to the given array bounds. The saved value of CS:IP will point to the first byte of the BOUND instruction.

Invalid Opcode (Interrupt 6). This exception will occur if execution of an invalid opcode is attempted. (In Real Address Mode, most of the Protected Virtual Address Mode instructions are classified as invalid and should not be used). This interrupt can also occur if the effective address given by certain instructions, notably BOUND, LDS, LES, and LIDT, specifies a register rather than a memory location. The saved value of CS:IP will point to the first byte of the invalid instruction or opcode.

Processor Extension Not Available (Interrupt 7). Execution of the ESC instruction will cause this interrupt to occur if the status bits of the MSW indicate that processor extension functions are to be emulated in software. Refer to section 10.2.2 for more details. The saved value of CS:IP will point to the first byte of the ESC or the WAIT instruction.

Interrupt Table Limit Too Small (Interrupt 8). This interrupt will occur if the limit of the interrupt vector table was changed from 3FFH by the LIDT instruction and an interrupt whose vector is outside the limit occurs.
The saved value of CS:IP will point to the first byte of the instruction that caused the interrupt or that was ready to execute before an external interrupt occurred. No error code is pushed.

Processor Extension Segment Overrun Interrupt (Interrupt 9). The interrupt will occur if a processor extension memory operand does not fit in a segment. The saved CS:IP will point at the first byte of the instruction that caused the interrupt.

Segment Overrun Exception (Interrupt 13). This interrupt will occur if a memory operand does not fit in a segment. In Real Mode this will occur only when a word operand begins at segment offset 0FFFFH. The saved CS:IP will point at the first byte of the instruction that caused the interrupt. No error code is pushed.

Processor Extension Error (Interrupt 16). This interrupt occurs after the numeric instruction that caused the error. It can only occur while executing a subsequent WAIT or ESC. The saved value of CS:IP will point to the first byte of the ESC or the WAIT instruction. The address of the failed numeric instruction is saved in the NPX.

5.3 SYSTEM INITIALIZATION

The 80286 provides an orderly way to start or restart an executing system. Upon receipt of the RESET signal, certain processor registers go into the determinate state shown in table 5-3.

Table 5-3. Processor State after RESET

Register | Contents
---------|---------
FLAGS | 0002(H)
MSW | FFF0(H)
IP | FFF0(H)
CS | F000(H)
DS | 0000(H)
SS | 0000(H)
ES | 0000(H)

Since the CS register contains F000 (thus specifying a code segment starting at physical address F0000) and the instruction pointer contains FFF0, the processor will execute its first instruction at physical address FFFF0H. The uppermost 16 bytes of physical memory are therefore reserved for initial startup logic. Ordinarily, this location contains an intersegment direct JMP instruction whose target is the actual beginning of a system initialization or restart program.
Some of the steps normally performed by a system initialization routine are as follows:

- Allocate a stack.
- Load programs and data from secondary storage into memory.
- Initialize external devices.
- Enable interrupts (i.e., set the IF bit of the FLAGS register). Set any other desired FLAGS bit as well.
- Set the appropriate MSW flags if a processor extension is present, or if processor extension functions are to be emulated by software.
- Set other registers, as appropriate, to the desired initial values.
- Execute. (Ordinarily, this last step is performed as an intersegment JMP to the main system program.)

CHAPTER 6 MEMORY MANAGEMENT AND VIRTUAL ADDRESSING

In Protected Virtual Address Mode, the 80286 provides an advanced architecture that retains substantial compatibility with the 8086 and other processors in the 8086 family. In many respects, the baseline architecture of the processor remains constant regardless of the mode of operation. Application programmers continue to use the same set of instructions, addressing modes, and data types in Protected Mode as in Real Address Mode.

The major difference between the two modes of operation is that the Protected Mode provides system programmers with additional architectural features, supplementary to the baseline architecture, that can be used to good advantage in the design and implementation of advanced systems. Especially noteworthy are the mechanisms provided for memory management, protection, and multitasking.

This chapter focuses on the memory management mechanisms of Protected Mode; the concept of a virtual address and the process of virtual-to-physical address translation are described in detail in this chapter. Subsequent chapters deal with other key aspects of Protected Mode operation. Chapter 7 discusses the issue of protection and the integrated mechanisms that support a system-wide protection policy.
Chapter 8 discusses the notion of a task and its central role in the 80286 architecture. Chapters 9 through 11 discuss certain additional topics (interrupt handling, special instructions, system initialization, etc.) that complete the system programmer's view of 80286 Protected Mode.

6.1 MEMORY MANAGEMENT OVERVIEW

A memory management scheme interposes a mapping operation between logical addresses (i.e., addresses as they are viewed by programs) and physical addresses (i.e., actual addresses in real memory). Since the logical address spaces are independent of physical memory (dynamically relocatable), the mapping (the assignment of real address space to virtual address space) is transparent to software. This allows the program development tools (for static systems) or the system software (for reprogrammable systems) to control the allocation of space in real memory without regard to the specifics of individual programs.

Application programs may be translated and loaded independently since they deal strictly with virtual addresses. Any program can be relocated to use any available segments of physical memory.

The 80286, when operated in Protected Mode, provides an efficient on-chip memory management architecture. Moreover, as described in Chapter 11, the 80286 also supports the implementation of virtual memory systems, that is, systems that dynamically swap chunks of code and data between real memory and secondary storage devices (e.g., a disk) independent of and transparent to the executing application programs. Thus, a program-visible address is more aptly termed a virtual address rather than a logical address since it may actually refer to a location not currently present in real memory.

Memory management, then, consists of a mechanism for mapping the virtual addresses that are visible to the program onto the physical addresses of real memory. With the 80286, segmentation is the key to virtual memory addressing. Virtual
memory is partitioned into a number of individual segments, which are the units of memory that are mapped into physical memory and swapped to and from secondary storage devices. Most of this chapter is devoted to a detailed discussion of the mapping and virtual memory mechanisms of the 80286.

The concept of a task also plays a significant role in memory management since distinct memory mappings may be assigned to the different tasks in a multitask or multi-user environment. A complete discussion of tasks is deferred until Chapter 8, "Tasks and State Transition." For present purposes, it is sufficient to think of a task as an ongoing process, or execution path, that is dedicated to a particular function. In a multi-user time-sharing environment, for example, the processing required to interact with a particular user may be considered as a single task, functionally independent of the other tasks (i.e., users) in the system.

6.2 VIRTUAL ADDRESSES

In Protected Mode, application programs deal exclusively with virtual addresses; programs have no access whatsoever to the actual physical addresses generated by the processor. As discussed in Chapter 2, an address is specified by a program in terms of two components: (1) a 16-bit effective address offset that determines the displacement, in bytes, of a location within a segment; and (2) a 16-bit segment selector that uniquely references a particular segment. Jointly, these two components constitute a complete 32-bit address (pointer data type), as shown in figure 6-1.

These 32-bit virtual addresses are manipulated by programs in exactly the same way as the two-component addresses of Real Address Mode. After a program loads the segment selector component of an address into a segment register, each subsequent reference to locations within the selected segment requires only a 16-bit offset be specified.
Locality of reference will ordinarily insure that addresses can be specified very efficiently using only 16-bit offsets.

An important difference between Real Address Mode and Protected Mode, however, concerns the actual format and information content of segment selectors. In Real Address Mode, as with the 8086 and other processors in the 8086 family, a 16-bit selector is merely the upper bits of a segment's physical base address. By contrast, segment selectors in Protected Mode follow an entirely different format, as illustrated by figure 6-1. Two of the selector bits, designated as the RPL field in figure 6-1, are not actually involved in the selection and specification of segments; their use is discussed in Chapter 7.

Figure 6-1. Format of the Segment Selector Component (32-bit pointer: segment selector and segment offset; the selector contains the INDEX field)

The remaining 14 bits of the selector component uniquely designate a particular segment. The virtual address space of a program, therefore, may encompass as many as 16,384 (2^14) distinct segments. Segments themselves are of variable size, ranging from as small as a single byte to as large as 64K (2^16) bytes. Thus, a program's virtual address space may contain, altogether, up to a full gigabyte (2^30 = 2^14 x 2^16) of individually addressable byte locations.

The entirety of a program's virtual address space is further subdivided into two separate halves, as distinguished by the TI ("table indicator") bit in the virtual address. These two halves are the global address space and the local address space.

The global address space is used for system-wide data and procedures including operating system software, library routines, runtime language support and other commonly shared system services. (To application programs, the operating system appears to be a set of service routines that are accessible to all tasks.)
Global space is shared by all tasks to avoid unnecessary replication of system service routines and to facilitate shared data and interrupt handling. Global address space is defined by addresses with a zero in the TI bit position; it is identically mapped for all tasks in the system.

The other half of the virtual address space, comprising those addresses with the TI bit set, is separately mapped for each task in the system. Because such an address space is local to the task for which it is defined, it is referred to as a local address space. In general, code and data segments within a task's local address space are private to that particular task or user. Figure 6-2 illustrates the task isolation made possible by partitioning the virtual address spaces into local and global regions.

Figure 6-2. Address Spaces and Task Isolation (Task 1, Task 2 and Task 3 virtual address spaces)

Within each of the two regions addressable by a program (either the global address space or a particular local address space) as many as 8,192 (2^13) distinct segments may be defined. The INDEX field of the segment selector allows for a unique specification of each of these segments. This 13-bit quantity acts as an index into a memory-resident table, called a descriptor table, that records the mapping between segment address and the physical locations allocated to each distinct segment. (These descriptor tables, and their role in virtual-to-physical address translation, are described in the sections that follow.)

In summary, a Protected Mode virtual address is a 32-bit pointer to a particular byte location within a one-gigabyte virtual address space. Each such pointer consists of a 16-bit selector component and a 16-bit offset component.
The selector component, in turn, comprises a 13-bit table index, a 1-bit table indicator (local versus global), and a 2-bit RPL field; all but this last field serve to select a particular segment from among the 16K segments in a task's virtual address space. The offset component of a full pointer is an unsigned 16-bit integer that specifies the desired byte location within the selected segment.

6.3 DESCRIPTOR TABLES

A descriptor table is a memory-resident table either defined by program development tools in a static system or controlled by operating system software in systems that are reprogrammable. The descriptor table contents govern the interpretation of virtual addresses. Whenever the 80286 decodes a virtual address, translating a full 32-bit pointer into a corresponding 24-bit physical address, it implicitly references one of these tables.

Within a Protected Mode system, there are ordinarily several descriptor tables resident in memory. One of these is the global descriptor table (GDT); this table provides a complete description of the global address space. In addition, there may be one or more local descriptor tables (LDTs), each describing the local address space of one or more tasks.

For each task in the system, a pair of descriptor tables, consisting of the GDT (shared by all tasks) and a particular LDT (private to the task or to a group of closely related tasks), provides a complete description of that task's virtual address space. The protection mechanism described in Chapter 7, "Protection," ensures that a task is granted access only to its own virtual address space. In the simplest of system configurations, tasks can reside entirely within the GDT without the use of local descriptor tables. This will simplify system software by only requiring maintenance of one table (the GDT) at the expense of no isolation between tasks.
The point is: the 80286 memory management scheme is flexible enough to accommodate a variety of implementations and does not require use of all possible facilities when implementing a system.

The descriptor tables consist of a sequence of 8-byte entries called descriptors. A descriptor table may contain from 1 to 8192 entries. Within a descriptor table, two main classes of descriptors are recognized by the 80286 architecture. The most important of these, from the standpoint of memory management, are called segment descriptors; these determine the set of segments that are included within a given address space. The other class are special-purpose control descriptors (such as call gates and task descriptors) to implement protection (described in succeeding chapters) and special system data segments.

Figure 6-3 shows the format of a segment descriptor. Note that it provides information about the physical-memory base address and size of a segment, as well as certain access information. If a particular segment is to be included within a virtual address space, then a segment descriptor that describes that segment must be included within the appropriate descriptor table. Thus, within the GDT, there are segment descriptors for all of the segments that comprise a system's global address space. Similarly, within a task's LDT, there must be a descriptor for each of the segments that are to be included in that task's local address space.

Figure 6-3. Code or Data Segment Descriptor (S = 1). Fields: LIMIT 15-0, BASE 15-0, BASE 23-16, access rights byte (P = present, DPL = descriptor privilege level, S = segment descriptor, TYPE = segment type and access information (see figure 6-7), A = accessed), and a word reserved by Intel that must be set to 0 for compatibility with iAPX 386.
Each local descriptor table is itself a special system segment, recognizable as such by the 80286 architecture and described by a specific type of segment descriptor (see figure 6-4). Because there is only a single GDT segment, it is not defined by a segment descriptor. Its base and size information is maintained in a dedicated register, GDTR, as described below (section 6.6.2).

Similarly, there is another dedicated register within the 80286, LDTR, that records the base and size of the current LDT segment (i.e., the LDT associated with the currently executing task). The LDTR register state, however, is volatile: its contents are automatically altered whenever a task switch is made from one task to another. An alternate specification independent of changeable register contents must therefore exist for each LDT in the system.

This independent specification is accomplished by means of special system segment descriptors known as descriptor table descriptors or LDT descriptors. Figure 6-4 shows the format of a descriptor table descriptor. (Note that it is distinguished from an ordinary segment descriptor by the contents of certain bits in the access byte.) This special type of descriptor is used to specify the physical base address and size of a local descriptor table that defines the virtual address space and address mapping for an individual user or task (figure 6-5).

Each LDT segment in a system must lie within that system's global address space. Thus, all of the descriptor table descriptors must be included among the entries in the global descriptor table (the GDT) of a system. In fact, these special descriptors may appear only in the GDT. Reference to an LDT descriptor within an LDT will cause a protection violation. Even though they are in the global address space available to all tasks, the descriptor table descriptors are protected from corruption within the GDT since they are special system segments and can only be accessed for loading into the LDTR register.
Figure 6-4. System Segment Descriptor or Gate Descriptor (S = 0). Fields: LIMIT 15-0, BASE 15-0, BASE 23-16, access rights byte (P = present, DPL = descriptor privilege level, S = segment descriptor, TYPE = type of special descriptor, includes control and system segments), and a word reserved by Intel that must be set to 0 for compatibility with iAPX 386. TYPE values:

0 = invalid descriptor
1 = available task state segment
2 = LDT descriptor
3 = busy task state segment
4-7 = control descriptor (see Chapter 7)
8 = invalid descriptor (reserved by Intel)
9-F = reserved by Intel

6.4 VIRTUAL-TO-PHYSICAL ADDRESS TRANSLATION

The translation of a full 32-bit virtual address pointer into a real 24-bit physical address is shown by figure 6-6. When the segment's base address is determined as a result of the mapping process, the offset value is added to the result to obtain the physical address.

The actual mapping is performed on the selector component of the virtual address. The 16-bit segment selector is mapped to a 24-bit segment base address via a segment descriptor maintained in one of the descriptor tables.

The TI bit in the segment selector (see figure 6-1) determines which of two descriptor tables, either the GDT or the current LDT, is to be chosen for memory mapping. In either case, using the GDTR or LDTR register, the processor can readily determine the physical base address of the memory-resident table.

The INDEX field in the segment selector specifies a particular descriptor entry within the chosen table. The processor simply multiplies this index value by 8 (the length of a descriptor), and adds the result to the base address of the descriptor table in order to access the appropriate segment descriptor in the table.

Finally, the segment descriptor contains the physical base address of the target segment, as well as size (limit) and access information.
The processor sums the 24-bit segment base and the specified 16-bit offset to generate the resulting 24-bit physical address.

Figure 6-5. LDT Descriptor (an LDT descriptor in the GDT in memory gives the base and limit of a descriptor table in RAM, whose entries in turn give the segment base and segment limit of one private segment of the task's local address space)

6.5 SEGMENTS AND SEGMENT DESCRIPTORS

Segments are the basic units of 80286 memory management. In contrast to schemes based on fixed-size pages, segmentation allows for a very efficient implementation of software: variable-length segments can be tailored to the exact requirements of an application. Segmentation, moreover, is consistent with the way a programmer naturally deals with his virtual address space: programmers are encouraged to divide code and data into clearly defined modules and structures which are manipulated as consistent entities. This reduces (minimizes) the potential for virtual memory thrashing. Segmentation also eliminates the restrictions on data structures that span a page (e.g., a word that crosses page boundaries).

Each segment within an 80286 system is defined by an associated segment descriptor, which may appear in one or more descriptor tables. Its inclusion within a descriptor table represents the presence of its associated segment within the virtual address space defined by that table. Conversely, its omission from a descriptor table means that the segment is absent from the corresponding address space.

Figure 6-6.
Virtual-to-Physical Address Translation As shown previously in figure 6-3, an 8-byte segment descriptor encodes the following information about a particular segment: Size. This 16-bit field, comprising bytes 0 and 1 of a segment descriptor, specifies an unsigned integer as the size, in bytes (from 1 byte to 64K bytes), of the segment. Unlike segments in the 8086 (or the 80286 in Real Address Mode)-which are never explicitly limited to less than a full 64K bytes-Protected Mode segments are always assigned a specific size value. In conjunction with the protection features described in Chapter 7, this assigned size allows the enforcement of a very desirable and natural rule: inadvertent accesses to locations beyond a segment's actual boundaries are prohibited. Base. This 24-bit field, comprising bytes 2 through 4 of a segment descriptor, specifies the physical base address of the segment; it thus defines the actual location of the segment within the 16megabyte real memory space. The base may be any byte address within the 16-megabyte real memory space. Access. This 8-bit field comprises byte 5 of a segment descriptor. This access byte specifies a variety of additional information about a segment, particularly in regard to the protection features of the 80286. Fer example, cede seg!TI.ents are distinguished from d~t~ ~~ement~; ~nd certain special access restrictions (such as Execute-Only or Read-Only) may be defined for segments of each type. Access byte values of OOH or 80H will alway~ denote "invalid." Figure 6-7 shows the access byte format for both code and data segment descriptors. Detailed discussion of the protection related fields within an access byte (Conforming, Execute-Only, Descriptor Privilege Level, Expand Down, and Write-Permitted), and their use in implementing protection policies, is deferred to Chapter 7. The two fields Accessed and Present are used for virtual memory implementations. 
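The translation steps of sections 6.4 and 6.5, as an added C example that is not taken from the manual: the selector's TI bit picks the table, INDEX times 8 locates the descriptor, the descriptor yields base, limit, and access byte, and the offset is checked against the limit before it is added to the base. The memory array, sample table contents, status names, and function names are constructed for the example; it assumes the limit field holds the highest valid offset, models expand-up segments only, and performs no privilege checks.

```c
#include <stdint.h>
#include <stdio.h>

/* Base and limit of a descriptor table, as held in GDTR or the LDTR cache. */
typedef struct { uint32_t base; uint16_t limit; } table_reg;

typedef enum {
    XLAT_OK, XLAT_TABLE_LIMIT, XLAT_NOT_SEGMENT, XLAT_NOT_PRESENT, XLAT_SEGMENT_LIMIT
} xlat_status;

/* Constructed "physical memory": only the two descriptor tables live here. */
static uint8_t mem[0x200];

/* Write one 8-byte descriptor: limit in bytes 0-1, base in 2-4, access in 5, 6-7 zero. */
static void put_descriptor(uint32_t table_base, unsigned index,
                           uint32_t base, uint16_t limit, uint8_t access)
{
    uint8_t *d = &mem[table_base + index * 8u];
    d[0] = (uint8_t)(limit & 0xFF);
    d[1] = (uint8_t)(limit >> 8);
    d[2] = (uint8_t)(base & 0xFF);
    d[3] = (uint8_t)((base >> 8) & 0xFF);
    d[4] = (uint8_t)((base >> 16) & 0xFF);
    d[5] = access;
    d[6] = d[7] = 0;                       /* Intel reserved, must be 0 */
}

/* Constructed sample tables: GDT at 0x000 (3 entries), LDT at 0x100 (2 entries). */
void build_sample_tables(table_reg *gdtr, table_reg *ldtr)
{
    gdtr->base = 0x000; gdtr->limit = 3 * 8 - 1;
    ldtr->base = 0x100; ldtr->limit = 2 * 8 - 1;
    put_descriptor(gdtr->base, 0, 0, 0, 0x00);              /* access 00H: invalid      */
    put_descriptor(gdtr->base, 1, 0x012000, 0x0FFF, 0x92);  /* present data, DPL 0      */
    put_descriptor(gdtr->base, 2, 0x030000, 0xFFFF, 0x12);  /* data segment, Present=0  */
    put_descriptor(ldtr->base, 0, 0, 0, 0x00);
    put_descriptor(ldtr->base, 1, 0x200000, 0x00FF, 0xF2);  /* present data, DPL 3      */
}

/* Map selector:offset to a 24-bit physical address, or say why it cannot be mapped. */
xlat_status translate(const table_reg *gdtr, const table_reg *ldtr,
                      uint16_t selector, uint16_t offset, uint32_t *phys)
{
    const table_reg *tbl = (selector & 0x4u) ? ldtr : gdtr;  /* TI: 1 = LDT, 0 = GDT */
    uint32_t disp = (uint32_t)(selector >> 3) * 8u;          /* INDEX scaled by 8    */

    /* All 8 descriptor bytes must lie inside the table (and inside the model memory). */
    if (disp + 7u > tbl->limit || tbl->base + disp + 8u > sizeof mem)
        return XLAT_TABLE_LIMIT;

    const uint8_t *d = &mem[tbl->base + disp];
    uint16_t limit  = (uint16_t)(d[0] | (d[1] << 8));
    uint32_t base   = (uint32_t)d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16);
    uint8_t  access = d[5];

    if (!(access & 0x10u)) return XLAT_NOT_SEGMENT;   /* S = 0 (covers 00H and 80H)   */
    if (!(access & 0x80u)) return XLAT_NOT_PRESENT;   /* Present bit clear            */
    if (offset > limit)    return XLAT_SEGMENT_LIMIT; /* beyond the segment's bounds  */

    *phys = (base + offset) & 0xFFFFFFu;              /* kept to 24 bits              */
    return XLAT_OK;
}

int main(void)
{
    table_reg gdtr, ldtr;
    uint32_t phys = 0;
    build_sample_tables(&gdtr, &ldtr);

    xlat_status st = translate(&gdtr, &ldtr, 0x000F, 0x0040, &phys);
    printf("selector 000F offset 0040: status %d, physical %06lX\n",
           (int)st, (unsigned long)phys);
    st = translate(&gdtr, &ldtr, 0x000F, 0x0100, &phys);
    printf("selector 000F offset 0100: status %d (past the segment limit)\n", (int)st);
    return 0;
}
```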

Figure 6-7. Segment Descriptor Access Bytes
(Data or stack segment access byte, from LSB to MSB: ACCESSED (1 = yes), WRITEABLE (1 = yes), EXPAND DOWN (1 = down), EXECUTABLE (0 = no for data), a bit that indicates segment descriptor, DESCRIPTOR PRIVILEGE LEVEL, PRESENT (1 = yes).)

6.6 MEMORY MANAGEMENT REGISTERS

The Protected Virtual Address Mode features of the 80286 operate at high performance due to extensions to the basic 8086 register set. Figure 6-8 illustrates that portion of the extended register structure that pertains to memory management. (For a complete summary of all Protected Mode registers, refer to section 10.1.)

6.6.1 Segment Address Translation Registers

Figure 6-8 shows the segment registers CS, DS, ES, and SS. In contrast to their usual representation, however, these registers are now depicted as 64-bit registers, each with "visible" and "hidden" components.

The visible portions of these segment address translation registers are manipulated by programs exactly as if they were simply the 16-bit segment registers of Real Address Mode. By loading a segment selector into one of these registers, the program makes the associated segment one of its four currently addressable segments.

Figure 6-8. Memory Management Registers
(Segment address translation registers: the code, data, extra, and stack segment registers, each a 16-bit visible selector in bits 63-48 plus a 48-bit hidden descriptor cache holding access rights in bits 47-40, segment base address in bits 39-16, and segment size in bits 15-0. System address registers: GDTR (global descriptor table register) and IDTR (interrupt descriptor table register), each a 40-bit explicit register with BASE in bits 39-16 and LIMIT in bits 15-0; LDTR (local descriptor table register), a 16-bit visible selector plus a 40-bit hidden descriptor cache with BASE and LIMIT, automatically loaded from the LDT descriptor within the GDT.)

The operations that load these registers (or, more exactly, those that load the visible portion of these registers) are normal program instructions. These instructions may be divided into two categories:

1. Direct segment-register load instructions. These instructions (such as LDS, LES, MOV, POP, etc.) can explicitly reference the SS, DS, or ES segment registers as the destination operand.

2. Implied segment-register load instructions. These instructions (such as intersegment CALL and JMP) implicitly reference the CS code segment register; as a result of these operations, the contents of CS are altered.

Using these instructions, a program loads the visible part of the segment register with a 16-bit selector (i.e., the high-order word of a virtual address pointer). Whenever this is done, the processor automatically uses the selector to reference the appropriate descriptor and loads the 48-bit hidden descriptor cache for that segment register.

The correspondence between selectors and descriptors has already been described. Remember that the selector's TI bit indicates one of the two descriptor tables, either the LDT or the GDT. Within the indicated table, a particular entry is chosen by the selector's 13-bit INDEX field.
This index, scaled by a factor of 8, represents the relative displacement of the chosen table entry (a descriptor).

Thus, so long as a particular selector value is valid (i.e., it points to a valid segment descriptor within the bounds of the descriptor table), it can be readily associated with an 8-byte descriptor. When a selector value is loaded into the visible part of a segment register, the 80286 automatically loads 6 bytes of the associated descriptor into the hidden part of the register. These 6 bytes, therefore, contain the size, base, and access type of the selected segment. Figure 6-9 illustrates this transparent process of descriptor loading.

In effect, the hidden descriptor fields of the segment registers function as the memory management cache of the 80286. All the information required to address the current working set of segments (that is, the base address, size, and access rights of the currently addressable segments) is stored in this memory cache. Unlike the probabilistic caches of other architectures, however, the 80286 cache is completely deterministic: the caching of descriptors is explicitly controlled by the program.

Most memory references do not require the translation of a full 32-bit virtual address, or long pointer. Operands that are located within one of the currently addressable segments, as determined by the four segment registers, can be referenced very efficiently by means of a short pointer, which is simply a 16-bit offset.

In fact, most 80286 instructions reference memory locations in precisely this way, specifying only a 16-bit offset with respect to one of the currently addressable segments. The choice of segments (CS, DS, ES, or SS) is either implicit within the instruction itself, or explicitly specified by means of a segment-override prefix (as described in Chapter 2).

Figure 6-9. Descriptor Loading
(Shows transparent descriptor loading: within the CPU, the application-visible segment register holds the selector and the descriptor cache holds TYPE, BASE, and LIMIT; these are loaded from the segment descriptor in the descriptor table in system memory.)

Thus, in most cases, virtual-to-physical address translation is actually performed in two separate steps. First, when a program loads a new value into a segment register, the processor immediately performs a mapping operation; the physical base address of the selected segment (as well as certain additional information) is automatically loaded into the hidden portion of the register. The internal cache registers (virtual address translation hardware) are therefore dynamically shared among the 16K different segments potentially addressable within the user's virtual address space. No software overhead (either system or application) is required to perform this operation.

Subsequently, as the program utilizes a short pointer to reference a location within a segment, the processor generates a 24-bit physical address simply by adding the specified offset value to the previously cached segment base address. By encouraging the use of short pointers in this way, rather than requiring a full 32-bit virtual address for every memory reference, the 80286 provides a very efficient on-chip mechanism for address translation, with minimum overhead for references to memory-based tables or the need for external address-translation devices.

6.6.2 System Address Registers

The Global Descriptor Table Register (GDTR) is a dedicated 40-bit (5 byte) register used to record the base and size of a system's global descriptor table (GDT). Thus, two of these bytes define the size of the GDT, and three bytes define its base address.

In figure 6-8, the contents of the GDTR are referred to as a "hidden descriptor."
The term "descriptor" here emphasizes the analogy with the segment descriptors ordinarily found in descriptor tables. Just as these descriptors specify the base and size (limit) of ordinary segments, the GDTR register specifies these same parameters for that segment of memory serving as the system GDT. The limit prevents accesses to descriptors in the GDT from accessing beyond the end of the GDT and thus provides address space isolation at the system level as well as at the task level.

The register contents are "hidden" only in the sense that they are not accessible by means of ordinary instructions. Instead, the dedicated protected instructions LGDT and SGDT are reserved for loading and storing, respectively, the contents of the GDTR at Protected Mode initialization (refer to section 10.2 for details). Subsequent alteration of the GDT base and size values is not recommended but is a system option at the most privileged level of software (see section 7.3 for a discussion of privilege levels).

The Local Descriptor Table Register (LDTR) is a dedicated 40-bit register that contains, at any given moment, the base and size of the local descriptor table (LDT) associated with the currently executing task. Unlike GDTR, the LDTR register contains both a "visible" and a "hidden" component. Only the visible component is accessible, while the hidden component remains truly inaccessible even to dedicated instructions.

The visible component of the LDTR is a 16-bit "selector" field. The format of these 16 bits corresponds exactly to that of a segment selector in a virtual address pointer. Thus, it contains a 13-bit INDEX field, a 1-bit TI field, and a 2-bit RPL field. The TI "table indicator" bit must be zero, indicating a reference to the GDT (i.e., to global address space). The INDEX field consequently provides an index to a particular entry within the GDT.
This entry, in turn, must be an LDT descriptor (or descriptor table descriptor), as defined in the previous section. In this way, the visible "selector" field of the LDTR, by selecting an LDT descriptor, uniquely designates a particular LDT in the system.

The dedicated, protected instructions LLDT and SLDT are reserved for loading and storing, respectively, the visible selector component of the LDTR register (refer to section 10.2 for details). Whenever a new value is loaded into the visible "selector" portion of LDTR, an LDT descriptor will have been uniquely chosen (assuming, of course, that the "selector" value is valid). In this case, the 80286 automatically loads the hidden "descriptor" portion of LDTR with five bytes from the chosen LDT descriptor. Thus, size and base information about a particular LDT, as recorded in a memory-resident global descriptor table entry, is cached in the LDTR register.

New values may be loaded into the visible portion of the LDTR (and, thus, into the hidden portion as well) in either of two ways. The LLDT instruction, during system initialization, is used explicitly to set an initial value for the LDTR register; in this way, a local address space is provided for the first task in a multitasking environment. After system startup, explicit changes are not required since operations that automatically invoke a task switch (described in section 8.4) appropriately manage the LDTR.

At all times, the LDTR register thus records the physical base address (and size) of the current task's LDT; the descriptor table required for mapping the current local address space, therefore, is immediately accessible to the processor. Moreover, since GDTR always maintains the base address of the GDT, the table that maps the global address space is similarly accessible.
The two system address registers, GDTR and LDTR, act as a special processor cache, maintaining current information about the two descriptor tables required, at any given time, for addressing the entire current virtual address space.

CHAPTER 7
PROTECTION

7.1 INTRODUCTION

In most microprocessor based products, the product's availability, quality, and reliability are determined by the software it contains. Software is often the key to a product's success. Protection is a tool used to shorten software development time, and improve software quality and reliability.

Program testing is an important step in developing software. A system with protection will detect software errors more quickly and accurately than a system without protection. Eliminating errors via protection reduces the development time for a product.

Testing software is difficult. Many errors occur only under complex circumstances which are difficult to anticipate. The result is that products are shipped with undetected errors. When such errors occur, products appear unreliable. The impact of a software error is multiplied if it introduces errors in other bug-free programs. Thus, the total system reliability reduces to that of the least reliable program running at any given time.

Protection improves the reliability of an entire system by preventing software errors in one program from affecting other programs. Protection can keep the system running even when some user program attempts an invalid or prohibited operation.

Hardware protection performs run-time checks in parallel with the execution of the program. But, hardware protection has traditionally resulted in a design that is more expensive and slower than a system without protection. However, the 80286 provides hardware-enforced protection without the performance or cost penalties normally associated with protection.

The protected mode 80286 implements extensive protection by integrating these functions on-chip.
The 80286 protection is more comprehensive and flexible than comparable solutions. It can locate and isolate a large number of program errors and prevent the propagation of such errors to other tasks or programs. The protection of the total system detects and isolates bugs both during development and installed usage. Chapter 9 discusses exceptions in more detail.

The remaining sections of this chapter explain the protection model implemented in the 80286.

7.1.1 Types of Protection

Protection in the 80286 has three basic aspects:

1. Isolation of system software from user applications.
2. Isolation of users from each other (Inter-task protection).
3. Data-type checking.

The 80286 provides a four-level, ringed-type, increasingly-privileged protection mechanism to isolate applications software from various layers of system software. This is a major improvement and extension over the simpler two-level user/supervisor mechanism found in many systems. Software modules in a supervisor level are protected from modules in the application level and from software in less privileged supervisor levels.

Restricting the addressability of a software module enables an operating system to control system resources and priorities. This is especially important in an environment that supports multiple concurrent users. Multi-user, multi-tasking, and distributed processing systems require this complete control of system resources for efficient, reliable operation.

The second aspect of protection is isolating users from each other. Without such isolation an error in one user program could affect the operation of another error-free user program. Such subtle interactions are difficult to diagnose and repair. The reliability of applications programs is greatly enhanced by such isolation of users.

Within a system or application level program, the 80286 will ensure that all code and data segments are properly used (e.g., data cannot be executed, programs cannot be modified, and offset must be within defined limits, etc.). Such checks are performed on every memory access to provide full run-time error checking.

7.1.2 Protection Implementation

The protection hardware of the 80286 establishes constraints on memory and instruction usage. The number of possible interactions between instructions, memory, and I/O devices is practically unlimited. Out of this very large field the protection mechanism limits interactions to a controlled, understandable subset. Within this subset fall the list of "correct" operations. Any operation that does not fall into this subset is not allowed by the protection mechanism and is signalled as a protection violation.

To understand protection on the 80286, you must begin with its basic parts: segments and tasks. 80286 segments are the smallest region of memory which have unique protection attributes. Modular programming automatically produces separate regions of memory (segments) whose contents are treated as a whole. Segments reflect the natural construction of a program, e.g., code for module A, data for module A, stack for the task, etc. All parts of the segment are treated in the same way by the 80286. Logically separate regions of memory should be in separate segments.

The memory segmentation model (see figure 7-1) of the 80286 was designed to optimally execute code for software composed of independent modules. Modular programs are easier to construct and maintain. Compared to monolithic software systems, modular software systems have enhanced capabilities, and are typically easier to develop and test for proper operation.

Each segment in the system is defined by a memory-resident descriptor. The protection hardware prevents accesses outside the data areas and attempts to modify instructions, etc., as defined by the descriptors.
Segmentation on the 80286 allows protection hardware to be integrated into the CPU for full data access control without any performance impact.

The segmented memory architecture of the 80286 provides unique capabilities for regulating the transfer of control between programs. Programs are given direct but controlled access to other procedures and modules. This capability is the heart of isolating application and system programs. Since this access is provided and controlled directly by the 80286 hardware, there is no performance penalty. A system designer can take advantage of the 80286 access control to design high-performance modular systems with a high degree of confidence in the integrity of the system.

Figure 7-1. Addressing Segments of a Module within a Task
(Shows the CPU segment registers addressing segments in memory: code and data for module A, code and data for module B, the task stack, and task data blocks 1 and 2.)

Access control between programs and the operating system is implemented via address space separation and a privilege mechanism. The address space control separates applications programs from each other while the privilege mechanism isolates system software from applications software. The privilege mechanism grants different capabilities to programs to access code, data, and I/O resources based on the associated protection level. Trusted software that controls the whole system is typically placed at the most privileged level. Ordinary application software does not have to deal with these control mechanisms. They come into play only when there is a transfer of control between tasks, or if the Operating System routines have to be invoked.

The protection features of multiple privilege levels extend to ensuring reliable I/O control. However, for a system designer to enable only one specific level to do I/O would excessively constrain subsequent extensions or application development.
Instead, the 80286 permits each task to be assigned a separate minimum level where I/O is allowed. I/O privilege is discussed in section 10.3.

An important distinction exists between tasks and programs. Programs (e.g., instructions in code segments) are static and consist of a fixed set of code and data segments each with an associated privilege level. The privilege assigned to a program determines what the program may do when executed by a task. Privilege is assigned to a program when the system is built or when the program is loaded.

Tasks are dynamic; they execute one or more programs. Task privilege changes with time according to the privilege level of the program being executed. Each task has a unique set of attributes that define it, e.g., address space, register values, stack, data, etc. A task may execute a program if that program appears in the task's address space. The rules of protection control determine when a program may be executed by a task, and once executed, determine what the program may do.

7.2 MEMORY MANAGEMENT AND PROTECTION

The protection hardware of the 80286 is related to the memory management hardware. Since protection attributes are assigned to segments, they are stored along with the memory management information in the segment descriptor. The protection information is specified when the segment is created. In addition to privilege levels, the descriptor defines the segment type (e.g., Code segment, Data segment, etc.). Descriptors may be created either by program development tools or by a loader in a dynamically loaded reprogrammable environment.

The protection control information consists of a segment type, its privilege level, and size. These are fields in the access byte of the segment descriptor (see figure 7-2). This information is saved on-chip in the programmer invisible section of the segment register for fast access during execution. These entries are changed only when a segment register is loaded.
The protection data is used at two times: upon loading a segment register and upon each reference to the selected segment.

The hardware performs several checks while loading a segment register. These checks enforce the protection rules before any memory reference is generated. The hardware verifies that the selected segment is valid (is identified by a descriptor, is in memory, and is accessible from the privilege level in which the program is executing) and that the type is consistent with the target segment register. For example, you cannot load a read-only segment descriptor into SS because the stack must always be writable.

Figure 7-3. 80286 Virtual Address Space
(Shows the private address spaces of task A, task B, and task C, and the shared address space.)

7.2.3 Type Validation

After checking that a selector reference is within the bounds of a descriptor table and refers to a non-empty descriptor, the type of segment defined by the descriptor is checked against the destination register. Since each segment register has predefined functions, each must refer to certain types of segments (see section 7.4.1). An attempt to load a segment register in violation of the protection rules causes an exception.

The "null" selector is a special type of segment selector. It has an index field of all zeros and a table indicator of 0. The null selector appears to refer to GDT descriptor entry #0 (see GDT in figure 7-3).
This selector value may be used as a place holder in the DS or ES segment registers; it may be loaded into them without causing an exception. However, any attempt to use the null segment registers to reference memory will cause an exception and prevent any memory cycle from occurring.

Figure 7-4. Local and Global Descriptor Table Definitions
(Shows the CPU's GDTR, holding GDT base and GDT limit, and LDTR, holding the LDT selector plus the program-invisible LDT base and LDT limit, pointing to the GDT and the current LDT in memory.)

Figure 7-5. Error Code Format (on the stack)
(Bits 15-3, INDEX: entry in IDT, GDT, or LDT. Bit 2, TI: 1 means use LDT; 0 means use GDT. Bit 1, I: 1 means use IDT and ignore bit 2; 0 means bit 2 indicates table usage. Bit 0, EXT: distinguishes an event external to the program that caused the exception (i.e., external interrupt, single step, processor extension error) from an exception that occurred while processing the instruction at CS:IP saved on stack.)

7.3 PRIVILEGE LEVELS AND PROTECTION

As explained in section 6.2, each task has its own separate virtual address space defined by its LDT. All tasks share a common address space defined by the GDT. The system software then has direct access to task data and can treat all pointers in the same way.

Protection is required to prevent programs from improperly using code or data that belongs to the operating system. The four privilege levels of the 80286 provide the isolation needed between the various layers of the system. The 80286 privilege levels are numbered from 0 to 3, where 0 is the most trusted level, 3 the least.

Privilege level is a protection attribute assigned to all segments. It determines which procedures can access the segment. Like access rights and limit checks, privilege checks are automatically performed by the hardware, and thus protect both data and code segments.

Privilege on the 80286 is hierarchical. Operating system code and data segments placed at the most privileged level (0) cannot be accessed directly by programs at other privilege levels. Programs at privilege level 0 may access data at all other levels. Programs at privilege levels 1-3 may only access data at the same or less trusted (numerically greater) privilege levels. Figure 7-6 illustrates the privilege level protection of code or data within tasks.

In figure 7-6, programs can access data at the same or outer level, but not at inner levels. Code and data segments placed at level 1 cannot be accessed by programs executing at levels 2 or 3. Programs at privilege level 0 can access data at level 1 in the course of providing service to that level. The 80286 provides mechanisms for inter-level transfer of control when needed (see section 7.5).

The four privilege levels of the 80286 are an extension of the typical two-level user/supervisor privilege mechanism. Like user mode, application programs in the outer level are not permitted direct access to data belonging to more privileged system services (supervisor mode). The 80286 adds two more privilege levels to provide protection for different layers of system software (system services, I/O drivers, etc.).

7.3.1 Example of Using Four Privilege Levels

Two extra privilege levels allow development of more reliable and flexible system software. This is achieved by dividing the system into small, independent units. Figure 7-6 shows an example of the usage of different protection levels. Here, the most privileged level is called the kernel. This software would provide basic, application-independent, CPU-oriented services to all tasks. Such services include memory management, task isolation, multitasking, inter-task communication, and I/O resource control. Since the kernel is only concerned with simple functions and cannot be affected by software at other privilege levels, it can be kept small, safe, and understandable.

Privilege level one is designated system services. This software provides high-level functions like file access scheduling, character I/O, data communications, and resource allocation policy which are commonly expected in all systems. Such software remains isolated from applications programs and relies on the services of the kernel, yet cannot affect the integrity of level 0.

Privilege level 2 is the custom operating system extensions level. It allows standard system software to be customized. Such customizing can be kept isolated from errors in applications programs, yet cannot affect the basic integrity of the system software. Examples of customized software are the data base manager, logical file access services, etc.

Figure 7-6. Code and Data Segments Assigned to a Privilege Level

This is just one example of protection mechanism usage. Levels 1 and 2 may be used in many different ways. The usage (or non-usage) is up to the system designer.

Programs at each privilege level are isolated from programs at outer layers, yet cannot affect programs in inner layers. Programs written for each privilege level can be smaller, easier to develop, and easier to maintain than a monolithic system where all system software can affect all other system software.

7.3.2 Privilege Usage

Privilege applies to tasks and three types of descriptors:

1. Main memory segments
2. Gates (control descriptors for state or task transitions, discussed in sections 7.5.1, 7.5.3, 8.3, 8.4 and 9.2)
3. Task state segments (discussed in Chapter 8).

Task privilege is a dynamic value. It is derived from the code segment currently being executed. Task privilege can change only when a control transfers to a different code segment.

Descriptor privilege, including code segment privilege, is assigned when the descriptor (and any associated segment) is created.
The system designer assigns privilege directly when the system is constructed with the system builder (see the 80286 Builder User's Guide) or indirectly via a loader.

Each task operates at only one privilege level at any given moment: namely that of the code segment being executed. (The conforming segments discussed in section 11.2 permit some flexibility in this regard.) However, as figure 7-6 indicates, the task may contain segments at one, two, three, or four levels, all of which are to be used at appropriate times. The privilege level of the task, then, changes under the carefully enforced rules for transfer of control from one code segment to another.

The descriptor privilege attribute is stored in the access byte of a descriptor and is called the Descriptor Privilege Level (DPL). Task privilege is called the Current Privilege Level (CPL). The least significant two bits of the CS register specify the CPL.

A few general rules of privilege can be stated before the detailed discussions of later sections. Data access is restricted to those data segments whose privilege level is the same as or less privileged (numerically greater) than the current privilege level (CPL). Direct code access, e.g., via call or jump, is restricted to code segments of equal privilege. A gate (section 7.5.1) is required for access to code at more privileged levels.

7.4 SEGMENT DESCRIPTOR

Although the format of access control information, discussed below, is similar for both data and code segment descriptors, the rules for accessing data segments differ from those for transferring control to code segments. Data segments are meant to be accessible from many privilege levels, e.g., from other programs at the same level or from deep within the operating system. The main restriction is that they cannot be accessed by less privileged code.

Code segments, on the other hand, are meant to be executed at a single privilege level.
Transfers of control that cross privilege boundaries are tightly restricted, requiring the use of gates. Control transfers within a privilege level can also use gates, but they are not required. Control transfers are discussed in section 7.5.

Protection checks are automatically invoked at several points in selecting and using new segments. The process of addressing memory begins when the currently executing program attempts to load a selector into one of the segment registers. As discussed in Chapter 6, the selector has the form shown in figure 7-7. When a new selector is loaded into a segment register, the processor accesses the associated descriptor to perform the necessary loading and privilege checks.

The protection mechanism verifies that the selector points to a valid descriptor type for the segment register (see section 7.4.1). After verifying the descriptor type, the CPU compares the privilege level of the task (CPL) to the privilege level in the descriptor (DPL) before loading the descriptor's information into the cache.

The general format of the eight bits in the segment descriptor's access rights byte is shown in table 7-1.

Figure 7-7. Selector Fields

Bits    Name                             Function
1-0     Requested Privilege Level (RPL)  Indicates selector privilege level desired
2       Table Indicator (TI)             TI = 0: use Global Descriptor Table (GDT)
                                         TI = 1: use Local Descriptor Table (LDT)
15-3    Index                            Select descriptor entry in table

Table 7-1. Segment Access Rights Byte Format

Bit   Name         Description
7     Present      1 means Present and addressable in real memory; 0 means not present. See section 11.3.
6,5   DPL          2-bit Descriptor Privilege Level, 0 to 3.
4     Segment      1 means Segment descriptor; 0 means control descriptor.

For Segment = 1, the remaining bits have the following meanings:

3     Executable   1 means code, 0 means data.
2     C or ED      If code, Conforming: 1 means yes, 0 no. If data, Expand Down: 1 yes, 0 no (normal case).
1     R or W       If code, Readable: 1 means readable, 0 not. If data, Writable: 1 means writable, 0 not.
0     Accessed     1 if segment descriptor has been Accessed, 0 if not.

NOTE: When the Segment bit (bit 4) is 0, the descriptor is for a gate, a task state segment, or a Local Descriptor Table, and the meanings of bits 0 through 3 change. Control transfers and descriptors are discussed in section 7.5.

For example, the access rights byte for a data and code segment present in real memory but not yet accessed (at the same privilege level) is shown in figure 7-8. Whenever a segment descriptor is loaded into a segment register, the accessed bit in the descriptor table is set to 1. This bit is useful for determining the usage profile of the segment.

[Figure 7-8. Access Byte Examples (panels: Readable Code Segment; Writable Code Segment)]

Table 7-2. Allowed Segment Types in Segment Registers

                      Allowed Segment Types
Segment    Read Only      Read-Write     Execute Only   Execute-Read
Register   Data Segment   Data Segment   Code Segment   Code Segment
DS         Yes            Yes            No             Yes
ES         Yes            Yes            No             Yes
SS         No             Yes            No             No
CS         No             No             Yes            Yes

NOTE: The Intel reserved bytes in the segment descriptor must be set to 0 for compatibility with the 80386.

7.4.1 Data Accesses

Data may be accessed in data segments or readable code segments. When DS or ES is loaded with a new selector, e.g., by an LDS, LES, or MOV to ES, SS, or DS instruction, the bits in the access byte are checked to verify legitimate descriptor type and access (see table 7-2). If any test fails, an error code is pushed onto the stack identifying the selector involved (see figure 7-5 for the error code format).

A privilege check is made when the segment register is loaded. In general, a data segment's DPL must be numerically greater than or equal to the CPL.
The DPL of a descriptor loaded into the SS must equal the CPL. Conforming code segments are an exception to privilege checking rules (see section 11.2).

Once the segment descriptor and selector are loaded, the offsets of subsequent accesses within the segment are checked against the limit given in the segment descriptor. Violating the segment size limit causes a General Protection exception with an error code of 0.

A normal data segment is addressed with offset values ranging from 0 to the size of the segment. When the ED bit of the access rights byte in the segment descriptor is 0, the allowed range of offsets is 0000H to the limit. If limit is 0FFFFH, the data segment contains 65,536 bytes.

Since stacks normally occupy different offset ranges (lower limit to 0FFFFH) than data segments, the limit field of a segment descriptor can be interpreted in two ways. The Expand Down (ED) bit in the access byte allows offsets for stack segments to be greater than the limit field. When ED is 1, the allowed range of offsets within the segment is limit + 1 to 0FFFFH. To allow a full stack segment, set ED to 1 and the limit to 0FFFFH. The ED bit of a data segment descriptor does not have to be set for use in SS (i.e., it will not cause an exception). Section 7.5.4 discusses stack segment usage in greater detail. An expand down (ED = 1) segment can also be loaded into ES or DS.

Limit and access checks are performed before any memory reference is started. For stack push instructions (PUSH, PUSHA, ENTER, CALL, INT), a possible limit violation is identified before any internal registers are updated. Therefore, these instructions are fully restartable after a stack size violation.

7.4.2 Code Segment Access

Code segments are accessed via CS for execution. Segments that are execute-only can ONLY be executed; they cannot be accessed via DS or ES, nor read via CS with a CS override prefix.
If a segment is executable (bit 3 = 1 in the access byte), access via DS or ES is possible only if it is also readable. Thus, any code segment that also contains data must be readable. (Refer to Chapter 2 for a discussion of segment override prefixes.)

An execute-only segment preserves the privacy of the code against any attempt to read it; such an attempt causes a general protection fault with an error code of 0. A code segment cannot be loaded into SS and is never writable. Any attempted write will cause a general protection fault with an error code of 0.

The limit field of a code segment descriptor identifies the last byte in the segment. Any offset greater than the limit value will cause a general protection fault. The prefetcher of the 80286 can never cause a code segment limit violation with an error code of 0. The program must actually attempt to execute an instruction beyond the end of the code segment to cause an exception.

If a readable non-conforming code segment is to be loaded into DS or ES, the privilege level requirements are the same as those stated for data segments in 7.4.1.

Code segments are subject to different privilege checks when executed. The normal privilege requirement for a jump or call to another code segment is that the current privilege level equal the descriptor privilege level of the new code segment. Jumps and calls within the current code segment automatically obey this rule.

Return instructions may pass control to code segments at the same or less (numerically greater) privileged level. Code segments at more privileged levels may only be reached via a call through a call gate as described in section 7.5.

An exception to this, previously stated, is the conforming code segment that allows the DPL of the requested code segment to be numerically less than (of greater privilege than) the CPL. Conforming code segments are discussed in section 11.2.
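The type, privilege and limit checks of sections 7.4.1 and 7.4.2 can be followed in a short C model. This is an added illustration, not code from the manual: the function names, result codes and sample access bytes are constructed here, the order of the presence check is an assumption, and the RPL part of the privilege check (section 7.4.3) is left out.

```c
#include <stdint.h>
#include <stdio.h>

/* Access rights byte fields of a segment descriptor (table 7-1). */
#define AR_PRESENT 0x80u               /* bit 7 */
#define AR_DPL(ar) (((ar) >> 5) & 3u)  /* bits 6,5 */
#define AR_SEGMENT 0x10u               /* bit 4: 1 = segment descriptor */
#define AR_EXEC    0x08u               /* bit 3: 1 = code, 0 = data */
#define AR_C_ED    0x04u               /* bit 2: Conforming or Expand Down */
#define AR_R_W     0x02u               /* bit 1: Readable or Writable */

enum seg_reg { REG_DS, REG_ES, REG_SS, REG_CS };

/* Result names belong to this model; they are not exception names. */
enum load_result { LOAD_OK, BAD_TYPE, BAD_PRIVILEGE, NOT_PRESENT };

/* Table 7-2: may a segment with access byte `ar` go into register `reg`? */
static int type_allowed(enum seg_reg reg, uint8_t ar)
{
    int code = (ar & AR_EXEC) != 0;
    int r_w  = (ar & AR_R_W) != 0;

    if (!(ar & AR_SEGMENT))
        return 0;                       /* control descriptor, not a segment */
    switch (reg) {
    case REG_CS: return code;           /* execute-only or execute-read */
    case REG_SS: return !code && r_w;   /* read-write data only */
    default:     return !code || r_w;   /* any data, or readable code */
    }
}

/* Checks made when DS, ES or SS is loaded while running at `cpl`. */
static enum load_result check_data_load(enum seg_reg reg, uint8_t ar, unsigned cpl)
{
    unsigned dpl = AR_DPL(ar);
    int conforming = (ar & AR_EXEC) && (ar & AR_C_ED);

    if (reg == REG_CS || !type_allowed(reg, ar))
        return BAD_TYPE;                /* CS changes only by control transfer */
    if (reg == REG_SS ? dpl != cpl                   /* SS: DPL must equal CPL */
                      : (!conforming && dpl < cpl))  /* DS/ES: DPL >= CPL */
        return BAD_PRIVILEGE;           /* conforming code is the 7.4.1 exception */
    if (!(ar & AR_PRESENT))
        return NOT_PRESENT;             /* assumed to be checked last */
    return LOAD_OK;
}

/* Limit check for `size` bytes at `offset`; returns 1 when inside the segment. */
static int offset_in_limit(uint8_t ar, uint16_t limit, uint16_t offset, unsigned size)
{
    uint32_t last;
    int expand_down = !(ar & AR_EXEC) && (ar & AR_C_ED);

    if (size == 0)
        return 0;
    last = (uint32_t)offset + size - 1;
    if (expand_down)                    /* allowed range: limit + 1 to 0FFFFH */
        return offset > limit && last <= 0xFFFFu;
    return last <= limit;               /* allowed range: 0000H to limit */
}

/* Constructed sample access bytes (all are segment descriptors). */
#define DATA_RW_DPL3   0xF2u            /* present, DPL 3, writable data */
#define DATA_RO_DPL0   0x90u            /* present, DPL 0, read-only data */
#define STACK_ED_DPL3  0xF6u            /* present, DPL 3, writable, expand down */
#define CODE_XO_DPL3   0xF8u            /* present, DPL 3, execute-only code */
#define CODE_XR_DPL3   0xFAu            /* present, DPL 3, readable code */

int main(void)
{
    printf("execute-only code into DS allowed: %d\n",
           type_allowed(REG_DS, CODE_XO_DPL3));
    printf("DPL 0 data into DS at CPL 3, result code: %d\n",
           (int)check_data_load(REG_DS, DATA_RO_DPL0, 3));
    printf("offset 0FFFH in expand-down segment, limit 0FFFH: %d\n",
           offset_in_limit(STACK_ED_DPL3, 0x0FFF, 0x0FFF, 1));
    return 0;
}
```
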
7.4.3 Data Access Restriction by Privilege Level

This section describes privilege verification when accessing either data segments (loading segment selectors into DS, ES, or SS) or readable code segments. Privilege verification when loading CS for transfer of control across privilege levels is described in the next section.

Three basic kinds of privilege level indicators are used when determining accessibility to a segment for reading and writing. They are termed Current Privilege Level (CPL), Descriptor Privilege Level (DPL), and Requested Privilege Level (RPL). The CPL is simply the privilege level of the code segment that is executing (except if the current code segment is conforming). The CPL is stored as bits 0 and 1 of the CS and SS registers. Bits 0 and 1 of DS and ES are not related to CPL.

DPL is the privilege level of the segment; it is stored in bits 5 and 6 of the access byte of a descriptor. For data access to data segments and non-conforming code segments, CPL must be numerically less than or equal to DPL (the task must be of equal or greater privilege) for access to be granted. Violation of this rule during a segment load instruction causes a general protection exception with an error code identifying the selector.

While the enforcement of DPL protection rules provides the mechanism for the isolation of code and data at different privilege levels, it is conceivable that an erroneous pointer passed onto a more trusted program might result in the illegal modification of data with a higher privilege level. This possibility is prevented by the enforcement of effective privilege level protection rules and correct usage of the RPL value.

The RPL (requested privilege level) is used for pointer validation. It is the least significant two bits in the selector value loaded into any segment register. RPL is intended to indicate the privilege level of the originator of that selector.
A selector may be passed down through several procedures at different levels. The RPL reflects the privilege level of the original supplier of the selector, not the privilege level of the intermediate supplier. The RPL must be numerically less than or equal to the DPL of the descriptor selected, thereby indicating greater or equal privilege of the supplier; otherwise, access is denied and a general protection violation occurs.

Pointer validity testing is required in any system concerned with preventing program errors from destroying system integrity. The 80286 provides hardware support for pointer validity testing. The RPL field indicates the privilege level of the originator of the pointer to the hardware. Access will be denied if the originator of the pointer did not have access to the selected segment even if the CPL is numerically less than or equal to the DPL. RPL can reduce the effective privilege of a task when using a particular selector. RPL never allows access to more privileged segments (CPL must always be numerically less than or equal to DPL).

A fourth term is sometimes used: the Effective Privilege Level (EPL). It is defined as the numeric maximum of the CPL and the RPL, meaning the one of lesser privilege. Access to a protected entity is granted only when the EPL is numerically less than or equal to the DPL of that entity. This is simply another way of saying that both CPL and RPL must be numerically less than or equal to DPL for access to be granted.

7.4.4 Pointer Privilege Stamping via ARPL

The ARPL instruction is provided in the 80286 to fill the RPL field of a selector with the minimum privilege (maximum numeric value) of the selector's current RPL and the caller's CPL (given in an instruction-specified register).
A straight insertion of the caller's CPL would stamp the pointer with the privilege level of the caller, but not necessarily the ultimate originator of the selector (e.g., Level 3 supplies a selector to a level 2 routine that calls a level 0 routine with the same selector).

Figure 7-9 shows a program with an example of such a situation. The program at privilege level 3 calls a routine at level 2 via a gate. The routine at level 2 uses the ARPL instruction to assure that the selector's RPL is 3. When the level 2 routine calls a routine at level 0 and passes the selector, the ARPL instruction at level 0 leaves the RPL field unchanged.

    Level 3:
              PUSH   SELECTOR            ; RPL value doesn't matter at level 3
              CALL   Level_2

    Level 2:
              ENTER  4, 0
              MOV    AX, [BP]+4          ; Get CS of return address, RPL=3
              ARPL   [BP]+6, AX          ; Put 3 in RPL field
              PUSH   WORD PTR [BP]+6     ; Pass selector
              CALL   Level_0

    Level 0:
              ENTER  6, 0
              MOV    AX, [BP]+4          ; Get CS of return address, RPL=2
              ARPL   [BP]+6, AX          ; Leaves RPL unchanged

Figure 7-9. Pointer Privilege Stamping

Stamping a pointer with the originator's privilege eliminates the complex and time-consuming software typically associated with pointer validation in less comprehensive architectures. The 80286 hardware performs the pointer test automatically while loading the selector.

Privilege errors are trapped at the time the selector is loaded because pointers are commonly passed to other routines, and it may not be possible to identify a pointer's originator. To verify the access capabilities of a pointer, it should be tested when the pointer is first received from an untrusted source. The VERR (Verify Read), VERW (Verify Write), and LAR (Load Access Rights) instructions are provided for this purpose.

Although pointer validation is fully supported in the 80286, its use is an option of the system designer.
To accommodate systems that do not require it, RPL can be ignored by setting selector RPLs to zero (except stack segment selectors) and not adjusting them with the ARPL instruction.

7.5 CONTROL TRANSFERS

Three kinds of control transfers can occur within a task:

1. Within a segment, causing no change of privilege level (a short jump, call, or return).
2. Between segments at the same privilege level (a long jump, call, or return).
3. Between segments at different privilege levels (a long call, or return). (NOTE: A JUMP to a different privilege level is not allowed.)

The first two types of control transfers need no special controls (with respect to privilege protection) beyond those discussed in section 7.4.

Inter-level transfers require special consideration to maintain system integrity. The protection hardware must check that:

- The task is currently allowed to access the destination address.
- The correct entry address is used.

To achieve control transfers, a special descriptor type called a gate is provided to mediate the change in privilege level. Control transfer instructions call the gate rather than transfer directly to a code segment. From the viewpoint of the program, a control transfer to a gate is the same as to another code segment.

Gates allow programs to use other programs at more privileged levels in the same manner as a program at the same privilege level. Programmers need never distinguish between programs or subroutines that are more privileged than the current program and those that are not. The system designer may, however, elect to use gates only for control transfers that cross privilege levels.

7.5.1 Gates

A gate is a four-word control descriptor used to redirect a control transfer to a different code segment in the same or more privileged level or to a different task. There are four types of gates: call, trap, interrupt, and task gates.
The access rights byte distinguishes a gate from a segment descriptor, and determines which type of gate is involved. Figure 7-10 shows the format of a gate descriptor.

A key feature of a gate is the re-direction it provides. All four gate types define a new address which transfers control when invoked. This destination address normally cannot be accessed by a program. Loading the selector to a call gate into SS, DS, or ES will cause a general protection fault with an error code identifying the invalid selector.

Only the selector portion of an address is used to invoke a gate. The offset is ignored. All that a program need know about the desired function is the selector required to invoke the gate. The 80286 will automatically start the execution at the correct address stored within the gate.

A further advantage of a gate is that it provides a fixed address for any program to invoke another program. The calling program's address remains unaltered even if the entry address of the destination program changes. Thus, gates provide a fixed set of entry points that allow a task to access Operating System functions such as simple subroutines, yet the task is prohibited from simply jumping into the middle of the Operating System.

Call gates, as described in the next section, are used for control transfers within a task which must either be transparently redirected or which require an increase in privilege level. A call gate normally specifies a subroutine at a greater privilege level, and the called routine returns via a return instruction. Call gates also support delayed binding (resolution of target routine addresses at run-time rather than program-generation-time).

Trap and interrupt gates handle interrupt operations that are to be serviced within the current task. Interrupt gates cause interrupts to be disabled; trap gates do not. Trap and interrupt gates both require a return via the interrupt return instruction.
Task gates are used to control transfers between tasks and to make use of task state segments for task control and status information. Tasks are discussed in Chapter 8, interrupts in Chapter 9.

In the 80286 protection model, each privilege level has its own stack. Therefore, a control transfer (call or return) that changes the privilege level causes a new stack to be invoked.

Figure 7-10. Gate Descriptor Format

Gate Descriptor Fields

Name                   Value             Description
TYPE                   4                 Call Gate.
                       5                 Task Gate.
                       6                 Interrupt Gate.
                       7                 Trap Gate.
P                      0                 Descriptor Contents are not valid.
                       1                 Descriptor Contents are valid.
DPL                    0-3               Descriptor Privilege Level.
WORD COUNT             0-31              Number of words to copy from caller's stack to called procedure's stack. Only used with call gate.
DESTINATION SELECTOR   16-bit selector   Selector to the target code segment (Call, Interrupt or Trap Gate). Selector to the target task state segment (Task Gate).
DESTINATION OFFSET     16-bit offset     Entry point within the target code segment.

* INTEL RESERVED: must be set to 0 for compatibility with 80386 (X is don't care).

7.5.1.1 CALL GATES

Call gate descriptors are used by call and jump instructions in the same manner as a code segment descriptor. The hardware automatically recognizes that the destination selector refers to a gate descriptor. Then, the operation of the instruction is expanded as determined by the contents of the call gate. A jump instruction can access a call gate only if the target code segment is at the same privilege level. A call instruction uses a call gate for the same or more privileged access.

A call gate descriptor may reside in either the GDT or the LDT, but not in the IDT. Figure 7-10 gives the complete layout of a call gate descriptor.

A call gate can be referred to by either the long JMP or CALL instructions.
From the viewpoint of the program executing a JMP or CALL instruction, the fact that the destination was reached via a call gate and not directly from the destination address of the instruction is not apparent.

The following is a description of the protection checks performed while transferring control (with the CALL instruction) through a call gate:

- Verifying that access to the call gate is allowed. One of the protection features provided by call gates is the access checks made to determine if the call gate may be used (i.e., checking if the privilege level of the calling program is adequate).
- Determining the destination address and whether a privilege transition is required. This feature makes privilege transitions transparent to the caller.
- Performing the privilege transition, if required.

Verifying access to a call gate is the same for any call gate and is independent of whether a JMP or CALL instruction was used. The rules of privilege used to determine whether a data segment may be accessed are employed to check if a call gate may be jumped-to or called. Thus, privileged subroutines can be hidden from untrusted programs by the absence of a call gate.

When an inter-segment CALL or JMP instruction selects a call gate, the gate's privilege and presence will be checked. The gate's DPL (in the access byte) is checked against the EPL (MAX (task CPL, selector RPL)). If EPL > CPL, the program is less privileged than the gate and therefore it may not make a transition. In this case, a general protection fault occurs with an error code identifying the gate. Otherwise, the gate is accessible from the program executing the call, and the control transfer is allowed to continue. After the privilege checks, the descriptor presence is checked. If the present bit of the gate access rights byte is 0 (i.e., the target code segment is not present), a not-present fault occurs with an error code identifying the gate.
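The pointer stamping of figure 7-9 and the EPL rule of section 7.4.3, which section 7.5.1.1 applies to call gates as well, can be traced in a small C model. This is an added illustration, not code from the manual: the function names and the selector values are constructed, and the gate check uses the section 7.4.3 rule that access requires the EPL to be numerically less than or equal to the DPL.

```c
#include <stdint.h>
#include <stdio.h>

#define SEL_RPL(sel) ((unsigned)(sel) & 3u)   /* bits 1-0 of a selector */

enum gate_result { GATE_OK, GATE_GP, GATE_NP };

/* ARPL as described in 7.4.4: the selector keeps the numerically larger
 * (less privileged) of its own RPL and the RPL of the caller's CS. */
static uint16_t arpl(uint16_t sel, uint16_t caller_cs)
{
    if (SEL_RPL(sel) < SEL_RPL(caller_cs))
        sel = (uint16_t)((sel & ~3u) | SEL_RPL(caller_cs));
    return sel;
}

/* Effective Privilege Level: numeric maximum of CPL and RPL. */
static unsigned epl(unsigned cpl, uint16_t sel)
{
    return cpl > SEL_RPL(sel) ? cpl : SEL_RPL(sel);
}

/* Data access rule of 7.4.3: granted only when EPL <= DPL. */
static int access_allowed(unsigned cpl, uint16_t sel, unsigned dpl)
{
    return epl(cpl, sel) <= dpl;
}

/* Figure 7-9: level 3 hands a selector to level 2, which hands it on to
 * level 0. Each callee stamps it with the RPL of its own return CS. */
static uint16_t stamp_chain(uint16_t sel_from_level3)
{
    const uint16_t ret_cs_at_level2 = 0x001B;  /* constructed: caller was level 3 */
    const uint16_t ret_cs_at_level0 = 0x0012;  /* constructed: caller was level 2 */
    uint16_t sel = arpl(sel_from_level3, ret_cs_at_level2);  /* RPL becomes 3 */

    return arpl(sel, ret_cs_at_level0);                      /* RPL stays 3 */
}

/* Call gate access (7.5.1.1): privilege first, then presence. */
static enum gate_result gate_check(unsigned cpl, uint16_t gate_sel,
                                   unsigned gate_dpl, int present)
{
    if (epl(cpl, gate_sel) > gate_dpl)
        return GATE_GP;                 /* caller may not use this gate */
    if (!present)
        return GATE_NP;
    return GATE_OK;
}

int main(void)
{
    uint16_t raw = 0x0028;              /* constructed selector, RPL 0 */
    uint16_t stamped = stamp_chain(raw);

    /* A level 0 routine dereferencing a level 3 caller's pointer to a
     * DPL 0 segment: allowed if the RPL is trusted as passed, denied
     * once the pointer carries its originator's level. */
    printf("unstamped %04XH at CPL 0, DPL 0: %d\n",
           (unsigned)raw, access_allowed(0, raw, 0));
    printf("stamped   %04XH at CPL 0, DPL 0: %d\n",
           (unsigned)stamped, access_allowed(0, stamped, 0));
    printf("gate DPL 0 called from CPL 3, result code: %d\n",
           (int)gate_check(3, 0x0040, 0, 1));
    return 0;
}
```
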
The checks indicated in table 7-3 are applied to the contents of the call gate. Violating any of them causes the exception shown. The low order two bits of the error code are zero for these exceptions.

Table 7-3. Call Gate Checks

Type of Check                               Fault(1)   Error Code
Selector is not Null                        GP         0
Selector is within Descriptor Table Limit   GP         Selector id
Descriptor is a Code Segment                GP         Code Segment id
Code Segment is Present                     NP         Code Segment id
Nonconforming Code Segment DPL > CPL        GP         Code Segment id

NOTES: (1) GP = General Protection, NP = Not-Present Exception.

7.5.1.2 INTRA-LEVEL TRANSFERS VIA CALL GATE

The transfer is Intra-level if the destination code segment is at the same privilege level as CPL. Either the code segment is non-conforming with DPL = CPL, or it is conforming, with DPL ≤ CPL (see section 11.2 for this case). The 32-bit destination address in the gate is loaded into CS:IP.

The offset portion of the JMP or CALL destination address which refers to a call gate is always ignored.

If the IP value is not within the limit of the code segment, a general protection fault occurs with an error code of 0. If a CALL instruction is used, the return address is saved in the normal manner. The only effect of the call gate is to place a different address into CS:IP than that specified in the destination address of the JMP or CALL instruction. This feature is useful for systems which require that a fixed address be provided to programs, even though the entry address for the routine may change due to different functions, software changes, or segment relocation.

7.5.1.3 INTER-LEVEL CONTROL TRANSFER VIA CALL GATES

If the destination code segment of the call gate is at a different privilege level than the CPL, an inter-level transfer is being requested. However, if the destination code segment DPL > CPL, then a general protection fault occurs with an error code identifying the destination code segment.
The gate guarantees that all transitions to a more privileged level will go to a valid entry point rather than possibly into the middle of a procedure (or worse, into the middle of an instruction). See figure 7-11. Calls to more privileged levels may be performed only through call gates. A JMP instruction can never cause a privilege change. Any attempt to use a call gate in this manner will cause a general protection fault with an error code identifying the gate. Returns to more privileged levels are also prohibited. Inter-level transitions due to interrupts use a different gate, as discussed in Chapter 9.

The RPL field of the CS selector saved as part of the return address will always identify the caller's CPL. This information is necessary to correctly return to the caller's privilege level during the return instruction. Since the CALL instruction places the CS value on the more privileged stack, and JMP instructions cannot change privilege levels, it is not possible for a program to maliciously place an invalid return address on the caller's stack.

[Figure 7-11. Call Gate]

7.5.1.4 STACK CHANGES CAUSED BY CALL GATES

To maintain system integrity, each privilege level has a separate stack. Furthermore, each task normally uses separate stacks from other tasks for each privilege level. These stacks assure sufficient stack space to process calls from less privileged levels. Without them, trusted programs may not work correctly, especially if the calling program does not provide sufficient space on the caller's stack.

When a call gate is used to change privilege levels, a new stack is selected as determined by the new CPL. The new stack pointer value is loaded from the Task State Segment (TSS).
The privilege level of the new stack data segment must equal the new CPL; if it does not, a task stack fault occurs with the saved machine state pointing at the CALL instruction and the error code identifying the invalid stack selector.

The new stack should contain enough space to hold the old SS:SP, the return address, and all parameters and local variables required to process the call. The initial stack pointers for privilege levels 0-2 in the TSS are strictly read only values. They are never changed during the course of execution.

The normal technique for passing parameters to a subroutine is to place them onto the stack. To make privilege transitions transparent to the called program, a call gate specifies that parameters are to be copied from the old stack to the new stack. The word count field in a call gate (see figure 7-10) specifies how many words (up to 31) are to be copied from the caller's stack to the new stack. If the word count is zero, no parameters are copied.

Before copying the parameters, the new stack is checked to assure that it is large enough to hold the parameters; if it is not, a stack fault occurs with an error code of 0. After the parameters are copied, the return link is on the new stack (i.e., a pointer to the old stack is placed in the new stack). In particular, the return address is pointed at by SS:SP. The call and return example of figure 7-12 illustrates the stack contents after a successful inter-level call.

The stack pointer of the caller is saved above the caller's return address as the first two words pushed onto the new stack. The caller's stack can only be saved for calls to procedures at privilege levels 2, 1, and 0. Since level 3 cannot be called by any procedure at any other privilege level, the level 3 stack will never contain links to other stacks.
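The stack that an inter-level call builds, and the way the matching return unlinks it, can be stepped through in C. This is an added model, not part of the manual: the struct stack type, the 32-word segment size, and the sample selectors and parameter values are assumptions, the space check covers the whole frame rather than only the parameters, and the privilege checks made on the return are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 32   /* model size; a real stack segment can be up to 64K */

enum { CALL_OK, CALL_STACK_FAULT, CALL_BAD_INPUT };

struct stack {
    uint16_t ss;                 /* selector of the stack segment */
    uint16_t sp;                 /* byte offset of the top of stack */
    uint16_t mem[STACK_WORDS];   /* word at byte offset o is mem[o / 2] */
};

static void push(struct stack *s, uint16_t w)
{
    s->sp = (uint16_t)(s->sp - 2);
    s->mem[s->sp / 2] = w;
}

/* CALL through a call gate to a more privileged level. `inner` arrives
 * holding the SS:SP that the TSS gives for the new CPL. */
static int inter_level_call(const struct stack *outer, struct stack *inner,
                            unsigned word_count, uint16_t ret_cs, uint16_t ret_ip)
{
    unsigned i;
    unsigned need = (4 + word_count) * 2;      /* old SS:SP, params, CS:IP */

    if (word_count > 31 || outer->sp / 2 + word_count > STACK_WORDS)
        return CALL_BAD_INPUT;
    if (inner->sp < need || inner->sp > STACK_WORDS * 2)
        return CALL_STACK_FAULT;               /* decided before any copy */
    push(inner, outer->ss);                    /* return link: old SS ... */
    push(inner, outer->sp);                    /* ... and old SP */
    for (i = word_count; i-- > 0; )            /* highest parameter first */
        push(inner, outer->mem[outer->sp / 2 + i]);
    push(inner, ret_cs);                       /* its RPL is the caller's CPL */
    push(inner, ret_ip);                       /* new SS:SP points here */
    return CALL_OK;
}

/* Inter-level RET n: the saved SS:SP lies above CS:IP and n parameter bytes. */
static int inter_level_return(struct stack *inner, struct stack *outer, unsigned n)
{
    unsigned sp = inner->sp;

    if (n % 2 != 0 || n > 62)
        return CALL_BAD_INPUT;                 /* model handles whole words */
    if (sp + n + 8 > STACK_WORDS * 2)          /* old SS ends at SP + N + 7 */
        return CALL_STACK_FAULT;
    outer->ss = inner->mem[(sp + n + 6) / 2];
    outer->sp = (uint16_t)(inner->mem[(sp + n + 4) / 2] + n);
    inner->sp = (uint16_t)(sp + n + 8);        /* inner stack is empty again */
    return CALL_OK;
}

/* Constructed sample: a level 3 caller with three parameters on its stack. */
static struct stack sample_outer, sample_inner;

static int run_sample_call(unsigned word_count, uint16_t inner_sp)
{
    sample_outer.ss = 0x0023;                  /* constructed selector, RPL 3 */
    sample_outer.sp = 0x30;
    sample_outer.mem[0x30 / 2] = 0x1111;       /* PARM 1 */
    sample_outer.mem[0x32 / 2] = 0x2222;       /* PARM 2 */
    sample_outer.mem[0x34 / 2] = 0x3333;       /* PARM 3 */
    sample_inner.ss = 0x0010;                  /* constructed selector, RPL 0 */
    sample_inner.sp = inner_sp;                /* initial SP from the TSS */
    return inter_level_call(&sample_outer, &sample_inner, word_count,
                            0x001B, 0x0100);   /* constructed return CS:IP */
}

int main(void)
{
    unsigned off;

    if (run_sample_call(3, 0x40) != CALL_OK)
        return 1;
    for (off = 0x3E; off >= sample_inner.sp; off -= 2)
        printf("inner %02XH: %04XH\n", off, (unsigned)sample_inner.mem[off / 2]);
    inter_level_return(&sample_inner, &sample_outer, 6);
    printf("outer SS:SP after RET 6 = %04XH:%04XH\n",
           (unsigned)sample_outer.ss, (unsigned)sample_outer.sp);
    return 0;
}
```
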
Procedures requiring more than the 31 words for parameters that may be called from another privilege level must use the saved SS:SP link to access all parameters beyond the last word copied.

The call gate does not check the values of the words copied onto the new stack. The called procedure should check each parameter for validity. Section 11.3 discusses how the ARPL, VERR, VERW, LSL, and LAR instructions can be used to check pointer values.

An inter-segment return instruction can also change levels, but only toward programs of equal or lesser privilege (when code segment DPL is numerically greater than or equal to the CPL). The RPL of the selector popped off the stack by the return instruction identifies the privilege level to resume execution of the calling program.

When the RET instruction encounters a saved CS value whose RPL > CPL, an inter-level return occurs. Checks shown in table 7-4 are made during such a return.

[Figure 7-12. Stack Contents after an Inter-Level Call: the old stack (at the "outer" privilege level) holds PARM 3, PARM 2, PARM 1 at OLD SS:SP; the new stack (at the "inner" privilege level), starting at the SS:SP from the TSS, holds OLD SS, OLD SP, PARM 3, PARM 2, PARM 1, OLD CS, OLD IP, with the new SS:SP pointing at OLD IP]

The old SS:SP value is then adjusted by the number of bytes indicated in the RET instruction and loaded into SS:SP. The new SP value is not checked for validity. If SP is invalid it is not recognized until the first stack operation. The SS:SP value of the returning program is not saved. (Note: this value normally is the same as that saved in the TSS.)

The last step in the return is checking the contents of the DS and ES descriptor registers. If DS or ES refer to segments whose DPL is greater than the new CPL (excluding conforming code segments), the segment registers are loaded with the null selector.
Any subsequent memory reference that attempts to use the segment register containing the null selector will cause a general protection fault. This prevents less privileged code from accessing more privileged data previously accessed by the more privileged program.

Table 7-4. Inter-Level Return Checks

Type of Check                                              Exception*   Error Code
SP is not within Segment Limit                             SF           0
SP + N + 7 is not in Segment Limit                         SF           0
RPL of Return CS is Greater than CPL                       GP           Return CS id
Return CS Selector is not null                             GP           Return CS id
Return CS segment is within Descriptor Table Limit         GP           Return CS id
Return CS Descriptor is a Code Segment                     GP           Return CS id
Return CS Segment is Present                               NP           Return CS id
DPL of Return Non-Conforming Code Segment = RPL of CS      GP           Return CS id
SS Selector at SP + N + 6 is not Null                      SF           Return SS id
SS Selector at SP + N + 6 is within Descriptor Table Limit SF           Return SS id
SS Descriptor is Writable Data Segment                     SF           Return SS id
SS Segment is Present                                      SF           Return SS id
SS Segment DPL = RPL of CS                                 SF           Return SS id

* SF = Stack Fault, GP = General Protection Exception, NP = Not-Present Exception

CHAPTER 8
TASKS AND STATE TRANSITIONS

8.1 INTRODUCTION

An 80286 task is a single, sequential thread of execution. Each task can be isolated from all other tasks. There may be many tasks associated with an 80286 CPU, but only one task executes at any time. Switching the CPU from executing one task to executing another can occur as the result of either an interrupt or an inter-task CALL, JMP or IRET. A hardware-recognized data structure defines each task.

The 80286 provides a high performance task switch operation with complete isolation between tasks. A full task-switch operation takes only 22 microseconds at 8 MHz (18 microseconds at 10 MHz). High-performance, interrupt-driven, multi-application systems that need the benefits of protection are feasible with the 80286.
A performance advantage and system design advantage arise from the 80286 task switch:

- Faster task switch: A task switch is a single instruction performed by microcode. Such a scheme is 2-3 times faster than an explicit task switch instruction. A fast task switch translates to a significant performance boost for heavily multi-tasked systems over conventional methods.
- More reliable, flexible systems: The isolation between tasks and the high speed task switch allows interrupts to be handled by separate tasks rather than within the currently interrupted task. This isolation of interrupt handling code from normal programs prevents undesirable interactions between them. The interrupt system can become more flexible since adding an interrupt handler is as safe and easy as adding a new task.

Every task is protected from all others via the separation of address spaces described in Chapter 7, including allocation of unique stacks to each active privilege level in each task (unless explicit sharing is planned in advance). If the address spaces of two tasks include no shared data, one task cannot affect the data of another task. Code sharing is always safe since code segments may never be written into.

8.2 TASK STATE SEGMENTS AND DESCRIPTORS

Tasks are defined by a special control segment called a Task State Segment (TSS). For each task, there must be a unique TSS. The definition of a task includes its address space and execution state. A task is invoked (made active) by inter-segment jump or call instructions whose destination address refers to a task state segment or a task gate.

The Task State Segment (TSS) has a special descriptor. The Task Register within the CPU contains a selector to that descriptor. Each TSS selector value is unique, providing an unambiguous "identifier" for each task. Thus, an operating system can use the value of the TSS selector to uniquely identify the task.
A TSS contains 22 words that define the contents of all registers and flags, the initial stacks for privilege levels 0-2, the LDT selector, and a link to the TSS of the previously executing task. Figure 8-1 shows the layout of the TSS. The TSS cannot be written into like an ordinary data segment.

[Figure 8-1. Task State Segment and TSS Registers. The figure shows the CPU task register (selector plus program-invisible base and limit) referencing the TSS descriptor, and the layout of the task state segment. Fields by byte offset, highest first: task LDT selector (42); DS selector (40); SS selector (38); CS selector (36); ES selector (34); DI (32); SI (30); BP (28); SP (26); BX (24); DX (22); CX (20); AX (18); flag word (16); IP (entry point) (14); SS for CPL 2 (12); SP for CPL 2 (10); SS for CPL 1; SP for CPL 1; SS for CPL 0; SP for CPL 0; back link selector to TSS (0). Figure notes: (1) never altered (static) after initialization by the O.S.; the values as initialized for this task are always valid SS:SP values to use upon entry to that privilege level (0, 1, or 2) from a level of lesser privilege; (2) changed during task switch. Descriptor type: an available task state segment may be used as the destination of a task switch operation; a busy task state segment cannot be used as the destination of a task switch. P = 1: base and limit fields are valid; P = 0: segment is not present in memory, base and limit are not defined.]

Each TSS consists of two parts, a static portion and a dynamic portion. The static entries are never changed by the 80286, while the dynamic entries are changed by each task switch out of this task. The static portions of this segment are the task LDT selector and the initial SS:SP stack pointer addresses for levels 0-2.
The modifiable or dynamic portion of the task state segment consists of all dynamically-variable and programmer-visible processor registers, including flags, segment registers, and the instruction pointer. It also includes the linkage word used to chain nested invocations of different tasks.

The link word provides a history of which tasks invoked others. The link word is important for restarting an interrupted task when the interrupt has been serviced. Placing the back link in the TSS protects the identity of the interrupted task from changes by the interrupt task, since the TSS is not writable by the interrupt task. (In most systems only the operating system has sufficient privilege to create or use a writable data segment "alias" descriptor for the TSS.)

The stack pointer entries in the TSS for privilege levels 0-2 are static (i.e., never written during a privilege or task switch). They define the stack to use upon entry to that privilege level. These stack entries are initialized by the operating system when the task is created. If a privilege level is never used, no stack need be allocated for it.

When entering a more privileged level, the caller's stack pointer is saved on the stack of the new privilege level, not in the TSS. Leaving the privilege level requires popping the caller's return address and stack pointer off the current stack. The stack pointer at that time will be the same as the initial value loaded from the TSS upon entry to the privilege level.

There is only one stack active at any time, the one defined by the SS and SP registers. The only other stacks that may be non-empty are those at outer (less privileged) levels that called the current level. Stacks for inner levels must be empty, since outward (to numerically larger privilege levels) calls from inner levels are not allowed.

The location of the stack pointer for an outer privilege level will always be found at the start of the stack of the inner privilege level called by that level.
That stack may be the initial stack for this privilege level or an outer level. Look at the start of the stack for this privilege level. The TSS contains the starting stack address for levels 0-2. If the RPL of the saved SS selector is the privilege level required, then the stack pointer has been found. Otherwise, go to the beginning of the stack defined by that value and look at the saved SS:SP value there.

8.2.1 Task State Segment Descriptors

A special descriptor is used for task state segments. This descriptor must be accessible at all times; therefore, it can appear only in the GDT. The access byte distinguishes TSS descriptors from data or code segment descriptors. When bits 0 through 4 of the access byte are 00001 or 00011, the descriptor is for a TSS.

The complete layout of a task state segment descriptor is shown in figure 8-2.

Like a data segment, the descriptor contains a base address and limit field. The limit must be at least 002BH (43) to contain the minimum amount of information required for a TSS. An invalid task exception will occur if an attempt is made to switch to a task whose TSS descriptor limit is less than 43. The error code will identify the bad TSS.

[Figure 8-2. TSS Descriptor. Bytes 0-1: TSS limit; bytes 2-3: TSS base 15-0; byte 4: TSS base 23-16; byte 5: access byte (P, DPL, 0, 0, 0, B, 1); bytes 6-7: Intel reserved (must be set to 0 for compatibility with the 80386). B = 1 means task is busy and not available.]

The P-bit (Present) flag indicates whether this descriptor contains currently valid information: 1 means yes, 0 no. A task switch that attempts to reference a not-present TSS causes a not-present exception code identifying the task state segment selector.

The descriptor privilege level (DPL) controls use of the TSS by JMP or CALL instructions. By the same reasoning as that for call gates, DPL can prevent a program from calling the TSS and thereby cause a task switch.
Section 8.3 discusses privilege considerations during a task switch in greater detail.

Bit 4 is always 0 since TSS is a control segment descriptor. Control segments cannot be accessed by SS, DS, or ES. Any attempt to load those segment registers with a selector that refers to a control segment causes a general protection trap. This rule prevents the program from improperly changing the contents of a control segment.

TSS descriptors can have two states: idle and busy. Bit 1 of the access byte distinguishes them. The distinction is necessary since tasks are not re-entrant; a busy TSS may not be invoked.

8.3 TASK SWITCHING

A task switch may occur in one of four ways:

1. The destination selector of a long JMP or CALL instruction refers to a TSS descriptor. The offset portion of the destination address is ignored.
2. An IRET instruction is executed when the NT bit in the flag word = 1. The new task TSS selector is in the back link field of the current TSS.
3. The destination selector of a long JMP or CALL instruction refers to a task gate. The offset portion of the destination address is ignored. The new task TSS selector is in the gate. (See section 8.5 for more information on task gates.)
4. An interrupt occurs. This interrupt's vector refers to a task gate in the interrupt descriptor table. The new task TSS selector is in the gate. See section 9.4 for more information on interrupt tasks.

No new instructions are required for a task switch operation. The standard 8086 JMP, CALL, IRET, or interrupt operations perform this function. The distinction between the standard instruction and a task switch is made either by the type of descriptor referenced (for CALL, JMP, or INT) or by the NT bit (for IRET) in the flag word.

Using the CALL or INT instruction to switch tasks implies a return is expected from the called task. The JMP and IRET instructions imply no return is expected from the new task.
When NT = 1, the IRET instruction causes a return to the task that called the current one via CALL or INT instruction.

Access to TSS and task gate descriptors is restricted by the rules of privilege level. The data access rules are used, thereby allowing task switches to be restricted to programs of sufficient privilege. Address space separation does not apply to TSS descriptors since they must be in the GDT. The access rules for interrupts are discussed in section 9.4.

The task switch operation consists of the following eight steps:

1. Validate the requested task switch. For a task switch requested via a JMP, CALL, or an INT instruction, check that the current task is allowed to switch to the requested task. The DPL of the gate or the TSS descriptor for the requested task must be greater than or equal to both the CPL and the RPL of the requesting task. If it is not, the General Protection fault (#13) will occur with an error code identifying the descriptor (i.e., the gate selector if the task switch is requested via a task gate, or the selector for the TSS if the task switch is requested via a TSS descriptor). These checks are not performed if a task switch occurs due to an IRET instruction.
2. Check that the new TSS is present and that the new task is available (i.e., not Busy). A Not Present exception (#11) is signaled if the new TSS descriptor is marked 'Not Present' (P = 0). The General Protection exception (#13) is raised if the new TSS is marked 'Busy'. The task switch operation actually begins now and a detailed verification of the new TSS is carried out. Conditions which may disqualify the new TSS are listed in table 8-1 along with the exception raised and the error code pushed on the stack for each case. These tests are performed at different points during the course of the following remaining steps of the task switch operation.
3. Mark the new task to be BUSY by setting the 'BUSY' bit in the new TSS descriptor to 1.
4. Save the dynamic portion of the old TSS and load TR with the selector, base and limit for the new TSS. Set all CPU registers to corresponding values from the new TSS except DS, ES, CS, SS, and LDT.
5. If nesting tasks, set the Nested Task (NT) flag in the new TSS to 1. Also set the Task Switched flag (TS) of the CPU flag register to 1.
6. Validate the LDT selector and the LDT descriptor of the new TSS. Load the LDT cache (LDTR) with the LDT descriptor.
7. Validate the SS, CS, DS, and ES fields of the new TSS and load these values in their respective caches (i.e., SS, CS, DS, and ES registers).
8. Validate the IP field of the new TSS and then start executing the new task from CS:IP.

A more detailed explanation of steps 3-5 is given in Appendix B (80286 Instruction Set) under a pseudo procedure 'SWITCH_TASKS'. Notice how the exceptions described in table 8-1 may actually occur during a task switch. Similarly the exceptions that may occur during steps 1-2, and step 8 are explained in greater detail in the pseudo code description of the 286 instructions CALL, JMP, INT, and IRET in Appendix B. This information can be very helpful when debugging any protected mode code.

Note that the state of the outgoing task is always saved. If execution of that task is resumed, it will start after the instruction that caused the task switch. The values of the registers will be the same as that when the task stopped running.

Any task switch sets the Task Switched (TS) bit in the Machine Status Word (MSW). This flag is used when processor extensions such as the 80287 Numeric Processor Extension are present. The TS bit signals that the context of the processor extension may not belong to the current 80286 task. Chapter 11 discusses the TS bit and processor extensions in more detail.
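The following C model is an added example, not code from the manual: it decodes the 8-byte TSS descriptor of section 8.2.1 and applies steps 1-3 above, plus the minimum-limit rule, to a JMP or CALL that names a TSS descriptor directly. The function names, the NOT_A_TSS sentinel and the sample GDT contents are constructed for illustration; vector 10 for the invalid task exception is the 80286 assignment and is not stated in this section.

```c
#include <stdint.h>
#include <stdio.h>

/* Vectors 11 and 13 are given in the text; 10 is the 80286 Invalid TSS vector. */
enum { SWITCH_OK = 0, EXC_INVALID_TSS = 10, EXC_NOT_PRESENT = 11, EXC_GP = 13,
       NOT_A_TSS = -1 /* model-only: selector names some other descriptor */ };

struct fault { int vector; uint16_t error_code; };
struct desc  { uint16_t limit; uint32_t base; uint8_t present, dpl, type; };

#define TYPE_TSS_IDLE 0x01u  /* access byte bits 0-4 = 00001 */
#define TYPE_TSS_BUSY 0x03u  /* access byte bits 0-4 = 00011 */
#define BUSY_BIT      0x02u  /* bit 1 of the access byte */

/* Unpack the 8-byte descriptor: limit, 24-bit base, access byte at +5. */
static struct desc decode_desc(const uint8_t raw[8])
{
    struct desc d;
    d.limit   = (uint16_t)(raw[0] | (raw[1] << 8));
    d.base    = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8) | ((uint32_t)raw[4] << 16);
    d.present = (raw[5] >> 7) & 1u;
    d.dpl     = (raw[5] >> 5) & 3u;
    d.type    = raw[5] & 0x1Fu;
    return d;
}

static struct fault make_fault(int vector, uint16_t code)
{
    struct fault f;
    f.vector = vector;
    f.error_code = code;
    return f;
}

/* Model of a JMP or CALL whose destination selector names a TSS descriptor.
 * gdt_limit is the last valid byte offset in the table. On success the
 * descriptor is marked busy in place (step 3). */
static struct fault request_task_switch(uint8_t *gdt, uint16_t gdt_limit,
                                        uint16_t sel, unsigned cpl)
{
    uint16_t code = sel & 0xFFFCu;   /* upper 14 bits of the selector, EXT = 0 */
    unsigned rpl = sel & 3u, off = sel & 0xFFF8u;
    struct desc d;

    /* TSS descriptors appear only in the GDT (TI = 0), inside its limit. */
    if ((sel & 4u) || off + 7u > gdt_limit)
        return make_fault(EXC_GP, code);
    d = decode_desc(gdt + off);
    if (d.type != TYPE_TSS_IDLE && d.type != TYPE_TSS_BUSY)
        return make_fault(NOT_A_TSS, code);

    /* Step 1: descriptor DPL must be >= both CPL and RPL. */
    if (d.dpl < cpl || d.dpl < rpl)
        return make_fault(EXC_GP, code);
    /* Step 2: present first, then available (not busy). */
    if (!d.present)
        return make_fault(EXC_NOT_PRESENT, code);
    if (d.type == TYPE_TSS_BUSY)
        return make_fault(EXC_GP, code);
    /* Section 8.2.1: a limit below 43 raises the invalid task exception. */
    if (d.limit < 43u)
        return make_fault(EXC_INVALID_TSS, code);
    /* Step 3: set the busy bit in the new TSS descriptor. */
    gdt[off + 5u] |= BUSY_BIT;
    return make_fault(SWITCH_OK, 0);
}

static void put_tss(uint8_t *slot, uint32_t base, uint16_t limit, uint8_t access)
{
    slot[0] = limit & 0xFF; slot[1] = limit >> 8;
    slot[2] = base & 0xFF;  slot[3] = (base >> 8) & 0xFF;
    slot[4] = (base >> 16) & 0xFF;
    slot[5] = access; slot[6] = 0; slot[7] = 0;   /* +6, +7 reserved: 0 */
}

/* Constructed sample GDT: five 8-byte slots, slot 0 left empty. */
static void build_sample_gdt(uint8_t gdt[40])
{
    int i;
    for (i = 0; i < 40; i++) gdt[i] = 0;
    put_tss(gdt + 0x08, 0x010000, 43, 0x81);  /* P=1 DPL=0 idle */
    put_tss(gdt + 0x10, 0x010100, 43, 0xE1);  /* P=1 DPL=3 idle */
    put_tss(gdt + 0x18, 0x010200, 43, 0x61);  /* P=0 DPL=3 idle */
    put_tss(gdt + 0x20, 0x010300, 41, 0xE1);  /* P=1 DPL=3, limit too small */
}

int main(void)
{
    static const uint16_t sels[] = { 0x0B, 0x13, 0x13, 0x18, 0x20 };
    uint8_t gdt[40];
    unsigned i;
    build_sample_gdt(gdt);
    for (i = 0; i < sizeof sels / sizeof sels[0]; i++) {
        struct fault f = request_task_switch(gdt, 39, sels[i], 3);
        printf("selector %04X -> vector %d, error code %04X\n",
               (unsigned)sels[i], f.vector, (unsigned)f.error_code);
    }
    return 0;
}
```

The second request for selector 0013H fails because the first one left the descriptor busy, which is the non-re-entrancy rule the busy bit enforces.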
Validity tests on a selector ensure that the selector is in the proper table (i.e., the LDT selector refers to GDT), lies within the bounds of the table, and refers to the proper type of descriptor (i.e., the LDT selector refers to the LDT descriptor).

Note that between steps 3 and 4 in table 8-1, all the registers of the new task are loaded. Several protection rule violations may exist in the new segment register contents. If an exception occurs in the context of the new task due to checks performed on the newly loaded descriptors, the DS and ES segments may not be accessible even though the segment registers contain non-zero values. These selector values must be saved for later reuse. When the exception handler reloads these segment registers, another protection exception may occur unless the exception handler pre-examines them and fixes any potential problems.

A task switch allows flexibility in the privilege level of the outgoing and incoming tasks. The privilege level at which execution resumes in the incoming task is not restricted by the privilege level of the outgoing task. This is reasonable, since both tasks are isolated from each other with separate address spaces and machine states. The privilege rules prevent improper access to a TSS. The only interaction between the tasks is to the extent that one started the other and the incoming task may restart the outgoing task by executing an IRET instruction.

Table 8-1. Checks Made during a Task Switch

No. | Test | Exception* | Error Code
1 | Incoming TSS descriptor is present | NP | Incoming TSS selector
2 | Incoming TSS is idle | GP | Incoming TSS selector
3 | Limit of incoming TSS greater than 43 | Invalid TSS | Incoming TSS selector
4 | LDT selector of incoming TSS is valid | Invalid TSS | LDT selector
5 | LDT of incoming TSS is present | Invalid TSS | LDT selector
6 | CS selector is valid | Invalid TSS | Code segment selector
7 | Code segment is present | NP | Code segment selector
8 | Code segment DPL matches CS RPL | Invalid TSS | Code segment selector
9 | Stack segment is valid | SF | Stack segment selector
10 | Stack segment is writable data segment | GP | Stack segment selector
11 | Stack segment is present | SF | Stack segment selector
12 | Stack segment DPL = CPL | SF | Stack segment selector
13 | DS/ES selectors are valid | GP | Segment selector
14 | DS/ES segments are readable | GP | Segment selector
15 | DS/ES segments are present | NP | Segment selector
16 | DS/ES segment DPL ≥ CPL if not conform | GP | Segment selector

*NP = Not-Present Exception, GP = General Protection Fault, SF = Stack Fault

8.4 TASK LINKING

The TSS has a field called "back link" which contains the selector of the TSS of a task that should be restarted when the current task completes. The back link field of an interrupt-initiated task is automatically written with the TSS selector of the interrupted task.

A task switch initiated by a CALL instruction also points the back link at the outgoing task's TSS. Such task nesting is indicated to programs via the Nested Task (NT) bit in the flag word of the incoming task.

Task nesting is necessary for interrupt functions to be processed as separate tasks. The interrupt function is thereby isolated from all other tasks in the system. To restart the interrupted task, the interrupt handler executes an IRET instruction much in the same manner as an 8086 interrupt handler. The IRET instruction will then cause a task switch to the interrupted task.

Completion of a task occurs when the IRET instruction is executed with the NT bit in the flag word set. The NT bit is automatically set/reset by task switch operations as appropriate. Executing an IRET instruction with NT cleared causes the normal 8086 interrupt return function to be performed, and no task switch occurs.

Executing IRET with NT set causes a task switch to the task defined
by the back link field of the current TSS. The selector value is fetched and verified as pointing to a valid, accessible TSS. The normal task switch operation described in section 8.3 then occurs. After the task switch is complete, the outgoing task is now idle and considered ready to process another interrupt.

Table 8-2 shows how the busy bit, NT bit, and link word of the incoming and outgoing task are affected by task switch operations caused by JMP, CALL, or IRET instructions.

Violation of any of the busy bit requirements shown in table 8-2 causes a general protection fault with the saved machine state appearing as if the instruction had not executed. The error code identifies the selector of the TSS with the busy bit.

A bus lock is applied during the testing and setting of the TSS descriptor busy bit to ensure that two processors do not invoke the same task at the same time. See also section 11.4 for other multi-processor considerations.

Table 8-2. Effect of a Task Switch on BUSY and NT Bits and the Link Word

Affected Field | JMP Instruction Effect | CALL/INT Instruction Effect | IRET Instruction Effect
Busy bit of incoming task TSS descriptor | Set, must be 0 before | Set, must be 0 before | Unchanged, must be set
Busy bit of outgoing task TSS descriptor | Cleared | Unchanged (will already be 1) | Cleared
NT bit in incoming task flag word | Cleared | Set | Unchanged
NT bit in outgoing task flag word | Unchanged | Unchanged | Cleared
Back link in incoming task TSS | Unchanged | Set to outgoing task TSS selector | Unchanged
Back link of outgoing task TSS | Unchanged | Unchanged | Unchanged

The linking order of tasks may need to be changed to restart an interrupted task before the task that interrupted it completes. To remove a task from the list, trusted operating system software must change the backlink field in the TSS of the interrupting task first, then clear the busy bit in the TSS descriptor of the task removed from the list.
When trusted software deletes the link from one task to another, it should place a value in the backlink field, which will pass control to that trusted software when the task attempts to resume execution of another task via IRET.

8.5 TASK GATES

A task may be invoked by several different events. Task gates are provided to support this need. Task gates are used in the same way as call and interrupt gates. The ultimate effect of jumping to or calling a task gate is the same as jumping to or calling directly to the TSS in the task gate.

Figure 8-3 depicts the layout of a task gate.

A task gate is identified by the access byte field in bits 0 through 4 being 00101. The gate provides an extra level of indirection between the destination address and the TSS selector value. The offset portion of the JMP or CALL destination address is ignored.

Gate use provides flexibility in controlling access to tasks. Task gates can appear in the GDT, IDT, or LDT. The TSS descriptors for all tasks must be kept in the GDT. They are normally placed at level 0 to prevent any task from improperly invoking another task. Task gates placed in the LDT allow private access to selected tasks with full privilege control.

The data segment access rules apply to accessing a task gate via JMP, CALL, or INT instructions. The effective privilege level (EPL) of the destination selector must be numerically less than or equal to the DPL of the task gate descriptor. Any violation of this requirement causes a general protection fault with an error code identifying the task gate involved.

[Figure 8-3. Task Gate Descriptor. Bytes 0-1: unused; bytes 2-3: TSS selector; byte 4: unused; byte 5: access byte (P, DPL, 0 0 1 0 1); bytes 6-7: Intel reserved (must be set to 0 for compatibility with the 80386).]

Once access to the task gate has been verified, the TSS selector from the gate is read. The RPL of the TSS selector is ignored.
From this point, all the checks and actions performed for a JMP or CALL to a TSS after access has been verified are performed (see section 8.4). Figure 8-4 illustrates an example of a task switch through a task gate.

[Figure 8-4. Task Switch Through a Task Gate. The figure shows task A and task B, each with its own LDT, LDT descriptor, and TSS descriptor in the GDT; a selector in task A references a task gate, which leads to the TSS of task B, whose back link refers to the TSS of task A.]

CHAPTER 9
INTERRUPTS AND EXCEPTIONS

Interrupts and exceptions are special cases of control transfer within a program. An interrupt occurs as a result of an event that is independent of the currently executing program, while exceptions are a direct result of the program currently being executed. Interrupts may be external or internal. External interrupts are generated by either the INTR or NMI input pins. Internal interrupts are caused by the INT instruction. Exceptions occur when an instruction cannot be completed normally. Although their causes differ, interrupts and exceptions use the same control transfer techniques and privilege rules; therefore, in the following discussions the term interrupt will also apply to exceptions.

The program used to service an interrupt may execute in the context of the task that caused the interrupt (i.e., used the same TSS, LDT, stacks, etc.) or may be a separate task. The choice depends on the function to be performed and the level of isolation required.

9.1 INTERRUPT DESCRIPTOR TABLE

Many different events may cause an interrupt. To allow the reason for an interrupt to be easily identified, each interrupt source is given a number called the interrupt vector. Up to 256 different interrupt vectors (numbers) are possible. See figure 9-1.

A table is used to define the handler for each interrupt vector. The Interrupt Descriptor Table (IDT) defines the interrupt handlers for up to 256 different interrupts.
The IDT is in physical memory, pointed to by the contents of the on-chip IDT register that contains a 24-bit base and a 16-bit limit. The IDTR is normally loaded with the LIDT instruction by code that executes at privilege level 0 during system initialization. The IDT may be located anywhere in the physical address space of the 80286.

[Figure 9-1. Interrupt Descriptor Table Definition. The figure shows the CPU's IDTR (IDT base and IDT limit) pointing to the interrupt descriptor table in memory, which holds the gates for interrupt #0 through interrupt #n. The IDT may contain interrupt gates, traps or task gates only.]

Each IDT entry is a 4-word gate descriptor that contains a pointer to the handler. The three types of gates permitted in the IDT are interrupt gates, trap gates (discussed in section 9.3), and task gates (discussed in section 9.5). Interrupt and trap gates process interrupts in the same task, while task gates cause a task switch. Any other descriptor type in the IDT will cause an exception if it is referenced by an interrupt.

The IDT need not contain all 256 entries. A 16-bit limit register allows less than the full number of entries. Unused entries may be signaled by placing a zero in the access rights byte. If an attempt is made to access an entry outside the table limit, or if the wrong descriptor type is found, a general protection fault occurs with an error code pushed on the stack identifying the invalid interrupt vector (see figure 9-2).

Exception error codes that refer to an IDT entry can be identified by bit 1 of the error code that will be set. Bit 0 of the error code is 1 if the interrupt was caused by an event external to the program (i.e., an external interrupt, a single step, a processor extension error, or a processor extension not present).

Interrupts 0-31 are reserved for use by Intel. Some of the interrupts are used for instruction exceptions.
The IDT limit must be at least 255 (32 × 8 - 1) to accommodate the minimum number of interrupts. The remaining 224 interrupts are available to the user.

9.2 HARDWARE INITIATED INTERRUPTS

Hardware-initiated interrupts are caused by some external event that activates either the INTR or NMI input pins of the processor. Events that use the INTR input are classified as maskable interrupts. Events that use the NMI input are classified as non-maskable interrupts.

All 224 user-defined interrupt sources share the INTR input, but each has the ability to use a separate interrupt handler. An 8-bit vector supplied by the interrupt controller identifies which interrupt is being signaled. To read the interrupt id, the processor performs the interrupt acknowledge bus sequence.

Maskable interrupts (from the INTR input) can be inhibited by software by setting the interrupt flag bit (IF) to 0 in the flag word. The IF bit does not inhibit exceptions or interrupts caused by the INT instruction. The IF bit also does not inhibit processor extension interrupts.

[Figure 9-2. IDT Selector Error Code. The error code holds the IDT vector, with bit 1 set to 1 and the EXT bit in bit 0. EXT = 1: an event external to the program (external interrupt, single step, processor extension error); EXT = 0: an exception occurred while processing an instruction at CS:IP saved on stack.]

The type of gate placed into the IDT for the interrupt vector will control whether other maskable interrupts remain enabled or not during the servicing of that interrupt. The flag word that was saved on the stack reflects the maskable interrupt enable status of the processor prior to the interrupt. The procedure servicing a maskable interrupt can also prevent further maskable interrupts during its work by resetting the IF flag.

Non-maskable interrupts are caused by the NMI input.
They have a higher priority than the maskable interrupts (meaning that in case of simultaneous requests, the non-maskable interrupt will be serviced first). A non-maskable interrupt has a fixed vector (#2) and therefore does not require an interrupt acknowledge sequence on the bus. A typical use of an NMI is to invoke a procedure to handle a power failure or some other critical hardware exception.

A procedure servicing an NMI will not be further interrupted by other non-maskable interrupt requests until an IRET instruction is executed. A further NMI request is remembered by the hardware and will be serviced after the first IRET instruction. Only one NMI request can be remembered. To prevent a maskable interrupt from interrupting the NMI interrupt handler, the IF flag should be cleared either by using an interrupt gate in the IDT or by setting IF = 0 in the flag word of the task involved.

9.3 SOFTWARE INITIATED INTERRUPTS

Software initiated interrupts occur explicitly as interrupt instructions or may arise as the result of an exceptional condition that prevents the continuation of program execution. Software interrupts are not maskable. Two interrupt instructions exist which explicitly cause an interrupt: INT n and INT 3. The first allows specification of any interrupt vector; the second implies interrupt vector 3 (Breakpoint).

Other instructions like INTO, BOUND, DIV, and IDIV may cause an interrupt, depending on the overflow flag or values of the operands. These instructions have predefined vectors associated with them in the first 32 interrupts reserved by Intel.

A whole class of interrupts called exceptions are intended to detect faults or programming errors (in the use of operands or privilege levels). Exceptions cannot be masked. They also have fixed vectors within the first 32 interrupts. Many of these exceptions pass an error code on the stack, which is not the case with the other interrupt types discussed in section 9.2.
Section 9.5 discusses these error codes as well as the priority among interrupts that can occur simultaneously.

9.4 INTERRUPT GATES AND TRAP GATES

Interrupt gates and trap gates are special types of descriptors that may only appear in the interrupt descriptor table. The difference between a trap and an interrupt gate is whether the interrupt enable flag is to be cleared or not. An interrupt gate specifies a procedure that enters with interrupts disabled (i.e., with the interrupt enable flag cleared); entry via a trap gate leaves the interrupt enable status unchanged. The NT flag is always cleared (after the old NT state is saved on the stack) when an interrupt uses these gates. Interrupts that have either gate in the associated IDT entry will be processed in the current task.

Interrupt and trap gates have the same structure as the call gates discussed in section 7.5.1. The selector and entry point for a code segment to handle the interrupt or exception is contained in the gate. See figure 9-3.

[Figure 9-3. Trap/Interrupt Gate Descriptors. Bytes 0-1: interrupt code offset; bytes 2-3: interrupt code segment selector; byte 4: unused; byte 5: access byte (P, DPL, 0 0 1 1 T); bytes 6-7: Intel reserved (must be set to 0 for compatibility with the 80386). T = 1 for trap gate; T = 0 for interrupt gate.]

The access byte contains the Present bit, the descriptor privilege level, and the type identifier. Bits 0-4 of the access byte have a value of 00110 for interrupt gates, 00111 for trap gates. Byte 5 of the descriptor is not used by either of these gates; it is used only by the call gate, which uses it as the parameter word-count.

Trap and interrupt gates allow a privilege level transition to occur when passing control to a non-conforming code segment. Like a call gate, the DPL of the target code segment selected determines the new CPL. The DPL of the new non-conforming code segment must be numerically less than or equal to CPL.
No privilege transition occurs if the new code segment is conforming. If the DPL of the conforming code segment is greater than the CPL, a general protection exception will occur.

As with all descriptors, these gates in the IDT carry a privilege level. The DPL controls access to interrupts with the INT n and INT 3 instructions. For access, the CPL of the program must be less than or equal to the gate DPL. If the CPL is not, a general protection exception will result with an error code identifying the selected IDT gate. For exceptions and external interrupts, the CPL of the program is ignored while accessing the IDT.

Interrupts using a trap or an interrupt gate are handled in the same manner as an 8086 interrupt. The flags and return address of the interrupted program are saved on the stack of the interrupt handler. To return to the interrupted program, the interrupt handler executes an IRET instruction.

If an increase in privilege is required for handling the interrupt, a new stack will be loaded from the TSS. The stack pointer of the old privilege level will also be saved on the new stack in the same manner as a call gate. Figure 9-4 shows the stack contents after an exception with an error code (with and without a privilege level change).

If an interrupt or trap gate is used to handle an exception that passes an error code, the error code will be pushed onto the new stack after the return address (as shown in figure 9-4). If a task gate is used, the error code is pushed onto the stack of the new task. The return address is saved in the old TSS.

[Figure 9-4. Stack Layout after an Exception with an Error Code. No privilege transition: starting at the old SP, the stack holds old flags, old CS, old IP, and the error code, with SP pointing at the error code. With privilege transition: starting at the SS:SP taken from the TSS, the stack holds old SS, old SP, old flags, old CS, old IP, and the error code, with SP pointing at the error code.]

If an interrupt gate is used to handle an interrupt, it is assumed that the selected code segment has sufficient privilege to re-enable interrupts. The IRET instruction will not re-enable interrupts if CPL is numerically greater than IOPL.

Table 9-1 shows the checks performed during an interrupt operation that uses an interrupt or trap gate. EXT equals 1 when an event external to the program is involved; 0 otherwise. External events are maskable or non-maskable interrupts, single step interrupt, processor extension segment overrun interrupt, numeric processor not-present exception or numeric processor error. The EXT bit signals that the interrupt or exception is not related to the instruction at CS:IP. Each error code has bit 1 set to indicate an IDT entry is involved.

When the interrupt has been serviced, the service routine returns control via an IRET instruction to the routine that was interrupted. If an error code was passed, the exception handler must remove the error code from the stack before executing IRET.

The NT flag is cleared when an interrupt occurs which uses an interrupt or trap gate. Executing IRET with NT=0 causes the normal interrupt return function. Executing IRET with NT=1 causes a task switch (see section 8.4 for more details).
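The C model below is an added example, not code from the manual: it applies the IDT-entry checks of this chapter in the order of Table 9-1 (entry inside the IDT limit, gate type, gate DPL for INT instructions only, P bit) and builds or decodes the error code IDT entry × 8 + 2 + EXT. The function names and the sample IDT contents are constructed for illustration, and the code segment and stack checks that follow a successful gate check are outside this model.

```c
#include <stdint.h>
#include <stdio.h>

enum { GATE_ACCEPTED = 0, EXC_NOT_PRESENT = 11, EXC_GP = 13 };
enum gate_kind { GATE_NONE, GATE_TASK, GATE_INTERRUPT, GATE_TRAP };
enum source { SRC_INT_INSTRUCTION, SRC_EXCEPTION, SRC_EXTERNAL };

struct outcome {
    int vector;            /* GATE_ACCEPTED, or the exception raised instead */
    uint16_t error_code;   /* meaningful when vector != GATE_ACCEPTED */
    enum gate_kind gate;
    int if_after;          /* IF on handler entry; -1 for a task gate */
};

struct error_fields { unsigned ext, idt, index; };

/* Bits 0-4 of the access byte select the gate type. */
static enum gate_kind classify_gate(uint8_t access)
{
    switch (access & 0x1Fu) {
    case 0x05: return GATE_TASK;       /* 00101 */
    case 0x06: return GATE_INTERRUPT;  /* 00110 */
    case 0x07: return GATE_TRAP;       /* 00111 */
    default:   return GATE_NONE;       /* includes 0: unused entry */
    }
}

/* Table 9-1: IDT entry x 8 + 2 + EXT. */
static uint16_t idt_error_code(unsigned vec, int ext)
{
    return (uint16_t)(vec * 8u + 2u + (ext ? 1u : 0u));
}

static struct error_fields decode_error_code(uint16_t code)
{
    struct error_fields e;
    e.ext   = code & 1u;          /* bit 0: event external to the program */
    e.idt   = (code >> 1) & 1u;   /* bit 1: code refers to an IDT entry */
    e.index = code >> 3;          /* the vector, when e.idt is 1 */
    return e;
}

/* idt_limit is the last valid byte offset, as held in the IDT register. */
static struct outcome check_idt_gate(const uint8_t *idt, uint16_t idt_limit,
                                     unsigned vec, enum source src,
                                     unsigned cpl, int if_before)
{
    struct outcome o;
    uint8_t access;

    o.vector = EXC_GP;
    o.error_code = idt_error_code(vec, src == SRC_EXTERNAL);
    o.gate = GATE_NONE;
    o.if_after = if_before;

    if (vec * 8u + 7u > idt_limit)            /* entry outside the table */
        return o;
    access = idt[vec * 8u + 5u];
    o.gate = classify_gate(access);
    if (o.gate == GATE_NONE)                  /* wrong descriptor type */
        return o;
    /* CPL is compared with the gate DPL only for INT n and INT 3. */
    if (src == SRC_INT_INSTRUCTION && cpl > ((access >> 5) & 3u))
        return o;
    if (!(access & 0x80u)) {                  /* P bit clear */
        o.vector = EXC_NOT_PRESENT;
        return o;
    }
    o.vector = GATE_ACCEPTED;
    o.error_code = 0;
    if (o.gate == GATE_INTERRUPT)
        o.if_after = 0;                       /* interrupt gate clears IF */
    else if (o.gate == GATE_TASK)
        o.if_after = -1;                      /* flags come from the new TSS */
    return o;
}

/* Constructed sample IDT: 34 entries (limit 271), unused entries zero. */
static void build_sample_idt(uint8_t idt[272])
{
    int i;
    for (i = 0; i < 272; i++) idt[i] = 0;
    idt[3 * 8 + 5]  = 0xE7;   /* vector 3:  trap gate, P=1, DPL=3 */
    idt[12 * 8 + 5] = 0x85;   /* vector 12: task gate, P=1, DPL=0 */
    idt[32 * 8 + 5] = 0x86;   /* vector 32: interrupt gate, P=1, DPL=0 */
    idt[33 * 8 + 5] = 0x67;   /* vector 33: trap gate, P=0, DPL=3 */
}

int main(void)
{
    uint8_t idt[272];
    struct outcome o;
    build_sample_idt(idt);
    o = check_idt_gate(idt, 271, 32, SRC_INT_INSTRUCTION, 3, 1);
    printf("INT 32 at CPL 3: vector %d, error code %u\n",
           o.vector, (unsigned)o.error_code);
    o = check_idt_gate(idt, 271, 32, SRC_EXTERNAL, 3, 1);
    printf("external 32 at CPL 3: vector %d, IF after %d\n",
           o.vector, o.if_after);
    return 0;
}
```

The same vector 32 gate rejects INT 32 from CPL 3 but accepts the hardware interrupt, which is how a DPL 0 gate keeps application code from invoking a device handler in software.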
Table 9-1. Trap and Interrupt Gate Checks

Check | Exception | Error Code
Interrupt vector is in IDT limit | GP | IDT entry × 8 + 2 + EXT
Trap, Interrupt, or Task Gate in IDT entry | GP | IDT entry × 8 + 2 + EXT
If INT instruction, gate DPL ≥ CPL | GP | IDT entry × 8 + 2 + EXT
P bit of gate is set | NP | IDT entry × 8 + 2 + EXT
Code segment selector is in descriptor table limit | GP | CS selector × 8 + EXT
CS selector refers to a code segment | GP | CS selector × 8 + EXT
If code segment is non-conforming, code segment DPL ≤ CPL | GP | CS selector × 8 + EXT
If code segment is non-conforming, and DPL < CPL and if SS selector in TSS is in descriptor table limit | TS | SS selector × 8 + EXT
If code segment is non-conforming, and DPL < CPL and if SS is a writable data segment | TS | SS selector × 8 + EXT
If code segment is non-conforming, and DPL < CPL and code segment DPL = stack segment DPL | TS | Stack segment selector + EXT
If code segment is non-conforming, and DPL CPL

DS or ES segment selector is outside table limits
DS or ES are not readable segments

The error code has the form shown in Table 9-5. The EXT bit will be set if an event external to the program caused an interrupt that subsequently referenced a not-present segment. Bit 1 will be set if the error code refers to an IDT entry, e.g., an INT instruction referencing a not-present gate. The upper 14 bits are the upper 14 bits of the segment selector involved.

During a task switch, when a not-present exception occurs, the ES and DS segment registers may not be usable for referencing memory (the selector values are loaded before the descriptors are checked). The not-present handler should not rely on being able to use the values found in ES, SS, and DS without causing another exception. This is because the task switch itself may have changed the values in the registers. The exception occurs in the new task and the return pointer points to the first instruction of the new task.
Caution: the loading of the DS or ES descriptors may not have been completed. The exception handler should ensure that the DS and ES descriptors have been properly loaded before the execution of the first instruction of the new task.

9.6.6 Stack Fault (Interrupt 12)

Stack underflow or overflow causes exception 12, as does a not-present stack segment referenced during an inter-task or inter-level transition. This exception is fully restartable. A limit violation of the current stack results in an error code of 0. The EXT bit of the error code tells whether an interrupt external to the program caused the exception.

Any instruction that loads a selector to SS (e.g., POP SS, task switch) can cause this exception. This exception must use a task gate if there is a possibility that any level 0 stack may not be present.

When a stack fault occurs, the ES and DS segment registers may not be usable for referencing memory. During a task switch, the selector values are loaded before the descriptors are checked. The stack fault handler should check the saved values

Figure 11-1. Expand-Down Segment

Figure 11-2. Dynamic Segment Relocation and Expansion of Segment Limit

11.3 POINTER VALIDATION

Pointer validation is an important part of locating programming errors. Pointer validation is necessary for maintaining isolation between the privilege levels. Pointer validation consists of the following steps:

1. Check if the supplier of the pointer is entitled to access the segment.
2. Check if the segment type is appropriate to its intended use.
3. Check if the pointer violates the segment limit.

The 80286 hardware automatically performs checks 2 and 3 during instruction execution, while software must assist in performing the first check.
This point is discussed in section 11.3.2. Software can explicitly perform steps 2 and 3 to check for potential violations (rather than causing an exception). The unprivileged instructions LSL, LAR, VERR, and VERW are provided for this purpose.

The load access rights (LAR) instruction obtains the access rights byte of a descriptor pointed to by the selector used in the instruction. If that selector is visible at the CPL, the instruction loads the access byte into the specified destination register as the higher byte (the low byte is zero) and the zero flag is set. Once loaded, the access bits can be tested. System segments such as a task state segment or a descriptor table cannot be read or modified. This instruction is used to verify that a pointer refers to a segment of the proper privilege level and type. If the RPL or CPL is greater than DPL, or the selector is outside the table limit, no access value is returned and the zero flag is cleared. Conforming code segments may be accessed from any RPL or CPL.

Additional parameter checking can be performed via the load segment limit (LSL) instruction. If the descriptor denoted by the given selector (in memory or a register) is visible at the CPL, LSL loads the specified register with a word that consists of the limit field of that descriptor. This can only be done for segments, task state segments, and local descriptor tables (i.e., words from control descriptors are inaccessible). Interpreting the limit is a function of the segment type. For example, downward expandable data segments treat the limit differently than code segments do.

For both LAR and LSL, the zero flag (ZF) is set if the loading was performed; otherwise, the zero flag is cleared. Both instructions are undefined in real address mode, causing an invalid opcode exception (interrupt #6).
11.3.1 Descriptor Validation

The 80286 has two instructions, VERR and VERW, which determine whether a selector points to a segment that can be read or written at the current privilege level. Neither instruction causes a protection fault if the result is negative.

VERR verifies a segment for reading and loads ZF with 1 if that segment is readable from the current privilege level. The validation process checks that: 1) the selector points to a descriptor within the bounds of the GDT or LDT, 2) it denotes a segment descriptor (as opposed to a control descriptor), and 3) the segment is readable and of appropriate privilege level. The privilege check for data segments and non-conforming code segments is that the DPL must be numerically greater than or equal to both the CPL and the selector's RPL. Conforming segments are not checked for privilege level.

VERW provides the same capability as VERR for verifying writability. Like the VERR instruction, VERW loads ZF if the result of the writability check is positive. The instruction checks that the descriptor is within bounds, is a segment descriptor, is writable, and that its DPL is numerically greater than or equal to both the CPL and the selector's RPL. Code segments are never writable, conforming or not.

11.3.2 Pointer Integrity: RPL and the "Trojan Horse Problem"

The Requested Privilege Level (RPL) feature can prevent inappropriate use of pointers that could corrupt the operation of more privileged code or data from a less privileged level.

A common example is a file system procedure, FREAD (file_id, nybytes, buffer-ptr). This hypothetical procedure reads data from a file into a buffer, overwriting whatever is there. Normally, FREAD would be available at the user level, supplying only pointers to the file system procedures and data located and operating at a privileged level. Normally, such a procedure prevents user-level procedures from directly changing the file tables.
However, in the absence of a standard protocol for checking pointer validity, a user-level procedure could supply a pointer into the file tables in place of its buffer pointer, causing the FREAD procedure to corrupt them unwittingly.

By using the RPL, you can avoid such problems. The RPL field allows a privilege attribute to be assigned to a selector. This privilege attribute would normally indicate the privilege level of the code which generated the selector. The 80286 hardware will automatically check the RPL of any selector loaded into a segment register or a control register to see if the RPL allows access.

To guard against invalid pointers, the called procedure need only ensure that all selectors passed to it have an RPL at least as high (numerically) as the original caller's CPL. This indicates that the selectors were not more trusted than their supplier. If one of the selectors is used to access a segment that the caller would not be able to access directly, i.e., the RPL is numerically greater than the DPL, then a protection fault will result when loaded into a segment or control register.

The caller's CPL is available in the CS selector that was pushed on the stack as the return address. A special instruction, ARPL, can be used to appropriately adjust the RPL field of the pointer. ARPL (Adjust RPL field of selector instruction) adjusts the RPL field of a selector to become the larger of its original value and the value of the RPL field in a specified register. The latter is normally loaded from the caller's CS register which can be found on the stack. If the adjustment changes the selector's RPL, ZF is set; otherwise, the zero flag is cleared.

11.4 NPX CONTEXT SWITCHING

The context of a processor extension (such as the 80287 numerics processor) is not changed by the task switch operation.
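Returning to the pointer validation of sections 11.3 through 11.3.2: the following C model is an added example, not code from the manual. It shows a level-0 FREAD-style service applying ARPL with the caller's CS, then the VERW and limit checks, to a caller-supplied selector. The descriptor table contents, the helper names and the single-table simplification are assumptions of the model, and expand-down segments are rejected rather than modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Access-rights byte of an 80286 segment descriptor. */
#define AR_DPL(ar)   (((ar) >> 5) & 3u)
#define AR_SEGMENT   0x10u  /* 1 = code/data segment, 0 = control descriptor */
#define AR_EXEC      0x08u  /* 1 = code segment */
#define AR_CONF_ED   0x04u  /* code: conforming; data: expand-down */
#define AR_RW        0x02u  /* code: readable; data: writable */
#define SEL_RPL(s)   ((unsigned)(s) & 3u)
#define SEL_INDEX(s) ((size_t)((s) >> 3))  /* TI ignored: one table in this model */

typedef struct { uint16_t limit; uint8_t access; } desc_t;  /* base not needed */

/* Constructed sample table (not from the manual). Entry 0 is the null descriptor. */
static const desc_t sample_gdt[] = {
    {0x0000, 0x00},  /* 0: null */
    {0x0FFF, 0x92},  /* 1: file tables: data, writable, DPL 0 */
    {0x01FF, 0xF2},  /* 2: user buffer: data, writable, DPL 3 */
    {0x7FFF, 0xFA},  /* 3: user code: readable, non-conforming, DPL 3 */
    {0x3FFF, 0x9E},  /* 4: shared code: readable, conforming, DPL 0 */
    {0x002B, 0x81},  /* 5: idle TSS: a control descriptor */
};
#define SAMPLE_GDT_N (sizeof sample_gdt / sizeof sample_gdt[0])

static const desc_t *lookup(const desc_t *t, size_t n, uint16_t sel)
{
    size_t i = SEL_INDEX(sel);
    return (i == 0 || i >= n) ? NULL : &t[i];
}

/* Privilege rule for data and non-conforming code: DPL >= CPL and DPL >= RPL. */
static int priv_ok(const desc_t *d, uint16_t sel, unsigned cpl)
{
    return AR_DPL(d->access) >= cpl && AR_DPL(d->access) >= SEL_RPL(sel);
}

/* ARPL: raise the selector's RPL to src's RPL if it is lower. Returns ZF. */
int arpl(uint16_t *sel, uint16_t src)
{
    if (SEL_RPL(*sel) >= SEL_RPL(src))
        return 0;
    *sel = (uint16_t)((*sel & ~3u) | SEL_RPL(src));
    return 1;
}

/* VERR: returns ZF = 1 if the segment is readable at cpl through sel. */
int verr(const desc_t *t, size_t n, uint16_t sel, unsigned cpl)
{
    const desc_t *d = lookup(t, n, sel);
    if (!d || !(d->access & AR_SEGMENT))
        return 0;
    if (d->access & AR_EXEC) {
        if (!(d->access & AR_RW))
            return 0;                 /* execute-only code */
        if (d->access & AR_CONF_ED)
            return 1;                 /* conforming: no privilege check */
    }
    return priv_ok(d, sel, cpl);
}

/* VERW: returns ZF = 1 if the segment is writable at cpl through sel. */
int verw(const desc_t *t, size_t n, uint16_t sel, unsigned cpl)
{
    const desc_t *d = lookup(t, n, sel);
    if (!d || !(d->access & AR_SEGMENT))
        return 0;
    if ((d->access & AR_EXEC) || !(d->access & AR_RW))
        return 0;                     /* code segments are never writable */
    return priv_ok(d, sel, cpl);
}

/* Level-0 service validating a caller-supplied buffer (steps 1 to 3 of 11.3). */
int fread_buffer_ok(const desc_t *t, size_t n, uint16_t buf_sel, uint16_t off,
                    uint16_t nbytes, uint16_t caller_cs)
{
    const desc_t *d;
    arpl(&buf_sel, caller_cs);        /* step 1: no more trusted than supplier */
    if (!verw(t, n, buf_sel, 0))      /* step 2: writable data, DPL >= RPL */
        return 0;
    d = lookup(t, n, buf_sel);
    if (d->access & AR_CONF_ED)
        return 0;                     /* expand-down limits not modelled */
    if (nbytes == 0)
        return 1;
    return (uint32_t)off + nbytes - 1u <= d->limit;  /* step 3: limit, as LSL */
}

int main(void)
{
    /* Forged pointer: selector 0008H names the DPL 0 file tables with RPL 0. */
    printf("VERW at CPL 0, RPL unadjusted: %d\n",
           verw(sample_gdt, SAMPLE_GDT_N, 0x0008, 0));
    printf("after ARPL with caller CS 001BH: %d\n",
           fread_buffer_ok(sample_gdt, SAMPLE_GDT_N, 0x0008, 0, 16, 0x001B));
    return 0;
}
```

Without the ARPL step the forged selector passes VERW because the check runs at the service's own CPL of 0; once the RPL is raised to the caller's level the same selector is refused.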
A processor extension context need only be changed when a different task attempts to use the processor extension (which still contains the context of a previous task). The 80286 detects the first use of a processor extension after a task switch by causing the processor extension not-present exception (#7) if the TS bit is set. The interrupt handler may then decide whether a context change is necessary.

The 286 services numeric errors only when it executes wait or escape instructions because the processor extension is running independently. Therefore, the numerics error from one task may not be recorded until the 286 is running a different task. If the 286 task has changed, it makes sense to defer handling that error until the original task is restored. For example, interrupt handlers that use the NPX should not have their timing upset by a numeric error interrupt that pertains to some earlier process. It is of little value to service someone else's error.

If the task switch bit is set (bit 3 of MSW) when the CPU begins to execute a wait or escape instruction, the processor-extension not-present exception results (#7). The handler for this interrupt must know who currently "owns" the NPX, i.e., the handler must know the last task to issue a command to the NPX. If the owner is the same as the current task, then it was merely interrupted and the interrupt handler has since returned; the handler for interrupt 7 simply clears the TS bit, restores the working registers, and returns (restoring interrupts if enabled). If the recorded owner is different from the current task, the handler must first save the existing NPX context in the save area of the old task. It can then re-establish the correct NPX context from the current task's save area.

The code example in figure 11-3 relies on the convention that each TSS entry in the GDT is followed by an alias entry for a data segment that points to the same physical region of memory that contains the TSS.
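The ownership logic described above for the interrupt 7 handler, modelled in C as an added example (this is not the manual's Figure 11-3 code). The machine_t structure, the selector values 20H, 30H and 40H, the use of owner 0 for "no owner yet" and the use of one byte as a stand-in for NPX state are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MSW_TS       0x0008u  /* task switched flag, bit 3 of MSW */
#define NPX_CTX_SIZE 94       /* size of the NPX save area given in the text */
#define NTASKS       3

typedef struct {
    uint16_t tss_sel;                 /* TSS selector, used as the task ID */
    uint8_t  npx_save[NPX_CTX_SIZE];  /* per-task NPX save area */
} task_t;

typedef struct {
    uint16_t msw;                     /* machine status word */
    uint16_t tr;                      /* task register: current TSS selector */
    uint16_t last_npx_task;           /* recorded NPX owner, 0 = none yet */
    uint8_t  npx[NPX_CTX_SIZE];       /* live processor extension context */
    task_t   tasks[NTASKS];
    unsigned traps;                   /* interrupt 7 deliveries */
    unsigned swaps;                   /* context changes actually performed */
} machine_t;

void machine_init(machine_t *m)
{
    memset(m, 0, sizeof *m);
    for (int i = 0; i < NTASKS; i++)  /* constructed selectors: TSS, then alias */
        m->tasks[i].tss_sel = (uint16_t)(0x20 + 0x10 * i);
    m->tr = m->tasks[0].tss_sel;
    m->msw = MSW_TS;                  /* as after the switch to the first task */
}

static task_t *find_task(machine_t *m, uint16_t sel)
{
    for (int i = 0; i < NTASKS; i++)
        if (m->tasks[i].tss_sel == sel)
            return &m->tasks[i];
    return NULL;
}

/* A task switch changes TR and sets TS; the NPX context is left untouched. */
void task_switch(machine_t *m, uint16_t tss_sel)
{
    m->tr = tss_sel;
    m->msw |= MSW_TS;
}

/* Interrupt 7 handler: the owner comparison and the save/restore decision.
   Saving and restoring the working registers is omitted from the model. */
void int7_handler(machine_t *m)
{
    task_t *old, *cur;
    m->traps++;
    m->msw &= (uint16_t)~MSW_TS;      /* clear TS to allow NPX work */
    if (m->last_npx_task == m->tr)
        return;                       /* same owner: nothing to move */
    old = find_task(m, m->last_npx_task);
    cur = find_task(m, m->tr);
    if (old)
        memcpy(old->npx_save, m->npx, NPX_CTX_SIZE);  /* save owner's context */
    if (cur)
        memcpy(m->npx, cur->npx_save, NPX_CTX_SIZE);  /* load current task's */
    m->last_npx_task = m->tr;
    m->swaps++;
}

/* Model of an escape instruction: trap first if TS is set, then use the NPX. */
void npx_store(machine_t *m, uint8_t v)
{
    if (m->msw & MSW_TS)
        int7_handler(m);
    m->npx[0] = v;
}

uint8_t npx_load(machine_t *m)
{
    if (m->msw & MSW_TS)
        int7_handler(m);
    return m->npx[0];
}

int main(void)
{
    machine_t m;
    machine_init(&m);
    npx_store(&m, 0xAA);              /* task 20H becomes the owner */
    task_switch(&m, 0x30);            /* task 30H runs but never uses the NPX */
    task_switch(&m, 0x20);
    printf("value %02X after %u traps, %u context changes\n",
           npx_load(&m), m.traps, m.swaps);
    return 0;
}
```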
The alias segment also contains an area for saving the NPX context, the kernel stack, and certain kernel data. That is, the first 44 bytes in that segment are the 286 context, followed by 94 bytes for the processor extension context, followed in some cases by the kernel stack and kernel private data areas. The implied convention is that the stack segment selector points to this data segment alias so that whenever there is an interrupt at level zero and SS is automatically loaded, all of the above information is immediately addressable.

It is assumed that the program example knows about only one data segment that points to a global data area in which it can find the one word NPX owner to begin the processing described. The specific operations needed, and shown in the figure, are listed in table 11-1.

11.5 MULTIPROCESSOR CONSIDERATIONS

As mentioned in Chapter 8, a bus lock is applied during the testing and setting of the task busy bit to ensure that two processors do not invoke the same task at the same time. However, protection traps and conflicting use of dynamically varying segments or descriptors must be addressed by an interprocessor synchronization protocol. The protocol can use the indivisible semaphore operation of the base instruction set. Coordination of interrupt and trap vectoring must also be addressed when multiple concurrent processors are operating.

The interrupt bus cycles are locked so no interleaving occurs on those cycles. Descriptor caching is locked so that a descriptor reference cannot be altered while it is being fetched.

$title('Switch the NPX Context on First Use After a Task Switch')
        name    switch_npx_context
        public  switch_npx_context
        extrn   last_npx_task:word
;
; This interrupt handler will switch the NPX context if a new task is
; attempting to use the NPX context of another task after a task switch.
; If the NPX context belongs to the current task, nothing happens.
;
; A trap gate should be placed in IDT entry 7 referring to this routine.
; The DPL of the gate should be 0 to prevent spoofing. The code segment
; must be at privilege level 0.
;
; The kernel stack is assumed to overlay the TSS and the NPX save area is
; placed at the end of the TSS area.
;
; A global word variable LAST_NPX_TASK identifies the TSS selector of the
; last task to use the NPX.

Figure 11-3. Example of NPX Context Switching

When a program changes a descriptor that is shared with other processors, it should broadcast this fact to the other processors. This broadcasting can be done with an inter-processor interrupt. The handler for this interrupt must ensure that the segment registers, the LDTR and the TR, are re-loaded.
This happens automatically if the interrupt is serviced by a task switch.

Modification of descriptors of shared segments in multi-processor systems may require that the on-chip descriptors also be updated. For example, one processor may attempt to mark the descriptor of a shared segment as not-present while another is using it. Software has to ensure that the descriptors in the segment register caches are updated with the new information. The segment register caches can be updated by a re-entrant procedure that is invoked by an inter-processor interrupt. The handler must ensure that the segment registers, the LDTR and the TR, are re-loaded. This happens automatically if the interrupt is serviced by a task switch.

Table 11-1. NPX Context Switching

Step | Operation | Lines (Figure 11-3)
1. | Save the working registers | 28, 29
2. | Set up address for kernel work area | 30, 31
3. | Get current task ID from Task Register | 32
4. | Clear Task Switch flag to allow NPX work | 34
5. | Inhibit interrupts | 35
6. | Compare owner with current task ID | 37
If same owner:
7a. | Restore working registers | 48, 49
7b. | and return | 50
If owner is not current task:
8a. | Use owner ID to save old context in its TSS | 42, 43, 44
8b. | Restore context of current task; restore working registers; and return | 45, 46, 52

11.6 SHUTDOWN

Shutdown occurs when a severe error condition prevents further processing. Shutdown is very similar to HLT in that the 80286 stops executing instructions. The 80286 externally signals shutdown as a Halt bus cycle with A1 = 0. The NMI or RESET input will force the 80286 out of shutdown. The INTR input is ignored during shutdown.

APPENDIX A
80286 SYSTEM INITIALIZATION

$title('Switch the 80286 from Real Address Mode to Protected Mode')
        name    switch_80286_modes
        public  idt_desc,gdt_desc
;
; Switch the 80286 from real address mode into protected mode. The
; initial EPROM GDT, IDT, TSS, and LDT (if any) constructed by BLD286 will be
; copied from EPROM into RAM. The RAM areas are defined by data segments
; allocated as fixed entries in the GDT. The CPU registers for the GDT, IDT,
; TSS, and LDT will be set to point at the RAM-based segments. The base fields
; in the RAM-based GDT will also be updated to point at the RAM-based segments.
;
; This code is used by adding it to the list of object modules given to
; BLD286. BLD286 must then be told to place the segment init_code at address
; FFFE10H. Execution of the mode switch code begins after RESET. This happens
; because the mode switch code will start at physical address FFFFF0H, which
; is the power up address. This code then sets up RAM copies of the
; EPROM-based segments before jumping to the initial task placed at a fixed
; GDT entry. After the jump, the CPU executes in the state of the first task
; defined by BLD286.
;
; This code will not use any of the EPROM-based tables directly. Such use
; would result in the 80286 writing into EPROM to set the A bit. Any use of a
; GDT or TSS will always be in the RAM copy. The limit and size of the
; EPROM-based GDT and IDT must be stored at the public symbols idt_desc and
; gdt_desc. The location commands of BLD286 provide this function.
;
; Interrupts are disabled during this mode switching code. Full error
; checking is made of the EPROM-based GDT, IDT, TSS, and LDT to assure they
; are valid before copying them to RAM. If any of the RAM-based alias segments
; are smaller than the EPROM segments they are to hold, halt or shutdown will
; occur. In general, any exception or NMI will cause shutdown to occur until
; the first task is invoked.
;
; If the RAM segment is larger than the EPROM segment, the RAM segment will be
; expanded with zeros. If the initial TSS specifies an LDT, the LDT will also
; be copied into ldt_alias with zero fill if needed. The EPROM-based or
; RAM-based GDT, IDT, TSS, and LDT segments may be
locat.d anywhere In phy.lcal memory. A-1 80286 SYSTEM INITIALIZATION Define layout of a des. limit bale_low b a I!_h I g h a •• ess res des. desc~l~tor! s t r uc dw dw db db dw ends Offset of last byte In segment Low 16 bits of 24-blt address Hlgh,8 bit. of 24-blt addrels ,Access rlg~tl byte Reserved wo'rd 'D e fin e 't h'e' fixe d GDT I! I e c tor, val u e s 1. 0 r the des c rip' tors ,t hat de fin e 't hO EP ROM - ba,l! d tab I e I. B LD2 86m us t be in. t r u,c ted top I ace the ~pproprlat. des~rl~tors Int,o the GDT. gdt_allas I d t_alla. s tar t_ T S S_a I I a s s tar t_ t a I • s tar t_L DT_a I I BI equ equ equ equ e q'u I "s I z'e 2"slze 3"slze 4,. 1,1 z e, 5 " s,l z! des 'c desc desc des cf desc ., GDT (I) GDH2) GDH3) GDH4) GDHS) II I. Is I. Is date segm,ent I,n RAM' for data segment In RAM for data segment In RAM for TSS for starting ta •• da te segment I n, RAM for GDT IDT TSS LDT Define machine Itatus word bit pOs'ltlonS,.. PE MP EM Pro t e c t Ion en ab 'I e Monitor procelsor extension Emulate procelsor extension I 2 4 Defl~e )artl~.ia~ DT_ACCESS DS_ACCESS equ equ 82,H 92H TS LA CCES S DPL ACCESSED TI TSS_SIZE LDT_OFFSET T 1R P L_MA S K equ equ equ equ e q'u" equ equ 81H 60H I values of de.crlptor acce~Irlghts byte. 4 44 42 • I z e desc-I . Access byh value for an LDT Acce.s byte value for date segment which Is g row .u p. at level o • wrlteable Access byte val u'e for an I die TSS Privilege level f1 e I,d of a c,c e. s rights Define acces.ed bit Position of T I bit Size of a TSS Position of LDT In TSS T I end RPL f1 e I d ~alk Pass contr~1 from the power-up addresl to the mode Iwltch code. The segme~t containing thll code must be at phy~l~al address FFFEIOH .to place ~he JMP Inltructlon a~ phySical add~ess FFFFFOH. Jhe base 'cddr:~~ !~ chosen eC~Drdln~ t. the size of this segment. legment er cs_offlet equ org jmp OFEIOH Low 16 bits of starting address OFFFOH-cs_offset; Start at addresl FFFFFOH Do not change CS! 
80286 SYSTEM .INITIALIZATION Define the templ.te for. temporary GDT u.ed to locate the Initial GDT and .tock. Thl. data will be copied to location O. Thl5 .pace Is 01.0 u.ed for a temporary stack and finally .erve' a. the T55 wrillen inlo when entering Ihe Initial T55. Place remaining code below power _u p org Inltlal_gdt gdt_de.c Idl_de!C lemp_de.c de.c de.c de. c de.c <) <) <) <) Fill e r and nul I IDT de.crlptor De.crlptor for EPROM GDT De.crlptor for EPROM IDT Temporary de.crlptor Define a de5Crlptor Ihat will point the GDT at location· D. Thl. de.crlplor will al.o be loaded Inlo 5510 define Ihe Initial prolected m~de slack .egmenl. desc < e n d_g d I - I n I I I a I_g d t - 1 , 0 , 0 , DS_A C C E5 S , 0 ) Define the TS5 descriptor u.ed to allow the t •• k .wltch to the flr.t task to overwrite thl. region of memory. The TS5 will overlay the Initial GDT and .tack at ·Iocatlon D. desc Define the Initial .tack space and filler .tart_polnter dw I abe I 8 dup (0) lobe I dw dword o , • tar t_ t ask the la.k definition 11.1. Define layout of ta.k de.crlptlon Selector for TSS Data .egment all •• for TSS Dolo .egment alia. for LDT If any • I r uc ta.k_entry re.et_.tartup: c II cId lor mov ; Pointer to Inilial la.k dw dw dw end. dw the end of the TSS. word Define lemplate for ta.k_entry T55_.el T55_alla. LDT_alla. ta.k_entry fo~ <~tarl_task,.tart_TSS_alla.,.lar~_LDT_alla.) 0 ; Terminate II.t No Interrupt. allowed! U.e autolncrement mode Point ES:DI at phy.lcal addre •• DDDOODH dI , dI d.,dl mov !!!I,dl mov mov • P , en d_g d t - I nit I a I_g d t Set .tack at end of re.erved area • • , dI A-3 80286 SYSTEM INITIALIZATION Form an adlij!lmenl faclor from Ihe r~al CS bale of FFOOOOH 10 Ihe !egmenl bale address assumed by ASM286 •. Any data reference made Inlo CS mij!1 add an Indexing lerm IBPI 10 compen!ale for Ihe difference belween Ihe off!el genera led by ASM286 and Ihe off!el reqijlred from Ihe bale of FFOOOOH. 
Ia r I proc c a II !larl1 pop !ijb bp bp,offul !larl1 II d t I n I I I a I_g d I I bpi The valije of IP al rijn lime will nol be Ihe lame a! Ihe one ij!ed by ASM286! Get Irije off!el of !lart1 !larI1: Sijblracl ASM286 offset of !lart1 leaving adlij!lment faclor In BP Setijp nijll IDT 10 force shij1down on any protecllon error or Inlerrijpt Copy the EPROM-ba!ed lemporary GDT Inlo RAM. lea rep mov maY! !I,lnlllal_gdllbpl ; Selijp polnler 10 lemporary GDT templale In EPROM c x , ( e n d_g d I - I n III a I_g d I ) I 2 5 e I len g I h es:word plr Idll,cs:lslli Pijl Inlo reserved RAM area Look for 80287 processor exten!lon. A!sijme all one! will. be read If an 80287 15 nol pre!enl. f nI nI I mov htsw or In z bx,EM ax a I, a I !el_mode hetpm mov bx,MP Inillalize 80287 If preunt A!!ume no 80287 Look al !lah! of 80287 Ho error. !hould be pre!enl Jump If no 80287 Put 80287 In t 0 protecled mode Swllch to prolecled mode and !elup a stack, GDT, and LDT. i !el_mode: !m!w or or Im!w Imp Get current MSW Sel PE bit Sel HPX !lalu! flag! Enter prolected mode! Clear qijeij~ of In,lr"ctlon~ decoded while In Real Addre!s Mode CPL 15 now 0, CS !IIII polnl! at FFFE10 In phy!lcal memory ax .. ,PE ax,bx ax i .2 A-4 inter 80286 SYSTEM INITIALIZATION I 9dI mov mov xor II d I mov IIr U.e I n I I I a I GDT I n RAM arel I em p_. I a c k [ bpi ax, lemp_. tac k -I n I I lal_gdl ; Selup SS wI I h vall d prolected mode .eleclor 10 Ihe RAM GDT and • I a ok !!IS,IIX Sel Ihe current LDT 10 null ax I ax Any references 10 I I will CIlU!!Ie ax an excepllon cau.lng .huld.wn a x, • a v e_ I •• - I n I I I a I_g d I Set I n I I I a I T S S I n I 0 I he 10. RAM The I a • k .wllch need. a vall d TSS ax Copy Ihe EPROM-ba.ed GDT Inlo Ihe RAM data .egmenl 0110 •. Flr.1 the descrlplor for the RAM data segmenl must be copied Into the temporary GDT. Gel size of GDT Be .ure Ihe lasl enlry expecled by this code Is Inside Ihe GDT Jump If GDT I. not big enough mov cmp a x , 9 d t_d e!C [ bpI. II mI I ax,S'slze desc-! 
Jb bad_gdl mov mov call mov mov b x, 9 d t_d e. c - I nit lal_g d I .I,gdt_allas copy_EPROM_dt s I , I d I_a II a s b x, I d I_d esc - I n I I I a I_g d I copy_EPROM_dl a x , 9 d t _d esc - I nit I a I_g d I ca I 1 mov mov mov Form selector 10 EPROM GDT Get selector of GDT alias Copy Into EPROM Get selector of lDT alias [ndlcate EPROM [DT Setup addre.slng Inlo EPROM GDT ds, ax Gel GDT alia. data segmenl .elector Sel GDT to RAM GDT SS and TR remain In low RAM bx,gdt_allas I 9dt [b x I Copy all task's TSS and LDT .• egmenls Inlo RAM Define list of tasks 10 setup I ea copy_task_loop: call add mov or Jnz Copy them Inlo RAM Go to next entry See If Ihere Is another enlry copy_la.ks b x , s I z e I ask _e n try ax,cl: [bxl. tss_sel ax,.x copy_la.k_loop With TSS, GDT, and LDT set, .tarlup the Initial task! II d Jmp Potnt DS at GDT b x, 9 d t_a Ila. mov mov mov t d. , b x b x , I d .I_a I I a • [b x I Get lDT alias data .egment .elector Set [DT for errors and Interrupt. Slarl Ihe flrsl lask! The low RAM area Is overwrllten with Ihe current CPU conlexl .tart_polnter[bpl Halt here If GDT Is not big enough A-5 intel· .Iarl 80286 SYSTEM INITIALIZATION endp If BX Copy Ihe and Ihe T55 and LDT for Ihe la.k ha. an LDT II will BP are Iran.parenl. I •• k polnled 01 by C5:BX. 01.0 be copied down. bad_I •• : hI I copy_lo.k. mov mov mov mov I. I mov I ar Hall here If TSS 15 Invalid proc Gel • I , g d I_a I I a • d. , • I • I , c. : I b x I • I •• _a Ila. addre5.ablllly 10 GDT 1n z d x I !!I 1 b a d_ 15. Gel .eleclor for TSS alia. Polnl ES al alia. dala .egmenl Gel lenglh of TSS alia. Gel T55 5eleclor Gel alia. acee5' rlghl. Jump If Invalid reference mov and cmp 1n z d I , dh dh,nol DPL dh,T55_ACCE55 b a d_ I •• Save TSS de5crlplor Ignore privilege See If T5S Jump If nol I. I cmp C X I !!I 1 c x , T 5 5_5 I Z E - 1 b a d_ 15. Gel lenglh of EPROM ba.ed TSS Verify II 15 of proper .Ize Jump if II 15 nol big enough 1b D5 I! !!I , !!Ii ex !I I 1 • I , c. 
: I b x I • I • '_' e I Selup for moving polnl. al GDT mov mov call 5el mov mov mov mov mov Ihe EPROM-ba5ed GDT T55 Ilmil and ba5e I RAM 10 Ihe GDT RAM values. addres51ng ax Gel TSS 5eleclor G'et RAM alia. 5eleclor Copy llmi I Copylow 16 bi15 of addre55 Gel high 8 bil5 of address Mark a5 TSS de5crlplor Fill In high addre5s and access Copy reserved word d i , C 5: [b x I • 15 5_S e I !I i ,e 5: [ b x] . t 5 :i_a 1 i c s movsIII mOV!!I1II lod.w mov 5 t 0 !!I \II addre55 Reslore ax,gdl_allas d 5. 1 a x e5 10 byle Make TSS Inlo dala 5egmenl Polnl DS al EPROM T5S Copy DS 5egmenl 10 ES wllh zero fill CX ha5 copy counl, AX-CX fill counl [ • I I . a c c e •• , DS_A C C E 5 5 d5 I 5 1 cop y_w I I h_ f i I I Ihe T55 acce5' ah,dI movsw A-6 byle5 80286 SYSTEM INITIALIZATION See If a valid LOT I. 'peclfled for the .tartup ta.k I f . 0 I hen cop Y I h e EPRO M ve .. .1 0 n I n lot heR AM a I I a •. mov mov and Jz Addre •• TSS 10 get LOT d • ,c. : [b x J . I •• _all a. .I,d.:word plr LOT_OFFSET Ignore TI and RPL .I,nol TJRPL_MASK Skip Ihl. If no LOT u.ed n a_I d I Save LDT .eleclor Te.1 de.crlplor Jump If Invalid .eleclor pu.h I ar J nz mov and cmp Jn e mov mov 151 call mov Save LDT de.crlplor acce •• byle [gnore privilege Be .ure II I. an LDT de.crlptor Jump If Invalid d I ,d h dh,nol DPL dh, DT_ACCESS bad_Idl e.:[.IJ.acce.5,DS_ACCESS; Mark LDT a. dala .egmenl d".1 Polnl OS al EPROM LOT Gel LDT Ilmil IS X 1 5 1 Verify II i!.valld Ie. I_d t_ll·m I I Save for later ex 1 IS X Examine Ihe LDT alia • • egment and, e!l , 51 I •I IS X !l1 call le.l_dl_Ilmll cop y_w I I h_ f I I I ca I I Gel Idl all ••• eleelor Polnl ES al alia • • egmenl Get I~nglhof alla~ segment Verify II I. valid Copy LDT Inlo RAM alia • • egmenl • I , c. : I b x) . I d I_alia 5 mov mov I If good, copy 10 RAM Sel Ihe LDT Ilmil and ba.e addre •• 10 Ihe RAM copy of Ihe LOT . mov pop mov mov mov mov!w Re.lore LDT alia • • eleelor Re.lore LDT .eleclor Re.lore GDT addre •• lng • I ,c • : [ b x I . 
I d I _a I I •• dI ax.gdl_alla. d!i 1 I!I X e!l 1 1< X mov!lw Move Ihe RAM LDT Ilmil Move Ihe low 16 bll. aero •• Gel Ihe high 8 bit. Mark a. LDT de.erlptor Sel high addre •• and aeee •• rlghl • Copy re.erved word ret All done hit Hall here If LDT I. Invalid mov!iW 10 d • w mov • Io.w ah, dI bad_Idt: endp A-7 80286 SYSTEM INITIALIZATION Telt Ihe ~elcrlptor lable Ilze In AX 10 yerlfy Ihat It II an even number of delcrlptor! In [englh. tel t_dt_Ilml I pUlh and cmp pop Jn! proc Save lenglh Look a I low order bit! MUlt be all one! Restore length ax 01·,7 a 1,7 ax b a d_d I_II mI I AII DK rei bad_dl_Ilmll: hit tell_dt_Ilmll Die! endp Copy the EPROM DT al leleclor ax In Ihe temporary GDT 10 Ihe allal data legmenl 01 lel~ctor 51. Any Improper delcrlptors Dr Ilmltl will caule Ihuldow~! proc mov mov mov mov II I mov call mov mov mov pUlh lodlw call ItO!W movSiW Polnl ES:DI at IS X t!!II e! , !1:1bxl.accell,DS_ACCESS; e I ': [ b x I . rei , 0 a x, b x ex, II I I e I t_d I_II mI I dl,gdt~delc-Inltlal_gdt dI , temporary delcrlptor II X Mark delcrlplor .1 a dala segmenl Clear re.erved word Get limit of EPROM DT Save for later Ve r I f,y I t I I apr 0 per I I mit Addrell EPROM GDT In DS dI d I , t em p_d e I c - I nit I a I_g d I ; Gel leleclor tor temporary d~lcrlplor Save offsel for laler ule ~I leleclor dI Get allal legment Ilze Verify II Is an eVen muiliple of delcrlptors In length ' Pul length Into temporary Copy remaining entrlel Into iemporary mOV!iW mOV5W pop mov ES now polnll al Ihe GDT allal area DS now polnll al EPROM DT 01 dala Copy segmenl 10 allal wllh zero fill CX II copy counl, AX-CX II fill count F a I I I n I 0 cop y_w I I h_ f I I I e! dI , bx endp A-8 80286 SYSTEM INITIALIZATION Copy the legment at DS to the legment at ES for length CX. Fill the end with AX-CX zerol. Ule word operatlonl for Ipeed but allow odd byte operatlonl. cop y_w I t h_ f I II xor xor lub add rcr rep proc I I •I I d I. 
di                              ; Start at beginning of segments
        sub     ax,cx           ; Form fill count
        add     cx,1            ; Convert limit to count
        rcr     cx,1            ; Allow full 64K move
rep     movsw                   ; Copy DT into alias area
        xchg    ax,cx           ; Get fill count and zero AX
        jnc     even_copy       ; Jump if even byte count on copy
        movsb                   ; Copy odd byte
        or      cx,cx
        jz      exit_copy       ; Exit if no fill
        stosb                   ; Even out the segment offset
        dec     cx              ; Adjust remaining fill count
even_copy:
        shr     cx,1            ; Form word count on fill
rep     stosw                   ; Clear unused words at end
        jnc     exit_copy       ; Exit if no odd byte remains
        stosb                   ; Clear last odd byte
exit_copy:
        ret
copy_with_fill  endp
init_code       ends
        end

APPENDIX B
THE 80286 INSTRUCTION SET

This section presents the 80286 instruction set using Intel's ASM286 notation. All possible operand types are shown. Instructions are organized alphabetically according to generic operations. Within each operation, many different instructions are possible depending on the operand. The pages are presented in a standardized format, the elements of which are described in the following paragraphs.

Opcode

This column gives the complete object code produced for each form of the instruction. Where possible, the codes are given as hexadecimal bytes, presented in the order in which they will appear in memory. Several shorthand conventions are used for the parts of instructions which specify operands. These conventions are as follows:

/n: (n is a digit from 0 through 7) A ModRM byte, plus a possible immediate and displacement field follow the opcode. See figure B-1 for the encoding of the fields. The digit n is the value of the REG field of the ModRM byte. To obtain the possible hexadecimal values for /n, refer to column n of table B-1. Each row gives a possible value for the effective address operand to the instruction. The entry at the end of the row indicates whether the effective address operand is a register or memory; if memory, the entry indicates what kind of indexing and/or displacement is used.
Entries with D8 or D16 signify that a one-byte or two-byte displacement quantity immediately follows the ModRM and optional immediate field bytes. The signed displacement is added to the effective address offset.

/r: A ModRM byte that contains both a register operand and an effective address operand, followed by a possible immediate and displacement field. See figure B-2 for the encoding of the fields. The ModRM byte could be any value appearing in table B-1. The column determines which register operand was selected; the row determines the form of effective address. If the row entry mentions D8 or D16, then a one-byte or two-byte displacement follows, as described in the previous paragraph.

cb: A one-byte signed displacement in the range of -128 to +127 follows the opcode. The displacement is sign-extended to 16 bits, and added modulo 65536 to the offset of the instruction FOLLOWING this instruction to obtain the new IP value.

cw: A two-byte displacement is added modulo 65536 to the offset of the instruction FOLLOWING this instruction to obtain the new IP value.

cd: A two-word pointer which will be the new CS:IP value. The offset is given first, followed by the selector.

db: An immediate byte operand to the instruction which follows the opcode and ModRM bytes. The opcode determines if it is a signed value.

dw: An immediate word operand to the instruction which follows the opcode and ModRM bytes. All words are given in the 80286 with the low-order byte first.

+rb: A register code from 0 through 7 which is added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte. The codes are: AL=0, CL=1, DL=2, BL=3, AH=4, CH=5, DH=6, and BH=7.
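The C code below is an added example, not part of the Intel manual. It decodes a ModRM byte as the /n and /r conventions above and figures B-1 and B-2 describe it: it splits mod, REG and r/m, reads the D8 or D16 displacement, handles the mod=00, r/m=110 direct-address case, reports the default segment, and refuses truncated input. The names modrm_t, decode_modrm and ea_offset are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: all names below are hypothetical, not Intel's. */
typedef struct {
    unsigned mod, reg, rm;  /* the three ModRM fields */
    int is_reg;             /* mod=11: r/m names a register */
    uint16_t disp;          /* DISP as a 16-bit value (D8 already sign-extended) */
    unsigned disp_len;      /* displacement bytes after ModRM: 0, 1 or 2 */
    const char *seg;        /* default segment register, "" for a register operand */
    char ea[24];            /* effective address as labelled in table B-1 */
} modrm_t;

static const char *const ea_regs[8] = {
    "BX + SI", "BX + DI", "BP + SI", "BP + DI", "SI", "DI", "BP", "BX"
};
static const char *const rw_name[8] = { "AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI" };
static const char *const rb_name[8] = { "AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH" };

/* Decode p[0] as a ModRM byte and read the displacement that follows it.
 * Returns the number of bytes consumed (1 to 3), or -1 if the buffer is too short. */
int decode_modrm(const uint8_t *p, size_t len, modrm_t *m)
{
    int direct;

    if (len < 1)
        return -1;
    memset(m, 0, sizeof *m);
    m->mod = p[0] >> 6;
    m->reg = (p[0] >> 3) & 7;
    m->rm = p[0] & 7;
    m->seg = "DS";

    if (m->mod == 3) {                      /* r/m is treated as a "reg" field */
        m->is_reg = 1;
        m->seg = "";
        snprintf(m->ea, sizeof m->ea, "Ew=%s Eb=%s", rw_name[m->rm], rb_name[m->rm]);
        return 1;
    }

    direct = (m->mod == 0 && m->rm == 6);   /* note 2: EA = disp-high:disp-low */
    if (m->mod == 1)
        m->disp_len = 1;
    else if (m->mod == 2 || direct)
        m->disp_len = 2;
    if (len < 1 + (size_t)m->disp_len)
        return -1;                          /* instruction bytes are truncated */

    if (m->disp_len == 1)                   /* disp-low sign-extended to 16 bits */
        m->disp = (uint16_t)(p[1] | ((p[1] & 0x80) ? 0xFF00u : 0u));
    else if (m->disp_len == 2)              /* low-order byte first */
        m->disp = (uint16_t)(p[1] | (p[2] << 8));

    if (direct) {
        snprintf(m->ea, sizeof m->ea, "D16 (simple var)");
    } else {
        if (m->rm == 2 || m->rm == 3 || m->rm == 6)
            m->seg = "SS";                  /* BP index: default segment is SS */
        snprintf(m->ea, sizeof m->ea, "[%s]%s", ea_regs[m->rm],
                 m->disp_len == 1 ? " + D8" : m->disp_len == 2 ? " + D16" : "");
    }
    return 1 + (int)m->disp_len;
}

/* Offset part of the effective address of a memory operand, added modulo 65536. */
uint16_t ea_offset(const modrm_t *m, uint16_t bx, uint16_t bp, uint16_t si, uint16_t di)
{
    const uint16_t base[8] = {
        (uint16_t)(bx + si), (uint16_t)(bx + di), (uint16_t)(bp + si), (uint16_t)(bp + di),
        si, di, bp, bx
    };
    if (m->mod == 0 && m->rm == 6)
        return m->disp;
    return (uint16_t)(base[m->rm] + m->disp);
}
```

With the constructed bytes 46 FE (mod=01, REG=0, r/m=110) the decoder reports [BP] + D8 in SS with DISP=0FFFEH, so BP=0100H gives offset 00FEH.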
/n Instruction Byte Format

"mod" Field Bit Assignments

mod   Displacement
00    DISP = 0(2), disp-low and disp-high are absent
01    DISP = disp-low sign-extended to 16 bits, disp-high is absent
10    DISP = disp-high: disp-low
11    r/m is treated as a "reg" field

"r/m" Field Bit Assignments

r/m   Operand Address
000   (BX) + (SI) + DISP
001   (BX) + (DI) + DISP
010   (BP) + (SI) + DISP
011   (BP) + (DI) + DISP
100   (SI) + DISP
101   (DI) + DISP
110   (BP) + DISP(2)
111   (BX) + DISP

DISP follows 2nd byte of instruction (before data if required).

NOTES:
1. Opcode indicates presence and size of immediate value.
2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low.

Figure B-1. /n Instruction Byte Format

Table B-1. ModRM Values

Rb  =     AL  CL  DL  BL  AH  CH  DH  BH
Rw  =     AX  CX  DX  BX  SP  BP  SI  DI
REG =     0   1   2   3   4   5   6   7

          ModRM values                      Effective address
mod=00    00  08  10  18  20  28  30  38    [BX + SI]
          01  09  11  19  21  29  31  39    [BX + DI]
          02  0A  12  1A  22  2A  32  3A    [BP + SI]
          03  0B  13  1B  23  2B  33  3B    [BP + DI]
          04  0C  14  1C  24  2C  34  3C    [SI]
          05  0D  15  1D  25  2D  35  3D    [DI]
          06  0E  16  1E  26  2E  36  3E    D16 (simple var)
          07  0F  17  1F  27  2F  37  3F    [BX]
mod=01    40  48  50  58  60  68  70  78    [BX + SI] + D8(1)
          41  49  51  59  61  69  71  79    [BX + DI] + D8
          42  4A  52  5A  62  6A  72  7A    [BP + SI] + D8
          43  4B  53  5B  63  6B  73  7B    [BP + DI] + D8
          44  4C  54  5C  64  6C  74  7C    [SI] + D8
          45  4D  55  5D  65  6D  75  7D    [DI] + D8
          46  4E  56  5E  66  6E  76  7E    [BP] + D8(2)
          47  4F  57  5F  67  6F  77  7F    [BX] + D8
mod=10    80  88  90  98  A0  A8  B0  B8    [BX + SI] + D16(3)
          81  89  91  99  A1  A9  B1  B9    [BX + DI] + D16
          82  8A  92  9A  A2  AA  B2  BA    [BP + SI] + D16
          83  8B  93  9B  A3  AB  B3  BB    [BP + DI] + D16
          84  8C  94  9C  A4  AC  B4  BC    [SI] + D16
          85  8D  95  9D  A5  AD  B5  BD    [DI] + D16
          86  8E  96  9E  A6  AE  B6  BE    [BP] + D16(2)
          87  8F  97  9F  A7  AF  B7  BF    [BX] + D16
mod=11    C0  C8  D0  D8  E0  E8  F0  F8    Ew=AX  Eb=AL
          C1  C9  D1  D9  E1  E9  F1  F9    Ew=CX  Eb=CL
          C2  CA  D2  DA  E2  EA  F2  FA    Ew=DX  Eb=DL
          C3  CB  D3  DB  E3  EB  F3  FB    Ew=BX  Eb=BL
          C4  CC  D4  DC  E4  EC  F4  FC    Ew=SP  Eb=AH
          C5  CD  D5  DD  E5  ED  F5  FD    Ew=BP  Eb=CH
          C6  CE  D6  DE  E6  EE  F6  FE    Ew=SI  Eb=DH
          C7  CF  D7  DF  E7  EF  F7  FF    Ew=DI  Eb=BH

NOTES:
1. D8 denotes an 8-bit displacement following the ModRM byte that is sign-extended and added to the index.
2. Default segment register is SS for effective addresses containing a BP index; DS is for other memory effective addresses.
3. D16 denotes the 16-bit displacement following the ModRM byte that is added to the index.

/r Instruction Byte Format

"mod" Field Bit Assignments

mod   Displacement
00    DISP = 0(2), disp-low and disp-high are absent
01    DISP = disp-low sign-extended to 16 bits, disp-high is absent
10    DISP = disp-high: disp-low
11    r/m is treated as a "reg" field

"r" Field Bit Assignments

      16-Bit (w = 1)   8-Bit (w = 0)   Segment
000   AX               AL              00  ES
001   CX               CL              01  CS
010   DX               DL              10  SS
011   BX               BL              11  DS
100   SP               AH
101   BP               CH
110   SI               DH
111   DI               BH

"r/m" Field Bit Assignments

r/m   Operand Address
000   (BX) + (SI) + DISP
001   (BX) + (DI) + DISP
010   (BP) + (SI) + DISP
011   (BP) + (DI) + DISP
100   (SI) + DISP
101   (DI) + DISP
110   (BP) + DISP(2)
111   (BX) + DISP

DISP follows 2nd byte of instruction (before data if required).

NOTES:
1. Opcode indicates presence and size of immediate field.
2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low.

Figure B-2. /r Instruction Byte Format

+rw: A register code from 0 through 7 which is added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte. The codes are: AX=0, CX=1, DX=2, BX=3, SP=4, BP=5, SI=6, and DI=7.

Instruction

This column gives the instruction mnemonic and possible operands. The type of operand used will determine the opcode and operand encodings. The following entries list the type of operand which can be encoded in the format shown in the instruction column. The Intel convention is to place the destination operand as the left hand operand. Source-only operands follow the destination operand.

In many cases, the same instruction can be encoded several ways. It is recommended that you use the shortest encoding. The short encodings are provided to save memory space.

cb: a destination instruction offset in the range of 128 bytes before the end of this instruction to 127 bytes after the end of this instruction.

cw: a destination offset within the same code segment as this instruction. Some instructions allow a short form of destination offset. See cb type for more information.

cd: a destination address, typically in a different code segment from this instruction. Using the cd: address form with call instructions saves the code segment selector.

db: a signed value between -128 and +127 inclusive which is an operand of the instruction. For instructions in which the db is to be combined in some way with a word operand, the immediate value is sign-extended to form a word. The upper byte of the word is filled with the topmost bit of the immediate value.

dw: an immediate word value which is an operand of the instruction.

eb: a byte-sized operand. This is either a byte register or a (possibly indexed) byte memory variable. Either operand location may be encoded in the ModRM field. Any memory addressing mode may be used.

ed: a memory-based pointer operand.
Any memory addressing mode may be used. Use of a register addressing mode will cause exception 6.

ew: a word-sized operand. This is either a word register or a (possibly indexed) word memory variable. Either operand location may be encoded in the ModRM field. Any memory addressing mode may be used.

m: a memory location. Operands in registers do not have a memory address. Any memory addressing mode may be used. Use of a register addressing mode will cause exception 6.

mb: a memory-based byte-sized operand. Any memory addressing mode may be used.

mw: a memory-based word operand. Any memory addressing mode may be used.

rb: one of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH; rb has the value 0, 1, 2, 3, 4, 5, 6, and 7, respectively.

rw: one of the word registers AX, CX, DX, BX, SP, BP, SI, or DI; rw has the value 0, 1, 2, 3, 4, 5, 6, and 7, respectively.

xb: a simple byte memory variable without a base or index register. MOV instructions between AL and memory have this optimized form if no indexing is required.

xw: a simple word memory variable without a base or index register. MOV instructions between AX and memory have this optimized form if no indexing is required.

Clocks

This column gives the number of clock cycles that this form of the instruction takes to execute. The amount of time for each clock cycle is computed by dividing one microsecond by the number of MHz at which the 80286 is running. For example, a 10-MHz 80286 (with the CLK pin connected to a 20-MHz crystal) takes 100 nanoseconds for each clock cycle.

Add one clock to instructions that use the base plus index plus displacement form of addressing. Add two clocks for each 16-bit memory based operand reference located on an odd physical address. Add one clock for each wait state added to each memory read. Wait states inserted in memory writes or instruction fetches do not necessarily increase execution time.
The clock counts establish the maximum execution rate of the 80286. With no delays in bus cycles, the actual clock count of an 80286 program will average 5-10% more than the calculated clock count due to instruction sequences that execute faster than they can be fetched from memory.

Some instruction forms give two clock counts, one unlabelled and one labelled. These counts indicate that the instruction has two different clock times for two different circumstances. Following are the circumstances for each possible label:

mem: The instruction has an operand that can either be a register or a memory variable. The unlabelled time is for the register; the mem time is for the memory variable. Also, one additional clock cycle is taken for indexed memory variables for which all three possible indices (base register, index register, and displacement) must be added.

noj: The instruction involves a conditional jump or interrupt. The unlabelled time holds when the jump is made; the noj time holds when the jump is not made.

pm: If the instruction takes more time to execute when the 80286 is in Protected Mode. The unlabelled time is for Real Address Mode; the pm time is for Protected Mode.

Description

This is a concise description of the operation performed for this form of the instruction. More details are given in the "Operation" section that appears later in this chapter.

Flags Modified

This is a list of the flags that are set to a meaningful value by the instruction. If a flag is always set to the same value by the instruction, the value is given ("=0" or "=1") after the flag name.

Flags Undefined

This is a list of the flags that have an undefined (meaningless) setting after the instruction is executed.

All flags not mentioned under "Flags Modified" or "Flags Undefined" are unchanged by the instruction.

Operation

This section fully describes the operation performed by the instruction.
For some of the more complicated instructions, suggested usage is also indicated.

Protected Mode Exceptions

The possible exceptions involved with this instruction when running under the 80286 Protected Mode are listed below. These exceptions are abbreviated with a pound sign (#) followed by two capital letters and an optional error code in parentheses. For example, #GP(0) denotes the general protection exception with an error code of zero. The next section describes all of the 80286 exceptions and the machine state upon entry to the exception.

If you are an applications programmer, consult the documentation provided with your operating system to determine what actions are taken by the system when exceptions occur.

Real Address Mode Exceptions

Since less error checking is performed by the 80286 when it is in Real Address Mode, there are fewer exceptions in this mode. One exception that is possible in many instructions is #GP(0). Exception 13 is generated whenever a word operand is accessed from effective address 0FFFFH in a segment. This happens because the second byte of the word is considered located at location 10000H, not at location 0, and thus exceeds the segment's addressability limit.

Protection Exceptions

In parallel with the execution of instructions, the protected-mode 80286 checks all memory references for validity of addressing and type of access. Violation of the memory protection rules built into the processor will cause a transfer of program control to one of the interrupt procedures described in this section. The interrupts have dedicated positions within the Interrupt Descriptor Table, which is shown in table B-2. The interrupts are referenced within the instruction set pages by a pound sign (#) followed by a two-letter mnemonic and the optional error code in parentheses.

Error Codes

Some exceptions cause the 80286 to pass a 16-bit error code to the interrupt procedure.
When this happens, the error code is the last item pushed onto the stack before control is transferred to the interrupt procedure. If stacks were switched as a result of the interrupt (causing a privilege change or task switch), the error code appears on the interrupt procedure's stack, not on the stack of the task that was interrupted.

Table B-2. Protection Exceptions of the 80286

Abbreviation   Interrupt Number   Description
#UD            6                  Undefined Opcode
#NM            7                  No Math Unit Available
#DF            8                  Double Fault
#MP            9                  Math Unit Protection Fault
#TS            10                 Invalid Task State Segment
#NP            11                 Not Present
#SS            12                 Stack Fault
#GP            13                 General Protection
#MF            16                 Math Fault

The error code generally contains the selector of the segment that caused the protection violation. The RPL field (bottom two bits) of the error code does not, however, contain the privilege level. Instead, it contains the following information:

• Bit 0 contains the value 1 if the exception was detected during an interrupt caused by an event external to the program (i.e., an external interrupt, a single step, a processor extension not-present exception, or a processor extension segment overrun). Bit 0 is 0 if the exception was detected while processing the regular instruction stream, even if the instruction stream is part of an external interrupt handling procedure or task. If bit 0 is set, the instruction pointed to by the saved CS:IP address is not responsible for the error. The current task can be restarted unless this is exception 9.

• Bit 1 is 1 if the selector points to the Interrupt Descriptor Table. In this case, bit 2 can be ignored, and bits 3-10 contain the index into the IDT.

Bit 1 is 0 if the selector points to the Global or Local Descriptor Tables. In this case, bits 2-15 have their usual selector interpretation: bit 2 selects the table (1=Local, 0=Global), and bits 3-15 are the index into the table.

In some cases the 80286 chooses to pass an error code with no information in it.
In these cases, all 16 bits of the error code are zero.

The existence and type of error codes are described under each of the following individual exceptions.

#DF 8   Double Fault (Zero Error Code)

This exception is generated when a second exception is detected while the processor is attempting to transfer control to the handler for an exception. For instance, it is generated if the code segment containing the exception handler is marked not present. It is also generated if invoking the exception handler causes a stack overflow.

This exception is not generated during the execution of an exception handler. Faults detected within the instruction stream are handled by regular exceptions.

The error code is normally zero. The saved CS:IP will point at the instruction that was attempting to execute when the double fault occurred. Since the error code is normally zero, no information on the source of the exception is available. Restart is not possible.

The "double fault" exception does not occur when detecting a new exception while trying to invoke handlers for the following exceptions: 1, 2, 3, 4, 5, 6, 7, 9, and 16.

If another exception is detected while attempting to perform the double fault exception, the 80286 will enter shutdown (see section 11.5).

#GP 13   General Protection (Selector or Zero Error Code)

This exception is generated for all protection violations not covered by the other exceptions in this section. Examples of this include:

1. An attempt to address a memory location by using an offset that exceeds the limit for the segment involved.
2. An attempt to jump to a data segment.
3. An attempt to load SS with a selector for a read-only segment.
4. An attempt to write to a read-only segment.
5. Exceeding the maximum instruction length of 10 bytes.

If #GP occurred while loading a descriptor, the error code passed contains the selector involved. Otherwise, the error code is zero.
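The C code below is an added example, not part of the Intel manual. It decodes the 16-bit error code laid out under "Error Codes" above (bit 0 external event, bit 1 IDT, bit 2 table select, remaining bits index) and renders one line per fault, which is how a handler or a crash-log reader would triage a #GP, #TS, #NP or #SS. The names errcode_t, decode_error_code, pushes_error_code and describe_fault are hypothetical, and the list of vectors that pass an error code is taken from the exception headings on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: all names below are hypothetical, not Intel's. */
typedef enum { TBL_GDT, TBL_LDT, TBL_IDT } dtable_t;

typedef struct {
    int no_info;      /* all 16 bits zero: no information was passed */
    int external;     /* bit 0: detected during an externally caused interrupt */
    dtable_t table;   /* which descriptor table the index refers to */
    unsigned index;   /* descriptor index within that table */
} errcode_t;

/* Vectors whose headings on this page show an error code:
 * #DF 8, #TS 10, #NP 11, #SS 12, #GP 13. */
int pushes_error_code(unsigned vector)
{
    return vector == 8 || (vector >= 10 && vector <= 13);
}

errcode_t decode_error_code(uint16_t ec)
{
    errcode_t d;

    d.no_info = (ec == 0);
    d.external = ec & 1;
    if (ec & 2) {                       /* bit 1 = 1: selector points to the IDT */
        d.table = TBL_IDT;
        d.index = (ec >> 3) & 0xFF;     /* bits 3-10; bit 2 is ignored */
    } else {                            /* usual selector interpretation */
        d.table = (ec & 4) ? TBL_LDT : TBL_GDT;
        d.index = ec >> 3;              /* bits 3-15 */
    }
    return d;
}

/* Write a one-line description of a fault record; returns snprintf's result. */
int describe_fault(char *buf, size_t n, unsigned vector, uint16_t ec)
{
    static const char *const tbl[] = { "GDT", "LDT", "IDT" };
    errcode_t d;

    if (!pushes_error_code(vector))
        return snprintf(buf, n, "vector %u: no error code", vector);
    d = decode_error_code(ec);
    if (d.no_info)
        return snprintf(buf, n, "vector %u error 0000H: no selector information", vector);
    /* When bit 0 is set, the saved CS:IP instruction is not responsible. */
    return snprintf(buf, n, "vector %u error %04XH: %s index %u, %s",
                    vector, (unsigned)ec, tbl[d.table], d.index,
                    d.external ? "external event" : "instruction stream");
}
```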
If the error code is not zero, the instruction can be restarted if the erroneous condition is rectified. If the error code is zero either a limit violation, a write protect violation, or an illegal use of invalid segment register occurred. An invalid segment register contains the values 0-3. A write protect fault on ADC, SBB, RCL, RCR, or XCHG is not restartable.

#MF 16   Math Fault (No Error Code)

This exception is generated when the numeric processor extension (the 80287) detects an error signalled by the ERROR input pin leading from the 80287 to the 80286. The ERROR pin is tested at the beginning of most floating point instructions, and when a WAIT instruction is executed with the EM bit of the Machine Status Word set to 0 (i.e., no emulation of the math unit). The floating point instructions that do not cause the ERROR pin to be tested are FNCLEX, FNINIT, FSETPM, FNSTCW, FNSTSW, FNSAVE, and FNSTENV.

If the handler corrects the error condition causing the exception, the floating point instruction that caused #MF can be restarted. This is not accomplished by IRET, however, since the fault occurs at the floating point instruction that follows the offending instruction. Before restarting the numeric instruction, the handler must obtain from the 80287 the address of the offending instruction and the address of the optional numeric operand.

#MP 9   Math Unit Protection Fault (No Error Code)

This exception is generated if the numeric operand is larger than one word and has the second or subsequent words outside the segment's limit. Not all math addressing errors cause exception 9. If the effective address of an ESCAPE instruction is not in the segment's limit, or if a write is attempted on a read-only segment, or if a one-word operand violates a segment limit, exception 13 will occur.

The #MP exception occurs during the execution of the numeric instruction by the 80287. Thus, the 80286 may be in an unrelated instruction stream at the time.
Exception 9 may occur in a task unrelated to the task that executed the ESC instruction. The operating system should keep track of which task last used the NPX (see section 11.4).

The offending floating point instruction cannot be restarted; the task which attempted to execute the offending numeric instruction must be aborted. However, if exception 9 interrupted another task, the interrupted task may be restarted.

The exception 9 handler must execute FNINIT before executing any ESCAPE or WAIT instruction.

#NM 7   No Math Unit Available (No Error Code)

This exception occurs when any floating point instruction is executed while the EM bit or the TS bit of the Machine Status Word is 1. It also occurs when a WAIT instruction is encountered and both the MP and TS bits of the Machine Status Word are 1.

Depending on the setting of the MSW bits that caused this exception, the exception handler could provide emulation of the 80287, or it could perform a context switch of the math processor to prepare it for use by another task.

The instruction causing #NM can be restarted if the handler performs a numeric context switch. If the handler provided emulation of the math unit, it should advance the return pointer beyond the floating point instruction that caused #NM.

#NP 11   Not Present (Selector Error Code)

This exception occurs when CS, DS, ES, or the Task Register is loaded with a descriptor that is marked not present but is otherwise valid. It can occur in an LLDT instruction, but the #NP exception will not occur if the processor attempts to load the LDT register during a task switch. A not-present LDT encountered during a task switch causes the #TS exception.

The error code passed is the selector of the descriptor that is marked not present.

Typically, the Not Present exception handler is used to implement a virtual memory system. The operating system can swap inactive memory segments to a mass-storage device such as a disk.
Applications programs need not be told about this; the next time they attempt to access the swapped-out memory segment, the Not Present handler will be invoked, the segment will be brought back into memory, and the offending instruction within the applications program will be restarted.

If #NP is detected on loading CS, DS, or ES in a task switch, the exception occurs in the new task, and the IRET from the exception handler jumps directly to the next instruction in the new task.

The Not Present exception handler must contain special code to complete the loading of segment registers when #NP is detected in loading the CS or DS registers in a task switch and a trap or interrupt gate was used. The DS and ES registers have been loaded but their descriptors have not been loaded. Any memory reference using the segment register may cause exception 13. The #NP exception handler should execute code such as the following to ensure full loading of the segment registers:

    MOV AX,DS
    MOV DS,AX
    MOV AX,ES
    MOV ES,AX

#SS 12   Stack Fault (Selector or Zero Error Code)

This exception is generated when a limit violation is detected in addressing through the SS register. It can occur on stack-oriented instructions such as PUSH or POP, as well as other types of memory references using SS such as MOV AX,[BP+28]. It also can occur on an ENTER instruction when there is not enough space on the stack for the indicated local variable space, even if the stack exception is not triggered by pushing BP or copying the display stack. A stack exception can therefore indicate a stack overflow, a stack underflow or a wild offset. The error code will be zero.

#SS is also generated on an attempt to load SS with a descriptor that is marked not present but is otherwise valid. This can occur in a task switch, an inter-level call, an inter-level return, a move to the SS instruction or a pop to the SS instruction. The error code will be non-zero.
#SS is never generated when addressing through the DS or ES registers even if the offending register points to the same segment as the SS register.

The #SS exception handler must contain special code to complete the loading of segment registers. The DS and ES registers will not be fully loaded if a not-present condition is detected while loading the SS register. Therefore, the #SS exception handler should execute code such as the following to insure full loading of the segment registers:

    MOV AX,DS
    MOV DS,AX
    MOV AX,ES
    MOV ES,AX

Generally, the instruction causing #SS can be restarted, but there is one special case when it cannot: when a PUSHA or POPA instruction attempts to wrap around the 64K boundary of a stack segment. This condition is identified by the value of the saved SP, which can be either 0000H, 0001H, 0FFFEH, or 0FFFFH.

#TS 10   Invalid Task State Segment (Selector Error Code)

This exception is generated during a task switch when the new task state segment is invalid, that is, when a task state segment is too small; when the LDT indicated in a TSS is invalid or not present; when the SS, CS, DS, or ES indicated in a TSS are invalid (task switch); when the back link in a TSS is invalid (inter-task IRET).

#TS is not generated when the SS, CS, DS, or ES back link or privileged stack selectors point to a descriptor that is not present but otherwise is valid. #NP is generated in these cases.

The error code passed to the exception handler contains the selector of the offending segment, which can either be the Task State Segment itself, or a selector found within the Task State Segment.

The instruction causing #TS can be restarted.

#TS must be handled through a task gate.

The exception handler must reset the busy bit in the new TSS.

#UD 6   Undefined Opcode (No Error Code)

This exception is generated when an invalid operation code is detected in the instruction stream. Following are the cases in which #UD can occur:

1. The first byte of an instruction is completely invalid (e.g., 64H).
2. The first byte indicates a 2-byte opcode and the second byte is invalid (e.g., 0FH followed by 0FFH).
3. An invalid register is used with an otherwise valid opcode (e.g., MOV CS,AX).
4. An invalid opcode extension is given in the REG field of the ModRM byte (e.g., 0F6H /1).
5. A register operand is given in an instruction that requires a memory operand (e.g., LGDT AX).

Since the offending opcode will always be invalid, it cannot be restarted. However, the #UD handler might be coded to implement an extension of the 80286 instruction set. In that case, the handler could advance the return pointer beyond the extended instruction and return control to the program after the extended instruction is emulated. Any such extensions may be incompatible with the 80386.

Privilege Level and Task Switching on the 80286

The 80286 supports many of the functions necessary to implement a protected, multi-tasking operating system in hardware. This support is provided not by additional instructions, but by extension of the semantics of 8086/8088 instructions that change the value of CS:IP.

Whenever the 80286 performs an inter-segment jump, call, interrupt, or return, it consults the Access Rights (AR) byte found in the descriptor table entry of the selector associated with the new CS value. The AR byte determines whether the long jump being made is through a gate, or is a task switch, or is a simple long jump to the same privilege level. Table B-3 lists the possible values of the AR byte. The "privilege" headings at the top of the table give the Descriptor Privilege Level, which is referred to as the DPL within the instruction descriptions.

Each of the CALL, INT, IRET, JMP, and RET instructions contains on its instruction set pages a listing of the access rights checking and actions taken to implement the instruction.
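The C code below is an added example, not part of the Intel manual. It decodes an Access Rights byte into the fields that table B-3 tabulates (present bit, DPL, descriptor type and its attributes) and then applies the AR-byte checks that the SWITCH_TASKS list in this appendix makes on the new CS and SS descriptors, returning which exception each failed check raises. The names ar_t, decode_ar, check_task_cs and check_task_ss are hypothetical; the selector-limit and RPL checks of SWITCH_TASKS are outside its scope.

```c
#include <stdint.h>

/* Added example: all names below are hypothetical, not Intel's. */
typedef enum {
    K_ILLEGAL, K_AVAIL_TSS, K_LDT, K_BUSY_TSS, K_CALL_GATE,
    K_TASK_GATE, K_INT_GATE, K_TRAP_GATE, K_DATA, K_CODE
} kind_t;

typedef struct {
    int present;        /* bit 7 */
    unsigned dpl;       /* bits 6-5: the "privilege" column of table B-3 */
    kind_t kind;
    int expand_down;    /* data segments only */
    int writable;       /* data segments only */
    int conforming;     /* code segments only */
    int readable;       /* code segments only */
    int accessed;       /* bit 0 of data and code segments */
} ar_t;

ar_t decode_ar(uint8_t ar)
{
    /* Rows 00-0F of table B-3; entries 08-0F default to K_ILLEGAL (0). */
    static const kind_t sys[16] = {
        K_ILLEGAL, K_AVAIL_TSS, K_LDT, K_BUSY_TSS,
        K_CALL_GATE, K_TASK_GATE, K_INT_GATE, K_TRAP_GATE
    };
    ar_t d = { 0 };

    d.present = ar >> 7;
    d.dpl = (ar >> 5) & 3;
    if (!(ar & 0x10)) {                 /* rows 00-0F: TSS, LDT and gates */
        d.kind = sys[ar & 0x0F];
        return d;
    }
    d.accessed = ar & 1;
    if (ar & 0x08) {                    /* rows 18-1F: code segments */
        d.kind = K_CODE;
        d.conforming = (ar >> 2) & 1;
        d.readable = (ar >> 1) & 1;
    } else {                            /* rows 10-17: data segments */
        d.kind = K_DATA;
        d.expand_down = (ar >> 2) & 1;
        d.writable = (ar >> 1) & 1;
    }
    return d;
}

typedef enum { CHK_OK, CHK_TS, CHK_NP, CHK_SS } check_t;

/* AR-byte checks SWITCH_TASKS applies to the new CS descriptor. */
check_t check_task_cs(uint8_t ar, unsigned cpl)
{
    ar_t d = decode_ar(ar);

    if (d.kind != K_CODE)
        return CHK_TS;                  /* must indicate code segment */
    if (!d.conforming && d.dpl != cpl)
        return CHK_TS;                  /* non-conforming: DPL must equal CPL */
    if (d.conforming && d.dpl > cpl)
        return CHK_TS;                  /* conforming: DPL must be <= CPL */
    if (!d.present)
        return CHK_NP;                  /* not present raises #NP(CS) */
    return CHK_OK;
}

/* AR-byte checks SWITCH_TASKS applies to the new SS descriptor. */
check_t check_task_ss(uint8_t ar, unsigned cpl)
{
    ar_t d = decode_ar(ar);

    if (d.dpl != cpl)
        return CHK_TS;                  /* DPL of SS descriptor must equal CPL */
    if (d.kind != K_DATA || !d.writable)
        return CHK_TS;                  /* must be a writable data segment */
    if (!d.present)
        return CHK_SS;                  /* not present raises #SS(SS) */
    return CHK_OK;
}
```

For instance, AR byte 9AH decodes as present, DPL 0, non-conforming readable code, so check_task_cs(0x9A, 3) fails with #TS while the conforming 9EH passes at CPL 3.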
Instructions involving task switches contain the symbol SWITCH_TASKS, which is an abbreviation for the following list of checks and actions:

SWITCH_TASKS:
Locked set AR byte of new TSS descriptor to Busy TSS (Bit 1 = 1)
Current TSS cache must be valid with limit ≥ 41 else #TS (error code will be new TSS, but back link points at old TSS)
Save machine state in current TSS
If nesting tasks, set the new TSS link to the current TSS selector
Any exception will be in new context
Else set the AR byte of current TSS descriptor to Available TSS (Bit 1 = 0)
Set the current TR to selector, base, and limit of new TSS
New TSS limit ≥ 43 else #TS (new TSS)
Set all machine registers to values from new TSS without loading descriptors for DS, ES, CS, SS, LDT
Clear valid flags for LDT, SS, CS, DS, ES (not valid yet)
If nesting tasks, set the Nested Task flag to 1
Set the Task Switched flag to 1
LDT from the new TSS must be within GDT table limits else #TS(LDT)
AR byte from LDT descriptor must specify LDT segment else #TS(LDT)
AR byte from LDT descriptor must indicate PRESENT else #TS(LDT)
Load LDT cache with new LDT descriptor and set valid bit
Set CPL to the RPL of the CS selector in the new TSS
If new stack selector is null #TS(SS)
SS selector must be within its descriptor table limits else #TS(SS)
SS selector RPL must be equal to CPL else #TS(SS)
DPL of SS descriptor must equal CPL else #TS(SS)
SS descriptor AR byte must indicate writable data segment else #TS(SS)
SS descriptor AR byte must indicate PRESENT else #SS(SS)
Load SS cache with new stack segment and set valid bit
New CS selector must not be null else #TS(CS)
CS selector must be within its descriptor table limits else #TS(CS)
CS descriptor AR byte must indicate code segment else #TS(CS)
If non-conforming then DPL must equal CPL else #TS(CS)
If conforming then DPL must be ≤ CPL else #TS(CS)
CS descriptor AR byte must indicate PRESENT else #NP(CS)
Load CS cache with new code segment descriptor and set valid bit
For DS and ES:
    If new selector is not null then perform following checks:
        Index must be within its descriptor table limits else #TS(segment selector)
        AR byte must indicate data or readable code else #TS(segment selector)
        If data or non-conforming code then:
            DPL must be ≥ CPL else #TS(segment selector)
            DPL must be ≥ RPL else #TS(segment selector)
        AR byte must indicate PRESENT else #NP(segment selector)
        Load cache with new segment descriptor and set valid bit

Table B-3. Hexadecimal Values for the Access Rights Byte

Not present,      Present,
privilege =       privilege =
0   1   2   3     0   1   2   3     Descriptor Type
00  20  40  60    80  A0  C0  E0    Illegal
01  21  41  61    81  A1  C1  E1    Available Task State Segment
02  22  42  62    82  A2  C2  E2    Local Descriptor Table Segment
03  23  43  63    83  A3  C3  E3    Busy Task State Segment
04  24  44  64    84  A4  C4  E4    Call Gate
05  25  45  65    85  A5  C5  E5    Task Gate
06  26  46  66    86  A6  C6  E6    Interrupt Gate
07  27  47  67    87  A7  C7  E7    Trap Gate
08  28  48  68    88  A8  C8  E8    Illegal
09  29  49  69    89  A9  C9  E9    Illegal
0A  2A  4A  6A    8A  AA  CA  EA    Illegal
0B  2B  4B  6B    8B  AB  CB  EB    Illegal
0C  2C  4C  6C    8C  AC  CC  EC    Illegal
0D  2D  4D  6D    8D  AD  CD  ED    Illegal
0E  2E  4E  6E    8E  AE  CE  EE    Illegal
0F  2F  4F  6F    8F  AF  CF  EF    Illegal
10  30  50  70    90  B0  D0  F0    Expand-up, read only, ignored Data Segment
11  31  51  71    91  B1  D1  F1    Expand-up, read only, accessed Data Segment
12  32  52  72    92  B2  D2  F2    Expand-up, writable, ignored Data Segment
13  33  53  73    93  B3  D3  F3    Expand-up, writable, accessed Data Segment
14  34  54  74    94  B4  D4  F4    Expand-down, read only, ignored Data Segment
15  35  55  75    95  B5  D5  F5    Expand-down, read only, accessed Data Segment
16  36  56  76    96  B6  D6  F6    Expand-down, writable, ignored Data Segment
17  37  57  77    97  B7  D7  F7    Expand-down, writable, accessed Data Segment
18  38  58  78    98  B8  D8  F8    Non-conform, no read, ignored Code Segment
19  39  59  79    99  B9  D9  F9    Non-conform, no read, accessed Code Segment
1A  3A  5A  7A    9A  BA  DA  FA    Non-conform, readable, ignored Code Segment
1B  3B  5B  7B    9B  BB  DB  FB    Non-conform, readable, accessed Code Segment
1C  3C  5C  7C    9C  BC  DC  FC    Conforming, no read, ignored Code Segment
1D  3D  5D  7D    9D  BD  DD  FD    Conforming, no read, accessed Code Segment
1E  3E  5E  7E    9E  BE  DE  FE    Conforming, readable, ignored Code Segment
1F  3F  5F  7F    9F  BF  DF  FF    Conforming, readable, accessed Code Segment

AAA - ASCII Adjust AL After Addition

Opcode   Instruction   Clocks   Description
37       AAA           3        ASCII adjust AL after addition

FLAGS MODIFIED
Auxiliary carry, carry

FLAGS UNDEFINED
Overflow, sign, zero, parity

OPERATION
AAA should be executed only after an ADD instruction which leaves a byte result in the AL register. The lower nibbles of the operands to the ADD instruction should be in the range 0 through 9 (BCD digits). In this case, the AAA instruction will adjust AL to contain the correct decimal digit result. If the addition produced a decimal carry, the AH register is incremented, and the carry and auxiliary carry flags are set to 1. If there was no decimal carry, the carry and auxiliary carry flags are set to 0, and AH is unchanged. In any case, AL is left with its top nibble set to 0. To convert AL to an ASCII result, you can follow the AAA instruction with OR AL,30H.

The precise definition of AAA is as follows: if the lower 4 bits of AL are greater than nine, or if the auxiliary carry flag is 1, then increment AL by 6, AH by 1, and set the carry and auxiliary carry flags. Otherwise, reset the carry and auxiliary carry flags. In any case, conclude the AAA operation by setting the upper four bits of AL to zero.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

AAD - ASCII Adjust AX Before Division

Opcode   Instruction   Clocks   Description
D5 0A    AAD           14       ASCII adjust AX before division

FLAGS MODIFIED
Sign, zero, parity

FLAGS UNDEFINED
Overflow, auxiliary carry, carry

OPERATION
AAD is used to prepare two unpacked BCD digits (least significant in AL, most significant in AH) for a division operation which will yield an unpacked result. This is accomplished by setting AL to AL + (10 × AH), and then setting AH to 0. This leaves AX equal to the binary equivalent of the original unpacked 2-digit number.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

AAM - ASCII Adjust AX After Multiply

Opcode   Instruction   Clocks   Description
D4 0A    AAM           16       ASCII adjust AX after multiply

FLAGS MODIFIED
Sign, zero, parity

FLAGS UNDEFINED
Overflow, auxiliary carry, carry

OPERATION
AAM should be used only after executing a MUL instruction between two unpacked BCD digits, leaving the result in the AX register. Since the result is less than one hundred, it is contained entirely in the AL register. AAM unpacks the AL result by dividing AL by ten, leaving the quotient (most significant digit) in AH, and the remainder (least significant digit) in AL.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

AAS - ASCII Adjust AL After Subtraction

Opcode   Instruction   Clocks   Description
3F       AAS           3        ASCII adjust AL after subtraction

FLAGS MODIFIED
Auxiliary carry, carry

FLAGS UNDEFINED
Overflow, sign, zero, parity

OPERATION
AAS should be executed only after a subtraction instruction which left the byte result in the AL register. The lower nibbles of the operands to the SUB instruction should have been in the range 0 through 9 (BCD digits). In this case, the AAS instruction will adjust AL to contain the correct decimal digit result. If the subtraction produced a decimal carry, the AH register is decremented, and the carry and auxiliary carry flags are set to 1. If there was no decimal carry, the carry and auxiliary carry flags are set to 0, and AH is unchanged. In any case, AL is left with its top nibble set to 0. To convert AL to an ASCII result, you can follow the AAS instruction with OR AL,30H.

The precise definition of AAS is as follows: if the lower four bits of AL are greater than 9, or if the auxiliary carry flag is 1, then decrement AL by 6, AH by 1, and set the carry and auxiliary carry flags. Otherwise, reset the carry and auxiliary carry flags. In any case, conclude the AAS operation by setting the upper four bits of AL to zero.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

ADC/ADD - Integer Addition

Opcode      Instruction   Clocks    Description
10 /r       ADC eb,rb     2,mem=7   Add with carry byte register into EA byte
11 /r       ADC ew,rw     2,mem=7   Add with carry word register into EA word
12 /r       ADC rb,eb     2,mem=7   Add with carry EA byte into byte register
13 /r       ADC rw,ew     2,mem=7   Add with carry EA word into word register
14 db       ADC AL,db     3         Add with carry immediate byte into AL
15 dw       ADC AX,dw     3         Add with carry immediate word into AX
80 /2 db    ADC eb,db     3,mem=7   Add with carry immediate byte into EA byte
81 /2 dw    ADC ew,dw     3,mem=7   Add with carry immediate word into EA word
83 /2 db    ADC ew,db     3,mem=7   Add with carry immediate byte into EA word
00 /r       ADD eb,rb     2,mem=7   Add byte register into EA byte
01 /r       ADD ew,rw     2,mem=7   Add word register into EA word
02 /r       ADD rb,eb     2,mem=7   Add EA byte into byte register
03 /r       ADD rw,ew     2,mem=7   Add EA word into word register
04 db       ADD AL,db     3         Add immediate byte into AL
05 dw       ADD AX,dw     3         Add immediate word into AX
80 /0 db    ADD eb,db     3,mem=7   Add immediate byte into EA byte
81 /0 dw    ADD ew,dw     3,mem=7   Add immediate word into EA word
83 /0 db    ADD ew,db     3,mem=7   Add immediate byte into EA word

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
ADD and ADC perform an integer addition on the two operands. The ADC instruction also adds in the initial state of the carry flag. The result of the addition goes to the first operand. ADC is usually executed as part of a multi-byte or multi-word addition operation.

When a byte immediate value is added to a word operand, the immediate value is first sign-extended.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

AND - Logical AND

Opcode      Instruction   Clocks    Description
20 /r       AND eb,rb     2,mem=7   Logical-AND byte register into EA byte
21 /r       AND ew,rw     2,mem=7   Logical-AND word register into EA word
22 /r       AND rb,eb     2,mem=7   Logical-AND EA byte into byte register
23 /r       AND rw,ew     2,mem=7   Logical-AND EA word into word register
24 db       AND AL,db     3         Logical-AND immediate byte into AL
25 dw       AND AX,dw     3         Logical-AND immediate word into AX
80 /4 db    AND eb,db     3,mem=7   Logical-AND immediate byte into EA byte
81 /4 dw    AND ew,dw     3,mem=7   Logical-AND immediate word into EA word

FLAGS MODIFIED
Overflow=0, sign, zero, parity, carry=0

FLAGS UNDEFINED
Auxiliary carry

OPERATION
Each bit of the result is a 1 if both corresponding bits of the operands were 1; it is 0 otherwise.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

ARPL - Adjust RPL Field of Selector

Opcode   Instruction   Clocks      Description
63 /r    ARPL ew,rw    10,mem=11   Adjust RPL of EA word not less than RPL of rw

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION
The ARPL instruction has two operands. The first operand is a 16-bit memory variable or word register that contains the value of a selector. The second operand is a word register. If the RPL field (bottom two bits) of the first operand is less than the RPL field of the second operand, then the zero flag is set to 1 and the RPL field of the first operand is increased to match the second RPL. Otherwise, the zero flag is set to 0 and no change is made to the first operand.

ARPL appears in operating systems software, not in applications programs. It is used to guarantee that a selector parameter to a subroutine does not request more privilege than the caller was entitled to. The second operand used by ARPL would normally be a register that contains the CS selector value of the caller.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 6. ARPL is not recognized in Real Address mode.

BOUND - Check Array Index Against Bounds

Opcode   Instruction   Clocks   Description
62 /r    BOUND rw,md   noj=13   INT 5 if rw not within bounds

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
BOUND is used to ensure that a signed array index is within the limits defined by a two-word block of memory. The first operand (a register) must be greater than or equal to the first word in memory, and less than or equal to the second word in memory. If the register is not within the bounds, an INTERRUPT 5 occurs.

The two-word block might typically be found just before the array itself and therefore would be accessible at a constant offset of -4 from the array, simplifying the addressing.

PROTECTED MODE EXCEPTIONS
INTERRUPT 5 if the bounds test fails, as described above. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

The second operand must be a memory operand, not a register. If the BOUND instruction is executed with a ModRM byte representing a register second operand, then fault #UD will occur.

REAL ADDRESS MODE EXCEPTIONS
INTERRUPT 5 if the bounds test fails, as described above. Interrupt 13 for a second operand at offset 0FFFDH or higher. Interrupt 6 if the second operand is a register, as described in the paragraph above.

CALL - Call Procedure

Opcode   Instruction   Clocks*     Description
E8 cw    CALL cw       7           Call near, offset relative to next instruction
FF /2    CALL ew       7,mem=11    Call near, offset absolute at EA word
9A cd    CALL cd       13,pm=26    Call inter-segment, immediate 4-byte address
9A cd    CALL cd       41          Call gate, same privilege
9A cd    CALL cd       82          Call gate, more privilege, no parameters
9A cd    CALL cd       86+4X       Call gate, more privilege, X parameters
9A cd    CALL cd       177         Call via Task State Segment
9A cd    CALL cd       182         Call via task gate
FF /3    CALL ed       16,mem=29   Call inter-segment, address at EA doubleword
FF /3    CALL ed       44          Call gate, same privilege
FF /3    CALL ed       83          Call gate, more privilege, no parameters
FF /3    CALL ed       90+4X       Call gate, more privilege, X parameters
FF /3    CALL ed       180         Call via Task State Segment
FF /3    CALL ed       185         Call via task gate

*Add one clock for each byte in the next instruction executed.

FLAGS MODIFIED
None, except when a task switch occurs

FLAGS UNDEFINED
None

OPERATION
The CALL instruction causes the procedure named in the operand to be executed. When the procedure is complete (a return instruction is executed within the procedure), execution continues at the instruction that follows the CALL instruction.

The CALL cw form of the instruction adds modulo 65536 (the 2-byte operand) to the offset of the instruction following the CALL and sets IP to the resulting offset. The 2-byte offset of the instruction that follows the CALL is pushed onto the stack. It will be popped by a near RET instruction within the procedure. The CS register is not changed by this form.

The CALL ew form of the instruction is the same as CALL cw except that the operand specifies a memory location from which the absolute 2-byte offset for the procedure is fetched.

The CALL cd form of the instruction uses the 4-byte operand as a pointer to the procedure called. The CALL ed form fetches the long pointer from the memory location specified. Both long pointer forms consult the AR byte in the descriptor indexed by the selector part of the long pointer. The AR byte can indicate one of the following descriptor types:

1. Code Segment - The access rights are checked, the return pointer is pushed onto the stack, and the procedure is jumped to.

2. Call Gate - The offset part of the pointer is ignored. Instead, the entire address of the procedure is taken from the call gate descriptor entry. If the routine being entered is more privileged, then a new stack (both SS and SP) is loaded from the task state segment for the new privilege level, and parameters determined by the word count field of the call gate are copied from the old stack to the new stack.

3. Task Gate - The current task's context is saved in its Task State Segment (TSS), and the TSS named in the task gate is used to load the new context. The selector for the outgoing task (from TR) is stored into the new TSS's link field, and the new task's Nested Task flag is set. The outgoing task is left marked busy, the new TSS is marked busy, and execution resumes at the point at which the new task was last suspended.

4. Task State Segment - The current task is suspended and the new task initiated as in 3 above except that there is no intervening gate.

For long calls involving no task switch, the return link is the pointer of the instruction that follows the CALL, i.e., the caller's CS and updated IP.

Task switches invoked by CALLs are linked by storing the outgoing task's TSS selector in the incoming TSS's link field and setting the Nested Task flag in the new task. Nested tasks must be terminated by an IRET. IRET releases the nested task and follows the back link to the calling task if the NT flag is set.

A precise list of the protection checks made and the actions taken is given by the following list:

CALL FAR:
    If indirect then check access of EA doubleword
        #GP(0) if limit violation
    New CS selector must not be null else #GP(0)
    Check that new CS selector index is within its descriptor table limits; else #GP (new CS selector)
    Examine AR byte of selected descriptor for various legal values:
        CALL CONFORMING CODE SEGMENT:
            DPL must be ≤ CPL else #GP (code segment selector)
            Segment must be PRESENT else #NP (code segment selector)
            Stack must be big enough for return address else #SS(0)
            IP must be in code segment limit else #GP(0)
            Load code segment descriptor into CS cache
            Load CS with new code segment selector
            Load IP with new offset
        CALL NONCONFORMING CODE SEGMENT:
            RPL must be ≤ CPL else #GP (code segment selector)
            DPL must be = CPL else #GP (code segment selector)
            Segment must be PRESENT else #NP (code segment selector)
            Stack must be big enough for return address else #SS(0)
            IP must be in code segment limit else #GP(0)
            Load code segment descriptor into CS cache
            Load CS with new code segment selector
            Set RPL of CS to CPL
            Load IP with new offset
        CALL TO CALL GATE:
            Call gate DPL must be ≥ CPL else #GP (call gate selector)
            Call gate DPL must be ≥ RPL else #GP (call gate selector)
            Call gate must be PRESENT else #NP (call gate selector)
            Examine code segment selector in call gate descriptor:
                Selector must not be null else #GP(0)
                Selector must be within its descriptor table limits else #GP (code segment selector)
            AR byte of selected descriptor must indicate code segment else #GP (code segment selector)
            DPL of selected descriptor must be ≤ CPL else #GP (code segment selector)
            If non-conforming code segment and DPL < CPL then
                CALL GATE TO MORE PRIVILEGE:
                    Get new SS selector for new privilege level from TSS
                    Check selector and descriptor for new SS:
                        Selector must not be null else #TS(0)
                        Selector index must be within its descriptor table limits else #TS (SS selector)
                        Selector's RPL must equal DPL of code segment else #TS (SS selector)
                        Stack segment DPL must equal DPL of code segment else #TS (SS selector)
                        Descriptor must indicate writable data segment else #TS (SS selector)
                        Segment PRESENT else #SS (SS selector)
                    New stack must have room for parameters plus 8 bytes else #SS(0)
                    IP must be in code segment limit else #GP(0)
                    Load new SS:SP value from TSS
                    Load new CS:IP value from gate
                    Load CS descriptor
                    Load SS descriptor
                    Push long pointer of old stack onto new stack
                    Get word count from call gate, mask to 5 bits
                    Copy parameters from old stack onto new stack
                    Push return address onto new stack
                    Set CPL to stack segment DPL
                    Set RPL of CS to CPL
            Else
                CALL GATE TO SAME PRIVILEGE:
                    Stack must have room for 4-byte return address else #SS(0)
                    IP must be in code segment limit else #GP(0)
                    Load CS:IP from gate
                    Push return address onto stack
                    Load code segment descriptor into CS-cache
                    Set RPL of CS to CPL
        CALL TASK GATE:
            Task gate DPL must be ≥ CPL else #GP (gate selector)
            Task gate DPL must be ≥ RPL else #GP (gate selector)
            Task Gate must be PRESENT else #NP (gate selector)
            Examine selector to TSS, given in Task Gate descriptor:
                Must specify global in the local/global bit else #GP (TSS selector)
                Index must be within GDT limits else #GP (TSS selector)
                TSS descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
                Task State Segment must be PRESENT else #NP (TSS selector)
            SWITCH_TASKS with nesting to TSS
            IP must be in code segment limit else #GP(0)
        TASK STATE SEGMENT:
            TSS DPL must be ≥ CPL else #GP (TSS selector)
            TSS DPL must be ≥ RPL else #GP (TSS selector)
            TSS descriptor AR byte must specify available TSS else #GP (TSS selector)
            Task State Segment must be PRESENT else #NP (TSS selector)
            SWITCH_TASKS with nesting to TSS
            IP must be in code segment limit else #GP(0)
        ELSE #GP (code segment selector)

PROTECTED MODE EXCEPTIONS
FAR calls: #GP, #NP, #SS, and #TS, as indicated in the list above.

NEAR direct calls: #GP(0) if procedure location is beyond the code segment limits.

NEAR indirect CALL: #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment. #GP if the indirect offset obtained is beyond the code segment limits.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

CBW - Convert Byte into Word

Opcode   Instruction   Clocks   Description
98       CBW           2        Convert byte into word (AH = top bit of AL)

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
CBW converts the signed byte in AL to a signed word in AX. It does so by extending the top bit of AL into all of the bits of AH.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

CLC - Clear Carry Flag

Opcode   Instruction   Clocks   Description
F8       CLC           2        Clear carry flag

FLAGS MODIFIED
Carry=0

FLAGS UNDEFINED
None

OPERATION
CLC sets the carry flag to zero. No other flags or registers are affected.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

CLD - Clear Direction Flag

Opcode   Instruction   Clocks   Description
FC       CLD           2        Clear direction flag. SI and DI will increment

FLAGS MODIFIED
Direction = 0

FLAGS UNDEFINED
None

OPERATION
CLD clears the direction flag. No other flags or registers are affected.
After CLD is executed, string operations will increment the index registers (SI and/or DI) that they use.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

CLI - Clear Interrupt Flag

Opcode   Instruction   Clocks   Description
FA       CLI           3        Clear interrupt flag; interrupts disabled

FLAGS MODIFIED
Interrupt = 0

FLAGS UNDEFINED
None

OPERATION
CLI clears the interrupt enable flag if the current privilege level is at least as privileged as IOPL. No other flags are affected. External interrupts will not be recognized at the end of the CLI instruction or thereafter until the interrupt flag is set.

PROTECTED MODE EXCEPTIONS
#GP(0) if the current privilege level is bigger (has less privilege) than the IOPL in the flags register. IOPL specifies the least privileged level at which I/O may be performed.

REAL ADDRESS MODE EXCEPTIONS
None

CLTS - Clear Task Switched Flag

Opcode   Instruction   Clocks   Description
0F 06    CLTS          2        Clear task switched flag

FLAGS MODIFIED
Task switched=0

FLAGS UNDEFINED
None

OPERATION
CLTS clears the task switched flag in the Machine Status Word. This flag is set by the 80286 every time a task switch occurs. The TS flag is used to manage processor extensions as follows: every execution of a WAIT or an ESC instruction will be trapped if the MP flag of MSW is set and the task switched flag is set. Thus, if a processor extension is present and a task switch has been made since the last ESC instruction was begun, the processor extension's context must be saved before a new instruction can be issued. The fault routine will save the context and reset the task switched flag or place the task requesting the processor extension into a queue until the current processor extension instruction is completed.

CLTS appears in operating systems software, not in applications programs. It is a privileged instruction that can only be executed at level 0.

PROTECTED MODE EXCEPTIONS
#GP(0) if CLTS is executed with a current privilege level other than 0.

REAL ADDRESS MODE EXCEPTIONS
None (valid in REAL ADDRESS MODE to allow power-up initialization for Protected Mode)

CMC - Complement Carry Flag

Opcode   Instruction   Clocks   Description
F5       CMC           2        Complement carry flag

FLAGS MODIFIED
Carry

FLAGS UNDEFINED
None

OPERATION
CMC reverses the setting of the carry flag. No other flags are affected.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

CMP - Compare Two Operands

Opcode      Instruction   Clocks    Description
3C db       CMP AL,db     3         Compare immediate byte from AL
3D dw       CMP AX,dw     3         Compare immediate word from AX
80 /7 db    CMP eb,db     3,mem=6   Compare immediate byte from EA byte
38 /r       CMP eb,rb     2,mem=7   Compare byte register from EA byte
83 /7 db    CMP ew,db     3,mem=6   Compare immediate byte from EA word
81 /7 dw    CMP ew,dw     3,mem=6   Compare immediate word from EA word
39 /r       CMP ew,rw     2,mem=7   Compare word register from EA word
3A /r       CMP rb,eb     2,mem=6   Compare EA byte from byte register
3B /r       CMP rw,ew     2,mem=6   Compare EA word from word register

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
CMP subtracts the second operand from the first operand, but it does not place the result anywhere. Only the flags are changed by this instruction. CMP is usually followed by a conditional jump instruction. See the "Jcond" instructions in this chapter for the list of signed and unsigned flag tests provided by the 80286.

If a word operand is compared to an immediate byte value, the byte value is first sign-extended.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
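
Returning to the ARPL entry earlier in this chapter: the C model below is an added example, not code from the manual, showing why a level-0 routine applies ARPL to a selector it receives as a parameter before loading it. The service_may_load helper, the selector values and the segment DPLs are constructed for illustration; the data-segment load rule it uses (DPL numerically at least CPL and at least RPL) is taken as the standard 80286 check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The bottom two bits of a selector are its RPL. Numerically larger means
 * less privileged: 0 is the operating system, 3 is applications. */
static unsigned rpl_of(uint16_t selector)
{
    return selector & 3u;
}

/* ARPL ew,rw as the manual defines it: if RPL(dest) < RPL(src), raise
 * RPL(dest) to RPL(src) and return ZF = 1; otherwise leave dest unchanged
 * and return ZF = 0. */
static bool arpl(uint16_t *dest, uint16_t src)
{
    if (rpl_of(*dest) < rpl_of(src)) {
        *dest = (uint16_t)((*dest & 0xFFFCu) | rpl_of(src));
        return true;
    }
    return false;
}

/* Data-segment load rule (assumption stated in the lead-in):
 * DPL must be >= CPL and DPL must be >= RPL. */
static bool data_load_allowed(unsigned seg_dpl, unsigned cpl, uint16_t selector)
{
    return seg_dpl >= cpl && seg_dpl >= rpl_of(selector);
}

/* Hypothetical level-0 service that is handed a selector by its caller.
 * caller_cs is the CS value saved by the CALL; its RPL is the caller's
 * privilege level. With adjust == false the service uses the parameter as
 * passed; with adjust == true it runs ARPL against the caller's CS first. */
static bool service_may_load(uint16_t param, uint16_t caller_cs,
                             unsigned seg_dpl, bool adjust)
{
    const unsigned service_cpl = 0;

    if (adjust)
        (void)arpl(&param, caller_cs);
    return data_load_allowed(seg_dpl, service_cpl, param);
}

int main(void)
{
    /* Constructed values: descriptor index 1 with RPL 0, passed by a caller
     * whose CS has RPL 3, naming a segment whose DPL is 0. */
    uint16_t param = 0x0008, caller_cs = 0x0023;

    printf("without ARPL: load %s\n",
           service_may_load(param, caller_cs, 0, false) ? "allowed" : "refused");
    printf("with ARPL:    load %s\n",
           service_may_load(param, caller_cs, 0, true) ? "allowed" : "refused");
    return 0;
}
```

Without the adjustment the check is made against the service's own level 0 and passes; after ARPL the selector carries the caller's RPL 3, so the same load of a DPL 0 segment is refused while a DPL 3 segment stays reachable.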

CMPS/CMPSB/CMPSW - Compare string operands

Opcode   Instruction    Clocks   Description
A6       CMPS mb,mb     8        Compare bytes ES:[DI] from [SI]
A6       CMPSB          8        Compare bytes ES:[DI] from DS:[SI]
A7       CMPSW          8        Compare words ES:[DI] from DS:[SI]

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
CMPS compares the byte or word pointed to by SI with the byte or word pointed to by DI by performing the subtraction [SI] - [DI]. The result is not placed anywhere; only the flags reflect the result of the subtraction. The types of the operands to CMPS determine whether bytes or words are compared. The segment addressability of the first (SI) operand determines whether a segment override byte will be produced or whether the default segment register DS is used. The second (DI) operand must be addressable from the ES register; no segment override is possible.

After the comparison is made, both SI and DI are automatically advanced. If the direction flag is 0 (CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the registers decrement. The registers increment or decrement by 1 if a byte was moved; by 2 if a word was moved.

CMPS can be preceded by the REPE or REPNE prefix for block comparison of CX bytes or words. Refer to the REP instruction for details of this operation.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

CWD - Convert Word to Doubleword

Opcode   Instruction   Clocks   Description
99       CWD           2        Convert word to doubleword (DX:AX = AX)

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
CWD converts the signed word in AX to a signed doubleword in DX:AX. It does so by extending the top bit of AX into all the bits of DX.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

DAA - Decimal Adjust AL After Addition

Opcode   Instruction   Clocks   Description
27       DAA           3        Decimal adjust AL after addition

FLAGS MODIFIED
Sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
Overflow

OPERATION
DAA should be executed only after an ADD instruction which leaves a two-BCD-digit byte result in the AL register. The ADD operands should consist of two packed BCD digits. In this case, the DAA instruction will adjust AL to contain the correct two-digit packed decimal result.

The precise definition of DAA is as follows:

1. If the lower 4 bits of AL are greater than nine, or if the auxiliary carry flag is 1, then increment AL by 6, and set the auxiliary carry flag. Otherwise, reset the auxiliary carry flag.

2. If AL is now greater than 9FH, or if the carry flag is set, then increment AL by 60H, and set the carry flag. Otherwise, clear the carry flag.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

DAS - Decimal Adjust AL After Subtraction

Opcode   Instruction   Clocks   Description
2F       DAS           3        Decimal adjust AL after subtraction

FLAGS MODIFIED
Sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
Overflow

OPERATION
DAS should be executed only after a subtraction instruction which leaves a two-BCD-digit byte result in the AL register. The operands should consist of two packed BCD digits. In this case, the DAS instruction will adjust AL to contain the correct packed two-digit decimal result.

The precise definition of DAS is as follows:

1. If the lower four bits of AL are greater than 9, or if the auxiliary carry flag is 1, then decrement AL by 6, and set the auxiliary carry flag. Otherwise, reset the auxiliary carry flag.

2. If AL is now greater than 9FH, or if the carry flag is set, then decrement AL by 60H, and set the carry flag. Otherwise, clear the carry flag.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

DEC - Decrement by 1

Opcode   Instruction   Clocks    Description
FE /1    DEC eb        2,mem=7   Decrement EA byte by 1
FF /1    DEC ew        2,mem=7   Decrement EA word by 1
48+rw    DEC rw        2         Decrement word register by 1

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity

FLAGS UNDEFINED
None

OPERATION
1 is subtracted from the operand. Note that the carry flag is not changed by this instruction. If you want the carry flag set, use the SUB instruction with a second operand of 1.

PROTECTED MODE EXCEPTIONS
#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

DIV - Unsigned Divide

Opcode   Instruction   Clocks      Description
F6 /6    DIV eb        14,mem=17   Unsigned divide AX by EA byte
F7 /6    DIV ew        22,mem=25   Unsigned divide DX:AX by EA word

FLAGS MODIFIED
None

FLAGS UNDEFINED
Overflow, sign, zero, auxiliary carry, parity, carry

OPERATION
DIV performs an unsigned divide. The dividend is implicit; only the divisor is given as an operand. If the source operand is a BYTE operand, divide AX by the byte. The quotient is stored in AL, and the remainder is stored in AH. If the source operand is a WORD operand, divide DX:AX by the word. The high-order 16 bits of the dividend are kept in DX. The quotient is stored in AX, and the remainder is stored in DX. Non-integral quotients are truncated towards 0. The remainder is always less than the dividend.

PROTECTED MODE EXCEPTIONS
Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is zero. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is zero. Interrupt 13 for a word operand at offset 0FFFFH.

ENTER - Make Stack Frame for Procedure Parameters

Opcode      Instruction   Clocks    Description
C8 dw 00    ENTER dw,0    11        Make stack frame for procedure parameters
C8 dw 01    ENTER dw,1    15        Make stack frame for procedure parameters
C8 dw db    ENTER dw,db   12+4db    Make stack frame for procedure parameters

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
ENTER is used to create the stack frame required by most block-structured high-level languages. The first operand specifies how many bytes of dynamic storage are to be allocated on the stack for the routine being entered. The second operand gives the lexical nesting level of the routine within the high-level-language source code. It determines how many stack frame pointers are copied into the new stack frame from the preceding frame. BP is used as the current stack frame pointer.

If the second operand is 0, ENTER pushes BP, sets BP to SP, and subtracts the first operand from SP.

For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 instruction at its entry point and a LEAVE instruction before every RET. The 12 local bytes would be addressed as negative offsets from [BP]. See also section 4.2.

The formal definition of the ENTER instruction for all cases is given by the following listing. LEVEL denotes the value of the second operand.

    LEVEL := LEVEL MOD 32
    Push BP
    Set a temporary value FRAME_PTR := SP
    If LEVEL > 0 then
        Repeat (LEVEL - 1) times:
            BP := BP - 2
            Push the word pointed to by BP
        End repeat
        Push FRAME_PTR
    End if
    BP := FRAME_PTR
    SP := SP - first operand

PROTECTED MODE EXCEPTIONS
#SS(0) if SP were to go outside of the stack limit within any part of the instruction execution.

REAL ADDRESS MODE EXCEPTIONS
None

HLT - Halt

Opcode   Instruction   Clocks   Description
F4       HLT           2        Halt

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
Successful execution of HLT causes the 80286 to cease executing instructions and to enter a HALT state. Execution resumes only upon receipt of an enabled interrupt or a reset. If an interrupt is used to resume program execution after HLT, the saved CS:IP value will point to the instruction that follows HLT.

PROTECTED MODE EXCEPTIONS
HLT is a privileged instruction. #GP(0) if the current privilege level is not 0.

REAL ADDRESS MODE EXCEPTIONS
None

IDIV - Signed Divide

Opcode   Instruction   Clocks      Description
F6 /7    IDIV eb       17,mem=20   Signed divide AX by EA byte (AL=Quo, AH=Rem)
F7 /7    IDIV ew       25,mem=28   Signed divide DX:AX by EA word (AX=Quo, DX=Rem)

FLAGS MODIFIED
None

FLAGS UNDEFINED
Overflow, sign, zero, auxiliary carry, parity, carry

OPERATION
IDIV performs a signed divide. The dividend is implicit; only the divisor is given as an operand. If the source operand is a BYTE operand, divide AX by the byte. The quotient is stored in AL, and the remainder is stored in AH. If the source operand is a WORD operand, divide DX:AX by the word. The high-order 16 bits of the dividend are in DX. The quotient is stored in AX, and the remainder is stored in DX. Non-integral quotients are truncated towards 0. The remainder has the same sign as the dividend and always has less magnitude than the dividend.

PROTECTED MODE EXCEPTIONS
Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is 0. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is 0. Interrupt 13 for a word operand at offset 0FFFFH.
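
The DIV and IDIV entries raise Interrupt 0 both for a zero divisor and for a quotient that does not fit the destination register, so code dividing by values it does not control needs a handler or a pre-check. The C model below is an added example, not code from the manual; the function names are hypothetical, and it assumes a signed quotient must fit the two's-complement range of AL or AX.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result of one divide. fault == true models Interrupt 0, in which case
 * quotient and remainder are not meaningful. */
struct div_result {
    bool fault;
    uint16_t quotient;  /* AL (byte forms) or AX (word forms) */
    uint16_t remainder; /* AH (byte forms) or DX (word forms) */
};

static const struct div_result DIVIDE_ERROR = { true, 0, 0 };

/* Interpret the low `bits` bits of v as a two's-complement number. */
static int64_t sign_extend(uint32_t v, unsigned bits)
{
    uint32_t sign = (uint32_t)1 << (bits - 1);
    return (int64_t)(v ^ sign) - (int64_t)sign;
}

/* Unsigned core shared by DIV eb (qmax 0xFF) and DIV ew (qmax 0xFFFF). */
static struct div_result udivide(uint32_t dividend, uint32_t divisor, uint32_t qmax)
{
    if (divisor == 0 || dividend / divisor > qmax)
        return DIVIDE_ERROR;
    struct div_result r = { false, (uint16_t)(dividend / divisor),
                            (uint16_t)(dividend % divisor) };
    return r;
}

/* Signed core. C division truncates toward zero and the remainder takes the
 * sign of the dividend, matching the IDIV description. 64-bit operands keep
 * the most negative dividend divided by -1 from overflowing in the model. */
static struct div_result sdivide(int64_t dividend, int64_t divisor,
                                 int64_t qmin, int64_t qmax)
{
    if (divisor == 0)
        return DIVIDE_ERROR;
    int64_t q = dividend / divisor;
    if (q < qmin || q > qmax)
        return DIVIDE_ERROR;
    struct div_result r = { false, (uint16_t)q, (uint16_t)(dividend % divisor) };
    return r;
}

static struct div_result div8(uint16_t ax, uint8_t divisor)
{
    return udivide(ax, divisor, 0xFF);
}

static struct div_result div16(uint16_t dx, uint16_t ax, uint16_t divisor)
{
    return udivide(((uint32_t)dx << 16) | ax, divisor, 0xFFFF);
}

static struct div_result idiv8(uint16_t ax, uint8_t divisor)
{
    struct div_result r = sdivide(sign_extend(ax, 16), sign_extend(divisor, 8),
                                  -128, 127);
    r.quotient &= 0xFF;   /* AL */
    r.remainder &= 0xFF;  /* AH */
    return r;
}

static struct div_result idiv16(uint16_t dx, uint16_t ax, uint16_t divisor)
{
    return sdivide(sign_extend(((uint32_t)dx << 16) | ax, 32),
                   sign_extend(divisor, 16), -32768, 32767);
}

/* Pre-checks for the unsigned forms: the divide completes exactly when the
 * high half of the dividend is below the divisor (a zero divisor fails too). */
static bool div8_safe(uint16_t ax, uint8_t divisor) { return (ax >> 8) < divisor; }
static bool div16_safe(uint16_t dx, uint16_t divisor) { return dx < divisor; }

/* Exhaustively compare div8_safe with the model; returns the mismatch count. */
static unsigned long div8_precheck_mismatches(void)
{
    unsigned long bad = 0;
    for (uint32_t ax = 0; ax <= 0xFFFF; ax++)
        for (uint32_t d = 0; d <= 0xFF; d++)
            if (div8((uint16_t)ax, (uint8_t)d).fault ==
                div8_safe((uint16_t)ax, (uint8_t)d))
                bad++;
    return bad;
}

int main(void)
{
    /* Constructed operands. */
    printf("DIV  AX=0200h by 01h:        fault=%d\n", div8(0x0200, 1).fault);
    printf("IDIV AX=8000h by FFh (-1):   fault=%d\n", idiv8(0x8000, 0xFF).fault);
    printf("DIV  DX=1 by 1 precheck ok:  %d\n", div16_safe(1, 1));
    printf("IDIV DX:AX=-7 by 2: AX=%04Xh\n", idiv16(0xFFFF, 0xFFF9, 2).quotient);
    printf("div8 precheck mismatches:    %lu\n", div8_precheck_mismatches());
    return 0;
}
```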

IMUL - Signed Multiply

Opcode      Instruction      Clocks      Description
F6 /5       IMUL eb          13,mem=16   Signed multiply (AX = AL × EA byte)
F7 /5       IMUL ew          21,mem=24   Signed multiply (DX:AX = AX × EA word)
6B /r db    IMUL rw,db       21,mem=24   Signed multiply imm. byte into word reg.
69 /r dw    IMUL rw,ew,dw    21,mem=24   Signed multiply (rw = EA word × imm. word)
6B /r db    IMUL rw,ew,db    21,mem=24   Signed multiply (rw = EA word × imm. byte)

FLAGS MODIFIED
Overflow, carry

FLAGS UNDEFINED
Sign, zero, auxiliary carry, parity

OPERATION
IMUL performs signed multiplication. If IMUL has a single byte source operand, then the source is multiplied by AL and the 16-bit signed result is left in AX. Carry and overflow are set to 0 if AH is a sign extension of AL; they are set to 1 otherwise.

If IMUL has a single word source operand, then the source operand is multiplied by AX and the 32-bit signed result is left in DX:AX. DX contains the high-order 16 bits of the product. Carry and overflow are set to 0 if DX is a sign extension of AX; they are set to 1 otherwise.

If IMUL has three operands, then the second operand (an effective address word) is multiplied by the third operand (an immediate word), and the 16 bits of the result are placed in the first operand (a word register). Carry and overflow are set to 0 if the result fits in a signed word (between -32768 and +32767, inclusive); they are set to 1 otherwise.

NOTE
The low 16 bits of the product of a 16-bit signed multiply are the same as those of an unsigned multiply. The three operand IMUL instruction can be used for unsigned operands as well.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
IN-Input from Port

Opcode   Instruction   Clocks   Description
E4 db    IN AL,db      5        Input byte from immediate port into AL
EC       IN AL,DX      5        Input byte from port DX into AL
E5 db    IN AX,db      5        Input word from immediate port into AX
ED       IN AX,DX      5        Input word from port DX into AX

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
IN transfers a data byte or data word from the port numbered by the second operand into the register (AL or AX) given as the first operand. You can access any port from 0 to 65535 by placing the port number in the DX register then using an IN instruction with DX as the second parameter. These I/O instructions can be shortened by using an 8-bit port I/O in the instruction. The upper 8 bits of the port address will be zero when an 8-bit port I/O is used.

Intel has reserved I/O port addresses 00F8H through 00FFH; they should not be used.

PROTECTED MODE EXCEPTIONS
#GP(0) if the current privilege level is bigger (has less privilege) than IOPL, which is the privilege level found in the flags register.

REAL ADDRESS MODE EXCEPTIONS
None

INC-Increment by 1

Opcode   Instruction   Clocks    Description
FE /0    INC eb        2,mem=7   Increment EA byte by 1
FF /0    INC ew        2,mem=7   Increment EA word by 1
40+rw    INC rw        2         Increment word register by 1

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity

FLAGS UNDEFINED
None

OPERATION
1 is added to the operand. Note that the carry flag is not changed by this instruction. If you want the carry flag set, use the ADD instruction with a second operand of 1.

PROTECTED MODE EXCEPTIONS
#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
INS/INSB/INSW-Input from Port to String

Opcode   Instruction   Clocks   Description
6C       INS eb,DX     5        Input byte from port DX into ES:[DI]
6D       INS ew,DX     5        Input word from port DX into ES:[DI]
6C       INSB          5        Input byte from port DX into ES:[DI]
6D       INSW          5        Input word from port DX into ES:[DI]

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
INS transfers data from the input port numbered by the DX register to the memory byte or word at ES:DI. The memory operand must be addressable from the ES register; no segment override is possible.

INS does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register.

After the transfer is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed), DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

INS can be preceded by the REP prefix for block input of CX bytes or words. Refer to the REP instruction for details of this operation.

Intel has reserved I/O port addresses 00F8H through 00FFH; they should not be used.

NOTE
Not all input port devices can handle the rate at which this instruction transfers input data to memory.

PROTECTED MODE EXCEPTIONS
#GP(0) if CPL > IOPL. #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
INT/INTO-Call to Interrupt Procedure

Opcode   Instruction   Clocks(1)       Description
CC       INT 3         23(2)           Interrupt 3 (trap to debugger)
CC       INT 3         40              Interrupt 3, protected mode, same privilege
CC       INT 3         78              Interrupt 3, protected mode, more privilege
CC       INT 3         167             Interrupt 3, protected mode, via task gate
CD db    INT db        23(2)           Interrupt numbered by immediate byte
CD db    INT db        40              Interrupt, protected mode, same privilege
CD db    INT db        78              Interrupt, protected mode, more privilege
CD db    INT db        167             Interrupt, protected mode, via task gate
CE       INTO          24,noj=3(2)     Interrupt 4 if overflow flag is 1

(1) = Add one clock for each byte of the next instruction executed.
(2) = (real mode)

FLAGS MODIFIED
All if a task switch takes place; Trap Flag reset if no task switch takes place. Interrupt Flag is always reset in Real Mode, and reset in Protected Mode when INT references an interrupt gate.

FLAGS UNDEFINED
None

OPERATION
The INT instruction generates via software a call to an interrupt procedure. The immediate operand, from 0 to 255, gives the index number into the Interrupt Descriptor Table of the interrupt routine to be called. In protected mode, the IDT consists of 8-byte descriptors; the descriptor for the interrupt invoked must indicate an interrupt gate, a trap gate, or a task gate. In real address mode, the IDT is an array of 4-byte long pointers at the fixed location 00000H.

The INTO instruction is identical to the INT instruction except that the interrupt number is implicitly 4, and the interrupt is made only if the overflow flag of the 80286 is on. The clock counts for the four forms of INT db are valid for INTO, with the number of clocks increased by 1 for the overflow flag test.

The first 32 interrupts are reserved by Intel for systems use. Some of these interrupts are exception handlers for internally-generated faults. Most of these exception handlers should not be invoked with the INT instruction.

Generally, interrupts behave like far CALLs except that the flags register is pushed onto the stack before the return address. Interrupt procedures return via the IRET instruction, which pops the flags from the stack.

In Real Address mode, INT pushes the flags, CS and the return IP onto the stack in that order, then resets the Trap Flag, then jumps to the long pointer indexed by the interrupt number, in the interrupt vector table.

In Protected mode, INT also resets the Trap Flag. In Protected mode, the precise semantics of the INT instruction are given by the following:

INTERRUPT
   Interrupt vector must be within IDT table limits else #GP (vector number X 8+2+EXT)
   Descriptor AR byte must indicate interrupt gate, trap gate, or task gate else #GP (vector number X 8+2+EXT)
   If INT instruction then gate descriptor DPL must be ≥ CPL else #GP (vector number X 8+2+EXT)
   Gate must be PRESENT else #NP (vector number X 8+2+EXT)
   If TRAP GATE or INTERRUPT GATE:
      Examine CS selector and descriptor given in the gate descriptor:
         Selector must be non-null else #GP (EXT)
         Selector must be within its descriptor table limits else #GP (selector+EXT)
         Descriptor AR byte must indicate code segment else #GP (selector+EXT)
         Segment must be PRESENT else #NP (selector+EXT)
      If code segment is non-conforming and DPL < CPL then
         INTERRUPT TO INNER PRIVILEGE:
            Check selector and descriptor for new stack in current Task State Segment:
               Selector must be non-null else #TS(EXT)
               Selector index must be within its descriptor table limits else #TS (SS selector+EXT)
               Selector's RPL must equal DPL of code segment else #TS (SS selector+EXT)
               Stack segment DPL must equal DPL of code segment else #TS (SS selector+EXT)
               Descriptor must indicate writable data segment else #TS (SS selector+EXT)
               Segment must be PRESENT else #SS (SS selector+EXT)
            New stack must have room for 10 bytes else #SS(0)
            IP must be in CS limit else #GP(0)
            Load new SS and SP value from TSS
            Load new CS and IP value from gate
            Load CS descriptor
            Load SS descriptor
            Push long pointer to old stack onto new stack
            Push return address onto new stack
            Set CPL to new code segment DPL
            Set RPL of CS to CPL
            If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
            Set the Trap Flag to 0
            Set the Nested Task Flag to 0
      If code segment is conforming or code segment DPL = CPL then
         INTERRUPT TO SAME PRIVILEGE LEVEL:
            Current stack limits must allow pushing 6 bytes else #SS(0)
            If interrupt was caused by fault with error code then
               Stack limits must allow push of two more bytes else #SS(0)
            IP must be in CS limit else #GP(0)
            Push flags onto stack
            Push current CS selector onto stack
            Push return offset onto stack
            Load CS:IP from gate
            Load CS descriptor
            Set the RPL field of CS to CPL
            Push error code (if any) onto stack
            If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
            Set the Trap Flag to 0
            Set the Nested Task Flag to 0
      Else #GP (CS selector+EXT)
   If TASK GATE:
      Examine selector to TSS, given in Task Gate descriptor:
         Must specify global in the local/global bit else #GP (TSS selector)
         Index must be within GDT limits else #GP (TSS selector)
         AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
         Task State Segment must be PRESENT else #NP (TSS selector)
      SWITCH_TASKS with nesting to TSS
      If interrupt was caused by fault with error code then
         Stack limits must allow push of two more bytes else #SS(0)
         Push error code onto stack
      IP must be in CS limit else #GP(0)

NOTE
EXT is 1 if an external event (i.e., a single step, an external interrupt, an MF exception, or an MP exception) caused the interrupt; 0 if not (i.e., an INT instruction or other exceptions).

PROTECTED MODE EXCEPTIONS
#GP, #NP, #SS, and #TS, as indicated in the list above.

REAL ADDRESS MODE EXCEPTIONS
None; the 80286 will shut down if the SP = 1, 3, or 5 before executing the INT or INTO instruction, due to lack of stack space.

IRET-Interrupt Return

Opcode   Instruction   Clocks*     Description
CF       IRET          17,pm=31    Interrupt return (far return and pop flags)
CF       IRET          55          Interrupt return, lesser privilege
CF       IRET          169         Interrupt return, different task (NT=1)

*Add one clock for each byte in the next instruction executed.

FLAGS MODIFIED
Entire flags register popped from stack

FLAGS UNDEFINED
None

OPERATION
In real address mode, IRET pops IP, CS, and FLAGS from the stack in that order, and resumes the interrupted routine.

In protected mode, the action of IRET depends on the setting of the Nested Task Flag (NT) bit in the flag register. When popping the new flag image from the stack, note that the IOPL bits in the flag register are changed only when CPL=0.

If NT=0, IRET returns from an interrupt procedure without a task switch. The code returned to must be equally or less privileged than the interrupt routine as indicated by the RPL bits of the CS selector popped from the stack. If the destination code is of less privilege, IRET then also pops SP and SS from the stack.

If NT=1, IRET reverses the operation of a CALL or INT that caused a task switch. The task executing IRET has its updated state saved in its Task State Segment. This means that if the task is reentered, the code that follows IRET will be executed.

The exact checks and actions performed by IRET in protected mode are given on the following page.
INTERRUPT RETURN:
   If Nested Task Flag=1 then
      RETURN FROM NESTED TASK:
         Examine Back Link Selector in TSS addressed by the current Task Register:
            Must specify global in the local/global bit else #TS (new TSS selector)
            Index must be within GDT limits else #TS (new TSS selector)
            AR byte must specify TSS else #TS (new TSS selector)
            New TSS must be busy else #TS (new TSS selector)
            Task State Segment must be PRESENT else #NP (new TSS selector)
         SWITCH_TASKS without nesting to TSS specified by back link selector
         Mark the task just abandoned as NOT BUSY
         IP must be in code segment limit else #GP(0)
   If Nested Task Flag=0 then
      INTERRUPT RETURN ON STACK:
         Second word on stack must be within stack limits else #SS(0)
         Return CS selector RPL must be ≥ CPL else #GP (Return selector)
         If return selector RPL = CPL then
            INTERRUPT RETURN TO SAME LEVEL:
               Top 6 bytes on stack must be within limits else #SS(0)
               Return CS selector (at SP+2) must be non-null else #GP(0)
               Selector index must be within its descriptor table limits else #GP (Return selector)
               AR byte must indicate code segment else #GP (Return selector)
               If non-conforming then code segment DPL must = CPL else #GP (Return selector)
               If conforming then code segment DPL must be ≤ CPL else #GP (Return selector)
               Segment must be PRESENT else #NP (Return selector)
               IP must be in code segment limit else #GP(0)
               Load CS:IP from stack
               Load CS-cache with new code segment descriptor
               Load flags with third word on stack
               Increment SP by 6
         Else
            INTERRUPT RETURN TO OUTER PRIVILEGE LEVEL:
               Top 10 bytes on stack must be within limits else #SS(0)
               Examine return CS selector (at SP+2) and associated descriptor:
                  Selector must be non-null else #GP(0)
                  Selector index must be within its descriptor table limits else #GP (Return selector)
                  AR byte must indicate code segment else #GP (Return selector)
                  If non-conforming then code segment DPL must = CS selector RPL else #GP (Return selector)
                  If conforming then code segment DPL must be > CPL else #GP (Return selector)
                  Segment must be PRESENT else #NP (Return selector)
               Examine return SS selector (at SP+8) and associated descriptor:
                  Selector must be non-null else #GP(0)
                  Selector index must be within its descriptor table limits else #GP (SS selector)
                  Selector RPL must equal the RPL of the return CS selector else #GP (SS selector)
                  AR byte must indicate a writable data segment else #GP (SS selector)
                  Stack segment DPL must equal the RPL of the return CS selector else #GP (SS selector)
                  SS must be PRESENT else #SS (SS selector)
               IP must be in code segment limit else #GP(0)
               Load CS:IP from stack
               Load flags with values at (SP+4)
               Load SS:SP from stack
               Set CPL to the RPL of the return CS selector
               Load the CS-cache with the CS descriptor
               Load the SS-cache with the SS descriptor
               For each of ES and DS:
                  If the current register setting is not valid for the outer level, then zero the register and clear the valid flag
                  To be valid, the register setting must satisfy the following properties:
                     Selector index must be within descriptor table limits
                     AR byte must indicate data or readable code segment
                     If segment is data or non-conforming code, then:
                        DPL must be ≥ CPL, or
                        DPL must be ≥ RPL.

PROTECTED MODE EXCEPTIONS
#GP, #NP, or #SS, as indicated in the above listing.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 if the stack is popped when it has offset 0FFFFH.
Jcond-Jump Short If Condition Met

Opcode   Instruction   Clocks*    Description
77 cb    JA cb         7,noj=3    Jump short if above (CF=0 and ZF=0)
73 cb    JAE cb        7,noj=3    Jump short if above or equal (CF=0)
72 cb    JB cb         7,noj=3    Jump short if below (CF=1)
76 cb    JBE cb        7,noj=3    Jump short if below or equal (CF=1 or ZF=1)
72 cb    JC cb         7,noj=3    Jump short if carry (CF=1)
E3 cb    JCXZ cb       8,noj=4    Jump short if CX register is zero
74 cb    JE cb         7,noj=3    Jump short if equal (ZF=1)
7F cb    JG cb         7,noj=3    Jump short if greater (ZF=0 and SF=OF)
7D cb    JGE cb        7,noj=3    Jump short if greater or equal (SF=OF)
7C cb    JL cb         7,noj=3    Jump short if less (SF/=OF)
7E cb    JLE cb        7,noj=3    Jump short if less or equal (ZF=1 or SF/=OF)
76 cb    JNA cb        7,noj=3    Jump short if not above (CF=1 or ZF=1)
72 cb    JNAE cb       7,noj=3    Jump short if not above/equal (CF=1)
73 cb    JNB cb        7,noj=3    Jump short if not below (CF=0)
77 cb    JNBE cb       7,noj=3    Jump short if not below/equal (CF=0 and ZF=0)
73 cb    JNC cb        7,noj=3    Jump short if not carry (CF=0)
75 cb    JNE cb        7,noj=3    Jump short if not equal (ZF=0)
7E cb    JNG cb        7,noj=3    Jump short if not greater (ZF=1 or SF/=OF)
7C cb    JNGE cb       7,noj=3    Jump short if not greater/equal (SF/=OF)
7D cb    JNL cb        7,noj=3    Jump short if not less (SF=OF)
7F cb    JNLE cb       7,noj=3    Jump short if not less/equal (ZF=0 and SF=OF)
71 cb    JNO cb        7,noj=3    Jump short if not overflow (OF=0)
7B cb    JNP cb        7,noj=3    Jump short if not parity (PF=0)
79 cb    JNS cb        7,noj=3    Jump short if not sign (SF=0)
75 cb    JNZ cb        7,noj=3    Jump short if not zero (ZF=0)
70 cb    JO cb         7,noj=3    Jump short if overflow (OF=1)
7A cb    JP cb         7,noj=3    Jump short if parity (PF=1)
7A cb    JPE cb        7,noj=3    Jump short if parity even (PF=1)
7B cb    JPO cb        7,noj=3    Jump short if parity odd (PF=0)
78 cb    JS cb         7,noj=3    Jump short if sign (SF=1)
74 cb    JZ cb         7,noj=3    Jump short if zero (ZF=1)

*When a jump is taken, add one clock for every byte of the next instruction executed.
FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
Conditional jumps (except for JCXZ, explained below) test the flags, which presumably have been set in some meaningful way by a previous instruction. The conditions for each mnemonic are given in parentheses after each description above. The terms "less" and "greater" are used for comparing signed integers; "above" and "below" are used for unsigned integers.

If the given condition is true, then a short jump is made to the label provided as the operand. Instruction encoding is most efficient when the target for the conditional jump is in the current code segment and within -128 to +127 bytes of the first byte of the next instruction. Alternatively, the opposite sense (e.g., JNZ has opposite sense to that of JZ) of the conditional jump can skip around an unconditional jump to the destination.

This range is necessary for the assembler to construct a one-byte signed displacement from the end of the current instruction. If the label is out-of-range, or if the label is a FAR label, then you must perform a jump with the opposite condition around an unconditional jump to the non-short label.

Because there are, in many instances, several ways to interpret a particular state of the flags, ASM286 provides more than one mnemonic for most of the conditional jump opcodes. For example, consider that a programmer who has just compared a character to another in AL might wish to jump if the two were equal (JE), while another programmer who had just ANDed AX with a bit field mask would prefer to consider only whether the result was zero or not (he would use JZ, a synonym for JE).

JCXZ differs from the other conditional jumps in that it actually tests the contents of the CX register for zero, rather than interrogating the flags. This instruction is useful following a conditionally repeated string operation (REPE SCASB, for example) or a conditional loop instruction (such as LOOPNE TARGETLABEL).
These instructions implicitly use a limiting count in the CX register. Looping (repeating) ends when either the CX register goes to zero or the condition specified in the instruction (flags indicating equals in both of the above cases) occurs. JCXZ is useful when the terminations must be handled differently.

PROTECTED MODE EXCEPTIONS
#GP(0) if the offset jumped to is beyond the limits of the code segment.

REAL ADDRESS MODE EXCEPTIONS
None

JMP-Jump

Opcode   Instruction   Clocks*     Description
EB cb    JMP cb        7           Jump short
EA cd    JMP cd        180         Jump to task gate
E9 cw    JMP cw        7           Jump near
EA cd    JMP cd        11,pm=23    Jump far (4-byte immediate address)
EA cd    JMP cd        38          Jump to call gate, same privilege
EA cd    JMP cd        175         Jump via Task State Segment
FF /4    JMP ew        7,mem=11    Jump near to EA word (absolute offset)
FF /5    JMP ed        15,pm=26    Jump far (4-byte effective address in memory doubleword)
FF /5    JMP ed        41          Jump to call gate, same privilege
FF /5    JMP ed        178         Jump via Task State Segment
FF /5    JMP ed        183         Jump to task gate

*Add one clock for every byte of the next instruction executed.

FLAGS MODIFIED
All if a task switch takes place; none if no task switch occurs.

FLAGS UNDEFINED
None

OPERATION
The JMP instruction transfers program control to a different instruction stream without recording any return information.

For inter-segment jumps, the destination can be a code segment, a call gate, a task gate, or a Task State Segment. The latter two destinations cause a complete task switch to take place.

Control transfers within a segment use the JMP cw or JMP cb forms. The operand is a relative offset added modulo 65536 to the offset of the instruction that follows the JMP. The result is the new value of IP; the value of CS is unchanged. The byte operand is sign-extended before it is added; it can therefore be used to address labels within 128 bytes in either direction from the next instruction.

Indirect jumps within a segment use the JMP ew form.
The contents of the register or memory operand is an absolute offset, which becomes the new value of IP. Again, CS is unchanged.

Inter-segment jumps in real address mode simply set IP to the offset part of the long pointer and set CS to the selector part of the pointer.

In protected mode, inter-segment jumps cause the 80286 to consult the descriptor addressed by the selector part of the long pointer. The AR byte of the descriptor determines the type of the destination. (See table B-3 for possible values of the AR byte.) Following are the possible destinations:

1. Code segment-The addressability and visibility of the destination are verified, and CS and IP are loaded with the destination pointer values.
2. Call gate-The offset part of the destination pointer is ignored. After checking for validity, the processor jumps to the location stored in the call gate descriptor.
3. Task gate-The current task's state is saved in its Task State Segment (TSS), and the TSS named in the task gate is used to load a new context. The outgoing task is marked not busy, the new TSS is marked busy, and execution resumes at the point at which the new task was last suspended.
4. TSS-The current task is suspended and the new task is initiated as in 3 above except that there is no intervening gate.
Following is the list of checks and actions taken for long jumps in protected mode:

JUMP FAR:
   If indirect then check access of EA doubleword #GP(0) or #SS(0) if limit violation
   Destination selector is not null else #GP(0)
   Destination selector index is within its descriptor table limits else #GP (selector)
   Examine AR byte of destination selector for legal values:
      JUMP CONFORMING CODE SEGMENT:
         Descriptor DPL must be ≤ CPL else #GP (selector)
         Segment must be PRESENT else #NP (selector)
         IP must be in code segment limit else #GP(0)
         Load CS:IP from destination pointer
         Load CS-cache with new segment descriptor
      JUMP NONCONFORMING CODE SEGMENT:
         RPL of destination selector must be ≤ CPL else #GP (selector)
         Descriptor DPL must = CPL else #GP (selector)
         Segment must be PRESENT else #NP (selector)
         IP must be in code segment limit else #GP(0)
         Load CS:IP from destination pointer
         Load CS-cache with new segment descriptor
         Set RPL field of CS register to CPL
      JUMP TO CALL GATE:
         Descriptor DPL must be ≥ CPL else #GP (gate selector)
         Descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
         Gate must be PRESENT else #NP (gate selector)
         Examine selector to code segment given in call gate descriptor:
            Selector must not be null else #GP(0)
            Selector must be within its descriptor table limits else #GP (CS selector)
            Descriptor AR byte must indicate code segment else #GP (CS selector)
            If non-conforming, code segment descriptor DPL must = CPL else #GP (CS selector)
            If conforming, then code segment descriptor DPL must be ≤ CPL else #GP (CS selector)
            Code Segment must be PRESENT else #NP (CS selector)
            IP must be in code segment limit else #GP(0)
            Load CS:IP from call gate
            Load CS-cache with new code segment
            Set RPL of CS to CPL
      JUMP TASK GATE:
         Gate descriptor DPL must be ≥ CPL else #GP (gate selector)
         Gate descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
         Task Gate must be PRESENT else #NP (gate selector)
         Examine selector to TSS, given in Task Gate descriptor:
            Must specify global in the local/global bit else #GP (TSS selector)
            Index must be within GDT limits else #GP (TSS selector)
            Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
            Task State Segment must be PRESENT else #NP (TSS selector)
         SWITCH_TASKS without nesting to TSS
         IP must be in code segment limit else #GP(0)
      JUMP TASK STATE SEGMENT:
         TSS DPL must be ≥ CPL else #GP (TSS selector)
         TSS DPL must be ≥ TSS selector RPL else #GP (TSS selector)
         Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
         Task State Segment must be PRESENT else #NP (TSS selector)
         SWITCH_TASKS with nesting to TSS
         IP must be in code segment limit else #GP(0)
      Else #GP (selector)

PROTECTED MODE EXCEPTIONS
For NEAR jumps, #GP(0) if the destination offset is beyond the limits of the current code segment. For FAR jumps, #GP, #NP, #SS, and #TS, as indicated above. #UD if indirect inter-segment jump operand is a register.

REAL ADDRESS MODE EXCEPTIONS
#UD if indirect inter-segment jump operand is a register.

LAHF-Load Flags into AH Register

Opcode   Instruction   Clocks   Description
9F       LAHF          2        Load: AH = flags SF ZF xx AF xx PF xx CF

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The low byte of the flags word is transferred to AH. The bits, from MSB to LSB, are as follows: sign, zero, indeterminate, auxiliary carry, indeterminate, parity, indeterminate, and carry. See figure 3-5.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

LAR-Load Access Rights Byte

Opcode     Instruction   Clocks      Description
0F 02 /r   LAR rw,ew     14,mem=16   Load: high(rw) = Access Rights byte, selector ew

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION
LAR expects the second operand (memory or register word) to contain a selector.
If the associated descriptor is visible at the current privilege level and at the selector RPL, then the access rights byte of the descriptor is loaded into the high byte of the first (register) operand, and the low byte is set to zero. The zero flag is set if the loading was performed (i.e., the selector index is within the table limit, descriptor DPL ≥ CPL, and descriptor DPL ≥ selector RPL); the zero flag is cleared otherwise.

Selector operands cannot cause protection exceptions.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
INTERRUPT 6; LAR is unrecognized in Real Address mode.

LDS/LES-Load Doubleword Pointer

Opcode   Instruction   Clocks    Description
C5 /r    LDS rw,ed     7,pm=21   Load EA doubleword into DS and word register
C4 /r    LES rw,ed     7,pm=21   Load EA doubleword into ES and word register

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The four-byte pointer at the memory location indicated by the second operand is loaded into a segment register and a word register. The first word of the pointer (the offset) is loaded into the register indicated by the first operand. The last word of the pointer (the selector) is loaded into the segment register (DS or ES) given by the instruction opcode.

When the segment register is loaded, its associated cache is also loaded. The data for the cache is obtained from the descriptor table entry for the selector given.

A null selector (values 0000-0003) can be loaded into DS or ES without a protection exception. Any memory reference using such a segment register value will cause a #GP(0) exception but will not result in a memory reference. The saved segment register value will be null.
Following is a list of checks and actions taken when loading the DS or ES registers:

If selector is non-null then:
   Selector index must be within its descriptor table limits else #GP (selector)
   Examine descriptor AR byte:
      Data segment or readable non-conforming code segment
         Descriptor DPL ≥ CPL else #GP (selector)
         Descriptor DPL ≥ selector RPL else #GP (selector)
      Readable conforming code segment
         No DPL, RPL, or CPL checks
      Else #GP (selector)
   Segment must be present else #NP (selector)
   Load registers from operand
   Load segment register descriptor cache
If selector is null then:
   Load registers from operand
   Mark segment register cache as invalid

PROTECTED MODE EXCEPTIONS
#GP or #NP, as indicated in the list above. #GP(0) or #SS(0) if operand lies outside segment limit. #UD if the source operand is a register.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for operand at offset 0FFFFH or 0FFFDH. #UD if the source operand is a register.

LEA-Load Effective Address Offset

Opcode   Instruction   Clocks   Description
8D /r    LEA rw,m      3        Calculate EA offset given by m, place in rw

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The effective address (offset part) of the second operand is placed in the first (register) operand.

PROTECTED MODE EXCEPTIONS
#UD if second operand is a register.

REAL ADDRESS MODE EXCEPTIONS
#UD if second operand is a register.

LEAVE-High Level Procedure Exit

Opcode   Instruction   Clocks   Description
C9       LEAVE         5        Set SP to BP, then POP BP

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
LEAVE is the complementary operation to ENTER; it reverses the effects of that instruction. By copying BP to SP, LEAVE releases the stack space used by a procedure for its dynamics and display.
The old frame pointer is now popped into BP, restoring the caller's frame, and a subsequent RET nn instruction will follow the back-link and remove any arguments pushed on the stack for the exiting procedure.

PROTECTED MODE EXCEPTIONS
#SS(0) if BP does not point to a location within the current stack segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

LGDT/LIDT-Load Global/Interrupt Descriptor Table Register

Opcode     Instruction   Clocks   Description
0F 01 /2   LGDT m        11       Load m into Global Descriptor Table reg
0F 01 /3   LIDT m        12       Load m into Interrupt Descriptor Table reg

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The Global or the Interrupt Descriptor Table Register is loaded from the six bytes of memory pointed to by the effective address operand (see figure 10.3). The LIMIT field of the descriptor table register loads from the first word; the next three bytes go to the BASE field of the register; the last byte is ignored.

LGDT and LIDT appear in operating systems software; they are not used in application programs. These are the only instructions that directly load a physical memory address in 80286 protected mode.

PROTECTED MODE EXCEPTIONS
#GP(0) if the current privilege level is not 0. #UD if source operand is a register. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
These instructions are valid in Real Address mode to allow the power-up initialization for Protected mode. Interrupt 13 for a word operand at offset 0FFFFH. #UD if source operand is a register.
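The six-byte LGDT/LIDT operand layout described above and the DS/ES load checklist given under LDS/LES, modeled in C as an added example (not code from the manual). The AR byte bit positions and the 8-byte descriptor layout are taken from the 80286 descriptor format rather than from this section; the function names, the sample GDT, and the sample operand are constructed for illustration, and the table passed in is assumed to be the one the selector's TI bit selects.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcomes of a DS/ES load, named after the faults in the checklist. */
enum seg_load { SEG_LOADED, SEG_NULL_INVALID, SEG_FAULT_GP, SEG_FAULT_NP };

/* Descriptor table register contents: 16-bit LIMIT, 24-bit physical BASE. */
struct dtr { uint16_t limit; uint32_t base; };

/* Access rights (AR) byte fields of an 80286 segment descriptor. */
#define AR_PRESENT 0x80u
#define AR_DPL(ar) (((unsigned)(ar) >> 5) & 3u)
#define AR_SEGMENT 0x10u   /* 1 = code or data segment, 0 = gate/system */
#define AR_EXEC    0x08u   /* 1 = code segment */
#define AR_CONFORM 0x04u   /* code segments only: conforming */
#define AR_READ    0x02u   /* code: readable (for data this bit means writable) */

/* Decode the LGDT/LIDT memory operand: first word is LIMIT, the next
   three bytes are BASE, the sixth byte is ignored. */
struct dtr decode_dtr_operand(const uint8_t m[6])
{
    struct dtr r;
    r.limit = (uint16_t)(m[0] | (m[1] << 8));
    r.base  = (uint32_t)m[2] | ((uint32_t)m[3] << 8) | ((uint32_t)m[4] << 16);
    return r;
}

/* Apply the DS/ES load checklist to `selector` at privilege level `cpl`.
   `table` holds the descriptor table bytes and `limit` is the offset of
   its last valid byte. */
enum seg_load check_data_seg_load(const uint8_t *table, uint16_t limit,
                                  uint16_t selector, unsigned cpl)
{
    unsigned rpl = selector & 3u;
    uint32_t offset = selector & 0xFFF8u;     /* index * 8 */
    uint8_t ar;

    if ((selector & 0xFFFCu) == 0)            /* null selector: 0000-0003 */
        return SEG_NULL_INVALID;              /* loads; cache marked invalid */
    if (offset + 7u > limit)                  /* whole 8-byte entry must fit */
        return SEG_FAULT_GP;

    ar = table[offset + 5];                   /* AR byte is byte 5 of the entry */
    if (!(ar & AR_SEGMENT))
        return SEG_FAULT_GP;                  /* gate or system descriptor */
    if ((ar & AR_EXEC) && !(ar & AR_READ))
        return SEG_FAULT_GP;                  /* execute-only code segment */

    /* Readable conforming code gets no DPL, RPL, or CPL checks. */
    if (!((ar & AR_EXEC) && (ar & AR_CONFORM))) {
        if (AR_DPL(ar) < cpl || AR_DPL(ar) < rpl)
            return SEG_FAULT_GP;
    }
    if (!(ar & AR_PRESENT))
        return SEG_FAULT_NP;
    return SEG_LOADED;
}

/* Constructed sample GDT (illustration only): five 8-byte entries. */
static const uint8_t sample_gdt[5 * 8] = {
    0x00, 0x00, 0, 0, 0x00, 0x00, 0, 0,   /* 0x00: null entry */
    0xFF, 0xFF, 0, 0, 0x01, 0x92, 0, 0,   /* 0x08: DPL 0 data, present */
    0xFF, 0xFF, 0, 0, 0x02, 0xF2, 0, 0,   /* 0x10: DPL 3 data, present */
    0xFF, 0xFF, 0, 0, 0x03, 0x72, 0, 0,   /* 0x18: DPL 3 data, not present */
    0xFF, 0xFF, 0, 0, 0x04, 0x9E, 0, 0,   /* 0x20: DPL 0 readable conforming code */
};

/* Constructed LGDT operand: LIMIT 0027H, BASE 012000H, sixth byte ignored. */
static const uint8_t sample_lgdt_operand[6] = { 0x27, 0x00, 0x00, 0x20, 0x01, 0xAA };

int main(void)
{
    static const char *names[] = { "loaded", "null (cache invalid)", "#GP", "#NP" };
    static const struct { uint16_t sel; unsigned cpl; } cases[] = {
        { 0x0003, 3 }, { 0x0008, 0 }, { 0x0008, 3 }, { 0x000B, 0 },
        { 0x0013, 3 }, { 0x001B, 3 }, { 0x0023, 3 }, { 0x0028, 0 },
    };
    struct dtr gdtr = decode_dtr_operand(sample_lgdt_operand);
    unsigned i;

    printf("GDTR limit=%04X base=%06lX\n",
           (unsigned)gdtr.limit, (unsigned long)gdtr.base);
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("selector %04X at CPL %u: %s\n",
               (unsigned)cases[i].sel, cases[i].cpl,
               names[check_data_seg_load(sample_gdt, gdtr.limit,
                                         cases[i].sel, cases[i].cpl)]);
    return 0;
}
```

Selector 000BH names the same entry as 0008H but carries RPL 3, so the load is refused even at CPL 0; the conforming code entry at 0020H loads from CPL 3 because the checklist skips the privilege comparison for that type.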
LLDT-Load Local Descriptor Table Register

Opcode     Instruction   Clocks      Description
0F 00 /2   LLDT ew       17,mem=19   Load selector ew into Local Descriptor Table register

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The word operand (memory or register) to LLDT should contain a selector pointing to the Global Descriptor Table. The GDT entry should be a Local Descriptor Table Descriptor. If so, then the Local Descriptor Table Register is loaded from the entry. The descriptor cache entries for DS, ES, SS, and CS are not affected. The LDT field in the TSS is not changed.

The selector operand is allowed to be zero. In that case, the Local Descriptor Table Register is marked invalid. All descriptor references (except by LAR, VERR, VERW or LSL instructions) will cause a #GP fault.

LLDT appears in operating systems software; it does not appear in applications programs.

PROTECTED MODE EXCEPTIONS
#GP(0) if the current privilege level is not 0. #GP (selector) if the selector operand does not point into the Global Descriptor Table, or if the entry in the GDT is not a Local Descriptor Table. #NP (selector) if LDT descriptor is not present. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 6; LLDT is not recognized in Real Address Mode.

LMSW-Load Machine Status Word

Opcode     Instruction   Clocks    Description
0F 01 /6   LMSW ew       3,mem=6   Load EA word into Machine Status Word

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The Machine Status Word is loaded from the source operand. This instruction may be used to switch to protected mode. If so, then it must be followed by an intra-segment jump to flush the instruction queue. LMSW will not switch back to Real Address Mode.

LMSW appears only in operating systems software. It does not appear in applications programs.
PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is not 0.

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

LOCK - Assert BUS LOCK Signal

Opcode   Instruction   Clocks   Description
F0       LOCK          0        Assert BUSLOCK signal for the next instruction

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

LOCK is a prefix that will cause the BUS LOCK signal of the 80286 to be asserted for the duration of the instruction that it prefixes. In a multiprocessor environment, this signal should be used to ensure that the 80286 has exclusive use of any shared memory while BUS LOCK is asserted. The read-modify-write sequence typically used to implement TEST-AND-SET in the 80286 is the XCHG instruction.

The 80286 LOCK prefix activates the lock signal for the following instructions: MOVS, INS, and OUTS. XCHG always asserts BUS LOCK regardless of the presence or absence of the LOCK prefix.

PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (less privileged) than the I/O privilege level.

Other exceptions may be generated by the subsequent (locked) instruction.

REAL ADDRESS MODE EXCEPTIONS

None. Exceptions may still be generated by the subsequent (locked) instruction.

LODS/LODSB/LODSW - Load String Operand

Opcode   Instruction   Clocks   Description
AC       LODS mb       5        Load byte [SI] into AL
AD       LODS mw       5        Load word [SI] into AX
AC       LODSB         5        Load byte DS:[SI] into AL
AD       LODSW         5        Load word DS:[SI] into AX

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

LODS loads the AL or AX register with the memory byte or word at SI. After the transfer is made, SI is automatically advanced. If the direction flag is 0 (CLD was executed), SI increments; if the direction flag is 1 (STD was executed), SI decrements.
SI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

LOOP/LOOPcond - Loop Control with CX Counter

Opcode   Instruction   Clocks     Description
E2 cb    LOOP cb       8,noj=4    DEC CX; jump short if CX≠0
E1 cb    LOOPE cb      8,noj=4    DEC CX; jump short if CX≠0 and equal (ZF=1)
E0 cb    LOOPNE cb     8,noj=4    DEC CX; jump short if CX≠0 and not equal (ZF=0)
E0 cb    LOOPNZ cb     8,noj=4    DEC CX; jump short if CX≠0 and ZF=0
E1 cb    LOOPZ cb      8,noj=4    DEC CX; jump short if CX≠0 and zero (ZF=1)

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

LOOP first decrements the CX register without changing any of the flags. Then, conditions are checked as given in the description above for the form of LOOP being used. If the conditions are met, then an intra-segment jump is made. The destination to LOOP is in the range from 126 (decimal) bytes before the instruction to 127 bytes beyond the instruction.

The LOOP instructions are intended to provide iteration control and to combine loop index management with conditional branching. To use the LOOP instruction you load an unsigned iteration count into CX, then code the LOOP at the end of a series of instructions to be iterated. The destination of LOOP is a label that points to the beginning of the iteration.

PROTECTED MODE EXCEPTIONS

#GP(0) if the offset jumped to is beyond the limits of the current code segment.
REAL ADDRESS MODE EXCEPTIONS

None

LSL - Load Segment Limit

Opcode      Instruction   Clocks      Description
0F 03 /r    LSL rw,ew     14,mem=16   Load: rw = Segment Limit, selector ew

FLAGS MODIFIED

Zero

FLAGS UNDEFINED

None

OPERATION

If the descriptor denoted by the selector in the second (memory or register) operand is visible at the CPL, a word that consists of the limit field of the descriptor is loaded into the left operand, which must be a register. The value is the limit field for that segment. The zero flag is set if the loading was performed (that is, if the selector is non-null, the selector index is within the descriptor table limits, the descriptor is a non-conforming segment descriptor with DPL ≥ CPL, and the descriptor DPL ≥ selector RPL); the zero flag is cleared otherwise.

The LSL instruction returns only the limit field of segments, task state segments, and local descriptor tables. The interpretation of the limit value depends on the type of segment.

The selector operand's value cannot result in a protection exception.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LSL is not recognized in Real Address mode.

LTR - Load Task Register

Opcode      Instruction   Clocks      Description
0F 00 /3    LTR ew        17,mem=19   Load EA word into Task Register

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

The Task Register is loaded from the source register or memory location given by the operand. The loaded TSS is marked busy. A task switch operation does not occur.

LTR appears only in operating systems software. It is not used in applications programs.

PROTECTED MODE EXCEPTIONS

#GP for an illegal memory operand effective address in the CS, DS, or ES segments; #SS for an illegal address in the SS segment.

#GP(0) if the current privilege level is not 0.
#GP (selector) if the object named by the source selector is not a TSS or is already busy.

#NP (selector) if the TSS is marked not present.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LTR is not recognized in Real Address mode.

MOV - Move Data

Opcode       Instruction   Clocks     Description
88 /r        MOV eb,rb     2,mem=3    Move byte register into EA byte
89 /r        MOV ew,rw     2,mem=3    Move word register into EA word
8A /r        MOV rb,eb     2,mem=5    Move EA byte into byte register
8B /r        MOV rw,ew     2,mem=5    Move EA word into word register
8C /0        MOV ew,ES     2,mem=3    Move ES into EA word
8C /1        MOV ew,CS     2,mem=3    Move CS into EA word
8C /2        MOV ew,SS     2,mem=3    Move SS into EA word
8C /3        MOV ew,DS     2,mem=3    Move DS into EA word
8E /0        MOV ES,mw     5,pm=19    Move memory word into ES
8E /0        MOV ES,rw     2,pm=17    Move word register into ES
8E /2        MOV SS,mw     5,pm=19    Move memory word into SS
8E /2        MOV SS,rw     2,pm=17    Move word register into SS
8E /3        MOV DS,mw     5,pm=19    Move memory word into DS
8E /3        MOV DS,rw     2,pm=17    Move word register into DS
A0 dw        MOV AL,xb     5          Move byte variable (offset dw) into AL
A1 dw        MOV AX,xw     5          Move word variable (offset dw) into AX
A2 dw        MOV xb,AL     3          Move AL into byte variable (offset dw)
A3 dw        MOV xw,AX     3          Move AX into word register (offset dw)
B0+rb db     MOV rb,db     2          Move immediate byte into byte register
B8+rw dw     MOV rw,dw     2          Move immediate word into word register
C6 /0 db     MOV eb,db     2,mem=3    Move immediate byte into EA byte
C7 /0 dw     MOV ew,dw     2,mem=3    Move immediate word into EA word

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

The second operand is copied to the first operand.

If the destination operand is a segment register (DS, ES, or SS), then the associated segment register cache is also loaded. The data for the cache is obtained from the descriptor table entry for the selector given.

A null selector (values 0000-0003) can be loaded into DS and ES registers without causing a protection exception.
Any use of a segment register with a null selector to address memory will cause #GP(0) exception. No memory reference will occur.

Any move into SS will inhibit all interrupts until after the execution of the next instruction.

Following is a listing of the protected-mode checks and actions taken in the loading of a segment register:

If SS is loaded:
    If selector is null then #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Selector's RPL must equal CPL else #GP (selector)
    AR byte must indicate a writable data segment else #GP (selector)
    DPL in the AR byte must equal CPL else #GP (selector)
    Segment must be marked PRESENT else #SS (selector)
    Load SS with selector
    Load SS cache with descriptor

If ES or DS is loaded with non-null selector:
    Selector index must be within its descriptor table limits else #GP (selector)
    AR byte must indicate data or readable code segment else #GP (selector)
    If data or non-conforming code, then both the RPL and the CPL must be less than or equal to DPL in AR byte else #GP (selector)
    Segment must be marked PRESENT else #NP (selector)
    Load segment register with selector
    Load segment register cache with descriptor

If ES or DS is loaded with a null selector:
    Load segment register with selector
    Clear descriptor valid bit

PROTECTED MODE EXCEPTIONS

If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing above.

Otherwise, #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
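The segment-register load checks listed above for MOV, modelled in C as an added example; this is not Intel's code and not part of the manual. The one-AR-byte-per-descriptor table, all type and function names, and the sample GDT are assumptions made for illustration; the AR bit positions follow the 80286 descriptor format rather than this section.

```c
#include <stdint.h>
#include <stdio.h>

enum fault  { LOAD_OK, FAULT_GP, FAULT_SS, FAULT_NP };
enum segreg { REG_ES, REG_DS, REG_SS };

/* Fault plus the value the listing writes as "(0)" or "(selector)".
 * The bit layout of the pushed error code is not modelled. */
struct result { enum fault fault; uint16_t code; };

/* Assumed model: one access-rights (AR) byte per 8-byte descriptor. */
struct dtable { const uint8_t *ar; uint16_t limit; /* last valid byte offset */ };

/* AR byte fields (80286 descriptor format). */
#define AR_P(ar)    ((ar) & 0x80)          /* present */
#define AR_DPL(ar)  (((ar) >> 5) & 3u)     /* descriptor privilege level */
#define AR_S(ar)    ((ar) & 0x10)          /* 1 = code or data segment */
#define AR_CODE(ar) ((ar) & 0x08)          /* 1 = code, 0 = data */
#define AR_CONF(ar) ((ar) & 0x04)          /* code only: conforming */
#define AR_RW(ar)   ((ar) & 0x02)          /* data: writable, code: readable */

static struct result res(enum fault f, uint16_t code)
{
    struct result r;
    r.fault = f;
    r.code = code;
    return r;
}

/* Applies the listing's checks in the listing's order. */
struct result load_segreg(enum segreg reg, uint16_t sel, unsigned cpl,
                          const struct dtable *gdt, const struct dtable *ldt)
{
    unsigned rpl = sel & 3u;
    unsigned index = sel >> 3;
    const struct dtable *t = (sel & 4u) ? ldt : gdt;   /* TI bit picks the table */
    uint8_t ar;

    if ((sel & 0xFFFCu) == 0)                          /* null: 0000-0003 */
        return reg == REG_SS ? res(FAULT_GP, 0)        /* SS may not be null */
                             : res(LOAD_OK, 0);        /* ES/DS: marked invalid */
    if (index * 8u + 7u > t->limit)                    /* outside table limit */
        return res(FAULT_GP, sel);
    ar = t->ar[index];

    if (reg == REG_SS) {
        if (rpl != cpl)                             return res(FAULT_GP, sel);
        if (!AR_S(ar) || AR_CODE(ar) || !AR_RW(ar)) return res(FAULT_GP, sel);
        if (AR_DPL(ar) != cpl)                      return res(FAULT_GP, sel);
        if (!AR_P(ar))                              return res(FAULT_SS, sel);
        return res(LOAD_OK, 0);
    }
    /* ES or DS: data, or code that is readable */
    if (!AR_S(ar) || (AR_CODE(ar) && !AR_RW(ar)))   return res(FAULT_GP, sel);
    /* conforming code skips the privilege comparison */
    if (!(AR_CODE(ar) && AR_CONF(ar)) &&
        (rpl > AR_DPL(ar) || cpl > AR_DPL(ar)))     return res(FAULT_GP, sel);
    if (!AR_P(ar))                                  return res(FAULT_NP, sel);
    return res(LOAD_OK, 0);
}

/* Constructed sample GDT (AR bytes only); index 0 is the null slot. */
static const uint8_t demo_ar[] = {
    0x00,   /* 0: null slot */
    0x92,   /* 1: DPL 0 writable data, present */
    0xF2,   /* 2: DPL 3 writable data, present */
    0x72,   /* 3: DPL 3 writable data, NOT present */
    0x98,   /* 4: DPL 0 execute-only code */
    0x9E,   /* 5: DPL 0 readable conforming code */
    0xF0    /* 6: DPL 3 read-only data */
};
static const struct dtable demo_gdt = { demo_ar, sizeof demo_ar * 8 - 1 };
static const struct dtable demo_ldt = { 0, 0 };  /* empty: LDT selectors fault */

int main(void)
{
    static const char *name[] = { "loaded", "#GP", "#SS", "#NP" };
    static const struct { enum segreg reg; uint16_t sel; unsigned cpl; } c[] = {
        { REG_DS, 0x0008, 3 },   /* ring 3 reaching for ring-0 data */
        { REG_DS, 0x000B, 0 },   /* ring 0 handed a selector with RPL 3 */
        { REG_SS, 0x001B, 3 },   /* not-present segment as stack */
        { REG_ES, 0x001B, 3 },   /* same segment as data */
        { REG_DS, 0x002B, 3 }    /* readable conforming code */
    };
    unsigned i;

    for (i = 0; i < sizeof c / sizeof c[0]; i++) {
        struct result r = load_segreg(c[i].reg, c[i].sel, c[i].cpl,
                                      &demo_gdt, &demo_ldt);
        printf("sel %04X at CPL %u -> %s (%04X)\n", (unsigned)c[i].sel,
               c[i].cpl, name[r.fault], (unsigned)r.code);
    }
    return 0;
}
```

The second sample case is the one worth noting: ring-0 code loading a ring-0 data selector still faults when the selector carries RPL 3, which is how a privileged routine avoids touching a segment on behalf of a less privileged caller.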
MOVS/MOVSB/MOVSW - Move Data from String to String

Opcode   Instruction    Clocks   Description
A4       MOVS mb,mb     5        Move byte [SI] to ES:[DI]
A5       MOVS mw,mw     5        Move word [SI] to ES:[DI]
A4       MOVSB          5        Move byte DS:[SI] to ES:[DI]
A5       MOVSW          5        Move word DS:[SI] to ES:[DI]

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

MOVS copies the byte or word at [SI] to the byte or word at ES:[DI]. The destination operand must be addressable from the ES register; no segment override is possible. A segment override may be used for the source operand.

After the data movement is made, both SI and DI are automatically advanced. If the direction flag is 0 (CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the registers decrement. The registers increment or decrement by 1 if a byte was moved; by 2 if a word was moved.

MOVS can be preceded by the REP prefix for block movement of CX bytes or words. Refer to the REP instruction for details of this operation.

PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

MUL - Unsigned Multiplication of AL or AX

Opcode   Instruction   Clocks      Description
F6 /4    MUL eb        13,mem=16   Unsigned multiply (AX = AL × EA byte)
F7 /4    MUL ew        21,mem=24   Unsigned multiply (DXAX = AX × EA word)

FLAGS MODIFIED

Overflow, carry

FLAGS UNDEFINED

Sign, zero, auxiliary carry, parity

OPERATION

If MUL has a byte operand, then the byte is multiplied by AL, and the result is left in AX. Carry and overflow are set to 0 if AH is 0; they are set to 1 otherwise.

If MUL has a word operand, then the word is multiplied by AX, and the result is left in DX:AX. DX contains the high order 16 bits of the product.
Carry and overflow are set to 0 if DX is 0; they are set to 1 otherwise.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

NEG - Two's Complement Negation

Opcode   Instruction   Clocks     Description
F6 /3    NEG eb        2,mem=7    Two's complement negate EA byte
F7 /3    NEG ew        2,mem=7    Two's complement negate EA word

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED

None

OPERATION

The two's complement of the register or memory operand replaces the old operand value. Likewise, the operand is subtracted from zero, and the result is placed in the operand.

The carry flag is set to 1 except when the input operand is zero, in which case the carry flag is cleared to 0.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

NOP - No Operation

Opcode   Instruction   Clocks   Description
90       NOP           3        No Operation

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

Performs no operation. NOP is a one-byte filler instruction that takes up space but affects none of the machine context except IP.

PROTECTED MODE EXCEPTIONS

None

REAL ADDRESS MODE EXCEPTIONS

None

NOT - One's Complement Negation

Opcode   Instruction   Clocks     Description
F6 /2    NOT eb        2,mem=7    Reverse each bit of EA byte
F7 /2    NOT ew        2,mem=7    Reverse each bit of EA word

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

The operand is inverted; that is, every 1 becomes a 0 and vice versa.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

OR - Logical Inclusive OR

Opcode      Instruction   Clocks     Description
08 /r       OR eb,rb      2,mem=7    Logical-OR byte register into EA byte
09 /r       OR ew,rw      2,mem=7    Logical-OR word register into EA word
0A /r       OR rb,eb      2,mem=7    Logical-OR EA byte into byte register
0B /r       OR rw,ew      2,mem=7    Logical-OR EA word into word register
0C db       OR AL,db      3          Logical-OR immediate byte into AL
0D dw       OR AX,dw      3          Logical-OR immediate word into AX
80 /1 db    OR eb,db      3,mem=7    Logical-OR immediate byte into EA byte
81 /1 dw    OR ew,dw      3,mem=7    Logical-OR immediate word into EA word

FLAGS MODIFIED

Overflow=0, sign, zero, parity, carry=0

FLAGS UNDEFINED

Auxiliary carry

OPERATION

This instruction computes the inclusive OR of the two operands. Each bit of the result is 0 if both corresponding bits of the operands are 0; each bit is 1 otherwise. The result is placed in the first operand.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

OUT - Output to Port

Opcode   Instruction   Clocks   Description
E6 db    OUT db,AL     3        Output byte AL to immediate port number db
E7 db    OUT db,AX     3        Output word AX to immediate port number db
EE       OUT DX,AL     3        Output byte AL to port number DX
EF       OUT DX,AX     3        Output word AX to port number DX

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

OUT transfers a data byte or data word from the register (AL or AX) given as the second operand to the output port numbered by the first operand.
You can output to any port from 0-65535 by placing the port number in the DX register then using an OUT instruction with DX as the first operand. If the instruction contains an 8-bit port ID, that value is zero-extended to 16 bits.

Intel reserves I/O port addresses 00F8H through 00FFH; these addresses should not be used.

PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (has less privilege) than IOPL, which is the privilege level found in the flags register.

REAL ADDRESS MODE EXCEPTIONS

None

OUTS/OUTSB/OUTSW - Output String to Port

Opcode   Instruction    Clocks   Description
6E       OUTS DX,eb     5        Output byte [SI] to port number DX
6F       OUTS DX,ew     5        Output word [SI] to port number DX
6E       OUTSB          5        Output byte DS:[SI] to port number DX
6F       OUTSW          5        Output word DS:[SI] to port number DX

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

OUTS transfers data from the memory byte or word at SI to the output port numbered by the DX register.

OUTS does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register.

After the transfer is made, SI is automatically advanced. If the direction flag is 0 (CLD was executed), SI increments; if the direction flag is 1 (STD was executed), SI decrements. SI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

OUTS can be preceded by the REP prefix for block output of CX bytes or words. Refer to the REP instruction for details of this operation.

Intel reserves I/O port addresses 00F8H through 00FFH; these addresses should not be used.

NOTE
Not all output devices can handle the rate at which this instruction transfers data.

PROTECTED MODE EXCEPTIONS

#GP(0) if CPL > IOPL. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
POP - Pop a Word from the Stack

Opcode   Instruction   Clocks     Description
1F       POP DS        5,pm=20    Pop top of stack into DS
07       POP ES        5,pm=20    Pop top of stack into ES
17       POP SS        5,pm=20    Pop top of stack into SS
8F /0    POP mw        5          Pop top of stack into memory word
58+rw    POP rw        5          Pop top of stack into word register

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

The word on the top of the 80286 stack, addressed by SS:SP, replaces the previous contents of the memory, register, or segment register operand. The stack pointer SP is incremented by 2 to point to the new top of stack.

If the destination operand is another segment register (DS, ES, or SS), the value popped must be a selector. In protected mode, loading the selector initiates automatic loading of the descriptor information associated with that selector into the hidden part of the segment register; loading also initiates validation of both the selector and the descriptor information.

A null value (0000-0003) may be loaded into the DS or ES register without causing a protection exception. Attempts to reference memory using a segment register with a null value will cause #GP(0) exception. No memory reference will occur. The saved value of the segment register will be null.

A POP SS instruction will inhibit all interrupts, including NMI, until after the execution of the next instruction. This permits a POP SP instruction to be performed first.
Following is a listing of the protected-mode checks and actions taken in the loading of a segment register:

If SS is loaded:
    If selector is null then #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Selector's RPL must equal CPL else #GP (selector)
    AR byte must indicate a writable data segment else #GP (selector)
    DPL in the AR byte must equal CPL else #GP (selector)
    Segment must be marked PRESENT else #SS (selector)
    Load SS register with selector
    Load SS cache with descriptor

If ES or DS is loaded with non-null selector:
    AR byte must indicate data or readable code segment else #GP (selector)
    If data or non-conforming code, then both the RPL and the CPL must be less than or equal to DPL in AR byte else #GP (selector)
    Segment must be marked PRESENT else #NP (selector)
    Load segment register with selector
    Load segment register cache with descriptor

If ES or DS is loaded with a null selector:
    Load segment register with selector
    Clear valid bit in cache

PROTECTED MODE EXCEPTIONS

If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing above.

Otherwise, #SS(0) if the current top of stack is not within the stack segment.

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

POPA - Pop All General Registers

Opcode   Instruction   Clocks   Description
61       POPA          19       Pop in order: DI,SI,BP,SP,BX,DX,CX,AX

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

POPA pops the eight general registers given in the description above, except that the SP value is discarded instead of loaded into SP. POPA reverses a previous PUSHA, restoring the general registers to their values before PUSHA was executed. The first register popped is DI.
PROTECTED MODE EXCEPTIONS

#SS(0) if the starting or ending stack address is not within the stack segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

POPF - Pop from Stack into the Flags Register

Opcode   Instruction   Clocks   Description
9D       POPF          5        Pop top of stack into flags register

FLAGS MODIFIED

Entire flags register is popped from stack

FLAGS UNDEFINED

None

OPERATION

The top of the 80286 stack, pointed to by SS:SP, is copied into the 80286 flags register. The stack pointer SP is incremented by 2 to point to the new top of stack. The flags, from the top bit (bit 15) to the bottom (bit 0), are as follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled, trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and carry.

The I/O privilege level will be altered only when executing at privilege level 0. The interrupt enable flag will be altered only when executing at a level at least as privileged as the I/O privilege level. If you execute a POPF instruction with insufficient privilege, there will be no exception nor will the privileged bits be changed.

PROTECTED MODE EXCEPTIONS

#SS(0) if the top of stack is not within the stack segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at 0FFFFH.

In real mode the NT and IOPL bits will not be modified.

PUSH - Push a Word onto the Stack

Opcode   Instruction   Clocks   Description
06       PUSH ES       3        Push ES
0E       PUSH CS       3        Push CS
16       PUSH SS       3        Push SS
1E       PUSH DS       3        Push DS
50+rw    PUSH rw       3        Push word register
FF /6    PUSH mw       5        Push memory word
68 dw    PUSH dw       3        Push immediate word
6A db    PUSH db       3        Push immediate sign-extended byte

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

The stack pointer SP is decremented by 2, and the operand is placed on the new top of stack, which is pointed to by SS:SP.
The 80286 PUSH SP instruction pushes the value of SP as it existed before the instruction. This differs from the 8086, which pushes the new (decremented by 2) value.

PROTECTED MODE EXCEPTIONS

#SS(0) if the new value of SP is outside the stack segment limit.

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

None; the 80286 will shut down if SP = 1 due to lack of stack space.

PUSHA - Push All General Registers

Opcode   Instruction   Clocks   Description
60       PUSHA         17       Push in order: AX,CX,DX,BX,original SP,BP,SI,DI

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

PUSHA saves the registers noted above on the 80286 stack. The stack pointer SP is decremented by 16 to hold the 8 word values. Since the registers are pushed onto the stack in the order in which they were given, they will appear in the 16 new stack bytes in the reverse order. The last register pushed is DI.

PROTECTED MODE EXCEPTIONS

#SS(0) if the starting or ending address is outside the stack segment limit.

REAL ADDRESS MODE EXCEPTIONS

The 80286 will shut down if SP = 1, 3, or 5 before executing PUSHA. If SP = 7, 9, 11, 13, or 15, exception 13 will occur.

PUSHF - Push Flags Register onto the Stack

Opcode   Instruction   Clocks   Description
9C       PUSHF         3        Push flags register

FLAGS MODIFIED

None

FLAGS UNDEFINED

None

OPERATION

The stack pointer SP is decremented by 2, and the 80286 flags register is copied to the new top of stack, which is pointed to by SS:SP. The flags, from the top bit (15) to the bottom bit (0), are as follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled, trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and carry.

PROTECTED MODE EXCEPTIONS

#SS(0) if the new value of SP is outside the stack segment limit.
REAL ADDRESS MODE EXCEPTIONS

None; the 80286 will shut down if SP = 1 due to lack of stack space.

RCL/RCR/ROL/ROR - Rotate Instructions

Opcode      Instruction    Clocks-N*   Description
D0 /2       RCL eb,1       2,mem=7     Rotate 9-bits (CF, EA byte) left once
D2 /2       RCL eb,CL*     5,mem=8     Rotate 9-bits (CF, EA byte) left CL times
C0 /2 db    RCL eb,db*     5,mem=8     Rotate 9-bits (CF, EA byte) left db times
D1 /2       RCL ew,1       2,mem=7     Rotate 17-bits (CF, EA word) left once
D3 /2       RCL ew,CL*     5,mem=8     Rotate 17-bits (CF, EA word) left CL times
C1 /2 db    RCL ew,db*     5,mem=8     Rotate 17-bits (CF, EA word) left db times
D0 /3       RCR eb,1       2,mem=7     Rotate 9-bits (CF, EA byte) right once
D2 /3       RCR eb,CL*     5,mem=8     Rotate 9-bits (CF, EA byte) right CL times
C0 /3 db    RCR eb,db*     5,mem=8     Rotate 9-bits (CF, EA byte) right db times
D1 /3       RCR ew,1       2,mem=7     Rotate 17-bits (CF, EA word) right once
D3 /3       RCR ew,CL*     5,mem=8     Rotate 17-bits (CF, EA word) right CL times
C1 /3 db    RCR ew,db*     5,mem=8     Rotate 17-bits (CF, EA word) right db times
D0 /0       ROL eb,1       2,mem=7     Rotate 8-bit EA byte left once
D2 /0       ROL eb,CL*     5,mem=8     Rotate 8-bit EA byte left CL times
C0 /0 db    ROL eb,db*     5,mem=8     Rotate 8-bit EA byte left db times
D1 /0       ROL ew,1       2,mem=7     Rotate 16-bit EA word left once
D3 /0       ROL ew,CL*     5,mem=8     Rotate 16-bit EA word left CL times
C1 /0 db    ROL ew,db*     5,mem=8     Rotate 16-bit EA word left db times
D0 /1       ROR eb,1       2,mem=7     Rotate 8-bit EA byte right once
D2 /1       ROR eb,CL*     5,mem=8     Rotate 8-bit EA byte right CL times
C0 /1 db    ROR eb,db*     5,mem=8     Rotate 8-bit EA byte right db times
D1 /1       ROR ew,1       2,mem=7     Rotate 16-bit EA word right once
D3 /1       ROR ew,CL*     5,mem=8     Rotate 16-bit EA word right CL times
C1 /1 db    ROR ew,db*     5,mem=8     Rotate 16-bit EA word right db times

* Add 1 clock to the times shown for each rotate made

FLAGS MODIFIED

Overflow (only for single rotates), carry

FLAGS UNDEFINED

Overflow for multi-bit rotates

OPERATION

Each rotate instruction shifts the bits of the register or memory operand given.
The left rotate instructions shift all of the bits upward, except for the top bit, which comes back around to the bottom. The right rotate instructions do the reverse: the bits shift downward, with the bottom bit coming around to the top.

For the RCL and RCR instructions, the carry flag is part of the rotated quantity. RCL shifts the carry flag into the bottom bit and shifts the top bit into the carry flag; RCR shifts the carry flag into the top bit and shifts the bottom bit into the carry flag. For the ROL and ROR instructions, the original value of the carry flag is not a part of the result; nonetheless, the carry flag receives a copy of the bit that was shifted from one end to the other.

The rotate is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum execution time, the 80286 does not allow rotation counts greater than 31. If a rotation count greater than 31 is attempted, only the bottom five bits of the rotation are used. The 8086 does not mask rotate counts.

The overflow flag is set only for the single-rotate (second operand = 1) forms of the instructions. The OF bit is set to be accurate if a shift of length 1 is done. Since it is undefined for all other values, including a zero shift, it can always be set for the count-of-1 case regardless of the actual count. For left shifts/rotates, the CF bit after the shift is XORed with the high-order result bit. For right shifts/rotates, the high-order two bits of the result are XORed to get OF. Neither flag bit is modified when the count value is zero.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
REP/REPE/REPNE - Repeat Following String Operation

Opcode   Instruction          Clocks*   Description
F3 6C    REP INS eb,DX        5+4*CX    Input CX bytes from port DX into ES:[DI]
F3 6D    REP INS ew,DX        5+4*CX    Input CX words from port DX into ES:[DI]
F3 6C    REP INSB             5+4*CX    Input CX bytes from port DX into ES:[DI]
F3 6D    REP INSW             5+4*CX    Input CX words from port DX into ES:[DI]
F3 A4    REP MOVS mb,mb       5+4*CX    Move CX bytes from [SI] to ES:[DI]
F3 A5    REP MOVS mw,mw       5+4*CX    Move CX words from [SI] to ES:[DI]
F3 A4    REP MOVSB            5+4*CX    Move CX bytes from DS:[SI] to ES:[DI]
F3 A5    REP MOVSW            5+4*CX    Move CX words from DS:[SI] to ES:[DI]
F3 6E    REP OUTS DX,eb       5+4*CX    Output CX bytes from [SI] to port DX
F3 6F    REP OUTS DX,ew       5+4*CX    Output CX words from [SI] to port DX
F3 6E    REP OUTSB            5+4*CX    Output CX bytes from DS:[SI] to port DX
F3 6F    REP OUTSW            5+4*CX    Output CX words from DS:[SI] to port DX
F3 AA    REP STOS mb          4+3*CX    Fill CX bytes at ES:[DI] with AL
F3 AB    REP STOS mw          4+3*CX    Fill CX words at ES:[DI] with AX
F3 AA    REP STOSB            4+3*CX    Fill CX bytes at ES:[DI] with AL
F3 AB    REP STOSW            4+3*CX    Fill CX words at ES:[DI] with AX
F3 A6    REPE CMPS mb,mb      5+9*N     Find nonmatching bytes in ES:[DI] and [SI]
F3 A7    REPE CMPS mw,mw      5+9*N     Find nonmatching words in ES:[DI] and [SI]
F3 A6    REPE CMPSB           5+9*N     Find nonmatching bytes in ES:[DI] and DS:[SI]
F3 A7    REPE CMPSW           5+9*N     Find nonmatching words in ES:[DI] and DS:[SI]
F3 AE    REPE SCAS mb         5+8*N     Find non-AL byte starting at ES:[DI]
F3 AF    REPE SCAS mw         5+8*N     Find non-AX word starting at ES:[DI]
F3 AE    REPE SCASB           5+8*N     Find non-AL byte starting at ES:[DI]
F3 AF    REPE SCASW           5+8*N     Find non-AX word starting at ES:[DI]
F2 A6    REPNE CMPS mb,mb     5+9*N     Find matching bytes in ES:[DI] and [SI]
F2 A7    REPNE CMPS mw,mw     5+9*N     Find matching words in ES:[DI] and [SI]
F2 A6    REPNE CMPSB          5+9*N     Find matching bytes in ES:[DI] and DS:[SI]
F2 A7    REPNE CMPSW          5+9*N     Find matching words in ES:[DI] and DS:[SI]
F2 AE    REPNE SCAS mb        5+8*N     Find AL, starting at ES:[DI]
F2 AF    REPNE SCAS mw        5+8*N     Find AX, starting at ES:[DI]
F2 AE    REPNE SCASB          5+8*N     Find AL, starting at ES:[DI]
F2 AF    REPNE SCASW          5+8*N     Find AX, starting at ES:[DI]

* N denotes the number of iterations actually executed.

FLAGS MODIFIED

By CMPS and SCAS, none by REP

FLAGS UNDEFINED

None

OPERATION

REP, REPE, and REPNE are prefix operations. These prefixes cause the string instruction that follows to be repeated CX times or (for REPE and REPNE) until the indicated condition in the zero flag is no longer met. Thus, REPE stands for "Repeat while equal," REPNE for "Repeat while not equal."

The REP prefixes make sense only in the contexts listed above. They cannot be applied to anything other than string operations.

Synonymous forms of REPE and REPNE are REPZ and REPNZ, respectively.

The REP prefixes apply only to one string instruction at a time. To repeat a block of instructions, use a LOOP construct.

The precise action for each iteration is as follows:

1. Check the CX register. If it is zero, exit the iteration and move to the next instruction.
2. Acknowledge any pending interrupts.
3. Perform the string operation once.
4. Decrement CX by 1; no flags are modified.
5. If the string operation is SCAS or CMPS, check the zero flag. If the repeat condition does not hold, then exit the iteration and move to the next instruction. Exit if the prefix is REPE and ZF=0 (the last comparison was not equal), or if the prefix is REPNE and ZF=1 (the last comparison was equal).
6. Go to step 1 for the next iteration.

As defined by the individual string-ops, the direction of movement through the block is determined by the direction flag. If the direction flag is 1 (STD was executed), SI and/or DI start at the end of the block and move backward; if the direction flag is 0 (CLD was executed), SI and/or DI start at the beginning of the block and move forward.
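The six iteration steps above, modelled in C for REPE/REPNE SCASB as an added example that is not part of the manual. It shows two edge cases that follow from the steps: a hit on the last element leaves CX = 0 with ZF = 1, and a zero count on entry leaves ZF at its earlier value. All names and the sample buffers are assumptions, and the direction flag is taken as 0.

```c
#include <stdint.h>
#include <stdio.h>

enum rep { REPE, REPNE };

/* Registers the six steps read and write. DF is assumed to be 0 (CLD). */
struct cpu { uint16_t cx, di; int zf; uint8_t al; };

/* REPE/REPNE SCASB over es[], one numbered step per line.
 * Step 2 (acknowledge pending interrupts) has no visible effect here. */
void rep_scasb(struct cpu *c, enum rep prefix, const uint8_t *es)
{
    for (;;) {
        if (c->cx == 0)                     /* step 1: count exhausted */
            return;
        c->zf = (es[c->di] == c->al);       /* step 3: SCASB sets ZF ... */
        c->di++;                            /*         ... and advances DI */
        c->cx--;                            /* step 4: flags not modified */
        if (prefix == REPE && !c->zf)       /* step 5: repeat condition */
            return;
        if (prefix == REPNE && c->zf)
            return;
    }                                       /* step 6: next iteration */
}

/* REPNE SCASB for al in buf[0..len); zf_before is whatever ZF held from
 * earlier code. Returns the final register state. */
struct cpu scan_for(const uint8_t *buf, uint16_t len, uint8_t al, int zf_before)
{
    struct cpu c;
    c.cx = len; c.di = 0; c.zf = zf_before; c.al = al;
    rep_scasb(&c, REPNE, buf);
    return c;
}

/* Three ways code might decide "found" after the repeat. */
int found_by_cx(struct cpu c) { return c.cx != 0; }  /* misses a last-byte hit */
int found_by_zf(struct cpu c) { return c.zf != 0; }  /* trusts stale ZF if len==0 */
int found_checked(uint16_t len, struct cpu c)        /* test count first, then ZF */
{
    return len != 0 && c.zf != 0;
}

/* Number of leading bytes equal to al, via REPE SCASB. */
uint16_t leading_run(const uint8_t *buf, uint16_t len, uint8_t al)
{
    struct cpu c;
    if (len == 0)                 /* nothing compared: ZF would be stale */
        return 0;
    c.cx = len; c.di = 0; c.zf = 0; c.al = al;
    rep_scasb(&c, REPE, buf);
    /* On a mismatch DI is already one past the differing byte. */
    return c.zf ? c.di : (uint16_t)(c.di - 1);
}

/* Constructed sample buffers. */
static const uint8_t sample[] = { 0x10, 0x20, 0x30 };
static const uint8_t zeros[]  = { 0x00, 0x00, 0x00, 0x07 };

int main(void)
{
    struct cpu last  = scan_for(sample, 3, 0x30, 0);  /* hit on final byte */
    struct cpu empty = scan_for(sample, 0, 0x99, 1);  /* CX = 0 on entry */

    printf("last byte : CX=%u ZF=%d by_cx=%d by_zf=%d checked=%d\n",
           (unsigned)last.cx, last.zf, found_by_cx(last), found_by_zf(last),
           found_checked(3, last));
    printf("empty scan: CX=%u ZF=%d by_cx=%d by_zf=%d checked=%d\n",
           (unsigned)empty.cx, empty.zf, found_by_cx(empty), found_by_zf(empty),
           found_checked(0, empty));
    printf("leading zeros: %u\n", (unsigned)leading_run(zeros, 4, 0x00));
    return 0;
}
```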
For repeated SCAS and CMPS operations the repeat can be exited for one of two different reasons: the CX count can be exhausted or the zero flag can fail the repeat condition. Your code will probably want to distinguish between the two cases. It can do so via either the JCXZ instruction or the conditional jumps that test the zero flag (JZ, JNZ, JE, and JNE).

NOTE
Not all input/output ports can handle the rate at which the repeated I/O instructions execute.

PROTECTED MODE EXCEPTIONS
None by REP; exceptions can be generated when the string-op is executed.

REAL ADDRESS MODE EXCEPTIONS
None by REP; exceptions can be generated when the string-op is executed.

RET - Return from Procedure

| Opcode | Instruction | Clocks* | Description |
|---|---|---|---|
| CB | RET | 15,pm=25 | Return to far caller, same privilege |
| CB | RET | 55 | Return, lesser privilege, switch stacks |
| C3 | RET | 11 | Return to near caller, same privilege |
| CA dw | RET dw | 15,pm=25 | RET (far), same privilege, pop dw bytes |
| CA dw | RET dw | 55 | RET (far), lesser privilege, pop dw bytes |
| C2 dw | RET dw | 11 | RET (near), same privilege, pop dw bytes pushed before Call |

* Add 1 clock for each byte in the next instruction executed.

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
RET transfers control to a return address located on the stack. The address is usually placed on the stack by a CALL instruction; in that case, the return is made to the instruction that follows the CALL.

There is an optional numeric parameter to RET. It gives the number of stack bytes to be released after the return address is popped. These bytes are typically used as input parameters to the procedure called.

For the intra-segment return, the address on the stack is a 2-byte quantity popped into IP. The CS register is unchanged.

For the inter-segment return, the address on the stack is a 4-byte-long pointer. The offset is popped first, followed by the selector. In real address mode, CS and IP are directly loaded.
In protected mode, an inter-segment return causes the processor to consult the descriptor addressed by the return selector. The AR byte of the descriptor must indicate a code segment of equal or less privilege (of greater or equal numeric value) than the current privilege level. Returns to a lesser privilege level cause the stack to be reloaded from the value saved beyond the parameter block.

The DS and ES segment registers may be set to zero by the inter-segment RET instruction. If these registers refer to segments which cannot be used by the new privilege level, they are set to zero to prevent unauthorized access.

The following list of checks and actions describes the protected-mode inter-segment return in detail.

Inter-segment RET:
  Second word on stack must be within stack limits else #SS(0)
  Return selector RPL must be ≥ CPL else #GP (return selector)
  If return selector RPL = CPL then
    RETURN TO SAME LEVEL:
      Return selector must be non-null else #GP(0)
      Selector index must be within its descriptor table limits else #GP (selector)
      Descriptor AR byte must indicate code segment else #GP (selector)
      If non-conforming then code segment DPL must equal CPL else #GP (selector)
      If conforming then code segment DPL must be ≤ CPL else #GP (selector)
      Code segment must be PRESENT else #NP (selector)
      Top word on stack must be within stack limits else #SS(0)
      IP must be in code segment limit else #GP(0)
      Load CS:IP from stack
      Load CS-cache with descriptor
      Increment SP by 4 plus the immediate offset if it exists
  Else
    RETURN TO OUTER PRIVILEGE LEVEL:
      Top (8 + immediate) bytes on stack must be within stack limits else #SS(0)
      Examine return CS selector (at SP+2) and associated descriptor:
        Selector must be non-null else #GP(0)
        Selector index must be within its descriptor table limits else #GP (selector)
        Descriptor AR byte must indicate code segment else #GP (selector)
        If non-conforming then code segment DPL must equal return selector RPL else #GP (selector)
        If conforming then code segment DPL must be ≤ return selector RPL else #GP (selector)
        Segment must be PRESENT else #NP (selector)
      Examine return SS selector (at SP+6+imm) and associated descriptor:
        Selector must be non-null else #GP(0)
        Selector index must be within its descriptor table limits else #GP (selector)
        Selector RPL must equal the RPL of the return CS selector else #GP (selector)
        Descriptor AR byte must indicate a writable data segment else #GP (selector)
        Descriptor DPL must equal the RPL of the return CS selector else #GP (selector)
        Segment must be PRESENT else #SS (selector)
      IP must be in code segment limit else #GP(0)
      Set CPL to the RPL of the return CS selector
      Load CS:IP from stack
      Set CS RPL to CPL
      Increment SP by 4 plus the immediate offset if it exists
      Load SS:SP from stack
      Load the CS-cache with the return CS descriptor
      Load the SS-cache with the return SS descriptor
      For each of ES and DS:
        If the current register setting is not valid for the outer level, set the register to null (selector = AR = 0)
        To be valid, the register setting must satisfy the following properties:
          Selector index must be within descriptor table limits
          Descriptor AR byte must indicate data or readable code segment
          If segment is data or non-conforming code, then:
            DPL must be ≥ CPL, or
            DPL must be ≥ RPL

PROTECTED MODE EXCEPTIONS
#GP, #NP, or #SS, as described in the above listing.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 if the stack pop wraps around from 0FFFFH to 0.

SAHF - Store AH into Flags

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 9E | SAHF | 2 | Store AH into flags SF ZF xx AF xx PF xx CF |

FLAGS MODIFIED
Sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
The flags listed above are loaded with values from the AH register, from bits 7, 6, 4, 2, and 0, respectively.
PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

SAL/SAR/SHL/SHR - Shift Instructions

| Opcode | Instruction | Clocks-N* | Description |
|---|---|---|---|
| D0 /4 | SAL eb,1 | 2,mem=7 | Multiply EA byte by 2, once |
| D2 /4 | SAL eb,CL | 5,mem=8 | Multiply EA byte by 2, CL times |
| C0 /4 db | SAL eb,db | 5,mem=8 | Multiply EA byte by 2, db times |
| D1 /4 | SAL ew,1 | 2,mem=7 | Multiply EA word by 2, once |
| D3 /4 | SAL ew,CL | 5,mem=8 | Multiply EA word by 2, CL times |
| C1 /4 db | SAL ew,db | 5,mem=8 | Multiply EA word by 2, db times |
| D0 /7 | SAR eb,1 | 2,mem=7 | Signed divide EA byte by 2, once |
| D2 /7 | SAR eb,CL | 5,mem=8 | Signed divide EA byte by 2, CL times |
| C0 /7 db | SAR eb,db | 5,mem=8 | Signed divide EA byte by 2, db times |
| D1 /7 | SAR ew,1 | 2,mem=7 | Signed divide EA word by 2, once |
| D3 /7 | SAR ew,CL | 5,mem=8 | Signed divide EA word by 2, CL times |
| C1 /7 db | SAR ew,db | 5,mem=8 | Signed divide EA word by 2, db times |
| D0 /5 | SHR eb,1 | 2,mem=7 | Unsigned divide EA byte by 2, once |
| D2 /5 | SHR eb,CL | 5,mem=8 | Unsigned divide EA byte by 2, CL times |
| C0 /5 db | SHR eb,db | 5,mem=8 | Unsigned divide EA byte by 2, db times |
| D1 /5 | SHR ew,1 | 2,mem=7 | Unsigned divide EA word by 2, once |
| D3 /5 | SHR ew,CL | 5,mem=8 | Unsigned divide EA word by 2, CL times |
| C1 /5 db | SHR ew,db | 5,mem=8 | Unsigned divide EA word by 2, db times |

* Add 1 clock to the times shown for each shift performed.

FLAGS MODIFIED
Overflow (only for single-shift form), carry, zero, parity, sign

FLAGS UNDEFINED
Auxiliary carry; also overflow for multibit shifts (only).

OPERATION
SAL (or its synonym SHL) shifts the bits of the operand upward. The high-order bit is shifted into the carry flag, and the low-order bit is set to 0.

SAR and SHR shift the bits of the operand downward. The low-order bit is shifted into the carry flag. The effect is to divide the operand by 2. SAR performs a signed divide: the high-order bit remains the same. SHR performs an unsigned divide: the high-order bit is set to 0.
The shift is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum execution time, the 80286 does not allow shift counts greater than 31. If a shift count greater than 31 is attempted, only the bottom five bits of the shift count are used. The 8086 uses all 8 bits of the shift count.

The overflow flag is set only if the single-shift forms of the instructions are used. For left shifts, it is set to 0 if the high bit of the answer is the same as the result carry flag (i.e., the top two bits of the original operand were the same); it is set to 1 if they are different. For SAR it is set to 0 for all single shifts. For SHR, it is set to the high-order bit of the original operand. Neither flag bit is modified when the count value is zero.

PROTECTED MODE EXCEPTIONS
#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

SBB - Integer Subtraction With Borrow

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 18 /r | SBB eb,rb | 2,mem=7 | Subtract with borrow byte register from EA byte |
| 19 /r | SBB ew,rw | 2,mem=7 | Subtract with borrow word register from EA word |
| 1A /r | SBB rb,eb | 2,mem=7 | Subtract with borrow EA byte from byte register |
| 1B /r | SBB rw,ew | 2,mem=7 | Subtract with borrow EA word from word register |
| 1C db | SBB AL,db | 3 | Subtract with borrow imm. byte from AL |
| 1D dw | SBB AX,dw | 3 | Subtract with borrow imm. word from AX |
| 80 /3 db | SBB eb,db | 3,mem=7 | Subtract with borrow imm. byte from EA byte |
| 81 /3 dw | SBB ew,dw | 3,mem=7 | Subtract with borrow imm. word from EA word |
| 83 /3 db | SBB ew,db | 3,mem=7 | Subtract with borrow imm. byte from EA word |

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
The second operand is added to the carry flag and the result is subtracted from the first operand. The first operand is replaced with the result of the subtraction, and the flags are set accordingly.

When a byte-immediate value is subtracted from a word operand, the immediate value is first sign-extended.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

SCAS/SCASB/SCASW - Compare String Data

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| AE | SCAS mb | 7 | Compare bytes AL - ES:[DI], advance DI |
| AF | SCAS mw | 7 | Compare words AX - ES:[DI], advance DI |
| AE | SCASB | 7 | Compare bytes AL - ES:[DI], advance DI |
| AF | SCASW | 7 | Compare words AX - ES:[DI], advance DI |

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
SCAS subtracts the memory byte or word at ES:DI from the AL or AX register. The result is discarded; only the flags are set. The operand must be addressable from the ES register; no segment override is possible.

After the comparison is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed), DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments or decrements by 1 if bytes were compared; by 2 if words were compared.

SCAS can be preceded by the REPE or REPNE prefix for a block search of CX bytes or words. Refer to the REP instruction for details of this operation.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

SGDT/SIDT - Store Global/Interrupt Descriptor Table Register

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 0F 01 /0 | SGDT m | 11 | Store Global Descriptor Table register to m |
| 0F 01 /1 | SIDT m | 12 | Store Interrupt Descriptor Table register to m |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The contents of the descriptor table register are copied to six bytes of memory indicated by the operand. The LIMIT field of the register goes to the first word at the effective address; the next three bytes get the BASE field of the register; and the last byte is undefined.

SGDT and SIDT appear only in operating systems software; they are not used in applications programs.

PROTECTED MODE EXCEPTIONS
#UD if the destination operand is a register. #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
These instructions are valid in Real Address mode to facilitate power-up or to reset initialization prior to entering Protected mode.

#UD if the destination operand is a register. Interrupt 13 for a word operand at offset 0FFFFH.

SLDT - Store Local Descriptor Table Register

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 0F 00 /0 | SLDT ew | 2,mem=3 | Store Local Descriptor Table register to EA word |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The Local Descriptor Table register is stored in the 2-byte register or memory location indicated by the effective address operand. This register is a selector that points into the Global Descriptor Table.

SLDT appears only in operating systems software. It is not used in applications programs.

PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable segment.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 6; SLDT is not recognized in Real Address mode.

SMSW - Store Machine Status Word

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 0F 01 /4 | SMSW ew | 2,mem=3 | Store Machine Status Word to EA word |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The Machine Status Word is stored in the 2-byte register or memory location indicated by the effective address operand.

PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

STC - Set Carry Flag

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| F9 | STC | 2 | Set carry flag |

FLAGS MODIFIED
Carry = 1

FLAGS UNDEFINED
None

OPERATION
The carry flag is set to 1.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

STD - Set Direction Flag

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| FD | STD | 2 | Set direction flag so SI and DI will decrement |

FLAGS MODIFIED
Direction = 1

FLAGS UNDEFINED
None

OPERATION
The direction flag is set to 1. This causes all subsequent string operations to decrement the index registers (SI and/or DI) on which they operate.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None

STI - Set Interrupt Enable Flag

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| FB | STI | 2 | Set interrupt enable flag, interrupts enabled |

FLAGS MODIFIED
Interrupt = 1 (enabled)

FLAGS UNDEFINED
None

OPERATION
The interrupts-enabled flag is set to 1. The 80286 will now respond to external interrupts after executing the STI instruction.
PROTECTED MODE EXCEPTIONS
#GP(0) if the current privilege level is bigger (has less privilege) than the I/O privilege level.

REAL ADDRESS MODE EXCEPTIONS
None

STOS/STOSB/STOSW - Store String Data

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| AA | STOS mb | 3 | Store AL to byte ES:[DI], advance DI |
| AB | STOS mw | 3 | Store AX to word ES:[DI], advance DI |
| AA | STOSB | 3 | Store AL to byte ES:[DI], advance DI |
| AB | STOSW | 3 | Store AX to word ES:[DI], advance DI |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
STOS transfers the contents of the AL or AX register to the memory byte or word at ES:DI. The operand must be addressable from the ES register; no segment override is possible.

After the transfer is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed), DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

STOS can be preceded by the REP prefix for a block fill of CX bytes or words. Refer to the REP instruction for details of this operation.

PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

STR - Store Task Register

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 0F 00 /1 | STR ew | 2,mem=3 | Store Task Register to EA word |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The contents of the Task Register are copied to the 2-byte register or memory location indicated by the effective address operand.

PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.
REAL ADDRESS MODE EXCEPTIONS
Interrupt 6; STR is not recognized in Real Address mode.

SUB - Integer Subtraction

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 28 /r | SUB eb,rb | 2,mem=7 | Subtract byte register from EA byte |
| 29 /r | SUB ew,rw | 2,mem=7 | Subtract word register from EA word |
| 2A /r | SUB rb,eb | 2,mem=7 | Subtract EA byte from byte register |
| 2B /r | SUB rw,ew | 2,mem=7 | Subtract EA word from word register |
| 2C db | SUB AL,db | 3 | Subtract immediate byte from AL |
| 2D dw | SUB AX,dw | 3 | Subtract immediate word from AX |
| 80 /5 db | SUB eb,db | 3,mem=7 | Subtract immediate byte from EA byte |
| 81 /5 dw | SUB ew,dw | 3,mem=7 | Subtract immediate word from EA word |
| 83 /5 db | SUB ew,db | 3,mem=7 | Subtract immediate byte from EA word |

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
The second operand is subtracted from the first operand, and the first operand is replaced with the result.

When a byte-immediate value is subtracted from a word operand, the immediate value is first sign-extended.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

TEST - Logical Compare

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 84 /r | TEST eb,rb | 2,mem=6 | AND byte register into EA byte for flags only |
| 84 /r | TEST rb,eb | 2,mem=6 | AND EA byte into byte register for flags only |
| 85 /r | TEST ew,rw | 2,mem=6 | AND word register into EA word for flags only |
| 85 /r | TEST rw,ew | 2,mem=6 | AND EA word into word register for flags only |
| A8 db | TEST AL,db | 3 | AND immediate byte into AL for flags only |
| A9 dw | TEST AX,dw | 3 | AND immediate word into AX for flags only |
| F6 /0 db | TEST eb,db | 3,mem=6 | AND immediate byte into EA byte for flags only |
| F7 /0 dw | TEST ew,dw | 3,mem=6 | AND immediate word into EA word for flags only |

FLAGS MODIFIED
Overflow=0, sign, zero, parity, carry=0

FLAGS UNDEFINED
Auxiliary carry

OPERATION
TEST computes the bit-wise logical AND of the two operands given. Each bit of the result is 1 if both of the corresponding bits of the operands are 1; each bit is 0 otherwise. The result of the operation is discarded; only the flags are modified.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

VERR, VERW - Verify a Segment for Reading or Writing

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 0F 00 /4 | VERR ew | 14,mem=16 | Set ZF=1 if seg. can be read, selector ew |
| 0F 00 /5 | VERW ew | 14,mem=16 | Set ZF=1 if seg. can be written, selector ew |

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION
VERR and VERW expect the 2-byte register or memory operand to contain the value of a selector. The instructions determine whether the segment denoted by the selector is reachable from the current privilege level; the instructions also determine whether it is readable or writable. If the segment is determined to be accessible, the zero flag is set to 1; if the segment is not accessible, it is set to 0. To set ZF, the following conditions must be met:

1. The selector must denote a descriptor within the bounds of the table (GDT or LDT); that is, the selector must be "defined."
2. The selector must denote the descriptor of a code or data segment.
3. If the instruction is VERR, the segment must be readable. If the instruction is VERW, the segment must be a writable data segment.
4. If the code segment is readable and conforming, the descriptor privilege level (DPL) can be any value for VERR. Otherwise, the DPL must be greater than or equal to (have less or the same privilege as) both the current privilege level and the selector's RPL.

The validation performed is the same as if the segment were loaded into DS or ES and the indicated access (read or write) were performed. The zero flag receives the result of the validation. The selector's value cannot result in a protection exception. This enables the software to anticipate possible segment access problems.

PROTECTED MODE EXCEPTIONS
The only faults that can occur are those generated by illegally addressing the memory operand which contains the selector. The selector is not loaded into any segment register, and no faults attributable to the selector operand are generated.

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 6; VERR and VERW are not recognized in Real Address Mode.

WAIT - Wait Until BUSY Pin Is Inactive (HIGH)

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 9B | WAIT | 3 | Wait until BUSY pin is inactive (HIGH) |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
WAIT suspends execution of 80286 instructions until the BUSY pin is inactive (high). The BUSY pin is driven by the 80287 numeric processor extension. WAIT is issued to ensure that the numeric instruction being executed is complete, and to check for a possible numeric fault (see below).

PROTECTED MODE EXCEPTIONS
#NM if task switch flag in MSW is set. #MF if 80287 has detected an unmasked numeric error.

REAL ADDRESS MODE EXCEPTIONS
Same as Protected mode.
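The four VERR/VERW conditions listed earlier in this section, written out as a C model over a raw descriptor table. This is an added example, not code from the manual; the function names and the sample table are constructed. It assumes the 80286 layout of 8-byte descriptors with the access-rights byte at offset 5, and selectors with the index in bits 15-3, the table indicator in bit 2 and the RPL in bits 1-0. Only the four listed conditions are applied.

```c
#include <stdint.h>
#include <stdio.h>

/* 80286 access-rights (AR) byte, byte 5 of each 8-byte descriptor. */
#define AR_DPL(ar)  (((ar) >> 5) & 3u)
#define AR_S        0x10u  /* 1 = code or data segment, 0 = system segment or gate */
#define AR_EXEC     0x08u  /* 1 = code segment, 0 = data segment */
#define AR_CONFORM  0x04u  /* code segments: conforming */
#define AR_RW       0x02u  /* code: readable; data: writable */

struct dtable {
    const uint8_t *bytes;  /* raw descriptor table */
    uint16_t limit;        /* offset of the last valid byte */
};

/* Returns the ZF value VERR (want_write=0) or VERW (want_write=1) would set. */
static int verify(uint16_t sel, unsigned cpl, int want_write,
                  const struct dtable *gdt, const struct dtable *ldt)
{
    const struct dtable *t = (sel & 4u) ? ldt : gdt;  /* TI bit selects the table */
    unsigned rpl = sel & 3u;
    uint32_t off = sel & 0xFFF8u;                     /* index * 8 */
    uint8_t ar;

    if (off + 7u > t->limit)                /* 1: descriptor inside the table */
        return 0;
    ar = t->bytes[off + 5u];
    if (!(ar & AR_S))                       /* 2: code or data segment only */
        return 0;
    if (want_write) {                       /* 3: VERW needs a writable data segment */
        if ((ar & AR_EXEC) || !(ar & AR_RW))
            return 0;
    } else if ((ar & AR_EXEC) && !(ar & AR_RW)) {
        return 0;                           /* 3: VERR rejects execute-only code */
    }
    if (!want_write && (ar & AR_EXEC) && (ar & AR_CONFORM))
        return 1;                           /* 4: readable conforming code, any DPL */
    return AR_DPL(ar) >= cpl && AR_DPL(ar) >= rpl;  /* 4: DPL >= CPL and RPL */
}

/* Constructed sample GDT; only the AR byte of each descriptor is filled in. */
#define DESC(ar) 0, 0, 0, 0, 0, (ar), 0, 0
static const uint8_t sample_gdt[] = {
    DESC(0x00),  /* 0 (00H): null descriptor */
    DESC(0x92),  /* 1 (08H): writable data, DPL 0 */
    DESC(0xF0),  /* 2 (10H): read-only data, DPL 3 */
    DESC(0x9E),  /* 3 (18H): readable conforming code, DPL 0 */
    DESC(0xF8),  /* 4 (20H): execute-only code, DPL 3 */
    DESC(0x82),  /* 5 (28H): system descriptor (S = 0) */
};
static const struct dtable GDT = { sample_gdt, (uint16_t)(sizeof sample_gdt - 1) };
static const struct dtable LDT = { sample_gdt, 0 };  /* limit 0: no usable entries */

static int verr(uint16_t sel, unsigned cpl) { return verify(sel, cpl, 0, &GDT, &LDT); }
static int verw(uint16_t sel, unsigned cpl) { return verify(sel, cpl, 1, &GDT, &LDT); }

int main(void)
{
    static const uint16_t sels[] = { 0x00, 0x08, 0x0B, 0x13, 0x1B, 0x23, 0x28, 0x30, 0x0C };
    for (size_t i = 0; i < sizeof sels / sizeof sels[0]; i++)
        printf("selector %04XH: CPL0 VERR=%d VERW=%d  CPL3 VERR=%d VERW=%d\n",
               (unsigned)sels[i], verr(sels[i], 0), verw(sels[i], 0),
               verr(sels[i], 3), verw(sels[i], 3));
    return 0;
}
```

Selector 08H and selector 0BH name the same DPL 0 data segment; at CPL 0 the first verifies and the second does not, because the RPL of 3 is compared against the DPL as well.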
XCHG - Exchange Memory/Register with Register

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 86 /r | XCHG eb,rb | 3,mem=5 | Exchange byte register with EA byte |
| 86 /r | XCHG rb,eb | 3,mem=5 | Exchange EA byte with byte register |
| 87 /r | XCHG ew,rw | 3,mem=5 | Exchange word register with EA word |
| 87 /r | XCHG rw,ew | 3,mem=5 | Exchange EA word with word register |
| 90+ rw | XCHG AX,rw | 3 | Exchange word register with AX |
| 90+ rw | XCHG rw,AX | 3 | Exchange AX with word register |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The two operands are exchanged. The order of the operands is immaterial. BUS LOCK is asserted for the duration of the exchange, regardless of the presence or absence of the LOCK prefix or IOPL.

PROTECTED MODE EXCEPTIONS
#GP(0) if either operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

XLAT - Table Look-up Translation

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| D7 | XLAT mb | 5 | Set AL to memory byte DS:[BX + unsigned AL] |
| D7 | XLATB | 5 | Set AL to memory byte DS:[BX + unsigned AL] |

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
When XLAT is executed, AL should be the unsigned index into a table addressed by DS:BX. XLAT changes the AL register from the table index into the table entry. BX is unchanged.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
XOR - Logical Exclusive OR

| Opcode | Instruction | Clocks | Description |
|---|---|---|---|
| 30 /r | XOR eb,rb | 2,mem=7 | Exclusive-OR byte register into EA byte |
| 31 /r | XOR ew,rw | 2,mem=7 | Exclusive-OR word register into EA word |
| 32 /r | XOR rb,eb | 2,mem=7 | Exclusive-OR EA byte into byte register |
| 33 /r | XOR rw,ew | 2,mem=7 | Exclusive-OR EA word into word register |
| 34 db | XOR AL,db | 3 | Exclusive-OR immediate byte into AL |
| 35 dw | XOR AX,dw | 3 | Exclusive-OR immediate word into AX |
| 80 /6 db | XOR eb,db | 3,mem=7 | Exclusive-OR immediate byte into EA byte |
| 81 /6 dw | XOR ew,dw | 3,mem=7 | Exclusive-OR immediate word into EA word |

FLAGS MODIFIED
Overflow=0, sign, zero, parity, carry=0

FLAGS UNDEFINED
Auxiliary carry

OPERATION
XOR computes the exclusive OR of the two operands. Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same. The answer replaces the first operand.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.

APPENDIX C
8086/8088 COMPATIBILITY CONSIDERATIONS

SOFTWARE COMPATIBILITY CONSIDERATIONS
In general, the real address mode 80286 will correctly execute ROM-based 8086/8088 software. The following is a list of the minor differences between 8086 and 80286 (Real mode).

1. Add Six Interrupt Vectors. The 80286 adds six interrupts which arise only if the 8086 program has a hidden bug. These interrupts occur only for instructions which were undefined on the 8086/8088 or if a segment wraparound is attempted. It is recommended that you add an interrupt handler to the 8086 software that is to be run on the 80286, which will treat these interrupts as invalid operations.
This additional software does not significantly affect the existing 8086 software because the interrupts do not normally occur and should not already have been used since they are in the interrupt group reserved by Intel. Table C-1 describes the new 80286 interrupts.

2. Do not Rely on 8086/8088 Instruction Clock Counts. The 80286 takes fewer clocks for most instructions than the 8086/8088. The areas to look into are delays between I/O operations, and assumed delays in 8086/8088 operating in parallel with an 8087.

3. Divide Exceptions Point at the DIV Instruction. Any interrupt on the 80286 will always leave the saved CS:IP value pointing at the beginning of the instruction that failed (including prefixes). On the 8086, the CS:IP value saved for a divide exception points at the next instruction.

Table C-1. New 80286 Interrupts

| Interrupt Number | Function |
|---|---|
| 5 | A BOUND instruction was executed with a register value outside the two limit values. |
| 6 | An undefined opcode was encountered. |
| 7 | The EM bit in the MSW has been set and an ESC instruction was executed. This interrupt will also occur on WAIT instructions if TS is set. |
| 8 | The interrupt table limit was changed by the LIDT instruction to a value between 20H and 43H. The default limit after reset is 3FFH, enough for all 256 interrupts. |
| 9 | A processor extension data transfer exceeded offset 0FFFFH in a segment. This interrupt handler must execute FNINIT before any ESC or WAIT instruction is executed. |
| 13 | Segment wraparound was attempted by a word operation at offset 0FFFFH. |
| 16 | When the 80286 attempted to execute a coprocessor instruction, the ERROR pin indicated an unmasked exception from a previous coprocessor instruction. |

4. Use Interrupt 16 for Numeric Exceptions. Any 80287 system must use interrupt vector 16 for the numeric error interrupt. If an 8086/8087 or 8088/8087 system uses another vector for the 8087 interrupt, both vectors should point at the numeric error interrupt handler.

5. Numeric Exception Handlers Should allow Prefixes. The saved CS:IP value in the NPX environment save area will point at any leading prefixes before an ESC instruction. On 8086/8088 systems, this value points only at the ESC instruction.

6. Do Not Attempt Undefined 8086/8088 Operations. Instructions like POP CS or MOV CS,op will either cause exception 6 (undefined opcode) or perform a protection setup operation like LIDT on the 80286. Undefined bit encodings for bits 5-3 of the second byte of POP MEM or PUSH MEM will cause exception 13 on the 80286.

7. Place a Far JMP Instruction at FFFF0H. After reset, CS:IP = F000:FFF0 on the 80286 (versus FFFF:0000 on the 8086/8088). This change was made to allow sufficient code space to enter protected mode without reloading CS. Placing a far JMP instruction at FFFF0H will avoid this difference. Note that the BOOTSTRAP option of LOC86 will automatically generate this jump instruction.

8. Do not Rely on the Value Written by PUSH SP. The 80286 will push a different value on the stack for PUSH SP than the 8086/8088. If the value pushed is important, replace PUSH SP instructions with the following three instructions:

      PUSH BP
      MOV  BP,SP
      XCHG BP,[BP]

   This code functions as the 8086/8088 PUSH SP instruction on the 80286.

9. Do not Shift or Rotate by More than 31 Bits. The 80286 masks all shift/rotate counts to the low 5 bits. This MOD 32 operation limits the count to a maximum of 31 bits. With this change, the longest shift/rotate instruction is 39 clocks. Without this change, the longest shift/rotate instruction would be 264 clocks, which delays interrupt response until the instruction completes execution.

10. Do not Duplicate Prefixes. The 80286 sets an instruction length limit of 10 bytes. The only way to violate this limit is by duplicating a prefix two or more times before an instruction. Exception 6 occurs if the instruction length limit is violated. The 8086/8088 has no instruction length limit.

11. Do not Rely on Odd 8086/8088 LOCK Characteristics. The LOCK prefix and its corresponding output signal should only be used to prevent other bus masters from interrupting a data movement operation. The 80286 will always assert LOCK during an XCHG instruction with memory (even if the LOCK prefix was not used). LOCK should only be used with the XCHG, MOV, MOVS, INS, and OUTS instructions. The 80286 LOCK signal will not go active during an instruction prefetch.

12. Do not Single Step External Interrupt Handlers. The priority of the 80286 single step interrupt is different from that of the 8086/8088. This change was made to prevent an external interrupt from being single-stepped if it occurs while single stepping through a program. The 80286 single step interrupt has higher priority than any external interrupt. The 80286 will still single step through an interrupt handler invoked by INT instructions or an instruction exception.

13. Do not Rely on IDIV Exceptions for Quotients of 80H or 8000H. The 80286 can generate the largest negative number as a quotient for IDIV instructions. The 8086 will instead cause exception 0.

14. Do not Rely on NMI Interrupting NMI Handlers. After an NMI is recognized, the NMI input and processor extension limit error interrupt is masked until the first IRET instruction is executed.

15. The NPX error signal does not pass through an interrupt controller (an 8087 INT signal does). Any interrupt controller-oriented instructions for the 8087 may have to be deleted.

16. If any real-mode program relies on address space wrap-around (e.g., FFF0:0400=0000:0300), then external hardware should be used to force the upper 4 addresses to zero during real mode.

17. Do not use I/O ports 00F8-00FFH. These are reserved for controlling 80287 and future processor extensions.

HARDWARE COMPATIBILITY CONSIDERATIONS

1. Address after Reset
   8086 has CS:IP = ffff:0000 and physical address ffff0.
80286 has CS:IP = fOOO:fffO and physical address fffffO. Note: After 80286 reset, until the first 80286 far JMP or far CALL, the code segment base is ffOOOO. This means A20-A23 will be high for CS-relative bus cycles (code fetch or use of CS override prefix) after reset until the first far JMP or far CALL instruction is performed. 2. Physical Address Formation In real mode or protected mode, the 80286 always forms a physical address by adding a l6-bit offset with a 24-bit segment base value (8086 has 20-bit base value). Therefore, if the 80286 in real mode has a segment base within 64K of the top of the 1Mbyte address space, and the program adds an offset of ffffh to the segment base, the physical address will be slightly above IMbyte. Thus, to fully duplicate 1Mbyte wraparound that the 8086 has, it is always necessary to force A20 low externally when the 80286 is in real mode, but system hardware uses all 24 address lines. 3. LOCK signal On the 8086, LOCK asserted means this bus cycle is within a group of two or more locked bus cycles. On the 80286, the LOCK signal means lock this bus cycle to the NEXT bus cycle. Therefore, on the 80286, the LOCK signal is not asserted on the last locked bus cycle of the group of locked bus cycles. 4. Coprocessor Interface 8086, synchronous to 8086, can become a bus master. 80287, asynchronous to 80286 and 80287, cannot become a bus master. 8087 pulls opcode and pointer information directly from data bus. 80286 passes opcode and pointer information to 80287. 8087 uses interrupt path to signal errors to 8086. 80287 uses dedicated ERROR signal. 8086 requires explicit WAIT opcode preceding all ESC instructions to synchronize with 8087. 80286 has automatic instruction synchronization with 80287. 5. Bus Cycles 8086 has four-clock minimum bus cycle, with a time-multiplexed address/data bus. 80286 has two-clock minimum bus cycle, with separate buses for address and data. 
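The address-formation and reset differences described above can be modelled directly. The following C model is an added example, not code from the manual; the function names and the a20_forced_low parameter (standing in for the external hardware that ties A20 to zero) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 8086/8088: 20 address lines, so segment*16 + offset wraps at 1 Mbyte. */
uint32_t phys_8086(uint16_t seg, uint16_t off)
{
    return (((uint32_t)seg << 4) + off) & 0xFFFFFu;
}

/* Real-mode segment base as the 80286 forms it (segment * 16). */
uint32_t real_mode_base(uint16_t seg)
{
    return (uint32_t)seg << 4;
}

/* 80286: 24-bit segment base plus 16-bit offset, with no wrap at 1 Mbyte.
 * base24 is normally real_mode_base(seg); for CS between reset and the
 * first far JMP or far CALL it is FF0000H. a20_forced_low models the
 * external gate that holds address line A20 at zero (an assumption of
 * this example, standing in for the system hardware). */
uint32_t phys_80286(uint32_t base24, uint16_t off, int a20_forced_low)
{
    uint32_t addr = (base24 + off) & 0xFFFFFFu;
    if (a20_forced_low)
        addr &= ~(UINT32_C(1) << 20);
    return addr;
}

/* First offset in a real-mode segment at which the two processors reach
 * different physical addresses when A20 is not gated; -1 if the segment
 * never reaches 1 Mbyte and so behaves identically on both. */
long first_divergent_offset(uint16_t seg)
{
    for (uint32_t off = 0; off <= 0xFFFFu; off++) {
        uint32_t a86  = phys_8086(seg, (uint16_t)off);
        uint32_t a286 = phys_80286(real_mode_base(seg), (uint16_t)off, 0);
        if (a86 != a286)
            return (long)off;
    }
    return -1;
}

int main(void)
{
    /* The manual's wrap-around case: FFF0:0400 versus 0000:0300. */
    printf("8086   FFF0:0400 -> %06lX\n",
           (unsigned long)phys_8086(0xFFF0, 0x0400));
    printf("80286  FFF0:0400 -> %06lX (A20 free)\n",
           (unsigned long)phys_80286(real_mode_base(0xFFF0), 0x0400, 0));
    printf("80286  FFF0:0400 -> %06lX (A20 forced low)\n",
           (unsigned long)phys_80286(real_mode_base(0xFFF0), 0x0400, 1));

    /* Reset vectors: FFFF:0000 on the 8086, CS base FF0000 + FFF0 on the 80286. */
    printf("8086   reset fetch -> %06lX\n",
           (unsigned long)phys_8086(0xFFFF, 0x0000));
    printf("80286  reset fetch -> %06lX\n",
           (unsigned long)phys_80286(0xFF0000u, 0xFFF0, 0));

    printf("segment FFF0 diverges from offset %lXh\n",
           (unsigned long)first_divergent_offset(0xFFF0));
    return 0;
}
```

Any real-mode segment for which first_divergent_offset returns a value other than -1 can reach memory above 1 Mbyte on an 80286 whose A20 line is not gated.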
APPENDIX D
80286/80386 SOFTWARE COMPATIBILITY CONSIDERATIONS

This appendix describes the considerations required in designing an Operating System for the protected mode 80286 so that it will operate on an 80386. An 80286 Operating System running on the 80386 would not use any of the advanced features of the 80386 (i.e., paging or segments larger than 64K), but would run 80286 code faster. Use of the new 80386 features requires changes in the 80286 Operating System.

The 80386 is no different than any other software compatible processor in terms of requiring the same system environment to run the same software; the 80386 must have the same amount of physical memory and I/O devices in the system as the 80286 system to run the same software. Note that an 80386 system requires a different memory system to achieve the higher performance.

The 80286 design considerations can be generally characterized as avoiding use of functions or memory that the 80386 will use. The exception to this rule is initialization code executed after power up. Such code must be changed to configure the 80386 system to match that of the 80286 system.

The following are 80286/80386 software compatibility design considerations:

1. Isolate the protected mode initialization code. System initialization code will be required on the 80386 to program operating parameters before executing any significant amount of 80286 software. The 80286 initialization software should be isolated from the rest of the Operating System. The initialization code in Appendix A is an example of isolated initialization code. Such code can be extended to include programming of operating parameters before executing the initial protected mode task.

2. Avoid wraparound of 80286 24-bit physical address space. Since the 80386 has a larger physical address space, any segment whose base address is greater than FF0000 and whose limit is beyond FFFFFF will address the seventeenth megabyte of memory in the 80386 32-bit physical address space instead of the first megabyte on an 80286. No expand-down segments should have a base address in the range FF0001-FFFFFF. No expand-up segments should wrap around the 80286 address space (the sum of their base and limit is in the range 000000-00FFFE).

3. Zero the last word of every 80286 descriptor. The 80386 uses the last word of each descriptor to expand the base address and limit fields of segments. Placing zeros in the descriptor will cause the 80386 to treat the segments the same way as an 80286 (except for address space wraparound as mentioned above).

4. Use only 80H or 00H for invalid descriptors. The 80386 uses more descriptor types than the 80286. Numeric values of 8-15 in bits 3-0 of the access byte for control descriptors will cause a protection exception on the 80286, but may be defined for other segment types on the 80386. Access byte values of 80H and 00H will remain undefined descriptors on both the 80286 and the 80386.

5. Put error interrupt handlers in reserved interrupts 14, 15, 17-31. Some of the unused, Intel-reserved interrupts of the 80286 will be used by the 80386 (i.e., page fault or bus error). These interrupts should not occur while executing an 80286 operating system on an 80386. However, it is safest to place an interrupt handler in these interrupts to print an error message and stop the system if they do occur.

6. Do not change bits 15-4 of MSW. The 80386 uses some of the undefined bits in the machine status word. 80286 software should ignore bits 15-4 of the MSW. To change the MSW on an 80286, read the old value first with LMSW, change bits 3-0 only, then write the new value with SMSW.

7. Use a restricted LOCK protocol for multiprocessor systems. The 80386 supports the 8086/80286 LOCK functions for simple instructions, but not the string move instructions. Any need for locked string moves can be satisfied by gaining control of a status semaphore before using the string move instruction. Any attempt to execute a locked string move will cause a protection exception on the 80386.

The general 80286 LOCK protocol does not efficiently extend to large multiprocessor systems. If all the processors in the system frequently use the 8086/80286 LOCK, they will prevent other processors from accessing memory and thereby impact system performance.

Access to semaphores in the future, including current 80286 Operating Systems, should use a protocol with the following restrictions:

• Be sure the semaphore starts at a physical memory address that is a multiple of 4.
• Do not use string moves to access the variable.
• All accesses by any instruction or I/O device (even simple reads or writes) must use the LOCK prefix or system LOCK signal.
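The descriptor rules of Appendix D (no wraparound of the 24-bit address space, a zero last word, and only 80H or 00H for invalid descriptors) can be checked mechanically over a descriptor table image. The following C audit is an added example, not code from the manual; the function names, finding flags and the sample table are constructed for illustration, and applying the expand-up rule to TSS and LDT descriptors is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Findings, one bit per Appendix D rule (names are this example's own). */
enum {
    F_RESERVED_WORD = 1 << 0, /* last word (bytes 6-7) is not zero          */
    F_WRAP_UP       = 1 << 1, /* expand-up: base + limit passes FFFFFFH     */
    F_WRAP_DOWN     = 1 << 2, /* expand-down: base in FF0001H-FFFFFFH       */
    F_INVALID_TYPE  = 1 << 3  /* invalid descriptor not coded as 80H or 00H */
};

/* Audit one 8-byte 80286 descriptor: limit (bytes 0-1), base (bytes 2-4),
 * access byte (byte 5), reserved word (bytes 6-7). */
unsigned audit_descriptor(const uint8_t d[8])
{
    unsigned findings = 0;
    uint32_t limit  = (uint32_t)d[0] | ((uint32_t)d[1] << 8);
    uint32_t base   = (uint32_t)d[2] | ((uint32_t)d[3] << 8) |
                      ((uint32_t)d[4] << 16);
    uint8_t  access = d[5];
    int      is_seg = (access >> 4) & 1;     /* S bit: 1 = code or data  */
    uint8_t  type   = access & 0x0F;         /* bits 3-0 of access byte  */
    int      expand_down = 0;

    if (d[6] != 0 || d[7] != 0)
        findings |= F_RESERVED_WORD;

    if (!is_seg) {
        if (type == 0 || type >= 8) {
            /* Not a valid 80286 control descriptor: must be 80H or 00H. */
            if (access != 0x80 && access != 0x00)
                findings |= F_INVALID_TYPE;
            return findings;
        }
        if (type >= 4)
            return findings;   /* gates (types 4-7) carry no base or limit */
        /* Types 1-3 (TSS, LDT) are treated as expand-up (assumption). */
    } else {
        int executable = (access >> 3) & 1;
        expand_down = !executable && ((access >> 2) & 1);
    }

    if (expand_down) {
        if (base >= 0xFF0001u)
            findings |= F_WRAP_DOWN;
    } else if (base + limit > 0xFFFFFFu) {
        findings |= F_WRAP_UP;
    }
    return findings;
}

/* Audit a whole table; prints each flagged entry, returns how many. */
size_t audit_table(const uint8_t (*table)[8], size_t entries)
{
    size_t flagged = 0;
    for (size_t i = 0; i < entries; i++) {
        unsigned f = audit_descriptor(table[i]);
        if (f != 0) {
            flagged++;
            printf("entry %lu: findings %02X\n", (unsigned long)i, f);
        }
    }
    return flagged;
}

/* Constructed sample table (not taken from any real system). */
static const uint8_t sample_gdt[][8] = {
    {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* null, access 00H    */
    {0xFF, 0xFF, 0x00, 0x00, 0x01, 0x9A, 0x00, 0x00}, /* code at 010000H     */
    {0xFF, 0xFF, 0x00, 0x80, 0xFF, 0x92, 0x00, 0x00}, /* data at FF8000H     */
    {0x00, 0x00, 0x01, 0x00, 0xFF, 0x96, 0x00, 0x00}, /* expand-down FF0001H */
    {0xFF, 0x0F, 0x00, 0x00, 0x02, 0x92, 0x34, 0x12}, /* last word not zero  */
    {0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00}, /* control type 8      */
    {0x00, 0x10, 0x08, 0x00, 0x02, 0x84, 0x00, 0x00}  /* call gate           */
};

int main(void)
{
    size_t n = sizeof sample_gdt / sizeof sample_gdt[0];
    printf("%lu of %lu descriptors need attention\n",
           (unsigned long)audit_table(sample_gdt, n), (unsigned long)n);
    return 0;
}
```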
80287 Numeric Processor Extension (NPX)

PREFACE

AN INTRODUCTION TO THE 80286

This supplement describes the 80287 Numeric Processor Extension (NPX) for the 80286 microprocessor. Below is a brief overview of 80286 concepts, along with some of the nomenclature used throughout this and other Intel publications.

The 80286 Microsystem

The 80286 is a new VLSI microprocessor system with exceptional capabilities for supporting large-system applications. Based on a new-generation CPU (the Intel 80286), this powerful microsystem is designed to support multiuser reprogrammable and real-time multitasking applications. Its dedicated system support circuits simplify system hardware; sophisticated hardware and software tools reduce both the time and the cost of product development.

The 80286 is a virtual-memory microprocessor with on-chip memory management and protection. The 80286 microsystem offers a total-solution approach, enabling you to develop high-speed, interactive, multiuser, multitasking, and multiprocessor systems more rapidly and at higher performance than ever before.

• Reliability and system up-time are becoming increasingly important in all applications. Information must be protected from misuse or accidental loss. The 80286 includes a sophisticated and flexible four-level protection mechanism that isolates layers of operating system programs from application programs to maintain a high degree of system integrity.
• The 80286 provides 16 megabytes of physical address space to support today's application requirements. This large physical memory enables the 80286 to keep many large programs and data structures simultaneously in memory for high-speed access.
• For applications with dynamically changing memory requirements, such as multiuser business systems, the 80286 CPU provides on-chip memory management and virtual memory support. On an 80286-based system, each user can have up to a gigabyte (2^30 bytes) of virtual-address space. This large address space virtually eliminates restrictions on the number or size of programs that may be part of the system.
• Large multiuser or real-time multitasking systems are easily supported by the 80286. High-performance features, such as a very high-speed task switch, fast interrupt-response time, inter-task protection, and a quick and direct operating system interface, make the 80286 highly suited to multiuser/multitasking applications.
• The 80286 has two operating modes: Real-Address mode and Protected-Address mode. In Real-Address mode, the 80286 is fully compatible with the 8086, 8088, 80186, and 80188 microprocessors; all of the extensive libraries of 8086 and 8088 software execute four to six times faster on the 80286, without any modification.
• In Protected-Address mode, the advanced memory management and protection features of the 80286 become available, without any reduction in performance. Upgrading 8086 and 8088 application programs to use these new memory management and protection features usually requires only reassembly or recompilation (some programs may require minor modification). This compatibility between 80286 and 8086 processor families reduces both the time and the cost of software development.

The Organization of This Manual

This manual describes the 80287 Numeric Processor Extension (NPX) for the 80286 microprocessor. The material in this manual is presented from the perspective of software designers, both at an applications and at a systems software level.

• Chapter One, "Overview of Numeric Processing," gives an overview of the 80287 NPX and reviews the concepts of numeric computation using the 80287.
• Chapter Two, "Programming Numeric Applications," provides detailed information for software designers generating applications for systems containing an 80286 CPU with an 80287 NPX. The 80286/80287 instruction set mnemonics are explained in detail, along with a description of programming facilities for these systems. A comparative 80287 programming example is given.
• Chapter Three, "System-Level Numeric Programming," provides information of interest to systems software writers, including details of the 80287 architecture and operational characteristics.
• Chapter Four, "Numeric Programming Examples," provides several detailed programming examples for the 80287, including conditional branching, the conversion between floating-point values and their ASCII representations, and the calculation of several trigonometric functions. These examples illustrate assembly-language programming on the 80287 NPX.
• Appendix A, "Machine Instruction Encoding and Decoding," gives reference information on the encoding of NPX instructions.
• Appendix B, "Compatibility between the 80287 NPX and the 8087," describes the differences between the 80287 and the 8087.
• Appendix C, "Implementing the IEEE P754 Standard," gives details of the IEEE P754 Standard.
• The Glossary defines 80287 and floating-point terminology. Refer to it as needed.

Related Publications

To best use the material in this manual, readers should be familiar with the operation and architecture of 80286 systems. The following manuals contain information related to the content of this supplement and of interest to programmers of 80287 systems:

• Introduction to the 80286, order number 210308
• ASM286 Assembly Language Reference Manual, order number 121924
• 80286 Operating System Writer's Guide, order number 121960
• 80286 Hardware Reference Manual, order number 210760
• Microprocessor and Peripheral Handbook, order number 210844
• PL/M-286 User's Guide, order number 121945
• 80287 Support Library Reference Manual, order number 122129
• 8086 Software Toolbox Manual, order number 122203 (includes information about 80287 Emulator Software)

TABLE OF CONTENTS

CHAPTER 1
OVERVIEW OF NUMERIC PROCESSING
Introduction to the 80287 Numeric Processor Extension
Performance
Ease of Use
Applications
Upgradability
Programming Interface
Hardware Interface
80287 Numeric Processor Architecture
The NPX Register Stack
The NPX Status Word
Control Word
The NPX Tag Word
The NPX Instruction and Data Pointers
Computation Fundamentals
Number System
Data Types and Formats
Binary Integers
Decimal Integers
Real Numbers
Rounding Control
Precision Control
Infinity Control
Special Computational Situations
Special Numeric Values
Nonnormal Real Numbers
Denormals and Gradual Underflow
Unnormals-Descendents of Denormal Operands
Zeros and Pseudo Zeros
Infinity
NaN (Not a Number)
Indefinite
Encoding of Data Types
Numeric Exceptions
Invalid Operation
Zero Divisor
Denormalized Operand
Numeric Overflow and Underflow
Inexact Result
Handling Numeric Errors
Automatic Exception Handling
Software Exception Handling

CHAPTER 2
PROGRAMMING NUMERIC APPLICATIONS
The 80287 NPX Instruction Set
Compatibility with the 8087 NPX
Numeric Operands
Data Transfer Instructions
Arithmetic Instructions
Comparison Instructions
Transcendental Instructions
Constant Instructions
Processor Control Instructions
Instruction Set Reference Information
Instruction Execution Time
Bus Transfers
Instruction Length
Programming Facilities
High-Level Languages
PL/M-286
ASM286
Defining Data
Records and Structures
Addressing Modes
Comparative Programming Example
80287 Emulation
Concurrent Processing with the 80287
Managing Concurrency
Instruction Synchronization
Data Synchronization
Error Synchronization
Incorrect Error Synchronization
Proper Error Synchronization

CHAPTER 3
SYSTEM-LEVEL NUMERIC PROGRAMMING
80287 Architecture
Processor Extension Data Channel
Real-Address Mode and Protected Virtual-Address Mode
Dedicated and Reserved I/O Locations
Processor Initialization and Control
System Initialization
Recognizing the 80287 NPX
Configuring the Numerics Environment
Initializing the 80287
80287 Emulation
Handling Numeric Processing Exceptions
Simultaneous Exception Response
Exception Recovery Examples

CHAPTER 4
Conditional Branching Examples
Exception Handling Examples
Floating-point to ASCII Conversion Examples
Function Partitioning
Exception Considerations
Special Instructions
Description of Operation
Scaling the Value
Inaccuracy in Scaling
Avoiding Underflow and Overflow
Final Adjustments
Output Format
Trigonometric Calculation Examples
....... FPTAN and FPREM .................................................................................................... Cosine Uses Sine Code .............................................................................................. 4-16 4-17 4-17 4-17 4-17 4-18 APPENDIX A MACHINE INSTRUCTION ENCODING AND DECODING APPENDIX B COMPATIBILITY BETWEEN THE 80287 NPX AND THE 8087 APPENDIX C IMPLEMENTING THE IEEE P754 STANDARD Options Implemented in the 80287 ................................................................................ C-1 Areas of the Standard Implemented in Software ................... ~...................................... C-1 Additional Software to Meet the Standard .... .................. ....... ..... ................... ............... C-2 GLOSSARY OF 80287 AND FLOATING-POINT TERMINOLOGY INDEX Figures Figure 1-1 1-2 1-3 1-4 1-5 1-6 1-7 1-8 1-9 1-10 1-11· 2-1 2-2 2-3 2-4 2-5 2-6 2-7 2-8 2-9 2-10 2-11 2-12 Title Evolution and Performance of Numeric Processors .............................................. '80287 NPX Block Diagram ...................................................................................... 80287 Register Set ........................... ....... .............. ..... ...... .............. ......................... 80287 Status Word ............ ..... ............... ......... ........ ..... ...... ...... ......... .......... ........ ....... 80287 Control Word Format ........ ...... ............ ..... ....... ....... ....................... ............... 80287 Tag Word Format .......................................................................................... 80287 Instruction and Data Pointer Image in Memory .......................................... 80287 Number System ............................................. ,.............................................. Data Formats .............................................................: .............................................. 
Projective versus Affine Closure ...... ................ ........... ....... ......... ....... ........ ............. Arithmetic Example Using Infinity ............................................. :.... ;......................... FSAVE/FRSTOR Memory Layout ........................................................................... FSTENV/FLDENV Memory Layout ........................ ;.................................... ;........... Sample 80287 Constants ........................................................................................ Status Word RECORD Definition ............................................................................ Structure Definition .....................................................;............. ~ ......................... ;..... Sample PL/M-286 Program .................................................................................... Sample ASM286 Program ....................................................................................... Instructions and Register Stack .............................................................................. Synchronizing References to Shared Data ...................... ..... ..... ........... ........... ...... Documenting Data Synchronization ........ ......... ......... ...... ...... ......... ........................ Nonconcurrent FIST Instruction Code Macro ........................................................ Error Synchronization Examples ............................................................................. vii Page 1-1 1-7 1-9 1-10 1-12 1-13 1-13 1-15 1-16 1-20 1-37 2-18 2-19 2-41 2-42 2-42 2-44 2-46 2-47 2-50 2-51 2-51 2-52 inter Figure 3-1 4-1 4-2 4-3 4-4 4-5 4-6 4-7 TABLE OF CONTENTS Title Software Routine to Recognize the 80287 ............................................................. Conditional Branching for Compares ..................................................................... 
Conditional Branching for FXAM ............................................................................ Full-State Exception Handler .................................................................................. Reduced-Latency Exception Handler ..................................................................... Reentrant Exception Handler .................................................................................. Floating-Point to ASCII Conversion Routine .......................................................... Calculating Trigonometric Functions ...................................................................... Page 3-3 4-2 4-2 4-5 4-5 4-6 4-7 4-18 Tables Table 1-1 1-2 1-3 1-4 1-5 1-6 1-7 1-8 1-9 1-10 1-11 1-12 1-13 1-14 1-15 1-16 1-17 2-1 2-2 2-3 2-4 2-5 2-6 2-7 2-8 2-9 2-10 2-11 2-12 Title Numeric Processing Speed Comparisons .............................................................. Numeric Data Types ................................................................................................ Principal NPX Instructions ....................................................................................... Interpreting the NPX Condition Codes ................................................................... Real Number Notation ............................................................................................. Rounding Modes ..................................................................................................... Denormalization Process ........................................................................................ Exceptions Due to Denormal Operands ........................................ ......................... Unnormal Operands and Results ............................................................................ Zero Operands and Results .................................................................................... 
Masked Overflow Response with Directed Rounding ........................................... Infinity Operands and Results ................................................................................. Binary Integer Encodings .....................................................................,.................. Packed Decimal Encodings ..................................................................................... Real and Long Real Encodings ............................................................................... Temporary Real Encodings ..................................................................................... Exception Conditions and Masked Responses ..................................................... Data Transfer Instructions ...................................................................................... Arithmetic Instructions ............................................................................................. Basic Arithmetic Instructions and Operands .......................................................... Condition Code Interpretation after FPREM ......................... ;................................ Comparison Instructions ......................................................................................... Condition Code Interpretation after FCOM ............................................................ Condition Code Interpretation after FTST .............................................................. FXAM Condition Code Settings ........................ .............. .................. ...................... Transcendental Instructions .................................................................................... Constant Instructions .............................................................................................. Processor Control Instructions .............. ............................ ...... ............................... 
2-12 Key to Operand Types
2-13 Execution Penalties
2-14 Instruction Set Reference Data
2-15 PL/M-286 Built-In Procedures
2-16 80287 Storage Allocation Directives
2-17 Addressing Mode Examples
3-1 NPX Processor State Following Initialization
3-2 Precedence of NPX Exceptions
A-1 80287 Instruction Encoding
A-2 Machine Instruction Decoding Guide

CHAPTER 1 OVERVIEW OF NUMERIC PROCESSING

The 80287 NPX is a high-performance numerics processing element that extends the 80286 architecture by adding significant numeric capabilities and direct support for floating-point, extended-integer, and BCD data types. The 80286 CPU with 80287 NPX easily supports powerful and accurate numeric applications through its implementation of the proposed IEEE 754 Standard for Binary Floating-Point Arithmetic.

INTRODUCTION TO THE 80287 NUMERIC PROCESSOR EXTENSION

The 80287 Numeric Processor Extension (NPX) is highly compatible with its predecessor, the earlier Intel 8087 NPX.
The 8087 NPX was designed for use in 8086-family systems. The 8086 was the first microprocessor family to partition the processing unit to permit high-performance numeric capabilities. The 8087 NPX for this processor family implemented a complete numeric processing environment in compliance with the proposed IEEE 754 Floating-Point Standard.

With the 80287 Numeric Processor Extension, high-speed numeric computations have been extended to 80286 high-performance multi-tasking and multi-user systems. Multiple tasks using the numeric processor extension are afforded the full protection of the 80286 memory management and protection features.

Figure 1-1 illustrates the relative performance of 8-MHz 8086/8087 and 80286/80287 systems in executing numerics-oriented applications.

Performance

Table 1-1 compares the execution times of several 80287 instructions with the equivalent operations executed in software on an 8-MHz 80286. The software equivalents are highly-optimized assembly-language procedures from the 80287 emulator. As indicated in the table, the 80287 NPX provides about 50 to 100 times the performance of software numeric routines on the 80286 CPU. An 8-MHz 80287 multiplies 32-bit and 64-bit real numbers in about 11.9 and 16.9 microseconds, respectively. Of course, the actual performance of the NPX in a given system depends on the characteristics of the individual application.

Although the performance figures shown in table 1-1 refer to operations on real (floating-point) numbers, the 80287 also manipulates fixed-point binary and decimal integers of up to 64 bits or 18 digits, respectively. The 80287 can improve the speed of multiple-precision software algorithms for integer operations by 10 to 100 times.

Because the 80287 NPX is an extension of the 80286 CPU, no software overhead is incurred in setting up the NPX for computation. The 80287 and 80286 processors coordinate their activities in a manner transparent to software.
Moreover, built-in coordination facilities allow the 80286 CPU to proceed with other instructions while the 80287 NPX is simultaneously executing numeric instructions. Programs can exploit this concurrency of execution to further increase system performance and throughput.

[Figure 1-1. Evolution and Performance of Numeric Processors. Plot of double-precision Whetstone performance (KOPS) against year introduced (1980, 1983) for the 8086/8087 and 80286/80287.]

Table 1-1. Numeric Processing Speed Comparisons

Approximate performance ratios: 8 MHz 80287 to 8 MHz Protected Mode iAPX using E80287

Floating-Point Instruction                                 Ratio
FADD ST,ST (Temp Real)               Addition              1:42
FDIV DWORD PTR (Single-Precision)    Division              1:266
FXAM (Stack(0) assumed)              Examine               1:139
FYL2X (Stack(0),(1) assumed)         Logarithm             1:99
FPATAN (Stack(0) assumed)            Arctangent            1:153
F2XM1 (Stack(0) assumed)             Exponentiation        1:41

Ease of Use

The 80287 NPX offers more than raw execution speed for computation-intensive tasks. The 80287 brings the functionality and power of accurate numeric computation into the hands of the general user.

Like the 8087 NPX that preceded it, the 80287 is explicitly designed to deliver stable, accurate results when programmed using straightforward "pencil and paper" algorithms. The IEEE 754 standard specifically addresses this issue, recognizing the fundamental importance of making numeric computations both easy and safe to use.

For example, most computers can overflow when two single-precision floating-point numbers are multiplied together and then divided by a third, even if the final result is a perfectly valid 32-bit number. The 80287 delivers the correctly rounded result. Other typical examples of undesirable machine behavior in straightforward calculations occur when solving for the roots of a quadratic equation:

$$\frac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$

or computing financial rate of return, which involves the expression $(1+i)^n$. On most machines, straightforward algorithms will not deliver consistently correct results (and will not indicate when they are incorrect). To obtain correct results on traditional machines under all conditions usually requires sophisticated numerical techniques that are foreign to most programmers. General application programmers using straightforward algorithms will produce much more reliable programs using the 80287. This simple fact greatly reduces the software investment required to develop safe, accurate computation-based products.

Beyond traditional numerics support for scientific applications, the 80287 has built-in facilities for commercial computing. It can process decimal numbers of up to 18 digits without round-off errors, performing exact arithmetic on integers as large as $2^{64}$ or $10^{18}$. Exact arithmetic is vital in accounting applications where rounding errors may introduce monetary losses that cannot be reconciled.

The NPX contains a number of optional facilities that can be invoked by sophisticated users. These advanced features include two models of infinity, directed rounding, gradual underflow, and either automatic or programmed exception-handling facilities.

These automatic exception-handling facilities permit a high degree of flexibility in numeric processing software, without burdening the programmer. While performing numeric calculations, the NPX automatically detects exception conditions that can potentially damage a calculation. By default, on-chip exception handlers may be invoked to field these exceptions so that a reasonable result is produced, and execution may proceed without program interruption. Alternatively, the NPX can signal the CPU, invoking a software exception handler whenever various types of exceptions are detected.
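The multiply-then-divide case described under Ease of Use, as an added C example that is not part of the manual: the same calculation is run once with every intermediate forced to 32-bit single precision and once with the intermediate held in a wider format. C `double` stands in for the 80287's 80-bit temporary-real registers, and the function names and operands are constructed for this illustration.

```c
#include <float.h>
#include <stdio.h>

/* Multiply then divide with every intermediate rounded to 32-bit single
 * precision, as on a machine with no wider internal format. The volatile
 * stores force each intermediate through a real float object. */
float muldiv_single(float a, float b, float c)
{
    volatile float product = a * b;
    volatile float quotient = product / c;
    return quotient;
}

/* Same calculation with the intermediate held in a wider format; only the
 * final result is rounded to single precision. double is an assumption of
 * this example, standing in for the 80-bit temporary-real format. */
float muldiv_wide(float a, float b, float c)
{
    double product = (double)a * (double)b;
    return (float)(product / (double)c);
}

/* 1 if x is a finite single-precision value, 0 if it is infinite or NaN. */
int is_finite_single(float x)
{
    return x >= -FLT_MAX && x <= FLT_MAX;
}

int main(void)
{
    /* Constructed operands: powers of two, so the exact answers are known. */
    float big_a = 0x1p100f, big_b = 0x1p100f, big_c = 0x1p90f;        /* exact: 2^110  */
    float tiny_a = 0x1p-100f, tiny_b = 0x1p-100f, tiny_c = 0x1p-90f;  /* exact: 2^-110 */

    /* 2^200 does not fit in single precision, although 2^110 does. */
    printf("overflow case:  single = %g, wide = %g\n",
           (double)muldiv_single(big_a, big_b, big_c),
           (double)muldiv_wide(big_a, big_b, big_c));

    /* 2^-200 underflows to zero in single precision, although 2^-110 fits. */
    printf("underflow case: single = %g, wide = %g\n",
           (double)muldiv_single(tiny_a, tiny_b, tiny_c),
           (double)muldiv_wide(tiny_a, tiny_b, tiny_c));

    if (!is_finite_single(muldiv_single(big_a, big_b, big_c)))
        printf("single-precision intermediate overflowed\n");
    return 0;
}
```

The single-precision path returns infinity and zero for inputs whose true results are ordinary 32-bit values, and neither wrong result is flagged unless the program checks for it.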
Applications

The NPX's versatility and performance make it appropriate to a broad array of numeric applications. In general, applications that exhibit any of the following characteristics can benefit by implementing numeric processing on the 80287:

• Numeric data vary over a wide range of values, or include nonintegral values.
• Algorithms produce very large or very small intermediate results.
• Computations must be very precise; i.e., a large number of significant digits must be maintained.
• Performance requirements exceed the capacity of traditional microprocessors.
• Consistently safe, reliable results must be delivered using a programming staff that is not expert in numerical techniques.

Note also that the 80287 can reduce software development costs and improve the performance of systems that use not only real numbers, but operate on multiprecision binary or decimal integer values as well.

A few examples, which show how the 80287 might be used in specific numerics applications, are described below. In many cases, these types of systems have been implemented in the past with minicomputers. The advent of the 80287 brings the size and cost savings of microprocessor technology to these applications for the first time.

• Business data processing: The NPX's ability to accept decimal operands and produce exact decimal results of up to 18 digits greatly simplifies accounting programming. Financial calculations that use power functions can take advantage of the 80287's exponentiation and logarithmic instructions.
• Process control: The 80287 solves dynamic range problems automatically, and its extended precision allows control functions to be fine-tuned for more accurate and efficient performance. Control algorithms implemented with the NPX also contribute to improved reliability and safety, while the 80287's speed can be exploited in real-time operations.
• Computer numerical control (CNC): The 80287 can move and position machine tool heads with accuracy in real-time. Axis positioning also benefits from the hardware trigonometric support provided by the 80287.
• Robotics: Coupling small size and modest power requirements with powerful computational abilities, the NPX is ideal for on-board six-axis positioning.
• Navigation: Very small, lightweight, and accurate inertial guidance systems can be implemented with the 80287. Its built-in trigonometric functions can speed and simplify the calculation of position from bearing data.
• Graphics terminals: The 80287 can be used in graphics terminals to locally perform many functions that normally demand the attention of a main computer; these include rotation, scaling, and interpolation. By also using an 82720 Graphics Display Controller to perform high speed data transfers, very powerful and highly self-sufficient terminals can be built from a relatively small number of 80286 family parts.
• Data acquisition: The 80287 can be used to scan, scale, and reduce large quantities of data as it is collected, thereby lowering storage requirements and time required to process the data for analysis.

The preceding examples are oriented toward traditional numerics applications. There are, in addition, many other types of systems that do not appear to the end user as computational, but can employ the 80287 to advantage. Indeed, the 80287 presents the imaginative system designer with an opportunity similar to that created by the introduction of the microprocessor itself. Many applications can be viewed as numerically-based if sufficient computational power is available to support this view. This is analogous to the thousands of successful products that have been built around "buried" microprocessors, even though the products themselves bear little resemblance to computers.
Upgradability

The architecture of the 80286 CPU is specifically adapted to allow easy upgradability to use an 80287, simply by plugging in the 80287 NPX. For this reason, designers of 80286 systems may wish to incorporate the 80287 NPX into their designs in order to offer two levels of price and performance at little additional cost.

Two features of the 80286 CPU make the design and support of upgradable 80286 systems particularly simple:

• The 80286 can be programmed to recognize the presence of an 80287 NPX; that is, software can recognize whether it is running on an 80286 or an 80287 system.
• After determining whether the 80287 NPX is available, the 80286 CPU can be instructed to let the NPX execute all numeric instructions. If an 80287 NPX is not available, the 80286 CPU can emulate all 80287 numeric instructions in software. This emulation is completely transparent to the application software; the same object code may be used by both 80286 and 80287 systems. No relinking or recompiling of application software is necessary; the same code will simply execute faster on the 80287 than on the 80286 system.

To facilitate this design of upgradable 80286 systems, Intel provides a software emulator for the 80287 that provides the functional equivalent of the 80287 hardware, implemented in software on the 80286. Except for timing, the operation of this 80287 emulator (E80287) is the same as for the 80287 NPX hardware. When the emulator is combined as part of the systems software, the 80286 system with 80287 emulation and the 80286 with 80287 hardware are virtually indistinguishable to an application program. This capability makes it easy for software developers to maintain a single set of programs for both systems. System manufacturers can offer the NPX as a simple plug-in performance option without necessitating any changes in the user's software.
Programming Interface

The 80286/80287 pair is programmed as a single processor; all of the 80287 registers appear to a programmer as extensions of the basic 80286 register set. The 80286 has a class of instructions known as ESCAPE instructions, all having a common format. These ESC instructions are numeric instructions for the 80287 NPX. These numeric instructions for the 80287 are simply encoded into the instruction stream along with 80286 instructions.

All of the CPU memory-addressing modes may be used in programming the NPX, allowing convenient access to record structures, numeric arrays, and other memory-based data structures. All of the memory management and protection features of the CPU are extended to the NPX as well.

Numeric processing in the 80287 centers around the NPX register stack. Programmers can treat these eight 80-bit registers as either a fixed register set, with instructions operating on explicitly-designated registers, or a classical stack, with instructions operating on the top one or two stack elements.

Internally, the 80287 holds all numbers in a uniform 80-bit temporary-real format. Operands that may be represented in memory as 16-, 32-, or 64-bit integers, 32-, 64-, or 80-bit floating-point numbers, or 18-digit packed BCD numbers, are automatically converted into temporary-real format as they are loaded into the NPX registers. Computation results are subsequently converted back into one of these destination data formats when they are stored into memory from the NPX registers.

Table 1-2 lists each of the seven data types supported by the 80287, showing the data format for each type. All operands are stored in memory with the least significant digits starting at the initial (lowest) memory address. Numeric instructions access and store memory operands using only this initial address. For maximum system performance, all operands should start at even memory addresses.

Table 1-3 lists the 80287 instructions by class.
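The integer-to-temporary-real conversion described above, modelled in C as an added example that is not code from the manual: it builds the 10-byte memory image of a 64-bit integer and recovers the integer from it, showing that every long integer fits the 64-bit significand exactly. The exponent bias of 16383 and the explicit integer bit in bit 63 are properties of the 80-bit format that this section does not state, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define TEMP_REAL_BIAS 16383u                  /* exponent bias of the 80-bit format */
#define INTEGER_BIT    0x8000000000000000ULL   /* bit 63: explicit integer bit */

/* Build the 10-byte memory image of a temporary real holding the integer v.
 * Byte 0 is the least significant byte, following the rule that operands are
 * stored starting at the initial (lowest) memory address. */
void temp_real_from_int64(int64_t v, unsigned char out[10])
{
    uint64_t sig = v < 0 ? (uint64_t)0 - (uint64_t)v : (uint64_t)v;
    unsigned exponent = 0;                     /* zero is encoded as all-zero fields */
    int i;

    if (sig != 0) {
        unsigned shift = 0;
        while ((sig & INTEGER_BIT) == 0) {     /* normalize: leading 1 moves to bit 63 */
            sig <<= 1;
            shift++;
        }
        exponent = TEMP_REAL_BIAS + 63u - shift;
    }
    for (i = 0; i < 8; i++)
        out[i] = (unsigned char)(sig >> (8 * i));              /* significand, bits 63-0 */
    out[8] = (unsigned char)(exponent & 0xFFu);                /* exponent, bits 71-64 */
    out[9] = (unsigned char)((exponent >> 8) | (v < 0 ? 0x80u : 0u)); /* bits 78-72, sign 79 */
}

/* Recover the integer from a 10-byte image. Returns 0 on success, -1 if the
 * image is not a normalized value that is an integer within int64_t range
 * (denormals, unnormals, fractions, infinities and NaNs are all rejected). */
int temp_real_to_int64(const unsigned char in[10], int64_t *v)
{
    uint64_t sig = 0, mag;
    unsigned exponent = in[8] | ((unsigned)(in[9] & 0x7Fu) << 8);
    int negative = in[9] >> 7;
    unsigned shift;
    int i;

    for (i = 7; i >= 0; i--)
        sig = (sig << 8) | in[i];
    if (exponent == 0 && sig == 0) { *v = 0; return 0; }
    if ((sig & INTEGER_BIT) == 0) return -1;
    if (exponent < TEMP_REAL_BIAS || exponent > TEMP_REAL_BIAS + 63u) return -1;
    shift = 63u - (exponent - TEMP_REAL_BIAS);
    if ((sig & ((1ULL << shift) - 1)) != 0) return -1;         /* fraction bits present */
    mag = sig >> shift;
    if (negative) {
        if (mag > INTEGER_BIT) return -1;
        *v = (mag == INTEGER_BIT) ? INT64_MIN : -(int64_t)mag;
    } else {
        if (mag > (uint64_t)INT64_MAX) return -1;
        *v = (int64_t)mag;
    }
    return 0;
}

/* 1 if v survives the trip through the 80-bit image unchanged. */
int roundtrips(int64_t v)
{
    unsigned char image[10];
    int64_t back = 0;
    temp_real_from_int64(v, image);
    return temp_real_to_int64(image, &back) == 0 && back == v;
}

int main(void)
{
    unsigned char image[10];
    int i;
    temp_real_from_int64(-12345, image);       /* constructed sample value */
    for (i = 9; i >= 0; i--)
        printf("%02X", image[i]);              /* most significant byte first */
    printf("  round trip ok: %d\n", roundtrips(-12345));
    return 0;
}
```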
No special programming tools are necessary to use the 80287, because all of the NPX instructions and data types are directly supported by the ASM286 Assembler and Intel's appropriate high-level languages. Software routines for the 80287 may be written in ASM286 Assembler or any of the following higher-level languages:

PL/M-286
PASCAL-286
FORTRAN-286
C-286

Table 1-2. Numeric Data Types

Data Type         Bits   Significant Digits (Decimal)   Approximate Range (Decimal)
Word integer      16     4                              -32,768 ≤ X ≤ +32,767
Short integer     32     9                              -2×10^9 ≤ X ≤ +2×10^9
Long integer      64     18                             -9×10^18 ≤ X ≤ +9×10^18
Packed decimal    80     18                             -99...99 ≤ X ≤ +99...99 (18 digits)
Short real*       32     6-7                            8.43×10^-37 ≤ |X| ≤ 3.37×10^38
Long real*        64     15-16                          4.19×10^-307 ≤ |X| ≤ 1.67×10^308
Temporary real    80     19                             3.4×10^-4932 ≤ |X| ≤ 1.2×10^4932

Table 1-3. Principal NPX Instructions

Class               Instruction Types
Data Transfer       Load (all data types), Store (all data types), Exchange
Arithmetic          Add, Subtract, Multiply, Divide, Subtract Reversed, Divide Reversed, Square Root, Scale, Remainder, Integer Part, Change Sign, Absolute Value, Extract
Comparison          Compare, Examine, Test
Transcendental      Tangent, Arctangent, 2^X - 1, Y·Log2(X + 1), Y·Log2(X)
Constants           0, 1, π, Log10 2, Loge 2, Log2 10, Log2 e
Processor Control   Load Control Word, Store Control Word, Store Status Word, Load Environment, Store Environment, Save, Restore, Clear Exceptions, Initialize, Set Protected Mode

In addition, all of the development tools supporting the 8086 and 8087 can also be used to develop software for the 80286 and 80287 operating in Real-Address mode.

All of these high-level languages provide programmers with access to the computational power and speed of the 80287 without requiring an understanding of the architecture of the 80286 and 80287 chips. Such architectural considerations as concurrency and data synchronization are handled automatically by these high-level languages.
For the ASM286 programmer, specific rules for handling these issues are discussed in a later section of this supplement.

Hardware Interface

As an extension of the 80286 processor, the 80287 is wired very much in parallel with the 80286 CPU. Four special status signals, PEREQ, PEACK, BUSY, and ERROR, permit the two processors to coordinate their activities. The 80287 NPX also monitors the 80286 S1, S0, COD/INTA, READY, HLDA, and CLK pins to monitor the execution of ESC instructions (numeric instructions) by the 80286.

As shown in figure 1-2, the 80287 NPX is divided internally into two processing elements: the Bus Interface Unit (BIU) and the Numeric Execution Unit (NEU). The two units operate independently of one another: the BIU receives and decodes instructions, requests operand transfers with memory, and executes processor control instructions, whereas the NEU processes individual numeric instructions.

The BIU handles all of the status and signal lines between the 80287 and the 80286. The NEU executes all instructions that involve the register stack. These instructions include arithmetic, logical, transcendental, constant, and data transfer instructions. The data path in the NEU is 84 bits wide (68 fraction bits, 15 exponent bits, and a sign bit), allowing internal operand transfers to be performed at very high speeds.

The 80287 executes a single numeric instruction at a time. Before executing most ESC instructions, the 80286 tests the BUSY pin and, before initiating the command, waits until the 80287 indicates that it is not busy. Once the instruction is initiated, the 80286 continues program execution while the 80287 executes the numeric instruction. The 8087 required a WAIT instruction to test the BUSY signal before each ESC opcode; in 80287 programs these WAIT instructions are permissible, but not necessary.
In all cases, a WAIT or ESC instruction should be inserted after any 80287 store to memory (except FSTSW or FSTCW) or load from memory (except FLDENV, FLDCW, or FRSTOR) before the 80286 reads or changes the memory value.

When needed, all data transfers between memory and the 80287 NPX are performed by the 80286 CPU, using its Processor Extension Data Channel. Numeric data transfers performed by the 80286 use the same timing as any other bus cycle, and all such transfers come under the supervision of the 80286 memory management and protection mechanisms. The 80286 Processor Extension Data Channel and the hardware interface between the 80286 and 80287 processors are described in Chapter Six of the 80286 Hardware Reference Manual.

[Figure 1-2. 80287 NPX Block Diagram. Labelled blocks: microcode control unit, operands queue, data, status, address, register stack.]

From the programmer's perspective, the 80287 can be considered just an extension of the 80286 processor. All interaction between the 80286 and the 80287 processors on the hardware level is handled automatically by the 80286 and is transparent to the software.

To communicate with the 80287, the 80286 uses the reserved I/O port addresses 00F8H, 00FAH, and 00FCH (I/O ports numbered 00F8H through 00FFH are reserved for the 80286/80287 interface). These I/O operations are performed automatically by the 80286 and are distinct from I/O operations that result from program I/O instructions. I/O operations resulting from the execution of ESC instructions are completely transparent to software. Any program may execute ESCAPE (numeric) instructions, without regard to its current I/O Privilege Level (IOPL).

To guarantee correct operation of the 80287, programs must not perform any explicit I/O operations to any of the eight ports reserved for the 80287.
The IOPL of the 80286 can be used to protect the integrity of 80287 computations in multiuser reprogrammable applications, preventing any accidental or other tampering with the 80287 (see Chapter Eight of the 80286 Operating System Writer's Guide).

80287 NUMERIC PROCESSOR ARCHITECTURE

To the programmer, the 80287 NPX appears as a set of additional registers complementing those of the 80286. These additional registers consist of

• Eight individually-addressable 80-bit numeric registers, organized as a register stack
• Three sixteen-bit registers containing:
  an NPX status word
  an NPX control word
  a tag word
• Four 16-bit registers containing the NPX instruction and data pointers

All of the NPX numeric instructions focus on the contents of these NPX registers.

The NPX Register Stack

The 80287 register stack is shown in figure 1-3. Each of the eight numeric registers in the 80287's register stack is 80 bits wide and is divided into fields corresponding to the NPX's temporary-real data type.

Numeric instructions address the data registers relative to the register on the top of the stack. At any point in time, this top-of-stack register is indicated by the ST (Stack Top) field in the NPX status word. Load or push operations decrement ST by one and load a value into the new top register. A store-and-pop operation stores the value from the current ST register and then increments ST by one. Like 80286 stacks in memory, the 80287 register stack grows down toward lower-addressed registers.

[Figure 1-3. 80287 Register Set: the eight-register stack (each register with sign, exponent, significand and a tag field), the control register, status register, tag word, instruction pointer and data pointer]

Many numeric instructions have several addressing modes that permit the programmer to implicitly operate on the top of the stack, or to explicitly operate on specific registers relative to the ST.
The ASM286 Assembler supports these register addressing modes, using the expression ST(0), or simply ST, to represent the current Stack Top and ST(i) to specify the ith register from ST in the stack (0 ≤ i ≤ 7). For example, if ST contains 011B (register 3 is the top of the stack), the following statement would add the contents of the top two registers on the stack (registers 3 and 5):

FADD ST,ST(2)

The stack organization and top-relative addressing of the numeric registers simplify subroutine programming by allowing routines to pass parameters on the register stack. By using the stack to pass parameters rather than using "dedicated" registers, calling routines gain more flexibility in how they use the stack. As long as the stack is not full, each routine simply loads the parameters onto the stack before calling a particular subroutine to perform a numeric calculation. The subroutine then addresses its parameters as ST, ST(1), etc., even though ST may, for example, refer to physical register 3 in one invocation and physical register 5 in another.

The NPX Status Word

The 16-bit status word shown in figure 1-4 reflects the overall state of the 80287. This status word may be stored into memory using the FSTSW/FNSTSW, FSTENV/FNSTENV, and FSAVE/FNSAVE instructions, and can be transferred into the 80286 AX register with the FSTSW AX/FNSTSW AX instructions, allowing the NPX status to be inspected by the CPU.

Figure 1-4. 80287 Status Word

Fields, from bit 15 down to bit 0: B, C3, ST, C2, C1, C0, ES, X, PE, UE, OE, ZE, DE, IE

IE, DE, ZE, OE, UE, PE   Exception flags (1 = exception has occurred): invalid operation*, denormalized operand*, zero divide*, overflow*, underflow*, precision*
X                        (Reserved)
ES                       Error summary status (1)
C3, C2, C1, C0           Condition code (2)
ST                       Stack top pointer (3)
B                        NEU busy

(1) ES is set if any unmasked exception bit is set, cleared otherwise.
(2) See table 1-4 for condition code interpretation.
(3) ST values: 000 = register 0 is top of stack; 001 = register 1 is top of stack; ... 111 = register 7 is top of stack.
* For definitions, see the section on exception handling.

The Busy bit (bit 15) and the BUSY pin indicate whether the 80287's execution unit is idle (B=0) or is executing a numeric instruction or signalling an exception (B=1). (The instructions FNSTSW, FNSTSW AX, FNSTENV, and FNSAVE do not set the Busy bit themselves, nor do they require the Busy bit to be clear in order to execute.)

The four NPX condition code bits (C0-C3) are similar to the flags in a CPU: the 80287 updates these bits to reflect the outcome of arithmetic operations. The effect of these instructions on the condition code bits is summarized in table 1-4. These condition code bits are used principally for conditional branching. The FSTSW AX instruction stores the NPX status word directly into the CPU AX register, allowing these condition codes to be inspected efficiently by 80286 code.

Bits 12-14 of the status word point to the 80287 register that is the current Stack Top (ST). The significance of the stack top has been described in the section on the Register Stack.

Figure 1-4 shows the six error flags in bits 0-5 of the status word. Bit 7 is the error summary status (ES) bit. ES is set if any unmasked exception bits are set, and is cleared otherwise. If this bit is set, the ERROR signal is asserted. Bits 0-5 indicate whether the NPX has detected one of six possible exception conditions since these status bits were last cleared or reset.

Table 1-4. Interpreting the NPX Condition Codes

Instruction Type   C3  C2  C1  C0   Interpretation
Compare, Test      0   0   X   0    ST > Source or 0 (FTST)
                   0   0   X   1    ST < Source or 0 (FTST)
                   1   0   X   0    ST = Source or 0 (FTST)
                   1   1   X   1    ST is not comparable
Remainder          Q1  0   Q0  Q2   Complete reduction with three low bits of quotient in C0, C3, and C1
                   U   1   U   U    Incomplete reduction
Examine            0   0   0   0    Valid, positive, unnormalized
                   0   0   0   1    Invalid, positive, exponent = 0
                   0   0   1   0    Valid, negative, unnormalized
                   0   0   1   1    Invalid, negative, exponent = 0
                   0   1   0   0    Valid, positive, normalized
                   0   1   0   1    Infinity, positive
                   0   1   1   0    Valid, negative, normalized
                   0   1   1   1    Infinity, negative
                   1   0   0   0    Zero, positive
                   1   0   0   1    Empty register
                   1   0   1   0    Zero, negative
                   1   0   1   1    Empty register
                   1   1   0   0    Invalid, positive, exponent = 0
                   1   1   0   1    Empty register
                   1   1   1   0    Invalid, negative, exponent = 0
                   1   1   1   1    Empty register

NOTES:
1. ST = Top of stack
2. X = value is not affected by instruction
3. U = value is undefined following instruction
4. Qn = Quotient bit n following complete reduction (C2 = 0)

Control Word

The NPX provides the programmer with several processing options, which are selected by loading a word from memory into the control word. Figure 1-5 shows the format and encoding of the fields in the control word.

The low-order byte of this control word configures the 80287 error and exception masking. Bits 0-5 of the control word contain individual masks for each of the six exception conditions recognized by the 80287. The high-order byte of the control word configures the 80287 processing options, including

• Precision control
• Rounding control
• Infinity control

The Precision control bits (bits 8-9) can be used to set the 80287 internal operating precision at less than the default precision (64-bit significand). These control bits can be used to provide compatibility with the earlier-generation arithmetic processors having less precision than the 80287, as required by the IEEE 754 standard. Setting a lower precision, however, will not affect the execution time of numeric calculations.

The rounding control bits (bits 10-11) provide for directed rounding and true chop as well as the unbiased round-to-nearest-even mode specified in the IEEE 754 standard.
Figure 1-5. 80287 Control Word Format

Fields, from bit 15 down to bit 0: X X X, IC, RC, PC, X, X, PM, UM, OM, ZM, DM, IM

IM, DM, ZM, OM, UM, PM   Exception masks (1 = exception is masked): invalid operation, denormalized operand, zero divide, overflow, underflow, precision
X, X                     (Reserved)
PC                       Precision control (1)
RC                       Rounding control (2)
IC                       Infinity control (0 = projective, 1 = affine)
X X X                    (Reserved)

(1) Precision control: 00 = 24-bit significand; 01 = reserved; 10 = 53-bit significand; 11 = 64-bit significand
(2) Rounding control: 00 = round to nearest or even; 01 = round down (toward -∞); 10 = round up (toward +∞); 11 = chop (truncate toward zero)

The infinity control bit (bit 12) determines the manner in which the 80287 treats the special values of infinity. Either affine closure (where positive infinity is distinct from negative infinity) or projective closure (infinity is treated as a single unsigned quantity) may be specified. These two alternative views of infinity are discussed in the section on Computation Fundamentals.

The NPX Tag Word

The tag word indicates the contents of each register in the register stack, as shown in figure 1-6. The tag word is used by the NPX itself in order to track its numeric registers and optimize performance. Programmers may use this tag information to interpret the contents of the numeric registers. The tag values are stored in the tag word corresponding to the physical registers 0-7. Programmers must use the current Stack Top (ST) pointer stored in the NPX status word to associate these tag values with the relative stack registers ST(0) through ST(7).

The NPX Instruction and Data Pointers

The NPX instruction and data registers provide support for programmed exception-handlers. Whenever the 80287 executes a math instruction, the NPX internally saves the instruction address, the operand address (if present), and the instruction opcode.
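The following C sketch decodes the status, control and tag words described above; it is an added example, not code from the manual. Field positions follow the field order of figures 1-4 and 1-5 (B, C3, ST, C2, C1, C0, ES, then the six exception flags), which places the three-bit ST field in bits 11-13; the placement of physical register 0's tag in the two low-order bits of the tag word, all function names and the sample words are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample words (not captured from hardware). */
#define SAMPLE_SW 0xD8A4u  /* B=1, C3=1, ST=3, ES=1, PE and ZE flagged */
#define SAMPLE_CW 0x037Bu  /* 64-bit precision, round to nearest, ZE unmasked */
#define SAMPLE_TW 0x213Fu  /* regs 0-2 empty, 3 valid, 4 zero, 5 valid, 6 special, 7 valid */

struct npx_status {
    unsigned busy;   /* B, bit 15 */
    unsigned cc;     /* C3 C2 C1 C0 packed into bits 3..0 */
    unsigned top;    /* ST: physical register that is the stack top */
    unsigned es;     /* error summary status, bit 7 */
    unsigned flags;  /* PE UE OE ZE DE IE, bits 5..0 */
};

struct npx_control {
    unsigned ic;     /* infinity control, bit 12 (0 = projective, 1 = affine) */
    unsigned rc;     /* rounding control, bits 11-10 */
    unsigned pc;     /* precision control, bits 9-8 */
    unsigned masks;  /* PM UM OM ZM DM IM, bits 5..0 (1 = masked) */
};

static struct npx_status decode_status(uint16_t sw)
{
    struct npx_status s;
    s.busy  = (sw >> 15) & 1u;
    s.cc    = (((sw >> 14) & 1u) << 3) | ((sw >> 8) & 7u);
    s.top   = (sw >> 11) & 7u;
    s.es    = (sw >> 7) & 1u;
    s.flags = sw & 0x3Fu;
    return s;
}

static struct npx_control decode_control(uint16_t cw)
{
    struct npx_control c;
    c.ic    = (cw >> 12) & 1u;
    c.rc    = (cw >> 10) & 3u;
    c.pc    = (cw >> 8) & 3u;
    c.masks = cw & 0x3Fu;
    return c;
}

/* Tag of the stack-relative register ST(i). Tags are stored per physical
 * register, so the ST field must be added first (modulo 8).
 * Assumption: physical register 0 occupies tag word bits 1-0. */
static unsigned st_tag(uint16_t sw, uint16_t tw, unsigned i)
{
    unsigned phys = (((sw >> 11) & 7u) + i) & 7u;
    return (tw >> (2u * phys)) & 3u;
}

/* Exception flags that are set in the status word and not masked. */
static unsigned unmasked_exceptions(uint16_t sw, uint16_t cw)
{
    return (unsigned)sw & ~(unsigned)cw & 0x3Fu;
}

/* ES must be set exactly when an unmasked exception flag is set. */
static int es_consistent(uint16_t sw, uint16_t cw)
{
    return (((sw >> 7) & 1u) != 0) == (unmasked_exceptions(sw, cw) != 0);
}

static const char *tag_name(unsigned tag)
{
    static const char *names[4] = { "valid", "zero", "invalid or infinity", "empty" };
    return names[tag & 3u];
}

int main(void)
{
    struct npx_status s = decode_status(SAMPLE_SW);
    unsigned i;

    printf("B=%u CC=%X ST=%u ES=%u flags=%02X unmasked=%02X\n",
           s.busy, s.cc, s.top, s.es, s.flags,
           unmasked_exceptions(SAMPLE_SW, SAMPLE_CW));
    for (i = 0; i < 8; i++)
        printf("ST(%u) -> physical register %u: %s\n",
               i, (s.top + i) & 7u, tag_name(st_tag(SAMPLE_SW, SAMPLE_TW, i)));
    return es_consistent(SAMPLE_SW, SAMPLE_CW) ? 0 : 1;
}
```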
The 80287 FSTENV and FSAVE instructions store this data into memory, allowing exception handlers to determine the precise nature of any numeric exceptions that may be encountered.

Figure 1-6. 80287 Tag Word Format

Tag values: 00 = valid; 01 = zero; 10 = invalid or infinity; 11 = empty

Figure 1-7. 80287 Instruction and Data Pointer Image in Memory

Memory offset   Real mode                                                          Protected mode
+0              Control word                                                       Control word
+2              Status word                                                        Status word
+4              Tag word                                                           Tag word
+6              Instruction pointer (15-0)                                         IP offset
+8              Instruction pointer (19-16), 0, instruction opcode (10-0)          CS selector
+10             Data pointer (15-0)                                                Data operand offset
+12             Data pointer (19-16), 0                                            Data operand selector

When stored in memory, the instruction and data pointers appear in one of two formats, depending on the operating mode of the 80287. Figure 1-7 shows these pointers as they are stored following an FSTENV instruction. In Real-Address mode, these values are the 20-bit physical address and 11-bit opcode formatted like the 8087. In Protected mode, these values are the 32-bit virtual addresses used by the program that executed the ESC instruction.

The instruction address saved in the 80287 will point to any prefixes that preceded the instruction. This is different from the 8087, for which the instruction address pointed only to the ESC instruction opcode.

COMPUTATION FUNDAMENTALS

This section covers 80287 programming concepts that are common to all applications. It describes the 80287's internal number system and the various types of numbers that can be employed in NPX programs. The most commonly used options for rounding, precision, and infinity (selected by fields in the control word) are described, with exhaustive coverage of less frequently used facilities deferred to later sections.
Exception conditions that may arise during execution of NPX instructions are also described along with the options that are available for responding to these exceptions.

Number System

The system of real numbers that people use for pencil and paper calculations is conceptually infinite and continuous. There is no upper or lower limit to the magnitude of the numbers one can employ in a calculation, or to the precision (number of significant digits) that the numbers can represent. When considering any real number, there is always an infinity of numbers both larger and smaller. There is also an infinity of numbers between (i.e., with more significant digits than) any two real numbers. For example, between 2.5 and 2.6 are 2.51, 2.5897, 2.500001, etc.

While ideally it would be desirable for a computer to be able to operate on the entire real number system, in practice this is not possible. Computers, no matter how large, ultimately have fixed-size registers and memories that limit the system of numbers that can be accommodated. These limitations determine both the range and the precision of numbers. The result is a set of numbers that is finite and discrete, rather than infinite and continuous. This sequence is a subset of the real numbers that is designed to form a useful approximation of the real number system.

Figure 1-8 superimposes the basic 80287 real number system on a real number line (decimal numbers are shown for clarity, although the 80287 actually represents numbers in binary). The dots indicate the subset of real numbers the 80287 can represent as data and final results of calculations. The 80287's range is approximately ±4.19×10^-307 to ±1.67×10^308. Applications that are required to deal with data and final results outside this range are rare. For reference, the range of the IBM 370 is about ±0.54×10^-78 to ±0.72×10^76.

The finite spacing in figure 1-8 illustrates that the NPX can represent a great many, but not all, of the real numbers in its range.
There is always a gap between two adjacent 80287 numbers, and it is possible for the result of a calculation to fall in this space. When this occurs, the NPX rounds the true result to a number that it can represent. Thus, a real number that requires more digits than the 80287 can accommodate (e.g., a 20-digit number) is represented with some loss of accuracy. Notice also that the 80287's representable numbers are not distributed evenly along the real number line. In fact, an equal number of representable numbers exists between successive powers of 2 (i.e., as many representable numbers exist between 2 and 4 as between 65,536 and 131,072). Therefore, the gaps between representable numbers are larger as the numbers increase in magnitude. All integers in the range ±2^64 (approximately ±10^18), however, are exactly representable.

In its internal operations, the 80287 actually employs a number system that is a substantial superset of that shown in figure 1-8. The internal format (called temporary real) extends the 80287's range to about ±3.4×10^-4932 to ±1.2×10^4932, and its precision to about 19 (equivalent decimal) digits. This format is designed to provide extra range and precision for constants and intermediate results, and is not normally intended for data or final results.

[Figure 1-8. 80287 Number System: real number line showing the normalized negative and positive ranges, with end points -1.67×10^308 and -4.19×10^-307 marked on the negative side]

From a practical standpoint, the 80287's set of real numbers is sufficiently large and dense so as not to limit the vast majority of microprocessor applications. Compared to most computers, including mainframes, the NPX provides a very good approximation of the real number system. It is important to remember, however, that it is not an exact representation, and that arithmetic on real numbers is inherently approximate.
Conversely, and equally important, the 80287 does perform exact arithmetic on integer operands. That is, an operation on two integers returns an exact integral result, provided that the true result is an integer and is in range. For example, 4 ÷ 2 yields an exact integer, 1 ÷ 3 does not, and 2^40 × 2^30 + 1 does not, because the result requires greater than 64 bits of precision.

Data Types and Formats

The 80287 recognizes seven numeric data types, divided into three classes: binary integers, packed decimal integers, and binary reals. A later section describes how these formats are stored in memory (the sign is always located in the highest-addressed byte). Figure 1-9 summarizes the format of each data type. In the figure, the most significant digits of all numbers (and fields within numbers) are the leftmost digits. Table 1-5 provides the range and number of significant (decimal) digits that each format can accommodate.

Figure 1-9. Data Formats

Formats shown, with significance increasing to the left:
Word integer: S, magnitude (two's complement), bits 15-0
Short integer: S, magnitude (two's complement), bits 31-0
Long integer: S, magnitude (two's complement), bits 63-0
Packed decimal: S, X, magnitude d17 ... d0, bits 79-0
Short real: S, biased exponent, significand
Long real: S, biased exponent, significand
Temporary real: S, biased exponent, I, significand, bits 79-0

NOTES:
S = Sign bit (0 = positive, 1 = negative)
dn = Decimal digit (two per byte)
X = Bits have no significance; 80287 ignores when loading, zeros when storing.
△ = Position of implicit binary point
I = Integer bit of significand: stored in temporary real, implicit (always 1) in short and long real
Exponent Bias (normalized values): Short Real: 127 (7FH); Long Real: 1023 (3FFH); Temporary Real: 16383 (3FFFH)

Table 1-5. Real Number Notation

Notation                               Value
Ordinary Decimal                       178.125
Scientific Decimal                     1△78125E2
Scientific Binary                      1△0110010001E111
Scientific Binary (Biased Exponent)    1△0110010001E10000110
80287 Short Real (Normalized)          Sign: 0
                                       Biased Exponent: 10000110
                                       Significand: 01100100010000000000000, with 1△ implicit

BINARY INTEGERS

The three binary integer formats are identical except for length, which governs the range that can be accommodated in each format. The leftmost bit is interpreted as the number's sign: 0 = positive and 1 = negative. Negative numbers are represented in standard two's complement notation (the binary integers are the only 80287 format to use two's complement). The quantity zero is represented with a positive sign (all bits are 0). The 80287 word integer format is identical to the 16-bit signed integer data type of the 80286.

DECIMAL INTEGERS

Decimal integers are stored in packed decimal notation, with two decimal digits "packed" into each byte, except the leftmost byte, which carries the sign bit (0 = positive, 1 = negative). Negative numbers are not stored in two's complement form and are distinguished from positive numbers only by the sign bit. The most significant digit of the number is the leftmost digit. All digits must be in the range 0H-9H.

REAL NUMBERS

The 80287 stores real numbers in a three-field binary format that resembles scientific, or exponential, notation. The number's significant digits are held in the significand field, the exponent field locates the binary point within the significant digits (and therefore determines the number's magnitude), and the sign field indicates whether the number is positive or negative. (The exponent and significand are analogous to the terms "characteristic" and "mantissa" used to describe floating point numbers on some computers.) Negative numbers differ from positive numbers only in the sign bits of their significands.
Table 1-5 shows how the real number 178.125 (decimal) is stored in the 80287 short real format. The table lists a progression of equivalent notations that express the same value to show how a number can be converted from one form to another. The ASM286 and PL/M-286 language translators perform a similar process when they encounter programmer-defined real number constants. Note that not every decimal fraction has an exact binary equivalent. The decimal number 1/10, for example, cannot be expressed exactly in binary (just as the number 1/3 cannot be expressed exactly in decimal). When a translator encounters such a value, it produces a rounded binary approximation of the decimal value.

The NPX usually carries the digits of the significand in normalized form. This means that, except for the value zero, the significand is an integer and a fraction as follows:

1△fff...ff

where △ indicates an assumed binary point. The number of fraction bits varies according to the real format: 23 for short, 52 for long, and 63 for temporary real. By normalizing real numbers so that their integer bit is always a 1, the 80287 eliminates leading zeros in small values (|x| < 1). This technique maximizes the number of significant digits that can be accommodated in a significand of a given width. Note that, in the short and long real formats, the integer bit is implicit and is not actually stored; the integer bit is physically present in the temporary real format only.

If one were to examine only the significand with its assumed binary point, all normalized real numbers would have values between 1 and 2. The exponent field locates the actual binary point in the significant digits. Just as in decimal scientific notation, a positive exponent has the effect of moving the binary point to the right, and a negative exponent effectively moves the binary point to the left, inserting leading zeros as necessary.
An unbiased exponent of zero indicates that the position of the assumed binary point is also the position of the actual binary point. The exponent field, then, determines a real number's magnitude.

In order to simplify comparing real numbers (e.g., for sorting), the 80287 stores exponents in a biased form. This means that a constant is added to the true exponent described above. The value of this bias is different for each real format (see figure 1-9). It has been chosen so as to force the biased exponent to be a positive value. This allows two real numbers (of the same format and sign) to be compared as if they are unsigned binary integers. That is, when comparing them bitwise from left to right (beginning with the leftmost exponent bit), the first bit position that differs orders the numbers; there is no need to proceed further with the comparison. A number's true exponent can be determined simply by subtracting the bias value of its format.

The short and long real formats exist in memory only. If a number in one of these formats is loaded into an 80287 register, it is automatically converted to temporary real, the format used for all internal operations. Likewise, data in registers can be converted to short or long real for storage in memory. The temporary real format may be used in memory also, typically to store intermediate results that cannot be held in registers.

Most applications should use the long real form to store real number data and results; it provides sufficient range and precision to return correct results with a minimum of programmer attention. The short real format is appropriate for applications that are constrained by memory, but it should be recognized that this format provides a smaller margin of safety. It is also useful for debugging algorithms, because roundoff problems will manifest themselves more quickly in this format.
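The C sketch below works through the short real encoding of 178.125 from table 1-5 and the left-to-right bitwise comparison that the biased exponent makes possible; it is an added example, not code from the manual. It assumes the compiler's float uses the same 32-bit layout as the short real format, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHORT_REAL_BIAS 127   /* 7FH, from the exponent bias note in figure 1-9 */

struct short_real {
    unsigned sign;        /* 0 = positive, 1 = negative */
    unsigned biased_exp;  /* 8-bit stored exponent */
    uint32_t fraction;    /* 23 stored fraction bits; the integer bit is implicit */
    int      true_exp;    /* biased_exp minus the bias */
};

/* Raw 32-bit image of a float (assumed to match the short real format). */
static uint32_t short_real_bits(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

static struct short_real short_real_fields(uint32_t bits)
{
    struct short_real r;
    r.sign       = bits >> 31;
    r.biased_exp = (bits >> 23) & 0xFFu;
    r.fraction   = bits & 0x7FFFFFu;
    r.true_exp   = (int)r.biased_exp - SHORT_REAL_BIAS;
    return r;
}

/* Leftmost bit position (31..0) at which two images differ, or -1. */
static int first_differing_bit(uint32_t a, uint32_t b)
{
    uint32_t diff = a ^ b;
    int bit;
    for (bit = 31; bit >= 0; bit--)
        if ((diff >> bit) & 1u)
            return bit;
    return -1;
}

/* Order two short reals of the SAME sign by scanning from the leftmost bit:
 * the first differing bit decides. Returns -1, 0 or 1, or 2 when the signs
 * differ (the case the bitwise rule does not cover). For negative values
 * the larger bit pattern is the larger magnitude, hence the smaller number. */
static int short_real_compare(uint32_t a, uint32_t b)
{
    int bit, a_larger;
    if ((a >> 31) != (b >> 31))
        return 2;
    bit = first_differing_bit(a, b);
    if (bit < 0)
        return 0;
    a_larger = (int)((a >> bit) & 1u);
    if (a >> 31)
        a_larger = !a_larger;
    return a_larger ? 1 : -1;
}

static void print_binary(uint32_t v, int width)
{
    int i;
    for (i = width - 1; i >= 0; i--)
        putchar(((v >> i) & 1u) ? '1' : '0');
}

int main(void)
{
    uint32_t bits = short_real_bits(178.125f);
    struct short_real r = short_real_fields(bits);

    printf("178.125 -> %08lX  sign=%u  exponent=", (unsigned long)bits, r.sign);
    print_binary(r.biased_exp, 8);
    printf(" (true %d)  fraction=", r.true_exp);
    print_binary(r.fraction, 23);
    putchar('\n');
    printf("178.125 vs 178.25: %d (first differing bit %d)\n",
           short_real_compare(bits, short_real_bits(178.25f)),
           first_differing_bit(bits, short_real_bits(178.25f)));
    return 0;
}
```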
The temporary real format should normally be reserved for holding intermediate results, loop accumulations, and constants. Its extra length is designed to shield final results from the effects of rounding and overflow/underflow in intermediate calculations. However, the range and precision of the long real form are adequate for most microcomputer applications.

Rounding Control

Internally, the 80287 employs three extra bits (guard, round, and sticky bits) that enable it to represent the infinitely precise true result of a computation; these bits are not accessible to programmers. Whenever the destination can represent the infinitely precise true result, the 80287 delivers it. Rounding occurs in arithmetic and store operations when the format of the destination cannot exactly represent the infinitely precise true result. For example, a real number may be rounded if it is stored in a shorter real format, or in an integer format. Or, the infinitely precise true result may be rounded when it is returned to a register.

The NPX has four rounding modes, selectable by the RC field in the control word (see figure 1-5). Given a true result b that cannot be represented by the target data type, the 80287 determines the two representable numbers a and c that most closely bracket b in value (a < b < c). The processor then rounds (changes) b to a or to c according to the mode selected by the RC field as shown in table 1-6. Rounding introduces an error in a result that is less than one unit in the last place to which the result is rounded. "Round to nearest" is the default mode and is suitable for most applications; it provides the most accurate and statistically unbiased estimate of the true result. The chop mode is provided for integer arithmetic applications.

"Round up" and "round down" are termed directed rounding and can be used to implement interval arithmetic.
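The C sketch below is a software model of the four RC modes applied when a 64-bit significand is rounded to the 24, 53 or 64 bits selected by the PC field; it is an added example, not the 80287's microcode or code from the manual. The function names and test significands are constructed for illustration, and the model covers the significand only (sign is passed separately, exponent range is not checked).

```c
#include <stdint.h>
#include <stdio.h>

/* RC field encodings from figure 1-5. */
enum rc_mode { RC_NEAREST = 0, RC_DOWN = 1, RC_UP = 2, RC_CHOP = 3 };

struct rounded {
    uint64_t sig;         /* rounded significand, integer bit in bit 63 */
    int      exp_adjust;  /* 1 if rounding carried out of the significand */
    int      inexact;     /* 1 if the true result was not representable */
};

/* PC field encoding -> significand width; 0 marks the reserved encoding. */
static unsigned pc_to_bits(unsigned pc)
{
    static const unsigned width[4] = { 24, 0, 53, 64 };
    return width[pc & 3u];
}

/* Round the magnitude `sig` (true result b) to keep_bits of precision.
 * Chopping yields the bracketing value nearer zero; adding one unit in the
 * last kept place yields the other one. Which of the two is "a" (lower) and
 * which is "c" (upper) depends on the sign, so directed modes consult it. */
static struct rounded round_significand(uint64_t sig, unsigned keep_bits,
                                        int negative, enum rc_mode rc)
{
    struct rounded r = { 0, 0, 0 };
    unsigned drop;
    uint64_t kept, rem, half;

    r.sig = sig;
    if (keep_bits == 0 || keep_bits >= 64)
        return r;                      /* full precision: nothing to discard */
    drop = 64 - keep_bits;
    kept = sig >> drop;
    rem  = sig & ((UINT64_C(1) << drop) - 1);
    half = UINT64_C(1) << (drop - 1);
    if (rem == 0)
        return r;                      /* exactly representable: delivered as is */
    r.inexact = 1;

    switch (rc) {
    case RC_NEAREST:                   /* ties go to the even neighbour */
        if (rem > half || (rem == half && (kept & 1u)))
            kept++;
        break;
    case RC_DOWN:                      /* toward minus infinity */
        if (negative)
            kept++;
        break;
    case RC_UP:                        /* toward plus infinity */
        if (!negative)
            kept++;
        break;
    case RC_CHOP:                      /* toward zero */
        break;
    }
    if (kept >> keep_bits) {           /* 1.11...1 rounded up to 10.00...0 */
        kept >>= 1;
        r.exp_adjust = 1;
    }
    r.sig = kept << drop;              /* unused low-order bits become zeros */
    return r;
}

int main(void)
{
    /* Constructed value lying exactly halfway between two 24-bit significands. */
    const uint64_t b = UINT64_C(0x8000008000000000);
    struct rounded lo = round_significand(b, 24, 0, RC_DOWN);
    struct rounded hi = round_significand(b, 24, 0, RC_UP);

    /* Interval arithmetic: the two directed roundings bracket the true result. */
    printf("a = %016llX <= b = %016llX <= c = %016llX\n",
           (unsigned long long)lo.sig, (unsigned long long)b,
           (unsigned long long)hi.sig);
    return (lo.sig <= b && b <= hi.sig) ? 0 : 1;
}
```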
Interval arithmetic generates a certifiable result independent of the occurrence of rounding and other errors. The upper and lower bounds of an interval may be computed by executing an algorithm twice, rounding up in one pass and down in the other.

Precision Control

The 80287 allows results to be calculated with either 64, 53, or 24 bits of precision in the significand as selected by the precision control (PC) field of the control word. The default setting, and the one that is best suited for most applications, is the full 64 bits of significance provided by the temporary real format. The other settings are required by the proposed IEEE standard, and are provided to obtain compatibility with the specifications of certain existing programming languages. Specifying less precision nullifies the advantages of the temporary real format's extended fraction length, and does not increase execution speed. When reduced precision is specified, the rounding of the fractional value clears the unused bits on the right to zeros.

Infinity Control

The 80287's system of real numbers may be closed by either of two models of infinity. These two means of closing the number system, projective and affine closure, are illustrated schematically in figure 1-10. The setting of the IC field in the control word selects one model or the other. The default

Table 1-6. Rounding Modes

RC Field   Rounding Mode            Rounding Action
00         Round to nearest         Closer to b of a or c; if equally close, select even number (the one whose least significant bit is zero).
01         Round down (toward -∞)   a
10         Round up (toward +∞)     c
11         Chop (toward 0)          Smaller in magnitude of a or c

NOTE: a

Operation   Operand   Result
FTST        ±0        Zero
FCHS        +0        -0
            -0        +0
FABS        ±0        +0
F2XM1       +0        +0
            -0        -0
FRNDINT     +0        +0
            -0        -0
FXTRACT     +0        Both +0
            -0        Both -0

NOTES:
(1) Arithmetic and compare operations with real memory operands interpret the memory operand signs in the same way.
(2) Arithmetic and compare operations with binary integers interpret the integer sign in the same manner.
(3) Severe underflows in storing to short or long real may generate zeros.
(4) Small values (|x| < 1) stored into integers may round to zero.
(5) Sign is determined by round mode: * = + for nearest, up, or chop; * = - for down.
(6) † = sign of X.
(7) Very small values of X and Y may yield zeros, after rounding of true result. NPX signals underflow to warn that zero has been yielded by nonzero operands.
(8) Very small X and very large Y may yield zero, after rounding of true result. NPX signals underflow to warn that zero has been yielded from nonzero operands.
(9) When Y divides into X exactly.

NaNs could also be used to speed up debugging. In its early testing phase, a program often contains multiple errors. An exception handler could be written to save diagnostic information in memory whenever it was invoked. After storing the diagnostic data, it could supply a NaN as the result of the erroneous instruction, and that NaN could point to its associated diagnostic area in memory. The program would then continue, creating a different NaN for each error. When the program ended, the NaN results could be used to access the diagnostic data saved at the time the errors occurred. Many errors could thus be diagnosed and corrected in one test run.

Table 1-11. Masked Overflow Response with Directed Rounding

True Result
Normalization   Sign   Rounding Mode   Result Delivered
Normal          +      Up              +∞
Normal          +      Down            Largest finite positive number (1)
Normal          -      Up              Largest finite negative number (1)
Normal          -      Down            -∞
Unnormal        +      Up              +∞
Unnormal        +      Down            Largest exponent, result's significand (2)
Unnormal        -      Up              Largest exponent, result's significand (2)
Unnormal        -      Down            -∞

NOTES:
(1) The largest valid representable reals are encoded: exponent: 11...10B; significand: (1)△11...10B
(2) The significand retains its identity as an unnormal; the true result is rounded as usual (effectively chopped toward 0 in this case). The exponent is encoded 11...10B.
[Table 1-12. Infinity Operands and Results: columns Operation, Projective Result, Affine Result; rows grouped under Addition, Subtraction, Multiplication, Division, FPREM, FRNDINT, FSQRT, FSCALE, FXTRACT and Compare]

16,383. Return properly signed ∞ and signal precision exception.

(FST, FSTP instructions only): rounding is nearest or chop, and exponent of true result > +127 (short real destination) or > +1023 (long real destination). Return properly signed ∞ and signal precision exception.

Underflow

(Arithmetic operations only): exponent of true result < -16,382 (true). Denormalize until exponent rises to -16,382 (true), round significand to 64 bits. If denormalized rounded significand = 0, then return true 0; else, return denormal (tag = special, biased exponent = 0).
(FST, FSTP instructions only): destination is short real and exponent of true result < -126 (true). Denormalize until exponent rises to -126 (true), round significand to 24 bits, store true 0 if denormalized rounded significand = 0; else, store denormal (biased exponent = 0).

(FST, FSTP instructions only): destination is long real and exponent of true result < -1022 (true). Denormalize until exponent rises to -1022 (true), round significand to 53 bits, store true 0 if rounded denormalized significand = 0; else, store denormal (biased exponent = 0).

Precision

True rounding error occurs. No special action.

Masked response to overflow exception earlier in instruction. No special action.

Note that when exceptions are masked, the NPX may detect multiple exceptions in a single instruction, because it continues executing the instruction after performing its masked response. For example, the 80287 could detect a denormalized operand, perform its masked response to this exception, and then detect an underflow.

Automatic Exception Handling

As described in the previous section, when the 80287 NPX encounters an exception condition whose corresponding mask bit in the NPX control word is set, the NPX automatically performs an internal fix-up (masked-exception) response. The 80287 NPX has a default fix-up activity for every possible exception condition it may encounter. These masked-exception responses are designed to be safe and are generally acceptable for most numeric applications.

As an example of how even severe exceptions can be handled safely and automatically using the NPX's default exception responses, consider a calculation of the parallel resistance of several values using only the standard formula (figure 1-11). If R1 becomes zero, the circuit resistance becomes zero. With the divide-by-zero and precision exceptions masked, the 80287 NPX will produce the correct result.
By masking or unmasking specific numeric exceptions in the NPX control word, NPX programmers can delegate responsibility for most exceptions to the NPX, reserving the most severe exceptions for programmed exception handlers. Exception-handling software is often difficult to write, and the NPX's masked responses have been tailored to deliver the most reasonable result for each condition. For the majority of applications, programmers will find that masking all exceptions other than Invalid Operation will yield satisfactory results with the least programming effort. An Invalid Operation exception normally indicates a fatal error in a program that must be corrected; this exception should not normally be masked.

The exception flags in the NPX status word provide a cumulative record of exceptions that have occurred since these flags were last cleared. Once set, these flags can be cleared only by executing the FCLEX (clear exceptions) instruction, by reinitializing the NPX, or by overwriting the flags with an FRSTOR or FLDENV instruction. This allows a programmer to mask all exceptions (except invalid operation), run a calculation, and then inspect the status word to see if any exceptions were detected at any point in the calculation.

Figure 1-11. Arithmetic Example Using Infinity

Software Exception Handling

If the NPX encounters an unmasked exception condition, it signals the exception to the 80286 CPU using the ERROR status line between the two processors. The next time the 80286 CPU encounters a WAIT or ESC instruction in its instruction stream, the 80286 will detect the active condition of the ERROR status line and automatically trap to an exception response routine using interrupt #16, the Processor Extension Error exception. This exception response routine is typically a part of the systems software.
Typical exception responses may include:
• Incrementing an exception counter for later display or printing
• Printing or displaying diagnostic information (e.g., the 80287 environment and registers)
• Aborting further execution
• Using the exception pointers to build an instruction that will run without exception and executing it

Application programmers on 80286 systems having systems software support for the 80287 NPX should consult their references for the appropriate system response to NPX exceptions. For systems programmers, specific details on writing software exception handlers are included in the section "System-Level Numeric Programming" later in this manual.

The 80287 NPX differs from the 8087 NPX in the manner in which numeric exceptions are signalled to the CPU; the 8087 requires an interrupt controller (8259A) to interrupt the CPU, while the 80287 does not. Programmers upgrading 8087 software to operate on an 80287 should be aware of these differences and any implications they might have on numeric exception-handling software. Appendix B explains the differences between the 80287 and the 8087 NPX in greater detail.

CHAPTER 2
PROGRAMMING NUMERIC APPLICATIONS

Programmers developing applications for the 80287 have a wide range of instructions and programming alternatives from which to choose. The following sections describe the 80287 instruction set in detail, and follow up with a discussion of several of the programming facilities that are available to programmers of 80287.

THE 80287 NPX INSTRUCTION SET

This section describes the operation of all 80287 instructions.
Within this section, the instructions are divided into six functional classes:
• Data Transfer instructions
• Arithmetic instructions
• Comparison instructions
• Transcendental instructions
• Constant instructions
• Processor Control instructions

At the end of this section, each of the instructions is described in terms of its execution speed, bus transfers, and exceptions, as well as a coding example for each combination of operands accepted by the instruction. For easy reference, this information is concentrated into a table, organized alphabetically by instruction mnemonic.

Throughout this section, the instruction set is described as it appears to the ASM286 programmer who is coding a program. Appendix A covers the actual machine instruction encodings, which are principally of use to those reading unformatted memory dumps, monitoring instruction fetches on the bus, or writing exception handlers.

Compatibility with the 8087 NPX

The instruction set for the 80287 NPX is largely the same as that for the 8087 NPX used with 8086 and 8088 systems. Most object programs generated for the 8087 will execute without change on the 80287. Several instructions are new to the 80287, and several 8087 instructions perform no useful function on the 80287. Appendix B at the back of this manual gives details of these instruction set differences and of the differences in the ASM86 and ASM286 assemblers.

Numeric Operands

The typical NPX instruction accepts one or two operands as inputs, operates on these, and produces a result as an output. Operands are most often (the contents of) register or memory locations. The operands of some instructions are predefined; for example, FSQRT always takes the square root of the number in the top stack element. Others allow, or require, the programmer to explicitly code the operand(s) along with the instruction mnemonic. Still others accept one explicit operand and one implicit operand, which is usually the top stack element.
Whether supplied by the programmer or utilized automatically, the two basic types of operands are sources and destinations. A source operand simply supplies one of the inputs to an instruction; it is not altered by the instruction. Even when an instruction converts the source operand from one format to another (e.g., real to integer), the conversion is actually performed in an internal work area to avoid altering the source operand. A destination operand may also provide an input to an instruction. It is distinguished from a source operand, however, because its content may be altered when it receives the result produced by the operation; that is, the destination is replaced by the result.

Many instructions allow their operands to be coded in more than one way. For example, FADD (add real) may be written without operands, with only a source or with a destination and a source. The instruction descriptions in this section employ the simple convention of separating alternative operand forms with slashes; the slashes, however, are not coded. Consecutive slashes indicate an option of no explicit operands. The operands for FADD are thus described as

    //source/destination,source

This means that FADD may be written in any of three ways:

    FADD
    FADD source
    FADD destination,source

When reading this section, it is important to bear in mind that memory operands may be coded with any of the CPU's memory addressing modes. To review these modes (direct, register indirect, based, indexed, based indexed), refer to the 80286 Programmer's Reference Manual. Table 2-17 later in this chapter also provides several addressing mode examples.

Data Transfer Instructions

These instructions (summarized in table 2-1) move operands among elements of the register stack, and between the stack top and memory.
Any of the seven data types can be converted to temporary real and loaded (pushed) onto the stack in a single operation; they can be stored to memory in the same manner. The data transfer instructions automatically update the 80287 tag word to reflect the register contents following the instruction.

Table 2-1. Data Transfer Instructions

Real Transfers
    FLD      Load real
    FST      Store real
    FSTP     Store real and pop
    FXCH     Exchange registers
Integer Transfers
    FILD     Integer load
    FIST     Integer store
    FISTP    Integer store and pop
Packed Decimal Transfers
    FBLD     Packed decimal (BCD) load
    FBSTP    Packed decimal (BCD) store and pop

FLD source

FLD (load real) loads (pushes) the source operand onto the top of the register stack. This is done by decrementing the stack pointer by one and then copying the content of the source to the new stack top. The source may be a register on the stack (ST(i)) or any of the real data types in memory. Short and long real source operands are converted to temporary real automatically. Coding FLD ST(0) duplicates the stack top.

FST destination

FST (store real) transfers the stack top to the destination, which may be another register on the stack or a short or long real memory operand. If the destination is short or long real, the significand is rounded to the width of the destination according to the RC field of the control word, and the exponent is converted to the width and bias of the destination format.

If, however, the stack top is tagged special (it contains ∞, a NaN, or a denormal) then the stack top's significand is not rounded but is chopped (on the right) to fit the destination. Neither is the exponent converted, but it also is chopped on the right and transferred "as is." This preserves the value's identification as ∞ or a NaN (exponent all ones) or a denormal (exponent all zeros) so that it can be properly loaded and tagged later in the program if desired.
FSTP destination

FSTP (store real and pop) operates identically to FST except that the stack is popped following the transfer. This is done by tagging the top stack element empty and then incrementing ST. FSTP permits storing to a temporary real memory variable, whereas FST does not. Coding FSTP ST(0) is equivalent to popping the stack with no data transfer.

FXCH //destination

FXCH (exchange registers) swaps the contents of the destination and the stack top registers. If the destination is not coded explicitly, ST(1) is used. Many 80287 instructions operate only on the stack top; FXCH provides a simple means of effectively using these instructions on lower stack elements. For example, the following sequence takes the square root of the third register from the top:

    FXCH ST(3)
    FSQRT
    FXCH ST(3)

FILD source

FILD (integer load) converts the source memory operand from its binary integer format (word, short, or long) to temporary real and loads (pushes) the result onto the stack. The (new) stack top is tagged zero if all bits in the source were zero, and is tagged valid otherwise.

FIST destination

FIST (integer store) rounds the content of the stack top to an integer according to the RC field of the control word and transfers the result to the destination. The destination may define a word or short integer variable. Negative zero is stored in the same encoding as positive zero: 0000 ... 00.

FISTP destination

FISTP (integer store and pop) operates like FIST and also pops the stack following the transfer. The destination may be any of the binary integer data types.

FBLD source

FBLD (packed decimal (BCD) load) converts the content of the source operand from packed decimal to temporary real and loads (pushes) the result onto the stack. The sign of the source is preserved, including the case where the value is negative zero. FBLD is an exact operation; the source is loaded with no rounding error.
The packed decimal digits of the source are assumed to be in the range 0-9H. The instruction does not check for invalid digits (A-FH) and the result of attempting to load an invalid encoding is undefined.

FBSTP destination

FBSTP (packed decimal (BCD) store and pop) converts the content of the stack top to a packed decimal integer, stores the result at the destination in memory, and pops the stack. FBSTP produces a rounded integer from a nonintegral value by adding 0.5 to the value and then chopping. Users who are concerned about rounding may precede FBSTP with FRNDINT.

Arithmetic Instructions

The 80287's arithmetic instruction set (table 2-2) provides a wealth of variations on the basic add, subtract, multiply, and divide operations, and a number of other useful functions. These range from a simple absolute value to a square root instruction that executes faster than ordinary division; 80287 programmers no longer need to spend valuable time eliminating square roots from algorithms because they run too slowly. Other arithmetic instructions perform exact modulo division, round real numbers to integers, and scale values by powers of two.

The 80287's basic arithmetic instructions (addition, subtraction, multiplication, and division) are designed to encourage the development of very efficient algorithms. In particular, they allow the programmer to minimize memory references and to make optimum use of the NPX register stack.

Table 2-3 summarizes the available operation/operand forms that are provided for basic arithmetic. In addition to the four normal operations, two "reversed" instructions make subtraction and division "symmetrical" like addition and multiplication. The variety of instruction and operand forms give the programmer unusual flexibility:
• Operands may be located in registers or memory.
• Results may be deposited in a choice of registers.
• Operands may be a variety of NPX data types: temporary real, long real, short real, short integer or word integer, with automatic conversion to temporary real performed by the 80287.

Table 2-2. Arithmetic Instructions

Addition
    FADD     Add real
    FADDP    Add real and pop
    FIADD    Integer add
Subtraction
    FSUB     Subtract real
    FSUBP    Subtract real and pop
    FISUB    Integer subtract
    FSUBR    Subtract real reversed
    FSUBRP   Subtract real reversed and pop
    FISUBR   Integer subtract reversed
Multiplication
    FMUL     Multiply real
    FMULP    Multiply real and pop
    FIMUL    Integer multiply
Division
    FDIV     Divide real
    FDIVP    Divide real and pop
    FIDIV    Integer divide
    FDIVR    Divide real reversed
    FDIVRP   Divide real reversed and pop
    FIDIVR   Integer divide reversed
Other Operations
    FSQRT    Square root
    FSCALE   Scale
    FPREM    Partial remainder
    FRNDINT  Round to integer
    FXTRACT  Extract exponent and significand
    FABS     Absolute value
    FCHS     Change sign

Five basic instruction forms may be used across all six operations, as shown in table 2-3. The classical stack form may be used to make the 80287 operate like a classical stack machine. No operands are coded in this form, only the instruction mnemonic. The NPX picks the source operand from the stack top and the destination from the next stack element. It then pops the stack, performs the operation, and returns the result to the new stack top, effectively replacing the operands by the result.

The register form is a generalization of the classical stack form; the programmer specifies the stack top as one operand and any register on the stack as the other operand. Coding the stack top as the destination provides a convenient way to access a constant, held elsewhere in the stack, from the stack top. The converse coding (ST is the source operand) allows, for example, adding the top into a register used as an accumulator.

Table 2-3.
Basic Arithmetic Instructions and Operands

Instruction Form   Mnemonic Form   Operand Forms (destination, source)   ASM286 Example
Classical stack    Fop             {ST(1),ST}                            FADD
Register           Fop             ST(i),ST or ST,ST(i)                  FSUB ST,ST(3)
Register pop       FopP            ST(i),ST                              FMULP ST(2),ST
Real memory        Fop             {ST,} short-real/long-real            FDIV AZIMUTH
Integer memory     FIop            {ST,} word-integer/short-integer      FIDIV N_PULSES

NOTES: Braces ({ }) surround implicit operands; these are not coded, and are shown here for information only.

op =
    ADD    destination ← destination + source
    SUB    destination ← destination - source
    SUBR   destination ← source - destination
    MUL    destination ← destination · source
    DIV    destination ← destination ÷ source
    DIVR   destination ← source ÷ destination

Often the operand in the stack top is needed for one operation but then is of no further use in the computation. The register pop form can be used to pick up the stack top as the source operand, and then discard it by popping the stack. Coding operands of ST(1),ST with a register pop mnemonic is equivalent to a classical stack operation: the top is popped and the result is left at the new top.

The two memory forms increase the flexibility of the 80287's arithmetic instructions. They permit a real number or a binary integer in memory to be used directly as a source operand. This is a very useful facility in situations where operands are not used frequently enough to justify holding them in registers. Note that any memory addressing mode may be used to define these operands, so they may be elements in arrays, structures, or other data organizations, as well as simple scalars.

The six basic operations are discussed further in the next paragraphs, and descriptions of the remaining seven arithmetic operations follow.

ADDITION

    FADD   //source/destination,source
    FADDP  //destination/source
    FIADD  source

The addition instructions (add real, add real and pop, integer add) add the source and destination operands and return the sum to the destination.
The operand at the stack top may be doubled by coding:

    FADD ST,ST(0)

NORMAL SUBTRACTION

    FSUB   //source/destination,source
    FSUBP  //destination/source
    FISUB  source

The normal subtraction instructions (subtract real, subtract real and pop, integer subtract) subtract the source operand from the destination and return the difference to the destination.

REVERSED SUBTRACTION

    FSUBR   //source/destination,source
    FSUBRP  //destination/source
    FISUBR  source

The reversed subtraction instructions (subtract real reversed, subtract real reversed and pop, integer subtract reversed) subtract the destination from the source and return the difference to the destination.

MULTIPLICATION

    FMUL   //source/destination,source
    FMULP  destination,source
    FIMUL  source

The multiplication instructions (multiply real, multiply real and pop, integer multiply) multiply the source and destination operands and return the product to the destination. Coding FMUL ST,ST(0) squares the content of the stack top.

NORMAL DIVISION

    FDIV   //source/destination,source
    FDIVP  destination,source
    FIDIV  source

The normal division instructions (divide real, divide real and pop, integer divide) divide the destination by the source and return the quotient to the destination.

REVERSED DIVISION

    FDIVR   //source/destination,source
    FDIVRP  destination,source
    FIDIVR  source

The reversed division instructions (divide real reversed, divide real reversed and pop, integer divide reversed) divide the source operand by the destination and return the quotient to the destination.

FSQRT

FSQRT (square root) replaces the content of the top stack element with its square root. (Note: The square root of -0 is defined to be -0.)

FSCALE

FSCALE (scale) interprets the value contained in ST(1) as an integer and adds this value to the exponent of the number in ST. This is equivalent to

    ST ← ST · 2^ST(1)

Thus, FSCALE provides rapid multiplication or division by integral powers of 2.
It is particularly useful for scaling the elements of a vector.

Note that FSCALE assumes the scale factor in ST(1) is an integral value in the range -2^15 ≤ X < 2^15. If the value is not integral, but is in-range and is greater in magnitude than 1, FSCALE uses the nearest integer smaller in magnitude; i.e., it chops the value toward 0. If the value is out of range, or 0 < |X| < 1, the instruction will produce an undefined result and will not signal an exception. The recommended practice is to load the scale factor from a word integer to ensure correct operation.

FPREM

FPREM (partial remainder) performs modulo division of the top stack element by the next stack element, i.e., ST(1) is the modulus. FPREM produces an exact result; the precision exception does not occur. The sign of the remainder is the same as the sign of the original dividend.

FPREM operates by performing successive scaled subtractions; obtaining the exact remainder when the operands differ greatly in magnitude can consume large amounts of execution time. Because the 80287 can only be preempted between instructions, the remainder function could seriously increase interrupt latency in these cases. Accordingly, the instruction is designed to be executed iteratively in a software-controlled loop.

FPREM can reduce a magnitude difference of up to 2^64 in one execution. If FPREM produces a remainder that is less than the modulus, the function is complete and bit C2 of the status word condition code is cleared. If the function is incomplete, C2 is set to 1; the result in ST is then called the partial remainder. Software can inspect C2 by storing the status word following execution of FPREM and re-execute the instruction (using the partial remainder in ST as the dividend), until C2 is cleared. Alternatively, a program can determine when the function is complete by comparing ST to ST(1).
If ST > ST(1), then FPREM must be executed again; if ST = ST(1), then the remainder is 0; if ST source ST < source ST = source ST is not comparable

NaNs and ∞ (projective) cannot be compared and return C3 = C0 = 1 as shown in the table.

FCOMP //source

FCOMP (compare real and pop) operates like FCOM, and in addition pops the stack.

FCOMPP

FCOMPP (compare real and pop twice) operates like FCOM and additionally pops the stack twice, discarding both operands. The comparison is of the stack top to ST(1); no operands may be explicitly coded.

FICOM source

FICOM (integer compare) converts the source operand, which may reference a word or short binary integer variable, to temporary real and compares the stack top to it.

FICOMP source

FICOMP (integer compare and pop) operates identically to FICOM and additionally discards the value in ST by popping the stack.

FTST

FTST (test) tests the top stack element by comparing it to zero. The result is posted to the condition codes as shown in table 2-7.

FXAM

FXAM (examine) reports the content of the top stack element as positive/negative and NaN/unnormal/denormal/normal/zero, or empty. Table 2-8 lists and interprets all the condition code values that FXAM generates. Although four different encodings may be returned for an empty register, bits C3 and C0 of the condition code are both 1 in all encodings. Bits C2 and C1 should be ignored when examining for empty.

Table 2-7. Condition Code Interpretation after FTST

    Condition Code
    C3  C2  C1  C0    Interpretation after FTST
    0   0   X   0     ST > 0
    0   0   X   1     ST < 0
    1   0   X   0     ST = 0
    1   1   X   1     ST is not comparable (i.e., it is a NaN or projective infinity)

Table 2-8.
FXAM Condition Code Settings

    Condition Code
    C3  C2  C1  C0    Interpretation
    0   0   0   0     + Unnormal
    0   0   0   1     + NaN
    0   0   1   0     - Unnormal
    0   0   1   1     - NaN
    0   1   0   0     + Normal
    0   1   0   1     + ∞
    0   1   1   0     - Normal
    0   1   1   1     - ∞
    1   0   0   0     + 0
    1   0   0   1     Empty
    1   0   1   0     - 0
    1   0   1   1     Empty
    1   1   0   0     + Denormal
    1   1   0   1     Empty
    1   1   1   0     - Denormal
    1   1   1   1     Empty

Transcendental Instructions

The instructions in this group (table 2-9) perform the time-consuming core calculations for all common trigonometric, inverse trigonometric, hyperbolic, inverse hyperbolic, logarithmic, and exponential functions. Prologue and epilogue software may be used to reduce arguments to the range accepted by the instructions and to adjust the result to correspond to the original arguments if necessary. The transcendentals operate on the top one or two stack elements, and they return their results to the stack, also.

NOTE

The transcendental instructions assume that their operands are valid and in-range. The instruction descriptions in this section provide the allowed operand range of each instruction.

All operands to a transcendental must be normalized; denormals, unnormals, infinities, and NaNs are considered invalid. (Zero operands are accepted by some functions and are considered out-of-range by others). If a transcendental operand is invalid or out-of-range, the instruction will produce an undefined result without signalling an exception. It is the programmer's responsibility to ensure that operands are valid and in-range before executing a transcendental. For periodic functions, FPREM may be used to bring a valid operand into range.

FPTAN    0 ≤ ST(0) ≤ π/4

FPTAN (partial tangent) computes the function Y/X = TAN(θ). θ is taken from the top stack element; it must lie in the range 0 ≤ θ ≤ π/4. The result of the operation is a ratio; Y replaces θ in the stack and X is pushed, becoming the new stack top.

Table 2-9.
Transcendental Instructions

    FPTAN     Partial tangent
    FPATAN    Partial arctangent
    F2XM1     2^X - 1
    FYL2X     Y · log2 X
    FYL2XP1   Y · log2 (X + 1)

The ratio result of FPTAN and the ratio argument of FPATAN are designed to optimize the calculation of the other trigonometric functions, including SIN, COS, ARCSIN, and ARCCOS. These can be derived from TAN and ARCTAN via standard trigonometric identities.

FPATAN    0 ≤ ST(1) < ST(0) < ∞

FPATAN (partial arctangent) computes the function θ = ARCTAN(Y/X). X is taken from the top stack element and Y from ST(1). Y and X must observe the inequality 0 ≤ Y < X < ∞. The instruction pops the stack and returns θ to the (new) stack top, overwriting the Y operand.

F2XM1    0 ≤ ST(0) ≤ 0.5

F2XM1 (2 to the X minus 1) calculates the function Y = 2^X - 1. X is taken from the stack top and must be in the range 0 ≤ X ≤ 0.5. The result Y replaces X at the stack top.

This instruction is designed to produce a very accurate result even when X is close to 0. To obtain Y = 2^X, add 1 to the result delivered by F2XM1.

The following formulas show how values other than 2 may be raised to a power of X:

    10^X = 2^(X · LOG2 10)
    e^X  = 2^(X · LOG2 e)
    Y^X  = 2^(X · LOG2 Y)

As shown in the next section, the 80287 has built-in instructions for loading the constants LOG2 10 and LOG2 e, and the FYL2X instruction may be used to calculate X · LOG2 Y.

FYL2X    0 < ST(0) < ∞, -∞ < ST(1) < ∞

FYL2X (Y log base 2 of X) calculates the function Z = Y · LOG2 X. X is taken from the stack top and Y from ST(1). The operands must be in the ranges 0 < X < ∞ and -∞ < Y < +∞. The instruction pops the stack and returns Z at the (new) stack top, replacing the Y operand.

This function optimizes the calculations of log to any base other than two, because a multiplication is always required:

FYL2XP1    0 ≤ |ST(0)| < (1 - (√2/2)), -∞ < ST(1) < ∞

FYL2XP1 (Y log base 2 of (X + 1)) calculates the function Z = Y · LOG2 (X + 1).
X is taken from the stack top and must be in the range 0 ≤ |X| < (1 - (√2/2)). Y is taken from ST(1) and must be in the range -∞ < Y < ∞. FYL2XP1 pops the stack and returns Z at the (new) stack top, replacing Y.

The instruction provides improved accuracy over FYL2X when computing the log of a number very close to 1, for example 1 + E where E << 1. Providing E rather than 1 + E as the input to the function allows more significant digits to be retained.

Constant Instructions

Each of these instructions (table 2-10) loads (pushes) a commonly-used constant onto the stack. The values have full temporary real precision (64 bits) and are accurate to approximately 19 decimal digits. Because a temporary real constant occupies 10 memory bytes, the constant instructions, which are only two bytes long, save storage and improve execution speed, in addition to simplifying programming.

FLDZ

FLDZ (load zero) loads (pushes) +0.0 onto the stack.

FLD1

FLD1 (load one) loads (pushes) +1.0 onto the stack.

FLDPI

FLDPI (load π) loads (pushes) π onto the stack.

FLDL2T

FLDL2T (load log base 2 of 10) loads (pushes) the value LOG2 10 onto the stack.

FLDL2E

FLDL2E (load log base 2 of e) loads (pushes) the value LOG2 e onto the stack.

Table 2-10. Constant Instructions

    FLDZ      Load +0.0
    FLD1      Load +1.0
    FLDPI     Load π
    FLDL2T    Load log2 10
    FLDL2E    Load log2 e
    FLDLG2    Load log10 2
    FLDLN2    Load loge 2

FLDLG2

FLDLG2 (load log base 10 of 2) loads (pushes) the value LOG10 2 onto the stack.

FLDLN2

FLDLN2 (load log base e of 2) loads (pushes) the value LOGe 2 onto the stack.

Processor Control Instructions

The processor control instructions shown in table 2-11 are not typically used in calculations; they provide control over the 80287 NPX for system-level activities. These activities include initialization, exception handling, and task switching.
As shown in table 2-11, many of the NPX processor control instructions have two forms of assembler mnemonic:
• A wait form, where the mnemonic is prefixed only with an F, such as FSTSW. This form checks for unmasked numeric errors.
• A no-wait form, where the mnemonic is prefixed with an FN, such as FNSTSW. This form ignores unmasked numeric errors.

When the control instruction is coded using the no-wait form of the mnemonic, the ASM286 assembler does not precede the ESC instruction with a wait instruction, and the CPU does not test the ERROR status line from the NPX before executing the processor control instruction.

Only the processor control class of instructions have this alternate no-wait form. All numeric instructions are automatically synchronized by the 80286, with the CPU testing the BUSY status line and only executing the numeric instruction when this line is inactive. Because of this automatic synchronization by the 80286, numeric instructions for the 80287 need not be preceded by a CPU wait instruction in order to execute correctly.

Table 2-11. Processor Control Instructions

    FINIT/FNINIT         Initialize processor
    FSETPM               Set Protected Mode
    FLDCW                Load control word
    FSTCW/FNSTCW         Store control word
    FSTSW/FNSTSW         Store status word
    FSTSW AX/FNSTSW AX   Store status word to AX
    FCLEX/FNCLEX         Clear exceptions
    FSTENV/FNSTENV       Store Environment
    FLDENV               Load environment
    FSAVE/FNSAVE         Save state
    FRSTOR               Restore state
    FINCSTP              Increment stack pointer
    FDECSTP              Decrement stack pointer
    FFREE                Free register
    FNOP                 No operation
    FWAIT                CPU Wait

It should also be noted that the 8087 instructions FENI and FDISI perform no function in the 80287. If these opcodes are detected in an 80286/80287 instruction stream, the 80287 will perform no specific operation and no internal states will be affected.
For programmers interested in porting numeric software from 8087 environments to the 80286, however, it should be noted that program sections containing these exception-handling instructions are not likely to be completely portable to the 80287. Appendix B contains a more complete description of the differences between the 80287 and the 8087 NPX.

FINIT/FNINIT

FINIT/FNINIT (initialize processor) sets the 80287 NPX into a known state, unaffected by any previous activity. The no-wait form of this instruction will cause the 80287 to abort any previous numeric operations currently executing in the NEU. This instruction performs the functional equivalent of a hardware RESET, with one exception; FINIT/FNINIT does not affect the current 80287 operating mode (either Real-Address mode or Protected mode). FINIT checks for unmasked numeric exceptions, FNINIT does not.

Note that if FNINIT is executed while a previous 80287 memory-referencing instruction is running, 80287 bus cycles in progress will be aborted. This instruction may be necessary to clear the 80287 if a Processor Extension Segment Overrun Exception (Interrupt 9) is detected by the CPU.

FSETPM

FSETPM (set Protected mode) sets the operating mode of the 80287 to Protected Virtual-Address mode. When the 80287 is first initialized following hardware RESET, it operates in Real-Address mode, just as does the 80286 CPU. Once the 80287 NPX has been set into Protected mode, only a hardware RESET can return the NPX to operation in Real-Address mode.

When the 80287 operates in Protected mode, the NPX exception pointers are represented differently than they are in Real-Address mode (see the FSAVE and FSTENV instructions that follow). This distinction is evident primarily to writers of numeric exception handlers, however. For general application programmers, the operating mode of the 80287 need not be a concern.
FLDCW source

FLDCW (load control word) replaces the current processor control word with the word defined by the source operand. This instruction is typically used to establish or change the 80287's mode of operation. Note that if an exception bit in the status word is set, loading a new control word that unmasks that exception and clears the interrupt enable mask will generate an immediate interrupt request before the next instruction is executed. When changing modes, the recommended procedure is to first clear any exceptions and then load the new control word.

FSTCW/FNSTCW destination

FSTCW/FNSTCW (store control word) writes the current processor control word to the memory location defined by the destination. FSTCW checks for unmasked numeric exceptions, FNSTCW does not.

FSTSW/FNSTSW destination

FSTSW/FNSTSW (store status word) writes the current value of the 80287 status word to the destination operand in memory. The instruction is used to

• Implement conditional branching following a comparison or FPREM instruction (FSTSW)
• Poll the 80287 to determine if it is busy (FNSTSW)
• Invoke exception handlers in environments that do not use interrupts (FSTSW).

FSTSW checks for unmasked numeric exceptions, FNSTSW does not.

FSTSW AX/FNSTSW AX

FSTSW AX/FNSTSW AX (store status word to AX) is a special 80287 instruction that writes the current value of the 80287 status word directly into the 80286 AX register. This instruction optimizes conditional branching in numeric programs, where the 80286 CPU must test the condition of various NPX status bits. The waited form checks for unmasked numeric exceptions, the non-waited form does not.

When this instruction is executed, the 80286 AX register is updated with the NPX status word before the CPU executes any further instructions. In this way, the 80286 can immediately test the NPX status word without any WAIT or other synchronization instructions required.
FCLEX/FNCLEX

FCLEX/FNCLEX (clear exceptions) clears all exception flags, the error status flag and the busy flag in the status word. As a consequence, the 80287's ERROR line goes inactive. FCLEX checks for unmasked numeric exceptions, FNCLEX does not.

FSAVE/FNSAVE destination

FSAVE/FNSAVE (save state) writes the full 80287 state (environment plus register stack) to the memory location defined by the destination operand. Figure 2-1 shows the layout of the 94-byte save area; typically the instruction will be coded to save this image on the CPU stack. FNSAVE delays its execution until all NPX activity completes normally. Thus, the save image reflects the state of the NPX following the completion of any running instruction. After writing the state image to memory, FSAVE/FNSAVE initializes the 80287 as if FINIT/FNINIT had been executed.

FSAVE/FNSAVE is useful whenever a program wants to save the current state of the NPX and initialize it for a new routine. Three examples are

• An operating system needs to perform a context switch (suspend the task that had been running and give control to a new task).
• An exception handler needs to use the 80287.
• An application task wants to pass a "clean" 80287 to a subroutine.

FSAVE checks for unmasked numeric errors before executing, FNSAVE does not.

An FWAIT should be executed before CPU interrupts are enabled or any subsequent 80287 instruction is executed. Other CPU instructions may be executed between the FNSAVE/FSAVE and the FWAIT.

Figure 2-1. FSAVE/FRSTOR Memory Layout

Memory offset   Real mode                                                  Protected mode
+0              Control word                                               Control word
+2              Status word                                                Status word
+4              Tag word                                                   Tag word
+6              Instruction pointer (15-0)                                 IP offset
+8              Instruction pointer (19-16), 0, instruction opcode (10-0)  CS selector
+10             Data pointer (15-0)                                        Data operand offset
+12             Data pointer (19-16), 0                                    Data operand selector

In both modes the register stack follows, ten bytes per element at increasing addresses:

+14 to +22      Top stack element ST: significand 15-0 (+14), 31-16 (+16), 47-32 (+18), 63-48 (+20), S and exponent 14-0 (+22)
+24 to +32      Next stack element ST(1): significand 15-0 (+24), 31-16 (+26), 47-32 (+28), 63-48 (+30), S and exponent 14-0 (+32)
...
+84 to +92      Last stack element ST(7): significand 15-0 (+84), 31-16 (+86), 47-32 (+88), 63-48 (+90), S and exponent 14-0 (+92)

NOTES: S = Sign. Bit 0 of each field is rightmost, least significant bit of corresponding register field. Bit 63 of significand is integer bit (assumed binary point is immediately to the right).

FRSTOR source

FRSTOR (restore state) reloads the 80287 from the 94-byte memory area defined by the source operand. This information should have been written by a previous FSAVE/FNSAVE instruction and not altered by any other instruction. An FWAIT is not required after FRSTOR. FRSTOR will automatically wait and check for interrupts until all data transfers are completed before continuing to the next instruction.

Note that the 80287 "reacts" to its new state at the conclusion of the FRSTOR; it will, for example, generate an exception request if the exception and mask bits in the memory image so indicate when the next WAIT or error-checking-ESC instruction is executed.
FSTENV/FNSTENV destination

FSTENV/FNSTENV (store environment) writes the 80287's basic status (control, status, and tag words, and exception pointers) to the memory location defined by the destination operand. Typically, the environment is saved on the CPU stack. FSTENV/FNSTENV is often used by exception handlers because it provides access to the exception pointers that identify the offending instruction and operand. After saving the environment, FSTENV/FNSTENV sets all exception masks in the processor. FSTENV checks for pending errors before executing, FNSTENV does not.

Figure 2-2 shows the format of the environment data in memory. FNSTENV does not store the environment until all NPX activity has completed. Thus, the data saved by the instruction reflects the 80287 after any previously decoded instruction has been executed. After writing the environment image to memory, FNSTENV/FSTENV initializes the 80287 state as if FNINIT/FINIT had been executed.

Figure 2-2. FSTENV/FLDENV Memory Layout

Memory offset   Real mode                                                  Protected mode
+0              Control word                                               Control word
+2              Status word                                                Status word
+4              Tag word                                                   Tag word
+6              Instruction pointer (15-0)                                 IP offset
+8              Instruction pointer (19-16), 0, instruction opcode (10-0)  CS selector
+10             Data pointer (15-0)                                        Data operand offset
+12             Data pointer (19-16), 0                                    Data operand selector

FSTENV/FNSTENV must be allowed to complete before any other 80287 instruction is decoded. When FSTENV is coded, an explicit FWAIT, or assembler-generated WAIT, should precede any subsequent 80287 instruction.

FLDENV source

FLDENV (load environment) reloads the environment from the memory area defined by the source operand. This data should have been written by a previous FSTENV/FNSTENV instruction. CPU instructions (that do not reference the environment image) may immediately follow FLDENV. An FWAIT is not required after FLDENV.
FLDENV will automatically wait for all data transfers to complete before executing the next instruction.

Note that loading an environment image that contains an unmasked exception will cause a numeric exception when the next WAIT or error-checking-ESC instruction is executed.

FINCSTP

FINCSTP (increment stack pointer) adds 1 to the stack top pointer (ST) in the status word. It does not alter tags or register contents, nor does it transfer data. It is not equivalent to popping the stack, because it does not set the tag of the previous stack top to empty. Incrementing the stack pointer when ST=7 produces ST=0.

FDECSTP

FDECSTP (decrement stack pointer) subtracts 1 from ST, the stack top pointer in the status word. No tags or registers are altered, nor is any data transferred. Executing FDECSTP when ST=0 produces ST=7.

FFREE destination

FFREE (free register) changes the destination register's tag to empty; the content of the register is unaffected.

FNOP

FNOP (no operation) stores the stack top to the stack top (FST ST,ST(0)) and thus effectively performs no operation.

FWAIT (CPU INSTRUCTION)

FWAIT is not actually an 80287 instruction, but an alternate mnemonic for the CPU WAIT instruction. The FWAIT or WAIT mnemonic should be coded whenever the programmer wants to synchronize the CPU to the NPX, that is, to suspend further instruction decoding until the NPX has completed the current instruction. FWAIT will check for unmasked numeric exceptions.

NOTE
A CPU instruction should not attempt to access a memory operand until the 80287 instruction has completed. For example, the following coding shows how FWAIT can be used to force the CPU instruction to wait for the 80287:

    FIST    VALUE
    FWAIT               ; Wait for FIST to complete
    MOV     AX,VALUE

More information on when to code an FWAIT instruction is given in a following section of this chapter, "Concurrent Processing with the 80287."
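The 14-byte environment image of Figure 2-2 is what an exception handler reads to locate the offending instruction and operand, and what FLDENV later reloads. The following C sketch is an added example, not code from the manual: it decodes a dumped image in either mode and reports whether reloading it would leave an unmasked exception pending. All function and structure names are hypothetical, the sample bytes are constructed, and the bit positions used (exception flags and masks in bits 5-0, stack top in status bits 13-11, the implied 11011 ESC prefix) are assumed from the 80287 word formats, which this section does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPX_ENV_SIZE 14            /* bytes written by FSTENV/FNSTENV */

/* Decoded view of one environment image (hypothetical structure). */
struct npx_env {
    uint16_t control, status, tag;
    int      protected_mode;
    uint16_t ip_off, cs_sel, dp_off, dp_sel;  /* Protected mode fields     */
    uint32_t ip_addr, dp_addr;                /* Real mode 20-bit pointers */
    uint16_t opcode;                          /* Real mode opcode (10-0)   */
};

/* Constructed sample: Real-Address mode image with a pending zero-divide. */
static const uint8_t SAMPLE_REAL_ENV[NPX_ENV_SIZE] = {
    0x7B, 0x03,   /* +0  control word 037Bh: zero-divide mask (bit 2) clear */
    0x84, 0x38,   /* +2  status word 3884h: ZE and ES set, stack top = 7    */
    0xFF, 0x3F,   /* +4  tag word                                           */
    0x45, 0x23,   /* +6  instruction pointer (15-0)                         */
    0x36, 0x10,   /* +8  instruction pointer (19-16), 0, opcode (10-0)      */
    0xCD, 0xAB,   /* +10 data pointer (15-0)                                */
    0x00, 0x20    /* +12 data pointer (19-16), 0                            */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* Decode an image; returns 0 on success, -1 on a bad pointer or short buffer. */
int npx_env_decode(const uint8_t *img, size_t len, int protected_mode,
                   struct npx_env *out)
{
    uint16_t w6, w8, w10, w12;

    if (img == NULL || out == NULL || len < NPX_ENV_SIZE)
        return -1;
    memset(out, 0, sizeof *out);
    out->control = le16(img + 0);
    out->status  = le16(img + 2);
    out->tag     = le16(img + 4);
    w6  = le16(img + 6);
    w8  = le16(img + 8);
    w10 = le16(img + 10);
    w12 = le16(img + 12);
    out->protected_mode = (protected_mode != 0);
    if (out->protected_mode) {
        /* Selector:offset pairs; the opcode is not part of this format. */
        out->ip_off = w6;  out->cs_sel = w8;
        out->dp_off = w10; out->dp_sel = w12;
    } else {
        /* Pointer bits 19-16 sit in the top four bits of words +8 and +12. */
        out->ip_addr = ((uint32_t)(w8 >> 12) << 16) | w6;
        out->opcode  = (uint16_t)(w8 & 0x07FF);
        out->dp_addr = ((uint32_t)(w12 >> 12) << 16) | w10;
    }
    return 0;
}

/* Stack top pointer ST, held in the status word. */
unsigned npx_env_stack_top(const struct npx_env *e)
{
    return (unsigned)(e->status >> 11) & 7u;
}

/* Exception flags that are set in the status word and not masked in the
 * control word. Nonzero means FLDENV (or FRSTOR) of this image leads to a
 * numeric exception at the next WAIT or error-checking ESC instruction. */
unsigned npx_env_pending_unmasked(const struct npx_env *e)
{
    return (unsigned)(e->status & ~e->control) & 0x3Fu;
}

/* Rebuild the two instruction bytes from the Real mode opcode field; the
 * upper five bits of the first byte are always 11011 and are not stored. */
void npx_env_esc_bytes(const struct npx_env *e, uint8_t out[2])
{
    out[0] = (uint8_t)(0xD8u | (e->opcode >> 8));
    out[1] = (uint8_t)(e->opcode & 0xFFu);
}

int main(void)
{
    struct npx_env e;
    uint8_t esc[2];

    if (npx_env_decode(SAMPLE_REAL_ENV, sizeof SAMPLE_REAL_ENV, 0, &e) != 0)
        return 1;
    npx_env_esc_bytes(&e, esc);
    printf("instruction at %05lXh (%02X %02X), operand at %05lXh\n",
           (unsigned long)e.ip_addr, esc[0], esc[1], (unsigned long)e.dp_addr);
    printf("stack top = %u, pending unmasked exceptions = %02Xh\n",
           npx_env_stack_top(&e), npx_env_pending_unmasked(&e));
    return 0;
}
```

A handler that edits a saved image before FLDENV can run the pending-exception check first and clear the flagged status bits in the image when it does not want the exception raised again.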
Instruction Set Reference Information

Table 2-14 later in this chapter lists the operating characteristics of all the 80287 instructions. There is one table entry for each instruction mnemonic; the entries are in alphabetical order for quick lookup. Each entry provides the general operand forms accepted by the instruction as well as a list of all exceptions that may be detected during the operation.

One entry exists for each combination of operand types that can be coded with the mnemonic. Table 2-12 explains the operand identifiers allowed in table 2-14. Following this entry are columns that provide execution time in clocks, the number of bus transfers run during the operation, the length of the instruction in bytes, and an ASM286 coding sample.

Table 2-12. Key to Operand Types

Identifier        Explanation
ST                Stack top; the register currently at the top of the stack.
ST(i)             A register in the stack i (0 ≤ i ≤ 7) stack elements from the top. ST(1) is the next-on-stack register, ST(2) is below ST(1), etc.
Short-real        A short real (32 bits) number in memory.
Long-real         A long real (64 bits) number in memory.
Temp-real         A temporary real (80 bits) number in memory.
Packed-decimal    A packed decimal integer (18 digits, 10 bytes) in memory.
Word-integer      A word binary integer (16 bits) in memory.
Short-integer     A short binary integer (32 bits) in memory.
Long-integer      A long binary integer (64 bits) in memory.
nn-bytes          A memory area nn bytes long.

INSTRUCTION EXECUTION TIME

The execution of an 80287 instruction involves three principal activities, each of which may contribute to the overall execution time of the instruction:

• 80286 CPU overhead involved in handling the ESC instruction opcode and setting up the 80287 NPX
• Instruction execution by the 80287 NPX
• Operand transfers between the 80287 NPX and memory or a CPU register

The timing of these various activities is affected by the individual clock frequencies of the 80286 CPU and the 80287 NPX. In addition, slow memories requiring the insertion of wait states in bus cycles, and bus contention due to other processors in the system, may lengthen operand transfer times.

In calculating an overall execution time for an individual numeric instruction, analysts must take each of these activities into account. In most cases, it can be assumed that the numeric instructions have already been prefetched by the 80286 and are awaiting execution.

• The CPU overhead in handling the ESC instruction opcode takes only a single CPU bus cycle before the 80287 begins its execution of the numeric instruction. The timing of this bus cycle is determined by the CPU clock. Additional CPU activity is required to set up the 80287's instruction and data pointer registers, but this activity occurs after the 80287 has begun executing its instruction, and so this parallel activity does not affect total execution time.
• The duration of individual numeric instructions executing on the 80287 varies for each instruction. Table 2-14 quotes a typical execution clock count and a range for each 80287 instruction. Dividing the figures in the table by 10 (for a 10-MHz 80287 NPX clock) produces an execution time in microseconds. The typical case is an estimate for operand values that normally characterize most applications. The range encompasses best- and worst-case operand values that may be found in extreme circumstances.
• The operand transfer time required to transfer operands between the 80287 and memory or a CPU register depends on the number of words to be transferred, the frequency of the CPU clock controlling bus timing, the number of wait states added to accommodate slower memories, and whether operands are based at even or odd memory addresses. Some (small) additional number of bus cycles may also be lost due to the asynchronous nature of the PEREQ/PEACK handshaking between the 80286 and 80287, and this interaction varies with relative frequencies of the CPU and NPX clocks.

The execution clock counts for the NPX execution of instructions shown in table 2-14 assume that no exceptions are detected during execution. Invalid operation, denormalized operand (unmasked), and zero divide exceptions usually decrease execution time from the typical figure, but execution still falls within the indicated range. The precision exception has no effect on execution time. Unmasked overflow and underflow, and masked denormalized exceptions impose additional execution penalties as shown in table 2-13. Absolute worst-case execution times are therefore the high range figure plus the largest penalty that may be encountered.

Table 2-13. Execution Penalties

Exception                Additional Clocks
Overflow (unmasked)      14
Underflow (unmasked)     16
Denormalized (masked)    33

BUS TRANSFERS

NPX instructions that reference memory require bus cycles to transfer operands between the NPX and memory. The actual number of transfers depends on the length of the operand and the alignment of the operand in memory. In table 2-14, the first figure gives execution clocks for even-addressed operands, while the second gives the clock count for odd-addressed operands.

For operands aligned at word boundaries, that is, based at even memory addresses, each word to be transferred requires one bus cycle between the 80286 data channel and memory, and one bus cycle to the NPX.
For operands based at odd memory addresses, each word transfer requires two bus cycles to transfer individual bytes between the 80286 data channel and memory, and one bus cycle to the NPX.

NOTE
For best performance, operands for the 80287 should be aligned along word boundaries; that is, based at even memory addresses. Operands based at odd memory addresses are transferred to memory essentially byte-at-a-time and may take half again as long to transfer as word-aligned operands.

Additional transfer time is required if slow memories are being used, requiring the insertion of wait states into the CPU bus cycle. In multiprocessor environments, the bus may not be available immediately; this overhead can also increase effective transfer time.

INSTRUCTION LENGTH

80287 instructions that do not reference memory are two bytes long. Memory reference instructions vary between two and four bytes. The third and fourth bytes are for the 8- or 16-bit displacement values used in conjunction with the standard 80286 memory-addressing modes.

Note that the lengths quoted in table 2-14 for the processor control instructions (FNINIT, FNSTCW, FNSTSW, FNSTSW AX, FNCLEX, FNSTENV, and FNSAVE) do not include the one-byte CPU wait instruction inserted by the ASM286 assembler if the control instruction is coded using the wait form of the mnemonic (e.g. FINIT, FSTCW, FSTSW, FSTSW AX, FCLEX, FSTENV, and FSAVE). Wait and no-wait forms of the processor control instructions have been described in the preceding section titled "Processor Control Instructions."

Table 2-14. Instruction Set Reference Data

                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FABS    FABS (no operands)    Absolute value    Exceptions: I
(no operands)                   14        10-17      0             2      FABS

FADD    FADD //source/destination,source    Add real    Exceptions: I, D, O, U, P
//ST,ST(i)/ST(i),ST             85        70-100     0             2      FADD ST,ST(4)
short-real                      105       90-120     2             2-4    FADD AIR_TEMP [SI]
long-real                       110       95-125     4             2-4    FADD [BX].MEAN

FADDP    FADDP destination,source    Add real and pop    Exceptions: I, D, O, U, P
ST(i),ST                        90        75-105     0             2      FADDP ST(2),ST

FBLD    FBLD source    Packed decimal (BCD) load    Exceptions: I
packed-decimal                  300       290-310    5             2-4    FBLD YTD_SALES

FBSTP    FBSTP destination    Packed decimal (BCD) store and pop    Exceptions: I
packed-decimal                  530       520-540    5             2-4    FBSTP [BX].FORECAST
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FCHS    FCHS (no operands)    Change sign    Exceptions: I
(no operands)                   15        10-17      0             2      FCHS

FCLEX/FNCLEX    FCLEX/FNCLEX (no operands)    Clear exceptions    Exceptions: None
(no operands)                   5         2-8        0             2      FNCLEX

FCOM    FCOM //source    Compare real    Exceptions: I, D
//ST(i)                         45        40-50      0             2      FCOM ST(1)
short-real                      65        60-70      2             2-4    FCOM [BP].UPPER_LIMIT
long-real                       70        65-75      4             2-4    FCOM WAVELENGTH

FCOMP    FCOMP //source    Compare real and pop    Exceptions: I, D
//ST(i)                         47        42-52      0             2      FCOMP ST(2)
short-real                      68        63-73      2             2-4    FCOMP [BP + 2].N_READINGS
long-real                       72        67-77      4             2-4    FCOMP DENSITY

FCOMPP    FCOMPP (no operands)    Compare real and pop twice    Exceptions: I, D
(no operands)                   50        45-55      0             2      FCOMPP
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FDECSTP    FDECSTP (no operands)    Decrement stack pointer    Exceptions: None
(no operands)                   9         6-12       0             2      FDECSTP

FDIV    FDIV //source/destination,source    Divide real    Exceptions: I, D, Z, O, U, P
//ST(i),ST                      198       193-203    0             2      FDIV
short-real                      220       215-225    2             2-4    FDIV DISTANCE
long-real                       225       220-230    4             2-4    FDIV ARC [DI]

FDIVP    FDIVP destination,source    Divide real and pop    Exceptions: I, D, Z, O, U, P
ST(i),ST                        202       197-207    0             2      FDIVP ST(4),ST

FDIVR    FDIVR //source/destination,source    Divide real reversed    Exceptions: I, D, Z, O, U, P
//ST,ST(i)/ST(i),ST             199       194-204    0             2      FDIVR ST(2),ST
short-real                      221       216-226    2             2-4    FDIVR [BX].PULSE_RATE
long-real                       226       221-231    4             2-4    FDIVR RECORDER.FREQUENCY

FDIVRP    FDIVRP destination,source    Divide real reversed and pop    Exceptions: I, D, Z, O, U, P
ST(i),ST                        203       198-208    0             2      FDIVRP ST(1),ST
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FFREE    FFREE destination    Free register    Exceptions: None
ST(i)                           11        9-16       0             2      FFREE ST(1)

FIADD    FIADD source    Integer add    Exceptions: I, D, O, P
word-integer                    120       102-137    1             2-4    FIADD DISTANCE_TRAVELLED
short-integer                   125       108-143    2             2-4    FIADD PULSE_COUNT [SI]

FICOM    FICOM source    Integer compare    Exceptions: I, D
word-integer                    80        72-86      1             2-4    FICOM TOOL.N_PASSES
short-integer                   85        78-91      2             2-4    FICOM [BP+4].PARM_COUNT

FICOMP    FICOMP source    Integer compare and pop    Exceptions: I, D
word-integer                    82        74-88      1             2-4    FICOMP [BP].LIMIT [SI]
short-integer                   87        80-93      2             2-4    FICOMP N_SAMPLES

FIDIV    FIDIV source    Integer divide    Exceptions: I, D, Z, O, U, P
word-integer                    230       224-238    1             2-4    FIDIV SURVEY.OBSERVATIONS
short-integer                   236       230-243    2             2-4    FIDIV RELATIVE_ANGLE [DI]
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FIDIVR    FIDIVR source    Integer divide reversed    Exceptions: I, D, Z, O, U, P
word-integer                    230       225-239    1             2-4    FIDIVR [BP].X_COORD
short-integer                   237       231-245    2             2-4    FIDIVR FREQUENCY

FILD    FILD source    Integer load    Exceptions: I
word-integer                    50        46-54      1             2-4    FILD [BX].SEQUENCE
short-integer                   56        52-60      2             2-4    FILD STANDOFF [DI]
long-integer                    64        60-68      4             2-4    FILD RESPONSE.COUNT

FIMUL    FIMUL source    Integer multiply    Exceptions: I, D, O, P
word-integer                    130       124-138    1             2-4    FIMUL BEARING
short-integer                   136       130-144    2             2-4    FIMUL POSITION.Z_AXIS

FINCSTP    FINCSTP (no operands)    Increment stack pointer    Exceptions: None
(no operands)                   9         6-12       0             2      FINCSTP

FINIT/FNINIT    FINIT/FNINIT (no operands)    Initialize processor    Exceptions: None
(no operands)                   5         2-8        0             2      FINIT
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FIST    FIST destination    Integer store    Exceptions: I, P
word-integer                    86        80-90      1             2-4    FIST OBS.COUNT[SI]
short-integer                   88        82-92      2             2-4    FIST [BP].FACTORED_PULSES

FISTP    FISTP destination    Integer store and pop    Exceptions: I, P
word-integer                    88        82-92      1             2-4    FISTP [BX].ALPHA_COUNT [SI]
short-integer                   90        84-94      2             2-4    FISTP CORRECTED_TIME
long-integer                    100       94-105     4             2-4    FISTP PANEL.N_READINGS

FISUB    FISUB source    Integer subtract    Exceptions: I, D, O, P
word-integer                    120       102-137    1             2-4    FISUB BASE_FREQUENCY
short-integer                   125       108-143    2             2-4    FISUB TRAIN_SIZE [DI]

FISUBR    FISUBR source    Integer subtract reversed    Exceptions: I, D, O, P
word-integer                    120       103-139    1             2-4    FISUBR FLOOR [BX] [SI]
short-integer                   125       109-144    2             2-4    FISUBR BALANCE
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FLD    FLD source    Load real    Exceptions: I, D
ST(i)                           20        17-22      0             2      FLD ST(0)
short-real                      43        38-56      2             2-4    FLD READING [SI].PRESSURE
long-real                       46        40-60      4             2-4    FLD [BP].TEMPERATURE
temp-real                       57        53-65      5             2-4    FLD SAVEREADING

FLDCW    FLDCW source    Load control word    Exceptions: None
2-bytes                         10        7-14       1             2-4    FLDCW CONTROLWORD

FLDENV    FLDENV source    Load environment    Exceptions: None
14-bytes                        40        35-45      7             2-4    FLDENV [BP + 6]

FLDLG2    FLDLG2 (no operands)    Load log10 2    Exceptions: I
(no operands)                   21        18-24      0             2      FLDLG2

FLDLN2    FLDLN2 (no operands)    Load log e 2    Exceptions: I
(no operands)                   20        17-23      0             2      FLDLN2
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FLDL2E    FLDL2E (no operands)    Load log2 e    Exceptions: I
(no operands)                   18        15-21      0             2      FLDL2E

FLDL2T    FLDL2T (no operands)    Load log2 10    Exceptions: I
(no operands)                   19        16-22      0             2      FLDL2T

FLDPI    FLDPI (no operands)    Load π    Exceptions: I
(no operands)                   19        16-22      0             2      FLDPI

FLDZ    FLDZ (no operands)    Load +0.0    Exceptions: I
(no operands)                   14        11-17      0             2      FLDZ

FLD1    FLD1 (no operands)    Load +1.0    Exceptions: I
(no operands)                   18        15-21      0             2      FLD1

FMUL    FMUL //source/destination,source    Multiply real    Exceptions: I, D, O, U, P
//ST(i),ST/ST,ST(i) (note 1)    97        90-105     0             2      FMUL ST,ST(3)
//ST(i),ST/ST,ST(i)             138       130-145    0             2      FMUL ST,ST(3)
short-real                      118       110-125    2             2-4    FMUL SPEED_FACTOR
long-real (note 1)              120       112-126    4             2-4    FMUL [BP].HEIGHT
long-real                       161       154-168    4             2-4    FMUL [BP].HEIGHT

FMULP    FMULP destination,source    Multiply real and pop    Exceptions: I, D, O, U, P
ST(i),ST (note 1)               100       94-108     0             2      FMULP ST(1),ST
ST(i),ST                        142       134-148    0             2      FMULP ST(1),ST

FNOP    FNOP (no operands)    No operation    Exceptions: None
(no operands)                   13        10-16      0             2      FNOP

FPATAN    FPATAN (no operands)    Partial arctangent    Exceptions: U, P (operands not checked)
(no operands)                   650       250-800    0             2      FPATAN

FPREM    FPREM (no operands)    Partial remainder    Exceptions: I, D, U
(no operands)                   125       15-190     0             2      FPREM

FPTAN    FPTAN (no operands)    Partial tangent    Exceptions: I, P (operands not checked)
(no operands)                   450       30-540     0             2      FPTAN

FRNDINT    FRNDINT (no operands)    Round to integer    Exceptions: I, P
(no operands)                   45        16-50      0             2      FRNDINT

FRSTOR    FRSTOR source    Restore saved state    Exceptions: None
94-bytes                        (note 2)             47            2-4    FRSTOR [BP]

FSAVE/FNSAVE    FSAVE/FNSAVE destination    Save state    Exceptions: None
94-bytes                        (note 3)             47            2-4    FSAVE [BP]

FSCALE    FSCALE (no operands)    Scale    Exceptions: I, O, U
(no operands)                   35        32-38      0             2      FSCALE
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FSETPM    FSETPM (no operands)    Set protected mode    Exceptions: None
(no operands)                             2-8        0             2      FSETPM

FSQRT    FSQRT (no operands)    Square root    Exceptions: I, D, P
(no operands)                   183       180-186    0             2      FSQRT

FST    FST destination    Store real    Exceptions: I, O, U, P
ST(i)                           18        15-22      0             2      FST ST(3)
short-real                      87        84-90      2             2-4    FST CORRELATION [DI]
long-real                       100       96-104     4             2-4    FST MEAN_READING

FSTCW/FNSTCW    FSTCW destination    Store control word    Exceptions: None
2-bytes                         15        12-18      1             2-4    FSTCW SAVE_CONTROL

FSTENV/FNSTENV    FSTENV destination    Store environment    Exceptions: None
14-bytes                        45        40-50      7             2-4    FSTENV [SP]
                                Execution Clocks     Operand Word  Code
Operands                        Typical   Range      Transfers     Bytes  Coding Example

FSTP    FSTP destination    Store real and pop    Exceptions: I, O, U, P
ST(i)                           20        17-24      0             2      FSTP ST(2)
short-real                      89        86-92      2             2-4    FSTP [BX].ADJUSTED_RPM
long-real                       102       98-106     4             2-4    FSTP TOTAL_DOSAGE
temp-real                       55        52-58      5             2-4    FSTP REG_SAVE [SI]

FSTSW/FNSTSW    FSTSW destination    Store status word    Exceptions: None
2-bytes                         15        12-18      1             2-4    FSTSW SAVE_STATUS

FSTSW AX/FNSTSW AX    FSTSW AX    Store status word to AX    Exceptions: None
AX                                        10-16      1             2      FSTSW AX

FSUB    FSUB //source/destination,source    Subtract real    Exceptions: I, D, O, U, P
//ST,ST(i)/ST(i),ST             85        70-100     0             2      FSUB ST,ST(2)
short-real                      105       90-120     2             2-4    FSUB BASE_VALUE
long-real                       110       95-125     4             2-4    FSUB COORDINATE.X

FSUBP    FSUBP destination,source    Subtract real and pop    Exceptions: I, D, O, U, P
ST(i),ST                        90        75-105     0             2      FSUBP ST(2),ST
FSUBR FSUBR / /source/destination, source Subtract real reversed Exceptions: I, D, 0, U, P Execution Clocks Typical Range Operand Word Transfers Code Bytes 87 105 110 70-100 90-120 95-125 0 2 4 2 2-4 2-4 Operands / /ST,ST(i)/ST(i),ST short-real long-real FSUBRP FSUBRP destination, source Subtract real reversed and pop Execution Clocks ST(i),ST FTST Range Operand Word Transfers Code Bytes 90 75-105 0 2 FTST (no operands) Test stack top against +0.0 Execution Clocks (no operands) FWAIT Coding Example FSUBRP ST(1),ST Exceptions: I, D Typical Range Operand Word Transfers Code Bytes 42 38-48 0 2 Operands FSUBR ST,ST(1) FSUBR VECTOR[SI] FSUBR [BX].INDEX Exceptions: I, D, 0, U, P Typical Operands Coding Example FWAIT (no operands) (CPU) Wait while 80287 is busy Coding Example FTST Exceptions: None (CPU instruction) Execution Clocks Typical Range Operand Word Transfers Bytes 3+5n* 3+5n 4 0 1 Operands (no operands) FXAM FXAM (no operands) Examine stack top Coda Coding Example FWAIT Exceptions: None Execution Clocks Typical Range Operand Word Transfers Code Bytes 17 12-23 0 2 Operands (no operands) 2-36 Coding Example FXAM PROGRAMMING NUMERIC APPLICATIONS Table 2-14. Instruction Set Reference Data (Cont'd.) FXCH FXCH //destination Exchange registers Exceptions: I Execution Clocks Typical Range Operand Word Transfers Code Bytes 12 10-15 0 2 Operands I/ST(i) FXTRACT FXTRACT (no operands) Extract exponent and significant Coding Example FXCH ST(2) Exceptions: I Execution Clocks Typical Range Operand Word Transfers Code Bytes 50 27-55 0 2 Operands (no operands) FYL2X FYL2X (no operands) y. 
Log 2X Coding Example FXTRACT Exceptions: P (operands not checked) Execution Clocks Typical Range Operand Word Transfers Code Bytes 950 900-1100 0 2 Operands (no operands) FYL2XP1 FYL2XP1 (no operands) Y .log2(X + 1) Coding Example FYL2X Exceptions: P (operands not checked) Execution Clocks Typical Range Operand Word Transfers Code Bytes 850 700-1000 0 2 Operands (no operands) F2XM1 F2XM1 (no operands) 2x-1 Coding Example FYL2XP1 Exceptions: U, P (operands not checked) Execution Clocks Typical Range Operand Word Transfers Code Bytes 500 310-630 0 2 Operands (no operands) Coding Example F2XM1

Notes:

1. Occurs when one or both operands is "short": it has 40 trailing zeros in its fraction (e.g., it was loaded from a short-real memory operand).

2. The 80287 execution clock count for this instruction is not meaningful in determining overall instruction execution time. For typical frequency ratios of the 80286 and 80287 clocks, 80287 execution occurs in parallel with the operand transfers, with the operand transfers determining the overall execution time of the instruction. For 80286:80287 clock frequency ratios of 4:8, 1:1, and 8:5, the overall execution clock count for this instruction is estimated at 490, 302, and 227 80287 clocks, respectively.

3. The 80287 execution clock count for this instruction is not meaningful in determining overall instruction execution time. For typical frequency ratios of the 80286 and 80287 clocks, 80287 execution occurs in parallel with the operand transfers, with the operand transfers determining the overall execution time of the instruction. For 80286:80287 clock frequency ratios of 4:8, 1:1, and 8:5, the overall execution clock count for this instruction is estimated at 376, 233, and 174 80287 clocks, respectively.

4. n = number of times CPU examines BUSY line before 80287 completes execution of previous instruction.
PROGRAMMING FACILITIES

As described previously, the 80287 NPX is programmed simply as an extension of the 80286 CPU. This section describes how programmers in ASM286 and in a variety of higher-level languages can work with the 80287.

The level of detail in this section is intended to give programmers a basic understanding of the software tools that can be used with the 80287, but this information does not document the full capabilities of these facilities. For a complete list of documentation on all the languages available for 80286 systems, readers should consult Intel's Literature Guide.

High-Level Languages

For programmers using high-level languages, the programming and operation of the NPX is handled automatically by the compiler. A variety of Intel high-level languages are available that automatically make use of the 80287 NPX when appropriate. These languages include

PL/M-286
FORTRAN-286
PASCAL-286
C-286

Each of these high-level languages has special numeric libraries allowing programs to take advantage of the capabilities of the 80287 NPX. No special programming conventions are necessary to make use of the 80287 NPX when programming numeric applications in any of these languages.

Programmers in PL/M-286 and ASM286 can also make use of many of these library routines by using routines contained in the 80287 Support Library, described in the 80287 Support Library Reference Manual, Order Number 122129. These library routines provide many of the functions provided by higher-level languages, including exception handlers, ASCII-to-floating-point conversions, and a more complete set of transcendental functions than that provided by the 80287 instruction set.

PL/M-286

Programmers in PL/M-286 can access a very useful subset of the 80287's numeric capabilities. The PL/M-286 REAL data type corresponds to the NPX's short real (32-bit) format.
This data type provides a range of about 8.43*10^-37 ≤ ABS(X) ≤ 3.38*10^38, with about seven significant decimal digits. This representation is adequate for the data manipulated by many microcomputer applications.

The utility of the REAL data type is extended by the PL/M-286 compiler's practice of holding intermediate results in the 80287's temporary real format. This means that the full range and precision of the processor are utilized for intermediate results. Underflow, overflow, and rounding errors are most likely to occur during intermediate computations rather than during calculation of an expression's final result. Holding intermediate results in temporary real format greatly reduces the likelihood of overflow and underflow and eliminates roundoff as a serious source of error until the final assignment of the result is performed.

The compiler generates 80287 code to evaluate expressions that contain REAL data types, whether variables or constants or both. This means that addition, subtraction, multiplication, division, comparison, and assignment of REALs will be performed by the NPX. INTEGER expressions, on the other hand, are evaluated on the CPU.

Five built-in procedures (table 2-15) give the PL/M-286 programmer access to 80287 functions manipulated by the processor control instructions. Prior to any arithmetic operations, a typical PL/M-286 program will set up the NPX after power up using the INIT$REAL$MATH$UNIT procedure and then issue SET$REAL$MODE to configure the NPX. SET$REAL$MODE loads the 80287 control word, and its 16-bit parameter has the format shown in figure 1-5. The recommended value of this parameter is 033EH (projective closure, round to nearest, 64-bit precision, all exceptions masked except invalid operation). Other settings may be used at the programmer's discretion.
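The recommended control word 033EH can be checked field by field. The C decoder below is an added example, not code from the manual; the bit positions are assumed from the standard 8087/80287 control-word layout (figure 1-5 is not reproduced in this section), and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exception bits. Assumed layout: the same six positions act as masks in
   the control word and as flags in the low-order byte of the status word
   (the byte GET$REAL$ERROR returns). */
enum { EXC_I = 0x01, EXC_D = 0x02, EXC_Z = 0x04,
       EXC_O = 0x08, EXC_U = 0x10, EXC_P = 0x20, EXC_ALL = 0x3F };

/* Exceptions left unmasked by control word cw (mask bit = 0). */
unsigned cw_unmasked(uint16_t cw) { return (unsigned)~cw & EXC_ALL; }

/* Precision control, bits 8-9: significand width in bits (0 = reserved). */
int cw_precision_bits(uint16_t cw)
{
    static const int bits[4] = { 24, 0, 53, 64 };
    return bits[(cw >> 8) & 3];
}

/* Rounding control, bits 10-11. */
const char *cw_rounding(uint16_t cw)
{
    static const char *const name[4] = { "nearest", "down", "up", "chop" };
    return name[(cw >> 10) & 3];
}

/* Infinity control, bit 12: 0 = projective closure, 1 = affine closure. */
int cw_affine(uint16_t cw) { return (cw >> 12) & 1; }

/* Nonzero when at least one exception is unmasked, i.e. when a handler
   on interrupt vector 16 has to exist. */
int cw_needs_handler(uint16_t cw) { return cw_unmasked(cw) != 0; }

/* Which flags in a status low byte correspond to unmasked exceptions,
   i.e. the ones an interrupt-16 handler would be invoked for. */
unsigned cw_trapping(uint16_t cw, uint8_t status_low)
{
    return status_low & cw_unmasked(cw);
}

/* Write a one-line description of cw into buf. */
int cw_describe(uint16_t cw, char *buf, size_t len)
{
    static const char letters[] = "IDZOUP";
    char unmasked[7];
    unsigned u = cw_unmasked(cw);
    int i, k = 0;

    for (i = 0; i < 6; i++)
        if (u & (1u << i))
            unmasked[k++] = letters[i];
    unmasked[k] = '\0';
    return snprintf(buf, len, "%s closure, round %s, %d-bit precision, unmasked: %s",
                    cw_affine(cw) ? "affine" : "projective",
                    cw_rounding(cw), cw_precision_bits(cw),
                    k ? unmasked : "none");
}

int main(void)
{
    char line[96];

    cw_describe(0x033E, line, sizeof line);   /* value recommended in the text */
    printf("033EH: %s\n", line);
    cw_describe(0x037F, line, sizeof line);   /* constructed comparison value  */
    printf("037FH: %s\n", line);
    return 0;
}
```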
If any exceptions are unmasked, an exception handler must be provided in the form of an interrupt procedure that is designated to be invoked by CPU interrupt pointer (vector) number 16. The exception handler can use the GET$REAL$ERROR procedure to obtain the low-order byte of the 80287 status word and to then clear the exception flags. The byte returned by GET$REAL$ERROR contains the exception flags; these can be examined to determine the source of the exception.

The SAVE$REAL$STATUS and RESTORE$REAL$STATUS procedures are provided for multitasking environments where a running task that uses the 80287 may be preempted by another task that also uses the 80287. It is the responsibility of the preempting task to issue SAVE$REAL$STATUS before it executes any statements that affect the 80287; these include the INIT$REAL$MATH$UNIT and SET$REAL$MODE procedures as well as arithmetic expressions. SAVE$REAL$STATUS saves the 80287 state (registers, status, and control words, etc.) on the CPU's stack. RESTORE$REAL$STATUS reloads the state information; the preempting task must invoke this procedure before terminating in order to restore the 80287 to its state at the time the running task was preempted. This enables the preempted task to resume execution from the point of its preemption.

Table 2-15. PL/M-286 Built-In Procedures

    Procedure                 80287 Instruction   Description
    INIT$REAL$MATH$UNIT(1)    FINIT               Initialize processor.
    SET$REAL$MODE             FLDCW               Set exception masks, rounding precision, and infinity controls.
    GET$REAL$ERROR(2)         FNSTSW & FNCLEX     Store, then clear, exception flags.
    SAVE$REAL$STATUS          FNSAVE              Save processor state.
    RESTORE$REAL$STATUS       FRSTOR              Restore processor state.

    (1) Also initializes interrupt pointers for emulation.
    (2) Returns low-order byte of status word.

ASM286

The ASM286 assembly language provides programmers with complete access to all of the facilities of the 80286 and 80287 processors.
The programmer's view of the 80286/80287 hardware is a single machine with these resources:

• 160 instructions
• 12 data types
• 8 general registers
• 4 segment registers
• 8 floating-point registers, organized as a stack

DEFINING DATA

The ASM286 directives shown in table 2-16 allocate storage for 80287 variables and constants. As with other storage allocation directives, the assembler associates a type with any variable defined with these directives. The type value is equal to the length of the storage unit in bytes (10 for DT, 8 for DQ, etc.). The assembler checks the type of any variable coded in an instruction to be certain that it is compatible with the instruction. For example, the coding FIADD ALPHA will be flagged as an error if ALPHA's type is not 2 or 4, because integer addition is only available for word and short integer data types. The operand's type also tells the assembler which machine instruction to produce; although to the programmer there is only an FIADD instruction, a different machine instruction is required for each operand type.

On occasion it is desirable to use an instruction with an operand that has no declared type. For example, if register BX points to a short integer variable, a programmer may want to code FIADD [BX]. This can be done by informing the assembler of the operand's type in the instruction, coding FIADD DWORD PTR [BX]. The corresponding overrides for the other storage allocations are WORD PTR, QWORD PTR, and TBYTE PTR.

    Directive   Interpretation      Data Types
    DW          Define Word         Word integer
    DD          Define Doubleword   Short integer, short real
    DQ          Define Quadword     Long integer, long real
    DT          Define Tenbyte      Packed decimal, temporary real

The assembler does not, however, check the types of operands used in processor control instructions. Coding FRSTOR [BP] implies that the programmer has set up register BP to point to the stack location where the processor's 94-byte state record has been previously saved.
The initial values for 80287 constants may be coded in several different ways. Binary integer constants may be specified as bit strings, decimal integers, octal integers, or hexadecimal strings. Packed decimal values are normally written as decimal integers, although the assembler will accept and convert other representations of integers. Real values may be written as ordinary decimal real numbers (decimal point required), as decimal numbers in scientific notation, or as hexadecimal strings. Using hexadecimal strings is primarily intended for defining special values such as infinities, NaNs, and nonnormalized numbers. Most programmers will find that ordinary decimal and scientific decimal provide the simplest way to initialize 80287 constants. Figure 2-3 compares several ways of setting the various 80287 data types to the same initial value. Note that preceding 80287 variables and constants with the ASM286 EVEN directive ensures that the operands will be word-aligned in memory. This will produce the best system performance. All 80287 data types occupy integral numbers of words so that no storage is "wasted" if blocks of variables are defined together and preceded by a single EVEN declarative. RECORDS AND STRUCTURES The ASM286 RECORD and STRUC (structure) declaratives can be very useful in NPX programming. The record facility can be used to define the bit fields of the control, status, and tag words. Figure 2-4 shows one definition of the status word and how it might be used in a routine that polls the 80287 until it has completed an instruction. Because STRUCtures allow different but related data types to be grouped together, they often provide a natural way to represent "real world" data organizations. The fact that the structure template may be "moved" about in memory adds to its flexibility. Figure 2-5 shows a simple structure that might be used to represent data consisting of a series of test score samples. 
A structure could also be used to define the organization of the information stored and loaded by the FSTENV and FLDENV instructions.

    ; THE FOLLOWING ALL ALLOCATE THE CONSTANT: -126
    ; NOTE TWO'S COMPLEMENT STORAGE OF NEGATIVE BINARY INTEGERS.
                   EVEN                          ; FORCE WORD ALIGNMENT
    WORD_INTEGER   DW  1111111110000010B         ; BIT STRING
    SHORT_INTEGER  DD  0FFFFFF82H                ; HEX STRING MUST START WITH DIGIT
    LONG_INTEGER   DQ  -126                      ; ORDINARY DECIMAL
    SHORT_REAL     DD  -126.0                    ; NOTE PRESENCE OF '.'
    LONG_REAL      DQ  -1.26E2                   ; "SCIENTIFIC"
    PACKED_DECIMAL DT  -126                      ; ORDINARY DECIMAL INTEGER
    ; IN THE FOLLOWING, SIGN AND EXPONENT IS 'C005',
    ; SIGNIFICAND IS 'FC00...00'. 'R' INFORMS ASSEMBLER THAT
    ; THE STRING REPRESENTS A REAL DATA TYPE.
                   DT  0C005FC00000000000000R    ; HEX STRING

Figure 2-3. Sample 80287 Constants

    ; RESERVE SPACE FOR STATUS WORD
    STATUS_WORD  DW  ?
    ; LAY OUT STATUS WORD FIELDS
    STATUS  RECORD
    &       BUSY:       1,
    &       COND_CODE3: 1,
    &       STACK_TOP:  3,
    &       COND_CODE2: 1,
    &       COND_CODE1: 1,
    &       COND_CODE0: 1,
    &       INT_REQ:    1,
    &       RESERVED:   1,
    &       P_FLAG:     1,
    &       U_FLAG:     1,
    &       O_FLAG:     1,
    &       Z_FLAG:     1,
    &       D_FLAG:     1,
    &       I_FLAG:     1
    ; POLL STATUS WORD UNTIL 80287 IS NOT BUSY
    POLL:   FNSTSW  STATUS_WORD
            TEST    STATUS_WORD, MASK BUSY
            JNZ     POLL

Figure 2-4. Status Word RECORD Definition

    SAMPLE       STRUC
    N_OBS        DD  ?               ; SHORT INTEGER
    MEAN         DQ  ?               ; LONG REAL
    MODE         DW  ?               ; WORD INTEGER
    STD_DEV      DQ  ?               ; LONG REAL
    ; ARRAY OF OBSERVATIONS -- WORD INTEGER
    TEST_SCORES  DW  1000 DUP (?)
    SAMPLE       ENDS

Figure 2-5. Structure Definition

ADDRESSING MODES

80287 memory data can be accessed with any of the CPU's five memory addressing modes. This means that 80287 data types can be incorporated in data aggregates ranging from simple to complex according to the needs of the application. The addressing modes, and the ASM286 notation used to specify them in instructions, make the accessing of structures, arrays, arrays of structures, and other organizations direct and straightforward. Table 2-17 gives several examples of 80287 instructions coded with operands that illustrate different addressing modes.
Table 2-17. Addressing Mode Examples

    Coding                     Interpretation
    FIADD ALPHA                ALPHA is a simple scalar (mode is direct).
    FDIVR ALPHA.BETA           BETA is a field in a structure that is "overlaid" on ALPHA (mode is direct).
    FMUL QWORD PTR [BX]        BX contains the address of a long real variable (mode is register indirect).
    FSUB ALPHA [SI]            ALPHA is an array and SI contains the offset of an array element from the start of the array (mode is indexed).
    FILD [BP].BETA             BP contains the address of a structure on the CPU stack and BETA is a field in the structure (mode is based).
    FBLD TBYTE PTR [BX][DI]    BX contains the address of a packed decimal array and DI contains the offset of an array element (mode is based indexed).

Comparative Programming Example

Figures 2-6 and 2-7 show the PL/M-286 and ASM286 code for a simple 80287 program, called ARRSUM. The program references an array (X$ARRAY), which contains 0-100 short real values; the integer variable N$OF$X indicates the number of array elements the program is to consider. ARRSUM steps through X$ARRAY accumulating three sums:

• SUM$X, the sum of the array values
• SUM$INDEXES, the sum of each array value times its index, where the index of the first element is 1, the second is 2, etc.
• SUM$SQUARES, the sum of each array element squared

(A true program, of course, would go beyond these steps to store and use the results of these calculations.) The control word is set with the recommended values: projective closure, round to nearest, 64-bit precision, interrupts enabled, and all exceptions masked except invalid operation. It is assumed that an exception handler has been written to field the invalid operation, if it occurs, and that it is invoked by interrupt pointer 16. Either version of the program will run on an actual or an emulated 80287 without altering the code shown.

The PL/M-286 version of ARRSUM (figure 2-6) is very straightforward and illustrates how easily the 80287 can be used in this language.
After declaring variables the program calls built-in procedures to initialize the processor (or its emulator) and to load the control word. The program clears the sum variables and then steps through X$ARRAY with a DO-loop. The loop control takes into account PL/M-286's practice of considering the index of the first element of an array to be 0. In the computation of SUM$INDEXES, the built-in procedure FLOAT converts I+1 from integer to real because the language does not support "mixed mode" arithmetic. One of the strengths of the NPX, of course, is that it does support arithmetic on mixed data types (because all values are converted internally to the 80-bit temporary real format).

    PL/M-286 COMPILER    ARRAYSUM
    SERIES-III PL/M-286 V1.0 COMPILATION OF MODULE ARRAYSUM
    OBJECT MODULE PLACED IN :F6:D.OBJ
    COMPILER INVOKED BY: PLM286.86 :F6:D.SRC XREF

    /*************************
     *    ARRAYSUM MOD       *
     *************************/
    array$sum: do;
        declare (sum$x, sum$indexes, sum$squares) real;
        declare x$array(100) real;
        declare (n$of$x, i) integer;
        declare control$287 literally '033eh';

        /* Assume x$array and n$of$x are initialized */

        /* Prepare the 80287 or its emulator */
        call init$real$math$unit;
        call set$real$mode(control$287);

        /* Clear sums */
        sum$x, sum$indexes, sum$squares = 0.0;

        /* Loop through array, accumulating */
        do i = 0 to n$of$x-1;
            sum$x = sum$x + x$array(i);
            sum$indexes = sum$indexes + (x$array(i) * float(i+1));
            sum$squares = sum$squares + (x$array(i)*x$array(i));
        end;

        /* etc. */
    end array$sum;

    PL/M-286 COMPILER    ARRAYSUM    CROSS-REFERENCE LISTING
    MODULE INFORMATION:
        CODE AREA SIZE     = 0077H    119D
        CONSTANT AREA SIZE = 0004H      4D
        VARIABLE AREA SIZE = 01A0H    416D
        MAXIMUM STACK SIZE = 0002H      2D
        33 LINES READ
        0 PROGRAM ERRORS

    DICTIONARY SUMMARY:
        96KB MEMORY AVAILABLE
        3KB MEMORY USED (3%)
        0KB DISK SPACE USED

    END OF PL/M-286 COMPILATION

Figure 2-6. Sample PL/M-286 Program

The ASM286 version (figure 2-7) defines the external procedure INIT287, which makes the different initialization requirements of the processor and its emulator transparent to the source code. After defining the data and setting up the segment registers and stack pointer, the program calls INIT287 and loads the control word.

The computation begins with the next three instructions, which clear three registers by loading (pushing) zeros onto the stack. As shown in figure 2-8, these registers remain at the bottom of the stack throughout the computation while temporary values are pushed on and popped off the stack above them.

The program uses the CPU LOOP instruction to control its iteration through X_ARRAY; register CX, which LOOP automatically decrements, is loaded with N_OF_X, the number of array elements to be summed. Register SI is used to select (index) the array elements. The program steps through X_ARRAY from back to front, so SI is initialized to point at the element just beyond the first element to be processed. The ASM286 TYPE operator is used to determine the number of bytes in each array element. This permits changing X_ARRAY to a long real array by simply changing its definition (DD to DQ) and reassembling.

Figure 2-8 shows the effect of the instructions in the program loop on the NPX register stack.
The figure assumes that the program is in its first iteration, that N_OF_X is 20, and that X_ARRAY(19) (the 20th element) contains the value 2.5. When the loop terminates, the three sums are left as the top stack elements so that the program ends by simply popping them into memory variables.

80287 Emulation

The programming of applications to execute on both 80286 and 80287 is made much easier by the existence of an 80287 emulator for 80286 systems. The Intel E80287 emulator offers a complete software counterpart to the 80287 hardware; NPX instructions can be simply emulated in software rather than being executed in hardware. With software emulation, the distinction between 80286 and 80287 systems is reduced to a simple performance differential (see Table 1-2 for a performance comparison between an actual 80287 and an emulated 80287). Identical numeric programs will simply execute more slowly on 80286 systems (using software emulation of NPX instructions) than on systems executing NPX instructions directly.

When incorporated into the systems software, the emulation of NPX instructions on the 80286 systems is completely transparent to the programmer. Applications software needs no special libraries, linking, or other activity to allow it to run on an 80286 with 80287 emulation.

To the applications programmer, the development of programs for 80286 systems is the same whether the 80287 NPX hardware is available or not. The full 80287 instruction set is available for use, with NPX instructions being either emulated or executed directly. Applications programmers need not be concerned with the hardware configuration of the computer systems on which their applications will eventually run.

For systems programmers, details relating to 80287 emulators are described in a later section of this supplement. An E80287 software emulator for 80286 systems is contained in the iMDX 364 8086 Software Toolbox, available from Intel and described in the 8086 Software Toolbox Manual.
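The register-stack behaviour of the ARRSUM loop (figure 2-8) can be traced with a small model. The C code below is an added example, not part of the manual: it follows the instruction sequence named in figure 2-8, models the eight stack registers with double instead of the 80-bit temporary real format, and uses hypothetical helper names.

```c
#include <stdio.h>

/* Minimal model of the NPX register stack: eight registers addressed
   relative to a top-of-stack pointer as ST(0)..ST(7). Assumption: double
   stands in for the 80-bit temporary real format. */
typedef struct { double r[8]; int top; } npx_t;

static double *st(npx_t *n, int i) { return &n->r[(n->top + i) & 7]; }

static void push(npx_t *n, double v)
{
    n->top = (n->top - 1) & 7;          /* a load decrements TOP ...       */
    *st(n, 0) = v;                      /* ... and writes the new ST(0)    */
}

static double pop(npx_t *n)
{
    double v = *st(n, 0);
    n->top = (n->top + 1) & 7;
    return v;
}

static void fldz(npx_t *n)                { push(n, 0.0); }
static void fld_mem(npx_t *n, float m)    { push(n, (double)m); }
static void fld_st(npx_t *n, int i)       { double v = *st(n, i); push(n, v); }
static void fadd_sti_st(npx_t *n, int i)  { *st(n, i) += *st(n, 0); }
static void fmul_st_sti(npx_t *n, int i)  { *st(n, 0) *= *st(n, i); }
static void fimul_mem(npx_t *n, short m)  { *st(n, 0) *= (double)m; }
static void faddp_sti_st(npx_t *n, int i) { *st(n, i) += *st(n, 0); (void)pop(n); }

/* One pass of the loop body. On entry and exit:
   ST(0) = SUM_SQUARES, ST(1) = SUM_INDEXES, ST(2) = SUM_X. */
void arrsum_step(npx_t *n, float x, short index)
{
    fld_mem(n, x);          /* FLD   X_ARRAY[SI]  push x                    */
    fadd_sti_st(n, 3);      /* FADD  ST(3),ST     SUM_X += x                */
    fld_st(n, 0);           /* FLD   ST           duplicate x               */
    fmul_st_sti(n, 0);      /* FMUL  ST,ST        ST(0) = x*x               */
    faddp_sti_st(n, 2);     /* FADDP ST(2),ST     SUM_SQUARES += x*x, pop   */
    fimul_mem(n, index);    /* FIMUL N_OF_X       ST(0) = x*index           */
    faddp_sti_st(n, 2);     /* FADDP ST(2),ST     SUM_INDEXES += that, pop  */
}

/* Whole computation, back to front as in the ASM286 version.
   out[0] = SUM_SQUARES, out[1] = SUM_INDEXES, out[2] = SUM_X. */
void arrsum(const float *x, short n_of_x, double out[3])
{
    npx_t n = { {0}, 0 };
    short i;

    fldz(&n); fldz(&n); fldz(&n);       /* three running sums              */
    for (i = n_of_x; i > 0; i--)        /* index of first element is 1     */
        arrsum_step(&n, x[i - 1], i);
    out[0] = pop(&n);                   /* FSTP SUM_SQUARES                */
    out[1] = pop(&n);                   /* FSTP SUM_INDEXES                */
    out[2] = pop(&n);                   /* FSTP SUM_X                      */
}

int main(void)
{
    /* Constructed input matching the figure's assumptions:
       N_OF_X = 20 and X_ARRAY(19) = 2.5; only the first pass is run. */
    npx_t n = { {0}, 0 };
    int i;

    fldz(&n); fldz(&n); fldz(&n);
    arrsum_step(&n, 2.5f, 20);
    for (i = 0; i < 3; i++)
        printf("ST(%d) = %g\n", i, *st(&n, i));
    return 0;
}
```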
CONCURRENT PROCESSING WITH THE 80287

Because the 80286 CPU and the 80287 NPX have separate execution units, it is possible for the NPX to execute numeric instructions in parallel with instructions executed by the CPU. This simultaneous execution of different instructions is called concurrency.

    iAPX286 MACRO ASSEMBLER    EXAMPLE_ASM286_PROGRAM
    SERIES-III iAPX286 MACRO ASSEMBLER X10B ASSEMBLY OF MODULE EXAMPLE_ASM286_PROGRAM
    OBJECT MODULE PLACED IN :F6:287EXP.OBJ
    ASSEMBLER INVOKED BY: ASM286.86 :F6:287EXP.SRC XREF

            name    example_ASM286_program
    ; Define initialization routine
            extrn   init287: far
    ; Allocate space for data
    data    segment rw public
    control_287     dw      033eh
    n_of_x          dw      ?
    x_array         dd      100 dup (?)
    sum_squares     dd      ?
    sum_indexes     dd      ?
    sum_x           dd      ?
    data    ends
    ; Allocate CPU stack space
    stack   stackseg 400
    ; Begin code
    code    segment er public
            assume  ds: data, ss: stack, es: nothing
    start:
            mov     ax, data
            mov     ds, ax
            mov     ax, stack
            mov     ss, ax
            mov     sp, stackstart stack
    ; Assume x_array and n_of_x are initialized
    ; this program zeroes n_of_x
    ; Prepare the 80287 or its emulator.
            call    init287
            fldcw   control_287
    ; Clear three registers to hold running sums
            fldz
            fldz
            fldz
    ; Setup CX as loop counter and SI as index to x_array
            mov     cx, n_of_x
            mov     ax, type x_array        ; bytes per array element
            imul    cx                      ; AX = n_of_x * element size
            mov     si, ax
    ; SI now contains index of last element + 1
    ; Loop thru x_array,
    ; accumulating sums
    sum_next:
            sub     si, type x_array        ; backup one element
            fld     x_array[si]             ; and push it on the stack
            fadd    st(3), st               ; add into sum of x
            fld     st                      ; duplicate x on top
            fmul    st, st                  ; square it
            faddp   st(2), st               ; add into sum of squares and discard
            fimul   n_of_x                  ; multiply x by its index
            faddp   st(2), st               ; add into sum of (index*x) and discard
            dec     n_of_x                  ; reduce index for next iteration
            loop    sum_next                ; continue
    ; Pop running sums into memory
    pop_results:
            fstp    sum_squares
            fstp    sum_indexes
            fstp    sum_x
            fwait
    ; Etc.
    code    ends
            end     start

Figure 2-7. Sample ASM286 Program

[Figure 2-8 panels, each showing the register stack after one step of the first loop iteration: FLDZ, FLDZ, FLDZ; FLD X_ARRAY[SI]; FADD ST(3),ST; FLD ST; FMUL ST,ST; FADDP ST(2),ST; FIMUL N_OF_X; FADDP ST(2),ST]
Figure 2-8. Instructions and Register Stack

No special programming techniques are required to gain the advantages of concurrent execution; numeric instructions for the NPX are simply placed in line with the instructions for the CPU. CPU and numeric instructions are initiated in the same order as they are encountered by the CPU in its instruction stream. However, because numeric operations performed by the NPX generally require more time than operations performed by the CPU, the CPU can often execute several of its instructions before the NPX completes a numeric instruction previously initiated.

This concurrency offers obvious advantages in terms of execution performance, but concurrency also imposes several rules that must be observed in order to assure proper synchronization of the 80286 CPU and 80287 NPX.

All Intel high-level languages automatically provide for and manage concurrency in the NPX. Assembly-language programmers, however, must understand and manage some areas of concurrency in exchange for the flexibility and performance of programming in assembly language. This section is for the assembly-language programmer or well-informed high-level-language programmer.

Managing Concurrency

Concurrent execution of the host and 80287 is easy to establish and maintain. The activities of numeric programs can be split into two major areas: program control and arithmetic. The program control part performs activities such as deciding what functions to perform, calculating addresses of numeric operands, and loop control. The arithmetic part simply adds, subtracts, multiplies, and performs other operations on the numeric operands. The NPX and host are designed to handle these two parts separately and efficiently.
Managing concurrency is necessary because both the arithmetic and control areas must converge to a well-defined state before starting another numeric operation. A well-defined state means all previous arithmetic and control operations are complete and valid.

Normally, the host waits for the 80287 to finish the current numeric operation before starting another. This waiting is called synchronization.

Managing concurrent execution of the 80287 involves three types of synchronization:

1. Instruction synchronization
2. Data synchronization
3. Error synchronization

For programmers in higher-level languages, all three types of synchronization are automatically provided by the appropriate compiler. For assembly-language programmers, instruction synchronization is guaranteed by the NPX interface, but data and error synchronization are the responsibility of the assembly-language programmer.

Instruction Synchronization

Instruction synchronization is required because the 80287 can perform only one numeric operation at a time. Before any numeric operation is started, the 80287 must have completed all activity from its previous instruction.

Instruction synchronization is guaranteed for most ESC instructions because the 80286 automatically checks the BUSY status line from the 80287 before commencing execution of most ESC instructions. No explicit WAIT instructions are necessary to ensure proper instruction synchronization.

Data Synchronization

Data synchronization addresses the issue of both the CPU and the NPX referencing the same memory values within a given block of code. Synchronization ensures that these two processors access the memory operands in the proper sequence, just as they would be accessed by a single processor with no concurrency.
Data synchronization is not a concern when the CPU and NPX are using different memory operands during the course of one numeric instruction. The two cases where data synchronization might be a concern are

1. The 80286 CPU reads or alters a memory operand first, then invokes the 80287 to load or alter the same operand.
2. The 80287 is invoked to load or alter a memory operand, after which the 80286 CPU reads or alters the same location.

Due to the instruction synchronization of the NPX interface, data synchronization is automatically provided for the first case: the 80286 will always complete its operation before invoking the 80287.

For the second case, data synchronization is not always automatic. In general, there is no guarantee that the 80287 will have finished its processing and accessed the memory operand before the 80286 accesses the same location.

Figure 2-9 shows examples of the two possible cases of the CPU and NPX sharing a memory value. In the examples of the first case, the CPU will finish with the operand before the 80287 can reference it. The NPX interface guarantees this. In the examples of the second case, the CPU must wait for the 80287 to finish with the memory operand before proceeding to reuse it. The FWAIT instructions shown in these examples are required in order to ensure this data synchronization.

There are several NPX control instructions where automatic data synchronization is provided, however: the FSTSW/FNSTSW, FSTCW/FNSTCW, FLDCW, FRSTOR, and FLDENV instructions are all guaranteed to finish their execution before the CPU can read or alter the referenced memory locations.

The 80287 provides data synchronization for these instructions by making a request on the Processor Extension Data Channel before the CPU executes its next instruction. Since the NPX data transfers occur before the CPU regains control of the local bus, the CPU cannot change a memory value before the NPX has had a chance to reference it.
In the case of the FSTSW AX instruction, the 80286 AX register is explicitly updated before the CPU continues execution of the next instruction.

For the numeric instructions not listed above, the assembly-language programmer must remain aware of synchronization and recognize cases requiring explicit data synchronization. Data synchronization can be provided either by programming an explicit FWAIT instruction, or by initiating a subsequent numeric instruction before accessing the operands or results of a previous instruction. After the subsequent numeric instruction has started execution, all memory references in earlier numeric instructions are complete. Reaching the next host instruction after the synchronizing numeric instruction indicates that previous numeric operands in memory are available.

    Case 1:                 Case 2:

    MOV    I, 1             FILD   I
    FILD   I                FWAIT
                            MOV    I, 5

    MOV    AX, I            FISTP  I
    FISTP  I                FWAIT
                            MOV    AX, I

Figure 2-9. Synchronizing References to Shared Data

The data-synchronization function of any FWAIT or numeric instruction must be well-documented, as shown in figure 2-10. Otherwise, a change to the program at a later time may remove the synchronizing numeric instruction and cause program failure.

High-level languages automatically establish data synchronization and manage it, but there may be applications where a high-level language may not be appropriate.

For assembly-language programmers, automatic data synchronization can be obtained using the assembler, although concurrency of execution is lost as a result. To perform automatic data synchronization, the assembler can be changed to always place a WAIT instruction after the ESCAPE instruction. Figure 2-11 shows an example of how to change the ASM286 Code Macro for the FIST instruction to automatically place a WAIT instruction after the ESCAPE instruction. This Code Macro is included in the ASM286 source module.
The price paid for this automatic data synchronization is the lack of any possible concurrency between the CPU and NPX.

    FISTP   I
    FMUL                ; I is updated before FMUL is executed
    MOV     AX, I       ; I is now safe to use

Figure 2-10. Documenting Data Synchronization

    ; This is an ASM286 code macro to redefine the FIST
    ; instruction to prevent any concurrency while the
    ; instruction runs. A wait instruction is placed
    ; immediately after the escape to ensure the store
    ; is done before the program may continue.

    CodeMacro FIST memop: Mw
      RfixM   111B, memop
      ModRM   010B, memop
      RWfix
    EndM

Figure 2-11. Nonconcurrent FIST Instruction Code Macro

Error Synchronization

Almost any numeric instruction can, under the wrong circumstances, produce a numeric error. Concurrent execution of the CPU and NPX requires synchronization for these errors just as it does for data references and numeric instructions. In fact, the synchronization required for data and instructions automatically provides error synchronization.

However, incorrect data or instruction synchronization may not be discovered until a numeric error occurs. A further complication is that a programmer may not expect his numeric program to cause numeric errors, but in some systems, they may regularly happen. To better understand these points, let's look at what can happen when the NPX detects an error.

The NPX can perform one of two things when a numeric exception occurs:

• The NPX can provide a default fix-up for selected numeric errors. Programs can mask individual error types to indicate that the NPX should generate a safe, reasonable result whenever that error occurs. The default error fix-up activity is treated by the NPX as part of the instruction causing the error; no external indication of the error is given. When errors are detected, a flag is set in the numeric status register, but no information regarding where or when is available. If the NPX performs its default action for all errors, then error synchronization is never exercised. This is no reason to ignore error synchronization, however.

• As an alternative to the NPX default fix-up of numeric errors, the 80286 CPU can be notified whenever an exception occurs. The CPU can then implement any sort of recovery procedures desired, for any numeric error detectable by the NPX. When a numeric error is unmasked and the error occurs, the NPX stops further execution of the numeric instruction and signals this event to the CPU. On the next occurrence of an ESC or WAIT instruction, the CPU traps to a software exception handler. Some ESC instructions do not check for errors. These are the nonwaited forms FNINIT, FNSTENV, FNSAVE, FNSTSW, FNSTCW, and FNCLEX.

When the NPX signals an unmasked exception condition, it is requesting help. The fact that the error was unmasked indicates that further numeric program execution under the arithmetic and programming rules of the NPX is unreasonable.

If concurrent execution is allowed, the state of the CPU when it recognizes the exception is undefined. The CPU may have changed many of its internal registers and be executing a totally different program by the time the exception occurs. To handle this situation, the NPX has special registers updated at the start of each numeric instruction to describe the state of the numeric program when the failed instruction was attempted.

Error synchronization ensures that the NPX is in a well-defined state after an unmasked numeric error occurs. Without a well-defined state, it would be impossible for exception recovery routines to figure out why the numeric error occurred, or to recover successfully from the error.

INCORRECT ERROR SYNCHRONIZATION

An example of how some instructions written without error synchronization will work initially, but fail when moved into a new environment is shown in figure 2-12.
In figure 2-12, three instructions are shown to load an integer, calculate its square root, then increment the integer. The NPX interface and synchronous execution of the NPX emulator will allow this program to execute correctly when no errors occur on the FILD instruction.

This situation changes if the 80287 numeric register stack is extended to memory. To extend the NPX stack to memory, the invalid error is unmasked. A push to a full register or pop from an empty register will cause an invalid error. The recovery routine for the error must recognize this situation, fix up the stack, then perform the original operation.

The recovery routine will not work correctly in the first example shown in the figure. The problem is that the value of COUNT is incremented before the NPX can signal the exception to the CPU. Because COUNT is incremented before the exception handler is invoked, the recovery routine will load an incorrect value of COUNT, causing the program to fail or behave unreliably.

PROPER ERROR SYNCHRONIZATION

Error synchronization relies on the WAIT instructions required by instruction and data synchronization and the BUSY and ERROR signals of the 80287. When an unmasked error occurs in the 80287, it asserts the ERROR signal, signalling to the CPU that a numeric error has occurred. The next time the CPU encounters an error-checking ESC or WAIT instruction, the CPU acknowledges the ERROR signal by trapping automatically to Interrupt #16, the Processor Extension Error vector. If the following ESC or WAIT instruction is properly placed, the CPU will not yet have disturbed any information vital to recovery from the error.
    INCORRECT ERROR SYNCHRONIZATION

    FILD    COUNT       ; NPX instruction
    INC     COUNT       ; CPU instruction alters operand
    FSQRT               ; subsequent NPX instruction -- error from
                        ; previous NPX instruction detected here

    PROPER ERROR SYNCHRONIZATION

    FILD    COUNT       ; NPX instruction
    FSQRT               ; subsequent NPX instruction -- error from
                        ; previous NPX instruction detected here
    INC     COUNT       ; CPU instruction alters operand

Figure 2-12. Error Synchronization Examples

CHAPTER 3
SYSTEM-LEVEL NUMERIC PROGRAMMING

System programming for 80287 systems requires a more detailed understanding of the 80287 NPX than does application programming. Such things as emulation, initialization, exception handling, and data and error synchronization are all the responsibility of the systems programmer. These topics are covered in detail in the sections that follow.

80287 ARCHITECTURE

On a software level, the 80287 NPX appears as an extension of the 80286 CPU. On the hardware level, however, the mechanisms by which the 80286 and 80287 interact are a bit more complex. This section describes how the 80287 NPX and 80286 CPU interact and points out features of this interaction that are of interest to systems programmers.

Processor Extension Data Channel

All transfers of operands between the 80287 and system memory are performed by the 80286's internal Processor Extension Data Channel. This independent, DMA-like data channel permits all operand transfers of the 80287 to come under the supervision of the 80286 memory-management and protection mechanisms. The operation of this data channel is completely transparent to software.

Because the 80286 actually performs all transfers between the 80287 and memory, no additional bus drivers, controllers, or other components are necessary to interface the 80287 NPX to the local bus. Any memory accessible to the 80286 CPU is accessible by the 80287.
The Processor Extension Data Channel is described in more detail in Chapter Six of the 80286 Hardware Reference Manual.

Real-Address Mode and Protected Virtual-Address Mode

Like the 80286 CPU, the 80287 NPX can operate in both Real-Address mode and in Protected mode. Following a hardware RESET, the 80287 is initially activated in Real-Address mode. A single, privileged instruction (FSETPM) is necessary to set the 80287 into Protected mode.

As an extension to the 80286 CPU, the 80287 can access any memory location accessible by the task currently executing on the 80286. When operating in Protected mode, all memory references by the 80287 are automatically verified by the 80286's memory management and protection mechanisms as for any other memory references by the currently-executing task. Protection violations associated with NPX instructions automatically cause the 80286 to trap to an appropriate exception handler.

To the programmer, these two 80287 operating modes differ only in the manner in which the NPX instruction and data pointers are represented in memory following an FSAVE or FSTENV instruction. When the 80287 operates in Protected mode, its NPX instruction and data pointers are each represented in memory as a 16-bit segment selector and a 16-bit offset. When the 80287 operates in Real-Address mode, these same instruction and data pointers are represented simply as the 20-bit physical addresses of the operands in question (see figure 1-7 in Chapter One).

Dedicated and Reserved I/O Locations

The 80287 NPX does not require that any memory addresses be set aside for special purposes. The 80287 does make use of I/O port addresses in the range 00F8H through 00FFH, although these I/O operations are completely transparent to the 80286 software. 80286 programs must not reference these reserved I/O addresses directly.
To prevent any accidental misuse or other tampering with numeric instructions in the 80287, the 80286's I/O Privilege Level (IOPL) should be used in multiuser reprogrammable environments to restrict application program access to the I/O address space and so guarantee the integrity of 80287 computations. Chapter Eight of the 80286 Operating System Writer's Guide contains more details regarding the use of the I/O Privilege Level.

PROCESSOR INITIALIZATION AND CONTROL

One of the principal responsibilities of systems software is the initialization, monitoring, and control of the hardware and software resources of the system, including the 80287 NPX. In this section, issues related to system initialization and control are described, including recognition of the NPX, emulation of the 80287 NPX in software if the hardware is not available, and the handling of exceptions that may occur during the execution of the 80287.

System Initialization

During initialization of an 80286 system, systems software must

• Recognize the presence or absence of the NPX
• Set flags in the 80286 MSW to reflect the state of the numeric environment

If an 80287 NPX is present in the system, the NPX must be

• Initialized
• Switched into Protected mode (if desired)

All of these activities can be quickly and easily performed as part of the overall system initialization.

Recognizing the 80287 NPX

Figure 3-1 shows an example of a recognition routine that determines whether an NPX is present, and distinguishes between the 80387 and the 8087/80287. This routine can be executed on any 80386, 80286, or 8086 hardware configuration that has an NPX socket.

The example guards against the possibility of accidentally reading an expected value from a floating data bus when no NPX is present. Data read from a floating bus is undefined. By expecting to read a specific bit pattern from the NPX, the routine protects itself from the indeterminate state of the bus.
The example also avoids depending on any values in reserved bits, thereby maintaining compatibility with future numerics coprocessors.

    $title('Test for presence of a Numerics Chip, Revision 1.0')

            name    Test_NPX

    stack   segment stack 'stack'
            dw      100 dup (?)
    sst     dw      ?
    stack   ends

    data    segment public 'data'
    temp    dw      0h
    data    ends

    dgroup  group   data, stack
    cgroup  group   code

    code    segment public 'code'
            assume  cs:cgroup, ds:dgroup

    start:
    ;
    ;       Look for an 8087, 80287, or 80387 NPX.
    ;       Note that we cannot execute WAIT on 8086/88 if no 8087 is present.
    ;
    test_npx:
            fninit                          ; Must use non-wait form
            mov     si,offset dgroup:temp
            mov     word ptr [si],5A5AH     ; Initialize temp to non-zero value
            fnstsw  [si]                    ; Must use non-wait form of fstsw
                                            ; It is not necessary to use a WAIT instruction
                                            ; after fnstsw or fnstcw. Do not use one here.
            cmp     byte ptr [si],0         ; See if correct status with zeroes was read
            jne     no_npx                  ; Jump if not a valid status word, meaning no NPX
    ;
    ;       Now see if ones can be correctly written from the control word.
    ;
            fnstcw  [si]                    ; Look at the control word; do not use WAIT form
                                            ; Do not use a WAIT instruction here!
            mov     ax,[si]                 ; See if ones can be written by NPX
            and     ax,103fh                ; See if selected parts of control word look OK
            cmp     ax,3fh                  ; Check that ones and zeroes were correctly read
            jne     no_npx                  ; Jump if no NPX is installed
    ;
    ;       Some numerics chip is installed. NPX instructions and WAIT are now safe.
    ;       See if the NPX is an 8087, 80287, or 80387.
    ;       This code is necessary if a denormal exception handler is used or the
    ;       new 80387 instructions will be used.
    ;
            fld1                            ; Must use default control word from FNINIT
            fldz                            ; Form infinity
            fdiv                            ; 8087/287 says +inf = -inf
            fld     st                      ; Form negative infinity
            fchs                            ; 80387 says +inf <> -inf
            fcompp                          ; See if they are the same and remove them
            fstsw   [si]                    ; Look at status from FCOMPP
            mov     ax,[si]
            sahf                            ; See if the infinities matched
            je      found_87_287            ; Jump if 8087/287 is present
    ;
    ;       An 80387 is present. If denormal exceptions are used for an 8087/287,
    ;       they must be masked. The 80387 will automatically normalize denormal
    ;       operands faster than an exception handler can.
    ;
            jmp     found_387
    no_npx:
    ;       set up for no NPX
            jmp     exit
    found_87_287:
    ;       set up for 87/287
            jmp     exit
    found_387:
    ;       set up for 387
    exit:
    code    ends
            end     start,ds:dgroup,ss:dgroup:sst

Figure 3-1. Software Routine to Recognize the 80287

Configuring the Numerics Environment

Once the 80286 CPU has determined the presence or absence of the 80287 NPX, the 80286 must set either the MP or the EM bit in its own machine status word accordingly.
The initialization routine can either

• Set the MP bit in the 80286 MSW to allow numeric instructions to be executed directly by the 80287 NPX component
• Set the EM bit in the 80286 MSW to permit software emulation of the 80287 numeric instructions

The Math Present (MP) flag of the 80286 machine status word indicates to the CPU whether an 80287 NPX is physically available in the system. The MP flag controls the function of the WAIT instruction. When executing a WAIT instruction, the 80286 tests only the Task Switched (TS) bit if MP is set; if it finds TS set under these conditions, the CPU traps to exception #7.

The Emulation Mode (EM) bit of the 80286 machine status word indicates to the CPU whether NPX functions are to be emulated. If the CPU finds EM set when it executes an ESC instruction, program control is automatically trapped to exception #7, giving the exception handler the opportunity to emulate the functions of an 80287. The 80286 EM flag can be changed only by using the LMSW (load machine status word) instruction (legal only at privilege level 0) and examined with the aid of the SMSW (store machine status word) instruction (legal at any privilege level).

The EM bit also controls the function of the WAIT instruction. If the CPU finds EM set while executing a WAIT, the CPU does not check the ERROR pin for an error indication.

For correct 80286 operation, the EM bit must never be set concurrently with MP. The EM and MP bits of the 80286 are described in more detail in the 80286 Operating System Writer's Guide. More information on software emulation for the 80287 NPX is described in the "80287 Emulation" section later in this chapter. In any case, if ESC instructions are to be executed, either the MP or EM bit must be set, but not both.

Initializing the 80287

Initializing the 80287 NPX simply means placing the NPX in a known state unaffected by any activity performed earlier.
The example software routine to recognize the 80287 (figure 3-1) performed this initialization using a single FNINIT instruction. This instruction causes the NPX to be initialized in the same way as that caused by the hardware RESET signal to the 80287. All the error masks are set, all registers are tagged empty, the ST is set to zero, and default rounding, precision, and infinity controls are set. Table 3-1 shows the state of the 80287 NPX following initialization.

Following a hardware RESET signal, such as after initial power-up, the 80287 is initialized in Real-Address mode. Once the 80287 has been switched to Protected mode (using the FSETPM instruction), only another hardware RESET can switch the 80287 back to Real-Address mode. The FNINIT instruction does not switch the operating state of the 80287.

80287 Emulation

If it is determined that no 80287 NPX is available in the system, systems software may decide to emulate ESC instructions in software. This emulation is easily supported by the 80286 hardware, because the 80286 can be configured to trap to a software emulation routine whenever it encounters an ESC instruction in its instruction stream.

Table 3-1. NPX Processor State Following Initialization

    Field                       Value     Interpretation

    Control Word
      Infinity Control          0         Projective
      Rounding Control          00        Round to nearest
      Precision Control         11        64 bits
      Interrupt-Enable Mask     1         Interrupts disabled
      Exception Masks           111111    All exceptions masked

    Status Word
      Busy                      0         Not busy
      Condition Code            ????      (Indeterminate)
      Stack Top                 000       Empty stack
      Interrupt Request         0         No interrupt
      Exception Flags           000000    No exceptions

    Tag Word
      Tags                      11        Empty

    Registers                   N.C.      Not changed

    Exception Pointers
      Instruction Code          N.C.      Not changed
      Instruction Address       N.C.      Not changed
      Operand Address           N.C.      Not changed
As described previously, whenever the 80286 CPU encounters an ESC instruction, and its MP and EM status bits are set appropriately (MP=0, EM=1), the 80286 will automatically trap to interrupt #7, the Processor Extension Not Available exception. The return link stored on the stack points to the first byte of the ESC instruction, including the prefix byte(s), if any. The exception handler can use this return link to examine the ESC instruction and proceed to emulate the numeric instruction in software.

The emulator must step the return pointer so that, upon return from the exception handler, execution can resume at the first instruction following the ESC instruction.

To an application program, execution on an 80286 system with 80287 emulation is almost indistinguishable from execution on an 80287 system, except for the difference in execution speeds.

There are several important considerations when using emulation on an 80286 system:

• When operating in Protected-Address mode, numeric applications using the emulator must be executed in execute-readable code segments. Numeric software cannot be emulated if it is executed in execute-only code segments. This is because the emulator must be able to examine the particular numeric instruction that caused the Emulation trap.

• Only privileged tasks can place the 80286 in emulation mode. The instructions necessary to place the 80286 in Emulation mode are privileged instructions, and are not typically accessible to an application.

An emulator package (E80287) that runs on 80286 systems is available from Intel in the 8086 Software Toolbox, Order Number 122203. This emulation package operates in both Real and Protected mode, providing a complete functional equivalent for the 80287 emulated in software.
When using the E80287 emulator, writers of numeric exception handlers should be aware of one slight difference between the emulated 80287 and the 80287 hardware:

• On the 80287 hardware, exception handlers are invoked by the 80286 at the first WAIT or ESC instruction following the instruction causing the exception. The return link, stored on the 80286 stack, points to this second WAIT or ESC instruction where execution will resume following a return from the exception handler.

• Using the E80287 emulator, numeric exception handlers are invoked from within the emulator itself. The return link stored on the stack when the exception handler is invoked will therefore point back to the E80287 emulator, rather than to the program code actually being executed (emulated). An IRET return from the exception handler returns to the emulator, which then returns immediately to the emulated program. This added layer of indirection should not cause confusion, however, because the instruction causing the exception can always be identified from the 80287's instruction and data pointers.

Handling Numeric Processing Exceptions

Once the 80287 has been initialized and normal execution of applications has been commenced, the 80287 NPX may occasionally require attention in order to recover from numeric processing errors. This section provides details for writing software exception handlers for numeric exceptions. Numeric processing exceptions have already been introduced in previous sections of this manual.

As discussed previously, the 80287 NPX can take one of two actions when it recognizes a numeric exception:

• If the exception is masked, the NPX will automatically perform its own masked exception response, correcting the exception condition according to fixed rules, and then continuing with its instruction execution.

• If the exception is unmasked, the NPX signals the exception to the 80286 CPU using the ERROR status line between the two processors.
Each time the 80286 encounters an ESC or WAIT instruction in its instruction stream, the CPU checks the condition of this ERROR status line. If ERROR is active, the CPU automatically traps to Interrupt vector #16, the Processor Extension Error trap.

Interrupt vector #16 typically points to a software exception handler, which may or may not be a part of systems software. This exception handler takes the form of an 80286 interrupt procedure.

When handling numeric errors, the CPU has two responsibilities:

• The CPU must not disturb the numeric context when an error is detected.
• The CPU must clear the error and attempt recovery from the error.

Although the manner in which programmers may treat these responsibilities varies from one implementation to the next, most exception handlers will include these basic steps:

• Store the NPX environment (control, status, and tag words, operand and instruction pointers) as it existed at the time of the exception.
• Clear the exception bits in the status word.
• Enable interrupts on the CPU.
• Identify the exception by examining the status and control words in the saved environment.
• Take some system-dependent action to rectify the exception.
• Return to the interrupted program and resume normal execution.

It should be noted that the NPX exception pointers contained in the stored NPX environment will take different forms, depending on whether the NPX is operating in Real-Address mode or in Protected mode. The earlier discussion of Real versus Protected mode details how this information is presented in each of the two operating modes.

Simultaneous Exception Response

In cases where multiple exceptions arise simultaneously, the 80287 signals one exception according to the precedence sequence shown in table 3-2. This means, for example, that zero divided by zero will result in an invalid operation, and not a zero divide exception.

Exception Recovery Examples

Recovery routines for NPX exceptions can take a variety of forms.
They can change the arithmetic and programming rules of the NPX. These changes may redefine the default fix-up for an error, change the appearance of the NPX to the programmer, or change how arithmetic is defined on the NPX.

A change to an error response might be to automatically normalize all denormals loaded from memory. A change in appearance might be extending the register stack into memory to provide an "infinite" number of numeric registers. The arithmetic of the NPX can be changed to automatically extend the precision and range of variables when exceeded. All these functions can be implemented on the NPX via numeric errors and associated recovery routines in a manner transparent to the application programmer.

Table 3-2. Precedence of NPX Exceptions

    Signaled First:   Denormalized operand (if unmasked)
                      Invalid operation
                      Zero divide
                      Denormalized (if masked)
                      Over/Underflow
    Signaled Last:    Precision

Some other possible system-dependent actions, mentioned previously, may include:

• Incrementing an exception counter for later display or printing
• Printing or displaying diagnostic information (e.g., the 80287 environment and registers)
• Aborting further execution
• Storing a diagnostic value (a NaN) in the result and continuing with the computation

Notice that an exception may or may not constitute an error, depending on the implementation. Once the exception handler corrects the error condition causing the exception, the floating-point instruction that caused the exception can be restarted, if appropriate. This cannot be accomplished using the IRET instruction, however, because the trap occurs at the ESC or WAIT instruction following the offending ESC instruction. The exception handler must obtain from the NPX the address of the offending instruction in the task that initiated it, make a copy of it, execute the copy in the context of the offending task, and then return via IRET to the current CPU instruction stream.
In order to correct the condition causing the numeric exception, exception handlers must recognize the precise state of the NPX at the time the exception handler was invoked, and be able to reconstruct the state of the NPX when the exception initially occurred. To reconstruct the state of the NPX, programmers must understand when, during the execution of an NPX instruction, exceptions are actually recognized.

Invalid operation, zero divide, and denormalized exceptions are detected before an operation begins, whereas overflow, underflow, and precision exceptions are not raised until a true result has been computed. When a before exception is detected, the NPX register stack and memory have not yet been updated, and appear as if the offending instruction has not been executed. When an after exception is detected, the register stack and memory appear as if the instruction has run to completion; i.e., they may be updated. (However, in a store or store-and-pop operation, unmasked overflow/underflow is handled like a before exception; memory is not updated and the stack is not popped.) The programming examples contained in Chapter Four include an outline of several exception handlers to process numeric exceptions for the 80287.

CHAPTER 4
NUMERIC PROGRAMMING EXAMPLES

The following sections contain examples of numeric programs for the 80287 NPX written in ASM286. These examples are intended to illustrate some of the techniques for programming the 80287 computing system for numeric applications.

CONDITIONAL BRANCHING EXAMPLES

As discussed in Chapter Two, several numeric instructions post their results to the condition code bits of the 80287 status word. Although there are many ways to implement conditional branching following a comparison, the basic approach is as follows:

• Execute the comparison.
• Store the status word. (80287 allows storing status directly into AX register.)
• Inspect the condition code bits.
• Jump on the result.

Figure 4-1 is a code fragment that illustrates how two memory-resident long real numbers might be compared (similar code could be used with the FTST instruction). The numbers are called A and B, and the comparison is A to B.

The comparison itself requires loading A onto the top of the 80287 register stack and then comparing it to B, while popping the stack with the same instruction. The status word is then written into the 80286 AX register.

A and B have four possible orderings, and bits C3, C2, and C0 of the condition code indicate which ordering holds. These bits are positioned in the upper byte of the NPX status word so as to correspond to the CPU's zero, parity, and carry flags (ZF, PF, and CF), when the byte is written into the flags. The code fragment sets ZF, PF, and CF of the CPU status word to the values of C3, C2, and C0 of the NPX status word, and then uses the CPU conditional jump instructions to test the flags. The resulting code is extremely compact, requiring only seven instructions.

The FXAM instruction updates all four condition code bits. Figure 4-2 shows how a jump table can be used to determine the characteristics of the value examined. The jump table (FXAM_TBL) is initialized to contain the 16-bit displacement of 16 labels, one for each possible condition code setting. Note that four of the table entries contain the same value, because four condition code settings correspond to "empty."

The program fragment performs the FXAM and stores the status word. It then manipulates the condition code bits to finally produce a number in register BX that equals the condition code times 2. This involves zeroing the unused bits in the byte that contains the code, shifting C3 to the right so that it is adjacent to C2, and then shifting the code to multiply it by 2.
The resulting value is used as an index that selects one of the displacements from FXAM_TBL (the multiplication of the condition code is required because of the 2-byte length of each value in FXAM_TBL). The unconditional JMP instruction effectively vectors through the jump table to the labelled routine that contains code (not shown in the example) to process each possible result of the FXAM instruction.

    A       DQ      ?
    B       DQ      ?

            FLD     A       ; LOAD A ONTO TOP OF 287 STACK
            FCOMP   B       ; COMPARE A:B, POP A
            FSTSW   AX      ; STORE RESULT TO CPU AX REGISTER
    ;
    ; CPU AX REGISTER CONTAINS CONDITION CODES (RESULTS OF
    ; COMPARE)
    ; LOAD CONDITION CODES INTO CPU FLAGS
    ;
            SAHF
    ;
    ; USE CONDITIONAL JUMPS TO DETERMINE ORDERING OF A TO B
    ;
            JP      A_B_UNORDERED   ; TEST C2 (PF)
            JB      A_LESS          ; TEST C0 (CF)
            JE      A_EQUAL         ; TEST C3 (ZF)
    A_GREATER:                      ; C0 (CF) = 0, C3 (ZF) = 0
    A_EQUAL:                        ; C0 (CF) = 0, C3 (ZF) = 1
    A_LESS:                         ; C0 (CF) = 1, C3 (ZF) = 0
    A_B_UNORDERED:                  ; C2 (PF) = 1

Figure 4-1. Conditional Branching for Compares

    ; JUMP TABLE FOR EXAMINE ROUTINE
    ;
    FXAM_TBL DW     POS_UNNORM, POS_NAN, NEG_UNNORM, NEG_NAN
             DW     POS_NORM, POS_INFINITY, NEG_NORM, NEG_INFINITY
             DW     POS_ZERO, EMPTY, NEG_ZERO, EMPTY
             DW     POS_DENORM, EMPTY, NEG_DENORM, EMPTY
    ;
    ; EXAMINE ST AND STORE RESULT (CONDITION CODES)
    ;
            FXAM
            FSTSW   AX
    ;
    ; CALCULATE OFFSET INTO JUMP TABLE
    ;
            MOV     BH,0            ; CLEAR UPPER HALF OF BX,
            MOV     BL,AH           ; LOAD CONDITION CODE INTO BL
            AND     BL,00000111B    ; CLEAR ALL BITS EXCEPT C2-C0
            AND     AH,01000000B    ; CLEAR ALL BITS EXCEPT C3
            SHR     AH,2            ; SHIFT C3 TWO PLACES RIGHT
            SAL     BX,1            ; SHIFT C2-C0 1 PLACE LEFT (MULTIPLY BY 2)
            OR      BL,AH           ; DROP C3 BACK IN ADJACENT TO C2 (000XXXX0)
    ;
    ; JUMP TO THE ROUTINE 'ADDRESSED' BY CONDITION CODE
    ;
            JMP     FXAM_TBL[BX]
    ;
    ; HERE ARE THE JUMP TARGETS, ONE TO HANDLE
    ; EACH POSSIBLE RESULT OF FXAM
    ;
    POS_UNNORM:
    POS_NAN:
    NEG_UNNORM:
    NEG_NAN:
    POS_NORM:
    POS_INFINITY:
    NEG_NORM:
    NEG_INFINITY:
    POS_ZERO:
    EMPTY:
    NEG_ZERO:
    POS_DENORM:
    NEG_DENORM:

Figure 4-2. Conditional Branching for FXAM
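The condition-code handling of figures 4-1 and 4-2, modelled in C as an added example (not code from the manual) so the bit arithmetic can be checked against arbitrary status words. The function names are hypothetical; the model assumes the 80287 status-word layout with C0, C1, C2 in bits 8-10 and C3 in bit 14, and reuses the figure's table order and label names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FXAM_TBL of figure 4-2, in table order (index = condition code C3 C2 C1 C0). */
static const char *const FXAM_TBL[16] = {
    "POS_UNNORM", "POS_NAN",      "NEG_UNNORM", "NEG_NAN",
    "POS_NORM",   "POS_INFINITY", "NEG_NORM",   "NEG_INFINITY",
    "POS_ZERO",   "EMPTY",        "NEG_ZERO",   "EMPTY",
    "POS_DENORM", "EMPTY",        "NEG_DENORM", "EMPTY"
};

/* Step-by-step mirror of the figure 4-2 sequence. The argument is the
 * status word as FSTSW AX leaves it; the result is the final BX value,
 * i.e. the byte offset into FXAM_TBL (condition code times 2). */
unsigned fxam_table_offset(uint16_t status_word)
{
    uint8_t ah = (uint8_t)(status_word >> 8); /* AH = upper byte of AX      */
    uint8_t bl = ah;                          /* MOV BH,0 / MOV BL,AH       */
    unsigned bx;

    bl &= 0x07;                 /* AND BL,00000111B : keep C2-C0            */
    ah &= 0x40;                 /* AND AH,01000000B : keep C3               */
    ah >>= 2;                   /* SHR AH,2         : C3 now in bit 4       */
    bx = (unsigned)bl << 1;     /* SAL BX,1         : C2-C0 in bits 3-1     */
    bx |= ah;                   /* OR  BL,AH        : 000XXXX0              */
    return bx;
}

/* Name of the jump target that JMP FXAM_TBL[BX] would select. */
const char *fxam_class(uint16_t status_word)
{
    return FXAM_TBL[fxam_table_offset(status_word) / 2];
}

/* Mirror of figure 4-1 after FCOMP / FSTSW AX / SAHF: SAHF copies AH
 * bit 6 to ZF, bit 2 to PF and bit 0 to CF, so ZF=C3, PF=C2, CF=C0.
 * The tests run in the same order as JP, JB, JE. */
const char *compare_ordering(uint16_t status_word)
{
    uint8_t ah = (uint8_t)(status_word >> 8);
    int zf = (ah >> 6) & 1;
    int pf = (ah >> 2) & 1;
    int cf = ah & 1;

    if (pf) return "A_B_UNORDERED";   /* JP: C2 set, operands unordered */
    if (cf) return "A_LESS";          /* JB: C0 set                     */
    if (zf) return "A_EQUAL";         /* JE: C3 set                     */
    return "A_GREATER";               /* fall through                   */
}

int main(void)
{
    /* Constructed status words: only the condition-code bits matter;
     * 0x3CFF also has stack-top and exception-flag bits set to show
     * that the masking discards them. */
    static const uint16_t samples[] = { 0x0400, 0x4200, 0x4700, 0x3CFF };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("SW=%04X  BX=%2u  -> %s\n", (unsigned)samples[i],
               fxam_table_offset(samples[i]), fxam_class(samples[i]));
    printf("SW=4500 after FCOMP -> %s\n", compare_ordering(0x4500));
    return 0;
}
```

Because the offset is masked down to five bits with bit 0 clear, it can never exceed 30, so the indirect jump stays inside the 16-entry table whatever the status word contains.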
Conditional Branching for FXAM (Cont'd.) EXCEPTION HANDLING EXAMPLES There are many approaches to writing exception handlers. One useful technique is to consider the exception handler procedure as consisting of "prologue," "body," and "epilogue" sections of code. (For compatibility with the 80287 emulators, this procedure should be invoked by interrupt pointer (vector) number 16.) 4-3 t,jUMERIC PROGRAMMING EXAMPLES At the beginning of the prologue, CPU interrupts have been disabled. The prologue performs all functions that must be protected from possible interruption by higher-priority sources. Typically, this will involve saving CPU registers and transferring diagnostic information from the 80287 to memory. When the critical processing has been completed, the prologue may enable CPU interrupts to allow higher-priority interrupt handlers to preempt the exception handler. The exception handler body examines the diagnostic information and makes a response that is necessarily application-dependent. This response may range from halting execution, to displaying a message, to attempting to repair the problem and proceed with normal execution. The epilogue essentially reverses the actions of the prologue, restoring the CPU and the NPX so that normal execution can be resumed. The epilogue must not load an unmasked exception flag into the 80287 or another exception will be requested immediately. Figure 4-3 through 4-5 show the ASM286 coding of three skeleton exception handlers. They show how prologues and epilogues can be written for various situations, but provide comments indicating only where the application-dependent exception handling body should be placed. Figure 4-3 and 4-4 are very similar; their only substantial difference is their choice of instructions to save and restore the 80287. The tradeoff here is between the increased diagnostic information provided by FNSAVE and the faster execution of FNSTENV. 
For applications that are sensitive to interrupt latency or that do not need to examine register contents, FNSTENV reduces the duration of the "critical region," during which the CPU will not recognize another interrupt request (unless it is a nonmaskable interrupt).

After the exception handler body, the epilogues prepare the CPU and the NPX to resume execution from the point of interruption (i.e., the instruction following the one that generated the unmasked exception). Notice that the exception flags in the memory image that is loaded into the 80287 are cleared to zero prior to reloading (in fact, in these examples, the entire status word image is cleared).

The examples in figures 4-3 and 4-4 assume that the exception handler itself will not cause an unmasked exception. Where this is a possibility, the general approach shown in figure 4-5 can be employed. The basic technique is to save the full 80287 state and then to load a new control word in the prologue. Note that considerable care should be taken when designing an exception handler of this type to prevent the handler from being reentered endlessly.

    SAVE_ALL        PROC
    ;
    ; SAVE CPU REGISTERS, ALLOCATE STACK SPACE FOR 80287 STATE IMAGE
            PUSH    BP
            MOV     BP,SP
            SUB     SP,94
    ; SAVE FULL 80287 STATE, WAIT FOR COMPLETION, ENABLE CPU INTERRUPTS
            FNSAVE  [BP-94]
            FWAIT
            STI
    ;
    ; APPLICATION-DEPENDENT EXCEPTION HANDLING CODE GOES HERE
    ;
    ; CLEAR EXCEPTION FLAGS IN STATUS WORD
    ; RESTORE MODIFIED STATE IMAGE
            MOV     BYTE PTR [BP-92], 0H
            FRSTOR  [BP-94]
    ; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
            MOV     SP,BP
            POP     BP
    ;
    ; RETURN TO INTERRUPTED CALCULATION
            IRET
    SAVE_ALL        ENDP

Figure 4-3. Full-State Exception Handler

    SAVE_ENVIRONMENT PROC
    ;
    ; SAVE CPU REGISTERS, ALLOCATE STACK SPACE FOR 80287 ENVIRONMENT
            PUSH    BP
            MOV     BP,SP
            SUB     SP,14
    ; SAVE ENVIRONMENT, WAIT FOR COMPLETION, ENABLE CPU INTERRUPTS
            FNSTENV [BP-14]
            FWAIT
            STI
    ;
    ; APPLICATION EXCEPTION-HANDLING CODE GOES HERE
    ;
    ; CLEAR EXCEPTION FLAGS IN STATUS WORD
    ; RESTORE MODIFIED ENVIRONMENT IMAGE
            MOV     BYTE PTR [BP-12], 0H
            FLDENV  [BP-14]
    ; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
            MOV     SP,BP
            POP     BP
    ;
    ; RETURN TO INTERRUPTED CALCULATION
            IRET
    SAVE_ENVIRONMENT ENDP

Figure 4-4. Reduced-Latency Exception Handler

    LOCAL_CONTROL   DW      ?       ; ASSUME INITIALIZED

    REENTRANT       PROC
    ;
    ; SAVE CPU REGISTERS, ALLOCATE STACK SPACE FOR 80287 STATE IMAGE
            PUSH    BP
            MOV     BP,SP
            SUB     SP,94
    ; SAVE STATE, LOAD NEW CONTROL WORD, WAIT FOR COMPLETION,
    ; ENABLE CPU INTERRUPTS
            FNSAVE  [BP-94]
            FLDCW   LOCAL_CONTROL
            STI
    ;
    ; APPLICATION EXCEPTION HANDLING CODE GOES HERE. AN UNMASKED EXCEPTION
    ; GENERATED HERE WILL CAUSE THE EXCEPTION HANDLER TO BE REENTERED.
    ; IF LOCAL STORAGE IS NEEDED, IT MUST BE ALLOCATED ON THE CPU STACK.
    ;
    ; CLEAR EXCEPTION FLAGS IN STATUS WORD
    ; RESTORE MODIFIED STATE IMAGE
            MOV     BYTE PTR [BP-92], 0H
            FRSTOR  [BP-94]
    ; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
            MOV     SP,BP
            POP     BP
    ;
    ; RETURN TO POINT OF INTERRUPTION
            IRET
    REENTRANT       ENDP

Figure 4-5. Reentrant Exception Handler

FLOATING-POINT TO ASCII CONVERSION EXAMPLES

Numeric programs must typically format their results at some point for presentation and inspection by the program user. In many cases, numeric results are formatted as ASCII strings for printing or display. This example shows how floating-point values can be converted to decimal ASCII character strings. The function shown in figure 4-6 can be invoked from PL/M-286, Pascal-286, FORTRAN-286, or ASM286 routines.

Shortness, speed, and accuracy were chosen rather than providing the maximum number of significant digits possible. An attempt is made to keep integers in their own domain to avoid unnecessary conversion errors.
Using the extended precision real number format, this routine achieves a worst case accuracy of three units in the 16th decimal position for a noninteger value or integers greater than 10**18. This is double precision accuracy. With values having decimal exponents less than 100 in magnitude, the accuracy is one unit in the 17th decimal position.

Higher precision can be achieved with greater care in programming, larger program size, and lower performance.

(iAPX286 MACRO ASSEMBLER listings, 09/25/83, of modules FLOATING_TO_ASCII, GET_POWER_10, and TOS_STATUS. The instruction sequences of FLOATING_TO_ASCII and GET_POWER_10 are not legible in this copy; their comments, declarations, and tables are reproduced, followed by the complete TOS_STATUS module.)

    $title("80287 Floating-Point to 18-Digit ASCII Conversion")

            public  floating_to_ascii
            extrn   get_power_10:near, tos_status:near
    ;
    ;   This subroutine will convert the floating point number in the
    ;   top of the 80287 stack to ... 1. Unnormal values, denormal
    ;   values, and pseudo zeroes will be correctly converted. A returned
    ;   value will indicate how many binary bits of precision were lost
    ;   in an unnormal or denormal value. The magnitude (in terms of
    ;   binary power) of a pseudo zero will also be indicated. Integers
    ;   less than 10**18 in magnitude are accurately converted if the
    ;   destination ASCII string field is wide enough to hold all the
    ;   digits. Otherwise the value is converted to scientific notation.
    ;
    ;   The status of the conversion is identified by the return value,
    ;   it can be:
    ;
    ;       0   conversion complete, string_size is defined
    ;       1   invalid arguments
    ;       2   exact integer conversion, string_size is defined
    ;       3   indefinite
    ;       4   + NAN (Not A Number)
    ;       5   - NAN
    ;       6   + Infinity
    ;       7   - Infinity
    ;       8   pseudo zero found, string_size is defined
    ;
    ;   The PLM/286 calling convention is:
    ;
    ;   floating_to_ascii:
    ;       procedure (number, denormal_ptr, string_ptr, size_ptr,
    ;                  field_size, power_ptr) word external;
    ;       declare (denormal_ptr, string_ptr, power_ptr, size_ptr) pointer;
    ;       declare field_size word, string_size based size_ptr word;
    ;       declare number real;
    ;       declare denormal integer based denormal_ptr;
    ;       declare power integer based power_ptr;
    ;       end floating_to_ascii;
    ;
    ;   The floating point value is expected to be on the top of the NPX
    ;   stack. This subroutine expects 3 free entries on the NPX stack and
    ;   will pop the passed value when done. The generated ASCII string
    ;   will have a leading character either '-' or '+' indicating the
    ;   sign of the value. The ASCII decimal digits will immediately
    ;   follow. The numeric value of the ASCII string is
    ;   (ASCII STRING.)*10**POWER.
    ;
    ;   If the given number was zero, the ASCII string will contain a sign
    ;   and a single zero character. The value string_size indicates the
    ;   total length of the ASCII string including the sign character.
    ;   String(0) will always hold the sign. It is possible for
    ;   string_size to be less than field_size. This occurs for zeroes or
    ;   integer values. A pseudo zero will return a special return code.
    ;   The denormal count will indicate the power of two originally
    ;   associated with the value. The power of ten and ASCII string will
    ;   be as if the value was an ordinary zero.
    ;
    ;   This subroutine is accurate up to a maximum of 18 decimal digits
    ;   for integers. Integer values will have a decimal power of zero
    ;   associated with them. For non integers, the result will be
    ;   accurate to within 2 decimal digits of the 16th decimal place
    ;   (double precision). The exponentiate instruction is also used for
    ;   scaling the value into the range acceptable for the BCD data type.
    ;   The rounding mode in effect on entry to the subroutine is used for
    ;   the conversion.
    ;
    ;   Define the stack layout.
    ;
    bp_save         equ     word ptr [bp]
    es_save         equ     bp_save + size bp_save
    return_ptr      equ     es_save + size es_save
    power_ptr       equ     return_ptr + size return_ptr
    field_size      equ     power_ptr + size power_ptr
    size_ptr        equ     field_size + size field_size
    string_ptr      equ     size_ptr + size size_ptr
    denormal_ptr    equ     string_ptr + size string_ptr

    parms_size      equ     size power_ptr + size field_size + size size_ptr +
    &                       size string_ptr + size denormal_ptr
    ;
    ;   Define constants used
    ;
    BCD_DIGITS      equ     18      ; Number of digits in bcd_value
    WORD_SIZE       equ     2
    BCD_SIZE        equ     10
    MINUS           equ     1       ; Define return values
    NAN             equ     4       ; The exact values chosen here are
    INFINITY        equ     6       ; important. They must correspond to
    INDEFINITE      equ     3       ; the possible return values and be in
    PSEUDO_ZERO     equ     8       ; the same numeric order as tested by
    INVALID         equ     -2      ; the program.
    ZERO            equ     -4
    DENORMAL        equ     -6
    UNNORMAL        equ     -8
    NORMAL          equ     0
    EXACT           equ     2
    ;
    ;   Define layout of temporary storage area.
    ;
    status          equ     word ptr [bp-WORD_SIZE]
    power_two       equ     status - WORD_SIZE
    power_ten       equ     power_two - WORD_SIZE
    bcd_value       equ     tbyte ptr power_ten - BCD_SIZE
    bcd_byte        equ     byte ptr bcd_value
    fraction        equ     bcd_value

    local_size      equ     size status + size power_two + size power_ten
    &                       + size bcd_value

    code            segment er public
                    extrn   power_table:qword
    ;
    ;   Constants used by this function.
    ;
                    even                    ; Optimize for 16 bits
    const10         dw      10              ; Adjustment value for too big BCD
    ;
    ;   Convert the C3,C2,C1,C0 encoding from tos_status into meaningful
    ;   bit flags and values.
    ;
    status_table    db      UNNORMAL, NAN, UNNORMAL + MINUS, NAN + MINUS,
    &                       NORMAL, INFINITY, NORMAL + MINUS, INFINITY + MINUS,
    &                       ZERO, INVALID, ZERO + MINUS, INVALID,
    &                       DENORMAL, INVALID, DENORMAL + MINUS, INVALID

    $title(Calculate the value of 10**ax)
    ;
    ;   This subroutine will calculate the value of 10**ax.
    ;   For values of 0 <= ax < 19, the result will be exact.
    ;   All 80286 registers are transparent and the value is returned on
    ;   the TOS as two numbers, exponent in ST(1) and fraction in ST(0).
    ;   The exponent value can be larger than the largest exponent of an
    ;   extended real format number. Three stack entries are used.
    ;
                    public  get_power_10, power_table
    ;
    ;   Use exact values from 1.0 to 1e18.
    ;
                    even                    ; Optimize 16 bit access
    power_table     dq      1.0, 1e1, 1e2, 1e3
                    dq      1e4, 1e5, 1e6, 1e7
                    dq      1e8, 1e9, 1e10, 1e11
                    dq      1e12, 1e13, 1e14, 1e15
                    dq      1e16, 1e17, 1e18
    ;
    ;   Calculate the value using the exponentiate instruction.
    ;   The following relations are used:
    ;       10**x = 2**(log2(10)*x)
    ;       2**(I+F) = 2**I * 2**F
    ;       if st(1) = I and st(0) = 2**F then fscale produces 2**(I+F)
    ;

    $title("Determine TOS register contents")
    ;
    ;   This subroutine will return a value from 0-15 in AX corresponding
    ;   to the contents of 80287 TOS. All registers are transparent and no
    ;   errors are possible. The return value corresponds to c3,c2,c1,c0
    ;   of FXAM instruction.
    ;
                    public  tos_status

    stack           stackseg 6              ; Allocate space on the stack

    code            segment er public

    tos_status      proc
                    fxam                    ; Get register contents status
                    fstsw   ax              ; Get status
                    mov     al, ah          ; Put bit 10-8 into bits 2-0
                    and     ax, 4007h       ; Mask out bits c3,c2,c1,c0
                    shr     ah, 3           ; Put bit c3 into bit 11
                    or      al, ah          ; Put c3 into bit 3
                    mov     ah, 0           ; Clear return value
                    ret
    tos_status      endp

    code            ends
                    end

Figure 4-6. Floating-Point to ASCII Conversion Routine

Function Partitioning

Three separate modules implement the conversion. Most of the work of the conversion is done in the module FLOATING_TO_ASCII. The other modules are provided separately, because they have a more general use. One of them, GET_POWER_10, is also used by the ASCII to floating-point conversion routine. The other small module, TOS_STATUS, will identify what, if anything, is in the top of the numeric register stack.

Exception Considerations

Care is taken inside the function to avoid generating exceptions. Any possible numeric value will be accepted. The only exceptions possible would occur if insufficient space exists on the numeric register stack.

The value passed in the numeric stack is checked for existence, type (NaN or infinity), and status (unnormal, denormal, zero, sign). The string size is tested for a minimum and maximum value. If the top of the register stack is empty, or the string size is too small, the function will return with an error code.

Overflow and underflow are avoided inside the function for very large or very small numbers.

Special Instructions

The functions demonstrate the operation of several numeric instructions, different data types, and precision control. Shown are instructions for automatic conversion to BCD, calculating the value of 10 raised to an integer value, establishing and maintaining concurrency, data synchronization, and use of directed rounding on the NPX.
Without the extended precision data type and built-in exponential function, the double precision accuracy of this function could not be attained with the size and speed of the shown example.

The function relies on the numeric BCD data type for conversion from binary floating-point to decimal. It is not difficult to unpack the BCD digits into separate ASCII decimal digits. The major work involves scaling the floating-point value to the comparatively limited range of BCD values. To print a 9-digit result requires accurately scaling the given value to an integer between 10**8 and 10**9. For example, the number +0.123456789 requires a scaling factor of 10**9 to produce the value +123456789.0, which can be stored in 9 BCD digits. The scale factor must be an exact power of 10 to avoid changing any of the printed digit values.

These routines should exactly convert all values exactly representable in decimal in the field size given. Integer values that fit in the given string size will not be scaled, but directly stored into the BCD form. Noninteger values exactly representable in decimal within the string size limits will also be exactly converted. For example, 0.125 is exactly representable in binary or decimal. To convert this floating-point value to decimal, the scaling factor will be 1000, resulting in 125. When scaling a value, the function must keep track of where the decimal point lies in the final decimal value.

Description of Operation

Converting a floating-point number to decimal ASCII takes three major steps: identifying the magnitude of the number, scaling it for the BCD data type, and converting the BCD data type to a decimal ASCII string.

Identifying the magnitude of the result requires finding the value X such that the number is represented by I * 10**X, where 1.0 <= I < 10.0. Scaling the number requires multiplying it by a scaling factor 10**S, so that the result is an integer requiring no more decimal digits than provided for in the ASCII string.
Once scaled, the numeric rounding modes and BCD conversion put the number in a form easy to convert to decimal ASCII by host software.

Implementing each of these three steps requires attention to detail. To begin with, not all floating-point values have a numeric meaning. Values such as infinity, indefinite, or Not a Number (NaN) may be encountered by the conversion routine. The conversion routine should recognize these values and identify them uniquely.

Special cases of numeric values also exist. Denormals, unnormals, and pseudo zero all have a numeric value but should be recognized, because all of them indicate that precision was lost during some earlier calculations.

Once it has been determined that the number has a numeric value, and it is normalized setting appropriate unnormal flags, the value must be scaled to the BCD range.

Scaling the Value

To scale the number, its magnitude must be determined. It is sufficient to calculate the magnitude to an accuracy of 1 unit, or within a factor of 10 of the given value. After scaling the number, a check will be made to see if the result falls in the range expected. If not, the result can be adjusted one decimal order of magnitude up or down. The adjustment test after the scaling is necessary due to inevitable inaccuracies in the scaling value.

Because the magnitude estimate need only be close, a fast technique is used. The magnitude is estimated by multiplying the power of 2, the unbiased floating-point exponent, associated with the number by log10(2). Rounding the result to an integer will produce an estimate of sufficient accuracy. Ignoring the fraction value can introduce a maximum error of 0.32 in the result.

Using the magnitude of the value and size of the number string, the scaling factor can be calculated. Calculating the scaling factor is the most inaccurate operation of the conversion process. The relation 10**X = 2**(X * log2(10)) is used for this function.
The exponentiate instruction (F2XM1) will be used.

Due to restrictions on the range of values allowed by the F2XM1 instruction, the power of 2 value will be split into integer and fraction components. The relation 2**(I + F) = 2**I * 2**F allows using the FSCALE instruction to recombine the 2**F value, calculated through F2XM1, and the 2**I part.

INACCURACY IN SCALING

The inaccuracy of these operations arises because of the trailing zeros placed into the fraction value when stripping off the integer valued bits. For each integer valued bit in the power of 2 value separated from the fraction bits, one bit of precision is lost in the fraction field due to the zero fill occurring in the least significant bits.

Up to 14 bits may be lost in the fraction because the largest allowed floating point exponent value is 2**14 - 1.

AVOIDING UNDERFLOW AND OVERFLOW

The fraction and exponent fields of the number are separated to avoid underflow and overflow in calculating the scaling values. For example, to scale 10**-4932 to 10**8 requires a scaling factor of 10**4950, which cannot be represented by the NPX.

By separating the exponent and fraction, the scaling operation involves adding the exponents separate from multiplying the fractions. The exponent arithmetic will involve small integers, all easily represented by the NPX.

FINAL ADJUSTMENTS

It is possible that the power function (Get_Power_10) could produce a scaling value such that it forms a scaled result larger than the ASCII field could allow. For example, scaling 9.9999999999999999 × 10**4900 by 1.00000000000000010 × 10**-4883 would produce 1.00000000000000009 × 10**18. The scale factor is within the accuracy of the NPX and the result is within the conversion accuracy, but it cannot be represented in BCD format. This is why there is a post-scaling test on the magnitude of the result.
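The magnitude estimate, the split power-of-ten scaling, and the post-scaling test described above can be exercised with the following model. It is an added example, not the manual's routine: it works on Python's 64-bit floats instead of the 80287 extended format, so the digit limit of 15, the function names, and the status strings are assumptions of the example.

```python
import math

LOG10_2 = math.log10(2.0)   # decimal orders of magnitude per power of 2
LOG2_10 = math.log2(10.0)
MAX_DIGITS = 15             # assumption: safe digit count for a 53-bit double


def power_of_10(p):
    """Return (fraction, exponent) with 10**p ~= fraction * 2**exponent.

    Keeping the parts separate lets the caller add exponents instead of
    forming a power of ten that would overflow or underflow by itself.
    """
    if 0 <= p <= 18:                      # exact values, as in a table
        return math.frexp(float(10 ** p))
    x = p * LOG2_10                       # 10**p = 2**x
    i = math.floor(x)                     # integer part I
    return 2.0 ** (x - i), i              # 2**F with 0 <= F < 1, and I


def float_to_ascii(value, field_size):
    """Return (status, text, power); the value is int(text) * 10**power."""
    if field_size < 2:
        return ("INVALID", "", 0)
    if math.isnan(value):
        return ("NAN", "", 0)
    sign = "-" if math.copysign(1.0, value) < 0 else "+"
    if math.isinf(value):
        return (sign + "INFINITY", "", 0)
    digits = min(field_size - 1, MAX_DIGITS)   # one character is the sign
    mag = abs(value)

    # Integers that fit the field are stored directly, with power zero.
    if mag == math.floor(mag) and mag < 10 ** digits:
        return ("EXACT", sign + str(int(mag)), 0)

    # Step 1: estimate the decimal magnitude X from the binary exponent.
    frac, exp2 = math.frexp(mag)               # mag = frac * 2**exp2
    x = round((exp2 - 1) * LOG10_2)

    # Step 2: scale so that `digits` digits sit left of the decimal point.
    power = x - (digits - 1)
    sfrac, sexp = power_of_10(-power)
    scaled = math.ldexp(frac * sfrac, exp2 + sexp)

    # Step 3: the estimate may be one decade off; adjust, then round.
    if scaled >= 10.0 ** digits:
        scaled, power = scaled / 10.0, power + 1
    elif scaled < 10.0 ** (digits - 1):
        scaled, power = scaled * 10.0, power - 1
    n = round(scaled)                          # round half to even
    if n == 10 ** digits:                      # rounding added a digit
        n, power = n // 10, power + 1
    return ("COMPLETE", sign + str(n), power)


if __name__ == "__main__":
    # Constructed inputs: the two values used in the text, the smallest
    # denormal double, a large value, and one that needs both adjustments.
    for v, width in [(0.123456789, 10), (-0.125, 4), (5e-324, 10),
                     (1.5e300, 10), (99999999999.9, 4)]:
        print(v, float_to_ascii(v, width))
```

For 5e-324 the scale factor is about 10**331, which no double can hold; the conversion still succeeds because only the fraction 2**F is ever formed and the binary exponents are added as integers.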
The result can be multiplied or divided by 10, depending on whether the result was too small or too large, respectively.

Output Format

For maximum flexibility in output formats, the position of the decimal point is indicated by a binary integer called the power value. If the power value is zero, then the decimal point is assumed to be at the right of the rightmost digit. Power values greater than zero indicate how many trailing zeros are not shown. For each unit below zero, move the decimal point to the left in the string.

The last step of the conversion is storing the result in BCD and indicating where the decimal point lies. The BCD string is then unpacked into ASCII decimal characters. The ASCII sign is set corresponding to the sign of the original value.

TRIGONOMETRIC CALCULATION EXAMPLES

The 80287 instruction set does not provide a complete set of trigonometric functions that can be used directly in calculations. Rather, the basic building blocks for implementing trigonometric functions are provided by the FPTAN and FPREM instructions. The example in figure 4-7 shows how three trigonometric functions (sine, cosine, and tangent) can be implemented using the 80287. All three functions accept a valid angle argument between -2**62 and +2**62. These functions may be called from PL/M-286, Pascal-286, FORTRAN-286, or ASM286 routines.

These trigonometric functions use the partial tangent instruction together with trigonometric identities to calculate the result. They are accurate to within 16 units of the low 4 bits of an extended precision value. The functions are coded for speed and small size, with tradeoffs available for greater accuracy.

FPTAN and FPREM

These trigonometric functions use the FPTAN instruction of the NPX. FPTAN requires that the angle argument be between 0 and π/4 radians, 0 to 45 degrees. The FPREM instruction is used to reduce the argument down to this range.
The low three quotient bits set by FPREM identify which octant the original angle was in. One FPREM instruction iteration can reduce angles of 10^18 radians or less in magnitude to π/4! Larger values can be reduced, but the meaning of the result is questionable, because any errors in the least significant bits of that value represent changes of 45 degrees or more in the reduced angle.

Cosine Uses Sine Code

To save code space, the cosine function uses most of the sine function code. The relation sin(|A| + π/2) = cos(A) is used to convert the cosine argument into a sine argument. Adding π/2 to the angle is performed by adding 010₂ to the FPREM quotient bits identifying the argument's octant. It would be very inaccurate to add π/2 to the cosine argument if it was very much different from π/2.

Depending on which octant the argument falls in, a different relation will be used in the sine and tangent functions. The program listings show which relations are used. For the tangent function, the ratio produced by FPTAN will be directly evaluated. The sine function will use either a sine or cosine relation depending on which octant the angle fell into. On exit, these functions will normally leave a divide instruction in progress to maintain concurrency.

If the input angles are of a restricted range, such as from 0 to 45 degrees, then considerable optimization is possible since full angle reduction and octant identification is not necessary.

All three functions begin by looking at the value given to them. Not a Number (NaN), infinity, or empty registers must be specially treated. Unnormals need to be converted to normal values before the FPTAN instruction will work correctly. Denormals will be converted to very small unnormals that do work correctly for the FPTAN instruction. The sign of the angle is saved to control the sign of the result.
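The octant selection described above, worked through in C as an added example (not part of the manual or of its Figure 4-7 listing). The helpers reduce_octant, partial_tangent and newton_sqrt are hypothetical software stand-ins for FPREM, FPTAN and FSQRT, and the sample angles with their reference values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PI_QUARTER  0.78539816339744830962   /* PI/4 rounded to a double */
#define ANGLE_LIMIT 4611686018427387904.0    /* 2**62 */

enum trig_fn { FN_SINE, FN_COSINE, FN_TANGENT };

/* Stand-in for the "indefinite" result returned for unusable arguments. */
static double indefinite(void) { volatile double z = 0.0; return z / z; }

/* Stand-in for FPREM: truncating remainder of mag / (PI/4) plus the low
 * three quotient bits, which name the octant. Requires 0 <= mag < 2**62. */
static double reduce_octant(double mag, unsigned *octant)
{
    uint64_t q = (uint64_t)(mag / PI_QUARTER);
    double r = mag - (double)q * PI_QUARTER;
    if (r < 0.0) { r += PI_QUARTER; q--; }          /* division rounded up */
    if (r >= PI_QUARTER) { r -= PI_QUARTER; q++; }  /* division rounded down */
    *octant = (unsigned)(q & 7);
    return r;
}

/* Stand-in for FPTAN on 0 <= r <= PI/4: yields Y and X with Y/X = tan(r).
 * Uses Lambert's continued fraction, which is not the 80287's own method. */
static void partial_tangent(double r, double *y, double *x)
{
    double r2 = r * r, d = 0.0;
    for (int k = 25; k >= 3; k -= 2)
        d = r2 / ((double)k - d);
    *y = r;
    *x = 1.0 - d;
}

/* Newton iteration for sqrt(v), v > 0 (stand-in for FSQRT). */
static double newton_sqrt(double v)
{
    double s = v > 1.0 ? v : 1.0;
    for (int i = 0; i < 8; i++)
        s = 0.5 * (s + v / s);
    return s;
}

double trig_by_octant(enum trig_fn fn, double angle)
{
    double mag = angle < 0.0 ? -angle : angle;
    if (angle != angle || mag >= ANGLE_LIMIT)
        return indefinite();          /* NaN, infinity, or angle too big */

    int negative = angle < 0.0;       /* sign saved to control the result */
    unsigned oct;
    double r = reduce_octant(mag, &oct);

    if (fn == FN_COSINE) {            /* cos(A) = sin(|A| + PI/2) */
        negative = 0;
        oct = (oct + 2) & 7;          /* add binary 010 to the quotient bits */
    }
    if (oct & 1)                      /* octants 1,3,5,7: reverse the angle */
        r = PI_QUARTER - r;

    double y, x;
    partial_tangent(r, &y, &x);

    int reverse = ((oct + 1) & 2) != 0;        /* octants 1,2,5,6 */
    double result;
    if (fn == FN_TANGENT) {
        result = reverse ? x / y : y / x;      /* 1/tan(r) or tan(r) */
        if (oct & 2) negative = !negative;     /* octants 2,3,6,7 */
    } else {
        double h = newton_sqrt(x * x + y * y);
        result = (reverse ? x : y) / h;        /* cos(r) or sin(r) */
        if (oct & 4) negative = !negative;     /* octants 4..7 */
    }
    return negative ? -result : result;
}

/* Constructed sample angles (radians) with reference values to 16 digits. */
static const struct { enum trig_fn fn; double angle, expect; } SAMPLES[] = {
    { FN_SINE,     1.0,  0.8414709848078965 },
    { FN_COSINE,   1.0,  0.5403023058681398 },
    { FN_TANGENT,  2.0, -2.185039863261519  },
    { FN_SINE,    -4.0,  0.7568024953079282 },
    { FN_COSINE,   3.0, -0.9899924966004454 },
    { FN_TANGENT, -1.0, -1.5574077246549023 },
};

/* Largest absolute difference between the octant method and the references. */
double max_sample_error(void)
{
    double worst = 0.0;
    for (unsigned i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        double e = trig_by_octant(SAMPLES[i].fn, SAMPLES[i].angle) - SAMPLES[i].expect;
        if (e < 0.0) e = -e;
        if (e > worst) worst = e;
    }
    return worst;
}

int main(void)
{
    printf("max error over samples: %.3g\n", max_sample_error());
    return 0;
}
```

The sign rules fall out of the octant bits alone: bit 2 of the quotient flips the sign of sine and cosine, bit 1 flips the sign of tangent, and bit 0 selects the reversed angle.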
Within the functions, close attention was paid to maintain concurrent execution of the 80287 and host. The concurrent execution will effectively hide the execution time of the decision logic used in the program.

[Figure 4-7. Calculating Trigonometric Functions: iAPX286 Macro Assembler listing of module TRIG_FUNCTIONS ("80287 Trignometric Functions"), which defines the public procedures sine, cosine, and tangent.]

APPENDIX A
MACHINE INSTRUCTION ENCODING AND DECODING

Machine instructions for the 80287 come in one of five different forms as shown in table A-1. In all cases, the instructions are at least two bytes long and begin with the bit pattern 11011B, which identifies the ESCAPE class of instructions. Instructions that reference memory operands are encoded much like similar CPU instructions, because all of the CPU memory-addressing modes may be used with ESCAPE instructions.

Note that several of the processor control instructions (see table 2-11 in Chapter Two) may be preceded by an assembler-generated CPU WAIT instruction (encoding: 10011011B) if they are programmed using the WAIT form of their mnemonics. The ASM286 assembler inserts a WAIT instruction only before these specific processor control instructions; all of the numeric instructions are automatically synchronized by the 80286 CPU and an explicit WAIT instruction, though allowed, is not necessary.

Table A-1. 80287 Instruction Encoding

      Lower-Addressed Byte           Higher-Addressed Byte        0, 1, or 2 bytes
(1)   1 1 0 1 1 | OP-A   | 1     |   MOD | 1 | OP-B | R/M       | DISPLACEMENT
(2)   1 1 0 1 1 | FORMAT | OP-A  |   MOD | OP-B     | R/M       | DISPLACEMENT
(3)   1 1 0 1 1 | R | P  | OP-A  |   1 1 | OP-B     | REG       |
(4)   1 1 0 1 1 | 0 0 1          |   1 1 1 | OP                 |
(5)   1 1 0 1 1 | 0 1 1          |   1 1 1 | OP                 |
      7 6 5 4 3   2 1 0              7 6 5 4 3 2 1 0

NOTES:
(1) Memory transfers, including applicable processor control instructions; 0, 1, or 2 displacement bytes may follow.
(2) Memory arithmetic and comparison instructions; 0, 1, or 2 displacement bytes may follow.
(3) Stack arithmetic and comparison instructions.
(4) Constant, transcendental, some arithmetic instructions.
(5) Processor control instructions that do not reference memory.

OP, OP-A, OP-B: Instruction opcode, possibly split into two fields.
MOD: Same as 80286 CPU mode field.
R/M: Same as 80286 CPU register/memory field.
FORMAT: Defines memory operand
    00 = short real
    01 = short integer
    10 = long real
    11 = word integer
R:  0 = return result to stack top
    1 = return result to other register
P:  0 = do not pop stack
    1 = pop stack after operation
REG: register stack element
    000 = stack top
    001 = next on stack
    010 = third stack element, etc.

Table A-2 lists all 80287 machine instructions in binary sequence. This table may be used to "disassemble" instructions in unformatted memory dumps or instructions monitored from the data bus. Users writing exception handlers may also find this information useful to identify the offending instruction.

Table A-2. Machine Instruction Decoding Guide

1st Byte          2nd Byte      Bytes 3, 4            ASM286 Instruction Format
Hex  Binary
D8   1101 1000    MOD00 0R/M    (disp-lo),(disp-hi)   FADD      short-real
D8   1101 1000    MOD00 1R/M    (disp-lo),(disp-hi)   FMUL      short-real
D8   1101 1000    MOD01 0R/M    (disp-lo),(disp-hi)   FCOM      short-real
D8   1101 1000    MOD01 1R/M    (disp-lo),(disp-hi)   FCOMP     short-real
D8   1101 1000    MOD10 0R/M    (disp-lo),(disp-hi)   FSUB      short-real
D8   1101 1000    MOD10 1R/M    (disp-lo),(disp-hi)   FSUBR     short-real
D8   1101 1000    MOD11 0R/M    (disp-lo),(disp-hi)   FDIV      short-real
D8   1101 1000    MOD11 1R/M    (disp-lo),(disp-hi)   FDIVR     short-real
D8   1101 1000    1100 0REG                           FADD      ST,ST(i)
D8   1101 1000    1100 1REG                           FMUL      ST,ST(i)
D8   1101 1000    1101 0REG                           FCOM      ST(i)
D8   1101 1000    1101 1REG                           FCOMP     ST(i)
D8   1101 1000    1110 0REG                           FSUB      ST,ST(i)
D8   1101 1000    1110 1REG                           FSUBR     ST,ST(i)
D8   1101 1000    1111 0REG                           FDIV      ST,ST(i)
D8   1101 1000    1111 1REG                           FDIVR     ST,ST(i)
D9   1101 1001    MOD00 0R/M    (disp-lo),(disp-hi)   FLD       short-real
D9   1101 1001    MOD00 1R/M    (disp-lo),(disp-hi)   reserved
D9   1101 1001    MOD01 0R/M    (disp-lo),(disp-hi)   FST       short-real
D9   1101 1001    MOD01 1R/M    (disp-lo),(disp-hi)   FSTP      short-real
D9   1101 1001    MOD10 0R/M    (disp-lo),(disp-hi)   FLDENV    14-bytes
D9   1101 1001    MOD10 1R/M    (disp-lo),(disp-hi)   FLDCW     2-bytes
D9   1101 1001    MOD11 0R/M    (disp-lo),(disp-hi)   FSTENV    14-bytes
D9   1101 1001    MOD11 1R/M    (disp-lo),(disp-hi)   FSTCW     2-bytes
D9   1101 1001    1100 0REG                           FLD       ST(i)
D9   1101 1001    1100 1REG                           FXCH      ST(i)
D9   1101 1001    1101 0000                           FNOP
D9   1101 1001    1101 0001                           reserved
D9   1101 1001    1101 001-                           reserved
D9   1101 1001    1101 01--                           reserved
D9   1101 1001    1101 1REG                           *(1)
D9   1101 1001    1110 0000                           FCHS
D9   1101 1001    1110 0001                           FABS
D9   1101 1001    1110 001-                           reserved
D9   1101 1001    1110 0100                           FTST
D9   1101 1001    1110 0101                           FXAM
D9   1101 1001    1110 011-                           reserved
D9   1101 1001    1110 1000                           FLD1
D9   1101 1001    1110 1001                           FLDL2T
D9   1101 1001    1110 1010                           FLDL2E
D9   1101 1001    1110 1011                           FLDPI
D9   1101 1001    1110 1100                           FLDLG2
D9   1101 1001    1110 1101                           FLDLN2
D9   1101 1001    1110 1110                           FLDZ
D9   1101 1001    1110 1111                           reserved
D9   1101 1001    1111 0000                           F2XM1
D9   1101 1001    1111 0001                           FYL2X
D9   1101 1001    1111 0010                           FPTAN
D9   1101 1001    1111 0011                           FPATAN
D9   1101 1001    1111 0100                           FXTRACT
D9   1101 1001    1111 0101                           reserved
D9   1101 1001    1111 0110                           FDECSTP
D9   1101 1001    1111 0111                           FINCSTP
D9   1101 1001    1111 1000                           FPREM
D9   1101 1001    1111 1001                           FYL2XP1
D9   1101 1001    1111 1010                           FSQRT
D9   1101 1001    1111 1011                           reserved
D9   1101 1001    1111 1100                           FRNDINT
D9   1101 1001    1111 1101                           FSCALE
D9   1101 1001    1111 111-                           reserved
DA   1101 1010    MOD00 0R/M    (disp-lo),(disp-hi)   FIADD     short-integer
DA   1101 1010    MOD00 1R/M    (disp-lo),(disp-hi)   FIMUL     short-integer
DA   1101 1010    MOD01 0R/M    (disp-lo),(disp-hi)   FICOM     short-integer
DA   1101 1010    MOD01 1R/M    (disp-lo),(disp-hi)   FICOMP    short-integer
DA   1101 1010    MOD10 0R/M    (disp-lo),(disp-hi)   FISUB     short-integer
DA   1101 1010    MOD10 1R/M    (disp-lo),(disp-hi)   FISUBR    short-integer
DA   1101 1010    MOD11 0R/M    (disp-lo),(disp-hi)   FIDIV     short-integer
DA   1101 1010    MOD11 1R/M    (disp-lo),(disp-hi)   FIDIVR    short-integer
DA   1101 1010    11-- ----                           reserved
DB   1101 1011    MOD00 0R/M    (disp-lo),(disp-hi)   FILD      short-integer
DB   1101 1011    MOD00 1R/M    (disp-lo),(disp-hi)   reserved
DB   1101 1011    MOD01 0R/M    (disp-lo),(disp-hi)   FIST      short-integer
DB   1101 1011    MOD01 1R/M    (disp-lo),(disp-hi)   FISTP     short-integer
DB   1101 1011    MOD10 0R/M    (disp-lo),(disp-hi)   reserved
DB   1101 1011    MOD10 1R/M    (disp-lo),(disp-hi)   FLD       temp-real
DB   1101 1011    MOD11 0R/M    (disp-lo),(disp-hi)   reserved
DB   1101 1011    MOD11 1R/M    (disp-lo),(disp-hi)   FSTP      temp-real
DB   1101 1011    110- ----                           reserved
DB   1101 1011    1110 0000                           reserved (8087 FENI)
DB   1101 1011    1110 0001                           reserved (8087 FDISI)
DB   1101 1011    1110 0010                           FCLEX
DB   1101 1011    1110 0011                           FINIT
DB   1101 1011    1110 0100                           FSETPM
DB   1101 1011    1110 1---                           reserved
DB   1101 1011    1111 ----                           reserved
DC   1101 1100    MOD00 0R/M    (disp-lo),(disp-hi)   FADD      long-real
DC   1101 1100    MOD00 1R/M    (disp-lo),(disp-hi)   FMUL      long-real
DC   1101 1100    MOD01 0R/M    (disp-lo),(disp-hi)   FCOM      long-real
DC   1101 1100    MOD01 1R/M    (disp-lo),(disp-hi)   FCOMP     long-real
DC   1101 1100    MOD10 0R/M    (disp-lo),(disp-hi)   FSUB      long-real
DC   1101 1100    MOD10 1R/M    (disp-lo),(disp-hi)   FSUBR     long-real
DC   1101 1100    MOD11 0R/M    (disp-lo),(disp-hi)   FDIV      long-real
DC   1101 1100    MOD11 1R/M    (disp-lo),(disp-hi)   FDIVR     long-real
DC   1101 1100    1100 0REG                           FADD      ST(i),ST
DC   1101 1100    1100 1REG                           FMUL      ST(i),ST
DC   1101 1100    1101 0REG                           *(2)
DC   1101 1100    1101 1REG                           *(3)
DC   1101 1100    1110 0REG                           FSUB      ST(i),ST
DC   1101 1100    1110 1REG                           FSUBR     ST(i),ST
DC   1101 1100    1111 0REG                           FDIV      ST(i),ST
DC   1101 1100    1111 1REG                           FDIVR     ST(i),ST
DD   1101 1101    MOD00 0R/M    (disp-lo),(disp-hi)   FLD       long-real
DD   1101 1101    MOD00 1R/M    (disp-lo),(disp-hi)   reserved
DD   1101 1101    MOD01 0R/M    (disp-lo),(disp-hi)   FST       long-real
DD   1101 1101    MOD01 1R/M    (disp-lo),(disp-hi)   FSTP      long-real
DD   1101 1101    MOD10 0R/M    (disp-lo),(disp-hi)   FRSTOR    94-bytes
DD   1101 1101    MOD10 1R/M    (disp-lo),(disp-hi)   reserved
DD   1101 1101    MOD11 0R/M    (disp-lo),(disp-hi)   FSAVE     94-bytes
DD   1101 1101    MOD11 1R/M    (disp-lo),(disp-hi)   FSTSW     2-bytes
DD   1101 1101    1100 0REG                           FFREE     ST(i)
DD   1101 1101    1100 1REG                           *(4)
DD   1101 1101    1101 0REG                           FST       ST(i)
DD   1101 1101    1101 1REG                           FSTP      ST(i)
DD   1101 1101    111- ----                           reserved
DE   1101 1110    MOD00 0R/M    (disp-lo),(disp-hi)   FIADD     word-integer
DE   1101 1110    MOD00 1R/M    (disp-lo),(disp-hi)   FIMUL     word-integer
DE   1101 1110    MOD01 0R/M    (disp-lo),(disp-hi)   FICOM     word-integer
DE   1101 1110    MOD01 1R/M    (disp-lo),(disp-hi)   FICOMP    word-integer
DE   1101 1110    MOD10 0R/M    (disp-lo),(disp-hi)   FISUB     word-integer
DE   1101 1110    MOD10 1R/M    (disp-lo),(disp-hi)   FISUBR    word-integer
DE   1101 1110    MOD11 0R/M    (disp-lo),(disp-hi)   FIDIV     word-integer
DE   1101 1110    MOD11 1R/M    (disp-lo),(disp-hi)   FIDIVR    word-integer
DE   1101 1110    1100 0REG                           FADDP     ST(i),ST
DE   1101 1110    1100 1REG                           FMULP     ST(i),ST
DE   1101 1110    1101 0---                           *(5)
DE   1101 1110    1101 1000                           reserved
DE   1101 1110    1101 1001                           FCOMPP
DE   1101 1110    1101 101-                           reserved
DE   1101 1110    1101 11--                           reserved
DE   1101 1110    1110 0REG                           FSUBP     ST(i),ST
DE   1101 1110    1110 1REG                           FSUBRP    ST(i),ST
DE   1101 1110    1111 0REG                           FDIVP     ST(i),ST
DE   1101 1110    1111 1REG                           FDIVRP    ST(i),ST
DF   1101 1111    MOD00 0R/M    (disp-lo),(disp-hi)   FILD      word-integer
DF   1101 1111    MOD00 1R/M    (disp-lo),(disp-hi)   reserved
DF   1101 1111    MOD01 0R/M    (disp-lo),(disp-hi)   FIST      word-integer
DF   1101 1111    MOD01 1R/M    (disp-lo),(disp-hi)   FISTP     word-integer
DF   1101 1111    MOD10 0R/M    (disp-lo),(disp-hi)   FBLD      packed-decimal
DF   1101 1111    MOD10 1R/M    (disp-lo),(disp-hi)   FILD      long-integer
DF   1101 1111    MOD11 0R/M    (disp-lo),(disp-hi)   FBSTP     packed-decimal
DF   1101 1111    MOD11 1R/M    (disp-lo),(disp-hi)   FISTP     long-integer
DF   1101 1111    1100 0REG                           *(6)
DF   1101 1111    1100 1REG                           *(7)
DF   1101 1111    1101 0REG                           *(8)
DF   1101 1111    1101 1REG                           *(9)
DF   1101 1111    1110 0000                           FSTSW AX
DF   1101 1111    1111 XXXX                           reserved

NOTE:
* The marked encodings are not generated by the language translators. If, however, the 80287 encounters one of these encodings in the instruction stream, it will execute it as follows:
(1) FSTP ST(i)
(2) FCOM ST(i)
(3) FCOMP ST(i)
(4) FXCH ST(i)
(5) FCOMP ST(i)
(6) FFREE ST(i) and pop stack
(7) FXCH ST(i)
(8) FSTP ST(i)
(9) FSTP ST(i)

APPENDIX B
COMPATIBILITY BETWEEN THE 80287 NPX AND THE 8087

The 80286/80287 operating in Real-Address mode will execute 8087 programs without major modification. However, because of differences in the handling of numeric exceptions by the 80287 NPX and the 8087 NPX, exception-handling routines may need to be changed.

This appendix summarizes the differences between the 80287 NPX and the 8087 NPX, and provides details showing how 8087 programs can be ported to the 80287.

1. The 80287 signals exceptions through a dedicated ERROR line to the 80286. The 80287 error signal does not pass through an interrupt controller (the 8087 INT signal does). Therefore, any interrupt-controller-oriented instructions in numeric exception handlers for the 8087 should be deleted.
2. The 8087 instructions FENI/FNENI and FDISI/FNDISI perform no useful function in the 80287. If the 80287 encounters one of these opcodes in its instruction stream, the instruction will effectively be ignored; none of the 80287 internal states will be updated. While 8087 code containing these instructions may be executed on the 80287, it is unlikely that the exception-handling routines containing these instructions will be completely portable to the 80287.
3. Interrupt vector 16 must point to the numeric exception handling routine.
4.
The ESC instruction address saved in the 80287 includes any leading prefixes before the ESC opcode. The corresponding address saved in the 8087 does not include leading prefixes.
5. In Protected-Address mode, the format of the 80287's saved instruction and address pointers is different than for the 8087. The instruction opcode is not saved in Protected mode; exception handlers will have to retrieve the opcode from memory if needed.
6. Interrupt 7 will occur in the 80286 when executing ESC instructions with either TS (task switched) or EM (emulation) of the 80286 MSW set (TS = 1 or EM = 1). If TS is set, then a WAIT instruction will also cause interrupt 7. An exception handler should be included in 80287 code to handle these situations.
7. Interrupt 9 will occur if the second or subsequent words of a floating-point operand fall outside a segment's size. Interrupt 13 will occur if the starting address of a numeric operand falls outside a segment's size. An exception handler should be included in 80287 code to report these programming errors.
8. Except for the processor control instructions, all of the 80287 numeric instructions are automatically synchronized by the 80286 CPU; the 80286 automatically tests the BUSY line from the 80287 to ensure that the 80287 has completed its previous instruction before executing the next ESC instruction. No explicit WAIT instructions are required to assure this synchronization. For the 8087 used with 8086 and 8088 processors, explicit WAITs are required before each numeric instruction to ensure synchronization. Although 8087 programs having explicit WAIT instructions will execute perfectly on the 80287 without reassembly, these WAIT instructions are unnecessary.
9. Since the 80287 does not require WAIT instructions before each numeric instruction, the ASM286 assembler does not automatically generate these WAIT instructions. The ASM86 assembler, however, automatically precedes every ESC instruction with a WAIT instruction.
Although numeric routines generated using the ASM86 assembler will generally execute correctly on the 80286/20, reassembly using ASM286 may result in a more compact code image. The processor control instructions for the 80287 may be coded using either a WAIT or No-WAIT form of mnemonic. The WAIT forms of these instructions cause ASM286 to precede the ESC instruction with a CPU WAIT instruction, in the identical manner as does ASM86.
10. A recommended way to detect the presence of an 80287 in an 80286 system (or an 8087 in an 8086 system) is shown below. It assumes that the system hardware causes the data bus to be high if no 80287 is present to drive the data lines during the FSTSW (Store 80287 Status Word) instruction.

FND_287:
        FNINIT                  ; initialize numeric processor.
        FSTSW   STAT            ; store status word into location STAT.
        MOV     AX,STAT
        OR      AL,AL           ; Zero Flag reflects result of OR.
        JZ      GOT_287         ; Zero in AL means 80287 is present.
;
;       No 80287 Present
;
        SMSW    AX
        OR      AX,0004H        ; set EM bit in Machine Status Word
        LMSW    AX              ; to enable software emulation of 287.
        JMP     CONTINUE
;
;       80287 is present in system
;
GOT_287:
        SMSW    AX
        OR      AX,0002H        ; set MP bit in Machine Status Word
        LMSW    AX              ; to permit normal 80287 operation
;
;       Continue
;
CONTINUE:                       ; and off we go

An 80286/80287 design must place a pullup resistor on one of the low eight data bus bits of the 80286 to be sure it is read as a high when no 80287 is present.

APPENDIX C
IMPLEMENTING THE IEEE P754 STANDARD

The 80287 NPX and standard support library software provide an implementation of the IEEE "A Proposed Standard for Binary Floating-Point Arithmetic," Draft 10.0, Task P754, of December 2, 1982. The 80287 Support Library, described in 80287 Support Library Reference Manual, Order Number 122129, is an example of such a support library.

This appendix describes the relationship between the 80287 NPX and the IEEE Standard.
Where the Standard has options, Intel's choices in implementing the 80287 are described. Where portions of the Standard are implemented through software, this appendix indicates which modules of the 80287 Support Library implement the Standard. Where special software in addition to the Support Library may be required by your application, this appendix indicates how to write this software.

This appendix contains many terms with precise technical meanings, specified in the 754 Standard. Where these terms are used, they have been capitalized to emphasize the precision of their meanings. The Glossary provides the definitions for all capitalized phrases in this appendix.

OPTIONS IMPLEMENTED IN THE 80287

The 80287 SHORT_REAL and LONG_REAL formats conform precisely to the Standard's Single and Double Floating-Point Numbers, respectively. The 80287 TEMP_REAL format is the same as the Standard's Double Extended format. The Standard allows a choice of Bias in representing the exponent; the 80287 uses the Bias 16383 decimal.

For the Double Extended format, the Standard contains an option for the meaning of the minimum exponent combined with a nonzero significand. The Bias for this special case can be either 16383, as in all the other cases, or 16382, making the smallest exponent equivalent to the second-smallest exponent. The 80287 uses the Bias 16382 for this case. This allows the 80287 to distinguish between Denormal numbers (integer part is zero, fraction is nonzero, Biased exponent is 0) and Unnormal numbers of the same value (same as the denormal except the Biased Exponent is 1).

The Standard allows flexibility in specifying which NaNs are trapping and which are nontrapping. The EH287.LIB module of the 80287 Support Library provides a software implementation of nontrapping NaNs, and defines one distinction between trapping and nontrapping NaNs: If the most significant bit of the fractional part of a NaN is 1, the NaN is nontrapping. If it is 0, the NaN is trapping.
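An added C example (not Intel's code and not part of the Support Library) that unpacks a 10-byte TEMP_REAL memory image and applies the rules above: Bias 16383, Bias 16382 when the Biased Exponent is 0, and the EH287.LIB distinction between trapping and nontrapping NaNs. The type names, function names and sample images are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TR_BIAS         16383                   /* Bias for a nonzero Biased Exponent */
#define TR_BIAS_EXP0    16382                   /* Bias when the Biased Exponent is 0 */
#define TR_EXP_MAX      0x7FFFu
#define TR_INTEGER_BIT  0x8000000000000000ULL   /* explicit integer bit */
#define TR_FRACTION_MSB 0x4000000000000000ULL   /* top bit of the fraction */

enum tr_class { TR_ZERO, TR_DENORMAL, TR_UNNORMAL, TR_NORMAL,
                TR_INFINITY, TR_NAN_TRAPPING, TR_NAN_NONTRAPPING };

struct temp_real { uint64_t significand; unsigned biased_exp; int negative; };

/* Unpack a little-endian image: bytes 0-7 significand, bytes 8-9 sign and exponent. */
struct temp_real tr_unpack(const uint8_t image[10])
{
    struct temp_real v = { 0, 0, 0 };
    for (int i = 7; i >= 0; i--)
        v.significand = (v.significand << 8) | image[i];
    v.biased_exp = image[8] | ((unsigned)(image[9] & 0x7F) << 8);
    v.negative = image[9] >> 7;
    return v;
}

enum tr_class tr_classify(struct temp_real v)
{
    uint64_t fraction = v.significand & ~TR_INTEGER_BIT;

    if (v.biased_exp == TR_EXP_MAX) {
        if (fraction == 0)
            return TR_INFINITY;
        /* EH287.LIB convention: fraction MSB 1 = nontrapping, 0 = trapping. */
        return (fraction & TR_FRACTION_MSB) ? TR_NAN_NONTRAPPING : TR_NAN_TRAPPING;
    }
    if (v.biased_exp == 0)          /* minimum exponent */
        return v.significand == 0 ? TR_ZERO : TR_DENORMAL;
    /* Nonzero exponent with the integer bit clear is an Unnormal. */
    return (v.significand & TR_INTEGER_BIT) ? TR_NORMAL : TR_UNNORMAL;
}

/* True exponent of a finite value; the minimum exponent uses Bias 16382. */
int tr_true_exponent(struct temp_real v)
{
    return v.biased_exp == 0 ? -TR_BIAS_EXP0 : (int)v.biased_exp - TR_BIAS;
}

/* Constructed sample images. */
static const uint8_t SAMPLE_PI_QUARTER[10] =      /* PI/4, exponent 3FFEh */
    { 0x35, 0xC2, 0x68, 0x21, 0xA2, 0xDA, 0x0F, 0xC9, 0xFE, 0x3F };
static const uint8_t SAMPLE_DENORMAL[10] =        /* Biased Exponent 0 */
    { 0x01, 0, 0, 0, 0, 0, 0, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_UNNORMAL[10] =        /* same significand, exponent 1 */
    { 0x01, 0, 0, 0, 0, 0, 0, 0x00, 0x01, 0x00 };
static const uint8_t SAMPLE_NEG_INFINITY[10] =
    { 0, 0, 0, 0, 0, 0, 0, 0x80, 0xFF, 0xFF };
static const uint8_t SAMPLE_NAN_TRAPPING[10] =    /* fraction MSB = 0 */
    { 0x01, 0, 0, 0, 0, 0, 0, 0x80, 0xFF, 0x7F };
static const uint8_t SAMPLE_NAN_NONTRAPPING[10] = /* fraction MSB = 1 */
    { 0, 0, 0, 0, 0, 0, 0, 0xC0, 0xFF, 0x7F };

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_PI_QUARTER, SAMPLE_DENORMAL, SAMPLE_UNNORMAL,
                                 SAMPLE_NEG_INFINITY, SAMPLE_NAN_TRAPPING,
                                 SAMPLE_NAN_NONTRAPPING };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct temp_real v = tr_unpack(samples[i]);
        printf("class %d, biased exponent %u, true exponent %d\n",
               (int)tr_classify(v), v.biased_exp, tr_true_exponent(v));
    }
    return 0;
}
```

The denormal and unnormal samples carry the same significand and decode to the same true exponent, which is the equivalence of the smallest and second-smallest exponents that the Bias 16382 choice provides.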
When a masked Invalid Operation error involves two NaN inputs, the Standard allows flexibility in choosing which NaN is output. The 80287 selects the NaN whose absolute value is greatest.

AREAS OF THE STANDARD IMPLEMENTED IN SOFTWARE

There are five areas of the Standard that are not implemented directly in the 80287 hardware; these areas are instead implemented in software as part of the 80287 Support Library.

1. The Standard requires that a Normalizing Mode be provided, in which any nonnormal operands to functions are automatically normalized before the function is performed. The NPX provides a "Denormal operand" exception for this case, allowing the exception handler the opportunity to perform the normalization specified by the Standard. The Denormal operand exception handler provided by EH287.LIB implements the Standard's Normalizing Mode completely for Single- and Double-precision arguments. Normalizing mode for Double Extended operands is implemented in EH287.LIB with one non-Standard feature, discussed in the next section.
2. The Standard specifies that in comparing two operands whose relationship is "unordered," the equality test yield an answer of FALSE, with no errors or exceptions. The 80287 FCOM and FTST instructions themselves issue an Invalid Operation exception in this case. The error handler EH287.LIB filters out this Invalid Operation error using the following convention: Whenever an FCOM or FTST instruction is followed by a MOV AX,AX instruction (8BC0 Hex), and neither argument is a trapping NaN, the error handler will assume that a Standard equality comparison was intended, and return the correct answer with the Invalid Operation exception flag erased. Note that the Invalid Operation exception must be unmasked for this action to occur.
3. The Standard requires that two kinds of NaNs be provided: trapping and nontrapping.
Nontrapping NaNs will not cause further Invalid Operation errors when they occur as operands to calculations. The NPX hardware directly supports only trapping NaNs; the EH287.LIB software implements nontrapping NaNs by returning the correct answer with the Invalid Operation exception flag erased. Note that the Invalid Operation exception must be unmasked for this action to occur.
4. The Standard requires that all functions that convert real numbers to integer formats automatically normalize the inputs if necessary. The integer conversion functions contained in CEL287.LIB fully meet the Standard in this respect; the 80287 FIST instruction alone does not perform this normalization.
5. The Standard specifies the remainder function which is provided by mqerRMD in CEL287.LIB. The 80287 FPREM instruction returns answers within a different range.

ADDITIONAL SOFTWARE TO MEET THE STANDARD

There are two cases in which additional software is required in conjunction with the 80287 Support Library in order to meet the Standard. The 80287 Support Library does not provide this software in the interest of saving space and because the vast majority of applications will never encounter these cases.

1. When the Invalid Operation exception is masked, Nontrapping NaNs are not implemented fully. Likewise, the Standard's equality test for "unordered" operands is not implemented when the Invalid Operation exception is masked. Programmers can simulate the Standard notion of a masked Invalid Operation exception by unmasking the 80287 Invalid Operation exception, and providing an Invalid Operation exception handler that supports nontrapping NaNs and the equality test, but otherwise acts just as if the Invalid Operation exception were masked. The 80287 Support Library Reference Manual contains examples for programming this handler in both ASM286 and PL/M-286.
2.
In Normalizing Mode, Denormal operands in the TEMP_REAL format are converted to 0 by EH287.LIB, giving sharp Underflow to 0. The Standard specifies that the operation be performed on the real numbers represented by the denormals, giving gradual underflow. To correctly perform such arithmetic while in Normalizing Mode, programmers would have to normalize the operands into a format identical to TEMP_REAL except for two extra exponent bits, then perform the operation on those numbers. Thus, software must be written to handle the 17-bit exponent explicitly.

In designing the EH287.LIB, it was felt that it would be a disadvantage to most users to increase the size of the Normalizing routine by the amount necessary to provide this expanded arithmetic. Because the TEMP_REAL exponent field is so much larger than the LONG_REAL exponent field, it is extremely unlikely that TEMP_REAL underflow will be encountered in most applications.

If meeting the Standard is a more important criterion for your application than the choice between Normalizing and warning modes, then you can select warning mode (Denormal operand exceptions masked), which fully meets the Standard.

If you do wish to implement the Normalization of denormal operands in TEMP_REAL format using extra exponent bits, the list below indicates some useful pointers about handling Denormal operand exceptions:

1. TEMP_REAL numbers are considered Denormal by the NPX whenever the Biased Exponent is 0 (minimum exponent). This is true even if the explicit integer bit of the significand is 1. Such numbers can occur as the result of Underflow.

2. The 80287 FLD instruction can cause a Denormal Operand error if a number is being loaded from memory. It will not cause this exception if the number is being loaded from elsewhere in the 80287 stack.

3. The 80287 FCOM and FTST instructions will cause a Denormal Operand exception for unnormal operands as well as for denormal operands.

4.
In cases where both the Denormal Operand and Invalid Operation exceptions occur, you will want to know which is signalled first. When a comparison instruction operates between a nonexistent stack element and a denormal number in 80286 memory, the D and I exceptions are issued simultaneously. In all other situations, a Denormal Operand exception takes precedence over a nonstack Invalid Operation exception, while a stack Invalid Operation exception takes precedence over a Denormal Operand exception.

GLOSSARY OF 80287 AND FLOATING-POINT TERMINOLOGY

This glossary defines many terms that have precise technical meanings as specified in the IEEE 754 Standard. Where these terms are used, they have been capitalized to emphasize the precision of their meanings. In reading these definitions, you may therefore interpret any capitalized terms or phrases as cross-references.

Affine Mode: a state of the 80287, selected in the 80287 Control Word, in which infinities are treated as having a sign. Thus, the values +INFINITY and -INFINITY are considered different; they can be compared with finite numbers and with each other.

Base: (1) a term used in logarithms and exponentials. In both contexts, it is a number that is being raised to a power. The two equations (y = log base b of x) and (b^y = x) are the same.

Base: (2) a number that defines the representation being used for a string of digits. Base 2 is the binary representation; Base 10 is the decimal representation; Base 16 is the hexadecimal representation. In each case, the Base is the factor of increased significance for each succeeding digit (working up from the bottom).

Bias: the difference between the unsigned Integer that appears in the Exponent field of a Floating-Point Number and the true Exponent that it represents. To obtain the true Exponent, you must subtract the Bias from the given Exponent.
For example, the Short Real format has a Bias of 127 whenever the given Exponent is nonzero. If the 8-bit Exponent field contains 10000011, which is 131, the true Exponent is 131-127, or +4.

Biased Exponent: the Exponent as it appears in a Floating-Point Number, interpreted as an unsigned, positive number. In the above example, 131 is the Biased Exponent.

Binary Coded Decimal: a method of storing numbers that retains a base 10 representation. Each decimal digit occupies 4 full bits (one hexadecimal digit). The hex values A through F (1010 through 1111) are not used. The 80287 supports a Packed Decimal format that consists of 9 bytes of Binary Coded Decimal (18 decimal digits) and one sign byte.

Binary Point: an entity just like a decimal point, except that it exists in binary numbers. Each binary digit to the right of the Binary Point is multiplied by an increasing negative power of two.

C3-C0: the four "condition code" bits of the 80287 Status Word. These bits are set to certain values by the compare, test, examine, and remainder functions of the 80287.

Characteristic: a term used for some non-Intel computers, meaning the Exponent field of a Floating-Point Number.

Chop: to set the fractional part of a real number to zero, yielding the nearest integer in the direction of zero.

Control Word: a 16-bit 80287 register that the user can set, to determine the modes of computation the 80287 will use, and the error interrupts that will be enabled.

Denormal: a special form of Floating-Point Number, produced when an Underflow occurs. On the 80287, a Denormal is defined as a number with a Biased Exponent that is zero. By providing a Significand with leading zeros, the range of possible negative Exponents can be extended by the number of bits in the Significand. Each leading zero is a bit of lost accuracy, so the extended Exponent range is obtained by reducing significance.

Double Extended: the Standard's term for the 80287 Temporary Real format, with more Exponent and Significand bits than the Double (Long Real) format, and an explicit Integer bit in the Significand.

Double Floating Point Number: the Standard's term for the 80287's 64-bit Long Real format.

Environment: the 14 bytes of 80287 registers affected by the FSTENV and FLDENV instructions. It encompasses the entire state of the 80287, except for the 8 Temporary Real numbers of the 80287 stack. Included are the Control Word, Status Word, Tag Word, and the instruction, opcode, and operand information provided by interrupts.

Exception: any of the six error conditions (I, D, O, U, Z, P) signalled by the 80287.

Exponent: (1) any power that is raised by an exponential function. For example, the operand to the function mqerEXP is an Exponent. The Integer operand to mqerYI2 is an Exponent.

Exponent: (2) the field of a Floating-Point Number that indicates the magnitude of the number. This would fall under the above more general definition (1), except that a Bias sometimes needs to be subtracted to obtain the correct power.

Floating-Point Number: a sequence of data bytes that, when interpreted in a standardized way, represents a Real number. Floating-Point Numbers are more versatile than Integer representations in two ways. First, they include fractions. Second, their Exponent parts allow a much wider range of magnitude than possible with fixed-length Integer representations.

Gradual Underflow: a method of handling the Underflow error condition that minimizes the loss of accuracy in the result. If there is a Denormal number that represents the correct result, that Denormal is returned. Thus, digits are lost only to the extent of denormalization. Most computers return zero when Underflow occurs, losing all significant digits.

Implicit Integer Bit: a part of the Significand in the Short Real and Long Real formats that is not explicitly given.
In these formats, the entire given Significand is considered to be to the right of the Binary Point. A single Implicit Integer Bit to the left of the Binary Point is always 1, except in one case. When the Exponent is the minimum (Biased Exponent is 0), the Implicit Integer Bit is 0.

Indefinite: a special value that is returned by functions when the inputs are such that no other sensible answer is possible. For each Floating-Point format there exists one Nontrapping NaN that is designated as the Indefinite value. For binary Integer formats, the negative number furthest from zero is often considered the Indefinite value. For the 80287 Packed Decimal format, the Indefinite value contains all 1's in the sign byte and the uppermost digits byte.

Infinity: a value that has greater magnitude than any Integer or any Real number. The existence of Infinity is subject to heated philosophical debate. However, it is often useful to consider Infinity as another number, subject to special rules of arithmetic. All three Intel Floating-Point formats provide representations for +INFINITY and -INFINITY. They support two ways of dealing with Infinity: Projective (unsigned) and Affine (signed).

Integer: a number (positive, negative, or zero) that is finite and has no fractional part. Integer can also mean the computer representation for such a number: a sequence of data bytes, interpreted in a standard way. It is perfectly reasonable for Integers to be represented in a Floating-Point format; this is what the 80287 does whenever an Integer is pushed onto the 80287 stack.

Invalid Operation: the error condition for the 80287 that covers all cases not covered by other errors. Included are 80287 stack overflow and underflow, NaN inputs, illegal infinite inputs, out-of-range inputs, and illegal unnormal inputs.

Long Integer: an Integer format supported by the 80287 that consists of a 64-bit Two's Complement quantity.

Long Real: a Floating-Point Format supported by the 80287 that consists of a sign, an 11-bit Biased Exponent, an Implicit Integer Bit, and a 52-bit Significand, a total of 64 explicit bits.

Mantissa: a term used for some non-Intel computers, meaning the Significand of a Floating-Point Number.

Masked: a term that applies to each of the six 80287 Exceptions I, D, Z, O, U, P. An exception is Masked if a corresponding bit in the 80287 Control Word is set to 1. If an exception is Masked, the 80287 will not generate an interrupt when the error condition occurs; it will instead provide its own error recovery.

NaN: an abbreviation for Not a Number; a Floating-Point quantity that does not represent any numeric or infinite quantity. NaNs should be returned by functions that encounter serious errors. If created during a sequence of calculations, they are transmitted to the final answer and can contain information about where the error occurred.

Nontrapping NaN: a NaN in which the most significant bit of the fractional part of the Significand is 1. By convention, these NaNs can undergo certain operations without visible error. Nontrapping NaNs are implemented for the 80287 via the software in EH87.LIB.

Normal: the representation of a number in a Floating-Point format in which the Significand has an Integer bit 1 (either explicit or Implicit).

Normalizing Mode: a state in which nonnormal inputs are automatically converted to normal inputs whenever they are used in arithmetic. Normalizing Mode is implemented for the 80287 via the software in EH87.LIB.

NPX: Numeric Processor Extension. This is the 80287.

Overflow: an error condition in which the correct answer is finite, but has magnitude too great to be represented in the destination format.

Packed Decimal: an Integer format supported by the 80287. A Packed Decimal number is a 10-byte quantity, with nine bytes of 18 Binary Coded Decimal digits, and one byte for the sign.

Pop: to remove from a stack the last item that was placed on the stack.

Precision Control: an option, programmed through the 80287 Control Word, that allows all 80287 arithmetic to be performed with reduced precision. Because no speed advantage results from this option, its only use is for strict compatibility with the IEEE Standard, and with other computer systems.

Precision Exception: an 80287 error condition that results when a calculation does not return an exact answer. This exception is usually Masked and ignored; it is used only in extremely critical applications, when the user must know if the results are exact.

Projective Mode: a state of the 80287, selected in the 80287 Control Word, in which infinities are treated as not having a sign. Thus the values +INFINITY and -INFINITY are considered the same. Certain operations, such as comparison to finite numbers, are illegal in Projective Mode but legal in Affine Mode. Thus Projective Mode gives you a greater degree of error control over infinite inputs.

Pseudo Zero: a special value of the Temporary Real format. It is a number with a zero significand and an Exponent that is neither all zeros nor all ones. Pseudo zeros can come about as the result of multiplication of two Unnormal numbers; but they are very rare.

Real: any finite value (negative, positive, or zero) that can be represented by a decimal expansion. The fractional part of the decimal expansion can contain an infinite number of digits. Reals can be represented as the points of a line marked off like a ruler. The term Real can also refer to a Floating-Point Number that represents a Real value.

Short Integer: an Integer format supported by the 80287 that consists of a 32-bit Two's Complement quantity. Short Integer is not the shortest 80287 Integer format; the 16-bit Word Integer is.

Short Real: a Floating-Point Format supported by the 80287, which consists of a sign, an 8-bit Biased Exponent, an Implicit Integer Bit, and a 23-bit Significand, a total of 32 explicit bits.

Significand: the part of a Floating-Point Number that consists of the most significant nonzero bits of the number, if the number were written out in an unlimited binary format. The Significand alone is considered to have a Binary Point after the first (possibly Implicit) bit; the Binary Point is then moved according to the value of the Exponent.

Single Extended: a Floating-Point format, required by the Standard, that provides greater precision than Single; it also provides an explicit Integer Significand bit. The 80287's Temporary Real format meets the Single Extended requirement as well as the Double Extended requirement.

Single Floating-Point Number: the Standard's term for the 80287's 32-bit Short Real format.

Standard: "a Proposed Standard for Binary Floating-Point Arithmetic," Draft 10.0 of IEEE Task P754, December 2, 1982.

Status Word: a 16-bit 80287 register that can be manually set, but which is usually controlled by side effects to 80287 instructions. It contains condition codes, the 80287 stack pointer, busy and interrupt bits, and error flags.

Tag Word: a 16-bit 80287 register that is automatically maintained by the 80287. For each space in the 80287 stack, it tells if the space is occupied by a number; if so, it gives information
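The Bias, Biased Exponent, Denormal, Implicit Integer Bit and Nontrapping NaN entries above, applied to Short Real and Long Real bit patterns. This is an added example, not code from the manual or the 80287 Support Library; the names decode_real, real_format and scale2 are hypothetical, and the Infinity encoding (all-ones exponent, zero fraction) and the Long Real Bias of 1023 are taken from the IEEE 754 layout rather than from these entries.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { K_ZERO, K_DENORMAL, K_NORMAL, K_INFINITY,
               K_TRAPPING_NAN, K_NONTRAPPING_NAN } real_kind;

/* Field widths from the glossary: Short Real 8 + 23, Long Real 11 + 52. */
typedef struct { int exp_bits, frac_bits; } real_format;
static const real_format SHORT_REAL = { 8, 23 };
static const real_format LONG_REAL  = { 11, 52 };

typedef struct {
    int       sign;         /* 1 = negative */
    unsigned  biased_exp;   /* Exponent field read as an unsigned number */
    int       true_exp;     /* power of two applied to the Significand */
    int       integer_bit;  /* Implicit Integer Bit: 0 only when biased_exp is 0 */
    real_kind kind;
    double    value;        /* set for zero, Denormal and Normal; 0.0 otherwise */
} decoded_real;

/* Multiply x by 2^n exactly, without needing libm. */
static double scale2(double x, int n)
{
    for (; n > 0; n--) x *= 2.0;
    for (; n < 0; n++) x /= 2.0;
    return x;
}

decoded_real decode_real(uint64_t bits, real_format f)
{
    decoded_real d;
    unsigned exp_max = (1u << f.exp_bits) - 1;          /* all-ones exponent */
    int bias = (int)(exp_max >> 1);                     /* 127 or 1023 */
    uint64_t frac = bits & ((1ULL << f.frac_bits) - 1); /* stored Significand */

    d.sign = (int)((bits >> (f.exp_bits + f.frac_bits)) & 1);
    d.biased_exp = (unsigned)((bits >> f.frac_bits) & exp_max);
    d.integer_bit = d.biased_exp != 0;
    /* A Denormal keeps the minimum true exponent (that of biased value 1). */
    d.true_exp = (int)(d.biased_exp ? d.biased_exp : 1u) - bias;
    d.value = 0.0;

    if (d.biased_exp == exp_max) {   /* IEEE 754 layout: Infinity or NaN */
        if (frac == 0) d.kind = K_INFINITY;
        else d.kind = ((frac >> (f.frac_bits - 1)) & 1) ? K_NONTRAPPING_NAN
                                                        : K_TRAPPING_NAN;
        return d;
    }
    if (d.biased_exp == 0) d.kind = frac ? K_DENORMAL : K_ZERO;
    else d.kind = K_NORMAL;
    /* Significand = integer_bit.fraction; the Exponent then moves the Binary Point. */
    d.value = scale2((double)d.integer_bit + scale2((double)frac, -f.frac_bits),
                     d.true_exp);
    if (d.sign) d.value = -d.value;
    return d;
}

int main(void)
{
    decoded_real d = decode_real(0x41800000u, SHORT_REAL); /* exponent field 10000011 */
    printf("biased=%u true=%+d value=%g\n", d.biased_exp, d.true_exp, d.value);
    return 0;
}
```

The sample pattern 0x41800000 is constructed to carry the exponent field 10000011 used in the Bias entry.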