View MILITARYI386_2993974.PDF datasheet online --- IC-ON-LINE

Datasheet File OCR Text:

february 1994 order number: 271110-003 military i386 tm sx microprocessor y full 32-bit internal architecture e 8-, 16-, 32-bit data types e 8 general purpose 32-bit registers y runs intel386 tm software in a cost effective 16-bit hardware environment e runs same applications and o.s.'s as the military i386 tm dx processor e object code compatible with m8086, m80186, m80286, and i386 processors e runs ms-dos * , os/2 * and unix ** y very high performance 16-bit data bus e 20 mhz clock e two-clock bus cycles e 20 megabytes/sec bus bandwidth e address pipelining allows use of slower/cheaper memories y integrated memory management unit e virtual memory support e optional on-chip paging e 4 levels of hardware enforced protection e mmu fully compatible with those of the m80286 and i386 dx cpus y large uniform address space e 16 megabyte physical e 64 terabyte virtual e 4 gigabyte maximum segment size y virtual m8086 mode allows execution of m8086 software in a protected and paged system y high speed numerics support with the military i387 tm sx coprocessor y on-chip debugging support including breakpoint registers y complete system development support e software: c, pl/m, assembler e debuggers: pmon-i386 dx, ice tm -i386 sx e extensive third-party support: c, pascal, fortran, basic, ada *** on vax, unix ** , ms-dos * , and other hosts y high speed chmos iv technology y 88-lead pin grid array package (see packaging specification, order y 231369) y 100-lead plastic flat pack package y available in four product grades: e mil-std-883 (pga), b 55 cto a 125 c(t c ) e military temperature only (pga), b 55 cto a 125 c(t c ) e extended temperature (pga), b 40 cto a 110 c(t c ) e extended temperature (pqfp), b 20 cto a 100 c(t c ) the military i386 sx microprocessor is a 32-bit cpu with a 16-bit external data bus and a 24-bit external address bus. the i386 sx cpu brings the high-performance software of the intel386 architecture to midrange systems. it provides the performance benefits of a 32-bit programming architecture with the cost savings associated with 16-bit hardware systems. 271110 1 i386 tm sx pipelined 32-bit microarchitecture * ms-dos and os/2 are trademarks of microsoft corporation. ** unix is a trademark of at&t. *** ada is a trademark of the department of defense.
military i386 tm sx microprocessor military i386 tm sx microprocessor contents page 1.0 pin description 3 2.0 base architecture 8 2.1 register set 8 2.2 instruction set 11 2.3 memory organization 12 2.4 addressing modes 13 2.5 data types 16 2.6 i/o space 16 2.7 interrupts and exceptions 18 2.8 reset and initialization 21 2.9 testability 21 2.10 debugging support 22 3.0 real mode architecture 23 3.1 memory addressing 23 3.2 reserved locations 24 3.3 interrupts 24 3.4 shutdown and halt 24 3.5 lock operations 24 4.0 protected mode architecture 25 4.1 addressing mechanism 25 4.2 segmentation 25 4.3 protection 30 4.4 paging 34 4.5 virtual 8086 environment 37 contents page 5.0 functional data 40 5.1 signal description overview 40 5.2 bus transfer mechanism 47 5.3 memory and i/o spaces 47 5.4 bus functional description 47 5.5 self-test signature 65 5.6 component and revision identifiers 65 5.7 coprocessor interfacing 65 6.0 package thermal specifications 66 7.0 electrical specifications 66 7.1 power and grounding 66 7.2 maximum ratings 67 7.3 operating conditions 68 7.4 dc specifications 69 7.5 ac specifications 70 8.0 differences between the i386 tm sx cpu and the i386 tm dx cpu 75 9.0 instruction set 76 9.1 i386 tm sx cpu instruction encoding and clock count summary 76 9.2 instruction encoding 91 2
military i386 tm sx microprocessor 1.0 pin description the following are the i386 sx microprocessor pin descriptions. the following definitions are used in the pin descriptions: i input signal o output signal i/o input and output signal e no electrical connection symbol type name and function clk2 i clk2 provides the fundamental timing for the i386 sx microprocessor. * see clock for additional information. reset i reset suspends any operation in progress and places the i386 sx microprocessor in a known reset state. * see interrupt signals for additional information. d 15 d 0 i/o data bus inputs data during memory, i/o and interrupt acknowledge read cycles and outputs data during memory and i/o write cycles. * see data bus for additional information. a 23 a 1 o address bus outputs physical memory or port i/o addresses. * see address bus for additional information. w/r o write/read is a bus cycle definition pin that distinguishes write cycles from read cycles. * see bus cycle definition signals for additional information. d/c o data/control is a bus cycle definition pin that distinguishes data cycles, either memory or i/o, from control cycles which are: interrupt acknowledge, halt, and code fetch. * see bus cycle definition signals for additional information. m/io o memory/io is a bus cycle definition pin that distinguishes memory cycles from input/output cycles. * see bus cycle definition signals for additional information. lock o bus lock is a bus cycle definition pin that indicates that other system bus masters are not to gain control of the system bus while it is active. * see bus cycle definition signals for additional information. ads o address status indicates that a valid bus cycle definition and address (w/r , d/c , m/io , bhe , ble and a 23 a 1 ) is being driven at the i386 sx microprocessor pins. * see bus control signals for additional information. na i next address is used to request address pipelining. * see bus control signals for additional information. ready i bus ready terminates the bus cycle. * see bus control signals for additional information. bhe , ble o byte enables indicate which data bytes of the data bus take part in a bus cycle. * see address bus for additional information. * located in section 5.1. 3
military i386 tm sx microprocessor 1.0 pin description (continued) symbol type name and function hold i bus hold request input allows another bus master to request control of the local bus. * see bus arbitration signals for additional information. hlda o bus hold acknowledge output indicates that the i386 sx microprocessor has surrendered control of its local bus to another bus master. * see bus arbitration signals for additional information. intr i interrupt request is a maskable input that signals the i386 sx microprocessor to suspend execution of the current program and execute an interrupt acknowledge function. * see interrupt signals for additional information. nmi i non-maskable interrupt request is a non-maskable input that signals the i386 sx microprocessor to suspend execution of the current program and execute an interrupt acknowledge function. * see interrupt signals for additional information. busy i busy signals a busy condition from a processor extension. * see coprocessor interface signals for additional information. error i error signals an error condition from a processor extension. * see coprocessor interface signals for additional information. pereq i processor extension request indicates that the processor has data to be transferred by the i386 sx microprocessor. * see coprocessor interface signals for additional information. n/c e no connects should always be left unconnected. connection of a n/c pin may cause the processor to malfunction or be incompatible with future steppings of the i386 sx microprocessor. v cc i system power provides the a 5v nominal dc supply input. v ss i system ground provides the 0v connection from which all inputs and outputs are measured. * located in section 5.1. 4
military i386 tm sx microprocessor 1.0 pin description (continued) top view (component side) 271110 2 bottom view (pin side) 271110 3 figure 1.1. i386 tm sx 88-lead pin grid array pinout table 1.1. 88-lead pin grid array pin assignments address data control v cc v ss n/c a1 . . . k1 d0 . . . f1 ads . . . j1 b2 b11 l1 a2 . . . m10 d1 . . . e2 bhe . . . k2 b12 c2 a3 . . . m11 d2 . . . e1 ble . . . j2 c1 d1 a4 . . . m12 d3 . . . d2 busy . . . m7 m2 m1 a5 . . . l12 d4 . . . b3 clk2 . . . h2 n3 n4 a6 . . . k13 d5 . . . a4 d/c . . . m3 n5 n9 a7 . . . k12 d6 . . . b4 error . . . n8 n10 n11 a8 . . . j12 d7 . . . b5 hlda . . . f2 a1 a2 a9 . . . j13 d8 . . . a5 hold . . . g1 a3 a12 a10 . . . h12 d9 . . . b6 intr . . . m9 a11 b1 a11 . . . h13 d10 . . . a6 lock . . . m5 a13 b13 a12 . . . g13 d11 . . . b7 m/io . . . l2 c13 m13 a13 . . . g12 d12 . . . a7 na . . . g2 l13 n2 a14 . . . f13 d13 . . . b8 nmi . . . m8 n1 n6 a15 . . . f12 d14 . . . a8 pereq. . . n7 n13 n12 a16 . . . e13 d15 b9 ready ... h1 a17 . . . e12 reset . . . m6 a18 . . . d12 w/r m4 a19 . . . d13 a20 . . . c12 a21 . . . b10 a22 . . . a10 a23 . . . a9 note: n/c (no connect) pins must not be connected. 5
military i386 tm sx microprocessor 1.0 pin description (continued) note: 271110 47 nc e no connect figure 1.2. i386 tm sx microprocessor pin out top view table 1.2 alphabetical pin assignments address data control n/c v cc v ss a 1 18 d 0 1 ads 16 20 8 2 a 2 51 d 1 100 bhe 19 27 9 5 a 3 52 d 2 99 ble 17 29 10 11 a 4 53 d 3 96 busy 34 30 21 12 a 5 54 d 4 95 clk2 15 31 32 13 a 6 55 d 5 94 d/c 24 43 39 14 a 7 56 d 6 93 error 36 44 42 22 a 8 58 d 7 92 flt 28 45 48 35 a 9 59 d 8 90 hlda 3 46 57 41 a 10 60 d 9 89 hold 4 47 69 49 a 11 61 d 10 88 intr 40 71 50 a 12 62 d 11 87 lock 26 84 63 a 13 64 d 12 86 m/io 23 91 67 a 14 65 d 13 83 na 69768 a 15 66 d 14 82 nmi 38 77 a 16 70 d 15 81 pereq 37 78 a 17 72 ready 785 a 18 73 reset 33 98 a 19 74 w/r 25 a 20 75 a 21 76 a 22 79 a 23 80 note: n/c (no connect) pins must not be connected. 6
military i386 tm sx microprocessor 271110 4 figure 2.1. i386 tm sx microprocessor registers 7
military i386 tm sx microprocessor introduction the i386 sx microprocessor is 100% object code compatible with the i386 dx, m286 and m8086 mi- croprocessors. system manufacturers can provide i386 dx cpu based systems optimized for perform- ance and i386 sx cpu based systems optimized for cost, both sharing the same operating systems and application software. systems based on the i386 sx cpu can access the world's largest existing micro- computer software base, including the growing 32-bit software base. only the intel386 architecture can run unix, os/2 and ms-dos. instruction pipelining, high bus bandwidth, and a very high performance alu ensure short average instruction execution times and high system throughput. the i386 sx cpu is capable of execu- tion at sustained rates of 2.5 3.0 million instructions per second. the integrated memory management unit (mmu) in- cludes an address translation cache, advanced mul- ti-tasking hardware, and a four-level hardware-en- forced protection mechanism to support operating systems. the virtual machine capability of the i386 sx cpu allows simultaneous execution of ap- plications from multiple operating systems such as ms-dos and unix. the i386 sx cpu offers on-chip testability and de- bugging features. four breakpoint registers allow conditional or unconditional breakpoint traps on code execution or data accesses for powerful de- bugging of even rom-based systems. other testa- bility features include self-test, tri-state of output buffers, and direct access to the page translation cache. 2.0 base architecture the i386 sx microprocessor consists of a central processing unit, a memory management unit and a bus interface. the central processing unit consists of the execu- tion unit and the instruction unit. the execution unit contains the eight 32-bit general purpose registers which are used for both address calculation and data operations and a 64-bit barrel shifter used to speed shift, rotate, multiply, and divide operations. the instruction unit decodes the instruction opcodes and stores them in the decoded instruction queue for immediate use by the execution unit. the memory management unit (mmu) consists of a segmentation unit and a paging unit. segmentation allows the managing of the logical address space by providing an extra addressing component, one that allows easy code and data relocatability, and effi- cient sharing. the paging mechanism operates be- neath and is transparent to the segmentation pro- cess, to allow management of the physical address space. the segmentation unit provides four levels of pro- tection for isolating and protecting applications and the operating system from each other. the hardware enforced protection allows the design of systems with a high degree of integrity. the i386 sx microprocessor has two modes of oper- ation: real address mode (real mode), and protect- ed virtual address mode (protected mode). in real mode the i386 sx microprocessor operates as a very fast m8086, but with 32-bit extensions if de- sired. real mode is required primarily to set up the processor for protected mode operation. within protected mode, software can perform a task switch to enter into tasks designated as virtual 8086 mode tasks. each such task behaves with m8086 semantics, thus allowing m8086 software (an appli- cation program or an entire operating system) to ex- ecute. the virtual 8086 tasks can be isolated and protected from one another and the host i386 sx microprocessor operating system by use of paging. finally, to facilitate high performance system hard- ware designs, the i386 sx microprocessor bus inter- face offers address pipelining and direct byte en- able signals for each byte of the data bus. 2.1 register set the i386 sx microprocessor has thirty-four registers as shown in figure 2-1. these registers are grouped into the following seven categories: general purpose registers: the eight 32-bit gen- eral purpose registers are used to contain arithmetic and logical operands. four of these (eax, ebx, ecx, and edx) can be used either in their entirety as 32-bit registers, as 16-bit registers, or split into pairs of separate 8-bit registers. segment registers: six 16-bit special purpose reg- isters select, at any given time, the segments of memory that are immediately addressable for code, stack, and data. flags and instruction pointer registers: the two 32-bit special purpose registers in figure 2.1 record or control certain aspects of the i386 sx microproc- essor state. the eflags register includes status and control bits that are used to reflect the outcome of many instructions and modify the semantics of 8
military i386 tm sx microprocessor some instructions. the instruction pointer, called eip, is 32 bits wide. the instruction pointer controls instruction fetching and the processor automatically increments it after executing an instruction. control registers: the four 32-bit control registers are used to control the global nature of the i386 sx microprocessor. the cr0 register contains bits that set the different processor modes (protected, real, paging and coprocessor emulation). cr2 and cr3 registers are used in the paging operation. system address registers: these four special registers reference the tables or segments support- ed by the m80286/i386 sx/i386 dx cpu's protec- tion model. these tables or segments are: gdtr (global descriptor table register), idtr (interrupt descriptor table register), ldtr (local descriptor table register), tr (task state segment register). debug registers: the six programmer accessible debug registers provide on-chip support for debug- ging. the use of the debug registers is described in section 2.10 debugging support . test registers: two registers are used to control the testing of the ram/cam (content addressable memories) in the translation lookaside buffer por- tion of the i386 sx microprocessor. their use is dis- cussed in testability . eflags register the flag register is a 32-bit register named eflags. the defined bits and bit fields within eflags, shown in figure 2.2, control certain operations and indicate the status of the i386 sx microprocessor. the lower 16 bits (bits 0 15) of eflags contain the 16- bit flag register named flags. this is the de- fault flag register used when executing m8086, m80286, or real mode code. the functions of the flag bits are given in table 2.1. 271110 5 figure 2.2. status and control register bit functions 9
military i386 tm sx microprocessor table 2.1. flag definitions bit position name function 0 cf carry flageset on high-order bit carry or borrow; cleared otherwise. 2 pf parity flageset if low-order 8 bits of result contain an even number of 1-bits; cleared otherwise. 4 af auxiliary carry flageset on carry from or borrow to the low order four bits of al; cleared otherwise. 6 zf zero flageset if result is zero; cleared otherwise. 7 sf sign flageset equal to high-order bit of result (0 if positive, 1 if negative). 8 tf single step flageonce set, a single step interrupt occurs after the next instruction executes. tf is cleared by the single step interrupt. 9 if interrupt-enable flagewhen set, maskable interrupts will cause the cpu to transfer control to an interrupt vector specified location. 10 df direction flagecauses string instructions to auto-increment (default) the appropriate index registers when cleared. setting df causes auto- decrement. 11 of overflow flageset if the operation resulted in a carry/borrow into the sign bit (high-order bit) of the result but did not result in a carry/borrow out of the high-order bit or vice-versa. 12, 13 iopl i/o privilege leveleindicates the maximum cpl permitted to execute i/o instructions without generating an exception 13 fault or consulting the i/o permission bit map while executing in protected mode. for virtual 86 mode it indicates the maximum cpl allowing alteration of the if bit. 14 nt nested taskeindicates that the execution of the current task is nested within another task. 16 rf resume flageused in conjunction with debug register breakpoints. it is checked at instruction boundaries before breakpoint processing. if set, any debug fault is ignored on the next instruction. 17 vm virtual 8086 modeeif set while in protected mode, the i386 sx microprocessor will switch to virtual 8086 operation, handling segment loads as the 8086 does, but generating exception 13 faults on privileged opcodes. 1 set bit to one. 3, 5, 15 set bits to zero. 10
military i386 tm sx microprocessor control registers the i386 sx microprocessor has three control registers of 32 bits, cr0, cr2 and cr3, to hold the machine state of a global nature. these registers are shown in figures 2.1 and 2.2. the defined cr0 bits are described in table 2.2. table 2.2. cr0 definitions bit position name function 0 pe protection mode enableeplaces the i386 sx microprocessor into protected mode. if pe is reset, the processor operates again in real mode. pe may be set by loading msw or cr0. pe can be reset only by loading cr0, it cannot be reset by the lmsw instruction. 1 mp monitor coprocessor extensioneallows wait instructions to cause a processor extension not present exception (number 7). 2 em emulate processor extensionecauses a processor extension not present exception (number 7) on esc instructions to allow emulating a processor extension. 3 ts task switchedeindicates the next instruction using a processor extension will cause exception 7, allowing software to test whether the current processor extension context belongs to the current task. 31 pg paging enable biteis set to enable the on-chip paging unit. it is reset to disable the on-chip paging unit. 4 set bit to zero. 2.2 instruction set the instruction set is divided into nine categories of operations: data transfer arithmetic shift/rotate string manipulation bit manipulation control transfer high level language support operating system support processor control these instructions are listed in table 9.1 instruc- tion set clock count summary . all i386 sx microprocessor instructions operate on either 0, 1, 2 or 3 operands; an operand resides in a register, in the instruction itself, or in memory. most zero operand instructions (e.g cli, sti) take only one byte. one operand instructions generally are two bytes long. the average instruction is 3.2 bytes long. since the i386 sx microprocessor has a 16 byte prefetch instruction queue, an average of 5 instructions will be prefetched. the use of two oper- ands permits the following types of common instruc- tions: register to register memory to register immediate to register memory to memory register to memory immediate to memory. 11
military i386 tm sx microprocessor the operands can be either 8, 16, or 32 bits long. as a general rule, when executing code written for the i386 sx microprocessor (32-bit code), operands are 8 bits or 32 bits; when executing existing m8086 or m80286 code (16-bit code), operands are 8 bits or 16 bits. prefixes can be added to all instructions which override the default length of the operands (i.e. use 32-bit operands for 16-bit code, or 16-bit operands for 32-bit code). 2.3 memory organization memory on the i386 sx microprocessor is divided into 8-bit quantities (bytes), 16-bit quantities (words), and 32-bit quantities (dwords). words are stored in two consecutive bytes in memory with the low-order byte at the lowest address. dwords are stored in four consecutive bytes in memory with the low-order byte at the lowest address. the address of a word or dword is the byte address of the low-order byte. in addition to these basic data types, the i386 sx microprocessor supports two larger units of memory: segments and pages. memory can be divided up into one or more variable length segments, which can be swapped to disk or shared between pro- grams. memory can also be organized into one or more 4k byte pages. finally, both segmentation and paging can be combined, gaining the advantages of both systems. the i386 sx microprocessor supports both segmentation and pages in order to provide maximum flexibility to the system designer. segmen- tation and paging are complementary. segmentation is useful for organizing memory in logical modules, and as such is a tool for the application programmer, while pages are useful to the system programmer for managing the physical memory of a system. address spaces the i386 sx microprocessor has three types of ad- dress spaces: logical , linear , and physical .a logi- cal address (also known as a virtual address) con- sists of a selector and an offset. a selector is the contents of a segment register. an offset is formed by summing all of the addressing components (base, index, displacement), discussed in sec- tion 2.4 addressing modes , into an effective ad- dress. this effective address along with the selector is known as the logical address. since each task on the i386 sx microprocessor has a maximum of 16k (2 14 b 1) selectors, and offsets can be 4 gigabytes (with paging enabled) this gives a total of 2 46 bits, or 64 terabytes, of logical address space per task. the programmer sees the logical address space. the segmentation unit translates the logical ad- dress space into a 32-bit linear address space. if the paging unit is not enabled then the 32-bit linear ad- dress is truncated into a 24-bit physical address. the physical address is what appears on the ad- dress pins. the primary differences between real mode and protected mode are how the segmentation unit per- forms the translation of the logical address into the linear address, size of the address space, and pag- ing capability. in real mode, the segmentation unit shifts the selector left four bits and adds the result to the effective address to form the linear address. this linear address is limited to 1 megabyte. in addi- tion, real mode has no paging capability. protected mode will see one of two different ad- dress spaces, depending on whether or not paging is enabled. every selector has a logical base ad- dress associated with it that can be up to 32 bits in length. this 32-bit logical base address is added to the effective address to form a final 32-bit linear 12
military i386 tm sx microprocessor 271110 6 figure 2.3. address translation address. if paging is disabled this final linear ad- dress reflects physical memory and is truncated so that only the lower 24 bits of this address are used to address the 16 megabyte memory address space. if paging is enabled this final linear address reflects a 32-bit address that is translated through the pag- ing unit to form a 16-megabyte physical address. the logical base address is stored in one of two operating system tables (i.e. the local descriptor table or global descriptor table). figure 2.3 shows the relationship between the vari- ous address spaces. segment register usage the main data structure used to organize memory is the segment. on the i386 sx microprocessor, seg- ments are variable sized blocks of linear addresses which have certain attributes associated with them. there are two main types of segments, code and data. the segments are of variable size and can be as small as 1 byte or as large as 4 gigabytes (2 32 bits). in order to provide compact instruction encoding and increase processor performance, instructions do not need to explicitly specify which segment reg- ister is used. the segment register is automatically chosen according to the rules of table 2.3 (segment register selection rules). in general, data refer- ences use the selector contained in the ds register, stack references use the ss register and instruction fetches use the cs register. the contents of the in- struction pointer provide the offset. special segment override prefixes allow the explicit use of a given segment register, and override the implicit rules list- ed in table 2.3. the override prefixes also allow the use of the es, fs and gs segment registers. there are no restrictions regarding the overlapping of the base addresses of any segments. thus, all 6 segments could have the base address set to zero and create a system with a four gigabyte linear ad- dress space. this creates a system where the virtual address space is the same as the linear address space. further details of segmentation are dis- cussed in section 4, protected mode archi- tecture . 2.4 addressing modes the i386 sx microprocessor provides a total of 8 addressing modes for instructions to specify oper- ands. the addressing modes are optimized to allow the efficient execution of high level languages such as c and fortran, and they cover the vast majori- ty of data references needed by high-level lan- guages. register and immediate modes two of the addressing modes provide for instruc- tions that operate on register or immediate oper- ands: 13
military i386 tm sx microprocessor table 2.3. segment register selection rules type of implied (default) segment override memory reference segment use prefixes possible code fetch cs none destination of push, pushf, int, call, pusha instructons ss none source of pop, popa, popf, iret, ret instructions ss none destination of stos, move, rep stos, and rep movs instructions es none other data references, with effective address using base register of: [ eax ] ds cs,ss,es,fs,gs [ ebx ] ds cs,ss,es,fs,gs [ ecx ] ds cs,ss,es,fs,gs [ edx ] ds cs,ss,es,fs,gs [ esi ] ds cs,ss,es,fs,gs [ edi ] ds cs,ss,es,fs,gs [ ebp ] ss cs,ds,es,fs,gs [ esp ] ss cs,ds,es,fs,gs register operand mode: the operand is located in one of the 8, 16 or 32-bit general registers. immediate operand mode: the operand is includ- ed in the instruction as part of the opcode. 32-bit memory addressing modes the remaining 6 modes provide a mechanism for specifying the effective address of an operand. the linear address consists of two components: the seg- ment base address and an effective address. the effective address is calculated by summing any combination of the following three address elements (see figure 2.3): displacement: an 8-, 16- or 32-bit immediate val- ue, following the instruction. base: the contents of any general purpose regis- ter. the base registers are generally used by compil- ers to point to the start of the local variable area. index: the contents of any general purpose regis- ter except for esp. the index registers are used to access the elements of an array, or a string of char- acters. the index register's value can be multiplied by a scale factor, either 1, 2, 4 or 8. the scaled index is especially useful for accessing arrays or struc- tures. combinations of these 3 components make up the 6 additional addressing modes. there is no perform- ance penalty for using any of these addressing com- binations, since the effective address calculation is pipelined with the execution of other instructions. the one exception is the simultaneous use of base and index components which requires one addition- al clock. as shown in figure 2.4, the effective address (ea) of an operand is calculated according to the following formula: ea e base register a (index register * scaling) a displacement 1. direct mode: the operand's offset is contained as part of the instruction as an 8-, 16- or 32-bit displacement. 2. register indirect mode: a base register con- tains the address of the operand. 3. based mode: a base register's contents are added to a displacement to form the oper- and's offset. 4. scaled index mode: an index register's con- tents are multiplied by a scaling factor, and the result is added to a displacement to form the operand's offset. 14
military i386 tm sx microprocessor 271110 7 figure 2.4. addressing mode calculations 5. based scaled index mode: the contents of an index register are multiplied by a scaling fac- tor, and the result is added to the contents of a base register to obtain the operand's offset. 6. based scaled index mode with displacement: the contents of an index register are multiplied by a scaling factor, and the result is added to the contents of a base register and a displace- ment to form the operand's offset. differences between 16-bit and 32-bit addresses in order to provide software compatibility with the m8086 and the m80286, the i386 sx microproces- sor can execute 16-bit instructions in real and pro- tected modes. the processor determines the size of the instructions it is executing by examining the d bit in a segment descriptor. if the d bit is 0 then all operand lengths and effective addresses are as- sumed to be 16 bits long. if the d bit is 1 then the default length for operands and addresses is 32 bits. in real mode the default size for operands and ad- dresses is 16 bits. regardless of the default precision of the operands or addresses, the i386 sx microprocessor is able to execute either 16- or 32-bit instructions. this is specified through the use of override prefixes. two prefixes, the operand length prefix and the ad- dress length prefix , override the value of the d bit on an individual instruction basis. these prefixes are automatically added by assemblers. the operand length and address length prefixes can be applied separately or in combination to any instruction. the address length prefix does not al- low addresses over 64 kbytes to be accessed in real mode. a memory address which exceeds 0ffffh will result in a general protection fault. an address length prefix only allows the use of the ad- ditional i386 sx microprocessor addressing modes. when executing 32-bit code, the i386 sx microproc- essor uses either 8- or 32-bit displacements, and any register can be used as base or index registers. when executing 16-bit code, the displacements are either 8- or 16-bits, and the base and index register conform to the m80286 model. table 2.4 illustrates the differences. 15
military i386 tm sx microprocessor table 2.4. base and index registers for 16- and 32-bit addresses 16-bit addressing 32-bit addressing base register bx,bp any 32-bit gp register index register si,di any 32-bit gp register except esp scale factor none 1, 2, 4, 8 displacement 0, 8, 16-bits 0, 8, 32-bits 2.5 data types the i386 sx microprocessor supports all of the data types commonly used in high level languages: bit: a single bit quantity. bit field: a group of up to 32 contiguous bits, which spans a maximum of four bytes. bit string: a set of contiguous bits; on the i386 sx microprocessor, bit strings can be up to 4 gigabits long. byte: a signed 8-bit quantity. unsigned byte: an unsigned 8-bit quantity. integer (word): a signed 16-bit quantity. long integer (double word): a signed 32-bit quan- tity. all operations assume a 2's complement repre- sentation. unsigned integer (word): an unsigned 16-bit quantity. unsigned long integer (double word): an un- signed 32-bit quantity. signed quad word: a signed 64-bit quantity. unsigned quad word: an unsigned 64-bit quantity. pointer: a 16- or 32-bit offset-only quantity which indirectly references another memory location. long pointer: a full pointer which consists of a 16-bit segment selector and either a 16- or 32-bit offset. char: a byte representation of an ascii alphanu- meric or control character. string: a contiguous sequence of bytes, words or dwords. a string may contain between 1 byte and 4 gigabytes bcd: a byte (unpacked) representation of decimal digits 0 9. packed bcd: a byte (packed) representation of two decimal digits 0 9 storing one digit in each nibble. when the i386 sx microprocessor is coupled with its numerics coprocessor, the i387 sx, then the follow- ing common floating point types are supported: floating point: a signed 32-, 64-, or 80-bit real num- ber representation. floating point numbers are sup- ported by the i387 sx numerics coprocessor. figure 2.5 illustrates the data types supported by the i386 sx microprocessor and the i387 sx numerics coprocessor. 2.6 i/o space the i386 sx microprocessor has two distinct physi- cal address spaces: physical memory and i/o. gen- erally, peripherals are placed in i/o space although the i386 sx microprocessor also supports memory- mapped peripherals. the i/o space consists of 64 kbytes which can be divided into 64k 8-bit ports or 32k 16-bit ports, or any combination of ports which add up to no more than 64 kbytes. the 64k i/o address space refers to physical addresses rather than linear addresses since i/o instructions do not go through the segmentation or paging hardware. the m/io pin acts as an additional address line, thus allowing the system designer to easily deter- mine which address space the processor is access- ing. the i/o ports are accessed by the in and out in- structions, with the port address supplied as an im- mediate 8-bit constant in the instruction or in the edx register. all 8-bit and 16-bit port addresses are zero extended on the upper address lines. the i/o instructions cause the m/io pin to be driven low. i/o port addresses 00f8h through 00ffh are re- served for use by intel. 16
military i386 tm sx microprocessor 271110 8 figure 2.5. i386 tm sx microprocessor supported data types 17
military i386 tm sx microprocessor table 2.5. interrupt vector assignments return address interrupt instruction which points to function number can cause faulting type exception instruction divide error 0 div, idiv yes fault debug exception 1 any instruction yes trap * nmi interrupt 2 int 2 or nmi no nmi one byte interrupt 3 int no trap interrupt on overflow 4 into no trap array bounds check 5 bound yes fault invalid op-code 6 any illegal instruction yes fault device not available 7 esc, wait yes fault double fault 8 any instruction that can abort generate an exception coprocessor segment overrun 9 esc no abort invalid tss 10 jmp, call, iret, int yes fault segment not present 11 segment register instructions yes fault stack fault 12 stack references yes fault general protection fault 13 any memory reference yes fault page fault 14 any memory access or code fetch yes fault coprocessor error 16 esc, wait yes fault intel reserved 17 32 two byte interrupt 0 255 int n no trap * some debug exceptions may report both traps on the previous instruction and faults on the next instruction. 2.7 interrupts and exceptions interrupts and exceptions alter the normal program flow in order to handle external events, report errors or exceptional conditions. the difference between interrupts and exceptions is that interrupts are used to handle asynchronous external events while ex- ceptions handle instruction faults. although a pro- gram can generate a software interrupt via an int n instruction, the processor treats software interrupts as exceptions. hardware interrupts occur as the result of an exter- nal event and are classified into two types: maskable or non-maskable. interrupts are serviced after the execution of the current instruction. after the inter- rupt handler is finished servicing the interrupt, exe- cution proceeds with the instruction immediately af- ter the interrupted instruction. exceptions are classified as faults, traps, or aborts, depending on the way they are reported and wheth- er or not restart of the instruction causing the excep- tion is supported. faults are exceptions that are de- tected and serviced before the execution of the faulting instruction. traps are exceptions that are reported immediately after the execution of the in- struction which caused the problem. aborts are ex- ceptions which do not permit the precise location of the instruction causing the exception to be deter- mined. thus, when an interrupt service routine has been completed, execution proceeds from the instruction immediately following the interrupted instruction. on the other hand, the return address from an excep- tion fault routine will always point to the instruction causing the exception and will include any leading instruction prefixes. table 2.5 summarizes the possi- ble interrupts for the i386 sx microprocessor and shows where the return address points to. 18
military i386 tm sx microprocessor the i386 sx microprocessor has the ability to han- dle up to 256 different interrupts/exceptions. in or- der to service the interrupts, a table with up to 256 interrupt vectors must be defined. the interrupt vec- tors are simply pointers to the appropriate interrupt service routine. in real mode, the vectors are 4-byte quantities, a code segment plus a 16-bit offset; in protected mode, the interrupt vectors are 8 byte quantities, which are put in an interrupt descriptor table. of the 256 possible interrupts, 32 are re- served for use by intel and the remaining 224 are free to be used by the system designer. interrupt processing when an interrupt occurs, the following actions hap- pen. first, the current program address and flags are saved on the stack to allow resumption of the interrupted program. next, an 8-bit vector is supplied to the i386 sx microprocessor which identifies the appropriate entry in the interrupt table. the table contains the starting address of the interrupt service routine. then, the user supplied interrupt service routine is executed. finally, when an iret instruc- tion is executed the old processor state is restored and program execution resumes at the appropriate instruction. the 8-bit interrupt vector is supplied to the i386 sx microprocessor in several different ways: exceptions supply the interrupt vector internally; software int instructions contain or imply the vector; maskable hardware interrupts supply the 8-bit vector via the interrupt acknowledge bus sequence. non-maska- ble hardware interrupts are assigned to interrupt vector 2. maskable interrupt maskable interrupts are the most common way to respond to asynchronous external hardware events. a hardware interrupt occurs when the intr is pulled high and the interrupt flag bit (if) is enabled. the processor only responds to interrupts between in- structions (string instructions have an ``interrupt win- dow'' between memory moves which allows inter- rupts during long string moves). when an interrupt occurs the processor reads an 8-bit vector supplied by the hardware which identifies the source of the interrupt (one of 224 user defined interrupts). interrupts through interrupt gates automatically reset if, disabling intr requests. interrupts through trap gates leave the state of the if bit unchanged. inter- rupts through a task gate change the if bit accord- ing to the image of the eflags register in the task's task state segment (tss). when an iret instruc- tion is executed, the original state of the if bit is restored. non-maskable interrupt non-maskable interrupts provide a method of servic- ing very high priority interrupts. when the nmi input is pulled high it causes an interrupt with an internal- ly supplied vector value of 2. unlike a normal hard- ware interrupt, no interrupt acknowledgment se- quence is performed for an nmi. while executing the nmi servicing procedure, the i386 sx microprocessor will not service any further nmi request or int requests until an interrupt return (iret) instruction is executed or the processor is reset. if nmi occurs while currently servicing an nmi, its presence will be saved for servicing after execut- ing the first iret instruction. the if bit is cleared at the beginning of an nmi interrupt to inhibit further intr interrupts. software interrupts a third type of interrupt/exception for the i386 sx microprocessor is the software interrupt. an int n instruction causes the processor to execute the in- terrupt service routine pointed to by the n th vector in the interrupt table. a special case of the two byte software interrupt int n is the one byte int 3, or breakpoint interrupt. by inserting this one byte instruction in a program, the user can set breakpoints in his program as a debug- ging tool. a final type of software interrupt is the single step interrupt. it is discussed in single step trap . 19
military i386 tm sx microprocessor interrupt and exception priorities interrupts are externally generated events. maska- ble interrupts (on the intr input) and non-maskable interrupts (on the nmi input) are recognized at in- struction boundaries. when nmi and maskable intr are both recognized at the same instruction boundary, the i386 sx microprocessor invokes the nmi service routine first. if maskable interrupts are still enabled after the nmi service routine has been invoked, then the i386 sx microprocessor will in- voke the appropriate interrupt service routine. as the i386 sx microprocessor executes instruc- tions, it follows a consistent cycle in checking for exceptions, as shown in table 2.6. this cycle is re- peated as each instruction is executed, and occurs in parallel with instruction decoding and execution. instruction restart the i386 sx microprocessor fully supports restarting all instructions after faults. if an exception is detect- ed in the instruction to be executed (exception cate- gories 4 through 10 in table 2.6), the i386 sx micro- processor invokes the appropriate exception service routine. the i386 sx microprocessor is in a state that permits restart of the instruction, for all cases but those given in table 2.7. note that all such cas- es will be avoided by a properly designed operating system. table 2.6. sequence of exception checking consider the case of the i386 sx microprocessor having just completed an instruction. it then performs the following checks before reaching the point where the next instruction is completed: 1. check for exception 1 traps from the instruction just completed (single-step via trap flag, or data breakpoints set in the debug registers). 2. check for external nmi and intr. 3. check for exception 1 faults in the next instruction (instruction execution breakpoint set in the debug registers for the next instruction). 4. check for segmentation faults that prevented fetching the entire next instruction (exceptions 11 or 13). 5. check for page faults that prevented fetching the entire next instruction (exception 14). 6. check for faults decoding the next instruction (exception 6 if illegal opcode; exception 6 if in real mode or in virtual 8086 mode and attempting to execute an instruction for protected mode only; or exception 13 if instruction is longer than 15 bytes, or privilege violation in protected mode (i.e. not at iopl or at cpl e 0). 7. if wait opcode, check if ts e 1 and mp e 1 (exception 7 if both are 1). 8. if escape opcode for numeric coprocessor, check if em e 1orts e 1 (exception 7 if either are 1). 9. if wait opcode or escape opcode for numeric coprocessor, check error input signal (exception 16 if error input is asserted). 10. check in the following order for each memory reference required by the instruction: a. check for segmentation faults that prevent transferring the entire memory quantity (exceptions 11, 12, 13). b. check for page faults that prevent transferring the entire memory quantity (exception 14). note: segmentation exceptions are generated before paging exceptions. table 2.7. conditions preventing instruction restart 1. an instruction causes a task switch to a task whose task state segment is partially ``not present'' (an entirely ``not present'' tss is restartable). partially present tss's can be avoided either by keeping the tss's of such tasks present in memory, or by aligning tss segments to reside entirely within a single 4k page (for tss segments of 4 kbytes or less). 2. a coprocessor operand wraps around the top of a 64 kbyte segment o r a 4 gbyte segment, and spans three pages, and the page holding the middle portion of the operand is ``not present''. this condition can be avoided by starting at a page boundary any segments containing coprocessor operands if the segments are approximately 64k-200 bytes or larger (i.e. large enough for wraparound of the coproces- sor operand to possibly occur). note that these conditions are avoided by using the operating system designs mentioned in this table. 20
military i386 tm sx microprocessor table 2.8. register values after reset flag word (eflags) uuuu0002h note 1 machine status word (cr0) uuuuuu10h instruction pointer (eip) 0000fff0h code segment (cs) f000h note 2 data segment (ds) 0000h note 3 stack segment (ss) 0000h extra segment (es) 0000h note 3 extra segment (fs) 0000h extra segment (gs) 0000h eax register 0000h note 4 edx register component and stepping id note 5 all other registers undefined note 6 notes: 1. eflag register. the upper 14 bits of the eflags register are undefined, all defined flag bits are zero. 2. the code segment register (cs) will have its base address set to 0ffff0000h and limit set to 0ffffh. 3. the data and extra segment registers (ds, es) will have their base address set to 000000000h and limit set to 0ffffh. 4. if self-test is selected, the eax register should contai n a 0 value. if a value of 0 is not found then the self-test has detected a flaw in the part. 5. edx register always holds component and stepping identifier. 6. all undefined bits are intel reserved and should not be used. double fault a double fault (exception 8) results when the proc- essor attempts to invoke an exception service rou- tine for the segment exceptions (10, 11, 12 or 13), but in the process of doing so detects an exception other than a page fault (exception 14). one other cause of generating a double fault is the i386 sx microprocessor detecting any other excep- tion when it is attempting to invoke the page fault (exception 14) service routine (for example, if a page fault is detected when the i386 sx microprocessor attempts to invoke the page fault service routine). of course, in any functional system, not only in i386 sx microprocessor-based systems, the entire page fault service routine must remain ``present'' in mem- ory. 2.8 reset and initialization when the processor is initialized or reset the regis- ters have the values shown in table 2.8. the i386 sx microprocessor will then start executing instruc- tions near the top of physical memory, at location 0fffff0h. when the first intersegment jump or call is executed, address lines a 20 a 23 will drop low for cs-relative memory cycles, and the i386 sx microprocessor will only execute instructions in the lower one megabyte of physical memory. this allows the system designer to use a shadow rom at the top of physical memory to initialize the system and take care of resets. reset forces the i386 sx microprocessor to termi- nate all execution and local bus activity. no instruc- tion execution or bus activity will occur as long as reset is active. between 350 and 450 clk2 periods after reset becomes inactive, the i386 sx micro- processor will start executing instructions at the top of physical memory. 2.9 testability the i386 sx microprocessor, like the i386 micro- processor, offers testability features which include a self-test and direct access to the page translation cache. self-test the i386 sx microprocessor has the capability to perform a self-test. the self-test checks the function of all of the control rom and most of the non-ran- dom logic of the part. approximately one-half of the i386 sx microprocessor can be tested during self- test. self-test is initiated on the i386 sx microprocessor when the reset pin transitions from high to low, and the busy pin is low. the self-test takes about 2 20 clocks, or approximately 33 milliseconds with a 16 mhz i386 sx cpu. at the completion of self-test the processor performs reset and begins normal op- eration. the part has successfully passed self-test if the contents of the eax are zero. if the results of the eax are not zero then the self-test has detected a flaw in the part. 21
military i386 tm sx microprocessor 271110 9 figure 2.6. test registers tlb testing the i386 sx microprocessor also provides a mecha- nism for testing the translation lookaside buffer (tlb) if desired. this particular mechanism may not be continued in the same way in future processors. there are two tlb testing operations: 1) writing en- tries into the tlb, and, 2) performing tlb lookups. two test registers, shown in figure 2.6, are provid- ed for the purpose of testing. tr6 is the ``test com- mand register'', and tr7 is the ``test data register''. 2.10 debugging support the i386 sx microprocessor provides several fea- tures which simplify the debugging process. the three categories of on-chip debugging aids are: 1. the code execution breakpoint opcode (0cch). 2. the single-step capability provided by the tf bit in the flag register. 3. the code and data breakpoint capability provided by the debug registers dr0 3, dr6, and dr7. breakpoint instruction a single-byte software interrupt (int 3) breakpoint in- struction is available for use by software debuggers. the breakpoint opcode is 0cch, and generates an exception 3 trap when executed. single-step trap if the single-step flag (tf, bit 8) in the eflag regis- ter is found to be set at the end of an instruction, a single-step exception occurs. the single-step ex- ception is auto vectored to exception number 1. debug registers the debug registers are an advanced debugging feature of the i386 sx microprocessor. they allow data access breakpoints as well as code execution breakpoints. since the breakpoints are indicated by on-chip registers, an instruction execution break- point can be placed in rom code or in code shared by several tasks, neither of which can be supported by the int 3 breakpoint opcode. the i386 sx microprocessor contains six debug registers, consisting of four breakpoint address reg- isters and two breakpoint control registers. initially after reset, breakpoints are in the disabled state; therefore, no breakpoints will occur unless the de- bug registers are programmed. breakpoints set up in the debug registers are auto-vectored to exception 1. figure 2.7 shows the breakpoint status and con- trol registers. 22
military i386 tm sx microprocessor 271110 10 figure 2.7. debug registers 3.0 real mode architecture when the processor is reset or powered up it is ini- tialized in real mode. real mode has the same base architecture as the m8086, but allows access to the 32-bit register set of the i386 sx microprocessor. the addressing mechanism, memory size, and inter- rupt handling are all identical to the real mode on the m80286. the default operand size in real mode is 16 bits, as in the m8086. in order to use the 32-bit registers and addressing modes, override prefixes must be used. in addition, the segment size on the i386 sx micro- processor in real mode is 64 kbytes so 32-bit ad- dresses must have a value less then 0000ffffh. the primary purpose of real mode is to set up the processor for protected mode operation. 3.1 memory addressing in real mode the linear addresses are the same as physical addresses (paging is not allowed). physical addresses are formed in real mode by adding the contents of the appropriate segment register which is shifted left by four bits to an effective address. this addition results in a 20-bit physical address or a 1 megabyte address space. since segment registers are shifted left by 4 bits, real mode segments al- ways start on 16-byte boundaries. all segments in real mode are exactly 64 kbytes long, and may be read, written, or executed. the i386 sx microprocessor will generate an exception 13 if a data operand or instruction fetch occurs past the end of a segment. 23
military i386 tm sx microprocessor table 3.1. exceptions in real mode function interrupt related return number instructions address location interrupt table limit 8 int vector is not before too small within table limit instruction cs, ds, es, fs, gs 13 word memory reference before segment overrun exception with offset e 0ffffh. instruction an attempt to execute past the end of cs segment. ss segment overrun 12 stack reference before exception beyond offset e 0ffffh instruction 3.2 reserved locations there are two fixed areas in memory which are re- served in real address mode: the system initializa- tion area and the interrupt table area. locations 00000h through 003ffh are reserved for interrupt vectors. each one of the 256 possible interrupts has a 4-byte jump vector reserved for it. locations 0fffff0h through 0ffffffh are reserved for sys- tem initialization. 3.3 interrupts many of the exceptions discussed in section 2.7 are not applicable to real mode operation; in particular, exceptions 10, 11 and 14 do not occur in real mode. other exceptions have slightly different meanings in real mode; table 3.1 identifies these exceptions. 3.4 shutdown and halt the hlt instruction stops program execution and prevents the processor from using the local bus until restarted. either nmi, intr with interrupts enabled (if e 1), or reset will force the i386 sx microproc- essor out of halt. if interrupted, the saved cs:ip will point to the next instruction after the hlt. shutdown will occur when a severe error is detected that prevents further processing. in real mode, shutdown can occur under two conditions: 1. an interrupt or an exception occurs (exceptions 8 or 13) and the interrupt vector is larger than the interrupt descriptor table. 2. a call, int or push instruction attempts to wrap around the stack segment when sp is not even. an nmi input can bring the processor out of shut- down if the interrupt descriptor table limit is large enough to contain the nmi interrupt vector (at least 000fh) and the stack has enough room to contain the vector and flag information (i.e. sp is greater that 0005h). otherwise, shutdown can only be exited by a processor reset. 3.5 lock operation the lock prefix on the i386 sx microprocessor, even in real mode, is more restrictive than on the m80286. this is due to the addition of paging on the i386 sx microprocessor in protected mode and vir- tual m8086 mode. the lock prefix is not supported during repeat string instructions. the only instruction forms where the lock prefix is legal on the i386 sx microprocessor are shown in table 3.2. table 3.2. legal instructions for the lock prefix opcode operands (dest, source) bit test and set/reset mem, reg/immediate /complement xchg reg, mem xchg mem, reg add, or, adc, sbb, and, sub, xor mem, reg/immediate not, neg, inc, dec mem an exception 6 will be generated if a lock prefix is placed before any instruction form or opcode not listed above. the lock prefix allows indivisible read/modify/write operations on memory operands using the instructions above. the lock prefix is not iopl-sensitive on the i386 sx microprocessor. the lock prefix can be used at any privilege level, but only on the instruction forms listed in table 3.2. 24
military i386 tm sx microprocessor 4.0 protected mode architecture the complete capabilities of the i386 sx microproc- essor are unlocked when the processor operates in protected virtual address mode (protected mode). protected mode vastly increases the linear address space to four gigabytes (2 32 bytes) and allows the running of virtual memory programs of almost unlim- ited size (64 terabytes (2 46 bytes)). in addition, pro- tected mode allows the i386 sx microprocessor to run all of the existing i386 dx cpu (using only 16 megabytes of physical memory), m80286 and m8086 cpu's software, while providing a sophisti- cated memory management and a hardware-assist- ed protection mechanism. protected mode allows the use of additional instructions specially optimized for supporting multitasking operating systems. the base architecture of the i386 sx microprocessor re- mains the same; the registers, instructions, and ad- dressing modes described in the previous sections are retained. the main difference between protect- ed mode and real mode from a programmer's view- point is the increased address space and a different addressing mechanism. 4.1 addressing mechanism like real mode, protected mode uses two compo- nents to form the logical address; a 16-bit selector is used to determine the linear base address of a seg- ment, the base address is added to a 32-bit effective address to form a 32-bit linear address. the linear address is then either used as a 24-bit physical ad- dress, or if paging is enabled the paging mechanism maps the 32-bit linear address into a 24-bit physical address. the difference between the two modes lies in calcu- lating the base address. in protected mode, the se- lector is used to specify an index into an operating system defined table (see figure 4.1). the table contains the 32-bit base address of a given seg- ment. the physical address is formed by adding the base address obtained from the table to the offset. paging provides an additional memory management mechanism which operates only in protected mode. paging provides a means of managing the very large segments of the i386 sx microprocessor, as paging operates beneath segmentation. the page mecha- nism translates the protected linear address which comes from the segmentation unit into a physical address. figure 4.2 shows the complete i386 sx mi- croprocessor addressing mechanism with paging enabled. 4.2 segmentation segmentation is one method of memory manage- ment. segmentation provides the basis for protec- tion. segments are used to encapsulate regions of memory which have common attributes. for exam- ple, all of the code of a given program could be con- tained in a segment, or an operating system table may reside in a segment. all information about each segment is stored in an 8 byte data structure called a descriptor. all of the descriptors in a system are contained in descriptor tables which are recognized by hardware. terminology the following terms are used throughout the discus- sion of descriptors, privilege levels and protection: pl: privilege leveleone of the four hierarchical privilege levels. level 0 is the most privileged level and level 3 is the least privileged. rpl: requestor privilege levelethe privilege level of the original supplier of the selector. rpl is determined by the least two significant bits of a selector. dpl: descriptor privilege levelethis is the least privileged level at which a task may access that descriptor (and the segment associated with that descriptor). descriptor privilege lev- el is determined by bits 6:5 in the access right byte of a descriptor. cpl: current privilege levelethe privilege level at which a task is currently executing, which equals the privilege level of the code segment being executed. cpl can also be determined by examining the lowest 2 bits of the cs regis- ter, except for conforming code segments. epl: effective privilege levelethe effective privi- lege level is the least privileged of the rpl and the dpl. epl is the numerical maximum of rpl and dpl. task: one instance of the execution of a program. tasks are also referred to as processes. descriptor tables the descriptor tables define all of the segments which are used in a i386 sx microprocessor system. there are three types of tables which hold descrip- tors: the global descriptor table, local descriptor table, and the interrupt descriptor table. all of the tables are variable length memory arrays and can vary in size from 8 bytes to 64 kbytes. each table can hold up to 8192 8-byte descriptors. the upper 13 bits of a selector are used as an index into the descriptor table. the tables have registers associat- ed with them which hold the 32-bit linear base ad- dress and the 16-bit limit of each table. 25
military i386 tm sx microprocessor 271110 11 figure 4.1. protected mode addressing 271110 12 figure 4.2. paging and segmentation 271110 13 figure 4.3. descriptor table registers 26
military i386 tm sx microprocessor each of the tables has a register associated with it: gdtr, ldtr, and idtr; see figure 2.1. the lgdt, lldt, and lidt instructions load the base and limit of the global, local, and interrupt descriptor tables into the appropriate register. the sgdt, sldt, and sidt store the base and limit values. these are priv- ileged instructions. global descriptor table the global descriptor table (gdt) contains de- scriptors which are available to all of the tasks in a system. the gdt can contain any type of segment descriptor except for interrupt and trap descriptors. every i386 sx cpu system contains a gdt. the first slot of the global descriptor table corre- sponds to the null selector and is not used. the null selector defines a null pointer value. local descriptor table ldts contain descriptors which are associated with a given task. generally, operating systems are de- signed so that each task has a separate ldt. the ldt may contain only code, data, stack, task gate, and call gate descriptors. ldts provide a mecha- nism for isolating a given task's code and data seg- ments from the rest of the operating system, while the gdt contains descriptors for segments which are common to all tasks. a segment cannot be ac- cessed by a task if its segment descriptor does not exist in either the current ldt or the gdt. this pro- vides both isolation and protection for a task's seg- ments while still allowing global data to be shared among tasks. unlike the 6-byte gdt or idt registers which contain a base address and limit, the visible portion of the ldt register contains only a 16-bit selector. this se- lector refers to a local descriptor table descriptor in the gdt (see figure 2.1). interrupt descriptor table the third table needed for i386 sx microprocessor systems is the interrupt descriptor table. the idt contains the descriptors which point to the location of the up to 256 interrupt service routines. the idt may contain only task gates, interrupt gates, and trap gates. the idt should be at least 256 bytes in size in order to hold the descriptors for the 32 intel reserved interrupts. every interrupt used by a sys- tem must have an entry in the idt. the idt entries are referenced by int instructions, external interrupt vectors, and exceptions. descriptors the object to which the segment selector points to is called a descriptor. descriptors are eight byte quantities which contain attributes about a given re- gion of linear address space. these attributes in- clude the 32-bit base linear address of the segment, the 20-bit length and granularity of the segment, the protection level, read, write or execute privileges, the default size of the operands (16-bit or 32-bit), and the type of segment. all of the attribute informa- tion about a segment is contained in 12 bits in the segment descriptor. figure 4.4 shows the general format of a descriptor. all segments on the i386 sx microprocessor have three attribute fields in com- mon: the p bit, the dpl bit, and the s bit. the p 31 0 byte segment base 1 5...0 segment limit 1 5...0 address 0 base 3 1...24 g d 0 avl limit p dpl s type a base a 4 19...16 23...16 base base address of the segment limit the length of the segment p present bit 1 e present 0 e not present dpl descriptor privilege level 0 3 s segment descriptor 0 e system descriptor 1 e code or data segment descriptor type type of segment a accessed bit g granularity bit 1 e segment length is page granular 0 e segment length is byte granular d default operation size (recognized in code segment descriptors only) 1 e 32-bit segment 0 e 16-bit segment 0 bit must be zero (0) for compatibility with future processors avl available field for user or os figure 4.4. segment descriptors 27
military i386 tm sx microprocessor (present) bit is 1 if the segment is loaded in physical memory. if p e 0 then any attempt to access this segment causes a not present exception (exception 11). the descriptor privilege level, dpl, is a two bit field which specifies the protection level, 0 3, asso- ciated with a segment. the i386 sx microprocessor has two main catego- ries of segments: system segments and non-system segments (for code and data). the segment bit, s, determines if a given segment is a system segment or a code or data segment. if the s bit is 1 then the segment is either a code or data segment; if it is 0 then the segment is a system segment. code and data descriptors (s e 1) figure 4.5 shows the general format of a code and data descriptor and table 4.1 illustrates how the bits in the access right byte are interpreted. 31 0 segment base 1 5...0 segment limit 1 5...0 0 limit access base base 3 1...24 g d 0 avl 19...16 rights 23...16 a 4 byte d/b 1 e default instructions attributes are 32-bits 0 e default instruction attributes are 16-bits avl available field for user or os g granularity bit 1 e segment length is page granular 0 e segment length is byte granular 0 bit must be zero (0) for compatibility with future processors figure 4.5. code and data descriptors table 4.1. access rights byte definition for code and data descriptors bit name function position 7 present (p) p e 1 segment is mapped into physical memory. p e 0 no mapping to physical memory exists, base and limt are not used. 6 5 descriptor privilege segment privilege attribute used in privilege tests. level (dpl) 4 segment descrip- s e 1 code or data (includes stacks) segment descriptor tor (s) s e 0 system segment descriptor or gate descriptor 3 executable (e) e e 0 descriptor type is data segment: if 2 expansion direc- ed e 0 expand up segment, offsets must be s limit. data tion (ed) ed e 1 expand down segment, offsets must be l limit. segment 1 writeable (w) w e 0 data segment may not be written into. (s e 1, w e 1 data segment may be written into. * e e 0) 3 executable (e) e e 1 descriptor type is code segment: if 2 conforming (c) c e 1 code segment may only be executed code when cpl t dpl and cpl segment remains unchanged. (s e 1, 1 readable (r) r e 0 code segment may not be read. e e 1) r e 1 code segment may be read. * 0 accessed (a) a e 0 segment has not been accessed. a e 1 segment selector has been loaded into segment register or used by selector test instructions. 28
military i386 tm sx microprocessor 31 16 0 segment base 1 5...0 segment limit 1 5...0 0 base 3 1...24 g 0 0 0 limit p dpl 0 type base a 4 19...16 23...16 type defines 0 invalid 1 available 80286 tss 2 ldt 3 busy 80286 tss 4 80286 call gate 5 task gate (for 80286 or i386 tm sx microprocessor task) 6 80286 interrupt gate 7 80286 trap gate type defines 8 invalid 9 available i386 sx microprocessor tss a undefined (intel reserved) b busy i386 sx microprocessor tss c i386 sx microprocessor call gate d undefined (intel reserved) e i386 sx microprocessor interrupt gate f i386 sx microprocessor trap gate figure 4.6. system descriptors code and data segments have several descriptor fields in common. the accessed bit, a, is set when- ever the processor accesses a descriptor. the gran- ularity bit, g, specifies if a segment length is byte- granular or page-granular. system descriptor formats (s e 0) system segments describe information about oper- ating system tables, tasks, and gates. figure 4.6 shows the general format of system segment de- scriptors, and the various types of system segments. i386 sx system descriptors (which are the same as i386 dx cpu system descriptors) contain a 32-bit base linear address and a 20-bit segment limit. m80286 system descriptors have a 24-bit base ad- dress and a 16-bit segment limit. m80286 system descriptors are identified by the upper 16 bits being all zero. differences between i386 tm sx microprocessor and m80286 descriptors in order to provide operating system compatibility with the m80286 the i386 sx cpu supports all of the m80286 segment descriptors. the m80286 system segment descriptors contain a 24-bit base address and 16-bit limit, while the i386 sx cpu system seg- ment descriptors have a 32-bit base address, a 20-bit limit field, and a granularity bit. the word count field specifies the number of 16-bit quantities to copy for m80286 call gates and 32-bit quantities for i386 sx cpu call gates. selector fields a selector in protected mode has three fields: local or global descriptor table indicator (ti), descriptor entry index (index), and requestor (the selector's) privilege level (rpl) as shown in figure 4.7. the ti bit selects either the global descriptor table or the local descriptor table. the index selects one of 8k descriptors in the appropriate descriptor table. the rpl bits allow high speed testing of the selector's privilege attributes. segment descriptor cache in addition to the selector value, every segment reg- ister has a segment descriptor cache register asso- ciated with it. whenever a segment register's con- tents are changed, the 8-byte descriptor associated with that selector is automatically loaded (cached) on the chip. once loaded, all references to that seg- ment use the cached descriptor information instead of reaccessing the descriptor. the contents of the descriptor cache are not visible to the programmer. since descriptor caches only change when a seg- ment register is changed, programs which modify the descriptor tables must reload the appropriate segment registers after changing a descriptor's value. 29
military i386 tm sx microprocessor 271110 14 figure 4.7. example descriptor selection 4.3 protection the i386 sx microprocessor has four levels of pro- tection which are optimized to support a multi-task- ing operating system and to isolate and protect user programs from each other and the operating system. the privilege levels control the use of privileged in- structions, i/o instructions, and access to segments and segment descriptors. the i386 sx microproces- sor also offers an additional type of protection on a page basis when paging is enabled. the four-level hierarchical privilege system is an ex- tension of the user/supervisor privilege mode com- monly used by minicomputers. the user/supervisor mode is fully supported by the i386 sx microproces- sor paging mechanism. the privilege levels (pl) are numbered 0 through 3. level 0 is the most privileged level. rules of privilege the i386 sx microprocessor controls access to both data and procedures between levels of a task, ac- cording to the following rules. e data stored in a segment with privilege level p can be accessed only by code executing at a privilege level at least as privileged as p . e a code segment/procedure with privilege level p can only be called by a task executing at the same or a lesser privilege level than p . privilege levels at any point in time, a task on the i386 sx micro- processor always executes at one of the four privi- lege levels. the current privilege level (cpl) speci- fies what the task's privilege level is. a task's cpl may only be changed by control transfers through gate descriptors to a code segment with a different privilege level. thus, an application program running at pl e 3 may call an operating system routine at pl e 1 (via a gate) which would cause the task's cpl to be set to 1 until the operating system routine was finished. selector privilege (rpl) the privilege level of a selector is specified by the rpl field. the selector's rpl is only used to estab- lish a less trusted privilege level than the current privilege level of the task for the use of a segment. this level is called the task's effective privilege level (epl). the epl is defined as being the least privi- leged (numerically larger) level of a task's cpl and a selector's rpl. the rpl is most commonly used to verify that pointers passed to an operating system procedure do not access data that is of higher privi- lege than the procedure that originated the pointer. since the originator of a selector can specify any rpl value, the adjust rpl (arpl) instruction is pro- vided to force the rpl bits to the originator's cpl. 30
military i386 tm sx microprocessor table 4.2. descriptor types used for control transfer control transfer types operation types descriptor descriptor referenced table intersegment within the same privilege level jmp, call ret, iret * code segment gdt/ldt intersegment to the same or higher privilege level call call gate gdt/ldt interrupt within task may change cpl interrupt instruction trap or idt exception external interrupt interrupt gate intersegment to a lower privilege level ret, iret * code segment gdt/ldt (changes task cpl) call, jmp task state gdt segment task switch call, jmp task gate gdt/ldt iret ** task gate idt interrupt instruction, exception, external interrupt * nt (nested task bit of flag register) e 0 ** nt (nested task bit of flag register) e 1 i/o privilege the i/o privilege level (iopl) lets the operating sys- tem code executing at cpl e 0 define the least privi- leged level at which i/o instructions can be used. an exception 13 (general protection violation) is gener- ated if an i/o instruction is attempted when the cpl of the task is less privileged then the iopl. the iopl is stored in bits 13 and 14 of the eflags reg- ister. the following instructions cause an exception 13 if the cpl is greater than iopl: in, ins, out, outs, sti, cli, lock prefix. descriptor access there are basically two types of segment accesses: those involving code segments such as control transfers, and those involving data accesses. deter- mining the ability of a task to access a segment in- volves the type of segment to be accessed, the in- struction used, the type of descriptor used and cpl, rpl, and dpl as described above. any time an instruction loads a data segment regis- ter (ds, es, fs, gs) the i386 sx microprocessor makes protection validation checks. selectors load- ed in the ds, es, fs, gs registers must refer only to data segment or readable code segments. finally the privilege validation checks are performed. the cpl is compared to the epl and if the epl is more privileged than the cpl, an exception 13 (gen- eral protection fault) is generated. the rules regarding the stack segment are slightly different than those involving data segments. in- structions that load selectors into ss must refer to data segment descriptors for writeable data seg- ments. the dpl and rpl must equal the cpl of all other descriptor types or a privilege level violation will cause an exception 13. a stack not present fault causes an exception 12. privilege level transfers inter-segment control transfers occur when a selec- tor is loaded in the cs register. for a typical system most of these transfers are simply the result of a call or a jump to another routine. there are five types of control transfers which are summarized in table 4.2. many of these transfers result in a privilege level transfer. changing privilege levels is done only by control transfers, using gates, task switches, and in- terrupt or trap gates. control transfers can only occur if the operation which loaded the selector references the correct de- scriptor type. any violation of these descriptor usage rules will cause an exception 13. 31
military i386 tm sx microprocessor 271110 15 type e 9: available i386 sx microprocessor tss. type e b: busy i386 sx microprocessor tss. figure 4.8. i386 tm sx microprocessor tss and tss registers 32
military i386 tm sx microprocessor 271110 16 i/o ports accessible: 2 x 9, 12, 13, 15, 20 x 24, 27, 33, 34, 40, 41, 48, 50, 52, 53, 58 x 60, 62, 63, 96 x 127 figure 4.9. sample i/o permission bit map call gates gates provide protected indirect calls. one of the major uses of gates is to provide a secure method of privilege transfers within a task. since the operating system defines all of the gates in a system, it can ensure that all gates only allow entry into a few trust- ed procedures. task switching a very important attribute of any multi-tasking/multi- user operating system is its ability to rapidly switch between tasks or processes. the i386 sx micro- processor directly supports this operation by provid- ing a task switch instruction in hardware. the task switch operation saves the entire state of the ma- chine (all of the registers, address space, and a link to the previous task), loads a new execution state, performs protection checks, and commences execu- tion in the new task. like transfer of control by gates, the task switch operation is invoked by exe- cuting an inter-segment jmp or call instruction which refers to a task state segment (tss), or a task gate descriptor in the gdt or ldt. an int n instruction, exception, trap, or external interrupt may also invoke the task switch operation if there is a task gate descriptor in the associated idt descriptor slot. the tss descriptor points to a segment (see figure 4.8) containing the entire execution state. a task gate descriptor contains a tss selector. the i386 sx microprocessor supports both 286 and i386 sx cpu tsss. the limit of a i386 sx microprocessor tss must be greater than 64h (2bh for a 286 tss), and can be as large as 16 megabytes. in the addi- tional tss space, the operating system is free to store additional information such as the reason the task is inactive, time the task has spent running, or open files belonging to the task. each task must have a tss associated with it. the current tss is identified by a special register in the i386 sx microprocessor called the task state seg- ment register (tr). this register contains a selector referring to the task state segment descriptor that defines the current tss. a hidden base and limit register associated with tss descriptor are loaded whenever tr is loaded with a new selector. return- ing from a task is accomplished by the iret instruc- tion. when iret is executed, control is returned to the task which was interrupted. the currently exe- cuting task's state is saved in the tss and the old task state is restored from its tss. several bits in the flag register and machine status word (cr0) give information about the state of a task which is useful to the operating system. the nested task bit, nt, controls the function of the iret instruction. if nt e 0 the iret instruction per- forms the regular return. if nt e 1 iret performs a task switch operation back to the previous task. the nt bit is set or reset in the following fashion: when a call or int instruction initiates a task switch, the new tss will be marked busy and the back link field of the new tss set to the old tss selector. the nt bit of the new task is set by call or int initiated task switches. an in- terrupt that does not cause a task switch will clear nt (the nt bit will be restored after exe- cution of the interrupt handler). nt may also be set or cleared by popf or iret instructions. the i386 sx microprocessor task state segment is marked busy by changing the descriptor type field from type 9 to type 0bh. a 286 tss is marked busy by changing the descriptor type field from type 1 to type 3. use of a selector that references a busy task state segment causes an exception 13. the vm (virtual mode) bit is used to indicate if a task is a virtual 8086 task. if vm e 1 then the tasks will use the real mode addressing mechanism. the vir- tual 8086 environment is only entered and exited by a task switch. the coprocessor's state is not automatically saved when a task switch occurs. the task switched bit, ts, in the cr0 register helps deal with the coproces- sor's state in a multi-tasking environment. whenever the i386 sx microprocessor switches task, it sets the ts bit. the i386 sx microprocessor detects the first use of a processor extension instruction after a task switch and causes the processor extension not available exception 7. the exception handler for ex- ception 7 may then decide whether to save the state of the coprocessor. the t bit in the i386 sx microprocessor tss indi- cates that the processor should generate a debug exception when switching to a task. if t e 1 then upon entry to a new task a debug exception 1 will be generated. 33
military i386 tm sx microprocessor initialization and transition to protected mode since the i386 sx microprocessor begins executing in real mode immediately after reset it is neces- sary to initialize the system tables and registers with the appropriate values. the gdt and idt registers must refer to a valid gdt and idt. the idt should be at least 256 bytes long, and the gdt must con- tain descriptors for the initial code and data seg- ments. protected mode is enabled by loading cr0 with pe bit set. this can be accomplished by using the mov cr0, r/m instruction. after enabling protected mode, the next instruction should execute an inter- segment jmp to load the cs register and flush the instruction decode queue. the final step is to load all of the data segment registers with the initial selector values. an alternate approach to entering protected mode is to use the built in task-switch to load all of the regis- ters. in this case the gdt would contain two tss descriptors in addition to the code and data descrip- tors needed for the first task. the first jmp instruc- tion in protected mode would jump to the tss caus- ing a task switch and loading all of the registers with the values stored in the tss. the task state seg- ment register should be initialized to point to a valid tss descriptor. 4.4 paging paging is another type of memory management use- ful for virtual memory multi-tasking operating systems. unlike segmentation, which modularizes programs and data into variable length segments, paging divides programs into multiple uniform size pages. pages bear no direct relation to the logical structure of a program. while segment selectors can be considered the logical `name' of a program mod- ule or data structure, a page most likely corresponds to only a portion of a module or data structure. page organization the i386 sx microprocessor uses two levels of ta- bles to translate the linear address (from the seg- mentation unit) into a physical address. there are three components to the paging mechanism of the i386 sx microprocessor: the page directory, the page tables, and the page itself (page frame). all memory-resident elements of the i386 sx micro- processor paging mechanism are the same size, namely 4 kbytes. a uniform size for all of the ele- ments simplifies memory allocation and reallocation schemes, since there is no problem with memory fragmentation. figure 4.10 shows how the paging mechanism works. 271110 17 figure 4.10. paging mechanism 31 1211 10 9876543210 system u r page table address 31..12 software 0 0 d a 0 0 e e p defineable s w figure 4.11. page directory entry (points to page table) 34
military i386 tm sx microprocessor 31 1211 10 9876543210 system u r page frame address 31..12 software 0 0 d a 0 0 e e p defineable s w figure 4.12. page table entry (points to page) page fault register cr2 is the page fault linear address register. it holds the 32-bit linear address which caused the last page fault detected. page descriptor base register cr3 is the page directory physical base address register. it contains the physical starting address of the page directory (this value is truncated to a 24-bit value associated with the i386 sx cpu's 16 mega- byte physical memory limitation). the lower 12 bits of cr3 are always zero to ensure that the page di- rectory is always page aligned. loading it with a mov cr3, reg instruction causes the page table en- try cache to be flushed, as will a task switch through a tss which changes the value of cr0. page directory the page directory is 4 kbytes long and allows up to 1024 page directory entries. each page directory en- try contains information about the page table and the address of the next level of tables, the page tables. the contents of a page directory entry are shown in figure 4.11. the upper 10 bits of the linear address (a 31 a 22 ) are used as an index to select the correct page directory entry. the page table address contains the upper 20 bits of a 32-bit physical address that is used as the base address for the next set of tables, the page tables. the lower 12 bits of the page table address are zero so that the page table addresses appear on 4 kbyte boundaries. for a i386 dx cpu system the upper 20 bits will select one of 2 20 page tables, but for a i386 sx microprocessor system the upper 20 bits only select one of 2 12 page tables. again, this is because the i386 sx microprocessor is limited to a 24-bit physical address and the upper 8 bits (a 24 a 31 ) are truncated when the address is output on its 24 address pins. page tables each page table is 4 kbytes long and allows up to 1024 page table entries. each page table entry contains information about the page frame and its address. the contents of a page table entry are shown in figure 4.12. the middle 10 bits of the linear address (a 21 a 12 ) are used as an index to select the correct page table entry. the page frame address contains the upper 20 bits of a 32-bit physical address that is used as the base address for the page frame. the lower 12 bits of the page frame address are zero so that the page frame addresses appear on 4 kbyte boundaries. for a i386 dx cpu system the upper 20 bits will select one of 2 20 page frames, but for a i386 sx microprocessor system the upper 20 bits only select one of 2 12 page frames. again, this is because the i386 sx microprocessor is limited to a 24-bit physical address space and the upper 8 bits (a 24 a 31 ) are truncated when the address is output on its 24 ad- dress pins. page directory/table entries the lower 12 bits of the page table entries and page directory entries contain statistical information about pages and page tables respectively. the p (present) bit indicates if a page directory or page table entry can be used in address translation. if p e 1, the entry can be used for address translation. if p e 0, the entry cannot be used for translation. all of the other bits are available for use by the soft- ware. for example, the remaining 31 bits could be used to indicate where on disk the page is stored. the a (accessed) bit is set by the i386 sx cpu for both types of entries before a read or write access occurs to an address covered by the entry. the d (dirty) bit is set to 1 before a write to an address covered by that page table entry occurs. the d bit is undefined for page directory entries. when the p, a and d bits are updated by the i386 sx cpu, the processor generates a read- modify-write cycle which locks the bus and prevents conflicts with oth- er processors or peripherals. software which modi- fies these bits should use the lock prefix to ensure the integrity of the page tables in multi-master sys- tems. the 3 bits marked system software definable in fig- ures 4.11 and figure 4.12 are software definable. system software writers are free to use these bits for whatever purpose they wish. 35
military i386 tm sx microprocessor page level protection (r/w, u/s bits) the i386 sx microprocessor provides a set of pro- tection attributes for paging systems. the paging mechanism distinguishes between two levels of pro- tection: user, which corresponds to level 3 of the segmentation based protection, and supervisor which encompasses all of the other protection levels (0, 1, 2). programs executing at level 0, 1 or 2 by- pass the page protection, although segmentation- based protection is still enforced by the hardware. the u/s and r/w bits are used to provide user/su- pervisor and read/write protection for individual pages or for all pages covered by a page table di- rectory entry. the u/s and r/w bits in the second level page table entry apply only to the page de- scribed by that entry. while the u/s and r/w bits in the first level page directory table apply to all pages described by the page table pointed to by that direc- tory entry. the u/s and r/w bits for a given page are obtained by taking the most restrictive of the u/s and r/w from the page directory table entries and using these bits to address the page. translation lookaside buffer the i386 sx microprocessor paging hardware is de- signed to support demand paged virtual memory systems. however, performance would degrade substantially if the processor was required to access two levels of tables for every memory reference. to solve this problem, the i386 sx microprocessor keeps a cache of the most recently accessed pages, this cache is called the translation lookaside buffer (tlb). the tlb is a four-way set associative 32-en- try page table cache. it automatically keeps the most commonly used page table entries in the processor. the 32-entry tlb coupled with a 4k page size re- sults in coverage of 128 kbytes of memory address- es. for many common multi-tasking systems, the tlb will have a hit rate of greater than 98%. this means that the processor will only have to access the two-level page structure for less than 2% of all memory references. paging operation the paging hardware operates in the following fash- ion. the paging unit hardware receives a 32-bit lin- ear address from the segmentation unit. the upper 20 linear address bits are compared with all 32 en- tries in the tlb to determine if there is a match. if there is a match (i.e. a tlb hit), then the 24-bit phys- ical address is calculated and is placed on the ad- dress bus. if the page table entry is not in the tlb, the i386 sx microprocessor will read the appropriate page direc- tory entry. if p e 1 on the page directory entry, indi- cating that the page table is in memory, then the i386 sx microprocessor will read the appropriate page table entry and set the access bit. if p e 1on the page table entry, indicating that the page is in memory, the i386 sx microprocessor will update the access and dirty bits as needed and fetch the oper- and. the upper 20 bits of the linear address, read from the page table, will be stored in the tlb for future accesses. if p e 0 for either the page directo- ry entry or the page table entry, then the processor will generate a page fault exception 14. the processor will also generate a page fault (ex- ception 14) if the memory reference violated the page protection attributes. cr2 will hold the linear address which caused the page fault. since excep- tion 14 is classified as a fault, cs:eip will point to the instruction causing the page-fault. the 16-bit error code pushed as part of the page fault handler will contain status bits which indicate the cause of the page fault. the 16-bit error code is used by the operating sys- tem to determine how to handle the page fault. fig- ure 4.13 shows the format of the page fault error code and the interpretation of the bits. even though the bits in the error code (u/s, w/r, and p) have similar names as the bits in the page directory/ta- ble entries, the interpretation of the error code bits is different. figure 4.14 indicates what type of access caused the page fault. 15 3210 uw uuuuuuuuuuuuuueep sr figure 4.13. page fault error code format u/s : the u/s bit indicates whether the access causing the fault occurred when the processor was executing in user mode (u/s e 1) or in supervisor mode (u/s e 0) w/r : the w/r bit indicates whether the access causing the fault was a read (w/r e 0) or a write (w/r e 1) p : the p bit indicates whether a page fault was caused by a not-present page (p e 0), or by a page level protection violation (p e 1) u e undefined u/s w/r access type 0 0 supervisor * read 0 1 supervisor write 1 0 user read 1 1 user write * descriptor table access will fault with u/s e 0, even if the program is executing at level 3. figure 4.14. type of access causing page fault 36
military i386 tm sx microprocessor operating system responsibilities when the operating system enters or exits paging mode (by setting or resetting bit 31 in the cr0 regis- ter) a short jmp must be executed to flush the i386 sx microprocessor's prefetch queue. this en- sures that all instructions executed after the address mode change will generate correct addresses. the i386 sx microprocessor takes care of the page address translation process, relieving the burden from an operating system in a demand-paged sys- tem. the operating system is responsible for setting up the initial page tables and handling any page faults. the operating system also is required to inval- idate (i.e. flush) the tlb when any changes are made to any of the page table entries. the operating system must reload cr3 to cause the tlb to be flushed. setting up the tables is simply a matter of loading cr3 with the address of the page directory, and allocating space for the page directory and the page tables. the primary responsibility of the oper- ating system is to implement a swapping policy and handle all of the page faults. a final concern of the operating system is to ensure that the tlb cache matches the information in the paging tables. in particular, any time the operating systems sets the p (present) bit of page table entry to zero. the tlb must be flushed by reloading cr3. operating systems may want to take advantage of the fact that cr3 is stored as part of a tss, to give every task or group of tasks its own set of page tables. 4.5 virtual 8086 environment the i386 sx microprocessor allows the execution of 8086 application programs in both real mode and in the virtual 8086 mode. the virtual 8086 mode al- lows the execution of 8086 applications, while still allowing the system designer to take full advantage of the i386 sx cpu's protection mechanism. virtual 8086 addressing mechanism one of the major differences between i386 sx cpu real and protected modes is how the segment se- lectors are interpreted. when the processor is exe- cuting in virtual 8086 mode, the segment registers are used in a fashion identical to real mode. the contents of the segment register are shifted left 4 bits and added to the offset to form the segment base linear address. the i386 sx microprocessor allows the operating system to specify which programs use the 8086 ad- dress mechanism and which programs use protect- ed mode addressing on a per task basis. through the use of paging, the one megabyte address space of the virtual mode task can be mapped to any- where in the 4 gigabyte linear address space of the i386 sx microprocessor. like real mode, virtual mode addresses that exceed one megabyte will cause an exception 13. however, these restrictions should not prove to be important, because most tasks running in virtual 8086 mode will simply be existing 8086 application programs. paging in virtual mode the paging hardware allows the concurrent running of multiple virtual mode tasks, and provides protec- tion and operating system isolation. although it is not strictly necessary to have the paging hardware enabled to run virtual mode tasks, it is needed in order to run multiple virtual mode tasks or to relo- cate the address space of a virtual mode task to physical address space greater than one megabyte. the paging hardware allows the 20-bit linear ad- dress produced by a virtual mode program to be divided into as many as 256 pages. each one of the pages can be located anywhere within the maximum 16 megabyte physical address space of the i386 sx microprocessor. in addition, since cr3 (the page di- rectory base register) is loaded by a task switch, each virtual mode task can use a different mapping scheme to map pages to different physical locations. finally, the paging hardware allows the sharing of the 8086 operating system code between multiple 8086 applications. protection and i/o permission bit map all virtual mode programs execute at privilege level 3. as such, virtual mode programs are subject to all of the protection checks defined in protected mode. this is different than real mode, which implicitly is executing at privilege level 0. thus, an attempt to execute a privileged instruction in virtual mode will cause an exception 13 fault. the following are privileged instructions, which may be executed only at privilege level 0. attempting to execute these instructions in virtual 8086 mode (or anytime cpl t 0) causes an exception 13 fault: lidt; mov drn,reg; mov reg,drn; lgdt; mov trn,reg; mov reg,trn; lmsw; mov crn,reg; mov reg,crn; clts; hlt; 37
military i386 tm sx microprocessor several instructions, particularly those applying to the multitasking and the protection model, are avail- able only in protected mode. therefore, attempting to execute the following instructions in real mode or in virtual 8086 mode generates an exception 6 fault: ltr; str; lldt; sldt; lar; verr; lsl; verw; arpl; the instructions which are iopl sensitive in protect- ed mode are: in; sti; out; cli ins; outs; rep ins; rep outs; in virtual 8086 mode the following instructions are iopl-sensitive: int n; sti; pushf; cli; popf; iret; the pushf, popf, and iret instructions are iopl- sensitive in virtual 8086 mode only. this provision allows the if flag to be virtualized to the virtual 8086 mode program. the int n software interrupt instruc- tion is also iopl-sensitive in virtual 8086 mode. note that the int 3, into, and bound instructions are not iopl-sensitive in virtual 8086 mode. the i/o instructions that directly refer to addresses in the processor's i/o space are in, ins, out, and outs. the i386 sx microprocessor has the ability to selectively trap references to specific i/o ad- dresses. the structure that enables selective trap- ping is the i/o permission bit map in the tss seg- ment (see figures 4.8 and 4.9). the i/o permission map is a bit vector. the size of the map and its loca- tion in the tss segment are variable. the processor locates the i/o permission map by means of the i/o map base field in the fixed portion of the tss. the i/o map base field is 16 bits wide and contains the offset of the beginning of the i/o permission map. in protected mode when an i/o instruction (in, ins, out or outs) is encountered, the processor first checks whether cpl s iopl. if this condition is true, the i/o operation may proceed. if not true, the proc- essor checks the i/o permission map (in virtual 8086 mode, the processor consults the map without regard for the iopl). each bit in the map corresponds to an i/o port byte address; for example, the bit for port 41 is found at i/o map base a 5, bit offset 1. the processor tests all the bits that correspond to the i/o addresses spanned by an i/o operation; for example, a double word operation tests four bits corresponding to four adjacent byte addresses. if any tested bit is set, the processor signals a general protection exception. if all the tested bits are zero, the i/o operations may proceed. it is not necessary for the i/o permission map to represent all the i/o addresses. i/o addresses not spanned by the map are treated as if they had one- bits in the map. the i/o map base should be at least one byte less than the tss limit, the last byte beyond the i/o mapping information must contain all 1's. because the i/o permission map is in the tss seg- ment, different tasks can have different maps. thus, the operating system can allocate ports to a task by changing the i/o permission map in the task's tss. important implementation note: beyond the last byte of i/o mapping information in the i/o permission bit map must be a byte containing all 1's. the byte of all 1's must be within the limit of the i386 sx cpu tss segment (see figure 4.8). interrupt handling in order to fully support the emulation of an 8086 machine, interrupts in virtual 8086 mode are han- dled in a unique fashion. when running in virtual mode all interrupts and exceptions involve a privi- lege change back to the host i386 sx microproces- sor operating system. the i386 sx microprocessor operating system determines if the interrupt comes from a protected mode application or from a virtual mode program by examining the vm bit in the eflags image stored on the stack. when a virtual mode program is interrupted and ex- ecution passes to the interrupt routine at level 0, the vm bit is cleared. however, the vm bit is still set in the eflag image on the stack. the i386 sx microprocessor operating system in turn handles the exception or interrupt and then re- turns control to the 8086 program. the i386 sx mi- croprocessor operating system may choose to let the 8086 operating system handle the interrupt or it may emulate the function of the interrupt handler. for example, many 8086 operating system calls are accessed by pushing parameters on the stack, and then executing an int n instruction. if the iopl is set to 0 then all int n instructions will be intercepted by the i386 sx microprocessor operating system. 38
military i386 tm sx microprocessor an i386 sx microprocessor operating system can provide a virtual 8086 environment which is totally transparent to the application software by intercept- ing and then emulating 8086 operating system's calls, and intercepting in and out instructions. entering and leaving virtual 8086 mode virtual 8086 mode is entered by executing a 32-bit iret instruction at cpl e 0 where the stack has a 1 in the vm bit of its eflags image, or a task switch (at any cpl) to a i386 sx microprocessor task whose i386 sx cpu tss has a eflags image con- taining a 1 in the vm bit position while the processor is executing in the protected mode. popf does not affect the vm bit but a pushf always pushes a 0 in the vm bit. the transition out of virtual 8086 mode to protected mode occurs only on receipt of an interrupt or ex- ception. in virtual 8086 mode, all interrupts and ex- ceptions vector through the protected mode idt, and enter an interrupt handler in protected mode. as part of the interrupt processing the vm bit is cleared. because the matching iret must occur from level 0, interrupt or trap gates used to field an interrupt or exception out of virtual 8086 mode must perform an inter-level interrupt only to level 0. interrupt or trap gates through conforming segments, or through segments with dpl l 0, will raise a gp fault with the cs selector as the error code. task switches to/from virtual 8086 mode tasks which can execute in virtual 8086 mode must be described by a tss with the i386 sx cpu format (type 9 or 11 descriptor). a task switch out of virtual 8086 mode will operate exactly the same as any oth- er task switch out of a task with a i386 sx cpu tss. all of the programmer visible state, including the eflags register with the vm bit set to 1, is stored in the tss. the segment registers in the tss will con- tain 8086 segment base values rather than selec- tors. a task switch into a task described by a i386 sx cpu tss will have an additional check to determine if the incoming task should be resumed in virtual 8086 mode. tasks described by 286 format tsss cannot be resumed in virtual 8086 mode, so no check is required there (the flags image in 286 format tss has only the low order 16 flags bits). before loading the segment register images from a i386 sx cpu tss, the flags image is loaded, so that the segment registers are loaded from the tss image as 8086 segment base values. the task is now ready to resume in virtual 8086 mode. transitions through trap and interrupt gates, and iret a task switch is one way to enter or exit virtual 8086 mode. the other method is to exit through a trap or interrupt gate, as part of handling an interrupt, and to enter as part of executing an iret instruction. the transition out must use a i386 sx cpu trap gate (type 14), or i386 sx cpu interrupt gate (type 15), which must point to a non-conforming level 0 segment (dpl e 0) in order to permit the trap han- dler to iret back to the virtual 8086 program. the gate must point to a non-conforming level 0 seg- ment to perform a level switch to level 0 so that the matching iret can change the vm bit. i386 sx cpu gates must be used since 286 gates save only the low 16 bits of the eflags register (the vm bit will not be saved). also, the 16-bit iret used to termi- nate the 286 interrupt handler will pop only the lower 16 bits from flags, and will not affect the vm bit. the action taken for a i386 sx cpu trap or interrupt gate if an interrupt occurs while the task is executing in virtual 8086 mode is given by the following se- quence: 1. save the flags register in a temp to push later. turn off the vm, tf, and if bits. 2. interrupt and trap gates must perform a level switch from 3 (where the virtual 8086 mode pro- gram executes) to level 0 (so iret can return). 3. push the 8086 segment register values onto the new stack, in this order: gs, fs, ds, es. these are pushed as 32-bit quantities. then load these 4 registers with null selectors (0). 4. push the old 8086 stack pointer onto the new stack by pushing the ss register (as 32-bits), then pushing the 32-bit esp register saved above. 5. push the 32-bit eflags register saved in step 1. 6. push the old 8086 instruction onto the new stack by pushing the cs register (as 32-bits), then push- ing the 32-bit eip register. 7. load up the new cs:eip value from the interrupt gate, and begin execution of the interrupt routine in protected mode. the transition out of v86 mode performs a level change and stack switch, in addition to changing back to protected mode. also all of the 8086 seg- ment register images are stored on the stack (be- hind the ss:esp image), and then loaded with null (0) selectors before entering the interrupt handler. this will permit the handler to safely save and re- store the ds, es, fs, and gs registers as 286 selec- tors. this is needed so that interrupt handlers which don't care about the mode of the interrupted pro- gram can use the same prologue and epilogue code for state saving regardless of whether or not a ``na- tive'' mode or virtual 8086 mode program was inter- rupted. restoring null selectors to these registers 39
military i386 tm sx microprocessor before executing the iret will cause a trap in the interrupt handler. interrupt routines which expect or return values in the segment registers will have to obtain/return values from the 8086 register images pushed onto the new stack. they will need to know the mode of the interrupted program in order to know where to find/return segment registers, and also to know how to interpret segment register val- ues. the iret instruction will perform the inverse of the above sequence. only the extended iret instruc- tion (operand size e 32) can be used and must be executed at level 0 to change the vm bit to 1. 1. if the nt bit in the flags register is on, an inter- task return is performed. the current state is stored in the current tss, and the link field in the current tss is used to locate the tss for the in- terrupted task which is to be resumed. otherwise, continue with the following sequence: 2. read the flags image from ss:8 [ esp ] into the flags register. this will set vm to the value ac- tive in the interrupted routine. 3. pop off the instruction pointer cs:eip. eip is popped first, then a 32-bit word is popped which contains the cs value in the lower 16 bits. if vm e 0, this cs load is done as a protected mode segment load. if vm e 1, this will be done as an 8086 segment load. 4. increment the esp register by 4 to bypass the flags image which was `popped' in step 1. 5. if vm e 1, load segment registers es, ds, fs, and gs from memory locations ss: [ esp a 8 ] , ss: [ esp a 12 ] , ss: [ esp a 16 ] , and ss: [ esp e 20 ] , respectively, where the new value of esp stored in step 4 is used. since vm e 1, these are done as 8086 segment register loads. else if vm e 0, check that the selectors in es, ds, fs, and gs are valid in the interrupted routine. null out invalid selectors to trap if an attempt is made to access through them. 6. if rpl(cs) l cpl, pop the stack pointer ss:esp from the stack. the esp register is popped first, followed by 32-bits containing ss in the lower 16 bits. if vm e 0, ss is loaded as a protected mode segment register load. if vm e 1, an 8086 seg- ment register load is used. 7. resume execution of the interrupted routine. the vm bit in the flags register (restored from the interrupt routine's stack image in step 1) deter- mines whether the processor resumes the inter- rupted routine in protected mode or virtual 8086 mode. 5.0 functional data the i386 sx microprocessor features a straightfor- ward functional interface to the external hardware. the i386 sx microprocessor has separate parallel buses for data and address. the data bus is 16-bits in width, and bi-directional. the address bus outputs 24-bit address values using 23 address lines and two byte enable signals. the i386 sx microprocessor has two selectable ad- dress bus cycles: address pipelined and non-ad- dress pipelined. the address pipelining option al- lows as much time as possible for data access by starting the pending bus cycle before the present bus cycle is finished. a non-pipelined bus cycle gives the highest bus performance by executing ev- ery bus cycle in two processor clk cycles. for maxi- mum design flexibility, the address pipelining option is selectable on a cycle-by-cycle basis. the processor's bus cycle is the basic mechanism for information transfer, either from system to proc- essor, or from processor to system. i386 sx micro- processor bus cycles perform data transfer in a mini- mum of only two clock periods. the maximum trans- fer bandwidth at 16 mhz is therefore 16 mbytes/ sec. however, any bus cycle will be extended for more than two clock periods if external hardware withholds acknowledgement of the cycle. the i386 sx microprocessor can relinquish control of its local buses to allow mastership by other devic- es, such as direct memory access (dma) channels. when relinquished, hlda is the only output pin driv- en by the i386 sx microprocessor, providing near- complete isolation of the processor from its system (all other output pins are in a float condition). 5.1 signal description overview ahead is a brief description of the i386 sx micro- processor input and output signals arranged by func- tional groups. note the overbar above the signal name indicates the active, or asserted, state occurs when the signal is at a high voltage. when no over- bar is present over the signal name, the signal is asserted when at the low voltage level. example signal: m/io e high voltage indicates memory selected e low voltage indicates i/o selected the signal descriptions sometimes refer to ac tim- ing parameters, such as `t 25 reset setup time' and `t 26 reset hold time.' the values of these parame- ters can be found in table 7.4. 40
military i386 tm sx microprocessor clock (clk2) clk2 provides the fundamental timing for the i386 sx microprocessor. it is divided by two internal- ly to generate the internal processor clock used for instruction execution. the internal clock is com- prised of two phases, `phase one' and `phase two'. each clk2 period is a phase of the internal clock. figure 5.2 illustrates the relationship. if desired, the phase of the internal processor clock can be syn- chronized to a known phase by ensuring the falling edge of the reset signal meets the applicable set- up and hold times t 25 and t 26 , as shown in figure 7.7. data bus (d 15 d 0 ) these three-state bidirectional signals provide the general purpose data path between the i386 sx mi- croprocessor and other devices. the data bus out- puts are active high and will float during bus hold acknowledge. data bus reads require that read-data setup and hold times t 21 and t 22 , as shown in figure 7.4, be met relative to clk2 for correct operation. 271110 18 figure 5.1. functional signal groups 271110 19 figure 5.2. clk2 signal and internal processor clock 41
military i386 tm sx microprocessor address bus (a 23 a 1 , bhe , ble ) these three-state outputs provide physical memory addresses or i/o port addresses. a 23 a 16 are low during i/o transfers except for i/o transfers auto- matically generated by coprocessor instructions. during coprocessor i/o transfers, a 22 a 16 are driv- en low, and a 23 is driven high so that this ad- dress line can be used by external logic to generate the coprocessor select signal. thus, the i/o address driven by the i386 sx microprocessor for coproces- sor commands is 8000f8h, the i/o addresses driv- en by the i386 sx microprocessor for coprocessor data are 8000fch or 8000feh for cycles to the i387 sx numerics coprocessor. see figure 5.3. the address bus is capable of addressing 16 mega- bytes of physical memory space (000000h through ffffffh), and 64 kilobytes of i/o address space (000000h through 00ffffh) for programmed i/o. the address bus is active high and will float during bus hold acknowledge. the byte enable outputs, bhe and ble , directly in- dicate which bytes of the 16-bit data bus are in- volved with the current transfer. bhe applies to d 15 d 8 and ble applies to d 7 d 0 . if both bhe and ble are asserted, then 16 bits of data are being transferred. see table 5.1 for a complete decoding of these signals. the byte enables are active low and will float during bus hold acknowledge. bus cycle definition signals (w/r , d/c , m/io , lock ) these three-state outputs define the type of bus cy- cle being performed: w/r distinguishes between write and read cycles, d/c distinguishes between data and control cycles, m/io distinguishes between memory and i/o cycles, and lock distinguishes be- tween locked and unlocked bus cycles. all of these signals are active low and will float during bus hold acknowledge. the primary bus cycle definition signals are w/r , d/c and m/io , since these are the signals driven valid as ads (address status output) becomes ac- tive. the lock is driven valid at the same time the bus cycle begins, which due to address pipelining, could be after ads becomes active. exact bus cycle definitions, as a function of w/r , d/c , and m/io are given in table 5.2. lock indicates that other system bus masters are not to gain control of the system bus while it is ac- tive. lock is activated on the clk2 edge that be- gins the first locked bus cycle (i.e., it is not active at the same time as the other bus cycle definition pins) and is deactivated when ready is returned at the end of the last bus cycle which is to be locked. the be- ginning of a bus cycle is determined when ready is returned in a previous bus cycle and another is pending (ads is active) or the clock in which ads is driven active if the bus was idle. this means that it follows more closely with the write data rules when it is valid, but may cause the bus to be locked longer than desired. the lock signal may be explicitly acti- vated by the lock prefix on certain instructions. lock is always asserted when executing the xchg instruction, during descriptor updates, and during the interrupt acknowledge sequence. table 5.1. byte enable definitions bhe ble function 0 0 word transfer 0 1 byte transfer on upper byte of the data bus, d 15 d 8 1 0 byte transfer on lower byte of the data bus, d 7 d 0 1 1 never occurs table 5.2. bus cycle definition m/io d/c w/r bus cycle type locked? 0 0 0 interrupt acknowledge yes 0 0 1 does not occur e 0 1 0 i/o data read no 0 1 1 i/o data write no 1 0 0 memory code read no 1 0 1 halt: shutdown: no address e 2 address e 0 bhe e 1 bhe e 1 ble e 0 ble e 0 1 1 0 memory data read some cycles 1 1 1 memory data write some cycles 42
military i386 tm sx microprocessor bus control signals (ads , ready ,na ) the following signals allow the processor to indicate when a bus cycle has begun, and allow other system hardware to control address pipelining and bus cycle termination. address status (ads ) this three-state output indicates that a valid bus cy- cle definition and address (w/r , d/c , m/io , bhe , ble and a 23 a 1 ) are being driven at the i386 sx microprocessor pins. ads is an active low output. once ads is driven active, valid address, byte en- ables, and definition signals will not change. in addi- tion, ads will remain active until its associated bus cycle begins (when ready is returned for the previ- ous bus cycle when running pipelined bus cycles). when address pipelining is utilized, maximum throughput is achieved by initiating bus cycles when ads and ready are active in the same clock cycle. ads will float during bus hold acknowledge. see sections non-pipelined address and pipelined address in section 5.4 for additional information on how ads is asserted for different bus states. transfer acknowledge (ready ) this input indicates the current bus cycle is com- plete, and the active bytes indicated by bhe and ble are accepted or provided. when ready is sampled active during a read cycle or interrupt ac- knowledge cycle, the i386 sx microprocessor latch- es the input data and terminates the cycle. when ready is sampled active during a write cycle, the processor terminates the bus cycle. ready is ignored on the first bus state of all bus cycles, and sampled each bus state thereafter until asserted. ready must eventually be asserted to ac- knowledge every bus cycle, including halt indication and shutdown indication bus cycles. when being sampled, ready must always meet setup and hold times t 19 and t 20 , shown in section 7.4, for correct operation. next address request (na ) this is used to request address pipelining. this input indicates the system is prepared to accept new val- ues of bhe , ble ,a 23 a 1 , w/r , d/c and m/io from the i386 sx microprocessor even if the end of the current cycle is not being acknowledged on ready . if this input is active when sampled, the next address is driven onto the bus, provided the next bus request is already pending internally. na is ignored in clk cycles in which ads or ready is activated. this signal is active low and must sat- isfy setup and hold times t 15 and t 16 , shown in sec- tion 7.4, for correct operation. see pipelined ad- dress and read and write cycles for additional information. bus arbitration signals (hold, hlda) this section describes the mechanism by which the processor relinquishes control of its local buses when requested by another bus master device. see entering and exiting hold acknowledge in sec- tion 5.4 for additional information. bus hold request (hold) this input indicates some device other than the i386 sx microprocessor requires bus mastership. when control is granted, the i386 sx microproces- sor floats a 23 a 1 , bhe , ble ,d 15 d 0 , lock , m/io , d/c , w/r and ads , and then activates hlda, thus entering the bus hold acknowledge state. the local bus will remain granted to the requesting master un- til hold becomes inactive. when hold becomes inactive, the i386 sx microprocessor will deactivate hlda and drive the local bus (at the same time), thus terminating the hold acknowledge condition. hold must remain asserted as long as any other device is a local bus master. external pull-up resis- tors may be required when in the hold acknowledge state since none of the i386 sx microprocessor floated outputs have internal pull-up resistors. see resistor recommendations in section 7.1 for ad- ditional information. hold is not recognized while reset is active. if reset is asserted while hold is asserted, reset has priority and places the bus into an idle state, rather than the hold acknowledge (high-impedance) state. hold is a level-sensitive, active high, synchronous input. hold signals must always meet setup and hold times t 23 and t 24 , shown in figure 7.4, for cor- rect operation. bus hold acknowledge (hlda) when active (high), this output indicates the i386 sx microprocessor has relinquished control of its lo- cal bus in response to an asserted hold signal, and is in the bus hold acknowledge state. the bus hold acknowledge state offers near-com- plete signal isolation. in the hold acknowledge state, hlda is the only signal being driven by the i386 sx microprocessor. the other output signals or bidirectional signals (d 15 d 0 , bhe , ble ,a 23 a 1 , w/r , d/c , m/io , lock and ads ) are in a high-im- pedance state so the requesting bus master may 43
military i386 tm sx microprocessor control them. these pins remain off throughout the time that hlda remains active (see table 5.3). pull- up resistors may be desired on several signals to avoid spurious activity when no bus master is driving them. see resistor recommendations in section 7.1 for additional information. when the hold signal is made inactive, the i386 sx microprocessor will deactivate hlda and drive the bus. one rising edge on the nmi input is remem- bered for processing after the hold input is negat- ed. table 5.3. output pin state during hold pin value pin names 1 hlda float lock , m/io , d/c , w/r , ads ,a 23 a 1 , bhe , ble ,d 15 d 0 in addition to the normal usage of hold acknowl- edge with dma controllers or master peripherals, the near-complete isolation has particular attractive- ness during system test when test equipment drives the system, and in hardware fault-tolerant applica- tions. hold latencies the maximum possible hold latency depends on the software being executed. the actual hold la- tency at any time depends on the current bus activi- ty, the state of the lock signal (internal to the cpu) activated by the lock prefix, and interrupts. the i386 sx microprocessor will not honor a hold re- quest until the current bus operation is complete. table 5.4 shows the types of bus operations that can affect hold latency, and indicates the types of delays that these operations may introduce. when considering maximum hold latencies, designers must select which of these bus operations are possi- ble, and then select the maximum latency from among them. the i386 sx microprocessor breaks 32-bit data or i/o accesses into 2 internally locked 16-bit bus cy- cles; the lock signal is not asserted. the i386 sx microprocessor breaks unaligned 16-bit or 32-bit data or i/o accesses into 2 or 3 internally locked 16-bit bus cycles. again, the lock signal is not as- serted but a hold request will not be recognized until the end of the entire transfer. wait states affect hold latency. the i386 sx micro- processor will not honor a hold request until the end of the current bus operation, no matter how many wait states are required. systems with dma where data transfer is critical must insure that ready returns sufficiently soon. table 5.4. locked bus operations affecting hold latency in systems clocks real mode hold latency times int n 2 * (2 a wc) nmi 2 * (2 a wc) intr 2 * (2 a wc) a 5 call long (direct) 2 a wc jmp long (direct) 2 a wc call long (indirect) 2 a wc * jmp long (indirect) 2 a wc * protected mode hold latency times int n 9 * (2 a wc) a 19 nmi 9 * (2 a wc) a 18 intr 9 * (2 a wc) a 18 call (same p.l.) 5 * (2 a wc) a 4 ** call indirect (same p.l.) 5 * (2 a wc) a 4 ** call (different p.l.) 9 * (2 a wc) a 17 ** call indirect (different p.l.) 9 * (2 a wc) a 17 ** jmp (same p.l.) 5 * (2 a wc) a 4 *** jmp indirect (same p.l.) 5 * (2 a wc) a 4 *** task switch 5 * (2 a wc) a 17 notes: * jmp long indirect and call long indirect are not supported features of the i386 sx cpu in real mode. ** call direct and call indirect to a different privi- lege level must be done via a call gate and from a less privileged level only. *** jmp direct and jmp indirect to a different privilege level are not allowed even via a call gate. coprocessor interface signals (pereq, busy , error ) in the following sections are descriptions of signals dedicated to the numeric coprocessor interface. in addition to the data bus, address bus, and bus cycle definition signals, these following signals control communication between the i386 sx microproces- sor and its i387 sx processor extension. 44
military i386 tm sx microprocessor coprocessor request (pereq) when asserted (high), this input signal indicates a coprocessor request for a data operand to be trans- ferred to/from memory by the i386 sx microproces- sor. in response, the i386 sx microprocessor trans- fers information between the coprocessor and memory. because the i386 sx microprocessor has internally stored the coprocessor opcode being exe- cuted, it performs the requested data transfer with the correct direction and memory address. pereq is a level-sensitive active high asynchro- nous signal. setup and hold times, t 29 and t 30 , shown in section 7.4, relative to the clk2 signal must be met to guarantee recognition at a particular clock edge. this signal is provided with a weak inter- nal pull-down resistor of around 20 k-ohms to ground so that it will not float active when left uncon- nected. coprocessor busy (busy ) when asserted (low), this input indicates the co- processor is still executing an instruction, and is not yet able to accept another. when the i386 sx micro- processor encounters any coprocessor instruction which operates on the numerics stack (e.g. load, pop, or arithmetic operation), or the wait instruc- tion, this input is first automatically sampled until it is seen to be inactive. this sampling of the busy input prevents overrunning the execution of a previous co- processor instruction. the fninit, fnstenv, fnsave, fnstsw, fnstcw and fnclex coprocessor instructions are allowed to execute even if busy is active, since these instructions are used for coprocessor initializa- tion and exception-clearing. busy is an active low, level-sensitive asynchro- nous signal. setup and hold times, t 29 and t 30 , shown in figure 7.4, relative to the clk2 signal must be met to guarantee recognition at a particular clock edge. this pin is provided with a weak internal pull- up resistor of around 20 k-ohms to v cc so that it will not float active when left unconnected. busy serves an additional function. if busy is sam- pled low at the falling edge of reset, the i386 sx microprocessor performs an internal self-test (see bus activity during and following reset in sec- tion 5.4). if busy is sampled high, no self-test is performed. coprocessor error (error ) when asserted (low), this input signal indicates that the previous coprocessor instruction generated a coprocessor error of a type not masked by the coprocessor's control register. this input is automat- ically sampled by the i386 sx microprocessor when a coprocessor instruction is encountered, and if ac- tive, the i386 sx microprocessor generates excep- tion 16 to access the error-handling software. several coprocessor instructions, generally those which clear the numeric error flags in the coproces- sor or save coprocessor state, do execute without the i386 sx microprocessor generating exception 16 even if error is active. these instructions are fninit, fnclex, fnstsw, fnstswax, fnstcw, fnstenv and fnsave. error is an active low, level-sensitive asynchro- nous signal. setup and hold times, t 29 and t 30 , shown in figure 7.4, relative to the clk2 signal must be met to guarantee recognition at a particular clock edge. this pin is provided with a weak internal pull- up resistor of around 20 k-ohms to v cc so that it will not float active when left unconnected. interrupt signals (intr, nmi, reset) the following descriptions cover inputs that can in- terrupt or suspend execution of the processor's cur- rent instruction stream. maskable interrupt request (intr) when asserted, this input indicates a request for in- terrupt service, which can be masked by the i386 sx cpu flag register if bit. when the i386 sx micro- processor responds to the intr input, it performs two interrupt acknowledge bus cycles and, at the end of the second, latches an 8-bit interrupt vector on d 7 d 0 to identify the source of the interrupt. intr is an active high, level-sensitive asynchro- nous signal. setup and hold times, t 27 and t 28 , shown in figure 7.4, relative to the clk2 signal must be met to guarantee recognition at a particular clock edge. to assure recognition of an intr request, intr should remain active until the first interrupt ac- knowledge bus cycle begins. intr is sampled at the beginning of every instruction in the i386 sx micro- processor's execution unit. in order to be recog- nized at a particular instruction boundary, intr must be active at least eight clk2 clock periods before the beginning of the instruction. if recognized, the i386 sx microprocessor will begin execution of the interrupt. 45
military i386 tm sx microprocessor non-maskable interrupt request (nmi)) this input indicates a request for interrupt service which cannot be masked by software. the non- maskable interrupt request is always processed ac- cording to the pointer or gate in slot 2 of the interrupt table. because of the fixed nmi slot assignment, no interrupt acknowledge cycles are performed when processing nmi. nmi is an active high, rising edge-sensitive asyn- chronous signal. setup and hold times, t 27 and t 28 , shown in figure 7.4, relative to the clk2 signal must be met to guarantee recognition at a particular clock edge. to assure recognition of nmi, it must be inac- tive for at least eight clk2 periods, and then be ac- tive for at least eight clk2 periods before the begin- ning of the instruction boundary in the i386 sx mi- croprocessor's execution unit. once nmi processing has begun, no additional nmi's are processed until after the next iret in- struction, which is typically the end of the nmi serv- ice routine. if nmi is re-asserted prior to that time, however, one rising edge on nmi will be remem- bered for processing after executing the next iret instruction. interrupt latency the time that elapses before an interrupt request is serviced (interrupt latency) varies according to sev- eral factors. this delay must be taken into account by the interrupt source. any of the following factors can affect interrupt latency: 1. if interrupts are masked, an intr request will not be recognized until interrupts are reenabled. 2. if an nmi is currently being serviced, an incoming nmi request will not be recognized until the i386 sx microprocessor encounters the iret in- struction. 3. an interrupt request is recognized only on an in- struction boundary of the i386 sx microproces- sor's execution unit except for the following cas- es: e repeat string instructions can be interrupted after each iteration. e if the instruction loads the stack segment reg- ister, an interrupt is not processed until after the following instruction, which should be an esp. this allows the entire stack pointer to be loaded without interruption. e if an instruction sets the interrupt flag (enabling interrupts), an interrupt is not processed until after the next instruction. the longest latency occurs when the interrupt re- quest arrives while the i386 sx microprocessor is executing a long instruction such as multiplication, division, or a task-switch in the protected mode. 4. saving the flags register and cs:eip registers. 5. if interrupt service routine requires a task switch, time must be allowed for the task switch. 6. if the interrupt service routine saves registers that are not automatically saved by the i386 sx micro- processor. the following table 5.5 summarizes the unobvious nmi latency times for real and protected mode oper- ations. the time is given in processor clocks. one processor clock is equal to two clk2 periods. the variable wc contains the number of wait states. table 5.5. locked bus operations affecting hold latency in systems clocks real mode nmi latency times int n 11 * (2 a wc) a 55 call long (direct) 6 * (2 a wc) a 46 jmp long (direct) 6 * (2 a wc) a 55 call long (indirect) 8 * (2 a wc) a 50 * jmp long (indirect) 8 * (2 a wc) a 51 * protected mode nmi latency times int n 26 * (2 a wc) a 83 call (same p.l.) 20 * (2 a wc) a 69 ** call indirect (same p.l.) 23 * (2 a wc) a 71 ** call (different p.l.) 33 * (2 a wc) a 104 ** call indirect (different p.l.) 36 * (2 a wc) a 104 ** jmp (same p.l.) 18 * (2 a wc) a 64 *** jmp indirect (same p.l.) 21 * (2 a wc) a 66 *** task switch 97 * (2 a wc) a 230 notes: * jmp long indirect and call long indirect are not supported features of the i386 sx cpu in real mode. ** call direct and call indirect to a different privi- lege level must be done via a call gate and from a less privileged level only. *** jump direct and jmp indirect to a different privi- lege level are not allowed even via a call gate. 46
military i386 tm sx microprocessor reset this input signal suspends any operation in progress and places the i386 sx microprocessor in a known reset state. the i386 sx microprocessor is reset by asserting reset for 15 or more clk2 periods (80 or more clk2 periods before requesting self-test). when reset is active, all other input pins are ig- nored, and all other bus pins are driven to an idle bus state as shown in table 5.5. if reset and hold are both active at a point in time, reset takes priority even if the i386 sx microprocessor was in a hold acknowledge state prior to reset active. reset is an active high, level-sensitive synchro- nous signal. setup and hold times, t 25 and t 26 , shown in figure 7.7, must be met in order to assure proper operation of the i386 sx microprocessor. table 5.6. pin state (bus idle) during reset pin name signal level during reset ads 1 d 15 d 0 float bhe , ble 0 a 23 a 1 1 w/r 0 d/c 1 m/io 0 lock 1 hlda 0 5.2 bus transfer mechanism all data transfers occur as a result of one or more bus cycles. logical data operands of byte and word lengths may be transferred without restrictions on physical address alignment. any byte boundary may be used, although two physical bus cycles are per- formed as required for unaligned operand transfers. the i386 sx microprocessor address signals are de- signed to simplify external system hardware. higher- order address bits are provided by a 23 a 1 . bhe and ble provide linear selects for the two bytes of the 16-bit data bus. byte enable outputs bhe and ble are asserted when their associated data bus bytes are involved with the present bus cycle, as listed in table 5.6. table 5.7. byte enables and associated data and operand bytes byte enable associated data bus signals signal ble d 7 d 0 (byt e 0 e least significant) bhe d 15 d 8 (byt e 1 e most significant) each bus cycle is composed of at least two bus states. each bus state requires one processor clock period. additional bus states added to a single bus cycle are called wait states. see section 5.4 bus functional description . 5.3 memory and i/o spaces bus cycles may access physical memory space or i/o space. peripheral devices in the system may ei- ther be memory-mapped, or i/o-mapped, or both. as shown in figure 5.3, physical memory addresses range from 000000h to 0ffffffh (16 megabytes) and i/o addresses from 000000h to 00ffffh (64 kilobytes). note the i/o addresses used by the auto- matic i/o cycles for coprocessor communication are 8000f8h to 8000ffh, beyond the address range of programmed i/o, to allow easy generation of a co- processor chip select signal using the a 23 and m/io signals. 5.4 bus functional description the i386 sx microprocessor has separate, parallel buses for data and address. the data bus is 16-bits in width, and bidirectional. the address bus provides a 24-bit value using 23 signals for the 23 upper-order address bits and 2 byte enable signals to directly indicate the active bytes. these buses are interpret- ed and controlled by several definition signals. the definition of each bus cycle is given by three signals: m/io , w/r and d/c . at the same time, a valid address is present on the byte enable signals (bhe and ble ) and the other address signals (a 23 a 1 ). a status signal, ads , indicates when the i386 sx microprocessor issues a new bus cycle definition and address. 47
military i386 tm sx microprocessor note: 271110 20 since a23 is high during automatic communication with coprocessor, a23 high and m/io low can be used to easily generate a coprocessor select signal. figure 5.3. physical memory and i/o spaces 271110 21 fastest non-pipelined bus cycles consist of t1 and t2 figure 5.4. fastest read cycles with non-pipelined address timing 48
military i386 tm sx microprocessor collectively, the address bus, data bus and all asso- ciated control signals are referred to simply as `the bus'. when active, the bus performs one of the bus cycles below: 1. read from memory space 2. locked read from memory space 3. write to memory space 4. locked write to memory space 5. read from i/o space (or coprocessor) 6. write to i/o space (or coprocessor) 7. interrupt acknowledge (always locked) 8. indicate halt, or indicate shutdown table 5.2 shows the encoding of the bus cycle defi- nition signals for each bus cycle. see bus cycle definition signals in section 5.1 for additional infor- mation. when the i386 sx microprocessor bus is not per- forming one of the activities listed above, it is either idle, in reset, or in the hold acknowledge state, which may be detected externally. the idle state can be identified by the i386 sx microprocessor giving no further assertions on its address strobe output (ads ) since the beginning of its most recent bus cycle, and the most recent bus cycle having been terminated. the hold acknowledge state is identified by the i386 sx microprocessor asserting its hold ac- knowledge (hlda) output. the shortest time unit of bus activity is a bus state. a bus state is one processor clock period (two clk2 periods) in duration. a complete data transfer occurs during a bus cycle, composed of two or more bus states. the fastest i386 sx microprocessor bus cycle re- quires only two bus states. for example, three con- secutive bus read cycles, each consisting of two bus states, are shown by figure 5.4. the bus states in each cycle are named t1 and t2. any memory or i/o address may be accessed by such a two-state bus cycle, if the external hardware is fast enough. 271110 22 fastest pipelined bus cycles consist of t1p and t2p figure 5.5. fastest read cycles with pipelined address timing 49
military i386 tm sx microprocessor every bus cycle continues until it is acknowledged by the external system hardware, using the i386 sx microprocessor ready input. acknowledging the bus cycle at the end of the first t2 results in the shortest bus cycle, requiring only t1 and t2. if ready is not immediately asserted however, t2 states are repeated indefinitely until the ready in- put is sampled active. the address pipelining option provides a choice of bus cycle timings. pipelined or non-pipelined ad- dress timing is selectable on a cycle-by-cycle basis with the next address (na ) input. when address pipelining is selected the address (bhe , ble and a 23 a 1 ) and definition (w/r , d/c , m/io and lock ) of the next cycle are available be- fore the end of the current cycle. to signal their availability, the i386 sx microprocessor address status output (ads ) is asserted. figure 5.5 illustrates the fastest read cycles with pipelined address tim- ing. note from figure 5.5 that the fastest bus cycles us- ing pipelined address require only two bus states, named t1p and t2p . therefore cycles with pipe- lined address timing allow the same data bandwidth as non-pipelined cycles, but address-to-data access time is increased by one t-state time compared to that of a non-pipelined cycle. read and write cycles data transfers occur as a result of bus cycles, classi- fied as read or write cycles. during read cycles, data is transferred from an external device to the proces- sor. during write cycles, data is transferred from the processor to an external device. 271110 23 idle states are shown here for diagram variety only. write cycles are not always followed by an idle state. an active bus cycle can immediately follow the write cycle. figure 5.6. various bus cycles with non-pipelined address (zero wait states) 50
military i386 tm sx microprocessor two choices of address timing are dynamically se- lectable: non-pipelined or pipelined. after an idle bus state, the processor always uses non-pipelined ad- dress timing. however the na (next address) input may be asserted to select pipelined address timing for the next bus cycle. when pipelining is selected and the i386 sx microprocessor has a bus request pending internally, the address and definition of the next cycle is made available even before the current bus cycle is acknowledged by ready . terminating a read or write cycle, like any bus cycle, requires acknowledging the cycle by asserting the ready input. until acknowledged, the processor in- serts wait states into the bus cycle, to allow adjust- ment for the speed of any external device. external hardware, which has decoded the address and bus cycle type, asserts the ready input at the appropri- ate time. at the end of the second bus state within the bus cycle, ready is sampled. at that time, if external hardware acknowledges the bus cycle by asserting ready , the bus cycle terminates as shown in figure 5.6. if ready is negated as in figure 5.7, the i386 sx microprocessor executes another bus state (a wait state) and ready is sampled again at the end of that state. this continues indefinitely until the cy- cle is acknowledged by ready asserted. when the current cycle is acknowledged, the i386 sx microprocessor terminates it. when a read cycle is acknowledged, the i386 sx microprocessor latches the information present at its data pins. when a write cycle is acknowledged, the i386 sx cpu's write data remains valid throughout phase one of the next bus state, to provide write data hold time. 271110 24 idle states are shown here for diagram variety only. write cycles are not always followed by an idle state. an active bus cycle can immediately follow the write cycle. figure 5.7. various bus cycles with non-pipelined address (various number of wait states) 51
military i386 tm sx microprocessor non-pipelined address any bus cycle may be performed with non-pipelined address timing. for example, figure 5.6 shows a mixture of read and write cycles with non-pipelined address timing. figure 5.6 shows that the fastest possible cycles with non-pipelined address have two bus states per bus cycle. the states are named t1 and t2. in phase one of t1, the address signals and bus cycle definition signals are driven valid and, to signal their availability, address strobe (ads )is simultaneously asserted. during read or write cycles, the data bus behaves as follows. if the cycle is a read, the i386 sx microproc- essor floats its data signals to allow driving by the external device being addressed. the i386 sx mi- croprocessor requires that all data bus pins be at a valid logic state (high or low) at the end of each read cycle, when ready is asserted. the system must be designed to meet this require- ment. if the cycle is a write, data signals are driven by the i386 sx microprocessor beginning in phase two of t1 until phase one of the bus state following cycle acknowledgment. figure 5.7 illustrates non-pipelined bus cycles with one wait state added to cycles 2 and 3. ready is sampled inactive at the end of the first t2 in cycles 2 and 3. therefore cycles 2 and 3 have t2 repeated again. at the end of the second t2, ready is sam- pled active. when address pipelining is not used, the address and bus cycle definition remain valid during all wait states. when wait states are added and it is desir- able to maintain non-pipelined address timing, it is necessary to negate na during each t2 state except the last one, as shown in figure 5.7 cycles 2 and 3. if na is sampled active during a t2 other than the last one, the next state would be t2i or t2p instead of another t2. when address pipelining is not used, the bus states and transitions are completely illustrated by figure 5.8. the bus transitions between four possible states, t1, t2, ti, and th. bus cycles consist of t1 and t2, with t2 being repeated for wait states. oth- erwise the bus may be idle, ti, or in the hold ac- knowledge state th. 271110 25 bus states: t1efirst clock of a non-pipelined bus cycle (i386 tm sx cpu drives new address and asserts ads ). t2esubsequent clocks of a bus cycle when na has not been sampled asserted in the current bus cycle. tieidle state. thehold acknowledge state (i386 sx cpu asserts hlda). the fastest bus cycle consists of two states t1 and t2. four basic bus states describe bus operation when not using pipelined address. figure 5.8. bus states (not using pipelined address) 52
military i386 tm sx microprocessor bus cycles always begin with t1. t1 always leads to t2. if a bus cycle is not acknowledged during t2 and na is inactive, t2 is repeated. when a cycle is ac- knowledged during t2, the following state will be t1 of the next bus cycle if a bus request is pending internally, or t i if there is no bus request pending, or t h if the hold input is being asserted. use of pipelined address allows the i386 sx micro- processor to enter three additional bus states not shown in figure 5.8. figure 5.12 is the complete bus state diagram, including pipelined address cycles. pipelined address address pipelining is the option of requesting the address and the bus cycle definition of the next in- ternally pending bus cycle before the current bus cycle is acknowledged with ready asserted. ads is asserted by the i386 sx microprocessor when the next address is issued. the address pipelining op- tion is controlled on a cycle-by-cycle basis with the na input signal. once a bus cycle is in progress and the current ad- dress has been valid for at least one entire bus state, the na input is sampled at the end of every phase one until the bus cycle is acknowledged. dur- ing non-pipelined bus cycles na is sampled at the end of phase one in every t2. an example is cycle 2 in figure 5.9, during which na is sampled at the end of phase one of every t2 (it was asserted once dur- ing the first t2 and has no further effect during that bus cycle). 271110 26 following any idle bus state (ti), addresses are non-pipelined. within non-pipelined bus cycles, na is only sampled during wait states. therefore, to begin address pipelining during a group of non-pipelined bus cycles requires a non-pipe- lined cycle with at least one wait state (cycle 2 above). figure 5.9. transitioning to pipelined address during burst of bus cycles 53
military i386 tm sx microprocessor if na is sampled active, the i386 sx microprocessor is free to drive the address and bus cycle definition of the next bus cycle, and assert ads , as soon as it has a bus request internally pending. it may drive the next address as early as the next bus state, whether the current bus cycle is acknowledged at that time or not. regarding the details of address pipelining, the i386 sx microprocessor has the following character- istics: 1. the next address may appear as early as the bus state after na was sampled active (see figures 5.9 or 5.10). in that case, state t2p is entered immediately. however, when there is not an inter- nal bus request already pending, the next address will not be available immediately after na is as- serted and t2i is entered instead of t2p (see fig- ure 5.11 cycle 3). provided the current bus cycle isn't yet acknowledged by ready asserted, t2p will be entered as soon as the i386 sx microproc- essor does drive the next address. external hard- ware should therefore observe the ads output as confirmation the next address is actually being driven on the bus. 2. any address which is validated by a pulse on the ads output will remain stable on the address pins for at least two processor clock periods. the i386 sx microprocessor cannot produce a new ad- dress more frequently than every two processor clock periods (see figures 5.9, 5.10, and 5.11). 3. only the address and bus cycle definition of the very next bus cycle is available. the pipelining ca- pability cannot look further than one bus cycle ahead (see figure 5.11 cycle 1). 271110 27 following any bus state (ti) the address is always non-pipelined and na is only sampled during wait states. to start address pipelining after an idle state requires a non-pipelined cycle with at least one wait state (cycle 1 above) the pipelined cycles (2, 3, 4 above) are shown with various numbers of wait states. figure 5.10. fastest transition to pipelined address following idle bus state 54
military i386 tm sx microprocessor the complete bus state transition diagram, including operation with pipelined address is given by figure 5.12. note it is a superset of the diagram for non- pipelined address only with the three additional bus states for pipelined address drawn in. the fastest bus cycle with pipelined address con- sists of just two bus states, t1p and t2p (recall for non-pipelined address it is t1 and t2). t1p is the first bus state of a pipelined cycle. 271110 28 figure 5.11. details of address pipelining during cycles with wait states 55
military i386 tm sx microprocessor bus states: t1efirst clock of a non-pipelined bus cycle (i386 sx cpu drives new address and asserts ads ). t2esubsequent clocks of a bus cycle when na has not been sampled asserted in the current bus cycle. t2iesubsequent clocks of a bus cycle when na has been sampled asserted in the current bus cycle but there is not yet an internal bus request pending (i386 sx cpu will not drive new address or assert ads ). t2pesubsequent clocks of a bus cycle when na has been sampled asserted in the current bus cycle and there is an inter- nal bus request pending (i386 sx cpu drives new address and asserts ads ). t1pefirst clock of a pipelined bus cycle. tieidle state. 271110 29 thehold acknowledge state (i386 sx cpu asserts hlda). asserting na for pipelined address gives access to three more bus states: t2i, t2p and t1p. using pipelined address, the fastest bus cycle consists of t1p and t2p. figure 5.12. complete bus states (including pipelined address) 56
military i386 tm sx microprocessor initiating and maintaining pipelined address using the state diagram figure 5.12, observe the transitions from an idle state, ti, to the beginning of a pipelined bus cycle t1p. from an idle state, ti, the first bus cycle must begin with t1, and is therefore a non-pipelined bus cycle. the next bus cycle will be pipelined, however, provided na is asserted and the first bus cycle ends in a t2p state (the address for the next bus cycle is driven during t2p). the fastest path from an idle state to a bus cycle with pipelined address is shown in bold below: ti, ti, ti, t1 - t2 - t2p, t1p - t2p, idle non-pipelined pipelined states cycle cycle t1-t2-t2p are the states of the bus cycle that es- tablish address pipelining for the next bus cycle, which begins with t1p. the same is true after a bus hold state, shown below: th, th, th, t1 - t2 - t2p, t1p - t2p, hold acknowledge non-pipelined pipelined states cycle cycle the transition to pipelined address is shown func- tionally by figure 5.10 cycle 1. note that cycle 1 is used to transition into pipelined address timing for the subsequent cycles 2, 3 and 4, which are pipe- lined. the na input is asserted at the appropriate time to select address pipelining for cycles 2, 3 and 4. once a bus cycle is in progress and the current ad- dress has been valid for one entire bus state, the na input is sampled at the end of every phase one until the bus cycle is acknowledged. sampling begins in t2 during cycle 1 in figure 5.10. once na is sam- pled active during the current cycle, the i386 sx mi- croprocessor is free to drive a new address and bus cycle definition on the bus as early as the next bus state. in figure 5.10 cycle 1 for example, the next address is driven during state t2p. thus cycle 1 makes the transition to pipelined address timing, since it begins with t1 but ends with t2p. because the address for cycle 2 is available before cycle 2 begins, cycle 2 is called a pipelined bus cycle, and it begins with t1p. cycle 2 begins as soon as ready asserted terminates cycle 1. examples of transition bus cycles are figure 5.10 cycle 1 and figure 5.9 cycle 2. figure 5.10 shows transition during the very first cycle after an idle bus state, which is the fastest possible transition into ad- dress pipelining. figure 5.9 cycle 2 shows a tran- sition cycle occurring during a burst of bus cycles. in any case, a transition cycle is the same whenever it occurs: it consists at least of t1, t2 (na is asserted at that time), and t2p (provided the i386 sx micro- processor has an internal bus request already pend- ing, which it almost always has). t2p states are re- peated if wait states are added to the cycle. note that only three states (t1, t2 and t2p) are required in a bus cycle performing a transition from non-pipelined address into pipelined address timing, for example figure 5.10 cycle 1. figure 5.10 cycles 2, 3 and 4 show that address pipelining can be main- tained with two-state bus cycles consisting only of t1p and t2p. once a pipelined bus cycle is in progress, pipelined timing is maintained for the next cycle by asserting na and detecting that the i386 sx microprocessor enters t2p during the current bus cycle. the current bus cycle must end in state t2p for pipelining to be maintained in the next cycle. t2p is identified by the assertion of ads . figures 5.9 and 5.10 however, each show pipelining ending after cycle 4 because cycle 4 ends in t2i. this indicates the i386 sx mi- croprocessor didn't have an internal bus request pri- or to the acknowledgement of cycle 4. if a cycle ends with a t2 or t2i, the next cycle will not be pipelined. realistically, address pipelining is almost always maintained as long as na is sampled asserted. this is so because in the absence of any other request, a code prefetch request is always internally pending until the instruction decoder and code prefetch queue are completely full. therefore, address pipe- lining is maintained for long bursts of bus cycles, if the bus is available (i.e., hold inactive) and na is sampled active in each of the bus cycles. 57
military i386 tm sx microprocessor interrupt acknowledge (inta) cycles in response to an interrupt request on the intr in- put when interrupts are enabled, the i386 sx micro- processor performs two interrupt acknowledge cy- cles. these bus cycles are similar to read cycles in that bus definition signals define the type of bus ac- tivity taking place, and each cycle continues until ac- knowledged by ready sampled active. the state of a 2 distinguishes the first and second interrupt acknowledge cycles. the byte address driven during the first interrupt acknowledge cycle is 4(a 23 a 3 ,a 1 , ble low, a 2 and bhe high). the byte address driven during the second interrupt ac- knowledge cycle is 0 (a 23 a 1 , ble low, and bhe high). the lock output is asserted from the beginning of the first interrupt acknowledge cycle until the end of the second interrupt acknowledge cycle. four idle bus states, ti, are inserted by the i386 sx micro- processor between the two interrupt acknowledge cycles for compatibility with spec trhrl of the 8259a interrupt controller. during both interrupt acknowledge cycles, d 15 d 0 float. no data is read at the end of the first interrupt acknowledge cycle. at the end of the second inter- rupt acknowledge cycle, the i386 sx microprocessor will read an external interrupt vector from d 7 d 0 of the data bus. the vector indicates the specific inter- rupt number (from 0 255) requiring service. 271110 30 interrupt vector (0 255) is read on d0 d7 at end of second interrupt acknowledge bus cycle. because each interrupt acknowledge bus cycle is followed by idle bus states. asserting na has no practical effect. choose the approach which is simplest for your system hardware design. figure 5.13. interrupt acknowledge cycles 58
military i386 tm sx microprocessor halt indication cycle the execution unit halts as a result of executing a hlt instruction. signaling its entrance into the halt state, a halt indication cycle is performed. the halt indication cycle is identified by the state of the bus definition signals shown in section 5.1, bus cycle definition signals , and an address of 2. the halt indication cycle must be acknowledged by ready asserted. a halted i386 sx microprocessor resumes execution when intr (if interrupts are enabled), nmi or reset is asserted. 271110 31 figure 5.14. example halt indication cycle from non-pipelined cycle 59
military i386 tm sx microprocessor shutdown indication cycle the i386 sx microprocessor shuts down as a result of a protection fault while attempting to process a double fault. signaling its entrance into the shut- down state, a shutdown indication cycle is per- formed. the shutdown indication cycle is identified by the state of the bus definition signals shown in bus cycle definition signals , section 5.1, and an address of 0. the shutdown indication cycle must be acknowledged by ready asserted. a shutdown i386 sx microprocessor resumes execution when nmi or reset is asserted. entering and exiting hold acknowledge the bus hold acknowledge state, th, is entered in response to the hold input being asserted. in the bus hold acknowledge state, the i386 sx microproc- essor floats all outputs or bidirectional signals, ex- cept for hlda. hlda is asserted as long as the i386 sx microprocessor remains in the bus hold ac- knowledge state. in the bus hold acknowledge state, all inputs except hold and reset are ignored. 271110 32 figure 5.15. example shutdown indication cycle from pipelined cycle 60
military i386 tm sx microprocessor th may be entered from a bus idle state as in figure 5.16 or after the acknowledgement of the current physical bus cycle if the lock signal is not asserted, as in figures 5.17 and 5.18. th is exited in response to the hold input being negated. the following state will be ti as in figure 5.16 if no bus request is pending. the following bus state will be t1 if a bus request is internally pending, as in figures 5.17 and 5.18. th is also exited in re- sponse to reset being asserted. if a rising edge occurs on the edge-triggered nmi input while in th, the event is remembered as a non- maskable interrupt 2 and is serviced when th is exit- ed unless the i386 sx microprocessor is reset be- fore th is exited. reset during hold acknowledge reset being asserted takes priority over hold be- ing asserted. if reset is asserted while hold re- mains asserted, the i386 sx microprocessor drives its pins to defined states during reset, as in table 5.5 pin state during reset , and performs internal reset activity as usual. if hold remains asserted when reset is inactive, the i386 sx microprocessor enters the hold ac- knowledge state before performing its first bus cy- cle, provided hold is still asserted when the i386 sx microprocessor would otherwise perform its first bus cycle. float (100-lead pqfp package) activating the flt input floats all i386 sx bidirec- tional and output signals, including hlda. asserting flt isolates the i386 sx from the surrounding cir- cuitry. as the i386 sx is packaged in a surface mount pqfp, it cannot be removed from the motherboard when in-circuit emulation (ice) is needed. the flt 271110 33 note: for maximum design flexibility the i386 sx cpu has no internal pullup resistors on its outputs. your design may require an external pullup on ads and other outputs to keep them negated during float periods. figure 5.16. requesting hold from idle bus 61
military i386 tm sx microprocessor input allows the i386 sx to be electrically isolated from the surrounding circuitry. this allows connec- tion of an emulator to the i386 sx pqfp without removing it from the pcb. this method of emulation is referred to as on-circuit emulation (once). entering and exiting float flt is an asynchronous, active-low input. it is recog- nized on the rising edge of clk2. when recognized, it aborts the current bus cycle and floats the outputs of the i386 sx (figure 5.20). flt must be held low for a minimum of 16 clk2 cycles. reset should be asserted and held asserted until after flt is deas- serted. this will ensure that the i386 sx will exit float in a valid state. asserting the flt input unconditionally aborts the current bus cycle and forces the i386 sx into the float mode. since activating flt unconditionally forces the i386 sx into float mode, the i386 sx is not guaranteed to enter float in a valid state. after deactivating flt , the i386 sx is not guaranteed to exit float mode in a valid state. this is not a prob- lem as the flt pin is meant to be used only during once. after exiting float, the i386 sx must be reset to return it to a valid state. reset should be asserted before flt is deasserted. this will ensure that the i386 sx will exit float in a valid state. flt has an internal pull-up resistor, and if it is not used it should be unconnected. bus activity during and following reset reset is the highest priority input signal, capable of interrupting any processor activity when it is assert- ed. a bus cycle in progress can be aborted at any stage, or idle states or bus hold acknowledge states discontinued so that the reset state is established. 271110 34 note: hold is a synchronous input and can be asserted at any clk2 edge, provided setup and hold (t 23 and t 24 , shown in figure 7.4) requirements are met. this waveform is useful for determining hold acknowledge latency. figure 5.17. requesting hold from active bus (na inactive) 62
military i386 tm sx microprocessor reset should remain asserted for at least 15 clk2 periods to ensure it is recognized throughout the i386 sx microprocessor, and at least 80 clk2 peri- ods if self-test is going to be requested at the falling edge, see figure 5.19. reset asserted pulses less than 15 clk2 periods may not be recognized. re- set pulses less than 80 clk2 periods followed by a self-test may cause the self-test to report a failure when no true failure exists. provided the reset falling edge meets setup and hold times t 25 and t 26 , the internal processor clock phase is defined at that time as illustrated by figure 5.19 and figure 7.7. a self-test may be requested at the time reset goes inactive by having the busy input at a low level as shown in figure 5.19. the self-test requires approximately (2 20 a 60) clk2 periods to com- plete. the self-test duration is not affected by the test results. even if the self-test indicates a problem, the i386 sx microprocessor attempts to proceed with the reset sequence afterwards. after the reset falling edge (and after the self-test if it was requested) the i386 sx microprocessor per- forms an internal initialization sequence for approxi- mately 350 to 450 clk2 periods. 271110 35 note: hold is a synchronous input and can be asserted at any clk2 edge, provided setup and hold (t23 and t24, shown in figure 7.4) requirements are met. this waveform is useful for determining hold acknowledge latency. figure 5.18. requesting hold from idle bus (na active) 63
military i386 tm sx microprocessor 271110 36 notes: 1. busy should be held stable for 8 clk2 periods before and after the clk2 period in which reset falling edge occurs. 2. if self-test is requested the outputs remain in their reset state as shown here. figure 5.19. bus activity from reset until first code fetch 271110 48 figure 5.20. entering and exiting, flt 64
military i386 tm sx microprocessor 5.5 self-test signature upon completion of self-test (if self-test was re- quested by driving busy low at the falling edge of reset) the eax register will contain a signature of 00000000h indicating the i386 sx microprocessor passed its self-test of microcode and major pla contents with no problems detected. the passing signature in eax, 00000000h, applies to all revision levels. any non-zero signature indicates the unit is faulty. 5.6 component and revision identifiers to assist users, the i386 sx microprocessor after reset holds a component identifier and revision iden- tifier in its edx register. the upper 8 bits of edx hold 23h as identification of the i386 sx microprocessor (the lower nibble, 03h, refers to the intel386 dx ar- chitecture. the upper nibble, 02h, refers to the sec- ond member of the intel386 dx family). the lower 8 bits of edx hold an 8-bit unsigned binary number related to the component revision level. the revision identifier will, in general, chronologically track those component steppings which are intended to have certain improvements or distinction from previous steppings. the i386 sx microprocessor revision identifier will track that of the i386 dx cpu where possible. the revision identifier is intended to assist users to a practical extent. however, the revision identifier val- ue is not guaranteed to change with every stepping revision, or to follow a completely uniform numerical sequence, depending on the type or intention of re- vision, or manufacturing materials required to be changed. intel has sole discretion over these char- acteristics of the component. table 5.8. component and revision identifier history stepping revision identifier a0 04h b 05h c 08h 5.7 coprocessor interfacing the i386 sx microprocessor provides an automatic interface for the intel387 sx numeric floating-point coprocessor. the i387 sx coprocessor uses an i/o mapped interface driven automatically by the i386 sx microprocessor and assisted by three dedicated signals: busy , error and pereq. as the i386 sx microprocessor begins supporting a coprocessor instruction, it tests the busy and error signals to determine if the coprocessor can accept its next instruction. thus, the busy and error inputs eliminate the need for any `pre- amble' bus cycles for communication between proc- essor and coprocessor. the i387 sx can be given its command opcode immediately. the dedicated sig- nals provide instruction synchronization, and elimi- nate the need of using the wait opcode (9bh) for i387 sx instruction synchronization (the wait op- code was required when the m8086 or m8088 was used with the m8087 coprocessor). custom coprocessors can be included in i386 sx microprocessor based systems by memory-mapped or i/o-mapped interfaces. such coprocessor inter- faces allow a completely custom protocol, and are not limited to a set of coprocessor protocol ``primi- tives''. instead, memory-mapped or i/o-mapped in- terfaces may use all applicable instructions for high- speed coprocessor communication. the busy and error inputs of the i386 sx microprocessor may also be used for the custom coprocessor interface, if such hardware assist is desired. these signals can be tested by the wait opcode (9bh). the wait in- struction will wait until the busy input is inactive (in- terruptable by an nmi or enabled intr input), but generates an exception 16 fault if the error pin is active when the busy goes (or is) inactive. if the custom coprocessor interface is memory-mapped, protection of the addresses used for the interface can be provided with the i386 sx cpu's on-chip paging or segmentation mechanisms. if the custom interface is i/o-mapped, protection of the interface can be provided with the iopl (i/o privilege level) mechanism. the i387 sx numeric coprocessor interface is i/o mapped as shown in table 5.9. note that the i387 sx coprocessor interface addresses are be- yond the 0h-0ffffh range for programmed i/o. when the i386 sx microprocessor supports the i387 sx coprocessor, the i386 sx microprocessor auto- matically generates bus cycles to the coprocessor interface addresses. table 5.9. numeric coprocessor port addresses address in i386 tm sx i387 tm sx coprocessor cpu i/o space register 8000f8h opcode register 8000fch/8000feh * operand register * generated as 2nd bus cycle during dword transfer. to correctly map the i387 sx registers to the appro- priate i/o addresses, connect the cmd0 and cmd1 lines of the i387 sx as listed in table 5.10. table 5.10. connections for cmd0 and cmd1 inputs for the i387 tm sx signal connection cmd0 connect directly to i386 tm sx cpu a2 signal cmd1 connect to ground. 65
military i386 tm sx microprocessor software testing for coprocessor presence when software is used to test for coprocessor (i387 sx) presence, it should use only the following coprocessor opcodes: finit, fninit, fstcw mem, fstsw mem and fstsw ax. to use other coproc- essor opcodes when it is known a coprocessor is not present, first set em e 1 in the i386 sx cpu's cr0 register. 6.0 package thermal specifications the case temperature may be measured in any envi- ronment, to determine whether the i386 sx micro- processor is within specified operating range. the case temperature should be measured at the center of the top surface opposite the pins. the ambient temperature is guaranteed as long as t c is not violated. the ambient temperature can be calculated from the i jc and i ja from the following equations: t j e t c a p * i jc t a e t j b p * i ja t c e t a a p * [ i ja b i jc ] values for i ja and i jc are given in table 6.1 for the 100-lead pqfp and 88-lead pga. i ja is given at vari- ous airflows. note that t a can be improved further by attaching `fins' or a `heat sink' to the package. 7.0 electrical specifications the following sections describe recommended elec- trical connections and electrical specifications for the i386 sx microprocessor. 7.1 power and grounding the i386 sx microprocessor is implemented in chmos iii technology and has modest power re- quirements. however, its high clock frequency and 47 output buffers (address, data, control, and hlda) can cause power surges as multiple output buffers drive new signal levels simultaneously. for clean on- chip power distribution at high frequency, 15 v cc and 15 v ss pins separately feed functional units of the i386 sx microprocessor. power and ground connections must be made to all external v cc and v ss pins of the i386 sx microproc- essor. on the circuit board, all v cc pins should be connected on a v cc plane and all v ss pins should be connected on a gnd plane. power decoupling recommendations liberal decoupling capacitors should be placed near the i386 sx microprocessor. the i386 sx microproc- essor driving its 24-bit address bus and 16-bit data bus at high frequencies can cause transient power surges, particularly when driving large capacitive loads. low inductance capacitors and interconnects are recommended for best high frequency electrical performance. inductance can be reduced by short- ening circuit board traces between the i386 sx mi- croprocessor and decoupling capacitors as much as possible. table 6.1. thermal resistances ( c/watt) i jc and i ja (see note). i ja versus airflow - ft/min (m/sec) package i jc 0 200 400 600 800 1000 (0) (1.01) (2.03) (3.04) (4.06) (5.07) 88-lead pga 2 25 20 17 14 12 11 100-lead pqfp 7.5 34.5 29.5 25.5 22.5 21.5 21.0 fine pitch max. t a calculated at 5.0v and max i cc . 66
military i386 tm sx microprocessor table 7.1. recommended resistor pull-ups to v cc pin signal pull-up value purpose j1 ads 20 k-ohm g 10% lightly pull ads inactive during i386 tm sx cpu hold acknowledge states m5 lock 20 k-ohm g 10% lightly pull lock inactive during i386 tm sx cpu hold acknowledge states resistor recommendations the error and busy inputs have internal pull-up resistors of approximately 20 k-ohms and the per- eq input has an internal pull-down resistor of ap- proximately 20 k-ohms built into the i386 sx micro- processor to keep these signals inactive when the i387 npx is not present in the system (or temporarily removed from its socket). in typical designs, the external pull-up resistors shown in table 7.1 are recommended. however, a particular design may have reason to adjust the re- sistor values recommended here, or alter the use of pull-up resistors in other ways. other connection recommendations for reliable operation, always connect unused in- puts to an appropriate signal level. n/c pins should always remain unconnected. connection of n/c pins to v cc or v ss will result in component mal- function or incompatibility with future steppings of the i386 sx microprocessor . particularly when not using interrupts or bus hold (as when first prototyping), prevent any chance of spuri- ous activity by connecting these associated inputs to gnd: pin signal m9 intr m8 nmi g1 hold if not using address pipelining, connect pin g2, na , through a pull-up in the range of 20 k-ohms to v cc . 7.2 maximum ratings table 7.2. maximum ratings parameter maximum rating storage temperature b 65 cto a 150 c case temperature under bias b 55 cto a 125 c supply voltage with respect to v ss b 0.5v to 6.5v voltage on other pins b 0.5v to (v cc a 0.5)v table 7.2 gives stress ratings only, and functional operation at the maximums is not guaranteed. func- tional operating conditions are given in section 7.3, dc specifications , and section 7.4, ac specifica- tions . extended exposure to the maximum ratings may af- fect device reliability. furthermore, although the i386 sx microprocessor contains protective circuitry to resist damage from static electric discharge, al- ways take precautions to avoid high static voltages or electric fields. 67
military i386 tm sx microprocessor 7.3 operating conditions mil-std-883 (pga package) symbol description min max units t c case temperature (instant on) b 55 a 125 c v cc digital supply voltage 4.75 5.25 v extended temperature (pga package) symbol description min max units t c case temperature (instant on) b 40 a 110 c v cc digital supply voltage 4.75 5.25 v extended temperature (pqfp package) symbol description min max units t c case temperature (instant on) b 20 a 100 c v cc digital supply voltage 4.75 5.25 v military temperature only (pga package) symbol description min max units t c case temperature (instant on) b 55 a 125 c v cc digital supply voltage 4.75 5.25 v 68
military i386 tm sx microprocessor 7.4 dc specifications (over specified operating conditions) table 7.3. dc characteristics symbol parameter min max unit comments v il input low voltage b 0.3 * a 0.8 v v ih input high voltage 2.0 v cc a 0.3 * v v ilc clk2 input low voltage b 0.3 * a 0.8 v v ihc clk2 input high voltage v cc b 0.8 v cc a 0.3 * v v ol output low voltage i ol e 4ma: a 23 a 1 ,d 15 d 0 0.45 v i ol e 5ma: bhe , ble , w/r , 0.45 v d/c , m/io , lock , ads , hlda v oh output high voltage i oh eb 1ma: a 23 a 1 ,d 15 d 0 2.4 v i oh eb 0.2 ma: a 23 a 1 ,d 15 d 0 v cc b 0.5 v i oh eb 0.9ma: bhe , ble , w/r , 2.4 v d/c , m/io , lock , ads , hlda i oh eb 0.18 ma: bhe , ble , w/r ,v cc b 0.5 d/c , m/io , lock , ads , hlda i li input leakage current g 15 m a0v s v in s v cc (for all pins except pereq, busy and error ) i ih input leakage current 200 m av ih e 2.4v, note 1 (pereq pin) i il input leakage current b 400 m av il e 0.45v, note 2 (busy and error pins) i lo output leakage current g 15 m a 0.45v s v out s v cc i cc supply current clk2 e 32 mhz 275 ma i cc typ e 175 ma, note 3 clk2 e 40 mhz 305 ma i cc typ e 200 ma, note 3 c in input capacitance 10 * pf fc e 1 mhz c out output or i/o capacitance 12 * pf fc e 1 mhz c clk clk2 capacitance 20 * pf fc e 1 mhz tested at the minimum operating frequency of the part. * guaranteed, not tested. notes: 1. pereq input has an internal pull-down resistor. 2. busy and error inputs each have an internal pull-up resistor. 3. icc max measurement at worst case load, frequency, v cc and temperature. 69
military i386 tm sx microprocessor 7.5 ac specifications the ac specifications given in table 7.4 consist of output delays, input setup requirements and input hold requirements. all ac specifications are relative to the clk2 rising edge crossing the 2.0v level. ac spec measurement is defined by figure 7.1. in- puts must be driven to the voltage levels indicated by figure 7.1 when ac specifications are measured. output delays are specified with minimum and maxi- mum limits measured as shown. the minimum delay times are hold times provided to external circuitry. input setup and hold times are specified as mini- mums, defining the smallest acceptable sampling window. within the sampling window, a synchronous input signal must be stable for correct operation. outputs na , w/r , d/c , m/io , lock , bhe , ble , a 23 a 1 and hlda only change at the beginning of phase one. d 15 d 0 (write cycles) only change at the beginning of phase two. the ready , hold, busy , error , pereq and d 15 d 0 (read cycles) inputs are sampled at the beginning of phase one. the na , intr and nmi inputs are sampled at the beginning of phase two. 271110 37 legend a e maximum output delay spec b e minimum output delay spec c e minimum input setup spec d e minimum input hold spec figure 7.1. drive levels and measurement points for ac specifications 70
military i386 tm sx microprocessor ac specifications tables (over specified operating conditions) table 7.4. ac characteristics symbol parameter 16 mhz 20 mhz unit figure comments min max min max operating frequency 4 16 4 20 mhz half clk2 freq t 1 clk2 period 31 125 25 125 ns 7.3 t 2a clk2 high time 9 8 ns 7.3 at 2v (4) t 2b clk2 high time 5 5 ns 7.3 at (v cc b 0.8)v (4) t 3a clk2 low time 9 8 ns 7.3 at 2v (4) t 3b clk2 low time 7 6 ns 7.3 at 0.8v (4) t 4 clk2 fall time 8 8 ns 7.3 (v cc b 0.8)v to 0.8v (4) t 5 clk2 rise time 8 8 ns 7.3 0.8v to (v cc b 0.8)v (4) t 6 a 23 a 1 valid delay 4 36 4 30 ns 7.5 c l e 120pf t 7 a 23 a 1 float delay 4 40 4 32 ns 7.6 (note 1) t 8 bhe , ble , lock 4 36 4 30 ns 7.5 c l e 75pf (3) valid delay t 9 bhe , ble , lock 4 40 4 32 ns 7.6 (note 1) float delay t 10 w/r , m/io , d/c , 6 33 6 26 ns 7.5 c l e 75pf (3) ads valid delay t 11 w/r , m/io , d/c 6 35 6 30 ns 7.6 (note 1) ads float delay t 12 d 15 d 0 write data 4 40 4 38 ns 7.5 c l e 120pf (3) valid delay t 13 d 15 d 0 write data 4 35 4 27 ns 7.6 (note 1) float delay t 14 hlda valid delay 6 33 4 28 ns 7.5 c l e 75pf (3) t 15 na setup time 5 5 ns 7.4 t 16 na hold time 21 12 ns 7.4 t 19 ready setup time 19 12 ns 7.4 t 20 ready hold time 4 4 ns 7.4 t 21 d 15 d 0 read data 9 9 ns 7.4 setup time t 22 d 15 d 0 read data 6 6 ns 7.4 hold time notes: 1. float condition occurs when maximum output current becomes less than i lo in magnitude, float timings not tested. 2. these inputs are allowed to be asynchronous to clk2. the setup and hold specifications are given for testing purposes, to assure recognition within a specific clk2 period. 3. tested with c l set at 50 pf and derated to support the indicated distributed capacitive load. see figure 7.8 for the capacitive derating curve. 4. guaranteed, not tested. 71
military i386 tm sx microprocessor table 7.4. ac characteristics (continued) symbol parameter 16 mhz 20 mhz unit figure comments min max min max t 23 hold setup time 26 17 ns 7.4 t 24 hold hold time 5 5 ns 7.4 t 25 reset setup time 13 12 ns 7.7 t 26 reset hold time 4 4 ns 7.7 t 27 nmi, intr setup time 16 16 ns 7.4 (note 1) t 28 nmi, intr hold time 16 16 ns 7.4 (note 1) t 29 pereq, error , busy 16 14 ns 7.4 (note 1) setup time t 30 pereq, error , busy 5 5 ns 7.4 (note 1) hold time note: 1. float conditions occur when maximum output current becomes less than i lo in magnitude, float timings not tested. ac test loads 271110 38 ac timing waveforms 271110 39 figure 7.2. ac test loads figure 7.3. clk2 waveform 72
military i386 tm sx microprocessor 271110 40 note: 1. to assure recognition of nmi, it must be inactive for at least eight clk2 periods, and then be active for at least eight clk2 periods before the beginning of the instruction boundary in the i386 sx microprocessor's execution unit. figure 7.4. ac timing waveformseinput setup and hold timing 271110 41 figure 7.5. ac timing waveformseoutput valid delay timing 73
military i386 tm sx microprocessor 271110 42 figure 7.6. ac timing waveformseoutput float delay and hlda valid delay timing 271110 43 figure 7.7. ac timing waveformsereset setup and hold timing and internal phase 74
military i386 tm sx microprocessor 271110 44 figure 7.8. typical output valid delay versus load capacitance at maximum operating temperature (c l e 120 pf) 271110 45 figure 7.9. typical output valid delay versus load capacitance at maximum operating temperature (c l e 75 pf) 271110 46 figure 7.10. typical output valid delay versus load capacitance at maximum operating temperature (c l e 50 pf) 8.0 differences between the i386 tm sx cpu and the i386 dx cpu the following are the major differences between the i386 sx cpu and the i386 dx cpu: 1. the i386 sx cpu has no bus sizing option. the i386 dx cpu can select between either a 32-bit bus or a 16-bit bus by use of the bs16 input. the i386 sx cpu has a 16-bit bus size. 2. the i386 sx cpu generates byte selects on bhe and ble (like the m8086 and m80286) to distin- guish the upper and lower bytes on its 16-bit data bus. the i386 dx cpu uses four byte selects, be0 be3 , to distinguish between the different bytes on its 32-bit bus. 3. the i386 dx cpu uses a 31 and m/io as selects for the numerics coprocessor. the i386 sx cpu uses a 23 and m/io as selects. 4. both i386 dx cpu and i386 sx cpu have the same logical address space. the only difference is that the i386 dx cpu has a 32-bit physical ad- dress space and the i386 sx cpu has a 24-bit physical address space. the i386 sx cpu has a physical memory address space of up to 16 megabytes instead of the 4 gigabytes available to the i386 dx cpu. therefore, in i386 sx cpu sys- tems, the operating system must be aware of this physical memory limit and should allocate memo- ry for applications programs within this limit. if a i386 dx cpu system uses only the lower 16 megabytes of physical address, then there will be no extra effort required to migrate i386 dx cpu software to the i386 sx cpu. any application which uses more than 16 megabytes of memory can run on the i386 sx cpu if the operating sys- tem utilizes the i386 sx cpu's paging mecha- nism. in spite of this difference in physical ad- dress space, the i386 sx cpu and i386 dx cpu can run the same operating systems and applica- tions within their respective physical memory con- straints. 75
military i386 tm sx microprocessor 5. the na pin operation in the i386 sx cpu is identi- cal to that of the na pin on the i386 dx cpu with one exception: the i386 dx cpu na cannot be activated on 16-bit bus cycles (where bs16 is low in the i386 dx cpu case), whereas na can be activated on any i386 sx cpu bus cycle. 6. the i386 dx cpu prefetch unit fetches code in four-byte units. the i386 sx cpu prefetch unit reads two bytes as one unit (like the m80286). in bs16 mode, the i386 dx cpu takes two consecu- tive bus cycles to complete a prefetch request. if there is a data read or write request after the pre- fetch starts, the i386 dx cpu will fetch all four bytes before addressing the new request. 7. the contents of all i386 sx cpu registers at reset are identical to the contents of the i386 dx cpu registers at reset, except the dx register. the dx register contains a component-stepping identifier at reset, i.e. in i386 dx cpu, dh e 3 indicates i386 dx cpu after reset dl e revision number; in i386 sx cpu, dh e 23h indicates i386 sx after reset cpu dl e revision number. 9.0 instruction set this section describes the instruction set. table 9.1 lists all instructions along with instruction encoding diagrams and clock counts. further details of the instruction encoding are then provided in the follow- ing sections, which completely describe the encod- ing structure and the definition of all fields occurring within instructions. 9.1 i386 tm sx cpu instruction encoding and clock count summary to calculate elapsed time for an instruction, multiply the instruction clock count, as listed in table 9.1 be- low, by the processor clock period (e.g. 62.5 ns for an i386 sx microprocessor operating at 16 mhz). the actual clock count of an i386 sx microproces- sor program will average 5% more than the calculat- ed clock count due to instruction sequences which execute faster than they can be fetched from memo- ry. instruction clock count assumptions 1. the instruction has been prefetched, decoded, and is ready for execution. 2. bus cycles do not require wait states. 3. there are no local bus hold requests delaying processor access to the bus. 4. no exceptions are detected during instruction ex- ecution. 5. if an effective address is calculated, it does not use two general register components. one regis- ter, scaling and displacement can be used within the clock counts shown. however, if the effective address calculation uses two general register components, add 1 clock to the clock count shown. instruction clock count notation 1. if two clock counts are given, the smaller refers to a register operand and the larger refers to a mem- ory operand. 2. n e number of times repeated. 3. m e number of components in the next instruc- tion executed, where the entire displacement (if any) counts as one component, the entire imme- diate data (if any) counts as one component, and all other bytes of the instruction and prefix(es) each count as one component. misaligned or 32-bit operand accesses e if instructions accesses a misaligned 16-bit oper- and or 32-bit operand on even address add: 2 * clocks for read or write 4 ** clocks for read and write e if instructions accesses a 32-bit operand on odd address add: 4 * clocks for read or write 8 ** clocks for read and write wait states wait states add 1 clock per wait state to instruction execution for each data access. 76
military i386 tm sx microprocessor table 9-1. instruction set clock count summary clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode general data transfer mov e move: register to register/memory 1000100w modreg r/m 2/2 2/2 * 28 register/memory to register 1000101w modreg r/m 2/4 2/4 * 28 immediate to register/memory 1100011w mod000 r/m immediate data 2/2 2/2 * 28 immediate to register (short form) 1011 w reg immediate data 2 2 memory to accumulator (short form) 1010000w full displacement 4 * 4 * 28 accumulator to memory (short form) 1010001w full displacement 2 * 2 * 28 register memory to segment register 10001110 mod sreg3 r/m 2/5 22/23 2 8, 10, 11 segment register to register/memory 10001100 mod sreg3 r/m 2/2 2/2 2 8 movsx e move with sign extension register from register/memory 00001111 1011111w modreg r/m 3/6 * 3/6 * 28 movzx e move with zero extension register from register/memory 00001111 1011011w modreg r/m 3/6 * 3/6 * 28 push e push: register/memory 11111111 mod110 r/m 5/7 * 7/9 * 28 register (short form) 01010 reg 2 4 2 8 (short form) segment register (es, cs, ss or ds) 0 0 0 sreg 2110 2 4 2 8 fs or gs) segment register (es, cs, ss, ds, 00001111 10 sreg 3000 2 4 2 8 immediate 011010s0 immediate data 2 4 2 8 pusha e push all 01100000 18 34 2 8 pop e pop register/memory 10001111 mod000 r/m 5/7 7/9 2 8 register (short form) 01011 reg 6 6 2 8 (short form) segment register (es, cs, ss or ds) 000sreg2111 7 25 2 8,9,10 fs or gs segment register (es, cs, ss or ds), 00001111 10 sreg3001 7 25 2 8,9,10 popa e pop all 01100001 24 40 2 8 xchg e exchange register/memory with register 1000011w modreg r/m 3/5 ** 3/5 ** 2, 6 6, 8 register with accumulator (short form) 10010 reg 8086 mode clk count virtual 33 in e input from: fixed port 1110010w port number 2 26 12 * 6 * /26 * 19, 13 variable port 1110110w 2 27 13 * 7 * /27 * 19, 13 out e output to: fixed port 1110011w port number 2 24 10 * 4 * /24 * 19, 13 variable port 1110111w 2 25 11 * 5 * /25 * 19, 13 lea e load ea to register 10001101 modreg r/m 2 2 77
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode segment control lds e load pointer to ds 11000101 modreg r/m 7 * 26 * /28 * 2 8, 10, 11 les e load pointer to es 11000100 modreg r/m 7 * 26 * /28 * 2 8, 10, 11 lfs e load pointer to fs 00001111 10110100 modreg r/m 7 * 29 * /31 * 2 8, 10, 11 lgs e load pointer to gs 00001111 10110101 modreg r/m 7 * 26 * /28 * 2 8, 10, 11 lss e load pointer to ss 00001111 10110010 modreg r/m 7 * 26 * /28 * 2 8, 10, 11 flag control clc e clear carry flag 11111000 2 2 cld e clear direction flag 11111100 2 2 cli e clear interrupt enable flag 11111010 8 8 13 clts e clear task switched flag 00001111 00000110 5 5 3 12 cmc e complement carry flag 11110101 2 2 lahf e load ah into flag 10011111 2 2 popf e pop flags 10011101 5 5 2 8,14 pushf e push flags 10011100 4 4 2 8 sahf e store ah into flags 10011110 3 3 stc e set carry flag 11111001 2 2 std e set direction flag 11111101 sti e set interrupt enable flag 11111011 8 8 13 arithmetic add e add register to register 000000dw modreg r/m 2 2 register to memory 0000000w modreg r/m 7 ** 7 ** 28 memory to register 0000001w modreg r/m 6 * 6 * 28 immediate to register/memory 100000sw mod000 r/m immediate data 2/7 ** 2/7 ** 28 immediate to accumulator (short form) 0000010w immediate data 2 2 adc e add with carry register to register 000100dw modreg r/m 2 2 register to memory 0001000w modreg r/m 7 ** 7 ** 28 memory to register 0001001w modreg r/m 6 * 6 * 28 immediate to register/memory 100000sw mod010 r/m immediate data 2/7 ** 2/7 ** 28 immediate to accumulator (short form) 0001010w immediate data 2 2 inc e increment register/memory 1111111w mod000 r/m 2/6 ** 2/6 ** 28 register (short form) 01000 reg 2 2 sub e subtract register from register 001010dw modreg r/m 2 2 78
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode arithmetic (continued) register from memory 0010100w modreg r/m 7 ** 7 ** 28 memory from register 0010101w modreg r/m 6 * 6 * 28 immediate from register/memory 100000sw mod101 r/m immediate data 2/7 ** 2/7 ** 28 immediate from accumulator (short form) 0010110w immediate data 2 2 sbb e subtract with borrow register from register 000110dw modreg r/m 2 2 register from memory 0001100w modreg r/m 7 ** 7 ** 28 memory from register 0001101w modreg r/m 6 * 6 * 28 immediate from register/memory 100000sw mod011 r/m immediate data 2/7 ** 2/7 ** 28 immediate from accumulator (short form) 0001110w immediate data 2 2 dec e decrement register/memory 1111111w reg001 r/m 2/6 2/6 2 8 register (short form) 01001 reg 2 2 cmp e compare register with register 001110dw modreg r/m 2 2 memory with register 0011100w modreg r/m 5 * 5 * 28 register with memory 0011101w modreg r/m 6 * 6 * 28 immediate with register/memory 100000sw mod111 r/m immediate data 2/5 * 2/5 * 28 immediate with accumulator (short form) 0011110w immediate data 2 2 neg e change sign 1111011w mod011 r/m 2/6 * 2/6 * 28 aaa e ascii adjust for add 00110111 4 4 aas e ascii adjust for subtract 00111111 4 4 daa e decimal adjust for add 00100111 4 4 das e decimal adjust for subtract 00101111 4 4 mul e multiply (unsigned) accumulator with register/memory 1111011w mod100 r/m multiplier-byte 1217/1520 * 1217/1520 * 2, 4 4, 8 -word 1225/1528 * 1225/1528 * 2, 4 4, 8 -doubleword 1241/1746 * 1241/1746 * 2, 4 4, 8 imul e integer multiply (signed) accumulator with register/memory 1111011w mod101 r/m multiplier-byte 1217/1520 * 1217/1520 * 2, 4 4, 8 -word 1225/1528 * 1225/1528 * 2, 4 4, 8 -doubleword 1241/1746 * 1241/1746 * 2, 4 4, 8 register with register/memory 00001111 10101111 modreg r/m multiplier-byte 1217/1520 * 1217/1520 * 2, 4 4, 8 -word 1225/1528 * 1225/1528 * 2, 4 4, 8 -doubleword 1241/1746 * 1241/1746 * 2, 4 4, 8 register/memory with immediate to register 011010s1 modreg r/m immediate data -word 1326 1326/1427 2, 4 4, 8 -doubleword 1342 1342/1645 2, 4 4, 8 79
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode arithmetic (continued) div e divide (unsigned) accumulator by register/memory 1111011w mod110 r/m divisorebyte 14/17 14/17 2, 5 5, 8 eword 22/25 22/25 2, 5 5, 8 edoubleword 38/43 38/43 2, 5 5, 8 idiv e integer divide (signed) accumulator by register/memory 1111011w mod111 r/m divisorebyte 19/22 19/22 2, 5 5, 8 eword 27/30 27/30 2, 5 5, 8 edoubleword 43/48 43/48 2, 5 5, 8 aad e ascii adjust for divide 11010101 00001010 19 19 aam e ascii adjust for multiply 11010100 00001010 17 17 cbw e convert byte to word 10011000 3 3 cwd e convert word to double word 10011001 2 2 logic shift rotate instructions not through carry (rol, ror, sal, sar, shl, and shr) register/memory by 1 1101000w modttt r/m 3/7 ** 3/7 ** 28 register/memory by cl 1101001w modttt r/m 3/7 * 3/7 * 28 register/memory by immediate count 1100000w modttt r/m immed 8-bit data 3/7 * 3/7 * 28 through carry (rcl and rcr) register/memory by 1 1101000w modttt r/m 9/10 * 9/10 * 28 register/memory by cl 1101001w modttt r/m 9/10 * 9/10 * 28 register/memory by immediate count 1100000w modttt r/m immed 8-bit data 9/10 * 9/10 * 28 t t t instruction 000 rol 001 ror 010 rcl 011 rcr 1 0 0 shl/sal 101 shr 111 sar shld e shift left double register/memory by immediate 00001111 10100100 modreg r/m immed 8-bit data 3/7 ** 3/7 ** register/memory by cl 00001111 10100101 modreg r/m 3/7 ** 3/7 ** shrd e shift right double register/memory by immediate 00001111 10101100 modreg r/m immed 8-bit data 3/7 ** 3/7 ** register/memory by cl 00001111 10101101 modreg r/m 3/7 ** 3/7 ** and e and register to register 001000dw modreg r/m 2 2 80
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode logic (continued) register to memory 0010000w modreg r/m 7 ** 7 ** 28 memory to register 0010001w modreg r/m 6 * 6 * 28 immediate to register/memory 1000000w mod100 r/m immediate data 2/7 * 2/7 ** 28 immediate to accumulator (short form) 0010010w immediate data 2 2 test e and function to flags, no result register/memory and register 1000010w modreg r/m 2/5 * 2/5 * 28 immediate data and register/memory 1111011w mod000 r/m immediate data 2/5 * 2/5 * 28 immediate data and accumulator (short form) 1010100w immediate data 2 2 or e or register to register 000010dw modreg r/m 2 2 register to memory 0000100w modreg r/m 7 ** 7 ** 28 memory to register 0000101w modreg r/m 6 * 6 * 28 immediate to register/memory 1000000w mod001 r/m immediate data 2/7 ** 2/7 ** 28 immediate to accumulator (short form) 0000110w immediate data 2 2 xor e exclusive or register to register 001100dw modreg r/m 2 2 register to memory 0011000w modreg r/m 7 ** 7 ** 28 memory to register 0011001w modreg r/m 6 * 6 * 28 immediate to register/memory 1000000w mod110 r/m immediate data 2/7 ** 2/7 ** 28 immediate to accumulator (short form) 0011010w immediate data 2 2 not e invert register/memory 1111011w mod010 r/m 2/6 ** 2/6 ** 28 string manipulation cmps e compare byte word 1010011w virtual count mode 8086 clk 10 * 10 * 28 ins e input byte/word from dx port 0110110w 2 29 15 9 * /29 ** 2 19, 8, 13 lods e load byte/word to al/ax/eax 1010110w 5 5 * 28 movs e move byte word 1010010w 7 7 ** 28 outs e output byte/word to dx port 0110111w 2 28 14 8 * /28 * 2 19, 8, 13 scas e scan byte word 1010111w 7 * 7 * 28 stos e store byte/word from al/ax/ex 1010101w 4 * 4 * 28 xlat e translate string 11010111 5 * 5 * 8 repeated string manipulation repeated by count in cx or ecx repe cmps e compare string (find non-match) 11110011 1010011w 5 a 9n ** 5 a 9n ** 28 81
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode repeated string manipulation (continued) repne cmps e compare string (find match) 11110010 1010011w 8086 mode clk count virtual 5 a 9n ** 5 a 9n ** 28 rep ins e input string 11110010 0110110w 2 13 a 6n * 7 a 6n * / 2 19, 8, 13 27 a 6n * rep lods e load string 11110010 1010110w 5 a 6n * 5 a 6n * 28 rep movs e move string 11110010 1010010w 7 a 4n * 7 a 4n ** 28 rep outs e output string 11110010 0110111w 2 12 a 5n * 6 a 5n * / 2 19, 8, 3 26 a 5n * repe scas e scan string (find non-al/ax/eax) 11110011 1010111w 5 a 8n * 5 a 8n * 28 repne scas e scan string (find al/ax/eax) 11110010 1010111w 5 a 8n * 5 a 8n * 28 rep stos e store string 11110010 1010101w 5 a 5n * 5 a 5n * 28 bit manipulation bsf e scan bit forward 00001111 10111100 modreg r/m 10 a 3n * 10 a 3n ** 28 bsr e scan bit reverse 00001111 10111101 modreg r/m 10 a 3n * 10 a 3n ** 28 bt e test bit register/memory, immediate 00001111 10111010 mod100 r/m immed 8-bit data 3/6 * 3/6 * 28 register/memory, register 00001111 10100011 modreg r/m 3/12 * 3/12 * 28 btc e test bit and complement register/memory, immediate 00001111 10111010 mod111 r/m immed 8-bit data 6/8 * 6/8 * 28 register/memory, register 00001111 10111011 modreg r/m 6/13 * 6/13 * 28 btr e test bit and reset register/memory, immediate 00001111 10111010 mod110 r/m immed 8-bit data 6/8 * 6/8 * 28 register/memory, register 00001111 10110011 modreg r/m 6/13 * 6/13 * 28 bts e test bit and set register/memory, immediate 00001111 10111010 mod101 r/m immed 8-bit data 6/8 * 6/8 * 28 register/memory, register 00001111 10101011 modreg r/m 6/13 * 6/13 * 28 control transfer call e call direct within segment 11101000 full displacement 7 a m * 9 a m * 218 register/memory indirect within segment 11111111 mod010 r/m 7 a m * /10 a m * 9 a m/ 2 8, 18 12 a m * direct intersegment 10011010 unsigned full offset, selector 17 a m * 42 a m * 2 10, 11, 18 note: 2 clock count shown applies if i/o permission allows i/o to the port in virtual 8086 mode. if i/o bit map denies permission exception 13 fault occurs; refer to clock counts for int 3 instruction. 82
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode control transfer (continued) protected mode only (direct intersegment) via call gate to same privilege level 64 a m 8, 10, 11, 18 via call gate to different privilege level, (no parameters) 98 a m 8, 10, 11, 18 via call gate to different privilege level, (x parameters) 106 a 8x a m 8, 10, 11, 18 from 286 task to 286 tss 285 8, 10, 11, 18 from 286 task to i386 sx cpu tss 310 8, 10, 11, 18 from 286 task to virtual 8086 task (i386 sx cpu tss) 229 8, 10, 11, 18 from i386 sx cpu task to 286 tss 285 8, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss 392 8, 10, 11, 18 from i386 sx cpu task to virtual 8086 task (i386 sx cpu tss) 309 8, 10, 11, 18 indirect intersegment 11111111 mod011 r/m 30 a m46 a m 2 8, 10, 11, 18 protected mode only (indirect intersegment) via call gate to same privilege level 68 a m 8, 10, 11, 18 via call gate to different privilege level, (no parameters) 102 a m 8, 10, 11, 18 via call gate to different privilege level, (x parameters) 110 a 8x a m 8, 10, 11, 18 from 286 task to 286 tss 8, 10, 11, 18 from 286 task to i386 sx cpu tss 8, 10, 11, 18 from 286 task to virtual 8086 task (i386 sx cpu tss) 8, 10, 11, 18 from i386 sx cpu task to 286 tss 8, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss 399 8, 10, 11, 18 from i386 sx cpu task to virtual 8086 task (i386 sx cpu tss) 8, 10, 11, 18 jmp e unconditional jump short 11101011 8-bit displacement 7 a m7 a m18 direct within segment 11101001 full displacement 7 a m7 a m18 register/memory indirect within 11111111 mod100 r/m 9 a m/14 a m9 a m/14 a m 2 8, 18 segment direct intersegment 11101010 unsigned full offset, selector 16 a m31 a m 10, 11, 18 protected mode only (direct intersegment) via call gate to same privilege level 53 a m 8, 10, 11, 18 from 286 task to 286 tss 8, 10, 11, 18 from 286 task to i386 sx cpu tss 8, 10, 11, 18 from 286 task to virtual 8086 task (i386 sx cpu tss) 8, 10, 11, 18 from i386 sx cpu task to 286 tss 8, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss 8, 10, 11, 18 from i386 sx cpu task to virtual 8086 task (i386 sx cpu tss) 395 8, 10, 11, 18 indirect intersegment 11111111 mod101 r/m 17 a m31 a m 2 8, 10, 11, 18 protected mode only (indirect intersegment) via call gate to same privilege level 49 a m 8, 10, 11, 18 from 286 task to 286 tss 8, 10, 11, 18 from 286 task to i386 sx cpu tss 8, 10, 11, 18 from 286 task to virtual 8086 task (i386 sx cpu tss) 8, 10, 11, 18 from i386 sx cpu task to 286 tss 8, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss 328 8, 10, 11, 18 from i386 sx cpu task to virtual 8086 task (i386 sx cpu tss) 8, 10, 11, 18 83
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode control transfer (continued) ret e return from call: within segment 11000011 12 a m 2 7, 8, 18 within segment adding immediate to sp 11000010 16-bit displ 12 a m 2 7, 8, 18 intersegment 11001011 36 a m 2 7, 8, 10, 11, 18 intersegment adding immediate to sp 11001010 16-bit displ 36 a m 2 7, 8, 10, 11, 18 protected mode only (ret): to different privilege level intersegment 72 8, 10, 11, 18 intersegment adding immediate to sp 72 8, 10, 11, 18 conditional jumps note: times are jump ``taken or not taken'' jo e jump on overflow 8-bit displacement 01110000 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000000 full displacement 7 a mor3 7 a mor3 18 jno e jump on not overflow 8-bit displacement 01110001 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000001 full displacement 7 a mor3 7 a mor3 18 jb/jnae e jump on below/not above or equal 8-bit displacement 01110010 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000010 full displacement 7 a mor3 7 a mor3 18 jnb/jae e jump on not below/above or equal 8-bit displacement 01110011 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000011 full displacement 7 a mor3 7 a mor3 18 je/jz e jump on equal/zero 8-bit displacement 01110100 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000100 full displacement 7 a mor3 7 a mor3 18 jne/jnz e jump on not equal/not zero 8-bit displacement 01110101 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000101 full displacement 7 a mor3 7 a mor3 18 jbe/jna e jump on below or equal/not above 8-bit displacement 01110110 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000110 full displacement 7 a mor3 7 a mor3 18 jnbe/ja e jump on not below or equal/above 8-bit displacement 01110111 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10000111 full displacement 7 a mor3 7 a mor3 18 js e jump on sign 8-bit displacement 01111000 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001000 full displacement 7 a mor3 7 a mor3 18 84
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode conditional jumps (continued) jns e jump on not sign 8-bit displacement 01111001 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001001 full displacement 7 a mor3 7 a mor3 18 jp/jpe e jump on parity/parity even 8-bit displacement 01111010 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001010 full displacement 7 a mor3 7 a mor3 18 jnp/jpo e jump on not parity/parity odd 8-bit displacement 01111011 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001011 full displacement 7 a mor3 7 a mor3 18 jl/jnge e jump on less/not greater or equal 8-bit displacement 01111100 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001100 full displacement 7 a mor3 7 a mor3 18 jnl/jge e jump on not less/greater or equal 8-bit displacement 01111101 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001101 full displacement 7 a mor3 7 a mor3 18 jle/jng e jump on less or equal/not greater 8-bit displacement 01111110 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001110 full displacement 7 a mor3 7 a mor3 18 jnle/jg e jump on not less or equal/greater 8-bit displacement 01111111 8-bit displ 7 a mor3 7 a mor3 18 full displacement 00001111 10001111 full displacement 7 a mor3 7 a mor3 18 jcxz e jump on cx zero 11100011 8-bit displ 9 a mor5 9 a mor5 18 jecxz e jump on ecx zero 11100011 8-bit displ 9 a mor5 9 a mor5 18 (address size prefix differentiates jcxz from jecxz) loop e loop cx times 11100010 8-bit displ 11 a m11 a m18 loopz/loope e loop with zero/equal 11100001 8-bit displ 11 a m11 a m18 loopnz/loopne e loop while not zero 11100000 8-bit displ 11 a m11 a m18 conditional byte set note: times are register/memory seto e set byte on overflow to register/memory 00001111 10010000 mod000 r/m 4/5 * 4/5 * 8 setno e set byte on not overflow to register/memory 00001111 10010001 mod000 r/m 4/5 * 4/5 * 8 setb/setnae e set byte on below/not above or equal to register/memory 00001111 10010010 mod000 r/m 4/5 * 4/5 * 8 85
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode conditional byte set (continued) setnb e set byte on not below/above or equal to register/memory 00001111 10010011 mod000 r/m 4/5 * 4/5 * 8 sete/setz e set byte on equal/zero to register/memory 00001111 10010100 mod000 r/m 4/5 * 4/5 * 8 setne/setnz e set byte on not equal/not zero to register/memory 00001111 10010101 mod000 r/m 4/5 * 4/5 * 8 setbe/setna e set byte on below or equal/not above to register/memory 00001111 10010110 mod000 r/m 4/5 * 4/5 * 8 setnbe/seta e set byte on not below or equal/above to register/memory 00001111 10010111 mod000 r/m 4/5 * 4/5 * 8 sets e set byte on sign to register/memory 00001111 10011000 mod000 r/m 4/5 * 4/5 * 8 setns e set byte on not sign to register/memory 00001111 10011001 mod000 r/m 4/5 * 4/5 * 8 setp/setpe e set byte on parity/parity even to register/memory 00001111 10011010 mod000 r/m 4/5 * 4/5 * 8 setnp/setpo e set byte on not parity/parity odd to register/memory 00001111 10011011 mod000 r/m 4/5 * 4/5 * 8 setl/setnge e set byte on less/not greater or equal to register/memory 00001111 10011100 mod000 r/m 4/5 * 4/5 * 8 setnl/setge e set byte on not less/greater or equal to register/memory 00001111 01111101 mod000 r/m 4/5 * 4/5 * 8 setle/setng e set byte on less or equal/not greater to register/memory 00001111 10011110 mod000 r/m 4/5 * 4/5 * 8 setnle/setg e set byte on not less or equal/greater to register/memory 00001111 10011111 mod000 r/m 4/5 * 4/5 * 8 enter e enter procedure 11001000 16-bit displacement, 8-bit level l e 0 10 10 2 8 l e 1 14 14 2 8 l l 1 17 a 17 a 28 8(n b 1) 8(n b 1) leave e leave procedure 11001001 4 4 2 8 86
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode interrupt instructions int e interrupt: type specified 11001101 type 37 2 type 3 11001100 33 2 into e interrupt 4 if overflow flag set 11001110 if of e 1 35 2, 5 if of e 0 3 3 2, 5 bound e interrupt 5 if detect value 01100010 modreg r/m out of range if out of range 44 2, 5 5, 7, 8, 10, 11, 18 if in range 10 10 2, 5 5, 7, 8, 10, 11, 18 protected mode only (int) int: type specified via interrupt or trap gate via interrupt or trap gate to same privilege level 71 7, 10, 11, 18 to different privilege level 111 7, 10, 11, 18 from 286 task to 286 tss via task gate 438 7, 10, 11, 18 from 286 task to i386 sx cpu tss via task gate 465 7, 10, 11, 18 from 286 task to virt 8086 md via task gate 382 7, 10, 11, 18 from i386 sx cpu task to 286 tss via task gate 440 7, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss via task gate 467 7, 10, 11, 18 from i386 sx cpu task to virt 8086 md via task gate 384 7, 10, 11, 18 from virt 8086 md to 286 tss via task gate 445 7, 10, 11, 18 from virt 8086 md to i386 sx cpu tss via task gate 472 7, 10, 11, 18 from virt 8086 md to priv level 0 via trap gate or interrupt gate 275 int: type 3 via interrupt or trap gate to same privilege level 71 7, 10, 11, 18 via interrupt or trap gate to different privilege level 111 7, 10, 11, 18 from 286 task to 286 tss via task gate 382 7, 10, 11, 18 from 286 task to i386 sx cpu tss via task gate 409 7, 10, 11, 18 from 286 task to virt 8086 md via task gate 326 7, 10, 11, 18 from i386 sx cpu task to 286 tss via task gate 384 7, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss via task gate 411 7, 10, 11, 18 from i386 sx cpu task to virt 8086 md via task gate 328 7, 10, 11, 18 from virt 8086 md to 286 tss via task gate 389 7, 10, 11, 18 from virt 8086 md to i386 sx cpu tss via task gate 416 7, 10, 11, 18 from virt 8086 md to priv level 0 via trap gate or interrupt gate 223 into: via interrupt or trap grate to same privilege level 71 7, 10, 11, 18 via interrupt or trap gate to different privilege level 111 7, 10, 11, 18 from 286 task to 286 tss via task gate 384 7, 10, 11, 18 from 286 task to i386 sx cpu tss via task gate 411 7, 10, 11, 18 from 286 task to virt 8086 md via task gate 328 7, 10, 11, 18 from i386 sx cpu task to 286 tss via task gate i386 dx 7, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss via task gate 413 7, 10, 11, 18 from i386 sx cpu task to virt 8086 md via task gate 329 7, 10, 11, 18 from virt 8086 md to 286 tss via task gate 391 7, 10, 11, 18 from virt 8086 md to i386 sx cpu tss via task gate 418 7, 10, 11, 18 from virt 8086 md to priv level 0 via trap gate or interrupt gate 223 87
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode interrupt instructions (continued) bound: via interrupt or trap gate to same privilege level 71 7, 10, 11, 18 via interrupt or trap gate to different privilege level 111 7, 10, 11, 18 from 286 task to 286 tss via task gate 358 7, 10, 11, 18 from 286 task to i386 sx cpu tss via task gate 388 7, 10, 11, 18 from 268 task to virt 8086 mode via task gate 335 7, 10, 11, 18 from i386 sx cpu task to 286 tss via task gate 368 7, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss via task gate 398 7, 10, 11, 18 from i386 sx cpu task to virt 8086 mode via task gate 347 7, 10, 11, 18, from virt 8086 mode to 286 tss via task gate 368 7, 10, 11, 18 from virt 8086 mode to i386 sx cpu tss via task gate 398 7, 10, 11, 18 from virt 8086 md to priv level 0 via trap gate or interrupt gate 223 interrupt return iret e interrupt return 11001111 24 7,8,10,11,18 protected mode only (iret) to the same privilege level (within task) 42 7, 8, 10, 11, 18 to different privilege level (within task) 86 7, 8, 10, 11, 18 from 286 task to 286 tss 285 8, 10, 11, 18 from 286 task to i386 sx cpu tss 318 8, 10, 11, 18 from 286 task to virtual 8086 task 267 8, 10, 11, 18 from 286 task to virtual 8086 mode (within task) 113 from i386 sx cpu task to 286 tss 324 8, 10, 11, 18 from i386 sx cpu task to i386 sx cpu tss 328 8, 10, 11, 18 from i386 sx cpu task to virtual 8086 task 377 8, 10, 11, 18 from i386 sx cpu task to virtual 8086 mode (within task) 113 processor control hlt e halt 11110100 5 5 12 mov e move to and from control/debug/test registers cr0/cr2/cr3 from register 00001111 00100010 11eeereg 10/4/5 10/4/5 12 register from cr03 00001111 00100000 11eeereg 6 6 12 dr03 from register 00001111 00100011 11eeereg 22 22 12 dr67 from register 00001111 00100011 11eeereg 16 16 12 register from dr67 00001111 00100001 11eeereg 14 14 12 register from dr03 00001111 00100001 11eeereg 22 22 12 tr67 from register 00001111 00100110 11eeereg 12 12 12 register from tr67 00001111 00100100 11eeereg 12 12 12 nop e no operation 10010000 3 3 wait e wait until busy y pin is negated 10011011 6 6 88
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode processor extension instructions processor extension escape 11011ttt modlll r/m see 8 ttt and lll bits are opcode i387 sx processor information for coprocessor. data sheet for clock counts prefix bytes address size prefix 01100111 0 0 lock e bus lock prefix 11110000 0 0 13 operand size prefix 01100110 0 0 segment override prefix cs: 00101110 0 0 ds: 00111110 0 0 es: 00100110 0 0 fs: 01100100 0 0 gs: 01100101 0 0 ss: 00110110 0 0 protection control arpl e adjust requested privilege level from register/memory 01100011 modreg r/m n/a 20/21 ** 18 lar e load access rights from register/memory 00001111 00000010 modreg r/m n/a 15/16 * 1 7, 8, 10, 16 lgdt e load global descriptor table register 00001111 00000001 mod010 r/m 11 * 11 * 2, 3 8, 12 lidt e load interrupt descriptor table register 00001111 00000001 mod011 r/m 11 * 11 * 2, 3 8, 12 lldt e load local descriptor table register to register/memory 00001111 00000000 mod010 r/m n/a 20/24 * 1 7, 8, 10, 12 lmsw e load machine status word from register/memory 00001111 00000001 mod110 r/m 10/13 10/13 * 2, 3 8, 12 lsl e load segment limit from register/memory 00001111 00000011 modreg r/m byte-granular limit n/a 20/21 * 1 7, 8, 10, 16 page-granular limit n/a 25/26 * 1 7, 8, 10, 16 ltr e load task register from register/memory 00001111 00000000 mod001 r/m n/a 23/27 * 1 7, 8, 10, 12 sgdt e store global descriptor table register 00001111 00000001 mod000 r/m 9 * 9 * 2, 3 8 sidt e store interrupt descriptor table register 00001111 00000001 mod001 r/m 9 * 9 * 2, 3 8 sldt e store local descriptor table register to register/memory 00001111 00000000 mod000 r/m n/a 2/2 * 18 89
military i386 tm sx microprocessor table 9-1. instruction set clock count summary (continued) clock count notes real real instruction format address protected address protected mode or virtual mode or virtual virtual address virtual address 8086 mode 8086 mode mode mode protection control (continued) smsw e store machine status word 00001111 00000001 mod100 r/m 2/2 * 2/2 * 2, 3 8, 12 str e store task register to register/memory 00001111 00000000 mod001 r/m n/a 2/2 * 18 verr e verify read access register/memory 00001111 00000000 mod100 r/m n/a 10/11 * 1 7, 8, 10, 16 verw e verify write access 00001111 00000000 mod101 r/m n/a 15/16 * 1 7, 8, 10, 16 instruction notes for table 9-1 notes 1 through 3 apply to real address mode only: 1. this is a protected mode instruction. attempted execution in real mode will result in exception 6 (invalid opcode). 2. exception 13 fault (general protection) will occur in real mode if an operand reference is made that partially or fully extends beyond the maximum cs, ds, es, fs or gs limit, ffffh. exception 12 fault (stack segment limit violation or not present) will occur in real mode if an operand reference is made that partially or fully extends beyond the maximum ss limit. 3. this instruction may be executed in real mode. in real mode, its purpose is primarily to initialize the cpu for protected mode. notes 4 through 7 apply to real address mode and protected virtual address mode: 4. the i386 sx cpu uses an early-out multiply algorithm. the actual number of clocks depends on the position of the most significant bit in the operand (multiplier). clock counts given are minimum to maximum. to calculate actual clocks use the following formula: actual clock e if m kl 0 then max ( [ log 2 l m l ] ,3) a b clocks: if m e 0 then 3 a b clocks in this formula, m is the multiplier, and b e 9 for register to register, b e 12 for memory to register, b e 10 for register with immediate to register, b e 11 for memory with immediate to register. 5. an exception may occur, depending on the value of the operand. 6. lock is automatically asserted, regardless of the presence or absence of the lock prefix. 7. lock is asserted during descriptor table accesses. notes 8 through 18 apply to protected virtual address mode only: 8. exception 13 fault (general protection violation) will occur if the memory operand in cs, ds, es, fs or gs cannot be used due to either a segment limit violation or access rights violation. if a stack limit is violated, an exception 12 (stack segment limit violation or not present) occurs. 9. for segment load operations, the cpl, rpl, and dpl must agree with the privilege rules to avoid an exception 13 fault (general protection violation). the segment's descriptor must indicate ``present'' or exception 11 (cs, ds, es, fs, gs not present). if the ss register is loaded and a stack segment not present is detected, an exception 12 (stack segment limit violation or not present) occurs. 10. all segment descriptor accesses in the gdt or ldt made by this instruction will automatically assert lock to maintain descriptor integrity in multiprocessor systems. 11. jmp, call, int, ret and iret instructions referring to another code segment will cause an exception 13 (general protection violation) if an applicable privilege rule is violated. 12. an exception 13 fault occurs if cpl is greater than 0 (0 is the most privileged level). 13. an exception 13 fault occurs if cpl is greater than iopl. 14. the if bit of the flag register is not updated if cpl is greater than iopl. the iopl and vm fields of the flag register are updated only if cpl e 0. 15. the pe bit of the msw (cr0) cannot be reset by this instruction. use mov into cr0 if desiring to reset the pe bit. 16. any violation of privilege rules as applied to the selector operand does not cause a protection exception; rather, the zero flag is cleared. 17. if the coprocessor's memory operand violates a segment limit or segment access rights, an exception 13 fault (general protection exception) will occur before the esc instruction is executed. an exception 12 fault (stack segment limit violation or not present) will occur if the stack limit is violated by the operand's starting address. 18. the destination of a jmp, call, int, ret or iret must be in the defined limit of a code segment or an exception 13 fault (general protection violation) will occur. 19. the instruction will execute in s clocks if cpl s iopl. if cpl l iopl, the instruction will take t clocks. 90
military i386 tm sx microprocessor 9.2 instruction encoding 9.2.1 overview all instruction encodings are subsets of the general instruction format shown in figure 8-1. instructions consist of one or two primary opcode bytes, possibly an address specifier consisting of the ``mod r/m'' byte and ``scaled index'' byte, a displacement if re- quired, and an immediate data field if required. within the primary opcode or opcodes, smaller en- coding fields may be defined. these fields vary ac- cording to the class of operation. the fields define such information as direction of the operation, size of the displacements, register encoding, or sign ex- tension. almost all instructions referring to an operand in memory have an addressing mode byte following the primary opcode byte(s). this byte, the mod r/m byte, specifies the address mode to be used. certain encodings of the mod r/m byte indicate a second addressing byte, the scale-index-base byte, follows the mod r/m byte to fully specify the addressing mode. addressing modes can include a displacement im- mediately following the mod r/m byte, or scaled in- dex byte. if a displacement is present, the possible sizes are 8, 16 or 32 bits. if the instruction specifies an immediate operand, the immediate operand follows any displacement bytes. the immediate operand, if specified, is always the last field of the instruction. figure 9-1 illustrates several of the fields that can appear in an instruction, such as the mod field and the r/m field, but the figure does not show all fields. several smaller fields also appear in certain instruc- tions, sometimes within the opcode bytes them- selves. table 9-2 is a complete list of all fields ap- pearing in the instruction set. further ahead, follow- ing table 9-2, are detailed tables for each field. tttttttt tttttttt modtttr/m ss index base d32 l 16 l 8 l none data32 l 16 l 8 l none 7 0 7 0 765320 765320 x ? yx ? yx ? yx ? yx ? y opcode ``mod r/m'' ``s-i-b'' address immediate (one or two bytes) byte byte displacement data x ? y (t represents an (4, 2, 1 bytes (4, 2, 1 bytes opcode bit.) register and address or none) or none) mode specifier figure 9-1. general instruction format table 9-2. fields within instructions field name description number of bits w specifies if data is byte or full size (full size is either 16 or 32 bits) 1 d specifies direction of data operation 1 s specifies if an immediate data field must be sign-extended 1 reg general register specifier 3 mod r/m address mode specifier (effective address can be a general register) 2 for mod; 3 for r/m ss scale factor for scaled index address mode 2 index general register to be used as index register 3 base general register to be used as base register 3 sreg2 segment register specifier for cs, ss, ds, es 2 sreg3 segment register specifier for cs, ss, ds, es, fs, gs 3 tttn for conditional instructions, specifies a condition asserted or a condition negated 4 note: table 9-1 shows encoding of individual instructions. 91
military i386 tm sx microprocessor 9.2.2 32-bit extensions of the instruction set with the i386 sx cpu, the 8086/80186/80286 in- struction set is extended in two orthogonal direc- tions: 32-bit forms of all 16-bit instructions are added to support the 32-bit data types, and 32-bit address- ing modes are made available for all instructions ref- erencing memory. this orthogonal instruction set ex- tension is accomplished having a default (d) bit in the code segment descriptor, and by having 2 prefix- es to the instruction set. whether the instruction defaults to operations of 16 bits or 32 bits depends on the setting of the d bit in the code segment descriptor, which gives the de- fault length (either 32 bits or 16 bits) for both oper- ands and effective addresses when executing that code segment. in the real address mode or virtual 8086 mode, no code segment descriptors are used, but a d value of 0 is assumed internally by the i386 sx cpu when operating in those modes (for 16-bit default sizes compatible with the m8086/ m80186/m80286). two prefixes, the operand size prefix and the effec- tive address size prefix, allow overriding individually the default selection of operand size and effective address size. these prefixes may precede any op- code bytes and affect only the instruction they pre- cede. if necessary, one or both of the prefixes may be placed before the opcode bytes. the presence of the operand size prefix and the effective address prefix will toggle the operand size or the effective address size, respectively, to the value ``opposite'' from the default setting. for example, if the default operand size is for 32-bit data operations, then pres- ence of the operand size prefix toggles the instruc- tion to 16-bit data operation. as another example, if the default effective address size is 16 bits, pres- ence of the effective address size prefix toggles the instruction to use 32-bit effective address computa- tions. these 32-bit extensions are available in all modes, including the real address mode or the virtual 8086 mode. in these modes the default is always 16 bits, so prefixes are needed to specify 32-bit operands or addresses. for instructions with more than one pre- fix, the order of prefixes is unimportant. unless specified otherwise, instructions with 8-bit and 16-bit operands do not affect the contents of the high-order bits of the extended registers. 9.2.3 encoding of instruction fields within the instruction are several fields indicating register selection, addressing mode and so on. the exact encodings of these fields are defined immedi- ately ahead. 9.2.3.1 encoding of operand length (w) field for any given instruction performing a data opera- tion, the instruction is executing as a 32-bit operation or a 16-bit operation. within the constraints of the operation size, the w field encodes the operand size as either one byte or the full operation size, as shown in the table below. operand size operand size w field during 16-bit during 32-bit data operations data operations 0 8 bits 8 bits 1 16 bits 32 bits 9.2.3.2 encoding of the general register (reg) field the general register is specified by the reg field, which may appear in the primary opcode bytes, or as the reg field of the ``mod r/m'' byte, or as the r/m field of the ``mod r/m'' byte. encoding of reg field when w field is not present in instruction register selected register selected reg field during 16-bit during 32-bit data operations data operations 000 ax eax 001 cx ecx 010 dx edx 011 bx ebx 100 sp esp 101 bp ebp 101 si esi 101 di edi encoding of reg field when w field is present in instruction register specified by reg field during 16-bit data operations: reg function of w field (when w e 0) (when w e 1) 000 al ax 001 cl cx 010 dl dx 011 bl bx 100 ah sp 101 ch bp 110 dh si 111 bh di 92
military i386 tm sx microprocessor register specified by reg field during 32-bit data operations reg function of w field (when w e 0) (when w e 1) 000 al eax 001 cl ecx 010 dl edx 011 bl ebx 100 ah esp 101 ch ebp 110 dh esi 111 bh edi 9.2.3.3 encoding of the segment register (sreg) field the sreg field in certain instructions is a 2-bit field allowing one of the four 80286 segment registers to be specified. the sreg field in other instructions is a 3-bit field, allowing the i386 sx cpu fs and gs seg- ment registers to be specified. 2-bit sreg2 field 2-bit segment sreg2 field register selected 00 es 01 cs 10 ss 11 ds 3-bit sreg3 field 3-bit segment sreg3 field register selected 000 es 001 cs 010 ss 011 ds 100 fs 101 gs 110 do not use 111 do not use 9.2.3.4 encoding of address mode except for special instructions, such as push or pop, where the addressing mode is pre-determined, the addressing mode for the current instruction is specified by addressing bytes following the primary opcode. the primary addressing byte is the ``mod r/m'' byte, and a second byte of addressing informa- tion, the ``s-i-b'' (scale-index-base) byte, can be specified. the s-i-b byte (scale-index-base byte) is specified when using 32-bit addressing mode and the ``mod r/m'' byte has r/m e 100 and mod e 00, 01 or 10. when the sib byte is present, the 32-bit addressing mode is a function of the mod, ss, index, and base fields. the primary addressing byte, the ``mod r/m'' byte, also contains three bits (shown as ttt in figure 8-1) sometimes used as an extension of the primary op- code. the three bits, however, may also be used as a register field (reg). when calculating an effective address, either 16-bit addressing or 32-bit addressing is used. 16-bit ad- dressing uses 16-bit address components to calcu- late the effective address while 32-bit addressing uses 32-bit address components to calculate the ef- fective address. when 16-bit addressing is used, the ``mod r/m'' byte is interpreted as a 16-bit addressing mode specifier. when 32-bit addressing is used, the ``mod r/m'' byte is interpreted as a 32-bit addressing mode specifier. tables on the following three pages define all en- codings of all 16-bit addressing modes and 32-bit addressing modes. 93
military i386 tm sx microprocessor encoding of 16-bit address mode with ``mod r/m'' byte mod r/m effective address 00 000 ds: [ bx a si ] 00 001 ds: [ bx a di ] 00 010 ss: [ bp a si ] 00 011 ss: [ bp a di ] 00 100 ds: [ si ] 00 101 ds: [ di ] 00 110 ds:d16 00 111 ds: [ bx ] 01 000 ds: [ bx a si a d8 ] 01 001 ds: [ bx a di a d8 ] 01 010 ss: [ bp a si a d8 ] 01 011 ss: [ bp a di a d8 ] 01 100 ds: [ si a d8 ] 01 101 ds: [ di a d8 ] 01 110 ss: [ bp a d8 ] 01 111 ds: [ bx a d8 ] mod r/m effective address 10 000 ds: [ bx a si a d16 ] 10 001 ds: [ bx a di a d16 ] 10 010 ss: [ bp a si a d16 ] 10 011 ss: [ bp a di a d16 ] 10 100 ds: [ si a d16 ] 10 101 ds: [ di a d16 ] 10 110 ss: [ bp a d16 ] 10 111 ds: [ bx a d16 ] 11 000 registeresee below 11 001 registeresee below 11 010 registeresee below 11 011 registeresee below 11 100 registeresee below 11 101 registeresee below 11 110 registeresee below 11 111 registeresee below register specified by r/m during 16-bit data operations mod r/m function of w field (when w e 0) (when w e 1) 11 000 al ax 11 001 cl cx 11 010 dl dx 11 011 bl bx 11 100 ah sp 11 101 ch bp 11 110 dh si 11 111 bh di register specified by r/m during 32-bit data operations mod r/m function of w field (when w e 0) (when w e 1) 11 000 al eax 11 001 cl ecx 11 010 dl edx 11 011 bl ebx 11 100 ah esp 11 101 ch ebp 11 110 dh esi 11 111 bh edi 94
military i386 tm sx microprocessor encoding of 32-bit address mode with ``mod r/m'' byte (no ``s-i-b'' byte present): mod r/m effective address 00 000 ds: [ eax ] 00 001 ds: [ ecx ] 00 010 ds: [ edx ] 00 011 ds: [ ebx ] 00 100 s-i-b is present 00 101 ds:d32 00 110 ds: [ esi ] 00 111 ds: [ edi ] 01 000 ds: [ eax a d8 ] 01 001 ds: [ ecx a d8 ] 01 010 ds: [ edx a d8 ] 01 011 ds: [ ebx a d8 ] 01 100 s-i-b is present 01 101 ss: [ ebp a d8 ] 01 110 ds: [ esi a d8 ] 01 111 ds: [ edi a d8 ] mod r/m effective address 10 000 ds: [ eax a d32 ] 10 001 ds: [ ecx a d32 ] 10 010 ds: [ edx a d32 ] 10 011 ds: [ ebx a d32 ] 10 100 s-i-b is present 10 101 ss: [ ebp a d32 ] 10 110 ds: [ esi a d32 ] 10 111 ds: [ edi a d32 ] 11 000 registeresee below 11 001 registeresee below 11 010 registeresee below 11 011 registeresee below 11 100 registeresee below 11 101 registeresee below 11 110 registeresee below 11 111 registeresee below register specified by reg or r/m during 16-bit data operations: mod r/m function of w field (when w e 0) (when w e 1) 11 000 al ax 11 001 cl cx 11 010 dl dx 11 011 bl bx 11 100 ah sp 11 101 ch bp 11 110 dh si 11 111 bh di register specified by reg or r/m during 32-bit data operations: mod r/m function of w field (when w e 0) (when w e 1) 11 000 al eax 11 001 cl ecx 11 010 dl edx 11 011 bl ebx 11 100 ah esp 11 101 ch ebp 11 110 dh esi 11 111 bh edi 95
military i386 tm sx microprocessor encoding of 32-bit address mode (``mod r/m'' byte and ``s-i-b'' byte present): mod base effective address 00 000 ds: [ eax a (scaled index) ] 00 001 ds: [ ecx a (scaled index) ] 00 010 ds: [ edx a (scaled index) ] 00 011 ds: [ ebx a (scaled index) ] 00 100 ss: [ esp a (scaled index) ] 00 101 ds: [ d32 a (scaled index) ] 00 110 ds: [ esi a (scaled index) ] 00 111 ds: [ edi a (scaled index) ] 01 000 ds: [ eax a (scaled index) a d8 ] 01 001 ds: [ ecx a (scaled index) a d8 ] 01 010 ds: [ edx a (scaled index) a d8 ] 01 011 ds: [ ebx a (scaled index) a d8 ] 01 100 ss: [ esp a (scaled index) a d8 ] 01 101 ss: [ ebp a (scaled index) a d8 ] 01 110 ds: [ esi a (scaled index) a d8 ] 01 111 ds: [ edi a (scaled index) a d8 ] 10 000 ds: [ eax a (scaled index) a d32 ] 10 001 ds: [ ecx a (scaled index) a d32 ] 10 010 ds: [ edx a (scaled index) a d32 ] 10 011 ds: [ ebx a (scaled index) a d32 ] 10 100 ss: [ esp a (scaled index) a d32 ] 10 101 ss: [ ebp a (scaled index) a d32 ] 10 110 ds: [ esi a (scaled index) a d32 ] 10 111 ds: [ edi a (scaled index) a d32 ] note: mod field in ``mod r/m'' byte; ss, index, base fields in ``s-i-b'' byte. ss scale factor 00 x1 01 x2 10 x4 11 x8 index index register 000 eax 001 ecx 010 edx 011 ebx 100 no index reg ** 101 ebp 110 esi 111 edi ** important note: when index field is 100, indicating ``no index register,'' then ss field must equal 00. if index is 100 and ss does not equal 00, the effective address is undefined. 96
military i386 tm sx microprocessor 9.2.3.5 encoding of operation direction (d) field in many two-operand instructions the d field is pres- ent to indicate which operand is considered the source and which is the destination. d direction of operation 0 register/memory k - - register ``reg'' field indicates source operand; ``mod r/m'' or ``mod ss index base'' indicates destination operand 1 register k - - register/memory ``reg'' field indicates destination operand; ``mod r/m'' or ``mod ss index base'' indicates source operand 9.2.3.6 encoding of sign-extend (s) field the s field occurs primarily to instructions with im- mediate data fields. the s field has an effect only if the size of the immediate data is 8 bits and is being placed in a 16-bit or 32-bit destination. s effect on effect on immediate data8 immediate data 16 l 32 0 none none 1 sign-extend data8 to fill none 16-bit or 32-bit destination 9.2.3.7 encoding of conditional test (tttn) field for the conditional instructions (conditional jumps and set on condition), tttn is encoded with n indicat- ing to use the condition (n e 0) or its negation (n e 1), and ttt giving the condition to test. mnemonic condition tttn o overflow 0000 no no overflow 0001 b/nae below/not above or equal 0010 nb/ae not below/above or equal 0011 e/z equal/zero 0100 ne/nz not equal/not zero 0101 be/na below or equal/not above 0110 nbe/a not below or equal/above 0111 s sign 1000 ns not sign 1001 p/pe parity/parity even 1010 np/po not parity/parity odd 1011 l/nge less than/not greater or equal 1100 nl/ge not less than/greater or equal 1101 le/ng less than or equal/greater than 1110 nle/g not less or equal/greater than 1111 9.2.3.8 encoding of control or debug or test register (eee) field for the loading and storing of the control, debug and test registers. when interpreted as control register field eee code reg name 000 cr0 010 cr2 011 cr3 do not use any other encoding when interpreted as debug register field eee code reg name 000 dr0 001 dr1 010 dr2 011 dr3 110 dr6 111 dr7 do not use any other encoding when interpreted as test register field eee code reg name 110 tr6 111 tr7 do not use any other encoding 97
military i386 tm sx microprocessor disclaimer ``intel reserves the right to enhance future products by using opcodes that are currently defined as invalid. use of invalid opcodes to extend the instruction set may not be compatible with future intel products and is therefore discouraged.'' 98

▲Up To Search▲

Price & Availability of MILITARYI386

	To Download MILITARYI386 Datasheet File
If you can't view the Datasheet, Please click here to try to view without PDF Reader .