
THE 80386 BOOK

Assembly Language Programmer's Guide for the 80386

by Ross P. Nelson
PUBLISHED BY

A Division of Microsoft Corporation
16011 NE 36th Way, Box 97017, Redmond, Washington 98073-9717
Copyright © 1988 by Ross P. Nelson
All rights reserved. No part of the contents of this book may
be reproduced or transmitted in any form or by any means without
the written permission of the publisher.
Library of Congress Cataloging in Publication Data

The 80386 book : assembly language programmer's guide for the 80386 /

1. Intel 80386 (Microprocessor)--Programming. 2. Assembler language
(Computer program language) I. Title.
QA768.I2928N45 1988 88-21106
005265-dd9 CIP
ISBN 1-55615-138-1
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 MLML 3 2 1 0 9 8
Distributed to the book trade in the United States by Harper & Row.
Distributed to the book trade in Canada by General Publishing Company, Ltd.
Distributed to the book trade outside the United States and Canada by Penguin Books Ltd.
Penguin Books Ltd., Harmondsworth, Middlesex, England
Penguin Books Australia Ltd., Ringwood, Victoria, Australia
Penguin Books N.Z. Ltd., 182-190 Wairau Road, Auckland 10, New Zealand
British Cataloging in Publication Data available
IBM® is a trademark of International Business Machines Corporation, Incorporated. Intel® is a
registered trademark of Intel Corporation. Microsoft® and MS-DOS® are registered trademarks
of Microsoft Corporation. All mnemonics copyright Intel Corporation 1986, 1987.

Acquisitions Editor: Claudette Moore    Project Editor: Deb Lewy
Technical Editor: David Rygmir    Manuscript Editor: Michele Tomiak

To Robert and Ardell Nelson
Contents

Introduction
1 Evolution of the 80386 Architecture
2 The 80386 Architecture
3 Memory Architecture: Segmentation
4 The 80386 Instruction Set
5 The 80386 Protection Mechanism
6 Memory Architecture: Paging
7 Three in One
8 The 80386/80387 Instruction Set Reference
Appendix A Powers of Two
Appendix B ASCII Character Set
Appendix C Opcode Table
Appendix D Instruction Format and Timing
Appendix E Instruction Disassembly Table
Appendix F 8086-Family Processor Differences
Index

Acknowledgments

A number of people deserve credit for helping make this book a reality. Some I have spoken with and worked with directly; others have worked behind the scenes, doing a wonderful job nonetheless. Working with the people at Microsoft Press was a positive experience, and I sincerely thank them all for their support and encouragement. In addition, my thanks to Ray Duncan for getting the ball rolling, to Intel Corporation for its cooperation, to Matt Trask for his technical review, to my coworkers at Answer Software for their support, and especially to Pam for always believing in me.
This is a book about microprocessor technology, so of course it was written with the assistance of microprocessor technology. I completed a large portion of the manuscript using a Toshiba T1000 portable computer while riding Santa Clara County Transit.

Ross Nelson
June 1988

INTRODUCTION

The Intel 80386 microprocessor is probably the most widely discussed central processing unit (CPU) chip since the introduction of the 8080 in the early days of personal computing. This book lets you know what all the shouting is about.
After presenting a history of the 8086 microprocessor family in Chapter 1, each subsequent chapter discusses a portion of the 80386 design. The organization of the CPU is presented in Chapter 2. The basic memory architecture is discussed in Chapter 3. Chapter 4 introduces the instruction set of both the 80386 processor and the 80387 numeric coprocessor. Chapter 5 is an explanation of protected-mode operation. Chapter 6 explains how paging extends the memory system. Compatibility with previous processors via real mode, virtual 8086 mode, and the 80286 is covered in Chapter 7. Finally, Chapter 8 provides a full instruction set reference.
This book focuses entirely on programming. It does not discuss the hardware features of the processor unless those features relate to specific instructions. If you are interested in the hardware characteristics of the 80386, refer to the 80386 Data Sheet and the 80386 Hardware Reference Manual, both published by Intel Corporation.
To get the most from this book, you should be familiar with computer systems. In particular, an understanding of binary and hexadecimal arithmetic and machine-language programming for some other processor(s) will be helpful.
A large portion of the book is devoted to the 80386's protected mode. Although you do not need to understand this feature to program the 80386, it is important to understand protected mode to grasp why system designers have made the choices they have in implementing the OS/2, Windows/386, PC-MOS/386, and UNIX operating environments.
The conventions throughout this book are summarized on the following pages. If you are familiar with other Intel microprocessors, you are probably already familiar with these concepts.

Number Formats
I use numbers in three different bases: binary (base 2), decimal (base 10), and hexadecimal (base 16). You can assume that all numbers are base 10 unless they are followed by the suffix "B" (for binary) or "H" (for hexadecimal). For example,
1AH = 26 = 00011010B

Data Types
The 80386 can operate on a variety of data types. The most common are 8-bit, 16-bit, and 32-bit quantities. In this book, an 8-bit quantity is called a byte, a 16-bit quantity is called a word, and a 32-bit quantity is called a doubleword, or dword. This nomenclature is unusual because the standard data item size of a computer is commonly called a word. In the Digital Equipment VAX computers, for example, a 32-bit quantity is a word, and a 16-bit quantity is a halfword. The same is true for the Motorola 68000 family and the IBM 370 mainframes.
Although the standard 80386 operand size is 32 bits, Intel retained the naming conventions of its earlier processors because the 80386 is a descendant of the 8086 and the 80286 (16-bit processors). This simplifies running software from the 8086 or the 80286 and lets you use the same assembler to generate code for any of the three

The smallest addressable data item on the 80386 is the byte. All other data items can be broken down into bytes. The 80386 stores larger data items in memory low-order byte first, as the following diagram shows:

[Diagram: bit numbering of a byte (bits 7 to 0), a 16-bit word, and a 32-bit dword, each stored low-order byte first]

Assume that the 32-bit value 100F755DH is stored in memory, beginning at location 10. The individual memory bytes are:

Location   10    11    12    13
Byte       5DH   75H   0FH   10H
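
The byte order in this table can be checked with a short C program. This is an added example, not code from the book; the helper names `store_le`, `load_le` and `demo_read` and the 32-byte toy memory are assumptions made for the illustration. It also shows that a word or dword read depends on where it starts, which matters when reading a hex dump.

```c
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE 32u   /* constructed toy memory, locations 0..31 */

/* Store the low `size` bytes (1 = byte, 2 = word, 4 = dword) of `value`
   at `addr`, low-order byte first. Returns 0 on success, -1 on an
   unsupported size or an access that would run past the buffer. */
int store_le(uint8_t *mem, uint32_t addr, uint32_t value, unsigned size)
{
    if ((size != 1 && size != 2 && size != 4) || addr > MEM_SIZE - size)
        return -1;
    for (unsigned i = 0; i < size; i++)
        mem[addr + i] = (uint8_t)(value >> (8 * i));
    return 0;
}

/* Reassemble a byte, word or dword from memory; same return convention. */
int load_le(const uint8_t *mem, uint32_t addr, unsigned size, uint32_t *out)
{
    if ((size != 1 && size != 2 && size != 4) || addr > MEM_SIZE - size)
        return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < size; i++)
        v |= (uint32_t)mem[addr + i] << (8 * i);
    *out = v;
    return 0;
}

/* Place the text's value 100F755DH at location 10 in a zeroed memory and
   read `size` bytes back from `addr`; -1 signals a rejected access. */
int64_t demo_read(uint32_t addr, unsigned size)
{
    uint8_t mem[MEM_SIZE] = {0};
    uint32_t v;
    if (store_le(mem, 10, 0x100F755Du, 4) != 0 ||
        load_le(mem, addr, size, &v) != 0)
        return -1;
    return (int64_t)v;
}

int main(void)
{
    for (uint32_t a = 10; a <= 13; a++)
        printf("byte  at %u: %02llXH\n", (unsigned)a,
               (unsigned long long)demo_read(a, 1));
    printf("word  at 10: %04llXH\n", (unsigned long long)demo_read(10, 2));
    printf("word  at 12: %04llXH\n", (unsigned long long)demo_read(12, 2));
    printf("word  at 11: %04llXH\n", (unsigned long long)demo_read(11, 2));
    printf("dword at 10: %08llXH\n", (unsigned long long)demo_read(10, 4));
    return 0;
}
```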

It is unnecessarily complex, however, to show words and doublewords broken down in byte order, and illustrations in this book treat the quantity as a unit. For example, the book would present the previous value as:

The 80386 can perform operations on items smaller than a single byte, for example, on a single bit or on a bit field. However, the processor always fetches at least one byte from memory when performing these operations.

Assembler Notation
An 80386 instruction is a binary pattern that is decoded by the logic inside the CPU. An instruction can be from 8 to 120 bits in length. Because coding a program using binary patterns would be tedious, programmers use a type of program called an assembler. The simplest type of assembler takes a set of keywords and symbols and translates them into an instruction. The set of keywords and symbols is called the assembler language. Typically, there is a one-to-one mapping between an instruction in assembly language and an actual machine instruction. The assembler would take an instruction such as:
ADD EBX, 5
meaning, "Add 5 to the value in register EBX and store the result in EBX," and would translate it into the bit pattern
000101101010101010101010r0100i111r1110111118
The names of the instructions are called mnemonics, and they usually occupy the first field in an instruction line. The subsequent fields are the operands of the instruction and can take a number of forms. The simplest is a numeric value, such as the 5 in the previous example. A register name is another form of operand. An expression within brackets, such as [EBP+2], signifies an operand that is a memory

Throughout the book, I use standard Intel mnemonics. Note, however, that a mnemonic does not necessarily specify the exact encoding of an instruction. For example, the "increment" instruction has a general form in which any operand may be encoded, and the instruction INC EAX would be encoded as FFH C0H. There is also a single-byte instruction for incrementing a general register. In this form, 40H encodes the INC EAX instruction. An assembler will generally choose the most compact form of instruction for any given mnemonic, but the effect of executing either form is the same.
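
The two encodings of INC can be recognized by one small decoder, which is why a tool that searches code for the byte 40H alone will miss the FFH C0H form of the same instruction. The following C sketch is an added example, not code from the book; the function names are hypothetical, and it assumes a 32-bit code segment with no prefix bytes and handles only the register forms of INC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register numbers used in 80386 encodings (0 = EAX ... 7 = EDI). */
static const char *const REG32[8] = {
    "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"
};

/* The two encodings of INC EAX quoted in the text. */
static const uint8_t INC_EAX_GENERAL[] = { 0xFF, 0xC0 };
static const uint8_t INC_EAX_COMPACT[] = { 0x40 };

/* Decode a register-form INC at code[0]. Returns the instruction length
   (1 or 2) and stores the register number in *reg, or returns 0 when the
   bytes are not a register-form INC. */
size_t decode_inc_r32(const uint8_t *code, size_t len, unsigned *reg)
{
    if (len >= 1 && (code[0] & 0xF8) == 0x40) {   /* 40H+r: single-byte form */
        *reg = code[0] & 7u;
        return 1;
    }
    if (len >= 2 && code[0] == 0xFF) {            /* FFH /0: general form */
        unsigned mod = code[1] >> 6;              /* 3 = register operand */
        unsigned op  = (code[1] >> 3) & 7u;       /* 0 = INC, 1 = DEC, ... */
        if (mod == 3 && op == 0) {
            *reg = code[1] & 7u;
            return 2;
        }
    }
    return 0;
}

/* Encode INC r32 in the compact or the general form; returns the length
   written to out, or 0 for an invalid register number. */
size_t encode_inc_r32(unsigned reg, int compact, uint8_t out[2])
{
    if (reg > 7)
        return 0;
    if (compact) {
        out[0] = (uint8_t)(0x40 | reg);
        return 1;
    }
    out[0] = 0xFF;
    out[1] = (uint8_t)(0xC0 | reg);
    return 2;
}

/* Register incremented by the instruction, or -1 if it is not an INC r32. */
int inc_reg(const uint8_t *code, size_t len)
{
    unsigned reg;
    return decode_inc_r32(code, len, &reg) ? (int)reg : -1;
}

/* 1 when both byte sequences are INC of the same register. */
int same_inc(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    int ra = inc_reg(a, alen);
    return ra >= 0 && ra == inc_reg(b, blen);
}

/* 1 when both encodings of INC <reg> decode back to <reg>. */
int roundtrip(unsigned reg)
{
    uint8_t buf[2];
    size_t n = encode_inc_r32(reg, 0, buf);
    if (n != 2 || inc_reg(buf, n) != (int)reg)
        return 0;
    n = encode_inc_r32(reg, 1, buf);
    return n == 1 && inc_reg(buf, n) == (int)reg;
}

int main(void)
{
    printf("FFH C0H -> INC %s\n",
           REG32[inc_reg(INC_EAX_GENERAL, sizeof INC_EAX_GENERAL)]);
    printf("40H     -> INC %s\n",
           REG32[inc_reg(INC_EAX_COMPACT, sizeof INC_EAX_COMPACT)]);
    printf("same instruction: %d\n",
           same_inc(INC_EAX_GENERAL, sizeof INC_EAX_GENERAL,
                    INC_EAX_COMPACT, sizeof INC_EAX_COMPACT));
    return 0;
}
```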
I also use a common convention in discussions about setting bits. I use the term "set" when assigning the value of 1 to a bit, and the term "reset" when assigning the value of 0 to a bit.


Syntax
This book uses the following syntax:

t-
Or

Shift right
Shift left

Greater than or equal to

32-bit Instruction Set

The 80386 supports several modes that are compatible with previous Intel processors (the 16-bit 8086 and 80286). However, this book focuses on the 80386's new features and does not discuss the 16-bit architectures of the 8086 and the 80286, even though they are a subset of the 80386's capabilities. Programmers using the 80386 as a replacement for previous processors should be able to do so with reference materials for the 8086 and the 80286.

Operating System Services

The 80386 implements a complex computer architecture, and it is not reasonable to expect a stand-alone program to take advantage of all the CPU's capabilities. At various times I make statements such as "The operating system will . . ." or "At this point, the operating system . . . ." In these cases I am not referring to any particular operating system. Instead, I am highlighting a feature of the 80386 that will be implemented by the operating system software and not by an application.

1
EVOLUTION OF
THE 80386
ARCHITECTURE

Even though I have spent the last eight years working with microcomputers, the phrase "computer system" still brings to mind images of the installation in the basement of the campus library at Montana State University. There, in air-conditioned comfort, behind glass walls, lived Siggie, the university computer system (a Xerox Sigma 7). Housed in several refrigerator-size units, Siggie served the computing needs of the entire university.
Now, the 80386 microprocessor, born of a technology that was first realized while Siggie was still considered state-of-the-art, can serve as the heart of a desktop microcomputer, which has greater computing power than Siggie.

The First Components

The 80386 is the latest member of a line of microprocessors built by Intel Corporation. Intel claims to have invented the microprocessor in 1971, when it was approached by a (now defunct) Japanese corporation to build a custom circuit to serve as the "brains" for a new calculator. Intel designer Ted Hoff proposed that a programmable, general-purpose computing circuit be built instead, and the 4004 became reality. The 4040 and the 8008 chips soon followed, but these chips lacked many characteristics of microprocessors as we know them today.

The 8080
The chip that, by most accounts, led to the birth of the microcomputer industry was the 8080, which Intel introduced in 1974. An article in the September 1975 issue of Popular Electronics brought the idea of a "personal" computer to the mass market, and, as they say, the rest is history. The 8080 was the CPU (central processing unit) in such pioneering systems as the Altair and the IMSAI. Intel did not enjoy a monopoly on the market for long, however; Motorola introduced the 6800, MOS Technology responded with the 6502, and two designers of the 8080 left Intel for Zilog Corporation, which soon produced the Z80. Unlike the 6800 and the 6502, which had completely different architectures, the Z80 was compatible with the 8080 but had an expanded instruction set and ran twice as fast. The battle for CPU

The 8080 was an 8-bit machine; that is, it processed data 8 bits at a time. It had a single accumulator (the A register) and six secondary registers (B, C, D, E, H, and L, shown in Figure 1-1). These six registers could be used in 8-bit arithmetic operations or combined as pairs (BC, HL) to hold 16-bit memory addresses. A 16-bit address allowed the 8080 to access 2^16, or 64 KB, of memory.

PSW
BC    B   C
DE    D   E
HL    H   L
SP
PC

Figure 1-1. The 8080 register set.

Intel also developed a refinement of the 8080 called the 8085, an 8080-compatible processor that featured better performance and a simpler hardware interface.

The 8086
In 1978, under pressure from other manufacturers' faster, more powerful microprocessors, Intel moved to a 16-bit architecture. The 8086 was touted as the successor to the 8080 microprocessor, and, although the instruction set was new, it retained compatibility with the 8080's instruction set. Figure 1-2 shows how the new registers of the 8086 could be mapped into the set of 8080 registers.
Programs that were written for the 8080 could not be run on the 8086; however, almost every 8086 instruction corresponded to an 8080 instruction. At worst, an 8080 instruction could be simulated by two or three 8086 operations. An Intel translator program could convert 8080 assembler programs into 8086 assembler programs, and the first versions of Microsoft's BASIC and MicroPro's WordStar for the 8086 were ported from 8080 systems via the Intel translator. This concern for compatibility has characterized Intel's presence in the microcomputer market. Every new generation of microprocessor has been able to run software written for the previous generation.

AX
BX
CX
DX

Figure 1-2. The 8080/8086 register set map.

In addition to providing software compatibility, Intel was interested in supporting high-level languages. At Intel, almost all programming was done in an Algol-like language called PL/M. Intel believed that a language such as PL/M or Pascal would become the dominant microcomputer development language, so Intel dedicated many 8086 registers to specific purposes, as shown in Figure 1-3.

AX   AH   AL
BX   BH   BL
CX   CH   CL
DX   DH   DL

DI   Destination index register
SI   Source index register
BP   Stack frame base pointer
SP
IP

CS
DS
SS
ES

Figure 1-3. The 8086 register set.

The next two examples show dedicated registers in use. Figure 1-4 shows how high-level languages such as Pascal use the stack pointer (SP) and base pointer (BP) registers.

Pascal code:

procedure proc1(a, b: int)
int i;
real j;
begin
  :

Stack contents (variable, addressing mode):

a, b (parameters)    [BP + offset]
old IP
old BP               (BP points here)
i, j (locals)        [BP - offset]
                     (SP points here)

Figure 1-4. Subroutine context.

In a Pascal program, the context of the currently executing subroutine is maintained on the stack. The values (parameters) provided to the subroutine by the calling routine are first on the stack, then the saved IP of the calling routine, and finally the saved BP of the calling routine. The context also contains stack space for any temporary or local variables that the subroutine uses. Access to either the parameters or local variables is relative to the current value of BP.
Consider the Pascal assignment statement in Figure 1-5. Because an entire record must be copied, the compiler generates a block move instruction that uses the SI, DI, and CX registers.

Pascal code      Generated code

begin            lea si, j
i := j;          mov cx, SIZEOF(rec)
:

Figure 1-5. Block move.


The advantage of dedicating registers is that it allowed Intel to encode the instructions in a compact, memory-efficient manner. The opcode specifies exactly what is to take place; for example, in the MOVSB instruction, specifying the three operands (source, destination, and count) is unnecessary. As a result, the MOVSB opcode is only 1 byte. The disadvantage of dedicated registers is that if you are using SI or DI and want to do a MOVSB instruction, you can't use another register
The 8086 also introduced segmentation to the microprocessor world. A segment is a block of memory beginning at a fixed address that is determined by the value in the appropriate segment register. This concept, probably the most despised feature of the 8086 because of the restrictions it imposes, was incorporated for compatibility with the 8080; each segment was 64 KB, equivalent to one 8080 address space.
Using segmentation, software can maintain the 16-bit addressing used in the 8080 while expanding (through the use of multiple segments) the memory that the chip can address. The 8086 provides four segment registers that can point anywhere in the 1 MB address space. They are defined as follows:
CS-The code segment register: All calls and jumps refer to locations within the

DS-The data segment register: Most memory reference instructions refer to an offset within the data segment.
SS-The stack segment register: All PUSH and POP instructions access data in the stack segment. Additionally, any memory reference done relative to the BP register is also directed to the stack segment.
ES-The extra segment register: This segment specifies the destination segment in certain string processing instructions.
The way an application manages memory (the memory model) is usually consistent throughout a program. When Intel introduced the 8086, three memory models were postulated, which are shown in Figure 1-6.

[Diagram: layout of the code and data segments in each memory model]

Figure 1-6. Memory models.

The tiny model mimicked the 8080 address space. The code segment and data segment were in the same area of memory and the program was limited to 64 KB. The small model was expected to be prevalent because it allowed programs to double in size. By having separate code and data segments, programs could expand to 128 KB and still retain 16-bit addressing. The large memory model allowed the use of multiple code and data segments. In this model, the entire 1 MB address space of the processor could be used.
When the 8086 was introduced in 1978, most microcomputers were limited to 64 KB; almost no one realized how quickly the 64 KB segment limit would become a serious problem. Although the large model allowed programs to fill the entire 1 MB of 8086 address space, using the large model meant using 32-bit pointers. On a 16-bit machine, 32-bit pointers exacted a size and performance penalty that most programmers were unwilling to pay. By the early 1980s, even the 1 MB limit became confining. Additional memory models with names such as "compact" and "medium" were introduced to optimize performance for special programming needs.
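
The cost of the 32-bit large-model pointer and the 64 KB wrap of 16-bit addressing can be seen in a few lines of C. This is an added example, not code from the book; the `far_ptr` type and function names are hypothetical, and the address rule used (segment times 16 plus offset, truncated to 20 bits) is the 8086's real-mode behaviour, which this chapter does not spell out. It also shows that different segment:offset pairs can name the same byte, so pointer comparisons and bounds checks have to be made on the physical address.

```c
#include <stdint.h>
#include <stdio.h>

/* A 32-bit large-model pointer: 16-bit segment plus 16-bit offset. */
typedef struct { uint16_t seg, off; } far_ptr;

/* Physical address formed by the 8086: segment * 16 + offset,
   truncated to 20 bits (the 1 MB address space). */
uint32_t linear(far_ptr p)
{
    return (((uint32_t)p.seg << 4) + p.off) & 0xFFFFFu;
}

/* 16-bit pointer arithmetic: only the offset changes, so the pointer
   wraps back to the start of its segment at 64 KB. */
far_ptr near_add(far_ptr p, uint16_t n)
{
    p.off = (uint16_t)(p.off + n);
    return p;
}

/* Arithmetic on the full address: the result is renormalized so that the
   offset is 0..15 and the segment carries the rest. This is the extra
   work that crossing a 64 KB boundary requires. */
far_ptr huge_add(far_ptr p, uint32_t n)
{
    uint32_t lin = (linear(p) + n) & 0xFFFFFu;
    far_ptr q = { (uint16_t)(lin >> 4), (uint16_t)(lin & 0xFu) };
    return q;
}

/* Two far pointers name the same byte when their physical addresses
   match, even if segment and offset both differ. */
int same_byte(far_ptr a, far_ptr b)
{
    return linear(a) == linear(b);
}

/* Small wrappers that take plain integers, used by main(). */
uint32_t lin_of(uint16_t seg, uint16_t off)
{
    far_ptr p = { seg, off };
    return linear(p);
}

uint32_t lin_after_near(uint16_t seg, uint16_t off, uint16_t n)
{
    far_ptr p = { seg, off };
    return linear(near_add(p, n));
}

uint32_t lin_after_huge(uint16_t seg, uint16_t off, uint32_t n)
{
    far_ptr p = { seg, off };
    return linear(huge_add(p, n));
}

int main(void)
{
    /* Constructed sample pointers. */
    far_ptr a = { 0x1234, 0x0010 }, b = { 0x1235, 0x0000 };
    printf("1234:0010 -> %05lXH\n", (unsigned long)linear(a));
    printf("1235:0000 -> %05lXH (same byte: %d)\n",
           (unsigned long)linear(b), same_byte(a, b));
    printf("2000:FFFF + 1, 16-bit offset only: %05lXH\n",
           (unsigned long)lin_after_near(0x2000, 0xFFFF, 1));
    printf("2000:FFFF + 1, full address:       %05lXH\n",
           (unsigned long)lin_after_huge(0x2000, 0xFFFF, 1));
    return 0;
}
```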
Other processors in the 8086 family were the 8088, the 80186, and the 80188. The 8088, introduced a year after the 8086, had the same 16-bit internal architecture but a restricted 8-bit external bus. The 8088 could run the same programs as the 8086, but typically 30 percent slower. The 8088 became wildly successful when IBM chose it for the PC and the PC/XT. The 80186 and 80188 were announced much later, in 1982. These processors kept the same base architecture but included features such as direct memory access (DMA) controllers, on-chip counter/timers, and a simplified hardware interface. They also operated more quickly than did the 8086/8088 and became popular in controller applications.

The 8087
An innovative part of the 8086 family of CPUs is the coprocessor. The ESC or coprocessor escape class of instructions only generated a memory address on the 8086. Additional, special-purpose CPUs could be created to monitor the instruction stream and watch for ESC sequences, as shown in Figure 1-7. Whenever an ESC was detected, the coprocessor could decode the escape as an instruction for itself and perform a function that the 8086 was incapable of doing efficiently on its own.

ESC = FMUL ST(2)

Figure 1-7. 8086 coprocessor interface.


The first (and only) coprocessor developed for the 8086 was the 8087. The 8087 implemented a floating-point instruction set, capable of as much as 80 bits of precision. Intel worked closely with the IEEE and a professor at the University of California, Berkeley, to create a floating-point representation that was flexible and accurate. This representation and its numeric properties have since been formalized as IEEE Standard IEEE 754.
The 8087 contributed to the popularity of the 8086. A desktop computer that contained both an 8086 and an 8087 could do serious scientific work. Implementing floating-point functions in hardware improved the performance of mathematical calculations over existing software routines. However, the 8087 pointed out the problems of the 64 KB segment size. Once scientists and engineers had the computing power to handle real-world problems, they often needed to deal with large arrays of numbers. The 64 KB segment limit restricted a vector of double-precision floating-point numbers to no more than 1024 elements. Software capable of getting around the restriction was soon available, but the "large" memory model was difficult to program in and was slow.

The 80286
The next major introduction from Intel, the 80286, came in 1982. The 80286 is compatible with the 8086 family, but it also provides a significant performance improvement. It boasts two operating modes: real mode and protected mode. Real mode, which emulates the 8086, is the default mode. The new mode is called protected mode. In protected mode, the 80286 supports the 8086 instruction set but places a new interpretation on the contents of the segment registers that control how memory is accessed.
Although operating systems that are implemented under protected mode are different from those that are designed for real mode, applications can be developed that run in either mode. The design of these dual-mode applications requires that the application observe certain memory restrictions.

Unfortunately, MS-DOS, which is the dominating operating system for 8086-based machines, places no restrictions on how an application addresses memory, and protected mode proved incompatible with a majority of MS-DOS applications. As a result, for a number of years the 80286 was generally treated as a fast 8086 because no one knew how to use protected mode.

This was unfortunate because the 80286 offered a beneficial new feature: protected mode. Protected mode expands the amount of physically addressable memory from 1 MB to 16 MB, allows the implementation of virtual memory, and provides for the separation of tasks in a multitasking or multiuser environment. Versions of UNIX run in protected mode, but UNIX has not been successful on the 80286 because competitive products usually run on more powerful 32-bit computers. More recently, Microsoft introduced OS/2, which uses almost all protected-

The 80286 is the first Intel microprocessor designed for "serious" computing. Considerations were made for multitasking, data integrity, and security. The designers examined the architecture of minicomputers and mainframes as they developed the 80286. In addition, two of the main influences on the 80286 designers were the Multics project and a continued belief in Pascal.
Reading the conference papers about the Multics project will enlighten anyone who thinks that protected mode is the product of some Intel designer's fevered imagination. Multics began in the mid-1960s as a joint research project among MIT, Bell Labs, and General Electric. The project combined hardware and software and was based on the GE 645. The following is a partial list of architectural features that the Multics group pioneered:
• Virtual memory*
• Protection rings
• Segmented addressing*
• Descriptor access rights
• Conforming code segments

Some features of Multics also made their way into existing 80286-based software systems. Microsoft's OS/2, for example, uses dynamic linking, another Multics

The influence of Pascal on the design of the 80286 is shown by the addition of the ENTER instruction to the 80286 instruction set. The ENTER instruction simplifies creating a stack frame such as the one shown in the subroutine context illustration in Figure 1-4. ENTER can also copy the context or stack frame of the previous subroutine. This ability is not necessary in languages such as FORTRAN or C, but it is useful in languages such as Pascal and Ada that allow nested procedure
The 80287
Intel also introduced a new coprocessor for the 80286, but the 80287 was a bit of a disappointment. Although the 80286 executes programs two to three times faster than the 8086, the performance of the 80287 is about the same as the 8087. Intel did not really modify the computational engine of the 8087 in creating the 80287, so the new coprocessor does not run any faster. Intel did change the interface between the CPU and the coprocessor, however, eliminating the need for the coprocessor to monitor the instruction stream of the main CPU.
In this new interface method, illustrated in Figure 1-8, the main CPU decodes the ESC instructions and then passes the information to the coprocessor via the I/O channel. Because addressing is treated differently in real mode than it is in protected mode, the coprocessor would have had to operate in different modes as well, using the old interface method. Instead, the new interface requires the 80286 to validate all addresses before signaling the 80287. This interface allows the coprocessor to run at a clock rate different from that of the main CPU, and it also allows the 80287 to be used with CPUs other than the 80286.

*The Multics group did not invent these features, but they were an integral part of the system.

Figure 1-8. 80286 coprocessor interface.
Competitive Pressures
Between the introduction of the 8086 and the 80286, Motorola developed what became the strongest competition to Intel's dominance of the microprocessor market, the 68000 family. Several features of the Motorola microprocessors were attractive to the development community. The 68000 family incorporates a 32-bit internal register file for data and addressing. This allows a large application address space without the limitation of 64 KB segments. This 32-bit capability also makes it easy to port operating systems (such as UNIX) and minicomputer applications to the 68000 family processors.
Motorola also boasted about the "orthogonality" of the 68000 instruction set. Unlike the 8086 and the 80286, with their special-purpose registers, the 68000 allowed programmers to specify any register for a given instruction. Although all 68000 microprocessors had 32-bit register files, the first two CPUs (68000 and 68010) were limited to 24-bit addresses and a 16-bit memory interface. In 1985, however, Motorola began sampling the 68020, which had a full 32-bit address bus and a 32-bit data bus. Although Intel had most of the business microcomputer market, makers of scientific and engineering workstations almost unanimously chose Motorola CPUs for their products.

Intel's 32-Bit Microprocessor

Intel's design engineers faced two problems: compatibility and performance. They needed to maintain compatibility with the previous generation of processors to retain their share of the PC business market; Intel's marketing force frequently referred to the "billions and billions" of bytes of code (applications) that the 80386 had to be able to run. At the same time, they needed a product that would address the shortcomings of the 8086 family architecture, which gave Motorola an edge in scientific and engineering markets. The resulting product, the 80386, addresses these issues by operating in a number of modes. At boot time, it operates in real mode like the 80286 and is nothing more than a very fast 8086. It uses 16-bit registers and the 8086 segmentation scheme, and it is subject to the 1 MB memory limitation.
But the 80386 can also be switched to protected mode. In protected mode, each segment is marked by a bit that designates whether the segment is a protected-mode segment containing 16-bit 80286 code or a 32-bit protected-mode segment. Programs residing in 32-bit segments can use the extended address space (segments larger than 64 KB) and additional features, including array indexing, orthogonal use of the register set, and special debugging capabilities not found in previous

A protected-mode operating system can also create a task that runs in virtual 8086 mode. An application running in this mode believes that it is running in real mode or on an 8086. However, the operating system can designate certain classes of input/output (I/O) operations that it will not allow. If the application attempts to violate any operating system rules, an interrupt is generated that transfers control from the application to the operating system. By examining the instruction that the application was trying to execute, the operating system can choose to block the application from running, simulate the operation, or ignore it and let the application continue. The operating system also maps the 1 MB 8086 address space that the application believes it is running under to the actual memory space that the operating system wants the application to use. A protected-mode operating system can establish multiple virtual 8086 tasks.
The 80386 also extends the similarities between the Intel architecture and the Multics system. Like Multics, the 80386 integrates the ability to perform demand paging (a virtual memory technique used in minicomputers and mainframes) with segmentation.

The 80387
The most recent microprocessor line from Intel also boasts a new coprocessor, the 80387. The interface between the CPU and the coprocessor is the same one defined for the 80286 and the 80287. The 80386 can be coupled with the 80287 to provide a lower-cost floating-point environment. The 80387 provides a significant performance improvement over its predecessor, executing floating-point benchmarks about five times faster.

80386 Family Extensions
Intel has indicated that the 80386 product line will continue to evolve. The next generation processor will be called the 80486 and will include capabilities beyond those of the 80386. However, Intel has committed to broadening support for the 80386 as well. Intel recently introduced the 80386SX and the 80387SX, which are fully compatible with the 80386/80387 but support only a 16-bit external data bus and a 24-bit external address bus. Intel plans to introduce other processors that use the 80386 native mode instruction set but that do not support compatibility features such as real mode or V86 mode.

Summary
As you can see from the following table, the 80386 technology has significantly advanced beyond that of its predecessors; however, the road to 32-bit computing was not necessarily straight and narrow. The 80386 has been shaped by a number of forces: the ideals of the designers, the limits of compatibility (some stemming from the early days of the 8080), threats from the competition (both real and perceived), and other factors such as Pascal, Multics, and UNIX. Now that I've shown the origins of the 80386, the remainder of the book will show what the 80386 is and

Relative Performance
                 8086/87   80286/287   80386/387
Integer          1.0       2.7         6.7
Floating point   1.0       1.7         10.0

If the 8086/87 performance is 1.0, the 80386/387 is approximately 6.7 times faster performing integer calculations and approximately 10 times faster performing floating-point calculations.

2
THE 80386
ARCHITECTURE

Back in 1837, when Charles Babbage was musing over the idea of computation automata, he referred to his grandest scheme as an "analytical engine." At that time, especially considering the mechanical aspects of Babbage's idea, an engine was an apt metaphor for a computing device: fuel, combustion, and power as input, computation, and output.

A Data-Processing Factory
In recent years, however, this machinelike cycle led to limitations on the amount of work that could be accomplished. A modern microprocessor such as the 80386 might be more successfully compared with a factory than with an engine. At the heart of this data-processing factory, the computational engine remains, but it is surrounded by a bevy of supporting departments.
Figure 2-1 on the following page illustrates our imaginary widget factory. It is composed of three departments: Shipping and Receiving, Materials, and Manufacturing. The Shipping and Receiving department deals with the world outside the factory. It orders truckloads of raw materials from suppliers and passes them to the Materials department. The goods are sorted here and warehoused until needed. The Manufacturing department, the "engine" of the factory, forges the finished widgets from the raw materials and routes them to Shipping and Receiving, where they are sent to the outside world.
The efficiency of this model lies in the parallel nature of the different activities. At the same time as the Materials department requests the raw goods necessary to build widgets, Manufacturing builds the current supply of widgets, and Shipping and Receiving deals with the outside world, buys unfinished goods, and ships the newly finished widgets.
Conventional computers receive two classes of data: instructions and operands. The instructions tell the computer which operations to perform on the operands.

Similar to the operation of our imaginary factory, the 80386 can work on more than one instruction simultaneously. In the jargon of the computer industry, this is called pipelining.

Figure 2-1. Widget factory.

In Figure 2-2, I recast the widget factory as a data-processing factory analogous to the operation of the 80386. The Shipping and Receiving department pulls in bytes of data from memory. Instructions then move to the Materials department, where they are decoded and stored. When requested, the new instructions and any necessary operands pass to the Manufacturing department, the computational engine. The results of an operation pass back to Shipping and Receiving, which stores the results outside the CPU, in memory.

Figure 2-2. Data-processing factory.

Although simple, this picture of the flow of information through the 80386 is fairly accurate. The three departments in the example correspond to six logical units in the 80386, as shown in Figure 2-3. Each unit operates in parallel with the other units. Later sections of this chapter describe the operation of each unit.


Figure 2-3. 80386 factory.

Keeping the factory moving

The 80386 runs to a heartbeat called the clock signal. This regular electronic pulse keeps all units of the 80386 synchronized. The clock signal is a square wave oscillating at a specific frequency, as shown in Figure 2-4. Instruction timings, memory access times, and operational delays are measured in terms of clocks, or one complete square-wave cycle. A typical frequency for an 80386-based system is 16 MHz. At 16 MHz, one clock is 62.5 nanoseconds.

Figure 2-4. Square wave cycle (16 MHz).
*Actual hardware signal is two-phase; that is, it oscillates twice for every processor clock.

The timings of each processing unit are also measured in clocks. The shortest possible execution time is 1/2 clock. This is possible because the square-wave input to the 80386 CPU chip oscillates at twice the clock frequency, making a two-phase

Performance advantages of parallelism

The pipelined operation of the 80386 "hides" portions of instruction execution time. Some operations necessary to execute an instruction occur during the previous instruction. The table that follows illustrates the difference between executing a typical instruction (ADD ECX, [EBP+8]) on the 80386 and executing it on a similar imaginary processor without pipelining.


Operand addres xlate 2 ll clocks

5-tti6cks io:Teiiocks

Pipelining lets the 80386 execute an instruction about twice as quickly as a similar processor that performs each step of the instruction sequentially. Some instructions that have no operands appear to execute in "zero" time because of the parallel nature of 80386 operating units.

80386 Microarchitecture
Figure 2-5* shows a block diagram of the internal operating units of the 80386. Although the programmer sees the 80386 as a single entity, it is instructive to see how the 80386 achieves the division of labor that contributes to its speed.

Figure 2-5. 80386 microarchitecture.

* Reprinted by permission of Intel Corporation, copyright 1986.


Bus interface unit


The bus interface unit (BIU) is the 80386's gateway to the external world. Any other unit that needs data from the outside asks the BIU to perform the operation. Similarly, when an instruction needs to write data to memory or to the I/O channel, the BIU is presented with the data and address and is asked to place it on the bus. The bus interface unit deals with physical (hardware) addresses only, so operand addresses must first pass through the segmentation unit and the paging unit, if necessary.

Instruction prefetch unit

The job of the prefetch unit is relatively simple. The instruction decode unit empties a 16-byte queue, and the prefetch unit tries to keep the queue full. The prefetch unit continually asks the BIU to fetch the contents of memory at the next instruction address. As soon as the prefetch unit receives the data, it places it in the queue and, if the queue is not full, requests another 32-bit piece of memory. The BIU treats requests from the prefetch unit as slightly less important than requests from other units. In this way, currently executing instructions requesting operands receive the highest priority and are not slowed down, but prefetches still occur as frequently as possible. The prefetch unit is notified whenever the execution unit processes a CALL, a JMP, or an interrupt so that it can begin fetching instructions from the new address. The queue is flushed whenever a CALL, a JMP, or an interrupt occurs, which prevents the execution unit from receiving invalid instructions.

Instruction decode unit

The instruction decode unit has a job similar to that of the prefetch unit. It takes individual bytes from the prefetch queue and determines the number of bytes needed to complete the next instruction. A single instruction in the 80386 can be anywhere from 1 to 16 bytes. After pulling the entire instruction from the prefetch queue, the instruction decode unit reformats the opcode into an internal instruction format and places the decoded instruction into the instruction queue, which is three operations deep. The instruction decode unit also signals the BIU if the instruction just decoded will cause a memory reference. This allows the operands of the instructions to be obtained prior to the execution of the instructions.

Execution unit
The execution unit is the part of the CPU that does computations. It performs any shifts, additions, multiplications, and so on that are necessary to accomplish an instruction. The register set is contained inside the execution unit. The unit also contains a logic component called a barrel shifter, which can perform multiple-bit shifts in a single clock cycle. The execution unit uses this capability not only in shift instructions but in accelerating multiplications and in generating indexed addresses. The execution unit also tells the bus interface unit when it has data that needs to be sent to the memory or I/O bus.


Segmentation unit
The segmentation unit translates segmented addresses into linear addresses. Segment translation time is almost entirely hidden by the parallelism of the 80386. At the most, one clock is required to complete the address translation. The typical case is zero clocks. The segmentation unit contains a cache that holds descriptor table information for each of the six segment registers. This unit is described further in Chapter 3.

Paging unit
The paging unit takes the linear addresses generated by the segmentation unit and converts them to physical addresses. If paging is disabled, the linear addresses of the segmentation unit become the physical addresses. When paging is enabled, the linear address space of the 80386 is divided into 4096-byte blocks called pages. Each page can be mapped into an entirely different physical address. Chapter 6 discusses the paging process in detail.
The 80386 microprocessor uses a page table to translate every linear address to a physical address. The paging unit contains an associative cache called the translation lookaside buffer (TLB), which contains the entries (new addresses) for the 32 most recently used pages. If a page table entry is not found in the TLB, a 32-bit memory read cycle fetches the entry from RAM. Under typical operating conditions, less than 2 percent of all memory references require the 80386 to look outside the TLB for a page table entry.
The time required to perform the translation varies between 0 and 5 clocks. Thanks to the TLB, the typical delay is only 1/2 clock.

Instruction Set Architecture

The execution unit presents the programmer with the model for instruction execution. It contains the logic to process instructions, to operate on various data types, and to interpret control information.
Because the 80386 is a 32-bit machine, the typical size of an 80386 operand is a 32-bit quantity. Also, because the 80386 processes data 32 bits at a time, it is said to have a word size of 32 bits. Unfortunately, the term "word" is ambiguous when referring to the 80386.
For compatibility, word refers to a 16-bit quantity, as it did in the 8086 and 80286 environments. The term dword, or 32-bit word, refers to a 32-bit quantity.

Bits and bit strings


Although the basic (default) operand size on the 80386 is 32 bits, it can manipulate quantities of various sizes. The most elementary is the bit. A bit is a single binary digit, and the 80386 implements a number of instructions that test and modify individual bits. Bits are addressed as an offset from a register or memory location. The


low-order bit of the operand is designated as bit 0, the high-order bit in the low-order byte is bit 7, and the low-order bit of the next byte is bit 8. Figure 2-6 shows the bits in a register and in memory. If the operand resides in memory, negative bit offsets can also be used. Bit -1 is the high-order bit of the byte immediately preceding the memory address.

Figure 2-6. Bit strings.
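
The bit numbering just described, as an added C example (not code from the book). It resolves a signed bit offset to a byte and a bit position and refuses offsets that fall outside the buffer holding the bit string; the function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Split a signed bit offset into a byte displacement and a bit number 0..7.
 * C's / and % truncate toward zero, so negative offsets need the floor
 * correction below: bit -1 must land on bit 7 of the byte at displacement -1. */
static void split_bit_offset(long bit_offset, long *byte_disp, unsigned *bit_in_byte)
{
    long q = bit_offset / 8;
    long r = bit_offset % 8;
    if (r < 0) {
        r += 8;
        q -= 1;
    }
    *byte_disp = q;
    *bit_in_byte = (unsigned)r;
}

/* Read one bit of a bit string held in memory.
 * buf/len : the buffer that contains the bit string (hypothetical names)
 * base    : index of the byte whose low-order bit is bit 0
 * Returns 0 or 1, or -1 when the offset selects a byte outside the buffer. */
int mem_bit_test(const uint8_t *buf, size_t len, size_t base, long bit_offset)
{
    long disp;
    unsigned bit;
    split_bit_offset(bit_offset, &disp, &bit);

    if (disp < 0 && (size_t)(-disp) > base)
        return -1;                      /* before the start of the buffer */
    size_t index = disp < 0 ? base - (size_t)(-disp) : base + (size_t)disp;
    if (index >= len)
        return -1;                      /* past the end of the buffer */
    return (buf[index] >> bit) & 1;
}

/* Read one bit of a 32-bit register value; valid offsets are 0..31. */
int reg_bit_test(uint32_t reg, unsigned bit)
{
    return bit < 32 ? (int)((reg >> bit) & 1u) : -1;
}

int main(void)
{
    /* Constructed sample: three bytes, bit string anchored at the middle byte. */
    const uint8_t mem[3] = { 0x80, 0x01, 0x00 };
    const long offsets[] = { 0, 7, 8, -1, -8, -9, 16 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("bit %3ld -> %d\n", offsets[i],
               mem_bit_test(mem, sizeof mem, 1, offsets[i]));
    printf("bit 31 of 80000000H -> %d\n", reg_bit_test(0x80000000u, 31));
    return 0;
}
```

A negative or oversized offset reaches bytes that are not part of the operand, which is why the memory form checks the resolved index before reading.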

Bytes
The byte is the basic unit of addressability on the 80386; that is, address 3 refers to the third byte in memory, not the third dword. A byte is an 8-bit quantity that can be interpreted as either a signed or an unsigned value. Figure 2-7 shows the layout of a byte and the range of values that it can specify.

Signed value      -128 ≤ x ≤ 127
Unsigned value       0 ≤ x ≤ 255

Figure 2-7. Byte value range.

When a byte is interpreted as an unsigned number, it can take on a value ranging from 0 through 255. If a byte is interpreted as a signed number, it is assumed to be in two's complement notation. This notation allows a single byte to store values ranging from -128 through +127. To determine the value of a two's complement number, follow these steps:
1. Examine the most significant bit (MSB) of the value. If the MSB is 0, the number is positive and can be read as if it were an unsigned value. If the MSB is 1, the value is negative.
2. You can find the absolute value of the number by taking the complement of the number (inverting the value of each bit) and adding 1.
For example, consider the binary value 10111100B. The most significant bit, 1, indicates that the number is negative. To find the absolute value, take the complement


(01000011B) and add 1. The result, 01000100B, is 68 decimal, so 10111100B represents the value -68.

Words
Words, as previously defined, are 16-bit quantities. Figure 2-8 shows the range of values that can be stored in a word. When a word is written to memory, it is stored in two bytes. The low-order byte is written to the specified address, and the high-order byte is written to the next consecutive memory location.

Signed value      -32768 ≤ x ≤ 32767
Unsigned value         0 ≤ x ≤ 65535

Figure 2-8. Word value range.

Word values are interpreted as signed or unsigned in the same way as are byte values. The only differences are that bit 15 is the MSB and that there is a greater range of possible values.

Dwords
Dwords are 32-bit quantities. Like bytes and words, they can be signed or unsigned. The extra bits allow representation of integral values greater than 2 billion. Figure 2-9 illustrates the range of values for dwords and the way they are stored in memory. Like words, dwords are stored in memory low-order byte first. If the low-order byte is stored at address x, the high-order byte is stored at address x + 3.

Signed value      -2147483648 ≤ x ≤ 2147483647
Unsigned value              0 ≤ x ≤ 4294967295

Figure 2-9. Dword value range.

The computer industry does not agree on the proper method of breaking up large values into bytes for memory storage. Computers like the DEC VAX use the same technique as the 80386. Others, such as the IBM 370 or the Motorola 68020, store the high-order byte first. This can be a consideration when porting programs from one computer to another.

Quadwords
Quadwords are 64-bit numeric quantities. No instructions reference quadword memory operands. However, the 32-bit Multiply instruction generates a 64-bit value, with the high-order bits in register EDX and the low-order bits in register EAX. Conversely, the Divide instruction accepts a 64-bit dividend stored in the same register format. Storing a quadword in memory requires two MOV instructions.
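
The Bytes, Words, Dwords and Quadwords passages above, worked through in one added C example (not code from the book). It decodes a two's complement pattern with the two steps given under Bytes, generalized here to 16 and 32 bits, and shows low-order-byte-first storage including the EDX:EAX product of a 32-bit multiply. Function names and sample values are constructed; storing the EAX half at the lower address is an assumption that follows the low-order-first convention.

```c
#include <stdint.h>
#include <stdio.h>

/* Value of a width-bit two's complement pattern (width is 8, 16 or 32),
 * following the two steps in the text. */
int64_t twos_value(uint32_t raw, unsigned width)
{
    uint32_t mask = width == 32 ? 0xFFFFFFFFu : ((1u << width) - 1u);
    raw &= mask;
    if (((raw >> (width - 1)) & 1u) == 0)
        return (int64_t)raw;              /* step 1: MSB is 0, read as unsigned */
    /* step 2: complement every bit, add 1, and the result is the magnitude */
    uint64_t magnitude = (uint64_t)(~raw & mask) + 1u;
    return -(int64_t)magnitude;
}

/* Store nbytes of v low-order byte first, as the 80386 does. */
void store_le(uint8_t *mem, uint64_t v, unsigned nbytes)
{
    for (unsigned i = 0; i < nbytes; i++)
        mem[i] = (uint8_t)(v >> (8 * i));
}

/* Read nbytes back low-order byte first. */
uint64_t load_le(const uint8_t *mem, unsigned nbytes)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < nbytes; i++)
        v |= (uint64_t)mem[i] << (8 * i);
    return v;
}

/* Read the same bytes high-order byte first (the IBM 370 / 68020 order). */
uint64_t load_be(const uint8_t *mem, unsigned nbytes)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < nbytes; i++)
        v = (v << 8) | mem[i];
    return v;
}

/* 32-bit unsigned multiply: the 64-bit product is split as EDX:EAX. */
void mul32(uint32_t a, uint32_t b, uint32_t *edx, uint32_t *eax)
{
    uint64_t product = (uint64_t)a * b;
    *edx = (uint32_t)(product >> 32);
    *eax = (uint32_t)product;
}

/* Store EDX:EAX as a quadword with two dword stores (the two MOVs).
 * Assumption: the low-order dword (EAX) goes to the lower address. */
void store_quad(uint8_t *mem, uint32_t edx, uint32_t eax)
{
    store_le(mem, eax, 4);
    store_le(mem + 4, edx, 4);
}

int main(void)
{
    uint8_t mem[8];
    uint32_t edx, eax;

    printf("10111100B as a signed byte = %lld\n", (long long)twos_value(0xBC, 8));

    store_le(mem, 0x12345678u, 4);        /* constructed sample dword */
    printf("dword bytes at x..x+3: %02X %02X %02X %02X\n",
           mem[0], mem[1], mem[2], mem[3]);
    printf("misread high-order first: %08llX\n",
           (unsigned long long)load_be(mem, 4));

    mul32(0xFFFFFFFFu, 2u, &edx, &eax);
    store_quad(mem, edx, eax);
    printf("EDX:EAX = %08X:%08X, quadword = %016llX\n",
           edx, eax, (unsigned long long)load_le(mem, 8));
    return 0;
}
```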


ASCII and BCD


In the previous examples, the values discussed represent numbers. For ASCII and BCD, the binary patterns represent encodings of information. ASCII stands for American Standard Code for Information Interchange. ASCII values are 7 bits of information stored in a single byte. The most significant bit is 0. A particular bit pattern represents a predefined value. For example, the binary pattern 0101011B represents the plus character (+), 1010011B represents the letter S, and 0110101B represents the digit 5. Appendix B contains a table of all ASCII characters.
Similarly, BCD, which stands for binary coded decimal, encodes representations of decimal numbers in a binary format. Encoding a decimal digit requires 4 bits. Because using only 4 bits of a byte is inefficient, 2 BCD digits are often stored in a single byte. This representation is called packed BCD. Figure 2-10 shows how values are stored in BCD notation.

Figure 2-10. BCD storage.

Because ASCII and BCD provide ways to encode numeric values and do not have a fixed length, they can be used to implement variable-precision numbers. The 80386 supports ASCII and BCD arithmetic via the Decimal Adjust and ASCII Adjust instructions. Chapter 4 discusses ASCII and BCD arithmetic.

The 80386 Register Set

In addition to implementing the logic to execute instructions, the 80386 has a number of storage locations on the chip, called registers. Because they are inside the CPU, registers can be accessed as operands much more rapidly than can external memory. The general registers are used by the 80386 to store frequently accessed operands. Other registers contain special values that control specific aspects of 80386 operation.


The 80386 register set is partitioned into five classes: the general registers, which applications use for data storage and computation; segment registers, which affect memory addressing; protection registers, which help support the operating system; control registers, which modify the behavior of the processor; and debug and test registers, which are used as their name implies.

General registers
The general registers are named EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP, as shown in Figure 2-11. As a rule, any instruction can use any general register except ESP, either as an operand or as a pointer to an operand in memory. Exceptions are noted in Chapter 4 in the discussion of the instruction set.

Figure 2-11. 80386 base register set.

In the 80386, you can address selected portions of these registers. The part of the register accessed depends on whether you are performing an 8-bit, 16-bit, or 32-bit operation. Each division of a register has a separate name. For example, EAX is the name of one of the 32-bit registers. The lower 16 bits are addressable as AX, and that half of the register is accessible as AL (the low-order 8 bits) or AH (the high-order 8 bits). These names are left over from previous generation microprocessors, the 8080 and 8086, as discussed in Chapter 1. The 80386 extends the 80286 register set to 32 bits, similar to the way that the 8086 and 80286 extended the 8-bit registers of the 8080 to 16 bits. Figure 2-12 shows a map of the register extensions.


Figure 2-12. 386/286 registers.

Two additional registers hold status information about the current instruction stream. The EIP register contains the address of the currently executing instruction, and the EFLAGS register contains a number of fields relevant to different

Like the other registers, EIP and EFLAGS have 16-bit components, IP and FLAGS. The 16-bit forms of these registers are used in virtual 8086 mode and in running code written for the 80286.

EFLAGS register
A breakdown of the EFLAGS register looks like this:

VM-Virtual 8086 mode: When this bit is set, it indicates that the currently executing instruction stream is 8086 code. The implications of virtual 8086 mode are covered in Chapter 7. Applications cannot change the VM (virtual machine) bit, and instructions that modify EFLAGS leave the VM bit unchanged. Only the task-switch operation or an interrupt/interrupt return can alter the VM bit.


RF-Resume flag: This bit controls whether a debug fault can be generated during the execution of an instruction. When an exception occurs during program execution, the 80386 pushes the current CS, EIP, and EFLAGS registers onto the stack and transfers control to the proper exception handler. The stack image of the EFLAGS register has the RF bit set to 1. When the exception handler returns to the interrupted instruction, the RF bit is on, and the 80386 prevents a debug fault from being generated. Any other faults (such as page faults or protection faults) occur as usual. The debug exception has the highest priority of all 80386 exceptions; if, therefore, an instruction causes multiple faults, the first one processed is the debug exception. When control returns to the interrupted instruction, the RF bit is set, and the instruction is completed without retriggering the debug fault. The 80386 clears the RF bit upon completion of the interrupted instruction. (See Chapter 5 for a discussion of exceptions and support for debugging.)

NT-Nested task flag: The 80386 sets this bit whenever a CALL, interrupt, trap, or exception causes a task switch. The bit is set in the EFLAGS register of the new task and indicates that a reverse task switch (IRET) is valid. Task switching in the 80386 is discussed further in Chapter 5.
IOPL-I/O privilege level: This 2-bit field holds a value of 0-3 that indicates the privilege level required to perform I/O instructions. Although IOPL is in the EFLAGS register, no procedure can modify it unless the procedure is running at privilege level 0, and then only by using the POPF instruction.

A procedure's current privilege level (CPL) must be equal to or more privileged than the IOPL to execute any of the following instructions: IN, INS, OUT, OUTS, CLI, or STI. A procedure that can execute these instructions is said to have I/O privilege.
OF-Overflow flag: When an arithmetic integer instruction is executed, the OF bit is set if the result is too large or too small to fit in the destination register or memory address. Because the OF flag is set relative to integer instructions, the 80386 presumes that the destination register is one bit smaller in size to allow for the sign bit. The following instructions illustrate some examples:

    MOV AL, 127     ; AL = 7FH, largest 8-bit
                    ; signed integer, OF = 0
    ADD AL, 2       ; result, AL = 81H (-127),
                    ; should be AX = 0081H (129), OF = 1

    MOV CX, 35000   ; CX = 88B8H (-30536 as a signed word), OF = 0
    SUB CX, 7002    ; result, CX = 6D5EH (27998),
                    ; should be ECX = FFFF6D5EH (-37538), OF = 1

Note that the OF bit is ignored if unsigned arithmetic is intended. For example, adding 127 and 2 in register AL generates a valid, unsigned result of 129.

DF-Direction flag: The direction flag bit modifies the behavior of the string instructions: MOVS, STOS, LODS, CMPS, SCAS, INS, and OUTS. When DF is 0, the string instructions operate on incrementally higher addresses. When DF is 1, the memory addresses are decremented, and the operand addresses become progressively lower. The STD instruction sets the direction flag bit, and the CLD instruction clears the bit.
IF-Interrupt enable flag: When this bit is set, the 80386 responds to external hardware interrupts. When the bit is reset, interrupts are disabled, and the 80386 ignores the hardware interrupt pin. Note that this bit does not affect the NMI interrupt. The processor always responds to faults (exceptions) and software interrupts regardless of the setting of the IF bit. When IF is 0, interrupts are said to be masked. The STI instruction sets IF to 1, and the CLI instruction clears IF to 0. The interrupt enable flag is also modified when an IRET is executed. A POPF instruction modifies the interrupt enable flag only if the procedure executing the instruction has I/O privilege.
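
The privilege rules stated above for VM, IOPL and IF, gathered into one added C model of what POPF is allowed to change (an illustration, not code from the book). The bit positions are Intel's documented EFLAGS layout, which the text above does not list; leaving RF untouched is an assumption, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bit positions (Intel's documented layout; not listed in the text). */
#define FL_CF    (1u << 0)
#define FL_IF    (1u << 9)
#define FL_IOPL  (3u << 12)     /* 2-bit field, bits 12-13 */
#define FL_RF    (1u << 16)
#define FL_VM    (1u << 17)

unsigned eflags_iopl(uint32_t eflags)
{
    return (eflags & FL_IOPL) >> 12;
}

/* I/O privilege as the text defines it: CPL equal to or more privileged
 * than IOPL, which numerically means CPL <= IOPL. This is the check that
 * gates IN, INS, OUT, OUTS, CLI and STI. */
int has_io_privilege(unsigned cpl, uint32_t eflags)
{
    return cpl <= eflags_iopl(eflags);
}

/* EFLAGS value after a POPF executed at privilege level cpl.
 * current : EFLAGS before the instruction
 * popped  : the dword taken from the stack */
uint32_t popf_result(uint32_t current, uint32_t popped, unsigned cpl)
{
    uint32_t keep = FL_VM;          /* instructions that modify EFLAGS leave VM alone */
    keep |= FL_RF;                  /* assumption: RF is not changed by POPF either */
    if (cpl != 0)
        keep |= FL_IOPL;            /* only privilege level 0 may change IOPL */
    if (!has_io_privilege(cpl, current))
        keep |= FL_IF;              /* IF changes only with I/O privilege */
    return (popped & ~keep) | (current & keep);
}

/* Bits the caller asked to change that were left as they were. */
uint32_t popf_ignored(uint32_t current, uint32_t popped, unsigned cpl)
{
    return popped ^ popf_result(current, popped, cpl);
}

int main(void)
{
    /* Constructed sample: interrupts enabled, IOPL 0. The popped image
     * tries to clear IF, raise IOPL to 3 and set VM, and also sets CF. */
    uint32_t current = FL_IF;
    uint32_t popped  = FL_CF | FL_IOPL | FL_VM;

    for (unsigned cpl = 0; cpl <= 3; cpl += 3) {
        uint32_t after = popf_result(current, popped, cpl);
        printf("CPL %u: IF=%u IOPL=%u VM=%u CF=%u ignored=%05X\n", cpl,
               (after & FL_IF) != 0, eflags_iopl(after),
               (after & FL_VM) != 0, (after & FL_CF) != 0,
               popf_ignored(current, popped, cpl));
    }
    return 0;
}
```

At CPL 3 the request to mask interrupts and raise IOPL has no effect and only CF changes, which is the isolation property an operating system relies on when it sets IOPL below the application's privilege level.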
TF-Trap flag: The trap flag bit assists in debugging programs on the 80386. When the TF bit is set, an interrupt 1 occurs immediately after the next instruction executes. The trap flag is usually set by a debugger; the debug capabilities of the 80386 are covered in Chapter 5.
SF-Sign flag: The sign flag bit changes when arithmetic or logical instructions are executed. The sign flag bit receives the value of the high-order bit of the result and, when set to 1, indicates that the result of the instruction is negative.

    MOV EDX, -1     ; Sign flag unchanged by MOV
    ADD EDX, 3      ; EDX = 2, SF now 0
    NEG EDX         ; EDX = -2, SF now 1

ZF-Zero flag: The zero flag bit is set when arithmetic instructions generate a 0 result.

    MOV AL, 0       ; Zero flag unchanged by MOV
                    ; AL unchanged, ZF now 1
AF-Auxiliary carry flag: The auxiliary carry flag bit indicates that a carry out of the low-order nibble of the AL register occurred in an arithmetic instruction. This bit is used by the ASCII and BCD instructions. It allows implementation of multiple-digit precision decimal arithmetic. The following example assumes an ASCII encoding of the characters 4 and 7.

    MOV AL, '4'     ; AL = 34H, AF unchanged by MOV
    ADD AL, '7'     ; AL = 6BH, AF now 0 (4 + 7 = 0BH, no carry out of the low nibble)
    AAA             ; ASCII Adjust, AL = 1, AH = AH + 1

PF-Parity flag: The parity flag bit is set to 1 when an arithmetic instruction results in a value with an even number of 1 bits. For example, if you issued the following instructions, the resulting parity flag bit would be 0.

    MOV AH, 91H     ; AH = 10010001B, PF unchanged by MOV
    ADD AH, 05H     ; AH = 10010110B, PF now 1
CF-Carry flag: The carry flag bit is set when the result of an arithmetic operation is too large or small for the destination register or memory address. It is similar in operation to the OF bit but indicates an unsigned overflow of the destination.

    MOV AL, 127     ; AL = 7FH, CF unchanged by MOV
    ADD AL, 2       ; AL = 81H, CF now 0
    ADD AL, AL      ; AL = 02H, CF now 1 (result is 102H)

    MOV AL, 3       ; CF unchanged by MOV
    SUB AL, 4       ; AL = FFH, CF now 1 (borrow bit)
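
The arithmetic flags described above (OF, SF, ZF, AF, PF and CF), computed by one added C model for 8-, 16- and 32-bit ADD and SUB, with the ASCII Adjust step alongside. This is an illustration added here, not code from the book; the function names are hypothetical, and the inputs in main are the operands of the listings above.

```c
#include <stdint.h>
#include <stdio.h>

struct flags { int cf, pf, af, zf, sf, of; };

static uint32_t width_mask(unsigned width)      /* width: 8, 16 or 32 */
{
    return width == 32 ? 0xFFFFFFFFu : ((1u << width) - 1u);
}

/* Flags that depend only on the result. PF looks at the low byte only. */
static void result_flags(uint32_t r, unsigned width, struct flags *f)
{
    unsigned ones = 0;
    for (unsigned i = 0; i < 8; i++)
        ones += (r >> i) & 1u;
    f->pf = (ones % 2 == 0);
    f->zf = (r == 0);
    f->sf = (int)((r >> (width - 1)) & 1u);
}

uint32_t alu_add(unsigned width, uint32_t a, uint32_t b, struct flags *f)
{
    uint32_t m = width_mask(width);
    a &= m;
    b &= m;
    uint64_t wide = (uint64_t)a + b;
    uint32_t r = (uint32_t)wide & m;
    f->cf = (int)((wide >> width) & 1u);              /* unsigned overflow */
    f->af = (int)(((a ^ b ^ r) >> 4) & 1u);           /* carry out of bit 3 */
    /* signed overflow: both operands share a sign that the result lacks */
    f->of = (int)(((~(a ^ b) & (a ^ r)) >> (width - 1)) & 1u);
    result_flags(r, width, f);
    return r;
}

uint32_t alu_sub(unsigned width, uint32_t a, uint32_t b, struct flags *f)
{
    uint32_t m = width_mask(width);
    a &= m;
    b &= m;
    uint32_t r = (a - b) & m;
    f->cf = (a < b);                                  /* borrow */
    f->af = (int)(((a ^ b ^ r) >> 4) & 1u);           /* borrow from bit 4 */
    /* signed overflow: operands differ in sign and the result's sign
     * differs from the first operand's */
    f->of = (int)((((a ^ b) & (a ^ r)) >> (width - 1)) & 1u);
    result_flags(r, width, f);
    return r;
}

/* ASCII Adjust after addition, applied to AX: if the low nibble of AL is
 * above 9 or AF is set, AL = (AL + 6) AND 0FH and AH = AH + 1. */
uint16_t aaa(uint16_t ax, struct flags *f)
{
    uint8_t al = (uint8_t)(ax & 0xFF);
    uint8_t ah = (uint8_t)(ax >> 8);
    if ((al & 0x0F) > 9 || f->af) {
        al = (uint8_t)((al + 6) & 0x0F);
        ah = (uint8_t)(ah + 1);
        f->af = f->cf = 1;
    } else {
        al &= 0x0F;
        f->af = f->cf = 0;
    }
    return (uint16_t)((ah << 8) | al);
}

static void show(const char *what, uint32_t r, const struct flags *f)
{
    printf("%-18s = %08X  OF=%d SF=%d ZF=%d AF=%d PF=%d CF=%d\n",
           what, r, f->of, f->sf, f->zf, f->af, f->pf, f->cf);
}

int main(void)
{
    struct flags f;
    uint32_t r;
    r = alu_add(8, 127, 2, &f);        show("ADD AL,2", r, &f);
    r = alu_add(8, 0x81, 0x81, &f);    show("ADD AL,AL", r, &f);
    r = alu_sub(8, 3, 4, &f);          show("SUB AL,4", r, &f);
    r = alu_sub(16, 35000, 7002, &f);  show("SUB CX,7002", r, &f);
    r = alu_add(8, 0x91, 0x05, &f);    show("ADD AH,05H", r, &f);
    r = alu_add(8, '4', '7', &f);      show("ADD AL,'7'", r, &f);
    r = aaa((uint16_t)r, &f);          show("AAA (AX)", r, &f);
    return 0;
}
```

The same bit pattern sets OF and CF independently: 7FH + 2 overflows as a signed byte but not as an unsigned one, which is why a range check has to test the flag that matches the intended interpretation of the operands.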

Segment registers
The segment registers hold the values that affect which portions of memory a program uses. Four segment registers are used under specific conditions, and two are available as pointers to frequently used areas of memory. The CS, DS, SS, and ES registers were inherited from the 80286 and perform the same functions as they did in that CPU. Two additional registers, FS and GS, are new to the 80386.
Associated with the segment registers is a descriptor cache, which holds the starting address of the memory segment and other related information. Chapter 3 details the relationship between segments and memory addresses in the 80386. The descriptor cache for the segment registers is not accessible to the programmer; only the 16-bit register portion can be accessed directly. Figure 2-13 illustrates the segment registers and the internal descriptor cache.

Figure 2-13. Segment registers.


Protection model registers


Four registers support the protection model of the 80386, as shown in Figure 2-14.

Figure 2-14. Protection registers.

The protection model registers are:

GDTR-Global Descriptor Table Register
IDTR-Interrupt Descriptor Table Register
LDTR-Local Descriptor Table Register
TR-Task Register
The GDTR and IDTR contain linear base addresses that point to the start of the GDT and the IDT descriptor tables. They also contain limit fields that describe the size of the GDT and IDT tables.
The LDTR and TR registers hold 16-bit selector values, similar to the segment registers. Like the segment registers, an inaccessible descriptor cache exists for both the LDTR and TR. The LDTR holds a selector for an LDT descriptor, and the TR holds a selector for the TSS (task state segment) of the currently executing process. Chapter 5 discusses how these registers work.

Control registers
The control registers regulate the paging and numeric coprocessor operation of the 80386. A general description of the registers follows; refer to the specific chapters on paging and coprocessors for more detailed information. A programmer can only read or modify control registers by instructions of the form MOV CRn, reg where reg stands for one of the general registers. A procedure must be running at the highest privilege level to execute these instructions.


CR0-Control register 0
The following illustration shows the contents of control register 0. The LMSW and SMSW instructions allow access to the low-order 16 bits of CR0 as the machine

PG-Paging: Paging is enabled by setting the PG bit to 1. Typically, the operating system does this once, at initialization. Chapter 6 discusses the 80386 paging

ET-Extension type: The 80386 sets the ET bit to 1 at boot time if the processor determines that an 80387 is present. If this bit is 0, the coprocessor is either an 80287 or is not present at all. When ET is 1, the 80386 uses a 32-bit protocol to communicate with the coprocessor; otherwise, it uses a 16-bit protocol.
TS-Task switched: The 80386 sets the TS bit when a task switch operation occurs. When the TS bit is on, the next coprocessor instruction causes a trap to the operating system. This feature lets the operating system implement multitasking without requiring the operating system to save the state of the math coprocessor every time a task switch occurs. The context of the 80387 is more than 100 bytes, so saving the coprocessor state at every task switch would waste valuable CPU time.
EM-Emulate math coprocessor: When this bit is set, floating-point instructions that would normally control coprocessor operation trap to the operating system instead. Proper use of this bit allows programmers to write applications as if a coprocessor were present. If an 80287 or 80387 is present, the operating system initializes the EM bit to 0, and the application's floating-point instructions will be executed by the coprocessor. If an 80287 or 80387 is not present, the operating system sets the EM bit to 1. Then, when an application executes a floating-point instruction, the 80386 will trap back to the operating system, which either emulates the instruction in software or passes the operands to other floating-point hardware in the

MP-Math present: The operating system sets this bit to 1 at boot time if a math coprocessor (either the 80287 or 80387) is present. The MP bit affects the operation of the WAIT instruction, as described in Chapter 8.
PE-Protect enable: Setting the PE bit places the processor into protected mode. Typically, this is done once, at initialization. Unlike the earlier 80286, the 80386 makes it possible to switch the CPU back into real mode after entering protected mode. Some implementations of the OS/2 operating system use this technique to allow real-mode MS-DOS programs to run concurrently with protected-mode OS/2


CR1-Control register 1
Control register 1 is not used in the 80386 and is reserved for future Intel processors.

CR2-Control register 2
When a page fault occurs, the CR2 register is loaded with the linear address that caused the exception. Refer to Chapter 6 for more details on paging in the 80386.

CR3-Control register 3
The 80386 paging hardware also uses this register. It contains the linear address of the starting point of the page directory. The implementation of paging is covered fully in Chapter 6.

Debug and test registers


The 80386 contains seven debug registers and two test registers. The test registers, TR6 and TR7, allow diagnostic software to test the translation lookaside buffer (TLB). Because the TLB is part of the paging hardware, these registers are discussed in Chapter 6.
The debug registers, labeled DR0-DR7, allow the 80386 to implement a hardware breakpoint capability that previously required an external in-circuit emulator. By setting the address register (DR0-DR3) and control bits (DR6-DR7), the programmer can halt the 80386 when a particular memory location is read from, written to, or executed. The breakpoints are noninvasive (they don't require modification of the program under debug), and they are also real-time (they don't degrade the performance of the program). Chapter 5 describes debugging techniques using the debug registers.

Coprocessor Support
The 80386 can operate with either the 80287 or 80387 numeric data processor (NDP). Because these special-purpose chips operate in parallel with the 80386, they are called coprocessors. The 80287 is a slower chip with a 16-bit interface, originally designed for use with the 80286. Floating-point performance with the 80287 is approximately 320,000 whetstones when running at 10 MHz. The 32-bit 80387 offers higher performance. This processor is software compatible with the 80287 and can execute about 1,800,000 whetstones when running at 16 MHz. Appendix F notes the differences between the 80287 and 80387. References to the 80387 in the following text also refer to the 80287 unless otherwise noted.
In addition to the raw performance advantage of hardware support for floating-point arithmetic, the NDPs introduce another level of parallelism into the system. As soon as the 80386 passes an instruction to the 80387, it begins operating on the next instruction regardless of how long the 80387 takes to complete its operation. Of course, if the 80386 encounters another floating-point instruction, it must wait for the coprocessor to complete the current operation before the 80386 can give it


To use a value computed by the 80387 and written to memory, you must ensure that the 80387 has completed the write operation. The FWAIT instruction ensures synchronization between the 80386 and 80387.
If a coprocessor is absent, the 80386 allows an operating system to emulate one and remain invisible to the application. For details on coprocessor emulation, see the discussion of the EM bit in control register 0 of the 80386 earlier in this chapter.

Additional data formats


Adding either the 80287 or the 80387 coprocessor to an 80386 adds direct hardware support for three floating-point number formats and one BCD integer format. The 80287 and 80387 also support three integer formats that the 80386 recognizes. These are the 16-bit, 32-bit, and 64-bit two's complement (signed) integers, identical to their counterparts on the 80386. Figure 2-15 shows the additional numeric formats.

Figure 2-15. Floating-point formats. (Diagram: bit layouts of the word integer, short
integer, long integer, and BCD integer, and of the real formats with their sign,
exponent, and significand fields.)


Floating-point numbers
The 80387 supports three floating-point formats. This allows a programmer to make
compromises between the amount of memory required and the precision of the
results. The short real format lets programmers specify numbers of about six decimal
digits of accuracy. This format is also known as single-precision because a
short real number fits into a single 32-bit machine word. Long reals, also known as
double-precision, represent floating-point numbers of up to 15 decimal digits of
accuracy. Holding a long real number requires a double machine word (64 bits). The
third format is called temp (temporary) real or extended-precision. Temp real numbers
are 80 bits and represent about 19 decimal digits of precision.

Just as scientific notation represents floating-point quantities in decimal notation
(for example, 4.74 x 10^3), the 80387 floating-point format is a type of binary
scientific notation. The general format of a floating-point number on the 80387 is
f x 2^e, where f represents a binary fraction and e is an exponential power of 2. Three
fields are required to make up a floating-point number: the sign, the exponent, and
the fraction, or significand.

The sign field is a single bit that is set to 1 to indicate a negative number and reset to
0 for a positive value. Unlike the two's complement notation of the integers, no
value manipulation is necessary to change the number from positive to negative (or
vice versa) other than toggling the sign bit. This notational format allows the
representation of +0.0 and -0.0, which is useful in certain circumstances.

The exponent field represents a multiplier of 2^e. This field ranges from 8 bits in the
short real format to 11 bits in the long real format to 15 bits in the temp real format.
To accommodate negative exponents (such as 2^-6), the value in the exponent field
is biased; that is, the actual exponent is determined by subtracting the appropriate
bias value from the value in the exponent field. For example, the bias for short reals
is 127. If the value in the exponent field is 130, the exponent represents a value of
2^(130-127), or 2^3. The bias for long reals is 1023, and the bias for temp reals is 16383.
The values 0 and all 1s (binary) are reserved for representing special values and
cannot be used to represent floating-point numbers.

The significand field contains the fractional part of the floating-point number. The
significand occupies 23 bits in short reals, 52 bits in long reals, and 64 bits in temp
reals. Figure 2-16 shows how to interpret floating-point fractions. The significand
is encoded in two different ways on the 80387. In temp real format, the significand
field holds the binary fraction in the form s0.s1s2...s63, where sn is bit n of the
significand.

In short format and in long real format, the authors of the IEEE-754 format took
advantage of a representational trick to squeeze out an extra bit of precision. A review
of scientific notation shows that the values 40.103 x 10^2, 4.0103 x 10^3, and 0.0040103
x 10^6 all represent the same number. A binary notation has the same property.


Shifting the fraction by one position can be compensated for by incrementing or
decrementing the value of the exponent. Because a binary number consists only of
0s and 1s, the designers of the floating-point format decided that the fractional
portion of the short and long reals would be shifted left until the most significant bit
was 1. Since this bit was now defined as 1, there was no point in storing it, and it
was assumed to exist. The fraction for a short or long real, therefore, has the value
1.s0s1s2...sn, where n is 22 for short reals and 51 for long reals.

Figure 2-16. Floating-point fractions. (Diagram: a decimal fraction beside a binary
fraction worth 6.5625 decimal; the short and long real significands hold the fraction
with the MSB implied, and the temp real significand holds the fraction directly
represented.)

Single

Absolute value = 1.s0s1...s22 x 2^(exp-127)

The bias for the short real exponent is 127. The significand includes the "implied 1"
bit and allows a precision of about six decimal digits. Representative values range
from ±1.18 x 10^-38 to ±3.40 x 10^38.


Long real:

Absolute value = 1.s0s1...s51 x 2^(exp-1023)

The bias for the long real exponent is 1023. The significand includes the "implied 1"
bit and allows a precision of about 15 decimal digits. Representative values range
from ±2.23 x 10^-308 to ±1.80 x 10^308.

Temp real:

Extended

Absolute value = s0.s1...s63 x 2^(exp-16383)

The bias for the temp real exponent is 16383. The significand represents the
fractional portion of the value (with no implied bits) and allows a precision of about 19
decimal digits. Representative values range from ±3.30 x 10^-4932 to ±1.2 x 10^4932.
Special floating-point values: In addition to intuitive values such as 3.14159 and
6.03 x 10^13, the 80387 represents values that arise under unusual conditions. These
values are called infinities, denormals, and NaNs (NaN stands for "not a number").

Infinity, positive or negative, is represented by a value whose exponent field is all 1s
and whose fraction is 1.0B. Note that in short and long real numbers, 1.0B is
represented by a significand of all 0s, whereas in temp real numbers, the significand is a
binary 10000000...0B.

Denormals are values that are too small to represent in the standard (or normalized)
fashion. Denormals are represented by a value with an exponent field of 0 and any
nonzero value in the significand. A floating-point number with both an exponent of
0 and a significand of 0 represents 0.0.

NaNs are invalid representations of floating-point numbers. They are identified by
an exponent field of all 1s and a significand other than the one representing infinity.
The two kinds of NaNs are the signaling NaN and the quiet NaN. A signaling NaN
has a fraction of the form 1.0xxx...xB, where x represents any bit value. The 80387
generates an exception whenever a signaling NaN is used. The 80387 never creates
a signaling NaN, but a programmer can use one to indicate some error condition
such as an uninitialized floating-point variable. The quiet NaN has a fractional
format of 1.1xxx...xB. Recall that the leading 1 is not implied in the significand of short
and long reals but must be present in temp reals. The 80387 generates a quiet NaN
instead of a numeric result whenever a floating-point instruction causes an invalid
operation. Any instruction that receives either type of NaN as an operand generates
a NaN as a result. The following table lists special values used by the 80387.

Sign   Exponent    Fraction       Value

       11...11B    1.1xx...xB     Quiet NaN
       11...11B    1.0xx...xB     Signaling NaN
       11...11B    1.00...0B      Infinity
       00...00B    0.xx...xB      Denormal
       00...00B    0.00...0B      Zero

The "x" indicates that it makes no difference whether the bit is 0 or 1. The "1" before
the decimal in the fraction is physically present only in temporary real format. It is
implied in the short and the long real formats. Denormals are recognized in the
short and the long format by the 0 exponent value.
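
The field rules above, applied to the short real format, as an added example that is not code from the book. The function names and the sample bit patterns are this example's own (constructed), and the value routine covers normal numbers only.

```c
#include <stdint.h>
#include <stdio.h>

/* Classes from the special-values table; the names are this example's own. */
enum sr_class { SR_ZERO, SR_DENORMAL, SR_NORMAL, SR_INFINITY,
                SR_QUIET_NAN, SR_SIGNALING_NAN };

#define SR_BIAS      127      /* short real exponent bias        */
#define SR_EXP_ALL1  0xFFu    /* exponent field of all 1s        */
#define SR_FRAC_BITS 23       /* stored significand (fraction)   */

static unsigned sr_sign(uint32_t bits)     { return bits >> 31; }
static unsigned sr_expfield(uint32_t bits) { return (bits >> SR_FRAC_BITS) & 0xFFu; }
static uint32_t sr_fraction(uint32_t bits) { return bits & 0x7FFFFFu; }

enum sr_class sr_classify(uint32_t bits)
{
    unsigned e = sr_expfield(bits);
    uint32_t f = sr_fraction(bits);

    if (e == 0)                      /* reserved value: zero or denormal */
        return f == 0 ? SR_ZERO : SR_DENORMAL;
    if (e == SR_EXP_ALL1) {          /* reserved value: infinity or NaN  */
        if (f == 0)
            return SR_INFINITY;      /* 1.00...0B, leading 1 implied     */
        /* First stored fraction bit: 1.1xx...x is quiet, 1.0xx...x is signaling. */
        return (f >> (SR_FRAC_BITS - 1)) ? SR_QUIET_NAN : SR_SIGNALING_NAN;
    }
    return SR_NORMAL;
}

/* Actual exponent = value in the exponent field minus the bias. */
int sr_exponent(uint32_t bits) { return (int)sr_expfield(bits) - SR_BIAS; }

/* Value of a normal short real: (+/-)1.s0s1...s22 x 2^(exp-127).
   Returns 0.0 for every other class; callers check sr_classify() first. */
double sr_value(uint32_t bits)
{
    double v;
    int e;

    if (sr_classify(bits) != SR_NORMAL)
        return 0.0;
    v = 1.0 + (double)sr_fraction(bits) / 8388608.0;   /* implied 1 + f / 2^23 */
    for (e = sr_exponent(bits); e > 0; e--) v *= 2.0;
    for (; e < 0; e++) v /= 2.0;
    return sr_sign(bits) ? -v : v;
}

static const char *sr_name(enum sr_class c)
{
    static const char *names[] = { "zero", "denormal", "normal", "infinity",
                                   "quiet NaN", "signaling NaN" };
    return names[c];
}

int main(void)
{
    /* Constructed sample bit patterns. */
    static const uint32_t samples[] = {
        0x41000000u,  /* exponent field 130, fraction 0: 1.0 x 2^3 */
        0x40D20000u,  /* 6.5625 */
        0x80000000u,  /* -0.0 */
        0x00000001u,  /* smallest denormal */
        0xFF800000u,  /* negative infinity */
        0x7FC00000u,  /* quiet NaN */
        0x7F800001u   /* signaling NaN */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t b = samples[i];
        printf("%08lX sign=%u exp=%3u frac=%06lX  %-13s",
               (unsigned long)b, sr_sign(b), sr_expfield(b),
               (unsigned long)sr_fraction(b), sr_name(sr_classify(b)));
        if (sr_classify(b) == SR_NORMAL)
            printf("  value=%g (2^%d)", sr_value(b), sr_exponent(b));
        printf("\n");
    }
    return 0;
}
```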

BCD integer
The other new data type that the 80387 supports is a packed decimal integer of 18
digits stored in 10 consecutive bytes of memory. The high-order bit of the high-order
byte is interpreted as a sign bit in the same way as floating-point numbers.
The rest of the high-order byte is unused. The remaining bytes each contain two
BCD digits.


The value range of the BCD integer is 0 through ±999,999,999,999,999,999.
Programmers who work with BCD numbers might want to run the 80387 with the precision
exception unmasked. Because BCD formats often represent monetary values, it is
important to avoid losses due to rounding or truncation.

Coprocessor register set

The 80287 and 80387 are nearly identical in terms of their programming models.
Both contain register files of eight 80-bit floating-point registers and a number of
status registers. (See Figure 2-17.)


Figure 2-17. 80387 register file. (Diagram: floating-point registers 0 through 7 and
the error pointers FIP, FCS, FOO, and FOS.)

Unlike the general registers of the 80386, however, the NDP registers are addressed
as a stack. The current top-of-stack (the value most recently pushed) is indicated by
a field in the status word register and is addressed as ST or ST(0). The next register
(the previous value pushed) is ST(1), and so on. This is best illustrated by the
following example.

Assume that the configuration in Figure 2-18 (on the following page) shows the
initial state of the 80387. Register 2 is designated as the current top-of-stack, but
nothing is stored in the registers. The tag word (TW) register holds a 2-bit field for
each register, marking it as valid, 0, special, or unused. To evaluate the polynomial
y = 3x^2 - 7x + 4, we will use the following code fragment. (Figure 2-18 shows how
the function evaluation progresses on the 80387 stack.)

x       DD      ?               ; short real variable "x"
y       DD      ?               ; result of computation
const   DW      ?               ; memory word for integer constants

        FLD     x               ; load x to top of stack
        FLD     ST(0)           ; duplicate copy of x
        FMUL    ST(0)           ; square copy of x at top of stack
        MOV     const, 3        ; integer multiplier
        FIMUL   const           ; multiply top of stack by 3
        MOV     const, 7
        FILD    const           ; load 7 to top of stack
        FMULP   ST(2), ST       ; ST(2) = x * 7, pop ST
        FSUBRP  ST(1), ST       ; ST(1) = ST - ST(1), pop ST
        MOV     const, 4
        FIADD   const           ; add 4 to top of stack
        FSTP    y               ; store result and pop, clearing stack


Figure 2-18. Evaluating a polynomial. (Diagram: the 80387 register stack after each
instruction of the code fragment.)
The 80387 register addressed by ST(1) varies according to the value of the TOP field
in the status word register. The following section describes the other fields in the
status word register.

Status word register

The status word register can be illustrated as follows:

B | C3 | TOP | C2 | C1 | C0 | ES | SF | PE | UE | OE | ZE | DE | IE

B-Busy: This bit is 1 when the 80387 is executing an instruction or when an
unmasked exception (bits 0-5) is indicated. Execute the instruction FNSTSW AX,
which copies the status word register to the AX register of the 80386, to test this bit.

C3, C2, C1, C0-Condition codes: The 80387 sets these bits when a floating-point
compare, test, or examine instruction is executed. The various combinations
that occur are discussed under the relevant instructions in Chapter 8.

TOP-Top-of-stack: This field indicates which of the 80387 machine registers
functions as the top of stack. When a new value is pushed onto the register stack,
the value of TOP is decremented by 1. When a value is popped from the stack, TOP
is incremented by 1. The results of the increment or decrement are truncated to
three bits to allow addressing of eight floating-point registers.

ES-Error summary: The 80387 sets this bit to 1 whenever a floating-point
instruction generates an unmasked exception. The exception indicators are bits 0-5.
The exception masks themselves are located in the control word register.

SF-Stack fault: The 80387 sets this bit to 1 if an instruction causes a stack
overflow by pushing too many operands or a stack underflow by popping the stack
when there are no more values. This field does not exist in the 80287, so
floating-point code that must run on either coprocessor should not rely on having the bit. A
stack fault also results in an invalid operation exception.


Before discussing each field, it is worth noting a couple of things about bits 0-5 of
the status word register. These bits correspond to exceptional conditions that can
occur while executing 80387 instructions.

Whenever a condition represented by an exception bit occurs, the 80387 first sets
the appropriate bit in the status word register. Next, it checks the corresponding
mask bit in the control word register. If the mask bit is 0 (unmasked), the 80387
triggers the coprocessor fault (interrupt 16) on the 80386. If the mask bit is 1 (masked),
the 80387 continues by executing the next instruction.

Additionally, the 80387 exception bits are "sticky." Once set, they remain set until
the programmer loads the status word register with a new value. This lets the
programmer write a series of numeric instructions and place a test for errors at the end
of the instruction stream rather than after each instruction.

PE-Precision exception: This exception occurs when the 80387 cannot represent
the exact result of a floating-point instruction. For example, the fraction 1/3 cannot
be represented exactly as a decimal fraction because it produces an infinitely
repeating result. Any finite representation such as 0.3, 0.333333333, or even
0.333333333333333333333333333333 is only an approximation. Similarly, the 80387
cannot represent this fraction exactly in binary format. Dividing 1 by 3 results in the
infinite binary fraction 0.010101...B.

This exception also occurs when a temp real number is converted to a lower
precision and bits are lost in the conversion.

The precision exception is almost always masked because a rounded or truncated
result will suffice in most cases.

UE-Underflow exception: The underflow exception is triggered when the
result of an operand is too small for the 80387 to represent. For example, the
smallest value that can be represented in the 80387's 80-bit extended-precision
format is 3.37 x 10^-4932. Attempting to square a number such as 10^-3000 results in an
underflow exception.

OE-Overflow exception: This exception is the converse of the underflow
exception. It occurs when the result of a floating-point operation is too large for the
80387 to represent. Like the precision exception, UE and OE can be generated
when a number representable on the 80387 is converted to a format in which it is
not representable.

ZE-Zero divide exception: Whenever division by zero is attempted, the ZE
exception occurs. This exception can be caused by floating-point operations other
than the divide instruction, such as sine, cosine, remainder, and so on.

DE-Denormal exception: This exception occurs whenever an operand of a
floating-point instruction is a denormal. Denormal numbers are discussed earlier in
this chapter.


IE-Invalid operation exception: This exception traps all error conditions not
handled by the previously discussed exceptions. These can include arithmetic faults
(such as an attempt to take the square root of a negative number) or programmer
faults (such as specifying a register that contains no value as an instruction operand).

Control word register

A programmer modifies the control word register (CW) of the 80387 to alter its
behavior. The format of the control word register and the definition of each field

x | x | x | x | RC | PC | x | x | PM | UM | OM | ZM | DM | IM

Bit 12 (infinity control on 80287): Bit 12 is ignored on the 80387. On the
80287, this bit selects either affine or projective closure. Affine closure allows the
use of both positive and negative infinity. In projective closure, very large or very
small numbers overflow to a single unsigned infinity. The 80387 only supports
affine closure.

RC-Rounding control: This field specifies how the 80387 handles values that it
cannot represent exactly. The RC field can be set to one of the following modes:
00-Round toward nearest (choose even number if equidistant)
01-Round toward negative infinity
10-Round toward positive infinity
11-Round toward zero (truncate)

To see how the rounding control affects the results of a computation, assume that
the 80387 can represent only the integers -5 through +5. Figure 2-19 on the following
page shows the results of rounding the values 2 1/2, 1 1/2, -1 1/2, and -2 1/2 in each
rounding mode.

PC-Precision control: The PC field tells the 80387 which floating-point format
to use when generating the results of add, subtract, multiply, divide, and square root
operations. This field can hold one of the following values:
00-Single-precision (32-bit)
01-Reserved for future coprocessors
10-Double-precision (64-bit)
11-Extended-precision (80-bit)

Instructions other than those affected by the PC field generate extended-precision
results or have a precision specified by the operand.


Figure 2-19. Rounding control.

PM, UM, OM, ZM, DM, IM-Mask bits: The remaining bits in the control word
register are the mask bits for the exception conditions and correspond to bits 0-5 of
the status word register. The mask bits are:
Precision mask (PM)
Underflow mask (UM)
Overflow mask (OM)
Zero divide mask (ZM)
Denormal operand mask (DM)
Invalid operation mask (IM)

Tag word register

The final 16-bit register on the 80387 is the tag word register. This register consists
of eight 2-bit fields that correspond to each floating-point register. T0 is the field for
register 0 (not ST0), T1 is associated with register 1, and so on. Each tag field holds
one of the following values that gives additional information about the contents of
the corresponding register:
00-The register contains a valid floating-point number.
01-The register contains the value 0.0.
10-The register contains the value infinity or an invalid number.
11-The register is empty (unused).

The tag word register is normally not used by the programmer. A debugger that
displays the contents of the 80387 stack must examine the contents of the tag word
register to properly interpret the contents of the coprocessor registers.

Error pointer registers

The only other registers on the 80387 are the error pointer registers. These registers
are updated each time a new floating-point instruction is executed. When a
floating-point instruction causes an exception, these registers can be queried to
determine which instruction is at fault. Note that no 80387 instructions directly address
these registers. The store environment operation copies the contents of all 80387
registers to memory.

The error pointer registers are necessary because of the parallel operation of the
80386 and 80387. The 80386, which is executing simpler, faster instructions, might
be executing code in a different segment when the 80387 generates an exception.
The error pointer registers make it much easier to determine what went wrong
when an 80387 exception occurs.

(Diagram: error pointer register layout, showing FIP; 00000, FOP, and FCS; FOO; and
0 and FOS.)

FIP-Floating-point instruction pointer: This register is loaded with the
contents of the 80386 EIP register when a coprocessor instruction is executed.

FCS-Floating-point code segment: This register is loaded with the value of the
80386 CS register when a floating-point instruction is executed.

FOP-Floating-point opcode: This register is loaded with 11 bits of opcode
information. A coprocessor instruction always has the format:

    7             0   7             0
    1 1 0 1 1 ? ? ?   ? ? ? ? ? ? ? ?   (optional bytes)
    First byte        Second byte


The second byte of the instruction is concatenated with the 3 low-order bits of the
first byte to form the contents of the FOP register. Early versions of the 80386 do not
generate this information for the 80287, nor is it available when using the 80386 in
protected mode with the 80287 coprocessor. It might be simpler to use the FCS and
FIP values to find the instruction at fault.

FOS-Floating-point operand segment: This register contains the segment
register of the memory operand (if any) referred to by the most recent
floating-point instruction.

FOO-Floating-point operand offset: This register holds the offset within
segment FOS of the memory operand (if any) referred to by the most recent coproces-

MEMORY ARCHITECTURE: SEGMENTATION

A segmented memory architecture is a hallmark of the Intel 8086 family of
processors. The 80386 is the first of these processors in which segmentation is not an
impediment to the programmer.

Linear vs. Segmented Memory

The hardware interface between the CPU and memory is virtually identical in almost
every computer, and the 80386 is no exception. A set of address lines goes out from
the processor to memory. The CPU places an address on the bus, and memory
responds by returning the value stored at that location or by accepting a new value.
Figure 3-1 shows the hardware relationship between the CPU and memory.

Figure 3-1. CPU-memory interface. (Diagram: 32 lines, 2^32 possible addresses,
between the 80386 and memory.)



Because of the binary nature of the digital computer, a system with n address lines
allows the system to reference 2^n elements of memory. The hardware behaves in a
linear fashion; that is, for each of the 2^n possible combinations of address lines, a
separate memory element responds.

Most computers also have a linear memory model. They allow programmatic
access to memory, beginning with address 0 and continuing through address 2^n - 1.
Theoretically an application could read the byte at location 0, then read the next
byte, and so on until it reads the last byte of memory in the system. This model
parallels the hardware interface.

However, like the 8086 and the 80286, the 80386 has a programmatic memory
model different from the hardware memory model. These processors have a
segmented memory model. To a program, the address space is divided into chunks,
or segments, and the program can only access data contained in those segments.
Within each segment, addressing is linear, and the program can access byte 0, byte
1, byte 2, and so on. The addressing is relative to the start of the segment, however,
and the hardware address associated with software address 0 is hidden from the

This approach to memory management is natural. Programs are typically divided
into segments of code and data. In the 80386, programs can be made up of single or
many code and data segments. In a multitasking environment, segmentation also
isolates processes from one another. If my program can look at only my code and
my data, it cannot illicitly modify your program's code or data. Figure 3-2 shows a
multiprocessing system with many segments coexisting in memory.

Figure 3-2. Memory divided into segments.


The 80386 has six segment registers. The values in these registers determine the
memory segments that a program can access. The CS register points to the segment
that contains the program's code. CALL and JMP instructions implicitly refer to the
current code segment. The DS register points to the program's main data area. For
example, the instruction:

        MOV     AL,[0]

copies the first byte (byte 0) of the data segment into register AL.

The 80386 also supports a stack segment (register SS). The stack segment is
commonly (but not necessarily) the same segment as the data segment. The PUSH and
POP instructions store data to or remove it from the stack segment.

Three additional registers (ES, FS, and GS) point to auxiliary data that the program
needs to access less frequently, such as COMMON variables in a FORTRAN
program. You can apply a special prefix to an instruction that accesses the data
segment register. The prefix causes the instruction to act on one of the additional
segments instead. For example, the previous instruction might be written as:

        MOV     AL,ES:[0]

to fetch the first byte from one of the alternate data segments, or even as:

        MOV     AL,CS:[0]

to fetch the first byte from the code segment.

Previous generations of the 8086 family also dealt with segmented memory; however,
these processors limited the size of a segment to 64 KB, which was often much
too small. A single segment in the 80386 can be as large as 4 GB.

An operating system designer can choose to simulate a linear memory model (also
called a flat model) on the 80386 by creating one very large code segment and one
very large data segment and having all programs use the same values for CS and DS.
This is a common technique when porting systems that have run on linear address
machines. The UNIX operating system, with its VAX heritage, is typically
implemented on linear memory machines.

Virtual Addressing
Except when operating in real mode, the 80386 is a virtual memory processor.
When an instruction requests the contents of a memory location, the instruction
refers to the location not by an actual hardware memory address but by a virtual
address. The virtual address is really a name for a memory location. The processor
translates the location name into an appropriate physical location. The operating
system must maintain the proper mapping between virtual and physical memory.

This concept is not as convoluted as it might sound. For example, suppose that
someone says to me, "Put this report on the boss's desk." In my particular
department, that might mean, "Put this report on Simon Legree's desk." If, however,
I transfer to a new department, I might be placing my report on Ebenezer
Scrooge's desk. "The boss's desk" is a virtual location, and I can carry out the
instruction to turn in my report even though the desk on which I place the report
varies according to the circumstances.

A virtual address on the 80386 is specified by two numbers, a selector and an offset.
The selector is a 16-bit value that serves as a virtual name for a memory segment. It
is the selector that is loaded into the segment registers (CS, DS, and so on). The
offset is the distance from the beginning of the segment, and it is a 32-bit value.
Examples of virtual addresses include:

Virtual address     Interpreted

3F11:00000000       Offset 0H from selector 3F11H
01A9:0001FF00       Offset 1FF00H from selector 01A9H
EC2C:31887004       Offset 31887004H from selector EC2CH

The CPU translates a virtual address to a single 32-bit number called a linear
address. Figure 3-3 shows an example of address translation. This linear address goes
out on the system bus unless the paging feature is enabled. Paging is another level
of address translation and is discussed fully in Chapter 6.

Figure 3-3. Linear address translation.

Virtual-to-linear address translation

The CPU uses the selector as an index to a set of system tables called descriptor
tables. A descriptor is a block of memory that describes the characteristics of a
given element of the system. In the case of a memory segment, the characteristics
include the segment's linear base address, limit, access rights, and privilege level.


The base address is the starting point in the segment's linear address space. The
offset portion of a virtual address is added to the base address to generate the linear
address of the desired memory element. Figure 3-4 illustrates an example. The
virtual address 13A7:0010F405H is broken down into its segment and offset
components. The system uses the selector 13A7H as an index into its descriptor tables. It
pulls out a descriptor that says, for example, that the segment has a base address in
the linear address space of 00032DD000H. The virtual address offset is combined
with the base, and the resulting value, 33EC405H, is the translated linear address.

The 80386 hardware supports a 32-bit linear address space (2^32, or slightly in
excess of 4 billion bytes). The base address of a segment is located somewhere in this
range. As the base address defines the starting point of a segment, the limit field
defines the end point. The limit specifies the segment's last addressable byte. The
80386 checks every instruction that addresses memory to determine whether the
instruction is attempting to read or to write memory within the boundaries of the
segment's descriptor. An out-of-bounds reference causes an interrupt called a
general protection fault to occur. Faults are discussed in the section on interrupts and
exceptions in Chapter 5. The access rights field defines the type of segment and the
privilege level required to access it.

Figure 3-4. Virtual-to-linear address translation. (Diagram: the base address is added
to the offset, yielding the linear address 33EC405H.)


Segment descriptors
At this point, you probably visualize a descriptor as something like the item in
Figure 3-5. Indeed, all the data in this figure is in an 80386 descriptor; however,
because of space and compatibility constraints, the real thing is not quite so pretty.
Figure 3-6 shows the actual format of an 80386 segment descriptor.

Figure 3-5. Visualized descriptor.

Figure 3-6. Actual 80286 and 80386 descriptors. (Diagram: the base, limit, and access
rights fields of the 80286 and 80386 descriptors, and each descriptor as stored in
memory.)

Base address: The base address portion of the descriptor is the address of offset 0
in the segment. This field is 32 bits and is constructed from bytes 2, 3, 4, and 7 of
the descriptor. In the 80286, the base address is only 24 contiguous bits. However,
Intel specified that bytes 6 and 7 of the 80286 descriptor were to be set to 0 to
ensure that 80286 code would run properly on an 80386-based computer.

Limit: The limit field determines the last addressable unit of the segment. The limit
field is 20 bits, comprising bytes 0 and 1 of the descriptor and the low-order four bits of
byte 6. Again, the split is due to the difference in the limit field sizes between the
80286 and the 80386. Those of you handy with binary arithmetic might note that a
20-bit limit field allows the addressing of only 2^20, or approximately 1 million, items.
At first glance, this seems to mean that an 80386 segment is limited to 1 megabyte.
This is not the case, although the segment is limited to 1 million units. The G bit in
byte 6 of the descriptor stands for granularity, and 80386 segments come in two
forms, byte granular (G = 0) and page granular (G = 1).


The word granularity is similar to the word resolution. A high-resolution image is
made of very tiny items, and a lower-resolution image is made of larger items. The
limit of a byte granular segment is measured in bytes; a page granular segment is
measured in larger pieces called pages.

A page on the 80386 is 2^12, or 4096, bytes. This makes the limit on the size of a
segment 2^20 pages of 2^12 bytes, for a total of 2^32 bytes (4 GB). Again, a segment of code
ported from the 80286 is always a byte granular segment because the seventh and
eighth descriptor bytes are required to be 0.

For example, assume that the DS register points to a byte granular segment with a
limit of 001FH. The size of the segment is 20H (32 decimal) bytes, and the last
addressable byte is byte 001FH.

Illegal instruction      Reason

MOV EAX, [1234H]         Memory address beyond limit
MOV EAX, [001DH]         Size of item read extends beyond limit
MOV AL, [0020H]          Memory address beyond limit
MOV [001FH], AX          Size of item written beyond limit

Legal instruction        Reason

MOV EAX, [0000H]         Last byte read is 3H
MOV EAX, [001CH]         Last byte read is 1FH
MOV AL, [001FH]          Last byte read is 1FH
MOV [001EH], AX          Last byte written is 1FH

Now imagine a page granular segment with a limit of 0000H. The size of the
segment is one page, and page 0 is the last addressable page. A page has 1000H (4096
decimal) bytes in it, so the last addressable byte is 0FFFH.

Illegal instruction      Reason

MOV EAX, [1234H]         Memory address beyond limit
MOV EAX, [0FFDH]         Size of item read extends beyond limit
MOV AL, [1020H]          Memory address beyond limit
MOV [0FFFH], AX          Size of item written beyond limit

Legal instruction        Reason

MOV EAX, [0000H]         Last byte read is 3H
MOV EAX, [0FFCH]         Last byte read is 0FFFH
MOV AL, [0FFFH]          Last byte read is 0FFFH
MOV [0FFEH], AX          Last byte written is 0FFFH
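
An added example, not code from the book, that decodes the base, limit, and G fields from the descriptor bytes as described above and applies the limit check to the accesses in the tables. The descriptor byte values are constructed, the function names are hypothetical, G is taken as bit 7 of byte 6, and only ordinary (not expand-down) segments are handled.

```c
#include <stdint.h>
#include <stdio.h>

struct segment {
    uint32_t base;           /* linear address of offset 0              */
    uint32_t limit;          /* 20-bit limit field, in units set by G   */
    int      page_granular;  /* G bit: 0 = bytes, 1 = 4096-byte pages   */
};

/* Constructed descriptors, 8 bytes each, as stored in memory. Byte 5 (access
   rights) holds a constructed value and is not decoded in this example. */
const uint8_t DESC_BYTE_1F[8] = { 0x1F, 0x00, 0x00, 0xD0, 0x2D, 0x92, 0x00, 0x03 };
const uint8_t DESC_PAGE_0[8]  = { 0x00, 0x00, 0x00, 0xD0, 0x2D, 0x92, 0x80, 0x03 };
const uint8_t DESC_4GB[8]     = { 0xFF, 0xFF, 0x00, 0xD0, 0x2D, 0x92, 0x8F, 0x03 };

struct segment decode_descriptor(const uint8_t d[8])
{
    struct segment s;
    /* Base: bytes 2, 3, 4 (bits 0..23) and byte 7 (bits 24..31). */
    s.base = (uint32_t)d[2] | ((uint32_t)d[3] << 8) |
             ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    /* Limit: bytes 0, 1 (bits 0..15) and the low-order four bits of byte 6. */
    s.limit = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
              ((uint32_t)(d[6] & 0x0F) << 16);
    s.page_granular = (d[6] >> 7) & 1;   /* assumption: G is bit 7 of byte 6 */
    return s;
}

/* Offset of the last addressable byte of the segment. */
uint32_t last_byte(const struct segment *s)
{
    return s->page_granular ? ((s->limit << 12) | 0xFFFu) : s->limit;
}

/* Returns 1 if all `size` bytes starting at `offset` lie inside the segment,
   0 if the access would raise a general protection fault. The comparison is
   written as size - 1 <= last - offset so that offset + size cannot wrap. */
int access_ok(const uint8_t d[8], uint32_t offset, uint32_t size)
{
    struct segment s = decode_descriptor(d);
    uint32_t last = last_byte(&s);

    if (size == 0 || offset > last)
        return 0;
    return size - 1 <= last - offset;
}

/* Linear address = segment base + offset (call only after access_ok). */
uint32_t linear_address(const uint8_t d[8], uint32_t offset)
{
    return decode_descriptor(d).base + offset;
}

static void show(const char *what, const uint8_t d[8], uint32_t off, uint32_t size)
{
    printf("%-22s %s\n", what, access_ok(d, off, size) ? "legal" : "fault");
}

int main(void)
{
    /* Byte granular segment, limit 001FH. */
    show("MOV EAX,[001CH]", DESC_BYTE_1F, 0x001C, 4);
    show("MOV EAX,[001DH]", DESC_BYTE_1F, 0x001D, 4);
    show("MOV [001FH],AX",  DESC_BYTE_1F, 0x001F, 2);
    /* Page granular segment, limit 0000H (last byte 0FFFH). */
    show("MOV EAX,[0FFCH]", DESC_PAGE_0, 0x0FFC, 4);
    show("MOV EAX,[0FFDH]", DESC_PAGE_0, 0x0FFD, 4);
    /* Translation from the text: offset 0010F405H in a 4 GB segment. */
    printf("linear = %08lXH\n",
           (unsigned long)linear_address(DESC_4GB, 0x0010F405u));
    return 0;
}
```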


Access ,.tghts: The accessrights trxlrion of the derriptor hasthe following formatl

7 6 5 4 3 2 \ 0

The P bit stands for "present." It is set to 1 when the segment indicated by the selector is present in physical memory. In a virtual memory system, the operating system can move the contents of some segments to disk if physical memory is full. It then marks the descriptor as not present by resetting the P bit to 0. If an application loads a selector into a segment register and the descriptor associated with the selector has P = 0, the not present interrupt (11 decimal) is generated.
The operating system then looks for a free area of physical memory, copies the contents of the segment from disk back into memory, updates the descriptor with the new base address, sets P to 1, and restarts the interrupted instruction.
The DPL field contains the privilege level of the descriptor. The privilege level ranges from 0 (most privileged) through 3 (least privileged). A task can access segments of equal or lesser privilege. A task can only read data from or store data in segments of equal or lesser privilege. A task can call only code segments of the same privilege; however, access to segments of higher privilege may be granted indirectly via the 80386 protection mechanism. A task can never invoke a code segment of lower privilege.
The privilege level of a task, called the current privilege level (CPL), is the privilege level of the currently executing code segment. Typically, the most secure portions of the operating system run at level 0, other system software might run at a less privileged level, and applications typically run at level 3. See Chapter 5 for a description of the 80386 privilege mechanism.
The S (for segment) bit is always set to 1 for a memory segment. When S is equal to 0, a descriptor describes an object other than a memory segment. These objects are described in the chapter on the 80386 protection mechanism, Chapter 5.
The TYPE field indicates the types of operations allowed on the segment. Valid types are:
0  Read-only data segment
1  Read/write data segment

3  Read/write expand-down data segment
4  Execute-only code segment
5  Execute/readable code segment
6  Execute-only "conforming" code segment
7  Execute/readable "conforming" code segment
The type indicator defines the access rules applied to a segment. The CS register cannot be loaded with a selector of a segment of type data (0-3). No program can modify a segment that cannot be written. Segments that are not readable can be executed but not read as data. An attempt to violate any of these rules results in a protection fault. Conforming segments are discussed in Chapter 5. Expand-down segments are covered later in this chapter.
The 80386 sets the A (accessed) bit when the selector for the descriptor is loaded into a segment register. The operating system can use this bit to find out which segments are not frequently used and can therefore be swapped to disk if necessary.
Additional fields: Four additional fields in the segment descriptor are located in the high-order nibble of byte 6.
The G bit, described previously, regulates the granularity of the segment.
Bit 6 is referred to as the D bit if the descriptor is for an executable segment or as the B bit if the descriptor type is a data segment. The D bit is set to 1 to indicate the default, or native mode, instruction set. When D is equal to 0, the code segment is assumed to be an 80286 code segment, and it runs with 16-bit offsets and the 80286-compatible instruction set.
The B bit is set to 1 in any data segment whose size is greater than 64 KB.
Bit 5 must be set to 0. It is for use in a future Intel microprocessor.
Bit 4 (AVL) is available for use by system programmers. Possible uses include marking segments for garbage collection or indicating segments whose base addresses should not be modified.
Expand-down segments, indicated by TYPE = 3, are a special kind of data segment designed for use with the stack. Figure 3-7 shows a stack that resides in its own

Figure 3-7. Stack residing in its own segment.

As more data is pushed onto the stack, the stack pointer (ESP) nears 0. If too much data is pushed onto the stack, the program attempts to decrement ESP beyond 0, resulting in a stack fault. At this point, the operating system has no choice but to terminate the program.
Placing the stack in an expand-down segment rather than in a normal data segment, however, will change the way memory is addressed inside the segment.


Although normal segments are addressed beginning at 0 and extending to limit, expand-down segments begin at limit + 1 and extend to FFFFFFFFH. Figure 3-8 illustrates the difference.

Figure 3-8. Normal data segments and expand-down segments.

The advantage of this approach is that when the stack pointer is decremented past the limit and triggers a stack fault, the operating system can extend the size of the segment and decrement the limit. The faulting instruction is then restarted, allowing the program to run with a larger stack segment. Figure 3-9 shows how this is accomplished.

Figure 3-9. Extending the size of the segment.

Note that when a descriptor for an expand-down segment is created, the base address must be set to the linear address of the first byte after the end of the segment rather than to the address of the start of the segment. Because addressing arithmetic is limited to 32 bits, large offset values can be viewed as if they were negative num-

base + FFFFFFFFH = base + -1 = base - 1
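
The limit rules above (byte granular, page granular, and expand-down) can be modeled in a few lines. This is an added example, not code from the book: the struct and function names are assumptions, and the expand-down upper bound is taken as FFFFFFFFH as the text states.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 80386 segment limit check; names are illustrative. */
typedef struct {
    uint32_t limit;        /* 20-bit limit field of the descriptor */
    int      page_gran;    /* G bit: 0 = byte granular, 1 = page granular */
    int      expand_down;  /* 1 for an expand-down data segment (TYPE = 3) */
} segment;

static segment seg(uint32_t limit, int page_gran, int expand_down)
{
    segment s = { limit, page_gran, expand_down };
    return s;
}

/* Limit expressed in bytes: a page granular limit counts 4096-byte pages. */
static uint32_t byte_limit(segment s)
{
    return s.page_gran ? ((s.limit << 12) | 0xFFFu) : s.limit;
}

/* Returns 1 if every byte of a size-byte access at offset is addressable. */
static int access_ok(segment s, uint32_t offset, uint32_t size)
{
    uint32_t lim = byte_limit(s);
    uint64_t last;                      /* 64-bit so offset + size cannot wrap */

    if (size == 0)
        return 0;
    last = (uint64_t)offset + size - 1;
    if (s.expand_down)                  /* valid range: limit + 1 .. FFFFFFFFH */
        return offset > lim && last <= 0xFFFFFFFFull;
    return last <= lim;                 /* valid range: 0 .. limit */
}

/* Operating system response to a stack fault in an expand-down segment:
   decrement the limit until the faulting access fits. Returns the new limit
   field, or the original one if the segment cannot be extended. */
static uint32_t grown_limit(segment s, uint32_t fault_offset, uint32_t size)
{
    uint32_t original = s.limit;

    if (!s.expand_down)
        return original;
    while (!access_ok(s, fault_offset, size)) {
        if (s.limit == 0)
            return original;
        s.limit--;
    }
    return s.limit;
}

int main(void)
{
    segment bytes = seg(0x001F, 0, 0);   /* byte granular, limit 001FH */
    segment pages = seg(0x0000, 1, 0);   /* page granular, limit 0000H */
    segment stack = seg(0xFFFFE, 1, 1);  /* expand-down: FFFFF000H..FFFFFFFFH */

    printf("MOV EAX,[001DH], byte granular: %s\n",
           access_ok(bytes, 0x1D, 4) ? "legal" : "illegal");
    printf("MOV EAX,[0FFCH], page granular: %s\n",
           access_ok(pages, 0xFFC, 4) ? "legal" : "illegal");
    printf("dword push at FFFFEFFCH: %s\n",
           access_ok(stack, 0xFFFFEFFCu, 4) ? "legal" : "stack fault");
    printf("limit field after growth: %05lXH\n",
           (unsigned long)grown_limit(stack, 0xFFFFEFFCu, 4));
    return 0;
}
```

The check uses the last byte touched, not the first, which is why a doubleword read at 001DH fails in a segment whose limit is 001FH.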


Descriptor tables
All the descriptors are grouped together in descriptor tables. The two system descriptor tables are the Global Descriptor Table (GDT) and the Interrupt Descriptor Table (IDT). The IDT contains no segment descriptors, so it is not discussed here. A full description of the IDT and other facets of the 80386 protection mechanism is given in Chapter 5.
An operating system can also implement various Local Descriptor Tables (LDTs). Segment descriptors are found either in the GDT or in the currently active LDT. The selector used to identify the descriptor determines which table to use. The location of the tables in memory is determined by the GDTR, IDTR, and LDTR registers.

Selectors
A segment, as we have seen, is described by a descriptor that has been selected by a selector. A selector is made of three components, as shown in the following illustration.

15
INDEX TI RPL

The INDEX and TI (table indicator bit) fields tell the 80386 where to find the descriptor. When the TI bit is set to 0, the descriptor is in the GDT. When TI is set to 1, the 80386 uses the current LDT instead. The INDEX identifies which entry in the descriptor table to use. The RPL field is the requested privilege level. Note that the RPL can differ from the actual descriptor privilege level. The reason for this is discussed in detail in Chapter 5.
As an example of how the selection mechanism works, assume that the value 1A3BH is a valid selector. The selector is divided as follows:
Selector = 1A3BH = 0001101000111011B
INDEX = 0347H (839 decimal)
TI = 0 (GDT)
RPL = 3 (lowest)
To use a selector, hardware must first break it into three fields, INDEX, TI, and RPL. Figure 3-10 illustrates how hardware separates a selector into its components.


Figure 3-10. Selector components.
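
The selector split and the access rights checks described earlier (P, S, TYPE, and the A bit) combine into one segment register load. The following is an added example, not the book's code: the tables hold constructed sample access rights bytes, the function names are assumptions, privilege (DPL/RPL) checks are left out because the text defers them to Chapter 5, and the protection fault vector 13 is not stated on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* 11 is the not present interrupt named in the text. 13 is the 80386
   general-protection vector, an assumption not taken from this page. */
enum { LOAD_OK = 0, NOT_PRESENT = 11, PROTECTION_FAULT = 13 };

/* Access rights byte: P (bit 7), DPL (bits 6-5), S (bit 4),
   TYPE (bits 3-1), A (bit 0). */
#define AR_P(ar)    (((ar) >> 7) & 1)
#define AR_S(ar)    (((ar) >> 4) & 1)
#define AR_TYPE(ar) (((ar) >> 1) & 7)
#define AR_A        0x01
#define AR_PRESENT  0x80

/* Selector fields: INDEX (bits 15-3), TI (bit 2), RPL (bits 1-0). */
static unsigned sel_index(uint16_t sel)  { return sel >> 3; }
static unsigned sel_ti(uint16_t sel)     { return (sel >> 2) & 1; }
static unsigned sel_rpl(uint16_t sel)    { return sel & 3; }
/* Byte offset of the 8-byte descriptor inside its table. */
static unsigned sel_offset(uint16_t sel) { return sel_index(sel) * 8; }

/* Constructed sample tables holding only each descriptor's access rights. */
#define GDT_ENTRIES 840
#define LDT_ENTRIES 3
static uint8_t gdt_ar[GDT_ENTRIES] = {
    [839] = 0xF2            /* P=1 DPL=3 S=1 TYPE=1 (read/write data) A=0 */
};
static uint8_t ldt_ar[LDT_ENTRIES] = {
    0x00,
    0xFA,                   /* P=1 DPL=3 S=1 TYPE=5 (execute/readable code) */
    0x72                    /* P=0: read/write data segment swapped to disk */
};

/* Model of loading a selector into CS (into_cs = 1) or a data register. */
static int load_segment_register(uint16_t sel, int into_cs)
{
    uint8_t *table   = sel_ti(sel) ? ldt_ar : gdt_ar;
    unsigned entries = sel_ti(sel) ? LDT_ENTRIES : GDT_ENTRIES;
    unsigned i       = sel_index(sel);

    if (i >= entries)
        return PROTECTION_FAULT;        /* index outside the table */
    if (!AR_S(table[i]))
        return PROTECTION_FAULT;        /* S = 0: not a memory segment */
    if (into_cs && AR_TYPE(table[i]) <= 3)
        return PROTECTION_FAULT;        /* data types 0-3 cannot go in CS */
    if (!AR_P(table[i]))
        return NOT_PRESENT;             /* P = 0: interrupt 11 */
    table[i] |= AR_A;                   /* hardware marks it accessed */
    return LOAD_OK;
}

/* Operating system side of interrupt 11: after copying the segment back
   from disk it sets P to 1 and the faulting load is restarted. */
static int swap_in_and_retry(uint16_t sel, int into_cs)
{
    int result = load_segment_register(sel, into_cs);

    if (result == NOT_PRESENT) {
        uint8_t *table = sel_ti(sel) ? ldt_ar : gdt_ar;
        table[sel_index(sel)] |= AR_PRESENT;
        result = load_segment_register(sel, into_cs);
    }
    return result;
}

int main(void)
{
    printf("1A3BH: INDEX=%04XH TI=%u RPL=%u offset=%u\n",
           sel_index(0x1A3B), sel_ti(0x1A3B), sel_rpl(0x1A3B),
           sel_offset(0x1A3B));
    printf("load 1A3BH into CS: %d\n", load_segment_register(0x1A3B, 1));
    printf("load 1A3BH into DS: %d\n", load_segment_register(0x1A3B, 0));
    printf("load 0017H into DS: %d\n", load_segment_register(0x0017, 0));
    printf("after swap-in:      %d\n", swap_in_and_retry(0x0017, 0));
    return 0;
}
```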

Games Segments Play

Using the virtual addressing capabilities of the 80386, an operating system designer can provide a number of interesting features. One such feature is virtual memory. Virtual memory gives the appearance of physical memory where none exists.
To illustrate how this can be accomplished, imagine an environment such as the one pictured in Figure 3-11. The figure symbolizes a multitasking system in which four tasks are to be run. One MB of memory is available for running the four applications. Application A requires 400 KB, application B requires 100 KB, application C requires 400 KB, and application D requires 200 KB. Also assume that half of the application space is dedicated to code and that the other half is required for data.

Figure 3-11. Initial state of a multitasking system.


Because the combined memory requirement of the four applications exceeds 1 MB, they cannot all be in memory simultaneously. After A, B, and C are loaded (see Figure 3-12), not enough room remains for all of task D. The operating system loads the code portion of task D but not the data segment. It does, however, create descriptors for both the code and the data segments of task D, marking the data segment descriptor as not present.

Figure 3-12. Initial tasks loaded into memory.

This is a multitasking system, so the starting address (CS:EIP) of each task is passed to the scheduler portion of the operating system, and execution begins. Task A starts and is allowed to execute for a few milliseconds. The scheduler then takes control and allows task B to run for a few milliseconds. However, partway through its allotted time slice, task B reads the keyboard for input from the operator. Because no keys have yet been pressed, the operating system takes control and marks task B

The scheduler then gives control to task C, which runs through its allotted execution time. Control now passes to task D. It begins to execute, but as soon as it tries to refer to the data segment, the 80386 generates the not present interrupt.
The operating system determines which task was executing when the interrupt occurred and what caused the interrupt. It determines that task D needs access to its data segment, so it evaluates the status of the other tasks. Task B is suspended, so the operating system decides to temporarily remove it from memory to make room for the data segment of task D.
The memory image of B is written to disk, and the descriptors for B are marked as not present. Task B is said to have been swapped out, and operating systems that implement virtual memory in a similar manner are implementing swapping.
The data segment for D is copied into memory at the physical location just vacated by B, and the descriptor for D is updated to reflect the new base address and to show that the segment is now present in memory. Figure 3-13 reflects the new state


Figure 3-13. Swapping tasks B and D.

The scheduler now rotates execution time among tasks A, C, and D. At some point the computer operator sees the prompt for input from task B and in response presses a key on the keyboard. This action causes a hardware interrupt, and the operating system realizes that it must now schedule task B. However, because none of the other tasks are suspended, the system might choose to suspend task A temporarily.
Because task B is small, it displaces only part of task A. The code segment of task A is marked as not present, and the descriptors for task B are updated as shown in Figure 3-14. Notice that task B is now running at a completely different physical address than it was when it began. This is invisible to the application, however, because the selectors loaded into the segment registers do not change and because the memory offsets used by the instructions in the code segment are relative to the starting point of the segment, regardless of the physical origin of the segment.

Figure 3-14. Swapping tasks A and B.


The system will continue to operate as previously described, with occasional swapping and shifting of segments. If no external condition exists that causes a segment to swap, the operating system might swap segments, based either on which tasks have run the longest or on another system of priority.

Performance considerations
As the previous example shows, virtual memory doesn't create RAM out of thin air; it uses secondary storage, usually disk, to supplement the primary (RAM) storage and give the appearance of more primary storage than exists in the system. The cost of keeping up appearances is the amount of time it takes to move data between primary and secondary storage. The more time the system has to spend swapping, the less time it can spend executing the applications. On extreme occasions, a system can be so overextended that it spends all its time swapping segments in and out. This pathological situation is called thrashing.
An operating system designer can improve the performance of a virtual memory system. On the 80386, for example, code segments are immutable. Because the contents of a code segment do not change, it doesn't have to be swapped out. You can recreate the contents from the original executable image of the program. Only swapping in requires access to secondary memory. The operating system, therefore, can swap code segments twice as fast as it can swap data segments. Actually, if you recall the contents of a descriptor, you will remember that certain kinds of data segments can be marked as read-only. Like code segments, read-only data segments do not have to be written to secondary storage when swapped out.
Another trick that designers can use also relies on knowledge about code segments. The technique of segment sharing lets two or more tasks share the same code. This is primarily effective in multiuser systems. In the previous example, assume that tasks A, B, C, and D represent users running applications. Suppose that users A and C are running the same application, perhaps a spreadsheet. Now users A and C are operating on different data and require separate data segments. They are, however, executing the same code. Figure 3-15 shows how all four applications can fit in physical memory in this situation. The users maintain separate descriptors for their code and data, but the base addresses for the code segments of A and C point to the

Finally, a segment-oriented virtual memory system can provide a way to compact memory. Compacting memory helps solve a problem called fragmentation. Fragmentation occurs when memory that is not contiguous is available to run additional applications. To put it another way, the pieces of available memory are small and scattered throughout physical memory, and to be useful they need to be next to one another. Figure 3-16 illustrates this problem. Because applications deal with virtual addresses, they are not affected by a change in location. The process does take up


Figure 3-15. Tasks A, B, C, and D in physical memory.

Figure 3-16. Memory fragmentation.

Why bother?
Because virtual memory is plagued with potential performance problems and adds to the complexity of operating systems by forcing them to deal with fragmentation and with identifying shareable segments, you might be tempted to ask, "Is it worth the effort?" In most cases, the answer is yes.
One clear advantage of virtual memory is that a user doesn't have to spend money for extra memory simply to get an application to run. Any application will run in existing memory; it will simply run more slowly if it has to be swapped out. Let's say that I have a system with 2 MB of physical memory and that 90 percent of my applications fit into physical memory. However, 10 percent of the time I run an application that requires 5 MB of memory. Without virtual memory, I can't run the large application unless I spend the extra money to buy 3 MB of memory that will remain unused 90 percent of the time. With virtual memory, I can at least run the application and decide whether I want to spend money to improve its performance.
Virtual memory also makes life easier for the application designer. What if you are writing a program that manipulates a large array? If virtual memory is not available, you have to worry about how much memory your typical user will have and how to make your program fit into a system of that size. As a designer, you can no longer worry about simply solving the problem at hand (the array manipulation). You must also be concerned about breaking your program into pieces that will fit on the typical system. The complexity of your application increases, and the application is more likely to contain bugs.
This situation might be likened to giving a speech simultaneously in two different languages. By letting someone else handle the translation, you can concentrate on your job, presenting your information.

The dark side of the force

So far, only the advantages of segmentation have been discussed. Let's take another look at segments and see if we can uncover some problem areas. One advantage of segmentation is virtual addressing. The application deals with selectors, whereas the linear memory address for the segment is in the descriptor. Thus, every time a selector is loaded into a segment register, the contents of the descriptor must be fetched as well. Every instruction that causes a segment register to be loaded also causes the 8-byte descriptor for the segment to load. In addition, the descriptor is marked as accessed when it is loaded, so a memory write is required to set the bit in the descriptor.
At a minimum, therefore, a segment register load has an overhead of two memory read cycles and one memory write cycle in addition to any memory cycles required to fetch the operand of the load instruction. Because of this and the protection checking that the 80386 does based on the type of segment, size of descriptor table, and privilege level, loading a segment register takes between 18 and 19 clocks as opposed to the 2 to 5 clocks that it takes to load a general-purpose register.
Another advantage of segmentation is the limit checking that the 80386 performs. If a data object such as an array is placed in its own segment, the CPU monitors all references to the object and triggers an interrupt if any instruction refers to a point beyond the bounds of the object. Limit checking is an excellent tool for helping programmers discover flaws in their programs. Unfortunately, using this tool means having many data segments. Having many data segments implies many segment register load operations, which slow down the program. You must also deal with 48-bit pointers: 16 bits of selector and 32 bits of offset.


The 80386 does not provide many instructions for handling these irregularly sized items, nor do many programming languages. Consequently, they are awkward to manipulate and they cause more work for the programmer.
Finally, you must deal with the problem of fragmentation. Because segments come in odd sizes, the operating system must work harder to arrange physical memory space in which to load applications.

Summary
As you have seen, segmentation is a mixed blessing. On one hand, it provides a method for implementing virtual memory, it provides a mechanism for implementing a secure operating system via privilege levels, and the segment limits assist programmers in tracking bugs that arise from invalid pointers or array boundary errors. On the other hand, segmentation gives rise to unwieldy 48-bit pointers, extracts a performance penalty, and can cause fragmentation when used to implement virtual

The flexibility of the 80386 offers system designers three choices. You can ignore segmentation completely by creating only one code segment and one data segment that encompass the entire address space. Another alternative is to use a limited form of segmentation where only two segments, code and data, exist for every user or task on the system. In this instance, the application sees a uniform address space, and only the operating system needs to deal with segments. Or you can implement a fully segmented system in which each large data object and each module of code is in a separate segment.
Each implementation has advantages. The first method gives you an architecture similar to the M68000 or VAX. Although it might seem that you lose the capability to implement virtual memory with this method, you can implement a form of virtual memory other than the one described here by using paging, which is discussed in Chapter 6. A system of this design, however, loses the privilege-level protection features provided by segmentation.
The second method strikes a balance between the other two. Protection is provided on a task-by-task basis, and virtual memory can be implemented through segmentation, paging, or both.
The third method is the most similar to that provided by OS/2 on the 80286 and to programming in the large memory model. This type of system can provide a very secure environment, but the system will run somewhat slower.
One beauty of the 80386 is that it supports these divergent environments and allows designers to build systems that meet their needs, from high security to high

THE 80386 INSTRUCTION SET

The 80386 is a classic stored program, or von Neumann, processor; that is, the memory attached to the CPU stores not only data to be operated on but the instructions that specify the operations. The term von Neumann is used in honor of the mathematician John von Neumann, who wrote a series of papers in the mid-1940s outlining the design of stored program computers. Almost all commercially available computers are designed after the von Neumann model, and the 80386 is no

Built into every stored program computer is a set of commands that cause the CPU to read from a location in memory, interpret the contents as an instruction (that is, as a command to perform some function), execute the function, and start the cycle over again. Because this sequence is often implemented in microcode, it is commonly referred to as the microcycle.
In one of the earliest stored program computers, the EDVAC, each machine instruction was broken down into five fields: A bit pattern in one field designated the operation to be performed, two fields designated input operands, one field specified where the result was to be stored, and the final field specified the location of the next instruction. Computer designers soon learned that if they placed one instruction after another they could eliminate the field that specified the address of the next instruction. A register called the program counter or instruction pointer was used to point to the next instruction and was incremented to point to the next one as soon as each instruction was fetched.


This method has never been modified, and the 80386 microcycle can be expressed algorithmically like this:

top:
    fetch the instruction at EIP
    increment EIP by the size (in bytes) of the instruction
    execute the instruction
    goto top
This is, of course, a simple view of the microcycle. In actuality, it is much more complex because of the parallelism built into the 80386 (see Chapter 1) and because of the necessity of saving the state of the processor if an instruction faults and has to be restarted. However, the basic algorithm is all that is necessary to understand the

Instruction Format
Instructions are stored in memory in the same way that characters, floating-point numbers, integers, or any other type of data is stored in memory. The value 0F5H, for example, is the encoding for the CMC (complement carry flag) instruction. An 80386 instruction can range from 1 byte to 16 bytes.
In general, the format of an 80386 instruction looks like this:

The opcode is 1 or 2 bytes. The mod r/m and s-i-b bytes specify the operands and memory addressing modes. The displ (displacement) field is part of the memory address and can be 1, 2, or 4 bytes. The data field specifies an immediate operand value and can also be 1, 2, or 4 bytes.
Not all fields are present in all instructions. The CMC instruction, as shown previously, consists of only a single opcode byte. The instruction:
XCHG EAX, EBX
consists of only the opcode and mod r/m fields. All fields are present in the

A D DI E S P + S ] [ E S I *147] ,
Appendix D specifies the bit patterns used to encode instructions, and Appendix E contains a table that lets you decode bit patterns into the original assembly language

Instruction Operands
The instructions stored in memory command the CPU to manipulate one or more operands. The 80386 instruction operands can be specified in one of five ways: They can be implicit, register, immediate, I/O, or memory reference operands.

Implicit operands
An operand is implicit if the instruction itself specifies it. The CLI instruction, for example, operates on the IF bit in the EFLAGS register. The programmer doesn't have to specify anything beyond the instruction. The stack is an implicit operand in a number of instructions, for example, PUSH, POP, CALL, and IRET. However, because the stack resides in memory, I will discuss stack operands in the section on memory reference operands. The following instructions have implicit operands.

        Adjust register AL after ASCII add
CMC     Complement the value of the carry flag
CLD     Clear direction flag to 0

Register operands
An instruction with a register operand performs an action on the value that is stored in one of the 80386 internal registers (shown in Figure 4-1 on the following page). Specify register operands by using the name of the register in the operand field of the instruction. Note that not all registers are legal operands for all instructions. The general registers (EAX, CL, and so on) are most commonly used in data manipulation instructions. You cannot, for example, increment the contents of a segment register or use a control or debug register to store a memory address.
The following examples illustrate typical instructions using register operands.

INC ESI          Add 1 to contents of ESI
SUB ECX, ECX     Subtract ECX from itself, leaving 0
MOV AL, DL       Copy contents of DL into AL
MOV EAX, CR0     Copy CR0 contents into EAX
CALL EDI         Invoke subroutine whose address is in EDI


Figure 4-1. 80386 register set.

Immediate operands
An immediate operand is specified when a value is part of the instruction itself. Consider the instruction ADD EAX, 3. In addition to the register operand EAX, the numeric value 3 is coded in the instruction and is stored in the code segment with the bit pattern that represents ADD. Other examples of instructions that use immediate operands include:

MOV EAX, 7       Store the value 7 in register EAX
AND CL, 0F0H     Mask off the low-order bits of CL
BT EDI, 3        Copy bit 3 of EDI to carry flag
JC 3C1H          Branch to offset 3C1H if CF is set

I/O operands
External devices that transfer data from the computer to another environment are called input/output (I/O) devices. The 80386 communicates with these devices in two ways. The device can access a portion of 80386 memory to read values from or write values to memory addresses. The device can also have its own address (or set of addresses). The 80386 supports 65,536 I/O device addresses, called ports. I/O communication is done in 8-bit or 16-bit quantities. The accumulator is always the source or the destination of the I/O instruction, and the I/O port is specified with an immediate operand or by the contents of the DX register. Examples of instructions that use I/O operands include:

IN AL, 04H       Input a byte from port 04H
OUT 1CH, AX      Output a word to port 1CH
IN AX, DX        Input a word from port specified by DX
IN EAX, DX       Input a doubleword from port DX

Memory reference operands

To operate on the contents of memory, you must specify the address of the data value you want to use. The 80386 provides a number of addressing modes. There is rarely a performance penalty on the 80386 for using a complex addressing mode, so use the addressing mode that is most appropriate to your program's needs.
When you specify a memory address, you specify the offset from the beginning of the appropriate segment. Address 0 is the first byte of the memory segment, address 1 is the second byte, and so on, regardless of the segment's physical starting address. Chapter 3 contains a detailed description of how segmentation is used to generate memory addresses on the 80386.
By default, the segment used in most instructions is the one pointed to by the DS register. Forcing an instruction to operate on values in other segments is possible, however, by programming a segment prefix opcode immediately before the instruction. Normally, the instruction MOV AL, [0] reads the first byte of the data segment into register AL. By applying a segment prefix, you can force the data to be fetched from another segment. The instructions:
SS:
MOV AL, [0]

load the AL register with the first byte of the stack segment. Although the segment prefix byte comes before the instruction in the code stream, the prefix is usually written as part of the memory operand for readability. The previous example is normally written:
MOV AL, SS:[0]

Direct addressing
The simplest form of memory reference is called direct addressing, where the instruction itself includes the location of the operand. The location is specified as a 16-bit or 32-bit offset in the current segment. This offset is also known as the displacement. The table on the following page shows three examples of direct addressing. The brackets differentiate data values (no brackets) and memory ad-
INC DWORD PTR [17H]       Add 1 to the 32-bit value at offset 17
MOV AL, [1A33D4H]         Copy the memory byte to register AL
SHL BYTE PTR [1F7H], 3    Shift the memory byte left 3 bits

In the examples in this chapter, I generally use numeric memory addresses to illustrate where the address values are used in an instruction. You may never need to use numeric memory addresses. Your programming environment will provide assemblers and compilers that name locations in memory, and you will use these names in your program. This technique is called symbolic addressing.
Symbolic addressing has a number of advantages over absolute numeric addressing. You are much less likely to make a mistake if you can refer to a variable by a mnemonic name, such as queue_top, rather than a number such as 32081A3H. Also, if you use symbolic names, the assembler keeps track of the type of the data item. For example, the opcode for the increment instruction is INC, but the same opcode can apply to 8-bit, 16-bit, or 32-bit operands. If you define a symbolic variable, the correct instruction encoding is chosen for you. Without symbolic addressing, you must specify both the size and the location of the operand. For example, notice the difference between these two operations:
INC DWORD PTR [15F2H]    ; 32-bit operand

COUNT DD ?               ; Allocate 32 bits with name COUNT
INC COUNT                ; Increment variable
Here are some additional examples of instructions that use symbolic addressing.

COUNT DD 10              Reserve 32-bit value, initial value 10
FLAG DW ?                Reserve a single word
NAME DB 20 DUP(?)        Reserve 20 consecutive bytes
DEC COUNT                Subtract 1 from the value at COUNT
MOV AL, NAME             Copy first byte of NAME
MOV AL, NAME[1]          Copy second byte of NAME to AL
OR FLAG, 1000H           Set one bit in the specified word

Based addressing
In based addressing, a register holds the address of an operand. The register containing the memory address is called the base register, and you can use any of the seven general registers as a base register. When you use ESP or EBP as a base register, the address is assumed to be an offset from the stack segment (SS) rather than from the data segment (DS). You specify based addressing by placing the register name in brackets, as the following examples illustrate.


MOV  AL, [ECX]          ; Copy byte of memory at ECX into
DEC  WORD PTR [ESI]     ; Decrement 16-bit word at ESI
XCHG EBX, [EBX]         ; Swap contents of EBX with dword at EBX
CALL [EAX]              ; EAX holds pointer to
                        ; address of subroutine

Base plus displacement addressing

Base plus displacement addressing is a variant of based addressing that uses a base
register to specify a nearby location. An integer offset then modifies the base
address to form the final destination. Base plus displacement addressing is commonly
used in addressing components of data structures and in stack-relative addressing.
For example, if ESI points to a record of type point, where point is a structure
whose first element is the x coordinate and whose second element is the y coordinate,
then you could use the instruction MOV EAX, [ESI+4] to fetch the y coordinate.

Similarly, because the frame pointer EBP commonly points to the current stack
frame, any values pushed onto the stack can be addressed by an offset from EBP.
Offsets can be positive or negative and are interpreted as signed, 32-bit integers.
The assembler provides a construct called a struc that makes keeping track of offsets
within data structures simple. Here is the above "Point" data type example
redone symbolically:
POINT   struc                           ; Define record layout
X       DD      ?
Y       DD      ?
POINT   ends

CORNER  POINT   <>

        LEA     ESI, CORNER             ; Get address of variable
        MOV     EAX, [ESI].X            ; Fetch the x component
        INC     [ESI].Y                 ; Increment the y component

Index plus displacement addressing

Indexing is implemented by using the contents of a register as a component of an
address. Any of the seven general registers (except ESP) is a legal index register.
Index plus displacement addressing is most useful in dealing with arrays. A direct
address points to the starting address of the array, and the index specifies the
element of the array. Here are three examples of index plus displacement addressing:
        MOV     AL, 7ACH[ESI]           ; Get byte of array based at 7ACH/index
        IMUL    VECTOR[ECX]             ; Multiply EAX by element indexed by ECX
        SUB     ARRAY[EAX], 2           ; Subtract 2 from element of array
It might appear that index plus displacement is the same as base plus displacement.
However, indexing offers an interesting capability that based addressing cannot


The C language code fragment in the following example computes the sum of the
squares of an array.
        int v[V_MAX];
        register int i;

        sum = 0;
        for (i = 0; i < V_MAX; i++)
            sum += v[i] * v[i];
Assuming that the size of an integer is 32 bits, two separate values are required to
progress through the array: the index variable i and the offset in memory of v[i].
For example, when i is 3, the address of v[3] is the address of v plus 12 (4 x 3)
bytes. Every time i is used as an index into the array, it must be multiplied by the
size of the array element. The assembly code to execute the above loop might look
like this:
        XOR     ECX, ECX                ; Clear ECX (counter) to 0
        MOV     SUM, ECX                ; Copy 0 to SUM
L1:     CMP     ECX, V_MAX              ; Is counter >= V_MAX?
        JGE     DONE                    ; Yes - done
        MOV     EAX, ECX                ; Copy the index
        SHL     EAX, 2                  ; Multiply by the element size (4)
        MOV     EAX, V[EAX]             ; Fetch the array element
        IMUL    EAX                     ; Square it
        ADD     SUM, EAX                ; Compute the sum
        INC     ECX
        JMP     L1                      ; Loop back to the top
DONE:
The highlighted code shows the conversion from array index to memory offset and
the addressing of the selected item.
The 80386 provides a special optimization for arrays whose elements are 1, 2, 4, or 8
bytes. The 80386 adjusts the index to produce a memory offset. This adjustment is
called scaling and is indicated in assembly language by placing a multiply operation
in the brackets that enclose the index register. The above example becomes:
        XOR     ECX, ECX                ; Clear ECX (counter) to 0
        MOV     SUM, ECX                ; Copy 0 to SUM
L1:     CMP     ECX, V_MAX              ; Is counter >= V_MAX?
        JGE     DONE
        MOV     EAX, V[ECX*4]           ; Fetch the array element
        IMUL    EAX                     ; Square the array element
        ADD     SUM, EAX
        INC     ECX                     ; Bump the counter
        JMP     L1                      ; Loop back to the top
DONE:


The second version of the program does not require the index value to be copied
and multiplied, so the program runs faster. Also, the instruction:
        MOV     EAX, V[ECX*4]
takes no longer to execute than the instruction:
        MOV     EAX, V[EAX]
When EBP is used as a scaled index register, it does not force the memory reference
relative to the stack segment as it does when used as a base register. When an
instruction specifies both a base register and an index register and one of them is
EBP, EBP is assumed to be the base register unless a scale factor is present. If a
scale factor exists, it is assumed to be the index register. The following list shows
four examples:

        ADD     [ECX][EBP], 7                   EBP is base, SS segment used
        MOV     AX, ARRAY[EBP]                  EBP is base, SS segment used
        MOV     EAX, [ECX][EBP*4]               ECX is base, DS segment used
        INC     BYTE PTR [ECX*8][EBP].X         EBP is base, SS segment used

Unlike the 8086 and the 8088, which require anywhere from 5 to 17 clocks to compute
the operand address (depending on the complexity of the operands), the 80386
requires no additional time to compute the effective address unless both a base
register and an index register are used to select the operand. When both registers
select the operand, execution time increases by only one clock cycle.
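
The base/index rule and the four operands listed above can be checked mechanically. The following C model is an added example, not code from the book: it resolves which bracketed register is the base and which is the index, picks the default segment, and computes the effective address. The type and function names, the sample register values, and the choice of the first register as base when neither register is scaled or EBP are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* General registers in 80386 encoding order; NO_REG marks an absent term. */
enum reg { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NO_REG };
enum seg { SEG_DS, SEG_SS };

/* A register as written inside brackets; scale 0 means no "*n" was written. */
struct term { enum reg r; unsigned scale; };

struct resolved {
    enum reg base, index;   /* NO_REG when absent */
    unsigned scale;         /* multiplier applied to the index register */
    enum seg seg;           /* default segment, before any override prefix */
};

/* Decide which bracketed register is the base and which is the index.
 * Returns 0 on success, -1 for a combination the 80386 cannot encode. */
int resolve(struct term a, struct term b, struct resolved *out)
{
    struct term base = { NO_REG, 0 }, idx = { NO_REG, 0 };

    if (a.r == NO_REG) { a = b; b.r = NO_REG; b.scale = 0; }
    if (a.scale && b.scale) return -1;              /* only one scaled index */

    if (b.r == NO_REG) {                            /* zero or one register */
        if (a.scale) idx = a; else base = a;
    } else if (a.scale) { idx = a; base = b; }      /* the scaled one is the index */
    else if (b.scale)   { idx = b; base = a; }
    else {
        /* Neither is scaled: EBP is the base if present; otherwise this model
         * takes the first register written as the base (an assumption). */
        if (b.r == EBP && a.r != EBP) { base = b; idx = a; }
        else                          { base = a; idx = b; }
        if (idx.r == ESP) { struct term t = base; base = idx; idx = t; }
    }
    if (idx.r == ESP) return -1;                    /* ESP is never an index */
    if (idx.scale > 8 || (idx.scale & (idx.scale - 1)) != 0) return -1;

    out->base  = base.r;
    out->index = idx.r;
    out->scale = idx.scale ? idx.scale : 1;
    out->seg   = (base.r == EBP || base.r == ESP) ? SEG_SS : SEG_DS;
    return 0;
}

/* Effective address = base + index*scale + displacement, modulo 2^32. */
uint32_t effective_address(const uint32_t regs[8], const struct resolved *m,
                           int32_t disp)
{
    uint32_t ea = (uint32_t)disp;
    if (m->base  != NO_REG) ea += regs[m->base];
    if (m->index != NO_REG) ea += regs[m->index] * m->scale;
    return ea;
}

/* Constructed register values for the demonstration (not from the book). */
static const uint32_t SAMPLE_REGS[8] = {
    [EAX] = 2, [ECX] = 3, [EDX] = 0, [EBX] = 0x3000,
    [ESP] = 0xFFF0, [EBP] = 0x1000, [ESI] = 0x20, [EDI] = 0
};

/* Default segment for [r1*s1][r2*s2], or -1 if it cannot be encoded. */
int default_segment(enum reg r1, unsigned s1, enum reg r2, unsigned s2)
{
    struct term a = { r1, s1 }, b = { r2, s2 };
    struct resolved m;
    return resolve(a, b, &m) == 0 ? (int)m.seg : -1;
}

/* Offset of disp[r1*s1][r2*s2] with SAMPLE_REGS loaded; 0 if unencodable. */
uint32_t sample_address(int32_t disp, enum reg r1, unsigned s1,
                        enum reg r2, unsigned s2)
{
    struct term a = { r1, s1 }, b = { r2, s2 };
    struct resolved m;
    if (resolve(a, b, &m) != 0) return 0;
    return effective_address(SAMPLE_REGS, &m, disp);
}

int main(void)
{
    /* The four operands from the list above, in order. */
    printf("[ECX][EBP]      -> %s\n", default_segment(ECX, 0, EBP, 0) ? "SS" : "DS");
    printf("ARRAY[EBP]      -> %s\n", default_segment(EBP, 0, NO_REG, 0) ? "SS" : "DS");
    printf("[ECX][EBP*4]    -> %s\n", default_segment(ECX, 0, EBP, 4) ? "SS" : "DS");
    printf("[ECX*8][EBP].X  -> %s\n", default_segment(ECX, 8, EBP, 0) ? "SS" : "DS");
    /* V[ECX*4] with V at offset 2000H and ECX = 3: V plus 12 bytes. */
    printf("V[ECX*4]        -> %lXH\n",
           (unsigned long)sample_address(0x2000, ECX, 4, NO_REG, 0));
    return 0;
}
```

Because the default segment follows from the role a register plays rather than from the register itself, a reviewer reading a disassembly has to resolve base and index first before deciding whether an access goes to the stack segment or the data segment.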

Base plus displacement plus index addressing

Base plus displacement plus index addressing is the most complex 80386 addressing
mode. This addressing form is used to address data structures stored on the stack or
to address arrays whose base address is contained in a register. When addressing
these arrays, the displacement value is 0 and the programmer need not specify it,
although the assembler encodes a 0 displacement into the instruction. The index
register can contain a scale value as it does in index plus displacement addressing
mode. Following are examples of base plus displacement plus index addressing:

        MOV     EAX, [EBP+8][ESI]               Array is on stack beginning at EBP + 8
        INC     WORD PTR [EBX+EAX*2]            16-bit vector based at EBX, with index
        MOV     EDX, PT[EAX*8][ESI].Y           Array of "point" data structures

The final example above appears to contain two displacement values: the initial
displacement that specifies the start of the array, and the displacement of structure
element Y in the indexed array element. The assembler simply offers these values
for clarity. In the machine instruction, the displacement field contains the sum of
the two values, as calculated by the assembler.


Stack based addressing


A stack is a data structure in which the value most recently stored is the first value
retrieved. The acronym LIFO (last in, first out) describes the action of a stack and
contrasts with the FIFO (first in, first out) structure. Figure 4-2 illustrates the LIFO
and FIFO structures.

Figure 4-2. LIFO, FIFO. (Surviving panel label: Queue - first in, first out.)

The 80386 instructions implicitly refer to a stack. The 80386 hardware assumes that
all memory in the stack segment (that is, the segment pointed to by the SS register)
belongs to the stack, but this is not always true. Often, DS and SS point to the same
segment; part of the segment contains program data, and part is reserved for the
stack. In this situation, the programmer may need to write code to check for stack
overflow, which occurs if too many items are pushed onto the stack and it runs over

When a value is stored on the stack, or pushed, the ESP register is tested to see if it
is greater than or equal to 4. If it is not, a stack fault (interrupt 12) is generated;
otherwise, ESP is decremented by 4, and the operand is stored at SS:[ESP]. The most
recently pushed value, to which register ESP always points, is called the top of stack.
The POP operation retrieves the most recently pushed value from the stack. First,
ESP is compared with the limit of the stack segment. If the memory reference is
outside the limit, a stack fault is generated; otherwise, the value at SS:[ESP] is read,
and ESP is incremented by 4.
The PUSH and POP instructions cause immediate values, register values, or the
contents of a memory location to be stored to and retrieved from the stack. Also, some
instructions that cause a transfer of control (change the EIP register) push the old
execution address onto the stack. This allows the subroutine to return to the
previous point of execution.
The most commonly used instruction that changes the EIP register is CALL. The
CALL instruction has one operand, the address of a routine to be executed. The
value of EIP (which points to the instruction immediately following the CALL) is
pushed onto the stack, and EIP is set to the address specified by the CALL operand.
The RET (or "return") instruction pops the current top of stack into the EIP register,
returning control to the instruction after the initial CALL.
A routine passes information to another routine by storing values on the stack
before executing a CALL instruction. The standard way this information is
structured is called the frame of the called routine or the call stack. Figure 4-3 illustrates
a subroutine call and shows how the stack frame is structured.

Figure 4-3. Use of the 80386 stack. (Panels: PUSH; CALL subr; subr: ENTER 8; LEAVE; RET 4. Legend: stack frame for "subr"; local variable space in frame.)

Programs can push and pop 16-bit values by specifying registers AX, BX, SI, and so
on, or by specifying 16-bit memory references. It is more efficient, however, to push
the contents of the 32-bit register (for example, EAX for AX) and to disregard the
high-order bits. Use the MOVSX or MOVZX instructions to copy memory operands
to a register and extend them to 32 bits before they are pushed onto the stack. The
reason for doing this relates to how the 80386 interfaces with memory. If the physical
memory address is a multiple of 4, that is, if the address is on a dword boundary,
then a single memory reference cycle can fetch as many as 4 bytes. If the physical
memory address is offset from the dword boundary, then at least two additional
clock cycles are required to read or to write a 32-bit value.
Therefore, after executing a 16-bit push, all subsequent 32-bit stack references
degrade in performance by at least 30 percent. The 80386 generates 32-bit references
when the 16-bit segment registers (CS, SS, DS, ES, FS, and GS) are pushed or
popped, so performance degradation is not an issue in this case.

Instruction Categories
The operations that 80386 instructions perform vary widely, reflecting both the
wide range of the machine's capabilities and its compatibility with previous
processors. In this section, I divide the instruction set into a number of related
categories and identify the most important instructions of each category.

Arithmetic
Arithmetic instructions perform signed and unsigned integer operations on
operands of 8, 16, and 32 bits. With few exceptions, these instructions have the

        OPCODE  dest, src
Generally, arithmetic instructions operate on source and destination operands and
store the result in the location specified by the destination operand. The destination
operand can be a memory reference or a register, and the source operand can be
memory, a register, or an immediate data value. Both the source and the destination
operands cannot be memory references, however. The instructions that fit this format

        ADD
        ADC
        SUB
        SBB
        CMP


These instructions affect the CF, OF, PF, SF, and ZF bits of the EFLAGS register
depending on the results of the operation.

In addition to the double operand (or dyadic) instructions, there are single-operand
(or monadic) instructions:

        INC
        DEC

Each of these instructions takes a single operand, either a register or a memory
reference. These instructions also affect the same EFLAG bits, except that they do not
modify the carry flag (CF).
Finally, there are the irregular arithmetic instructions:

        DIV
        IDIV
        MUL
        IMUL            Signed multiply

The DIV, IDIV, and MUL instructions take a single source operand. The destination
operand is implicitly the accumulator and depends on the size of the operands.
Destination operands are defined as follows:

        16 bits         AX
        32 bits         EAX
        64 bits         EDX, EAX

Because of its usefulness in computing array and structure element offsets, the
IMUL instruction has three different forms:

        IMUL    src

The DIV, IDIV, and MUL instructions leave the status flags in undefined states. The
IMUL instruction modifies CF and OF, leaving SF, ZF, AF, and PF undefined.


Decimal arithmetic
Six instructions help implement decimal math routines. The standard integer
instructions perform computations, and the following instructions adjust the result
because the operands are not integers but BCD encodings. The following
instructions have either the AL or the AX accumulator as an implicit operand:

        AAA             ASCII adjust after addition
        AAD             ASCII adjust before division
        AAM             ASCII adjust after multiply
        AAS             ASCII adjust after subtraction
        DAA             Decimal adjust after addition
        DAS             Decimal adjust after subtraction

Logical
The following instructions are called logical because they make no semantic
assumptions about their operands; that is, they do not regard the operands as
integers, BCD digits, character strings, and so on. The instructions are strictly
Boolean, or bit-by-bit, operations. First is a set of dyadic functions similar to the
arithmetic instructions:

        Instruction     Explanation
        AND
        OR
        XOR             Exclusive OR
        TEST            Performs an AND but modifies only the EFLAGS register

A single monadic instruction, NOT, performs a logical complement of the operand.

With the exception of NOT, the logical instructions modify each of the OF, SF, ZF,
PF, and CF flags according to the outcome of the operation. The AF flag is left

A series of instructions operates on bit strings. These instructions have the form:
        OPCODE  dest, index
where dest selects a bit string, either in memory or in a register, and index identifies
the particular bit in the bit string that is the subject of the operation. The index
value is either contained in a register or specified as an immediate value. If dest is a
memory location, index is treated as a signed integer and can take on any value
from -2G through +2G. Instructions that operate on bit strings are BT, BTC, BTR,
and BTS.


        Instruction     Explanation
        BT              Bit test (save the value of the selected bit in CF)
        BTC             Bit test and complement (save bit, then complement dest bit)
        BTR             Bit test and reset (save bit, then clear dest bit to 0)
        BTS             Bit test and set (save bit, then set dest bit to 1)

Figure 4-4 shows bit indexing in these instructions.

Figure 4-4. Bit indexing in BT instructions.

Two instructions search bit strings. These instructions have the form:

        BSx     dest, src

where src indicates the location of a bit string. The dest operand must be a register
that receives the index of the first nonzero bit. The dest operand can be only a
16-bit or 32-bit register and indicates whether the src operand is a 16-bit or 32-bit
quantity. Figure 4-5 shows how these instructions work.

Figure 4-5. Bit scanning. (Panels: BSF, bit scan forward; BSR, bit scan reverse.)

The final logical instructions are shift and rotate instructions. Figure 4-6
illustrates what shift and rotate instructions do.

Figure 4-6. Shift and rotate instructions.

Most of these instructions have the form:

        OPCODE  dest, COUNT
The destination is either a memory reference or a register. The COUNT is either an
immediate value or the CL register. The following instructions fit this format:

        Instruction     Explanation
        SHL             Shift left logical
        SHR             Shift right logical
        SAL
        SAR
        ROL
        ROR
        RCL             Rotate through carry left
        RCR             Rotate through carry right

The following double shift instructions are also provided:

        SHLD    dest, src, COUNT        Shift left double
        SHRD    dest, src, COUNT        Shift right double

In the above instructions, the source and the destination are concatenated and
shifted, and the result is truncated and stored in the destination operand. Figure 4-7
illustrates double shift instructions.


Figure 4-7. Double shifts.

Data transfer
Probably the most frequently used instructions are in the data transfer category. To
the assembly programmer, a single instruction appears to do almost all the work.
Actually, the MOV mnemonic is encoded into one of several opcodes, depending
on the operands involved. The general form of the MOV instruction is:
        MOV     dest, src
Either the dest or the src operand can be a memory reference, but not both. Both
operands can be registers, and the src operand can be an immediate value for most
choices of dest. This instruction is not restricted to operating on the general
registers. The MOV instruction is the only instruction you can use to read or modify the
control registers (CR0-CR3) and the debug and test registers (DR0-DR7, TR6-TR7).
You can also use the MOV instruction to load and store the segment registers DS, SS,
ES, FS, and GS.
Not all possible combinations of src and dest are legal 80386 instructions. The
restrictions are covered in Chapter 8.
Here are four additional data transfer instructions:

        XCHG    dest, src       Exchange the contents of the two operands
        MOVSX   dest, src       Move src into dest, sign-extending src
        MOVZX   dest, src       Move src into dest, zero-extending src
        SETcc   dest            Set dest to 0 or 1 depending on condition codes

The XCHG instruction takes two operands and swaps their contents. One operand
must be a register; the other can be a register or a memory reference. Because this
instruction is frequently used to implement semaphores, the hardware bus LOCK
signal is asserted whenever one of the operands is a memory reference.
The MOVSX and MOVZX instructions are similar to MOV, but they take an src
operand of a single byte and either sign-extend it (MOVSX) or zero-extend it
(MOVZX) into a 16-bit or 32-bit integer at the dest location.


SETcc instructions move a 0 or a 1 into the destination, depending on the value of
the condition codes in the EFLAGS register. The conditions supported are:

        Instruction     Explanation
        SETA    dest    Set to 1 if above (unsigned x > y) / CF = 0 & ZF = 0
        SETAE   dest    Set to 1 if above or equal / CF = 0
        SETB    dest    Set to 1 if below (unsigned x < y) / CF = 1
        SETBE   dest    Set to 1 if below or equal / CF = 1 | ZF = 1
        SETC    dest    Set to 1 if carry / CF = 1
        SETE    dest    Set to 1 if equal / ZF = 1
        SETG    dest    Set to 1 if greater (signed x > y) / SF = OF & ZF = 0
        SETGE   dest    Set to 1 if greater or equal / SF = OF
        SETL    dest    Set to 1 if less (signed x < y) / SF != OF
        SETLE   dest    Set to 1 if less or equal / SF != OF and ZF = 1
        SETNA   dest    Set to 1 if not above (SETBE)
        SETNAE  dest    Set to 1 if not above or equal (SETB)
        SETNB   dest    Set to 1 if not below (SETAE)
        SETNBE  dest    Set to 1 if not below or equal (SETA)
        SETNC   dest    Set to 1 if no carry / CF = 0
        SETNE   dest    Set to 1 if not equal / ZF = 0
        SETNG   dest    Set to 1 if not greater (SETLE)
        SETNGE  dest    Set to 1 if not greater or equal (SETL)
        SETNL   dest    Set to 1 if not less (SETGE)
        SETNLE  dest    Set to 1 if not less or equal / SF = OF & ZF = 0
        SETNO   dest    Set to 1 if no overflow / OF = 0
        SETNP   dest    Set to 1 if no parity / PF = 0
        SETNS   dest    Set to 1 if no sign / SF = 0
        SETNZ   dest    Set to 1 if not 0 / ZF = 0
        SETO    dest    Set to 1 if overflow / OF = 1
        SETP    dest    Set to 1 if parity / PF = 1
        SETPE   dest    Set to 1 if parity even / PF = 1
        SETPO   dest    Set to 1 if parity odd / PF = 0
        SETS    dest    Set to 1 if sign / SF = 1
        SETZ    dest    Set to 1 if 0 / ZF = 1

Stack
The stack instructions store and retrieve data from the stack. The PUSH instruction
writes its operand to the stack, and the POP instruction removes the top-of-stack
element and stores it in the location specified by its operand.
The PUSHAD and POPAD instructions require no operands and save or restore all
the general registers to the stack. Figure 4-8 shows the stack after a PUSHAD has
been executed. Although PUSHAD stores the value of the ESP register, POPAD does
not reload ESP from the saved image. The new ESP value is always the old ESP value
plus the number of bytes required to store the general register context.


Figure 4-8. PUSHAD context.

Control transfer
Control transfer instructions affect the flow of execution. Normally, an instruction is
fetched from the address held in the EIP register, and then EIP is incremented by
the size of the instruction so that it points to the next instruction. The next opcode
is fetched, and the cycle continues.
The 80386 supports branch instructions, which alter EIP, and subroutine call
instructions, which save the old EIP and then modify it. The software interrupt
instruction is similar to the subroutine call except that an interrupt number is
specified for EIP rather than a new value. The address of the destination routine is
then determined by a gate in the IDT. Figure 4-9 shows how JMP and CALL
instructions affect the flow of execution.


Branch instructions exist in both conditional and unconditional forms.
Unconditional jumps occur immediately when the appropriate instruction is encountered.
All calls and software interrupts are unconditional.

Conditional branches test certain bits in the EFLAGS register to determine whether
to branch or not. These bits are usually set as the result of a compare instruction
(CMP) or as the result of an arithmetic or a logical operation. These branches are to
relative addresses; the offset is a displacement from the current EIP. The following
list shows the conditions that can be tested for and the mnemonic for each.

        JA      offset  Jump above (unsigned x > y) / CF = 0 & ZF = 0
        JAE     offset  Jump above or equal / CF = 0
        JB      offset  Jump below (unsigned x < y) / CF = 1
        JBE     offset  Jump below or equal / CF = 1 | ZF = 1
        JC      offset  Jump if carry / CF = 1
        JCXZ    offset  Jump if CX = 0
        JECXZ   offset  Jump if ECX = 0
        JE      offset
        JG      offset  Jump greater (signed x > y) / SF = OF & ZF = 0
        JGE     offset  Jump greater or equal / SF = OF
        JL      offset  Jump less (signed x < y) / SF != OF & ZF = 0
        JLE     offset  Jump less or equal / SF != OF
        JNA     offset  Jump not above (JBE)
        JNAE    offset  Jump not above or equal (JB)
        JNB     offset  Jump not below (JAE)
        JNBE    offset  Jump not below or equal (JA)
        JNC     offset  Jump no carry / CF = 0
        JNE     offset  Jump not equal / ZF = 0
        JNG     offset  Jump not greater / SF != OF & ZF = 1
        JNGE    offset  Jump not greater or equal (JL)
        JNL     offset  Jump not less (JGE)
        JNLE    offset  Jump not less or equal (JG)
        JNO     offset  Jump no overflow / OF = 0
        JNP     offset  Jump no parity / PF = 0
        JNS     offset  Jump no sign / SF = 0
        JNZ     offset
        JO      offset  Jump if overflow / OF = 1
        JP      offset  Jump if parity / PF = 1
        JPE     offset  Jump parity even / PF = 1
        JPO     offset  Jump parity odd / PF = 0
        JS      offset  Jump if sign / SF = 1
        JZ      offset  Jump if 0 / ZF = 1
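
The SETcc list earlier in this chapter and the conditional jump list above test the same flag combinations. The following C model is an added example, not code from the book: it computes the flags that CMP leaves for two 32-bit operands and evaluates the unsigned (above/below) and signed (greater/less) conditions, which shows why a length check written with JL accepts a value that the same check written with JB rejects. The function names and the sample values are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

struct flags { int cf, zf, sf, of; };

/* Flags as CMP x, y leaves them: x - y is computed and the result discarded. */
struct flags cmp32(uint32_t x, uint32_t y)
{
    uint32_t r = x - y;
    struct flags f;
    f.cf = x < y;                                  /* borrow: unsigned x < y */
    f.zf = (r == 0);
    f.sf = (int)(r >> 31);                         /* sign bit of the result */
    f.of = (int)(((x ^ y) & (x ^ r)) >> 31);       /* signed overflow */
    return f;
}

enum cond { CC_A, CC_AE, CC_B, CC_BE, CC_E, CC_NE, CC_G, CC_GE, CC_L };

/* Value SETcc would store, which is also whether the matching Jcc branches. */
int condition(enum cond c, struct flags f)
{
    switch (c) {
    case CC_A:  return !f.cf && !f.zf;
    case CC_AE: return !f.cf;
    case CC_B:  return f.cf;
    case CC_BE: return f.cf || f.zf;
    case CC_E:  return f.zf;
    case CC_NE: return !f.zf;
    case CC_G:  return f.sf == f.of && !f.zf;
    case CC_GE: return f.sf == f.of;
    case CC_L:  return f.sf != f.of;
    }
    return 0;
}

/* CMP x, y followed by SETcc: 1 if the condition holds, else 0. */
int cmp_setcc(enum cond c, uint32_t x, uint32_t y)
{
    return condition(c, cmp32(x, y));
}

/* Bounds check "len < limit" written as a signed test (CMP, then JL). */
int accepts_signed(uint32_t len, uint32_t limit)
{
    return cmp_setcc(CC_L, len, limit);
}

/* The same check written as an unsigned test (CMP, then JB). */
int accepts_unsigned(uint32_t len, uint32_t limit)
{
    return cmp_setcc(CC_B, len, limit);
}

int main(void)
{
    /* Constructed sample: a length of 0FFFFFFFFH checked against a limit of 64. */
    uint32_t len = 0xFFFFFFFFu, limit = 64;
    struct flags f = cmp32(len, limit);

    printf("CMP %lXH, %lu -> CF=%d ZF=%d SF=%d OF=%d\n",
           (unsigned long)len, (unsigned long)limit, f.cf, f.zf, f.sf, f.of);
    printf("signed check (JL) accepts:   %d\n", accepts_signed(len, limit));
    printf("unsigned check (JB) accepts: %d\n", accepts_unsigned(len, limit));
    return 0;
}
```

The bit pattern 0FFFFFFFFH is -1 when read as signed, so the signed form lets it through; sizes, counts, and offsets taken from outside the program should be compared with the above/below conditions.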

Three other conditional branch instructions are the loop instructions. Loop
instructions decrement the ECX register and branch if the conditions outlined in the
following

        LOOP    offset  Decrement, branch if ECX != 0
        LOOPZ   offset  Decrement, branch if ECX != 0 and ZF = 1
        LOOPNZ  offset  Decrement, branch if ECX != 0 and ZF = 0

LOOPE and LOOPNE are synonyms for LOOPZ and LOOPNZ.

String
String instructions handle large blocks of memory with ease. A string instruction
can move a block from one location in memory to another, compare one block with
another, or search a string for a specific value. String instructions use specific
registers for storing operands. DS and ESI always point to the source memory block. ES
and EDI point to the destination. These pointers are incremented (or decremented)
by the size of the operand (1, 2, or 4 bytes) every time the string instruction

The direction flag (DF) determines whether the source and the destination pointers
are incremented or decremented. When the direction flag is 0, the addresses are
incremented. When the flag is 1, addresses are decremented. The string instructions
provide the following capabilities:

        MOVS            Move string: copy string at DS:ESI to ES:EDI
        CMPS            Compare string: compare DS:ESI to ES:EDI
        STOS            Store the accumulator at ES:EDI
        LODS            Load the accumulator with DS:ESI
        SCAS            Scan string, compare DS:ESI with accumulator

You can execute any of these instructions repeatedly by placing a count value in the
ECX register and preceding the string instruction with the REP prefix. The compare
and scan instructions, which modify the flag bits, can also be prefixed by the REPE
(repeat while equal) and REPNE (repeat while not equal) instructions, allowing fast
compare and search operations.

Pointer manipulation
Pointer manipulation instructions load a 48-bit pointer into any pair of the segment
and general registers. The format of these instructions is:
        Lsr     reg, mem
where sr stands for the segment register (SS, DS, ES, FS, or GS), reg is any general
register, and mem is a memory operand.
The LEA (load effective address) instruction computes 32-bit addresses. LEA loads a
32-bit register with the address defined by the memory operand, which is unusual
because other instructions operate on the value stored at the memory operand
location. The following example shows how to use the LEA instruction to compute

VECTOR  DD      20 DUP (?)              ; Array of 20 elements
        MOV     EAX, 9                  ; Array index
        LEA     EAX, VECTOR[EAX*4]      ; Get pointer to 9th array element
        PUSH    EAX                     ; Push pointer on stack
        CALL    MYSUBR                  ; Invoke subroutine
Because the LEA instruction essentially performs only additions and shifts on the
values of the displacement and the base and index registers, it can perform simple
multiplications faster than the hardware multiply instructions can. For a value stored
in a general register (such as EAX in the sample operations), these operations can

        LEA     EAX, [EAX*2]            Multiply by 2 (index)
        LEA     EAX, [EAX+EAX*2]        Multiply by 3 (base + index)
        LEA     EAX, [EAX*4]            Multiply by 4 (index)
        LEA     EAX, [EAX+EAX*4]        Multiply by 5 (base + index)
        LEA     EAX, [EAX*8]            Multiply by 8 (index)
        LEA     EAX, [EAX+EAX*8]        Multiply by 9 (base + index)
Using the LEA instruction in this way does not affect the flags. You cannot tell when
arithmetic overflow has occurred, when the result is 0, and so on. Use LEA only to
compute addresses such as array or structure indexes where overflow is not likely
to occur. You can also view the LEA instruction as an addition instruction with four
operands instead of two. The content of the index register is added to the base
register and the displacement. By treating the displacement simply as a constant,
the following formula expresses the action of LEA:
        dest reg <- index reg + base reg + const
For example, the result of the LEA ECX, [EAX][ESI][3] instruction is equivalent to the
following operations:
        MOV     ECX, EAX
        ADD     ECX, ESI
        ADD     ECX, 3

Input/Output
Because I/O ports are usually connected to system devices, it is important to protect
against indiscriminate access to them. Secure system routines that run with I/O
privilege (CPL ≤ IOPL) may execute any I/O instruction. A less privileged task may
execute an I/O instruction; however, a general protection fault (interrupt 13) will
occur unless the operating system has granted the task permission to access the
specific port(s). The operating system grants permission by setting the appropriate
bits in the I/O permission bitmap of the task's TSS.


Both the input and output instructions have three forms. The simplest form is:
        IN      acc, port
        OUT     port, acc
where acc is one of the accumulator registers (AL, AX, or EAX) and port is a value
from 0 to 0FFH. These instructions can be used to address only the first 256 I/O
addresses, and the 80386 supports as many as 65,536 I/O ports. To access the entire
range, use the following form of the instructions:
        IN      acc, DX
        OUT     DX, acc
In the above instructions, the I/O address is contained in the DX register.
String instructions are the third type of I/O instructions. INS (input string) takes
input from the port specified by DX and stores the result at ES:EDI, adjusting EDI
according to the direction flag bit. OUTS (output string) reads the value at DS:ESI and
writes it to the port specified by DX. INS and OUTS can be prefixed by the REP
instruction, which causes the I/O instruction to repeat until ECX is decremented to 0.

Prefix
Prefix instructions precede other 80386 instructions. Prefixes modify the action of
the instructions they precede. You can apply more than one prefix to an instruction.
The most commonly used prefixes are the repeat prefixes, discussed previously
with the string instructions. If a repeat prefix is applied to any instruction other
than a string instruction, an undefined opcode fault (interrupt 6) occurs. The
following table lists the repeat prefix instructions.

        REP             Repeat until ECX = 0
        REPE / REPZ     Repeat until ECX = 0 or ZF = 0
        REPNE / REPNZ   Repeat until ECX = 0 or ZF = 1

You can apply a segment override prefix to almost any memory reference
instruction. Each of the six segment registers has a prefix instruction. The override forces
the memory reference of the modified instruction to the segment specified by the
prefix rather than to the default segment. The following table lists segment override

        CS:             Refer to the code segment
        SS:             Refer to the stack segment
        DS:             Refer to the data segment
        ES:             Refer to the segment pointed to by ES
        FS:             Refer to the segment pointed to by FS
        GS:             Refer to the segment pointed to by GS


For example, the instruction MOV EAX, [42H] copies the dword at offset 42H of the
data segment into EAX. When the instruction is prefixed with SS:, the dword is read
from the stack segment. Most assemblers let you specify the prefix before the
instruction or as part of the instruction. For example:
        SS:
        MOV     EAX, [42H]

        MOV     EAX, SS:[42H]
The only memory reference instructions that cannot be prefixed by a segment
override are SCAS, STOS, and INS. These are string instructions that operate on memory
at ES:[EDI]. When a prefix instruction is applied to any other string instruction, it
overrides the DS:[ESI] pointer only. The MOVS and CMPS string instructions have
both a source (ESI) and a destination (EDI) pointer and are allowed a single prefix
instruction that overrides the DS:[ESI] pointer.
You can apply the LOCK prefix to any of the following instructions when reading or
modifying a memory location:
        ADC, ADD, AND, BT, BTC, BTR, BTS, DEC, INC, NEG, NOT, OR,
        SBB, SUB, XCHG, XOR
The LOCK prefix asserts the hardware signal LOCK\, which ensures exclusive
access to a memory location in a multiprocessor environment.
The assembler usually inserts two additional prefix instructions, but Intel does not
give them mnemonics. I call them OPSIZ (operand size prefix) and ADRSIZ
(address size prefix).
OPSIZ toggles the operand word size of the processor for the next instruction.
Normally, the machine word size is 32 bits. Prefixing a 32-bit instruction with OPSIZ
converts it to a 16-bit instruction. Similarly, when code is run in 8086-compatible or
80286-compatible mode, the default machine word size is 16 bits; applying the
OPSIZ prefix converts a 16-bit instruction to a 32-bit instruction.
In real mode, virtual 8086 mode, and 80286-compatible mode, the byte 40H is
interpreted as INC AX, but in native (32-bit) mode, it is interpreted as INC EAX. To
increment the AX register in native mode, you must prefix the instruction byte with
the OPSIZ instruction. The assembler does all the work, however. If you enter the
instruction INC AX in a native mode code segment, the assembler generates the
bytes 66H and 40H. The following table illustrates the bytes that the assembler

Opcode Generation in Different Modes

        Native mode                     Real, virtual, and 80286-compatible mode
        INC AX  -> 66H, 40H             INC AX  -> 40H
        INC EAX -> 40H                  INC EAX -> 66H, 40H


Similarly, the ADRSIZ prefix toggles between 16-bit addressing and 32-bit
addressing. This prefix is useful for programmers writing 80386 code that will run under a
16-bit operating system. In 16-bit mode (real, virtual, or 80286-compatible), memory
offsets are limited to 16 bits, and more rules restrict which registers you can use as
base and index values in generating addresses. These restrictions are listed in
Appendix D. The ADRSIZ toggle lets you use the full addressing capabilities of the
80386.
If you use 32-bit addressing under a 16-bit operating system, be consistent about
register usage. For example, a programmer who wants to use the scaled index
feature of the 80386 in a program that runs under MS-DOS might code the following
instruction sequence:
        ; Increment each member of an array of 16-bit integers
        MOV     CX, count               ; Get size of array
L1:     INC     array-2[ECX*2]          ; Increment array element
        LOOP    L1                      ; Decrement index, branch if not 0
These instructions would probably not work because the scaled address feature
requires the full 32-bit ECX register and the programmer has loaded only the 16-bit CX
register. The value of the high-order 16 bits is unknown. The correct approach is:
        ; Increment each member of an array of 16-bit integers
        MOVZX   ECX, count              ; Get array size, zero-extend into ECX
L1:     INC     array-2[ECX*2]          ; Increment array element
        LOOP    L1                      ; Decrement index, branch if not 0
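
What "probably not work" means in practice can be counted. The following C model is an added example, not code from the book: it replays both loops above without touching memory and classifies every array-2[ECX*2] access as inside or outside the array. The function names, the stale value 00030000H standing in for the unknown high-order bits, and the iteration cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_STEPS (1u << 20)    /* simulation cap so a bad count cannot hang */

struct run { uint32_t iterations, in_bounds, out_of_bounds; };

/* MOV CX, v: replaces bits 0-15 of ECX and leaves bits 16-31 as they were. */
uint32_t mov_cx(uint32_t ecx, uint16_t v)
{
    return (ecx & 0xFFFF0000u) | v;
}

/* MOVZX ECX, v: bits 16-31 are cleared. */
uint32_t movzx_ecx(uint16_t v)
{
    return v;
}

/* Models   L1: INC array-2[ECX*2]
 *              LOOP L1
 * for an array of `count` 16-bit integers. No memory is written: each access
 * is only classified by its byte offset from the start of the array. */
struct run run_loop(uint32_t ecx, uint16_t count)
{
    struct run r = { 0, 0, 0 };
    do {
        uint32_t offset = ecx * 2u - 2u;          /* wraps modulo 2^32 */
        if (offset < (uint32_t)count * 2u) r.in_bounds++;
        else                               r.out_of_bounds++;
        r.iterations++;
        ecx--;                                    /* LOOP decrements ECX */
    } while (ecx != 0 && r.iterations < MAX_STEPS);
    return r;
}

/* First sequence: only CX is loaded, so ECX keeps its old high-order bits. */
struct run buggy(uint32_t stale_ecx, uint16_t count)
{
    return run_loop(mov_cx(stale_ecx, count), count);
}

/* Corrected sequence: the count is zero-extended into all of ECX. */
struct run fixed(uint16_t count)
{
    return run_loop(movzx_ecx(count), count);
}

int main(void)
{
    /* Constructed sample: 4 elements, ECX previously held 00030000H. */
    struct run b = buggy(0x00030000u, 4), f = fixed(4);

    printf("MOV CX:   %lu iterations, %lu in bounds, %lu out of bounds\n",
           (unsigned long)b.iterations, (unsigned long)b.in_bounds,
           (unsigned long)b.out_of_bounds);
    printf("MOVZX:    %lu iterations, %lu in bounds, %lu out of bounds\n",
           (unsigned long)f.iterations, (unsigned long)f.in_bounds,
           (unsigned long)f.out_of_bounds);
    return 0;
}
```

When the high-order bits happen to be zero the first sequence behaves correctly, which is why this kind of defect survives testing; in review, any 16-bit register load that feeds a 32-bit address or loop count deserves a second look.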

System
Applicationprogramsdo not c'xecutesystcDinslructi()ns. In somccasesisystemin-
skuctionsqnnot be cxcrutcdunlcsslhc prcccs$hasa high privilegelevel The fol-
N'torcdctailcclinformationxboutthese
lowingtabllisls sysrcminstfr.rctions.
instructionsis given in Chapter8.

Instntcltot Et ol4i4ll6

LGD'r' mem LoadCDT bascaddrcssand Iimit


SCD| nem Skrc GDT baseand limit
l-lDT LoaclIDT baseaddres and lnnit
SIDT StorelD'l baseand lilnit
LIR Loxd a selcctorinto thc l$k rcgistcr
sTR .lest Sto.c rhc TR sclcc!ff
LIDT k- Loada select{ninto fte IDT reSister
SLDI Llr store lhe LDT selector
VERR reg, zlar veriii Reada.cessibr desrselector
vERIL/ reg,,l6r verify write accessfor L\t sclcctof
rAR rcq, d6t Loadacccss.ighls for .*r,t selector
LSl. ftg, d6t Loid limit for 216rsegment
ARPL d6r, v. Adjust privileSelsel io. dat
HLT             Halt the CPU until reset or interrupt


Miscellaneous
A few instructions don't fit into any category. For example, the NOP instruction
performs no operation.
The WAIT instruction tests the hardware pin called READY\. If the READY\ pin is
not active, the CPU waits until it becomes active. If the 80386 is waiting, it continues
to respond to hardware interrupts; however, it returns to the WAIT after the
interrupt completes. The 80287 and 80387 hold READY\ inactive while they perform
floating-point operations. You should execute a WAIT instruction before you use
the result of a floating-point computation to ensure that the coprocessor has
finished execution.

Floating-Point Extensions
As discussed in Chapter 2, the 80387 NDP extends the instruction set of the 80386
by providing hardware support for floating-point operations. Unlike the 80386, the
80387 programming model is a stack-oriented model rather than the two-operand
register/memory model. Most arithmetic instructions can be specified in three
ways: with no operands, with a single operand, or with two operands. Following
are some examples that illustrate the floating-point addition instructions.

        FADD
        FADD  ST(3)
        FADD  [EBP+6]           single-memory operand
        FADD  ST(2), ST

When no operands are specified, the operands are implicit. The following
pseudocode illustrates what happens when no operand is specified:

        temp <- pop()
        ST <- ST <function> temp

When a single operand is specified, the top of stack is implicitly the first operand,
so the instruction becomes:

        ST <- ST <function> op

When two operands are specified, both operands must be 80387 registers, and one
must be the top of stack. You can store the result of the operation in either register,
which you designate by making it the first operand.

        op1 <- op1 <function> op2

Several instructions have a form that discards the current top of stack after the
function is performed. A suffix of P (for pop) is added to the instruction mnemonic. For
example, the instruction:

        FMULP ST(3), ST


causes the top of stack and ST(3) to be multiplied and stores the result in ST(3).
Then the top of stack is discarded, leaving the newly created value at ST(2).

Load and store
The load instructions push a new value onto the top of the 80387 stack, but the store
instructions do not pop a value off unless explicitly indicated. The relevant instruc-

Instruction     Explanation

FBLD            Push a 10-byte BCD integer
FILD            Push a 16-, 32-, or 64-bit integer
FLD ST(n)       Push a copy of a value already loaded
FLD             Push a 32-, 64-, or 80-bit real
FLD1
FLDL2E
FLDL2T          Push log2 10
FLDLG2          Push log10 2
FLDLN2
FLDPI
FLDZ
FBSTP           Store ST in an 80-bit packed BCD integer and pop
                (discard from stack)
FIST            Store ST in a 16- or 32-bit integer
FISTP           Store ST in a 16-, 32-, or 64-bit integer and pop
FST ST(n)       Store a copy of ST in ST(n)
FST             Store ST in a 32- or 64-bit real
FSTP            Store ST in a 32-, 64-, or 80-bit real and pop

Because the coprocessor operates in parallel with the 80386 and because 80386
instructions generally execute more rapidly than 80387 operations, issue a WAIT (or
FWAIT) instruction before using the result of a floating-point store operation. This
ensures that the NDP has written to memory and that the 80386 code can access the

Arithmetic
The following table lists the arithmetic operations that the 80387 performs. See
Chapter 8 for a description of the types of operands that each instruction supports.

Instruction         Explanation

F2XM1               Compute 2^ST - 1 where -1 < ST < 1
FABS                Take absolute value of ST
FADD [op(s)]        Add two floating-point numbers
FADDP op1, op2      Add op1 and op2, pop stack
FIADD               Add 16- or 32-bit integer to ST
FCHS                Change the sign of ST
FCOM op             Compare ST with op (register or memory)
FCOMP op            Compare ST with op and pop
FCOMPP              Compare ST with ST(1), pop both
FICOM               Compare ST with 16- or 32-bit integer
FICOMP              Compare with integer and pop
FUCOM op            Compare allowing quiet NaNs
FUCOMP op           Like FCOMP
FUCOMPP op          Like FCOMPP
FCOS
FDIV [op(s)]
FDIVP op1, op2      Divide op1 by op2, pop
FIDIV               Divide ST by 16- or 32-bit integer
FDIVR [op(s)]       Reverse divide (op2 by op1)
FDIVRP op1, op2     Reverse divide op2 by op1 and pop
FIDIVR              Divide integer by ST
FMUL [op(s)]        Floating-point multiply
FMULP op1, op2      Multiply op1 by op2 and pop stack
FIMUL               Multiply ST by 16- or 32-bit integer
FPATAN              Arctangent of ST(1)/ST
FPREM               Partial remainder of ST/ST(1)
FPREM1              Compute partial remainder to IEEE spec
FPTAN               Compute tangent of ST, push(1.0)
FRNDINT
FSCALE              Multiply ST by 2^ST(1)
FSIN                Compute sine of ST
FSINCOS             temp <- ST, ST <- sin(temp), push(cos(temp))
FSQRT               Take the square root of ST
FSUB [op(s)]        Floating-point subtraction
FSUBP op1, op2      Subtract op2 from op1 and pop
FISUB               Subtract 16- or 32-bit integer from ST
FSUBR [op(s)]
FSUBRP op1, op2     Subtract op1 from op2 and pop stack
FISUBR              Subtract ST from 16- or 32-bit integer
FTST                Compare ST against 0.0
FXAM                Examine ST and set condition codes
FXTRACT             Decompose ST to exponent and significand, ST <- exponent,
FYL2X               ST(1) = ST(1) x log2 ST, pop stack
FYL2XP1             ST(1) = ST(1) x log2(ST + 1), pop stack

Control
Control instructions save or alter the state of the NDP. Some have a special "no
wait" form, indicated by the letter N as the second character of the mnemonic. The
"no wait" instructions execute without the implicit WAIT that occurs between two
floating-point instructions.


Normally a WAIT instruction is implied before every coprocessor operation. The
two instruction streams that follow are equivalent.

        FADD  ST(3),ST          FADD  ST(3),ST
        FMUL  ST(1)             WAIT
                                FMUL  ST(1)

WAIT causes the 80386 to check the hardware ERROR\ signal asserted by the NDP
if unmasked exceptions have occurred. If a coprocessor error is signaled, a
floating-point exception (interrupt 16) occurs. "No wait" instructions allow you to save the
NDP state without worrying about processing any floating-point exceptions.
The processor state of the 80387 is held in the registers discussed in Chapter 3.
Some of these registers are addressable individually, but others, such as the tag word
and error pointer registers, are not. The combination of the control word, status
word, and error pointers is called the environment. The instructions for loading and
storing this processor state in the memory format are outlined in Figure 4-10.

Figure 4-10. Environment layout. (32-bit words at byte offsets 0 through 24: CW at 0,
SW at 4, TW at 8, FIP at 12, FCS at 16, FOO at 20, FCS at 24.)

The following table lists the 80387's control instructions and their functions.

F[N]CLEX        Clear all exception flags
FDECSTP         Decrement the TOP field in the CW
FFREE ST(n)     Mark ST(n) as unused
FINCSTP         Increment the control word TOP field
F[N]INIT        Initialize the NDP
FLDCW           Load the control word register
FLDENV mem      Load the floating-point environment
FNOP
FRSTOR mem      Reload the entire 80387 machine state
F[N]SAVE        Store the entire 80387 state to memory
F[N]STCW        Store the control word to memory
F[N]STENV       Store the floating-point environment
F[N]STSW
F[N]STSW AX     Copy the status word to 80386 AX


The entire NDP state, including all registers, tags, and pointers, must be saved and
restored when multitasking between two or more programs that rely on the 80387.
The FSAVE and FRSTOR instructions save and load the memory image shown in
Figure 4-11.
The memory images described in Figure 4-11 are slightly different in a system using
the 80287. See Appendix F for information pertaining to the 80287.

Figure 4-11. FSAVE and FRSTOR memory layout. (The environment words CW, SW, TW,
FIP, FCS, FOO, and FCS occupy offsets 0 through 24; the registers ST(0) through ST(7)
follow in rows at offsets 28 through 104.)

5
THE 80386 PROTECTION MECHANISM

The role of computers in society is becoming more and more significant. Computers
process our financial transactions, count our votes at election time, control medical
equipment, and more. As our dependency on computers grows, we need systems
that can process multiple tasks and maintain reliability at the same time.
In support of these goals, Intel designers implemented the protected virtual address
mode (protected mode) on the 80286. Protected mode allows multiple applications
to run concurrently but isolates them from one another so that failures in one
application do not affect any other application. Although it was possible to implement
multitasking on previous Intel microprocessors, every application had access to all
portions of the system. A flaw in one application could easily crash the entire
system or corrupt data associated with another task.
The 80386 is the second Intel processor to support protected mode. However, the
80386's capabilities are extended by use of 32-bit addressing. This chapter discusses
how the 80386 protection mechanism works, including privilege levels, task
separation, and how virtual addressing is used to support the protection model.

Selectors
The central feature of the 80386 protection mechanism is the selector. Rather than
directly accessing any part of the system, a program deals with a selector, which
grants access to a system object. Associated with each object is information about it,
for example, the object's location, size, and type, and any restrictions on its use.
This information is not stored in the selector for two reasons. The selector would be
very large, and passing it from routine to routine would take a lot of computer time.
More importantly, keeping the object information in a separate location prevents an
unscrupulous or errant program from corrupting the information.


A selector is like a sealed envelope. Inside the envelope is important data that must
be kept secure. Like a messenger permitted only to see envelopes and pass them to
other messengers, a program can store and retrieve selectors and pass them to other
routines. Only the operating system has access to the data inside the envelope,
which on the 80386 is called a descriptor.

Descriptors
Aptly named, descriptors describe a system object in detail. Memory segments, as
illustrated in Chapter 3, are one kind of system object. Other system objects include
tables that support the protection mechanism, special segments that store the
processor state, and access control objects called gates.
Descriptors are grouped in descriptor tables. By examining a selector, the 80386
hardware determines which descriptor is associated with the selector and with the
object to which the descriptor points. One item that the descriptor indicates is the
privilege level of the object. This value is stored in the DPL field of the descriptor.
When a program requests access to a system object with a selector, one of the fol-

• Access is denied. If the request violates a rule of the protection mechanism (more
  on this later), control passes from the program to a designated routine in the
  operating system. The operating system usually terminates the process.
• Access is permitted but impossible to grant. For example, if the object is not
  currently in memory, an operating system routine is called that swaps the object into
  memory and returns control to the program. The program is then permitted to
  retry access to the object.
• Access is granted at the requested privilege level.

Privilege
The 80386 processor supports four levels of increasing privilege, numbered 3, 2, 1,
and 0. Privilege level 0 is the most privileged level.
The privilege level of the selector in the CS register identifies the precedence of the
currently executing routine and is called the current privilege level (CPL). For
reliability, only the most trustworthy and crash-resistant code in the operating system
should run at the most privileged level (CPL = 0). Applications that might fail or
compromise the integrity of the system should run at the lowest priority (CPL = 3).
Because the number of programs that can run at high privilege levels diminishes
near level 0 and because level 0 code is likely to exist only in the core of the
operating system, the classic illustration of the privilege system is one of concentric rings,
as shown in Figure 5-1.


Figure 5-1. Privilege rings.

The concentric ring image is so well integrated into the understanding of privilege
that programmers often speak of code that runs "in ring 0" or "in ring 3," another
way of saying that the CPL of the procedure is 0 or 3. Every system object (that is,
everything referred to by a descriptor) is associated with a privilege level and
"resides" in a particular ring.
The word privilege connotes rights or advantages not normally granted. On the
80386, procedures running in the innermost rings can access data objects in the
outer rings (which have less privilege), but outer ring procedures cannot access
objects with greater privilege. In addition, to prevent the operating system from
crashing, procedures cannot call other procedures that might be less
reliable (procedures in outer rings).
For example, a procedure running in ring 1 may access a data segment residing in
ring 2 or ring 3 but is prevented from accessing a segment whose privilege level is 0.
A ring 1 procedure, however, cannot invoke a subroutine residing in ring 2 or ring 3,
nor can it call one in ring 0. Figure 5-2 on the following page illustrates this

An operating system does not need to support all four privilege levels. UNIX
systems, for example, typically implement only two levels, 0 and 3. OS/2 supports three
levels: the operating system code runs in ring 0, applications run in ring 3, and
special routines that need access to I/O devices run in ring 2.


Figure 5-2. Access between rings. (Legend: data; code (programs); legal access;
illegal access.)

Interlevel communication
As a security measure, concentric rings of privilege work well, but the possibility
exists that an application running in ring 3 might need service from the operating
system. The operating system, however, though omnipotent in ring 0, is not accessible
to the application. The application, in effect, might say, "Oh most great and worthy
of operating systems, please grant me, thy humble and obedient servant, additional
RAM for my stack," but because of the access restrictions it has no way of calling on
the operating system.
Various cultures have established a priesthood whose job is to act as intermediator,
but the Intel design engineers apparently despaired of fitting something that
complicated into only 250,000 transistors, so they resorted to something simpler. It's
called a gate.

Gates
A gate is a system object (that is, it has its own descriptor) that points to a procedure
in a code segment, but the gate has a privilege level separate from that of the code
segment. Figure 5-3 shows how this changes the legal subroutine call path.
A gate allows execute-only access to a routine in an inner ring from a less privileged
procedure. The restriction on outward calls, however, remains in force. The 80386
supports four types of gates: call, interrupt, trap, and task. Call gates are invoked
via the standard subroutine call instruction. Interrupt gates and trap gates are
invoked by the INT instruction or by hardware interrupts. Task gates are invoked by
JMP, CALL, or INT instructions or by hardware interrupts.


Figure 5-3. Call path through gates. (Legend: gate; code (programs); legal access;
illegal access.)

In a standard subroutine call, the return address and any parameters are stored on
the stack, and execution continues at the start of the subroutine. When invoking a
subroutine through a gate, the privilege level of the executing routine changes to
the level of the code segment to which the gate points. When the subroutine
returns, the privilege level is set back to that of the calling procedure. For example,
an application executing in ring 3 might call the operating system to allocate some
memory. The operating system code runs in ring 0, and a call gate in ring 3 points
to the allocation routine.
This approach solves the communication problem but introduces another one.
Because the return address (and possibly some system call parameters) is on the
stack and the stack is a ring 3 (application) data segment, the address and
parameters are no longer secure. The application could corrupt them while the operating
system is processing the request. To solve this problem, part of the stack is copied
to a more privileged stack segment as it moves through the gate, as shown in Figure
5-4 on the following page. Each call gate descriptor contains a field called the
dword count, which indicates the number of 32-bit stack words to copy from the
outer-ring stack to the inner-ring stack.
Every application must have as many stack segments as there are privilege levels
in the operating environment under which it is running. If this seems excessive,
remember that you can use the virtual memory capability of the 80386 to your
advantage. An application can have descriptors for more than one stack segment, but
stack segments can be marked as not present and never take up any physical
memory if they are not used.


Figure 5-4. Stack privilege increase. (Labels: SS:ESP; (Ring 3) call through gate.)

If the idea of four stack segments has you flipping back to the 80386 register
diagram looking for additional registers, you won't find them. The active stack pointer
is held in the SS and ESP registers. The others are stored in a system object called
the task state segment or TSS.

Task state segments
A TSS is a special memory segment that the 80386 uses to support multitasking. Its
format is outlined in Figure 5-5, and it contains a copy of all the registers that must
be saved to preserve the state of a task. It also contains values that are associated
with the task but that are not stored in CPU registers.
The TSS contains three additional stack segment selectors (SS0, SS1, and SS2) and
three stack pointers (ESP0, ESP1, and ESP2), as shown in Figure 5-5. When a call or
interrupt through a gate causes a change in privilege, the new SS and ESP are loaded
from the TSS. The task register (TR) contains the selector of the currently active
TSS.
When a task switch occurs, all the executing task's registers are saved in the active
TSS. The task register is then loaded with the selector of a new TSS, and each
general register is loaded with the values from the new TSS. Other fields in the TSS and
multitasking are discussed later in this chapter.

Descriptor tables
As mentioned earlier, the descriptors for the memory segments, TSSs, gates, and
other system objects are grouped into descriptor tables. The three types of
descriptor tables are: the interrupt descriptor table (IDT), the global descriptor table (GDT),
and the local descriptor tables (LDTs).
The IDT contains descriptors that relate to hardware and software interrupts. A
special register, IDTR, contains the linear base address and size (limit) of the IDT. The
IDT is discussed in detail later in this chapter in the section "Interrupts and
Exceptions."


 31              16 15               0   Offset
 0                  Back link            0
 ESP0                                    4
 0                  SS0                  8
 ESP1                                    12
 0                  SS1                  16
 ESP2                                    20
 0                  SS2                  24
 CR3                                     28
 EIP                                     32
 EFLAGS                                  36
 EAX                                     40
 ECX                                     44
 EDX                                     48
 EBX                                     52
 ESP                                     56
 EBP                                     60
 ESI                                     64
 EDI                                     68
 0                  ES                   72
 0                  CS                   76
 0                  SS                   80
 0                  DS                   84
 0                  FS                   88
 0                  GS                   92
 0                  LDTR                 96
 I/OP bitmap base   0              T     100
 ...                                     104
                                         TSS limit

Figure 5-5. Task state segment (TSS).

The GDT is the primary descriptor table. The GDTR register contains the linear
base address and limit of the GDT. Important descriptors that the operating system
uses reside in the GDT. An operating system can be built using only the GDT and
the IDT. The LDTs, however, provide an additional layer of protection and are
helpful in building reliable systems.
The following illustration shows the mechanism used to identify a descriptor given
a 16-bit selector. The selector is composed of three fields: the index, the table
indicator (TI), and the requested privilege level (RPL).

 15                        3   2   1   0
 Index                         TI  RPL

The RPL can be used to request access to an object at a less privileged level than is
normally granted. If you're a canny operating system designer, you don't necessarily
want access at the most privileged level available to you. Using the RPL in this
manner guards against misuse of highly privileged routines to subvert the system.
Consider a programmer who tries to snoop in a "secure" system. This programmer
knows that an application program that attempts to access the operating system's
code will fail. However, the programmer tries another tactic. The snooping
application calls the operating system's disk write routine and passes it a pointer to the
system segment to which it wants access. The operating system routine has enough
privilege to gain access to the segment, so no protection violation occurs, and the
clever programmer has a disk file that contains the desired segment. Figure 5-6
illustrates this scenario.
A secure operating system can foil attempts such as this by ensuring that the RPL
field of any selector is set to the CPL of the calling routine. The ARPL (adjust
requested privilege level) instruction performs this function. When this is done, the
system can detect that the requested privilege level (RPL) of the selector is less than
(numerically higher than) the DPL of the desired segment and refuse to complete
the operation. Figure 5-7 shows the behavior of a secure operating system in this

Figure 5-6. Access to an operating system segment. (Application passes the ring 0
selector, which is illegal for it to use, to the ring 0 routine. The ring 0 routine gains
access to the ring 0 segment and writes it to disk.)

Figure 5-7. Secure operating system using ARPL. (ARPL adjusts selector.)

The TI bit of a selector identifies the table from which the descriptor is selected.
When TI is set to 0, the selector refers to the index-th descriptor in the GDT. A
selector value of 0033H, for example, points to the GDT descriptor number 6. The first
slot in the global descriptor table, GDT(0), is never used. A selector value of 0* is
used as a null selector. The null selector can be loaded into a data segment register
without triggering a protection fault.
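The selector fields, the ARPL adjustment, and the disk-write scenario described above can be modeled in a few lines of C. This is an added example, not code from the book: the function names and the constructed selector values are assumptions, and the rule that the numerically larger of CPL and RPL must not exceed DPL is the standard 80386 data-segment check.

```c
#include <stdint.h>
#include <stdio.h>

/* Selector layout: index in bits 15..3, TI in bit 2, RPL in bits 1..0. */
typedef struct {
    unsigned index;   /* slot in the descriptor table */
    unsigned ti;      /* 0 = GDT, 1 = current LDT */
    unsigned rpl;     /* requested privilege level, 0..3 */
} selector_fields;

selector_fields decode_selector(uint16_t sel)
{
    selector_fields f;
    f.index = sel >> 3;
    f.ti    = (sel >> 2) & 1u;
    f.rpl   = sel & 3u;
    return f;
}

/* Null selector: index 0 in the GDT. The RPL bits are ignored. */
int is_null_selector(uint16_t sel)
{
    return (sel & 0xFFFCu) == 0;
}

/* Model of ARPL: if the selector's RPL is numerically lower (more
 * privileged) than the RPL of the caller's CS, raise it to the caller's
 * level. ARPL never lowers an RPL. */
uint16_t arpl(uint16_t sel, uint16_t caller_cs)
{
    unsigned caller_rpl = caller_cs & 3u;
    if ((sel & 3u) < caller_rpl)
        sel = (uint16_t)((sel & 0xFFFCu) | caller_rpl);
    return sel;
}

/* Data-segment check: access is granted only if the less privileged of
 * CPL and RPL is still privileged enough for the segment's DPL. */
int data_access_allowed(unsigned cpl, uint16_t sel, unsigned dpl)
{
    unsigned rpl = sel & 3u;
    unsigned effective = (cpl > rpl) ? cpl : rpl;
    return effective <= dpl;
}

/* Hypothetical ring 0 disk-write service. buf_sel is the caller-supplied
 * selector of the buffer to write; seg_dpl is the DPL of the segment it
 * names. Returns 1 if the ring 0 routine would be allowed to read it. */
int disk_write_would_read(uint16_t buf_sel, uint16_t caller_cs,
                          unsigned seg_dpl, int use_arpl)
{
    if (is_null_selector(buf_sel))
        return 0;               /* a null selector names no segment */
    if (use_arpl)
        buf_sel = arpl(buf_sel, caller_cs);
    return data_access_allowed(0 /* service runs at CPL 0 */, buf_sel, seg_dpl);
}

int main(void)
{
    /* Constructed values: a ring 0 system segment in GDT slot 5, an
     * application CS in LDT slot 1 with RPL 3, and the application's own
     * data segment in LDT slot 2 with RPL 3. */
    const uint16_t system_sel = 0x0028, app_cs = 0x000F, app_data = 0x0017;
    selector_fields f = decode_selector(0x0033);

    printf("0033H -> index %u, TI %u, RPL %u\n", f.index, f.ti, f.rpl);
    printf("without ARPL, system segment readable: %d\n",
           disk_write_would_read(system_sel, app_cs, 0, 0));
    printf("with ARPL,    system segment readable: %d\n",
           disk_write_would_read(system_sel, app_cs, 0, 1));
    printf("with ARPL,    caller's own data readable: %d\n",
           disk_write_would_read(app_data, app_cs, 3, 1));
    return 0;
}
```

The adjusted selector 002BH still names GDT slot 5; only its RPL changed, which is enough for the ordinary segment check to refuse the request.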
When TI is set to 1, the index refers to a descriptor in the current LDT. LDT(0) can
be used to hold a valid descriptor. LDTs are usually created on a per-task basis and
serve two purposes. First, because a selector is 16 bits and the index field is only 13
bits, you can address a maximum of 8192 descriptors. Multiple LDTs allow you to
store more descriptors. If there were only one LDT as there is only one GDT, an
operating system might run out of space to store descriptors.
Second, the LDT also gives you increased security. Figure 5-8 on the following page
represents an operating system that uses only the GDT to store descriptors. The
descriptors below 100 point to various operating system objects and are all ring 0
objects. GDT(100) is a ring 3 descriptor for the code segment of application A, and
GDT(101) is the data segment descriptor, also in ring 3. Descriptors 102 and 103 are
the descriptors for the code and the data of application B.

* The RPL portion of the null selector is ignored, so any of the values 0, 1, 2, or 3 are valid null
Any attempt by application A to access outside its code and data segments results in
a protection violation. However, what if application A attempts to forge a selector?
That is, what if the application tries to create an otherwise valid selector for a
segment that doesn't belong to it? Creating a selector for any of the first 100 GDT slots
results in a protection violation because the operating system descriptors are ring 0
objects. If application A creates a selector for GDT(103), however, it can potentially
access (or destroy) data for application B. The 80386 prevents access between rings
but not inside the same ring.
Figure 5-9 shows the 80386 solution to the problem. If each application is given its
own LDT, the GDT can be reserved for system use. All descriptors in the GDT point
to objects in rings 0, 1, or 2. The LDT for each task contains the ring 3 (application)
code and data segments. Each application has a separate LDT, so a forged selector
can refer to objects only in the GDT, which are more privileged and therefore
inaccessible, or to objects in its own LDT. Thus, the LDT defines a virtual address space
for the application, and each task has a separate, nonoverlapping address space.

Figure 5-8. Operating system using only the GDT. (The figure shows GDT slots 0, 1, 2,
and 100 through 103.)

Figure 5-9. Operating system using a GDT and an LDT. (Label: Address space B.)

As Figure 5-9 indicates, an LDT is also a system object with its own descriptor. The
next section illustrates the general format of descriptors in the 80386.

Descriptor Formats
Figure 5-10 on the following page illustrates the three forms of a descriptor. The
following are the descriptor types: program memory segments, system segments, and
gates. Program memory segment descriptors were introduced in Chapter 3. System
segment descriptors describe LDTs and TSSs. Like program memory segment
descriptors, system segment descriptors describe regions of memory and have a base
and a limit. However, you cannot load a descriptor for an LDT or a TSS into a
segment register and read or write the contents as data. For an operating system to
update an LDT or a TSS, it must create a memory segment descriptor with the same
base address and limit, called an alias. Programs such as debuggers, which let you
modify your program's code segments, must also create aliases because code
segments are not writable under the 80386 protection rules.

Figure 5-10. General descriptor format: system, memory, and gate descriptors. (Field
labels in the figure include Limit, Type, DPL, S, and Offset.)

System segments are identified by a value of 0 in the S bit of the descriptor. The
TYPE field can hold any of the following values:
0-Unused (invalid descriptor)
1-80286 TSS
2-LDT
3-Busy 80286 TSS
9-80386 TSS
11-Busy 80386 TSS
A gate descriptor does not delineate a memory region and therefore has no base
address or limit fields. Instead, a gate points to another descriptor via a selector. Call,
interrupt, and trap gates must contain the selector for a code segment and an offset
into the segment. Task gates hold a selector for a TSS, and the offset portion of the
descriptor is unused.
Gate descriptors, like system segment descriptors, have the S bit set to 0 and can
contain one of the following values in the TYPE field:
4-80286 call gate
5-Task gate
6-80286 interrupt gate
7-80286 trap gate
12-80386 call gate
14-80386 interrupt gate
15-80386 trap gate
TYPE field values of 8, 10, and 13 are reserved for future Intel processors.


Descriptor types 1, 3, 4, 6, and 7 are used on the 80286. Operating systems designed
for the 80286 (such as OS/2) run without modification on the 80386, so these
descriptor types are fully supported. A native mode system, however, or one that
supports both 16-bit and 32-bit programs, uses full 32-bit descriptors. You can use 16-bit
code and data descriptors in a 32-bit system, but using 16-bit system descriptors such
as task state segments can lead to difficulties.
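The S bit and TYPE values listed in this section are enough to classify any 8-byte descriptor, which is how a reviewer would audit a descriptor table for gates that ring 3 code can invoke. The following C sketch is an added example, not code from the book: the bit positions it uses (access byte in bits 40..47, gate selector in bits 16..31, gate offset in bits 0..15 and 48..63, count in bits 32..36) are the standard 80386 descriptor layout rather than something read from Figure 5-10, and the names and sample descriptors are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int present;               /* P bit */
    unsigned dpl;              /* descriptor privilege level, 0..3 */
    int s;                     /* 1 = program memory segment, 0 = system/gate */
    unsigned type;             /* 4-bit TYPE field */
    int is_gate;
    const char *kind;
    uint16_t target_selector;  /* gates: selector of code segment or TSS */
    uint32_t target_offset;    /* call, interrupt, and trap gates */
    unsigned count;            /* call gates: stack words to copy */
} desc_info;

/* TYPE values for descriptors with S = 0, as listed in the text. */
static const char *system_kind(unsigned type, int *is_gate)
{
    *is_gate = (type >= 4 && type <= 7) || type == 12 || type >= 14;
    switch (type) {
    case 0:  return "unused (invalid descriptor)";
    case 1:  return "80286 TSS";
    case 2:  return "LDT";
    case 3:  return "busy 80286 TSS";
    case 4:  return "80286 call gate";
    case 5:  return "task gate";
    case 6:  return "80286 interrupt gate";
    case 7:  return "80286 trap gate";
    case 9:  return "80386 TSS";
    case 11: return "busy 80386 TSS";
    case 12: return "80386 call gate";
    case 14: return "80386 interrupt gate";
    case 15: return "80386 trap gate";
    default: return "reserved";            /* 8, 10, 13 */
    }
}

desc_info decode_descriptor(uint64_t d)
{
    desc_info info;
    unsigned access = (unsigned)((d >> 40) & 0xFFu);

    memset(&info, 0, sizeof info);
    info.type    = access & 0xFu;
    info.s       = (int)((access >> 4) & 1u);
    info.dpl     = (access >> 5) & 3u;
    info.present = (int)((access >> 7) & 1u);
    if (info.s) {
        info.kind = "program memory segment";
        return info;
    }
    info.kind = system_kind(info.type, &info.is_gate);
    if (info.is_gate) {
        info.target_selector = (uint16_t)((d >> 16) & 0xFFFFu);
        if (info.type != 5)                /* task gate: offset is unused */
            info.target_offset = (uint32_t)(d & 0xFFFFu)
                               | ((uint32_t)((d >> 48) & 0xFFFFu) << 16);
        if (info.type == 4 || info.type == 12)
            info.count = (unsigned)((d >> 32) & 0x1Fu);
    }
    return info;
}

/* Audit helper: how many present gates can ring 3 code invoke (DPL = 3)? */
int count_ring3_gates(const uint64_t *table, int n)
{
    int i, hits = 0;
    for (i = 0; i < n; i++) {
        desc_info info = decode_descriptor(table[i]);
        if (info.is_gate && info.present && info.dpl == 3)
            hits++;
    }
    return hits;
}

/* Constructed sample table (not taken from any real system). */
const uint64_t sample_table[6] = {
    0x0000000000000000ULL,   /* slot 0: never used */
    0x00CF9A000000FFFFULL,   /* ring 0 code segment */
    0x00008B0000000067ULL,   /* busy 80386 TSS, limit 103 */
    0x0010EC0200081234ULL,   /* 80386 call gate, DPL 3, count 2 */
    0x00008C0000081000ULL,   /* 80386 call gate, DPL 0 */
    0x00008D0000000000ULL    /* reserved TYPE 13 */
};

int main(void)
{
    int i;
    for (i = 0; i < 6; i++) {
        desc_info info = decode_descriptor(sample_table[i]);
        printf("slot %d: %-28s P=%d DPL=%u\n",
               i, info.kind, info.present, info.dpl);
    }
    printf("gates callable from ring 3: %d\n",
           count_ring3_gates(sample_table, 6));
    return 0;
}
```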

Multitasking
I have previously shown how the 80386 uses call gates to implement interlevel
subroutine calls. Interrupt and trap gates are discussed later in this chapter. The
following sections show how the 80386 can use the remaining system objects (TSSs, LDTs,
and task gates) to implement robust multitasking operating systems.
Simply defined, a task is "a sequence of related actions leading to the
accomplishment of some goal." In a computer, the resources required to accomplish the goal
are usually included in the definition of a task - that is, the amount of memory, CPU
time, disk space, and so on.
The term multitasking refers to the ability of a computer to execute more than one
task simultaneously. The 80386 cannot execute more than one instruction stream at
once, but it can execute one instruction stream, switch to another, execute it, switch
to a third, execute it, switch back to the original, and so on. Because the CPU
executes so rapidly, all tasks appear to execute simultaneously. Concurrency and
multiprogramming are synonyms for multitasking.
An executing task is called a process. Thus, some people refer to multitasking as
multiprocessing. Others, however, use the word multiprocessing to refer to systems
in which multiple CPUs or processors are running simultaneously. To avoid
confusion, I do not use the term multiprocessing, and I refer to computers with more than
one CPU as multiprocessor systems.
Assume that each task in a computer is implemented by a single program; therefore,
multiple programs must share the CPU. Various strategies exist for sharing the CPU,
but to discuss and compare these strategies is beyond the scope of this book. At
some level, each system must turn over control of the CPU from one task to another.
The first task might be in the middle of a computation when control is wrested
from it and passed to another task; when the first task resumes, it must be able to
continue processing as though nothing had happened. All the registers that the task
was using must be restored to their original values when that task regains control.
The 80386 hardware supports this kind of task switching via the TSS. Figure 5-11 on
the following page depicts the memory layout of the TSS. Each TSS has only one
descriptor, which defines its base memory address and limit. Figure 5-11 shows the TSS
descriptor format immediately below the TSS. To allow access to the TSS by
different privilege levels or via interrupts, you must use task gates.

Figure 5-11. Task state segment and descriptor. (The figure shows the TSS descriptor,
with its base, limit, and Type fields, together with the TSS layout: Back link at
offset 0 through the I/OP bitmap base and T bit at offset 100, continuing from
offset 104 to the TSS limit.)

The TSS descriptor is similar to that of a typical memory segment because the TSS is
a system segment; however, the S bit is 0. The TYPE field for a TSS contains either a
binary 1001B or 1011B (9 or 11). The variable bit is called the busy bit. This bit is set
to 1 in the currently executing task and in any tasks that have called the current task,
establishing a chain of nested tasks. Any attempt to invoke a task that is marked as
busy triggers an exception.


The selector in the task register (TR) identifies the current task. Usually, this register
is loaded once at initialization time and then is managed by the task switch
operation. Loading TR does not cause a task switch; it does identify the active TSS.

When a task switch occurs, the state of the currently executing task is saved in its
TSS, and the CPU registers are loaded from the image of the new or destination TSS.
The task register contains a selector for the currently active TSS. TSS descriptors can
be located only in the GDT.
Part of the TSS in Figure 5-11 is gray. The gray portion indicates values that are not
stored in the outgoing TSS during a task switch, although new values are loaded
from the destination TSS. If any gray value changes during execution of the task, the
operating system must ensure that the TSS is kept current. The application cannot
change these values; they require kernel support (privilege level 0) to be modified.
The bulk of the TSS holds copies of the 80386 general register set: EAX-EDI, the
segment registers, EFLAGS, and EIP. In addition, the TSS contains these fields:
Back link-The selector of the TSS that was previously executing.
SSn, ESPn-The stack pointers for ring n execution, as discussed in the section on
call gates.
CR3-Control register 3, which defines the physical memory address of the page
tables for the task.
LDTR-The selector of the LDT for the task.
T-The "trap on task switch" bit. A debug fault (interrupt 1) occurs when this bit is
set to 1 in the incoming TSS.
I/OP bitmap base-A 16-bit offset into the TSS that indicates the start of the I/O
permission bitmap. If this field is set to 0, no I/O permission bitmap exists.
System dependent-The portion of the TSS that the operating system can use to
store any operating system-specific information about the task.
I/O permission bitmap-The field that starts at the offset indicated by the I/OP
bitmap base and continues to the end of the TSS or to the base plus 8192
Task switching

Four events can cause a task switch on the 80386:

• The current task executes a FAR CALL or JMP instruction in which the selector
  points to a TSS descriptor.
• The current task executes a FAR CALL or JMP instruction, and the selector points
  to a task gate.
• The current task executes an IRET instruction to return to the previous task. An
  IRET causes a task switch only if the NT (nested task) bit of the EFLAGS register
  is set to 1.
• An interrupt or exception occurs, and the IDT entry for the vector is a task gate.

For any task switch, the following events take place:

1. If the task switch is not caused by a hardware interrupt, an exception, or an
   IRET, the descriptor privilege rules are checked. The DPL of the descriptor
   (TSS or task gate) must be numerically less than the current task's CPL and the

2. The present bit and limit of the descriptor for the current (outgoing) TSS are
   checked to ensure that the TSS is present and can hold at least 104 bytes of state
   information. If so, the current machine state is saved; otherwise an exception

3. The present bit and limit of the descriptor for the new (incoming) TSS are
   checked. If the TSS is not present or is too small, an exception occurs; other-
   wise all the register images are loaded. If the value of CR3 has changed, the
   TLB cache (see Chapter 7) is flushed.

   At this point, all the general and segment registers are loaded, but the 80386
   shadow registers are not. CS might have a value of 217FH, but the descriptor for
   selector 217FH has not been loaded. The state of the outgoing task has been
   saved, however, and any exceptions that occur are in the context of the new
   state, even if the CS descriptor is not present or is invalid.

4. The linkage to the outgoing task is established. What happens next depends on
   what caused the task switch.

   a. If the task switch was caused by a JMP instruction, the TSS descriptor of the
      outgoing task is marked as not busy, and the incoming task descriptor is
      identified as a busy TSS.
   b. If the task switch was caused by an interrupt or a CALL instruction, the
      outgoing task remains busy, and the incoming task is also marked as a busy
      TSS. Additionally, the NT bit of the EFLAGS register is set to 1, and the back
      link field of the incoming TSS is set to the selector of the outgoing TSS.
   c. If the task switch was caused by an IRET instruction, the outgoing task is set

5. The task switched (TS) bit in CR0 is set to 1, and the current privilege level for
   the incoming task is taken from the RPL field of the CS selector in the TSS.

6. The LDTR shadow registers are loaded if the LDTR contains a valid selector. If
   the LDTR value is 0 (the null selector), no action is taken. If the selector is in-
   valid or if the new LDT is not present, an exception occurs.

7. The descriptors for CS, SS, DS, ES, FS, and GS are loaded into the 80386 shadow
   registers in that order. All descriptors are tested for privilege violations (CPL has
   already been established) and must be marked present; otherwise an exception

8. The local enable bits in DR7 are cleared to 0.

9. If the T bit of the incoming TSS is set to 1, a debug fault (interrupt 1) occurs.

10. The new task begins executing by fetching the instruction at CS:EIP.

I/O permission bitmap

Two conditions determine whether a task is allowed to perform I/O: the I/O privi-
lege level and the I/O permission bitmap. The IOPL bits in the EFLAGS register de-
termine the I/O privilege level. The IOPL defines the least privileged level that can
perform an I/O instruction without restriction. For example, if IOPL = 2, I/O in-
structions can be performed by procedures executing at levels 0, 1, or 2. An attempt
to execute an I/O instruction by a ring 3 application must be further validated by the
I/O permission bitmap.

If the CPL of the current task is greater than IOPL (that is, if I/O is restricted for that
task), the I/O permission bitmap is checked, which protects the I/O address space
on an individual I/O port basis. The TSS stores an I/O permission bitmap for every
task. The bitmap begins at the offset in the TSS specified by the 16-bit I/O map base
value. The I/O map base value must be greater than or equal to 68H.

The I/O permission bitmap is a maximum of 8192 bytes, with one bit for each of the
65,536 I/O ports. If the bit in the bitmap corresponding to the I/O port is set to 1,
then the task does not have access to the port, and a general protection fault will oc-
cur if the task attempts to execute an I/O instruction at that port.

The I/O permission bitmap is not required to be 8192 bytes. The limit field of the
TSS descriptor specifies the end of the bitmap. If the I/O map base value is greater
than or equal to the limit value, the TSS contains no I/O permission bitmap. All
ports that do not have a bitmap position in the TSS are protected from access.

Figure 5-12 on the following page shows a sample bitmap. The task with this TSS
can access ports 8, 9, 10, 11, and 12. A subroutine in this task can access byte ports 8,
9, 10, 11, and 12, word ports 8 and 10, or dword port 8.

Figure 5-12. I/O permission bitmap in TSS.
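The two-stage check described above (IOPL first, then the per-port bitmap bounded by the TSS limit) can be modeled in a few lines of C. This is an added example, not code from the book: the struct, the function names, and the sample TSS image (bitmap placed at offset 68H, ports 8 through 12 open) are constructed for illustration and follow only the rules stated in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the task state the I/O check consults. */
struct task_io {
    const uint8_t *tss;   /* TSS image; index 0 is the first byte of the TSS   */
    uint32_t limit;       /* limit field of the TSS descriptor (last offset)   */
    uint16_t io_base;     /* I/OP bitmap base: offset of the bitmap in the TSS */
    unsigned cpl;         /* current privilege level of the task               */
    unsigned iopl;        /* IOPL bits from EFLAGS                             */
};

/* Returns 1 if a width-byte access (1, 2 or 4) starting at port is allowed,
 * 0 if it would raise a general protection fault. */
int io_allowed(const struct task_io *t, uint32_t port, unsigned width)
{
    if (width != 1 && width != 2 && width != 4)
        return 0;
    if (t->cpl <= t->iopl)              /* privileged enough: no bitmap check  */
        return 1;
    if (t->io_base >= t->limit)         /* base at or past limit: no bitmap    */
        return 0;
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = port + i;          /* every byte port touched is checked  */
        if (p > 0xFFFFu)                /* this model refuses accesses that    */
            return 0;                   /* run past port 65,535                */
        uint32_t off = (uint32_t)t->io_base + p / 8;
        if (off > t->limit)             /* no bitmap position: protected       */
            return 0;
        if (t->tss[off] & (1u << (p % 8)))  /* bit set to 1: access denied     */
            return 0;
    }
    return 1;
}

/* Constructed sample: 104 bytes of task state followed by a 4-byte bitmap
 * covering ports 0-31, with only ports 8-12 cleared to 0 (accessible). */
static uint8_t sample_tss[0x68 + 4];

struct task_io make_sample_task(unsigned cpl, unsigned iopl)
{
    struct task_io t;
    memset(sample_tss, 0, 0x68);
    memset(sample_tss + 0x68, 0xFF, 4);
    sample_tss[0x68 + 1] = 0xE0;        /* ports 8-12 open, 13-15 closed */
    t.tss = sample_tss;
    t.limit = sizeof sample_tss - 1;
    t.io_base = 0x68;
    t.cpl = cpl;
    t.iopl = iopl;
    return t;
}

int main(void)
{
    struct task_io app = make_sample_task(3, 0);
    printf("byte  port 8     : %d\n", io_allowed(&app, 8, 1));
    printf("word  port 10    : %d\n", io_allowed(&app, 10, 2));
    printf("dword port 8     : %d\n", io_allowed(&app, 8, 4));
    printf("word  port 12    : %d\n", io_allowed(&app, 12, 2));
    printf("byte  port 0x3F8 : %d\n", io_allowed(&app, 0x3F8, 1));
    return 0;
}
```

A word access at port 12 is refused because it also touches port 13, and port 3F8H is refused because its bit would lie beyond the TSS limit.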

Interrupts and Exceptions


Interrupt is a term that defines a variety of control transfers on the 80386. The
specific items implied by this term are true interrupts (hardware interrupts) and
exceptions, which are further subdivided into traps, faults, and aborts.

All interrupts and exceptions share a common feature: The current execution loca-
tion (CS:EIP) and flags register (EFLAGS) are saved on the stack, and control trans-
fers to a software routine called an interrupt handler via a gate in the interrupt
descriptor table (IDT). The 80386 supports a maximum of 256 descriptors in the
IDT. Every interrupt or exception is associated with one of these interrupt numbers.
Interrupt numbers 0 through 31 are reserved for specific purposes relating to the
80386 processor; the operating system can assign numbers 32 through 255.

The kinds of interrupts and exceptions are:

Interrupts-True interrupts are caused by hardware signals that originate outside
the CPU. Two pins on the 80386, NMI and INTR, signal interrupts. Pulling the NMI
pin low activates a nonmaskable interrupt. The NMI interrupt always invokes the
routine associated with interrupt vector (IDT entry) 2.

An active signal on the INTR line causes a maskable interrupt. The 80386 does not
respond to a maskable interrupt unless the IF bit of the EFLAGS register is set to 1.
When the IF bit is 0, interrupts are not recognized and are said to be masked. If the
processor responds, it issues an interrupt-acknowledge bus cycle, and the interrupt-
ing device must respond with an interrupt number. Use only values 32-255 for
maskable interrupts.

Traps-These are conditions that the 80386 regards as errors and detects after the
execution of a software instruction. The saved instruction pointer (CS:EIP) on the
stack points to the instruction immediately after an instruction that has trapped.

A classic example of a trap is the INTO instruction. When INTO is executed, the
processor checks the value of the overflow flag (OF). If OF = 1, the 80386 vectors
through IDT descriptor 4.

All software interrupt (INT) instructions are handled as traps. To issue one of these
instructions, however, a procedure must have access privilege to the IDT descriptor
for the interrupt number. For example, if a ring 3 application executes an INT 47 in-
struction, the descriptor at IDT(47) must have DPL = 3; otherwise, a protection fault
occurs. This mechanism prevents applications from issuing INT instructions for
vectors associated with hardware interrupts because the gates for these vectors
point to operating system code that runs at high privilege levels, usually ring 0.

Faults-When the 80386 detects an error during the processing of an instruction
(for example, when the instruction's operand is stored in a page frame marked not
present), a fault occurs. A specific interrupt number is associated with each fault
condition. The instruction pointer saved on the stack after a fault occurs points to
the instruction that caused the fault. Thus, the operating system can correct the con-
dition and resume executing the instruction.

Aborts-When an error is so severe that some context is lost, the result is an abort.
It might be impossible to determine the cause of an abort, or it might be that the
instruction causing the abort is not able to be restarted.

The following table lists all of the exceptions handled by the 80386:
80386 Exceptions

Number  Class              Description
0       Fault              Divide error
1       Fault or trap      Debugger interrupt
2                          Nonmaskable interrupt
3
4                          Interrupt on overflow (INTO)
5                          Array boundary violation (BOUND)
6
7                          Coprocessor not available
8
9                          Coprocessor segment overrun
10
11
12
13                         General protection violation
14
15
16
        Interrupt or trap  System dependent

One class of error is more severe than an abort. If the processor is unable to con-
tinue processing an exception, it shuts down. In a protected-mode environment, the
system should shut down only if a hardware failure occurs. To prevent shutdown,
the vectors that handle the double fault (interrupt 8) and invalid TSS (interrupt 10)
conditions should be separate tasks, and IDT entries 8 and 10 should be task gates.
This approach allows the 80386 to load a new machine state from which to handle
the exceptions. If this is not done, the exception handler might be running in the
same environment that caused the failures and might not be able to continue
processing.

Interrupt gates, trap gates, and task gates

The only types of descriptors that can reside in the IDT are interrupt gates, trap
gates, and task gates. Task gates in the IDT are identical to those in the GDT and
operate in the same manner.

When a task gate is invoked with an interrupt or with an exception, the machine
state is saved in the existing TSS, and a new state is loaded from the TSS associated
with the task gate. Thus, an interrupt can have its own address space, including its
own page tables and LDT. In addition, the interrupt handler is prevented from using
too much of the interrupted application's stack and from corrupting any registers. A
task switch takes longer to execute than a gate transfer, however, and the advantages
of invoking a task gate must be weighed against performance considerations.

The most common entries in the IDT are interrupt gates and trap gates. These de-
scriptors have identical formats; only the type code is different. Figure 5-13 illus-
trates the descriptor format for interrupt gates. The only difference in behavior
between the two gates is that when an interrupt gate is activated the IF bit of the
EFLAGS register is cleared to 0. Hardware interrupts are masked until the interrupt
handler deems it safe to reenable them. Transferring control through a trap gate
does not modify the interrupt flag.

The behavior of interrupt gates and trap gates is similar to that of call gates. Al-
though interrupt gates and trap gates do not contain a word count field, they can
point to code segments of specific privilege levels or to conforming segments.
Figure 5-14 shows the layout of the stack when an interrupt handler is invoked.

Figure 5-13. Interrupt gate and trap gate descriptor format.

Figure 5-14. Interrupt stack without and with privilege transition. (Panels:
interrupt or exception with no privilege transition; interrupt or exception with
transition to new stack segment. Stack entries shown: EFLAGS, CS, EIP, with ESP
marking the top of the stack.)

An interrupt handler must return to the calling routine via an IRET instruction. The
IRET restores the original instruction pointer, flags, and stack segment. If the NT
(nested task) bit was set in the EFLAGS register, a task switch to the original TSS
also occurs. The programmer should remove any error code (generated by the fault)
from the stack before returning from the interrupt handler.

80386 processor exceptions

The following sections explain the faults, traps, and aborts that can occur during
80386 program execution. Some exceptions cause a control transfer via the IDT;
others cause an error code to be pushed onto the stack as well. If an error code is
pushed, it is pushed onto the stack of the interrupt handler; that is, it is pushed after
any privilege level or task transition. Exceptions that cause error codes to be pushed
onto the stack are indicated in the following sections with the symbol [ec]. The
value of the error code is either 0 or as defined in the following illustration:

[Illustration: error code layout, with bit positions 31, 16, 15, 2, 1, and 0 marked
and the TI and EX bits labeled.]

The selector index and TI fields are taken from the selector of the segment associ-
ated with the exception. Instead of an RPL field, however, the error code has an I bit
and an EX bit. The I bit is set to 1 when the index refers to an IDT index, and the TI
bit is ignored. When I = 0, the TI bit indicates whether the selector is from the GDT
or from the current LDT. If the EX bit is set to 1, the fault was caused by an event
outside the executing program.

Interrupt 0-Divide (fault)

A divide fault occurs if division by zero is attempted or if the result of a divide
operation does not fit into the destination operand.

Interrupt 1-Debugger (fault or trap)

This exception is triggered by one of these conditions:
• Debug register breakpoint
• Single step trap

The "Debugging" section later in this chapter covers the triggering and handling of
debug traps in detail.

Interrupt 2-NMI (interrupt)

IDT vector 2 is reserved for the hardware NMI condition. No exceptions trap
through vector 2.

Interrupt 3-Breakpoint (trap)

Debuggers use the breakpoint interrupt (INT 3), which is covered in the "Debug-
ging" section later in this chapter.

Interrupt 4-Overflow (trap)

The overflow trap occurs after an INTO instruction has executed if the OF bit is set
to 1. The INTO instruction is useful in languages such as Ada that require arithmetic
instructions either to produce a valid result or to raise an exception.

Interrupt 5-Bounds check (fault)

Like interrupt 4, the bounds check trap occurs as the result of a software instruc-
tion. The BOUND instruction compares an array index with an upper bound and a
lower bound. If the index is out of range, the processor traps to vector 5.

Interrupt 6-Invalid opcode (fault)

An interrupt 6 fault occurs if:
• The processor tries to decode a bit pattern that does not correspond to any legal
  machine instruction.

• The processor tries to execute an instruction that contains invalid operands.
• The processor tries to execute a protected-mode instruction while running in
  real mode or in virtual 8086 mode.

Opcodes that are illegal on the 8086 or cause an invalid opcode fault on the 80286
do not always cause an exception when the 80386 executes in real mode. The op-
codes might correspond to new instructions that are valid in any 80386 operating

Interrupt 7-Coprocessor not available (fault)

When a computer does not support an 80287 or 80387 coprocessor, the operating
system can set the EM bit of register CR0 to indicate NDP software emulation. If the
EM bit of register CR0 is set, an interrupt 7 fault occurs each time a floating-point
instruction is encountered.

This fault also occurs if the MP bit of CR0 is set and the 80386 executes a WAIT or
floating-point instruction after a task switch. The task switch sets the TS bit to 1.
The operating system can clear TS after a task switch to prevent the fault from oc-
curring. The 80386 uses this method to signal that the state of the math coprocessor
needs to be saved so that it can be used by another task.

Interrupt 8-Double fault (abort) [ec]

Processing an exception sometimes triggers a second exception. For example, sup-
pose that a divide fault occurs during the processing of an application and that the
trap gate for interrupt 0 points to a conforming segment so that the privilege level
does not change. Now suppose that the user stack does not have room for the CS,
EIP, and EFLAGS pushed by the divide fault. The condition of being unable to
process the divide exception correctly would result in a double fault.

Not all exception pairs result in double faults. In some cases, most notably when
getting access to the fault handler causes a page fault, the second fault is processed
first, and then control transfers to the initial exception handler. The following table
shows the exception pairs that trigger a double fault:

First Fault                  If Followed By
0 (Divide fault)             0, 9, 10, 11, 12, 13
9 (NDP segment overrun)      0, 9, 10, 11, 12, 13
10 (Invalid TSS)             0, 9, 10, 11, 12, 13
11                           0, 9, 10, 11, 12, 13
12 (Stack fault)             0, 9, 10, 11, 12, 13
13 (General protection)      0, 9, 10, 11, 12, 13
14 (Page fault)              0, 9, 10, 11, 12, 13, 14

A task gate can best handle the double fault vector, although a secure ring 0 segment
usually works. You should use the method best suited for placing the system in a
known state because the processor shuts down if a third fault occurs while the
80386 is trying to start the interrupt 8 exception handler.

The shutdown state is similar to the halt state. Only a processor reset or NMI (if the
NMI vector is valid) can bring the processor out of shutdown. A special shutdown
signal is placed on the bus so that external hardware can detect the shutdown.

An error code of 0 is pushed onto the stack when a double fault exception occurs.

Interrupt 9-Coprocessor segment overrun (abort)

The coprocessor segment overrun exception is signaled when a floating-point in-
struction causes a memory access that runs beyond the end of a segment. If the
starting address of a floating-point operand is outside the segment limit, a general
protection fault (interrupt 13) occurs rather than an interrupt 9.

The segment overrun exception is classified as an abort because the instruction
cannot be restarted. You must use the FNINIT instruction to reinitialize the 80387
coprocessor. The CS:EIP saved on the stack will point to the offending instruction.

Interrupt 10-Invalid task state segment (fault) [ec]

A variety of causes can trigger an interrupt 10 because the TSS contains a number of
descriptors. The 80386 pushes an error code onto the stack to aid in diagnosing the
error condition. The following table lists invalid TSS fault conditions and the value
of the error code pushed onto the stack for each condition. The items are listed in
the order in which they are checked by the CPU.

Condition                                        Error code
Outgoing TSS limit < 103
                                                 TSS index : TI : EXT
Incoming TSS limit < 103
LDT selector has TI = 1                          LDT index : TI : EXT
LDT descriptor has S = 1                         LDT index : TI : EXT
LDT descriptor type != 2                         LDT index : TI : EXT
LDT descriptor not present                       LDT index : TI : EXT
CS descriptor has S = 0
CS descriptor not executable                     CS index
CS conforming, DPL > CPL
CS nonconforming, DPL != CPL or DPL < RPL        CS index
SS selector RPL = CPL
SS descriptor has S = 0
SS descriptor not writable
| . p l o l l o v n s ' h r . k ' r , r m | c l u r" | " r h r r \ 1 , 1 , u ,i.n r L r ,u r J ( , D ) . f - . F \ . ' _ Jc \
                                                 DS, ES, FS, or GS index
Descriptor is execute only                       DS, ES, FS, or GS index
Descriptor not conforming, DPL < CPL or
DPL < RPL                                        DS, ES, FS, or GS index

The CPL value is taken from the RPL of the incoming CS selector. If one of the
memory segment descriptors is marked not present, a not present fault or stack fault
occurs rather than the invalid TSS fault. The TSS load stops at the point of the fault,
and the other exception handler must ensure that the remaining segment registers
get loaded.

Interrupt 11-Not present (fault) [ec]

The not present interrupt lets you implement virtual memory via the 80386 segmen-
tation mechanism. An operating system can mark a memory segment as not present
and swap its contents out to disk. The interrupt 11 fault is triggered when an applica-
tion needs to access the segment.

This fault occurs when the 80386 tries to gain access to a descriptor that is not pres-
ent (P = 0). Loading DS, ES, FS, or GS triggers the fault, as does a FAR CALL or JMP
that either loads CS with a segment marked not present or accesses a gate whose
descriptor is marked not present. In addition, the LLDT and LTR instructions cause
descriptors to be loaded and can trigger the fault.

A segment fault that occurs when loading the SS register results in a stack fault (in-
terrupt 12) rather than in a not present fault. Additionally, when the LDTR is loaded
during a task switch rather than by the LLDT instruction, an invalid TSS exception
occurs if the descriptor has P = 0.

The CS and EIP that are pushed onto the stack as a result of the exception usually
point to the offending instruction. Also pushed is an error code that identifies the
selector involved in the fault. The only time that CS:EIP does not point to the of-
fending instruction is when a task switch occurs and a selector in the new task im-
age causes the not present exception.

In this case, the CS:EIP points to the first instruction of the new task. The selectors
are loaded in the order SS, DS, ES, FS, and GS, and the task switch terminates at the
point of the fault. The interrupt 11 fault handler must handle the fault and validate
the remaining selectors. If the interrupt 11 fault handler is invoked via a task gate,
this happens on the IRET that ends interrupt 11. If a trap gate invokes the interrupt,
however, the fault handler must test each selector with the LAR instruction.

Interrupt 12-Stack (fault) [ec]

A task gate should handle this exception because the state of the stack is unknown
when a stack fault occurs. You can use a level 0 trap gate, but if a stack fault occurs
at ring 0, the trap to the interrupt 12 handler results in an immediate double fault.

A stack fault with an error code of 0 occurs if a normal instruction refers to memory
beyond the limits of the stack segment. This includes instructions such as PUSH and
POP and instructions that use an SS: segment override or use EBP as a base register.
In addition, the ENTER instruction causes the same fault if it causes ESP to be decre-
mented beyond the lower bound of the segment. Instructions such as SUB ESP, 10 do
not cause stack faults.

If the stack fault is triggered by loading SS with a not present selector or if the fault
occurs during gated transition between privilege rings, an error code indicating the
offending selector is pushed onto the stack. Loading SS with invalid descriptors (out
of range, segment not writable, and so on) results in a general protection fault rather
than a stack fault.

When the error code is 0, this usually means that a given stack segment is too small.
If the operating system supports expand-down segments, it can expand the stack of
the faulting application. The saved CS:EIP points to the faulting instruction, which
can always be restarted; however, the same caveat that applies to task switches and
not present exceptions also applies to stack faults. See the final paragraph under
"Interrupt 11-Not present (fault) [ec]" for more details.

Interrupt 13-General protection (fault) [ec]

Any condition not covered by some other exception triggers a general protection
fault. This fault usually indicates that the program has been corrupted and should be
"terminated with prejudice," as the old UNIX phrase goes.

The exception to this rule is that V86-mode tasks trigger general protection faults
when the system needs to be "virtualized." For example, a V86 task that tries to dis-
able interrupts or issue a software interrupt instruction triggers a general protection
fault when IOPL < 3. In such a case, the interrupt handler must determine the
proper behavior and return control to the faulting task.

The operating system can restart any instruction that triggers a general protection
fault, although doing so is often inappropriate. An error code is always pushed onto
the stack as part of the exception; in many cases, however, the value is 0. When the
value is not 0, the value indicates the selector that caused the exception.

Interrupt 14-Page (fault) [ec]

The page fault interrupt lets you implement virtual memory on a demand-paged
basis. An interrupt 14 occurs whenever an access to a page directory entry or page
table entry refers to an entry with the present bit set to 0. The operating system
makes the page present, updates the table entry, and restarts the faulting instruc-
tion. A page fault also occurs when a paging protection rule is violated. In this case,
the operating system needs to take other appropriate action.

When a page fault occurs, the CR2 register is loaded with the linear address that
caused the fault, and an error code is pushed onto the stack. The page fault error
code is different from that of the other exceptions and has this format:

[Illustration: page fault error code layout, from bit 31 down to the three low-order
bits U/S, W/R, and P.]

The three low-order bits of the error code provide more information about why the
address in CR2 caused the fault. The P bit is set to 1 if the fault was a page protection
fault rather than a page not present fault. The W/R bit is set to 1 if the faulting in-
struction was attempting to write to memory. The bit is cleared to 0 if the fault oc-
curred during a read. Finally, the U/S bit is set to 1 if the faulting instruction was
executing in user mode and is cleared to 0 if the instruction was a supervisor in-
struction. (User mode and supervisor mode are discussed in Chapter 7.)
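The two error code formats described in this chapter (the selector format pushed by the [ec] exceptions and the separate page fault format) can be decoded as below. This is an added example, not code from the book: the function and struct names are hypothetical, the bit positions (EX in bit 0, I in bit 1, TI in bit 2, index in bits 15-3; P, W/R, U/S in bits 0, 1, 2) follow Intel's documented layout, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vectors the text marks with [ec]: 8, 10, 11, 12, 13 and 14. */
int pushes_error_code(unsigned vector)
{
    return vector == 8 || (vector >= 10 && vector <= 14);
}

/* Selector-format error code (every [ec] vector except the page fault). */
struct sel_ec {
    unsigned index;  /* bits 15-3: descriptor index                          */
    int ti;          /* bit 2: 0 = GDT, 1 = current LDT (ignored if idt = 1) */
    int idt;         /* bit 1: the I bit, index refers to the IDT            */
    int ext;         /* bit 0: the EX bit, event outside the program         */
};

struct sel_ec decode_selector_ec(uint32_t ec)
{
    struct sel_ec d;
    d.ext   = (int)(ec & 1u);
    d.idt   = (int)((ec >> 1) & 1u);
    d.ti    = (int)((ec >> 2) & 1u);
    d.index = (unsigned)((ec >> 3) & 0x1FFFu);
    return d;
}

/* Page fault error code: only the three low-order bits carry meaning. */
struct pf_ec {
    int protection;  /* P:   1 = protection violation, 0 = page not present */
    int write;       /* W/R: 1 = write access, 0 = read access              */
    int user;        /* U/S: 1 = user mode, 0 = supervisor                  */
};

struct pf_ec decode_page_fault_ec(uint32_t ec)
{
    struct pf_ec d;
    d.protection = (int)(ec & 1u);
    d.write      = (int)((ec >> 1) & 1u);
    d.user       = (int)((ec >> 2) & 1u);
    return d;
}

/* Writes a one-line description into buf (n bytes) and returns buf. */
const char *describe_error_code(unsigned vector, uint32_t ec, char *buf, size_t n)
{
    if (!pushes_error_code(vector)) {
        snprintf(buf, n, "vector %u pushes no error code", vector);
    } else if (vector == 14) {
        struct pf_ec p = decode_page_fault_ec(ec);
        snprintf(buf, n, "%s, %s, %s mode",
                 p.protection ? "page protection violation" : "page not present",
                 p.write ? "write" : "read",
                 p.user ? "user" : "supervisor");
    } else if (ec == 0) {
        snprintf(buf, n, "no selector identified");
    } else {
        struct sel_ec s = decode_selector_ec(ec);
        const char *table = s.idt ? "IDT" : (s.ti ? "LDT" : "GDT");
        snprintf(buf, n, "%s index %u%s", table, s.index,
                 s.ext ? ", external event" : "");
    }
    return buf;
}

int main(void)
{
    char buf[64];
    /* Constructed values: 17AH = IDT entry 47; 217CH = LDT entry 42FH. */
    printf("#13 ec=017A: %s\n", describe_error_code(13, 0x17A, buf, sizeof buf));
    printf("#11 ec=217C: %s\n", describe_error_code(11, 0x217C, buf, sizeof buf));
    printf("#14 ec=0007: %s\n", describe_error_code(14, 0x7, buf, sizeof buf));
    printf("#12 ec=0000: %s\n", describe_error_code(12, 0, buf, sizeof buf));
    return 0;
}
```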

Because of the large number of divergent memory accesses that occur during a task
switch, operating system designers should ensure that important task tables (the
GDT, application TSS, and application LDT) are resident in memory before execut-
ing the task switch. The situations that arise if page faults occur during a task switch
are not impossible to deal with, but system design is simpler if you avoid them.

Interrupt 15

This vector is reserved for future Intel processors.

Interrupt 16-Coprocessor error (fault)

This exception occurs under two conditions:
• When the ERROR\ pin is active at the start of an ESC (numeric coprocessor)
  instruction
• When the EM bit of CR0 is 0 at the start of a WAIT instruction

Interrupts 17-31

These vectors are reserved for future Intel processors.

Interrupts 32-255

These vectors are available for use by an operating system. The system can install
interrupt, trap, or task gates in any IDT slot corresponding to one of these interrupts.
The interrupt handlers can be invoked by software INT n instructions or by hard-
ware that signals the 80386 via the INTR pin.

Interrupt masking and priority

The only programming mechanisms for masking interrupts are the CLI/STI instruc-
tions, which affect the hardware INTR line. However, other situations prevent cer-
tain types of interrupts, either by design or because a more important interrupt is
pending. Interrupts have the following priority ranking:

1. Nondebug faults
2. Trap instructions (software interrupts INTO, INT 3, INT n)
3. Debug traps for the current instruction
4. Debug faults for the pending instruction
5. Hardware NMI
6. Hardware INTR interrupt

For example, if a page fault and a debug fault are triggered on the same instruction,
the page fault takes priority, and the debug fault is masked. However, when the
page fault handler completes its operation and restarts the faulting instruction, the
debug fault is retriggered.

Other interrupt masking conditions occur when:

• An NMI is triggered. Further NMIs are masked until the next IRET instruction
• A debug fault occurs. Debug faults cause the RF bit in the EFLAGS register to be
  set, masking additional debug interrupts. The processor clears RF upon suc-
  cessfully completing an instruction.
• The SS register is loaded. Hardware interrupts (both NMI and INTR) and debug
  exceptions (including single step) are masked for the duration of one instruction
  after SS is loaded. Thus, the ESP register can load without risk of invoking an in-
  terrupt handler with an invalid stack pointer. The instruction that loads ESP can,
  however, receive a page fault, and the interrupt 14 routine will be invoked with
  an invalid stack pointer, possibly leading to a double fault. You can avoid this by
  loading both SS and ESP using a single instruction, LSS.

Debugging

Traditionally, microprocessors have never contributed much to solving the problem
of debugging. Debugging on microprocessors has been accomplished with break-
point instructions and with the ability to single step (execute one instruction at a
time); but for difficult problems, programmers have had to turn to in-circuit emula-
tors or hardware-assisted debuggers.

As microcomputer systems become more sophisticated, hardware's ability to deter-
mine what is going on inside the CPU diminishes. For example, assume that a pro-
grammer wants to be notified that a particular data structure has been modified.
Because of paging, the structure might not be in contiguous memory. The operat-
ing system's virtual memory capability allows it to move the program out from
under the eye of the debugging hardware, and thus the program's linear and sym-
bolic addresses bear no relation to the generated hardware addresses.

Fortunately, the 80386 designers recognized these problems and added features to
the processor that system software can use to aid in debugging. Four mechanisms
trigger debug interrupts under different conditions: trap flag, task switch trap,
breakpoint registers, and software breakpoint.

Trap flag

Setting the TF bit in the EFLAGS register causes a single-step fault (interrupt 1) to
occur before the next instruction. The 80386 clears the TF bit before invoking the
handler pointed to by IDT(1), although the saved image of EFLAGS on the stack has
the trap flag set.

When a software interrupt instruction (INT, INTO) is executed, the TF bit is
cleared. A debugger should not attempt to single step an INT instruction but should
place a breakpoint either at the destination of the gate pointed to by INT or imme-
diately after the INT instruction.

A call gate does not clear the trap flag, so a debugger should check all FAR CALLs
and JMPs to see whether they cause a change in privilege level. If so, programmers
should not be allowed to single step into code more privileged than their
applications.

Task switch trap

When the T bit of a TSS is set to 1, switching to the TSS's task invokes the debugger
fault (interrupt 1). The fault does not occur until after the contents of the TSS are
loaded and before the first instruction of the task is executed.

Breakpoint registers

The debug registers (DR0-DR7) implement four address breakpoints. When the
registers are correctly initialized, each identifies a linear address. If the processor
accesses that address, a debugger fault (interrupt 1) occurs. The debug registers are
described in detail in "Programming the debug registers" in this chapter.

Software breakpoint

The single-byte INT 3 (0CCH) instruction triggers this interrupt. By replacing the
first byte of an instruction with an INT 3, a debugger can cause a breakpoint to oc-
cur when the execution stream reaches the INT 3. Because the software interrupts
are classified as traps, the saved CS and EIP on the stack point to the byte immedi-
ately after INT 3. To restart the program, the debugger must replace the 0CCH value
with the first byte of the original instruction, decrement EIP so that it points to the
start of the instruction, and execute an IRET to return from the interrupt handler.

This method of implementing breakpoints is much clumsier than using the debug
registers because it requires creating a suitable alias for a code segment, saving the
original instruction byte, replacing the instruction with an INT 3, and undoing the
above when the breakpoint has been triggered. However, because the debug regis-
ters allow only four active breakpoints at once, a reasonable tradeoff is to use debug
registers for data space breakpoints and INT 3 for code space breakpoints.

Programming the debug registers

Figure 5-15 on the following page shows the layout of the debug registers. To load a
value into one of the registers, use a MOV DRn, reg instruction. Similarly, using
MOV reg, DRn reads the contents of a debug register into one of the 32-bit general
registers.

The first four registers (DR0-DR3) are address registers. The linear address of a
desired breakpoint must be loaded into one of these registers. The debug registers
are not affected by paging. Only the linear address (from the descriptors) is used to
match a breakpoint address. Debug registers DR4 and DR5 are reserved for future
Intel microprocessors.

Figure 5-15. Debug registers. (DR0-DR3: breakpoint addresses 0-3; DR4 and DR5:
reserved; DR6: status bits BT, BS, BD, and B3-B0; DR7: LEN and R/W fields for
breakpoints 3-0 in bits 31-16, and the GE, LE, G3-G0, and L3-L0 enable bits in the
low-order bits.)

Register DR6 is the status register. It indicates the condition(s) that lead to the
interrupt. A bit is set to 1 in DR6 if the condition associated with the bit has
been met. The following table identifies the bits and the reasons for the interrupt.

Bit   Reason
B0    Breakpoint register 0 triggered
B1    Breakpoint register 1 triggered
B2    Breakpoint register 2 triggered
B3    Breakpoint register 3 triggered
BD    Intel ICE hardware active
BS    Single step (TF set to 1)
BT    TSS T bit set to 1

Bits B0-B3 are set to 1 if the breakpoint in DR0-DR3 was matched during execution,
even if the breakpoint was not enabled and did not cause the debug fault.
When Intel ICE 386 hardware is used, the debug registers are reserved for the
in-circuit emulator. The BD bit is set to 1, and any attempt to place (MOV) a value
in one of the debug registers triggers an interrupt 1.
The debug interrupt handler must clear the contents of register DR6. The CPU sets
bits, but bits can be cleared only programmatically.

DR7 is the debug control register. Placing an address in DR0-DR3 will not enable a
breakpoint. The enable bit(s) in DR7 must be set, as must the breakpoint length and

The LENn fields let you specify the length of breakpoint n. The length values are
encoded as follows:
00-Byte / breakpoint legal at any address
01-Word (2 bytes) / breakpoint must be on even address
10-Reserved for future use
11-Dword (4 bytes) / breakpoint address must be on dword boundary
The R/Wn field lets you specify the type of memory access that triggers breakpoint
n. This field is encoded as shown below:
00-Execution breakpoint
01-Memory write breakpoint
10-Reserved for future use
11-Memory read or write breakpoint
When R/W is set to 00B, an execution breakpoint, the corresponding LEN field also
must be set to 00B. An execution breakpoint is triggered only if the breakpoint
address is set to the first byte of the instruction. If any prefix bytes are part of
the instruction, the breakpoint must be set to the address of the first prefix byte.
The Ln and Gn bits allow breakpoints to be locally or globally enabled. If neither
the L nor the G bit is set, the breakpoint is disabled and does not trigger an
interrupt, although the corresponding bit in DR6 is set if the breakpoint condition
is met.
If only the L bit is set, the breakpoint is locally enabled. A task switch clears
the L bits. The system should mark the T bit in the TSS of the task using locally
enabled breakpoints so that an interrupt 1 occurs when the task is reactivated.
Then the L bits can be reset.
If the G bit is set, the breakpoint is globally enabled and can be disabled only by
clearing G to 0. Setting both the L and G bits equals setting the G bit.
Register DR7 contains two other bits, LE and GE. When either bit is set, it enables
the exact match condition. When exact match is enabled, the 80386 processor slows
to ensure that the interrupt 1 fault reports the instruction that triggered the
breakpoint. If LE and GE are 0, the 80386 might get ahead of the debug unit because
of the internal parallelism in the processor, and the CS and EIP on the interrupt
handler's stack might point one or two instructions beyond the one that triggered
the fault. The performance loss is not significant, and LE and GE should be enabled.
The difference between the two bits is that LE is cleared after a task switch, as
are the Ln bits.

Triggering the debug interrupt

The following table shows how the address and control fields define a breakpoint
condition and gives examples of instructions that do or do not trigger the
breakpoint. The table assumes a base address of CS = 0003A000H and DS = 0004C000H.

Debug Register Settings

DR0: 0004C020H
DR7: LE0 = 1, RW0 = 00B, LEN0 = 00B      MOV AL,[20]

DR0: 0004C020H
DR7: LE0 = 1, RW0 = 11B, LEN0 = 00B      MOV AL,[20]              Byte 4C020H

DR0: 0004C020H
DR7: LE0 = 1, RW0 = 10B, LEN0 = 00B      MOV AL,[20]

DR0: 0004C020H
DR7: LE0 = 1, RW0 = 11B, LEN0 = 11B      MOV AL,[23]

DR0: 0004C020H
DR7: LE0 = 1, RW0 = 11B, LEN0 = 11B      INC DWORD PTR [01E]

DR0: 0004C020H
DR7: LE0 = 0, RW0 = 11B, LEN0 = 11B      INC DWORD PTR [01E]      Breakpoint not

DR0: 0003A000H
DR7: LE0 = 1, RW0 = 00B, LEN0 = 00B      CS:0000 MOV AL,37H

DR0: 0003A001H
DR7: LE0 = 1, RW0 = 00B, LEN0 = 00B      CS:0000 MOV AL,37H
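
The DR7 encoding rules from "Programming the debug registers" and the rows of the table above can be checked with a small model. This is an added example, not code from the book: the function names are hypothetical, the DR7 bit positions are taken from Intel's documented layout because the figure did not survive, and the table's LE0 setting is treated as the local enable bit for breakpoint 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field encodings from the text; 10B is reserved in both fields. */
enum { RW_EXEC = 0, RW_WRITE = 1, RW_RDWR = 3 };
enum { LEN_BYTE = 0, LEN_WORD = 1, LEN_DWORD = 3 };
enum access { ACC_FETCH, ACC_READ, ACC_WRITE };

/* Assumed bit positions (Intel's documented DR7 layout): Ln = bit 2n,
   Gn = bit 2n+1, LE = bit 8, GE = bit 9, R/Wn = bits 16+4n and 17+4n,
   LENn = bits 18+4n and 19+4n. */
#define DR7_L(n) (1u << (2 * (n)))
#define DR7_G(n) (1u << (2 * (n) + 1))
#define DR7_LE   (1u << 8)
#define DR7_GE   (1u << 9)

static unsigned dr7_rw(uint32_t dr7, unsigned n)  { return (dr7 >> (16 + 4 * n)) & 3u; }
static unsigned dr7_len(uint32_t dr7, unsigned n) { return (dr7 >> (18 + 4 * n)) & 3u; }

/* Program breakpoint n into *dr7. Returns 0, or -1 if the request breaks a
   rule from the text (reserved encoding, alignment, execution length). */
int dr7_program(uint32_t *dr7, unsigned n, uint32_t linear,
                unsigned rw, unsigned len, bool local, bool global)
{
    if (n > 3 || rw > 3 || len > 3 || rw == 2 || len == 2)
        return -1;                          /* 10B is reserved */
    if (rw == RW_EXEC && len != LEN_BYTE)
        return -1;                          /* execution needs LEN = 00B */
    if (linear & len)
        return -1;                          /* LEN value doubles as alignment mask */

    uint32_t v = *dr7 & ~(DR7_L(n) | DR7_G(n) | (0xFu << (16 + 4 * n)));
    v |= (uint32_t)rw << (16 + 4 * n);
    v |= (uint32_t)len << (18 + 4 * n);
    if (local)  v |= DR7_L(n);
    if (global) v |= DR7_G(n);
    *dr7 = v | DR7_LE | DR7_GE;             /* exact match, as the text advises */
    return 0;
}

/* Breakpoint condition for an access of `size` bytes at linear address `addr`
   (for ACC_FETCH, the first byte of the instruction, prefixes included).
   This is what sets Bn in DR6, whether or not the breakpoint is enabled. */
bool bp_condition_met(uint32_t dr_addr, uint32_t dr7, unsigned n,
                      enum access kind, uint32_t addr, unsigned size)
{
    unsigned rw = dr7_rw(dr7, n);
    uint64_t bp_end  = (uint64_t)dr_addr + dr7_len(dr7, n) + 1;
    uint64_t acc_end = (uint64_t)addr + size;

    if (rw == RW_EXEC)
        return kind == ACC_FETCH && addr == dr_addr;
    if (rw == 2 || kind == ACC_FETCH)
        return false;
    if (rw == RW_WRITE && kind != ACC_WRITE)
        return false;
    return addr < bp_end && dr_addr < acc_end;   /* byte ranges overlap */
}

/* Interrupt 1 is raised only if the condition is met and Ln or Gn is set. */
bool bp_triggers(uint32_t dr_addr, uint32_t dr7, unsigned n,
                 enum access kind, uint32_t addr, unsigned size)
{
    return (dr7 & (DR7_L(n) | DR7_G(n))) != 0 &&
           bp_condition_met(dr_addr, dr7, n, kind, addr, size);
}

/* One table row: program breakpoint 0 (locally enabled or not), test one access. */
bool row_triggers(uint32_t dr0, unsigned rw, unsigned len, bool enable,
                  enum access kind, uint32_t addr, unsigned size)
{
    uint32_t dr7 = 0;
    if (dr7_program(&dr7, 0, dr0, rw, len, enable, false) != 0)
        return false;
    return bp_triggers(dr0, dr7, 0, kind, addr, size);
}

int main(void)
{
    const uint32_t ds = 0x0004C000u, cs = 0x0003A000u;   /* bases from the table */
    printf("MOV AL,[23] vs dword R/W at 4C020H: %d\n",
           row_triggers(ds + 0x20, RW_RDWR, LEN_DWORD, true, ACC_READ, ds + 0x23, 1));
    printf("INC DWORD PTR [01E], LE0 = 0:       %d\n",
           row_triggers(ds + 0x20, RW_RDWR, LEN_DWORD, false, ACC_WRITE, ds + 0x1E, 4));
    printf("fetch at CS:0000, DR0 = 3A001H:     %d\n",
           row_triggers(cs + 1, RW_EXEC, LEN_BYTE, true, ACC_FETCH, cs, 2));
    return 0;
}
```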

MEMORY ARCHITECTURE: PAGING

Paging is used to implement virtual memory based on fixed-size blocks called
pages. Paging is probably the most widely used virtual memory technique on today's
minicomputers and mainframes.
Like segmentation, paging translates virtual addresses into physical addresses.
Addresses are translated by mapping fixed-size blocks of memory into physical
memory locations called page frames. Consider a physical memory system composed of
page frames 0, 1, 2, and 3, each having 10 bytes of memory. A virtual address
consists of a frame name and an offset, so assume that the frames have the names
A, B, C, and D. The memory system also contains a page table for converting the
virtual address into a physical address. Figure 6-1 shows how virtual address C7
is mapped into physical address 17. The arrows indicate the page mapping.

[Figure 6-1. Translating a virtual address to a physical address.]

Segmentation and paging are similar: A name and an offset are translated to an
address. This mapping is the essence of virtual memory. However, segmentation and
mapping are also different. Assume that any virtual address from the previous
example consists of a two-digit number and that the digit in the 10's place is the
frame name, rather than a letter, as in Figure 6-1. A virtual memory translation
would resemble Figure 6-2 on the following page. In this example, virtual address
27 is translated to physical address 17.

Because pages have a fixed size, a virtual address can be easily separated into a
name and an offset. A page table lookup converts every virtual address into a physi-
[Figure 6-2. Virtual address translation of fixed-size elements. The figure shows
the physical memory page frames.]

Advantages and Disadvantages


A fixed page size is the key to the advantages of paging over segmentation. Because
a disk is usually the secondary storage for a virtual memory system, you can choose
page sizes that map well into the sector size of the disk. Paging also avoids the
fragmentation problem of segmentation. Every time a page is swapped out, another
page fits exactly into the freed page frame.
Another advantage of paging is that allocation for a large object (for example, a
memory segment) does not have to be contiguous. An object that was contained in
virtual pages 1 and 2 in Figure 6-2 would not be stored in consecutive physical

Finally, paging is invisible to the programmer. Unlike segmentation, which requires
you to know the virtual name (segment) and offset of an object in memory, paging
requires you to know only one address. The virtual address is broken down into its
components by the virtual memory mechanism in the hardware.
Paging isn't perfect. Using paging means losing the protection rings implemented
with segmentation. Paging is also subject to a different kind of fragmentation,
called internal fragmentation, which occurs when you store objects that do not fit
into a page or a sequence of pages. For example, if the page size is 10 bytes, an
11-byte object requires two pages, which wastes memory.
Additionally, paging incurs more overhead than does segmentation. In a segmented
system, the table lookups that are needed to convert a virtual address to a physical
one occur only when a new segment is loaded. In a paged system, a virtual-to-
physical translation must be performed for every memory access. This would not be
an issue if the entire page table could be stored in the CPU, but processors with
gigabyte address spaces require very large page tables.
These problems are not insurmountable, however. You can implement a simple
protection scheme with paging alone; plus, on the 80386, you can use segmentation
and paging together. Internal fragmentation is not usually as serious as segment
fragmentation, and the 80386 uses parallelism and a special cache called the
translation lookaside buffer (TLB) to help alleviate the page translation overhead.


Paging on the 80386


The size of a page frame on the 80386 is 4096, or 2^12, bytes. Paging is enabled when
the PG bit of CR0 is set to 1. (Once paging is enabled, usually by operating system
software, it will probably not be disabled.) Translation treats the linear address
generated by the segmentation unit as a virtual address and performs page mapping on
it. Thus, memory references on the 80386 go through the following stages:
Segment:offset -> linear address -> physical address
A linear address is a 32-bit value. To interpret it as a virtual address, take the
high-order 20 bits as a frame name, and use the low-order 12 bits as an offset into
the 4096-byte page. To generate a 32-bit physical address, each entry in the page
table must translate the frame name to a frame address. Frame address 0 corresponds
to physical addresses 0-4095, frame address 1 identifies physical addresses
4096-8191, and so on. A page table entry must also provide additional page status
bits for a protection model and for swapping. Thus, an 80386 page table entry has
this format:

[Page table entry format: the page frame address (31..12) occupies bits 31-12; the
low-order 12 bits hold the Avail field, the reserved bits marked 0, and the D, A,
U/S, R/W, and P bits.]

The bits marked 0 are reserved for use by future Intel processors. The field marked
Avail can be used by system programmers to mark pages that are shared among
tasks, to hold usage information, or to store other paging data. The page frame
address becomes the high-order bits of the physical address. The 80386 sets the D
(dirty) bit to 1 when a write operation occurs within the specified page. The CPU
sets the A (accessed) bit to 1 when any memory access (read, write, or fetch) occurs
within the page.
The U/S and R/W bits are part of paging's protection mechanism. They are discussed
in this chapter's "Page Protection" section.
When the P (present) bit is set to 1, the page is present in memory. If P = 0, the
page is assumed to be swapped to disk, and any attempt to access the page results in
a page fault (interrupt 13). When P = 0, all other bits in the page table (31-1) are
irrelevant to the 80386 and can be used by the system programmer. Frequently, a
swapped page's location on disk is stored in those bits when the page is not present.

Page Tables and Page Directories


Each page is 2^12 bytes, and physical address space is 2^32 bytes, so 2^20 (more
than 1 million) page table entries are required to implement a virtual-to-physical
translation table. Because each entry takes up 4 bytes, a page table requires 4 MB
of memory. If a frame address alone indicated the page table entry, the page table
would require 4 MB of contiguous memory. In a multitasking system that provides a
separate virtual address space for each task, each task requires a 4 MB block of
memory in addition to its code and data.

The solution to this space problem, swapping out the page table, cannot be
implemented with a simple, one-level page table. For example, if a program tries to
access address x, the page table entry (PTE) for x must be brought into memory.
Because the page table is itself paged, the PTE for PTE(x) must be brought into
memory first. Swapping continues until the initial page of the page table is
swapped in.
A better solution, the one implemented by the 80386, is a two-level page table. In
this scheme, the virtual name component of the virtual address (the high-order 20
bits) is split into two parts. The high-order 10 bits are used as an index into a
page directory. A page directory entry (PDE) points to a scaled-down page table that
contains 1024 entries. The 10 bits left over in the virtual address select the page
table entries from the page table. Figure 6-3 illustrates the two-level page
structure.
This structure solves the problem of swapping out the page table because the initial
lookup goes through the page directory. The page directory, with 1024 32-bit
entries, takes up only 4 KB and is permanently stored in memory. Each page table
also takes up 4 KB (fits right into a page!) and has 1024 page table entries.
Register CR3 contains the physical address of the page directory for a task. CR3 is
the only 80386 register that contains a physical memory address. A page directory
entry has the same format as a page table entry except that the D bit is unused and
the A bit is set to 1 whenever one of the page tables pointed to by the page directory

[Figure 6-3. 80386 page table/directory structure.]

A detailed example
Figure 6-4 shows a linear address that is translated to a physical address via
paging. Assume that an instruction refers to the linear address 13A49F01H. The frame
name (13A49H) is split into a directory index (04EH) and a page table index (249H).
The page directory is at the address specified by register CR3, location 1C000H. The
page directory element number 04EH is selected. It contains the value 3A7A2xxxH,
where xxx represents the page status bits. If the present bit is set, the page table
begins at location 3A7A2000H, and page table entry number 249H is selected. In the
example, this entry contains the value 2C115xxxH, where xxx represents the contents
of the status bits. The offset of the linear address is appended to the page
frame to yield a physical address of 2C115F01H.

[Figure 6-4. Page translation process. Linear address 13A49F01H splits into
directory index 04EH (78 decimal), page table index 249H (585 decimal), and offset
F01H; the page directory is located through CR3, and the resulting physical address
is 2C115F01H.]

As the example shows, referring to a single memory location when paging is enabled
requires three references: a memory read of the page directory, a read of
the page table, and the target memory access.

The Translation Lookaside Buffer


To eliminate the extra bus cycles that paging imposes on memory references, the
80386 contains the TLB, a content-addressable cache memory. The TLB stores the
32 most frequently used page table entries and page directory entries on chip.
Whenever a page table request occurs, the TLB is checked first. If the table entry is
found (a "cache hit"), the 80386 translates the address with no additional memory
overhead. More than 98 percent of all references result in a cache hit, leaving less
than 2 percent of all memory references degraded by additional cycles.
The TLB is flushed whenever register CR3 is loaded with a new base address.
Because the table entries are cached on the 80386 chip, maintaining page table
consistency in multiprocessor environments is important. When one processor modifies
a page table (that may be in another processor's cache) or a page directory, the
processor must signal the other processors and force them to flush their TLBs. The
other processors must then load the modified tables. The LOCK prefix should precede
any accesses to the page tables to eliminate simultaneous access.

Page Faults
If a page descriptor is marked not present (P = 0), a page fault (interrupt 14) occurs.
When this happens, register CR2 stores the linear address that caused the fault,
and an error code is pushed onto the stack. Page faults can also be caused by
violations of the page protection rules, described in the next section. Chapter 5
contains additional information about page faults in the section called "Interrupts
and Exceptions."

Page protection
The format of a page directory entry and of a page table entry includes bits marked
U/S and R/W. The U/S bit specifies whether a page is a user page (U/S = 1) or a
supervisor page (U/S = 0). A supervisor page cannot be used by any procedure running
with a CPL of 3. However, a procedure with a CPL of 0, 1, or 2 can access a
supervisor page. User pages are accessible regardless of the CPL. If a page directory
entry is marked with U/S = 0, only a supervisor procedure can access pages in the
page table pointed to by that directory entry, regardless of the U/S setting in the
individual page table entries.
For a user level program (CPL = 3), access to individual pages can be restricted
further with the R/W bit. A user level program can read or can execute any user level
pages but can write to a page only if the R/W bit is set to 1 in the page directory
and in the page table entries. A supervisor level program can read or can write pages
regardless of the settings of the R/W bits. The rules are summarized by these
formulas:
read-access(addr) = (CPL < 3) | (PDE(U/S) = 1 & PTE(U/S) = 1)
write-access(addr) = (CPL < 3) | (read-access(addr) & PDE(R/W) = 1 &
PTE(R/W) = 1)
When a user level process loads a selector, issues a software interrupt, or generates
an access to the GDT, LDT, TSS, or IDT to load a descriptor, system table reads and
writes are treated as supervisor level accesses. Pushing values onto an inner-ring
stack segment is also treated as a supervisor level access. If the system tables had
to be stored in user level pages, they would be less secure than if stored in supervisor
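
The two-level walk from "A detailed example" and the access formulas from "Page protection" fit in one small model. This is an added example, not code from the book: the status-bit positions follow Intel's documented entry layout, the status bits that the text leaves as xxx are constructed here (a user-readable, read-only page), and the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed status-bit positions (Intel's documented 80386 entry layout). */
#define PG_P     0x001u        /* present */
#define PG_RW    0x002u        /* R/W: 1 = writable */
#define PG_US    0x004u        /* U/S: 1 = user page */
#define PG_A     0x020u        /* accessed */
#define PG_D     0x040u        /* dirty */
#define PG_FRAME 0xFFFFF000u   /* page frame address, bits 31..12 */

#define PAGE_FAULT 14

/* Constructed "physical memory": only the two dwords the walk touches.
   The status bits (the xxx in the text) are chosen for the example. */
struct cell { uint32_t addr, val; };
static struct cell phys_mem[] = {
    { 0x0001C000u + 4 * 0x04Eu, 0x3A7A2000u | PG_P | PG_RW | PG_US },  /* PDE 04EH */
    { 0x3A7A2000u + 4 * 0x249u, 0x2C115000u | PG_P | PG_US },          /* PTE 249H */
};
static uint32_t cr3 = 0x0001C000u;   /* page directory base from the text */
static uint32_t cr2;                 /* linear address of the last fault */

static uint32_t *cell_at(uint32_t addr)
{
    for (unsigned i = 0; i < sizeof phys_mem / sizeof phys_mem[0]; i++)
        if (phys_mem[i].addr == addr)
            return &phys_mem[i].val;
    return NULL;
}

/* Unpopulated memory reads as 0, which is an entry with P = 0. */
uint32_t rd32(uint32_t a) { uint32_t *p = cell_at(a); return p ? *p : 0; }
static void wr32(uint32_t a, uint32_t v) { uint32_t *p = cell_at(a); if (p) *p = v; }

static int page_fault(uint32_t linear) { cr2 = linear; return PAGE_FAULT; }
uint32_t last_fault_address(void) { return cr2; }

/* Translate one access. Returns 0 and stores the physical address, or
   PAGE_FAULT with the faulting linear address saved in CR2. */
int translate(uint32_t linear, unsigned cpl, bool write, uint32_t *phys)
{
    uint32_t pde_addr = (cr3 & PG_FRAME) + 4 * (linear >> 22);
    uint32_t pde = rd32(pde_addr);
    if (!(pde & PG_P))
        return page_fault(linear);

    uint32_t pte_addr = (pde & PG_FRAME) + 4 * ((linear >> 12) & 0x3FFu);
    uint32_t pte = rd32(pte_addr);
    if (!(pte & PG_P))
        return page_fault(linear);

    /* The two formulas from the page protection section. */
    bool read_ok  = cpl < 3 || ((pde & PG_US) && (pte & PG_US));
    bool write_ok = cpl < 3 || (read_ok && (pde & PG_RW) && (pte & PG_RW));
    if (write ? !write_ok : !read_ok)
        return page_fault(linear);

    wr32(pde_addr, pde | PG_A);                       /* A is set on any access */
    wr32(pte_addr, pte | PG_A | (write ? PG_D : 0));  /* D is set on a write */
    *phys = (pte & PG_FRAME) | (linear & 0xFFFu);
    return 0;
}

int main(void)
{
    uint32_t pa = 0;
    int rc = translate(0x13A49F01u, 3, false, &pa);
    printf("user read:        rc=%d phys=%08X\n", rc, (unsigned)pa);
    rc = translate(0x13A49F01u, 3, true, &pa);
    printf("user write:       rc=%d CR2=%08X\n", rc, (unsigned)last_fault_address());
    rc = translate(0x13A49F01u, 0, true, &pa);
    printf("supervisor write: rc=%d PTE=%08X\n", rc, (unsigned)rd32(0x3A7A2924u));
    return 0;
}
```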

Combined Paging and Segmentation

Although simulating a flat address space is possible in the 80386, most systems will
probably use some segmentation. No special restrictions apply when combining
segmentation and paging, although observing certain rules can make life easier for
the operating system designer.

For example, segments do not need to fit into a single page or into a multiple of
pages; a page can contain portions of more than one segment, or vice versa. However,
memory management is easier if all segments are multiples of 4096 bytes. You
can mark all segment limits as page granular (G = 1 in the segment descriptor), and
each segment limit field will contain the number of pages required to hold the seg

To support page protection, an operating system should implement at least level 0
and level 3 segment protection rings. This is not a problem, even in systems
simulating a flat memory architecture. All user level programs can share the same
level 3 code segment and level 3 data segment, and the operating system can use two
level 0 segments. Both sets of segments can map into the same linear address space,
so the use of different selectors will be invisible except for the privilege level.

Multitasking
Opsralingsyslcmdcsignerscanchooscio suPporteilhcra singlcmctnorymap (onc
forcrch lxsk)()f muiripiemenxxy maps(onc fbr dtc systemnnd one for caclr.iPPli
clltion).A singlcvirrualrnemofyspaceis dre siNpLcstaPproachihowevcr,anvsys-
tcln thal supponsmultipievirtual8086-modctasksnedsa cliifcrcnlsetof Pxgc
txblcsforeachvs6lask.In vu6 mode,eachiaskaccesses 0 ro I MB
lincar.rddresscs
Thcrc mustbe a scparxlephysicaladdress spaccfor eachlincaradcLressspacc
Figlrrc6-5 on 1hefbllowingpagcsbowshow Vu6taskscanbc mappedto phvsical

The s03s6supportsdiftcrcnrpagetablesfor eachtaskby savingand resloringthc


CR3regisrcfin the taskstatesegmen!To &1veitselff.om havingonc 4 MB pagc
tableper !xsk,an operalingsyslemcanlimir the linexreddressspaceofan applica
Iion to a subsctofpaging's32-bit,1GB vi|tual memorysizc
R)r cxampLe, ifan operatingsystemlimits eachapplicitionto 8 MB oflinear eddress
sprce,it needs1omanageonly two pagetablesirndthe Pagedi.cctory Eachunused
pxge directory enrry is marked not prcsenr(P = 0). Tryiflg to accessan illegxl
memory addressresults i' e pagc fault, and the operating sfslcm can tell whether
the fault representsa swappe.l-out page or an illcgal memofy reference.rigure 6 6
on the followingpagejlluslmtcssucha systeD.

[Figure 6-5. Mapping V86 tasks to physical memory. Each pair of arrows indicates
a set of page mappings.]

[Figure 6-6. Page tables required to support 8 MB of memory. The figure shows an
8 MB virtual address space, page table 0, illegal addresses, and swapped pages.]

Application designers should know address space restrictions. Some operating
systems might have a way to request a larger virtual address space with a system
call, but others might not.
Performance is another concern for application designers in a demand-paged
system. A key to system performance is the size of the application's working set.
The working set is the number of application pages that the operating system tries
to keep in physical memory at one time.
For example, assume that an application is computing the sum of two arrays into a
third array, as represented by the following program fragment:

    int a[1024], b[1024], c[1024];

    for (i = 0; i < 1024; i++)
        a[i] = b[i] + c[i];

The code for the program resides in one page, and each array (a, b, and c) resides in
a separate page. If the operating system provided a working set of three pages per
application, this program would run slowly because two pages would have to be
swapped to disk for every for loop iteration. Figure 6-7 illustrates the swap.

[Figure 6-7. Swapping a working set. Only 3 pages are in memory simultaneously, so
pages must be swapped out and swapped back in 1024 times.]

Most operating systems provide working sets much larger than three pages per
application, but applications with large memory requirements might see similar
results. If you write an application that requires a large amount of memory, you
might improve its performance by changing the program's locality of reference.
The previous program fragment needs access to many pages for every cycle
through the loop. If this program were running under the operating system
described previously, you could increase its performance by changing the data
structure so that a[i], b[i], and c[i] reside in the same page.

    struct {
        int a, b, c;
    } block[1024];

    for (i = 0; i < 1024; i++)
        block[i].a = block[i].b + block[i].c;

The program now runs with only two page swaps, as shown in Figure 6-8.

[Figure 6-8. Reducing swapping via locality of reference. Initial working set allows
67% of the loop to execute without any swapping; then, first block is swapped out
and last block is swapped in to complete the loop.]

Application designers should consider how paging affects their programs. Although
many designers will see no impact on their programs, others might need to modify
code. A classic example is a program such as a LISP interpreter, which manipulates
a large number of linked-list data structures. Unless a mechanism forces locality of
reference on the lists, a user could end up with lists that have pointers to cells
scattered throughout the address space, resulting in excessive swapping overhead.

7
THREE IN ONE

In earlier chapters I alluded to the 80386's ability to run software written for
previous Intel microprocessors. This chapter explores this ability and discusses
how to make the most of it.
The 80386 provides an almost ideal upgrade path from previous generations of Intel
processors. In real mode, the 80386 can run 8086-family programs. It can switch
into protected mode and execute 80286 software. The native mode of the 80386
expands the protected-mode capabilities with 32-bit operations and eliminates the 64
KB segment restrictions of the 80286. Virtual 8086 mode also lets you run real-mode
programs in protected mode; this is advantageous because there are many more
real-mode applications available than protected-mode applications.

Real Mode
When the 80386 is powered up or reinitialized via the hardware RESET line, the
CPU is in real (real-address) mode. In real mode, all of the CPU's protection features
are disabled, paging is not supported, and program addresses correspond to physical
memory addresses. The address space is limited to 1 MB of physical memory.
Real mode is compatible with the 8086, the 8088, the 80186, the 80188, and the real
mode of the 80286. Minor differences between real mode on the 80386 and other
processors are listed in Appendix F.
When the 80386 is reset, the registers are initialized to the values shown in the table
on the following page.

Register   Value         Comment
DH         3             3 for 80386
DL                       Identifies revision number of CPU
EFLAGS     2
IDTR       0 (base), 3FFH (limit)
CS         F000H         Descriptor base set to FFFF0000H
IP         FFF0H         First instruction at FFFFFFF0H
SS         0
ESP        ?             Undefined, load SS:ESP before using stack
DS         0
ES         0
FS         0
GS         0
CR0        0000000*0H    Bit 4 = 1 if 80387 present, 0 otherwise
                         Bits 5-30 undefined

Memory addressing
The 80386's use of shadow registers (segment descriptor caches) provides a key to
understanding real-mode memory addressing. Each 80386 segment register that
holds a selector has an invisible component called a shadow register. In protected
mode, every time a selector is loaded into a segment register, the contents of the
descriptor indicated by the selector are loaded into the shadow portion. In real
mode, the shadow register is loaded with a computed value rather than with a value
extracted from a descriptor. Figure 7-1 illustrates the shadow registers.
When the 80386 is reset, the shadow registers for segments other than CS are loaded
with a base address value of 0 and a limit of 0FFFFH, with attributes set to 16-bit
addressing; 16-bit instruction set; read, write, and execute ability; and privilege
level 0. The CS shadow registers are set with the same limit and access bits as the
other shadow registers, but have a base address of FFFF0000H. Except for the
registers listed in the above table, 80386 registers are undefined.

[Figure 7-1. 80386 shadow registers. Each of the segment registers CS, SS, DS, ES,
FS, and GS has a programmer-accessible part and an invisible descriptor cache that
is not accessible.]

At reset, the limit portions of the shadow registers are set to 0FFFFH, which
indicates a 64 KB segment. The access rights portion is set to a value indicating
that the segment is readable, writable, and executable and that 16-bit addressing
and operand modes are enabled. These values remain constant while the processor is
in real mode, and only the base address value is altered. Each time a segment
register is loaded, the base address portion of the shadow register is set to 16
times the value of the selector. For example, loading DS with the value of 001AH
sets the base address of the DS segment to 01A0H. Because all the segments in real
mode are 64 KB, the segment addressable via DS extends from 01A0H to 1019FH.
Figure 7-2 illustrates physical address generation in real mode.
The highest segment base address that can be generated in real mode is 0FFFF0H,
16 bytes short of 1 MB. Because that segment extends for 64 KB, memory beyond 1
MB can be addressed. Thus, 80386 real-mode addressing is somewhat incompatible
with that of the 8086, which hardware address lines limit to 1 MB. Generally, this
limitation can be ignored because 8086 programs do not use it. If needed, external
hardware can be added to the 80386 to limit system address space to 20 bits while
operating in real mode.
The reset state of the CS shadow register does not follow the "selector times 16"
rule. Because the initial base address for the code segment is set to FFFF0000H,
ROMs that handle processor reset can be placed at the end of the address space.
The first CALL or JMP instruction that loads CS after reset forces the base address
into the first megabyte of address space.

[Figure 7-2. Real-mode addressing.]

16-bit instruction set

The predefined shadow register values cause another side effect. The D bit in the
access rights field is always set to 0 in real mode. Thus, the 80386 is forced to
operate in 16-bit mode unless it encounters an OPSIZ or ADRSIZ prefix.

To understand how the D bit works, examine the 8086 instruction set. Most 8086
instructions execute with either a byte operand or a word operand. The byte/word
indicator is encoded in one bit in the instruction. For example, the opcode for
negating a byte operand is 11110110B, and the opcode for negating a word operand is
11110111B.
Rather than invent new opcodes for 32-bit (dword) operands, 80386 designers
changed the meaning of the opcode bit that signifies a word operand. When
executing in a native-mode (32-bit) segment, where the D bit in the segment
descriptor is set to 1, executing opcode 11110110B means negate byte and 11110111B
means negate dword. The instructions refer to bytes and dwords rather than to bytes
and words. When the D bit of a descriptor is set to 0, however, the opcodes retain
their original meanings.
The D bit also affects address computation for memory operands and the stack.
When D = 0, corresponding to the 8086, the 16-bit registers are used in calculating
segment offsets, as in MOV AL, [SI+8]. When D = 1, corresponding to the 32-bit
native mode of the 80386, the same opcode bits cause the memory address to be
calculated using the 32-bit registers, and the instruction becomes
MOV AL, [ESI+8].
When D = 0 in stack segment descriptors, PUSH and POP instructions access 16-bit
operands. When D = 1, 32-bit pushes and pops are executed.
The OPSIZ and ADRSIZ prefixes can override the current D bit setting for an
instruction. Thus, 32-bit native-mode instructions can be prefixed to use 16-bit
operands, and 16-bit code can be prefixed to access 32-bit operands and 32-bit
addressing modes. The new 80386 addressing features (such as indexing) are not
available in segments that have the D bit set to 0 unless the ADRSIZ prefix is used.
You need not specify the prefix instructions; use extended-addressing mode, and
the assembler will insert the prefix.
When using extended addressing in real mode, observe the 64 KB segment size
limitation. In real mode, address offsets greater than 65535 return an interrupt 13.

Interrupt processing
Interrupt handling is different in real mode than it is in protected mode. As in
protected mode, the IDTR contains the base address and limit of the interrupt table.
For 8086 compatibility, the base is initialized to physical address 0 with a limit of
3FFH. In real mode, however, the interrupt table does not hold descriptors; each
interrupt has a 32-bit selector:offset address that points to the routine to be
invoked when an interrupt occurs. Thus, each entry is 4 bytes rather than 8 bytes.
Figure 7-3 illustrates the real-mode interrupt vector table.
Processing of an interrupt in real mode is similar to that in protected mode except
for the use of vectors instead of descriptors. A software or hardware interrupt causes
the 16-bit FLAGS register to be pushed onto the stack, followed by the current CS
and IP. The IF and TF flags are cleared to 0, disabling interrupts and
single-stepping.

[Figure 7-3. Real-mode interrupt vector table.]

The pointer from the interrupt table is loaded into CS and IP, and processing
continues at the new location. Automatic task switching and interrupt gates are not
present because no descriptor tables exist in real mode. The vector in the interrupt
table specifies a new execution address only.

Real-mode restrictions
You can use all the instructions added to the Intel 80386 architecture since the
introduction of the 8086, with the exception of:
LAR
LLDT
LSL
LTR
SLDT
STR
VERR
VERW
Real mode does not support the ways that these instructions access protected-mode
selectors and descriptors. Executing one of these instructions returns an undefined
opcode fault (interrupt 6).
You can execute all other 80386 instructions. Real-mode programs can access any
80386 register, including the control, debug, and test registers.
Real mode does not support paging. Setting the PG bit in register CR3 to enable
paging causes a protection fault.
Appendix F outlines the differences among the operations of the 8086, the 80286 in
real mode, and the 80386.

Protected Mode
Setting the low-order bit of CR0 to 1 switches the processor into protected mode.
The processor will run in protected mode even if no setup is done. That is, it will
run until the first interrupt, FAR program transfer, or segment register load. At this
point, the processor needs to access a descriptor table. Because the 80386 depends
on descriptor tables, the system will shut down if the descriptor tables have not been
initialized.
Protected-mode initialization requires you to set up a global descriptor table and
interrupt descriptor tables and to create a task state segment for the first process.
The initial descriptor tables may be stored in ROM, but they must be copied to RAM
before setting the GDTR and IDTR to point to them because the 80386 needs to
write to the descriptors as well as read from them.
Figure 7-4 shows a simple initial GDT. This GDT would be sufficient to run
additional startup code. You could also build the operating system image in real mode
and then switch into protected mode. An advantage of switching into protected
mode as soon as possible after reset is that the 80386 hardware can help trap startup
bugs early in the code development cycle.
In Figure 7-4, GDT(0) is unused because a selector value of 0 is treated as a special
case, a NULL pointer. Thus, any descriptor at GDT(0) will never be used. GDT(1)
points to the GDT as a writable data segment, allowing the operating system to add,
delete, and change descriptors as needed. GDT(2) points to the IDT as a writable
data segment for the same reason. GDT(3) defines the TSS for the startup task,
GDT(4) defines the task's data segment, and GDT(5) defines the task's code
segments, which are in ROM.

Figure 7-4. A simple GDT.


Before enabling protected mode, the GDTR must be loaded with the address and limit of the GDT. The IDT should [...] any faults that occur during startup. The IDTR is initialized to point to the IDT, and TR is loaded with the selector of GDT(3). The PE bit is then set in the CR0 register to enable protected mode. Next, a FAR jump instruction loads the CS register with a valid protected-mode descriptor. Finally, the stack segment, stack pointer, and data segment registers are loaded. The initialization will build the rest of the operating system, enable paging, and start application programs.

80286 compatibility
Protected-mode 80286 code executes on the 80386 if the fourth word of each descriptor is initialized to 0. Descriptors are 64 bits on the 80286, as on the 80386, but the last 16 bits are unused. In the 80386, the extra bits specify the high order of the base address and the limit fields and contain the G and D control bits. These new fields should be set to 0, restricting segment limits to 64 KB and activating the 16-bit instruction set (which is compatible with the 80286).
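The fourth-word rule above can be checked mechanically. The following C sketch is an added example, not code from the book: it packs a descriptor from its four 16-bit words and reports which 80386-only fields are in use. The struct and function names, the access-byte values 92H and 9AH, and the sample segments are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Logical view of a segment descriptor (names are illustrative). */
struct seg {
    uint32_t base;    /* 32-bit linear base address               */
    uint32_t limit;   /* raw 20-bit limit field                   */
    uint8_t  access;  /* access-rights byte (P, DPL, S, type)     */
    int      g;       /* granularity bit: limit counts 4 KB pages */
    int      d;       /* default operand size bit: 32-bit code    */
};

/* Fields that live in the fourth word and exist only on the 80386. */
enum {
    USES_LIMIT_HI = 1,  /* limit bits 19..16 */
    USES_D        = 2,
    USES_G        = 4,
    USES_BASE_HI  = 8   /* base bits 31..24  */
};

/* Build the 64-bit in-memory descriptor from its four 16-bit words. */
static uint64_t desc_pack(struct seg s)
{
    uint64_t w0 = s.limit & 0xFFFFu;
    uint64_t w1 = s.base & 0xFFFFu;
    uint64_t w2 = ((s.base >> 16) & 0xFFu) | ((uint64_t)s.access << 8);
    uint64_t w3 = ((s.limit >> 16) & 0x0Fu)
                | (s.d ? 0x40u : 0u)
                | (s.g ? 0x80u : 0u)
                | (((s.base >> 24) & 0xFFu) << 8);
    return w0 | (w1 << 16) | (w2 << 32) | (w3 << 48);
}

/* Inverse of desc_pack. */
static struct seg desc_unpack(uint64_t d)
{
    struct seg s;
    uint32_t w3 = (uint32_t)(d >> 48);
    s.limit  = (uint32_t)(d & 0xFFFFu) | ((w3 & 0x0Fu) << 16);
    s.base   = (uint32_t)((d >> 16) & 0xFFFFFFu) | ((w3 >> 8) << 24);
    s.access = (uint8_t)(d >> 40);
    s.d      = (int)((w3 >> 6) & 1u);
    s.g      = (int)((w3 >> 7) & 1u);
    return s;
}

/* Offset of the last addressable byte in the segment. */
static uint32_t seg_last_offset(struct seg s)
{
    return s.g ? ((s.limit << 12) | 0xFFFu) : s.limit;
}

/* Which 80386-only fields does the descriptor use? */
static unsigned desc_386_fields(uint64_t d)
{
    uint32_t w3 = (uint32_t)(d >> 48);
    unsigned used = 0;
    if (w3 & 0x000Fu) used |= USES_LIMIT_HI;
    if (w3 & 0x0040u) used |= USES_D;
    if (w3 & 0x0080u) used |= USES_G;
    if (w3 & 0xFF00u) used |= USES_BASE_HI;
    return used;
}

/* 80286-compatible means the whole fourth word is 0. */
static int desc_is_286_compatible(uint64_t d)
{
    return (d >> 48) == 0;
}

int main(void)
{
    /* Constructed sample segments. */
    struct seg samples[] = {
        { 0x00012345u, 0x0FFFFu, 0x92, 0, 0 },  /* 64 KB data, base below 16 MB */
        { 0x00000000u, 0xFFFFFu, 0x9A, 1, 1 },  /* flat 4 GB 32-bit code        */
        { 0x01000000u, 0x0FFFFu, 0x92, 0, 0 },  /* 64 KB data, base at 16 MB    */
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t d = desc_pack(samples[i]);
        printf("%016llX  last offset %08lX  286-compatible=%d  386 fields=%u\n",
               (unsigned long long)d,
               (unsigned long)seg_last_offset(desc_unpack(d)),
               desc_is_286_compatible(d), desc_386_fields(d));
    }
    return 0;
}
```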
The 80286 and the 80386 operate similarly; the few differences in operation concern performance and newly implemented features and instructions. The 80386 allows the LOCK prefix to precede the following instructions only when they modify memory:

ADC     INC
ADD     NEG
AND     NOT
BT      OR
BTC     SBB
BTR     SUB
BTS     XCHG
DEC     XOR
Illegal use of the LOCK prefix results in a protection fault on the 80386. Additionally, the 80286 locks all of physical memory during the instruction; on the 80386, the locked area is the memory region with the same starting address and length as the operand of the locked instruction.
The machine status word (MSW) is the low-order 16 bits of register CR0. The MSW is initialized to 0FFF0H on the 80286, but it is initialized to 0 on the 80386. Registers that are specified as undefined at reset might have different values than they do on the 80286.
At reset, the base address of the CS register is different on the 80386 than it is on the 80286. The CS register is set to the last 16 bytes of address space on both processors, but the 80286 supports only 24-bit addresses; the 80386 supports 32-bit addresses.


Returning to real mode

In general, an operating system should not switch the 80386 to real mode after running in protected mode. Returning to real mode compromises operating system security because real mode is more vulnerable to crashes. To run real-mode programs, create special tasks that run in virtual 8086 (V86) mode. The next section discusses this process.

If you must return to real mode, follow this procedure: If paging is enabled, turn it off by branching to a routine whose linear and physical addresses are the same, clearing the PG bit in CR0, and moving 0 into CR3 to flush the TLB.

The attribute bits in each segment descriptor must be set to values compatible with real-mode operation (that is, they must be byte-granular segments with a limit of 0FFFFH, and the G and D bits must be 0). CS must be marked executable, and SS, DS, ES, FS, and GS should be writable segments. (Change the CS selector by issuing a FAR jump or call instruction.)

Disable interrupts, and load the IDTR with a base address of 0 and a limit of 3FFH. Clear the PE bit of the CR0 register to return to real mode, and execute a FAR jump to flush the 80386 instruction queue and initialize CS to a valid real-mode base

Once you load the stack pointer (SS:SP) and the other segment registers, programs can continue processing in real mode.

Virtual 8086 Mode


Just as virtual memory allows the processor to create the impression of memory that isn't really there, virtual 8086 mode allows the 80386 to create the illusion of multiple 8086 processors. This illusion is so nearly complete that multiple 8086-based operating systems can run under a supervisory protected-mode operating system. For example, assume that the native-mode operating system for an 80386 computer is UNIX and that support for V86 mode is built in. In addition to running multiple UNIX tasks, the user can run a copy of MS-DOS and a word processor in a V86 window. The user can also invoke another virtual 8086 session running a spreadsheet under Windows. Each V86 task believes that it is running on a separate 8086 machine but actually runs concurrently with host operating system tasks.
V86 mode was designed for the 80386 in response to the negative reaction toward 80286 protected mode. Application designers developed a large software base for the 8086 family under MS-DOS. The 8086 and 8088 processors support only real-mode programming, and MS-DOS is sensitive to the mapping between selector values and physical addresses. When Intel introduced the 80286, developers found that MS-DOS programs had problems running in protected mode.


If MS-DOS were less sensitive to physical addressing, most applications could be easily ported to 80286 protected mode. Operating systems such as Concurrent CP/M and Microsoft Windows created environments that relied less on the idiosyncrasies of real mode, but because of DOS's wide popularity the marketplace demanded support of real mode.
V86 mode was Intel's response to the demand for support of real mode. The 80386's paging and multitasking capabilities enabled designers to implement V86 mode, which overcomes the 1 MB nonprotected limitations of real mode. Because a TSS contains an image of all the general registers, it is the basis of a register image for a virtual machine (in this case, an 8086). Additionally, the TSS contains the extra information needed for protected mode: the inner-ring stack pointers and the page map base register (CR3). The operating system creates a V86 task by setting the VM bit in the EFLAGS image of the task's TSS.
When a task is invoked and the EFLAGS register is loaded (setting the processor's VM bit), the task's code portion behaves as if it were running in real mode. The task does not use descriptors; base addresses are generated by multiplying the selector value by 16. The difference between real mode and V86 mode is that real-mode addresses are physical addresses and V86-mode addresses are linear addresses that can be mapped via paging hardware.
Thus, the executing program makes the same assumptions about selectors and addresses that a real-mode program does, but the paging hardware, under control of the native-mode supervisor, controls which physical addresses are used by the V86 task. The entire 4 GB address space is available for remapping the V86 task's addresses. The other issue that designers of the 80386 had to face was integrating real-mode programs into a secure, protected-mode environment.
Memory references were not a problem. The paging hardware can isolate the V86-mode program address space from protected-mode programs, preventing data corruption. Besides memory, the only external interfaces to the 80386 CPU are I/O ports and interrupts.

I/O in V86 mode

In protected mode, the I/O privilege level (IOPL) determines whether a procedure can perform I/O instructions. In V86 mode, IOPL protects the interrupt flag (IF), and I/O port protection is performed through the I/O permission bits in the TSS. V86-mode programs run in ring 3; thus, they cannot alter the value of IOPL.
The CPL of a V86-mode task is always 3. If the system IOPL is less than 3, the instructions on the following page return a general protection fault (interrupt 13) with an error code of 0. I/O instructions are not IOPL-sensitive in V86 mode.


CLI
INT
IRET
LOCK
POPF
PUSHF
STI
If the system runs with an IOPL of 3, the V86-mode task will execute the instructions above without triggering the general protection fault. This creates a problem because these instructions modify the interrupt flag. Although 80386 performance may be higher when IOPL = 3, this operating mode is not recommended. Allowing a V86-mode task to disable interrupts could result in a data loss or a system shutdown. For example, the following two-line assembly program locks the system and requires a complete power cycle to bring the system back on line:
        cli
l1:     jmp     l1

Designing a reliable system that runs V86-mode tasks with IOPL = 3 requires hardware support and cannot be implemented with software alone. For example, a watchdog timer can be connected to the NMI interrupt, forcing control back to the operating system if an application appears to have crashed the system.
The I/O permission bitmap of the V86 task state segment determines whether the I/O instruction executes or causes an exception. Figure 7-5 illustrates the I/O permission bitmap in a V86 task state segment.

Figure 7-5. I/O permission bitmap.


A tradeoff exists between performance and protection. If you allow all tasks to issue I/O instructions, more than one task might access a device simultaneously. However, if you trap all I/O instructions, programs might run slowly. A compromise is to mark I/O address space as inaccessible until the first fault occurs. By trapping the first I/O instruction to a given port, the operating system can determine whether another task is using the device. If not, the permission bits for the faulting task can be modified to grant access to the specific device, and the task can resume processing at full speed. If some other task is accessing the device, the faulting task can be suspended or terminated.
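The trap-on-first-use compromise described above, as an added C sketch that is not code from the book. It assumes the 80386 convention that a set bit in the I/O permission bitmap causes a fault and that every byte of a multi-byte access is checked; the task structure, the owner table, and the port numbers are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPORTS   65536u
#define NO_OWNER 0xFFu            /* task ids must differ from this value */

enum fault_action { RESUME_GRANTED, SUSPEND_TASK };

/* Hypothetical per-task state: only the bitmap portion of the TSS. */
struct v86_task {
    uint8_t id;
    uint8_t iomap[NPORTS / 8];    /* bit = 1: trap, bit = 0: allow */
};

/* Supervisor's record of which task currently uses each port. */
static uint8_t port_owner[NPORTS];

static void owners_reset(void)
{
    memset(port_owner, NO_OWNER, sizeof port_owner);
}

/* New tasks start with the whole I/O space marked inaccessible. */
static void task_init(struct v86_task *t, uint8_t id)
{
    t->id = id;
    memset(t->iomap, 0xFF, sizeof t->iomap);
}

/* The bitmap test applied to an I/O instruction: every port the
 * access touches must have a 0 bit, or the instruction faults. */
static int io_allowed(const struct v86_task *t, uint32_t port, unsigned width)
{
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = port + i;
        if (p >= NPORTS || (t->iomap[p >> 3] & (1u << (p & 7))))
            return 0;
    }
    return 1;
}

/* Fault handler policy: grant the ports if nobody else holds them,
 * otherwise leave the bitmap untouched and suspend the task. */
static enum fault_action on_io_fault(struct v86_task *t, uint32_t port,
                                     unsigned width)
{
    unsigned i;

    /* First pass: refuse before changing anything. */
    for (i = 0; i < width; i++) {
        uint32_t p = port + i;
        if (p >= NPORTS)
            return SUSPEND_TASK;
        if (port_owner[p] != NO_OWNER && port_owner[p] != t->id)
            return SUSPEND_TASK;
    }
    /* Second pass: record ownership and clear the trap bits. */
    for (i = 0; i < width; i++) {
        uint32_t p = port + i;
        port_owner[p] = t->id;
        t->iomap[p >> 3] &= (uint8_t)~(1u << (p & 7));
    }
    return RESUME_GRANTED;
}

int main(void)
{
    static struct v86_task a, b;  /* two constructed V86 tasks */

    owners_reset();
    task_init(&a, 1);
    task_init(&b, 2);

    printf("A before fault: allowed=%d\n", io_allowed(&a, 0x3F8, 1));
    printf("A first access: %s\n",
           on_io_fault(&a, 0x3F8, 1) == RESUME_GRANTED ? "granted" : "suspended");
    printf("A after grant:  allowed=%d\n", io_allowed(&a, 0x3F8, 1));
    printf("B same port:    %s\n",
           on_io_fault(&b, 0x3F8, 1) == RESUME_GRANTED ? "granted" : "suspended");
    return 0;
}
```

After the grant, the owning task's later accesses to that port pass the bitmap test without entering the supervisor, which is where the speed of the compromise comes from.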
Memory-mapped devices must be controlled through paging hardware. Pages that correspond to device addresses can be marked "not present" to cause a fault, or they can be mapped to other devices or memory locations for subsequent processing. (The latter is effective for display devices.)

Interrupt handling in V86 mode

Because V86 mode is part of the protected-mode environment, interrupts are handled through the standard protected-mode IDT. The interrupt causes the processor to switch to an inner-ring stack segment. The stack segment's selector is taken from the TSS and is a standard protected-mode selector, as opposed to the value of SS that the V86-mode task is using. Hardware interrupts are fielded by the routines or tasks designated by the gates in the IDT. Software interrupt instructions in the V86 task usually refer to routines in the virtual machine operating system; they are unlikely to correspond to the vectors implemented by the supervisory operating system. Therefore, any operating system that supports V86 tasks must be aware of two possible outcomes of a software INT instruction executed by a V86-mode program.
The most likely outcome is a general protection fault (interrupt 13). Because V86 tasks execute at privilege level 3, accessing a more privileged ring's descriptor causes a general protection fault. The interrupt 13 fault handler must detect when it has been invoked due to a software interrupt instruction from a V86 task.
The error code on the stack indicates the vector that caused the general protection fault. The handler can fetch the contents of the V86 interrupt vector from the V86 task image and branch back to the V86 routine.
A less likely outcome occurs only when IOPL = 3 and when the gate in the IDT has a level 3 descriptor. In this case, the software interrupt causes a branch to the routine pointed to by the gate. This routine must be in ring 0 to prevent a general protection fault. Any interrupt routine that can be invoked by a level 3 gate in the IDT must examine the VM bit in the EFLAGS image on the stack to determine whether the interrupt handler was invoked by a standard protected-mode routine or by a V86 task.


Whenever an interrupt occurs while the processor is executing a V86-mode task, control moves to a ring 0 code segment. Control may transfer directly to ring 0, or it may transfer to the general protection fault handler (which must be in ring 0). The ring 0 stack is slightly different when control comes from a V86 task than when it comes from a protected-mode procedure. All segment registers are pushed onto the ring 0 stack when an interrupt or trap occurs in a V86 task. Figure 7-6 illustrates the differences in the stacks. Note that an error code will also be pushed for certain ex-

In addition to the extra values pushed onto the stack, all segment registers are reloaded during the transition through the gate. DS, ES, FS, and GS are loaded with a null selector (0), SS is loaded from the ring 0 stack selector in the TSS for the V86 task, and CS is loaded with the descriptor from the interrupt or task gate.
The segment registers must be loaded with new values if the executing task is a V86 task. Before an interrupt, the segment registers contain real-mode style segment addresses, which are not valid selectors for the protected-mode interrupt handler. When the interrupt handler returns via the IRET instruction, the 80386 checks the saved EFLAGS image in the level 0 stack. If the saved VM bit is set, the CPU recognizes that it is returning to a V86-mode task and reloads the segment registers with the saved values on the stack.

Interrupt stack after transition to ring 0 in protected mode
Figure 7-6. Ring 0 interrupt stack: V86 vs. protected mode.

THE 80386/80387 INSTRUCTION SET REFERENCE

This chapter of The 80386 Book provides a reference for the 80386 and 80387 instruction sets. The instructions are in alphabetical order, with floating-point instructions following the 80386 instruction pages.
The experienced user can find information with a quick glance at the first part of an instruction; a less experienced user can refer to the detailed descriptions and
Operators
The following reference pages use these operators:

Operator   Meaning           Operator   Meaning

+          Addition          &          Boolean AND
-          Subtraction       >          Greater than
*          Multiplication    <          Less than
÷          Division          >>         Shift right
~          Not               <<         Shift left
=          Equal to          ≤          Less than or equal to
≠          Not equal to      ≥          Greater than or equal to
|          Or                ←          Assignment
^          Exclusive OR


MNEMONIC. Used by the assembler to represent the instruction.

NAME. Name of the instruction.

PROCESSOR TYPE. Processors that support the instruction. Note that earlier processors supported only 8-bit or 16-bit forms.

OPERAND SIZES. When many different operands may be used, this field indicates legal sizes. If the instruction requires more than one operand, they are assumed to be the same size. Unless otherwise stated, 8 = 8-bit operands; 16 = 16-bit operands; 32 = 32-bit operands; 16p = The instruction accepts 16-bit operands by using the 32-bit form and the OPSIZ instruction prefix.

SYNTAX. Generic instruction format.

OPERATION. Pseudocode operation description.

LEGAL FORMS. Legal forms of the instruction. reg = one of the general registers EAX, ESI, BX, DI, BP, DX, etc. mem = a memory operand ([ECX+7], etc.). idata = an immediate data value (62, 17A3H, etc.). sreg = a segment register. offset = an offset from the current CS:IP.

DESCRIPTION. Description of the instruction.

FAULTS. Faults that may be triggered by the instruction. The abbreviations used include:
#UD (undefined opcode)
#NP (not present)
#TS (task ...)
#GP (general protection)
#SS (stack fault)
#PF (page fault)
A value in parentheses indicates that an error code is pushed onto the stack.

FLAGS.
OF = Overflow flag.
DF = Direction flag.
IF = Interrupt enable flag.
TF = Trap flag.
SF = Sign flag.
ZF = Zero flag.
AF = Auxiliary flag.
PF = Parity flag.
CF = Carry flag.
An "x" in a box indicates that the specified bit is modified by the instruction. A "-" in a box means that the specified bit value remains unchanged. A "?" means that the instruction sets the flag to an unknown value. If a "0" or "1" is in a box, the instruction sets the specified bit to that value.

EXAMPLE. Code that illustrates use of the instruction.

AAA 8086/80186/80286/80386
ASCII Adjust After Addition (8)

Syntax

Operation
if (AF | ((AL & 0FH) > 9)) then
    AL ← (AL + 6) & 0FH

endif

Legal Form

Description
This instruction ensures that an ASCII or BCD addition results in a valid BCD digit. After executing an ADD or ADC instruction that leaves a single BCD or ASCII digit in register AL, execute AAA to produce a valid BCD result.
If the value in AL produces a decimal overflow, the BCD digit is forced into the legal range (0-9), and AH is incremented. The high-order nibble is zeroed so that AL contains only the resulting single BCD digit, and the AF and CF flags are set to 1. If no overflow occurs, the AF and CF flags are reset to 0.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
MOV   AL, '5'      ; Binary 35H
ADD   AL, '7'      ; Add binary 37H yielding 6CH
AAA                ; AL ← 02H, AH ← AH + 1, decimal carry set
OR    AL, 30H      ; Convert resulting digit to ASCII '2'


AAD 8086/80186/80286/80386
ASCII Adjust Before Division (16)

Syntax

Operation
AL ← AH * 10 + AL

Legal Form

Description
This instruction supports BCD division. Before execution, the AL register should contain a single, unpacked BCD digit. The AH register should hold the next higher-order BCD digit. After executing the AAD instruction, AX contains the binary equivalent of the two BCD digits. You can then issue the divide instruction, which leaves a binary result.

Flags
OF DF IF TF SF ZF AF PF CF
x ?

Faults
None.

Example
MOV   AH, '4'      ; High-order digit
MOV   AL, '2'      ; Low-order digit (AX = ASCII 42)
AND   AX, 0F0FH    ; Convert to unpacked BCD
AAD                ; AX ← 2AH (42 decimal)
MOV   BL, 6        ; Divisor for 42/6
DIV   BL           ; AL ← 7 (quotient), AH ← 0 (remainder)
OR    AL, 30H      ; Convert result to ASCII '7'


AAM 8086/80186/80286/80386
ASCII Adjust After Multiplication (8)

Syntax

Operation

Legal Form

Description
The AAM instruction converts the result of a single-digit BCD multiplication (a value 0-81) in the AX register to two unpacked BCD digits, the high-order digit in AH and the low-order digit in AL.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
MOV   AL, 4        ; Multiplicand
MOV   AH, 8        ; Multiplier
MUL   AH           ; AX ← 20H, 32 decimal
AAM                ; AH ← 3, AL ← 2
OR    AX, 3030H    ; Convert to ASCII '32'


AAS 8086/80186/80286/80386
ASCII Adjust After Subtraction (8)

Syntax

Operation
if (AF | (AL & 0FH) > 9) then
    AL ← (AL - 6) & 0FH

Legal Form

Description
This instruction ensures that an ASCII or BCD subtraction results in a valid BCD digit. After executing a SUB or SBB instruction that leaves a single BCD or ASCII digit in register AL, execute AAS to produce a valid BCD result.
If the value in AL produces a decimal borrow, the BCD digit is forced into the legal range (0-9) and AH is decremented. The high-order nibble is zeroed so that AL contains only the resulting single BCD digit, and the AF and CF flags are set to 1. If no borrow occurs, the AF and CF flags are reset to 0.

Flags
OF DF IF TF SF ZF AF PF CF
? ?

Faults
None.

Example
MOV   AL, '5'      ; 35H
SUB   AL, '7'      ; Subtract 37H yielding 0FEH
AAS                ; AL ← 08H, carry set indicating "borrow"
OR    AL, 30H      ; Convert result back to ASCII '8'


ADC 8086/80186/80286/80386
Add with Carry (8/16p/32)

Syntax

Operation
dest ← dest + src + CF

Legal Forms
      dest   src
ADC   reg,   idata
ADC   mem,   idata
ADC   reg,   reg
ADC   reg,   mem
ADC   mem,   reg

Description
This instruction adds the contents of the dest and src operands, increments the result by 1 if the carry flag is set, and stores the result in the location specified by dest. The operands must be of the same size. If the operands are signed integers, the OF flag indicates an invalid result. If the operands are unsigned, the CF flag indicates a carry out of the destination.

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)
14    #PF(ec)

Example
; Subroutine to add two 64-bit integers
ENTER  0, 0             ; Create stack frame
MOV    EAX, [EBP+8]     ; Get low-order of first value
MOV    EDX, [EBP+12]    ; Get high-order of first value
ADD    EAX, [EBP+16]    ; Add low-order bits, generating carry
ADC    EDX, [EBP+20]    ; Add high-order bits with previous carry
LEAVE                   ; Undo stack frame
RET                     ; Return with value in EDX:EAX


ADD 8086/80186/80286/80386
Integer Addition (8/16p/32)

Syntax

Operation
dest ← dest + src

Legal Forms
      dest   src
ADD   reg,   idata
ADD   mem,   idata
ADD   reg,   reg
ADD   reg,   mem
ADD   mem,   reg

Description
This instruction adds the contents of the dest and src operands and stores the result in the location specified by dest. The operands must be of the same size. If the operands are signed integers, the OF flag indicates an invalid result. If the operands are unsigned, the CF flag indicates a carry out of the destination. If the operands are unpacked BCD digits, the AF flag indicates a decimal carry.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)
14    #PF(ec)

Example
ADD   AL, [4211A]       ; 8-bit addition
ADD   AX, 34            ; 16-bit immediate value addition
ADD   ESI, [EBP+8]      ; 32-bit memory addition to register


AND 8086/80186/80286/80386
Boolean AND (8/16p/32)

Syntax

Operation
dest ← dest & src
CF ← 0
OF ← 0

Legal Forms
      dest   src
AND   reg,   idata
AND   mem,   idata
AND   reg,   reg
AND   reg,   mem
AND   mem,   reg

Description
This instruction performs a bit-by-bit AND operation on the dest and src operands and stores the result in the dest operand. The AND operation is defined as follows:
0 & 0 = 0
0 & 1 = 0
1 & 0 = 0
1 & 1 = 1

Flags
OF DF IF TF SF ZF AF PF CF
0

Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)
14    #PF(ec)

Example
AND   AL, 0FH                  ; Zero high-order nibble of AL
AND   EBX, ECX                 ; Compute EBX ← EBX & ECX
AND   BYTE PTR [EBP+6], 7FH    ; Mask off high-order bit of memory operand


ARPL 80286/80386
Adjust RPL Field of Selector (16)

Syntax

Operation
if (dest.RPL < src.RPL) then
    dest.RPL ← src.RPL
    ZF ← 1

    ZF ← 0

Legal Forms
       dest   src
ARPL   reg,   reg
ARPL   mem,   reg

Description
System software uses this instruction to modify a selector's requested privilege level (RPL) field. Both the dest and src operands must be valid selectors.
If the RPL of the dest operand is numerically less than the RPL of the src, that is, if the dest selector is more privileged, the dest selector's RPL is lowered to match that of the src, and the ZF flag is set to 1. If the dest selector is less privileged (numerically higher) than the src, the ZF flag is cleared to 0, and the dest operand is not modified.
Operating system routines that are passed selectors from applications should use ARPL to ensure that the calling routine has not passed a selector with a higher privilege than the application is allowed. Use the calling routine's CS register as the src

Flags
OF DF IF TF SF ZF AF PF CF


Faults
      PM        RM        V8086
6               INT 6     #UD()
12    #SS(0)
13    #GP(0)
14    #PF(ec)

Example
MOV    AX, [EBP+12]     ; Get parameter off the stack
ARPL   AX, [EBP+2]      ; Adjust to caller's RPL (previous CPL) by
                        ; using CS of return address on stack
JNZ    bad_param        ; Branch if caller passed a bad selector
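The selector check that ARPL supports, modeled in C as an added example that is not code from the book. It emulates the Operation pseudocode above and applies the 80386 data-segment rule that an access succeeds only when both CPL and RPL are numerically no greater than the segment's DPL; the descriptor table, selector values, and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define RPL(sel)    ((unsigned)((sel) & 3u))
#define INDEX(sel)  ((unsigned)((sel) >> 3))

/* Result of emulating ARPL: adjusted selector plus the ZF value. */
struct arpl_result {
    uint16_t dest;
    int      zf;
};

/* ARPL as described on this page: raise dest.RPL to src.RPL when
 * dest claims more privilege than src, and report that through ZF. */
static struct arpl_result arpl(uint16_t dest, uint16_t src)
{
    struct arpl_result r = { dest, 0 };
    if (RPL(dest) < RPL(src)) {
        r.dest = (uint16_t)((dest & ~3u) | RPL(src));
        r.zf = 1;
    }
    return r;
}

/* Constructed descriptor table: DPL of each data segment by index. */
static const unsigned seg_dpl[] = {
    0,  /* index 0: null descriptor, never usable */
    0,  /* index 1: kernel data, DPL 0            */
    3,  /* index 2: user data, DPL 3              */
};
#define NSEGS (sizeof seg_dpl / sizeof seg_dpl[0])

/* Data-segment privilege check: max(CPL, RPL) must be <= DPL. */
static int data_access_ok(unsigned cpl, uint16_t sel)
{
    unsigned idx = INDEX(sel);
    unsigned eff = cpl > RPL(sel) ? cpl : RPL(sel);
    if (idx == 0 || idx >= NSEGS)
        return 0;
    return eff <= seg_dpl[idx];
}

/* Ring 0 service that uses the caller's selector as passed. */
static int service_unchecked(uint16_t param_sel)
{
    return data_access_ok(0, param_sel);
}

/* Same service, adjusting the selector against the caller's CS
 * (taken from the return address on the stack) before using it. */
static int service_checked(uint16_t param_sel, uint16_t caller_cs)
{
    struct arpl_result r = arpl(param_sel, caller_cs);
    return data_access_ok(0, r.dest);
}

int main(void)
{
    const uint16_t kdata_rpl0 = 0x08;  /* index 1, RPL 0 (forged by caller) */
    const uint16_t udata_rpl3 = 0x13;  /* index 2, RPL 3                    */
    const uint16_t user_cs    = 0x1B;  /* caller's CS, RPL 3                */

    struct arpl_result r = arpl(kdata_rpl0, user_cs);
    printf("ARPL %04X,%04X -> %04X ZF=%d\n", kdata_rpl0, user_cs, r.dest, r.zf);
    printf("unchecked, forged kernel selector: %s\n",
           service_unchecked(kdata_rpl0) ? "access allowed" : "fault");
    printf("checked, forged kernel selector:   %s\n",
           service_checked(kdata_rpl0, user_cs) ? "access allowed" : "fault");
    printf("checked, caller's own data:        %s\n",
           service_checked(udata_rpl3, user_cs) ? "access allowed" : "fault");
    return 0;
}
```

Without the adjustment, the ring 0 routine reaches the DPL 0 segment on the caller's behalf; after it, the same access is checked at the caller's privilege level and fails.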


BOUND 80186/80286/80386
Check Array Boundaries (16p/32)

Syntax

Operation
if ((dest < src[0]) | (dest > src[1])) then
    INT 5

Legal Form

BOUND reg, mem

Description
This instruction compares the dest operand, which must be a register containing a signed integer, with two values, a lower bound stored at the address specified by src, and an upper bound stored in the following location. The bounds can be 16-bit or 32-bit values.
If the dest value is less than the lower bound or greater than the upper bound, an interrupt 5 occurs. The return address pushed onto the stack by the exception is the starting address of the BOUND instruction that caused the interrupt.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
      PM        RM        V8086
5     INT 5     INT 5     INT 5
6*    #UD()     INT 6     #UD()
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)

*The undefined opcode fault occurs only if the instruction encoding of the BOUND instruction specifies an src operand that is a register.


Example
VC_LIMITS  DD     1, 20              ; Bounds for 20-element array
VC         DD     20 DUP (?)         ; Array storage area

           MOV    EAX, [EBP+6]       ; Get array index
           BOUND  EAX, VC_LIMITS     ; Check against limits


BSF 80386
Bit Scan Forward (16p/32)

Syntax

Operation
if (src = 0) then
    ZF ← 1

    ZF ← 0
    temp ← 0
    while (bit(src, temp) = 0)
        temp ← temp + 1

Legal Forms
      dest   src
BSF   reg,   reg
BSF   reg,   mem

Description
This instruction scans the src operand and writes the bit position of the first 1 bit in src to the destination register. If the src operand is 0, the ZF flag is set to 1, and the instruction ends with the dest register in an undefined state.
If the src operand is not 0, each bit is examined, beginning with bit 0, until a 1 bit is found. The bit position of the first 1 bit (index) is stored in the dest register.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)


Example
        XOR   ECX, ECX                ; Index into sector map
L1:     BSF   EAX, SECTORS[ECX*4]     ; Scan a dword
        JNZ   GOT_ONE                 ; Branch if any bits set
        INC   ECX                     ; Go on to next dword
        CMP   ECX, TABLE_SIZE         ; Done searching?
        JL    L1                      ; No, scan next table entry
        JMP   NO_SECTORS              ; No bits set in entire table
GOT_ONE:


BSR 80386
Bit Scan Reverse (16p/32)

Syntax

Operation
if (dest in [AX, BX, CX, DX, SI, DI, BP, SP]) then
    startbit ← 15

    startbit ← 31

if (src = 0) then
    ZF ← 1
    dest ← ???

    ZF ← 0
    temp ← startbit
    while (bit(src, temp) = 0)
        temp ← temp - 1

Legal Forms
      dest   src
BSR   reg,   reg
BSR   reg,   mem

Description
This instruction scans the src operand in reverse, searching for a 1 bit beginning at the high order of the src operand. If the src operand is 0, the ZF flag is set to 1, and the instruction ends with the dest register in an undefined state.
If the src operand is not 0, each bit is examined, beginning with the high-order bit (either 15 for word operands or 31 for byte operands), until a 1 bit is found. The bit position (index) of the first 1 bit is stored in the dest register.

Flags
OF DF IF TF SF ZF AF PF CF


Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)

Example
        MOV   ECX, SEM_MAX-1            ; Index of last entry in
                                        ; semaphore table
L1:     BSR   EAX, SEMAPHORE[ECX*4]     ; Scan for non-zero bits
        JNZ   found_it                  ; Branch if valid index
        LOOP  L1                        ; Decrement CX, loop back

                                        ; Get here
                                        ; if entire table is zero


BT 80386
Bit Test (16p/32)

Syntax

Operation
CF ← BIT(dest, index)

Legal Forms

BT    reg,   idata
BT    mem,   idata
BT    reg,   reg
BT    mem,   reg

Description
This instruction tests the bit specified by the operands and places the value of the bit into the carry flag.
The index operand holds a bit index into the bit string specified by dest, which can be a 16-bit or 32-bit register or a memory location. The state of the bit is copied into the carry flag.
If the index operand is an immediate data value, it can range from 0 through 31. If the index is held in a register, it can take on any integral value. Some assemblers might let you specify immediate index values greater than 31. If so, they modify the effective address by an appropriate value so that the index can be scaled back to between 0 and 31.
BT does not accept byte operands, so do not use it with memory-mapped I/O devices because the instruction causes either the 16-bit word or the 32-bit word containing the selected bit to be read. This could affect more than one I/O device register. You should use a single-byte MOV instruction to read the I/O register and then test the contents of the register.

Flags
OF DF IF TF SF ZF AF PF CF


Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)
14    #PF(ec)             #PF(ec)

Example
MOV   EAX, 192            ; Bit index
BT    SEMAPHORES, EAX     ; Test semaphore number 192
JC    sem_set             ; Branch if the bit was set


BTC 80386
Bit Test and Complement (16p/32)

Syntax

Operation
CF ← BIT(dest, index)
BIT(dest, index) ← ~BIT(dest, index)

Legal Forms
      dest   index
BTC   reg,   idata
BTC   mem,   idata
BTC   reg,   reg
BTC   mem,   reg

Description
This instruction copies the bit specified by the operands into CF, then complements the original value of the bit in the dest operand.
The index operand holds a bit index into the bit string specified by dest, which can be a 16-bit or 32-bit register or a memory location. The state of the bit is copied into the carry flag, and the bit of the dest operand is complemented.
If the index operand is an immediate data value, it can range from 0 through 31. If the index is held in a register, it can take on any integral value. Some assemblers might let you specify immediate index values greater than 31. If so, they modify the effective address by an appropriate value so that the index can be scaled back to between 0 and 31.
BTC does not accept byte operands, so do not use it with memory-mapped I/O devices because the instruction causes either the 16-bit word or the 32-bit word containing the selected bit to be read. This could affect more than one I/O device register. You should use a single-byte MOV instruction to read the I/O register and then test the contents of the register.

Flags
OF DF IF TF SF ZF AF PF CF


Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)
14    #PF(ec)             #PF(ec)

Example
MOVZX  EAX, BYTE PTR [04A2H]    ; Read memory byte into 32-bit register
BTC    EAX, 2                   ; Test and complement bit number 2
MOV    [04A2H], AL              ; Write modified byte back to memory
JC     bit_set                  ; Branch if the bit was set


BTR 80386
Bit Test and Reset (16p/32)

Syntax

Operation
CF ← BIT(dest, index)
BIT(dest, index) ← 0

Legal Forms
      dest   index
BTR   reg,   idata
BTR   mem,   idata
BTR   reg,   reg
BTR   mem,   reg

Description
This instruction copies the bit specified by the operands into CF, then clears the original bit in dest to 0.
The index operand holds a bit index into the bit string specified by dest, which can be a 16-bit or 32-bit register or a memory location. The state of the bit is copied into the carry flag, and the bit of the dest operand is cleared to 0.
If the index operand is an immediate data value, it can range from 0 through 31. If the index is held in a register, it can be any integer. Some assemblers might let you specify immediate index values greater than 31. If so, they modify the effective address by an appropriate value so that the index can be scaled back to between 0 and 31.
BTR does not accept byte operands, so do not use it with memory-mapped I/O devices because the instruction causes either the 16-bit word or the 32-bit word containing the selected bit to be read. This could affect more than one I/O device register. You should use a single-byte MOV instruction to read the I/O register and then test the contents of the register.
When using a BTR instruction to implement a signaling function in a multiprocessor environment, the LOCK instruction prefix should immediately precede any BTR instruction that modifies shared memory.

Flags
OF DF IF TF SF ZF AF PF CF


Faults
      PM        RM        V8086
12    #SS(0)
13    #GP(0)    INT 13    #GP(0)
14    #PF(ec)             #PF(ec)

Example
BTR   MY_FLAG, 7     ; Zero the high-order bit of byte MY_FLAG
JNC   NOT_SET        ; Bit was already reset

BTS 80386
Bit Test and Set (16p/32)

Syntax

Operation
CF <- BIT(dest, index)
BIT(dest, index) <- 1

Legal Forms
        dest    index
BTS     reg,    idata
BTS     mem,    idata
BTS     reg,    reg
BTS             reg

Description
This instruction copies the specified bit into CF, then sets the original bit in

The index operand holds a bit index into the bit string specified by dest, which can
be a 16-bit or 32-bit register or a memory location. The state of the bit is copied into
the carry flag, and the bit of the dest operand is set to 1.
If the index operand is an immediate data value, it can range from 0 through 31. If
the index is held in a register, it can be any integer. Some assemblers might let you
specify immediate index values greater than 31. If so, they modify the effective
address by an appropriate value so that the index can be scaled back to between 0
and 31.
BTS does not accept byte operands; so do not use it with memory-mapped I/O
devices because the instruction causes either the 16-bit word or the 32-bit word
containing the selected bit to be read. This could affect more than one I/O device
register. You should use a single-byte MOV instruction to read the I/O register and then
test the contents of the register.
When using a BTS instruction to implement a semaphore function in a
multiprocessor environment, the LOCK instruction prefix should immediately
precede any BTS instruction that modifies shared memory.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)

Example
        BTS     MY_FLAG, 7      ; Set the high-order bit of byte MY_FLAG
        JC      WAS_SET         ; Bit was already set

CALL 8086/80186/80286/80386
Far Procedure Call (32p/48)

Syntax

Operation
push(CS)
push(EIP)
CS:EIP <- dest

Legal Forms
CALL    idata           ; CS:EIP <- idata
CALL    mem             ; CS:EIP <- [mem]

Description
The far procedure call saves the current code segment selector and the address of
the next instruction (EIP) on the stack. Control then transfers to the destination
specified by the operand. The operand can be an immediate selector:offset value or
the address of a 48-bit FAR pointer in memory.
The selector can point to another code segment, a call gate, a task gate, or a task
state segment. If the selector points to a gate or TSS, the offset portion of the CALL
is ignored. If the selector points to a code segment, control transfers to the specified
offset within that segment.
All flags are affected by a task switch.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM          RM        V8086
10      #TS(0)
10      #TS(sel)              #TS(sel)
11      #NP(sel)              #NP(sel)
12      #SS(0)
12      #SS(SS)
13      #GP(0)      INT 13    #GP(0)
        #GP(CS)     INT 13    #GP(0)

Example
        CALL    16A3:0000               ; Direct call
        CALL    FWORD PTR [005AH]       ; Indirect call

CALL 8086/80186/80286/80386
Near Procedure Call (16p/32)

Syntax

Operation
push(EIP)

Legal Forms
CALL    offset          ; EIP <- EIP + offset
CALL    mem             ; EIP <- [mem]
CALL    reg             ; EIP <- [reg]

Description
This instruction pushes the address of the next instruction (EIP) onto the stack. The
instruction pointer is then set to the value specified by the operand.
If the operand is an immediate value, the new instruction pointer is relative to the
current position. If the operand is a memory address or a register, the subroutine
address is taken indirectly from the operand.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)

Example
        CALL    SQRT                    ; Call direct
        LEA     EBX, FNTABLE            ; Get pointer to address table
        MOV     EAX, 3                  ; Select third function
        CALL    [EBX+EAX*4]             ; Call it

CBW 8086/80186/80286/80386
Convert Byte to Word (8)

Syntax
CBW

Operation
if BIT(AL, 7) then

Legal Form
CBW

Description
This instruction sign-extends the byte in AL to AX.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
        MOV     AL, TINY        ; Read a byte into AL
        CBW                     ; Convert to 16-bit signed integer
        ADD     BX, AX

CDQ 80386
Convert Doubleword to Quadword (32)

Syntax
CDQ

Operation
if (BIT(EAX, 31) = 1) then
    EDX <- 0FFFFFFFFH
else
    EDX <- 0
endif

Legal Form
CDQ

Description
This instruction sign-extends the 32-bit EAX register to a 64-bit dword. It is most
frequently used before the integer divide instruction, which operates on a 64-bit
dividend.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
        MOV     EAX, [400H]             ; Copy dividend to EAX
        CDQ                             ; Extend to 64 bits
        IDIV    DWORD PTR [20H]         ; Divide

CLC 8086/80186/80286/80386
Clear Carry Flag ()

Syntax
CLC

Operation
CF <- 0

Legal Form
CLC

Description
This instruction clears the carry flag in the EFLAGS register to 0.

Flags
OF DF IF TF SF ZF AF PF CF
                        0

Faults
None.

Example
NO_ERROR:
        CLC                     ; Clear carry
        RET                     ; Return from subroutine with success
                                ; indicated by CF

CLD 8086/80186/80286/80386
Clear Direction Flag ()

Syntax
CLD

Operation
DF <- 0

Legal Form
CLD

Description
This instruction clears the direction flag in the EFLAGS register to 0. When DF is 0,
any string instructions increment the index registers (ESI or EDI).

Flags
OF DF IF TF SF ZF AF PF CF
   0

Faults
None.

Example
        MOV     ECX, STR_LEN    ; String move count
        CLD                     ; Clear direction flag
        REP MOVSB               ; Copy the string

CLI 8086/80186/80286/80386
Clear Interrupt Flag ()

Syntax
CLI

Operation
IF <- 0

Legal Form
CLI

Description
This instruction clears the interrupt bit in the EFLAGS register to 0, disabling
hardware interrupts (except NMI). The procedure executing the CLI instruction must be
of equal or higher privilege than the current IOPL, that is, CPL <= IOPL, or a general
protection fault occurs.

Flags
OF DF IF TF SF ZF AF PF CF
      0

Faults
        PM        RM        V8086
13      #GP(0)              #GP(0)

Example
        CLI                     ; Disable interrupts
        MOV     AL, SEMAPHORE   ; Get memory value
        DEC     AL              ; Decrement counter
        JZ      done            ; Skip if value was 0
        MOV     SEMAPHORE, AL   ; Update
DONE:
        STI                     ; Enable interrupt

CLTS 80286/80386
Clear Task Switched Bit ()

Syntax
CLTS

Operation
BIT(CR0, 3) <- 0

Legal Form
CLTS

Description
This instruction clears the task switched (TS) bit in the CR0 register to 0. The TS bit
allows the 80386 to efficiently manage the 80387. Whenever a task switch occurs on
the 80386, the CPU sets the TS bit to 1. If the TS bit is 1 when a coprocessor escape
(ESC) or WAIT instruction executes, a coprocessor not available fault (int 7) occurs.
The fault handler can clear the TS bit, save the NDP state, load the NDP state for the
current task, and return to the instruction that faulted. Switching between tasks that
do not use the 80387 will not cause the fault, and you can avoid the overhead of
saving and restoring the NDP state.
Only procedures running at a CPL of 0 can execute CLTS without causing a general

CLTS is valid in real mode to allow initialization for protected mode.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
13      #GP(0)              #GP(0)

Example
        CLTS                    ; Clear task switched bit
        CALL    SWAP_NDP_STATE  ; Save/restore math coprocessor state

CMC 8086/80186/80286/80386
Complement the Carry Flag ()

Syntax
CMC

Operation
CF <- ~CF

Legal Form
CMC

Description
The carry bit of the EFLAGS register is complemented; that is, if the initial value of
the carry bit is 0, it is set to 1. If the initial value is 1, the flag is cleared to 0 as a
result of the instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
        BT      EAX, 1          ; Test bit, save in CF
        JC      EXIT            ; Bit was set--we're done
        JMP     TRY_AGAIN       ; Not ready yet
EXIT:
        CMC                     ; Return, CF clear
        RET

CMP 8086/80186/80286/80386
Compare Integers (8/16p/32)

Syntax

Operation

Legal Forms
        dest
CMP     reg,    idata
CMP     mem,    idata
CMP     reg,    reg
CMP     reg,
CMP             reg

Description
This instruction subtracts the contents of op2 from op1 and discards the result. Only
the EFLAGS register is affected. The following table illustrates how the flags are set
based on the operand values.

Condition       Signed compare          Unsigned compare
op1 > op2       ZF=0 and SF=OF          CF=0 and ZF=0
op1 >= op2      SF=OF                   CF=0
op1 = op2       ZF=1                    ZF=1
op1 <= op2      ZF=1 and SF!=OF         CF=1 or ZF=1
op1 < op2       SF!=OF                  CF=1

If op1 is a 16-bit or 32-bit operand and op2 is an 8-bit immediate value, op2 is
sign-extended to match the size of op1.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)

Examples
        CMP     AL, [42114]             ; 8-bit compare
        CMP     AX, [BX+3]              ; 16-bit real/virtual mode
        CMP     CX, [EBP+8][EAX*2]      ; 16-bit protected mode
        CMP     ESI, T                  ; 32-bit compare with sign-extended operand

CMPS 8086/80186/80286/80386
Compare String (8/16p/32)

Syntax
CMPS

Operation
when opcode is (CMPSB, CMPSW, CMPSD) set opsize <- (1, 2, 4)
NULL <- DS:[ESI] - ES:[EDI]
if (DF = 0) then
    ESI <- ESI + opsize
    EDI <- EDI + opsize

Legal Forms
CMPSB                   ; Compare string byte
CMPSW                   ; Compare string word
CMPSD                   ; Compare string doubleword

Description
This instruction subtracts the memory operand pointed to by DS:ESI from the
operand at ES:EDI and discards the result, as in the CMP instruction. The size of
the operand is either a byte, word, or doubleword, depending on the opcode used.
The flags are set as the comparison dictates, and the contents of ESI and EDI are
modified, either incremented by the size of the operand, or decremented,
depending on the setting of the DF bit in the EFLAGS register. ESI and EDI are incremented
when DF = 0.
You can precede the CMPS instruction with either the REPE or REPNE prefix to
repeatedly compare operands while the ZF bit remains 1 (REPE) or 0 (REPNE).
Register ECX holds the maximum compare count.
You can also apply a segment override prefix to the CMPS instruction to override
the DS segment of the DS:[ESI] operand. You cannot override the ES segment
assumption for the EDI operand.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)
14      #PF(ec)             #PF(ec)

Example
        LEA     ESI, standard   ; DS:ESI points to default
        LES     EDI, [EBP+12]   ; ES:EDI loaded from stack frame
        MOV     ECX, 31         ; Count is a constant
        CLD                     ; Ensure direction flag set correctly
        REPE CMPSB              ; Compare byte string
        JNE     not_eq          ; Branch if strings not equal

CWD 8086/80186/80286/80386
Convert Word to Doubleword (16)

Syntax
CWD

Operation
if (BIT(AX, 15) = 1) then
    DX <- 0FFFFH
else
    DX <- 0
endif

Legal Form
CWD

Description
This instruction sign-extends the word in AX to the DX:AX register pair. The
preferred 16-bit to 32-bit conversion instruction is CWDE; CWD is used by the 8086
and 80286, which do not have 32-bit registers.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
        MOV     AX, divisor     ; Get 16-bit divisor
        CWD                     ; Extend to DX:AX
        DIV     X               ; 16-bit division

CWDE 80386
Convert Word to Doubleword Extended (16)

Syntax
CWDE

Operation
if (BIT(EAX, 15) = 1) then
    EAX <- EAX | FFFF0000H
else
    EAX <- EAX & 0000FFFFH
endif

Legal Form
CWDE

Description
This instruction sign-extends the 16-bit value in AX to a full 32 bits in the EAX
register.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
        MOV     AX, short_int   ; Get 16-bit signed value
        NEG     AX              ; Convert to negative number
        CWDE                    ; Return 32-bit result

DAA 8086/80186/80286/80386
Decimal Adjust AL After Addition (8)

Syntax

Operation
if (AF | (AL & 0FH) > 9) then

if (CF | (AL > 9FH)) then
    AL <- AL + 60H
    CF <- 1
else
    CF <- 0

Legal Form

Description
This instruction ensures that AL contains a valid decimal result after an addition of
two packed BCD values.

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
None.

Example
        MOV     AL, 72H         ; 72 in packed decimal
        ADD     AL, 19H         ; Yields 8BH in AL
        DAA                     ; Adjusts AL to 91H

DAS 8086/80186/80286/80386
Decimal Adjust AL After Subtraction (8)

Syntax
DAS

Operation
if (AF | ((AL & 0FH)) > 9) then

if (CF | (AL > 9FH)) then
    AL <- AL - 60H
    CF <- 1

Legal Form
DAS

Description
This instruction ensures that AL contains a valid decimal result after a subtraction of
two packed BCD values.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
        MOV     AL, 42H         ; 42 in packed decimal
        SUB     AL, 13H         ; Yields 2FH in AL
        DAS                     ; Adjusts AL to 29H

DEC 8086/80186/80286/80386
Decrement (8/16p/32)

Syntax
DEC op1

Operation

Legal Forms
        op1
DEC     reg
DEC     mem

Description
This instruction subtracts the value 1 from op1. DEC is frequently used to decrement
indexes and therefore does not affect the carry flag (CF). In other respects, it is
equivalent to the instruction:

        SUB     op1, 1

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
        PM        RM        V8086
12      #SS(0)              #SS(0)
13      #GP(0)    INT 13    #GP(0)
14      #PF(ec)

Example
        DEC     ESI             ; Decrement contents of ESI

DIV 8086/80186/80286/80386
Unsigned Division (8/16p/32)

Syntax
DIV op1

Operation
low(acc) <- acc / op1
high(acc) <- acc modulo op1

Legal Forms

DIV     reg
DIV

Description
This instruction divides the value in the accumulator register or register pair by op1,
storing the quotient in the low-order portion of the accumulator and the remainder
in the high-order portion. The following table illustrates the registers used as
accumulators, depending on the size of op1.

Size of op1     Dividend        Quotient        Remainder
Byte            AX              AL              AH
Word            DX,AX           AX              DX
Dword           EDX,EAX         EAX             EDX

If the dividend is 0 or if the quotient is too large to fit in the result accumulator,
a divide error fault (interrupt 0) occurs.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
0       INT 0     INT 0     INT 0
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)

Example
        MOV     EAX, dividend
        CWDE                    ; Convert 32-bit operand to 64 bits
        DIV     BX              ; 32-bit divide
        MOV     quotient, EAX   ; Save result
        MOV     remainder, EDX

ENTER 80186/80286/80386
Enter New Stack Frame ()

Syntax
ENTER locals, nesting

Operation
nesting <- max(nesting, 31)
push(EBP)
temp <- ESP
if (nesting > 0) then
    nesting <- nesting - 1
    while (nesting > 0)
        EBP <- EBP - 4
        push(SS:[EBP])
        nesting <- nesting - 1

EBP <- temp
ESP <- ESP - locals

Legal Forms
        locals  nesting
ENTER   idata,  idata

Description
This instruction sets up the stack frame used by high-level languages. The form
ENTER n,0 is equivalent to the instructions:
        PUSH    EBP
        MOV     EBP, ESP
        SUB     ESP, n
This saves the previous frame pointer (EBP), sets the frame to the current stack top
(ESP), and allocates space for local variables. Parameters passed to the procedure
are addressed as positive offsets from EBP, and local variables are addressed as
negative offsets from EBP.
When the second operand is greater than 0 (which happens only in languages that
allow nesting of procedure definitions), the pointers to previous stack frames are
pushed onto the stack to allow addressing of stack-resident variables whose scopes
are outside the current stack frame.

Languages such as FORTRAN and C do not allow lexical procedure nesting, so they
always use ENTER with a nesting operand of 0. Pascal, Modula-II, and Ada allow
procedure nesting, and compilers for those languages generate the more complex
form of ENTER.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
14      #PF(ec)             #PF(ec)

Example
        ENTER   4, 0            ; Create stack frame with
                                ; space for a dword local
HLT 8086/80186/80286/80386
Halt ()

Syntax
HLT

Legal Form
HLT

Description
This instruction stops all further processing on the 80386. No other instructions will
execute until the processor is reset or an interrupt occurs. An NMI interrupt always
brings the processor out of the halt state. The IF flag must be 1 for any other
hardware interrupt to be acknowledged. After processing the interrupt, execution
continues with the instruction immediately following HLT.
You must execute at a CPL of 0 to issue a HLT instruction; otherwise, a general
protection fault occurs.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
13      #GP(0)              #GP(0)

Example
        STI
L1:     HLT                     ; Idle, processing only interrupts
        JMP     L1

IDIV 8086/80186/80286/80386
Integer (Signed) Division (8/16p/32)

Syntax

Operation
low(acc) <- acc / op1
high(acc) <- acc modulo op1

Legal Forms

IDIV    reg

Description
This instruction divides the value in the accumulator register or register pair by op1,
storing the quotient in the low-order portion of the accumulator and the remainder
in the high-order portion. The following table illustrates the registers used as
accumulators, depending on the size of op1.

Size of op1     Dividend        Quotient        Remainder
Byte            AX              AL              AH
Word            DX,AX           AX              DX
Dword           EDX,EAX         EAX             EDX

If the dividend is 0 or if the quotient is too large to fit in the result accumulator,
a divide error fault (interrupt 0) occurs.

Flags
OF DF IF TF SF ZF AF PF CF
?

Faults
        PM        RM        V8086
0       INT 0     INT 0     INT 0
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)

Example
        MOV     EAX, [ESP+14]   ; Get dividend
        CDQ                     ; Convert to 64 bits
        IDIV    ECX

IMUL 8086/80186/80286/80386
Integer (Signed) Multiplication (8/16p/32)

Syntax
IMUL op1, [op2, [op3]]

Operation
dest <- multiplier * multiplicand

Legal Forms
        op1     op2     op3
IMUL    reg                     ; acc <- acc * reg
IMUL    mem                     ; acc <- acc * mem
IMUL    reg,    reg             ; op1 <- op1 * op2
IMUL    reg,    mem             ; op1 <- op1 * op2
IMUL    reg,    idata           ; op1 <- op1 * op2
IMUL    reg,    reg,    idata   ; op1 <- op2 * op3
IMUL    reg,    mem,    idata   ; op1 <- op2 * op3

Description
This instruction multiplies signed, two's complement integers. The flags are left in
an unknown state except for OF and CF, which are cleared to 0 if the result of the
multiplication is the same size (byte, word, or dword) as the multiplicand.
In the single operand form of the instruction, the result is placed in AX if op1 is a
byte, DX:AX if op1 is a word, and EDX:EAX if op1 is a dword.
In the forms of IMUL that use 2 or 3 operands, the operands must all be the same

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)

Example
        IMUL    ECX             ; EDX:EAX <- EAX * ECX
        IMUL    AL, CH, 7       ; AL <- CH * 7

IN 8086/80186/80286/80386
Input from I/O Port (8/16p/32)

Syntax

Operation

Legal Forms

IN
IN      DX

Description
This instruction reads a byte, word, or dword into the specified accumulator from
the designated I/O port. If you use an immediate data value in the instruction,
you can address only the first 256 ports. If the port is specified in the DX register,
you can access any of the 65536 ports.
IN is a privileged instruction. A procedure that attempts to execute an input
instruction must satisfy one of two conditions to avoid a general protection fault.
If the procedure that executes an IN instruction has I/O privilege (that is, if its CPL
is numerically less than or equal to the IOPL field in the EFLAGS register), the input
instruction executes immediately.
If the procedure does not have I/O privilege, the I/O permission bitmap for the
current task is checked. If the bit(s) corresponding to the I/O port(s) is cleared to 0, the
input instruction executes. If the bit(s) is set to 1, or the port(s) is outside the range
of the bitmap, a general protection fault occurs. See Chapter 5 for more details on
this feature.
If the IN instruction is encountered while in V86 mode, only the I/O permission
bitmap is tested. The IOPL value is not a factor in validating access to the port.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
13      #GP(0)              #GP(0)

Example
        IN      AX, 72H         ; Input a 16-bit value
                                ; from ports 72H and 73H
        MOV     DX, crt_port
        IN      AL, DX          ; Input a byte value

INC 8086/80186/80286/80386
(8/16p/32)

Syntax
INC op1

Operation

Legal Forms

INC     reg
INC

Description
This instruction adds the value 1 to op1. This instruction is often used to increment
indexes and therefore does not affect the carry flag (CF). In other respects, it is
equivalent to the instruction:

        ADD     op1, 1

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)
14      #PF(ec)             #PF(ec)

Example
        INC     ESI             ; Increment contents of ESI

INS 80186/80286/80386
Input String from I/O Port (8/16p/32)

Syntax
INS

Operation
when opcode is (INSB, INSW, INSD), set opsize <- (1, 2, 4)
ES:[EDI] <- port(DX)
if (DF = 0) then
    EDI <- EDI + opsize
else
    EDI <- EDI - opsize
endif

Legal Forms
INSB                    ; Input string byte
INSW                    ; Input string word
INSD                    ; Input string doubleword

Description
This instruction allows the location specified by ES:[EDI] to receive data input from
the I/O port contained in the DX register. An 8-bit operation (INSB) adjusts the
address in EDI by 1, a 16-bit operation (INSW) adjusts EDI by 2, and a 32-bit operation
(INSD) adjusts EDI by 4. The memory offset in EDI is incremented if the DF bit is 0
or is decremented if DF is 1.
Like the IN instruction, the INS instruction is privileged. The executing procedure
must have a CPL equal to or numerically less than the IOPL, or access to the port
specified in DX must be granted by the I/O permission bitmap in the TSS.
You can use the REP prefix with the INS instruction. Using the prefix causes
register ECX to be interpreted as an instruction count.
A segment override prefix does not affect the INS instruction. The destination
segment is always ES.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
13      #GP(0)    INT 13    #GP(0)
14      #PF(ec)             #PF(ec)

Example
        LEA     EDI, mem_val    ; Set up destination pointer
        MOV     DX, 370H        ; Set up port address
        CLD
        INSD                    ; Input 32-bit value to mem_val
        INSD                    ; Input value to mem_val + 4
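
The privilege check that the IN and INS descriptions above both rely on can be modelled in a few lines of C. This is an added example, not code from the book: the io_context structure, the function names and the sample bitmap are assumptions, the bitmap length stands in for the range the TSS covers, and port N is taken to be bit N % 8 of bitmap byte N / 8.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the check that precedes a port access by IN or INS. */
typedef enum { IO_ALLOWED = 0, IO_GP_FAULT = 13 } io_result;

/* Hypothetical view of the state the check consults (names are assumptions). */
typedef struct {
    unsigned cpl;            /* current privilege level, 0..3              */
    unsigned iopl;           /* IOPL field of EFLAGS, 0..3                 */
    bool v86;                /* true when the task runs in V86 mode        */
    const uint8_t *bitmap;   /* I/O permission bitmap of the current task  */
    size_t bitmap_bits;      /* number of ports the bitmap covers          */
} io_context;

/* width is 1, 2 or 4: the access touches ports port .. port+width-1. */
io_result check_port_access(const io_context *ctx, uint32_t port, unsigned width)
{
    /* Outside V86 mode, CPL <= IOPL grants I/O privilege outright. */
    if (!ctx->v86 && ctx->cpl <= ctx->iopl)
        return IO_ALLOWED;

    /* Otherwise every port touched must have its bitmap bit cleared to 0. */
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = port + i;
        if (p >= ctx->bitmap_bits)                    /* outside the bitmap */
            return IO_GP_FAULT;
        if (ctx->bitmap[p / 8] & (1u << (p % 8)))     /* bit set: denied    */
            return IO_GP_FAULT;
    }
    return IO_ALLOWED;
}

/* Constructed sample: a bitmap for ports 0..3FFH that denies everything
   except port 72H and ports 370H..373H (the ports of the two examples). */
static uint8_t sample_bitmap[0x400 / 8];

static void allow_port(uint8_t *bm, uint32_t port)
{
    bm[port / 8] &= (uint8_t)~(1u << (port % 8));
}

io_context sample_context(unsigned cpl, unsigned iopl, bool v86)
{
    memset(sample_bitmap, 0xFF, sizeof sample_bitmap);
    allow_port(sample_bitmap, 0x72);
    for (uint32_t p = 0x370; p <= 0x373; p++)
        allow_port(sample_bitmap, p);

    io_context ctx = { cpl, iopl, v86, sample_bitmap, 0x400 };
    return ctx;
}

int main(void)
{
    io_context user = sample_context(3, 0, false);   /* ring 3, IOPL 0 */
    io_context v86  = sample_context(3, 3, true);    /* V86 task, IOPL 3 */

    /* IN AX, 72H touches 72H and 73H; 73H is denied in the sample bitmap. */
    printf("ring 3  IN AL,72H  -> %d\n", check_port_access(&user, 0x72, 1));
    printf("ring 3  IN AX,72H  -> %d\n", check_port_access(&user, 0x72, 2));
    printf("ring 3  INSD 370H  -> %d\n", check_port_access(&user, 0x370, 4));
    /* In V86 mode IOPL is ignored, so a denied port faults even at IOPL 3. */
    printf("V86     IN AL,3F8H -> %d\n", check_port_access(&v86, 0x3F8, 1));
    return 0;
}
```

A result of 0 means the instruction executes; 13 is the general protection fault number used in the Faults tables.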

INT 8086/80186/80286/80386
Software Interrupt ()

Syntax
INT vector

Operation
push(EFLAGS)
push(CS)
push(EIP)
TF <- 0
if (IDT(vector).TYPE = INTERRUPT_GATE) then
    IF <- 0
endif
CS:EIP <- destination(IDT(vector))

Legal Form

INT     idata

Description
This instruction saves the current flags and execution location on the stack, and the
vector operand indicates the IDT entry that is selected. The gate from the IDT
determines the new execution location.
If the processor encounters the INT instruction while in V86 mode, the 80386
switches to the ring 0 stack (SS0:ESP0) taken from the V86 task state segment before
processing the interrupt. Because the processor is running in ring 0, the IDT entry
must have a DPL of 0; otherwise, a general protection fault occurs.
The INT 3 instruction is usually encoded as a single byte (0CCH) and used as a
breakpoint instruction for debuggers.

Flags
OF DF IF TF SF ZF AF PF CF
x 0

Faults
        PM          RM        V8086
10      #TS(sel)
11      #NP(sel)
12      #SS(0)
13      #GP(0)      INT 13    #GP(0)

Example
        INT     42              ; Make a system-dependent call

INTO 8086/80186/80286/80386
Interrupt on Overflow ()

Syntax
INTO

Operation
if (OF) then
    INT 4

Legal Form
INTO

Description
This instruction executes an INT 4 instruction if the overflow bit (OF) in the
EFLAGS register is 1. See the INT instruction for further details.

Flags
OF DF IF TF SF ZF AF PF CF
0

Faults
        PM          RM        V8086
10      #TS(sel)
11      #NP(sel)
12      #SS(0)
13      #GP(0)      INT 13    #GP(0)
14      #PF(ec)

Example
        ADD     ECX, VECTOR[EDI*4]      ; Arithmetic operation
        INTO                            ; Check for overflow

IRET 8086/80186/80286/80386
Interrupt Return ()

Syntax
IRET

Operation
if (NT = 1) then
    task_return(TSS.back_link)
else
    pop(EIP)
    pop(CS)
    pop(EFLAGS)
endif

Legal Form
IRET

Description
This instruction signals a return from an interrupt or, if the NT (nested task) bit is
set to 1, a task switch from the current task to the one that invoked it.
When the new value of EFLAGS is popped from the stack, the IOPL bits are
modified only if the CPL is 0.
Chapter 5 discusses transitions across protection rings and task switching.
If the IRET instruction executes while the processor is in V86 mode, a general
protection fault occurs. It is the responsibility of the fault handler to emulate the
real-mode IRET for the V86 task.

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
        PM        RM        V8086
11
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)
14      #PF(ec)             #PF(ec)

Example
        IRET

Jcc 8086/80186/80286/80386
Jump If Condition ()

Syntax

Operation

EIP <- EIP + sign_extend(offset)

Legal Forms

JA      offset  ; Jump above (unsigned x > y) / CF = 0 & ZF = 0
JAE     offset  ; Jump above or equal / CF = 0
JB      offset  ; Jump below (unsigned x < y) / CF = 1
JBE     offset  ; Jump below or equal / CF = 1 | ZF = 1
JC      offset  ; Jump if carry / CF = 1
JCXZ    offset  ; Jump if CX = 0
JECXZ   offset  ; Jump if ECX = 0
JE      offset  ; Jump equal / ZF = 1
JG      offset  ; Jump greater (signed x > y) / SF = OF & ZF = 0
JGE     offset  ; Jump greater or equal / SF = OF
JL      offset  ; Jump less (signed x < y) / SF != OF & ZF = 0
JLE     offset  ; Jump less or equal / SF != OF
JNA     offset  ; Jump not above (JBE)
JNAE    offset  ; Jump not above or equal (JB)
JNB     offset  ; Jump not below (JAE)
JNBE    offset  ; Jump not below or equal (JA)
JNC     offset  ; Jump no carry / CF = 0
JNE     offset  ; Jump not equal / ZF = 0
JNG     offset  ; Jump not greater / SF != OF & ZF = 1
JNGE    offset  ; Jump not greater or equal (JL)
JNL     offset  ; Jump not less (JGE)
JNLE    offset  ; Jump not less or equal (JG)
JNO     offset  ; Jump no overflow / OF = 0
JNP     offset  ; Jump no parity / PF = 0
JNS     offset  ; Jump no sign / SF = 0
JNZ     offset  ; Jump not 0 / ZF = 0
JO      offset  ; Jump if overflow / OF = 1
JP      offset  ; Jump if parity / PF = 1
JPE     offset  ; Jump parity even / PF = 1
JPO     offset  ; Jump parity odd / PF = 0
JS      offset  ; Jump if sign / SF = 1
JZ      offset  ; Jump if 0 / ZF = 1

Description
The Jcc instructions test the conditions described for each mnemonic. If the
condition holds true, the processor branches to the specified location. If the condition is
false, execution continues with the instruction following the jump.
More than one mnemonic exists for the same condition. This lets you write the test
in a manner most appropriate for the condition. For example, after OR EAX, EAX
you would use JZ, and after CMP EAX, ESI you would use JE; both mnemonics test
for ZF = 1.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
13      #GP(0)

Example
        DEC     AL              ; Decrement AL
        JZ      reached_zero    ; Branch if zero

JMP 8086/80186/80286/80386
Near Jump ()

Syntax

Operation
EIP <- dest

Legal Forms

JMP     offset          ; EIP <- EIP + offset
JMP     reg             ; EIP <- reg
JMP     mem             ; EIP <- [mem]

Description
This instruction loads a new value into the instruction pointer (EIP). Subsequent
instructions are fetched beginning at the new location.
When you use the immediate form of the instruction, the data value is an offset
from the current EIP. The other forms are indirect branches; that is, the new value
of EIP is taken from the operand register or memory location.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)
14      #PF(ec)             #PF(ec)

Example
        JMP     new_label               ; Direct, relative branch
        JMP     ECX
        JMP     DWORD PTR [EBP+12]      ; Branch to routine whose
                                        ; address is on stack

JMP 8086/80186/80286/80386
Far Jump ()

Syntax

Operation
CS:EIP <- dest

Legal Forms

JMP     idata           ; CS:EIP <- idata
JMP     mem             ; CS:EIP <- [mem]

Description
A far jump instruction modifies both CS and EIP. In the immediate form of the
instruction, a new 48-bit pointer is specified. In the indirect form, the mem operand
points to a 48-bit selector:offset pointer.
The new CS selector can be a code segment selector (where the branch is to the
specified offset within the code segment), or the selector can be a call gate, task
gate, or task state segment. In this case, the offset portion of the JMP is ignored, and
the new value of EIP is taken from the gate or the incoming TSS. If the jump causes
a task switch, all flags are subject to change as EFLAGS reloads from the new task's
TSS. Chapter 5 discusses the task switch operation and the use of gates.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM          RM        V8086
10      #TS(sel)
11      #NP(sel)
12      #SS(0)
13      #GP(0)      INT 13    #GP(0)
14      #PF(ec)

Example
        JMP     21A7:0002IIF3H          ; Direct branch
        JMP     FWORD PTR newtask       ; Branch indirect

LAHF 8086/80186/80286/80386
Load AH with Flags (8)

Syntax

Operation
AH <- EFLAGS & 0FFH

Legal Form

Description
This instruction copies the low-order byte of the EFLAGS register into AH. After the
instruction executes, the AH register has the following contents:

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
        LAHF
        SHR     AH, 6
        AND     AH, 1           ; AH now contains the ZF flag

LAR 80286/80386
Load Access Rights (16p/32)

Syntax

Operation
if (check_access(select)) then
    ZF <- 1
    dest <- access_rights(descriptor(select)) & 00F?FF00H
else
    ZF <- 0
endif

Legal Forms
        dest    select
LAR     reg,    reg
LAR     reg,

Description
This instruction allows a program to determine whether a given selector is
accessible to it without causing a protection fault.
If the select operand contains a valid 80386 selector that is accessible to the
executing procedure and the selector type is one defined below, the zero flag (ZF) is set to
1, and the access rights field of the descriptor indicated by the selector is loaded into
the destination register.
If the destination register is a 16-bit register, the high-order 8 bits of the register
contain the access rights field of the descriptor.

[Figure: access rights field, including the TYPE field]

If the destination is a 32-bit register, bits 8-15 contain the access rights, and bits 20-
23 contain the access extension bits found in byte 6 of the descriptor.

[Figure: 32-bit destination layout, bit positions 31, 23, 20, 16, 15, 8, 7, 0]

If the selector references a nonmemory segment with an invalid type (Type = 0, 8,
0AH, 0DH), ZF is reset and the dest register is not modified.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
6                 INT 6     #UD()
12      #SS(0)
13      #GP(0)    INT 13    #GP(0)

Example
; Verify that variable X contains the selector of a call gate
; that can be legally invoked by the executing routine.
        LAR     AX, X           ; Load access rights
        JNZ     no_access       ; Branch if can't access
        SHR     AX, 8           ; Move access rights to low order
        AND     AX, 1FH         ; Save only S bit and TYPE
        CMP     AX, 0CH         ; Test for 386 call gate
        JE      is_gate         ; Branch if accessible gate
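
The LAR behaviour described above, followed by the same call gate test as the example, modelled in C. This is an added example, not code from the book: the sample GDT and all names are constructed, only a GDT is modelled, the privilege rule (DPL numerically at least CPL and RPL, skipped for conforming code) comes from the 80386 protection rules rather than from this page, and the mask is taken from the stated bit ranges 8-15 and 20-23.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* zf mirrors ZF after LAR; dest is the destination register afterwards. */
typedef struct { bool zf; uint32_t dest; } lar_result;

/* Constructed sample GDT. Byte 5 of each descriptor is the access rights
   byte: P (bit 7), DPL (bits 6-5), S (bit 4), TYPE (bits 3-0). */
const uint8_t sample_gdt[6][8] = {
    {0,    0,    0,    0, 0, 0x00, 0x00, 0},  /* 0: null descriptor           */
    {0xFF, 0xFF, 0,    0, 0, 0x9A, 0xCF, 0},  /* 1: ring 0 code, nonconforming */
    {0xFF, 0xFF, 0,    0, 0, 0xF2, 0xCF, 0},  /* 2: ring 3 data               */
    {0,    0,    0x08, 0, 0, 0xEC, 0x00, 0},  /* 3: 386 call gate, DPL 3      */
    {0,    0,    0x08, 0, 0, 0x8C, 0x00, 0},  /* 4: 386 call gate, DPL 0      */
    {0,    0,    0,    0, 0, 0x8D, 0x00, 0},  /* 5: system type 0DH (invalid) */
};

/* 32-bit form of LAR against a GDT of count entries. */
lar_result lar32(const uint8_t gdt[][8], size_t count, uint16_t sel,
                 unsigned cpl, uint32_t old_dest)
{
    lar_result fail = { false, old_dest };    /* ZF = 0, dest not modified */
    size_t index = sel >> 3;
    unsigned rpl = sel & 3;

    /* Reject LDT selectors (TI = 1, not modelled), the null selector and
       indexes past the end of the table. */
    if ((sel & 4) || index == 0 || index >= count)
        return fail;

    uint8_t access = gdt[index][5];
    unsigned type = access & 0x0F;
    unsigned dpl = (access >> 5) & 3;
    bool is_system = (access & 0x10) == 0;
    bool conforming_code = (access & 0x1C) == 0x1C;

    /* Types the page lists as invalid for nonmemory segments. */
    if (is_system && (type == 0x0 || type == 0x8 || type == 0xA || type == 0xD))
        return fail;

    /* Except for conforming code, DPL must be numerically >= CPL and RPL. */
    if (!conforming_code && (dpl < cpl || dpl < rpl))
        return fail;

    lar_result ok = { true,
        ((uint32_t)access << 8) |                     /* bits 8-15  */
        ((uint32_t)(gdt[index][6] & 0xF0) << 16) };   /* bits 20-23 */
    return ok;
}

/* 16-bit form: only the access rights byte, in the high-order 8 bits. */
uint16_t lar16_value(lar_result r)
{
    return (uint16_t)(r.dest & 0xFF00);
}

/* The test from the page's example: SHR AX,8 / AND AX,1FH / CMP AX,0CH. */
bool is_386_call_gate(uint16_t ar)
{
    return ((ar >> 8) & 0x1F) == 0x0C;
}

int main(void)
{
    /* Ring 3 caller probing selectors 1BH (gate, DPL 3) and 23H (gate, DPL 0). */
    lar_result a = lar32(sample_gdt, 6, 0x1B, 3, 0);
    lar_result b = lar32(sample_gdt, 6, 0x23, 3, 0);
    printf("1BH: ZF=%d dest=%08X gate=%d\n", a.zf, (unsigned)a.dest,
           a.zf && is_386_call_gate(lar16_value(a)));
    printf("23H: ZF=%d (not accessible from ring 3)\n", b.zf);
    return 0;
}
```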

LEA 8086/80186/80286/80386
Load Effective Address (16p/32)

Syntax

Operation
dest <- address(src)

Legal Forms
        dest
LEA     reg,

Description
This instruction loads the address specified by the memory operand into the
destination register. No memory access cycle takes place.
You can also use LEA to perform simple multiplication or addition as discussed in
Chapter 4.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
6       #UD()     INT 6     #UD()
* The undefined opcode fault only occurs when the src operand is encoded as a register

Examples
        LEA     ESI, VECTOR[EBX*4]      ; Load address of array element
        LEA     EDI, [EAX][ECX]         ; Add contents of EAX and ECX, store in EDI

LEAVE 80186/80286/80386
Leave Current Stack Frame ()

Syntax
LEAVE

Operation
MOV     ESP, EBP
POP     EBP

Legal Form
LEAVE

Description
LEAVE is the counterpart of the ENTER instruction. ENTER is executed immediately
after a procedure call to set up a new stack frame. LEAVE is executed before a RET
instruction to release the returning procedure's stack frame.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
        PM        RM        V8086
12      #SS(0)
13                INT 13    #GP(0)

Example
        ENTER   4, 4            ; First instruction of procedure

                                ; Procedure contents

        LEAVE                   ; Clean up stack frame
        RET                     ; And return to caller


LGDT 80286/80386
Load GDT Register ()

Syntax
LGDT op

Operation
GDTR.limit ← [op]
GDTR.base ← [op+2]

Legal Form

LGDT

Description
This instruction loads the GDTR register, specifying the address and limit of the
global descriptor table (GDT). The operand must point to a data structure in
memory whose first 16 bits contain the limit of the global descriptor table and
whose next 32 bits contain the linear base address of the GDT.
Loading the GDTR does not invalidate the currently active descriptors; however,
subsequent references to selectors load descriptors from the new GDT.
A procedure must have a CPL of 0 to issue the LGDT instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  #UD()  INT 6  #UD()
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)
* The undefined opcode fault only occurs when the instruction is encoded with a register value for op.

Example
LGDT    initial_table


LIDT 80286/80386
Load IDT Register ()

Syntax
LIDT op

Operation
IDTR.limit ← [op]
IDTR.base ← [op+2]

Legal Form

LIDT    mem

Description
This instruction loads the IDTR register and specifies the address and limit of the
interrupt descriptor table (IDT). The operand must point to a data structure in
memory whose first 16 bits contain the limit of the interrupt descriptor table and
whose next 32 bits contain the linear base address of the IDT.
After loading the IDTR, any software or hardware interrupts, faults, or traps will
cause an access to the new IDT.
A procedure must have a CPL of 0 to issue the LIDT instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  #UD()  INT 6  #UD()
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)
* The undefined opcode fault only occurs when the op operand is encoded as a register.

Example
LIDT    new_int_table   ; Load IDT register


LLDT 80286/80386
Load LDT Register (16)

Syntax
LLDT op

Operation
LDTR ← op

Legal Forms

LLDT    reg
LLDT    mem

Description
This instruction loads a selector into the LDTR register and specifies a new local
descriptor table (LDT). The operand to LLDT must contain a valid local descriptor table
selector or the value 0.
Active descriptors that refer to the previous LDT are not invalidated; however,
subsequent selector references load descriptors from the new LDT.
If the LDTR is loaded with the value 0, all LDT selector references that cause a
memory reference result in a general protection fault.
The executing procedure must have a CPL of 0 to issue the LLDT instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  INT 6  #UD()
11  #NP(sel)
12  #SS(0)
13  #GP(0)
13  #GP(sel)
14  #PF(ec)

Example
LLDT    task_8.ldtr


LMSW 80286/80386
Load Machine Status Word (16)

Syntax
LMSW op

Operation
CR0 ← (CR0 & FFFF0000H) | op

Legal Forms

LMSW    reg
LMSW    mem

Description
This instruction loads the low-order 16 bits of the CR0 register. Use it only when
running 80286 operating system code. On 32-bit systems, use the instruction MOV
CR0, reg. Note that you can use LMSW to enter protected mode but not to leave it
and that you can use MOV CR0, reg to both enter and leave protected mode.
A procedure must be running in ring 0 to execute LMSW.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
LMSW    init_state


LOCK 8086/80186/80286/80386
Assert Hardware LOCK\ Signal Prefix ()

Syntax
LOCK

Legal Forms
LOCK

Description
The LOCK instruction prefix supports multiprocessor hardware configurations. You
can use the hardware LOCK\ signal to ensure exclusive access to a particular
memory byte, word, or dword. The LOCK instruction is valid only if it precedes an
instruction in the list below. If you use it in combination with another instruction or
in an unsupported form of one of the listed instructions, an undefined opcode fault

BT      OR
BTS     SBB
BTR     SUB
BTC     XOR
XCHG    DEC
XCHG    INC
ADD     NEG
ADC     NOT
AND

The LOCK\ signal is asserted for the duration of the instruction, including the time
required for a read-modify-write cycle. The XCHG instruction does not require the
LOCK prefix because the LOCK\ signal is always asserted during a memory XCHG.
When writing software for multiprocessor systems, ensure that locked access for
particular memory addresses always occurs to operands of the same size. In other
words, if you use the dword at physical address 100, always get access to it as a
dword and never as a byte or word. Locking is not guaranteed to operate correctly
unless you observe this restriction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  #UD()  INT 6  #UD()

Example
LOCK
BTS     semaphore, 3


LODS 8086/80186/80286/80386
Load String (8/16p/32)

Syntax
LODS

Operation
when opcode is (LODSB, LODSW, LODSD) set opsize ← (1, 2, 4)
acc ← DS:[ESI]
if (DF = 0) then
    ESI ← ESI + opsize
else
    ESI ← ESI - opsize
endif

Legal Forms
LODSB           ; Load string byte
LODSW           ; Load string word
LODSD           ; Load string doubleword

Description
This instruction loads the byte, word, or dword at DS:ESI into the accumulator. If the
DF bit in the EFLAGS register is 0, ESI is incremented by the size of the operand
(1, 2, or 4 bytes). If DF is 1, ESI is decremented.
Because LODS is one of the 80386 string instructions, you can precede it with the
REP prefix; however, the resulting instruction is useless, as it continuously
overwrites the contents of the accumulator.
You can precede the LODS instruction with a segment override prefix. In such a
case, the operand is taken from the specified segment.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)

Example
        LEA     EBX, A_to_E     ; Address of translation table
        MOV     ESI, [EBP+12]   ; Source address
        LES     EDI, [EBP+16]   ; Destination
L1:     LODSB                   ; Fetch byte from source
        OR      AL, AL          ; Test byte for zero
        JZ      DONE            ; Branch if zero
        XLATB                   ; Translate the byte
        STOSB                   ; Save translated version
        JMP     L1
DONE:


LOOPcc 8086/80186/80286/80386
Decrement ECX and Branch ()

Syntax

Operation
ECX ← ECX - 1
if (cc & (ECX != 0)) then
    EIP ← EIP + offset
endif

Legal Forms
LOOP    offset
LOOPZ   offset
LOOPNZ  offset
LOOPE   offset
LOOPNE  offset

Description
These instructions support a decrement and branch operation. For all variants other
than LOOP, the decrement and branch is combined with a test on the ZF bit. A loop
counter is assumed in register ECX. The instruction decrements the register, and if
the value of ECX is 0, no branch is taken. No flags are set as a result of the
decrement.

If the value of ECX is not 0, the branch is taken unless the condition in the LOOPcc
forms is not true.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
13  #GP(0)  INT 13  #GP(0)

Example
; Initialize array of temp reals to 1.0
        FLD1                    ; Push 1.0 onto NDP stack
        LEA     ESI, array      ; Starting address of array
        MOV     ECX, size       ; Load loop counter
L1:     FLD     ST(1), ST       ; Duplicate 1.0 value on NDP stack
        FSTP    [ESI]           ; Store 1.0, pop NDP stack
        LOOP    L1              ; Continue while ECX not 0
        FSTP    ST(0), ST       ; Done--pop last 1.0 constant off
                                ; NDP stack


Lseg 8086/80186/80286/80386
Load Segment Register (16p/32)

Syntax

Operation
dest ← [src]
seg ← [src+4]

Legal Forms

LDS     reg,
LES     reg,
LFS     reg,
LGS     reg, mem
LSS     reg, mem

Description
The src address specifies a 48-bit pointer (32-bit in real mode or V86 mode)
consisting of a 32-bit offset followed by a 16-bit selector. The 32-bit offset is loaded
into the dest register and the selector is loaded into the segment register specified by
the instruction mnemonic. The 80386 protection mechanism validates the descriptor
associated with the selector.
Use only the ESP register with the Lseg instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Examples
LES     ESI, BIGPTR     ; Load address of array element [EBX]
LSS     ESP, OLDSTACK   ; Load a new stack pointer


LSL 80286/80386
Load Segment Limit (16p/32)

Syntax

Operation
if (access_OK(select)) then
    dest ← descript(select).limit
    ZF ← 1
else
    ZF ← 0
endif

Legal Forms
        dest    select
LSL     reg,    reg
LSL     reg,

Description
If the select operand is accessible to the executing program as a valid selector under
the protection rules, this instruction loads the dest register with the segment limit
from the descriptor indicated by select and sets ZF to 1.
If the operand is not accessible or the descriptor associated with select does not
contain a limit field, ZF is set to 0.
The value stored in the dest register is always the offset of the last addressable byte
in the segment (page granular limits are converted to byte granular limits).
Therefore, do not use a 16-bit register as the dest operand, as the resulting value
might be too large.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
INT 6  #UD()
12  #SS(0)
13  #GP(0)
14  #PF(ec)

Example
LSL     EAX, [BP+12]    ; Get limit of selector on stack
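
The results that the LAR and LSL entries describe can be computed from the raw 8-byte descriptor, which shows why a page granular limit does not fit a 16-bit destination. This is an added example, not code from the book; the function names and sample descriptors are constructed here, and the byte positions used (access rights in byte 5, limit bits 16-19 and the G bit in byte 6) are the standard 80386 descriptor layout rather than something stated in this section.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 8-byte descriptor as stored in the GDT or LDT, lowest byte first.
 * Byte 5 holds the access rights. Byte 6 holds limit bits 16-19 in its
 * low nibble and the access extension bits in its high nibble (G = bit 7). */
typedef struct { uint8_t b[8]; } descriptor;

/* Constructed sample descriptors (not taken from the book). */
static const descriptor SAMPLE_FLAT_CODE = {{0xFF, 0xFF, 0, 0, 0, 0x9A, 0xCF, 0}};
static const descriptor SAMPLE_DATA_128K = {{0xFF, 0xFF, 0, 0, 0, 0x92, 0x01, 0}};
static const descriptor SAMPLE_CALL_GATE = {{0x00, 0x10, 0x08, 0, 0, 0x8C, 0x00, 0}};
static const descriptor SAMPLE_TYPE_0DH  = {{0, 0, 0, 0, 0, 0x8D, 0x00, 0}};

/* Value LAR stores in a 32-bit destination: access rights in bits 8-15,
 * access extension bits from byte 6 in bits 20-23. */
uint32_t lar32(const descriptor *d)
{
    return ((uint32_t)d->b[5] << 8) | ((uint32_t)(d->b[6] & 0xF0) << 16);
}

/* LAR resets ZF for nonmemory (S = 0) descriptors of type 0, 8, 0AH, 0DH. */
bool lar_type_valid(const descriptor *d)
{
    unsigned s_and_type = d->b[5] & 0x1F;      /* S bit plus 4-bit TYPE */
    if (s_and_type & 0x10)
        return true;                           /* memory segment */
    switch (s_and_type) {
    case 0x0: case 0x8: case 0xA: case 0xD:
        return false;
    default:
        return true;
    }
}

/* Same test as the SHR / AND / CMP sequence in the LAR example. */
bool is_386_call_gate(uint32_t lar_value)
{
    return ((lar_value >> 8) & 0x1F) == 0x0C;
}

/* Value LSL stores: offset of the last addressable byte. A page granular
 * limit (G = 1) counts 4 KB pages and is converted to a byte limit. */
uint32_t lsl_byte_limit(const descriptor *d)
{
    uint32_t raw = (uint32_t)d->b[0] | ((uint32_t)d->b[1] << 8) |
                   ((uint32_t)(d->b[6] & 0x0F) << 16);
    if (d->b[6] & 0x80)
        raw = (raw << 12) | 0xFFF;
    return raw;
}

/* True if the limit would survive being stored in a 16-bit register. */
bool limit_fits_16_bits(uint32_t limit)
{
    return limit <= 0xFFFF;
}

int main(void)
{
    printf("flat code: LAR=%08lX LSL=%08lX fits16=%d\n",
           (unsigned long)lar32(&SAMPLE_FLAT_CODE),
           (unsigned long)lsl_byte_limit(&SAMPLE_FLAT_CODE),
           limit_fits_16_bits(lsl_byte_limit(&SAMPLE_FLAT_CODE)));
    printf("128K data: LSL=%08lX fits16=%d\n",
           (unsigned long)lsl_byte_limit(&SAMPLE_DATA_128K),
           limit_fits_16_bits(lsl_byte_limit(&SAMPLE_DATA_128K)));
    printf("call gate: is_gate=%d type_valid=%d\n",
           is_386_call_gate(lar32(&SAMPLE_CALL_GATE)),
           lar_type_valid(&SAMPLE_CALL_GATE));
    printf("type 0DH:  type_valid=%d\n", lar_type_valid(&SAMPLE_TYPE_0DH));
    return 0;
}
```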


LTR 80286/80386
Load Task Register (16)

Syntax

Operation

Legal Forms

LTR     reg
LTR

Description
This instruction loads the task register with the selector specified by the operand.
The TSS descriptor for the selector is marked "busy." Loading the task register does
not cause a task switch.
If the procedure that executes the LTR instruction is not running with a CPL of 0, a
general protection fault occurs.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
INT 6  #UD()
10  #NP(sel)
12  #SS(0)
13  #GP(0)
13  #GP(sel)
14  #PF(ec)

Example
LTR     AX              ; Load task register


MOV 8086/80186/80286/80386
Move Data (8/16p/32)

Syntax

Operation

Legal Forms

MOV     reg, idata
MOV     mem, idata
MOV     reg, reg
MOV     reg, mem
MOV     reg

Description
This instruction copies the contents of the src operand into dest.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Examples
MOV     AL, [ECX]       ; Get byte from memory
MOV     ESI, 182H       ; Load ESI with data value
MOV     BX, DX          ; 16-bit move
MOV     AH, 7FH         ; Load AH with 8-bit data


MOV 8086/80186/80286/80386
Move Selector (16)

Syntax

Operation

Legal Forms
        dest    src
MOV     sreg,   reg
MOV     sreg,   mem
MOV     reg,    sreg
MOV     mem,    sreg

Description
This instruction copies the contents of the src operand into the dest operand. If the
dest operand is a segment register, the instruction loads the descriptor associated
with the selector into the 80386 shadow registers. Privilege checks and tests for
descriptor legality are made unless the selector value is 0. A protection fault occurs
if 0 is loaded into the SS register.
When the SS register is loaded, all hardware interrupts (including NMI) are masked
until after the next instruction executes, to allow loading of the ESP register.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
10  #NP(sel)
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Examples
MOV     DS, AX          ; Load new data segment
MOV     ES, heapseg     ; Load ES register
MOV     save_ss, SS     ; Store copy of SS register


MOV 80386
Move Special (32)

Syntax

Operation

Legal Forms
        dest    src
MOV     reg,    reg

Description
This instruction copies or loads a special CPU register to or from an 80386 general
register. The special registers are CR0, CR2, CR3, DR0, DR1, DR2, DR3, DR6, DR7,
TR6, and TR7.
A procedure must be running at a CPL of 0 to execute this instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
13  #GP(0)  #GP(0)

Examples
MOV     EAX, CR0        ; Save CR0 in EAX
MOV     TR7, ECX        ; Load test register 7


MOVS 8086/80186/80286/80386
Move String (8/16p/32)

Syntax
MOVS

Operation
when opcode is (MOVSB, MOVSW, MOVSD) set opsize ← (1, 2, 4)
ES:[EDI] ← DS:[ESI]
if (DF = 0) then
    ESI ← ESI + opsize
    EDI ← EDI + opsize
else
    ESI ← ESI - opsize
    EDI ← EDI - opsize
endif

Legal Forms
MOVSB           ; Move string byte
MOVSW           ; Move string word
MOVSD           ; Move string doubleword

Description
This instruction copies the memory operand pointed to by DS:ESI to the destination
address specified by ES:EDI. The operand is a byte, word, or doubleword, depending
on the opcode specified. The EDI and ESI registers are incremented by the size
of the operand if the DF bit is 0 or decremented if the DF bit is 1.
You can apply the REP prefix to the MOVS instruction to repeat the instruction. You
must place the value specifying the repeat count in the ECX register.
A segment override prefix may be applied to the MOVS instruction. It will override
the DS segment of the DS:[ESI] operand. You cannot override the ES segment
assumption for the EDI operand.
For dword-aligned strings, a REP MOVSD transfers data quicker than does the
equivalent REP MOVSB or REP MOVSW. However, if the source and destination strings
overlap, only the REP MOVSB operation works correctly.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
LEA     ESI, copyrightmsg       ; Get source string
LES     EDI, [EBP+12]           ; ES:EDI loaded from stack frame
MOV     ECX, 31                 ; Size of source string
CLD                             ; Ensure direction flag set correctly
REP MOVSB                       ; Copy byte string


MOVSX 80386
Move with Sign Extension (8/16p/32)

Syntax
MOVSX dest, src

Operation
dest ← sign_extend(src)

Legal Forms

MOVSX   reg, reg
MOVSX   reg,

Description
This instruction copies an 8-bit operand to a 16-bit or 32-bit destination or a 16-bit
operand to a 32-bit destination and sign-extends the source operand to fit. Sign
extension is performed by duplicating the high-order bit of the src throughout the
upper bits of the dest operand.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Examples
MOVSX   EAX, AL                 ; Extend byte to dword
MOVSX   EDI, WORD PTR [ESI]     ; Extend word to dword
MOVSX   CX, DL                  ; Extend byte to word


MOVZX 80386
Move with Zero Extension (8/16p/32)

Syntax
MOVZX dest, src

Operation

Legal Forms
                src
MOVZX   reg,    reg
MOVZX   reg,    mem

Description
This instruction copies an 8-bit operand to a 16-bit or 32-bit destination or a 16-bit
operand to a 32-bit destination and zero-extends the source operand to fit. Zero
extension is performed by filling the upper bits of the dest operand with 0.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)

Examples
MOVZX   EAX, AL                 ; Extend byte to dword
MOVZX   EDI, WORD PTR [ESI]     ; Extend word to dword
MOVZX   CX, DL                  ; Extend byte to word


MUL 8086/80186/80286/80386
Unsigned Multiplication (8/16p/32)

Syntax
MUL src

Operation

Legal Forms

MUL     reg
MUL

Description
This instruction performs unsigned integer multiplication and requires only one
operand, the multiplier. The multiplicand is the accumulator, and the product is also
stored in the accumulator. The size of the src operand determines which registers
will be used, as illustrated in the following table:

Multiplier (src)    Multiplicand    Product
                    AL              AX
                    AX              DX:AX
                    EAX             EDX:EAX

The flags are left in an undetermined state except for OF and CF, which are cleared
to 0 if the high-order byte, word, or dword of the product is 0.

Flags
OF DF IF TF SF ZF AF PF CF
? x

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)

Example
MOV     EAX, 3
MUL     DWORD PTR [ESI]
JC      res_64          ; Branch if result requires 64 bits
MOV     res_32, EAX     ; Else store product


NEG 8086/80186/80286/80386
Negate Integer (8/16p/32)

Syntax
NEG op

Operation

Legal Forms

NEG     reg
NEG

Description
This instruction subtracts its operand from 0, which results in a two's complement
(integer) negation of the operand.

Flags
OF DF IF TF SF ZF AF PF CF
x x x

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
; Compute absolute value
        OR      EAX, EAX        ; Test for +/-
        JNS     SKIP            ; Jump if not signed (positive)
        NEG     EAX             ; Negate negative number
SKIP:


NOP 8086/80186/80286/80386
No Operation ()

Syntax
NOP

Legal Form
NOP

Description
This instruction performs no function other than taking up space in the code
segment.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
NOP                     ; Nothing occurs


NOT 8086/80186/80286/80386
Boolean Complement (8/16p/32)

Syntax
NOT op

Operation

Legal Forms

NOT     reg
NOT

Description
This instruction inverts the state of each bit in the operand.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
NOT     ECX             ; Invert ECX


OR 8086/80186/80286/80386
Boolean OR (8/16p/32)

Syntax

Operation
dest ← dest | src

Legal Forms

OR      reg, idata
OR      mem, idata
OR      reg, reg
OR      reg,
OR      mem, reg

Description
This instruction performs a Boolean OR operation between each bit of the src
operand and the dest operand. The result is stored in dest. The truth table defining
the OR operation is as follows:
0 | 0 = 0
0 | 1 = 1
1 | 0 = 1
1 | 1 = 1

Flags
OF DF IF TF SF ZF AF PF CF
0 0

Faults
PM  RM  V8086
12
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
OR      AL, 80H         ; Set high bit of AL


OUT 8086/80186/80286/80386
Output to Port (8/16p/32)

Syntax

Operation

Legal Forms
        port
OUT     idata,
OUT     DX,

Description
This instruction outputs the value in the accumulator to the specified data port.
Placing an immediate value in the port operand field lets you address ports 0-255.
You can address port addresses 0-65,535 by storing the port number in the DX
register.
OUT is a privileged instruction. A procedure executing an output instruction must
satisfy one of two conditions; otherwise, a general protection fault occurs.
If the procedure that executes an OUT instruction has I/O privilege (if its CPL is
numerically less than or equal to the IOPL field in the EFLAGS register), the output
instruction executes immediately.
If the procedure does not have I/O privilege, the I/O permission bitmap for the
current task is checked. If the bit(s) corresponding to the I/O port(s) is cleared to 0,
the output instruction executes. If the bit(s) is set to 1, or the port(s) is outside the
range of the bitmap, a general protection fault occurs. See Chapter 5 for more details on

If the OUT instruction is encountered while in V86 mode, only the I/O permission
bitmap is tested. The IOPL value is not a factor.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
13  #GP(0)  #GP(0)

Example
MOV     DX, 378H        ; Set port address
OUT     DX, AX          ; Write to ports 378 and 379
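
The two-condition check described for OUT can be modelled as a single decision function, including the case from the example above where a word write covers two ports. This is an added example, not code from the book; the structure, function names and sample bitmap are constructed here, and the one-bit-per-port layout (bit n of byte n/8) is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Execution context consulted by the check (names are this example's own). */
struct io_ctx {
    unsigned cpl;            /* current privilege level, 0..3 */
    unsigned iopl;           /* IOPL field of EFLAGS, 0..3 */
    bool v86;                /* true when the task runs in V86 mode */
    const uint8_t *bitmap;   /* I/O permission bitmap of the current task */
    size_t bitmap_bits;      /* number of ports the bitmap covers */
};

/* A cleared bit permits the port. Ports past the end of the bitmap are
 * treated as denied, as the description requires. */
static bool port_bit_clear(const struct io_ctx *c, uint32_t port)
{
    if (port >= c->bitmap_bits)
        return false;
    return (c->bitmap[port / 8] & (1u << (port % 8))) == 0;
}

/* Returns true if OUT executes, false if it would raise #GP(0).
 * width is the operand size in bytes (1, 2 or 4): a word or dword access
 * touches that many consecutive ports, and every one must be permitted. */
bool out_permitted(const struct io_ctx *c, uint16_t port, unsigned width)
{
    /* Outside V86 mode, I/O privilege (CPL <= IOPL) is sufficient. */
    if (!c->v86 && c->cpl <= c->iopl)
        return true;
    /* Without I/O privilege, and always in V86 mode, the bitmap decides. */
    for (unsigned i = 0; i < width; i++) {
        if (!port_bit_clear(c, (uint32_t)port + i))
            return false;
    }
    return true;
}

/* Build a constructed sample bitmap: every port denied except one. */
void sample_bitmap_allow_only(uint8_t *bm, size_t nbytes, uint16_t port)
{
    memset(bm, 0xFF, nbytes);
    if ((size_t)(port / 8) < nbytes)
        bm[port / 8] &= (uint8_t)~(1u << (port % 8));
}

int main(void)
{
    uint8_t bm[128];                       /* covers ports 0..1023 */
    sample_bitmap_allow_only(bm, sizeof bm, 0x378);

    struct io_ctx ring3 = { 3, 0, false, bm, sizeof bm * 8 };
    struct io_ctx ring0 = { 0, 0, false, bm, sizeof bm * 8 };
    struct io_ctx v86   = { 3, 3, true,  bm, sizeof bm * 8 };

    printf("ring 3, byte OUT to 378H: %d\n", out_permitted(&ring3, 0x378, 1));
    printf("ring 3, word OUT to 378H: %d\n", out_permitted(&ring3, 0x378, 2));
    printf("ring 0, byte OUT to 379H: %d\n", out_permitted(&ring0, 0x379, 1));
    printf("V86 IOPL 3, byte OUT to 379H: %d\n", out_permitted(&v86, 0x379, 1));
    return 0;
}
```

The word-sized OUT to 378H is refused for the unprivileged task even though port 378H is permitted, because port 379H is not.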


OUTS 80186/80286/80386
Output String (8/16p/32)

Syntax
OUTS

Operation
when opcode is (OUTSB, OUTSW, OUTSD) set opsize ← (1, 2, 4)
port(DX) ← DS:[ESI]
if (DF = 0) then
    ESI ← ESI + opsize
else
    ESI ← ESI - opsize
endif

Legal Forms
OUTSB           ; Out string byte
OUTSW           ; Out string word
OUTSD           ; Out string doubleword

Description
This instruction outputs the byte, word, or doubleword at offset ESI to the port
specified in register DX. The ESI register is adjusted by the size of the memory
operand, incremented if the DF bit is 0 or decremented if DF is 1.
You can precede the OUTS instruction with the REP instruction; however, register
ECX must contain a count of the number of times the OUTS instruction is to be
executed.
You can apply one of the segment override prefixes to the OUTS instruction, causing
the operand to be taken from the specified segment rather than the segment
pointed to by DS.
Output instructions are privileged instructions. The protection checks for the OUTS
instructions are the same as those for the OUT instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
LEA     ESI, IO_CHNL_CMD        ; Get pointer to string
MOV     DX, CONTROLLER          ; Get I/O port number
MOV     ECX, 8                  ; Size of I/O string
REP OUTSD                       ; Output 8 doublewords


POP 8086/80186/80286/80386
Pop Segment Register (16)

Syntax

Operation
seg ← SS:[ESP]
ESP ← ESP + 4

Legal Form

POP     sreg

Description
This instruction pops a 32-bit value off the stack and stores the low-order 16 bits in
the specified segment register. Register CS is not a valid destination operand, but
the other segment registers (DS, ES, SS, FS, and GS) are valid.
The value stored in the segment register must be a valid selector or 0; otherwise, a
protection fault occurs. (Register SS cannot be loaded with a 0.) Note also that a
POP SS instruction has limited usefulness because SS and ESP are required to
implement a stack. However, if you execute a POP SS, the 80386 inhibits all hardware
interrupts to enable the loading of ESP and the guarding against interrupts while the
stack pointer is invalid.
If the POP instruction is executed by a V86 mode task, only 16 bits are popped off

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
10  #NP(sel)
12  #SS(0)  #SS(0)
13  #GP(0)  INT 13  #GP(0)

Examples
POP     GS
POP     DS


POP 8086/80186/80286/80386
Pop Value off Stack (16p/32)

Syntax

Operation
dest ← SS:[ESP]
if (sizeof(dest) = 16) then
    ESP ← ESP + 2
else
    ESP ← ESP + 4
endif

Legal Forms

POP     reg
POP     mem

Description
This instruction pops the current value at the top-of-stack, stores it in the dest
operand, and adjusts the stack pointer.
For optimum performance, keep the stack on a doubleword boundary. Pushing and
popping 16-bit values might alter this alignment. For this reason, it is preferable to
sign-extend or zero-extend a 16-bit operand to 32 bits before pushing or popping it.
When you execute POP in V86 mode, the stack will generally be used only for
16-bit values. This does not degrade system performance. Pushing and popping 16-bit
values leads to problems only when both 32-bit and 16-bit pushes and pops are
mixed in the same code.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
POP     ECX


POPA 80186/80286/80386
Pop All General Registers (16)

Syntax

Operation
POP     DI
POP     SI
POP     BP
ADD
POP     BX
POP     DX
POP     CX
POP

Legal Form

Description
This instruction pops all 16-bit general registers except SP from the stack. Because
the registers are stored as a 16-byte block of data, the POPA instruction does not
affect doubleword alignment of the stack.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  INT 13  #GP(0)
14

Example


POPAD 80386
Pop All General Registers (32)

Syntax

Operation
POP     EDI
POP     ESI
POP     EBP
ADD     ESP, 4
POP     EBX
POP     EDX
POP     ECX
POP     EAX

Legal Form
POPAD

Description
This instruction pops all 32-bit general registers except ESP from the stack.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example


POPF 8086/80186/80286/80386
Pop Stack into FLAGS (16)

Syntax

Operation
FLAGS ← SS:[ESP]
ESP ← ESP + 2

Legal Form
POPF

Description
This instruction pops the low-order word of the EFLAGS register from the stack.
POPF provides compatibility with previous Intel microprocessors. Use the POPFD
instruction in native-mode programming.

Flags
OF DF IF TF SF ZF AF PF CF
x x x

Faults
PM  RM  V8086
12  #SS(0)
13  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example


POPFD 80386
Pop Stack into EFLAGS (32)

Syntax

Operation
EFLAGS ← SS:[ESP]
ESP ← ESP + 4

Legal Form
POPFD

Description
This instruction pops the top-of-stack into the EFLAGS register. The VM and RF bits
initially present in EFLAGS are not modified. The interrupt flag is modified only if
CPL ≤ IOPL before the POPFD, that is, if the executing procedure has I/O privilege.
The IOPL field is altered only if CPL = 0.

Flags
OF DF IF TF SF ZF AF PF CF
x x x

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13
#PF(ec)

Example
POPFD
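
The privilege rules in the POPFD description amount to a mask applied to the popped value, which is what keeps less privileged code from changing IF or raising its own IOPL. This is an added example, not code from the book; the function names are constructed here, the bit positions (IF = bit 9, IOPL = bits 12-13, RF = bit 16, VM = bit 17) are the standard EFLAGS layout, and reserved bits are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define EFL_IF    (1u << 9)     /* interrupt enable flag */
#define EFL_IOPL  (3u << 12)    /* I/O privilege level field */
#define EFL_RF    (1u << 16)    /* resume flag */
#define EFL_VM    (1u << 17)    /* virtual 8086 mode flag */

/* Bits that POPFD leaves untouched for a procedure running at cpl,
 * given the EFLAGS value in effect before the instruction. */
uint32_t popfd_protected_mask(uint32_t eflags, unsigned cpl)
{
    unsigned iopl = (eflags & EFL_IOPL) >> 12;   /* IOPL before the POPFD */
    uint32_t keep = EFL_VM | EFL_RF;             /* never taken from the stack */

    if (cpl > iopl)
        keep |= EFL_IF;       /* no I/O privilege: IF is not modified */
    if (cpl != 0)
        keep |= EFL_IOPL;     /* only CPL 0 may alter the IOPL field */
    return keep;
}

/* EFLAGS after POPFD: protected bits come from the old value, all
 * remaining bits come from the dword popped off the stack. */
uint32_t popfd_result(uint32_t eflags, uint32_t popped, unsigned cpl)
{
    uint32_t keep = popfd_protected_mask(eflags, cpl);
    return (eflags & keep) | (popped & ~keep);
}

/* Protected bits the popped value tried to change but that kept their
 * old state. Useful when auditing or emulating code that manipulates
 * EFLAGS through the stack. */
uint32_t popfd_ignored_bits(uint32_t eflags, uint32_t popped, unsigned cpl)
{
    uint32_t result = popfd_result(eflags, popped, cpl);
    return (popped ^ result) & (EFL_IF | EFL_IOPL | EFL_RF | EFL_VM);
}

int main(void)
{
    /* Constructed case: ring 3 code with IOPL 0 and interrupts enabled
     * pops a value that clears IF and requests IOPL 3. */
    uint32_t before = EFL_IF;
    uint32_t popped = EFL_IOPL | 1u;             /* IOPL = 3, CF = 1, IF = 0 */

    printf("ring 3: %08lX (ignored %08lX)\n",
           (unsigned long)popfd_result(before, popped, 3),
           (unsigned long)popfd_ignored_bits(before, popped, 3));
    printf("ring 0: %08lX (ignored %08lX)\n",
           (unsigned long)popfd_result(before, popped, 0),
           (unsigned long)popfd_ignored_bits(before, popped, 0));
    return 0;
}
```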


PUSH 8086/80186/80286/80386
Push Value onto Stack (8/16p/32)

Syntax
PUSH op

Operation
if (sizeof(op) = 16) then
    ESP ← ESP - 2
else
    ESP ← ESP - 4
endif
SS:[ESP] ← op

Legal Forms

PUSH    idata
PUSH    reg
PUSH    sreg
PUSH    mem

Description
This instruction pushes the operand onto the stack. The stack pointer is
decremented before the value is pushed. If the operand is the ESP register, the value
stored on the stack is the value that ESP had before the instruction was executed.
(This instruction is different from the 8086 instruction, which pushes the new
value.)
Note that pushing 16-bit registers and memory operands onto the stack changes the
stack's memory alignment. It is more efficient to sign-extend or zero-extend the
operand to 32 bits and push the dword. The 80386 uses segment registers to push
an instruction value onto the stack.
When you execute the PUSH instruction in V86 mode, segment registers are pushed
as 16-bit values. The stack will generally be used only for 16-bit values in V86 mode.
This does not affect system performance because stack misalignment only occurs
when both 16-bit and 32-bit values are pushed onto the stack.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)

Examples
PUSH    7
MOVSX   EAX, AX
PUSH    EAX
PUSH    array[ESI*4]    ; Push memory value


PUSHA 80186/80286/80386
Push 16-Bit General Registers (16)

Syntax
PUSHA

Operation

PUSH    AX
PUSH    CX
PUSH    DX
PUSH    BX
PUSH    temp
PUSH    BP
PUSH    SI
PUSH    DI

Legal Form
PUSHA

Description
This instruction stores a copy of all eight 16-bit registers on the stack. This
instruction provides compatibility with 80186 and 80286 software. Use the PUSHAD
instruction in native-mode environments.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  INT 13  #GP(0)
14

Example
PUSHA


PUSHAD 80386
Push 32-Bit General Registers (32)

Syntax
PUSHAD

Operation
temp ← ESP
PUSH    EAX
PUSH    ECX
PUSH    EDX
PUSH    EBX
PUSH
PUSH    EBP
PUSH    ESI
PUSH    EDI

Legal Form
PUSHAD

Description
This instruction stores a copy of all eight general registers on the stack. The value
of ESP that is saved to the stack is the ESP value before execution of the PUSHAD
instruction.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  INT 13  #GP(0)
14

Example
PUSHAD


PUSHF 8086/80186/80286/80386
Push 16-Bit EFLAGS Register (16)

Syntax
PUSHF

Operation
ESP ← ESP - 2
SS:[ESP] ← FLAGS

Legal Form
PUSHF

Description
This instruction pushes the low-order 16 bits of the EFLAGS register onto the stack.
PUSHF provides compatibility with 16-bit processors and causes misalignment of
the stack if used in native mode. Only 32-bit programs should use PUSHFD.
PUSHF causes a general protection fault in V86 mode if the executing procedure's
IOPL is numerically less than 3.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
PUSHF


PUSHFD 80386
Push EFLAGS Register (32)

Syntax
PUSHFD

Operation
ESP ← ESP - 4
SS:[ESP] ← EFLAGS

Legal Form
PUSHFD

Description
This instruction pushes the contents of the EFLAGS register onto the stack. PUSHF
will cause a general protection fault in V86 mode if IOPL is less than 3.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
PUSHFD


RCL 8086/80186/80286/80386
Rotate Through Carry Left (8/16p/32)

Syntax

Operation
temp ← count & 1FH
if (temp = 1) then
    OF ← (highbit(dest) != CF)
else
    OF ← ?
endif
value ← concatenate(CF, dest)
while (temp != 0)
    x ← highbit(value)
    value ← (value << 1) + x
    temp ← temp - 1
endwhile
CF ← highbit(value)

Legal Forms
        dest    count
RCL     reg,    idata
RCL             idata
RCL     reg,    CL
RCL             CL

Description
This instruction concatenates the carry flag (CF) with the dest operand and rotates
the value the specified number of times. A rotation is implemented by shifting the
value once and transferring the bit shifted off the high end to the low-order position

The OF bit is defined only if the rotate count is 1. The 80386 never rotates a pattern
more than 31 times. Counts greater than 31 are masked by the bit pattern
0000001FH.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
RCL     EAX, 3          ; Rotate EAX 3 bits left


RCR 8086/80186/80286/80386
Rotate Through Carry Right (8/16p/32)

Syntax

Operation
temp ← count & 1FH
if (temp = 1) then
    OF ← (highbit(dest) != highbit(dest << 1))
else
    OF ← ?
endif
value ← concatenate(dest, CF)
while (temp != 0)
    x ← value & 1
    value ← (value >> 1)
    highbit(value) ← x
    temp ← temp - 1
endwhile
CF ← highbit(value)

Legal Forms

RCR     reg,    idata
RCR             idata
RCR     reg,    CL
RCR             CL

Description
This instruction concatenates the carry flag (CF) with the dest operand and rotates
the value the specified number of times. A rotation is implemented by shifting the
value once and transferring the bit shifted off the low end to the high-order position

The OF bit is defined only if the rotate count is 1. The 80386 never rotates a pattern
more than 31 times. Counts greater than 31 are masked by the bit pattern
0000001FH.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)

Example
RCR     EAX, 3          ; Rotate EAX 3 bits right


REP 8086/80186/80286/80386
Repeat String Prefix ()

Syntax
REP

Legal Forms
REP
REPE
REPZ
REPNE
REPNZ

Description
The repeat prefix may be applied to any string instruction (CMPS, INS, LODS,
MOVS, OUTS, SCAS, STOS). When the prefix is present, the string instruction
executes repeatedly based on the count value in the ECX register. The ZF flag is also
tested when executing CMPS or SCAS.
If ECX is 0 when a repeated string instruction is encountered, the string instruction
will not be executed.
Refer to the individual string instructions in this chapter for additional information.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  #UD()  INT 6  #UD()

Example
MOV     EAX, 0
MOV     ECX, 1024/4
REP STOSD               ; Initialize 1 KB of memory to 0


RET 8086/80186/80286/80386
Near Return from Subroutine ()

Syntax
RET count

Operation
EIP ← pop()
ESP ← ESP + count

Legal Forms

RET
RET     idata

Description
This instruction restores the instruction pointer to the value it held before the
previous CALL instruction. The value of EIP that had been saved on the stack is
popped. If the count operand is present, the count value is added to ESP, removing
any operands that were pushed onto the stack for the subroutine call.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
RET     4


RETF 8086/80186/80286/80386
Far Return from Subroutine ()

Syntax
RETF count

Operation
EIP ← pop()
CS ← pop()
ESP ← ESP + count

Legal Forms

RETF
RETF    idata

Description
This variation of the RET instruction pops both a new CS and EIP from the stack.
The instruction assumes that the CS value is stored as the low-order 16 bits of a
dword on the stack.
If this instruction causes a privilege level transition, the protection checks
described in Chapter 5 take place.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
10  #NP(sel)
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
#PF(ec)

Example
RETF                    ; Far return to caller


ROL 8086/80186/80286/80386
Rotate Left (8/16p/32)

Syntax

Operation
temp ← count & 1FH
if (temp = 1) then
    OF ← (highbit(dest) != CF)
else
    OF ← ?
endif
while (temp != 0)
    x ← highbit(dest)
    dest ← (dest << 1) + x
    temp ← temp - 1
endwhile
CF ← highbit(dest)

Legal Forms
                count
ROL     reg,    idata
ROL             idata
ROL     reg,    CL
ROL     mem,    CL

Description
This instruction rotates the dest operand the specified number of times. A rotation
is implemented by shifting the value once and transferring the bit shifted off the
high end to the low-order position of the value.
The OF bit is defined only if the rotate count is 1. The 80386 never rotates a pattern
more than 31 times. Counts greater than 31 are masked by the bit pattern
0000001FH.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
ROL     EAX, 3          ; Rotate EAX 3 bits left

2Aa
a: th 40386/o03A? In.ttuction St Rol.Hc.

ROR    8086/80186/80286/80386
Rotate Right (8/16/32)

Syntax

Operation
temp ← count & 001FH
if (temp = 1) then
    OF ← (highbit(dest) != highbit(dest << 1))
else
    OF ← ?

while (temp != 0)
    x ← value & 1
    value ← (value >> 1)
    highbit(value) ← x
    temp ← temp - 1

CF ← highbit(value)

Legal Forms
     dest  count
ROR  reg,  idata
ROR  mem,  idata
ROR  reg,  CL
ROR  mem,  CL

Description
This instruction rotates the dest operand the specified number of times. A
rotation is implemented by shifting the value once and transferring the bit
shifted off the low end to the high-order position of the value.
The OF bit is defined only if the rotate count is 1. The 80386 never rotates a
pattern more than 31 times. Counts greater than 31 are masked by the bit
pattern 0000001FH.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
ROR  EAX, 3        ; Rotate EAX 3 bits right

SAHF    8086/80186/80286/80386
Store AH in EFLAGS (8)

Syntax
SAHF

Operation
EFLAGS ← EFLAGS | (AH & 0D5H)

Legal Form
SAHF

Description
This instruction loads the contents of the AH register into bits 7, 6, 4, 2,
and 0 of the EFLAGS register.

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
None.

Example
SAHF

SAL    8086/80186/80286/80386
Shift Left Arithmetic (8/16/32)

Syntax

Operation
temp ← count & 001FH
while (temp != 0)
    CF ← highorder(dest)
    dest ← dest << 1
    temp ← temp - 1

if count = 1 then
    OF ← highorder(dest) != CF
else
    OF ← ?

Legal Forms
     dest  count
SAL  reg,  idata
SAL  mem,  idata
SAL  reg,  CL
SAL  mem,  CL

Description
This instruction shifts the dest operand count bits to the left. The
arithmetic shift left (SAL) and logical shift left (SHL) are equivalent
instructions.
The count operand must either be an immediate data value or be stored in
register CL. The 80386 masks the count operand with 1FH so that the count
value is never greater than 31.
If the count operand is 1, the overflow flag is reset to 0 when the high-order
bit and the carry flag have the same value after the shift. If the high-order
bit and CF have different values, OF is set to 1. If count is greater than 1,
OF is undefined.
A left shift is equivalent to multiplying the dest operand by 2^count.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Examples
SAL  ECX, 7
SAL  WORD PTR [EBP+8], CL

SAR    8086/80186/80286/80386
Shift Right Arithmetic (8/16/32)

Syntax

Operation
temp ← count & 001FH
while (temp != 0)
    save ← highorder(dest)
    CF ← dest & 1
    dest ← dest >> 1
    highorder(dest) ← save
    temp ← temp - 1

if count = 1 then
    OF ← 0
else
    OF ← ?

Legal Forms
     dest  count
SAR  reg,  idata
SAR  mem,  idata
SAR  reg,  CL
SAR  mem,  CL

Description
This instruction shifts the dest operand count bits to the right. The shift is
called arithmetic because it preserves the sign bit of the dest operand.
The count operand must be an immediate data value or it must be stored in
register CL. The 80386 masks the count operand with 1FH so that the count
value is never greater than 31.
If count is 1, the overflow flag is reset to 0. If count is greater than 1, OF
is undefined.
The arithmetic right shift is similar to dividing dest by 2^count except that
negative values are rounded toward negative infinity, rather than toward 0
(that is, -3 shifted right 1 rounds to -2, whereas -3 divided by 2^1 rounds
to -1).

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Examples
SAR  ECX, 7
SAR  WORD PTR [EBP+8], CL
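
The SAL and SAR entries above state two behaviors that surprise code ported from a high-level language: the count is silently masked with 1FH, and SAR rounds negative values toward negative infinity. The following C model is an added example, not code from the book; the function names and the mask-building scenario are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* dest and flags after a modeled shift. cf is -1 when the masked count is 0
   (no iteration ran, CF untouched); of_defined is 0 where OF is "?". */
typedef struct {
    uint32_t dest;
    int cf;
    int of;
    int of_defined;
} shift_result;

/* SAL/SHL on a 32-bit operand, following the Operation pseudocode. */
shift_result model_sal32(uint32_t dest, uint32_t count)
{
    shift_result r = { dest, -1, 0, 0 };
    uint32_t temp = count & 0x1Fu;           /* the 80386 masks count with 1FH */
    uint32_t n;
    for (n = temp; n != 0; n--) {
        r.cf = (int)(r.dest >> 31);          /* CF <- high-order bit */
        r.dest <<= 1;
    }
    if (temp == 1) {                         /* OF is defined only for a count of 1 */
        r.of = ((int)(r.dest >> 31)) != r.cf;
        r.of_defined = 1;
    }
    return r;
}

/* SAR on a 32-bit operand: the sign bit is re-inserted after every step. */
shift_result model_sar32(uint32_t dest, uint32_t count)
{
    shift_result r = { dest, -1, 0, 0 };
    uint32_t temp = count & 0x1Fu;
    uint32_t n;
    for (n = temp; n != 0; n--) {
        uint32_t save = r.dest & 0x80000000u;
        r.cf = (int)(r.dest & 1u);
        r.dest = (r.dest >> 1) | save;
    }
    if (temp == 1) {
        r.of = 0;
        r.of_defined = 1;
    }
    return r;
}

/* (1 << nbits) - 1 as the masked shift computes it: nbits = 32 shifts by 0,
   so the "all 32 bits" mask comes out as 0. */
uint32_t low_mask_as_executed(uint32_t nbits)
{
    return model_sal32(1u, nbits).dest - 1u;
}

/* Hardened mask builder (hypothetical helper): validates the width instead of
   relying on the 1FH masking. Returns 0 on success, -1 for an invalid width. */
int low_mask_checked(uint32_t nbits, uint32_t *out)
{
    if (nbits > 32u)
        return -1;
    *out = (nbits == 32u) ? 0xFFFFFFFFu : ((1u << nbits) - 1u);
    return 0;
}

/* Signed division by 2^k (1 <= k <= 31) that rounds toward 0, built from SAR
   by adding 2^k - 1 to negative inputs before the shift. */
int32_t div_pow2_toward_zero(int32_t x, uint32_t k)
{
    uint32_t sign = model_sar32((uint32_t)x, 31).dest;   /* all ones if x < 0 */
    uint32_t bias = sign & ((1u << k) - 1u);
    return (int32_t)model_sar32((uint32_t)x + bias, k).dest;
}

int main(void)
{
    printf("SAR -3, 1          = %d\n", (int)(int32_t)model_sar32((uint32_t)-3, 1).dest);
    printf("-3 / 2             = %d\n", -3 / 2);
    printf("div_pow2(-3, 1)    = %d\n", (int)div_pow2_toward_zero(-3, 1));
    printf("low mask, 32 bits  = %08X\n", (unsigned)low_mask_as_executed(32));
    return 0;
}
```

A size or index computed with SAR on a possibly negative value, or a mask built from an unchecked shift count, should be validated before it is used as a bound.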

SBB    8086/80186/80286/80386
Subtraction with Borrow (8/16/32)

Syntax
SBB dest, src

Operation
dest ← dest - src - CF

Legal Forms
     dest  src
SBB  reg,  idata
SBB  mem,  idata
SBB  reg,  reg
SBB  reg,  mem
SBB  mem,  reg

Description
This instruction subtracts the src operand from the dest operand and
decrements the dest operand by 1 if the CF flag is set. The result is stored
in dest.

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
; 64-bit subtraction operation EDX:EAX - EBX:ECX
SUB  EAX, ECX      ; Low-order bits
SBB  EDX, EBX      ; High-order bits

SCAS    8086/80186/80286/80386
Scan String (8/16/32)

Syntax
SCAS

Operation
when opcode is (SCASB, SCASW, SCASD) set opsize ← (1, 2, 4)
NULL ← acc - ES:[EDI]
if (DF = 0) then
    EDI ← EDI + opsize
else
    EDI ← EDI - opsize

Legal Forms
SCASB  ; Scan string byte
SCASW  ; Scan string word
SCASD  ; Scan string doubleword

Description
This instruction compares the value in the accumulator (AL, AX, or EAX) with
the operand at ES:[EDI]. The flags are set according to the compare operation,
and the EDI register is adjusted by the size of the operand. If the direction
flag (DF) is 0, EDI is incremented; otherwise, it is decremented.
You can apply the REPE or REPNE prefix to the SCAS instruction. The ECX
register contains a repeat count, indicating the maximum number of times the
instruction should be repeated. The instruction will repeat only while the
repeat condition is true, that is, when ZF = 1 for REPE (REPZ) or ZF = 0 for
REPNE (REPNZ).
You cannot use a segment override prefix with SCAS. The ES register is always
the destination of the string to be scanned.

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
; Search for an asterisk in a string
LES    EDI, [EBP+12]   ; String pointer on stack
MOV    ECX, [EBP+20]   ; String size on stack
CLD
MOV    AL, '*'         ; Character to search for
REPNE  SCASB           ; Scan
JE     MATCH           ; Branch if found
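
The REPNE SCASB / JE sequence in the SCAS example depends on the rule stated under the repeat prefix: when ECX is 0 the string instruction does not execute, so ZF keeps whatever value it had before the scan. The C model below is an added example, not code from the book; the struct, the function names and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Only the registers and the flag that REPNE SCASB touches in this model. */
typedef struct {
    uint32_t ecx;   /* repeat count */
    uint32_t edi;   /* offset of the next byte to compare */
    int zf;         /* zero flag */
} scan_state;

/* REPNE SCASB with DF = 0. If ECX is 0 on entry nothing executes and ZF is
   not written. */
void model_repne_scasb(scan_state *s, const uint8_t *es, uint8_t al)
{
    while (s->ecx != 0) {
        s->zf = (al == es[s->edi]);   /* SCASB: flags from acc - ES:[EDI] */
        s->edi += 1;
        s->ecx -= 1;
        if (s->zf)                    /* REPNE repeats only while ZF = 0 */
            break;
    }
}

/* REPNE SCASB followed directly by JE MATCH. stale_zf is the ZF value left
   by earlier instructions. Returns 1 if JE would branch to MATCH. */
int je_taken_unchecked(const uint8_t *str, uint32_t len, uint8_t ch, int stale_zf)
{
    scan_state s = { len, 0, stale_zf };
    model_repne_scasb(&s, str, ch);
    return s.zf;
}

/* Same scan with the count tested before the flags are trusted.
   Returns the index of the match, or -1 if there is none. */
long find_byte_checked(const uint8_t *str, uint32_t len, uint8_t ch, int stale_zf)
{
    scan_state s = { len, 0, stale_zf };
    if (s.ecx == 0)
        return -1;                    /* empty string: never consult stale ZF */
    model_repne_scasb(&s, str, ch);
    return s.zf ? (long)s.edi - 1 : -1;   /* EDI is one past the match */
}

int main(void)
{
    const uint8_t *sample = (const uint8_t *)"ab*cd";   /* constructed input */
    printf("empty string, stale ZF=1, unchecked: %d\n",
           je_taken_unchecked(sample, 0, '*', 1));
    printf("empty string, stale ZF=1, checked:   %ld\n",
           find_byte_checked(sample, 0, '*', 1));
    printf("match index in \"ab*cd\":              %ld\n",
           find_byte_checked(sample, 5, '*', 0));
    return 0;
}
```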

seg    8086/80186/80286/80386
Segment Override Prefix ()

Legal Forms
CS:
DS:
SS:
ES:
FS:
GS:

Description
The instruction that follows these prefixes takes its memory operand from the
specified segment rather than from the default segment.
You cannot override the following string instructions:
INS
SCAS
STOS

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
MOV  EAX, FS:[ESI]     ; Read from FS rather than DS
ADD  DS:[EBP], 7       ; Write to DS rather than SS

SETcc    80386
Set Byte on Condition (8)

Syntax
SETcc dest

Operation
if (cc) then
    dest ← 1
else
    dest ← 0

Legal Forms
SETA    dest  ; Set if above (unsigned x > y) / CF = 0 & ZF = 0
SETAE   dest  ; Set if above or equal / CF = 0
SETB    dest  ; Set if below (unsigned x < y) / CF = 1
SETBE   dest  ; Set if below or equal / CF = 1 | ZF = 1
SETC    dest  ; Set if carry / CF = 1
SETE    dest  ; Set if equal / ZF = 1
SETG    dest  ; Set if greater (signed x > y) / SF = OF & ZF = 0
SETGE   dest  ; Set if greater or equal / SF = OF
SETL    dest  ; Set if less (signed x < y) / SF != OF
SETLE   dest  ; Set if less or equal / SF != OF & ZF = 1
SETNA   dest  ; Set if not above (SETBE)
SETNAE  dest  ; Set if not above or equal (SETB)
SETNB   dest  ; Set if not below (SETAE)
SETNBE  dest  ; Set if not below or equal (SETA)
SETNC   dest  ; Set if no carry / CF = 0
SETNE   dest  ; Set if not equal / ZF = 0
SETNG   dest  ; Set if not greater (SETLE)
SETNGE  dest  ; Set if not greater or equal (SETL)
SETNL   dest  ; Set if not less (SETGE)
SETNLE  dest  ; Set if not less or equal / SF = OF & ZF = 0
SETNO   dest  ; Set if no overflow / OF = 0
SETNP   dest  ; Set if no parity / PF = 0
SETNS   dest  ; Set if no sign / SF = 0
SETNZ   dest  ; Set if not 0 / ZF = 0
SETO    dest  ; Set if overflow / OF = 1
SETP    dest  ; Set if parity / PF = 1
SETPE   dest  ; Set if parity even / PF = 1
SETPO   dest  ; Set if parity odd / PF = 0
SETS    dest  ; Set if sign / SF = 1
SETZ    dest  ; Set if 0 / ZF = 1

Description
This instruction sets the dest byte to 1 if the condition described by the
opcode is met; otherwise, the instruction clears the byte to 0.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
SETNZ  AL
MOVZX  EAX, AL

SGDT    80286/80386
Store GDT Register ()

Syntax
SGDT dest

Operation
dest ← GDTR.LIMIT
dest+2 ← GDTR.BASE

Legal Form
SGDT mem

Description
This instruction writes the limit portion of the GDTR to the dest memory
address and writes the linear base address of the GDT to the dword at
dest + 2.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6*  #UD()  INT 6  #UD()
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)

* The undefined opcode fault only occurs when the dest operand is encoded as a register.

Example
SGDT  [300H]       ; Save GDTR

SHL    8086/80186/80286/80386
Shift Left Logical (8/16/32)

Syntax

Operation
temp ← count & 001FH
while (temp != 0)
    CF ← highorder(dest)
    dest ← dest << 1
    temp ← temp - 1

if count = 1 then
    OF ← highorder(dest) != CF

Legal Forms
     dest  count
SHL  reg,  idata
SHL  mem,  idata
SHL  reg,  CL
SHL  mem,  CL

Description
This instruction shifts the dest operand count bits to the left. The
arithmetic left shift (SAL) and logical left shift (SHL) are equivalent
instructions.
The count operand must either be an immediate data value or be stored in
register CL. The 80386 masks the count operand with 1FH so that the count
value is never greater than 31.
If the count operand is 1, the overflow flag is reset to 0 when the high-order
bit and the carry flag have the same value after the shift. If the high-order
bit and CF have different values, OF is set to 1. If count is greater than 1,
OF is undefined.
A left shift is equivalent to multiplying the dest operand by 2^count.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Examples
SHL  ECX, 7
SHL  WORD PTR [ESP+8], CL

SHLD    80386
Shift Left Double (16/32)

Syntax
SHLD dest, src, count

Operation
temp ← count & 001FH
value ← concatenate(dest, src)
value ← value << temp

Legal Forms
      dest  src   count
SHLD  reg,  reg,  idata
SHLD  mem,  reg,  idata
SHLD  reg,  reg,  CL
SHLD  mem,  reg,  CL

Description
This instruction concatenates the src operand to the dest operand and shifts
the resulting double-size value left. The low-order bits are stored in dest.
The count operand is masked with 1FH so that no shift counts greater than 31
are used.

Flags
OF DF IF TF SF ZF AF PF CF
? x

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
MOV   EAX, [ESI]         ; Get low-order dword
SHLD  EAX, [ESI+4], 7    ; 64-bit shift

SHR    8086/80186/80286/80386
Shift Right Logical (8/16/32)

Syntax

Operation
temp ← count & 001FH
while (temp != 0)
    CF ← dest & 1
    dest ← dest >> 1
    temp ← temp - 1

if count = 1 then
    OF ← highorder(dest)
else
    OF ← ?

Legal Forms
     dest  count
SHR  reg,  idata
SHR  mem,  idata
SHR  reg,  CL
SHR  mem,  CL

Description
This instruction shifts the dest operand count bits to the right. The
high-order bits are cleared to 0 as the low-order bits are shifted.
The count operand must either be an immediate data value or be stored in
register CL. The 80386 masks the count operand with 1FH so that the count
value is never greater than 31.
If the count operand is 1, the overflow flag is set to the high-order bit of
the dest operand. If count is greater than 1, OF is undefined.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Examples
SHR  ECX, 7
SHR  WORD PTR [ESP+8], CL

SHRD    80386
Shift Right Double (16/32)

Syntax
SHRD dest, src, count

Operation
temp ← count & 001FH
value ← cat(src, dest)
value ← value >> temp

Legal Forms
      dest  src   count
SHRD  reg,  reg,  idata
SHRD  mem,  reg,  idata
SHRD  reg,  reg,  CL
SHRD  mem,  reg,  CL

Description
This instruction concatenates the src operand to the dest operand and shifts
the resulting double-size value right. The low-order bits are stored in dest.
The count operand is masked with 1FH so that no shift counts greater than 31
are

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
MOV   EAX, [002AH]       ; Get low-order dword
SHRD  EAX, [002EH]       ; 64-bit shift

SIDT    80286/80386
Store IDT Register ()

Syntax
SIDT dest

Operation
dest ← IDTR.LIMIT
dest+2 ← IDTR.BASE

Legal Form
SIDT mem

Description
This instruction writes the limit portion of the IDTR to the dest memory
address and the linear base address of the IDT to the dword at dest + 2.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6*  #UD()  INT 6  #UD()
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

* The undefined opcode fault only occurs when the dest operand is encoded as a register.

Example
SIDT  int_tab      ; Get address and limit of IDT

SLDT    80286/80386
Store LDT Register (16)

Syntax
SLDT dest

Operation
dest ← LDTR

Legal Forms
SLDT reg
SLDT mem

Description
This instruction stores the selector in the LDTR in the destination location.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  INT 6  #UD()
12  #SS(0)
13  #GP(0)
14  #PF(ec)

Example
SLDT  DX           ; Put LDT selector into DX

SMSW    80286/80386
Store Machine Status Word (16)

Syntax
SMSW dest

Operation

Legal Forms
SMSW reg
SMSW mem

Description
This instruction stores the low-order 16 bits of register CR0 (the 80286
machine status word) in the dest operand.
This instruction is provided for compatibility only. Use the MOV CR0
instruction in native mode programming.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
SMSW  [DI]

STC    8086/80186/80286/80386
Set Carry Flag ()

Syntax
STC

Operation
CF ← 1

Legal Form
STC

Description
This instruction sets the carry flag (CF) in the EFLAGS register to 1.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
STC                ; Carry flag set to 1

STD    8086/80186/80286/80386
Set Direction Flag ()

Syntax
STD

Operation

Legal Form
STD

Description
This instruction sets the direction flag (DF) in the EFLAGS register to 1.
This instruction indicates reverse direction in the string instructions to
decrement the index registers when DF = 1.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
None.

Example
STD                ; Prepare for reverse string operation

STI    8086/80186/80286/80386
Set Interrupt Flag ()

Syntax
STI

Operation
IF ← 1

Legal Form
STI

Description
This instruction sets the interrupt flag (IF) in the EFLAGS register to 1,
enabling hardware interrupts.
The executing program must have a high enough privilege (CPL ≤ IOPL) to issue
the STI command to avoid a general protection fault.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
13  #GP(0)

Example
CLI                     ; Disable interrupts
MOV  AL, semaphore      ; Get memory value
DEC  AL                 ; Decrement counter
JZ   DONE               ; Skip if value was 0
MOV  semaphore, AL      ; Update
DONE:
STI                     ; Reenable interrupts

STOS    8086/80186/80286/80386
Store String (8/16/32)

Syntax
STOS

Operation
when opcode is (STOSB, STOSW, STOSD) set opsize ← (1, 2, 4)
ES:[EDI] ← accum
if (DF = 0) then
    EDI ← EDI + opsize
else
    EDI ← EDI - opsize

Legal Forms
STOSB  ; Store string byte
STOSW  ; Store string word
STOSD  ; Store string doubleword

Description
This instruction writes the current contents of the accumulator (AL, AX, or
EAX, depending on the opcode used) to the memory location pointed to by
ES:EDI. It then increments or decrements EDI by the size of the operand,
according to the DF bit in the EFLAGS register.
If you precede the STOS instruction with the REP prefix, register ECX must
contain a count of the number of times STOS is to be executed. This fills
memory with the value in the accumulator.
You cannot use a segment override prefix with the STOS instruction. The
destination segment will always be selected by ES.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)

Example
; Clear 100 bytes of memory beginning at location 0
MOV  EDI, 0        ; Base address
MOV  ECX, 100 / 4  ; Count (in dwords)
XOR  EAX, EAX      ; Clear accumulator to 0
CLD
REP STOSD          ; Zero memory

STR    80286/80386
Store Task Register (16)

Syntax
STR dest

Operation

Legal Forms
STR reg
STR mem

Description
This instruction stores the task register selector in dest.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  INT 6  #UD()
12  #SS(0)
13  #GP(0)
14  #PF(ec)

Example
STR  CX            ; Store current task's selector

SUB    8086/80186/80286/80386
Subtraction (8/16/32)

Syntax
SUB dest, src

Operation
dest ← dest - src

Legal Forms
     dest  src
SUB  reg,  idata
SUB  mem,  idata
SUB  reg,  reg
SUB  reg,  mem
SUB  mem,  reg

Description
This instruction subtracts the src operand from the dest operand and stores
the result in dest.

Flags
OF DF IF TF SF ZF AF PF CF
x

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Example
; 64-bit subtraction operation EDX:EAX - EBX:ECX
SUB  EAX, ECX      ; Low-order bits
SBB  EDX, EBX      ; High-order bits with possible borrow

TEST    8086/80186/80286/80386
Test Bits (8/16/32)

Syntax

Operation
NULL ← dest & src

Legal Forms
      dest  src
TEST  reg,  idata
TEST  mem,  idata
TEST  reg,  reg
TEST  reg,  mem
TEST  mem,  reg

Description
This instruction performs a bit-by-bit AND operation on the src and dest
operands and discards the result. The flag bits, however, are set as they
would be after an AND instruction.

Flags
OF DF IF TF SF ZF AF PF CF
0 x 0

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)

Examples
TEST  AL, 0FH                    ; Check if any bits set in
TEST  EBX, ECX                   ; Test EBX under mask in ECX
TEST  WORD PTR [EBP+6], 8000H    ; 16-bit integer is negative

VERR    80286/80386
Verify Read Access (16)

Syntax
VERR select

Operation
if (accessible(select) & read_access(select)) then
    ZF ← 1
else
    ZF ← 0

Legal Forms
      select
VERR  reg
VERR  mem

Description
This instruction sets the ZF bit in EFLAGS to 1 if the current procedure can
load the select operand into DS, ES, FS, or GS and can read a value from the
memory segment without causing a privilege violation.
If the selector is for a descriptor that is not a memory segment, if the
memory segment is not readable, or if the current procedure does not have a
high enough privilege level to gain access to the segment, VERR clears ZF
to 0. The VERR instruction does not generate a fault for referring to a
selector that is invalid; however, a fault occurs if the instruction operand
is a memory operand and the operand address is invalid.
Note that this instruction does not check the "present" bit of the descriptor,
nor does it check access at the page protection level (U/S and R/W bits of
page table entries).

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  INT 6  #UD()
12  #SS(0)
13  #GP(0)
14  #PF(ec)

Example
VERR  WORD PTR [EBP+8]   ; Check selector on stack
JZ    CONTINUE           ; Branch if OK
STC
LEAVE                    ; And return if selector is invalid
RETF
CONTINUE:

VERW    80286/80386
Verify Write Access (16)

Syntax
VERW select

Operation
if (accessible(select) & write_access(select)) then
    ZF ← 1
else
    ZF ← 0

Legal Forms
      select
VERW  reg
VERW  mem

Description
This instruction sets the ZF bit in EFLAGS to 1 if the current procedure can
load the select operand into DS, SS, ES, FS, or GS and can write a value to
the memory segment without causing a privilege violation.
If the selector is for a descriptor that is not a memory segment, if the
memory segment is not writable, or if the current procedure does not have a
high enough privilege level to gain access to the segment, VERW clears ZF
to 0. The VERW instruction does not generate a fault for referring to a
selector that is invalid; however, a fault occurs if the instruction operand
is a memory operand and the operand address is invalid.
Note that this instruction does not check the "present" bit of the descriptor,
nor does it check access at the page protection level (U/S and R/W bits of
page table entries).

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
6  INT 6  #UD()
12  #SS(0)
13  #GP(0)

Example
VERW  WORD PTR [EBP+8]   ; Check selector on stack
JZ    CONTINUE           ; Branch if OK
STC                      ; Set carry flag
LEAVE                    ; And return if selector is invalid
RET
CONTINUE:

WAIT    8086/80186/80286/80386
Wait Until Not Busy ()

Syntax
WAIT

Legal Form

Description
This instruction places the 80386 into an idle state until the BUSY\ pin is
inactive. If the BUSY\ pin is inactive when the instruction executes, no idle
occurs. The BUSY\ pin is usually connected to a numeric coprocessor. You
should execute this instruction before any 80386 instruction that will access
a value stored by the coprocessor.
If both the TS (task switched) bit in register CR0 and the MP (monitor
coprocessor) bit are set, a coprocessor fault occurs. If the ERROR\ pin of the
80386 is active, indicating an unmasked exception on the coprocessor, a math
fault occurs.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
7  #NM()  INT 7  #NM()
16  #MF()  INT 16  #MF()

Example
                   ; Store floating-point result
WAIT               ; Wait for coprocessor to finish
PUSH result        ; Push the result onto the stack
CALL fp_print

XCHG    8086/80186/80286/80386
Exchange (8/16/32)

Syntax
XCHG op1, op2

Operation

Legal Forms
      op1   op2
XCHG  reg,  reg
XCHG  reg,  mem
XCHG  mem,  reg

Description
This instruction swaps the contents of two operands. If either operand is a
memory operand, the bus LOCK\ signal is held active during the read and write
memory

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Examples
XCHG  EAX, ECX         ; Swap EAX and ECX
XCHG  AL, [ESI+10]     ; Exchange AL with memory

XLATB    8086/80186/80286/80386
Translate Byte ()

Syntax
XLATB

Operation
AL ← DS:[EBX+AL]

Legal Form
XLATB

Description
This instruction uses the value of AL as a positive index into a table located
at DS:EBX. It then stores the indexed table byte in AL, replacing the original
value.
You can apply a segment override prefix to XLATB so that the table access
location will be at EBX + AL in the specified segment.

Flags
OF DF IF TF SF ZF AF PF CF

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)
14  #PF(ec)  #PF(ec)

Example
     LEA    EBX, A2E_TAB      ; Load offset of ASCII to EBCDIC table
     LDS    ESI, SRC          ; Load source string pointer
     LES    EDI, DEST_BUFF    ; Load destination string pointer
     CLD                      ; Set DF = 0
L1:  LODSB                    ; Get byte of source string
     CS:                      ; Assume translate table resides in CS
     XLATB                    ; Translate byte
     STOSB                    ; Store resulting character
     OR     AL, AL            ; Test for NUL character
     JNZ    L1                ; Loop if not NUL

XOR    8086/80186/80286/80386
Boolean Exclusive OR (8/16/32)

Syntax

Operation
dest ← dest ^ src

Legal Forms
     dest  src
XOR  reg,  idata
XOR  mem,  idata
XOR  reg,  reg
XOR  reg,  mem
XOR  mem,  reg

Description
This instruction performs a bit-by-bit exclusive OR operation on the src and
dest operands, storing the result in the dest operand. The XOR operation is
defined as follows:
0 ^ 0 = 0
0 ^ 1 = 1
1 ^ 0 = 1
1 ^ 1 = 0

Flags
OF DF IF TF SF ZF AF PF CF
0 0

Faults
PM  RM  V8086
12  #SS(0)
13  #GP(0)  INT 13  #GP(0)

Examples
XOR  AL, 0FFH      ; Change 0s to 1s and vice versa in AL
XOR  EBX, ECX      ; Compute EBX ← EBX ^ ECX

Floating-Point Instruction Set

The floating-point instruction set adds support for arithmetic functions using
real numbers. The 80386 cannot directly execute floating-point instructions.
However, when coupled with the 80387 numeric coprocessor, the instruction set
is extended to include the instructions that are described on the following
pages.

PROCESSORS
Processors that support the instruction.

MNEMONIC
Used by the assembler to represent the instruction.

NAME
Name of instruction.

LEGAL FORMS
Legal forms of the instruction.

DESCRIPTION
Description of the instruction. mem = memory operand.

EXCEPTIONS
An "x" in a box indicates that the specified exception may be generated for
the instruction. A "-" in a box indicates that the specified exception is not
possible. SF = Stack fault. PE = Precision exception. UE = Underflow
exception. OE = Overflow exception. ZE = Zero divide exception. DE = Denormal
exception. IE = Invalid operation exception.

EXAMPLE
Each example shows the 80387 stack before and after execution of the
instruction.

FABS    8087/80287/80387
Absolute Value

Legal Form
FABS  ; if (ST < 0) then ST ← ST * -1

Description
This instruction replaces the original value of the element at the top of
stack with its

Exceptions
SF PE UE OE ZE DE IE

Example

Before           After
ST  -3.71        ST

FABS

FADD    8087/80287/80387
Addition

Legal Forms
FADD                 ; ST(1) ← ST + ST(1); pop();
FADD   mem32         ; ST ← ST + mem32
FADD   mem64         ; ST ← ST + mem64
FADD   ST(n)         ; ST ← ST + ST(n)
FADD   ST, ST(n)     ; ST ← ST + ST(n)
FADD   ST(n), ST     ; ST(n) ← ST(n) + ST
FADDP  ST, ST(n)     ; ST ← ST + ST(n); pop();
FADDP  ST(n), ST     ; ST(n) ← ST(n) + ST; pop();

Description
This instruction adds the specified floating-point operands and optionally
pops the top of stack.
If you specify a memory operand, it is converted to temp real (80-bit) format
before it is added to the top of stack.
If you add a floating-point value to infinity, the result is the original
infinity. If you add two infinities, they must have the same sign, and the
result is the same infinity.

Exceptions
SF PE UE OE ZE DE IE
x x x

Examples

ST     4.66
ST(1)  0.21      ST     4.47
ST(2)  13.00     ST(1)  1300

FADD

ST     4.6       ST     4.6
ST(1)  0.21      ST(1)  0.21
ST(2)  13.00     ST(2)

FADD ST(2), ST

FBLD    8087/80287/80387
BCD Load

Legal Form
FBLD  mem80  ; push(float(mem80))

Description
This instruction converts an 80-bit, 19-digit BCD integer to a temp real and
pushes it onto the stack. If the memory operand is not a valid BCD integer, an
undefined value is pushed onto the stack.

Exceptions
SF PE UE OE ZE DE IE
x

Example

                 ST     17.00
ST  102.04       ST(1)  102.08

FBLD [ESI]
ESI points to 17 BCD.

FBSTP    8087/80287/80387
BCD Store and Pop

Legal Form
FBSTP  mem80  ; mem80 ← BCD(ST); pop();

Description
This instruction rounds the top of stack to an integer, stores it in memory in
BCD format, and then pops the stack.
Unlike most arithmetic operations, FBSTP signals the invalid (I) exception if
either operand is a quiet NaN.

Exceptions
SF PE UE OE ZE DE IE

Example

ST     3.09
ST(1)            ST

FBSTP [0A2FH]

BCD 3 is stored in memory.

FCHS    8087/80287/80387
Change Sign

Legal Form
FCHS  ; ST ← ST * -1

Description
This instruction complements the sign bit of the top of stack.

Exceptions
SF PE UE OE ZE DE IE

Example

ST     -1028.9
ST(1)  5.2001

FCHS

FCLEX    8087/80287/80387
Clear Exceptions

Legal Forms
FCLEX   ; SW ← SW & 07F00H
FNCLEX  ; SW ← SW & 07F00H

Description
This instruction clears the exception flags in the status word and the busy
bit to 0. The FCLEX form of the instruction checks for unmasked exceptions
from previous operations before clearing the status word. The FNCLEX form
clears the SW bits without checking.

Exceptions
SF PE UE OE ZE DE IE

FCOM    8087/80287/80387
Compare

Legal Forms
FCOM             ; compare(ST, ST(1))
FCOM    mem32    ; compare(ST, mem32)
FCOM    mem64    ; compare(ST, mem64)
FCOM    ST(n)    ; compare(ST, ST(n))
FCOMP   mem32    ; compare(ST, mem32)
FCOMP   mem64    ; compare(ST, mem64)
FCOMP   ST(n)    ; compare(ST, ST(n))
FCOMPP           ; compare(ST, ST(1))

Description
This instruction performs the function compare(op1, op2) and sets the 80387
condition code according to the result of the comparison. The 80387 stack is
optionally popped once or twice.
The following table shows the condition code settings that result from the
compare function. FCOM considers +0.0 and -0.0 to be equal.

Condition             C3  C2  C1  C0
op1 > op2             0   0   -   0
op1 < op2             0   0   -   1
op1 = op2             1   0   -   0
either op is a NaN    1   1   -   1

The 80387 condition codes are arranged in the status word so that C3, C2, and
C0 map into the same bit positions as the ZF, PF, and CF bits of the 80386
EFLAGS register. Thus, issuing the following instructions sets the 80386 flags
as if the compare had been performed on the 80386.

FCOM   op          ; Floating-point compare
FSTSW  AX          ; Store status word to AX
SAHF               ; Store AH into flags

You can then use any conditional jump instruction (JE, JNE, JA, JAE, JB, or
JBE) to branch on the result of the compare. You can use JP to test for NaN
operands.
Unlike most arithmetic operations, FCOM signals the invalid (I) exception if
either operand is a quiet NaN.

Exceptions
SF PE UE OE ZE DE IE

Examples

ST     21.0
ST(1)            ST
ST(2)  0.1114    ST

FCOM ST(2)

Before

       -21.0
ST(1)  6.0
ST(2)  0.1114    ST  0.1114

FCOMPP
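
The FCOM / FSTSW AX / SAHF sequence above puts C3, C2 and C0 into ZF, PF and CF, which means a NaN operand sets all three flags at once and JE, JB and JBE are all taken unless JP is tested first. The C model below is an added example, not code from the book; it assumes the 80387 status word layout (C0 = bit 8, C2 = bit 10, C3 = bit 14), loads the SAHF bits as the SAHF Description states, and uses a hypothetical range check with constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* 80387 status word condition-code bits (C1 is not used by the compare). */
#define SW_C0 0x0100u
#define SW_C2 0x0400u
#define SW_C3 0x4000u
/* EFLAGS bits among those SAHF writes (mask 0D5H). */
#define FL_CF 0x01u
#define FL_PF 0x04u
#define FL_ZF 0x40u

/* Constructed NaN, produced at run time so no math library is needed. */
double make_nan(void) { volatile double z = 0.0; return z / z; }

/* FCOM: set C3/C2/C0 from compare(st, op) per the condition code table. */
uint16_t model_fcom(uint16_t sw, double st, double op)
{
    sw &= (uint16_t)~(SW_C3 | SW_C2 | SW_C0);
    if (st != st || op != op)
        sw |= SW_C3 | SW_C2 | SW_C0;     /* either operand is a NaN */
    else if (st < op)
        sw |= SW_C0;
    else if (st == op)
        sw |= SW_C3;                     /* +0.0 and -0.0 compare equal */
    return sw;
}

/* FSTSW AX then SAHF: AH is the high byte of the status word, and SAHF
   loads it into EFLAGS bits 7, 6, 4, 2 and 0. */
uint32_t model_fstsw_sahf(uint32_t eflags, uint16_t sw)
{
    uint32_t ah = ((uint32_t)sw >> 8) & 0xFFu;
    return (eflags & ~0xD5u) | (ah & 0xD5u);
}

int jump_ja(uint32_t f) { return (f & (FL_CF | FL_ZF)) == 0; }
int jump_je(uint32_t f) { return (f & FL_ZF) != 0; }
int jump_jb(uint32_t f) { return (f & FL_CF) != 0; }
int jump_jp(uint32_t f) { return (f & FL_PF) != 0; }

/* Range check coded as "reject if value > limit" with JA alone.
   A NaN sets CF, so JA is not taken and the value is accepted. */
int accept_ja_only(double value, double limit)
{
    uint32_t f = model_fstsw_sahf(0, model_fcom(0, value, limit));
    if (jump_ja(f))
        return 0;
    return 1;
}

/* Same check with the JP test for NaN operands placed first. */
int accept_jp_first(double value, double limit)
{
    uint32_t f = model_fstsw_sahf(0, model_fcom(0, value, limit));
    if (jump_jp(f))
        return 0;                        /* unordered: reject */
    if (jump_ja(f))
        return 0;
    return 1;
}

int main(void)
{
    uint32_t f = model_fstsw_sahf(0, model_fcom(0, make_nan(), 10.0));
    printf("NaN vs 10.0: ZF=%d PF=%d CF=%d\n",
           jump_je(f), jump_jp(f), jump_jb(f));
    printf("JA-only check accepts NaN:  %d\n", accept_ja_only(make_nan(), 10.0));
    printf("JP-first check accepts NaN: %d\n", accept_jp_first(make_nan(), 10.0));
    return 0;
}
```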

FCOS    80387
Cosine

Legal Form
FCOS  ; ST ← cos(ST)

Description
This instruction computes the cosine of the value in radians at the top of
stack and replaces ST with cosine.
The operand processed by FCOS must be a value between ±2^63 or the instruction
does not execute and condition code C2 is set to 1. C2 is cleared to 0 if the
instruction is executed.

Exceptions
SF PE UE OE ZE DE IE
x

Example

Before

ST     0.785399
ST(1)

FDECSTP    8087/80287/80387
Decrement Stack Pointer

Legal Form
FDECSTP  ; TOP ← (TOP - 1) & 07H

Description
This instruction allows you to manipulate the 80387 stack pointer. Issuing
FDECSTP is equivalent to pushing a new value onto the stack, but no value is
supplied. The tag registers are not modified.

Exceptions
SF PE UE OE ZE DE IE

Example

Before           After
                 ST
ST     4.201     ST(1)  8.201
ST(1)  999.9     ST(2)  999.9

FDECSTP

FDIV    8087/80287/80387
Division

Legal Forms
FDIV                 ; ST(1) ← ST(1) / ST; pop();
FDIV   mem32         ; ST ← ST / mem32
FDIV   mem64         ; ST ← ST / mem64
FDIV   ST(n)         ; ST ← ST / ST(n)
FDIV   ST, ST(n)     ; ST ← ST / ST(n)
FDIV   ST(n), ST     ; ST(n) ← ST(n) / ST
FDIVP  ST, ST(n)     ; ST ← ST / ST(n); pop();
FDIVP  ST(n), ST     ; ST(n) ← ST(n) / ST; pop();

Description
This instruction executes a divide operation with the above operands. If you
specify a memory operand, it is converted to temp real (80-bit) format before
the division is performed. A stack pop operation is performed if specified by
the opcode.
Division by infinity results in 0. Infinity divided by a real number results
in infinity. Infinity divided by infinity is not a valid operation.

Exceptions
SF PE UE OE ZE DE IE
x x

Examples

ST     4.0
ST(1)  0.4
ST(2)  5.0

FDIV

ST     4.0       ST     4.0
ST(1)  0.4       ST(1)  0.4
ST(2)            ST(2)  t.2,

FDIV ST(2), ST

FDIVR 8087/80287/80387
Division Reversed

Legal Forms
FDIVR             ; ST(1) ← ST / ST(1); pop();
FDIVR  mem32      ; ST ← mem32 / ST
FDIVR  mem64      ; ST ← mem64 / ST
FDIVR  ST(n)      ; ST ← ST(n) / ST
FDIVR  ST, ST(n)  ; ST ← ST(n) / ST
FDIVR  ST(n), ST  ; ST(n) ← ST / ST(n)
FDIVRP ST, ST(n)  ; ST ← ST(n) / ST; pop();
FDIVRP ST(n), ST  ; ST(n) ← ST / ST(n); pop();

Description
This instruction executes a divide operation with the above operands. This
instruction is equivalent to FDIV, but the divisor and dividend operands are exchanged. If
you specify a memory operand, it is converted to temp real (80-bit) format before
the division is performed. A stack pop operation is performed if specified by the
opcode.
Division by infinity results in 0. Infinity divided by a real number results in infinity.
Infinity divided by infinity is not a valid operation.

Exceptions
SF PE UE OE ZE DE IE
x x

Examples

ST 4.0
ST(1) 0.4 ST 10.0
ST(2) 50 ST(1)

FDIVR

ST 4.0 ST 4.0
ST(1) 0.4 ST(1) 0.4
ST(2) ST(2) 0.8

FDIVR ST(2), ST

FFREE 8087/80287/80387
Free NDP Register

Legal Form
FFREE ST(n) ; TW(n) ← UNUSED

Description
This instruction marks the specified stack element as unused by setting the tag
word for the corresponding 80387 register. The stack pointer is not modified, nor is
the actual content of the NDP register.

Exceptions
SF PE UE OE ZE DE IE

Example

ST 190000.3 ST 190000.3
ST(1) ST(1)
ST(2) 0.001 ST(2) 0.001

FFREE ST(1)

FIADD 8087/80287/80387
Integer Addition

Legal Forms
FIADD mem16 ; ST ← ST + float(mem16)
FIADD mem32 ; ST ← ST + float(mem32)

Description
This instruction converts the two's complement integer at the specified address to
temp real format and adds it to the top of stack. Other than the difference in
operand type, this instruction is equivalent to FADD.

Exceptions
SF PE UE OE ZE DE IE

Example

Before

t7,6 ST
ST(1) 0.333 ST(1) 0.333

FIADD WORD PTR [ECX]

ECX points to integer -2.

FICOM 8087/80287/80387
Integer Compare

Legal Forms
FICOM  mem16 ; compare(ST, mem16)
FICOM  mem32 ; compare(ST, mem32)
FICOMP mem16 ; compare(ST, mem16); pop();
FICOMP mem32 ; compare(ST, mem32); pop();

Description
The two's complement integer is converted to temp real format and compared with
the top of stack. If the opcode is FICOMP, the stack is popped after the comparison.
The condition codes are set in the same manner as those for FCOM.

Exceptions
SF PE UE OE ZE DE IE
x

Example

Before

ST 6.0
ST(1) 13792.29731 ST t37922973r

tIcoMPwoRDPTRlorc6tl

Memory pointer is integer 6.

FIDIV 8087/80287/80387
Integer Division

Legal Forms
FIDIV mem16 ; ST ← ST / real(mem16)
FIDIV mem32 ; ST ← ST / real(mem32)

Description
This instruction fetches the two's complement integer from memory, converts it to
temp real format, and uses it as a divisor of the top of stack. The results generated
by this instruction are the same as those generated by the FDIV instruction.

Exceptions
SF PE UE OE ZE DE IE
x

Example

ST 1.0 ST -0.25
ST(1) 2.2 ST(1) 2.2

FIDIV DWORD PTR [EBP+16]

Memory pointer is integer -4.

FIDIVR 8087/80287/80387
Integer Division Reversed

Legal Forms
FIDIVR mem16 ; ST ← real(mem16) / ST
FIDIVR mem32 ; ST ← real(mem32) / ST

Description
This instruction converts the two's complement integer at the specified memory
location to temp real format and divides it by the top of stack. The results generated
by this instruction are the same as those generated by the FDIVR instruction.

Exceptions
SF PE UE OE ZE DE IE
x

Example

Before

-4.0
ST(1) 2.2

FIDIVR DWORD PTR [EBP+16]
Memory pointer is integer -4.

FILD 8087/80287/80387
Integer Load

Legal Forms
FILD mem16 ; push(float(mem16))
FILD mem32 ; push(float(mem32))
FILD mem64 ; push(float(mem64))

Description
This instruction converts a two's complement integer to temp real format and
pushes the value onto the 80387 stack.

Exceptions
SF PE UE OE ZE DE IE

Example

Before

666.0
ST 1.2@ ST(1) 1 209

FILD QWORD PTR [EAX]

Memory pointer is integer 666.

FIMUL 8087/80287/80387
Integer Multiplication

Legal Forms
FIMUL mem16 ; ST ← ST * real(mem16)
FIMUL mem32 ; ST ← ST * real(mem32)

Description
This instruction converts the two's complement integer at the specified memory
location to temp real format and multiplies it by the top of stack. The results of this
instruction are identical to those obtained by FMUL.

Exceptions
SF PE UE OE ZE DE IE

Example

Before

ST 0.16
't7.9
ST(1)

FIMUL WORD PTR [ESI+EAX]

Memory pointer is integer -4.

FINCSTP 8087/80287/80387
Increment Stack Pointer

Legal Form
FINCSTP ; TOP ← (TOP + 1) & 07H

Description
This instruction increments the TOP field in the 80387 status word. The contents of
the 80387 register previously at the top of stack and the register's associated tag
word are not affected.

Exceptions
SF PE UE OE ZE DE IE

Example

ST 72 32
ST(1)

FINIT 8087/80287/80387
Initialize NDP

Legal Forms
FINIT  ; CW ← 037FH; TW ← 0FFFFH;
       ; SW ← SW & 4700H;
FNINIT ; CW ← 037FH; SW ← SW & 4700H; TW ← 0FFFFH

Description
This instruction sets the 80387 machine state to its default value. All registers are
marked unused, all exceptions are masked, rounding control is set to nearest, and
the operating mode is set to double-precision.
The FINIT instruction tests for any unmasked exception in the 80387 before
clearing the NDP state, unlike FNINIT, which does not. Consequently, the first
floating-point instruction of an application should be FNINIT.

Exceptions
SF PE UE OE ZE DE IE

FIST 8087/80287/80387
Integer Store

Legal Forms
FIST  mem16 ; mem16 ← int(ST)
FIST  mem32 ; mem32 ← int(ST)
FISTP mem16 ; mem16 ← int(ST); pop();
FISTP mem32 ; mem32 ← int(ST); pop();
FISTP mem64 ; mem64 ← int(ST); pop();

Description
This instruction rounds the current top of stack to an integer according to the
control bits and stores the value in the specified operand. If the opcode is FISTP, the
stack is popped after the store operation. Note that the sign of a floating-point 0 is
lost upon conversion to the two's complement integer format.
Two differences exist between FIST and FISTP. The FISTP instruction, which pops
the stack after the store operation, can store a 64-bit integer; FIST cannot. The FIST
instruction generates an invalid operation exception if the top of stack is a quiet
NaN; FISTP does not.

Exceptions
SF PE UE OE ZE DE IE
x x

Example

ST 32.1 ST 32.1
ST(1) 456.78 ST(1) 456.78

FIST DWORD PTR [EBP+42]
Integer 32 stored into memory.

FISUB 8087/80287/80387
Integer Subtraction

Legal Forms
FISUB mem16 ; ST ← ST - real(mem16)
FISUB mem32 ; ST ← ST - real(mem32)

Description
This instruction converts the two's complement integer at the specified memory
location to temp real format and subtracts it from the top of stack. The results of this
instruction are identical to those obtained by FSUB.

Exceptions
SF PE UE OE ZE DE IE
x

Example

Before

ST 36.99 ST 33.99
ST(1) 0.0 ST(1) 0.0

FISUB WORD PTR [A72H]

Memory pointer is integer 3.

FISUBR 8087/80287/80387
Integer Subtraction Reversed

Legal Forms
FISUBR mem16 ; ST ← real(mem16) - ST
FISUBR mem32 ; ST ← real(mem32) - ST

Description
This instruction converts the two's complement integer at the specified memory
location to temp real format and subtracts the top of stack from it. The results of this
instruction are identical to those obtained by FSUBR.

Exceptions
SF PE UE OE ZE DE IE
x

Example

Before

ST 36.99 ST -33.99
ST(1) 0.5 ST(1) 0.6

FISUBR WORD PTR [A72H]
Memory pointer is integer 3.

FLD 8087/80287/80387
Load Real

Legal Forms
FLD mem32 ; push(mem32)
FLD mem64 ; push(mem64)
FLD mem80 ; push(mem80)
FLD ST(n) ; push(ST(n))

Description
This instruction pushes a copy of the specified operand onto the 80387 stack. If you
specify a 32-bit or 64-bit floating-point memory operand, it is converted to temp
real format before being stored.
If the operand is a single- or double-precision value, the 80387 might generate a
denormal exception. A denormal exception is not generated by a value already in
temp real format.

Exceptions
SF PE UE OE ZE DE IE
x

Example

ST
ST t9a62.o ST(1) t9362.0
ST(1) 7.11 ST(2) 7.11

FLD DWORD PTR [EDI]

Memory pointer is short real 6.1.

FLDconst 8087/80287/80387
Load Constant

Legal Forms
FLD1   ; push(1.0)
FLDL2E ; push(log2(e))
FLDL2T ; push(log2(10))
FLDLG2 ; push(log10(2))
FLDLN2 ; push(ln(2))
FLDPI  ; push(PI)
FLDZ   ; push(+0.0)

Description
This instruction pushes the constant value specified by the opcode onto the stack.
The function ln stands for log base e.

Exceptions
SF PE UE OE ZE DE IE

Example

ST 3.14159...
ST 4.0 ST(1)

FLDPI

FLDCW 8087/80287/80387
Load Control Word

Legal Form
FLDCW mem16 ; CW ← mem16

Description
This instruction loads a new value for the control word from memory. FLDCW can
unmask previously masked exceptions, triggering an unmasked exception.

Exceptions
SF PE UE OE ZE DE IE
x

FLDENV 8087/80287/80387
Load Environment

Legal Form
FLDENV memp ; NDP ← memp

Description
This instruction loads the 28-byte block pointed to by memp into the environment
registers of the 80387. The memory operand contains a new control word, status
word, tag word, and error block. The memory format for the environment is shown
in Figure 8-1.

[Figure 8-1. 80387 environment: 32-bit format and 16-bit format, by byte offset.
Legible labels in the 32-bit format: Error offset (EIP) at byte offset 12 and
Error selector (CS) at byte offset 16.]

Loading a new status word and control word can cause an unmasked exception.

Exceptions
SF PE UE OE ZE DE IE

FMUL 8087/80287/80387
Multiplication

Legal Forms
FMUL             ; ST(1) ← ST(1) * ST; pop();
FMUL  mem32      ; ST ← ST * mem32
FMUL  mem64      ; ST ← ST * mem64
FMUL  ST(n)      ; ST ← ST * ST(n)
FMUL  ST, ST(n)  ; ST ← ST * ST(n)
FMUL  ST(n), ST  ; ST(n) ← ST(n) * ST
FMULP ST, ST(n)  ; ST ← ST * ST(n); pop();
FMULP ST(n), ST  ; ST(n) ← ST(n) * ST; pop();

Description
This instruction multiplies the specified operands and stores them as indicated
above. If you specify 32-bit or 64-bit memory operands, they are converted to temp
real format before the multiplication takes place. If the opcode specifies, the stack is
popped after the operation.
Multiplying any value other than 0 by infinity results in infinity. Multiplying 0 by
infinity is an invalid operation.

Exceptions
SF PE UE OE ZE DE IE

Examples

ST 2.0
ST(1) 0.01 ST 0.02
ST(2) 7.6 ST(1) 7.6

FMUL

ST 2.0 ST 0.02
ST(1) 0.01 ST(1) 0.01
ST(2) ST(2)

FMUL ST(1)

FNOP 8087/80287/80387
No Operation

Legal Form
FNOP

Description
FNOP is an alias for the FST ST, ST instruction. It does nothing.

Exceptions
SF PE UE OE ZE DE IE

Example

Before

ST 3.3 ST 3.3
ST(1) 19.6 ST(1) 19.6

FNOP

FPATAN 8087/80287/80387
Partial Arctangent

Legal Form
FPATAN ; ST(1) ← atan(ST(1) / ST); pop();

Description
This instruction computes the arctangent in radians of ST(1) / ST. The mnemonic
"partial arctangent" is inherited from earlier NDPs, which placed restrictions on the
values of ST and ST(1). These values are not restricted on the 80387.

Exceptions
SF PE UE OE ZE DE IE

Example

ST 2.0 0.4616...
ST(1) 1.0 ST(1) 1.0

FPATAN

FPREM 8087/80287/80387
Partial Remainder

Legal Form
FPREM ; ST ← remainder(ST / ST(1))

Description
This instruction uses repeated subtractions to compute the remainder of ST divided
by ST(1). Because this operation could require a large number of iterations (during
which time the NDP would be inaccessible), the 80387 halts after producing a
partial remainder. The 80387 reduces the value in ST by a factor of up to 2^64 in a single
iteration.
If the remainder is a partial value (that is, the operation does not complete), the C2
status bit is set to 1. If the remainder is less than the value of ST(1), the operation is
complete and bit C2 is cleared to 0. By testing the value of C2, the FPREM
instruction may be executed repeatedly until the remainder operation yields an exact
result. Additionally, when the instruction is complete (C2 = 0), the three least
significant bits of the quotient of ST / ST(1) can be computed by the following formula:

Q = C0 x 4 + C3 x 2 + C1
where C0, C1, and C3 are the remaining status bits.
The FPREM instruction reduces operands for the transcendental functions of the
80387 to legal values. For example, the operand to F2XM1 must be -1 < ST < 1.
FPREM produces an exact result, and the precision control and rounding control bits
are ignored during execution.
The FPREM1 instruction produces the IEEE-754 standard partial remainder value,
which may be different from FPREM when there are two integers equally close to
ST / ST(1). FPREM rounds toward 0, and FPREM1 chooses the even value.

Exceptions
SF PE UE OE ZE DE IE

Example

ST 6 ST 2
ST(1) 4 ST(1) 4

FPREM
C2 = 0

FPREM1 80387
IEEE Partial Remainder

Legal Form
FPREM1 ; ST ← remainder(ST / ST(1))

Description
This instruction uses repeated subtractions to compute the remainder of ST divided
by ST(1). Because this operation could require a large number of iterations (during
which time the NDP would be inaccessible), the 80387 halts after producing a
partial remainder. The 80387 will reduce the value in ST by a factor of up to 2^64 in a
single iteration.
If the remainder is a partial value (that is, the operation is not complete), the C2
status bit is set to 1. If the remainder is less than the value of ST(1), the operation is
complete and bit C2 is cleared to 0. By testing the value of C2, the FPREM1
instruction may be executed repeatedly until the remainder operations yield an exact
result. Additionally, when the instruction is complete (C2 = 0), the three least
significant bits of the quotient of ST / ST(1) can be computed by the following formula:
Q = C0 x 4 + C3 x 2 + C1
where C0, C1, and C3 are the remaining status bits.
The FPREM1 instruction reduces operands for the transcendental functions of the
80387 to legal values. For example, the operand to F2XM1 must be -1 < ST < 1.
FPREM1 always produces an exact result, and the precision control and rounding
control bits are ignored during execution.
The FPREM1 instruction produces the IEEE-754 standard partial remainder value,
which may be different from FPREM when there are two integers equally close to
ST / ST(1). FPREM always rounds toward 0, and FPREM1 always chooses the even
value.

Exceptions
SF PE UE OE ZE DE IE

Example
Before

ST 6.0 ST 2.0
ST(1) 4.0 ST(1) 4.0

FPREM1 C2 = 0

FPTAN 8087/80287/80387
Partial Tangent

Legal Form
FPTAN ; ST ← tan(ST); push(1.0);

Description
This instruction computes the tangent of the top of stack and arranges the NDP
stack such that:

ST(1) / ST = tan (original ST)

The denominator is always 1.0 after the FPTAN instruction.

The operand value must be a positive number that is expressed in radians less than
PI x 2^62, or no operation takes place and the C2 condition code bit is set to 1. If the
input operand is legal, C2 is cleared to 0.

Exceptions
SF PE UE OE ZE DE IE
x x

Example

Before

ST 1.0
ST 0.78549... ST(1) 1.0
ST(1) b.2 ST(2)

FPTAN

FRNDINT 8087/80287/80387
Round to Integer

Legal Form
FRNDINT ; ST ← int(ST)

Description
This instruction rounds the value at the top of stack to an integer based on the
settings of the round control (RC) field in the control word. See Chapter 2 for a
discussion of the 80387 rounding modes.

Exceptions
SF PE UE OE ZE DE IE
x

Example

ST 1.06 ST 1.0
ST(1) 60.1 ST(1) 60.1

FRNDINT

FRSTOR 8087/80287/80387
Restore NDP State

Legal Form
FRSTOR memp

Description
This instruction loads the entire 80387 processor state from the 108-byte block of
data beginning at memp. Use the FSAVE instruction to store the NDP state. Figure
8-2 shows the format of the state block.

[Figure 8-2. 80387 machine state: 16-bit format (real and V86 modes) and 32-bit
format, showing the environment fields followed by registers ST(0) through ST(7),
by byte offset.]

New unmasked exceptions might be triggered because a new status word and
control word are loaded.

Exceptions
SF PE UE OE ZE DE IE

FSAVE 8087/80287/80387
Save NDP State

Legal Forms
FSAVE  memp ; memp ← NDP
FNSAVE memp ; memp ← NDP

Description
This instruction stores the complete processor state of the 80387 in memory
beginning at location memp. Figure 8-3 shows the format of the state block.

[Figure 8-3. 80387 machine state: 16-bit format (real and V86 modes) and 32-bit
format, showing the environment fields followed by registers ST(0) through ST(7),
by byte offset.]

After the FSAVE is completed, the NDP state is set to the initialized state, as if an
FNINIT instruction had been executed.
The FSAVE form of the instruction tests for any unmasked exceptions before
executing the save, while FNSAVE does not. If you use FNSAVE, pending exceptions are
reinstated when the state block is loaded by an FRSTOR instruction. FSAVE is not
executed until previous floating-point instructions complete.

Exceptions
SF PE UE OE ZE DE IE

FSCALE 8087/80287/80387
Scale by 2^n

Legal Form
FSCALE ; ST ← ST * 2^int(ST(1))

Description
This instruction scales the top of stack value by the power of 2 in ST(1). If the value
in ST(1) is not an integer, it is "chopped" before being used as an exponent.
Chopping generates the nearest integer smaller than the original value.
The 80387 does not perform a multiply operation, but it uses the identity
(x × 2^n) × (1.0 × 2^m) = x × 2^(n+m) and adds the integral portion of ST(1) to the
exponent of ST.

Exceptions
SF PE UE OE ZE DE IE
x x x

Example

Before

ST 1.0 ST
ST(1) 3.01 ST
ST(2) 92.6 ST

FSCALE

FSETPM 80287/80387
Set Protected Mode

Legal Form
FSETPM

Description
This instruction performs no operation on the 80387. It is required on the 80287 to
signal that the CPU is entering protected mode and is supported for compatibility
only.

Exceptions
SF PE UE OE ZE DE IE

FSIN 80387
Sine

Legal Form
FSIN ; ST ← sin(ST)

Description
This instruction computes the sine of the top of stack and stores the result in ST.
The value in ST is assumed to be in radians.
The input operand to FSIN must be a value such that |ST| < 2^63, or no operation
takes place and the C2 condition code is set to 1. If the operand is a legal value, C2 is
cleared to 0.

Exceptions
SF PE UE OE ZE DE IE

Example

ST 3.14159.. ST 0.0
ST(1) 88.6 ST(1) 88.6

FSIN

FSINCOS 80387
Sine and Cosine

Legal Form
FSINCOS ; temp ← ST; ST ← sin(temp);
        ; push(cos(temp))

Description
This instruction computes both the sine and cosine of the top of stack, although the
values might be less precise than those generated by FSIN and FCOS. The value in
ST is assumed to be in radians.
The input operand to FSINCOS must be a value such that |ST| < 2^63, or no
operation takes place and the C2 condition code is set to 1. If the operand is a legal value,
C2 is cleared to 0, the top of stack is the cosine value, and ST(1) contains the sine.

Exceptions
SF PE UE OE ZE DE IE
x

Example

Before

ST -1.0
ST 3.14159... ST(1) 0.0
ST(1) 88.6 ST(2) 88.6

FSINCOS

FSQRT 8087/80287/80387
Square Root

Legal Form
FSQRT ; ST ← sqrt(ST)

Description
This instruction replaces the top of stack with the square root of the original value.
Taking the square root of a negative value results in an invalid operation, except
that the square root of negative zero (-0.0) is defined as -0.0. The square root of
infinity (positive) is defined to be infinity.

Exceptions
SF PE UE OE ZE DE IE

Example

Before

FST 8087/80287/80387
Store Floating Point

Legal Forms
FST  mem32 ; mem32 ← ST
FST  mem64 ; mem64 ← ST
FST  ST(n) ; ST(n) ← ST
FSTP mem32 ; mem32 ← ST; pop();
FSTP mem64 ; mem64 ← ST; pop();
FSTP mem80 ; mem80 ← ST; pop();
FSTP ST(n) ; ST(n) ← ST; pop();

Description
This instruction stores the top of stack in the designated destination. If the opcode
is FSTP, the stack top is popped (discarded) after the store operation. If the
destination is a 32-bit or 64-bit real memory operand, the top of stack is rounded according
to the rounding control (RC) bits of the control word.
Note that the FSTP form of this instruction can store a temp real (80-bit) value, while
the FST form cannot.

Exceptions
SF PE UE OE ZE DE IE

Example

Before

ST 69.0
ST(1) 98.6

FST QWORD PTR [ESI]

Memory pointer is long real 69.0.

FSTCW 8087/80287/80387
Store Control Word

Legal Forms
FSTCW  mem16 ; mem16 ← CW
FNSTCW mem16 ; mem16 ← CW

Description
This instruction stores the contents of the control word (CW) register in memory.
The FSTCW form of the instruction checks for unmasked exceptions before the
control word is stored, while FNSTCW does not.

Exceptions
SF PE UE OE ZE DE IE

FSTENV 8087/80287/80387
Store Environment

Legal Forms
FSTENV  memp ; memp ← env(NDP)
FNSTENV memp ; memp ← env(NDP)

Description
This instruction stores the contents of the 80387 environment registers (CW, SW,
TW, and error pointers) in memory beginning at memp. Figure 8-4 outlines the
format of the 28-byte environment block.

[Figure 8-4. 80387 environment: 32-bit format and 16-bit format, by byte offset.
Legible labels in the 32-bit format: Error offset (EIP) at byte offset 12 and
Error selector (CS) at byte offset 16.]

The FSTENV form of the instruction checks for unmasked exceptions before the
environment is stored, while FNSTENV does not. If unmasked exceptions are
pending before FNSTENV is executed, they are reactivated if the environment block is
loaded with FLDENV.
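The 28-byte block that FSTENV writes and FLDENV reads can be decoded as shown below, which also models how FDECSTP and FINCSTP move TOP without touching the tag word and why a newly loaded control word can expose a pending exception. This is an added example, not code from the book; it assumes the 32-bit protected-mode layout from Intel's 80387 documentation, and the struct, the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ENV32_SIZE = 28 };
/* Tag word encoding: two bits per physical register. */
enum x87_tag { TAG_VALID = 0, TAG_ZERO = 1, TAG_SPECIAL = 2, TAG_EMPTY = 3 };

struct env387 {
    uint16_t cw, sw, tw;        /* low words at byte offsets 0, 4, 8    */
    uint32_t err_offset;        /* error offset (EIP), byte offset 12   */
    uint16_t err_selector;      /* error selector (CS), byte offset 16  */
    uint16_t opcode;            /* 11 opcode bits, byte offset 18       */
    uint32_t operand_offset;    /* byte offset 20                       */
    uint16_t operand_selector;  /* byte offset 24                       */
};

/* Constructed sample image (not captured from hardware): two values pushed. */
static const uint8_t SAMPLE_ENV[ENV32_SIZE] = {
    0x7F, 0x03, 0x00, 0x00,     /* CW = 037FH, the FINIT default            */
    0x04, 0x30, 0x00, 0x00,     /* SW = 3004H: TOP = 6, ZE flag pending     */
    0xFF, 0x0F, 0x00, 0x00,     /* TW = 0FFFH: registers 6 and 7 valid      */
    0x00, 0x10, 0x40, 0x00,     /* error offset (EIP) = 00401000H           */
    0x1B, 0x00, 0x00, 0x00,     /* error selector (CS) = 001BH, opcode 0    */
    0x00, 0x20, 0x40, 0x00,     /* operand offset = 00402000H               */
    0x23, 0x00, 0x00, 0x00      /* operand selector = 0023H                 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a 32-bit-format environment image. Returns 0, or -1 on bad input. */
static int parse_env32(const uint8_t *buf, size_t len, struct env387 *e)
{
    if (buf == NULL || e == NULL || len < ENV32_SIZE)
        return -1;
    e->cw = rd16(buf + 0);
    e->sw = rd16(buf + 4);
    e->tw = rd16(buf + 8);
    e->err_offset = rd32(buf + 12);
    e->err_selector = rd16(buf + 16);
    e->opcode = (uint16_t)(rd16(buf + 18) & 0x07FF);
    e->operand_offset = rd32(buf + 20);
    e->operand_selector = rd16(buf + 24);
    return 0;
}

/* TOP is bits 13..11 of the status word. */
static unsigned env_top(const struct env387 *e) { return ((unsigned)e->sw >> 11) & 7u; }

/* ST(i) is physical register (TOP + i) & 7; its tag is two bits of TW. */
static enum x87_tag tag_of_st(const struct env387 *e, unsigned i)
{
    unsigned phys = (env_top(e) + i) & 7u;
    return (enum x87_tag)(((unsigned)e->tw >> (2u * phys)) & 3u);
}

/* Exception flags (SW bits 5..0) whose mask bit in CW is clear. */
static unsigned pending_unmasked(const struct env387 *e)
{
    return (unsigned)e->sw & ~(unsigned)e->cw & 0x3Fu;
}

/* FDECSTP / FINCSTP: TOP <- (TOP -/+ 1) & 07H, nothing else changes. */
static uint16_t set_top(uint16_t sw, unsigned top)
{
    return (uint16_t)((sw & ~0x3800u) | ((top & 7u) << 11));
}
static uint16_t fdecstp(uint16_t sw) { return set_top(sw, (((unsigned)sw >> 11) + 7u) & 7u); }
static uint16_t fincstp(uint16_t sw) { return set_top(sw, (((unsigned)sw >> 11) + 1u) & 7u); }

int main(void)
{
    struct env387 e;
    unsigned i;

    if (parse_env32(SAMPLE_ENV, sizeof SAMPLE_ENV, &e) != 0)
        return 1;
    printf("CW=%04Xh SW=%04Xh TW=%04Xh TOP=%u\n",
           (unsigned)e.cw, (unsigned)e.sw, (unsigned)e.tw, env_top(&e));
    for (i = 0; i < 8; i++)
        printf("ST(%u) tag=%d\n", i, (int)tag_of_st(&e, i));
    printf("unmasked pending: %02Xh\n", pending_unmasked(&e));
    e.cw = 0x037B;              /* ZE mask bit cleared, as a new CW could do */
    printf("after unmasking ZE: %02Xh\n", pending_unmasked(&e));
    e.sw = fdecstp(e.sw);       /* ST(0) now names an empty register */
    printf("after FDECSTP: TOP=%u ST(0) tag=%d\n", env_top(&e), (int)tag_of_st(&e, 0));
    return 0;
}
```

After FDECSTP the new ST(0) is tagged empty, which is the "push with no value supplied" behavior described for that instruction.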

Exceptions
SF PE UE OE ZE DE IE

FSTSW 8087/80287/80387
Store Status Word

Legal Forms
FSTSW  AX    ; AX ← SW
FSTSW  mem16 ; mem16 ← SW
FNSTSW AX    ; AX ← SW
FNSTSW mem16 ; mem16 ← SW

Description
This instruction stores the contents of the 80387 status word in memory or in the
AX register of the 80386. The FSTSW form of the instruction checks for unmasked
exceptions before the control word is stored, while FNSTSW does not.

Exceptions
SF PE UE OE ZE DE IE

FSUB 8087/80287/80387
Subtraction

Legal Forms
FSUB             ; ST(1) ← ST - ST(1); pop();
FSUB  mem32      ; ST ← ST - mem32
FSUB  mem64      ; ST ← ST - mem64
FSUB  ST(n)      ; ST ← ST - ST(n)
FSUB  ST, ST(n)  ; ST ← ST - ST(n)
FSUB  ST(n), ST  ; ST(n) ← ST(n) - ST
FSUBP ST, ST(n)  ; ST ← ST - ST(n); pop();
FSUBP ST(n), ST  ; ST(n) ← ST(n) - ST; pop();

Description
This instruction subtracts the specified operands and stores the result on the 80387
stack as shown above. Optionally, the top of stack is also popped.
If you specify a 32-bit or 64-bit real memory operand, it is converted to temp real
format before it is subtracted from ST.
If any real value is subtracted from infinity or infinity is subtracted from any real
value, the result is infinity. Subtracting two infinities of the same sign is an invalid
operation.

Exceptions
SF PE UE OE ZE DE IE

Examples

ST 9.81
ST(1) 6.1 ST 1.51
ST(2) 72.0 ST(1) 72.0

FSUB

ST 9.81 ST 7.61
ST(1) 6.3 ST(1)
ST(2) 72.0 ST(2) 72.0

FSUB DWORD PTR [ESI+4]
Memory pointer is short real 2.2.

FSUBR 8087/80287/80387
Subtraction Reversed

Legal Forms
FSUBR             ; ST(1) ← ST(1) - ST; pop();
FSUBR  mem32      ; ST ← mem32 - ST
FSUBR  mem64      ; ST ← mem64 - ST
FSUBR  ST(n)      ; ST ← ST(n) - ST
FSUBR  ST, ST(n)  ; ST ← ST(n) - ST
FSUBR  ST(n), ST  ; ST(n) ← ST - ST(n)
FSUBRP ST, ST(n)  ; ST ← ST(n) - ST; pop();
FSUBRP ST(n), ST  ; ST(n) ← ST - ST(n); pop();

Description
This instruction subtracts the specified operands and stores the result on the 80387
stack as shown above. This instruction is equivalent to FSUB except that the
subtrahend and minuend are exchanged. Optionally, the top of stack is also
popped.
If you specify a 32-bit or 64-bit real memory operand, it is converted to temp real
format before it is subtracted from ST.
If any real value is subtracted from infinity or infinity is subtracted from any real
value, the result is infinity. Subtracting two infinities of the same sign is an invalid
operation.

Exceptions
SF PE UE OE ZE DE IE
x x

Examples

ST 9.81
ST(1) 6.3 ST -3.t1
ST(2) 72.4 ST(1) 72.0

FSUBR

ST 9.81 ST 7.61
ST(1) 6.3 ST(1) 6.3
ST(2) 72.0 ST(2) 72.0

FSUB DWORD PTR [ESI+4]
Memory pointer is short real 2.2.

FTST 8087/80287/80387
Test for Zero

Legal Form
FTST ; compare(ST, 0.0)

Description
This instruction compares the top of stack with 0.0 and sets the 80387 condition
codes according to the results of the comparison.
The following table shows the condition code settings that result from the
comparison function. FTST considers +0.0 and -0.0 to be equal.

Condition     C3  C2  C1  C0
ST > 0.0      0   0   -   0
ST < 0.0      0   0   -   1
ST = 0.0      1   0   -   0
ST is a NaN   1   1   -   1

The 80387 condition codes are arranged in the status word so that C3, C2, and C0
map into the same bit positions as the ZF, PF, and CF bits of the 80386 EFLAGS
register. Thus, issuing the following instructions sets the 80386 flags as if the
comparison had been performed on the 80386:

FTST            ; Floating-point compare
FSTSW AX        ; Store status word to AX
SAHF            ; Store AH into flags
You can then use any conditional jump instruction (JE, JNE, JA, JAE, JB, or JBE) to
branch on the result of the comparison. Use JP to test whether ST is a NaN.
Unlike most arithmetic operations, FTST will signal the Invalid (IE) exception if ST
is a quiet NaN.

Exceptions
SF PE UE OE ZE DE IE

Example

ST -37.37 ST
ST(1) 1.0 ST(1) 1.0

FTST

FUCOM 80387
Unordered Compare

Legal Forms
FUCOM          ; compare(ST, ST(1))
FUCOM  mem32   ; compare(ST, mem32)
FUCOM  mem64   ; compare(ST, mem64)
FUCOM  ST(n)   ; compare(ST, ST(n))
FUCOMP         ; compare(ST, ST(1)); pop();
FUCOMP mem32   ; compare(ST, mem32); pop();
FUCOMP mem64   ; compare(ST, mem64); pop();
FUCOMP ST(n)   ; compare(ST, ST(n)); pop();
FUCOMPP        ; compare(ST, ST(1)); pop(); pop();

Description
This instruction is identical to FCOM except that no exceptions are signaled if either
operand in the compare function is a quiet NaN (the comparison is unordered).
FUCOM executes the function compare(op1, op2) and sets the 80387 condition
code according to the results of the comparison. The 80387 stack is optionally
popped once or twice.
The following table shows the condition code settings that result from the compare
function. FUCOM considers +0.0 and -0.0 to be equal.

Condition     C3  C2  C1  C0
op1 > op2     0   0   -   0
op1 < op2     0   0   -   1
op1 = op2     1   0   -   0
Unordered     1   1   -   1

The 80387 condition codes are arranged in the status word so that C3, C2, and C0
map into the same bit positions as the ZF, PF, and CF bits of the 80386 EFLAGS
register. Thus, the following instructions set the 80386 flags as if the comparison
had been performed on the 80386:

FUCOM op        ; Floating-point compare
FSTSW AX        ; Store status word to AX
SAHF            ; Store AH into flags
You can then use any conditional jump instruction (JE, JNE, JA, JAE, JB, or JBE) to
branch on the result of the comparison. Use JP to test for unordered comparison.
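The FSTSW AX / SAHF sequence described for FCOM, FTST and FUCOM, and the quotient formula given for FPREM and FPREM1, can both be modeled by decoding the status word directly. This is an added example, not code from the book; the function names and the sample status words are constructed, and the bit positions used (C0 = bit 8, C1 = bit 9, C2 = bit 10, C3 = bit 14) are those of the 80387 status word.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Condition-code bits of the 80387 status word as stored by FSTSW AX. */
#define SW_C0 0x0100u
#define SW_C1 0x0200u
#define SW_C2 0x0400u
#define SW_C3 0x4000u

/* 80386 flag bits that SAHF loads from AH. */
#define FL_CF 0x01u
#define FL_PF 0x04u
#define FL_ZF 0x40u

enum fcmp { FCMP_GT, FCMP_LT, FCMP_EQ, FCMP_UNORDERED, FCMP_UNDEFINED };

/* FSTSW AX leaves status word bits 15..8 in AH; SAHF copies AH into the
   low flags byte. Only CF, PF and ZF are kept, as in the text. */
static unsigned flags_after_sahf(uint16_t sw)
{
    unsigned ah = (unsigned)sw >> 8;
    return ah & (FL_CF | FL_PF | FL_ZF);
}

/* Decode the compare table (C3, C2, C0) through the flags it maps onto. */
static enum fcmp classify_compare(uint16_t sw)
{
    unsigned f = flags_after_sahf(sw);
    int zf = (f & FL_ZF) != 0, pf = (f & FL_PF) != 0, cf = (f & FL_CF) != 0;

    if (pf)
        return (zf && cf) ? FCMP_UNORDERED : FCMP_UNDEFINED;
    if (zf)
        return cf ? FCMP_UNDEFINED : FCMP_EQ;
    return cf ? FCMP_LT : FCMP_GT;
}

/* Is the named conditional jump taken with these flags? -1 if not listed. */
static int jcc_taken(const char *mnemonic, unsigned f)
{
    int zf = (f & FL_ZF) != 0, pf = (f & FL_PF) != 0, cf = (f & FL_CF) != 0;

    if (strcmp(mnemonic, "JE") == 0)  return zf;
    if (strcmp(mnemonic, "JNE") == 0) return !zf;
    if (strcmp(mnemonic, "JA") == 0)  return !cf && !zf;
    if (strcmp(mnemonic, "JAE") == 0) return !cf;
    if (strcmp(mnemonic, "JB") == 0)  return cf;
    if (strcmp(mnemonic, "JBE") == 0) return cf || zf;
    if (strcmp(mnemonic, "JP") == 0)  return pf;
    return -1;
}

/* FPREM / FPREM1: low three quotient bits, C0 x 4 + C3 x 2 + C1. Valid only
   when C2 = 0 (reduction complete); returns -1 while C2 = 1. */
static int fprem_quotient_low3(uint16_t sw)
{
    if (sw & SW_C2)
        return -1;
    return ((sw & SW_C0) ? 4 : 0) + ((sw & SW_C3) ? 2 : 0) + ((sw & SW_C1) ? 1 : 0);
}

int main(void)
{
    /* Constructed status words; 3800H has TOP = 7 and no condition codes. */
    static const uint16_t samples[] = { 0x3800, 0x0100, 0x4000, 0x4500 };
    static const char *names[] = { "greater", "less", "equal", "unordered", "undefined" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned f = flags_after_sahf(samples[i]);
        printf("SW=%04Xh -> %-9s JP=%d JE=%d JB=%d\n", (unsigned)samples[i],
               names[classify_compare(samples[i])],
               jcc_taken("JP", f), jcc_taken("JE", f), jcc_taken("JB", f));
    }
    /* FPREM example values 6 and 4: quotient 1, so only C1 is set. */
    printf("FPREM quotient bits: %d\n", fprem_quotient_low3(0x0200));
    return 0;
}
```

An unordered result sets ZF, PF and CF together, so JE, JB and JBE are also taken; test JP before any of them.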

Exceptions
SF PE UE OE ZE DE IE

Example

ST(1) 72rO.0 ST 7270.0

0.1 ST(1) 0.1

FWAIT 8087/80287/80387
Wait Until Not Busy

Legal Form
FWAIT

Description
This is the 80386 WAIT instruction, but many assemblers allow you to encode it as
FWAIT because it relates to the NDP. FWAIT places the 80386 into an idle state until
the BUSY\ pin is inactive. If the BUSY\ pin is inactive when the instruction is
executed, no idle occurs. The BUSY\ pin on the 80387 is held active while the NDP is
performing a floating-point instruction. Execute this instruction before any 80386
instruction that will use a value stored by the coprocessor.

Exceptions
SF PE UE OE ZE DE IE

FXAM 8087/80287/80387
Examine Top of Stack

Legal Form
FXAM ; CC ← examine(ST)

Description
This instruction sets the condition code bits in the 80387 status word (SW)
according to the value of the top of stack. The following table indicates the settings that
can arise based on different values of ST.

                      C3  C2  C1  C0
Unsupported*          0   0   s   0
NaN                   0   0   s   1
Valid (normal)        0   1   s   0
Infinity              0   1   s   1
Zero                  1   0   s   0
Unused (TW = empty)   1   0   s   1
Denormal              1   1   s   0
Unused (TW = empty)   1   1   s   1

The s bit in C1 is set to the sign of the value of ST, with 0 indicating a positive value
and 1 indicating a negative.

Exceptions
SF PE UE OE ZE DE IE

*Unsupported values are special bit patterns that were valid for the 8087 or 80287 but are no longer
supported. These include pseudo-NaN, pseudo-zero, pseudo-infinity, and unnormals.

Example
Before

ST
ST(1) 44.0 ST(1) 45.0

FXAM

FXCH 8087/80287/80387
Exchange Stack Elements

Legal Forms
FXCH       ; temp ← ST; ST ← ST(1); ST(1) ← temp
FXCH ST(n) ; temp ← ST; ST ← ST(n); ST(n) ← temp

Description
This instruction swaps the contents of the specified stack registers. This allows
values to move to the top of stack, which is the standard operand location for many
80387 instructions.

Exceptions
SF PE UE OE ZE DE IE
x

Example

ST ST 1.0
ST(1) 2.0 ST(1) 2.0
ST(2) 10 ST(2) 3.0

FXCH

FXTRACT 8087/80287/80387
Extract Floating-Point Components

Legal Form
FXTRACT ; temp ← ST; ST ← exponent(temp)
        ; push(fraction(temp))

Description
This instruction breaks the top of stack into its constituent parts, the significand and
the exponent. The exponent is stored as a true, unbiased value, not as just the bit
pattern in the exponent field of the floating-point representation. This operation
leaves the fraction or significand on the top of stack and the exponent at ST(1). The
original value is destroyed.
If the original top of stack is 0, the exponent portion is set to negative infinity.

Exceptions
SF PE UE OE ZE DE IE

Example

Before

ST r.59x I

FXTRACT


FYL2X 8087/80287/80387
Compute Y x log2 X

Legal Form
FYL2X ; temp ← log2(ST); pop(); ST ← ST * temp

Description
This instruction pops the top of stack, takes the base 2 logarithm, and multiplies the
result by the new top of stack. Another way of expressing the function is:
ST(1) x log2 ST
The initial top of stack must be a positive value, 0 through infinity. If it is not, the
results of the operation are undefined.
You can also use this instruction to compute logarithms with a base other than 2,
relying on the identity:
logn x = (log2 x) / (log2 n)
The following code fragment illustrates this computation:

FLD1                    ; 1.0
FLD     n               ; n, 1.0
FYL2X                   ; log2 n
FLD1                    ; 1.0, log2 n
FDIVRP  ST(1),ST        ; 1/log2 n (reversed divide: ST / ST(1), then pop)
FLD     x               ; x, 1/log2 n
FYL2X                   ; log2 x * 1/log2 n

Exceptions
SF PE UE OE ZE DE IE

Example

ST    8.0
ST(1) 0.01      ST    0.03
ST(2) 0.333     ST(1) 0.333

FYL2X


FYL2XP1 8087/80287/80387
Compute Y x log2 (X + 1)

Legal Form
FYL2XP1 ; temp ← log2(ST + 1.0); pop(); ST ← ST * temp

Description
This instruction pops the top of stack, adds 1.0 to the value, takes the base 2
logarithm, and multiplies the result by the new top of stack. Another way of ex-
pressing the instruction is:
ST(1) x log2 (ST + 1.0)
The initial top of stack must be within the range -1 + √2/2 < X < 1 - √2/2, or the
result of the instruction is undefined.
This instruction is provided so that adding 1.0 to the top of stack and executing
FYL2X does not result in a precision loss. Because the FYL2XP1 function is com-
puted differently than the FYL2X instruction, a special range restriction exists.
FYL2XP1 is also useful in computing the arcsinh, arccosh, and arctanh inverse
hyperbolic trigonometric functions.

Exceptions
SF PE UE OE ZE DE IE
x

Example

ST    15.0
ST(1) 10.0      ST    40.0
ST(2)           ST(1)

FYL2XP1


F2XM1 8087/80287/80387
Compute 2^x - 1

Legal Form
F2XM1 ; ST ← 2^ST - 1

Description
This instruction replaces the current top of stack (ST) with the value of the function
2^ST - 1. However, the initial operand value must be within the range -0.5 < x < +0.5
or the result of the operation is undefined.
The function 2^x - 1, rather than the simpler 2^x, is provided on the 80387 to ensure
precision when x is near 0 (for example, when computing hyperbolic trigonometric
functions).
Because the range of the F2XM1 instruction is narrow, subroutines to compute 2^n
must use FRNDINT and FSCALE to bring the instruction into a legal range and scale
the result to a proper value.
You can compute the general function x^y by using the identity:
x^y = 2^(y x log2 x)
and using the FYL2X and F2XM1 instructions.

Exceptions
SF PE UE OE ZE DE IE
x

Example

ST    0.01      ST    0.0069
ST(1) 3.0       ST(1) 3.0

F2XM1

APPENDIXES
Appendix A
POWERS OF TWO

n     2^n (decimal)   2^n (hex)
0     1               1
1     2               2
2     4               4
3     8               8
4     16              10
5     32              20
6     64              40
7     128             80
8     256             100
9     512             200
10    1024            400
11    2048            800
12    4096            1000
13    8192            2000
14    16384           4000
15    32768           8000
16    65536           10000

20    1048576         100000

32    4294967296      100000000

Appendix B
ASCII CHARACTER SET

Low-order   High-order Bits
Bits        0000   0001   0010    0011   0100   0101   0110   0111
0000        NUL    DLE    space   0      @      P      `      p
0001        SOH    DC1    !       1      A      Q      a      q
0010        STX    DC2    "       2      B      R      b      r
0011        ETX    DC3    #       3      C      S      c      s
0100        EOT    DC4    $       4      D      T      d      t
0101        ENQ    NAK    %       5      E      U      e      u
0110        ACK    SYN    &       6      F      V      f      v
0111        BEL    ETB    '       7      G      W      g      w
1000        BS     CAN    (       8      H      X      h      x
1001        HT     EM     )       9      I      Y      i      y
1010        LF     SUB    *       :      J      Z      j      z
1011        VT     ESC    +       ;      K      [      k      {
1100        FF     FS     ,       <      L      \      l      |
1101        CR     GS     -       =      M      ]      m      }
1110        SO     RS     .       >      N      ^      n      ~
1111        SI     US     /       ?      O      _      o      RUB

Appendix C
OPCODE TABLE*

The following opcode tables aid in interpreting 80386 object code. Use the high-
order 4 bits of the opcode as an index to a row of the opcode table; use the low-
order 4 bits as an index to a column of the table. If the opcode is 0FH, refer to the
2-byte opcode table, and use the second byte of the opcode to index the rows and
columns of that table.

Key to Abbreviations
Operands are identified by a two-character code of the form Zz. The first character,
an uppercase letter, specifies the addressing method; the second character, a lower-
case letter, specifies the type of operand.

Codes for Addressing Method

A: Direct address. The instruction has no mod r/m byte; the address of the operand
is encoded in the instruction; no base register, index register, or scaling factor can
be applied, for example, far JMP (EAH).
C: The reg field of the mod r/m byte selects a control register, for example, MOV
(0FH 20H, 0FH 22H).
D: The reg field of the mod r/m byte selects a debug register, for example, MOV
(0FH 21H, 0FH 23H).
E: A mod r/m byte follows the opcode and specifies the operand. The operand is
either a general register or a memory address. If it is a memory address, the address
is computed from a segment register and any of the following values: a base register,
an index register, a scaling factor, or a displacement.

*Adapted and reprinted by permission of Intel Corporation, copyright 1985


F: Flags register.
G: The reg field of the mod r/m byte selects a general register, for example, ADD
(00H).
I: Immediate data. The value of the operand is encoded in subsequent bytes of the

J: The instruction contains a relative offset to be added to the instruction pointer
register, for example, JMP short, LOOP.
M: The mod r/m byte may refer only to memory, for example, BOUND, LES,
LDS, LSS, LFS, LGS.
O: The instruction has no mod r/m byte; the offset of the operand is coded as a
word or doubleword (depending on address size attribute) in the instruction. No
base register, index register, or scaling factor can be applied, for example, MOV
(A0H-A3H).
R: The mod field of the mod r/m byte may refer only to a general register, for ex-
ample, MOV (0FH 20H, 0FH 26H).
S: The reg field of the mod r/m byte selects a segment register, for example, MOV
(8CH, 8EH).
T: The reg field of the mod r/m byte selects a test register, for example, MOV
(0FH 24H).
X: Memory addressed by DS:SI, for example, MOVS, CMPS, OUTS, LODS, SCAS.
Y: Memory addressed by ES:DI, for example, MOVS, CMPS, INS, STOS.

Codes for Operand Type

a: Two single-word operands in memory or two double-word operands in
memory, depending on operand size attribute (used only by BOUND).
b: Byte (regardless of operand size attribute).
c: Byte or word, depending on operand size attribute.
d: Doubleword (regardless of operand size attribute).
p: 32-bit or 48-bit pointer, depending on operand size attribute.
s: 6-byte pseudodescriptor.
v: Word or doubleword, depending on operand size attribute.
w: Word (regardless of operand size attribute).


Register Codes
When an operand is a register encoded in the opcode, the register is identified by
its name, for example, AX, CL, or ESI. The name of the register indicates whether
the register is 32 bits, 16 bits, or 8 bits. A register identifier of the form eXX is used
when the width of the register depends on the operand size attribute; for example,
eAX indicates that the AX register is used when the operand size attribute is 16 and
that the EAX register is used when the operand size attribute is 32.


One-Byte Opcode Table

     0          1          2          3          4          5          6          7
0    ADD        ADD        ADD        ADD                              PUSH       POP
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev                            ES         ES
1    ADC        ADC        ADC        ADC        ADC        ADC        PUSH       POP
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev                 eAX,Iv     SS         SS
2    AND        AND        AND        AND                              ES:
                Ev,Gv      Gb,Eb      Gv,Ev
3    XOR        XOR        XOR        XOR        XOR        XOR
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev      AL,Ib
4    INC        INC        INC        INC        INC        INC        INC        INC
                eCX        eDX        eBX                   eBP                   eDI
5    PUSH       PUSH       PUSH       PUSH       PUSH       PUSH       PUSH       PUSH
                           eDX                                                    eDI
6    PUSHAD                BOUND      ARPL       FS:                   OPSIZE:    ADRSIZE:
                                      Ew,Rw
7    JO         JNO        JB         JNB        JZ         JNZ        JBE        JNBE
     Jb         Jb         Jb         Jb         Jb         Jb
8                                                TEST       TEST       XCHG       XCHG
     Eb,Ib      Ev,Iv                 Ev,Ib                 Ev,Gv      Eb,Gb      Ev,Gv
9    NOP        XCHG       XCHG       XCHG       XCHG       XCHG       XCHG       XCHG
A    MOV        MOV        MOV        MOV        MOVSB      MOVSW/D    CMPSB      CMPSW/D
B    MOV        MOV        MOV        MOV        MOV        MOV        MOV        MOV
     AL,Ib      CL,Ib      DL,Ib      BL,Ib                 CH,Ib      DH,Ib      BH,Ib
C    Group 2               RET (near) RET (near) LES        LDS        MOV        MOV
     Eb,Ib      Ev,Ib                            Gv,Mp      Gv,Mp      Eb,Ib      Ev,Iv
D                                                                                 XLAT
                Ev,1       Eb,CL      Ev,CL
E    LOOPNE     LOOPE      LOOP       JCXZ       IN         IN         OUT        OUT
     Jb         Jb
F    LOCK                  REPNE      REP/REPE   HLT        CMC
                                                                       Eb         Ev

NOTE: All numbers are in hex.


One-Byte Opcode Table (continued)

     8          9          A          B          C          D          E          F
0    OR         OR         OR         OR         OR         OR         PUSH       2-byte
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev      AL,Ib                 CS
1    SBB        SBB        SBB        SBB        SBB        SBB        PUSH       POP
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev                 eAX,Iv     DS         DS
2    SUB        SUB        SUB        SUB        SUB        SUB        CS:        DAS
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev      AL,Ib      eAX,Iv
3    CMP        CMP        CMP        CMP        CMP        CMP        DS:
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev      AL,Ib      eAX,Iv
4    DEC        DEC        DEC        DEC        DEC        DEC        DEC        DEC
     eAX        eCX        eDX        eBX        eSP        eBP        eSI        eDI
5    POP        POP        POP        POP        POP        POP        POP        POP
                eCX        eDX        eBX        eSP        eBP        eSI        eDI
6    PUSH       IMUL       PUSH       IMUL       INSB       INSW/D     OUTSB      OUTSW/D
     Iv         Gv,Ev,Iv   Ib         Gv,Ev,Ib   Yb,DX      Yv,DX      DX,Xb      DX,Xv
7    JS         JNS                   JNP        JL         JNL        JLE        JNLE
     Jb         Jb         Jb         Jb         Jb         Jb         Jb         Jb
8    MOV        MOV        MOV        MOV        MOV        LEA        MOV        POP
     Eb,Gb      Ev,Gv      Gb,Eb      Gv,Ev      Ew,Sw      Gv,M       Sw,Ew      Ev
9    CBW        CWD        CALL       WAIT       PUSHF      POPF       SAHF       LAHF
                                                 Fv
A    TEST       TEST       STOSB      STOSW/D    LODSB      LODSW/D    SCASB      SCASW/D
     AL,Ib      eAX,Iv
B    MOV        MOV        MOV        MOV        MOV        MOV        MOV        MOV
     eAX,Iv     eCX,Iv     eDX,Iv     eBX,Iv     eSP,Iv     eBP,Iv     eSI,Iv     eDI,Iv
C    ENTER      LEAVE      RET far               INT        INT        INTO       IRET
     Iw,Ib                 Iw                    3          Ib
D    ESC        ESC        ESC        ESC        ESC        ESC        ESC        ESC
     0          1          2          3          4          5
E    CALL       JMP        JMP        JMP        IN         IN         OUT        OUT
     Jv                               Jb         AL,DX      eAX,DX     DX,AL      DX,eAX
F    CLC        STC        CLI        STI        CLD        STD                   Group 5


Two-Byte Opcode Table (first byte is 0FH)

     0          1          2          3          4          5          6          7
0    Group 6               LAR        LSL                              CLTS
                           Gv,Ew      Gv,Ew
2    MOV        MOV        MOV        MOV        MOV                   MOV
     Cd,Rd      Dd,Rd      Rd,Cd      Rd,Dd      Td,Rd                 Rd,Td
8    JO         JNO        JB         JNB        JZ         JNZ        JBE        JNBE
     Jv         Jv         Jv         Jv         Jv         Jv         Jv         Jv
9    SETO       SETNO      SETB       SETNB      SETZ       SETNZ      SETBE      SETNBE
     Eb         Eb         Eb         Eb         Eb         Eb         Eb
A    PUSH       POP                   BT         SHLD       SHLD
     FS         FS                    Ev,Gv      Ev,Gv,Ib   Ev,Gv,CL
B                          LSS        BTR        LFS        LGS        MOVZX      MOVZX
                           Mp         Ev,Gv      Mp         Mp         Gv,Eb      Gv,Ew


Two-Byte Opcode Table (continued)

     8          9          A          B          C          D          E          F
8    JS         JNS        JP         JNP        JL         JNL        JLE        JNLE
     Jv         Jv         Jv         Jv         Jv         Jv         Jv         Jv
9    SETS       SETNS      SETP       SETNP      SETL       SETNL      SETLE      SETNLE
     Eb         Eb         Eb         Eb         Eb         Eb
A    PUSH       POP                   BTS        SHRD       SHRD                  IMUL
     GS         GS                    Ev,Gv      Ev,Gv,Ib   Ev,Gv,CL              Gv,Ev
B                          Group 8    BTC        BSF        BSR        MOVSX      MOVSX
                           Ev,Ib      Ev,Gv      Gv,Ev      Gv,Ev      Gv,Eb      Gv,Ew


Opcodes Determined by Bits 5, 4, and 3 of mod r/m Byte: mod nnn r/m

           000        001        010        011        100        101        110        111
Group 1    ADD        OR         ADC        SBB        AND        SUB        XOR        CMP
Group 2    ROL        ROR        RCL        RCR        SHL        SHR
Group 3    TEST                  NOT        NEG        MUL        IMUL       DIV        IDIV
           Ib/Iv
Group 4    INC        DEC
           Eb         Eb
Group 5    INC        DEC        CALL       CALL       JMP        JMP        PUSH
           Ev         Ev         Ev                    Ev                    Ev
Group 6    SLDT       STR        LLDT       LTR        VERR       VERW
           Ew         Ew         Ew
Group 7    SGDT       SIDT       LGDT       LIDT       SMSW                  LMSW
           Ms                                          Ew                    Ew
Group 8                                                BT         BTS        BTR        BTC

80387 Extensions
The following tables show the opcode map to the 80386 instruction set for the 80387
extensions. The operand abbreviations for these tables are:
Es: Effective address, short real (32-bit)
El: Effective address, long real (64-bit)
Et: Effective address, temp real (80-bit)
Ew: Effective address, word (16-bit)
Ed: Effective address, doubleword (32-bit)
Eq: Effective address, quadword (64-bit)
Eb: Effective address, BCD (80-bit)
Ea: Effective address (no operand size)
ST(i): Stack element i
ST: Stack top


FomaC

ESC 0

              000        001        010        011        100        101        110        111
mod=00,01,10  FADD       FMUL       FCOM       FCOMP      FSUB       FSUBR      FDIV       FDIVR
              Es         Es         Es         Es         Es         Es         Es         Es
mod=11        FADD       FMUL       FCOM       FCOMP      FSUB       FSUBR      FDIV       FDIVR
              ST,ST(i)   ST,ST(i)   ST,ST(i)   ST,ST(i)   ST,ST(i)   ST,ST(i)   ST,ST(i)   ST,ST(i)

ESC 1

              000        001        010        011        100        101        110        111
mod=00,01,10  FLD                   FST        FSTP       FLDENV     FLDCW      FSTENV     FSTCW
              Es                    Es         Es         Ea         Ew         Ea         Ew
mod=11
  r/m=000     FLD        FXCH       FNOP                  FCHS       FLD1       F2XM1      FPREM
              ST(0)      ST(0)
  r/m=001     FLD        FXCH                             FABS       FLDL2T     FYL2X      FYL2XP1
              ST(1)      ST(1)
  r/m=010     FLD        FXCH                                        FLDL2E     FPTAN      FSQRT
              ST(2)      ST(2)
  r/m=011     FLD        FXCH                                        FLDPI      FPATAN     FSINCOS
              ST(3)      ST(3)
  r/m=100     FLD        FXCH                                        FLDLG2     FXTRACT    FRNDINT
              ST(4)      ST(4)
  r/m=101     FLD        FXCH                             FXAM       FLDLN2     FPREM1     FSCALE
              ST(5)      ST(5)
  r/m=110     FLD        FXCH                                        FLDZ       FDECSTP    FSIN
              ST(6)      ST(6)
  r/m=111     FLD        FXCH                                                   FINCSTP    FCOS
              ST(7)      ST(7)


ESC 2

              000        001        010        011        100        101        110        111
mod=00,01,10  FIADD      FIMUL      FICOM      FICOMP     FISUB      FISUBR     FIDIV      FIDIVR
              Ew         Ew         Ew         Ew         Ew         Ew         Ew         Ew
mod=11                                                               FUCOMPP

ESC 3

              000        001        010        011        100        101        110        111
mod=00,01,10  FILD                  FIST       FISTP                 FLD                   FSTP
              Ew                    Ew         Ew                    Et
mod=11                                                    Group 3a

Group 3a: mod=11, nnn=100
r/m           000        001        010        011        100        101        110        111
              (FENI)     (FDISI)    FCLEX      FINIT      (FSETPM)

ESC 4

              000        001        010        011        100        101        110        111
mod=00,01,10  FADD       FMUL       FCOM       FCOMP      FSUB       FSUBR      FDIV       FDIVR
              El         El         El         El         El         El         El         El
mod=11        FADD       FMUL       FCOM       FCOMP      FSUB       FSUBR      FDIV       FDIVR
              ST(i),ST   ST(i),ST   ST(i),ST   ST(i),ST   ST(i),ST   ST(i),ST   ST(i),ST   ST(i),ST


ESC 5

              000        001        010        011        100        101        110        111
mod=00,01,10  FLD                   FST        FSTP       FRSTOR                FSAVE      FSTSW
              El                    El                    Ea                    Ea         Ew
mod=11        FFREE                 FST        FSTP       FUCOM      FUCOMP
              ST(i)                 ST(i)      ST(i)      ST(i)      ST(i)

ESC 6

              000        001        010        011        100        101        110        111
mod=00,01,10  FIADD      FIMUL      FICOM      FICOMP     FISUB      FISUBR     FIDIV      FIDIVR
              Ed         Ed         Ed         Ed         Ed         Ed         Ed
mod=11        FADDP      FMULP                            FSUBP      FSUBRP     FDIVP      FDIVRP
              ST(i),ST   ST(i),ST              r/m=001    ST(i),ST   ST(i),ST   ST(i),ST   ST(i),ST

ESC 7

              000        001        010        011        100        101        110        111
mod=00,01,10  FILD                  FIST       FISTP      FBLD       FILD       FBSTP      FISTP
              Ed                    Ed                    Eb         Eq         Eb         Eq
mod=11                                                    FSTSW
                                                          AX
                                                          r/m=000

Appendix D
INSTRUCTION FORMAT AND TIMING*

This appendix describes the 80386 instruction set. A table lists all instructions with
instruction encoding diagrams and clock counts. Details of the instruction encoding
are provided in the following sections, which describe the encoding structure and
the definition of fields occurring within 80386 instructions.

80386 Instruction Encoding and Clock Count Summary
To calculate elapsed time for an instruction, multiply the instruction clock count, as
listed in the table on the following page, by the processor clock period (for ex-
ample, 62.5 ns for an 80386-16 operating at 16 MHz (32 MHz CLK2 signal)).
For more information on the encodings of instructions, refer to "Instruction Encod-
ing," which explains the structure of instruction encodings and defines the encod-
ings of instruction fields.

Instruction clock count assumptions

1. The instruction has been prefetched and decoded and is ready for execution.
2. Bus cycles do not require wait states.
3. There are no local bus HOLD requests delaying processor access to the bus.
4. No exceptions are detected during instruction execution.
5. If an effective address is calculated, it does not use two general register compo-
nents. One register, scaling and displacement can be used within the clock counts
shown. However, if the effective address calculation uses two general-register
components, add one clock to the clock count shown.

*Adapted and reprinted by permission of Intel Corporation, 1986

Instruction clock count notation
1. If two clock counts are given, the smaller one refers to a register operand, and
the larger one refers to a memory operand.
2. n = number of times repeated.
3. m = number of components in the next instruction executed, where any
displacement counts as one component, any immediate data counts as one com-
ponent, and each of the other bytes of the instruction and prefix(es) counts as
one component.
To compute 80286 clock counts, add one clock to each effective address calculation
that uses the base + index form of addressing. To compute 8086 clock counts, add
the count from the table below according to the type of address calculation used.

EA Type                        Clocks
Displacement only              6
Base or index only             5
Index + displacement           9
Base + displacement            9
Base + index                   7 or 8
Base + index + displacement    11 or 12

Instruction notes for Table

The following are instruction notes for the table titled "80386 Instruction Set Clock
Count Summary," which begins on page 400.
Notes a through c apply to 80386 real address mode only.
a. This is a protected-mode instruction. Trying to execute in real mode results in
exception 6 (invalid opcode).
b. Exception 13 fault (general protection) occurs in real mode if an operand refer-
ence is made that partially or fully extends beyond the maximum CS, DS, ES, FS,
or GS limit, FFFFH. Exception 12 fault (stack segment limit violation or not pres-
ent) occurs in real mode if an operand reference is made that partially or fully
extends beyond the maximum SS limit.
c. This instruction may be executed in real mode, where it initializes the CPU for
protected mode.
Notes d through g apply to 80386 real address mode and 80386 protected virtual

d. The 80386 uses an early-out multiply algorithm. The number of clocks depends
on the position of the most significant bit in the operand (multiplier).


Clock counts are minimum to maximum. To calculate actual clocks, use the
following formula:
Actual clock = if m <> 0 then max([log2 |m|], 3) + 6 clocks;
               if m = 0 then 9 clocks (where m is the multiplier)
e. An exception might occur, depending on the value of the operand.
f. LOCK is asserted, regardless of the presence or absence of the LOCK prefix.
g. LOCK is asserted during descriptor table accesses.
Notes h through r apply to 80386 protected virtual address mode only:
h. Exception 13 fault (general protection violation) occurs if the memory operand
in CS, DS, ES, FS, or GS cannot be used due to a segment limit violation or to an
access rights violation. If a stack limit is violated, an exception 12 (stack segment
limit violation or not present) occurs.
i. For segment load operations, the CPL, RPL, and DPL must agree with the privi-
lege rules to avoid an exception 13 fault (general protection violation). The seg-
ment's descriptor must indicate "present" or exception 11 (CS, DS, ES, FS, or GS
not present). If the SS register is loaded and a stack segment not present is
detected, an exception 12 (stack segment limit violation or not present) occurs.
j. All segment descriptor accesses in the GDT or LDT made by this instruction
assert LOCK to maintain descriptor integrity in multiprocessor environments.
k. JMP, CALL, INT, RET, and IRET instructions referring to another code segment
cause an exception 13 (general protection violation) if an applicable privilege
rule is violated.
l. An exception 13 fault occurs if CPL is greater than 0. (0 is the most privileged
level.)
m. An exception 13 fault occurs if CPL is greater than IOPL.
n. The IF bit of the flag register is not updated if CPL is greater than IOPL. The IOPL
and VM fields of the flag register are updated only if CPL is equal to 0.
o. The PE bit of the MSW (CR0) cannot be reset by this instruction. Use MOV into
CR0 to reset the PE bit.
p. Any violation of privilege rules as applied to the selector operand does not cause
a protection exception; rather, the zero flag is cleared.
q. If the coprocessor's memory operand violates a segment limit or segment access
rights, an exception 13 fault (general protection exception) occurs before the
ESC instruction executes. An exception 12 fault (stack segment limit violation or
not present) occurs if the stack limit is violated by the operand's starting address.
r. The destination of a JMP, CALL, INT, RET, or IRET must be in the defined limit of
a code segment or an exception 13 fault (general protection violation) occurs.

[Table: 80386 Instruction Set Clock Count Summary]

Instruction Encoding
All instruction encodings are subsets of the general instruction format shown in
Figure D-1. Instructions consist of one or two primary opcode bytes, possibly an ad-
dress specifier consisting of the mod r/m byte and scaled index byte, a displace-
ment if required, and an immediate data field if required.
Within the primary opcode or opcodes, smaller encoding fields can be defined.
These fields vary according to the class of operation. The fields define information
such as direction of the operation, size of the displacements, register encoding, and

Almost all instructions that refer to an operand in memory have an addressing mode
byte following the primary opcode byte(s). This byte, the mod r/m byte, specifies
the address mode to be used. Certain encodings of the mod r/m byte indicate a sec-
ond addressing byte, the scale-index-base byte, which fully specifies the addressing

Addressing modes can include a displacement immediately following the mod r/m
byte or the scaled index byte. If a displacement is present, the possible sizes are 8,

If the instruction specifies an immediate operand, the immediate operand follows
any displacement bytes. The immediate operand is always the last field of the

Figure D-1 illustrates some of the fields that can appear in an instruction, such as
the mod field and the r/m field. Several smaller fields also appear in certain instruc-
tions, sometimes within the opcode bytes. The following table is a complete list of
all fields appearing in the 80386 instruction set. Detailed tables for each field appear
later in this appendix.

TTTTTTTT TTTTTTTT                               d32 | 16 | 8 | none   data32 | 16 | 8 | none
7      0 7      0   7 6 5 3 2 0   7 6 5 3 2 0
                    "mod r/m"     "s-i-b"       address               immediate
                    byte          byte          displacement          data
                                                (4, 2, 1 bytes        (4, 2, 1 bytes
                    register and address        or none)              or none)

Figure D-1. General instruction format.


Fields within 80386 Instructions

Field Name   Description                                             Number of Bits
w            Specifies whether data is byte size or full size        1
             (full size is either 16 or 32 bits)
d            Specifies direction of data operation                   1
s            Specifies whether an immediate data field must be       1
reg          General register specifier                              3
mod r/m      Address mode specifier (effective address can be a      3 for r/m
ss           Scale factor for scaled index address mode              2
index        General register to be used as index register           3
base         General register to be used as base register            3
sreg2        Segment register specifier for CS, SS, DS, ES           2
sreg3        Segment register specifier for CS, SS, DS, ES, FS, GS   3
tttn         For conditional instructions, specifies a condition     4
             asserted or a condition negated

NOTE: Figure D-1 shows encoding of individual instructions.

32-bit extensions of the instruction set

With the 80386, the 8086/80186/80286 instruction set is extended in two orthogonal
directions: 32-bit forms of all 16-bit instructions support the 32-bit data types, and
32-bit addressing modes are available for all instructions referring to memory. This
orthogonal instruction set extension is accomplished by having a default (D) bit in
the code segment descriptor and by having two prefixes to the instruction set.
Whether the instruction defaults to operations of 16 bits or 32 bits depends on the
setting of the D bit in the code segment descriptor. The D bit specifies the default
length (either 16 bits or 32 bits) for both operands and effective addresses when
executing that code segment. Real address mode and virtual 8086 mode use no code
segment descriptors, but the 80386 internally assumes a D value of 0 when operat-
ing in those modes (for 16-bit default sizes compatible with the 8086/80186/80286).
Two prefixes, the operand size prefix and the effective address size prefix, allow
overriding the default selection of operand size and effective address size. These
prefixes can precede any opcode bytes and affect only the instruction they precede.
If necessary, one or both prefixes can be placed before the opcode bytes. The pres-
ence of the operand size prefix and the effective address prefix toggles the operand
size or the effective address size to the value opposite from that of the default set-
ting. For example, if the default operand size is for 32-bit data operations, the pres-
ence of the operand size prefix toggles the instruction to 16-bit data operation. If
the default effective address size is 16 bits, the presence of the effective address size
prefix toggles the instruction to use 32-bit effective address computations.


These 32-bit extensions are available in all 80386 modes, including real address
mode or virtual 8086 mode. In these modes the default is always 16 bits, so prefixes
are needed to specify 32-bit operands or addresses.

Unless specified, instructions with 8-bit and 16-bit operands do not affect the
contents of the high-order bits of the extended registers.

Encoding of instruction fields


Several fields indicate register selection, addressing mode, and so on within the
instruction. The encodings of these fields are defined in the following tables.

Encoding of the operand length (w) field


For any given instruction performing a data operation, the instruction executes as a
32-bit operation or a 16-bit operation. Within the constraints of the operation size,
the w field encodes the operand size as either 1 byte or the full operation size, as
shown in the table below.

Operand Length Encoding

w Field   Operand Size During           Operand Size During
          16-Bit Data Operations        32-Bit Data Operations
0         8 bits                        8 bits
1         16 bits                       32 bits

Encoding of the general register (reg) field


The general register is specified by the reg field, which can appear in the primary
opcode bytes or as the reg field of the mod r/m byte, or as the r/m field of the mod
r/m byte. The following tables illustrate reg field encoding.

Encoding of reg Field When w Field Is Not Present in Instruction

reg Field   Register Selected During      Register Selected During
            16-Bit Data Operations        32-Bit Data Operations
000         AX                            EAX
001         CX                            ECX
010         DX                            EDX
011         BX                            EBX
100         SP                            ESP
101         BP                            EBP
110         SI                            ESI
111         DI                            EDI


Encoding of reg Field When w Field Is Present in Instruction

Register Specified by reg Field During 16-Bit Data Operations

reg     Function of w Field
        When w = 0    When w = 1
000     AL            AX
001     CL            CX
010     DL            DX
011     BL            BX
100     AH            SP
101     CH            BP
110     DH            SI
111     BH            DI

Encoding of reg Field When w Field Is Present in Instruction

Register Specified by reg Field During 32-Bit Data Operations

reg     Function of w Field
        When w = 0    When w = 1
000     AL            EAX
001     CL            ECX
010     DL            EDX
011     BL            EBX
100     AH            ESP
101     CH            EBP
110     DH            ESI
111     BH            EDI

Encoding of the segment register (sreg) field


The sreg field in certain instructions is a 2-bit field that allows one of the four 80286
segment registers to be specified. The sreg field in other instructions is a 3-bit field
that allows the 80386 FS and GS segment registers to be specified. The following
two tables show the selected segment registers.

2-Bit sreg2 Field

2-Bit sreg2 Field   Segment Register Selected
00                  ES
01                  CS
10                  SS
11                  DS


3-Bit sreg3 Field

3-Bit sreg3 Field   Segment Register Selected
000                 ES
001                 CS
010                 SS
011                 DS
100                 FS
101                 GS
110
111

Encoding of address mode


Except for special instructions such as PUSH and POP, where the addressing mode
is predetermined, the addressing mode for the current instruction is specified by
addressing bytes following the primary opcode. The primary addressing byte is the
mod r/m byte, and a second byte of addressing information, the s-i-b (scale-index-base)
byte, can be specified.

The s-i-b byte is specified when using 32-bit addressing mode and the mod r/m
byte has r/m = 100 and mod = 00, 01, or 10. When the s-i-b byte is present, the 32-bit
addressing mode is a function of the mod, ss, index, and base fields.

The primary addressing byte, the mod r/m byte, also contains 3 bits (shown as TTT
in Figure D-1) sometimes used as an extension of the primary opcode. The 3 bits,
however, can also be used as a register field (reg).

When calculating an effective address, either 16-bit addressing or 32-bit addressing
is used. 16-bit addressing uses 16-bit address components to calculate the effective
address, while 32-bit addressing uses 32-bit address components to calculate the
effective address. When 16-bit addressing is used, the mod r/m byte is interpreted
as a 16-bit addressing mode specifier. When 32-bit addressing is used, the mod r/m
byte is interpreted as a 32-bit addressing mode specifier.

The following tables define all encodings of all 16-bit addressing modes and 32-bit
addressing modes.


Encoding of 32-Bit Address Mode with mod r/m Byte
(no s-i-b Byte Present)

mod r/m   Effective Address
00 000    DS:[EAX]
00 001    DS:[ECX]
00 010    DS:[EDX]
00 011    DS:[EBX]
00 100    s-i-b is present
00 101    DS:d32
00 110    DS:[ESI]
00 111    DS:[EDI]

01 000    DS:[EAX+d8]
01 001    DS:[ECX+d8]
01 010    DS:[EDX+d8]
01 011    DS:[EBX+d8]
01 100    s-i-b is present
01 101    SS:[EBP+d8]
01 110    DS:[ESI+d8]
01 111    DS:[EDI+d8]

10 000    DS:[EAX+d32]
10 001    DS:[ECX+d32]
10 010    DS:[EDX+d32]
10 011    DS:[EBX+d32]
10 100    s-i-b is present
10 101    SS:[EBP+d32]
10 110    DS:[ESI+d32]
10 111    DS:[EDI+d32]

11 000    register; see below
11 001    register; see below
11 010    register; see below
11 011    register; see below
11 100    register; see below
11 101    register; see below
11 110    register; see below
11 111    register; see below

Register Specified by reg or r/m During 16-Bit Data Operations

mod r/m   Function of w Field
          When w = 0    When w = 1
11 000    AL            AX
11 001    CL            CX
11 010    DL            DX
11 011    BL            BX
11 100    AH            SP
11 101    CH            BP
11 110    DH            SI
11 111    BH            DI


Register Specified by reg or r/m During 32-Bit Data Operations

mod r/m   Function of w Field
          When w = 0    When w = 1
11 000    AL            EAX
11 001    CL            ECX
11 010    DL            EDX
11 011    BL            EBX
11 100    AH            ESP
11 101    CH            EBP
11 110    DH            ESI
11 111    BH            EDI

Encoding of 32-Bit Address Mode (mod r/m Byte and s-i-b Byte Present)

mod base   Effective Address
00 000     DS:[EAX+(scaled index)]
00 001     DS:[ECX+(scaled index)]
00 010     DS:[EDX+(scaled index)]
00 011     DS:[EBX+(scaled index)]
00 100     SS:[ESP+(scaled index)]
00 101     DS:[d32+(scaled index)]
00 110     DS:[ESI+(scaled index)]
00 111     DS:[EDI+(scaled index)]

01 000     DS:[EAX+(scaled index)+d8]
01 001     DS:[ECX+(scaled index)+d8]
01 010     DS:[EDX+(scaled index)+d8]
01 011     DS:[EBX+(scaled index)+d8]
01 100     SS:[ESP+(scaled index)+d8]
01 101     SS:[EBP+(scaled index)+d8]
01 110     DS:[ESI+(scaled index)+d8]
01 111     DS:[EDI+(scaled index)+d8]

10 000     DS:[EAX+(scaled index)+d32]
10 001     DS:[ECX+(scaled index)+d32]
10 010     DS:[EDX+(scaled index)+d32]
10 011     DS:[EBX+(scaled index)+d32]
10 100     SS:[ESP+(scaled index)+d32]
10 101     SS:[EBP+(scaled index)+d32]
10 110     DS:[ESI+(scaled index)+d32]
10 111     DS:[EDI+(scaled index)+d32]
NOTE: Mod field in mod r/m byte; ss, index, base fields in s-i-b byte.

ss    Scale Factor
00    x1
01    x2
10    x4
11    x8


index   Index Register
000     EAX
001     ECX
010     EDX
011     EBX
100     no index register*
101     EBP
110     ESI
111     EDI
* When index field is 100, indicating no index register, ss field must equal 00. If index is
100 and ss does not equal 00, the effective address is undefined.
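
The 32-bit mod r/m and s-i-b tables above can be exercised with a small decoder. The following C is an added example, not code from the book; the names decode_ea32 and struct ea32 are hypothetical, and it assumes 32-bit addressing with no segment-override prefix and, for mod = 11, a 32-bit data operation with w = 1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit general registers in reg / r-m / base / index order (000..111). */
static const char *REG32[8] = {"EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"};

struct ea32 {
    int     length;       /* addressing bytes consumed, or -1 if the buffer is too short */
    int     is_register;  /* mod = 11: r/m selects a register, not memory */
    int     undefined;    /* index = 100 with ss != 00 */
    int32_t disp;         /* displacement value (d8 is sign-extended) */
    char    text[40];     /* operand in the notation of the tables */
};

/* Decode the mod r/m byte at p[0], plus the s-i-b byte and displacement if
 * present, for an instruction that uses 32-bit addressing. */
struct ea32 decode_ea32(const uint8_t *p, size_t avail)
{
    struct ea32 r;
    memset(&r, 0, sizeof r);
    r.length = -1;
    if (avail < 1)
        return r;

    int mod = p[0] >> 6, rm = p[0] & 7;
    if (mod == 3) {                       /* 11 xxx: register operand */
        r.is_register = 1;
        r.length = 1;
        snprintf(r.text, sizeof r.text, "%s", REG32[rm]);
        return r;
    }

    int n = 1, base = rm, has_base = 1, index = -1, scale = 1;
    if (rm == 4) {                        /* r/m = 100: s-i-b byte follows */
        if (avail < 2)
            return r;
        int ss = p[1] >> 6, idx = (p[1] >> 3) & 7;
        base = p[1] & 7;
        n = 2;
        if (idx != 4) {                   /* index = 100 means no index register */
            index = idx;
            scale = 1 << ss;              /* ss 00,01,10,11 -> x1,x2,x4,x8 */
        } else if (ss != 0) {
            r.undefined = 1;              /* the footnote's undefined case */
        }
    }

    int dispsz = (mod == 1) ? 1 : (mod == 2) ? 4 : 0;
    if (mod == 0 && base == 5) {          /* mod 00 with r/m or base 101: d32, no base */
        has_base = 0;
        dispsz = 4;
    }
    if (avail < (size_t)(n + dispsz))
        return r;

    if (dispsz == 1)
        r.disp = (int8_t)p[n];
    else if (dispsz == 4)
        r.disp = (int32_t)((uint32_t)p[n] | (uint32_t)p[n + 1] << 8 |
                           (uint32_t)p[n + 2] << 16 | (uint32_t)p[n + 3] << 24);

    /* ESP- and EBP-based forms default to SS, everything else to DS. */
    const char *seg = (has_base && (base == 4 || base == 5)) ? "SS" : "DS";
    const char *sep = "";
    int len = snprintf(r.text, sizeof r.text, "%s:[", seg);
    if (has_base) {
        len += snprintf(r.text + len, sizeof r.text - len, "%s", REG32[base]);
        sep = "+";
    }
    if (index >= 0) {
        len += snprintf(r.text + len, sizeof r.text - len, "%s%s*%d", sep, REG32[index], scale);
        sep = "+";
    }
    if (dispsz)
        len += snprintf(r.text + len, sizeof r.text - len, "%sd%d", sep, dispsz * 8);
    snprintf(r.text + len, sizeof r.text - len, "]");
    r.length = n + dispsz;
    return r;
}

int main(void)
{
    /* Constructed sample byte strings, each starting at the mod r/m byte. */
    static const uint8_t samples[][6] = {
        {0x44, 0xB5, 0x10},                   /* 01 000 100, s-i-b 10 110 101, d8 */
        {0x05, 0x78, 0x56, 0x34, 0x12},       /* 00 000 101, d32 */
        {0x04, 0x64},                         /* s-i-b 01 100 100: undefined */
        {0xC3},                               /* 11 000 011: register */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ea32 r = decode_ea32(samples[i], sizeof samples[i]);
        printf("%-20s length=%d disp=%ld%s\n", r.text, r.length, (long)r.disp,
               r.undefined ? " (undefined)" : "");
    }
    return 0;
}
```

A length of -1 means the buffer ended before the s-i-b byte or displacement that the mod r/m byte calls for, which a disassembler should treat as a truncated instruction rather than read past the end.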

Encoding of 16-Bit Address Mode with mod r/m Byte

mod r/m   Effective Address
00 000    DS:[BX+SI]
00 001    DS:[BX+DI]
00 010    SS:[BP+SI]
00 011    SS:[BP+DI]
00 100    DS:[SI]
00 101    DS:[DI]
00 110    DS:[d16]
00 111    DS:[BX]

01 000    DS:[BX+SI+d8]
01 001    DS:[BX+DI+d8]
01 010    SS:[BP+SI+d8]
01 011    SS:[BP+DI+d8]
01 100    DS:[SI+d8]
01 101    DS:[DI+d8]
01 110    SS:[BP+d8]
01 111    DS:[BX+d8]

10 000    DS:[BX+SI+d16]
10 001    DS:[BX+DI+d16]
10 010    SS:[BP+SI+d16]
10 011    SS:[BP+DI+d16]
10 100    DS:[SI+d16]
10 101    DS:[DI+d16]
10 110    SS:[BP+d16]
10 111    DS:[BX+d16]

11 000    register; see below
11 001    register; see below
11 010    register; see below
11 011    register; see below
11 100    register; see below
11 101    register; see below
11 110    register; see below
11 111    register; see below


Encoding of 16-Bit Address Mode with mod r/m Byte

Register Specified by r/m During 16-Bit Data Operations

mod r/m   Function of w Field
          When w = 0    When w = 1
11 000    AL            AX
11 001    CL            CX
11 010    DL            DX
11 011    BL            BX
11 100    AH            SP
11 101    CH            BP
11 110    DH            SI
11 111    BH            DI

Encoding of 16-Bit Address Mode with mod r/m Byte

Register Specified by r/m During 32-Bit Data Operations

mod r/m   Function of w Field
          When w = 0    When w = 1
11 000    AL            EAX
11 001    CL            ECX
11 010    DL            EDX
11 011    BL            EBX
11 100    AH            ESP
11 101    CH            EBP
11 110    DH            ESI
11 111    BH            EDI

Encoding of operation direction (d) field


In many 2-operand instructions the d field indicates which operand is the source
and which is the destination, as shown in the following table.

Operation Direction Encoding

d    Direction of Operation
0    Register/Memory <- Register
     reg field indicates source operand; mod r/m or mod ss index base
     indicates destination operand
1    Register <- Register/Memory
     reg field indicates destination operand; mod r/m or mod ss index
     base indicates source operand

Encoding of sign extend (s) field


The s field occurs in instructions with immediate data fields. The s field has an
effect only if the size of the immediate data is 8 bits and is being placed in a 16-bit
or 32-bit destination. The following table shows s field encoding.


Sign Extend Encoding

s    Effect on Immediate Data 8            Effect on Immediate Data 16/32
0    None                                  None
1    Sign extend data 8 to fill            None
     16-bit or 32-bit destination

Encoding of conditional test (tttn) field


For the conditional instructions (conditional jumps and set on condition), tttn is
encoded with n indicating to use the condition (n = 0) or its negation (n = 1) and ttt
giving the condition to test. The following table shows encoding of the tttn field.

Conditional Test Encoding

Mnemonic   Condition                              tttn
O          Overflow                               0000
NO         No overflow                            0001
B/NAE      Below/not above or equal               0010
NB/AE      Not below/above or equal               0011
E/Z        Equal/zero                             0100
NE/NZ      Not equal/not zero                     0101
BE/NA      Below or equal/not above               0110
NBE/A      Not below or equal/above               0111
S          Sign                                   1000
NS         Not sign                               1001
P/PE       Parity/parity even                     1010
NP/PO      Not parity/parity odd                  1011
L/NGE      Less than/not greater or equal         1100
NL/GE      Not less than/greater or equal         1101
LE/NG      Less than or equal/greater than        1110
NLE/G      Not less or equal/greater than         1111

Encoding of control, debug, and test registers (eee) field


The eee field loads and stores the control, debug, and test registers.

Encoding of eee When Interpreted as Control Register Field

000    CR0
010    CR2
011    CR3
Do not use any other encoding.


Encoding of eee When Interpreted as Debug Register Field

000    DR0
001    DR1
010    DR2
011    DR3
110    DR6
111    DR7
Do not use any other encoding.

Encoding of eee When Interpreted as Test Register Field

110    TR6
111    TR7
Do not use any other encoding.

80387 Extensions
The table beginning on the following page shows 80387 extensions to the 80386
instruction set.

Instruction Encoding/Timing

[Table: 80387 instruction encodings and clock counts. Legible row labels: FLDZ - Load +0.0
into ST(0); FLD1 - Load +1.0 into ST(0); FLDL2T - Load log2(10) into ST(0); FLDL2E - Load
log2(e) into ST(0); FLDLG2 - Load log10(2) into ST(0); FSCALE - Scale ST(0) by ST(1);
FPREM1 - Partial remainder (IEEE); FRNDINT - Round ST(0) to integer; FABS - Absolute value
of ST(0); FCHS - Change sign of ST(0).]

Shaded areas indicate instructions that are not available in the 8087/80287.
NOTES
a. When loading single-precision or double-precision 0 from memory, add 5 clocks.
b. Add 3 clocks to the range when d = 1.
c. Add 1 clock to each range when R = 1.
d. Add 3 clocks to the range when d = 0.
e. typical = 52 (when d = 0, 46-54, typical = 49).
f. Add 1 clock to the range when R = 1.

h. Add 3 clocks to the range when d = 1.

j. These timings hold for operands in the range |x| < π/4. For operands not in this range, up
to 76 additional clocks may be needed to reduce the operand.

m. 0 < ST(0) < ∞, -∞ < ST(1) < +∞.
n. 0 < |ST(0)| < (2 - SQRT(2))/2, -∞ < ST(1) < +∞
Appendix E
INSTRUCTION DISASSEMBLY TABLE

The table in this appendix allows you to decode 80386 instructions. It presents the
same information as the opcode table in Appendix C but is easier to use.

The table has the following format:

[required byte(s)] [operand byte(s)] [instruction]

At least one of the required bytes is an 8-bit hexadecimal value, and additional bytes
may follow. The operand bytes have one of the following forms:

ea: The source and destination operands are encoded in the standard mod reg r/m
format described in Appendix D.

ea/N: The destination operand is encoded in the mod r/m portion of the ea field,
and the reg bits are set to N.

dataN: N bytes of immediate data follow the instruction.

-/n/reg: The standard mod reg r/m encoding is interpreted so that the mod bits
are ignored, the reg bits specify register n of a group (such as CR3), and the r/m bits
select a general 32-bit register.

dispN: A signed displacement (N bits in length) from the current instruction
pointer (EIP) follows the instruction.

The abbreviations Ea, Eb, Ew, and Ed stand for the effective address, byte, word,
and doubleword indicated by the ea bits in the instruction.

Instructions preceded by an asterisk (*) are 32-bit instructions that operate on 16-bit
quantities when preceded with the OPSIZ: instruction prefix. For real mode, V86
mode, and 286-compatible code segments, the behavior is reversed; that is, the
instructions operate on 16-bit operands unless preceded with the OPSIZ: prefix.


Instruction Disassembly Table

Bytes                                         Bytes
ADD Ib, reglj .0F 8Cdisp32 JLdisp32(JLIJNGE)
ADD Ed, reg32 .0F 8D disp32 JNrdisp32(JNIrcE)
ADD rc8,Eb ,0F8E disp32 Jr! disp32(JrllrN(;)
dDD regl2,!d '0I8Fdhp32 IIX disp32(JNLIj4CE)
ADDAT, dAIAS SETOUb
.0t.1dr!32 ADD EAX,d!u32 sEfNo !b
,06 PI]5II I.]S SETI]Eb(SIJ'I'B/SETNAE)
'07 POP!S 0F 93 ca surNtsEb(SI'iNIJ/SETAE)
08 ca Olt Eb, rc88 sril z ljb (sETzstlft)
Olt Ed, rcg32 0f 95 er SE'I'NZ Ib (SETNZ/5IJ'1NE)
OR fegti, Eb Oti(Xe. sETaritib (SETRE/slil\A)
ORreg32,Ed sETNRli!b (SETNBD/SI11)
0F 98 ca SITSEb
10Ddata32 oR IiAX, drtd32 (Ir 99 ca stlT\'s Eb
"0li PIJSI I CS srlP Eb(sETr,/sli't?E)
sLl)T Dw sli'tNPtb (SETNP/s[tPo)
51lt ]]w SETI, Iib (SITLISETNGI')
0f C\)cr/2 LLryt |w 0l:9t) cr $j rNLBb(sti INL/SETGE)
0l' 00 er/3 L-tR ltw 0I 9li cx sul tE lrb (sril t_,j/sltTNc)
VEItli liw sriINLEEb(sli'r'Nr.D/
oir00 cx/5 VIIRV liw 5'ilcE)
(JIr0l cr'/0 SGl)| lir PIJSII l{i
0l:01ca/l Sll)1 [a POPIS
0l 0l cn/2 I(lltl lln llT lid, rcg32
olj 0l cr/3 l,ll)l na SHLDt:d, rc!32,data8
0f 01 cnl,1 SMSV!w SHLDEd,rqt32,CL
0f 0l crl6 IMS\V Ii$, PLJSLI GS
. 0 F 0 2c . I- R reg32,Lw IOP GS
Lsl-reg32,liw llTS lil, rc832
0! 06 cns SHRDEd,rc832,.lxrl|tl
01j20-/n/r.! lilov cR., reg32 sHltD Ed,rcx32,cl
0I2l -/n/rc8 Mov DFq reg32 lMLiLreg32,ljd
oF 22 /nheg Mov rc832,cRn l.SSre832,!a
OF23 /nheg MOV rcg32,DRn r 0 F8 3 c r BTREd,rell3z
MoVTRn, rc832 LFSrc832,Ea
oir 26 -/nrcg MOVrc932,TRn .Oli 85 ea LGS.eg:12,lia
.0f 80 dhp32 lo dispj2 MOVZX reg32,!b
.0f 8l disp32 JNo.lisp32 MOVZ\ re&32,liw
'0F82 disp32 JB disp32(JB4NA|) BT !d, darail
'0F83 disp32 JNtsdispj2 (JNB/JAIj)
"0F8,1disp32 Jz tisp32 (JZf)E) tsTRFil, data8
,0Fil5disp32 Jh'Z disp32 (JNr7JNE) BTCEd,data8
.0F86disp32 JRBdisp32(JBrlNA) ' 0 F B B e a B'l c Ed, reg32
,oli87dhp32 JNBEdisp32 (JNBI/ ' 0 F B Cc a BSI reg32,!d
JA] '0I BD ea BSRfeg32,Ed
'0! il8.lisp32 JSdisp32 '01B! ea MOVSXrc332,Eb
.0F89dhp32 JNs <lisp32 MOVSXre!32, !v
.0F8Adisp32 JI, disp32(I,PE) ADC Eb,regs
.0FilR disp32 JNl, disp32 (JNPfPo) ADC ljd, reg32

ADCreg8,Eb rNctcx
. 1 3e a ADcre832,Id r42 INC EDX
INC EBX
i15 dara32 ADC !AX, dan32 .44 INC ESP
i16 PUSHSS .45 INC EBP
.17 l,ol ss '46 tNc Esl
18ca SDREb, re88 INC EDI
SBBEd, reg32 .18 Drc lrAx
ststsreg8, Eb ,19 DECECX
ststsfe832, Ed DIC EDX
lc dltaS SBDAL, datas DECE]]X
'lDdata32 SaBEAx, data32 '4C DECIiSI
.1ll I'USIIDS tlD DEC1]BI
.1I POPDS DlC 1]SI
AND Eb, reg8 .4f DECIiDI
AND td, rc32 .50 PUSHEAX
22 ca AND rcg8,Eb .51 PUSHECX
,23c) AND re832,Ed r52 PUSHI]DX
AND At, data8 '53 PUSII I]RX
'2t <l^t^32 AND EAX,data32 PUSLII]SP
26 ESI ,55 PUSII EI,}P
27 ,54 I'USII ESI
28ea SUBljb, rcSiJ '51 PUSHEDI
'29e sUB l,n, reg32 POPEAX
SUareA8,Eb "59 POPICX
r2B a^ SUB!eg32,Ed POPIJDX
2c datnli SUll A!, data8 .51] I OP EBX
'2D.lIa32 SUtsEAX,daul2 POPESP
2E CS: '5D POPEtsP
2t DAS 15E PO! DSI
xOR nb, regli "5F POPI]DI
XOREd, re832 I USIIAD
32 e^ XoR fegu, Db i6l POPAT)
,33ea XOR.e932,lld BOUNDre832,[a
34 drns xoR ,{t-, darail 63ea ARPLEw, rc816
'35 dat^32 xOR EAX,dan32 64 FS:
36 SS: 65 cs:
37 OPSIZI
3aea CMPEb, regS 61 ADRSIZ:
cMP Ed, !c932 .@ dat^32 PUSHdata32
CMl, reg8,Eb .69 eadxa32 IMUr re832,Ed,.lara32
CM? reg32,Ed PUSHdataS
3Cdatd CMPAL, dala8 IMUL reg32,Ed, data8
"3Dd^t^32 CMPEAx, dara32 6C INSB
3E DS: .6D INSD
3F 6E oulsB
INC EAX OUTSD

70 disp8 JOdisps i8B ca MOV re832,Ed
71disp8 INO disp8 8Ccals MOV Ew, veg
72 dispS .lB clisp8(lElJNAll) . 8Dea rEA rcgl2, L
JNB.lisp8(JNts/JAE)8Eets MOV src8, Ew
Jzdispa(JaJD 18Fea
75 disps JNz.lisps(JNzfNE) 90 NOP
JBlldisps(JRli4NA) i9l xcltc EAx, licx
JNBIidisp8(JNBtj/J ) .92 XCI1CEAX,EDX
Jsdisp8 .93 XCTIGEAX, EtsX
7t displ.] JNs.lisp8 '94 XCFIGI]r\X, ESP
Jr clhps(JPIIE) '95 XCHG EA\ IIJP
JNr dispeUNldl,o) "'6 XCHGEAX,I]SI
Tcdisp8 JLdispu(.llrNc!) .97 XCHGEAX,EDI
7l)disp8 JNLdisps(JNL4cx) .98 cBv// clr'DE
JLlidisps(.lLEllNc) 99 c-!(D
JNLEdisp8(JNLE/Jcli) 9]\ oifset32 CArl,offsct32
,\DD Eb,dara8 98 \fr\IT
Olt !b, datx8 '9C PUSTIFD
.9D POP]ID
SBIIlib, &talJ 'E SAIIII
,{ND lib, drta8 9r I,AIII:
SUII[b, dxta8 MOv AI-,ldisp]
XOlt Eb, d2rn8 MOVnAX, klispl
CMI)Eb,darr8 MOVldispl,AL
AI)D Ed,data32 MOVldhpl,llAX
OR ril, datN32 MOV$]l
ADC f.il, drn32 .A5 MOVSD
sDBEd,dxu32 A6 CMPSR
AND Ed,data32 CMPSD
SURDd,data32 'I' lgt
AL, data8
. 8 1 e a / 6 d a r a 3 2 XORtkl, dara3z ' A9.tar^32 1lST EAx, da1a32
'81 c., dNr$2 cMP Ed,.lata32 STOSA
.,\lJ STOSD
OREd,dr1a8 LODSB
ADc Ed,d a8 LODST)
SBRE l, .lara8 scAsu
AND lld, dara{l scAsD
sUB Ed, data8 B0 da!i8 MOV ,\r, dara8
XOREcl,dataS Br d2a8 MOV CL .lata8
CMPEd,datas 82.lara8 Mov DL, data8
'I
IjST Eb, fc88 B3 dataS MOV BL, data8
TtS I Ed,reg32
XCIIC Eb, reg8 85 datas MOVCH,data8
XCHC !d, reg32 ts6dda8 MOV DH, dara8
MOV Eb, .c88 87 dari8 MOV BH, daraS
MOv Ed, reg32 ! Ba data32 MOV EAX, data32
MOV reg8, Eb ' 89 data32 MOV EC( data32

!BA daa32 MOv EDX, data32 .Dle^n SAREd, 1
.BBdaa32 MOv EB)q data3z D2e /O ROI Eb, CL
.Be daa32 Mov EsP,dita3z D2ea/1 ROREb, CL
.BDdata32 MOV EBB data32 D2ea/2 RCLEb, C!
rBEdara32 MOV ESI,dara32 Dze/a RCREb, CL
rBF data32 MOV EDI, data32 DZea/4 sHL Eb,Cl
c0 ealo data8 ROLEb, data8 DZe /5 SHREb,CT
c0 eall dalaS ROREb, daa8 DZean SAREb, CL
C0 e^/2 dxr^8 RCl,Eb, data8 'D3 e^10 RO! Ed, CL
C0 e^/3 d^r^8 RcREb, dataS iD3 e^lr ROREd, CL
COe2/4 d^^A SHr Eb, dataS tD3ea/z RCLEd, CL
co ea./sd^a8 SHREb,data8 RCREd, CI,
c0 et7 datas SAREb, d1ta8 ,D3 ea/4 sHL Ed, Cl,
.CLealod^aA ROl,Ed, dataS .D3 ea/s SHREd,CL
.Cleal1data8 ROREd, dat.8 .D3 e /7 SAREd, CL
.C1e /2 dx^A RcL Ed, data8 D4
.ct e /3 d^taa RCR!d, data8 D5 AAD
'cl e /4 dar^8 SHLEd, dara8 D7 )OAI
'C't e /5 da6A SHREd,data8 D8 ESC0 (NDP)
'Cl eal1 dataa SAREd, data8 D9 ESC1 (NDP)
C2dara16 RETdara16 DA ESC2 (NDP)
RET DB ESC3 (NDP)
LESre832,Ed DC ESC4 NDP)
,C5e IDS reg32,Ed DD ESC5 WDP)
c6 adataS MOv reg8,dataS DE ESC6 NDP)
Mo\ rc932,d^t^32 DF ESC7 NDP)
C8dara16 data8 ENTERdata16,data8 E0dispS LOOPNBdhp8
LEAYE OOOPNE/,I,OOPNZ)
cAdatal6 RETFdatal6 El dtspS LOOPEdtsp8
CB RETT (LOOPE/LOOPZ)
cc INT 3 E2dispS IOOP dtspS
CD d*a8 INTdata8 E3dispS JcxZdtspS
CE INTO E4 dltl8 IN AL, dataS
CF IRET iE data8 tN EAx, dara8
D0 ea/o ROt Eb, 1 E6 dataS OUT dara8,AL
D0 eal1 ROREb, 1 ouT dara8,EAX
D0 ea/z RCLEb, I rE8 e$2 CALLea32
Do ea./3 RCREb, 1 E9disp3z JMPdisp3z
lxe /4 SHLEb, 1 .EA ea48 JMPFARea48
IX ea/5 SHREb, 1 EBdisp8 JMPdisp8
DOekn SAREb, 1 EC IN AL, DX
.D1ea/0 ROLEd, 1 iBD IN EAX,DX
tDl eaJL ROREd, 1 EE OUT DX, AL
'Dl ea!2 RCr Ed, 1 "EF OUT DX, E,{X
.D7 e /a RCREd, 1 !! LOCX
.Dlea./4 SHI,Ed, 1 E2 REPNE/,REPNZ
"DL e2/5 SHREd, 1 F3 RNP/REPE/lREPZ

HII !8 cLc
!5 cMc
'l
1,9 sTc
LiSl Ib, data8 cLt
16 ea/2 NOT!b !B sTl
NI]GEb CLD
MIiL AL, Eb ID S-I'D
IMUI AL, Eb INC I]b
Dlv ,|.r, tib DECEb
IDIVAI-,I]h INC Ed
-lliSTlid, DECEd
dara32
NOT Ed C,\LL td
NEGEd CALI,Ii\RCA
MUI EAX,Ed JMPEd
IMULEAX,!d "|1. ct5
DIV E X, Ed ?IJSIJKI
I D I VI J A XI,i d

80387 Extensions (NDP Escapes)

Bytes                                         Bytes
lr8 crlo E{DI) Iienlr2 D9 DO IINOP
D8crvl IiMULlteal32 D9rio IICIIS
D8en/2 I'COMRcal32 D9 til FAI]S
D8cd3 ICOMPRcal32 D9 E.4 !'TS1'
D8 a!/4 FSIIBRerl32 D9 E5 IX{M
D8 e/5 FSUBR Real32 D9 D8 II,D]
FDIVIteil32 tD ii9 FLDI,2T
lDM Rcrl32 D9 UA FTDL2E
D8Co+i IADD Sf, ST(i) D9 EI] FLDPI
D8C8+i fN'tu.sT,sT(i) D9 EC I]IDG2
D8 Do+i FCOM STST(D D9 ED IIDN2
D8 D8+i FCOMPST,ST(i) D9 Etr t \.Dz
DI] EO+i FSUtsST,ST(i) D9 FA f2xM1
DUE8+i rsuaR sll sr(D D9 FI !YL2X
l:Drvstl s](i) D9 F2 IPTAN
DS la+i FDIVR ST,5T(O D9 F3
D9.a/O FtD Rerl32 D9 F4 !](,I'RACT
D9 aa/2 FSTReal32 D9 F5 IJPRI]M1
D9 e,/3 FSTPReal32 D9 F6 IDNCSTP
FLDENVEa D9 F/ I]INCSTP
D9 ex/5 FLDCWEw D9IB FPREM
Fli l ENv !a D9 T9 FYI''PI
D9 cal7 l-STCwF-w D9IA FSQRI'
D9 C0+i FLD ST(i) D9IB fslNcos
D9 C8+i FXCHST(i) D9 TC FRNDINT

D9 FD FSCALE DD ea,t2 FSTReal64
D9IE FSIN DD ea/3 FSTPReal64
D9 FF FCOS DD s/4 F&STOR!a
IIADD Ind(t DD eal6 FSAVEEa
IlMUl,lntlo DD ean FSTSVEw
DA ealz FICoM Irt16 DDCo+i TIRDE ST(i)
DAe /3 FICOMPlnt16 DD DO+i TSTST(i)
DA.ea/4 FISUDInt16 DD D8+i ISTP ST(i)
DAd/5 t-IsUBRIntlo DD EO+i FUCOMSTC)
FlDIvlntlO DD I]8+i FUCOMPST(i)
DA ean FIDII'R Inr16 DE eto FIADD Int32
DA E9 FUCOMPP DE eall FIMULInt32
DB ealo FILDInt16 DB e^/2 i_ICOMlnt32
DB ea/2 FISTIntl6 DE e^/3 FICOMPIn62
DB ea,/3 !lsTP Int16 DEe /4 IISUB Int32
ILD Real8o DE ea/5 IISUBRInI32
Dtsea/6 ISTP Real8o D Ee J 6 IIDIvlnt32
DB E2 FCLEX DEe /7 IIDIVR Int32
DB E3 FINIT DE Co+i FADDPST(D,ST
DC e^/O FADD Real64 DE C8+i FMULPST(i),ST
DCe /1 FMUI,Real64 D]I D9 FCOMPP
DCe /2 FCoM Real& DE EO+i FSUBRPST(i),ST
Dce /3 FCOMPReal64 DE E8+i rSuBP ST(i),ST
DCe /4 FSIIB Real64 DE FO+i IDI\TP ST(t),ST
DC e^/5 ISL]BRReal54 DE F8+i FDIW ST(I),ST
Dc e^/6 IDIV Real64 DI eal0 llLD Int32
DC ea/7 FDIVRRed64 D\1e.Jz IISTI.t32
DC Co+i txDD sT(t),sT DFe /3 IISTP Int32
DC C8+i FMUTSTO,ST DFe /4 rBlD Bcd80
DC Eo+i FSUBR STO,ST DF eal5 FIID Int64
DC E8+i FSUBST(i),ST DFe /O FaSTPBcd80
DCro+i FIDI\'RST(I),ST FISTPlnt64
DC F8+i !DMT(), ST D! n0 FSTS!(AX
DD ealo IID Realtr

Appendix F
8086-FAMILY PROCESSOR DIFFERENCES

Although the 8086, 80286, and 80386 are object-code compatible, minor differences
have arisen during the evolution of this microprocessor family. This appendix
describes these differences.

Real-Mode Differences
Between the 8086 and the 80386

The 8086 processor does not generate exceptions 6, 8-13, and 16.

Instructions execute more rapidly on the 80386; in most cases, address decode time

On the 80386, the divide fault (INT 0) leaves the saved CS:EIP pointing to the faulting
instruction. On the 8086, the value of CS:IP on the stack points to the instruction
after the one that caused the fault.

Opcodes that were not explicitly defined on the 8086 are interpreted as new
instructions or cause the undefined opcode fault (INT 6) when executed on the
80386.

When the PUSH SP instruction is executed, the value on the stack of the 80386 is
the preincremented value, where the value pushed on the 8086 is the postincremented
value of SP. If it is necessary to recreate the same stack value, use the following
sequence of instructions on the 80386 in place of PUSH SP.

    PUSH  BP
    MOV   BP, SP
    XCHG  BP, [BP]

The count value for shift and rotate instructions is taken modulo 32 in the 80386.
The full value (up to 255) is used on the 8086, which can result in long instruction

An instruction (including prefixes) cannot exceed 15 bytes on the 80386. If it does,
a general protection fault occurs. This does not occur under normal circumstances
but might occur if you use multiple redundant prefixes. The 8086 has no such

Operands cannot extend across the segment bounds on the 80386. If, for example,
an instruction refers to a 16-bit operand at offset 65535, a general protection fault
occurs. If the stack pointer is set to low memory (offset 2) and a 32-bit value is
pushed, a stack fault occurs. In the 8086, addresses wrap around the segment
boundary and are continuous from 65535 to 0. Instruction execution behaves like

On the 80386, you can use the LOCK instruction only with certain instructions;
otherwise, an undefined opcode fault occurs. See Chapter 8 for a list of the legal
r:on' lh( irr\i h/. n! 5(r(lL
In\lrr.L redrl.lion!
Sometimes the 8086 hangs while single-stepping. The 80386 does not hang because
the interrupt priorities on the 80386 are slightly different. This prevents a
single-step trap from occurring until the handler returns if a hardware interrupt is invoked.

The 8086 generates a divide fault if the quotient of an IDIV instruction is the largest
possible negative number. The 80386 generates the correct result. See the earlier
discussion of the divide fault in this appendix.

When the content of the FLAGS register is pushed onto the stack, bits 12-15 are
always 1s on the 8086. These bits represent new flags on the 80386.

The NMI interrupt masks all subsequent NMIs on the 80386 until an IRET is
executed. NMIs are not masked on the 8086.

The 80386 uses INT 16 as the coprocessor error vector. On the 8086, the system
hardware must be programmed to generate an interrupt vector, and it can be any

When an NDP exception occurs on an 80386, the saved CS:EIP points to the faulting
instruction, including any prefixes that might be part of the instruction. On the
8086, the saved CS:IP points only to the ESC portion of the faulting NDP instruction.

Additional interrupts can occur on the 80386 if the program contains undetected
bugs, such as the use of unimplemented opcodes or addressing beyond segment

The 8086 is limited to 1 MB of address space by having 20 physical hardware
address lines. Using selectors such as FFFFH can result in linear addresses beyond 1
MB, but because there are only 20 address lines, the addresses wrap around to 0.


Because there are 32 address lines on the 80386, addresses greater than 1 MB can be
generated in real mode (up to 10FFEFH). If system software depends on the ability
to wrap around to 0 after 1 MB, hardware must be added to the system to force
address line 21 to 0 in real mode.

Virtual 8086-Mode Differences Between the
8086 and the 80386

All the previously listed differences also apply to V86 mode on the 80386 in
comparison to real mode on the 8086. Following are some additional differences.

I/O instructions in V86 mode are allowed only if the I/O permission bitmap for the
V86 mode task is set up.

All exceptions (hardware and software interrupts) vector to the protected-mode
IDT entries rather than through the real-mode interrupt mechanism. The
protected-mode handlers must simulate the real-mode vector process when appropriate.

Differences Between the 80286 and the 80386

As implemented on the 80286, the LOCK prefix caused memory to be locked during
the prefixed instruction. On the 80386, only the memory accessed by the prefixed
instruction is locked.

On RESET, any of the registers which contained undefined values on the 80286 may
contain different values on the 80386.

Differences Between the 8087 and the 80387

Errors are signalled via a dedicated hardware pin on the 80387 instead of the
standard CPU interrupt mechanism. The 80386 responds to coprocessor errors via
interrupts 7, 9, and 16 instead of an external hardware interrupt.

The format of the error information in the 80387 environment varies depending on
whether the processor is in real mode or in protected mode. The 8087 only supports
real-mode information.

The instructions FENI/FDISI are no-ops on the 80387.

The 8087 does not perform automatic normalization of denormalized reals. Instead,
it signals a denormal exception and relies on the application to perform this
operation. The 80387 will normalize these values and might execute faster if the
denormal exception is masked when running 8087 programs.

The 8087 requires explicit WAIT instructions before each floating-point instruction
to synchronize with the 8086. The 80386 and the 80387 perform automatic
synchronization. The WAIT instructions are unnecessary, but they will not cause the
program to operate incorrectly.


Differences Between the 80287 and the 80387

The FSETPM instruction is treated as a no-op on the 80387.

The 80287 supports both affine and projective closure. Only affine closure is
supported on the 80387. Programs that rely on projective closure may generate
different results on the 80387 than they did on the 80287.

ROSS P. NELSON

Ross Nelson has several years of programming experience, all with Intel microprocessors. After earning his B.S. in computer science from Montana State University, he joined Intel Corporation in 1979. There he worked on the development of the 80286 and was an adviser in the early stages of the 80386 chip's development. He is currently the manager of software engineering at Answer Software, which produces software development tools for the PC and a database line for the Macintosh. Nelson has written for BYTE and Dr. Dobb's Journal. His article on programming the 80386 was chosen as the lead feature for Dr. Dobb's Journal in 1986.

The manuscript for this book was prepared and submitted to Microsoft Press in electronic form. Text files were processed and formatted using Microsoft Word.
Cover design by Hornall Anderson Design Works
Interior text design by Darcie S. Furlan
Illustrations by Becky Geisler-Johnson
Principal typography by Lisa G. Iversen
Text composition by Microsoft Press in Garamond with display in Helvetica Black, using the Magna composition system and the Linotronic 300 laser imagesetter.
Here is a clear, comprehensive, and authoritative introduction to the chip that is the foundation of today's popular, high-powered microcomputers. Written for every serious programmer, THE 80386 BOOK includes scores of superb assembly language examples along with a detailed analysis of the chip itself. Ross Nelson, a former Intel programmer, covers:
• the CPU: its organization, registers, and 80287 and 80387 math coprocessors
• the memory architecture: linear vs. segmented addressing, virtual address space, segment descriptors, selectors, and virtual memory
• the instruction sets of the 80386 microprocessor and the 80387 math coprocessor
• the 80386 protection scheme: global descriptor and interrupt descriptor tables; selectors; segment and system descriptors; interrupts, traps, and faults; and debug support
• the implementation of a virtual memory system through paging
• compatibility with previous generations of Intel microprocessors
Of special importance is the comprehensive, clearly organized instruction set reference that will be a valuable resource for 80386 programmers. Every assembly-language programmer, microprocessor design engineer, and student of computer architecture will find THE 80386 BOOK an excellent reference.

ISBN 1-55615-138-1

U.S.A. $24.95
U.K. £22.95
Austral. $37.35 [recommended]
