# Table of Contents

## CHAPTER 1
### INTRODUCTION TO iAPX 286
- General Attributes .................................................. 1-1
- Modes of Operation ................................................. 1-2
- Advanced Features .................................................. 1-2
- Memory Management .............................................. 1-2
- Task Management ................................................... 1-3
- Protection Mechanisms ........................................... 1-3
- Support for Operating Systems ................................. 1-4
- Organization of This Manual ................................... 1-4

## CHAPTER 2
### iAPX 286 BASE ARCHITECTURE
- Memory Organization and Segmentation ..................... 2-1
- Data Types ............................................................. 2-1
- Registers .................................................................. 2-6
  - General Registers .................................................. 2-6
  - Memory Segmentation and Segment Registers ............. 2-7
  - Index, Pointer, and Base Registers ........................... 2-10
- Status and Control Registers .................................... 2-14
- Addressing Modes .................................................. 2-15
  - Operands ................................................................ 2-16
  - Register and Immediate Modes ................................. 2-17
  - Memory Addressing Modes ..................................... 2-17
    - Segment Selection ............................................ 2-17
    - Offset Computation ......................................... 2-19
    - Memory Mode .................................................. 2-20
- Input/Output .......................................................... 2-22
- I/O Address Space .................................................. 2-22
- Memory-Mapped I/O ................................................ 2-23
- Interrupts and Exceptions ....................................... 2-23
- Hierarchy of Instruction Sets ..................................... 2-24

## CHAPTER 3
### BASIC INSTRUCTION SET
- Data Movement Instructions ...................................... 3-1
  - General-Purpose Data Movement Instructions .......... 3-1
  - Stack Manipulation Instructions ............................ 3-1
- Flag Operation with the Basic Instruction Set .............. 3-5
  - Status Flags ....................................................... 3-5
  - Control Flags ..................................................... 3-5
- Arithmetic Instructions .......................................... 3-6
  - Addition Instructions .......................................... 3-7
  - Subtraction Instructions ....................................... 3-7
  - Multiplication Instructions .................................... 3-8
  - Division Instructions .......................................... 3-9
- Logical Instructions .............................................. 3-10
  - Boolean Operation Instructions .............................. 3-10
  - Shift and Rotate Instructions ................................ 3-10
  - Shift Instructions .............................................. 3-11
  - Rotate Instructions ............................................ 3-13
- Type Conversion and No-Operation Instructions .......... 3-17
- Test and Compare Instructions ................................. 3-17
# Table of Contents (cont.)

<table>
<thead>
<tr>
<th>Section</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>Control Transfer Instructions</td>
<td>3-17</td>
</tr>
<tr>
<td>Unconditional Transfer Instructions</td>
<td>3-18</td>
</tr>
<tr>
<td>Jump Instruction</td>
<td>3-18</td>
</tr>
<tr>
<td>Call Instruction</td>
<td>3-20</td>
</tr>
<tr>
<td>Return and Return From Interrupt Instruction</td>
<td>3-20</td>
</tr>
<tr>
<td>Conditional Transfer Instructions</td>
<td>3-21</td>
</tr>
<tr>
<td>Conditional Jump Instructions</td>
<td>3-21</td>
</tr>
<tr>
<td>Loop Instructions</td>
<td>3-21</td>
</tr>
<tr>
<td>Executing a Loop or Repeat Zero Times</td>
<td>3-22</td>
</tr>
<tr>
<td>Software-Generated Interrupts</td>
<td>3-23</td>
</tr>
<tr>
<td>Software Interrupt Instruction</td>
<td>3-23</td>
</tr>
<tr>
<td>Character Translation and String Instructions</td>
<td>3-23</td>
</tr>
<tr>
<td>Translate Instruction</td>
<td>3-23</td>
</tr>
<tr>
<td>String Manipulation Instructions and Repeat Prefixes</td>
<td>3-23</td>
</tr>
<tr>
<td>String Movement Instructions</td>
<td>3-24</td>
</tr>
<tr>
<td>Other String Operations</td>
<td>3-25</td>
</tr>
<tr>
<td>Address Manipulation Instructions</td>
<td>3-25</td>
</tr>
<tr>
<td>Flag Control Instructions</td>
<td>3-26</td>
</tr>
<tr>
<td>Carry Flag Control Instructions</td>
<td>3-26</td>
</tr>
<tr>
<td>Direction Flag Control Instructions</td>
<td>3-26</td>
</tr>
<tr>
<td>Flag Transfer Instructions</td>
<td>3-27</td>
</tr>
<tr>
<td>Binary-Coded Decimal Arithmetic Instructions</td>
<td>3-27</td>
</tr>
<tr>
<td>Packed BCD Adjustment Instructions</td>
<td>3-28</td>
</tr>
<tr>
<td>Unpacked BCD Adjustment Instructions</td>
<td>3-28</td>
</tr>
<tr>
<td>Trusted Instructions</td>
<td>3-29</td>
</tr>
<tr>
<td>Trusted and Privileged Instructions on POPF and IRET</td>
<td>3-29</td>
</tr>
<tr>
<td>Machine State Instructions</td>
<td>3-29</td>
</tr>
<tr>
<td>Input and Output Instructions</td>
<td>3-29</td>
</tr>
<tr>
<td>Processor Extension Instructions</td>
<td>3-30</td>
</tr>
<tr>
<td>Processor Extension Synchronization Instructions</td>
<td>3-30</td>
</tr>
<tr>
<td>Numeric Data Processor Instructions</td>
<td>3-31</td>
</tr>
<tr>
<td>Arithmetic Instructions</td>
<td>3-31</td>
</tr>
<tr>
<td>Comparison Instructions</td>
<td>3-31</td>
</tr>
<tr>
<td>Transcendental Instructions</td>
<td>3-31</td>
</tr>
<tr>
<td>Data Transfer Instructions</td>
<td>3-31</td>
</tr>
<tr>
<td>Constant Instructions</td>
<td>3-31</td>
</tr>
</tbody>
</table>

## CHAPTER 4
### EXTENDED INSTRUCTION SET
- Block I/O Instructions                                                 | 4-1 |
- High-Level Instructions                                                | 4-2 |

## CHAPTER 5
### REAL ADDRESS MODE
- Addressing and Segmentation                                            | 5-1 |
- Interrupt Handling                                                      | 5-3 |
- Interrupt Vector Table                                                 | 5-3 |
- Interrupt Priorities                                                    | 5-4 |
- Interrupt Procedures                                                    | 5-4 |
- Reserved and Dedicated Interrupt Vectors                                | 5-5 |
- System Initialization                                                   | 5-7 |
Table of Contents (cont.)

CHAPTER 6
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING
- Memory Management Overview ................................................................. 6-1
- Virtual Addresses .......................................................................................... 6-2
- Descriptor Tables ............................................................................................ 6-4
- Virtual-to-Physical Address Translation ........................................................ 6-6
- Segments and Segment Descriptors ............................................................... 6-7
- Memory Management Registers .................................................................... 6-8
- Segment Address Translation Registers ....................................................... 6-9
- System Address Registers ............................................................................. 6-11

CHAPTER 7
PROTECTION
- Introduction ..................................................................................................... 7-1
- Types of Protection ........................................................................................ 7-1
- Protection Implementation ............................................................................. 7-2
- Memory Management and Protection .......................................................... 7-4
- Separation of Address Spaces ...................................................................... 7-5
- LDT and GDT Access Checks ....................................................................... 7-5
- Type Validation ............................................................................................... 7-8
- Privilege Levels and Protection ................................................................... 7-8
- Example of Using Four Privilege Levels ...................................................... 7-8
- Privilege Usage .............................................................................................. 7-10
- Segment Descriptor ....................................................................................... 7-10
- Data Accesses ............................................................................................... 7-12
- Code Segment Access .................................................................................. 7-13
- Data Access Restriction by Privilege Level ................................................. 7-14
- Pointer Privilege Stamping via ARPL ......................................................... 7-14
- Control Transfers .......................................................................................... 7-15
- Gates ............................................................................................................. 7-16
- Call Gates ..................................................................................................... 7-17
- Intra-Level Transfers via Call Gate ............................................................... 7-18
- Inter-Level Control Transfer via Call Gates ................................................ 7-19
- Stack Changes Caused by Call Gates ............................................................ 7-20
- Inter-Level Returns ....................................................................................... 7-20

CHAPTER 8
TASKS AND STATE TRANSITIONS
- Introduction .................................................................................................... 8-1
- Task State Segments and Descriptors ......................................................... 8-1
- Task State Segment Descriptors .................................................................. 8-3
- Task Switching ............................................................................................. 8-4
- Task Linking ................................................................................................. 8-6
- Task Gates ................................................................................................... 8-8

CHAPTER 9
INTERRUPTS AND EXCEPTIONS
- Interrupt Descriptor Table ........................................................................... 9-1
- Hardware Initiated Interrupts ......................................................................... 9-2
- Software Initiated Interrupts .......................................................................... 9-3
- Interrupt Gates and Trap Gates ................................................................... 9-3
- Task Gates and Interrupt Tasks .................................................................... 9-7
Table of Contents (cont.)

<table>
<thead>
<tr>
<th>Topic</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>Scheduling Considerations</td>
<td>9-8</td>
</tr>
<tr>
<td>Deciding Between Task, Trap, and Interrupt Gates</td>
<td>9-8</td>
</tr>
<tr>
<td>Protection Exceptions and Reserved Vectors</td>
<td>9-9</td>
</tr>
<tr>
<td>Invalid OP-Code (Interrupt 6)</td>
<td>9-10</td>
</tr>
<tr>
<td>Double Fault (Interrupt 8)</td>
<td>9-10</td>
</tr>
<tr>
<td>Processor Extension Segment Overrun (Interrupt 9)</td>
<td>9-10</td>
</tr>
<tr>
<td>Invalid Task State Segment (Interrupt 10)</td>
<td>9-11</td>
</tr>
<tr>
<td>Not Present (Interrupt 11)</td>
<td>9-11</td>
</tr>
<tr>
<td>Stack Fault (Interrupt 12)</td>
<td>9-12</td>
</tr>
<tr>
<td>General Protection Fault (Interrupt 13)</td>
<td>9-12</td>
</tr>
<tr>
<td>Additional Exceptions and Interrupts</td>
<td>9-13</td>
</tr>
<tr>
<td>Single Step Interrupt (Interrupt 1)</td>
<td>9-13</td>
</tr>
</tbody>
</table>

CHAPTER 10
SYSTEM CONTROL AND INITIALIZATION

<table>
<thead>
<tr>
<th>Topic</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>System Flags and Registers</td>
<td>10-1</td>
</tr>
<tr>
<td>Descriptor Table Registers</td>
<td>10-1</td>
</tr>
<tr>
<td>System Control Instructions</td>
<td>10-3</td>
</tr>
<tr>
<td>Machine Status Word</td>
<td>10-4</td>
</tr>
<tr>
<td>Other Instructions</td>
<td>10-4</td>
</tr>
<tr>
<td>Privileged and Trusted Instructions</td>
<td>10-4</td>
</tr>
<tr>
<td>Initialization</td>
<td>10-5</td>
</tr>
<tr>
<td>Real Address Mode</td>
<td>10-6</td>
</tr>
<tr>
<td>Protected Mode</td>
<td>10-6</td>
</tr>
</tbody>
</table>

CHAPTER 11
ADVANCED TOPICS

<table>
<thead>
<tr>
<th>Topic</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>Virtual Memory Management</td>
<td>11-1</td>
</tr>
<tr>
<td>Special Segment Attributes</td>
<td>11-1</td>
</tr>
<tr>
<td>Conforming Code Segments</td>
<td>11-1</td>
</tr>
<tr>
<td>Expand-Down Data Segments</td>
<td>11-2</td>
</tr>
<tr>
<td>Pointer Validation</td>
<td>11-2</td>
</tr>
<tr>
<td>Descriptor Validation</td>
<td>11-3</td>
</tr>
<tr>
<td>Pointer Integrity: RPL and The &quot;Trojan Horse Problem&quot;</td>
<td>11-4</td>
</tr>
<tr>
<td>NPX Context Switching</td>
<td>11-4</td>
</tr>
<tr>
<td>Multiprocessor Considerations</td>
<td>11-5</td>
</tr>
</tbody>
</table>

APPENDIX A
iAPX 286 SYSTEM INITIALIZATION

APPENDIX B
THE iAPX 286 INSTRUCTION SET

APPENDIX C
iAPX 286/10

APPENDIX D
iAPX 86/88 SOFTWARE COMPATIBILITY CONSIDERATIONS
Introduction To
iAPX 286
CHAPTER 1
INTRODUCTION TO iAPX 286

The iAPX 286 is the most powerful processor in the iAPX 86 series of microprocessors, which includes the iAPX 86 (8086), the iAPX 88 (8088), the iAPX 186 (80186), and now the iAPX 286 (80286). It is designed for applications that require very high performance. It is also an excellent choice for sophisticated “high end” applications that will benefit from its advanced architectural features: memory management, protection mechanisms, task management, and virtual memory support. The iAPX 286 provides, on a single VLSI chip, computational and architectural characteristics normally associated with much larger minicomputers.

Sections 1.1, 1.2, and 1.3 provide an overview of the iAPX 286 architecture. Because the iAPX 286 represents a revolutionary extension of the iAPX 86 architecture, some of this overview material may be new and unfamiliar to previous users of the iAPX 86 and similar microprocessors. But the iAPX 286 is also an evolutionary development, with the new architecture superimposed upon the industry standard iAPX 86 in such a way as to affect only the design and programming of operating systems and other such system software. Section 1.4 provides a guide to the organization of this manual, suggesting which chapters are relevant to the needs of particular readers.

1.1 GENERAL ATTRIBUTES

The iAPX 286 base architecture was designed to support programming in high-level languages, such as Pascal or PL/M. The register set and instructions are well suited to compiler-generated code. The addressing modes (see section 2.6.3) allow efficient addressing of complex data structures, such as static and dynamic arrays, records, and arrays within records, which are commonly supported by high-level languages. The data types supported by the architecture include, along with bytes and words, high level language constructs such as strings, BCD, and floating point.

The memory architecture of the iAPX 286 was designed to support modular programming techniques. Memory is divided into segments, which may be of arbitrary size, that can be used to contain procedures and data structures. Segmentation has several advantages over more conventional linear memory architectures. It supports structured software, since segments can contain meaningful program units and data, and more compact code, since references within a segment can be shorter (and locality of reference usually...
insures that the next few references will be within the same segment). Segmentation also lends itself to efficient implementation of sophisticated memory management, virtual memory, and memory protection.

In addition, new instructions have been added to the base architecture to give hardware support for procedure invocations, parameter passing, and array bounds checking.

1.2 MODES OF OPERATION
The iAPX 286 can be operated in either of two different modes: Real Address Mode or Protected Virtual Address Mode (also referred to as Protected Mode). In either mode of operation, the iAPX 286 represents an upwardly compatible addition to the iAPX 86 family of processors.

In Real Address Mode, the iAPX 286 operates essentially as a very high-performance iAPX 86 (8086). Programs written for the iAPX 86 or the iAPX 186 can be executed in this mode without any modification (the few exceptions are described in Appendix D, "Compatibility Considerations"). Such upward compatibility extends even to the object code level; for example, an 8086 program stored in read-only memory will execute successfully in iAPX 286 Real Address Mode. An iAPX 286 operating in Real Address Mode provides a number of instructions not found on the iAPX 86. These additional instructions, also present with the iAPX 186, allow for efficient subroutine linkage, parameter validation, index calculations, and block I/O transfers.

The advanced architectural features and full capabilities of the iAPX 286 are realized in its native Protected Mode. Among these features are sophisticated mechanisms to support data protection, system integrity, task concurrency, and memory management, including virtual storage. Nevertheless, even in Protected Mode, the iAPX 286 remains upwardly compatible with most iAPX 86 and iAPX 186 application programs. Most iAPX 86 applications programs can be re-compiled or re-assembled and executed on the iAPX 286 in Protected Mode.

1.3 ADVANCED FEATURES
The architectural features described in section 1.1 are common to both operating modes of the processor. In addition to these common features, Protected Mode provides a number of advanced features, including a greatly extended physical and logical address space, new instructions, and support for additional hardware-recognized data structures. The Protected Mode iAPX 286 includes a sophisticated memory management and multilevel protection mechanism. Full hardware support is included for multitasking and task switching operations.

1.3.1 Memory Management
The memory architecture of the Protected Mode iAPX 286 represents a significant advance over that of the iAPX 86. The physical address space has been increased from 1 megabyte to 16 megabytes (2^24 bytes), while the virtual address space (i.e., the address space visible to a program) has been increased from 1 megabyte to 1 gigabyte (2^30 bytes). Moreover, separate virtual address spaces are provided for each task in a multitasking system (see section 1.3.2, "Task Management").

The iAPX 286 supports on-chip memory management instead of relying on an external memory management unit. The one-chip solution is preferable because no software is required to manage an external memory management unit, performance is much better, and hardware designs are significantly simpler.
Mechanisms have been included in the iAPX 286 architecture to allow the efficient implementation of virtual memory systems. (In virtual memory systems, the user regards the combination of main and external storage as a single large memory. The user can write large programs without worrying about the physical memory limitations of the system. To accomplish this, the operating system places some of the user programs and data in external storage and brings them into main memory only as they are needed.) All instructions that can cause a segment-not-present fault are fully restartable. Thus, a not-present segment can be loaded from external storage, and the task can be restarted at the point where the fault occurred.

The iAPX 286, like all members of the iAPX 86 series, supports a segmented memory architecture. The iAPX 286 also fully integrates memory segmentation into a comprehensive protection scheme. This protection scheme includes hardware-enforced length and type checking to protect segments from inadvertent misuse.

1.3.2 Task Management

The iAPX 286 is designed to support multitasking systems. The architecture provides direct support for the concept of a task. For example, task state segments (see section 8.2) are hardware-recognized and hardware-manipulated structures that contain information on the current state of all tasks in the system.

Very efficient context-switching (task-switching) can be invoked with a single instruction. Separate logical address spaces are provided for each task in the system. Finally, mechanisms exist to support inter-task communication, synchronization, memory sharing, and task scheduling. Task Management is described in Chapter 8.

1.3.3 Protection Mechanisms

The iAPX 286 allows the system designer to define a comprehensive protection policy to be applied, uniformly and continuously, to all ongoing operations of the system. Such a policy may be desirable to ensure system reliability, privacy of data, rapid error recovery, and separation of multiple users.

The iAPX 286 protection mechanisms are based on the notion of a "hierarchy of trust." Four privilege levels are distinguished, ranging from Level 0 (most trusted) to Level 3 (least trusted). Level 0 is usually reserved for the operating system kernel. The four levels may be visualized as concentric rings, with the most privileged level in the center (see figure 1-1).

This four-level scheme offers system reliability, flexibility, and design options not possible with the typical two-level (supervisor/user) separation provided by other processors. A four-level division is capable of separating kernel, executive, system services, and application software, each with different privileges.

At any one time, a task executes at one of the four levels. Moreover, all data segments and code segments are also assigned to privilege levels. A task executing at one level cannot access data at a more privileged level, nor can it call a procedure at a less privileged level (i.e., trust a less privileged procedure to do work for it). Thus, both access to data and transfer of control are restricted in appropriate ways.

A complete separation can exist between the logical address spaces local to different tasks, providing users with automatic protection against accidental or malicious interference by other users. The hardware also provides immediate detection of a number of fault and
error conditions, a feature that can be useful in the development and maintenance of software.

Finally, these protection mechanisms require relatively little system overhead because they are integrated into the memory management and protection hardware of the processor itself.

1.3.4 Support for Operating Systems

Most operating systems involve some degree of concurrency, with multiple tasks vying for system resources. The task management mechanisms described above provide the iAPX 286 with inherent support for such multi-tasking systems. Moreover, the advanced memory management features of the iAPX 286 allow the implementation of sophisticated virtual memory systems.

Operating system implementors have found that a multi-level approach to system services provides better security and more reliable systems. For example, a very secure kernel might implement critical functions such as task scheduling and resource allocation, while less fundamental functions (such as I/O) are built around the kernel. This layered approach also makes program development and enhancement simpler and facilitates error detection and debugging. The iAPX 286 supports the layered approach through its four-level privilege scheme.

1.4 ORGANIZATION OF THIS MANUAL

To facilitate the use of this manual both as an introduction to the iAPX 286 architecture and as a reference guide, the remaining chapters are divided into three major parts.
INTRODUCTION TO IAPX 286

Part I, comprising chapters 2 through 4, should be read by all those who wish to acquire a basic familiarity with the iAPX 286 architecture. These chapters provide detailed information on memory segmentation, registers, addressing modes and the general (application level) iAPX 286 instruction set. In conjunction with the *iAPX 286 Assembly Language Reference Manual*, these chapters provide sufficient information for an assembly language programmer to design and write application programs.

The chapters in Part I are:

Chapter 2, “Architectural Features.” This chapter discusses those features of the iAPX 286 architecture that are significant for application programmers. The information presented can also function as an introduction to the machine for system programmers. Memory organization and segmentation, processor registers, addressing modes, and instruction formats are all discussed.

Chapter 3, “Basic Instruction Set.” This chapter presents the core instructions of the iAPX 86 family.

Chapter 4, “Extended Instruction Set.” This chapter presents the extended instructions shared by the iAPX 186 and iAPX 286 processors.

Part II of the manual consists of a single chapter:

Chapter 5, “Real Address Mode.” This chapter presents the system programmer’s view of the iAPX 286 when the processor is operated in Real Address Mode.

Part III of the manual comprises chapters 6 through 11. Aimed primarily at system programmers, these chapters discuss the more advanced architectural features of the iAPX 286, which are available when the processor is in Protected Mode. Details on memory management, protection mechanisms, and task switching are provided.

The chapters in Part III are:

Chapter 6, “Virtual Memory.” This chapter describes the iAPX 286 address translation mechanisms that support virtual memory. Segment descriptors, global and local descriptor tables, and descriptor caches are discussed.

Chapter 7, “Protection.” This chapter describes the protection features of the iAPX 286. Privilege levels, segment attributes, access restrictions, and call gates are discussed.

Chapter 8, “Tasks and State Transitions.” This chapter describes the iAPX 286 mechanisms that support concurrent tasks. Context-switching, task state segments, task gates, and interrupt tasks are discussed.

Chapter 9, “Interrupts, Traps and Faults.” This chapter describes interrupt and trap handling. Special attention is paid to the exception traps, or faults, which may occur in Protected Mode. Interrupt gates, trap gates, and the interrupt descriptor table are discussed.

Chapter 10, “System Control and Initialization.” This chapter describes the actual instructions used to implement the memory management, protection, and task support features of the iAPX 286. System registers, privileged instructions, and the initial machine state are discussed.

Chapter 11, “Advanced Topics.” This chapter completes Part III with a description of several advanced topics, including special segment attributes and pointer validation.
iAPX 286 Base Architecture
This chapter describes the iAPX 286 application programming environment as seen by assembly language programmers. It is intended to introduce the programmer to those features of the iAPX 286 architecture that directly affect the design and implementation of iAPX 286 application programs.

2.1 MEMORY ORGANIZATION AND SEGMENTATION

The main memory of an iAPX 286 system makes up its physical address space. This address space is organized as a sequence of 8-bit quantities, called bytes. Each byte is assigned a unique address ranging from 0 up to a maximum of $2^{20}$ (1 megabyte) in Real Address Mode, and up to $2^{24}$ (16 megabytes) in Protected Mode.

A virtual address space is the organization of memory as viewed by a program. Virtual address space is also organized in units of bytes. (Other addressable units such as words, strings, and BCD digits are described below in section 2.2, “Data Types.”) In Real Address Mode, as with the 8086 itself, programs view physical memory directly, inasmuch as they manipulate pure physical addresses. Thus, the virtual address space is identical to the physical address space (1 megabyte).

In Protected Mode, however, programs have no direct access to physical addresses. Instead, memory is viewed as a much larger virtual address space of $2^{30}$ bytes (1 gigabyte). This 1 gigabyte virtual address is mapped onto the Protected Mode's 16-megabyte physical address space by the address translation mechanisms described in Chapter 6.

The programmer views the virtual address space on the iAPX 286 as a collection of up to sixteen thousand linear subspaces, each with a specified size or length. Each of these linear address spaces is called a segment. A segment is a logical unit of contiguous memory. Segment sizes may range from one byte up to 64K (65,536) bytes.

iAPX 286 memory segmentation supports the logical structure of programs and data in memory. Programs are not written as single linear sequences of instructions and data, but rather as modules of code and data. For example, program code may include a main routine and several separate procedures. Data may also be organized into various data structures, some private and some shared with other programs in the system. Run-time stacks constitute yet another data requirement. Each of these several modules of code and data, moreover, may be very different in size or vary dynamically with program execution.

Segmentation supports this logical structure (see figure 2-1). Each meaningful module of a program may be separately contained in individual segments. The degree of modularization, of course, depends on the requirements of a particular application. Use of segmentation benefits almost all applications. Programs execute faster and require less space. Segmentation also simplifies the design of structured software.

2.2 DATA TYPES

Bytes and words are the fundamental units in which the iAPX 286 manipulates data, i.e., the fundamental data types.
A byte is 8 contiguous bits starting on an addressable byte boundary. The bits are numbered 0 through 7, starting from the right. Bit 7 is the most significant bit:

```
7 6 5 4 3 2 1 0
```

A word is defined as two contiguous bytes starting on an arbitrary byte boundary; a word thus contains 16 bits. The bits are numbered 0 through 15, starting from the right. Bit 15 is the most significant bit. The byte containing bit 0 of the word is called the low byte; the byte containing bit 15 is called the high byte.

Each byte within a word has its own particular address, and the smaller of the two addresses is used as the address of the word. The byte at this lower address contains the eight least significant bits of the word, while the byte at the higher address contains the eight most significant bits. The arrangement of bytes within words is illustrated in figure 2-2.

Note that a word need not be aligned at an even-numbered byte address. This allows maximum flexibility in data structures (e.g., records containing mixed byte and word entries) and efficiency in memory utilization. Although actual transfers of data between the processor and memory take place at physically aligned word boundaries, the iAPX 286 converts requests for unaligned words into the appropriate sequences of requests acceptable to the memory interface. Such odd aligned word transfers, however, may impact performance by requiring two memory cycles.
to transfer the word rather than one. Data structures (e.g., stacks) should therefore be designed in such a way that word operands are aligned on word boundaries whenever possible for maximum system performance. Due to instruction prefetching and queueing within the CPU, there is no requirement for instructions to be aligned on word boundaries and no performance loss if they are not.

Although bytes and words are the fundamental data types of operands, the processor also supports additional interpretations on these bytes or words. Depending on the instruction referencing the operand, the following additional data types can be recognized:

**Integer:**
A signed binary numeric value contained in an 8-bit byte or a 16-bit word. All operations assume a 2's complement representation. (Signed 32- and 64-bit integers are supported using the iAPX 286/20 Numeric Data Processor.)

**Ordinal:**
An unsigned binary numeric value contained in an 8-bit byte or 16-bit word.

**Pointer:**
A 32-bit address quantity composed of a segment selector component and an offset component. Each component is a 16-bit word.

**String:**
A contiguous sequence of bytes or words. A string may contain from 1 byte to 64K bytes.

**ASCII:**
A byte representation of alphanumerical and control characters using the ASCII standard of character representation.

**BCD:**
A byte (unpacked) representation of the decimal digits (0-9).

**Packed BCD:**
A byte (packed) representation of two decimal digits (0-9). One digit is stored in each nibble of the byte.

**Floating Point:**
A signed 32-, 64-, or 80-bit real number representation. (Floating operands are supported using the iAPX 286/20 Numeric Processor Configuration.)

Figure 2-3 graphically represents the data types supported by the iAPX 286. iAPX 286 arithmetic operations may be performed on five types of numbers: unsigned binary, signed binary (integers), unsigned packed decimal, unsigned unpacked decimal, and floating point. Binary numbers may be 8 or 16 bits
Figure 2-3. IAPX 286 Supported Data Types
long. Decimal numbers are stored in bytes; two digits per byte for packed decimal, one digit per byte for unpacked decimal. The processor always assumes that the operands specified in arithmetic instructions contain data that represent valid numbers for the type of instruction being performed. Invalid data may produce unpredictable results.

Unsigned binary numbers may be either 8 or 16 bits long; all bits are considered in determining a number’s magnitude. The value range of an 8-bit unsigned binary number is 0-255; 16 bits can represent values from 0 through 65,535. Addition, subtraction, multiplication and division operations are available for unsigned binary numbers.

Signed binary numbers (integers) may be either 8 or 16 bits long. The high-order (leftmost) bit is interpreted as the number’s sign: 0 = positive and 1 = negative. Negative numbers are represented in standard two’s complement notation. Since the high-order bit is used for a sign, the range of an 8-bit integer is -128 through +127; 16-bit integers may range from -32,768 through +32,767. The value zero has a positive sign.

Separate multiplication and division operations are provided for both signed and unsigned binary numbers. The same addition and subtraction instructions are used with signed or unsigned binary values. Conditional jump instructions, as well as an “interrupt on overflow” instruction, can be used following an unsigned operation on an integer to detect overflow into the sign bit.

Unpacked decimal numbers are stored as unsigned byte quantities. One digit is stored in each byte. The magnitude of the number is determined from the low-order half-byte; hexadecimal values 0-9 are valid and are interpreted as decimal numbers. The high-order half-byte must be zero for multiplication and division; it may contain any value for addition and subtraction.

Arithmetic on unpacked decimal numbers is performed in two steps. The unsigned binary addition, subtraction and multiplication operations are used to produce an intermediate result. An adjustment instruction then changes the value to a final correct unpacked decimal number. Division is performed similarly, except that the adjustment is carried out on the two digit numerator operand in register AX first, followed by an unsigned binary division instruction that produces a correct result.

Unpacked decimal numbers are similar to the ASCII character representations of the digits 0-9. Note, however, that the high-order half-byte of an ASCII numeral is always 3. Unpacked decimal arithmetic may be performed on ASCII numeric characters under the following conditions:

- the high-order half-byte of an ASCII numeral must be set to 0H prior to multiplication or division.
- unpacked decimal arithmetic leaves the high-order half-byte set to 0H; it must be set to 3 to produce a valid ASCII numeral.

Packed decimal numbers are stored as unsigned byte quantities. The byte is treated as having one decimal digit in each half-byte (nibble); the digit in the high-order half-byte is the most significant. Values 0-9 are valid in each half-byte, and the range of a packed decimal number is 0-99. Additions and subtractions are performed in two steps. First, an addition or subtraction instruction is used to produce an intermediate result. Then, an adjustment operation is performed which changes the intermediate value to a final
2.3 REGISTERS

The iAPX 286 contains a total of fourteen registers that are of interest to the application programmer. (Five additional registers used by system programmers are covered in section 10.1.) As shown in figure 2-4, these registers may be grouped into four basic categories:

- **General registers.** These eight 16-bit general-purpose registers are used primarily to contain operands for arithmetic and logical operations.

- **Segment registers.** These four special-purpose registers determine, at any given time, which segments of memory are currently addressable.

- **Status and Control registers.** These three special-purpose registers are used to record and alter certain aspects of the iAPX 286 processor state.

2.3.1 General Registers

The general registers of the iAPX 286 are the 16-bit registers AX, BX, CX, DX, SP, BP, SI, and DI. These registers are used interchangeably to contain the operands of logical and arithmetic operations.

Some instructions and addressing modes (see section 2.4), however, dedicate certain general registers to specific uses. BX and BP are often used to contain the base address of data structures in memory (for example, the starting address of an array); for this reason, they are often referred to as the base registers. Similarly, SI and DI are often used to contain an index value that will be incremented to step through a data structure; these two registers are called the index registers. Finally, SP and BP are used for stack manipulation. Both SP and BP normally contain offsets into the current stack. SP generally contains the offset of the top of the stack and BP contains the correct packed decimal result. Multiplication and division adjustments are only available for unpacked decimal numbers.

Strings are contiguous bytes or words from 1 to 64K bytes in length. They generally contain ASCII or other character data representations. The iAPX 286 provides string manipulation instructions to move, examine, or modify a string (see section 3.7, “Character Translation and String Instructions”).

If the 80287 numerics processor extension (NPX) is present in the system (the iAPX 286/20 configuration), the iAPX 286 architecture also supports floating point numbers, 32- and 64-bit integers, and 18-digit BCD data types.

The iAPX 286/20 Numeric Data Processor supports and stores real numbers in a three-field binary format as required by IEEE standard 754 for floating point numerics (see figure 2-3). The number's significant digits are held in the significand field, the exponent field locates the binary point within the significant digits (and therefore determines the number's magnitude), and the sign field indicates whether the number is positive or negative. (The exponent and significand are analogous to the terms “characteristic” and “mantissa,” typically used to describe floating point numbers on some computers.) This format is used by the iAPX 286/20 with various length significands and exponents to support single precision, double precision and extended (80-bit) precision floating point data types. Negative numbers differ from positive numbers only in their sign bits.
offset or base address of the current stack frame. The use of these general-purpose registers for operand addressing is discussed in section 2.3.3, "Index, Pointer, and Base Registers." Register usage for individual instructions is discussed in chapters 3 and 4.

As shown in figure 2-4, eight byte registers overlap four of the 16-bit general registers. These registers are named AH, BH, CH, and DH (high bytes); and AL, BL, CL, and DL (low bytes); they overlap AX, BX, CX, and DX. These registers can be used either in their entirety or as individual 8-bit registers. This dual interpretation simplifies the handling of both 8- and 16-bit data elements.

2.3.2 Memory Segmentation and Segment Registers

Complete programs generally consist of many different code modules (or segments), and different types of data segments. However, at any given time during program execution, only a small subset of a program's segments are actually in use. Generally, this subset will include code, data, and possibly a stack. The iAPX 286 architecture takes advantage of this by providing mechanisms to support direct access to the working set of a program's execution environment and access to additional segments on demand.

At any given instant, four segments of memory are immediately accessible to an executing iAPX 286 program. The segment registers DS, ES, SS, and CS are used to identify these four current segments. Each of these registers specifies a particular kind of segment, as characterized by the associated mnemonics ("code," "stack," "data," or "extra") shown in figure 2-4.

An executing program is provided with concurrent access to the four individual segments of memory—a code segment, a stack segment, and two data segments—by means of the four segment registers. Each may be said to select a segment, since it uniquely
determines the one particular segment from among the numerous segments in memory, which is to be immediately accessible at highest speed. Thus, the 16-bit contents of a segment register is called a segment selector.

Once a segment is selected, a base address is associated with it. To address an element within a segment, a 16-bit offset from the segment’s base address must be supplied. The 16-bit segment selector and the 16-bit offset taken together form the high and low order halves, respectively, of a 32-bit virtual address pointer. Once a segment is selected, only the lower 16-bits of the pointer, called the offset, generally need to be specified by an instruction. Simple rules define which segment register is used to form an address when only a 16-bit offset is specified.

An executing program requires, first of all, that its instructions reside somewhere in memory. The segment of memory containing the currently executing sequence of instructions is known as the current code segment; it is specified by means of the CS register. All instructions are fetched from this code segment, using as an offset the contents of the instruction pointer (IP). The CS:IP register combination therefore forms the full 32-bit pointer for the next sequential program instruction. The CS register is manipulated indirectly. Transitions from one code segment to another (e.g., a procedure call) are effected implicitly as the result of control-transfer instructions, interrupts, and trap operations.

Stacks play a fundamental role in the iAPX 286 architecture; subroutine calls, for example, involve a number of implicit stack operations. Thus, an executing program will generally require a region of memory for its stack. The segment containing this region is known as the current stack segment, and it is specified by means of the SS register. All stack operations are performed within this segment, usually in terms of address offsets contained in the stack pointer (SP) and stack frame base (BP) registers. Unlike CS, the SS register can be loaded explicitly for dynamic stack definition.

Beyond their code and stack requirements, most programs must also fetch and store data in memory. The DS and ES registers allow the specification of two data segments, each addressable by the currently executing program. Accessibility to two separate data areas supports differentiation and access requirements like local procedure data and global process data. An operand within a data segment is addressed by specifying its offset either directly in an instruction or indirectly via index and/or base registers (described in the next subsection).

Depending on the data structure (e.g., the way data is parceled into one or more segments), a program may require access to multiple data segments. To access additional segments, the DS and ES registers can be loaded under program control during the course of a program’s execution. This simply requires loading the appropriate data pointer prior to accessing the data.

The interpretation of segment selector values depends on the operating mode of the processor. In Real Address Mode, a segment selector is a physical address (figure 2-5). In Protected Mode, a segment selector selects a segment of the user’s virtual address space (figure 2-6). An intervening level of logical-to-physical address translation converts the logical address to a physical memory address. Chapter 6, “Memory Management,” provides a detailed discussion of Protected Mode addressing. In general, considerations of selector formats and the details of memory mapping need not concern the application programmer.
NOTES:
1. THE SELECTOR IDENTIFIES A SEGMENT IN PHYSICAL MEMORY.
2. A SELECTOR SPECIFIES THE SEGMENT'S BASE ADDRESS, MODULE 16, WITHIN THE 1 MEGABYTE ADDRESS SPACE.
3. THE SELECTOR IS THE 16 MOST SIGNIFICANT BITS OF A SEGMENT'S PHYSICAL ADDRESS.
4. THE VALUES OF SELECTORS DETERMINE THE AMOUNT THEY OVERLAP IN REAL MEMORY.
5. SEGMENTS MAY OVERLAP BY INCREMENTS OF 16 BYTES. OVERLAP RANGES FROM COMPLETE (SEG 1 = SEG 1) TO NONE (SEG 1 ≠ SEG 2 ≠ 64K).

Figure 2-5. Real Address Mode Segment Selector Interpretation

NOTES:
1. A SELECTOR UNIQUELY IDENTIFIES (NAMES) ONE OF 16K POSSIBLE SEGMENTS IN THE TASK'S VIRTUAL ADDRESS SPACE.
2. THE SELECTOR VALUE DOES NOT SPECIFY THE SEGMENT'S LOCATION IN PHYSICAL MEMORY.
3. THE SELECTOR DOES NOT IMPLY ANY OVERLAP WITH OTHER SEGMENTS (THIS DEPENDS ON THE BASE ADDRESS OF THE SEGMENT AS SPECIFIED VIA THE MEMORY MANAGEMENT AND PROTECTION INFORMATION).

Figure 2-6. Protected Mode Segment Selector Interpretation
2.3.3 Index, Pointer, and Base Registers

Five of the general-purpose registers are available for offset address calculations. These five registers, shown in figure 2-4, are SP, BP, BX, SI, and DI. SP is called a pointer register; BP and BX are called base registers; SI and DI are called index registers.

As described in the previous section, segment registers define the set of four segments currently addressable by a program. A pointer, base, or index register may contain an offset value relative to the start of one of these segments; it thereby points to a particular operand's location within that segment. To allow for efficient computations of effective address offsets, all base and index registers may participate interchangeably as operands in most arithmetical operations.

Stack operations are facilitated by the stack pointer (SP) and stack frame base (BP) registers. By specifying offsets into the current stack segment, each of these registers provides access to data on the stack. The SP register is the customary top-of-stack pointer, addressing the uppermost datum on a push-down stack. It is referenced implicitly by PUSH and POP operations, subroutine calls, and interrupt operations. The BP register provides yet another offset into the stack segment. The existence of this stack relative base register, in conjunction with certain addressing modes described in section 2.6.3, is particularly useful for accessing data structures, variables and dynamically allocated work space within the stack.

Stacks in the iAPX 286 are implemented in memory and are located by the stack segment register (SS) and the stack pointer register (SP). A system may have an unlimited number of stacks, and a stack may be up to 64K bytes long, the maximum length of a segment.

One stack is directly addressable at a time; this is the current stack, often referred to simply as “the” stack. SP contains the current top of the stack (TOS). In other words, SP contains the offset to the top of the push down stack from the stack segment’s base address. Note, however, that the stack’s base address (contained in SS) is not the “bottom” of the stack (figure 2-7).

Figure 2-7. IAPX 286 Stack
iAPX 286 stack entries are 16 bits wide. Instructions operate on the stack by adding and removing stack items one word at a time. An item is pushed onto the stack (see figure 2-8) by decrementing SP by 2 and writing the item at the new TOS. An item is popped off the stack by copying it from TOS and then incrementing SP by 2. In other words, the stack grows down in memory toward its base address. Stack operations never move items on the stack; nor do they erase them. The top of the stack changes only as a result of updating the stack pointer.

The stack frame base pointer (BP) is often used to access elements on the stack relative to a fixed point on the stack rather than relative to the current TOS. It typically identifies the base address of the current stack frame established for the current procedure (figure 2-9). If an index register is used relative to BP (e.g., base + index addressing mode using BP as the base), the offset will be calculated automatically in the current stack segment.

Accessing data structures in data segments is facilitated by the BX register, which has the same function in addressing operands within data segments that BP does for stack segments. They are called base registers because they may contain an offset to the base of a data structure. The similar usage of these two registers is especially important when discussing addressing modes (see section 2.4, "Addressing Modes").

Operations on data are also facilitated by the SI and DI registers. By specifying an offset relative to the start of the currently addressable data segment, an index register can be used to address an operand in the segment. If an index register is used in conjunction with the BX base register (i.e., base + index addressing) to form an offset address, the data is also assumed to reside in the current data segment. As a rule, data referenced through an index register or BX is presumed to reside in the current data segment. That is, if an instruction invokes addressing for one of its operands using either BX, DI, SI, or BX with SI or DI, the contents of the register(s) (BX, DI, or SI) implicitly specify an offset in the current data segment. As previously mentioned, data referenced via SP, BP or BP with SI or DI implicitly specify an operand in the current stack segment (refer to table 2-1).

There are two exceptions to the rules listed above. The first concerns the operation of certain iAPX 286 string instructions. For the most flexibility, these instructions assume that the DI register addresses destination strings not in the data segment, but rather in the extra segment (ES register). This allows movement of strings between different segments. This has led to the descriptive names “source index” and “destination index.” In all cases other than string instructions, however, the SI and DI registers may be used interchangeably to reference either source or destination operands.

Table 2-1. Implied Segment Usage by Index, Pointer and Base Registers

<table>
<thead>
<tr>
<th>Register</th>
<th>Implied Segment</th>
</tr>
</thead>
<tbody>
<tr>
<td>SP</td>
<td>SS</td>
</tr>
<tr>
<td>BP</td>
<td>SS</td>
</tr>
<tr>
<td>BX</td>
<td>DS</td>
</tr>
<tr>
<td>SI</td>
<td>DS</td>
</tr>
<tr>
<td>DI</td>
<td>DS, ES for String Operations</td>
</tr>
<tr>
<td>BP + SI, DI</td>
<td>SS</td>
</tr>
<tr>
<td>BX + SI, DI</td>
<td>DS</td>
</tr>
</tbody>
</table>

NOTE:
All implied Segment usage, except SP to SS and DI to ES for String Operations, may be explicitly specified with a segment override prefix for any of the four segments. The prefix precedes the instruction for which explicit reference is desired.
Figure 2-8. Stack Operation
BP is a constant pointer to stack based variables and work space. All references use BP and are independent of SP, which may vary during a routine execution.

PROC N
PUSH AX
PUSH ARRAY_SIZE
CALL PROC_N - 1

PROC_N + 1:
PUSH BP
PUSH CX
MOV BP, SP
SUB SP, WORK_SPACE

"PROCEDURE BODY"
MOV SP, BP
POP CX
POP BP
RET

Figure 2-9. BP Usage as a Stack Frame Base Pointer
A second more general override capability allows the programmer complete control of which segment is used for a specific operation. Segment-override prefixes, discussed in section 2.4.3, allow the index and base registers to address data in any of the four currently addressable segments.

### 2.3.4 Status and Control Registers

Two status and control registers are of immediate concern to applications programmers: the instruction pointer and the FLAGS registers.

The instruction pointer register (IP) contains the offset address, relative to the start of the current code segment, of the next sequential instruction to be executed. Together, the CS:IP registers thus define a 32-bit program counter. The instruction pointer is not directly visible to the programmer; it is controlled implicitly, by interrupts, traps, and control-transfer operations.

The FLAGS register encompasses eleven flag fields, mostly one-bit wide, as shown in figure 2-10. Six of the flags are status flags that record processor status information. The status flags are affected by the execution of arithmetic and logical instructions. The carry flag is also modifiable with instructions that will clear, set or complement this flag bit. See Chapters 3 and 4.

The carry flag (CF) generally indicates a carry or borrow out of the most significant bit of an 8- or 16-bit operand after performing an arithmetic operation; this flag is also useful for bit manipulation operations involving the shift and rotate instructions. The effect on the remaining status flags, when defined for a particular instruction, is generally as follows: the zero flag (ZF) indicates a zero result when set; the sign flag (SF) indicates whether the result was negative (SF = 1) or positive (SF = 0); when set, the overflow flag (OF) indicates whether an operation results

---

**Figure 2-10. Flags Register**
in a carry into the high order bit of the result but not a carry out of the high-order bit, or vice versa; the parity flag (PF) indicates whether the modulo 2 sum of the low-order eight bits of the operation is even (PF = 0) or odd (PF = 1) parity. The auxiliary carry flag (AF) represents a carry out of or borrow into the least significant 4-bit digit when performing binary coded decimal (BCD) arithmetic.

The FLAGS register also contains three control flags that are used, under program control, to direct certain processor operations. The interrupt-enable flag (IF), if set, enables external interrupts; otherwise, interrupts are disabled. The trap flag (TF), if set, puts the processor into a single-step mode for debugging purposes where the target program is automatically interrupted to a user supplied debug routine after the execution of each target program instruction. The direction flag (DF) controls the forward or backward direction of string operations: 0 = forward or auto increment the address register(s) (SI, DI or SI and DI), 1 = backward or auto-decrement the address register(s) (SI, DI or SI and DI).

In general, the interrupt enable flag may be set or reset with special instructions (STI = set, CLI = clear) or by placing the flags on the stack, modifying the stack, and returning the flag image from the stack to the flag register. If operating in Protected Mode, the ability to alter the IF bit is subject to protection checks to prevent non-privileged programs from effecting the interrupt state of the CPU. This applies to both instruction and stack options for modifying the IF bit.

The TF flag may only be modified by copying the flag register to the stack, setting the TF bit in the stack image, and returning the modified stack image to the flag register. The trap interrupt occurs on completion of the next instruction. Entry to the single step routine saves the flag register on the stack with the TF bit set, and resets the TF bit in the register. After completion of the single step routine, the TF bit is automatically set on return to the program being single stepped to interrupt the program again after completion of the next instruction. Use of TF is not inhibited by the protection mechanism in Protected Mode.

The DF flag, like the IF flag, is controlled by instructions (CLD = clear, STD = set) or flag register modification through the stack. Typically, routines that use string instructions will save the flags on the stack, modify DF as necessary via the instructions provided, and restore DF to its original state by restoring the Flag register from the stack before returning. Access or control of the DF flag is not inhibited by the protection mechanism in Protected Mode.

The Special Fields bits are only relevant in Protected Mode. Real Address Mode programs should treat these bits as don't-care's, making no assumption about their status. Attempts to modify the IOPL and NT fields are subject to protection checking in Protected Mode. In general, the application's programmer will not be able to and should not attempt to modify these bits. (See section 9.4, "Privileged and Trusted Instructions" for more details.)

2.4 ADDRESSING MODES

The information encoded in an iAPX 286 instruction includes a specification of the operation to be performed, the type of the operands to be manipulated, and the location of these operands. If an operand is located in memory, the instruction must also select, explicitly or implicitly, which of the currently addressable segments contains the operand.
This section covers the operand addressing mechanisms; iAPX 286 operators are discussed in Chapter 3.

The five elements of a general instruction are briefly described below. The exact format of iAPX 286 instructions is specified in Appendix B.

- The opcode is present in all instructions; in fact, it is the only required element. Its principal function is the specification of the operation performed by the instruction.
- A register specifier.
- The addressing mode specifier, when present, is used to specify the addressing mode of an operand for referencing data or performing indirect calls or jumps.
- The displacement, when present, is used to compute the effective address of an operand in memory.
- The immediate operand, when present, directly specifies one operand of the instruction.

Of the four elements, only one, the opcode, is always present. The other elements may or may not be present, depending on the particular operation involved and on the location and type of the operands.

2.4.1 Operands

Generally speaking, an instruction is an operation performed on zero, one, or two operands, which are the data manipulated by the instruction. An operand can be located either in a register (AX, BX, CX, DX, SI, DI, SP, or BP in the case of 16-bit operands; AH, AL, BH, BL, CH, CL, DH, or DL in the case of 8-bit operands; the FLAG register for flag operations in the instruction itself (as an immediate operand)), or in memory or an I/O port. Immediate operands and operands in registers can be accessed more rapidly than operands in memory since memory operands must be fetched from memory while immediate and register operands are available in the processor.

An iAPX 286 instruction can reference zero, one, or two operands. The three forms are as follows:

- Zero-operand instructions, such as RET, NOP, and HLT. Consult Appendix B.
- One-operand instructions, such as INC or DEC. The location of the single operand can be specified implicitly, as in AAM (where the register AX contains the operand), or explicitly, as in INC (where the operand can be in any register or memory location). Explicitly specified operands are accessed via one of the addressing modes described in section 2.4.2.
- Two operand instructions such as MOV, ADD, XOR, etc., generally overwrite one of the two participating operands with the result. A distinction can thus be made between the source operand (the one left unaffected by the operation) and the destination operand (the one overwritten by the result). Like one-operand instructions, two-operand instructions can specify the location of operands either explicitly or implicitly. If an instruction contains two explicitly specified operands, only one of them—either the source or the destination—can be in a register or memory location. The other operand must be in a register or be an immediate source operand. Special cases of two-operand instructions are the string instructions and stack manipulation. Both operands of some string instructions are in memory and are explicitly specified. Push and pop
stack operations allow transfer between memory operands and the memory based stack.

Thus, the two-operand instructions of the iAPX 286 permit operations of the following sort:

- Register-to-register
- Register-to-memory
- Memory-to-register
- Immediate-to-register
- Immediate-to-memory
- Memory-to-memory

Instructions can specify the location of their operands by means of eight addressing modes, which are described in sections 2.4.2 and 2.4.3.

2.4.2 Register and Immediate Modes

Two addressing modes are used to reference operands contained in registers and instructions:

- Register Operand Mode. The operand is located in one of the 16-bit registers (AX, BX, CX, DX, SI, DI, SP, or BP) or in one of the 8-bit general registers (AH, BH, CH, DH, AL, BL, CL, or DL).

Special instructions are also included for referencing the CS, DS, ES, SS, and Flag registers as operands also.

- Immediate Operand Mode. The operand is part of the instruction itself (the immediate operand element).

2.4.3 Memory Addressing Modes

Six modes are used to access operands in memory. Memory operands are accessed by means of a pointer consisting of a segment selector (see section 2.3.2) and an offset, which specifies the operand's displacement in bytes from the beginning of the segment in which it resides. Both the segment selector component and the offset component are 16-bit values. (See section 2.1 for a discussion of segmentation.) Only some instructions use a full 32-bit address.

Most memory references do not require the instruction to specify a full 32-bit pointer address. Operands that are located within one of the currently addressable segments, as determined by the four segment registers (see section 2.3.2, "Segment Registers"), can be referenced very efficiently simply by means of the 16-bit offset. This form of address is called by short address. The choice of segment (CS, DS, ES, or SS) is either implicit within the instruction itself or explicitly specified by means of a segment override prefix (see below).

See figure 2-11 for a diagram of the addressing process.

2.4.3.1 SEGMENT SELECTION

All instructions that address operands in memory must specify the segment and the offset. For speed and compact instruction encoding, segment selectors are usually stored in the high speed segment registers. An instruction need specify only the desired segment register and an offset in order to address a memory operand.

Most instructions need not explicitly specify which segment register is used. The correct segment register is automatically chosen according to the rules of table 2-1 and table 2-2. These rules follow the way programs are written (see figure 2-12) as independent modules that require areas for code and data, a stack, and access to external data areas.
There is a close connection between the type of memory reference and the segment in which that operand resides (see the next section for a discussion of how memory addressing mode calculations are performed). As a rule, a memory reference implies the current data segment (i.e., the implicit segment selector is in DS) unless the BP register is involved in the address specification, in which case the current stack segment is implied (i.e., SS contains the selector).

The iAPX 286 instruction set defines special instruction prefix elements (see Appendix B). One of these is SEG, the segment-override prefix. Segment-override prefixes allow an explicit segment selection. Only in two special cases—namely, the use of DI to reference

---

**Table 2-2. Segment Register Selection Rules**

<table>
<thead>
<tr>
<th>Memory Reference Needed</th>
<th>Segment Register Used</th>
<th>Implicit Segment Selection Rule</th>
</tr>
</thead>
<tbody>
<tr>
<td>Instructions</td>
<td>Code (CS)</td>
<td>Automatic with instruction prefetch.</td>
</tr>
<tr>
<td>Stack</td>
<td>Stack (SS)</td>
<td>All stack pushes and pops. Any memory reference which uses BP as a base register.</td>
</tr>
<tr>
<td>Local Data</td>
<td>Data (DS)</td>
<td>All data references except when relative to stack or string destination.</td>
</tr>
<tr>
<td>External (Global) Data</td>
<td>Extra (ES)</td>
<td>Alternate data segment and destination of string operation.</td>
</tr>
</tbody>
</table>
2.4.3.2 OFFSET COMPUTATION

The offset within the desired segment is calculated in accordance with the desired addressing mode. The offset is calculated by taking the sum of up to three components:

- the displacement element in the instruction
- the base (contents of BX or BP—a base register)
- the index (contents of SI or DI—an index register)

Each of the three components of an offset may be either a positive or negative value. Offsets are calculated modulo $2^{16}$.

The six memory addressing modes are generated using various combinations of these three components. The six modes are used for accessing different types of data stored in memory:

<table>
<thead>
<tr>
<th>Addressing Mode</th>
<th>Offset Calculation</th>
</tr>
</thead>
<tbody>
<tr>
<td>Direct Address</td>
<td>Displacement alone</td>
</tr>
<tr>
<td>Register Indirect</td>
<td>Base or index alone</td>
</tr>
<tr>
<td>Based</td>
<td>Base + displacement</td>
</tr>
<tr>
<td>Indexed</td>
<td>Index + displacement</td>
</tr>
<tr>
<td>Based Indexed</td>
<td>Base + index</td>
</tr>
<tr>
<td>Based Indexed with Displacement</td>
<td>Base + index + disp</td>
</tr>
</tbody>
</table>

In all six modes, the operand is located at the specified offset within the selected segment. All displacements, except direct address mode, are optionally 8- or 16-bit values. 8-bit displacements are automatically sign-extended to 16 bits. The six addressing modes are described and demonstrated in the following section on memory addressing modes.
2.4.3.3 MEMORY MODE

Two modes are used for simple scalar operands located in memory:

- Direct Address Mode. The offset of the operand is contained in the instruction as the displacement element. The offset is a 16-bit quantity.

- Register Indirect Mode. The offset of the operand is in one of the registers SI, DI, or BX. (BP is excluded; if BP is used as a stack frame base, it requires an index or displacement component to reference either parameters passed on the stack or temporary variables allocated on the stack. The instruction level bit encoding for the BP only address mode is used to specify Direct Address mode. See Chapter 12 for more details.)

The following four modes are used for accessing complex data structures in memory (see figure 2-13):

- Based Mode. The operand is located within the selected segment at an offset computed as the sum of the displacement and the contents of a base register (BX or BP). Based mode is often used to access the same field in different copies of a structure (often called a record). The base register points to the base of the structure (hence the term “base” register), and the displacement selects a particular field. Corresponding fields within a collection of structures can be accessed simply by changing the base register. (See figure 2-13, example 1.)

- Indexed Mode. The operand is located within the selected segment at an offset computed as the sum of the displacement and the contents of an index register (SI or DI). Indexed mode is often used to access elements in a static array (e.g., an array whose starting location is fixed at translation time). The displacement locates the beginning of the array, and the value of the index register selects one element. Since all array elements are the same length, simple arithmetic on the index register will select any element. (See figure 2-13, example 2.)

- Based Indexed Mode. The operand is located within the selected segment at an offset computed as the sum of the base register’s contents and an index register’s contents. Based Indexed mode is often used to access elements of a dynamic array (i.e., an array whose base address can change during execution). The base register points to the base of the array, and the value of the index register is used to select one element. (See figure 2-13, example 3.)

- Based Indexed Mode with Displacement. The operand is located with the selected segment at an offset computed as the sum of a base register’s contents, an index register’s contents, and the displacement. This mode is often used to access elements of an array within a structure. For example, the structure could be an activation record (i.e., a region of the stack containing the register contents, parameters, and variables associated with one instance of a procedure); and one variable could be an array. The base register points to the start of the activation record, the displacement expresses the distance from the start of the record to the beginning of the array variable, and the index register selects a particular element of the array. (See figure 2-13, example 4.)

Table 2-3 gives a summary of all memory operand addressing options.
1. BASED MODE

MOV AX, [BP - DATE_CODE]
ADD [BX + BALANCE], CX

2. INDEXED MODE

MOV ID [SI], DX
SUB BX, DATA_TBL[SI]

3. BASED INDEXED

MOV DX, [BP][SI]
AND [BX + SI], 3FFH

4. BASED INDEXED MODE WITH DISPLACEMENT

MOV CX, [BP][SI + CNT]
SHR [BX + DI + MASK]

Figure 2-13. Complex Addressing Modes
### Table 2-3. Memory Operand Addressing Modes

<table>
<thead>
<tr>
<th>Addressing Mode</th>
<th>Offset Calculation</th>
</tr>
</thead>
<tbody>
<tr>
<td>Direct</td>
<td>16-bit Displacement in the instruction</td>
</tr>
<tr>
<td>Register Indirect</td>
<td>BX, SI, DI</td>
</tr>
<tr>
<td>Based</td>
<td>(BX or BP) + Displacement*</td>
</tr>
<tr>
<td>Indexed</td>
<td>(SI or DI) + Displacement*</td>
</tr>
<tr>
<td>Based Indexed</td>
<td>(BX or BP) + (SI or DI) + Displacement*</td>
</tr>
<tr>
<td>Based Indexed + Displacement</td>
<td>(BX or BP) + (SI or DI) + Displacement*</td>
</tr>
</tbody>
</table>

#### 2.5 INPUT/OUTPUT

The iAPX 286 allows input/output to be performed in either of two ways: by means of a separate I/O address space (using specific I/O instructions) or by means of memory-mapped I/O (using general-purpose operand manipulation instructions).

##### 2.5.1 I/O Address Space

The iAPX 286 provides a separate I/O address space, distinct from physical memory, to address the input/output ports that are used for external devices. The I/O address space consists of $2^{16}$ (64K) individually addressable 8-bit ports. Any two consecutive 8-bit ports can be treated as a 16-bit port. Thus, the I/O address space can accommodate up to 64K 8-bit ports or up to 32K 16-bit ports.

The iAPX 286 can transfer either 8 or 16 bits at a time to a device located in the I/O space. Like words in memory, 16-bit ports should be aligned at even-numbered addresses so that the 16 bits will be transferred in a single access. An 8-bit port may be located at either an even or odd address. The internal registers in a given peripheral controller device should be assigned addresses as shown below.

#### Port Register

- 16-bit
- 8-bit; device on lower half of 16-bit data bus
- 8-bit; device on upper half of 16-bit data bus

#### Port Addresses

- even word addresses
- even byte addresses
- odd byte addresses

#### Example

- `OUT FE,AX`  
- `IN AL,FE`  
- `OUT FF,AL`
2.5.2 Memory-Mapped I/O

I/O devices also may be placed in the iAPX 286 memory address space. So long as the devices respond like memory components, they are indistinguishable to the processor.

Memory-mapped I/O provides additional programming flexibility. Any instruction that references memory may be used to access an I/O port located in the memory space. For example, the MOV instruction can transfer data between any register and a port; and the AND, OR, and TEST instructions may be used to manipulate bits in the internal registers of a device (see figure 2-14). Memory-mapped I/O performed via the full instruction set maintains the full complement of addressing modes for selecting the desired I/O device.

Memory-mapped I/O, like any other memory reference, is subject to access protection and control when executing in protected mode.

2.6 INTERRUPTS AND EXCEPTIONS

The iAPX 286 architecture supports several mechanisms for interrupting program execution. Internal interrupts are synchronous events that are the responses of the CPU to certain events detected during the execution of an instruction. External interrupts are asynchronous events typically triggered by external devices needing attention. The iAPX 286 supports both maskable (controlled by the IF flag) and non-maskable interrupts. They cause the processor to temporarily suspend its present program execution in order to service the requesting device. The major distinction between these two kinds of interrupts is their origin: an internal interrupt is always reproducible by re-executing with the program and data that caused the interrupt, whereas an external interrupt is generally independent of the currently executing task.

Application programmers will normally not be concerned with servicing external interrupts. More information on external interrupts for system programmers may be found in Chapter 5, section 5.2, “Interrupt Handling for Real Address Mode,” and in Chapter 9, “Interrupts, Traps and Faults for Protected Virtual Address Mode.”

Figure 2-14. Memory-Mapped I/O
In Real Address Mode, the application programmer is affected by two kinds of internal interrupts. (Internal interrupts are the result of executing an instruction which causes the interrupt.) One type of interrupt is called an exception because the interrupt only occurs if a particular fault condition exists. The other type of interrupt generates the interrupt every time the instruction is executed.

The exceptions are: divide error, INTO detected overflow, bounds check, segment overrun, invalid operation code, and processor extension error (see table 2-4). A divide error exception results when the instructions DIV or IDIV are executed with a zero denominator; otherwise, the quotient will be too large for the destination operand (see section 3.3.4 for a discussion of DIV and IDIV). An overflow exception results when the INTO instruction is executed and the OF flag is set (after an arithmetic operation that set the overflow (OF) flag). (See section 3.6.3, "Software Generated Interrupts," for a discussion of INTO.) A bounds check exception results when the BOUND instruction is executed and the array index it checks falls outside the bounds of the array. (See section 4.2 for a discussion of the BOUND instruction.) The segment overrun exception occurs when a word memory reference is attempted which extends beyond the end of a segment.

An invalid operation code exception occurs if an attempt is made to execute an undefined instruction operation code. A processor extension error is generated when a processor extension detects an illegal operation. Refer to Chapter 5 for a more complete description of these exception conditions.

The instruction INT generates an internal interrupt whenever it is executed. The effects of this interrupt (and the effects of all interrupts) is determined by the interrupt handler routines provided by the application program or as part of the system software (provided by system programmers). See Chapter 5 for more on this topic. The INT instruction itself is discussed in section 3.6.3.

In Protected Mode, many more fault conditions are detected and result in internal interrupts. Protected Mode interrupts and faults are discussed in Chapter 10.

### 2.7 HIERARCHY OF INSTRUCTION SETS

For descriptive purposes, the iAPX 286 instruction set is partitioned into three distinct subsets: the Basic Instruction Set, the Extended Instruction Set, and the System Control Instruction Set. The “hierarchy” of instruction sets defined by this partitioning helps to clarify the relationships between the various processors in the iAPX 86 family (see figure 2-15).

<table>
<thead>
<tr>
<th>Function</th>
<th>Related Instructions</th>
</tr>
</thead>
<tbody>
<tr>
<td>Divide error exception</td>
<td>DIV,IDIV</td>
</tr>
<tr>
<td>INTO detected overflow exception</td>
<td>INTO</td>
</tr>
<tr>
<td>BOUND range exceeded exception</td>
<td>BOUND</td>
</tr>
<tr>
<td>Invalid opcode exception</td>
<td>Any undefined opcode</td>
</tr>
<tr>
<td>Segment overrun exception</td>
<td>Word memory reference with offset = FFFF(H) or an attempt to execute past the end of a segment</td>
</tr>
<tr>
<td>Processor extension error interrupt</td>
<td>ESC or WAIT</td>
</tr>
</tbody>
</table>
The Basic Instruction Set, presented in Chapter 3, comprises the common subset of instructions found on all processors of the iAPX 86 family. Included are instructions for logical and arithmetic operations, data movement, input/output, string manipulation, and transfer of control.

The Extended Instruction Set, presented in Chapter 4, consists of those instructions found only on the iAPX 186 and iAPX 286 processors. Included are instructions for block structured procedure entry and exit, parameter validation, and block I/O transfers.

The System Control Instruction Set, presented in Chapter 10, consists of those instructions unique to the iAPX 286. These instructions control the memory management and protection mechanisms of the iAPX 286.
Basic Instruction Set
CHAPTER 3
BASIC INSTRUCTION SET

The base architecture of the iAPX 286 is identical to the complete instruction set of the iAPX 86, 88, and 186 processors. The iAPX 286 instruction set includes new forms of some instructions. These new forms reduce program size and improve the performance and ease of implementation of source code.

This chapter describes the instructions which programmers can use to write application software for the iAPX 286. The following chapters describe the operation of more complicated I/O and system control instructions.

All instructions described in this chapter are available for both Real Address Mode and Protected Virtual Address Mode operation. The instruction descriptions note any differences that exist between the operation of an instruction in these two modes.

This chapter also describes the operation of each application program-relative instruction and includes an example of using the instruction. The Instruction Dictionary in Appendix B contains formal descriptions of all instructions. Any opcode pattern that is not described in the Instruction Dictionary results in an opcode violation trap (interrupt 6).

3.1 DATA MOVEMENT INSTRUCTIONS

These instructions provide convenient methods for moving bytes or words of data between memory and the registers of the base architecture.

3.1.1 General-Purpose Data Movement Instructions

MOV (Move) transfers a byte or a word from the source operand to the destination operand. The MOV instruction is useful for transferring data to a register from memory, to memory from a register, between registers, immediate-to-register, or immediate-to-memory. Memory-to-memory or segment register-to-segment register moves are not allowed.

Example: MOV DS,AX
Replaces the contents of register DS with the contents of register AX.

XCHG (Exchange) swaps the contents of two operands. This instruction takes the place of three MOV instructions. It does not require a temporary memory location to save the contents of one operand while you load the other.

The XCHG instruction can swap two byte operands or two word operands, but not a byte for a word or a word for a byte. The operands for the XCHG instruction may be two register operands, or a register operand with a memory operand.

Example: XCHG BX,WORDOPRND
Swaps the contents of register BX with the contents of the memory word identified by the label WORDOPRND after asserting bus lock.

3.1.2 Stack Manipulation Instructions

PUSH (Push) decrements the stack pointer (SP) by two and then transfers a word from the source operand to the top of stack indicated by SP. See figure 3-1. PUSH is often used to place parameters on the stack.
before calling a procedure; it is also the basic means of storing temporary variables on the stack. The PUSH instruction operates on memory operands, immediate memory operands (new with the iAPX 286), and register operands (including segment registers).

Example:  
PUSH WORDOPRND  
Transfers a 16-bit value from the memory word identified by the label WORDOPRND to the memory location which represents the current top of stack (byte transfers are not allowed).

Figure 3-1. PUSH  

PUSH decrements SP by 2 bytes and places the operand in the stack at the location to which SP points.
**PUSHA (Push All Registers)** saves the contents of the eight general registers on the stack. See figure 3-2. This instruction simplifies procedure calls by reducing the number of instructions required to retain the contents of the general registers for use in a procedure. PUSHA is complemented by POPA (see below).

The processor pushes the general registers on the stack in the following order: AX, CX, DX, BX, the initial value of SP before AX was pushed, BP, SI, and DI.

Example: **PUSHA**

![PUSHA diagram](image_url)

PUSH A copies the contents of the eight general registers to the stack in the above order. The instruction decrements SP by 16 bytes (8 words) to point to the last word pushed on the stack.

*Figure 3-2. PUSHA*
**BASIC INSTRUCTION SET**

*POP (Pop)* transfers the word at the current top of stack (indicated by SP) to the destination operand, and then increments SP by two to point to the new top of stack. See figure 3-3. POP moves information from the stack to either a register or memory. The only restriction on POP is that it cannot place a value in register CS.

**Example:** POP BX

Replaces the contents of register BX with the contents of the memory location at the top of stack.

*POPA (Pop All Registers)* restores the registers saved on the stack by PUSH

---

*Figure 3-3. POP*

POP copies the contents of the stack location before SP to the operand in the instruction. POP then increments SP by 2 bytes (1 word).
except that it ignores the value of SP. See figure 3-4.

Example: **POPA**

Pops from the stack the saved contents of the general registers, and restores the registers (except SP) to their original state.

### 3.2 FLAG OPERATION WITH THE BASIC INSTRUCTION SET

#### 3.2.1 Status Flags

The status flags of the FLAGS register reflect conditions that result from a previous instruction or instructions. The arithmetic instructions use **OF, SF, ZF, AF, PF, and CF**.

The SCAS (Scan String), CMPS (Compare String), and LOOP instructions use **ZF** to signal that their operations are complete. The base architecture includes instructions to set, clear, and complement CF before execution of an arithmetic instruction. See figure 3-4a and tables 3-1 and 3-2.

#### 3.2.2 Control Flags

The control flags of the FLAGS register determine processor operations for string instructions, maskable interrupts, and debugging.

---

**Figure 3-4. POPA**

POP**A** copies the contents of seven stack locations to the corresponding general registers. POPA discards the stored value of SP.
Setting DF (direction flag) causes string instructions to auto-decrement; that is, to process strings from high addresses to low addresses, or from “right-to-left.” Clearing DF causes string instructions to auto-increment, or to process strings from “left-to-right.”

Setting IF (interrupt flag) allows the CPU to recognize external (maskable) interrupt requests. Clearing IF disables these interrupts. IF has no effect on either internally generated interrupts, nonmaskable external interrupts, or processor extension segment overrun interrupts.

Setting TF (trap flag) puts the processor into single-step mode for debugging. In this mode, the CPU automatically generates an internal interrupt after each instruction, allowing a program to be inspected as it executes each instruction, instruction by instruction.

3.3 ARITHMETIC INSTRUCTIONS

The arithmetic instructions of the iAPX 86-family processors simplify the manipulation of numerical data. Multiplication and division instructions ease the handling of signed and unsigned binary integers as well as unpacked decimal integers.

An arithmetic operation may consist of two register operands, a general register source operand with a memory destination operand, a memory source operand with a register destination operand, or an immediate field with either a register or memory destination operand, but not two memory operands. Arithmetic instructions can operate on either byte or word operands.
### Table 3-1. Status Flags’ Functions

<table>
<thead>
<tr>
<th>Bit Position</th>
<th>Name</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>CF</td>
<td>Carry Flag—Set on high-order bit carry or borrow; cleared otherwise</td>
</tr>
<tr>
<td>2</td>
<td>PF</td>
<td>Parity Flag—Set if low-order eight bits of result contain an even number of 1 bits; cleared otherwise</td>
</tr>
<tr>
<td>4</td>
<td>AF</td>
<td>Set on carry from or borrow to the low order four bits of AL; cleared otherwise</td>
</tr>
<tr>
<td>6</td>
<td>ZF</td>
<td>Zero Flag—Set if result is zero; cleared otherwise</td>
</tr>
<tr>
<td>7</td>
<td>SF</td>
<td>Sign Flag—Set equal to high-order bit of result (0 if positive, 1 if negative)</td>
</tr>
<tr>
<td>11</td>
<td>OF</td>
<td>Overflow Flag—Set if result is too-large a positive number or too-small a negative number (excluding sign-bit) to fit in destination operand; cleared otherwise</td>
</tr>
</tbody>
</table>

### Table 3-2. Control Flags’ Functions

<table>
<thead>
<tr>
<th>Bit Position</th>
<th>Name</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>8</td>
<td>TF</td>
<td>Single Step Flag—Once set, a single step interrupt occurs after the next instruction executes. TF is cleared by the single step interrupt.</td>
</tr>
<tr>
<td>9</td>
<td>IF</td>
<td>Interrupt-enable Flag—When set, maskable interrupts will cause the CPU to transfer control to an interrupt vector-specified location.</td>
</tr>
<tr>
<td>10</td>
<td>DF</td>
<td>Direction Flag—Causes string instructions to auto decrement the appropriate index registers when set. Clearing DF causes auto increment.</td>
</tr>
</tbody>
</table>

### 3.3.1 Addition Instructions

**ADD (Add Integers)** replaces the destination operand with the sum of the source and destination operands. ADD affects OF, SF, AF, PF, CF, and ZF.

Example: ADD BL, BYTEOPRND

Adds the contents of the memory byte labeled BYTEOPRND to the contents of BL, and replaces BL with the resulting sum.

**ADC (Add Integers with Carry)** sums the operands, adds one if CF is set, and replaces the destination operand with the result. ADC can be used to add numbers longer than 16 bits. ADC affects OF, SF, AF, PF, CF, and ZF.

Example: ADC BX, CX

Replaces the contents of the destination operand BX with the sum of BX, CS, and 1 (if CF is set). If CF is cleared, ADC performs the same operation as the ADD instruction.

**INC (Increment)** adds one to the destination operand. The processor treats the operand as an unsigned binary number. INC updates AF, OF, PF, SF, and ZF, but it does not affect CF. Use ADD with an immediate value of 1 if an increment that updates carry (CF) is needed.

Example: INC BL

Adds 1 to the contents of BL.

### 3.3.2 Subtraction Instructions

**SUB (Subtract Integers)** subtracts the source operand from the destination operand and replaces the destination operand with the result. If a borrow is required, carry flag is
BASIC INSTRUCTION SET

set. The operands may be signed or unsigned bytes or words. SUB affects OF, SF, ZF, AF, PF, and CF.

Example:  SUB WORDOPRND, AX

Replaces the contents of the destination operand WORDOPRND with the result obtained by subtracting the contents of AX from the contents of the memory word labeled WORDOPRND.

SBB (Subtract Integers with Borrow) subtracts the source operand from the destination operand, subtracts 1 if CF is set, and returns the result to the destination operand. The operands may be signed or unsigned bytes or words. SBB may be used to subtract numbers longer than 16 bits. This instruction affects OF, SF, ZF, AF, PF, and CF. The carry flag is set if a borrow is required.

Example:  SBB BL, 32

Subtracts 32 from the contents of BL and then decrements the result of this subtraction by one if CF is set. If CF is cleared, SBB performs the same operation as SUB.

DEC (Decrement) subtracts 1 from the destination operand. DEC updates AF, OF, PF, SF, and ZF, but it does not affect CF. Use SUB with an immediate value of 1 to perform a decrement that affects carry.

Example:  DEC BX

Subtracts 1 from the contents of BX and places the result back in BX.

3.3.3 Multiplication Instructions

MUL (Unsigned Integer Multiply) performs an unsigned multiplication of the source operand and the accumulator. If the source is a byte, the processor multiplies it by the contents of AL and returns the double-length result to AH and AL.

If the source operand is a word, the processor multiplies it by the contents of AX and returns the double-length result to DX and AX. MUL sets CF and OF to indicate that the upper half of the result is nonzero; otherwise, they are cleared. This instruction leaves SF, ZF, AF, and PF undefined.

Example:  MUL BX

Replaces the contents of DX and AX with the product of BX and AX. The low-order 16 bits of the result replace the contents of AX; the high-order word goes to DX. The processor sets CF and OF if the unsigned result is greater than 16 bits.

IMUL (Signed Integer Multiply) performs a signed multiplication operation. IMUL uses AX and DX in the same way as the MUL instruction, except when used in the immediate form.

The immediate form of IMUL allows the specification of a destination register other than the combination of DX and AX. In this case, the result cannot exceed 16 bits without causing an overflow. If the immediate operand is a byte, the processor automatically extends it to 16 bits before performing the multiplication.

The immediate form of IMUL may also be used with unsigned operands because the low 16 bits of a signed or unsigned multiplication of two 16-bit values will always be the same.

IMUL clears CF and OF to indicate that the upper half of the result is the sign of the lower
This instruction leaves SF, ZF, AF, and PF undefined.

Example: \texttt{IMUL BL}

Replaces the contents of AX with the product of BL and AL. The processor sets CF and OF if the result is more than 8 bits long.

Example: \texttt{IMUL BX, SI, 5}

Replaces the contents of BX with the product of the contents of SI and an immediate value of 5. The processor sets CF and OF if the signed result is longer than 16 bits.

### 3.3.4 Division Instructions

\textit{DIV (Unsigned Integer Divide)} performs an unsigned division of the accumulator by the source operand. If the source operand is a byte, it is divided into the double-length dividend assumed to be in registers AL and AH (AH = most significant byte; AL = least significant byte). The single-length quotient is returned in AL, and the single-length remainder is returned in AH.

If the source operand is a word, it is divided into the double-length dividend in registers AX and DX. The single-length quotient is returned in AX, and the single-length remainder is returned in DX. Non-integral quotients are truncated to integers toward 0. The remainder is always less than the quotient.

For unsigned byte division, the largest quotient is 255. For unsigned word division, the largest quotient is 65,535. DIV leaves OF, SF, ZF, AF, PF, and CF undefined. Interrupt (INT 0) occurs if the divisor is zero or if the quotient is too large for AL or AX.

Example: \texttt{DIV BX}

Replaces the contents of AX with the unsigned quotient of the doubleword value contained in DX and AX, divided by BX. The unsigned modulo replaces the contents of DX.

Example: \texttt{DIV BL}

Replaces the contents of AL with the unsigned quotient of the word value in AX, divided by BL. The unsigned modulo replaces the contents of AH.

\textit{IDIV (Signed Integer Divide)} performs a signed division of the accumulator by the source operand. IDIV uses the same registers as the DIV instruction.

For signed byte division, the maximum positive quotient is +127 and the minimum negative quotient is \(-128\). For signed word division, the maximum positive quotient is +32,767 and the minimum negative quotient is \(-32,768\). Non-integral results are truncated towards 0. The remainder will always have the same sign as the dividend and will be less than the divisor in magnitude. IDIV leaves OF, SF, ZF, AF, PF, and CF undefined. A division by zero causes an interrupt (INT 0) to occur if the divisor is 0 or if the quotient is too large for AL or AX.

Example: \texttt{IDIV WORDOPRND}

Replaces the contents of AX with the signed quotient of the doubleword value contained in DX and AX, divided by the value contained in the memory word labeled \texttt{WORDOPRND}. The signed modulo replaces the contents of DX.
3.4 LOGICAL INSTRUCTIONS

The group of logical instructions includes the Boolean operation instructions, rotate and shift instructions, type conversion instructions, and the no-operation (NOP) instruction.

3.4.1 Boolean Operation Instructions

Except for the NOT and NEG instructions, the Boolean operation instructions can use two register operands, a general purpose register operand with a memory operand, an immediate operand with a general purpose register operand, or a memory operand. The NOT and NEG instructions are unary operations that use a single operand in a register or memory.

AND (And) performs the logical “and” of the operands (byte or word) and returns the result to the destination operand. AND clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example: AND WORDOPRND, BX

Replaces the contents of WORDOPRND with the logical “and” of the contents of the memory word labeled WORDOPRND and the contents of BX.

NOT (Not) inverts the bits in the specified operand to form a one’s complement of the operand. NOT has no effect on the flags.

Example: NOT BYTEOPRND

Replaces the original contents of BYTEOPRND with the one’s complement of the contents of the memory word labeled BYTEOPRND.

OR (Or) performs the logical “inclusive or” of the two operands and returns the result to the destination operand. OR clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example: OR AL,5

Replaces the original contents of AL with the logical “inclusive or” of the contents of AL and the immediate value 5.

XOR (Exclusive OR) performs the logical “exclusive or” of the two operands and returns the result to the destination operand. XOR clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF.

Example: XOR DX, WORDOPRND

Replaces the original contents of DX with the logical “exclusive or” or the contents of DX and the contents of the memory word labeled WORDOPRND.

NEG (Negate) forms a two’s complement of a signed byte or word operand. The effect of NEG is to reverse the sign of the operand from positive to negative or from negative to positive. NEG updates OF, SF, ZF, AF, PF, and CF.

Example: NEG AX

Replaces the original contents of AX with the two’s complement of the contents of AX.

3.4.2 Shift and Rotate Instructions

The shift and rotate instructions reposition the bits within the specified operand. The shift instructions provide a convenient way to accomplish division or multiplication by binary power. The rotate instructions are useful for bit testing.
3.4.2.1 SHIFT INSTRUCTIONS

The bits in bytes and words may be shifted arithmetically or logically. Depending on the value of a specified count, up to 31 shifts may be performed.

A shift instruction can specify the count in one of three ways. One form of shift instruction implicitly specifies the count as a single shift. The second form specifies the count as an immediate value. The third form specifies the count as the value contained in CL. This last form allows the shift count to be a variable that the program supplies during execution.

Shift instructions affect the flags as follows. AF is always undefined following a shift operation. PF, SF, and ZF are updated normally as in the logical instructions.

CF always contains the value of the last bit shifted out of the destination operand. In a single-bit shift, OF is set if the value of the high-order (sign) bit was changed by the operation. Otherwise, OF is cleared. Following a multibit shift, however, the content of OF is always undefined.

*SAL (Shift Arithmetic Left)* shifts the destination byte or word operand left by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). The processor shifts zeros in from the right side of the operand as bits exit from the left side. See figure 3-5.

Example: SAL BL,2

Shifts the contents of BL left by 2 bits and replaces the two low-order bits with zeros.

Example: SAL BL,1

Shifts the contents of BL left by 1 bit and replaces the low-order bit with a zero. Because the processor does not have to decode the immediate count operand to obtain the shift count, this form of the instruction takes 2 clock cycles rather than the 6 clock cycles (5 cycles + 1 cycle for each bit shifted) required by the previous example.

*SHL (Shift Logical Left)* is physically the same instruction as SAL (see SAL above).

*SHR (Shift Logical Right)* shifts the destination byte or word operand right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). The processor shifts zeros in from the left side of the operand as bits exit from the right side. See figure 3-6.

Both SAL and SHL shift the bits in the register or memory operand to the left by the specified number of bit positions. CF receives the last bit shifted out of the left of the operand. SAL and SHL shift in zeros to fill the vacated bit locations. These instructions operate on byte operands as well as word operands.

Figure 3-5. SAL and SHL
Example:  SHR BYTEOPRND, CL

Shifts the contents of the memory byte labeled BYTEOPRND right by the number of bits specified in CL, and pads the left side of BYTEOPRND with an equal number of zeros.

*SAR (Shift Arithmetic Right)* shifts the destination byte or word operand to the right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). The processor preserves the sign of the operand by shifting in zeros on the left side if the value is positive or by shifting by ones if the value is negative. See figure 3-7.

Example:  SAR WORDPRND, l

Shifts the contents of the memory byte labeled WORDPRND right by one, and replaces the high-order sign bit with a value equal to the original sign of WORDPRND.

---

<table>
<thead>
<tr>
<th>Before SHR</th>
<th>After SHR</th>
<th>After SHR By 1 Bit</th>
<th>After SHR By 10 Bits</th>
</tr>
</thead>
<tbody>
<tr>
<td>1 1 0 0 1 1 1 1 0 1 1 1 0 0 0 1</td>
<td>X</td>
<td>0 1 1 0 0 1 1 1 1 0 1 1 1 0 0 0 1</td>
<td>0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 1</td>
</tr>
<tr>
<td>OPERAND</td>
<td>CF</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

*SHR* shifts the bits in the register or memory operand to the right by the specified number of bit positions. *CF* receives the last bit shifted out of the right of the operand. SHR shifts in zeros to fill the vacated bit locations. This instruction operates on byte operands as well as word operands.

**Figure 3-6. SHR**

<table>
<thead>
<tr>
<th>Before SAR With A Positive Operand</th>
<th>After SAR With A Positive Operand Shifted 1 Bit</th>
<th>Before SAR With A Negative Operand</th>
<th>After SAR With A Negative Operand Shifted 6 Bits</th>
</tr>
</thead>
<tbody>
<tr>
<td>0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1</td>
<td>X</td>
<td>0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0</td>
<td>1</td>
</tr>
<tr>
<td>OPERAND</td>
<td>CF</td>
<td>OPERAND</td>
<td>CF</td>
</tr>
</tbody>
</table>

*SAR* preserves the sign of the register or memory operand as it shifts the operand to the right the specified number of bit positions. *CF* receives the last bit shifted out of the right of the operand. This instruction also operates on byte operands.

**Figure 3-7. SAR**

3-12
3.4.2.2 ROTATE INSTRUCTIONS

Rotate instructions allow bits in bytes and words to be rotated. Bits rotated out of an operand are not lost as in a shift, but are "circled" back into the other "end" of the operand.

Rotates affect only the carry and overflow flags. CF may act as an extension of the operand in two of the rotate instructions, allowing a bit to be isolated and then tested by a conditional jump instruction (JC or JNC). CF always contains the value of the last bit rotated out, even if the instruction does not use this bit as an extension of the rotated operand.

In single-bit rotates, OF is set if the operation changes the high-order (sign) bit of the destination operand. If the sign bit retains its original value, OF is cleared. On multibit rotates, the value of OF is always undefined.

**ROL (Rotate Left)** rotates the byte or word destination operand left by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). For each rotation specified, the high-order bit that exists from the left of the operand returns at the right to become the new low-order bit of the operand. See figure 3-8.

Example: ROL AL, 8

Rotates the contents of AL left by 8 bits. This rotate instruction returns AL to its original state but isolates the low-order bit in CF for testing by a JC or JNC instruction.

ROL shifts the bits in the memory or register operand to the left by the specified number of bit positions. It copies the bit shifted out of the left of the operand into the right of the operand. The last bit shifted into the least significant bit of the operand also appears in CF. This instruction also operates on byte operands.

Figure 3-8. ROL
ROR (Rotate Right) rotates the byte or word destination operand right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL). For each rotation specified, the low-order bit that exits from the right of the operand returns at the left to become the new high-order bit of the operand. See figure 3-9.

Example:  
ROR WORDOPRND, CL  
Rotates the contents of the memory word labeled WORDOPRND by the number of bits specified by the value contained in CL. CF reflects the value of the last bit rotated from the right to the left side of the operand.

![Diagram](image-url)

ROR shifts the bits in the memory or register operand to the right by the specified number of bit positions. It copies each bit shifted out of the right of the operand into the left of the operand. The last bit shifted into the most significant bit of the operand also appears in CF. This instruction also operates on byte operands.

Figure 3-9. ROR
RCL (Rotate Through Carry Left) rotates bits in the byte or word destination operand left by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL).

This instruction differs from ROL in that it treats CF as a high-order 1-bit extension of the destination operand. Each high-order bit that exits from the left side of the operand moves to CF before it returns to the operand as the low-order bit on the next rotation cycle. See figure 3-10.

Example: RCL BX,1

Rotates the contents of BX left by one bit. The high-order bit of the operand moves to CF, the remaining 15 bits move left one position, and the original value of CF becomes the new low-order bit.

Figure 3-10. RCL
RCR (Rotate Through Carry Right) rotates bits in the byte or word destination operand right by one or by the number of bits specified in the count operand (an immediate value or the value contained in CL).

This instruction differs from ROR in that it treats CF as a low-order 1-bit extension of the destination operand. Each low-order bit that exits from the right side of the operand moves to CF before it returns to the operand as the high-order bit on the next rotation cycle. See figure 3-11.

Example: RCR BYTEOPRND,3
Rotates the contents of the memory byte labeled BYTEOPRND to the right by 3 bits. Following the execution of this instruction, CF reflects the original value of bit number 5 of BYTEOPRND, and the original value of CF becomes bit 2.

Figure 3-11. RCR
3.4.3 Type Conversion and No-Operation Instructions

The type conversion instructions prepare operands for division. The NOP instruction is a 1-byte filler instruction with no effect on registers or flags.

*CWD (Convert Word to Double-Word)* extends the sign of the word in register AX throughout register DX. CWD does not affect any flags. CWD can be used to produce a double-length (double-word) dividend from a word before a word division.

*CBW (Convert Byte to Word)* extends the sign of the byte in register AL throughout AX. CBW does not affect any flags.

Example: CWD

Sign-extends the 16-bit value in AX to a 32-bit value in DX and AX with the high-order 16-bits occupying DX.

*NOP (No Operation)* occupies a byte of storage but affects nothing but the instruction pointer, IP. The amount of time that a NOP instruction requires for execution varies in proportion to the CPU clocking rate. This variation makes it inadvisable to use NOP instructions in the construction of timing loops because the operation of such a program will not be independent of the system hardware configuration.

Example: NOP

The processor performs no operation for 2 clock cycles.

3.5 TEST AND COMPARE INSTRUCTIONS

The test and compare instructions are similar in that they do not alter their operands. Instead, these instructions perform operations that only set the appropriate flags to indicate the relationship between the two operands.

*TEST (Test)* performs the logical “and” of the two operands, clears OF and DF, leaves AF undefined, and updates SF, ZF, and PF. The difference between TEST and AND is that TEST does not alter the destination operand.

Example: TEST BL,32

Performs a logical “and” and sets SF, ZF, and PF according to the results of this operation. The contents of BL remain unchanged.

*CMP (Compare)* subtracts the source operand from the destination operand. It updates OF, SF, ZF, AF, PF, and CF but does not alter the source and destination operands. A subsequent signed or unsigned conditional transfer instruction can test the result using the appropriate flag result.

CMP can compare two register operands, a register operand and a memory operand, a register operand and an immediate operand, or an immediate operand and a memory operand. The operands may be words or bytes, but CMP cannot compare a byte with a word.

Example: CMP BX,32

Subtracts the immediate operand, 32, from the contents of BX and sets OF, SF, ZF, AF, PF, and CF to reflect the result. The contents of BX remain unchanged.

3.6 CONTROL TRANSFER INSTRUCTIONS

The iAPX 286 provides both conditional and unconditional program transfer instructions to direct the flow of execution. Conditional program transfers depend on the results of operations that affect the flag register. Unconditional program transfers are always executed.
3.6.1 Unconditional Transfer Instructions

JMP, CALL, RET, INT and IRET instructions transfer control from one code segment location to another. These locations can be within the same code segment or in different code segments.

3.6.1.1 JUMP INSTRUCTION

JMP (Jump) unconditionally transfers control to the target location. JMP is a one-way transfer of execution; it does not save a return address on the stack.

The JMP instruction always performs the same basic function of transferring control from the current location to a new location. Its implementation varies depending on the following factors:

- Is the address specified directly within the instruction or indirectly through a register or memory?
- Is the target location inside or outside the current code segment selected in CS?

A direct JMP instruction includes the destination address as part of the instruction. An indirect JMP instruction obtains the destination address indirectly through a register or a pointer variable.

Control transfers through a gate or to a task state segment are available only in Protected Mode operation of the iAPX 286. The formats of the instructions that transfer control through a call gate, a task gate, or to a task state segment are the same. The label included in the instruction selects one of these three paths to a new code segment.

Direct JMP within the current code segment. A direct JMP that transfers control to a target location within the current code segment uses a relative displacement value contained in the instruction. This can be either a 16-bit value or an 8-bit value sign extended to 16 bits. The processor forms an effective address by adding this relative displacement to the address contained in IP. IP refers to the next instruction when the additions are performed.

Example: JMP NEAR_NEWCODE

Transfers control to the target location labeled NEAR_NEWCODE, which is within the code segment currently selected in CS.

Indirect JMP within the current code segment. Indirect JMP instructions that transfer control to a location within the current code segment specify an absolute address in one of several ways. First, the program can JMP to a location specified by a 16-bit register (any of AX, DX, CX, BX, BP, SI, or DI). The processor moves this 16-bit value into IP and resumes execution.

Example: JMP SI

Transfers control to the target address formed by adding the 16-bit value contained in SI to the base address contained in CS.

The processor can also obtain the destination address within a current segment from a memory word operand specified in the instruction.

Example: JMP PTR_X

Transfers control to the target address formed by adding the 16-bit value contained in the memory word labeled PTR X to the base address contained in CS.

A register can modify the address of the memory word pointer to select a destination address.
Example:  JMP CASE_TABLE [BX]

CASE_TABLE is the first word in an array of word pointers. The value of BX determines which pointer the program selects from the array. The JMP instruction then transfers control to the location specified by the selected pointer.

Direct JMP outside of the current code segment. Direct JMP instructions that specify a target location outside the current code segment contain a full 32-bit pointer. This pointer consists of a selector for the new code segment and an offset within the new segment.

Example:  JMP FAR_NEWCODE_FOO

Places the selector contained in the instruction into CS and the offset into IP. The program resumes execution at this location in the new code segment.

Indirect JMP outside of the current code segment. Indirect JMP instructions that specify a target location outside the current code segment use a double-word variable to specify the pointer.

Example:  JMP NEWCODE

NEWCODE the first word of two consecutive words in memory which represent the new pointer. NEWCODE contains the new offset for IP and the word following NEWCODE contains the selector for CS. The program resumes execution at this location in the new code segment. (Protected mode programs treat this differently. See Chapters 6 and 7).

Direct JMP outside of the current code segment to a call gate. If the selector included with the instruction refers to a call gate, then the processor ignores the offset in the instruction and takes the pointer of the routine being entered from the call gate.

JMP outside of current code segment may only go to the same level.

Example:  JMP CALL_GATE_FOO

The selector in the instruction refers to the call gate CALL_GATE_FOO, and the call gate actually provides the new contents of CS and IP to specify the address of the next instructions.

Indirect JMP outside the current code segment to a call gate. If the selector specified by the instruction refers to a call gate, the processor ignores the offset in the double-word and takes the address of the routine being entered from the call gate. The JMP instruction uses the same format to indirectly specify a task gate or a task state segment.

Example:  JMP CASE_TABLE [BX]

The instruction refers to the double-word in the array of pointers called CASE_TABLE. The specific double-word chosen depends on the value in BX when the instruction executes. The selector portion of this double-word selects a call gate, and the processor takes the address of the routine being entered from the call gate.
3.6.1.2 CALL INSTRUCTION

CALL (Call Procedure) activates an out-of-line procedure, saving on the stack the address of the instruction following the CALL for later use by a RET (Return) instruction. An intrasegment CALL places the current value of IP on the stack. An intersegment CALL places both the value of IP and CS on the stack. The RET instruction in the called procedure uses this address to transfer control back to the calling program.

A long CALL instruction that invokes a task-switch stores the outgoing task's task state segment selector in the incoming task state segment's link field and sets the nested task flag in the new task. In this case, the IRET instruction takes the place of the RET instruction to return control to the nested task.

Examples:

CALL NEAR_NEWCODE
CALL SI
CALL PTR_X
CALL CASE_TABLE [BP]
CALL FAR_NEWCODE_FOO
CALL NEWCODE
CALL CALL_GATE_FOO
CALL CASE_TABLE [BX]

See the previous treatment of JMP for a discussion of the operations of these instructions.

3.6.1.3 RETURN AND RETURN FROM INTERRUPT INSTRUCTION

RET (Return From Procedure) terminates the execution of a procedure and transfers control through a back-link on the stack to the program that originally invoked the procedure.

An intrasegment RET restores the value of IP that was saved on the stack by the previous intrasegment CALL instruction. An intersegment RET restores the values of both CS and IP which were saved on the stack by the previous intersegment CALL instruction.

RET instructions may optionally specify a constant to the stack pointer. This constant specifies the new top of stack to effectively remove any arguments that the calling program pushed on the stack before the execution of the CALL instruction.

Example: RET

If the previous CALL instruction did not transfer control to a new code segment, RET restores the value of IP pushed by the CALL instruction. If the previous CALL instruction transferred control to a new segment, RET restores the values of both IP and CS which were pushed on the stack by the CALL instruction.

Example: RET n

This form of the RET instruction performs identically to the above example except that it adds n (must be an even value) to the value of SP to eliminate 8 bytes of parameter information previously pushed by the calling program.

IRET (Return From Interrupt or Nested Task) returns control to an interrupted routine or, optionally, reverses the action of a CALL or INT instruction that caused a task switch. See Chapter 8 for further information on task switching.

Example: IRET

Returns from an interrupt with or without a task-switch based on the value of the NT bit.
BASIC INSTRUCTION SET

3.6.2 Conditional Transfer Instructions
The conditional transfer instructions are jumps that may or may not transfer control, depending on the state of the CPU flags when the instruction executes. The target for all conditional jumps must be in the current code segment and within $-128$ to $+127$ bytes of the first byte of the next instruction.

3.6.2.1 CONDITIONAL JUMP INSTRUCTIONS
Table 3-3 shows the conditional transfer mnemonics and their interpretations. The conditional jumps that are listed as pairs are actually the same instruction. The instruction set provides the alternate mnemonics for greater clarity within a program listing.

3.6.2.2 LOOP INSTRUCTIONS
The loop instructions are conditional jumps that use a value placed in CX to specify the number of repetitions of a software loop. All loop instructions automatically decrement CX and terminate the loop when CX=0. Four of the five loop instructions specify a condition of ZF that terminates the loop before CX decrements to zero.

LOOP (Loop While CX Not Zero) is a conditional transfer that auto-decrements the CX register before testing CX for the branch condition. If CX is non-zero, the program branches to the target label specified in the instruction. The LOOP instruction causes the repetition of a code section until the operation of the LOOP instruction decrements CX to a value of zero. If LOOP finds CX=0, control transfers to the instruction immediately following the LOOP instruction. If the value of CX is initially zero, then the LOOP executes 65536 times.

<table>
<thead>
<tr>
<th>Mnemonic</th>
<th>Condition Tested</th>
<th>&quot;Jump If...&quot;</th>
</tr>
</thead>
<tbody>
<tr>
<td>JA/JNBE</td>
<td>(CF or ZF) = 0</td>
<td>above/not below nor equal</td>
</tr>
<tr>
<td>JAE/JNB</td>
<td>CF = 0</td>
<td>above or equal/not below</td>
</tr>
<tr>
<td>JB/JNAE</td>
<td>CF = 1</td>
<td>below/not above nor equal</td>
</tr>
<tr>
<td>JBE/JNA</td>
<td>(CF or ZF) = 1</td>
<td>below or equal/not above</td>
</tr>
<tr>
<td>JC</td>
<td>CF = 1</td>
<td>carry</td>
</tr>
<tr>
<td>JE/JZ</td>
<td>ZF = 1</td>
<td>equal/zero</td>
</tr>
<tr>
<td>JNC</td>
<td>CF = 0</td>
<td>not carry</td>
</tr>
<tr>
<td>JNE/JNZ</td>
<td>ZF = 0</td>
<td>not equal/not zero</td>
</tr>
<tr>
<td>JNP/JPO</td>
<td>PF = 0</td>
<td>not parity/parity odd</td>
</tr>
<tr>
<td>JP/JPE</td>
<td>PF = 1</td>
<td>parity/parity even</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Mnemonic</th>
<th>Condition Tested</th>
<th>&quot;Jump If...&quot;</th>
</tr>
</thead>
<tbody>
<tr>
<td>JG/JNLE</td>
<td>((SF xor OF) or ZF) = 0</td>
<td>greater/not less nor equal</td>
</tr>
<tr>
<td>JGE/JNL</td>
<td>(SF xor OF) = 0</td>
<td>greater or equal/not less</td>
</tr>
<tr>
<td>JL/JNGE</td>
<td>(SF xor OF) = 0</td>
<td>less/not greater nor equal</td>
</tr>
<tr>
<td>JLE/JNGE</td>
<td>((SF xor OF) or ZF) = 1</td>
<td>less or equal/not greater</td>
</tr>
<tr>
<td>JNO</td>
<td>OF = 0</td>
<td>not overflow</td>
</tr>
<tr>
<td>JNS</td>
<td>SF = 0</td>
<td>not sign</td>
</tr>
<tr>
<td>JO</td>
<td>OF = 1</td>
<td>overflow</td>
</tr>
<tr>
<td>JS</td>
<td>SF = 1</td>
<td>sign</td>
</tr>
</tbody>
</table>

Table 3-3. Interpretation of Conditional Transfers
Example: LOOP START_LOOP

Each time the program encounters this instruction, it decrements CX and then tests it. If the value of CX is non-zero, then the program branches to the instruction labeled START_LOOP. If the value in CX is zero, then the program continues with the instruction that follows the LOOP instruction.

**LOOPE** (Loop While Equal) and **LOOPZ** (Loop While Zero) are physically the same instruction. These instructions auto-decrement the CX register before testing CX and ZF for the branch conditions. If CX is non-zero and ZF=1, the program branches to the target label specified in the instruction. If LOOPE or LOOPZ finds that CX=0 or ZF=0, control transfers to the instruction immediately succeeding the LOOPE or LOOPZ instruction.

Example: LOOPE START_LOOP (or LOOPZ START_LOOP)

Each time the program encounters this instruction, it decrements CX and tests CX and ZF. If the value of CX is non-zero and the value of ZF is 0, the program branches to the instruction labeled START_LOOP. If CX=0 or ZF = 1, the program continues with the instruction that follows the LOOPE (or LOOPZ) instruction.

**LOOPNE** (Loop While Not Equal) and **LOOPNZ** (Loop While Not Zero) are physically the same instruction. These instructions auto-decrement the CX register before testing CX and ZF for the branch conditions. If CX is non-zero and ZF=0, the program branches to the target label specified in the instruction. If LOOPNE or LOOPNZ finds that CX=0 or ZF=1, control transfers to the instruction immediately succeeding the LOOPNE or LOOPNZ instruction.

Example: LOOPNE START_LOOP (or LOOPNZ START_LOOP)

Each time the program encounters this instruction, it decrements CX and tests CX and ZF. If the value of CX is non-zero and the value of ZF is 0, the program branches to the instruction labeled START_LOOP. If CX=0 or ZF = 1, the program continues with the instruction that follows the LOOPNE (or LOOPNZ) instruction.

3.6.2.3 EXECUTING A LOOP OR REPEAT ZERO TIMES

**JCXZ** (Jump if CX Zero) branches to the label specified in the instruction if it finds a value of zero in CX. Sometimes, it is desirable to design a loop that executes zero times if the count variable in CX is initialized to zero. Because the loop instructions (and repeat prefixes) decrement CX before they test it, a loop will execute 65536 times if the program enters the loop with a zero value in CX. A programmer may conveniently overcome this problem with JCXZ, which enables the program to branch around the code within the loop if CX is zero when JCXZ executes.

Example: JCXZ TARGETLABEL

Causes the program to branch to the instruction labeled TARGETLABEL if CX=0 when the instruction executes.
3.6.3 Software-Generated Interrupts

The INT and INTO instructions allow the programmer to specify a transfer to an interrupt service routine from within a program.

3.6.3.1 SOFTWARE INTERRUPT INSTRUCTION

INT (Software Interrupt) activates the interrupt service routine that corresponds to the number coded within the instruction. Interrupt type 3 is reserved for internal software-generated interrupts. However, the INT instruction may specify any interrupt type to allow multiple types of internal interrupts or to test the operation of a service routine. The interrupt service routine terminates with an IRET instruction that returns control to the instruction that follows INT.

Example: INT 3
Transfers control to the interrupt service routine specified by a type 3 interrupt.

Example: INT 0
Transfers control to the interrupt service routine specified by a type 0 interrupt, which is reserved for a divide error.

INTO (Interrupt on Overflow) invokes a type 4 interrupt if OF is set when the INTO instruction executes. The type 4 interrupt is reserved for this purpose.

Example: INTO
If the result of a previous operation has set OF and no intervening operation has reset OF, then INTO invokes a type 4 interrupt. The interrupt service routine terminates with an IRET instruction, which returns control to the instruction following INTO.

3.7 CHARACTER TRANSLATION AND STRING INSTRUCTIONS

The instructions in this category operate on characters or string elements rather than on logical or numeric values.

3.7.1 Translate Instruction

XLAT (Translate) replaces a byte in the AL register with a byte from a user-coded translation table. When XLAT is executed, AL should have the unsigned index to the table addressed by BX. XLAT changes the contents of AL from table index to table entry. BX is unchanged. The XLAT instruction is useful for translating from one coding system to another such as from ASCII to EBCDIC. The translate table may be up to 256 bytes long. The value placed in the AL register serves as an index to the location of the corresponding translation value. Used with a LOOP instruction, the XLAT instruction can translate a block of codes up to 64K bytes long.

Example: XLAT
Replaces the byte in AL with the byte from the translate table that is selected by the value in AL.

3.7.2 String Manipulation Instructions and Repeat Prefixes

The string instructions (also called primitives) operate on string elements to move, compare, and scan byte or word strings. One-byte repeat prefixes can cause the operation of a string primitive to be repeated to process strings as long as 64K bytes.

The repeated string primitives use the direction flag, DF, to specify left-to-right or right-to-left string processing, and use a count in CX to limit the processing operation. These instructions use the register pair DS:SI to point to the source string element and the register pair ES:DI to point to the destination.
One of two possible opcodes represent each string primitive, depending on whether it is operating on byte strings or word strings. The string primitives are generic and require one or more operands along with the primitive to determine the size of the string elements being processed. These operands do not determine the addresses of the strings; the addresses must already be present in the appropriate registers.

Each repetition of a string operation using the Repeat prefixes includes the following steps:

1. Acknowledge pending interrupts.
2. Check CX for zero and stop repeating if CX is zero.
3. Perform the string operation once.
4. Adjust the memory pointers in DS:SI and ES:DI by incrementing SI and DI if DF is 0 or by decrementing SI and DI if DF is 1.
5. Decrement CX (this step does not affect the flags).
6. For SCAS (Scan String) and CMPS (Compare String), check ZF for a match with the repeat condition and stop repeating if the ZF fails to match.

The Load String and Store String instructions allow a program to perform arithmetic or logical operations on string characters (using AX for word strings and AL for byte strings). Repeated operations that include instructions other than string primitives must use the loop instructions rather than a repeat prefix.

### 3.7.2.1 STRING MOVEMENT INSTRUCTIONS

**REP** (Repeat While CX Not Zero) specifies a repeated operation of a string primitive. The REP prefix causes the hardware to automatically repeat the associated string primitive until CX=0. This form of iteration allows the CPU to process strings much faster than would be possible with a regular software loop.

When the REP prefix accompanies a MOVS instruction, it operates as a memory-to-memory block transfer. To set up for this operation, the program must initialize CX and the register pairs DS:SI and ES:DI. CX specifies the number of bytes or words in the block.

If DF=0, the program must point DS:SI to the first element of the source string and point ES:DI to the destination address for the first element. If DF=1, the program must point these two register pairs to the last element of the source string and to the destination address for the last element, respectively.

Example: **REP MOVSW**

The processor checks the value in CX for zero. If this value is not zero, the processor moves a word from the location pointed to by DS:SI to the location pointed to by ES:DI and increments SI and DI by two (if DF=0). Next, the processor decrements CX by one and returns to the beginning of the repeat cycle to check CX again. After CX decrements to zero, the processor executes the instruction that follows.

**MOVS** (Move String) moves the string character pointed to by the combination of DS and SI to the location pointed to by the combination of ES and DI. This is the only memory-to-memory transfer supported by the instruction set of the base architecture. MOVSB operates on byte elements. The destination segment register cannot be overridden by a segment override prefix while the source segment register can be overridden.
Example: MOVSW

Moves the contents of the memory byte pointed to by DS:SI to the location pointed to by ES:DI.

3.7.2.2 OTHER STRING OPERATIONS

**CMPS (Compare String)** subtracts the destination string element (ES:DI) from the source string element (DS:SI) and updates the flags AF, SF, PF, CF and OF. If the string elements are equal, $ZF=1$; otherwise, $ZF=0$. If $DF=0$, the processor increments the memory pointers (SI and DI) for the two strings. The segment register used for the source address can be changed with a segment override prefix while the destination segment register cannot be overridden.

Example: CMPSB

Compares the source and destination string elements with each other and returns the result of the comparison to $ZF$.

**SCAS (Scan String)** subtracts the destination string element at ES:DI from AX or AL and updates the flags AF, SF, ZF, PF, CF and OF. If the values are equal, $ZF=1$; otherwise, $ZF=0$. If $DF=0$, the processor increments the memory pointer (DI) for the string. The segment register used for the source address can be changed with a segment override prefix while the destination segment register cannot be overridden.

Example: SCASW

Compares the value in AX with the destination string element.

**REPE/REPZ (Repeat While CX Equal/Zero)** and **REPNE/REPNZ (Repeat While CX Not Equal/Not Zero)** are the prefixes that are used exclusively with the SCAS (Scan String) and CMPS (Compare String) primitives.

The difference between these two types of prefix bytes is that REPE/REPZ terminates when $ZF=0$ and REPNE/REPNZ terminates when $ZF=1$. $ZF$ does not require initialization before execution of a repeated string instruction.

When these prefixes modify either the SCAS or CMPS primitives, the processor compares the value of the current string element with the value in AX for word elements or with the value in AL for byte elements. The resulting state of $ZF$ can then limit the operation of the repeated operation as well as a zero value in CX.

Example: REPE SCASB

Causes the processor to scan the string pointed to by ES:DI until it encounters a match with the byte value in AL or until CX decrements to zero.

**LODS (Load String)** places the source string element at DS:SI into AX for word strings or into AL for byte strings.

Example: LODSW

Loads AX with the value pointed to by DS:SI.

3.8 ADDRESS MANIPULATION INSTRUCTIONS

The set of address manipulation instructions provide a way to perform address calculations or to move to a new data segment or extra segment.

**LEA (Load Effective Address)** transfers the offset of the source operand (rather than its value) to the destination operand. The source operand must be a memory operand, and the destination operand must be a 16-bit general register (AX, DX, BX, CX, BP, SP, SI, or DI).
LEA does not affect any flags. This instruction is useful for initializing the registers before the execution of the string primitives or the XLAT instruction.

Example: LEA BX EBCDIC_TABLE
Causes the processor to place the address of the starting location of the table labeled EBCDIC_TABLE into BX.

LDS (Load Pointer Using DS) transfers a 32-bit pointer variable from the source operand to DS and the destination register. The source operand must be a memory operand, and the destination operand must be a 16-bit general register (AX, DX, BX, CX, BP, SP, SI or DI). DS receives the high-order segment word of the pointer. The destination register receives the low-order word, which points to a specific location within the segment.

Example: LDS SI, STRING_X
Loads DS with the word identifying the segment pointed to by STRING_X, and loads the offset of STRING_X into SI. Specifying SI as the destination operand is a convenient way to prepare for a string operation on a source string that is not in the current data segment.

LES (Load Pointer Using ES) operates identically to LDS except that ES receives the offset word rather than DS.

Example: LES DI, DESTINATION_X
Loads ES with the word identifying the segment pointed to by DESTINATION_X, and loads the offset of DESTINATION_X into DI. This instruction provides a convenient way to select a destination for a string operation if the desired location is not in the current extra segment.

3.9 FLAG CONTROL INSTRUCTIONS
The flag control instructions provide a method of changing the state of bits in the flag register.

3.9.1 Carry Flag Control Instructions
The carry flag instructions are useful in conjunction with rotate-with-carry instructions RCL and RCR. They can initialize the carry flag, CF, to a known state before execution of a rotate that moves the carry bit into one end of the rotated operand.

STC (Set Carry Flag) sets the carry flag (CF) to 1.

Example: STC

CLC (Clear Carry Flag) zeros the carry flag (CF).

Example: CLC

CMC (Complement Carry Flag) reverses the current status of the carry flag (CF).

Example: CMC

3.9.2 Direction Flag Control Instructions
The direction flag control instructions are specifically included to set or clear the direction flag, DF, which controls the left-to-right or right-to-left direction of string processing. If DF=0, the processor automatically increments the string memory pointers, SI and DI, after each execution of a string primitive. If DF=1, the processor decrements these pointer values. The initial state of DF is 0.
CLD (Clear Direction Flag) zeros DF, causing the string instructions to auto-increment SI and/or DI. CLD does not affect any other flags.

Example: CLD

STD (Set Direction Flag) sets DF to 1, causing the string instructions to auto-decrement SI and/or DI. STD does not affect any other flags.

3.9.3 Flag Transfer Instructions

Though specific instructions exist to alter CF and DF, there is no direct method of altering the other flags. The flag transfer instructions allow a program to alter the other flag bits with the bit manipulation instructions after transferring these flags to the stack or the AH register.

The PUSHF and POPF instructions are also useful for preserving the state of the flag register before executing a procedure.

LAHF (Load AH from Flags) copies SF, ZF, AF, PF, and CF to AH bits 7, 6, 4, 2, and 0, respectively (see figure 3-12). The contents of the remaining bits (5, 3, and 1) are undefined. The flags remain unaffected. This instruction can assist in converting 8080/8085 assembly language programs to run on the base architecture of the iAPX 86, 88, 186, and 286.

Example: LAHF

SAHF (Store AH into Flags) transfers bits 7, 6, 4, 2, and 0 from AH into SF, ZF, AF, PF, and CF, respectively (see figure 3-12). This instruction also provides 8080/8085 compatibility with the iAPX 86, 88, 186, and 286.

Example: SAHF

PUSHF (Push Flags) decrements SP by two and then transfers all flags to the word at the top of stack pointed to by SP (see figure 3-13). The flags remain unaffected. This instruction enables a procedure to save the state of the flag register for later use.

Example: PUSHF

POPF (Pop Flags) transfers specific bits from the word at the top of stack into the low-order byte of the flag register (see figure 3-13). The processor then increments SP by two.

Note that an application program in the protected virtual address mode may not alter IOPL (the I/O privilege level flag) unless the program is executing at privilege level 0. A program may alter IF (the interrupt flag) only when executing at a level that is at least as privileged as IOPL.

Procedures may use this instruction to restore the flag status from a previous value.

Example: POPF

3.10 BINARY-CODED DECIMAL ARITHMETIC INSTRUCTIONS

These instructions adjust the results of a previous arithmetic operation to produce a valid packed or unpacked decimal result. These instructions operate only on AL or AH registers.
**BASIC INSTRUCTION SET**

![Stack Word Diagram](image)

**Figure 3-13. PUSHF and POPF**

### 3.10.1 Packed BCD Adjustment Instructions

**DAA (Decimal Adjust)** corrects the result of adding two valid packed decimal operands in AL. DAA must always follow the addition of two pairs of packed decimal numbers (one digit in each nibble) to obtain a pair of valid packed decimal digits as results. The carry flag will be set if carry was needed.

Example: DAA

**DAS (Decimal Adjust for Subtraction)** corrects the result of subtracting two valid packed decimal operands in AL. DAS must always follow the subtraction of one pair of packed decimal numbers (one digit in each nibble) from another to obtain a pair of valid packed decimal digits as results. The carry flag will be set if a borrow was needed.

Example: DAS

### 3.10.2 Unpacked BCD Adjustment Instructions

**AAA (ASCII Adjust for Addition)** changes the contents of register AL to a valid unpacked decimal number, and zeros the top 4 bits. AAA must always follow the addition of two unpacked decimal operands in AL. The carry flag will be set and AH will be incremented if a carry was necessary.

Example: AAA

**AAS (ASCII Adjust for Subtraction)** changes the contents of register AL to a valid unpacked decimal number, and zeros the top 4 bits. AAS must always follow the subtraction of one unpacked decimal operand from another in AL. The carry flag will be set and AH decremented if a borrow was necessary.

Example: AAS

**AAM (ASCII Adjust for Multiplication)** corrects the result of a multiplication of two valid unpacked decimal numbers. AAM must always follow the multiplication of two decimal numbers to produce a valid decimal result. The high order digit will be left in AH, the low order digit in AL.

Example: AAM

**AAD (ASCII Adjust for Division)** modifies the numerator in AH and AL to prepare for the division of two valid unpacked decimal operands so that the quotient produced by the division will be a valid unpacked decimal number. AH should contain the high-order digit and AL the low-order digit. This instruction will adjust the value and leave it in AL. AH will contain 0.

Example: AAD
3.11 TRUSTED INSTRUCTIONS

When operating in Protected Mode, the iAPX 286 processor restricts the execution of trusted instructions according to the CPL and the current value of IOPL, the 2-bit I/O privilege flag. Only a program operating at the highest privilege level (level 0) may alter the value of IOPL. A program may execute trusted instructions only when executing at a level that is at least as privileged as that specified by IOPL.

Trusted instructions control I/O operations, interprocessor communications in a multiprocessor system, interrupt enabling, and the HLT instruction.

These protection considerations do not apply in the real address mode.

3.11.1 Trusted and Privileged Restrictions on POPF and IRET

POPF (POP Flags) and IRET (Interrupt Return) are not affected by IOPL unless they attempt to alter IF (flag register bit 9). To change IF, POPF must be part of a program that is executing at a privilege level greater than or equal to that specified by IOPL. Any attempt to change IF when CPL ± 0 will be ignored. To change the IOPL field, CPL must be zero.

3.11.2 Machine State Instructions

These trusted instructions affect the machine state control interrupt response, the processor halt state, and the bus LOCK signal that regulates memory access in multiprocessor systems.

CLI (Clear Interrupt-Enable Flag) and STI (Set Interrupt-Enable Flag) alter bit 9 in the flag register. When IF = 1, the processor responds to all interrupts. An interrupt service routine might use these instructions to avoid further interruption while it processes a previous interrupt request. As with the other flag bits, the processor clears IF during initialization. These instructions may be executed only if CPL ≤ IOPL. A protection exception will occur if they are executed when CPL > IOPL.

Example: STI
Sets IF = 1, which enables the processing of maskable external interrupts.

Example: CLI
Sets IF = 0 to disable maskable interrupt processing.

HLT (Halt) causes the processor to suspend processing operations pending an interrupt or a system reset. This trusted instruction provides an alternative to an endless software loop in situations where a program must wait for an interrupt. The return address saved after the interrupt will point to the instruction immediately following HLT. This instruction may be executed only when CPL = 0.

Example: HLT

LOCK (Assert Bus Lock) is a 1-byte prefix code that causes the processor to assert the bus LOCK signal during execution of the instruction that follows. LOCK does not affect any flags. LOCK may be used only when CPL ≤ IOPL. A protection exception will occur if LOCK is used when CPL > IOPL.

3.11.3 Input and Output Instructions

These trusted instructions provide access to the processor's I/O ports to transfer data to and from peripheral devices. In the protected
mode, these instructions may be executed only when CPL ≤ IOPL.

**IN (Input from Port)** transfers a byte or a word from an input port to AL or AX. If a program specifies AL with the IN instruction, the processor transfers 8 bits from the selected port to AL. Alternately, if a program specifies AX with the IN instruction, the processor transfers 16 bits from the port to AX.

The program can specify the number of the port in two ways. Using an immediate byte constant, the program can specify 256 8-bit ports numbered 0 through 255 or 128 16-bit ports numbered 0, 2, 4, ..., 252, 254. Using the current value contained in DX, the program can specify 8-bit ports numbered 0 through 65,535, or 16-bit ports using even-numbered ports in the same range.

Example:  
```plaintext
IN AL, BYTE_PORT_NUMBER
```
Transfers 8 bits to AL from the port identified by the immediate constant `BYTE_PORT_NUMBER`.

**OUT (Output to Port)** transfers a byte or a word to an output port from AL or AX. The program can specify the number of the port using the same methods of the IN instruction.

Example:  
```plaintext
OUT AX, DX
```
Transfers 16 bits from AX to the port identified by the 16-bit number contained in DX.

**INS and OUTS (Input String and Output String)** cause block input or output operations using a Repeat prefix. See Chapter 4 for more information on INS and OUTS.

### 3.12 Processor Extension Instructions

Processor Extension provides an extension to the instruction set of the base architecture (e.g., 80287). The NPX extends the instruction set of the CPU-based architecture to support high-precision integer and floating-point calculations. This extended instruction set includes arithmetic, comparison, transcendental, and data transfer instructions. The NPX also contains a set of useful constants to enhance the speed of numeric calculations.

A program contains instructions for the NPX in line with the instructions for the CPU. The system executes these instructions in the same order as they appear in the instruction stream. The NPX operates concurrently with the CPU to provide maximum throughput for numeric calculations.

The software emulation of the NPX is transparent to application software but requires more time for execution.

#### 3.12.1 Processor Extension Synchronization Instructions

Escape and wait instructions allow a processor extension such as the 80287 NPX to obtain instructions and data from the system bus and to wait for the NPX to return a result.

**ESC (Escape)** identifies floating point numeric instructions and allows the iAPX 286 to send the opcode to the NPX or to transfer a memory operand to the NPX. The 80287 NPX uses the Escape instructions to perform high-performance, high-precision floating point arithmetic that conforms to the IEEE floating point standard.

Example:  
```plaintext
ESC 6, ARRAY [SI]
```
The CPU sends the escape opcode 6 and the location of the array pointed to by SI to the NPX.
WAIT (Wait) suspends program execution until the iAPX 286 CPU detects a signal on the BUSY pin. In an iAPX 286/20 configuration that includes a numeric processor extension, the NPX activates the TEST pin to signal that it has completed its processing task and that the CPU may obtain the results.

Example: WAIT

3.12.2 Numeric Data Processor Instructions

This section describes the categories of instructions available with Numeric Data Processor systems that include a Numeric Processor Extension or a software emulation of this processor extension. Refer to the 80287 data sheet for more information.

3.12.2.1 ARITHMETIC INSTRUCTIONS

The extended instruction set includes not only the four arithmetic operations (add, subtract, multiply, and divide), but also subtract-reversed and divide-reversed instructions. The arithmetic functions include square root, modulus, absolute value, integer part, change sign, scale exponent, and extract exponent instructions.

3.12.2.2 COMPARISON INSTRUCTIONS

The comparison operations are the compare, examine, and test instructions. Special forms of the compare instruction can optimize algorithms by allowing comparisons of binary integers with real numbers in memory.

3.12.2.3 TRANSCENDENTAL INSTRUCTIONS

The instructions in this group perform the otherwise time-consuming calculations for all common trigonometric, inverse trigonometric, hyperbolic, inverse hyperbolic, logarithmic, and exponential functions. The transcendental instructions include tangent, arctangent, $2x - 1$, $Y \cdot \log_2 X$, and $Y \cdot \log_2 (X + 1)$.

3.12.2.4 DATA TRANSFER INSTRUCTIONS

The data transfer instructions move operands among the registers and between a register and memory. This group includes the load, store, and exchange instructions.

3.12.2.5 CONSTANT INSTRUCTIONS

Each of the constant instructions loads a commonly used constant into an NPX register. The values have a real precision of 64 bits and are accurate to approximately 19 decimal places. The constants loaded by these instructions include 0, 1, $\pi$, $\log_e 10$, $\log_e e$, $\log_{10} 2$, and $\log_2 e$. 
Extended Instruction Set
The instructions described in this chapter extend the capabilities of the base architecture instruction set described in Chapter 3. These extensions consist of new instructions and variations of some instructions that are not strictly part of the base architecture (in other words, not included in the iAPX 86, 88). These instructions are also available in the iAPX 186, 188. The instruction variations, described in Chapter 3, include the immediate forms of the PUSH and MUL instructions (PUSHA, POPA) and the privilege level restrictions on POPF.

New instructions described in this chapter include the string input and output instructions (INS and OUTS), the ENTER procedure and LEAVE procedure instructions, and the check index BOUND instruction.

4.1 BLOCK I/O INSTRUCTIONS

REP, the Repeat prefix, modifies INS and OUTS (the string I/O instructions) to provide a means of transferring blocks of data between an I/O port and Memory. These block I/O instructions are string primitives. They simplify programming and increase the speed of data transfer by eliminating the need to use a separate LOOP instruction or an intermediate register to hold the data.

INS (Input String from Port) transfers a byte or a word string element from an input port to memory. If a program specifies INSB, the processor transfers 8 bits from the selected port to the memory location indicated by ES:DI. Alternately, if a program specifies INSW, the processor transfers 16 bits from the port to the memory location indicated by ES:DI. The destination segment register cannot be overridden.

One of two possible opcodes represents each string primitive depending on whether it operates on byte strings or word strings. After each transfer, the memory address in SI or DI is updated by 1 for byte values and by 2 for word values. The value in the DF field determines if SI or DI is to be auto incremented (DF=0) or auto decremented (DF=1).

INS and OUTS use DX to specify I/O ports numbered 0 through 65,535 or 16-bit ports using only even port addresses in the same range.

Example: REP INSB

The processor repeatedly transfers 8 bits to the memory location indicated by ES:DI from the port selected by the 16-bit port number contained in DX. Following each byte transfer, the CPU decrements CX. The instruction terminates the block transfer when CX=0. After decrementing CX, the processor increments DI by one if DF=0. It decrements DI by one if DF=1.
OUTS (*Output String to Port*) transfers a byte or a word string element to an output port from memory. Combined with the REP prefix, OUTS moves a block of information from a series of consecutive memory locations indicated by DS:SI to an output port.

Example: REP OUTS WSTRING

Assuming that the program declares WSTRING to be a word-length string element, the assembler uses the 16-bit form of the OUTS instruction to create the object code for the program. The processor repeatedly transfers words from the memory locations indicated by DI to the output port selected by the 16-bit port number in DX.

Following each word transfer, the CPU decrements CX. The instruction terminates the block transfer when CX=0. After decrementing CX, the processor increments SI by two to point to the next word in memory if DF=0, it decrements SI by two if DF=1.

4.2 HIGH-LEVEL INSTRUCTIONS

The instructions in this section provide machine-language functions normally found only in high-level languages. These instructions include ENTER and LEAVE, which simplify the programming of procedures, and BOUND, which provides a simple method of testing an index against its predefined range.

ENTER (*Enter Procedure*) creates the stack frame required by most block-structured high-level languages. A LEAVE instruction at the end of a procedure complements an ENTER at the beginning of the procedure to simplify stack management and to control access to variables for nested procedures.

The ENTER instruction includes two parameters. The first parameter specifies the number of bytes of dynamic storage to be allocated on the stack for the routine being entered. The second parameter corresponds to the lexical nesting level of the routine. (Note that the lexical level has no relationship to either the protection privilege levels or to the I/O privilege level.)

The specified lexical level determines how many sets of stack frame pointers the CPU copies into the new stack frame from the preceding frame. This list of stack frame pointers is sometimes called the “display.” The first word of the display is a pointer to the last stack frame. This pointer enables a LEAVE instruction to reverse the action of the previous ENTER instruction by effectively discarding the last stack frame.

After ENTER creates the new display for a procedure, it allocates the dynamic storage space for that procedure by decrementing SP by the number of bytes specified in the first parameter. This new value of SP serves as a base for all PUSH and POP operations within that procedure.

To enable a procedure to address its display, ENTER leaves BP pointing to the beginning of the new stack frame. Data manipulation instructions that specify BP as a base register implicitly address locations within the stack segment instead of the data segment. Two forms of the ENTER instruction exist: nested and non-nested. If the lexical level is 0, the non-nested form is used. Since the second operand is 0, ENTER pushes BP, copies SP to BP and then subtracts the first operand from SP. The nested form of ENTER occurs when the second parameter (lexical level) is not 0. Figure 4-1 gives the formal definition of ENTER.
The Formal Definition of the ENTER Instruction for all cases is given by the following listing. LEVEL denotes the value of the second operand.

```
Push BP
Set a temporary value FRAME_PTR := SP
If LEVEL > 0 then
  Repeat (LEVEL - 1) times:
    BP := BP - 2
    Push the word pointed to by BP
  End repeat
Push FRAME_PTR
End if
BP := FRAME_PTR
SP := SP - first operand.
```

Figure 4-1. Formal Definition of the ENTER Instruction

The main procedure (with other procedures nested within) operates at the highest lexical level, level 1. The first procedure it calls operates at the next deeper lexical level, level 2. A level 2 procedure can access the variables of the main program which are at fixed locations specified by the compiler. In the case of level 1, ENTER allocates only the requested dynamic storage on the stack because there is no previous display to copy.

A program operating at a higher lexical level calling a program at a lower lexical level requires that the called procedure should have access to the variables of the calling program. ENTER provides this access through a display that provides addressability to the calling program's stack frame.

A procedure calling another procedure at the same lexical level implies that they are parallel procedures and that the called procedure should not have access to the variables of the calling procedure. In this case, ENTER copies only that portion of the display from the calling procedure which refers to previously nested procedures operating at higher lexical levels. The new stack frame does not include the pointer for addressing the calling procedure's stack frame.

ENTER treats a reentrant procedure as a procedure calling another procedure at the same lexical level. In this case, each succeeding iteration of the reentrant procedure can address only its own variables and the variables of the calling procedures at higher lexical levels. A reentrant procedure can always address its own variables; it does not require pointers to the stack frames of previous iterations.

By copying only the stack frame pointers of procedures at higher lexical levels, ENTER makes sure that procedures access only those variables of higher lexical levels, not those at parallel lexical levels (see figure 4-2). Figures 4-2a through 4-2d demonstrate the actions of the ENTER instruction if the modules shown in figure 4-1 were to call one another in alphabetic order.

Example: ENTER 2048,3

Allocates 2048 bytes of dynamic storage on the stack and sets up pointers to two previous stack frames in the stack frame that ENTER creates for this procedure.

Block-structured high-level languages can use the lexical levels defined by ENTER to control access to the variables of previously nested procedures. For example, if PROCEDURE A calls PROCEDURE B which, in turn, calls PROCEDURE C, then PROCEDURE C will have access to the variables of MAIN and PROCEDURE A, but not PROCEDURE B because they operate at the same lexical level. Following is the complete definition of the variable access for figure 4-2.

1. MAIN PROGRAM has variables at fixed locations.
2. PROCEDURE A can access only the fixed variables of MAIN.
ENTER at the beginning of the MAIN PROGRAM creates dynamic storage space for MAIN but copies no pointers. The first and only word in the display points to itself because there is no previous value for LEAVE to return to BP. See figure 4-2a.

After MAIN calls PROCEDURE A, ENTER creates a new display for PROCEDURE A with the first word pointing to the previous value of BP (BPM for LEAVE to return to the MAIN stack frame) and the second word pointing to the current value of BP. Procedure A can access variables in MAIN since MAIN is at level 1. Therefore the base for the dynamic storage for MAIN is at [BP − 2]. All dynamic variables for MAIN will be at a fixed offset from this value. See figure 4-2b.

After PROCEDURE A calls PROCEDURE B, ENTER creates a new display for PROCEDURE B with the first word pointing to the previous value of BP, the second word pointing to the value of BP for MAIN, and the third word pointing to the value of BP for A and the last word pointing to the current BP. B can access variables in A and MAIN by fetching from the display the base addresses of the respective dynamic storage areas. See figure 4-2c.

After PROCEDURE B calls PROCEDURE C, ENTER creates a new display for PROCEDURE C with the first word pointing to the previous value of BP, the second word pointing to the value of BP for MAIN, and the third word pointing to the BP value for A and the third word pointing to the current value of BP. Because PROCEDURE B and PROCEDURE C have the same lexical level, PROCEDURE C is not allowed access to variables in B and therefore does not receive a pointer to the beginning of PROCEDURE B's stack frame. See figure 4-2d.

Figure 4-2. Variable Access in Nested Procedures

3. PROCEDURE B can access only the variables of PROCEDURE A and MAIN. PROCEDURE B cannot access the variables of PROCEDURE C or PROCEDURE D.

4. PROCEDURE C can access only the variables of PROCEDURE A and MAIN. PROCEDURE C cannot access the variables of PROCEDURE B or PROCEDURE D.

5. PROCEDURE D can access the variables of PROCEDURE C, PROCEDURE A, and MAIN. PROCEDURE D cannot access the variables of PROCEDURE B.
"LEAVE (Leave Procedure)" reverses the action of the previous ENTER instruction. The LEAVE instruction does not include any operands.

Example: LEAVE

First, LEAVE copies BP to SP to release all stack space allocated to the procedure by the most recent ENTER instruction. Next, LEAVE pops the old value of BP from the stack. A subsequent RET instruction can then remove any arguments that were pushed on the stack by the calling program for use by the called procedure.
The BOUND instruction includes two operands. The first operand specifies the register being tested. The second operand contains the effective relative address of the two signed BOUND limit values. The BOUND instruction assumes that it can obtain the upper limit from the memory word that immediately follows the lower limit. These limit values cannot be register operands; if they are, an invalid opcode exception occurs.

BOUND is useful for checking array bounds before using a new index value to access an element within the array. BOUND provides a simple way to check the value of an index register before the program overwrites information in a location beyond the limit of the array.

The two-word block of memory that specifies the lower and upper limits of an array might typically reside just before the array itself. This makes the array bounds accessible at a constant offset of $-4$ from the beginning of the array. Because the address of the array will already be present in a register, this practice avoids extra calculations to obtain the effective address of the array bounds.

Example: $\text{BOUND BX,ARRAY} - 4$

Compares the value in BX with the lower limit at address ARRAY$-4$ and the upper limit at address ARRAY$-2$. If the signed value in BX is less than the lower bound or greater than the upper bound, the interrupt for this instruction (INT 5) occurs. Otherwise, this instruction has no effect.
Real Address Mode
The iAPX 286 can be operated in either of two modes according to the status of the Protection Enabled bit of the MSW status register. In contrast to the "modes" and "mode bits" of some processors, however, the iAPX 286 modes do not represent a radical transition between conflicting architectures. Instead, the setting of the Protection Enabled bit simply determines whether certain advanced features, in addition to the baseline architecture of the iAPX 286, are to be made available to system designers and programmers.

If the Protection Enabled (PE) bit is set by the programmer, the processor changes into Protected Virtual Address Mode. In this mode of operation, memory addressing is performed in terms of virtual addresses, with on-chip mapping mechanisms performing the virtual-to-physical translation. Only in this mode can the system designer make use of the advanced architectural features of the iAPX 286: virtual memory support, system-wide protection, and built-in multitasking mechanisms are among the new features provided in this mode of operation. Refer to Part II of this manual (Chapters 6 through 11) for details on Protected Mode operation.

An address is specified by a 32-bit pointer containing two components: (1) a 16-bit effective address offset that determines the displacement, in bytes, of a particular location within a segment; and (2) a 16-bit segment selector component that determines the starting address of the segment. Both components of an address may be referenced explicitly by an instruction (such as JMP, LES, LDS, or CALL); more often, however, the segment selector is simply the contents of a segment register.

The interpretation of the first component, the effective address offset, is straight-forward. Segments are at most 64K (2^16) bytes in length, so an unsigned 16-bit quantity is sufficient to address any arbitrary byte location within a segment. The lowest-addressed byte within a segment has an offset of 0, and the highest-addressed byte has an offset of FFFFH. Data operands must be completely contained within a segment and must be contiguous. (These rules apply in both modes.)

A segment selector is the second component of a logical address. This 16-bit quantity specifies the starting address of a segment within a physical address space of 2^{20} bytes.
Whenever the iAPX 286 accesses memory in Real Address Mode, it generates a 20-bit physical address from a segment selector and offset value. The segment selector value is left-shifted four bit positions to form the segment base address. The offset is extended with 4 high order zeroes and added to the base to form the physical address (see figure 5-1.)

Therefore, every segment is required to start at a byte address that is evenly divisible by 16; thus, each segment is positioned at a 20-bit physical address whose least significant four bits are zeroes. This arrangement allows the iAPX 286 to interpret a segment selector as the high-order 16 bits of a 20-bit segment base address.

No limit or access checks are performed by the iAPX 286 in the Real Address Mode. All segments are readable, writable, executable, and have a limit of 0FFFFH (65535 bytes). To save physical memory, you can use unused portions of a segment as another segment by overlapping the two (see figure 5-2). The Intel iAPX 86 software development tools support this feature via the segment override and group operators. However, programs that access segment B from segment A become incompatible in the protected virtual address mode.

---

**Figure 5-1a. Forming the Segment Base Address**

**Figure 5-1b. Forming the 20-Bit Physical Address in the Real Address Mode**
5.2 INTERRUPT HANDLING

Program interrupts may be generated in either of two distinct ways. An *internal* interrupt is caused directly by the currently executing program. The execution of a particular instruction results in the occurrence of an interrupt, whether intentionally (e.g., an INT instruction) or as an unanticipated exception (e.g., invalid opcode). On the other hand, an *external* interrupt occurs asynchronously as the result of an event external to the processor, and bears no necessary relationship with the currently executing program. The INTR and NMI pins of the iAPX 286 provide the means by which external hardware signals the occurrence of such events.

### 5.2.1 Interrupt Vector Table

Whatever its origin, whether internal or external, an interrupt demands immediate attention from an associated service routine. Control must be transferred, at least for the moment, from the currently executing program to the appropriate interrupt service routine. By means of interrupt vectors, the iAPX 286 handles such control transfers uniformly for both kinds of interrupts.

An interrupt vector is an unsigned integer in the range of 0-255; every interrupt is assigned such a vector. In some cases, the assignment is predetermined and fixed: for example, an external NMI interrupt is invariably associated with vector 2, while an internal divide exception is always associated with vector 0. In most cases, however, the association of an interrupt and a vector is established dynamically. An external INTR interrupt, for example, supplies a vector in response to an interrupt acknowledge bus cycle, while the INT instruction supplies a vector incorporated within the instruction itself. The vector is shifted two places left to form a byte address into the table (see figure 5-3).

In any case, the iAPX 286 uses the interrupt vector as an index into a table in order to determine the address of the corresponding interrupt service routine. For Real Address Mode, this table is known as the Interrupt Vector Table. Its format is illustrated in figure 5-3.

The Interrupt Vector Table consists of as many as 256 consecutive entries, each four bytes long. Each entry defines the address of a service routine to be associated with the correspondingly numbered interrupt vector code. Within each entry, an address is specified by a full 32-bit pointer that consists of a 16-bit offset and a 16-bit segment selector.

In Real Address Mode, the interrupt table can be accessed directly at physical memory location 0 through 1023. In the protected virtual address mode, however, the interrupt vector table has no fixed physical address and cannot be directly accessed. Therefore, *Real Address mode programs that directly manipulate the interrupt vector table will not work in the protected virtual address mode*
5.2.1.1 INTERRUPT PRIORITIES
When simultaneous interrupt requests occur, they are processed in a fixed order as shown in table 5-1. Interrupt processing involves saving the flags, the return address, and setting CS:IP to point at the first instruction of the interrupt handler. If other interrupts remain enabled, they are processed before the first instruction of the current interrupt handler is executed. The last interrupt processed is therefore the first one serviced.

5.2.2 Interrupt Procedures
When an interrupt occurs in Real Address Mode, the iAPX 86 performs the following sequence of steps. First, the FLAGS register, as well as the old values of CS and IP, are pushed onto the stack (see figure 5-4). The IF and TF flag bits are cleared. The vector number is then used to read the address of the interrupt service routine from the interrupt table. Execution begins at this address.
Thus, when control is passed to an interrupt service routine, the return linkage is placed on the stack, interrupts are disabled, and single-step trace (if in effect) is turned off. The IRET instruction at the end of the interrupt service routine will reverse these steps before transferring control to the program that was interrupted.

An interrupt service routine may affect registers other than other IP, CS, and FLAGS. It is the responsibility of an interrupt routine to save additional context information before proceeding so that the state of the machine can be restored upon completion of the interrupt service routine (PUSHA and POPA instructions are intended for these operations). Finally, execution of the IRET instruction pops the old IP, CS, and FLAGS from the stack and resumes the execution of the interrupted program.

5.2.3 Reserved and Dedicated Interrupt Vectors

In general, the system designer is free to use almost any interrupt vectors for any given purpose. Some of the lowest-numbered vectors, however, are reserved by Intel for dedicated functions; their use is specifically implied by certain types of exceptions. None of the first 32 vectors should be defined by the user; these vectors are either invoked by pre-defined exceptions or reserved by Intel for future expansion. Table 5-2 shows the dedicated and reserved vectors of the iAPX 286 in Real Address Mode.

The purpose and function of the dedicated interrupt vectors may be summarized as follows (the saved value of CS:IP will include all leading prefixes):

- **Divide error (Interrupt 0)**. This exception will occur if the quotient is too large or an attempt is made to divide by zero using either the DIV or IDIV instruction. The saved CS:IP points at the first byte of the failing instruction. DX and AX are unchanged.

- **Single-Step (Interrupt 1)**. This interrupt will occur after each instruction if the Trace Flag (TF) bit of the FLAGS register is set. Of course, TF is cleared upon entry to this or any other interrupt to prevent infinite recursion. The saved value of CS:IP will point to the next instruction.

- **Nonmaskable (Interrupt 2)**. This interrupt will occur upon receipt of an external signal on the NMI pin. Typically, the nonmaskable interrupt is used to implement power-fail/auto-restart procedures. The saved value of CS:IP will point to the first byte of the interrupted instruction.

- **Breakpoint (Interrupt 3)**. Execution of the one-byte breakpoint instruction causes this interrupt to occur. This instruction is useful for the implementation of software debuggers since it requires only one code byte and can be substituted for any instruction opcode byte. The saved value of CS:IP will point to the next instruction.

- **INTO Detected Overflow (Interrupt 4)**. Execution of the INTO instruction will cause this interrupt to occur if the overflow bit (OF) of the FLAGS register is set. The saved value of CS:IP will point to the next instruction.

- **BOUND Range Exceeded (Interrupt 5)**. Execution of the BOUND instruction will cause this interrupt to occur if the specified array index is found to be invalid with respect to the given array bounds. The saved value of CS:IP will point to the first byte of the BOUND instruction.
Table 5-2. Dedicated and Reserved Interrupt Vectors in Real Address Mode

<table>
<thead>
<tr>
<th>Function</th>
<th>Interrupt Number</th>
<th>Related Instructions</th>
<th>Return Address Before Instruction Causing Exception?</th>
</tr>
</thead>
<tbody>
<tr>
<td>Divide error exception</td>
<td>0</td>
<td>DIV, IDIV</td>
<td>Yes</td>
</tr>
<tr>
<td>Single step interrupt</td>
<td>1</td>
<td>All</td>
<td>N/A</td>
</tr>
<tr>
<td>NMI interrupt</td>
<td>2</td>
<td>All</td>
<td>N/A</td>
</tr>
<tr>
<td>Breakpoint interrupt</td>
<td>3</td>
<td>INT</td>
<td>N/A</td>
</tr>
<tr>
<td>INTO detected overflow exception</td>
<td>4</td>
<td>INTO</td>
<td>No</td>
</tr>
<tr>
<td>BOUND range exceeded exception</td>
<td>5</td>
<td>BOUND</td>
<td>Yes</td>
</tr>
<tr>
<td>Invalid opcode exception</td>
<td>6</td>
<td>Any undefined opcode</td>
<td>Yes</td>
</tr>
<tr>
<td>Processor extension not available exception</td>
<td>7</td>
<td>ESC or WAIT with</td>
<td>Yes</td>
</tr>
<tr>
<td>Interrupt table limit too small</td>
<td>8</td>
<td>LIDT</td>
<td>Yes</td>
</tr>
<tr>
<td>Processor extension segment overrun interrupt</td>
<td>9</td>
<td>ESC</td>
<td>Yes</td>
</tr>
<tr>
<td>Segment overrun exception</td>
<td>13</td>
<td>All memory reference instructions</td>
<td>Yes</td>
</tr>
<tr>
<td>Reserved</td>
<td>10-12, 14, 15</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Processor extension error interrupt</td>
<td>16</td>
<td>ESC or WAIT</td>
<td>N/A</td>
</tr>
<tr>
<td>Reserved</td>
<td>17-31</td>
<td></td>
<td></td>
</tr>
<tr>
<td>User defined</td>
<td>32-255</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

N/A = Not Applicable

- **Invalid Opcode (Interrupt 6).** This exception will occur if execution of an invalid opcode is attempted. (In Real Address Mode, most of the Protected Virtual Address Mode instructions are classified as invalid and should not be used). This interrupt can also occur if the effective address given by certain instructions, notably BOUND, LDS, LES, and LIDT, specifies a register rather than a memory location. The saved value of CS:IP will point to the first byte of the invalid instruction or opcode.

- **Processor Extension Not Available (Interrupt 7).** Execution of the ESC instruction will cause this interrupt to
occur if the status bits of the MSW indicate that processor extension functions are to be emulated in software. Refer to section 3.10 for more details. The saved value of CS:IP will point to the first byte of the ESC or the WAIT instruction.

- **Interrupt Table Limit Too Small (Interrupt 8)**. This interrupt will occur if the limit of the interrupt vector table was changed from 3FFH by the LIDT instruction. The saved value of CS:IP will point to the first byte of the instruction that caused the interrupt or that was ready to execute before an external interrupt occurred.

- **Processor Extension Segment Overrun Interrupt (Interrupt 9)**. The interrupt will occur if a processor extension memory operand does not fit in a segment. The saved CS:IP will point at the first byte of the instruction that caused the interrupt.

- **Segment Overrun Exception (Interrupt 13)**. This interrupt will occur if a memory operand does not fit in a segment. The saved CS:IP will point at the first byte of the instruction that caused the interrupt.

- **Processor Extension Error (Interrupt 16)**. This interrupt occurs after the numeric instruction that caused the error. It can only occur while executing a subsequent WAIT or ESC. The saved value of CS:IP will point to the first byte of the ESC or the WAIT instruction. The address of the failed numeric instruction is saved in the NPX.

### Table 5-3. Processor State After RESET

<table>
<thead>
<tr>
<th>Register</th>
<th>Contents</th>
</tr>
</thead>
<tbody>
<tr>
<td>FLAGS</td>
<td>0002</td>
</tr>
<tr>
<td>MSW</td>
<td>FFF0</td>
</tr>
<tr>
<td>IP</td>
<td>FFF0</td>
</tr>
<tr>
<td>CS</td>
<td>F000</td>
</tr>
<tr>
<td>DS</td>
<td>0000</td>
</tr>
<tr>
<td>SS</td>
<td>0000</td>
</tr>
<tr>
<td>ES</td>
<td>0000</td>
</tr>
</tbody>
</table>

Since the CS register contains F000 (thus specifying a code segment starting at physical address F0000) and the instruction pointer contains FFF0, the processor will execute its first instruction at physical address FFFFF0H. The uppermost 16 bytes of physical memory are therefore reserved for initial startup logic. Ordinarily, this location contains an intersegment direct JMP instruction whose target is the actual beginning of a system initialization or restart program.

Some of the steps normally performed by a system initialization routine are as follows:

- Allocate a stack.
- Load programs and data from secondary storage into memory.
- Enable interrupts (i.e., set the IF bit of the FLAGS register). Set any other desired FLAGS bit as well.
- Set the appropriate MSW flags if a processor extension is present, or if processor extension functions are to be emulated by software.
- Set other registers, as appropriate, to the desired initial values.
- Execute. (Ordinarily, this last step is performed as an intersegment JMP to the main system program.)

### 5.3 SYSTEM INITIALIZATION

The iAPX 286 provides an orderly way to start or restart an executing system. Upon receipt of the RESET signal, certain processor registers go into the determinate state shown in table 5-3.
Memory Management And Virtual Addressing
In Protected Virtual Address Mode, the iAPX 286 provides an advanced architecture that retains substantial compatibility with the 8086 and other processors in the iAPX 86 family. In many respects, the baseline architecture of the processor remains constant regardless of the mode of operation. Application programmers continue to use the same set of instructions, addressing modes, and data types in Protected Mode as in Real Address Mode.

The major difference between the two modes of operation is that the Protected Mode provides system programmers with additional architectural features, supplementary to the baseline architecture, that can be used to good advantage in the design and implementation of advanced systems. Especially noteworthy are the mechanisms provided for memory management, protection, and multitasking.

This chapter focuses on the memory management mechanisms of Protected Mode; the concept of a virtual address and the process of virtual-to-physical address translation are described in detail in this chapter. Subsequent chapters deal with other key aspects of Protected Mode operation. Chapter 7 discusses the issue of protection and the integrated mechanisms that support a system-wide protection policy. Chapter 8 discusses the notion of a task and its central role in the iAPX 286 architecture. Chapters 9 through 11 discuss certain additional topics—interrupt handling, special instructions, system initialization, etc.—that complete the system programmer’s view of iAPX 286 Protected Mode.

6.1 MEMORY MANAGEMENT OVERVIEW

A memory management scheme interposes a mapping operation between logical addresses (i.e., addresses as they are viewed by programs) and physical addresses (i.e., actual addresses in real memory). Since the logical address spaces are independent of physical memory (dynamically relocatable), the mapping (the assignment of real address space to virtual address space) is transparent to software. This allows the program development tools (for static systems) or the system software (for reprogrammable systems) to control the allocation of space in real memory without regard to the specifics of individual programs.

Application programs may be translated and loaded independently since they deal strictly with virtual addresses. Any program can be relocated to use any available segments of physical memory.

The iAPX 286, when operated in Protected Mode, provides an efficient on-chip memory management architecture. Moreover, as described in Chapter 11, the iAPX 286 also supports the implementation of virtual memory systems—that is, systems that dynamically swap chunks of code and data between real memory and secondary storage devices (e.g., a disk) independent of and transparent to the executing application programs. Thus, a program-visible address is more aptly termed a virtual address rather than a logical address since it may actually refer to a location not currently present in real memory.

Memory management, then, consists of a mechanism for mapping the virtual addresses that are visible to the program onto the physical addresses of real memory. With the iAPX 286, segmentation is the key to virtual memory addressing. Virtual memory is parti-
tioned into a number of individual segments, which are the units of memory that are mapped into physical memory and swapped to and from secondary storage devices. Most of this chapter is devoted to a detailed discussion of the mapping and virtual memory mechanisms of the iAPX 286.

The concept of a task also plays a significant role in memory management since distinct memory mappings may be assigned to the different tasks in a multitask or multi-user environment. A complete discussion of tasks is deferred until Chapter 8, “Tasks and State Transition.” For present purposes, it is sufficient to think of a task as an ongoing process, or execution path, that is dedicated to a particular function. In a multi-user time-sharing environment, for example, the processing required to interact with a particular user may be considered as a single task, functionally independent of the other tasks (i.e., users) in the system.

6.2 VIRTUAL ADDRESSES

In Protected Mode, application programs deal exclusively with virtual addresses; programs have no access whatsoever to the actual physical addresses generated by the processor. As discussed in Chapter 2, an address is specified by a program in terms of two components: (1) a 16-bit effective address offset that determines the displacement, in bytes, of a location within a segment; and (2) a 16-bit segment selector that uniquely references a particular segment. Jointly, these two components constitute a complete 32-bit address (pointer data type), as shown in figure 6-1.

These 32-bit virtual addresses are manipulated by programs in exactly the same way as the two-component addresses of Real Address Mode. After a program loads the segment selector component of an address into a segment register, each subsequent reference to locations within the selected segment requires only a 16-bit offset be specified. Locality of reference will ordinarily insure that addresses can be specified very efficiently using only 16-bit offsets.

An important difference between Real Address Mode and Protected Mode, however, concerns the actual format and information content of segment selectors. In Real Address Mode, as with the 8086 and other processors in the iAPX 86 family, a 16-bit selector is merely the upper bits of a segment’s physical base address. By contrast, segment selectors in Protected Mode follow an entirely different format, as illustrated by figure 6-2.

Two of the selector bits, designated as the RPL field in figure 6-2, are not actually involved in the selection and specification of segments; their use is discussed in Chapter 7.
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING

The remaining 14 bits of the selector component uniquely designate a particular segment. The virtual address space of a program, therefore, may encompass as many as 16,384 ($2^{14}$) distinct segments. Segments themselves are of variable size, ranging from as small as a single byte to as large as 64K ($2^{16}$) bytes. Thus, a program’s virtual address space may contain, altogether, up to a full gigabyte ($2^{30} = 2^{14} \times 2^{16}$) of individually addressable byte locations.

The entirety of a program’s virtual address space is further subdivided into two separate halves, as distinguished by the TI (“table indicator”) bit in the virtual address. These two halves are the global address space and the local address space.

The global address space is used for system-wide data and procedures including operating system software, library routines, runtime language support and other commonly shared system services. (To application programs, the operating system appears to be a set of service routines that are accessible to all tasks.) Global space is shared by all tasks to avoid unnecessary replication of system service routines and to facilitate shared data and interrupt handling. Global address space is defined by addresses with a zero in the TI bit position; it is identically mapped for all tasks in the system.

The other half of the virtual address space—comprising those addresses with the TI bit set—is separately mapped for each task in the system. Because such an address space is local to the task for which it is defined, it is referred to as a local address space. In general, code and data segments within a task’s local address space are private to that particular task or user. Figure 6-3 illustrates the task isolation made possible by partitioning the virtual address spaces into local and global regions.

![Figure 6-3. Address Spaces and Task Isolation](image-url)
Within each of the two regions addressable by a program—either the global address space or a particular local address space—as many as 8,192 \(2^{13}\) distinct segments may be defined. The INDEX field of the segment selector allows for a unique specification of each of these segments. This 13-bit quantity acts as an index into a memory-resident table, called a descriptor table, that records the mapping between segment address and the physical locations allocated to each distinct segment. (These descriptor tables, and their role in virtual-to-physical address translation, are described in the sections that follow.)

In summary, a Protected Mode virtual address is a 32-bit pointer to a particular byte location within a one-gigabyte virtual address space. Each such pointer consists of a 16-bit selector component and a 16-bit offset component. The selector component, in turn, comprises a 13-bit table index, a 1-bit table indicator (local versus global), and a 2-bit RPL field; all but this last field serve to select a particular segment from among the 16K segments in a task's virtual address space. The offset component of a full pointer is an unsigned 16-bit integer that specifies the desired byte location within the selected segment.

### 6.3 DESCRIPTOR TABLES

A descriptor table is a memory-resident table either defined by program development tools in a static system or controlled by operating system software in systems that are reprogrammable. The descriptor table contents govern the interpretation of virtual addresses. Whenever the iAPX 286 decodes a virtual address, translating a full 32-bit pointer into a corresponding 24-bit physical address, it implicitly references one of these tables.

Within a Protected Mode system, there are ordinarily several descriptor tables resident in memory. One of these is the global descriptor table (GDT); this table provides a complete description of the global address space. In addition, there may be one or more local descriptor tables (LDTs), each describing the local address space of one or more tasks.

For each task in the system, a pair of descriptor tables—consisting of the GDT (shared by all tasks) and a particular LDT (private to the task or to a group of closely related tasks)—provides a complete description of that task's virtual address space. The protection mechanism described in Chapter 7, "Protection," ensures that a task is granted access only to its own virtual address space. In the simplest of system configurations, tasks can reside entirely within the GDT without the use of local descriptor tables. This will simplify system software by only requiring maintenance of one table (the GDT) at the expense of no isolation between tasks. The point is: the iAPX 286 memory management scheme is flexible enough to accommodate a variety of implementations and does not require use of all possible facilities when implementing a system.

The descriptor tables consist of a sequence of 8-byte entries called descriptors. A descriptor table may contain from 1 to 8192 entries.

Within a descriptor table, two main classes of descriptors are recognized by the iAPX 286 architecture. The most important of these, from the standpoint of memory management, are called segment descriptors; these determine the set of segments that are included within a given address space. The other class of special-purpose control descriptors—such as call gates and task descriptors—are provided to implement protection (described in succeeding chapters) and special system data segments.
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING

Figure 6-4 shows the format of a segment descriptor. Note that it provides information about the physical-memory base address and size of a segment, as well as certain access information. If a particular segment is to be included within a virtual address space, then a segment descriptor that describes that segment must be included within the appropriate descriptor table. Thus, within the GDT, there are segment descriptors for all of the segments that comprise a system’s global address space. Similarly, within a task’s LDT, there must be a descriptor for each of the segments that are to be included in that task’s local address space.

Each local descriptor table is itself a special system segment, recognizable as such by the iAPX 286 architecture and described by a specific type of segment descriptor (see figure 6-5). Because there is only a single GDT segment, it is not defined by a segment descriptor. Its base and size information is maintained in a dedicated register, GDTR, as described below (section 6.6.2).

Similarly, there is another dedicated register within the iAPX 286, LDTR, that records the base and size of the current LDT segment (i.e., the LDT associated with the currently executing task). The LDTR register state, however, is volatile: its contents are automatically altered whenever a task switch is made from one task to another. An alternate specification independent of changeable register contents must therefore exist for each LDT in the system. This independent specification is accomplished by means of special system segment descriptors known as descriptor table descriptors or LDT descriptors.

Figure 6-5 shows the format of a descriptor table descriptor. (Note that it is distinguished from an ordinary segment descriptor by the contents of certain bits in the access byte.)

This special type of descriptor is used to specify the physical base address and size of a local descriptor table that defines the virtual address space and address mapping for an individual user or task (figure 6-6).
Each LDT segment in a system must lie within that system's global address space. Thus, all of the descriptor table descriptors must be included among the entries in the global descriptor table (the GDT) of a system. In fact, these special descriptors may appear only in the GDT. Reference to an LDT descriptor within an LDT will cause a protection violation. Even though they are in the global address space available to all tasks, the descriptor table descriptors are protected from corruption within the GDT since they are special system segments and can only be accessed for loading into the LDTR register.

6.4 VIRTUAL-TO-PHYSICAL ADDRESS TRANSLATION

The translation of a full 32-bit virtual address pointer into a real 24-bit physical address is shown by figure 6-7. When the segment's base address is determined as a result of the mapping process, the offset value is added to the result to obtain the physical address.

The actual mapping is performed on the selector component of the virtual address. The 16-bit segment selector is mapped to a 24-bit segment base address via a segment descriptor maintained in one of the descriptor tables.
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING

6.5 SEGMENTS AND SEGMENT DESCRIPTORS

Segments are the basic units of iAPX 286 memory management. In contrast to schemes based on fixed-size pages, segmentation allows for a very efficient implementation of software: variable-length segments can be tailored to the exact requirements of an application. Segmentation, moreover, is consistent with the way a programmer naturally deals with his virtual address space: programmers are encouraged to divide code and data into clearly defined modules and structures which are manipulated as consistent entities. This reduces (minimizes) the potential for virtual memory thrashing. Segmentation also eliminates the restrictions on data structures that span a page (e.g., a word that crosses page boundaries).

Each segment within an iAPX 286 system is defined by an associated segment descriptor, which may appear in one or more descriptor tables. Its inclusion within a descriptor table represents the presence of its associated segment within the virtual address space defined by that table. Conversely, its omission from a descriptor table means that the segment is absent from the corresponding address space.

As shown previously in figure 6-4, an 8-byte segment descriptor encodes the following information about a particular segment:

- **Size.** This 16-bit field, comprising the first two bytes of a segment descriptor, specifies an unsigned integer as the size, in bytes (from 1 byte to 64K bytes), of the segment. Unlike segments in the 8086 (or the iAPX 286 in Real Address Mode)—which are never explicitly limited to less than a full 64K bytes—Protected Mode segments are always assigned a specific size value. In
conjunction with the protection features described in Chapter 7, this assigned size allows the enforcement of a very desirable and natural rule: inadvertent accesses to locations beyond a segment’s actual boundaries are prohibited.

- Base. This 24-bit field, comprising bytes 2 through 4 of a segment descriptor, specifies the physical base address of the segment; it thus defines the actual location of the segment within the 16-megabyte real memory space. The base may be any byte address within the 16-megabyte real memory space.

- Access. This 8-bit field comprises byte 5 of a segment descriptor. This access byte specifies a variety of additional information about a segment, particularly in regard to the protection features of the iAPX 286. For example, code segments are distinguished from data segments; and certain special access restrictions (such as Execute-Only or Read-Only) may be defined for segments of each type.

Figure 6-8 shows the access byte format for both code and data segment descriptors. Detailed discussion of the protection related fields within an access byte (Conforming, Execute-Only, Descriptor Privilege Level, Expand Down, and Write-Permitted), and their use in implementing protection policies, is deferred to Chapter 7. The two fields Accessed and Present are used for virtual memory implementations.

6.6 MEMORY MANAGEMENT REGISTERS

The Protected Virtual Address Mode features of the iAPX 286 operate at high performance due to extensions to the basic iAPX 86 register set. Figure 6-9 illustrates that portion of the extended register structure that pertains to memory management. (For a complete summary of all Protected Mode registers, refer to section 10.1).
6.6.1 Segment Address Translation Registers

Figure 6-9 shows the segment registers CS, DS, ES, and SS. In contrast to their usual representation, however, these registers are now depicted as 64-bit registers, each with "visible" and "hidden" components.

The visible portions of these segment address translation registers are manipulated by programs exactly as if they were simply the 16-bit segment registers of Real Address Mode. By loading a segment selector into one of these registers, the program makes the associated segment one of its four currently addressable segments.

The operations that load these registers—or, more exactly, those that load the visible portion of these registers—are normal program instructions. These instructions may be divided into two categories:

1. Direct load instructions. These instructions (such as LDS, LES, MOV, POP, etc.) explicitly reference the SS, DS, or ES segment registers as the destination operand.

2. Implied load instructions. These instructions (such as CALL and JMP) implicitly reference the CS code segment register; as a result of these operations, the contents of CS are altered.
Using these instructions, a program loads the visible part of the segment register with a 16-bit selector (i.e., the high-order word of a virtual address pointer). Whenever this is done, the processor automatically references the appropriate descriptor table and loads the hidden part of the segment register with a corresponding 48-bit descriptor.

The correspondence between selectors and descriptors has already been described. Remember that the selector's TI bit indicates one of the two descriptor tables, either the LDT or the GDT. Within the indicated table, a particular entry is chosen by the selector's 13-bit INDEX field. This index, scaled by a factor of 8, represents the relative displacement of the chosen table entry (a descriptor).

Thus, so long as a particular selector value is valid (i.e., it points to a valid segment descriptor within the bounds of the descriptor table), it can be readily associated with an 8-byte descriptor. When a selector value is loaded into the visible part of a segment register, the iAPX 286 automatically loads 6 bytes of the associated descriptor into the hidden part of the register. These 6 bytes, therefore, contain the size, base, and access type of the selected segment. Figure 6-10 illustrates this transparent process of descriptor loading.
In effect, the hidden descriptor fields of the segment registers function as the memory management cache of the iAPX 286. All the information required to address the current working set of segments—that is, the base address, size, and access rights of the currently addressable segments—is stored in this memory cache. Unlike the probabilistic caches of other architectures, however, the iAPX 286 cache is completely deterministic: the caching of descriptors is explicitly controlled by the program.

Most memory references do not require the translation of a full 32-bit virtual address, or long pointer. Operands that are located within one of the currently addressable segments, as determined by the four segment registers, can be referenced very efficiently by means of a short pointer, which is simply a 16-bit offset.

In fact, most iAPX 286 instructions reference memory locations in precisely this way, specifying only a 16-bit offset with respect to one of the currently addressable segments. The choice of segments (CS, DS, ES, or SS) is either implicit within the instruction itself, or explicitly specified by means of a segment-override prefix (as described in Chapter 2).

Thus, in most cases, virtual-to-physical address translation is actually performed in two separate steps. First, when a program loads a new value into a segment register, the processor immediately performs a mapping operation; the physical base address of the selected segment (as well as certain additional information) is automatically loaded into the hidden portion of the register. The internal cache registers (virtual address translation hardware) are therefore dynamically shared among the 16K different segments potentially addressable within the user's virtual address space. No software overhead (either system or application) is required to perform this operation.

Subsequently, as the program utilizes a short pointer to reference a location within a segment, the processor generates a 24-bit physical address simply by adding the specified offset value to the previously cached segment base address. By encouraging the use of short pointers in this way, rather than requiring a full 32-bit virtual address for every memory reference, the iAPX 286 provides a very efficient on-chip mechanism for address translation, with minimum overhead for references to memory-based tables or the need for external address-translation devices.

6.6.2 System Address Registers
The Global Descriptor Table Register (GDTR) is a dedicated 40-bit (5 byte) register used to record the base and size of a system's global descriptor table (GDT). Thus, two of these bytes define the size of the GDT, and three bytes define its base address.

In figure 6-9, the contents of the GDTR are referred to as a "hidden descriptor." The term "descriptor" here emphasizes the analogy with the segment descriptors ordinarily found in descriptor tables. Just as these descriptors specify the base and size (limit) of ordinary segments, the GDTR register specifies these same parameters for that segment of memory serving as the system GDT. The limit prevents accesses to descriptors in the GDT from accessing beyond the end of the GDT and thus provides address space isolation at the system level as well as at the task level.

The register contents are "hidden" only in the sense that they are not accessible by means of ordinary instructions. Instead, the dedicated protected instructions LGDT and SGDT are reserved for loading and storing, respectively, the contents of the GDTR at Protected Mode initialization (refer to section 10.2 for details). Subsequent alteration of the GDT base and size values is not recommended but is a system option at the most
privileged level of software (see section 7.3 for a discussion of privilege levels).

The Local Descriptor Table Register (LDTR) is a dedicated 40-bit register that contains, at any given moment, the base and size of the local descriptor table (LDT) associated with the currently executing task. Unlike GDTR, the LDTR register contains both a “visible” and a “hidden” component. Only the visible component is accessible, while the hidden component remains truly inaccessible even to dedicated instructions.

The visible component of the LDTR is a 16-bit “selector” field. The format of these 16 bits corresponds exactly to that of a segment selector in a virtual address pointer. Thus, it contains a 13-bit INDEX field, a 1-bit TI field, and a 2-bit RPL field. The TI “table indicator” bit must be zero, indicating a reference to the GDT (i.e., to global address space). The INDEX field consequently provides an index to a particular entry within the GDT. This entry, in turn, must be an LDT descriptor (or descriptor table descriptor), as defined in the previous section. In this way, the visible “selector” field of the LDTR, by selecting an LDT descriptor, uniquely designates a particular LDT in the system.

The dedicated, protected instructions LLDT and SLDT are reserved for loading and storing, respectively, the visible selector component of the LDTR register (refer to section 10.2 for details). Whenever a new value is loaded into the visible “selector” portion of LDTR, an LDT descriptor will have been uniquely chosen (assuming, of course, that the “selector” value is valid). In this case, the iAPX 286 automatically loads the hidden “descriptor” portion of LDTR with five bytes from the chosen LDT descriptor. Thus, size and base information about a particular LDT, as recorded in a memory-resident global descriptor table entry, is cached in the LDTR register.

New values may be loaded into the visible portion of the LDTR (and, thus, into the hidden portion as well) in either of two ways. The LLDT instruction, during system initialization, is used explicitly to set an initial value for the LDTR register; in this way, a local address space is provided for the first task in a multitasking environment. After system startup, explicit changes are not required since operations that automatically invoke a task switch (described in section 8.4) appropriately manage the LDTR.

At all times, the LDTR register thus records the physical base address (and size) of the current task’s LDT; the descriptor table required for mapping the current local address space, therefore, is immediately accessible to the processor. Moreover, since GDTR always maintains the base address of the GDT, the table that maps the global address space is similarly accessible. The two system address registers, GDTR and LDTR, act as a special processor cache, maintaining current information about the two descriptor tables required, at any given time, for addressing the entire current virtual address space.
Protection
7.1 INTRODUCTION

In most microprocessor based products, the product's availability, quality, and reliability are determined by the software it contains. Software is often the key to a product's success. Protection is a tool used to shorten software development time, and improve software quality and reliability.

Program testing is an important step in developing software. A system with protection will detect software errors more quickly and accurately than a system without protection. Eliminating errors via protection reduces the development time for a product.

Testing software is difficult. Many errors occur only under complex circumstances which are difficult to anticipate. The result is that products are shipped with undetected errors. When such errors occur, products appear unreliable. The impact of a software error is multiplied if it introduces errors in other bug-free programs. Thus, the total system reliability reduces to that of the least reliable program running at any given time.

Protection improves the reliability of an entire system by preventing software errors in one program from affecting other programs. Protection can keep the system running even when some user program attempts an invalid or prohibited operation.

Hardware protection performs run-time checks in parallel with the execution of the program. But, hardware protection has traditionally resulted in a design that is more expensive and slower than a system without protection. However, the iAPX 286 provides hardware-enforced protection without the performance or cost penalties normally associated with protection.

The protected mode iAPX 286 implements extensive protection by integrating these functions on-chip. The iAPX 286 protection is more comprehensive and flexible than comparable solutions. It can locate and isolate a large number of program errors and prevent the propagation of such errors to other tasks or programs. The protection of the total system detects and isolates bugs both during development and installed usage.

The remaining sections of this chapter explain the protection model implemented in the iAPX 286.

7.1.1 Types of Protection

Protection in the iAPX 286 has three basic aspects:

1. Isolation of system software from user applications.
2. Isolation of users from each other (Inter-task protection).
3. Data-type checking.

The iAPX 286 provides a four-level, ringed-type, increasingly-privileged protection mechanism to isolate applications software from various layers of system software. This is a major improvement and extension over the simpler two-level user/supervisor mechanism found in many systems. Software modules in a supervisor level are protected from modules in the application level and from software in less privileged supervisor levels.

Restricting the addressability of a software module enables an operating system to control system resources and priorities. This is especially important in an environment that
supports multiple concurrent users. Multi-user, multi-tasking, and distributed processing systems require this complete control of system resources for efficient, reliable operation.

The second aspect of protection is isolating users from each other. Without such isolation an error in one user program could affect the operation of another error-free user program. Such subtle interactions are difficult to diagnose and repair. The reliability of applications programs is greatly enhanced by such isolation of users.

Within a system or application level program, the iAPX 286 will ensure that all code and data segments are properly used (e.g., data cannot be executed, programs cannot be modified, and offset must be within defined limits, etc.). Such checks are performed on every memory access to provide full run-time error checking.

7.1.2 Protection Implementation

The protection hardware of the iAPX 286 establishes constraints on memory and instruction usage. The number of possible interactions between instructions, memory, and I/O devices is practically unlimited. Out of this very large field the protection mechanism limits interactions to a controlled, understandable subset. Within this subset fall the list of “correct” operations. Any operation that does not fall into this subset is not allowed by the protection mechanism and is signalled as a protection violation.

To understand protection on the iAPX 286, you must begin with its basic parts: segments and tasks. iAPX 286 segments are the smallest region of memory which have unique protection attributes. Modular programming automatically produces separate regions of memory (segments) whose contents are treated as a whole. Segments reflect the natural construction of a program, e.g., code for module A, data for module A, stack for the task, etc. All parts of the segment are treated in the same way by the iAPX 286. Logically separate regions of memory should be in separate segments.

The memory segmentation model (see figure 7-1) of the iAPX 286 was designed to optimally execute code for software composed of independent modules. Modular programs are easier to construct and maintain. Compared to monolithic software systems, modular software systems have enhanced capabilities, and are typically easier to develop and test for proper operation.

Each segment in the system is defined by a memory-resident descriptor. The protection hardware prevents accesses outside the data areas and attempts to modify instructions, etc., as defined by the descriptors. Segmentation on the iAPX 286 allows protection hardware to be integrated into the CPU for full data access control without any performance impact.

The segmented memory architecture of the iAPX 286 provides unique capabilities for regulating the transfer of control between programs.

Programs are given direct but controlled access to other procedures and modules. This capability is the heart of isolating application and system programs. Since this access is provided and controlled directly by the iAPX 286 hardware, there is no performance penalty. A system designer can take advantage of the iAPX 286 access control to design high-performance modular systems with a high degree of confidence in the integrity of the system.
Access control between programs and the operating system is implemented via address space separation and a privilege mechanism. The address space control separates applications programs from each other while the privilege mechanism isolates system software from applications software. The privilege mechanism grants different capabilities to programs to access code, data, and I/O resources based on the associated protection level. Trusted software that controls the whole system is typically placed at the most privileged level. Ordinary application software does not have to deal with these control mechanisms. They come into play only when there is a transfer of control between tasks, or if the Operating System routines have to be invoked.

The protection features of multiple privilege levels extend to ensuring reliable I/O control. However, for a system designer to enable only one specific level to do I/O would excessively constrain subsequent extensions or application development. Instead, the iAPX 286 permits each task to be assigned a separate minimum level where I/O is allowed. I/O privilege is discussed in section 10.3.
An important distinction exists between tasks and programs. Programs (e.g., instructions in code segments) are static and consist of a fixed set of code and data segments each with an associated privilege level. The privilege assigned to a program determines what the program may do when executed by a task. Privilege is assigned to a program when the system is built or when the program is loaded.

Tasks are dynamic; they execute one or more programs. Task privilege changes with time according to the privilege level of the program being executed. Each task has a unique set of attributes that define it, e.g., address space, register values, stack, data, etc. A task may execute a program if that program appears in the task's address space. The rules of protection control determine when a program may be executed by a task, and once executed, determine what the program may do.

**7.2 MEMORY MANAGEMENT AND PROTECTION**

The protection hardware of the iAPX 286 is related to the memory management hardware. Since protection attributes are assigned to segments, they are stored along with the memory management information in the segment descriptor. The protection information is specified when the segment is created. In addition to privilege levels, the descriptor defines the segment type (e.g., Code segment, Data segment, etc.). Descriptors may be created either by program development tools or by a loader in a dynamically loaded reprogrammable environment.

The protection control information consists of a segment type, its privilege level, and size. These are fields in the access byte of the segment descriptor (see figure 7-2). This information is saved on-chip in the programmer invisible section of the segment register for fast access during execution. These entries are changed only when a segment register is loaded. The protection data is used at two times: upon loading a segment register and upon each reference to the selected segment.

The hardware performs several checks while loading a segment register. These checks...
enforce the protection rules before any memory reference is generated. The hardware verifies that the selected segment is valid (is identified by a descriptor, is in memory, and is accessible from the privilege level in which the program is executing) and that the type is consistent with the target segment register. For example, you cannot load a read-only segment descriptor into SS because the stack must always be writable.

Each reference into the segment defined by a segment register is checked by the hardware to verify that it is within the defined limits of the segment and is of the proper type. For example, a code segment or read-only data segment cannot be written. All these checks are made before the memory cycle is started; any violation will prevent that cycle from starting and cause an exception to occur. Since the checks are performed concurrently with address formation, there is no performance penalty.

By controlling the access rights and privilege attributes of segments, the system designer can assure a program will not change its code or overwrite data belonging to another task. Such assurances are vital to maintaining system integrity in the face of error-prone programs.

7.2.1 Separation of Address Spaces

As described in Chapter 6, each task can address up to a gigabyte (2^{14} - 1 segments of up to 65536 bytes each) of virtual memory defined by the task's LDT (Local Descriptor Table) and the system GDT. Up to one-half gigabyte (2^{13} - 1 segments of up to 65536 bytes each) of the task's address space is defined by the LDT and represents the task's private address space. The remaining virtual address space is defined by the GDT and is common to all tasks in the system.

Each descriptor table is itself a special kind of segment recognized by the iAPX 286 architecture. These tables are defined by descriptors in the GDT (Global Descriptor Table). The CPU has a set of base and limit registers that point to the GDT and the LDT of the currently running task. The descriptor table registers are loaded by a task switch operation.

An active task can only load selectors that reference segments defined by descriptors in either the GDT or its private LDT. Since a task cannot reference descriptors in other LDTs, and no descriptors in its LDT refer to data or code belonging to other tasks, it cannot gain access to another tasks' private code and data (see figure 7-3).

Since the GDT contains information that is accessible by all users (e.g., library routines, common data, Operating System services, etc.), the iAPX 286 uses privilege levels and special descriptor types to control access (see section 7.2.2). Privilege levels protect more trusted data and code (in GDT and LDT) from less trusted access (WITHIN a task), while the private virtual address spaces defined by unique LDTs provide protection BETWEEN tasks (see figure 7-4).

7.2.2 LDT and GDT Access Checks

All descriptor tables have a limit used by the protection hardware to ensure address space separation of tasks. Each task's LDT can be a different size as defined by its descriptor in the GDT. The GDT may also contain less than 8091 descriptors as defined by the GDT limit value. The descriptor table limit identifies the last valid byte of the last descriptor in that table. Since each descriptor is eight bytes long, the limit value is N \times 8 - 1 for N descriptors.
Any attempt by a program to load a segment register, local descriptor table register (LDTR), or task register (TR) with a selector that refers to a descriptor outside the corresponding limit causes an exception with an error code identifying the invalid selector used (see figure 7-5).

Not all descriptor entries in the GDT or LDT need contain a valid descriptor. There can be holes, or "empty" descriptors, in the LDT and GDT. "Empty" descriptors allow dynamic allocation and deletion of segments or other system objects without changing the size of the GDT or LDT. Any descriptor with an access byte equal to zero is considered empty. Any attempt to load a segment register with a selector that refers to an empty descriptor will cause an exception with an error code identifying the invalid selection.

Figure 7-3. IAPX 286 Virtual Address Space
Figure 7-4. Local and Global Descriptor Table Definition

Figure 7-5. Error Code Format (on the Stack)
7.2.3 Type Validation

After checking that a selector reference is within the bounds of a descriptor table and refers to a non-empty descriptor, the type of segment defined by the descriptor is checked against the destination register. Since each segment register has predefined functions, each must refer to certain types of segments (see section 7.4.1). An attempt to load a segment register in violation of the protection rules causes an exception.

The "null" selector is a special type of segment selector. It has an index field of all zeros and a table indicator of 0. The null selector appears to refer to GDT descriptor entry #0. This selector value may be used as a place holder in the DS or ES segment registers; it may be loaded into them without causing an exception. However, any attempt to use the null segment registers to reference memory will cause an exception and prevent any memory cycle from occurring.

7.3 PRIVILEGE LEVELS AND PROTECTION

As explained in section 6.2, each task has its own separate virtual address space defined by its LDT. All tasks share a common address space defined by the GDT. The system software then has direct access to task data and can treat all pointers in the same way.

Protection is required to prevent programs from improperly using code or data that belongs to the operating system. The four privilege levels of the iAPX 286 provide the isolation needed between the various layers of the system. The iAPX 286 privilege levels are numbered from 0 to 3, where 0 is the most trusted level, 3 the least.

Privilege level is a protection attribute assigned to all segments. It determines which procedures can access the segment. Like access rights and limit checks, privilege checks are automatically performed by the hardware, and thus protects both data and code segments.

Privilege on the iAPX 286 is hierarchical. Operating system code and data segments placed at the most privileged level (0) cannot be accessed directly by programs at other privilege levels. Programs at privilege level 0 may access data at all other levels. Programs at privilege levels 1-3 may only access data at the same or less trusted (numerically greater) privilege levels. Figure 7-6 illustrates the privilege level protection of code or data within tasks.

In figure 7-6, programs can access data at the same or outer level, but not at inner levels. Code and data segments placed at level 1 cannot be accessed by programs executing at levels 2 or 3. Programs at privilege level 0 can access data at level 1 in the course of providing service to that level. iAPX 286 provides mechanisms for inter-level transfer of control when needed (see section 7.5).

The four privilege levels of the iAPX 286 are an extension of the typical two-level user/supervisor privilege mechanism. Like user mode, application programs in the outer level are not permitted direct access to data belonging to more privileged system services (supervisor mode). The iAPX 286 adds two more privilege levels to provide protection for different layers of system software (system services, I/O drivers, etc.).

7.3.1 Example of Using Four Privilege Levels

Two extra privilege levels allow development of more reliable, and flexible system software. This is achieved by dividing the system into small, independent units. Figure 7-6 shows an example of the usage of different protection levels. Here, the most privileged level is called
the kernel. This software would provide basic, application-independent, CPU-oriented services to all tasks. Such services include memory management, task isolation, multitasking, inter-task communication, and I/O resource control. Since the kernel is only concerned with simple functions and cannot be affected by software at other privilege levels, it can be kept small, safe, and understandable.

Privilege level one is designated system services. This software provides high-level functions like file access scheduling, character I/O, data communications, and resource allocation policy which are commonly expected in all systems. Such software remains isolated from applications programs and relies on the services of the kernel, yet cannot affect the integrity of level 0.

Privilege level 2 is the custom operating system extensions level. It allows standard system software to be customized. Such customizing can be kept isolated from errors in applications programs, yet cannot affect the basic integrity of the system software. Examples of customized software are the database manager, logical file access services, etc.

This is just one example of protection mechanism usage. Levels 1 and 2 may be used in many different ways. The usage (or non-usage) is up to the system designer.
Programs at each privilege level are isolated from programs at outer layers, yet cannot affect programs in inner layers. Programs written for each privilege level can be smaller, easier to develop, and easier to maintain than a monolithic system where all system software can affect all other system software.

7.3.2 Privilege Usage
Privilege applies to tasks and three types of descriptors:

1. Main memory segments
2. Gates (control descriptors for state or task transitions, discussed in sections 7.5.1, 7.5.3, 8.3, 8.4 and 9.2)
3. Task state segments (discussed in Chapter 8).

Task privilege is a dynamic value. It is derived from the code segment currently being executed. Task privilege can change only when a control transfers to a different code segment.

Descriptor privilege, including code segment privilege, is assigned when the descriptor (and any associated segment) is created. The system designer assigns privilege directly when the system is constructed with the system builder (see the iAPX 286 Builder User's Guide) or indirectly via a loader.

Each task operates at only one privilege level at any given moment: namely that of the code segment being executed. (The conforming segments discussed in section 11.2 permit some flexibility in this regard.) However, as figure 7-5 indicates, the task may contain segments at one, two, three, or four levels, all of which are to be used at appropriate times. The privilege level of the task, then, changes under the carefully enforced rules for transfer of control from one code segment to another.

The descriptor privilege attribute is stored in the access byte of a descriptor and is called the Descriptor Privilege Level (DPL). Task privilege is called the Current Privilege Level (CPL). The least significant two bits of the CS register specify the CPL.

A few general rules of privilege can be stated before the detailed discussions of later sections. Data access is restricted to those segments whose privilege level is the same or less privileged (numerically greater) than the current privilege level (CPL). Direct code access, e.g., via call or jump, is restricted to code segments of equal privilege. A gate (section 7.5.1) is required for access to code at more privileged levels.

7.4 SEGMENT DESCRIPTOR
Although the format of access control information, discussed below, is similar for both data and code segment descriptors, the rules for accessing data segments differ from those for transferring control to code segments. Data segments are meant to be accessible from many privilege levels, e.g., from other programs at the same level or from deep within the operating system. The main restriction is that they cannot be accessed by less privileged code.

Code segments, on the other hand, are meant to be executed at a single privilege level. Transfers of control that cross privilege boundaries are tightly restricted, requiring the use of gates. Control transfers within a privilege level can also use gates, but they are not required. Control transfers are discussed in section 7.5.

Protection checks are automatically invoked at several points in selecting and using new segments. The process of addressing memory begins when the currently executing program attempts to load a selector into one of the segment registers. As discussed in Chapter 6, the selector has the form shown in figure 7-7.
When a new selector is loaded into a segment register, the processor accesses the associated descriptor to perform the necessary loading and privilege checks.

The protection mechanism verifies that the selector points to a valid descriptor type for the segment register (see section 7.4.1). After verifying the descriptor type, the CPU compares the privilege level of the task (CPL) to the privilege level in the descriptor (DPL) before loading the descriptor’s information into the cache.

The general format of the eight bits in the segment descriptor’s access rights byte is shown in table 7-1.

<table>
<thead>
<tr>
<th>Bit</th>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>7</td>
<td>Present</td>
<td>1 means Present and addressable in real memory; 0 means not present. See section 11.3.</td>
</tr>
<tr>
<td>6,5</td>
<td>DPL</td>
<td>2-bit Descriptor Privilege Level, 0 to 3.</td>
</tr>
<tr>
<td>4</td>
<td>Segment</td>
<td>1 means Segment descriptor; 0 means control descriptor.</td>
</tr>
</tbody>
</table>

For Segment=1, the remaining bits have the following meanings:

- **3** Executable: 1 means code, 0 means data.
- **2** C or ED: If code, Conforming: 1 means yes, 0 no. If data, Expand Down: 1 yes, 0 no—normal case.
- **1** R or W: If code, Readable: 1 means readable, 0 not. If data, Writable: 1 means writable, 0 not.
- **0** Accessed: 1 if segment descriptor has been Accessed, 0 if not.

**NOTE:** When the Segment bit (bit 4) is 0, the descriptor is for a gate, a task state segment, or a Local Descriptor Table, and the meanings of bits 0 through 3 change. Control transfers and descriptors are discussed in section 7.5.
For example, the access rights byte for a data and code segment present in real memory but not yet accessed (at the same privilege level) are shown in figure 7-8.

Whenever a segment descriptor is loaded into a segment register, the accessed bit in the descriptor table is set to 1. This bit is useful for determining the usage profile of the segment.

**NOTE**

The Intel reserved bytes in the segment descriptor must be set to 0 for compatibility with iAPX 386.

### 7.4.1 Data Accesses

Data may be accessed in data segments or readable code segments. When DS or ES is loaded with a new selector, e.g., by an LDS, LES, or MOV to ES, SS, or DS instruction, the bits in the access byte are checked to verify legitimate descriptor type and access (see table 7-2). If any test fails, an error code is pushed onto the stack identifying the selector involved (see figure 7-5 for the error code format).

A privilege check is made when the segment register is loaded. In general, a data segment’s DPL must be numerically greater than or equal to the CPL. The DPL of a descriptor loaded into the SS must equal the CPL. Conforming (readable) code segments are an exception to privilege checking rules.

Once the segment descriptor and selector are loaded, the offset of subsequent accesses within the segment are checked against the limit given in the segment descriptor. Violating the segment size limit causes a General Protection exception with an error code of 0.

![Figure 7-8. Access Byte Example](image)

**Table 7-2. Allowed Segment Types in Segment Registers**

<table>
<thead>
<tr>
<th>Segment Register</th>
<th>Read Only Data Segment</th>
<th>Read-Write Data Segment</th>
<th>Execute Only Code Segment</th>
<th>Execute-Read Code Segment</th>
</tr>
</thead>
<tbody>
<tr>
<td>DS</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>ES</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>SS</td>
<td>No</td>
<td>Yes</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>CS</td>
<td>No</td>
<td>No</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tbody>
</table>
A normal data segment is addressed with offset values ranging from 0 to the size of the segment. When the ED bit of the access rights byte in the segment descriptor is 0, the allowed range of offsets is 0000H to the limit. If limit is OFFFFH, the data segment contains 65536 bytes.

Since stacks normally occupy different offset ranges (lower limit to 0FFFFH) than data segments, the limit field of a segment descriptor can be interpreted in two ways. The Expand Down (ED) bit in the access byte allows offsets for stack segments to be greater than the limit field. When ED is 1, the allowed range of offsets within the segment is limit +1 to 0FFFFH. To allow a full stack segment, set ED to 1 and the limit to 0FFFFH. The ED bit of a data segment descriptor does not have to be set for use in SS (i.e., it will not cause an exception). Section 7.5.4 discusses stack segment usage in greater detail. An expand down (ED=1) segment can be loaded into ES or DS.

Limit and access checks are performed before any memory reference is started. For stack push instructions (PUSH, PUSHA, ENTER, CALL, INT), a possible limit violation is identified before any internal registers are updated. Therefore, these instructions are fully restartable after a stack size violation.

**7.4.2 Code Segment Access**

Code segments are accessed via CS for execution. Segments that are execute-only can ONLY be executed; they cannot be accessed via DS or ES, nor read via CS with a CS override prefix. If a segment is executable (bit 3 = 1 in the access byte), access via DS or ES is possible only if it is also readable. Thus, any code segment that also contains data must be readable. (Refer to Chapter 2 for a discussion of segment override prefixes.)

An execute-only segment preserves the privacy of the code against any attempt to read it; such an attempt causes a general protection fault with an error code of 0. A code segment cannot be loaded into SS and is never writable. Any attempted write will cause a general protection fault with an error code of 0.

The limit field of a code segment descriptor identifies the last byte in the segment. Any offset greater than the limit value will cause general protection. The prefetcher of the iAPX 286 can never cause a code segment limit violation. The program must attempt to execute an instruction beyond the end of the code segment to cause an exception.

If a readable non-conforming code segment is to be loaded into DS or ES, the privilege level requirements are the same as those stated for data segments in 7.4.1.

Code segments are subject to different privilege checks when executed. The normal privilege requirement for a jump or call to another code segment is that the current privilege level equal the descriptor privilege level of the new code segment. Jumps and calls within the current code segment automatically obey this rule.

Return instructions may pass control to code segments at the same or less (numerically greater) privileged level. Code segments at more privileged levels may only be reached via a call through a call gate as described in section 7.5.

An exception to this, previously stated, is the conforming code segment that allows the DPL of the requested code segment to be numerically less than (of greater privilege than) the CPL. Conforming code segments are discussed in section 11.2.
7.4.3 Data Access Restriction by Privilege Level

This section describes privilege verification when accessing either data segments (loading segment selectors into DS, ES, or SS) or readable code segments. Privilege verification when loading CS for transfer of control across privilege levels is described in the next section.

Three basic kinds of privilege level indicators are used when determining accessibility to a segment for reading and writing. They are termed Current Privilege Level (CPL), Descriptor Privilege Level (DPL), andRequested Privilege Level (RPL). The CPL is simply the privilege level of the code segment that is executing (except if the current code segment is conforming). It is stored as bits 0 and 1 of the CS and SS registers.

DPL is the privilege level of the segment; it is stored in bits 5 and 6 of the access byte of a descriptor. For data access to data segments and non-conforming code segments, CPL must be numerically less than or equal to DPL (the task must be of equal or greater privilege) for access to be granted. Violation of this rule during segment load instruction causes a general protection exception with an error code identifying the selector.

While the enforcement of DPL protection rules provides the mechanism for the isolation of code and data at different privilege levels, it is conceivable that an erroneous pointer passed onto a more trusted program might result in the illegal modification of data with a higher privilege level. This possibility is prevented by the enforcement of effective privilege level protection rules and correct usage of the RPL value.

The RPL (requested privilege level) is used for pointer validation. It is the least significant two bits in the selector value loaded into the segment register. RPL is intended to indicate the privilege level of the originator of that selector. A selector may be passed down through several procedures at different levels. The RPL reflects the privilege level of the original supplier of the selector, not the privilege level of the intermediate supplier. The RPL must be numerically less than or equal to the DPL of the descriptor selected, thereby indicating greater or equal privilege of the supplier; otherwise, access is denied and a general protection violation occurs.

Pointer validity testing is required in any system concerned with preventing program errors from destroying system integrity. The iAPX 286 provides hardware support for pointer validity testing. The RPL field indicates the privilege level of the originator of the pointer to the hardware. Access will be denied if the originator of the pointer did not have access to the selected segment even if the CPL is numerically less than or equal to the DPL. RPL can reduce the effective privilege of a task when using a particular selector. RPL never allows access to more privileged segments (CPL must always be less than or equal to DPL).

A fourth term is sometimes used: the Effective Privilege Level (EPL). It is defined as the numeric maximum of the CPL and the RPL—meaning the one of lesser privilege. Access to a protected entity is granted only when the EPL is numerically less than or equal to the DPL of that entity. This is simply another way of saying that both CPL and RPL must be less than or equal to DPL for access to be granted.

7.4.4 Pointer Privilege Stamping via ARPL

The ARPL instruction is provided in the iAPX 286 to fill the RPL field of a selector with the minimum privilege (maximum
PROTECTION

numeric value) of the selector's current RPL and the caller's CPL (given in an instruction-specified register). A straight insertion of the caller's CPL would mark the pointer with the privilege level of the caller, but not necessarily the ultimate originator of the selector (e.g., Level 3 supplies a selector to a level 2 routine that calls a level 0 routine with the same selector).

Figure 7-9 shows a program with an example of such a situation. The program at privilege level 3 calls a routine at level 2 via a gate. The routine at level 2 uses the ARPL instruction to assure that the selector's RPL is 3. When the level 2 routine calls a routine at level 0 and passes the selector, the ARPL instruction at level 0 leaves the RPL field unchanged.

Marking a pointer with the originator's privilege eliminates the complex and time-consuming software typically associated with pointer validation in less comprehensive architectures. The iAPX 286 hardware performs the pointer test automatically while loading the selector.

Privilege errors are trapped at the time the selector is loaded because pointers are commonly passed to other routines, and it may not be possible to identify a pointer's originator. To verify the access capabilities of a pointer, it should be tested when the pointer is first received from an untrusted source. The VERR (Verify Read), VERW (Verify Write), and LAR (Load Access Rights) instructions are provided for this purpose.

Although pointer validation is fully supported in the iAPX 286, its use is an option of the system designer. To accommodate systems that do not require it, RPL can be ignored by setting selector RPLs to zero (except stack segment selectors) and not adjusting them with the ARPL instruction.

7.5 CONTROL TRANSFERS

Three kinds of control transfers can occur within a task:

1. Within a segment, causing no change of privilege level (a short jump, call, or return).
2. Between segments at the same privilege level (a long jump, call, or return).
3. Between segments at different privilege levels (a long call, or return). (NOTE: A JUMP to a different privilege level is not allowed.)

The first two types of control transfers need no special controls (with respect to privilege protection) beyond those discussed in section 7.4.

<table>
<thead>
<tr>
<th>Level 3 PUSH SELECTOR CALL LEVEL 2</th>
</tr>
</thead>
<tbody>
<tr>
<td>Level 2:</td>
</tr>
<tr>
<td>ENTER 4,0</td>
</tr>
<tr>
<td>MOV AX, [BP]+4</td>
</tr>
<tr>
<td>ARPL [BP]+8, AX</td>
</tr>
<tr>
<td>; GET CS of return address</td>
</tr>
<tr>
<td>; Put 3 in RPL field</td>
</tr>
<tr>
<td>Level 0:</td>
</tr>
<tr>
<td>PUSH WORD PTR [BP]+8 ; Pass selector</td>
</tr>
<tr>
<td>CALL Level 0</td>
</tr>
<tr>
<td>Level 0:</td>
</tr>
<tr>
<td>ENTER 6,0</td>
</tr>
<tr>
<td>MOV AX, [BP]+4</td>
</tr>
<tr>
<td>ARPL [BP]+8, AX</td>
</tr>
<tr>
<td>; Get CS of return address</td>
</tr>
<tr>
<td>; Leaves RPL unchanged</td>
</tr>
</tbody>
</table>

Figure 7-9. Pointer Privilege Stamping
Inter-level transfers require special consideration to maintain system integrity. The protection hardware must check that:

- The task is currently allowed to access the destination address.
- The correct entry address is used.

To achieve control transfers, a special descriptor type called a gate is provided to mediate the change in privilege level. Control transfer instructions call the gate rather than transfer directly to a code segment. From the viewpoint of the program, a control transfer to a gate is the same as to another code segment.

Gates allow programs to use other programs at more privileged levels in the same manner as a program at the same privilege level. Programmers need never distinguish between programs or subroutines that are more privileged than the current program and those that are not. The system designer may, however, elect to use gates only for control transfers that cross privilege levels.

7.5.1 Gates

A gate is a four-word descriptor used to redirect a control transfer to a different code segment in the same or more privileged level or to a different task. There are four types of gates: call, trap, interrupt, and task gates. The access rights byte distinguishes a gate from a segment descriptor, and determines which type of gate is involved. Figure 7-10 shows the format of a gate descriptor.

A key feature of a gate is the re-direction it provides. All four gate types define a new address which transfers control when invoked. This destination address normally cannot be accessed by a program. Loading the selector to a call gate into SS, DS, or ES will cause a general protection fault with an ‘error code identifying the invalid selector.

Only the selector portion of an address is used to invoke a gate. The offset is ignored. All that a program need know about the desired function is the selector required to invoke the gate. The iAPX 286 will automatically start the execution at the correct address.

A further advantage of a gate is that it provides a fixed address for any program to invoke another program. The calling program's address remains unaltered even if the entry address of the destination program changes. Thus, gates provide a fixed set of entry points that allow a task to access Operating System functions such as simple subroutines, yet the task is prohibited from simply jumping into the middle of the Operating System.

Call gates, as described in the next section, are used for control transfers within a task which must either be transparently redirected or which require an increase in privilege level. A call gate normally specifies a subroutine at a greater privilege level, and the called routine returns via a return instruction. Call gates also support delayed binding (resolution of target routine addresses at run-time rather than program-generation-time).

Trap and interrupt gates handle interrupt operations that are to be serviced within the current task. Interrupt gates cause interrupts to be disabled; trap gates do not. Trap and interrupt gates both require a return via the interrupt return instruction.

Task gates are used to control transfers between tasks and to make use of task state segments for task control and status information. Tasks are discussed in Chapter 8, interrupts in Chapter 9.

In the iAPX 286 protection model, each privilege level has its own stack. Therefore, a
control transfer (call or return) that changes the privilege level causes a new stack to be invoked.

7.5.1.1 CALL GATES

Call gate descriptors are used by call and jump instructions in the same manner as a code segment descriptor. The hardware automatically recognizes that the destination selector refers to a gate descriptor. Then, the operation of the instruction is expanded as determined by the contents of the call gate. A jump instruction can access a call gate only if the target code segment is at the same privilege level. A call instruction uses a call gate for the same or more privileged access.

A call gate descriptor may reside in either the GDT or the LDT, but not in the IDT. Figure 7-10 gives the complete layout of a call gate descriptor.

A call gate can be referred to by either the long JMP or CALL instructions. From the viewpoint of the program executing a JMP or CALL instruction, the fact that the destination was reached via a call gate and not directly from the destination address of the instruction is not apparent.
The checks indicated in table 7-3 are applied to the contents of the call gate. Violating any of them causes the exception shown. The low order two bits of the error code are zero for these exceptions.

7.5.1.2 INTRA-LEVEL TRANSFERS VIA CALL GATE

The transfer is Intra-level if the destination code segment is at the same privilege level as CPL. Either the code segment is non-conforming with DPL = CPL or it is conforming, with DPL ≤ CPL (see section 11.2 for this case). The 32-bit destination address in the gate is loaded into CS:IP.

The following is a description of the protection checks performed while transferring control (with the CALL instruction) through a call gate:

- Verifying that access to the call gate is allowed. One of the protection features provided by call gates is the access checks made to determine if the call gate may be used (i.e., checking if the privilege level of the calling program is adequate).
- Determining the destination address and whether a privilege transition is required. This feature makes privilege transitions transparent to the caller.
- Performing the privilege transition, if required.

Verifying access to a call gate is the same for any call gate and is independent of whether a JMP or CALL instruction was used. The rules of privilege used to determine whether a data segment may be accessed are employed to check if a call gate may be jumped-to or called. Thus, privileged subroutines can be hidden from untrusted programs by the absence of a call gate.

When an inter-segment CALL or JMP instruction selects a call gate, the gate’s privi-

---

### Table 7-3. Call Gate Checks

<table>
<thead>
<tr>
<th>Type of Check</th>
<th>Fault(1)</th>
<th>Error Code</th>
</tr>
</thead>
<tbody>
<tr>
<td>Selector is not Null</td>
<td></td>
<td>GP</td>
</tr>
<tr>
<td>Selector is within Descriptor Table Limit</td>
<td></td>
<td>GP</td>
</tr>
<tr>
<td>Descriptor is a Code Segment</td>
<td></td>
<td>GP</td>
</tr>
<tr>
<td>Code Segment is Present</td>
<td></td>
<td>GP</td>
</tr>
<tr>
<td>Nonconforming Code Segment</td>
<td></td>
<td>NP</td>
</tr>
<tr>
<td>DPL &gt; CPL</td>
<td></td>
<td>GP</td>
</tr>
</tbody>
</table>

NOTES:
(1) GP = General Protection, NP = Not-Present Exception.

The offset portion of the JMP or CALL destination address which refers to a call gate is always ignored.

7-18
If the IP value is not within the limit of the code segment, a general protection fault occurs with an error code of 0. If a CALL instruction is used, the return address is saved in the normal manner. The only effect of the call gate is to place a different address into CS:IP than that specified in the destination address of the JMP or CALL instruction. This feature is useful for systems which require that a fixed address be provided to programs, even though the entry address for the routine may change due to different functions, software changes, or segment relocation.

7.5.1.3 INTER-LEVEL CONTROL TRANSFER VIA CALL GATES

If the destination code segment of the call gate is at a different privilege level than the CPL, an inter-level transfer is being requested. However, if the destination code segment DPL < CPL, then a general protection fault occurs with an error code identifying the destination code segment.

The gate guarantees that all transitions to a more privileged level will go to a valid entry point rather than possibly into the middle of a procedure (or worse, into the middle of an instruction). See figure 7-11.

Calls to more privileged levels may be performed only through call gates. A JMP instruction can never cause a privilege change. Any attempt to use a call gate in this manner will cause a general protection fault with an error code identifying the gate. Returns to more privileged levels are also prohibited. Inter-level transitions due to interrupts use a different gate, as discussed in Chapter 9.

Figure 7-11. Call Gate
PROTECTION

The RPL field of the CS selector saved as part of the return address will always identify the caller’s CPL. This information is necessary to correctly return to the caller’s privilege level during the return instruction. Since the CALL instruction places the CS value on the more privileged stack, and JMP instructions cannot change privilege levels, it is not possible for a program to maliciously place an invalid return address on the caller’s stack.

7.5.1.4 STACK CHANGES CAUSED BY CALL GATES
To maintain system integrity, each privilege level has a separate stack. These stacks assure sufficient stack space to process calls from less privileged levels. Without them, trusted programs may not work correctly, especially if the calling program does not provide sufficient space on the caller’s stack.

When a call gate is used to change privilege levels, a new stack is selected as determined by the new CPL. The new stack pointer value is loaded from the Task State Segment (TSS). The privilege level of the new stack data segment must equal the new CPL; if it does not, a task stack fault occurs with the saved machine state pointing at the CALL instruction and the error code identifying the invalid stack selector.

The new stack should contain enough space to hold the return address, and all parameters and local variables required to process the call. The initial stack pointers for privilege levels 0-2 in the TSS are strictly read only values. They are never changed during the course of execution.

The normal technique for passing parameters to a subroutine is to place them onto the stack. To make privilege transitions transparent to the called program, a call gate specifies that parameters are to be copied from the old stack to the new stack. The word count field in a call gate (see figure 7-10) specifies how many words (up to 31) are to be copied from the caller’s stack to the new stack. If the word count is zero, no parameters are copied.

Before copying the parameters, the new stack is checked to assure that it is large enough to hold the parameters; if it is not, a stack fault occurs with an error code of 0. After the parameters are copied, the return link is on the new stack (i.e., a pointer to the old stack is placed in the new stack). In particular, the return address is pointed at by SS:SP. The call and return example of figure 7-12 illustrate the stack contents after a successful inter-level call.

The stack pointer of the caller is saved above the caller’s return address as the first two words pushed onto the new stack. The caller’s stack can only be saved for calls to procedures at privilege levels 2, 1, and 0. Since level 3 cannot be called by any procedure at any other privilege level, the level 3 stack will never contain links to other stacks.

Procedures requiring more than the 31 words for parameters that may be called from another privilege level must use the saved SS:SP link to access all parameters beyond the last word copied.

The call gate does not check the values of the words copied onto the new stack. The called procedure should check each parameter for validity. Section 11.3 discusses how the ARPL, VERR, VERW, LSL, and LAR instructions can be used to check pointer values.

7.5.2 Inter-level Returns
An inter-segment return instruction can also change levels, but only toward programs of
equal or lesser privilege (when code segment DPL is numerically greater or equal than the CPL). The RPL of the selector popped off the stack by the return instruction identifies the privilege level to resume execution of the calling program.

When the RET instruction encounters a saved CS value whose RPL > CPL, an inter-level return occurs. Checks shown in table 7-4 are made during such a return.

The old SS:SP value is then adjusted by the number of bytes indicated in the RET instruction and loaded into SS:SP. The new SP value is not checked for validity. If SP is invalid it is not recognized until the first stack operation. The SS:SP value of the returning program is not saved. (Note: this value normally is the same as that saved in the TSS.)

The last step in the return is checking the contents of the DS and ES descriptor registers. If DS or ES refer to segments whose DPL is greater than the new CPL (excluding conforming code segments), the segment registers are loaded with the null selector. Any subsequent memory reference that attempts to use the segment register containing the null selector will cause a general protection fault. This prevents less privileged code from accessing more privileged data previously accessed by the more privileged program.
## Table 7-4. Inter-Level Return Checks

<table>
<thead>
<tr>
<th>Type of Check</th>
<th>Exception</th>
<th>Error Code</th>
</tr>
</thead>
<tbody>
<tr>
<td>SP is not a Segment Limit</td>
<td>SF</td>
<td>0</td>
</tr>
<tr>
<td>SP + N + 7 is not in Segment Limit</td>
<td>SF</td>
<td>0</td>
</tr>
<tr>
<td>RPL of Return CS is Greater than CPL</td>
<td>GP</td>
<td>Return CS id</td>
</tr>
<tr>
<td>Return CS Selector is not null</td>
<td>GP</td>
<td>Return CS id</td>
</tr>
<tr>
<td>Return CS segment is within Descriptor Table Limit</td>
<td>GP</td>
<td>Return CS id</td>
</tr>
<tr>
<td>Return CS Selector is a Code Segment</td>
<td>GP</td>
<td>Return CS id</td>
</tr>
<tr>
<td>Return CS Segment is Present</td>
<td>NP</td>
<td>Return CS id</td>
</tr>
<tr>
<td>DPL of Return Non-Conforming Code Segment = RPL of CS</td>
<td>GP</td>
<td>Return CS id</td>
</tr>
<tr>
<td>SS Selector at SP + N + 6 is not Null</td>
<td>SF</td>
<td>Return SS id</td>
</tr>
<tr>
<td>SS Selector at SP + N + 6 is within Descriptor Table Limit</td>
<td>SF</td>
<td>Return SS id</td>
</tr>
<tr>
<td>SS Descriptor is Writable Data Segment</td>
<td>SF</td>
<td>Return SS id</td>
</tr>
<tr>
<td>SS Segment is Present</td>
<td>SF</td>
<td>Return SS id</td>
</tr>
<tr>
<td>SS Segment DPL = RPL of CS</td>
<td>SF</td>
<td>Return SS id</td>
</tr>
</tbody>
</table>

*SF = Stack Fault, GP = General Protection Exception, NP = Not-Present Exception*
Tasks And State Transitions
CHAPTER 8
TASKS AND STATE TRANSITIONS

8.1 INTRODUCTION

An iAPX 286 task is a single, sequential thread of execution. Each task can be isolated from all other tasks. There may be many tasks associated with an iAPX 286 CPU, but only one task executes at any time. Switching the CPU from executing one task to executing another can occur as the result of either an interrupt or an inter-task call or jump. A hardware recognized data structure defines each task.

The iAPX 286 provides a high performance task switch operation with complete isolation between tasks. A full task-switch operation takes only 22 microseconds at 8 MHz (18 microseconds at 10 MHz). High-performance, interrupt-driven, multi-application systems that need the benefits of protection are feasible with the 80286.

A performance advantage and system design advantage arise from the iAPX 286 task switch:

- Faster task switch: A task switch is a single instruction performed by microcode. Such a scheme is 2-3 times faster than an explicit task switch instruction. A fast task switch translates to a significant performance boost for heavily multi-tasked systems over conventional methods.

- More reliable, flexible systems: The isolation between tasks and the high speed task switch allows interrupts to be handled by separate tasks rather than within the currently interrupted task. This isolation of interrupt handling code from normal programs prevents undesirable interactions between them. The interrupt system can become more flexible since adding an interrupt handler is as safe and easy as adding a new task.

- Every task is protected from all others via the separation of address spaces described in Chapter 7 (unless explicit sharing is planned in advance). If the address spaces of two tasks include no shared data, one task cannot affect the data of another task. Code sharing is always safe since code segments may never be written into.

8.2 TASK STATE SEGMENTS AND DESCRIPTORS

Tasks are defined by a special control segment called a Task State Segment (TSS). The definition of a task includes its address space and execution state. A task is invoked (made active) by inter-segment jump or call instructions whose destination address refers to a task state segment or a task gate.

The Task State Segment (TSS) has a special descriptor. The Task Register within the CPU contains a selector to that descriptor. Each TSS selector value is unique, providing an unambiguous "identifier" for each task. Thus, an operating system can use the value of the TSS selector to uniquely identify the task.

A TSS contains 22 words that define the contents of all registers and flags, the initial stacks for privilege levels 0-2, the LDT selector, and a link to the TSS of the previously executing task. Figure 8-1 shows the layout of the TSS.

Each TSS consists of two parts, a static portion and a dynamic portion. The static entries are never changed by the iAPX 286, while the dynamic entries are changed by each task switch out of this task. The static portions...
Figure 8-1. Task State Segment and TSS Registers
of this segment are the task LDT selector and the initial stack pointer address for levels 0-2.

The modifiable or dynamic portion of the task state segment consists of all dynamically-variable and programmer-visible processor registers, including flags, segment registers, and the instruction pointer. It also includes the linkage word used to chain nested invocations of different tasks.

The link word provides a history of which tasks invoked others. The link word is important for restarting an interrupted task when the interrupt has been serviced. Placing the back link in the TSS protects it from improper use by the interrupt task.

The stack pointer entries in the TSS for privilege levels 0-2 are static (i.e., never written during a privilege or task switch). They define the stack to use upon entry to that privilege level. When entering a more privileged level, the caller's stack pointer is saved on the stack of the new privilege level, not in the TSS. Leaving the privilege level requires popping the caller's return address and stack pointer off the current stack. The stack pointer at that point will be the same as the initial value loaded from the TSS upon entry to the privilege level.

There is only one stack active at any time, the one defined by the SS and SP registers. The only other stacks that may be active are those at outer (less privileged) levels that called the current level. Stacks for inner levels cannot be active since outward (to numerically larger privilege levels) calls from inner levels are not allowed.

The location of the stack pointer for an outer privilege level will always be found at the start of the stack of the inner privilege level called by that level. That stack may be the initial stack for this privilege level or an outer level. Look at the start of the stack for this privilege level. If the RPL of the saved SS selector is the privilege level required, then use the SS:SP value there. Otherwise, go to the beginning of the stack defined by that value and look at the saved SS:SP value there.

8.2.1 Task State Segment Descriptors
A special descriptor is used for task state segments. This descriptor must be accessible at all times; therefore, it can appear only in the GDT. The access byte distinguishes TSS descriptors from data or code segment descriptors. When bits 1 through 4 of the access byte are 0001 or 0003, the descriptor is for a TSS.

The complete layout of a task state segment descriptor is shown in figure 8-2.

![Figure 8-2. TSS Descriptor](image-url)
Like a data segment; the descriptor contains a base address and limit field. The limit must be at least 002BH (43) to contain the minimum amount of information required for a TSS. A task fault will occur if an attempt is made to switch to a task whose TSS descriptor limit is less than 43.

The P-bit (Present) flag indicates whether this descriptor contains currently valid information: 1 means yes, 0 no. A task switch that attempts to reference a not-present TSS causes a not-present exception code identifying the task state segment selector.

The descriptor privilege level (DPL) controls use of the TSS by JMP or CALL instructions. By the same reasoning as that for call gates, DPL can prevent a program from calling the TSS and thereby cause a task switch. Section 8.3 discusses privilege considerations during a task switch in greater detail.

Bit 4 is always 0 since TSS is a control segment descriptor. Control segments cannot be accessed by SS, DS, or ES. Any attempt to load those segment registers with a selector that refers to a control segment causes general protection. This rule prevents the program from improperly changing the contents of a control segment.

TSS descriptors can have two states: idle and busy. Bit 1 of the access byte distinguishes them. The distinction is necessary since tasks are not re-entrant; a busy TSS may not be invoked.

8.3 TASK SWITCHING

A task switch may occur in one of four ways:

1. The destination selector of a long JMP or CALL instruction refers to a TSS descriptor. The offset portion of the destination address is ignored.

2. An IRET instruction is executed when the NT bit in the flag word = 1. The new task TSS selector is in the back link field of the current TSS.

3. The destination selector of a long JMP or CALL instruction refers to a task gate. The offset portion of the destination address is ignored. The new task TSS selector is in the gate. (See section 8.5 for more information on task gates.)

4. An interrupt occurs. This interrupt's vector refers to a task gate in the interrupt descriptor table. The new task TSS selector is in the gate. See section 9.4 for more information on interrupt tasks.

No new instructions are required for a task switch operation. The standard iAPX 86 JMP, CALL, IRET, or interrupt operations perform this function. The distinction between the standard instruction and a task switch is made either by the type of descriptor referenced or by the NT bit in flag word. The choice of technique depends on whether a task is being made active or idle and whether return from the new task is expected.

Using the call instruction to switch tasks implies a return is expected from the called task. The jump instruction implies no return is expected from the new task.

The IRET instruction causes a return to the task that called this one.

The task gate is the preferred method of servicing an interrupt in an isolated task.

Access to TSS and task gate descriptors is restricted by the rules privilege level. The data access rules are used, thereby allowing task
switches to be restricted to programs of sufficient privilege. Address space separation does not apply to TSS descriptors since they must be in the GDT. The access rules for interrupts are discussed in section 9.4.

For JMP or CALL instructions that reference a TSS or task gate, the effective privilege level of the destination selector (i.e., the numeric maximum of the selector's RPL and current CPL) must be less than or equal to the descriptor DPL. If it is not, a general protection fault will occur with an error code identifying the descriptor.

Once access to the TSS has been granted, the task switch operation involves six steps:

1. Recognizing that the JMP/CALL/IRET instruction or interrupt requires a task switch: One of the four ways shown in section 8.3 must be used for this. The new TSS to use is defined either directly by the TSS descriptor selected by the instruction or is in the task gate.

2. Checking that the current task is allowed to switch to the designated task: Data access privilege rules are applied for the JMP/CALL cases. The current task becomes the outgoing task.

3. Checking that the new task is present and has a proper TSS limit: The new task becomes the incoming task.

4. Saving the state of the outgoing task: The outgoing TSS selector is in the TR. The dynamic portion of the outgoing TSS is written with the corresponding CPU register values (e.g., AX, BX, CX, DX, SI, DI, BP, SP, ES, DS, SS, CS, IP, and flag register). The IP value points at the instruction following the one which caused the task switch. All errors up to this point are handled in the context of the outgoing task. The errors are restartable and error handling is transparent to the application program.

5. Load TR with the incoming task selector, mark the incoming task's descriptor as busy, and set TS.

6. Load the incoming task state and resume execution: The following registers are loaded: LDT, AX, BX, CX, DX, SI, DI, BP, SP, ES, DS, SS, CS, IP, and flag register. Any errors detected in this step are handled in the context of the incoming task. It will appear as if the first instruction of the new task had not yet executed.

Note that the state of the outgoing task is always saved. If execution of that task is resumed, it will start the instruction that caused the task switch. The values of the registers will be the same as that when the task stopped running.

Any task switch sets the Task Switched (TS) bit in the Machine Status Word (MSW). This flag is used when processor extensions such as the 80287 Numeric Processor Extension are present. The TS bit signals that the context of the processor extension may not belong to the current iAPX 286 task. Chapter 11 discusses the TS bit and processor extensions in more detail.

The checks in table 8-1 are made during the task switch. All the requirements shown in the table must be satisfied for the task switch to occur without an exception. For each check, the type of exception and error code are described. Up to and including step 3, the exception occurs in the context of the outgoing task. After step 3, the incoming task is considered valid. All exceptions occur in the context of the incoming task.
Validity tests on a selector ensure that the selector: is in the proper table (i.e., the LDT selector refers to GDT), lies within the bounds of the table, and refers to the proper type of descriptor (i.e., the LDT selector refers to the LDT descriptor).

A task switch allows flexibility in the privilege level of the outgoing and incoming tasks. The privilege level at which execution resumes in the incoming task is not restricted by the privilege level of the outgoing task. This is reasonable since both tasks are isolated from each other with separate address spaces and machine states. The privilege rules prevent improper access to a TSS. The only interaction between the tasks is to the extent that one started the other and the incoming task may restart the outgoing task while executing an IRET or RET instruction.

### 8.4 TASK LINKING

The TSS has a field called “back link” which contains the selector of the TSS of a task that should be restarted when the current task completes. The back link field of an interrupt-initiated task is automatically written with the TSS selector of the interrupted task.
A task switch initiated by a CALL instruction also points the back link at the outgoing task’s TSS. Such task nesting is indicated to programs via the Nested Task (NT) bit in the flag word of the incoming task.

Task nesting is necessary for interrupt functions to be processed as separate tasks. The interrupt function is thereby isolated from all other tasks in the system. To restart the interrupted task, the interrupt handler executes an IRET instruction much in the same manner as an iAPX 86 interrupt handler. The IRET instruction will then cause a task switch to the interrupted task.

Completion of a task occurs when the IRET instruction is executed with the NT bit in the flag word set. The NT bit is automatically set/reset by task switch operations as appropriate. Executing an IRET instruction with NT cleared causes the normal iAPX 86 interrupt return function to be performed.

Executing IRET with NT set causes a task switch to the task defined by the back link field of the current TSS. The selector value is fetched and verified as pointing to a valid, accessible TSS. The normal task switch operation described in section 8.3 then occurs.

After the task switch is complete, the outgoing task is now idle and considered ready to process another interrupt.

Table 8-2 shows how the busy bit, NT bit, and link word of the incoming and outgoing task are affected by task switch operations caused by JMP, CALL, or IRET instructions.

Violation of any of the busy bit requirements shown in table 8-2 causes a general protection fault with the saved machine state appearing as if the instruction had not executed. The error code identifies the selector of the TSS with the busy bit.

A bus lock is applied during the testing and setting of the TSS descriptor busy bit to ensure that two processors do not invoke the same task at the same time. See also section 11.4 for other multi-processor considerations.

The linking order of tasks can be changed by trusted software that can correctly change the back link field in a TSS and busy bit of the descriptor. Such changes are necessary if the software wants to restart a task interrupted by another task after the interrupted task requests some time-consuming function.

<table>
<thead>
<tr>
<th>Affected Field</th>
<th>JMP Instruction Effect</th>
<th>CALL/INT Instruction Effect</th>
<th>IRET Instruction Effect</th>
</tr>
</thead>
<tbody>
<tr>
<td>Busy bit of incoming task TSS descriptor</td>
<td>Set, must be 0 before</td>
<td>Set, must be 0 before</td>
<td>Unchanged, must be set</td>
</tr>
<tr>
<td>Busy bit of outgoing task TSS descriptor</td>
<td>Cleared</td>
<td>Unchanged</td>
<td>Cleared</td>
</tr>
<tr>
<td>NT bit in incoming task flag word</td>
<td>Cleared</td>
<td>Set</td>
<td>Unchanged</td>
</tr>
<tr>
<td>NT bit in outgoing task flag word</td>
<td>Unchanged</td>
<td>Unchanged</td>
<td>Cleared</td>
</tr>
<tr>
<td>Back link in incoming task TSS</td>
<td>Unchanged</td>
<td>Set to outgoing task TSS selector</td>
<td>Unchanged</td>
</tr>
<tr>
<td>Back link of outgoing task TSS</td>
<td>Unchanged</td>
<td>Unchanged</td>
<td>Unchanged</td>
</tr>
</tbody>
</table>
When trusted software deletes the link from one task to another, it should place a value in the backlink field, which will pass control to that trusted software when the task attempts to resume execution of another task via IRET.

### 8.5 TASK GATES

A task may be invoked by several different events. Task gates are provided to support this need. Task gates are used in the same way as call and interrupt gates. The ultimate effect of jumping to or calling a task gate is the same as jumping to or calling directly to the TSS in the task gate.

Figure 8-3 depicts the layout of a task gate.

A task gate is identified by the access byte field in bits 0 through 4 being 00101. The gate provides an extra level of indirection between the destination address and the TSS selector value. The offset portion of the JMP or CALL destination address is ignored.

Gate use provides flexibility in controlling access to tasks. Task gates can appear in the GDT or LDT. The TSS descriptors for all tasks must be kept in the GDT. They are normally placed at level 0 to prevent any task from improperly invoking another task. Task gates placed in the LDT allow private access to selected tasks with full privilege control.

The data segment access rules apply to accessing a task gate via JMP, CALL, or INT instructions. The effective privilege level (EPL) of the destination selector must be numerically less than or equal to the DPL of the task gate descriptor. Any violation of this requirement causes a general protection fault with an error code identifying the task gate involved.

Once access to the task gate has been verified, the TSS selector from the gate is read. The RPL of the TSS selector is ignored. From this point, all the checks and actions performed for a JMP or CALL to a TSS after access has been verified are performed (see section 8.4). Figure 8-4 illustrates an example of a task switch through a task gate.
Figure 8-4. Task Switch Through a Task Gate
Interrupts And Exceptions
Interrupts and exceptions are special cases of control transfer within a program. An interrupt occurs as a result of an event that is independent of the currently executing program, while exceptions are a direct result of the program currently being executed. Interrupts may be external or internal. External interrupts are generated by either the INTR or NMI input pins. Internal interrupts are caused by the INT instruction. Exceptions occur when an instruction cannot be completed normally. Although their causes differ, interrupts and exceptions use the same control transfer techniques and privilege rules; therefore, in the following discussions the term interrupt will also apply to exceptions.

The program used to service an interrupt may execute in the context of the task that caused the interrupt (i.e., used the same TSS, LDT, stacks, etc.) or may be a separate task. The choice depends on the function to be performed and the level of isolation required.

9.1 INTERRUPT DESCRIPTOR TABLE

Many different events may cause an interrupt. To allow the reason for an interrupt to be easily identified, each interrupt source is given a number called the interrupt vector. Up to 256 different interrupt vectors (numbers) are possible. See figure 9-1.

A table is used to define the handler for each interrupt vector. The Interrupt Descriptor Table (IDT) defines the interrupt handlers for up to 256 different interrupts. The IDT is in physical memory, pointed to by the contents of the on-chip IDT register that contains a 24-bit base and a 16-bit limit. The IDTR is normally loaded with the LIDT instruction by code that executes at privilege level 0 during system initialization. The IDT may be located anywhere in the physical address space of the iAPX 286.

Each IDT entry is a 4-word gate descriptor that contains a pointer to the handler. The

![Figure 9-1. Interrupt Descriptor Table Definition](image-url)
INTERRUPTS AND EXCEPTIONS

There are three types of gates permitted in the IDT: interrupt gates, trap gates (discussed in section 9.3), and task gates (discussed in section 8.5). Interrupt and task gates process interrupts in the same task, while task gates cause a task switch. Any other descriptor type in the IDT will cause an exception if it is referenced by an interrupt.

The IDT need not contain all 256 entries. A 16-bit limit register allows less than the full number of entries. Unused entries may be signaled by placing a zero in the access rights byte. If an attempt is made to access an entry outside the table limit, or if the wrong descriptor type is found, a general protection fault occurs with an error code identifying the invalid interrupt vector (see figure 9-2).

Exception error codes that refer to an IDT entry can be identified by bit 1 of the error code that will be set. Bit 0 of the error code is 1 if the interrupt was caused by an event external to the program (i.e., an external interrupt, a single step, a processor extension error, or a processor extension not present).

Interrupts 0-31 are reserved for use by Intel. Some of the interrupts are used for instruction exceptions. The IDT limit must be at least 255 to accommodate the minimum number of interrupts. The remaining 224 interrupts are available to the user.

9.2 HARDWARE INITIATED INTERRUPTS

Hardware-initiated interrupts are caused by some external event that activates either the INTR or NMI input pins of the processor. Events that use the INTR input are classified as maskable interrupts. Events that use the NMI input are classified as non-maskable interrupts.

All 224 user-defined interrupt sources share the INTR input, but each has the ability to use a separate interrupt handler. An 8-bit vector supplied by the interrupt controller identifies which interrupt is being signaled. To read the interrupt id, the processor performs the interrupt acknowledge bus sequence.

Maskable interrupts (from the INTR input) can be inhibited by software by setting the interrupt flag bit (IF) to 0 in the flag word. The IF bit does not inhibit exceptions or interrupts caused by the INT instruction. The IF bit also does not inhibit processor extension interrupts.

![Figure 9-2. IDT Selector Error Code](image-url)
INTERRUPTS AND EXCEPTIONS

The type of gate placed into the IDT for the interrupt vector will control whether other maskable interrupts remain enabled or not during the servicing of that interrupt. The flag word that was saved on the stack reflects the maskable interrupt enable status of the processor prior to the interrupt. The procedure servicing a maskable interrupt can also prevent further maskable interrupts during its work by resetting the IF flag.

Non-maskable interrupts are caused by the NMI input. They have a higher priority than the maskable interrupts (meaning that in case of simultaneous requests, the non-maskable interrupt will be serviced first). A non-maskable interrupt has a fixed vector (#2) and therefore does not require an interrupt acknowledge sequence on the bus. A typical use of an NMI is to invoke a procedure to handle a power failure or some other critical hardware exception.

A procedure servicing an NMI will not be further interrupted by other non-maskable interrupt requests until an IRET instruction is executed. Any further NMI requests are remembered by the hardware and will be serviced after the first IRET instruction. To prevent a maskable interrupt from interrupting the NMI interrupt handler, the IF flag should be cleared either by using an interrupt gate in the IDT or by setting IF = 0 in the flag word of the task involved.

9.3 SOFTWARE INITIATED INTERRUPTS

Software initiated interrupts occur explicitly as interrupt instructions or may arise as the result of an exceptional condition that prevents the continuation of program execution. Software interrupts are not maskable. Two interrupt instructions exist which explicitly cause an interrupt: INT n and INT 3. The first allows specification of any interrupt vector; the second implies interrupt vector 3 (Breakpoint).

Other instructions like INTO, BOUND, DIV, and IDIV may cause an interrupt, depending on the overflow flag or values of the operands. These instructions have predefined vectors associated with them in the first 32 interrupts reserved by Intel.

A whole class of interrupts called exceptions are intended to detect faults or programming errors (in the use of operands or privilege levels). Exceptions cannot be masked. They also have fixed vectors within the first 32 interrupts. Many of these exceptions pass an error code on the stack, which is not the case with the other interrupt types discussed in section 9.2. Section 9.5 discusses these error codes as well as the priority among interrupts that can occur simultaneously.

9.4 INTERRUPT GATES AND TRAP GATES

Interrupt gates and trap gates are special types of descriptors that may only appear in the interrupt descriptor table. The difference between a trap and an interrupt gate is whether the interrupt enable flag is to be cleared or not. An interrupt gate specifies a procedure that enters with interrupts disabled (i.e., with the interrupt enable flag cleared); entry via a trap gate leaves the interrupt enable status unchanged. The NT flag is always cleared when an interrupt uses these gates. Interrupts that have either gate in the associated IDT entry will be processed in the current task.

Interrupts and trap gates have the same structure as the call gates discussed in section 7.5.1. The selector and entry point for a code segment to handle the interrupt or exception is contained in the gate. See figure 9-3.

The access byte contains the Present bit, the descriptor privilege level, and the type identifier. Bits 0-4 of the access byte have a value of 6 for interrupt gates, 7 for trap gates. Byte
Interrupts and Exceptions

5 of the descriptor is not used by either of these gates; it is used only by the call gate, which uses it as the parameter word-count.

Trap and interrupt gates allow a privilege level transition to occur when passing control to a non-conforming code segment. Like a call gate, the DPL of the target code segment selected determines the new CPL. The DPL of the new non-conforming code segment must be less than or equal to CPL.

No privilege transition occurs if the new code segment is conforming. If the DPL of the conforming code segment is greater than the CPL, a general protection exception will occur.

As with all descriptors, these gates in the IDT carry a privilege level. The DPL controls access to interrupts with the INT n instruction. For access, the CPL of the program must be less than or equal to the gate DPL. If the CPL is not, a general protection exception will result with an error code identifying the selected IDT gate. For exceptions and external interrupts, the CPL of the program is ignored while accessing the IDT.

Interrupts pointing to a trap or an interrupt gate are handled in the same manner as an iAPX 86 interrupt. The flags and return address of the interrupted program are saved on the stack of the interrupt handler. To return to the interrupted program, the interrupt handler executes an IRET instruction.

If a privilege transition is required for handling the interrupt, a new stack will be loaded from the TSS. The stack pointer of the old privilege level will also be saved on the new stack in the same manner as a call gate. Figure 9-4 shows the stack contents after an exception with an error code (with or without a privilege level change).

If an interrupt or trap gate is used to handle an exception that passes an error code, the error code will be pushed onto the new stack after the return address (as shown in figure 9-4).

If an interrupt gate is used to handle an interrupt, it is assumed that the selected code segment has sufficient privilege to re-enable interrupts. The IRET instruction will not re-enable interrupts if CPL is numerically greater than IOPL.

Figure 9-3. Trap/Interrupt Gate Descriptors
Table 9-1 shows the checks performed during an interrupt operation that uses an interrupt or trap gate. EXT equals 1 when an event external to the program is involved, 0 otherwise. External events are maskable or non-maskable interrupts, single step interrupt, processor extension segment overrun interrupt, numeric processor not-present exception or numeric processor error. The EXT bit signals that the interrupt or exception is not related to the instruction at CS:IP. Each error code has bit 1 set to indicate an IDT entry is involved.

When the interrupt has been serviced, the service routine returns control via an IRET instruction to the routine that was interrupted. If an error code was passed, the exception handler must remove the error code from the stack before executing IRET.

The NT flag is cleared when an interrupt occurs which uses an interrupt or trap gate. Executing IRET with NT=0 causes the normal interrupt return function. Executing IRET with NT=1 causes a task switch (see section 8.4 for more details).
INTERRUPTS AND EXCEPTIONS

Table 9-1. Trap and Interrupt Gate Checks

<table>
<thead>
<tr>
<th>Check</th>
<th>Exception*</th>
<th>Error Code</th>
</tr>
</thead>
<tbody>
<tr>
<td>Interrupt vector is in IDT limit</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>Trap, Interrupt, or Task Gate in IDT Entry</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>If INT instruction, gate DPL ≥ CPL</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>P bit of gate is set</td>
<td>NP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>Code segment selector is in descriptor table limit</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>CS selector refers to a code segment</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>If code segment is non-conforming, Code Segment DPL ≤ CPL</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>If code segment is non-conforming, and DPL &lt; CPL and if SS selector in TSS is in descriptor table limit</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
<tr>
<td>If code segment is non-conforming, and DPL &lt; CPL and if SS is a writable data segment</td>
<td>GP</td>
<td>IDT entry × 8 + 2 + EXT</td>
</tr>
</tbody>
</table>

*** After this point the saved address will be in the interrupt handler ***

<table>
<thead>
<tr>
<th>Check</th>
<th>Exception*</th>
<th>Error Code</th>
</tr>
</thead>
<tbody>
<tr>
<td>If code segment is non-conforming, and DPL &lt; CPL and code segment DPL = stack segment DPL</td>
<td>GP</td>
<td>Stack segment selector + EXT</td>
</tr>
<tr>
<td>If code segment is non-conforming, and DPL &lt; CPL and if SS is present</td>
<td>SF</td>
<td>Stack segment selector + EXT</td>
</tr>
<tr>
<td>If code segment is non-conforming, and DPL &lt; CPL and if there is enough space for 5 words on the stack (or 6 if error code is required)</td>
<td>SF</td>
<td>Stack segment selector + EXT</td>
</tr>
<tr>
<td>If code segment is conforming, then DPL ≥ CPL</td>
<td>GP</td>
<td>Code segment selector + EXT</td>
</tr>
<tr>
<td>If code segment is not present</td>
<td>NP</td>
<td>Code segment selector + EXT</td>
</tr>
<tr>
<td>If IP is not within the limit of code segment</td>
<td>GP</td>
<td>0 + EXT</td>
</tr>
</tbody>
</table>

* GP = General Protection Exception
  NP = Not Present Exception
  SF = Stack Fault

Like the RET instruction, IRET is restricted to return to a level of equal or lesser privilege unless a task switch occurs. The IRET instruction works like the inter-segment RET instruction except that the flag word is popped and no stack update for parameters is performed. See section 7.5.5 for information on inter-level returns.

To distinguish an inter-level IRET, the new CPL (which is the RPL of the return address CS selector) is compared with the current CPL. If they are the same, the IP and flags are popped and execution continues.

An inter-level return via IRET has all the same checks as shown in table 7-4. The only difference is the extra word on the stack for the old flag word.

Interrupt gates are typically associated with high-priority hardware interrupts for
automatically disabling interrupts upon their invocation. Trap gates are typically software-invoked since they do not disable the maskable hardware interrupts. However, low-priority interrupts (e.g., a timer) are often invoked via a trap gate to allow other devices of higher priority to interrupt the handler of that lower priority interrupt.

Table 9-2 illustrates how the interrupt enable flag and interrupt type interact with the type of gate used.

### 9.5 TASK GATES AND INTERRUPT TASKS

The iAPX 286 allows interrupts to directly cause a task switch. When an interrupt vector selects an entry in the IDT which is a task gate, a task switch occurs. The format of a task gate is described in section 8.5.

A task gate offers two advantages over interrupt gates:

1. It automatically saves all of the processor registers as part of the task-switch operation whereas an interrupt gate saves only the flag register and CS:IP.

2. The new task is completely isolated from the task that was interrupted. Address spaces are isolated and the interrupt-handling task is unaffected by the privilege level of the interrupted task.

An interrupt task switch works like any other task switch once the TSS selector is fetched from the task gate. Like a trap or an interrupt gate, privilege and presence rules are applied to accessing a task gate during an interrupt.

Interrupts that cause a task switch set the NT bit in the flags of the new task. The TSS selector of the interrupted task is saved in the back link field of the new TSS. The interrupting task executes IRET to perform a task switch to return to the interrupted task because NT was previously set. The interrupt task state is saved in its TSS before returning control to the task that was interrupted; NT is restored to its original value in the interrupted task.

Since the interrupt handler state after executing IRET is saved, a re-entry of the interrupt service task will result in the execution of the instruction that follows IRET. Therefore, when the next interrupt occurs, the machine state will be the same as that when the IRET instruction was executed.

Note that an interrupt task resumes execution each time it is re-invoked, whereas an interrupt procedure starts executing at the beginning of the procedure each time. The interrupted task restarts execution at the point

<table>
<thead>
<tr>
<th>Type of Interrupt</th>
<th>Type of Gate</th>
<th>Further NMIs?</th>
<th>Further INTRs?</th>
<th>Further Exceptions?</th>
<th>Further software Interrupts?</th>
</tr>
</thead>
<tbody>
<tr>
<td>NMI</td>
<td>Trap</td>
<td>No</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>NMI</td>
<td>Trap</td>
<td>No</td>
<td>No</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>INTR</td>
<td>Trap</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>INTR</td>
<td>Trap</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Software</td>
<td>Trap</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Software</td>
<td>Trap</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Exception</td>
<td>Trap</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Exception</td>
<td>Trap</td>
<td>Yes</td>
<td>No</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td></td>
<td>Interrupt</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tbody>
</table>
INTERRUPTS AND EXCEPTIONS

of interruption because interrupts occur before the execution of an instruction.

When an interrupt task is used, the task must be concerned with avoiding further interrupts while it is operating. A general protection exception will occur if a task gate referring to a busy TSS is used while processing an interrupt. If subsequent interrupts can occur while the task is executing, the IF bit in the flag word (saved in the TSS) must be zero.

9.5.1 Scheduling Considerations

A software-scheduled operating system must be designed to handle the fact that interrupts can come along in the middle of scheduled tasks and cause a task switch to other tasks. The interrupt-scheduled tasks may call the operating system and eventually the scheduler, which needs to recognize that the task that just called it is not the one the operating system last scheduled.

If the Task Register (TR) does not contain the TSS selector of the last scheduled task, an interrupt initiated task switch has occurred. More than one task may have been interrupt-scheduled since the scheduler last ran. The scheduler must find via the backlink fields in each TSS all tasks that have been interrupted. The scheduler can clear those links and reset the busy bit in the TSS descriptors, putting them back in the scheduling queue for a new analysis of execution priorities. Unless the interrupted tasks are placed back in the scheduling queue, they would have to await a later restart via the task that interrupted them.

To locate tasks that have been interrupt-scheduled, the scheduler looks into the current task’s TSS backlink (word one of the TSS), which points at the interrupted task. If that task was not the last task scheduled, then it’s backlink field in the TSS also points to an interrupted task.

The backlink field of each interrupt-scheduled task should be set by the scheduler to point to a scheduling task that will reschedule the highest priority task when the interrupt-scheduled task executes IRET.

9.5.2 Deciding Between Task, Trap and Interrupt Gates

Interrupts and exceptions can be handled with either a trap/interrupt gate or a task gate. The advantages of a task gate are all the registers are saved and a new set is loaded with full isolation between the interrupted task and the interrupt handler. The advantages of a task/interrupt gate are faster response to an interrupt for simple operations and easy access to pointers in the context of the interrupted task. All interrupt handlers use IRET to resume the interrupted program.

Trap/interrupt gates require that the interrupt handler be able to execute at the same or greater privilege level than the interrupted program. If any program executing at level 0 can be interrupted through a trap/task gate, the interrupt handler must also execute at level 0 to avoid general protection exception. All code, data, and stack segment descriptors must be in the GDT to allow access from any task. But, placing all system interrupt handlers at privilege level 0 may be in consistent with maintaining the integrity of level 0 programs.

Some exceptions require the use of a task gate. The invalid task state segment exception (#10) can arise from errors in the original TSS as well as in the target TSS. Handling the exception within the same task could lead to recursive interrupts or other undesirable effects that are difficult to trace. The double fault exception (#8) should also use a task gate to prevent shutdown from another protection violation occurring during the servicing of the exception.
9.6 PROTECTION EXCEPTIONS AND RESERVED VECTORS

A protection violation will cause an exception, i.e., a non-maskable interrupt. Such a fault can be handled by the task that caused it if an interrupt or trap gate is used, or by a different task if a task gate is used (in the IDT).

Protection exceptions can be classified into program errors or implicit requests for service. The latter include stack overflow and not-present faults. Examples of program errors include attempting to write into a read-only segment, or violating segment limits.

Requests for service may use different interrupt vectors, but many diverse types of protection violation use the same general protection fault vector. Table 9-3 shows the reserved exceptions and interrupts.

When simultaneous external interrupt requests occur, they are processed in the fixed order shown in table 9-4. For each interrupt serviced, the machine state is saved. The new CS:IP is loaded from the gate or TSS. If other interrupts remain enabled, they are processed before the first instruction of the current interrupt handler, i.e., the last interrupt processed is serviced first.

All but three exceptions are restartable after the exceptional condition is removed. The three non-restartable exceptions are the processor extension segment overrun, a segment limit exception that arises during a string operation, and writing into read only segments with ADC, SBB, RCL, and RCR instructions. The return address normally points to the failing instruction, including all leading prefixes.

The instruction and data addresses for the processor extension segment overrun are contained in the processor extension status registers.

Interrupt handlers for most exceptions receive an error code that identifies the selector involved, or a 0 in bits 15-3 of the error code field if there is no selector involved. The error code is pushed last, after the return address, on the stack that will be active when the trap handler begins execution. This ensures that the handler will not have to access another stack segment to find the error code.

Table 9-3. Reserved Exceptions and Interrupts

<table>
<thead>
<tr>
<th>Vector Number</th>
<th>Description</th>
<th>Restartable</th>
<th>Error Code</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>Divide Error Exception</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>1</td>
<td>Single Step Interrupt</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>2</td>
<td>NMI Interrupt</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>3</td>
<td>Breakpoint Interrupt</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>4</td>
<td>INTO Detected Overflow Exception</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>5</td>
<td>BOUND Range Exceeded Exception</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>6</td>
<td>Invalid Opcode Exception</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>7</td>
<td>Processor Extension Not Available Exception</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>8</td>
<td>Double Exception Detected</td>
<td>No</td>
<td>Yes (Always 0)</td>
</tr>
<tr>
<td>9</td>
<td>Processor Extension Segment Overrun Interrupt</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>10</td>
<td>Invalid Task State Segment</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>11</td>
<td>Segment Not Present</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>12</td>
<td>Stack Segment Overrun or Not Present</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>13</td>
<td>General Protection</td>
<td>No</td>
<td>Yes</td>
</tr>
</tbody>
</table>
The following sections describe the exceptions in greater detail.

9.6.1 Invalid OP-Code (Interrupt 6)
When an invalid opcode is detected by the execution unit, interrupt 6 is invoked. (It is not detected until an attempt is made to execute it, i.e., prefetching an invalid opcode does not cause this exception.) The saved CS:IP will point to the invalid opcode or any leading prefixes; no error code is pushed on the stack. The exception can be handled within the same task, and is restartable.

This exception will occur for all cases of an invalid operand. Examples include an inter-segment jump referencing a register operand, or an LES instruction with a register source operand. This exception can also occur because redundant prefixes have been placed before an instruction so that the total length of the instruction exceeds 10 bytes.

9.6.2 Double Fault (Interrupt 8)
If two separate protection violations occur during a single instruction, exception 8 (Double Fault) occurs (e.g., a general protection fault in level 3 is followed by a not-present fault due to a segment not-present). If another protection violation occurs during the processing of exception 8, the iAPX 286 enters shutdown, during which time no further instructions or exceptions are processed.

Either NMI or RESET can force the CPU out of shutdown. An NMI input can bring the CPU out of shutdown if no errors occur while processing the NMI interrupt; otherwise, shutdown can only be exited via the RESET input. NMI causes the CPU to remain in protected mode, and RESET causes it to exit protected mode. Shutdown is signaled externally via a HALT bus operation with A1 HIGH.

A task gate must be used for the double fault handler to assure a proper task state to respond to the exception. The back link field in the current TSS will identify the TSS of the task causing the exception. The saved address will point at the instruction that was being executed (or was ready to execute) when the error was detected. The error code will be null.

9.6.3 Processor Extension Segment Overrun (Interrupt 9)
Interrupt 9 signals that the processor extension (such as the 80287 numerics processor) has overrun the limit of a segment while attempting to read/write the second or subsequent words of an operand. The interrupt is generated by the processor extension data channel within the 80286 during the limit test performed on each transfer of data between memory and the processor extension. This interrupt can be handled in the same task but is not restartable.

As with all external interrupts, Interrupt 9 is an asynchronous demand caused by the processor extension referencing something outside a segment boundary. Since Interrupt 9 can occur any time after the processor extension is started, the 80286 does not save any information that identifies what particular operation had been initiated in the processor extension. The processor extension
INTERRUPTS AND EXCEPTIONS

maintains special registers that identify the last instruction it executed and the address of the desired operand.

After this interrupt occurs, no WAIT or escape instruction, except FNINIT, can be executed until the interrupt condition is cleared or the processor extension is reset. The interrupt signals that the processor extension is requesting an invalid data transfer. The processor extension will always be busy when waiting on data. Deadlock results if the CPU executes an instruction that causes it to wait for the processor extension before resetting the processor extension. Deadlock means the CPU is waiting for the processor extension to become idle while the processor extension waits for the CPU to service its data request.

The FNINIT instruction is guaranteed to reset the processor extension without causing deadlock. After the interrupt is cleared, this restriction is lifted. It is then possible to read the instruction and operand address via FSTENV or FSAVE, causing the segment overrun in the processor extension's special registers.

9.6.4 Invalid Task State Segment (Interrupt 10)

Interrupt 10 is invoked if during a task switch the new TSS pointed to by the task gate is invalid. The EXT bit indicates whether the exception was caused by an event outside the control of the program.

A TSS is considered invalid in the cases shown in table 9-5.

Once the existence of the new TSS is verified, the task switch is considered complete, with the backlink set to the old task if necessary. All errors are handled in the context of the new task.

Exception 10 must use a task gate to insure a proper TSS to process it.

9.6.5 Not Present (Interrupt 11)

Exception 11 occurs when an attempt is made to load a not-present segment or to use a control descriptor that is marked not-present. (If, however, the missing segment is an LDT

<table>
<thead>
<tr>
<th>Reason</th>
<th>Error Code</th>
</tr>
</thead>
<tbody>
<tr>
<td>The limit in the TSS descriptor is less than 43</td>
<td>TSS id + EXT</td>
</tr>
<tr>
<td>Invalid LDT selector or LDT not present</td>
<td>LDT id + EXT</td>
</tr>
<tr>
<td>Stack segment selector is outside table limit</td>
<td>SS id + EXT</td>
</tr>
<tr>
<td>Stack segment is not a writable segment</td>
<td>SS id + EXT</td>
</tr>
<tr>
<td>Stack segment DPL does not match new CPL</td>
<td>SS id + EXT</td>
</tr>
<tr>
<td>Stack segment selector RPL ≠ CPL</td>
<td>SS id + EXT</td>
</tr>
<tr>
<td>Code segment selector is outside table limit</td>
<td>CS id + EXT</td>
</tr>
<tr>
<td>Code segment selector does not refer to code segment</td>
<td>CS id + EXT</td>
</tr>
<tr>
<td>Non-conforming code segment DPL ≠ CPL</td>
<td>CS id + EXT</td>
</tr>
<tr>
<td>Conforming code segment DPL &gt; CPL</td>
<td>CS id + EXT</td>
</tr>
<tr>
<td>DS or ES segment selector is outside table limits</td>
<td>ES/DS id + EXT</td>
</tr>
<tr>
<td>DS or ES are not readable segments</td>
<td>ES/DS id + EXT</td>
</tr>
</tbody>
</table>
that is needed in a task switch, exception 10 occurs.) This exception is fully restartable.

Any segment load instruction can cause this exception. Interrupt 11 is always processed in the context of the task in which it occurs.

The error code has the form shown in figure 9-5. The EXT bit will be set if an event external to the program caused an interrupt that subsequently referenced a not-present segment. Bit 1 will be set if the error code refers to an IDT entry, e.g., an INT instruction referencing a not-present gate. The upper 14 bits are the upper 14 bits of the segment selector involved.

When a not-present exception occurs, the ES and DS segment registers may not be usable for referencing memory. During a task switch, the selector values are loaded before the descriptors are checked. The not-present handler should not rely on being able to use the values found in CS, ES, SS, and DS without causing another exception.

9.6.6 Stack Fault (Interrupt 12)

Stack underflow or overflow causes exception 12, as does a not-present stack segment referenced during an inter-task or inter-level transition. This exception is fully restartable. A limit violation of the current stack results in an error code of 0. The EXT bit of the error code tells whether an interrupt external to the program caused the exception.

Any instruction that loads a selector to SS (e.g., POP SS, task switch) can cause this exception. This exception must use a task gate if there is a possibility that any level 0 stack may not be present.

When a stack fault occurs, the ES and DS segment registers may not be usable for referencing memory. During a task switch, the selector values are loaded before the descriptors are checked. The stack fault handler should check the saved values of SS, CS, DS, and ES to be sure that they refer to present segments before restoring them.

9.6.7 General Protection Fault (Interrupt 13)

If a protection violation occurs which is not covered in the preceding paragraphs, it is classed as Interrupt 13, a general protection fault. The error code is zero for limit violations, write to read-only segment violations, and accesses relative to DS or ES when they are zero or refer to a segment at a greater privilege level than CPL. Other access violations (e.g., a wrong descriptor type) push a non-zero error code that identifies the selector used on the stack. Error codes with bit 0 cleared and bits 15-2 non-zero indicate a restartable condition.

Bit 1 of the error code identifies whether the selector is in the IDT or LDT/GDT. If bit 1=0 then bit 2 separates LDT from GDT. Bit 0 (EXT) indicates whether the exception was caused by the program or an event external to it (i.e., single stepping, an external interrupt, a processor extension not-present or a segment overrun). If bit 0 is set, the selector typically has nothing to do with the instruction that was interrupted. The selector refers instead to some step of servicing an interrupt that failed.

When bit 0 of the error code is set, the program can be restarted, except for processor extension segment overrun exceptions. The exception with the bit 0 of the error code = 1 indicates some interrupt has been lost due to a fault in the descriptor pointed to by the error code.

A non-zero error code with bit 0 cleared may be an operand of the interrupted instruction,
an operand from a gate referenced by the instruction, or a field from the invalid TSS.

9.7 ADDITIONAL EXCEPTIONS AND INTERRUPTS

Interrupts 0, 5, and 1 have not yet been discussed. Interrupt 0 is the divide-error exception, Interrupt 5 the bound-range exceeded exceptions, and Interrupt 1 the single step interrupt. The divide-error or bound-range exceptions make it appear as if that instruction had never executed: the registers are restored and the instruction can be restarted. The divide-error exception occurs during a DIV or an IDIV instruction when the quotient will be too large to be representable, or when the divisor is zero.

Interrupt 5 occurs when a value exceeds the limit set for it. A program can use the BOUND instruction to check a signed array index against signed limits defined in a two-word block of memory. The block can be located just before the array to simplify addressing. The block's first word specifies the array's lower limit, the second word specifies the array's upper limit, and a register specifies the array index to be tested.

9.7.1 Single Step Interrupt (Interrupt 1)

Interrupt 1 allows programs to execute one instruction at a time. This single-stepping is controlled by the TF bit in the flag word. Once this bit is set, an internal single step interrupt will occur after the next instruction has been executed. The interrupt saves the flags and return address on the stack, clears the TF bit, and uses an internally supplied vector of 1 to transfer control to the service routine via the IDT.

The IRET instruction or a task switch must be used to set the TF bit and to transfer control to the next instruction to be single stepped. If TF=1 in a TSS and that task is invoked, it will execute the first instruction and then be interrupted.

The single-step flag is normally not cleared by privilege changes inside a task. INT instructions also do not clear TF. System software should check the current execution privilege level after any single step interrupt to see whether single stepping should continue.

The interrupt priorities in hardware guarantee that if an external interrupt occurs, single stepping stops. When both an external interrupt and a single step interrupt occur together, the single step interrupt is processed first. This clears the TF bit. After saving the return address or switching tasks, the external interrupt input is examined before the first instruction of the single step handler executes. If the external interrupt is still pending, it is then serviced. The external interrupt handler is not single-stepped. To single step an interrupt handler, just single step an interrupt instruction that refers to the interrupt handler.
CHAPTER 10
SYSTEM CONTROL AND INITIALIZATION

Special flags, registers, and instructions provide control of the critical processes and interaction in iAPX 286 operations. The flag register includes 3 bits that represent the current I/O privilege level (IOPL: 2 bits) and the nested task bit (NT). Four additional registers support the virtual addressing and memory protection features, one points to the current Task State Segment and the other three point to the memory-based descriptor tables: GDT, LDT, and IDT. These flags and registers are discussed in the next section. The machine status word, (which indicates processor configuration and status) and the instructions that load and store it are discussed in section 10.2.2.

Similar instructions pertaining to the other registers are the subject of sections 10.2 and 10.3. A detailed description of initialization states and processes, which appears in section 10.4, is supplemented by the extensive example in Appendix A. Instructions that validate descriptors and pointers are covered in section 11.3.

10.1 SYSTEM FLAGS AND REGISTERS

The IOPL flag (bits 12 and 13 of the flags word) controls access to I/O operations and interrupt control instructions. These two bits represent the maximum privilege level (highest numerical CPL) at which the task is permitted to perform I/O instructions. Alteration of the IOPL flags is restricted to programs at level 0 or to a task switch.

IRET uses the NT flag to select the proper return: if NT=0, the normal return within a task is performed. As discussed in Chapter 8, the nested task flag (bit 14 of flags) is set when a task initiates a task switch via a CALL or INT instruction. The old and new task state segments are marked busy and the backlink field of the new TSS is set to the old TSS selector. An interrupt that does not cause a task switch will clear NT after the old NT state is saved. To prevent a program from causing an illegal task switch by setting NT and then executing IRET, a zero selector should be placed in the backlink field of the TSS. An illegal task switch using IRET will then cause exception 13. The instructions POPF and IRET can also set or clear NT when flags are restored from the stack. POPF and IRET can also change the interrupt enable flag. If CPL ≤ IOPL, then the Interrupt Flag (IF) can be changed by POPF and IRET. Otherwise, the state of the IF bit in the new flag word is ignored by these instructions. Note that the CLI and STI instructions are valid only when CPL ≤ IOPL.

10.1.1 Descriptor Table Registers

The three descriptor tables used for all memory accesses are based at addresses supplied by (stored in) three registers: the global descriptor table register (GDTR), the interrupt descriptor table register (IDTR), and the local descriptor table register (LDTR). Each register contains a 24-bit base field and a 16-bit limit field. The base field gives the real memory address of the beginning of the table; the limit field tells the maximum offset permitted in accessing table entries. See figures 10-1 thru 10-3.

The LDT also contains a selector field that identifies the DT descriptor for that table. LDT descriptors must reside in the GDT.

The task register (TR) points to the task state segment for the currently active task. It is
Figure 10-1. Local and Global Descriptor Table Definition

Figure 10-2. Interrupt Descriptor Table Definition
similar to a segment register, with selector, base, and limit fields, of which only the selector field is readable under normal circumstances. Each such selector serves as a unique identifier for its task. The uses of the TR are described in Chapter 8.

The instructions controlling these special registers are described in the next section.

10.2 SYSTEM CONTROL INSTRUCTIONS
The instructions that load the GDTR and IDTR from memory can only be executed at privilege level 0. The store instructions for GDTR and IDTR may be executed at any privilege level. The four instructions are LIDT, LGDT, SIDT, and SGDT. The instructions move 3 words between the indicated descriptor table register and the effective real memory address supplied. The format of the 3 words is: a 2-byte limit, a 3-byte real base address, followed by an unused byte. These instructions are normally used during system initialization.

Similarly, the LLDT instruction loads the LDT registers from a descriptor in the GDT. LLDT uses as its operand a selector to that descriptor. LLDT, only executable at privilege level 0, is normally required only during system initialization because the processor automatically exchanges the LDTR contents as part of the task-switch operation.

Executing an LLDT instruction does not automatically update the TSS or the register caches. To properly change the LDT of the currently running task so that the change holds across task switches, you must perform, in order, the following three steps:

1. Store the new LDT selector into the appropriate word of TSS.
2. Load the new LDT selector into LDTR.
3. Reload the DS and ES registers if they refer to LDT-based descriptors.

Note that the current code segment and stack segment descriptors should reside in the GDT or be copied to the same location in the new LDT.

SLDT (store LDT) can be executed at any privilege level. SLDT stores the local descriptor table selector from the LDT register.

Task Register loading or storing is again similar to that of the LDT. The LTR instruction, operating only at level 0, loads the LTR at initialization time with a selector for the initial TSS. LTR does NOT cause a task switch; it just changes the current TSS. Note that the busy bit of the old TSS descriptor is not changed while the busy bit of the new TSS selector must be zero and will be set by LTR. The LDT and any segment registers referring to the old LDT should be reloaded. STR, which permits the storing of TR contents into memory, can be executed at any privilege level. LTR is not usually needed after initialization because the TR is managed by the task-switch operation.
10.2.2 Machine Status Word

The Machine Status Word (MSW) indicates the iAPX 286 configuration and status. It is not part of a task’s state. The MSW word is loaded by the LMSW instruction executed at privilege level 0 only, or is stored by the SMSW instruction executing at any privilege level. MSW is a 16-bit register, the lower four bits of which are used. These bits have the meanings shown in table 10-1.

The TS flag is set under hardware control and reset under software control. Once the TS flag is set, the next instruction using a processor extension causes a processor extension not-present exception (#7). This feature allows software to test whether the current processor extension state belongs to the current task as discussed in section 11.4. If the current processor extension state belongs to a different task, the software can save the state of any processor extension with the state of the task that uses it. Thus, the TS bit protects a task from processor extension errors that result from the actions of a previous task.

The CLTS instruction is used to reset the TS flag after the exception handler has set up the proper processor extension state. The CLTS instruction can be executed at privilege level 0 only.

The EM flag indicates a processor extension function is to be emulated by software. If EM = 1 and MP = 0, all ESCAPE instructions will be trapped via the processor extension not-present exception (#7).

MP flag tells whether a processor extension is present. If MP = 1 and TS = 1, escape and wait instructions will cause exception 7.

The PE flag indicates that the iAPX 286 is in the protected virtual address mode. Once the PE flag is set, it can be cleared only by a reset, which then puts the system in real address mode emulating the 8086.

Table 10-2 shows the recommended usage of the MSW.

10.2.3 Other Instructions

Instructions that verify or adjust access rights, segment limits, or privilege levels can be used to avoid exceptions or faults that are correctable. Section 10.3 describes such instructions.

10.3 PRIVILEGED AND TRUSTED INSTRUCTIONS

Instructions that execute only at CPL = 0 are called “privileged.” An attempt to execute the privileged instructions at any other privilege level causes a general protection exception.
(13) with an error code of zero. The privileged instructions manipulate descriptor tables or system registers. Incorrect use of these instructions can produce unrecoverable conditions. Some of these instructions (LGDT, LLDT, and LTR) are discussed in section 10.2.

Other privileged instructions are:

- LIDT—Load interrupt descriptor table register
- LMSW—Load machine status word
- CLTS—Clear task switch flag
- HALT—Halt processor execution

"Trusted" instructions are restricted to execution at privilege levels that can be programmed. For each task, the operating system defines a privilege level below which these instructions cannot be used. Most of these instructions deal with input/output or interrupt management. The IOPL field in the flag word holds the privilege level limit. The trusted instructions are:

- Input/Output—Block I/O, Input, and Output: IN, INW, OUT, OUTW, INSB, INSW, OUTSB, OUTSW
- Interrupts—Enable Interrupts, Disable Interrupts: STI, CLI
- Other—Lock Prefix

Note: POPF (POP flags) or IRET can change the IF value only if the user is operating at a trusted privilege level. POPF does not change IOPL except at Level 0.

### 10.4 INITIALIZATION

Whenever the iAPX 286 is initialized or reset, certain registers are set to predefined values. All additional desired initialization must be performed by user software. (See Appendix A for an example of a 286 initialization routine.) RESET forces the iAPX 286 to
terminate all execution and local bus activity; no instruction or bus action will occur as long as RESET is active. Execution in real address mode begins after RESET becomes inactive and an internal processing interval (3-4 clocks) occurs. The initial state at reset is:

\[
\begin{align*}
\text{FLAGS} &= 0002 \\
\text{MSW} &= \text{FFFFH} \\
\text{IP} &= \text{FFFFH} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{CS:base} &= \text{FFFF00H} \\
\text{MSW} &= \text{FFFFH} \\
\text{IP} &= \text{FFFF00H} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{DS:base} &= \text{FFFF00H} \\
\text{IP} &= \text{FFFF00H} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{ES:base} &= \text{FFFF00H} \\
\text{IP} &= \text{FFFF00H} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{IOT base} &= \text{FFFF00H} \\
\text{IP} &= \text{FFFF00H} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{CS.limit} &= \text{FFFF00H} \\
\text{SS:base} &= \text{FFFF00H} \\
\text{IP} &= \text{FFFF00H} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{CS.limit} &= \text{FFFF00H} \\
\text{SS:base} &= \text{FFFF00H} \\
\text{IP} &= \text{FFFF00H} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{CS.limit} &= \text{FFFF00H} \\
\text{SS:base} &= \text{FFFF00H} \\
\text{IP} &= \text{FFFF00H} \\
\text{CS Selector} &= \text{FFFFH} \\
\text{CS.limit} &= \text{FFFF00H} \\
\text{SS:base} &= \text{FFFF00H} \\
\text{IP} &= \text{FFFF00H} \\
\end{align*}
\]

Two fixed areas of memory are reserved: the system initialization area and the interrupt table area. The system initialization area begins at FFFFF00H (through FFFFFFH) and the interrupt table area begins at 0000000H (through 0003FFH). The interrupt table area is not reserved.

At this point, segment registers are valid and protection bits are set to 0. The iAPX 286 begins operation in real address mode, with PE=0. Maskable interrupts are disabled, and no processor extension is assumed or emulated (EM=MP=0).

DS, ES, and SS are initialized at reset to allow access to the first 64K of memory (exactly as in the 8086). The CS:IP combination specifies a starting address of FFFFF00H. For real address mode, the four most significant bits are not used, providing the same FFF00H address as the 8086 reset location. Use of (or upgrade to) the protected mode can be supported by a bootstrap loader at the high end of the address space. As mentioned in Chapter 5, location FFF00H ordinarily contains a JMP instruction whose target is the actual beginning of a system initialization or restart program.

After RESET, CS points to the top 64K bytes in the 16-Mbyte physical address space. Reloading CS register by a control transfer to a different code segment in real address mode will put zeros in the upper 4 bits. Since the initial IP is FFF00H, all of the upper 64K bytes of address space may be used for initialization.

Sections 10.4.1 and 10.4.2 describe the steps needed to initialize the iAPX286 in the real address mode and the protected mode, respectively.

### 10.4.1 Real Address Mode

1. Allocate a stack.
2. Load programs and data into memory from secondary storage.
3. Initialize external devices and the Interrupt Vector Table.
4. Set registers and MSW bits to desired values.
5. Set FLAG bits to desired values—including the IF bit to enable interrupts—after insuring that a valid interrupt handler exists for each possible interrupt.
6. Execute (usually via an inter-segment JMP to the main system program).

### 10.4.2 Protected Mode

The full iAPX 286 virtual address mode initialization procedure requires additional steps to operate correctly:

1. Load programs and associated descriptor tables.
2. Load valid descriptor tables, setting the GDTR and IDTR to their correct value.
3. Set the PE bit to enter protected mode.
4. Execute an intra-segment JMP to clear the processor queues.
5. Load or construct a valid task state segment for the initial task to be executed in protected mode.

6. Load the LDTR selector from the task’s GDT or 0000H (null) if an LDT is not needed.

7. Set the stack pointer (SS, SP) to a valid location in a valid stack segment.

8. Mark all items not in memory as not-present.

9. Set FLAGS and MSW bits to correct values for the desired system configuration.

10. Initialize external devices.

11. Ensure that a valid interrupt handler exists for each possible interrupt.

12. Enable interrupts.


The example in Appendix A shows the steps necessary to load all the required tables and registers that permit execution of the first task of a protected mode system. The program in Appendix A assumes that Intel development tools have been used to construct a prototype GDT, IDT, LDT, TSS, and all the data segments necessary to start up that first task. Typically, these items are stored on EPROM; on most systems it is necessary to copy them all into RAM to get going. Otherwise, the iAPX 286 will attempt to write into the EPROM to set the accessed or busy bits.

The example in Appendix A also illustrates the ability to allocate unused entries in descriptor tables to grow the tables dynamically during execution. Using suitable naming conventions, the builder can allocate alias data segments that are larger than the prototype EPROM version. The code in the example will zero out the extra entries to permit later dynamic usage.
CHAPTER 11
ADVANCED TOPICS

This chapter describes some of the advanced topics as virtual memory management, restartable instructions, special segment attributes, and the validation of descriptors and pointers.

11.1 VIRTUAL MEMORY MANAGEMENT

When access to a segment is requested and the access byte in its descriptor indicates the segment is not present in real memory, the not-present fault occurs (exception 11 or 12 for stacks). The handler for this fault can be set up to bring the absent segment into real memory (swapping or overwriting another segment if necessary), or to terminate execution of the requesting program if this is not possible.

The accessed bit (bit 0) of the access byte is provided in both executable and data segment descriptors to support segment usage profiling. Whenever the descriptor is accessed by the iAPX 286 hardware, the A-bit will be set in memory. This applies to selector test instruction (described below) as well as to the loading of a segment register. The reading of the access byte and the restoration of it with the A-bit set is an indivisible operation, i.e., it is performed as a read-modify-write with bus lock. If an operating system develops a profile of segment usage over time, it can recognize segments of low or zero access and choose among these candidates for replacement.

When a not-present segment is brought into real memory, the task that requested access to it can continue its execution because all instructions that load a segment register are restartable.

Not-present exceptions occur only on segment register load operations, gate accesses, and task switches. The saved instruction pointer refers to the first byte of the violating instruction. All other aspects of the saved machine state are exactly as they were before execution of the violating instruction began. After the fault handler clears up the fault condition and performs an IRET, the program continues to execute. The only external indication of a segment swap is the additional execution time.

11.2 SPECIAL SEGMENT ATTRIBUTES

11.2.1 Conforming Code Segments

Code segments intended for use at potentially different privilege levels need an attribute that permits them to emulate the privilege level of the calling task. Such segments are termed "conforming" segments. Conforming segments are also useful for interrupt-driven error routines that need only be as privileged as the routine that caused the error.

A conforming code segment has bit 2 of its access byte set to 1. This means it can be referenced by a CALL or JMP instruction in a task of equal or lesser privilege, i.e., CPL of the task is numerically greater than or equal to DPL of this segment. CPL does not change when executing the conforming code segment. A conforming segment continues to use the stack from the CPL. This is the only case in which the DPL of a code segment can be numerically less than the CPL. If bit 2 is a 0, the segment is not conforming and can be referenced only by a task of CPL=DPL.

Inter-segment Returns that refer to conforming code segments use the RPL field of the code selector of the return address to determine the new CPL. The RPL becomes the new CPL if the conforming code segment DPL≤RPL.
If a conforming segment is readable, it can be read from any privilege level without restriction. This is the only exception to the protection rules. This allows constants to be stored with conforming code. For example, a read-only look-up table can be embedded in a conforming code segment that can be used to convert system-wide logical ID's into character strings that represent those logical entities.

11.2.2 Expand-Down Data Segments

If bit 2 in the access byte of a data segment is 1, the segment is an expand-down segment. All the offsets that reference such a segment must be strictly greater than the segment limit, as opposed to normal data segments (bit 2 = 0) where all offsets must be less than or equal to the segment limit. Figure 11-1 shows an expand-down segment.

The size of the expand down segment can be changed by changing either the base or the limit. An expand down segment with Limit = 0 will have a size of $2^{16} - 1$ bytes. With a limit value of FFFFH, the expand down segment will have a size of 0 bytes. In an expand down segment, the base + offset value should always be greater than the base + limit value. Therefore, a full size segment ($2^{16}$ bytes) can only be obtained by using an expand up segment.

The operating system should check the Expanded Down bit when a protection fault indicates that the limit of a data segment has been reached. If the Expand Down bit is not set, the operating system should increase the segment limit; if it is set, the limit should be lowered. This supplies more room in either case (assuming the segment is not write-protected, i.e., that bit 1 is not 0). In some cases, if the operating system can ascertain that there is not enough room to expand the data segment to meet the need that caused the fault, it can move the data segment to a region of memory where there is enough room. See figure 11-2.

11.3 POINTER VALIDATION

Pointer validation is an important part of locating programming errors. Pointer validation is necessary for maintaining isolation between the privilege levels. Pointer validation consists of the following steps:

1. Check if the supplier of the pointer is entitled to access the segment.
2. Check if the segment type is appropriate to its intended use.
3. Check if the pointer violates the segment limit.

The iAPX 286 hardware automatically performs checks 2 and 3 during instruction execution, while software must assist in performing the first check. This point is discussed in section 11.3.2. Software can explicitly perform steps 2 and 3 to check for potential violations (rather than causing an exception). The unprivileged instructions LSL, LAR, VERR, and VERW are provided for this purpose.
The load access rights (LAR) instruction obtains the access rights byte of a descriptor pointed to by the selector used in the instruction. If that selector is visible at the CPL, the instruction loads the access byte into the specified destination register as the higher byte (the low byte is zero) and the zero flag is set. Once loaded, the access bits can be tested. System segments such as a task state segment or a descriptor table cannot be read or modified. This instruction is used to verify that a pointer refers to a segment of the proper privilege level and type. If the RPL or CPL is greater than DPL, or the selector is outside the table limit, no access value is returned and the zero flag is cleared. Conforming code segments may be accessed from any RPL or CPL.

Additional parameter checking can be performed via the load segment limit (LSL) instruction. If the descriptor denoted by the given selector (in memory or a register) is visible at the CPL, LSL loads the specified register with a word that consists of the limit field of that descriptor. This can only be done for segments, task state segments, and local descriptor tables (i.e., words from control descriptors are inaccessible). Interpreting the limit is a function of the segment type. For example, downward expandable data segments treat the limit differently than code segments do.

For both LAR and LSL, the zero flag (ZF) is set if the loading was performed; otherwise, the zero flag is cleared. Both instructions are undefined in real address mode, causing an invalid opcode exception (interrupt #6).

11.3.1 Descriptor Validation

The iAPX 286 has two instructions, VERR and VERW, which determine whether a selector points to a segment that can be read or written at the current privilege level. Neither instruction causes a protection fault if the result is negative.

VERR verifies a segment for reading and loads ZF with 1 if that segment is readable from the current privilege level. The validation process checks that: 1) the selector points to a descriptor within the bounds of the GDT or LDT, 2) it denotes a segment descriptor.
(as opposed to a control descriptor), and 3) the segment is readable and of appropriate privilege level. The privilege check for data segments and non-conforming code segments is that the DPL must be numerically greater than or equal to both the CPL and the selector’s RPL. Conforming segments are not checked for privilege level.

VERW provides the same capability as VERR for verifying writability. Like the VERR instruction, VERW loads ZF if the result of the writability check is positive. The instruction checks that the descriptor is within bounds, is a segment descriptor, is writable, and that its DPL is numerically greater or equal to both the CPL and the selector’s RPL. Code segments are never writable, conforming or not.

11.3.2 Pointer Integrity: RPL and the “Trojan Horse Problem”

The Requested Privilege Level (RPL) feature can prevent inappropriate use of pointers that could corrupt the operation of more privileged code or data from a less privileged level.

A common example is a file system procedure, FREAD (file_id, nybytes, buffer.ptr). This hypothetical procedure reads data from a file into a buffer, overwriting whatever is there. Normally, FREAD would be available at the user level, supplying only pointers to the file system procedures and data located and operating at a privileged level. Normally, such a procedure prevents user-level procedures from directly changing the file tables. However, in the absence of a standard protocol for checking pointer validity, a user-level procedure could supply a pointer into the file tables in place of its buffer pointer, causing the FREAD procedure to corrupt them unwittingly.

By using the RPL, you can avoid such problems. The RPL field allows a privilege attribute to be assigned to a selector. This privilege attribute would normally indicate the privilege level of the code which generated the selector. The iAPX 286 hardware will automatically check the RPL of any selector loaded into a segment register or a control register to see if the RPL allows access.

To guard against invalid pointers, the called procedure need only ensure that all selectors passed to it have an RPL at least as high (numerically) as the caller’s CPL. This indicates that the selectors were not more trusted than their supplier. If one of the selectors is used to access a segment that the caller would not be able to access directly, i.e., the RPL is numerically greater than the DPL, then a protection fault will result when loaded into a segment or control register.

The caller’s CPL is available in the CS selector that was pushed on the stack as the return address. A special instruction, ARPL, can be used to appropriately adjust the RPL field of the pointer. ARPL (Adjust RPL field of selector instruction) adjusts the RPL field of a selector to become the larger of its original value and the value of the RPL field in a specified register. The latter is normally loaded from the caller’s CS register. If the adjustment changes the selector’s RPL, ZF is set; otherwise, the zero flag is cleared.

11.4 NPX CONTEXT SWITCHING

The context of a processor extension (such as the 80287 numerics processor) is not changed by the task switch operation. A processor extension context need only be changed when a different task attempts to use the processor extension (which still contains the context of a previous task). The 80286 detects the first use of a processor extension after a task switch by causing the processor extension not-present exception (#7). The interrupt handler may then decide whether a context change is necessary.
The 286 services numeric errors only when it
executes wait or escape instructions because
the processor extension is running independent­
ly. The numerics error from one task may
be recorded when the 286 is running a differ­
ent task. If the 286 task has changed, it makes
sense to defer handling that error until the
original task is restored. For example, inter­
rupt handlers that use the NPX should not
have their timing upset by a numeric error
interrupt that pertains to some earlier process.
It is of little value to service someone else’s
error.

If the task switch bit is set (bit 3 of MSW)
when the CPU begins to execute a wait or
escape instruction, the processor-extension
not-present exception results (#7). The
handler for this interrupt must know who
currently “owns” the NPX, i.e., the handler
must know the last task to issue a command
to the NPX. If the owner is the same as the
current task, then it was merely interrupted
and the interrupt handler has since returned;
the handler for interrupt 7 simply clears the
TS bit, restores the working registers, and
returns (restoring interrupts if enabled).

If the recorded owner is different from the
current task, the handler must first save the
existing NPX context in the save area of the
old task. It can then re-establish the correct
NPX context from the current task’s save
area.

The code example in figure 11-3 relies on the
convention that each TSS entry in the GDT
is followed by an alias entry for a data
segment that points to the same physical
region of memory that contains the TSS. The
alias segment also contains an area for saving
the NPX context, the kernel stack, and certain
kernel data. That is, the first 44 bytes in that
segment are the 286 context, followed by 94
bytes for the processor extension context,
followed in some cases by the kernel stack and
kernel private data areas.

The implied convention is that the stack
segment selector points to this data segment
alias so that whenever there is an interrupt at
level zero and SS is automatically loaded, all
of the above information is immediately
addressable.

It is assumed that the program example knows
about only one data segment that points to a
global data area in which it can find the one
word NPX owner to begin the processing
described. The specific operations needed, and
shown in the figure, are listed in table 11-1.

11.5 MULTIPROCESSOR
CONSIDERATIONS

As mentioned in Chapter 8, a bus lock is
applied during the testing and setting of the
task busy bit to ensure that two processors do
not invoke the same task at the same time.
However, protection traps and conflicting use
of dynamically varying segments or descrip­
tors must be addressed by an inter-processor
synchronization protocol. The protocol can use
the indivisible semaphore operation of the
base instruction set. Coordination of inter­
rupt and trap vectoring must also be
addressed when multiple concurrent proces­
sors are operating.

The interrupt bus cycles are locked so no
interleaving occurs on those cycles. Descrip­
tor caching is locked so that a descriptor
reference cannot be altered while it is being
fetched.

When a program changes a descriptor that is
shared with other processors, it should broad­
cast this fact to the other processors. This
broadcasting can be done with an inter-
processor interrupt. The handler for this interrupt must ensure that the segment registers, the LDTR and the TR, are re-loaded. This happens automatically if the interrupt is serviced by a task switch.

Modification of descriptors of shared segments in multi-processor systems may require that the on-chip descriptors also be updated. For example, one processor may attempt to mark the descriptor of a shared segment as not-present while another is using it. Software has to ensure that the descriptors in the segment register caches are updated with the new information. The segment register caches can be updated by a re-entrant procedure that is invoked by an interprocessor interrupt. The handler must ensure that the segment registers, the LDTR and the TR, are re-loaded. This happens automatically if the interrupt is serviced by a task switch.

```
PUBLIC switch_npX_context
PUBLIC last_npX_task

; Set the new task
pop ds
mov ax, [last_npX_task]
; Get address of global NPX context
add ds, [npX_context]
push ds
push ax
xor ax, ax
push ax
add ax, ds
push ax
mov ax, [npX_context + 4]
add ax, ds
push ax
mov ax, [npX_context + 8]
add ax, ds
push ax
mov ax, [npX_context + 12]
add ax, ds
push ax
mov ax, [npX_context + 16]
add ax, ds
push ax
mov ax, [npX_context + 20]
add ax, ds
push ax
mov ax, [npX_context + 24]
add ax, ds
push ax
mov ax, [npX_context + 28]
add ax, ds
push ax
mov ax, [npX_context + 32]
add ax, ds
push
```

**Figure 11-3. Example of NPX Context Switching**
## Table 11-1. NPX Context Switching

<table>
<thead>
<tr>
<th>Step</th>
<th>Operation</th>
<th>Lines</th>
</tr>
</thead>
<tbody>
<tr>
<td>1.</td>
<td>Save the working registers</td>
<td>28, 29</td>
</tr>
<tr>
<td>2.</td>
<td>Set up address for kernel work area</td>
<td>30, 31</td>
</tr>
<tr>
<td>3.</td>
<td>Get current task ID from Task Register</td>
<td>32</td>
</tr>
<tr>
<td>4.</td>
<td>Clear Task Switch flag to allow NPX work</td>
<td>34</td>
</tr>
<tr>
<td>5.</td>
<td>Inhibit interrupts</td>
<td>35</td>
</tr>
<tr>
<td>6.</td>
<td>Compare owner with current task ID</td>
<td>37</td>
</tr>
<tr>
<td></td>
<td><strong>If same owner:</strong></td>
<td></td>
</tr>
<tr>
<td>7a.</td>
<td>Restore working registers</td>
<td>48, 49</td>
</tr>
<tr>
<td>7b.</td>
<td>and return</td>
<td>50</td>
</tr>
<tr>
<td></td>
<td><strong>If owner is not current task:</strong></td>
<td></td>
</tr>
<tr>
<td>8a.</td>
<td>Use owner ID to save old context in its TSS</td>
<td>42, 43, 44</td>
</tr>
<tr>
<td>8b.</td>
<td>Restore context of current task; restore working registers;</td>
<td>45</td>
</tr>
<tr>
<td></td>
<td>and return</td>
<td>46</td>
</tr>
</tbody>
</table>

---

11-7
Appendix

iAPX 286 System Initialization
# APPENDIX A

## Contents

<table>
<thead>
<tr>
<th>System Initialization</th>
<th>A-1</th>
</tr>
</thead>
</table>

APPENDIX A

iAPX 286 SYSTEM INITIALIZATION

$title('Switch the 80286 from Real Address Mode to Protected Mode')
name switch 80286_modes
public idt_desc,gdt_desc

Switch the 80286 from real address mode into protected mode.
The initial EPROM GDT, IDT, TSS, and LDT (if any) constructed by BLD286
will be copied from EPROM into RAM. The RAM areas are defined by data
segments allocated as fixed entries in the GDT. The CPU registers for
the GDT, IDT, TSS, and LDT will be set to point at the RAM-based
segments. The base fields in the RAM-based GDT will also be updated to
point at the RAM-based segments.

This code is used by adding it to the list of object modules given
to BLD286. BLD286 must then be told to place the segment
init_code at address FFFE10H. Execution of the mode switch code begins
after RESET. This happens because the mode switch code will start at
physical address FFFFFFFH, which is the power up address. This code then
sets up RAM copies of the EPROM-based segments before jumping to the
initial task placed at a fixed GDT entry. After the jump, the CPU
executes in the state of the first task defined by BLD286.

This code will not use any of the EPROM-based tables directly.
Such use would result in the 80286 writing into EPROM to set
the A bit. Any use of a GDT or TSS will always be in the RAM copy.
The limit and size of the EPROM-based GDT and IDT must be stored at
the public symbols idt_desc and gdt_desc. The location commands of BLD286
provide this function.

Interrupts are disabled during this mode switching code. Full error
checking is made of the EPROM-based GDT, IDT, TSS, and LDT to assure
they are valid before copying them to RAM. If any of the RAM-based
alias segments are smaller than the EPROM segments they are to hold,
halt or shutdown will occur. In general, any exception or NMI will
cause shutdown to occur until the first task is invoked.

If the RAM segment is larger than the EPROM segment, the RAM segment
will be expanded with zeros. If the initial TSS specifies an LDT,
the LDT will also be copied into idt_alias with zero fill if needed.
The EPROM-based or RAM-based GDT, IDT, TSS, and LDT segments may be located
anywhere in physical memory.
Form an adjustment factor from the real CS base of FF0000H to the
segment base address assumed by ASM286. Any data reference made
into CS must add an indexing term (BP) to compensate for the difference
between the offset generated by ASM286 and the offset required from
the base of FF0000H.

start proc
  call start1
start1:
  pop bp
  sub bp, offset start1
  lidt initial_gdt[bp]
  The value of IP at run time will not be
  the same as the one used by ASM286!
  Get true offset of start1
  Subtract ASM286 offset of start1
  leaving adjustment factor in BP
  Setup null IDT to force shutdown
  on any protection error or interrupt

Copy the EPROM-based temporary GDT into RAM.

lea si, initial_gdt[bp] ; Setup pointer to temporary GDT
mov cx, (end_gdt - initial_gdt)/2 ; Set length
rep movs es:word ptr [di], cs:[si]; Put into reserved RAM area

Look for 80287 processor extension. Assume all ones will be read
if an 80287 is not present.

fninit bx, EM ; Initialize 80287 if present
mov ax, EM ; Assume no 80287
fstaw ax ; Look at status of 80287
or al, al ; No errors should be present
jnz set_mode ; Jump if no 80287

fsetpm bx, MP ; Put 80287 into protected mode

Switch to protected mode and setup a stack, GDT, and LDT.

set_mode:
  smsw ax ; Get current MSW
  or ax, PE ; Set PE bit
  or ax, bx ; Set NPX status flags
  imsw ax ; Enter protected mode!
  jmp *+2 ; Clear queue of instructions decoded
  while in Real Address Mode
  CPL is now 0, CS still points at
  FFFE10 in physical memory
IAPX 286 SYSTEM INITIALIZATION

Define the template for a temporary GDT used to locate the initial
GDT and stack. This data will be copied to location 0.
This space is also used for a temporary stack and finally serves
as the TSS written into when entering the initial TSS.

org 0 ; Place remaining code below power-up

init_gdt desc <> ; Filler and null IDT descriptor
gdt_desc desc <> ; Descriptor for EPROM GDT
idt_desc desc <> ; Descriptor for EPROM IDT
temp_desc desc <> ; Temporary descriptor

define a descriptor that will point the GDT at location 0.
This descriptor will also be loaded into SS to define the initial
protected mode stack segment.

temp_stack desc <end_gdt-init_gdt-1,0,0,DS_ACCESS,0>

Define the TSS descriptor used to allow the task switch to the
first task to overwrite this region of memory. The TSS will overlay
the initial GDT and stack at location 0.

save_tss desc <end_gdt-init_gdt-1,0,0,TSS_ACCESS,0>

Define the initial stack space and filler for the end of the TSS.

dw 8 dup (0)

Define template for the task definition list.

task_entry struct ; Define layout of task description
TSS_sel dw ? ; Selector for TSS
TSS_alias dw ? ; Data segment alias for TSS
LDT_alias dw ? ; Data segment alias for LDT if any
task_entry ends

task_list task_entry: <start_task,start_TSS_alias,start_LDT_alias>
dw 0 ; Terminate list

reset_startup:
cli ; No interrupts allowed!
cld ; Use autoincrement mode
xor dl,dl ; Point ES:DI at physical address 000000H
mov ds,dl
mov es,dl
mov ss,dl
mov sp,end_gdt-init_gdt
IAPX 286 SYSTEM INITIALIZATION

; Define layout of a descriptor.
; desc struct
;    limit   dw 0 ; Offset of last byte in segment
;    base_low dw 0 ; Low 16 bits of 24-bit address
;    base_high db 0 ; High 8 bits of 24-bit address
;    access  db 0 ; Access rights byte
;    res     dw 0 ; Reserved word
; desc ends

; Define the fixed GDT selector values for the descriptors that define the EPROM-based tables. BLD286 must be instructed to place the appropriate descriptors into the GDT.
; gdt_alias equ 1*size desc ; GDT(1) is data segment in RAM for GDT
; idt_alias equ 2*size desc ; GDT(2) is data segment in RAM for IDT
; start_TSS_alias equ 3*size desc ; GDT(3) is data segment in RAM for TSS
; start_task equ 4*size desc ; GDT(4) is TSS for starting task
; start_LDT_alias equ 5*size desc ; GDT(5) is data segment in RAM for LDT

; Define machine status word bit positions.
; PE equ 1 ; Protection enable
; MP equ 2 ; Monitor processor extension
; EM equ 4 ; Emulate processor extension

; Define particular values of descriptor access rights byte.
; DT_ACCESS equ 82H ; Access byte value for an LDT
; DS_ACCESS equ 92H ; Access byte value for data segment
; which is grow up, at level 0, writeable
; TSS_ACCESS equ 81H ; Access byte value for an idle TSS
; DPL equ 60H ; Privilege level field of access rights
; ACCESSED equ 1 ; Define accessed bit
; TI equ 4 ; Position of TI bit
; TSS_SIZE equ 44 ; Size of a TSS
; LDT_OFFSET equ 42 ; Position of LDT in TSS
; TIRPL_MASK equ size desc-1 ; TI and RPL field mask

; Pass control from the power-up address to the mode switch code.
; The segment containing this code must be at physical address FFFE10H
to place the JMP instruction at physical address FFFFF0H. The base
address is chosen according to the size of this segment.

; init_code segment

cs_offset equ 0FE10H ; Low 16 bits of starting address
org 0FFF0H-cs_offset ; Start at address FFFFF0H
jmp reset_startup ; Do not change CS!
Copy the TSS and LDT for the task pointed at by CS:BX.
If the task has an LDT it will also be copied down.
BX and BP are transparent.

bad_tss:
   .endp

   If the task has an LDT it will also be copied down.

   BX and BP are transparent.

bad_tss:    proc
   .halt ; Halt here if TSS is invalid
   copy_tasks

   mov   si,gdt_alias
   mov   ds,si
   mov   si,cs:[bx].tss_alias
   mov   es,si
   lsl   ax,si
   mov   si,cs:[bx].tss_sel
   ldr   dx,si
   jnz   bad_tss
   mov   dl,dh
   and   dh,not DPL
   cmp   dh,TSS_ACCESS
   jnz   bad_tss
   lsl   cx,si
   cmp   cx,TSS_SIZE-1
   jb    bad_tss

   .setup for moving the EPROM-based TSS to RAM
   .DS points at GDT
   mov   [si].access,DS_ACCESS
   mov   ds,si
   call   copy_with_fill

   mov   ax,gdt_alias
   mov   ds,ax
   mov   es,ax
   mov   di,cs:[bx].tss_sel
   mov   si,cs:[bx].tss_alias
   movsw
   movsw
   lodsw
   mov   ah,dl
   stosw
   movsw

   .set the GDT TSS limit and base address to the RAM values.

   mov   ax,gdt_alias
   mov   ds,ax
   mov   es,ax
   mov   di,cs:[bx].tss_sel
   mov   si,cs:[bx].tss_alias
   movsw
   movsw
   lodsw
   mov   ah,dl
   stosw
   movsw

   .restore GDT addressing

   .get TSS selector
   .get RAM alias selector
   .copy limit
   .copy low 16 bits of address
   .get high 8 bits of address
   .mark as TSS descriptor
   .fill in high address and access bytes
   .copy reserved word
19}d
mov ax,temp_stack-initial_gdt ; Setup SS with valid protected mode
mov ss,ax ; selector to the RAM GDT and stack
xor ax,ax ; Set the current LDT to null
lidt ax ; Any references to it will cause an exception causing shutdown
mov ax,save_tss-initial_gdt ; Set initial TSS into the low RAM
ltrl ax ; The task switch needs a valid TSS

Copy the EPROM-based GDT into the RAM data segment alias.
First the descriptor for the RAM data segment must be copied into
the temporary GDT.

mov ax,gdt_desc(bp).limit ; Get size of GDT
cmp ax,6*size desc-1 ; Be sure the last entry expected by
                jnb bad_gdt ; this code is inside the GDT
mov bx,gdt-desc-initial_gdt ; Form selector to EPROM GDT
mov si,gdt_aliases ; Get selector of GDT alias
call copyEPROM_dt ; Copy into EPROM
mov si,idt_aliases ; Get selector of IDT alias
mov bx,idt-desc-initial_gdt ; Indicate EPROM IDT
call copyEPROM_dt
mov ax,gdt-desc-initial_gdt ; Setup addressing into EPROM GDT
mov ds,ax
mov bx,gdt_aliases ; Get GDT alias data segment selector
lgdt [bx] ; Set GDT to RAM GDT
          ; SS and TR remain in low RAM

Copy all task's TSS and LDT segments into RAM

lea bx,task_list(bp) ; Define list of tasks to setup
call copy_tasks ; Copy them into RAM
add bx,cs:bx.size task_entry ; Go to next entry
mov ax,cs:[bx].tss_sel ; See if there is another entry
or ax,ax
jnz copy_task_loop ;

With TSS, GDT, and LDT set, startup the initial task!

mov bx,gdt_aliases ; Point DS at GDT
mov ds,bx
mov bx,idt_aliases ; Get IDT alias data segment selector
lidt [bx] ; Set IDT for errors and interrupts
jmp start_pointer(bp) ; Start the first task!
          ; The low RAM area is overwritten with
          ; the current CPU context

bad_gdt:
hlt ; Halt here if GDT is not big enough
IAPX 286 SYSTEM INITIALIZATION

; Test the descriptor table size in AX to verify that it is an even number of descriptors in length.
:test_dt_limit  proc
    push  ax
    ; Save length
    and  al,7
    ; Look at low order bits
    cmp  al,7
    ; Must be all ones
    pop  ax
    ; Restore length
    jne  bad_dt_limit
    ret
bad_dt_limit:
    ; All OK
hit:
    ; Die!
:test_dt_limit  endp

; Copy the EPROM DT at selector BX in the temporary GDT to the alias data segment at selector SI. Any improper descriptors or limits will cause shutdown!
:copy_EPROM_dt  proc
    mov  ax,ss
    ; Point ES:DI at temporary descriptor
    mov  es,ax
    mov  es:[bx].access,DS_ACCESS
    ; Mark descriptor as a data segment
    mov  es:[bx].res,0
    ; Clear reserved word
    lodsw
    ; Get limit of EPROM DT
    mov  cx,ax
    ; Save for later
    call  test_dt_limit
    ; Verify it is a proper limit
    mov  ds,[di].gdl_desc-initial_gdt
    ; Address EPROM GDT in DS
    mov  ds,dl
    mov  dl,[di].temp_desc-initial_gdl
    ; Get selector for temporary descriptor
    push  dl
    ; Save offset for later use as selector
    lodsw
    ; Get alias segment size
    call  test_dt_limit
    ; Verify it is an even multiple of descriptors in length
    stosw
    ; Put length into temporary
    movsw
    ; Copy remaining entries into temporary
    movsw
    pop  es
    ; ES now points at the GDT alias area
    mov  ds,bx
    ; DS now points at EPROM DT as data
    movsw
    ; Copy segment to alias with zero fill
    ; CX is copy count, AX-CX is fill count
    ; Fall into copy_with_fill
:copy_EPROM_dt  endp
See if a valid LDT is specified for the startup task
If so then copy the EPROM version into the RAM alias.

mov ds, cs: [bx]. tss_alias ; Address TSS to get LDT
mov si, ds:word ptr LDT_OFFSET
and si, not TIRPL_MASK ; Ignore TI and RPL
jz no_ldt ; Skip this if no LDT used

push si ; Save LDT selector
lar dx, si ; Test descriptor
jnz bad_ldt ; Jump if invalid selector

mov dl, dh ; Save LDT descriptor access byte
and dh, not DPL ; Ignore privilege
cmp dh, DT_ACCESS ; Be sure it is an LDT descriptor
jne bad_ldt ; Jump if invalid

mov es: [si]. access, DS_ACCESS ; Mark LDT as data segment
mov ds, si ; Point DS at EPROM LDT
lsl ax, si ; Get LDT limit
call test_dt_limit ; Verify it is valid
mov cx, ax ; Save for later

Examine the LDT alias segment and, if good, copy to RAM

mov si, cs: [bx]. ldt_alias ; Get LDT alias selector
mov es, si ; Point ES at alias segment
lsl ax, si ; Get length of alias segment
call test_dt_limit ; Verify it is valid
call copy_with_fill ; Copy LDT into RAM alias segment

Set the LDT limit and base address to the RAM copy of the LDT.

mov si, cs: [bx]. ldt_alias ; Restore LDT alias selector
pop dl ; Restore LDT selector
mov ax, gdt_alias ; Restore GDT addressing
mov ds, ax
mov es, ax
movsw
movsw ; Move the RAM LDT limit
movsw ; Move the low 16 bits across
lodsw ; Get the high 8 bits
mov ah, dl ; Mark as LDT descriptor
stosw ; Set high address and access rights
movsw ; Copy reserved word

no_ldt:
ret ; All done
bad_ldt:
hlt ; Halt here if LDT is invalid

copy_tasks endp
Copy the segment at DS to the segment at ES for length CX.
Fill the end with AX-CX zeros. Use word operations for speed but
allow odd byte operations.

```assembly
; Start at beginning of segments
xor si, si
xor di, di
sub ax, cx
add cx, 1
rcr cx, 1
rep movsw
xchg ax, cx
jnc even_copy
movsb or cx, cx
jz exit_copy
stosb
dec cx
even_copy:
shr cx, 1
rep stosw
jnc exit_copy
stosb
exit_copy:
ret
copy_with_fill endp

init_code ends
end
```

IAPX 286 SYSTEM INITIALIZATION
Appendix
The iAPX 286 Instruction Set
APPENDIX B

Contents

 Opcode .................................................. B-1
 Instruction ........................................... B-5
 Clocks .................................................. B-6
 Description ........................................... B-6
 Flags Modified ......................................... B-6
 Flags Undefined ....................................... B-6
 Operation ............................................... B-6
 Protected Mode Exceptions ......................... B-6
 Real Address Mode Exceptions ................... B-7
 Protection Exceptions ................................. B-7
 Error Codes ........................................... B-7
 #DF8 Double Fault (Zero Error Code) ........ B-8
 #GP 13 General Protection
   (Selector or Zero Error Code) ............... B-8
 #MF 16 Math Fault (No Error Code) ....... B-8
 #MP 9 Math Unit Protection Fault
   (No Error Code) ................................ B-9
 #NM 7 No Math Unit Available
   (No Error Code) ................................ B-9
 #NP 11 Not Present
   (Selector Error Code) ......................... B-9
 #SS 12 Stack Fault (Selector or Zero Error Code) ....................... B-10
 #TS 10 Invalid Task State Segment
   (Selector Error Code) ....................... B-10
 #UD 6 Undefined Opcode
   (No Error Code) ................................. B-11
 Privilege Level and Task Switching
 on the iAPX 286 .................................... B-11
 AAA-XOR ............................................ B-14 thru B-111
APPENDIX B
THE iAPX 286 INSTRUCTION SET

This section presents the iAPX 286 instruction set using Intel's ASM286 notation. All possible operand types are shown. Instructions are organized alphabetically according to generic operations. Within each operation, many different instructions are possible depending on the operand. The pages are presented in a standardized format, the elements of which are described in the following paragraphs.

**Opcode**

This column gives the complete object code produced for each form of the instruction. Where possible, the codes are given as hexadecimal bytes, presented in the order in which they will appear in memory. Several shorthand conventions are used for the parts of instructions which specify operands. These conventions are as follows:

/i$n$: ($n$ is a digit from 0 through 7) A ModRM byte, plus a possible immediate and displacement field follow the opcode. See figure B-1 for the encoding of the fields. The digit $n$ is the value of the REG field of the ModRM byte. To obtain the possible hexadecimal values for $/n$, refer to column $n$ of table B-1. Each row gives a possible value for the effective address operand to the instruction. The entry at the end of the row indicates whether the effective address operand is a register or memory; if memory, the entry indicates what kind of indexing and/or displacement is used. Entries with D8 or D16 signify that a one-byte or two-byte displacement quantity immediately follows the ModRM and optional immediate field bytes. The signed displacement is added modulo 65536 to the offset of the instruction FOLLOWING this instruction to obtain the new IP value.

/cb: A one-byte signed displacement in the range of $-128$ to $+127$ follows the opcode. The displacement is sign-extended to 16 bits, and added modulo 65536 to the offset of the instruction FOLLOWING this instruction to obtain the new IP value.

/cw: A two-byte displacement is added modulo 65536 to the offset of the instruction FOLLOWING this instruction to obtain the new IP value.

/cd: A two-word pointer which will be the new CS:IP value. The offset is given first, followed by the selector.

/db: An immediate byte operand to the instruction which follows the opcode and ModRM bytes. The opcode determines if it is a signed value.

dw: An immediate word operand to the instruction which follows the opcode and ModRM bytes. All words are given in the iAPX 286 with the low-order byte first.

/+rb: A register code from 0 through 7 which is added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte. The codes are: AL=0, CL=1, DL=2, BL=3, AH=4, CH=5, DH=6, and BH=7.
THE IAPX 286 INSTRUCTION SET

/instruction Byte Format

<table>
<thead>
<tr>
<th>mod</th>
<th>n</th>
<th>r/m</th>
<th>imm. low(1)</th>
<th>imm. high(1)</th>
<th>disp-low</th>
<th>disp-high</th>
</tr>
</thead>
<tbody>
<tr>
<td>7</td>
<td>6</td>
<td>5</td>
<td>4</td>
<td>3</td>
<td>2</td>
<td>1</td>
</tr>
<tr>
<td>0</td>
<td>7</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0</td>
</tr>
<tr>
<td>0</td>
<td>7</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0</td>
</tr>
<tr>
<td>0</td>
<td>7</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0</td>
</tr>
</tbody>
</table>

"mod" Field Bit Assignments

<table>
<thead>
<tr>
<th>mod</th>
<th>Displacement</th>
</tr>
</thead>
<tbody>
<tr>
<td>00</td>
<td>DISP = 0(2), disp-low and disp-high are absent</td>
</tr>
<tr>
<td>01</td>
<td>DISP = disp-low sign-extended to 16-bits, disp-high is absent</td>
</tr>
<tr>
<td>10</td>
<td>DISP = disp-high: disp-low</td>
</tr>
<tr>
<td>11</td>
<td>r/m is treated as a &quot;reg&quot; field</td>
</tr>
</tbody>
</table>

"r/m" Field Bit Assignments

<table>
<thead>
<tr>
<th>r/m</th>
<th>Operand Address</th>
</tr>
</thead>
<tbody>
<tr>
<td>000</td>
<td>(BX) + (SI) + DISP</td>
</tr>
<tr>
<td>001</td>
<td>(BX) + (DI) + DISP</td>
</tr>
<tr>
<td>010</td>
<td>(BP) + (SI) + DISP</td>
</tr>
<tr>
<td>011</td>
<td>(BP) + (DI) + DISP</td>
</tr>
<tr>
<td>100</td>
<td>(SI) + DISP</td>
</tr>
<tr>
<td>101</td>
<td>(DI) + DISP</td>
</tr>
<tr>
<td>110</td>
<td>(BP) + DISP(2)</td>
</tr>
<tr>
<td>111</td>
<td>(BX) + DISP</td>
</tr>
</tbody>
</table>

DISP follows 2nd byte of instruction (before data if required).

NOTES:
1. Opcode indicates presence and size of immediate value.
2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low.

Figure B-1. /n Instruction Byte Format
### Table B-1. ModRM Values

<table>
<thead>
<tr>
<th>Rb</th>
<th>AL</th>
<th>CL</th>
<th>DL</th>
<th>BL</th>
<th>AH</th>
<th>CH</th>
<th>DH</th>
<th>BH</th>
</tr>
</thead>
<tbody>
<tr>
<td>Rw</td>
<td>AX</td>
<td>CX</td>
<td>DX</td>
<td>BX</td>
<td>SP</td>
<td>BP</td>
<td>SI</td>
<td>DI</td>
</tr>
<tr>
<td>REG</td>
<td>0</td>
<td>1</td>
<td>2</td>
<td>3</td>
<td>4</td>
<td>5</td>
<td>6</td>
<td>7</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>ModRM values:</th>
<th>Effective address:</th>
</tr>
</thead>
<tbody>
<tr>
<td>00 08 10 18 20 28 30 38</td>
<td>[BX + SI]</td>
</tr>
<tr>
<td>01 09 11 19 21 29 31 39</td>
<td>[BX + DI]</td>
</tr>
<tr>
<td>02 0A 12 1A 22 2A 32 3A</td>
<td>[BP + SI]</td>
</tr>
<tr>
<td>03 0B 13 1B 23 2B 33 3B</td>
<td>[BP + DI]</td>
</tr>
<tr>
<td>04 0C 14 1C 24 2C 34 3C</td>
<td>[SI]</td>
</tr>
<tr>
<td>05 0D 15 1D 25 2D 35 3D</td>
<td>[DI]</td>
</tr>
<tr>
<td>06 0E 16 1E 26 2E 36 3E</td>
<td>D16 (simple var)</td>
</tr>
<tr>
<td>07 0F 17 1F 27 2F 37 3F</td>
<td>[BX]</td>
</tr>
<tr>
<td>40 48 50 58 60 68 70 78</td>
<td>[BX + SI] + D8(1)</td>
</tr>
<tr>
<td>41 49 51 59 61 69 71 79</td>
<td>[BX + DI] + D8</td>
</tr>
<tr>
<td>42 4A 52 5A 62 6A 72 7A</td>
<td>[BP + SI] + D8</td>
</tr>
<tr>
<td>43 4B 53 5B 63 6B 73 7B</td>
<td>[BP + DI] + D8</td>
</tr>
<tr>
<td>44 4C 54 5C 64 6C 74 7C</td>
<td>[SI] + D8</td>
</tr>
<tr>
<td>45 4D 55 5D 65 6D 75 7D</td>
<td>[DI] + D8</td>
</tr>
<tr>
<td>46 4E 56 5E 66 6E 76 7E</td>
<td>[BP] + D8(2)</td>
</tr>
<tr>
<td>47 4F 57 5F 67 6F 77 7F</td>
<td>[BX] + D8</td>
</tr>
<tr>
<td>80 88 90 98 A0 A8 B0 B8</td>
<td>[BX + SI] + D16(3)</td>
</tr>
<tr>
<td>81 89 91 99 A1 A9 B1 B9</td>
<td>[BX + DI] + D16</td>
</tr>
<tr>
<td>82 8A 92 9A A2 AA B2 BA</td>
<td>[BP + SI] + D16</td>
</tr>
<tr>
<td>83 8B 93 9B A3 AB B3 BB</td>
<td>[BP + DI] + D16</td>
</tr>
<tr>
<td>84 8C 94 9C A4 AC B4 BC</td>
<td>[SI] + D16</td>
</tr>
<tr>
<td>85 8D 95 9D A5 AD B5 BD</td>
<td>[DI] + D16</td>
</tr>
<tr>
<td>86 8E 96 9E A6 AE B6 BE</td>
<td>[BP] + D16(2)</td>
</tr>
<tr>
<td>87 8F 97 9F A7 AF B7 BF</td>
<td>[BX] + D16</td>
</tr>
<tr>
<td>C0 C8 D0 D8 E0 E8 F0 F8</td>
<td>Ew=AX Eb=AL</td>
</tr>
<tr>
<td>C1 C9 D1 D9 E1 E9 F1 F9</td>
<td>EW=CX Eb=CL</td>
</tr>
<tr>
<td>C2 CA D2 DA E2 EA F2 FA</td>
<td>Ew=DX Eb=DL</td>
</tr>
<tr>
<td>C3 CB D3 DB E3 EB F3 FB</td>
<td>Ew=BX Eb=BL</td>
</tr>
<tr>
<td>C4 CC D4 DC E4 EC F4 FC</td>
<td>Ew=SP Eb=AH</td>
</tr>
<tr>
<td>C5 CD D5 DD E5 ED F5 FD</td>
<td>Ew=BP Eb=CH</td>
</tr>
<tr>
<td>C6 CE D6 DE E6 EE F6 FE</td>
<td>Ew=SI Eb=DH</td>
</tr>
<tr>
<td>C7 CF D7 DF E7 EF F7 FF</td>
<td>Ew=DI Eb=BH</td>
</tr>
</tbody>
</table>

### NOTES:

1. **D8** denotes an 8-bit displacement following the ModRM byte that is sign-extended and added to the index.

2. Default segment register is **SS** for effective addresses containing a BP index; **DS** is for other memory effective addresses.

3. **D16** denotes the 16-bit displacement following the ModRM byte that is added to the index.
THE iAPX 286 INSTRUCTION SET

/r Instruction Byte Format

<table>
<thead>
<tr>
<th>mod</th>
<th>r</th>
<th>r/m</th>
<th>imm. low(1)</th>
<th>imm. high(1)</th>
<th>disp-low</th>
<th>disp-high</th>
</tr>
</thead>
<tbody>
<tr>
<td>7</td>
<td>6</td>
<td>5</td>
<td>4</td>
<td>3</td>
<td>2</td>
<td>1</td>
</tr>
</tbody>
</table>

"mod" Field Bit Assignments

<table>
<thead>
<tr>
<th>mod</th>
<th>Displacement</th>
</tr>
</thead>
<tbody>
<tr>
<td>00</td>
<td>DISP = 0(2), disp-low and disp-high are absent</td>
</tr>
<tr>
<td>01</td>
<td>DISP = disp-low sign-extended to 16-bits, disp-high is absent</td>
</tr>
<tr>
<td>10</td>
<td>DISP = disp-high; disp-low</td>
</tr>
<tr>
<td>11</td>
<td>r/m is treated as a &quot;reg&quot; field</td>
</tr>
</tbody>
</table>

"r" Field Bit Assignments

<table>
<thead>
<tr>
<th>16-Bit (w = 1)</th>
<th>8-Bit (w = 0)</th>
<th>Segment</th>
</tr>
</thead>
<tbody>
<tr>
<td>000 AX</td>
<td>000 AL</td>
<td>00 ES</td>
</tr>
<tr>
<td>001 CX</td>
<td>001 CL</td>
<td>01 CS</td>
</tr>
<tr>
<td>010 DX</td>
<td>010 DL</td>
<td>10 SS</td>
</tr>
<tr>
<td>011 BX</td>
<td>011 BL</td>
<td>11 DS</td>
</tr>
<tr>
<td>100 SP</td>
<td>100 AH</td>
<td></td>
</tr>
<tr>
<td>101 BP</td>
<td>101 CH</td>
<td></td>
</tr>
<tr>
<td>110 SI</td>
<td>110 DH</td>
<td></td>
</tr>
<tr>
<td>111 DI</td>
<td>111 BH</td>
<td></td>
</tr>
</tbody>
</table>

"r/m" Field Bit Assignments

<table>
<thead>
<tr>
<th>r/m</th>
<th>Operand Address</th>
</tr>
</thead>
<tbody>
<tr>
<td>000</td>
<td>(BX) + (SI) + DISP</td>
</tr>
<tr>
<td>001</td>
<td>(BX) + (DI) + DISP</td>
</tr>
<tr>
<td>010</td>
<td>(BP) + (SI) + DISP</td>
</tr>
<tr>
<td>011</td>
<td>(BP) + (DI) + DISP</td>
</tr>
<tr>
<td>100</td>
<td>(SI) + DISP</td>
</tr>
<tr>
<td>101</td>
<td>(DI) + DISP</td>
</tr>
<tr>
<td>110</td>
<td>(BP) + DISP(2)</td>
</tr>
<tr>
<td>111</td>
<td>(BX) + DISP</td>
</tr>
</tbody>
</table>

DISP follows 2nd byte of instruction (before data if required).

NOTES:
1. Opcode indicates presence and size of immediate field.
2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low.

Figure B-2. /r Instruction Byte Format
THE IAPX 286 INSTRUCTION SET

+rw: A register code from 0 through 7 which is added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte. The codes are: AX=0, CX=1, DX=2, BX=3, SP=4, BP=5, SI=6, and DI=7.

Instruction

This column gives the instruction mnemonic and possible operands. The type of operand used will determine the opcode and operand encodings. The following entries list the type of operand which can be encoded in the format shown in the instruction column. The Intel convention is to place the destination operand as the left hand operand. Source-only operands follow the destination operand.

In many cases, the same instruction can be encoded several ways. It is recommended that you use the shortest encoding. The short encodings are provided to save memory space.

cb: a destination instruction offset in the range of 128 bytes before the end of this instruction to 127 bytes after the end of this instruction.

cw: a destination offset within the same code segment as this instruction. Some instructions allow a short form of destination offset. See cb type for more information.

cd: a destination address, typically in a different code segment from this instruction. Using the cd: address form with call instructions saves the code segment selector.

db: a signed value between −128 and +127 inclusive which is an operand of the instruction. For instructions in which the db is to be combined in some way with a word operand, the immediate value is sign-extended to form a word. The upper byte of the word is filled with the topmost bit of the immediate value.

dw: an immediate word value which is an operand of the instruction.

eb: a byte-sized operand. This is either a byte register or a (possibly indexed) byte memory variable. Either operand location may be encoded in the ModRM field. Any memory addressing mode may be used.

ew: a word-sized operand. This is either a word register or a (possibly indexed) word memory variable. Either operand location may be encoded in the ModRM field. Any memory addressing mode may be used.

m: a memory location. Operands in registers do not have a memory address. Any memory addressing mode may be used.

mb: a memory-based byte-sized operand. Any memory addressing mode may be used.

mw: a memory-based word operand. Any memory addressing mode may be used.

md: a memory-based pointer operand. Any memory addressing mode may be used.

rb: one of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH.

rw: one of the word registers AX, CX, DX, BX, SP, BP, SI, or DI.

xb: a simple byte memory variable without a base or index register. MOV instructions between AL and memory have this optimized form if no indexing is required.

xw: a simple word memory variable without a base or index register. MOV instructions between AX and memory have this optimized form if no indexing is required.
**Clocks**

This column gives the number of clock cycles that this form of the instruction takes to execute. The amount of time for each clock cycle is computed by dividing one microsecond by the number of MHz at which the 80286 is running. For example, a 10-MHz 80286 (with the CLK pin connected to a 20-MHz crystal) takes 100 nanoseconds for each clock cycle.

The clock counts establish the maximum execution rate of the 80286. With no delays in bus cycles, the actual clock count of an 80286 program will average 5-10% more than the calculated clock count due to instruction sequences that execute faster than they can be fetched from memory.

Some instruction forms give two clock counts, one unlabelled and one labelled. These counts indicate that the instruction has two different clock times for two different circumstances. Following are the circumstances for each possible label:

- **mem**: The instruction has an operand that can either be a register or a memory variable. The unlabelled time is for the register; the mem time is for the memory variable. Also, one additional clock cycle is taken for indexed memory variables for which all three possible indices (base register, index register, and displacement) must be added.

- **noj**: The instruction involves a conditional jump or interrupt. The unlabelled time holds when the jump is made; the noj time holds when the jump is not made.

- **pm**: The instruction takes more time to execute when the 80286 is in Protected Mode. The unlabelled time is for Real Address Mode; the pm time is for Protected Mode.

**Description**

This is a concise description of the operation performed for this form of the instruction. More details are given in the “Operation” section that appears later in this chapter.

**Flags Modified**

This is a list of the flags that are set to a meaningful value by the instruction. If a flag is always set to the same value by the instruction, the value is given (“=0” or “=1”) after the flag name.

**Flags Undefined**

This is a list of the flags that have an undefined (meaningless) setting after the instruction is executed.

All flags not mentioned under “Flags Modified” or “Flags Undefined” are unchanged by the instruction.

**Operation**

This section fully describes the operation performed by the instruction. For some of the more complicated instructions, suggested usage is also indicated.

**Protected Mode Exceptions**

The possible exceptions involved with this instruction when running under the iAPX 286 Protected Mode are listed below. These exceptions are abbreviated with a pound sign (#) followed by two capital letters and an optional error code in parenthesis. For example, #GP(0) denotes the general protection exception with an error code of zero. The next section describes all of the iAPX 286 exceptions and the machine state upon entry to the exception.

If you are an applications programmer, consult the documentation provided with your operating system to determine what actions are taken by the system when exceptions occur.
Real Address Mode Exceptions

Since less error checking is performed by the iAPX 286 when it is in Real Address Mode, there are fewer exceptions in this mode. One exception that is possible in many instructions is #GP(0). Exception 13 is generated whenever a word operand is accessed from effective address 0FFFFH in a segment. This happens because the second byte of the word is considered located at location 10000H, not at location 0, and thus exceeds the segment’s addressability limit.

Protection Exceptions

In parallel with the execution of instructions, the protected-mode iAPX 286 checks all memory references for validity of addressing and type of access. Violation of the memory protection rules built into the processor will cause a transfer of program control to one of the interrupt procedures described in this section. The interrupts have dedicated positions within the Interrupt Descriptor Table, which is shown in table B-2. The interrupts are referenced within the instruction set pages by a pound sign (#) followed by a two-letter mnemonic and the optional error code in parenthesis.

Error Codes

Some exceptions cause the iAPX 286 to pass a 16-bit error code to the interrupt procedure. When this happens, the error code is the last item pushed onto the stack before control is transferred to the interrupt procedure. If stacks were switched as a result of the interrupt, the error code appears on the interrupt procedure’s stack, not on the stack of the task that was interrupted.

The error code generally contains the selector of the segment that caused the protection violation. The RPL field (bottom two bits) of the error code does not, however, contain the privilege level. Instead, it contains the following information:

- Bit 0 contains the value 1 if the exception was detected during an interrupt caused by an event external to the program (i.e., an external interrupt, a single step, a processor extension not-present exception, or a processor extension segment overrun). Bit 0 is 0 if the exception was detected while processing the regular instruction stream, even if the instruction stream is part of an external interrupt handling procedure or task. If bit 0 is set, the instruction pointed to by the saved CS:IP address is not responsible for the error.
- Bit 1 is 1 if the selector points to the Interrupt Descriptor Table. In this case, bit 2 can be ignored, and bits 3-15 contain the index into the IDT.

<table>
<thead>
<tr>
<th>Abbreviation</th>
<th>Interrupt Number</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>#UD</td>
<td>6</td>
<td>Undefined Opcode</td>
</tr>
<tr>
<td>#NM</td>
<td>7</td>
<td>No Math Unit Available</td>
</tr>
<tr>
<td>#DF</td>
<td>8</td>
<td>Double Fault</td>
</tr>
<tr>
<td>#MP</td>
<td>9</td>
<td>Math Unit Protection Fault</td>
</tr>
<tr>
<td>#TS</td>
<td>10</td>
<td>Invalid Task State Segment</td>
</tr>
<tr>
<td>#NP</td>
<td>11</td>
<td>Not Present</td>
</tr>
<tr>
<td>#SS</td>
<td>12</td>
<td>Stack Fault</td>
</tr>
<tr>
<td>#GP</td>
<td>13</td>
<td>General Protection</td>
</tr>
<tr>
<td>#MF</td>
<td>16</td>
<td>Math Fault</td>
</tr>
</tbody>
</table>

Table B-2. Protection Exceptions of the iAPX 286
THE IAPX 286 INSTRUCTION SET

• Bit 1 is 0 if the selector points to the Global or Local Descriptor Tables. In this case, bits 2-15 have their usual selector interpretation: bit 2 selects the table (1 = Local, 0 = Global), and bits 3-15 are the index into the table.

In some cases the iAPX 286 chooses to pass an error code with no information in it. In these cases, all 16 bits of the error code are zero.

The existence and type of error codes are described under each of the following individual exceptions.

#DF 8 Double Fault (Zero Error Code)
This exception is generated when a second exception is detected while the processor is attempting to transfer control to the handler for an exception. For instance, it is generated if the code segment containing the exception handler is marked not present. It is also generated if invoking the exception handler causes a stack overflow.

This exception is not generated during the execution of an exception handler. Faults detected within the instruction stream are handled by regular exceptions.

The error code is normally zero. The saved CS:IP will point at the instruction that was attempting to execute when the double fault occurred. Since the error code is normally zero, no information on the source of the exception is available. Restart is not possible.

#GP 13 General Protection (Selector or Zero Error Code)
This exception is generated for all protection violations not covered by the other exceptions in this section. Examples of this include:

1. An attempt to address a memory location by using an offset that exceeds the limit for the segment involved.
2. An attempt to jump to a data segment.
3. An attempt to load SS with a selector for a read-only segment.
4. An attempt to write to a read-only segment.

If #GP occurred while loading a descriptor, the error code passed contains the selector involved. Otherwise, the error code is zero.

If the error code is not zero, the instruction can be restarted if the erroneous condition is rectified. If the error code is zero either a limit violation, a write protect violation, or an illegal use of invalid segment register occurred. An invalid segment register contains the values 0-3. Generally, a limit fault on MOVs, CMPS, INS, OUTS, or STOS is not restartable. A write protect fault on ADC, SBB, RCL, RCR, or XCHG also is not restartable.

#MF 16 Math Fault (No Error Code)
This exception is generated when the numeric processor extension (the 80287) detects an error signalled by the ERROR input pin leading from the 80287 to the 80286. The ERROR pin is tested at the beginning of most floating point instructions, and when a WAIT instruction is executed with the EM bit of the Machine Status Word set to 0 (i.e., no emulation of the math unit). The floating point instructions that do not cause the ERROR pin to be tested are FNCLEX, FNINIT, FSETPM, FNSTCW, FSTCW, FNSTSW, FSTSW, FNSAVE, FSAVE, FNSTENV, and FSTENV.

If the handler corrects the error condition causing the exception, the floating point instruction that caused #MF can be restarted. This is not accomplished by IRET, however, since the fault occurs at the floating point instruction that follows the offending instruction. Before restarting the numeric instruc-
tion, the handler must obtain from the 80287 the address of the offending instruction and the address of the optional numeric operand.

**#MP 9 Math Unit Protection Fault**  
(No Error Code)

This exception is generated if the numeric operand is larger than one word and has the second or subsequent words outside the segment's limit. Not all math addressing errors cause exception 9. If the effective address of an ESCAPE instruction is not in the segment's limit, or if a write is attempted on a read-only segment, exception 13 will occur. The #MP exception occurs during the execution of the numeric instruction by the 80287. Thus, the 80286 may be in an unrelated instruction stream at the time.

The offending floating point instruction cannot be restarted; the task which attempted to execute the offending numeric instruction must be aborted. However, if the exception interrupted another task, it may be restarted. The exception handler must execute FNINIT before executing any ESCAPE or WAIT instruction.

**#NM 7 No Math Unit Available**  
(No Error Code)

This exception occurs when any floating point instruction is executed while the EM bit or the TS bit of the Machine Status Word is 1. It also occurs when a WAIT instruction is encountered and both the MP and TS bits of the Machine Status Word are 1.

Depending on the setting of the MSW bits that caused this exception, the exception handler could provide emulation of the 80287, or it could perform a context switch of the math processor to prepare it for use by another task.

The instruction causing #NM can be restarted if the handler performs a numeric context switch. If the handler provided emulation of the math unit, it should advance the return pointer beyond the floating point instruction that caused NM.

**#NP 11 Not Present**  
(Selector Error Code)

This exception occurs when CS, DS, ES, or the Task Register is loaded with a descriptor that is marked not present but is otherwise valid. It can occur in an LLDT instruction, but the #NP exception will not occur if the processor attempts to load the LDT register during a task switch. A not-present LDT encountered during a task switch causes the #TS exception.

The error code passed is the selector of the descriptor that is marked not present.

Typically, the Not Present exception handler is used to implement a virtual memory system. The operating system can swap inactive memory segments to a mass-storage device such as a disk. Applications programs need not be told about this; the next time they attempt to access the swapped-out memory segment, the Not Present handler will be invoked, the segment will be brought back into memory, and the offending instruction within the applications program will be restarted.

If #NP is detected on loading CS, DS, or ES in a task switch, the exception occurs in the new task, and the IRET from the exception handler jumps directly to the next instruction in the new task.

The Not Present exception handler must contain special code to complete the loading of segment registers when #NP is detected in loading the CS or DS registers in a task switch and a trap or interrupt gate was used. The DS and ES registers have been loaded but their descriptors have not been loaded. Any memory reference using the segment register may cause exception 13. The #NP
exception handler should execute code such as the following to ensure full loading of the segment registers:

MOV AX,DS
MOV DS,AX
MOV AX,ES
MOV ES,AX

#SS 12 Stack Fault (Selector or Zero Error Code)

This exception is generated when a limit violation is detected in addressing through the SS register. It can occur on stack-oriented instructions such as PUSH or POP, as well as other types of memory references using SS such as MOV AX,[BP+28]. It also can occur on an ENTER instruction when there is not enough space on the stack for the indicated local variable space, even if the stack exception is not triggered by pushing BP or copying the display stack. A stack exception can therefore indicate a stack overflow, a stack underflow or a wild offset. The error code will be zero.

#SS is also generated on an attempt to load SS with a descriptor that is marked not present but is otherwise valid. This can occur in a task switch, an inter-level call, an inter-level return, a move to the SS instruction or a pop to the SS instruction. The error code will be non-zero.

#SS is never generated when addressing through the DS or ES registers even if the offending register points to the same segment as the SS register.

The #SS exception handler must contain special code to complete the loading of segment registers. The DS and ES registers will not be fully loaded if a not-present condition is detected while loading the SS register. Therefore, the #SS exception handler should execute code such as the following to insure full loading of the segment registers:

MOV AX,DS
MOV DS,AX
MOV AX,ES
MOV ES,AX

Generally, the instruction causing #SS can be restarted, but there is one special case when it cannot: when a PUSHA or POPA instruction attempts to wrap around the 64K boundary of a stack segment. This condition is identified by the value of the saved SP, which can be either 0000H, 0001H, 0FFFEH, or 0FFFFH.

#TS 10 Invalid Task State Segment (Selector Error Code)

This exception is generated when a task state segment is invalid, that is, when a task state segment is too small; when the LDT indicated in a TSS is invalid or not present; when the SS, CS, DS, or ES indicated in a TSS are invalid (task switch); when a TSS indicated an invalid privileged stack (inter-level call); or when the back link in a TSS is invalid (inter-task IRET).

#TS is not generated when the SS, CS, DS, or ES back link or privileged stack selectors point to a descriptor that is not present but otherwise is valid. #NP is generated in these cases.

The error code passed to the exception handler contains the selector of the offending segment, which can either be the Task State Segment itself, or a selector found within the Task State Segment.

The instruction causing #TS can be restarted. #TS must be handled through a task gate.
THE IAPX 286 INSTRUCTION SET

#UD 6 Undefined Opcode (No Error Code)
This exception is generated when an invalid operation code is detected in the instruction stream. Following are the cases in which #UD can occur:

1. The first byte of an instruction is completely invalid (e.g., 64H).
2. The first byte indicates a 2-byte opcode and the second byte is invalid (e.g., 0FH followed by 0FFH).
3. An invalid register is used with an otherwise valid opcode (e.g., MOV CS,AX).
4. An invalid opcode extension is given in the REG field of the ModRM byte (e.g., 0F6H /1).
5. A register operand is given in an instruction that requires a memory operand (e.g., LGDT AX).

Since the offending opcode will always be invalid, it cannot be restarted. However, the #UD handler might be coded to implement an extension of the iAPX 286 instruction set. In that case, the handler could advance the return pointer beyond the extended instruction and return control to the program after the extended instruction is emulated. *Any such extensions may be incompatible with iAPX 386.*

Privilege Level and Task Switching on the IAPX 286
The iAPX 286 supports many of the functions necessary to implement a protected, multitasking operating system in hardware. This support is provided not by additional instructions, but by extension of the semantics of iAPX 86/88 instructions that change the value of CS:IP.

Whenever the iAPX 286 performs an inter-segment jump, call, interrupt, or return, it consults the Access Rights (AR) byte found in the descriptor table entry of the selector associated with the new CS value. The AR byte determines whether the long jump being made is through a gate, or is a task switch, or is a simple long jump to the same privilege level. Table B-3 lists the possible values of the AR byte. The “privilege” headings at the top of the table give the Descriptor Privilege Level, which is referred to as the DPL within the instruction descriptions.

Each of the CALL, INT, IRET, JMP, and RET instructions contains on its instruction set pages a listing of the access rights checking and actions taken to implement the instruction. Instructions involving task switches contain the symbol SWITCH_TASKS, which is an abbreviation for the following list of checks and actions:

**SWITCH_TASKS:**
Locked set AR byte of new TSS descriptor to Busy TSS (Bit 1 = 1)
Current TSS cache must be valid with limit ≥ 43 else #TS (error code will be new TSS, but back link points at old TSS)
New TSS limit ≥ 43 else #TS (new TSS)
Save machine state in current TSS
If nesting tasks, set the new TSS link to the current TSS selector
Any exception will be in new context Else set the AR byte of current TSS descriptor to Available TSS (Bit 1 = 0)
Set the current TR to selector, base, and limit of new TSS
Set all machine registers to values from new TSS without loading descriptors for DS, ES, CS, SS, LDT
Clear valid flags for LDT, SS, CS, DS, ES (not valid yet)
Set the Task Switched flag to 1
If nesting tasks, set the Nested Task flag to 1
LDT from the new TSS must be within GDT table limits else #TS(LDT)
AR byte from LDT descriptor must specify LDT segment else #TS(LDT)
AR byte from LDT descriptor must indicate PRESENT else #TS(LDT)
Load LDT cache with new LDT descriptor and set valid bit
Set CPL to the RPL of the CS selector in the new TSS
If new stack selector is null #TS(SS)
SS selector must be within its descriptor table limits else #TS(SS)
SS selector RPL must be equal to CPL else #TS(SS)
DPL of SS descriptor must equal CPL else #TS(SS)
SS descriptor AR byte must indicate writable data segment else #TS(SS)
SS descriptor AR byte must indicate PRESENT else #SS(SS)
Load SS cache with new stack segment and set valid bit
New CS selector must not be null else #TS(CS)
CS selector must be within its descriptor table limits else #TS(CS)
CS descriptor AR byte must indicate code segment else #TS(CS)
If non-conforming then DPL must equal CPL else #TS(CS)
If conforming then DPL must be $\leq$ CPL else #TS(CS)
CS descriptor AR byte must indicate PRESENT else #NP(CS)
Load CS cache with new code segment descriptor and set valid bit
For DS and ES:
If new selector is not null then perform following checks:
   Index must be within its descriptor table limits else #TS(segment selector)
   AR byte must indicate data or readable code else #TS(segment selector)
If data or non-conforming code then:
   DPL must be $\geq$ CPL else #TS(segment selector)
   DPL must be $\geq$ RPL else #TS(segment selector)
   AR byte must indicate PRESENT else #NP(segment selector)
Load cache with new segment descriptor and set valid bit
Table B-3. Hexadecimal Values for the Access Rights Byte

<table>
<thead>
<tr>
<th>Not present, privilege</th>
<th>Present, privilege</th>
<th>Descriptor Type</th>
</tr>
</thead>
<tbody>
<tr>
<td>00 20 40 60</td>
<td>00 A0 C0 E0</td>
<td>Illegal</td>
</tr>
<tr>
<td>01 21 41 61</td>
<td>01 A1 C1 E1</td>
<td>Available Task State Segment</td>
</tr>
<tr>
<td>02 22 42 62</td>
<td>02 A2 C2 E2</td>
<td>Local Descriptor Table Segment</td>
</tr>
<tr>
<td>03 23 43 63</td>
<td>03 A3 C3 E3</td>
<td>Busy Task State Segment</td>
</tr>
<tr>
<td>04 24 44 64</td>
<td>04 A4 C4 E4</td>
<td>Call Gate</td>
</tr>
<tr>
<td>05 25 45 65</td>
<td>05 A5 C5 E5</td>
<td>Task Gate</td>
</tr>
<tr>
<td>06 26 46 66</td>
<td>06 A6 C6 E6</td>
<td>Interrupt Gate</td>
</tr>
<tr>
<td>07 27 47 67</td>
<td>07 A7 C7 E7</td>
<td>Trap Gate</td>
</tr>
<tr>
<td>08 28 48 68</td>
<td>08 A8 C8 E8</td>
<td>Illegal</td>
</tr>
<tr>
<td>09 29 49 69</td>
<td>09 A9 C9 E9</td>
<td>Illegal</td>
</tr>
<tr>
<td>0A 2A 4A 6A</td>
<td>0A AA CA EA</td>
<td>Illegal</td>
</tr>
<tr>
<td>0B 2B 4B 6B</td>
<td>0B AB CB EB</td>
<td>Illegal</td>
</tr>
<tr>
<td>0C 2C 4C 6C</td>
<td>0C AC CC EC</td>
<td>Illegal</td>
</tr>
<tr>
<td>0D 2D 4D 6D</td>
<td>0D AD CD ED</td>
<td>Illegal</td>
</tr>
<tr>
<td>0E 2E 4E 6E</td>
<td>0E AE CE EE</td>
<td>Illegal</td>
</tr>
<tr>
<td>0F 2F 4F 6F</td>
<td>0F AF CF EF</td>
<td>Illegal</td>
</tr>
<tr>
<td>10 30 50 70</td>
<td>10 B0 D0 F0</td>
<td>Expand-up, read only, ignored Data Segment</td>
</tr>
<tr>
<td>11 31 51 71</td>
<td>11 B1 D1 F1</td>
<td>Expand-up, read only, accessed Data Segment</td>
</tr>
<tr>
<td>12 32 52 72</td>
<td>12 B2 D2 F2</td>
<td>Expand-up, writable, ignored Data Segment</td>
</tr>
<tr>
<td>13 33 53 73</td>
<td>13 B3 D3 F3</td>
<td>Expand-up, writable, accessed Data Segment</td>
</tr>
<tr>
<td>14 34 54 74</td>
<td>14 B4 D4 F4</td>
<td>Expand-down, read only, ignored Data Segment</td>
</tr>
<tr>
<td>15 35 55 75</td>
<td>15 B5 D5 F5</td>
<td>Expand-down, read only, accessed Data Segment</td>
</tr>
<tr>
<td>16 36 56 76</td>
<td>16 B6 D6 F6</td>
<td>Expand-down, writable, ignored Data Segment</td>
</tr>
<tr>
<td>17 37 57 77</td>
<td>17 B7 D7 F7</td>
<td>Expand-down, writable, accessed Data Segment</td>
</tr>
<tr>
<td>18 38 58 78</td>
<td>18 B8 D8 F8</td>
<td>Non-conform, no read, ignored Code Segment</td>
</tr>
<tr>
<td>19 39 59 79</td>
<td>19 B9 D9 F9</td>
<td>Non-conform, no read, accessed Code Segment</td>
</tr>
<tr>
<td>1A 3A 5A 7A</td>
<td>1A BA DA FA</td>
<td>Non-conform, readable, ignored Code Segment</td>
</tr>
<tr>
<td>1B 3B 5B 7B</td>
<td>1B BB DB FB</td>
<td>Non-conform, readable, accessed Code Segment</td>
</tr>
<tr>
<td>1C 3C 5C 7C</td>
<td>1C BC DC FC</td>
<td>Conforming, no read, ignored Code Segment</td>
</tr>
<tr>
<td>1D 3D 5D 7D</td>
<td>1D BD DD FD</td>
<td>Conforming, no read, accessed Code Segment</td>
</tr>
<tr>
<td>1E 3E 5E 7E</td>
<td>1E BE DE FE</td>
<td>Conforming, readable, ignored Code Segment</td>
</tr>
<tr>
<td>1F 3F 5F 7F</td>
<td>1F BF DF FF</td>
<td>Conforming, readable, accessed Code Segment</td>
</tr>
</tbody>
</table>
AAA—ASCII Adjust AL After Addition

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>37</td>
<td>AAA</td>
<td>3</td>
<td>ASCII adjust AL after addition</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Auxiliary carry, carry

**FLAGS UNDEFINED**
Overflow, sign, zero, parity

**OPERATION**
AAA should be executed only after an ADD instruction which leaves a byte result in the AL register. The lower nibbles of the operands to the ADD instruction should be in the range 0 through 9 (BCD digits). In this case, the AAA instruction will adjust AL to contain the correct decimal digit result. If the addition produced a decimal carry, the AH register is incremented, and the carry and auxiliary carry flags are set to 1. If there was no decimal carry, the carry and auxiliary carry flags are set to 0, and AH is unchanged. In any case, AL is left with its top nibble set to 0. To convert AL to an ASCII result, you can follow the AAA instruction with OR AL,30H.

The precise definition of AAA is as follows: if the lower 4 bits of AL are greater than nine, or if the auxiliary carry flag is 1, then increment AL by 6, AH by 1, and set the carry and auxiliary carry flags. Otherwise, reset the carry and auxiliary carry flags. In any case, conclude the AAA operation by setting the upper four bits of AL to zero.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
AAD—ASCII Adjust AX Before Division

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>D5 0A</td>
<td>AAD</td>
<td>14</td>
<td>ASCII adjust AX before division</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Sign, zero, parity

**FLAGS UNDEFINED**
Overflow, auxiliary carry, carry

**OPERATION**
AAD is used to prepare two unpacked BCD digits (least significant in AL, most significant in AH) for a division operation which will yield an unpacked result. This is accomplished by setting AL to AL + (10 × AH), and then setting AH to 0. This leaves AX equal to the binary equivalent of the original unpacked 2-digit number.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
AAM—ASCII Adjust AX After Multiply

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>D4 0A</td>
<td>AAM</td>
<td>16</td>
<td>ASCII adjust AX after multiply</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Sign, zero, parity

FLAGS UNDEFINED
Overflow, auxiliary carry, carry

OPERATION
AAM should be used only after executing a MUL instruction between two unpacked BCD digits, leaving the result in the AX register. Since the result is less than one hundred, it is contained entirely in the AL register. AAM unpacks the AL result by dividing AL by ten, leaving the quotient (most significant digit) in AH, and the remainder (least significant digit) in AL.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
AAS—ASCII Adjust AL After Subtraction

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>3F</td>
<td>AAS</td>
<td>3</td>
<td>ASCII adjust AL after subtraction</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Auxiliary carry, carry

**FLAGS UNDEFINED**
Overflow, sign, zero, parity

**OPERATION**
AAS should be executed only after a subtraction instruction which left the byte result in the AL register. The lower nibbles of the operands to the SUB instruction should have been in the range 0 through 9 (BCD digits). In this case, the AAS instruction will adjust AL to contain the correct decimal digit result. If the subtraction produced a decimal carry, the AH register is decremented, and the carry and auxiliary carry flags are set to 1. If there was no decimal carry, the carry and auxiliary carry flags are set to 0, and AH is unchanged.

In any case, AL is left with its top nibble set to 0. To convert AL to an ASCII result, you can follow the AAS instruction with OR AL,30H.

The precise definition of AAS is as follows: if the lower four bits of AL are greater than 9, or if the auxiliary carry flag is 1, then decrement AL by 6, AH by 1, and set the carry and auxiliary carry flags. Otherwise, reset the carry and auxiliary carry flags. In any case, conclude the AAS operation by setting the upper four bits of AL to zero.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
ADC/ADD—Integer Addition

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>10</td>
<td>ADC eb,rb</td>
<td>2,mem=7</td>
<td>Add with carry byte register into EA byte</td>
</tr>
<tr>
<td>11</td>
<td>ADC ew,rw</td>
<td>2,mem=7</td>
<td>Add with carry word register into EA word</td>
</tr>
<tr>
<td>12</td>
<td>ADC rb,eb</td>
<td>2,mem=7</td>
<td>Add with carry EA byte into byte register</td>
</tr>
<tr>
<td>13</td>
<td>ADC rw,ew</td>
<td>2,mem=7</td>
<td>Add with carry EA word into word register</td>
</tr>
<tr>
<td>14</td>
<td>ADC AL,db</td>
<td>3</td>
<td>Add with carry immediate byte into AL</td>
</tr>
<tr>
<td>15</td>
<td>ADC AX,dw</td>
<td>3</td>
<td>Add with carry immediate word into AX</td>
</tr>
<tr>
<td>80</td>
<td>ADC eb,db</td>
<td>3,mem=7</td>
<td>Add with carry immediate byte into EA byte</td>
</tr>
<tr>
<td>81</td>
<td>ADC ew,dw</td>
<td>3,mem=7</td>
<td>Add with carry immediate word into EA word</td>
</tr>
<tr>
<td>83</td>
<td>ADC ew,db</td>
<td>3,mem=7</td>
<td>Add with carry immediate byte into EA word</td>
</tr>
<tr>
<td>00</td>
<td>ADD eb,rb</td>
<td>2,mem=7</td>
<td>Add byte register into EA byte</td>
</tr>
<tr>
<td>01</td>
<td>ADD ew,rw</td>
<td>2,mem=7</td>
<td>Add word register into EA word</td>
</tr>
<tr>
<td>02</td>
<td>ADD rb,eb</td>
<td>2,mem=7</td>
<td>Add EA byte into byte register</td>
</tr>
<tr>
<td>03</td>
<td>ADD rw,ew</td>
<td>2,mem=7</td>
<td>Add EA word into word register</td>
</tr>
<tr>
<td>04</td>
<td>ADD AL,db</td>
<td>3</td>
<td>Add immediate byte into AL</td>
</tr>
<tr>
<td>05</td>
<td>ADD AX,dw</td>
<td>3</td>
<td>Add immediate word into AX</td>
</tr>
<tr>
<td>80</td>
<td>ADD eb,db</td>
<td>3,mem=7</td>
<td>Add immediate byte into EA byte</td>
</tr>
<tr>
<td>81</td>
<td>ADD ew,dw</td>
<td>3,mem=7</td>
<td>Add immediate word into EA word</td>
</tr>
<tr>
<td>83</td>
<td>ADD ew,db</td>
<td>3,mem=7</td>
<td>Add immediate byte into EA word</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Overflow, sign, zero, auxiliary carry, parity, carry

**FLAGS UNDEFINED**
None

**OPERATION**
ADD and ADC perform an integer addition on the two operands. The ADC instruction also adds in the initial state of the carry flag. The result of the addition goes to the first operand. ADC is usually executed as part of a multi-byte or multi-word addition operation.

When a byte immediate value is added to a word operand, the immediate value is first sign-extended.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
AND — Logical AND

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>20 /r</td>
<td>AND eb,rb</td>
<td>2, mem=7</td>
<td>Logical-AND byte register into EA byte</td>
</tr>
<tr>
<td>21 /r</td>
<td>AND ew,rw</td>
<td>2, mem=7</td>
<td>Logical-AND word register into EA word</td>
</tr>
<tr>
<td>22 /r</td>
<td>AND rb,eb</td>
<td>2, mem=7</td>
<td>Logical-AND EA byte into byte register</td>
</tr>
<tr>
<td>23 /r</td>
<td>AND rw,ew</td>
<td>2, mem=7</td>
<td>Logical-AND EA word into word register</td>
</tr>
<tr>
<td>24 db</td>
<td>AND AL,db</td>
<td>3</td>
<td>Logical-AND immediate byte into AL</td>
</tr>
<tr>
<td>25 dw</td>
<td>AND AX,db</td>
<td>3</td>
<td>Logical-AND immediate word into AX</td>
</tr>
<tr>
<td>80 /4</td>
<td>db AND eb,db</td>
<td>3, mem=7</td>
<td>Logical-AND immediate byte into EA byte</td>
</tr>
<tr>
<td>81 /4</td>
<td>dw AND ew,dw</td>
<td>3, mem=7</td>
<td>Logical-AND immediate word into EA word</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Overflow = 0, sign, zero, parity, carry = 0

FLAGS UNDEFINED
Auxiliary carry

OPERATION
Each bit of the result is a 1 if both corresponding bits of the operands were 1; it is 0 otherwise.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
ARPL—Adjust RPL Field of Selector

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>63 /r</td>
<td>ARPL $e_\text{w},r_\text{w}$</td>
<td>10,mem=11</td>
<td>Adjust RPL of EA word not less than RPL of $r_\text{w}$</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Zero

**FLAGS UNDEFINED**
None

**OPERATION**
The ARPL instruction has two operands. The first operand is a 16-bit memory variable or word register that contains the value of a selector. The second operand is a word register. If the RPL field (bottom two bits) of the first operand is less than the RPL field of the second operand, then the zero flag is set to 1 and the RPL field of the first operand is increased to match the second RPL. Otherwise, the zero flag is set to 0 and no change is made to the first operand.

ARPL appears in operating systems software, not in applications programs. It is used to guarantee that a selector parameter to a subroutine does not request more privilege than the caller was entitled to. The second operand used by ARPL would normally be a register that contains the CS selector value of the caller.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 6. ARPL is not recognized in Real Address mode.
BOUND—Check Array Index Against Bounds

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>62</td>
<td>/r</td>
<td>BOUND</td>
<td>INT 5 if rw not within bounds</td>
</tr>
<tr>
<td>rw,md</td>
<td>noj=13</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
BOUND is used to ensure that a signed array index is within the limits defined by a two-word block of memory. The first operand (a register) must be greater than or equal to the first word in memory, and less than or equal to the second word in memory. If the register is not within the bounds, an INTERRUPT 5 occurs.

The two-word block might typically be found just before the array itself and therefore would be accessible at a constant offset of −4 from the array, simplifying the addressing.

**PROTECTED MODE EXCEPTIONS**
INTERRUPT 5 if the bounds test fails, as described above. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

The second operand must be a memory operand, not a register. If the BOUND instruction is executed with a ModRM byte representing a register second operand, then fault #UD will occur.

**REAL ADDRESS MODE EXCEPTIONS**
INTERRUPT 5 if the bounds test fails, as described above. Interrupt 13 for a second operand at offset 0FFFDH or higher. Interrupt 6 if the second operand is a register, as described in the paragraph above.
## CALL—Call Procedure

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks*</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>E8</td>
<td>CALL cw</td>
<td>7</td>
<td>Call near, offset relative to next instruction</td>
</tr>
<tr>
<td>FF /2</td>
<td>CALL ew</td>
<td>7,mem=11</td>
<td>Call near, offset absolute at EA word</td>
</tr>
<tr>
<td>9A cd</td>
<td>CALL cd</td>
<td>13,pm=26</td>
<td>Call inter-segment, immediate 4-byte address</td>
</tr>
<tr>
<td>9A cd</td>
<td>CALL cd</td>
<td>41</td>
<td>Call gate, same privilege</td>
</tr>
<tr>
<td>9A cd</td>
<td>CALL cd</td>
<td>82</td>
<td>Call gate, more privilege, no parameters</td>
</tr>
<tr>
<td>9A cd</td>
<td>CALL cd</td>
<td>86+4X</td>
<td>Call gate, more privilege, X parameters</td>
</tr>
<tr>
<td>9A cd</td>
<td>CALL cd</td>
<td>177</td>
<td>Call via Task State Segment</td>
</tr>
<tr>
<td>9A cd</td>
<td>CALL cd</td>
<td>182</td>
<td>Call via task gate</td>
</tr>
<tr>
<td>FF /3</td>
<td>CALL ed</td>
<td>16,mem=29</td>
<td>Call inter-segment, address at EA doubleword</td>
</tr>
<tr>
<td>FF /3</td>
<td>CALL ed</td>
<td>44</td>
<td>Call gate, same privilege</td>
</tr>
<tr>
<td>FF /3</td>
<td>CALL ed</td>
<td>83</td>
<td>Call gate, more privilege, no parameters</td>
</tr>
<tr>
<td>FF /3</td>
<td>CALL ed</td>
<td>90+4X</td>
<td>Call gate, more privilege, X parameters</td>
</tr>
<tr>
<td>FF /3</td>
<td>CALL ed</td>
<td>180</td>
<td>Call via Task State Segment</td>
</tr>
<tr>
<td>FF /3</td>
<td>CALL ed</td>
<td>185</td>
<td>Call via task gate</td>
</tr>
</tbody>
</table>

*Add one clock for each byte in the next instruction executed.

### FLAGS MODIFIED

None, except when a task switch occurs

### FLAGS UNDEFINED

None

### OPERATION

The CALL instruction causes the procedure named in the operand to be executed. When the procedure is complete (a return instruction is executed within the procedure), execution continues at the instruction that follows the CALL instruction.

The CALL cw form of the instruction adds modulo 65536 (the 2-byte operand) to the offset of the instruction following the CALL and sets IP to the resulting offset. The 2-byte offset of the instruction that follows the CALL is pushed onto the stack. It will be popped by a near RET instruction within the procedure. The CS register is not changed by this form.

The CALL ew form of the instruction is the same as CALL cw except that the operand specifies a memory location from which the absolute 2-byte offset for the procedure is fetched.

The CALL cd form of the instruction uses the 4-byte operand as a pointer to the procedure called. The CALL ed form fetches the long pointer from the memory location specified. Both long pointer forms consult the AR byte in the descriptor indexed by the selector part of the long pointer. The AR byte can indicate one of the following descriptor types:

1. **Code Segment**—The access rights are checked, the return pointer is pushed onto the stack, and the procedure is jumped to.

2. **Call Gate**—The offset part of the pointer is ignored. Instead, the entire address of the procedure is taken from the call gate descriptor entry. If the routine being entered is more privileged, then a new stack (both SS and SP) is loaded from the task state segment for the new privilege level, and parameters determined by the wordcount field of the call gate are copied from the old stack to the new stack.
3. Task Gate—The current task’s context is saved in its Task State Segment (TSS), and the TSS named in the task-gate is used to load the new context. The selector for the outgoing task (from TR) is stored into the new TSS’s link field, and the new task’s Nested Task flag is set. The outgoing task is left marked busy, the new TSS is marked busy, and execution resumes at the point at which the new task was last suspended.

4. Task State Segment—The current task is suspended and the new task initiated as in 3 above except that there is no intervening gate.

CALL FAR:
If indirect then check access of EA doubleword #GP(0) if limit violation
New CS selector must not be null else #GP(0)
Check that new CS selector index is within its descriptor table limits; else #GP (new CS selector)
Examine AR byte of selected descriptor for various legal values:

CALL CONFORMING CODE SEGMENT:
  DPL must be ≥ CPL else #GP (code segment selector)
  Segment must be PRESENT else #NP (code segment selector)
  Stack must be big enough for return address else #SS(0)
  IP must be in code segment limit else #GP(0)
  Load code segment descriptor into CS cache
  Load CS with new code segment selector
  Set RPL of CS to CPL
  Load IP with new offset

CALL NONCONFORMING CODE SEGMENT:
  RPL must be ≤ CPL else #GP (code segment selector)
  DPL must be = CPL else #GP (code segment selector)
  Segment must be PRESENT else #NP (code segment selector)
  Stack must be big enough for return address else #SS(0)
  IP must be in code segment limit else #GP(0)
  Load code segment descriptor into CS cache
  Load CS with new code segment selector
  Set RPL of CS to CPL
  Load IP with new offset

CALL TO CALL GATE:
  Call gate DPL must be ≥ CPL else #GP (call gate selector)
  Call gate DPL must be ≥ RPL else #GP (call gate selector)
  Call gate must be PRESENT else #NP (call gate selector)
  Examine code segment selector in call gate descriptor:
    Selector must not be null else #GP(0)
    Selector must be within its descriptor table limits else #GP (code segment selector)
    AR byte of selected descriptor must indicate code segment else #GP (code segment selector)
    DPL of selected descriptor must be ≤ CPL else #GP (code segment selector)
    If non-conforming code segment and DPL < CPL then

CALL GATE TO MORE PRIVILEGE:
Get new SS selector for new privilege level from TSS
THE IAPX 286 INSTRUCTION SET

Check selector and descriptor for new SS:
   Selector must not be null else #TS(0)
   Selector index must be within its descriptor table limits else #TS (SS selector)
   Selector's RPL must equal DPL of code segment else #TS (SS selector)
   Stack segment DPL must equal DPL of code segment else #TS (SS selector)
   Descriptor must indicate writable data segment else #TS (SS selector)
   Segment PRESENT else #SS (SS selector)
New stack must have room for parameters plus 8 bytes else #SS(0)
IP must be in code segment limit else #GP(0)
Load new SS:SP value from TSS
Load new CS:IP value from gate
Load CS descriptor
Load SS descriptor
Push long pointer of old stack onto new stack
Get word count from call gate, mask to 5 bits
Copy parameters from old stack onto new stack
Push return address onto new stack
Set CPL to stack segment DPL
Set RPL of CS to CPL

Else
   CALL GATE TO SAME PRIVILEGE:
   Stack must have room for 4-byte return address else #SS(0)
   IP must be in code segment limit else #GP(0)
   Load CS:IP from gate
   Push return address onto stack
   Load code segment descriptor into CS-cache
   Set RPL of CS to CPL

CALL TASK GATE:
   Task gate DPL must be ≥ CPL else #GP (gate selector)
   Task gate DPL must be ≥ RPL else #GP (gate selector)
   Task Gate must be PRESENT else #NP (gate selector)
Examine selector to TSS, given in Task Gate descriptor:
   Must specify global in the local/global bit else #GP (TSS selector)
   Index must be within GDT limits else #GP (TSS selector)
   TSS descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
   Task State Segment must be PRESENT else #NP (TSS selector)
SWITCH_TASKS with nesting to TSS
IP must be in code segment limit else #GP(0)

TASK STATE SEGMENT:
   TSS DPL must be ≥ CPL else #GP (TSS selector)
   TSS DPL must be ≥ RPL else #GP (TSS selector)
   TSS descriptor AR byte must specify available TSS else #GP (TSS selector)
   Task State Segment must be PRESENT else #NP (TSS selector)
SWITCH_TASKS with nesting to TSS
IP must be in code segment limit else #GP(0)

ELSE #GP (code segment selector)

PROTECTED MODE EXCEPTIONS
FAR calls: #GP, #NP, #SS, and #TS, as indicated in the list above.
NEAR direct calls: #GP(0) if procedure location is beyond the code segment limits.
NEAR indirect CALL: #GP(0) for an illegal memory operand effective address in the CS,
   DS, or ES segments; #SS(0) for an illegal address in the SS segment. #GP if the indirect
   offset obtained is beyond the code segment limits.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
# CBW—Convert Byte into Word

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>98</td>
<td>CBW</td>
<td>2</td>
<td>Convert byte into word (AH = top bit of AL)</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
CBW converts the signed byte in AL to a signed word in AX. It does so by extending the top bit of AL into all of the bits of AH.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
CLC—Clear Carry Flag

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F8</td>
<td>CLC</td>
<td>2</td>
<td>Clear carry flag</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED

- Carry = 0

FLAGS UNDEFINED

- None

OPERATION

CLC sets the carry flag to zero. No other flags or registers are affected.

PROTECTED MODE EXCEPTIONS

- None

REAL ADDRESS MODE EXCEPTIONS

- None
CLD—Clear Direction Flag

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>FC</td>
<td>CLD</td>
<td>2</td>
<td>Clear direction flag, SI and DI will increment</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Direction = 0

FLAGS UNDEFINED
None

OPERATION
CLD clears the direction flag. No other flags or registers are affected. After CLD is executed, string operations will increment the index registers (SI and/or DI) that they use.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
CLI—Clear Interrupt Flag

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>FA</td>
<td>CLI</td>
<td>3</td>
<td>Clear interrupt flag; interrupts disabled</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Interrupt = 0

**FLAGS UNDEFINED**
None

**OPERATION**
CLI clears the interrupt enable flag if the current privilege level is at least as privileged as IOPL. No other flags are affected. External interrupts will be ignored after the next instruction if the interrupt enable flag remains cleared.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the current privilege level is bigger (has less privilege) than the IOPL in the flags register. IOPL specifies the least privileged level at which I/O may be performed.

**REAL ADDRESS MODE EXCEPTIONS**
None
CLTS—Clear Task Switched Flag

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 06</td>
<td>CLTS</td>
<td>2</td>
<td>Clear task switched flag</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Task switched = 0

FLAGS UNDEFINED
None

OPERATION
CLTS clears the task switched flag in the Machine Status Word. This flag is set by the iAPX 286 every time a task switch occurs. The TS flag is used to manage processor extensions as follows: every execution of a WAIT or an ESC instruction will be trapped if the MP flag of MSW is set and the task switched flag is set. Thus, if a processor extension is present and a task switch has been made since the last ESC instruction was begun, the processor extension's context must be saved before a new instruction can be issued. The fault routine will save the context and reset the task switched flag or place the task requesting the processor extension into a queue until the current processor extension instruction is completed.

CLTS appears in operating systems software, not in applications programs. It is a privileged instruction that can only be executed at level 0.

PROTECTED MODE EXCEPTIONS
#GP(0) if CLTS is executed with a current privilege level other than 0.

REAL ADDRESS MODE EXCEPTIONS
None (valid in REAL ADDRESS MODE to allow power-up initialization for Protected Mode)
CMC—Complement Carry Flag

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F5</td>
<td>CMC</td>
<td>2</td>
<td>Complement carry flag</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
- Carry

**FLAGS UNDEFINED**
- None

**OPERATION**
CMC reverses the setting of the carry flag. No other flags are affected.
**CMP—Compare Two Operands**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>3C db</td>
<td>CMP AL,db</td>
<td>3</td>
<td>Compare immediate byte from AL</td>
</tr>
<tr>
<td>3D dw</td>
<td>CMP AX,dw</td>
<td>3</td>
<td>Compare immediate word from AX</td>
</tr>
<tr>
<td>80 /7 db</td>
<td>CMP eb,db</td>
<td>3,mem=6</td>
<td>Compare immediate byte from EA byte</td>
</tr>
<tr>
<td>38 /r</td>
<td>CMP eb,rb</td>
<td>2,mem=7</td>
<td>Compare byte register from EA byte</td>
</tr>
<tr>
<td>83 /7 db</td>
<td>CMP ew,db</td>
<td>3,mem=6</td>
<td>Compare immediate byte from EA word</td>
</tr>
<tr>
<td>81 /7 dw</td>
<td>CMP ew,dw</td>
<td>3,mem=6</td>
<td>Compare immediate word from EA word</td>
</tr>
<tr>
<td>39 /r</td>
<td>CMP ew,rw</td>
<td>2,mem=7</td>
<td>Compare word register from EA word</td>
</tr>
<tr>
<td>3A /r</td>
<td>CMP rb,eb</td>
<td>2,mem=6</td>
<td>Compare EA byte from byte register</td>
</tr>
<tr>
<td>3B /r</td>
<td>CMP rw,ew</td>
<td>2,mem=6</td>
<td>Compare EA word from word register</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

Overflow, sign, zero, auxiliary carry, parity, carry

**FLAGS UNDEFINED**

None

**OPERATION**

CMP subtracts the second operand from the first operand, but it does not place the result anywhere. Only the flags are changed by this instruction. CMP is usually followed by a conditional jump instruction. See the "Jcond" instructions in this chapter for the list of signed and unsigned flag tests provided by the iAPX 286.

If a word operand is compared to an immediate byte value, the byte value is first sign-extended.

**PROTECTED MODE EXCEPTIONS**

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
## CMPS/CMPSB/CMPSW—Compare string operands

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>A6</td>
<td>CMPS (mb,mb) 8</td>
<td>Compare bytes ES:[DI] from [SI]</td>
<td></td>
</tr>
<tr>
<td>A6</td>
<td>CMPSB       8</td>
<td>Compare bytes ES:[DI] from DS:[SI]</td>
<td></td>
</tr>
<tr>
<td>A7</td>
<td>CMPSW       8</td>
<td>Compare words ES:[DI] from DS:[SI]</td>
<td></td>
</tr>
</tbody>
</table>

### Flags Modified
Overflow, sign, zero, auxiliary carry, parity, carry

### Flags Undefined
None

### Operation
CMPS compares the byte or word pointed to by SI with the byte or word pointed to by DI by performing the subtraction \([SI] - [DI]\). The result is not placed anywhere; only the flags reflect the result of the subtraction. The types of the operands to CMPS determine whether bytes or words are compared. The segment addressability of the first (SI) operand determines whether a segment override byte will be produced or whether the default segment register DS is used. The second (DI) operand must be addressable from the ES register; no segment override is possible.

After the comparison is made, both SI and DI are automatically advanced. If the direction flag is 0 (CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the registers decrement. The registers increment or decrement by 1 if a byte was moved; by 2 if a word was moved.

CMPS can be preceded by the REPE or REPNE prefix for block comparison of CX bytes or words. Refer to the REP instruction for details of this operation.

### Protected Mode Exceptions
- #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments;
- #SS(0) for an illegal address in the SS segment.

### Real Address Mode Exceptions
Interrupt 13 for a word operand at offset 0FFFFH.
# CWD—Convert Word to Doubleword

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>99</td>
<td>CWD</td>
<td>2</td>
<td>Convert word to doubleword (DX:AX = AX)</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
CWD converts the signed word in AX to a signed doubleword in DX:AX. It does so by extending the top bit of AX into all the bits of DX.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
## DAA—Decimal Adjust AL After Addition

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>27</td>
<td>DAA</td>
<td>3</td>
<td>Decimal adjust AL after addition</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Sign, zero, auxiliary carry, parity, carry

**FLAGS UNDEFINED**
Overflow

**OPERATION**
DAA should be executed only after an ADD instruction which leaves a two-BCD-digit byte result in the AL register. The ADD operands should consist of two packed BCD digits. In this case, the DAA instruction will adjust AL to contain the correct two-digit packed decimal result.

The precise definition of DAA is as follows:

1. If the lower 4 bits of AL are greater than nine, or if the auxiliary carry flag is 1, then increment AL by 6, and set the auxiliary carry flag. Otherwise, reset the auxiliary carry flag.

2. If AL is now greater than 9FH, or if the carry flag is set, then increment AL by 60H, and set the carry flag. Otherwise, clear the carry flag.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
DAS—Decimal Adjust AL After Subtraction

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>2F</td>
<td>DAS</td>
<td>3</td>
<td>Decimal adjust AL after subtraction</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
Overflow

OPERATION
DAS should be executed only after a subtraction instruction which leaves a two-BCD-digit byte result in the AL register. The operands should consist of two packed BCD digits. In this case, the DAS instruction will adjust AL to contain the correct packed two-digit decimal result.

The precise definition of DAS is as follows:

1. If the lower four bits of AL are greater than 9, or if the auxiliary carry flag is 1, then decrement AL by 6, and set the auxiliary carry flag. Otherwise, reset the auxiliary carry flag.

2. If AL is now greater than 9FH, or if the carry flag is set, then decrement AL by 60H, and set the carry flag. Otherwise, clear the carry flag.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
DEC—Decrement by 1

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>FE /1</td>
<td>DEC eb</td>
<td>2,mem=7</td>
<td>Decrement EA byte by 1</td>
</tr>
<tr>
<td>FF /1</td>
<td>DEC ew</td>
<td>2,mem=7</td>
<td>Decrement EA word by 1</td>
</tr>
<tr>
<td>48+ rw</td>
<td>DEC rw</td>
<td>2</td>
<td>Decrement word register by 1</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Overflow, sign, zero, auxiliary carry, parity

**FLAGS UNDEFINED**
None

**OPERATION**
1 is subtracted from the operand. Note that the carry flag is not changed by this instruction. If you want the carry flag set, use the SUB instruction with a second operand of 1.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
DIV — Unsigned Divide

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F6 /6</td>
<td>DIV eb</td>
<td>14, mem=17</td>
<td>Unsigned divide AX by EA byte</td>
</tr>
<tr>
<td>F7 /6</td>
<td>DIV ew</td>
<td>22, mem=25</td>
<td>Unsigned divide DX:AX by EA word</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
Overflow, sign, zero, auxiliary carry, parity, carry

OPERATION
DIV performs an unsigned divide. The dividend is implicit; only the divisor is given as an operand. If the source operand is a BYTE operand, divide AX by the byte. The quotient is stored in AL, and the remainder is stored in AH. If the source operand is a WORD operand, divide DX:AX by the word. The high-order 16 bits of the dividend are kept in DX. The quotient is stored in AX, and the remainder is stored in DX. Non-integral quotients are truncated towards 0. The remainder is always less than the dividend.

PROTECTED MODE EXCEPTIONS
Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is zero. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is zero. Interrupt 13 for a word operand at offset 0FFFFH.
ENTER—Make Stack Frame for Procedure Parameters

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>C8 dw 00</td>
<td>ENTER dw, 0</td>
<td>11</td>
<td>Make stack frame for procedure parameters</td>
</tr>
<tr>
<td>C8 dw 01</td>
<td>ENTER dw, 1</td>
<td>15</td>
<td>Make stack frame for procedure parameters</td>
</tr>
<tr>
<td>C8 dw db</td>
<td>ENTER dw, db</td>
<td>12 + 4db</td>
<td>Make stack frame for procedure parameters</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
ENTER is used to create the stack frame required by most block-structured high-level languages. The first operand specifies how many bytes of dynamic storage are to be allocated on the stack for the routine being entered. The second operand gives the lexical nesting level of the routine within the high-level-language source code. It determines how many stack frame pointers are copied into the new stack frame from the preceding frame. BP is used as the current stack frame pointer.

If the second operand is 0, ENTER pushes BP, sets BP to SP, and subtracts the first operand from SP.

For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 instruction at its entry point and a LEAVE instruction before every RET. The 12 local bytes would be addressed as negative offsets from [BP].

The formal definition of the ENTER instruction for all cases is given by the following listing. LEVEL denotes the value of the second operand.

LEVEL := LEVEL MOD 32
Push BP
Set a temporary value FRAME_PTR := SP
If LEVEL > 0 then
  Repeat (LEVEL - 1) times:
    BP := BP - 2
    Push the word pointed to by BP
End repeat
Push FRAME_PTR
End if
BP := FRAME_PTR
SP := SP - first operand.

PROTECTED MODE EXCEPTIONS
#SS(0) if SP were to go outside of the stack limit within any part of the instruction execution.

REAL ADDRESS MODE EXCEPTIONS
None
HLT—Halt

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F4</td>
<td>HLT</td>
<td>2</td>
<td>Halt</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

Successful execution of HLT causes the iAPX 286 to cease executing instructions and to enter a HALT state. Execution resumes only upon receipt of an enabled interrupt or a reset.

If an interrupt is used to resume program execution after HLT, the saved CS:IP value will point to the instruction that follows HLT.

**PROTECTED MODE EXCEPTIONS**

HLT is a privileged instruction. #GP(0) if the current privilege level is not 0.

**REAL ADDRESS MODE EXCEPTIONS**

None
IDIV — Signed Divide

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F6 /7</td>
<td>IDIV eb</td>
<td>17,mem=20</td>
<td>Signed divide AX by EA byte (AL=Quo, AH=Rem)</td>
</tr>
<tr>
<td>F7 /7</td>
<td>IDIV ew</td>
<td>25,mem=28</td>
<td>Signed divide DX:AX by EA word (AX=Quo, DX=Rem)</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

Overflow, sign, zero, auxiliary carry, parity, carry

**OPERATION**

IDIV performs a signed divide. The dividend is implicit; only the divisor is given as an operand. If the source operand is a BYTE operand, divide AX by the byte. The quotient is stored in AL, and the remainder is stored in AH. If the source operand is a WORD operand, divide DX:AX by the word. The high-order 16 bits of the dividend are in DX. The quotient is stored in AX, and the remainder is stored in DX. Non-integral quotients are truncated towards 0. The remainder has the same sign as the dividend and always has less magnitude than the dividend.

**PROTECTED MODE EXCEPTIONS**

Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is 0. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 0 if the quotient is too big to fit in the designated register (AL or AX), or if the divisor is 0. Interrupt 13 for a word operand at offset 0FFFFH.
**IMUL—Signed Multiply**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F6 /5</td>
<td>IMUL eb</td>
<td>13,mem=16</td>
<td>Signed multiply (AX = AL × EA byte)</td>
</tr>
<tr>
<td>F7 /5</td>
<td>IMUL ew</td>
<td>21,mem=24</td>
<td>Signed multiply (DXAX = AX × EA word)</td>
</tr>
<tr>
<td>6B /r db</td>
<td>IMUL rw,db</td>
<td>21,mem=24</td>
<td>Signed multiply imm. byte into word reg.</td>
</tr>
<tr>
<td>69 /r dw</td>
<td>IMUL rw,ew,dw</td>
<td>21,mem=24</td>
<td>Signed multiply (rw = EA word × imm. word)</td>
</tr>
<tr>
<td>6B /r db</td>
<td>IMUL rw,ew,db</td>
<td>21,mem=24</td>
<td>Signed multiply (rw = EA word × imm. byte)</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Overflow, carry

**FLAGS UNDEFINED**
Sign, zero, auxiliary carry, parity

**OPERATION**
IMUL performs signed multiplication. If IMUL has a single byte source operand, then the source is multiplied by AL and the 16-bit signed result is left in AX. Carry and overflow are set to 0 if AH is a sign extension of AL; they are set to 1 otherwise.

If IMUL has a single word source operand, then the source operand is multiplied by AX and the 32-bit signed result is left in DX:AX. DX contains the high-order 16 bits of the product. Carry and overflow are set to 0 if DX is a sign extension of AX; they are set to 1 otherwise.

If IMUL has three operands, then the second operand (an effective address word) is multiplied by the third operand (an immediate word), and the 16 bits of the result are placed in the first operand (a word register). Carry and overflow are set to 0 if the result fits in a signed word (between −32768 and +32767, inclusive); they are set to 1 otherwise.

**NOTE**
The low 16 bits of the product of a 16-bit signed multiply are the same as those of an unsigned multiply. The three operand IMUL instruction can be used for unsigned operands as well.

**PROTECTED MODE EXCEPTIONS**
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
IN—Input from Port

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>E4 db</td>
<td>IN AL,db</td>
<td>5</td>
<td>Input byte from immediate port into AL</td>
</tr>
<tr>
<td>EC</td>
<td>IN AL,DX</td>
<td>5</td>
<td>Input byte from port DX into AL</td>
</tr>
<tr>
<td>E5 db</td>
<td>IN AX,db</td>
<td>5</td>
<td>Input word from immediate port into AX</td>
</tr>
<tr>
<td>ED</td>
<td>IN AX,DX</td>
<td>5</td>
<td>Input word from port DX into AX</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
IN transfers a data byte or data word from the port numbered by the second operand into the register (AL or AX) given as the first operand. You can access any port from 0 to 65535 by placing the port number in the DX register then using an IN instruction with DX as the second parameter. These I/O instructions can be shortened by using an 8-bit port I/O in the instruction. The upper 8 bits of the port address will be zero when an 8-bit port I/O is used.

Intel has reserved I/O port addresses 00F8H to 00FFH; they should not be used.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the current privilege level is bigger (has less privilege) than IOPL, which is the privilege level found in the flags register.

**REAL ADDRESS MODE EXCEPTIONS**
None
INC—Increment by 1

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>FE /0</td>
<td>INC eb</td>
<td>2,mem=7</td>
<td>Increment EA byte by 1</td>
</tr>
<tr>
<td>FF /0</td>
<td>INC ew</td>
<td>2,mem=7</td>
<td>Increment EA word by 1</td>
</tr>
<tr>
<td>40+ rw</td>
<td>INC rw</td>
<td>2</td>
<td>Increment word register by 1</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity

FLAGS UNDEFINED
None

OPERATION
1 is added to the operand. Note that the carry flag is not changed by this instruction. If you want the carry flag set, use the ADD instruction with a second operand of 1.

PROTECTED MODE EXCEPTIONS
#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
# THE IAPX 286 INSTRUCTION SET

## INS/INSB/INSW—Input from Port to String

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>6C</td>
<td>INS eb,DX</td>
<td>5</td>
<td>Input byte from port DX into ES:[DI]</td>
</tr>
<tr>
<td>6D</td>
<td>INS ew,DX</td>
<td>5</td>
<td>Input word from port DX into ES:[DI]</td>
</tr>
<tr>
<td>6C</td>
<td>INSB</td>
<td>5</td>
<td>Input byte from port DX into ES:[DI]</td>
</tr>
<tr>
<td>6D</td>
<td>INSW</td>
<td>5</td>
<td>Input word from port DX into ES:[DI]</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

INS transfers data from the input port numbered by the DX register to the memory byte or word at ES:DI. The memory operand must be addressable from the ES register; no segment override is possible.

INS does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register.

After the transfer is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed), DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

INS can be preceded by the REP prefix for block input of CX bytes or words. Refer to the REP instruction for details of this operation.

Intel has reserved I/O port addresses 00F8H to 00FFH; they should not be used.

**NOTE**

Not all input port devices can handle the rate at which this instruction transfers input data to memory.

**PROTECTED MODE EXCEPTIONS**

#GP(0) if CPL > IOPL. #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
INT INTO—Call to Interrupt Procedure

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks(^{(1)})</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CC</td>
<td>INT 3</td>
<td>23(^{(2)})</td>
<td>Interrupt 3 (trap to debugger)</td>
</tr>
<tr>
<td>CC</td>
<td>INT 3</td>
<td>40</td>
<td>Interrupt 3, protected mode, same privilege</td>
</tr>
<tr>
<td>CC</td>
<td>INT 3</td>
<td>78</td>
<td>Interrupt 3, protected mode, more privilege</td>
</tr>
<tr>
<td>CC</td>
<td>INT 3</td>
<td>167</td>
<td>Interrupt 3, protected mode, via task gate</td>
</tr>
<tr>
<td>CD db</td>
<td>INT db</td>
<td>23(^{(2)})</td>
<td>Interrupt numbered by immediate byte</td>
</tr>
<tr>
<td>CD db</td>
<td>INT db</td>
<td>40</td>
<td>Interrupt, protected mode, same privilege</td>
</tr>
<tr>
<td>CD db</td>
<td>INT db</td>
<td>78</td>
<td>Interrupt, protected mode, more privilege</td>
</tr>
<tr>
<td>CD db</td>
<td>INTO</td>
<td>167</td>
<td>Interrupt, protected mode, via task gate</td>
</tr>
<tr>
<td>CE</td>
<td>INTO</td>
<td>24, noj = 3(^{(2)})</td>
<td>Interrupt 4 if overflow flag is 1</td>
</tr>
</tbody>
</table>

\(^{(1)}\) = Add one clock for each byte of the next instruction executed.
\(^{(2)}\) = (real mode)

FLAGS UNDEFINED

None

FLAGS MODIFIED

All if a task switch takes place; none if no task switch occurs.

OPERATION

The INT instruction generates via software a call to an interrupt procedure. The immediate operand, from 0 to 255, gives the index number into the Interrupt Descriptor Table of the interrupt routine to be called. In protected mode, the IDT consists of 8-byte descriptors; the descriptor for the interrupt invoked must indicate an interrupt gate, a trap gate, or a task gate. In real address mode, the IDT is an array of 4-byte long pointers at the fixed location 00000H.

The INTO instruction is identical to the INT instruction except that the interrupt number is implicitly 4, and the interrupt is made only if the overflow flag of the iAPX 286 is on. The clock counts for the four forms of INT db are valid for INTO, with the number of clocks increased by 1 for the overflow flag test.

The first 32 interrupts are reserved by Intel for systems use. Some of these interrupts are exception handlers for internally-generated faults. Most of these exception handlers should not be invoked with the INT instruction.

Generally, interrupts behave like far CALLs except that the flags register is pushed onto the stack before the return address. Interrupt procedures return via the IRET instruction, which pops the flags from the stack.

In Real Address mode, INT pushes the flags, CS, and the return IP onto the stack in that order, then jumps to the long pointer indexed by the interrupt number.

In Protected mode, the precise semantics of the INT instruction are given by the following listing:

INTERRUPT

Interrupt vector must be within IDT table limits else #GP (vector number × 8 + 2 + EXT)
Descriptor AR byte must indicate interrupt gate, trap gate, or task gate else #GP (vector number × 8 + 2 + EXT)
If INT instruction then gate descriptor DPL must be ≥ CPL else #GP (vector number × 8 + 2 + EXT)
Gate must be PRESENT else \#NP (vector number $\times 8+2+\text{EXT})$

**If TRAP GATE or INTERRUPT GATE:**

Examine CS selector and descriptor given in the gate descriptor:
- Selector must be non-null else \#GP (EXIT)
- Selector must be within its descriptor table limits else \#GP (selector + EXT)
- Descriptor AR byte must indicate code segment else \#GP (selector + EXT)
- Segment must be PRESENT else \#NP (selector + EXT)

If code segment is non-conforming and DPL < CPL then

**INTERRUPT TO INNER PRIVILEGE:**

Check selector and descriptor for new stack in current Task State Segment:
- Selector must be non-null else \#GP(EXT)
- Selector index must be within its descriptor table limits else \#TS (SS selector + EXT)
- Selector's RPL must equal DPL of code segment else \#TS (SS selector + EXT)
- Stack segment DPL must equal DPL of code segment else \#TS (SS selector + EXT)
- Descriptor must indicate writable data segment else \#TS (SS selector + EXT)
- Segment must be PRESENT else \#SS (SS selector + EXT)

New stack must have room for 10 bytes else \#SS(0)
- IP must be in CS limit else \#GP(0)
- Load new SS and SP value from TSS
- Load new CS and IP value from gate
- Load CS descriptor
- Load SS descriptor
- Push long pointer to old stack onto new stack
- Push return address onto new stack
- Set CPL to new code segment DPL
- Set RPL of CS to CPL
- If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
- Set the Trap Flag to 0
- Set the Nested Task Flag to 0

If code segment is conforming or code segment DPL = CPL then

**INTERRUPT TO SAME PRIVILEGE LEVEL:**

- Current stack limits must allow pushing 6 bytes else \#SS(0)
- If interrupt was caused by fault with error code then
  - Stack limits must allow push of two more bytes else \#SS(0)
- IP must be in CS limit else \#GP(0)
- Push flags onto stack
- Push current CS selector onto stack
- Push return offset onto stack
- Load CS:IP from gate
- Load CS descriptor
- Set the RPL field of CS to CPL
- Push error code (if any) onto stack
- If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
- Set the Trap Flag to 0
- Set the Nested Task Flag to 0

Else \#GP (CS selector + EXT)

**If TASK GATE:**

Examine selector to TSS, given in Task Gate descriptor:
- Must specify global in the local/global bit else \#GP (TSS selector)
- Index must be within GDT limits else \#GP (TSS selector)
- AR byte must specify available TSS (bottom bits 00001) else \#GP (TSS selector)
- Task State Segment must be PRESENT else \#NP (TSS selector)

**SWITCH_TASKS with nesting to TSS**

If interrupt was caused by fault with error code then
- Stack limits must allow push of two more bytes else \#SS(0)
- Push error code onto stack
- IP must be in CS limit else \#GP(0)
NOTE
EXT is 1 if an external event (i.e., a single step, an external interrupt, an MF exception, or an MP exception) caused the interrupt; 0 if not (i.e., an INT instruction or other exceptions).

PROTECTED MODE EXCEPTIONS
#GP, #NP, #SS, and #TS, as indicated in the list above.

REAL ADDRESS MODE EXCEPTIONS
None
# IRET—Interrupt Return

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks*</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CF</td>
<td>IRET</td>
<td>17, pm=31</td>
<td>Interrupt return (far return and pop flags)</td>
</tr>
<tr>
<td>CF</td>
<td>IRET</td>
<td>55</td>
<td>Interrupt return, lesser privilege</td>
</tr>
<tr>
<td>CF</td>
<td>IRET</td>
<td>169</td>
<td>Interrupt return, different task (NT=1)</td>
</tr>
</tbody>
</table>

*Add one clock for each byte in the next instruction executed.

**FLAGS MODIFIED**
Entire flags register popped from stack

**FLAGS UNDEFINED**
None

**OPERATION**
In real address mode, IRET pops IP, CS, and FLAGS from the stack and resumes the interrupted routine.

In protected mode, the action of IRET depends on the setting of the Nested Task Flag (NT).

If NT=0, IRET returns from an interrupt procedure without a task switch. The code returned to must be equally or less privileged than the interrupt routine.

If NT=1, IRET reverses the operation of a CALL or INT that caused a task switch. The task executing IRET has its updated state saved in its Task State Segment. This means that if the task is re-entered, the code that follows IRET will be executed.

The exact checks and actions performed by IRET in protected mode are given on the following page.
INTERRUPT RETURN:
If Nested Task Flag = 1 then

RETURN FROM NESTED TASK:
Examine Back Link Selector in TSS addressed by the current Task Register:
- Must specify global in the local/global bit else #TS (new TSS selector)
- Index must be within GDT limits else #TS (new TSS selector)
- AR byte must specify TSS else #TS (new TSS selector)
- New TSS must be busy else #TS (new TSS selector)
- Task State Segment must be PRESENT else #NP (new TSS selector)
- SWITCH_TASKS without nesting to TSS specified by back link selector
- Mark the task just abandoned as NOT BUSY
- IP must be in code segment limit else #GP(0)

If Nested Task Flag = 0 then
INTERRUPT RETURN ON STACK:
Second word on stack must be within stack limits else #SS(0)
Return CS selector RPL must be ≥ CPL else #GP (Return selector)
If return selector RPL = CPL then
INTERRUPT RETURN TO SAME LEVEL:
- Top 6 bytes on stack must be within limits else #SS(0)
- Return CS selector (at SP+2) must be non-null else #GP(0)
- Selector index must be within its descriptor table limits else #GP (Return selector)
- AR byte must indicate code segment else #GP (Return selector)
- If non-conforming then code segment DPL must = CPL else #GP (Return selector)
- If conforming then code segment DPL must be ≤ CPL else #GP (Return selector)
- Segment must be PRESENT else #NP (Return selector)
- IP must be in code segment limit else #GP(0)
- Load CS:IP from stack
- Load CS-cache with new code segment descriptor
- Load flags with third word on stack
- Increment SP by 6

Else
INTERRUPT RETURN TO OUTER PRIVILEGE LEVEL:
- Top 10 bytes on stack must be within limits else #SS(0)
Examine return CS selector (at SP+2) and associated descriptor:
- Selector must be non-null else #GP(0)
- Selector index must be within its descriptor table limits else #GP (Return selector)
- AR byte must indicate code segment else #GP (Return selector)
- If non-conforming then code segment DPL must = CS selector RPL else #GP (Return selector)
- If conforming then code segment DPL must be > CPL else #GP (Return selector)
- Segment must be PRESENT else #NP (Return selector)
Examine return SS selector (at SP+8) and associated descriptor:
- Selector must be non-null else #GP(0)
- Selector index must be within its descriptor table limits else #GP (SS selector)
- Selector RPL must equal the RPL of the return CS selector else #GP (SS selector)
- AR byte must indicate a writable data segment else #GP (SS selector)
- Stack segment DPL must equal the RPL of the return CS selector else #GP (SS selector)
- SS must be PRESENT else #NP (SS selector)
- IP must be in code segment limit else #GP(0)
- Load CS:IP from stack
- Load flags with values at (SP+4)
- Load SS:SP from stack
- Set CPL to the RPL of the return CS selector
- Load the CS-cache with the CS descriptor
- Load the SS-cache with the SS descriptor
For each of ES and DS:
- If the current register setting is not valid for the outer level, then zero the register and clear the valid flag
- To be valid, the register setting must satisfy the following properties:
  - Selector index must be within descriptor table limits
AR byte must indicate data or readable code segment
If segment is data or non-conforming code, then:
DPL must be $\geq$ CPL, or
DPL must be $\geq$ RPL.

PROTECTED MODE EXCEPTIONS
#GP, #NP, or #SS, as indicated in the above listing.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 if the stack is popped when it has offset 0FFFFH.
**Jcond—Jump Short If Condition Met**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>77 cb</td>
<td>JA cb</td>
<td>7, noj=3</td>
<td>Jump short if above (CF=0 and ZF=0)</td>
</tr>
<tr>
<td>73 cb</td>
<td>JAE cb</td>
<td>7, noj=3</td>
<td>Jump short if above or equal (CF=0)</td>
</tr>
<tr>
<td>72 cb</td>
<td>JB cb</td>
<td>7, noj=3</td>
<td>Jump short if below (CF=1)</td>
</tr>
<tr>
<td>76 cb</td>
<td>JBE cb</td>
<td>7, noj=3</td>
<td>Jump short if below or equal (CF=1 or ZF=1)</td>
</tr>
<tr>
<td>72 cb</td>
<td>JC cb</td>
<td>7, noj=3</td>
<td>Jump short if carry (CF=1)</td>
</tr>
<tr>
<td>E3 cb</td>
<td>JCXZ cb</td>
<td>8, noj=4</td>
<td>Jump short if CX register is zero</td>
</tr>
<tr>
<td>74 cb</td>
<td>JE cb</td>
<td>7, noj=3</td>
<td>Jump short if equal (ZF=1)</td>
</tr>
<tr>
<td>7F cb</td>
<td>JG cb</td>
<td>7, noj=3</td>
<td>Jump short if greater (ZF=0 and SF=OF)</td>
</tr>
<tr>
<td>7D cb</td>
<td>JGE cb</td>
<td>7, noj=3</td>
<td>Jump short if greater or equal (SF=OF)</td>
</tr>
<tr>
<td>7C cb</td>
<td>JL cb</td>
<td>7, noj=3</td>
<td>Jump short if less (SF=OF)</td>
</tr>
<tr>
<td>7E cb</td>
<td>JLE cb</td>
<td>7, noj=3</td>
<td>Jump short if less or equal (ZF=1 or SF/=OF)</td>
</tr>
<tr>
<td>76 cb</td>
<td>JNAE cb</td>
<td>7, noj=3</td>
<td>Jump short if not above/equal (CF=1)</td>
</tr>
<tr>
<td>73 cb</td>
<td>JNB cb</td>
<td>7, noj=3</td>
<td>Jump short if not below (CF=0)</td>
</tr>
<tr>
<td>77 cb</td>
<td>JNBE cb</td>
<td>7, noj=3</td>
<td>Jump short if not below/equal (CF=0 and ZF=0)</td>
</tr>
<tr>
<td>73 cb</td>
<td>JNC cb</td>
<td>7, noj=3</td>
<td>Jump short if not carry (CF=0)</td>
</tr>
<tr>
<td>75 cb</td>
<td>JNE cb</td>
<td>7, noj=3</td>
<td>Jump short if not equal (ZF=0)</td>
</tr>
<tr>
<td>7E cb</td>
<td>JNG cb</td>
<td>7, noj=3</td>
<td>Jump short if not greater (ZF=1 or SF/=OF)</td>
</tr>
<tr>
<td>7C cb</td>
<td>JNGE cb</td>
<td>7, noj=3</td>
<td>Jump short if not greater/equal (SF/=OF)</td>
</tr>
<tr>
<td>7D cb</td>
<td>JNL cb</td>
<td>7, noj=3</td>
<td>Jump short if not less (SF=OF)</td>
</tr>
<tr>
<td>7F cb</td>
<td>JNLE cb</td>
<td>7, noj=3</td>
<td>Jump short if not less/equal (ZF=0 and SF=OF)</td>
</tr>
<tr>
<td>71 cb</td>
<td>JNO cb</td>
<td>7, noj=3</td>
<td>Jump short if not overflow (OF=0)</td>
</tr>
<tr>
<td>7B cb</td>
<td>JNP cb</td>
<td>7, noj=3</td>
<td>Jump short if not parity (PF=0)</td>
</tr>
<tr>
<td>79 cb</td>
<td>JNS cb</td>
<td>7, noj=3</td>
<td>Jump short if not sign (SF=0)</td>
</tr>
<tr>
<td>75 cb</td>
<td>JNZ cb</td>
<td>7, noj=3</td>
<td>Jump short if not zero (ZF=0)</td>
</tr>
<tr>
<td>70 cb</td>
<td>JO cb</td>
<td>7, noj=3</td>
<td>Jump short if overflow (OF=1)</td>
</tr>
<tr>
<td>7A cb</td>
<td>JP cb</td>
<td>7, noj=3</td>
<td>Jump short if parity (PF=1)</td>
</tr>
<tr>
<td>7A cb</td>
<td>JPE cb</td>
<td>7, noj=3</td>
<td>Jump short if parity even (PF=1)</td>
</tr>
<tr>
<td>7B cb</td>
<td>JPO cb</td>
<td>7, noj=3</td>
<td>Jump short if parity odd (PF=0)</td>
</tr>
<tr>
<td>78 cb</td>
<td>JS cb</td>
<td>7, noj=3</td>
<td>Jump short if sign (SF=1)</td>
</tr>
<tr>
<td>74 cb</td>
<td>JZ cb</td>
<td>7, noj=3</td>
<td>Jump short if zero (ZF=1)</td>
</tr>
</tbody>
</table>

*When a jump is taken, add one clock for every byte of the next instruction executed.

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

Conditional jumps (except for JCXZ, explained below) test the flags, which presumably have been set in some meaningful way by a previous instruction. The conditions for each mnemonic are given in parentheses after each description above. The terms “less” and “greater” are used for comparing signed integers; “above” and “below” are used for unsigned integers.

If the given condition is true, then a short jump is made to the label provided as the operand. The operand must be in the range from 126 bytes before the instruction to 127 bytes beyond the instruction. This range is necessary for the assembler to construct a one-byte signed displacement from the end of the current instruction. If the label is out-of-range, or if the label is a FAR label, then you must perform a jump with the opposite
condition around an unconditional jump to the non-short label.

Because there are, in many instances, several ways to interpret a particular state of the flags, ASM286 provides more than one mnemonic for most of the conditional jump opcodes. For example, consider that a programmer who has just compared a character to another in AL might wish to jump if the two were equal (JE), while another programmer who had just ANDed AX with a bit field mask would prefer to consider only whether the result was zero or not (he would use JZ, a synonym for JE).

JCXZ differs from the other conditional jumps in that it actually tests the contents of the CX register for zero, rather than interrogating the flags. This instruction is useful following a conditionally repeated string operation (REPE SCASB, for example) or a conditional loop instruction (such as LOOPNE TARGETLABEL). These instructions implicitly use a limiting count in the CX register. Looping (repeating) ends when either the CX register goes to zero or the condition specified in the instruction (flags indicating equals in both of the above cases) occurs. JCXZ is useful when the terminations must be handled differently.

PROTECTED MODE EXCEPTIONS
#GP(0) if the offset jumped to is beyond the limits of the code segment.

REAL ADDRESS MODE EXCEPTIONS
None
## JMP — Jump

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks*</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>EB cb</td>
<td>JMP cb</td>
<td>7</td>
<td>Jump short</td>
</tr>
<tr>
<td>EA cd</td>
<td>JMP cd</td>
<td>180</td>
<td>Jump to task gate</td>
</tr>
<tr>
<td>E9 cw</td>
<td>JMP cw</td>
<td>7</td>
<td>Jump near</td>
</tr>
<tr>
<td>EA cd</td>
<td>JMP cd</td>
<td>11,pm=23</td>
<td>Jump far (4-byte immediate address)</td>
</tr>
<tr>
<td>EA cd</td>
<td>JMP cd</td>
<td>38</td>
<td>Jump to call gate, same privilege</td>
</tr>
<tr>
<td>EA cd</td>
<td>JMP cd</td>
<td>175</td>
<td>Jump via Task State Segment</td>
</tr>
<tr>
<td>FF /4</td>
<td>JMP ew</td>
<td>7,mem=11</td>
<td>Jump near to EA word (absolute offset)</td>
</tr>
<tr>
<td>FF /5</td>
<td>JMP md</td>
<td>15,pm=28</td>
<td>Jump far (4-byte address in memory double-word)</td>
</tr>
<tr>
<td>FF /5</td>
<td>JMP md</td>
<td>41</td>
<td>Jump to call gate, same privilege</td>
</tr>
<tr>
<td>FF /5</td>
<td>JMP md</td>
<td>178</td>
<td>Jump via Task State Segment</td>
</tr>
<tr>
<td>FF /5</td>
<td>JMP md</td>
<td>183</td>
<td>Jump to task gate</td>
</tr>
</tbody>
</table>

*Add one clock for every byte of the next instruction executed.

### FLAGS MODIFIED

All if a task switch takes place; none if no task switch occurs.

### FLAGS UNDEFINED

None

### OPERATION

The JMP instruction transfers program control to a different instruction stream without recording any return information.

For inter-segment jumps, the destination can be a code segment, a call gate, a task gate, or a Task State Segment. The latter two destinations cause a complete task switch to take place.

Control transfers within a segment use the JMP cw or JMP cb forms. The operand is a relative offset added modulo 65536 to the offset of the instruction that follows the JMP. The result is the new value of IP; the value of CS is unchanged. The byte operand is sign-extended before it is added; it can therefore be used to address labels within 128 bytes in either direction from the next instruction.

Indirect jumps within a segment use the JMP ew form. The contents of the register or memory operand is an absolute offset, which becomes the new value of IP. Again, CS is unchanged.

Inter-segment jumps in real address mode simply set IP to the offset part of the long pointer and set CS to the selector part of the pointer.

In protected mode, inter-segment jumps cause the iAPX 286 to consult the descriptor addressed by the selector part of the long pointer. The AR byte of the descriptor determines the type of the destination. (See table B-3 for possible values of the AR byte.) Following are the possible destinations:

1. Code segment — The addressability and visibility of the destination are verified, and CS and IP are loaded with the destination pointer values.
2. Call gate — The offset part of the destination pointer is ignored. After checking for validity, the processor jumps to the location stored in the call gate descriptor.
3. Task gate—The current task’s state is saved in its Task State Segment (TSS), and the TSS named in the task gate is used to load a new context. The outgoing task is marked not busy, the new TSS is marked busy, and execution resumes at the point at which the new task was last suspended.

4. TSS—The current task is suspended and the new task is initiated as in 3 above except that there is no intervening gate.

Following is the list of checks and actions taken for long jumps in protected mode:

**JUMP FAR:**
- If indirect then check access of EA doubleword #GP(0) or #SS(0) if limit violation
- Destination selector is not null else #GP(0)
- Destination selector index is within its descriptor table limits else #GP (selector)
- Examine AR byte of destination selector for legal values:
  - **JUMP CONFORMING CODE SEGMENT:**
    - Descriptor DPL must be ≥ CPL else #GP (selector)
    - Segment must be PRESENT else #NP (selector)
    - IP must be in code segment limit else #GP(0)
    - Load CS:IP from destination pointer
    - Load CS-cache with new segment descriptor
    - Set RPL field of CS register to CPL
  - **JUMP NONCONFORMING CODE SEGMENT:**
    - RPL of destination selector must be ≤ CPL else #GP (selector)
    - Descriptor DPL must = CPL else #GP (selector)
    - Segment must be PRESENT else #NP (selector)
    - IP must be in code segment limit else #GP(0)
    - Load CS:IP from destination pointer
    - Load CS-cache with new segment descriptor
    - Set RPL field of CS register to CPL
  - **JUMP TO CALL GATE:**
    - Descriptor DPL must be ≥ CPL else #GP (gate selector)
    - Descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
    - Gate must be PRESENT else #NP (gate selector)
    - Examine selector to code segment given in call gate descriptor:
      - Selector must not be null else #GP(0)
      - Selector must be within its descriptor table limits else #GP (CS selector)
      - Descriptor AR byte must indicate code segment else #GP (CS selector)
      - If non-conforming, code segment descriptor DPL must = CPL else #GP (CS selector)
      - If conforming, then code segment descriptor DPL must be ≤ CPL else #GP (CS selector)
    - Code Segment must be PRESENT else #NP (CS selector)
    - IP must be in code segment limit else #GP(0)
    - Load CS:IP from call gate
    - Load CS-cache with new code segment
    - Set RPL of CS to CPL
  - **JUMP TASK GATE:**
    - Gate descriptor DPL must be ≥ CPL else #GP (gate selector)
    - Gate descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
    - Task Gate must be PRESENT else #NP (gate selector)
    - Examine selector to TSS, given in Task Gate descriptor:
      - Must specify global in the local/global bit else #GP (TSS selector)
      - Index must be within GDT limits else #GP (TSS selector)
      - Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
    - Task State Segment must be PRESENT else #NP (TSS selector)
SWITCH_TASKS without nesting to TSS
IP must be in code segment limit else #GP(0)

JUMP TASK STATE SEGMENT:
TSS DPL must be ≥ CPL else #GP(TSS selector)
TSS DPL must be ≥ TSS selector RPL else #GP(TSS selector)
Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP(TSS selector)
Task State Segment must be PRESENT else #NP(TSS selector)
SWITCH_TASKS with nesting to TS,
IP must be in code segment limit else #GP(0)

Else GP (selector)

PROTECTED MODE EXCEPTIONS
For NEAR jumps, #GP(0) if the destination offset is beyond the limits of the current code segment. For FAR jumps, #GP, #NP, #SS, and #TS, as indicated above. #UD if indirect inter-segment jump operand is a register.

REAL ADDRESS MODE EXCEPTIONS
#UD if indirect inter-segment jump operand is a register.
LAHF—Load Flags into AH Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>9F</td>
<td>LAHF</td>
<td>2</td>
<td>Load: AH = flags SF ZF xx AF xx PF xx CF</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The low byte of the flags word is transferred to AH. The bits, from top to bottom, are as follows: sign, zero, indeterminate, auxiliary carry, indeterminate, parity, indeterminate, and carry.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
LAR—Load Access Rights Byte

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 02</td>
<td>/r LAR rw,ow</td>
<td>14,mem=16</td>
<td>Load: high(rw)= Access Rights byte,selector ow</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION
LAR expects the second operand (memory or register word) to contain a selector. If the associated descriptor is visible at the current privilege level and at the selector RPL, then the access rights byte of the descriptor is loaded into the high byte of the first (register) operand, and the low byte is set to zero. The zero flag is set if the loading was performed (i.e., the selector index is within the table limit, descriptor DPL ≥ CPL, and descriptor DPL ≥ selector RPL); the zero flag is cleared otherwise.

Selector operands cannot cause protection exceptions.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTION
INTERRUPT 6; LAR is unrecognized in Real Address mode.
**LDS/LES—Load Doubleword Pointer**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>C5</td>
<td>LDS rw,ed</td>
<td>7,pm=21</td>
<td>Load EA doubleword into DS and word register</td>
</tr>
<tr>
<td>C4</td>
<td>LES rw,ed</td>
<td>7,pm=21</td>
<td>Load EA doubleword into ES and word register</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The four-byte pointer at the memory location indicated by the second operand is loaded into a segment register and a word register. The first word of the pointer (the offset) is loaded into the register indicated by the first operand. The last word of the pointer (the selector) is loaded into the segment register (DS or ES) given by the instruction opcode.

When the segment register is loaded, its associated cache is also loaded. The data for the cache is obtained from the descriptor table entry for the selector given.

A null selector (values 0000-0003) can be loaded into DS or ES without a protection exception. Any memory reference using such a segment register value will cause a #GP(0) exception but will not result in a memory reference. The saved segment register value will be null.

Following is a list of checks and actions taken when loading the DS or ES registers:

If selector is non-null then:
- Selector index must be within its descriptor table limits else #GP (selector)
- Examine descriptor AR byte:
  - Data segment or readable non-conforming code segment
    - Descriptor DPL ≥ CPL else #GP (selector)
    - Descriptor DPL ≥ selector RPL else #GP (selector)
  - Readable conforming code segment
    - No DPL, RPL, or CPL checks
  - Else #GP (selector)
- Segment must be present else #NP (selector)
- Load registers from operand
- Load segment register descriptor cache

If selector is null then:
- Load registers from operand
- Mark segment register cache as invalid
PROTECTED MODE EXCEPTIONS
#GP or #NP, as indicated in the list above.
#GP(0) or #SS(0) if operand lies outside segment limit. #UD if the source operand is a register.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for operand at offset 0FFFFH or 0FFFFD. #UD if the source operand is a register.
**LEA—Load Effective Address Offset**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>8D /r</td>
<td>LEA rw,m</td>
<td>3</td>
<td>Calculate EA offset given by m, place in rw</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

The effective address (offset part) of the second operand is placed in the first (register) operand.

**PROTECTED MODE EXCEPTIONS**

#UD if second operand is a register.

**REAL ADDRESS MODE EXCEPTIONS**

#UD if second operand is a register.
LEAVE—High Level Procedure Exit

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>C9</td>
<td>LEAVE</td>
<td>5</td>
<td>Set SP to BP, then POP BP</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
LEAVE is the complementary operation to ENTER; it reverses the effects of that instruction. By copying BP to SP, LEAVE releases the stack space used by a procedure for its dynamics and display. The old frame pointer is now popped into BP, restoring the caller's frame, and a subsequent RET nn instruction will follow the back-link and remove any arguments pushed on the stack for the exiting procedure.

**PROTECTED MODE EXCEPTIONS**
#SS(0) if BP does not point to a location within the current stack segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
## LGDT/LIDT—Load Global/Interrupt Descriptor Table Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 01 /2</td>
<td>LGDT m</td>
<td>11</td>
<td>Load m into Global Descriptor Table reg</td>
</tr>
<tr>
<td>0F 01 /3</td>
<td>LIDT m</td>
<td>12</td>
<td>Load m into Interrupt Descriptor Table reg</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The Global or the Interrupt Descriptor Table Register is loaded from the six bytes of memory pointed to by the effective address operand. The LIMIT field of the descriptor table register loads from the first word; the next three bytes go to the BASE field of the register; the last byte is ignored.

LGDT and LIDT appear in operating systems software; they are not used in application programs.

**PROTECTED MODE EXCEPTIONS**
- #GP(0) if the current privilege level is not 0.
- #UD if source operand is a register.
- #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments;
- #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
These instructions are valid in Real Address mode to allow the power-up initialization for Protected mode.

Interrupt 13 for a word operand at offset 0FFFFH. #UD if source operand is a register.
LLDT—Load Local Descriptor Table Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 00 /2</td>
<td>LLDT <em>ew</em></td>
<td>17,mem=19</td>
<td>Load selector <em>ew</em> into Local Descriptor Table register</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The word operand (memory or register) to LLDT should contain a selector pointing to the Global Descriptor Table. The GDT entry should be a Local Descriptor Table. If so, then the Local Descriptor Table Register is loaded from the entry. The descriptor cache entries for DS, ES, SS, and CS are not affected. The LDT field in the TSS is not changed.

The selector operand is allowed to be zero. In that case, the Local Descriptor Table Register is marked invalid. All descriptor references (except by LAR, VERR, VERW or LSL instructions) will cause a #GP fault.

LLDT appears in operating systems software; it does not appear in applications programs.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the current privilege level is not 0.
#GP (selector) if the selector operand does not point into the Global Descriptor Table, or if the entry in the GDT is not a Local Descriptor Table. #NP (selector) if LDT descriptor is not present. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 6; LLDT is not recognized in Real Address Mode.
LMSW—Load Machine Status Word

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 01 /6</td>
<td>LMSW ew</td>
<td>3,mem=6</td>
<td>Load EA word into Machine Status Word</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The Machine Status Word is loaded from the source operand. This instruction may be used to switch to protected mode. If so, then it must be followed by an intra-segment jump to flush the instruction queue. LMSW will not switch back to Real Address Mode.

LMSW appears only in operating systems software. It does not appear in applications programs.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the current privilege level is not 0.
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
LOCK—Assert BUS LOCK Signal

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F0</td>
<td>LOCK</td>
<td>0</td>
<td>Assert BUSLOCK signal for the next instruction</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
LOCK is a prefix that will cause the BUS LOCK signal of the iAPX 286 to be asserted for the duration of the instruction which it precedes. In a multiprocessor environment, this signal should be used to ensure that the iAPX 286 has exclusive use of any shared memory while BUS LOCK is asserted. The read-modify-write sequence typically used to implement TEST-AND-SET in the iAPX 286 is the XCHG instruction. XCHG always asserts BUS LOCK regardless of the presence or absence of the LOCK prefix.

The LOCK prefix does not lock all bus cycles of all instructions. The bus will not remain locked for all bus cycles while creating the following instructions with multi-word operands: CMPS, SCAS, STOS, LODS, PUSHA, POPA, CALL, RET, IRET, ENTER, BOUND, PUSH, POP, and any ESC.

PROTECTED MODE EXCEPTIONS
#GP(0) if the current privilege level is bigger (less privileged) than the I/O privilege level.

Other exceptions may be generated by the subsequent (locked) instruction.

REAL ADDRESS MODE EXCEPTIONS
None. Exceptions may still be generated by the subsequent (locked) instruction.
LODS/LODSB/LODSW—Load String Operand

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>AC</td>
<td>LODS $mb$</td>
<td>5</td>
<td>Load byte [SI] into AL</td>
</tr>
<tr>
<td>AD</td>
<td>LODS $mw$</td>
<td>5</td>
<td>Load byte [SI] into AL</td>
</tr>
<tr>
<td>AC</td>
<td>LODSB</td>
<td>5</td>
<td>Load byte DS:[SI] into AL</td>
</tr>
<tr>
<td>AD</td>
<td>LODSW</td>
<td>5</td>
<td>Load byte DS:[SI] into AL</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
LODS loads the AL or AX register with the memory byte or word at SI. After the transfer is made, SI is automatically advanced. If the direction flag is 0 (CLD was executed), SI increments; if the direction flag is 1 (STD was executed), SI decrements. SI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
LOOP/LOOPcond—Loop Control with CX Counter

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>E2 cb</td>
<td>LOOP cb</td>
<td>8, noj=4</td>
<td>DEC CX; jump short if CX ≠ 0</td>
</tr>
<tr>
<td>E1 cb</td>
<td>LOOPE cb</td>
<td>8, noj=4</td>
<td>DEC CX; jump short if CX ≠ 0 and equal (ZF=1)</td>
</tr>
<tr>
<td>E0 cb</td>
<td>LOOPNE cb</td>
<td>8, noj=4</td>
<td>DEC CX; jump short if CX ≠ 0 and not equal (ZF=0)</td>
</tr>
<tr>
<td>E0 cb</td>
<td>LOOPNZ cb</td>
<td>8, noj=4</td>
<td>DEC CX; jump short if CX ≠ 0 and ZF=0</td>
</tr>
<tr>
<td>E1 cb</td>
<td>LOOPZ cb</td>
<td>8, noj=4</td>
<td>DEC CX; jump short if CX ≠ 0 and zero (ZF=1)</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
LOOP first decrements the CX register without changing any of the flags. Then, conditions are checked as given in the description above for the form of LOOP being used. If the conditions are met, then an intra-segment jump is made. The destination to LOOP is in the range from 126 (decimal) bytes before the instruction to 127 bytes beyond the instruction.

The LOOP instructions are intended to provide iteration control and to combine loop index management with conditional branching. To use the LOOP instruction you load an unsigned iteration count into CX, then code the LOOP at the end of a series of instructions to be iterated. The destination of LOOP is a label that points to the beginning of the iteration.

PROTECTED MODE EXCEPTIONS
#GP(0) if the offset jumped to is beyond the limits of the current code segment.

REAL ADDRESS MODE EXCEPTIONS
None
LSL—Load Segment Limit

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 03/r</td>
<td>LSL rw,ew</td>
<td>14,mem=16</td>
<td>Load: rw = Segment Limit, selector ew</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION
If the descriptor denoted by the selector in the second (memory or register) operand is visible at the CPL, a word that consists of the limit field of the descriptor is loaded into the left operand, which must be a register. The value is the limit field for that segment. The zero flag is set if the loading was performed (that is, if the selector is non-null, the selector index is within the descriptor table limits, the descriptor is a non-conforming segment descriptor with DPL ≥ CPL, and the descriptor DPL ≥ selector RPL); the zero flag is cleared otherwise.

The LSL instruction returns only the limit field of segments, task state segments, and local descriptor tables. The interpretation of the limit value depends on the type of segment.

The selector operand’s value cannot result in a protection exception.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 6; LSL is not recognized in Real Address mode.
LTR—Load Task Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 00 /3</td>
<td>LTR ew</td>
<td>17,mem=19</td>
<td>Load EA word into Task Register</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The Task Register is loaded from the source register or memory location given by the operand. The loaded TSS is marked busy. A task switch operation does not occur.

LTR appears only in operating systems software. It is not used in applications programs.

**PROTECTED MODE EXCEPTIONS**
#GP for an illegal memory operand effective address in the CS, DS, or ES segments; #SS for an illegal address in the SS segment.

#GP(0) if the current privilege level is not 0.
#GP (selector) if the object named by the source selector is not a TSS or is already busy.
#NP (selector) if the TSS is marked not present.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 6; LTR is not recognized in Real Address mode.
MOV—Move Data

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>88 /r</td>
<td>MOV eb,rb</td>
<td>2,mem=3</td>
<td>Move byte register into EA byte</td>
</tr>
<tr>
<td>89 /r</td>
<td>MOV ew,rb</td>
<td>2,mem=3</td>
<td>Move word register into EA word</td>
</tr>
<tr>
<td>8A /r</td>
<td>MOV rb,eb</td>
<td>2,mem=5</td>
<td>Move EA byte into byte register</td>
</tr>
<tr>
<td>8B /r</td>
<td>MOV rw,eb</td>
<td>2,mem=5</td>
<td>Move EA word into word register</td>
</tr>
<tr>
<td>8C /0</td>
<td>MOV ew,ES</td>
<td>2,mem=3</td>
<td>Move ES into EA word</td>
</tr>
<tr>
<td>8C /1</td>
<td>MOV ew,CS</td>
<td>2,mem=3</td>
<td>Move CS into EA word</td>
</tr>
<tr>
<td>8C /2</td>
<td>MOV ew,SS</td>
<td>2,mem=3</td>
<td>Move SS into EA word</td>
</tr>
<tr>
<td>8C /3</td>
<td>MOV ew,DS</td>
<td>2,mem=3</td>
<td>Move DS into EA word</td>
</tr>
<tr>
<td>8E /0</td>
<td>MOV ES,mw</td>
<td>5,pm=19</td>
<td>Move memory word into ES</td>
</tr>
<tr>
<td>8E /0</td>
<td>MOV ES,rb</td>
<td>2,pm=17</td>
<td>Move word register into ES</td>
</tr>
<tr>
<td>8E /2</td>
<td>MOV SS,mw</td>
<td>5,pm=19</td>
<td>Move memory word into SS</td>
</tr>
<tr>
<td>8E /2</td>
<td>MOV SS,rb</td>
<td>2,pm=17</td>
<td>Move word register into SS</td>
</tr>
<tr>
<td>8E /3</td>
<td>MOV DS,mw</td>
<td>5,pm=19</td>
<td>Move memory word into DS</td>
</tr>
<tr>
<td>8E /3</td>
<td>MOV DS,rb</td>
<td>2,pm=17</td>
<td>Move word register into DS</td>
</tr>
<tr>
<td>A0 dw</td>
<td>MOV AL,xb</td>
<td>5</td>
<td>Move byte variable (offset dw) into AL</td>
</tr>
<tr>
<td>A1 dw</td>
<td>MOV AX,xw</td>
<td>5</td>
<td>Move word variable (offset dw) into AX</td>
</tr>
<tr>
<td>A2 dw</td>
<td>MOV xb,AL</td>
<td>3</td>
<td>Move AL into byte variable (offset dw)</td>
</tr>
<tr>
<td>A3 dw</td>
<td>MOV xw,AX</td>
<td>3</td>
<td>Move AX into word register (offset dw)</td>
</tr>
<tr>
<td>B0+ rb db</td>
<td>MOV rb,db</td>
<td>2</td>
<td>Move immediate byte into byte register</td>
</tr>
<tr>
<td>B8+ rw dw</td>
<td>MOV rw,dw</td>
<td>2</td>
<td>Move immediate word into word register</td>
</tr>
<tr>
<td>C6 /0</td>
<td>MOV eb,db</td>
<td>2,mem=3</td>
<td>Move immediate byte into EA byte</td>
</tr>
<tr>
<td>C7 /0</td>
<td>MOV ew,dw</td>
<td>2,mem=3</td>
<td>Move immediate word into EA word</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The second operand is copied to the first operand.

If the destination operand is a segment register (DS, ES, or SS), then the associated segment register cache is also loaded. The data for the cache is obtained from the descriptor table entry for the selector given.

A null selector (values 0000-0003) can be loaded into DS and ES registers without causing a protection exception. Any use of a segment register with a null selector to address memory will cause #GP(0) exception. No memory reference will occur.

Any move into SS will inhibit all interrupts until after the execution of the next instruction.

Following is a listing of the protected-mode checks and actions taken in the loading of a segment register:

If SS is loaded:
- If selector is null then #GP(0)
- Selector index must be within its descriptor table limits else #GP (selector)
- Selector's RPL must equal CPL else #GP (selector)
- AR byte must indicate a writable data segment else #GP (selector)
- DPL in the AR byte must equal CPL else #GP (selector)
- Segment must be marked PRESENT else #SS (selector)
- Load SS with selector
Load SS cache with descriptor
If ES or DS is loaded with non-null selector
   Selector index must be within its descriptor table limits else #GP (selector)
   AR byte must indicate data or readable code segment else #GP (selector)
   If data or non-conforming code, then both the RPL and the
   CPL must be less than or equal to DPL in AR byte else #GP (selector)
   Segment must be marked PRESENT else #NP (selector)
Load segment register with selector
Load segment register cache with descriptor
If ES or DS is loaded with a null selector:
   Load segment register with selector
   Clear descriptor valid bit

PROTECTED MODE EXCEPTIONS
If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing above.
Otherwise, #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
MOVS/MOVSB/MOVSW — Move Data from String to String

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>A4</td>
<td>MOVS mb,mb</td>
<td>5</td>
<td>Move byte [SI] to ES:[DI]</td>
</tr>
<tr>
<td>A5</td>
<td>MOVS mw,mw</td>
<td>5</td>
<td>Move word [SI] to ES:[DI]</td>
</tr>
<tr>
<td>A4</td>
<td>MOVSB</td>
<td>5</td>
<td>Move byte DS:[SI] to ES:[DI]</td>
</tr>
<tr>
<td>A5</td>
<td>MOVSW</td>
<td>5</td>
<td>Move word DS:[SI] to ES:[DI]</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
MOVS copies the byte or word at [SI] to the byte or word at ES:[DI]. The destination operand must be addressable from the ES register; no segment override is possible. A segment override may be used for the source operand.

After the data movement is made, both SI and DI are automatically advanced. If the direction flag is 0 (CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the registers decrement. The registers increment or decrement by 1 if a byte was moved; by 2 if a word was moved.

MOVMS can be preceded by the REP prefix for block movement of CX bytes or words. Refer to the REP instruction for details of this operation.

PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
MUL—Unsigned Multiplication of AL or AX

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F6 /4</td>
<td>MUL eb</td>
<td>13, mem=16</td>
<td>Unsigned multiply (AX = AL × EA byte)</td>
</tr>
<tr>
<td>F7 /4</td>
<td>MUL ew</td>
<td>21, mem=24</td>
<td>Unsigned multiply (DXAX = AX × EA word)</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Overflow, carry

FLAGS UNDEFINED
Sign, zero, auxiliary carry, parity

OPERATION
If MUL has a byte operand, then the byte is multiplied by AL, and the result is left in AX. Carry and overflow are set to 0 if AH is 0; they are set to 1 otherwise.

If MUL has a word operand, then the word is multiplied by AX, and the result is left in DX:AX. DX contains the high order 16 bits of the product. Carry and overflow are set to 0 if DX is 0; they are set to 1 otherwise.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
NEG—Two's Complement Negation

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F6 /3</td>
<td>NEG eb</td>
<td>2,mem=7</td>
<td>Two's complement negate EA byte</td>
</tr>
<tr>
<td>F7 /3</td>
<td>NEG ew</td>
<td>2,mem=7</td>
<td>Two's complement negate EA word</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
The two's complement of the register or memory operand replaces the old operand value. Likewise, the operand is subtracted from zero, and the result is placed in the operand.

The carry flag is set to 1 except when the input operand is zero, in which case the carry flag is cleared to 0.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
# NOP — No OPERATION

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>90</td>
<td>NOP</td>
<td>3</td>
<td>No OPERATION</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
Performs no operation. NOP is a one-byte filler instruction that takes up space but affects none of the machine context except IP.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
NOT — One’s Complement Negation

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F6 /2</td>
<td>NOT eb</td>
<td>2,mem=7</td>
<td>Reverse each bit of EA byte</td>
</tr>
<tr>
<td>F7 /2</td>
<td>NOT ew</td>
<td>2,mem=7</td>
<td>Reverse each bit of EA word</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The operand is inverted; that is, every 1 becomes a 0 and vice versa.

PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
## OR—Logical Inclusive OR

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>08</td>
<td>OR eb,rb</td>
<td>2,mem=7</td>
<td>Logical-OR byte register into EA byte</td>
</tr>
<tr>
<td>09</td>
<td>OR ew,rw</td>
<td>2,mem=7</td>
<td>Logical-OR word register into EA word</td>
</tr>
<tr>
<td>0A</td>
<td>OR rb,eb</td>
<td>2,mem=7</td>
<td>Logical-OR EA byte into byte register</td>
</tr>
<tr>
<td>0B</td>
<td>OR rw,ew</td>
<td>2,mem=7</td>
<td>Logical-OR EA word into word register</td>
</tr>
<tr>
<td>0C</td>
<td>OR AL,db</td>
<td>3</td>
<td>Logical-OR immediate byte into AL</td>
</tr>
<tr>
<td>0D</td>
<td>OR AX,dw</td>
<td>3</td>
<td>Logical-OR immediate word into AX</td>
</tr>
<tr>
<td>80</td>
<td>OR eb,db</td>
<td>3,mem=7</td>
<td>Logical-OR immediate byte into EA byte</td>
</tr>
<tr>
<td>81</td>
<td>OR ew,db</td>
<td>3,mem=7</td>
<td>Logical-OR immediate word into EA word</td>
</tr>
</tbody>
</table>

### FLAGS MODIFIED
Overflow = 0, sign, zero, parity, carry = 0

### FLAGS UNDEFINED
Auxiliary carry

### OPERATION
This instruction computes the inclusive OR of the two operands. Each bit of the result is 0 if both corresponding bits of the operands are 0; each bit is 1 otherwise. The result is placed in the first operand.

### PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

### REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
OUT — Output to Port

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>E6 db</td>
<td>OUT db,AL</td>
<td>3</td>
<td>Output byte AL to immediate port number db</td>
</tr>
<tr>
<td>E7 db</td>
<td>OUT db,AX</td>
<td>3</td>
<td>Output word AX to immediate port number db</td>
</tr>
<tr>
<td>EE</td>
<td>OUT DX,AL</td>
<td>3</td>
<td>Output byte AL to port number DX</td>
</tr>
<tr>
<td>EF</td>
<td>OUT DX,AX</td>
<td>3</td>
<td>Output word AX to port number DX</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

OUT transfers a data byte or data word from the register (AL or AX) given as the second operand to the output port numbered by the first operand. You can output to any port from 0-65535 by placing the port number in the DX register then using an OUT instruction with DX as the first operand. If the instruction contains an 8-bit port ID, that value is zero-extended to 16 bits.

**PROTECTED MODE EXCEPTIONS**

#GP(0) if the current privilege level is bigger (has less privilege) than IOPL, which is the privilege level found in the flags register.

**REAL ADDRESS MODE EXCEPTIONS**

None
OUTS/OUTSB/OUTSW—Output String to Port

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>6E</td>
<td>OUTS DX,eb</td>
<td>5</td>
<td>Output byte [SI] to port number DX</td>
</tr>
<tr>
<td>6F</td>
<td>OUTS DX,ew</td>
<td>5</td>
<td>Output word [SI] to port number DX</td>
</tr>
<tr>
<td>6E</td>
<td>OUTSB</td>
<td>5</td>
<td>Output byte DS:[SI] to port number DX</td>
</tr>
<tr>
<td>6F</td>
<td>OUTSW</td>
<td>5</td>
<td>Output word DS:[SI] to port number DX</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
OUTS transfers data from the memory byte or word at SI to the output port numbered by the DX register.

OUTS does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register.

After the transfer is made, SI is automatically advanced. If the direction flag is 0 (CLD was executed), SI increments; if the direction flag is 1 (STD was executed), SI decrements.

SI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

OUTS can be preceded by the REP prefix for block output of CX bytes or words. Refer to the REP instruction for details of this operation.

**NOTE**
Not all output devices can handle the rate at which this instruction transfers data.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if CPL > IOPL. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
## POP—Pop a Word from the Stack

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>1F</td>
<td>POP DS</td>
<td>5,pm=20</td>
<td>Pop top of stack into DS</td>
</tr>
<tr>
<td>07</td>
<td>POP ES</td>
<td>5,pm=20</td>
<td>Pop top of stack into ES</td>
</tr>
<tr>
<td>17</td>
<td>POP SS</td>
<td>5,pm=20</td>
<td>Pop top of stack into SS</td>
</tr>
<tr>
<td>8F /0</td>
<td>POP mw</td>
<td>5</td>
<td>Pop top of stack into memory word</td>
</tr>
<tr>
<td>58+ rw</td>
<td>POP rw</td>
<td>5</td>
<td>Pop top of stack into word register</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The word on the top of the iAPX 286 stack, addressed by SS:SP, replaces the previous contents of the memory, register, or segment register operand. The stack pointer SP is incremented by 2 to point to the new top of stack.

If the destination operand is another segment register (DS, ES, or SS), the value popped must be a selector. In protected mode, loading the selector initiates automatic loading of the descriptor information associated with that selector into the hidden part of the segment register; loading also initiates validation of both the selector and the descriptor information.

A null value (0000-0003) may be loaded into the DS or ES register without causing a protection exception. Attempts to reference memory using a segment register with a null value will cause #GP(0) exception. No memory reference will occur. The saved value of the segment register will be null.

A POP SS instruction will inhibit all interrupts until after the execution of the next instruction.

Following is a listing of the protected-mode checks and actions taken in the loading of a segment register:
THE IAPX 286 INSTRUCTION SET

If SS is loaded:
  If selector is null then #GP(0)
  Selector index must be within its descriptor table limits else #GP (selector)
  Selector’s RPL must equal CPL else #GP (selector)
  AR byte must indicate a writable data segment else #GP (selector)
  DPL in the AR byte must equal CPL else #GP (selector)
  Segment must be marked PRESENT else #SS (selector)
  Load SS register with selector
  Load SS cache with descriptor

If ES or DS is loaded with non-null selector:
  AR byte must indicate data or readable code segment else #GP (selector)
  If data or non-conforming code, then both the RPL and the
    CPL must be less than or equal to DPL in AR byte else #GP (selector)
  Segment must be marked PRESENT else #NP (selector)
  Load segment register with selector
  Load segment register cache with descriptor
If ES or DS is loaded with a null selector:
  Load segment register with selector
  Clear valid bit in cache

PROTECTED MODE EXCEPTIONS
If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing
above.

Otherwise, #SS(0) if the current top of stack
is not within the stack segment.

#GP(0) if the destination is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset
0FFFFFFH.
POPA—Pop All General Registers

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>61</td>
<td>POPA</td>
<td>19</td>
<td>Pop DI, SI, BP, SP, BX, DX, CX, AX</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
POPA pops the eight general registers given in the description above, except that the SP value is discarded instead of loaded into SP. POPA reverses a previous PUSHA, restoring the general registers to their values before PUSHA was executed. The first register popped is DI.

PROTECTED MODE EXCEPTIONS
#SS(0) if the starting or ending stack address is not within the stack segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
POPF—Pop from Stack into the Flags Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>9D</td>
<td>POPF</td>
<td>5</td>
<td>Pop top of stack into flags register</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Entire flags register is popped from stack

FLAGS UNDEFINED
None

OPERATION
The top of the iAPX 286 stack, pointed to by SS:SP, is copied into the iAPX 286 flags register. The stack pointer SP is incremented by 2 to point to the new top of stack. The flags, from the top bit (bit 15) to the bottom (bit 0), are as follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled, trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and carry.

The I/O privilege level will be altered only when executing at privilege level 0. The interrupt enable flag will be altered only when executing at a level at least as privileged as the I/O privilege level. (Real Address mode is equivalent to privilege level 0.) If you execute a POPF instruction with insufficient privilege, there will be no exception; the privileged bits will not change.

PROTECTED MODE EXCEPTIONS
#SS(0) if the top of stack is not within the stack segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at OFFFFH.
PUSH—Push a Word onto the Stack

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>06</td>
<td>PUSH ES</td>
<td>3</td>
<td>Push ES</td>
</tr>
<tr>
<td>0E</td>
<td>PUSH CS</td>
<td>3</td>
<td>Push CS</td>
</tr>
<tr>
<td>16</td>
<td>PUSH SS</td>
<td>3</td>
<td>Push SS</td>
</tr>
<tr>
<td>1E</td>
<td>PUSH DS</td>
<td>3</td>
<td>Push DS</td>
</tr>
<tr>
<td>50+</td>
<td>rw</td>
<td>3</td>
<td>Push word register</td>
</tr>
<tr>
<td>FF /6</td>
<td>PUSH mw</td>
<td>5</td>
<td>Push memory word</td>
</tr>
<tr>
<td>68</td>
<td>dw</td>
<td>3</td>
<td>Push immediate word</td>
</tr>
<tr>
<td>6A</td>
<td>db</td>
<td>3</td>
<td>Push immediate sign-extended byte</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The stack pointer SP is decremented by 2, and the operand is placed on the new top of stack, which is pointed to by SS:SP.

The iAPX 286 PUSH SP instruction pushes the value of SP as it existed before the instruction. This differs from the iAPX 86, which pushes the new (decremented by 2) value.

**PROTECTED MODE EXCEPTIONS**
#SS(0) if the new value of SP is outside the stack segment limit.

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
**PUSHA—Push All General Registers**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>60</td>
<td>PUSHA</td>
<td>17</td>
<td>Push AX,CX,DX,BX,original SP,BP,SI,DI</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
PUSHA saves the registers noted above on the iAPX 286 stack. The stack pointer SP is decremented by 16 to hold the 8 word values. Since the registers are pushed onto the stack in the order in which they were given, they will appear in the 16 new stack bytes in the reverse order. The last register pushed is DI.

**PROTECTED MODE EXCEPTIONS**
#SS(0) if the starting or ending address is outside the stack segment limit.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
PUSHF—Push Flags Register onto the Stack

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>9C</td>
<td>PUSHF</td>
<td>3</td>
<td>Push flags register</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The stack pointer SP is decremented by 2, and the iAPX 286 flags register is copied to the new top of stack, which is pointed to by SS:SP. The flags, from the top bit (15) to the bottom bit (0), are as follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled, trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and carry.

PROTECTED MODE EXCEPTIONS
#SS(0) if the new value of SP is outside the stack segment limit.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
RCL/RCL/ROL/ROR—Rotate Instructions

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks-N°</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>D0 /2</td>
<td>RCL eb,1</td>
<td>2,mem=7</td>
<td>Rotate 9-bits (CF, EA byte) left once</td>
</tr>
<tr>
<td>D2 /2</td>
<td>RCL eb,CL</td>
<td>5,mem=8</td>
<td>Rotate 9-bits (CF, EA byte) left CL times</td>
</tr>
<tr>
<td>C0 /2</td>
<td>RCL eb,db</td>
<td>5,mem=8</td>
<td>Rotate 9-bits (CF, EA byte) left db times</td>
</tr>
<tr>
<td>D1 /2</td>
<td>RCL ew,1</td>
<td>2,mem=7</td>
<td>Rotate 17-bits (CF, EA word) left once</td>
</tr>
<tr>
<td>D3 /2</td>
<td>RCL ew,CL</td>
<td>5,mem=8</td>
<td>Rotate 17-bits (CF, EA word) left CL times</td>
</tr>
<tr>
<td>C1 /2</td>
<td>RCL ew,db</td>
<td>5,mem=8</td>
<td>Rotate 17-bits (CF, EA word) left db times</td>
</tr>
<tr>
<td>D0 /3</td>
<td>RCR eb,1</td>
<td>2,mem=7</td>
<td>Rotate 9-bits (CF, EA byte) right once</td>
</tr>
<tr>
<td>D2 /3</td>
<td>RCR eb,CL</td>
<td>5,mem=8</td>
<td>Rotate 9-bits (CF, EA byte) right CL times</td>
</tr>
<tr>
<td>C0 /3</td>
<td>RCR eb,db</td>
<td>5,mem=8</td>
<td>Rotate 9-bits (CF, EA byte) right db times</td>
</tr>
<tr>
<td>D1 /3</td>
<td>RCR ew,1</td>
<td>2,mem=7</td>
<td>Rotate 17-bits (CF, EA word) right once</td>
</tr>
<tr>
<td>D3 /3</td>
<td>RCR ew,CL</td>
<td>5,mem=8</td>
<td>Rotate 17-bits (CF, EA word) right CL times</td>
</tr>
<tr>
<td>C1 /3</td>
<td>RCR ew,db</td>
<td>5,mem=8</td>
<td>Rotate 17-bits (CF, EA word) right db times</td>
</tr>
<tr>
<td>D0 /0</td>
<td>ROL eb,1</td>
<td>2,mem=7</td>
<td>Rotate 8-bit EA byte left once</td>
</tr>
<tr>
<td>D2 /0</td>
<td>ROL eb,CL</td>
<td>5,mem=8</td>
<td>Rotate 8-bit EA byte left CL times</td>
</tr>
<tr>
<td>C0 /0</td>
<td>ROL eb,db</td>
<td>5,mem=8</td>
<td>Rotate 8-bit EA byte left db times</td>
</tr>
<tr>
<td>D1 /0</td>
<td>ROL ew,1</td>
<td>2,mem=7</td>
<td>Rotate 16-bit EA word left once</td>
</tr>
<tr>
<td>D3 /0</td>
<td>ROL ew,CL</td>
<td>5,mem=8</td>
<td>Rotate 16-bit EA word left CL times</td>
</tr>
<tr>
<td>C1 /0</td>
<td>ROL ew,db</td>
<td>5,mem=8</td>
<td>Rotate 16-bit EA word left db times</td>
</tr>
<tr>
<td>D0 /1</td>
<td>ROR eb,1</td>
<td>2,mem=7</td>
<td>Rotate 8-bit EA byte right once</td>
</tr>
<tr>
<td>D2 /1</td>
<td>ROR eb,CL</td>
<td>5,mem=8</td>
<td>Rotate 8-bit EA byte right CL times</td>
</tr>
<tr>
<td>C0 /1</td>
<td>ROR eb,db</td>
<td>5,mem=8</td>
<td>Rotate 8-bit EA byte right db times</td>
</tr>
<tr>
<td>D1 /1</td>
<td>ROR ew,1</td>
<td>2,mem=7</td>
<td>Rotate 16-bit EA word right once</td>
</tr>
<tr>
<td>D3 /1</td>
<td>ROR ew,CL</td>
<td>5,mem=8</td>
<td>Rotate 16-bit EA word right CL times</td>
</tr>
<tr>
<td>C1 /1</td>
<td>ROR ew,db</td>
<td>5,mem=8</td>
<td>Rotate 16-bit EA word right db times</td>
</tr>
</tbody>
</table>

* Add 1 clock to the times shown for each rotate made

**FLAGS MODIFIED**
Overflow (only for single rotates), carry

**FLAGS UNDEFINED**
Overflow for multi-bit rotates

**OPERATION**
Each rotate instruction shifts the bits of the register or memory operand given. The left rotate instructions shift all of the bits upward, except for the top bit, which comes back around to the bottom. The right rotate instructions do the reverse: the bits shift downward, with the bottom bit coming around to the top.

For the RCL and RCR instructions, the carry flag is part of the rotated quantity. RCL shifts the carry flag into the bottom bit and shifts the top bit into the carry flag; RCR shifts the carry flag into the top bit and shifts the bottom bit into the carry flag. For the ROL and ROR instructions, the original value of the carry flag is not a part of the result; nonetheless, the carry flag receives a copy of the bit that was shifted from one end to the other.

The rotate is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. The iAPX 286 does not allow rotation counts greater than 31. If a rotation count greater than 31 is attempted, only the bottom five bits of the rotation are used. The iAPX 86 does not mask rotate counts.

The overflow flag is set only for the single-rotate (second operand = 1) forms of the
instructions. For RCR, the test for overflow is made before the rotation; for RCL, ROL, and ROR, it is made after the rotation. The test is as follows: if the carry flag equals the high bit of the operand, set the overflow flag to 0; if the carry flag does not equal the high bit of the operand, set the overflow flag to 1.

**PROTECTED MODE EXCEPTIONS**

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
**REP / REPE / REPNE—Repeat Following String Operation**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks*</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F3 6C</td>
<td>REP INS eb,DX</td>
<td>5+4*CX</td>
<td>Input CX bytes from port DX into ES:[DI]</td>
</tr>
<tr>
<td>F3 6D</td>
<td>REP INS ew,DX</td>
<td>5+4*CX</td>
<td>Input CX words from port DX into ES:[DI]</td>
</tr>
<tr>
<td>F3 6C</td>
<td>REP INSB</td>
<td>5+4*CX</td>
<td>Input CX bytes from port DX into ES:[DI]</td>
</tr>
<tr>
<td>F3 6D</td>
<td>REP INSW</td>
<td>5+4*CX</td>
<td>Input CX words from port DX into ES:[DI]</td>
</tr>
<tr>
<td>F3 A4</td>
<td>REP MOVs mb,mb</td>
<td>5+4*CX</td>
<td>Move CX bytes from [SI] to ES:[DI]</td>
</tr>
<tr>
<td>F3 A5</td>
<td>REP MOVs mw,mw</td>
<td>5+4*CX</td>
<td>Move CX words from [SI] to ES:[DI]</td>
</tr>
<tr>
<td>F3 A4</td>
<td>REP MOVSB</td>
<td>5+4*CX</td>
<td>Move CX bytes from DS:[SI] to ES:[DI]</td>
</tr>
<tr>
<td>F3 A5</td>
<td>REP MOVSW</td>
<td>5+4*CX</td>
<td>Move CX words from DS:[SI] to ES:[DI]</td>
</tr>
<tr>
<td>F3 6E</td>
<td>REP OUTS DX,eb</td>
<td>5+4*CX</td>
<td>Output CX bytes from [SI] to port DX</td>
</tr>
<tr>
<td>F3 6F</td>
<td>REP OUTS DX,ew</td>
<td>5+4*CX</td>
<td>Output CX words from [SI] to port DX</td>
</tr>
<tr>
<td>F3 6E</td>
<td>REP OUTSb</td>
<td>5+4*CX</td>
<td>Output CX bytes from DS:[SI] to port DX</td>
</tr>
<tr>
<td>F3 6F</td>
<td>REP OUTSW</td>
<td>5+4*CX</td>
<td>Output CX words from DS:[SI] to port DX</td>
</tr>
<tr>
<td>F3 AA</td>
<td>REP STOS mb</td>
<td>4+3*CX</td>
<td>Fill CX bytes at ES:[DI] with AL</td>
</tr>
<tr>
<td>F3 AB</td>
<td>REP STOS mw</td>
<td>4+3*CX</td>
<td>Fill CX words at ES:[DI] with AX</td>
</tr>
<tr>
<td>F3 AA</td>
<td>REP STOSB</td>
<td>4+3*CX</td>
<td>Fill CX bytes at ES:[DI] with AL</td>
</tr>
<tr>
<td>F3 AB</td>
<td>REP STOSW</td>
<td>4+3*CX</td>
<td>Fill CX words at ES:[DI] with AX</td>
</tr>
<tr>
<td>F3 A6</td>
<td>REP E CMPS mb,mb</td>
<td>5+9*N</td>
<td>Find nonmatching bytes in ES:[DI] and [SI]</td>
</tr>
<tr>
<td>F3 A7</td>
<td>REP E CMPS mw,mw</td>
<td>5+9*N</td>
<td>Find nonmatching words in ES:[DI] and [SI]</td>
</tr>
<tr>
<td>F3 A6</td>
<td>REP E CMPSB</td>
<td>5+9*N</td>
<td>Find nonmatching bytes in ES:[DI] and DS:[SI]</td>
</tr>
<tr>
<td>F3 A7</td>
<td>REP E CMPSW</td>
<td>5+9*N</td>
<td>Find nonmatching words in ES:[DI] and DS:[SI]</td>
</tr>
<tr>
<td>F3 AE</td>
<td>REP E SCAS mb</td>
<td>5+8*N</td>
<td>Find non-AX byte starting at ES:[DI]</td>
</tr>
<tr>
<td>F3 AF</td>
<td>REP E SCAS mw</td>
<td>5+8*N</td>
<td>Find non-AX word starting at ES:[DI]</td>
</tr>
<tr>
<td>F3 AE</td>
<td>REP E SCASB</td>
<td>5+8*N</td>
<td>Find non-AL byte starting at ES:[DI]</td>
</tr>
<tr>
<td>F3 AF</td>
<td>REP E SCASW</td>
<td>5+8*N</td>
<td>Find non-AX word starting at ES:[DI]</td>
</tr>
<tr>
<td>F2 A6</td>
<td>REP NE CMPS mb,mb</td>
<td>5+9*N</td>
<td>Find matching bytes in ES:[DI] and [SI]</td>
</tr>
<tr>
<td>F2 A7</td>
<td>REP NE CMPS mw,mw</td>
<td>5+9*N</td>
<td>Find matching words in ES:[DI] and [SI]</td>
</tr>
<tr>
<td>F2 A6</td>
<td>REP NE CMPSB</td>
<td>5+9*N</td>
<td>Find matching bytes in ES:[DI] and DS:[SI]</td>
</tr>
<tr>
<td>F2 A7</td>
<td>REP NE CMPSW</td>
<td>5+9*N</td>
<td>Find matching words in ES:[DI] and DS:[SI]</td>
</tr>
<tr>
<td>F2 AE</td>
<td>REP NE SCAS mb</td>
<td>5+8*N</td>
<td>Find AL, starting at ES:[DI]</td>
</tr>
<tr>
<td>F2 AF</td>
<td>REP NE SCAS mw</td>
<td>5+8*N</td>
<td>Find AX, starting at ES:[DI]</td>
</tr>
<tr>
<td>F2 AE</td>
<td>REP NE SCASB</td>
<td>5+8*N</td>
<td>Find AL, starting at ES:[DI]</td>
</tr>
<tr>
<td>F2 AF</td>
<td>REP NE SCASW</td>
<td>5+8*N</td>
<td>Find AX, starting at ES:[DI]</td>
</tr>
</tbody>
</table>

* N denotes the number of iterations actually executed.

**FLAGS MODIFIED**

By CMPS and SCAS, none by REP

**FLAGS UNDEFINED**

None

**OPERATION**

REP, REPE, and REPNE are prefix operations. These prefixes cause the string instruction that follows to be repeated CX times or (for REPE and REPNE) until the indicated condition in the zero flag is no longer met.

Thus, REPE stands for “Repeat while equal,” REPNE for “Repeat while not equal.”

The REP prefixes make sense only in the contexts listed above. They cannot be applied to anything other than string operations.

Synonymous forms of REPE and REPNE are REPZ and REPNZ, respectively.

The REP prefixes apply only to one string instruction at a time. To repeat a block of instructions, use a LOOP construct.
The precise action for each iteration is as follows:

1. Check the CX register. If it is zero, exit the iteration and move to the next instruction.
2. Acknowledge any pending interrupts.
3. Perform the string operation once.
4. Decrement CX by 1; no flags are modified.
5. If the string operation is SCAS or CMPS, check the zero flag. If the repeat condition does not hold, then exit the iteration and move to the next instruction. Exit if the prefix is REPE and ZF=0 (the last comparison was not equal), or if the prefix is REPNE and ZF=1 (the last comparison was equal).
6. Go to step 1 for the next iteration.

As defined by the individual string-ops, the direction of movement through the block is determined by the direction flag. If the direction flag is 1 (STD was executed), SI and/or DI start at the end of the block and move backward; if the direction flag is 0 (CLD was executed), SI and/or DI start at the beginning of the block and move forward.

For repeated SCAS and CMPS operations the repeat can be exited for one of two different reasons: the CX count can be exhausted or the zero flag can fail the repeat condition. Your code will probably want to distinguish between the two cases. It can do so via either the JCXZ instruction or the conditional jumps that test the zero flag (JZ, JNZ, JE, and JNE).

**NOTE**

Not all input/output ports can handle the rate at which the repeated I/O instructions execute.

**PROTECTED MODE EXCEPTIONS**

None by REP; exceptions can be generated when the string-op is executed.

**REAL ADDRESS MODE EXCEPTIONS**

None by REP; exceptions can be generated when the string-op is executed.
RET — Return from Procedure

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks*</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CB</td>
<td>RET</td>
<td>15, pm=25</td>
<td>Return to far caller, same privilege</td>
</tr>
<tr>
<td>CB</td>
<td>RET</td>
<td>55</td>
<td>Return, lesser privilege, switch stacks</td>
</tr>
<tr>
<td>C3</td>
<td>RET</td>
<td>11</td>
<td>Return to near caller</td>
</tr>
<tr>
<td>CA</td>
<td>dw RET dw</td>
<td>15, pm=25</td>
<td>RET (far), same privilege, pop dw bytes</td>
</tr>
<tr>
<td>CA</td>
<td>dw RET dw</td>
<td>55</td>
<td>RET (far), lesser privilege, pop dw bytes</td>
</tr>
<tr>
<td>C2</td>
<td>dw RET dw</td>
<td>11</td>
<td>RET (near), pop dw bytes pushed before Call</td>
</tr>
</tbody>
</table>

*Add 1 clock for each byte in the next instruction executed.

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
RET transfers control to a return address located on the stack. The address is usually placed on the stack by a CALL instruction; in that case, the return is made to the instruction that follows the CALL.

There is an optional numeric parameter to RET. It gives the number of stack bytes to be released after the return address is popped. These bytes are typically used as input parameters to the procedure called.

For the intra-segment return, the address on the stack is a 2-byte quantity popped into IP. The CS register is unchanged.

For the inter-segment return, the address on the stack is a 4-byte-long pointer. The offset is popped first, followed by the selector. In real address mode, CS and IP are directly loaded.

In protected mode, an inter-segment return causes the processor to consult the descriptor addressed by the return selector. The AR byte of the descriptor must indicate a code segment of equal or less privilege (of greater or equal numeric value) than the current privilege level. Returns to a lesser privilege level cause the stack to be reloaded from the value saved beyond the parameter block.

The DS and ES segment registers may be set to zero by the inter-segment RET instruction. If these registers refer to segments which cannot be used by the new privilege level, they are set to zero to prevent unauthorized access.

The following list of checks and actions describes the protected-mode inter-segment return in detail.
The IAPX 286 Instruction Set

Inter-segment RET:

Second word on stack must be within stack limits else #SS(0)
Return selector RPL must be ≥ CPL else #GP (return selector)
If return selector RPL = CPL then
  RETURN TO SAME LEVEL:
  Return selector must be non-null else #GP(0)
  Selector index must be within its descriptor table limits else #GP (selector)
  Descriptor AR byte must indicate code segment else #GP (selector)
  If non-conforming then code segment DPL must equal CPL else #GP (selector)
  If conforming then code segment DPL must be ≤ CPL else #GP (selector)
  Code segment must be PRESENT else #NP (selector)
  Top word on stack must be within stack limits else #SS(0)
  IP must be in code segment limit else #GP(0)
  Load CS:IP from stack
  Load CS-cache with descriptor
  Increment SP by 4 plus the immediate offset if it exists

Else
  RETURN TO OUTER PRIVILEGE LEVEL:
  Top (8+ immediate) bytes on stack must be within stack limits else #SS(0)
  Examine return CS selector (at SP +2) and associated descriptor:
    Selector must be non-null else #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Descriptor AR byte must indicate code segment else #GP (selector)
    If non-conforming then code segment DPL must equal return selector RPL else #GP (selector)
    If conforming then code segment DPL must be ≤ return selector RPL else #GP (selector)
    Segment must be PRESENT else #NP (selector)
  Examine return SS selector (at SP +6 +imm) and associated descriptor:
    Selector must be non-null else #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Selector RPL must equal the RPL of the return CS selector else #GP (selector)
    Descriptor AR byte must indicate a writable data segment else #GP (selector)
    Descriptor DPL must equal the RPL of the return CS selector else #GP (selector)
    Segment must be PRESENT else #NP (selector)
  IP must be in code segment limit else #GP(0)
  Set CPL to the RPL of the return CS selector
  Load CS:IP from stack
  Set CS RPL to CPL
  Increment SP by 4 plus the immediate offset if it exists
  Load SS:SP from stack
  Load the CS-cache with the return CS descriptor
  Load the SS-cache with the return SS descriptor
  For each of ES and DS:
    If the current register setting is not valid for the outer level, set the register to null (selector = AR = 0)
    To be valid, the register setting must satisfy the following properties:
      Selector index must be within descriptor table limits
      Descriptor AR byte must indicate data or readable code segment
      If segment is data or non-conforming code, then:
        DPL must be ≥ CPL, or
        DPL must be ≥ RPL

Protected Mode Exceptions

#GP, #NP, or #SS, as described in the above listing.

Real Address Mode Exceptions

Interrupt 13 if the stack pop wraps around from 0FFFFH to 0.
## SAHF — Store AH into Flags

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>9E</td>
<td>SAHF</td>
<td>2</td>
<td>Store AH into flags SF ZF xx AF xx PF xx CF</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Sign, zero, auxiliary carry, parity, carry

**FLAGS UNDEFINED**
None

**OPERATION**
The flags listed above are loaded with values from the AH register, from bits 7, 6, 4, 2, and 0, respectively.

**PROTECTED MODE EXCEPTIONS**
None

**REAL ADDRESS MODE EXCEPTIONS**
None
### SAL/SAR/SHL/SHR—Shift Instructions

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks-N</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>D0 /4</td>
<td>SAL eb,1</td>
<td>2, mem=7</td>
<td>Multiply EA byte by 2, once</td>
</tr>
<tr>
<td>D0 /4</td>
<td>SAL eb,CL</td>
<td>5, mem=8</td>
<td>Multiply EA byte by 2, CL times</td>
</tr>
<tr>
<td>C0 /4 db</td>
<td>SAL eb,db</td>
<td>5, mem=8</td>
<td>Multiply EA byte by 2, db times</td>
</tr>
<tr>
<td>D1 /4</td>
<td>SAL ew,1</td>
<td>2, mem=7</td>
<td>Multiply EA word by 2, once</td>
</tr>
<tr>
<td>D3 /4</td>
<td>SAL ew,CL</td>
<td>5, mem=8</td>
<td>Multiply EA word by 2, CL times</td>
</tr>
<tr>
<td>C1 /4 db</td>
<td>SAL ew,db</td>
<td>5, mem=8</td>
<td>Multiply EA word by 2, db times</td>
</tr>
<tr>
<td>D0 /7</td>
<td>SAR eb,1</td>
<td>2, mem=7</td>
<td>Signed divide EA byte by 2, once</td>
</tr>
<tr>
<td>D2 /7</td>
<td>SAR eb,CL</td>
<td>5, mem=8</td>
<td>Signed divide EA byte by 2, CL times</td>
</tr>
<tr>
<td>C0 /7 db</td>
<td>SAR eb,db</td>
<td>5, mem=8</td>
<td>Signed divide EA byte by 2, db times</td>
</tr>
<tr>
<td>D1 /7</td>
<td>SAR ew,1</td>
<td>2, mem=7</td>
<td>Signed divide EA word by 2, once</td>
</tr>
<tr>
<td>D3 /7</td>
<td>SAR ew,CL</td>
<td>5, mem=8</td>
<td>Signed divide EA word by 2, CL times</td>
</tr>
<tr>
<td>C1 /7 db</td>
<td>SAR ew,db</td>
<td>5, mem=8</td>
<td>Signed divide EA word by 2, db times</td>
</tr>
<tr>
<td>D0 /5</td>
<td>SHR eb,1</td>
<td>2, mem=7</td>
<td>Unsigned divide EA byte by 2, once</td>
</tr>
<tr>
<td>D2 /5</td>
<td>SHR eb,CL</td>
<td>5, mem=8</td>
<td>Unsigned divide EA byte by 2, CL times</td>
</tr>
<tr>
<td>C0 /5 db</td>
<td>SHR eb,db</td>
<td>5, mem=8</td>
<td>Unsigned divide EA byte by 2, db times</td>
</tr>
<tr>
<td>D1 /5</td>
<td>SHR ew,1</td>
<td>2, mem=7</td>
<td>Unsigned divide EA word by 2, once</td>
</tr>
<tr>
<td>D3 /5</td>
<td>SHR ew,CL</td>
<td>5, mem=8</td>
<td>Unsigned divide EA word by 2, CL times</td>
</tr>
<tr>
<td>C1 /5 db</td>
<td>SHR ew,db</td>
<td>5, mem=8</td>
<td>Unsigned divide EA word by 2, db times</td>
</tr>
</tbody>
</table>

* Add 1 clock to the times shown for each shift performed

**FLAGS MODIFIED**

Overflow (only for single-shift form), carry, zero, overflow, parity, sign

**FLAGS UNDEFINED**

Auxiliary carry

**OPERATION**

SAL (or its synonym SHL) shifts the bits of the operand upward. The high-order bit is shifted into the carry flag, and the low-order bit is set to 0.

SAR and SHR shift the bits of the operand downward. The low-order bit is shifted into the carry flag. The effect is to divide the operand by 2. SAR performs a signed divide: the high-order bit remains the same. SHR performs an unsigned divide: the high-order bit is set to 0.

The shift is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. The iAPX 286 does not allow shift counts greater than 31. If a shift count greater than 31 is attempted, only the bottom five bits of the shift count are used. The iAPX 86 uses all 8 bits of the shift count.

The overflow flag is set only if the single-shift forms of the instructions are used. For left shifts, it is set to 0 if the high bit of the answer is the same as the result carry flag (i.e., the top two bits of the original operand were the same); it is set to 1 if they are different. For SAR it is set to 0 for all single shifts. For SHR, it is set to the high-order bit of the original operand.

**PROTECTED MODE EXCEPTIONS**

#GP(0) if the operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
SBB—Integer Subtraction With Borrow

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>18</td>
<td>SBB eb,rb</td>
<td>2,mem=7</td>
<td>Subtract with borrow byte register from EA byte</td>
</tr>
<tr>
<td>19</td>
<td>SBB ew,rb</td>
<td>2,mem=7</td>
<td>Subtract with borrow word register from EA word</td>
</tr>
<tr>
<td>1A</td>
<td>SBB rb,eb</td>
<td>2,mem=7</td>
<td>Subtract with borrow EA byte from byte register</td>
</tr>
<tr>
<td>1B</td>
<td>SBB rw,eb</td>
<td>2,mem=7</td>
<td>Subtract with borrow EA word from word register</td>
</tr>
<tr>
<td>1C</td>
<td>SBB AL,db</td>
<td>3</td>
<td>Subtract with borrow imm. byte from AL</td>
</tr>
<tr>
<td>1D</td>
<td>SBB AX,db</td>
<td>3</td>
<td>Subtract with borrow imm. word from AX</td>
</tr>
<tr>
<td>80</td>
<td>SBB eb,db</td>
<td>3,mem=7</td>
<td>Subtract with borrow imm. byte from EA byte</td>
</tr>
<tr>
<td>81</td>
<td>SBB ew,db</td>
<td>3,mem=7</td>
<td>Subtract with borrow imm. word from EA word</td>
</tr>
<tr>
<td>83</td>
<td>SBB ew,db</td>
<td>3,mem=7</td>
<td>Subtract with borrow imm. byte from EA word</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Overflow, sign, zero, auxiliary carry, parity, carry

**FLAGS UNDEFINED**
None

**OPERATION**
The second operand is added to the carry flag and the result is subtracted from the first operand. The first operand is replaced with the result of the subtraction, and the flags are set accordingly.

When a byte-immediate value is subtracted from a word operand, the immediate value is first sign-extended.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
SCAS/SCASB/SCASW—Compare String Data

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>AE</td>
<td>SCAS mb</td>
<td>7</td>
<td>Compare bytes AL - ES:[DI], advance DI</td>
</tr>
<tr>
<td>AF</td>
<td>SCAS mw</td>
<td>7</td>
<td>Compare words AX - ES:[DI], advance DI</td>
</tr>
<tr>
<td>AE</td>
<td>SCASB</td>
<td>7</td>
<td>Compare bytes AL - ES:[DI], advance DI</td>
</tr>
<tr>
<td>AF</td>
<td>SCASW</td>
<td>7</td>
<td>Compare words AX - ES:[DI], advance DI</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION
SCAS subtracts the memory byte or word at ES:DI from the AL or AX register. The result is discarded; only the flags are set. The operand must be addressable from the ES register; no segment override is possible.

After the comparison is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed), DI increments; if the direction flag is 1 (STD was executed), DI decrements. DI increments or decrements by 1 if bytes were compared; by 2 if words were compared.

SCAS can be preceded by the REPE or REPNE prefix for a block search of CX bytes or words. Refer to the REP instruction for details of this operation.

PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFFFH.
SGDT/ SIDT—Store Global/Interrupt Descriptor Table Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 01 /0</td>
<td>SGDT m</td>
<td>11</td>
<td>Store Global Descriptor Table register to m</td>
</tr>
<tr>
<td>0F 01 /1</td>
<td>SIDT m</td>
<td>12</td>
<td>Store Interrupt Descriptor Table register to m</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The contents of the descriptor table register are copied to six bytes of memory indicated by the operand. The LIMIT field of the register goes to the first word at the effective address; the next three bytes get the BASE field of the register; and the last byte is undefined.

SGDT and SIDT appear only in operating systems software; they are not used in applications programs.

**PROTECTED MODE EXCEPTIONS**
#UD if the destination operand is a register.
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
These instructions are valid in Real Address mode to facilitate power-up or to reset initialization prior to entering Protected mode.

#UD if the destination operand is a register. Interrupt 13 for a word operand at offset 0FFFFFFH.
SLDT—Store Local Descriptor Table Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 00 /0</td>
<td>SLDT ew</td>
<td>2,mem=3</td>
<td>Store Local Descriptor Table register to EA word</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The Local Descriptor Table register is stored in the 2-byte register or memory location indicated by the effective address operand. This register is a selector that points into the Global Descriptor Table.

SLDT appears only in operating systems software. It is not used in applications programs.

PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 6; SLDT is not recognized in Real Address mode.
SMSW—Store Machine Status Word

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 01 /4</td>
<td>SMSW ew</td>
<td>2,mem=3</td>
<td>Store Machine Status Word to EA word</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
The Machine Status Word is stored in the 2-byte register or memory location indicated by the effective address operand.

PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset 0FFFFH.
**STC—Set Carry Flag**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>F9</td>
<td>STC</td>
<td>2</td>
<td>Set carry flag</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
- Carry = 1

**PROTECTED MODE EXCEPTIONS**
- None

**FLAGS UNDEFINED**
- None

**REAL ADDRESS MODE EXCEPTIONS**
- None

**OPERATION**
The carry flag is set to 1.
## STD—Set Direction Flag

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>FD</td>
<td>STD</td>
<td>2</td>
<td>Set direction flag so SI and DI will decrement</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
- Direction = 1

**FLAGS UNDEFINED**
- None

**OPERATION**
The direction flag is set to 1. This causes all subsequent string operations to decrement the index registers (SI and/or DI) on which they operate.

**PROTECTED MODE EXCEPTIONS**
- None

**REAL ADDRESS MODE EXCEPTIONS**
- None
STI—Set Interrupt Enable Flag

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>FB</td>
<td>STI</td>
<td>2</td>
<td>Set interrupt enable flag, interrupts enabled</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

Interrupt = 1

**FLAGS UNDEFINED**

None

**OPERATION**

The interrupts-enabled flag is set to 1. The iAPX 286 will now respond to external interrupts after executing the next instruction.

**PROTECTED MODE EXCEPTIONS**

#GP(0) if the current privilege level is bigger (has less privilege) than the I/O privilege level.

**REAL ADDRESS MODE EXCEPTIONS**

None
STOS/STOSB/STOSW—Store String Data

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>AA</td>
<td>STOS \textit{mb}</td>
<td>3</td>
<td>Store AL to byte ES:[DI], advance DI</td>
</tr>
<tr>
<td>AB</td>
<td>STOS \textit{mw}</td>
<td>3</td>
<td>Store AX to word ES:[DI], advance DI</td>
</tr>
<tr>
<td>AA</td>
<td>STOSB</td>
<td>3</td>
<td>Store AL to byte ES:[DI], advance DI</td>
</tr>
<tr>
<td>AB</td>
<td>STOSW</td>
<td>3</td>
<td>Store AX to word ES:[DI], advance DI</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

STOS transfers the contents the AL or AX register to the memory byte or word at ES:DI. The operand must be addressable from the ES register; no segment override is possible.

After the transfer is made, DI is automatically advanced. If the direction flag is 0 (CLD was executed), DI increments; if the direction flag is 1 (STD was executed), DI decrements.

DI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

STOS can be preceded by the REP prefix for a block fill of CX bytes or words. Refer to the REP instruction for details of this operation.

**PROTECTED MODE EXCEPTIONS**

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
STR—Store Task Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 00 /1</td>
<td>STR $w</td>
<td>2,mem=3</td>
<td>Store Task Register to EA word</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
The contents of the Task Register are copied to the 2-byte register or memory location indicated by the effective address operand.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 6; STR is not recognized in Real Address mode.
**SUB—Integer Subtraction**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>28 /r</td>
<td>SUB eb,rb</td>
<td>2,mem=7</td>
<td>Subtract byte register from EA byte</td>
</tr>
<tr>
<td>29 /r</td>
<td>SUB ew,rw</td>
<td>2,mem=7</td>
<td>Subtract word register from EA word</td>
</tr>
<tr>
<td>2A /r</td>
<td>SUB rb,eb</td>
<td>2,mem=7</td>
<td>Subtract EA byte from byte register</td>
</tr>
<tr>
<td>2B /r</td>
<td>SUB rw,ew</td>
<td>2,mem=7</td>
<td>Subtract EA word from word register</td>
</tr>
<tr>
<td>2C db</td>
<td>SUB AL,db</td>
<td>3</td>
<td>Subtract immediate byte from AL</td>
</tr>
<tr>
<td>2D dw</td>
<td>SUB AX,dw</td>
<td>3</td>
<td>Subtract immediate word from AX</td>
</tr>
<tr>
<td>80 /5</td>
<td>SUB eb,db</td>
<td>3,mem=7</td>
<td>Subtract immediate byte from EA byte</td>
</tr>
<tr>
<td>81 /5</td>
<td>SUB ew,dw</td>
<td>3,mem=7</td>
<td>Subtract immediate word from EA word</td>
</tr>
<tr>
<td>83 /5</td>
<td>SUB ew,db</td>
<td>3,mem=7</td>
<td>Subtract immediate byte from EA word</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Overflow, sign, zero, auxiliary carry, parity, carry

**FLAGS UNDEFINED**
None

**OPERATION**
The second operand is subtracted from the first operand, and the first operand is replaced with the result.

When a byte-immediate value is subtracted from a word operand, the immediate value is first sign-extended.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
**TEST — Logical Compare**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>84/r</td>
<td>TEST eb,rb</td>
<td>2,mem=6</td>
<td>AND byte register into EA byte for flags only</td>
</tr>
<tr>
<td>84/r</td>
<td>TEST rb,eb</td>
<td>2,mem=6</td>
<td>AND EA byte into byte register for flags only</td>
</tr>
<tr>
<td>85/r</td>
<td>TEST ew,rb</td>
<td>2,mem=6</td>
<td>AND word register into EA word for flags only</td>
</tr>
<tr>
<td>85/r</td>
<td>TEST rw,eb</td>
<td>2,mem=6</td>
<td>AND EA word into word register for flags only</td>
</tr>
<tr>
<td>A8/db</td>
<td>TEST AL,db</td>
<td>3</td>
<td>AND immediate byte into AL for flags only</td>
</tr>
<tr>
<td>A9/dw</td>
<td>TEST AX,dw</td>
<td>3</td>
<td>AND immediate word into AX for flags only</td>
</tr>
<tr>
<td>F6/0</td>
<td>TEST eb,db</td>
<td>3,mem=6</td>
<td>AND immediate byte into EA byte for flags only</td>
</tr>
<tr>
<td>F7/0</td>
<td>TEST ew,db</td>
<td>3,mem=6</td>
<td>AND immediate word into EA word for flags only</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

Overflow=0, sign, zero, parity, carry=0

**FLAGS UNDEFINED**

Auxiliary carry

**OPERATION**

TEST computes the bit-wise logical AND of the two operands given. Each bit of the result is 1 if both of the corresponding bits of the operands are 1; each bit is 0 otherwise. The result of the operation is discarded; only the flags are modified.

**PROTECTED MODE EXCEPTIONS**

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
VERR, VERW—Verify a Segment for Reading or Writing

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0F 00 /4</td>
<td>VERR ew</td>
<td>14, mem=16</td>
<td>Set ZF=1 if seg. can be read, selector ew</td>
</tr>
<tr>
<td>0F 00 /5</td>
<td>VERW ew</td>
<td>14, mem=16</td>
<td>Set ZF=1 if seg. can be written, selector ew</td>
</tr>
</tbody>
</table>

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION
VERR and VERW expect the 2-byte register or memory operand to contain the value of a selector. The instructions determine whether the segment denoted by the selector is reachable from the current privilege level; the instructions also determine whether it is readable or writable. If the segment is determined to be accessible, the zero flag is set to 1; if the segment is not accessible, it is set to 0. To set ZF, the following conditions must be met:

1. The selector must denote a descriptor within the bounds of the table (GDT or LDT); that is, the selector must be "defined."
2. The selector must denote the descriptor of a code or data segment.
3. If the instruction is VERR, the segment must be readable. If the instruction is VERW, the segment must be a writable data segment.
4. If the code segment is readable and conforming, the descriptor privilege level (DPL) can be any value for VERR. Otherwise, the DPL must be greater than or equal to (have less or the same privilege as) both the current privilege level and the selector's RPL.

The validation performed is the same as if the segment were loaded into DS or ES and the indicated access (read or write) were performed. The zero flag receives the result of the validation. The selector's value cannot result in a protection exception. This enables the software to anticipate possible segment access problems.

PROTECTED MODE EXCEPTIONS
The only faults that can occur are those generated by illegally addressing the memory operand which contains the selector. The selector is not loaded into any segment register, and no faults attributable to the selector operand are generated.

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS
Interrupt 6; VERR and VERW are not recognized in Real Address Mode.
**WAIT—Wait Until BUSY Pin Is Inactive (HIGH)**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>9B</td>
<td>WAIT</td>
<td>3</td>
<td>Wait until BUSY pin is inactive (HIGH)</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
None

**FLAGS UNDEFINED**
None

**OPERATION**
WAIT suspends execution of 80286 instructions until the BUSY pin is inactive (high). The BUSY pin is driven by the 80287 numeric processor extension. WAIT is issued to ensure that the numeric instruction being executed is complete, and to check for a possible numeric fault (see below).

**PROTECTED MODE EXCEPTIONS**
#NM if task switch flag in MSW is set. #MF is 80287 has detected an unmasked numeric error.

**REAL ADDRESS MODE EXCEPTIONS**
Same as Protected mode.
XCHG—Exchange Memory/Register with Register

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>86</td>
<td>/r</td>
<td>XCHG eb,rb</td>
<td>3,mem=5</td>
</tr>
<tr>
<td>86</td>
<td>/r</td>
<td>XCHG rb,eb</td>
<td>3,mem=5</td>
</tr>
<tr>
<td>87</td>
<td>/r</td>
<td>XCHG ew,rw</td>
<td>3,mem=5</td>
</tr>
<tr>
<td>87</td>
<td>/r</td>
<td>XCHG rw,ew</td>
<td>3,mem=5</td>
</tr>
<tr>
<td>90+</td>
<td>rw</td>
<td>XCHG AX,rw</td>
<td>3</td>
</tr>
<tr>
<td>90+</td>
<td>rw</td>
<td>XCHG rw,AX</td>
<td>3</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

The two operands are exchanged. The order of the operands is immaterial. BUS LOCK is asserted for the duration of the exchange, regardless of the presence or absence of the LOCK prefix or IOPL.

**PROTECTED MODE EXCEPTIONS**

#GP(0) if either operand is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
**XLAT—Table Look-up Translation**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>D7</td>
<td>XLAT (mb)</td>
<td>5</td>
<td>Set AL to memory byte DS:[BX + unsigned AL]</td>
</tr>
<tr>
<td>D7</td>
<td>XLATB</td>
<td>5</td>
<td>Set AL to memory byte DS:[BX + unsigned AL]</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**

None

**FLAGS UNDEFINED**

None

**OPERATION**

When XLAT is executed, AL should be the unsigned index into a table addressed by DS:BX. XLAT changes the AL register from the table index into the table entry. BX is unchanged.

**PROTECTED MODE EXCEPTIONS**

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**

Interrupt 13 for a word operand at offset 0FFFFH.
**XOR—Logical Exclusive OR**

<table>
<thead>
<tr>
<th>Opcode</th>
<th>Instruction</th>
<th>Clocks</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>30</td>
<td>/r XOR eb,rb</td>
<td>2,mem=7</td>
<td>Exclusive-OR byte register into EA byte</td>
</tr>
<tr>
<td>31</td>
<td>/r XOR ew rw</td>
<td>2,mem=7</td>
<td>Exclusive-OR word register into EA word</td>
</tr>
<tr>
<td>32</td>
<td>/r XOR rb,eb</td>
<td>2,mem=7</td>
<td>Exclusive-OR EA byte into byte register</td>
</tr>
<tr>
<td>33</td>
<td>/r XOR rw,ew</td>
<td>2,mem=7</td>
<td>Exclusive-OR EA word into word register</td>
</tr>
<tr>
<td>34</td>
<td>db XOR AL,db</td>
<td>3</td>
<td>Exclusive-OR immediate byte into AL</td>
</tr>
<tr>
<td>35</td>
<td>dw XOR AX,dw</td>
<td>3</td>
<td>Exclusive-OR immediate word into AX</td>
</tr>
<tr>
<td>80</td>
<td>/6 db XOR eb,db</td>
<td>3,mem=7</td>
<td>Exclusive-OR immediate byte into EA byte</td>
</tr>
<tr>
<td>81</td>
<td>/6 dw XOR ew,dw</td>
<td>3,mem=7</td>
<td>Exclusive-OR immediate word into EA word</td>
</tr>
</tbody>
</table>

**FLAGS MODIFIED**
Overflow=0, sign, zero, parity, carry=0

**FLAGS UNDEFINED**
Auxiliary carry

**OPERATION**
XOR computes the exclusive OR of the two operands. Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same. The answer replaces the first operand.

**PROTECTED MODE EXCEPTIONS**
#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

**REAL ADDRESS MODE EXCEPTIONS**
Interrupt 13 for a word operand at offset 0FFFFH.
Appendix
iAPX 286/10
## Contents

- Functional Description ........................................ C-5
- iAPX 286/10 Base Architecture .......................... C-5
- iAPX 86 Real Address Mode ............................. C-13
- Protected Virtual Address Mode ......................... C-14
- System Interface ........................................... C-24
- System Configurations ....................................... C-34
- Package .......................................................... C-37
- Absolute Maximum Ratings ............................... C-37
- D.C. Characteristics .......................................... C-37
- A.C. Characteristics .......................................... C-38
- Waveforms ...................................................... C-39
- 80286 Instruction Set Summary .......................... C-42
The iAPX 286/10 (80286 part number) is an advanced, high-performance microprocessor with specially optimized capabilities for multiple user and multi-tasking systems. The 80286 has built-in memory protection that supports operating system and task isolation as well as program and data privacy within tasks. A 10 MHz iAPX 286/10 provides up to six times greater throughput than the standard 5 MHz iAPX 86/10. The 80286 includes memory management capabilities that map up to \(2^{30}\) bytes (one gigabyte) of virtual address space per task into \(2^{24}\) bytes (16 megabytes) of physical memory.

The iAPX 286 is upward compatible with iAPX 86 and 88 software. Using iAPX 86 real address mode, the 80286 is object code compatible with existing iAPX 86, 88 software. In protected virtual address mode, the 80286 is source code compatible with iAPX 86, 88 software and may require upgrading to use virtual addresses supported by the 80286's integrated memory management and protection mechanism. Both modes operate at full 80286 performance and execute a superset of the iAPX 86 and 88's instructions.

The 80286 provides special operations to support the efficient implementation and execution of operating systems. For example, one instruction can end execution of one task, save its state, switch to a new task, load its state, and start execution of the new task. The 80286 also supports virtual memory systems by providing a segment-not-present exception and restartable instructions.

Figure 1. 80286 Internal Block Diagram

The following are trademarks of Intel Corporation and its affiliates and may be used only to identify Intel products: BXp, CREDIT, i,j, ICE, iCS, m, InSite, Intel, INTEL, Inteletron, Intellinx, Intellic, IMMIX, IDSP, IPDS, IRMX, iSBIC, iSBX, Library Manager, MCS, MULTIMODULE, Megachassis, Micromainframe, MULTIBUS, Multichannel, Plug-A-Bubble, PROMPT, Promware, RUP, RMX/80, System 2000, UPI, and the combination of iCS, IRMX, iSBIC, iSBX, ICE, ICE, MCS, or UPI and a numerical suffix. Intel Corporation assumes no responsibility for the use of any Circuitry Other Than Circuitry Embodied in an Intel Product. No Other Patent Licenses are implied. ©INTEL CORPORATION, 1982.

ORDER NUMBER: 210253-001
Component Pad View—As viewed from underside of component when mounted on the board.

P.C. Board View—As viewed from the component side of the P.C. board.

NOTE: N.C. pads must not be connected.

Figure 2. 80286 Pin Configuration

Table 1. Pin Description

The following pin function descriptions are for the 80286 microprocessor:

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Type</th>
<th>Name and Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>CLK</td>
<td>I</td>
<td>System Clock provides the fundamental timing for IAPX 286 systems. It is divided by two inside the 80286 to generate the processor clock. The internal divide-by-two circuitry can be synchronized to an external clock generator by a LOW to HIGH transition on the RESET input.</td>
</tr>
<tr>
<td>D15–D0</td>
<td>I/O</td>
<td>Data Bus inputs data during memory, I/O, and interrupt acknowledge read cycles; outputs data during memory and I/O write cycles. The data bus is active HIGH and floats to 3-state OFF during bus hold acknowledge.</td>
</tr>
<tr>
<td>A23–A0</td>
<td>O</td>
<td>Address Bus outputs physical memory and I/O port addresses. A0 is LOW when data is to be transferred on pins D7–0. A23–A16 are LOW during I/O transfers. The address bus is active HIGH and floats to 3-state OFF during bus hold acknowledge.</td>
</tr>
<tr>
<td>BHE</td>
<td>O</td>
<td>Bus High Enable indicates transfer of data on the upper byte of the data bus, D15–8. Eight-bit oriented devices assigned to the upper byte of the data bus would normally use BHE to condition chip select functions. BHE is active LOW and floats to 3-state OFF during bus hold acknowledge.</td>
</tr>
</tbody>
</table>

BHE and A0 Encodings

<table>
<thead>
<tr>
<th>BHE Value</th>
<th>A0 Value</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>0</td>
<td>Word transfer</td>
</tr>
<tr>
<td>0</td>
<td>1</td>
<td>Byte transfer on upper half of data bus (D15–8)</td>
</tr>
<tr>
<td>1</td>
<td>0</td>
<td>Byte transfer on lower half of data bus (D7–0)</td>
</tr>
<tr>
<td>1</td>
<td>1</td>
<td>Reserved</td>
</tr>
</tbody>
</table>
Table 1. Pin Description (Cont.)

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Type</th>
<th>Name and Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>S1, S0</td>
<td>O</td>
<td>Bus Cycle Status indicates initiation of a bus cycle and, along with M/IO and COD/INTA, defines the type of bus cycle. The bus is in a T₃ state whenever one or both are LOW. S1 and S0 are active LOW and float to 3-state OFF during bus hold acknowledge.</td>
</tr>
<tr>
<td></td>
<td></td>
<td><strong>80286 Bus Cycle Status Definition</strong></td>
</tr>
<tr>
<td></td>
<td></td>
<td><strong>COD/INTA</strong></td>
</tr>
<tr>
<td></td>
<td></td>
<td>0 (LOW)</td>
</tr>
<tr>
<td></td>
<td></td>
<td>0</td>
</tr>
<tr>
<td></td>
<td></td>
<td>0</td>
</tr>
<tr>
<td></td>
<td></td>
<td>0</td>
</tr>
<tr>
<td></td>
<td></td>
<td>0</td>
</tr>
<tr>
<td></td>
<td></td>
<td>0</td>
</tr>
<tr>
<td></td>
<td></td>
<td>0</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1 (HIGH)</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1</td>
</tr>
<tr>
<td></td>
<td></td>
<td>1</td>
</tr>
<tr>
<td>M/IO</td>
<td>O</td>
<td>Memory/IO Select distinguishes memory access from I/O access. If HIGH during T₃, a memory cycle or a halt/shutdown cycle is in progress. If LOW, an I/O cycle or an interrupt acknowledge cycle is in progress. M/IO floats to 3-state OFF during bus hold acknowledge.</td>
</tr>
<tr>
<td></td>
<td></td>
<td>Code/Interrupt Acknowledge distinguishes instruction fetch cycles from memory data read cycles. Also distinguishes interrupt acknowledge cycles from I/O cycles. COD/INTA floats to 3-state OFF during bus hold acknowledge.</td>
</tr>
<tr>
<td>LOCK</td>
<td>O</td>
<td>Bus Lock indicates that other system bus masters are not to gain control of the system bus following the current bus cycle. The LOCK signal may be activated explicitly by the &quot;LOCK&quot; instruction prefix or automatically by 80286 hardware during memory XCHG instructions, interrupt acknowledge, or descriptor table access. LOCK is active LOW and floats to 3-state OFF during bus hold acknowledge.</td>
</tr>
<tr>
<td>READY</td>
<td>I</td>
<td>Bus Ready terminates a bus cycle. Bus cycles are extended without limit until terminated by READY LOW. READY is an active LOW synchronous input requiring setup and hold times relative to the system clock be met for correct operation. READY is ignored during bus hold acknowledge.</td>
</tr>
<tr>
<td>HOLD</td>
<td>I</td>
<td>Bus Hold Request and Hold Acknowledge control ownership of the 80286 local bus. The HOLD input allows another local bus master to request control of the local bus. When control is granted, the 80286 will float its bus drivers to 3-state OFF and then activate HLDA, thus entering the bus hold acknowledgment condition. The local bus will remain granted to the requesting master until HOLD becomes inactive which results in the 80286 deactivating HLDA and regaining control of the local bus. This terminates the bus hold acknowledge condition. HOLD may be asynchronous to the system clock. These signals are active HIGH.</td>
</tr>
<tr>
<td>HLDA</td>
<td>O</td>
<td></td>
</tr>
<tr>
<td>INTR</td>
<td>I</td>
<td>Interrupt Request requests the 80286 to suspend its current program execution and service a pending external request. Interrupt requests are masked whenever the interrupt enable bit in the flag word is cleared. When the 80286 responds to an interrupt request, it performs two interrupt acknowledge bus cycles to read an 8-bit interrupt vector that identifies the source of the interrupt. To assure program interruption, INTR must remain active until the first interrupt acknowledge cycle is completed. INTR is sampled at the beginning of each processor cycle and must be active HIGH at least two processor cycles before the current instruction ends in order to interrupt before the next instruction. INTR is level sensitive, active HIGH, and may be asynchronous to the system clock.</td>
</tr>
<tr>
<td>NMI</td>
<td>I</td>
<td>Non-maskable Interrupt Request interrupts the 80286 with an internally supplied vector value of 2. No interrupt acknowledge cycles are performed. The interrupt enable bit in the 80286 flag word does not affect this input. The NMI input is active HIGH, may be asynchronous to the system clock, and is edge triggered after internal synchronization. For proper recognition, the input must have been previously LOW for at least four system clock cycles and remain HIGH for at least four system clock cycles.</td>
</tr>
</tbody>
</table>
Table 1. Pin Description (Cont.)

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Type</th>
<th>Name and Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>PEREQ</td>
<td>I</td>
<td>Processor Extension Operand Request and Acknowledge extend the memory management and protection capabilities of the 80286 to processor extensions. The PEREQ input requests the 80286 to perform a data operand transfer for a processor extension. The PEACK output signals the processor extension when the requested operand is being transferred. PEREQ is active HIGH and floats to 3-state OFF during bus hold acknowledge. PEACK may be asynchronous to the system clock. PEACK is active LOW.</td>
</tr>
<tr>
<td>PEACK</td>
<td>O</td>
<td></td>
</tr>
<tr>
<td>BUSY</td>
<td>I</td>
<td>Processor Extension Busy and Error indicate the operating condition of a processor extension to the 80286. An active BUSY input stops 80286 program execution on WAIT and some ESC instructions until BUSY becomes inactive (HIGH). The 80286 may be interrupted while waiting for BUSY to become inactive. An active ERROR input causes the 80286 to perform a processor extension interrupt when executing WAIT or some ESC instructions. These inputs are active LOW and may be asynchronous to the system clock.</td>
</tr>
<tr>
<td>ERROR</td>
<td>I</td>
<td></td>
</tr>
<tr>
<td>RESET</td>
<td>I</td>
<td>System Reset clears the internal logic of the 80286 and is active HIGH. The 80286 may be re-initialized at any time with a LOW to HIGH transition on RESET which remains active for more than 16 system clock cycles. During RESET active, the output pins of the 80286 enter the state shown below:</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Pin Value</th>
<th>Pin Names</th>
</tr>
</thead>
<tbody>
<tr>
<td>1 (HIGH)</td>
<td>SO, S1, PEACK, A23-A0, BHE, LOCK</td>
</tr>
<tr>
<td>0 (LOW)</td>
<td>M/I, C/D/INTA, H/LDA</td>
</tr>
<tr>
<td>3-state OFF</td>
<td>D15-D0</td>
</tr>
</tbody>
</table>

Operation of the 80286 begins after a HIGH to LOW transition on RESET. The HIGH to LOW transition of RESET must be synchronous to the system clock. Approximately 50 system clock cycles are required by the 80286 for internal initializations before the first bus cycle to fetch code from the power-on execution address is performed.

A LOW to HIGH transition of RESET synchronous to the system clock will end a processor cycle at the second HIGH to LOW transition of the system clock. The LOW to HIGH transition of RESET may be asynchronous to the system clock; however, in this case it cannot be predetermined which phase of the processor clock will occur during the next system clock period. Synchronous LOW to HIGH transitions of RESET are required only for systems where the processor clock must be phase synchronous to another clock.

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Type</th>
<th>Name and Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>VSS</td>
<td>I</td>
<td>System Ground: 0 VOLTS.</td>
</tr>
<tr>
<td>VCC</td>
<td>I</td>
<td>System Power: +5 Volt Power Supply.</td>
</tr>
<tr>
<td>CAP</td>
<td>I</td>
<td>Substrate Filter Capacitor: a 0.047μF ± 20% 12V capacitor must be connected between this pin and ground. This capacitor filters the output of the internal substrate bias generator. A maximum DC leakage current of 1 μA is allowed through the capacitor. For correct operation of the 80286, the substrate bias generator must charge this capacitor to its operating voltage. The capacitor chargeup time is 5 milliseconds (max.) after VCC and CLK reach their specified AC and DC parameters. RESET may be applied to prevent spurious activity by the CPU during this time. After this time, the 80286 processor clock can be phase synchronized to another clock by pulsing RESET LOW synchronous to the system clock.</td>
</tr>
</tbody>
</table>
FUNCTIONAL DESCRIPTION

Introduction
The 80286 is an advanced, high-performance microprocessor with specially optimized capabilities for multiple user and multi-tasking systems. Depending on the application, the 80286's performance is up to six times faster than the standard 5 MHz 8086's, while providing complete upward software compatibility with Intel’s iAPX 86, 88, and 186 family of CPU’s.

The 80286 operates in two modes: iAPX 86 real address mode and protected virtual address mode. Both modes execute a superset of the iAPX 86 and 88 instruction set.

In iAPX 86 real address mode programs use real addresses with up to one megabyte of address space. Programs use virtual addresses in protected virtual address mode, also called protected mode. In protected mode, the 80286 CPU automatically maps 1 gigabyte of virtual addresses per task into a 16 megabyte real address space. This mode also provides memory protection to isolate the operating system and ensure privacy of each task’s programs and data. Both modes provide the same base instruction set, registers, and addressing modes.

The following Functional Description describes first, the base 80286 architecture common to both modes, second, iAPX 86 real address mode, and third, protected mode.

iAPX 286/10 BASE ARCHITECTURE

The iAPX 86, 88, 186, and 286 CPU family all contain the same basic set of registers, instructions, and addressing modes. The 80286 processor is upward compatible with the 8086, 8088, and 80186 CPU’s.

Register Set
The 80286 base architecture has fifteen registers as shown in Figure 3. These registers are grouped into the following four categories:

General Registers: Eight 16-bit general purpose registers used to contain arithmetic and logical operands. Four of these (AX, BX, CX, and DX) can be used either in their entirety as 16-bit words or split into pairs of separate 8-bit registers.

Segment Registers: Four 16-bit special purpose registers select, at any given time, the segments of memory that are immediately addressable for code, stack, and data. (For usage, refer to Memory Organization.)

Base and Index Registers: Four of the general purpose registers may also be used to determine offset addresses of operands in memory. These registers may contain base addresses or indexes to particular locations within a segment. The addressing mode determines the specific registers used for operand address calculations.

Status and Control Registers: The 3 16-bit special purpose registers in figure 3A record or control certain aspects of the 80286 processor state including the Instruction Pointer, which contains the offset address of the next sequential instruction to be executed.

Figure 3. Register Set
**Flags Word Description**

The Flags word (Flags) records specific characteristics of the result of logical and arithmetic instructions (bits 0, 2, 4, 6, 7, and 11) and controls the operation of the 80286 within a given operating mode (bits 8 and 9). Flags is a 16-bit register. The function of the flag bits is given in Table 2.

**Instruction Set**

The instruction set is divided into seven categories: data transfer, arithmetic, shift/rotate/logical, string manipulation, control transfer, high level instructions, and processor control. These categories are summarized in Figure 4.

An 80286 instruction can reference zero, one, or two operands; where an operand resides in a register, in the instruction itself, or in memory. Zero-operand instructions (e.g. NOP and HLT) are usually one byte long. One-operand instructions (e.g. INC and DEC) are usually two bytes long but some are encoded in only one byte. One-operand instructions may reference a register or memory location. Two-operand instructions permit the following six types of instruction operations:

- Register to Register
- Memory to Register
- Immediate to Register
- Memory to Memory
- Register to Memory
- Immediate to Memory

---

**Table 2. Flags Word Bit Functions**

<table>
<thead>
<tr>
<th>Bit Position</th>
<th>Name</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>CF</td>
<td>Carry Flag—Set on high-order bit carry or borrow; cleared otherwise</td>
</tr>
<tr>
<td>2</td>
<td>PF</td>
<td>Parity Flag—Set if low-order 8 bits of result contain an even number of 1-bits; cleared otherwise</td>
</tr>
<tr>
<td>4</td>
<td>AF</td>
<td>Set on carry from or borrow to the low order four bits of AL; cleared otherwise</td>
</tr>
<tr>
<td>6</td>
<td>ZF</td>
<td>Zero Flag—Set if result is zero; cleared otherwise</td>
</tr>
<tr>
<td>7</td>
<td>SF</td>
<td>Sign Flag—Set equal to high-order bit of result (0 if positive, 1 if negative)</td>
</tr>
<tr>
<td>11</td>
<td>OF</td>
<td>Overflow Flag—Set if result is a too-large positive number or a too-small negative number (excluding sign-bit) to fit in destination operand; cleared otherwise</td>
</tr>
<tr>
<td>8</td>
<td>TF</td>
<td>Single Step Flag—Once set, a single step interrupt occurs after the next instruction executes. TF is cleared by the single step interrupt.</td>
</tr>
<tr>
<td>9</td>
<td>IF</td>
<td>Interrupt-enable Flag—When set, maskable interrupts will cause the CPU to transfer control to an interrupt vector specified by the interrupt vector location.</td>
</tr>
<tr>
<td>10</td>
<td>DF</td>
<td>Direction Flag—Causes string instructions to auto decrement the appropriate index registers when set. Clearing DF causes auto increment.</td>
</tr>
</tbody>
</table>
Two-operand instructions (e.g. MOV and ADD) are usually three to six bytes long. Memory to memory operations are provided by a special class of string instructions requiring one to three bytes. For detailed instruction formats and encodings refer to the instruction set summary at the end of this document.

<table>
<thead>
<tr>
<th>Data Transfer Instructions</th>
</tr>
</thead>
<tbody>
<tr>
<td>MOV</td>
</tr>
<tr>
<td>PUSH</td>
</tr>
<tr>
<td>POP</td>
</tr>
<tr>
<td>PUSHA</td>
</tr>
<tr>
<td>POPA</td>
</tr>
<tr>
<td>XCHG</td>
</tr>
<tr>
<td>XLAT</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>General Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td>MOV</td>
</tr>
<tr>
<td>PUSH</td>
</tr>
<tr>
<td>POP</td>
</tr>
<tr>
<td>PUSHA</td>
</tr>
<tr>
<td>POPA</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Flag Transfer</th>
</tr>
</thead>
<tbody>
<tr>
<td>LAHF</td>
</tr>
<tr>
<td>SAHF</td>
</tr>
<tr>
<td>PUSHF</td>
</tr>
<tr>
<td>POPF</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>ADDITION</th>
</tr>
</thead>
<tbody>
<tr>
<td>ADD</td>
</tr>
<tr>
<td>ADC</td>
</tr>
<tr>
<td>INC</td>
</tr>
<tr>
<td>AAA</td>
</tr>
<tr>
<td>DAA</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>SUBTRACTION</th>
</tr>
</thead>
<tbody>
<tr>
<td>SUB</td>
</tr>
<tr>
<td>SBB</td>
</tr>
<tr>
<td>DEC</td>
</tr>
<tr>
<td>NEG</td>
</tr>
<tr>
<td>CMP</td>
</tr>
<tr>
<td>AAS</td>
</tr>
<tr>
<td>DAS</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Multiplication</th>
</tr>
</thead>
<tbody>
<tr>
<td>MUL</td>
</tr>
<tr>
<td>IMUL</td>
</tr>
<tr>
<td>AAM</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Division</th>
</tr>
</thead>
<tbody>
<tr>
<td>DIV</td>
</tr>
<tr>
<td>IDIV</td>
</tr>
<tr>
<td>AAD</td>
</tr>
<tr>
<td>CBW</td>
</tr>
<tr>
<td>CWD</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>String Instructions</th>
</tr>
</thead>
<tbody>
<tr>
<td>MOVS</td>
</tr>
<tr>
<td>INS</td>
</tr>
<tr>
<td>OUTS</td>
</tr>
<tr>
<td>CMPS</td>
</tr>
<tr>
<td>SCAS</td>
</tr>
<tr>
<td>LODS</td>
</tr>
<tr>
<td>STOS</td>
</tr>
<tr>
<td>REP</td>
</tr>
<tr>
<td>REPNE/REPZ</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Logical Instructions</th>
</tr>
</thead>
<tbody>
<tr>
<td>NOT</td>
</tr>
<tr>
<td>AND</td>
</tr>
<tr>
<td>OR</td>
</tr>
<tr>
<td>XOR</td>
</tr>
<tr>
<td>TEST</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Shifts</th>
</tr>
</thead>
<tbody>
<tr>
<td>SHL/SAL</td>
</tr>
<tr>
<td>SHR</td>
</tr>
<tr>
<td>SAR</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Rotates</th>
</tr>
</thead>
<tbody>
<tr>
<td>ROL</td>
</tr>
<tr>
<td>ROR</td>
</tr>
<tr>
<td>RCL</td>
</tr>
<tr>
<td>RCR</td>
</tr>
</tbody>
</table>

Figure 4a. Data Transfer Instructions
Figure 4b. Arithmetic Instructions
Figure 4c. String Instructions
Figure 4d. Shift/Rotate/Logical Instructions
### Conditional Transfers

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>JA/JNBE</td>
<td>Jump if above/not below nor equal</td>
</tr>
<tr>
<td>JAE/JNB</td>
<td>Jump if above or equal/not below</td>
</tr>
<tr>
<td>JB/JNAE</td>
<td>Jump if below/not above nor equal</td>
</tr>
<tr>
<td>JBE/JNA</td>
<td>Jump if below or equal/not above</td>
</tr>
<tr>
<td>JC</td>
<td>Jump if carry</td>
</tr>
<tr>
<td>JE/JZ</td>
<td>Jump if equal/zero</td>
</tr>
<tr>
<td>JG/JNLE</td>
<td>Jump if greater/not less nor equal</td>
</tr>
<tr>
<td>JGE/JNL</td>
<td>Jump if greater or equal/not less</td>
</tr>
<tr>
<td>JJ/JNGE</td>
<td>Jump if less/not greater nor equal</td>
</tr>
<tr>
<td>JLE/JNG</td>
<td>Jump if less or equal/not greater</td>
</tr>
<tr>
<td>JCXZ</td>
<td>Jump if register CX = 0</td>
</tr>
<tr>
<td>JNC</td>
<td>Jump if not carry</td>
</tr>
<tr>
<td>JNE/JNZ</td>
<td>Jump if not equal/not zero</td>
</tr>
<tr>
<td>JNP/JPO</td>
<td>Jump if not parity/parity odd</td>
</tr>
<tr>
<td>JNS</td>
<td>Jump if not sign</td>
</tr>
<tr>
<td>JO</td>
<td>Jump if overflow</td>
</tr>
<tr>
<td>JP/JPE</td>
<td>Jump if parity/parity even</td>
</tr>
<tr>
<td>JS</td>
<td>Jump if sign</td>
</tr>
</tbody>
</table>

### Unconditional Transfers

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CALL</td>
<td>Call procedure</td>
</tr>
<tr>
<td>RET</td>
<td>Return from procedure</td>
</tr>
<tr>
<td>JMP</td>
<td>Jump</td>
</tr>
<tr>
<td>LOOP</td>
<td>Loop</td>
</tr>
<tr>
<td>LOOPNE/LOOPNZ</td>
<td>Loop if equal/not zero</td>
</tr>
<tr>
<td>JCXZ</td>
<td>Jump if register CX = 0</td>
</tr>
</tbody>
</table>

### Iteration Controls

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>INT</td>
<td>Interrupt</td>
</tr>
<tr>
<td>INTO</td>
<td>Interrupt if overflow</td>
</tr>
<tr>
<td>IRET</td>
<td>Interrupt return</td>
</tr>
</tbody>
</table>

### Interrupts

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>STC</td>
<td>Set carry flag</td>
</tr>
<tr>
<td>CLC</td>
<td>Clear carry flag</td>
</tr>
<tr>
<td>CMC</td>
<td>Complement carry flag</td>
</tr>
<tr>
<td>STD</td>
<td>Set direction flag</td>
</tr>
<tr>
<td>CLD</td>
<td>Clear direction flag</td>
</tr>
<tr>
<td>STI</td>
<td>Set interrupt enable flag</td>
</tr>
<tr>
<td>CLI</td>
<td>Clear interrupt enable flag</td>
</tr>
<tr>
<td>HLT</td>
<td>Halt until interrupt or reset</td>
</tr>
<tr>
<td>WAIT</td>
<td>Wait for BUSY not active</td>
</tr>
<tr>
<td>ESC</td>
<td>Escape to extension processor</td>
</tr>
<tr>
<td>LOCK</td>
<td>Lock bus during next instruction</td>
</tr>
</tbody>
</table>

### External Synchronization

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>LMSW</td>
<td>Load machine status word</td>
</tr>
<tr>
<td>SMSW</td>
<td>Store machine status word</td>
</tr>
</tbody>
</table>

### No Operation

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>NOP</td>
<td>No operation</td>
</tr>
</tbody>
</table>

### Execution Environment Control

<table>
<thead>
<tr>
<th>Instruction</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>ENTER</td>
<td>Format stack for procedure entry</td>
</tr>
<tr>
<td>LEAVE</td>
<td>Restore stack for procedure exit</td>
</tr>
<tr>
<td>BOUND</td>
<td>Detects values outside prescribed range</td>
</tr>
</tbody>
</table>

### Memory Organization

Memory is organized as sets of variable length segments. Each segment is a linear contiguous sequence of up to 64K \((2^{16})\) 8-bit bytes. Memory is addressed using a two-component address (a pointer) that consists of a 16-bit segment selector, and a 16-bit offset. The segment selector indicates the desired segment in memory. The offset component indicates the desired byte address within the segment.

![Two Component Address](image-url)
Table 3. Segment Register Selection Rules

<table>
<thead>
<tr>
<th>Memory Reference Needed</th>
<th>Segment Register Used</th>
<th>Implicit Segment Selection Rule</th>
</tr>
</thead>
<tbody>
<tr>
<td>Instructions</td>
<td>Code (CS)</td>
<td>Automatic with instruction prefetch</td>
</tr>
<tr>
<td>Stack</td>
<td>Stack (SS)</td>
<td>All stack pushes and pops. Any memory reference which uses BP as a base register.</td>
</tr>
<tr>
<td>Local Data</td>
<td>Data (DS)</td>
<td>All data references except when relative to stack or string destination</td>
</tr>
<tr>
<td>External (Global) Data</td>
<td>Extra (ES)</td>
<td>Alternate data segment and destination of string operation</td>
</tr>
</tbody>
</table>

All instructions that address operands in memory must specify the segment and the offset. For speed and compact instruction encoding, segment selectors are usually stored in the high speed segment registers. An instruction need only specify the desired segment register and an offset in order to address a memory operand.

Most instructions need not explicitly specify which segment register is used. The correct segment register is automatically chosen according to the rules of Table 3. These rules follow the way programs are written (see Figure 6) as independent modules that require areas for code and data, a stack, and access to external data areas.

Special segment override instruction prefixes allow the implicit segment register selection rules to be overridden for special cases. The stack, data, and extra segments may coincide for simple programs. To access operands not residing in one of the four immediately available segments, a full 32-bit pointer or a new segment selector must be loaded.

Addressing Modes

The 80286 provides a total of eight addressing modes for instructions to specify operands. Two addressing modes are provided for instructions that operate on registers or immediate operands:

Register Operand Mode: The operand is located in one of the 8 or 16-bit general registers.

Immediate Operand Mode. The operand is included in the instruction.

Six modes are provided to specify the location of an operand in a memory segment. A memory operand address consists of two 16-bit components: segment selector and offset. The segment selector is supplied by a segment register either implicitly chosen by the addressing mode or explicitly chosen by a segment override prefix. The offset is calculated by summing any combination of the following three address elements:

- the displacement (an 8 or 16-bit immediate value contained in the instruction)
- the base (contents of either the BX or BP base registers)
- the index (contents of either the SI or DI index registers)

Any carry out from the 16-bit addition is ignored. Eight-bit displacements are sign extended to 16-bit values.

Combinations of these three address elements define the six memory addressing modes, described below.

Direct Mode: The operand's offset is contained in the instruction as an 8 or 16-bit displacement element.

Register Indirect Mode: The operand's offset is in one of the registers SI, DI, BX, or BP.

Based Mode: The operand's offset is the sum of an 8 or 16-bit displacement and the contents of a base register (BX or BP).
Indexed Mode: The operand’s offset is the sum of an 8 or 16-bit displacement and the contents of an index register (SI or DI).

Based Indexed Mode: The operand’s offset is the sum of the contents of a base register and an index register.

Based Indexed Mode with Displacement: The operand’s offset is the sum of a base register’s contents, an index register’s contents, and an 8 or 16-bit displacement.

Data Types
The 80286 directly supports the following data types:

- Integer: A signed binary numeric value contained in an 8-bit byte or a 16-bit word. All operations assume a 2’s complement representation. Signed 32 and 64-bit integers are supported using the iAPX 286/20 Numeric Data Processor.
- Ordinal: An unsigned binary numeric value contained in an 8-bit byte or 16-bit word.
- Pointer: A 32-bit quantity, composed of a segment selector component and an offset component. Each component is a 16-bit word.
- String: A contiguous sequence of bytes or words. A string may contain from 1 byte to 64K bytes.
- ASCII: A byte representation of alphanumeric and control characters using the ASCII standard of character representation.
- BCD: A byte (unpacked) representation of the decimal digits 0—9.
- Packed BCD: A byte (packed) representation of two decimal digits 0—9 storing one digit in each nibble of the byte.
- Floating Point: A signed 32, 64, or 80-bit real number representation. (Floating point operands are supported using the iAPX 286/20 Numeric Processor configuration.)

Figure 7 graphically represents the data types supported by the iAPX 286.

I/O Space
The I/O space consists of 64K 8-bit or 32K 16-bit ports. I/O instructions address the I/O space with either an 8-bit port address, specified in the instruction, or a 16-bit port address in the DX register. 8-bit port addresses are zero extended such that A15—A8 are LOW. I/O port addresses 00F6(H) through 00FF(H) are reserved.
Table 4. Interrupt Vector Assignments

<table>
<thead>
<tr>
<th>Function</th>
<th>Interrupt Number</th>
<th>Related Instructions</th>
<th>Return Address Before Instruction Causing Exception?</th>
</tr>
</thead>
<tbody>
<tr>
<td>Divide error exception</td>
<td>0</td>
<td>DIV, IDIV</td>
<td>Yes</td>
</tr>
<tr>
<td>Single step interrupt</td>
<td>1</td>
<td>All</td>
<td></td>
</tr>
<tr>
<td>NMI interrupt</td>
<td>2</td>
<td>All</td>
<td></td>
</tr>
<tr>
<td>Breakpoint interrupt</td>
<td>3</td>
<td>INT</td>
<td></td>
</tr>
<tr>
<td>INTO detected overflow exception</td>
<td>4</td>
<td>INTO</td>
<td>No</td>
</tr>
<tr>
<td>BOUND range exceeded exception</td>
<td>5</td>
<td>BOUND</td>
<td>Yes</td>
</tr>
<tr>
<td>Invalid opcode exception</td>
<td>6</td>
<td>Any undefined opcode</td>
<td>Yes</td>
</tr>
<tr>
<td>Processor extension not available exception</td>
<td>7</td>
<td>ESC or WAIT</td>
<td>Yes</td>
</tr>
<tr>
<td>Reserved</td>
<td>8–15</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Processor extension error interrupt</td>
<td>16</td>
<td>ESC or WAIT</td>
<td></td>
</tr>
<tr>
<td>Reserved</td>
<td>17–31</td>
<td></td>
<td></td>
</tr>
<tr>
<td>User defined</td>
<td>32–255</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

Interrupts

An interrupt transfers execution to a new program location. The old program address (CS:IP) and machine state (Flags) are saved on the stack to allow resumption of the interrupted program. Interrupts fall into three classes: hardware initiated, INT instructions, and instruction exceptions. Hardware initiated interrupts occur in response to an external input and are classified as non-maskable or maskable. Programs may cause an interrupt with an INT instruction. Instruction exceptions occur when an unusual condition, which prevents further instruction processing, is detected while attempting to execute an instruction. The return address from an exception will always point at the instruction causing the exception and include any leading instruction prefixes.

A table containing up to 256 pointers defines the proper interrupt service routine for each interrupt. Interrupts 0–31, some of which are used for instruction exceptions, are reserved. For each interrupt, an 8-bit vector must be supplied to the 80286 which identifies the appropriate table entry. Exceptions supply the interrupt vector internally. INT instructions contain or imply the vector and allow access to all 256 interrupts. Maskable hardware initiated interrupts supply the 8-bit vector to the CPU during an interrupt acknowledge bus sequence. Non-maskable hardware interrupts use a predefined internally supplied vector.

Maskable Interrupt (INTR)
The 80286 provides a maskable hardware interrupt request pin, INTR. Software enables this input by setting the interrupt flag bit (IF) in the flag word. All 224 user-defined interrupt sources can share this input, yet they can retain separate interrupt handlers. An 8-bit vector read by the CPU during the interrupt acknowledge sequence (discussed in System Interface section) identifies the source of the interrupt.

Further maskable interrupts are disabled while servicing an interrupt by resetting the IF but as part of the response to an interrupt or exception. The saved flag word will reflect the enable status of the processor prior to the interrupt. Until the flag word is restored to the flag register, the interrupt flag will be zero unless specifically set. The interrupt return instruction includes restoring the flag word, thereby restoring the original status of IF.

Non-maskable interrupt request (NMI)
A non-maskable interrupt input (NMI) is also provided. NMI has higher priority than INTR. A typical use of NMI would be to activate a power failure routine. The activation of this input causes an interrupt with an internally supplied vector value of 2. No external interrupt acknowledge sequence is performed.

While executing the NMI servicing procedure, the 80286 will service neither further NMI requests, INTR requests, nor the processor extension segment overrun interrupt until an interrupt return (IRET) instruction is executed or the CPU is reset. If NMI occurs while currently servicing an NMI, its presence will be saved for servicing after executing the first IRET instruction. IF is cleared at the beginning of an NMI interrupt to inhibit INTR interrupts.
SINGLE STEP INTERRUPT

The 80286 has an internal interrupt that allows programs to execute one instruction at a time. It is called the single step interrupt and is controlled by the single step flag bit (TF) in the flag word. Once this bit is set, an internal single step interrupt will occur after the next instruction has been executed. The interrupt clears the TF bit and uses an internally supplied vector of 1. The IRET instruction is used to set the TF bit and transfer control to the next instruction to be single stepped.

Interrupt Priorities

When simultaneous interrupt requests occur, they are processed in a fixed order as shown in Table 5. Interrupt processing involves saving the flags, return address, and setting CS:IP to point at the first instruction of the interrupt handler. If other interrupts remain enabled they are processed before the first instruction of the current interrupt handler is executed. The last interrupt processed is therefore the first one serviced.

<table>
<thead>
<tr>
<th>Order</th>
<th>Interrupt</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>INT instruction or exception</td>
</tr>
<tr>
<td>2</td>
<td>Single step</td>
</tr>
<tr>
<td>3</td>
<td>NMI</td>
</tr>
<tr>
<td>4</td>
<td>Processor extension segment overrun</td>
</tr>
<tr>
<td>5</td>
<td>INTR</td>
</tr>
</tbody>
</table>

Initialization and Processor Reset

Processor initialization or start up is accomplished by driving the RESET input pin HIGH. RESET forces the 80286 to terminate all execution and local bus activity. No instruction or bus activity will occur as long as RESET is active. After RESET becomes inactive and an internal processing interval elapses, the 80286 begins execution in real address mode with the instruction at physical location FFF00(H). RESET also sets some registers to predefined values as shown in Table 6.

<table>
<thead>
<tr>
<th>Bit</th>
<th>Position</th>
<th>Name</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>PE</td>
<td>Protected mode enable places the 80286 into protected mode and cannot be cleared except by RESET.</td>
<td></td>
</tr>
<tr>
<td>1</td>
<td>MP</td>
<td>Monitor processor extension allows WAIT instructions to cause a processor extension not present exception (number 7).</td>
<td></td>
</tr>
<tr>
<td>2</td>
<td>EM</td>
<td>Emulate processor extension causes a processor extension not present exception (number 7) on ESC instructions to allow emulating a processor extension.</td>
<td></td>
</tr>
<tr>
<td>3</td>
<td>TS</td>
<td>Task switched indicates the next instruction using a processor extension will cause exception 7, allowing software to test whether the current processor extension context belongs to the current task.</td>
<td></td>
</tr>
</tbody>
</table>

The LMSW and SMSW instructions can load and store the MSW in real address mode. The recommended use of TS, EM, and MP is shown in Table 8.

<table>
<thead>
<tr>
<th>TS</th>
<th>MP</th>
<th>EM</th>
<th>Recommended Use</th>
<th>Instructions Causing Exception 7</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>0</td>
<td>0</td>
<td>Initial encoding after RESET. IAPX 286 operation is identical to IAPX 86,88.</td>
<td>None</td>
</tr>
<tr>
<td>0</td>
<td>0</td>
<td>1</td>
<td>No processor extension is available. Software will emulate its function.</td>
<td>ESC</td>
</tr>
<tr>
<td>1</td>
<td>0</td>
<td>1</td>
<td>No processor extension is available. Software will emulate its function. The current processor extension context may belong to another task.</td>
<td>ESC</td>
</tr>
<tr>
<td>0</td>
<td>1</td>
<td>0</td>
<td>A processor extension exists.</td>
<td>None</td>
</tr>
<tr>
<td>1</td>
<td>1</td>
<td>0</td>
<td>A processor extension exists. The current processor extension context may belong to another task. The exception on WAIT allows software to test for an error pending from a previous processor extension operation.</td>
<td>ESC or WAIT</td>
</tr>
</tbody>
</table>
Halt
The HLT instruction stops program execution and prevents the CPU from using the local bus until restarted. Either NMI, INTR with IF = 1, or RESET will force the 80286 out of halt. If interrupted, the saved CS:IP will point to the next instruction after the HLT.

iAPX 86 REAL ADDRESS MODE
The 80286 executes a fully upward-compatible superset of the 8086 instruction set in real address mode. In real address mode the 80286 is object code compatible with 8086 and 8088 software. The real address mode architecture (registers and addressing modes) is exactly as described in the iAPX 286/10 Base Architecture section of this Functional Description.

Memory Size
Physical memory is a contiguous array of up to 1,048,576 bytes (one megabyte) addressed by pins A_0 through A_{19} and BHE. A_{20} through A_{23} may be ignored.

Memory Addressing
In real address mode the processor generates 20-bit physical addresses directly from a 20-bit segment base address and a 16-bit offset.

The selector portion of a pointer is interpreted as the upper 16 bits of a 20-bit segment address. The lower four bits of the 20-bit segment address are always zero. Segment addresses, therefore, begin on multiples of 16 bytes. See Figure 8 for a graphic representation of address formation.

All segments in real address mode are 64K bytes in size and may be read, written, or executed. An exception or interrupt can occur if data operands or instructions attempt to wrap around the end of a segment (e.g. a word with its low order byte at offset FFFF(H) and its high order byte at offset 0000(H)). If, in real address mode, the information contained in a segment does not use the full 64K bytes, the unused end of the segment may be overlayed by another segment to reduce physical memory requirements.

Reserved Memory Locations
The 80286 reserves two fixed areas of memory in real address mode (see Figure 9); system initialization area and interrupt table area. Locations from addresses FFFFFH through FFFFFH are reserved for system initialization. Initial execution begins at location FFFFOH. Locations 00000H through 003FFH are reserved for interrupt vectors.

Figure 8. iAPX 86 Real Address Mode Address Calculation

Figure 9. iAPX 86 Real Address Mode Initially Reserved Memory Locations
Table 9. Real Address Mode Addressing Interrupts

<table>
<thead>
<tr>
<th>Function</th>
<th>Interrupt Number</th>
<th>Related Instructions</th>
<th>Return Address Before Instruction?</th>
</tr>
</thead>
<tbody>
<tr>
<td>Interrupt table limit too small exception</td>
<td>8</td>
<td>INT vector is not within table limit</td>
<td>Yes</td>
</tr>
<tr>
<td>Processor extension segment overrun interrupt</td>
<td>9</td>
<td>ESC with memory operand extending beyond offset FFFF(H)</td>
<td>No</td>
</tr>
<tr>
<td>Segment overrun exception</td>
<td>13</td>
<td>Word memory reference with offset = FFFF(H) or an attempt to execute past the end of a segment</td>
<td>Yes</td>
</tr>
</tbody>
</table>

Interrupts

Table 9 shows the interrupt vectors reserved for exceptions and interrupts which indicate an addressing error. The exceptions leave the CPU in the state existing before attempting to execute the failing instruction (except for PUSH, POP, PUSHA, or POPA). Refer to the next section on protected mode initialization for a discussion on exception 8.

Protected Mode Initialization

To prepare the 80286 for protected mode, the LIDT instruction is used to load the 24-bit interrupt table base and 16-bit limit for the protected mode interrupt table. This instruction can also set a base and limit for the interrupt vector table in real address mode. After reset, the interrupt table base is initialized to 000000(H) and its size set to 03FF(H). These values are compatible with iAPX 86, 88 software. LIDT should only be executed in preparation for protected mode.

Shutdown

Shutdown occurs when a severe error is detected that prevents further instruction processing by the CPU. Shutdown and halt are externally signalled via a halt bus operation. They can be distinguished by A1 HIGH for halt and A1 LOW for shutdown. In real address mode, shutdown can occur under two conditions:

- Exceptions 8 or 13 happen and the IDT limit does not include the interrupt vector.
- A CALL, INT, or POP instruction attempts to wrap around the stack segment when SP is not even.

An NMI input can bring the CPU out of shutdown if the IDT limit is at least 000F(H) and 'SP is greater than 0005(H), otherwise shutdown can only be exited via the RESET input.

Protected Virtual Address Mode

The 80286 executes a fully upward-compatible superset of the 8086 instruction set in protected virtual address mode (protected mode). Protected mode also provides memory management and protection mechanisms and associated instructions.

The 80286 enters protected virtual address mode from real address mode by setting the PE (Protection Enable) bit of the machine status word with the Load Machine Status Word (LMSW) instruction. Protected mode offers extended physical and virtual memory address space, memory protection mechanisms, and new operations to support operating systems and virtual memory.

All registers, instructions, and addressing modes described in the iAPX 286/10 Base Architecture section of this Functional Description remain the same. Programs for the iAPX 86, 88, 186, and real address mode 80286 can be run in protected mode; however, embedded constants for segment selectors are different.

Memory Size

The protected mode 80286 provides a 1 gigabyte virtual address space per task mapped into a 16 megabyte physical address space defined by the address pins A23—A0 and BHE. The virtual address space may be larger than the physical address space since any use of an address that does not map to a physical memory location will cause a restartable exception.

Memory Addressing

As in real address mode, protected mode uses 32-bit pointers, consisting of 16-bit selector and offset components. The selector, however, specifies an index into a memory resident table rather than the upper 16-bits of a real memory address. The 24-bit base address of the
desired segment is obtained from the tables in memory. The 16-bit offset is added to the segment base address to form the physical address as shown in Figure 10. The tables are automatically referenced by the CPU whenever a segment register is loaded with a selector. All iAPX 286 instructions which load a segment register will reference the memory based tables without additional software. The memory based tables contain 8 byte values called descriptors.

**DESCRIPTORS**

Descriptors define the use of memory. Special types of descriptors also define new functions for transfer of control and task switching. The 80286 has segment descriptors for code, stack and data segments, and system control descriptors for special system data segments and control transfer operations. Descriptor accesses are performed as locked bus operations to assure descriptor integrity in multi-processor systems.

**CODE AND DATA SEGMENT DESCRIPTORS**

Besides segment base addresses, code and data descriptors contain other segment attributes including segment size (1 to 64K bytes), access rights (read only, read/write, execute only, and execute/read), and presence in memory (for virtual memory systems) (See Figure 11). Any segment usage violating a segment attribute indicated by the segment descriptor will prevent the memory cycle and cause an exception or interrupt.

**Figure 10. Protected Mode Memory Addressing**

**Figure 11. Code and Data Segment Descriptor Formats**

<table>
<thead>
<tr>
<th>Bit Position</th>
<th>Name</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>7</td>
<td>Present (P)</td>
<td>P = 1 Segment is mapped into physical memory. P = 0 No mapping to physical memory exists, base and limit are not used. Segment privilege attribute used in privilege tests.</td>
</tr>
<tr>
<td>6–5</td>
<td>Descriptor Privilege Level (DPL)</td>
<td>S = 1 Code or Data segment descriptor S = 0 Non-segment descriptor</td>
</tr>
<tr>
<td>4</td>
<td>Segment Descriptor (S)</td>
<td>ED = 0 Grow up segment, offsets must be ≤ limit. ED = 1 Grow down segment, offsets must be &gt; limit.</td>
</tr>
<tr>
<td>3</td>
<td>Executable (E)</td>
<td>E = 0 Data segment descriptor type is: E = 1 Code Segment Descriptor type is:</td>
</tr>
<tr>
<td>2</td>
<td>Expansion Direction (ED)</td>
<td>ED = 0 Grow up segment, offsets must be ≤ limit. ED = 1 Grow down segment, offsets must be &gt; limit.</td>
</tr>
<tr>
<td>1</td>
<td>Writeable (W)</td>
<td>W = 0 Data segment may not be written into. W = 1 Data segment may be written into.</td>
</tr>
<tr>
<td></td>
<td>type Field Definition</td>
<td></td>
</tr>
<tr>
<td>3</td>
<td>Executable (E)</td>
<td>E = 1 Code Segment Descriptor type is: C = 1 Code segment may only be executed when CPL ≥ DPL.</td>
</tr>
<tr>
<td>2</td>
<td>Conforming (C)</td>
<td>C = 1 Code segment may only be executed when CPL ≥ DPL. R = 0 Code segment may not be read.</td>
</tr>
<tr>
<td>1</td>
<td>Readable (R)</td>
<td>R = 0 Code segment may not be read. R = 1 Code segment may be read.</td>
</tr>
<tr>
<td>0</td>
<td>Accessed (A)</td>
<td>A = 0 Segment has not been accessed. A = 1 Segment selector has been loaded into segment register or used by selector test instructions.</td>
</tr>
</tbody>
</table>
Code and data are stored in two types of segments: code segments and data segments. Both types are identified and defined by segment descriptors. Code segments are identified by the executable (E) bit set to 1 in the descriptor access rights byte. The access rights byte of both code and data segment descriptor types have three fields in common: present (P) bit, Descriptor Privilege Level (DPL), and accessed (A) bit. If P = 0, any attempted use of this segment will cause a not-present exception. DPL specifies the privilege level of the segment descriptor. DPL effects when the descriptor may be used by a task (refer to privilege discussion below). The A bit shows whether the segment has been previously accessed for usage profiling, a necessity for virtual memory systems. The CPU will always set this bit when accessing the descriptor.

Data segments (S = 1, E = 0) may be either read-only or read-write as controlled by the W bit of the access rights byte. Read-only (W = 0) data segments may not be written into. Data segments may grow in two directions, as determined by the Expansion Direction (ED) bit: upwards (ED = 0) for data segments, and downwards (ED = 1) for a segment containing a stack. The limit field for a data segment descriptor is interpreted differently depending on the ED bit (see Figure 11).

A code segment (S = 1, E = 1) may be execute-only or execute/read as determined by the Readable (R) bit. Code segments may never be written into and execute-only code segments (R = 0) may not be read. A code segment may also have an attribute called conforming (C). A conforming code segment may be shared by programs that execute at different privilege levels. The DPL of a conforming code segment defines the range of privilege levels at which the segment may be executed (refer to privilege discussion below). The limit field identifies the last byte of a code segment.

**SYSTEM CONTROL DESCRIPTORS**

In addition to code and data segment descriptors, the protected mode 80286 defines system control descriptors. These descriptors define special system data segments and control transfer mechanisms in the protected environment. The special system data segment descriptors define segments which contain tables of descriptors (Local Descriptor Table Descriptor) and segments which contain the execution state of a task (Task State Segment Descriptor).

The control transfer descriptors are call gates, task gates, interrupt gates and trap gates. Gates provide a level of indirection between the source and destination of the control transfer. This indirection allows the CPU to automatically perform protection checks and control the entry point of the destination. Call gates are used to change privilege levels (see Privilege), task gates are used to perform a task switch, and interrupt and trap gates are used to specify interrupt service routines. The interrupt gate disables interrupts (resets IF) while the trap gate does not.

Figure 12 gives the formats for the special system data segment descriptors. The descriptors contain a 24-bit base address of the segment and a 16-bit limit. The access byte defines the type of descriptor, its state and privilege level. The descriptor contents are valid and the segment is in physical memory if P = 1. If P = 0, the segment is not valid. The DPL field is only used in Task State Segment descriptors and indicates the privilege level at which the descriptor may be used (see Privilege). Since the Local Descriptor Table descriptor may only be used by a special privileged instruction, the DPL field is not used. Bit 4 of the access byte is 0 to indicate that it is a system control descriptor. The type field specifies the descriptor type as indicated in Figure 12.

Figure 13 shows the format of the gate descriptors. The descriptor contains a destination pointer that points to the descriptor of the target segment and the entry point offset. The destination selector in an interrupt gate, trap gate, and call gate must refer to a code segment descriptor. These gate descriptors contain the entry point to prevent a program from constructing and using an illegal entry point. Task gates may only refer to a task state segment. Since task gates invoke a task switch, the destination offset is not used in the task gate.

Exception 13 is generated when the gate is used if a destination selector does not refer to the correct de-
IAPX 286/10
ADVANCE INFORMATION

Gate Descriptor

<table>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>TYPE</td>
<td>4</td>
<td>--Call Gate</td>
</tr>
<tr>
<td></td>
<td>5</td>
<td>--Task Gate</td>
</tr>
<tr>
<td></td>
<td>6</td>
<td>--Interrupt Gate</td>
</tr>
<tr>
<td></td>
<td>7</td>
<td>--Trap Gate</td>
</tr>
<tr>
<td>P</td>
<td>0</td>
<td>--Descriptor Contents are not valid</td>
</tr>
<tr>
<td></td>
<td>1</td>
<td>--Descriptor Contents are valid</td>
</tr>
<tr>
<td>DPL</td>
<td>0–3</td>
<td>Descriptor Privilege Level</td>
</tr>
<tr>
<td>WORD COUNT</td>
<td>0–31</td>
<td>Number of words to copy from caller's stack to called procedures stack. Only used with call gate.</td>
</tr>
<tr>
<td>DESTINATION SELECTOR</td>
<td>16-bit selector</td>
<td>Selector to the target code segment (Call, Interrupt or Trap Gate)</td>
</tr>
<tr>
<td>DESTINATION OFFSET</td>
<td>16-bit offset</td>
<td>Entry point within the target code segment</td>
</tr>
</tbody>
</table>

*Must be set to 0 for compatibility with IAPX 386. (X is don't care)

Gate Descriptor Fields

<table>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>TYPE</td>
<td>4</td>
<td>--Call Gate</td>
</tr>
<tr>
<td></td>
<td>5</td>
<td>--Task Gate</td>
</tr>
<tr>
<td></td>
<td>6</td>
<td>--Interrupt Gate</td>
</tr>
<tr>
<td></td>
<td>7</td>
<td>--Trap Gate</td>
</tr>
<tr>
<td>P</td>
<td>0</td>
<td>--Descriptor Contents are not valid</td>
</tr>
<tr>
<td></td>
<td>1</td>
<td>--Descriptor Contents are valid</td>
</tr>
<tr>
<td>DPL</td>
<td>0–3</td>
<td>Descriptor Privilege Level</td>
</tr>
<tr>
<td>WORD COUNT</td>
<td>0–31</td>
<td>Number of words to copy from caller's stack to called procedures stack. Only used with call gate.</td>
</tr>
<tr>
<td>DESTINATION SELECTOR</td>
<td>16-bit selector</td>
<td>Selector to the target code segment (Call, Interrupt or Trap Gate)</td>
</tr>
<tr>
<td>DESTINATION OFFSET</td>
<td>16-bit offset</td>
<td>Entry point within the target code segment</td>
</tr>
</tbody>
</table>

Figure 13. Gate Descriptor Format

The word count field is used in the call gate descriptor to indicate the number of parameters (0–31 words) to be automatically copied from the caller's stack to the stack of the called routine when a control transfer changes privilege levels. The word count field is not used by any other gate descriptor.

The access byte format is the same for all gate descriptors. P = 1 indicates that the gate contents are valid. P = 0 indicates the contents are not valid and causes exception 11 if referenced. DPL is the descriptor privilege level and specifies when this descriptor may be used by a task (refer to privilege discussion below). Bit 4 must equal 0 to indicate a system control descriptor. The type field specifies the descriptor type as indicated in Figure 13.

SEGMENT DESCRIPTR CACHE REGISTERS

A segment descriptor cache register is assigned to each of the four segment registers (CS, SS, DS, ES). Segment descriptors are automatically loaded (cached) into a segment descriptor cache register (Figure 14) whenever the associated segment register is loaded with a selector. Only segment descriptors may be loaded into segment descriptor cache registers. Once loaded, all references to that segment of memory use the cached descriptor information instead of reaccessing memory. The descriptor cache registers are not visible to programs. No instructions exist to store their contents. They only change when a segment register is loaded.

SECTOR FIELDS

A protected mode selector has three fields: descriptor entry index, local or global descriptor table indicator (TI), and selector privilege (RPL) as shown in Figure 15. These fields select one of two memory based tables of descriptors, select the appropriate table entry and allow high-speed testing of the selector's privilege attribute (refer to privilege discussion below).

Figure 15. Selector Fields

Figure 14. Descriptor Cache Registers
LOCAL AND GLOBAL DESCRIPTOR TABLES

Two tables of descriptors, called descriptor tables, contain all descriptors accessible by a task at any given time. A descriptor table is a linear array of up to 8192 descriptors. The upper 13 bits of the selector value are an index into a descriptor table. Each table has a 24-bit base register to locate the descriptor table in physical memory and a 16-bit limit register that confine descriptor access to the defined limits of the table as shown in Figure 16. A restartable exception (13) will occur if an attempt is made to reference a descriptor outside the table limits.

One table, called the Global Descriptor Table (GDT), contains descriptors available to all tasks. The other table, called the Local Descriptor Table (LDT), contains descriptors that can be private to a task. Each task may have its own private LDT. The GDT may contain all descriptor types except interrupt and trap descriptors. The LDT may contain only segment, task gate, and call gate descriptors. A segment cannot be accessed by a task if its segment descriptor does not exist in either descriptor table at the time of access.

The LGDT and LLDT instructions load the base and limit of the global and local descriptor tables. LGDT and LLDT are protected. They may only be executed by trusted programs operating at level 0. The LGDT instruction loads a six byte field containing the 16-bit table limit and 24-bit base address of the Global Descriptor Table as shown in Figure 17. The LLDT instruction loads a selector which refers to a Local Descriptor Table descriptor containing the base address and limit for an LDT, as shown in Figure 12.

DISTRACT DESCRIPTOR TABLE

The protected mode 80286 has a third descriptor table, called the Interrupt Descriptor Table (IDT) (see Figure 18), used to define up to 256 interrupts. It may contain only task gates, interrupt gates and trap gates. The IDT (Interrupt Descriptor Table) has a 24-bit base and 16-bit limit register in the CPU. The protected LlDT instruction loads these registers with a six byte value of identical form to that of the LGDT instruction (see Figure 17 and Protected Mode Initialization).

References to IDT entries are made via INT instructions, external interrupt vectors, or exceptions. The IDT must be at least 256 bytes in size to allocate space for all reserved interrupts.

Privilege

The 80286 has a four-level hierarchical privilege system which controls the use of privileged instructions and access to descriptors (and their associated segments) within a task. Four-level privilege, as shown in Figure 19, is an extension of the user/supervisor mode commonly found in minicomputers. The privilege levels are numbered 0 through 3. Level 0 is the most privileged level. Privilege
levels provide protection within a task. (Tasks are isolated by providing private LDTs for each task.) Operating system routines, interrupt handlers, and other system software can be included and protected within the virtual address space of each task using the four levels of privilege. Tasks may also have a separate stack for each privilege level.

Tasks, descriptors, and selectors have a privilege level attribute that determines whether the descriptor may be used. Task privilege effects the use of instructions and descriptors. Descriptor and selector privilege only effect access to the descriptor.

**TASK PRIVILEGE**

A task always executes at one of the four privilege levels. The task privilege level at any specific instant is called the Current Privilege Level (CPL) and is defined by the lower two bits of the CS register. CPL cannot change during execution in a single code segment. A task's CPL may only be changed by control transfers through gate descriptors to a new code segment (See Control Transfer). Tasks begin executing at the CPL value specified by the code segment when the task is initiated via a task switch operation. A task executing at Level 0 can access all data segments defined in the GDT and the task's LDT and is considered the most trusted level. A task executing at Level 3 has the most restricted access to data and is considered the least trusted level.

**DESCRIPTOR PRIVILEGE**

Descriptor privilege is specified by the Descriptor Privilege Level (DPL) field of the descriptor access byte. DPL specifies the least trusted task privilege level (CPL) at which a task may access the descriptor. Descriptors with DPL = 0 are the most protected. Only tasks executing at privilege level 0 (CPL = 0) may access them. Descriptors with DPL = 3 are the least protected (i.e. have the least restricted access) since tasks can access them when CPL = 0, 1, 2, or 3. This rule applies to all descriptors, except LDT descriptors.

**SELECTOR PRIVILEGE**

Selector privilege is specified by the Requested Privilege Level (RPL) field in the least significant two bits of a selector. Selector RPL may establish a less trusted privilege level than the current privilege level for the use of a selector. This level is called the task's effective privilege level (EPL). RPL can only reduce the scope of a task's access to data with this selector. A task's effective privilege is the numeric maximum of RPL and CPL. A selector with RPL = 0 imposes no additional restriction on its use while a selector with RPL = 3 can only refer to segments at privilege Level 3 regardless of the task's CPL. RPL is generally used to verify that pointer parameters passed to a more trusted procedure are not allowed to use data at a more privileged level than the caller (refer to pointer testing instructions).

**Descriptor Access and Privilege Validation**

Determining the ability of a task to access a segment involves the type of segment to be accessed, the instruction used, the type of descriptor used and CPL, RPL, and DPL. The two basic types of segment accesses are control transfer (selectors loaded into CS) and data (selectors loaded into DS, ES or SS).

**DATA SEGMENT ACCESS**

Instructions that load selectors into DS and ES must refer to a data segment descriptor or readable code segment descriptor. The CPL of the task and the RPL of the selector must be the same as or more privileged (numerically equal to or lower than) than the descriptor CPL. In general, a task can only access data segments at the same or less privileged levels than the CPL or RPL (whichever is numerically higher) to prevent a program from accessing data it cannot be trusted to use.

An exception to the rule is a readable conforming code segment. This type of code segment can be read from any privilege level.

If the privilege checks fail (e.g. DPL is numerically less than the maximum of CPL and RPL) or an incorrect type of descriptor is referenced (e.g. gate descriptor or execute only code segment) exception 13 occurs. If the segment is not present, exception 11 is generated.
Instructions that load selectors into SS must refer to data segment descriptors for writable data segments. The descriptor privilege (DPL) and RPL must equal CPL. All other descriptor types or a privilege level violation will cause exception 13. A not present fault causes exception 12.

**CONTROL TRANSFER**

Four types of control transfer can occur when a selector is loaded into CS by a control transfer operation (see Table 10). Each transfer type can only occur if the operation which loaded the selector references the correct descriptor type. Any violation of these descriptor usage rules (e.g. JMP through a call gate or RET to a Task State Segment) will cause exception 13.

The ability to reference a descriptor for control transfer is also subject to rules of privilege. A CALL or JMP instruction may only reference a code segment descriptor with DPL equal to the task CPL or a conforming segment with DPL of equal or greater privilege than CPL. The RPL of the selector used to reference the code descriptor must have as much privilege as CPL.

RET and IRET instructions may only reference code segment descriptors with descriptor privilege equal to or less privileged than the task CPL. The selector loaded into CS is the return address from the stack. After the return, the selector RPL is the task's new CPL. If CPL changes, the old stack pointer is popped after the return address.

When a JMP or CALL references a Task State Segment descriptor, the descriptor DPL must be the same or less privileged than the task's CPL. Reference to a valid Task State Segment descriptor causes a task switch (see Task Switch Operation). Reference to a Task State Segment descriptor at a more privileged level than the task's CPL generates exception 13.

When an instruction or interrupt references a gate descriptor, the gate DPL must have the same or less privilege than the task CPL. If DPL is at a more privileged level than CPL, exception 13 occurs. If the destination selector contained in the gate references a code segment descriptor, the code segment descriptor DPL must be the same or more privileged than the task CPL. If not, Exception 13 is issued. After the control transfer, the code segment descriptors DPL is the task's new CPL. If the destination selector in the gate references a task state segment, a task switch is automatically performed (see Task Switch Operation).

The privilege rules on control transfer require:

- a JMP or CALL direct to a code segment (code segment descriptor) can only be to a conforming segment with DPL of equal or greater privilege than CPL or a non-conforming segment at the same privilege level.
- interrupts within the task or calls that may change privilege levels, can only transfer control through a gate at the same or a less privileged level than CPL to a code segment at the same or more privileged level than CPL.
- return instructions that don't switch tasks can only return control to a code segment at the same or less privileged level.
- task switch can be performed by a call, jump or interrupt which references either a task gate or task state segment at the same or less privileged level.

<table>
<thead>
<tr>
<th>Control Transfer Types</th>
<th>Operation Types</th>
<th>Descriptor Referenced</th>
<th>Descriptor Table</th>
</tr>
</thead>
<tbody>
<tr>
<td>Intersegment within the same privilege level</td>
<td>JMP, CALL, RET, IRET*</td>
<td>Code Segment</td>
<td>GDT/LDT</td>
</tr>
<tr>
<td>Intersegment to the same or higher privilege level Interrupt within task may change CPL</td>
<td>CALL</td>
<td>Call Gate</td>
<td>GDT/LDT</td>
</tr>
<tr>
<td>Interrupt Instruction, Exception, External Interrupt</td>
<td>Trap or Interrupt Gate</td>
<td></td>
<td>IDT</td>
</tr>
<tr>
<td>Intersegment to a lower privilege level (changes task CPL)</td>
<td>RET, IRET*</td>
<td>Code Segment</td>
<td>GDT/LDT</td>
</tr>
<tr>
<td>Task Switch</td>
<td>CALL, JMP</td>
<td>Task State Segment</td>
<td>GDT</td>
</tr>
<tr>
<td></td>
<td>CALL, JMP</td>
<td>Task Gate</td>
<td>GDT/LDT</td>
</tr>
<tr>
<td></td>
<td>IRET**</td>
<td>Task Gate</td>
<td>IDT</td>
</tr>
</tbody>
</table>

*NT (Nested Task bit of flag word) = 0
**NT (Nested Task bit of flag word) = 1
PRIVILEGE LEVEL CHANGES

Any control transfer that changes CPL within the task, causes a change of stacks as part of the operation. Initial values of SS:SP for privilege levels 0, 1, and 2 are kept in the task state segment (refer to Task Switch Operation). During a JMP or CALL control transfer, the new stack pointer is loaded into the SS and SP registers and the previous stack pointer is pushed onto the new stack.

When returning to the original privilege level, its stack is restored as part of the RET or IRET instruction operation. For subroutine calls that pass parameters on the stack and cross privilege levels, a fixed number of words, as specified in the gate, are copied from the previous stack to the current stack. The inter-segment RET instruction with a stack adjustment value will correctly restore the previous stack pointer upon return.

Protection

The 80286 includes mechanisms to protect critical instructions that affect the CPU execution state (e.g. HLT) and code or data segments from improper usage. These mechanisms are grouped under the term “protection” and have three forms:

- Restricted usage of segments (e.g. no write allowed to read-only data segments). The only segments available for use are defined by descriptors in the Local Descriptor Table (LDT) and Global Descriptor Table (GDT).

- Restricted access to segments via the rules of privilege and descriptor usage.

- Privileged instructions or operations that may only be executed at certain privilege levels as determined by the CPL and I/O Privilege Level (IOPL). The IOPL is defined by bits 14 and 13 of the flag word.

These checks are performed for all instructions and can be split into three categories: segment load checks (Table 11), operand reference checks (Table 12), and privileged instruction checks (Table 13). Any violation of the rules shown will result in an exception. A not-present exception related to the stack segment causes exception 12.

The IRET and POPF instructions do not perform some of their defined functions if CPL is not of sufficient privilege (numerically small enough). No exceptions or other indication are given when these conditions occur.

The IF bit is not changed if CPL > IOPL.

The IOPL field of the flag word is not changed if CPL > 0.

### Table 11 Segment Register Load Checks

<table>
<thead>
<tr>
<th>Error Description</th>
<th>Exception Number</th>
</tr>
</thead>
<tbody>
<tr>
<td>Descriptor table limit exceeded</td>
<td>13</td>
</tr>
<tr>
<td>Segment descriptor not-present</td>
<td>11 or 12</td>
</tr>
<tr>
<td>Privilege rules violated</td>
<td>13</td>
</tr>
<tr>
<td>Invalid descriptor/segment type segment register load:</td>
<td></td>
</tr>
<tr>
<td>- Read only data segment load to SS</td>
<td></td>
</tr>
<tr>
<td>- Special control descriptor load to DS, ES, SS</td>
<td></td>
</tr>
<tr>
<td>- Execute only segment load to DS, ES, SS</td>
<td></td>
</tr>
<tr>
<td>- Data segment load to CS</td>
<td></td>
</tr>
<tr>
<td>- Read/Execute code segment load to SS</td>
<td>13</td>
</tr>
</tbody>
</table>

### Table 12 Operand Reference Checks

<table>
<thead>
<tr>
<th>Error Description</th>
<th>Exception Number</th>
</tr>
</thead>
<tbody>
<tr>
<td>Write into code segment</td>
<td>13</td>
</tr>
<tr>
<td>Read from execute-only code segment</td>
<td>13</td>
</tr>
<tr>
<td>Write to read-only data segment</td>
<td>13</td>
</tr>
<tr>
<td>Segment limit exceeded</td>
<td>12 or 13</td>
</tr>
</tbody>
</table>

Note 1: Carry out in offset calculations is ignored.

### Table 13 Privileged Instruction Checks

<table>
<thead>
<tr>
<th>Error Description</th>
<th>Exception Number</th>
</tr>
</thead>
<tbody>
<tr>
<td>CPL ≠ 0 when executing the following instructions:</td>
<td>13</td>
</tr>
<tr>
<td>LIDT, LLDT, LGDT, LTR, LMSW, CTS, HLT</td>
<td></td>
</tr>
<tr>
<td>CPL &gt; IOPL when executing the following instructions:</td>
<td>13</td>
</tr>
<tr>
<td>INS, IN, OUTS, OUT, STI, CLI, LOCK</td>
<td></td>
</tr>
</tbody>
</table>

EXCEPTIONS

The 80286 detects several types of exceptions and interrupts, in protected mode (see Table 14). Most are restartable after the exceptional condition is removed. Interrupt handlers for most exceptions receive an error code, pushed on the stack after the return address, that identifies the selector involved (0 if none). The return address normally points to the failing instruction, including all leading prefixes. For a processor extension segment overrun exception, the return address will not point at the ESC instruction that caused the exception; however, the processor extension registers may contain the address of the failing instruction.
The rules shown can be split into three categories: segment

<table>
<thead>
<tr>
<th>Interrupt</th>
<th>Function</th>
<th>Return Address At Failing Instruction?</th>
<th>Always Restartable?</th>
<th>Error Code on Stack?</th>
</tr>
</thead>
<tbody>
<tr>
<td>8</td>
<td>Double exception detected</td>
<td>Yes</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>9</td>
<td>Processor extension segment overrun</td>
<td>No</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>10</td>
<td>Invalid task state segment</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>11</td>
<td>Segment not present</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>12</td>
<td>Stack segment overrun or segment not present</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>13</td>
<td>General protection</td>
<td>Yes</td>
<td>No</td>
<td>Yes</td>
</tr>
</tbody>
</table>

Note 1: When a PUSHA or POPA instruction attempts to wrap around the stack segment, the machine state after the exception will not be restartable. This condition is identified by the value of the saved SP being either 0000(H), 0001(H), FFFE(H), or FFFF(H).

All these checks are performed for all instructions and can be split into three categories: segment load checks (Table 11), operand reference checks (Table 12), and privileged instruction checks (Table 13). Any violation of the rules shown will result in an exception. A not-present exception related to the stack segment causes exception 12.

**Special Operations**

**TASK SWITCH OPERATION**

The 80286 provides a built-in task switch operation which saves the entire 80286 execution state (registers, address space, and a link to the previous task), loads a new execution state, and commences execution in the new task. Like gates, the task switch operation is invoked by executing an inter-segment JMP or CALL instruction which refers to a Task State Segment (TSS) or task gate descriptor in the GDT or LDT. An INT n instruction, exception, or external interrupt may also invoke the task switch operation by selecting a task gate descriptor in the associated IDT descriptor entry.

The TSS descriptor points at a segment (see Figure 20) containing the entire 80286 execution state while a task gate descriptor contains a TSS selector. The limit field must be > 002B(H).

Each task must have a TSS associated with it. The current TSS is identified by a special register in the 80286 called the Task Register (TR). This register contains a selector referring to the task state segment descriptor that defines the current TSS. A hidden base and limit register associated with TR are loaded whenever TR is loaded with a new selector.

The IRET instruction is used to return control to the task that called the current task or was interrupted. Bit 14 in the flag register is called the Nested Task (NT) bit. It controls the function of the IRET instruction. If NT = 0, the IRET instruction performs the regular current task return; when NT = 1, IRET performs a task switch operation back to the previous task.

When a CALL or INT instruction initiates a task switch, the old and new TSS will be marked busy and the back link field of the new TSS set to the old TSS selector. The NT bit of the new task is set by CALL or INT initiated task switches. An interrupt that does not cause a task switch will clear NT. NT may also be set or cleared by POPF or IRET instructions.

The task state segment is marked busy by changing the descriptor type field from Type 1 to Type 3. Use of a selector that references a busy task state segment causes Exception 13.

**PROCESSOR EXTENSION CONTEXT SWITCHING**

The context of a processor extension (such as the 80287 numerics processor) is not changed by the task switch operation. A processor extension context need only be changed when a different task attempts to use the processor extension (which still contains the context of a previous task). The 80286 detects the first use of a processor extension after a task switch by causing the processor extension not present exception (7). The interrupt handler may then decide whether a context change is necessary.

Whenever the 80286 switches tasks, it sets the Task Switched (TS) bit of the MSW. TS indicates that a processor extension context may belong to a different task than the current one. The processor extension not present exception (7) will occur when attempting to execute an ESC or WAIT instruction if TS = 1 and a processor extension is present (MP = 1 in MSW).

**POINTER TESTING INSTRUCTIONS**

The iAPX 286 provides several instructions to speed pointer testing and consistency checks for maintaining system integrity (see Table 15). These instructions use the memory management hardware to verify that a selector value refers to an appropriate segment without risking an exception. A condition flag (ZF) indicates whether use of the selector or segment will cause an exception.
Figure 20. Task State Segment and TSS Registers
DOUBLE FAULT AND SHUTDOWN

If two separate exceptions are detected during a single instruction execution, the 80286 performs the double fault exception (8). If an exception occurs during processing of the double fault exception, the 80286 will enter shutdown. During shutdown no further instructions or exceptions are processed. Either NMI (CPU remains in protected mode) or RESET (CPU exits protected mode) can force the 80286 out of shutdown. Shutdown is externally signalled via a HALT bus operation with A₁ HIGH.

PROTECTED MODE INITIALIZATION

The 80286 initially executes in real address mode after RESET. To allow initialization code to be placed at the top of physical memory, A₂₃₋₂₀ will be HIGH when the 80286 performs memory references relative to the CS register until CS is changed. A₂₃₋₂₀ will be zero for references to the DS, ES, or SS segments. Changing CS in real address mode will force A₂₃₋₂₀ LOW whenever CS is used again. The initial CS:IP value of F000:FFF0 provides 64K bytes of code space for initialization code without changing CS.

Protected mode operation requires several registers to be initialized. The GDT and IDT base registers must refer to a valid GDT and IDT. After executing the LMSW instruction to set PE, the 80286 must immediately execute an intra-segment JMP instruction to clear the instruction queue of instructions decoded in real address mode.

To force the 80286 CPU registers to match the initial protected mode state assumed by software, execute a JMP instruction with a selector referring to the initial TSS used in the system. This will load the task register, local descriptor table register, segment registers and initial general register state. The TR should point at a valid TSS since any task switch operation involves saving the current task state.

SYSTEM INTERFACE

The 80286 system interface appears in two forms: a local bus and a system bus. The local bus consists of address, data, status, and control signals at the pins of the CPU. A system bus is any buffered version of the local bus. A system bus may also differ from the local bus in terms of coding of status and control lines and/or timing and loading of signals. The iAPX 286 family includes several devices to generate standard system buses such as the IEEE 796 standard Multibus™.

Bus Interface Signals and Timing

The iAPX 286 microsystem local bus interfaces the 80286 to local memory and I/O components. The interface has 24 address lines, 16 data lines, and 8 status and control signals.

The 80286 CPU, 82284 clock generator, 82288 bus controller, 82289 bus arbiter, 8286/7 transceivers, and 8282/3 latches provide a buffered and decoded system bus interface. The 82284 generates the system clock and synchronizes READY and RESET. The 82288 converts bus operation status encoded by the 8286 into command and bus control signals. The 82289 bus arbiter generates Multibus bus arbitration signals. These components can provide the timing and electrical power drive levels required for most system bus interfaces including the Multibus.

Physical Memory and I/O Interface

A maximum of 16 megabytes of physical memory can be addressed in protected mode. One megabyte can be addressed in real address mode. Memory is accessible by bytes or words. Words consist of any two consecutive bytes addressed with the least significant byte stored in the lowest address.

Byte transfers occur on either half of the 16-bit local data bus. Even bytes are accessed over D₇₋₀ while odd bytes are transferred over D₁₅₋₈. Even-addressed words are transferred over D₁₅₋₀ in one bus cycle, while odd-addressed words require two bus operations. The first transfers data on D₁₅₋₈, and the second transfers data on D₇₋₀. Both byte data transfers occur automatically, transparent to software.

Two bus signals, A₀ and BHE, control transfers over the lower and upper halves of the data bus. Even address
The 80286 uses a double frequency system clock (CLK input) to control bus timing. All signals on the local bus are measured relative to the system CLK input. The CPU divides the system clock by 2 to produce the internal processor clock, which determines bus state. Each processor clock is composed of two system clock cycles named phase 1 and phase 2. The 82284 clock generator output (PCLK) identifies the next phase of the processor clock. (See Figure 21.)

Six types of bus operations are supported: memory read, memory write, I/O read, I/O write, interrupt acknowledge, and halt/shutdown. Data can be transferred at a maximum rate of one word per two processor clock cycles.

The IAPX 286 bus has three basic states: idle (T_i), send status (T_s), and perform command (T_c). The 80286 CPU also has a fourth local bus state called hold (T_h). T_h indicates that the 80286 has surrendered control of the local bus to another bus master in response to a HOLD request.

Each bus state is one processor clock long. Figure 22 shows the four 80286 local bus states and allowed transitions.

Bus States

The idle (T_i) state indicates that no data transfers are in progress or requested. The first active state (T_s) is signaled by status line S1 or S0 going LOW and identifying phase 1 of the processor clock. During T_s, the command encoding, the address, and data (for a write operation) are available on the 80286 output pins. The 82288 bus controller decodes the status signals and generates Multibus compatible read/write command and local transceiver control signals.

After T_s, the perform command (T_c) state is entered. Memory or I/O devices respond to the bus operation during T_c, either transferring read data to the CPU or accepting write data. T_c states may be repeated as often as necessary to assure sufficient time for the memory or I/O device to respond. The READY signal determines whether T_c is repeated.

During hold (T_h), the 80286 will float all address, data, and status output pins enabling another bus master to use the local bus. The 80286 HOLD input signal is used to place the 80286 into the T_h state. The 80286 HLDA output signal indicates that the CPU has entered T_h.

Pipelined Addressing

The 80286 uses a local bus interface with pipelined timing to allow as much time as possible for data access. Pipelined timing allows bus operations to be performed in two processor cycles, while allowing each individual bus operation to last for three processor cycles.

The timing of the address outputs is pipelined such that the address of the next bus operation becomes available during the current bus operation. Or in other words, the first clock of the next bus operation is overlapped with the last clock of the current bus operation. Therefore, address decode and routing logic can operate in ad-
vance of the next bus operation. External address latches may hold the address stable for the entire bus operation, and provide additional AC and DC buffering.

The 80286 does not maintain the address of the current bus operation during all Tc states. Instead, the address for the next bus operation may be emitted during phase 2 of any Tc. The address remains valid during phase 1 of the first Tc to guarantee hold time, relative to ALE, for the address latch inputs.

**Bus Control Signals**

The 82288 bus controller provides control signals; address latch enable (ALE), Read/Write commands, data transmit/receive (DT/R), and data enable (DEN) that control the address latches, data transceivers, write enable, and output enable for memory and I/O systems.

The Address Latch Enable (ALE) output determines when the address may be latched. ALE provides at least one system CLK period of address hold time from the end of the previous bus operation until the address for the next bus operation appears at the latch outputs. This address hold time is required to support Multibus® and common memory systems.

The data bus transceivers are controlled by 82288 outputs Data Enable (DEN) and Data Transmit/Receive (DT/R). DEN enables the data transceivers; while DT/R controls transceiver direction. DEN and DT/R are timed to prevent bus contention between the bus master, data bus transceivers, and system data bus transceivers.

**Command Timing Controls**

Two system timing customization options, command extension and command delay, are provided on the iAPX 286 local bus.

Command extension allows additional time for external devices to respond to a command and is analogous to inserting wait states on the 8086. External logic can control the duration of any bus operation such that the operation is only as long as necessary. The READY input signal can extend any bus operation for as long as necessary.

Command delay allows an increase of address or write data setup time to system bus command active for any bus operation by delaying when the system bus command becomes active. Command delay is controlled by the 82288 CMDLY input. After T9, the bus controller samples CMDLY at each failing edge of CLK. If CMDLY is HIGH, the 82288 will not activate the command signal. When CMDLY is LOW, the 82288 will activate the command signal. After the command becomes active, the CMDLY input is not sampled.

When a command is delayed, the available response time from command active to return read data or accept write data is less. To customize system bus timing, an address decoder can determine which bus operations require delaying the command. The CMDLY input does not affect the timing of ALE, DEN, or DT/R.
Figure 24. CMDLY Controls and Leading Edge of the Command

Figure 24 illustrates four uses of CMDLY. Example 1 shows delaying the read command two system CLKs for cycle N-1 and no delay for cycle N, and example 2 shows delaying the read command one system CLK for cycle N-1 and one system CLK delay for cycle N.

Bus Cycle Termination
At maximum transfer rates, the iAPX 286 bus alternates between the status and command states. The bus status signals become inactive after T_s so that they may correctly signal the start of the next bus operation after the completion of the current cycle. No external indication of T_c exists on the iAPX 286 local bus. The bus master and bus controller enter T_c directly after T_s and continue executing T_c cycles until terminated by READY.

READY Operation
The current bus master and 82288 bus controller terminate each bus operation simultaneously to achieve maximum bus bandwidth. Both are informed in advance by READY active which identifies the last T_c cycle of the current bus operation. The bus master and bus controller must see the same sense of the READY signal, thereby requiring READY be synchronous to the system clock.

Synchronous Ready
The 82284 clock generator provides READY synchronization from both synchronous and asynchronous sources (see Figure 25). The synchronous ready input (SRDY) of the clock generator is sampled with the falling edge of CLK at the end of phase 1 of each T_c. The state of SRDY is then broadcast to the bus master and bus controller via the READY output line.

Asynchronous Ready
Many systems have devices or subsystems that are asynchronous to the system clock. As a result, their ready outputs cannot be guaranteed to meet the 82284 SRDY setup and hold time requirements. The 82284 asynchronous ready input (ARDY) is designed to accept such signals. The ARDY input is sampled at the beginning of each T_c cycle by 82284 synchronization logic. This provides a system CLK cycle time to resolve its value before broadcasting it to the bus master and bus controller.
ARDY or ARDYEN must be HIGH at the end of Tₜ. ARDY cannot be used to terminate bus cycle with no wait states.

Each ready input of the 82284 has an enable pin (SRDYEN and ARDYEN) to select whether the current bus operation will be terminated by the synchronous or asynchronous ready. Either of the ready inputs may terminate a bus operation. These enable inputs are active low and have the same timing as their respective ready inputs. Address decode logic usually selects whether the current bus operation should be terminated by ARDY or SRDY.

**Data Bus Control**

Figures 26, 27, and 28 show how the DT/R, DEN, data bus, and address signals operate for different combinations of read, write, and idle bus operations. DT/R goes active (LOW) for a read operation. DT/R remains HIGH before, during, and between write operations.

The data bus is driven with write data during the second phase of Tₜ. The delay in write data timing allows the read data drivers, from a previous read cycle, sufficient time to enter 3-state OFF before the 80286 CPU begins driving the local data bus for write operations. Write data will always remain valid for one system clock past the last Tₜ to provide sufficient hold time for Multibus or other similar memory or I/O systems. During write-read or write-idle sequences the data bus enters 3-state OFF during the second phase of the processor cycle after the last Tₜ. In a write-write sequence the data bus does not enter 3-state OFF between Tₜ and Tₛ.

**Bus Usage**

The 80286 local bus may be used for several functions: instruction data transfers, data transfers by other bus masters, instruction fetching, processor extension data transfers, interrupt acknowledge, and halt/shutdown. This section describes local bus activities which have special signals or requirements.
Figure 26. Back to Back Read-Write Cycles

Figure 27. Back to Back Write-Read Cycles
HOLD and HLDA

HOLD and HLDA allow another bus master to gain control of the local bus by placing the 80286 bus into the Tₜ state. The sequence of events required to pass control between the 80286 and another local bus master are shown in Figure 29.

In this example, the 80286 is initially in the Tₜ state as signaled by HLDA being active. Upon leaving Tₜ, as signaled by HLDA going inactive, a write operation is started. During the write operation another local bus master requests the local bus from the 80286 as shown by the HOLD signal. After completing the write operation, the 80286 performs one Tₜ bus cycle, to guarantee write data hold time, then enters Tₜ as signaled by HLDA going active.

The CMDLY signal and ARDY ready are used to start and stop the write bus command, respectively. Note that SRDY must be inactive or disabled by SRDYEN to guarantee ARDY will terminate the cycle.

Instruction Fetching

The 80286 Bus Unit (BU) will fetch instructions ahead of the current instruction being executed. This activity is called prefetching. It occurs when the local bus would otherwise be idle and obeys the following rules:

A prefetch bus operation starts when at least two bytes of the 6-byte prefetch queue are empty.

The prefetcher normally performs word prefetches independent of the byte alignment of the code segment base in physical memory.

The prefetcher will perform only a byte code fetch operation for control transfers to an instruction beginning on a numerically odd physical address.

Prefetching stops whenever a control transfer or HLT instruction is decoded by the IU and placed into the instruction queue.

In real address mode, the prefetcher may fetch up to 6 bytes beyond the last control transfer or HLT instruction in a code segment.

In protected mode, the prefetcher will never cause a segment overrun exception. The prefetcher stops at the last physical memory word of the code segment. Exception 13 will occur if the program attempts to execute beyond the last full instruction in the code segment.

If the last byte of a code segment appears on an even physical memory address, the prefetcher will read the next physical byte of memory (perform a word code fetch). The value of this byte is ignored and any attempt to execute it causes exception 13.
NOTES:
1. Status lines are not driven by 80286, yet remain high due to pullup resistors in 82288 and 82289 during HOLD state.
2. Address, M/JIO and COD/INTA may start floating during any TC depending on when internal 80286 bus arbiter decides to release bus to external HOLD. The float starts in δ2 of TC.
3. BHE and LOCK may start floating after the end of any TC depending on when internal 80286 bus arbiter decides to release bus to external HOLD. The float starts in δ1 of TC.
4. The minimum HOLD to HLDA time is shown. Maximum is one T1 longer.
5. The earliest HOLD time is shown. It will always allow a subsequent memory cycle if pending is shown.
6. The minimum HOLD to HLDA time is shown. Maximum is a function of the instruction, type of bus cycle and other machine status (i.e., Interrupts, Waits, Lock, etc.)
7. Asynchronous ready allows termination of the cycle. Synchronous ready does not signal ready in this example. Synchronous ready state is ignored after ready is signaled via the asynchronous input.

Figure 29. Multibus Write Terminated by Asynchronous Ready with Bus Hold
Processor Extension Transfers

The processor extension interface uses I/O port addresses 00F8(H), 00FA(H), and 00FC(H) which are part of the I/O port address range reserved by Intel. An ESC instruction with EM = 0 and TS = 0 will perform I/O bus operations to one or more of these I/O port addresses independent of the value of IOPL and CPL.

ESC instructions with memory references enable the CPU to accept PEREQ inputs for processor extension operand transfers. The CPU will determine the operand starting address and read/write status of the instruction. For each operand transfer, two or three bus operations are performed, one word transfer with I/O port address 00FA(H) and one or two bus operations with memory. Three bus operations are required for each word operand aligned on an odd byte address.

Interrupt Acknowledge Sequence

Figure 30 illustrates an interrupt acknowledge sequence performed by the 80286 in response to an INTR input. An interrupt acknowledge sequence consists of two INTA bus operations. The first allows a master 8259A Programmable Interrupt Controller (PIC) to determine which of any of its slaves should return the interrupt vector. An eight bit vector is read by the 80286 during the second INTA bus operation to select an interrupt handler routine from the interrupt table.

The Master Cascade Enable (MCE) signal of the 82288 is used to enable the cascade address drivers, during INTA bus operations (see Figure 30) onto the local address bus for distribution to slave interrupt controllers via the system address bus. The 80286 emits the LOCK signal (active LOW) during T₅ of the first INTA bus operation. A local bus “hold” request will not be honored until the end of the second INTA bus operation.

Three idle processor clocks are provided by the 80286 between INTA bus operations to allow for the minimum INTA to INTA time and CAS (cascade address) out delay of the 8259A. The second INTA bus operation must always have at least one extra T₆ state added via logic controlling READY. A₂₃–A₂₀ are in 3-state OFF until after the first T₆ state of the second INTA bus operation. This prevents bus contention between the cascade address drivers and CPU address drivers. The extra T₆ state allows time for the 80286 to resume driving the address lines for subsequent bus operations.

Local Bus Usage Priorities

The 80286 local bus is shared among several internal units and external HOLD requests. In case of simultaneous requests, their relative priorities are:

(Highest) Any transfers which assert LOCK either explicitly (via the LOCK instruction prefix) or implicitly (i.e., segment descriptor access, interrupt acknowledge sequence, or an XCHG with memory).

The second of the two byte bus operations required for an odd aligned word operand.

The second or third cycle of a processor extension data transfer.

Local bus request via HOLD input.

Processor extension data operand transfer via PEREQ input.

Data transfer performed by EU as part of an instruction.

(Lowest) An instruction prefetch request from BU. The EU will inhibit prefetching two processor clocks in advance of any data transfers to minimize waiting by EU for a prefetch to finish.

Halt or Shutdown Cycles

The 80286 externally indicates halt or shutdown conditions as a bus operation. These conditions occur due to a HLT instruction or multiple protection exceptions while attempting to execute one instruction. A halt or shutdown bus operation is signalled when ST, S0 and COD/INTA are LOW and M/IO is HIGH. A₁ HIGH indicates halt, and A₁ LOW indicates shutdown. The 82288 bus controller does not issue ALE, nor is READY required to terminate a halt or shutdown bus operation.

During halt or shutdown, the 80286 may service PEREQ or HOLD requests. A processor extension segment overrun exception during shutdown will inhibit further service of PEREQ. Either NMI or RESET will force the 80286 out of either halt or shutdown. An INTR, if interrupts are enabled, or a processor extension segment overrun exception will also force the 80286 out of halt.
1. Data is ignored.
2. First INTA cycle should have at least one wait state inserted to meet 8259A minimum INTA pulse width.
3. Second INTA cycle must have at least one wait state inserted since the CPU will not drive $A_{23} - A_0$, BHE, and LOCK until after the first Tc state.
   The CPU imposed one-clock delay prevents bus contention between cascade address buffer being disabled by MCE and address outputs.
   Without the wait state, the 80286 address will not be valid for a memory cycle started immediately after the second INTA cycle. The 8259A also requires one wait state for minimum INTA pulse width.
4. LOCK is active for the first INTA cycle to prevent the 82289 from releasing the bus between INTA cycles in a multi-master system.
5. $A_{23} - A_0$ exits 3-state OFF during $\phi_2$ of the second Tc in the INTA cycle.

Figure 30. Interrupt Acknowledge Sequence
SYSTEM CONFIGURATIONS

The versatile bus structure of the iAPX 286 microsystem, with a full complement of support chips, allows flexible configuration of a wide range of systems. The basic configuration, shown in Figure 31, is similar to an iAPX 86 maximum mode system. It includes the CPU plus an 8259A interrupt controller, 82284 clock generator, and the 82288 Bus Controller. The iAPX 86 latches (8282 and 8283) and transceivers (8286 and 8287) may be used in an iAPX 286 microsystem.

As indicated by the dashed lines in Figure 31, the ability to add processor extensions is an integral feature of iAPX 286 microsystems. The processor extension interface allows external hardware to perform special functions and transfer data concurrent with CPU execution of other instructions. Full system integrity is maintained because the 80286 supervises all data transfers and instruction execution for the processor extension.

The iAPX 286/20 numeric data processor which includes the 80287 numeric processor extension (NPX) uses this interface. The iAPX 286/20 has all the instructions and data types of an iAPX 86/20 or iAPX 88/20. The 80287 NPX can perform numeric calculations and data transfers concurrently with CPU program execution. Numerics code and data have the same integrity as all other information protected by the iAPX 286 protection mechanism.

The 80286 can overlap chip select decoding and address propagation during the data transfer for the previous bus operation. This information is latched into the 8282/3’s by ALE during the middle of a T5 cycle. The latched chip select and address information remains stable during the bus operation while the next cycles address is being decoded and propagated into the system. Decode logic can be implemented with a high speed bipolar PROM.

The optional decode logic shown in Figure 31 takes advantage of the overlap between address and data of the 80286 bus cycle to generate advanced memory and IO-select signals. This minimizes system performance.
 degradation caused by address propagation and decode delays. In addition to selecting memory and I/O, the advanced selects may be used with configurations supporting local and system buses to enable the appropriate bus interface for each bus cycle. The COD/INTA and M/IO signals are applied to the decode logic to distinguish between interrupt, I/O, code and data bus cycles.

By adding the 82289 bus arbiter chip the 80286 provides a Multibus system bus interface as shown in Figure 32. The ALE output of the 82288 for the Multibus bus is connected to its CMDLY input to delay the start of commands one system CLK as required to meet Multibus address and write data setup times. This arrangement will add at least one extra Tc state to each bus operation which uses the Multibus.

A second 82288 bus controller and additional latches and transceivers could be added to the local bus of Figure 32. This configuration allows the 80286 to support an on-board bus for local memory and peripherals, and the Multibus for system bus interfacing.

Figure 32. Multibus System Bus Interface
Figure 33 shows the addition of dual ported dynamic memory between the Multibus system bus and the iAPX 286 local bus. The dual port interface is provided by the 8207 Dual Port DRAM Controller. The 8207 runs synchronously with the CPU to maximize throughput for local memory references. It also arbitrates between requests from the local and system buses and performs functions such as refresh, initialization of RAM, and read/modify/write cycles. The 8207 combined with the 8206 Error Checking and Correction memory controller provide for single bit error correction. The dual-ported memory can be combined with a standard Multibus system bus interface to maximize performance and protection in multiprocessor system configurations.
PACKAGE

The 80286 is packaged in a 68-pin, leadless JEDEC type A hermetic leadless chip carrier. Figure 34 illustrates the package, and Figure 2 shows the pinout.

**Figure 34. JEDEC Type A Package**

**ABSOLUTE MAXIMUM RATINGS* **

<table>
<thead>
<tr>
<th>Parameter</th>
<th>Min.</th>
<th>Max.</th>
<th>Units</th>
<th>Test Conditions</th>
</tr>
</thead>
<tbody>
<tr>
<td>Ambient Temperature Under Bias</td>
<td></td>
<td>0°C to 70°C</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Storage Temperature</td>
<td></td>
<td>-65°C to + 150°C</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Voltage on Any Pin with Respect to Ground</td>
<td>-1.0 to +7V</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Power Dissipation</td>
<td></td>
<td>3.6 Watt</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

*NOTICE: Stresses above those listed under "Absolute Maximum Ratings" may cause permanent damage to the device. This is a stress rating only and functional operation of the device at these or any other conditions above those indicated in the operational sections of this specification is not implied. Exposure to absolute maximum rating conditions for extended periods may affect device reliability.

**D.C. CHARACTERISTICS (80286: \( T_A = 0°C \) to 70°C, \( V_{CC} = 5V \pm 10% \))**

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Parameter</th>
<th>Min.</th>
<th>Max.</th>
<th>Units</th>
<th>Test Conditions</th>
</tr>
</thead>
<tbody>
<tr>
<td>( V_{IL} )</td>
<td>Input Low Voltage</td>
<td>-0.5</td>
<td>+0.8</td>
<td>V</td>
<td></td>
</tr>
<tr>
<td>( V_{IH} )</td>
<td>Input High Voltage</td>
<td>2.0</td>
<td>( V_{CC} + 0.5 )</td>
<td>V</td>
<td>( I_{OL} = 3.0 ) mA</td>
</tr>
<tr>
<td>( V_{OL} )</td>
<td>Output Low Voltage</td>
<td>0.45</td>
<td>V</td>
<td></td>
<td>( \mu A )</td>
</tr>
<tr>
<td>( V_{OH} )</td>
<td>Output High Voltage</td>
<td>2.4</td>
<td>V</td>
<td></td>
<td>( I_{OH} = -400 ) μA</td>
</tr>
<tr>
<td>( I_{CC} )</td>
<td>Power Supply Current</td>
<td>600</td>
<td>mA</td>
<td></td>
<td>( T_A = 25°C )</td>
</tr>
<tr>
<td>( I_{LI} )</td>
<td>Input Leakage Current</td>
<td>±10</td>
<td>μA</td>
<td></td>
<td>( V_{IN} \leq V_{CC} )</td>
</tr>
<tr>
<td>( I_{LO} )</td>
<td>Output Leakage Current</td>
<td>±10</td>
<td>μA</td>
<td></td>
<td>( 0.45V \leq V_{OUT} \leq V_{CC} )</td>
</tr>
<tr>
<td>( V_{CL} )</td>
<td>Clock Input High Voltage</td>
<td>-0.5</td>
<td>+0.6</td>
<td>V</td>
<td></td>
</tr>
<tr>
<td>( V_{CH} )</td>
<td>Clock Input High Voltage</td>
<td>3.8</td>
<td>( V_{CC} + 1.0 )</td>
<td>V</td>
<td></td>
</tr>
<tr>
<td>( C_{IN} )</td>
<td>Capacitance of Inputs (All input except CLK)</td>
<td>10</td>
<td>pF</td>
<td>( f_c = 1 ) MHz</td>
<td></td>
</tr>
<tr>
<td>( C_{O} )</td>
<td>Capacitance of I/O or outputs</td>
<td>20</td>
<td>pF</td>
<td>( f_c = 1 ) MHz</td>
<td></td>
</tr>
<tr>
<td>( C_{CLK} )</td>
<td>Capacitance of CLK Input</td>
<td>12</td>
<td>pF</td>
<td>( f_c = 1 ) MHz</td>
<td></td>
</tr>
</tbody>
</table>
A.C. CHARACTERISTICS \((T_A = 0^\circ\text{C} \text{ to } 70^\circ\text{C}, V_{CC} = 5V \pm 10\%\)\)

### 80286 Timing Requirements

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Parameter</th>
<th>Min.</th>
<th>Max.</th>
<th>Units</th>
<th>Test Conditions</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>System clock period</td>
<td>62.5</td>
<td>250</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>2</td>
<td>System clock low time</td>
<td>15</td>
<td>230</td>
<td>ns</td>
<td>at .6 Volts</td>
</tr>
<tr>
<td>3</td>
<td>System clock high time</td>
<td>20</td>
<td>235</td>
<td>ns</td>
<td>at 3.2 Volts</td>
</tr>
<tr>
<td>4</td>
<td>Asynchronous input setup time</td>
<td>20</td>
<td></td>
<td>ns</td>
<td>See note 1</td>
</tr>
<tr>
<td>5</td>
<td>Asynchronous input hold time</td>
<td>20</td>
<td></td>
<td>ns</td>
<td>See note 1</td>
</tr>
<tr>
<td>6</td>
<td>RESET setup time</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>7</td>
<td>RESET hold time</td>
<td>0</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>8</td>
<td>Read data in setup time</td>
<td>10</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>9</td>
<td>Read data in hold time</td>
<td>5</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>10</td>
<td>READY setup time</td>
<td>38.5</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>11</td>
<td>READY hold time</td>
<td>25</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>12</td>
<td>STATUS/PEACK valid delay</td>
<td>0</td>
<td>40</td>
<td>ns</td>
<td>(C_L = 100\ \text{pF max above self load})</td>
</tr>
<tr>
<td>13</td>
<td>Address valid delay</td>
<td>0</td>
<td>60</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>14</td>
<td>Write data valid delay</td>
<td>0</td>
<td>50</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>15</td>
<td>Address/Status/Data float delay</td>
<td>0</td>
<td>60</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>16</td>
<td>HLDA valid delay</td>
<td>0</td>
<td>60</td>
<td>ns</td>
<td></td>
</tr>
</tbody>
</table>

### 82284 Timing Requirements

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Parameter</th>
<th>Min.</th>
<th>Max.</th>
<th>Units</th>
<th>Test Conditions</th>
</tr>
</thead>
<tbody>
<tr>
<td>17</td>
<td>SRDY/SRDYEN setup time</td>
<td>15</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>18</td>
<td>SRDY/SRDYEN hold time</td>
<td>0</td>
<td></td>
<td>ns</td>
<td>See note 1</td>
</tr>
<tr>
<td>19</td>
<td>ARDY/ARDYEN setup time</td>
<td>0</td>
<td></td>
<td>ns</td>
<td>See note 1</td>
</tr>
<tr>
<td>20</td>
<td>ARDY/ARDYEN hold time</td>
<td>16</td>
<td></td>
<td>ns</td>
<td>See note 1</td>
</tr>
<tr>
<td>21</td>
<td>PCLK delay</td>
<td>0</td>
<td>40</td>
<td>ns</td>
<td>(C_L = 50\ \text{pF max}) (I_{OL} = 5\ \text{ma max}) (I_{OH} = -1\ \text{ma max})</td>
</tr>
</tbody>
</table>

**NOTE 1:** These times are given for testing purposes to assure a predetermined action.

### 82288 Timing Requirements

<table>
<thead>
<tr>
<th>Symbol</th>
<th>Parameter</th>
<th>Min.</th>
<th>Max.</th>
<th>Units</th>
<th>Test Conditions</th>
</tr>
</thead>
<tbody>
<tr>
<td>22</td>
<td>CMDLY setup time</td>
<td>20</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>23</td>
<td>CMDLY hold time</td>
<td>0</td>
<td></td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>24</td>
<td>Command delay</td>
<td>3</td>
<td>15</td>
<td>ns</td>
<td>(C_L = 300\ \text{pF max}) (I_{OL} = 32\ \text{ma max}) (I_{OH} = -15\ \text{ma max})</td>
</tr>
<tr>
<td>25</td>
<td>ALE active delay</td>
<td>3</td>
<td>15</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>26</td>
<td>ALE inactive delay</td>
<td>0</td>
<td>20</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>27</td>
<td>DT/R read active delay</td>
<td>0</td>
<td>20</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>28</td>
<td>DT/R read inactive delay</td>
<td>10</td>
<td>40</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>29</td>
<td>DEN read active delay</td>
<td>10</td>
<td>50</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>30</td>
<td>DEN read inactive delay</td>
<td>3</td>
<td>15</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>31</td>
<td>DEN write active delay</td>
<td>0</td>
<td>30</td>
<td>ns</td>
<td></td>
</tr>
<tr>
<td>32</td>
<td>DEN write inactive delay</td>
<td>3</td>
<td>30</td>
<td>ns</td>
<td></td>
</tr>
</tbody>
</table>

\(C_L = 80\ \text{pF max}\) \(I_{OL} = 16\ \text{ma max}\) \(I_{OH} = -1\ \text{ma max}\)
WAVEFORMS

MAJOR CYCLE TIMING

BUS CYCLE TYPE

CLK

VDD

VSS

S1 = S0

A22-A0

M IO, CDD INTA

BH LOCK

D15-D0

READY

SRDY + SRDEN

ARDY + ARDEN

PCLK

ALE

CMDLY

MWTC

NROC

DTB

DEN

VDD

VSS

T1

T2

T3

T4

T5

T6

T7

T8

T9

T10

T11

T12

T13

T14

T15

T16

T17

T18

T19

T20

T21

T22

T23

T24

T25

T26

T27

T28

T29

T30

T31

T32

T33

T34

T35

T36

T37

T38

T39

T40

T41

T42

T43

T44

T45

T46

T47

T48

T49

T50

T51

T52

T53

T54

T55

T56

T57

T58

T59

T60

T61

T62

T63

T64

T65

T66

T67

T68

T69

T70

T71

T72

T73

T74

T75

T76

T77

T78

T79

T80

T81

T82

T83

T84

T85

T86

T87

T88

T89

T90

T91

T92

T93

T94

T95

T96

T97

T98

T99

T100

T101

T102

T103

T104

T105

T106

T107

T108

T109

T110

T111

T112

T113

T114

T115

T116

T117

T118

T119

T120

T121

T122

T123

T124

T125

T126

T127

T128

T129

T130

T131

T132

T133

T134

T135

T136

T137

T138

T139

T140

T141

T142

T143

T144

T145

T146

T147

T148

T149

T150

T151

T152

T153

T154

T155

T156

T157

T158

T159

T160

T161

T162

T163

T164

T165

T166

T167

T168

T169

T170

T171

T172

T173

T174

T175

T176

T177

T178

T179

T180

T181

T182

T183

T184

T185

T186

T187

T188

T189

T190

T191

T192

T193

T194

T195

T196

T197

T198

T199

T200

T201

T202

T203

T204

T205
WAVEFORMS (Continued)

80286 ASYNCHRONOUS INPUT SIGNAL TIMING

**NOTES:**
1. PCLK indicates which processor cycle phase will occur on the next CLK. PCLK may not indicate the correct phase until the first bus cycle is performed.
2. These inputs are asynchronous. The setup and hold times shown assure recognition for testing purposes.

EXITING AND ENTERING HOLD

**NOTES:**
1. These signals may not be driven by the 80286 during the time shown. The worst case in terms of latest float time is shown.
2. The data bus will be driven as shown if the last cycle before Tₜ in the diagram was a write Tᵢ.
3. The 80286 floats its status pins during Tᵢ. External pullup resistors (in 82288) keep these signals high.
4. For HOLD request set up to HLDA, refer to Figure 29.
5. BHE and LOCK are driven at this time but will not become valid until Tₛ.
6. The data bus will remain in 3-state OFF if a read cycle is performed.
WAVEFORMS (Continued)

80286 PEROQ/PEACK TIMING FOR ONE TRANSFER ONLY

NOTES:
1. PEACK always goes active during the first bus operation of a processor extension data operand transfer sequence. The first bus operation will be either a memory read at operand address or I/O read at port address OOF(H).
2. To prevent a second processor extension data operand transfer, the worst case maximum time (Shown above) is: 3X(① - ②)_{\text{max}} - ④_{\text{min}}. The actual, configuration dependent, maximum time is: 3X(① - ②)_{\text{max}} - ④_{\text{min}} + A X 2 X ①.
   A is the number of extra Tc states added to either the first or second bus operation of the processor extension data operand transfer sequence.

INITIAL 80286 PIN STATE DURING RESET

NOTES:
1. Setup time for RESET + may be violated with the consideration that ⑤ of the processor clock may begin one system CLK period later.
2. Setup and hold times for RESET + must be met for proper operation.
3. The data bus is only guaranteed to be in 3-state OFF at the time shown.
80286 INSTRUCTION SET SUMMARY

Instruction Timing Notes
The instruction clock counts listed below establish the maximum execution rate of the 80286. With no delays in bus cycles, the actual clock count of an 80286 program will average 5% more than the calculated clock count, due to instruction sequences which execute faster than they can be fetched from memory.

To calculate elapsed times for instruction sequences, multiply the sum of all instruction clock counts, as listed in the table below, by the processor clock period. An 8 MHz processor clock has a clock period of 125 nanoseconds and requires an 80286 system clock (CLK input) of 16 MHz.

Instruction Clock Count Assumptions
1. The instruction has been prefetched, decoded, and is ready for execution. Control transfer instruction clock counts include all time required to fetch, decode, and prepare the next instruction for execution.
2. Bus cycles do not require wait states.
3. There are no processor extension data transfer or local bus HOLD requests.
4. No exceptions occur during instruction execution.

Instruction Set Summary Notes
Addressing displacements selected by the MOD field are not shown. If necessary they appear after the instruction fields shown.

Above/below refers to unsigned value
Greater refers to positive signed value
Less refers to less positive (more negative) signed values
if \( d = 1 \) then to register; if \( d = 0 \) then from register
if \( w = 1 \) then word instruction; if \( w = 0 \) then byte instruction
if \( s = 0 \) then 16-bit immediate data form the operand
if \( s = 1 \) then an immediate data byte is sign-extended to form the 16-bit operand
\( x \) don't care
\( z \) used for string primitives for comparison with ZF FLAG

If two clock counts are given, the smaller refers to a register operand and the larger refers to a memory operand
\( * \) = add one clock if offset calculation requires summing 3 elements
\( n \) = number of times repeated
\( m \) = number of bytes of code in next instruction

Level (L)—Lexical nesting level of the procedure
The following comments describe possible exceptions, side effects, and allowed usage for instructions in both operating modes of the 80286.

REAL ADDRESS MODE ONLY
1. This is a protected mode instruction. Attempted execution in real address mode will result in an undefined opcode exception (6).
2. A segment overrun exception (13) will occur if a word operand reference at offset FFFF(H) is attempted.
3. This instruction may be executed in real address mode to initialize the CPU for protected mode.
4. The IOPL and NT fields will remain 0.
5. Processor extension segment overrun interrupt (9) will occur if the operand exceeds the segment limit.

EITHER MODE
6. An exception may occur, depending on the value of the operand.
7. LOCK is automatically asserted regardless of the presence or absence of the LOCK instruction prefix.
8. LOCK does not remain active between all operand transfers.

PROTECTED VIRTUAL ADDRESS MODE ONLY
9. A general protection exception (13) will occur if the memory operand cannot be used due to either a segment limit or access rights violation. If a stack segment limit is violated, a stack segment overrun exception (12) occurs.
10. For segment load operations, the CPL, RPL, and DPL must agree with privilege rules to avoid an exception. The segment must be present to avoid a not-present exception (11). If the SS register is the destination, and a segment not-present violation occurs, a stack exception (12) occurs.
11. All segment descriptor accesses in the GDT or LDT made by this instruction will automatically assert LOCK to maintain descriptor integrity in multiprocessor systems.
12. JMP, CALL, INT, RET, IRET instructions referring to another code segment will cause a general protection exception (13) if any privilege rule is violated.
13. A general protection exception (13) occurs if CPL ≠ 0.
14. A general protection exception (13) occurs if CPL > IOPL.
15. The IF field of the flag word is not updated if CPL > IOPL. The IOPL field is updated only if CPL = 0.
16. Any violation of privilege rules as applied to the selector operand do not cause a protection exception; rather, the instruction does not return a result and the zero flag is cleared.
17. If the starting address of the memory operand violates a segment limit, or an invalid access is attempted, a general protection exception (13) will occur before the ESC instruction is executed. A stack segment overrun exception (12) will occur if the stack limit is violated by the operand's starting address. If a segment limit is violated during an attempted data transfer then a processor extension segment overrun exception (9) occurs.
18. The destination of an INT, JMP, CALL, RET or IRET instruction must be in the defined limit of a code segment or a general protection exception (13) will occur.
<table>
<thead>
<tr>
<th>FUNCTION</th>
<th>FORMAT</th>
<th>CLOCK COUNT</th>
<th>COMMENTS</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td>Real Address Mode</td>
<td>Protected Address Mode</td>
</tr>
<tr>
<td><strong>DATA TRANSFER</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>MOVE = Move:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register to Register/Memory</td>
<td>1 0 0 0 1 0 0 w</td>
<td>2,3*</td>
<td>2,3*</td>
</tr>
<tr>
<td>Register/memory to register</td>
<td>1 0 0 0 1 0 1 w</td>
<td>2,5*</td>
<td>2,5*</td>
</tr>
<tr>
<td>Immediate to register/memory</td>
<td>1 1 0 0 0 1 1 w</td>
<td>data if w = 1</td>
<td>2,3*</td>
</tr>
<tr>
<td>Immediate to register</td>
<td>1 0 1 1 w</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>Memory to accumulator</td>
<td>1 0 1 0 0 0 0 w</td>
<td>addr-high</td>
<td>5</td>
</tr>
<tr>
<td>Accumulator to memory</td>
<td>1 0 1 0 0 0 1 w</td>
<td>addr-high</td>
<td>3</td>
</tr>
<tr>
<td>Register/memory to segment register</td>
<td>1 0 0 0 1 1 0</td>
<td>mod 0 reg</td>
<td>2,5*</td>
</tr>
<tr>
<td>Segment register to register/memory</td>
<td>1 0 0 0 1 1 0</td>
<td>mod 0 reg</td>
<td>2,3*</td>
</tr>
<tr>
<td>PUSH = Push:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory</td>
<td>1 1 1 1 1 1 1</td>
<td>5*</td>
<td>5*</td>
</tr>
<tr>
<td>Register</td>
<td>0 1 0 1 1</td>
<td>5</td>
<td>5</td>
</tr>
<tr>
<td>Segment register</td>
<td>0 0 0</td>
<td>3</td>
<td>3</td>
</tr>
<tr>
<td>Immediate</td>
<td>0 1 1 0 1 0 s</td>
<td>data if s = 0</td>
<td>3</td>
</tr>
<tr>
<td><strong>PUSHA = Push All</strong></td>
<td></td>
<td>17</td>
<td>17</td>
</tr>
<tr>
<td>POP = Pop:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory</td>
<td>1 0 0 0 1 1 1</td>
<td>5*</td>
<td>5*</td>
</tr>
<tr>
<td>Register</td>
<td>0 1 0 1 1</td>
<td>5</td>
<td>5</td>
</tr>
<tr>
<td>Segment register</td>
<td>0 0 0</td>
<td>5</td>
<td>20</td>
</tr>
<tr>
<td><strong>POPA = Pop All</strong></td>
<td></td>
<td>19</td>
<td>19</td>
</tr>
<tr>
<td>XCHG = Exchange:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register/memory with register</td>
<td>1 0 0 0 0 1 1 w</td>
<td>3,5*</td>
<td>3,5*</td>
</tr>
<tr>
<td>Register with accumulator</td>
<td>1 0 0 1 0</td>
<td>3</td>
<td>3</td>
</tr>
<tr>
<td>IN = Input from:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Fixed port</td>
<td>1 1 1 0 0 1 0 w</td>
<td>port</td>
<td>5</td>
</tr>
<tr>
<td>Variable port</td>
<td>1 1 1 0 1 1 0 w</td>
<td>5</td>
<td>5</td>
</tr>
<tr>
<td>OUT = Output to:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Fixed port</td>
<td>1 1 1 0 0 1 1 w</td>
<td>port</td>
<td>5</td>
</tr>
<tr>
<td>Variable port</td>
<td>1 1 1 0 1 1 0 w</td>
<td>3</td>
<td>3</td>
</tr>
<tr>
<td>XLAT = Translate byte to AL</td>
<td>1 1 0 1 0 1 1</td>
<td>5</td>
<td>5</td>
</tr>
<tr>
<td>LEA = Load EA to register</td>
<td>1 0 0 0 1 1 0 1</td>
<td>mod 0 reg</td>
<td>3*</td>
</tr>
<tr>
<td>LDS = Load pointer to DS</td>
<td>1 1 0 0 1 1 0 1</td>
<td>mod 0 reg</td>
<td>(mod + 11)</td>
</tr>
<tr>
<td>LES = Load pointer to ES</td>
<td>1 1 0 0 0 1 1 0</td>
<td>mod 0 reg</td>
<td>(mod + 11)</td>
</tr>
<tr>
<td>LAHF = Load AH with flags</td>
<td>1 0 0 1 1 1 1 1</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>SAHF = Store AH into flags</td>
<td>1 0 0 1 1 1 0</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>PUSHF = Push flags</td>
<td>1 0 0 1 1 1 0</td>
<td>3</td>
<td>3</td>
</tr>
<tr>
<td>POPF = Pop flags</td>
<td>1 0 0 1 1 1 1</td>
<td>5</td>
<td>5</td>
</tr>
</tbody>
</table>

Shaded areas indicate instructions not available in iAPX 86, 88 microsystems.
### 80286 INSTRUCTION SET SUMMARY (Continued)

<table>
<thead>
<tr>
<th>FUNCTION</th>
<th>FORMAT</th>
<th>CLOCK COUNT</th>
<th>COMMENTS</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>ARITHMETIC</strong></td>
<td></td>
<td>Real Address Mode</td>
<td>Protected Virtual Address Mode</td>
</tr>
<tr>
<td><strong>ADD</strong> = Add:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Reg/memory with register to either</td>
<td>0 0 0 0 0 0 0 0 d w</td>
<td>mod reg</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate to register/memory</td>
<td>1 0 0 0 0 0 s w</td>
<td>mod 0 0 0</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate to accumulator</td>
<td>0 0 0 0 0 1 0 w</td>
<td>data</td>
<td>data if w = 1</td>
</tr>
<tr>
<td><strong>ADC</strong> = Add with carry:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Reg/memory with register to either</td>
<td>0 0 0 1 0 0 0 d w</td>
<td>mod reg</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate to register/memory</td>
<td>1 0 0 0 0 0 s w</td>
<td>mod 0 1 0</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate to accumulator</td>
<td>0 0 0 1 0 1 0 w</td>
<td>data</td>
<td>data if w = 1</td>
</tr>
<tr>
<td><strong>INC</strong> = Increment:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register/memory</td>
<td>1 1 1 1 1 1 1 w</td>
<td>mod 0 0 0</td>
<td>r/m</td>
</tr>
<tr>
<td>Register</td>
<td>0 1 0 0 0</td>
<td>reg</td>
<td></td>
</tr>
<tr>
<td><strong>SUB</strong> = Subtract:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Reg/memory and register to either</td>
<td>0 0 1 0 1 0 d w</td>
<td>mod reg</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate from register/memory</td>
<td>1 0 0 0 0 0 s w</td>
<td>mod 0 1 1</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate from accumulator</td>
<td>0 0 1 0 1 1 0 w</td>
<td>data</td>
<td>data if w = 1</td>
</tr>
<tr>
<td><strong>SBB</strong> = Subtract with borrow:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Reg/memory and register to either</td>
<td>0 0 0 1 0 0 d w</td>
<td>mod reg</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate from register/memory</td>
<td>1 0 0 0 0 0 s w</td>
<td>mod 0 1 1</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate from accumulator</td>
<td>0 0 0 1 1 0 w</td>
<td>data</td>
<td>data if w = 1</td>
</tr>
<tr>
<td><strong>DEC</strong> = Decrement:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register/memory</td>
<td>1 1 1 1 1 1 1 w</td>
<td>mod 0 0 1</td>
<td>r/m</td>
</tr>
<tr>
<td>Register</td>
<td>0 1 0 0 1</td>
<td>reg</td>
<td></td>
</tr>
<tr>
<td><strong>CMP</strong> = Compare:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register/memory with register</td>
<td>0 1 1 1 0 1 w</td>
<td>mod reg</td>
<td>r/m</td>
</tr>
<tr>
<td>Register with register/memory</td>
<td>0 1 1 1 0 0 w</td>
<td>mod reg</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate with register/memory</td>
<td>1 0 0 0 0 0 s w</td>
<td>mod 1 1 1</td>
<td>r/m</td>
</tr>
<tr>
<td>Immediate with accumulator</td>
<td>0 0 1 1 1 1 0 w</td>
<td>data</td>
<td>data if w = 1</td>
</tr>
<tr>
<td><strong>NEG</strong> = Change sign:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>1 1 1 1 0 1 1 w</td>
<td>mod 0 1 1</td>
<td>r/m</td>
</tr>
<tr>
<td><strong>AAA</strong> = ASCII adjust for add:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>0 0 1 1 0 1 1</td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>DAA</strong> = Decimal adjust for add:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>0 0 1 0 0 1 1</td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>AAS</strong> = ASCII adjust for subtract:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>0 0 1 1 1 1 1</td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>DAS</strong> = Decimal adjust for subtract:</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>0 0 1 0 1 1 1</td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>MUL</strong> = Multiply (unsigned):</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register-Byte</td>
<td>1 1 1 0 1 1 w</td>
<td>mod 1 0 0</td>
<td>r/m</td>
</tr>
<tr>
<td>Register-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Byte</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>IMUL</strong> = Integer multiply (signed):</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register-Byte</td>
<td>1 1 1 0 1 1 w</td>
<td>mod 1 0 1</td>
<td>r/m</td>
</tr>
<tr>
<td>Register-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Byte</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>IMUL</strong> = Integer immediate multiply (signed):</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register-Byte</td>
<td>0 1 1 0 1 0 s 1</td>
<td>mod reg</td>
<td>r/m</td>
</tr>
<tr>
<td>Register-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Byte</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>DIV</strong> = Divide (unsigned):</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register-Byte</td>
<td>1 1 1 0 1 1 w</td>
<td>mod 1 1 0</td>
<td>r/m</td>
</tr>
<tr>
<td>Register-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Byte</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Memory-Word</td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

Shaded areas indicate instructions not available in iAPX 86, 88 microsystems.
### ARITHMETIC (Continued):

- **IDIV** = Integer divide (signed):
  - Register-Byte: 
    - Real: 1111011 w
    - Protected: 1111 r/m
  - Memory-Byte: 
    - Real: 20*
    - Protected: 20*
  - Memory-Word: 
    - Real: 26*
    - Protected: 26*

- **AAM** = ASCII adjust for multiply
  - Address: 11010100 00000101

- **AAD** = ASCII adjust for divide
  - Address: 11010101 00000101

- **CBW** = Convert byte to word
  - Address: 10011000

- **CWO** = Convert word to double word
  - Address: 10011001

### FUNCTION FORMAT:

- **Address**
  - Mode
  - Address

### CLOCK COUNT COMMENTS

<table>
<thead>
<tr>
<th>FUNCTION</th>
<th>CLOCK COUNT</th>
<th>COMMENTS</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>ARITHMETIC (Continued):</strong></td>
<td></td>
<td></td>
</tr>
<tr>
<td>IDIV = Integer divide (signed):</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register-Byte</td>
<td>17</td>
<td>6</td>
</tr>
<tr>
<td>Memory-Byte</td>
<td>20*</td>
<td>2,6</td>
</tr>
<tr>
<td>Memory-Word</td>
<td>26*</td>
<td>2,6</td>
</tr>
<tr>
<td>AAM = ASCII adjust for multiply</td>
<td>16</td>
<td></td>
</tr>
<tr>
<td>AAD = ASCII adjust for divide</td>
<td>14</td>
<td></td>
</tr>
<tr>
<td>CBW = Convert byte to word</td>
<td>2</td>
<td></td>
</tr>
<tr>
<td>CWO = Convert word to double word</td>
<td>2</td>
<td></td>
</tr>
<tr>
<td>Logic</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Shift/rotate instructions:</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register/Memory by 1</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register/Memory by CL</td>
<td>5+i,8+i*</td>
<td>2,9</td>
</tr>
<tr>
<td>Register/Memory by Count</td>
<td>5+i,8+i*</td>
<td>2,9</td>
</tr>
<tr>
<td>AND = And:</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Reg/memory and register to either</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Immediate to register/memory</td>
<td>3,7*</td>
<td>2,9</td>
</tr>
<tr>
<td>Immediate to accumulator</td>
<td>3</td>
<td></td>
</tr>
<tr>
<td>TEST = And function to flags, no result:</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Register/memory and register</td>
<td>2,6*</td>
<td>2,9</td>
</tr>
<tr>
<td>Immediate data and register/memory</td>
<td>3,6*</td>
<td>2,9</td>
</tr>
<tr>
<td>Immediate data and accumulator</td>
<td>3</td>
<td></td>
</tr>
<tr>
<td>OR = Or:</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Reg/memory and register to either</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Immediate to register/memory</td>
<td>3,7*</td>
<td>2,9</td>
</tr>
<tr>
<td>Immediate to accumulator</td>
<td>3</td>
<td></td>
</tr>
<tr>
<td>XOR = Exclusive or:</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Reg/memory and register to either</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Immediate to register/memory</td>
<td>3,7*</td>
<td>2,9</td>
</tr>
<tr>
<td>Immediate to accumulator</td>
<td>3</td>
<td></td>
</tr>
<tr>
<td>NOT = Invert register/memory</td>
<td>2,7*</td>
<td>2,9</td>
</tr>
</tbody>
</table>

### STRING MANIPULATION:

<table>
<thead>
<tr>
<th>FUNCTION</th>
<th>CLOCK COUNT</th>
<th>COMMENTS</th>
</tr>
</thead>
<tbody>
<tr>
<td>MOVS = Move byte/word</td>
<td>5</td>
<td>2,9</td>
</tr>
<tr>
<td>CMPS = Compare byte/word</td>
<td>8</td>
<td>2,9</td>
</tr>
<tr>
<td>SCAS = Scan byte/word</td>
<td>7</td>
<td>2,9</td>
</tr>
<tr>
<td>LDS = Load byte/word to AL/Ax</td>
<td>5</td>
<td>2,9</td>
</tr>
<tr>
<td>STDS = Store byte/word from AL/Ax</td>
<td>3</td>
<td>2,9</td>
</tr>
<tr>
<td>INBS = Input byte/word from DX port</td>
<td>5</td>
<td>2,9,14</td>
</tr>
<tr>
<td>OUTS = Output byte/word to DX port</td>
<td>5</td>
<td>2,9,14</td>
</tr>
</tbody>
</table>

Shaded areas indicate instructions not available in iAPX 86, 88 microsystems.
### FUNCTION

<table>
<thead>
<tr>
<th>FUNCTION</th>
<th>FORMAT</th>
<th>CLOCK COUNT</th>
<th>COMMENTS</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>STRING MANIPULATION (Continued):</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Repeated by count in CX</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>MOV = Move string</strong></td>
<td>1 1 1 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 w</td>
<td>5 + 4n</td>
<td>5 + 4n</td>
</tr>
<tr>
<td><strong>CMPS = Compare string</strong></td>
<td>1 1 1 1 0 0 1 0 1 0 1 0 1 1 1 w</td>
<td>5 + 9n</td>
<td>5 + 9n</td>
</tr>
<tr>
<td><strong>SCAS = Scan string</strong></td>
<td>1 1 1 1 0 0 1 0 1 0 1 1 1 w</td>
<td>5 + 8n</td>
<td>5 + 8n</td>
</tr>
<tr>
<td><strong>LODS = Load string</strong></td>
<td>1 1 1 1 0 0 1 0 1 0 1 1 0 1 0 w</td>
<td>5 + 4n</td>
<td>5 + 4n</td>
</tr>
<tr>
<td><strong>STD = Store string</strong></td>
<td>1 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 0 1 0 w</td>
<td>4 + 3n</td>
<td>4 + 3n</td>
</tr>
<tr>
<td><strong>INS = Input string</strong></td>
<td>1 1 1 1 0 0 1 0 0 1 0 1 0 1 1 0 1 0 1 0 1 0 w</td>
<td>5 + 4n</td>
<td>5 + 4n</td>
</tr>
<tr>
<td><strong>OUTS = Output string</strong></td>
<td>1 1 1 1 0 0 1 0 0 1 0 1 0 1 1 1 w</td>
<td>5 + 4n</td>
<td>5 + 4n</td>
</tr>
</tbody>
</table>

### CONTROL TRANSFER

<table>
<thead>
<tr>
<th>CALL = Call:</th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>Direct within segment</td>
<td>1 1 1 0 1 0 0 0 disp-low disp-high</td>
<td>7 + m</td>
<td>7 + m</td>
</tr>
<tr>
<td>Register/memory indirect within segment</td>
<td>1 1 1 1 1 1 1 1 mod 0 1 0 r/m</td>
<td>7 + m,11 + m/2 7 + m,11 + m/2</td>
<td>2,8 9,18</td>
</tr>
<tr>
<td>Direct intersegment</td>
<td>1 0 0 1 1 0 1 0 segment offset</td>
<td>13 + m</td>
<td>26 + m</td>
</tr>
<tr>
<td><strong>Protected Mode Only (Direct Intercsegment):</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Via call gate to same privilege level</td>
<td>41 + m</td>
<td>8,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via call gate to different privilege level, no parameters</td>
<td>42 + m</td>
<td>8,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via call gate to different privilege level, x parameters</td>
<td>16 + 4k + m</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via TSS</td>
<td>177 + n</td>
<td>8,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via task gate</td>
<td>117 + m</td>
<td>8,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Indirect intersegment</td>
<td>1 1 1 1 1 1 1 mod 0 1 1 r/m (mod + 11)</td>
<td>15 + m</td>
<td>25 + m</td>
</tr>
<tr>
<td><strong>Protected Mode Only (Indirect Intercsegment):</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Via call gate to same privilege level</td>
<td>44 + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via call gate to different privilege level, no parameters</td>
<td>51 + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via call gate to different privilege level, x parameters</td>
<td>16 + 4k + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via TSS</td>
<td>180 + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via task gate</td>
<td>195 + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td><strong>JMP = Unconditional jump:</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Short/long</td>
<td>1 1 1 0 1 0 1 1 disp-low</td>
<td>7 + m</td>
<td>7 + m</td>
</tr>
<tr>
<td>Direct within segment</td>
<td>1 1 1 0 1 0 0 1 disp-low disp-high</td>
<td>7 + m</td>
<td>7 + m</td>
</tr>
<tr>
<td>Register/memory indirect within segment</td>
<td>1 1 1 1 1 1 1 mod 1 0 0 r/m</td>
<td>7 + m,11 + m/2 7 + m,11 + m/2</td>
<td>2,8 9,18</td>
</tr>
<tr>
<td>Direct intersegment</td>
<td>1 1 0 1 0 1 0 0 segment offset</td>
<td>11 + m</td>
<td>23 + m</td>
</tr>
<tr>
<td><strong>Protected Mode Only (Direct Intercsegment):</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Via call gate to same privilege level</td>
<td>14 + m/4</td>
<td>8,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via TSS</td>
<td>115 + m/4</td>
<td>8,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via task gate</td>
<td>116 + m/4</td>
<td>8,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Indirect intersegment</td>
<td>1 1 1 1 1 1 1 mod 1 0 1 r/m (mod + 11)</td>
<td>15 + m/4</td>
<td>25 + m/4</td>
</tr>
<tr>
<td><strong>Protected Mode Only (Indirect Intercsegment):</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Via call gate to same privilege level</td>
<td>41 + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via TSS</td>
<td>178 + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td>Via task gate</td>
<td>183 + m/4</td>
<td>8,9,11,12,18</td>
<td></td>
</tr>
<tr>
<td><strong>RET = Return from CALL:</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Within segment</td>
<td>1 1 1 0 0 0 0 1 1</td>
<td>11 + m</td>
<td>11 + m</td>
</tr>
<tr>
<td>Within seg adding immerted to SP</td>
<td>1 1 1 0 0 0 0 1 0 data-low data-high</td>
<td>11 + m</td>
<td>11 + m</td>
</tr>
<tr>
<td>Intercsegment</td>
<td>1 1 1 0 0 1 0 1 1</td>
<td>15 + m</td>
<td>25 + m</td>
</tr>
<tr>
<td>Intercsegment adding immediate to SP</td>
<td>1 1 1 0 0 1 0 1 0 data-low data-high</td>
<td>15 + m</td>
<td>2 8,9,11,12,18</td>
</tr>
<tr>
<td><strong>Protected Mode Only (RET):</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>To different privilege level</td>
<td>55 + m</td>
<td>9,11,12,18</td>
<td></td>
</tr>
</tbody>
</table>

Shaded areas indicate instructions not available in iAPX 86, 88 microsystems.
## 80286 INSTRUCTION SET SUMMARY (Continued)

<table>
<thead>
<tr>
<th>FUNCTION</th>
<th>FORMAT</th>
</tr>
</thead>
<tbody>
<tr>
<td>JZJE / JZ / JEQ – Jump on equal/zero</td>
<td>0 1 1 1 0 0 1 0</td>
</tr>
<tr>
<td>JNE/JNZ / JNZ – Jump on not equal/zero or not zero</td>
<td>0 1 1 1 0 0 0 0</td>
</tr>
<tr>
<td>JG / JGEO / JG – Jump on greater or equal</td>
<td>0 1 1 1 0 1 1 0</td>
</tr>
<tr>
<td>JL / JLE / JLE – Jump on less or equal/not greater</td>
<td>0 1 1 1 0 1 1 1</td>
</tr>
<tr>
<td>JNP / JPO / JPO – Jump on not par/parity odd</td>
<td>0 1 1 1 1 0 0 1</td>
</tr>
<tr>
<td>LOOPZ/LOOPE / LOOPZ – Loop on zero/equal</td>
<td>1 1 0 0 0 0 0</td>
</tr>
<tr>
<td>LOOPNZ/LOOPNE / LOOPNZ – Loop on not zero/equal</td>
<td>1 1 0 0 0 0 1</td>
</tr>
<tr>
<td>JCXZ – Jump on CX zero</td>
<td>1 1 0 0 0 1 1</td>
</tr>
</tbody>
</table>

### ENTER
- Enter Procedure: 1 1 0 0 1 0 0 0
  - data-low: data-high: L
  - L = 0: 11
  - L = 1: 15
  - L > 1: 16 + (L-1)

### LEAVE
- Leave Procedure: 1 1 0 0 0 1 1

### INT
- Interrupt: Specified Type: 1 1 0 0 1 1 0 1
  - 23 + m
- Type 3: 1 1 0 0 1 1 0 0
  - 23 + m

### INTO
- Interrupt on overflow: 1 1 0 0 1 1 0 0
  - 24 + m + 1
  - (if trap interrupt) (overflow interrupt)

### Protected Mode Only:
- Via interrupt or trap gate to same privilege level: 40 + m
- Via interrupt or trap gate to different privilege level: 78 + m
- Via Task Gate: 167 + m

### IRET
- Interrupt return: 1 1 0 0 1 1 1 1
  - 17 + m
  - 31 + m
  - 2.4

### Protected Mode Only:
- To different privilege level: 55 + m
- To different task (NT = 1): 169 + m

### BOUND
- Detect value out of range: 0 1 1 0 0 0 1 0
  - mod reg / m
  - 13
  - (use INT stack count for exception 0)

Shaded areas indicate instructions not available in iAPX 86, 88 microsystems.
80286 INSTRUCTION SET SUMMARY (Continued)

<table>
<thead>
<tr>
<th>FUNCTION</th>
<th>FORMAT</th>
<th>CLOCK COUNT</th>
<th>COMMENTS</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>PROCESSOR CONTROL</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>CLC = Clear carry</td>
<td>11111000</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>CMC = Complement carry</td>
<td>11110101</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>STC = Set carry</td>
<td>11111001</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>CLD = Clear direction</td>
<td>11111100</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>STD = Set direction</td>
<td>11111101</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>CLI = Clear interrupt</td>
<td>11111010</td>
<td>3</td>
<td>3</td>
</tr>
<tr>
<td>STI = Set interrupt</td>
<td>11111011</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>HLT = Halt</td>
<td>11110100</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>WAIT = Wait</td>
<td>10011011</td>
<td>3</td>
<td>3</td>
</tr>
<tr>
<td>LOCK = Bus lock prefix</td>
<td>11110000</td>
<td>0</td>
<td>0</td>
</tr>
<tr>
<td>CTS = Clear task switched flag</td>
<td>000011110 0000110</td>
<td>2</td>
<td>2</td>
</tr>
<tr>
<td>ESC = Processor Extension Escape</td>
<td>11011111 mod LLI</td>
<td>9-20°</td>
<td>9-20°</td>
</tr>
<tr>
<td>SEG = Segment Override Prefix</td>
<td>001 reg 110</td>
<td>0</td>
<td>0</td>
</tr>
<tr>
<td><strong>PROTECTION CONTROL</strong></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>LGDT = Load global descriptor table register</td>
<td>000011110 00000001</td>
<td>11°</td>
<td>11°</td>
</tr>
<tr>
<td>SGDT = Store global descriptor table register</td>
<td>000011110 00000001</td>
<td>11°</td>
<td>11°</td>
</tr>
<tr>
<td>LDIT = Load interrupt descriptor table register</td>
<td>000011110 00000001</td>
<td>12°</td>
<td>12°</td>
</tr>
<tr>
<td>SIDT = Store interrupt descriptor table register</td>
<td>000011110 00000001</td>
<td>12°</td>
<td>12°</td>
</tr>
<tr>
<td>LLDT = Load local descriptor table register from regular memory</td>
<td>000011110 00000000</td>
<td>17,19°</td>
<td>1</td>
</tr>
<tr>
<td>SLDT = Store local descriptor table register to regular memory</td>
<td>000011110 00000000</td>
<td>2,3°</td>
<td>1</td>
</tr>
<tr>
<td>LTR = Load task register from regular memory</td>
<td>000011110 00000000</td>
<td>17,19°</td>
<td>1</td>
</tr>
<tr>
<td>STR = Store task register to regular memory</td>
<td>000011110 00000000</td>
<td>2,3°</td>
<td>1</td>
</tr>
<tr>
<td>LMSW = Load machine status word from regular memory</td>
<td>000011110 00000001</td>
<td>3,6°</td>
<td>3,6°</td>
</tr>
<tr>
<td>SMSW = Store machine status word</td>
<td>000011110 00000001</td>
<td>2,3°</td>
<td>2,3°</td>
</tr>
<tr>
<td>LAR = Load access rights from regular memory</td>
<td>000011110 00000010</td>
<td>14,16°</td>
<td>1</td>
</tr>
<tr>
<td>LSL = Load segment limit from regular memory</td>
<td>000011110 00000010</td>
<td>14,16°</td>
<td>1</td>
</tr>
<tr>
<td>ARPL = Adjust requested privilege level from regular memory</td>
<td>000011110 00000011</td>
<td>10°,11°</td>
<td>2</td>
</tr>
<tr>
<td>VERR = Verify read access: register/memory</td>
<td>000011110 00000000</td>
<td>14,16°</td>
<td>1</td>
</tr>
<tr>
<td>VERR = Verify write access:</td>
<td>000011110 00000011</td>
<td>14,16°</td>
<td>1</td>
</tr>
</tbody>
</table>

Shaded areas indicate instructions not available in iAPX 86, 88 microsystems.
Footnotes

The effective Address (EA) of the memory operand is computed according to the mod and r/m fields:

- If mod = 11 then r/m is treated as a REG field.
- If mod = 00 then DISP = 0*, disp-low and disp-high are absent.
- If mod = 01 then DISP = disp-low sign-extended to 16-bits, disp-high is absent.
- If mod = 10 then DISP = disp-high: disp-low.

If r/m = 000 then EA = (BX) + (SI) + DISP
If r/m = 001 then EA = (BX) + (DI) + DISP
If r/m = 010 then EA = (BP) + (SI) + DISP
If r/m = 011 then EA = (BP) + (DI) + DISP
If r/m = 100 then EA = (SI) + DISP
If r/m = 101 then EA = (DI) + DISP
If r/m = 110 then EA = (BP) + DISP*
If r/m = 111 then EA = (BX) + DISP

DISP follows 2nd byte of instruction (before data if required)

*except if mod = 00 and r/m = 110 then EA = disp-high: disp-low.

REG is assigned according to the following table:

<table>
<thead>
<tr>
<th>16-Bit (w = 1)</th>
<th>8-Bit (w = 0)</th>
</tr>
</thead>
<tbody>
<tr>
<td>000 AX</td>
<td>000 AL</td>
</tr>
<tr>
<td>001 CX</td>
<td>001 CL</td>
</tr>
<tr>
<td>010 DX</td>
<td>010 DL</td>
</tr>
<tr>
<td>011 BX</td>
<td>011 BL</td>
</tr>
<tr>
<td>100 SP</td>
<td>100 AH</td>
</tr>
<tr>
<td>101 BP</td>
<td>101 CH</td>
</tr>
<tr>
<td>110 SI</td>
<td>110 DH</td>
</tr>
<tr>
<td>111 DI</td>
<td>111 BH</td>
</tr>
</tbody>
</table>

The physical addresses of all operands addressed by the BP register are computed using the SS segment register. The physical addresses of the destination operands of the string primitive operations (those addressed by the DI register) are computed using the ES segment, which may not be overridden.

SEGMENT OVERRIDE PREFIX

0 0 1 reg 1 1 0

reg is assigned according to the following:

<table>
<thead>
<tr>
<th>Segment</th>
<th>Register</th>
</tr>
</thead>
<tbody>
<tr>
<td>00</td>
<td>ES</td>
</tr>
<tr>
<td>01</td>
<td>CS</td>
</tr>
<tr>
<td>10</td>
<td>SS</td>
</tr>
<tr>
<td>11</td>
<td>DS</td>
</tr>
</tbody>
</table>
Appendix
iAPX 86/88 Software Compatibility Considerations
## Contents

List of Minor Differences Between iAPX 86 and iAPX 286 (Real Mode) ..... D-1
APPENDIX D
iAPX 86/88 SOFTWARE COMPATIBILITY CONSIDERATIONS

In general, the real address mode iAPX 286 will correctly execute ROM-based iAPX 86/88 software. The following is a list of the minor differences between iAPX 86 and iAPX 286 (Real mode).

1. Add Six Interrupt Vectors.

The iAPX 286 adds six interrupts which arise only if the iAPX 86/88 program has a hidden bug. These interrupts occur only for instructions which were undefined on the 8086/8088 or if a segment wraparound is attempted. It is recommended that you add an interrupt handler to the iAPX 86/88 software that is to be run on the iAPX 286, which will treat these interrupts as invalid operations.

This additional software does not significantly affect the existing iAPX 86/88 software because the interrupts do not normally occur and should not already have been used since they are in the interrupt group reserved by Intel. Table D-1 describes the new iAPX 286 interrupts.

2. Do not Rely on iAPX 86/88 Instruction Clock Counts.

The iAPX 286 takes fewer clocks for most instructions than the iAPX 86/88. The areas to look into are delays between I/O operations, and assumed delays in iAPX 86/88 operating in parallel with an 8087.

3. Divide Exceptions Point at the DIV Instruction.

Any interrupt on the iAPX 286 will always leave the saved CS:IP value pointing at the instruction which failed. On the iAPX 86/88, the CS:IP value saved for a divide exception points at the next instruction.

4. Use Interrupt 16 for Numeric Exceptions.

Any iAPX 286/20 system must use interrupt vector 16 for the numeric error interrupt. If an iAPX 86/20 or iAPX 88/20 system uses another vector for the 8087 interrupt, both vectors should point at the numeric error interrupt handler.

Table D-1. New iAPX 286 Interrupts

<table>
<thead>
<tr>
<th>Interrupt Number</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>5</td>
<td>A BOUND instruction was executed with a register value outside the two limit values.</td>
</tr>
<tr>
<td>6</td>
<td>An undefined opcode was encountered.</td>
</tr>
<tr>
<td>7</td>
<td>The EM bit in the MSW has been set and an ESC instruction was executed. This interrupt will also occur on WAIT instructions if TS is set.</td>
</tr>
<tr>
<td>8</td>
<td>The interrupt table limit was changed by the L1DT instruction to a value between 20H and 42H. The default limit after reset is 3FFH, enough for all 256 interrupts.</td>
</tr>
<tr>
<td>9</td>
<td>A processor extension data transfer exceeded offset OFFFFH in a segment. This interrupt handler must execute FNINIT before any ESC or WAIT instruction is executed.</td>
</tr>
<tr>
<td>13</td>
<td>Segment wraparound was attempted by a word operation at offset OFFFFH. A push with SP=1 during PUSH, CALL, or INT will also cause this.</td>
</tr>
</tbody>
</table>

The saved CS:IP value in the NPX environment save area will point at any leading prefixes before an ESC instruction. On iAPX 86/88 systems, this value points only at the ESC instruction.


iAPX 86/88 instructions like POP CS or MOV CS,op will either cause exception 6 (undefined opcode) or perform a protection setup operation like LIDT on the iAPX 286. Undefined bit encodings for bits 5-3 of the second byte of POP MEM or PUSH MEM will cause exception 13 on the iAPX 286.

7. Place a Far JMP Instruction at FFFFFOH.

After reset, CS:IP = F000:FFFF0 on the iAPX 286. This change was made to allow sufficient code space to enter protected mode without reloading CS. Placing a far JMP instruction at FFFFFOH will avoid this difference. Note that the BOOTSTRAP option of LOC86 will automatically generate this jump instruction.

8. Do not Rely on the Value Written by PUSH SP.

The iAPX 286 will push a different value on the stack for PUSH SP than the iAPX 86/88. If the value pushed is important, replace PUSH SP instructions with the following three instructions:

PUSH BP
MOV BP,SP
XCHG BP,[BP]

This code functions as the iAPX 86/88 PUSH SP instruction on the iAPX 286.

9. Do not Shift or Rotate by More than 31 Bits.

The iAPX 286 masks all shift/rotate counts to the low 5 bits. This MOD 32 operation limits the count to a maximum of 31 bits. With this change, the longest shift/rotate instruction is 39 clocks. Without this change, the longest shift/rotate instruction would be 264 clocks, which delays interrupt response until the instruction completes execution.

10. Do not Duplicate Prefixes.

The iAPX 286 sets an instruction length limit of 10 bytes. The only way to violate this limit is by duplicating a prefix two or more times before an instruction. Exception 6 occurs if the instruction length limit is violated. The iAPX 86 or 88 has no instruction length limit.

11. Do not Rely on Odd iAPX 86/88 LOCK Characteristics.

The LOCK prefix and its corresponding output signal should only be used to prevent other bus masters from interrupting a data movement operation. The iAPX 286 will always assert LOCK during an XCHG instruction with memory (even if the LOCK prefix was not used). LOCK should only be used with the XCHG, MOV, MOVS, INS, and OUTS instructions.

The iAPX 286 LOCK signal will not go active during an instruction prefetch.


The priority of the iAPX 286 single step interrupt is different from that of the iAPX 86/88. This change was made to prevent an external interrupt from being single-stepped if it occurs while single stepping through a program. The iAPX 286 single step interrupt has higher priority than any external interrupt.
The iAPX 286 will still single step through an interrupt handler invoked by INT instructions or an instruction exception.

13. Do not Rely on IDIV Exceptions for Quotients of 80H or 8000H.

The iAPX 286 can generate the largest negative number as a quotient for IDIV instructions. The iAPX 86 will instead cause exception 0.

14. Do not Rely on NMI Interrupting NMI Handlers.

After an NMI is recognized, the NMI input and processor extension limit error interrupt is masked until the first IRET instruction is executed.

15. The NPX error signal does not pass through an interrupt controller (an 8087 INT signal does). Any interrupt controller-oriented instructions for the iAPX 86/20 may have to be deleted.
U.S. SALES OFFICES

ALABAMA
Intel Corp.
333 Williams Avenue, S.W.
Suite 1422
Huntsville 35801
Tel: (205) 533-9533

ARIZONA
Intel Corp.
1010 Hurley Way
Suite 300
Sarasota 85825
Tel: (916) 929-4078

CALIFORNIA
Intel Corp.
Inlel Corp.
Tel: (503) 641-1000
TWX: 510-461-2077

COLORADO
Intel Corp.
2000 East 4th Street
Suite 100
Colorado Springs 80907
Tel: (714) 268-3563

CONNECTICUT
Intel Corp.
650 S. Cherry Street
Suite 720
Lauderdale 33309
Tel: (213) 708-0333

DELAWARE
Intel Corp.
4445 Northpark Drive
Suite 100
Delaware Springs 88007
Tel: (303) 594-6522

FLORIDA
Intel Corp.
1500 N.W. 62nd Street
Suite 104
Fort Lauderdale 33309
Tel: (303) 771-0000
TWX: 510-955-9407

GEORGIA
Intel Corp.
3200 Holcomb Bridge Road
Suite 225
Norcross 30092
Tel: (703) 449-2041

ILLINOIS
Intel Corp.*
2550 Golf Road
Suite 815
Rolling Meadows 60008
Tel: (703) 591-7200
TWX: 910-651-5881

INDIANA
Intel Corp.
9100 Purdue Road
Suite 400
Indianapolis 46268
Tel: (317) 875-0823

IOWA
Intel Corp.
St. Andrews Building
1555 St. Andrews Drive N.E.
Cedar Rapids 52402
Tel: (319) 395-5110

KANSAS
Intel Corp.
6400 W. 110th Street
Suite 170
Overland Park 66210
Tel: (913) 642-8080

LOUISIANA
Intel Corp.
1350 Shorebird Way
Mt. View 84043
Tel: (415) 958-8086
TWX: 810-339-9279
910-338-9255

MASSACHUSETTS
Intel Corp.
1500 N.W. 62nd Street
Suite 104
Fort Lauderdale 33309
Tel: (303) 641-2200
TWX: 510-461-2077

MICHIGAN
Intel Corp.
27 Industrial Avenue
Chesterfield 81824
Tel: (716) 275-1600
TWX: 716-343-2333

MINNESOTA
Intel Corp.
2050 W. 80th Street
Suite 360
Bloomington 55431-3309
Tel: (612) 835-6722
TWX: 910-516-2887

MISSISSIPPI
Intel Corp.
4203 Earth City Expressway
Suite 131
Earth City 63045
Tel: (314) 291-1990

MISSOURI
Tel: (205) 533-9533

NEW JERSEY
Intel Corp.*
Raritan Plaza III
Raritan Center
Edison 08837
Tel: (201) 225-3000
TWX: 716-450-6238

NEW MEXICO
Intel Corp.
1120 Juan Tabo N.E.
Albuquerque 87112
Tel: (505) 292-8086

NEW YORK
Intel Corp.*
300 Vanderbilt Motor Parkway
Hauppauge 11788
Tel: (516) 231-3300
TWX: 510-227-0926

NY
Tel: (516) 473-2302
TWX: 510-248-0000

NORTH CAROLINA
Intel Corp.
2306 W. Meadowview Road
Suite 206
Greensboro 27407
Tel: (919) 294-1541

OHIO
Intel Corp.*
6500 Pleas Avenue
Dayton 45414
Tel: (513) 755-5700
TWX: 710-862-1944

PENNSYLVANIA
Intel Corp.*
510 Pennsylvania Avenue
Fort Washington 19034
Tel: (215) 641-1000
TWX: 510-461-2077

TENNESSEE
Intel Corp.*
201 First Center Boulevard
Suite 301W
Pittsburgh 15235
Tel: (412) 833-4870

TEXAS
Intel Corp.*
12330 Ford Road
Suite 380
Dallas 75234
Tel: (214) 241-8087
TWX: 910-805-5817

UTAH
Intel Corp.
15235 N. Sunnyslope Road
Suite 130
Salt Lake City 84105
Tel: (801) 752-3624

VIRGINIA
Intel Corp.
1600 Santa Rosa Road
Suite 118
Richmond 23228
Tel: (804) 782-5568

WASHINGTON
Intel Corp.
110 11th Avenue N.E.
Suite 510
Bellevue 89804
Tel: (205) 453-8086
TWX: 910-443-3002

WISCONSIN
Intel Corp.
450 N. Sunnyvale Road
Suite 130
Brookfield 53005
Tel: (414) 784-9500

*Field Application Location
U.S. DISTRIBUTORS

NEW YORK (Continued)
†Harvey Electronics
60 Crossways Park West
Woodbury, Long Island 11797
Tel: (516) 921-8700
TWX: 510-221-2184
†Harvey/Rochester
840 Fairport Park
Fairport 14450
Tel: (716) 381-7070
TWX: 510-253-7001
†MTI Systems Sales
38 Harbor Park Drive
Port Washington 11050
Tel: (516) 621-8200
TWX: 510-223-3846

NORTH CAROLINA
†Arrow Electronics, Inc.
528 Burke Street
Winston-Salem 27101
Tel: (919) 725-8711
TWX: 510-459-1622
Tel:
TWX: 810-450-2531
†arrow Electronics, Inc.
3117 Poplarwood Court
Suite 123
Raleigh 27609
Tel: (919) 876-3132
TWX: 510-928-1856
†Harvey Electronics
2903 Industrial Drive
Raleigh 27609
Tel: (919) 829-9030
TWX: 510-925-1335
†Pioneer/Carolina
103 Industrial Avenue
Greenboro 27406
Tel: (336) 273-4441
TWX: 510-925-1174

OHIO
†Arrow Electronics, Inc.
7620 McEwen Road
Cantonville 45459
Tel: (513) 435-5563
TWX: 510-459-1611
†Arrow Electronics, Inc.
6238 Cheyenne Road
SOLON 44139
Tel: (216) 248-3990
TWX: 510-645-1611
†Hamilton/Avnet Electronics
954 Senate Drive
Dayton 45459
Tel: (513) 433-0910
TWX: 510-455-2531
†Hamilton/Avnet Electronics
4588 E. 131st Street
Cleveland 44105
Tel: (216) 587-3600
TWX: 510-422-2111

OKLAHOMA
†Arrow Electronics, Inc.
4719 S. Memorial Drive
Tulsa 74145
Tel: (918) 665-7700

OREGON
†Arrow Electronics Corporation
4022 S.W. Nimbus, Bldg. 7
Beaverton 97005
Tel: (503) 641-9070
TWX: 910-457-8713
†Hamilton/Avnet Electronics
6024 S.W. Jan Road
Bldg. C, Suite 10
Lake Oswego 97234
Tel: (553) 635-7848
TWX: 910-455-8179

PENNSYLVANIA
†Arrow Electronics, Inc.
450 Secc Road
Monroeville 15148
Tel: (412) 856-7000
†Pioneer/Pittsburgh
259 Kappa Drive
Pittsburgh 15238
Tel: (412) 782-2300
TWX: 712-795-3122
†Pioneer/Delaware Valley
261 Goteiner Road
Horsham 19044
Tel: (215) 674-4100
TWX: 510-665-5778

TEXAS
†Arrow Electronics, Inc.
13715 Gama Road
Dallas 75234
Tel: (214) 385-7500
TWX: 910-860-5377
†Arrow Electronics, Inc.
10760 Corporate Drive
Suite 100
Stafford 77477
Tel: (713) 491-4100
TWX: 910-860-4439
†Arrow Electronics, Inc.
10125 Metropolitan
Austin 78758
Tel: (512) 835-4100
†Arrow Electronics, Inc.
14320 N.E. 21st Street
Bellevue 98007
TWX: 910-444-2317
†Hamilton/Avnet Electronics
4212 N.E. 21st Street
Bellevue 98005
Tel: (206) 453-5874
TWX: 510-443-2465

UTAH
†Arrow Electronics Corporation
1585 West 2100 South
Salt Lake City 84119
Tel: (801) 972-2800
TWX: 910-525-4108
†Arrow Electronics, Inc.
4980 Amelia Earhart Drive
Salt Lake City 84112
Tel: (801) 539-1135

WASHINGTON
†Arrow Electronics Corporation
14350 S.E. Eastgate Way
Bellevue 98017
Tel: (206) 643-9992
TWX: 910-444-2267
†Arrow Electronics, Inc.
14320 N.E. 21st Street
Bellevue 98007
Tel: (206) 643-4800
TWX: 910-444-2317
†Hamilton/Avnet Electronics
14212 N.E. 21st Street
Bellevue 98005
Tel: (206) 453-5874
TWX: 510-443-2465

WISCONSIN
†Arrow Electronics, Inc.
430 W. Rauscher Avenue
Oak Creek 53154
Tel: (414) 764-6000
TWX: 919-262-1193
†Hamilton/Avnet Electronics
2915 Moorland Road
New Berlin 53151
Tel: (414) 794-4510
TWX: 910-262-1182

†Microcomputer System Technical Demonstrator Centers
INTEL EUROPEAN SALES OFFICES

BELGIUM
Intel Corporation S.A.
Perc Sery
Rue du Moulin a papier 51
B-1160 Brussels
Tel: (02) 661 07 11
TELEX: 24814
DENMARK
Intel Denmark A/S
Lynghavn 28, 2nd Floor
DK-3100 Copenhagen East
Tel: (05) 18 03 00
TELEX: 19637
FINLAND
Intel Finland OY
Hanserti 1A
SF-00550 Helsinki 55
Tel: (09) 754 553
TELEX: 123332
FRANCE
Intel Corporation, S.A.R.L.*
5 Place de la Balance
92831 Nanterre Cedex
Tel: (01) 60 22 21
TELEX: 270475
Inelco
Rotemuehlgasse 26
7012 Feldbach
Österreich
Tel: (711) 58 00 82
TELEX: 7324861 INT D
MultiKomponent
DECADE Ltd.
Vallon de Rove 37
7012 Feldbach
Österreich
Tel: (711) 58 00 82
TELEX: 7324861 INT D
Nordisk Semiconductor GmbH*
Hønenziolm Strasse 35
3000 Heimberg
Tel: (511) 34 40 81
TELEX: 923635 INT D
Nordisk Semiconductor GmbH*
Over-Ratherstrasse 2
3400 Dusseldorf 30
Tel: (211) 80 10 54
TELEX: 085897 INT D
ISRAEL
Intel Corporation Ltd.*
P.O. Box 1659
Haifa
Tel: (09) 2526 241
TELEX: 45511
ITALY
Intel Corporation Italia Spa*
Milanorr, Piazza E
20094 Asaggio E
Tel: (02) 824 00 06
TELEX: 315183 INT D
Netherlands
Intel Semiconductor Nederland B.V.*
Alexandertuin Building
Marten Meerweg 53
3068 Rotterdam
Tel: (010) 21 33 77
TELEX: 22288
SWITZERLAND
Intel Semiconductor A.G.*
Forchstrasse 66
CH-8102 Zurich
Tel: (01) 55 45 02
TELEX: 57889 CH CH
UNITED KINGDOM
Intel Corporation (U.K.) Ltd.*
5 Hospital Street
Neiasco, London WC2 5RE
Tel: (0727) 628 580
TELEX: 368200 INTEL CH

EUROPEAN DISTRIBUTORS/REPRESENTATIVES

February 1983

AUSTRIA
Bacher Elektronische Geräte GmbH
Rotemuehlgasse 26
A-1120 Vienna
Tel: (0222) 831 96
TELEX: 11532 BASAT A
BECALM
Belgium
Ineco Belgium S.A.
Ave. des Croix de Guerre 94
B-1120 Brussels
Tel: (02) 216 01 80
TELEX: 25441
DENMARK
MulKomponent A/S
Färberparken 21
DK-2600 Goskup
Tel: (02) 45 48 45
TE: 33855
Scandinavian Semiconductor
Supply A/S
Nansgade 18
DK-2200 Copenhagen
Tel: (01) 83 50 90
TELEX: 19637
FINLAND
Oy Fintronic AB
Mekononkatu 24 A
SF-00100 Helsinki 21
Tel: (09) 692 52 22
TELEX: 124 224 Piron SF
FRANCE
Jermyn S A
3 rue Jules Ferry 35
93170 Bagnolet
Tel: (1) 835 04 04
TELEX: 213801 F
Metrologie
La Tour d'Asnières
1 Avenue Laurent Cely
92600-Asnieres
Tel: (1) 781 44 84
TELEX: 611 448
Telesca Artron
Cite des Bruyères
Rue Charles Vernet
F-92310 Scevres
Tel: (01) 534 75 35
TELEX: 204502
WEST GERMANY
Intel Germany GmbH
Seestraße 27
D-8000 München 2
Tel: (89) 53899
TELEX: 06932117 INT D
Intel Semiconductor GmbH*
Mainzer Strasse 75
D-6200 Wiesbaden 1
Tel: (6121) 70 08 74
TELEX: 01462613 INTECH D
Intel Semiconductor GmbH
Blueschneiderstrasse 61
7012 Feldbach
Österreich
Tel: (711) 58 00 82
TELEX: 7324861 INT D
Intel Corporation Ltd.*
Rue du Moulin à papier 51
B-1160 Brussels
Tel: (02) 661 07 11
TELEX: 24814
ITALY
Intel Corporation Italia Spa*
Milanoor, Piazza E
20094 Asaggio E
Tel: (02) 824 00 06
TELEX: 315183 INT D
NETHERLANDS
Intel Semiconductor Nederland B.V.*
Alexandertuin Building
Marten Meerweg 53
3068 Rotterdam
Tel: (010) 21 33 77
TELEX: 22288
FRANCE
Intel Corporation, S.A.R.L.*
5 Place de la Balance
92831 Nanterre Cedex
Tel: (01) 60 22 21
TELEX: 270475
Inelco
Rotemuehlgasse 26
7012 Feldbach
Österreich
Tel: (711) 58 00 82
TELEX: 7324861 INT D
MultiKomponent
DECADE Ltd.
Vallon de Rove 37
7012 Feldbach
Österreich
Tel: (711) 58 00 82
TELEX: 7324861 INT D
Nordisk Semiconductor GmbH*
Hønenziolm Strasse 35
3000 Heimberg
Tel: (511) 34 40 81
TELEX: 923635 INT D
Nordisk Semiconductor GmbH*
Over-Ratherstrasse 2
3400 Dusseldorf 30
Tel: (211) 80 10 54
TELEX: 085897 INT D
ISRAEL
Intel Corporation Ltd.*
P.O. Box 1659
Haifa
Tel: (09) 2526 241
TELEX: 45511
NETHERLANDS
Korning & Hartman
Koperwerk 37
3552 Chisden
Tel: (070) 254 23 20
TELEX: 254236 JERM
NORWAY
Nordisk Elektronikk A/S
Postoffice Box 122
Sandvand 4
1364 Herstad
Tel: (2) 765 210
TELEX: 19663
PORTUGAL
Dirtam
Componentes Elettronica Ltd.
Ave. Miguel Bombarda, 133
210.101
TELEX: 417983
Tel: (1) 859 6288
Spain
Interface SA.
Ronda Pencaledo 22, 3
Barcelona 10
Tel: (02) 301 79 51
TWX: 51508
ITT SESA
Miguel Angel 23-3
Madrid 10
Tel: (1) 419 54 00
TELEX: 27767
SWEDEN
ASI Gosta Backstrom
Box 12009
Tel: (08) 541 080
SWEDEN
ASI Gosta Backstrom
Box 12009
Tel: (08) 541 080
TELEX: 10135
Oekostronesian AB
Sandhamnsgatan 71
S-10354 Stockholm
Tel: (8) 835 040
TELEX: 10547
YUGOSLAVIA
H. R. Microelectronics Enterprises
P.O. Box 5804
San Jose, California 95150
Tel: (408) 878 8900
TELEX: 278-559