Documente Academic
Documente Profesional
Documente Cultură
Once an 80286 is switched into protected mode by executing the LMSW instruction, the
only way to get an 80286 back to its real address mode is by resetting the system.
FEATURES OF 80386:
(2)Control Registers: The 80386 has four32 bit control registers CR0,
CR1, CR2 and CR3.CR0 contains total six flags.PE(Protection enable)PE=0 real
mode PE=1 protected mode ,MP(Math coprocessor Present),EM(Emulate
floating point coprocessor),ET(Extension type)coprocessor attached is
80387,PG(Paging)PG=1 MMU is enable.
•CR1 is reserved while CR2 and CR3 are used for paging mechanism.
(3) Debug Registers: Intel has provide a set of 8 debug
registers for hardware debugging. Out of these eight registers DR0 to
DR7, two registers DR4 and DR5 are Intel reserved.
(4) Test Registers: Intel has provide two test registers(TR6 and
TR7 used for internal testing purpose..
Protected Mode of 80386:
•All the capabilities of 80386 are available for
utilization in its protected mode of operation.
•The 80386 in protected mode support all the software
written for 80286 and 8086 to be executed under the
control of memory management and protection
abilities of 80386.
•The protected mode allows the use of additional
instruction, addressing modes and capabilities of
80386.
ADDRESSING IN PROTECTED MODE: In this mode, the
contents of segment registers are used as selectors
to address descriptors which contain the segment
limit, base address and access rights byte of the
segment.
•The effective address (offset) is added with segment
base address to calculate linear address. This linear
address is further used as physical address, if the
paging unit is disabled, otherwise the paging unit
converts the linear address into physical address.
•The paging unit is a memory management unit
enabled only in protected mode. The paging
mechanism allows handling of large segments of
memory in terms of pages of 4Kbyte size.
•Segments are interpreted differently in Protected Mode vs.
Real Mode:
•Segment register contains a selector that selects a descriptor
from the descriptor table.
•The descriptor contains information about the segment, e.g.,
it's base address, length and access rights.
•The offset can be 32-bits.
63 56 55 52 51 48 47 40 39 16 15 0
15 8 7 0
Base(31-24)
G D X U Limi 6
t
(19-
16)
P DP S T A Base(23-16) 4
Access Rights Byte L Y
P
E
Base(15-0) 2
Limit(15-0) 0
•E.g. if limit field is 003FFh it means that valid offset range is 0000 to
003FFh and the length of the segment is 00400h.
•To define a segment with only 1 byte the limit field would be 00000h.
•Eg. Limit field is 0000 and G=1 the length of segment is 4KB
•Bit40-47 in the segment descriptor define the access right.
Field Posi Meaning Function
tion
A Bit It is set when a segment define A=0 segment has not been accessed
(Access 0 by the descriptor is accessed. A=0 segment has been accessed
bit)
TPYE Bit It define the type of
(segment 1 2 segment(code, data, stack)
type) &3
P(Presen Bit If P=1 segment is physically P=0 segment is not mapped to physical
t bit) 47 present otherwise it is not memory
present. P=1 segment is mapped into physical
•Types of Segment
Type Value Type of Segment
E ED R/W (Data seg. S=1 & E=0)
E C R/W (Code seg. S=1 & E=1)
0 0 0 Data segment, read only
0 0 1 Data segment, read/write
0 1 0 Stack segment, read only
Limit, DPL.
SS
DS
ES
FS
GS
•When an attempt is made to access a segment by loading a segment selector into
the visible part of a segment Register,386 automatically makes several checks.
•To access a data segment for example, the selector might be loaded into the visible part o
the DS,ES,FS or GS register
•First of all it checks to see if the descriptor table indexed by the selector contains a valid
descriptor for that selector. If the selector attempts to access a location outside the limit of
the descriptor table or the location indexed by the selector in the descriptor table does not
contain a valid descriptor, then an exception is produced.
•Second it also checks to see if the segment descriptor is of the right type to be laded into
the specified segment register. for example descriptor for a read only data segment, canno
be loaded into SS register because stack must be able to be Written to. A Selector for the
code segment is “execute only” so can not be loaded in to the DS register.
•If privilege level of the selector and the privilege level of the current code
segment is not as high the privilege level of the descriptor an exception will be
produced an access will not be Allowed.
•If all these protection conditions are met, the limit, base and access right byte of
the segment descriptor are copied in to The invisible part of the segment
register.
•The 386 then checks the P bit of the accesses byte to see if the segment for
descriptor is present in physical memory. If it is not present type 11 exception is
produced the exception handler will read the segment in From disk to physical
memory.
•The address produced by program does not fall outside the limit.
•Attempts to write a code segment or read only data segment will cause an
exception.
15 2 1 0
TI RPL
Example-1
P DP S T A
L Y
P
Example:2
Describe the following descriptor in detail. Selector of this descriptor must be loaded into
which register of 80386 in PM?
00h 40h 6
9Bh 80h 4
00h 00h 2
00h 20h 0
Which are all the checks 80386 will do and will there be exception(s) due to this
checks ?
P DP S T A
L Y
P
E
1 00 1 101 1
Example:3
The following is valid data segment descriptor and already cached in invisible
portion of the DS :
00h CFh 6
91h 00h 4
00h 80h 2
FFh FFh 0
•We can switch from real mode to protected mode by setting PE bit in the CR0 register.
•The protected mode permits memory management, virtual addresses, paging protection and
multitasking capabilities through MMU
•In protected mode for each segment one segment descriptor is created and managed.
•For a multitasking system at a time plenty of segments are in memory, which are parts of
different task. Which needs large number of segment descriptors so that memory areas
described by them are accessed by the processor for executing different task.
•How does the 80386 organize a large number of segment descriptors so that they can be
easily accessed to make references to segment spaces?
•The 80386 organizes the segment descriptors by grouping them in the tables depending on
the purpose of the segment descriptors
GDTR
47 16 15 0
Descriptor
Base Limit Descriptor
Descriptor
IDT(Interrupt Descriptor Table):IDT is used to stores the descriptors for exception handles.
LDT(Local Descriptor Table):LDT is local to a task and can be created per task basis, but it is optional.
•The 80386 protected mode defines only one GDT and IDT whereas LDT can be multiple.
•The protected mode registers GDTR,IDTR and LDTR are used to keep track of GDT ,IDT and LDT in memory respectively.
•The task either use all the descriptors from the GDT if it does not define it own LDT.
•An LDT is not define as independent table, rather its defined as an extension to GDT containing the Base and Limit of the
LDT.
•That means the maximum number of LDT can be 8192 if all the descriptors in the GDT are LDT descriptors.
•Selectors: The 80386 contains six segment registers. The segment registers in the real mode have the same role as 8086.
•The role of segment registers entirely changes in the protected mode, segment register act as selector.
15 2 1 0
TI RPL
Example-3 Given the selector value 2F32h find the table referred to and the index of the
pointed descriptor.
It is pointing to descriptor 1510 in GDT
Descriptor Descriptor
LDTR
Index 0
Descriptor LDT
Descriptor Descriptor
Descriptor Descriptor
GDTR (LDT)
BASE
Descriptor
Memory
GDT
•User task can be protected from each other in a 386system by giving each task
its own local descriptor table .
•The LDT register which points to user’s local descriptor table can only be
changed with the LDTR instruction or by a task switch.
•The LDTR instruction can be executed only at the highest privileged level which
is usually reserved for the operating system.
•Likewise a switch form one task to another task is done by the operating system
At the highest privilege level.
•So, user task operating at lower privilege level cannot cause switch to other user
tasks. Also because of the limit checking , a task cannot accidently or
intentionally access descriptor in the another task local descriptor table.
Two process each of PL = 3 should be allotted segments such that one should not access the segments of
other.
GDTR
GDT
LDTR
LDTR
Per process
Per process
If at all each process should access memory, it has to use the descriptors in its LDTR only
and it cannot change the LDTR/LDT/GDTR/GDT contents as they would be maintained in
a higher privileged memory area.
Introduction to Protection Model:
•The 80386 can run a task at one of the four privilege levels-0,1,2 and 3 where
level-0 is most privileged and level-3 is least privileged.
•The kernel of the operating system perform all the important task like process
management ,memory management and runs at level-0 as it needs to access all
the resources including privileged resources.
•The privilege 0,1 and 2 together called supervisor mode and privilege 3 is
called user mode.
•DPL,CPL,RPL
•DPL(Descriptor privilege level) field of segment descriptor defines the privilege level
of an entire segment. The CPL (Current privilege level) is set to DPL from where the
processor is fetching a instruction.
•The DPL of the segment(CS,DS,SS) is defined at the time of creating the segment
descriptor.
•CPL changes as the process moves from one code segment to other code segment.
•The code segment can access the data at the same or lower privilege levels than the
CPL. The access is allowed if DPL≥maximum(CPL,RPL).
•The code segment can access the stack only at the same privilege level that is only
target DPL=CPL.
•The code segment can transfer the control to another code segment if both are at the
same privilege level.
•The FAR jump or FAR Call instruction can transfer the control directly by
specifying the location within another code segment with the same privilege
level as the CPL.
• There are four types of gates call, interrupt, task and trap.
15 87 0
Destination offset(31-16)
Descriptor
Destination
offset(Call
gate Target Code segment
descriptor)
Descriptor
Descriptor
Memory
Calling Higher privileged code
Code Desc
Correct Incorrect
80386 Multitasking and Exception
Multitasking: The multitasking system allow execution of multiple tasks
from one or more users at the same time using a concept called time
sharing.
•The processor runs a task for a period of a time slice and switches to the
next task waiting for its turn.
•After execution of last task processor comes again to the first task
•This make it mandatory to save the state of the task somehow so that it
can be started next time with the last state, not from the beginning, and
thus the task moves forward towards finishing.
•The concept of multitasking looks very simple raises many issues, solving
which makes the system complex
•The processor needs to remember the correct point to resume the task.
•Not only remember the correct point but also remember the last state
including register flags and other state information.
•The entire state of a task including the execution point, register flags and
other necessary status information is called context of the task.
•Whenever the time slice for the current task is over ,the context of the
task is saved and the context of the next task to be executed to resume it
correctly.
•The process of saving the context of an outgoing task and loading the
context of an incoming task is known as context switching or task
switching.
Task State Segment
•The 80386 uses a special segment called task state segment to save the
context of a task.
•The TSS is described by a system segment descriptor called TSS
descriptor.
•The TSS descriptor can stored only in GDT.
•The Value of TYPE field is 1001 which indicates the TSS is available.
•When task represented by TSS is executing value of TYPE field is 1011.
Base(31-24) GD X U Limit 6
(19-
16)
P DPL S TYPE Base(23-16) 4
(0) 10B 1
Base(15-0) 2
Limit(15-0) 0
•The TSS stores all the general purpose registers including eight extended
registers ,extended instruction pointer ,EFLAG and six segment register.
•Storing the CR3 register in the TSS indicates that the page directory and
the page table can also be changed from task to task.
•The back link field is used to store the selector of the previous task in a
task chain specifically when the task are nested so that it can return to the
calling task.
•The Bit_map field is used for the I/O permission.
•The TSS also store the details of stack(SS and ESP) at privilged level 0 ,1
and 2.
•The worst case is CPL of the task is 3 which needs to access the code at
any higher privileged level 0,1,2.
•For each task one TSS is required to store its context.
•TSS initialized only once when the task is created first time.
Bit_Map offeset - T
- LDT
- GS
- FS
- DS
- SS
- CS
- ES
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
EFLAG
EIP
CR3
- SS2
ESP2
- SS1
ESP1
- SS0
ESP0
Performing A task switching
•TR Register
TSS
TR
TSS
Descriptor
GDT
BASE
Physical Memory
The TSS of the current Task
Task Switching
•Let us see how the execution of the FAR CALL or FAR JMP
instruction causes a task switch.
•One of the operand in the FAR JMP or FAR CALL instruction is
selector value.
•The 80386 provides two different ways for a task switch, one by
directly refereeing to TSS descriptor using it selector value and
second by using Task gate.
•Direct Method
•In this method the task switching instruction(FAR JMP and FAR
CALL) contains directly the selector value of TSS descriptor of the
new task to which the context switch is going to happen.
•The CPL or RPL of the current task, whichever is higher ,must be
privileged enough to refer to the TSS, that is, it must have equal or
higher privilege than that of the TSS. The violation of this rule result
in a general protection fault.
Maximum(CPL,RPL)≥TSS DPL
The format of a Task Gate
15 87 0
P DP (0) TYPE -
L S 0101
Destination Selector(15-0)
-
•Task Gate
•In this method the task switching instruction(FAR JMP and FAR CALL)
contains
The selector value of the task gate which is very similar to the call gate. It is a
system segment descriptor with TYPE=0101.
•The task gate contains only the selector field which contains the selector field
which points to the TSS descriptor of the task to which task switching is to
happen.
•The violation of the following rule result in a general protection fault.
Maximum(CPL,RPL)≥Task gate DPL
Nested Task
•If task switch happens due to execution of a FAR CALL instruction or an
exception or interrupt, the new task or exception runs as the nested task
within the current task. The nesting of more level creates a task chain.
• The 80386 set the NT flag in the EFLAG register if the new task is nested
inside the current task.
•The TSS contains the 16 bit Back Link field to store the selector of the TSS
of the caller task if the task is nested task.
•That means if the NT=1 the back link field is valid and it store the selector
value of the TSS of the caller task.
•The NT=1 indicates the current task is child of the parent task having parent
selector in the Back Link field.
•Task Scheduling
•Who will perform the task switching?
•The operating system contains the software module called scheduler.
•The scheduler has well defined policy to select the next task fro the
execution.
I/O Privilege Levels
•The minimum size of the TSS for a task is 104bytes.However the TSS is
like any other segment and can be as large as 4GB.
•We can Extend the TSS beyond the 104bytes to store some useful
information.
•One such optional information is the I/O permission bit map for the task.
I/O Permission
•We know that the instruction CLI ,STI ,IN,INS,OUT are trusted
instructions which can be executed by the task only if its CPL is
less than or equal to IOPL.
•The IOPL is a 2bit field in the ELAG register and change from task to
task.
•If the I/O permission bit map is defined for the task, we can execute
the I/O instructions even though the standard privileged check fails.
•The field at the offset 0066h in the TSS is the bit map offset.
•It store the offset at which I/O permission bit map starts.
•The I/O permission bit map is sequence of bits ,one for each byte I/O
port address.
•Each bit in the I/O permission bit map correspond to one byte I/O
port address.
•For example, the least significant bit of the first byte is the I/O
permission for the byte 0 ,next for address 1 and so on.
80386 Exception
•The 8086 categorizes interrupts as hardware interrupts, exceptions and
software interrupts
•The 80386 interrupt and interrupt handling in the protected mode is also
similar to 8086 processor.
•The 80386 exceptions are nothing but the interrupts in the 80386 system
including hardware interrupts(maskable and non maskable),software
exceptions and software interrupts(INT n).
•The source of the hardware interrupts are the signals from the external
devices received either on INTR or on NMI pins.
•The interrupt received on INTR are maskable, where as on NMI are non
maskable.
•The software interrupt are caused by executing the INT n instruction ,where
n is the interrupt number or vector number and ranges from 0 to 255.
•The software exceptions occur due to the error condition like privilege
violation, accessing address outside the LIMIT.
There are three types of software exception in 80386.
(1)TRAP:
The software traps are caught after an error occurs. The execution is resumed from the next instruction after
completing the exception handler. They occurs in debugging or breakpoints.
(2)Fault:
The software faults are caught before they occur. Execution is resumed from the instruction that caused the fault.
Privilege violation and segment limit overrun are example of faults.
(3)Abort:
The software abort are caught after an error occurs. The program causing abort is terminated.
•The IDT is like the GDT and 80386 needs only one.
• The IDT stores the descriptors which act as an entry point(gate) for the
corresponding exception handler(ISRs).
•The IDT stores the 256 gate descriptor, one for each vector, as the 80386
recognize a total 256 exception in the protected mode identified by vectors 0
to 255.
•The only difference is that it store the descriptor gates rather than directly
the addresses.
The IDT and Exception handling
•Consider 8 bytes for each descriptor, the size of IDT is 256*8=2KB.
•When an exception occurs , the 80386 gets the vector number which
act as an index into the IDT and the gate descriptor at that index into
the IDT is used to transfer the control to the respective handler.
•The IDTR register store the base and limit of the IDT.
•An interrupt through a interrupt gate change IF but an interrupt
through an trap gate does not resets IF.
•The IDT stores three different types of descriptor
(1)Interrupt Gate Descriptor
(2)Task gate
(3) Trap Gate
GATE 255
IDTR GATE 254
47 40 39 16 15 0
Interrupt Descriptor Table
BASE LIMIT
GATE 2
GATE 1
GATE 0
Memory
The format of a Interrupt Gate Descriptor
15 87 0
Destination offset(31-16)
OFFESET
Vector Number
Interrupt
GDT or LDT
Gate
IDT
SELECTOR Descriptor
15 87 0
Destination offset(31-16)
80h 00h 6
EEh 08h 4
00h 80h 2
00h 00h 0
Prove that it is a valid 80386 interrupt gate descriptor. Now if GDTR=00008000007F, selector of interrupt gate
descriptor will generate any exception? If yes, do the correction in the selector of the above descriptor such that
there would not be any exception. If no ,why?
First check the Limit field base on the interrupt type number of IDT. For this example interrupt type=16d so it
stored at 17th location in the IDT so limit should not be less than 17d. Then check S bit and TYPE field to prove
it valid or not
Second check the destination offset value from the give descriptor it should not be more than the limit specified
in GDTR otherwise it will generate exception.
If an interrupt comes on IR0 pin of 8259 and upper five bits of ICW2 contains 00100 b and
IDTR=00000000007fh, will there be any exception ? If any exception, correct the content of IDTR. The
following is the interrupt Gate descriptor whose content is as follows :
00h 0Fh 6
EEh 00h 4
00h 80h 2
00h 00h 0
IR0 pin of 8259 will set ICW2 register with interrupt type number. upper 5 bits, lower 3 bits are always 0 for ICW2.
D7 D6 D5 D4 D3 D2 D1 D0
0 0 0
ICW2
Paging:
•Paging Operation: Paging is one of the memory
management techniques used for virtual memory
multitasking operating system.
•The segmentation scheme may divide the physical
memory into a variable size segments but the paging
divides the memory into a fixed size pages.
•The segments are supposed to be the logical
segments of the program, but the pages do not have
any logical relation with the program.
•The pages are just fixed size portions of the program
module or data.
•The advantage of paging scheme is that the
complete segment of a task need not be in the
physical memory at any time.
•Only a few pages of the segments, which are
required currently for the execution need to be
available in the physical memory. Thus the
memory requirement of the task is substantially
reduced, relinquishing the available memory for
other tasks.
•Whenever the other pages of task are required
for execution, they may be fetched from the
secondary storage.
•The previous page which are executed, need
not be available in the memory, and hence the
space occupied by them may be relinquished
for other tasks.
•Thus paging mechanism provides an effective
technique to manage the physical memory for
multitasking systems.
•Paging Unit: The paging unit of 80386 uses a two
level table mechanism to convert a linear address
provided by segmentation unit into physical
addresses.
The paging unit converts the complete map of
a task into pages, each of size 4K. The task is further
handled in terms of its page, rather than segments.
The paging unit handles every task in terms
of three components namely page directory, page
tables and page itself.
•Paging Descriptor Base Register: The control
register CR2 is used to store the 32-bit linear
address at which the previous page fault was
detected.
The CR3 is used as page directory physical
base address register, to store the physical
starting address of the page directory.
The lower 12 bit of the CR3 are always zero
to ensure the page size aligned directory. A move
operation to CR3 automatically loads the page
table entry caches and a task switch operation, to
load CR0 suitably.
The 80386 Control Registers
31 0
CR0 P E T E MP
G T S MP E
CR1
Page Tables
Size=4KB Physical Memory
Linear to physical Address Translation
31 22 21 12 11 0
(1)The Linear address 014202CAh(0000 0001 0100 0010 0000 0010 1100 1010) means DIR=0000 0001
01=PDE index 5, PAGE=00 0010 0000=PTE index 32 and OFFSET=0010 1100 1010=2CAh.
(1)The Physical Address for the page directory is 23455000h(PDBR with lower 12 bits 0s).
(1)The PDE is located at the physical address 23455000h+5*4=23455014h.It is used to refer the page
table address from the PDE 5 which is 45345h.
(5)The PTE is located at the physical address 45345000h+32*4=45345080h.It is used to refer the page
frame address from the PTE 32 which is 67345h.
PAGE OS 0 0 D A 0 0 U R P
TABLE RESERVED S
ADDRESS
W
31..12
31 12 11 10 9 8 7 6 5 4 3 2 1 0
PAGE OS 0 0 D A 0 0 U R P
FRAME RESEV S W
ADDRESS ED
31..12