SE Computer ( 2019 pattern ) Microprocessor

Notes for unit 2

Processor State after Reset

When the 80386 is turned ON, or if reset button is pressed, it always begins operating in Real
mode.(Then programmer has to write program to operate the processor in Protected mode.)
1. When the processor is turned ON or Reset, the registers have the values shown in Table.

X=undefined

2. If BUSY pin is active(i.e. low), then MP then performs self test , (The result of self test is stored in
EAX)
3. MP checks if 80387 numeric processor is present on the motherboard or not by checking signal on
ERROR pin .
4. MP fetches always its first instruction from a fixed physical address FFFFFFF0.(since CS=F000 &
IP =FFF0). This is 16 bytes before the high end of the 80386’s 4GB address space i.e. FFFFFFFF.
And this address space is given to ROM in the PC. There we can write jump instruction , to go to our
program.
5. We can decide whether to continue in real mode or switch the80386 to protected mode.
functionality of various pins

#means active low i.e. when that pin is low,it is active else it is deactive.

CLK2( input )provides clock signal for synchronous operation. This signal is divided by two
internally, so the 80386 fundamental frequency is half the CLK2 signal frequency. For example, a
16-MHz 80386 requiresCLK2 signal of 32-MHz.
Data bus D31-DO(input, output).Either 8,16,24,or32bits of data can be transferred at once between
processor to /from memory & input output devices. The number of bits to be transferred is decided
by BE0# to BE3# pins
ByteEnableBE0#–BE3#(output),indicate which part of the32-bit data bus are carryingdata. If BE0#
is active then data is on D0–D7( byte)
IfBE1# is active then data is on D8–D15 ( byte) IfBE2# is active then data is on D16–D23(byte) If
BE3# is active then data is on D24–D31 ( byte)
IfBE0# & BE1# are active then data is on D16–D23 (16bits)
IfBE0#, BE1#, BE2#, BE3# are active then data is on D0 toD31 (32bits)

Address bus (A31-A2) ( output) , consists of 30 address pins but generates 32-bit addresses along
with byte-enable pins (BE3#-BE0#).(two address pins A0 and Al are replaced withfour byte enable
pins).Each byte-enable pin corresponds to one of four bytes of the 32-bit data bus.

A1 A0 BE# Data is on
0 0 BE0# is low ( active) D0–D7
0 1 BE1# is low ( active) D8–D15
1 0 BE2# is low ( active) D16–D23
1 1 BE3# is low ( active) D24–D31

Write/read (W/R#) (output)if low it indicates that CPU is reading from memory or input device. if
High , it indicates that CPU is writing to memory or output device
Data/control D/C#(output): tells whether data is being sent or received or control operation is
going on ( such as interrupt acknowledge, halt, and instruction fetching).
Memory/input output(M/IO#)(output):tells whether memory is being accessed or input/output
devices are being accessed

Address status(ADS#)(output):Indicates that a valid operation is being carried out on bus( D31-D0,
A31-A2, BE0 to BE3, M/IO, W/R , D/C are valid )

NEXT ADDRESS(NA#)(input)is used to request address pipelining. i.e. Sending address and status
signals for the next bus cycle during the current cycle

BUS SIZE16 (BS16#)(Input)allows the interfacing of 16 bit devices with the 32bit wide data bus of
80386.

HOLD(input)signal is generated by another bus master to request that the 80386 release the control
of the bus.

HOLD Acknowledged HLDA(output)The 80386 responds by activating the Hold Acknowledge

(HLDA) signal as it releases the control of the local bus.

Maskable Interrupt (INTR) ( input)inputs cause the 80386 to interrupt its current program and
begin execution of an interrupt service routine. This Interrupt can be disabled by resetting the IF flag
in flag register

Non-Maskable Interrupt(NMI)(input)cause the 80386 to interrupt its current program and begin
execution of an interrupt service routine. This Interrupt cannot be disabled.

BUSY#,ERROR#. and Coprocessor Request(PEREQ)(all inputs)used when there is an external

numeric coprocessor. BUSY# and ERROR# are status signals sent by the coprocessor;

The 80386 can use either the 80287 orthe 80387 m a t h coprocessor.

BUSY signal from coprocessor tells processor that the coprocessor is busy. ERROR signal from
coprocessor tells processor that there is some error in executing instructions sent to it . PEREQ
allows the coprocessor to request data from the 80386.

Ready # ( input)It is used to match the speed of memory with that of processor . Till the processor
does not receive this signal from memory, the processor keeps on inserting wait states in a bus cycle
operation. When it is received from memory, the processor ends the current bus cycle.

LOCK#(output)tells other processors that the bus is locked and they are denied access to the system
bus while it is active.

RESET(input):stops any operation in progress and takes the 80386 in a reset state and it enters real
mode .
Memory Organization (Memory banks)

80386 can access total of 4 GB physical memory.

Memory is divided into 4 banks, each of 1GB locations, with each location storing8 bits.

Memory address 00000000H is in bank 0, next address 00000001H is in bank 1, address 00000002H
is in bank 2, and address 00000003H is in bank3& again address 00000004H is in bank 0 and so on.
The 80386 does not contain address pins A1 and A0 because these have been replaced as the bank
enable signals ( BE0 to BE3).
Bank selection is done by the bank enable signals BE3,BE2, BE1,and BE0. If a 32 bit number is to
be transferred, all four banks are selected;
If a 16-bit number is to be transferred, two banks (usually BE3 and BE2 or BE1 and BE0)are
selected;
If 8 bits are to be transferred, a single bank is selected (by sending low signal on corresponding BE
pin).
I/Oorganization

The 80386 allows two types of data transfer to input/output devices (ports):

• By means of a separate I/O address space (by using specific I/O instructions such as IN, OUT instructions)

• By means of memory-mapped I/O (using general-purpose operand manipulation

instructions such as MOV instruction).

Address Space

The 80386 provides a separate I/O address, apart from physical memory, that can be used to
address the input/output ports (or devices). The I/O address space consists of 2^(16) = (64K)
individually addressable 8-bit ports; any two consecutive 8-bit ports can be treated as a 16-bit
port; and four consecutive 8-bit ports can be treated as a 32-bit port. Thus, the I/O address space
can accommodate up to 64K 8-bit ports, up to 32K 16-bit ports, or up to 16K 32-bit ports.

Basic memory write cycle with timing diagram.

In bus cycles, there are two options: pipelined and non-pipelined, which can be decided by the
NA# pin. If NA# pin is high, it is non-pipelined. If NA# pin is low, it is pipelined. Pipelined is
faster than non-pipelined.

Bus cycle consists of two states T1 and T2. During the entire bus cycle, the processor sends valid
address on A31-A2, BE0-BE3, and valid M/IO# (high for memory and low for IO), valid D/C# (for
data transfer it is high and for control operation it is low). During the write cycle, the W/R# pin is set
to high by the processor. And the processor sends data on the data bus to write to memory or device.
During the read cycle, the W/R# pin is set to low by the processor. And the processor reads data
from the data bus, which is sent by memory or device. BS16 decides whether data to be sent or
received is 16-bit or 32-bit. LOCK# is valid (low) so other processors (bus masters) cannot take
control of the bus during the bus cycle.
Write cycle with wait states
The processor checks the READY signal near the end of T2. If the READY pin is set high by an
external device, the processor simply stretches the T2 by maintaining the state with the same values
of all signals on pins. In other words, it inserts wait states as long as the READY signal is not made
low by external hardware. This is done to synchronize the speed of the processor with a slow
external device (memory or device).
Basic read cycle with timing diagram

In bus cycles, there are two options: pipelined and non-pipelined, which can be decided by the NA# pin. If the NA# pin is high, it is non-pipelined.
Pipelined is faster than non-pipelined. The bus cycle consists of two states, T1 and T2.

During the entire bus cycle, the processor sends valid address on A31-A2, BE0-BE3, and valid M/IO# (high for memory and low for IO), valid D/C#
(for data transfer, it is high, and for control operation, it is low).

During the read cycle, the W/R# pin is set to low by the processor. And the processor reads data from the Data bus, which is sent by memory or
device. BS16 decides whether data to be sent or received is 16-bit or 32-bit. LOCK# is valid (low), so other processors (bus masters) cannot take
control of the bus during the bus cycle.

Timing diagram of Read cycle without pipeline

Pipelined
Systemflags

VM (Virtual 8086 Mode)

The VM bit provides Virtual 8086 Mode within Protected Mode. If set to 1 while the Intel386 DX
is in Protected Mode, the Intel386 DX will switch to Virtual 8086 operation, i.e. behaves like
8086. But if the program contains privileged opcodes, it generates exception 13 faults. The VM bit
can be set only in Protected Mode, by the IRET instruction (if the current privilege level is 0) and
by task switches at any privilege level.

RF (Resume Flag)

The RF flag is used in with the debug register breakpoints. It is checked at instruction boundaries
before breakpoint processing. By setting it, you can selectively mask (disable) some exceptions
while you are debugging code. RF is then automatically reset at the successful completion of
every instruction (no faults are signaled) except the IRET instruction, the POPF instruction, (and
JMP, CALL, and INT instructions causing a task switch).

NT (Nested Task)

This flag applies to Protected Mode. NT is set to indicate that the execution of this task is nested
within another task. If set, it indicates that the current nested task’s Task State Segment (TSS) has
a valid back link to the previous task’s TSS. This bit is set or reset to control transfers to other
tasks.

IOPL (Input/Output Privilege Level)

This two-bit field applies to Protected Mode. It holds the privilege level, from 0 to 3, at which
your code must be running in order to execute any I/O-related instructions. Means if IOPL is set
as 10 (i.e. 2), the code should also have CPL 2, in order to execute IO-related instructions. If code
having CPL3 tries to execute IO instructions, it will cause exception 13 fault. (Level 0 is the most
privileged level and level 3 is the least privileged.) IOPL indicates the numerically maximum CPL
(current privilege level) value permitted to execute I/O instructions. POPF and IRET instruction
can alter the IOPL field when executed at CPL0.

Memory Management registers

 Segment Registers

A program can have at a time 6 segments. One for code (program), one for stack, and four for
holding data. Six 16-bit segment registers (CS, SS, DS, ES, GS, GS) hold selectors that store
information about current memory segments. Segment registers are shown in Figure.

In Protected Mode, each segment may have size from one byte up to the entire physical memory of 4
Gbytes (2^32 bytes).
In Real Address Mode, the maximum segment size is fixed at 64 Kbytes (2^16 bytes).

Segment Descriptor Registers

These are not programmer-visible (i.e., programmer can’t see or modify these registers), yet it is
very useful to understand their content.
Inside the Intel386 DX, a descriptor register (programmer-invisible) is associated with each
programmer-visible segment register, as shown by Figure.
 Each descriptor register holds a 32-bit segment base address, a 32-bit segment limit, and the other
necessary segment attributes. When a selector value is loaded into a segment register, the
associated descriptor register is automatically updated with the correct information. In Real
Address Mode, only the base address is updated directly (by shifting the selector value four bits to
the left, e.g., if CS is F4D2, then the base address of the corresponding code segment is F4D20).
The segment maximum limit (1MB) and attributes are fixed in Real Mode. In Protected Mode, the
base address, the limit, and the attributes are all updated as per the contents of the segment
descriptor pointed by the selector. Whenever a memory reference occurs, the 32-bit segment base
address is used to calculate the linear address, the 32-bit limit is used for the limit-check
operation, and the attributes are checked whether the type of memory reference requested is
permitted or not.

Control registers
The Intel386 DX has three control registers of 32 bits, CR0, CR2, and CR3, to hold machine state of
a global nature (not specific to an individual task). These registers, along with System Address
Registers, hold machine state that affects all tasks in the system. To access the Control Registers,
load and store instructions are used.
CR0:MachineControlRegister
CR0,shown in Figure, contains 6 bits for control and status purposes.

The low-order 16 bits of CR0 are also known as the Machine Status Word, MSW. LMSW and
SMSW instructions are for the Load and Store the lower 16 bits of CR0. New Intel386DX
operating systems should use the <MOV CR0, Reg> instruction for the Load and Store the lower
16 bits of CR0.

The defined CR0 bits are described below.

PG (Paging Enable)
The PG bit is set to enable the on-chip paging unit. When it is reset, it disables the on-chip paging
unit.

TS (Task Switched)
The processor sets this bit automatically every time it performs a task switch. It will never clear
this bit on its own; you can do so with the CLTS instruction.

EM (Emulate Coprocessor)
If this bit is set, then whenever 80386 fetches a floating-point instruction, it causes an exception
(because 80386 can't execute floating-point instructions). You can use this exception to emulate
floating-point operation by a program (instead of getting it executed by coprocessor) if you want.

MP (Monitor Coprocessor)
When this bit is set, the 80386 assumes that a floating-point coprocessor (80387) is attached to it.

PE (Protection Enable)
When PE = 0, 80386 works in real mode. When PE is set to 1, 80386 works in protected mode.
Changing PE from 1 to 0, to switch from protected mode to real mode, requires a longer sequence
of instructions.

CR1: reserved
CR1 is reserved for use in future Intel processors.

CR2: Page Fault Linear Address

CR2 is a read-only register in which the 80386 will deposit the value of the last 32-bit linear
address that caused a page fault. This address is important to write a page-fault handler (program)
because it will help you determine the cause of the fault.
 CR3: Page Directory Base Register (PDBR)
It holds the physical address of the start of the paging tables used when paging is enabled (i.e., when
the PG bit in CR0 is set). The paging tables must be 4KB-aligned, and so the least significant 12 bits
are undefined. They will be ignored when the register is loaded and will be stored as zeros.
12 11 10 9 8 7 6 5 4 3 2 1
4096 2048 1024 512 128 64 32 16 8 4 2 1

Debug registers
The six debug registers provide on-chip support for debugging. They can be accessed by
programmer.
80386 provides two other ways for debugging:
1. INT3 instruction
2. Setting trap flag in flags register
Debug Registers DR0 to DR3 specify the four linear breakpoints.
The Debug Control Register DR7 is used to set the breakpoints and
the Debug Status Register DR6, displays the current state of the breakpoints.

Debug Registers (DR0 to DR3):

The first four debug registers hold up to four linear address breakpoints. The addresses in these
registers are compared to the processor’s address-generation logic on every instruction and, if a
match is found, debug fault (exception) is generated.
Debug register (DR7) (debug control register):
By filling in the various fields of this register, you can control the operation of the four linear
address breakpoints.

Each of these breakpoints is controlled by a set of four fields each (Li, Gi, LENi, RWi) (i=0 to 3).
The meaning is as follows:
L0, L1, L2, L3 (local enable)
When this bit is set, the breakpoint address in DR0/1/2/3 is monitored only for the current running
task.
G0, G1, G2, G3 (global enable)
When this bit is set, the breakpoint address in DR0/1/2/3 is monitored only for all tasks.
LEN0, LEN1, LEN2, LEN3 (length of breakpoint) (two bits for each LEN field)
LEN specifies the length of the associated breakpoint field.

00 1 byte
01 2 byte
10 Reserved
 11 4 byte

RW(read/write)
When breakpoint address is matched during one of the following types of access, then breakpoint
fault (exception) occurs.
Eg. If RW is set to 00 for DR0 & if break point address in DR0 is matched with current linear
address (generated by80386 ) at which there is instruction, then break point fault ( exception) occurs.

Typeof access:
00 Instructionfetch
01 Datawritesonly
10 Reserved
11 Datareadsandwrites only

Three bits are common for all four breakpoints:

LE (local exact)
When you set this bit, to know when a breakpoint hit occurs at the instant it occurs. Because of
pipelining, 80386 fetches the next instruction before the current one completes. Because of this
reason, if the local exact bit is not set, the breakpoint is reported a few instructions after it has
happened. This feature is available only while the processor is running the current task. For the
next task again it has to be set.
GE (global exact)
This is similar to the LE bit but it is for all tasks which run one after another.
GD (global debug access)
Once it is set, the processor denies all further access to any of the debug registers. Debug registers
can’t be read or modified.

Debug Register DR6 (debug status register).

The 80386 sets the appropriate bits in this register to give information of the circumstances that
have caused the last debug fault (exception). i.e. Debug Status Register, DR6 allows the exception
handler (program) to easily determine why it was called.
```

B0, B1, B2, B3 (breakpoint 0–3)

The processor sets this bit when it references the linear address contained in DRi with conditions
specified in Li, Gi, RWi, LENi, LE, GE are satisfied. So, the exception handler comes to know
which breakpoint has occurred.
BD (break for debug register access)
This bit is set by 80386 when an instruction attempts to read or write to the debug registers when
the debug register set is locked by setting GD bit in DR7.
BS (break for single-step)
This bit is set by 80386 if the TF bit in the EFLAGS register is set (TF=trace/trap flag which can
be set to 1 for single-stepping/tracing).
BT (break for task switch)
This bit is set by 80386 if a task switch is about to happen to a task which has T bit set in its TSS
(task state segment).
Summary
Thus, there can be one of the reasons for invoking the exception 1 handler:

1) DR0 Breakpoint fault/trap.

2) DR1 Breakpoint fault/trap.
3) DR2 Breakpoint fault/trap.
4) DR3 Breakpoint fault/trap.
5) Fault due to attempted debug register access when GD=1.
6) Single-step (TF) trap.
7) Task switch trap.

Test registers
There are two test registers: TR6 & TR7 (TR0 to TR5 are not available to the programmer). These
are used for testing the TLB (translation lookaside buffer) which is used in memory management.
TR6 is used to set conditions for testing TLB and to start testing. TR7 returns the result (status) of
TLB testing.

TLB can store details about 32 pages in physical memory. Each entry holds a 20-bit linear
address, the 20-bit physical address to which it is mapped, and four tag bits. The tag bits are
defined as follows:
V (Valid): When set, the V bit indicates that this entry (about that page) is valid. If this bit is clear,
this entry is not valid.
D (Dirty): when this bit is set, it indicates that the page it points to has been modified by the
program.
U (user): when this bit is set, it indicates that the page it points to is user accessible. If it is clear, it
means the page is accessible only by supervisor program (having privilege level = 0).
W (writable): when this bit is set, it indicates that the page it points to is writable (program can
write into that page).
C (command bit): when C=1, the processor performs a write to the TLB. When C=0, the processor
performs a TLB lookup (reading of TLB).

TR7:
RP (replacement pointer): This field indicates which set of the TLB’s four-way set-associative
cache to write to.
PL (or H) (hit): PL has two roles. During TLB lookup, the PL bit indicates whether the lookup
was a hit (PL gets set to 1) or a miss (PL gets reset to 0). During TLB writes, it determines how
cache sets are selected. PL=1 causes the REP field of TR7 to select which off four associative
blocks of the TLB is to be written, and PL=0 allows to select which TLB block is written. If this
bit is set, the RP field determines which cache set to write to. If it is cleared, the set is determined
with an internal algorithm. Physical address, this field contains either the physical address to be
written into the TLB or the results of a valid TLB hit.

System Instructions

Also called as Protection Mode instruction. These are used only in operating system software;
they are not used in application programs.

SGDT Store global descriptor table register copies the contents of the descriptor table register
(total six bytes) in the memory. The address of the memory is specified in the instruction. eg
SGDT mem

LGDT Load Global Descriptor Table Register loads a linear base address and limit value from a
six-byte data operand in memory into the GDTR.

SIDT Store interrupt descriptor table register copies the contents of the interrupt descriptor table
register (total six bytes) in the memory. The address of the memory is specified in the instruction.
eg SIDT mem

LIDT load interrupt descriptor table register loads a linear base address and limit value from a six-
byte data operand in memory into the IDTR.

SLDT Store Local Descriptor Table Register SLDT stores the Local Descriptor Table Register
(LDTR) in the two-byte register or memory location. Eg SLDT BX

LLDT Load Local Descriptor Table Register loads the Local Descriptor Table register (LDTR).
The word operand (memory or register) to LLDT should contain a selector to the Global
Descriptor Table (GDT). The GDT entry should be a Local Descriptor Table. If so, then the
LDTR is loaded from the entry.

STR store task register The contents of the task register are copied to the two-byte register or
memory location Eg STR mem STR CX

LTR Load Task Register loads the task register from the source register or memory location
specified by the operand Eg LTR mem

LAR Load the access rights Loads the access rights from the segment descriptor specified by the
second operand (source operand) into the first operand (destination operand) and sets the ZF flag
in the flag register. The source operand (which can be a register or a memory location) contains
the segment selector for the segment descriptor being accessed. The destination operand is a
general-purpose register. Eg LAR BX, mem

LSL Loads segment limit Loads the unscrambled segment limit from the segment descriptor
specified with the second operand (source operand) into the first operand (destination operand)
and sets the ZF flag in the FLAGS register. The source operand (which can be a register or a
memory location) contains the segment selector for the segment descriptor being accessed. The
destination operand is a general-purpose register. eg. LSL AX, mem

VERR/VERW Verify a Segment for Reading Verifies whether the code or data segment specified
with the source operand is readable (VERR) from the current privilege level (CPL). The source
operand is a 16-bit register or a memory location that contains the segment selector for the
segment to be verified. If the segment is accessible and readable (VERR) the ZF flag is set;
 otherwise, the ZF flag is cleared. Eg VERR reg/mem

VERW Verify a Segment for Writing Verifies whether the code or data segment specified with
the source operand is writable (VERW) from the current privilege level (CPL). The source
operand is a 16-bit register or a memory location that contains the segment selector for the
segment to be verified. If the segment is accessible and writable (VERW), the ZF flag is set;
otherwise, the ZF flag is cleared. Eg VERW reg/mem

ARPL (Adjust requested privilege level) This instruction is used to modify a selector’s privilege
level. It can only change from higher privilege level to lower privilege level. PL are from 0 to 3
where 0 is the highest PL and 3 is the lowest PL. If the RPL of the destination operand is
numerically less (higher privilege level) than that of the source operand, the destination selector’s
RPL is changed to match that of the source operand, and ZF is set to 1. If the destination operand
is numerically higher (less privileged), then it is not modified and ZF is set to 0. Eg ARPL AX,
BX If selector in AX has PL=1 and selector in BX has PL=2, then PL of selector in AX is
changed to 2 and zero flag is set to 1.

SMSW Store Machine Status Word stores the machine status word (part of CR0) in the two-byte
register (16-bit) or memory location. Eg SMSW REG16/mem

LMSW Load Machine Status Word loads the machine status word (part of CR0) from the source
operand. This instruction can be used to switch to Protected Mode; if so, it must be followed by an
intrasegment jump to flush (clear) the instruction queue. LMSW will not switch back to Real
Address Mode. Eg LMSW reg/mem

Processor Control Instructions

HLT (HALT)
This instruction stops the processor. The processor will not execute any instruction until the
processor is brought out of the halt state either by a signal on the reset pin or on the interrupt pin. In
case of Reset, the processor will resume from real mode again. Whereas in case of an interrupt, after
the interrupt service routine is completed, the execution will resume at the instruction after the HLT
instruction. The HLT instruction is a privileged instruction. When the processor is running in
protected or virtual-8086 mode, the privilege level of a program or procedure must be 0 to execute
the HLT instruction.

WAIT (Wait until BUSY# Pin is Inactive (HIGH))

When a floating-point instruction is being executed by the math coprocessor, the math coprocessor
keeps the BUSY signal high. As long as the BUSY signal is high, the processor remains idle (does
not execute any instruction). When the math coprocessor finishes its execution, it makes the BUSY
signal low, then the processor resumes its execution. This is to ensure that the coprocessor
instruction has completed before accessing the result.

LOCK# Prefix (Make LOCK# Signal active (Low))

It is a Prefix to an instruction. When an instruction has this LOCK prefix, the 80386 makes LOCK
signal low. This makes the system bus locked. So that other bus masters (processors) in the system
cannot take control of the system bus. In a multiprocessor environment, the LOCK# signal ensures
that the processor has exclusive use of any shared memory while the signal is asserted (active). The
LOCK prefix functions only with the following instructions: BT, BTS, BTR, BTC, XCHG, ADD,
OR, ADC, SBB, AND, SUB, XOR, NOT, NEG, INC, DEC

ESC (Escape)
The processor cannot execute the instructions meant to be executed by the coprocessor. So such
instructions have escape code in them (first five bits of the coprocessor instruction are 11011). The
ESC pattern tells the 80386 to send the opcode and addresses of operands to the math coprocessor,
which then performs these operations.

Eg FMUL AX, BX ; instruction starting with F are for coprocessor

WAIT ; processor waits for the coprocessor to complete the execution of above instruction