From eae2750b2cc33eac111c5fcdcee83bbf7ac11c85 Mon Sep 17 00:00:00 2001 From: Jeff Parsons Date: Mon, 8 Feb 2016 17:33:52 -0800 Subject: [PATCH] Documentation update --- pubs/pc/reference/intel/8086/README.md | 94 +++++++++++++++++++++++++- 1 file changed, 92 insertions(+), 2 deletions(-) diff --git a/pubs/pc/reference/intel/8086/README.md b/pubs/pc/reference/intel/8086/README.md index 0cb8b6feac..6430dc803e 100644 --- a/pubs/pc/reference/intel/8086/README.md +++ b/pubs/pc/reference/intel/8086/README.md 
@@ -7,15 +7,105 @@ permalink: /pubs/pc/reference/intel/8086/ Intel 8086/8088 CPU Information --- +We do not have any official Intel documentation of 8086/8088 errata, but the following are well-known "features" +of those CPUs. + 8086 Errata --- -* TBD +### Interrupts Following MOV SS,xxx and POP SS Instructions May Corrupt Memory + +On early Intel 8088 processors (marked "INTEL '78" or "(C) 1978"), if an interrupt occurs immediately after a +`MOV SS,xxx` or `POP SS` instruction, data may be pushed using an incorrect stack address, resulting in memory +corruption. + +The work-around is to change SS (along with SP) only when hardware interrupts are disabled. However, that does +not resolve NMIs (non-maskable interrupts); on IBM PCs, you can work around the NMI problem by temporarily disabling +NMIs (see port 0x61). + +Intel provided a fix for this on later processors, by delaying the acknowledgement of hardware interrupts immediately +after a `MOV SS,xxx` or `POP SS` instruction; the delay lasts only one instruction, so you're obliged to change SP on +the very next instruction. + +Note that Intel's fix appears to have been over-broad: *all* `MOV segreg,xxx` and `POP segreg` +instructions delay interrupts, not just `MOV SS,xxx` and `POP SS`. In fact, it's been +[reported](http://www.malinov.com/Home/sergeys-projects/sergey-s-xt/historical-notes) +that all PUSH *segreg* instructions also have the same delaying effect, at least on selected 80C88 processors. + +### Interrupted String Instructions With Multiple Prefixes Do Not Resume Correctly + +If a repeated string instruction includes more than one override; eg: + + REP ES: MOVSB + +and an interrupt occurs, the instruction will restart with only the last override. This was never fixed in any +8086/8088. 
+ +The recommended work-around is to ensure that the segment override immediately precedes the instruction, and to rewrite +the sequence: + + top: + REP ES: MOVSB + JCXZ done + JMP top + done: 8086 Undocumented Instructions --- -* TBD +Some of the following information is courtesy of the [OS/2 Museum](http://www.os2museum.com/wp/undocumented-8086-opcodes/). + +### POP CS (0x0F) + +This single-byte opcode existed only on the 8086/8088, and was of limited use, since it altered CS without a +corresponding IP. + +There is no `POP CS` instruction on later x86 CPUs. The opcode was explicitly made invalid on the 80186/80188, +but was reused on later CPUs (starting with the 80286) as the first byte in a series of two-byte opcodes. + +### MOV segreg,xxx (0x8E) + +Similar to `POP CS`, this instruction was of limited value when the selected *segreg* was CS. + +Note that *segreg* was encoded as a 3-bit value in the second byte of the instruction, where: + + * 0 = ES + * 1 = CS (invalid on 80286 and later) + * 2 = SS + * 3 = DS + * 4 = ES (invalid on 80286, FS on 80386 and later) + * 5 = CS (invalid on 80286, GS on 80386 and later) + * 6 = SS (invalid on 80286 and later) + * 7 = DS (invalid on 80286 and later) + +On the 8086/8088/80186/80188, values 0-3 were treated the same as values 4-7, and all values were allowed. + +### SETALC aka SALC (0xD6) + +Performs an operation equivalent to `SBB AL,AL`, but without modifying any flags. In other words, AL will be set to +0xFF or 0x00, depending on whether CF is set or clear. This instruction exists on all later x86 CPUs, but for some +reason, it has never been documented. + +### Duplicate Conditional Jumps (0x60-0x6F) + +Opcodes 0x60 through 0x6F decode identically to the conditional jump opcodes at 0x70 through 0x7F, respectively. +This is not true for any other x86 CPU. 
+ +### Duplicate RET and RETF Instructions (0xC0, 0xC1, 0xC8, 0xC9) + +* Opcode 0xC0 decodes identically to RET n (0xC2) +* Opcode 0xC1 decodes identically to RET (0xC3) +* Opcode 0xC8 decodes identically to RETF n (0xCA) +* Opcode 0xC9 decodes identically to RET n (0xCB) + +Starting with the 80186, opcodes 0xC0 and 0xC1 were reused for new shift and rotate instruction groups, and opcodes +0xC8 and 0xC9 became the `ENTER` and `LEAVE` instructions. + +### Duplicate LOCK Prefix (0xF1) + +It is believed that 0xF1 decodes identically to 0xF0 (the `LOCK` prefix). + +On newer processors, 0xF1 is an undocumented instruction usually called `ICEBP` or `INT1`. Assorted Publications ---
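Review bot: the last bullet of the "Duplicate RET and RETF Instructions" list mislabels opcode 0xCB: the line reads "Opcode 0xC9 decodes identically to RET n (0xCB)", but 0xCB is the far return without an immediate (RETF), so the entry should read "* Opcode 0xC9 decodes identically to RETF (0xCB)", matching the 0xC8/0xCA "RETF n" pairing directly above it and the 0xC0/0xC2, 0xC1/0xC3 near-return pattern. While in this hunk, "includes more than one override; eg:" should be "e.g.:" (or "for example:") for consistency with the rest of the README.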