Control Transfer
Four types of control transfer can occur when a selector is
loaded into CS by a control transfer operation (see Table
13). Each transfer type can only occur if the operation which
loaded the selector references the correct descriptor type.
Any violation of these descriptor usage rules (e.g. JMP
through a call gate or RET to a Task State Segment) will
cause exception 13.
The ability to reference a descriptor for control transfer is
also subject to rules of privilege. A CALL or JUMP instruction
may only reference a code segment descriptor with DPL
equal to the task CPL or a conforming segment with DPL of
equal or greater privilege than CPL. The RPL of the selector
used to reference the code descriptor must have as much
privilege as CPL.
RET and IRET instructions may only reference code segment descriptors with descriptor privilege equal to or less privileged than the task CPL. The selector loaded into CS is the return address from the stack. After the return, the selector RPL is the task's new CPL. If CPL changes, the old stack pointer is popped after the return address.
When a JMP or CALL references a Task State Segment descriptor, the descriptor DPL must be the same or less privileged than the task's CPL. Reference to a valid Task State Segment descriptor causes a task switch (see Task Switch Operation). Reference to a Task State Segment descriptor at a more privileged level than the task's CPL generates exception 13.
When an instruction or interrupt references a gate descriptor, the gate DPL must have the same or less privilege than the task CPL. If DPL is at a more privileged level than CPL, exception 13 occurs. If the destination selector contained in the gate references a code segment descriptor, the code segment descriptor DPL must be the same or more privileged than the task CPL. If not, exception 13 is issued. After the control transfer, the code segment descriptor's DPL is the task's new CPL. If the destination selector in the gate references a task state segment, a task switch is automatically performed (see Task Switch Operation).
The privilege rules on control transfer require:
- JMP or CALL direct to a code segment (code segment descriptor) can only be a conforming segment with DPL of equal or greater privilege than CPL or a non-conforming segment at the same privilege level.
- Interrupts within the task, or calls that may change privilege levels, can only transfer control through a gate at the same or a less privileged level than CPL to a code segment at the same or more privileged level than CPL.
- Return instructions that don't switch tasks can only return control to a code segment at the same or less privileged level.
- Task switch can be performed by a call, jump or interrupt which references either a task gate or task state segment at the same or less privileged level.
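The control transfer rules above, written out as a small checker. This is an added example, not code from the datasheet; privilege levels are the usual 0 to 3 with 0 the most privileged, and the `CodeSeg`, `ProtectionFault` and `fault_vector` names are the example's own. It covers the direct, gate and return cases; the task switch rule (TSS descriptor DPL numerically greater than or equal to CPL) follows the same pattern.

```python
# Added example (not from the datasheet): the 80C286 privilege rules for
# control transfers, as described above. Levels are 0..3 with 0 the MOST
# privileged, so "more privileged than CPL" means a numerically smaller value.
from dataclasses import dataclass

class ProtectionFault(Exception):
    def __init__(self, vector, why):
        super().__init__(f"exception {vector}: {why}")
        self.vector = vector  # 13 is the general protection exception here

@dataclass
class CodeSeg:
    dpl: int                  # descriptor privilege level of the code segment
    conforming: bool = False  # conforming segments may be entered from less privileged code

def direct_transfer(cpl, rpl, seg):
    """JMP/CALL straight to a code segment descriptor; returns the new CPL."""
    if rpl > cpl:
        raise ProtectionFault(13, "selector RPL has less privilege than CPL")
    if seg.conforming:
        if seg.dpl > cpl:
            raise ProtectionFault(13, "conforming segment DPL less privileged than CPL")
    elif seg.dpl != cpl:
        raise ProtectionFault(13, "non-conforming segment DPL must equal CPL")
    return cpl  # a direct transfer never changes CPL

def gate_transfer(cpl, gate_dpl, target):
    """CALL or interrupt through a gate whose destination is a code segment."""
    if gate_dpl < cpl:
        raise ProtectionFault(13, "gate DPL more privileged than CPL")
    if target.dpl > cpl:
        raise ProtectionFault(13, "gate target less privileged than CPL")
    return target.dpl  # the target code segment's DPL becomes the new CPL

def return_transfer(cpl, ret_rpl, target):
    """RET/IRET within a task; ret_rpl is the RPL of the CS selector popped from the stack."""
    if target.dpl < cpl or ret_rpl < cpl:
        raise ProtectionFault(13, "return to a more privileged code segment")
    return ret_rpl  # the popped selector's RPL becomes the new CPL

def fault_vector(fn, *args):
    """Run one transfer; return the exception number it raised, or None if allowed."""
    try:
        fn(*args)
    except ProtectionFault as e:
        return e.vector
    return None
```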
Privilege Level Changes
Any control transfer that changes CPL within the task causes a change of stacks as part of the operation. Initial values of SS:SP for privilege levels 0, 1, and 2 are kept in the task state segment (refer to Task Switch Operation). During a JMP or CALL control transfer, the new stack pointer is loaded into the SS and SP registers and the previous stack pointer is pushed onto the new stack.
When returning to the original privilege level, its stack is restored as part of the RET or IRET instruction operation. For subroutine calls that pass parameters on the stack and cross privilege levels, a fixed number of words, as specified in the gate, are copied from the previous stack to the current stack. The inter-segment RET instruction with a stack adjustment value will correctly restore the previous stack pointer upon return.
Protection
The 80C286 includes mechanisms to protect critical instructions that affect the CPU execution state (e.g. HLT) and code or data segments from improper usage. These protection mechanisms are grouped into three forms:
- Restricted usage of segments (e.g. no write allowed to read-only data segments). The only segments available for use are defined by descriptors in the Local Descriptor Table (LDT) and Global Descriptor Table (GDT).
- Restricted access to segments via the rules of privilege and descriptor usage.
- Privileged instructions or operations that may only be executed at certain privilege levels as determined by the CPL and I/O Privilege Level (IOPL). The IOPL is defined by bits 14 and 13 of the flag word.
These checks are performed for all instructions and can be split into three categories: segment load checks (Table 14), operand reference checks (Table 15), and privileged instruction checks (Table 16). Any violation of the rules shown will result in an exception. A not-present exception related to the stack segment causes exception 12.
TABLE 14. SEGMENT REGISTER LOAD CHECKS

  ERROR DESCRIPTION                                        EXCEPTION NUMBER
  Descriptor table limit exceeded                          13
  Segment descriptor not-present                           11 or 12
  Privilege rules violated                                 13
  Invalid descriptor/segment type segment register load:   13
    - Read only data segment load to SS
    - Special control descriptor load to DS, ES, SS
    - Execute only segment load to DS, ES, SS
    - Data segment load to CS
    - Read/Execute code segment load to SS
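Table 14 as a single check function, added here as an example and not taken from the datasheet. The descriptor type names, the `Descriptor` class and the check order are the example's own; the privilege rule applied to DS, ES and SS loads is the general 80286 data and stack segment rule, which this page does not restate, and CS loads are left to the control transfer rules above.

```python
# Added example (not from the datasheet): the segment register load checks of
# Table 14 as one function returning the exception number, or None when the
# load is allowed. Descriptor types are reduced to the cases the table names.
DATA_RO, DATA_RW = "data_ro", "data_rw"    # read-only / read-write data segment
CODE_XO, CODE_XR = "code_xo", "code_xr"    # execute-only / read-execute code segment
CONTROL = "control"                        # special control descriptor (TSS, LDT, gate)

# Segment types that may not be loaded into each register (Table 14, last row)
INVALID_TYPES = {
    "SS": (DATA_RO, CONTROL, CODE_XO, CODE_XR),  # the stack must be writable data
    "DS": (CONTROL, CODE_XO),
    "ES": (CONTROL, CODE_XO),
    "CS": (DATA_RO, DATA_RW),                    # data segment load to CS
}

class Descriptor:
    def __init__(self, kind, dpl, present=True):
        self.kind, self.dpl, self.present = kind, dpl, present

def segment_load_check(reg, index, table_limit, desc, cpl, rpl):
    """reg is CS, DS, ES or SS; index is the selector's descriptor index and
    table_limit the number of entries in the LDT or GDT it selects."""
    if index >= table_limit:             # descriptor table limit exceeded
        return 13
    if desc.kind in INVALID_TYPES[reg]:  # invalid descriptor/segment type
        return 13
    # Privilege rules violated. The table gives only the exception number; the
    # rules used here are the 80286 data/stack segment rules (assumed, not on
    # this page): DS/ES need DPL >= max(CPL, RPL), SS needs DPL == RPL == CPL.
    # CS loads are governed by the control transfer rules and are not checked here.
    if reg in ("DS", "ES") and desc.dpl < max(cpl, rpl):
        return 13
    if reg == "SS" and not (desc.dpl == cpl == rpl):
        return 13
    # Not-present is checked last here (order assumed): 12 for the stack
    # segment, 11 for any other segment register.
    if not desc.present:
        return 12 if reg == "SS" else 11
    return None
```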
80C286