Intel IA-32 User Manual

IA-32 Intel® Architecture
Software Developer’s Manual
Volume 3A:
System Programming Guide, Part 1
NOTE: The IA-32 Intel Architecture Software Developer's Manual consists of five volumes: Basic Architecture, Order Number 253665; Instruction Set Reference A-M, Order Number 253666; Instruction Set Reference N-Z, Order Number 253667; System Programming Guide, Part 1, Order Number 253668; System Programming Guide, Part 2, Order Number
253669. Refer to all five volumes when evaluating your design needs.
Order Number: 253668-019
March 2006
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EX­PRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTEL LECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER , AND INTEL DI SCLAIMS ANY EXPRESS OR IMPLIED WARRANTY , RE­LATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FIT­NESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS.
Intel may make changes to specifications and product descriptions at any time, without notice. Developers must not rely on the absence or characteristics of any features or inst ructions marke d “reserved” or “undefine d.”
Improper use of reserved or undefined features or instructions may cause unpredictable behavior or failure in developer's software code when running on an Intel processor. Intel reserves these features or instructions for fut ur e def init ion and shal l have no responsibility whatsoever for conflicts or incompatibilities arising from their unauthorized use.
®
The Intel known as errata. Current characterized errata are available on request.
Hyper-Threading Technology requires a computer system with an Intel Technology and an HT Technology enabled chipset, BIOS and operating system. Performance will vary depending on the specific hardware and software you use. See http://www.intel.com/techtrends/technologies/hyperthreading.htm formation including details on which processors support HT Technology.
Intel (VMM) and for some uses, certain platform software enabled for it. Functionality, performance or other benefits wi ll pending on hardware and software configurations. Intel
IA-32 architecture processors (e.g., Pe ntium® 4 and Pentium III processors) may cont ain de sign def ects or errors
®
Pentium® 4 processor supporting Hyper-Threading
for more in-
®
Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine mon itor
®
Virtualization Technology-enabled BIOS and VMM applications are
vary de-
currently in development.
®
Extended Memory 64 Technology (Intel® EM64T) requires a computer system with a processor, chipset, BIOS, OS,
Intel device drivers and applications enabled for Intel EM64T. Processor will not operate (including 32-bit operation) with-
out an Intel EM64T-enabled BIOS. Performa nce will vary d epend ing on you r hard ware and software configurations. Intel EM64T-enabled OS, BIOS, device drivers and applications may not be available. Check with your vendor for more
information. Intel, Pentium, Intel Xeon, Intel NetBurst, Intel Core Solo, Intel Core Duo, Intel Pentium D, Itanium, MMX, and VTune are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others. Contact your local Intel sales office or your distributor to obt ain the latest specifications and befor e placing your product order. Copies of documents which have an ordering number and are referenced in this document, or other Intel literature, may be
obtained from:
Intel Corporation P.O. Box 5937 Denver, CO 80217-9808
or call 1-800-548-4725 or visit Intel’s website at http://www.intel.com
Copyright © 1997-2006 Intel Corporation

CONTENTS FOR VOLUME 3A AND 3B

CHAPTER 1 ABOUT THIS MANUAL
1.1 IA-32 PROCESSORS COVERED IN THIS MANUAL . . . . . . . . . . . . . . . . . . . . . . . 1-1
1.2 OVERVIEW OF THE SYSTEM PROGRAMMING GUIDE. . . . . . . . . . . . . . . . . . . . 1-2
1.3 NOTATIONAL CONVENTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
1.3.1 Bit and Byte Order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
1.3.2 Reserved Bits and Software Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
1.3.3 Instruction Operands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
1.3.4 Hexadecimal and Binary Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-7
1.3.5 Segmented Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-7
1.3.6 Syntax for CPUID, CR, and MSR Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-7
1.3.7 Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-8
1.4 RELATED LITERATURE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
CHAPTER 2 SYSTEM ARCHITECTURE OVERVIEW
2.1 OVERVIEW OF THE SYSTEM-LEVEL ARCHITECTURE . . . . . . . . . . . . . . . . . . . 2-2
2.1.1 Global and Local Descriptor Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5
2.1.1.1 Global and Local Descriptor Tables in IA-32 Mode . . . . . . . . . . . . . . . . . . . . .2-5
2.1.2 System Segments, Segment Descriptors, and Gates . . . . . . . . . . . . . . . . . . . . . .2-5
2.1.2.1 Gates in IA-32e Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6
2.1.3 Task-State Segments and Task Gates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6
2.1.3.1 Task-State Segments in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7
2.1.4 Interrupt and Exception Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7
2.1.4.1 Interrupt and Exception Handling IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . .2-7
2.1.5 Memory Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7
2.1.5.1 Memory Management in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8
2.1.6 System Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8
2.1.6.1 System Registers in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-9
2.1.7 Other System Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-10
2.2 MODES OF OPERATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
2.3 SYSTEM FLAGS AND FIELDS IN THE EFLAGS REGISTER . . . . . . . . . . . . . . . 2-12
2.3.1 System Flags and Fields in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-14
2.4 MEMORY-MANAGEMENT REGISTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
2.4.1 Global Descriptor Table Register (GDTR). . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15
2.4.2 Local Descriptor Table Register (LDTR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15
2.4.3 IDTR Interrupt Descriptor Table Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-16
2.4.4 Task Register (TR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-16
2.5 CONTROL REGISTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
2.5.1 CPUID Qualification of Control Register Flag s . . . . . . . . . . . . . . . . . . . . . . . . . .2-24
2.6 SYSTEM INSTRUCTION SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
2.6.1 Loading and Storing System Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-25
2.6.2 Verifying of Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-26
2.6.3 Loading and Storing Debug Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-27
2.6.4 Invalidating Caches and TLBs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-27
2.6.5 Controlling the Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-27
2.6.6 Reading Performance-Monitoring and Time-Stamp Counters . . . . . . . . . . . . . .2-28
2.6.6.1 Reading Counters in 64-Bit Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-29
Vol. 3A iii
CONTENTS
PAGE
2.6.7 Reading and Writing Model-Specific Registers . . . . . . . . . . . . . . . . . . . . . . . . . .2-29
2.6.7.1 Reading and Writing Model-Specific Registers in 64-Bit Mode . . . . . . . . . . .2-29
CHAPTER 3 PROTECTED-MODE MEMORY MANAGEMENT
3.1 MEMORY MANAGEMENT OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
3.2 USING SEGMENTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
3.2.1 Basic Flat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-3
3.2.2 Protected Flat Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-3
3.2.3 Multi-Segment Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5
3.2.4 Segmentation in IA-32e Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-6
3.2.5 Paging and Segmentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-6
3.3 PHYSICAL ADDRESS SPACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
3.3.1 Physical Address Space for Processors with Intel
®
EM64T . . . . . . . . . . . . . . . . .3-7
3.4 LOGICAL AND LINEAR ADDRESSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
3.4.1 Logical Address Translation in IA-32e Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-8
3.4.2 Segment Selectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-8
3.4.3 Segment Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9
3.4.4 Segment Loading Instructions in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . .3-11
3.4.5 Segment Descriptors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-12
3.4.5.1 Code- and Data-Segment Descriptor Types. . . . . . . . . . . . . . . . . . . . . . . . . .3-15
3.5 SYSTEM DESCRIPTOR TYPES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
3.5.1 Segment Descriptor Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18
3.5.2 Segment Descriptor Tables in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-20
3.6 PAGING (VIRTUAL MEMORY) OVERVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
3.6.1 Paging Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-21
3.6.2 Page Tables and Directories in the Absence of Intel EM64T . . . . . . . . . . . . . . .3-22
3.7 PAGE TRANSLATION USING 32-BIT PHYSICAL ADDRESSING . . . . . . . . . . . . 3-22
3.7.1 Linear Address Translation (4-KByte Pages) . . . . . . . . . . . . . . . . . . . . . . . . . . .3-23
3.7.2 Linear Address Translation (4-MByte Pages) . . . . . . . . . . . . . . . . . . . . . . . . . . .3-24
3.7.3 Mixing 4-KByte and 4-MByte Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-25
3.7.4 Memory Aliasing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-25
3.7.5 Base Address of the Page Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-25
3.7.6 Page-Directory and Page-Table Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 -26
3.7.7 Not Present Page-Directory and Page-Table Entries . . . . . . . . . . . . . . . . . . . . .3-30
3.8 36-BIT PHYSICAL ADDRESSING USING THE PAE PAGING MECHANISM . . . 3-30
3.8.1 Enhanced Legacy PAE Paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-31
3.8.2 Linear Address Translation With PAE Enabled (4-KByte Pages) . . . . . . . . . . . .3-31
3.8.3 Linear Address Translation With PAE Enabled (2-MByte Pages). . . . . . . . . . . .3-32
3.8.4 Accessing the Full Extended Physical Address Space With the
Extended Page-Table Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-33
3.8.5 Page-Directory and Page-Table Entries With Extended Addressing
Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-34
3.9 36-BIT PHYSICAL ADDRESSING USING THE PSE-36 PAGING
MECHANISM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37
3.10 PAE-ENABLED PAGING IN IA-32E MODE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
3.10.1 IA-32e Mode Linear Address Translation (4-KByte Pages). . . . . . . . . . . . . . . . .3-39
3.10.2 IA-32e Mode Linear Address Translation (2-MByte Pages) . . . . . . . . . . . . . . . .3-40
3.10.3 Enhanced Paging Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-41
3.10.3.1 Reserved Bit Checking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-43
3.11 MAPPING SEGMENTS TO PAGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
3.12 TRANSLATION LOOKASIDE BUFFERS (TLBS) . . . . . . . . . . . . . . . . . . . . . . . . . 3-46
iv
Vol. 3A
CONTENTS
PAGE
CHAPTER 4 PROTECTION
4.1 ENABLING AND DISABLING SEGMENT AND PAGE PROTECTION . . . . . . . . . . 4-1
4.2 FIELDS AND FLAGS USED FOR SEGMENT-LEVEL AND
PAGE-LEVEL PROTECTION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
4.2.1 Code Segment Descriptor in 64-bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
4.3 LIMIT CHECKING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
4.3.1 Limit Checking in 64-bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
4.4 TYPE CHECKING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
4.4.1 Null Segment Selector Checking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
4.4.1.1 NULL Segment Checking in 64-bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
4.5 PRIVILEGE LEVELS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
4.6 PRIVILEGE LEVEL CHECKING WHEN ACCESSING DATA SEGMENTS. . . . . . 4-11
4.6.1 Accessing Data in Code Segments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13
4.7 PRIVILEGE LEVEL CHECKING WHEN LOADING THE SS REGISTER . . . . . . . 4-13
4.8 PRIVILEGE LEVEL CHECKING WHEN TRANSFERRING PROGRAM
CONTROL BETWEEN CODE SEGMENTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13
4.8.1 Direct Calls or Jumps to Code Segments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
4.8.1.1 Accessing Nonconforming Code Segments . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
4.8.1.2 Accessing Conforming Code Segments. . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
4.8.2 Gate Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17
4.8.3 Call Gates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
4.8.3.1 IA-32e Mode Call Gates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
4.8.4 Accessing a Code Segment Through a Call Gate. . . . . . . . . . . . . . . . . . . . . . . 4-20
4.8.5 Stack Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
4.8.5.1 Stack Switching in 64-bit Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
4.8.6 Returning from a Called Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
4.8.7 Performing Fast Calls to System Procedures with the
SYSENTER and SYSEXIT Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
4.8.7.1 SYSENTER and SYSEXIT Instructions in IA-32e Mode. . . . . . . . . . . . . . . . 4-29
4.8.8 Fast System Calls in 64-bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30
4.9 PRIVILEGED INSTRUCTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
4.10 POINTER VALIDATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
4.10.1 Checking Access Rights (LAR Instruction) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
4.10.2 Checking Read/Write Rights (VERR and VERW Instructions) . . . . . . . . . . . . . 4-34
4.10.3 Checking That the Pointer Offset Is Within Limits (LSL Instruction) . . . . . . . . . 4-34
4.10.4 Checking Caller Access Privileges (ARPL Instruction) . . . . . . . . . . . . . . . . . . . 4-35
4.10.5 Checking Alignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
4.11 PAGE-LEVEL PROTECTION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
4.11.1 Page-Protection Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38
4.11.2 Restricting Addressable Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38
4.11.3 Page Type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38
4.11.4 Combining Protection of Both Levels of Page Tables . . . . . . . . . . . . . . . . . . . . 4-39
4.11.5 Overrides to Page Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
4.12 COMBINING PAGE AND SEGMENT PROTECTION . . . . . . . . . . . . . . . . . . . . . . 4-39
4.13 PAGE-LEVEL PROTECTION AND EXECUTE-DISABLE BIT. . . . . . . . . . . . . . . . 4-40
4.13.1 Detecting and Enabling the Execute-Disable Bit Capability. . . . . . . . . . . . . . . . 4-41
4.13.2 Execute-Disable Bit Page Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41
4.13.3 Reserved Bit Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
4.13.4 Exception Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44
Vol. 3A v
CONTENTS
PAGE
CHAPTER 5 INTERRUPT AND EXCEPTION HANDLING
5.1 INTERRUPT AND EXCEPTION OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
5.2 EXCEPTION AND INTERRUPT VECTORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
5.3 SOURCES OF INTERRUPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
5.3.1 External Interrupts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-2
5.3.2 Maskable Hardware Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-4
5.3.3 Software-Generated Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-4
5.4 SOURCES OF EXCEPTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
5.4.1 Program-Error Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5
5.4.2 Software-Generated Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5
5.4.3 Machine-Check Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5
5.5 EXCEPTION CLASSIFICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
5.6 PROGRAM OR TASK RESTART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
5.7 NONMASKABLE INTERRUPT (NMI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
5.7.1 Handling Multiple NMIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-8
5.8 ENABLING AND DISABLING INTERRUPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
5.8.1 Masking Maskable Hardware Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-9
5.8.2 Masking Instruction Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-10
5.8.3 Masking Exceptions and Interrupts When Switching Stacks. . . . . . . . . . . . . . . .5-10
5.9 PRIORITY AMONG SIMULTANEOUS EXCEPTIONS AND INTERRUPTS . . . . . 5-10
5.10 INTERRUPT DESCRIPTOR TABLE (IDT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
5.11 IDT DESCRIPTORS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
5.12 EXCEPTION AND INTERRUPT HANDLING. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
5.12.1 Exception- or Interrupt-Handler Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-15
5.12.1.1 Protection of Exception- and Interrupt-Handler Procedures. . . . . . . . . . . . . .5-17
5.12.1.2 Flag Usage By Exception- or Interrupt-Handler Procedure . . . . . . . . . . . . . .5 -18
5.12.2 Interrupt Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-19
5.13 ERROR CODE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.14 EXCEPTION AND INTERRUPT HANDLING IN 64-BIT MODE. . . . . . . . . . . . . . . 5-22
5.14.1 64-Bit Mode IDT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-22
5.14.2 64-Bit Mode Stack Frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-23
5.14.3 IRET in IA-3 2e Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-24
5.14.4 Stack Switching in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-24
5.14.5 Interrupt Stack Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-25
5.15 EXCEPTION AND INTERRUPT REFERENCE. . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
Interrupt 0—Divide Error Exception (#DE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-27
Interrupt 1—Debug Exception (#DB). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-28
Interrupt 2—NMI Interrupt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -29
Interrupt 3—Breakpoint Exception (#BP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-30
Interrupt 4—Overflow Exception (#OF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -31
Interrupt 5—BOUND Range Exceeded Exception (#BR) . . . . . . . . . . . . . . . . . .5-32
Interrupt 6—Invalid Opcode Exception (#UD). . . . . . . . . . . . . . . . . . . . . . . . . . .5-33
Interrupt 7—Device Not Available Exception (#NM) . . . . . . . . . . . . . . . . . . . . . .5-35
Interrupt 8—Double Fault Exception (#DF). . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-37
Interrupt 9—Coprocessor Segment Overrun. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -39
Interrupt 10—Invalid TSS Exception (#TS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-40
Interrupt 11—Segment Not Present (#NP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-43
Interrupt 12—Stack Fault Exception (#SS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-45
Interrupt 13—General Protection Exception (#GP) . . . . . . . . . . . . . . . . . . . . . . .5-47
Interrupt 14—Page-Fault Exception (#PF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 -51
vi
Vol. 3A
CONTENTS
PAGE
Interrupt 16—x87 FPU Floating-Point Error (#MF) . . . . . . . . . . . . . . . . . . . . . . 5-55
Interrupt 17—Alignment Check Exception (#AC). . . . . . . . . . . . . . . . . . . . . . . . 5-57
Interrupt 18—Machine-Check Exception (#MC) . . . . . . . . . . . . . . . . . . . . . . . . 5-59
Interrupt 19—SIMD Floating-Point Exception (#XF) . . . . . . . . . . . . . . . . . . . . . 5-61
Interrupts 32 to 255—User Defined Interrupts. . . . . . . . . . . . . . . . . . . . . . . . . . 5-64
CHAPTER 6 TASK MANAGEMENT
6.1 TASK MANAGEMENT OVERVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
6.1.1 Task Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
6.1.2 Task State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
6.1.3 Executing a Task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
6.2 TASK MANAGEMENT DATA STRUCTURES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
6.2.1 Task-State Segment (TSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
6.2.2 TSS Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
6.2.3 TSS Descriptor in 64-bit mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
6.2.4 Task Register. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
6.2.5 Task-Gate Descriptor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
6.3 TASK SWITCHING. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
6.4 TASK LINKING. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
6.4.1 Use of Busy Flag To Prevent Recursive Task Switching. . . . . . . . . . . . . . . . . . 6-18
6.4.2 Modifying Task Linkages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
6.5 TASK ADDRESS SPACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
6.5.1 Mapping Tasks to the Linear and Physical Address Spaces. . . . . . . . . . . . . . . 6-19
6.5.2 Task Logical Address Space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
6.6 16-BIT TASK-STATE SEGMENT (TSS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
6.7 TASK MANAGEMENT IN 64-BIT MODE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
CHAPTER 7 MULTIPLE-PROCESSOR MANAGEMENT
7.1 LOCKED ATOMIC OPERATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
7.1.1 Guaranteed Atomic Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
7.1.2 Bus Locking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
7.1.2.1 Automatic Locking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
7.1.2.2 Software Controlled Bus Locking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
7.1.3 Handling Self- and Cross-Modifying Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
7.1.4 Effects of a LOCK Operation on Internal Processor Caches. . . . . . . . . . . . . . . . 7-7
7.2 MEMORY ORDERING. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
7.2.1 Memory Ordering in the Intel
7.2.2 Memory Ordering Pentium 4, Intel
®
Pentium® and Intel486™ Processors . . . . . . . . . 7-8
®
Xeon®, and P6 Family Processors. . . . . . . 7-8
7.2.3 Out-of-Order Stores For String Operations in Pentium 4, Intel Xeon,
and P6 Family Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
7.2.4 Strengthening or Weakening the Memory Ordering Model . . . . . . . . . . . . . . . . 7-11
7.3 PROPAGATION OF PAGE TABLE AND PAGE DIRECTORY
ENTRY CHANGES TO MULTIPLE PROCESSORS . . . . . . . . . . . . . . . . . . . . . . . 7-13
7.4 SERIALIZING INSTRUCTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
7.5 MULTIPLE-PROCESSOR (MP) INITIALIZATION . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
7.5.1 BSP and AP Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
7.5.2 MP Initialization Protocol Requirements and Restrictions
for Intel Xeon Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
7.5.3 MP Initialization Protocol Algorithm for Intel Xeon Processors . . . . . . . . . . . . . 7-17
Vol. 3A vii
CONTENTS
PAGE
7.5.4 MP Initialization Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-18
7.5.4.1 Typical BSP Initialization Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-19
7.5.4.2 Typical AP Initialization Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-21
7.5.5 Identifying Logical Processors in an MP System. . . . . . . . . . . . . . . . . . . . . . . . .7-22
7.6 HYPER-THREADING AND MULTI-CORE TECHNOLOGY . . . . . . . . . . . . . . . . . 7-23
7.7 DETECTING HARDWARE MULTI-THREADING SUPPORT AND
TOPOLOGY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24
7.7.1 Initializing IA-32 Processors Supporting Hyp er-Threading Technology . . . . . . .7-24
7.7.2 Initializing Dual-Core IA-32 Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-25
7.7.3 Executing Multiple Threads on an IA-32 Processor
Supporting Hardware Multi-Threading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-25
7.7.4 Handling Interrupts on an IA-32 Processor
Supporting Hardware Multi-Threading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-25
7.8 INTEL
®
HYPER-THREADING TECHNOLOGY ARCHITECTURE . . . . . . . . . . . . 7-26
7.8.1 State of the Logical Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-27
7.8.2 APIC Functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-28
7.8.3 Memory Type Range Registers (MTRR). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-28
7.8.4 Page Attribute Table (PAT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-29
7.8.5 Machine Check Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-29
7.8.6 Debug Registers and Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-29
7.8.7 Performance Monitoring Counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-29
7.8.8 IA32_MISC_ENABLE MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
7.8.9 Memory Ordering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
7.8.10 Serializing Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
7.8.11 MICROCODE UPDATE Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
7.8.12 Self Modifying Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-31
7.8.13 Implementation-Specific HT Technology Facilities . . . . . . . . . . . . . . . . . . . . . . .7-31
7.8.13.1 Processor Caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-31
7.8.13.2 Processor Translation Lookaside Buffers (TLBs) . . . . . . . . . . . . . . . . . . . . . .7-31
7.8.13.3 Thermal Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32
7.8.13.4 External Signal Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32
7.9 DUAL-CORE ARCHITECTURE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33
7.9.1 Logical Processor Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-33
7.9.2 Memory Type Range Registers (MTRR). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-34
7.9.3 Performance Monitoring Counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-34
7.9.4 IA32_MISC_ENABLE MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-34
7.9.5 MICROCODE UPDATE Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -34
7.10 PROGRAMMING CONSIDERATIONS FOR HARDWARE
MULTI-THREADING CAPABLE PROCESSORS . . . . . . . . . . . . . . . . . . . . . . . . . 7-35
7.10.1 Hierarchical Mapping of Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-35
7.10.2 Identifying Logical Processors in an MP System. . . . . . . . . . . . . . . . . . . . . . . . .7-36
7.10.3 Algorithm for Three-Level Mappings of APIC_ID . . . . . . . . . . . . . . . . . . . . . . . .7-38
7.10.4 Id en ti fying Topological Relationshi ps in a MP System . . . . . . . . . . . . . . . . . . . .7-41
7.11 MANAGEMENT OF IDLE AND BLOCKED CONDITIONS . . . . . . . . . . . . . . . . . . 7-45
7.11.1 HLT Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-45
7.11.2 PAUSE Instruction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-46
7.11.3 Detecting Support MONITOR/MWAIT Instruction. . . . . . . . . . . . . . . . . . . . . . . .7-46
7.11.4 MONITOR/MWAIT Instruction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-47
7.11.5 Moni to r/ Mw ai t Ad dre ss R ang e D etermination. . . . . . . . . . . . . . . . . . . . . . . . . . .7-48
7.11.6 Required Operating System Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-49
7.11.6.1 Use th e PAU SE Inst ruction in Spin-Wait Loops. . . . . . . . . . . . . . . . . . . . . . .7-49
7.11.6.2 Potential Usage of MONITOR/MWAIT in C0 Idle Loops . . . . . . . . . . . . . . . .7-50
viii
Vol. 3A
CONTENTS
PAGE
7.11.6.3 Halt Idle Logical Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52
7.11.6.4 Potential Usage of MONITOR/MWAIT in C1 Idle Loops. . . . . . . . . . . . . . . . 7-52
7.11.6.5 Guidelines for Scheduling Threads on Logical Processors
Sharing Execution Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-53
7.11.6.6 Eliminate Execution-Based Timing Loops . . . . . . . . . . . . . . . . . . . . . . . . . . 7-53
7.11.6.7 Place Locks and Semaphores in Aligned, 128-Byte Blocks of
Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-54
CHAPTER 8 ADVANCED PROGRAMMABLE INTERRUPT CONTROLLER (APIC)
8.1 LOCAL AND I/O APIC OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
8.2 SYSTEM BUS VS. APIC BUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
8.3 THE INTEL
®
82489DX EXTERNAL APIC, THE APIC, AND THE XAPIC . . . . . . . . 8-5
8.4 LOCAL APIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
8.4.1 The Local APIC Block Diagram. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
8.4.2 Presence of the Local APIC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
8.4.3 Enabling or Disabling the Local APIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
8.4.4 Local APIC Status and Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
8.4.5 Relocating the Local APIC Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
8.4.6 Local APIC ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
8.4.7 Local APIC State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
8.4.7.1 Local APIC State After Power-Up or Reset . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
8.4.7.2 Local APIC State After It Has Been Software Disabled . . . . . . . . . . . . . . . . 8-13
8.4.7.3 Local APIC State After an INIT Reset (“Wait-for-SIPI” State) . . . . . . . . . . . . 8-14
8.4.7.4 Local APIC State After It Receives an INIT-Deassert IPI . . . . . . . . . . . . . . . 8-14
8.4.8 Local APIC Version Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14
8.5 HANDLING LOCAL INTERRUPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
8.5.1 Local Vector Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
8.5.2 Valid Interrupt Vectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18
8.5.3 Error Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
8.5.4 APIC Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
8.5.5 Local Interrupt Acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
8.6 ISSUING INTERPROCESSOR INTERRUPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
8.6.1 Interrupt Command Register (ICR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
8.6.2 Determining IPI Destination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
8.6.2.1 Physical Destination Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
8.6.2.2 Logical Destination Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-29
8.6.2.3 Broadcast/Self Delivery Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
8.6.2.4 Lowest Priority Delivery Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
8.6.3 IPI Delivery and Acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
8.7 SYSTEM AND APIC BUS ARBITRATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
8.8 HANDLING INTERRUPTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-33
8.8.1 Interrupt Handling with the Pentium 4 and Intel Xeon Processors. . . . . . . . . . . 8-33
8.8.2 Interrupt Handling with the P6 Family and Pentium Processors . . . . . . . . . . . . 8-34
8.8.3 Interrupt, Task, and Processor Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36
8.8.3.1 Task and Processor Priorities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37
8.8.4 Interrupt Acceptance for Fixed Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
8.8.5 Signaling Interrupt Servicing Completion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
8.8.6 Task Priority in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
8.8.6.1 Interaction of Task Priorities between CR8 and APIC . . . . . . . . . . . . . . . . . 8-41
8.9 SPURIOUS INTERRUPT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-41
Vol. 3A ix
CONTENTS
PAGE
8.10 APIC BUS MESSAGE PASSING MECHANISM AND
PROTOCOL (P6 FAMILY, PENTIUM PROCESSORS). . . . . . . . . . . . . . . . . . . . . 8-42
8.10.1 Bus Message Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-43
8.11 MESSAGE SIGNALLED INTERRUPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
8.11.1 Message Address Register Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-44
8.11.2 Message Data Register Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-45
CHAPTER 9 PROCESSOR MANAGEMENT AND INITIALIZATION
9.1 INITIALIZATION OVERVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
9.1.1 Processor State After Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-2
9.1.2 Processor Built-In Self-Test (BIST). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-2
9.1.3 Model and Stepping Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-5
9.1.4 First Instruction Executed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-6
9.2 X87 FPU INITIALIZATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.1 Configuring the x87 FPU Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-6
9.2.2 Setting the Processor for x87 FPU Software Emulation . . . . . . . . . . . . . . . . . . . .9-7
9.3 CACHE ENABLING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
9.4 MODEL-SPECIFIC REGISTERS (MSRS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
9.5 MEMORY TYPE RANGE REGISTERS (MTRRS). . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
9.6 INITIALIZING SSE/SSE2/SSE3 EXTENSIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
9.7 SOFTWARE INITIALIZATION FOR REAL-ADDRESS MODE OPERATION . . . . 9-10
9.7.1 Real-Address Mode IDT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 -11
9.7.2 NMI Interrupt Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-11
9.8 SOFTWARE INITIALIZATION FOR PROTECTED-MODE OPERATION . . . . . . . 9-11
9.8.1 Protected-Mode System Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-12
9.8.2 Initializing Protec ted-Mode Exceptions and Interrupts . . . . . . . . . . . . . . . . . . . .9-13
9.8.3 Initializing Paging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-13
9.8.4 Initializing Multitasking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-13
9.8.5 Initializing IA-32e Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-14
9.8.5.1 IA-32e Mode System Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-15
9.8.5.2 IA-32e Mode Interrupts and Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-15
9.8.5.3 64-bit Mode and Compatibility Mode Operation . . . . . . . . . . . . . . . . . . . . . . . 9-15
9.8.5.4 Switching Out of IA-32e Mode Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . .9-16
9.9 MODE SWITCHING. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
9.9.1 Switching to Protected Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-17
9.9.2 Switching Back to Real-Address Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-18
9.10 INITIALIZATION AND MODE SWITCHING EXAMPLE. . . . . . . . . . . . . . . . . . . . . 9-20
9.10.1 Assembler Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-22
9.10.2 STARTUP.ASM Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-23
9.10.3 MAIN.ASM Source Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-33
9.10.4 Supporting Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-33
9.11 MICROCODE UPDATE FACILITIES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35
9.11.1 Microcode Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-36
9.11.2 Optional Extended Signature Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-40
9.11.3 Processor Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-41
9.11.4 Platform Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-42
9.11.5 Microcode Update Checksum. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-43
9.11.6 Microcode Update Loader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-44
9.11.6.1 Hard Resets in Update Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-45
9.11.6.2 Update in a Multiprocessor System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-45
9.11.6.3 Update in a System Supporting Intel Hyper-Threading Technology. . . . . . . .9-46
x
Vol. 3A
CONTENTS
PAGE
9.11.6.4 Update in a System Supporting Dual-Core Technology . . . . . . . . . . . . . . . . 9-46
9.11.6.5 Update Loader Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-46
9.11.7 Update Signature and Verification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-46
9.11.7.1 Determining the Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-47
9.11.7.2 Authenticating the Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48
9.11.8 Pentium 4, Intel Xeon, and P6 Family Processor
Microcode Update Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-49
9.11.8.1 Responsibilities of the BIOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-49
9.11.8.2 Responsibilities of the Calling Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-51
9.11.8.3 Microcode Update Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54
9.11.8.4 INT 15H-based Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-55
9.11.8.5 Function 00H—Presence Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-55
9.11.8.6 Function 01H—Write Microcode Update Data . . . . . . . . . . . . . . . . . . . . . . . 9-56
9.11.8.7 Function 02H—Microcode Update Control. . . . . . . . . . . . . . . . . . . . . . . . . . 9-61
9.11.8.8 Function 03H—Read Microcode Update Data . . . . . . . . . . . . . . . . . . . . . . . 9-62
9.11.8.9 Return Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-63
CHAPTER 10 MEMORY CACHE CONTROL
10.1 INTERNAL CACHES, TLBS, AND BUFFERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
10.2 CACHING TERMINOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
10.3 METHODS OF CACHING AVAILABLE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
10.3.1 Buffering of Write Combining Memory Locations. . . . . . . . . . . . . . . . . . . . . . . . 10-8
10.3.2 Choosing a Memory Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
10.4 CACHE CONTROL PROTOCOL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
10.5 CACHE CONTROL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
10.5.1 Cache Control Registers and Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11
10.5.2 Precedence of Cache Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15
10.5.2.1 Selecting Memory Types for Pentium Pro and Pentium II
Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
10.5.2.2 Selecting Memory Types for Pentium 4, Intel Xeon,
and Pentium III Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
10.5.2.3 Writing Values Across Pages with Different Memory Types. . . . . . . . . . . . 10-18
10.5.3 Preventing Caching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18
10.5.4 Disabling and Enabling the L3 Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
10.5.5 Cache Management Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
10.5.6 L1 Data Cache Context Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20
10.5.6.1 Adaptive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21
10.5.6.2 Shared Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21
10.6 SELF-MODIFYING CODE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21
10.7 IMPLICIT CACHING (PENTIUM 4, INTEL XEON,
AND P6 FAMILY PROCESSORS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
10.8 EXPLICIT CACHING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
10.9 INVALIDATING THE TRANSLATION LOOKASIDE BUFFERS (TLBS) . . . . . . . 10-23
10.10 STORE BUFFER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24
10.11 MEMORY TYPE RANGE REGISTERS (MTRRS) . . . . . . . . . . . . . . . . . . . . . . . . 10-24
10.11.1 MTRR Feature Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26
10.11.2 Setting Memory Ranges with MTRRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27
10.11.2.1 IA32_MTRR_DEF_TYPE MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27
10.11.2.2 Fixed Range MTRRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28
10.11.2.3 Variable Range MTRRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
10.11.3 Example Base and Mask Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-32
Vol. 3A xi
CONTENTS
PAGE
10.11.3.1 Base and Mask Calculations with Intel EM64T. . . . . . . . . . . . . . . . . . . . . . .10-33
10.11.4 Range Size and Alignment Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-34
10.11.4.1 MTRR Precedences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-34
10.11.5 MTRR Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-35
10.11.6 Remapping Memory Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-35
10.11.7 MTRR Maintenance Programming Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . 10-36
10.11.7.1 MemTypeGet() Function. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-36
10.11.7.2 MemTypeSet() Function. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-37
10.11.8 MTRR Considerations in MP Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-39
10.11.9 Large Page Size Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-40
10.12 PAGE ATTRIBUTE TABLE (PAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41
10.12.1 Detecting Support for the PAT Feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-41
10.12.2 IA32_CR_PAT MSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-42
10.12.3 Selecting a Memory Type from the PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-43
10.12.4 Programming the PAT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-43
10.12.5 PAT Compatibility with Earlier IA-32 Processors. . . . . . . . . . . . . . . . . . . . . . . .10-45
CHAPTER 11
®
INTEL
MMX™ TECHNOLOGY SYSTEM PROGRAMMING
11.1 EMULATION OF THE MMX INSTRUCTION SET. . . . . . . . . . . . . . . . . . . . . . . . . 11-1
11.2 THE MMX STATE AND MMX REGISTER ALIASING. . . . . . . . . . . . . . . . . . . . . . 11-1
11.2.1 Effect of MMX, x87 FPU, FXSAVE, and FXRSTOR
Instructions on the x87 FPU Tag Word . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-3
11.3 SAVING AND RESTORING THE MMX STATE AND REGISTERS . . . . . . . . . . . 11-4
11.4 SAVING MMX STATE ON TASK OR CONTEXT SWITCHES . . . . . . . . . . . . . . . 11-5
11.5. EXCEPTIONS THAT CAN OCCUR WHEN EXECUTING MMX
INSTRUCTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
11.5.1 Effect of MMX Instructions on Pending x87 Floating-Point Exceptions. . . . . . . .11-6
11.6 DEBUGGING MMX CODE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
CHAPTER 12 SSE, SSE2 AND SSE3 SYSTEM PROGRAMMING
12.1 PROVIDING OPERATING SYSTEM SUPPORT FOR
SSE/SSE2/SSE3 EXTENSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
12.1.1 Adding Support to an Operating System for SSE/SSE2/SSE3 Extensions. . . . .12-1
12.1.2 Checking for SSE/SSE2/SSE3 Extension Support . . . . . . . . . . . . . . . . . . . . . . .12-2
12.1.3 Checking for Support for the FXSAVE and FXRSTOR Instructions . . . . . . . . . .12-2
12.1.4 Initialization of the SSE/SSE2/SSE3 Extensions. . . . . . . . . . . . . . . . . . . . . . . . .12-2
12.1.5 Providing Non-Numeric Exception Handlers for Exceptions Generated
by the SSE/SSE2/SSE3 Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
12.1.6 Providing an Handler for the SIMD Floating-Point Exception (#XF) . . . . . . . . . .12-5
12.1.6.1 Numeric Error flag and IGNNE#. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-6
12.2 EMULATION OF SSE/SSE2/SSE3 EXTENSIONS . . . . . . . . . . . . . . . . . . . . . . . . 12-6
12.3 SAVING AND RESTORING THE SSE/SSE2/SSE3 STATE . . . . . . . . . . . . . . . . . 12-6
12.4 SAVING THE SSE/SSE2/SSE3 STATE ON TASK
OR CONTEXT SWITCHES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
12.5 DESIGNING OS FACILITIES FOR AUTOMATICALLY SAVING X87 FPU,
MMX, AND SSE/SSE2/SSE3 STATE ON TASK OR CONTEXT SWITCHES. . . . 12-7
12.5.1. Using the TS Flag to Control the Saving of the
x87 FPU, MMX, SSE, SSE2 and SSE3 State. . . . . . . . . . . . . . . . . . . . . . . . . . .12-8
Vol. 3A
xii
CONTENTS
PAGE
CHAPTER 13 POWER AND THERMAL MANAGEMENT
13.1 ENHANCED INTEL SPEEDSTEP® TECHNOLOGY . . . . . . . . . . . . . . . . . . . . . . . 13-1
13.1.1 Software Interface F or Initiating Performance State Transitions . . . . . . . . . . . . 13-1
13.2 THERMAL MONITORING AND PROTECTION. . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
13.2.1 Catastrophic Shutdown Detector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
13.2.2 Thermal Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
13.2.2.1 Thermal Monitor 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
13.2.2.2 Thermal Monitor 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
13.2.2.3 Performance State Transitions and Thermal Monitoring. . . . . . . . . . . . . . . . 13-4
13.2.2.4 Thermal Status Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5
13.2.3 Software Controlled Clock Modulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
13.2.4 Detection of Thermal Monitor and Software Controlled
Clock Modulation Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-8
CHAPTER 14 MACHINE-CHECK ARCHITECTURE
14.1 MACHINE-CHECK EXCEPTIONS AND ARCHITECTURE. . . . . . . . . . . . . . . . . . 14-1
14.2 COMPATIBILITY WITH PENTIUM
PROCESSOR. . . . . . . . . . . . . . . . . . . . . . . . . 14-1
14.3 MACHINE-CHECK MSRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
14.3.1 Machine-Check Global Control MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
14.3.1.1 IA32_MCG_CAP MSR (Pentium 4 and Intel Xeon Processors). . . . . . . . . . 14-2
14.3.1.2 MCG_CAP MSR (P6 Family Processors). . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
14.3.1.3 IA32_MCG_STATUS MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4
14.3.1.4 IA32_MCG_CTL MSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
14.3.2 Error-Reporting Register Banks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
14.3.2.1 IA32_MC
14.3.2.2 IA32_MC
14.3.2.3 IA32_MC
14.3.2.4 IA32_MC
i_CTL MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
i_STATUS MSRs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6
i_ADDR MSRs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7
i_MISC MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8
14.3.2.5 IA32_MCG Extended Machine Check State MSRs . . . . . . . . . . . . . . . . . . . 14-8
14.3.3 Mapping of the Pentium Processor Machine-Check Errors
to the Machine-Check Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-11
14.4 MACHINE-CHECK AVAILABILITY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-11
14.5 MACHINE-CHECK INITIALIZATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-11
14.6. INTERPRETING THE MCA ERROR CODES . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13
14.6.1 Simple Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13
14.6.2 Compound Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-14
14.6.3 Machine-Check Error Codes Interpretation . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17
14.7 GUIDELINES FOR WRITING MACHINE-CHECK SOFTWARE . . . . . . . . . . . . . 14-17
14.7.1 Machine-Check Exception Handler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18
14.7.2 Enabling BINIT# Drive and BINIT# Observation . . . . . . . . . . . . . . . . . . . . . . . 14-19
14.7.3 Pentium
Processor Machine-Check Exception Handling. . . . . . . . . . . . . . . . . 14-20
14.7.4 Logging Correctable Machine-Check Errors . . . . . . . . . . . . . . . . . . . . . . . . . . 14-20
CHAPTER 15 8086 EMULATION
15.1 REAL-ADDRESS MODE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
15.1.1 Address Translatio n in Real-Address Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
15.1.2 Registers Supported in Real-Address Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
15.1.3 Instructions Supported in Real-Address Mode . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
15.1.4 Interrupt and Exception Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-6
Vol. 3A xiii
CONTENTS
PAGE
15.2 VIRTUAL-8086 MODE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-7
15.2.1 Enabli ng Virtual-8086 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-9
15.2.2 Structure of a Virtual-8086 Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-9
15.2.3 Paging of Virtual-8086 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-10
15.2.4 Protection within a Virtual-8086 Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-11
15.2.5 Ente ring Virtual-8086 Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-11
15.2.6 Leaving Virtual-8086 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-13
15.2.7 Sensitive Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-14
15.2.8 Virtual-8086 Mode I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-14
15.2.8.1 I/O-Port-Mapped I/O. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-14
15.2.8.2 Memory-Mapped I/O. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-15
15.2.8.3 Special I/O Buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-15
15.3 INTERRUPT AND EXCEPTION HANDLING
IN VIRTUAL-8086 MODE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-15
15.3.1 Class 1—Hardware Interrupt and Exception Handling
in Virtual-8086 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-17
15.3.1.1 Handling an Interrupt or Exception Through a
Protected-Mode Trap or Interrupt Gate . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-17
15.3.1.2 Handling an Interrupt or Exception With an
8086 Program Interrupt or Exception Handler . . . . . . . . . . . . . . . . . . . . . . .15-19
15.3.1.3 Handling an Interrupt or Exception Through a Task Gate . . . . . . . . . . . . . .15- 20
15.3.2 Class 2—Maskable Hardware Interrupt Handling in
Virtual-8086 Mode Using the Virtual Interrupt Mechanism . . . . . . . . . . . . . . . .15-20
15.3.3 Class 3—Software Interrupt Handling in Virtual-8086 Mode. . . . . . . . . . . . . . .15-23
15.3.3.1 Method 1: Software Interrupt Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-25
15.3.3.2 Methods 2 and 3: Software Interrupt Handling. . . . . . . . . . . . . . . . . . . . . . .15-26
15.3.3.3 Method 4: Software Interrupt Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-26
15.3.3.4 Method 5: Software Interrupt Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-26
15.3.3.5 Method 6: Software Interrupt Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-27
15.4 PROTECTED-MODE VIRTUAL INTERRUPTS. . . . . . . . . . . . . . . . . . . . . . . . . . 15-28
CHAPTER 16 MIXING 16-BIT AND 32-BIT CODE
16.1 DEFINING 16-BIT AND 32-BIT PROGRAM MODULES . . . . . . . . . . . . . . . . . . . . 16-2
16.2 MIXING 16-BIT AND 32-BIT OPERATIONS WITHIN A CODE SEGMENT . . . . . 16-2
16.3 SHARING DATA AMONG MIXED-SIZE CODE SEGMENTS . . . . . . . . . . . . . . . . 16-3
16.4 TRANSFERRING CONTROL AMONG MIXED-SIZE CODE SEGMENTS . . . . . . 16-4
16.4.1 Code-Se gment Pointer Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-5
16.4.2 Stack Management for Control Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-5
16.4.2.1 Controlling the Operand-Size Attribute For a Call . . . . . . . . . . . . . . . . . . . . .16-7
16.4.2.2 Passing Parameters With a Gate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-7
16.4.3 Interrupt Control Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-8
16.4.4 Parameter Translation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-8
16.4.5 Writing Interfa ce Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-8
CHAPTER 17 IA-32 ARCHITECTURE COMPATIBILITY
17.1. IA-32 PROCESSOR FAMILIES AND CATEGORIES . . . . . . . . . . . . . . . . . . . . . . 17-1
17.2. RESERVED BITS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2
17.3. ENABLING NEW FUNCTIONS AND MODES. . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2
17.4. DETECTING THE PRESENCE OF NEW FEATURES THROUGH SOFTWARE . 17-2
17.5. INTEL MMX TECHNOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-3
Vol. 3A
xiv
CONTENTS
PAGE
17.6. STREAMING SIMD EXTENSIONS (SSE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-3
17.7. STREAMING SIMD EXTENSIONS 2 (SSE2). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-3
17.8. STREAMING SIMD EXTENSIONS 3 (SSE3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-3
17.9. HYPER-THREADING TECHNOLOGY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-4
17.10. DUAL-CORE TECHNOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-4
17.11. SPECIFIC FEATURES OF DUAL-CORE PROCESSOR . . . . . . . . . . . . . . . . . . . 17-4
17.12. NEW INSTRUCTIONS IN THE PENTIUM AND LATER IA-32 PROCESSORS . . 17-4
17.12.1. Instructions Added Prior to the Pentium Processor. . . . . . . . . . . . . . . . . . . . . . 17-5
17.13. OBSOLETE INSTRUCTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-6
17.14. UNDEFINED OPCODES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-6
17.15. NEW FLAGS IN THE EFLAGS REGISTER. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-6
17.15.1. Using EFLAGS Flags to Distinguish Between 32-Bit IA-32 Processors . . . . . . 17-7
17.16. STACK OPERATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-7
17.16.1. PUSH SP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-7
17.16.2. EFLAGS Pushed on the Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-8
17.17. X87 FPU. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-8
17.17.1. Control Register CR0 Flags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-8
17.17.2. x87 FPU Status Word . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-9
17.17.2.1. Condition Code Flags (C0 through C3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-9
17.17.2.2. Stack Fault Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-10
17.17.3. x87 FPU Control Word. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-10
17.17.4. x87 FPU Tag Word . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-10
17.17.5. Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-11
17.17.5.1. NaNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-11
17.17.5.2. Pseudo-zero, Pseudo-NaN, Pseudo-infinity, and Unnormal F ormats. . . . . 17-11
17.17.6. Floating-Point Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-11
17.17.6.1. Denormal Operand Exception (#D). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-11
17.17.6.2. Numeric Overflow Exception (#O) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-12
17.17.6.3. Numeric Underflow Exception (#U). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-12
17.17.6.4. Exception Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-13
17.17.6.5. CS and EIP For FPU Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-13
17.17.6.6. FPU Error Signals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-13
17.17.6.7. Assertion of the FERR# Pin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-13
17.17.6.8. Invalid Operation Exception On Denormals . . . . . . . . . . . . . . . . . . . . . . . . 17-14
17.17.6.9. Alignment Check Exceptions (#AC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-14
17.17.6.10. Segment Not Present Exception During FLDENV . . . . . . . . . . . . . . . . . . . 17-14
17.17.6.11. Device Not Available Exception (#NM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-14
17.17.6.12. Coprocessor Segment Overrun Exception . . . . . . . . . . . . . . . . . . . . . . . . . 17-14
17.17.6.13. General Protection Exception (#GP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-14
17.17.6.14. Floating-Point Error Exception (#MF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
17.17.7. Changes to Floating-Point Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
17.17.7.1. FDIV, FPREM, and FSQRT Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
17.17.7.2. FSCALE Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
17.17.7.3. FPREM1 Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
17.17.7.4. FPREM Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
17.17.7.5. FUCOM, FUCOMP, and FUCOMPP Instructions. . . . . . . . . . . . . . . . . . . . 17-16
17.17.7.6. FPTAN Instruction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-16
17.17.7.7. Stack Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-16
17.17.7.8. FSIN, FCOS, and FSINCOS Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . 17-16
17.17.7.9. FPATAN Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-16
17.17.7.10. F2XM1 Instruction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-16
17.17.7.11. FLD Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-17
Vol. 3A xv
CONTENTS
PAGE
17.17.7.12. FXTRACT Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-17
17.17.7.13. Load Constant Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-17
17.17.7.14. FSETPM Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-17
17.17.7.15. FXAM Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
17.17.7.16. FSAVE and FSTENV Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
17.17.8. Transcendental Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
17.17.9. Obsolete Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
17.17.10. WAIT/FWAIT Prefix Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
17.17.11. Operands Split Across Segments and/or Pages. . . . . . . . . . . . . . . . . . . . . . . .17-19
17.17.12. FPU Instruction Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-19
17.18. SERIALIZING INSTRUCTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
17.19. FPU AND MATH COPROCESSOR INITIALIZATION . . . . . . . . . . . . . . . . . . . . . 17-19
17.19.1. Intel
®
387 and Intel®287 Math Coprocessor Initialization. . . . . . . . . . . . . . . . .17 - 20
17.19.2. Intel486 SX Processor and Intel 487 SX Math Coprocessor Initialization. . . . .17-20
17.20. CONTROL REGISTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-21
17.21. MEMORY MANAGEMENT FACILITIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-23
17.21.1. New Memory Management Control Flags. . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-23
17.21.1.1. Physical Memory Addressing Extension. . . . . . . . . . . . . . . . . . . . . . . . . . . .17-23
17.21.1.2. Global Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-23
17.21.1.3. Larger Page Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-24
17.21.2. CD and NW Cache Control Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-24
17.21.3. Descriptor Types and Contents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-24
17.21.4. Changes in Segment Descriptor Loads. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-24
17.22. DEBUG FACILITIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-24
17.22.1. Differences in Debug Register DR6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-24
17.22.2. Differences in Debug Register DR7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-25
17.22.3. Debug Registers DR4 and DR5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-25
17.23. RECOGNITION OF BREAKPOINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-25
17.24. EXCEPTIONS AND/OR EXCEPTION CONDITIONS . . . . . . . . . . . . . . . . . . . . . 17-26
17.24.1. Machine-Check Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-27
17.24.2. Priority OF Exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-27
17.25. INTERRUPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-28
17.25.1. Interrupt Propagation Delay. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-28
17.25.2. NMI Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-28
17.25.3. IDT Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-28
17.26. ADVANCED PROGRAMMABLE INTERRUPT CONTROLLER (APIC). . . . . . . . 17-28
17.26.1. Software Visible Differences Between the Local APIC and the
17.26.2. New Features Incorporated in the Local APIC for the P6 Family
82489DX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-29
and
Pentium Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-30
17.26.3. New Features Incorporated in the Local APIC of the Pentium 4 and
Intel Xeon Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-30
17.27. TASK SWITCHING AND TSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-30
17.27.1. P6 Family and Pentium Processor TSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-30
17.27.2. TSS Selector Writes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-31
17.27.3. Order of Reads/Writes to the TSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-31
17.27.4. Using A 16-Bit TSS with 32-Bit Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-31
17.27.5. Differences in I/O Map Base Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-31
17.28. CACHE MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-32
17.28.1. Self-Modifying Code with Cache Enabled. . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-33
17.28.2. Disabling the L3 Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-34
17.29. PAGING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-34
xvi
Vol. 3A
CONTENTS
PAGE
17.29.1. Large Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-34
17.29.2. PCD and PWT Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-34
17.29.3. Enabling and Disabling Paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-35
17.30. STACK OPERATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-35
17.30.1. Selector Pushes and Pops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-35
17.30.2. Error Code Pushes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-36
17.30.3. Fault Handling Effects on the Stack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-36
17.30.4. Interlevel RET/IRET From a 16-Bit Interrupt or Call Gate . . . . . . . . . . . . . . . . 17-36
17.31. MIXING 16- AND 32-BIT SEGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-36
17.32. SEGMENT AND ADDRESS WRAPAROUND. . . . . . . . . . . . . . . . . . . . . . . . . . . 17-37
17.32.1. Segment Wraparound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-38
17.33. STORE BUFFERS AND MEMORY ORDERING . . . . . . . . . . . . . . . . . . . . . . . . 17-38
17.34. BUS LOCKING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-40
17.35. BUS HOLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-40
17.36. MODEL-SPECIFIC EXTENSIONS TO THE IA-32 . . . . . . . . . . . . . . . . . . . . . . . 17-40
17.36.1. M odel-Specific Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-40
17.36.2. RDMSR and WRMSR Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-41
17.36.3. Memory Type Range Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-41
17.36.4. Machine-Check Exception and Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . 17-42
17.36.5. Performance-Monitoring Counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-42
17.37. TWO WAYS TO RUN INTEL 286 PROCESSOR TASKS . . . . . . . . . . . . . . . . . . 17-43
CHAPTER 18 DEBUGGING AND PERFORMANCE MONITORING
18.1 OVERVIEW OF THE DEBUGGING SUPPORT FACILITIES. . . . . . . . . . . . . . . . . 18-1
18.2 DEBUG REGISTERS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-2
18.2.1 Debug Address Registers (DR0-DR3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-3
18.2.2 Debug Registers DR4 and DR5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-4
18.2.3 Debug Status Register (DR6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-4
18.2.4 Debug Control Register (DR7). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
18.2.5 Breakpoint Field Recognition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-6
18.2.6 Debug Registers and Intel EM64T. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-7
18.3 DEBUG EXCEPTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-7
18.3.1 Debug Exception (#DB)—Interrupt Vector 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-8
18.3.1.1 Instruction-Breakpoint Exception Condition . . . . . . . . . . . . . . . . . . . . . . . . . 18-9
18.3.1.2 Data Memory and I/O Breakpoint Exception Conditions. . . . . . . . . . . . . . . 18-10
18.3.1.3 General-Detect Exception Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11
18.3.1.4 Single-Step Exception Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11
18.3.1.5 Task-Switch Exception Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11
18.3.2 Breakpoint Exception (#BP)—Interrupt Vector 3 . . . . . . . . . . . . . . . . . . . . . . . 18-12
18.4 LAST BRANCH RECORDING OVERVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-12
18.5 LAST BRANCH, INTERRUPT, AND EXCEPTION RECORDING
(PENTIUM 4 AND INTEL XEON PROCESSORS). . . . . . . . . . . . . . . . . . . . . . . . 18-12
18.5.1 CPL-Qualified Last Branch Recording Mechanism . . . . . . . . . . . . . . . . . . . . . 18-13
18.5.2 MSR_DEBUGCTLA MSR (Pentium 4 and Intel Xeon Processors) . . . . . . . . . 18-15
18.5.3 LBR Stack (Pentium 4 and Intel Xeon Processors). . . . . . . . . . . . . . . . . . . . . 18-16
18.5.3.1 LBR Stack and Intel EM64T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-18
18.5.4 Monitoring Branche s, Exceptions, and Interrupts (Pentium 4 and
Intel Xeon Processors) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-18
18.5.5 Single-Stepping on Branches, Exceptions, and Interrupts . . . . . . . . . . . . . . . 18-18
18.5.6 Branch Trace Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-19
18.5.7 Last Exception Records (Pentium 4 and Intel Xeon Processors) . . . . . . . . . . 18-19
Vol. 3A xvii
CONTENTS
PAGE
18.5.7.1 Last Exception Records and Intel EM64T . . . . . . . . . . . . . . . . . . . . . . . . . .18-19
18.5.8 Branch Trace Store (BTS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-19
18.5.8.1 Detection of the BTS Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-20
18.5.8.2 Setting Up the DS Save Area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-20
18.5.8.3 Setting Up the BTS Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-21
18.5.8.4 Setting Up CPL-Qualified BTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-22
18.5.8.5 Writing the DS Interrupt Service Routine . . . . . . . . . . . . . . . . . . . . . . . . . . .18-22
18.6 LAST BRANCH, INTERRUPT, AND EXCEPTION
RECORDING (PENTIUM M PROCESSORS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-23
18.7 LAST BRANCH, INTERRUPT, AND EXCEPTION
RECORDING (P6 FAMILY PROCESSORS). . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-25
18.7.1 DebugCtlMSR Register (P6 Family Processors). . . . . . . . . . . . . . . . . . . . . . . .18-25
18.7.2 Last Branch and Last Exception MSRs (P6 Family Processors). . . . . . . . . . . .18-26
18.7.3 Monitoring Branches, Exceptions, and Interrupts (P6 Family
Processors). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-27
18.8 TIME-STAMP COUNTER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-28
18.9 PERFORMANCE MONITORING OVERVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . 18-29
18.10 PERFORMANCE MONITORING (PEN TIUM 4
AND INTEL XEON PROCESSORS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-30
18.10.1 ESCR MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-33
18.10.2 Performance Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-35
18.10.3 CCCR MSRs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-36
18.10.4 Debug Store (DS) Mechanism. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-38
18.10.5 DS Save Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-39
18.10.5.1 DS Save Area and IA-32e Mode Operation . . . . . . . . . . . . . . . . . . . . . . . . .18-42
18.10.6 Programming the Performance Counters for Non-Retirement Events . . . . . . .18-43
18.10.6.1 Selecting Events to Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-44
18.10.6.2 Filtering Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-47
18.10.6.3 Starting Event Counting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-48
18.10.6.4 Reading a Performance Counter’s Count. . . . . . . . . . . . . . . . . . . . . . . . . . .18-48
18.10.6.5 Halting Event Counting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-49
18.10.6.6 Cascading Counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-49
18.10.6.7 EXTENDED CASCADING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-50
18.10.6.8 EXTENDED CASCADING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-51
18.10.6.9 Generating an Interrupt on Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-51
18.10.6.10 Counter Usage Guideline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-52
18.10.7 At-Retirement Counting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-52
18.10.7.1 Using At-Retirement Counting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-54
18.10.7.2 Tagging Mechanism for Front_end_event . . . . . . . . . . . . . . . . . . . . . . . . . .18-55
18.10.7.3 Tagging Mechanism For Execution_event . . . . . . . . . . . . . . . . . . . . . . . . . .18-55
18.10.7.4 Tagging Mechanism for Replay_event . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-56
18.10.8 Precise Event-Based Sampling (PEBS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-56
18.10.8.1 Detection of the Availability of the PEBS Facilities. . . . . . . . . . . . . . . . . . . .18-56
18.10.8.2 Setting Up the DS Save Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-57
18.10.8.3 Setting Up the PEBS Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-57
18.10.8.4 Writing a PEBS Interrupt Service Routine . . . . . . . . . . . . . . . . . . . . . . . . . .18-57
18.10.8.5 Other DS Mechanism Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-57
18.10.9 Counting Clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-57
18.10.9.1 Non-Halted Clockticks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-58
18.10.9.2 Non-Sleep Clockticks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-59
18.10.9.3 Incrementing the Time-Stamp Counter. . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-59
18.10.10 Operating System Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-60
xviii
Vol. 3A
CONTENTS
PAGE
18.11 PERFORMANCE MONITORING AND HYPER-THREADING
TECHNOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-60
18.11.1 ESCR MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-61
18.11.2 CCCR MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-62
18.11.3 IA32_PEBS_ENABLE MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-64
18.11.4 Performance Monitoring Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-64
18.12 PERFORMANCE MONITORING AND DUAL-CORE TECHNOLOGY . . . . . . . . 18-66
18.13 PERFORMANCE MONITORING ON 64-BIT INTEL XEON PROCESSOR
MP WITH UP TO 8-MBYTE L3 CACHE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-66
18.14 PERFORMANCE MONITORING (P6 FAMILY
PROCESSOR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-70
18.14.1 PerfEvtSel0 and PerfEvtSel1 MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-71
18.14.2 PerfCtr0 and PerfCtr1 MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-72
18.14.3 Starting and Stopping the Performance-Mo nitoring Counters . . . . . . . . . . . . . 18-73
18.14.4 Event and Time-Stamp Monitoring Software. . . . . . . . . . . . . . . . . . . . . . . . . . 18-73
18.14.5 Monitoring Counter Overflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-74
18.15 PERFORMANCE MONITORING (PENTIUM PROCESSORS) . . . . . . . . . . . . . . 18-74
18.15.1 Control and Event Select Register (CESR) . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-75
18.15.2 Use of the Performance-Monitoring Pins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-76
18.15.3 Events Counted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-77
CHAPTER 19 INTRODUCTION TO VIRTUAL-MACHINE EXTENSIONS
19.1 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
19.2 VIRTUAL MACHINE ARCHITECTURE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
19.3 INTRODUCTION TO VMX OPERATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
19.4 LIFE CYCLE OF VMM SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
19.5 VIRTUAL-MACHINE CONTROL STRUCTURE. . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
19.6 DISCOVERING SUPPORT FOR VMX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
19.7 ENABLING AND ENTERING VMX OPERATION . . . . . . . . . . . . . . . . . . . . . . . . . 14-4
19.8 RESTRICTIONS ON VMX OPERATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
CHAPTER 20 VIRTUAL-MACHINE CONTROL STRUCTURES
20.1 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-1
20.2 FORMAT OF THE VMCS REGION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-2
20.3 ORGANIZATION OF VMCS DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-3
20.4 GUEST-STATE AREA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-3
20.4.1 Guest Register State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-3
20.4.2 Guest Non-Register State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-6
20.5 HOST-STATE AREA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-8
20.6 VM-EXECUTION CONTROL FIELDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-9
20.6.1 Pin-Based VM-Execution Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-9
20.6.2 Processor-Based VM-Execution Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-9
20.6.3 Exception Bitmap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-11
20.6.4 I/O-Bitmap Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-11
20.6.5 Time-Stamp Counter Offset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-12
20.6.6 Guest/Host Masks and Read Shadows for CR0 and CR4. . . . . . . . . . . . . . . . 20-12
20.6.7 CR3-Target Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-12
20.6.8 Controls for CR8 Accesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-13
20.6.9 MSR-Bitmap Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-13
20.6.10 Executive-VMCS Pointer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-14
Vol. 3A xix
CONTENTS
PAGE
20.7 VM-EXIT CONTROL FIELDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-14
20.7.1 VM-Exit Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
20.7.2 VM-Exit Controls for MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-15
20.8 VM-ENTRY CONTROL FIELDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-15
20.8.1 VM-Entry Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-16
20.8.2 VM-Entry Controls for MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-16
20.8.3 VM-Entry Controls for Event Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-17
20.9 VM-EXIT INFORMATION FIELDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-18
20.9.1 Basic VM-Exit Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-18
20.9.2 Information for VM Exits Due to Vectored Events. . . . . . . . . . . . . . . . . . . . . . .20-19
20.9.3 Information for VM Exits That Occur During Event Delivery . . . . . . . . . . . . . . .20-19
20.9.4 Information for VM Exits Due to Instruction Execution . . . . . . . . . . . . . . . . . . .20-20
20.9.5 VM-Instruction Error Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-22
20.10 SOFTWARE ACCESS TO THE VMCS AND RELATED STRUCTURES . . . . . . 20-22
20.10.1 Software Access to the Virtual-Machine Control Structure . . . . . . . . . . . . . . . .20-22
20.10.2 VMREAD, VMWRITE, and Encodings of VMCS Fields . . . . . . . . . . . . . . . . . .20-23
20.10.3 Software Access to Related Structures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-26
20.10.4 The VMXON Region . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-26
20.11 USING VMCLEAR TO INITIALIZE A VMCS REGION. . . . . . . . . . . . . . . . . . . . . 20-26
CHAPTER 21 VMX NON-ROOT OPERATION
21.1 INSTRUCTIONS THAT CAUSE VM EXITS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1
21.1.1 Relative Priority of IA-32 Faults and VM Exits. . . . . . . . . . . . . . . . . . . . . . . . . . .19-2
21.1.2 Instructions That Cause VM Exits Unconditionally . . . . . . . . . . . . . . . . . . . . . . .19-2
21.1.3 Instructions That Cause VM Exits Conditionally . . . . . . . . . . . . . . . . . . . . . . . . .19-3
21.2 OTHER CAUSES OF VM EXITS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-5
21.3 CHANGES TO INSTRUCTION BEHAVIOR IN VMX NON-ROOT OPERATION . 19-7
21.4 OTHER CHANGES IN VMX NON-ROOT OPERATION . . . . . . . . . . . . . . . . . . . 19-10
21.4.1 Event Blocking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19-10
21.4.2 Treatment of Task Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19-10
CHAPTER 22 VM ENTRIES
22.1 BASIC VM-ENTRY CHECKS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-2
22.2 CHECKS ON VMX CONTROLS AND HOST-STATE AREA. . . . . . . . . . . . . . . . . 21-3
22.2.1 Checks on VMX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-3
22.2.1.1 VM-Execution Control Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-3
22.2.1.2 VM-Exit Control Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-4
22.2.1.3 VM-Entry Control Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-5
22.2.2 Checks on Host Control Registers and MSRs. . . . . . . . . . . . . . . . . . . . . . . . . . .21-6
22.2.3 Checks on Host Segment and Descriptor-Table Registers. . . . . . . . . . . . . . . . .21-6
22.2.4 Checks Related to Address-Space Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-7
22.3 CHECKING AND LOADING GUEST STATE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-7
22.3.1 Checks on the Guest State Area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-7
22.3.1.1 Checks on Guest Control Registers, Debug Registers, and MSRs . . . . . . . .21-8
22.3.1.2 Checks on Guest Segment Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-8
22.3.1.3 Checks on Guest Descriptor-Table Registers . . . . . . . . . . . . . . . . . . . . . . .21-11
22.3.1.4 Checks on Guest RIP and RFLAGS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-11
22.3.1.5 Checks on Guest Non-Register State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-12
22.3.1.6 Checks on Guest Page-Directory Pointers. . . . . . . . . . . . . . . . . . . . . . . . . .21-14
22.3.2 Loading Guest State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-14
Vol. 3A
xx
CONTENTS
PAGE
22.3.2.1 Loading Guest Control Registers, Debug Registers, and MSRs . . . . . . . . 21-14
22.3.2.2 Loading Guest Segment Registers and Descriptor-Table
Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-16
22.3.2.3 Loading Guest RIP, RSP, and RFLAGS. . . . . . . . . . . . . . . . . . . . . . . . . . . 21-17
22.3.2.4 Loading Page-Directory Pointers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-17
22.3.3 Clearing Address-Range Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-17
22.4 LOADING MSRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-17
22.5 EVENT INJECTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-18
22.5.1 Details of Event Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-18
22.5.2 VM Exits During Event Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-20
22.6 SPECIAL FEATURES OF VM ENTRY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-21
22.6.1 Interruptibility State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-21
22.6.2 Activity State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-22
22.6.3 Delivery of Pending Debug Exceptions after VM Entry . . . . . . . . . . . . . . . . . . 21-22
22.6.4 Interrupt-Window Exiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-23
22.6.5 VM Entries and Advanced Debugging Features . . . . . . . . . . . . . . . . . . . . . . . 21-24
22.7 VM-ENTRY FAILURES DURING OR AFTER LOADING GUEST STATE. . . . . . 21-24
22.8 MACHINE CHECKS DURING VM ENTRY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-25
CHAPTER 23 VM EXITS
23.1 ARCHITECTURAL STATE BEFORE A VM EXIT . . . . . . . . . . . . . . . . . . . . . . . . . 22-1
23.2 RECORDING VM-EXIT INFORMATION AND UPDATING CONTROLS. . . . . . . . 22-4
23.2.1 Basic VM-Exit Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-5
23.2.2 Information for VM Exits Due to Vectored Events . . . . . . . . . . . . . . . . . . . . . . . 22-9
23.2.3 Information for VM Exits During Event Delivery. . . . . . . . . . . . . . . . . . . . . . . . 22-10
23.2.4 Information for VM Exits Due to Instruction Execution. . . . . . . . . . . . . . . . . . . 22-11
23.3 SAVING GUEST STATE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-12
23.3.1 Saving Control Reg isters, Debug Registers, and MSRs . . . . . . . . . . . . . . . . . 22-12
23.3.2 Saving Segment Regi sters and Descriptor-Table Registers . . . . . . . . . . . . . . 22-13
23.3.3 Saving RIP, RSP, and RFLAGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-14
23.3.4 Saving Non-Register State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-15
23.4 SAVING MSRS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-17
23.5 LOADING HOST STATE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-17
23.5.1 Loading Host Control Registers, Debug Registers, MSRs . . . . . . . . . . . . . . . 22-18
23.5.2 Loading Host Segment and Descriptor-Table Registers . . . . . . . . . . . . . . . . . 22-19
23.5.3 Loading Host RIP, RSP, and RFLAGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-20
23.5.4 Checki ng and Loading Host Page-Directory Pointers . . . . . . . . . . . . . . . . . . . 22-20
23.5.5 Updating Non-Register State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-21
23.5.6 Clearing Address-Range Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-21
23.6 LOADING MSRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-21
23.7 VMX ABORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-22
23.8 MACHINE CHECK DURING VM EXIT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-23
CHAPTER 24 SYSTEM MANAGEMENT
24.1 SYSTEM MANAGEMENT MODE OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-1
24.1.1 System Management Mode and VMX Op eration . . . . . . . . . . . . . . . . . . . . . . . 26-2
24.2 SYSTEM MANAGEMENT INTERRUPT (SMI). . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-2
24.3 SWITCHING BETWEEN SMM AND THE OTHER
PROCESSOR OPERATING MODES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-3
24.3.1 Entering SMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-3
Vol. 3A xxi
CONTENTS
PAGE
24.3.2 Exiting From SMM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-4
24.4 SMRAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-4
24.4.1 SMRAM State Save Map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-5
24.4.1.1 SMRAM State Save Map and Intel EM64T . . . . . . . . . . . . . . . . . . . . . . . . . .26-8
24.4.2 SMRAM Caching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-10
24.5 SMI HANDLER EXECUTION ENVIRONMENT. . . . . . . . . . . . . . . . . . . . . . . . . . 26-11
24.6 EXCEPTIONS AND INTERRUPTS WITHIN SMM . . . . . . . . . . . . . . . . . . . . . . . 26-13
24.7 MANAGING SYNCHRONOUS AND ASYNCHRONOUS
SYSTEM MANAGEMENT INTERRUPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-14
24.7.1 I/O State Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-14
24.8 NMI HANDLING WHILE IN SMM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-16
24.9 SAVING THE X87 FPU STATE WHILE IN SMM. . . . . . . . . . . . . . . . . . . . . . . . . 26-16
24.10 SMM REVISION IDENTIFIER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-17
24.11 AUTO HALT RESTART. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-18
24.11.1 Executing the HLT Instruction in SMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-18
24.12 SMBASE RELOCATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-19
24.12.1 Relocating SMRAM to an Address Above 1 MByte. . . . . . . . . . . . . . . . . . . . . .26-19
24.13 I/O INSTRUCTION RESTART. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-20
24.13.1 Back-to-Back SMI Interrupts When I/O Instruction Restart Is Being
Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-21
24.14 SMM MULTIPLE-PROCESSOR CONSIDERATIONS. . . . . . . . . . . . . . . . . . . . . 26-21
24.15 DEFAULT TREATMENT OF SMI
s AND SMM WITH VMX . . . . . . . . . . . . . . . . . 26-22
24.15.1 Default Treatment of SMI Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-22
24.15.2 Default Treatment of RSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-22
24.15.3 Protection of CR4.VMXE in SMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-24
24.16 DUAL-MONITOR TREATMENT OF SMIs AND SMM . . . . . . . . . . . . . . . . . . . . . 26-24
24.16.1 Dual-Monitor Treatment Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-24
24.16.2 SMM VM Exits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-25
24.16.2.1 Architectural State Before a VM Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-25
24.16.2.2 Updating the Current-VMCS and Executive-VMCS Pointers . . . . . . . . . . . .26-25
24.16.2.3 Recording VM-Exit Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-25
24.16.2.4 Saving Guest State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-27
24.16.2.5 Updating Non-Register State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-27
24.16.3 Operation of an SMM Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-27
24.16.4 VM Entries that Return from SMM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-27
24.16.4.1 Checks on the Executive-VMCS Pointer Field . . . . . . . . . . . . . . . . . . . . . . .26-27
24.16.4.2 Checks on VM-Execution Control Fields . . . . . . . . . . . . . . . . . . . . . . . . . . .26-28
24.16.4.3 Checks on Guest Non-Register State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-28
24.16.4.4 Loading Guest State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-28
24.16.4.5 Updating the Current-VMCS and SMM-Transfer VMCS Pointers . . . . . . . .26-29
24.16.4.6 VM Exits Induced by VM Entry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-29
24.16.4.7 SMI Blocking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-29
24.16.4.8 Failures of VM Entries That Return from SMM. . . . . . . . . . . . . . . . . . . . . . .26-30
24.16.5 Enabling the Dual-Monitor Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-30
24.16.6 Activating the Dual-Monitor Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-32
24.16.6.1 Initial Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-32
24.16.6.2 MSEG Checking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-33
24.16.6.3 Updating the Current-VMCS and Executive-VMCS Pointers . . . . . . . . . . . .26-33
24.16.6.4 Loading Host State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-33
24.16.6.5 Loading MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-36
24.16.7 Deactivating the Dual-Monitor Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-36
xxii
Vol. 3A
CONTENTS
PAGE
CHAPTER 25 VIRTUAL-MACHINE MONITOR PROGRAMMING CONSIDERATIONS
25.1 VMX SYSTEM PROGRAMMING OVERVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-1
25.2 SUPPORTING PROCESSOR OPERATING MODES IN GUEST
ENVIRONMENTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-1
25.2.1 Emulating Guest Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-2
25.3 MANAGING VMCS REGIONS AND POINTERS. . . . . . . . . . . . . . . . . . . . . . . . . . 23-2
25.4 USING VMX INSTRUCTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-5
25.5 VMM SETUP & TEAR DOWN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-5
25.6 PREPARATION AND LAUNCHING A VIRTUAL MACHINE . . . . . . . . . . . . . . . . . 23-6
25.7 HANDLING OF VM EXITS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-7
25.7.1 Handling VM Exits Due to Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-8
25.7.1.1 Reflecting Exceptions to Guest Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-8
25.7.1.2 Resuming Guest Software after Handling an Exception. . . . . . . . . . . . . . . 23-10
25.8 MULTI-PROCESSOR CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-11
25.8.1 Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-11
25.8.2 Moving a VMCS Between Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-12
25.8.3 Paired Index-Data Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-13
25.8.4 External Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-13
25.8.5 CPUID Emulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-13
25.9 32-BIT AND 64-BIT GUEST ENVIRONMENTS. . . . . . . . . . . . . . . . . . . . . . . . . . 23-13
25.9.1 Operating Modes of Guest Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-14
25.9.2 Handling Widths of VMCS Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-14
25.9.2.1 Natural-Width VMCS Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-14
25.9.2.2 64-Bit VMCS Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-15
25.9.3 IA-32e Mode Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-15
25.9.4 IA-32e Mode Guests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-16
25.9.5 32-Bit Guests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-17
25.10 HANDLING MODEL SPECIFIC REGISTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-17
25.10.1 Using VM-Execution Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-17
25.10.2 Using VM-Exit Controls for MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-18
25.10.3 Using VM-Entry Controls for MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-18
25.10.4 Handling Special-Case MSRs and Instructions. . . . . . . . . . . . . . . . . . . . . . . . 23-18
25.10.4.1 Handling IA32_EFER MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-19
25.10.4.2 Handling the SYSENTER and SYSEXIT Instructions. . . . . . . . . . . . . . . . . 23-19
25.10.4.3 Handling the SYSCALL and SYSRET Instructions. . . . . . . . . . . . . . . . . . . 23-19
25.10.4.4 Handling the SWAPGS Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-20
25.10.4.5 Implementation Specific Behavior on Writing to Certain MSRs . . . . . . . . . 23-20
25.10.5 Handling Accesses to Reserved MSR Addresses. . . . . . . . . . . . . . . . . . . . . . 23-20
25.11 HANDLING ACCESSES TO CONTROL REGISTERS . . . . . . . . . . . . . . . . . . . . 23-20
25.12 PERFORMANCE CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23-21
CHAPTER 26 VIRTUALIZATION OF SYSTEM RESOURCES
26.1 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-1
26.2 VIRTUALIZATION SUPPORT FOR IA-32 DEBUGGING FACILITIES. . . . . . . . . . 24-1
26.3 MEMORY VIRTUALIZATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-2
26.3.1 IA-32 Processor Operating Modes & Memory Virtualization . . . . . . . . . . . . . . . 24-2
26.3.2 Guest & Host Physical Address Spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-2
26.3.3 Virtualizing Virtual Memory by Brute Force . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-3
26.3.4 Alternate Approach to Memory Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . 24-4
26.3.5 Details of Virtual TLB Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-5
Vol. 3A xxiii
CONTENTS
PAGE
26.3.5.1 Initialization of Virtual TLB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-6
26.3.5.2 Response to Page Faults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-7
26.3.5.3 Response to Uses of INVLPG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-9
26.3.5.4 Response to CR3 Writes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-10
26.4 MICROCODE UPDATE FACILITY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-10
26.4.1 Early Load of Mi crocode Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-10
26.4.2 Late Load of Microcode Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-11
CHAPTER 27 HANDLING BOUNDARY CONDITIONS IN A VIRTUAL MACHINE MONITOR
27.1 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25-1
27.2 INTERRUPT HANDLING IN VMX OPERATION . . . . . . . . . . . . . . . . . . . . . . . . . . 25-1
27.3 VMM HANDLING OF EXCEPTIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25-3
27.3.1 Debug Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-3
27.4 EXTERNAL INTERRUPT VIRTUALIZATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25-4
27.4.1 Virtualization of Interrupt Vector Space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-4
27.4.2 Control of Platform Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-6
27.4.2.1 PIC Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 5-7
27.4.2.2 xAPIC Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-7
27.4.2.3 Local APIC Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-7
27.4.2.4 I/O APIC Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-8
27.4.2.5 Virtualization of Message Signaled Interrupts . . . . . . . . . . . . . . . . . . . . . . . .25-9
27.4.3 Exa mp les of Handling of External Interrupts. . . . . . . . . . . . . . . . . . . . . . . . . . . .25-9
27.4.3.1 Guest Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-9
27.4.3.2 Processor Treatment of External Interrupt . . . . . . . . . . . . . . . . . . . . . . . . . . .2 5-9
27.4.3.3 Processing of External Interrupts by VMM. . . . . . . . . . . . . . . . . . . . . . . . . .25-10
27.4.3.4 Generation of Virtual Interrupt Events by VMM . . . . . . . . . . . . . . . . . . . . . .25-11
27.5 ERROR HANDLING BY VMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25-12
27.5.1 VM-exit Failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-12
27.5.2 Machine Check Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-12
27.6 HANDLING ACTIVITY STATES BY VMM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25-14
APPENDIX A PERFORMANCE-MONITORING EVENTS
A.1 PENTIUM 4 AND INTEL XEON PROCESSOR PERFORMANCE-
MONITORING EVENTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
A.2 PERFORMANCE MONITORING EVENTS FOR
INTEL
®
PENTIUM® M PROCESSORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-41
A.3 P6 FAMILY PROCESSOR PERFORMANCE-MONITORING EVENTS . . . . . . . . A-44
A.4 PENTIUM PROCESSOR PERFORMANCE-
MONITORING EVENTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-58
APPENDIX B MODEL-SPECIFIC REGISTERS (MSRS)
B.1 MSRS IN THE PENTIUM 4 AND INTEL XEON PROCESSORS. . . . . . . . . . . . . . . B-1
B.1.1 MSRs Unique to the 64-bit Intel Xeon Processor MP with Up to
8-MByte MB L3 Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-37
B.2 MSRS IN THE PENTIUM M PROCESSOR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-38
B.3 MSRS IN THE P6 FAMILY PROCESSORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-47
B.4 MSRS IN PENTIUM PROCESSORS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-56
B.5 ARCHITECTURAL MSRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-57
Vol. 3A
xxiv
CONTENTS
PAGE
APPENDIX C MP INITIALIZATION FOR P6 FAMILY PROCESSORS
C.1 OVERVIEW OF THE MP INITIALIZATION PROCESS FOR P6 FAMILY
PROCESSORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1
C.2 MP INITIALIZATION PROTOCOL ALGORITHM. . . . . . . . . . . . . . . . . . . . . . . . . . . C-2
C.2.1 Error Detection and Handling During the MP Initialization Protocol. . . . . . . . . . . C-4
APPENDIX D PROGRAMMING THE LINT0 AND LINT1 INPUTS
D.1 CONSTANTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-1
D.2 LINT[0:1] PINS PROGRAMMING PROCEDURE. . . . . . . . . . . . . . . . . . . . . . . . . . . D-1
APPENDIX E INTERPRETING MACHINE-CHECK ERROR CODES
E.1 INCREMENTAL DECODING INFORMATION: PROCESSOR FAMILY
06H MACHINE ERROR CODES FOR MACHINE CHECK . . . . . . . . . . . . . . . . . . . E-1
E.2 INCREMENTAL DECODING INFORMATION: PROCESSOR FAMILY
0FH MACHINE ERROR CODES FOR MACHINE CHECK . . . . . . . . . . . . . . . . . . . E-4
APPENDIX F APIC BUS MESSAGE FORMATS
F.1 BUS MESSAGE FORMATS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-1
F.2 EOI MESSAGE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-1
F.2.1 Short Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2
F.2.2 Non-focused Lowest Priority Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-3
F.2.3 APIC Bus Status Cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-5
APPENDIX G VMX CAPABILITY REPORTING FACILITY
G.1 BASIC VMX INFORMATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-1
G.2 VM-EXECUTION CONTROLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-2
G.3 VM-EXIT CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-3
G.4 VM-ENTRY CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-3
G.5 MISCELLANEOUS DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-3
G.6 VMX-FIXED BITS IN CR0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-4
G.7 VMX-FIXED BITS IN CR4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-4
G.8 VMCS ENUMERATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-4
APPENDIX H FIELD ENCODING IN VMCS
H.1 16-BIT FIELDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-1
H.1.1 16-Bit Guest-State Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-1
H.1.2 16-Bit Host-State Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-2
H.2 64-BIT FIELDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-2
H.2.1 64-Bit Control Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-2
H.2.2 64-Bit Guest-State Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-3
H.3 32-BIT FIELDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-4
H.3.1 32-Bit Control Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-4
H.3.2 32-Bit Read-Only Data Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-5
H.3.3 32-Bit Guest-State Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-5
Vol. 3A xxv
CONTENTS
PAGE
H.3.4 32-Bit Host-State Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-6
H.4 NATURAL-WIDTH FIELDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-6
H.4.1 Natural-Width Control Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-7
H.4.2 Natural-Width Read-Only Data Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-7
H.4.3 Natural-Width Guest-State Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-8
H.4.4 Natural-Width Host-State Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-9
APPENDIX I VMX BASIC EXIT REASONS
APPENDIX J VM INSTRUCTION ERROR NUMBERS
FIGURES
Figure 1-1. Bit and Byte Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Figure 1-2. Syntax for CPUID, CR, and MSR Data Presentation . . . . . . . . . . . . . . . . . . . .1-8
Figure 2-1. IA-32 System-Level Registers and Data Structures. . . . . . . . . . . . . . . . . . . . . 2-3
Figure 2-2. System-Level Registers and Data Structures in IA-32e Mode . . . . . . . . . . . . .2-4
Figure 2-3. T r ansitions Among the Processor’s Operating Modes . . . . . . . . . . . . . . . . . .2-11
Figure 2-4. System Flags in the EFLAGS Register. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-12
Figure 2-5. Memory Management Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15
Figure 2-6. Control Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-18
Figure 3-1. Segmentation and Paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2
Figure 3-2. Flat Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
Figure 3-3. Protected Flat Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
Figure 3-4. Multi-Segment Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5
Figure 3-5. Logical Address to Linear Address Translation . . . . . . . . . . . . . . . . . . . . . . . .3-8
Figure 3-6. Segment Selector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9
Figure 3-7. Segment Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-10
Figure 3-8. Segment Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-12
Figure 3-9. Segment Descriptor When Segment-Present Flag Is Clear. . . . . . . . . . . . . .3-14
Figure 3-10. Global and Local Descriptor Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18
Figure 3-11. Pseudo-Descriptor Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-19
Figure 3-12. Linear Address Translation (4-KByte Pages) . . . . . . . . . . . . . . . . . . . . . . . . .3-23
Figure 3-13. Linear Address Translation (4-MByte Pages). . . . . . . . . . . . . . . . . . . . . . . . .3-24
Figure 3-14. Format of Page-Directory and Page-Table Entries for 4-KByte Pages Figure 3-15. Format of Page-Directory Entries for 4-MByte Pages and 32-Bit Figure 3-16. Format of a Page-Table or Page-Directory Entry for a Figure 3-17. Register CR3 Format When the Physical Address Extension
Figure 3-18. Linear Address Translation With PAE Enabled (4-KByte Pages). . . . . . . . . . 3-32
Figure 3-19. Linear Address Translation With PAE Enabled (2-MByte Pages) . . . . . . . . .3-33
Figure 3-20. Format of Page-Directory-Pointer-Table, Page-Directory, and Figure 3-21. Format of Page-Directory-Pointer-Table and Page-Directory Entries
Figure 3-22. Linear Address Translation (4-MByte Pages). . . . . . . . . . . . . . . . . . . . . . . . .3-38
and 32-Bit Physical Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-26
Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-27
Not-Present Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-30
is Enabled. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-31
Page-Table Entries for 4-KByte Pages with PAE Enabled. . . . . . . . . . . . . . .3-35
for 2-MByte Pages with PAE Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-36
xxvi
Vol. 3A
CONTENTS
PAGE
Figure 3-23. Format of Page-Directory Entries for 4-MByte Pages and
36-Bit Physical Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38
Figure 3-24. IA-3 2e Mode Paging Structures (4-KByte Pages) . . . . . . . . . . . . . . . . . . . . 3-40
Figure 3-25. IA-32e Mode Paging Structures (2-MByte pages) . . . . . . . . . . . . . . . . . . . . 3-41
Figure 3-26. Format of Paging Structure Entries for 4-KByte Pages in IA-32e Mode . . . . 3-42
Figure 3-27. Format of Paging Structure Entries for 2-MByte Pages in IA-32e Mode. . . . 3-43
Figure 3-28. Memory Management Convention That Assigns a Page Table
to Each Segment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46
Figure 4-1. Descriptor Fields Used for Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Figure 4-2. Descriptor Fields with Flags used in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . 4-5
Figure 4-3. Protection Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Figure 4-4. Privilege Check for Data Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Figure 4-5. Example s of Accessing Data Segments From Various Privilege
Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Figure 4-6. Privile ge Check for Control Transfer Without Using a Gate . . . . . . . . . . . . . 4-14
Figure 4-7. Examples of Accessing Conforming and Nonconforming Code
Segments From Various Privilege Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
Figure 4-8. Call-Gate Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Figure 4-9. Call-Gate Descriptor in IA-32e Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
Figure 4-10. Call-Gate Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Figure 4-11. Privilege Check for Control Transfer with Call Gate . . . . . . . . . . . . . . . . . . . 4-21
Figure 4-12. E xample of Accessing Call Gates At Various Privilege Levels. . . . . . . . . . . 4-23
Figure 4-13. Stack Switching During an Interprivilege-Level Call . . . . . . . . . . . . . . . . . . . 4-25
Figure 4-14. MSRs Used by SYSCALL and SYSRET . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-31
Figure 4-15. Use of RPL to Weaken Privilege Level of Called Procedure . . . . . . . . . . . . 4-36
Figure 5-1. Relationship of the IDTR and IDT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Figure 5-2. IDT Gate Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Figure 5-3. Interrupt Procedure Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Figure 5-4. Stack Usage on Transfers to Interrupt and Exception-Handling
Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Figure 5-5. Interrupt Task Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Figure 5-6. Error Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Figure 5-7. 64-Bit IDT Gate Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Figure 5-8. IA-3 2e Mode Stack Usage After Privilege Level Change . . . . . . . . . . . . . . . 5-25
Figure 5-9. Page-Fault Error Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-52
Figure 6-1. Structure of a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Figure 6-2. 32-Bit Task-State Segment (TSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Figure 6-3. TSS Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
Figure 6-4. Format of TSS and LDT Descriptors in 64-bit Mode. . . . . . . . . . . . . . . . . . . . 6-9
Figure 6-5. Task Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Figure 6-6. Task-Gate Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Figure 6-7. Task Gates Referencing the Same Task . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
Figure 6-8. Nested Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
Figure 6-9. Overlapping Linear-to-Physical Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Figure 6-10. 16-Bit TSS Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Figure 6-11. 64-Bit TSS Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24
Figure 7-1. Example of Write Ordering in Multiple-Processor Systems . . . . . . . . . . . . . 7-10
Figure 7-2. In terpretation of APIC ID in Early MP Systems. . . . . . . . . . . . . . . . . . . . . . . 7-23
Figure 7-3. Loca l APICs and I/O APIC in MP System Supporting HT Te chnology. . . . . 7-26
Figure 7-4. IA-32 Processor with Two Logical Processors Supporting HT
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27
Figure 7-5. Ge neralized Four level Interpretation of the initial APIC ID. . . . . . . . . . . . . . 7-36
Vol. 3A xxvii
CONTENTS
PAGE
Figure 7-6. Top ological Relationships between Hierarchical IDs in a
Hypothetical MP Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-36
Figure 8-1. Relationship of Local APIC and I/O APIC In Single-Processor
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-3
Figure 8-2. Local APICs and I/O APIC When Intel Xeon Processors Are Used
in Multiple-Processor Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-4
Figure 8-3. Local APICs and I/O APIC When P6 Family Processors Are Used
in Multiple-Processor Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-4
Figure 8-4. Local APIC Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-7
Figure 8-5. IA32_APIC_BASE MSR (APIC_BASE_MSR in P6 Family) . . . . . . . . . . . . . .8-11
Figure 8-6. Local APIC ID Register. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-12
Figure 8-7. Local APIC Version Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-15
Figure 8-8. L ocal Vector Tab le (LVT ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-16
Figure 8-9. Error Status Register (ESR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-20
Figure 8-10. Divide Configuration Register. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-21
Figure 8-11. Initial Count and Current Count Registers . . . . . . . . . . . . . . . . . . . . . . . . . . .8-21
Figure 8-12. Interrupt Command Register (ICR). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-23
Figure 8-13. Logical Destination Register (LDR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-29
Figure 8-14. Destination Format Register (DFR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-29
Figure 8-15. Arbitration Priority Register (APR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 -31
Figure 8-16. Interrupt Acceptance Flow Chart for the Local APIC (Pentium 4 and
Intel Xeon Processors) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-33
Figure 8-17. Interrupt Acceptance Flow Chart for the Local APIC (P6 Family and
Pentium Processors) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-35
Figure 8-18. Task Priority Register (TPR). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-37
Figure 8-19. Processor Priority Register (PPR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-38
Figure 8-20. IRR, ISR and TMR Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 -39
Figure 8-21. EOI Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-40
Figure 8-22. CR8 Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-41
Figure 8-23. Spurious-Interrupt Vector Register (SVR) . . . . . . . . . . . . . . . . . . . . . . . . . . .8-42
Figure 8-24. Layout of the MSI Message Address Register . . . . . . . . . . . . . . . . . . . . . . . .8-44
Figure 8-25. Layout of the MSI Message Data Register. . . . . . . . . . . . . . . . . . . . . . . . . . .8-45
Figure 9-1. Contents of CR0 Register after Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-5
Figure 9-2. Version Information in the EDX Register after Reset . . . . . . . . . . . . . . . . . . . .9-5
Figure 9-3. Processor State After Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-21
Figure 9-4. Constructing Temporary GDT and Switching to Protected Mode
(Lines 162-172 of List File). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-30
Figure 9-5. Moving the GDT, IDT, and TSS from ROM to RAM (Lines 196-261
of List File) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-31
Figure 9-6. Task Switching (Lines 282-296 of List File) . . . . . . . . . . . . . . . . . . . . . . . . . .9-32
Figure 9-7. Ap plying Microcode Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-36
Figure 9-8. Microcode Update Write Operation Flow [1]. . . . . . . . . . . . . . . . . . . . . . . . . .9-59
Figure 9-9. Microcode Update Write Operation Flow [2]. . . . . . . . . . . . . . . . . . . . . . . . . .9-60
Figure 10-1. Cache Structure of the Pentium 4 and Intel Xeon Processors . . . . . . . . . . . .10-1
Figure 10-2. Cache-Control Registers and Bits Available in IA-32 Processors . . . . . . . .10-12
Figure 10-3. Mapping Physical Memory With MTRRs . . . . . . . . . . . . . . . . . . . . . . . . . . .10-26
Figure 10-4. IA32_MTRRCAP Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-27
Figure 10-5. IA32_MTRR_ DEF_TYPE MSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-28
Figure 10-6. IA32_MTRR_PHYSBASEn and IA32_MTRR_PHYSMASKn
Variable-Range Register Pair. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-31
Figure 10-7. IA32_CR_PAT MSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-42
Figure 11-1. Mapping of MMX Registers to Floating-Point Registers. . . . . . . . . . . . . . . . .11-2
xxviii
Vol. 3A
CONTENTS
PAGE
Figure 11-2. Mapping of MMX Registers to x87 FPU Data Register Stack. . . . . . . . . . . . 11-7
Figure 12-1. Example of Saving the x87 FPU, MMX, SSE, and SSE2 State
During an Operating-System Controlled Task Switch. . . . . . . . . . . . . . . . . . 12-9
Figure 13-1. Processor Modulation Through Stop-Clock Mechanism. . . . . . . . . . . . . . . . 13-2
Figure 13-2. MSR_THERM2_CTL Register for the Pentium M Processor . . . . . . . . . . . . 13-4
Figure 13-3. MSR_THERM2_CTL Register for the Pentium 4 Processor
Supporting TM2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Figure 13-4. IA32_THERM_STATUS MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5
Figure 13-5. IA32_THERM_INTERRUPT MSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Figure 13-6. IA32_CLOCK_MODULATION MSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Figure 14-1. Machine-Check MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Figure 14-2. IA32_MCG_CAP Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Figure 14-3. MCG_CAP Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Figure 14-4. IA32_MCG_STATUS Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4
Figure 14-5. IA32_MCi_CTL Register. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
Figure 14-6. IA32_MCi_STATUS Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6
Figure 14-7. IA32_MCi_ADDR MSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8
Figure 15-1. Real-Address Mode Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
Figure 15-2. Interrupt Vector Table in Real-Address Mode. . . . . . . . . . . . . . . . . . . . . . . . 15-7
Figure 15-3. Entering and Leaving Virtual-8086 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 15-12
Figure 15-4. Privilege Level 0 Stack After Interrupt or Exception in Virtual-8086
Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-18
Figure 15-5. Software Interrupt Redirection Bit Map in TSS . . . . . . . . . . . . . . . . . . . . . . 15-25
Figure 16-1. Stack after Far 16- and 32-Bit Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6
Figure 17-1. I/O Map Base Address Differences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-32
Figure 18-1. Debug Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-3
Figure 18-2. DR6 and DR7 Layout on IA-32 Processors Supporting Intel EM64T . . . . . . 18-7
Figure 18-3. MSR_LASTBRANCH_TOS MSR Layout for the Pentium 4
and Intel Xeon Processor Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-15
Figure 18-4. MSR_DEBUGCTLA MSR for Pentium 4 and Intel Xeon Processors . . . . . 18-16
Figure 18-5. LBR MSR Branch Record Layout for the Pentium 4
and Intel Xeon Processor Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-17
Figure 18-6. MSR_DEBUGCTLB MSR for Pentium M Processors. . . . . . . . . . . . . . . . . 18-24
Figure 18-7. LBR Branch Record Layout for the Pentium M Processor . . . . . . . . . . . . . 18-25
Figure 18-8. DebugCtlMSR Register (P6 Family Processors) . . . . . . . . . . . . . . . . . . . . 18-26
Figure 18-9. Event Selection Control Register (ESCR) for Pentium 4 and
Intel Xeon Processors without HT Technology Support . . . . . . . . . . . . . . . 18-34
Figure 18-10. Performance Counter (Pentium 4 and Intel Xeon Processors). . . . . . . . . . 18-36
Figure 18-11. Counter Configuration Control Register (CCCR) . . . . . . . . . . . . . . . . . . . . 18-37
Figure 18-12. DS Save Area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-41
Figure 18-13. Branch Trace Record Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-42
Figure 18-14. IA-32e Mode DS Save Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-43
Figure 18-15. PEBS Record Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-44
Figure 18-16. Effects of Edge Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-48
Figure 18-17. Event Selection Control Register (ESCR) for the Pentium 4
Processor, Intel Xeon Processor and Intel Xeon Processor MP
Supporting Hyper-Threading Technology. . . . . . . . . . . . . . . . . . . . . . . . . . 18-61
Figure 18-18. Counter Configuration Control Register (CCCR) . . . . . . . . . . . . . . . . . . . . 18-63
Figure 18-19. Block Diagram of 64-bit Intel Xeon Processor MP with 8-MByte L3. . . . . . 18-66
Figure 18-20. MSR_IFSB_IBUSQx, Addresses: 107CCH and 107CDH. . . . . . . . . . . . . . 18-67
Figure 18-21. MSR_IFSB_ISNPQx, Addresses: 107CEH and 107CFH. . . . . . . . . . . . . . 18-68
Figure 18-22. MSR_IFSB_DRDYx, Addresses: 107D0H and 107D1H. . . . . . . . . . . . . . . 18-69
Vol. 3A xxix
CONTENTS
PAGE
Figure 18-23. MSR_IFSB_CTL6, Address: 107D2H;
Figure 18-24. PerfEvtSel0 and PerfEvtSel1 MSRs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-71
Figure 18-25. CESR MSR (Pentium Processor Only). . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-75
Figure 19-1. Interaction of a Virtual-Machine Monitor and Guests . . . . . . . . . . . . . . . . . . .14-3
Figure 19-1. CPUID Extended Feature Information ECX . . . . . . . . . . . . . . . . . . . . . . . . . .14-4
Figure 24-1. SMRAM Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 6-6
Figure 24-2. SMM Revision Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-17
Figure 24-3. Auto HALT Restart Field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-18
Figure 24-4. SMBASE Relocation Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-19
Figure 24-5. I/O Instruction Restart Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26-20
Figure 25-1. VMX Transitions and States of VMCS in a Logical Processor . . . . . . . . . . . .23-4
Figure 26-1. Virtual TLB Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-6
Figure 27-1. Host External Interrupts and Guest Virtual Interrupts. . . . . . . . . . . . . . . . . . .25-6
Figure C-1. MP System With Multiple Pentium III Processors. . . . . . . . . . . . . . . . . . . . . . C-3
MSR_IFSB_CNTR7, Address: 107D3H . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-70
TABLES
Table 2-1. Action Taken By x87 FPU Instructions for Different
Table 2-2. Summary of System Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-24
Table 3-1. Code- and Data-Segment Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-15
Table 3-2. System-Segment and Gate-Descriptor Types . . . . . . . . . . . . . . . . . . . . . . . .3-17
Table 3-3. Page Sizes and Physical Address Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-23
Table 3-4. Reserved Bit Checking When Execute Disable Bit is Disabled . . . . . . . . . . .3-44
Table 3-5. Reserved Bit Checking When Execute Disable Bit is Enabled. . . . . . . . . . . .3-44
Table 4-1. Privilege Check Rules for Call Gates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-22
Table 4-2. 64-Bit-Mode Stack Layout After CALLF with CPL Change. . . . . . . . . . . . . . .4-26
Table 4-3. Combined Page-Directory and Page-Table Protection. . . . . . . . . . . . . . . . . .4-40
Table 4-4. Page Sizes and Physical Address Sizes Supported by
Table 4-5. Extended Feature Enable MSR (IA32_EFER) . . . . . . . . . . . . . . . . . . . . . . . .4-41
Table 4-6. IA-32e Mode Page Level Protection Matrix Table 4-7. Legacy PAE-Enabled 4-KByte Page Level Protection Matrix Table 4-8. Legacy PAE-Enabled 2-MByte Page Level Protection Table 4-9. IA-32e Mode Page Level Protection Matrix Table 4-10. Reserved Bit Checking WIth Execute-Disable Bit Capability
Table 5-1. Protected-Mode Exceptions and Interrupts . . . . . . . . . . . . . . . . . . . . . . . . . .5-3
Table 5-2. Priority Among Simultaneous Exceptions and Interrupts . . . . . . . . . . . . . . . .5-11
Table 5-3. Debug Exception Conditions and Corresponding Exception Classes . . . . . .5-28
Table 5-4. Interrupt and Exception Classes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-37
Table 5-5. Conditions for Generating a Double Fault . . . . . . . . . . . . . . . . . . . . . . . . . . .5-38
Table 5-6. Invalid TSS Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40
Table 5-7. Alignment Requirements by Data Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-57
Table 5-8. SIMD Floating-Point Exceptions Priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-62
Combinations of EM, MP, and TS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-20
Execute-Disable Bit Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-41
with Execute-Disable Bit Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-42
with Execute-Disable Bit Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-42
with Execute-Disable Bit Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-42
with Execute-Disable Bit Capability Enabled . . . . . . . . . . . . . . . . . . . . . . . . .4-43
Not Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-44
xxx
Vol. 3A
CONTENTS
PAGE
Table 6-1. Exception Conditions Checked During a Task Switch . . . . . . . . . . . . . . . . . 6-15
Table 6-2. Effect of a Task Switch on Busy Flag, NT Flag,
Previous Task Link Field, and TS Flag. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
Table 7-1. Initial APIC IDs for the Logical Processors in a System that has
Four MP-Type Intel Xeon Processors Supporting Hyper-Threading
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
Table 7-2. Initial APIC IDs for the Logical Processors in a System that has
Two Physical Processors Supporting Dual-Core and Hyper-Threading
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
Table 8-1. Local APIC Register Address Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Table 8-2. ESR Flags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
Table 8-3. Valid Combinations for the Pentium 4 and Intel Xeon Processors’
Local xAPIC Interrupt Command Register . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Table 8-4. Valid Combinations for the P6 Family Processors’
Local APIC Interrupt Command Register . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Table 9-1. IA-32 Processor States Following Power-up, Reset, or INIT . . . . . . . . . . . . . 9-3
Table 9-2. Recommended Settings of EM and MP Flags on IA-32 Processors. . . . . . . . 9-7
Table 9-3. Software Emulation Settings of EM, MP, and NE Flags. . . . . . . . . . . . . . . . . 9-8
Table 9-4. Main Initialization Steps in STARTUP.ASM Source Listing . . . . . . . . . . . . . 9-21
Table 9-5. Relationship Between BLD Item and ASM Source File . . . . . . . . . . . . . . . . 9-35
Table 9-6. Microcode Update Field Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37
Table 9-7. Microcode Update Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-39
Table 9-8. Extended Processor Signature Table Header Structure. . . . . . . . . . . . . . . . 9-40
Table 9-9. Processor Signature Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-40
Table 9-10. Processor Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42
Table 9-11. Microcode Update Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48
Table 9-12. Microcode Update Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54
Table 9-13. Parameters for the Presence Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-55
Table 9-14. Parameters for the Write Update Data Function. . . . . . . . . . . . . . . . . . . . . . 9-56
Table 9-15. Parameters for the Control Update Sub-function . . . . . . . . . . . . . . . . . . . . . 9-61
Table 9-16. Mnemonic Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-61
Table 9-17. Parameters for the Read Microcode Update Data Function. . . . . . . . . . . . . 9-62
Table 9-18. Return Code Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-63
Table 10-1. Characteristics of the Caches, TLBs, Store Buffer, and
Write Combining Buffer in IA-32 Processors. . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Table 10-2. Memory Types and Their Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Table 10-3. Methods of Caching Available in Pentium 4, Intel Xeon, P6 Family,
and Pentium Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Table 10-4. MESI Cache Line States. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Table 10-5. Cache Operating Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
Table 10-6. Effective Page-Level Memory Type for Pentium Pro and
Pentium II Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Table 10-7. Effective Page-Level Memory Types for Pentium III, Pentium 4,
and Intel Xeon Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17
Table 10-8. Memory Types That Can Be Encoded in MTRRs. . . . . . . . . . . . . . . . . . . . 10-25
Table 10-9. Address Mapping for Fixed-Range MTRRs . . . . . . . . . . . . . . . . . . . . . . . . 10-29
Table 10-10. Memory Types That Can Be Encoded With PAT . . . . . . . . . . . . . . . . . . . . 10-42
Table 10-11. Selection of PAT Entries with PAT, PCD, and PWT Flags . . . . . . . . . . . . . 10-43
Table 10-12. Memory Type Setting of PAT Entries Following a Power-up or Reset . . . . 10-43
Table 11-1. Action Taken By MMX Instructions for Different Combinations
of EM, MP and TS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Table 11-2. Effects of MMX Instructions on x87 FPU State. . . . . . . . . . . . . . . . . . . . . . . 11-3
Vol. 3A xxxi
CONTENTS
PAGE
Table 11-3. Effect of the MMX, x87 FPU, and FXSAVE/FXRSTOR Instructions
on the x87 FPU Tag Word . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-4
Table 12-1. Action Taken for Combinations of OSFXSR, OSXMMEXCPT, SSE,
SSE2, SSE3, EM, MP, and TS1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-3
Table 13-1. On-Demand Clock Modulation Duty Cycle Field Encoding . . . . . . . . . . . . . .13-7
Table 14-1. Extended Machine Check State MSRs in Processors Without Support
for EM64T. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-8
Table 14-2. Extended Machine Check State MSRs
In Processors With Support For Intel EM64T. . . . . . . . . . . . . . . . . . . . . . . . .14-9
Table 14-3. IA32_MCi_Status [15:0] Simple Error Code Encoding. . . . . . . . . . . . . . . . .14-14
Table 14-4. IA32_MCi_Status [15:0] Compound Error Code Encoding. . . . . . . . . . . . . .14-15
Table 14-5. Encoding for TT (Transaction Type) Sub-Field. . . . . . . . . . . . . . . . . . . . . . .14-15
Table 14-6. Level Encoding for LL (Memory Hierarchy Level) Sub-Field . . . . . . . . . . . .14 - 15
Table 14-7. Encoding of Request (RRRR) Sub-Field . . . . . . . . . . . . . . . . . . . . . . . . . . .14-16
Table 14-8. Encodings of PP, T, and II Sub-Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-17
Table 15-1. Real-Address Mode Exceptions and Interrupts . . . . . . . . . . . . . . . . . . . . . .15-8
Table 15-2. Software Interrupt Handling Methods While in Virtual-8086 Mode. . . . . . . .15-24
Table 16-1. Characteristics of 16-Bit and 32-Bit Program Modules. . . . . . . . . . . . . . . . . .16-1
Table 17-1. New Instruction in the Pentium Processor and Later IA-32
Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-5
Table 17-2. Recommended Values of the EM, MP, and NE Flags for Intel486 SX
Microprocessor/Intel 487 SX Math Coprocessor System . . . . . . . . . . . . . . .17-20
Table 17-3. EM and MP Flag Interpretation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-20
Table 18-1. Breakpointing Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-8
Table 18-2. Debug Exception Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 8-9
Table 18-3. LBR MSR Stack Structure for the Pentium 4 and Intel Xeon
Processor Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-14
Table 18-4. MSR_DEBUGCTLA MSR Flag Encodings. . . . . . . . . . . . . . . . . . . . . . . . . .18-21
Table 18-5. CPL-Qualified Branch Trace Store Encodings . . . . . . . . . . . . . . . . . . . . . . .18-22
Table 18-6. Performance Counter MSRs and Associated CCCR and
ESCR MSRs (Pentium 4 and Intel Xeon Processors) . . . . . . . . . . . . . . . . .18-31
Table 18-7. Event Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-45
Table 18-8. CCR Names and Bit Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-50
Table 18-9. Effect of Logical Processor and CPL Qualification for Logical
Processor-Specific (TS) Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-65
Table 18-10. Effect of Logical Processor and CPL Qualification for
Non-logical-processor-specific (TI) Events. . . . . . . . . . . . . . . . . . . . . . . . . .18-65
Table 20-1. Format of the VMCS Region. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-2
Table 20-2. Format of Access Rights. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-4
Table 20-3. Format of Interruptibility State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-6
Table 20-4. Format of Pending-Debug-Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Table 20-5. Definitions of Pin-Based VM-Execution Controls . . . . . . . . . . . . . . . . . . . . . .20-9
Table 20-6. Definitions of Processor-Based VM-Execution Controls. . . . . . . . . . . . . . . .20-10
Table 20-7. Definitions of VM-Exit Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
Table 20-8. Format of an MSR Entry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-15
Table 20-9. Definitions of VM-Entry Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-16
Table 20-10. Format of the VM-Entry Interruption-Information Field. . . . . . . . . . . . . . . . .20-17
Table 20-11. Format of Exit Reason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-18
Table 20-12. Format of the VM-Exit Interruption-Information Field . . . . . . . . . . . . . . . . . .20-19
Table 20-13. Format of the IDT-Vectoring Information Field . . . . . . . . . . . . . . . . . . . . . . .20-20
Table 20-14. Format of the VMX-Instruction Information Field . . . . . . . . . . . . . . . . . . . . .20-21
Table 20-15. Structure of VMCS Component Encoding . . . . . . . . . . . . . . . . . . . . . . . . . .20-24
xxxii
Vol. 3A
CONTENTS
PAGE
Table 23-1. Exit Qualification for Debug Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-5
Table 23-2. Exit Qualification for Task Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-6
Table 23-3. Exit Qualification for Control-Register Accesses. . . . . . . . . . . . . . . . . . . . . . 22-7
Table 23-4. Exit Qualification for MOVDR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-7
Table 23-5. Exit Qualification for I/O Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22-8
Table 24-1. SMRAM State Save Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-6
Table 24-2. SMRAM State Save Map for Intel EM64T . . . . . . . . . . . . . . . . . . . . . . . . . . 26-8
Table 24-3. Processor Register Initialization in SMM. . . . . . . . . . . . . . . . . . . . . . . . . . . 26-12
Table 24-4. I/O Instruction Information in the SMM State Save Map. . . . . . . . . . . . . . . 26-15
Table 24-5. I/O Instruction Type Encodings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-15
Table 24-6. Auto HALT Restart Flag Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-18
Table 24-7. I/O Instruction Restart Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-20
Table 24-6. Exit Qualification for SMIs That Arrive Immediately
After the Retirement of an I/O Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . 26-26
Table 24-7. Format of MSEG Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26-30
Table 25-1. Operating Modes for Host and Guest Environments . . . . . . . . . . . . . . . . . 23-14
Table A-1. Pentium 4 and Intel Xeon Processor Performance Monitoring Events
for Non-Retirement Counting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
Table A-2. Pentium 4 and Intel Xeon Processor Performance Monitoring Events
For At-Retirement Counting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-27
Table A-3. Model-Specific Performance Monitoring Events (For Model Encoding
3 or 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-33
Table A-4. List of Metrics Available for Front_end Tagging
(For Front_end Event Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-33
Table A-5. List of Metrics Available for Execution Tagging
(For Execution Event Only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-34
Table A-6. List of Metrics Available for Replay Tagging
(For Replay Event Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-35
Table A-7. Event Mask Qualification for Logical Processors . . . . . . . . . . . . . . . . . . . . . A-36
Table A-8. Performance Monitoring Events on Intel Table A-9. Performance Monitoring Events Modified on Intel
®
Pentium® M Processors . . . . . . . A-41
®
Pentium® M
Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-43
Table A-10. Events That Can Be Counted with the P6 Family Performance-
Monitoring Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-44
Table A-11. Events That Can Be Counted with the Pentium Processor
Performance-Monitoring Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-59
Table B-1. MSRs in the Pentium 4 and Intel Xeon Processors . . . . . . . . . . . . . . . . . . . . B-1
Table B-2. MSRs Unique to 64-bit Intel Xeon Processor MP with
Up to an 8 MB L3 Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-37
Table B-3. MSRs in Pentium M Processors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-38
Table B-4. MSRs in the P6 Family Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-47
Table B-5. MSRs in the Pentium Processor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-56
Table B-6. IA-32 Architectural MSRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-57
Table C-1. Boot Phase IPI Message Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2
Table E-1. Incremental Decoding Information: Processor Family 06H
Machine Error Codes For Machine Check . . . . . . . . . . . . . . . . . . . . . . . . . . . E-1
Table E-2. Incremental Decoding Information: Processor Family 0FH
Machine Error Codes For Machine Check . . . . . . . . . . . . . . . . . . . . . . . . . . . E-4
Table E-3. Decoding Family 0FH Machine Check Codes for Memory
Hierarchy Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E-5
Table F-1. EOI Message (14 Cycles). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-1
Table F-2. Short Message (21 Cycles). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2
Vol. 3A xxxiii
CONTENTS
PAGE
Table F-3. Non-Focused Lowest Priority Message (34 Cycles). . . . . . . . . . . . . . . . . . . . .F-3
Table F-4. APIC Bus Status Cycles Interpretation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .F-5
Table G-1. Memory Types Used For VMCS Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-2
Table H-1. Encodings for 16-Bit Guest-State Fields (0000_10xx_xxxx_xxx0B). . . . . . . . H-1
Table H-2. Encodings for 16-Bit Host-State Fields (0000_11xx_xxxx_xxx0B). . . . . . . . . H-2
Table H-3. Encodings for 64-Bit Control Fields (0010_00xx_xxxx_xxxAb) . . . . . . . . . . . H-2
Table H-4. Encodings for 64-Bit Guest-State Fields (0010_10xx_xxxx_xxxAb). . . . . . . . H-3
Table H-5. Encodings for 32-Bit Control Fields (0100_ 00xx_xxxx_xxx0B) . . . . . . . . . . . H-4
Table H-6. Encodings for 32-Bit Read-Only Data Fields (0100_01xx_xxxx_xxx0B) . . . . H-5
Table H-7. Encodings for 32-Bit Guest-State Fields (0100_10xx_xxxx_xxx0B). . . . . . . . H-5
Table H-8. Encodings for 32-Bit Host-State Field (0100_11xx_xxxx_xxx0B). . . . . . . . . . H-6
Table H-9. Encodings for Natural-Width Control Fields (0110_00xx_xxxx_xxx0B) . . . . . H-7
Table H-10. Encodings for Natural-Width Read-Only Data Fields
(0110_01xx_xxxx_xxx0B). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-7
Table H-11. Encodings for Natural-Width Guest-State Fields
(0110_10xx_xxxx_xxx0B). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-8
Table H-12. Encodings for Natural-Width Host-State Fields
(0110_11xx_xxxx_xxx0B). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-9
Table I-1. Basic Exit Reasons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I-1
Table J-1. VM-Instruction Error Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .J-1
xxxiv
Vol. 3A
About This Manual
1
CHAPTER 1
ABOUT THIS MANUAL
The IA-32 Intel® Architecture Software Developer’ s Manual, Volume 3A: System Programming Guide, Part 1 (order number 253668) and the IA-32 Intel® Architecture Software Developer’s Manual, Volume 3B: System Programming Guide, Part 2 (order number 253669) are part of a
set that describes the architecture and programming environment of all IA-32 Intel Architecture processors. The other volumes in this set are:
IA-32 Intel® Architecture Software Developer’s Manual, Volume 1: Basic Architecture
(order number 253665).
IA-32 Intel® Architecture Software Developer’s Manual, Volumes 2A & 2B: Instruction
Set Reference (order numbers 253666 and 253667).
The IA-32 Intel® Architecture Software Developer’s Manual, Volume 1, describes the basic architecture and programming environment of an IA-32 processor. The IA-32 Intel® Architec- ture Software Developer’s Manual, Volumes 2A & 2B, describe the instruction set of the processor and the opcode structure. These volumes apply to application programmers and to programmers who write operating systems or executives. The IA-32 Intel® Architecture Soft- ware Developer’s Manual, Volumes 3A & 3B, describe the operating-system support environ­ment of an IA-32 processor and IA-32 processor compatibility information. These volumes target operating-system and BIOS designers. In addition, IA-32 Intel® Architecture Software Developer’s Manual, Volume 3B, addresses the program ming environment for classes of soft­ware that host operating systems.

1.1 IA-32 PROCESSORS COVERED IN THIS MANUAL

This manual includes information pertaining primarily to the most recent IA-32 processors, which include the Pentium
®
Xeon® processors, the Pentium M processors, the Pentium D processors, and the Pentium
Intel processor Extreme Edition. The P6 family processors are those IA-32 processors based on the P6 family microarchitecture, which include the Pentium Pro, Pentium II, and Pentium III proces­sors. The Pentium 4, Intel Xeon, Pentium D processors, and Pentium processor Extreme Editions are based on the Intel NetBurst
®
processors, the P6 family processors, the Pentium 4 processors, the
®
microarchitecture.
Vol. 3A 1-1
ABOUT THIS MANUAL

1.2 OVERVIEW OF THE SYSTEM PROGRAMMING GUIDE

A description of this manual’s content follows:
Chapter 1 — About This Manual. Gives an overview of all three volumes of the IA-32 Intel Architectur e Softwar e Developer’s Manual. It also describes the notational conventions in these
manuals and lists related Intel manuals and documentation of interest to programmers and hard­ware designers.
Chapter 2 — System Architecture Overview. Describes the modes of operation of an IA-32 processor and the mechanisms provided in the IA-32 architecture to support operating systems and executives, including the system-oriented registers and data structures and the system­oriented instructions. The steps necessary for switching between real-address and protected modes are also identified.
Chapter 3 — Protected-Mode Memory Management. Describes the data structures, registers, and instructions that support segmentation and paging. The chapter explains how they can be used to implement a “flat” (unsegmented) memory model or a segmented memory model.
Chapter 4 — Protection. Describes the support for page and segment protection provided in the IA-32 architecture. This chapter also explains the implementation of privilege rules, stack switching, pointer validation, user and supervisor modes.
Chapter 5 — Interrupt and Exception Handling. Describes the basic interrupt mechanisms defined in the IA-32 architecture, shows how interrupts and exceptions relate to protection, and describes how the architecture handles each exception type. Reference information for each IA-32 exception is given at the end of this chapter.
Chapter 6 — Task Management. Describes mechanisms the IA-32 architecture provides to support multitasking and inter-task protection.
Chapter 7 — Multiple-Processor Management. Describes the instructions and flags that support multiple processors with shared memory, memory ordering, and Hyper-Threading T ech­nology.
Chapter 8 — Advanced Programmable Interrupt Controller (APIC). Describes the programming interface to the local APIC and gives an overview of the interface between the local APIC and the I/O APIC.
Chapter 9 — Processor Management and Initialization. Defines the state of an IA-32 processor after reset initialization. This chapter also explains how to set up an IA-32 processor for real-address mode operation and protected- mode operation, and how to switch between modes.
Chapter 10 — Memory Cache Control. Describes the general concept of caching and the caching mechanisms supported by the IA-32 architecture. This chapter also describes the memory type range registers (MTRRs) and how they can be used to map memory types of phys­ical memory. Information on using the new cache control and memory streaming instructions introduced with the Pentium III, Pentium 4, and Intel Xeon processors is also given.
Chapter 11 — Intel
the Intel
1-2 Vol. 3A
®
MMX™ technology that must be handled and considered at the system programming
®
MMX™ T echnology System Programming. Describes those aspects of
ABOUT THIS MANUAL
level, including: task switching, exception handling, and compatib ility with existing system environments.
Chapter 12 — SSE, SSE2 and SSE3 System Programming. Describes those aspects of SSE/SSE2/SSE3 extensions that must be handled and considered at the system programming level, including task switching, exception handling, and compatibility with existing system environments.
Chapter 13 — Power and Thermal Management. Describes the IA-32 architecture’s power and the thermal monitoring facilities.
Chapter 14 — Machine-Check Architecture. Describes the machine-check architecture. Chapter 15 — 8086 Emulation. Describes the real-address and virtual-8086 modes of the
IA-32 architecture. Chapter 16 — Mixing 16-Bit and 32-Bit Code. Describes how to mix 16-bit and 32-bit code
modules within the same program or task. Chapter 17 — IA-32 Architecture Compatibility. Describes architectural compatibility
among the IA-32 processors, which include the Intel 286, Intel386™, Intel 486™, Pentium , P6 family, Pentium 4, and Intel Xeon processors. The differences among the 32-bit IA-32 proces­sors are also described throughout the three volumes of the IA-32 Software Developer’s Manual, as relevant to particular features of the architecture. This chapter provides a collection of all the relevant compatibility information for all IA-32 processors and also describes the basic differences with respect to the 16-bit IA-32 processors (the Intel 8086 and Intel 286 processors).
Chapter 18 — Debugging and Performance Monitoring. Descri bes the debugging registers and other debug mechanism provided in the IA-32 architecture. This chapter also describes the time-stamp counter and the performance-monitoring counters.
Chapter 19 — Introduction to Virtual-Machine Extensions. Describes the basic elements of virtual machine architecture and the virtual-machine extensions of IA-32 Intel Architecture..
Chapter 20 — Virtual-Machine Control Structures. Describes components that manage VMX operation. These include the working-VMCS pointer and the controlling-VMCS pointer.
Chapter 21— VMX Non-Root Operation. Describes the operation of a VMX non-root oper­ation. Processor operation in VMX non-root mode can be restricted programmatically such that certain operations, events or conditions can cause the processor to transfer control from the guest (running in VMX non-root mode) to the monitor software (running in VMX root mode).
Chapter 22 — VM Entries. Describes VM-entries. VM-entry transitions the processor from the VMM running in VMX root-mode to a VM running in VMX non-root mode. VM-Entry is performed by the execution of VMLAUNCH or VMRESUME instructions.
Chapter 23 — VM Exits. Describes VM-exits. Certain events, operations or situations while the processor is in VMX non-root operation may cause VM-exit transitions. In addition VM­exits can also occur on failed VM-entries.
Chapter 24 — System Management. Describes the IA-32 architecture’s system management mode (SMM) facilities.
Vol. 3A 1-3
ABOUT THIS MANUAL
Chapter 25 — Virtual-Machine Monitoring Programming Considerations. Describes programming considerations for VMMs. VMMs manage virtual machines (VMs).
Chapter 26 — Virtualization of System Resources. Describes the virtualization of the system resources. These include: debugging facilities, address translation, physical memory , and micro­code update facilities.
Chapter 27 — Handling Boundary Conditions in a Virtual Machine Monitor. Describes what a VMM must consider when handling exceptions, interrupts, error conditions, an d tran si­tions between activity states.
Appendix A — Performance-Monitoring Events. Lists the events that can be counted with the performance-monitoring counters and the codes used to select these events. Both Pentium processor and P6 family processor events are described.
Appendix B — Model-Specific Registers (MSRs). Lists the MSRs available in the Pentium processors, the P6 family processors, and the Pentium 4 and Intel Xeon processors and describes their functions.
Appendix C — MP Initialization For P6 Family Processors. Gives an example of how to use of the MP protocol to boot P6 family processors in n MP system.
Appendix D — Programming the LINT0 and LINT1 Inputs. Gives an example of how to program the LINT0 and LINT1 pins for specific interrupt vectors.
Appendix E — Interpreting Machine-Check Error Codes. Gives an example of how to inter­pret the error codes for a machine-check error that occurred on a P6 family processor.
Appendix F — APIC Bus Message Formats. Describes the message formats for messages transmitted on the APIC bus for P6 family and Pentium processors.
Appendix G — VMX Capability Reporting Facility. Describes the VMX capability MSRs. Support for specific VMX features is determined by reading capability MSRs.
Appendix H — Field Encoding in VMCS. Enumerates all fields in the VMCS and their encod­ings. Fields are grouped by width (16-bit, 32-bit, etc.) and type (guest-state, ho st-state, etc.).
Appendix I — VM Basic Exit Reasons. Describes the 32-bit fields that encode reasons for a VM-Exit. Examples of exit reasons include, but are not limited to: software interrupts, processor exceptions, software traps, NMIs, external interrupts, and triple faults.
Appendix J — VM Instruction Error Numbers. Describes the VM-instruction error codes generated by failed VM instruction executions (that have a valid working-VMCS pointer).

1.3 NOTATIONAL CONVENTIONS

This manual uses specific notation for data-structure formats, for symbolic representation of instructions, and for hexadecimal and binary numbers. A review of this notation makes the manual easier to read.
1-4 Vol. 3A
ABOUT THIS MANUAL

1.3.1 Bit and Byte Order

In illustrations of data structures in memory, smaller addresses appear toward the bottom of the figure; addresses increase toward the top. Bit positions are numbered from right to left. The numerical value of a set bit is equal to two raised to the power of the bit position. IA-32 proces­sors are “little endian” machines; this means the bytes of a word are numbered starting from the least significant byte. Figure 1-1 illustrates these conventions.

1.3.2 Reserved Bits and Software Compatibility

In many register and memory layout descriptions, certain bits are marked as reserved. When bits are marked as reserved, it is essential for compatibility with future processors that software treat these bits as having a future, though unknown, effect. The behavior of reserved bits should be regarded as not only undefined, but unpredictable. Software sh ould follow these gui delines in dealing with reserved bits:
Do not depend on the states of any reserved bits when testin g the val ues of registers which
contain such bits. Mask out the reserved bits before testing.
Do not depend on the states of any reserved bits when storing to memory or to a register.
Do not depend on the ability to retai n informati on written into any reserved bits.
When loading a register, always load the reserved bits with the values indicated in the
documentation, if any, or reload them with values previously read from the same register.
NOTE
Avoid any software dependence upon the state of reserved bits in IA-32 registers. Depending upon the values of reserved register bits will make software dependent upon the unspecified manner in which the processor handles these bits. Programs that depend upon reserved values risk incompat­ibility with future processors.
Vol. 3A 1-5
ABOUT THIS MANUAL
Highest
Address
31
Byte 3
Data Structure
23
24
Byte 2
Figure 1-1. Bit and Byte Order
16
15
Byte 1
8
7
Byte 0
0
28 24
20 16 12
8 4 0
Byte Offset
Bit offset
Lowest Address

1.3.3 Instruction Operands

When instructions are represented symbolically, a subset of the IA-32 assembly language is used. In this subset, an instruction has the following format:
label: mnemonic argument1, argument2, argument3
where:
A label is an identifier which is followed by a colon.
A mnemonic is a reserved name for a class of instruction opcodes which have the same
function.
The operands argument1, argument2, and argument3 are optional. There may be from
zero to three operands, depending on the opcode. When present, they take the form of either literals or identifiers for data items. Operand identifiers are either reserved names of registers or are assumed to be assigned to data items declared in another part of the program (which may not be shown in the example).
When two operands are present in an arithmetic or logical instruction, the right operand i s the source and the left operand is the destination.
For example:
LOADREG: MOV EAX, SUBTOTAL
In this example LOADREG is a label, MOV is the mnemonic identifier of an opcode, EAX is the destination operand, and SUBTOTAL is the source operand. Some assembly languages put the source and destination in reverse order.
1-6 Vol. 3A
ABOUT THIS MANUAL

1.3.4 Hexadecimal and Binary Numbers

Base 16 (hexadecimal) numbers are represented by a string of hexadecimal digits followed by the character H (for example, F82EH). A hexadecimal digit is a character from the following set: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.
Base 2 (binary) numbers are represented by a string of 1s and 0s, sometimes fo llowed by the character B (for example, 1010B). The “B” designation is only used in situations where confu­sion as to the type of number might arise.

1.3.5 Segmented Addressing

The processor uses byte addressing. This means memory is organized and accessed as a sequence of bytes. Whether one or more bytes are being accessed, a byte address is used to locate the byte or bytes memory. The range of memory that can be addressed is called an address space.
The processor also supports segmented addressing. This is a form of addressing where a program may have many independent address spaces, called segments. For example, a program can keep its code (instructions) and stack in separate segments. Code addresses would always refer to the code space, and stack addresses would always refer to the stack space. The following notation is used to specify a byte address within a segment:
Segment-register:Byte-address
For example, the following segment address identifies the byte at address FF79H in the segment pointed by the DS register:
DS:FF79H
The following segment address identifies an instruction address in the code segment. The CS register points to the code segment and the EIP register contains the address of the instruction.
CS:EIP

1.3.6 Syntax for CPUID, CR, and MSR Values

Obtain feature flags, status, and system information by using the CPUID instruction, by checking control register bits, and by reading model-specific registers. We are moving toward a single syntax to represent this type of information. See Figure 1-2.
Vol. 3A 1-7
ABOUT THIS MANUAL
CPUID Input and Output
Control Register Values
Model-Specific Register Values
CPUID.01H:ECX.SSE [bit 25] = 1
Input value for EAX register
Output register and feature flag or field
name with bit position(s)
Value (or range) of output
CR4.OSFXSR[bit 9] = 1
Example CR name
Feature flag or field name
with bit position(s)
Value (or range) of output
IA32_MISC_ENABLES.ENABLEFOPCODE[bit 2] = 1
Example MSR name
Feature flag or field name with bit position(s)
Value (or range) of output
OM17732
Figure 1-2. Syntax for CPUID, CR, and MSR Data Presentation

1.3.7 Exceptions

An exception is an event that typically occurs when an instruction causes an error. For example, an attempt to divide by zero generates an exception. However, some exceptions, such as break­points, occur under other conditions. Some types of exceptions may provid e error codes. An error code reports additional information abo ut the error. An example of the notation used to show an exception and error code is shown below:
#PF(fault code)
This example refers to a page-fault exception under conditions where an error code naming a type of fault is reported. Under some conditions, exceptions which produce error codes may not
1-8 Vol. 3A
ABOUT THIS MANUAL
be able to report an accurate code. In this case, the error code is zero, as shown below for a general-protection exception.
#GP(0)

1.4 RELATED LITERATURE

Literature related to IA-32 processors is listed on-line at this link:
http://developer.intel.com/design/processor/
Some of the documents listed at this web site can be viewed on-line; others can be ordered. The literature available is listed by Intel processor and then by the following literature types: appli­cations notes, data sheets, manuals, papers, and specification updates.
See also:
the data sheet for a particular Intel IA-32 processor
the specification update for a particular Intel IA-32 processor
AP-485, Intel Processor Identification and the CPUID Instruction, Order Number 241618
IA-32 Intel® Architecture Optimization Reference Manual, Order Number 248966
Vol. 3A 1-9
ABOUT THIS MANUAL
1-10 Vol. 3A
System Architecture Overview
2
CHAPTER 2
SYSTEM ARCHITECTURE OVERVIEW
IA-32 architecture (beginning with the Intel386 processor family) provides extensive support for operating-system and system-development software. This support offers multiple mo des of operation, which include:
Real mode, protected m ode, virtual 80 86 mode, and syst em management mod e. These are
sometimes referred to as legacy modes.
IA-32e mode (added b y Intel
in one of two sub-modes: 64-bit mode or compatibility mode.
The IA-32 system-level architecture and includes features to assist in the following operations:
Memory management
Protection of software modules
Multitasking
Exception and interrupt handling
Multiprocessing
Cache management
Hardware resource and power management
®
Extended Memory 64 Technology). IA-32e mode operates
Debugging and performance monitoring
This chapter provides a description of each part of this architecture. It also describes the system registers that are used to set up and control the processor at the system level and gives a brief overview of the processor’s system-level (operating system) instructions.
Many features of the IA-32 system-level architectural are used only by system programmers. However, application programmers may need to read this chapter and the following chapters in order to create a reliable and secure environment for application programs.
This overview and most subsequent chapters of this book focus on protected-mode operation of the IA-32 architecture. IA-32e mode operation, as it differs from protected mode operation, is also described.
All IA-32 processors enter real-address mode following a power-up or reset (see Chapter 9, “Processor Management and Initialization”). Software then initiates the switch from real­address mode to protected mode. If IA-32e mode operation is desired, software also initiates a switch from protected mode to IA-32e mode.
Vol. 3A 2-1
SYSTEM ARCHITECTURE OVERVIEW

2.1 OVERVIEW OF THE SYSTEM-LEVEL ARCHITECTURE

IA-32 system-level architecture consists of a set of registers, data structures, and instructions designed to support basic system-level operations such as memory management, interrupt and exception handling, task management, and control of multiple processors.
Figure 2-1 provides a summary of system regi sters and data structures that applies to 32-bit modes. System registers and data structures that apply to IA-32e mode are shown in Figure 2-2.
2-2 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
EFLAGS Register
Control Registers
Task Register
Interrupt
Vector
Interrupt Descriptor
Table (IDT)
Interrupt Gate
Task Gate Trap Gate
IDTR
CR4 CR3 CR2 CR1 CR0
Segment Sel. TSS Seg. Sel.
Call-Gate
Segment Selector
LDTR
Physical Address Linear Address
Segment Selector
Register
Global Descriptor
Table (GDT)
Seg. Desc. TSS Desc. Seg. Desc. TSS Desc.
LDT Desc.
GDTR
Local Descriptor
Table (LDT)
Seg. Desc.
Call Gate
Code, Data or Stack Segment
Task-State Segment (TSS)
Current TSS
Task-State Segment (TSS)
Current TSS
Protected Procedure
Current TSS
Task
Code
Data
Stack
Interrupt Handler
Code
Stack
Task
Code
Data
Stack
Exception Handler
Code
Stack
Code
Stack
Linear Address Space
Linear Addr.
0
Figure 2-1. IA-32 System-Level Registers and Data Structures
Page Directory
Pg. Dir. Entry
CR3*
*Physical Address
This page mapping example is for 4-KByte pages and the normal 32-bit physical address size.
Dir
Linear Address
Table Offset
Page Table
Pg. Tbl. Entry
Page
Physical Addr.
Vol. 3A 2-3
SYSTEM ARCHITECTURE OVERVIEW
RFLAGS
Physical Address
Control Register
CR8 CR4 CR3 CR2 CR1 CR0
Task Register
Linear Address Segment Selector
Register
Global Descriptor
Table (GDT)
Code, Data or Stack Segment (Base =0)
Task-State
Segment (TSS)
Segment Sel.
Interrupt
Vector
Interrupt Descriptor
Table (IDT)
Interrupt Gate
Interrupt Gate
Trap Gate
IDTR
Linear Address Space
Linear Addr.
TR
Segment Selector
Call-Gate
LDTR
PML4
PML4.
Entry
Seg. Desc.
TSS Desc. Seg. Desc. Seg. Desc.
LDT Desc.
GDTR
Local Descriptor
Table (LDT)
Seg. Desc.
Call Gate
Dir. Pointer
PML4
Pg. Dir. Ptr.
Current TSS
IST
Linear Address
Page Dir.
Pg. Dir.
Entry
Interrupt Handler
NULL
Exception Handler
NULL
Protected Procedure
NULL
TableDirectory
Page Table
Offset
Entry
Code
Stack
Interr. Handler
Code
Stack
Code
Stack
Code
Stack
Page
Physical
Addr.Page Tbl
2-4 Vol. 3A
0
CR3*
*Physical Address
This page mapping example is for 4-KByte pages
and 40-bit physical address size.
Figure 2-2. System-Level Registers and Data Structures in IA-32e Mode
SYSTEM ARCHITECTURE OVERVIEW

2.1.1 Global and Local Descriptor Tables

When operating in protected mode, all memory accesses pass through either the global descriptor table (GDT) or an optional local descriptor table (LDT) as shown in Figure 2-1. These tables contain entries called segment descriptors. Segment descriptors provide the base address of segments well as access rights, type, and usage information.
Each segment descriptor has an associated segm ent selector. A segment selector provides the software that uses it with an index into the GDT or LDT (the offset of its associated segment descriptor), a global/local flag (determines whether the selector points to the GDT or the LDT), and access rights information.
To access a byte in a segment, a segment selector and an offset must be supplied. The segment selector provides access to the segment descriptor for the segment (in the GDT or LDT). From the segment descriptor, the processor obtains the base address of the segment in the linear address space. The offset then provides the location of the byte relative to the base address. This mechanism can be used to access any valid code, data, or stack segment, provided the segment is accessible from the current privilege level (CPL) at which the processor is operating. The CPL is defined as the protection level of the currently executing code segment.
See Figure 2-1. The solid arrows in the figure indicate a linear address, dashed lines indicate a segment selector, and the dotted arrows indicate a physical address. For simplicity, many of the segment selectors are shown as direct pointers to a segment. However, the actual path from a segment selector to its associated segment is always through a GDT or LDT.
The linear address of the base of the GDT is contained in the GDT register (GDTR); the linear address of the LDT is contained in the LDT register (LDTR).
2.1.1.1 Global and Local Descriptor Tables in IA-32 Mode
GDTR and LDTR registers are expanded to 64-bit wide in both IA-32e sub-modes (64-bit mode and compatibility mode). For more information: see Section 3.5.2, “Segment Descriptor Tables in IA-32e Mode.”
Global and local descriptor tables are expanded in 64-bit mode to support 64-bit base addresses, (16-byte LDT descriptors hold a 64-bit base address and various attributes). In compatibil ity mode, descriptors are not expanded.

2.1.2 System Segments, Segment Descriptors, and Gates

Besides code, data, and stack segments that make up the execution environment of a program or procedure, the architecture defines two system segments: the task-state segment (TSS) and the LDT. The GDT is not considered a segment because it is not accessed by means of a segment selector and segment descriptor. TSSs and LDTs have segment descriptors defi ned for them.
The architecture also defines a set of special descriptors called gates (call gates, interrupt gates, trap gates, and task gates). These provide protected gateways to system procedures and handlers that may operate at a different privilege level than application programs and most procedures.
Vol. 3A 2-5
SYSTEM ARCHITECTURE OVERVIEW
For example, a CALL to a call gate can provide access to a procedure in a code segment that is at the same or a numerically lower privilege level (more privileged) than the current code segment. To access a procedure through a call gate, the calling procedure
1
supplies the selector for the call gate. The processor then performs an access rights check on the call gate, comparing the CPL with the privilege level of the call gate and the destination code segment pointed to by the call gate.
If access to the destination code segment is allowed, the processor gets the segment selector for the destination code segment and an offset into that code segment from the call gate. If the call requires a change in privilege level, the processor also switches to the stack for the targeted priv­ilege level. The segment selector for the new stack is obtained from the TSS for the currently running task. Gates also facilitate transitions between 16-bit and 32-bit code segments, and vice versa.
2.1.2.1 Gates in IA-32e Mode
In IA-32e mode, the following descriptors are 16-byte descriptors (expanded to allow a 64-bit base): LDT descriptors, 64-bit TSSs, call gates, interrupt gates, and trap gates.
Call gates facilitate transitions between 64-bit mode and compatibility mode. Task gates are not supported in IA-32e mode. On privilege level changes, stack segment selectors are not read from the TSS. Instead, they are set to NULL.

2.1.3 Task-State Segments and Task Gates

The TSS (see Figure 2-1) defines the state of the execution environment for a task. It includes the state of general-purpose registers, segment registers, the EFLAGS register, the EIP register, and segment selectors with stack pointers for three stack segments (one stack for each privilege level). The TSS also includes the segment selector for the LDT associated with the task and the page-table base address.
All program execution in protected mode happens within the context of a task (called the current task). The segment selector for the TSS for the current task is stored in the task register. The simplest method for switching to a task is to make a call or jump to the new task. Here, the segment selector for the TSS of the new task is given in the CALL or JMP instruction. In switching tasks, the processor performs the follo wi n g act ions:
1. Stores the state of the current task in the current TSS.
2. Loads the task register with the segment selector for the new task.
3. Accesses the new TSS through a segment descriptor in the GDT.
4. Loads the state of the new task from the new TSS into the general-purpose registers, the
segment registers, the LDTR, control register CR3 (page-table base address), the EFLAGS register, and the EIP register.
5. Begins execution of the new task.
1. The word “procedure” is commonly used in this document as a general term for a logical unit or block of
code (such as a program, procedure, function, or routine).
2-6 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
A task can also be accessed through a task gate. A task gate is similar to a call gate, except that it provides access (through a segment selector) to a TSS rather than a code segment.
2.1.3.1 Task-State Segments in IA-32e Mode
Hardware task switches are not supported in IA-32e mode. However, TSSs continue to exist. The base address of a TSS is specified by its descriptor.
A 64-bit TSS holds the following information that is important to 64-bit operation:
Stack pointer addresses for each privilege level
Pointer addresses for the interrupt stack table
Offset address of the IO-permission bitmap (from the TSS base)
The task register is expanded to hold 64-bit base addresses in IA-32e mode. See also: Section 6.7, “Task Management in 64-bit Mode.”

2.1.4 Interrupt and Exception Handling

External interrupts, software interrupts and exceptions are handled through the interrupt descriptor table (IDT). The IDT stores a collection of gate descriptors that provide access to interrupt and exception handlers. Like the GDT, the IDT is not a segment. The linear address for the base of the IDT is contained in the IDT register (IDTR).
Gate descriptors in the IDT can be interrupt, trap, or task gate descriptors. T o access an interrupt or exception handler, the processor first receives an interrupt vector (interrupt number) from internal hardware, an external interrupt controller, or from software by means of an INT , INT O, INT 3, or BOUND instruction. The interrupt vector provides an index into the IDT. If the selected gate descriptor is an interrupt gate or a trap gate, the associated handler procedure is accessed in a manner similar to calling a procedure through a call gate. If the descriptor is a task gate, the handler is accessed through a task switch.
2.1.4.1 Interrupt and Exception Handling IA-32e Mode
In IA-32e mode, interrupt descriptors are expanded to 16 bytes to support 64-bit base addresses. This is true for 64-bit mode and compatibility mode.
The IDTR register is expanded to hold a 64-bit base address. Task gates are not supported.

2.1.5 Memory Management

System architecture supports either direct physical addressing of memory or virtual memory (through paging). When physical addressing is used, a linear address is treated as a physical address. When paging is used: all code, data, stack, and system segments (including the GDT and IDT) can be paged with only the most recently accessed pages being held in physical memory.
Vol. 3A 2-7
SYSTEM ARCHITECTURE OVERVIEW
The location of pages (sometimes called page frames) in physical memory is contained in two types of system data structures: page directories and page tables. Both structures reside in phys­ical memory (see Figure 2-1).
The base physical address of the page directory is contained in control register CR3. An entry in a page directory contains the physical address of the base of a page table, access rights and memory management information. An entry in a page table contains the physical address of a page frame, access rights and memory management information.
T o use this paging mechanism, a linear address is broken into three parts. The parts provide sepa­rate offsets into the page directory, the page table, and the page frame. A system can have a single page directory or several. For example, each task can have its own page directory.
2.1.5.1 Memory Management in IA-32e Mode
In IA-32e mode, physical memory pages are managed by a set of system data structures. In compatibility mode and 64-bit mode, four levels of system data structures are used. These include:
The page map level 4 (PML4) — An entry in a PML4 table contains the physical address
of the base of a page directory pointer table, access rights, and memory management infor­mation. The base physical address of the PML4 is stored in CR3.
A set of page directory pointers — An entry in a page directory pointer table contains the
physical address of the base of a page directory table, access rights, and memory management information.
Sets of page directories — An entry in a page directory table contains the physical
address of the base of a page table, access rights, and memory management information.
Sets of page tables — An entry in a page table contains the physical address of a page
frame, access rights, and memory management information.

2.1.6 System Registers

T o assist in initializing the processor and controlling system operations, the system architecture provides system flags in the EFLAGS register and several system registers:
The system flags and IOPL field in the EFLAGS register control task and mode switching,
interrupt handling, instruction tracing, and access rights. See also: Section 2.3, “System Flags and Fields in the EFLAGS Register.”
The control registers (CR0, CR2, CR3, and CR4) contain a variety of flags and data fields
for controlling system-level operations. Other flags in these registers are used to indicate support for specific processor capabilities within the operating system or executive. See also: Section 2.5, “Control Registers.”
The debug registers (not shown in Figure 2-1) allow the setting of breakpoints for use in
debugging programs and systems software. See also: Chapter 18, “Debugging and Performance Monitoring.”
2-8 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
The GDTR, LDTR, and IDTR registers contain the linear addresses and sizes (limits) of
their respective tables. See also: Section 2.4, “Memory-Management Registers.”
The task register contains the linear address and size of the TSS for the current task. See
also: Section 2.4, “Memory-Management Registers.”
Model-specific registers (not shown in Figure 2-1).
The model-specific registers (MSRs) are a group of registers available primarily to operating­system or executive procedures (that is, code running at privilege level 0). These registers control items such as the debug extensions, the performance-monitoring counters, the machine­check architecture, and the memory type ranges (MTRRs).
The number and function of these registers varies among different members of the IA-32 processor families. See also: Section 9.4, “Model-Specific Registers (MSRs),” and Appendix B, “Model-Specific Registers (MSRs).”
Most systems restrict access to system registers (other than the EFLAGS register) by application programs. Systems can be designed, however, where all programs and procedures run at the most privileged level (privilege level 0). In such a case, application programs would be allowed to modify the system registers.
2.1.6.1 System Registers in IA-32e Mode
In IA-32e mode, the four system-descriptor-table registers (GDTR, IDTR, LDTR, and TR) are expanded in hardware to hold 64-bit base addresses. EFLAGS becomes the 64-bit RFLAGS register. CR0-CR4 are expanded to 64 bits. CR8 becomes available. CR8 provides read-write access to the task priority register (TPR) so that the operating system can control the priority classes of external interrupts.
In 64-bit mode, debug registers DR0–DR7 are 64 bits. In compatibility mode, address-matching in DR0-DR3 is also done at 64-bit granularity.
On systems that support IA-32e mode, the exte nded feature enable register (IA32_EFER) is available. This model-specific register controls activation of IA-32e mode and other IA-32e mode operations. In addition, there are several model-specific registers that govern IA-32e mode instructions:
IA32_KernelGSbase — Used by SWAPGS instruction.
IA32_LSTAR — Used by SYSCALL instruction.
IA32_SYSCALL_FLAG_ M ASK — Used by SYSCALL instruction.
IA32_STAR_CS — Used by SYSCALL and SYSRET instruction.
Vol. 3A 2-9
SYSTEM ARCHITECTURE OVERVIEW

2.1.7 Other System Resources

Besides the system registers and data structures described in the previous sections, system archi­tecture provides the following additional resources:
Operating system instruction s (see also: Section 2.6, “System Instruction Summary”).
Performance-monitoring counters (not shown in Figure 2-1).
Internal caches and buffers (not shown in Figure 2-1).
Performance-monitoring counters are event counters that can be programmed to count processor events such as the number of instructions decoded, the number of interrupts received, or the number of cache loads. See also: Section 18, “Debugging and Performance Monitoring.”
The processor provides several internal caches and buffers. The caches are used to store both data and instructions. The buffers are used to store things like decoded addresses to system and application segments and write operations waiting to be performed. See also: Chapter 10, “Memory Cache Control.”

2.2 MODES OF OPERATION

The IA-32 architecture supports four operating modes and one quasi-operating mode:
Protected mode — This is the native operating mode of the processor. It provides a rich
set of architectural features, flexibility, high performance and backward compatibility to existing software base.
Real-address mode — This operating mode provides the programming environment of
the Intel 8086 processor, with a few extensions (such as the ability to switch to protected or system management mode).
System management mode (SMM) — SMM is a standard architectural feature in all
IA-32 processors, beginning with the Intel386 SL processor. This mode provides an operating system or executive with a transparent mechanism for implementing power management and OEM differentiation features. SMM is entered through activation of an external system interrupt pin (SMI#), which generates a system management interrupt (SMI). In SMM, the processor switches to a separate address space while saving the context of the currently running program or task. SMM-specific code may then be executed transparently. Upon returning from SMM, the processor is placed back into its state prior to the SMI.
Virtual-8086 mode — In protected mode, the processor supports a quasi-operating mode
known as virtual-8086 mode. This mode allows the processor execute 8086 software in a protected, multitasking environment.
IA-32e mode — In IA-32e mode, the processor supports two sub-modes: compatibility
mode and 64-bit mode. 64-bit mode provides 64-bit linear addressing and support for physical address space larger than 64 GBytes. Compatibility mode allows most legacy protected-mode applications to run unchanged.
Figure 2-3 shows how the processor moves among these operating modes.
2-10 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
SMI#
System
Reset
Real-Address
Reset or
PE=0
Protected Mode
Mode
PE=1
Reset
or
RSM
SMI#
RSM
Management
VM=1VM=0
Virtual-8086
Mode
LME=1, CR0.PG=1*
See**
SMI#
RSM
IA-32e
Mode
SMI#
RSM
Figure 2-3. Transitions Among the Processor’s Operating Modes
Mode
* See Section 9.8.5
** See Section 9.8.5.4
The processor is placed in real-address mode following power-up or a reset. The PE flag in control register CR0 then controls whether the processor is operating in real-address or protected mode. See also: Section 9.9, “Mode Switching.”
The VM flag in the EFLAGS register determines whether the processor is operating in protected mode or virtual-8086 mode. Transitions between protected mode and virtual-8086 mode are generally carried out as part of a task switch or a return from an interrupt or exception handler. See also: Section 15.2.5, “Entering Virtual-8086 Mode.”
The LMA bit (IA32_EFER.LMA.LMA[bit 10]) determines whether the processor is operating in IA-32e mode. When running in IA-32e mode, 64-bit or compatibility sub-mode operation is determined by CS.L bit of the code segment. The processor enters into IA-32e mode from protected mode by enabling paging and setting the LME bit (IA32_EFER.LME[bit 8]). See also: Chapter 9, “Processor Management and Initialization.”
The processor switches to SMM whenever it receives an SMI while the processor is in real­address, protected, virtual-8086, or IA-32e modes. Upon execution of the RSM instruction, the processor always returns to the mode it was in when the SMI occurred.
Vol. 3A 2-11
SYSTEM ARCHITECTURE OVERVIEW

2.3 SYSTEM FLAGS AND FIELDS IN THE EFLAGS REGISTER

The system flags and IOPL field of the EFLAGS register control I/O, maskable hardware inter­rupts, debugging, task switching, and the virtual-8086 mode (see Figure 2-4). Only privileged code (typically operating system or executive code) should be allowed to modify these bits .
The system flags and IOPL are: TF Trap (bit 8) — Set to enable single-step mode for debugging; clear to disable single-
step mode. In single-step mode, the processor generates a debug exception after each instruction. This allows the execution state of a program to be inspected after each instruction. If an application program sets the TF flag using a POPF, POPFD, or IRET instruction, a debug exception is generated after the instruction that follows the POPF, POPFD, or IRET.
31
Reserved (set to 0)
22
21 20 19
I
D
17
16
151314 12 11
18
V
V
A
I
I
C
P
F
N
R
V
0
T
F
M
I O P
L
10 9
O
DFIFTFSFZ
F
876
543
F
1
0
2
P
A F
C
1
00
F
F
ID — Identification Flag VIP — Virtual Interrupt Pending VIF — Virtual Interrupt Flag
AC — Alignment Check
VM — Virtual-8086 Mode RF — Resume Flag NT — Nested Task Flag IOPL— I/O Privilege Level IF — Interrupt Enable Flag TF — Trap Flag
Reserved
Figure 2-4. System Flags in the EFLAGS Register
IF Interrupt enable (bit 9) — Controls the response of the processor to maskable hard-
ware interrupt requests (see also: Section 5.3.2, “Maskable Hardware Interrupts”). The flag is set to respond to maskable hardware interrupts; cleared to inhibit maskable hard­ware interrupts. The IF flag does not affect the generation of exceptions or nonmaskable interrupts (NMI interrupts). The CPL, IOPL, and the state of the VME flag in control register CR4 determine whether the IF flag can be modified by the CLI, STI, POPF, POPFD, and IRET.
IOPL I/O privilege level field (bits 12 and 13) — Indicates the I/O privilege level (IOPL)
of the currently running program or task. The CPL of the currently running program or task must be less than or equal to the IOPL to access the I/O address space. This field can only be modified by the POPF and IRET instructions when operating at a CPL of 0.
2-12 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
The IOPL is also one of the mechanisms that controls the modification of the IF flag
and the handling of interrupts in virtual-8086 mod e when vi rtu al mode extensions are
in effect (when CR4.VME = 1). See also: Chapter 13, “Input/Output,” in the IA-32
Intel® Architecture Software Developer’s Manual, Volume 1.
NT Nested task (bit 14) — Controls the chaining of interrupted and called tasks. Th e
processor sets this flag on calls to a task initiated with a CALL instruction, an interrupt,
or an exception. It examines and modifies this flag on returns from a task initiated with
the IRET instruction. The flag can be explicitly set or cleared with the PO PF/POPFD
instructions; however, changing to the state of this flag can generate unexpected excep-
tions in application programs.
See also: Section 6.4, “Task Linking.”
RF Resume (bit 16) — Controls the processor’s response to instruction-breakpoint condi-
tions. When set, this flag temporarily disab les debug exceptions (#DB) from being
generated for instruction breakpoints (although other exception conditions can
cause an exception to be generated). When clear, instruction breakpoints will
generate debug exceptions.
The primary function of the RF flag is to allow the restarting of an instruction following
a debug exception that was caused by an instruction breakpoint condition. Here, debug
software must set this flag in the EFLAGS image on the stack just prior to returning to
the interrupted program with IRETD (to prevent the instruction breakpoint from
causing another debug exception). Th e p roc esso r then automatically clears this flag
after the instruction returned to has been successfully executed, enabling instruction
breakpoint faults again.
See also: Section 18.3.1.1, “Instruction-Breakpoint Exception Condition.”
VM Virtual-8086 mode (bit 17) — Set to enable virtual-8086 mode; clear to return to
protected mode.
See also: Section 15.2.1, “Enabling Virtual-8086 Mode.”
AC Alignment check (bit 18) — Set th is flag and the AM flag in control register CR0 to
enable alignment checking of memory references; clear the AC flag and/or the AM flag
to disable alignment checking. An alignment-check exception is generated when refer-
ence is made to an unaligned operand, such as a word at an odd byte address or a
doubleword at an address which is not an integral multiple of four. Alignment-check
exceptions are generated only in user mode (privilege level 3). Memory references that
default to privilege level 0, such as segment descriptor loads, do not generate this
exception even when caused by instructions executed in user-mode.
The alignment-check exception can be used to check alignment of data. This is useful
when exchanging data with processors which require all data to be aligned. The align-
ment-check exception can also be used by interpreters to flag some pointers as special
by misaligning the pointer. This eliminates overhead of checking each pointer and only
handles the special pointer when used.
Vol. 3A 2-13
SYSTEM ARCHITECTURE OVERVIEW
VIF Virtual Interrupt (bit 19) — Contains a virtual image of the IF flag. This flag is used
in conjunction with the VIP flag. The processor only recognizes the VIF flag when either the VME flag or the PVI flag in control register CR4 is set and the IOPL is less than 3. (The VME flag enables the virtual-8086 mode extensions; the PVI flag enables the protected-mode virtual interrupts.)
See also: Section 15.3.3.5, “Method 6: Software Interrupt Handling,” and Section 15.4, “Protected-Mode Virtual Interrupts.”
VIP Virtual interrupt pending (bit 20) — Set by software to indicate that an interrupt is
pending; cleared to indicate that no interrupt is pending. This flag is used in conjunction with the VIF flag. The processor reads this flag but never modifies it. The processor only recognizes the VIP flag when either the VME flag or the PVI flag in control register CR4 is set and the IOPL is less than 3. The VME flag enables the virtual-8086 mode extensions; the PVI flag enables the protected-mode virtual interrupts.
See Section 15.3.3.5, “Method 6: Software Interrupt Handling,” and Section 15.4, “Protected-Mode Virtual Interrupts.”
ID Identification (bit 21). — The ability of a program or procedure to set or clear this flag
indicates support for the CPUID instruction.

2.3.1 System Flags and Fields in IA-32e Mode

In 64-bit mode, the RFLAGS register expands to 64 bits with the upper 32 bits reserved. System flags in RFLAGS (64-bit mode) or EFLAGS (compatibility mode) are shown in Figure 2-4.
In IA-32e mode, the processor does not allow the VM bit to be set because virtual-8086 mode is not supported (attempts to set the bit are ignored). Also, the processor will not set the NT bit. The processor does, however, allow software to set the NT bit (note that an IRET causes a general protection fault in IA-32e mode if the NT bit is set).
In IA-32e mode, the SYSCALL/SYSRET instructions have a programmable method of speci­fying which bits are cleared in RFLAGS/EFLAGS. These instructions save/restore EFLAGS/RFLAGS.

2.4 MEMORY-MANAGEMENT REGISTERS

The processor provides four memory-management registers (GDTR, LDTR, IDTR, and TR) that specify the locations of the data structures which control segmented memory management (see Figure 2-5). Special instructions are provided for loading and storing these registers.
2-14 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
GDTR
IDTR
Task
Register
LDTR
47(79)
32(64)-bit Linear Base Address 32(64)-bit Linear Base Address
System Segment
Registers
15
Seg. Sel. Seg. Sel.
System Table Registers
Segment Descriptor Registers (Automatically Loaded)
0
1516
16-Bit Table Limit
16-Bit Table Limit
32(64)-bit Linear Base Address 32(64)-bit Linear Base Address
0
Attributes
Segment Limit
Segment Limit
Figure 2-5. Memory Management Registers

2.4.1 Global Descriptor Table Register (GDTR)

The GDTR register holds the base address (32 bits in protected mode; 64 bits in IA-32e mode) and the 16-bit table limit for the GDT. The base address specifies the linear address of byte 0 of the GDT; the table limit specifies the number of bytes in the table.
The LGDT and SGDT instructions load and store the GDTR register, respectively. On power up or reset of the processor, the base address is set to the default value of 0 and the limit is set to 0FFFFH. A new base address must be loaded into the GDTR as part of the processor initializa­tion process for protected-mode operation.
See also: Section 3.5.1, “Segment Descriptor Tables.”

2.4.2 Local Descriptor Table Register (LDTR)

The LDTR register holds the 16-bit segment selector, base address (32 bits in protected mode; 64 bits in IA-32e mode), segment limit, and descriptor attributes for the LDT. The base address specifies the linear address of byte 0 of the LDT segment; the segment limit specifies the number of bytes in the segment. See also: Section 3.5.1, “Segment Descriptor Tables.”
The LLDT and SLDT instructions load and store the segment selector part of the LDTR register, respectively. The segment that contains the LDT must have a segment descriptor in the GDT. When the LLDT instruction loads a segment selector in the LDTR: the base address, limit, and descriptor attributes from the LDT descriptor are automatically loaded in the LDTR.
When a task switch occurs, the LDTR is automatically loaded with the segment selector and descriptor for the LDT for the new task. The contents of the LDTR are not automatically saved prior to writing the new LDT information into the register.
On power up or reset of the processor, the segment selector and base address are set to the default value of 0 and the limit is set to 0FFFFH.
Vol. 3A 2-15
SYSTEM ARCHITECTURE OVERVIEW

2.4.3 IDTR Interrupt Descriptor Table Register

The IDTR register holds the base address (32 bits in protected mode; 64 bits in IA-32e mod e) and 16-bit table limit for the IDT. The base address specifies the linear address of byte 0 of the IDT; the table limit specifies the number of bytes in the table. The LIDT and SIDT instructions load and store the IDTR register, respectively. On power up or reset of the processor, the base address is set to the default value of 0 and the limit is set to 0FFFFH. The base address and limi t in the register can then be changed as part of the processor initialization process.
See also: Section 5.10, “Interrupt Descriptor Table (IDT).”

2.4.4 Task Register (TR)

The task register holds the 16-bit segment selector, base address (32 bits in protected mode; 64 bits in IA-32e mode), segment limit, and descriptor attributes for the TSS of the current task. The selector references the TSS descriptor in the GDT. The base address specifies the linear address of byte 0 of the TSS; the segment limit specifies the number of bytes in the TSS. See also: Section 6.2.4, “Task Register.”
The LTR and STR instructions load and store the segment selector part of the task register, respectively. When the LTR instruction loads a segment selector in the task register, the base address, limit, and descriptor attributes from the TSS descriptor are automatically loaded in to the task register. On power up or reset of the processor, the base address is set to the default value of 0 and the limit is set to 0FFFFH.
When a task switch occurs, the task register is automatically loaded with the segment selector and descriptor for the TSS for the new task. The contents of the task register are not automati­cally saved prior to writing the new TSS information into the register.

2.5 CONTROL REGISTERS

Control registers (CR0, CR1, CR2, CR3, and CR4; see Figure 2-6) d etermine operating mode of the processor and the characteristics of the currently executing task. These registers are 32 bits in all 32-bit modes and compatibility mode.
In 64-bit mode, control registers are expanded to 64 bits. The MOV CRn instructions are used to manipulate the register bits. Operand-size prefixes for these instructions are ignored. The following is also true:
Bits 63:32 of CR0 and CR4 are reserved and must be written with zeros. Writing a nonzero
value to any of the upper 32 bits results in a general-protection exception, #GP(0).
All 64 bits of CR2 are writable by software.
Bits 51:40 of CR3 are reserved and must be 0.
The MOV CRn instructions do not check that addresses written to CR2 and CR3 are within
the linear-address or physical-address limitations of the implementation.
Register CR8 is available in 64-bit mode only.
2-16 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
The control registers are summarized below, and each architecturally defined control field in these control registers are described individually. In Figure 2-6, the width of the register in 64-bit mode is indicated in parenthesis (except for CR0).
CR0 — Contains system control flags that control operating mode and states of the
processor.
CR1 — Reserved.
CR2 — Contains the page-fault linear address (the linear address that caused a page fault).
CR3 — Contains the physical address of the base of the page directory and two flags (PCD
and PWT). This register is also known as the page-directory base register (PDBR). Only the most-significant bits (less the lower 12 bits) of the base address are specified; the lower 12 bits of the address are assumed to be 0. The page directory must thus be aligned to a page (4-KByte) boundary. The PCD and PWT flags control caching of the page directory in the processor’s internal data caches (they do not control TLB caching of page-directory information).
When using the physical address extension, the CR3 register contains the b ase address of the page-directory-pointer table In IA-32e mode, the CR3 register contains the base address of the PML4 table.
See also: Section 3.8, “36-Bit Physical Addressing Using the P A E Paging Mechanism.”
CR4 — Contains a group of flags that enable several architectural extensions, and indicate
operating system or executive support for specific processor capabilities. The control registers can be read and loaded (or modified) using the move-to-or-from-control-registers forms of the MOV instruction. In protected mode, the MOV instructions al low the cont rol registers to be read or loaded (at privilege level 0 only). This restriction means that application programs or operating-system procedures (running at privilege levels 1, 2, or
3) are prevented from reading or loading the control registers.
CR8 — Provides read and write access to the Task Priority Register (TPR). It specifies the
priority threshold value that operating systems use to control the priority class of external interrupts allowed to interrupt the processor. This register is available only in 64-bit mode. However, interrupt filtering continues to apply in compatibility mode.
Vol. 3A 2-17
SYSTEM ARCHITECTURE OVERVIEW
31(63)
31(63)
31(63)
31(63)
312930 28
P
N
C
G
W
D
Reserved
Reserved (set to 0)
OSXMMEXCPT
Page-Directory Base
Page-Fault Linear Address
19
18
A
M
Figure 2-6. Control Registers
OSFXSR
17
16
W
P
P
P
M
C
G
C
E
E
E
543210
V
T
P A E
54320
P
P
D
M
S
V
S
E
E
D
I
E
P
P
C
W
T
D
0
CR4
CR3 (PDBR)
9876
10
12
11
CR2
0
CR1
15
543
6
N E
1
0
2
E
P
M
T
E
S
T
CR0
M
E
P
When loading a control register, reserved bits should always be set to the values previously read. The flags in control registers are:
PG Paging (bit 31 of CR0) — Enables paging when set; disables paging when clear.
When paging is disabled, all linear addresses are treated as physical addresses. The PG flag has no effect if the PE flag (bit 0 of register CR0) is not also set; setting the PG flag when the PE flag is clear causes a general-protection exception (#GP). See also: Section 3.6, “Paging (Virtual Memory) Overview.”
On IA-32 processors that support Intel
®
EM64T , enabling and disabling IA-32e mode
operation also requires modifying CR0. PG.
CD C ache Disable (bit 30 of CR0) — When the CD and NW flags are clear, caching of
memory locations for the whole of physical memory in the processor’s internal (and external) caches is enabled. When the CD flag is set, caching is restricted as described in Table 10-5. To prevent the processor from accessing and updating its caches, the CD flag must be set and the caches must be invalidated so that no cache hits can occur.
See also: Section 10.5.3, “Preventing Caching,” and Section 10.5, “Cache Control.”
2-18 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
NW Not Write-through (bit 29 of CR0) — When the NW and CD flags are clear, write-
back (for Pentium 4, Intel Xeon, P6 family, and Pentium processors) or write-through
(for Intel486 processors) is enabled for writes that hit the cache and invalidation cycles
are enabled. See Ta ble 10-5 for detailed information about the affect of the NW flag on
caching for other settings of the CD and NW flags.
AM Alignment Mask (bit 18 of CR0) — Enables automatic alignment checking when set;
disables alignment checking when clear. Alignment checking is performed only when
the AM flag is set, the AC flag in the EFLAGS register is set, CPL is 3, and the
processor is operating in either protected or virtual-8086 mode.
WP Write Protect (bit 16 of CR0) — Inhibits supervisor-level procedures from writing
into user-level read-only pages when set; allows supervisor-level procedures to write
into user-level read-only pages when clear. This flag facilitates im plementation of the
copy-on-write method of creating a new process (fo rking) used by operating systems
such as UNIX*.
NE Numeric Error (bit 5 of CR0) — Enables the native (internal) mechanism for
reporting x87 FPU errors when set; enables the PC-style x87 FPU error reporting
mechanism when clear. When the NE flag is clear and the IGNNE# input is asserted,
x87 FPU errors are ignored. When the NE flag is clear and the IGNNE# input is deas-
serted, an unmasked x87 FPU error causes the processor to assert the FERR# pin to
generate an external interrupt and to stop instruction execution imm ediately before
executing the next waiting floating-point instruction or WAIT/FWAIT instruction.
The FERR# pin is intended to drive an input to an external interrupt controller (the
FERR# pin emulates the ERROR# pin of the Intel 287 and Int el 387 DX math copro-
cessors). The NE flag, IGNNE# pin, and FERR# pin are used with external logic to
implement PC-style error reporting.
See also: “Software Exception Handling” in Chapter 8, “Programming with the x87
FPU,” and Appendix A, “Eflags Cross-Reference,” in the IA-32 Intel® Architecture
Software Developer’s Manual, Volume 1.
ET Extension Type (bit 4 of CR0) — Reserved in the Pentium 4, Intel Xeon, P6 family,
and Pentium processors. In the Pentium 4, Intel Xeon, and P6 family processors, this
flag is hardcoded to 1. In the Intel386 and Intel486 processors, this flag indicates
support of Intel 387 DX math coprocessor instructions when set.
TS T ask Switched (bit 3 of CR0) — Allows the saving of the x87 FPU/MMX/SSE/SSE2/
SSE3 context on a task switch to be delayed until an x87 FPU/MMX/SSE/SSE2/SSE3
instruction is actually executed by the new task. The processor sets this flag on every
task switch and tests it when executing x87 FPU/MMX/SSE/SSE2/SSE3 instructions.
If the TS flag is set and the EM flag (bit 2 of CR0) is clear, a device-not-available
exception (#NM) is raised prior to the execution of any x87 FPU/MMX/SSE/ SSE2/SSE3 instruction; with the exception of PAUSE, PREFETCHh, SFENCE, LFENCE, MFENCE, MOVNTI, and CLFLUSH. See the paragraph below for the special case of the WAIT/FWAIT instructions.
Vol. 3A 2-19
SYSTEM ARCHITECTURE OVERVIEW
If the TS flag is set and the MP flag (bit 1 of CR0) and EM flag are clear, an #NM
exception is not raised prior to the execution of an x87 FPU WAIT/FWAIT instruction.
If the EM flag is set, the setting of the TS flag has no affect on the execution of
x87 FPU/MMX/SSE/SSE2/SSE3 instructions.
T able 2-1 shows the actions taken when the processor encounters an x87 FPU instruc­tion based on the settings of the TS, EM, and MP flags. Table 11-1 and 12-1 show the actions taken when the processor encounters an MMX/SSE/SSE2/SSE3 instruction.
The processor does not automatically save the context of the x87 FPU, XMM, and MXCSR registers on a task switch. Instead, it sets the TS flag, which causes the processor to raise an #NM exception whenever it encounters an x87 FPU/MMX/SSE /SSE2/SSE3 instruction in the instruction stream for the new task (with the exception of the instructions listed above).
The fault handler for the #NM exception can then be used to clear the TS flag (with the CLTS instruction) and save the context of the x87 FPU, XMM, and MXCSR registers. If the task never encounters an x87 FPU/MMX/SSE/SSE2/SSE3 instruction; the x87 FPU/MMX/SSE/SSE2/ SSE3 context is never saved.
Table 2-1. Action Taken By x87 FPU Instructions for Different
Combinations of EM, MP, and TS
CR0 Flags x87 FPU Instruction Type
EM MP TS Floating-Point WAIT/FWAIT
0 0 0 Execute Execute. 0 0 1 #NM Exception Execute. 0 1 0 Execute Execute. 0 1 1 #NM Exception #NM exception. 1 0 0 #NM Exception Execute. 1 0 1 #NM Exception Execute. 1 1 0 #NM Exception Execute. 1 1 1 #NM Exception #NM exception.
EM Emulation (bit 2 of CR0) — Indicates that the processor does not have an internal or
external x87 FPU when set; indicates an x87 FPU is present when clear. This flag also affects the execution of MMX/SSE/SSE2/SSE3 instructions.
When the EM flag is set, execution of an x87 FPU instruction generates a device-not­available exception (#NM). This flag must be set when the processor does not have an interna l x87 FPU or is not connected to an external math coprocessor . Setting this flag forces all floating-point instructions to be handled by software emulation. Table 9-2 shows the recommended setting of this flag, depending on the IA-32 processor and x87
2-20 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
FPU or math coprocessor present in the system. Table 2-1 shows the interaction of the
EM, MP, and TS flags.
Also, when the EM flag is set, execution of an MMX instruction causes an invalid-
opcode exception (#UD) to be generated (see Table 11-1). Thus, if an IA-32 processor
incorporates MMX technology, the EM flag must be set to 0 to enable execution of
MMX instructions.
Similarly for SSE/SSE2/SSE3 extensions, when the EM flag is set, execution of most
SSE/SSE2/SSE3 instructions causes an invalid opcode exception (#UD) to be gener-
ated (see Table 12-1). If an IA-32 processor incorporates the SSE/SSE2/SSE3 exten-
sions, the EM flag must be set to 0 to enable execution of these extensions.
SSE/SSE2/SSE3 instructions not affected by the EM flag include: PAUSE,
PREFETCHh, SFENCE, LFENCE, MFENCE, MOVNTI, and CLFLUSH.
MP Monitor Coprocessor (bit 1 of CR0). — Controls the interaction of the WAIT (or
FWAIT) instruction wit h the TS flag (bit 3 of CR0). If the MP flag is set, a WAIT
instruction generates a device-not-available exception (#NM) if the TS flag is also set.
If the MP flag is clear, the WAIT instruction ignores the setting of the TS flag. Table 9-2
shows the recommended setting of this flag, depending on the IA-32 processor and x87
FPU or math coprocessor present in the system. Table 2-1 shows the interaction of the
MP, EM, and TS flags.
PE Protection Enable (bit 0 of CR0) — Enables protected mode when set; enables real-
address mode when clear. This flag does not enable paging directly. It only enables
segment-level protection. To enable paging, both the PE and PG flags must be set.
See also: Section 9.9, “Mode Switching.”
PCD Page-level Cache Disable (bit 4 of CR3) — Controls caching of the current page
directory. When the PCD flag is set, caching of the page-directory is prevented; when the flag is clear, the page-directory can be cached. This flag affects only the processor’ s internal caches (both L1 and L2, when present). The processor ignores this flag if paging is not used (the PG flag in register CR0 is clear) or the CD (cache disable) flag in CR0 is set.
See also: Chapter 10, “Memory Cache Control” (for more about the use of the PCD
flag) and Section 3.7.6, “Page-Directory and Page-Table Entries” (for a description of
a companion PCD flag in page-directory and page-table entries).
PWT Page-level Writes T ransparent (bit 3 of CR3) — Controls the write-through or write-
back caching policy of the current page directory. When the PWT flag is set, write-
through caching is enabled; when the flag is clear, write-back caching is enabled. This
flag affects only internal caches (both L1 and L2, when present). The processor ignores
this flag if paging is not used (the PG flag in register CR0 is clear) or the CD (cache
disable) flag in CR0 is set.
See also: Section 10.5, “Cache Control” (for more information about the use of this
flag), and Section 3.7.6, “Page-Directory and Page-T able Entries” (for a description of
a companion PCD flag in the page-directory and page-table entries).
Vol. 3A 2-21
SYSTEM ARCHITECTURE OVERVIEW
VME Virtual-8086 Mode Extensions (bit 0 of CR4) — Enables interrupt- and exception-
handling extensions in virtual-8086 mode when set; disables the extensions when clear. Use of the virtual mode extensions can improve the performance of virtual-8086 appli­cations by eliminating the overhead of calling the virtual-8086 monitor to handle inter­rupts and exceptions that occur while executing an 8086 program and, instead, redirecting the interrupts and exceptions back to the 8086 program’s handlers. It also provides hardware support for a virtual interrupt flag (VIF) to impro ve reliability of running 8086 programs in multitasking and multiple-processor environments.
See also: Section 15.3, “Interrupt and Exception Handling in Virtual-8086 Mode.”
PVI Protected-Mode Virtual Interrupts (bit 1 of CR4) — Enables hardware support for
a virtual interrupt flag (VIF) in protected mode when set; disables the VIF flag in protected mode when clear.
See also: Section 15.4, “Protected-Mode Virtual Interrupts.”
TSD Time Stamp Disable (bit 2 of CR4) — Restricts the execution of the RDTSC instruc-
tion to procedures running at privilege level 0 when set; allows RDTSC instruction to be executed at any privilege level when clear.
DE Debugging Extensions (bit 3 of CR4) — References to debug registers DR4 and DR5
cause an undefined opcode (#UD) exception to be generated when set; when clear, processor aliases references to registers DR4 and DR5 for compatibility with software written to run on earlier IA-32 processors.
See also: Section 18.2.2, “Debug Registers DR4 and DR5.”
PSE Page Size Extensions (bit 4 o f CR4) — Enables 4-MByte pages when set; restricts
pages to 4 KBytes when clear.
See also: Section 3.6.1, “Paging Options.”
PAE Physical Address Extension (bit 5 of CR4) — When set, enables paging mechanism
to reference greater-or-equal-than-36-bit physical addresses. When clear, restricts physical addresses to 32 bits. PAE must be enabled to enable IA-32e mode operation. Enabling and disabling IA-32e mode operation also requires modifying CR4.PAE.
See also: Section 3.8, “36-Bit Physical Addressing Using the PAE Paging Mechanism.”
MCE Machine-Check Enable (bit 6 of CR4) — Enables the machine-check exception
when set; disables the machine-check exception when clear.
See also: Chapter 14, “Machine-Check Architecture.”
PGE Page Global Enable (bit 7 of CR4) — (Introduced in the P6 family processors.)
Enables the global page feature when set; disables the global page feature when clear. The global page feature allows frequently used or shared pages to be marked as global to all users (done with the global flag, bit 8, in a page-directory or page-table entry). Global pages are not flushed from the translation-lookaside buffer (TLB) on a task switch or a write to register CR3.
2-22 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
When enabling the global page feature, paging must be enabled (by setting the PG flag
in control register CR0) before the PGE flag is set. Reversing this sequence may affect
program correctness, and processor performance will be impacted.
See also: Section 3.12, “Translation Lookaside Buffers (TLBs).”
PCE Performance-Monitoring Counter Enable (bit 8 of CR4) — Enables execution of
the RDPMC instruction for programs or procedures running at any protection level
when set; RDPMC instruction can be executed only at protection level 0 when clear.
OSFXSR
Operating System Support for FXSAVE and FXRSTOR instructions (bit 9 of
CR4) — When set, this flag: (1) indicates to software that the operating system
supports the use of the FXSAVE and FXRSTOR instructions, (2) enables the FXSAVE
and FXRSTOR instructions to save and restore the contents of the XMM and MXCSR
registers along with the contents of the x87 FPU and MMX registers, and (3) enables
the processor to execute SSE/SSE2/SSE3 instructions, with the exception of the
PAUSE, PREFETCHh, SFENCE, LFENCE, MFENCE, MOVNTI, and CLFLUSH.
If this flag is clear, the FXSAVE and FXRSTOR instructions will save and restore the
contents of the x87 FPU and MMX instructions, but they may not save and restore the
contents of the XMM and MXCSR registers. Also, the processor will generate an
invalid opcode exception (#UD) if it attempts to execute any SSE/SSE2/SSE3 instruc-
tion, with the exception of PA USE, PREFETCHh, SFENCE, LFENCE, MFENCE,
MOVNTI, and CLFLUSH. The operating system or executive must explicitly set this
flag.
NOTE
CPUID feature flags FXSR, SSE, SSE2, and SSE3 indi cate availability of the FXSAVE/FXRESTOR instructions, SSE extensions, SSE2 extensions, and SSE3 extensions respectively. The OSFXSR bit provides operating system software with a means of enabling these features and indicating that the operating system supports the features.
OSXMMEXCPT
Operating System Support for Unmasked SIMD Floating-Point Exceptions (bit 10
of CR4) — When set, indicates that the operating system supports the handling of
unmasked SIMD floating-point exceptions through an exception handler that is invoked
when a SIMD floating-point exception (#XF) is generated. SIMD floating-point excep-
tions are only generated by SSE/SSE2/SSE3 SIMD floating-point instructions.
The operating system or executive must explicitly set this flag. If this flag is not set, the
processor will generate an invalid opcode exception (#UD) whenever it detects an
unmasked SIMD floating-point exception.
TPL Task Priority Level (bit 3:0 of CR8) — This sets the threshold value corresponding
to the highest-priority interrupt to be blocked. A value of 0 means all interrupts are
enabled. This field is available in 64-bit mode. A value of 15 means al l interrupts will
be disabled.
Vol. 3A 2-23
SYSTEM ARCHITECTURE OVERVIEW

2.5.1 CPUID Qualification of Control Register Flags

The VME, PVI, TSD, DE, PSE, PAE, MCE, PGE, PCE, OSFXSR, and OSXMMEXCPT flags in control register CR4 are model specific. All of these flags (except the PCE flag) can be qual­ified with the CPUID instruction to determine if they are implemented on the processor before they are used.
The CR8 register is available on processors that support Intel EM64T . Support for Intel EM64T can determined using CPUID.

2.6 SYSTEM INSTRUCTION SUMMARY

System instructions handle system-level functions such as loading system registers, managing the cache, managing interrupts, or setting up the debug registers. Many of these instructions can be executed only by operating-system or executive procedures (th at is, procedures running at privilege level 0). Others can be executed at any privilege level and are thus available to appli­cation programs.
Table 2-2 lists the system instructions and indicates whether they are available and useful for application programs. These instructions are described in Chapter 3 and Chapter 4 of the IA-32
Intel® Architecture Software Developer’s Manual, Volumes 2A & 2B.
Table 2-2. Summary of System Instructions
Instruction Description
LLDT Load LDT Register No Yes SLDT Store LDT Register No No LGDT Load GDT Register No Yes SGDT Store GDT Register No No LTR Load Task Register No Yes STR Store Task Register No No LIDT Load IDT Register No Yes SIDT Store IDT Register No No MOV CRn Load and store control registers No Yes SMSW Store MSW Yes No LMSW Load MSW No Yes CLTS Clear TS flag in CR0 No Yes ARPL Adjust RPL Yes LAR Load Access Rights Yes No LSL Load Segment Limit Yes No VERR Verify for Reading Yes No VERW Verify for Writing Yes No
Useful to Application?
1, 5
Protected from Application?
No
2-24 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
Table 2-2. Summary of System Instructions (Contd.)
Instruction Description
MOV DRn Load and store debug registers No Yes INVD Invalidate cache, no writeback No Yes WBINVD Invalidate cache, with writeback No Yes INVLPG Invalidate TLB entry No Yes HLT Halt Processor No Yes LOCK (Prefix) Bus Lock Yes No RSM Return from system management mode No Yes
3
RDMSR WRMSR RDPMC RDTSC
NOTES:
1. Useful to application programs running at a CPL of 1 or 2.
2. The TS D and PCE flags in control register CR4 control access to these instructions by application
3. These instructions were introduced into the IA-32 Architecture with the Pentium processor.
4. This instruction was introduced into the IA-32 Architecture with the Pentium Pro processor and the
5. This instruction is not supported in 64-bit mode.
3
4
3
programs running at a CPL of 3.
Pentium processor with MMX technology.
Read Model-Specific Registers No Yes Write Model-Specific Registers No Yes Read Performance-Monitoring Counter Yes Yes Read Time-Stamp Counter Yes Yes
Useful to Application?
Protected from Application?
2
2

2.6.1 Loading and Storing System Registers

The GDTR, LDTR, IDTR, and TR registers each have a load and store instruction for loading data into and storing data from the register:
LGDT (Load GDTR Register) — Load s the GDT base address and limit from memory
into the GDTR register.
SGDT (Store GDTR Register) — Stores the GDT base address and limit from the GDTR
register into memory.
LIDT (Load IDTR Register) — Loads the IDT b ase address and limit from memory into
the IDTR register.
SIDT (Load IDTR Register — Stores the IDT base address and limit from the IDTR
register into memory.
LLDT (Load LDT Register) — Loads the LDT segment selector and segment descriptor
from memory into the LDTR. (The segment selector operand can also be located in a general-purpose register.)
Vol. 3A 2-25
SYSTEM ARCHITECTURE OVERVIEW
SLDT (Store LDT Register) — Stores the LDT segment selector from the LDTR register
into memory or a general-purpose register.
LTR (Load Task Register) — Loads segment selector and segment descriptor for a TSS
from memory into the task register. (The segment selector operand can also be located in a general-purpose register.)
STR (Store Task Regist er) — Stores the segment selector for the current task TSS from
the task register into memory or a general-purpose register.
The LMSW (load machine status word) and SMSW (store machine status word) instructions operate on bits 0 through 15 of control register CR0. These instructions are provided for compat­ibility with the 16-bit Intel 286 processor. Programs written to run on 32-bit IA-32 processors should not use these instructions. Instead, they should access the control register CR0 using the MOV instruction.
The CLTS (clear TS flag in CR0) instruction is provided for use in handling a device-not-avail­able exception (#NM) that occurs when the processor attempts to execute a floating-point instruction when the TS flag is set. This instruction allows the TS flag to be cleared after the x87 FPU context has been saved, preventing further #NM exceptions. See Section 2.5, “Control Registers,” for more information on the TS flag.
The control registers (CR0, CR1, CR2, CR3, CR4, and CR8) are loaded using the MOV instruc­tion. The instruction loads a control register from a general-purpose register or stores the content of a control register in a general-purpose register.

2.6.2 Verifying of Access Privileges

The processor provides several instructions for examining segment selectors and segment descriptors to determine if access to their associated segments is allowed. These instructions duplicate some of the automatic access rights and type checking done by the processor, thus allowing operating-system or executive software to prevent exceptions from being generate d.
The ARPL (adjust RPL) instruction adjusts the RPL (requestor privilege level) of a segment selector to match that of the program or procedure that supplied the segment selector. See Section 4.10.4, “Checking Caller Access Privileges (ARPL Instruction),” fo r a detailed expla­nation of the function and use of this instruction. Not e that ARPL is not supported in 64-bit mode.
The LAR (load access rights) instruction verifies the accessibility of a specified segment and loads access rights information from the segment’s segment descriptor into a general-purpose register. Software can then examine the access rights to determine if the segment type is compat­ible with its intended use. See Section 4.10.1, “Checking Access Rights (LAR Instruction),” for a detailed explanation of the function and use of this instruction.
The LSL (load segment limit) instruction verifies the accessibility of a specified segment and loads the segment limit from the segment’s segment descriptor into a general-purpose register. Software can then compare the segment limit with an offset into the segment to determine whether the offset lies within the segment. See Section 4.10.3, “Checking That the Pointer
2-26 Vol. 3A
SYSTEM ARCHITECTURE OVERVIEW
Offset Is Within Limits (LSL Instruction),” for a detailed explanation of the function and use of this instruction.
The VERR (verify for reading) and VERW (verify for writing) instructions verify if a selected segment is readable or writable, respectively, at a given CPL. See Section 4.10.2, “Checking Read/Write Rights (VERR and VERW Instructions),” for a detailed explanation of the function and use of this instruction.

2.6.3 Loading and Storing Debug Registers

Internal debugging facilities in the processor are controlled by a set of 8 debug registers (DR0-DR7). The MOV instruction allows setup data to be loaded to and stored from these registers.
On processors that support Intel EM64T, debug registers DR0-DR7 are 64 bits. In 32-bit modes and compatibility mode, writes to a debug register fill the upper 32 bits with zeros. Reads return the lower 32 bits. In 64-bit mode, the upper 32 bits of DR6-DR7 are reserved and must be written with zeros. Writing one to any of the upper 32 bits causes an exception, #GP(0).
In 64-bit mode, MOV DRn instructions read or write all 64 bits of a debug register (operand­size prefixes are ignored). All 64 bits of DR0-DR3 are writable by software. However, MOV DRn instructions do not check that addresses written to DR0-DR3 are in the limits of the implementation. Address matching is supported only on valid addresses generated by the processor implementation.

2.6.4 Invalidating Caches and TLBs

The processor provides several instructions for use in explicitly invalidating its caches and TLB entries. The INVD (invalidate cache with no writeback) instruction invalidates all data and instruction entries in the internal caches and sends a signal to the external caches indicating that they should be also be invalidated.
The WBINVD (invalidate cache with writeback) instruction performs the same function as the INVD instruction, except that it writes back modified lines in its internal caches to memory before it invalidates the caches. After invalidating the internal caches, WBINVD signals external caches to write back modified data and invalidate their contents.
The INVLPG (invalidate TLB entry) instruction invalidates (flushes) the TLB entry for a spec­ified page.

2.6.5 Controlling the Processor

The HL T (halt processor) instruction stops the processor until an enabled interrupt (such as NMI or SMI, which are normally enabled), a debug exception, the BINIT# signal, the INIT# signal, or the RESET# signal is received. The processor generates a special bus cycle to indicate that the halt mode has been entered.
Vol. 3A 2-27
SYSTEM ARCHITECTURE OVERVIEW
Hardware may respond to this signal in a number of ways. An indicator light on the front panel may be turned on. An NMI interrupt for recording diagnostic information may be generated. Reset initialization may be invoked (note that the BINIT# pin was introduced with the Pentium Pro processor). If any non-wake events are pending during shutdown, they will be handled after the wake event from shutdown is processed (for example, A20M# interrupts).
The LOCK prefix invokes a locked (atomic) read-modify-write operation when modifying a memory operand. This mechanism is used to allow reliable communications between processors in multiprocessor systems, as described below:
In the Pentium processor and earlier IA-32 processors, the LOCK prefix causes the
processor to assert the LOCK# signal during the instruction. This always causes an explicit bus lock to occur.
In the Pentium 4, Intel Xeon, and P6 family pro cessors, the locking operation is handled
with either a cache lock or bus lock. If a memory access is cacheable and affects only a single cache line, a cache lock is invoked and the system bus and the actual memory location in system memory are not locked during the operation. Here, o ther Pentium 4, Intel Xeon, or P6 family processors on the bus write-back any modified data and invalidate their caches as necessary to maintain system memory coherency. If the memory access is not cacheable and/or it crosses a cache line boundary, the processor’s LOCK# signal is asserted and the processor does not respond to requests for bus control during the locked operation.
The RSM (return from SMM) instruction restores the processor (from a context dump) to the state it was in prior to an system management mode (SMM) interrupt.

2.6.6 Reading Performance-Monitoring and Time-Stamp Counters

The RDPMC (read performance-monitoring counter) and RDTSC (read time-stamp counter) instructions allow application programs to read the processor ’s performance-monitoring and time-stamp counters, respectively. Pentium 4 and Intel Xeon processors have eighteen 40-bit performance-monitoring counters; P6 family processors have two 40-bit counters.
Use these counters to record either the occurrence or duration of events. Events that can be monitored are model specific; they may include the number of instructions decoded, interrupts received, or the number of cache loads. Individual counters can be set up to monitor different events. Use the system instruction WRMSR to set up values in the one of the 45 ESCRs and one of the 18 CCCR MSRs (for Pentium 4 and Intel Xeon processors); or in the PerfEvtSel0 or the PerfEvtSel1 MSR (for the P6 family processors). The RDPMC instruction loads the current count from the selected counter into the EDX:EAX registers.
The time-stamp counter is a model-specific 64-bit counter that is reset to zero each time the processor is reset. If not reset, the counter will increment ~9.5 x 10 the processor is operating at a clock rate of 3GHz. At this clock frequency, it would take over 190 years for the counter to wrap around. The RDTSC instruction loads the current count of the time-stamp counter into the EDX:EAX registers.
2-28 Vol. 3A
16
times per year when
SYSTEM ARCHITECTURE OVERVIEW
See Section 18.10, “Performance Monitoring Overview,” and Section 18.9, “Time-Stamp Counter,” for more information about the performance monitoring and time-stamp counters.
The RDTSC instruction was introduced into the IA-32 architecture with the Pentium processor. The RDPMC instruction was introduced into the IA-32 architecture with the Pentium Pro processor and the Pentium processor with MMX technology. Earlier Pentium processors have two performance-monitoring counters, but they can be read only wit h the RDMSR i nstruction, and only at privilege level 0.
2.6.6.1 Reading Counters in 64-Bit Mode
In 64-bit mode, RDTSC operates the same as in protected mode. The count in the time-stamp counter is stored in EDX:EAX (or RDX[31:0]:RAX[31:0] with RDX[63:32]:RAX[63:32] cleared).
RDPMC requires an index to specify the offset of the performance-monitoring counter. In 64-bit mode for Pentium 4 or Intel Xeon processor families, the index is specified in ECX[30:0]. The current count of the performance-monitoring counter is stored in EDX:EAX (or RDX[31:0]:RAX[31:0] with RDX[63:32]:RAX[63:32] cleared).

2.6.7 Reading and Writing Model-S pecific Registers

The RDMSR (read model-specific register) and WRMSR (write model-specific register) instructions allow a processor’s 64-bit model-specific registers (MSRs) to be read and written, respectively. The MSR to be read or written is specified by the value in the ECX register.
RDMSR reads the value from the specified MSR to the EDX:EAX registers; WRMSR writes the value in the EDX:EAX registers to the specified MSR. RDMSR and WRMSR were intro­duced into the IA-32 architecture with the Pentium processor.
See Section 9.4, “Model-Specific Registers (MSRs),” for more information.
2.6.7.1 Reading and Writing Model-Specific Registers in 64-Bit Mode
RDMSR and WRMSR require an index to specify the address of an MSR. In 64-bit mode, the index is 32 bits; it is specified using ECX.
Vol. 3A 2-29
SYSTEM ARCHITECTURE OVERVIEW
2-30 Vol. 3A
Protected-Mode Memory Management
3
CHAPTER 3
PROTECTED-MODE MEMORY MANAGEMENT
This chapter describes the IA-32 architecture’s protected-mode memory management facilities, including the physical memory requirements, segmentation mechanism, and paging mechanism.
See also: Chapter 4, “Protection” (for a description of the processor’s protection mechanism) and Chapter 15, “8086 Emulation” (for a description of memory ad dressing protection in real­address and virtual-8086 modes).

3.1 MEMORY MANAGEMENT OVERVIEW

The memory management facilities of the IA-32 architecture are divided into two parts: segmen­tation and paging. Segmentation provides a mechanism of isolat ing individual code, data, and stack modules so that multiple programs (or tasks) can run on the same processor without inter­fering with one another. Paging provides a mechanism for implementing a conventional demand-paged, virtual-memory system where sections of a program’s execution environment are mapped into physical memory as needed. Paging can also be used to provide isolation between multiple tasks. When operating in protected mode, some form of segmentation must be used. There is no mode bit to disable segmentation. The use of paging, however, is optional.
These two mechanisms (segmentation and paging) can be configured to supp ort simp le sin gle­program (or single-task) systems, multitasking systems, or multiple-processor systems that used shared memory.
As shown in Figure 3-1, segmentation provides a mechanism for dividing the processor’s addressable memory space (called the linear address space) into smaller protected address spaces called segments. Segments can be used to hold the code, data, and stack for a program or to hold system data structures (such as a TSS or LDT). If more than one program (or task) is running on a processor, each program can be assigned its own set of segments. The processor then enforces the boundaries between these segments and insures that one program does not interfere with the execution of another program by writing into the other program’s segments. The segmentation mechanism also allows typing of segments so that the operations that may be performed on a particular type of segment can be restricted.
All the segments in a system are contained in the processor’s linear address space. To locate a byte in a particular segment, a logical address (also called a far pointer) must be provided. A logical address consists of a segment selector and an offset. The segment selector is a unique identifier for a segment. Among other things it provides an offset into a descriptor table (such as the global descriptor table, GDT) to a data structure called a segment descriptor. Each segment has a segment descriptor, which specifies the size of the segment, the access rights and privilege level for the segment, the segment type, and the location of the first byte of the segment in the linear address space (called the base address of the segment). The offset part of the logical address is added to the base address for the segment to locate a byte within the segment. The base address plus the offset thus forms a linear address in the processor’ s linear address space.
Vol. 3A 3-1
PROTECTED-MODE MEMORY MANAGEMENT
Logical Address
(or Far Pointer)
Segment
Selector
Offset
Linear Address
Space
Global Descriptor
Table (GDT)
Segment
Descriptor
Segment
Base Address
Segment
Page Directory
Lin. Addr.
Page
Segmentation
Dir
Entry
Linear Address
Table Offset
Page Table
Entry
Paging
Physical Address
Space
Page
Phy. Addr.
Figure 3-1. Segmentation and Paging
If paging is not used, the linear address space of the processor is mapped directly into the phys­ical address space of processor. The physical address space is defined as the range of addresses that the processor can generate on its address bus.
Because multitasking computing systems commonly define a linear address space much larger than it is economically feasible to contain all at once in physical memory, some method of “virtualizing” the linear address space is needed. This virtualization of the linear address space is handled through the processor’s paging mechanism.
Paging supports a “virtual memory” environment where a large linear address space is simulated with a small amount of physical memory (RAM and ROM) and some disk storage. When using paging, each segment is divided into pages (typically 4 KBytes each in size), which are stored either in physical memory or on the disk. The operating system or executive maintains a page directory and a set of page tables to keep track of the pages. When a program (or task) attempts to access an address location in the linear address space, the processor uses the page directory and page tables to translate the linear address into a physical address and then performs the requested operation (read or write) on the memory location.
3-2 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
If the page being accessed is not currently in physical memory, the processor interrupts execu­tion of the program (by generating a page-fault exception). The operating system or executive then reads the page into physical memory from the disk and continues executing the program.
When paging is implemented properly in the operating-system or executive, the swapping of pages between physical memory and the disk is transparent to the correct execution of a program. Even programs written for 16-bit IA-32 processors can be paged (transparently) when they are run in virtual-8086 mode.

3.2 USING SEGMENTS

The segmentation mechanism supported by the IA-32 architecture can be used to implement a wide variety of system designs. These designs range from flat models that make only minimal use of segmentation to protect programs to multi-segmented models that employ segmentat ion to create a robust operating environment in which multiple programs and tasks can be executed reliably.
The following sections give several examples of how segmentation can be employed in a system to improve memory management performance and reliability.

3.2.1 Basic Flat Model

The simplest memory model for a system is the basic “flat model,” in which the operating system and application programs have access to a continuous, unsegmented address space. To the greatest extent possible, this basic flat model hides the segmentation mechanism of the archi­tecture from both the system designer and the application programmer.
To implement a basic flat memory model with the IA-32 architecture, at least two segment descriptors must be created, one for referencing a code segment and one for referencing a dat a segment (see Figure 3-2). Both of these segments, however, are mapped to the entire linear address space: that is, both segment descriptors have the same base address value of 0 and the same segment limit of 4 GBytes. By setting the segment limit to 4 GBytes, the segmentation mechanism is kept from generating exceptions for out of limit memory references, even if no physical memory resides at a particular address. ROM (EPROM) is generally located at the top of the physical address space, because the processor begins execution at FFFF_FFF0H. RAM (DRAM) is placed at the bottom of the address space because the initial base address for the DS data segment after reset initialization is 0.

3.2.2 Protected Flat Model

The protected flat model is similar to the basic flat model, except the segment limits are set to include only the range of addresses for which physical memory actually exists (see Figure 3-3). A general-protection exception (#GP) is then generated on any attempt to access nonexistent memory. This model provides a minimum level of hardware protection against some kinds of program bugs.
Vol. 3A 3-3
PROTECTED-MODE MEMORY MANAGEMENT
Segment
Registers
CS SS DS ES FS GS
Code- and Data-Segment
Descriptors
LimitAccess
Base Address
Figure 3-2. Flat Model
Linear Address Space
(or Physical Memory)
Code
Not Present
Data and
Stack
FFFFFFFFH
0
Segment
Registers
CS ES
SS DS FS GS
Segment
Descriptors
LimitAccess
Base Address
LimitAccess
Base Address
Linear Address Space
(or Physical Memory)
Code
Not Present
Memory I/O
Data and
Stack
FFFFFFFFH
0
Figure 3-3. Protected Flat Model
More complexity can be added to this protected flat model to provide more protection. For example, for the paging mechanism to provide isolation between user and supervisor code and data, four segments need to be defined: code and data segments at privilege level 3 for the user, and code and data segments at privilege level 0 for the supervisor. Usually these segments all overlay each other and start at address 0 in the linear address space. This flat segmentation model along with a simple paging structure can protect the operating sys tem from applications, and by adding a separate paging structure for each task or process, it can also protect applica­tions from each other. Similar designs are used by several popular multitasking operating systems.
3-4 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT

3.2.3 Multi-Segment Model

A multi-segment model (such as the one shown in Figure 3-4) uses t he full capabilities of the segmentation mechanism to provided hardware enforced protection of code, data structures, and programs and tasks. Here, each program (or task) is given its own table of segment descriptors and its own segments. The segments can be completely private to their assigned programs or shared among programs. Access to all segments and to the execution environments of individual programs running on the system is controlled by hardware.
Segment
Registers
CS
SS
DS
ES
FS
GS
Segment
Descriptors
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
LimitAccess
Base Address
Linear Address Space
(or Physical Memory)
Stack
Code
Data
Data
Data
Data
Figure 3-4. Multi-Segment Model
Access checks can be used to protect not only against referencing an address outside the limit of a segment, but also against performing disallowed operations in certain segments. For example, since code segments are designated as read-only segments, hardware can be used to prevent writes into code segments. The access rights information created for segments can also be used to set up protection rings or levels. Protection levels can be used to protect operating­system procedures from unauthorized access by application programs.
Vol. 3A 3-5
PROTECTED-MODE MEMORY MANAGEMENT

3.2.4 Segmentation in IA-32e Mode

In IA-32e mode, the effects of segmentation depend on whether the processor is running in compatibility mode or 64-bit mode. In compatibility mode, segmentatio n functions just as it does using legacy 16-bit or 32-bit protected mode semantics.
In 64-bit mode, segmentation is generally (but not completely) disabled, creating a flat 64-bit linear-address space. The processor treats the segment base of CS, DS, ES, SS as zero, creating a linear address that is equal to the effective address. The FS and GS segments are exceptions. These segment registers (which hold the segment base) can be used as an additional base regis­ters in linear address calculations. They facilitate addressing local data and certain operating system data structures.
Note that the processor does not perform segment limit checks at runtime in 64-bit mode.

3.2.5 Paging and Segmentation

Paging can be used with any of the segmentation models described in Figures 3-2, 3-3, and 3-4. The processor’s paging mechanism divides the linear address space (into which segments are mapped) into pages (as shown in Figure 3-1). These linear-address-space pages are then mapped to pages in the physical address space. The paging mechanism offers several page-level protec­tion facilities that can be used with or instead of the segment-protection facilities. For example, it lets read-write protection be enforced on a page-by-page basis. The paging mechanism also provides two-level user-supervisor protection that can also be specified on a page-by-page basis.

3.3 PHYSICAL ADDRESS SPACE

In protected mode, the IA-32 architecture provides a normal physical address space of 4 GBytes
32
(2
bytes). This is the address space that the processor can address on its address bus. This
address space is flat (unsegmented), with addresses ranging continuously from 0 to FFFFFFFFH. This physical address space can be mapped to read-write memory, read-only memory, and memory mapped I/O. The memory mapping facilities described in this chapter can be used to divide this physical memory up into segments and/or pages.
Starting with the Pentium Pro processor, the IA-32 architecture also supports an extension of the physical address space to 2
36
bytes (64 GBytes); with a maximum physical address of
FFFFFFFFFH. This extension is invoked in either of two ways:
Using the physical address extension (PAE) flag, located in bit 5 of control register CR4.
Using the 36-bit page size extension (PSE-36) feature (introduced in the Pentium III
processors).
See Section 3.8, “36-Bit Physical Addressing Using the P AE Paging Mechanism” and Section 3.9, “36-Bit Physical Addressing Using the PSE-36 Paging Mechanism” for more information about 36-bit physical addressing.
3-6 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT

3.3.1 Physical Address Space for Processors with Intel® EM64T

On processors that support Intel EM64T (CPUID.80000001.EDX[29] = 1), the size of physical address range is implementation-specific and indicat ed by CPUID.80000001H. The physical address size supported by a given implementation is available to IA-32e mode and enhanced legacy PAE paging.
See also: Section 3.8.1, “Enhanced Legacy PAE Paging”.

3.4 LOGICAL AND LINEAR ADDRESSES

At the system-architecture level in protected mode, the processor uses two stages of address translation to arrive at a physical address: logical-address translation and linear address space paging.
Even with the minimum use of segments, every byte in the processor’s address space is accessed with a logical address. A logical address consists of a 16-bit segment selector and a 32-bit offset (see Figure 3-5). The segment selector identifies the segment the byte is located in and the offset specifies the location of the byte in the segment relative to the base address of the segment.
The processor translates every logical address into a linear address. A linear address is a 32-bit address in the processor’s linear address space. Like the physical address space, the linear address space is a flat (unsegmented), 2 FFFFFFFFH. The linear address space contains all the segments and system tables defined for a system.
To translate a logical address into a linear address, the processor does the following:
32
-byte address space, with addresses ranging from 0 to
1. Uses the offset in the segment selector to locate the segment descriptor for the segment in the GDT or LDT and reads it into the processor. (This step is needed only when a new segment selector is loaded into a segment register.)
2. Examines the segment descriptor to check the access rights and range of the segment to insure that the segment is accessible and that the offset is within the limits of the segment.
3. Adds the base address of the segment from the segment descriptor to the offset to form a linear address.
Vol. 3A 3-7
PROTECTED-MODE MEMORY MANAGEMENT
Logical
Address
Figure 3-5. Logical Address to Linear Address Translation
Seg. Selector
015
Descriptor Table
Segment Descriptor
31(63)
Offset (Effective Address)
Base Address
Linear Address
+
0
031(63)
If paging is not used, the processor maps the linear address directly to a physical address (that is, the linear address goes out on the processor’s address bus). If the linear address space is paged, a second level of address translation is used to translate the linear address into a physical address.
See also: Section 3.6, “Paging (Virtual Memory) Overview”.

3.4.1 Logical Address Translation in IA-32e Mode

In IA-32e mode, the processor uses the steps described above to translate a logical address to a linear address. In 64-bit mode, the offset and base address of the segment are 64-bits instead of 32 bits. The linear address format is also 64 bits wide and is subject to the canonical form requirement.
Each code segment descriptor provides an L bit. This bit allows a code segment to execute 64-bit code or legacy 32-bit code by code segment.

3.4.2 Segment Selectors

A segment selector is a 16-bit identifier for a segment (see Figure 3-6). It does not point directly to the segment, but instead points to the segment descriptor that defines the segment. A segment selector contains the following items:
Index (Bits 3 through 15) — Selects one of 8192 descriptors in the GDT or LDT. The
processor multiplies the index value by 8 (the number of bytes in a segment descriptor) and adds the result to the base address of the GDT or LDT (from the GDTR or LDTR register, respectively).
3-8 Vol. 3A
TI (table indicator) flag
(Bit 2) — Specifies the descriptor table to use: clearing this flag selects the GDT; setting this flag selects the current LDT.
PROTECTED-MODE MEMORY MANAGEMENT
15
Index
Table Indicator 0 = GDT 1 = LDT
Requested Privilege Level (RPL)
Figure 3-6. Segment Selector
1
3
0
2
T
RPL
I
Requested Privilege Level (RPL)
(Bits 0 and 1) — Specifies the privilege level of the selector. The privilege level can range from 0 to 3, with 0 being the most privileged level. See Section 4.5, “Privilege Levels”, for a description of the relationship of the RPL to the CPL of the executing program (or task) and the descripto r privileg e level (DPL) of the descriptor the segment selector points to.
The first entry of the GDT is not used by the processor. A segment selector that points to this entry of the GDT (that is, a segment selector with an index of 0 and the TI flag set to 0) is used as a “null segment selector.” The processor does not generate an exception when a segment register (other than the CS or SS registers) is loaded with a null selector. It does, however, generate an exception when a segment register holding a null selector is used to access memory. A null selector can be used to initialize unused segment registers. Loading the CS or SS register with a null segment selector causes a general-protection exception (#GP) to be generated.
Segment selectors are visible to application programs as part of a pointer variable, but the values of selectors are usually assigned or modified by link editors or linking loaders, not ap plication programs.

3.4.3 Segment Registers

To reduce address translation time and coding complexity, the processor provides registers for holding up to 6 segment selectors (see Figure 3-7). Each of these segment registers support a specific kind of memory reference (code, stack, or data). For virtually any kind of program execution to take place, at least the code-segment (CS), data-segment (DS), and stack-segment (SS) registers must be loaded with valid segment selectors. The processor also provides three additional data-segment registers (ES, FS, and GS), which can be used to make additional data segments available to the currently executing program (or task).
For a program to access a segment, the segment selector for the segment must have been loaded in one of the segment registers. So, although a system can define thousands of segments, only 6
Vol. 3A 3-9
PROTECTED-MODE MEMORY MANAGEMENT
can be available for immediate use. Other segments can be made available by loading their segment selectors into these registers during program execution.
Visible Part Hidden Part
Segment Selector Base Address, Limit, Access Information
Figure 3-7. Segment Registers
CS SS DS
ES FS GS
Every segment register has a “visible” part and a “hidden” part. (The hidden part is sometimes referred to as a “descriptor cache” or a “shadow register.”) When a segment selector is loaded into the visible part of a segment register, the processor also loads the hidden part of the segment register with the base address, segment limit, and access control information from the segment descriptor pointed to by the segment selector. The information cached in the segment register (visible and hidden) allows the processor to translate addresses without taking extra bus cycles to read the base address and limit from the segment descriptor. In systems in which multiple processors have access to the same descriptor tables, it is the responsibility of software to reload the segment registers when the descriptor tables are modified. If this is not done, an old segment descriptor cached in a segment register might be used after its memory-resident version has been modified.
T wo kinds of load instructions are provided for loading the segment registers:
1. Direct load instructions such as the MOV, POP, LDS, LES, LSS, LGS, and LFS instruc­tions. These instructions explicitly reference the segment registers.
2. Im plied load instructions such as the far pointer versions of the CALL, JMP, and RET instructions, the SYSENTER and SYSEXIT instructions, and the IRET, INTn, INTO and INT3 instructions. These instructions change the contents of the CS register (and sometimes other segment registers) as an incidental part of their operation.
The MOV instruction can also be used to store visible part of a segment register in a general­purpose register.
3-10 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT

3.4.4 Segment Loading Instructions in IA-32e Mode

Because ES, DS, and SS segment registers are not used in 64-bit mode, their fields (base, limit, and attribute) in segment descriptor registers are ignored. Some forms of segment load instruc­tions are also invalid (for example, LDS, POP ES). Address calculations that reference the ES, DS, or SS segments are treated as if the segment base is zero.
The processor checks that all linear-address references are in canonical form instead of performing limit checks. Mode switching does not change the contents of the segment registers or the associated descriptor registers. These registers are also not changed during 64-bit mode execution, unless explicit segment loads are performed.
In order to set up compatibility mode for an application, segment-load instructions (MOV to Sreg, POP Sreg) work normally in 64-bit mode. An entry is read from the system descriptor table (GDT or LDT) and is loaded in the hidden portion of the segment descriptor register. The descriptor-register base, limit, and attribute fields are all loaded. However, the contents of the data and stack segment selector and the descriptor registers are ignored.
When FS and GS segment overrides are used in 64-bit mode, their respective base addresses are used in the linear address calculation: (FS or GS).base + index + displacement. FS.base and GS.base are then expanded to the full linear-address size supported by the implementation. The resulting effective address calculation can wrap across positive and negative addresses; the resulting linear address must be canonical.
In 64-bit mode, memory accesses using FS-segment and GS-segment overrides are not checked for a runtime limit nor subjected to attribute-checking. Normal segment loads (MOV to Sreg and POP Sreg) into FS and GS load a standard 32-bit base value in the hidden portion of the segment descriptor register. The base address bits above the standard 32 bits are cleared to 0 to allow consistency for implementations that use less than 64 bits.
The hidden descriptor register fields for FS.base and GS.base are physically mapped to MSRs in order to load all address bits supported by a 64-bit implementation. Software with CPL = 0 (privileged software) can load all supported linear-address bits into FS.base or GS.base using WRMSR. Addresses written into the 64-bit FS.base and GS.base registers must be in canonical form. A WRMSR instruction that attempts to wr ite a non-canonical address to those registers causes a #GP fault.
When in compatibility mode, FS and GS overrides operate as defined by 32-bit mode behavior regardless of the value loaded into the upper 32 linear-address bits of the hidden descriptor register base field. Compatibility mode ignores the upper 32 bits when calculating an effective address.
A new 64-bit mode instruction, SWAPGS, can be used to load GS base. SWAPGS exchanges the kernel data structure pointer from the IA32_KernelGSbase MSR with the GS base regi ster. The kernel can then use the GS prefix on normal memory references to access the kernel data structures. An attempt to write a non-canonical value (using WRMSR) to the IA32_KernelGSBase MSR causes a #GP fault.
Vol. 3A 3-11
PROTECTED-MODE MEMORY MANAGEMENT

3.4.5 Segment Descriptors

A segment descriptor is a data structure in a GDT or LDT that provides the processor with the size and location of a segment, as well as access control and status information. Segment descriptors are typically created by compilers, linkers, loaders, or the operating system or exec­utive, but not application programs. Figure 3-8 illustrates the general descriptor fo rmat for all types of segment descriptors.
31
Base 31:24
31
Base Address 15:00
242322
G
21 20 19 16
D
A
L
/
V
B
19:16
L
Seg. Limit
151314 12
P
16
15
11
D
TypeS
P L
Segment Limit 15:00
L — 64-bit code segment (IA-32e mode only) AVL —Available for use by system software
BASE — Segment base address D/B — Default operation size (0 = 16-bit segment; 1 = 32-bit segment) DPL — Descriptor privilege level
G — Granularity
LIMIT — Segment Limit
P — Segment present
S — Descriptor type (0 = system; 1 = code or data) TYPE — Segment type
Figure 3-8. Segment Descriptor
The flags and fields in a segment descriptor are as follows:
Segment limit field
Specifies the size of the segment. The processor puts together the two segment limit fields to form a 20-bit value. The processor interprets the segment limit in one of two ways, depending on the setting of the G (granularity) flag:
8
7
Base 23:16
0
4
0
0
3-12 Vol. 3A
If the granularity flag is clear, the segment size can range from 1 byte to 1 MByte, in byte increments.
If the granularity flag is set, the segment size can range from 4 KBytes to 4 GBytes, in 4-KByte increments.
The processor uses the segment limit in two different ways, depending on whether the segment is an expand-up or an expand-down segment. See Section
3.4.5.1, “Code- and Data-Segment Descriptor Types”, for more information
about segment types. For expand-up segments, the offset in a logical address can range from 0 to the segment limit. Offsets greater than the segment limit generate general-protection exceptions (#GP). For expand-down segments, the
PROTECTED-MODE MEMORY MANAGEMENT
segment limit has the reverse function; the offset can range from the segment limit to FFFFFFFFH or FFFFH, depending on the setting of the B flag. Offsets less than the segment limit generate general-protection exceptions. Decreasing the value in the segment limit field for an expand-down segment allocates new memory at the bottom of the segment's address space, rather than at the top. IA-32 architecture stacks always grow downwards, making this mechanism convenient for expandable stacks.
Base address fields
Defines the location of byte 0 of the segment within the 4-GByte linear address space. The processor puts together the three base address fields to form a single 32-bit value. Segment base addresses should be aligned to 16-byte boundaries. Although 16-byte alignment is not required, this alignment allows programs to maximize performance by aligning code and data on 16-byte boundaries.
Type field Indicates the segment or gate type and specifies the kinds of access that can be
made to the segment and the direction of growth. The interpretation of this field depends on whether the descriptor type flag specifies an application (code or data) descriptor or a system descriptor. The encoding of the type field is different for code, data, and system descriptors (see Figure 4-1). See Section
3.4.5.1, “Code- and Data-Segment Descriptor Types”, for a description of how this field is used to specify code and data-segment types.
S (descriptor type) flag
Specifies whether the segment descriptor is for a system segment (S flag is clear) or a code or data segment (S flag is set).
DPL (descriptor privilege level) field
Specifies the privilege level of the segment. The privilege level can range from 0 to 3, with 0 being the most privileged level. The DPL is used to control access to the segment. See Section 4.5, “Privilege Levels”, for a description of the relationship of the DPL to the CPL of the executing code segment and the RPL of a segment selector.
P (segment-present) flag
Indicates whether the segment is present in memory (set) or not present (clear). If this flag is clear, the processor generates a segment-not-present exception (#NP) when a segment selector that points to the segment descriptor is loaded into a segment register. Memory management software can use this flag to control which segments are actually loaded into physical memory at a given time. It offers a control in addition to paging for managing virtual memory.
Figure 3-9 shows the format of a segment descriptor when the segment-present flag is clear. When this flag is clear, the operating system or executive is free to use the locations marked “Available” to store its own data, such as informa­tion regarding the whereabouts of the missing segment.
D/B (default operation size/default stack pointer size and/or upper bound) flag
Performs different functions depending on whether the segment descriptor is an executable code segment, an expand-down data segment, or a stack
Vol. 3A 3-13
PROTECTED-MODE MEMORY MANAGEMENT
segment. (This flag should always be set to 1 for 32-bit code and data segments and to 0 for 16-bit code and data segments.)
Executable code segment. The flag is called the D flag and it indicates the default length for effective addresses and operands referenced by instruc­tions in the segment. If the flag is set, 32-bit addresses and 32-bit or 8-bit operands are assumed; if it is clear, 16-bit addresses and 16-bit or 8-bit operands are assumed. The instruction prefix 66H can be used to select an operand size other than the default, and the prefix 67H can be used select an address size other than the default.
Stack segment (data segment pointed to by the SS register). The flag is called the B (big) flag and it specifies the size of the stack pointer used for implicit stack operations (such as pushes, pops, and calls). If the flag is set, a 32-bit stack pointer is used, which is stored in the 32-bit ESP register; if the flag is clear, a 16-bit stack pointer is used, which is stored in the 16-bit SP register. If the stack segment is set up to be an expand-down data segment (described in the next paragraph), the B flag also specifies the upper bound of the stack segment.
Expand-down data segment. The flag is called the B flag and it specifies the upper bound of the segment. If the flag is set, the upper bound is FFFFFFFFH (4 GBytes); if the flag is clear, the upper bound is FFFFH (64 KBytes).
31
31
Figure 3-9. Segment Descriptor When Segment-Present Flag Is Clear
G (granularity) flag
Determines the scaling of the segment limit field. When the granularity flag is clear, the segment limit is interpreted in byte units; when flag is set, the segment limit is interpreted in 4-KByte units. (This flag does not affect the granularity of the base address; it is always byte granular.) When the granu­larity flag is set, the twelve least significant bits of an offset are not tested when checking the offset against the segment limit. For example, when the granu­larity flag is set, a limit of 0 results in valid offsets from 0 to 4095.
3-14 Vol. 3A
Available
16
151314 12
0
Available
11
D P
L
7
8
TypeS
Available
0
4
0
0
PROTECTED-MODE MEMORY MANAGEMENT
L (64-bit code segment) flag
In IA-32e mode, bit 21 of the second doubleword of the segment descriptor indicates whether a code segment contains native 64-bit code. A value of 1 indicates instructions in this code segment are executed in 64-bit mode. A value of 0 indicates the instructions in this code segment are executed in compatibility mode. If L-bit is set, then D-bit must be cleared. When not in IA-32e mode or for non-code segments, bit 21 is reserved and should always be set to 0.
Available and reserved bits
Bit 20 of the second doubleword of the segment descriptor is available for use by system software.
3.4.5.1 Code- and Data-Segment Descriptor Types
When the S (descriptor type) flag in a segment descriptor is set, the descriptor is for either a code or a data segment. The highest order bit of the type field (bit 11 of the second double word of the segment descriptor) then determines whether the descriptor is for a data segment (clear) or a code segment (set).
For data segments, the three low-order bits of the type field (bits 8, 9, and 10) are interpreted as accessed (A), write-enable (W), and expansion-direction (E). See Table 3-1 for a description of the encoding of the bits in the type field for code and data segments. Data segments can be read­only or read/write segments, depending on the setting of the write-enable bit.
T able 3-1. Code- and Data-Segment Types
Type Field Descriptor
Decimal 11 10E9
0
0 1 2 3 4 5 6 7
8
9 10 11 12 13 14 15
0
0
0
0
0
0
0
1
0
1
0
1
0
1
0
CRA
0
1
0
1
0
1
0
1
1
1
1
1
1
1
1
1
W8A
0 0 1 1 0 0 1 1
0 0 1 1 0 0 1 1
Type
0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1
Data Data Data Data Data Data Data Data
Code Code Code Code Code Code Code Code
Read-Only Read-Only, accessed Read/Write Read/Write, accessed Read-Only, expand-down Read-Only, expand-down, accessed Read/Write, expand-down Read/Write, expand-down, accessed
Execute-Only Execute-Only, accessed Execute/Read Execute/Read, accessed Execute-Only, conforming Execute-Only, conforming, accessed Execute/Read-Only, conforming Execute/Read-Only, conforming, accessed
Description
Vol. 3A 3-15
PROTECTED-MODE MEMORY MANAGEMENT
Stack segments are data segments which must be read/write segments. Loading the SS register with a segment selector for a nonwritable data segment generates a general-protection exception (#GP). If the size of a stack segment needs to be changed dynamically , the stack segment can be an expand-down data segment (expansion-direction flag set). Here, dynamically changing the segment limit causes stack space to be added to the bottom of the stack. If the size of a stack segment is intended to remain static, the stack segment may be either an expand-up or expand­down type.
The accessed bit indicates whether the segment has been accessed since the last time the oper­ating-system or executive cleared the bit. The processor sets this bit whenever it loads a segment selector for the segment into a segment register, assuming that the type of memory that contains the segment descriptor supports processor writes. The bit remains set u ntil explicitly cleared. This bit can be used both for virtual memory management and for debugging.
For code segments, the three low-order bits of the type field are interpreted as accessed (A), read enable (R), and conforming (C). Code segments can be execute-only or execute/read, depending on the setting of the read-enable bit. An execute/read segment might be used when constants or other static data have been placed with instruction code in a ROM. Here, data can be read from the code segment either by using an instruction with a CS override prefix or by loading a segment selector for the code segment in a data-segment register (the DS, ES, FS, or GS regis­ters). In protected mode, code segments are not writable.
Code segments can be either conforming or nonconforming. A transfer of execution into a more­privileged conforming segment allows execution to continue at the current privilege level. A transfer into a nonconforming segment at a different privilege level results in a general-protec­tion exception (#GP), unless a call gate or task gate is used (see Section 4.8.1, “Direct Calls or Jumps to Code Segments”, for more information on conforming and nonconforming code segments). System utilities that do not access protected facilities and handlers for some types of exceptions (such as, divide error or overflow) may be loaded in conforming code segments. Util­ities that need to be protected from less privileged programs and procedures should be placed in nonconforming code segments.
NOTE
Execution cannot be transferred by a call or a jump to a less-privileged (numerically higher privilege level) code segment, regardless of whether the target segment is a conforming or nonconforming code segment. Attemptin g such an execution transfer will result in a general-protection exception.
All data segments are nonconforming, meaning that they cannot be accessed by less privileged programs or procedures (code executing at numerically high privilege levels). Unlike code segments, however, data segments can be accessed by more privileged programs or procedures (code executing at numerically lower privilege levels) without using a special access gate.
If the segment descriptors in the GDT or an LDT are placed in ROM, the processor can enter an indefinite loop if software or the processor attempts to update (write to) the ROM-based segment descriptors. To prevent this problem, set the accessed bits for all segment descriptors placed in a ROM. Also, remove operating-system or executive code that attempts to modify segment descriptors located in ROM.
3-16 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT

3.5 SYSTEM DESCRIPTOR TYPES

When the S (descriptor type) flag in a segment descriptor is clear, the descriptor type is a system descriptor. The processor recognizes the following types of system descriptors:
Local descriptor-table (LDT) segment descriptor.
Task-state segment (TSS) descriptor.
Call-gate descriptor.
Interrupt-gate descriptor.
Trap-gate descriptor.
Task-gate descriptor.
These descriptor types fall into two categories: system-segment descriptors and gate descriptors. System-segment descriptors point to system segments (LDT and TSS segments). Gate descrip­tors are in themselves “gates,” which hold pointers to procedure entry points in code segments (call, interrupt, and trap gates) or which hold segment selectors for TSS’s (task gates).
T able 3-2 shows the encoding of the type field for system-segment descriptors and gate descrip­tors. Note that system descriptors in IA-32e mode are 16 bytes instead of 8 bytes.
Table 3-2. System-Segment and Gate-Descriptor Types
Type Field Description
Decimal 11 10 9 8 32-Bit Mode IA-32e Mode
0 0000Reserved Upper 8 byte of an 16-byte
1 000116-bit TSS (Available) Reserved 2 0010LDT LDT 3 001116-bit TSS (Busy) Reserved 4 010016-bit Call Gate Reserved 5 0101Task Gate Reserved 6 011016-bit Interrupt Gate Reserved 7 011116-bit Trap Gate Reserved 8 1000Reserved Reserved
9 100132-bit TSS (Available) 64-bit TSS (Available) 10 1010Reserved Reserved 11 101132-bit TSS (Busy) 64-bit TSS (Busy) 12 110032-bit Call Gate 64-bit Call Gate 13 1101Reserved Reserved 14 111032-bit Interrupt Gate 64-bit Interrupt Gate 15 111132-bit Trap Gate 64-bit Trap Gate
descriptor
Vol. 3A 3-17
PROTECTED-MODE MEMORY MANAGEMENT
See also: Section 3.5.1, “Segment Descriptor Tables”, and Section 6.2.2, “TSS Descriptor” (for more information on the system-segment descriptors); see Section 4.8.3, “Call Gates”, Section 5.11, “IDT Descriptors”, and Section 6.2.5, “Task-Gate Descriptor” (for more infor­mation on the gate descriptors).

3.5.1 Segment Descriptor Tables

A segment descriptor table is an array of segment descriptors (see Figure 3-10). A descriptor table is variable in length and can contain up to 8192 (2
13
) 8-byte descriptors. There are two
kinds of descriptor tables:
The global descriptor table (GDT)
The local descriptor tables (LDT)
T
I
Segment
Selector
Global
Descriptor
Table (GDT)
TI = 0
56
48
40
32
24
16
Local
Descriptor
Table (LDT)
TI = 1
56
48
40
32
24
16
3-18 Vol. 3A
8
First Descriptor in
GDT is Not Used
GDTR Register LDTR Register
Limit
Base Address
0
Base Address
Seg. Sel.
Figure 3-10. Global and Local Descriptor Tables
8
0
Limit
PROTECTED-MODE MEMORY MANAGEMENT
Each system must have one GDT defined, which may be used for all programs and tasks in the system. Optionally, one or more LDTs can be defined. For example, an LDT can be defined for each separate task being run, or some or all tasks can share the same LDT.
The GDT is not a segment itself; instead, it is a data structure in linear address space. The base linear address and limit of the GDT must be loaded into the GDTR register (see Section 2.4, “Memory-Management Registers”). The base addresses of the GDT should be aligned on an eight-byte boundary to yield the best processor performance. The limit value for the GDT is expressed in bytes. As with segments, the limit value is added to the base address to get the address of the last valid byte. A limit value of 0 results in exactly one valid byte. Because segment descriptors are always 8 bytes long, the GDT limit should always be one less than an integral multiple of eight (that is, 8N – 1).
The first descriptor in the GDT is not used by the processor. A segment selector to this “null descriptor” does not generate an exception when loaded into a data-segment register (DS, ES, FS, or GS), but it always generates a general-protection exception (#GP) when an attempt is made to access memory using the descriptor. By initializing the segment registers with this segment selector, accidental reference to unused segment registers can be guaranteed to generate an exception.
The LDT is located in a system segment of the LDT type. The GDT must contain a segment descriptor for the LDT segment. If the system supports multiple LDTs, each must have a sepa­rate segment selector and segment descriptor in the GDT. The segment descriptor for an LDT can be located anywhere in the GDT. See Section 3.5, “System Descriptor Types”, information on the LDT segment-descriptor type.
An LDT is accessed with its segment selector . To eliminate address translations when accessing the LDT , the segment selector , base linear address, limit, and access rights of the LDT are stored in the LDTR register (see Section 2.4, “Memory-Management Registers”).
When the GDTR register is stored (using the SGDT instruction), a 48-bit “pseudo-descriptor” is stored in memory (see top diagram in Figure 3-11). To avo id alignment check faults in user mode (privilege level 3), the pseudo-descriptor should be located at an odd word address (that is, address MOD 4 is equal to 2). This causes the processor to store an aligned word, followed by an aligned doubleword. User-mode programs normally do not store pseudo-descriptors, but the possibility of generating an alignment check fault can be avoided by aligning pseudo­descriptors in this way. The same alignment should be used when storing the IDTR register using the SIDT instruction. When storing the LDTR or task register (using th e SLTR or STR instruction, respectively), the pseudo-descriptor should be located at a doubleword address (that is, address MOD 4 is equal to 0).
47 1516
32-bit Base Address
79 1516
64-bit Base Address
Figure 3-11. Pseudo-Descriptor Formats
Limit
Limit
0
0
Vol. 3A 3-19
PROTECTED-MODE MEMORY MANAGEMENT

3.5.2 Segment Descriptor Tables in IA-32e Mode

In IA-32e mode, a segment descriptor table can contain up to 8192 (213) 8-byte descriptors. An entry in the segment descriptor table can be 8 bytes. System descriptors are expanded to 16 bytes (occupying the space of two entries).
GDTR and LDTR registers are expanded to hold 64-bit base address. The corresponding pseudo-descriptor is 80 bits. (see the bottom diagram in Figure 3-11).
The following system descriptors expand to 16 bytes:
— Call gate descriptors (see Section 4.8.3.1, “IA-32e Mode Call Gates”) — IDT gate descriptors (see Section 5.14.1, “64-Bit Mode IDT”) — LDT and TSS descriptors (see Section 6.2.3, “TSS Descriptor in 64-bit mode”).

3.6 PAGING (VIRTUAL MEMORY) OVERVIEW

When operating in protected mode, IA-32 architecture permits linear address space to be mapped directly into a large physical memory (for example, 4 GBytes of RAM) or indirectly (using paging) into a smaller physical memory and disk storage. This latter method of mapping the linear address space is referred to as virtual memory or demand-paged virtual memory.
When paging is used, the processor divides the linear address space into fixed-size pages (of 4 KBytes, 2 MBytes, or 4 MBytes in length) that can be mapped into physical memory and/or disk storage. When a program (or task) references a logical address in memory, the processor translates the address into a linear address and then uses its paging mechanism to translate the linear address into a corresponding physical address.
If the page containing the linear address is not currently in physical memory, the processor generates a page-fault exception (#PF). The exception handler for the page-fault exception typi­cally directs the operating system or executive to load the page from disk storage into physical memory (perhaps writing a different page from physical memory out to disk in the process). When the page has been loaded in physical memory, a return from the exception handler causes the instruction that generated the exception to be restarted. The information that the processor uses to map linear addresses into the physical address space and to generate page-fault excep­tions (when necessary) is contained in page directories and page tables stored in memory.
Paging is different from segmentation through its use of fixed-size pages. Unlike seg ments, which usually are the same size as the code or data structures they hold, pages have a fixed size. If segmentation is the only form of address translation used, a data structure present in physical memory will have all of its parts in memory. If paging is used, a data structure can be partly in memory and partly in disk storage.
To minimize the number of bus cycles required for address translation, the most recently accessed page-directory and page-table entries are cached in the processor in devices called translation lookaside buffers (TLBs). The TLBs satisfy most requests for reading the current page directory and page tables withou t requi ri ng a bus cycle. Extra bus cycles occur only when the TLBs do not contain a page-table entry, which typically happens when a page has not been
3-20 Vol. 3A
Loading...