Intersil Corporation 80C286 Datasheet

March 1997

/
j

/

/

/

80C286

High Performance Microprocessor

with Memory Management and Protection

[ /Title
(80C28

6)
Sub­ect

(High
Perfor­mance
Micro­proces­sor
with
Mem­ory
Man­age­ment
and
Protec­tion)

Autho

r ()

Key-

words
(Inter­sil
Corpo­ration,
High
Perfor­mance
uP,
micro­proces­sor,
25MH
z, PC,

80286)
Cre-

Features

• Compatible with NMOS 80286

• Wide Range of Clock Rates

- DC to 25MHz (80C286-25)

- DC to 20MHz (80C286-20)

- DC to 16MHz (80C286-16)

- DC to 12.5MHz (80C286-12)

- DC to 10MHz (80C286-10)

• Static CMOS Design for Low Power Operation

- ICCSB = 5mA Maximum

- ICCOP = 185mA Maximum (80C286-10)
220mA Maximum (80C286-12)
260mA Maximum (80C286-16)
310mA Maximum (80C286-20)
410mA Maximum (80C286-25)

• High Performance Processor (Up to 19 Times the 8086
Throughput)

• Large Address Space

• 16 Megabytes Physical/1 Gigabyte Virtual per Task

• Integrated Memory Management, Four-Level Memory
Protection and Support for Virtual Memory and Operat­ing Systems

• Two 80C86 Upward Compatible Operating Modes

- 80C286 Real Address Mode

-PVAM

• Compatible with 80287 Numeric Data Co-Processor

• High Bandwidth Bus Interface (25 Megabyte/Sec)

• Available In

- 68 Pin PGA (Commercial, Industrial, and Military)

- 68 Pin PLCC (Commercial and Industrial)

Description

The Intersil 80C286 is a static CMOS version of the NMOS
80286 microprocessor. The 80C286 is an advanced, high­performance microprocessor with specially optimized capa­bilities for multiple user and multi-tasking systems. The
80C286 has built-in memory protection that supports operat­ing system and task isolation as well as program and data
privacy within tasks. A 25MHz 80C286 provides up to nine­teen times the throughput of a standard 5MHz 8086. The
80C286 includes memory management capabilities that

30

map 2
into 2

The 80C286 is upwardly compatible with 80C86 and 80C88
software (the 80C286 instruction set is a superset of the
80C86/80C88 instruction set). Using the 80C286 real
address mode, the 80C286 is object code compatible with
existing 80C86 and 80C88 software. In protected virtual
address mode, the 80C286 is source code compatible with
80C86 and 80C88 software but may require upgrading to
use virtual address as supported by the 80C286’s integrated
memory management and protection mechanism. Both
modes operate at full 80C286 performance and execute a
superset of the 80C86 and 80C88 instructions.

The 80C286 provides special operations to support the effi­cient implementation and execution of operating systems.
For example, one instruction can end execution of one task,
save its state, switch to a new task, load its state, and start
execution of the new task. The 80C286 also supports vir tual
memory systems by providing a segment-not-present excep­tion and restartable instructions.

(one gigabyte) of virtual address space per task

24

bytes (16 megabytes) of physical memory.

Ordering Information

PACKAGE TEMP. RANGE 10MHz 12.5MHz 16MHz 20MHz 25MHz PKG. NO.

PGA 0oC to +70oC - CG80C286-12 CG80C286-16 CG80C286-20 - G68.B

-40oC to +85oC IG80C286-10 IG80C286-12 - - - G68.B

-55oC to +125oC 5962­9067801MXC

PLCC 0oC to +70oC - CS80C286-12 CS80C286-16 CS80C286-20 CS80C286-25 N68.95

-40oC to +85oC IS80C286-10 IS80C286-12 IS80C286-16 IS80C286-20 - N68.95

5962­9067802MXC

- - - G68.B

CAUTION: These devices are sensitive to electrostatic discharge; follow proper IC Handling Procedures.
http://www.intersil.com or 407-727-9207

| Copyright © Intersil Corporation 1999

3-68

File Number 2947.2

Pinouts

80C286

68 LEAD PGA

Component Pad View - As viewed from underside of the component when mounted on the board.

A0

A2

V

A3

A5

A7

A9

A11

A13

SS

D8

V

D1

D0

35 37

D0

A1

CLK

CC

RESET

A4

A6

A8

A10

A12

36

34

32

30

28

26

24

22

38 40

33

31

29

27

25

23

2120

1918

1517

A15

A12

A16

A14

D9

D2

39 41

1416

A17

A18

D10

D3

42 44

1113

A19

A20

D11

D4

43 45

10

A21

SS

V

D12

D5

46 48

A22

A23

D13

D6

47 49

6812

579

PEACK

S0

D15

D14

ERROR

D7

51

IO

NC

BUSY

NC

NC

V

SS

V

CC

HOLD

COD/INTA

LOCK

PIN 1 INDICATOR

50

55

57

59

61

63

65

67

4

2

13

S1

NC

NC

BHE

ERROR

5253

NC

54

INTR

56

NMI

58

PEREQ

60

READY

62

HLDA

64

66

M/

68

NC

P.C. Board View - As viewed from the component side of the P.C. board.

NC

BUSY

NC

NC

V

SS

V

CC

HOLD

COD/

INTA

LOCK

PIN 1 INDICATOR

ERROR

NC

INTR

NMI

PEREQ

READY

HLDA

M/

NC

68 LEAD PGA

D1

3840

15 17

A15

A16

SS

V

D0

3537

36

33

31

29

27

25

23

21 20

19 18

A12

A14

D0

A1

CLK

RESET

A4

A6

A8

A10

A12

A0

A2

V

A3

A5

A7

A9

A11

A13

CC

34

32

30

28

26

24

22

D15

D14

D13

D12

D11

D10D9D8

ERROR

D7

D6

D5

D4

D3

D2

A21

SS

V

4244

11 13

A19

A20

3941

14 16

A17

A18

4345

50

4

2

13

S1

NC

NC

BHE

4749

4648

10

68 12

579

A22

PEACK

S0

A23

51

52 53

55

54

57

56

59

58

61

60

63

62

65

64

67

66

IO

68

3-69

80C286

Pinouts

(Continued)

68 LEAD PLCC

P.C. Board View - As viewed from the component side of the P.C. board.

INTA

CC

V

READY

HLDA

A10

PEREQ

HOLD

A9A8A7A6A5A4A3

VSSNMINCINTRNCNC

CC

CLK

V

RESET

BUSY

ERROR

3418 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

A2A1A0

NC

D15

51

D7

50

D14

49

D6

48

D13

47

D5

46

D12

45

D4

44

D11

43

D3

42

D10

41

D2

40

D9

39

D1

38

D8

37

D0

36

V

35

SS

BHE

NC
NC

PEACK

A23
A22
V
A21
A20
A19
A18
A17
A16
A15
A14

LOCK

M/IO

COD/

68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52

1
2
3

S1

4

S0

5
6
7
8
9

SS

10
11
12
13
14
15
16
17

A11

A13

A12

Functional Diagram

ADDRESS UNIT (AU)

OFFSET

ADDER

REGISTERS

EXECUTION UNIT (EU)

SEGMENT

LIMIT

CHECKER

ALU

CONTROL

NMI BUSY

SEGMENT

BASES

SEGMENT

SIZES

ERRORINTR

PHYSICAL
ADDRESS
ADDER

3 DECODED

INSTRUCTION

QUEUE

ADDRESS

LATCHES AND DRIVERS

PRE-

FETCHER

PROCESSOR

EXTENSION

INTERFACE

BUS CONTROL

DATA TRANSCEIVERS

6-BYTE

PREFETCH

QUEUE

INSTRUCTION

DECODER

BUS UNIT (BU)

INSTRUCTION

UNIT (IU)

A

- A0,

23

BHE, M/IO
PEACK

PEREQ
READY,

HOLD,
S1, S0,

COD/

INTA,

LOCK, HLDA
D

- D

15

0

RESET
CLK
V

SS

V

CC

3-70

80C286

Pin Descriptions

PIN

SYMBOL

CLK 31 I SYSTEM CLOCK: provides the fundamental timing for the 80C286 system. It is divided by two inside

- D

D

15

A23 - A

BHE 1 O BUS HIGH ENABLE: indicates transfer of data on the upper byte of the data bus, D15 - D8. Eight-bit

NUMBER TYPE DESCRIPTION

36 - 51 I/O DATA BUS: inputs data during memory, I/O, and interrupt acknowledge read cycles; outputs data

0

7 - 8

0

10 - 28
32 - 43

The following pin function descriptions are for the 80C286 microprocessor.

the 80C286 to generate the processor clock. The internal divide-by-two circuitry can be synchro­nized to an external clock generator by a LOW to HIGH transition on the RESET input.

during memory and I/O write cycles. The data bus is active HIGH and is held at high impedance to
the last valid logic level during bus hold acknowledge.

O ADDRESS BUS: outputs physical memory and I/O port addresses. A23- A16 are LOW during I/O

transfers. A0 is LOW when data is to be transferred on pins D7 - D0 (see table below). The address
bus is active High and floats to three-state off during bus hold acknowledge.

oriented devices assigned to the upper byte of the data bus would normally use BHE to condition chip
select functions. BHE is active LOW and floats to three-state OFF during bus hold ac knowledge.

BHE AND A0 ENCODINGS

BHE VALUE A0 VALUE FUNCTION

0 0 Word transfer
0 1 Byte transfer on upper half of data bus (D15 - D8)
1 0 Byte transfer on lower half of data bus (D7 - D0)
1 1 Reserved

S1, S0 4, 5 O BUS CYCLE STATUS: indicates initiation of a bus cycle and along with M/IO and COD/lNTA, de-

fines the type of bus cycle. The bus is in a TS state whenever one or both are LOW. S1 and S0 are
active LOW and are held at a high impedance logic one during bus hold acknowledge.

80C286 BUS CYCLE STATUS DEFINITION

COD/INTAM/IO S1 S0 BUS CYCLE INITIATED

0(LOW) 0 0 0 Interrupt acknowledge

0 0 0 1 Reserved
0 0 1 0 Reserved
0 0 1 1 None; not a status cycle
0 1 0 0 If A1 = 1 then halt; else shutdown
0 1 0 1 Memory data read
0 1 1 0 Memory data write
0 1 1 1 None; not a status cycle

1(HIGH) 0 0 0 Reserved

1 0 0 1 I/O read
1 0 1 0 I/O write
1 0 1 1 None; not a status cycle
1 1 0 0 Reserved
1 1 0 1 Memory instruction read
1 1 1 0 Reserved
1 1 1 1 None; not a status cycle

3-71

80C286

Pin Descriptions

PIN

SYMBOL

M/IO 67 O MEMORY I/O SELECT: distinguishes memory access from I/O access. If HIGH during TS, a mem-

COD/lNTA 66 O CODE/INTERRUPT ACKNOWLEDGE: distinguishes instruction fetch cycles from memory data

LOCK 68 O BUS LOCK: indicates that other system bus masters are not to gain control of the system bus for

READY 63 l BUS READY: terminates a bus cycle. Bus cycles are extended without limit until terminated by

HOLD
HLDA

INTR 57 I INTERRUPT REQUEST: requires the 80C286 to suspend its current program execution and service

NMI 59 l NON-MASKABLE INTERRUPT REQUEST: interrupts the 80C286 with an internally supplied vector

PEREQ
PEACK

BUSY

ERROR

NUMBER TYPE DESCRIPTION

64
65

61

6

54
53

The following pin function descriptions are for the 80C286 microprocessor. (Continued)

ory cycle or a halt/shutdown cycle is in progress. If LOW, an I/O cycle or an interrupt acknowledge
cycle is in progress. M/IO is held at high impedance to the last valid logic state during bus hold ac­knowledge.

read cycles. Also distinguishes interrupt acknowledge cycles from I/O cycles. COD/lNTA is held at
high impedance to the last valid logic state during bus hold acknowledge. Its timing is the same as
M/IO.

the current and following bus cycles. The LOCK signal may be activated explicitly by the “LOCK”
instruction prefix or automatically by 80C286 hardware during memory XCHG instructions, interrupt
acknowledge, or descriptor table access. LOCK is active LOW and is held at a high impedance logic
one during bus hold acknowledge.

READY LOW. READY is an active LOW synchronous input requiring setup and hold times relative
to the system clock be met for correct operation. READY is ignored during bus hold acknowledge.
(See Note 1)

I

BUS HOLD REQUEST AND HOLD ACKNOWLEDGE: control ownership of the 80C286 local bus.

O

The HOLD input allows another local bus master to request control of the local bus. When control is
granted, the 80C286 will float its bus drivers and then activate HLDA, thus entering the bus hold ac­knowledge condition. The local bus will remain granted to the requesting master until HOLD be­comes inactive which results in the 80C286 deactivating HLDA and regaining control of the local
bus. This terminates the bus hold acknowledge condition. HOLD may be asynchronous to the sys­tem clock. These signals are active HIGH. Note that HLDA never floats.

a pending external request. Interrupt requests are masked whenever the interrupt enable bit in the
flag word is cleared. When the 80C286 responds to an interrupt request, it performs two interrupt
acknowledge bus cycles to read an 8-bit interrupt vector that identifies the source of the interrupt.
To ensure program interruption, INTR must remain active until an interrupt acknowledge bus cycle
is initiated. INTR is sampled at the beginning of each processor cycle and must be active HIGH at
least two processor cycles before the current instruction ends in order to interrupt before the next
instruction. INTR is level sensitive, active HIGH, and may be asynchronous to the system clock.

value of two. No interrupt acknowledge cycles are performed. The interrupt enable bit in the 80C286
flag word does not affect this input. The NMI input is active HIGH, may be asynchronous to the sys­tem clock, and is edge triggered after internal synchronization. For proper recognition, the input must
have been previously LOW for at least four system clock cycles and remain HIGH for at least four
system clock cycles.

l

PROCESSOR EXTENSION OPERAND REQUEST AND ACKNOWLEDGE: extend the memory

O

management and protection capabilities of the 80C286 to processor extensions. The PEREQ input
requests the 80C286 to perform a data operand transfer for a processor extension. The PEACK out­put signals the processor extension when the requested operand is being transferred. PEREQ is ac­tive HIGH. PEACK is active LOW and is held at a high impedance logic one during bus hold
acknowledge. PEREQ may be asynchronous to the system clock.

l

PROCESSOR EXTENSION BUSY AND ERROR: indicates the operating condition of a processor

I

extension to the 80C286. An active BUSY input stops 80C286 program execution on WAIT and
some ESC instructions until BUSY becomes inactive (HIGH). The 80C286 may be interrupted while
waiting for BUSY to become inactive. An active ERROR input causes the 80C286 to perform a pro­cessor extension interrupt when executing WAIT or some ESC instructions. These inputs are active
LOW and may be asynchronous to the system clock.

3-72

80C286

Pin Descriptions

PIN

SYMBOL

RESET 29 l SYSTEM RESET: clears the internal logic of the 80C286 and is active HIGH. The 80C286 may be

V

SS

V

CC

NOTES:

1. READY is an open-collector signal and should be pulled inactive with an appropriate resistor (620Ω at 10MHz and 12.5MHz, 470Ω at
16MHz, 390Ω at 20MHz, 270Ω at 25MHz).

2. HLDA is only Low if HOLD is inactive (Low).

3. All unused inputs should be pulled to their inactive state with pull up/down resistors.

NUMBER TYPE DESCRIPTION

9, 35, 60 l SYSTEM GROUND: are the ground pins (all must be connected to system ground).

30, 62 l SYSTEM POWER: +5V power supply pins. A 0.1µF capacitor between pins 60 and 62 is recommended.

The following pin function descriptions are for the 80C286 microprocessor. (Continued)

reinitialize at any time with a LOW to HIGH transition on RESET which remains active for more than
16 system clock cycles. During RESET active, the output pins of the 80C286 enter the state shown
below.

80C286 PIN STATE DURING RESET

PIN VALUE PIN NAMES

1 (HIGH) S0, S1, PEACK, A23 - A0, BHE, LOCK

0 (LOW) M/IO, COD/lNTA, HLDA (Note 2)

HIGH IMPEDANCE D15 - D0

Operation of the 80C286 begins after a HlGH to LOW transition on RESET. The HIGH to LOW
transition of RESET must be synchronous to the system clock. Approximately 50 system clock
cycles are required by the 80C286 for internal initializations before the first bus cycle to fetch code
from the power-on execution address is performed. A LOW to HIGH transition of RESET
synchronous to the system clock will end a processor cycle at the second HIGH to LOW transition
of the system clock. The LOW to HIGH transition of RESET may be asynchronous to the system
clock; however, in this case it cannot be predetermined which phase of the processor clock will occur
during the next system clock period. Synchronous LOW to HIGH transitions of RESET are required
only for systems where the processor clock must be phase synchronous to another clock.

Functional Description

Introduction

The Intersil 80C286 microprocessor is a static CMOS ver­sion of the NMOS 80286 microprocessor. The 80C286 is an
advanced, high-performance microprocessor with specially
optimized capabilities for multiple user and multi-tasking sys­tems. Depending on the application, the 80C286's perfor­mance is up to nineteen times faster than the standard
5MHz 8086's, while providing complete upward software
compatibility with Intersil 80C86 and 80C88 CPU family.

The 80C286 operates in two modes: 80C286 real address
mode and protected virtual address mode. Both modes exe­cute a superset of the 80C86 and 80C88 instruction set.

In 80C286 real address mode programs use real addresses
with up to one megabyte of address space. Programs use vir­tual addresses in protected virtual address mode, also called
protected mode. In protected mode, the 80C286 CPU automat­ically maps 1 gigabyte of virtual addresses per task into a 16
megabyte real address space. This mode also provides mem­ory protection to isolate the operating system and ensure pri­vacy of each tasks' programs and data. Both modes provide
the same base instruction set, registers and addressing modes.

The Functional Description describes the following: Static oper­ation, the base 80C286 architecture common to both modes,
80C286 real address mode, and finally, protected mode.

Static Operation

The 80C286 is comprised of completely static circuitry.
Internal registers, counters, and latches are static and
require no refresh as with dynamic circuit design. This elim­inates the minimum operating frequency restriction typically
placed on microprocessors. The CMOS 80C286 can oper­ate from DC to the specified upper frequency limit. The
clock to the processor may be stopped at any point (either
phase one or phase two of the processor clock cycle) and
held there indefinitely. There is, however, a significant
decrease in power requirement if the clock is stopped in
phase two of the processor clock cycle. Details on the clock
relationships will be discussed in the Bus Operation sec­tion. The ability to stop the clock to the processor is espe­cially useful for system debug or pow er critical applications.

3-73

80C286

The 80C286 can be single-stepped using only the CPU
clock. This state can be maintained as long as necessary.
Single step clock information allows simple interface circuitry
to provide critical information for system debug.

Static design also allows very low frequency operation
(down to DC). In a power critical situation, this can provide
low power operation since 80C286 power dissipation is
directly related to operating frequency. As the system fre­quency is reduced, so is the operating power until, ultimately,
with the clock stopped in phase two of the processor clock
cycle, the 80C286 power requirement is the standby current
(5mA maximum).

80C286 Base Architecture

The 80C86, 80C88, and 80C286 CPU family all contain the
same basic set of registers, instructions, and addressing
modes. The 80C286 processor is upwardly compatible with
the 80C86 and 80C88 CPU's.

Register Set

The 80C286 base architecture has fifteen registers as
shown in Figure 1. These registers are grouped into the fol­lowing four categories.

GENERAL REGISTERS: Eight 16-bit general purpose regis­ters used to contain arithmetic and logical operands. Four of
these (AX, BX, CX and DX) can be used either in their
entirety as 16-bit words or split into pairs of separate 8-bit
registers.

SEGMENT REGISTERS: Four 16-bit special purpose regis­ters select, at any given time, the segments of memory that
are immediately addressable for code, stack and data. (For
usage, refer to Memory Organization.)

BASE AND INDEX REGISTERS: Four of the general pur­pose registers may also be used to determine offset
addresses of operands in memory . These registers ma y con­tain base addresses or indexes to particular locations within
a segment. The addressing mode determines the specific
registers used for operand address calculations.

STATUS AND CONTROL REGISTERS: Three 16-bit special
purpose registers record or control certain aspects of the
80C286 processor state. These include the Flags register
and Machine Status Word register shown in Figure 2, and
the Instruction Pointer, which contains the offset address of
the next sequential instruction to be executed.

REGISTER

ADDRESSABLE

BYTE

(8-BIT

REGISTER

NAMES

SHOWN)

16-BIT

NAME

AH AL

AX

DX

DH

CX

CH

BX

BH

BP

SI

DI

SP

15 0

GENERAL

REGISTERS

CS

DS

SS

ES

SEGMENT

REGISTERS

F

IP

MSW

STATUS AND CONTROL

REGISTERS

DL

CL

BL

SPECIAL

REGISTER

FUNCTIONS

0707

MULTIPLY/DIVIDE
I/O INSTRUCTIONS

LOOP/SHIFT/REPEAT
COUNT

BASE REGISTERS

INDEX REGISTERS

STACK POINTER

015

CODE SEGMENT
SELECTOR

DATA SEGMENT
SELECTOR

STACK SEGMENT
SELECTOR

EXTRA SEGMENT
SELECTOR

015

FLAGS
INSTRUCTION

POINTER
MACHINE

STATUS WORD

FIGURE 1. REGISTER SET

Flags Word Description

The Flags word (Flags) records specific characteristics of
the result of logical and arithmetic instructions (bits 0, 2, 4, 6,
7 and 11) and controls the operation of the 80C286 within a
given operating mode (bits 8 and 9). Flags is a 16-bit regis­ter. The function of the flag bits is given in Table 1.

3-74

MSW:

80C286

STATUS FLAGS:

CARRY
PARITY

AUXILIARY CARRY

ZERO

SIGN

OVERFLOW

1415 13 12 11 10 9 8 7 6 5 4 3 2 1 0

CFPFAFZFSFTFIFDFOFIOPLNTFLAGS:

CONTROL FLAGS:
TRAP FLAG
INTERRUPT ENABLE
DIRECTION FLAG

SPECIAL FIELDS:
I/O PRIVILEGE LEVEL
NESTED TASK FLAG

012315

TS EM MP PE

RESERVED

PROCESSOR EXTENSION EMULATED

MONITOR PROCESSOR EXTENSION

TASK SWITCH

PROTECTION ENABLE

FIGURE 2. STATUS AND CONTROL REGISTER BIT FUNCTIONS

TABLE 1. FLAGS WORD BIT FUNCTIONS

BIT POSITION NAME FUNCTION

0 CF Carry Flag - Set on high-order bit carry or borrow; cleared otherwise.

2 PF Parity Flag - Set if low-order 8 bits of result contain an even number of 1 bits; cleared otherwise.

4 AF Set on carry from or borrow to the low order four bits of AL; cleared otherwise.

6 ZF Zero Flag - Set if result is zero; cleared otherwise.

7 SF Sign Flag - Set equal to high-order bit of result (0 if positive, 1 if negative).

11 OF Overflow Flag - Set if result is a too-large positive number or a too-small negative number (excluding

sign-bit) to fit in destination operand; cleared otherwise.

8 TF Single Step Flag - Once set, a single step interrupt occurs after the next instruction executes. TF is

cleared by the single step interrupt.

9 IF Interrupt-Enable Flag - When set, maskable interrupts will cause the CPU to transfer control to an inter-

rupt vector specified location.

10 DF Direction Flag - Causes string instructions to auto decrement the appropriate index registers when set.

Clearing DF causes auto increment.

3-75

80C286

Instruction Set

The instruction set is divided into seven categories: data
transfer, arithmetic, string manipulation, shift/rotate/logical,
high level, processor control and control transf er instructions.
These categories are summarized in Table 2.

An 80C286 instruction can reference zero, one, or two oper­ands; where an operand may reside in a register, in the
instruction itself, or in memory. Zero-operand instructions
(e.g. NOP and HLT) are usually one byte long. One-operand
instructions (e.g. INC and DEC) are usually two bytes long
but some are encoded in only one byte. One-operand
instructions may reference a register or memory location.
Two-operand instructions permit the following six types of
instruction operations:

• Register to Register • Memory to Memory

• Memory to Register • Register to Memory

• Immediate to Register • Immediate to Memory
Two-operand instructions (e.g. MOV and ADD) are usually

three to six bytes long. Memory to memory operations are
provided by a special class of string instructions requiring
one to three bytes. For detailed instruction formats and
encodings refer to the instruction set summary at the end of
this document.

TABLE 2A. DATA TRANSFER INSTRUCTIONS

GENERAL PURPOSE

MOV Move byte or word

PUSH Push word onto stack

POP Pop word off stack

PUSHA Push all registers on stack

POPA Pop all registers from stack
XCHG Exchange byte or word

XLAT Translate byte

INPUT/OUTPUT

IN Input byte or word

OUT Output byte or word

ADDRESS OBJECT

LEA Load effective address

LDS Load pointer using DS

LES Load pointer using ES

FLAG TRANSFER

LAHF Load AH register from flags

SAHF Store AH register in flags

PUSHF Push flags onto stack

POPF Pop flags off stack

TABLE 2B. ARITHMETIC INSTRUCTIONS

ADDITION

ADD Add byte or word
ADC Add byte or word with carry

INC Increment byte or word by 1
AAA ASClI adjust for addition
DAA Decimal adjust for addition

SUBTRACTION

SUB Subtract byte or word
SBB Subtract byte or word with borrow

DEC Decrement byte or word by 1
NEG Negate byte or word
CMP Compare byte or word

AAS ASClI adjust for subtraction
DAS Decimal adjust for subtraction

MULTIPLICATION

MUL Multiply byte or word unsigned
lMUL Integer multiply byte or word
AAM ASClI adjust for multiply

DIVISION

DlV Divide byte or word unsigned

lDlV Integer divide byte or word
AAD ASClI adjust for division

CBW Convert byte to word
CWD Convert word to doubleword

TABLE 2C. STRING INSTRUCTIONS

MOVS Move byte or word string

INS Input bytes or word string

OUTS Output bytes or word string
CMPS Compare byte or word string

SCAS Scan byte or word string
LODS Load byte or word string
STOS Store byte or word string

REP Repeat

REPE/REPZ Repeat while equal/zero

REPNE/REPNZ Repeat while not equal/not zero

3-76

80C286

TABLE 2D. SHIFT/ROTATE LOGICAL INSTRUCTIONS

LOGICALS

NOT “Not” byte or word
AND “And” byte or word

OR “Inclusive or” byte or word

XOR “Exclusive or” byte or word

TEST “Test” byte or word

SHIFTS

SHL/SAL Shift logical/arithmetic left byte or word

SHR Shift logical right byte or word
SAR Shift arithmetic right byte or word

ROTATES

ROL Rotate left byte or word

ROR Rotate right byte or word

RCL Rotate through carry left byte or word

RCR Rotate through carry right byte or word

TABLE 2E. HIGH LEVEL INSTRUCTIONS

ENTER Format stack for procedure entry

LEAVE Restore stack for procedure exit

BOUND Detects values outside prescribed range

TABLE 2F. PROCESSOR CONTROL INSTRUCTIONS

FLAG OPERATIONS

STC Set carry flag
CLC Clear carry flag

CMC Complement carry flag

STD Set direction flag
CLD Clear direction flag

STl Set interrupt enable flag
CLl Clear interrupt enable flag

EXTERNAL SYNCHRONIZATION

HLT Halt until interrupt or reset

WAIT Wait for TEST pin active

ESC Escape to extension processor

LOCK Lock bus during next instruction

NO OPERATION

NOP No operation

EXECUTION ENVIRONMENT CONTROL

LMSW Load machine status word

SMSW Store machine status word

TABLE 2G. PROGRAM TRANSFER INSTRUCTIONS

CONDITIONAL TRANSFERS UNCONDITIONAL TRANSFERS

JA/JNBE Jump if above/not below nor equal CALL Call procedure
JAE/JNB Jump if above or equal/not below RET Return from procedure
JB/JNAE Jump if below/not above nor equal JMP Jump
JBE/JNA Jump if below or equal/not above

JC Jump if carry ITERATION CONTROLS

JE/JZ Jump if equal/zero LOOP Loop
JG/JNLE Jump if greater/not less nor equal
JGE/JNL Jump if greater or equal/not less LOOPE/LOOPZ Loop if equal/zero
JL/JNGE Jump if less/not greater nor equal LOOPNE/LOOPNZ Loop if not equal/not zero
JLE/JNG Jump if less or equal/not greater JCXZ Jump if register CX = 0

JNC Jump if not carry

JNE/JNZ Jump if not equal/not zero INTERRUPTS

JNO Jump if not overflow INT Interrupt

JNP/JPO Jump if not parity/parity odd

JNS Jump if not sign INTO Interrupt if overflow

JO Jump if overflow lRET Interrupt return

JP/JPE Jump if parity/parity even

JS Jump if sign

3-77

80C286

Memory Organization

Memory is organized as sets of variable-length segments. Each
segment is a linear contiguous sequence of up to 64K (2

16

) 8­bit bytes. Memory is addressed using a two-component
address (a pointer) that consists of a 16-bit segment selector
and a 16-bit offset. The segment selector indicates the desired
segment in memory. The offset component indicates the
desired byte address within the segment. (See Figure 3).

All instructions that address operands in memory must spec­ify the segment and the offset. For speed and compact
instruction encoding, segment selectors are usually stored in
the high speed segment registers. An instruction need spec­ify only the desired segment register and offset in order to
address a memory operand.

POINTER

OFFSETSEGMENT

31 1615 0

OPERAND

SELECTED

MEMORY

FIGURE 3. TWO COMPONENT ADDRESS

SELECTED
SEGMENT

Most instructions need not explicitly specify which segment
register is used. The correct segment register is automati­cally chosen according to the rules of Table 3. These rules
follow the way programs are written (see Figure 4) as inde­pendent modules that require areas for code and data, a
stack, and access to external data areas.

Special segment override instruction prefixes allow the
implicit segment register selection rules to be overridden for
special cases. The stack, data and extra segments may
coincide for simple programs. To access operands not resid­ing in one of the four immediately available segments, a full
32-bit pointer or a new segment selector must be loaded.

TABLE 3. SEGMENT REGISTER SELECTION RULES

MEMORY

REFERENCE

NEEDED

SEGMENT
REGISTER

USED

IMPLICIT SEGMENT

SELECTION RULE

Addressing Modes

The 80C286 provides a total of eight addressing modes for
instructions to specify operands. Two addressing modes are
provided for instructions that operate on register or immedi­ate operands:

REGISTER OPERAND MODE: The operand is located in
one of the 8 or 16-bit general registers.

IMMEDIATE OPERAND MODE: The operand is included in
the instruction.

Six modes are provided to specify the location of an operand in
a memory segment. A memory operand address consists of
two 16-bit components: segment selector and offset. The seg­ment selector is supplied by a segment register either implicitly
chosen by the addressing mode or explicitly chosen by a seg­ment override prefix. The offset is calculated by summing any
combination of the following three address elements:

the displacement (an 8 or 16-bit immediate value contained
in the instruction)

the base (contents of either the BX or BP base registers)
the index (contents of either the SI or Dl index registers)

MODULE A

MODULE B

PROCESS

STACK

PROCESS

DAT A

BLOCK 1

CODE

DAT A

CODE

DAT A

CPU

CODE

DAT A

STACK
EXTRA

SEGMENT

REGISTERS

Instructions Code (CS) Automatic with instruction prefetch
Stack Stack (SS) All stack pushes and pops. Any

memory reference which uses BP
as a base register.

Local Data Data (DS) All data references except when

relative to stack or string destination

External
(Global) Data

Extra (ES) Alternate data segment and

destination of string operation

PROCESS

DAT A

BLOCK 2

MEMORY

FIGURE 4. SEGMENTED MEMORY HELPS STRUCTURE

SOFTWARE

Any carry out from the 16-bit addition is ignored. Eight-bit
displacements are sign extended to 16-bit values.

3-78

80C286

Combinations of these three address elements define the six
memory addressing modes, described below.

DIRECT MODE: The operand's offset is contained in the
instruction as an 8 or 16-bit displacement element.

REGISTER INDIRECT MODE: The operand's offset is in
one of the registers SI, Dl, BX or BP.

BASED MODE: The operand's offset is the sum of an 8 or
16-bit displacement and the contents of a base register (BX
or BP).

INDEXED MODE: The operand's offset is the sum of an 8 or 16­bit displacement and the contents of an index register (SI or Dl).

BASED INDEXED MODE: The operand's offset is the sum
of the contents of a base register and an index register.

BASED INDEXED MODE WITH DISPLACEMENT: The
operand's offset is the sum of a base register's contents, an
index register's contents, and an 8 or 16-bit displacement.

Data Types

The 80C286 directly supports the following data types:
Integer: A signed binar y numeric value contained in an 8-

bit byte or a 16-bit word. All operations assume a
2's complement representation. Signed 32 and
64-bit integers are supported using the 80287
Numeric Data Processor.

Ordinal: An unsigned binary numeric value contained in an

8-bit byte or 16-bit word.

Pointer: A 32-bit quantity, composed of a segment selector

component and an offset component. Each com­ponent is a 16-bit word.

String: A contiguous sequence of bytes or words. A string

may contain from 1 byte to 64K bytes.

ASClI: A byte representation of alphanumeric and control

characters using the ASClI standard of character
representation.

BCD: A byte (unpacked) representation of the decimal

digits 0-9.

Pack ed A byte (packed) representation of two decimal
BCD: digits 0-9 storing one digit in each nibble of the

byte.

Floating A signed 32, 64 or 80-bit real number representa­Point: tion. (Floating point operands are supported using

the 80287 Numeric Processor extension).

Figure 5 graphically represents the data types supported by
the 80C286.

SIGNED

SIGN BIT

UNSIGNED

SIGNED

SIGN BIT

SIGNED

DOUBLE

(NOTE)

SIGN BIT

SIGNED

(NOTE)

SIGN BIT

UNSIGNED

BINARY

CODED

DECIMAL

PACKED

STRING

POINTER

FLOATING

POINT (NOTE)

SIGN BIT

70

BYTE

MAGNITUDE

70

BYTE

MAGNITUDE

15

14

WORD

31

WORD

63

QUAD

WORD

+1

15

WORD

7

(BCD)

DIGIT N

7

ASCII

CHARACTER

7

BCD

MOST
SIGNIFICANT DIGIT

7/15

BYTE/WORD N BYTE/WORD 1 BYTE/WORD 0

31

79

EXPONENT MAGNITUDE

MSB

+1 0

87 0

MSB

MAGNITUDE

+3 +2

MSB

MAGNITUDE

+6+7 +5 +4 +3 +2 +1 0

4847 32 31 1615

MSB

MAGNITUDE

0

MSB

MAGNITUDE

+N

0

•••

BCD

+N

0

•••

ASCII

+N

+N

+3

SELECTOR

+9 +8 +7 +6 +5 +4 +3 +2 +1 0

CHARACTER

N

0

•••

0 7/15

•••

+1

+1 0

16

15 0

0

+1

7

7

7

16

0

7

BCD

DIGIT 1

+1

ASCII

+1

SIGNIFICANT DIGIT

+1

+1 0

15

BCD

DIGIT 0

0

7

ASCII
CHARACTER

1

07

0 7/1500

OFFSET

0

0

0

LEAST

0

0

0

0

0

0

FIGURE 5. 80C286 SUPPORTED DATA TYPES

NOTE: Supported by 80C286/80C287 Numeric Data Processor
Configuration

0

3-79

80C286

TABLE 4. INTERRUPT VECTOR ASSIGNMENTS

DOES RETURN ADDRESS

INTERRUPT

FUNCTION

Divide Error Exception 0 DlV, lDlV Yes
Single Step Interrupt 1 All
NMI Interrupt 2 INT 2 or NMI Pin
Breakpoint Interrupt 3 INT 3
INTO Detected Overflow Exception 4 INTO No
BOUND Range Exceeded Exception s BOUND Yes
Invalid Opcode Exception 6 Any Undefined Opcode Yes
Processor Extension Not Available Exception 7 ESC or WAIT Yes
Reserved - Do Not Use 8 - 15
Processor Extension Error Interrupt 16 ESC or WAIT
Reserved 17 - 31

NUMBER

RELATED

INSTRUCTIONS

POINT TO INSTRUCTION

CAUSING EXCEPTION?

User Defined 32 - 255

I/O Space

The I/O space consists of 64K 8-bit ports, 32K 16-bit ports, or
a combination of the two. I/O instructions address the I/O
space with either an 8-bit port address, specified in the
instruction, or a 16-bit port address in the DX register. 8-bit
port addresses are zero extended such that A

15-A8

are LOW.

I/O port addresses 00F8(H) through 00FF(H) are reserved.

Interrupts

An interrupt transfers execution to a new program location.
The old program address (CS:lP) and machine state (Flags)
are saved on the stack to allow resumption of the interrupted
program. Interrupts fall into three classes: hardware initiated,
INT instructions, and instruction exceptions. Hardware initi­ated interrupts occur in response to an external input and
are classified as non-maskable or maskable. Programs may
cause an interrupt with an INT instruction. Instruction excep­tions occur when an unusual condition which prevents fur­ther instruction processing is detected while attempting to
execute an instruction. The return address from an excep­tion will always point to the instruction causing the exception
and include any leading instruction prefixes.

A table containing up to 256 pointers defines the proper
interrupt service routine for each interrupt. Interrupts 0-31,
some of which are used for instruction exceptions, are
reserved. For each interrupt, an 8-bit vector must be sup­plied to the 80C286 which identifies the appropriate table
entry. Exceptions supply the interrupt vector internally. INT
instructions contain or imply the vector and allow access to
all 256 interrupts. Maskable hardware initiated interrupts
supply the 8-bit vector to the CPU during an interrupt
acknowledge bus sequence. Nonmaskable hardware inter­rupts use a predefined internally supplied vector.

Maskable Interrupt (INTR)

The 80C286 provides a maskable hardware interrupt request
pin, INTR. Software enables this input by setting the interrupt
flag bit (IF) in the flag word. All 224 user-defined interrupt
sources can share this input, yet they can retain separate
interrupt handlers. An 8-bit vector read by the CPU during the
interrupt acknowledge sequence (discussed in System Inter­face section) identifies the source of the interrupt.

The processor automatically disables further maskable inter­rupts internally by resetting the IF as part of the response to
an interrupt or exception. The saved flag word will reflect the
enable status of the processor prior to the interrupt. Until the
flag word is restored to the flag register, the interrupt flag will
be zero unless specifically set. The interrupt return instruc­tion includes restoring the flag word, thereby restoring the
original status of IF.

Non-Maskable Interrupt Request (NMI)

A non-maskable interrupt input (NMI) is also provided. NMI
has higher priority than INTR. A typical use of NMI would be
to activate a power f ailure routine . The activation of this input
causes an interrupt with an internally supplied vector value
of 2. No external interrupt acknowledge sequence is per­formed.

While executing the NMI servicing procedure, the 80C286
will service neither further NMI requests, INTR requests, nor
the processor extension segment overrun interrupt until an
interrupt return (lRET) instruction is executed or the CPU is
reset. If NMI occurs while currently servicing an NMI, its
presence will be saved for servicing after executing the first
IRET instruction. IF is cleared at the beginning of an NMI
interrupt to inhibit INTR interrupts.

3-80

80C286

Single Step Interrupt

The 80C286 has an internal interrupt that allows programs to
execute one instruction at a time. It is called the single step
interrupt and is controlled by the single step flag bit (TF) in the
flag word. Once this bit is set, an internal single step interrupt
will occur after the next instruction has been executed. The
interrupt clears the TF bit and uses an internally supplied vec­tor of 1. The lRET instruction is used to set the TF bit and
transfer control to the next instruction to be single stepped.

Interrupt Priorities

When simultaneous interrupt requests occur, they are pro­cessed in a fixed order as shown in Table 5. Interrupt pro­cessing involves sa ving the flags , return address, and setting
CS:lP to point at the first instruction of the interrupt handler.
If another enabled interrupt should occur, it is processed
before the next instruction of the current interrupt handler is
executed. The last interrupt processed is therefore the first
one serviced.

TABLE 5. INTERRUPT PROCESSING ORDER

ORDER INTERRUPT

1 Instruction Exception
2 Single Step
3 NMI
4 Processor Extension Segment Overrun
5 INTR
6 INT Instruction

Initialization and Processor Reset

Processor initialization or start up is accomplished by driving
the RESET input pin HIGH. RESET forces the 80C286 to
terminate all execution and local bus activity. No instruction
or bus activity will occur as long as RESET is active. After
RESET becomes inactive, and an internal processing inter­val elapses, the 80C286 begins execution in real address
mode with the instruction at physical location FFFFF0(H).
RESET also sets some registers to predefined values as
shown in Table 6.

TABLE 6. 80C286 INITIAL REGISTER STATE AFTER RESET

Machine Status Word Description

The machine status word (MSW) records when a task switch
takes place and controls the operating mode of the 80C286.
It is a 16-bit register of which the lower four bits are used.
One bit places the CPU into protected mode, while the other
three bits, as shown in Table 7, control the processor exten­sion interface. After RESET, this register contains FFF0(H)
which places the 80C286 in 80C286 real address mode.

TABLE 7. MSW BIT FUNCTIONS

BIT

POSITION NAME FUNCTION

0 PE Protected mode enable places the

80C286 into protected mode and cannot
be cleared except by RESET.

1 MP Monitor processor extension allows WAIT

instructions to cause a processor exten­sion not present exception (number 7).

2 EM Emulate processor extension causes a

processor extension not present excep­tion (number 7) on ESC instructions to al­low emulating a processor extension.

3 TS Task switched indicates the next instruc-

tion using a processor extension will
cause exception 7, allowing software to
test whether the current processor exten­sion context belongs to the current task.

The LMSW and SMSW instructions can load and store the
MSW in real address mode. The recommended use of TS,
EM, and MP is shown in Table 8.

Halt

The HLT instruction stops program execution and prevents
the CPU from using the local bus until restarted. Either NMI,
INTR with IF = 1, or RESET will force the 80C286 out of halt.
If interrupted, the saved CS:IP will point to the next instruc­tion after the HLT.

Flag Word 0002(H)
Machine Status Word FFF0(H)
Instruction Pointer FFF0(H)
Code Segment F000(H)
Data Segment 0000(H)
Extra Segment 0000(H)
Stack Segment 0000(H)

HOLD must not be active during the time from the leading
edge of the initial RESET to 34 CLKs after the trailing edge
of the initial RESET of an 80C286 system.

3-81

80C286

TABLE 8. RECOMMENDED MSW ENCODINGS FOR PROCESSOR EXTENSION CONTROL

INSTRUCTION

CAUSING

TS MP EM RECOMMENDED USE

0 0 0 Initial encoding after RESET. 80C286 operation is identical to 80C86/88. None
0 0 1 No processor extension is available. Software will emulate its function. ESC
1 0 1 No processor extension is available. Software will emulate its function. The

current processor extension context may belong to another task.
0 1 0 A processor extension exists. None
1 1 0 A processor e xtension e xists . The current processor e xtension conte xt ma y

belong to another task. The exception 7 on WAIT allo ws softw are to test f or

an error pending from a previous processor extension operation.

TABLE 9. REAL ADDRESS MODE ADDRESSING INTERRUPTS

EXCEPTION 7

ESC

ESC or WAIT

INTERRUPT

FUNCTION

Interrupt table limit too small exception 8 INT vector is not within table limit Yes
Processor extension segment overrun

interrupt
Segment overrun exception 13 Word memory reference with offset = FFFF(H) or an

NUMBER RELATED INSTRUCTIONS

9 ESC with memory operand extending beyond offset

FFFF(H)

attempt to execute past the end of a segment

RETURN ADDRESS

BEFORE INSTRUCTION

80C286 Real Address Mode

The 80C286 executes a fully upward-compatible superset of
the 80C86 instruction set in real address mode. In real
address mode the 80C286 is object code compatible with
80C86 and 80C88 software. The real address mode archi­tecture (registers and addressing modes) is exactly as
described in the 80C286 Base Architecture section of this
Functional Description.

Memory Size

Physical memory is a contiguous array of up to 1,048,576
bytes (one megabyte) addressed by pins A

through A

0

and BHE. A20 through A23 should be ignored.

Memory Addressing

In real address mode physical memory is a contiguous array
of up to 1,048,576 bytes (one megabyte) addressed by pin
A

through A19 and BHE. Address bits A20-A23 may not

0

always be zero in real mode. A

should not be used by

20-A23

the system while the 80C286 is operating in Real Mode.

in a segment does not use the full 64K bytes, the unused
end of the segment may be overlaid by another segment to
reduce physical memory requirements.

15 0

OFFSET
ADDRESS

SEGMENT
ADDRESS

19

0000 OFFSET

SEGMENT

SELECTOR

ADDER

015

0000

No

Yes

The selector portion of a pointer is inter preted as the upper
16-bits of a 20-bit segment address. The lower four bits of
the 20-bit segment address are always zero. Segment
addresses, therefore, begin on multiples of 16 bytes. See
Figure 6 for a graphic representation of address information.

All segments in real address mode are 64K bytes in size and
may be read, written, or executed. An exception or interrupt
can occur if data operands or instructions attempt to wrap
around the end of a segment (e.g. a word with its low order
byte at offset FFFF(H) and its high order byte at offset
0000(H)). If, in real address mode, the information contained

19 0

20-BIT PHYSICAL

MEMORY ADDRESS

FIGURE 6. 80C286 REAL ADDRESS MODE ADDRESS

CALCULATION

3-82

80C286

Reserved Memory Locations

The 80C286 reserves two fixed areas of memory in real
address mode (see Figure 7); system initialization area and
interrupt table area. Locations from addresses FFFF0(H)
through FFFFF(H) are reserved for system initialization. Initial
execution begins at location FFFF0(H). Locations 00000(H)
through 003FF(H) are reserved for interrupt vectors.

RESET BOOTSTRAP

PROGRAM JUMP

•

•

•

INTERRUPT POINTER

FOR VECTOR 255

•

•

•

INTERRUPT POINTER

FOR VECTOR 1

INTERRUPT POINTER

FOR VECTOR 0

INITIAL CS:IP VALUE IS F000:FFF0

FIGURE 7. 80C286 REAL ADDRESS MODE INITIALLY

RESERVED MEMORY LOCATIONS

FFFFFH
FFFF0H

3FFH
3FCH

7H

4H
3H
0H

Interrupts

Table 9 shows the interrupt vectors reserved for exceptions
and interrupts which indicate an addressing error. The
exceptions leave the CPU in the state existing before
attempting to execute the failing instruction (except for
PUSH, POP, PUSHA, or POPA). Refer to the next section on
protected mode initialization for a discussion on exception 8.

Protected Virtual Address Mode

The 80C286 executes a fully upward-compatible superset of
the 80C86 instruction set in protected virtual address mode
(protected mode). Protected mode also provides memory
management and protection mechanisms and associated
instructions.

The 80C286 enters protected virtual address mode from real
address mode by setting the PE (Protection Enable) bit of
the machine status word with the Load Machine Status Word
(LMSW) instruction. Protected mode offers extended physi­cal and virtual memory address space, memor y protection
mechanisms, and new operations to support operating sys­tems and virtual memory.

All registers, instructions, and addressing modes described
in the 80C286 Base Architecture section of this Functional
Description remain the same. Programs for the 80C86,
80C88, and real address mode 80C286 can be run in pro­tected mode; however, embedded constants for segment
selectors are different.

Memory Size

The protected mode 80C286 provides a 1 gigabyte virtual
address space per task mapped into a 16 megabyte physical
address space defined by the address pins A
BHE. The virtual address space may be larger than the
physical address space since any use of an address that
does not map to a physical memory location will cause a
restartable exception.

CPU

31 16 15 0

POINTER

SELECTOR OFFSET

23-A0

and

Protected Mode Initialization

To prepare the 80C286 for protected mode, the LIDT instruc­tion is used to load the 24-bit interrupt table base and 16-bit
limit for the protected mode interrupt table. This instruction
can also set a base and limit for the interrupt vector table in
real address mode. After reset, the interrupt table base is ini­tialized to 000000(H) and its size set to 03FF(H). These val­ues are compatible with 80C86 and 80C88 software. LIDT
should only be executed in preparation for protected mode.

Shutdown

Shutdown occurs when a severe error is detected that prevents
further instruction processing by the CPU. Shutdown and halt
are externally signalled via a halt bus operation. They can be
distinguished by A

HIGH for halt and A1 LOW for shutdown. In

1

real address mode, shutdown can occur under two conditions:

• Exceptions 8 or 13 happen and the IDT limit does not
include the interrupt vector.

• A CALL INT or PUSH instruction attempts to wrap around
the stack segment when SP is not even.

An NMI input can bring the CPU out of shutdown if the IDT
limit is at least 000F(H) and SP is greater than 0005(H), oth­erwise shutdown can only be exited via the RESET input.

PHYSICAL MEMORY

PHYSICAL

ADDRESS

ADDER

SEGMENT BASE

ADDRESS

023

FIGURE 8. PROTECTED MODE MEMORY ADDRESSING

MEMORY

OPERAND

SEGMENT

DESCRIPTOR

SEGMENT

TABLE

SEGMENT

DESCRIPTION

Memory Addressing

As in real address mode, protected mode uses 32-bit point­ers, consisting of 16-bit selector and offset components. The
selector, however, specifies an index into a memory resident
table rather than the upper 16-bits of a real memory address.
The 24-bit base address of the desired segment is obtained

3-83

80C286

from the tables in memory. The 16-bit offset is added to the
segment base address to form the physical address as
shown in Figure 8. The tables are automatically referenced
by the CPU whenever a segment register is loaded with a
selector. All 80C286 instructions which load a segment reg­ister will reference the memory based tables without addi­tional software. The memory based tables contain 8 byte
values called descriptors.

Descriptors

Descriptors define the use of memory. Special types of
descriptors also define new functions for transfer of control
and task switching. The 80C286 has segment descriptors for
code, stack and data segments, and system control descrip­tors for special system data segments and control transfer
operations. Descriptor accesses are performed as locked
bus operations to assure descriptor integrity in multi-proces­sor systems.

Code and Data Segment Descriptors (S = 1)

Besides segment base addresses, code and data descriptors
contain other segment attributes including segment size (1 to
64K bytes), access rights (read only, read/wr ite, execute only,
and execute/read), and presence in memory (for virtual mem­ory systems) (See Table 10). Any segment usage violating a
segment attribute indicated by the segment descriptor will pre­vent the memory cycle and cause an exception or interrupt.

707

+7

P DPL S TYPE A

ACCESS

RIGHTS BYTE

† MUST BE SET TO 0 FOR COMPATIBILITY WITH FUTURE UPGRADES

FIGURE 9. CODE OR DATA SEGMENT DESCRIPTOR

+5

+3

+1

15

BASE

LIMIT

RESERVED †

BASE

23 - 16

15 - 0

15 - 0

780

0

+6

+4

+2

0

Code and data (including stack data) are stored in two types
of segments: code segments and data segments. Both types
are identified and defined by segment descriptors (S = 1).
Code segments are identified by the executable (E) bit set to
1 in the descriptor access rights byte. The access rights byte
of both code and data segment descriptor types have three
fields in common: present (P) bit, Descriptor Privilege Level
(DPL), and accessed (A) bit. If P = 0, any attempted use of
this segment will cause a not-present exception. DPL speci­fies the privilege level of the segment descriptor. DPL con­trols when the descriptor may be used by a task (refer to
privilege discussion below). The A bit shows whether the
segment has been previously accessed for usage profiling, a
necessity for virtual memory systems. The CPU will always
set this bit when accessing the descriptor.

Type

Field

Definition

TABLE 10. CODE AND DATA SEGMENT DESCRIPTOR FORMATS - ACCESS RIGHTS BYTE DEFINITION

BIT

POSITION NAME FUNCTION

7 Present (P) P = 1 Segment is mapped into physical memory.

P = 0 No mapping to physical memory exits, base and limit are not used.

6 - 5 Descriptor Privilege

Level (DPL)

4 Segment Descriptor (S) S = 1 Code or Data (includes stacks) segment descriptor

S = 0 System Segment Descriptor or Gate Descriptor
3 Executable (E) E = 0 Data segment descriptor type is:
2 Expansion Direction

(ED)

1 Writable (W) W = 0 Data segment may not be written into.

3 Executable (E) E = 1 Code Segment Descriptor type is:
2 Conforming (C) C = 1 Code segment may only be executed when CPL ≥

1 Readable (R) R = 0 Code segment may not be read.

0 Accessed (A) A = 0 Segment has not been accessed.

ED = 0 Expand up segment, offsets must be ≤ limit.

ED = 1 Expand down segment, offsets must be > limit.

W = 1 Data segment may be written into.

R = 1 Code segment may be read.

A = 1 Segment selector has been loaded into segment register or used by selector

Segment privilege attribute used in privilege tests.

DPL and CPL remains unchanged.

test instructions.

If Data Segment
(S = 1, E = 0)

If Code Segment
(S = 1, E = 1)

3-84

80C286

Data segments (S = 1, E = 0) may be either read-only or read­write as controlled by the W bit of the access rights byte.
Read-only (W = 0) data segments may not be written into.
Data segments may grow in two directions, as determined by
the Expansion Direction (ED) bit: upwards (ED = 0) for data
segments, and downwards (ED = 1) for a segment containing
a stack. The limit field for a data segment descriptor is inter­preted differently depending on the ED bit (see Table 10).

A code segment (S = 1, E = 1) may be execute-only or exe­cute/read as determined by the Readable (R) bit. Code seg­ments may never be written into and execute-only code
segments (R = 0) may not be read. A code segment may
also have an attribute called conforming (C). A conforming
code segment may be shared by programs that execute at
different privilege levels. The DPL of a conforming code seg­ment defines the range of privilege levels at which the seg­ment may be executed (refer to privilege discussion below).
The limit field identifies the last byte of a code segment.

System Segment Descriptors (S = 0, Type = 1-3)

In addition to code and data segment descriptors, the pro­tected mode 80C286 defines System Segment Descriptors.
These descriptors define special system data segments
which contain a table of descriptors (Local Descriptor Table
Descriptor) or segments which contain the execution state of
a task (Task State Segment Descriptor).

Table 11 gives the formats for the special system data seg­ment descriptors. The descriptors contain a 24-bit base
address of the segment and a 16-bit limit. The access byte
defines the type of descriptor, its state and privilege level.
The descriptor contents are valid and the segment is in
physical memory if P = 1. If P = 0, the segment is not valid.
The DPL field is only used in Task State Segment descrip­tors and indicates the privilege level at which the descriptor
may be used (see Privilege). Since the Local Descriptor
Table descriptor may only be used by a special privileged
instruction, the DPL field is not used. Bit 4 of the access byte
is 0 to indicate that it is a system control descriptor. The type
field specifies the descriptor type as indicated in Table 11.

707

+7

P DPL 0 TYPE

+5

+3

+1

15

† MUST BE SET TO 0 FOR COMPATIBILITY WITH FUTURE UPGRADES

FIGURE 10. SYSTEM SEGMENT DESCRIPTOR

RESERVED †

BASE

23 - 16

BASE

15 - 0

LIMIT

15 - 0

780

0

+6

+4

+2

0

TABLE 11. SYSTEM SEGMENT DESCRIPTOR FORMAT FIELDS

NAME VALUE DESCRIPTION

TYPE 1 Available Task State Segment (TSS)

2 Local Descriptor Table
3 Busy Task State Segment (TSS)

P 0 Descriptor contents are not valid

1 Descriptor contents are valid

DPL 0-3 Descriptor Privilege Level

BASE 24-Bit

Number

LIMIT 16-Bit

Number

Base Address of special system data
segment in real memory

Offset of last byte in segment

Gate Descriptors (S = 0, Type = 4-7)

Gates are used to control access to entry points within the
target code segment. The gate descriptors are call gates,
task gates, interrupt gates and trap gates. Gates provide a
level of indirection between the source and destination of the
control transfer. This indirection allows the CPU to automati­cally perform protection checks and control entry point of the
destination. Call gates are used to change privilege levels
(see Privilege), task gates are used to perform a task switch,
and interrupt and trap gates are used to specify interrupt ser­vice routines. The interrupt gate disables interrupts (resets
IF) while the trap gate does not.

Table 12 shows the format of the gate descriptors. The
descriptor contains a destination pointer that points to the
descriptor of the target segment and the entry point offset.
The destination selector in an interrupt gate, trap gate, and
call gate must refer to a code segment descriptor. These gate
descriptors contain the entry point to prevent a program from
constructing and using an illegal entry point. Task gates may
only refer to a task state segment. Since task gates invoke a
task switch, the destination offset is not used in the task gate.

Exception 13 is generated when the gate is used if a destina­tion selector does not refer to the correct descriptor type. The
word count field is used in the call gate descriptor to indicate
the number of parameters (0-31 words) to be automatically
copied from the caller’s stack to the stack of the called routine
when a control transfer changes privilege levels. The word
count field is not used by any other gate descriptor.

The access byte format is the same for all descriptors. P = 1
indicates that the gate contents are valid. P = 0 indicates the
contents are not valid and causes exception 11 if ref erenced.
DPL is the descriptor privilege level and specifies when this
descriptor may be used by a task (refer to privilege discus­sion below). Bit 4 must equal 0 to indicate a system control
descriptor. The type field specifies the descriptor type as
indicated in Table 12.

3-85

80C286

Segment Descriptor Cache Registers

A segment descriptor cache register is assigned to each of
the four segment registers (CS, SS, DS, ES). Segment
descriptors are automatically loaded (cached) into a seg­ment descriptor cache register (Figure 12) whenever the
associated segment register is loaded with a selector.

Only segment descriptors may be loaded into segment
descriptor cache registers. Once loaded, all references to
that segment of memory use the cached descriptor informa­tion instead of reaccessing the descriptor. The descriptor
cache registers are not visible to programs. No instructions
exist to store their contents. They only change when a seg­ment register is loaded.

707

+7

P DPL 0 TYPE

+5
+3
+1

† MUST BE SET TO 0 FOR COMPATIBILITY WITH FUTURE UPGRADES

15

RESERVED †

XX X

DESTINATION SELECTOR

DESTINATION OFFSET

780

WORD COUNT

15 - 0

15 - 0

FIGURE 11. GATE DESCRIPTOR

TABLE 12. GATE DESCRIPTOR FORMAT FIELD

NAME VALUE DESCRIPTION

TYPE 4 Call Gate

5 Task Gate
6 Interrupt Gate
7 Trap Gate

P 0 Descriptor Contents are not valid

1 Descriptor Contents are valid

DPL 0 - 3 Descriptor Privilege Level

WORD

COUNT

0 - 31 Number of words to copy from callers

stack to called procedures stack. Only
used with call gate.

DESTINATION

SELECTOR

16-Bit

Selector

Selector to the target code segment
(call, interrupt or selector Trap Gate).
Selector to the target task state seg­ment (Task Gate).

DESTINATION

OFFSET

16-Bit

Offset

Entry point within the target code seg­ment

4 - 0

XX

0

+6
+4
+2
0

Selector Fields

A protected mode selector has three fields: descriptor entry
index, local or global descriptor table indicator (T

), and selec-

I

tor privilege (RPL) as shown in Figure 13. These fields select
one of two memory based tables of descriptors, select the
appropriate table entry and allow high-speed testing of the
selector's privilege attribute (refer to privilege discussion
below).

PROGRAM VISIBLE

SEGMENT SELECTORS
CS
DS
SS
ES

15 0

SEGMENT REGISTERS

(LOADED BY PROGRAM)

PROGRAM INVISIBLE

ACCESS

RIGHTS

47 40 39 16 15 0

SEGMENT PHYSICAL

BASE ADDRESS

SEGMENT DESCRIPTOR CACHE REGISTERS

(AUTOMATICALLY LOADED BY CPU)

SEGMENT SIZE

FIGURE 12. DESCRIPTOR CACHE REGISTERS

SELECTOR

INDEX

15 8 7 2 1 0

RPLTI

BITS NAME FUNCTION

1 - 0 Requested Privilege Level

(RPL)

Indicates Selector Privilege
Level Desired

2 Table Indicator (TI) TI = 0 Use Global Descrip-

tor Table (GDT)
TI = 1 Use Local Descriptor
Table (LDT)

15 - 3 Index Select Descriptor Entry In

Table

FIGURE 13. SELECTOR FIELDS

Local and Global Descriptor Tables

Two tables of descriptors, called descriptor tables, contain all
descriptors accessible by a task at any given time. A descriptor
table is a linear array of up to 8192 descriptors. The upper 13
bits of the selector value are an index into a descriptor table.
Each table has a 24-bit base register to locate the descriptor
table in physical memory and a 16-bit limit register that confine
descriptor access to the defined limits of the table as shown in
Figure 14. A restartable exception (13) will occur if an attempt is
made to reference a descriptor outside the table limits.

One table, called the Global Descriptor table (GDT), con­tains descriptors available to all tasks. The other tab le , called
the Local Descriptor Table (LDT), contains descriptors that
can be private to a task. Each task may have its own private
LDT. The GDT may contain all descriptor types except inter­rupt and trap descriptors. The LDT may contain only seg­ment, task gate, and call gate descriptors. A segment cannot
be accessed by a task if its segment descriptor does not
exist in either descriptor table at the time of access.

3-86