ADVANCED TOPICS

This chapter describes some of the advanced topics as virtual memory management, restartable instructions, special segment attributes, and the validation of descriptors and pointers.

11.1 VIRTUAL MEMORY MANAGEMENT When access to a segment is requested and memory (swapping or overwriting another segment if necessary), or to terminate execu-tion of the requesting program if this is not

possible. .

The accessed bit (bit 0) of the access byte is provided in both executable and data segment descriptors to support segment usage profil-ing. Whenever the descriptor is accessed by the iAPX 286 hardware, the A-bit will be set in memory. This applies to selector test instruction (described below) as well as to the loading of a segment register. The reading of the access byte and the restoration of it with the A-bit set is an indivisible operation, i.e., it is performed as a read-modify-write with bus lock. If an operating system develops a profile of segment usage over time, . it can recognize segments of low or zero access and choose among these candidates for

Not-present exceptions occur only on segment register load operations, gate accesses, and

task switches. The saved instruction pointer refers to the first byte of the violating instruction. All other aspects of the saved machine state are exactly as they were before execution of the violating instruction began.

After the fault handler clears up the fault condition and performs an IRET, the program continues to execute. The only external indication of a segment swap is the additional execution time.

11.2 SPECIAL SEGMENT ATTRIBUTES 11.2.1 Conforming Code Segments Code segments intended for use at potentially different privilege levels need an attribute that permits them to emulate the privilege level of the calling task. Such segments are termed

"conforming" segments. Conforming segments are also useful for interrupt-driven error routines that need only be as privileged as the routine that caused the error.

A conforming code segment has bit 2 of its access byte set to 1. This means it can be referenced by a CALL or JMP instruction in a task of equal or lesser privilege, i.e., CPL of the task is numerically greater than or equal to DPL of this segment. CPL does not change when executing the conforming code segment.

A conforming segment continues to use the

Inter-segment Returns that refer to conform-ing code segments use the RPL field of the code selector of the return address to deter-mine the new CPL. The RPL becomes the new CPL. if the conforming code segment DPL<RPL.

ADVANCED TOPICS

If a conforming segment is readable, it can be read from any privilege level without restric-tion. This is the only exception to the protec-tion rules. This allows constants to be stored with conforming code. For example, a read-only look-up table can be embedded in a conforming code segment that can be used to convert system-wide logical ID's into charac-ter strings that represent :those logical entities.

11.2.2 Expand-Down Data Segments If bit 2 in the access byte of a data segment:

is I, the segment is an expand-down segment.

All the offsets that reference such a segment must be strictly greater than the segment limit, as opposed to normal data segments (bit 2=0) where all offsets must be less than or equal to the segment limit. Figure 11-1 shows an expand-down segment.

The size of the expand down segment can be changed by changing either the base' or the limit.· An expand down segment with

Limit~O will have a size of 2¹⁶-1 bytes ..

With a limit value of FFFFH, the. expand down segment will have a size of 0 bytes. In an expand down segment, the base

+

^offset

BASE + FFFEH --i~~~~

BASE + OFFSET --'-".".'"

> BASE + LIMIT

BASE + ^LIMIT ---l~~~~..:o:t BASE

EXPAND DOWN SEGMENT

Figure 11-1. Expand Down Segment·

value should always be greater than the base

+

limit value. Therefore, a full size segment (2¹⁶ bytes) can only be obtained by using an expand up segment.

The operating system should check the Expanded Down bit when a protection fault indicates that the limit of a data segment has been reached. If the Expand Down bit is not set, the operating system· should increase the segment limit; if it is set, the limit should be lowered. This supplies more room in either case (assuming the segment is not write-protected, i.e., that bit 1 is not 0). In some cases, if the operating system can ascertain that there is not enough room to expand the data segment to meet the need that caused the fault,it can move the data . segment to a region of memory where there is enough room. See figure 11-2.

11.3 POINTER VALIDATION

Pointer validation is an important part of locating programming errors. Pointer valida-tion is necessary for maintaining isolavalida-tion between the privilege levels. Pointer valida-tion consists of the following steps:

1. Check if the supplier of the pointer is entitled to access the s~gment.

2.· Check if the segment type is appropriate to its intended use.

3. Check if the pointer violates the segment limit.

The iAPX 286 hardware automatically performs checks 2 and 3 during instruction execution, .while software must assist in performing the first check. This point is discussed in section 11.3.2. Software can explicitly perform steps 2 and 3 to check for potential violations (rather than causing an exception). The unprivileged instructions LSL, LAR; VERR, and VER Ware provided for this purpose.

ADVANCED TOPICS

BASE + 10000H --t~""""""""""1 STACK SEG. B

BASE + 10000H - - ' 1 * - - - - 1

STACK SEG.B

+

gtg

~~~i --+----1

NEW BASE ---;~~..,.,..,..,..,.,.j

OLD BASE

Figure 11·2. Dynamic Segment Relocation and Expansion of Segment Limit

The load access rights (LAR) instruction obtains the access rights byte of a descriptor pointed to by the selector used in the instruc-tion. If that selector is visible at the CPL, the instruction loads the access byte into the specified destination register as the higher byte (the low byte is zero) and the zero flag is set. Once loaded, the access bits can be tested. System segments such as a task state segment or a descriptor table cannot be read or modified. This instruction is used to verify that a pointer refers to a segment of the proper privilege level and type. If the RPL or CPL is greater than DPL, or the selector is outside the table limit, no access value is returned and the zero flag is cleared.

Conforming code segments may be accessed from any RPL or CPL.

Additional parameter checking can be performed via the load segment limit (LSL) instruction. If the descriptor denoted by the given selector (in memory or a register) is visible at the CPL, LSL loads the specified register with a word that consists of the limit field of that descriptor. This can only be done for segments, task state segments, and local

descriptor tables (Le., words from control descriptors are inaccessible). Interpreting the limit is a function of the segment type. For example, downward expandable data segments treat the limit differently than code segments do.

For both LAR and LSL, the zero flag (ZF) is set if the loading was performed; otherwise, the zero flag is cleared. Both instructions are undefined iil real address mode, causing an invalid opcode exception (interrupt #6).

11.3. 1 Descriptor Validation

The iAPX 286 has two instructions, VERR and VER W, which determine whether a selector points to a segment that can be read or written at the current privilege level.

Neither instruction causes a protection fault if the result is negative.

VERR verifies a segment for reading and loads ZF with 1 if that segment is readable from the current privilege level. The valida-tion process checks that: I) the selector points to a descriptor within the bounds of the GDT or LDT, 2) it denotes a segment descriptor

Dans le document MANUAL PROGRAMMER'S iAPX 286 (Page 174-177)