INTEL M80C286

M80C286
HIGH PERFORMANCE CHMOS MICROPROCESSOR
WITH MEMORY MANAGEMENT AND PROTECTION
Military
Y
High Speed CHMOS III Technology
Y
10 MHz Clock Rate
Y
Pin for Pin, Clock for Clock, and
Functionally Compatible with the HMOS
M80286
Y
68 Lead Pin Grid Array Package
Y
68 Lead Ceramic Quad Flatpack
Package
(See M80286 Data Sheet, Order Ý271028-003)
Y
Stop Clock Capability
Ð Uses Less Power (see ICCS
Specification)
(See Packaging Spec., Order Ý231369)
Y
Military Temperature Range:
b 55§ C to a 125§ C (TC)
INTRODUCTION
The M80C286 is an advanced 16 bit CHMOS III microprocessor designed for multi-user and multi-tasking
applications that require low power and high performance. The M80C286 is fully compatible with its predecessor the HMOS M80286 and object-code compatible with the M8086 and M80386 family of products. In
addition, the M80C286 has a power down mode which uses less power, making it ideal for mobile applications.
The M80C286 has built-in memory protection that maintains a four level protection mechanism for task isolation, a hardware task switching facility and memory mangement capabilities that map 230 bytes (one gigabyte)
of virtual address space per task (per user) into 224 bytes (16 megabytes) of physical memory.
The M80C286 is upward compatible with M8086 and M8088 software. Using M8086 real address mode, the
M80C286 is object code compatible with existing M8086, M8088 software. In protected virtual address mode,
the M80C286 is source code compatible with M8086, M8088 software which may require upgrading to use
virtual addresses supported by the M80C286’s integrated memory management and protection mechanism.
Both modes operate at full M80C286 performance and execute a superset of the M8086 and M8088 instructions.
The M80C286 provides special operations to support the efficient implementation and execution of operating
systems. For example, one instruction can end execution of one task, save its state, switch to a new task, load
its state, and start execution of the new task. The M80C286 also supports virtual memory systems by providing
a segment-not-present exception and restartable instructions.
271103 – 1
Figure 1. M80C286 Internal Block Diagram
February 1990
Order Number: 271103-001
M80C286
addressing modes. The M80C286 processor is upward compatible with the M8086, M8088, and 80186
CPU’s and fully compatible with the HMOS M80286.
FUNCTIONAL DESCRIPTION
Introduction
The M80C286 is an advanced, high-performance microprocessor with specially optimized capabilities for
multiple user and multi-tasking systems. Depending
on the application, a 10 MHz M80C286’s performance is up to eight times faster than the standard 5
MHz M8086’s, while providing complete upward
software compatibility with Intel’s M8086, 88, and
186 family of CPU’s.
The M80C286 operates in two modes: M8086 real
address mode and protected virtual address mode.
Both modes execute a superset of the M8086 and
88 instruction set.
In M8086 real address mode programs use real addresses with up to one megabyte of address space.
Programs use virtual addresses in protected virtual
address mode, also called protected mode. In protected mode, the M80C286 CPU automatically maps
1 gigabyte of virtual addresses per task into a 16
megabyte real address space. This mode also provides memory protection to isolate the operating
system and ensure privacy of each tasks’ programs
and data. Both modes provide the same base instruction set, registers, and addressing modes.
The following Functional Description describes first,
the base M80C286 architecture common to both
modes, second, M8086 real address mode, and
third, protected mode.
M80C286 BASE ARCHITECTURE
Register Set
The M80C286 base architecture has fifteen registers
as shown in Figure 2. These registers are grouped
into the following four categories:
General Registers: Eight 16-bit general purpose
registers used to contain arithmetic and logical operands. Four of these (AX, BX, CX, and DX) can be
used either in their entirety as 16-bit words or split
into pairs of separate 8-bit registers.
Segment Registers: Four 16-bit special purpose
registers select, at any given time, the segments of
memory that are immediately addressable for code,
stack, and data. (For usage, refer to Memory Organization.)
Base and Index Registers: Four of the general purpose registers may also be used to determine offset
addresses of operands in memory. These registers
may contain base addresses or indexes to particular
locations within a segment. The addressing mode
determines the specific registers used for operand
address calculations.
Status and Control Registers: The 3 16-bit special
purpose registers in Figure 3 record or control certain aspects of the M80C286 processor state including the Instruction Pointer, which contains the offset
address of the next sequential instruction to be executed.
The M8086, 88, 186, and 286 CPU family all contain
the same basic set of registers, instructions, and
16-BIT
REGISTER
NAME
SPECIAL
REGISTER
FUNCTIONS
7
BYTE
ADDRESSABLE
(8-BIT
REGISTER
NAMES
SHOWN)
%
0
7
0
AX
AH
AL
DX
DH
DL
CX
CH
CL
BX
BH
BL
*
(
MULTIPLY/DIVIDE
I/O INSTRUCTIONS
LOOP/SHIFT/REPEAT/COUNT
15
0
CS
CODE SEGMENT SELECTOR
DS
DATA SEGMENT SELECTOR
SS
STACK SEGMENT SELECTOR
ES
EXTRA SEGMENT SELECTOR
SEGMENT REGISTERS
BASE REGISTERS
*
BP
15
SI
0
F
STATUS WORD
IP
INSTRUCTION POINTER
INDEX REGISTERS
*
DI
(
SP
15
STACK POINTER
GENERAL
REGISTERS
Figure 2. Register Set
2
STATUS AND CONTROL
REGISTERS
0
M80C286
271103 – 2
Figure 3. Status and Control Register Bit Functions
Table 1. Flags Word Bit Functions
Flags Word Description
The Flags word (Flags) records specific characteristics of the result of logical and arithmetic instructions
(bits 0, 2, 4, 6, 7, and 11) and controls the operation
of the M80C286 within a given operating mode (bits
8 and 9). Flags is a 16-bit register. The function of
the flag bits is given in Table 1.
Instruction Set
The instruction set is divided into seven categories:
data transfer, arithmetic, shift/rotate/logical, string
manipulation, control transfer, high level instructions, and processor control. These categories are
summarized in Table 2.
An M80C286 instruction can reference zero, one, or
two operands; where an operand resides in a register, in the instruction itself, or in memory. Zero-operand instructions (e.g. NOP and HLT) are usually one
byte long. One-operand instructions (e.g. INC and
DEC) are usually two bytes long but some are encoded in only one byte. One-operand instructions
may reference a register or memory location. Twooperand instructions permit the following six types of
instruction operations:
ÐRegister to Register
ÐMemory to Register
ÐImmediate to Register
ÐMemory to Memory
ÐRegister to Memory
ÐImmediate to Memory
Bit
Position
Name
0
CF
Carry FlagÐSet on high-order bit
carry or borrow; cleared otherwise
2
PF
Parity FlagÐSet if low-order 8 bits
of result contain an even number of
1-bits; cleared otherwise
4
AF
Set on carry from or borrow to the
low order four bits of AL; cleared
otherwise
6
ZF
Zero FlagÐSet if result is zero;
cleared otherwise
7
SF
Sign FlagÐSet equal to high-order
bit of result (0 if positive, 1 if negative)
11
OF
Overflow FlagÐSet if result is a toolarge positive number or a too-small
negative number (excluding sign-bit)
to fit in destination operand; cleared
otherwise
8
TF
Single Step FlagÐOnce set, a single step interrupt occurs after the
next instruction executes. TF is
cleared by the single step interrupt.
9
IF
Interrupt-enable FlagÐWhen set,
maskable interrupts will cause the
CPU to transfer control to an interrupt vector specified location.
10
DF
Direction FlagÐCauses string
instructions to auto decrement
the appropriate index registers
when set. Clearing DF causes
auto increment.
Function
3
M80C286
Two-operand instructions (e.g. MOV and ADD) are
usually three to six bytes long. Memory to memory
operations are provided by a special class of string
instructions requiring one to three bytes. For detailed instruction formats and encodings refer to the
instruction set summary at the end of this document.
For detailed operation and usage of each instruction, see Appendix B of the 80286/80287 Programmer’s Reference Manual (Order No. 210498).
Table 2. Instruction Set
GENERAL PURPOSE
ADDITION
MOV
Move byte or word
ADD
Add byte or word
PUSH
Push word onto stack
ADC
Add byte or word with carry
POP
Pop word off stack
INC
Increment byte or word by 1
PUSHA
Push all registers on stack
AAA
ASCII adjust for addition
POPA
Pop all registers from stack
DAA
Decimal adjust for addition
XCHG
Exchange byte or word
XLAT
Translate byte
SUB
Subtract byte or word
SUBTRACTION
SBB
Subtract byte or word with borrow
IN
Input byte or word
DEC
Decrement byte or word by 1
OUT
Output byte or word
NEG
Negate byte or word
CMP
Compare byte or word
ASCII adjust for subtraction
INPUT/OUTPUT
ADDRESS OBJECT
LEA
Load effective address
AAS
LDS
Load pointer using DS
DAS
LES
Load pointer using ES
Decimal adjust for subtraction
MULTIPLICATION
MUL
Multiple byte or word unsigned
LAHF
Load AH register from flags
IMUL
Integer multiply byte or word
SAHF
Store AH register in flags
AAM
ASCII adjust for multiply
PUSHF
Push flags onto stack
POPF
Pop flags off stack
DIV
Divide byte or word unsigned
IDIV
Integer divide byte or word
AAD
ASCII adjust for division
Convert byte to word
FLAG TRANSFER
Data Transfer Instructions
DIVISION
MOVS
Move byte or word string
CBW
INS
Input bytes or word string
CWD
OUTS
Output bytes or word string
CMPS
Compare byte or word string
SCAS
Scan byte or word string
LODS
Load byte or word string
NOT
‘‘Not’’ byte or word
STOS
Store byte or word string
AND
‘‘And’’ byte or word
REP
Repeat
OR
‘‘Inclusive or’’ byte or word
REPE/REPZ
Repeat while equal/zero
XOR
‘‘Exclusive or’’ byte or word
REPNE/REPNZ
Repeat while not equal/not zero
TEST
‘‘Test’’ byte or word
SHL/SAL
Shift logical/arithmetic left byte or word
SHR
Shift logical right byte or word
SAR
Shift arithmetic right byte or word
ROL
Rotate left byte or word
ROR
Rotate right byte or word
RCL
Rotate through carry left byte or word
RCR
Rotate through carry right byte or word
Convert word to doubleword
Arithmetic Instructions
LOGICALS
SHIFTS
String Instructions
ROTATES
Shift/Rotate Logical Instructions
4
M80C286
Table 2. Instruction Set (Continued)
CONDITIONAL TRANSFERS
FLAG OPERATIONS
JA/JNBE
Jump if above/not below nor equal
STC
Set carry flag
JAE/JNB
Jump if above or equal/not below
CLC
Clear carry flag
JB/JNAE
Jump if below/not above nor equal
CMC
Complement carry flag
JBE/JNA
Jump if below or equal/not above
STD
Set direction flag
JC
Jump if carry
CLD
Clear direction flag
JE/JZ
Jump if equal/zero
STI
Set interrupt enable flag
JG/JNLE
Jump if greater/not less nor equal
CLI
JGE/JNL
Jump if greater or equal/not less
JL/JNGE
Jump if less/not greater nor equal
HLT
Halt until interrupt or reset
JLE/JNG
Jump if less or equal/not greater
WAIT
Wait for BUSY not active
JNC
Jump if not carry
ESC
Escape to extension processor
JNE/JNZ
Jump if not equal/not zero
LOCK
JNO
Jump if not overflow
JNP/JPO
Jump if not parity/parity odd
JNS
Jump if not sign
JO
Jump if overflow
LMSW
JP/JPE
Jump if parity/parity even
SMSW
JS
Jump if sign
Clear interrupt enable flag
EXTERNAL SYNCHRONIZATION
Lock bus during next instruction
NO OPERATION
NOP
No operation
EXECUTION ENVIRONMENT CONTROL
Load machine status word
Store machine status word
Process Control Instructions
UNCONDITIONAL TRANSFERS
CALL
Call procedure
ENTER
Format stack for procedure entry
RET
Return from procedure
LEAVE
Restore stack for procedure exit
JMP
Jump
BOUND
Detects values outside
prescribed range
ITERATION CONTROLS
LOOP
Loop
LOOPE/LOOPZ
Loop if equal/zero
LOOPNE/LOOPNZ
Loop if not equal/not zero
JCXZ
High Level Instructions
Jump if register CX e 0
INTERRUPTS
INT
Interrupt
INTO
Interrupt if overflow
IRET
Interrupt return
Program Transfer Instructions
Memory Organization
Memory is organized as sets of variable length segments. Each segment is a linear contiguous sequence of up to 64K (216) 8-bit bytes. Memory is
addressed using a two component address (a pointer) that consists of a 16-bit segment selector, and a
16-bit offset, see Figure 4. The segment selector indicates the desired segment in memory. The offset
component indicates the desired byte address within
the segment.
271103 – 3
Figure 4. Two Component Address
5
M80C286
Table 3. Segment Register Selection Rules
Memory
Reference Needed
Segment Register
Used
Implicit Segment
Selection Rule
Instructions
Code (CS)
Automatic with instruction prefetch
Stack
Stack (SS)
All stack pushes and pops. Any memory reference which uses BP
as a base register.
Local Data
Data (DS)
All data references except when relative to stack or
string destination
External (Global) Data
Extra (ES)
Alternate data segment and destination of string operation
All instructions that address operands in memory
must specify the segment and the offset. For speed
and compact instruction encoding, segment selectors are usually stored in the high speed segment
registers. An instruction need specify only the desired segment register and an offset in order to address a memory operand.
Most instructions need not explicitly specify which
segment register is used. The correct segment register is automatically chosen according to the rules
of Table 3. These rules follow the way programs are
written (see Figure 5) as independent modules that
require areas for code and data, a stack, and access
to external data areas.
Special segment override instruction prefixes allow
the implicit segment register selection rules to be
overridden for special cases. The stack, data, and
extra segments may coincide for simple programs.
To access operands not residing in one of the four
immediately available segments, a full 32-bit pointer
or a new segment selector must be loaded.
Addressing Modes
The M80C286 provides a total of eight addressing
modes for instructions to specify operands. Two addressing modes are provided for instructions that
operate on register or immediate operands:
Register Operand Mode: The operand is located in one of the 8 or 16-bit general registers.
Immediate Operand Mode: The operand is included in the instruction.
Six modes are provided to specify the location of an
operand in a memory segment. A memory operand
address consists of two 16-bit components: segment selector and offset. The segment selector is
supplied by a segment register either implicitly chosen by the addressing mode or explicitly chosen by
a segment override prefix. The offset is calculated
by summing any combination of the following three
address elements:
the displacement (an 8 or 16-bit immediate value contained in the instruction)
the base (contents of either the BX or BP base
registers)
6
271103 – 4
Figure 5. Segmented Memory Helps
Structure Software
the index (contents of either the SI or DI index
registers)
Any carry out from the 16-bit addition is ignored.
Eight-bit displacements are sign extended to 16-bit
values.
Combinations of these three address elements define the six memory addressing modes, described
below.
Direct Mode: The operand’s offset is contained in
the instruction as an 8 or 16-bit displacement element.
Register Indirect Mode: The operand’s offset is in
one of the registers SI, DI, BX, or BP.
Based Mode: The operand’s offset is the sum of an
8 or 16-bit displacement and the contents of a base
register (BX or BP).
M80C286
Indexed Mode: The operand’s offset is the sum of
an 8 or 16-bit displacement and the contents of an
index register (SI or DI).
Based Indexed Mode: The operand’s offset is the
sum of the contents of a base register and an index
register.
either an 8-bit port address, specified in the instruction, or a 16-bit port address in the DX register. 8-bit
port addresses are zero extended such that A15 –A8
are LOW. I/O port addresses 00F8(H) through
00FF(H) are reserved.
Based Indexed Mode with Displacement: The operand’s offset is the sum of a base register’s contents, an index register’s contents, and an 8 or 16-bit
displacement.
Data Types
The M80C286 directly supports the following data
types:
Integer:
A signed binary numeric value contained in an 8-bit byte or a 16-bit
word. All operations assume a 2’s
complement representation. Signed
32 and 64-bit integers are supported
using the Numeric Data Processor,
the M80C287.
Ordinal:
An unsigned binary numeric value
contained in an 8-bit byte or 16-bit
word.
Pointer:
A 32-bit quantity, composed of a
segment selector component and an
offset component. Each component
is a 16-bit word.
String:
A contiguous sequence of bytes or
words. A string may contain from 1
byte to 64K bytes.
ASCII:
A byte representation of alphanumeric and control characters using
the ASCII standard of character representation.
BCD:
A byte (unpacked) representation of
the decimal digits 0–9.
Packed BCD: A byte (packed) representation of
two decimal digits 0–9 storing one
digit in each nibble of the byte.
Floating Point: A signed 32, 64, or 80-bit real number representation. (Floating point
operands are supported using the
M80C287 Numeric Processor).
Figure 6 graphically represents the data types supported by the M80C286.
271103 – 5
Figure 6. M80C286 Supported Data Types
I/O Space
The I/O space consists of 64K 8-bit or 32K 16-bit
ports. I/O instructions address the I/O space with
7
M80C286
Table 4. Interrupt Vector Assignments
Function
Interrupt
Number
Related
Instructions
Divide error exception
0
DIV, IDIV
Single step interrupt
1
All
NMI interrupt
2
INT 2 or NMI pin
Breakpoint interrupt
3
INT 3
Does Return Address
Point to Instruction
Causing Exception?
Yes
INTO detected overflow exception
4
INTO
No
BOUND range exceeded exception
5
BOUND
Yes
Invalid opcode exception
6
Any undefined opcode
Yes
Processor extension not available exception
7
ESC or WAIT
Yes
Intel reserved–do not use
Processor extension error interrupt
8-15
16
Intel reserved–do not use
17-31
User defined
32-255
Interrupts
An interrupt transfers execution to a new program
location. The old program address (CS:IP) and machine state (Flags) are saved on the stack to allow
resumption of the interrupted program. Interrupts fall
into three classes: hardware initiated, INT instructions, and instruction exceptions. Hardware initiated
interrupts occur in response to an external input and
are classified as non-maskable or maskable. Programs may cause an interrupt with an INT instruction. Instruction exceptions occur when an unusual
condition, which prevents further instruction processing, is detected while attempting to execute an
instruction. The return address from an exception
will always point at the instruction causing the exception and include any leading instruction prefixes.
A table containing up to 256 pointers defines the
proper interrupt service routine for each interrupt. Interrupts 0–31, some of which are used for instruction exceptions, are reserved. For each interrupt, an
8-bit vector must be supplied to the M80C286 which
identifies the appropriate table entry. Exceptions
supply the interrupt vector internally. INT instructions
contain or imply the vector and allow access to all
256 interrupts. The Interrupt Vector Assignments are
listed in Table 4. Maskable hardware initiated interrupts supply the 8-bit vector to the CPU during an
interrupt acknowledge bus sequence. Non-maskable hardware interrupts use a predefined internally
supplied vector.
MASKABLE INTERRUPT (INTR)
The M80C286 provides a maskable hardware interrupt request pin, INTR. Software enables this input
8
ESC or WAIT
by setting the interrupt flag bit (IF) in the flag word.
All 224 user-defined interrupt sources can share this
input, yet they can retain separate interrupt handlers. An 8-bit vector read by the CPU during the
interrupt acknowledge sequence (discussed in System Interface section) identifies the source of the
interrupt.
Further maskable interrupts are disabled while servicing an interrupt by resetting the IF but as part of
the response to an interrupt or exception. The saved
flag word will reflect the enable status of the processor prior to the interrupt. Until the flag word is restored to the flag register, the interrupt flag will be
zero unless specifically set. The interrupt return instruction includes restoring the flag word, thereby
restoring the original status of IF.
NON-MASKABLE INTERRUPT REQUEST (NMI)
A non-maskable interrupt input (NMI) is also provided. NMI has higher priority than INTR. A typical use
of NMI would be to activate a power failure routine.
The activation of this input causes an interrupt with
an internally supplied vector value of 2. No external
interrupt acknowledge sequence is performed.
While executing the NMI servicing procedure, the
M80C286 will service neither further NMI requests,
INTR requests, nor the processor extension segment overrun interrupt until an interrupt return (IRET)
instruction is executed or the CPU is reset. If NMI
occurs while currently servicing an NMI, its presence
will be saved for servicing after executing the first
IRET instruction. IF is cleared at the beginning of an
NMI interrupt to inhibit INTR interrupts.
M80C286
Table 6. M80C286 Initial Register State after RESET
SINGLE STEP INTERRUPT
The M80C286 has an internal interrupt that allows
programs to execute one instruction at a time. It is
called the single step interrupt and is controlled by
the single step flag bit (TF) in the flag word. Once
this bit is set, an internal single step interrupt will
occur after the next instruction has been executed.
The interrupt clears the TF bit and uses an internally
supplied vector of 1. The IRET instruction is used to
set the TF bit and transfer control to the next instruction to be single stepped.
0002(H)
FFF0(H)
FFF0(H)
F000(H)
0000(H)
0000(H)
0000(H)
HOLD must not be active during the time from the
leading edge of RESET to 34 CLKs after the trailing
edge of RESET.
Machine Status Word Description
Interrupt Priorities
When simultaneous interrupt requests occur, they
are processed in a fixed order as shown in Table 5.
Interrupt processing involves saving the flags, return
address, and setting CS:IP to point at the first instruction of the interrupt handler. If other interrupts
remain enabled they are processed before the first
instruction of the current interrupt handler is executed. The last interrupt processed is therefore the first
one serviced.
Table 5. Interrupt Processing Order
Order
Flag word
Machine Status Word
Instruction pointer
Code segment
Data segment
Extra segment
Stack segment
The machine status word (MSW) records when a
task switch takes place and controls the operating
mode of the M80C286. It is a 16-bit register of which
the lower four bits are used. One bit places the CPU
into protected mode, while the other three bits, as
shown in Table 7, control the processor extension
interface. After RESET, this register contains
FFF0(H) which places the M80C286 in M8086 real
address mode.
Table 7. MSW Bit Functions
Bit
Name
Position
Interrupt
1
Instruction exception
2
Single step
3
NMI
4
Processor extension segment overrun
5
INTR
6
INT instruction
0
PE
Protected mode enable places the
M80C286 into protected mode and
cannot be cleared except by RESET.
1
MP
Monitor processor extension allows
WAIT instructions to cause a processor
extension not present exception
(number 7).
2
EM
Emulate processor extension causes a
processor extension not present
exception (number 7) on ESC
instructions to allow emulating a
processor extension.
3
TS
Task switched indicates the next
instruction using a processor extension
will cause exception 7, allowing software
to test whether the current processor
extension context belongs to the current
task.
Initialization and Processor Reset
Processor initialization or start up is accomplished
by driving the RESET input pin HIGH. RESET forces
the M80C286 to terminate all execution and local
bus activity. No instruction or bus activity will occur
as long as RESET is active. After RESET becomes
inactive and an internal processing interval elapses,
the M80C286 begins execution in real address
mode with the instruction at physical location
FFFFF0(H). RESET also sets some registers to predefined values as shown in Table 6.
Function
The LMSW and SMSW instructions can load and
store the MSW in real address mode. The recommended use of TS, EM, and MP is shown in Table 8.
Table 8. Recommended MSW Encodings For Processor Extension Control
Recommended Use
Instructions
Causing
Exception 7
TS
MP
EM
0
0
0
Initial encoding after RESET. M80C286 operation is identical to M8086, 88.
None
0
0
1
No processor extension is available. Software will emulate its function.
ESC
1
0
1
No processor extension is available. Software will emulate its function. The current
processor extension context may belong to another task.
ESC
0
1
0
A processor extension exists.
None
1
1
0
A processor extension exists. The current processor extension context may belong to
another task. The Exception 7 on WAIT allows software to test for an error pending
from a previous processor extension operation.
ESC or
WAIT
9
M80C286
Halt
The HLT instruction stops program execution and
prevents the CPU from using the local bus until restarted. Either NMI, INTR with IF e 1, or RESET will
force the M80C286 out of halt. If interrupted, the
saved CS:IP will point to the next instruction after
the HLT.
zation area and interrupt table area. Locations from
addresses FFFF0(H) through FFFFF(H) are reserved for system initialization. Initial execution begins at location FFFF0(H). Locations 00000(H)
through 003FF(H) are reserved for interrupt vectors.
M8086 REAL ADDRESS MODE
The M80C286 executes a fully upward-compatible
superset of the M8086 instruction set in real address
mode. In real address mode the M80C286 is object
code compatible with M8086 and M8088 software.
The real address mode architecture (registers and
addressing modes) is exactly as described in the
M80C286 Base Architecture section of this Functional Description.
Memory Size
Physical memory is a contiguous array of up to
1,048,576 bytes (one megabyte) addressed by pins
A0 through A19 and BHE. A20 through A23 should be
ignored.
Memory Addressing
In real address mode physical memory is a contiguous array of up to 1,048,576 bytes (one megabyte)
addressed by pins A0 through A19 and BHE. Address bits A20 –A23 may not always be zero in real
mode. A20 –A23 should not be used by the system
while the M80C286 is operating in Real Mode.
271103 – 6
Figure 7. M8086 Real Address Mode
Address Calculation
The selector portion of a pointer is interpreted as the
upper 16 bits of a 20-bit segment address. The lower
four bits of the 20-bit segment address are always
zero. Segment addresses, therefore, begin on multiples of 16 bytes. See Figure 7 for a graphic representation of address information.
All segments in real address mode are 64K bytes in
size and may be read, written, or executed. An exception or interrupt can occur if data operands or
instructions attempt to wrap around the end of a
segment (e.g. a word with its low order byte at offset
FFFF(H) and its high order byte at offset 0000(H). If,
in real address mode, the information contained in a
segment does not use the full 64K bytes, the unused
end of the segment may be overlayed by another
segment to reduce physical memory requirements.
Reserved Memory Locations
The M80C286 reserves two fixed areas of memory
in real address mode (see Figure 8); system initiali10
271103 – 7
Figure 8. M8086 Real Address Mode Initially
Reserved Memory Locations
M80C286
Table 9. Real Address Mode Addressing Interrupts
Function
Interrupt
Number
Related
Instructions
Interrupt table limit too small exception
8
INT vector is not within table limit
Yes
Processor extension segment overrun
interrupt
9
ESC with memory operand extending beyond offset FFFF(H)
No
Segment overrun exception
13
Word memory reference with offset
e FFFF(H) or an attempt to execute past the end of a segment
Yes
Interrupts
Table 9 shows the interrupt vectors reserved for exceptions and interrupts which indicate an addressing
error. The exceptions leave the CPU in the state existing before attempting to execute the failing instruction (except for PUSH, POP, PUSHA, or POPA).
Refer to the next section on protected mode initialization for a discussion on exception 8.
Protected Mode Initialization
To prepare the M80C286 for protected mode, the
LIDT instruction is used to load the 24-bit interrupt
table base and 16-bit limit for the protected mode
interrupt table. This instruction can also set a base
and limit for the interrupt vector table in real address
mode. After reset, the interrupt table base is initialized to 000000(H) and its size set to 03FF(H). These
values are compatible with M8086, 88 software.
LIDT should only be executed in preparation for protected mode.
Shutdown
Shutdown occurs when a severe error is detected
that prevents further instruction processing by the
CPU. Shutdown and halt are externally signalled via
a halt bus operation. They can be distinguished by
A1 HIGH for halt and A1 LOW for shutdown. In real
address mode, shutdown can occur under two conditions:
# Exceptions 8 or 13 happen and the IDT limit does
not include the interrupt vector.
# A CALL INT or PUSH instruction attempts to wrap
Return Address
Before Instruction?
PROTECTED VIRTUAL ADDRESS
MODE
The M80C286 executes a fully upward-compatible
superset of the M8086 instruction set in protected
virtual address mode (protected mode). Protected
mode also provides memory management and protection mechanisms and associated instructions.
The M80C286 enters protected virtual address
mode from real address mode by setting the PE
(Protection Enable) bit of the machine status word
with the Load Machine Status Word (LMSW) instruction. Protected mode offers extended physical and
virtual memory address space, memory protection
mechanisms, and new operations to support operating systems and virtual memory.
All registers, instructions, and addressing modes described in the M80C286 Base Architecture section
of this Functional Description remain the same. Programs for the M8086, 88, 186, and real address
mode M80C286 can be run in protected mode; however, embedded constants for segment selectors
are different.
Memory Size
The protected mode M80C286 provides a 1 gigabyte
virtual address space per task mapped into a 16
megabyte physical address space defined by the address pin A23– A0 and BHE. The virtual address
space may be larger than the physical address
space since any use of an address that does not
map to a physical memory location will cause a restartable exception.
around the stack segment when SP is not even.
Memory Addressing
An NMI input can bring the CPU out of shutdown if
the IDT limit is at least 000F(H) and SP is greater
than 0005(H), otherwise shutdown can only be exited via the RESET input.
As in real address mode, protected mode uses 32bit pointers, consisting of 16-bit selector and offset
components. The selector, however, specifies an index into a memory resident table rather than the upper 16-bits of a real memory address. The 24-bit
base address of the desired segment is obtained
11
M80C286
from the tables in memory. The 16-bit offset is added to the segment base address to form the physical
address as shown in Figure 10. The tables are automatically referenced by the CPU whenever a segment register is loaded with a selector. All M80C286
instructions which load a segment register will reference the memory based tables without additional
software. The memory based tables contain 8 byte
values called descriptors.
of control and task switching. The M80C286 has
segment descriptors for code, stack and data segments, and system control descriptors for special
system data segments and control transfer operations, see Figure 10. Descriptor accesses are performed as locked bus operations to assure descriptor integrity in multi-processor systems.
CODE AND DATA SEGMENT DESCRIPTORS
(S e 1)
Besides segment base addresses, code and data
descriptors contain other segment attributes including segment size (1 to 64K bytes), access rights
(read only, read/write, execute only, and execute/
read), and presence in memory (for virtual memory
systems) (See Figure 11). Any segment usage violating a segment attribute indicated by the segment
descriptor will prevent the memory cycle and cause
an exception or interrupt.
271103 – 8
271103 – 9
*Must be set to 0 for compatibility with 80386.
Figure 9. Protected Mode Memory Addressing
Figure 10. Code or Data Segment Descriptor
DESCRIPTORS
Descriptors define the use of memory. Special types
of descriptors also define new functions for transfer
Access Rights Byte Definition
Bit
Position
7
Present (P)
6–5
Descriptor Privilege
Level (DPL)
Segment Descriptor (S)
Function
Pe1
Pe0
Segment is mapped into physical memory.
No mapping to physical memory exits, base and limit are
not used.
Segment privilege attribute used in privilege tests.
Se1
Se0
Code or Data (includes stacks) segment descriptor
System Segment Descriptor or Gate Descriptor
1
Executable (E)
Expansion Direction (ED)
Writeable (W)
Ee0
ED e 0
ED e 1
We0
We1
Data segment descriptor type is:
Expand up segment, offsets must be s limit.
Expand down segment, offsets must be l limit.
Data segment may not be written into.
Data segment may be written into.
3
2
Executable (E)
Conforming (C)
Ee1
Ce1
1
Readable (R)
R e0
Re1
Code Segment Descriptor type is:
Code segment may only be executed
when CPL tDPL and CPL
remains unchanged.
Code segment may not be read
Code segment may be read.
0
Accessed (A)
Ae0
Ae1
4
3
2
Type
Field
Definition
Name
*
If
Code
Segment
(S e 1,
E e 1)
Segment has not been accessed.
Segment selector has been loaded into segment register
or used by selector test instructions.
Figure 11. Code and Data Segment Descriptor Formats
12
*
If
Data
Segment
(S e 1,
E e 0)
M80C286
Code and data (including stack data) are stored in
two types of segments: code segments and data
segments. Both types are identified and defined by
segment descriptors (S e 1). Code segments are
identified by the executable (E) bit set to 1 in the
descriptor access rights byte. The access rights byte
of both code and data segment descriptor types
have three fields in common: present (P) bit, Descriptor Privilege Level (DPL), and accessed (A) bit.
If P e 0, any attempted use of this segment will
cause a not-present exception. DPL specifies the
privilege level of the segment descriptor. DPL controls when the descriptor may be used by a task
(refer to privilege discussion below). The A bit shows
whether the segment has been previously accessed
for usage profiling, a necessity for virtual memory
systems. The CPU will always set this bit when accessing the descriptor.
only used in Task State Segment descriptors and
indicates the privilege level at which the descriptor
may be used (see Privilege). Since the Local Descriptor Table descriptor may only be used by a special privileged instruction, the DPL field is not used.
Bit 4 of the access byte is 0 to indicate that it is a
system control descriptor. The type field specifies
the descriptor type as indicated in Figure 12.
System Segment Descriptor
271103 – 10
*Must be set to 0 for compatibility with 80386.
Data segments (S e 1, E e 0) may be either readonly or read-write as controlled by the W bit of the
access rights byte. Read-only (W e 0) data segments may not be written into. Data segments may
grow in two directions, as determined by the Expansion Direction (ED) bit: upwards (ED e 0) for data
segments, and downwards (ED e 1) for a segment
containing a stack. The limit field for a data segment
descriptor is interpreted differently depending on the
ED bit (see Figure 11).
A code segment (S e 1, E e 1) may be executeonly or execute/read as determined by the Readable (R) bit. Code segments may never be written
into and execute-only code segments (R e 0) may
not be read. A code segment may also have an attribute called conforming (C). A conforming code segment may be shared by programs that execute at
different privilege levels. The DPL of a conforming
code segment defines the range of privilege levels
at which the segment may be executed (refer to privilege discussion below). The limit field identifies the
last byte of a code segment.
SYSTEM SEGMENT DESCRIPTORS (S e 0,
TYPE e 1 –3)
In addition to code and data segment descriptors,
the protected mode M80C286 defines System Segment Descriptors. These descriptors define special
system data segments which contain a table of descriptors (Local Descriptor Table Descriptor) or segments which contain the execution state of a task
(Task State Segment Descriptor).
Figure 12 gives the formats for the special system
data segment descriptors. The descriptors contain a
24-bit base address of the segment and a 16-bit limit. The access byte defines the type of descriptor, its
state and privilege level. The descriptor contents are
valid and the segment is in physical memory if P e 1.
If P e 0, the segment is not valid. The DPL field is
System Segment Descriptor Fields
Name
Value
Description
TYPE
1
2
3
Available Task State Segment (TSS)
Local Descriptor Table
Busy Task State Segment (TSS)
P
0
1
Descriptor contents are not valid
Descriptor contents are valid
DPL
0–3
BASE
24-bit
number
Descriptor Privilege Level
Base Address of special system data
segment in real memory
LIMIT
16-bit
number
Offset of last byte in segment
Figure 12. System Segment Descriptor Format
GATE DESCRIPTORS (S e 0, TYPE e 4–7)
Gates are used to control access to entry points
within the target code segment. The gate descriptors are call gates, task gates, interrupt gates and
trap gates. Gates provide a level of indirection between the source and destination of the control
transfer. This indirection allows the CPU to automatically perform protection checks and control entry
point of the destination. Call gates are used to
change privilege levels (see Privilege), task gates
are used to perform a task switch, and interrupt and
trap gates are used to specify interrupt service routines. The interrupt gate disables interrupts (resets
IF) while the trap gate does not.
Figure 13 shows the format of the gate descriptors.
The descriptor contains a destination pointer that
points to the descriptor of the target segment and
the entry point offset. The destination selector in an
interrupt gate, trap gate, and call gate must refer to a
code segment descriptor. These gate descriptors
contain the entry point to prevent a program from
constructing and using an illegal entry point. Task
gates may only refer to a task state segment. Since
task gates invoke a task switch, the destination offset is not used in the task gate.
13
M80C286
Gate Descriptor
271103 – 11
*Must be set to 0 for compatibility with 80386 (X is don’t care)
Gate Descriptor Fields
Name
Value
TYPE
4
5
6
7
–Call Gate
–Task Gate
–Interrupt Gate
–Trap Gate
P
0
–Descriptor Contents are not
valid
–Descriptor Contents are
valid
1
DPL
WORD
COUNT
Description
0–3
Descriptor Privilege Level
0– 31
Number of words to copy
from callers stack to called
procedures stack. Only used
with call gate.
DESTINATION
SELECTOR
16-bit
selector
Selector to the target code
segment (Call, Interrupt or
Trap Gate)
Selector to the target task
state segment (Task Gate)
DESTINATION
OFFSET
16-bit
offset
Entry point within the target
code segment
causes exception 11 if referenced. DPL is the descriptor privilege level and specifies when this descriptor may be used by a task (refer to privilege
discussion below). Bit 4 must equal 0 to indicate a
system control descriptor. The TYPE field specifies
the descriptor type as indicated in Figure 13.
SEGMENT DESCRIPTOR CACHE REGISTERS
A segment descriptor cache register is assigned to
each of the four segment registers (CS, SS, DS, ES).
Segment descriptors are automatically loaded
(cached) into a segment descriptor cache register
(Figure 14) whenever the associated segment register is loaded with a selector. Only segment descriptors may be loaded into segment descriptor cache
registers. Once loaded, all references to that segment of memory use the cached descriptor information instead of reaccessing the descriptor. The descriptor cache registers are not visible to programs.
No instructions exist to store their contents. They
only change when a segment register is loaded.
SELECTOR FIELDS
A protected mode selector has three fields: descriptor entry index, local or global descriptor table indicator (TI), and selector privilege (RPL) as shown in
Figure 15. These fields select one of two memory
based tables of descriptors, select the appropriate
table entry and allow highspeed testing of the selector’s privilege attribute (refer to privilege discussion
below).
Figure 13. Gate Descriptor Format
Exception 13 is generated when the gate is used if a
destination selector does not refer to the correct descriptor type. The word count field is used in the call
gate descriptor to indicate the number of parameters
(0–31 words) to be automatically copied from the
caller’s stack to the stack of the called routine when
a control transfer changes privilege levels. The word
count field is not used by any other gate descriptor.
The access byte format is the same for all gate descriptors. P e 1 indicates that the gate contents are
valid. P e 0 indicates the contents are not valid and
271103 – 12
Figure 15. Selector Fields
271103 – 13
Figure 14. Descriptor Cache Registers
14
M80C286
LOCAL AND GLOBAL DESCRIPTOR TABLES
Two tables of descriptors, called descriptor tables,
contain all descriptors accessible by a task at any
given time. A descriptor table is a linear array of up
to 8192 descriptors. The upper 13 bits of the selector value are an index into a descriptor table. Each
table has a 24-bit base register to locate the descriptor table in physical memory and a 16-bit limit register that confine descriptor access to the defined limits of the table as shown in Figure 16. A restartable
exception (13) will occur if an attempt is made to
reference a descriptor outside the table limits.
One table, called the Global Descriptor table (GDT),
contains descriptors available to all tasks. The other
table, called the Local Descriptor Table (LDT), contains descriptors that can be private to a task. Each
task may have its own private LDT. The GDT may
contain all descriptor types except interrupt and trap
descriptors. The LDT may contain only segment,
task gate, and call gate descriptors. A segment cannot be accessed by a task if its segment descriptor
does not exist in either descriptor table at the time of
access.
The LDT instruction loads a selector which refers to
a Local Descriptor Table descriptor containing the
base address and limit for an LDT, as shown in Figure 16.
271103 – 15
*Must be set to 0 for compatibility with 80386.
Figure 17. Global Descriptor Table and
Interrupt Descriptor Table Data Type
INTERRUPT DESCRIPTOR TABLE
The protected mode M80C286 has a third descriptor
table, called the Interrupt Descriptor Table (IDT)
(see Figure 18), used to define up to 256 interrupts.
It may contain only task gates, interrupt gates and
trap gates. The IDT (Interrupt Descriptor Table) has
a 24-bit physical base and 16-bit limit register in the
CPU. The privileged LIDT instruction loads these
registers with a six byte value of identical form to
that of the LGDT instruction (see Figure 17 and Protected Mode Initialization).
271103 – 16
Figure 18. Interrupt Descriptor Table Definition
271103 – 14
Figure 16. Local and Global
Descriptor Table Definition
The LGDT and LLDT instructions load the base and
limit of the global and local descriptor tables. LGDT
and LLDT are privileged, i.e. they may only be executed by trusted programs operating at level 0. The
LGDT instruction loads a six byte field containing the
16-bit table limit and 24-bit physical base address of
the Global Descriptor Table as shown in Figure 17.
References to IDT entries are made via INT instructions, external interrupt vectors, or exceptions. The
IDT must be at least 256 bytes in size to allocate
space for all reserved interrupts.
Privilege
The M80C286 has a four-level hierarchical privilege
system which controls the use of privileged instructions and access to descriptors (and their associated segments) within a task. Four-level privilege, as
shown in Figure 19, is an extension of the user/supervisor mode commonly found in minicomputers.
The privilege levels are numbered 0 through 3.
15
M80C286
byte. DPL specifies the least trusted task privilege
level (CPL) at which a task may access the descriptor. Descriptors with DPL e 0 are the most protected. Only tasks executing at privilege level 0
(CPL e 0) may access them. Descriptors with DPL
e 3 are the least protected (i.e. have the least restricted access) since tasks can access them when
CPL e 0, 1, 2, or 3. This rule applies to all descriptors, except LDT descriptors.
SELECTOR PRIVILEGE
271103 – 17
Figure 19. Privilege Levels
Level 0 is the most privileged level. Privilege levels
provide protection within a task. (Tasks are isolated
by providing private LDT’s for each task.) Operating
system routines, interrupt handlers, and other system software can be included and protected within
the virtual address space of each task using the four
levels of privilege. Each task in the system has a
separate stack for each of its privilege levels.
Tasks, descriptors, and selectors have a privilege
level attribute that determines whether the descriptor may be used. Task privilege effects the use of
instructions and descriptors. Descriptor and selector
privilege only effect access to the descriptor.
TASK PRIVILEGE
A task always executes at one of the four privilege
levels. The task privilege level at any specific instant
is called the Current Privilege Level (CPL) and is defined by the lower two bits of the CS register. CPL
cannot change during execution in a single code
segment. A task’s CPL may only be changed by control transfers through gate descriptors to a new code
segment (See Control Transfer). Tasks begin executing at the CPL value specified by the code segment selector within TSS when the task is initiated
via a task switch operation (See Figure 20). A task
executing at Level 0 can access all data segments
defined in the GDT and the task’s LDT and is considered the most trusted level. A task executing a
Level 3 has the most restricted access to data and is
considered the least trusted level.
DESCRIPTOR PRIVILEGE
Descriptor privilege is specified by the Descriptor
Privilege Level (DPL) field of the descriptor access
16
Selector privilege is specified by the Requested Privilege Level (RPL) field in the least significant two bits
of a selector. Selector RPL may establish a less
trusted privilege level than the current privilege level
for the use of a selector. This level is called the
task’s effective privilege level (EPL). RPL can only
reduce the scope of a task’s access to data with this
selector. A task’s effective privilege is the numeric
maximum of RPL and CPL. A selector with RPL e 0
imposes no additional restriction on its use while a
selector with RPL e 3 can only refer to segments at
privilege Level 3 regardless of the task’s CPL. RPL
is generally used to verify that pointer parameters
passed to a more trusted procedure are not allowed
to use data at a more privileged level than the caller
(refer to pointer testing instructions).
Descriptor Access and Privilege
Validation
Determining the ability of a task to access a segment involves the type of segment to be accessed,
the instruction used, the type of descriptor used and
CPL, RPL, and DPL. The two basic types of segment
accesses are control transfer (selectors loaded into
CS) and data (selectors loaded into DS, ES or SS).
DATA SEGMENT ACCESS
Instructions that load selectors into DS and ES must
refer to a data segment descriptor or readable code
segment descriptor. The CPL of the task and the
RPL of the selector must be the same as or more
privileged (numerically equal to or lower than) than
the descriptor DPL. In general, a task can only access data segments at the same or less privileged
levels than the CPL or RPL (whichever is numerically
higher) to prevent a program from accessing data it
cannot be trusted to use.
An exception to the rule is a readable conforming
code segment. This type of code segment can be
read from any privilege level.
If the privilege checks fail (e.g. DPL is numerically
less than the maximum of CPL and RPL) or an incorrect type of descriptor is referenced (e.g. gate de-
M80C286
scriptor or execute only code segment) exception 13
occurs. If the segment is not present, exception 11
is generated.
Instructions that load selectors into SS must refer to
data segment descriptors for writable data segments. The descriptor privilege (DPL) and RPL must
equal CPL. All other descriptor types or a privilege
level violation will cause exception 13. A not present
fault causes exception 12.
CONTROL TRANSFER
Four types of control transfer can occur when a selector is loaded into CS by a control transfer operation (see Table 10). Each transfer type can only occur if the operation which loaded the selector references the correct descriptor type. Any violation of
these descriptor usage rules (e.g. JMP through a call
gate or RET to a Task State Segment) will cause
exception 13.
The ability to reference a descriptor for control transfer is also subject to rules of privilege. A CALL or
JUMP instruction may only reference a code segment descriptor with DPL equal to the task CPL or a
conforming segment with DPL of equal or greater
privilege than CPL. The RPL of the selector used to
reference the code descriptor must have as much
privilege as CPL.
RET and IRET instructions may only reference code
segment descriptors with descriptor privilege equal
to or less privileged than the task CPL. The selector
loaded into CS is the return address from the stack.
After the return, the selector RPL is the task’s new
CPL. If CPL changes, the old stack pointer is popped
after the return address.
When a JMP or CALL references a Task State Segment descriptor, the descriptor DPL must be the
same or less privileged than the task’s CPL. Refer-
ence to a valid Task State Segment descriptor causes a task switch (see Task Switch Operation). Reference to a Task State Segment descriptor at a more
privileged level than the task’s CPL generates exception 13.
When an instruction or interrupt references a gate
descriptor, the gate DPL must have the same or less
privilege than the task CPL. If DPL is at a more privileged level than CPL, exeception 13 occurs. If the
destination selector contained in the gate references a code segment descriptor, the code segment descriptor DPL must be the same or more privileged than the task CPL. If not, Exception 13 is issued. After the control transfer, the code segment
descriptors DPL is the task’s new CPL. If the destination selector in the gate references a task state
segment, a task switch is automatically performed
(see Task Switch Operation).
The privilege rules on control transfer require:
Ð JMP or CALL direct to a code segment (code
segment descriptor) can only be to a conforming
segment with DPL of equal or greater privilege
than CPL or a non-conforming segment at the
same privilege level.
Ð interrupts within the task or calls that may
change privilege levels, can only transfer control
through a gate at the same or a less privileged
level than CPL to a code segment at the same or
more privileged level than CPL.
Ð return instructions that don’t switch tasks can
only return control to a code segment at the
same or less privileged level.
Ð task switch can be performed by a call, jump or
interrupt which references either a task gate or
task state segment at the same or less privileged
level.
Table 10. Descriptor Types Used for Control Transfer
Operation Types
Descriptor
Referenced
Descriptor
Table
Intersegment within the same privilege level
JMP, CALL, RET, IRET*
Code Segment
GDT/LDT
Intersegment to the same or higher privilege level Interrupt
within task may change CPL.
CALL
Call Gate
GDT/LDT
Interrupt Instruction,
Exception, External
Interrupt
Trap or
Interrupt
Gate
IDT
Control Transfer Types
Intersegment to a lower privilege level (changes task CPL)
Task Switch
RET, IRET*
Code Segment
GDT/LDT
CALL, JMP
Task State
Segment
GDT
CALL, JMP
Task Gate
GDT/LDT
IRET**
Interrupt Instruction,
Exception, External
Interrupt
Task Gate
IDT
*NT (Nested Task bit of flag word) e 0
**NT (Nested Task bit of flag word) e 1
17
M80C286
PRIVILEGE LEVEL CHANGES
Any control transfer that changes CPL within the
task, causes a change of stacks as part of the operation. Initial values of SS:SP for privilege levels 0, 1,
and 2 are kept in the task state segment (refer to
Task Switch Operation). During a JMP or CALL control transfer, the new stack pointer is loaded into the
SS and SP registers and the previous stack pointer
is pushed onto the new stack.
When returning to the original privilege level, its
stack is restored as part of the RET or IRET instruction operation. For subroutine calls that pass parameters on the stack and cross privilege levels, a fixed
number of words, as specified in the gate, are copied from the previous stack to the current stack. The
inter-segment RET instruction with a stack adjustment value will correctly restore the previous stack
pointer upon return.
Protection
The M80C286 includes mechanisms to protect critical instructions that affect the CPU execution state
(e.g. HLT) and code or data segments from improper
usage. These protection mechanisms are grouped
into three forms:
Restricted usage of segments (e.g. no write allowed to read-only data segments). The only segments available for use are defined by descriptors in the Local Descriptor Table (LDT) and
Global Descriptor Table (GDT).
Restricted access to segments via the rules of
privilege and descriptor usage.
Privileged instructions or operations that may
only be executed at certain privilege levels as determined by the CPL and I/O Privilege Level
(IOPL). The IOPL is defined by bits 14 and 13 of
the flag word.
These checks are performed for all instructions and
can be split into three categories: segment load
checks (Table 11), operand reference checks (Table
12), and privileged instruction checks (Table 13).
Any violation of the rules shown will result in an exception. A not-present exception related to the stack
segment causes exception 12.
The IRET and POPF instructions do not perform
some of their defined functions if CPL is not of sufficient privilege (numerically small enough). Precisely
these are:
# The IF bit is not changed if CPL l IOPL.
# The IOPL field of the flag word is not changed if
CPL l 0.
No exceptions or other indication are given when
these conditions occur.
18
Table 11. Segment Register Load Checks
Error Description
Exception
Number
Descriptor table limit exceeded
13
Segment descriptor not-present
11 or 12
Privilege rules violated
13
Invalid descriptor/segment type segment register load:
ÐRead only data segment load to
SS
ÐSpecial Control descriptor load to
DS, ES, SS
ÐExecute only segment load to
DS, ES, SS
ÐData segment load to CS
ÐRead/Execute code segment
load to SS
13
Table 12. Operand Reference Checks
Error Description
Write into code segment
Read from execute-only code
segment
Write to read-only data segment
Segment limit exceeded1
Exception
Number
13
13
13
12 or 13
NOTE:
Carry out in offset calculations is ignored.
Table 13. Privileged Instruction Checks
Error Description
Exception
Number
CPL i 0 when executing the following
instructions:
LIDT, LLDT, LGDT, LTR, LMSW,
CTS, HLT
13
CPL l IOPL when executing the following instructions:
INS, IN, OUTS, OUT, STI, CLI,
LOCK
13
EXCEPTIONS
The M80C286 detects several types of exceptions
and interrupts, in protected mode (see Table 14).
Most are restartable after the exceptional condition
is removed. Interrupt handlers for most exceptions
can read an error code, pushed on the stack after
the return address, that identifies the selector involved (0 if none). The return address normally
points to the failing instruction, including all leading
prefixes. For a processor extension segment overrun exception, the return address will not point at the
ESC instruction that caused the exception; however,
the processor extension registers may contain the
address of the failing instruction.
M80C286
Table 14. Protected Mode Exceptions
Interrupt
Vector
Function
Return
Address
At Falling
Instruction?
Always
Restartable?
Error
Code
on Stack?
8
9
10
11
12
13
Double exception detected
Processor extension segment overrun
Invalid task state segment
Segment not present
Stack segment overrun or stack segment not present
General protection
Yes
No
Yes
Yes
Yes
Yes
No2
No2
Yes
Yes
Yes1
No2
Yes
No
Yes
Yes
Yes
Yes
NOTE:
1. When a PUSHA or POPA instruction attempts to wrap around the stack segment, the machine state after the exception
will not be restartable because stack segment wrap around is not permitted. This condition is identified by the value of the
saved SP being either 0000(H), 0001(H), FFFE(H), or FFFF(H).
2. These exceptions indicate a violation to privilege rules or usage rules has occurred. Restart is generally not attempted
under those conditions.
These exceptions indicate a violation to privilege
rules or usage rules has occurred. Restart is generally not attempted under those conditions.
All these checks are performed for all instructions
and can be split into three categories: segment load
checks (Table 11), operand reference checks (Table
12), and privileged instruction checks (Table 13).
Any violation of the rules shown will result in an exception. A not-present exception causes exception
11 or 12 and is restartable.
Special Operations
TASK SWITCH OPERATION
The M80C286 provides a built-in task switch operation which saves the entire M80C286 execution
state (registers, address space, and a link to the previous task), loads a new execution state, and commences execution in the new task. Like gates, the
task switch operation is invoked by executing an inter-segment JMP or CALL instruction which refers to
a Task State Segment (TSS) or task gate descriptor
in the GDT or LDT. An INT n instruction, exception,
or external interrupt may also invoke the task switch
operation by selecting a task gate descriptor in the
associated IDT descriptor entry.
The TSS descriptor points at a segment (see Figure
20) containing the entire M80C286 execution state
while a task gate descriptor contains a TSS selector.
The limit field of the descriptor must be l 002B(H).
Each task must have a TSS associated with it. The
current TSS is identified by a special register in the
M80C286 called the Task Register (TR). This register contains a selector referring to the task state
segment descriptor that defines the current TSS. A
hidden base and limit register associated with TR
are loaded whenever TR is loaded with a new selector.
The IRET instruction is used to return control to the
task that called the current task or was interrupted.
Bit 14 in the flag register is called the Nested Task
(NT) bit. It controls the function of the IRET instruction. If NT e 0, the IRET instruction performs the
regular current task by popping values off the stack;
when NT e 1, IRET performs a task switch operation back to the previous task.
When a CALL, JMP, or INT instruction initiates a
task switch, the old (except for case of JMP) and
new TSS will be marked busy and the back link field
of the new TSS set to the old TSS selector. The NT
bit of the new task is set by CALL or INT initiated
task switches. An interrupt that does not cause a
task switch will clear NT. NT may also be set or
cleared by POPF or IRET instructions.
The task state segment is marked busy by changing
the descriptor type field from Type 1 to Type 3. Use
of a selector that references a busy task state segment causes Exception 13.
PROCESSOR EXTENSION CONTEXT
SWITCHING
The context of a processor extension (such as the
M80C287 numerics processor) is not changed by
the task switch operation. A processor extension
context need only be changed when a different task
attempts to use the processor extension (which still
contains the context of a previous task). The
M80C286 detects the first use of a processor extension after a task switch by causing the processor
extension not present exception (7). The interrupt
handler may then decide whether a context change
is necessary.
Whenever the M80C286 switches tasks, it sets the
Task Switched (TS) bit of the MSW. TS indicates
that a processor extension context may belong to a
different task than the current one. The processor
extension not present exception (7) will occur when
attempting to execute an ESC or WAIT instruction if
TS e 1 and a processor extension is present (MP e 1
in MSW).
19
M80C286
POINTER TESTING INSTRUCTIONS
The M80C286 provides several instructions to
speed pointer testing and consistency checks for
maintaining system integrity (see Table 15). These
instructions use the memory management hardware
to verify that a selector value refers to an appropriate segment without risking an exception. A condition flag (ZF) indicates whether use of the selector
or segment will cause an exception.
271103 – 18
Figure 20. Task State Segment and TSS Registers
20
M80C286
Table 15. M80C286 Pointer Test Instructions
Operands
Function
ARPL
Instruction
Selector,
Register
Adjust Requested Privilege
Level: adjusts the RPL of
the selector to the numeric
maximum of current selector RPL value and the RPL
value in the register. Set
zero flag if selector RPL
was changed by ARPL.
VERR
Selector
VERify for Read: sets the
zero flag if the segment referred to by the selector
can be read.
VERW
Selector
VERify for Write: sets the
zero flag if the segment referred to by the selector
can be written.
LSL
Register,
Selector
Load Segment Limit: reads
the segment limit into the
register if privilege rules
and descriptor type allow.
Set zero flag if successful.
LAR
Register,
Selector
Load Access Rights: reads
the descriptor access
rights byte into the register
if privilege rules allow. Set
zero flag if successful.
DOUBLE FAULT AND SHUTDOWN
If two separate exceptions are detected during a single instruction execution, the M80C286 performs the
double fault exception (8). If an execution occurs
during processing of the double fault exception, the
M80C286 will enter shutdown. During shutdown no
further instructions or exceptions are processed. Either NMI (CPU remains in protected mode) or RESET (CPU exits protected mode) can force the
M80C286 out of shutdown. Shutdown is externally
signalled via a HALT bus operation with A1 LOW.
PROTECTED MODE INITIALIZATION
The M80C286 initially executes in real address
mode after RESET. To allow initialization code to be
placed at the top of physical memory, A23 –A20 will
be HIGH when the M80C286 performs memory references relative to the CS register until CS is
changed. A23 –A20 will be zero for references to the
DS, ES, or SS segments. Changing CS in real address mode will force A23 –A20 LOW whenever CS is
used again. The initial CS:IP value of F000:FFF0
provides 64K bytes of code space for initialization
code without changing CS.
Protected mode operation requires several registers
to be initialized. The GDT and IDT base registers
must refer to a valid GDT and IDT. After executing
the LMSW instruction to set PE, the M80C286 must
immediately execute an intra-segment JMP instruction to clear the instruction queue of instructions decoded in real address mode.
To force the M80C286 CPU registers to match the
initial protected mode state assumed by software,
execute a JMP instruction with a selector referring to
the initial TSS used in the system. This will load the
task register, local descriptor table register, segment
registers and initial general register state. The TR
should point at a valid TSS since any task switch
operation involves saving the current task state.
SYSTEM INTERFACE
The M80C286 system interface appears in two
forms: a local bus and a system bus. The local bus
consists of address, data, status, and control signals
at the pins of the CPU. A system bus is any buffered
version of the local bus. A system bus may also differ from the local bus in terms of coding of status
and control lines and/or timing and loading of signals. The M80C286 family includes several devices
to generate standard system buses such as the
IEEE 796 standard MULTIBUS.
Bus Interface Signals and Timing
The M80C286 microsystem local bus interfaces the
M80C286 to local memory and I/O components.
The interface has 24 address lines, 16 data lines,
and 8 status and control signals.
The M80C286 CPU, M82C284 clock generator,
M82C288 bus controller, transceivers, and latches
provide a buffered and decoded system bus interface. The M82C284 generates the system clock and
synchronizes READY and RESET. The M82C288
converts bus operation status encoded by the
M80C286 into command and bus control signals.
These components can provide the timing and electrical power drive levels required for most system
bus interfaces including the Multibus.
Physical Memory and I/O Interface
A maximum of 16 megabytes of physical memory
can be addressed in protected mode. One megabyte can be addressed in real address mode. Memory is accessible as bytes or words. Words consist of
any two consecutive bytes addressed with the least
significant byte stored in the lowest address.
Byte transfers occur on either half of the 16-bit local
data bus. Even bytes are accessed over D7 –D0
while odd bytes are transferred over D15 –D8. Evenaddressed words are transferred over D15 –D0 in
one bus cycle, while odd-addressed word require
two bus operations. The first transfers data on
D15 –D8, and the second transfers data on D7 –D0.
Both byte data transfers occur automatically, transparent to software.
21
M80C286
Two bus signals, A0 and BHE, control transfers over
the lower and upper halves of the data bus. Even
address byte transfers are indicated by A0 LOW and
BHE HIGH. Odd address byte transfers are indicated by A0 HIGH and BHE LOW. Both A0 and BHE are
LOW for even address word transfers.
The I/O address space contains 64K addresses in
both modes. The I/O space is accessible as either
bytes or words, as is memory. Byte wide peripheral
devices may be attached to either the upper or lower
byte of the data bus. Byte-wide I/O devices attached
to the upper data byte (D15 –D8) are accessed with
odd I/O addresses. Devices on the lower data byte
are accessed with even I/O addresses. An interrupt
controller such as Intel’s 82C59A-2 must be connected to the lower data byte (D7 –D0) for proper
return of the interrupt vector.
Bus Operation
The M80C286 uses a double frequency system
clock (CLK input) to control bus timing. All signals on
the local bus are measured relative to the system
CLK input. The CPU divides the system clock by 2 to
produce the internal processor clock, which determines bus state. Each processor clock is composed
of two system clock cycles named phase 1 and
phase 2. The M82C284 clock generator output
(PCLK) identifies the next phase of the processor
clock. (See Figure 21.)
271103 – 19
Figure 21. System and Processor
Clock Relationships
Six types of bus operations are supported; memory
read, memory write, I/O read, I/O write, interrupt acknowledge, and halt/shutdown. Data can be transferred at a maximum rate of one word per two processor clock cycles.
The M80C286 bus has three basic states: idle (Ti),
send status (Ts), and perform command (Tc). The
M80C286 CPU also has a fourth local bus state
called hold (Th). Th indicates that the M80C286 has
surrendered control of the local bus to another bus
master in response to a HOLD request.
Each bus state is one processor clock long. Figure
22 shows the four M80C286 local bus states and
allowed transitions.
271103 – 20
Figure 22. M80C286 Bus States
Bus States
The idle (Ti) state indicates that no data transfers
are in progress or requested. The first active state
TS is signaled by status line S1 or S0 going LOW
and identifying phase 1 of the processor clock. During TS, the command encoding, the address, and
data (for a write operation) are available on the
M80C286 output pins. The M82C288 bus controller
decodes the status signals and generates Multibus
compatible read/write command and local transceiver control signals.
After TS, the perform command (TC) state is entered. Memory or I/O devices respond to the bus
operation during TC, either transferring read data to
the CPU or accepting write data. TC states may be
repeated as often as necessary to assure sufficient
time for the memory or I/O device to respond. The
READY signal determines whether TC is repeated. A
repeated TC state is called a wait state.
During hold (Th), the M80C286 will float* all address,
data, and status output pins enabling another bus
master to use the local bus. The M80C286 HOLD
input signal is used to place the M80C286 into the
Th state. The M80C286 HLDA output signal indicates that the CPU has entered Th.
Pipelined Addressing
The M80C286 uses a local bus interface with pipelined timing to allow as much time as possible for
data access. Pipelined timing allows a new bus operation to be initiated every two processor cycles,
while allowing each individual bus operation to last
for three processor cycles.
The timing of the address outputs is pipelined such
that the address of the next bus operation becomes
available during the current bus operation. Or in other words, the first clock of the next bus operation is
overlapped with the last clock of the current bus operation. Therefore, address decode and routing logic
can operate in advance of the next bus operation.
*NOTE:
See section on bus hold circuitry.
22
M80C286
271103 – 21
Figure 23. Basic Bus Cycle
External address latches may hold the address stable for the entire bus operation, and provide additional AC and DC buffering.
The M80C286 does not maintain the address of the
current bus operation during all Tc states. Instead,
the address for the next bus operation may be emitted during phase 2 of any Tc. The address remains
valid during phase 1 of the first Tc to guarantee hold
time, relative to ALE, for the address latch inputs.
Bus Control Signals
The M82C288 bus controller provides control signals; address latch enable (ALE), Read/Write commands, data transmit/receive (DT/R), and data enable (DEN) that control the address latches, data
transceivers, write enable, and output enable for
memory and I/O systems.
The Address Latch Enable (ALE) output determines
when the address may be latched. ALE provides at
least one system CLK period of address hold time
from the end of the previous bus operation until the
address for the next bus operation appears at the
latch outputs. This address hold time is required to
support MULTIBUS and common memory systems.
The data bus transceivers are controlled by
M82C288 outputs Data Enable (DEN) and Data
Transmit/Receive (DT/R). DEN enables the data
transceivers; while DT/R controls tranceiver direction. DEN and DT/R are timed to prevent bus contention between the bus master, data bus transceivers, and system data bus transceivers.
Command Timing Controls
Two system timing customization options, command
extension and command delay, are provided on the
M80C286 local bus.
Command extension allows additional time for external devices to respond to a command and is analogous to inserting wait states on the M8086. External
logic can control the duration of any bus operation
such that the operation is only as long as necessary.
The READY input signal can extend any bus operation for as long as necessary, see Figure 23.
Command delay allows an increase of address or
write data setup time to system bus command active
for any bus operation by delaying when the system
bus command becomes active. Command delay is
controlled by the M82C288 CMDLY input. After TS,
the bus controller samples CMDLY at each failing
edge of CLK. If CMDLY is HIGH, the M82C288 will
not activate the command signal. When CMDLY is
LOW, the M82C288 will activate the command signal. After the command becomes active, the CMDLY
input is not sampled.
When a command is delayed, the available response time from command active to return read
data or accept write data is less. To customize system bus timing, an address decoder can determine
which bus operations require delaying the command. The CMDLY input does not affect the timing
of ALE, DEN, or DT/R.
23
M80C286
271103 – 22
Figure 24. CMDLY Controls the Leading Edge of Command Signal
Figure 24 illustrates four uses of CMDLY. Example 1
shows delaying the read command two system
CLKs for cycle N-1 and no delay for cycle N, and
example 2 shows delaying the read command one
system CLK for cycle N-1 and one system CLK delay for cycle N.
Bus Cycle Termination
At maximum transfer rates, the M80C286 bus alternates between the status and command states. The
bus status signals become inactive after Ts so that
they may correctly signal the start of the next bus
operation after the completion of the current cycle.
No external indication of Tc exists on the M80C286
local bus. The bus master and bus controller enter
Tc directly after Ts and continue executing Tc cycles
until terminated by READY.
READY Operation
The current bus master and M82C288 bus controller
terminate each bus operation simultaneously to
achieve maximum bus operation bandwidth. Both
are informed in advance by READY active (opencollector output from M82C284) which identifies the
last TC cycle of the current bus operation. The bus
master and bus controller must see the same sense
24
of the READY signal, thereby requiring READY be
synchronous to the system clock.
Synchronous Ready
The M82C284 clock generator provides READY
synchronization from both synchronous and asynchronous sources (see Figure 25). The synchronous
ready input (SRDY) of the clock generator is sampled with the falling edge of CLK at the end of phase
1 of each Tc. The state of SRDY is then broadcast to
the bus master and bus controller via the READY
output line.
Asynchronous Ready
Many systems have devices or subsystems that are
asynchronous to the system clock. As a result, their
ready outputs cannot be guaranteed to meet the
M82C284 SRDY setup and hold time requirements.
But the M82C284 asynchronous ready input (ARDY)
is designed to accept such signals. The ARDY input
is sampled at the beginning of each TC cycle by
M82C284 synchronization logic. This provides one
system CLK cycle time to resolve its value before
broadcasting it to the bus master and bus controller.
M80C286
NOTES:
1. SRDYEN is active low.
2. If SRDYEN is high, the state of SRDY will no affect READY.
3. ARDYEN is active low.
271103 – 23
Figure 25. Synchronous and Asynchronous Ready
ARDY or ARDYEN must be HIGH at the end of TS.
ARDY cannot be used to terminate bus cycle with no
wait states.
Each ready input of the M82C284 has an enable pin
(SRDYEN and ARDYEN) to select whether the current bus operation will be terminated by the synchronous or asynchronous ready. Either of the ready inputs may terminate a bus operation. These enable
inputs are active low and have the same timing as
their respective ready inputs. Address decode logic
usually selects whether the current bus operation
should be terminated by ARDY or SRDY.
The data bus is driven with write data during the
second phase of Ts. The delay in write data timing
allows the read data drivers, from a previous read
cycle, sufficient time to enter 3-state OFF* before
the M80C286 CPU begins driving the local data bus
for write operations. Write data will always remain
valid for one system clock past the last Tc to provide
sufficient hold time for Multibus or other similar
memory or I/O systems. During write-read or writeidle sequences the data bus enters 3-state OFF*
during the second phase of the processor cycle after
the last Tc. In a write-write sequence the data bus
does not enter 3-state OFF* between Tc and Ts.
Data Bus Control
Bus Usage
Figures 26, 27, and 28 show how the DT/R, DEN,
data bus, and address signals operate for different
combinations of read, write, and idle bus operations.
DT/R goes active (LOW) for a read operation. DT/R
remains HIGH before, during, and between write operations.
The M80C286 local bus may be used for several
functions: instruction data transfers, data transfers
by other bus masters, instruction fetching, processor
extension data transfers, interrupt acknowledge, and
halt/shutdown. This section describes local bus activities which have special signals or requirements.
*NOTE:
See section on bus hold circuitry.
25
M80C286
271103 – 24
Figure 26. Back to Back Read-Write Cycles
271103 – 25
Figure 27. Back to Back Write-Read Cycles
26
M80C286
271103 – 26
Figure 28. Back to Back Write-Write Cycles
HOLD and HLDA
HOLD AND HLDA allow another bus master to gain
control of the local bus by placing the M80C286 bus
into the Th state. The sequence of events required
to pass control between the M80C286 and another
local bus master are shown in Figure 29.
In this example, the M80C286 is initially in the Th
state as signaled by HLDA being active. Upon leaving Th, as signaled by HLDA going inactive, a write
operation is started. During the write operation another local bus master requests the local bus from
the M80C286 as shown by the HOLD signal. After
completing the write operation, the M80C286 performs one Ti bus cycle, to guarantee write data hold
time, then enters Th as signaled by HLDA going active.
The CMDLY signal and ARDY ready are used to
start and stop the write bus command, respectively.
Note that SRDY must be inactive or disabled by
SRDYEN to guarantee ARDY will terminate the cycle.
HOLD must not be active during the time from the
leading edge of RESET until 34 CLKs following the
trailing edge of RESET.
Lock
The CPU asserts an active lock signal during Interrupt-Acknowledge cycles, the XCHG instruction, and
during some descriptor accesses. Lock is also asserted when the LOCK prefix is used. The LOCK
prefix may be used with the following ASM-286 assembly instructions; MOVS, INS, and OUTS. For bus
cycles other than Interrupt-Acknowledge cycles,
Lock will be active for the first and subsequent cycles of a series of cycles to be locked. Lock will not
be shown active during the last cycle to be locked.
For the next-to-last cycle, Lock will become inactive
at the end of the first Tc regardless of the number of
wait-states inserted. For Interrupt-Acknowledge cycles, Lock will be active for each cycle, and will become inactive at the end of the first Tc for each cycle regardless of the number of wait-states inserted.
Instruction Fetching
The M80C286 Bus Unit (BU) will fetch instructions
ahead of the current instruction being executed. This
activity is called prefetching. It occurs when the local
bus would otherwise be idle and obeys the following
rules:
A prefetch bus operation starts when at least two
bytes of the 6-byte prefetch queue are empty.
The prefetcher normally performs word prefetches
independent of the byte alignment of the code segment base in physical memory.
The prefetcher will perform only a byte code fetch
operation for control transfers to an instruction beginning on a numerically odd physical address.
Prefetching stops whenever a control transfer or
HLT instruction is decoded by the IU and placed into
the instruction queue.
27
M80C286
In real address mode, the prefetcher may fetch up to
6 bytes beyond the last control transfer or HLT instruction in a code segment.
execute beyond the last full instruction in the code
segment.
In protected mode, the prefetcher will never cause a
segment overrun exception. The prefetcher stops at
the last physical memory word of the code segment.
Exception 13 will occur if the program attempts to
If the last byte of a code segment appears on an
even physical memory address, the prefetcher will
read the next physical byte of memory (perform a
word code fetch). The value of this byte is ignored
and any attempt to execute it causes exception 13.
271103 – 27
NOTES:
1. Status lines are not driven by M80C286, yet remain high due to internal pullup resistors during HOLD state. See
section on bus hold circuitry.
2. Address, M/IO and COD/INTA may start floating during any TC depending on when internal M80C286 bus arbiter
decides to release bus to external HOLD. The float starts in w2 of TC. See section on bus hold circuitry.
3. BHE and LOCK may start floating after the end of any TC depending on when internal M80C286 bus arbiter decides
to release bus to external HOLD. The float starts in w1 of TC. See section on bus hold circuitry.
4. The minimum HOLD to HLDA time is shown. Maximum is one TH longer.
5. The earliest HOLD time is shown. It will always allow a subsequent memory cycle if pending is shown.
6. The minimum HOLD to HLDA time is shown. Maximum is a function of the instruction, type of bus cycle and other
machine state (i.e., Interrupts, Waits, Lock, etc.).
7. Asynchronous ready allows termination of the cycle. Synchronous ready does not signal ready in this example. Synchronous ready state is ignored after ready is signaled via the asynchronous input.
Figure 29. MULTIBUS Write Terminated by Asynchronous Ready with Bus Hold
28
M80C286
Processor Extension Transfers
The processor extension interface uses I/O port addresses 00F8(H), 00FA(H), and 00FC(H) which are
part of the I/O port address range reserved by Intel.
An ESC instruction with Machine Status Word bits
EM e 0 and TS e 0 will perform I/O bus operations
to one or more of these I/O port addresses independent of the value of IOPL and CPL.
ESC instructions with memory references enable the
CPU to accept PEREQ inputs for processor extension operand transfers. The CPU will determine the
operand starting address and read/write status of
the instruction. For each operand transfer, two or
three bus operations are performed, one word transfer with I/O port address 00FA(H) and one or two
bus operations with memory. Three bus operations
are required for each word operand aligned on an
odd byte address.
NOTE:
Odd-aligned numerics instructions should be avoided when using an M80C286 system running six or
more memory-write wait-states. The M80C286 can
generate an incorrect numerics address if all the
following conditions are met:
Ð Two floating point (FP) instructions are fetched
and in the M80C286 queue.
Ð The first FP instruction is any floating point store
except FSTSW AX.
Ð The second FP instruction is any floating point
store except FSTSW AX.
Ð The second FP instruction accesses memory.
Ð The operand of the first instruction is aligned on
an odd memory address.
Ð More than five wait-states are inserted during either of the last two memory write transfers
(transferred as two bytes for odd aligned operands) of the first instruction.
The second FP instruction operand address will be
incremented by one if these conditions are met.
These conditions are most likely to occur in a multimaster system. For a hardware solution, contact
your local Intel representative.
Ten or more command delays should not be used
when accessing the numerics coprocessor. Excessive command delays can cause the M80C286 and
M80C287 to lose synchronization.
Interrupt Acknowledge Sequence
an INTR input. An interrupt acknowledge sequence
consists of two INTA bus operations. The first allows
a master M8259A Programmable Interrupt Controller (PIC) to determine which if any of its slaves
should return the interrupt vector. An eight bit vector
is read on D0 – D7 of the M80C286 during the second INTA bus operation to select an interrupt handler routine from the interrupt table.
The Master Cascade Enable (MCE) signal of the
M82C288 is used to enable the cascade address
drivers, during INTA bus operations (See Figure 30),
onto the local address bus for distribution to slave
interrupt controllers via the system address bus. The
M80C286 emits the LOCK signal (active LOW) during Ts of the first INTA bus operation. A local bus
‘‘hold’’ request will not be honored until the end of
the second INTA bus operation.
Three idle processor clocks are provided by the
M80C286 between INTA bus operations to allow for
the minimum INTA to INTA time and CAS (cascade
address) out delay of the M8259A. The second INTA
bus operation must always have at least one extra
Tc state added via logic controlling READY. This is
needed to meet the M8259A minimum INTA pulse
width.
Local Bus Usage Priorities
The M80C286 local bus is shared among several
internal units and external HOLD requests. In case
of simultaneous requests, their relative priorities are:
(Highest) Any transfers which assert LOCK either
explicitly (via the LOCK instruction prefix)
or implicitly (i.e. some segment descriptor
accesses, interrupt acknowledge sequence, or an XCHG with memory).
The second of the two byte bus operations required for an odd aligned word operand.
The second or third cycle of a processor
extension data transfer.
Local bus request via HOLD input.
Processor extension data operand transfer via PEREQ input.
Data transfer performed by EU as part of
an instruction.
(Lowest) An instruction prefetch request from BU.
The EU will inhibit prefetching two processor clocks in advance of any data
transfers to minimize waiting by EU for a
prefetch to finish.
Figure 30 illustrates an interrupt acknowledge sequence performed by the M80C286 in response to
29
M80C286
271103 – 28
NOTES:
1. Data is ignored, upper data bus, D8 – D15, should not change state during this time.
2. First INTA cycle should have at least one wait state inserted to meet M8259A minimum INTA pulse width.
3. Second INTA cycle should have at least one wait state inserted to meet M8259A minimum INTA pulse width.
4. LOCK is active for the first INTA cycle to prevent a bus arbiter from releasing the bus between INTA cycles in a multimaster system. LOCK is also active for the second INTA cycle.
5. A23 – A0 exits 3-state OFF during w2 of the second TC in the INTA cycle. See section on bus hold circuitry.
6. Upper data bus should not change state during this time.
Figure 30. Interrupt Acknowledge Sequence
Halt or Shutdown Cycles
The M80C286 externally indicates halt or shutdown
conditions as a bus operation. These conditions occur due to a HLT instruction or multiple protection
exceptions while attempting to execute one instruction. A halt or shutdown bus operation is signalled
when S1, S0 and COD/INTA are LOW and M/IO is
HIGH. A1 HIGH indicates halt, and A1 LOW indicates shutdown. The 82288 bus controller does not
issue ALE, nor is READY required to terminate a halt
or shutdown bus operation.
30
During halt or shutdown, the M80C286 may service
PEREQ or HOLD requests. A processor extension
segment overrun exception during shutdown will inhibit further service of PEREQ. Either NMI or RESET
will force the M80C286 out of either halt or shutdown. An INTR, if interrupts are enabled, or a processor extension segment overrun exception will also
force the M80C286 out of halt.
M80C286
271103 – 29
Figure 31. Example Power-Down Sequence
THE POWER-DOWN FEATURE OF
THE M80C286
The M80C286, unlike the HMOS part, can enter into
a power-down mode. By stopping the processor
CLK, the processor will enter a power-down mode.
Once in the power-down mode, all M80C286 outputs
remain static (the same state as before the mode
was entered). The M80C286 D.C. specification ICCS
rates the amount of current drawn by the processor
when in the power-down mode. When the CLK is
reapplied to the processor, it will resume execution
where it was interrupted.
In order to obtain maximum benefits from the powerdown mode, certain precautions should be taken.
When in the power-down mode, all M80C286 outputs remain static and any output that is turned on
and remains in a HIGH condition will source current
when loaded. Best low-power performance can be
obtained by first putting the processor in the HOLD
condition (turning off all of the output buffers), and
then stopping the processor CLK in the phase 2
state. In this condition, any output that is loaded will
source only the ‘‘Bus Hold Sustaining Current’’.
When coming out of power-down mode, the system
CLK must be started with the same polarity in which
it was stopped. An example power down sequence
is shown in Figure 31.
BUS HOLD CIRCUITRY
To avoid high current conditions caused by floating
inputs to peripheral CMOS devices and eliminate the
need for pull-up/down resistors, ‘‘bus-hold’’ circuitry
has been used on all tri-state M80C286 outputs. See
Table 16 for a list of these pins and Figures 32 and
33 for a complete description of which pins have bus
hold circuitry. These circuits will maintain the last
valid logic state if no driving source is present (i.e.,
an unconnected pin or a driving source which goes
to a high impedance state). To overdrive the ‘‘bus
hold’’ circuits, an external driver must be capable of
supplying the maximum ‘‘Bus Hold Overdrive’’ sink
or source current at valid input voltage levels. Since
this ‘‘bus hold’’ circuitry is active and not a
Pull-Up/Pull-Down
When stopping the processor clock, minimum clock
high and low times cannot be violated (no glitches
on the clock line).
Violating this condition can cause the M80C286 to
erase its internal register states. Note that all inputs
to the M80C286 (CLK, HOLD, PEREQ, RESET,
READY, INTR, NMI, BUSY, and ERROR) should be
at VCC or VSS; any other value will cause the
M80C286 to draw additional current.
271103 – 30
Figure 32. Bus Hold Circuitry Pins 36 – 51, 66 – 67
31
M80C286
‘‘resistive’’ type element, the associated power supply current is negligible and power dissipation is significantly reduced when compared to the use of passive pull-up resistors.
The M80C287 NPX can perform numeric calculations and data transfers concurrently with CPU program execution. Numerics code and data have the
same integrity as all other information protected by
the M80C286 protection mechanism.
Table 16. Bus Hold Circuitry on the M80C286
Signal
Pin
Polarity Pulled to
Location when tri-stated
S1, S0, PEACK, LOCK 4–6, 68
Hi, See Figure 33
Data Bus (D0 –D15)
36–51
Hi/Lo,
See Figure 32
COD/INTA, M/IO
66–67
Hi/Lo,
See Figure 32
Pull-Up
271103 – 31
Figure 33. Bus Hold Circuitry Pins 4–6, 68
SYSTEM CONFIGURATIONS
The versatile bus structure of the M80C286 microsystem, with a full complement of support chips, allows flexible configuration of a wide range of systems. The basic configuration, shown in Figure 34, is
similar to an M8086 maximum mode system. It includes the CPU plus an M8259A interrupt controller,
M82C284 clock generator, and the M82C288 Bus
Controller.
As indicated by the dashed lines in Figure 34, the
ability to add processor extensions is an integral feature of M80C286 microsystems. The processor extension interface allows external hardware to perform special functions and transfer data concurrent
with CPU execution of other instructions. Full system
integrity is maintained because the M80C286 supervises all data transfers and instruction execution for
the processor extension.
32
The M80C286 can overlap chip select decoding and
address propagation during the data transfer for the
previous bus operation. This information is latched
by ALE during the middle of a Ts cycle. The latched
chip select and address information remains stable
during the bus operation while the next cycle’s address is being decoded and propagated into the system. Decode logic can be implemented with a high
speed PROM or PAL.
The optional decode logic shown in Figure 32 takes
advantage of the overlap between address and data
of the M80C286 bus cycle to generate advanced
memory and lO-select signals. This minimizes system performance degradation caused by address
propagation and decode delays. In addition to selecting memory and I/O, the advanced selects may
be used with configurations supporting local and
system buses to enable the appropriate bus interface for each bus cycle. The COD/INTA and M/IO
signals are applied to the decode logic to distinguish
between interrupt, I/O, code and data bus cycles.
By adding a bus arbiter, the M80C286 provides a
MULTIBUS system bus interface as shown in Figure
35. The ALE output of the M82C288 for the
MULTIBUS bus is connected to its CMDLY input to
delay the start of commands one system CLK as
required to meet MULTIBUS address and write data
setup times. This arrangement will add at least one
extra Tc state to each bus operation which uses the
MULTIBUS.
A second M82C288 bus controller and additional
latches and transceivers could be added to the local
bus of Figure 35. This configuration allows the
M80C286 to support an on-board bus for local memory and peripherals, and the MULTIBUS for system
bus interfacing.
271103– 32
M80C286
Figure 34. Basic M80C286 System Configuration
33
M80C286
271103 – 33
Figure 35. MULTIBUS System Bus Interface
34
M80C286
271103 – 34
Figure 36. M80C286 System Configuration with Dual-Ported Memory
Figure 36 shows the addition of dual ported dynamic
memory between the MULTIBUS system bus and
the M80C286 local bus. The dual port interface is
provided by the 8207 Dual Port DRAM Controller.
The 8207 runs synchronously with the CPU to maximize throughput for local memory references. It also
arbitrates between requests from the local and system buses and performs functions such as refresh,
initialization of RAM, and read/modify/write cycles.
The 8207 combined with the 8206 Error Checking
and Correction memory controller provide for single
bit error correction. The dual-ported memory can be
combined with a standard MULTIBUS system bus
interface to maximize performance and protection in
multiprocessor system configurations.
Mechanical Data
The M80C286 pinout for both the Ceramic Quad
Flatpack, CQFP, and Pin Grid Array, PGA, packages
are shown in Figure 37. VCC and GND connections
must be made to mutiple VCC and VSS (GND) pins.
Each VCC and VSS MUST be connected to the appropriate voltage level. The circuit board should include VCC and GND planes for power distribution
and all VCC pins must be connected to the appropriate plane.
Table 17 shows the pin assignments for both the
CQFP and PGA components.
NOTE:
Pins identified as ‘‘N.C.’’ should remain completely
unconnected.
35
M80C286
Component Pad ViewsÐAs viewed from underside of
component when mounted on the board.
P.C. Board ViewsÐAs viewed from the component
side of the P.C. board.
Ceramic Quad Flatpack
271103 – 35
NOTE:
N.C. signals must not be connected
Pin Grid Array
271103 – 36
Figure 37. M80C286 Pin Configuration
36
M80C286
Table 17. Pin Cross Reference for M80C286
Signal
CQFP
PGA
Signal
CQFP
PGA
Signal
CQFP
PGA
A0
44
34
A23
3
7
A1
45
33
D0
42
36
LOCK
10
68
M/IO
11
67
A2
46
32
D1
40
38
COD/INTA
12
66
A3
50
28
D2
38
40
HLDA
13
65
A4
51
27
D3
36
42
HOLD
14
64
A5
52
26
D4
34
44
READY
15
63
A6
53
25
D5
32
46
PEREQ
17
61
A7
54
24
D6
30
48
NMI
19
59
A8
55
23
D7
28
50
INTR
21
57
A9
56
22
D8
41
37
BUSY
24
54
A10
57
21
D9
39
39
ERROR
25
53
A11
58
20
D10
37
41
CAP
26
52
A12
59
19
D11
35
43
VSS
1
9
A13
60
18
D12
33
45
VSS
18
35
A14
61
17
D13
31
47
VSS
43
60
A15
62
16
D14
29
49
VCC
16
30
A16
63
15
D15
27
51
VCC
48
62
A17
64
14
CLK
47
31
N.C.
7
2
A18
65
13
RESET
49
29
N.C.
8
3
A19
66
12
BHE
9
1
N.C.
20
55
A20
67
11
S1
6
4
N.C.
22
56
A21
68
10
S0
5
5
N.C.
23
58
A22
2
8
PEACK
4
6
Table 18. Pin Description
The following pin function descriptions are for the M80C286 microprocessor :
Symbol
CLK
Type
Name and Function
I
SYSTEM CLOCK provides the fundamental timing for M80C286 systems. It is
divided by two inside the M80C286 to generate the processor clock. The internal
divide-by-two circuitry can be synchronized to an external clock generator by a
LOW to HIGH transition on the RESET input.
D15 – D0
I/O
DATA BUS inputs data during memory, I/O, and interrupt acknowledge read
cycles; outputs data during memory and I/O write cycles. The data bus is active
HIGH and floats to 3-state OFF* during bus hold acknowledge.
A23 – A0
O
ADDRESS BUS outputs physical memory and I/O port addresses. A0 is LOW
when data is to be transferred on pins D7– 0. A23 –A16 are LOW during I/O
transfers. The address bus is active HIGH and floats to 3-state OFF* during bus
hold acknowledge.
BHE
O
BUS HIGH ENABLE indicates transfer or data on the upper byte of the data bus.
D15 – 8. Eight-bit oriented devices assigned to the upper byte of the data bus would
normally use BHE to condition chip select functions. BHE is active LOW and floats
to 3-state OFF* during bus hold acknowledge.
*See bus hold circuitry section.
37
M80C286
Table 18. Pin Description (Continued)
Symbol
Type
BHE
(Continued)
S1, S0
Name and Function
BHE and A0 Encodings
O
BHE Value
A0 Value
0
0
1
1
0
1
0
1
Function
Word transfer
Transfer on upper half of data bus (D15 –D8)
Byte transfer on lower half of data bus (D7 –D0)
Will never occur
BUS CYCLE STATUS indicates initiation of a bus cycle and, along with M/IO and COD/
INTA, defines the type of bus cycle. The bus is in a Ts state whenever one or both are LOW,
S1 and S0 are active LOW and float to 3-state OFF* during bus hold acknowledge.
M80C286 Bus Cycle Status Definition
COD/INTA
0 (LOW)
0
0
0
0
0
0
0
1 (HIGH)
1
1
1
1
1
1
1
M/IO
S1
S0
Bus Cycle Initiated
0
0
0
0
1
1
1
1
0
0
0
0
1
1
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
Interrupt acknowledge
Will not occur
Will not occur
None; not a status cycle
IF A1 e 1 then halt; else shutdown
Memory data read
Memory data write
None; not a status cycle
Will not occur
I/O read
I/O write
None; not a status cycle
Will not occur
Memory instruction read
Will not occur
None; not a status cycle
M/IO
O
MEMORY I/O SELECT distinguishes memory access from I/O access. If HIGH during Ts, a
memory cycle or a halt/shutdown cycle is in progress. If LOW, an I/O cycle or an interrupt
acknowledge cycle is in progress. M/IO floats to 3-state OFF* during bus hold
acknowledge.
COD/INTA
O
CODE/INTERRUPT ACKNOWLEDGE distinguishes instruction fetch cycles from memory
data read cycles. Also distinguishes interrupt acknowledge cycles from I/O cycles. COD/
INTA floats to 3-state OFF* during bus hold acknowledge. Its timing is the same as M/IO.
LOCK
O
BUS LOCK indicates that other system bus masters are not to gain control of the system
bus for the current and the following bus cycle. The LOCK signal may be activated explicitly
by the ‘‘LOCK’’ instruction prefix or automatically by M80C286 hardware during memory
XCHG instructions, interrupt acknowledge, or descriptor table access. LOCK is active LOW
and floats to 3-state OFF* during bus hold acknowledge.
READY
I
BUS READY terminates a bus cycle. Bus cycles are extended without limit until terminated
by READY LOW. READY is an active LOW synchronous input requiring setup and hold
times relative to the system clock be met for correct operation. READY is ignored during
bus hold acknowledge.
HOLD
HLDA
I
O
BUS HOLD REQUEST AND HOLD ACKNOWLEDGE control ownership of the M80C286
local bus. The HOLD input allows another local bus master to request control of the local
bus. When control is granted, the M80C286 will float its bus drivers to 3-state OFF* and
then activate HLDA, thus entering the bus hold acknowledge condition. The local bus will
remain granted to the requesting master until HOLD becomes inactive which results in the
M80C286 deactivating HLDA and regaining control of the local bus. This terminates the bus
hold acknowledge condition. HOLD may be asynchronous to the system clock. These
signals are active HIGH.
INTR
I
INTERRUPT REQUEST requests the M80C286 to suspend its current program execution
and service a pending external request. Interrupt requests are masked whenever the
interrupt enable bit in the flag word is cleared. When the M80C286 responds to an interrupt
request, it performs two interrupt acknowledge bus cycles to read an 8-bit interrupt vector
that identifies the source of the interrupt. To assure program interruption, INTR must remain
active until the first interrupt acknowledge cycle is completed. INTR is sampled at the
beginning of each processor cycle and must be active HIGH at least two processor cycles
before the current instruction ends in order to interrupt before the next instruction. INTR is
level sensitive, active HIGH, and may be asynchronous to the system clock.
*See bus hold circuitry section.
38
M80C286
Table 18. Pin Description (Continued)
Symbol
Type
Name and Function
NMI
I
NON-MASKABLE INTERRUPT REQUEST interrupts the M80C286 with an
internally supplied vector value of 2. No interrupt acknowledge cycles are
performed. The interrupt enable bit in the M80C286 flag word does not affect
this input. The NMI input is active HIGH, may be asynchronous to the system
clock, and is edge triggered after internal synchronization. For proper
recognition, the input must have been previously LOW for at least four system
clock cycles and remain HIGH for at least four system clock cycles.
PEREQ
PEACK
I
O
PROCESSOR EXTENSION OPERAND REQUEST AND ACKNOWLEDGE
extend the memory management and protection capabilities of the M80C286
to processor extensions. The PEREQ input requests the M80C286 to perform
a data operand transfer for a processor extension. The PEACK output signals
the processor extension when the requested operand is being transferred.
PEREQ is active HIGH and floats to 3-state OFF* during bus hold
acknowledge. PEACK may be asynchronous to the system clock. PEACK is
active LOW.
BUSY
ERROR
I
I
PROCESSOR EXTENSION BUSY AND ERROR indicate the operating
condition of a processor extension to the M80C286. An active BUSY input
stops M80C286 program execution on WAIT and some ESC instructions until
BUSY becomes inactive (HIGH). The M80C286 may be interrupted while
waiting for BUSY to become inactive. An active ERROR input causes the
M80C286 to perform a processor extension interrupt when executing WAIT or
some ESC instructions. These inputs are active LOW and may be
asynchronous to the system clock. These inputs have internal pull-up
resistors.
RESET
I
SYSTEM RESET clears the internal logic of the M80C286 and is active HIGH.
The M80C286 may be reinitialized at any time with a LOW to HIGH transition
on RESET which remains active for more than 16 system clock cycles. During
RESET active, the output pins of the M80C286 enter the state shown below:
M80C286 Pin State During Reset
Pin Value
1 (HIGH)
0 (LOW)
3-state OFF*
Pin Names
S0, S1, PEACK, A23 – A0, BHE, LOCK
M/IO, COD/INTA, HLDA (Note 1)
D15 –D0
Operation of the M80C286 begins after a HIGH to LOW transition on RESET.
The HIGH to LOW transition of RESET must be synchronous to the system
clock. Approximately 38 CLK cycles from the trailing edge of RESET are
required by the M80C286 for internal initialization before the first bus cycle, to
fetch code from the power-on execution address, occurs.
A LOW to HIGH transition of RESET synchronous to the system clock will
end a processor cycle at the second HIGH to LOW transition of the system
clock. The LOW to HIGH transition of RESET may be asynchronous to the
system clock; however, in this case it cannot be predetermined which phase
of the processor clock will occur during the next system clock period.
Synchronous LOW to HIGH transitions of RESET are required only for
systems where the processor clock must be phase synchronous to another
clock.
VSS
I
SYSTEM GROUND: 0 Volts.
VCC
I
SYSTEM POWER: a 5 Volt Power Supply.
CAP
I
SUBSTRATE FILTER CAPACITOR: a 0.047 mF g 20% 12V capacitor can
be connected between this pin and ground for compatibility with the HMOS
M80286. For systems using only an M80C286, this pin can be left floating.
*See bus hold circuitry section.
NOTE:
1. HLDA is only Low if HOLD is inactive (Low).
39
M80C286
Table 19. M80C286 Systems Recommended Pull Up Resistor Values
M80C286 Pin and Name
Pullup Value
4ÐS1
5ÐS0
Purpose
Pull S0, S1, and PEACK inactive during M80C286 hold periods
20 KX g 10%
(Note 1)
6ÐPEACK
63ÐREADY
910X g 5%
Pull READY inactive within required minimum time (CL e 150 pF,
lR s 7 mA)
NOTE:
1. Pullup resistors are not required for S0 and S1 when the corresponding pins on the M82C284 are connected to S0 and
S1.
M80286 IN-CIRCUIT EMULATION
CONSIDERATIONS
One of the advantages of using the M80C286 is that
full in-circuit emulation development support is available thru either the I2ICE 80286 probe for
8 MHz/10 MHz or ICE286 for 12.5 MHz designs. To
utilize these powerful tools it is necessary that the
designer be aware of a few minor parametric and
functional differences between the M80C286 and
the in-circuit emulators. The I2ICE datasheet (I2ICE
Integrated Instrumentation and In-Circuit Emulation
System, order Ý210469) contains a detailed description of these design considerations. The
ICE286 Fact Sheet (Ý280718) and User’s Guide
(Ý452317) contain design considerations for the
80286 12.5 MHz microprocessor. It is recommended
that the appropriate document be reviewed by the
80286 system designer to determine whether or not
these differences affect the design.
PACKAGE THERMAL
SPECIFICATIONS
The M80C286 Microprocessor is specified for operation when case temperature (TC) is within the range
of b 55§ C– a 125§ C. Case temperature, unlike ambient temperature, is easily measured in any environment to determine whether the M80C286 Microprocessor is within the specified operating range. The
case temperature should be measured at the center
of the top surface of the component.
The maximum ambient temperature (TA) allowable
without violating TC specifications can be calculated
from the equations shown below. TJ is the 80C286
junction temperature. P is the power dissipated by
the M80C286.
40
TJ e TC a P * iJC
TA e TJ b P * iJA
TC e TA a P * [iJA b iJC]
Values for iJA and iJC are given in Table 20. Table
21 shows the maximum TA allowable (without exceeding TC).
Junction temperature calculations should use an ICC
value that is measured without external resistive
loads. The external resistive loads dissipate additional power external to the M80C286 and not on
the die. This increases the resistor temperature, not
the die temperature. The full capacitive load (CL e
100 pF) should be applied during the ICC measurement.
Table 20. Thermal Resistances (§ C/W)
iJC
iJC
68-Lead PGA
5.5
30
68-Lead CQFP
11
32
Package
NOTE:
The numbers in Table 20 were calculated using an
ICC of 150 mA, which is representative of the worst
case ICC at TC e 125§ C with the outputs unloaded.
Table 21. Maximum (TA)
Package
TA (§ C)
68-Lead PGA
105
68-Lead CQFP
108
M80C286
ABSOLUTE MAXIMUM RATINGS*
NOTICE: This data sheet contains information on
products in the sampling and initial production phases
of development. The specifications are subject to
change without notice. Verify with your local Intel
Sales office that you have the latest data sheet before finalizing a design.
Case Temperature under Bias ÀÀÀ b 55§ C to a 125§ C
Storage Temperature ÀÀÀÀÀÀÀÀÀÀÀ b 65§ C to a 150§ C
Voltage on Any Pin with
Respect to GroundÀÀÀÀÀÀÀÀÀÀÀÀÀÀ b 1.0V to a 7V
*WARNING: Stressing the device beyond the ‘‘Absolute
Maximum Ratings’’ may cause permanent damage.
These are stress ratings only. Operation beyond the
‘‘Operating Conditions’’ is not recommended and extended exposure beyond the ‘‘Operating Conditions’’
may affect device reliability.
Power DissipationÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀÀ1.1W
Operating Conditions
Description
Min
Max
Units
TC
Symbol
Case Temperature (Instant On)
b 55
a 125
§C
VCC
Digital Supply Voltage
4.50
5.50
V
D.C. CHARACTERISTICS
Symbol
Over Specified Operating Conditions
Parameter
Max
Unit
200
mA
Comments
CL e 100 pF (Note 6)
Supply Current (Static)
5
mA
(Note 7)
CLK Input Capacitance
20
pF
FREQ e 1 MHz
CIN
Other Input Capacitance
10
pF
FREQ e 1 MHz
CO
Input/Output Capacitance
ICC
Supply Current
ICCS
CCLK
Min
20
pF
FREQ e 1 MHz
b 0.5
0.8
V
FREQ e 2 MHz
FREQ e 2 MHz
FREQ e 2 MHz
VIL
Input LOW Voltage
VIH
Input HIGH Voltage
2.0
VCC a 0.5
V
VILC
CLK Input LOW Voltage
b 0.5
0.8
V
VIHC
CLK Input HIGH Voltage
3.8
VCC a 0.5
V
VOL
Output LOW Voltage
0.45
V
FREQ e 2 MHz
IOL e 2.0 mA, FREQ e 2 MHz
VOH
Output HIGH Voltage
V
V
IOH e b 2.0 mA, FREQ e 2 MHz
IOH e b 100 mA, FREQ e 2 MHz
ILI
Input Leakage Current
g 10
mA
VIN e GND or VCC (Note 6)
ILO
Output Leakage Current
g 10
mA
VO e GND or VCC (Note 1)
IIL
Input Sustaining Current on
BUSYÝ and ERRORÝ Pins
b 30
b 500
mA
VIN e 0V (Note 1)
IBHL
Input Sustaining Current
(Bus Hold LOW)
35
200
mA
VIN e 1.0V (Notes 1, 2)
IBHH
Input Sustaining Current
(Bus Hold HIGH)
b 50
b 400
mA
VIN e 3.0V (Notes 1, 3)
IBHLO
Bus Hold LOW Overdrive
250
mA
(Notes 1, 4)
IBHHO
Bus Hold HIGH Overdrive
b 420
mA
(Notes 1, 5)
3.0
VCC b 0.5
NOTES:
1. Tested with the clock stopped.
2. IBHL should be measured after lowering VIN to GND and then raising to 1.0V on the following pins: 36 – 51, 66, 67.
3. IBHH should be measured after raising VIN to VCC and then lowering to 3.0V on the following pins: 4 – 6, 36 – 51, 66 – 68.
4. An external driver must source at least IBHLO to switch this node from LOW to HIGH.
5. An external driver must sink at least IBHHO to switch this node from HIGH to LOW.
6. Tested with outputs unloaded and at maximum frequency.
7. Tested while clock stopped in phase 2 and inputs at VCC or VSS with the outputs unloaded.
41
M80C286
A.C. CHARACTERISTICS
Over Specified Operating Conditions
A.C. timings are referenced to 1.5V points of signals as illustrated in datasheet waveforms, unless otherwise
noted.
Symbol
Parameter
10 MHz
Min
Max
DC
Unit
Comments
1
System Clock (CLK) Period
50
ns
2
System Clock (CLK) LOW Time
12
ns
at 1.0V
3
System Clock (CLK) HIGH Time
16
ns
at 3.6V
17
System Clock (CLK) Rise Time
8
ns
1.0V to 3.6V
18
System Clock (CLK) Fall Time
8
ns
3.6V to 1.0V
4
Asynchronous Inputs Setup Time
20
ns
(Note 1)
5
Asynchronous Inputs Hold Time
20
ns
(Note 1)
6
RESET Setup Time
23
ns
7
RESET Hold Time
5
ns
8
Read Data Setup Time
8
ns
9
Read Data Hold Time
8
ns
10
READY Setup Time
26
ns
11
READY Hold Time
25
12a1
Status Active Delay
5
22
ns
(Notes 2, 3)
12a2
PEACK Active Delay
5
22
ns
(Notes 2, 3)
12b
Status/PEACK Inactive Delay
3
30
ns
(Notes 2, 3)
13
Address Valid Delay
4
35
ns
(Notes 2, 3)
14
Write Data Valid Delay
3
40
ns
(Notes 2, 3)
15
Address/Status/Data Float Delay
2
47
ns
(Notes 2, 4)
16
HLDA Valid Delay
3
47
ns
(Notes 2, 3)
19
Address Valid To Status
Valid Setup Time
27
ns
(Notes 2, 3)
ns
NOTES:
1. Asynchronous inputs are INTR, NMI, HOLD, PEREQ, ERROR, and BUSY. This specification is given only for testing
purposes, to assure recognition at a specific CLK edge.
2. Delay from 1.0V on the CLK, to 1.5V or float on the output as appropriate for valid or floating condition.
3. Output load: CL e 100 pF.
4. Float condition occurs when output current is less than ILO in magnitude.
42
M80C286
A.C. CHARACTERISTICS
(Continued)
271103 – 37
NOTE:
AC Test Loading on Outputs
271103 – 38
NOTE:
AC Drive and Measurement PointsÐCLK Input
271103 – 39
NOTE:
AC Setup, Hold and Delay Time MeasurementÐGeneral
43
M80C286
Typical Capacitive Derating Curves
271103 – 40
Typical CMOS Level Slew Rates for Address/Data Buffers
271103 – 41
44
M80C286
Typical TTL Level Slew Rates for Address/Data Buffers
271103 – 42
Typical ICC vs Frequency for Different Output Loads
271103 – 43
45
M80C286
A.C. CHARACTERISTICS
(Continued)
M82C284 Timing Requirements
M82C284-10
Symbol
Parameter
11
SRDY/SRDYEN Setup Time
17.5
ns
12
SRDY/SRDYEN Hold Time
2
ns
13
ARDY/ARDYEN Setup Time
0
ns
(Note 1)
14
ARDY/ARDYEN Hold Time
30
ns
(Note 1)
19
PCLK Delay
0
ns
CL e 75 pF
IOL e 5 mA
IOH e b 1 mA
Min
Max
35
Unit
Comments
NOTE:
1. These times are given for testing purposes to assure a predetermined action.
M82C288 Timing Requirements
Symbol
46
Parameter
M82C288-10
Min
Max
Unit
12
CMDLY Setup Time
15
ns
13
CMDLY Hold Time
1
ns
30
5
29
Command
Delay
from CLK
16
ALE Active Delay
17
19
22
DT/R Read Inactive Delay
20
Command Inactive
Command Active
20
ns
3
21
3
16
ns
ALE Inactive Delay
19
ns
DT/R Read Active Delay
23
ns
5
20
ns
DEN Read Active Delay
5
21
ns
21
DEN Read Inactive Delay
3
23
DEN Write Active Delay
24
DEN Write Inactive Delay
3
21
ns
23
ns
19
ns
Comments
CL e 300 pF max
IOL e 32 mA max
IOH e b 5 mA max
CL e 150 pF
IOL e 16 mA max
IOH e b 1 mA max
M80C286
WAVEFORMS
MAJOR CYCLE TIMING
271103 – 44
NOTE:
1. The modified timing is due to the CMDLY signal being active.
47
M80C286
WAVEFORMS (Continued)
M80C286 ASYNCHRONOUS
INPUT SIGNAL TIMING
M80C286 RESET INPUT TIMING AND
SUBSEQUENT PROCESSOR CYCLE PHASE
271103 – 45
NOTES:
1. PCLK indicates which processor cycle phase will occur on the next CLK. PCLK may not indicate the correct phase until the first bus cycle is performed.
2. These inputs are asynchronous. The setup and hold
times shown assure recognition for testing purposes.
271103 – 46
NOTE:
1. When RESET meets the setup time shown, the next
CLK will start or repeat w2 of a processor cycle.
EXITING AND ENTERING HOLD
271103 – 47
NOTES:
1. These signals may not be driven by the M80C286 during the time shown. The worst case in terms of latest float time
is shown.
2. The data bus will be driven as shown if the last cycle before TI in the diagram was a write TC.
3. The M80C286 floats its status pins during TH. External 20 KX resistors keep these signals high (see Table 16).
4. For HOLD request set up to HLDA, refer to Figure 29.
5. BHE and LOCK are driven at this time but will not become valid until TS.
6. The data bus will remain in 3-state OFF if a read cycle is performed.
48
M80C286
WAVEFORMS (Continued)
M80C286 PEREQ/PEACK TIMING FOR ONE TRANSFER ONLY
NOTES:
271103 – 48
1. PEACK always goes active during the first bus operation of a processor extension data operand transfer sequence.
The first bus operation will be either a memory read at operand address or I/O read at port address OOFA(H).
2. To prevent a second processor extension data operand transfer, the worst case maximum time (Shown above) is:
3 c j b12a2max.b m min.. The actual, configuration dependent, maximum time is: 3 c j b12a2max.b m min. a
Ac2c j .
A is the number of extra TC states added to either the first or second bus operation of the processor extension data
operand transfer sequence.
INITIAL M80C286 PIN STATE DURING RESET
NOTES:
271103 – 49
1. Setup time for RESET u may be violated with the consideration that w1 of the processor clock may begin one
system CLK period later.
2. Setup and hold times for RESET v must be met for proper operation, but RESET v may occur during w1 or w2.
3. The data bus is only guaranteed to be in 3-state OFF at the time shown.
49
M80C286
271103 – 50
Figure 35. M80C286 Instruction Format Examples
M80C286 INSTRUCTION SET
SUMMARY
Instruction Timing Notes
The instruction clock counts listed below establish
the maximum execution rate of the M80C286. With
no delays in bus cycles, the actual clock count of an
M80C286 program will average 5% more than the
calculated clock count, due to instruction sequences
which execute faster than they can be fetched from
memory.
To calculate elapsed times for instruction sequences, multiply the sum of all instruction clock
counts, as listed in the table below, by the processor
clock period. A 10 MHz processor clock has a clock
period of 100 nanoseconds and requires an
M80C286 system clock (CLK input) of 20 MHz.
Instruction Clock Count Assumptions
1. The instruction has been prefetched, decoded,
and is ready for execution. Control transfer instruction clock counts include all time required to
fetch, decode, and prepare the next instruction for
execution.
2. Bus cycles do not require wait states.
3. There are no processor extension data transfer or
local bus HOLD requests.
4. No exceptions occur during instruction execution.
50
Instruction Set Summary Notes
Addressing displacements selected by the MOD
field are not shown. If necessary they appear after
the instruction fields shown.
Above/below refers to unsigned value
Greater refers to positive signed value
Less refers to less positive (more negative) signed
values
if d e 1 then to register; if d e 0 then from register
if w e 1 then word instruction; if w e 0 then byte
instruction
if s e 0 then 16-bit immediate data form the operand
if s e 1 then an immediate data byte is sign-extended to form the 16-bit operand
x don’t care
z
used for string primitives for comparison with
ZF FLAG
If two clock counts are given, the smaller refers to a
register operand and the larger refers to a memory
operand
* e add one clock if offset calculation requires
summing 3 elements
n e number of times repeated
m e number of bytes of code in next instruction
Level (L)ÐLexical nesting level of the procedure
M80C286
The following comments describe possible exceptions, side effects, and allowed usage for instructions in both operating modes of the M80C286.
avoid a not-present exception (11). If the SS register is the destination, and a segment not-present violation occurs, a stack exception (12) occurs.
REAL ADDRESS MODE ONLY
1. This is a protected mode instruction. Attempted
execution in real address mode will result in an
undefined opcode exception (6).
11. All segment descriptor accesses in the GDT or
LDT made by this instruction will automatically
assert LOCK to maintain descriptor integrity in
multiprocessor systems.
2. A segment overrun exception (13) will occur if a
word operand reference at offset FFFF(H) is attempted.
12. JMP, CALL, INT, RET, IRET instructions referring to another code segment will cause a general protection exception (13) if any privilege rule is
violated.
13. A general protection exception (13) occurs if
CPL i 0.
3. This instruction may be executed in real address
mode to initialize the CPU for protected mode.
4. The IOPL and NT fields will remain 0.
5. Processor extension segment overrun interrupt
(9) will occur if the operand exceeds the segment limit.
EITHER MODE
6. An exception may occur, depending on the value
of the operand.
7. LOCK is automatically asserted regardless of the
presence or absence of the LOCK instruction
prefix.
8. LOCK does not remain active between all operand transfers.
PROTECTED VIRTUAL ADDRESS MODE ONLY
9. A general protection exception (13) will occur if
the memory operand cannot be used due to either a segment limit or access rights violation. If
a stack segment limit is violated, a stack segment overrun exception (12) occurs.
10. For segment load operations, the CPL, RPL, and
DPL must agree with privilege rules to avoid an
exception. The segment must be present to
14. A general protection exception (13) occurs if
CPL l IOPL.
15. The IF field of the flag word is not updated if CPL
l IOPL. The IOPL field is updated only if
CPL e 0.
16. Any violation of privilege rules as applied to the
selector operand do not cause a protection exception; rather, the instruction does not return a
result and the zero flag is cleared.
17. If the starting address of the memory operand
violates a segment limit, or an invalid access is
attempted, a general protection exception (13)
will occur before the ESC instruction is executed. A stack segment overrun exception (12) will
occur if the stack limit is violated by the operand’s starting address. If a segment limit is violated during an attempted data transfer then a
processor extension segment overrun exception
(9) occurs.
18. The destination of an INT, JMP, CALL, RET or
IRET instruction must be in the defined limit of a
code segment or a general protection exception
(13) will occur.
51
M80C286
M80C286 INSTRUCTION SET SUMMARY
CLOCK COUNT
FUNCTION
COMMENTS
Protected
Protected
Real
Real
Virtual
Virtual
Address
Address
Address
Address
Mode
Mode
Mode
Mode
FORMAT
DATA TRANSFER
MOV e Move:
Register to Register/Memory
1000100w
mod reg
r/m
2,3*
2,3*
2
9
Register/memory to register
1000101w
mod reg
r/m
2,5*
2,5*
2
9
Immediate to register/memory
1100011w
mod 0 0 0 r/m
data
2,3*
2,3*
2
9
Immediate to register
1 0 1 1 w reg
data
data if w e 1
2
2
Memory to accumulator
1010000w
addr-low
addr-high
5
5
2
9
Accumulator to memory
1010001w
addr-low
addr-high
3
3
2
9
Register/memory to segment register
10001110
mod 0 reg r/m
2,5*
17,19*
2
9,10,11
Segment register to register/memory
10001100
mod 0 reg r/m
2,3*
2,3*
2
9
11111111
mod 1 1 0 r/m
5*
5*
2
9
data if w e 1
PUSH e Push:
Memory
Register
0 1 0 1 0 reg
3
3
2
9
Segment register
0 0 0 reg 1 1 0
3
3
2
9
Immediate
011010s0
3
3
2
9
PUSHA e Push All
01100000
17
17
2
9
5*
5*
2
9
5
5
2
9
5
20
2
9,10,11
19
19
2
9
3,5*
3,5*
2,7
7,9
3
3
data
data if s e 0
POP e Pop:
Memory
10001111
Register
0 1 0 1 1 reg
Segment register
0 0 0 reg 1 1 1
POPA e Pop All
01100001
mod 0 0 0
r/m
(reg i 01)
XCHG e Exhcange:
Register/memory with register
1 0 0 0 0 1 1 w mod reg
Register with accumulator
1 0 0 1 0 reg
r/m
IN e Input from:
Fixed port
1110010w
Variable port
1110110w
port
5
5
14
5
5
14
3
3
14
OUT e Output to:
Fixed port
1110011w
port
Variable port
1110111w
3
3
14
XLAT e Translate byte to AL
11010111
5
5
9
LEA e Load EA to register
10001101
mod reg
r/m
3*
3*
LDS e Load pointer to DS
11000101
mod reg
r/m
(mod i 11)
7*
21*
2
9,10,11
LES e Load pointer to ES
11000100
mod reg
r/m
(mod i 1)
7*
21*
2
9,10,11
Shaded areas indicate instructions not available in M8086, 88 microsystems.
52
M80C286
M80C286 INSTRUCTION SET SUMMARY (Continued)
CLOCK COUNT
FUNCTION
COMMENTS
Protected
Protected
Real
Real
Virtual
Virtual
Address
Address
Address
Address
Mode
Mode
Mode
Mode
FORMAT
DATA TRANSFER (Continued)
LAHF Load AH with flags
10011111
2
2
SAHF e Store AH into flags
10011110
2
2
PUSHF e Push flags
10011100
3
3
2
9
POPF e Pop flags
10011101
5
5
2,4
9,15
2,7*
2,7*
2
9
3,7*
3,7*
2
9
3
3
2,7*
2,7*
2
9
3,7*
3,7*
2
9
3
3
2,7*
2,7*
2
9
2
2
2,7*
2,7*
2
9
3,7*
3,7*
2
9
3
3
2,7*
2,7*
2
9
3,7*
3,7*
2
9
3
3
2,7*
2,7*
2
9
2
2
ARITHMETIC
ADD e Add:
Reg/memory with register to either
000000dw
mod reg
Immediate to register/memory
100000sw
mod 0 0 0 r/m
r/m
data
Immediate to accumulator
0000010w
data
data if w e 1
data if s w e 01
ADC e Add with carry:
Reg/memory with register to either
000100dw
mod reg
Immediate to register/memory
100000sw
mod 0 1 0 r/m
r/m
data
Immediate to accumulator
0001010w
data
data if w e 1
1111111w
mod 0 0 0 r/m
data if s w e 01
INC e Increment:
Register/memory
Register
0 1 0 0 0 reg
SUB e Subtract:
Reg/memory and register to either
001010dw
mod reg
Immediate from register/memory
100000sw
mod 1 0 1 r/m
r/m
data
Immediate from accumulator
0010110w
data
data if w e 1
data if s w e 01
SBB e Subtract with borrow:
Reg/memory and register to either
000110dw
mod reg
Immediate from register/memory
100000sw
mod 0 1 1 r/m
r/m
data
Immediate from accumulator
0001110w
data
data if w e 1
data if s w e 01
DEC e Decrement
Register/memory
1 1 1 1 1 1 1 w mod 0 0 1
Register
0 1 0 0 1 reg
r/m
CMP e Compare
Register/memory with register
0 0 1 1 1 0 1 w mod reg
r/m
2,6*
2,6*
2
9
Register with register/memory
0 0 1 1 1 0 0 w mod reg
r/m
2,7*
2,7*
2
9
Immediate with register/memory
100000sw
mod 1 1 1
r/m
3,6*
3,6*
2
9
Immediate with accumulator
0011110w
data
NEG e Change sign
1 1 1 1 0 1 1 w mod 0 1 1
2
9
AAA e ASCII adjust for add
DAA e Decimal adjust for add
data
data if w e 1
data if s w e 01
3
3
2
7*
00110111
3
3
00100111
3
3
r/m
53
M80C286
M80C286 INSTRUCTION SET SUMMARY (Continued)
CLOCK COUNT
FUNCTION
Real
Address
Mode
FORMAT
COMMENTS
Protected
Protected
Real
Virtual
Virtual
Address
Address
Address
Mode
Mode
Mode
ARITHMETIC (Continued)
AAS e ASCII adjust for subtract
00111111
3
3
DAS e Decimal adjust for subtract
00101111
3
3
MUL e Multiply (unsigned):
1 1 1 1 0 1 1 w mod 1 0 0
13
21
16*
24*
13
21
16*
24*
2
2
9
9
13
21
16*
24*
13
21
16*
24*
2
2
9
9
21,24*
21,24*
2
9
14
22
17*
25*
14
22
17*
25*
6
6
2,6
2,6
6
6
6,9
6,9
17
25
20*
28*
17
25
20*
28*
6
6
2,6
2,6
6
6
6,9
6,9
r/m
Register-Byte
Register-Word
Memory-Byte
Memory-Word
IMUL e Integer multiply (signed):
1 1 1 1 0 1 1 w mod 1 0 1
r/m
Register-Byte
Register-Word
Memory-Byte
Memory-Word
IMUL e Integer immediate multiply
(signed)
011010s1
mod reg
DIV e Divide (unsigned)
1 1 1 1 0 1 1 w mod 1 1 0
r/m
data
data if s e 0
r/m
Register-Byte
Register-Word
Memory-Byte
Memory-Word
IDIV e Integer divide (signed)
1 1 1 1 0 1 1 w mod 1 1 1
r/m
Register-Byte
Register-Word
Memory-Byte
Memory-Word
AAM e ASCII adjust for multiply
11010100
00001010
16
16
AAD e ASCII adjust for divide
11010101
00001010
14
14
CBW e Convert byte to word
10011000
2
2
CWD e Convert word to double word
10011001
2
2
2,7*
2,7*
LOGIC
Shift/Rotate Instructions:
Register/Memory by 1
1 1 0 1 0 0 0 w mod TTT
r/m
Register/Memory by CL
1 1 0 1 0 0 1 w mod TTT
r/m
Register/Memory by Count
1 1 0 0 0 0 0 w mod TTT
r/m
count
TTT
Instruction
000
ROL
001
ROR
010
RCL
011
RCR
1 0 0 SHL/SAL
101
SHR
111
SAR
Shaded areas indicate instructions not available in M8086, 88 microsystems.
54
2
9
5 a n,8 a n* 5 a n,8 a n*
2
9
5 a n,8 a n* 5 a n,8 a n*
2
9
M80C286
M80C286 INSTRUCTION SET SUMMARY (Continued)
CLOCK COUNT
FUNCTION
Real
Address
Mode
FORMAT
COMMENTS
Protected
Protected
Real
Virtual
Virtual
Address
Address
Address
Mode
Mode
Mode
ARITHMETIC (Continued)
AND e And:
Reg/memory and register to either
001000dw
mod reg
Immediate to register/memory
1000000w
mod 1 0 0 r/m
r/m
data
Immediate to accumulator
0010010w
data
data if w e 1
data if w e 1
2,7*
2,7*
2
9
3,7*
3,7*
2
9
3
3
2,6*
2,6*
2
9
3,6*
3,6*
2
9
3
3
2,7*
2,7*
2
9
3,7*
3,7*
2
9
3
3
2,7*
2,7*
2
9
3,7*
3,7*
2
9
3
3
2,7*
2,7*
2
9
TEST e And function to flags, no result:
Register/memory and register
1000010w
mod reg
Immediate data and register/memory
1111011w
mod 0 0 0 r/m
r/m
data
Immediate data and accumulator
1010100w
data
data if w e 1
data if w e 1
OR e Or:
Reg/memory and register to either
000010dw
mod reg
Immediate to register/memory
1000000w
mod 0 0 1 r/m
r/m
data
Immediate to accumulator
0000110w
data
data if w e 1
data if w e 1
XOR e Exclusive or:
Reg/memory and register to either
001100dw
mod reg
r/m
Immediate to register/memory
1000000w
mod 1 1 0 r/m
data
Immediate to accumulator
0011010w
data
data if w e 1
NOT e Invert register/memory
1111011w
mod 0 1 0 r/m
data if w e 1
STRING MANIPULATION:
MOVS e Move byte/word
1010010w
5
5
2
9
CMPS e Compare byte/word
1010011w
8
8
2
9
SCAS e Scan byte/word
1010111w
7
7
2
9
LODS e Load byte/wd to AL/AX
1010110w
5
5
2
9
STOS e Stor byte/wd from AL/A
1010101w
3
3
2
9
INS e Input byte/wd from DX port
0110110w
5
5
2
9,14
OUTS e Output byte/wd to DX port
0110111w
5
5
2
9,14
Repeated by count in CX
MOV5 e Move string
11110011
1010010w
5 a 4n
5 a 4n
2
9
CMPS e Compare string
1111001z
1010011w
5 a 9n
5 a 9n
2,8
8,9
SCAS e Scan string
1111001z
1010111w
5 a 8n
5 a 8n
2,8
8,9
LODS e Load string
11110011
1010110w
5 a 4n
5 a 4n
2,8
8,9
4 a 3n
STOS e Store string
11110011
1010101w
4 a 3n
2,8
8,9
INS e Input string
11110011
0110110w
5 a 4n
5 a 4n
2
9,14
OUTS e Output string
11110011
0110111w
5 a 4n
5 a 4n
2
9,14
Shaded areas indicate instructions not available in M8086, 88 microsystems.
55
M80C286
M80C286 INSTRUCTION SET SUMMARY (Continued)
CLOCK COUNT
FUNCTION
FORMAT
COMMENTS
Real
Address
Mode
Protected
Virtual
Address
Mode
7am
7am
2
18
7 a m, 11 a m*
7 a m, 11 a m*
2,8
8,9,18
13 a m
26 a m
2
11,12,18
Real
Address
Mode
Protected
Virtual
Address
Mode
CONTROL TRANSFER
CALL e Call:
Direct within segment
11101000
Register/memory
indirect within segment
11111111
Direct intersegment
10011010
Protected Mode Only (Direct intersegment):
Via call gate to same privilege level
Via call gate to different privilege level, no parameters
Via call gate to different privilege level, x parameters
Via TSS
Via task gate
Indirect intersegment
11111111
disp-low
mod 0 1 0
disp-high
r/m
segment offset
segment selector
41 a m
82 a m
86 a 4x a m
177 a m
182 a m
mod 0 1 1
r/m
(mod i 11)
16 a m
Protected Mode Only (Indirect intersegment):
Via call gate to same privilege level
Via call gate to different privilege level, no parameters
Via call gate to different privilege level, x parameters
Via TSS
Via task gate
JMP e Unconditional jump:
Short/long
11101011
Direct within segment
11101001
Register/memory indirect within segment
11111111
Direct intersegment
11101010
Protected Mode Only (Direct intersegment):
Via call gate to same privilege level
Via TSS
Via task gate
Indirect intersegment
11111111
11000011
Within seg adding immed to SP
11000010
Intersegment
11001011
Intersegment adding immediate to SP
11001010
Protected Mode Only (RET):
To different privilege level
56
2
8,9,11,12,18
44 a m*
83 a m*
90 a 4x a m*
180 a m*
185 a m*
8,9,11,12,18
8,9,11,12,18
8,9,11,12,18
8,9,11,12,18
8,9,11,12,18
18
disp-low
7am
7am
disp-low
7am
7a m
7 a m, 11 a m*
7 a m, 11 a m*
11 a m
23 a m
11,12,18
38 a m
175 a m
180 a m
8,11,12,18
8,11,12,18
8,11,12,18
mod 1 0 0
disp-high
r/m
segment offset
18
2
9,18
segment selector
mod 1 0 1
r/m
(mod i 11)
15 a m*
Protected Mode Only (Indirect intersegment):
Via call gate to same privilege level
Via TSS
Via task gate
RET e Return from CALL:
Within segment
29 a m*
8,11,12,18
8,11,12,18
8,11,12,18
8,11,12,18
8,11,12,18
26 a m*
2
41 a m*
178 a m*
183 a m*
data-low
data-low
data-high
data-high
8,9,11,12,18
8,9,11,12,18
8,9,11,12,18
8,9,11,12,18
11 a m
11 a m
2
8,9,18
11 a m
11 a m
2
8,9,18
15 a m
25 a m
15 a m
55 a m
2
8,9,11,12,18
2
8,9,11,12,18
9,11,12,18
M80C286
M80C286 INSTRUCTION SET SUMMARY (Continued)
CLOCK COUNT
FUNCTION
FORMAT
Real
Address
Mode
Protected
Virtual
Address
Mode
COMMENTS
Real
Address
Mode
Protected
Virtual
Address
Mode
CONTROL TRANSFER (Continued)
JE/JZ e Jump on equal zero
01110100
disp
7 a m or 3
7 a m or 3
18
JL/JNGE e Jump on less/not greater or equal
01111100
disp
7 a m or 3
7 a m or 3
18
7 a m or 3
18
JLE/JNG e Jump on less or equal/not greater
01111110
disp
7 a m or 3
JB/JNAE e Jump on below/not above or equal
01110010
disp
7 a m or 3
7 a m or 3
18
JBE/JNA e Jump on below or equal/not above
01110110
disp
7 a m or 3
7 a m or 3
18
7 a m or 3
18
JP/JPE e Jump on parity/parity even
01111010
disp
7 a m or 3
JO e Jump on overflow
01110000
disp
7 a m or 3
7 a m or 3
18
JS e Jump on sign
01111000
disp
7 a m or 3
7 a m or 3
18
JNE/JNZ e Jump on not equal/not zero
01110101
disp
7 a m or 3
7 a m or 3
18
JNL/JGE e Jump on not less/greater or equal
01111101
disp
7 a m or 3
7 a m or 3
18
JNLE/JG e Jump on not less or equal/greater
01111111
disp
7 a m or 3
7 a m or 3
18
JNB/JAE e Jump on not below/above or equal
01110011
disp
7 a m or 3
7 a m or 3
18
JNBE/JA e Jump on not below or equal/above
01110111
disp
7 a m or 3
7 a m or 3
18
JNP/JPO e Jump on not par/par odd
01111011
disp
7 a m or 3
7 a m or 3
18
JNO e Jump on not overflow
01110001
disp
7 a m or 3
7 a m or 3
18
JNS e Jump on not sign
01111001
disp
7 a m or 3
7 a m or 3
18
LOOP e Loop CX times
11100010
disp
8 a m or 4
8 a m or 4
18
8 a m or 4
18
LOOPZ/LOOPE e Loop while zero/equal
11100001
disp
8 a m or 4
LOOPNZ/LOOPNE e Loop while not zero/equal
11100000
disp
8 a m or 4
8 a m or 4
18
JCXZ e Jump on CX zero
11100011
disp
8 a m or 4
8 a m or 4
18
ENTER e Enter Procedure
11001000
data-low
data-high
Le0
Le1
Ll1
LEAVE e Leave Procedure
L
11
11
15
15
16 a 4(L b 1) 16 a 4(L b 1)
11001001
5
2,8
8,9
2,8
2,8
2,8
8,9
8,9
8,9
5
INT e Interrupt:
Type specified
11001101
type
23 a m
Type 3
11001100
23 a m
2,7,8
2,7,8
INTO e Interrupt on overflow
11001110
24 a m or 3
(3 if no
interrupt)
2,6,8
(3 if no
interrupt)
Shaded areas indicate instructions not available in M8086, 88 microsystems.
57
M80C286
M80C286 INSTRUCTION SET SUMMARY (Continued)
CLOCK COUNT
FUNCTION
Real
Address
Mode
FORMAT
Protected
Virtual
Address
Mode
COMMENTS
Real
Address
Mode
Protected
Virtual
Address
Mode
CONTROL TRANSFER (Continued)
Protected Mode Only:
Via interrupt or trap gate to same privilege level
Via interrupt or trap gate to fit different privilege level
Via Task Gate
IRET e Interrupt return
40 a m
78 a m
167 a m
11001111
17 a m
Protected Mode Only:
To different privilege level
To different task (NT e 1)
BOUND e Detect value out of range
31 a m
7,8,11,12,18
7,8,11,12,18
7,8,11,12,18
2,4
55 a m
169 a m
01100010
mod reg
r/m
13*
13*
(Use INT clock
count if
exception 5)
8,9,11,12,15,18
8,9,11,12,15,18
8,9,11,12,18
2,6
6,8,9,11,12,18
PROCESSOR CONTROL
CLC e Clear carry
11111000
2
2
CMC e Complement carry
11110101
2
2
STC e Set carry
11111001
2
2
CLD e Clear direction
11111100
2
2
STD e Set direction
11111101
2
2
CLI e Clear interrupt
11111010
3
3
14
STI e Set interrupt
11111011
2
2
14
HLT e Halt
11110100
2
2
13
WAIT e Wait
10011011
3
3
LOCK e Bus lock prefix
11110000
0
0
CTS e Clear task switched flag
00001111
00000110
ESC e Processor Extension Escape
11011TTT
mod LLL
r/m
14
2
2
3
13
9–20*
9–20*
5,8
8,17
0
0
9,13
(TTT LLL are opcode to processor extension)
SEG e Segment Override Prefix
001 reg 110
PROTECTION CONTROL
LGDT e Load global descriptor table register
00001111
00000001
mod 0 1 0
r/m
11*
11*
2,3
SGDT e Store global descriptor table register
00001111
00000001
mod 0 0 0
r/m
11*
11*
2,3
9
LIDT e Load interrupt descriptor table register
00001111
00000001
mod 0 1 1
r/m
12*
12*
2,3
9,13
SIDT e Store interrupt descriptor table register
00001111
00000001
mod 0 0 1
r/m
12*
12*
2,3
9
LLDT e Load local descriptor table register
from register memory
00001111
00000000
mod 0 1 0
r/m
17,19*
1
9,11,13
SLDT e Store local descriptor table register
to register/memory
00001111
00000000
mod 0 0 0
r/m
2,3*
1
9
Shaded areas indicate instructions not available in M8086, 88 microsystems.
58
M80C286
M80C286 INSTRUCTION SET SUMMARY (Continued)
CLOCK COUNT
FUNCTION
Real
Address
Mode
FORMAT
COMMENTS
Protected
Virtual
Address
Mode
Real
Address
Mode
Protected
Virtual
Address
Mode
PROTECTION CONTROL (Continued)
LTR e Local task register
from register/memory
00001111
00000000
mod 0 1 1
r/m
17,19*
1
9,11,13
STR e Store task register
to register memory
00001111
00000000
mod 0 0 1
r/m
2,3*
1
9
LMSW e Load machine status word
from register/memory
00001111
00000001
mod 1 1 0
r/m
3,6*
3,6*
2,3
9,13
SMSW e Store machine status word
00001111
00000001
mod 1 0 0
r/m
2,3*
2,3*
2,3
9
LAR e Load access rights
from register/memory
00001111
00000010
mod reg
r/m
14,16*
1
9,11,16
LSL e Load segment limit
from register/memory
00001111
00000011
mod reg
ARPL e Adjust requested privilege level:
from register/memory
14,16*
1
9,11,16
01100011
mod reg
r/m
r/m
10*,11*
2
8,9
VERR e Verify read access: register/memory
00001111
00000000
mod 1 0 0 r/m
14,16*
1
9,11,16
VERR e Verify write access:
00001111
00000000
mod 1 0 1 r/m
14,16*
1
9,11,16
Shaded areas indicate instructions not available in M8086, 88 microsystems.
59
M80C286
Footnotes
The Effective Address (EA) of the memory operand
is computed according to the mod and r/m fields:
if mod e 11 then r/m is treated as a REG field
if mod e 00 then DISP e 0*, disp-low and disp-high
are absent
if mod e 01 then DISP e disp-low sign-extended to
16 bits, disp-high is absent
if mod e 10 then DISP e disp-high: disp-low
if
if
if
if
if
if
if
if
r/m
r/m
r/m
r/m
r/m
r/m
r/m
r/m
e
e
e
e
e
e
e
e
000
001
010
011
100
101
110
111
then
then
then
then
then
then
then
then
EA
EA
EA
EA
EA
EA
EA
EA
e
e
e
e
e
e
e
e
(BX) a (SI) a
(BX) a (DI) a
(BP) a (SI) a
(BP) a (DI) a
(SI) a DISP
(DI) a DISP
(BP) a DISP*
(BX) a DISP
DISP
DISP
DISP
DISP
REG is assigned according to the following table:
8-Bit (w e 0)
16-Bit (w e 1)
000 AX
000 AL
001 CX
001 CL
010 DX
010 DL
011 BX
011 BL
100 SP
100 AH
101 BP
101 CH
101 SI
110 DH
111 DI
111 BH
The physical addresses of all operands addressed
by the BP register are computed using the SS segment register. The physical addresses of the destination operands of the string primitive operations
(those addressed by the DI register) are computed
using the ES segment, which may not be overridden.
DISP follows 2nd byte of instruction (before data if
required)
*except if mod e 00 and r/m e 110 then EQ e disp-high: disp-low.
SEGMENT OVERRIDE PREFIX
0 0 1 reg 1 1 0
reg is assigned according to the following:
reg
00
01
10
11
Segment
Register
ES
CS
SS
DC
INTEL CORPORATION, 2200 Mission College Blvd., Santa Clara, CA 95052; Tel. (408) 765-8080
INTEL CORPORATION (U.K.) Ltd., Swindon, United Kingdom; Tel. (0793) 696 000
INTEL JAPAN k.k., Ibaraki-ken; Tel. 029747-8511