
Real-address Mode

April 2nd, 2005 esteve

This is an explanation of the Real-address mode of Intel's x86 processors. It is a subsection of the target architecture chapter.

Real-address Mode

This mode is provided on the Intel x86 family to emulate the behavior of an 8086 computer; it exists for backward compatibility with older operating systems.
When the system is started the CPU starts in Real-address mode and behaves exactly as an 8086 system with a fast processor.
The instruction set is the same as that of an 8086 system but extended, which means it is backward compatible with software designed for the 8086.

It is the job of the operating system or the bootloader to take the CPU to further modes. In this mode we have a large set of limitations, which are typical
of 8086 systems. Some of the most important features of this mode are the following (this data is taken from the Intel datasheet for Pentium processors, Volume 3; these features do not include the extended set and are native to 8086 systems):

  • The processor supports up to 1 MB of physical memory (20-bit addresses). The address space is divided into 64 KB segments. The base of a segment is selected
    with a 16-bit segment selector, which is zero-extended (shifted left 4 bits) to form the 20-bit offset from address 0. Operands in a segment are addressed with a 16-bit
    offset from the base of the segment. Physical addresses are 20 bits wide and are formed by adding the 16-bit segment offset to the 20-bit segment base.
  • Native operands are 8 or 16 bits.
  • Eight 16-bit general-purpose registers are provided: AX, BX, CX, DX, SP, BP, SI, and DI.
  • Four segment registers are provided: CS, DS, SS, and ES. The CS register contains the segment selector for the code segment; the DS and ES
    registers contain segment selectors for data segments; and the SS register contains the segment selector for the stack segment.
  • The 8086 16-bit instruction pointer (IP) is mapped to the lower 16-bits of the EIP register. Note this register is a 32-bit
    register and unintentional address wrapping may occur.
  • The 16-bit FLAGS register contains status and control flags.
  • All of the Intel 8086 instructions are supported.
  • A single, 16-bit-wide stack is provided for handling procedure calls and invocations of
    interrupt and exception handlers. This stack is contained in the stack segment identified
    with the SS register. The SP (stack pointer) register contains an offset into the stack
    segment. The stack grows down (toward lower segment offsets) from the stack pointer.
    The BP (base pointer) register also contains an offset into the stack segment that can be
    used as a pointer to a parameter list. When a CALL instruction is executed, the processor
    pushes the current instruction pointer (the 16 least-significant bits of the EIP register and,
    on far calls, the current value of the CS register) onto the stack. On a return, initiated with
    a RET instruction, the processor pops the saved instruction pointer from the stack into the
    EIP register (and CS register on far returns). When an implicit call to an interrupt or
    exception handler is executed, the processor pushes the EIP, CS, and EFLAGS (low-order
    16-bits only) registers onto the stack. On a return from an interrupt or exception handler,
    initiated with an IRET instruction, the processor pops the saved instruction pointer and
    EFLAGS image from the stack into the EIP, CS, and EFLAGS registers.
  • A single interrupt table, called the interrupt vector table or interrupt table, is provided
    for handling interrupts and exceptions. The interrupt table (which has 4-byte entries) takes the place of the interrupt descriptor table
    (IDT, with 8-byte entries) used when handling protected-mode interrupts and exceptions. Interrupt and exception vector numbers provide an index to
    entries in the interrupt table. Each entry provides a pointer (called a vector) to an interrupt- or exception-handling procedure.
  • The FPU is the same as that on 8086 systems; all programs can be run as if the math unit were the same.

Segments

The way the 8086 does segmentation differs from typical segmentation systems: the segment selector does not reference an entry in a segment table,
but is the base of the segment itself.

As an example, let's imagine we are working with the Data Segment register (DS). This is a 16-bit register; to form the base address of the segment it is
shifted left 4 bits. For example, DS=0x07C0 gives a base address of 0x7C00, and every data access made through this DS register is added to that base.
So if we want to access the 16-bit data address 0x7 we would be accessing the physical address 0x7C07. This is how segmentation works under real-address mode.

The segment and offset are often written as Segment:Offset. In our example that is 07C0:0007 which, as we have just seen, refers to address 0x7C07.

A20 Line

The segment and offset structure makes it possible to form a 21-bit address. As an example, take the address FFFF:FFFF: this is base FFFF0 plus offset FFFF, which
is the physical address 10FFEF. This has the 21st bit set to 1. On the 8086 and 8088 the physical wiring was 20 bits wide, so this 21st bit was ignored and the address
was treated as if it were address FFEF. Software had to be aware of this address wrapping.

When the Intel 80286 came out it had 24 address lines and support for both real and protected modes. Under real-address mode there was a bug in the processor:
the 21st line was not zeroed, which made the first 64 KB (less 16 bytes) above 1 MB available in real-address mode. This address range (100000-10FFEFh) is
called the high memory area (HMA).

To ensure compatibility with old 8086 programs, under the AT specification IBM used a spare pin on the keyboard controller to control this address line,
the A20 line (21st address line). Using the keyboard controller, software can turn this line on and off, enabling or disabling the wraparound.

Later on, the manipulation of the A20 line was left to the BIOS. This is one of the many design bugs that persist in the Intel processor family,
though it makes compatibility possible.

Care should be taken that the A20 line is handled correctly before entering protected mode. If the A20 line is zeroed we will only be able to
access half of our address space: only the even-numbered MB-sized chunks will be accessible.
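The address arithmetic of the Segments and A20 Line sections, as an added C example that is not part of the original post. The function names are hypothetical; `a20_filter` generalizes the wraparound to any physical address to show the "even MB chunks" effect, and `real_mode_alias_count` shows how many segment:offset pairs name one physical address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A20 gate: when disabled, address line 20 (the 21st bit) is forced to 0. */
uint32_t a20_filter(uint32_t addr, bool a20_enabled)
{
    return a20_enabled ? addr : (addr & ~(1u << 20));
}

/* Physical address for segment:offset in real-address mode. */
uint32_t real_mode_phys(uint16_t seg, uint16_t off, bool a20_enabled)
{
    uint32_t linear = ((uint32_t)seg << 4) + off;  /* base = selector << 4 */
    return a20_filter(linear, a20_enabled);        /* linear <= 0x10FFEF */
}

/* Two pairs alias when they resolve to the same physical address. */
bool real_mode_alias(uint16_t s1, uint16_t o1, uint16_t s2, uint16_t o2, bool a20)
{
    return real_mode_phys(s1, o1, a20) == real_mode_phys(s2, o2, a20);
}

/* How many segment:offset pairs name one physical address (A20 enabled).
 * Code that compares or bounds-checks far pointers must compare the
 * physical address, not the raw pair. */
unsigned real_mode_alias_count(uint32_t phys)
{
    unsigned n = 0;
    for (uint32_t seg = 0; seg <= 0xFFFF; seg++) {
        uint32_t base = seg << 4;
        if (base <= phys && phys - base <= 0xFFFF)
            n++;
    }
    return n;
}

int main(void)
{
    printf("07C0:0007 -> %05X\n", (unsigned)real_mode_phys(0x07C0, 0x0007, true));
    printf("FFFF:FFFF -> %06X (A20 on), %06X (A20 off)\n",
           (unsigned)real_mode_phys(0xFFFF, 0xFFFF, true),
           (unsigned)real_mode_phys(0xFFFF, 0xFFFF, false));
    printf("B800:0000 aliases B000:8000: %d\n",
           real_mode_alias(0xB800, 0x0000, 0xB000, 0x8000, true));
    printf("3 MB with A20 off -> %06X\n", (unsigned)a20_filter(0x300000, false));
    return 0;
}
```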

Interrupt and Exception Handling

In real-address mode the software must provide the handling facilities, separately from those of protected mode. When the processor receives an interrupt or
exception it refers to an interrupt table, called the IVT (interrupt vector table), and uses the number of the interrupt vector as an index into it.
The IVT provides a pointer to the handler function for each vector. The pointer is a segment and offset pair, and each entry is 4 bytes.

The processor does the following to access the handling function:

  • The interrupt is received by the processor.
  • Stores the current values of the CS and IP registers onto the stack.
  • Pushes the low-order 16 bits of the EFLAGS register onto the stack.
  • Clears the IF flag in the EFLAGS register to disable interrupts.
  • Clears the TF, RF, and AC flags in the EFLAGS register.
  • Transfers program control to the location specified in the interrupt vector table.

To return from an interrupt the IRET instruction is used; it does the inverse of what has just been described.

Following reset, the base of the interrupt vector table is located at physical address 0 and its limit is set to
3FFH. In the Intel 8086 processor, the base address and limit of the interrupt vector table cannot
be changed. In the later IA-32 processors, the base address and limit of the interrupt vector table
are contained in the IDTR register and can be changed using the LIDT instruction.
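The interrupt entry and IRET sequence described above, modelled as an added C example that is not part of the original post. The `struct cpu`, the 1 MB `mem` array and all function names are hypothetical; `ivt_limit` stands in for the table limit, and the table base is kept at physical address 0.

```c
#include <stdint.h>
#include <stdio.h>

#define FLAG_TF 0x0100u            /* trap flag */
#define FLAG_IF 0x0200u            /* interrupt-enable flag */
#define M(a) mem[(a) & 0xFFFFFu]   /* constructed 1 MB memory, wraps at 1 MB */

/* Hypothetical CPU model; ivt_limit stands in for the table limit (0x3FF at reset). */
struct cpu { uint16_t cs, ip, ss, sp, flags, ivt_limit; };
static uint8_t mem[1u << 20];

static uint16_t rd16(uint32_t a) { return (uint16_t)(M(a) | (M(a + 1) << 8)); }
static void wr16(uint32_t a, uint16_t v) { M(a) = (uint8_t)v; M(a + 1) = (uint8_t)(v >> 8); }
static void push16(struct cpu *c, uint16_t v)
{
    c->sp -= 2;                               /* stack grows down inside SS */
    wr16(((uint32_t)c->ss << 4) + c->sp, v);
}
static uint16_t pop16(struct cpu *c)
{
    uint16_t v = rd16(((uint32_t)c->ss << 4) + c->sp);
    c->sp += 2;
    return v;
}

/* Interrupt entry; returns -1 if the 4-byte entry would cross the table limit. */
int deliver_interrupt(struct cpu *c, uint8_t vector)
{
    uint32_t entry = (uint32_t)vector * 4;    /* table base is physical address 0 */
    if (entry + 3 > c->ivt_limit)
        return -1;
    push16(c, c->flags);                      /* frame from SP upward: IP, CS, FLAGS */
    push16(c, c->cs);
    push16(c, c->ip);
    c->flags &= (uint16_t)~(FLAG_IF | FLAG_TF); /* RF and AC sit above bit 15 */
    c->ip = rd16(entry);                      /* low word: offset */
    c->cs = rd16(entry + 2);                  /* high word: segment */
    return 0;
}
/* IRET pops IP, CS and FLAGS, undoing the three pushes. */
void iret(struct cpu *c) { c->ip = pop16(c); c->cs = pop16(c); c->flags = pop16(c); }

int main(void)
{
    struct cpu c = { 0x1000, 0x0123, 0x2000, 0x0100, 0x0302, 0x3FF };
    wr16(0x21 * 4, 0x5678); wr16(0x21 * 4 + 2, 0xF000);  /* constructed vector 0x21 */
    deliver_interrupt(&c, 0x21);
    printf("handler %04X:%04X flags %04X\n", c.cs, c.ip, c.flags);
    return 0;
}
```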

  1. Mario
    November 13th, 2009 at 18:35 | #1

    Excuse me a question. How the cpu controls that two physical address point on the same offset (for instance: B800:0000 and B000:8000)? There is not a segment table!? Thanks Mario
