1
®
March 1997
80C286
High Performance Microprocessor
with Memory Management and Protection
Features
Compatible with NMOS 80286
Wide Range of Clock Rates
- DC to 25MHz (80C286-25)
- DC to 20MHz (80C286-20)
- DC to 16MHz (80C286-16)
- DC to 12.5MHz (80C286-12)
- DC to 10MHz (80C286-10)
Static CMOS Design for Low Power Operation
- ICCSB = 5mA Maximum
- ICCOP = 185mA Maximum (80C286-10)
220mA Maximum (80C286-12)
260mA Maximum (80C286-16)
310mA Maximum (80C286-20)
410mA Maximum (80C286-25)
High Performance Processor (Up to 19 Times the 8086
Throughput)
Large Address Space
16 Megabytes Physical/1 Gigab yte Virtual per Task
Integrated Memory Management, Four-Level Memory
Protection and Support for Virtual Memory and Operat-
ing Systems
Two 80C86 Upward Compatible Operating Modes
- 80C286 Real Address Mode
- PVAM
Compatible with 80287 Numeric Data Co-Processor
High Bandwid th Bus In te rfa c e (2 5 Me ga by te /Se c)
Available In
- 68 Pin PGA (Co mmercial, Industrial, and Military)
- 68 Pin PLCC (Commer cial and Industrial)
Description
The Intersil 80C286 is a static CMOS version of the NMOS
80286 microprocessor. The 80C286 is an advanced, high-
performance microprocessor with specially optimized capa-
bilities for multiple user and multi-tasking systems. The
80C286 has built-in memory protection that supports operat-
ing system and task isolation as well as program and data
privacy within tasks. A 25MHz 80C286 provides up to nine-
teen times the throughput of a standard 5MHz 8086. The
80C286 includes memory management capabilities that map
230 (one gigabyte) of virtual addres s space per task into 2 24
bytes (16 megabytes) of physical memory.
The 80C286 is upwardly compatible with 80 C86 and 80C88
software (the 80C286 instruction set is a superset of the
80C86/80C88 instruction set). Using the 80C286 real
address mode, the 80C286 is object code compatible with
existing 80C86 and 80C88 software. In protected virtual
address mode, the 80C286 is source code compatible with
80C86 and 80C88 software but may require upgrading to
use virtual address as su pported by the 80C286’s integrated
memory management and protection mechanism. Both
modes operate at full 80C286 performance and execute a
superset of the 80C86 and 80C88 instructions.
The 80C286 provide s special operations to support the e ffi-
cient implementation and execution of operating systems.
For example, one i nstruction can end execution of on e task,
save its state, switch to a new task, load its state, and start
execution of the new task. The 80C286 also supports virtual
memory systems by providing a segment-not-present excep-
tion and restartable instructions.
Ordering Information
PACKAGE TEMP. RANGE 10MHz 12.5MHz 16MHz 20MHz 25MHz PKG. NO.
PGA 0oC to +70oC - CG80C286-12 CG80C286-16 CG80C286-20 - G68.B
-40oC to +85oC IG80C286-10 IG80C286-12 - - - G68.B
-55oC to +125oC 5962-
9067801MXC 5962-
9067802MXC ---G68.B
PLCC 0oC to +70oC - CS80C286-12 CS80C286-16 CS80C286-20 CS80C286-25 N68.95
-40oC to +85oC IS80C286-10 IS80C286-12 IS80C286-16 IS80C286-20 - N68.95
FN2947.2
CAUTION: These devices are sensitive to electrostatic discharge; follow proper IC Handling Procedures.
1-888-INTERSIL or 321-724-7143 |Intersil (and design) is a registered trademark of Intersil Americas Inc.
Copyright © Intersil Americas Inc. 2003. All Rights Reserved
All other trademarks mentioned are the property of their respective owners.
2
Pinouts
68 LEAD PGA
Component Pad View - As viewed from underside of the component when mounted on the board.
68 LEAD PGA
P.C. Board View - As viewed from the component side of the P.C. board.
68
66
64
62
60
58
56
54
5253
51
55
57
59
61
63
65
67
2
13
579
10 4
6812
1113
1416
1517
1918
2120
22
24
26
28
30
32
34
23
25
27
29
31
33
36
35 37
38 40
39 41
42 44
43 45
46 48
47 49
50
ERROR
D7
D6
D5
D4
D3
D2
D1
D0
NC
S1
PEACK
A22
A21
A19
A17
A15
A12
D0
A1
CLK
RESET
A4
A6
A8
A10
A12
ERROR
NC
INTR
NMI
PEREQ
READY
HLDA
M/IO
NC
NC
BUSY
NC
NC
VSS
VCC
HOLD
COD/INTA
LOCK
D15
D14
D13
D12
D11
D10
D9
D8
VSS
BHE
NC
S0
A23
VSS
A20
A18
A16
A14
A0
A2
VCC
A3
A5
A7
A9
A11
A13
PIN 1 INDICATOR
68
66
64
62
60
58
56
54
52 53
51
55
57
59
61
63
65
67
2
13579
10
468 12
11 13
14 16
15 17
19 18
21 20
22
24
26
28
30
32
34
23
25
27
29
31
33
36
3537
3840
3941
4244
4345
4648
4749
50
ERROR
D7
D6
D5
D4
D3
D2
D1
D0
NC
S1
PEACK
A22
A21
A19
A17
A15
A12
D0
A1
CLK
RESET
A4
A6
A8
A10
A12
ERROR
NC
INTR
NMI
PEREQ
READY
HLDA
M/IO
NC
NC
BUSY
NC
NC
VSS
VCC
HOLD
COD/INTA
LOCK
D15
D14
D13
D12
D11
D10
D9
D8
VSS
BHE
NC
S0
A23
VSS
A20
A18
A16
A14
A0
A2
VCC
A3
A5
A7
A9
A11
A13
PIN 1 INDICATOR
80C286
3
68 LEAD PLCC
P.C. Board View - As viewed from the component side of the P.C. board.
Functional Diagram
Pinouts (Continued)
68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52
51
50
49
48
47
46
45
44
43
42
41
40
39
38
37
36
35
3418 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
D15
D7
D14
D6
D13
D5
D12
D4
D11
D3
D10
D2
D9
D1
D8
D0
VSS
BHE
NC
NC
S1
S0
PEACK
A23
A22
VSS
A21
A20
A19
A18
A17
A16
A15
A14
LOCK
M/IO
COD/INTA
HLDA
HOLD
READY
VCC
PEREQ
VSS
NMI
NC
INTR
NC
NC
BUSY
ERROR
NC
A13
A12
A11
A10
A9
A8
A7
A6
A5
A4
A3
RESET
VCC
CLK
A2
A1
A0
OFFSET
ADDER SEGMENT
LIMIT
CHECKER
SEGMENT
BASES
SEGMENT
SIZES
PHYSICAL
ADDRESS
ADDER
ALU
CONTROL
REGISTERS
ADDRESS
LATCHES AND DRIVERS
PRE-
BUS CONTROL
FETCHER
PROCESSOR
EXTENSION
INTERFACE
DATA TRANSCEIVERS
6-BYTE
PREFETCH
QUEUE
INSTRUCTION
UNIT (IU)
BUS UNIT (BU)
EXECUTION UNIT (EU)
ADDRESS UNIT (AU) A23 - A0,
BHE, M/IO
PEACK
3 DECODED
INSTRUCTION
QUEUE
INSTRUCTION
DECODER
PEREQ
READY,
HOLD,
S1, S0,
COD/INTA,
LOCK, HLDA
D15 - D0
RESET
CLK
VSS
VCC
NMI BUSY
ERRORINTR
80C286
4
Pin Descriptions The following pin function descriptions are for the 80C286 microprocessor.
SYMBOL PIN
NUMBER TYPE DESCRIPTION
CLK 31 I SYSTEM CLOCK: provides the fundamental timing for the 80C286 system. It is divided by two inside
the 80C286 to generate the processor clock. The internal divide-by-two circuitry can be synchro-
nized to an external clock generator by a LOW to HIGH transition on the RESET input.
D15 - D036 - 51 I/O DATA BUS: inputs data during memory, I/O, and interrupt acknowledge read cycles; outputs data
during memory and I/O write cycles. The data bus is active HIGH and is held at high impedance to
the last valid logic level during bus hold acknowledge.
A23 - A07 - 8
10 - 28
32 - 43
O ADDRESS BUS: outputs physical memory and I/O port addresses. A23 - A16 are LOW during I/O
transfers. A0 is LOW when data is to be transferred on pins D7 - D0 (see table below). The address
bus is active High and floats to three-state off during bus hold acknowledge.
BHE 1 O BUS HIGH ENABLE: indicates tran sf er of dat a on the upper byte of the dat a bu s, D 15 - D8. Eight-bit
oriented devices assigned to the up per byte of the data bus would normally use BHE to condition chip
select functions. BHE is act ive LOW a nd f lo ats t o th ree-state OFF during bus ho ld acknowledge.
S1, S0 4, 5 O BUS CYCLE STATUS: indicates initiation of a bus cycle and along with M/IO and COD/lNTA, de-
fines the type of bus cycle. The bus is in a TS state whenever one or both are LOW. S1 and S0 are
active LOW and are held at a high impedance logic one during bus hold acknowledge.
BHE AND A0 ENCODINGS
BHE VALUE A0 VALUE FUNCTION
0 0 Word transfer
0 1 Byte transfer on upper half of data bus (D15 - D8)
1 0 Byte transfer on lower half of data bus (D7 - D0)
11Reserved
80C286 BUS CYCLE STATUS DEFINITION
COD/INTA M/IO S1 S0 BUS CYCLE INITIATED
0(LOW) 0 0 0 Interrupt acknowledge
0001Reserved
0010Reserved
0 0 1 1 None; not a status cycle
0 1 0 0 If A1 = 1 then halt; else shutdown
0 1 0 1 Memory data read
0 1 1 0 Memory data write
0 1 1 1 None; not a status cycle
1(HIGH) 0 0 0 Reserved
1 0 0 1 I/O read
1 0 1 0 I/O write
1 0 1 1 None; not a status cycle
1100Reserved
1 1 0 1 Memory instruction read
1110Reserved
1 1 1 1 None; not a status cycle
80C286
5
M/IO 67 O MEMORY I/O SELECT: distinguishes memory access from I/O access. If HIGH during TS, a mem-
ory cycle or a halt/shutdown cycle is in progress. If LOW, an I/O cycle or an interrupt acknowledge
cycle is in progress. M/IO is held at high impedance to the last valid logic state during bus hold ac-
knowledge.
COD/lNTA 66 O CODE/INTERRUPT ACKNOWLEDGE: distinguishes instruction fetch cycles from memory data
read cycles. Also distinguishes interrupt acknowledge cycles from I/O cycles. COD/lNTA is held at
high impedance to the last valid logic state during bus hold acknowledge. Its timing is the same as
M/IO.
LOCK 68 O BUS LOCK: indicates that other system bus masters are not to gain control of the system bus for
the current and following bus cycles. The LOCK signal may be activated explicitly by the “LOCK”
instruction prefix or automatically by 80C286 hardware during memory XCHG instructions, interrupt
acknowledge, or descriptor table access. LOCK is active LOW and is held at a high impedance logic
one during bus hold acknowledge.
READY 63 l BUS READY: terminates a bus cycle. Bus cycles are extended without limit until terminated by
READY LOW. READY is an active LOW synchronous input requiring setup and hold times relative
to the system clock be met for correct operation. READY is ignored during bus hold acknowledge.
(See Note 1)
HOLD
HLDA 64
65 I
OBUS HOLD REQUEST AND HOLD ACKNOWLEDGE: control ownership of the 80C286 local bus.
The HOLD input allows another local bus master to request control of the local bus. When control is
granted, the 80C286 will float its bus drivers and then activate HLDA, thus entering the bus hold ac-
knowledge condition. The local bus will remain granted to the requesting master until HOLD be-
comes inactive which results in the 80C286 deactivating HLDA and regaining control of the local
bus. This terminates the bus hold acknowledge condition. HOLD may be asynchronous to the sys-
tem clock. These signals are active HIGH. Note that HLDA never floats.
INTR 57 I INTERRUPT REQUEST: requires the 80C286 to suspend its current program execution and service
a pending external request. Interrupt requests are masked whenever the interrupt enable bit in the
flag word is cleared. When the 80C286 responds to an interrupt request, it performs two interrupt
acknowledge bus cycles to read an 8-bit interrupt vector that identifies the source of the interrupt.
To ensure program interruption, INTR must remain active until an interrupt acknowledge bus cycle
is initiated. INTR is sampled at the beginning of each processor cycle and must be active HIGH at
least two processor cycles before the current instruction ends in order to interrupt before the next
instruction. INTR is level sensitive, active HIGH, and may be asynchronous to the system clock.
NMI 59 l NON-MASKABLE INTERRUPT REQUEST: interrupts the 80C286 with an internally supplied vector
value of two. No interrupt acknowledge cycles are performed. The interrupt enable bit in the 80C286
flag word does not affect this input. The NMI input is active HIGH, may be asynchronous to the sys-
tem clock, and is edge triggered after internal synchronization. For proper recognition, the input must
have been previously LOW for at least four system clock cycles and remain HIGH for at least four
system clock cycles.
PEREQ
PEACK 61
6l
OPROCESSOR EXTENSION OPERAND REQUEST AND ACKNOWLEDGE: extend the memory
management and protection capabilities of the 80C286 to processor extensions. The PEREQ input
requests the 80C286 to perform a data operand transfer for a processor extension. The PEACK out-
put signals the processor extension when the requested operand is being transferred. PEREQ is ac-
tive HIGH. PEACK is active LOW and is held at a high impedance logic one during bus hold
acknowledge. PEREQ may be asynchronous to the system clock.
BUSY
ERROR 54
53 l
IPROCESSOR EXTENSION BUSY AND ERROR: indicates the operating condition of a processor
extension to the 80C286. An active BUSY input stops 80C286 program execution on WAIT and
some ESC instructions until BUSY becomes inactive (HIGH). The 80C286 may be interrupted while
waiting for BUSY to become inactive. An active ERROR input causes the 80C286 to perform a pro-
cessor extension interrupt when executing WAIT or some ESC instructions. These inputs are active
LOW and may be asynchronous to the system clock.
Pin Descriptions The following pin function descriptions are for the 80C286 microprocessor. (Continued)
SYMBOL PIN
NUMBER TYPE DESCRIPTION
80C286
6
Functional Description
Introduction
The Intersil 80C286 microprocessor is a static CMOS ver-
sion of the NMOS 80286 microprocessor. The 80C286 is an
advanced, high-performance microprocessor with specially
optimized capabilities for multiple user and multi-tasking sys-
tems. Depending on the application, the 80C286's perfor-
mance is up to nineteen times faster than the standard
5MHz 8086's, while providing complete upward software
compatibility with Intersil 80C86 and 80C88 CPU family.
The 80C286 operates in two modes: 80C286 real address
mode and protected virtual address mode. Bo th mode s exe-
cute a superset of the 80C86 and 80C88 instruction set.
In 80C286 real address mode programs use real addresses
with up to one megabyte of address space. Programs use vir-
tual addresses in protected virtual address mode, also called
protected mode. In protected mode, the 80C286 CPU automat-
ically maps 1 gigabyte of virtual addresses per task into a 16
megabyte real address spa ce. This mode also provides mem-
ory protection to isolate the operating system and ensure pri-
vacy of each tasks' programs and data. Both modes provide
the same base instruction set, registers and addressing modes.
The Functional Description describes the following: Static oper-
ation, the base 80C286 architecture common to both modes,
80C286 real address mode, and finally, protected mode.
Static Operation
The 80C286 is comprised of completely static circuitry.
Internal registers, counters, and latches are static and
require no refresh as with dynamic circuit de sig n. This elim-
inates the minimum operatin g fre quency restricti on typically
placed on microprocessors. The CMOS 80C286 can oper-
ate from DC to the specified upper frequency limit. The
clock to the processor may be stopped at any point (either
phase one or phase two of the processor clock cycle) and
held there indefinitely. There is, however, a significant
decrease in power requirement if the clock is stopped in
phase two of the processor clo ck cycle. Detai ls on the clock
relationships will be discussed in the Bus Operation sec-
tion. The ability to stop the clock to the processor is espe-
cially useful for system debug or power critical applicatio ns.
RESET 29 l SYSTEM RESET: clears the internal logic of the 80C286 and is active HIGH. The 80C286 may be
reinitialize at any time with a LOW to HIGH transition on RESET which remains activ e for more than
16 system clock cycles. During RESET active, the output pins of the 80C286 enter the state shown
below.
Operation of the 80C286 begins after a HlGH to LOW transition on RESET. The HIGH to LOW
transition of RESET must be synchronous to the system clock. Approximately 50 system clock
cycles are required by the 80C286 for internal initializations b efore the first bus cycle to fetch code
from the power-on execution address is performed. A LOW to HIGH transition of RESET
synchronous to the system clock will end a processor cycle at the second HIGH to LOW transition
of the system clock. The LOW to HIGH transition of RESET may be asynchronous to the system
clock; however, in this case it cannot be predetermined which phase of the processor clock will occur
during the next system clock period. Synchronous LOW to HIGH transitions of RESET are required
only for systems where the processor clock must b e phase synchronous to another clock.
VSS 9, 35, 60 l SYSTEM GROUND: are the ground pins (all must be connected to system ground).
VCC 30, 62 l SYSTEM POWER: +5V power supply pins. A 0.1µF capacitor between pins 60 and 62 is recommended.
NOTES:
1. READY is an open-collector signal and should be pulled inactive with an appropriate resistor (620 at 10MHz and 12.5MHz, 470 at
16MHz, 390 at 20MHz, 270 at 25MHz).
2. HLDA is only Low if HOLD is inactive (Low).
3. All unused inputs should be pulled to their inactive state with pull up/down resistors.
Pin Descriptions The following pin function descriptions are for the 80C286 microprocessor. (Continued)
SYMBOL PIN
NUMBER TYPE DESCRIPTION
80C286 PIN STATE DURING RESET
PIN VALUE PIN NAMES
1 (HIGH) S0, S1, PEACK, A23 - A0, BHE, LOCK
0 (LOW) M/IO, COD/lNTA, HLDA (Note 2)
HIGH IMPEDANCE D15 - D0
80C286
7
The 80C286 can be single-stepped using only the CPU
clock. This state can be maintained as long as necessary.
Single step clock information allows simple interface circuitry
to provide critical information for system debug.
Static design also allows very low frequency operation
(down to DC). In a power critical situation, this can provide
low power operation since 80C286 power dissipation is
directly related to operating frequency. As the system fre-
quency is reduced, so is the operating power until, ulti-
mately, with the clock stopped in phase two of the processor
clock cycle, the 80C286 power requirement is the standby
current (5mA maximum).
80C286 Base Architecture
The 80C86, 80C8 8, and 80C286 CPU family all contain the
same basic set of registers, instructions, and addressing
modes. The 80C286 processor is upwardly compatible with
the 80C86 and 80C88 CPU's.
Register Set
The 80C286 base architecture has fifteen registers as
shown in Figure 1. These registers are grouped into the fol-
lowing four categories.
GENERAL REGISTERS: Eight 16-bit general purpose regis-
ters used to contain arithmetic and logical operand s. Four of
these (AX, BX, CX and DX) can be used either in their
entirety as 16-bit words or split into pairs of separate 8-bit
registers.
SEGMENT REGISTERS: Four 16-bit special p urpose regis-
ters select, at any give n time, the segments of memory that
are immediately addressable for code, stack and data. (For
usage, refer to Memory Organization.)
BASE AND INDEX REGISTERS: Four of the general pur-
pose registers may also be used to determine offset
addresses of operands in memory. These registers may
contain base addresses or indexes to particular locations
within a segment. The addressing mode determines the spe-
cific registers used for operand address calculations.
STATUS AND CONTROL REGISTERS: Three 16-bit spe-
cial purpose registers record or control certain aspects of the
80C286 processor state. These include the Flags register
and Machine Status Word register shown in Figure 2, and
the Instruction Pointer, which contains the offset address of
the next sequential instruction to be executed.
Flags Word Descrip tion
The Flags word (Flags) records specific characteristics of
the result of logical and arithmetic instructions (bits 0, 2, 4, 6,
7 and 11) and contro ls the operation of the 80C286 within a
given operating mo de (bits 8 and 9). Flags is a 16-bit regis-
ter. The function of the flag bits is given in Table 1.
AH AL
DL
CL
BL
DH
CH
BH
AX
DX
CX
BX
BP
SI
DI
SP
BYTE
ADDRESSABLE
(8-BIT
REGISTER
NAMES
SHOWN)
MULTIPLY/DIVIDE
I/O INSTRUCTIONS
LOOP/SHIFT/REPEAT
BASE REGISTERS
COUNT
INDEX REGISTERS
STACK POINTER
15 0
0707
SPECIAL
REGISTER
FUNCTIONS
16-BIT
REGISTER
NAME
GENERAL
REGISTERS
CS
DS
SS
ES
015
CODE SEGMENT
SEGMENT
REGISTERS
SELECTOR
DATA SEGMENT
SELECTOR
STACK SEGMENT
SELECTOR
EXTRA SEGMENT
SELECTOR
F
015
FLAGS
INSTRUCTION
MACHINE
POINTER
STATUS WORD
IP
MSW
STATUS AND CONTROL
REGISTERS
FIGURE 1. REGISTER SET
80C286
8
TABLE 1. FLAGS WORD BIT FUNCTIONS
BIT POSITION NAME FUNCTION
0 CF Carry Flag - Set on high-order bit carry or borrow; cleared otherwise.
2 PF Parity Flag - Set if low-order 8 bits of result contain an even number of 1 bits; cleared otherwise.
4 AF Set on carry from or borrow to the low order four bits of AL; cleared otherwise.
6 ZF Zero Flag - Set if result is zero; cleared otherwise.
7 SF Sign Flag - Set equal to high-order bit of result (0 if positive, 1 if negative).
11 OF Overflow Flag - Set if result is a too-large positive number or a too-small negative number (excluding
sign-bit) to fit in destination operand; cleared otherwise.
8 TF Single Step Flag - Once set, a single step interrupt occurs after the next instruction executes. TF is
cleared by the single step interrupt.
9 IF Interrupt-Enable Flag - When set, maskable interrupts will cause the CPU to transfer control to an inter-
rupt vector specified location.
10 DF Direction Flag - Causes string instructions to auto decrement the appropriate index registers when set.
Clearing DF causes auto increment.
CONTROL FLAGS:
TRAP FLAG
INTERRUPT ENABLE
DIRECTION FLAG
SPECIAL FIELDS:
I/O PRIVILEGE LEVEL
NESTED TASK FLAG
TS EM MP PE
CFPFAFZFSFTFIFDFOFIOPLNTFLAGS:
1415 13 12 11 10 9 8 7 6 5 4 3 2 1 0
012315
OVERFLOW
SIGN
ZERO
AUXILIARY CARRY
PARITY
CARRY
STATUS FLAGS:
MSW:
RESERVED TASK SWITCH
PROCESSOR EXTENSION EMULATED
MONITOR PROCESSOR EXTENSION
PROTECTION ENABLE
FIGURE 2. STATUS AND CONTROL REGISTER BIT FUNCTIONS
80C286
9
Instruction Set
The instruction set is divided into seven categories: data
transfer, arithmetic, string manipulation, shift/rotate/logical,
high level, processor control and control transfer instruc-
tions. These categories are summarized in Table 2.
An 80C286 instruction can refere nce zero, one, or two oper-
ands; where an operand may reside in a register, in the
instruction itself, or in memory. Zero-operand instructions
(e.g. NOP and HLT) are usually one byte long. One-operand
instructions (e.g. INC and DEC) are usually two bytes long
but some are encoded in only one byte. One-operand
instructions may reference a register or memory location.
Two-operand instructions permit the following six types of
instruction operations:
• Register to Register • Memory to Memory
• Memory to Register • Register to Memory
• Immediate to Register • Immediate to Memory
Two-operand instructions (e.g. MOV and ADD) are usually
three to six bytes long. Memory to memory operations are
provided by a special class of string instructions requiring
one to three bytes. For detailed instruction formats and
encodings refer to the instruction set summary at the end of
this document.
TABLE 2A. DATA TRANSFER INSTRUCTIONS
GENERAL PURPOSE
MOV Move byte or word
PUSH Push word onto stack
POP Pop word off stack
PUSHA Push all registers on stack
POPA Pop all registers from stack
XCHG Exchange byte or word
XLAT Translate byte
INPUT/OUTPUT
IN Input byte or word
OUT Output byte or word
ADDRESS OBJECT
LEA Load effective address
LDS Load pointer using DS
LES Load pointer using ES
FLAG TRANSFER
LAHF Load AH register from flags
SAHF Store AH register in flags
PUSHF Push flags onto stack
POPF Pop flags off stack
TABLE 2B. ARITHMETIC INSTRUC TIONS
ADDITION
ADD Add byte or word
ADC Add byte or word with carry
INC Increment byte or word by 1
AAA ASClI adjust for addition
DAA Decimal adjust for addition
SUBTRACTION
SUB Subtract byte or word
SBB Subtract byte or word with borr ow
DEC Decrement byte or word by 1
NEG Negate byte or word
CMP Compare byte or word
AAS ASClI adjust for subtraction
DAS Decimal adjust for subtraction
MULTIPLICATION
MUL Multiply byte or word unsigned
lMUL Integer multiply byte or word
AAM ASClI adjust for multiply
DIVISION
DlV Divide byte or word unsigned
lDlV Integer divide byte or word
AAD ASClI adjust for division
CBW Convert byte to word
CWD Convert word to doubleword
TABLE 2C. STRING INSTRUCTIONS
MOVS Move byte or word string
INS Input bytes or word string
OUTS Output bytes or word string
CMPS Compare byte or word string
SCAS Scan byte or word string
LODS Load byte or word string
STOS Store byte or word string
REP Repeat
REPE/REPZ Repeat while equal/zero
REPNE/REPNZ Repeat while not equal/not zero
80C286
10
TABLE 2D. SHIFT/ROTATE LOGICAL INSTRUCTIONS
LOGICALS
NOT “Not” byte or word
AND “And” byte or word
OR “Inclusive or” byte or word
XOR “Exclusive or” byte or word
TEST “Test” byte or word
SHIFTS
SHL/SAL Shift logical/arithmetic left byte or word
SHR Shift logical right byte or word
SAR Shift arithmetic right byte or word
ROTATES
ROL Rotate left byte or word
ROR Rotate right byte or word
RCL Rotate through carry left byte or word
RCR Rotate through carry right byte or word
TABLE 2E. HIGH LEVEL INSTRUCTIONS
ENTER Format stack for procedure entry
LEAVE Restore stack for procedure exit
BOUND Detects values outside prescribed range
TABLE 2F. PROCESSOR CONTROL INSTRUCTIONS
FLAG OPERATIONS
STC Set carry flag
CLC Clear carry flag
CMC Complement carry flag
STD Set direction flag
CLD Clear direction flag
STl Set interrupt enable flag
CLl Clear interrupt enable flag
EXTERNAL SYNCHRONIZATION
HLT Halt until interrupt or reset
WAIT Wait for TEST pin active
ESC Escape to exte nsion processor
LOCK Lock bus during next instruction
NO OPERATION
NOP No operation
EXECUTION ENVIRONMENT CONTROL
LMSW Load machine status word
SMSW Store machine status word
TABLE 2G. PROGRAM TRANSFER INSTRUCTIONS
CONDITIONAL TRANSFERS UNCONDITIONAL TRANSFERS
JA/JNBE Jump if above/not below nor equal CALL Call procedure
JAE/JNB Jump if above or equal/not below RET Return from procedure
JB/JNAE Jump if below/not above nor equal JMP Jump
JBE/JNA Jump if below or equal/not above
JC Jump if carry ITERATION CONTROLS
JE/JZ Jump if equal/zero LOOP Loop
JG/JNLE Jump if greater/not less nor equal
JGE/JNL Jump if greater or equal/not less LOOPE/LOOPZ Loop if equal/zero
JL/JNGE Jump if less/not greater nor equal LOOPNE/LOOPNZ Loop if not equal/not zero
JLE/JNG Jump if less or equal/not greater JCXZ Jump if register CX = 0
JNC Jump if not carry
JNE/JNZ Jump if not equal/not zero INTERRUPTS
JNO Jump if not overflow INT Interrupt
JNP/JPO Jump if not parity/parity odd
JNS Jump if not sign INTO Interrupt if overflow
JO Jump if overflow lRET Interrupt return
JP/JPE Jump if parity/parity even
JS Jump if sign
80C286
11
Memory Organization
Memory is organized as sets of variable-length segments. Each
segment is a linear contiguous sequence of up to 6 4K (216) 8-
bit bytes. Memory is addressed using a two-component
address (a pointer) that consists of a 16-bit segment selector
and a 16-bit offset. Th e segment sel ector indicates the desired
segment in memory. The offset component indicates the
desired byte address within the segment. (See Figure 3).
All instructions that address operands in memory must spec-
ify the segment and the offset. For speed and compact
instruction encoding, segment selectors are usually stored in
the high speed se gment reg ister s. An instructi on n eed spec-
ify only the desired segment register and offset in order to
address a memory operand.
Most instructions need not explicitly specify which segment
register is used. The correct segment register is automati-
cally chosen according to the rules of Table 3. These rules
follow the way programs are written (see Figure 4) as inde-
pendent modules that require areas for code and data, a
stack, and access to external data areas.
Special segment override instruction prefixes allow the
implicit segment register se lection rules to be overridden for
special cases. The stack, data and extra segments may
coincide for simple programs. To access operands not resid-
ing in one of the four immediately availab le segments, a full
32-bit pointer or a new segment selector must be loaded.
Addressing Modes
The 80C286 provides a total of eight addressing modes for
instructions to specify operands. Two addressing modes are
provided for instructions that operate on register or immedi-
ate operands:
REGISTER OPERAND MODE: The operand is located in
one of the 8 or 16-bit general register s.
IMMEDIATE OPERAND MODE: The operand is included in
the instruction.
Six modes are provided to specify the location of an operand in
a memory segment. A memory operand address consists of
two 16-bit components: segment selector and o ffset. The seg-
ment selector is supplied by a segment register either implicitly
chosen by the addressing mode or explicitly chosen by a seg-
ment override prefix. The offset is calculated by summing any
combination of the following three address elements:
the displacement (an 8 or 16-bit immediate value contained
in the instruction)
the base (contents of either the BX or BP base registers)
the index (contents of either the SI or Dl index registers)
Any carry out from the 16-bit addition is ignored. Eight-bit
displacements are sign exte nded to 16-bit values.
TABLE 3. SEGMENT REGISTER SELECTION RULES
MEMORY
REFERENCE
NEEDED
SEGMENT
REGISTER
USED IMPLICIT SEGMENT
SELECTION RULE
Instructions Code (CS) Automatic with instruction prefetch
Stack Stack (SS) All stack pushes and pops. Any
memory reference which uses BP
as a base register.
Local Data Data (DS) All data references except when
relative to stack or string destination
External
(Global) Data Extra (ES) Alternate data segment and
destination of string operation
POINTER
OFFSETSEGMENT
31 16 15 0 OPERAND SELECTED
SEGMENT
MEMORY
SELECTED
FIGURE 3. TWO COMPONENT ADDRESS CODE
DATA
CODE
DATA
MEMORY
CPU
CODE
DATA
STACK
EXTRA
SEGMENT
REGISTERS
MODULE A
MODULE B
PROCESS
STACK
PROCESS
DATA
BLOCK 1
PROCESS
DATA
BLOCK 2
FIGURE 4. SEGMENTED MEMORY HELPS STRUCTURE
SOFTWARE
80C286
12
Combinations of these three address elements define the six
memory addressi ng mod e s, de scri b ed be l ow.
DIRECT MODE: The operand's offset is contained in the
instruction as an 8 or 16-bit displacement element.
REGISTER INDIRECT MODE: The operand's offset is in
one of the registers SI, Dl, BX or BP.
BASED MODE: The operand's offset is the sum of an 8 or
16-bit displacement and the contents of a base register (BX
or BP).
INDEXED MODE: The operand's offset is th e sum of an 8 or 16-
bit displacement and the contents of an index registe r (SI or Dl).
BASED INDEXED MODE: The operand's offset is the sum
of the contents of a base register and an index register.
BASED INDEXED MODE WITH DISPLACEMENT: The
operand's offset is the sum of a base register's contents, an
index register's contents, and an 8 or 16-bit displacement.
Data Types
The 80C286 directly supports the following data types:
Integer: A signed binary numeri c value contained in an 8-
bit byte or a 16-bit word. All operati ons assume a
2's complement representation. Signed 32 and
64-bit integers are supported using the 80287
Numeric Data Processor.
Ordinal: An unsigned binary numeric value contained in an
8-bit byte or 16-bit word.
Pointer: A 32-bit quantity, composed of a segment selec-
tor component and an offset component. Each
component is a 16-bit word.
String: A contiguous sequence of bytes or words. A string
may contain from 1 byte to 64K bytes.
ASClI: A byte representation of alphanumeric and control
characters using the ASClI standard of character
representation.
BCD: A byte (unpacked) representation of the decimal
digits 0-9.
Packed A byte (packed) representation of two decimal
BCD: digits 0-9 storing one digit in each nibble of the
byte.
Floating A signed 32, 64 or 80-bit real number representa-
Point: tion. (Floating point operands are supported using
the 80287 Numeric Processor extension).
Figure 5 graphically re presents the data types supported by
the 80C286.
NOTE: Supported by 80C286/80C287 Numeric Data Processor
Configuration
SIGNED
BYTE
UNSIGNED
BYTE
SIGNED
WORD
SIGNED
DOUBLE
WORD
(NOTE)
SIGN BIT
SIGN BIT
SIGNED
QUAD
WORD
(NOTE)
SIGN BIT
UNSIGNED
WORD
BINARY
CODED
DECIMAL
(BCD)
ASCII
STRING
PACKED
BCD
POINTER
FLOATING
POINT (NOTE)
SIGN BIT
MAGNITUDE
70
MAGNITUDE
70
MSB
15
MAGNITUDE
MSB
14 +1 0
87 0
SIGN BIT
31 +3 +2 16 +1 0
15 0
MAGNITUDE
MAGNITUDE
MSB
MSB
63 +6+7 +5 +4 +3 +2 +1 0
4847 3231 1615 0
MAGNITUDE
MSB
15 +1 0
0
BCD
7+N 0
DIGIT N BCD
7+1 0
DIGIT 1 BCD
700
DIGIT 0
•••
•••
•••
•••
ASCII
7+N 0
CHARACTERNASCII
7+1 0
CHARACTER1ASCII
700
CHARACTER0
7+N 0
MOST
SIGNIFICANT DIGIT
7+1 07 00
LEAST
SIGNIFICANT DIGIT
BYTE/WORD N BYTE/WORD 1 BYTE/WORD 0
7/15 +N 07/15
+1 07/1500
SELECTOR OFFSET
31 +3 16 +1 0 0
EXPONENT MAGNITUDE
79 +9 +8 +7 +6 +5 +4 +3 +2 +1 0 0
+1 15
FIGURE 5. 80C286 SUPPORTED DATA TYPES
80C286
13
I/O Space
The I/O space consists of 64K 8-bit ports, 32K 16-bit ports, or
a combination of the two. I/O instructions address the I/O
space with either an 8-bit port address, specified in the
instruction, or a 16-bit port address in the DX register. 8-bit
port addresses are zero e xtended such that A15-A8 are LOW.
I/O port addresses 00F8(H) through 00FF(H) are reserved.
Interrupts
An interrupt transfers execution to a new program location.
The old program address (CS:lP) a nd machine state (Flags)
are saved on the stack to allow resumption of the interrupted
program. Interrupts fall into three classes: hardware initiated,
INT instructions, and instruction exceptions. Hardware initi-
ated interrupts occur in response to an external input and
are classified as non-maskable or maska ble. Programs may
cause an interrupt with an INT in struction. Instruction excep-
tions occur when an unusual condition which prevents fur-
ther instruction processing is detected while attempting to
execute an instruction. The return address from an excep-
tion will always point to th e instruction causing th e exception
and include any leading instruction prefixes.
A table containing up to 256 pointers defines the proper
interrupt service routine for each interrupt. Interrupts 0-31,
some of which are used for instruction exceptions, are
reserved. For each interrupt, an 8-bit vector must be sup-
plied to the 80C286 which identifies the appropriate table
entry. Exceptions supply the interrupt vector internally. INT
instructions contain or imply the vector and allow access to
all 256 interrupts. Maskable hardware initiated interrupts
supply the 8-bit vector to the CPU during an interrupt
acknowledge bus sequence. Nonmaskable hardware inter-
rupts use a predefined internally supplied vector.
Maskable Interrupt (INTR)
The 80C286 provides a maskable hardware interrupt request
pin, INTR. Software enables this input by setting the interrupt
flag bit (IF) in the flag word. All 224 user-defined interrupt
sources can share this input, yet they can retain separate
interrupt handlers. An 8-bit vector read by the CPU during the
interrupt acknowledge sequence (discussed in System Inter-
face section) identifies the source of the interrupt.
The processor automatically disables further maskable inter-
rupts internally by resetting the IF as part of the response to
an interrupt or exception. The saved flag word will reflect the
enable status of the processor prior to the interrupt. Until the
flag word is restored to the flag register, the interrupt flag will
be zero unless specifically set. The interrupt return instruc-
tion includes restoring the flag word, thereby restoring the
original status of IF.
Non-Maskable Interrupt Request (NMI)
A non-maskable interrupt input (NMI) is also provided. NMI
has higher priority than INTR. A typical use of NMI would be
to activate a power failure routine. The activation of this input
causes an interrupt with an internally supplied vector value
of 2. No external interrupt acknowledge sequence is per-
formed.
While executing the NMI servicing procedure, the 80C286
will service neither further NMI req uests, INTR req uests, nor
the processor extension segment overrun interrupt until an
interrupt return (lRET) instruction is executed or the CPU is
reset. If NMI occurs while currently servicing an NMI, its
presence will be saved for servicing after executing the first
IRET instruction. IF is cleared at the beginning of an NMI
interrupt to inhibit INTR interrupts.
TABLE 4. INTERRUPT VECTOR ASSIGNMENTS
FUNCTION INTERRUPT
NUMBER RELATED
INSTRUCTIONS
DOES RETURN ADDRESS
POINT TO INSTRUCTION
CAUSING EXCEPTION?
Divide Error Exception 0 DlV, lDlV Yes
Single Step Interrupt 1 All
NMI Interrupt 2 INT 2 or NMI Pin
Breakpoint Interrupt 3 INT 3
INTO Detected Overflow Exception 4 INTO No
BOUND Range Exceeded Exception s BOUND Yes
Invalid Opcode Exception 6 Any Undefined Opcode Yes
Processor Extension Not Available Exception 7 ESC or WAIT Yes
Reserved - Do Not Use 8 - 15
Processor Extension Error Interrupt 16 ESC or WAIT
Reserved 17 - 31
User Defined 32 - 255
80C286
14
Single Step Interrupt
The 80C286 has an internal interrupt that allows programs to
execute one instruction at a time. It is called the single step
interrupt and is controlled by the single step flag bi t (TF) in the
flag word. Once this bit is set, an internal single step interrupt
will occur after the next instruction has been executed. The
interrupt clears the TF bit and uses an intern ally supplied vec-
tor of 1. The lRET instruction is used to set the TF bit and
transfer control to the next instruction to be single stepped.
Interrupt Priorities
When simultaneous interrupt requests occur, they are pro-
cessed in a fixed order as shown in Table 5. Interrupt pro-
cessing involves saving the flags, return address, and
setting CS:lP to point at the first instruction of the interrupt
handler. If another enabled interrupt should occur, it is pro-
cessed before the next instruction of the current interrupt
handler is executed. The last interrupt processed is therefore
the first one serviced.
Initialization and Processor Reset
Processor initialization or start u p is accomplished by driving
the RESET input pin HIGH. RESET forces the 80C286 to
terminate all execution and local bus activity. No instruction
or bus activity will occur as long as RESET is active. After
RESET becomes inactive, and an internal processing inter-
val elapses, the 80C286 begins execution in real address
mode with the instruction at physical location FFFFF0(H).
RESET also sets some registers to predefined values as
shown in Table 6.
HOLD must not be active during the time from the leading
edge of the initial R ESET to 34 CLKs after the trailing edge
of the initial RESET of an 80C286 system.
Machine Status Word Description
The machine status word (MSW) records when a task switch
takes place and controls the operating mode of the 80C286.
It is a 16-bit register of which the lower four bits are used.
One bit places the CPU into protected mode, while th e other
three bits, as shown in Tabl e 7, control the processor exten-
sion interface. After RESET, this register contains FFF0(H)
which places the 80C286 in 80C286 re al address mode.
The LMSW and SMSW instructions can load and store the
MSW in real address mode. The recommended use of TS,
EM, and MP is shown in Table 8.
Halt
The HLT instruction stops program execution and prevents
the CPU from using the local bus until restarted. Either NMI,
INTR with IF = 1, or RESET will force the 80C286 out of halt.
If interrupted, the saved CS:IP will point to the next instruc-
tion after the HLT.
TABLE 5. INTERRUPT PROCESSING ORDER
ORDER INTERRUPT
1 Instruction Exception
2 Single Step
3NMI
4 Processor Extension Segment Overrun
5INTR
6 INT Instruction
TABLE 6. 80C286 INITIAL REGISTER STATE AFTER RESET
Flag Word 0002(H)
Machine Status Word FFF0(H)
Instruction Pointer FFF0(H)
Code Segment F000(H)
Data Segment 0000(H)
Extra Segment 0000(H)
Stack Segment 0000(H)
TABLE 7. MSW BIT FUNCTIONS
BIT
POSITION NAME FUNCTION
0 PE Protected mode enable places the
80C286 into protected mode and cannot
be cleared except by RESET.
1 MP Monitor processor extension allows WA IT
instructions to cause a processor exten-
sion not present exception (number 7).
2 EM Emulate processor extension causes a
processor extension not present excep-
tion (number 7) on ESC instructions to al-
low emulating a processor extension.
3 TS Task switched indicates the next instruc-
tion using a processor extension will
cause exception 7, allowing software to
test whether the current processor exten-
sion context belongs to the current task.
80C286
15
80C286 Real Address Mode
The 80C286 executes a fully upward-compatible superset of
the 80C86 instruction set in real address mode. In real
address mode the 80C286 is object code compatible with
80C86 and 80C88 software. The real address mode archi-
tecture (registers and addressing modes) is exactly as
described in the 80C286 Base Architecture section of this
Functional Description.
Memory Size
Physical memory is a contiguous array of up to 1,048,576
bytes (one megabyte) addressed by pins A0 through A19
and BHE. A20 through A23 should be ignore d.
Memory Addressing
In real address mode physical memory is a contiguous array
of up to 1,048,576 bytes (one megabyte) addressed by pin
A0 through A19 and BHE. Address bits A20-A23 may not
always be zero in real mode. A20-A23 should not be used by
the system while the 80C286 is operating in Real Mode.
The selector portion of a pointer is interpreted as the upper
16-bits of a 20-bit segment address. The lower four bits of
the 20-bit segment address are always zero. Segment
addresses, therefore, begin on multiples of 16 bytes. See
Figure 6 for a graphic representation of add ress information.
All segments in real address mode are 64K bytes in size and
may be read, written, or executed. An exception or interrupt
can occur if data operands or instructions attempt to wrap
around the end of a segment (e.g. a word with its low order
byte at offset FFFF(H) and its high order byte at offset
0000(H)). If, in real address mode, the information contained
in a segment does not use the full 64K bytes, the unused
end of the segment ma y be overlaid by another segment to
reduce physical memory requirements.
TABLE 8. RECOMMENDED MSW ENCODINGS FOR PROCESSOR EXTENSION CONTROL
TS MP EM RECOMMENDED USE
INSTRUCTION
CAUSING
EXCEPTION 7
0 0 0 Initial encoding after RESET. 80C286 operation is identical to 80C86/88. None
0 0 1 No processor extension is available. Software will emulate its function. ESC
1 0 1 No processor extension is available. Software will emulate its function. The
current processor extension context may belong to another task. ESC
0 1 0 A processor extension exists. None
1 1 0 A processor extension exists. The current processor e xtension context may
belong to another task. The exce ption 7 on WAIT allows software to test for
an error pending from a previous processor extension operation.
ESC or WAIT
TABLE 9. REAL ADDRESS MODE ADDRESSING INTERRUPTS
FUNCTION INTERRUPT
NUMBER RELATED INSTRUCTIONS RETURN ADDRESS
BEFORE INSTRUCTION
Interrupt table limit too small exception 8 INT vector is not within table limit Yes
Processor extension segment overrun
interrupt 9 ESC with memory operand extending beyond offset
FFFF(H) No
Segment overrun exception 13 Word memory reference with offset = FFFF(H) or an
attempt to execute past the end of a segment Yes
0000 OFFSET OFFSET
ADDRESS
0000
SEGMENT
SELECTOR
ADDER
19 0
015
15 0
20-BIT PHYSICAL
MEMORY ADDRESS
SEGMENT
ADDRESS
FIGURE 6. 80C286 REAL ADDRESS MODE ADDRESS
CALCULATION
80C286
16
Reserved Memory Locations
The 80C286 reserves two fixed areas of memory in real
address mode (see Figure 7); system initialization area and
interrupt table area. Locations from addresses FFFF0(H)
through FFFFF(H) are reserved for system initialization. Initial
execution begins at location FFFF0(H). Locations 00000(H)
through 003FF(H) are reserved for interrupt vecto rs.
Interrupts
Table 9 shows the interrupt vectors reserved for exceptions
and interrupts which indicate an addressing error. The
exceptions leave the CPU in the state existing before
attempting to execute the failing instruction (except for
PUSH, POP, PUSHA, or POPA). Refer to the next section
on protected mode initialization for a discussion on excep-
tion 8.
Protected Mode Initialization
To prepare the 80C286 for protected mode, the LIDT
instruction is used to load the 24-bit interrupt table base and
16-bit limit for the protected mode interrupt table. This
instruction can also set a base and limit for the interrupt vec-
tor table in real address mode. After reset, the interrupt table
base is initialized to 000000(H) and its size set to 03FF(H).
These values are compatible with 80C86 and 80C88 soft-
ware. LIDT should only be executed in preparation for pro-
tected mode.
Shutdown
Shutdown occurs when a severe error is detected that prevents
further instruction processing by the CPU. Shutdown and halt
are externally signalled via a halt bus operation. They can be
distinguished by A1 HIGH for halt and A1 LOW for shutdown. In
real address mode, shutdown can occur under two conditions:
Exceptions 8 or 13 happen and the IDT limit does not
include the interrupt vector.
A CALL INT or PUSH instruction attempts to wrap around
the stack segment when SP is not even.
An NMI input can bring the CPU out of shutdown if the IDT
limit is at least 000F(H) and SP is greater than 0005 (H), oth-
erwise shutdown can only be exited via the RESET input.
3H
RESET BOOTSTRAP
PROGRAM JUMP
INTERRUPT POINTER
FOR VECTOR 255
INTERRUPT POINTER
FOR VECTOR 1
INTERRUPT POINTER
FOR VECTOR 0
FFFFFH
FFFF0H
3FFH
3FCH
7H
4H
0H
INITIAL CS:IP VALUE IS F000:FFF0
FIGURE 7. 80C286 REAL ADDRESS MODE INITIALLY
RESERVED MEMORY LOCATIONS
80C286
17
Protected Virtual Address Mode
The 80C286 executes a fully upward-compatible superset of
the 80C86 instruction set in protected virtual address mode
(protected mode). Protected mode also provides memory
management and protection mechanisms and associated
instructions.
The 80C286 enters protected virtual address mode from real
address mode by setting the PE (Protection Enable) bit of
the machine status word with the Load Machine Status Word
(LMSW) instruction. Protected mode offers extended physi-
cal and virtual memory address space, memory protection
mechanisms, and new operations to support operating sys-
tems and virtual memory.
All registers, instructions, and addressing modes described
in the 80C286 Base Architecture section of this Functional
Description remain the same. Programs for the 80C86,
80C88, and real address mode 80C286 can be run in pro-
tected mode; however, embedded constants for segment
selectors are different.
Memory Size
The protected mode 80C286 provides a 1 gigabyte virtual
address space per task mapped into a 16 megabyte physical
address space defined by the address pins A23-A0 and
BHE. The virtual address space may be larger than the
physical address space since any use of an address that
does not map to a physical memory location will cause a
restartable exception.
Memory Addressing
As in real address mode, protected mode uses 32-bit point-
ers, consisting of 16-bit selector and offset components. The
selector, however, specifies an index into a memory resident
table rather than the upper 16-bits of a real memory address.
The 24-bit base address of the desired segment is obtained
from the tables in memory. The 16-bit offset is added to the
segment base address to form the physical address as
shown in Figure 8. The tables are automatically referenced
by the CPU whenever a segment register is loaded with a
selector. All 80C286 i nstructions which load a segment reg-
ister will reference the memory based tables without addi-
tional software. The memory based tables contain 8 byte
values called descriptors.
Descriptors
Descriptors define the use of memory. Special types of
descriptors also define new functions for transfer of control
and task switching. The 80C286 has segment descriptors for
code, stack and data segments, and system control descrip-
tors for special system data segments and control transfer
operations. Descriptor accesses are performed as locked
bus operations to assure descrip tor integrity in mu lti-proces-
sor systems.
Code and Data Segme nt Descriptors (S = 1)
Besides segment base addresses, code and data descriptors
contain other segment attributes including segment size (1 to
64K bytes), access rights (read only, read/write, execute only,
and execute/read), and presence in memory (for virtual mem-
ory systems) (See Table 10). Any segment usage violating a
segment attribute indicated by the segment descrip tor will pre-
vent the memory cycle and cause an exception or interrupt.
Code and data (including stack data ) are sto red in two types
of segments: code segments and data segments. Both types
are identified and defined by segment descriptors (S = 1).
Code segments are identified by the executable (E) bit set to
1 in the descriptor access rights byte. The access rights byte
of both code and data segment descriptor types have three
fields in common: present (P) bit, Descriptor Privilege Level
(DPL), and accessed (A) bit. If P = 0, any attempted use of
this segment will cause a not-present exceptio n. DPL speci-
fies the privilege level of the segment descriptor. DPL con-
trols when the descriptor may be used by a task (refer to
privilege discussion below). The A bit shows whether the
segment has been previously accessed for usage profiling, a
necessity for virtual memory systems. The CPU will always
set this bit when accessing the descriptor.
PHYSICAL
ADDRESS
ADDER
MEMORY
OPERAND
SEGMENT
DESCRIPTOR
SEGMENT BASE
ADDRESS
POINTER SELECTOR OFFSET
PHYSICAL MEMORY
SEGMENT
SEGMENT
DESCRIPTION
TABLE
023
31 1615 0
CPU
FIGURE 8. PROTECTED MODE MEMORY ADDRESSING
RESERVED
ACCESS
RIGHTS BYTE
PDPLSTYPEA BASE 23 - 16
BASE 15 - 0
LIMIT 15 - 0
15
707
780
0
+6
+4
+2
0
+7
+5
+3
+1
MUST BE SET TO 0 FOR COMPATIBILITY WITH FUTURE UPGRADES
FIGURE 9. CODE OR DATA SEGMENT DESCRIPTOR
80C286
18
TABLE 10. CODE AND DATA SEGMENT DESCRIPTOR FORMATS - ACCESS RIGHTS BYTE DEFINITION
BIT
POSITION NAME FUNCTION
7 Present (P) P = 1 Segment is mapped into physical memory.
P = 0 No mapping to physical memory exits, base and limit are not used.
6 - 5 Descriptor Privilege
Level (DPL) Segment privilege attribute used in privilege tests.
4 Segment Descriptor (S) S = 1 Code or Data (includes stacks) segment descriptor
S = 0 System Segment Descriptor or Gate Descriptor
3 Executable (E) E = 0 Data segment descriptor type is:
If Data Segment
(S = 1, E = 0)
2 Expansion Direction
(ED) ED = 0 Expand up segment, offsets must be limit.
ED = 1 Expand down segment, offsets must be > limit.
1 Writable (W) W = 0 Data segment may not be written into.
W = 1 Data segment may be written into.
Type
Field
Definition
3 Executable (E) E = 1 Code Segment Descriptor type is:
If Code Segment
(S = 1, E = 1)
2 Conforming (C) C = 1 Code segment may only be executed when CPL
DPL and CPL remains unchanged.
1 Readable (R) R = 0 Code segment may not be read.
R = 1 Code segment may be read.
0 Accessed (A) A = 0 Segment has not been accessed.
A = 1 Segment selector has been loaded into segment register or used by selector
test instructions.
80C286
19
Data segments (S = 1, E = 0) may be either read-only or read-
write as controlled by the W bit of the access rights byte.
Read-only (W = 0) data segments may not be written into.
Data segments may grow in two directions, as determined by
the Expansion Direction (ED) bit: upwards (ED = 0) for data
segments, and downwards (ED = 1) for a segment containing
a stack. The limit field for a data segment descriptor is inter-
preted differently depending on the ED bit (see Table 10).
A code segment (S = 1, E = 1) may be execute-only or exe-
cute/read as determined b y the Readable (R) bit. Code seg-
ments may never be written into and execute-only code
segments (R = 0) may not be read. A code segment may
also have an attribute called conforming (C). A conforming
code segment may be shared by programs that execute at
different privilege levels. The DPL of a conforming code seg-
ment defines the range of privilege levels at which the seg-
ment may be executed (refer to privilege discussion below).
The limit field identifies the last byte of a code segment.
System Segment Descriptor s (S = 0, Type = 1-3)
In addition to code and data segment descriptors, the pro-
tected mode 80C286 defines System Segment Descriptors.
These descriptors define special system data segments
which contain a table of descriptors (Local Descriptor Tabl e
Descriptor) or segments which contain the execution state of
a task (Task State Segment Descriptor).
Table 11 gives the formats for the special system data seg-
ment descriptors. The descriptors contain a 24-bit base
address of the segment and a 16-bit limit. The access byte
defines the type of descriptor, its state and privilege level.
The descriptor contents are valid and the segment is in
physical memory if P = 1. If P = 0, the segment is not valid.
The DPL field is only used in Task State Segment descrip-
tors and indicates the privilege level at which the descriptor
may be used (see Privilege). Since the Local Descriptor
Table descriptor may only be used by a special privileged
instruction, the DPL field is not used. Bit 4 of the access byte
is 0 to indicate that it is a system control descriptor. The type
field specif ie s th e de scri p tor type as indicate d in Ta bl e 11 .
Gate Descriptors (S = 0, Type = 4-7)
Gates are used to control access to entry points within the
target code segment. The gate descriptors are call gates,
task gates, interrupt gates and trap gates. Gates provide a
level of indirection between the source and destination of the
control transfer. This indirecti on a llow s th e CPU to automati-
cally perform protection checks and control entry point of the
destination. Call gates are used to change privilege levels
(see Privilege), task gates are used to perform a task switch,
and interrupt and trap gates are used to specify interrupt ser-
vice routines. The interrupt gate disables interrupts (resets
IF) while the trap gate does not.
Table 12 shows the format of the gate descriptors. The
descriptor contains a destination pointer that points to the
descriptor of the target segment and the entry point offset.
The destination selector in an interrupt gate, trap gate, and
call gate must refer to a code segment descriptor. These gate
descriptors contain the entry point to prevent a program from
constructing and using an illegal entry point. Task gates may
only refer to a task state segment. Since task gates invoke a
task switch, the destination offset is not used in the task gate.
Exception 13 is generated when the gate is used if a destina-
tion selector does not refer to the correct descriptor type. The
word count field is used in the call gate descriptor to indicate
the number of parameters (0-31 words) to be automatically
copied from the caller’s stack to the stack of the called routine
when a control transfer changes privilege levels. The word
count field is not used by any othe r gate descriptor.
The access byte format is the same for all d esc ri pt ors . P = 1
indicates that the gate contents are valid. P = 0 indicates the
contents are not valid and causes exception 11 if refer-
enced. DPL is the descriptor privilege level and specifies
when this descriptor may be used by a task (refer to privilege
discussion below). Bit 4 must equal 0 to indicate a system
control descriptor. The type field specifies the descriptor type
as indicated in Table 12.
RESERVED
PDPL0 TYPE BASE 23 - 16
BASE 15 - 0
LIMIT 15 - 0
15
707
780
0
+6
+4
+2
0
+7
+5
+3
+1
MUST BE SET TO 0 FOR COMPATIBILITY WITH FUTURE UPGRADES
FIGURE 10. SYSTEM SEGMENT DESCRIPTOR
TABLE 11. SYSTEM SEGMENT DESCRIPTOR FORMAT FIELDS
NAME VALUE DESCRIPTION
TYPE 1 Available Task State Segment (TSS)
2 Local Descriptor Table
3 Busy Task State Segment (T SS)
P 0 Descriptor contents are not valid
1 Descriptor contents are valid
DPL 0-3 Descriptor Privilege Level
BASE 24-Bit
Number Base Address of special system data
segment in real memory
LIMIT 16-Bit
Number Offset of last byte in segment
80C286
20
Segment Descriptor Cache Registers
A segment descriptor cache register is assigned to each of
the four segment registers (CS, SS, DS, ES). Segment
descriptors are automatically loaded (cached) into a seg-
ment descriptor cache register (Figure 12) whenever the
associated segment register is loaded with a selector.
Only segment descriptors may be loaded into segment
descriptor cache registers. Once loaded, all references to
that segment of memory use the cached descriptor informa-
tion instead of reaccessing the descriptor. The descriptor
cache registers are not visible to programs. No instructions
exist to store their contents. They only change when a seg-
ment register is loaded.
Selector Fields
A protected mode selector has three fields: descriptor entry
index, local or global descriptor table indicator (TI), and selec-
tor privilege (RPL) as shown in Figure 13. These fields select
one of two memory based tables of descriptors, select the
appropriate table entry and allow high-speed testing of the
selector's privilege attribute (refer to privilege discussion
below).
Local and Global Descriptor Tables
Two tables of descriptors, called descriptor tables, contain all
descriptors access ible by a task at any given time. A descriptor
table is a linear array of up to 8192 descriptors. The upp er 13
bits of the selector value are an index into a descriptor table.
Each table has a 24-bit base register to locate the descriptor
table in physical memory and a 16-bit limit register that confi ne
descriptor access to the defined limits of the table as shown in
Figure 14. A restartable exception (13) will occur if an attempt is
made to reference a descriptor outside the table limits.
One table, called the Global Descriptor table (GDT), con-
tains descriptors available to all tasks. The other table,
called the Local Descriptor Table (LDT), contains descriptors
that can be private to a task. Each task may have its own pri-
vate LDT. The GDT may co ntain all descriptor types except
interrupt and trap descriptors. The LDT may contain only
segment, task gate, and call gate descriptors. A segment
cannot be accessed by a task if i ts segment descriptor does
not exist in either descriptor table at the time of access.
TABLE 12. GATE DESCRIPTOR FORMAT FIELD
NAME VALUE DESCRIPTION
TYPE 4 Call Gate
5 Task Gate
6 Interrupt Gate
7 Trap Gate
P 0 Descriptor Contents are not valid
1 Descriptor Contents are valid
DPL 0 - 3 Descriptor Privilege Level
WORD
COUNT 0 - 31 Number of words to copy from callers
stack to called procedures stack. Only
used with call gate.
DESTINATION
SELECTOR 16-Bit
Selector Selector to the target code segment
(call, interrupt or selector Trap Gate).
Selector to the target task state seg-
ment (Task Gate).
DESTINATION
OFFSET 16-Bit
Offset Entry point within the target code seg-
ment
RESERVED
PDPL0 TYPE
DESTINATION SELECTOR 15 - 0
DESTINATION OFFSET 15 - 0
15
707
780
0
+6
+4
+2
0
+7
+5
+3
+1
MUST BE SET TO 0 FOR COMPATIBILITY WITH FUTURE UPGRADES
XX X
XX
WORD COUNT
4 - 0
FIGURE 11. GATE DESCRIPTOR
BITS NAME FUNCTION
1 - 0 Requested Privilege Level
(RPL) Indicates Selector Privilege
Level Desired
2 Table Indicator (TI) TI = 0 Use Global Descrip-
tor Table (GDT)
TI = 1 Use Local Descriptor
Table (LDT)
15 - 3 Index Select Descriptor Entry In
Table
FIGURE 13. SELECTOR FIELDS
PROGRAM VISIBLE
SEGMENT SELECTORS
CS
DS
SS
ES
15 0
SEGMENT REGISTERS
(LOADED BY PROGRAM)
SEGMENT SIZE
SEGMENT PHYSICAL
BASE ADDRESS
ACCESS
RIGHTS
PROGRAM INVISIBLE
47 40 39 16 15 0
SEGMENT DESCRIPTOR CACHE REGISTERS
(AUTOMATICALLY LOADED BY CPU)
FIGURE 12. DESCRIPTOR CACHE REGISTERS
INDEX RPLTI
15 8 7 2 1 0
SELECTOR
80C286
21
The LGDT and LLDT instructions load the base and limit of
the global and local descriptor tables. LGDT and LLDT are
privileged, i.e. they may only be executed by trusted pro-
grams operating at level 0. The LGDT instruction loads a six
byte field containing the 16-bit table li mit and 24-bit physica l
base address of the Global Descriptor Table as shown in
Figure 15. The LDT instruction loads a sel ector which refers
to a Local Descriptor Table descriptor containing the base
address and limit for an LDT, as shown in Table 11.
Interrupt Descriptor Table
The protected mode 80C286 has a third descriptor table,
called the Interrupt Descriptor Table (IDT) (see Figure 16),
used to define up to 256 interrupts. It may contain only task
gates, interrupt gates and trap gates. The IDT (Interrupt
Descriptor Table) has a 24-bit physical base and 16-bit limit
register in the CPU. The privileged LlDT instruction loads
these registers with a six b yte value of identical form to that
of the LGDT instruction (see Figure 16 and Protected Mode
lnitialization).
References to IDT entries are made via INT instructions, exter-
nal interrupt vectors, or exceptions. The IDT must be at least
256 bytes in size to allocate space for all reserved interrupts.
Privilege
The 80C286 has a four-level hierarchical privilege system
which controls the use of privileged instructions and access
to descriptors (and their a ssociated segments) withi n a task.
Four-level privilege, as shown in Figure 17, is an extension
of the users/supervisor mode commonly found in minicom-
puters. The privilege leve ls are numbered 0 through 3. Level
0 is the most privileged level. Privilege levels provide protec-
tion within a task. (Tasks are isolated by providing private
LDT’s for each task.) Operating system routines, interrupt
handlers, and other system software can be included and
protected within the virtual address space of each task using
the four levels of privilege. Each task in the system has a
separate stack for each of its privilege levels.
Tasks, descriptors, and selectors have a privilege level
attribute that determines whether the descriptor may be
used. Task privilege affects the use of instructions and
descriptors. Descriptor and selector privilege only affect
access to the descriptor.
CPU
GDT LIMIT
GDT BASE
24-BIT PHYS AD
LDT
DESCR
SELECTOR
LDT LIMIT
LDT BASE
24-BIT PHYS AD
PROGRAM INVISIBLE
(AUTOMATICALLY
LOADED
FROM LDT DESCR
WITHIN GDT)
GDT
CURRENT
LDT
INCREASING
MEMORY
ADDRESS
MEMORY
LDT1
LDTn
15 0
0
015
23
23
15
FIGURE 14. LOCAL AND GLOBAL DESCRIPTOR TABLE
DEFINITION
RESERVED
BASE 15 - 0
LIMIT 15 - 0
15
707
780
0
+4
+2
0
+5
+3
+1
MUST BE SET TO 0 FOR COMPATIBILITY WITH FUTURE UPGRADES
BASE 23 - 16
FIGURE 15. GLOBAL DESCRIPTOR TABLE AND INTERRUPT
DESCRlPTOR TABLE DATA TYPE
IDT LIMIT
IDT BASE
INTERRUPT
DESCRIPTOR
TABLE
MEMORY
0
15
23
0
GATE FOR
INTERRUPT #n
CPU
GATE FOR
INTERRUPT #1
GATE FOR
INTERRUPT #n-1
GATE FOR
INTERRUPT #0
INCREASING
MEMORY
ADDRESS
(IDT)
FIGURE 16. INTERRUPT DESCRIPTOR TABLE DEFINITION
APPLICATIONS
OS EXTENSIONS
SYSTEM
SERVICES
KERNAL
PL = 0
MOST
PRIVILEGED
CPU
ENFORCED
SOFTWARE
INTERFACES
HIGH SPEED
OPERATING
SYSTEM
INTERFACE
PL = 1
PL = 2
PL = 3
NOTE: PL becomes numerically lower as privilege level increases.
FIGURE 17. HIERARCHICAL PRIVILEGE LEVELS
80C286
22
Task Privilege
A task always executes at one of the four privilege levels.
The task privilege level at any specific instant is called the
Current Privilege Level (CPL) and is defined by the lower
two bits of the CS register. CPL cannot change during exe-
cution in a single code segment. A task's CPL may only be
changed by control transfers through gate descriptors to a
new code segment (See Control Transfer). Tasks begin exe-
cuting at the CPL value specified by the code segment
selector within TSS when the task is initiated via a task
switch operation (See Figure 18). A task executing at Level 0
can access all data segments defined in the GDT and the
task's LDT and is considered the most trusted level. A task
executing a Level 3 has the most restricted access to data
and is considered the least trusted level.
Descriptor Pr ivilege
Descriptor privilege is specified by the Descriptor Privilege
Level (DPL) field of the descriptor access byte. DPL specifies
the least trusted task privilege level (CPL) at which a task may
access the descriptor. Descriptors with DPL = 0 are the most
protected. Only tasks executing at privilege level 0 (CPL = 0)
may access them. Descriptors with DPL = 3 are the least pro-
tected (i.e. have the least restricted access) since tasks can
access them when CPL = 0, 1, 2, or 3). This rule applies to all
descriptors, except L DT descriptors.
Selector Privilege
Selector privilege is specified by the Requested Privilege
Level (RPL) field in the least significant two bits of a selector.
Selector RPL may establish a less trusted privilege level
than the current p rivilege level for the use of a selector. This
level is called the task's effective privilege level (EPL). RPL
can only reduce the scope of a task's access to data with
this selector. A task's effective privilege is the numeric maxi-
mum of RPL and CPL. A selector with RPL = 0 i mposes no
additional restriction on its us e whil e a selector with RPL = 3
can only refer to segments at privileg e Level 3 regardless of
the task's CPL. RPL is generally used to verify that pointer
parameters passed to a more trusted procedure are not
allowed to use data at a more privileged level than the caller
(refer to pointer testing instructions).
Descriptor Access and Privilege Validation
Determining the ability of a task to access a segment
involves the type of segment to be accessed, the instruction
used, the type of descriptor used and CPL, RPL, and DPL.
The two basic types of segment accesses are control trans-
fer (selectors loaded into CS) and data (selectors loaded into
DS, ES or SS).
Data Segment Access
Instructions that load selectors into DS and ES must refer to
a data segment descriptor or readable code segment
descriptor. The CPL of th e task and the RPL of the selector
must be the same as or more privileged (numerically equal
to or lower than) than the descriptor DPL. In gen eral, a task
can only access data segments at the same or less privi-
leged levels than the CPL or RPL (whichever is numerically
higher) to prevent a program from accessing data it cannot
be trusted to use.
An exception to the rule is a readable conforming code seg-
ment. This type of code segment can be read from any privi-
lege level.
If the privilege checks fail (e.g. DPL is numerically less than
the maximum of CPL and RPL) or an incorrect type of
descriptor is referenced (e.g. gate descriptor o r execute only
code segment) exception 13 occurs. If the segment is not
present, exception 11 is generated.
Instructions that load selectors into SS must refer to data
segment descriptors for writable data segments. The
descriptor privilege (DPL) and RPL must equal CPL. All
other descriptor types or a privilege level violation will cause
exception 13. A not present fault causes exception 12.
TABLE 13. DESCRlPTOR TYPES USED FOR CONTROL TRANSFER
CONTROL TRANSFER TYPES OPERATION TYPES DESCRIPTOR
REFERENCED DESCRIPTOR
TABLE
Intersegment within the same privilege levels JMP, CALL, RET, lRET (Note 4) Code Segment GDT/LDT
Intersegment to the same or higher privilege level interrupt
within task may change CPL CALL Call Gate GDT/LDT
Interrupt Instruction, Exception
External Interrupt Trap or Interrupt Gate lDT
Intersegment to a lower privilege level (changes task CPL) RET, IRET (Not e 4) Code Segment GDT/LDT
Task Switch CALL, JMP Task State Segment GDT
CALL, JMP Task Gate GDT/LDT
lRET (Note 5)
Interrupt Instruction, Exception
External Interrupt
Task Gate IDT
NOTES:
4. NT (Nested Task bit of flag word) = 0
5. NT (Nested Task bit of flag word) = 1
80C286
23
Control Transfer
Four types of control transfer can occur when a selector is
loaded into CS by a control transfer operation (see Table
13). Each transfer type can only occur if the operation which
loaded the selector references the correct descriptor type.
Any violation of these descriptor usage rules (e.g. JMP
through a call gate or RET to a Task State Segment) will
cause exception 13.
The ability to reference a descriptor for control transfer is
also subject to rules of privilege. A CALL or JUMP instruction
may only reference a code segment descriptor with DPL
equal to the task CPL or a conforming segment with DPL of
equal or greater privilege than CPL. The RPL of the se lector
used to reference the code descriptor must have as much
privilege as CPL.
RET and IRET instructions may only reference code seg-
ment descriptors with descriptor privilege equal to or less
privileged than the task CPL. T he selector loaded into CS is
the return address from the stack. After the return, the selec-
tor RPL is the task's new CPL. If CPL changes, the old stack
pointer is popped after the return address.
When a JMP or CALL references a Task State Segment
descriptor, the descriptor DPL must be the same or less priv-
ileged than the task's CPL. Reference to a valid Task State
Segment descriptor causes a task switch (see Task Switch
Operation). Reference to a Task State Segment descriptor
at a more privileged level than the task's CPL generates
exception 13.
When an instruction or interrupt references a gate descrip-
tor, the gate DPL must have the same or less privilege than
the task CPL. If DPL is at a more privil eged level than CPL,
exception 13 occurs. If the des tination selector contained in
the gate references a code segment descriptor, the code
segment descriptor DPL must be the same or more privi-
leged than the task CPL. If not, Exception 13 is issued. After
the control transfer, the code segment descriptors DPL is the
task's new CPL. If the destinat ion selector in the gate refer-
ences a task state segment, a task switch is automatically
performed (see Task Switch Operation).
The privilege rules on contro l transfer require:
JMP or CALL direct to a code segment (code segment
descriptor) can only be a conforming segment with DPL of
equal or greater privilege than CPL or a non-conforming
segment at the same privilege level.
Interrupts within the task, or calls that may change privilege
levels, can only transfer control through a gate at the same
or a less privileged level than C PL to a code segment at the
same or more privileged level than CPL.
Return instructions that don't switch tasks can only return
control to a code segment at the same or less privileged
level.
Task switch can be performed by a call, jump or interrupt
which references either a task gate or task sta te segment at
the same or less privileged level.
Privilege Level Changes
Any control transfer that changes CPL within the task,
causes a change of stacks as part of the operation. Initial
values of SS:SP for privilege levels 0, 1, and 2 are kept in
the task state segment (refer to Task Switch Operation).
During a JMP or CALL control transfer, the new stack pointer
is loaded into the SS and SP registers and the previous
stack pointer is pushed onto the new stack.
When returning to the original privilege level, its stack is
restored as part of the RET or IRET instruction operation.
For subroutine calls that pass parameters on the stack and
cross privilege levels, a fixe d number of words, as specified
in the gate, are copied from the previous stack to the current
stack. The inter-segment RET instruction with a stack adjust-
ment value will correctly restore the previous stack pointer
upon return.
Protection
The 80C286 includes mecha nisms to protect critical instruc-
tions that effect the CPU execution state (e.g. HLT) and
code or data segments from improper u sage. These protec-
tion mechanisms are grouped into three forms:
Restricted usage of segments (e.g. no write allowed to
read-only data segments). The only segments available for
use are defined by descriptors in the Local Descriptor Tabl e
(LDT) and Global Descriptor Table (GDT).
Restricted access to segments via the rules o f privilege and
descriptor usage.
Privileged instructions or operations that may only be exe-
cuted at certain privilege levels as determined by the CPL
and I/O Privilege Level (lOPL). The lOPL is defined by bits
14 and 13 of the flag word.
These checks are performed for all instructions and can be
split into three categories: segment load checks (Table 14),
operand reference checks (Table 15), and privileged instruc-
tion checks (Table 16). Any violation of the rules shown will
result in an exception. A no t-present exception related to the
stack segment causes exception 12.
TABLE 14. SEGMENT REGISTER LOAD CHECKS
ERROR DESCRIPTION EXCEPTION
NUMBER
Descriptor table limit exceeded 13
Segment descriptor not-present 11 or 12
Privilege rules violated 13
Invalid descriptor/segment type segment register
load:
- Read only data segment load to SS
- Special control descriptor load to DS, ES, SS
- Execute only Segment load to DS, ES, SS
- Data segment load to CS
- Read/Execute code segment load SS
13
80C286
24
The lRET and POPF instructions do not perform some of
their defined functions if CPL is not of sufficient privilege
(numerically small enough). Pre c isely these are:
The IF bit is not changed if CPL is greater than IOPL.
The lOPL field of the flag word is not changed if CPL is
greater than 0.
No exceptions or other indica tion are given when these con-
ditions occur.
Exceptions
The 80C286 detects several types of exceptions and inter-
rupts in protected mode (see Table 17). Most are restartable
after the exceptional condition is removed. Interrupt handlers
for most exceptions can read an error code, pushed on the
stack after the return address, that identifies the selector
involved (0 if none). The return address normally points to
the failing instruction including all leading prefixes. For a pro-
cessor extension segment overrun exception, the return
address will not poin t at the ESC instruction that caused the
exception; however, the processor extension registers may
contain the address of the failing instruction.
These exceptions indicate a violation to privilege rules or
usage rules has occurred. Restart is generally not attempted
under those conditions.
All these checks are performed for all instructions and can
be split into three categories: segment load checks (Table
14), operand reference checks (Table 15), and privileged
instruction checks (Table 16). Any violation of the rules
shown will result in an exception. A not-present exception
causes exception 11 or 12 and is restartable.
SPECIAL OPERATIONS
Task Switch Operation
The 80C286 provides a built-in task switch operation which
saves the entire 80C286 execution state (registers, address
space, and a link to the previous task), loads a new execution
state, and commences execution in the new task. Like gates,
the task switch operation is invoked by executing an inter-seg-
ment JMP or CALL instruction which refers to a Task State
Segment (TSS) or task gate descriptor in the GDT or LDT. An
INT instruction, exception, or external interrupt may also
invoke the task switch operation by selecting a task gate
descriptor in the associated ID T descriptor entry.
The TSS descriptor points at a segment (see Figure 18) con-
taining the entire 80C286 execution state while a task gate
descriptor contains a TSS selector. The limit field of the
descriptor must be greater than 002B(H).
Each task must have a TSS associated with it. The current
TSS is identified by a special register in the 80C286 called
the Task Register (TR). This register contains a selector
referring to the task state segment descriptor that defines
the current TSS. A hidden base and limit register associ ated
with TR are loaded whenever TR is loaded with a new selec-
tor. The IRET instruction is used to return control to the task
that called the current task or was interrupted. Bit 14 in the
flag register is called the Nested Task (NT) bit. It controls the
TABLE 15. OPERAND REFERENCE CHECKS
ERROR DESCRIPTION EXCEPTION
NUMBER
Write into code segment 13
Read from execute-only code segment 13
Write to read-only data segment 13
Segment limit exceeded (See Note) 12 or 13
NOTE: Carry out in offset calculations is ignored.
TABLE 16. PRIVILEGED INSTRUCTION CHECKS
ERROR DESCRIPTION EXCEPTION
NUMBER
CPL 0 when executing th e following instructions:
LIDT, LLDT, LGDT, LTR, LMSW, CTS, HLT 13
CPT > IOPL when executing the following
instructions:
INS, IN, OUTS, OUT, STI, CLI, LOCK
13
TABLE 17. PROTECTED MODE EXCEPTIONS
INTERRUPT
VECTOR FUNCTION
RETURN ADDRESS
AT FALLING
INSTRUCTION? ALWAYS
RESTARTABLE? ERROR CODE
ON STACK?
8 Double exception detected Yes No (Note 7) Yes
9 Processor extension segment overrun No No (Note 7) No
10 Invalid task state segment Yes Yes Yes
11 Segment not present Yes Yes Yes
12 Stack segment overrun or stack segment not present Yes Yes (Note 6) Yes
13 General protection Yes No (Note 7) Yes
NOTES:
6. When a PUSHA or POPA in struction attempts to wrap aro und the stack segment, the machine state after the exception will not be re startable
because stack segment wrap aro und is not permitted. This condition is identified by the value of the saved SP being either 0000 (H), 0001(H),
FFFE(H), or FFFF(H).
7. These exceptions in dicate a violation to privilege rules or usage rules has oc curred. Restart is generally not attempted unde r those conditions.
80C286
25
function of the IRET instruction. If NT = 0, the IRET instruc-
tion performs the regular current task by popping values off
the stack; when NT = 1, IRET performs a task switch opera-
tion back to the previous task.
When a CALL, JMP, or INT instruction initiates a task switch,
the old (except for case of JMP) and new TSS will be
marked busy and the back link field of the new TSS set to
the old TSS selector. The NT bit of the new task is set by
CALL or INT initiated task switches. An interrupt that does
not cause a task switch will clear NT. NT may also be set or
cleared by POPF or IRET instructions.
The task state segment is marked busy by changing the
descriptor type field from Type 1 to Type 3. Use of a selec-
tor that references a busy task state segment causes
Exception 13.
Processor Extension Context Switch ing
The context of a processor extension is not changed by the
task switch operation. A processor extension context need
only be changed when a different task attempts to use the
processor extension (which still contains the context of a pre-
vious task). The 80C286 detects the first use of a processor
extension after a task switch by causing the processor exten-
sion not present exception (7). The interrupt hand ler may then
decide whether a context ch ange is necessa ry.
Whenever the 80C286 switches tasks, it sets the Task
Switched (TS) bit of the MSW. TS indicates that a proces-
sor extension context may belong to a different task than
the current one. The processor extension not present
exception (7) will occur when attempting to execute an
ESC or WAIT instruction if TS = 1 and a processor exten-
sion is present (MP = 1 in MSW).
Pointer Testing Instructions
The 80C286 provides several instructions to speed pointer
testing and consistency checks for maintaining system integ-
rity (see Table 18). These instructions use the memory man-
agement hardware to verify that a selector value refers to an
appropriate segment without risking an exception. A condition
flag (ZF) indicates whether use of the selector or segment will
cause an exception.
Double Fault and Shutdown
If two separate exceptions are detected during a single
instruction execution, the 80C286 performs the double fault
exception (8). If an exception occurs during processing of
the double fault exception, the 80C286 will enter shutdown.
During shutdown no further instructions or exceptions are
processed. Either NMI (CPU remains in protected mode) or
RESET (CPU exits protected mode) can force the 80C286
out of shutdown. Shutdown is externally signalled via a
HALT bus operation with A1 LOW.
Protected Mode lnitialization
The 80C286 initially executes in real address mode after
RESET. To allow initialization code to be placed at the top of
physical memory. A23-20 will be HIGH when the 80C286
performs memory references relative to the CS register until
CS is changed. A23-20 will be zero for references to the DS,
ES, or SS segments. Changing CS in real address mode will
force A23-20 LOW whenever CS is used again. The initial
CS:lP value of F000:FFF0 provides 64K bytes of code space
for initialization code without changing CS.
Protected mode operation requires several registers to be
initialized. The GDT and IDT base registers must refer to a
valid GDT and IDT. After executing the LMSW instruction to
set PE, the 80C286 must immediately execute an intraseg-
ment JMP instruction to clear the instruction queue of
instructions decoded in real address mode.
To force the 80C286 CPU registers to match the initial pro-
tected mode state assumed by software, execute a JMP
instruction with a selector referring to the initial TSS used in
the system. This will load the task register, local descriptor
table register, segment registers and initial general register
state. The TR should point at a valid TSS since any task
switch operation involves saving the current task state.
TABLE 18. 80C286 POINTER TEST INSTRUCTIONS
INSTRUCTION OPERANDS FUNCTION
ARPL Selector,
Register Adjust Requested Privilege Level: adjusts the RPL of the selector to the numeric maximum of
current selector RPL value and the RPL value in the register. Set zero flag if selector RPL was
changed by ARPL.
VERR Selector VERify for Read: sets the zero flag if the segment referred to by the selector can be read.
VERW Selector VERify for Write: sets the zero flag if the segment referred to by the selector can be written.
LSL Register,
Selector Load Segment Limit: reads the segment limit into the register if privilege rules and descriptor type
allow. Set zero flag if successful.
LAR Register,
Selector Load Access Rights: reads the descriptor access rights byte into the register if privilege rules al-
low. Set zero flag if successful.
80C286
26
System Interface
The 80C286 system interface appears in two forms: a local
bus and a system bus. The local bus consists of address,
data, status, and control sign als at the pins o f the CPU. A sys-
tem bus is any buffered version of the local bus. A system bus
may also differ from the local bus in terms of coding of status
and control lines and/o r timing and loading o f signals.
Bus Interface Signals and T imin g
The 80C286 micros ystem s loca l bus interfaces the 80C286 to
local memory and I/O components. The interface has 24
address lines, 16 data lines, and 8 status and contro l signals.
The 80C286 CPU, 82C284 clock generator, 82C288 bus
controller, 82289 bus arbiter, 82C86H/87H transceivers, and
82C82/83H latches provid e a buffered and decoded system
bus interface. The 82C284 generates the system clock and
LIMIT
BASE
0
15
23
0
CPU
TASK REGISTER TYPE DESCRIPTION
1 An available task state segment.
May be used as the destination
of a task switch operation.
3 A busy task state segment. Can-
not be used as the destination of
a task switch.
SYSTEM
SEGMENT
DESCRIPTOR
TR
RESERVED
PD
P
L
0TYPE
BASE 15 - 0
LIMIT 15 - 0
BASE 23 - 16
TASK LDT SELECTOR
DS SELECTOR
SS SELECTOR
CS SELECTOR
ES SELECTOR
DI
SI
BP
SP
BX
DX
CX
AX
FLAG WORD
IP (ENTRY POINT)
SS FOR CPL 2
SP FOR CPL 2
SS FOR CPL 1
SP FOR CPL 1
SS FOR CPL 0
SP FOR CPL 0
BACK LINK SELECTOR TO TSS
42
40
38
36
34
32
30
28
26
24
22
20
18
16
14
12
10
8
6
4
2
0
CURRENT
TASK
STATE
INITIAL
STACKS
FOR CPL 0, 1, 2
BYTE
OFFSET
TASK
STATE
SEGMENT
PROGRAM INVISIBLE
15 0
15 0
P DESCRIPTION
1 Base and Limit fields are valid.
0 Segment is not present in mem-
ory, Base and Limit are not de-
fined.
FIGURE 18. TASK STATE SEGMENT AND TSS REGISTERS
80C286
27
synchronizes READY and RESET. The 82C288 converts
bus operation status encoded by the 80C286 into command
and bus control signals. The 82289 bus arbiter generates
Multibus™ bus arbitration signals. These components can
provide the critical timing required for most system bus inter-
faces including the Multibus.
Bus Hold Circuitry
To avoid high curre nt conditio ns caused by floating i nputs to
CMOS devices, and to eliminate the need for pull-up/down
resistors, “bus-hold” circuitry has been used on the 80C286
pins 4-6, 36-51 and 66-68 (See Figure 19A and 19B). The
circuit shown in Figure 19A will maintain the last valid logic
state if no driving source is pr esent (i.e . an unconn ected pin
or a driving source which goes to a high impedance state).
The circuit shown in Figure 19B will maintain a high imped-
ance logic one state if no driving source is present. To over-
drive the “bus-hold” circuits, an external driver must be
capable of sinking or sourcing approximately 400 microamps
at valid input voltage levels. Since this “bus-hold ” circuitry is
active and not a “resistive” type element, the associated
power supply current is negligible, and power dissipation is
significantly reduced when compared to the use of passive
pull-up resistors.
Physical Memory and I/O Interface
A maximum of 16 megabytes of physical memory can be
addressed in protected mode. One megabyte can be
addressed in real address mode. Memory is accessible as
bytes or words. Words consist of any two consecutive bytes
addressed with the least significant byte stored in the lowest
address. Byte transfers occur on either half of the 16-bit local
data bus. Even bytes are accessed over D 7-0 wh ile odd bytes
are transferred over D15-8. Even addressed words are trans-
ferred over D15-0 in one bus cycl e, w hile odd addressed w ord
require two bus operations. The first transfers data on D15-8,
and the second transfers data on D7-0. Both byte data trans-
fers occur automatically, transparent to software.
Two bus signals, A0 and BHE, control transfers over the
lower and upper halves of the data bus. Even address byte
transfers are indicated by A0 LOW and BHE HIGH. Odd
address byte transfers are indicated by A0 HlGH and BHE
LOW. Both A0 and BHE are LOW for even address word
transfers.
The I/O address space contains 64K addresses in both
modes. The I/O space is accessible as either bytes or words,
as is memory. Byte wide peripheral devices may be attached
to either the upper or lower byte of the data bus. Byte-wide I/O
devices attached to the upper data byte (D15-8) are accessed
with odd I/O addresses. Devices on the lower data byte are
accessed with even I/O addresses. An interrupt controller
such as Intersil's 82C59A must be connected to the lower
data byte (D7-0) for proper return of the interrupt vector.
Bus Operation
The 80C286 uses a double frequency system clock (CLK
input) to control bus timing. All signals on the local bus are
measured relative to the system CLK input. The CPU divides
the system clock by 2 to produce the internal processor
clock, which determines bus state. Each processor clock is
composed of two system clock cycles named phase 1 and
phase 2. The 82C284 clock generator output (PCLK) identi-
fies the next phase of the processor clock. (See Figure 20.)
Six types of bus operations are supported; memory read,
memory write, I/O read, I/O write, interrupt acknowledge,
and halt/shutdown. Data can be transferred at a maximum
rate of one word per two processor clock cycles.
The 80C286 bus has three basic states: idle (TI), send sta-
tus (TS), and perform command (TC). The 80C286 CPU also
has a fourth local bus state called hold (TH). TH indicates
that the 80C286 has surrendered control of the local bus to
another bus master in response to a HOLD request.
Each bus state is one processor clock long. Figure 21 shows
the four 80C286 local bus states and allowed transitions.
EXTERNAL
PIN
OUTPUT
DRIVER
INPUT
DRIVER INPUT
PROTECTION
CIRCUITRY
BOND
PAD
FIGURE 19A. BUS HOLD CIRCUITRY, PINS 36-51, 66, 67
EXTERNAL
PIN
OUTPUT
DRIVER
INPUT
DRIVER INPUT
PROTECTION
CIRCUITRY
BOND
PAD
VCC P
FIGURE 19B. BUS HOLD CIRCUITRY, PINS 4-6, 68
OF PROCESSOR OF PROCESSOR
ONE PROCESSOR CLOCK CYCLE
ONE BUS T STATE
ONE SYSTEM
CLK CYCLE
PCLK
CLK
PHASE 1
CLOCK CYCLE
PHASE 2
CLOCK CYCLE
FIGURE 20. SYSTEM AND PROCESSOR CLOCK RELATION-
SHIPS
80C286
28
Bus States
The idle (TI) state indicates that no data transfers are in
progress or requested. The first active state TS is signaled
by status line S1 or S0 going LOW and identifying phase 1 of
the processor clock. During TS, the command encoding, the
address, and data (for a write operation) are available on the
80C286 output pins. The 82C288 bus controller decodes the
status signals and generates Multibus compatible read/write
command and local transceiver control signals.
After TS, the perform co mmand (TC) state is entered. Mem-
ory or I/O devices respond to the bus operation during TC,
either transferring read data to the CPU or accepting write
data. TC states may be repeated as often as necessary to
ensure sufficient time for the memory or I/O device to
respond. The READY signal determines whether TC is
repeated. A repeated TC state is called a wait state.
During hold (T H), the 80C286 will float all address, data, and
status output drivers enabling another bus master to use the
local bus. The 80C286 HOLD input signal is used to place
the 80C286 into the TH state. The 80C286 HLDA output sig-
nal indicates that the CPU has entered TH.
Pipelined Ad dre s si ng
The 80C286 uses a local bus inte rface with pipel ined timing
to allow as much time as possible for data access. Pipeline d
timing allows a new bus operation to be initiated every two
processor cycles, while allowing each individual bus opera-
tion to last for three processor cycles.
The timing of the address outputs is pipelined such that the
address of the next bus operation becomes available during
the current bus operation. Or, in other words, the first clock of
the next bus operation is overlapped with the last clock of the
current bus operation. Therefore, address decode and routing
logic can operate in advance of the n ext bus ope ration.
External address latches may hold the address stable for the
entire bus operation, and provide additional AC and DC buff-
ering.
The 80C286 does no t mai ntain the address of the current bus
operation during all TC states. Instead, the address for the
next bus operation may be emitted during phase 2 of any TC.
The address remains valid during phase 1 of the first TC to
guarantee hold time, relative to ALE, for the address latch
inputs.
Bus Control Signals
The 82C288 bus controller provid es control sig nals; a ddress
latch enable (ALE), Read/Write commands, data trans-
mit/receive (DT/R), and data enable (DEN) that control the
address latches, data transce ivers, write enable, and output
enable for memory and I/O systems.
The Address Latch Enable (ALE) output determines when
the address may be latched. ALE provides a t least one sys-
tem CLK period of address hold time from the end of the pre-
vious bus operation until the address for the next bus
operation appears at the latch outputs. This address hold
time is required to support Multibus and common memory
systems.
The data bus transceivers are controlled by 82C288 outputs
Data Enable (DEN) and Data Transmit/Receive (DT/R). DEN
enables the data transceivers; while DT/R controls trans-
ceiver direction. DEN and DT/R are timed to prevent bus
contention between the bus master, data bus transceivers,
and system data bus transceivers.
Command Timing Controls
Two system timing customization options, command extension
and command delay, are provided on the 80C286 local bus.
Command extension allows additional time for external
devices to respond to a command and is analogous to
inserting wait states on the 80C86. External logic can control
the duration of any bus operation such that the operation is
only as long as necessary. The READY input signal can
extend any bus operation for as long as necessary.
Command delay allows an increase of add ress or write data
setup time to system bus command active for any bus oper-
ation by delaying when the system bus command becomes
active. Command delay is controlle d b y the 82 C288 CMDLY
input. After TS, the bus controller samples CMDLY at each
failing edge of CLK. If CMDLY is HIGH, the 82C288 wi ll not
activate the command signal. When CMDLY is LOW, the
82C288 will activate the command signal. After the com-
mand becomes active, the CMDLY input is not sampled.
When a command is delayed, the available response time
from command active to return read data or accept write
data is less. To customize system bus timing, an address
decoder can determine which bus operations require delay-
ing the command. The CMDLY inp ut does not a ffect the tim-
ing of ALE, DEN or DT/R.
Figure 23 illustrates four uses of CMDLY. Exampl e 1 shows
delaying the read command two system CLKs for cycle N-1
and no delay for cycle N, and example 2 shows delaying the
read command one system CLK for cycle N-1 and one sys-
tem CLK delay for cycle N.
HLDA NEW CYCLE
NEW CYCLE HLDA
READY NEW CYCLE
READY
HLDA NEW CYCLE
HOLD
TH
IDLE
TI
COMMAND
TC
STATUS
TS
HLDA
HLDA
NEW CYCLE
ALWAYS
RESET
READY NEW CYCLE
FIGURE 21. 80C286 BUS STATES
80C286
29
FIGURE 22. BASIC BUS CYCLE
READ BUS CYCLE N
CLK
PROC
A23 - A0
S0 S1
READY
D15 - D0
READ BUS CYCLE N + 1
TC
TS
TC
TS
TI
φ1φ2φ1φ2φ1φ2φ1φ2
VALID READ
DATA (N) VALID READ
DATA (N + 1)
VALID ADDR (N) VALID ADDR (N + 1)
2 PCLK CYCLE TRANSFER
2.5 CLOCK CYCLE ADDRESS TO DATA VALID
2 PCLK CYCLE TRANSFER
CLK
PIPELINING: VALID ADDRESS (N + 1) AVAILABLE IN LAST PHASE OF BUS CYCLE (N).
80C286
30
Bus Cycle Termination
At maximum transfer rates, the 80C286 bus alternates
between the status and command states. The bus status
signals become inactive after TS so that they may correctly
signal the start of the next bus operation after the completion
of the current cycle. No external indication of TC exists on
the 80C286 local bus. The bus master and bus controller
enter TC directly after TS and continue executing TC cycles
until terminated by the assertion of READY.
READY Operation
The current bus master and 82C288 bus controller terminate
each bus operation simultaneously to achieve maximum bus
operation bandwidth. Both are informed in advance by
READY active (open-collector output from 82C284) which
identifies the last TC cycle of the current bus operation. The
bus master and bus controller must see the same sense of
the READY signal, thereb y requiring READY to be synchro-
nous to the system clock.
Synchronous Ready
The 82C284 clock generator provides READY synchroniza-
tion from both synchronous and asynch ronous sources (see
Figure 24). The synchronous ready input (SRDY) of the
clock generator is sampled with the falling edge of CLK at
the end of phase 1 of each TC. The state of SRDY is then
broadcast to the bus master and bus controller via the
READY output line.
Asynch r onous Read y
Many systems have devices or subsystems that are asyn-
chronous to the system clock. As a result, their ready out-
puts cannot be guaranteed to meet the 82C284 SRDY setup
and hold time requirements. But the 82C284 asynchronous
ready input (ARDY) is designed to a ccept such signals. The
ARDY input is sampled at the beginning of each TC cycle by
82C284 synchronization logic. This provides one system
CLK cycle time to resolve its value before broadcasting it to
the bus master and bus controller.
ARDY or ARDYEN must be HIGH at the end of TS. ARDY
cannot be used to terminate the bus cycle with no wait
states.
Each ready input of the 82C284 has an enable pin
(SRDYEN and ARDYEN) to select whether the current bus
operation will be terminated by the synchronous or asyn-
chronous ready. Either of the ready inputs may terminate a
bus operation. These ena ble inputs are active low and have
the same timing as their respective ready inputs. Address
decode logic usually selects wh ether the current bus opera-
tion should be terminated by ARDY or SRDY.
FIGURE 23. CMDLY CONTROLS THE LEADING EDGE OF COMMAND SIGNAL
TSTCTCTSTC
READ CYCLE N -1 READ CYCLE N
VALID ADDR N
VALID ADDR (N-1)
A23 - A0
PROC
CLK
CLK
S1 S0
ALE
READY
RD
CMDLY
RD
CMDLY
EX1
EX2
φ1φ2φ1φ2φ1φ2φ1φ2φ1φ2
80C286
31
Data Bus Control
Figures 25, 26, and 27 show how the DT/R, DEN, data bus,
and address signals operate for different combinations of
read, write, and idle bus operations. DT/R goes active
(LOW) for a read operation. DT/R remains HIGH before, dur-
ing, and between write operations.
The data bus is driven with write data during the second
phase of TS. The delay in write data timing allows the read
data drivers, from a previous read cycle, sufficient time to
enter three-state OFF before the 80C286 CPU begins driv-
ing the local data bus for write operations. Write data will
always remain valid for one system clock past the last TC to
provide sufficient hold time for Multibus or other similar
memory or I/O systems. During write-read or write-idle
sequences the data bus enters a high impedance state dur-
ing the second phase of the processor cycle after the last
TC. In a write-w rite sequence the da ta bus does not ente r a
high impedance state between TC and TS.
Bus Usage
The 80C286 local bus may be used for several functions:
instruction data transfers, data transfers by other bus mas-
ters, instruction fetching, processor extension data trans-
fers, interrupt acknowledge, and halt/shutdown. This
section describes local bus activities which have special
signals or requirements. Note that I/O transfers take place
in exactly the same mann er as memory transfers (i.e. to the
80C286 the timing, etc. of an I/O transfer is identical to a
memory transfer).
HOLD and HLDA
HOLD and HLDA allow another bus master to gain control of
the local bus by placing the 80 C286 bus into the T H state. The
sequence of events required to pass control between the
80C286 and anoth er local bus master are sh own in Figure 28 .
In this example, the 80C286 is initially in the TH state as
signaled by HLDA being active. Upon leaving TH, as sig-
naled by HLDA going inactive, a write operation is started.
During the write operation another local bus master
requests the local bus from the 80C286 as shown by the
HOLD signal. After completing the write operation, the
80C286 performs one TI bus cycle, to guarantee write data
hold time, then enters TH as signaled by HLDA going
active.
The CMDLY signal and ARDY ready are used to start and
stop the write bus command, respectively. Note that SRDY
must be inactive or disabled by SRDYEN to guarantee
ARDY will terminate the cycle.
HOLD must not be active during the time from the leading
edge of RESET until 34 CLKs following the trailing edge of
RESET unless the 80C286 is in the Halt condition. To
ensure that the 80C286 remains in the Halt condition until
the processor Reset operation is complete, no interrupts
should occur after the execution of HLT until 34 CLKs after
the trailing edge of the RESET pulse.
LOCK
The CPU asserts an active lock signal during Interrupt-
Acknowledge cycles, the XCHG instruction, and during
some descriptor accesses. Lock is also asserted when the
LOCK prefix is used. The LOCK prefix may be used with
the following ASM-286 assembly instructions; MOVS, INS
and OUTS. For bus cycles other than Interrupt-Acknowl-
edge cycles, Lock will be active for the first and subsequent
cycles of a series of cycles to be locked. Lock will not be
shown active during the last cycle to be locked. For the
next-to-last cycle, Lock will become inactive at the end of
the first TC regardless of the number of wait states
inserted. For Interrupt-Acknowledge cycles, Lock will be
active for each cycle, and will become inactive at the end of
the first TC for each cycle regardless of the number of wait-
states inserted.
Instruction Fetching
The 80C286 Bus Unit (BU) will fetch instructions ahead of
the current instruction be ing executed. This activity i s called
prefetching. It occurs when the local bus would otherwise be
idle and obeys the following rules:
A prefetch bus operation starts when at least two bytes of
the 6-byte prefetch queue are empty.
The prefetcher normally performs word prefetches indepen-
dent of the byte alignment of the code segment base in
physical memory.
The prefetcher will perform only a byte code fetch operation
for control transfers to an instructio n beginning on a numeri-
cally odd physical address.
Prefetching stops whenever a control transfer or HLT
instruction is decoded by the lU and placed into the in struc-
tion queue.
In real address mode, the prefetcher may fetch up to 6 bytes
beyond the last control transfer or HLT instruction in a code
segment.
In protected mode, the prefetcher will never cause a seg-
ment overrun exception. The prefetcher stops at the last
physical memory word of the code segment. Exception 13
will occur if the program attempts to execute beyo nd the la st
full instruction in the code segment.
If the last byte of a code segment appears on an even physi-
cal memory address, the prefetcher will read the next physi-
cal byte of memory (perform a word code fetch). The value
of this byte is ignored and any attempt to execute it causes
exception 13.
80C286
32
NOTES:
8. SRDYEN is active low.
9. If SRDYEN is high, the state of SRDY will not effect READY.
10. ARDYEN is active low. FIGURE 24. SYNCHRONOUS AND ASYNCHRONOUS READY
TSTCTSTCTC
MEMORY CYCLE N - 1 MEMORY CYCLE N
φ1φ2φ1φ2φ1φ2φ1φ2φ1φ2
VALID ADDRVALID ADDRVALID ADDR
(SEE NOTE 8) (SEE NOTE 9)
(SEE NOTE 10)
A23 - A0
CLK
S0 S1
SRDY
READY
ARDY
PROC
CLK
80C286
33
FIGURE 25. BACK TO BACK READ-WRITE CYCLE
TITSTCTSTC
READ CYCLE WRITE CYCLE
φ2φ1φ2φ1φ2φ1φ2φ1φ2φ1φ2
TI
A23 - A0
CLK
S0 S1
MRDC
MWTC
DT/R
D15 - D0
DEN
VALID
READ DATA
VALID ADDR VALID ADDR
VALID WRITE DATA
80C286
34
Processor Extension Transfe rs
FIGURE 26. BACK TO BACK WRITE-READ CYCLE
FIGURE 27. BACK TO BACK WRITE-WRITE CYCLE
TITSTCTSTC
WRITE CYCLE READ CYCLE
φ2φ1φ2φ1φ2φ1φ2φ1φ2φ1φ2
TI
CLK
VALID WRITE DATA
A23 - A0
S0 S1
D15 - D0
MRDC
MWTC
DEN
DT/R
VALID VALID
VALID
READ DATA
TITSTCTSTC
WRITE CYCLE N-1 WRITE CYCLE N
φ2φ1φ2φ1φ2φ1φ2φ1φ2φ1φ2
TI
CLK
A23 - A0VALID ADDR N-1 VALID ADDR N
VALID DATA N-1 VALID DATA N
S0 S1
D15 - D0
MWTC
DT/R
DEN
(HIGH)
80C286
35
The processor extension interface uses I/O port addresses
00F8(H), and 00FC(H) which are part of the I/O port address
range reserved by Intersil. An ESC instruction with Machine
Status Word bits EM = 0 and TS = 0 will perform I/O bus
operations to one or more of the se I/O port addresses inde-
pendent of the value of lOPL and CPL.
ESC instructions with memory references enable the CPU to
accept PEREQ inputs for processor extension operand
transfers. The CPU will determine the operand starting
address and read/write status of the instruction. For each
operand transfer, two or three bus operations are performed,
one word transfer with I/O port address 00FA(H) and one or
two bus operations with memory. Three bus operations are
required for each word operand aligned on an odd byte
address.
Interrupt Acknowledge Sequence
Figure 29 illustrates an interrupt acknowledge sequence per-
formed by the 80C286 in response to an INTR input. An
interrupt acknowledge sequence consists of two INTA bus
operations. The first allows a master 82C59A Programmable
Interrupt Controller (PlC) to determine which if any of its
slaves should return the interrupt vector. An eight bit vector
is read on D0-D7 of the 80C286 during the second INTA bus
operation to select an interrupt handler routine from the
interrupt table.
The Master Cascade Enable (MCE) signa l of the 82C288 is
used to enable the cascade address drivers during INTA bus
operations (See Figure 29) onto the local address bus for
distribution to slave interrupt controllers via the system
address bus. The 80C286 emits the LOCK signal (active
LOW) during TS of the first INTA bus operation. A loca l bus
“hold” request will not be honored until the end of the second
INTA bus operation.
Three idle processor clocks are provided by the 80C286
between INTA bus operations to allow for the minimum INTA
to INTA time and CAS (cascade address) out delay of the
82C59A. The second INTA bus operati on must always have
at least one extra TC state added via logic controlling
READY. A23-A0 are in three-state OFF until after the first TC
state of the second INTA bus operation. This prevents bus
contention between the cascade address drivers and CPU
address drivers. The extra TC state allows time for the
80C286 to resume driving the address lines for subsequent
bus operations.
80C286
36
NOTES:
11. Status lines are held at a high impedance logic one by the 80C286 during a HOLD state.
12. Address, M/IO and COD/lNTA may start floating during any TC depending on when internal 80C286 bus arbiter decides to release bus
to external HOLD. The float starts in φ2 of TC.
13. BHE and LOCK may start floating after the end of any TC depending on when internal 80C286 bus arbiter decides to release bus to
external HOLD. The float starts in φ1 of TC.
14. The minimum HOLD to HLDA time is shown. Maximum is one TH longer.
15. The earliest HOLD time is shown. It will always allow a subsequent memory cycle if pending is shown.
16. The minimum HOLD to HLDA time is shown. Maximum is a function of the instruction, type of bus cycle and other machine state (i.e.,
Interrupts, Waits, Lock, etc.).
17. Asynchronous ready allows termination of the cycle. Synchronous ready does not signal ready in this example. Synchronous ready state
is ignored after ready is signaled via the asynchronous input.
FIGURE 28. MULTIBUS WRITE TERMINATED BY ASYNCHRONOUS READY WITH BUS HOLD
VALID
VALID
VALID
(SEE NOTE 13)
(SEE NOTE 12)
(SEE NOTE 11)
(SEE NOTE 16)
(SEE NOTE 15)
NOT READY NOT READY
NOT READY NOT READY
(SEE NOTE 17)
READY
(SEE NOTE 17)DELAY ENABLE
VOH
TH
φ2φ1
TH
φ2φ1
TH
φ2φ1
BUS HOLD ACKNOWLEDGE
TS
φ2φ1
TC
φ2φ1
TC
φ2φ1
TC
φ2φ1
TI
φ2φ1
TH
φ2φ1
BUS HOLD
ACKNOWLEDGE
WRITE CYCLE
BUS CYCLE TYPE
CLK
HOLD (SEE NOTE 14)
HLDA
S1 S0
A23 - A0
M/IO,
D15 - D0
SRDY +
ARDY +
CMDLY
MWTC
DT/R
ALE
COD/INTA
BHE, LOCK
SRDYEN
ARDYEN
DEN
80C28680C28480C288
TS - STATUS CYCLE
TC - COMMAND CYCLE
(SEE NOTE 11)
80C286
37
Local Bus Usage Priorities
The 80C286 local bus is shared among several internal units
and external HOLD requests. In case of simultaneous
requests, their relative priorities are:
Halt or Shutdown Cycles
The 80C286 externally in dicates halt or shutdown conditio ns
as a bus operation. These conditions occur due to a HLT
instruction or multiple protection exceptions while attempting
to execute one instruction. A halt or shu tdown bus operation
is signalled when S 1, S0 and COD/lNTA are LOW and M/IO
is HIGH. A1 HIGH indicates halt, and A1 LOW indicates
shutdown. The 82C288 bus controller does not issue ALE,
nor is READY required to terminate a halt or shutdown bus
operation.
During halt or shutdown, the 80C286 may service PEREQ or
HOLD requests. A processor extension segment overrun
during shutdown will inhibit further se rvice of PEREQ. Either
NMl or RESET will force the 80C286 out of either halt or
shutdown. An INTR, if interrupts are enabled, or a processor
extension segment overrun exception will also force the
80C286 out of halt.
System Configurations
The versatile bus structure of the 80C286 micro-system, with
a full complement of support chips, allo ws fl exible con figura-
tion of a wide range of systems. The basic configuration,
shown in Figure 30, is similar to an 80C86 maximum mode
system. It includes the CPU plus an 82C59A interrupt con-
troller, 82C284 clock generator, and the 82C288 Bus Con-
troller. The 80C86 latches (82C82 and 82C83H) and
transceivers (82C86H and 82C87H) may be used in an
80C286 microsystem.
As indicated by the dashed lines in Figure 30, the ability to
add processor extensions is an integral feature of 80C286
based microsystems. The processor extension interface
allows external hardware to perform special functions and
transfer data concurrent with CPU execution of other instruc-
tions. Full system integrity is maintained because the
80C286 supervises all data transfers and instruction execu-
tion for the processor extension.
An 80C286 system which incl udes the 80287 numeric proce s-
sor extension (NPX) uses this interface. The 80C286/80287
system has all the instructions and data types of an 80C86 or
80C88 with 8087 numeric processor extension. The 80287
NPX can perform numeric calculations and data transfers
concurrently with CPU program execution. Numerics code
and data have the same integrity as all other information pro-
tected by the 80C286 protection mechanism.
The 80C286 can overlap chip select decoding and address
propagation during the data transfer for the previous bus
operation. This information is latched into the 82C82/83H's
by ALE during the middle of a TS cycle. The latched chip
select and address information remains stable during the
bus operation while the next cycle's address is being
decoded and propaga ted into the system. Decode logic can
be implemented with a high speed PROM or PAL.
The optional decode logic shown in Figure 30 takes advan-
tage of the overlap between address and data of the 80C286
bus cycle to generate advanced memory and I/O select sig-
nals. This minimizes system performance degradation
caused by address propagation and decode delays. In addi-
tion to selecting memory and I/O, the advanced selects may
be used with configurations supporting local and system
buses to enable the appropriate bus interface for each bus
cycle. The COD/lNTA and M/IO signals are applied to the
decode logic to distinguish b etween interrupt, I/O, code, a nd
data bus cycles.
By adding the 82289 bus arbiter chip the 80C286 provides a
Multibus system bus interface as shown in Figure 31. The
ALE output of the 82C288 for the Multibus bus is connected to
its CMDLY input to delay the start of commands one system
CLK as required to meet Multibus address and write data
setup times. This arrangement will add at least one extra TC
state to each bus operation which uses the Multibus.
A second 82C288 bus controller and additional latches and
transceivers could be added to the local bus of Figure 31.
This configuration allows the 80C286 to support an on-board
bus for local memory and peripherals, and the Multibus for
system bus interfacing.
(Highest) Any transfers which assert L OCK either explic-
itly (via the LOCK instruction prefix) or implic-
itly (i.e. some segment descriptor accesses, an
interrupt acknowledge sequence, or an XCHG
with memory).
The second of the two byte bus operations
required for an odd aligned word operand.
The second or third cycle of a processor exten-
sion data transfer.
Local bus request via HOLD input.
Processor extension data operand tra nsfer via
PEREQ input.
Data transfer performed by EU as part of an
instruction.
(Lowest) An instruction prefetch request from BU. The
EU will inhibit prefetching two processor clocks
in advance of any data transfers to minimize
waiting by the EU for a prefetch to finish.
80C286
38
NOTES:
18. Data is ignored.
19. First INTA cycle should have at least one wait state inserted to meet 82C59A minimum INTA pulse width.
20. Second INTA cycle must have at least one wait state inserted since the CPA will not drive A23-A0, BHE, and LOCK until after the first TC
state. The CPU imposed one/clock delay prevents has contention between cascade address buffer being disabled by MCE and address
outputs.
21. Without the wait state, the 80C286 address will not be valid for a memory cycle started immediately after the second INTA cycle. The
82C59A also requires one wait state for minimum INTA pulse width.
22. LOCK is active for the first INTA cycle to prevent the 82289 from releasing the bus between INTA cycles in a multi-master system. LOCK
is also active for the second INTA cycle.
23. A23-A0 exits three-state OFF during φ2 of the second TC in the INTA cycle.
FIGURE 29. INTERRUPT ACKNOWLEDGE SEQUENCE
T
C
φ
2
φ
1
INTA CYCLE 1
T
S
φ
2
φ
1
T
C
φ
2
φ
1
T
C
φ
2
φ
1
T
I
φ
2
φ
1
T
I
φ
2
φ
1
T
I
φ
2
φ
1
T
S
φ
2
φ
1
T
C
φ
2
φ
1
T
C
φ
2
φ
1
T
S
φ
2
φ
1
INTA CYCLE 2
BUS CYCLE
CLK
S1
S0
M/IO,
LOCK
A
23
- A
0
BHE
D
15
- D
0
READY
INTA
MCE
ALE
DT/R
DEN
(SEE NOTE 21)
(SEE NOTE 22) (SEE NOTE 22)
DON’T CARE
DON’T CARE
PREVIOUS
WRITE CYCLE (SEE NOTE 18) VECTOR
(SEE NOTE 20)
NOT READY READY
(SEE NOTE 19)
NOT READY READY
COD/INTA
TYPE
80C28682C288
80C286
39
FIGURE 30. BASIC 80C286 SYSTEM CONFIGURATION
VCC
RESET
SYNC READY
ENABLE
ASYNC READY
ENABLE ARDYEN
ARDY
SRDYEN
SHDY RESET
CLK
READY
S1
S0
F/C
EFI
PCLK
RES
X1
X2
82C284
CLOCK
GENERATOR
VCC
PROCESSOR
EXTENSION
(OPTIONAL)
MB
AEN
CMDLY
CLK
READY
S1
S0
M/IO
DT/R
DEN
MCE
ALE
INTA
IOWC
IORC
MWTC
MRDC
82C288 BUS
CONTROLLER
READY
ERROR
RESET
CLK
M/IO
S1
S0
NMI
HOLD
HLDA
BUSY
PEACK
PEREQ
LOCK
COD/INTA
D15 - D0
A23 - A0
BHE
INTR
INTERRUPT ACKNOWLEDGE
I/O WRITE
I/O READ
MEMORY WRITE
MEMORY READ
ADVANCED MEMORY
AND I/O CHIP SELECTS
ADDRESS BUS
CHIP SELECT
IR0 - IR7
DATA BUS
80C286
CPU
DECODE
(OPTIONAL)
STB
OE
CAS0-2
INT
INTA
WR
RD
D0 - D7
OE
T
82C82 OR
82C83H
LATCH
A0
CS
SP/EN
82C59A
INTERRUPT
CONTROLLER
82C86H
OR 82C87H
TRANS-
CEIVER
80C286
40
FIGURE 31. MULTIBUS SYSTEM BUS INTERFACE
SYSB/RESB
RESET
CBRQ
ALWAYS
CBQLCK
S0
S1
READY
CLK
AEN M/IO
LOCK
CBRQ
BUSY
BPRN
BPRO
BREQ
INIT
BCLK
82289
BUS ARBITER
X2X1
VCC
AEN
CMDLY
S0
S1
READY
CLK
MRDC
MWTC
IORC
IOWC
INTA
ALE
MCE
DEN
DT/R
M/IO
82C288
BUS CONTROLLER
RES
PCLK
F/C
EFI
SRDY
SRDYEN
ARDY
ARDYEN
RESET
CLK
READY
S1
S0
82C284
CLOCK
GENERATOR
RESET
SYNC READY
ENABLE
ASYNC READY
ENABLE
PROCESSOR
EXTENSION
(OPTIONAL)
M/IO
CLK
RESET
READY
S1
S0
NMI
HOLD
HLDA
ERROR
BUSY
PEACK
PEREQ
80C286
CPU
D15 - D0
INTR
BHE
A23 - A0
COD/INTA
LOCK STB
OE
82C83H
LATCH
CAS0-2
INT
INTA
WR
RD
SP/EN
D0 - D7
OE
T
82C59A
INTERRUPT
CONTROLLER
82C87H
TRANS-
CEIVER
A0
CS CHIP SELECT
ADDRESS BUS
IR0 - IR7
DATA BUS
VCC
MEMORY READ
MEMORY WRITE
I/O READ
I/O WRITE
INTERRUPT ACKNOWLEDGE
MULTIBUS
BUS ARBITRATION
VCC
80C286
41
/
Absolute Maximum Ratings Thermal Information
Supply Voltage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ±8.0V
Input, Output or I/O Voltage Applied. . . . . GND -1.0V to VCC +1.0V
Storage Temperature Range . . . . . . . . . . . . . . . . . -65oC to +150oC
Junction Temperature, PGA. . . . . . . . . . . . . . . . . . . . . . . . . +175oC
PLCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . +150oC
Lead Temperature (Soldering, 10s) . . . . . . . . . . . . . . . . . . . +300oC
(PLCC - Lead Tips Only)
Thermal Resistance (Typical) θJA (oC/W) θJC (oC/W)
PDIP Package. . . . . . . . . . . . . . . . . . . 35 6
CERDIP Package . . . . . . . . . . . . . . . . 33 9
Maximum Package Power Dissipation
PGA Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.22W
PLCC Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2W
Gate Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22,500
CAUTION: Stresses above those listed in “Absolute Maximum Ratings” may cause permanent damage to the device. This is a stress only rating and operation
of the device at these or any other conditions above those indicated in the operational sections of this specificatio n i s not implied.
Operating Conditions
Operating Voltage Range
80C286-10, -12. . . . . . . . . . . . . . . . . . . . . . . . . . . +4.5V to +5.5V
80C286-16, -20, -25 . . . . . . . . . . . . . . . . . . . . . +4.75V to +5.25V
Operating Temperature Range
I80C286-10, -12, -16, -20 . . . . . . . . . . . . . . . . . . -40oC to +85oC
C80C286-12, -16, -20, -25. . . . . . . . . . . . . . . . . . . . 0oC to +70oC
DC Electrical Specifications VCC = +5V ± 10%, TA = 0oC to +7 0oC (C80C286-12), VCC = +5V ± 5%, TA = 0oC to +70 oC
(C80C286-16, -20, -25), VCC = +5V ± 10%, TA = -40oC to +85oC (I80C286-10 , -12 ), V CC = +5V ± 5%,
TA = -40oC to +85oC (I80C286-16, -20)
SYMBOL PARAMETER MIN MAX UNITS TEST CONDITIONS
VIL Input LOW Voltage -0.5 0.8 V
VIH Input HIGH Voltage 2.0 VCC +0.5 V
VILC CLK Input LOW Voltage -0.5 1.0 V
VIHC CLK Input HIGH Voltage 3.6 VCC +0.5 V
VOL Output LOW Voltage - 0.4 V IOL = 2.0mA
VOH Output HIGH Voltage 3.0
VCC -0.4 -
-VI
OH = -2.0mA, IOH = -100µA
IIInput Leakage Current -10 10 µAV
IN = GND or VCC
Pins 29, 31, 57, 59, 61, 63-64
ISH Input Sustaining Current on BUSY and
ERROR Pins -30 -500 µAV
IN = GND (See Note 28)
IBHL Input Sustaining Current LOW 38 200 µAV
IN = 1.0V (See Note 24)
IBHH Input Sustaining Current HIGH -50 -400 µAV
IN = 3.0V (See Note 25)
IOOutput Leakage Current -10 10 µAV
O = GND or VCC
Pins 1, 7-8, 10-28, 32-34
ICCOP Active Power Supply Current - 185 mA 80C286-10 (See Note 27)
- 220 mA 80C286-12 (See Note 27)
- 260 mA 80C286-16 (See Note 27)
- 310 mA 80C286-20 (See Note 27)
- 410 mA 80C286-25 (See Note 27)
ICCSB Standby Power Supply Current - 5 mA (See Note 26)
Capacitance TA = +25oC, All Measurements Referenced to Device GND
SYMBOL PARAMETER TYP UNITS TEST CONDITIONS
CCLK CLK Input Capacitance 10 pF FREQ = 1MHz
CIN Other Input Capacitance 10 pF
CI/O I/O Capacitance 10 pF
NOTES:
24. IBHL should be measured after lowering VIN to GND and then raising to 1.0V on the following pins: 36-51, 66, 67.
25. IBHH should be measured after raising VIN to VCC and then lowering to 3.0V on the following pins: 4-6, 36-51, 66-68.
26. ICCSB tested with the clock stopped in phase two of the processor clock cycle. VIN = VCC or GND, VCC = VCC (Max), outputs unloaded.
27. ICCOP measured at 10MHz for the 80C286-10, 12.5MHz for the 80C286-12, 16MHz for the 80C286-16, 20MHz for the 80C286-20, and
25MHz for the 80C286-25. VIN = 2.4V or 0.4V, VCC = VCC (Max), outputs unloaded.
28. ISH should be measured after raising VIN to VCC and then lowering to GND on pins 53 and 54.
80C286
42
AC Test Conditions
AC Electrical Specifications VCC = +5V ±10%, TA = 0oC to +70oC (C80C286-12) , TA = -40oC to +85oC (I80C286-10, -12)
VCC = +5V ±5%, TA = 0oC to +70oC (C80C286-16), TA = -40oC to +85oC (I80C286-16) AC Timings
are Referenced to 0.8V and 2.0V Points of the Signals as Illustrated in Data Sheet Waveforms,
Unless Otherwise Specified
SYMBOL PARAMETER
10MHz 12.5MHz 16MHz
UNIT TEST
CONDITIONMIN MAX MIN MAX MIN MAX
TIMING REQUIREMENTS
1 System Clock (CLK) Period 50 - 40 - 31 - ns
2 System Clock (CLK) LOW Time 12 - 11 - 7 - ns At 1.0V
3 System Clock (CLK) HIGH Time 16 - 13 - 11 - ns At 3.6V
17 System Clock (CLK) RISE Time - 8 - 8 - 5 ns 1.0V to 3.6V
18 System Clock (CLK) FALL Time - 8 - 8 - 5 ns 3.6V to 1.0V
4 Asynchronous Inputs SETUP Time 20 - 15 - 5 - ns (Note 29)
5 Asynchronous Inputs HOLD Time 20 - 15 - 5 - ns (Note 29)
6 RESET SETUP Time 19 - 10 - 10 - ns
7 RESET HOLD Time 0 - 0 - 0 - ns
8 Read Data SETUP Time 8 - 5 - 5 - ns
9 Read Data HOLD Time 4 - 4 - 3 - ns
10 READY SETUP Time 26 - 20 - 12 - ns
11 READY HOLD Time 25 - 20 - 5 - ns
20 Input RISE/FALL Times - 10 - 8 - 6 ns 0.8V to 2.0V
TIMING RESPONSES
12A Status/PEACK Active Delay 1 22 1 21 1 18 ns 1, (Notes 31, 35)
12B Status/PEACK Inactive Delay 1 30 1 24 1 20 ns 1, (Notes 31, 34)
13 Address Valid Delay 1 35 1 32 1 27 ns 1, (Notes 30, 31)
14 Write Data Valid Delay 0 40 0 31 0 28 ns 1, (Notes 30, 31)
15 Address/Status/Data Float Delay 0 47 0 32 0 29 ns 2, (Note 33)
16 HLDA Valid Delay 0 47 0 25 0 25 ns 1, (Notes 31, 36)
19 Address Valid to Status SETUP Time 27 - 22 - 16 - ns 1, (Notes 31, 32)
NOTES:
29. Asynchronous inputs are INTR, NMl, HOLD, PEREQ, ERROR, and BUSY. This specification is given only for testing purposes, to assure
recognition at a specific CLK edge.
30. Delay from 1.0V on the CLK to 0.8V or 2.0V.
31. Output load: CL = 100pF.
32. Delay measured from address either reaching 0.8V or 2.0V (valid) to status goin g active reac hing 0.8V or st atus going in active reaching
2.0V.
33. Delay from 1.0V on the CLK to Float (no current drive) condition.
34. Delay from 1.0V on the CLK to 0.8V for min. (HOLD time) and to 2.0V for max. (inactive delay).
35. Delay from 1.0V on the CLK to 2.0V for min. (HOLD time) and to 0.8V for ma x. (active delay).
36. Delay from 1.0V on the CLK to 2.0V.
TEST CONDITION IL (CONSTANT CURRENT SOURCE) CL
1 |2.0mA| 100pF
2-6mA (V
OH to Float)
8mA (VOL to Float) 100pF
80C286
43
AC Test Conditions
AC Electrical Specifications VCC = +5V ±5%, TA = 0oC to +70oC (C80C286-20, - 25), TA = -40oC to +85oC (l80C286-20)
AC Timings are Referenced to the 1.5V Point of the Signals as Illustrated in Data Sheet Waveforms,
Unless Otherwise Specified
SYMBOL PARAMETER
20MHz 25MHz
UNIT TEST CONDITIONMIN MAX MIN MAX
TIMING REQUIREMENTS
1 System Clock (CLK) Period 25 - 20 - ns
2 System Clock (CLK) LOW Time 6 - 5 - ns At 1.0V
3 System Clock (CLK) HIGH Time 9 - 7 - ns At 3.6V
17 System Clock (CLK) RISE Time - 4 - 4 ns 1.0V to 3.6V
18 System Clock (CLK) FALL Time - 4 - 4 ns 3.6V to 1.0V
4 Asynchronous Inputs SETUP Time 4 - 4 - ns (Note 37)
5 Asynchronous Inputs HOLD Time 4 - 4 - ns (Note 37)
6 RESET SETUP Time 10 - 10 - ns
7 RESET HOLD Time 0 - 0 - ns
8 Read Data SETUP Time 3 - 3 - ns
9 Read Data HOLD Time 2 - 2 - ns
10 READY SETUP Time 10 - 9 - ns
11 READY HOLD Time 3-3-ns
20 Input RISE/FALL Times - 6 - 6 ns 0.8V to 2.0V
TIMING RESPONSES
12A Status/PEACK Active Delay 1 15 1 12 ns 1, (Notes 39, 42)
12B Status/PEACK Inactive Delay 1 16 1 13 ns 1, (Notes 39, 42)
13 Address Valid Delay 1 23 1 20 ns 1, (Notes 38, 39)
14 Write Data Valid Delay 0 27 0 24 ns 1, (Notes 38, 39)
15 Address/Status/Data Float Delay 0 25 0 24 ns 2, (Note 41)
16 HLDA Valid Delay 0 20 0 19 ns 1, (Notes 38, 39)
19 Address Valid to Status SETUP Time 9 - 12 - ns 1, (Notes 39, 40)
NOTES:
37. Asynchronous inputs are INTR, NMl, HOLD, PEREQ, ERROR, and BUSY. This specification is given only for testing purposes, to assure
recognition at a specific CLK edge.
38. Delay from 1.0V on the CLK to 1.5V.
39. Output load: CL = 100pF.
40. Delay measured from address reaching 1.5V to status reaching 1.5V.
41. Delay from 1.0V on the CLK to Float (no current drive) condition.
42. Delay from 1.0V on the CLK to 1.5V.
TEST CONDITION IL (CONSTANT CURRENT SOURCE) CL
1 |2.0mA| 100pF
2-6mA (V
OH to Float)
8mA (VOL to Float) 100pF
80C286
44
AC Specifications (Continued)
C80C86-12, -16
I80C286-10, -12, -16
AC DRIVE AND MEASURE POINTS - CLK INPUT
NOTE: For AC testing, input rise and fall times are driven at 1ns per volt.
FIGURE 32.
CLK INPUT
4.0V
0.45V
3.6V 3.6V
1.0V1.0V
1.0V 1.0V
3.6V3.6V
4.0V
2.0V
0.8V 0.8V
2.0V
0.8V
2.0V
tDELAY (MAX)
tDELAY (MAX)
tHOLD
tSETUP
CLK INPUT
0.45V
2.4V
OTHER
0.4V
DEVICE
DEVICE
INPUT
OUTPUT
80C286
45
C80C286-20, -25
I80C286-20
AC DRIVE AND MEASURE POINTS - CLK INPUT
NOTE: Typical Output Rise/Fall Time is 6ns. For AC testing, input rise and fall times are driven at 1ns per volt.
FIGURE 33.
AC Specifications (Continued)
CLK INPUT
4.0V
0.45V
3.6V 3.6V
1.0V1.0V
1.0V 1.0V
3.6V3.6V
4.0V
2.0V
0.8V 0.8V
2.0V
1.5V
tDELAY
tHOLD
tSETUP
CLK INPUT
0.45V
2.4V
OTHER
0.4V
DEVICE
DEVICE
INPUT
OUTPUT
80C286
46
AC Electrical Specifications 82C284 and 82C288 Timing Specifications are given for reference only and no guarantee is implied.
82C284 Timing
SYMBOL PARAMETER
10MHz 12.5MHz 16MHz
UNIT TEST
CONDITIONMIN MAX MIN MAX MIN MAX
TIMING REQUIREMENTS
11 SRDY/SRDYEN Setup Time 15 - 15 - 10 - ns
12 SRDY/SRDYEN Hold Time 2-2-1-ns
13 ARDY/ARDYEN Setup Time 5 - 5 - 3 - ns (Note 43)
14 ARDY/ARDYEN Hold Time 30 - 25 - 20 - ns (Note 43)
TIMING RESPONSES
19PCLK Delay 020016015nsC
L = 75pF,
IOL = 5mA,
IOH = 1mA
NOTE:
43. These times are given for testing purposes to ensure a predetermined action.
82C288 Timing
SYMBOL PARAMETER
10MHz 12.5MHz 16MHz
UNIT TEST
CONDITIONMIN MAX MIN MAX MIN MAX
TIMING REQUIREMENTS
12 CMDLY Setup Time 15 - 15 - 10 - ns
13CMDLY Hold Time 1-1-0-ns
TIMING RESPONSES
16 ALE Active Delay 1 16 1 16 1 12 ns
17 ALE Inactive Delay - 19 - 19 - 15 ns
19 DT/R Read Active Delay - 23 - 23 - 18 ns CL = 150pF
20 DEN Read Active Delay - 21 - 21 - 16 ns IOL = 16mA Max
21 DEN Read Inactive Delay 3 23 3 21 5 14 ns IOL = 1mA Max
22 DT/R Read Inactive Delay 5 24 5 18 5 14 ns
23 DEN Write Active Delay - 23 - 23 - 17 ns
24 DEN Write Inactive Delay 3 23 3 23 3 15 ns
29 Command Active Delay from CLK 3 21 3 21 3 15 ns CL = 300pF
30 Command Inactive Delay from CLK 3 20 3 20 3 15 ns IOL = 32mA Max
NOTE:
44. These times are given for testing purposes to ensure a predetermined action.
80C286
47
Waveforms
FIGURE 34. MAJOR CYCLE TIMING
NOTE: The modified timing is due to the CMDLY signal being active.
3
212A
1
12B
19
13
13
13 19
13
9
814
11
10 10
11
15
14
13
30
29
24
13
12
12
13
22
23
21
20
19
29 30
13
12
17
19 20
19
12
11
19
16
TI
φ2φ2φ2φ1
TS
φ2φ1
TC
φ2φ1
TS
φ2φ1
TC
φ1
TC
WRITE CYCLE
BUS
VALID IF TS
READ
(TS OR TS)
ILLUSTRATED WITH ONE
WAIT STATE
READ CYCLE
ILLUSTRATED WITH ZERO
WAIT STATES
CYCLE TYPE
VOH
CLK
VOL
S1 S0
A23 - A0
M/IO, COD,
BHE, LOCK
READY
SRDY + SRDYEN
ARDY + ARDYEN
PLCK
CMDLY
MWTC
MRDC
DT/R
DEN
ALE
INTA
D15 - D0
VALID ADDRESSVALID ADDRESS
VALID CONTROL VALID CONTROL
VALID WRITE DATA
VALID READ DATA
(SEE NOTE 1)
82C288 82C284 80C286
80C286
48
FIGURE 35. 80C286 ASYNCHRONOUS INPUT SIGNAL TIMING
NOTES:
45. PCLK indicates which processor cycle phase will occur on the
next CLK, PCLK may not indicate the correct phase until the first
cycle is performed.
46. These inputs are asynchronous. The setup and hold times
shown assure recognition for testing purposes.
FIGURE 36. 80C286 RESET INPUT TIMING AND SUBSEQUENT
PROCESSOR CYCLE PHASE
NOTE:
47. When RESET meets the setup time shown, the next CLK will
start or repeat φ1 of a processor cycle.
Waveforms (Continued)
19 19
5
4
5
4
BUS CYCLE TYPE
CLK
VCH
VCL
PCLK
(SEE NOTE 47)
INTR, NMI
HOLD, PEREQ
(SEE NOTE 45)
ERROR, BUSY
(SEE NOTE 46)
TXφ2φ1CLK
VCH
VCL
TX
φ1φ2φ1φ2
76
76
RESET
CLK
RESET
VCH
VCL
TX
φ1φ1φ2
(SEE NOTE 47)
(SEE NOTE 47)
80C286
49
FIGURE 37. EXITING AND ENTERING HOLD
NOTES:
48. These signals may not be driven by the 80C286 during the time shown. The worst case in terms of latest float time is shown.
49. The data bus will be driven as shown if the cycle before TI in the diagram was a write TC.
50. The 80C286 puts its status pins in a high impedance logic one state during TH.
51. For HOLD request set up to HLDA, refer to Figure 29.
52. BHE and LOCK are driven at this time but will not become valid until TS.
53. The data bus will remain in a high impedance state if a read cycle is performed.
Waveforms (Continued)
TH
φ1
BUS
CYCLE TYPE
VCH
CLK
VCL
S1 S0
BHE, LOCK
80C286
φ2
HLDA
CLK
D15 - D0
PCLK
80C284
A23 - A0,
M/IO,
COD/INTA
φ1φ2φ1φ2φ1φ2
16 16
15
15
15
15
14
13
12A
12B
TS OR TITITH
(SEE NOTE 51)
(SEE NOTE 50)
(SEE NOTE 48)
(SEE NOTE 49)
(SEE NOTE 53)
(SEE NOTE 52)
(SEE NOTE 50)
IF TS
IF NPX TRANSFER
VALID
VALID IF WRITE
80C286
50
ASSUMING WORD-ALIGNED MEMORY OPERAND. IF ODD ALIGNED, 80C286 TRANSFERS TO/FROM MEMORY BYTE-AT- A-TIME WITH TWO MEMORY
CYCLES.
FIGURE 38. 80C286 PEREQ/PEACK TIMING FOR ONE TRANSFER ONLY
NOTES:
54. PEACK always goes active during the first bus operation of a processor extension data operand transfer sequence. The first bus opera-
tion will be either a memory read at operand address or I/O read at port address 00FA(H).
55. To prevent a second processor extension data operand transfer, the worst case maximum time (Shown above) is
3 x - 12AMAX - MIN. The actual configuration dependent, maximum time is: 3 x - 12AMAX - MIN + N x 2 x . N is the
number of extra TC states added to either the first or second bus operation of the processor extension data operand transfer sequence.
FIGURE 39. INITIAL 80C286 PIN STATE DURING RESET
NOTES:
56. Setup time for RESET may be violated with the consideration that φ1 of the processor clock may begin one system CLK period later.
57. Setup and hold times for RESET must be met for proper operation, but RESET may occur during φ1 or φ2.
58. The data bus is only guaranteed to be in a high impedance state at the time shown.
Waveforms (Continued)
1
12A 12B
45
TIφ2
BUS
CYCLE TYPE
VCH
CLK
VCL
φ1
S1 S0
A23 - A0
M/IO,
PEACK
PEREQ
φ2φ2φ1φ2φ1φ2φ1
TSTCTSTCTI
I/O READ IF PROC. EXT. TO MEMORY
MEMORY READ IF MEMORY TO PROC. EXT. MEMORY WRITE IF PROC. EXT. TO MEMORY
I/O WRITE IF MEMORY TO PROC. EXT.
MEMORY ADDRESS IF PROC. EXT. TO MEMORY TRANSFER I/O PORT
ADDRESS 00FA(H) IF MEMORY TO PROC. EXT. TRANSFER
I/O PORT ADDRESS 00FA(H) IF PROC. EXT. TO MEMORY TRANSFER
MEMORY ADDRESS IF MEMORY TO PROC. EXT. TRANSFER
(SEE NOTE 54)
(SEE NOTE 55)
COD INTA
14 1 4 1
6
7
12B
13
13
13
15
16
19
φ2
BUS
CYCLE TYPE
VCH
CLK
VCL
φ1
RESET
A23 - A0
(SEE NOTE 56)
φ2φ1φ2φ1φ2φ1φ2
UNKNOWN
UNKNOWN
UNKNOWN
UNKNOWN
UNKNOWN
S1 S0
BHE
M/IO
COD/INTA
LOCK
DATA
HLDA
PEACK
TXTXTXTI
AT LEAST (SEE NOTE 57)
(SEE NOTE 58)
16 CLK PERIODS
80C286
51
80C286 Instruction Set Summary
Instruction Timing Notes
The instruction clock counts l isted below establish the maxi-
mum execution rate of the 80C286. With no delays in bus
cycles, the actual clock count of an 80C286 program will
average 5% more than the calculated clock count, due to
instruction sequences which execute faster than they can be
fetched from memory.
To calculate elapsed times for instruction sequences, multi-
ply the sum of all instruction clock counts, as listed in the
table below, by the processor clock period. An 12.5MHz pro-
cessor clock has a clock period of 80 nanoseconds and
requires an 80C286 system clock (CLK input) of 25MHz.
Instruction Clock Count Assumptions
1. The instruction has been perfected, decoded and is
ready for execution. Control transfer instruction clock
counts include all time required to fetch, decode, and
prepare the next instruction for execution.
2. Bus cycles do not require wait states.
3. There are no processor extension data transfer or local
bus HOLD requests.
4. No exceptions occur during instruction executi on.
Instruction Set Summary Notes
Addressing displacements selected by the MOD field are not
shown. If necessary they appear after the instruction fields
shown.
Above/below refers to unsigned value.
Greater refers to more positive signed values.
Less refers to less positive (more negative) signed values
if d = 1, then “to” register; if d = 0 then “from” register
if w = 1, then word instruction; if w = 0, then byte instruction
if s = 0, then 16-bit immediate data form the operand
if s = 1, then an immediate data byte is sign-extended to
form the 16-bit operand
x don’t care
z used for string primitives for comparison with ZF FLAG
If two clock counts are given, the smaller refers to a register
operand and the larger refers to a memory opera nd
* = add one clock if offset calculation requires summing 3
elements
n = number of times repeated
m = number of bytes of code in next instruction
Level (L) - Lexical nesting level of the procedure
The following comments describe possible exceptions, side
effects and allowed usage for instructions in both operating
modes of the 80C286.
FIGURE 40A. SHORT OPCODE FORMAT EXAMPLE
FIGURE 40B. LONG OPCODE FORMAT EXAMPLE
FIGURE 40. 80C286 INSTRUCTION FORMAT EXAMPLES
Waveforms (Continued)
LOW DISP/DATA HIGH DISP/DATA LOW DATA HIGH DATA
OPCODE MOD REG R/Mdw
BYTE 1 BYTE 2 BYTE 3 BYTE 4 BYTE 5 BYTE 6
7654321076543210
REGISTER OPERAND REGISTERS TO USE IN OFFSET CALCULATION
REGISTER OPERAND/EXTENSION OF OPCODE
REGISTER M OD E /MEMORY MO D E WITH DISPLACEMENT LENGTH
WORD/BYTE OPERATION
DIRECTION IS TO REGISTER DIRECTION IS FROM REGISTER
OPERATION (INSTRUCTION) CODE
LOW DISP HIGH DISP
BYTE 5BYTE 4BYTE 3BYTE 2BYTE 1
LONG OPCODE MOD REG R/M
765432107654321076543210
80C286
52
Real Address Mode Only
1. This is a protected mode instruction. Attempted execu-
tion in real address mode will result in an undefined
opcode exception (6).
2. A segment overrun exception (13) will occur if a word
operand references at offset FFFF(H) is attempted.
3. This instruction may be executed in real address mode to
initialize the CPU for protecte d mode.
4. The IOPL and NT fields will remain 0.
5. Processor extension segment overrun interrupt (9) will
occur if the operand exceeds the segment limit.
Either Mode
6. An exception may occur, depending on the value of the
operand.
7. LOCK is automatically asserted regardless of the pres-
ence or absence of the LOCK instruction prefix.
8. LOCK does not remain active between all operand
transfers.
Protected Virtual Address Mode Only
9. A general protection exception (13) will occur if the mem-
ory operand cannot be used due to either a segment limit
or access rights violation. If a stack segment limit is vio-
lated, a stack segment overrun exception (12) occurs.
10. For segment load operations, the CPL, RPL and DPL
must agree with privilege rules to avoid an exception.
The segment must be present to avoid a not-present
exception (11). If the SS register is the destin ation and a
segment not-present violation occurs, a stack exception
(12) occurs.
11. All segment descriptor accesses in the GDT or LDT made
by this instruction will automatically assert LOC K to main-
tain descriptor integrity in multiprocessor systems.
12. JMP, CALL, INT, RET, IRET instructions referring to
another code segment will cause a general protection
exception (13) if any privilege rule is violated.
13. A general protection exception (13) occurs if CPL 0.
14. A general protection exception (13) occurs if CPL > IOPL.
15. The IF field of the flag word is not updated if CPL > IOPL.
The IOPL field is updated only if CPL = 0.
16. Any violation of privilege rules as applied to the selector
operand does not cause a protection exception; rather,
the instruction does not return a result and the zero flag
is cleared.
17. If the starting address of the memory operand violates a
segment limit, or an invalid access is attempted, a gen-
eral protection exception (13) will occur before the ESC
instruction is executed. A stack segment overrun excep-
tion (12) will occur if the stack limit is violated by the
operand’s starting address. If a segment limit is violated
during an attempted data transfer then a processor
extension segment overrun exception (9) occurs.
18. The destination of an INT, JMP, CALL, RET or IRET
instruction must be in the defined limit of a code segment
or a general protection exception (13) will occur.
80C286 Instruction Set Summary
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
DATA TRANSFER
MOV = Move
Register to Register/Mem-
ory 1000100w mod reg
r/m 2, 3
(Note 59) 2, 3
(Note 59) 29
Register/Memory to Regis-
ter 1000101w mod reg
r/m 2, 5
(Note 59) 2, 5
(Note 59) 29
Immediate to Register/Mem-
ory 1100011w mod 000
r/m data data if
w = 1 2, 3
(Note 59) 2, 3
(Note 59) 29
Immediate to Register 1011w reg data data if w =
1 22
Memory to Accumulator 1010000w addr-low addr-high 5 5 2 9
80C286
53
Accumulator to Memory 1010001w addr-low ad dr-high 3 3 2 9
Register/Memory to Seg-
ment Register 10001110 mod 0 reg
r/m 2, 5
(Note 59) 17, 19
(Note 59) 2 9, 10, 11
Segment Register to Regis-
ter/Memory 10001100 mod 0 reg
r/m 2, 3
(Note 59) 2, 3
(Note 59) 29
PUSH = Push
Memory 11111111 mod 110
r/m 5
(Note 59) 5
(Note 59) 29
Register 01010 reg 3 3 2 9
Segment Register 000 reg
110 33 29
Immediate 011010s0 data data if s =
033 29
PUSHA = Push All 01100000 17 17 2 9
POP = Pop
Memory 10001111 mod 000
r/m 5
(Note 59) 5
(Note 59) 29
Register 01011 reg 5 5 2 9
Segment Register 000 reg
111 (reg 01) 5 20 2 9, 10, 11
POPA = Pop All 01100001 19 19 2 9
XCHG = Exchange
Register/Memory with Reg-
ister 1000011w mod reg
r/m 3, 5
(Note 59) 3, 5
(Note 59) 2, 7 7, 9
Register with Accumulator 10010 reg 3 3
IN = Input From
Fixed Port 1110010w port 5 5 14
Variable Port 1110110w 5 5 14
OUT = Output T o
Fixed Port 1110011w port 3 3 14
Variable Port 1110111w 3 3 14
XLAT = Translate Byte to
AL 11010111 5 5 9
80C286 Instruction Set Summary (Continued)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
80C286
54
LEA = Load EA to Register 10001101 mod reg
r/m 3
(Note 59) 3
(Note 59)
LDS = Load Pointer to DS 11000101 mod reg
r/m (mod 11) 7
(Note 59) 21
(Note 59) 2 9, 10, 11
LES = Load Pointer to ES 11000100 mod reg
r/m (mod 1) 7
(Note 59) 21
(Note 59) 2 9, 10, 11
LAHF Load AH with Flags 10011111 2 2
SAHF = Store AH into Flags 10011110 2 2
PUSHF = Push Flags 10011100 3 3 2 9
POPF = Pop Flags 10011101 5 5 2, 4 9, 15
ARlTHMETlC
ADD = Add
Reg/Memory with Register
to
Either
000000dw mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Immediate to Regis-
ter/Memory 100000sw mod 000
r/m data data if
sw = 01 3, 7
(Note 59) 3, 7
(Note 59) 29
Immediate to Accumulator 0000010w data data if w =
133
ADC = Add with Carry
Reg/Memory with Register
to
Either
000100dw mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Immediate to Regis-
ter/Memory 100000sw mod 010
r/m data data if
sw = 01 3, 7
(Note 59) 3, 7
(Note 59) 29
Immediate to Accumulator 0001010w data data if w =
133
INC = Increment
Register/Memory 1111111w mod 000
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Register 01000 reg 2 2
SUB = Subtract
Reg/Memory and Register
to
Either
001010dw mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
80C286 Instruction Set Summary (Continued)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
80C286
55
Immediate from Regis-
ter/Memory 100000sw mod 101
r/m data data if
sw = 01 3, 7
(Note 59) 3, 7
(Note 59) 29
Immediate from Accumula-
tor 0010110w data data if w =
133
SBB = Subtract with Borrow
Reg/Memory and Register
to
Either
000110dw mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Immediate from Regis-
ter/Memory 100000sw mod 011
r/m data data if
sw = 01 3, 7
(Note 59) 3, 7
(Note 59) 29
Immediate from Accumula-
tor 0001110w data data if w =
133
DEC = Decrement
Register/Memory 1111111w mod 001
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Register 01001 reg 2 2
CMP = Compare
Register/Memory with Reg-
ister 0011101w mod reg
r/m 2, 6
(Note 59) 2, 6
(Note 59) 29
Register with Regis-
ter/Memory 0011100w mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Immediate with Regis-
ter/Memory 100000sw mod 111
r/m data data if
sw = 01 3, 6
(Note 59) 3, 6
(Note 59) 29
Immediate with Accumula-
tor 0011110w data data if w =
133
NEG = Change Sign 1111011w mod 011
r/m 27
(Note 59) 27
AAA = ASCII Adjust for Add 00110111 3 3
DAA = Decimal Adjust for
Add 00100111 3 3
AAS = ASCII Adjust for
Subtract 00111111 3 3
DAS = Decimal Adlust for
Subtract 00101111 3 3
MUL = Multiply (Unsigned) 1111011w mod 100
r/m
80C286 Instruction Set Summary (Continued)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
80C286
56
Register - Byte 13 13
Register - Word 21 21
Memory - Byte 16
(Note 59) 16
(Note 59) 29
Memory - Word 24
(Note 59) 24
(Note 59) 29
IMUL = Integer Multiply
(Signed) 1111011w mod 101
r/m
Register - Byte 13 13
Register - Word 21 21
Memory - Byte 16
(Note 59) 16
(Note 59) 29
Memory - Word 24
(Note 59) 24
(Note 59) 29
IMUL = Interger Immediate
Multiply (Signed) 011010s1 mod reg
r/m data data if s =
021, 24
(Note 59) 21, 24
(Note 59) 29
DIV = Divide (Unsigned) 1111011w mod 110
r/m
Register - Byte 14 14 6 6
Register - Word 22 22 6 6
Memory - Byte 17
(Note 59) 17
(Note 59) 2, 6 6, 9
Memory - Word 25
(Note 59) 25
(Note 59) 2, 6 6, 9
IDIV = Integer Divide
(Signed) 1111011w mod 111
r/m
Register - Byte 17 17 6 6
Register - Word 25 25 6 6
Memory - Byte 20
(Note 59) 20
(Note 59) 2, 6 6, 9
Memory - Word 28
(Note 59) 28
(Note 59) 2, 6 6, 9
AAM = ASCII Adjust for
Multiply 11010100 000010 10 16 16
80C286 Instruction Set Summary (Continued)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
80C286
57
AAD = ASCII Adjust for
Divide 11010101 000010 10 14 14
CBW = Convert Byte to
Word 10011000 2 2
CWD = Convert Word to
Double Word 10011001 2 2
LOGIC
Shift/Rotate Instructions
Register/Memory by 1 110100 0w mod TTT
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Register/Memory by CL 1101001w mod TTT
r/m 5+n, 8+n
(Note 59) 5+n, 8+n
(Note 59) 29
Register/Memory by Count 1100000 mod TTT
r/m count 5+n, 8+n
(Note 59) 5+n, 8+n
(Note 59) 29
TTT Instruction
000 ROL
001 ROR
010 RCL
011 RCR
100 SHL/SAL
101 SHR
111 SAR
AND = And
Reg/Memory and Register
to
Either
001000dw mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Immediate to Regis-
ter/Memory 1000000w mod 100
r/m data data if w =
13, 7
(Note 59) 3, 7
(Note 59) 29
Immediate to Accumulator 0010010w data data if w =
133
TEST = And Function to Flag s, No Result
Register/Memory and Reg-
ister 1000010w mod reg
r/m 2, 6
(Note 59) 2, 6
(Note 59) 29
80C286 Instruction Set Summary (Continued)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
80C286
58
Immediate Data and Regis-
ter/Memory 1111011w mod 000
r/m data data if w =
13, 6
(Note 59) 3, 6
(Note 59) 29
Immediate Data and Accu-
mulator 1010100w data data if w =
133
OR = Or
Reg/Memory and Register
to
Either
000010dw mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Immediate to Regis-
ter/Memory 1000000w mod 001
r/m data data if w =
13, 7
(Note 59) 3, 7
(Note 59) 29
Immediate to Accumulator 0000110w data data if w =
133
XOR = Exclusive or
Reg/Memory and Register
to
Either
001100dw mod reg
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
Immediate to Regis-
ter/Memory 1000000w mod reg
r/m data data if w =
13, 7
(Note 59) 3, 7
(Note 59) 29
Immediate to Accumulator 0011010w data data if w =
133
NOT = Invert Regis-
ter/Memory 1111011w mod 010
r/m 2, 7
(Note 59) 2, 7
(Note 59) 29
STRING MANIPULATION
MOVS = Move Byte/Word 1010010w 5 5 2 9
CMPS = Compare
Byte/Word 1010011w 8 8 2 9
SCAS = Scan Byte/Word 1010111w 7 7 2 9
LODS = Load Byte/Word to
AL/AX 1010110w 5 5 2 9
STOS = Store Byte/Word
from AL/A 1010101w 3 3 2 9
INS = Input Byte/Word from
DX Port 0110110w 5 5 2 9, 14
OUTS = Output Byte/Word
to
DX Port
0110111w 5 5 2 9, 14
80C286 Instruction Set Summary (Continued)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
80C286
59
All Intersil U.S. products are manufactured, assembled and tested utilizing ISO9000 quality systems.
Intersil Corporation’s quality certifications can be viewed at www.intersil.com/design/quality
Intersil products are sold by description only. Intersil Corporation reserves the right to make changes in circuit design, software and/or specifications at any time without
notice. Accordingly, the reader is cautioned to verify that data sheets are current before placing orders. Information furnished by Intersil is believed to be accurate and
reliable. However, no responsibility is assumed by Intersil or its subsidiaries for its use; nor for any infringements of patents or other rights of third parties which may result
from its use. No license is grant ed by impl icati on or ot herwise under any patent or pat ent rights of Intersil or its subsi diaries.
For information regarding Intersil Corporation and its products, see www.intersil.com
80C286
Repeated by Count in CX
MOVS = Move String 11110011 1010010w 5 + 4n 5 + 4n 2 9
CMPS = Compare String 1111001z 1010011w 5 + 9n 5 + 9n 2, 8 8, 9
SCAS = Scan String 1111001z 1010111w 5 + 8n 5 + 8n 2, 8 8, 9
LODS = Load String 11110011 1010110w 5 + 4n 5 + 4n 2, 8 8, 9
STOS = Store String 11110011 1010101w 4 + 3n 4 + 3n 2, 8 8, 9
INS = Input String 11110011 0110110w 5 + 4n 5 + 4n 2 9, 14
OUTS = Output String 11110011 0110111w 5 + 4n 5 + 4n 2 9, 14
CONTROL TRANSFER
CALL = Call
Direct Within Segment 11101000 disp-low disp-high 7 + m 7 + m 2 18
Register/Memory Indirect
Within Segment 11111111 mod 010
r/m 7 + m,
11 + m
(Note 59)
7 + m,
11 + m
(Note 59)
2, 8 8, 9, 18
Direct Intersegment 10011010 Segment Offset 13 + m 26 + m 2 11, 12,18
Protected Mode Only
(Direct Intersegment) Segment Selector
Via Call Gate to Same
Privilege Level 41 + m 8, 11, 12, 18
Via Call Gate to Different
Privilege Level, No
Parameters
82 + m 8, 11, 12, 18
80C286 Instruction Set Summary (Continued)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
60
Via Call Gate to Different
Privilege Level, X Param-
eters
86 + 4x + m 8, 11, 12, 18
Via TSS 177 + m 8, 11, 12, 18
Via Task Gate 182 + m 8, 11, 12, 18
Indirect Intersegment 11111111 mod 011
r/m mod 11 16 + m
(Note 59) 29 + m
(Note 59) 2 8, 9, 11, 12,
18
Protected Mode Only (Indirect Intersegment)
Via Call Gate to Same
Privilege Level 44 + m
(Note 59) 8, 9, 11, 12,
18
Via Call Gate to Different
Privilege Level, No
Parameters
83 + m
(Note 59) 8, 9, 11, 12,
18
Via Call Gate to Different
Privilege Level, X Param-
eters
90 + 4x + m
(Note 59) 8, 9, 11, 12,
18
Via TSS 180 + m
(Note 59) 8, 9, 11, 12,
18
Protected Mode Only (Indirect Intersegment) (Continued)
Via Task Gate 185 + m
(Note 59) 8, 9, 11, 12,
18
JMP = Unconditional Jump
Short/Long 11101011 disp-low 7 + m 7 + m 18
Direct Within Segment 111 01001 disp-low disp-high 7 + m 7 + m 18
Register/Memory Indirect
Within Segment 11111111 mod 100
r/m 7 + m,
11 + m
(Note 59)
7 + m,
11 + m
(Note 59)
29, 18
Direct Intersegment 11101010 Segment Offset 11 + m 23 + m 11, 12, 18
Protected Mode Only
(Direct Intersegment) Segment Selector
Via Call Gate to Same
Privilege Level 38 + m 8, 11,12,18
Via TSS 175 + m 8, 11,12,18
Via Task Gate 180 + m 8, 11,12,18
Indirect Intersegment 11111111 mod 101
r/m mod 11 15 + m
(Note 59) 26 + m
(Note 59) 2 8, 9, 11, 12,
18
Protected Mode Only (Indirect Intersegment)
80C286 Instruction Set Summary (Continu ed)
FUNCTION FORMAT CLOCK COUNT COMMENTS
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
REAL
ADDRES
S
MODE
PRO-
TECTED
VIRTUAL
ADDRESS
MODE
80C286