The question is about persistent validity of code segment selector while switching from real mode to protected mode on intel i386. The switching code is as follows (excerpted from bootasm.S
of xv6 x86 version):
9138 # Switch from real to protected mode. Use a bootstrap GDT that makes 9139 # virtual addresses map directly to physical addresses so that the 9140 # effective memory map doesn’t change during the transition. 9141 lgdt gdtdesc 9142 movl %cr0, %eax 9143 orl $CR0_PE, %eax 9144 movl %eax, %cr0 9150 # Complete the transition to 32−bit protected mode by using a long jmp 9151 # to reload %cs and %eip. The segment descriptors are set up with no 9152 # translation, so that the mapping is still the identity mapping. 9153 ljmp $(SEG_KCODE<<3), $start32
The GDT layout is as follows:
9182 gdt: 9183 SEG_NULLASM # null seg 9184 SEG_ASM(STA_X|STA_R, 0x0, 0xffffffff) # code seg 9185 SEG_ASM(STA_W, 0x0, 0xffffffff) # data seg
After executing line 9144, the processor switches to protected mode in which mere segment memory management is enabled (but paging has not yet been enabled). My understanding is that, since segment MM has been enabled, the fetching of the following instruction should conform to the rules of segment MM. At this point (immediately before line 9153), however, the code selector remains 0, which in my understanding means the code segment should have selected the zero-th descriptor in GDT, which is null. But my question comes out naturally, how such a null descriptor can load the supposed ljmp
instruction? I tried to answer my question by googling, and a document gives some explanation as follows: http://www.logix.cz/michal/doc/i386/chp10-03.htm#10-03
The segment registers continue to point to the same linear addresses as in real address mode
This sentence seems to answer my question: if the segment registers continue to point to the same linear addresses, the next instruction should be the same as in real mode, that is, ljmp
. But I immediately have a sequence of new questions: why can the segment selector "continue to point to the same linear addresses"? Hasn't the processor been changed to protected mode? Doesn't the value of 0 in %cs
point to the zero-th descriptor, instead of the 1st (set in line 9184) which is the supposed descriptor to fetch ljmp
instruction? How does the x86 CPU magically know it is the ljmp
that is the next instruction it should execute? Where is the description in any manual that describe this magic? I tried to persuade myself that the ljmp
has been prefetched in the processor's instruction queue, but the second paragraph of the same webpage tells me that the prefetched ljmp
, if any, has been invalidated so the CPU should fetch the next instruction afresh. Can you please give me some clarification of how "the segment registers continue to point to the same linear addresses as in real address mode" magically? Thank you.
PS, the CPU I am working on is intel i386 compatible.
The modern reference is the Intel Software Developer's Manual, Volume 3A, Section 9.9.1, "Switching to protected mode".
Intel isn't big on explaining how magic works internally. What it says, and all you need to know, is that if your movl %eax, %cr0
is immediately followed by a far jump or far call, then everything will work. If you put any other instruction there, then "random failures can occur" (their wording).
As it says, %cs
continues to hold its previous value, and presumably that's the value that would be pushed on the stack if you did a far call as the instruction after movl %eax, %cr0
. (Where the stack would be is another interesting question - I think everyone uses the jump instead so it rarely comes up.) But for this one instruction it evidently isn't used as a selector in the usual way.
One guess as to how it might work: we know that in protected mode, there are hidden registers that store the segment attributes, and are reloaded from the descriptor table when you load a segment register. So the movl %eax, %cr0
might cause the hidden register corresponding to %cs
to be loaded with attributes of a segment whose base address is the linear address of the current 16-bit segment: e.g. if %cs
contained 0x1234
then it could be a segment with base address 0x12340
. But the %cs
register itself could be left alone, temporarily not matching its hidden counterpart. Then if the high bits of %eip
are zeroed, the next instruction would be fetched from the right place. That instruction is required to be the long jump which will reload %cs
as well as the hidden segment attribute register.
It's also possible that it just sets some internal flag that says "even though in protected mode, fetch the next instruction according to real-mode address translation". Then this flag gets cleared when a far jump occurs, or after one instruction has been fetched, or something like that.