s06_03.htm

Programmer s Reference Manual is an improtant book on Intel processor architecture and programming.

<IMG align=center SRC="fig6-3.gif" border=0>
<P>
<H3>6.3.2.1  Accessing Data in Code Segments</H3>
Less common than the use of data segments is the use of code segments to
store data. Code segments may legitimately hold constants; it is not
possible to write to a segment described as a code segment. The following
methods of accessing data in code segments are possible:
<OL>
<LI> Load a data-segment register with a selector of a nonconforming,
readable, executable segment.
<LI> Load a data-segment register with a selector of a conforming,
readable, executable segment.
<LI> Use a CS override prefix to read a readable, executable segment whose
selector is already loaded in the CS register.
</OL>
The same rules as for access to data segments apply to case 1. Case 2 is
always valid because the privilege level of a segment whose conforming bit
is set is effectively the same as CPL regardless of its DPL. Case 3 always
valid because the DPL of the code segment in CS is, by definition, equal to
CPL.

<H2>6.3.3  Restricting Control Transfers</H2>
With the 80386, control transfers are accomplished by the instructions 
<A HREF="JMP.htm">JMP</A>,
<A HREF="CALL.htm">CALL</A>, 
<A HREF="RET.htm">RET</A>, 
<A HREF="INT.htm">INT</A>, and <A HREF="IRET.htm">IRET</A>, 
as well as by the exception and interrupt
mechanisms . Exceptions and interrupts are special cases that 
<A HREF="c09.htm">Chapter 9</A>
covers. This chapter discusses only <A HREF="JMP.htm">JMP</A>, 
<A HREF="CALL.htm">CALL</A>, and <A HREF="RET.htm">RET</A> instructions.
<P>
The "near" forms of <A HREF="JMP.htm">JMP</A>, <A HREF="CALL.htm">CALL</A>, and 
<A HREF="RET.htm">RET</A> transfer within the current code
segment, and therefore are subject only to limit checking. The processor
ensures that the destination of the <A HREF="JMP.htm">JMP</A>, 
<A HREF="CALL.htm">CALL</A>, or 
<A HREF="RET.htm">RET</A> instruction does not
exceed the limit of the current executable segment. This limit is cached in
the CS register; therefore, protection checks for near transfers require no
extra clock cycles.
<P>
The operands of the "far" forms of 
<A HREF="JMP.htm">JMP</A> and 
<A HREF="CALL.htm">CALL</A> refer to other segments;
therefore, the processor performs privilege checking. There are two ways a
<A HREF="JMP.htm">JMP</A> or 
<A HREF="CALL.htm">CALL</A> can refer to another segment:
<OL>
<LI> The operand selects the descriptor of another executable segment.
<LI> The operand selects a call gate descriptor. This gated form of
transfer is discussed in a later section on call gates.
</OL>
As 
<A HREF="#fig6-4">Figure 6-4</A>
  shows, two different privilege levels enter into a privilege
check for a control transfer that does not use a call gate:
<OL>
<LI> The CPL (current privilege level).

<LI> The DPL of the descriptor of the target segment.
</OL>
Normally the CPL is equal to the DPL of the segment that the processor is
currently executing. CPL may, however, be greater than DPL if the conforming
bit is set in the descriptor of the current executable segment. The
processor keeps a record of the CPL cached in the CS register; this value
can be different from the DPL in the descriptor of the code segment.
<P>
The processor permits a 
<A HREF="JMP.htm">JMP</A> or 
<A HREF="CALL.htm">CALL</A> directly to another segment only if one
of the following privilege rules is satisfied:
<UL>
<LI> DPL of the target is equal to CPL.
<LI> The conforming bit of the target code-segment descriptor is set, and
the DPL of the target is less than or equal to CPL.
</UL>
An executable segment whose descriptor has the conforming bit set is called
a conforming segment. The conforming-segment mechanism permits sharing of
procedures that may be called from various privilege levels but should
execute at the privilege level of the calling procedure. Examples of such
procedures include math libraries and some exception handlers. When control
is transferred to a conforming segment, the CPL does not change. This is
the only case when CPL may be unequal to the DPL of the current executable
segment.
<P>
Most code segments are not conforming. The basic rules of privilege above
mean that, for nonconforming segments, control can be transferred without a
gate only to executable segments at the same level of privilege. There is a
need, however, to transfer control to (numerically) smaller privilege
levels; this need is met by the 
<A HREF="CALL.htm">CALL</A> instruction when used with call-gate
descriptors, which are explained in the next section. The 
<A HREF="JMP.htm">JMP</A> instruction
may never transfer control to a nonconforming segment whose DPL does not
equal CPL.
<P>
<A NAME="fig6-4">
<IMG align=center SRC="fig6-4.gif" border=0>
<P>
<H2>6.3.4  Gate Descriptors Guard Procedure Entry Points</H2>
To provide protection for control transfers among executable segments
at different privilege levels, the 80386 uses gate descriptors. There are
four kinds of gate descriptors:
<UL>
<LI> Call gates
<LI> Trap gates
<LI> Interrupt gates
<LI> Task gates
</UL>
This chapter is concerned only with call gates. Task gates are used for
task switching , and therefore are discussed in 
<A HREF="c07.htm">Chapter 7</A>. 
<A HREF="c09.htm">Chapter 9</A>
explains how trap gates and interrupt gates are used by exceptions and
interrupts. 
<A HREF="#fig6-5">Figure 6-5</A>
  illustrates the format of a call gate. A call gate
descriptor may reside in the GDT or in an LDT, but not in the IDT.
A call gate has two primary functions:
<OL>
<LI> To define an entry point of a procedure.
<LI> To specify the privilege level of the entry point.
</OL>
Call gate descriptors are used by call and jump instructions in the same
manner as code segment descriptors. When the hardware recognizes that the
destination selector refers to a gate descriptor, the operation of the
instruction is expanded as determined by the contents of the call gate.
<P>
The selector and offset fields of a gate form a pointer to the entry point
of a procedure. A call gate guarantees that all transitions to another
segment go to a valid entry point, rather than possibly into the middle of a
procedure (or worse, into the middle of an instruction). The far pointer
operand of the control transfer instruction does not point to the segment
and offset of the target instruction; rather, the selector part of the
pointer selects a gate, and the offset is not used. 
<A HREF="#fig6-6">Figure 6-6</A>
  illustrates
this style of addressing.
<P>
As 
<A HREF="#fig6-7">Figure 6-7</A>
  shows, four different privilege levels are used to check the
validity of a control transfer via a call gate:
<OL>
<LI> The CPL (current privilege level).
<LI> The RPL (requestor's privilege level) of the selector used to specify
the call gate.
<LI> The DPL of the gate descriptor.
<LI> The DPL of the descriptor of the target executable segment.
</OL>
The DPL field of the gate descriptor determines what privilege levels can
use the gate. One code segment can have several procedures that are intended
for use by different privilege levels. For example, an operating system may
have some services that are intended to be used by applications, whereas
others may be intended only for use by other systems software.
<P>
Gates can be used for control transfers to numerically smaller privilege
levels or to the same privilege level (though they are not necessary for
transfers to the same level). Only 
<A HREF="CALL.htm">CALL</A> instructions can use gates to
transfer to smaller privilege levels. A gate may be used by a 
<A HREF="JMP.htm">JMP</A>
instruction only to transfer to an executable segment with the same
privilege level or to a conforming segment.
<P>
For a 
<A HREF="JMP.htm">JMP</A> instruction to a nonconforming segment, 
both of the following
privilege rules must be satisfied; otherwise, a general protection exception
results.
<PRE>
MAX (CPL,RPL) <= gate DPL
target segment DPL = CPL
</PRE>
For a <A HREF="CALL.htm">CALL</A> instruction (or for a 
<A HREF="JMP.htm">JMP</A> instruction to a conforming segment),
both of the following privilege rules must be satisfied; otherwise, a
general protection exception results.
<PRE>
MAX (CPL,RPL) <= gate DPL
target segment DPL <= CPL
</PRE>
<P>
<A NAME="fig6-5">
<IMG align=center SRC="fig6-5.gif" border=0>
<P>
<HR>
<P>
<A NAME="fig6-6">
<IMG align=center SRC="fig6-6.gif" border=0>
<P>
<HR>
<P>
<A NAME="fig6-7">
<IMG align=center SRC="fig6-7.gif" border=0>
<P>
<H3>6.3.4.1  Stack Switching</H3>
If the destination code segment of the call gate is at a different
privilege level than the CPL, an interlevel transfer is being requested.
<P>
To maintain system integrity, each privilege level has a separate stack.
These stacks assure sufficient stack space to process calls from less
privileged levels. Without them, a trusted procedure would not work
correctly if the calling procedure did not provide sufficient space on the
caller's stack.
<P>
The processor locates these stacks via the task state segment (see 
<A HREF="#fig6-8">Figure 6-8</A>). 
Each task has a separate TSS, thereby permitting tasks to have
separate stacks. Systems software is responsible for creating TSSs and
placing correct stack pointers in them. The initial stack pointers in the
TSS are strictly read-only values. The processor never changes them during
the course of execution.
<P>
When a call gate is used to change privilege levels, a new stack is
selected by loading a pointer value from the Task State Segment (TSS). The
processor uses the DPL of the target code segment (the new CPL) to index the
initial stack pointer for PL 0, PL 1, or PL 2.
<P>
The DPL of the new stack data segment must equal the new CPL; if it does
not, a stack exception occurs. It is the responsibility of systems software
to create stacks and stack-segment descriptors for all privilege levels that
are used. Each stack must contain enough space to hold the old SS:ESP, the
return address, and all parameters and local variables that may be required
to process a call.
<P>
As with intralevel calls, parameters for the subroutine are placed on the
stack. To make privilege transitions transparent to the called procedure,
the processor copies the parameters to the new stack. The count field of a
call gate tells the processor how many doublewords (up to 31) to copy from
the caller's stack to the new stack. If the count is zero, no parameters are
copied.
<P>
The processor performs the following stack-related steps in executing an
interlevel <A HREF="CALL.htm">CALL</A>.
<OL>
<LI> The new stack is checked to assure that it is large enough to hold
the parameters and linkages; if it is not, a stack fault occurs with
an error code of 0.
<LI> The old value of the stack registers SS:ESP is pushed onto the new
stack as two doublewords.
<LI> The parameters are copied.
<LI> A pointer to the instruction after the 
<A HREF="CALL.htm">CALL</A> instruction (the former
value of CS:EIP) is pushed onto the new stack. The final value of
SS:ESP points to this return pointer on the new stack.
</OL>

<A HREF="#fig6-9">Figure 6-9</A>
  illustrates the stack contents after a successful interlevel
call.
<P>
The TSS does not have a stack pointer for a privilege level 3 stack,
because privilege level 3 cannot be called by any procedure at any other
privilege level.
<P>
Procedures that may be called from another privilege level and that require
more than the 31 doublewords for parameters must use the saved SS:ESP link
to access all parameters beyond the last doubleword copied.
<P>
A call via a call gate does not check the values of the words copied onto
the new stack. The called procedure should check each parameter for
validity. A later section discusses how the <A HREF="ARPL.htm">ARPL</A>, 
<A HREF="VERR.htm">VERR</A>, 
<A HREF="VERR.htm">VERW</A>, 
<A HREF="LSL.htm">LSL</A>, and 
<A HREF="LAR.htm">LAR</A>
instructions can be used to check pointer values.
<P>
<A NAME="fig6-8">
<IMG align=center SRC="fig6-8.gif" border=0>
<P>
<HR>
<P>
<A NAME="fig6-9">
<IMG align=center SRC="fig6-9.gif" border=0>