URL https://opencores.org/ocsvn/ao486/ao486/trunk

Subversion Repositories ao486

[/] [ao486/] [trunk/] [doc/] [ao486_notes.txt] - Blame information for rev 2

Details | Compare with Previous | View Log


RET near
 
1) D:
   M: repeat CMD_RET_near with CMDEX_NULL
   R: pop new_EIP to dst
   E: check new_EIP; copy dst to exe_buffer; prepare next ESP (imm: add imm to ESP)
   W: commit ESP; reset P,M,R,E,W
 
 
CMD_MC_LOAD_SEG 1,2
 
    D:
    M:
    R: prepare real/v86 descriptor; prepare null descriptor
    E: verify SS,TR not null; LDT,TR not from LDT --> #GP
    W: write real/v86 descriptor; write null descriptor
 
    D:
    M:
    R: read descriptor
    E: verify loaded descriptor --> #GP,#SS,#NP
    W: touch descriptor; write descriptor registers
 
RET far
 
1) D:
   M:
   R: pop eip to dst;                               read cs from ESP+(4/2)
   E: save eip to mc_param_2
   W: ESP speculative
 
2) D:
   M:
   R: pop cs;                                       read eip from ESP
   E: check new_EIP; save cs to mc_param_1
   W:
 
3) D:
   M: CMD_MC_LOAD_SEG 1;
   R:
   E:                                               cs null --> #GP(sel);
   W:
 
4) D:
   M: CMD_MC_LOAD_SEG 2;
   R:                                               read descriptor
   E:                                               rpl < cpl --> #GP(sel); check_cs
   W:                                               if(cpl == rpl) touch; update EIP,ESP
 
 
check_cs:
must be segment; must be code segment;
non conforming && dpl != rpl --> #GP(sel)
(non conforming + check_rpl) ignored
conforming && dpl > rpl --> #GP(sel)
not present --> #NP(sel)
 
if(cpl == rpl)
branch_far64: (ret_far,exception,iret,jmp,call)
    new_EIP > new_cs_limit --> #GP(0)
 
    load_cs: (exception,call_far)
        touch_segment:
            if(not accessed segment) write 1 byte
        save selector, descriptor; selector.value with rpl
 
    EIP = new_EIP
(ESP/SP) += (4/2) + pop_bytes
 
if(cpl != rpl)
read ss      from ESP + (12/6) + pop_bytes
read new_esp from ESP + (8/4)  + pop_bytes
ss null --> #GP(sel)
not segment || not data segment || not data writable --> #GP(ss sel)
ss.rpl != cs.rpl --> #GP(ss sel)
not present --> #SS(ss sel)
branch_far64: (the same as above)
load_ss: (iret,exception,ret_far,call_far)
    if(new_ss.rpl != 0) --> touch_segment: if(not accessed segment) --> write 1 byte
    save selector, descriptor; selector.value with rpl
 
ESP=new_ESP + pop_bytes
validate_seg_regs: (iret,ret_far)
    for ds,es,fs,gs: if(dpl < cpl && (not valid || not segment || data segment || code non conforming)
    selector=0; valid=0
 
   R:
   E:
   W:
 
5) D:
   M:
   R:
   E: prepare next ESP (imm: add imm to ESP)
   W: comit ESP; reset P,M,R,E,W
 
 
IRET
Note 1: in protected mode: NT and VM can not be set together -- NT not checked if not protected mode
Note 2: in protected mode: NT and TR not valid can not be set together -- TR always valid
 
    real                                    v8086                                           protected NT:                           protected:
1)  D:                                      D:                                              D:                                      D:
    M:                                      M:                                              M:                                      M:
    R: read eip 16/32                       R: check IOPL --> skip; read eip 16/32          R: read system ts 16                    R: read eflags temp_esp+8/4
    E:                                      E: check IOPL --> #GP(0);                       E: check ts --> #TS(val)                E:
    W:                                      W:                                              W:                                      W:
 
2)  D:                                      D:                                              D:                                      D:
    M:                                      M:                                              M:                                      M:
    R: read cs 16/32                        R: read cs 16/32                                R: read desc --> #TS(0)                 R: read cs temp_esp+4/2
    E:                                      E:                                              E: check desc --> #TS(val), #NP(val)    E:
    W:                                      W:                                              W:                                      W:
 
3)  D:                                      D:                                              D:                                      D:
    M:                                      M:                                              M: TASK_SWITCH                          M:
    R: read eflags 16/32                    R: read eflags 16/32                            R:                                      R: read eip temp_esp+0/0
    E: check eip --> #GP(0)                 E: --                                           E:                                      E:
    W:                                      W:                                              W:                                      W:
 
4-5)D:                                      D:                                                                                      D:
    M: load_seg: 1,2 CS                     M: load_seg: 1,2 CS                                                                     M: load_seg 1,2 CS (load_seg 1 CS: check null, fix RET_far)
    R:                                      R:                                                                                      R:
    E:                                      E:                                                                                      E:
    W:                                      W:                                                                                      W:
 
5)  D:                                      D:                                                                                      D:                                  D:                                       D:
    M:                                      M:                                                                                      M: same                             M: outer                                 M: IRET_TO_V86
    R:                                      R:                                                                                      R:                                  R: read ss temp_esp+16/8                 R: read esp temp_esp+12
    E:                                      E:                                                                                      E: check eip limit                  E: check ss_rpl != cs_rpl                E:
    W: write eip,eflags                     W: write eip,eflags(v86 mask)                                                           W: touch cs; save cs, esp           W:                                       W:
 
6)                                                                                                                                  D:                                  D:                                       D:
                                                                                                                                    M: same                             M: outer, LOAD_SEG 1,2 SS                M:
                                                                                                                                    R:                                  R:      (with null check, NP not SS!)    R: read ss temp_esp+16
                                                                                                                                    E:                                  E:                                       E:
                                                                                                                                    W: save eip, eflags                 W:                                       W:
 
7)                                                                                                                                                                      D:                                       D:
                                                                                                                                                                        M: outer                                 M:
                                                                                                                                                                        R: read esp temp_esp+12/6                R: read es temp_esp+20
                                                                                                                                                                        E:                                       E:
                                                                                                                                                                        W:                                       W:
 
8)                                                                                                                                                                      D:                                       D:
                                                                                                                                                                        M: outer                                 M:
                                                                                                                                                                        R: read eflags temp_esp+8/4              R: read ds temp_esp+24
                                                                                                                                                                        E:                                       E:
                                                                                                                                                                        W:                                       W:
 
9)                                                                                                                                                                      D:                                       D:
                                                                                                                                                                        M: outer                                 M:
                                                                                                                                                                        R: read eip temp_esp+0/0                 R: read fs temp_esp+28
                                                                                                                                                                        E: check eip --> #GP(0)                  E:
                                                                                                                                                                        W: touch cs; save cs; save eflags        W:
 
10)                                                                                                                                                                     D:                                       D:
                                                                                                                                                                        M: outer                                 M:
                                                                                                                                                                        R:                                       R: read gs temp_esp+20
                                                                                                                                                                        E:                                       E:
                                                                                                                                                                        W: touch ss; save esp; validate seg      W: write eflags, eip, esp, cs,ds,es,fs,gs,ss with v86 init
 
TASK_SWITCH
param:  tss_desc
param:  tss
param:  source
 
1)  D:
    M:
    R:
    E: check new_tss_desc limit; check old_tss_desc limit --> #TS(val)
    W:
 
    D:
    M:
    R:
    E: validate page(nbase, nbase+max; READ); validate if from CALL,INT page(nbase, nbase+1; WRITE)
    W:
 
    D:
    M:
    R: if from JUMP,IRET: read system dword old tr_desc
    E:
    W: if from JUMP,IRET: write system dword old tr_desc with not busy
 
    D:
    M:
    R:
    E: validate if to 286 page(obase+14, obase+41, WRITE); if to 386 page(obase+0x20, obase+0x5d, WRITE)
    W: write system eip 16/32; +14/+0x20;
 
    D:
    M:
    R:
    E:
    W: write system old_eflags 16/32; +16/+0x24; if moving to busy tss; clear old NT
 
    D:
    M:
    R:
    E:
    W: write system eax 16/32; +20/+0x28; ecx,edx,ebx,esp,ebp,esi,edi; +32/+0x44
 
    D:
    M:
    R:
    E:
    W: write system es 16; +32/+0x48; cs,ss,ds; +40/+0x54
 
    D:
    M:
    R:
    E:
    W: write system fs 16; +0x58; gs; +0x5c
 
    D:
    M:
    R:
    E:
    W: if from CALL,INT: write system link tr nbase+0
 
    D:
    M:
    R: if PG and 386: read system dword nbase+0x1c --newCR3
    E:
    W:
 
    D:
    M: step 6
    R: read system word/dword +14/+0x20 --tmp values: eip,eflags,eax,ecx,edx,ebx,esp,ebp,esi,edi,es,cs,ss,ds +40/+0x54 (ldt/fs,gs,ldt,trap) +42/+0x64
    E:
    W:
 
    D:
    M: step 7
    R: if not from IRET: read system dword for busy
    E:
    W: if not from IRET: write system dword for busy
 
    D:
    M:
    R:
    E:
    W: save tr,cr0_ts,dr,eflags,eax,ecx,edx,ebx,esp,ebp,esi,edi,eip,speculative esp,selectors,cache not valid; if 386 and PG and cr3 change --> save cr3
 
todo: cpl=3, ldtr ...
    D:
    M:
    R:
    E: check ldtr.ti,check index in tables(not null)
    W:
 
    D:
    M:
    R: read ldtr.desc
    E: verify desc
    W: save desc
 
    D:
    M:
    R: if protected: read system desc; if null --> GP(0)
    E: if protected: check ss desc (with CPL=3); if v8086: prepare ss from selector
    W: if protected: touch;
 
    D:
    M: load ds
    R:
    E:
    W:
 
    D:
    M: load es
    R:
    E:
    W:
 
    D:
    M: load fs
    R:
    E:
    W:
 
    D:
    M; load gs
    R:
    E:
    W:
 
    D:
    M; load cs
    R:
    E:
    W:
 
    D:
    M;
    R:
    E:
    W: push error; esp speculative
 
    D:
    M;
    R:
    E: verify eip;
    W: esp commit
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
CALL Ev, Jv
 
    D:
    M:
    R: if(Ev) read mem/reg word/dword from ea/reg; else read imm
    E: if(Ev) save src to mc_param_2; else save src+eip
    W: esp speculative; push ip/eip
 
    D:
    M:
    R:
    E: check new_eip > cs_limit
    W: esp commit; set eip
 
CALL Ep, Ap
 
    D:
    M:
    R: if(Ep) read offset dword/word from ea; else from Imm; to mc_param_2
    E:
    W:
 
    D:
    M:
    R: if(Ep) read cs word from (ea+2/4)&a_mask; else from Imm; to mc_param_1
    E:
    W: esp speculative
 
    --> real/v8086 or protected
 
    real/v8086:
 
    D:
    M:
    R:
    E: if(op32) check if eip > cs_limit -->  #GP(0)
    W: push word/dword: cs
 
    D:
    M:
    R:
    E:
    W: push word/dword: eip
 
    D:
    M:
    R:
    E: if(op16) check if eip > cs_limit -->  #GP(0)
    W:
 
    --< load_seg
 
    D:
    M:
    R:
    E:
    W: esp commit; set eip
 
    call_protected:
 
    D:
    M:
 
        mc_param_1: new_cs
        mc_param_2: new_eip
 
    R: if(not null new_cs) fetch new_cs descriptor
 
        mc_descriptor: new_cs_descriptor
 
        mc_param_3: clear
 
    E: if(null new_cs || unknown type || (segment && check_cs) ) #GP(new_cs)
       if(gate.dpl < CPL || gate.dpl < gate.rpl) #GP(new_cs)
       if(tss) #GP, #NP
       if(call_gate) #NP
       if(other_type) #GP
    W:
 
CMDEX_CALL_protected_STEP_1: [idle, wait for mc_descriptor save]
    D:
    M:
    R:
    E:
    W:
 
CMDEX_CALL_protected_seg_STEP_0:
 
    D:
    M:
    R:
    E: move mc_descriptor to mc_descriptor_2;
       move ss_cache to mc_descriptor
    W: write_new_stack(temp_ESP-4/-2, old_cs.dpl, new_cs.dpl) old_cs
 
CMDEX_CALL_protected_seg_STEP_1:
    D:
    M:
    R:
    E:
    W: write_new_stack(temp_ESP-8/-4, old_cs.dpl, new_cs.dpl) old_eip
 
CMDEX_CALL_protected_seg_STEP_2:
    D:
    M:
    R:
    E: move mc_descriptor_2 to mc_descriptor_1
    W:
 
[CMD_CALL_2] CMDEX_CALL_2_protected_seg_STEP_3:
    D:
    M:
    R:
    E:
    W: save new_cs, esp, esp commit
 
CMDEX_CALL_2_protected_seg_STEP_4:
    D:
    M:
    R:
    E:
    W: save eip; reset pipeline
 
    --> task_switch
 
CMDEX_CALL_2_task_switch_STEP_0:
    D:
    M:
    R:
    E: prepare parameters for task switch
    W:
 
    --> task_gate
 
    task_gate:
source: selector,descriptor,source
 
    D:
    M:
    R: if(present && global) read descriptor
    E: if(not present || local) #NP, #GP
       if(segment or not tss or not present) #GP, #NP
    W:
 
    --> call_protected call_gate:
 
    D:
    M:
    R: if(selector not null) read descriptor
    E: if(selector null || not segment || not code || priv || not present) #GP, #NP
    W:
 
    --> same priv/more priv (if conforming || new_cs.dpl >= CPL)
 
    call_protected call_gate same_priv:
 
    D:
    M:
    R:
    E:
    W: push 32/16(descriptor type, old_cs)
 
    D:
    M:
    R:
    E:
    W: push 32/16(descriptor type, eip)
 
    D:
    M:
    R:
    E: check new eip
    W: set cs; touch cs; set esp
 
    D:
    M:
    R:
    E:
    W: set eip; reset pipeline
 
    call_protected call_gate more_priv:
 
    get_SS_ESP_from_TSS:
 
    D:
    M:
    R: if(in limits) system_read_word ss (tr_base + tss_offset + 4/2)
    E:
    W:
 
    D:
    M:
    R: system_read_word/dword  (tr_base + tss_offset)
    E:
    W:
 
    continue:
 
    D:
    M:
    R: if(not null new_ss) read descriptor
    E: check new_ss --> #TS, #SS
    W:
 
    D:
    M:
    R:
    E:
    W: write_new_stack return_SS
 
    D:
    M:
    R:
    E:
    W: write_new_stack return_ESP
 
    loop:
 
    D:
    M:
    R: if(loop) stack_read_dword (return_ESP + (n-1)*4/2)
    E:
    W: if(loop) write_new_stack
 
    D:
    M:
    R:
    E:
    W: write_new_stack return_CS
 
    D:
    M:
    R:
    E:
    W: write_new_stack return_EIP
 
    D:
    M:
    R:
    E: check return_EIP
    W: set ss
 
    D:
    M:
    R:
    E:
    W: set cs
 
    D:
    M:
    R:
    E:
    W: set eip; esp commit; reset pipeline
 

Browse

Tools

Subversion Repositories ao486

[/] [ao486/] [trunk/] [doc/] [ao486_notes.txt] - Blame information for rev 2

Line No.	Rev	Author	Line
1	2	alfik	`RET near`
2
3			`1) D:`
4			`M: repeat CMD_RET_near with CMDEX_NULL`
5			`R: pop new_EIP to dst`
6			`E: check new_EIP; copy dst to exe_buffer; prepare next ESP (imm: add imm to ESP)`
7			`W: commit ESP; reset P,M,R,E,W`
8
9
10			`CMD_MC_LOAD_SEG 1,2`
11
12			`D:`
13			`M:`
14			`R: prepare real/v86 descriptor; prepare null descriptor`
15			`E: verify SS,TR not null; LDT,TR not from LDT --> #GP`
16			`W: write real/v86 descriptor; write null descriptor`
17
18			`D:`
19			`M:`
20			`R: read descriptor`
21			`E: verify loaded descriptor --> #GP,#SS,#NP`
22			`W: touch descriptor; write descriptor registers`
23
24			`RET far`
25
26			`1) D:`
27			`M:`
28			`R: pop eip to dst; read cs from ESP+(4/2)`
29			`E: save eip to mc_param_2`
30			`W: ESP speculative`
31
32			`2) D:`
33			`M:`
34			`R: pop cs; read eip from ESP`
35			`E: check new_EIP; save cs to mc_param_1`
36			`W:`
37
38			`3) D:`
39			`M: CMD_MC_LOAD_SEG 1;`
40			`R:`
41			`E: cs null --> #GP(sel);`
42			`W:`
43
44			`4) D:`
45			`M: CMD_MC_LOAD_SEG 2;`
46			`R: read descriptor`
47			`E: rpl < cpl --> #GP(sel); check_cs`
48			`W: if(cpl == rpl) touch; update EIP,ESP`
49
50
51			`check_cs:`
52			`must be segment; must be code segment;`
53			`non conforming && dpl != rpl --> #GP(sel)`
54			`(non conforming + check_rpl) ignored`
55			`conforming && dpl > rpl --> #GP(sel)`
56			`not present --> #NP(sel)`
57
58			`if(cpl == rpl)`
59			`branch_far64: (ret_far,exception,iret,jmp,call)`
60			`new_EIP > new_cs_limit --> #GP(0)`
61
62			`load_cs: (exception,call_far)`
63			`touch_segment:`
64			`if(not accessed segment) write 1 byte`
65			`save selector, descriptor; selector.value with rpl`
66
67			`EIP = new_EIP`
68			`(ESP/SP) += (4/2) + pop_bytes`
69
70			`if(cpl != rpl)`
71			`read ss from ESP + (12/6) + pop_bytes`
72			`read new_esp from ESP + (8/4) + pop_bytes`
73			`ss null --> #GP(sel)`
74			`not segment \|\| not data segment \|\| not data writable --> #GP(ss sel)`
75			`ss.rpl != cs.rpl --> #GP(ss sel)`
76			`not present --> #SS(ss sel)`
77			`branch_far64: (the same as above)`
78			`load_ss: (iret,exception,ret_far,call_far)`
79			`if(new_ss.rpl != 0) --> touch_segment: if(not accessed segment) --> write 1 byte`
80			`save selector, descriptor; selector.value with rpl`
81
82			`ESP=new_ESP + pop_bytes`
83			`validate_seg_regs: (iret,ret_far)`
84			`for ds,es,fs,gs: if(dpl < cpl && (not valid \|\| not segment \|\| data segment \|\| code non conforming)`
85			`selector=0; valid=0`
86
87			`R:`
88			`E:`
89			`W:`
90
91			`5) D:`
92			`M:`
93			`R:`
94			`E: prepare next ESP (imm: add imm to ESP)`
95			`W: comit ESP; reset P,M,R,E,W`
96
97
98			`IRET`
99			`Note 1: in protected mode: NT and VM can not be set together -- NT not checked if not protected mode`
100			`Note 2: in protected mode: NT and TR not valid can not be set together -- TR always valid`
101
102			`real v8086 protected NT: protected:`
103			`1) D: D: D: D:`
104			`M: M: M: M:`
105			`R: read eip 16/32 R: check IOPL --> skip; read eip 16/32 R: read system ts 16 R: read eflags temp_esp+8/4`
106			`E: E: check IOPL --> #GP(0); E: check ts --> #TS(val) E:`
107			`W: W: W: W:`
108
109			`2) D: D: D: D:`
110			`M: M: M: M:`
111			`R: read cs 16/32 R: read cs 16/32 R: read desc --> #TS(0) R: read cs temp_esp+4/2`
112			`E: E: E: check desc --> #TS(val), #NP(val) E:`
113			`W: W: W: W:`
114
115			`3) D: D: D: D:`
116			`M: M: M: TASK_SWITCH M:`
117			`R: read eflags 16/32 R: read eflags 16/32 R: R: read eip temp_esp+0/0`
118			`E: check eip --> #GP(0) E: -- E: E:`
119			`W: W: W: W:`
120
121			`4-5)D: D: D:`
122			`M: load_seg: 1,2 CS M: load_seg: 1,2 CS M: load_seg 1,2 CS (load_seg 1 CS: check null, fix RET_far)`
123			`R: R: R:`
124			`E: E: E:`
125			`W: W: W:`
126
127			`5) D: D: D: D: D:`
128			`M: M: M: same M: outer M: IRET_TO_V86`
129			`R: R: R: R: read ss temp_esp+16/8 R: read esp temp_esp+12`
130			`E: E: E: check eip limit E: check ss_rpl != cs_rpl E:`
131			`W: write eip,eflags W: write eip,eflags(v86 mask) W: touch cs; save cs, esp W: W:`
132
133			`6) D: D: D:`
134			`M: same M: outer, LOAD_SEG 1,2 SS M:`
135			`R: R: (with null check, NP not SS!) R: read ss temp_esp+16`
136			`E: E: E:`
137			`W: save eip, eflags W: W:`
138
139			`7) D: D:`
140			`M: outer M:`
141			`R: read esp temp_esp+12/6 R: read es temp_esp+20`
142			`E: E:`
143			`W: W:`
144
145			`8) D: D:`
146			`M: outer M:`
147			`R: read eflags temp_esp+8/4 R: read ds temp_esp+24`
148			`E: E:`
149			`W: W:`
150
151			`9) D: D:`
152			`M: outer M:`
153			`R: read eip temp_esp+0/0 R: read fs temp_esp+28`
154			`E: check eip --> #GP(0) E:`
155			`W: touch cs; save cs; save eflags W:`
156
157			`10) D: D:`
158			`M: outer M:`
159			`R: R: read gs temp_esp+20`
160			`E: E:`
161			`W: touch ss; save esp; validate seg W: write eflags, eip, esp, cs,ds,es,fs,gs,ss with v86 init`
162
163			`TASK_SWITCH`
164			`param: tss_desc`
165			`param: tss`
166			`param: source`
167
168			`1) D:`
169			`M:`
170			`R:`
171			`E: check new_tss_desc limit; check old_tss_desc limit --> #TS(val)`
172			`W:`
173
174			`D:`
175			`M:`
176			`R:`
177			`E: validate page(nbase, nbase+max; READ); validate if from CALL,INT page(nbase, nbase+1; WRITE)`
178			`W:`
179
180			`D:`
181			`M:`
182			`R: if from JUMP,IRET: read system dword old tr_desc`
183			`E:`
184			`W: if from JUMP,IRET: write system dword old tr_desc with not busy`
185
186			`D:`
187			`M:`
188			`R:`
189			`E: validate if to 286 page(obase+14, obase+41, WRITE); if to 386 page(obase+0x20, obase+0x5d, WRITE)`
190			`W: write system eip 16/32; +14/+0x20;`
191
192			`D:`
193			`M:`
194			`R:`
195			`E:`
196			`W: write system old_eflags 16/32; +16/+0x24; if moving to busy tss; clear old NT`
197
198			`D:`
199			`M:`
200			`R:`
201			`E:`
202			`W: write system eax 16/32; +20/+0x28; ecx,edx,ebx,esp,ebp,esi,edi; +32/+0x44`
203
204			`D:`
205			`M:`
206			`R:`
207			`E:`
208			`W: write system es 16; +32/+0x48; cs,ss,ds; +40/+0x54`
209
210			`D:`
211			`M:`
212			`R:`
213			`E:`
214			`W: write system fs 16; +0x58; gs; +0x5c`
215
216			`D:`
217			`M:`
218			`R:`
219			`E:`
220			`W: if from CALL,INT: write system link tr nbase+0`
221
222			`D:`
223			`M:`
224			`R: if PG and 386: read system dword nbase+0x1c --newCR3`
225			`E:`
226			`W:`
227
228			`D:`
229			`M: step 6`
230			`R: read system word/dword +14/+0x20 --tmp values: eip,eflags,eax,ecx,edx,ebx,esp,ebp,esi,edi,es,cs,ss,ds +40/+0x54 (ldt/fs,gs,ldt,trap) +42/+0x64`
231			`E:`
232			`W:`
233
234			`D:`
235			`M: step 7`
236			`R: if not from IRET: read system dword for busy`
237			`E:`
238			`W: if not from IRET: write system dword for busy`
239
240			`D:`
241			`M:`
242			`R:`
243			`E:`
244			`W: save tr,cr0_ts,dr,eflags,eax,ecx,edx,ebx,esp,ebp,esi,edi,eip,speculative esp,selectors,cache not valid; if 386 and PG and cr3 change --> save cr3`
245
246			`todo: cpl=3, ldtr ...`
247			`D:`
248			`M:`
249			`R:`
250			`E: check ldtr.ti,check index in tables(not null)`
251			`W:`
252
253			`D:`
254			`M:`
255			`R: read ldtr.desc`
256			`E: verify desc`
257			`W: save desc`
258
259			`D:`
260			`M:`
261			`R: if protected: read system desc; if null --> GP(0)`
262			`E: if protected: check ss desc (with CPL=3); if v8086: prepare ss from selector`
263			`W: if protected: touch;`
264
265			`D:`
266			`M: load ds`
267			`R:`
268			`E:`
269			`W:`
270
271			`D:`
272			`M: load es`
273			`R:`
274			`E:`
275			`W:`
276
277			`D:`
278			`M: load fs`
279			`R:`
280			`E:`
281			`W:`
282
283			`D:`
284			`M; load gs`
285			`R:`
286			`E:`
287			`W:`
288
289			`D:`
290			`M; load cs`
291			`R:`
292			`E:`
293			`W:`
294
295			`D:`
296			`M;`
297			`R:`
298			`E:`
299			`W: push error; esp speculative`
300
301			`D:`
302			`M;`
303			`R:`
304			`E: verify eip;`
305			`W: esp commit`
306
307			`--------------------------------------------------------------------------------`
308			`--------------------------------------------------------------------------------`
309			`--------------------------------------------------------------------------------`
310
311			`CALL Ev, Jv`
312
313			`D:`
314			`M:`
315			`R: if(Ev) read mem/reg word/dword from ea/reg; else read imm`
316			`E: if(Ev) save src to mc_param_2; else save src+eip`
317			`W: esp speculative; push ip/eip`
318
319			`D:`
320			`M:`
321			`R:`
322			`E: check new_eip > cs_limit`
323			`W: esp commit; set eip`
324
325			`CALL Ep, Ap`
326
327			`D:`
328			`M:`
329			`R: if(Ep) read offset dword/word from ea; else from Imm; to mc_param_2`
330			`E:`
331			`W:`
332
333			`D:`
334			`M:`
335			`R: if(Ep) read cs word from (ea+2/4)&a_mask; else from Imm; to mc_param_1`
336			`E:`
337			`W: esp speculative`
338
339			`--> real/v8086 or protected`
340
341			`real/v8086:`
342
343			`D:`
344			`M:`
345			`R:`
346			`E: if(op32) check if eip > cs_limit --> #GP(0)`
347			`W: push word/dword: cs`
348
349			`D:`
350			`M:`
351			`R:`
352			`E:`
353			`W: push word/dword: eip`
354
355			`D:`
356			`M:`
357			`R:`
358			`E: if(op16) check if eip > cs_limit --> #GP(0)`
359			`W:`
360
361			`--< load_seg`
362
363			`D:`
364			`M:`
365			`R:`
366			`E:`
367			`W: esp commit; set eip`
368
369			`call_protected:`
370
371			`D:`
372			`M:`
373
374			`mc_param_1: new_cs`
375			`mc_param_2: new_eip`
376
377			`R: if(not null new_cs) fetch new_cs descriptor`
378
379			`mc_descriptor: new_cs_descriptor`
380
381			`mc_param_3: clear`
382
383			`E: if(null new_cs \|\| unknown type \|\| (segment && check_cs) ) #GP(new_cs)`
384			`if(gate.dpl < CPL \|\| gate.dpl < gate.rpl) #GP(new_cs)`
385			`if(tss) #GP, #NP`
386			`if(call_gate) #NP`
387			`if(other_type) #GP`
388			`W:`
389
390			`CMDEX_CALL_protected_STEP_1: [idle, wait for mc_descriptor save]`
391			`D:`
392			`M:`
393			`R:`
394			`E:`
395			`W:`
396
397			`CMDEX_CALL_protected_seg_STEP_0:`
398
399			`D:`
400			`M:`
401			`R:`
402			`E: move mc_descriptor to mc_descriptor_2;`
403			`move ss_cache to mc_descriptor`
404			`W: write_new_stack(temp_ESP-4/-2, old_cs.dpl, new_cs.dpl) old_cs`
405
406			`CMDEX_CALL_protected_seg_STEP_1:`
407			`D:`
408			`M:`
409			`R:`
410			`E:`
411			`W: write_new_stack(temp_ESP-8/-4, old_cs.dpl, new_cs.dpl) old_eip`
412
413			`CMDEX_CALL_protected_seg_STEP_2:`
414			`D:`
415			`M:`
416			`R:`
417			`E: move mc_descriptor_2 to mc_descriptor_1`
418			`W:`
419
420			`[CMD_CALL_2] CMDEX_CALL_2_protected_seg_STEP_3:`
421			`D:`
422			`M:`
423			`R:`
424			`E:`
425			`W: save new_cs, esp, esp commit`
426
427			`CMDEX_CALL_2_protected_seg_STEP_4:`
428			`D:`
429			`M:`
430			`R:`
431			`E:`
432			`W: save eip; reset pipeline`
433
434			`--> task_switch`
435
436			`CMDEX_CALL_2_task_switch_STEP_0:`
437			`D:`
438			`M:`
439			`R:`
440			`E: prepare parameters for task switch`
441			`W:`
442
443			`--> task_gate`
444
445			`task_gate:`
446			`source: selector,descriptor,source`
447
448			`D:`
449			`M:`
450			`R: if(present && global) read descriptor`
451			`E: if(not present \|\| local) #NP, #GP`
452			`if(segment or not tss or not present) #GP, #NP`
453			`W:`
454
455			`--> call_protected call_gate:`
456
457			`D:`
458			`M:`
459			`R: if(selector not null) read descriptor`
460			`E: if(selector null \|\| not segment \|\| not code \|\| priv \|\| not present) #GP, #NP`
461			`W:`
462
463			`--> same priv/more priv (if conforming \|\| new_cs.dpl >= CPL)`
464
465			`call_protected call_gate same_priv:`
466
467			`D:`
468			`M:`
469			`R:`
470			`E:`
471			`W: push 32/16(descriptor type, old_cs)`
472
473			`D:`
474			`M:`
475			`R:`
476			`E:`
477			`W: push 32/16(descriptor type, eip)`
478
479			`D:`
480			`M:`
481			`R:`
482			`E: check new eip`
483			`W: set cs; touch cs; set esp`
484
485			`D:`
486			`M:`
487			`R:`
488			`E:`
489			`W: set eip; reset pipeline`
490
491			`call_protected call_gate more_priv:`
492
493			`get_SS_ESP_from_TSS:`
494
495			`D:`
496			`M:`
497			`R: if(in limits) system_read_word ss (tr_base + tss_offset + 4/2)`
498			`E:`
499			`W:`
500
501			`D:`
502			`M:`
503			`R: system_read_word/dword (tr_base + tss_offset)`
504			`E:`
505			`W:`
506
507			`continue:`
508
509			`D:`
510			`M:`
511			`R: if(not null new_ss) read descriptor`
512			`E: check new_ss --> #TS, #SS`
513			`W:`
514
515			`D:`
516			`M:`
517			`R:`
518			`E:`
519			`W: write_new_stack return_SS`
520
521			`D:`
522			`M:`
523			`R:`
524			`E:`
525			`W: write_new_stack return_ESP`
526
527			`loop:`
528
529			`D:`
530			`M:`
531			`R: if(loop) stack_read_dword (return_ESP + (n-1)*4/2)`
532			`E:`
533			`W: if(loop) write_new_stack`
534
535			`D:`
536			`M:`
537			`R:`
538			`E:`
539			`W: write_new_stack return_CS`
540
541			`D:`
542			`M:`
543			`R:`
544			`E:`
545			`W: write_new_stack return_EIP`
546
547			`D:`
548			`M:`
549			`R:`
550			`E: check return_EIP`
551			`W: set ss`
552
553			`D:`
554			`M:`
555			`R:`
556			`E:`
557			`W: set cs`
558
559			`D:`
560			`M:`
561			`R:`
562			`E:`
563			`W: set eip; esp commit; reset pipeline`
564