1. Field of the Invention
The present invention relates to operating systems in computer systems, and more particularly to an interruptible protected mode kernel which can service, in virtual 8086 mode, hardware interrupts which occur during execution of ring 0 protected mode code.
2. Description of the Prior Art
Many popular personal computers are based on the Intel Corporation (Intel) 8086 family of microprocessors. This microprocessor family includes the 8088, the 8086, the 80186, the 80286, the 80386, and the 80486 microprocessors, among others. These microprocessors have been designed for upward compatibility--programs written for the 8088 and/or the 8086 can be run on computers having 80286, 80386, or 80486 processors, and programs written for the 80286 processor can be run by the 80386 or the 80486. For the purposes of this disclosure, the upwardly compatible series of Intel processors and processors which include the instruction set of these processors is hereinafter referred to as the Intel 8086 family of microprocessors. Also, for the purposes of this disclosure, the 8088 and the 8086 may be considered functionally equivalent and will henceforth be referred to as "the 8086." In addition, the 80386 and 80486 microprocessors are considered functionally equivalent and will henceforth be referred to as "the 80386."
The amount of physical memory a microprocessor can access depends on the number of address lines that emanate from the chip. Each additional bit doubles the amount of addressable memory. The 8086 can address one Megabyte of memory, which requires a 20-bit address. Rather than introduce a 20-bit register into the 8086, the 20-bit address is split into two portions--a 16-bit segment address and a 16-bit offset address, which are stored in different registers. The microprocessor shifts the segment address 4 bits left (thereby effectively multiplying it by 16) and then adds the offset address. The result is a 20-bit address that an access 1 Megabyte of memory.
By convention, a 20-bit address can be shown broken down into its segment and offset parts using the notation 0000:0000, the segment being to the left of the colon and the offset on the right. For example, a 20-bit address written as FFE6E in hexadecimal notation could be written as FFE4:002E in segmented notation. Each of the four segment registers in the 8086 defines a 64 KB block of memory called a "segment." If all the segment registers are kept constant and equal, then the microprocessor can access only 64 kbytes of memory.
The 80286 and the 80386 microprocessors all support and go beyond the segmented addressing scheme of the 8086. When first powered up, they operate in "real mode," which uses segment and offset registers in the same way as the 8086 to access the same one Megabyte of memory. Thus the 80286 and the 80386 microprocessors are upwardly compatible with the addressing scheme of the 8086 chip.
In addition to real mode operation, the 80286 and the 80386 can operate in "protected mode." The main difference of protected mode is that the segment register is no longer a real (i.e., physical) address. Instead, the 80286 and 80386 microprocessors use the value held in the segment register to look up a base address which is stored in a descriptor table in memory. The 80286 utilizes a 24-bit base address, which allows the 80286 to access 16 Megabytes of memory (2.sup.24) instead of 1 Megabyte (2.sup.20). The 80286 adds a 16-bit offset address to this base address to form a 24 bit address. The 80386 utilizes a 32-bit base address and a 32-bit offset to form a 32-bit address, which allows the 80386 to access 4 gigabytes of memory.
In order to more fully understand the present invention, there follows a discussion of the way in which the 80386 microprocessor addresses memory.
The physical address space of most computers is organized as a simple array of bytes. With the development of memory management units (MMU's), computer architectures began to distinguish between the physical address space implemented by the memory hardware and the logical address space seen by a programmer. The MMU translates the logical addresses presented by programs into the physical addresses that are provided from the microprocessor. The 80386 logical address space consists of a collection of one of the following:
Bytes: The logical address space consists of an array of bytes with no other structure (this is sometimes called a "flat" or "linear" address space). No MMU translation is required because of a logical address is exactly equivalent to a physical address.
Segments: The logical address space consists of a few or many segments, each of which is composed of a variable number of bytes. A logical address is given in two parts, a segment number and an offset into the segment. The MMU translates a logical address into a physical address.
Pages: The logical address space consists of many pages, each of which is composed of a fixed number of bytes. A logical address is a page number plus an offset within the page. The MMU translates a logical address into a physical address.
Paged Segments: The logical address space consists of segments which themselves consist of pages. A logical address is a segment number and an offset. The MMU translates the logical address into a linear address which is then translated by the paging mechanism into a physical address.
Technically, the 80386 views memory as a collection of segments that are optionally paged. In practice, the 80386 architecture supports operating systems that use any of the four views of memory described above. There follows a more detailed discussion of the segmentation and paging mechanisms in the 80386 microprocessor.
In protected mode, the segment is the unit the 80386 provides for defining a task's logical address space. Segment registers define the way that memory is organized between tasks, that is, a task's logical address space consists of one or more segments. An instruction refers to a memory operand by a two-part logical address consisting of a segment selector and an offset into the segment. The 80386 uses the selector to look up the segment's descriptor in a segment descriptor table, and the base address in the descriptor is added to the offset to produce the operand's linear address. In this manner, the segmentation unit in the 80386 translates a logical address into a linear address.
Each task has its own descriptor table describing the segments for that task, and that (along with 80386 register values) is virtually all that the 80386 needs to store to switch between tasks. Since addresses are stored in the descriptor table rather than in the segment registers, the operating system can move memory around without application programs being affected.
Unlike the 8086, 8088, and 80286, the 80386 microprocessor incorporates memory paging hardware. This allows linear addresses to be mapped to physical memory addresses. This facility allows the efficient implementation of virtual memory systems. With memory paging support, the operating system can easily allocate contiguous memory to an application simply by mapping a number of noncontiguous physical memory pages into the requested logical program space. This mapping of a program's linear address space into physical memory is shown schematically in FIG. 1.
The mapping of noncontiguous physical memory pages into a requested logical program space is performed by updating the page directory and page tables. An 80386 operating system enables paging by setting the PG (Paging Enabled) bit in Control Register 0 (CR0) with a privileged instruction. When paging is enabled, the processor translates a linear address to a physical address with the aid of page tables. Page tables are the counterparts of segment descriptor tables; as a task's segment descriptor table defines its logical address space, a task's page tables define its linear address space. An 80386 task's page tables are arranged in a two-level hierarchy as shown in FIG. 2. Each task can have its own page table directory. The 80386's CR3 (Page Table Directory Base) system register points to the running task's page table directory. The 80386 updates CR3 on each task switch, obtaining the new directory address from an area of memory associated with that task referred to as the task state segment (TSS). FIG. 2 shows in functional terms how the 80386 microprocessor translate a linear address to a physical address when paging is enabled. The processor uses the upper 10 bits of the linear address as an index into the directory. The selected directory entry contains the address of a page table. The processor adds the middle 10 bits of the linear address to the page table address to index the page table entry that describes the target page. Adding the lower 12 bits of the linear address to the page address produces the 32-bit physical address.
FIG. 3 shows the basic content of a page table entry. Directory entries are identical, except that the page address field is interpreted as the physical address of a page table, rather than a page.
Tasks can share individual pages or entire page tables. Entries in different page tables that point to the same page are aliases of one another just as descriptors with the same base address are aliases of one another. The 80386's two-level page table structure makes it easier to share pages between tasks by sharing entire page tables. Since the address of a page shared in this way exists in a single page table, the operating system has one page table entry to update when it moves the page. This phase of address transformation implements the basic features needed for page-oriented virtual memory systems and page-level protection. FIG. 6 illustrates how the 80386 paging mechanism can manage memory for multiple virtual-8086 mode machine simulations concurrently with protected mode applications, which is explained more fully below.
Therefore, the segmentation unit of the 80386 translates a logical address as seen by the programmer to a linear address. If paging is not enabled, the processor considers the linear address formed from the segment:offset to be the physical address and provides it on the address pins. If paging is enabled, the 80386 translates the linear address into a physical address with the aid of page tables. The page translation step is optional, and paging must be enabled if the operating system is to implement multiple virtual 8086 tasks, page-oriented protection, or page-oriented virtual memory. FIG. 4 shows the fundamentals of 80386 logical-to-physical address translation.
In addition to the on-chip memory management feature discussed above, the 80386 includes a protection scheme in order to support multitasking. The 80386 protection mechanism consists of two parts: the memory management scheme discussed above, which is used to protect various tasks from each other, and privilege level protection, which is used to selectively protect various portions of the operating system and other software from user applications. As explained above, the memory management abilities of the 80386 provides for the separation of task address spaces by segment descriptor tables and page tables. This separation can effectively prevent application tasks from interfering with each other's code and data. In addition to isolating tasks from each other, the privilege level protection mechanism provides facilities for protecting the operating system from application code, for protecting one part of the operating system from other parts, and for protecting a task from some of its own errors.
Referring now to FIG. 5, the privilege level protection facilities of the 80386 are based on the notion of a privilege hierarchy. The 80386 microprocessor has four levels of protection which can support the needs of a multitasking operating system to isolate and protect user programs from each other and the operating system. In this description, privilege levels are also generally referred to as rings, and they are numbered 0 through 3. Ring 0 is the most privileged level and ring 3 is the least privileged level.
FIG. 5 shows how the 80386 privilege levels can be used to establish different protection policies. An unprotected system can be implemented by simply placing all procedures in a segment (or segments) whose privilege level is 0. Real mode is an example of an unprotected system because the operating system (OS) and all of the various procedures and applications are operating at ring 0 level. In contrast, protected mode utilizes the full privilege and protection capabilities of the 80386. For example, in protected mode, the most critical and least changing operating system procedures (referred to as the operating system kernel) are assigned to ring 0. Ring 1 is generally used for the services that are less critical and more frequently modified or extended, for example, device drivers. Ring 2 may be reserved for use by original equipment manufacturers (OEM's). Such OEM's could then assign their code privilege level 2, leaving ring 3 for the end users. In this way, the OEM software is protected from the end users; the operating system is protected from both the OEM and the end users; and, the operating system kernel is protected from all other software, including that part of the operating system that is subject to frequent change.
Therefore, protected mode is so named because segments belonging to one task are protected from being corrupted by another task. Tasks are organized in privilege levels, and certain machine-code instructions are prohibited to lower privilege levels. In a well-designed protected-mode operating system, a single program or task cannot compromise the system's integrity.
On the 80286 and 80386 microprocessors, the basic unit of a multitasking system is the task. A task can be defined as either a single program or a group of related programs operating in the computer system. The 80286 and 80386 microprocessors include a special segment referred to as a task state segment, or TSS, assigned to each task. The TSS contains important information about a task. The 80286 and 80386 processors use the TSS to store a task's vital information when the task is not running. The processor retrieves the information necessary to restart the task from the TSS when the task's turn comes again. Therefore, the TSS supports task suspension and resumption by holding a complete image of the register state of the task while the task is inactive. When a task is suspended, the current processor register values are written into fields in the TSS. When a task is resumed, the registers are loaded from the values saved in the TSS to reestablish the state of the task. This allows the task to resume execution as if it were never suspended.
In addition to the register save area discussed above, the TSS includes a back link field which is used by the processor to keep track of a task chain for task switching or multitasking purposes. A task switch occurs when a task executes a CALL instruction that references another task or if an interrupt occurs which specifies handling with a task switch. The back link field is used with the nested task (NT) bit in the 80386's EFLAGS register to link the TSS's for tasks suspended by CALL instructions or interrupts.
Each of the privilege levels or rings discussed above includes a separate stack which programs use when they are operating at that privilege level. Each protection level includes it own stack to avoid protection problems which might occur in a shared stack. The TSS for each task includes an inner-level stack pointer SS:ESP for each of the inner levels 0, 1, and 2 which are used to initialize the respective inner level stack when a privilege level change or ring transition to an inner level occurs. The SS:ESP values which point to the beginning of the respective inner level stack are taken from the TSS and loaded into the SS and ESP register to begin operation at the proper location in the inner level stack. Therefore, unless a respective inner-level stack pointer is modified, inner-level transitions initialize the inner stack to the same point, always starting with a "fresh" stack on each inner transition.
A task's privilege level determines what instructions it may execute and what subset of the segments and/or pages in its address space it may reference. At any instant, a task's privilege is equal to the privilege level of the code segment it is executing. In each segment descriptor is a field that defines the privilege level of the associated segment. The field may take one of four values. The processor checks for consistency between a task's privilege level and the privilege level of the segment or page that is the target of an instruction. Any attempt by a task to use a more privileged segment or page makes the processor stop execution of the instruction and raise a general protection (GP) exception.
In addition to defining which segments and pages it can use, a task's privilege level defines the instructions it can execute. The 80386 has a number of instructions whose execution must be tightly controlled to prevent serious system disruption. These instructions are referred to as privileged instructions, and they are allowed only if the program which includes the instructions is running at privilege level or ring 0. All of the instructions that load new values into the system registers are examples of privileged instructions. Other examples of privileged instructions are instructions that modify the interrupt flag, alter the segmentation, or affect the protection mechanism.
The descriptors in a task's Local Descriptor Table (LDT) and Global Descriptor Table (GDT) define the task's logical address space. The segments defined in these tables are theoretically addressable, because the descriptor tables provide the information necessary to compute a segment's address. However, an addressable segment may not be accessible to a particular operation because of the additional protection checks made by the protection mechanism in the 80386. The 80386 checks every segment reference (whether generated by the execution of an instruction or an instruction fetch) to verify that the reference is consistent with the protection attributes of the segment. In order to access a segment, a program must be at least as privileged as the segment. For example, a program running at level 3 can only reference segments whose privilege level is also 3, while a program running at level 0 can access all segments in its logical address space.
Systems that do not make extensive use of segments can instead protect pages. (Page protection can also be applied to sections of large segments.) Like a descriptor, a page table entry has a set of protection attributes. The 80386 checks every reference to the page for conformance to these attributes. The 80386 microprocessor checks the protection attributes of a page after verifying that an access is consistent with the segment attributes. Thus, page protection is a convenient way for an operating system to apply additional protection to portions of a segment. For example, an operating system can safely store task-related operating system data, such as page tables and file descriptors, in a task's data segment by designating the pages containing the respective data supervisor pages.
Since its commercial introduction in 1981, the IBM PC from International Business Machines Corp., and various compatible units, and the primary operating system, MS-DOS, have found immediate acceptance and widespread use throughout the world. (MS-DOS is a trademark of Microsoft Corporation of Bellevue, Wash.) The IBM PC utilized the 8088 microprocessor. Consequently, an enormous amount of software has been developed to operate on 8086-based machines running MS-DOS or some variation. When Intel introduced the 80286 in 1983, it was widely used by personal computer makers as the next generation microprocessor succeeding the 8086. The 80286 represented a major leap over the 8086 in performance capabilities, principally due to its new protected mode of operation. Unfortunately, the large amount of software written for 8086-based computers was unable to take advantage of the new protected mode features of the 80286, but rather had to be run in real mode. Consequently, the great majority of 80286-based computer systems were run in real mode, and the high performance features of protected mode largely remained untapped. In addition, multitasking was impractical when the 80286 was operated in real mode because real mode only recognizes one Mbyte of memory and, in addition, real mode operates all software, including the operating system, in the most privileged level of the processor and therefore provides no protection mechanisms to protect the integrity of different programs or tasks.
In order to overcome these shortcomings, Intel introduced the 80386 microprocessor which, in addition to the enhancements previously discussed, including a 32-bit architecture and a paging memory management unit (MMU), includes an additional mode of operation known as virtual 8086 mode or V86 mode. V86 mode is an 8086 emulation mode that is somewhat of a hybrid between real mode and protected mode. Within protected mode, software can perform a task switch to enter into tasks designated as V86 tasks. A task is designated as a V86 task when the VM flag (bit 17) in the EFLAGS register is set. Software that was formerly run in real mode can now be run in virtual 8086 mode as a V86 task. V86 tasks behave with 8086 semantics, thus allowing 8086-compatible, real mode software to execute.
Real mode applications software was originally written for a DOS environment which included no protection mechanisms. Therefore, real mode software is accustomed to having complete access to all of the operating system services necessary for operation. In a similar manner, V86 mode includes none of the memory protection or privilege mechanisms discussed above. Instead, the 80386 enforces a type of group privilege level on all V86 tasks. In order to protect the host operating system and the various protected mode services from DOS applications that are used to running in real mode, V86 tasks are run in ring 3 or the least privileged level. This prevents real mode applications running as V86 tasks from having direct access to the hardware and other protected system services. This facilitates the ability of an operating system to manage all accesses to hardware in order to support a multitasking or task switching environment which includes multiple 8086 applications.
In V86 mode, the 80386 treats the segment registers the same way as in real mode, where they represent real (i.e., physical) addresses. Thus, existing DOS programs (and DOS itself) can operate in the conventional manner with segment registers and not run into the problems associated with protected mode. The addresses from multiple virtual 8086 sessions do not collide when they access physical memory because, when the 80386 processor adds the segment and offset registers together, they create not a physical address, but a linear address. The paging mechanism of the 80386 is operative in V86 mode to translate the linear address into a physical address, which may be anywhere in the 4 gigabytes of the 80386 processor's addressable memory.
Using the 80386 memory paging functions, the operating system can manage memory for multiple V86 mode machine simulations concurrently with protected mode applications. Memory paging can also be used to allow each 8086 machine simulation to have access to common routines and data, such as a system ROM, by making the physical ROM appear in the memory space of each simulated machine. Actually, only one ROM exists, but each machine sees it as the expected address within its 1 Mb address space.
FIG. 6 shows how the 80386 paging mechanism enables multiple virtual 8086 machines to be managed. A single copy of the 8086 operating system (DOS) is made to appear in the address space of both machines. The paging mechanism gives each virtual 8086 task a 1 Mb linear address space. Read-only areas, such as the 8086 operating system, can reside on shared pages used by all virtual 8086 tasks. Unused pages can be omitted from physical memory. Therefore, use of the paging mechanism in V86 mode permits the 80386 processor to imitate multiple 8086-based machines while it is also running in protected mode. As the name implies, the 80386 can mimic a 1 Megabyte addressing environment that to existing programs appears to be an 8086. But unlike real mode, more than 1 Mbyte is available. The 80386 processor can actually maintain more than one V86 environment in memory at the same time. Each of these environments can have its own copy of the operating system and an application program. At the same time, a protected mode application can be using a different area of memory. In this manner, multitasking of real mode and protected mode applications is possible.
In general, the concept behind providing V86 mode in the 80386 microprocessor was to allow a protected mode kernel, which could be a full power operating system such as OS/2 or UNIX, to run multiple real mode applications, including DOS, as well as protected mode applications in a multitasking or task switching environment. The protected mode kernel or operating system would run in protected mode, but would place the 80386 into V86 mode to run real mode DOS applications as V86 tasks.
However, it is unnecessary to require a full-fledged operating system in order to take advantage of the V86 mode of the 80386. Instead, all that is generally required to take advantage of the V86 mode are the very essential elements or kernel of an operating system. A protected mode kernel that runs in protected mode but is able to run real mode DOS applications as V86 tasks is referred to as a virtual DOS monitor. An example of a virtual DOS monitor is a software program called Compaq Expanded Memory Manager (CEMM), which utilizes a virtual DOS monitor and the paging mechanism of the 80386 to emulate expanded memory in software using extended memory. A description of the operation of CEMM is described in U.S. Pat. No. 4,926,322 titled "Software Emulation of Bank-Switched Memory Using a Virtual DOS Monitor and Paged Memory Management." Other software programs which include virtual DOS monitors are Windows 3.0 from Microsoft Corp. and Quarterdeck Expanded Memory Manager (QEMM) from Quarterdeck Corp.
As previously discussed, V86 mode tasks run in ring 3 level or the least privileged level of the processor to prevent these V86 mode tasks from having complete access to hardware and various protected services in the system. However, since V86 tasks are essentially real mode applications, they were designed to run in an unprotected system and hence have access to all of the system services they require. Because V86 tasks run at ring 3 level, they are unable to access the real mode DOS services that DOS applications generally require. Therefore, one of the primary tasks of a virtual DOS monitor (VDM) is to track any request for DOS services by V86 tasks and then emulate some of those services. The DOS services required would not actually be performed by DOS, but rather would be emulated by the VDM. Therefore, in summary, a virtual DOS monitor emulates the services provided by an Intel 8086 family microprocessor based computer running the MS-DOS operating system in real mode for a V86 task that is running in virtual 8086 mode because the V86 task is running at ring 3 level and is unable to access the DOS services it requires. The emulation is accomplished using the virtual 8086 mode of the 80386 microprocessor.
The VDM itself executes in the protected mode of the microprocessor. Its principal functions are: hardware and software interrupt reflection; input/output (I/0) instruction trapping; emulation of privileged instructions; provision of a communication interface between virtual-mode tasks running under the VDM and the VDM itself; and handling of system protection violations and error conditions. In this manner, the VDM is similar in functionality to the kernel of a simple operating system. The VDM allows an MS-DOS real mode program to execute within the virtual 8086 mode of an 80386 processor, which provides an 8086 execution environment.
In order to more fully understand the present invention, a discussion of interrupt handling techniques used by virtual DOS monitors is deemed appropriate. For a more complete discussion of interrupt handling techniques used by VDM's, please refer to U.S. Pat. No. 4,926,322 to Stimac, et al., which is hereby incorporated by reference. In the following discussion, interrupts and exceptions are referred to collectively as exceptional conditions. Exceptional conditions are further classified as hardware and software interrupts and exceptions. A hardware interrupt is an event asynchronous to the processor which indicates that a hardware device requires service. A software interrupt occurs when an INT instruction is executed and is otherwise similar to a hardware interrupt. Exceptions are unusual or invalid conditions detected during the execution of an instruction. In IBM-compatible computers based on the industry standard architecture (ISA) as originated in the IBM PC/AT, there are generally 16 hardware interrupts, 16 exceptions, and 256 software interrupts.
A VDM employs a technique referred to as "interrupt reflection" to simulate the action of a real-mode software or hardware interrupt for a task which is running in V86 mode. When an exceptional condition occurs in a V86 task, the 80386 automatically switches from V86 mode to protected mode. In handling an exceptional condition, in many instances a determination must first be made as to whether the external event which occurred in the V86 program was a hardware interrupt, a software interrupt, or an exception. The original Intel 8086 architecture allowed for 256 interrupts referred to as interrupts 0-255, but they reserved 0-31 for exceptions for their own internal use. However, when International Business Machine Corp. (IBM) introduced its first computer, the IBM PC, it was architected such that hardware interrupts were mapped in at the same interrupt level or number as these reserved exceptions. More specifically, the master programmable interrupt controller (PIC) on the IBM PC generated interrupts 8-15 in response to interrupt request lines (IRQ's) 0-7. Unfortunately, these interrupt locations conflict with 80386 exceptions 8-15. As a result, there was a conflicting usage of interrupt vector table (IVT) entries for exceptions and for interrupts because they are each mapped to the same interrupt numbers. In order to maintain compatibility with the IBM PC, subsequent developers have been forced to map hardware interrupts into the area that conflicts with exceptions. Consequently, a determination between whether an interrupt or an exception has occurred is often difficult. Therefore, when an exceptional condition occurs in a V86 program such that the interrupt number generated could represent an interrupt or an exception, the respective protected mode interrupt handler must determine whether the exceptional condition was a hardware or software interrupt or an exception.
One method that has been used to differentiate between interrupts and exceptions in a non-reentrant protected mode kernel was described in U.S. Pat. No. 4,926,322 referenced above, hereafter referred to as the CEMM patent. In the VDM described in the CEMM patent, most software interrupts were designed to generate general protection (GP) faults and thus to enter the VDM protected mode GP fault handler. Due to the larger number (256) of software interrupts, most software interrupts were funneled through the GP fault handler to obviate the necessity of having 256 different protected mode entry points and 256 different protected mode interrupt handlers.
The GP fault handler included code to distinguish between whether the condition which caused the processor to enter the GP fault handler was a software interrupt or a general protection exception. This code determined the respective instruction which caused the condition. If the instruction which resulted in the exceptional condition was an INT instruction, then the condition was a software interrupt. If not, then the condition was a GP exception, and the GP fault exception handler routine was executed. If the exceptional condition was determined to be a software interrupt, then code in the GP fault handler determined which interrupt number was generated. This code is necessary because the "funnelled" software interrupts all enter the GP fault handler through the same entry point, and thus there is no longer a unique entry point for each software interrupt. If the interrupt requested a real mode interrupt service routine, the code would reflect the interrupt back to the respective real mode ISR, which would then be executed as a V86 task. The method used to reflect interrupts is described further below. Software interrupts which request protected mode services generally were not funneled through the GP fault handler, but preferably had their own entry point. Therefore, the VDM described in the CEMM patent solved the problem of overlapping software interrupts and exceptions by forcing most software interrupts to generate a GP fault and enter through the GP exception handler. For more information on the method used to distinguish between software interrupts and exceptions, please refer to the CEMM patent.
The VDM described in the CEMM patent used a different method to distinguish between hardware interrupts and exceptions. When an exceptional condition occurs, the 80386 performs a ring transition from ring 3 to ring 0 and begins using the ring 0 stack. The 80386 first saves the state of the interrupted V86 task, which includes the virtual mode data segments, SS, ESP, EFLAGS, and CS:EIP of the interrupted V86 task, on top of the ring 0 stack as shown in FIG. 7. In the following discussion stacks grow downward in memory, and the "top" of the ring 0 stack is visually the bottom of the stack. The above variables saved on the ring 0 stack represent the saved state of the V86 task and are referred to as the virtual mode trap frame (VMTF). This process of saving the state of the current V86 task on the ring 0 stack is described more fully below. The method described in the CEMM patent used the fact that, when an exception occurs, the 80386 automatically adds an error code or value at the end of the ring 0 stack after the VMTF described above. When the ring transition occurs from ring 3 to ring 0, the TSS keeps track of where the ring 0 stack is located through its ring 0 stack pointer variable SS:ESP. If an exception occurred, then, as shown in FIG. 7, the ring 0 pointer SS:ESP would point to the error code, as shown. However, if an interrupt had occurred, than SS:ESP would be pointing to the last value of the VMTF (EIP) because no error code would be present. Therefore, the VDM described in the CEMM patent utilized the ring 0 stack pointer variables SS:ESP to determine if an error code was added to the end of this ring 0 stack after the VMTF. If so, then the exceptional condition which caused the ring transition was an exception. If no error code is present, then the exceptional condition was an interrupt.
Since the top of the ring 0 stack is a known value, (it is taken from the TSS when the transition from virtual mode to protected mode occurs), checking for the presence of the error code is simply a matter of measure the depth of the stack. The stack is one word (the error code) deeper when the exceptional condition was caused by a processor exception than when it was caused by a hardware interrupt. If the exceptional condition is determined to be an exception, then the VDM handles the exception through a protected mode exception handler, and no reflection back to V86 mode is required. If the exceptional condition is determined to be a hardware interrupt, then the protected mode interrupt handler vectors off to interrupt reflection code which reflects the interrupt to the appropriate interrupt service routine that would have been invoked had the interrupt occurred in real mode.
The VDM uses interrupt reflection to cause the result of a real mode hardware or software interrupt, generated in connection with a virtual mode task, to be the same as with a real-mode task. Interrupt reflection enables the protected mode interrupt handler to emulate DOS services in real mode and invoke real mode ISR's in V86 mode. Through interrupt reflection, V86 tasks can operate identically to real mode. This permits the proper operation of the system ROM interrupt handlers, of real mode operating system interrupt handlers (e.g., those associated with MS-DOS), and real mode applications which trap interrupts. Because knowledge of interrupt reflection is important in understanding the present invention, a description of its operation follows. For a more detailed description of interrupt reflection, please refer to U.S. Pat. No. 4,926,322 to Stimac, et al. (the CEMM patent), which was referenced above.
In understanding interrupt reflection, it is useful to examine the difference between the effects of a hardware interrupt in V86 mode and in real mode. In real mode on the 80386, for example, a hardware interrupt proceeds as follows. The processor suspends execution of the currently executing task at the address specified by the current contents of the code segment (CS) register and the instruction pointer (IP) register. The processor pushes the current contents of the FLAGS register, the CS, and the IP register onto the real mode stack, as defined by the real mode stack segment (SS) and the stack pointer (SP) registers. These values are pushed onto the stack in the order just described, as illustrated in FIG. 8. These values are referred to as the real mode trap froma (RMTF).
The 80386 then determines the beginning execution address for the respective interrupt service routine (ISR) via the interrupt vector table (IVT) in low memory. The IVT may generally be defined as the real mode version of the Interrupt Description Table (IDT), which is explained below. The beginning address is determined by the respective interrupt vector in the IVT corresponding to the respective interrupt number generated. Finally, the processor clears the interrupt flag (IF) and trace flag (TF) bits in the current flags register and continues execution at the beginning address of the respective interrupt service routine. In short, the processor in real mode saves the current flags and the CS and IP registers on the real mode stack and dispatches the appropriate ISR with the IF and TF bits cleared. The processor remains in real mode throughout this process.
Interrupts are handled somewhat differently in V86 mode. In V86 mode, when the 80386 receives a hardware interrupt, it first performs a ring transition or switch from ring 3 V86 mode to ring 0 where the interrupt handler of the VDM is located in protected mode. Protected mode interrupt handlers must operate in ring 0 to ensure that the IRET instruction at the end of the handler will execute at ring 0. This is necessary because only an IRET instruction executed in ring 0 has the privilege required to alter the VM (virtual 8086 mode) bit in the EFLAGS register to properly return to V86 mode.
Referring now to FIG. 9, as previously described, an interrupt in V86 mode causes the 80386 to perform a ring transition from ring 3 to ring 0. As a consequence of performing a ring transition from ring 3 to ring 0, the 80386 begins using all of the ring 0 resources, one of which is the ring 0 stack. Therefore, because the interrupt handler executes at ring 0 of protected mode, the stack on which the current V86 environment is saved is the ring 0 stack. The 80386 locates the current task's TSS and reads the ring 0 stack selector and stack pointer SS:ESP in order to utilize the ring 0 stack. It then pushes all of the virtual mode segment registers, shown in FIG. 9 as the data segments and the SS, onto the ring 0 stack. The 80386 then pushes the ESP from the V86 environment onto the ring 0 stack. The 80386 then pushes the current EFLAGS, CS, and EIP onto the ring 0 stack. It should be noted that all 32 bits of the EIP and EFLAGS registers are necessarily saved on the ring 0 stack because, otherwise, the 32-bit protected mode interrupt handler might alter the upper half of either register. As shown in FIG. 9, the virtual mode data segment registers, SS, ESP, EFLAGS, CS, and EIP saved on the ring 0 stack are referred to as the virtual mode trap frame (VMTF). The virtual mode or ring 3 stack, as determined by the virtual mode task's SS:SP at interrupt time, is not altered.
Since the 80386 is now in protected mode, the beginning address of the interrupt handler is not determined by reference to the interrupt vector table located in low memory, but instead by an entry in the system's Interrupt Descriptor Table (IDT). The IDT contains an entry for each valid interrupt in the system. If the interrupt which occurred was a software interrupt, then the software interrupt might be funneled through the GP fault handler, as was described above. If the interrupt which occurred was a hardware interrupt then the required interrupt service routine will necessarily be a real mode ISR. Therefore, the protected mode interrupt handler must have a means to dispatch the real mode ISR in V86 mode. As previously mentioned, as a general rule, all interrupts and exceptions which occur in V86 mode must be handled by ring 0 code. More specifically, if a particular interrupt handler could ever be invoked while a V86 program was running, the handler must generally be placed in a ring 0 code segment to allow the IRET instruction enough privilege to set the VM bit in the EFLAGS register to return to V86 mode. However, in many instances, such as where real mode services are required, it is necessary to service an interrupt in V86 mode because the real mode ISR required to service the interrupt can only exist in a V86 task.
One way a programmer might choose to execute a real mode ISR in V86 mode is for the protected mode interrupt handler to invoke the real mode ISR directly through a task gate. This method involves placing a task gate descriptor into the IDT slot corresponding to the respective interrupt or exception. In this manner, the 80386 processor would go to the respective slot in the IDT and vector to a task gate that switches to another V86 task.
However, a problem arises if a task gate is used to switch from a protected mode task to a V86 task. Whenever an interrupt or exception causes a task switch like this, the 80386 automatically sets the NT (Nested Task) bit in the new task's EFLAGS register, signifying that this task is nested inside another. The new task's TSS will also get a new back link field identifying the parent task. This way, the 80386 can determine whether a subsequent IRET instruction should return to another task or to code within the same task. Unfortunately, the NT bit is checked only when the IRET instruction is executed in protected mode. The NT bit is ignored in V86 mode. The net result is that an IRET instruction can be used only to set the VM (virtual mode) bit in the EFLAGS register, not clear it, and therefore a V86 task cannot return to its parent task with an IRET instruction. Therefore, since the only way to invoke a real mode service in V86 mode directly is through a task gate, and because nested V86 tasks cannot return to their callers properly, then it seems that protected mode tasks are required to service interrupts which occur during V86 mode.
However, even though the interrupt handler must run in protected mode, interrupt reflection techniques have been developed to allow the protected mode interrupt handler to invoke a V86 program or task. The V86 task which is invoked is the real mode ISR required to service the interrupt. Interrupt reflection entails manipulation of the ring 0 and virtual mode stacks to cause results like a real mode interrupt action for the virtual task. The desired end result is virtual mode execution of the respective interrupt service routine as determined by the interrupt vector table, using the same stack contents and entry flags as would have existed if the interrupt had occurred in real mode. To achieve interrupt reflection on an 80386, the VDM's interrupt reflection code performs the following steps within the protected mode interrupt handler.
As previously described, when an interrupt or exception occurs, the 80386 switches from ring 3 V86 mode to ring 0 protected mode and saves a VMTF on the ring 0 stack, as shown in FIG. 9. Referring now to FIG. 10, the FLAGS, CS, and IP are copied from the ring 0 stack onto the ring 3 stack used by V86 programs. These values are copied onto the ring 3 stack to emulate what the 80386 would normally do in real mode. The values are saved on the ring 3 stack so that upon completion of the real mode ISR, the 80386 can perform an IRET instruction and return to execution of the V86 task in the same V86 environment as when the interrupt occurred. The virtual mode or ring 3 stack segment (SS) and stack pointer (ESP), which reside in the ring 0 stack, are modified to point to the new "end" of the ring 3 stack to further emulate what would have occurred in real mode. This is necessary so that subsequent variables stored on the ring 3 stack during execution of the real mode ISR do not overwrite the saved state of the V86 task stored on the ring 3 stack.
The interrupt which occurred in the V86 program causes the 80386 to index into an entry point in the IDT. Depending on the entry point indexed in the IDT, the 80386 knows what actual interrupt number occurred and vectors to the appropriate protected mode interrupt handler. The interrupt handler then invokes interrupt reflection code that is used to reflect the interrupt to the requested real mode ISR. The interrupt reflection code determines the beginning address for the real mode ISR via the appropriate interrupt vector in the interrupt vector table. The code replaces the CS and IP on the ring 0 stack with CS and EIP values which point to the beginning of the real mode ISR. The code also clears the IF and TF bits in the EFLAGS value in the ring 0 stack to mimic what is done by the 80386 if it were in real mode. At this point, the ring 0 and ring 3 stacks would appear as in FIG. 11.
At this point, the VDM's protected mode interrupt handler executes an IRETD instruction to return to V86 mode and execute the real mode ISR. When the IRETD is executed, the 80386 pops the register values off of the ring 0 stack and returns to V86 mode. The 80386 begins execution at the address pointed to by the CS:EIP value which was popped off the ring 0 stack. Since the CS:EIP value was modified to point to the beginning address of the real mode ISR, the 80386 executes the real mode ISR which was required to service the interrupt which occurred in the original V86 program. The 80386 enters V86 mode to perform the ISR in the essentially the same state as when the original V86 program left V86 mode due to the interrupt. When the ISR is completed, the 80386 executes an IRET instruction, which pops the saved state of the interrupted V86 task off of the ring 3 stack, and the original V86 task resumes operation. Therefore, what actually has occurred is that the VDM has emulated in software what the 80386 microcode would normally do in real mode. The VDM code has emulated DOS to reflect an interrupt to the appropriate ISR which would have been executed had the 80386 been in real mode.
In summary, the implementation of the VDM's interrupt reflection logic comprises the following general steps. The processor interrupts a virtual mode task, saves the state of the virtual mode task on the ring 0 stack, and begins execution of the VDM's interrupt handler in ring 0 of protected mode. The VDM's interrupt handler manipulates the virtual mode ring 3 stack to emulate the action of a real mode interrupt and modifies the ring 0 stack to contain the appropriate entry conditions for the real mode ISR requested by the interrupt. The VDM then executes an IRETD instruction, and the processor returns to virtual mode and executes the interrupt service routine in V86 mode with the same entry conditions that would have existed had the interrupt occurred in real mode. Therefore, the VDM described in U.S. Pat. No. 4,926,322 included an interrupt handler wherein, if a real mode ISR was requested by a V86 task, the interrupt handler would manipulate the ring 0 stack so that the ISR could be executed in V86 mode. The manipulation of the ring 0 stack by the protected mode interrupt handler to invoke a real mode ISR in V86 mode is what is meant by interrupt reflection.
According to the VDM described in the CEMM patent, when a V86 task generates a software interrupt to request a protected mode service, the interrupt handler invokes the protected mode service, which is then executed in ring 0 protected mode to service the interrupt. At the end of the protected mode service, the 80386 performs an IRET instruction, which transfers control back to the interrupted V86 mode task. However, a problem arose in that the protected mode kernel forming the VDM in the CEMM patent was not interruptible when a protected mode service was being executed. During the entire time that the protected mode service was being executed, interrupts were not enabled because the kernel was unable to handle an exceptional condition while it was in protected mode. Therefore, if an interrupt came in during the time that the protected mode service was executing, the interrupt would not be acknowledged until after the protected mode service was completed. Problems arose because many of the protected mode services required a considerable length of time to execute, and therefore the interrupt latency during a protected mode service became unbearable. For example, if a high speed communications device connected to the computer system was attempting to communicate with the system during this time, the device could possibly attempt to interrupt the system several times during execution of the protected mode service while interrupts were not enabled. If the first interrupt was not acknowledged before a second interrupt was generated, then the system would possibly lose data from the device. Therefore a method is needed to allow a protected mode kernel to be interruptible or reentrant during execution of ring 0 protected mode code to reduce interrupt latency and prevent errors from occurring.
Background on DOS extenders and the VCPI interface is deemed appropriate. As previously mentioned, DOS provides computer systems with certain memory constraints, namely that DOS only recognizes one Megabyte of memory. Before the introduction of VDM's which took advantage of V86 mode, software applications which ran under DOS had to be run in real mode where the application could only access one Megabyte of memory. In order to combat these memory constraints, software designers built high powered DOS applications which were designed to take advantage of the full addressing capabilities of the 80386 processor. These applications included built-in DOS extenders which included a small protected mode kernel that took the 80386 into protected mode. When the software application was loaded, it created its own kernel, switched the 80386 into protected mode, and took over the machine completely. Since these high-powered DOS applications originally ran in real mode when they are loaded, they were running at ring 0 level and thus had complete access to all of the system resources required to flip themselves into protected mode.
However, with the introduction of virtual DOS monitors, problems resulted in the operation of DOS extenders. When a system included a VDM, DOS extenders were no longer allowed access to the system resources they required. A virtual DOS monitor is essentially a protected mode kernel wherein everything, including DOS, the ROM, and various applications are seen as V86 tasks which are running under the V86 monitor. The V86 monitor operates real mode tasks in V86 mode at ring 3 level, which is the least protected level. Therefore, in a computer system which includes a virtual DOS monitor, all DOS applications, including those with DOS extenders, are running in a V86 environment at ring 3 level. Therefore, a DOS extender operating as a V86 task no longer had the privilege to access the various system resources and system registers required to flip itself into protected mode. Thus DOS extenders were originally incompatible with any kernel which operated DOS application as V86 tasks. In order to allow the various DOS extenders to operate in conjunction with protected mode operating system software, the virtual control program interface (VCPI) was introduced. VCPI is a software interface designed to allow DOS extenders to operate in conjunction with protected mode kernels or VDM's.
To summarize the problems intended to be solved by the present invention, when a VDM is running a V86 task in V86 mode of the 80386 processor and receives an interrupt or exception, the 80386 enters ring 0 protected mode to service the condition. If the event is a software interrupt which requires a protected mode service, then the interrupt preferably includes its own entry point in the IDT, and the respective interrupt handler invokes the appropriate protected mode service. Problems arose where the protected mode kernel was not interruptible during the time that a protected mode service was being executed because no interrupts could be acknowledged during this time. As a result, the interrupt latency became intolerable, especially if an interrupt occurred in the beginning of the protected mode service. In instances where high speed communication devices are generating interrupts, several interrupts could come in during the protected mode service, and the data associated with their interrupts could be lost. Therefore, a method is needed to allow a protected mode kernel to service, in V86 mode, interrupts which occur during execution of ring 0 protected mode code.