PROTECTION
Since stacks normally occupy different offset ranges (lower limit to OFFFFH) than data segments, the
limit field of a segment descriptor can be interpreted in
two
ways. The Expand Down (ED) bit in the
access byte allows offsets for stack segments to be greater than the limit field. When ED
is
1,
the
allowed range of offsets within the segment
is
limit + 1 to OFFFFH. To allow a full stack segment, set
ED
to
1 and the limit to OFFFFH. The ED bit of a data segment descriptor does not have to be set for
use in
SS
(i.e., it will not cause an exception). Section 7.5.4 discusses stack segment usage in greater
detail. An expand down
(ED=
1) segment can also be loaded into ES or DS.
Limit and access checks are performed before any memory reference
is
started. For stack push instruc-
tions
(PUSH, PUSHA,
ENTER,
CALL, INT), a possible limit violation
is
identified before any inter-
nal registers are updated. Therefore, these instructions are fully restartable after a stack size violation.
7.4.2
Code Segment Access
Code segments are accessed via
CS
for execution. Segments that are execute-only can
ONLY
be
executed; they cannot be accessed via
DS or ES, nor read via CS with a CS override prefix.
If
a
segment
is
executable (bit 3 = 1
in
the access byte), access via DS or ES
is
possible only
if
it
is
also
readable. Thus, any code segment that also contains data must be readable. (Refer
to
Chapter 2 for a
discussion of segment override prefixes.)
An execute-only segment preserves the privacy of the code against any attempt
to
read it; such an
attempt causes a general protection fault with an error code of
O.
A code segment cannot be loaded
into
SS
and
is
never writable. Any attempted write will cause a general protection fault with an error
code of
O.
The limit field of a code segment descriptor identifies the last byte in the segment. Any offset greater
than the limit value will cause a general protection fault. The prefetcher of the
80286 can never cause
a code segment limit violation with an error code of
O.
The program must actually attempt to execute
an instruction beyond the end of the code segment
to
cause an exception.
If
a readable non-conforming code segment
is
to be loaded into DS or ES, the privilege level require-
ments are the same as those stated for data segments
in
7.4.1.
Code segments are subject
to
different privilege checks when executed. The normal privilege require-
ment for a
jump
or call to another code segment
is
that the current privilege level equal the descriptor
privilege level of the new code segment. Jumps and calls within the current code segment automatically
obey this rule.
Return instructions may pass control to code segments
at
the same or less (numerically greater) privi-
leged level. Code segments
at
more privileged levels may only be reached via a call through a call gate
as described in section 7.5.
An exception to this, previously stated,
is
the conforming code segment that allows the DPL of the
requested code segment to be numerically less than (of greater privilege than) the CPL. Conforming
code segments are discussed in section 11.2.
7.4.3
Data Access Restriction by Privilege Level
This section describes privilege verification when accessing either data segments (loading segment
selectors into
DS, ES, or SS) or readable code segments. Privilege verification when loading CS for
transfer of control across privilege levels
is
described in the next section.
7-13