*** Glen McNabb wrote in a message to Peter Magnusson:
PM> SM> The most blatant bug must be the POP CS bug in the 808x;
PM> SM> Intel was (probably) forced to leave it in for
PM> SM> compatibility, so it wasn't changed until the 8018x.
PM>
PM> What kind of bug was it?
GM> Not a bug. :) A feature... This is the fastest form of
GM> Segment JMP you'll find... :)
Oops, I just realized that I got my bugs confuddlerized.
Let's see if I can list most of the known bugs in the 808x CPUs, as well as
the differences between the 808x CPUs and other CPUs.
The CMOS versions, 80C8x, have some of the bugs fixed.
The 808x and 8018x have the PUSH SP bug, where the wrong value of SP is
pushed.
PUSH SP        ; 808x/8018x store SP after decrementing it (SP-2)
POP AX         ; AX = whatever PUSH SP actually stored
CMP AX,SP      ; SP is back to its pre-push value here
JNE Bug        ; mismatch: the pushed value was SP-2, i.e. the bug
There's a difference between the 808x and 8018x, in which if you write a word
to xxxx:FFFF, on the 808x, the second byte will appear at xxxx:0000 and on
the 8018x, the second byte will appear at xxxx:10000 (Note five digits
there). My notes say something about V86 mode; apparently V86 memory
managers trap this but don't emulate it, but I would have to verify this. I
guess I need to fiddle with my CPUID program a bit more and clarify the note.
After a MUL, the 808x always sets ZF=0, while the V20/V30 leaves ZF alone.
On the 808x/NEC, when doing a shift/rotate, the 808x/NEC will actually execute
the number of times specified. On 8018x and higher, the count is masked off
to the # of bits in the register.
One of the bugs in the original 808x that was fixed in 80C8x was a problem
with multi-prefix string instructions. With code like REP: ES: LODS [SI]
(this would normally be written REP LODS ES:[SI]), if an interrupt occurs
during the loop, the instruction will be resumed at the REP instead of at the
ES. This is normally tested by actually trying a loop to see if CX is always
0 when the loop finishes, although single-stepping might work as described
below for the POP SS bug; I'll try that next time I can get ahold of an 8088
board. If it works, that would be better to use, since the normal method is
statistical, therefore it may give false results.
The 8088/V20/80188 have a 4-byte queue, while the 8086/V30/80186 have a
6-byte queue. Interrupts should be disabled during a queue test. On the
386, 386DX CPUs newer than D0 have a 12-byte queue to get around a bug in the
16-byte queue of previous chips. All 386SX chips have 16-byte queues;
apparently they don't have the bug. Apparently it's extremely hard to
reliably detect the queue size on 386 CPUs; see http://x86.org for details.
Since the 8088/V20/80188 access data a byte at a time and the 8086/V30/80186
access data a word at a time, this can be checked for indirectly by testing
to see if reading a word from odd addresses takes noticeably longer than
reading a word from even addresses. The same test can be used to distinguish
between 16-bit data bus and 32-bit data bus (386SX/386DX).
On the 808x, when loading SS, an interrupt can occur before SP is loaded,
thus writing stack data to the new SS segment and the old SP offset. This
can be reliably checked by single-stepping, to see if the single-step stops
immediately after the segment load (bug), or one instruction beyond
(correct).
On the 808x, PUSHA is interpreted as JMP $+2 (effectively a NOP). On the
V20/V30/80x8x chips, it's a PUSHA.
On the 808x CPUs, bits 12-15 of the flags register are locked on. On the
80286, they are locked off. Dunno about V20/V30/8018x.
I added the NEC AAD/AAM thing to my list... ;)
--Scott.
--- timEd 1.01
---------------
* Origin: Wizard's, 254-554-2146, Abacus PLUS, 903-3097 (1:395/11)
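Editor's added example (not part of Scott's message, and not real CPUID code): a constructed Python model of three of the generation-dependent behaviours listed above, with the detection sequences the post describes expressed against that model. The `Cpu` class, its family names ("808x" = 8086/8088, "8018x" = 80186/80188, "80286"), the stack segment/SP values and the 0BEEFh test word are all assumptions chosen for illustration. The shift-count masking is modelled as the documented 80186+ behaviour (CL AND 1Fh), and the 8018x is assumed to behave like the 808x for flag bits 12-15, which the post explicitly leaves open.

```python
# Constructed model of 808x-era CPU quirks used as fingerprints (added
# example, not code from the message).  Only the instructions the detection
# sequences need are modelled; nothing here touches a real CPU.

MASK16 = 0xFFFF


class Cpu:
    """Minimal 16-bit model: one stack segment and a byte-addressable memory
    dict keyed by physical address.  Family is one of the post's labels."""

    def __init__(self, family):
        assert family in ("808x", "8018x", "80286")
        self.family = family
        self.ss = 0x2000          # constructed stack segment
        self.sp = 0x0100          # constructed initial SP
        self.flags = 0x0002       # bit 1 reads as 1 on every x86
        self.mem = {}             # physical address -> byte

    def _word_addrs(self, seg, off):
        # Segment-wrap difference from the post: the 808x wraps the second
        # byte of a word at xxxx:FFFF back to xxxx:0000, the 8018x (and
        # later) lets it spill to xxxx:10000.
        lo = seg * 16 + off
        if self.family == "808x":
            hi = seg * 16 + ((off + 1) & MASK16)
        else:
            hi = seg * 16 + off + 1
        return lo, hi

    def write_word(self, seg, off, value):
        lo, hi = self._word_addrs(seg, off)
        self.mem[lo] = value & 0xFF
        self.mem[hi] = (value >> 8) & 0xFF

    def read_word(self, seg, off):
        lo, hi = self._word_addrs(seg, off)
        return self.mem.get(lo, 0) | (self.mem.get(hi, 0) << 8)

    def push(self, value):
        self.sp = (self.sp - 2) & MASK16
        self.write_word(self.ss, self.sp, value)

    def pop(self):
        value = self.read_word(self.ss, self.sp)
        self.sp = (self.sp + 2) & MASK16
        return value

    def push_sp(self):
        """PUSH SP: 808x/8018x store SP *after* the decrement (the bug the
        post shows); the 80286 stores the value SP had before the push."""
        old = self.sp
        self.sp = (self.sp - 2) & MASK16
        stored = old if self.family == "80286" else self.sp
        self.write_word(self.ss, self.sp, stored)

    def shl16(self, value, count):
        """SHL reg16,CL: the 808x executes the full count; 8018x and later
        mask CL to 5 bits first (count & 1Fh)."""
        if self.family != "808x":
            count &= 0x1F
        return (value << count) & MASK16

    def popf(self, value):
        """POPF: bits 12-15 forced on by the 808x, forced off by the 80286.
        Assumption: the 8018x is modelled like the 808x here."""
        if self.family == "80286":
            self.flags = value & 0x0FFF
        else:
            self.flags = value | 0xF000
        self.flags |= 0x0002

    def pushf(self):
        self.push(self.flags)


def push_sp_bug(cpu):
    """The post's PUSH SP / POP AX / CMP AX,SP / JNE Bug sequence."""
    cpu.push_sp()
    ax = cpu.pop()
    return ax != cpu.sp


def shift_count_masked(cpu):
    """MOV AX,0FFFFh / MOV CL,21h / SHL AX,CL: 33 real shifts clear AX on the
    808x; a masked count of 1 leaves 0FFFEh on the 8018x and later."""
    return cpu.shl16(0xFFFF, 0x21) != 0


def high_byte_offset(cpu, seg=0x1000):
    """Write a word at seg:FFFF and report where its high byte landed,
    relative to the segment base: 0 (808x wrap) or 0x10000 (8018x)."""
    cpu.write_word(seg, 0xFFFF, 0xBEEF)
    for off in (0x0000, 0x10000):
        if cpu.mem.get(seg * 16 + off) == 0xBE:
            return off
    return None


def flags_high_nibble(cpu):
    """PUSH 0 / POPF / PUSHF / POP AX, returning bits 12-15 of AX."""
    cpu.push(0)
    cpu.popf(cpu.pop())
    cpu.pushf()
    return cpu.pop() >> 12


def identify(cpu):
    """Combine the tests the way a CPUID-style probe would order them."""
    if not push_sp_bug(cpu):
        return "80286"
    if shift_count_masked(cpu):
        return "8018x"
    return "808x"


if __name__ == "__main__":
    for fam in ("808x", "8018x", "80286"):
        print(fam, identify(Cpu(fam)), hex(high_byte_offset(Cpu(fam))),
              hex(flags_high_nibble(Cpu(fam))))
```

The tests are ordered so that each one only has to separate two neighbouring generations: PUSH SP splits the 80286 from everything earlier, and the shift-count mask then splits 8018x from 808x. The single-step checks for POP SS and the multi-prefix REP string bug are deliberately not modelled, since they depend on interrupt timing that a toy like this cannot reproduce.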