SM> *** Glen McNabb wrote in a message to Peter Magnusson:
SM> PM> What kind of bug was it?
SM>
SM> GM> Not a bug. :) A feature... This is the fastest form of
SM> GM> Segment JMP you'll find... :)
SM>
SM> Oops, I just realized that I got my bugs confuddlerized.
SM>
SM> Let's see if I can list most of the known bugs in the 808x CPUs, as well
SM> as the differences between the 808x CPUs and other CPUs.
SM>
SM> The CMOS versions, 80C8x, have some of the bugs fixed.
SM> The 808x and 8018x have the PUSH SP bug, where the wrong value of SP is
SM> pushed.
SM> PUSH SP
SM> POP AX
SM> CMP AX,SP
SM> JNE Bug
Really... Seems to me the SP changes value in a push. Which is what
it's supposed to do. It would seem to me, to be asking for a problem.
SM> There's a difference between the 808x and 8018x, in which if you write a
SM> word to xxxx:FFFF, on the 808x, the second byte will appear at xxxx:0000
SM> and on the 8018x, the second byte will appear at xxxx:10000 (Note five
SM> digits there). My notes say something about V86 mode; apparently V86
SM> memory managers trap this but don't emulate it, but would have to verify
SM> this. I guess I need to fiddle with my CPUID program a bit more and
SM> clarify the note.
I would think you'd get a segment overflow interrupt if that was the case.
SM> After a MUL, the 808x always sets ZF=0, while the V20/V30 leaves ZF
SM> alone.
Actually the 808x does this correctly. On any multiply it would with 2
exceptions. 1. if you multiplied by zero. In which case the result is
0. 2. if the values multiplied overflowed the AX (for 8 bit) or
DX:AX (for 16 bit) where the result was 0 in the register(s). I discovered
this when making a random number generator that used a division after
multiplicative method.
SM> On the 808x/NEC, when doing a shift/rotate, the 808x/NEC will actually
SM> execute the number of times specified. On 8018x and higher, the count is
SM> masked off to the # of bits in the register.
That depended on the contents of the carry/borrow flag if I remember
correctly...
SM> One of the bugs in the original 808x that was fixed in 80C8x was a problem
SM> with multi-prefix string instructions. With code like REP: ES: LODS [SI]
SM> (this would normally be written REP LODS ES:[SI]), if an interrupt occurs
SM> during the loop, the instruction will be resumed at the REP instead of at
SM> the ES. This is normally tested by actually trying a loop to see if CX
SM> is always 0 when the loop finishes, although single-stepping might work
SM> as described below for the POP SS bug; I'll try that next time I can get
SM> ahold of an 8088 board. If it works, that would be better to use, since
SM> the normal method is statistical, therefore it may give false results.
Wouldn't know about that one. I never used that particular type of
instruction.
SM> The 8088/V20/80188 have a 4-byte queue, while the 8086/V30/80186 have a
-
SM> byte queue. Interrupts should be disabled during a queue test. On the
SM> 386, 386DX CPUs newer than D0 have a 12-byte queue to get around a bug in
SM> the 16-byte queue of previous chips. All 386SX chips have 16-byte
SM> queues; apparently they don't have the bug. Apparently it's extremely
SM> hard to reliably detect the queue size on 386 CPUs; see http://x86.org
SM> for details.
SM> Since the 8088/V20/80188 access data a byte at a time and the
SM> 8086/V30/80186 access data a word at a time, this can be checked for
SM> indirectly by testing to see if reading a word from odd addresses takes
SM> noticeably longer than reading a word from even addresses. The same test
SM> can be used to distinguish between 16-bit data bus and 32-bit data bus
SM> (386SX/386DX)
This can be done better by reading words across the odd/even address
boundary...
SM> On the 808x, when loading SS, an interrupt can occur before SP is loaded,
SM> thus writing stack data to the new SS segment and the old SP offset.
SM> This can be reliably checked by single-stepping, to see if the single-
SM> step stops immediately after the segment load (bug), or one instruction
SM> beyond (correct).
Reliably, a well written interrupt will not use the current stack for
that reason.
SM> On the 808x, PUSHA is interpreted as JMP $+2 (effectively a NOP). On the
SM> V20/V30/80x8x chips, it's a PUSHA.
As far as I know the PUSHA was not a part of the 808x instruction set.
SM> On the 808x CPUs, bits 12-15 of the flags register are locked on. On the
SM> 80286, they are locked off. Dunno about V20/V30/8018x.
There was a reason behind that. Can't remember what it was offhand...
I think that the 8018x also used one or more of those flags for its
own purpose. I think it had something to do with the internal chips
that were additional to it.
SM> I added the NEC AAD/AAM thing to my list... ;)
Cool beans...
--- ProBoard v2.16 [Reg]
---------------
* Origin: NC/NEC SEWAnet, Bucolic Fair (1:3407/25)
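
The PUSH SP test and the xxxx:FFFF word write from the quoted list, as an added C model that is not part of either poster's message. The values stored by PUSH SP (SP after the decrement on the 808x/8018x, SP before it on the 286) are documented CPU behaviour that the message does not spell out; the struct, the function names and the sample SP are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model added for illustration; not code from the thread. */
enum cpu { CPU_808X, CPU_8018X, CPU_286 };

struct machine {
    enum cpu cpu;
    uint16_t sp, ax;
    uint8_t  mem[0x10001];  /* one segment plus the byte at offset 10000h */
};

/* Store a word. Returns the offset the high byte went to, or -1 for the
   case the thread does not describe (offset FFFFh past the 8018x). */
static long store_word(struct machine *m, uint16_t off, uint16_t val)
{
    uint32_t hi = (uint32_t)off + 1;
    if (hi == 0x10000 && m->cpu == CPU_808X) hi = 0;  /* wraps in segment */
    if (hi == 0x10000 && m->cpu != CPU_8018X) return -1;
    m->mem[off] = (uint8_t)(val & 0xFF);
    m->mem[hi]  = (uint8_t)(val >> 8);
    return (long)hi;
}

/* PUSH SP / POP AX / CMP AX,SP / JNE Bug. Returns 1 when the JNE is taken.
   Assumption: 808x/8018x store SP after the decrement, the 286 before it. */
static int push_sp_bug(struct machine *m)
{
    uint16_t before = m->sp;
    m->sp = (uint16_t)(m->sp - 2);                               /* PUSH SP */
    store_word(m, m->sp, m->cpu == CPU_286 ? before : m->sp);
    m->ax = (uint16_t)(m->mem[m->sp] | (m->mem[m->sp + 1] << 8)); /* POP AX */
    m->sp = (uint16_t)(m->sp + 2);
    return m->ax != m->sp;                                       /* CMP/JNE */
}

int main(void)
{
    static struct machine m;               /* 64 KiB: keep it off the stack */
    const char *name[] = { "808x", "8018x", "286" };
    for (int c = CPU_808X; c <= CPU_286; c++) {
        m.cpu = (enum cpu)c;
        m.sp = 0x0100;                     /* constructed sample value */
        int bug = push_sp_bug(&m);
        printf("%-5s JNE taken=%d AX=%04X, high byte of word at FFFFh -> %ld\n",
               name[c], bug, (unsigned)m.ax, store_word(&m, 0xFFFF, 0xBEEF));
    }
    return 0;
}
```

In the printed offsets, 0 is the wrap to xxxx:0000, 65536 is xxxx:10000, and -1 marks the case the model leaves out.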