Now Reading
Reverse-engineering the conditional soar circuitry within the 8086 processor

Reverse-engineering the conditional soar circuitry within the 8086 processor

2023-01-23 14:05:25

Intel launched the 8086 microprocessor in 1978 and it had an enormous affect on computing.
I am reverse-engineering the
8086 by analyzing the circuitry on its silicon die and on this weblog submit I check out how conditional jumps
are carried out.
Conditional jumps are an vital a part of any instruction set, altering the circulation of execution primarily based on
a situation.
Though this instruction could seem easy, it includes many components of the CPU:
the 8086 makes use of microcode together with special-purpose situation logic.

The die picture under exhibits the 8086 microprocessor underneath a microscope.
The steel layer on prime of the chip is seen, with the silicon and polysilicon largely hidden beneath.
Across the edges of the die, bond wires join pads to the chip’s 40 exterior pins.
I’ve labeled the important thing useful blocks; those which can be vital to this dialogue are darker and will likely be mentioned intimately under.
Architecturally, the chip is partitioned right into a Bus Interface Unit (BIU) on the prime and an Execution Unit (EU) under.
The BIU handles reminiscence accesses, whereas the Execution Unit (EU) executes directions.
Many of the related circuitry is within the Execution Unit, such because the situation analysis circuitry close to the middle,
and the microcode within the decrease proper. However the Bus Interface Unit performs an element too, holding and modifying this system counter.

The 8086 die under a microscope, with main functional blocks labeled. This photo shows the chip's single metal layer; the polysilicon and silicon are underneath. Click on this image (or any other) for a larger version.

The 8086 die underneath a microscope, with major useful blocks labeled. This picture exhibits the chip’s single steel layer; the polysilicon and silicon are beneath. Click on on this picture (or another) for a bigger model.

Microcode

Most individuals consider machine directions as the essential steps that a pc performs.
Nevertheless, many processors (together with the 8086) have one other layer of software program beneath: microcode.
One of many hardest components of laptop design is creating the management logic that directs the processor for every step of an instruction.
The simple method is to construct a circuit from flip-flops and gates that strikes by way of the assorted steps and generates the management alerts.
Nevertheless, this circuitry is sophisticated, error-prone, and arduous to design.

The choice is microcode: as an alternative of constructing the management circuitry from advanced logic gates, the management logic is essentially changed with code.
To execute a machine instruction, the pc internally executes a number of easier micro-instructions, specified by the microcode.
In different phrases, microcode kinds one other layer between the machine directions and the {hardware}.
The primary benefit of microcode is that it turns design of management circuitry right into a programming process as an alternative of a troublesome logic design process.

The 8086 makes use of a hybrid method: though the 8086 makes use of microcode, a lot of the instruction performance is carried out with gate logic.
This method eliminated duplication from the microcode and saved the microcode sufficiently small for 1978 expertise.
In a way, the microcode is parameterized.
As an example, the microcode can specify a generic Arithmetic/Logic Unit (ALU) operation, and the gate logic determines from the instruction which ALU (Arithmetic/Logic Unit) operation to carry out.
Extra related to this weblog submit, the microcode can specify a generic conditional take a look at and the gate logic determines which situation to make use of.
Though this made the 8086’s gate logic extra sophisticated, the tradeoff was worthwhile.

Microcode for conditional jumps

The 8086 processor has six standing flags:
carry, parity, auxiliary carry, zero, signal, and overflow.1
These flags are up to date by arithmetic and logic operations primarily based on the consequence.
The 8086 has sixteen completely different conditional soar directions2
that take a look at standing flags and soar if circumstances are glad, reminiscent of zero, lower than, or odd parity.
These directions are crucial since they enable if statements, loops, comparisons, and so forth.

In machine language, a conditional soar opcode is adopted by a signed offset byte which specifies
a location relative to the present program counter, from 127 bytes forward
to 128 bytes again.
This can be a pretty small vary, however the profit is that the offset suits in a single byte, lowering the code measurement.3
For typical functions reminiscent of loops or conditional code, jumps often keep in the identical neighborhood of code,
so the tradeoff is worth it.

The 8086’s microcode was disassembled by Andrew Jenner (link) from my die pictures, so we are able to see precisely what micro-instructions the 8086 is operating for every machine instruction.
The microcode under implements conditional jumps.
In short, the conditional soar code (Jcond) will get the department offset byte.
It assessments the suitable situation and, if glad, jumps to the relative soar microcode (RELJUMP).
The RELJMP code provides the offset to this system counter.
In both case, the microcode routine ends when it runs the subsequent instruction (RNI).

   transfer       motion
Jcond:
1 Q→tmpBL
2          XC    RELJMP                    
3          RNI                       

RELJMP:
4          SUSP
5          CORR                      
6 PC→tmpA  ADD   tmpA
7 Σ→PC     FLUSH RNI                       

In additional element, micro-instruction 1 (arbitrary numbering) strikes a byte from the prefetch queue (Q) throughout the queue bus to the
ALU’s non permanent B register.4 (Arguments for ALU operations are first saved in non permanent registers, invisible to the programmer.)
Instruction 2 assessments the suitable situation with XC, and jumps to the RELJMP routine if the situation is glad.5
In any other case, RNI (Run Subsequent Instruction) ends this sequence and hundreds the subsequent machine instruction with out leaping.

If the situation is glad, the relative soar routine begins with instruction 4, which suspends prefetching.6
Instruction 5 corrects this system counter worth, because it usually factors to the subsequent byte to prefetch,
not the subsequent byte to execute.
Instruction 6 strikes the corrected program counter tackle to the ALU’s non permanent A register.
It additionally begins an ALU operation so as to add non permanent A and non permanent B.
Instruction 7 strikes the sum (Σ) to this system counter.
It flushes the prefetch queue, which begins up prefetching from the brand new PC worth.
Lastly, RNI runs the subsequent instruction, from the up to date tackle.

This code helps all 16 conditional jumps as a result of the microcode assessments the generic
“XC” situation.
This means that the precise take a look at depends upon the 4 low bits of the opcode, and the {hardware} determines
precisely what to check.
It is vital to maintain the 2 ranges straight: the machine instruction is doing a conditional soar to a special reminiscence tackle, whereas the microcode that implements this instruction is performing a conditional soar to a special micro-address.

The timing for conditional jumps

The RNI (Run Subsequent Instruction) micro-operation initiates processing of the subsequent machine instruction.
Nevertheless, it takes a clock cycle to get the subsequent instruction from the prefetch queue, decode it, and begin the
applicable micro-instruction.
This causes a wasted clock cycle earlier than the subsequent micro-instruction executes.
To keep away from this delay, most microcode routines challenge a NXT micro-operation one cycle earlier than they finish.
This provides the 8086 time to decode the subsequent machine instruction so micro-instructions can run uninterrupted.

Sadly, the conditional soar directions cannot make the most of NXT.
The issue is that the management circulation within the microcode depends upon whether or not the conditional soar is taken or not.
By the point the microcode is aware of it isn’t taking the department, it is too late to challenge NXT.

The datasheet provides the timing of a conditional soar as 4 clock cycles if the soar just isn’t taken, and eight clock
cycles if the soar is taken.
Wanting on the microcode explains these timings. There are 3 micro-instructions executed if the soar just isn’t taken, and seven
whether it is taken. Due to the RNI, there may be one wasted clock cycle, ensuing within the documented 4 or 8 cycles in whole.

The circumstances

At this level I’ll assessment the 8086’s conditional jumps.
The 8086 implements 16 conditional jumps. (This can be a massive quantity in comparison with earlier CPUs:
the 8080, 6502, and Z80 all had 8 conditional jumps, specified by 3 bits.)
The desk under exhibits which flags are examined for every situation, specified by the low 4 bits of the opcode.
Some soar directions have a number of names relying on the programmer’s interpretation, however they map to the identical machine instruction.7

Situation Bits Situation true Situation false
Overflow Flag (OF)=1 000x overflow (JO) not overflow (JNO)
Carry Flag (CF)=1 001x carry (JC)
under (JB)
not above or equal (JNAE)
not carry (JNC)
not under (JNB)
above or equal (JAE)
Zero Flag (ZF)=1 010x zero (JZ)
equal (JE)
not zero (JNZ)
not equal (JNE)
CF=1 or ZF=1 011x under or equal (JBE)
not above (JNA)
not under or equal (JNBE)
above (JA)
Signal Flag (SF)=1 100x signal (JS) not signal (JNS)
Parity Flag (PF)=1 101x parity (JP)
parity even (JPE)
not parity (JNP)
parity odd (JPO)
SF ≠ OF 110x much less (JL)
not better or equal (JNGE)
not much less (JNL)
better or equal (JGE)
ZF=1 or SF ≠ OF 111x much less or equal (JLE)
not better (JNG)
not much less or equal (JNLE)
better (JG)

From the {hardware} perspective, the vital factor is that there are eight completely different situation flag assessments.
Every take a look at has two soar directions related to it: one which jumps if the situation is true, and one which jumps
if the situation is fake.
The low little bit of the opcode selects “if true” or “if false”.

The picture under exhibits the situation analysis circuitry because it seems on the die. There is not a lot construction to it; it is simply
a bunch of gates.
This picture exhibits the doped silicon areas that type transistors. The quite a few small polygons with a circle inside
are connections between the steel layer and the polysilicon layer. Many of those connections use the silicon layer
to optimize the format.

The circuitry to compute conditions as it appears on the die. The metal and polysilicon layers have been removed for this image, showing the silicon underneath.

The circuitry to compute circumstances because it seems on the die. The steel and polysilicon layers have been eliminated for this picture, displaying the silicon beneath.

This circuitry evaluates every situation by getting the instruction bits from the Instruction Register,
checking the bits to match every situation, and testing if the situation is glad.
As an example, the overflow situation (with instruction bits 000x) is computed by a NOR gate: NOR(IR3, IR2, IR1, OF'), which will likely be true if instruction register bits 3, 2, and 1 are zero and the Overflow Flag is 1.

The outcomes from the person situation assessments are mixed with a 7-input NOR gate, producing a consequence that’s 0 if the required 3-bit situation is glad.
Lastly, the “if true” and “if false” circumstances are dealt with by flipping this sign relying on the low little bit of the instruction.
This ultimate consequence signifies if the 4-bit situation within the instruction is glad, and this sign is handed on
to the microcode management circuitry.

One surprising function of the implementation is {that a} 7-input NOR gate combines the assorted circumstances to
take a look at if the chosen situation is glad.
You’d count on that with eight circumstances, there could be eight inputs to the NOR gate.
Nevertheless, there’s a intelligent optimization that takes benefit of
circumstances which can be combos of clauses, for instance, “much less or equal”.
Particularly, the zero flag is examined for bit sample 01xx (the place x signifies a 0 or 1), which covers two circumstances with one gate.
Likewise, SF≠OF is examined for bit sample 11xx and CF=1 is examined for bit sample 0x1x.
With these optimizations, the eight circumstances are coated with seven checks.
(This exhibits that the opcodes weren’t assigned arbitrarily: the bit patterns wanted to be rigorously assigned for this to work.)

See Also

Again to the microcode

Earlier than explaining how the microcode soar circuitry works, I am going to briefly talk about the microcode format.
A micro-instruction is encoded into 21 bits as proven under.
Each micro-instruction incorporates a transfer from a supply register to a vacation spot register, every specified with 5 bits.
The that means of the remaining bits is a bit difficult because it depends upon the sort subject, which is 2 or three bits lengthy.
The “quick soar” (sort 0) is a conditional soar throughout the present block of 16 micro-instructions.
The ALU operation (sort 1) units up the arithmetic-logic unit to carry out an operation.
Bookkeeping operations (sort 4) are something from flushing the prefetch queue to ending the present instruction.
A reminiscence learn or write is sort 6.
A “lengthy soar” (sort 5) is a conditional soar to any of 16 mounted microcode areas (laid out in an exterior desk).
Lastly, a “lengthy name” (sort 7) is a conditional subroutine name to certainly one of 16 areas (completely different from the soar targets).

The encoding of a micro-instruction into 21 bits. Based on NEC v. Intel: Will Hardware Be Drawn into the Black Hole of Copyright?

I will deal with the XC RELJMP micro-instruction that we noticed within the microcode earlier.
This can be a “lengthy soar” with XC because the situation and RELJMP because the goal tag.
One other layer of {hardware} is required to implement the microcode circumstances.
The microcode helps 16 circumstances, that are utterly completely different from the 16 programmer-level circumstances.8
Some microcode circumstances take a look at special-purpose inside flags, whereas others take a look at circumstances reminiscent of an interrupt, the chip’s TEST pin,
bit 3 of the opcode, or if the instruction has a one-byte tackle offset.
The XC situation is certainly one of these 16 circumstances, quantity 15 particularly.

The circumstances are evaluated by the situation PLA (Programmable Logic Array, a grid of gates), proven under.
The 4 situation bits from the micro-instruction, together with their enhances, are fed into the columns.
The PLA has 16 rows, one for every situation.
Every row is a NOR gate matching one bit mixture (i.e. deciding on a situation) and the corresponding sign worth to
take a look at.9
Thus, if a specific situation is specified and is glad, that row will likely be 1.
The 16 row outputs are mixed by the 16-input NOR gate on the left.
Thus, if the required situation is glad, this output will likely be 0, and if the situation is unhappy, the
output will likely be 1.
This sign controls the soar or name micro-instruction:
if the situation is glad, the brand new micro-address is loaded into the microcode tackle register.
If the situation just isn’t glad, the microcode proceeds sequentially.

The condition PLA evaluates microcode conditionals.

The situation PLA evaluates microcode conditionals.

Conclusions

To summarize, the 8086 processor implements 16 conditional soar directions.
One piece of microcode effectively implements all 16 directions, with gate logic figuring out which flags to check, relying
on bits within the machine instruction.
The results of this take a look at is utilized by the microcode XC conditional soar, certainly one of 16 utterly completely different microcode-level
circumstances. If the XC situation is glad, this system counter is up to date by including the offset,
leaping to the brand new location.

Conditional jumps are comparatively simple directions from the programmer’s perspective,
however they work together with most components of the 8086 processor
together with
the prefetch queue, the tackle adder, the ALU, microcode, and the Translation ROM.
The diagram under exhibits the interactions for every step of the soar.

The conditional jump involves many parts of the die, shown in this diagram.

The conditional soar includes many components of the die, proven on this diagram.

I’ve written a number of posts on the 8086 to this point and
plan to proceed reverse-engineering the 8086 die so
comply with me on Twitter @kenshirriff or RSS for updates.
I’ve additionally began experimenting with Mastodon just lately as @[email protected].

Notes and references



Source Link

What's Your Reaction?
Excited
0
Happy
0
In Love
0
Not Sure
0
Silly
0
View Comments (0)

Leave a Reply

Your email address will not be published.

2022 Blinking Robots.
WordPress by Doejo

Scroll To Top