Halt and Catch Fire (computing)

Last updated

In computer engineering, Halt and Catch Fire, known by the assembly language mnemonic HCF, is an idiom referring to a computer machine code instruction that causes the computer's central processing unit (CPU) to cease meaningful operation, typically requiring a restart of the computer. It originally referred to a fictitious instruction in IBM System/360 computers (introduced in 1964), making a joke about its numerous non-obvious instruction mnemonics.

Contents

With the advent of the MC6800 (introduced in 1974), a design flaw was discovered by programmers. Due to incomplete opcode decoding, two illegal opcodes, 0x9D and 0xDD, will cause the program counter on the processor to increment endlessly, which locks the processor until reset. Those codes have been unofficially named HCF. During the design process of the MC6802, engineers originally planned to remove this instruction, but kept it as-is for testing purposes. As a result, HCF was officially recognized as a real instruction. [1] [2] Later, HCF became a humorous catch-all term for instructions that may freeze a processor, including intentional instructions for testing purposes, and unintentional illegal instructions. Some are considered hardware defects, and if the system is shared, a malicious user can execute it to launch a denial-of-service attack.

In the case of real instructions, the implication of this expression is that, whereas in most cases in which a CPU executes an unintended instruction (a bug in the code) the computer may still be able to recover, in the case of an HCF instruction there is, by definition, no way for the system to recover without a restart.

The expression catch fire is a facetious exaggeration of the speed with which the CPU chip would be switching some bus circuits, causing them to overheat and burn. [3]

Origins

The Z1 (1938) and Z3 (1941) computers built by Konrad Zuse contained illegal sequences of instructions which damaged the hardware if executed by accident. [4]

Apocryphal stories connect this term with an illegal opcode in IBM System/360. A processor, upon encountering the instruction, would start switching bus lines very fast, potentially leading to overheating. [5] [6]

In a computer's assembly language, mnemonics are used that are directly equivalent to machine code instructions. The mnemonics are frequently three letters long, such as ADD, CMP (to compare two numbers), and JMP (jump to a different location in the program). The HCF instruction was originally a fictitious assembly language instruction, said to be under development at IBM for use in their System/360 computers, along with many other amusing three-letter acronyms like XPR (Execute Programmer) and CAI (Corrupt Accounting Information), and similar to other joke mnemonics such as "SDI" for "Self Destruct Immediately" [7] and "CRN" for "Convert to Roman Numerals". [8] A list of such mnemonics, including HCF, shows up as "Overextended Mnemonics" in the April 1980 Creative Computing flip-side parody issue. [9]

In modern CPUs

CPU designers sometimes incorporate one or more undocumented machine code instructions for testing purposes, such as the IBM System/360 DIAGnose instruction. [10]

Motorola 6800

The Motorola 6800 microprocessor was the first for which an undocumented assembly mnemonic HCF became widely known. The operation codes (opcodes—the portions of the machine language instructions that specify an operation to be performed) hexadecimal 9D and DD were reported and given the unofficial mnemonic HCF in a December 1977 article by Gerry Wheeler in BYTE magazine on undocumented opcodes. [11] Wheeler noted that Motorola reported 197 valid operation codes for the M6800 processor, and so inferred that with 256 possible 8 bit combinations, there must be 59 invalid instructions. He described the HCF as a "big surprise", and said of the Catch Fire portion of the moniker, "Well, almost":

When this instruction is run the only way to see what it is doing is with an oscilloscope. From the user's point of view the machine halts and defies most attempts to get it restarted. Those persons with indicator lamps on the address bus will see that the processor begins to read all of the memory, sequentially, very quickly. In effect, the address bus turns into a 16 bit counter. However, the processor takes no notice of what it is reading... it just reads. [11]

Another author wrote in 2002:

In the old days of the Motorola 6800 microprocessor, instruction code DD caused the processor to go into an endless loop, reading from each memory address in order. (Other engineers referred to this as the "Halt and Catch Fire" [HCF] instruction, but we remembered the code by calling it the "Drop Dead" instruction.) Drop Dead mode was wonderful for spotting hardware timing and address logic problems with a scope; all of the address and clock lines were nice, cycling square waves. [12]

The 6800's behavior when encountering HCF was known to Motorola by 1976. When the 6800 encounters the HCF instruction, the processor never finds the end of it, endlessly incrementing its program counter until the CPU is reset. [13] Hence, the address bus effectively becomes a counter, allowing the operation of all address lines to be quickly verified. Once the processor entered this mode, it is not responsive to interrupts, so normal operation can only be restored by a reset (hence the "Drop Dead" and "Halt and Catch Fire" monikers). These references are thus to the unresponsive behavior of the CPU in this state, and not to any form of erratic behavior.[ citation needed ]. Motorola kept the HCF behavior in the 6802 variant of the processor (which released in 1977) as an intentional self-test for the 6802's 128 bytes of onboard RAM.

Other HCF-like instructions were found later on the Motorola 6800 when executing undocumented opcodes FD (cycling twice slower than 9D/DD) or CD/ED (cycling at a human-readable very low frequency on a limited number of high-address lines). [14]

HCF is believed to be the first built-in self-test feature on a Motorola microprocessor. [2]

Intel x86

The Intel 8086 and subsequent processors in the x86 series have an HLT (halt) instruction, opcode F4, which stops instruction execution and places the processor in a HALT state. An enabled interrupt, a debug exception, the BINIT signal, the INIT signal, or the RESET signal resumes execution, which means the processor can always be restarted. [15] Some of the early Intel DX4 chips have a problem with the HLT instruction and cannot be restarted after this instruction is used, which disables the computer and turns HLT into more of an HCF instruction. The Linux kernel has a "no-hlt" option telling Linux to run an infinite loop instead of using HLT, which allows users of these broken chips to use Linux. [16]

The 80286 has the undocumented opcode 0F 04, causing the CPU to hang when executed. The only way out is a CPU reset.[ citation needed ] [17] In some implementations, the opcode is emulated through BIOS as a halting sequence. [18]

Many computers in the Intel Pentium line can be locked up by executing an invalid instruction (F00F C7C8), which causes the computer to lock up. This became known as the Pentium F00F bug. No compiler creates the instruction, but a malicious programmer can insert it into code to render an afflicted computer inoperable until the machine is power-cycled. Since its discovery, workarounds have been developed to prevent it from locking the computer, and the bug has been eliminated in subsequent Intel processors. [19] [20]

During Black Hat USA 2017, Christopher Domas showed that he found a new "Halt and Catch Fire" instruction [21] [22] on an undisclosed x86 processor model using his own x86 processor fuzzer called sandsifter. [23]

Other CPUs

The NMOS MOS Technology 6502 has 12 invalid instructions which cause the program counter to fail to fetch the next instruction, locking up the CPU and requiring a processor reset. [24] [25]   The WDC version of the CMOS 65C02, as well as the 65C816, has the STP (stop, opcode $DB) instruction.  When executed, STP will stop the processor's internal clock, causing all processing to cease—also, the processor will be unresponsive to all inputs except RESB (reset).  The only way to clear the effects of an STP instruction is to toggle RESB.

On the Zilog Z80, executing DI (disable interrupts) followed by HALT (wait for an interrupt) results in the CPU staying frozen indefinitely, waiting for an interrupt that cannot happen. However, the non-maskable interrupt signal can be used to break out of this state, making this pair not a true HCF. [26] [27] The /NMI signal is on Pin 17 of the original 40 pin DIP package. [28] [29] The pair will only result in a HCF condition if either the /NMI pin is connected directly to the +5V rail, making the generation of that signal impossible, or if the interrupt routine that services /NMI ends with a return, placing it back in the HALT state.

The SM83 processor [lower-alpha 1] [30] core in the Game Boy's LR35902 system on chip has a similar issue, triggered by two consecutive HALTs with interrupts disabled. [lower-alpha 2] [31] The core itself contains 11 opcodes that fully lock the CPU when executed. [32]

The Hitachi SC61860, mainly used in Sharp pocket computers in the 1980s and 1990s, has an undocumented HCF instruction with the opcode 7B. [33]

See also

Notes

  1. The SM83 CPU is similar to the Z80, but not directly related.
  2. When interrupts are disabled, the HALT instruction on the Game Boy CPU does not pause the CPU, but, rather, prevents the CPU's program counter from incrementing on the instruction immediately following the HALT, effectively doubling the instruction after the HALT (or, for a multi-byte instruction, doubling the first byte and separating off the original last byte into a new single-byte instruction); if the instruction after the HALT is itself a HALT, then (as HALT is a single-byte instruction) the CPU effectively sees an infinite series of HALTs, causing the system to lock up.

Related Research Articles

<span class="mw-page-title-main">Assembly language</span> Low-level programming language

In computer programming, assembly language, often referred to simply as assembly and commonly abbreviated as ASM or asm, is any low-level programming language with a very strong correspondence between the instructions in the language and the architecture's machine code instructions. Assembly language usually has one statement per machine instruction (1:1), but constants, comments, assembler directives, symbolic labels of, e.g., memory locations, registers, and macros are generally also supported.

<span class="mw-page-title-main">Intel 80286</span> Microprocessor model

The Intel 80286 is a 16-bit microprocessor that was introduced on February 1, 1982. It was the first 8086-based CPU with separate, non-multiplexed address and data buses and also the first with memory management and wide protection abilities. The 80286 used approximately 134,000 transistors in its original nMOS (HMOS) incarnation and, just like the contemporary 80186, it can correctly execute most software written for the earlier Intel 8086 and 8088 processors.

<span class="mw-page-title-main">Intel 8080</span> 8-bit microprocessor

The Intel 8080 ("eighty-eighty") is the second 8-bit microprocessor designed and manufactured by Intel. It first appeared in April 1974 and is an extended and enhanced variant of the earlier 8008 design, although without binary compatibility. The initial specified clock rate or frequency limit was 2 MHz, with common instructions using 4, 5, 7, 10, or 11 clock cycles. As a result, the processor is able to execute several hundred thousand instructions per second. Two faster variants, the 8080A-1 and 8080A-2, became available later with clock frequency limits of 3.125 MHz and 2.63 MHz respectively. The 8080 needs two support chips to function in most applications: the i8224 clock generator/driver and the i8228 bus controller. The 8080 is implemented in N-type metal–oxide–semiconductor logic (NMOS) using non-saturated enhancement mode transistors as loads thus demanding a +12 V and a −5 V voltage in addition to the main transistor–transistor logic (TTL) compatible +5 V.

<span class="mw-page-title-main">Intel 8088</span> Intel microprocessor model

The Intel 8088 microprocessor is a variant of the Intel 8086. Introduced on June 1, 1979, the 8088 has an eight-bit external data bus instead of the 16-bit bus of the 8086. The 16-bit registers and the one megabyte address range are unchanged, however. In fact, according to the Intel documentation, the 8086 and 8088 have the same execution unit (EU)—only the bus interface unit (BIU) is different. The 8088 was used in the original IBM PC and in IBM PC compatible clones.

<span class="mw-page-title-main">Motorola 68000</span> Microprocessor

The Motorola 68000 is a 16/32-bit complex instruction set computer (CISC) microprocessor, introduced in 1979 by Motorola Semiconductor Products Sector.

<span class="mw-page-title-main">MOS Technology 6502</span> 8-bit microprocessor from 1975

The MOS Technology 6502 is an 8-bit microprocessor that was designed by a small team led by Chuck Peddle for MOS Technology. The design team had formerly worked at Motorola on the Motorola 6800 project; the 6502 is essentially a simplified, less expensive and faster version of that design.

<span class="mw-page-title-main">Motorola 6800</span> 8-bit microprocessor

The 6800 is an 8-bit microprocessor designed and first manufactured by Motorola in 1974. The MC6800 microprocessor was part of the M6800 Microcomputer System that also included serial and parallel interface ICs, RAM, ROM and other support chips. A significant design feature was that the M6800 family of ICs required only a single five-volt power supply at a time when most other microprocessors required three voltages. The M6800 Microcomputer System was announced in March 1974 and was in full production by the end of that year.

<span class="mw-page-title-main">Motorola 6809</span> 8-bit microprocessor

The Motorola 6809 ("sixty-eight-oh-nine") is an 8-bit microprocessor with some 16-bit features. It was designed by Motorola's Terry Ritter and Joel Boney and introduced in 1978. Although source compatible with the earlier Motorola 6800, the 6809 offered significant improvements over it and 8-bit contemporaries like the MOS Technology 6502, including a hardware multiplication instruction, 16-bit arithmetic, system and user stack registers allowing re-entrant code, improved interrupts, position-independent code, and an orthogonal instruction set architecture with a comprehensive set of addressing modes.

<span class="mw-page-title-main">Zilog Z80</span> 8-bit microprocessor

The Zilog Z80 is an 8-bit microprocessor designed by Zilog that played an important role in the evolution of early computing. Software-compatible with the Intel 8080, it offered a compelling alternative due to its better integration and increased performance. The Z80 boasted fourteen registers compared to the 8080's seven, along with additional instructions for bit manipulation, making it a more powerful chip.

In computer architecture, 8-bit integers or other data units are those that are 8 bits wide. Also, 8-bit central processing unit (CPU) and arithmetic logic unit (ALU) architectures are those that are based on registers or data buses of that size. Memory addresses for 8-bit CPUs are generally larger than 8-bit, usually 16-bit. 8-bit microcomputers are microcomputers that use 8-bit microprocessors.

<span class="mw-page-title-main">Intel 8085</span> 8-bit microprocessor by Intel

The Intel 8085 ("eighty-eighty-five") is an 8-bit microprocessor produced by Intel and introduced in March 1976. It is the last 8-bit microprocessor developed by Intel.

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

<span class="mw-page-title-main">Pentium F00F bug</span> Pentium processor bug

The Pentium F00F bug is a design flaw in the majority of Intel Pentium, Pentium MMX, and Pentium OverDrive processors. Discovered in 1997, it can result in the processor ceasing to function until the computer is physically rebooted. The bug has been circumvented through operating system updates.

<span class="mw-page-title-main">WDC 65C02</span> CMOS microprocessor in the 6502 family

The Western Design Center (WDC) 65C02 microprocessor is an enhanced CMOS version of the popular nMOS-based 8-bit MOS Technology 6502. It uses less power than the original 6502, fixes several problems, and adds new instructions. The power usage is on the order of 10 to 20 times less than the original 6502 running at the same speed; its reduced power consumption has made it useful in portable computer roles and industrial microcontroller systems. The 65C02 has also been used in some home computers, as well as in embedded applications, including medical-grade implanted devices.

A Trace Vector Decoder (TVD) is computer software that uses the trace facility of its underlying microprocessor to decode encrypted instruction opcodes just-in-time prior to execution and possibly re-encode them afterwards. It can be used to hinder reverse engineering when attempting to prevent software cracking as part of an overall copy protection strategy.

<span class="mw-page-title-main">Illegal opcode</span> Undocumented CPU instruction that has an effect

An illegal opcode, also called an unimplemented operation, unintended opcode or undocumented instruction, is an instruction to a CPU that is not mentioned in any official documentation released by the CPU's designer or manufacturer, which nevertheless has an effect. Illegal opcodes were common on older CPUs designed during the 1970s, such as the MOS Technology 6502, Intel 8086, and the Zilog Z80. On these older processors, many exist as a side effect of the wiring of transistors in the CPU, and usually combine functions of the CPU that were not intended to be combined. On old and modern processors, there are also instructions intentionally included in the processor by the manufacturer, but that are not documented in any official specification.

In computer processors the carry flag is a single bit in a system status register/flag register used to indicate when an arithmetic carry or borrow has been generated out of the most significant arithmetic logic unit (ALU) bit position. The carry flag enables numbers larger than a single ALU width to be added/subtracted by carrying (adding) a binary digit from a partial addition/subtraction to the least significant bit position of a more significant word. This is typically programmed by the user of the processor on the assembly or machine code level, but can also happen internally in certain processors, via digital logic or microcode, where some processors have wider registers and arithmetic instructions than ALU. It is also used to extend bit shifts and rotates in a similar manner on many processors. For subtractive operations, two (opposite) conventions are employed as most machines set the carry flag on borrow while some machines instead reset the carry flag on borrow.

A test register, in the Intel 80386 and Intel 80486 processor, was a register used by the processor, usually to do a self-test. Most of these registers were undocumented, and used by specialized software. The test registers were named TR3 to TR7. Regular programs don't usually require these registers to work. With the Pentium, the test registers were replaced by a variety of model-specific registers (MSRs).

In the x86 computer architecture, HLT (halt) is an assembly language instruction which halts the central processing unit (CPU) until the next external interrupt is fired. Interrupts are signals sent by hardware devices to the CPU alerting it that an event occurred to which it should react. For example, hardware timers send interrupts to the CPU at regular intervals.

Intel microcode is microcode that runs inside x86 processors made by Intel. Since the P6 microarchitecture introduced in the mid-1990s, the microcode programs can be patched by the operating system or BIOS firmware to work around bugs found in the CPU after release. Intel had originally designed microcode updates for processor debugging under its design for testing (DFT) initiative.

References

  1. "6800 Instruction Set" (PDF). Bryan's Old Computers. Archived (PDF) from the original on 2021-05-01. Retrieved 2022-04-09.
  2. 1 2 Daniels, R. Gary; Bruce, William (April 1985). "Built-In Self-Test Trends in Motorola Microprocessors". IEEE Design & Test. 2 (2): 64–71. doi:10.1109/MDT.1985.294865. S2CID   22719798. To add insult to injury, we discovered that we had an illegal HACOF, an instruction that our customers found on the MC6800. It was an unused opcode-an illegal instruction. When executed inadvertently, the program counter would increment indefinitely. The problem, which was caused by incomplete opcode decoding, was a nuisance because Reset was the only means of terminating the instruction. ... During the design process, we figured out how to eliminate the HACOF instruction. About that time, the product engineers came to us with an idea. They said, 'You know what we'd really like? Some way to quickly test the RAM. If we could somehow point the program counter at the first RAM address and then just increment through the RAM, we could test it a lot faster.' Since the HACOF 'instruction' did precisely that—and we really didn't want to invest the effort needed to remove it—we replied, 'Have we got a deal for you!' HACOF thus became the first intentional built-in self-test feature on a Motorola microprocessor.
  3. "Jargon File entry for the HCF assembly mnemonic". Archived from the original on 2012-05-20. Retrieved 2014-05-04.
  4. Rojas, Raúl (April–June 1997). "Konrad Zuse's Legacy: The Architecture of the Z1 and Z3" (PDF). IEEE Annals of the History of Computing . 19 (2): 5–16 [9–10]. doi:10.1109/85.586067. Archived (PDF) from the original on 2022-07-03. Retrieved 2022-07-03. p. 10: There are a lot of details that the engineer designing the "microprogram" must keep in mind, otherwise short circuits can destroy the hardware. The Z1 with its mechanical design was still more sensitive in this respect than the Z3. Even after it was completed, there were sequences of instructions that the programmer had to avoid in order not to damage the hardware. One of those sequences was inadvertently tried at the Berlin Museum of Technology and Transportation, which led to slight damaging of the reconstructed Z1 in 1994. (12 pages)
  5. Clements, Alan (2006-10-28). Embedding Ethics in Computer Architecture. ASEE/IEEE Frontiers in Education Conference (36 ed.). p. 4. Archived from the original on 2022-04-30. Retrieved 2018-03-02.
  6. Kohler, Eddie (2005-04-04). "CS111 - Lecture 1" (PDF). p. 2. Archived (PDF) from the original on 2018-03-02. Retrieved 2018-03-02.
  7. Dunlap, Bryan. "A Proposed Instruction Set". Physics Department, The Ohio State University. Archived from the original on 2017-09-08. Retrieved 2016-06-20.
  8. Cirsovius, Werner. "Far out op codes". Archived from the original on 2016-03-05. Retrieved 2015-05-28.
  9. "Overextended Mnemonics". Creative Computing . 6 (4): 17 (hex) (flip–side). April 1980. Retrieved 2017-03-12.
  10. IBM System/360 Principles of Operation (PDF). IBM. Archived (PDF) from the original on 2012-02-29. Retrieved 2014-07-02.
  11. 1 2 Wheeler, Gerry (December 1977). "Undocumented M6800 Instructions". BYTE . Vol. 2, no. 12. pp. 46–47. Retrieved 2023-11-20. The mnemonics are, of course, assigned by me.
  12. Agans, David J. (2002). Debugging: the 9 indispensable rules for finding even the most elusive software and hardware problems. New York, USA: American Management Association. p. 77. ISBN   978-0-81442678-4. OCLC   52043345. Archived from the original on 2014-07-26. Retrieved 2016-10-30.
  13. Daniels, R. Gary; Bruce, William (April 1985). "Built-In Self-Test Trends in Motorola Microprocessors". IEEE Design & Test of Computers. 2 (2): 64. doi:10.1109/MDT.1985.294865. S2CID   22719798 . Retrieved 2023-08-28.
  14. Demeulemeester, Samuel (2019-07-17). "Investigating the HCF (Halt & Catch Fire) instruction on Motorola 6800". X86.FR – Doc TB's R&D Lab. Archived from the original on 2022-03-31. Retrieved 2022-04-09.
  15. "x86 Instruction Set Reference: HLT". Archived from the original on 2014-07-14. Retrieved 2014-07-02.
  16. Gortmaker, Paul (2003-03-21). "The Linux Boot Prompt-How To" (PDF). The Linux Documentation Project. Archived (PDF) from the original on 2015-07-06. Retrieved 2014-07-02.
  17. "Re: Undocumented opcodes (HINT_NOP)". Archived from the original on 2004-11-06. Retrieved 2010-11-07.
  18. "Re: Also some undocumented 0Fh opcodes". Archived from the original on 2003-06-26. Retrieved 2010-11-07.
  19. Collins, Robert R. (1998-05-01). "The Pentium F00F Bug: Workarounds for a nasty problem". Dr. Dobb's Journal. Archived from the original on 2022-04-30. Retrieved 2014-08-12.
  20. Pentium Processor Specification Update (PDF). Intel Corporation. January 1999. pp. 51–52. Order number 242480-041. Archived (PDF) from the original on 2016-03-04. Retrieved 2006-11-02.
  21. "Breaking the x86 ISA (PDF)" (PDF). Christopher Domas. Archived (PDF) from the original on 2018-01-04. Retrieved 2017-12-09.
  22. "Breaking the x86 ISA (video)". Christopher Domas. Archived from the original on 2021-12-21. Retrieved 2017-12-09.
  23. "sandsifter: the x86 processor fuzzer". Christopher Domas. Archived from the original on 2017-10-25. Retrieved 2017-12-09.
  24. Steil, Michael. "How MOS 6502 Illegal Opcodes really work". pagetable.com. Archived from the original on 2016-07-07. Retrieved 2016-08-01.
  25. Offenga, Freddy. "6502 Undocumented Opcodes". NesDev. Archived from the original on 2016-08-08. Retrieved 2016-08-01.
  26. "Interrupt Mechanism - Development - SMS Power!". Archived from the original on 2016-04-04. Retrieved 2016-04-25.
  27. Flammenkamp, Achim. "Interrupt Behaviour of the Z80 CPU". Archived from the original on 2016-04-20. Retrieved 2016-04-25.
  28. "Pinouts - Z80 family". Archived from the original on 2016-05-08. Retrieved 2016-04-25.
  29. Vis, Peter J. "Zilog Z80 Pinout". Archived from the original on 2016-10-11. Retrieved 2016-04-25.
  30. "Game Boy SM83 CPU reverse engineering". GitHub . Archived from the original on 2022-10-29. Retrieved 2022-11-08.
  31. "GameBoy CPU Manual" (PDF). Archived (PDF) from the original on 2018-06-23. Retrieved 2018-06-22.
  32. "Game Boy CPU instruction set". Archived from the original on 2021-02-09. Retrieved 2021-03-11.
  33. "SC61860 (Aka ESR-H) Instruction Set". GitHub . 2022-03-20. Archived from the original on 2022-03-23. Retrieved 2022-03-23.