Interrupt descriptor table

Last updated July 04, 2024

The interrupt descriptor table (IDT) is a data structure used by the x86 architecture to implement an interrupt vector table. The IDT is used by the processor to determine the memory addresses of the handlers to be executed on interrupts and exceptions.

Processor exceptions generated by the CPU have fixed mapping to the first up to 32 interrupt vectors.^[1] While 32 vectors (0x00-0x1f) are officially reserved (and many of them are used in newer processors), the original 8086 used only the first five (0-4) interrupt vectors and the IBM PC IDT layout did not respect the reserved range.
Hardware interrupt vector numbers correspond to the hardware IRQ numbers. The exact mapping depends on how the Programmable Interrupt Controller such as Intel 8259 is programmed.^[2] While Intel documents IRQs 0-7 to be mapped to vectors 0x20-0x27, IBM PC and compatibles map them to 0x08-0x0F. IRQs 8-15 are usually mapped to vectors 0x70-0x77.
Software interrupt vector numbers are defined by the specific runtime environment, such as the IBM PC BIOS, DOS, or other operating systems. They are triggered by software using the INT instruction (either by applications, device drivers or even other interrupt handlers). For example, IBM PC BIOS provides video services at the vector 0x10, MS-DOS provides the DOS API at the vector 0x21, and Linux provides the syscall interface at the vector 0x80.

Real mode

In real mode, the interrupt table is called IVT (interrupt vector table). Up to the 80286, the IVT always resided at the same location in memory, ranging from 0x0000 to 0x03ff, and consisted of 256 far pointers. Hardware interrupts may be mapped to any of the vectors by way of a programmable interrupt controller. On the 80286 and later, the size and locations of the IVT can be changed in the same way as it is done with the IDT (Interrupt descriptor table) in protected mode (i.e., via the LIDT (Load Interrupt Descriptor Table Register) instruction) though it does not change the format of it.^[3]

BIOS interrupts

The BIOS provides simple real-mode access to a subset of hardware facilities by registering interrupt handlers. They are invoked as software interrupts with the INT assembly instruction and the parameters are passed via registers. These interrupts are used for various tasks like detecting the system memory layout, configuring VGA output and modes, and accessing the disk early in the boot process.

Protected and long mode

The IDT is an array of descriptors stored consecutively in memory and indexed by the vector number. It is not necessary to use all of the possible entries: it is sufficient to populate the table up to the highest interrupt vector used, and set the IDT length portion of the IDTR accordingly.

The IDTR register is used to store both the linear base address and the limit (length in bytes minus 1) of the IDT. When an interrupt occurs, the processor multiplies the interrupt vector by the entry size (8 for protected mode, 16 for long mode) and adds the result to the IDT base address.^[4] If the address is inside the table, the DPL is checked and the interrupt is handled based on the gate type.

The descriptors may be either interrupt gates, trap gates or, for 32-bit protected mode only, task gates. Interrupt and trap gates point to a memory location containing code to execute by specifying both a segment (present in either the GDT or LDT) and an offset within that segment. The only difference between trap and interrupt gates is that interrupt gates will disable further processor handling of maskable hardware interrupts, making them suitable to handle hardware-generated interrupts (conversely, trap gates are useful for handling software interrupts and exceptions). A task gate will cause the currently active task-state segment to be switched, using the hardware task switch mechanism to effectively hand over use of the processor to another program, thread or process.

Common IDT layouts

Official Intel layout

All INT_NUM between 0x0 and 0x1F, inclusive, are reserved for exceptions by Intel.^[5] INT_NUM bigger than 0x1F are to be used for interrupt routines.

INT_NUM	Event Type	Short Description
0x00	Processor Exception	Division by zero
0x01	Processor Exception	Single-step interrupt (see trap flag)
0x02	Processor Exception	NMI
0x03	Processor Exception	Breakpoint (which benefits from the shorter 0xCC encoding of INT 3)
0x04	Processor Exception	Overflow
0x05	Processor Exception	Bound Range Exceeded
0x06	Processor Exception	Invalid Opcode
0x07	Processor Exception	Coprocessor not available
0x08	Processor Exception	Double Fault
0x09	Processor Exception	Coprocessor Segment Overrun (386 or earlier only)
0x0A	Processor Exception	Invalid Task State Segment
0x0B	Processor Exception	Segment not present
0x0C	Processor Exception	Stack Segment Fault
0x0D	Processor Exception	General Protection Fault
0x0E	Processor Exception	Page Fault
0x0F	Processor Exception	reserved
0x10	Processor Exception	x87 Floating Point Exception
0x11	Processor Exception	Alignment Check
0x12	Processor Exception	Machine Check
0x13	Processor Exception	SIMD Floating-Point Exception
0x14	Processor Exception	Virtualization Exception
0x15	Processor Exception	Control Protection Exception (only available with CET)
0x16-0x1F	Processor Exception	reserved
0x20-0x27	Hardware Interrupt	IRQ 0-7
0x70-0x77	Hardware Interrupt	IRQ 8-15

IBM PC layout

The IBM PC (BIOS and MS-DOS runtime) does not follow the official Intel layout beyond the first five exception vectors implemented in the original 8086. Interrupt 5 is already used for handling the Print Screen key, IRQ 0-7 is mapped to INT_NUM 0x08-0x0F, and BIOS is using most of the vectors in the 0x10-0x1F range as part of its API.^[6]

Hooking

Some Windows programs hook calls to the IDT. This involves writing a kernel mode driver that intercepts calls to the IDT and adds in its own processing. This has never been officially supported by Microsoft, but was not programmatically prevented on its operating systems until 64-bit versions of Windows, where a driver that attempts to use a kernel mode hook will cause the machine to bug check.^[7]

Related Research Articles

In computing, BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The BIOS firmware comes pre-installed on an IBM PC or IBM PC compatible's system board and exists in some UEFI-based systems to maintain compatibility with operating systems that do not support UEFI native operation. The name originates from the Basic Input/Output System used in the CP/M operating system in 1975. The BIOS originally proprietary to the IBM PC has been reverse engineered by some companies looking to create compatible systems. The interface of that original system serves as a de facto standard.

In computing, a context switch is the process of storing the state of a process or thread, so that it can be restored and resume execution at a later point, and then restoring a different, previously saved, state. This allows multiple processes to share a single central processing unit (CPU), and is an essential feature of a multiprogramming or multitasking operating system. In a traditional CPU, each process - a program in execution - utilizes the various CPU registers to store data and hold the current state of the running process. However, in a multitasking operating system, the operating system switches between processes or threads to allow the execution of multiple processes simultaneously. For every switch, the operating system must save the state of the currently running process, followed by loading the next process state, which will run on the CPU. This sequence of operations that stores the state of the running process and the loading of the following running process is called a context switch.

In digital computers, an interrupt is a request for the processor to interrupt currently executing code, so that the event can be processed in a timely manner. If the request is accepted, the processor will suspend its current activities, save its state, and execute a function called an interrupt handler to deal with the event. This interruption is often temporary, allowing the software to resume normal activities after the interrupt handler finishes, although the interrupt could instead indicate a fatal error.

IBM PC compatible computers are technically similar to the original IBM PC, XT, and AT, all from computer giant IBM, that are able to use the same software and expansion cards. Such computers were referred to as PC clones, IBM clones or IBM PC clones. The term "IBM PC compatible" is now a historical description only, since IBM no longer sells personal computers after it sold its personal computer division in 2005 to Chinese technology company Lenovo. The designation "PC", as used in much of personal computer history, has not meant "personal computer" generally, but rather an x86 computer capable of running the same software that a contemporary IBM PC could. The term was initially in contrast to the variety of home computer systems available in the early 1980s, such as the Apple II, TRS-80, and Commodore 64. Later, the term was primarily used in contrast to Apple's Macintosh computers.

A terminate-and-stay-resident program is a computer program running under DOS that uses a system call to return control to DOS as though it has finished, but remains in computer memory so it can be reactivated later. This technique partially overcame DOS's limitation of executing only one program, or task, at a time. TSRs are used only in DOS, not in Windows.

Real mode, also called real address mode, is an operating mode of all x86-compatible CPUs. The mode gets its name from the fact that addresses in real mode always correspond to real locations in memory. Real mode is characterized by a 20-bit segmented memory address space and unlimited direct software access to all addressable memory, I/O addresses and peripheral hardware. Real mode provides no support for memory protection, multitasking, or code privilege levels.

x86 memory segmentation refers to the implementation of memory segmentation in the Intel x86 computer instruction set architecture. Segmentation was introduced on the Intel 8086 in 1978 as a way to allow programs to address more than 64 KB (65,536 bytes) of memory. The Intel 80286 introduced a second version of segmentation in 1982 that added support for virtual memory and memory protection. At this point the original mode was renamed to real mode, and the new version was named protected mode. The x86-64 architecture, introduced in 2003, has largely dropped support for segmentation in 64-bit mode.

In computing, protected mode, also called protected virtual address mode, is an operational mode of x86-compatible central processing units (CPUs). It allows system software to use features such as segmentation, virtual memory, paging and safe multi-tasking designed to increase an operating system's control over application software.

The A20, or address line 20, is one of the electrical lines that make up the system bus of an x86-based computer system. The A20 line in particular is used to transmit the 21st bit on the address bus.

On the x86 computer architecture, a triple fault is a special kind of exception generated by the CPU when an exception occurs while the CPU is trying to invoke the double fault exception handler, which itself handles exceptions occurring while trying to invoke a regular exception handler.

In IBM PC compatible computing, DOS memory management refers to software and techniques employed to give applications access to more than 640 kibibytes (KiB) of "conventional memory". The 640 KiB limit was specific to the IBM PC and close compatibles; other machines running MS-DOS had different limits, for example the Apricot PC could have up to 768 KiB and the Sirius Victor 9000, 896 KiB. Memory management on the IBM family was made complex by the need to maintain backward compatibility to the original PC design and real-mode DOS, while allowing computer users to take advantage of large amounts of low-cost memory and new generations of processors. Since DOS has given way to Microsoft Windows and other 32-bit operating systems not restricted by the original arbitrary 640 KiB limit of the IBM PC, managing the memory of a personal computer no longer requires the user to manually manipulate internal settings and parameters of the system.

A general protection fault (GPF) in the x86 instruction set architectures (ISAs) is a fault initiated by ISA-defined protection mechanisms in response to an access violation caused by some running code, either in the kernel or a user program. The mechanism is first described in Intel manuals and datasheets for the Intel 80286 CPU, which was introduced in 1983; it is also described in section 9.8.13 in the Intel 80386 programmer's reference manual from 1986. A general protection fault is implemented as an interrupt. Some operating systems may also classify some exceptions not related to access violations, such as illegal opcode exceptions, as general protection faults, even though they have nothing to do with memory protection. If a CPU detects a protection violation, it stops executing the code and sends a GPF interrupt. In most cases, the operating system removes the failing process from the execution queue, signals the user, and continues executing other processes. If, however, the operating system fails to catch the general protection fault, i.e. another protection violation occurs before the operating system returns from the previous GPF interrupt, the CPU signals a double fault, stopping the operating system. If yet another failure occurs, the CPU is unable to recover; since 80286, the CPU enters a special halt state called "Shutdown", which can only be exited through a hardware reset. The IBM PC AT, the first PC-compatible system to contain an 80286, has hardware that detects the Shutdown state and automatically resets the CPU when it occurs. All descendants of the PC AT do the same, so in a PC, a triple fault causes an immediate system reset.

BIOS implementations provide interrupts that can be invoked by operating systems and application programs to use the facilities of the firmware on IBM PC compatible computers. Traditionally, BIOS calls are mainly used by DOS programs and some other software such as boot loaders. BIOS runs in the real address mode of the x86 CPU, so programs that call BIOS either must also run in real mode or must switch from protected mode to real mode before calling BIOS and then switching back again. For this reason, modern operating systems that use the CPU in Protected mode or Long mode generally do not use the BIOS interrupt calls to support system functions, although they use the BIOS interrupt calls to probe and initialize hardware during booting. Real mode has the 1MB memory limitation, modern boot loaders use the unreal mode or protected mode to access up to 4GB memory.

The Intel 8259 is a programmable interrupt controller (PIC) designed for the Intel 8085 and 8086 microprocessors. The initial part was 8259, a later A suffix version was upward compatible and usable with the 8086 or 8088 processor. The 8259 combines multiple interrupt input sources into a single interrupt output to the host microprocessor, extending the interrupt levels available in a system beyond the one or two levels found on the processor chip. The 8259A was the interrupt controller for the ISA bus in the original IBM PC and IBM PC AT.

<span class="mw-page-title-main">Intel 8253</span> Programmable interval timer IC

The Intel 8253 and 8254 are programmable interval timers (PITs), which perform timing and counting functions using three 16-bit counters.

In a computer, an interrupt request is a hardware signal sent to the processor that temporarily stops a running program and allows a special program, an interrupt handler, to run instead. Hardware interrupts are used to handle events such as receiving data from a modem or network card, key presses, or mouse movements.

An interrupt vector table (IVT) is a data structure that associates a list of interrupt handlers with a list of interrupt requests in a table of interrupt vectors. Each entry of the interrupt vector table, called an interrupt vector, is the address of an interrupt handler. While the concept is common across processor architectures, IVTs may be implemented in architecture-specific fashions. For example, a dispatch table is one method of implementing an interrupt vector table.

System Management Mode is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges.

An end of interrupt (EOI) is a computing signal sent to a programmable interrupt controller (PIC) to indicate the completion of interrupt processing for a given interrupt. Interrupts are used to facilitate hardware signals sent to the processor that temporarily stop a running program and allow a special program, an interrupt handler, to run instead. An EOI is used to cause a PIC to clear the corresponding bit in the in-service register (ISR), and thus allow more interrupt requests (IRQs) of equal or lower priority to be generated by the PIC.

ntoskrnl.exe, also known as the kernel image, contains the kernel and executive layers of the Microsoft Windows NT kernel, and is responsible for hardware abstraction, process handling, and memory management. In addition to the kernel and executive layers, it contains the cache manager, security reference monitor, memory manager, scheduler (Dispatcher), and blue screen of death.

References

↑ "Exceptions - OSDev Wiki". wiki.osdev.org. Retrieved 2021-04-17.
↑ Friesen, Brandon. "IRQs and PICs". Bran's Kernel Development Tutorial. Retrieved 6 June 2024.
↑ Intel® 64 and IA-32 Architectures Software Developer’s Manual, 20.1.4 Interrupt and Exception Handling
↑ Intel® 64 and IA-32 Architectures Software Developer’s Manual, 6.12.1 Exception- or Interrupt-Handler Procedures
↑ "Exceptions - OSDev Wiki". wiki.osdev.org. Retrieved 2021-04-17.
↑ Jurgens, David. "Interrupt Table as Implemented by System BIOS/DOS". HelpPC Reference Library. Retrieved 6 June 2024.
↑ "Patching Policy for x64-Based Systems". Microsoft . If the operating system detects one of these modifications or any other unauthorized patch, it will generate a bug check and shut down the system.

General

Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3: System Programming Guide

External links

Intel 64 and IA-32 Architectures Software Developer’s Manual, Volume 3A:System Programming Guide, Part 1 (see CHAPTER 5, INTERRUPT AND EXCEPTION HANDLING and CHAPTER 10, ADVANCED PROGRAMMABLE INTERRUPT CONTROLLER)]
Interrupt Descriptor Table at OSDev.org

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Exceptions - OSDev Wiki". wiki.osdev.org. Retrieved 2021-04-17.

[2] Friesen, Brandon. "IRQs and PICs". Bran's Kernel Development Tutorial. Retrieved 6 June 2024.

[3] Intel® 64 and IA-32 Architectures Software Developer’s Manual, 20.1.4 Interrupt and Exception Handling

[4] Intel® 64 and IA-32 Architectures Software Developer’s Manual, 6.12.1 Exception- or Interrupt-Handler Procedures

[5] "Exceptions - OSDev Wiki". wiki.osdev.org. Retrieved 2021-04-17.

[6] Jurgens, David. "Interrupt Table as Implemented by System BIOS/DOS". HelpPC Reference Library. Retrieved 6 June 2024.

[Patching_Policy_for_x64-Based_Systems-7] "Patching Policy for x64-Based Systems". Microsoft . If the operating system detects one of these modifications or any other unauthorized patch, it will generate a bug check and shut down the system.

[1]

[2]

[3]

[4]

[5]

[6]

[7]