Faster Syscall Trap redux

Raymond has a funny historical article about how Windows made system calls on 386 processors.

What he left out was the 286 version of this story.  Microsoft and Intel had a similar meeting to the one that Raymond described with the 386, but in that case, one of the Microsoft requests was for the ability to switch from protected mode back into real mode.

You see, the 286 had the ability to switch from real mode (no virtual memory) to protected mode (virtual memory), but not back.  The theory was that you'd never want to go back to real mode, that would be "silly".

But of course, that doesn't deal with the issue of compatibility.  OS/2 supported one real mode application running in the system, in the "DOS Box".  The DOS box was essentially just another task, it got time sliced like other processes (ok, it really didn't, but conceptually that's what happened), so the system did a LOT of switching between real mode and protected mode.

It was critical that we be able to switch from protected mode back to real mode (when switching to the DOS box).  The problem is that the only documented way of doing this was to write to the keyboard controller device (which controls WAY more just the keyboard on a PC).  Unfortunately, the keyboard controller was REALLY slow, and this mechanism took literally milliseconds.

So Microsoft went crazy trying to find a fast way of switching back to real mode.

Eventually they found it.

Their solution:

    LIDT -1    INT 1

What did this do?  Well, LIDT -1 sets the interrupt descriptor table to an invalid physical address.  The system tried to execute the INT 1 instruction, which caused it to fault the IDT into memory (a fault).  Well, the IDT couldn't be found, so that raised a not present fault (a double fault).  The not present fault tried to fault in the not present fault handler, which failed (a triple fault).

The 286 processor couldn't handle faults more than 3 deep, so it gave up the ghost and reset itself.  Which caused the system ROM to start executing, and we simply set the real mode start address (which was kept in real memory) and poof! we had transferred from protected mode to real mode in microseconds (not milliseconds).

I actually found a write-up of this technique on the web here.  Interestingly enough, the article on the web credits Intel for this technique, they may be right, I remember it being developed in-house, but I may be wrong.  After I unpack my office, I'll check my 286 reference manual.

Much later: I just checked my 286 reference manual (a rather well thumbed first edition), and I found the reference that was discussed in that article.  The comment accompanying the comment is "Setup null IDT to force shutdown on any protection error or interrupt".  That's it, that's the only hint that Intel came up with the triple faulting technique to force a restart in real mode.  Personally, I'm not surprised that the IBM engineers didn't pick up on this.