UNDOCUMENTED BITS IN DR7

Debug Register 7 (DR7) has a few undocumented bits that modify how the CPU behaves when used in an ICE environment. Now that Pentium has arrived, it is clear that some of these functions are predecessors to undocumented Pentium features, as well. Burried in Pentium documentation is a description of Branch Trace Messages. But very few people realize that these branch trace messages existed all the way back to the 80386.

Starting with Pentium, Intel documented their existence, but didn't tell you how to enable or use them. Neither do I tell you that in this document. But just when you thought there was light at the end of the tunnel, I'm going to tell you that Intel put these bits into two different places. To enable branch trace messages, see Model Specific Register TR-12. And for that one last bit in DR7 that doesn't exist any more, see the Probe Mode Control Register.

DR7:

3                  1 1 1 1 1 1         0
1                  5 4 3 2 1 0         0
+-----------------+-+-+-+-+-+-+--------+
|                 |T|T|G|I| | |        |
|                 |2|R|D|R| | |        |
+-----------------+-+-+-+-+-+-+--------+
                   | | | |
                   | | | +-- IceBp  1=INT01 causes emulator
                   | | |              to break emulation
                   | | |            0=CPU handles INT01
                   | | +---- Global Debug =
                   | +------ Trace1 1=Generate special address
                   |                  cycles after code dis-
                   |                  continuities.  On Pentium,
                   |                  these cycles are called
                   |                  Branch Trace Messages.
                   +-------- Trace2 1=Unknown.

Interrupt Redirection = When set, causes the emulator to break execution when any breakpoint condition occurs. These conditions include debug register breakpoints, TSS breakpoints, and the undocumented instruction ICEBP.
Global Debug. This bit has enjoyed an on-again, off-again relationship with Intel documenteers. It all depends on which data book you get, and where you look. If you look in early 80386 data books, it is described. But if you look in the 80386 Programmer's Reference Manual, it is omitted. Suit yourself, Intel.
Trace1= When set, the CPU generates a special cycle each time a code discontinuity occurs. The ICE reads this special cycle and stores it in the trace data. This address helps the CPU reconstruct code sequences from the trace data -- since all fetch discontinuity are logged by the setting of this bit. See also Branch Trace Messages in Pentium TR12.
Trace2= I don't know the exact purpose of this bit, but somehow it governs trace collection. By clearing this bit and resuming emulation (on an ICE) until the trace buffer is full, one can observe that the ICE is unable to reconstruct the execution trace for many hundreds, and sometimes thousands of CPU cycles.

Back to secrets and bugs