Intel Segmentation and Paging PDF
Intel Segmentation and Paging PDF
This chapter describes the I ntel 64 and I A-32 architecture’s protected-mode memory management facilities,
including the physical memory requirements, segmentation mechanism, and paging mechanism.
See also: Chapter 5, “Protection” (for a description of the processor’s protection mechanism) and Chapter 20,
“8086 Emulation” (for a description of memory addressing protection in real-address and virtual-8086 modes).
Vol. 3A 3-1
PROTECTED-MODE MEMORY MANAGEMENT
Logical Address
(or Far Pointer)
Segment
Selector Offset Linear Address
Space
Linear Address
Global Descriptor
Dir Table Offset Physical
Table (GDT)
Address
Space
Segment
Page Table Page
Segment
Descriptor
Page Directory Phy. Addr.
Lin. Addr.
Entry
Entry
Segment
Base Address
Page
Segmentation Paging
I f paging is not used, the linear address space of the processor is mapped directly into the physical address space
of processor. The physical address space is defined as the range of addresses that the processor can generate on
its address bus.
Because multitasking computing systems commonly define a linear address space much larger than it is economi-
cally feasible to contain all at once in physical memory, some method of “virtualizing” the linear address space is
needed. This virtualization of the linear address space is handled through the processor’s paging mechanism.
Paging supports a “virtual memory” environment where a large linear address space is simulated with a small
amount of physical memory (RAM and ROM) and some disk storage. When using paging, each segment is divided
into pages (typically 4 KBytes each in size), which are stored either in physical memory or on the disk. The oper-
ating system or executive maintains a page directory and a set of page tables to keep track of the pages. When a
program (or task) attempts to access an address location in the linear address space, the processor uses the page
directory and page tables to translate the linear address into a physical address and then performs the requested
operation (read or write) on the memory location.
I f the page being accessed is not currently in physical memory, the processor interrupts execution of the program
(by generating a page-fault exception). The operating system or executive then reads the page into physical
memory from the disk and continues executing the program.
When paging is implemented properly in the operating-system or executive, the swapping of pages between phys-
ical memory and the disk is transparent to the correct execution of a program. Even programs written for 16-bit I A-
32 processors can be paged (transparently) when they are run in virtual-8086 mode.
3-2 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
programs to multi-segmented models that employ segmentation to create a robust operating environment in
which multiple programs and tasks can be executed reliably.
The following sections give several examples of how segmentation can be employed in a system to improve
memory management performance and reliability.
FS
GS
Vol. 3A 3-3
PROTECTED-MODE MEMORY MANAGEMENT
GS 0
More complexity can be added to this protected flat model to provide more protection. For example, for the paging
mechanism to provide isolation between user and supervisor code and data, four segments need to be defined:
code and data segments at privilege level 3 for the user, and code and data segments at privilege level 0 for the
supervisor. Usually these segments all overlay each other and start at address 0 in the linear address space. This
flat segmentation model along with a simple paging structure can protect the operating system from applications,
and by adding a separate paging structure for each task or process, it can also protect applications from each other.
Similar designs are used by several popular multitasking operating systems.
3-4 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
Access Limit
DS
Base Address Code
Access Limit
ES
Base Address
Data
Access Limit
FS
Base Address
Data
Access Limit
GS
Base Address
Data
Access Limit
Base Address
Access Limit
Base Address
Data
Access Limit
Base Address
Access Limit
Base Address
Access checks can be used to protect not only against referencing an address outside the limit of a segment, but
also against performing disallowed operations in certain segments. For example, since code segments are desig-
nated as read-only segments, hardware can be used to prevent writes into code segments. The access rights infor-
mation created for segments can also be used to set up protection rings or levels. Protection levels can be used to
protect operating-system procedures from unauthorized access by application programs.
Vol. 3A 3-5
PROTECTED-MODE MEMORY MANAGEMENT
protection facilities. For example, it lets read-write protection be enforced on a page-by-page basis. The paging
mechanism also provides two-level user-supervisor protection that can also be specified on a page-by-page basis.
3-6 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
15 0 31(63) 0
Logical Seg. Selector Offset (Effective Address)
Address
Descriptor Table
31(63) 0
Linear Address
I f paging is not used, the processor maps the linear address directly to a physical address (that is, the linear
address goes out on the processor’s address bus). I f the linear address space is paged, a second level of address
translation is used to translate the linear address into a physical address.
See also: Chapter 4, “Paging.”
15 3 2 1 0
Index T RPL
I
Table Indicator
0 = GDT
1 = LDT
Requested Privilege Level (RPL)
Vol. 3A 3-7
PROTECTED-MODE MEMORY MANAGEMENT
Every segment register has a “visible” part and a “hidden” part. (The hidden part is sometimes referred to as a
“descriptor cache” or a “shadow register.”) When a segment selector is loaded into the visible part of a segment
register, the processor also loads the hidden part of the segment register with the base address, segment limit, and
access control information from the segment descriptor pointed to by the segment selector. The information cached
in the segment register (visible and hidden) allows the processor to translate addresses without taking extra bus
cycles to read the base address and limit from the segment descriptor. I n systems in which multiple processors
have access to the same descriptor tables, it is the responsibility of software to reload the segment registers when
the descriptor tables are modified. I f this is not done, an old segment descriptor cached in a segment register might
be used after its memory-resident version has been modified.
Two kinds of load instructions are provided for loading the segment registers:
1. Direct load instructions such as the MOV, POP, LDS, LES, LSS, LGS, and LFS instructions. These instructions
explicitly reference the segment registers.
3-8 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
2. I mplied load instructions such as the far pointer versions of the CALL, J MP, and RET instructions, the SYSENTER
and SYSEXI T instructions, and the I RET, I NTn, I NTO and I NT3 instructions. These instructions change the
contents of the CS register (and sometimes other segment registers) as an incidental part of their operation.
The MOV instruction can also be used to store visible part of a segment register in a general-purpose register.
Vol. 3A 3-9
PROTECTED-MODE MEMORY MANAGEMENT
31 24 23 22 21 20 19 16 15 14 13 12 11 8 7 0
D A Seg. D
Base 31:24 G / L V Limit P P S Type Base 23:16 4
B L 19:16 L
31 16 15 0
3-10 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
31 16 15 14 13 12 11 8 7 0
D
Available 0 P S Type Available 4
L
31 0
Available 0
G (granularity) flag
Determines the scaling of the segment limit field. When the granularity flag is clear, the segment
limit is interpreted in byte units; when flag is set, the segment limit is interpreted in 4-KByte units.
(This flag does not affect the granularity of the base address; it is always byte granular.) When the
granularity flag is set, the twelve least significant bits of an offset are not tested when checking the
Vol. 3A 3-11
PROTECTED-MODE MEMORY MANAGEMENT
offset against the segment limit. For example, when the granularity flag is set, a limit of 0 results in
valid offsets from 0 to 4095.
L (64-bit code segment) flag
I n I A-32e mode, bit 21 of the second doubleword of the segment descriptor indicates whether a
code segment contains native 64-bit code. A value of 1 indicates instructions in this code segment
are executed in 64-bit mode. A value of 0 indicates the instructions in this code segment are
executed in compatibility mode. I f L-bit is set, then D-bit must be cleared. When not in I A-32e mode
or for non-code segments, bit 21 is reserved and should always be set to 0.
Available and reserved bits
Bit 20 of the second doubleword of the segment descriptor is available for use by system software.
Stack segments are data segments which must be read/ write segments. Loading the SS register with a segment
selector for a nonwritable data segment generates a general-protection exception (#GP). I f the size of a stack
segment needs to be changed dynamically, the stack segment can be an expand-down data segment (expansion-
direction flag set). Here, dynamically changing the segment limit causes stack space to be added to the bottom of
3-12 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
the stack. I f the size of a stack segment is intended to remain static, the stack segment may be either an expand-
up or expand-down type.
The accessed bit indicates whether the segment has been accessed since the last time the operating-system or
executive cleared the bit. The processor sets this bit whenever it loads a segment selector for the segment into a
segment register, assuming that the type of memory that contains the segment descriptor supports processor
writes. The bit remains set until explicitly cleared. This bit can be used both for virtual memory management and
for debugging.
For code segments, the three low-order bits of the type field are interpreted as accessed (A), read enable (R), and
conforming (C). Code segments can be execute-only or execute/ read, depending on the setting of the read-enable
bit. An execute/ read segment might be used when constants or other static data have been placed with instruction
code in a ROM. Here, data can be read from the code segment either by using an instruction with a CS override
prefix or by loading a segment selector for the code segment in a data-segment register (the DS, ES, FS, or GS
registers). I n protected mode, code segments are not writable.
Code segments can be either conforming or nonconforming. A transfer of execution into a more-privileged
conforming segment allows execution to continue at the current privilege level. A transfer into a nonconforming
segment at a different privilege level results in a general-protection exception (#GP), unless a call gate or task
gate is used (see Section 5.8.1, “Direct Calls or J umps to Code Segments”, for more information on conforming and
nonconforming code segments). System utilities that do not access protected facilities and handlers for some types
of exceptions (such as, divide error or overflow) may be loaded in conforming code segments. Utilities that need to
be protected from less privileged programs and procedures should be placed in nonconforming code segments.
NOTE
Execution cannot be transferred by a call or a jump to a less-privileged (numerically higher
privilege level) code segment, regardless of whether the target segment is a conforming or
nonconforming code segment. Attempting such an execution transfer will result in a general-
protection exception.
All data segments are nonconforming, meaning that they cannot be accessed by less privileged programs or proce-
dures (code executing at numerically high privilege levels). Unlike code segments, however, data segments can be
accessed by more privileged programs or procedures (code executing at numerically lower privilege levels) without
using a special access gate.
I f the segment descriptors in the GDT or an LDT are placed in ROM, the processor can enter an indefinite loop if
software or the processor attempts to update (write to) the ROM-based segment descriptors. To prevent this
problem, set the accessed bits for all segment descriptors placed in a ROM. Also, remove operating-system or
executive code that attempts to modify segment descriptors located in ROM.
Vol. 3A 3-13
PROTECTED-MODE MEMORY MANAGEMENT
Table 3-2 shows the encoding of the type field for system-segment descriptors and gate descriptors. Note that
system descriptors in I A-32e mode are 16 bytes instead of 8 bytes.
See also: Section 3.5.1, “Segment Descriptor Tables”, and Section 7.2.2, “TSS Descriptor” (for more information
on the system-segment descriptors); see Section 5.8.3, “Call Gates”, Section 6.11, “I DT Descriptors”, and Section
7.2.5, “Task-Gate Descriptor” (for more information on the gate descriptors).
3-14 Vol. 3A
PROTECTED-MODE MEMORY MANAGEMENT
Global Local
Descriptor Descriptor
Table (GDT) Table (LDT)
T
I TI = 0 TI = 1
Segment
Selector
56 56
48 48
40 40
32 32
24 24
16 16
8 8
First Descriptor in
GDT is Not Used 0 0
Each system must have one GDT defined, which may be used for all programs and tasks in the system. Optionally,
one or more LDTs can be defined. For example, an LDT can be defined for each separate task being run, or some or
all tasks can share the same LDT.
The GDT is not a segment itself; instead, it is a data structure in linear address space. The base linear address and
limit of the GDT must be loaded into the GDTR register (see Section 2.4, “Memory-Management Registers”). The
base addresses of the GDT should be aligned on an eight-byte boundary to yield the best processor performance.
The limit value for the GDT is expressed in bytes. As with segments, the limit value is added to the base address to
get the address of the last valid byte. A limit value of 0 results in exactly one valid byte. Because segment descrip-
tors are always 8 bytes long, the GDT limit should always be one less than an integral multiple of eight (that is, 8N
– 1).
The first descriptor in the GDT is not used by the processor. A segment selector to this “null descriptor” does not
generate an exception when loaded into a data-segment register (DS, ES, FS, or GS), but it always generates a
general-protection exception (#GP) when an attempt is made to access memory using the descriptor. By initializing
the segment registers with this segment selector, accidental reference to unused segment registers can be guar-
anteed to generate an exception.
The LDT is located in a system segment of the LDT type. The GDT must contain a segment descriptor for the LDT
segment. I f the system supports multiple LDTs, each must have a separate segment selector and segment
descriptor in the GDT. The segment descriptor for an LDT can be located anywhere in the GDT. See Section 3.5,
“System Descriptor Types”, information on the LDT segment-descriptor type.
An LDT is accessed with its segment selector. To eliminate address translations when accessing the LDT, the
segment selector, base linear address, limit, and access rights of the LDT are stored in the LDTR register (see
Section 2.4, “Memory-Management Registers”).
When the GDTR register is stored (using the SGDT instruction), a 48-bit “pseudo-descriptor” is stored in memory
(see top diagram in Figure 3-11). To avoid alignment check faults in user mode (privilege level 3), the pseudo-
Vol. 3A 3-15
PROTECTED-MODE MEMORY MANAGEMENT
descriptor should be located at an odd word address (that is, address MOD 4 is equal to 2). This causes the
processor to store an aligned word, followed by an aligned doubleword. User-mode programs normally do not store
pseudo-descriptors, but the possibility of generating an alignment check fault can be avoided by aligning pseudo-
descriptors in this way. The same alignment should be used when storing the I DTR register using the SI DT instruc-
tion. When storing the LDTR or task register (using the SLDT or STR instruction, respectively), the pseudo-
descriptor should be located at a doubleword address (that is, address MOD 4 is equal to 0).
47 16 15 0
32-bit Base Address Limit
79 16 15 0
64-bit Base Address Limit
3-16 Vol. 3A
CHAPTER 4
PAGING
Chapter 3 explains how segmentation converts logical addresses to linear addresses. Paging (or linear-address
translation) is the process of translating linear addresses so that they can be used to access memory or I / O
devices. Paging translates each linear address to a physical address and determines, for each translation, what
accesses to the linear address are allowed (the address’s access rights) and the type of caching used for such
accesses (the address’s memory type).
I ntel-64 processors support three different paging modes. These modes are identified and defined in Section 4.1.
Section 4.2 gives an overview of the translation mechanism that is used in all modes. Section 4.3, Section 4.4, and
Section 4.5 discuss the three paging modes in detail.
Section 4.6 details how paging determines and uses access rights. Section 4.7 discusses exceptions that may be
generated by paging (page-fault exceptions). Section 4.8 considers data which the processor writes in response to
linear-address accesses (accessed and dirty flags).
Section 4.9 describes how paging determines the memory types used for accesses to linear addresses. Section 4.10
provides details of how a processor may cache information about linear-address translation. Section 4.11 outlines
interactions between paging and certain VMX features. Section 4.12 gives an overview of how paging can be used
to implement virtual memory.
Vol. 3A 4-1
PAGING
• I f CR0.PG = 1, CR4.PAE = 1, and I A32_ EFER.LME = 1, I A-32e paging is used. 1 I A-32e paging is detailed in
Section 4.5. I A-32e paging uses CR0.WP, CR4.PGE, CR4.PCI DE, CR4.SMEP, and I A32_ EFER.NXE as described
in Section 4.1.3. I A-32e paging is available only on processors that support the I ntel 64 architecture.
The three paging modes differ with regard to the following details:
• Linear-address width. The size of the linear addresses that can be translated.
• Physical-address width. The size of the physical addresses produced by paging.
• Page size. The granularity at which linear addresses are translated. Linear addresses on the same page are
translated to corresponding physical addresses on the same page.
• Support for execute-disable access rights. I n some paging modes, software can be prevented from fetching
instructions from pages that are otherwise readable.
• Support for PCI Ds. I n some paging modes, software can enable a facility by which a logical processor caches
information for multiple linear-address spaces. The processor may retain cached information when software
switches between different linear-address spaces.
Table 4-1 illustrates the key differences between the three paging modes.
Up to 4 KB
32-bit 1 0 02 32 No No
403 4 MB4
Up to 4 KB
PAE 1 1 0 32 Yes5 No
52 2 MB
4 KB
Up to
IA-32e 1 1 1 48 2 MB Yes5 Yes7
52
1 GB6
NOTES:
1. The physical-address width is always bounded by MAXPHYADDR; see Section 4.1.4.
2. The processor ensures that IA32_EFER.LME must be 0 if CR0.PG = 1 and CR4.PAE = 0.
3. 32-bit paging supports physical-address widths of more than 32 bits only for 4-MByte pages and only if the PSE-36 mechanism is
supported; see Section 4.1.4 and Section 4.3.
4. 4-MByte pages are used with 32-bit paging only if CR4.PSE = 1; see Section 4.3.
5. Execute-disable access rights are applied only if IA32_EFER.NXE = 1; see Section 4.6.
6. Not all processors that support IA-32e paging support 1-GByte pages; see Section 4.1.4.
7. PCIDs are used only if CR4.PCIDE = 1; see Section 4.10.1.
Because they are used only if I A32_ EFER.LME = 0, 32-bit paging and PAE paging is used only in legacy protected
mode. Because legacy protected mode cannot produce linear addresses larger than 32 bits, 32-bit paging and PAE
paging translate 32-bit linear addresses.
Because it is used only if I A32_ EFER.LME = 1, I A-32e paging is used only in I A-32e mode. (I n fact, it is the use of
I A-32e paging that defines I A-32e mode.) I A-32e mode has two sub-modes:
• Compatibility mode. This mode uses only 32-bit linear addresses. I A-32e paging treats bits 47: 32 of such an
address as all 0.
1. The LMA flag in the IA32_EFER MSR (bit 10) is a status bit that indicates whether the logical processor is in IA-32e mode (and thus
using IA-32e paging). The processor always sets IA32_EFER.LMA to CR0.PG & IA32_EFER.LME. Software cannot directly modify
IA32_EFER.LMA; an execution of WRMSR to the IA32_EFER MSR ignores bit 10 of its source operand.
4-2 Vol. 3A
PAGING
• 64-bit mode. While this mode produces 64-bit linear addresses, the processor ensures that bits 63: 47 of such
an address are identical. 1 I A-32e paging does not use bits 63: 48 of such addresses.
#GP #GP
Set LME
Set LME
#GP
Clear LME
Clear LME
Clear LME
Set PG
No Paging
PG = 0
PAE = 1
LME = 1
• I A32_ EFER.LME cannot be modified while paging is enabled (CR0.PG = 1). Attempts to do so using WRMSR
cause a general-protection exception (#GP(0)).
• Paging cannot be enabled (by setting CR0.PG to 1) while CR4.PAE = 0 and I A32_ EFER.LME = 1. Attempts to do
so using MOV to CR0 cause a general-protection exception (#GP(0)).
• CR4.PAE cannot be cleared while I A-32e paging is active (CR0.PG = 1 and I A32_ EFER.LME = 1). Attempts to
do so using MOV to CR4 cause a general-protection exception (#GP(0)).
• Regardless of the current paging mode, software can disable paging by clearing CR0.PG with MOV to CR0. 2
1. Such an address is called canonical. Use of a non-canonical linear address in 64-bit mode produces a general-protection exception
(#GP(0)); the processor does not attempt to translate non-canonical linear addresses using IA-32e paging.
2. If CR4.PCIDE = 1, an attempt to clear CR0.PG causes a general-protection exception (#GP); software should clear CR4.PCIDE before
attempting to disable paging.
Vol. 3A 4-3
PAGING
• Software can make transitions between 32-bit paging and PAE paging by changing the value of CR4.PAE with
MOV to CR4.
• Software cannot make transitions directly between I A-32e paging and either of the other two paging modes. I t
must first disable paging (by clearing CR0.PG with MOV to CR0), then set CR4.PAE and I A32_ EFER.LME to the
desired values (with MOV to CR4 and WRMSR), and then re-enable paging (by setting CR0.PG with MOV to
CR0). As noted earlier, an attempt to clear either CR4.PAE or I A32_ EFER.LME cause a general-protection
exception (#GP(0)).
• VMX transitions allow transitions between paging modes that are not possible using MOV to CR or WRMSR. This
is because VMX transitions can load CR0, CR4, and I A32_ EFER in one operation. See Section 4.11.1.
4-4 Vol. 3A
PAGING
Vol. 3A 4-5
PAGING
The following items give an example for each of the three paging modes (each example locates a 4-KByte page
frame):
• With 32-bit paging, each paging structure comprises 1024 = 2 10 entries. For this reason, the translation
process uses 10 bits at a time from a 32-bit linear address. Bits 31: 22 identify the first paging-structure entry
and bits 21: 12 identify a second. The latter identifies the page frame. Bits 11: 0 of the linear address are the
page offset within the 4-KByte page frame. (See Figure 4-2 for an illustration.)
• With PAE paging, the first paging structure comprises only 4 = 2 2 entries. Translation thus begins by using
bits 31: 30 from a 32-bit linear address to identify the first paging-structure entry. Other paging structures
comprise 512 =29 entries, so the process continues by using 9 bits at a time. Bits 29: 21 identify a second
paging-structure entry and bits 20: 12 identify a third. This last identifies the page frame. (See Figure 4-5 for
an illustration.)
• With I A-32e paging, each paging structure comprises 512 = 2 9 entries and translation uses 9 bits at a time
from a 48-bit linear address. Bits 47: 39 identify the first paging-structure entry, bits 38: 30 identify a second,
bits 29: 21 a third, and bits 20: 12 identify a fourth. Again, the last identifies the page frame. (See Figure 4-8
for an illustration.)
The translation process in each of the examples above completes by identifying a page frame; the page frame is
part of the translation of the original linear address. I n some cases, however, the paging structures may be
configured so that translation process terminates before identifying a page frame. This occurs if process encoun-
ters a paging-structure entry that is marked “not present” (because its P flag — bit 0 — is clear) or in which a
reserved bit is set. I n this case, there is no translation for the linear address; an access to that address causes a
page-fault exception (see Section 4.7).
I n the examples above, a paging-structure entry maps a page with 4-KByte page frame when only 12 bits remain
in the linear address; entries identified earlier always reference other paging structures. That may not apply in
other cases. The following items identify when an entry maps a page and when it references another paging struc-
ture:
• I f more than 12 bits remain in the linear address, bit 7 (PS — page size) of the current paging-structure entry
is consulted. I f the bit is 0, the entry references another paging structure; if the bit is 1, the entry maps a page.
• I f only 12 bits remain in the linear address, the current paging-structure entry always maps a page (bit 7 is
used for other purposes).
I f a paging-structure entry maps a page when more than 12 bits remain in the linear address, the entry identifies
a page frame larger than 4 KBytes. For example, 32-bit paging uses the upper 10 bits of a linear address to locate
the first paging-structure entry; 22 bits remain. I f that entry maps a page, the page frame is 2 22 Bytes = 4 MBytes.
32-bit paging supports 4-MByte pages if CR4.PSE = 1. PAE paging and I A-32e paging support 2-MByte pages
(regardless of the value of CR4.PSE). I A-32e paging may support 1-GByte pages (see Section 4.1.4).
Paging structures are given different names based their uses in the translation process. Table 4-2 gives the names
of the different paging structures. I t also provides, for each structure, the source of the physical address used to
locate it (CR3 or a different paging-structure entry); the bits in the linear address used to select an entry from the
structure; and details of about whether and how such an entry can map a page.
1. Bits in the range 39:32 are 0 in any physical address used by 32-bit paging except those used to map 4-MByte pages. If the proces-
sor does not support the PSE-36 mechanism, this is true also for physical addresses used to map 4-MByte pages. If the processor
does support the PSE-36 mechanism and MAXPHYADDR < 40, bits in the range 39:MAXPHYADDR are 0 in any physical address used
to map a 4-MByte page. (The corresponding bits are reserved in PDEs.) See Section 4.1.4 for how to determine MAXPHYADDR and
whether the PSE-36 mechanism is supported.
4-6 Vol. 3A
PAGING
Physical
Entry Bits Selecting
Paging Structure Paging Mode Address of Page Mapping
Name Entry
Structure
32-bit N/A
Page-directory-
PDPTE PAE CR3 31:30 N/A (PS must be 0)
pointer table
IA-32e PML4E 38:30 1-GByte page if PS=11
NOTES:
1. Not all processors allow the PS flag to be 1 in PDPTEs; see Section 4.1.4 for how to determine whether 1-GByte pages are supported.
2. 32-bit paging ignores the PS flag in a PDE (and uses the entry to reference a page table) unless CR4.PSE = 1. Not all processors allow
CR4.PSE to be 1; see Section 4.1.4 for how to determine whether 4-MByte pages are supported with 32-bit paging.
32-bit paging may map linear addresses to either 4-KByte pages or 4-MByte pages. Figure 4-2 illustrates the
translation process when it uses a 4-KByte page; Figure 4-3 covers the case of a 4-MByte page. The following
items describe the 32-bit paging process in more detail as well has how the page size is determined:
• A 4-KByte naturally aligned page directory is located at the physical address specified in bits 31: 12 of CR3 (see
Table 4-3). A page directory comprises 1024 32-bit entries (PDEs). A PDE is selected using the physical address
defined as follows:
— Bits 39: 32 are all 0.
— Bits 31: 12 are from CR3.
— Bits 11: 2 are bits 31: 22 of the linear address.
— Bits 1: 0 are 0.
Because a PDE is identified using bits 31: 22 of the linear address, it controls access to a 4-Mbyte region of the
linear-address space. Use of the PDE depends on CR.PSE and the PDE’s PS flag (bit 7):
• I f CR4.PSE = 1 and the PDE’s PS flag is 1, the PDE maps a 4-MByte page (see Table 4-4). The final physical
address is computed as follows:
— Bits 39: 32 are bits 20: 13 of the PDE.
— Bits 31: 22 are bits 31: 22 of the PDE. 1
— Bits 21: 0 are from the original linear address.
• I f CR4.PSE = 0 or the PDE’s PS flag is 0, a 4-KByte naturally aligned page table is located at the physical
address specified in bits 31: 12 of the PDE (see Table 4-5). A page table comprises 1024 32-bit entries (PTEs).
A PTE is selected using the physical address defined as follows:
— Bits 39: 32 are all 0.
— Bits 31: 12 are from the PDE.
— Bits 11: 2 are bits 21: 12 of the linear address.
1. The upper bits in the final physical address do not all come from corresponding positions in the PDE; the physical-address bits in the
PDE are not all contiguous.
Vol. 3A 4-7
PAGING
— Bits 1: 0 are 0.
• Because a PTE is identified using bits 31: 12 of the linear address, every PTE maps a 4-KByte page (see
Table 4-6). The final physical address is computed as follows:
— Bits 39: 32 are all 0.
— Bits 31: 12 are from the PTE.
— Bits 11: 0 are from the original linear address.
I f a paging-structure entry’s P flag (bit 0) is 0 or if the entry sets any reserved bit, the entry is used neither to refer-
ence another paging-structure entry nor to map a page. There is no translation for a linear address whose transla-
tion would use such a paging-structure entry; a reference to such a linear address causes a page-fault exception
(see Section 4.7).
With 32-bit paging, there are reserved bits only if CR4.PSE = 1:
• I f the P flag and the PS flag (bit 7) of a PDE are both 1, the bits reserved depend on MAXPHYADDR whether the
PSE-36 mechanism is supported: 1
— I f the PSE-36 mechanism is not supported, bits 21: 13 are reserved.
— I f the PSE-36 mechanism is supported, bits 21: (M– 19) are reserved, where M is the minimum of 40 and
MAXPHYADDR.
• I f the PAT is not supported: 2
— I f the P flag of a PTE is 1, bit 7 is reserved.
— I f the P flag and the PS flag of a PDE are both 1, bit 12 is reserved.
(I f CR4.PSE = 0, no bits are reserved with 32-bit paging.)
A reference using a linear address that is successfully translated to a physical address is performed only if allowed
by the access rights of the translation; see Section 4.6.
Linear Address
31 22 21 12 11 0
Directory Table Offset
12 4-KByte Page
PTE
20
PDE with PS=0
20
32
CR3
1. See Section 4.1.4 for how to determine MAXPHYADDR and whether the PSE-36 mechanism is supported.
2. See Section 4.1.4 for how to determine whether the PAT is supported.
4-8 Vol. 3A
PAGING
Linear Address
31 22 21 0
Directory Offset
22 4-MByte Page
10 Page Directory
Physical Address
32
CR3
Figure 4-4 gives a summary of the formats of CR3 and the paging-structure entries with 32-bit paging. For the
paging structure entries, it identifies separately the format of entries that map pages, those that reference other
paging structures, and those that do neither because they are “not present”; bit 0 (P) and bit 7 (PS) are high-
lighted because they determine how such an entry is used.
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
P PW
Address of page directory1 Ignored C Ignored CR3
D T
P P U R PTE:
Address of 4KB page frame Ignored G A D A C PW / / 1 4KB
T
T D S W page
PTE:
Ignored 0 not
present
Figure 4-4. Formats of CR3 and Paging-Structure Entries with 32-Bit Paging
NOTES:
1. CR3 has 64 bits on processors supporting the Intel-64 architecture. These bits are ignored with 32-bit paging.
2. This example illustrates a processor in which MAXPHYADDR is 36. If this value is larger or smaller, the number of bits reserved in
positions 20:13 of a PDE mapping a 4-MByte will change.
Vol. 3A 4-9
PAGING
Bit Contents
Position(s)
2:0 Ignored
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the page directory during linear-
address translation (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the page directory during linear-
address translation (see Section 4.9)
11:5 Ignored
31:12 Physical address of the 4-KByte aligned page directory used for linear-address translation
63:32 Ignored (these bits exist only on processors supporting the Intel-64 architecture)
4-10 Vol. 3A
PAGING
Table 4-4. Format of a 32-Bit Page-Directory Entry that Maps a 4-MByte Page
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 4-MByte page referenced by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 4-MByte page referenced by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the 4-MByte page referenced by
this entry (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the 4-MByte page referenced by
this entry (see Section 4.9)
5 (A) Accessed; indicates whether software has accessed the 4-MByte page referenced by this entry (see Section 4.8)
6 (D) Dirty; indicates whether software has written to the 4-MByte page referenced by this entry (see Section 4.8)
7 (PS) Page size; must be 1 (otherwise, this entry references a page table; see Table 4-5)
8 (G) Global; if CR4.PGE = 1, determines whether the translation is global (see Section 4.10); ignored otherwise
11:9 Ignored
12 (PAT) If the PAT is supported, indirectly determines the memory type used to access the 4-MByte page referenced by this
entry (see Section 4.9.2); otherwise, reserved (must be 0)1
(M20):13 Bits (M1):32 of physical address of the 4-MByte page referenced by this entry 2
31:22 Bits 31:22 of physical address of the 4-MByte page referenced by this entry
NOTES:
1. See Section 4.1.4 for how to determine whether the PAT is supported.
2. If the PSE-36 mechanism is not supported, M is 32, and this row does not apply. If the PSE-36 mechanism is supported, M is the min-
imum of 40 and MAXPHYADDR (this row does not apply if MAXPHYADDR = 32). See Section 4.1.4 for how to determine MAXPHYA-
DDR and whether the PSE-36 mechanism is supported.
Vol. 3A 4-11
PAGING
Table 4-5. Format of a 32-Bit Page-Directory Entry that References a Page Table
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 4-MByte region controlled by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 4-MByte region controlled by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the page table referenced by this
entry (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the page table referenced by this
entry (see Section 4.9)
5 (A) Accessed; indicates whether this entry has been used for linear-address translation (see Section 4.8)
6 Ignored
7 (PS) If CR4.PSE = 1, must be 0 (otherwise, this entry maps a 4-MByte page; see Table 4-4); otherwise, ignored
11:8 Ignored
31:12 Physical address of 4-KByte aligned page table referenced by this entry
Table 4-6. Format of a 32-Bit Page-Table Entry that Maps a 4-KByte Page
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 4-KByte page referenced by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 4-KByte page referenced by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the 4-KByte page referenced by this
entry (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the 4-KByte page referenced by this
entry (see Section 4.9)
5 (A) Accessed; indicates whether software has accessed the 4-KByte page referenced by this entry (see Section 4.8)
6 (D) Dirty; indicates whether software has written to the 4-KByte page referenced by this entry (see Section 4.8)
7 (PAT) If the PAT is supported, indirectly determines the memory type used to access the 4-KByte page referenced by this
entry (see Section 4.9.2); otherwise, reserved (must be 0) 1
8 (G) Global; if CR4.PGE = 1, determines whether the translation is global (see Section 4.10); ignored otherwise
11:9 Ignored
NOTES:
1. See Section 4.1.4 for how to determine whether the PAT is supported.
4-12 Vol. 3A
PAGING
Bit Contents
Position(s)
4:0 Ignored
31:5 Physical address of the 32-Byte aligned page-directory-pointer table used for linear-address translation
63:32 Ignored (these bits exist only on processors supporting the Intel-64 architecture)
The page-directory-pointer-table comprises four (4) 64-bit entries called PDPTEs. Each PDPTE controls access to a
1-GByte region of the linear-address space. Corresponding to the PDPTEs, the logical processor maintains a set of
four (4) internal, non-architectural PDPTE registers, called PDPTE0, PDPTE1, PDPTE2, and PDPTE3. The logical
processor loads these registers from the PDPTEs in memory as part of certain operations:
• I f PAE paging would be in use following an execution of MOV to CR0 or MOV to CR4 (see Section 4.1.1) and the
instruction is modifying any of CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then the
PDPTEs are loaded from the address in CR3.
• I f MOV to CR3 is executed while the logical processor is using PAE paging, the PDPTEs are loaded from the
address being loaded into CR3.
• I f PAE paging is in use and a task switch changes the value of CR3, the PDPTEs are loaded from the address in
the new CR3 value.
• Certain VMX transitions load the PDPTE registers. See Section 4.11.1.
Table 4-8 gives the format of a PDPTE. I f any of the PDPTEs sets both the P flag (bit 0) and any reserved bit, the
MOV to CR instruction causes a general-protection exception (#GP(0)) and the PDPTEs are not loaded. 2 As shown
in Table 4-8, bits 2: 1, 8: 5, and 63: MAXPHYADDR are reserved in the PDPTEs.
1. If MAXPHYADDR < 52, bits in the range 51:MAXPHYADDR will be 0 in any physical address used by PAE paging. (The corresponding
bits are reserved in the paging-structure entries.) See Section 4.1.4 for how to determine MAXPHYADDR.
2. On some processors, reserved bits are checked even in PDPTEs in which the P flag (bit 0) is 0.
Vol. 3A 4-13
PAGING
Bit Contents
Position(s)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the page directory referenced by
this entry (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the page directory referenced by
this entry (see Section 4.9)
11:9 Ignored
(M1):12 Physical address of 4-KByte aligned page directory referenced by this entry 1
NOTES:
1. M is an abbreviation for MAXPHYADDR, which is at most 52; see Section 4.1.4.
1. With PAE paging, the processor does not use CR3 when translating a linear address (as it does the other paging modes). It does not
access the PDPTEs in the page-directory-pointer table during linear-address translation.
4-14 Vol. 3A
PAGING
Linear Address
31 30 29 21 20 12 11 0
Directory Pointer Directory Table Offset
12 4-KByte Page
PDPTE Registers
40
PDPTE value
1. See Section 4.1.4 for how to determine whether the PAT is supported.
Vol. 3A 4-15
PAGING
Linear Address
31 30 29 21 20 0
Directory Offset
Pointer Directory
21 2-MByte Page
9
Page Directory Physical Address
PDPTE Registers
2
PDE with PS=1
31
PDPTE value
40
Table 4-9. Format of a PAE Page-Directory Entry that Maps a 2-MByte Page
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 2-MByte page referenced by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 2-MByte page referenced by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the 2-MByte page referenced by
this entry (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the 2-MByte page referenced by this
entry (see Section 4.9)
5 (A) Accessed; indicates whether software has accessed the 2-MByte page referenced by this entry (see Section 4.8)
6 (D) Dirty; indicates whether software has written to the 2-MByte page referenced by this entry (see Section 4.8)
7 (PS) Page size; must be 1 (otherwise, this entry references a page table; see Table 4-10)
8 (G) Global; if CR4.PGE = 1, determines whether the translation is global (see Section 4.10); ignored otherwise
11:9 Ignored
12 (PAT) If the PAT is supported, indirectly determines the memory type used to access the 2-MByte page referenced by this
entry (see Section 4.9.2); otherwise, reserved (must be 0)1
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 2-MByte page controlled by
this entry; see Section 4.6); otherwise, reserved (must be 0)
NOTES:
1. See Section 4.1.4 for how to determine whether the PAT is supported.
4-16 Vol. 3A
PAGING
Table 4-10. Format of a PAE Page-Directory Entry that References a Page Table
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 2-MByte region controlled by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 2-MByte region controlled by this entry (see
Section 4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the page table referenced by this
entry (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the page table referenced by this
entry (see Section 4.9)
5 (A) Accessed; indicates whether this entry has been used for linear-address translation (see Section 4.8)
6 Ignored
7 (PS) Page size; must be 0 (otherwise, this entry maps a 2-MByte page; see Table 4-9)
11:8 Ignored
(M1):12 Physical address of 4-KByte aligned page table referenced by this entry
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 2-MByte region controlled
by this entry; see Section 4.6); otherwise, reserved (must be 0)
Table 4-11. Format of a PAE Page-Table Entry that Maps a 4-KByte Page
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 4-KByte page referenced by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 4-KByte page referenced by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the 4-KByte page referenced by
this entry (see Section 4.9)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the 4-KByte page referenced by this
entry (see Section 4.9)
5 (A) Accessed; indicates whether software has accessed the 4-KByte page referenced by this entry (see Section 4.8)
6 (D) Dirty; indicates whether software has written to the 4-KByte page referenced by this entry (see Section 4.8)
7 (PAT) If the PAT is supported, indirectly determines the memory type used to access the 4-KByte page referenced by this
entry (see Section 4.9.2); otherwise, reserved (must be 0)1
8 (G) Global; if CR4.PGE = 1, determines whether the translation is global (see Section 4.10); ignored otherwise
Vol. 3A 4-17
PAGING
Table 4-11. Format of a PAE Page-Table Entry that Maps a 4-KByte Page (Contd.)
Bit Contents
Position(s)
11:9 Ignored
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 4-KByte page controlled by
this entry; see Section 4.6); otherwise, reserved (must be 0)
NOTES:
1. See Section 4.1.4 for how to determine whether the PAT is supported.
Figure 4-7 gives a summary of the formats of CR3 and the paging-structure entries with PAE paging. For the paging
structure entries, it identifies separately the format of entries that map pages, those that reference other paging
structures, and those that do neither because they are “not present”; bit 0 (P) and bit 7 (PS) are highlighted
because they determine how a paging-structure entry is used.
6666555555555 33322222222221111111111
M1 M-1
3210987654321 210987654321098765432109876543210
P P Rs
PDPTE:
Reserved3 Address of page directory Ign. Rsvd. CW 1
D T vd present
PDTPE:
Ignored 0 not
present
X P PP R PDE:
Address of
D Reserved Reserved A Ign. G 1 D A C W U / 1 2MB
2MB page frame
4 T D T /S W page
X I PPUR PDE:
Reserved Address of page table Ign. 0 g A C W /S / 1 page
D n DT W table
PDE:
Ignored 0 not
present
X P PPUR PTE:
Reserved Address of 4KB page frame Ign. G A D A C W /S / 1 4KB
D T DT W page
PTE:
Ignored 0 not
present
Figure 4-7. Formats of CR3 and Paging-Structure Entries with PAE Paging
NOTES:
1. M is an abbreviation for MAXPHYADDR.
2. CR3 has 64 bits only on processors supporting the Intel-64 architecture. These bits are ignored with PAE paging.
3. Reserved fields must be 0.
4. If IA32_EFER.NXE = 0 and the P flag of a PDE or a PTE is 1, the XD flag (bit 63) is reserved.
4-18 Vol. 3A
PAGING
Bit Contents
Position(s)
2:0 Ignored
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the PML4 table during linear-
address translation (see Section 4.9.2)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the PML4 table during linear-address
translation (see Section 4.9.2)
11:5 Ignored
M1:12 Physical address of the 4-KByte aligned PML4 table used for linear-address translation 1
NOTES:
1. M is an abbreviation for MAXPHYADDR, which is at most 52; see Section 4.1.4.
• Table 4-13 illustrates how CR3 is used with I A-32e paging if CR4.PCI DE = 1.
Bit Contents
Position(s)
M1:12 Physical address of the 4-KByte aligned PML4 table used for linear-address translation 2
NOTES:
1. Section 4.9.2 explains how the processor determines the memory type used to access the PML4 table during linear-address transla-
tion with CR4.PCIDE = 1.
2. M is an abbreviation for MAXPHYADDR, which is at most 52; see Section 4.1.4.
3. See Section 4.10.4.1 for use of bit 63 of the source operand of the MOV to CR3 instruction.
After software modifies the value of CR4.PCI DE, the logical processor immediately begins using CR3 as specified
for the new value. For example, if software changes CR4.PCI DE from 1 to 0, the current PCI D immediately changes
1. If MAXPHYADDR < 52, bits in the range 51:MAXPHYADDR will be 0 in any physical address used by IA-32e paging. (The correspond-
ing bits are reserved in the paging-structure entries.) See Section 4.1.4 for how to determine MAXPHYADDR.
Vol. 3A 4-19
PAGING
from CR3[11: 0] to 000H (see also Section 4.10.4.1). I n addition, the logical processor subsequently determines
the memory type used to access the PML4 table using CR3.PWT and CR3.PCD, which had been bits 4: 3 of the PCI D.
I A-32e paging may map linear addresses to 4-KByte pages, 2-MByte pages, or 1-GByte pages. 1 Figure 4-8 illus-
trates the translation process when it produces a 4-KByte page; Figure 4-9 covers the case of a 2-MByte page, and
Figure 4-10 the case of a 1-GByte page.
Linear Address
47 39 38 30 29 21 20 12 11 0
PML4 Directory Ptr Directory Table Offset
9 9
9 12 4-KByte Page
Physical Addr
PTE
Page-Directory- PDE with PS=0
40
Pointer Table 40 Page Table
Page-Directory
PDPTE 40
40
PML4E
40
CR3
4-20 Vol. 3A
PAGING
Linear Address
47 39 38 30 29 21 20 0
PML4 Directory Ptr Directory Offset
9 21
9
2-MByte Page
Physical Addr
Page-Directory- PDE with PS=1
Pointer Table 31
Page-Directory
PDPTE
40
9
40
PML4E
40
CR3
Linear Address
47 39 38 30 29 0
PML4 Directory Ptr Offset
30
9
1-GByte Page
Page-Directory-
Pointer Table
Physical Addr
PDPTE with PS=1
22
9
40
PML4E
40
CR3
Vol. 3A 4-21
PAGING
The following items describe the I A-32e paging process in more detail as well has how the page size is determined.
• A 4-KByte naturally aligned PML4 table is located at the physical address specified in bits 51: 12 of CR3 (see
Table 4-12). A PML4 table comprises 512 64-bit entries (PML4Es). A PML4E is selected using the physical
address defined as follows:
— Bits 51: 12 are from CR3.
— Bits 11: 3 are bits 47: 39 of the linear address.
— Bits 2: 0 are all 0.
Because a PML4E is identified using bits 47: 39 of the linear address, it controls access to a 512-GByte region of
the linear-address space.
• A 4-KByte naturally aligned page-directory-pointer table is located at the physical address specified in
bits 51: 12 of the PML4E (see Table 4-14). A page-directory-pointer table comprises 512 64-bit entries
(PDPTEs). A PDPTE is selected using the physical address defined as follows:
— Bits 51: 12 are from the PML4E.
— Bits 11: 3 are bits 38: 30 of the linear address.
— Bits 2: 0 are all 0.
Because a PDPTE is identified using bits 47: 30 of the linear address, it controls access to a 1-GByte region of the
linear-address space. Use of the PDPTE depends on its PS flag (bit 7): 1
• I f the PDPTE’s PS flag is 1, the PDPTE maps a 1-GByte page (see Table 4-15). The final physical address is
computed as follows:
— Bits 51: 30 are from the PDPTE.
— Bits 29: 0 are from the original linear address.
• I f the PDE’s PS flag is 0, a 4-KByte naturally aligned page directory is located at the physical address specified
in bits 51: 12 of the PDPTE (see Table 4-16). A page directory comprises 512 64-bit entries (PDEs). A PDE is
selected using the physical address defined as follows:
— Bits 51: 12 are from the PDPTE.
— Bits 11: 3 are bits 29: 21 of the linear address.
— Bits 2: 0 are all 0.
Because a PDE is identified using bits 47: 21 of the linear address, it controls access to a 2-MByte region of the
linear-address space. Use of the PDE depends on its PS flag:
• I f the PDE’s PS flag is 1, the PDE maps a 2-MByte page. The final physical address is computed as shown in
Table 4-17.
— Bits 51: 21 are from the PDE.
— Bits 20: 0 are from the original linear address.
• I f the PDE’s PS flag is 0, a 4-KByte naturally aligned page table is located at the physical address specified in
bits 51: 12 of the PDE (see Table 4-18). A page table comprises 512 64-bit entries (PTEs). A PTE is selected
using the physical address defined as follows:
— Bits 51: 12 are from the PDE.
— Bits 11: 3 are bits 20: 12 of the linear address.
— Bits 2: 0 are all 0.
• Because a PTE is identified using bits 47: 12 of the linear address, every PTE maps a 4-KByte page (see
Table 4-19). The final physical address is computed as follows:
— Bits 51: 12 are from the PTE.
— Bits 11: 0 are from the original linear address.
1. The PS flag of a PDPTE is reserved and must be 0 (if the P flag is 1) if 1-GByte pages are not supported. See Section 4.1.4 for how
to determine whether 1-GByte pages are supported.
4-22 Vol. 3A
PAGING
I f a paging-structure entry’s P flag (bit 0) is 0 or if the entry sets any reserved bit, the entry is used neither to refer-
ence another paging-structure entry nor to map a page. There is no translation for a linear address whose transla-
tion would use such a paging-structure entry; a reference to such a linear address causes a page-fault exception
(see Section 4.7).
The following bits are reserved with I A-32e paging:
• I f the P flag of a paging-structure entry is 1, bits 51: MAXPHYADDR are reserved.
• I f the P flag of a PML4E is 1, the PS flag is reserved.
• I f 1-GByte pages are not supported and the P flag of a PDPTE is 1, the PS flag is reserved. 1
• I f the P flag and the PS flag of a PDPTE are both 1, bits 29: 13 are reserved.
• I f the P flag and the PS flag of a PDE are both 1, bits 20: 13 are reserved.
• I f I A32_ EFER.NXE = 0 and the P flag of a paging-structure entry is 1, the XD flag (bit 63) is reserved.
A reference using a linear address that is successfully translated to a physical address is performed only if allowed
by the access rights of the translation; see Section 4.6.
Figure 4-11 gives a summary of the formats of CR3 and the I A-32e paging-structure entries. For the paging struc-
ture entries, it identifies separately the format of entries that map pages, those that reference other paging struc-
tures, and those that do neither because they are “not present”; bit 0 (P) and bit 7 (PS) are highlighted because
they determine how a paging-structure entry is used.
Table 4-14. Format of an IA-32e PML4 Entry (PML4E) that References a Page-Directory-Pointer Table
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 512-GByte region controlled by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 512-GByte region controlled by this entry (see
Section 4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the page-directory-pointer table
referenced by this entry (see Section 4.9.2)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the page-directory-pointer table
referenced by this entry (see Section 4.9.2)
5 (A) Accessed; indicates whether this entry has been used for linear-address translation (see Section 4.8)
6 Ignored
11:8 Ignored
M1:12 Physical address of 4-KByte aligned page-directory-pointer table referenced by this entry
62:52 Ignored
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 512-GByte region
controlled by this entry; see Section 4.6); otherwise, reserved (must be 0)
1. See Section 4.1.4 for how to determine whether 1-GByte pages are supported.
Vol. 3A 4-23
PAGING
Table 4-15. Format of an IA-32e Page-Directory-Pointer-Table Entry (PDPTE) that Maps a 1-GByte Page
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 1-GByte page referenced by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 1-GByte page referenced by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the 1-GByte page referenced by this
entry (see Section 4.9.2)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the 1-GByte page referenced by this
entry (see Section 4.9.2)
5 (A) Accessed; indicates whether software has accessed the 1-GByte page referenced by this entry (see Section 4.8)
6 (D) Dirty; indicates whether software has written to the 1-GByte page referenced by this entry (see Section 4.8)
7 (PS) Page size; must be 1 (otherwise, this entry references a page directory; see Table 4-16)
8 (G) Global; if CR4.PGE = 1, determines whether the translation is global (see Section 4.10); ignored otherwise
11:9 Ignored
12 (PAT) Indirectly determines the memory type used to access the 1-GByte page referenced by this entry (see Section
4.9.2)1
62:52 Ignored
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 1-GByte page controlled by
this entry; see Section 4.6); otherwise, reserved (must be 0)
NOTES:
1. The PAT is supported on all processors that support IA-32e paging.
4-24 Vol. 3A
PAGING
Table 4-16. Format of an IA-32e Page-Directory-Pointer-Table Entry (PDPTE) that References a Page Directory
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 1-GByte region controlled by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 1-GByte region controlled by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the page directory referenced by
this entry (see Section 4.9.2)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the page directory referenced by
this entry (see Section 4.9.2)
5 (A) Accessed; indicates whether this entry has been used for linear-address translation (see Section 4.8)
6 Ignored
7 (PS) Page size; must be 0 (otherwise, this entry maps a 1-GByte page; see Table 4-15)
11:8 Ignored
(M1):12 Physical address of 4-KByte aligned page directory referenced by this entry
62:52 Ignored
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 1-GByte region controlled
by this entry; see Section 4.6); otherwise, reserved (must be 0)
Table 4-17. Format of an IA-32e Page-Directory Entry that Maps a 2-MByte Page
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 2-MByte page referenced by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 2-MByte page referenced by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the 2-MByte page referenced by
this entry (see Section 4.9.2)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the 2-MByte page referenced by
this entry (see Section 4.9.2)
5 (A) Accessed; indicates whether software has accessed the 2-MByte page referenced by this entry (see Section 4.8)
6 (D) Dirty; indicates whether software has written to the 2-MByte page referenced by this entry (see Section 4.8)
7 (PS) Page size; must be 1 (otherwise, this entry references a page table; see Table 4-18)
8 (G) Global; if CR4.PGE = 1, determines whether the translation is global (see Section 4.10); ignored otherwise
Vol. 3A 4-25
PAGING
Table 4-17. Format of an IA-32e Page-Directory Entry that Maps a 2-MByte Page (Contd.)
Bit Contents
Position(s)
11:9 Ignored
12 (PAT) Indirectly determines the memory type used to access the 2-MByte page referenced by this entry (see Section
4.9.2)
62:52 Ignored
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 2-MByte page controlled by
this entry; see Section 4.6); otherwise, reserved (must be 0)
Table 4-18. Format of an IA-32e Page-Directory Entry that References a Page Table
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 2-MByte region controlled by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 2-MByte region controlled by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the page table referenced by this
entry (see Section 4.9.2)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the page table referenced by this
entry (see Section 4.9.2)
5 (A) Accessed; indicates whether this entry has been used for linear-address translation (see Section 4.8)
6 Ignored
7 (PS) Page size; must be 0 (otherwise, this entry maps a 2-MByte page; see Table 4-17)
11:8 Ignored
(M1):12 Physical address of 4-KByte aligned page table referenced by this entry
62:52 Ignored
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 2-MByte region controlled
by this entry; see Section 4.6); otherwise, reserved (must be 0)
4-26 Vol. 3A
PAGING
Table 4-19. Format of an IA-32e Page-Table Entry that Maps a 4-KByte Page
Bit Contents
Position(s)
1 (R/W) Read/write; if 0, writes may not be allowed to the 4-KByte page referenced by this entry (see Section 4.6)
2 (U/S) User/supervisor; if 0, user-mode accesses are not allowed to the 4-KByte page referenced by this entry (see Section
4.6)
3 (PWT) Page-level write-through; indirectly determines the memory type used to access the 4-KByte page referenced by
this entry (see Section 4.9.2)
4 (PCD) Page-level cache disable; indirectly determines the memory type used to access the 4-KByte page referenced by this
entry (see Section 4.9.2)
5 (A) Accessed; indicates whether software has accessed the 4-KByte page referenced by this entry (see Section 4.8)
6 (D) Dirty; indicates whether software has written to the 4-KByte page referenced by this entry (see Section 4.8)
7 (PAT) Indirectly determines the memory type used to access the 4-KByte page referenced by this entry (see Section 4.9.2)
8 (G) Global; if CR4.PGE = 1, determines whether the translation is global (see Section 4.10); ignored otherwise
11:9 Ignored
62:52 Ignored
63 (XD) If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 4-KByte page controlled by
this entry; see Section 4.6); otherwise, reserved (must be 0)
Vol. 3A 4-27
PAGING
6666555555555 33322222222221111111111
M1 M-1
3210987654321 210987654321098765432109876543210
PP
Reserved2 Address of PML4 table Ignored C W Ign. CR3
DT
X
Rs gI A P PUR
D Ignored Rsvd. Address of page-directory-pointer table Ign. C W / 1 PML4E:
3 vd n D T /S W present
PML4E:
Ignored 0 not
present
X P PPUR PDPTE:
Address of
Ignored Rsvd. Reserved A Ign. G 1 D A C W /S / 1 1GB
D 1GB page frame T DT W page
X I PPUR PDPTE:
Ignored Rsvd. Address of page directory Ign. 0 g A C W /S / 1 page
D n DT W directory
PDTPE:
Ignored 0 not
present
X P PPUR PDE:
Address of
Ignored Rsvd. Reserved A Ign. G 1 D A C W /S / 1 2MB
D 2MB page frame T DT W page
X I PPUR PDE:
Ignored Rsvd. Address of page table Ign. 0 g A C W /S / 1 page
D n DT W table
PDE:
Ignored 0 not
present
X P PPUR PTE:
Ignored Rsvd. Address of 4KB page frame Ign. G A D A C W /S / 1 4KB
D T DT W page
PTE:
Ignored 0 not
present
Figure 4-11. Formats of CR3 and Paging-Structure Entries with IA-32e Paging
NOTES:
1. M is an abbreviation for MAXPHYADDR.
2. Reserved fields must be 0.
3. If IA32_EFER.NXE = 0 and the P flag of a paging-structure entry is 1, the XD flag (bit 63) is reserved.
4-28 Vol. 3A
PAGING
Every access to a linear address is either a supervisor-mode access or a user-mode access. All accesses
performed while the current privilege level (CPL) is less than 3 are supervisor-mode accesses. I f CPL = 3, accesses
are generally user-mode accesses. However, some operations implicitly access system data structures with linear
addresses; the resulting accesses to those data structures are supervisor-mode accesses regardless of CPL. Exam-
ples of such implicit supervisor accesses include the following: accesses to the global descriptor table (GDT) or
local descriptor table (LDT) to load a segment descriptor; accesses to the interrupt descriptor table (I DT) when
delivering an interrupt or exception; and accesses to the task-state segment (TSS) as part of a task switch or
change of CPL.
The following items detail how paging determines access rights:
• For supervisor-mode accesses:
— Data reads.
Data may be read from any linear address with a translation.
— Data writes.
• I f CR0.WP = 0, data may be written to any linear address with a translation.
• I f CR0.WP = 1, data may be written to any linear address with a translation for which the R/ W flag
(bit 1) is 1 in every paging-structure entry controlling the translation.
— I nstruction fetches.
• For 32-bit paging or if I A32_ EFER.NXE = 0, access rights depend on the value of CR4.SMEP:
— I f CR4.SMEP = 0, instructions may be fetched from any linear address with a translation.
— I f CR4.SMEP = 1, instructions may be fetched from any linear address with a translation for which
the U/ S flag (bit 2) is 0 in at least one of the paging-structure entries controlling the translation.
• For PAE paging or I A-32e paging with I A32_ EFER.NXE = 1, access rights depend on the value of
CR4.SMEP:
— I f CR4.SMEP = 0, instructions may be fetched from any linear address with a translation for which
the XD flag (bit 63) is 0 in every paging-structure entry controlling the translation.
— I f CR4.SMEP = 1, instructions may be fetched from any linear address with a translation for which
(1) the U/ S flag is 0 in at least one of the paging-structure entries controlling the translation; and
(2) the XD flag is 0 in every paging-structure entry controlling the translation.
• For user-mode accesses:
— Data reads.
Data may be read from any linear address with a translation for which the U/ S flag (bit 2) is 1 in every
paging-structure entry controlling the translation.
— Data writes.
Data may be written to any linear address with a translation for which both the R/ W flag and the U/ S flag
are 1 in every paging-structure entry controlling the translation.
— I nstruction fetches.
• For 32-bit paging or if I A32_ EFER.NXE = 0, instructions may be fetched from any linear address with a
translation for which the U/ S flag is 1 in every paging-structure entry controlling the translation.
• For PAE paging or I A-32e paging with I A32_ EFER.NXE = 1, instructions may be fetched from any linear
address with a translation for which the U/ S flag is 1 and the XD flag is 0 in every paging-structure entry
controlling the translation.
A processor may cache information from the paging-structure entries in TLBs and paging-structure caches (see
Section 4.10). These structures may include information about access rights. The processor may enforce access
rights based on the TLBs and paging-structure caches instead of on the paging structures in memory.
This fact implies that, if software modifies a paging-structure entry to change access rights, the processor might
not use that change for a subsequent access to an affected linear address (see Section 4.10.4.3). See Section
4.10.4.2 for how software can ensure that the processor uses the modified access rights.
Vol. 3A 4-29
PAGING
31 4 3 2 1 0
RSVD
I/D
U/S
W/R
P
Reserved
4-30 Vol. 3A
PAGING
Page-fault exceptions occur only due to an attempt to use a linear address. Failures to load the PDPTE registers
with PAE paging (see Section 4.4.1) cause general-protection exceptions (#GP(0)) and not page-fault exceptions.
NOTE
The accesses used by the processor to set these flags may or may not be exposed to the
processor’s self-modifying code detection logic. I f the processor is executing code from the same
memory area that is being used for the paging structures, the setting of these flags may or may not
result in an immediate change to the executing code stream.
4.9.1 Paging and Memory Typing When the PAT is Not Supported (Pentium Pro and
Pentium II Processors)
NOTE
The PAT is supported on all processors that support I A-32e paging. Thus, this section applies only
to 32-bit paging and PAE paging.
1. With PAE paging, the PDPTEs are not used during linear-address translation but only to load the PDPTE registers for some execu-
tions of the MOV CR instruction (see Section 4.4.1). For this reason, the PDPTEs do not contain accessed flags with PAE paging.
2. The PAT is supported on Pentium III and more recent processor families. See Section 4.1.4 for how to determine whether the PAT is
supported.
Vol. 3A 4-31
PAGING
I f the PAT is not supported, paging contributes to memory typing in conjunction with the memory-type range regis-
ters (MTRRs) as specified in Table 11-6 in Section 11.5.2.1.
For any access to a physical address, the table combines the memory type specified for that physical address by
the MTRRs with a PCD value and a PWT value. The latter two values are determined as follows:
• For an access to a PDE with 32-bit paging, the PCD and PWT values come from CR3.
• For an access to a PDE with PAE paging, the PCD and PWT values come from the relevant PDPTE register.
• For an access to a PTE, the PCD and PWT values come from the relevant PDE.
• For an access to the physical address that is the translation of a linear address, the PCD and PWT values come
from the relevant PTE (if the translation uses a 4-KByte page) or the relevant PDE (otherwise).
• With PAE paging, the UC memory type is used when loading the PDPTEs (see Section 4.4.1).
4.9.2 Paging and Memory Typing When the PAT is Supported (Pentium III and More Recent
Processor Families)
I f the PAT is supported, paging contributes to memory typing in conjunction with the PAT and the memory-type
range registers (MTRRs) as specified in Table 11-7 in Section 11.5.2.2.
The PAT is a 64-bit MSR (I A32_ PAT; MSR index 277H) comprising eight (8) 8-bit entries (entry i comprises
bits 8i+7: 8i of the MSR).
For any access to a physical address, the table combines the memory type specified for that physical address by
the MTRRs with a memory type selected from the PAT. Table 11-11 in Section 11.12.3 specifies how a memory type
is selected from the PAT. Specifically, it comes from entry i of the PAT, where i is defined as follows:
• For an access to an entry in a paging structure whose address is in CR3 (e.g., the PML4 table with I A-32e
paging):
— For I A-32e paging with CR4.PCI DE = 1, i = 0.
— Otherwise, i = 2* PCD+PWT, where the PCD and PWT values come from CR3.
• For an access to a PDE with PAE paging, i = 2* PCD+PWT, where the PCD and PWT values come from the
relevant PDPTE register.
• For an access to a paging-structure entry X whose address is in another paging-structure entry Y, i =
2* PCD+PWT, where the PCD and PWT values come from Y.
• For an access to the physical address that is the translation of a linear address, i = 4* PAT+2* PCD+PWT, where
the PAT, PCD, and PWT values come from the relevant PTE (if the translation uses a 4-KByte page), the relevant
PDE (if the translation uses a 2-MByte page or a 4-MByte page), or the relevant PDPTE (if the translation uses
a 1-GByte page).
• With PAE paging, the WB memory type is used when loading the PDPTEs (see Section 4.4.1). 1
1. Some older IA-32 processors used the UC memory type when loading the PDPTEs. Some processors may use the UC memory type if
CR0.CD = 1 or if the MTRRs are disabled. These behaviors are model-specific and not architectural.
4-32 Vol. 3A
PAGING
NOTE
I n revisions of this manual that were produced when no processors allowed CR4.PCI DE to be set to
1, Section 4.10 discussed the caching of translation information without any reference to PCI Ds.
While the section now refers to PCI Ds in its specification of this caching, this documentation change
is not intended to imply any change to the behavior of processors that do not allow CR4.PCI DE to
be set to 1.
Vol. 3A 4-33
PAGING
4-34 Vol. 3A
PAGING
Vol. 3A 4-35
PAGING
1. With PAE paging, the PDPTEs are stored in internal, non-architectural registers. The operation of these registers is described in Sec-
tion 4.4.1 and differs from that described here.
4-36 Vol. 3A
PAGING
Vol. 3A 4-37
PAGING
then use that entry to complete the translation process (locating a PDE, etc.) as if it had traversed the
PDPTE and the PML4 corresponding to the PDPTE-cache entry.
— I f the processor does not find a relevant TLB entry, a relevant PDE-cache entry, or a relevant PDPTE-cache
entry, it may use bits 47: 39 of the linear address to select an entry from the PML4 cache that is associated
with the current PCI D. I t can then use that entry to complete the translation process (locating a PDPTE,
etc.) as if it had traversed the corresponding PML4.
(Any of the above steps would be skipped if the processor does not support the cache in question.)
I f the processor does not find a TLB or paging-structure-cache entry for the linear address, it uses the linear
address to traverse the entire paging-structure hierarchy, as described in Section 4.3, Section 4.4.2, and Section
4.5.
4-38 Vol. 3A
PAGING
4.10.2.4). 1 I NVLPG also invalidates all entries in all paging-structure caches associated with the current PCI D,
regardless of the linear addresses to which they correspond.
• I NVPCI D. The operation of this instruction is based on instruction operands, called the I NVPCI D type and the
I NVPCI D descriptor. Four I NVPCI D types are currently defined:
— I ndividual-address. I f the I NVPCI D type is 0, the logical processor invalidates mappings—except global
translations—associated with the PCI D specified in the I NVPCI D descriptor and that would be used to
translate the linear address specified in the I NVPCI D descriptor. (The instruction may also invalidate global
translations, as well as mappings associated with other PCI Ds and for other linear addresses.)
— Single-context. I f the I NVPCI D type is 1, the logical processor invalidates all mappings—except global
translations—associated with the PCI D specified in the I NVPCI D descriptor. (The instruction may also
invalidate global translations, as well as mappings associated with other PCI Ds.)
— All-context, including globals. I f the I NVPCI D type is 2, the logical processor invalidates
mappings—including global translations—associated with all PCI Ds.
— All-context. I f the I NVPCI D type is 3, the logical processor invalidates mappings—except global transla-
tions—associated with all PCI Ds. (The instruction may also invalidate global translations.)
See Chapter 3 of the I ntel 64 and I A-32 Architecture Software Developer’s Manual, Volume 2A for details of the
I NVPCI D instruction.
• MOV to CR0. The instruction invalidates all TLB entries (including global entries) and all entries in all paging-
structure caches (for all PCI Ds) if it changes the value of CR0.PG from 1 to 0.
• MOV to CR3. The behavior of the instruction depends on the value of CR4.PCI DE:
— I f CR4.PCI DE = 0, the instruction invalidates all TLB entries associated with PCI D 000H except those for
global pages. I t also invalidates all entries in all paging-structure caches associated with PCI D 000H.
— I f CR4.PCI DE = 1 and bit 63 of the instruction’s source operand is 0, the instruction invalidates all TLB
entries associated with the PCI D specified in bits 11: 0 of the instruction’s source operand except those for
global pages. I t also invalidates all entries in all paging-structure caches associated with that PCI D. I t is not
required to invalidate entries in the TLBs and paging-structure caches that are associated with other PCI Ds.
— I f CR4.PCI DE = 1 and bit 63 of the instruction’s source operand is 1, the instruction is not required to
invalidate any TLB entries or entries in paging-structure caches.
• MOV to CR4. The behavior of the instruction depends on the bits being modified:
— The instruction invalidates all TLB entries (including global entries) and all entries in all paging-structure
caches (for all PCI Ds) if (1) it changes the value of CR4.PGE; 2 or (2) it changes the value of the CR4.PCI DE
from 1 to 0.
— The instruction invalidates all TLB entries and all entries in all paging-structure caches for the current PCI D
if (1) it changes the value of CR4.PAE; or (2) it changes the value of CR4.SMEP from 0 to 1.
• Task switch. I f a task switch changes the value of CR3, it invalidates all TLB entries associated with PCI D 000H
except those for global pages. I t also invalidates all entries in all paging-structure caches for associated with
PCI D 000H. 3
• VMX transitions. See Section 4.11.1.
The processor is always free to invalidate additional entries in the TLBs and paging-structure caches. The following
are some examples:
• I NVLPG may invalidate TLB entries for pages other than the one corresponding to its linear-address operand. I t
may invalidate TLB entries and paging-structure-cache entries associated with PCI Ds other than the current
PCI D.
1. If the paging structures map the linear address using a page larger than 4 KBytes and there are multiple TLB entries for that page
(see Section 4.10.2.3), the instruction invalidates all of them.
2. If CR4.PGE is changing from 0 to 1, there were no global TLB entries before the execution; if CR4.PGE is changing from 1 to 0, there
will be no global TLB entries after the execution.
3. Task switches do not occur in IA-32e mode and thus cannot occur with IA-32e paging. Since CR4.PCIDE can be set only with IA-32e
paging, task switches occur only with CR4.PCIDE = 0.
Vol. 3A 4-39
PAGING
• I NVPCI D may invalidate TLB entries for pages other than the one corresponding to the specified linear address.
I t may invalidate TLB entries and paging-structure-cache entries associated with PCI Ds other than the specified
PCI D.
• MOV to CR0 may invalidate TLB entries even if CR0.PG is not changing. For example, this may occur if either
CR0.CD or CR0.NW is modified.
• MOV to CR3 may invalidate TLB entries for global pages. I f CR4.PCI DE = 1 and bit 63 of the instruction’s source
operand is 0, it may invalidate TLB entries and entries in the paging-structure caches associated with PCI Ds
other than the current PCI D. I t may invalidate entries if CR4.PCI DE = 1 and bit 63 of the instruction’s source
operand is 1.
• MOV to CR4 may invalidate TLB entries when changing CR4.PSE or when changing CR4.SMEP from 1 to 0.
• On a processor supporting Hyper-Threading Technology, invalidations performed on one logical processor may
invalidate entries in the TLBs and paging-structure caches used by other logical processors.
(Other instructions and operations may invalidate entries in the TLBs and the paging-structure caches, but the
instructions identified above are recommended.)
I n addition to the instructions identified above, page faults invalidate entries in the TLBs and paging-structure
caches. I n particular, a page-fault exception resulting from an attempt to use a linear address will invalidate any
TLB entries that are for a page number corresponding to that linear address and that are associated with the
current PCI D. it also invalidates all entries in the paging-structure caches that would be used for that linear address
and that are associated with the current PCI D. 1 These invalidations ensure that the page-fault exception will not
recur (if the faulting instruction is re-executed) if it would not be caused by the contents of the paging structures
in memory (and if, therefore, it resulted from cached entries that were not invalidated after the paging structures
were modified in memory).
As noted in Section 4.10.2, some processors may choose to cache multiple smaller-page TLB entries for a transla-
tion specified by the paging structures to use a page larger than 4 KBytes. There is no way for software to be aware
that multiple translations for smaller pages have been used for a large page. The I NVLPG instruction and page
faults provide the same assurances that they provide when a single TLB entry is used: they invalidate all TLB
entries corresponding to the translation specified by the paging structures.
1. Unlike INVLPG, page faults need not invalidate all entries in the paging-structure caches, only those that would be used to translate
the faulting linear address.
2. One execution of INVLPG is sufficient even for a page with size greater than 4 KBytes.
4-40 Vol. 3A
PAGING
— Execute MOV to CR4 to modify CR4.PGE, either immediately or before again using any of the affected
PCI Ds. For example, software could use different (previously unused) PCI Ds for the processes that used the
affected PCI Ds.
— For each affected PCI D, execute MOV to CR3 to make that PCI D current (and to load the address of the
appropriate PML4 table). I f the modified entry controls no global pages and bit 63 of the source operand to
MOV to CR3 was 0, no further steps are required. Otherwise, execute I NVLPG for linear addresses with each
of the page numbers with translations that would use the entry; if no page numbers that would use the
entry have translations, execute I NVLPG at least once.
• I f software using PAE paging modifies a PDPTE, it should reload CR3 with the register’s current value to ensure
that the modified PDPTE is loaded into the corresponding PDPTE register (see Section 4.4.1).
• I f the nature of the paging structures is such that a single entry may be used for multiple purposes (see Section
4.10.3.3), software should perform invalidations for all of these purposes. For example, if a single entry might
serve as both a PDE and PTE, it may be necessary to execute I NVLPG with two (or more) linear addresses, one
that uses the entry as a PDE and one that uses it as a PTE. (Alternatively, software could use MOV to CR3 or
MOV to CR4.)
• As noted in Section 4.10.2, the TLBs may subsequently contain multiple translations for the address range if
software modifies the paging structures so that the page size used for a 4-KByte range of linear addresses
changes. A reference to a linear address in the address range may use any of these translations.
Software wishing to prevent this uncertainty should not write to a paging-structure entry in a way that would
change, for any linear address, both the page size and either the page frame, access rights, or other attributes.
I t can instead use the following algorithm: first clear the P flag in the relevant paging-structure entry (e.g.,
PDE); then invalidate any translations for the affected linear addresses (see above); and then modify the
relevant paging-structure entry to set the P flag and establish modified translation(s) for the new page size.
• Software should clear bit 63 of the source operand to a MOV to CR3 instruction that establishes a PCI D that had
been used earlier for a different linear-address space (e.g., with a different value in bits 51: 12 of CR3). This
ensures invalidation of any information that may have been cached for the previous linear-address space.
This assumes that both linear-address spaces use the same global pages and that it is thus not necessary to
invalidate any global TLB entries. I f that is not the case, software should invalidate those entries by executing
MOV to CR4 to modify CR4.PGE.
1. If it is also the case that no invalidation was performed the last time the P flag was changed from 1 to 0, the processor may use a
TLB entry or paging-structure cache entry that was created when the P flag had earlier been 1.
Vol. 3A 4-41
PAGING
adverse behavior. Such an exception will occur at most once for each affected linear address (see Section
4.10.4.1).
• I f a paging-structure entry is modified to change the accessed flag from 1 to 0, failure to perform an invali-
dation may result in the processor not setting that bit in response to a subsequent access to a linear address
whose translation uses the entry. Software cannot interpret the bit being clear as an indication that such an
access has not occurred.
• I f software modifies a paging-structure entry that identifies the final physical address for a linear address
(either a PTE or a paging-structure entry in which the PS flag is 1) to change the dirty flag from 1 to 0, failure
to perform an invalidation may result in the processor not setting that bit in response to a subsequent write to
a linear address whose translation uses the entry. Software cannot interpret the bit being clear as an indication
that such a write has not occurred.
• The read of a paging-structure entry in translating an address being used to fetch an instruction may appear to
execute before an earlier write to that paging-structure entry if there is no serializing instruction between the
write and the instruction fetch. Note that the invalidating instructions identified in Section 4.10.4.1 are all
serializing instructions.
• Section 4.10.3.3 describes situations in which a single paging-structure entry may contain information cached
in multiple entries in the paging-structure caches. Because all entries in these caches are invalidated by any
execution of I NVLPG, it is not necessary to follow the modification of such a paging-structure entry by
executing I NVLPG multiple times solely for the purpose of invalidating these multiple cached entries. (I t may be
necessary to do so to invalidate multiple TLB entries.)
1. If the accesses are to different pages, this may occur even if invalidation has not been delayed.
4-42 Vol. 3A
PAGING
• As noted in Section 4.10.3.1, the processor may create an entry in a paging-structure cache even if there are
no translations for any linear address that might use that entry. Thus, if software has marked “not present” all
entries in page table, the processor may subsequently create a PDE-cache entry for the PDE that references
that page table (assuming that the PDE itself is marked “present”).
• I f software attempts to write to the freed portion of the linear-address space, the processor might not generate
a page fault. (Such an attempt would likely be the result of a software error.) For that reason, the page frames
previously associated with the freed portion of the linear-address space should not be reallocated for another
purpose until the appropriate invalidations have been performed.
Vol. 3A 4-43
PAGING
4-44 Vol. 3A
PAGING
directs the operating system or executive to load data for the unmapped page from external storage into physical
memory (perhaps writing a different page from physical memory out to external storage in the process) and to
map it using paging (by updating the paging structures). When the page has been loaded into physical memory, a
return from the exception handler causes the instruction that generated the exception to be restarted.
Paging differs from segmentation through its use of fixed-size pages. Unlike segments, which usually are the same
size as the code or data structures they hold, pages have a fixed size. I f segmentation is the only form of address
translation used, a data structure present in physical memory will have all of its parts in memory. I f paging is used,
a data structure can be partly in memory and partly in disk storage.
Page Frames
PTE
PTE
PTE
Seg. Descript. PDE
Seg. Descript. PDE
PTE
PTE
Vol. 3A 4-45
PAGING
4-46 Vol. 3A