I've just realized that, at least under win98,
the DS limit is set to 0F300h! Am I crazy, or what?

SoftIce reports:
value base limit
CS 017F 0 FFFFFFFF
DS 0187 0 0000F300

Same thing for ES and SS.

You can check it with the LSL instruction:
mov ax,ds
lsl eax,eax    ;loads the segment limit into eax, ZF=1 if the selector is valid
jnz error      ;(invalid selector...)


I'm not into paging, but segment limit checking is done
before the paging unit, yes?

If so, then EVERY memory access will produce a GPF.

What am I missing here?

Edit: Just realized that it is 0C300h if SoftIce isn't running.
Posted on 2007-10-06 17:26:59 by aleksaZR

Edit: Just realized that it is 0C300h if SoftIce isn't running.


Good catch. Trying to debug 9x systems seems very unreliable :P
Posted on 2007-10-06 18:30:40 by SpooK
Heh, weird stuff. And shouldn't be possible, considering that applications are loaded to 0x400000.
Posted on 2007-10-07 05:05:52 by f0dder

Heh, weird stuff. And shouldn't be possible, considering that applications are loaded to 0x400000.
It is possible, but I just don't believe it!

Accessing the memory will produce a GPF, windoze will
- say "Ahaa, you wanna read/write something, a?"
- calc new address and use level 0 selector to read/write
- return to instruction following the one that produced the GPF.

Quite unbelievable... However, this is taken from the SoftIce history:

:ldt ds
Sel.  Type      Base      Limit    DPL  Attributes
0187  Data32    00000000  0000F300  3    P  RW ED

I would like someone to confirm this, please use the prog below.


.386
.model flat, stdcall

include    user32.inc ;change PATH
includelib user32.lib ;change PATH

.data
string byte '%X', 0                    ;wsprintf format: print eax in hex
capt   byte 'windows segment limit', 0 ;MessageBox caption
text   byte 128 dup (?)                ;formatted output buffer

.code
Start proc public
mov ax,ds          ;selector currently in DS
lsl eax,eax        ;eax = segment limit (scaled by G bit), ZF=1 if selector is valid
jz @F              ;valid: show the limit
mov eax,12345678h  ;invalid selector: show a marker value instead
@@:
invoke wsprintf, offset text, offset string, eax
invoke MessageBox, 0, offset text, offset capt, 0
ret                ;return to the kernel32 thread start stub
Start endp

end Start

Posted on 2007-10-07 13:53:10 by aleksaZR
Thanks for pointing this out, aleksa. Anytime I complain about this segment setting in win98 (don't know how it is in win95), nobody wants to believe me, even experienced system programmers. And I haven't had a native installation of win98 available for a long time, so I can't prove them wrong :)

It is quite simple. There are segments which grow up and segments which grow down (according to bit 10, the expansion-direction flag, in the data segment descriptor). In the case of win98, all flat data segments (DS, ES, SS) grow down, from FFFF_FFFF to the limit.

I really don't know why the limit is usually FFxx and not FFFF. It would be interesting to look at these bytes and find out what they mean.
Posted on 2007-10-08 02:40:34 by MazeGen
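An added example, not code from the thread or from any of the posters: a C decoder for an 8-byte GDT/LDT descriptor that applies the limit rule MazeGen describes, expand-up (offsets 0..limit) versus expand-down (offsets limit+1..FFFFFFFF for a 32-bit segment), and reports what LSL would load. The two descriptors are constructed here to match the SoftIce listing above (base 0, limit F300, DPL 3, P RW ED, plus a flat code segment); byte granularity (G=0) for the DS descriptor is an assumption, since the thread only shows the decoded limit.

```c
/* Added example: decode an x86 segment descriptor and apply the segment
 * limit check the way the CPU does for expand-up and expand-down segments.
 * Descriptors below are constructed to match the SoftIce output in the
 * thread; G=0 (byte granularity) for DS is an assumption. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    uint32_t base;
    uint32_t limit;        /* effective limit after applying the G bit */
    bool     present;
    unsigned dpl;
    bool     code;         /* type bit 3 set: code segment */
    bool     expand_down;  /* data segment with the E (expansion-direction) bit set */
    bool     big;          /* D/B bit: 1 = 32-bit segment, offsets up to FFFFFFFF */
} seg_desc;

/* Constructed descriptors, 8 bytes each in the little-endian GDT/LDT layout. */
const uint8_t WIN98_DS[8] = { 0x00, 0xF3, 0x00, 0x00, 0x00, 0xF6, 0x40, 0x00 }; /* limit F300, Data32 RW ED, DPL 3 */
const uint8_t FLAT_CS[8]  = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xFA, 0xCF, 0x00 }; /* limit FFFFFFFF, Code32 R, DPL 3 */

seg_desc decode(const uint8_t d[8]) {
    seg_desc s;
    uint32_t raw_limit = (uint32_t)d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    uint8_t access = d[5];
    s.base = (uint32_t)d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.present = (access & 0x80) != 0;
    s.dpl = (access >> 5) & 3;
    s.code = (access & 0x08) != 0;
    s.expand_down = !s.code && (access & 0x04) != 0;
    s.big = (d[6] & 0x40) != 0;
    /* G=1: limit is in 4 KB units and the low 12 bits read as ones (this is what LSL returns). */
    s.limit = (d[6] & 0x80) ? (raw_limit << 12) | 0xFFF : raw_limit;
    return s;
}

/* What LSL would load for this descriptor: the granularity-scaled limit. */
uint32_t lsl_limit(const uint8_t d[8]) { return decode(d).limit; }

bool is_expand_down(const uint8_t d[8]) { return decode(d).expand_down; }

/* Does an access of `size` (>= 1) bytes at `offset` pass the limit check?
 * Expand-up:   every byte must satisfy offset+i <= limit.
 * Expand-down: valid offsets run from limit+1 up to FFFFFFFF (B=1) or FFFF (B=0),
 *              so anything at or below the limit raises #GP. */
bool access_ok(const uint8_t d[8], uint32_t offset, uint32_t size) {
    seg_desc s = decode(d);
    uint64_t last = (uint64_t)offset + size - 1;   /* 64-bit so a wrap past FFFFFFFF is caught */
    if (!s.expand_down)
        return last <= s.limit;
    uint64_t top = s.big ? 0xFFFFFFFFull : 0xFFFFull;
    return offset > s.limit && last <= top;
}

int main(void) {
    seg_desc ds = decode(WIN98_DS), cs = decode(FLAT_CS);
    printf("DS: base %08X limit %08X dpl %u %s\n", (unsigned)ds.base, (unsigned)ds.limit, ds.dpl,
           ds.expand_down ? "expand-down (valid offsets limit+1..FFFFFFFF)" : "expand-up");
    printf("CS: base %08X limit %08X dpl %u\n", (unsigned)cs.base, (unsigned)cs.limit, cs.dpl);
    printf("4-byte read at 0x1000 via DS:   %s\n", access_ok(WIN98_DS, 0x1000, 4) ? "ok" : "#GP");
    printf("4-byte read at 0x400000 via DS: %s\n", access_ok(WIN98_DS, 0x400000, 4) ? "ok" : "#GP");
    return 0;
}
```

With the constructed DS descriptor, an access anywhere in the first 0xF301 bytes of the flat address space fails the limit check, while the usual 0x400000 image base passes, which is why ordinary applications never notice the limit.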
Hm, have any of you tried it on native Win9x installs, and not just vmware/whatever?
Posted on 2007-10-08 03:30:35 by f0dder
I experimented with LSL and LAR years ago on my native install of win98se. That's why I know this feature.
Posted on 2007-10-08 03:36:53 by MazeGen
Thank you very much, MazeGen!

I was aware that data segments can be expand-up or expand-down,
but have never used expand-down, and completely forgotten about them.

I've written a simple OS, and I have a problem detecting
when some app erroneously accesses memory around 0h, say the first 32k.

Expand-down segment will simply solve this, thanks once again!


P.S.
The "ED" in the SoftIce "Attributes" stands for expand-down.
I have a native win98se.
Posted on 2007-10-08 06:02:03 by aleksaZR

I've written a simple OS, and I have a problem detecting
when some app erroneously accesses memory around 0h, say the first 32k.

Expand-down segment will simply solve this, thanks once again!


P.S.
The "ED" in the SoftIce "Attributes" stands for expand-down.
I have a native win98se.
Setting those first page tables to Ring-0 only (which will cause Ring-3 apps to trigger INT 0x0E (#PF) upon access) is probably a cleaner option, but obviously this is only useful if you intend to use paging.
Posted on 2007-10-08 11:38:05 by SpooK
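An added example, not from the thread or from SpooK, of the paging-based alternative: a builder for 32-bit (non-PAE) page-table entries that identity-maps the first 4 MB and leaves the U/S bit clear on the pages below 32 KB, plus a model of the paging-unit check that says whether a given access faults and which #PF error code the handler would see. The table layout and the CR0.WP=0 assumption (supervisor code ignores the R/W bit) are mine; the thread does not describe aleksaZR's page tables.

```c
/* Added example: reserve the first 32 KB for ring 0 via the U/S bit of the
 * page-table entries, and model the #PF decision for a ring-3 access.
 * Assumes a single 32-bit non-PAE page table covering 0..4 MB and CR0.WP=0. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PTE_P   0x001u   /* present */
#define PTE_RW  0x002u   /* writable */
#define PTE_US  0x004u   /* user/supervisor: set = ring 3 may access */
#define PAGE_SIZE      4096u
#define PTES_PER_TABLE 1024u   /* one page table maps 4 MB */

/* #PF error code bits pushed by the CPU */
#define PF_PROT  0x1u   /* 1 = protection violation, 0 = page not present */
#define PF_WRITE 0x2u
#define PF_USER  0x4u

typedef struct { bool fault; uint32_t error_code; } pf_result;

static uint32_t demo_pt[PTES_PER_TABLE];

/* Identity-map the first 4 MB; pages below `kernel_only_bytes` get no U/S bit. */
void build_table(uint32_t pt[PTES_PER_TABLE], uint32_t kernel_only_bytes) {
    for (uint32_t i = 0; i < PTES_PER_TABLE; i++) {
        uint32_t phys  = i * PAGE_SIZE;
        uint32_t flags = PTE_P | PTE_RW;
        if (phys >= kernel_only_bytes)
            flags |= PTE_US;
        pt[i] = phys | flags;
    }
}

/* The table used by the demo and the tests: first 32 KB are ring-0 only. */
const uint32_t *demo_table(void) {
    build_table(demo_pt, 32 * 1024);
    return demo_pt;
}

/* Model of the paging-unit protection check for a linear address below 4 MB.
 * Returns whether the access faults and the error code the #PF handler gets. */
pf_result check_access(const uint32_t *pt, uint32_t linear, unsigned cpl, bool write) {
    pf_result r = { false, (write ? PF_WRITE : 0u) | (cpl == 3 ? PF_USER : 0u) };
    if (linear >= PTES_PER_TABLE * PAGE_SIZE) {   /* outside the table: not present */
        r.fault = true;
        return r;
    }
    uint32_t pte = pt[linear >> 12];
    if (!(pte & PTE_P)) {                         /* not-present fault, PF_PROT stays 0 */
        r.fault = true;
        return r;
    }
    bool user = (cpl == 3);
    if (user && !(pte & PTE_US)) {                /* ring 3 touching a supervisor page */
        r.fault = true;
        r.error_code |= PF_PROT;
        return r;
    }
    if (user && write && !(pte & PTE_RW)) {       /* ring 3 writing a read-only page */
        r.fault = true;
        r.error_code |= PF_PROT;
        return r;
    }
    return r;                                     /* ring 0 with CR0.WP=0 passes both checks */
}

int main(void) {
    const uint32_t *pt = demo_table();
    uint32_t probes[] = { 0x0100, 0x7FFF, 0x8000, 0x400000 };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        pf_result r = check_access(pt, probes[i], 3, false);
        printf("ring-3 read at %08X: %s (error code %u)\n", (unsigned)probes[i],
               r.fault ? "#PF" : "ok", (unsigned)r.error_code);
    }
    return 0;
}
```

The error code tells the handler why the access failed: bit 0 set means the page was present but protection was violated (the case a null-ish pointer in an application produces here), so the kernel can distinguish a bad application access from a demand-paging miss.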