General protection fault
|This article does not cite any references or sources. (May 2011)|
A general protection fault (GPF) in the Intel x86 and AMD x86-64 architectures, and other unrelated architectures, is a fault (a type of interrupt) that can encompass several cases in which protection mechanisms within the processor architecture are violated by any of the programs that are running, either the kernel or a user program. The mechanism is first described in section 9.8.13 in the Intel 80386 programmer's reference manual from 1986. A general protection fault is implemented as an interrupt (vector number 13 in decimal) in both x86 and AMD64 architectures.
If the processor detects a protection violation, it stops executing the code and sends a GPF interrupt. In most cases the operating system will simply remove the failing process from the execution queue, signal the user, and continue executing another program. If however the operating system fails to catch the general protection fault, i.e. another protection violation occurs before the operating system returns from the previous GPF interrupt, the processor will signal a double fault (interrupt vector 8, a typical BSOD scenario). If yet another failure occurs, the processor will shut down (see triple fault). It will then only respond to a reset (that is, pressing the reset-button) or init (rebooting the entire system) and non-maskable interrupts (unless it has previously failed when handling NM interrupts, in which case it will ignore these too).
Behaviour in specific operating systems
In Microsoft Windows, the general protection fault presents with varied language, depending on product version:
- Unrecoverable Application Error. (Windows 3.0)
- [Program Name] has caused a General Protection Fault in module [module name] at [memory address]. (Windows 3.1 and 3.1x)
- This program has performed an illegal operation and will be shut down. (Windows 9x & Windows NT 4.0)
- [Program Name] has generated errors and will be closed by Windows. (Windows 2000)
- [Program Name] has caused an error in [Module Name]. [Program Name] will now close. (Windows Me)
- [Program Name/Description] has encountered a problem and needs to close. We are sorry for the inconvenience. (Windows XP)
- [Program Name/Description] has stopped working. (Windows Vista, Windows 7, Windows 8, and Windows 8.1)
In memory errors, the faulting program accesses memory that it should not access. Examples include:
- Attempting to write to a read-only portion of memory
- Attempting to execute bytes in memory which are not designated as instructions
- Attempting to read as data bytes in memory which are designated as instructions
- Other miscellaneous conflicts between the designation of a part of memory and its use
However, many modern operating systems implement their memory access-control schemes via paging instead of segmentation, so it is often the case that invalid memory references in operating systems such as Windows are reported via page faults instead of general protection faults. Operating systems typically provide an abstraction layer (such as exception handling or signals) that hides whatever internal processor mechanism was used to raise a memory access error from a program, for the purposes of providing a standard interface for handling many different types of processor-generated error conditions.
In terms of the x86 architecture, general protection faults are specific to segmentation-based protection when it comes to memory accesses. However, general protection faults are still used to report other protection violations (aside from memory access violations) when paging is used, such as the use of instructions not accessible from the current privilege level.
While it is theoretically possible for an operating system to utilize both paging and segmentation, for the most part, common operating systems typically rely on paging for the bulk of their memory access control needs.
There are some things on a computer which are reserved for the exclusive use of the operating system. If a program which is not part of the operating system attempts to use one of these features, it may cause a general protection fault.
Additionally, there are storage locations which are reserved both for the operating system and the processor itself. As a consequence of their reservation, they are read-only and an attempt to write data to them by an unprivileged program is an error.
Technical causes for faults
General protection faults are raised by the processor when a protected instruction is encountered which exceeds the permission level of the currently executing task - either because a user-mode program is attempting a protected instruction, or because the operating system has issued a request which would put the processor into an undefined state.
General protection faults are caught and handled by modern operating systems. Generally, if the fault originated in a user-mode program, the user-mode program is terminated. If, however, the fault originated in a core system driver or the operating system itself, the operating system usually saves diagnostic information either to a file or to the screen, and then either causes a blue screen of death or restarts the computer.
Segment limits exceeded
Segment limits can be exceeded:
- with code segment (CS), data segment (DS), or ES, FS, or GS (extra segment) registers; or
- accessing descriptor tables such as the Global Descriptor Table (GDT), the Interrupt descriptor table (IDT) and the Local Descriptor Table (LDT).
Segment permissions violated
Segment permissions can be violated by:
- jumping to non-executable segments
- writing to code segments, or read only segments
- reading execute-only segments
Segments illegally loaded
This can occur when:
- a stack segment (SS) is loaded with a segment selector for a read only, executable, null segment, or segment with descriptor privilege not matching the current privilege in CS
- a code segment (CS) loaded with a segment selector for a data, system, or null segment
- SS, DS, ES, FS, or GS are segments loaded with a segment selector for a system segment
- SS, DS, ES, FS, or GS are segments loaded with a segment selector for an execute-only code segment
- accessing memory using DS, ES, FS, or GS registers, when they contain a null selector
Faults can occur in the task state segment (TSS) structure when:
- switching to a busy task during a call or jump instruction
- switching to an available task during an interrupt return (IRET) instruction
- using a segment selector on a switch pointing to a TSS descriptor in the LDT
Other causes of general protection faults are:
- attempting to access an interrupt/exception handler from v86 mode when the handler's code segment descriptor privilege level (DPL) is greater than zero
- attempting to write a one into the reserved bits of CR4
- attempting to execute privileged instructions when the current privilege level (CPL) is not zero
- writing to a reserved bit in an MSR instruction
- accessing a gate containing a null segment selector
- executing a software interrupt when the CPL is greater than the DPL set for the interrupt gate
- the segment selector in a call, interrupt or trap gate does not point to a code segment
- exceeding the instruction length of 15 bytes
- violating privilege rules
- enabling paging whilst disabling protection
- referencing the interrupt descriptor table following an interrupt or exception that is not an interrupt, trap, or a task gate
- Legacy SSE: Memory operand is not 16-byte aligned.
Notes and references
- Intel Architecture Software Developer's Manual–Volume 3: System Programming