Halt and Catch Fire (computing)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

In computer engineering, Halt and Catch Fire, known by the assembly mnemonic HCF, is an idiom referring to a computer machine code instruction that causes the computer's central processing unit (CPU) to cease meaningful operation, typically requiring a restart of the computer. It originally referred to a fictitious instruction in IBM System/360 computers (introduced in 1964), making a joke about its numerous non-obvious instruction mnemonics.

With the advent of the MC6800 (introduced in 1974), a design flaw was discovered by the programmers. Due to incomplete opcode decoding, two illegal opcodes, 0x9D and 0xDD, will cause the program counter on the processor to increment endlessly, which locks the processor until reset. Those codes have been unofficially named HCF. During the design process of the MC6802, engineers originally planned to remove this instruction, but kept it as-is for testing purposes. As a result, HCF was officially recognized as a real instruction.[1][2] Later, HCF became a humorous catch-all term for instructions that may freeze a processor, including intentional instructions for testing purposes, and unintentional illegal instructions. Some are considered hardware defects, and if the system is shared, a malicious user can execute it to launch a denial-of-service attack.

In the case of real instructions, the implication of this expression is that, whereas in most cases in which a CPU executes an unintended instruction (a bug in the code) the computer may still be able to recover, in the case of an HCF instruction there is, by definition, no way for the system to recover without a restart.

The expression "catch fire" is a facetious exaggeration of the speed with which the CPU chip would be switching some bus circuits, causing them to overheat and burn.[3]

Origins[edit]

The Z1 (1938) and Z3 (1941) computers built by Konrad Zuse contained illegal sequences of instructions which damaged the hardware if executed by accident.[4]

Apocryphal stories connect this term with an illegal opcode in IBM System/360. A processor, upon encountering the instruction, would start switching bus lines very fast, potentially leading to overheating.[5][6]

In a computer's assembly language, mnemonics are used that are directly equivalent to machine code instructions. The mnemonics are frequently three letters long, such as ADD, CMP (to compare two numbers), and JMP (jump to a different location in the program). The HCF instruction was originally a fictitious assembly language instruction, said to be under development at IBM for use in their System/360 computers, along with many other amusing three-letter acronyms like XPR (Execute Programmer) and CAI (Corrupt Accounting Information),[7] and similar to other joke mnemonics such as "SDI" for "Self Destruct Immediately"[7] and "CRN" for "Convert to Roman Numerals".[8] A list of such mnemonics, including HCF, shows up as "Overextended Mnemonics" in the April 1980 Creative Computing flip-side parody issue.[9]

The IBM System/360 already included numerous non-obvious mnemonics like ZAP (Zero and Add Packed), EDMK (EDit and MarK), TRT (TRanslate and Test), and Read Backward (an I/O channel command),[10] and programmers began creating similarly cryptic, but fictitious, instructions in a humorous vein.[11][12]

In a 1990 USENET discussion, it was claimed that HCF dated back to before 1977.[13][14]

In Rick Cook's science fiction/fantasy novel, The Wizardry Compiled, about programmers transported to a universe where magic could be programmed, one of them refers to the command as HMCF, for "Halt, Melt and Catch Fire".

In TIS-100, a 2015 puzzle video game made by Zachtronics, there is an achievement called HALT_AND_CATCH_FIRE for crashing the machine with a hidden opcode.[15]

In modern CPUs[edit]

CPU designers sometimes incorporate one or more undocumented machine code instructions for testing purposes, such as the IBM System/360 DIAGnose instruction.[10]

Motorola 6800[edit]

The Motorola 6800 microprocessor was the first for which an undocumented assembly mnemonic HCF became widely known. The operation codes (opcodes—the portions of the machine language instructions that specify an operation to be performed) are hexadecimal 9D and DD, and were reported and given the unofficial[16] mnemonic HCF in an article written by Gerry Wheeler in the December 1977 issue of BYTE magazine on undocumented opcodes.[16] Wheeler noted that Motorola reported 197 valid operation codes for the M6800 processor, and so inferred that with 256 possible 8 bit combinations, there must be 59 "invalid instructions". He goes on to describe the HCF as a "big surprise", and saying of the Catch Fire portion of the moniker, "Well, almost":

When this instruction is run the only way to see what it is doing is with an oscilloscope. From the user's point of view the machine halts and defies most attempts to get it restarted. Those persons with indicator lamps on the address bus will see that the processor begins to read all of the memory, sequentially, very quickly. In effect, the address bus turns into a 16 bit counter. However, the processor takes no notice of what it is reading... it just reads.[16]

The process is reviewed by David Agans, thus:

In the old days of the Motorola 6800 microprocessor, instruction code DD caused the processor to go into an endless loop, reading from each memory address in order. (Other engineers referred to this as the "Halt and Catch Fire" [HCF] instruction, but we remembered the code by calling it the "Drop Dead" instruction.) Drop Dead mode was wonderful for spotting hardware timing and address logic problems with a scope; all of the address and clock lines were nice, cycling square waves.[17]

That is, either opcode made the processor enter a mode, continuously performing memory read cycles from successive addresses with no intervening instruction fetches. Hence, the address bus effectively became a counter, allowing the operation of all address lines to be quickly verified. Once the processor entered this mode, it was not responsive to interrupts, so normal operation could only be restored by a reset (hence the "Drop Dead" and "Halt and Catch Fire" monikers). These references were thus to the unresponsive behavior of the CPU in this state, and not to any form of erratic behavior.[citation needed]

Other HCF-like instructions were found later on the Motorola 6800 when executing undocumented opcodes FD (cycling twice slower than 9D/DD) or CD/ED (cycling at a human-readable very low frequency on a limited number of high-address lines).[18]

The mnemonic HCF is believed to be the first built-in self-test feature on a Motorola microprocessor.[2]

Intel x86[edit]

The Intel 8086 and subsequent processors in the x86 series had an HLT (halt) instruction, opcode F4, which stopped instruction execution and placed the processor in a HALT state. An enabled interrupt, a debug exception, the BINIT signal, the INIT signal, or the RESET signal resumed execution, which meant the processor could always be restarted.[19] Some of the early Intel DX4 chips had a problem with the HLT instruction and could not be restarted after this instruction was used, which disabled the computer and turned HLT into more of an HCF instruction. The Linux kernel added a "no-hlt" option telling Linux to run an infinite loop instead of using HLT, which allowed users of these broken chips to use Linux.[20]

The 80286 has the undocumented opcode 0F 04, causing the CPU to hang when executed. The only way out is CPU reset.[citation needed][21] In some implementations, the opcode was emulated through BIOS as a halting sequence.[22]

Many computers in the Intel Pentium line could be locked up by executing an invalid instruction (F00F C7C8), which caused the computer to lock up. This became known as the Pentium F00F bug. No compiler would create the instruction, but a malicious programmer could insert it into code to render an afflicted computer inoperable until the machine was power-cycled. Since its discovery, workarounds have been developed to prevent it from locking the computer, and the bug has been eliminated in subsequent Intel processors.[23][24]

During Black Hat USA 2017, Christopher Domas showed that he has found a new currently unknown "Halt and Catch Fire" instruction[25][26] on a particular x86 processor model using his own x86 processor fuzzer called sandsifter.[27]

Other CPUs[edit]

The MOS Technology 6502 has 12 invalid instructions which will freeze the CPU.[28][29]

On the Zilog Z80, executing DI (disable interrupts) followed by HALT (wait for an interrupt) results in the CPU staying frozen indefinitely, waiting for an interrupt that cannot happen. The similar Sharp processor core in the Game Boy's LR35902 system on chip contains a partial fix allowing it to recover from one HALT, like the 65C02's analogous WAI instruction, but it becomes frozen with two consecutive HALTs with interrupts disabled.[a][30] The core itself contains no less than 11 opcodes that fully lock the CPU when executed.[31]

The Z80 also supports a non-maskable interrupt.[32][33] The /NMI signal is on Pin 17 of the original 40 pin DIP package.[34][35] Since a non-maskable interrupt will regain control of the CPU even after executing the instruction sequence DI / HALT, that pair does not represent a true HCF. It will only result in a HCF condition if either the /NMI pin is connected directly to the +5V rail, making the generation of that signal impossible, or if the interrupt routine that services /NMI ends with a return, placing it back in the HALT state.

The Hitachi SC61860 mainly used in Sharp pocket computers in the 1980–1990 also have an undocumented HCF instruction with the opcode 7B.[36]

See also[edit]

Notes[edit]

  1. ^ When interrupts are disabled, the HALT instruction on the Game Boy CPU does not pause the CPU, but, rather, prevents the CPU's program counter from incrementing on the instruction immediately following the HALT, effectively doubling the instruction after the HALT (or, for a multi-byte instruction, doubling the first byte and separating off the original last byte into a new single-byte instruction); if the instruction after the HALT is itself a HALT, then (as HALT is a single-byte instruction) the CPU effectively sees an infinite series of HALTs, causing the system to lock up.

References[edit]

  1. ^ "6800 Instruction Set" (PDF). Bryan's Old Computers. Archived (PDF) from the original on 2021-05-01. Retrieved 2022-04-09.
  2. ^ a b Daniels, R. Gary; Bruce, William (April 1985). "Built-In Self-Test Trends in Motorola Microprocessors". IEEE Design & Test. 2 (2): 64–71. doi:10.1109/MDT.1985.294865. S2CID 22719798. To add insult to injury, we discovered that we had an illegal HACOF, an instruction that our customers found on the MC6800. It was an unused opcode-an illegal instruction. When executed inadvertently, the program counter would increment indefinitely. The problem, which was caused by incomplete opcode decoding, was a nuisance because Reset was the only means of terminating the instruction. ... During the design process, we figured out how to eliminate the HACOF instruction. About that time, the product engineers came to us with an idea. They said, 'You know what we'd really like? Some way to quickly test the RAM. If we could somehow point the program counter at the first RAM address and then just increment through the RAM, we could test it a lot faster.' Since the HACOF 'instruction' did precisely that—and we really didn't want to invest the effort needed to remove it—we replied, 'Have we got a deal for you!' HACOF thus became the first intentional built-in self-test feature on a Motorola microprocessor.
  3. ^ "Jargon File entry for the HCF assembly mnemonic". Archived from the original on 2012-05-20. Retrieved 2014-05-04.
  4. ^ Rojas, Raúl (April–June 1997). "Konrad Zuse's Legacy: The Architecture of the Z1 and Z3" (PDF). IEEE Annals of the History of Computing. 19 (2): 5–16 [9–10]. doi:10.1109/85.586067. Archived (PDF) from the original on 2022-07-03. Retrieved 2022-07-03. p. 10: There are a lot of details that the engineer designing the "microprogram" must keep in mind, otherwise short circuits can destroy the hardware. The Z1 with its mechanical design was still more sensitive in this respect than the Z3. Even after it was completed, there were sequences of instructions that the programmer had to avoid in order not to damage the hardware. One of those sequences was inadvertently tried at the Berlin Museum of Technology and Transportation, which led to slight damaging of the reconstructed Z1 in 1994. (12 pages)
  5. ^ Clements, Alan (2006-10-28). Embedding Ethics in Computer Architecture. ASEE/IEEE Frontiers in Education Conference (36 ed.). p. 4. Archived from the original on 2022-04-30. Retrieved 2018-03-02.
  6. ^ Kohler, Eddie (2005-04-04). "CS111 - Lecture 1" (PDF). p. 2. Archived (PDF) from the original on 2018-03-02. Retrieved 2018-03-02.
  7. ^ a b Dunlap, Bryan. "A Proposed Instruction Set". Physics Department, The Ohio State University. Archived from the original on 2017-09-08. Retrieved 2016-06-20.
  8. ^ Cirsovius, Werner. "Far out op codes". Archived from the original on 2016-03-05. Retrieved 2015-05-28.
  9. ^ "Overextended Mnemonics". Creative Computing. 6 (4): 17 (hex) (flip–side). April 1980. Retrieved 2017-03-12.
  10. ^ a b IBM System/360 Principles of Operation (PDF). IBM. Archived (PDF) from the original on 2012-02-29. Retrieved 2014-07-02.
  11. ^ "Kevin Korb's Jokes: Assembler Opcodes that should exist". Archived from the original on 2015-06-05. Retrieved 2016-12-13.
  12. ^ "Forgotten Assembly Language Commands". Archived from the original on 2017-03-16. Retrieved 2016-12-13.
  13. ^ "Subject: HCF instruction: from Principles of Operation" Archived 2017-02-24 at the Wayback Machine, Archived at textfiles.com
  14. ^ "apocryphal opcode mnemonics,long" Archived 2019-05-31 at the Wayback Machine, 1990-04-23, alt.folklore.computers, (via Google Groups)
  15. ^ "Steam Community: TIS-100: Achievements". Archived from the original on 2021-05-05. Retrieved 2021-05-11.
  16. ^ a b c Wheeler, Gerry (December 1977). "Undocumented M6800 Instructions". BYTE. Vol. 2, no. 12. pp. 46–47. The mnemonics are, of course, assigned by me.
  17. ^ Agans, David J. (2002). Debugging: the 9 indispensable rules for finding even the most elusive software and hardware problems. New York, USA: American Management Association. p. 77. ISBN 978-0-81442678-4. OCLC 52043345. Archived from the original on 2014-07-26. Retrieved 2016-10-30.
  18. ^ Demeulemeester, Samuel (2019-07-17). "Investigating the HCF (Halt & Catch Fire) instruction on Motorola 6800". X86.FR – Doc TB's R&D Lab. Archived from the original on 2022-03-31. Retrieved 2022-04-09.
  19. ^ "x86 Instruction Set Reference: HLT". Archived from the original on 2014-07-14. Retrieved 2014-07-02.
  20. ^ Gortmaker, Paul (2003-03-21). "The Linux Boot Prompt-How To" (PDF). The Linux Documentation Project. Archived (PDF) from the original on 2015-07-06. Retrieved 2014-07-02.
  21. ^ "Re: Undocumented opcodes (HINT_NOP)". Archived from the original on 2004-11-06. Retrieved 2010-11-07.
  22. ^ "Re: Also some undocumented 0Fh opcodes". Archived from the original on 2003-06-26. Retrieved 2010-11-07.
  23. ^ Collins, Robert R. (1998-05-01). "The Pentium F00F Bug: Workarounds for a nasty problem". Dr. Dobb's Journal. Archived from the original on 2022-04-30. Retrieved 2014-08-12.
  24. ^ Pentium Processor Specification Update (PDF). Intel Corporation. January 1999. pp. 51–52. Order number 242480-041. Archived (PDF) from the original on 2016-03-04. Retrieved 2006-11-02.
  25. ^ "Breaking the x86 ISA (PDF)" (PDF). Christopher Domas. Archived (PDF) from the original on 2018-01-04. Retrieved 2017-12-09.
  26. ^ "Breaking the x86 ISA (video)". Christopher Domas. Archived from the original on 2021-12-21. Retrieved 2017-12-09.
  27. ^ "sandsifter: the x86 processor fuzzer". Christopher Domas. Archived from the original on 2017-10-25. Retrieved 2017-12-09.
  28. ^ Steil, Michael. "How MOS 6502 Illegal Opcodes really work". pagetable.com. Archived from the original on 2016-07-07. Retrieved 2016-08-01.
  29. ^ Offenga, Freddy. "6502 Undocumented Opcodes". NesDev. Archived from the original on 2016-08-08. Retrieved 2016-08-01.
  30. ^ "GameBoy CPU Manual" (PDF). Archived (PDF) from the original on 2018-06-23. Retrieved 2018-06-22.
  31. ^ "Game Boy CPU instruction set". Archived from the original on 2021-02-09. Retrieved 2021-03-11.
  32. ^ "Interrupt Mechanism - Development - SMS Power!". Archived from the original on 2016-04-04. Retrieved 2016-04-25.
  33. ^ Flammenkamp, Achim. "Interrupt Behaviour of the Z80 CPU". Archived from the original on 2016-04-20. Retrieved 2016-04-25.
  34. ^ "Pinouts - Z80 family". Archived from the original on 2016-05-08. Retrieved 2016-04-25.
  35. ^ Vis, Peter J. "Zilog Z80 Pinout". Archived from the original on 2016-10-11. Retrieved 2016-04-25.
  36. ^ "SC61860 (Aka ESR-H) Instruction Set". GitHub. 2022-03-20. Archived from the original on 2022-03-23. Retrieved 2022-03-23.