6502 Opcode 8B (XAA, ANE)
Of all the unsupported opcodes, 8B has had a lot of attention because it seems unpredictable. Even the same computer has been seen to act differently even with the same inputs.
The reason is that this opcode connects the A register to SB (the Special Bus) at both input and output: in a sense, A is both read and written. Unlike the stack pointer, the A register is not designed to do that, and the result is a circuit configuration which behaves in an interesting way.
Note that our switch-level simulation tends to produce wired-AND behaviour: if two logic gates both drive the same wire, then either of them can drive it low. A real 6502 usually does the same, which is why 8B - often called XAA - will more or less AND together the three inputs: the X register, the A register, and the immediate operand.
Why more or less? Two reasons: the A register is fed back on itself, and because of an interaction with the RDY input.
The A register drives the SB directly, and bits 0 and 4 read SB directly. The other 6 bits read SB through the Decimal Adjust logic, which doesn't affect the logic value but does affect the timing, the logic thresholds and the drive strengths. Exactly what happens is an analogue problem, not a digital one, so it will depend on the exact model of CPU, the variations of chip manufacture, the power supply and the temperature. We can't even model this without knowing the transistor strengths and having some idea of the transistor parameters - which we can only guess at.
The RDY input is a more digital influence on the outcome. RDY is intended to stall the CPU during read accesses, so it can read from slow memory. As it happens, the 6502 samples the databus on every falling clock edge, and loads the IDL (Input Data Latch), and then drives into the target register. Normally, the final cycle is the one which counts, overwriting the stray external values. In some computers, RDY is used to stall the CPU while the bus is used for DMA, which means the bus contains data such as video data for several cycles, except the last. In the case of XAA, every cycle's data is ANDed into A, and this is why the final value of A changes even for the same values of operand, X and A.
Here's an abridged circuit diagram. Note that bits 0 and 4 have direct A feedback whereas the other bits have indirect feedback. Note that phi1 is when A is written, but the preceding phi2 is when the operand is loaded and the two busses precharged high.
(Logic gate pullups shown as resistors, although in NMOS logic pullups are not usually depletion-mode transistors. They pull up to the positive rail. The pass transistors and precharges cannot pull up to the rail: they drop a threshold voltage. These considerations will affect an analogue analysis.)
Testing this opcode
This opcode has 3 bytes of input, supposing that we're not allowing RDY to stall the machine and add more operands. We have a test program which tests 256^3 combinations of inputs and compares the final A and the two affected flags against a model. We also have a few specific combinations we've used to characterise different chips.
- describe or define the programs here
- also mention the Java simulation which tests the robustness of the switch simulator results (against the order of evaluation)
Modelling this opcode
Mention and link to an emulator code fragment.
The base formula for XAA seens to be:
A = (A | magic) & X & imm
"magic" defines which bits of A shine through.
We collect here some results of testing this opcode on various CPUs from different manufacturers and in various computers.
|manufacturer||type||YYWW||country||markings||on back||device tested in||tester||magic||RDY clears #4||stable*||N,Z flags OK**||notes|
|?||KIM-1||Michael||FF||?||?||?||only minimal testing done|
|VC1541||Michael||EE||?||yes||?||this is the chip that came with this disk drive|
|VC1541||Michael||EE||?||yes||?||from my Atari 800|
|VC1541||Michael||FF||?||yes||?||Simon's; spare part bought from retailer|
|Michael||FE||yes||yes||?||very early 8500|
|Michael||FE||yes||yes||?||very late 6502-like CPU|
|?||VC1541||Michael||FF||?||no||?|| bit #3 of X input gets treated as "bit #3 of X & bit #4 of X" most of the time (depends on A though)|
1 MHz mode tested, can also do 2 MHz; chip is from a VC1571
|?||VC1541||Michael||?||Simon's; yet to test|
|?||C128D||Michael||?||yet to test; can do 1 MHz and 2 MHz|
|?||VC1581||Michael||?||yet to test; can do 1 MHz and 2 MHz|
|?||Atari 800XL||Hias||00||-||almost||?|| 40 errors in 256^3 full test|
sometimes bit 3 was set
|?||Atari 800XL||Hias||00||-||no||yes|| ~150k - 450k errors (1% - 2.7%) in full test|
sometimes bit 3 set, for example A=03 X=FF imm=FF results either in 03 or 0B in repeated tests
|?||Atari 800XL||Hias||00||-||no||almost|| ~30k - 80k errors (0.2% - 0.5%) in full test|
sometimes bit 3 is set, but also bit 2 and 5 were set sometimes
for example A=5F or A=87 resulted in a set bit 3 (quite frequently), bit 5 (less frequently) or bit 2 (least frequent)
only flipping from 0 to 1 observed, no flipping from 1 to 0
flags were wrong 115 times (~7ppm)
|NCR||SALLY||8337||?|| NCR C014806C-29|
(C) ATARI 1980
|?||Atari 65XE||Hias||00||-||no||no|| This one is highly unstable and the formula seems to be more like A & X & (imm | 6E)|
when the CPU is cold A=FF X=FF imm=00 result in 46, later 66 and then 6E (when the CPU is warm)
bit 0 often flips from 0 to 1, for example A=01 X=01 imm=0C results in 00 or 01 (01 occurring more frequently when the CPU is warm)
Also bit 3 flipping from 1 to 0 was observed with A=09 X=E5 and imm=05 or 41 (result: 00 instead of 08)
also the Z flag is often incorrectly set to 1 when the result is non-zero. N flag seems to be OK.
|?||Atari 600XL||Hias||00||-||no||?||~95k errors (0.6%) in full test, sometimes bit 3 was set|
|?||BBC Model B||EdS||?||?||?||?||?|
(*)Note: "stable" means that the formula, the "magic" value and the potential #4 clearing by RDY fully describe the behavior.
(**)Note: N and Z flags are set according to the result of XAA