What happens when a stack(or any expand-down data) segment (descriptor) is indexed with a register while using a expand-down segment? Say ESP=0, it gets decreased to 0xFFFFFFC for a dword write, then writing a value to SS:FFFFFFFC. The SS segment descriptor base pointing to 0x400, what memory address is the dword write written to? Is it written to 0x400+FFFFFFFC=3FC(according to the manual, it's just being added)? Or is the limit being added as well(0x400(base)+FFFFFFFC(index)+0x400(limit)=7FC), which would make more sense(the base still pointing to the start of the memory and the stack growing down from the end))?
Edit: This article seems to imply it's just simple addition, with the limit not being used in that case at all. So pushing a dword value to that stack will simply end up at linear memory address 0x3FC?
What happens when address sizes are changed? E.g. the base pointing to a 32-bit address, with a 16-bit offset being used? Is the offset simply sign-extended to 32-bits?
Edit: I've modified the accesses using 16-bits offsets within top-down segments to be extended to 32-bits by setting bits 16-31 to 1(offset |= 0xFFFF0000; ). Is that correct behaviour? Since the address space used is 32-bits wide(it's emulating a 32-bit x86 CPU(up to 80386 atm) with a 32-bit bus after all and 32-bits to address), setting those bits should ensure that 16-bit offsets behave correctly as the conversion to 32-bits and adding the upper 32 bits(before masking off the upper 8 bits when applying the address bus in the 80286) ensures that the address is indeed 'substracted' from the specified address)?