1. Field of the Invention
The present invention relates generally to computer systems and, in particular, to validation of input/output (I/O) addresses in a fault-tolerant computer system.
2. Description of the Related Art
An input/output (I/O) adapter permits a central processing unit (CPU) and a host memory of a computer system to exchange information with I/O devices, such as disks and networks. These I/O devices are typically connected to the host memory via a data channel that is configured to transfer I/O data to/from specific address locations in host memory.
Typically, I/O data are organized into blocks of contiguous data in host memory prior to processing by the CPU. For instance, in the case of input data, all bytes comprising a data block are accumulated in host memory before the CPU processes that block. Similarly, the CPU prepares a full block of data in host memory before transmitting any word of that block to an I/O device. To obtain maximum performance of the computer system, data transfer between these components must be controlled and synchronized.
One known approach to controlling the transmission of I/O data is program-controlled I/O. Under such a scheme, the CPU directs the input and output activity of the system by communicating with an I/O controller to direct the transfer of data between an I/O device and a register of the CPU. However, the program-controlled scheme tends to impose high overhead because of the protracted involvement of the CPU. For example, the CPU must issue an initiation command followed by a series of completion tests to the controller along with, as the case may be, a transfer between its register and host memory for each word of data transferred.
Direct Memory Access (DMA) is a technique for reducing CPU involvement during the transfer of data by allowing transmission directly between the I/O device and host memory. Unlike programmed I/O, the CPU does not direct the transfer of data to/from its register and host memory. Instead, a separate, special-purpose DMA controller operates in conjunction with the I/O controller to administer the exchange of I/O data. Specifically, the DMA controller generates system addresses from I/O addresses so as to facilitate movement of data into and out of host memory, while the I/O controller reads and writes the data to the disk or network.
A fault-tolerant computer system is generally composed of specially designed components having improved tolerance to faults that enable their continuous operation. Examples of such specially designed components are an I/O adapter having a duplicated memory for "buffering" and checking all I/O information, and separate, duplicated DMA controller boards for verifying the accuracy of generated system addresses. These components simulate an intermediate staging area where duplicate copies of the data and addresses are temporarily stored and compared on a bit-by-bit basis. By ensuring the accuracy of the data/addresses, this arrangement prevents overwriting and corruption of valid information in host memory if, e.g., the DMA controller's address generation logic is faulty.
FIG. 1 is a schematic illustration of a prior art computer system 100 configured to implement the fault-tolerant DMA technique described above. The system 100 comprises an I/O adapter 140 coupled to a plurality of CPUs 102a,b (hereinafter 102) by way of duplicated DMA controller boards 120a,b (hereinafter 120). The I/O adapter 140 includes a plurality of I/O controllers (IOC) 142 and 144, each of which directs the operation of an associated I/O device. For the prior art embodiment shown in FIG. 1, IOC 142 controls the operation of disk 152 over line 154 and IOC 144 directs the operation of network 156 over line 158.
The IOCs are connected to duplicate memories 150a,b (hereinafter 150) by an internal bus 146. Each of the duplicate memories 150 is coupled to a discrete DMA controller board 120 via a respective I/O bus 130a,b. The DMA controller boards 120 contain address generation logic circuits 122a,b (hereinafter 122) for generating system addresses needed to access locations within host memories 104a,b (hereinafter 104) of the CPUs 102 over system buses 110a,b, respectively.
In accordance with the fault-tolerant DMA technique, the CPUs 102 initiate a transfer of a block of data, i.e., a DMA transaction, by first instructing the I/O adapter 140 to read the status of a specific I/O device and ensure that the device is prepared to accept data transfer commands. If status checking reveals a ready state, the CPUs 102 issue an appropriate initiation command to the DMA controllers 120. For example, if a data block is to be read from a disk, the command specifies a read operation and the location on disk of the data block to be transferred.
As noted, the CPUs are no longer involved in the transaction; accordingly, the DMA controllers must be provided with sufficient information so that they can execute the read/write operations on their own. This information typically consists of a starting address and a word count. The starting address specifies the host memory address at which the first data word is to be written or read, and the word count indicates how many data words are to be transferred. Since the data block is expected to occupy contiguous memory locations, the memory addresses for subsequent data words are generated by incrementing (or decrementing) the current memory address. After transmitting the above parameters, the CPUs issue a start command to the DMA controllers. At this point, the CPUs are free to undertake other useful tasks, and responsibility for the data block transfers is left to the DMA controllers.
Specifically, the DMA controllers 120 provide the appropriate I/O addresses to the I/O controller, which proceeds to acquire and place the data into the duplicated memories 150. Each DMA controller retrieves a copy of the data from a respective memory 150 and examines the data and their I/O addresses to verify their accuracy. Thereafter, the DMA controllers generate system addresses using the address generation logic 122 in connection with the associated I/O addresses, the starting host memory address and the number of words to be moved. The controller boards 120 then compare their generated addresses and, if correct, proceed to move the data into the proper host memory addresses.
After each word transfer, the DMA controllers examine the word count and, if it is greater than 0, transfer the next word. A zero count indicates that the specified number of words has been transferred; consequently, the DMA transaction is completed.
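The following C model is added here for illustration and is not part of the specification or of any product it describes. It simulates the prior-art transaction just described: two address generation logic circuits (cf. logic 122 on the duplicated boards 120) each map the I/O address of every word to a system address from the CPU-supplied starting address, the two results are compared before host memory is written, and the word count is decremented until it reaches zero. To show why the comparison matters, a constructed stuck-at-1 fault can be injected into the second generator; the names, the 64-word host memory and the fault model are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_WORDS 64u   /* size of the modelled host memory (assumed) */

/* Model of one DMA controller's address generation logic (cf. logic 122).
 * fault_mask is a constructed stuck-at-1 fault; 0 models a healthy generator. */
typedef struct {
    uint32_t start;       /* starting host memory address supplied by the CPU */
    uint32_t count;       /* remaining word count */
    uint32_t fault_mask;  /* bits forced high to model a faulty generator */
} dma_gen_t;

/* Map an I/O address (word offset within the block) to a system address.
 * The block is contiguous, so the address is the start plus the offset. */
static uint32_t dma_gen_next(const dma_gen_t *g, uint32_t io_addr)
{
    return (g->start + io_addr) | g->fault_mask;
}

typedef struct {
    uint32_t words_moved;  /* words actually written to host memory */
    uint32_t mismatches;   /* address disagreements between the two generators */
    bool     completed;    /* word count reached zero */
} dma_result_t;

/* One DMA transaction with duplicated generators A and B. Each generated
 * address pair is compared bit-by-bit (here: integer equality) before the
 * word is written; a disagreement aborts the transaction so host memory is
 * never written through an unverified address. */
dma_result_t dma_transfer(uint32_t host[HOST_WORDS], const uint32_t *io_data,
                          uint32_t start, uint32_t count, uint32_t fault_mask_b)
{
    dma_gen_t a = { start, count, 0 };
    dma_gen_t b = { start, count, fault_mask_b };
    dma_result_t r = { 0, 0, false };

    for (uint32_t io_addr = 0; a.count > 0; io_addr++) {
        uint32_t sa = dma_gen_next(&a, io_addr);
        uint32_t sb = dma_gen_next(&b, io_addr);
        if (sa != sb) {            /* the duplicated check fires: stop before writing */
            r.mismatches++;
            break;
        }
        if (sa >= HOST_WORDS)      /* guard for the model array only */
            break;
        host[sa] = io_data[io_addr];
        r.words_moved++;
        a.count--;                 /* both boards track the same word count */
        b.count--;
    }
    r.completed = (a.count == 0);
    return r;
}

/* Driver: move a constructed 4-word block to host address 8, once with two
 * healthy generators and once with bit 6 stuck at 1 in generator B. */
int main(void)
{
    static uint32_t host[HOST_WORDS];
    const uint32_t io_data[4] = { 0x11, 0x22, 0x33, 0x44 };

    dma_result_t ok = dma_transfer(host, io_data, 8, 4, 0);
    printf("healthy: moved=%u mismatches=%u completed=%d host[8..11]=%x %x %x %x\n",
           ok.words_moved, ok.mismatches, ok.completed,
           host[8], host[9], host[10], host[11]);

    memset(host, 0, sizeof host);
    dma_result_t bad = dma_transfer(host, io_data, 8, 4, 0x40);
    printf("faulty B: moved=%u mismatches=%u completed=%d\n",
           bad.words_moved, bad.mismatches, bad.completed);
    return 0;
}
```

With the fault injected, generator B produces system address 72 for the first word where generator A produces 8; the comparison catches the disagreement before any write, which is exactly the host-memory corruption that the duplicated hardware of FIG. 1 exists to prevent and that the embedded DMA engines discussed below can no longer detect without some other check.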
Although this duplicate hardware checking arrangement (e.g., duplicate memories 150, DMA controllers 120 and address generation logic 122) provides assurances that the data and addresses written to host memory are correct, the use of discrete, redundant hardware is costly and inefficient. A more effective arrangement comprises inserting the address generation logic onto the I/O adapter, integrating the DMA controller circuitry with the I/O controllers and eliminating the duplicate memories. The resulting embedded DMA "engines" obviate the need for separate DMA controller boards, while elimination of the duplicate memories reduces the latency associated with buffering of the I/O data.
However, the lack of discrete, redundant checking hardware generally inhibits identification of incorrectly generated I/O addresses and their mapped system addresses that may corrupt host memory. The present invention is directed towards protecting host memory by verifying the accuracy of the addresses generated by these embedded DMA engines prior to accessing the host memory.