Memory-Mapped IO. IA-32 processors permit applications to access input/output (“IO”) ports in either of two ways: through a separate IO address space or through the physical memory address space. The latter approach is commonly referred to as “memory-mapped IO.”
Address Space, Chipsets, and the BIOS. Beginning with the introduction of the Pentium Pro, IA-32 processors provide a 36-bit address bus. This enables them to support up to 64 GB of physical memory. Accesses to this address space by the CPU and other devices within a computer are generally handled by several chips commonly known as the “chipset.” A chipset provides bus interface, data path, instruction caching and similar functions on the motherboard. System firmware known as the basic input/output system (“BIOS”) must configure the chipset at boot time with various information, including information about where main memory is located within the address space.
Chipset Configuration and the AGP Aperture. As a practical matter, the capabilities and requirements of the chipset dictate in large part where main memory can be located. The Intel E7505 chipset, for example, is designed to assume that certain devices will always be mapped into the peripheral component interconnect (“PCI”) memory address range—that is, the address range beginning at 4 GB and extending downward far enough to include certain address regions. Specifically, it assumes that the advanced programmable interrupt controller (“APIC”) addresses, the hub interface addresses, and any memory-mapped IO addresses will reside in this range. Another range of addresses the chipset assumes to exist in the PCI range is the accelerated graphics port (“AGP”) aperture. By way of background, the operating system allocates numerous 4 KB pages in main memory for use by the graphics controller. These allocated pages are normally discontiguous; but the graphics controller needs contiguous memory. So, a translation mechanism is used to create a series of contiguous logical addresses (the AGP aperture) within the PCI address range. These addresses map to the discontiguous pages that are allocated in main memory, wherever those might be.
By way of further background, configuration of the Intel E7505 and similar chipsets requires among other things that the BIOS write appropriate values into the top of lower memory (“TOLM”) register and into the DRAM row boundary 7 (“DRB7”) register. The TOLM register is designed to contain the maximum address below 4 GB that should be treated as main memory. The DRB7 register is designed to contain the maximum address in the machine that should be treated as main memory. Thus, for machines having less physical memory than 4 GB minus the minimum size required for the PCI memory address range, the TOLM and DRB7 registers will contain the same value. But for machines having more memory than that, the physical memory must be split because the PCI memory address range may not be moved. In such machines, there will be one region of physical memory located below the PCI range, and another region of physical memory located above the PCI range. The TOLM register will indicate the highest address within the first range. The DRB7 register will indicate the highest address within the second range.
Memory Reclaiming. In previous generation chipsets, any physical memory that was overlapped by the logical address space allocated to the PCI range was unusable. But in some workstations, the amount of memory allocated to memory-mapped IO devices could easily exceed 1 GB. An unacceptably large amount of physical memory was rendered unusable in such machines.
Now, chipsets such as the E7505 attempt to provide a capability for “reclaiming” physical memory that is overlapped by the PCI range. In theory, this is done by remapping the physical memory lying within the PCI range to an equivalent-sized logical address range located just above the top of physical memory. During chipset configuration, the bottom and top of a remapped window are defined by values written by the BIOS into a REMAPBASE register and a REMAPLIMIT register, respectively. During normal operation, each incoming logical address is checked to determine whether it falls in the remapped window. If so, then the incoming logical address is remapped to the physical memory starting at the address defined by the TOLM register.
The AGP Aperture Bug. Unfortunately, the memory reclaiming feature of the current E7505 chipset operates erroneously: When a device writes to an address within the remapped window, the write is executed correctly. But when a device reads from an address within the remapped window, the E7505 chipset sometimes returns data from reclaimed physical memory, and other times returns data from a corresponding address within the AGP aperture! Moreover, no warning is given to the consumer of this memory when the error occurs.
The straightforward approach to addressing this problem would be to avoid using the memory reclaiming feature of the E7505 chipset altogether. This approach would ensure that no memory accesses could result in errors. The downside of the straightforward approach, however, is that it results in losing a large range of addresses as unusable memory—a range equal in size to the entire PCI memory address range. As was mentioned above, this range can exceed 1 GB in some workstations.
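The address decode described under "Memory Reclaiming," and the amount of memory given up when reclaiming is disabled, can be modeled as follows; this is an added illustration, not code from the original text or from Intel, and the `REMAPPED` region it identifies is the one in which the erroneous reads described above occur. It assumes every register holds an exclusive byte bound rather than the chipset's actual encoding, covers only machines whose main memory extends to 4 GB or beyond, and uses constructed sample values (6 GB installed, TOLM at 3 GB); `make_map`, `decode` and `usable_bytes` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define GiB     (1ULL << 30)
#define FOUR_GB (4 * GiB)

/* Simplified model: every bound is an exclusive byte address (assumption,
 * not the chipset's register encoding). */
struct memmap {
    uint64_t tolm;         /* end of main memory below the PCI range */
    uint64_t drb7;         /* end of main memory in the machine */
    uint64_t remap_base;   /* bottom of remapped window */
    uint64_t remap_limit;  /* top of remapped window (== base when off) */
};
enum region { MAIN_LOW, PCI_RANGE, MAIN_HIGH, REMAPPED, UNMAPPED };

/* The window sits just above the top of physical memory and is as large as
 * the memory hidden behind the PCI range [tolm, 4 GB). */
static struct memmap make_map(uint64_t tolm, uint64_t drb7, int reclaim) {
    struct memmap m = { tolm, drb7, 0, 0 };
    if (reclaim && drb7 >= FOUR_GB) {
        m.remap_base  = drb7;
        m.remap_limit = drb7 + (FOUR_GB - tolm);
    }
    return m;
}

/* Classify a logical address; *phys is the DRAM address for memory regions. */
static enum region decode(const struct memmap *m, uint64_t addr, uint64_t *phys) {
    *phys = addr;
    if (addr < m->tolm)  return MAIN_LOW;
    if (addr < FOUR_GB)  return PCI_RANGE;
    if (addr < m->drb7)  return MAIN_HIGH;
    if (addr < m->remap_base || addr >= m->remap_limit) return UNMAPPED;
    *phys = m->tolm + (addr - m->remap_base);  /* window starts at TOLM */
    return REMAPPED;
}

/* Main memory reachable through the map. */
static uint64_t usable_bytes(const struct memmap *m) {
    uint64_t high = m->drb7 > FOUR_GB ? m->drb7 - FOUR_GB : 0;
    return m->tolm + high + (m->remap_limit - m->remap_base);
}

int main(void) {
    struct memmap on  = make_map(3 * GiB, 6 * GiB, 1);  /* constructed sample */
    struct memmap off = make_map(3 * GiB, 6 * GiB, 0);
    printf("lost without reclaim: %llu MiB\n",
           (unsigned long long)((usable_bytes(&on) - usable_bytes(&off)) >> 20));
    return 0;
}
```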