14

What happens if a segment register plus offset overflows the 20-bit address space of the 8086? I assume it wraps around to 00000h, but want to confirm. For example, say DS is F001h and the offset is FFF0h. Would I then be reading 00000h?

Jacob Krall
  • 2,299
  • 2
  • 17
  • 31

1 Answers1

27

On an 8086, yes, the address space wraps around. Thus a segment address of F001h and an offset of FFF0h, producing an address of F0010h + FFF0h = 100000h, wraps around to 00000h.

The 8088, 8086, 80188 and 80186 only have 20 address lines, so bits beyond that don’t correspond to anything and aren’t seen by the bus. Thus asking for 100000h in the CPU results in an address of 00000h on the bus, the top bit is lost.

On systems built around later CPUs, the behaviour depends on the A20 gate¹ (if there is one), which allows the 21st address line (A20) to be enabled or disabled. If the line is disabled, the behaviour in real mode ends up being the same as on the 8086. If it is enabled, addresses don’t “wrap around”; this can be used to provide access, in real mode, to the first few kilobytes of the second megabyte, known as the high memory area. A number of products could use this memory to reduce their footprint in conventional memory; perhaps most famously, DR DOS 5.0 and MS-DOS 5.0 and later could use it, which produced considerable memory savings (and the famous “Packed file corrupt” error message with some programs).

OS/2 Museum has a number of articles exploring this address wrap-around and the A20 gates: notably Who needs the address wraparound, anyway?, The A20-Gate: It Wasn’t WordStar, EXEPACK and the A20-Gate, and The A20-Gate Fallout.

¹ The 80286 and 80386 don’t provide control over their address lines; when IBM designed the PC AT, they added external hardware to control A20 so that backward compatibility with the original PC could be preserved when running DOS. The A20 gate was initially handled by the keyboard controller, and later by motherboard chipsets. Intel added A20 control to their CPUs starting with the 80486; this still required help from the chipset. CPUs from the last decade (Haswell and later) no longer have an A20 gate.

Stephen Kitt
  • 121,835
  • 17
  • 505
  • 462
  • 2
    @Raffzahn calls this “address wrap” in footnote 10 on https://retrocomputing.stackexchange.com/a/6824/11579 – Jacob Krall Jun 23 '22 at 17:17
  • The link to “High memory area” on Wikipedia is a perfect next thing for me to read, thank you! – Jacob Krall Jun 23 '22 at 17:19
  • 4
    OS/2 Museum has a detailed post on the A20 gate, INT 30h, and the sordid history of address wraparound in the name of CP/M compatibility: http://www.os2museum.com/wp/who-needs-the-address-wraparound-anyway/ – Jim Nelson Jun 23 '22 at 17:50
  • 1
    Thanks @Jim, I knew there was an article there but couldn‘t find it! – Stephen Kitt Jun 23 '22 at 18:00
  • 2
    @JimNelson "the sordid history", indeed! :) – paul garrett Jun 23 '22 at 20:49
  • 2
    Would there have been any particular downside to designing the IBM AT so that addresses whose top two bits were clear would have the next two bits forced to 10, and then wiring the board so memory would start at physical address $20000, so that memory from $20000 to $29FFF would be mirrored at $0000-$09FFF and $10000-$19FFF, without having to flip any external latches? That would allow a protected mode OS to treat all of RAM as contiguous. – supercat Jun 24 '22 at 16:06
  • 2
    @supercat apart from losing 2MiB out of 16, I can’t think of any, as long as the mirroring applies to the bus everywhere and not just between the CPU and the bus (so that cards and the DMA controller have the same view of the bus as the CPU). – Stephen Kitt Jun 24 '22 at 16:32
  • @StephenKitt: I would think 8-bit ISA cards' signals should be gated so that they wouldn't see any memory accesses above $20000, and 16-bit cards should be designed so that functions other than memory are exposed at $0A0000-$0FFFFF and some higher addresses above the top of RAM, but not at $2A0000-$2FFFFF, while RAM cards should be active in the $2A0000-$2FFFFF range. – supercat Jun 24 '22 at 18:17
  • @supercat yup, 8-bit cards only have 20 address lines anyway. I suspect it could be made to work... I was more concerned about incoherence between memory addresses transmitted through some protocol v. addresses on the bus, but I can’t think of anything that did that pre-PnP except for DMA. I’m not sure I follow your address break-down for 16-bit ISA; doesn’t it break the mirroring principle? (I understand why you’d want it, but having different behaviour depending on where you are on the bus feels like it’s asking for trouble.) – Stephen Kitt Jun 24 '22 at 19:11
  • @StephenKitt: Protected mode software would benefit from having a contiguous region of RAM, without weird I/O related stuff in the middle of it, but wouldn't have a reason to care whether, from the CPU's perspective, that starts somewhere above 0x200000 rather than just above things like the interrupt vector table and anything else that would need to be kept in low memory. – supercat Jun 24 '22 at 19:34
  • Fun fact: the A20 gate was used to dump the second version of the original Xbox's security ROM. As an x86, the Xbox booted from address 0xFFFFFFF0, at which address was the security ROM. We disabled A20, which caused the CPU to boot from 0xFFEFFFF0 instead, which was hacker-controlled. Now the hacker-controlled CPU code could re-enable A20 (by sending a message to hacker-added hardware) then read out the security ROM. – Myria Sep 28 '22 at 21:01