Ken Shirriff Spots a Hardware Bug Fix in a Vintage Intel 8086 Processor Die
A tiny piece of circuitry on a silicon die shows the "complex and ad-hoc" nature of Intel's x86 architectural design.
Noted reverse engineer Ken Shirriff has taken a close look at the die of an Intel 8086 processor, launched in 1978 as the first device in what would become the x86 architecture, and discovered a surprise: a bug fix etched right into the silicon.
"The 8086 microprocessor was a groundbreaking processor introduced by Intel in 1978. It led to the x86 architecture that still dominates desktop and server computing," Shirriff explains. "While reverse engineering the 8086 from die photos, a particular circuit caught my eye because its physical layout on the die didn't match the surrounding circuitry. This circuit turns out to implement special functionality for a couple of instructions, subtly changing the way they interacted with interrupts."
When (and it is "when" rather than "if") there's a flaw in the design of a modern microprocessor, the issue is fixed or circumvented in software, using user-updatable software-based microcode, loaded at boot, to modify the hardware's operation. In 1978, though, that wasn't a thing, and microcode was a fixed and irreplaceable part of the processor die, so when Intel realized it had made a mistake in designing the 8086, it had no choice but to patch the hardware design itself.
"Strictly speaking, the Group Decode ROM is more of a PLA (Programmable Logic Array) than a ROM [Read Only Memory], but Intel calls it a ROM. It is a regular grid of logic, allowing gates to be packed together densely," Shirriff explains of the part of the processor that caught his eye during a visual inspection. "The last two columns in the PLA are a bit peculiar. The upper half is unused. Instead, two signals leave the side of the PLA horizontally and bypass the top of the PLA. These signals go to a NOR gate and an inverter that are kind of in the middle of nowhere, separated from the rest of the logic."
With other oddities surrounding the suspect circuitry, Shirriff did some research: Intel errata documentation revealed a bug responsible for memory corruption, should an interrupt directly follow certain MOV or POP instructions. The portion of the processor that appears to be hacked into place, it transpires, was designed specifically to work around the bug and prevent the memory corruption issue from the original design.
"One of the interesting things about reverse engineering the 8086 is when I find a curious feature on the die and then find that it matches an obscure part of the 8086 documentation," Shirriff concludes.
"Most of these are deliberate design decisions, but they show how complex and ad-hoc the 8086 architecture is, with many special cases. The case of the segment registers and interrupts, however, is the first circuit that I've found on the 8086 die that is part of a bug fix. This fix appears to have been fairly tricky, with multiple gates scattered in unused parts of the chip. It would be interesting to get a die photo of a very early 8086 chip, prior to this bug fix, to confirm the change and see if anything else was modified."
Shirriff's full write-up is available on his website, along with detailed footnotes.