2 * Memory mappings. Life was easier when 2G of memory was enough.
4 * The kernel memory starts at KZERO, with the text loaded at KZERO+1M
5 * (9load sits under 1M during the load). The memory from KZERO to the
6 * top of memory is mapped 1-1 with physical memory, starting at physical
7 * address 0. All kernel memory and data structures (i.e., the entries stored
8 * into conf.mem) must sit in this physical range: if KZERO is at 0xF0000000,
9 * then the kernel can only have 256MB of memory for itself.
11 * The 256M below KZERO comprises three parts. The lowest 4M is the
12 * virtual page table, a virtual address representation of the current
13 * page table tree. The second 4M is used for temporary per-process
14 * mappings managed by kmap and kunmap. The remaining 248M is used
15 * for global (shared by all procs and all processors) device memory
16 * mappings and managed by vmap and vunmap. The total amount (256M)
17 * could probably be reduced somewhat if desired. The largest device
18 * mapping is that of the video card, and even though modern video cards
19 * have embarrassing amounts of memory, the video drivers only use one
20 * frame buffer worth (at most 16M). Each is described in more detail below.
22 * The VPT is a 4M frame constructed by inserting the pdb into itself.
23 * This short-circuits one level of the page tables, with the result that
24 * the contents of second-level page tables can be accessed at VPT.
25 * We use the VPT to edit the page tables (see mmu) after inserting them
26 * into the page directory. It is a convenient mechanism for mapping what
27 * might be otherwise-inaccessible pages. The idea was borrowed from
30 * The VPT doesn't solve all our problems, because we still need to
31 * prepare page directories before we can install them. For that, we
32 * use tmpmap/tmpunmap, which map a single page at TMPADDR.
36 #include "../port/lib.h"
43 * Simple segment descriptors with no translation.
45 #define DATASEGM(p) { 0xFFFF, SEGG|SEGB|(0xF<<16)|SEGP|SEGPL(p)|SEGDATA|SEGW }
46 #define EXECSEGM(p) { 0xFFFF, SEGG|SEGD|(0xF<<16)|SEGP|SEGPL(p)|SEGEXEC|SEGR }
47 #define EXEC16SEGM(p) { 0xFFFF, SEGG|(0xF<<16)|SEGP|SEGPL(p)|SEGEXEC|SEGR }
48 #define TSSSEGM(b,p) { ((b)<<16)|sizeof(Tss),\
49 ((b)&0xFF000000)|(((b)>>16)&0xFF)|SEGTSS|SEGPL(p)|SEGP }
53 [NULLSEG] { 0, 0}, /* null descriptor */
54 [KDSEG] DATASEGM(0), /* kernel data/stack */
55 [KESEG] EXECSEGM(0), /* kernel code */
56 [UDSEG] DATASEGM(3), /* user data/stack */
57 [UESEG] EXECSEGM(3), /* user code */
58 [TSSSEG] TSSSEGM(0,0), /* tss segment */
59 [KESEG16] EXEC16SEGM(0), /* kernel code 16-bit */
62 static int didmmuinit;
63 static void taskswitch(ulong, ulong);
64 static void memglobal(void);
66 #define vpt ((ulong*)VPT)
67 #define VPTX(va) (((ulong)(va))>>12)
68 #define vpd (vpt+VPTX(VPT))
73 memmove(m->gdt, gdt, sizeof gdt);
84 if(0) print("vpt=%#.8ux vpd=%#p kmap=%#.8ux\n",
88 m->pdb[PDX(VPT)] = PADDR(m->pdb)|PTEWRITE|PTEVALID;
90 m->tss = mallocz(sizeof(Tss), 1);
92 panic("mmuinit: no memory for Tss");
93 m->tss->iomap = 0xDFFF<<16;
96 * We used to keep the GDT in the Mach structure, but it
97 * turns out that that slows down access to the rest of the
98 * page. Since the Mach structure is accessed quite often,
99 * it pays off anywhere from a factor of 1.25 to 2 on real
100 * hardware to separate them (the AMDs are more sensitive
101 * than Intels in this regard). Under VMware it pays off
102 * a factor of about 10 to 100.
104 memmove(m->gdt, gdt, sizeof gdt);
106 m->gdt[TSSSEG].d0 = (x<<16)|sizeof(Tss);
107 m->gdt[TSSSEG].d1 = (x&0xFF000000)|((x>>16)&0xFF)|SEGTSS|SEGPL(0)|SEGP;
109 ptr[0] = sizeof(gdt)-1;
112 ptr[2] = (x>>16) & 0xFFFF;
115 ptr[0] = sizeof(Segdesc)*256-1;
118 ptr[2] = (x>>16) & 0xFFFF;
121 /* make kernel text unwritable */
122 for(x = KTZERO; x < (ulong)etext; x += BY2PG){
123 p = mmuwalk(m->pdb, x, 2, 0);
129 taskswitch(PADDR(m->pdb), (ulong)m + BY2PG);
134 * On processors that support it, we set the PTEGLOBAL bit in
135 * page table and page directory entries that map kernel memory.
136 * Doing this tells the processor not to bother flushing them
137 * from the TLB when doing the TLB flush associated with a
138 * context switch (write to CR3). Since kernel memory mappings
139 * are never removed, this is safe. (If we ever remove kernel memory
140 * mappings, we can do a full flush by turning off the PGE bit in CR4,
141 * writing to CR3, and then turning the PGE bit back on.)
143 * See also mmukmap below.
145 * Processor support for the PTEGLOBAL bit is enabled in devarch.c.
153 /* only need to do this once, on bootstrap processor */
161 for(i=PDX(KZERO); i<1024; i++){
162 if(pde[i] & PTEVALID){
164 if(!(pde[i] & PTESIZE)){
165 pte = KADDR(pde[i]&~(BY2PG-1));
166 for(j=0; j<1024; j++)
167 if(pte[j] & PTEVALID)
175 * Flush all the user-space and device-mapping mmu info
176 * for this process, because something has been deleted.
177 * It will be paged back in on demand.
191 * Flush a single page mapping from the tlb.
196 if(X86FAMILY(m->cpuidax) >= 4)
203 * Allocate a new page for a page directory.
204 * We keep a small cache of pre-initialized
205 * page directories in each mach.
218 page = newpage(0, 0, 0);
219 page->va = (ulong)vpd;
222 memmove(pdb, m->pdb, BY2PG);
223 pdb[PDX(VPT)] = page->pa|PTEWRITE|PTEVALID; /* set up VPT */
227 m->pdbpool = page->next;
235 mmupdbfree(Proc *proc, Page *p)
238 panic("mmupdbfree: islo");
241 p->next = proc->mmufree;
244 p->next = m->pdbpool;
251 * A user-space memory segment has been deleted, or the
252 * process is exiting. Clear all the pde entries for user-space
253 * memory mappings and device mappings. Any entries that
254 * are needed will be paged back in as necessary.
257 mmuptefree(Proc* proc)
263 if(proc->mmupdb == nil || proc->mmuused == nil)
266 pdb = tmpmap(proc->mmupdb);
267 last = &proc->mmuused;
268 for(page = *last; page; page = page->next){
269 pdb[page->daddr] = 0;
274 *last = proc->mmufree;
275 proc->mmufree = proc->mmuused;
280 taskswitch(ulong pdb, ulong stack)
295 mmuswitch(Proc* proc)
307 pdb = tmpmap(proc->mmupdb);
308 pdb[PDX(MACHADDR)] = m->pdb[PDX(MACHADDR)];
310 taskswitch(proc->mmupdb->pa, (ulong)(proc->kstack+KSTACK));
312 taskswitch(PADDR(m->pdb), (ulong)(proc->kstack+KSTACK));
314 memmove(&m->gdt[PROCSEG0], proc->gdt, sizeof(proc->gdt));
315 if((x = (ulong)proc->ldt) && (n = proc->nldt) > 0){
316 m->gdt[LDTSEG].d0 = (x<<16)|((n * sizeof(Segdesc)) - 1);
317 m->gdt[LDTSEG].d1 = (x&0xFF000000)|((x>>16)&0xFF)|SEGLDT|SEGPL(0)|SEGP;
324 * Release any pages allocated for a page directory base or page-tables
326 * switch to the prototype pdb for this processor (m->pdb);
327 * call mmuptefree() to place all pages used for page-tables (proc->mmuused)
328 * onto the process' free list (proc->mmufree). This has the side-effect of
329 * cleaning any user entries in the pdb (proc->mmupdb);
330 * if there's a pdb put it in the cache of pre-initialised pdb's
331 * for this processor (m->pdbpool) or on the process' free list;
332 * finally, place any pages freed back into the free pool (palloc).
333 * This routine is only called from schedinit() with palloc locked.
336 mmurelease(Proc* proc)
342 panic("mmurelease: islo");
343 taskswitch(PADDR(m->pdb), (ulong)m + BY2PG);
345 if(proc->mmupdb == nil)
346 panic("mmurelease: no mmupdb");
347 if(--proc->kmaptable->ref)
348 panic("mmurelease: kmap ref %d", proc->kmaptable->ref);
350 panic("mmurelease: nkmap %d", proc->nkmap);
352 * remove kmaptable from pdb before putting pdb up for reuse.
354 pdb = tmpmap(proc->mmupdb);
355 if(PPN(pdb[PDX(KMAP)]) != proc->kmaptable->pa)
356 panic("mmurelease: bad kmap pde %#.8lux kmap %#.8lux",
357 pdb[PDX(KMAP)], proc->kmaptable->pa);
361 * move kmaptable to free list.
363 pagechainhead(proc->kmaptable);
368 mmupdbfree(proc, proc->mmupdb);
371 for(page = proc->mmufree; page; page = next){
374 panic("mmurelease: page->ref %d", page->ref);
377 if(proc->mmufree && palloc.r.p)
388 * Allocate and install pdb for the current process.
397 if(up->mmupdb != nil)
399 page = mmupdballoc();
401 if(up->mmupdb != nil){
403 * Perhaps we got an interrupt while
404 * mmupdballoc was sleeping and that
405 * interrupt allocated an mmupdb?
408 mmupdbfree(up, page);
413 pdb[PDX(MACHADDR)] = m->pdb[PDX(MACHADDR)];
416 putcr3(up->mmupdb->pa);
421 * Update the mmu in response to a user fault. pa may have PTEWRITE set.
424 putmmu(ulong va, ulong pa, Page*)
429 if(up->mmupdb == nil)
433 * We should be able to get through this with interrupts
434 * turned on (if we get interrupted we'll just pick up
435 * where we left off) but we get many faults accessing
436 * vpt[] near the end of this function, and they always happen
437 * after the process has been switched out and then
438 * switched back, usually many times in a row (perhaps
439 * it cannot switch back successfully for some reason).
441 * In any event, I'm tired of searching for this bug.
442 * Turn off interrupts during putmmu even though
443 * we shouldn't need to. - rsc
447 if(!(vpd[PDX(va)]&PTEVALID)){
448 if(up->mmufree == 0){
450 page = newpage(0, 0, 0);
455 up->mmufree = page->next;
457 vpd[PDX(va)] = PPN(page->pa)|PTEUSER|PTEWRITE|PTEVALID;
458 /* page is now mapped into the VPT - clear it */
459 memset((void*)(VPT+PDX(va)*BY2PG), 0, BY2PG);
460 page->daddr = PDX(va);
461 page->next = up->mmuused;
465 vpt[VPTX(va)] = pa|PTEUSER|PTEVALID;
468 if(getcr3() != up->mmupdb->pa)
469 print("bad cr3 %#.8lux %#.8lux\n", getcr3(), up->mmupdb->pa);
474 * Double-check the user MMU.
475 * Error checking only.
478 checkmmu(uintptr va, uintptr pa)
482 if(!(vpd[PDX(va)]&PTEVALID) || !(vpt[VPTX(va)]&PTEVALID))
484 if(PPN(vpt[VPTX(va)]) != pa)
485 print("%ld %s: va=%#p pa=%#p pte=%#08lux\n",
487 va, pa, vpt[VPTX(va)]);
491 * Walk the page-table pointed to by pdb and return a pointer
492 * to the entry for virtual address va at the requested level.
493 * If the entry is invalid and create isn't requested then bail
494 * out early. Otherwise, for the 2nd level walk, allocate a new
495 * page-table page and register it in the 1st level. This is used
496 * only to edit kernel mappings, which use pages from kernel memory,
497 * so it's okay to use KADDR to look at the tables.
500 mmuwalk(ulong* pdb, ulong va, int level, int create)
505 table = &pdb[PDX(va)];
506 if(!(*table & PTEVALID) && create == 0)
519 panic("mmuwalk2: va %luX entry %luX", va, *table);
520 if(!(*table & PTEVALID)){
522 * Have to call low-level allocator from
523 * memory.c if we haven't set up the xalloc
527 map = xspanalloc(BY2PG, BY2PG, 0);
531 panic("mmuwalk xspanalloc failed");
532 *table = PADDR(map)|PTEWRITE|PTEVALID;
534 table = KADDR(PPN(*table));
535 return &table[PTX(va)];
540 * Device mappings are shared by all procs and processors and
541 * live in the virtual range VMAP to VMAP+VMAPSIZE. The master
542 * copy of the mappings is stored in mach0->pdb, and they are
543 * paged in from there as necessary by vmapsync during faults.
546 static Lock vmaplock;
548 static int findhole(ulong *a, int n, int count);
549 static ulong vmapalloc(ulong size);
550 static void pdbunmap(ulong*, ulong, int);
553 * Add a device mapping to the vmap range.
556 vmap(ulong pa, int size)
562 * might be asking for less than a page.
569 size = ROUND(size, BY2PG);
571 print("vmap pa=0 pc=%#p\n", getcallerpc(&pa));
575 if((va = vmapalloc(size)) == 0
576 || pdbmap(MACHP(0)->pdb, pa|PTEUNCACHED|PTEWRITE, va, size) < 0){
581 /* avoid trap on local processor
582 for(i=0; i<size; i+=4*MB)
586 // print(" vmap %#.8lux %d => %#.8lux\n", pa+o, osize, va+o);
587 return (void*)(va + o);
591 findhole(ulong *a, int n, int count)
608 * Look for free space in the vmap.
611 vmapalloc(ulong size)
617 vpdb = &MACHP(0)->pdb[PDX(VMAP)];
618 vpdbsize = VMAPSIZE/(4*MB);
621 n = (size+4*MB-1) / (4*MB);
622 if((o = findhole(vpdb, vpdbsize, n)) != -1)
623 return VMAP + o*4*MB;
626 n = (size+BY2PG-1) / BY2PG;
627 for(i=0; i<vpdbsize; i++)
628 if((vpdb[i]&PTEVALID) && !(vpdb[i]&PTESIZE))
629 if((o = findhole(KADDR(PPN(vpdb[i])), WD2PG, n)) != -1)
630 return VMAP + i*4*MB + o*BY2PG;
631 if((o = findhole(vpdb, vpdbsize, 1)) != -1)
632 return VMAP + o*4*MB;
635 * could span page directory entries, but not worth the trouble.
636 * not going to be very much contention.
642 * Remove a device mapping from the vmap range.
643 * Since pdbunmap does not remove page tables, just entries,
644 * the call need not be interlocked with vmap.
647 vunmap(void *v, int size)
655 * might not be aligned
661 size = ROUND(size, BY2PG);
663 if(size < 0 || va < VMAP || va+size > VMAP+VMAPSIZE)
664 panic("vunmap va=%#.8lux size=%#x pc=%#.8lux",
665 va, size, getcallerpc(&v));
667 pdbunmap(MACHP(0)->pdb, va, size);
670 * Flush mapping from all the tlbs and copied pdbs.
671 * This can be (and is) slow, since it is called only rarely.
672 * It is possible for vunmap to be called with up == nil,
673 * e.g. from the reset/init driver routines during system
674 * boot. In that case it suffices to flush the MACH(0) TLB
677 if(!active.thunderbirdsarego){
678 putcr3(PADDR(MACHP(0)->pdb));
681 for(i=0; i<conf.nproc; i++){
688 for(i=0; i<conf.nmach; i++){
694 for(i=0; i<conf.nmach; i++){
697 while((active.machs&(1<<nm->machno)) && nm->flushmmu)
703 * Add kernel mappings for pa -> va for a section of size bytes.
706 pdbmap(ulong *pdb, ulong pa, ulong va, int size)
709 ulong pgsz, *pte, *table;
715 if((MACHP(0)->cpuiddx & Pse) && (getcr4() & 0x10))
720 for(off=0; off<size; off+=pgsz){
721 table = &pdb[PDX(va+off)];
722 if((*table&PTEVALID) && (*table&PTESIZE))
723 panic("vmap: va=%#.8lux pa=%#.8lux pde=%#.8lux",
724 va+off, pa+off, *table);
727 * Check if it can be mapped using a 4MB page:
728 * va, pa aligned and size >= 4MB and processor can do it.
730 if(pse && (pa+off)%(4*MB) == 0 && (va+off)%(4*MB) == 0 && (size-off) >= 4*MB){
731 *table = (pa+off)|flag|PTESIZE|PTEVALID;
734 pte = mmuwalk(pdb, va+off, 2, 1);
736 panic("vmap: va=%#.8lux pa=%#.8lux pte=%#.8lux",
737 va+off, pa+off, *pte);
738 *pte = (pa+off)|flag|PTEVALID;
746 * Remove mappings. Must already exist, for sanity.
747 * Only used for kernel mappings, so okay to use KADDR.
750 pdbunmap(ulong *pdb, ulong va, int size)
757 table = &pdb[PDX(va)];
758 if(!(*table & PTEVALID))
759 panic("vunmap: not mapped");
760 if(*table & PTESIZE){
762 panic("vunmap: misaligned: %#p", va);
767 table = KADDR(PPN(*table));
768 if(!(table[PTX(va)] & PTEVALID))
769 panic("vunmap: not mapped");
776 * Handle a fault by bringing vmap up to date.
777 * Only copy pdb entries and they never go away,
778 * so no locking needed.
785 if(va < VMAP || va >= VMAP+VMAPSIZE)
788 entry = MACHP(0)->pdb[PDX(va)];
789 if(!(entry&PTEVALID))
791 if(!(entry&PTESIZE)){
792 /* make sure entry will help the fault */
793 table = KADDR(PPN(entry));
794 if(!(table[PTX(va)]&PTEVALID))
797 vpd[PDX(va)] = entry;
799 * TLB doesn't cache negative results, so no flush needed.
806 * KMap is used to map individual pages into virtual memory.
807 * It is rare to have more than a few KMaps at a time (in the
808 * absence of interrupts, only two at a time are ever used,
809 * but interrupts can stack). The mappings are local to a process,
810 * so we can use the same range of virtual address space for
811 * all processes without any coordination.
813 #define kpt (vpt+VPTX(KMAP))
814 #define NKPT (KMAPSIZE/BY2PG)
822 panic("kmap: up=0 pc=%#.8lux", getcallerpc(&page));
823 if(up->mmupdb == nil)
826 panic("kmap %lud %s: nkmap=%d", up->pid, up->text, up->nkmap);
829 * Splhi shouldn't be necessary here, but paranoia reigns.
830 * See comment in putmmu above.
834 if(!(vpd[PDX(KMAP)]&PTEVALID)){
835 /* allocate page directory */
836 if(KMAPSIZE > BY2XPG)
837 panic("bad kmapsize");
838 if(up->kmaptable != nil)
841 up->kmaptable = newpage(0, 0, 0);
843 vpd[PDX(KMAP)] = up->kmaptable->pa|PTEWRITE|PTEVALID;
845 memset(kpt, 0, BY2PG);
846 kpt[0] = page->pa|PTEWRITE|PTEVALID;
851 if(up->kmaptable == nil)
852 panic("no kmaptable");
854 for(i=0; i<NKPT; i++){
855 if(kpt[(i+o)%NKPT] == 0){
857 kpt[o] = page->pa|PTEWRITE|PTEVALID;
860 return (KMap*)(KMAP+o*BY2PG);
863 panic("out of kmap");
873 if(up->mmupdb == nil || !(vpd[PDX(KMAP)]&PTEVALID))
874 panic("kunmap: no kmaps");
875 if(va < KMAP || va >= KMAP+KMAPSIZE)
876 panic("kunmap: bad address %#.8lux pc=%#p", va, getcallerpc(&k));
877 if(!(vpt[VPTX(va)]&PTEVALID))
878 panic("kunmap: not mapped %#.8lux pc=%#p", va, getcallerpc(&k));
881 panic("kunmap %lud %s: nkmap=%d", up->pid, up->text, up->nkmap);
887 * Temporary one-page mapping used to edit page directories.
889 * The fasttmp #define controls whether the code optimizes
890 * the case where the page is already mapped in the physical
902 panic("tmpaddr: islo");
904 if(fasttmp && p->pa < -KZERO)
908 * PDX(TMPADDR) == PDX(MACHADDR), so this
909 * entry is private to the processor and shared
910 * between up->mmupdb (if any) and m->pdb.
912 entry = &vpt[VPTX(TMPADDR)];
913 if(!(*entry&PTEVALID)){
914 for(i=KZERO; i<=CPU0MACH; i+=BY2PG)
915 print("%#p: *%#p=%#p (vpt=%#p index=%#p)\n", i, &vpt[VPTX(i)], vpt[VPTX(i)], vpt, VPTX(i));
916 panic("tmpmap: no entry");
918 if(PPN(*entry) != PPN(TMPADDR-KZERO))
919 panic("tmpmap: already mapped entry=%#.8lux", *entry);
920 *entry = p->pa|PTEWRITE|PTEVALID;
922 return (void*)TMPADDR;
931 panic("tmpaddr: islo");
932 if(fasttmp && (ulong)v >= KZERO && v != (void*)TMPADDR)
934 if(v != (void*)TMPADDR)
935 panic("tmpunmap: bad address");
936 entry = &vpt[VPTX(TMPADDR)];
937 if(!(*entry&PTEVALID) || PPN(*entry) == PPN(PADDR(TMPADDR)))
938 panic("tmpmap: not mapped entry=%#.8lux", *entry);
939 *entry = PPN(TMPADDR-KZERO)|PTEWRITE|PTEVALID;
944 * These could go back to being macros once the kernel is debugged,
945 * but the extra checking is nice to have.
950 if(pa > (ulong)-KZERO)
951 panic("kaddr: pa=%#.8lux", pa);
952 return (void*)(pa+KZERO);
962 panic("paddr: va=%#.8lux pc=%#p", va, getcallerpc(&v));
970 countpagerefs(ulong *ref, int print)
978 for(i=0; i<conf.nproc; i++){
982 if(ref[pagenumber(p->mmupdb)])
983 iprint("page %#.8lux is proc %d (pid %lud) pdb\n",
984 p->mmupdb->pa, i, p->pid);
987 if(ref[pagenumber(p->mmupdb)]++ == 0)
990 iprint("page %#.8lux is proc %d (pid %lud) pdb but has other refs!\n",
991 p->mmupdb->pa, i, p->pid);
995 if(ref[pagenumber(p->kmaptable)])
996 iprint("page %#.8lux is proc %d (pid %lud) kmaptable\n",
997 p->kmaptable->pa, i, p->pid);
1000 if(ref[pagenumber(p->kmaptable)]++ == 0)
1003 iprint("page %#.8lux is proc %d (pid %lud) kmaptable but has other refs!\n",
1004 p->kmaptable->pa, i, p->pid);
1006 for(pg=p->mmuused; pg; pg=pg->next){
1008 if(ref[pagenumber(pg)])
1009 iprint("page %#.8lux is on proc %d (pid %lud) mmuused\n",
1013 if(ref[pagenumber(pg)]++ == 0)
1016 iprint("page %#.8lux is on proc %d (pid %lud) mmuused but has other refs!\n",
1019 for(pg=p->mmufree; pg; pg=pg->next){
1021 if(ref[pagenumber(pg)])
1022 iprint("page %#.8lux is on proc %d (pid %lud) mmufree\n",
1026 if(ref[pagenumber(pg)]++ == 0)
1029 iprint("page %#.8lux is on proc %d (pid %lud) mmufree but has other refs!\n",
1034 iprint("%d pages in proc mmu\n", n);
1036 for(i=0; i<conf.nmach; i++){
1038 for(pg=mm->pdbpool; pg; pg=pg->next){
1040 if(ref[pagenumber(pg)])
1041 iprint("page %#.8lux is in cpu%d pdbpool\n",
1045 if(ref[pagenumber(pg)]++ == 0)
1048 iprint("page %#.8lux is in cpu%d pdbpool but has other refs!\n",
1053 iprint("%d pages in mach pdbpools\n", n);
1054 for(i=0; i<conf.nmach; i++)
1055 iprint("cpu%d: %d pdballoc, %d pdbfree\n",
1056 i, MACHP(i)->pdballoc, MACHP(i)->pdbfree);
1061 checkfault(ulong, ulong)
1066 * Return the number of bytes that can be accessed via KADDR(pa).
1067 * If pa is not a valid argument to KADDR, return 0.