Linkage mechanism for program isolation

Abstract

A computer system has general purpose registers, control registers and access registers for containing information to allow address space capability. A linkage stack uses protected address space to store state information during program call and program return operations. The linkage stack contains information relating to state entries for the saved information and header and trailer entries to point to other linkage stack sections. A control register contains the pointer to the current linkage stack entry and is changed as the program call or return moves through the stack.

Claims

Having thus described our invention, what we claim as new and desire to secure by Letters Patent is:

1. A method of operating a central processor which can execute programs each having access to multiple address spaces, comprising the steps of:

identifying a context switching instruction issued by a first program executing in a first address space as any of a program call instruction and a branch and link instruction, to a second program,

when the context switching instruction is identified as the program call instruction, using the program call instruction to index into an entry table comprising information defining a second address space and identifying the second program designated to execute therein,

selecting an address of a linkage stack entry in an area of memory protected from direct access by the first and second programs,

storing, in the linkage stack entry, data indicative of the first address space, a location of the context switching instruction in the first address space, and information identifying the linkage stack entry as one of a branch state entry resulting from the branch and link instruction and a program call state entry resulting from the program call instruction,

after said storing, when the context switching instruction has been identified as the program call instruction, causing the central processor to activate the second address space as that from which execution of instructions is to occur and commencing execution of the second program as within the addressability of the second address space,

after said storing, when the context switching instruction has been identified as the branch and link instruction, commencing execution of the second program as within the addressability of the first address space,

after said commencing execution of the second program, identifying a program return instruction issued by the second program, and

in response to said identifying of the program return instruction, (a) accessing the linkage stack entry, (b) when the information (identifying the linkage stack entry) indicates that the linkage stack entry is a program call state entry, providing the central processor with the data indicative of the first address space, (c) providing the central processor with the location of the context switching instruction, (d) causing the central processor to activate the first address space as that from which execution of instructions is to occur, and (e) recommencing execution of the first program from a point after the context switching instruction.

2. The method of claim 1 wherein said step of selecting an address of a linkage stack entry comprises the steps of:

determining a home address space of the first program; and

selecting the address of the linkage stack entry in the home address space.

3. A mechanism for enforced retraceable program linkage, comprising:

central processor means for executing programs,

a main memory containing a first program executing in a first address space, the first program including a program call to a service provider comprising a second program designated to execute in a second address space, the program call including a program call number indicative of the second program,

first linkage means, connected to receive the program call, the first linkage means including entry table means for identifying the second program and for causing the central processor to activate the second address space as that from which execution of instructions is to occur;

second linkage means, connected to receive the program call, the second linkage means including a linkage stack for storing the program call number and data indicative of the first address space;

protection means, coupled to said linkage means, for protecting the linkage stack means from direct access by the first and second program; and

return means, coupled to the central processor means and connected to receive the data indicative of the first address space from the linkage stack, for causing the central processor means to activate the first address space as that from which execution of instructions is to occur, responsive to a return instruction issued by the second program,

said linkage stack comprising a plurality of sections, each section of said linkage stack comprising:

header entry means for holding first information indicative of a trailer entry in a preceding linkage stack section;

state entry means for holding second information indicative of computer system states when the program call was issued, the second information comprising the program call number and the data indicative of said first address space, and for holding third information indicative of an amount of free space remaining in a section containing the state entry means;

trailer entry means for holding fourth information indicative of a header entry of a next succeeding linkage stack section; and

wherein said mechanism further comprises stack formation means, connected to receive the third information from the state entry means, for: (a) determining when the amount of free space remaining in said section is sufficient to hold an additional state entry means, (b) forming the additional state entry means in the section, responsive to a subsequent program call when the amount of free space is sufficient to hold the additional state entry means and, (c) forming the additional state entry means in the next succeeding linkage stack section, responsive to the subsequent program call when the amount of free space is not sufficient to hold the additional state entry means.

4. In a computer system of a type wherein a first program designated to execute in a first address space can issue a program call to a second program designated to execute in a second address space, a linkage stack mechanism comprising:

a plurality of sections, each section including:

header entry means for holding first information indicative of a trailer entry in a preceding linkage stack section;

state entry means for holding second information indicative of computer system states when the program call was issued, the second information comprising a program call number indicative of the program call and data indicative of the first address space, and for holding third information indicative of an amount of free space remaining in a section containing the state entry means;

trailer entry means for holding fourth information indicative of a header entry of a next succeeding linkage stack section; and,

stack formation means, connected to receive the third information from the state entry means, for: (a) determining when the amount of free space remaining in the section is sufficient to hold an additional state entry means, (b) forming the additional state entry means in the section, responsive to a subsequent program call when the amount of free space is sufficient to hold the additional state entry means and, (c) forming the additional state entry means in the next succeeding linkage stack section, responsive to the subsequent program call when the amount of free space is not sufficient to hold the additional state entry means.

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application contains subject matter which is related to the subject matter of the following applications filed on even date herewith and assigned to the same assignee:

"Nonhierarchical Program Authorization Mechanism" by R. I. Baum et al, Ser. No. 154,740, which issued on Jun. 11, 1991 as U.S. Pat. No. 5,023,773; "Multiple Address Space Token Designation, Protection Controls, Designation Translation and Lookaside" by R. I. Baum, et al, Ser. No. 535,248, issued on Dec. 18, 1990 as U.S. Pat. No. 4,979,098 as a continuation of Ser. No. 154,689, Filed Feb. 10, 1988, Abandoned; "Control Mechanism For Zero-Origin Data Spaces" by C. A. Scalzi et al, Ser. No. 154,688, which issued on Apr. 16, 1991 as U.S. Pat. No. 5,088,811; "Data Domain Switching On Program Address Space Switching And Return" by C. E. Clark et al, Ser. No. 154,685, which issued on Jul. 31, 1990 as U.S. Pat. No. 4,945,480; and "Operating System Accessing Control Blocks By Using Home Address Space Segment Table To Control Instruction and Operand Fetch and Store Operations" by C. E. Clark, Ser. No. 154,780, which issued on Jul. 24, 1990 as U.S. Pat. No. 4,943,913.

FIELD OF THE INVENTION

The invention relates to a method and means for enabling a program or programs being executed in a data processing system to have concurrent access to multiple virtual address spaces. In this system, access registers corresponding to general purpose registers contain tokens to allow the system to identify address spaces. The tokens are used to specify an access list entry for obtaining a segment table designation in a translation process. The use of tokens allows system control of address spaces to be isolated from program control of access registers. This invention is an improvement over the access register system shown in U.S. Pat. No. 4,355,355.

DESCRIPTION OF THE PRIOR ART

Data processing systems using virtual addressing in multiple virtual address spaces, such as the IBM System/370 Systems using MVS controlled programming, are well known. The organization and hardware/architectural aspects of the IBM System/370 are described in the "IBM System/370-XA Principles of Operation", form number SA22-7085-1. The described MVS system includes a central processing unit (CPU) which contains the sequencing and processing facilities for instruction execution, interruption action, timing functions, initial program loading, and other machine related functions. Also included is a main storage, which is directly addressable and provides for high speed processing of data by the CPU. The main storage may be either physically integrated with the CPU, or constructed in stand alone units.

U.S. Pat. No. 4,096,573 to A. R. Heller et al for "DLAT Synonym Control Means for Common Portions of All Address Spaces" and U.S. Pat. No. 4,136,385 to P. M. Gannon et al for "Synonym Control Means for Multiple Virtual Storage Systems" both assigned to the same assignee of the present invention, disclose MVS systems in which the main storage may be allocated as address spaces for use by multiple users, each address space containing a portion defined as common among all of the users. The result is that a user may isolate programs or data from other users by placing them in a "private" portion of the user's assigned address space, or he may make them accessible to all other users by placing the programs or data in "common". In such a system, data may be moved between two address spaces by having a program in the first address space move the data from its private area into common and then signal a program in the other address space to operate on, or further move, the data. The use of common as a communication area between address spaces increases the size of the common area and thus reduces the size of the private area available to all users. Signalling from one program to another can only be done by subsystems or the control program. Data is protected by storage protect keys. However, there are only 16 such keys, which are not enough to guarantee that the information is protected from an inadvertent store by another subsystem or authorized program since the information is commonly addressable.

U.S. Pat. No. 4,355,355 assigned to the same assignee as the present application, shows access registers (AR's) associated with the general purpose registers (GPRs) in a data processor. The AR's are each loaded with a unique STD (segment table descriptor). The STD comprises a segment table address in main storage and a segment table length field. There are a predetermined number of AR's associated respectively with the GPR's in a processor to define a subset of up to the predetermined number of data address spaces up to a maximum of one address space for each GPR. The STD in an AR is selected for address translation when the associated GPR is selected as a storage operand base register, such as being the GPR selected by the B-field in an IBM System/370 instruction. Each AR may also specify that it does not use the STD in its associated AR to define its data address space, but instead uses the STD in the program address space AR. However, the STD content of an AR is not selected for an address translation if the associated GPR is selected for a purpose other than as a storage operand base register, such as if a GPR is selected as an index (X) register or as a data source or sink register (R) for an instruction. A sixteenth AR may be provided to define and control the executing program address space, which may also contain data.

U.S. Pat. Nos. 4,366,537, 4,430,705 and 4,500,952, assigned to the same assignee as the present application, all deal with the dual address space (DAS) concept for which the present access register multiple address space (MAS) concept is an improvement. These patents deal with systems in which one program in one address space is permitted to obtain access to data in another address space or to call a program in another address space without invoking a supervisor. Each of a plurality of address spaces assigned an Address Space Number (ASN) has an associated set of address translation tables. A second address space can be designated by a program, and when authorized, the program can cause transfer of data in main memory from one physical location to another associated with the different address space. A program changeable space selection control bit controls use of two different sets of address translation tables associated with two different address spaces. Without invoking a supervisor, a particular program in an assigned address space can call a program in another address space or obtain addressability to data in another address space having an associated set of address translation tables.

U.S. Pat. No. 4,037,214, assigned to the same assignee as the present application, shows a horizontal addressing system in which multiple access keys in an access key register (AKR) switch the address space of a storage access as a function of an instruction address, a sink operand address and a source operand address, respectively.

U.S. Pat. No. 4,521,846 issued to the same assignee as the present invention and entitled "Mechanism for Accessing Multiple Virtual Spaces" shows another mechanism for controlling access to plural virtual address spaces in a cross-memory implementation where data can be accessed in a non-privileged state.

U.S. Pat. No. 3,787,813 shows the concept of data processing devices using capability registers. The patent shows a data processing device with a central processing unit and a storage unit, the information in the storage unit being arranged in segments and the central processing unit having a plurality of capability registers each arranged to store descriptor information indicative of the base and limit addresses of an information segment. One of the capability registers is arranged to hold information defining the base and limit addresses of an information segment which contains a segment pointer table, particular to the program currently being executed by the central processing unit and a further one of the registers is arranged to hold information defining the base and limit addresses of an information segment which contains a master capability table having an entry for each information segment in the storage unit composed of information defining the base and limit addresses of a segment. The segment pointer table comprises a list of data words which are used as pointers to define different entries in the master segment table.

U.S. Pat. No. 4,366,536 shows a digital computer system for selecting and linking multiple separately stored data processing procedures consisting of assembly level commands and for selecting a variable data area from a plurality of variable data areas. The system includes memories for storing the data processing procedures, the variable data areas and linking addresses; a program counter for accessing the memory containing the stored data processing procedures; registers for accessing the memories containing the data and the linking addresses; and a hardware unit which is adapted to execute the assembly level commands contained in selected data processing procedures in accordance with assembly level commands in the data processing procedure being executed and previously selected addresses.

U.S. Pat. No. 4,268,903 shows a stack control register group for controlling a stack area. A data stack pointer register holds the start address of the data stack area which is formed in the stack facility and controlled by the user program directly.

U.S. Pat. No. 4,454,580 entitled "Program Call Method and Call Instruction Execution Apparatus", assigned to the same assignee as the present invention includes a method of passing execution from a program in one logical address space to another program in a new logical address space. The calling program controls selective allocation of segments to the called program but the called program controls the lengths of the segments being allocated. In this way, recursive calls to the same program cannot affect the function or data of other programs or of the same program in a previous call. Also allocation of data segments can be postponed until execution resulting in more flexible execution of programs written without knowledge of the details of other co-executing programs.

U.S. Pat. No. 4,297,743 entitled "Call and Stack Mechanism for Procedures Executing in Different Rings" shows an architecture based on a hierarchy of rings where each ring represents a different level of privilege. Branches are allowed to rings having a lesser privilege and privilege levels are allowed to be different for read only status as opposed to read and write status. The patent shows a stack frame which has three areas: a work area for storing variables, a save area for saving the contents of registers and a communications area for passing parameters between procedures. Prior to a procedure call, the user must specify those registers to be saved and the user must load into the communications area the parameters to be passed to the called procedure. The system provides for a history of calls in a sequence of stack frames so that a return can be accomplished. Finally, U.S. Pat. No. 4,044,334 entitled "Database Instruction Unload" shows a system for retrieving a database pointer for locating database records in one of a plurality of segments of addressable space.

An article in the IBM Technical Disclosure Bulletin, January 1982, Vol. 24, No. 8, pages 4401-4403 entitled "Method of Revoking a Capability Containing a Pointer-Type Identifier Without Accessing The Capability" deals with an Address Space Number (ASN) as a pointer-type identifier for the address space capability. This publication relates to the dual address space facility and the fact that an address space does not have to be entered to determine if the access is valid since that information may be determined using the ASN-second-table entry (ASTE) associated with address translation. In general, access to an object by means of the capability is permitted only when the unique codes in the capability and the object are equal. The capability can be revoked simply by changing the unique code in the object without the need to locate and access the capability.

While the prior art previously discussed represents significant advancement in function for the computer user, there are significant areas in which improvement is desired. In particular, there is a need for a facility to move data between arbitrary address spaces. In addition, there is a need for a facility to control an authorization index for programs in a space so that different authorization indexes can be used in the same space. Finally, there is a need to improve the ability to switch frequently between address spaces and to acquire or relinquish the additional addressing capabilities on the switch of addressing environments. Control and authority mechanisms are important considerations. The contents of an AR should be changeable by the user; however, the user should not have direct access to actual addressing information such as the STD. Thus, there is a need to combine ease of use of address space mechanisms with the proper authority and control mechanisms to prevent unwanted access to address spaces. As will be described, the present invention provides improved performance in meeting these needs.

SUMMARY OF THE INVENTION

This invention is a data processing system which has multiple virtual address spaces under system control and in which the user's management of the address spaces is by means of tokens provided by the system for identifying the spaces. The tokens allow the user to identify the address spaces to be accessed to the system but do not allow the user to directly control either real or virtual address spaces. Thus, the system provides proper authority and control over access to address spaces so that the user cannot directly work with a system managed resource. The user also has the option of selecting among operating modes as to which addressing system of several possible is invoked.

In a computer system according to the present invention, an access register (AR) is provided to correspond to all of the general purpose registers that exist for users in the architecture. In AR mode, each access register contains an access list entry token (ALET) to signify an address space for which the general purpose register is to be allowed access. The ALET points to an access list entry (ALE). Dynamic address translation (DAT) is to occur using the operand in the general purpose register for the address space signified by the ALET. The process of obtaining the STD using access register translation (ART) is a two step process. First, the ALET is used to identify an access list entry in an access list which contains an address space number second table entry address (ASTE ADR). Then the ASTE ADR is used to access the ASTE which contains the STD used in dynamic address translation (DAT). Certain tests are performed using the components of the ALET, the access list and the ASTE before the STD is obtained from the ASTE.

The ART includes reliability, integrity and authority checks. When the ALET in the access register is first used to find the correct access list entry (ALE) in an access list, verification occurs to determine that the entry is valid. Then the contents of the ALE are used to find the correct ASTE from which the STD is obtained. In addition, an ASTE sequence number (ASTESN) comparison is made between the contents of the ALE and the ASTE to verify the correctness of the reference to the ASTE.

These comparisons have to do with the use of a capability as defined in the computer arts. A capability is an unforgeable object which allows its possessor to perform operations on another object. In the case of access registers, the capability deals with objects which are address spaces. If an access register were allowed to directly contain the capability, that is the STD for the address space, the AR contents would have to be manipulated solely by privileged instructions in order to maintain the unforgeable characteristic. The use of privileged instructions for address space control takes extra time and computer resource because it requires passing control between the problem state program and the privileged control program.

An access list contains the maximum potential addressability to address spaces at one time. The ART process further includes the determination of the authority level of an ALE that may limit the maximum addressability by authority tests. All program code operates under some predetermined authority level and access to an ALE is controlled by authority tests. There are three levels of tests. The first level is the public/private bit in the ALE. If it is public, any user of the access list may use the entry. If it is private, the second level test is that an extended authorization index (EAX) in control register 8 must be the same as an authorization index (ALEAX) associated with the accessed address space in the ALE. Control register 8 specifies the space accessing authority of the executing program. This is in effect the owner of a controlled space accessing the space. Finally, a third test is performed if the EAX does not equal the ALEAX. An authority table of the accessed ASTE is indexed by the EAX value from control register 8. If the particular EAX finds an allowed access in the authority table then the access is permitted. This is the equivalent of the owner of a space allowing special usage.

An advantage of the present invention is that ARs contain ALETs which allows address space control without use of privileged instructions. Because the AR contains an ALET which specifies a space indirectly through an access list entry, an unprivileged instruction or subroutine can save access register contents, use the access register for another purpose and then restore the saved contents without using a control program service. Thus, the access list controls the authority of the user. The reason the access list entry points to the ASTE which contains the STD, rather than the access list entry directly containing the STD is that control and authority over address spaces may be modified by manipulating the ASTE without having to find all the access list entries referencing the space. The address space second table (AST) provides a definition of all program address spaces in the system so that the system has a central point of control for all address spaces. Many users may have access to an address space and should have that space in their access list to do so. More than one ALE in more than one access list can point to the same ASTE. Thus, there are two levels of indirection between the AR and the STD which allow separate control of the user's capability and of the authority to address spaces.

As a further example of the control that is facilitated by the use of indirection between the AR and the STD, the management of real addresses in which the system places STD information is much simpler. Segment table origins are identified by real addresses and are usually on a page boundary. The segment table itself usually occupies full real frames of memory. Thus, it is important that when an address space is swapped out of main storage or is terminated, the real frames that map its segment table be reusable to map other segment tables or other virtual addresses. This requirement is met by the use of the ASTE which is the only place the control program needs to update information before reusing the real address in the STD.

The selected access list may be from one or more available domains. For example, the disclosed embodiment shows both a dispatchable unit domain (DUAL) and a primary address space domain (PSAL). Although an access list is associated with either a dispatchable unit or a primary address space, the valid entries in the list are intended to be associated with the different programs that are executed to perform the work of the dispatchable unit. The DUAL is used in the sense that it belongs to the user and can be different for different users even when executing the same program. The PSAL is used in the sense that it is common to a program executing in the associated primary address space regardless of dispatchable unit. Two principal advantages are gained by the primary address space domain. First, all users of the primary space domain have the capabilities of the domain without having to individually assign or acquire the capability to the dispatchable unit domain of every user. Second, a dispatchable unit may acquire capabilities by switching primary address space domains without having to separately acquire those capabilities.

The dispatchable unit access list (DUAL) contains the maximum potential addressability of all code running under the dispatchable unit regardless of what address space that code is in, while the PSAL contains the maximum space addressability of all code running in a particular address space regardless of what dispatchable unit it is running under. In either case, the ART process is subject to the EAX authority check. As an example, this allows a program to call a service in another address space allowing communication in a public address space while that service is forbidden access to the calling space itself for integrity or privacy reasons. Since a program call (PC) can change the EAX, this is easy to accomplish. Even though the access list is usable in the service address space, the entry for the private space can be blocked from access while the dispatchable unit is in the second space.

In addition, the present invention includes the provision of an ART lookaside buffer (ALB) that reduces the number of references to storage for the ALD, ALE, ASTE and the authority table which otherwise must occur every time the associated GPR contains a storage operand reference. Because the number of storage references during ART can be quite high, the use of an ALB to provide the results of the ART function means that the access register functions can be provided with an efficient use of computer resources.

When the ALB is used, the CPU performs an ART process in real storage only for the initial access using that AR entry. The information from the ART process is placed in the ALB, and subsequent ART operations are performed using the information in the ALB, unless that information has become invalid, or been replaced by the results of other ART operations. The ALB also provides required authority checks before producing an output. The presence of the ALB affects ART to the extent that a change to the contents of information used to perform ART in real storage does not necessarily have an immediate, if any, effect on whether an STD is obtained or on which STD is obtained from the ALB.

The ALB is logically a table, local to a CPU, consisting of some number of entry types and some number of entries of each type. The most complex implementation of an ALB provides the highest probability that one or more ALB entries will be usable in a particular instance of ART and, thus, that one or more references to real storage can be avoided in that instance. The most simple implementation of an ALB provides the lowest probability of avoiding references to real storage.

A linkage stack facility permits programs operating at arbitrarily different levels of authority to be linked directly without the intervention of the control program. The degree of authority of each program in a sequence of calling and called programs may be arbitrarily different, thus allowing a non hierarchical organization of programs to be established. Options concerning authorities for the EAX changing option and the PSW key changing option as well as those for the PSW key mask and the secondary address space provide means of associating different authorities with different programs or with the same called program. The authority of each program is prescribed in the entry tables and these tables are managed by the control program. By setting up the entry tables so that the same program can be called by means of different PC numbers, the program can be assigned different authorities depending on which PC number is used to call it. The entry tables also allow control over which PC numbers can be used by a program to call other programs.

Stacking PROGRAM CALL and PROGRAM RETURN linkage operations provided by the linkage stack facility can link programs residing in different address spaces and having different levels of authority. The execution state and the contents of the general registers and access registers are saved during the execution of a stacking PROGRAM CALL instruction and are partially restored during the execution of a PROGRAM RETURN instruction. A linkage stack provides an efficient means of saving and restoring both the execution state and the contents of registers during linkage operations.

IN THE DRAWINGS

FIG. 1 is a diagrammatic illustration of the use of an access register in addressing operands according to the present invention;

FIG. 2 is a diagrammatic illustration of an access register translation of contents of an access register of FIG. 1;

FIG. 3 depicts the organization and contents of the control registers for use with the MAS facility of the present invention;

FIG. 4 depicts the contents of the PSW for use with the MAS facility;

FIG. 5 depicts the format of an access-list-entry token for use with the MAS facility;

FIG. 6 depicts the format of an access-list entry for use with the MAS facility;

FIG. 7 depicts the format of a linkage-table entry according to the present invention;

FIG. 8 depicts the format of an entry-table entry for use with the MAS facility;

FIG. 9 is a diagrammatic illustration of a linkage stack for use with the MAS facility;

FIG. 10 depicts the format of an entry of the linkage stack of FIG. 9;

FIG. 11 depicts the format of an ASN-first-table entry;

FIG. 12 depicts the format of an ASN-second-table entry according to the present invention;

FIG. 13 depicts the format of an entry of an authority table for use with the MAS facility;

FIG. 14 depicts the format of a dispatchable-unit-control table for use with the MAS facility;

FIG. 15 is a diagrammatic illustration of the logic-flow of a PC number translation of a PROGRAM CALL operation;

FIG. 16 is a diagrammatic illustration of the logic flow of a stacking operation of a stacking PROGRAM CALL instruction;

FIG. 17 is a diagrammatic illustration of the logic flow of an ASN translation of a PROGRAM CALL operation;

FIG. 18 is a diagrammatic illustration of the logic flow of an access register translation of FIG. 2;

FIGS. 19A and 19B, when taken together, form a flow chart of an access register translation operation and exceptions;

FIG. 20 is an illustration of the use of the TEST ACCESS REGISTER instruction for use with the MAS facility;

FIG. 21 shows a first embodiment of an ALB entry according to the present invention;

FIG. 22 shows a second embodiment of an ALB entry according to the present invention;

FIG. 23 shows a third embodiment of an ALB entry according to the present invention;

FIG. 24 shows a fourth embodiment of an ALB entry according to the present invention; and

FIG. 25 shows a fifth embodiment of an ALB according to the present invention in which the ALB entries and authority are determined in separate tables.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The multiple address space (MAS) facility of the present invention is an enhancement of the dual address space facility and of the access register system. The MAS facility is designed to run compatibly with, and in addition to, the DAS facility and, for the most part, to use the same tables and register arrangements as the DAS facility, with certain changes and enhancements. The access register translation (ART) system is an improvement which allows full use of the access register system by the user while providing isolation and protection of machine addressing functions from the user. The use of an ART lookaside buffer (ALB) enhances the performance of ART.

A service provider typically owns one or more address spaces containing data or programs, or both, which the service provider wants to make available to users. The service provider makes programs available to users by assigning them program call (PC) numbers. This assigning operation includes establishing links for transferring program control, specifying the authorization characteristics needed by the service callers, and assigning the authorization characteristics of the service provider's programs. The transfer of program control may be from one address space to another or may remain in the same address space. In either case, it may change the authorization from one level to another to provide greater, lesser or different authorization. The service provider may run with an authorization level different than the caller's level, allowing the service provider routines to access data in address spaces which the caller cannot access. The user and service provider can access all spaces on the access list which have not been designated as private address spaces. Additionally, the service provider can have access to selected address spaces which the user cannot access. Similarly, the service provider can be denied access to selected address spaces which the user can access.

The execution of a program instruction may be conveniently divided into two operations. The first operation is the fetching of the instruction to be executed. The second operation is the addressing of operands for the fetching and storing of data on which the instruction operates during its execution. In MAS in the AR mode, the instruction is fetched from that address space established as its primary address space. The establishment of the primary address space may require a space switching operation.

FIG. 1 shows the use of an access register according to the present invention in addressing operands. The process of using the contents of an access register to obtain a STD for use in a dynamic address translation, is called an access-register-translation (ART) operation, which is generally designated at 10. An instruction 12 has an operation code, a B field which designates a general register 14 containing a base address, and a displacement D, which, when joined with the base address of general register 14 by an adder 15, forms a logical address of a storage operand. In the access register mode, the B field also designates an access register 16 which contains an ALET which, when translated at ART 10, provides the STD for the address space in which the data is stored. The STD from the ART 10 may be joined with the logical address from the adder 15, and, when translated together in the dynamic address translation (DAT) operation, designated generally at 18, provides the real address of the operand for use by the system. In addition to the B field and displacement D shown in FIG. 1, an R field may be used for designating a general register containing a logical address of a storage operand.

The use of an access register of the present invention may be further illustrated by the following move (MVC) instruction:

MVC 0(L,1),0(2)

The second operand of this instruction, having length L, is to be moved to the first-operand location. The logical address of the second operand is in general register 2, and the logical address of the first-operand location is in general register 1. The address space containing the second operand is specified by the ALET in access register 2, and the address space of the first-operand is specified by the ALET in access register 1. These two address spaces may be different address spaces, and each may be different from the current instruction address space.

FIG. 2 provides an overview showing the translation of an ALET to a real address. Shown at 20 is an array of general registers numbered 0 through 15. An array 22 of access registers, also numbered 0 through 15, are arranged such that each access register is paired with a respective one of the general registers of array 20, as previously described in connection with FIG. 1. An access-list entry number (ALEN) in the ALET selects an entry in one of the access lists 24 or 25. Access list 24 is the DUAL, and access list 25 is the PSAL. In the example of FIG. 2, the ALEN of access register 2 points to entry 3 of the PSAL 25. The origin of the DUAL is specified by a dispatchable-unit-access-list designation (DUALD) 26 which is found by decoding an entry in control register 2, as will be explained. The origin of the PSAL is specified by a primary-space-access-list designation (PSALD) 27 which is found by decoding an entry in control register 5, as will be explained. The access-list designation used in the ART is known as the effective access-list designation (ALD).

Each entry in the access list includes an ASTE address which points to an ASN second table entry (ASTE) 98 which may or may not be in an ASN second table (AST) 30. An ASTE may be created and perform its function for ART totally independently of actually being in an AST, although ASTEs used for PC are required to be in an AST. Each ASTE is similar to that used in the DAS facility, and includes an STD value to determine the real address by the DAT 18, as discussed in connection with FIG. 1.

There are two access lists available to a program at the same time each representing a different capability domain. One access list is called the dispatchable unit access list (DUAL) and the other primary space access list (PSAL). A bit in the ALET determines whether the ALEN of the ALET is pointing to an entry in the DUAL 24 or the PSAL 25. Each entry in the access lists 24 and 25 is available for use by programs.

The DUAL domain is intended to be permanently associated with the dispatchable unit ("task" or "process") on behalf of the program or programs executed by the dispatchable unit. There is a unique DUAL for every dispatchable unit in the system. The DUAL for a dispatchable unit does not change even though the dispatchable unit may execute programs in many different address spaces. The PSAL domain is associated with a primary address space. All programs which execute in a primary address space share the PSAL of the address space. This allows programs executing within a primary space to share access to a common set of address spaces. The PSAL changes when the primary address space changes such as on a space switching PC operation. A user, in possession of a valid ALET, may access an access list entry on either the DUAL 24 or the PSAL 25, and this entry specifies the desired address space. Other domains may also be implemented and controlled in a similar manner using the ALET and selected control registers. For example, a system wide access list (SWAL) domain may be created having the capabilities of all programs in the system. Various subsets of domains can be constructed as desired, such as a SASN domain access list (SSAL), to allow further exploitation of an existing mechanism.

Entries 0 and 1 of the DUAL are not used because the ALETS are reserved for accessing operands in the primary and the secondary address spaces, respectively, when in the AR addressing mode. The addressing mode of the CPU is designated by bits in the PSW, as will be explained. When the CPU is in the AR addressing mode, an ALET of zero always refers to the primary address space and an ALET of one always refers to the secondary address space. See FIG. 1 in which box 28 identifies these special ALETS and provide the correct STD for the PASN and the SASN to DAT when they occur. When the CPU is in the home addressing mode, the home address space is the source of instructions to be executed and of data. The home address space is defined as that address space having the supervisor control information for the program being executed. By convention, the operating system assigns an ALEN of 2 for each home space for the purpose of data access and the STD for the home space is obtained by ART for such access. Since the STD values for the primary and the secondary address spaces are kept in control registers 1 and 7, respectively (see FIG. 3) access list entries 0 and 1 are not used. As implemented, entries 0, 1 and 2 in the PSAL 25 are unused and are marked invalid.

An ART lookaside buffer (ALB) 199 receives and saves inputs from the AR 22, the AL 25, and the AST 30 to hold the STD resulting from ART. The ALB also retains the access list designation, DUAL or PSAL. When the same ALET is used again, ALB 199 provides the correct output directly to DAT 18 so that ART does not have to be repeated.

FIGS. 3 and 4 show the control registers and the PSW word, respectively, for providing information for the control of a program and the state of the CPU during instruction execution.

FIG. 3 shows the contents of the control registers 0 through 15 for the MAS facility of the present invention. All of the contents of the control registers of FIG. 3 will not be discussed, as the majority of them have the identical functions of the control registers of the aforementioned DAS facility and are thus known. Thus, primarily those changes necessary to provide the MAS facility will be discussed. A 1 in bit 15 of control register zero indicates the CPU is operating in the MAS mode and the control program supports MAS. The MAS facility includes new formats for the entry table entry, the ASN second table entry, the availability of a linkage stack, and the ability to enter the access register mode. Control register 1 contains the primary segment-table designation (PSTD). Bits 1-19 specify the primary segment-table origin (PSTO) and bits 25-31 designate the primary segment-table length (PSTL). Bits 1-25 of control register 2 designate the dispatchable-unit-control-table origin (DUCTO) used by the MAS facility to locate the DUALD, as will be discussed Bits 1-25 of control register 5 designate the primary ASTE origin (PASTEO). As will be discussed, the entry in control register 5 points to the ASTE entry for finding the PSAL origin, and other information, in the ASTE for the primary address space.

Control register 7 includes the secondary segment-table designation (SSTD) in a format wherein bits 1-19 contain the secondary segment-table origin (SSTO) and bits 25-31 contain the secondary segment-table length (SSTL). Bits 0-15 of control register 8 contain an extended authorization index (EAX) for use by the MAS facility of the present invention. As will be discussed, the EAX may be modified as specified by bit entries in the entry table entry under the control of the service provider such that authorization to access address spaces by a program may be changed.

Control register 13 contains a home segment-table designation (HSTD) wherein bits 1-19 contain the home segment-table origin (HSTO), and bits 25-31 contain the home segment-table length (HSTL). Bits 1-28 of control register 15 contain the address of a linkage-stack entry as defined in the last linkage-stack operation, to be discussed.

FIG. 4 shows the format of the program status word (PSW). Bit 5 of the PSW is a DAT mode bit (T) which defines if the DAT 18 of FIGS. 1 and 2 is active. Bits 16 and 17 are combined to specify the addressing mode. When the DAT is active, the combination of bits 16 and 17 define if the CPU is in the primary mode (00), the secondary mode (10), the access register mode (01), or the home mode (11). Bit 32 of the PSW is an addressing mode bit which defines the format of the instruction address in bits 33 through 63 of the PSW. The function and format of the remainder of the fields in the PSW are well understood and defined for IBM System/370 Operations.

FIGS. 5 and 6 show the format of the ALET and the access list entry for defining the relationship of an access register and an address space.

FIG. 5 shows the format of the ALET discussed in connection with FIG. 2. In the ALET, bit 7 is a primary-list bit which, when 1, indicates that the ALEN refers to a PSAL. When the primary-list bit 7 is 0, the ALEN refers to the DUAL. Bits 16-31 contain the ALEN referred to in FIG. 2. When the ALEN is multiplied by 16, the product is equal to the number of bytes from the beginning of the effective access-list to the designated access-list entry. During the ART, an exception is recognized if the ALEN designates an entry that is outside of the effective access-list or if the left most 7 bits of the ALET are not all zeroes. The access-list entry is outside of the effective access list if the ALEN points to an address past the end of the access-list as determined by the access-list length (ALL) of the effective ALD. See FIG. 14 for the ALL. The described format of the ALET does not apply when the ALET is 00000000 or 00000001 (hexadecimal notation), since these values have been assigned a special meaning by the ART process.

An ALET can exist in an access register, in a general register or in storage, and it is not protected from manipulation by a user's problem program. Through the use of instructions, any program can transfer the value of an ALET back and forth between access registers, general registers and storage. A called program can save the contents of the access registers in any storage area available to it, load and use the access registers for its own purposes, and then restore the original contents of the access registers before returning to its caller. Bits 8-15 of the ALET contain an access-list-entry sequence number (ALESN). Since the ALET is not protected from the problem program, and a user may inadvertently change its contents to any value, the ALESN is included in the ALET as a reliability mechanism that is checked during an ART.

FIG. 6 depicts the format of an access-list entry (ALE). Bit 0 of the ALE is an invalid bit which indicates when the ALE is not valid. Bit 7 is a private bit which, when 0, specifies that any program is authorized to use this access-list entry in an ART operation. When bit 7 is 1, an access-list extended authorization index (ALEAX) value in bits 16-31 of the ALE is used to determine if a calling program is authorized to use this access-list entry. The ALE includes an ALESN value in bits 8-15, which is compared to the ALESN value of the designating ALET, as discussed in connection with FIG. 5, to make a validity check. Bits 65-89 of the ALE contains the corresponding ASTE address of the associated address space. An ASTE sequence number (ASTESN) is located in bits 96-126 of the ALE for use as a validity check in connection with the ASTE entry, to be discussed.

It is intended that entries on the access-lists 24 and 25 be provided by the control program such that they may be protected from direct manipulation by any problem program. This protection may be obtained by means of key-controlled protection or by placing the access-lists in real storage not accessible by any problem program by means of the DAT. As determined by bit 0 in the entry, an ALE is either valid or invalid. A valid ALE specifies an address space that can be used by a suitably authorized program to access that address space. An invalid ALE is available for allocation, or reallocation, as a valid entry. The control program provides services that allocates valid ALEs and that invalidates previously allocated ALEs.

Allocation of an ALE consists of the following steps. A problem program passes the identification of an address space to the control program, and it also passes an indicator specifying either the DUAL 24 or the PSAL 25. This indication is the primary list bit 7 of the ALET. The control program then checks the authority of the problem program to access the address space, as will be explained. If the problem program is authorized, the control program selects an invalid entry in the specified access list, changes it to a valid entry, includes the ASTE address and ASTESN thereby specifying the subject address space, and returns to the problem program the value of an ALET which designates the now allocated ALE. The problem program can then place the new ALET in an access register in order to access the address space. Later, through the use of the invalidation service of the control program, the ALE that was allocated may be made invalid.

In this way, a particular ALE may be allocated, then invalidated, and then reallocated, this time specifying a different address space then was specified in the original allocation. To guard the user against erroneous use of an ALET that designates a conceptually wrong address space, the ALESN is stored in both the ALET and the ALE. When the control program allocates an ALE, it places the same ALESN in both the ALE and the designated ALET that it returns to the problem program. When the control program reallocates an ALE, it changes the value of the ALESN in the reallocated ALE such that the value of the ALESN of previously designated ALETs no longer matches the ALESN in the new ALE.

Although the ASTESN portion of the ALE will be discussed further in connection with the ASTE and the associated figures, it is important to note here that comparison of the ASTESN value in the ALE with the value in the ASTE is the mechanism by which the ALE authority to designate the ASTE is confirmed. Thus, an ASTE can be reassigned and a different ASTESN assigned to control its use without having to back track to all ALE entries which have referenced the ASTE. Through use of the ASTESN the control program does not have to retain every program or dispatchable unit which was able to use the ASTE. Thus, the authority can be changed by changing the ASTESN and exceptions or interruptions generated when an attempt is made to use the ASTE without the proper ASTESN. This allows the operating system to be made aware of attempts to access the ASTE with a capability granted in an ALE at a time before the ASTESN was changed. Thus, an operating system has a mechanism to safely reuse an ASTE for a new and/or different space, or to revalidate the authority of the current accessors of an existing space to use it.

FIGS. 7, 8 and 10 depict the formats of entries in the linkage table, the entry table and the linkage stack, respectively. These tables are used according to the present invention to establish linkage for transferring control between programs in either the same or different address spaces.

As previously described, a PC number identifies the particular PC routine that the system is to invoke and is constructed by a service provider. Each service provider that provides PC routines owns one or more entry tables for defining the service provider's routines. The entry tables are connected to linkage tables of those address spaces that require access to the PC routines. Each entry in an entry table defines one PC routine, including its entry point, operating characteristics, and if the PC instruction is a stacking PC. FIG. 7 depicts the format of a linkage table entry, wherein each entry includes an invalid bit at bit 0, an entry table origin (ETO), and an entry table length (ETL), which together define an entry-table designation.

FIG. 8 depicts the format of the entry of the entry table pointed to by the linkage-table entry of FIG. 7. Bits 0-15 of the entry-table entry contain an authorization key mask (AKM) which is used to verify whether the program issuing the PC instruction, when in the problem state, is authorized to call this entry point. Bits 16-31 contain an entry address-space number (EASN) which indicates whether a PC-ss or a PC-cp is to occur. When the EASN is all zeroes, a PC-cp is specified. When the EASN is not all zeroes, a PC-ss is specified, and the EASN identifies the address-space number (ASN) which replaces the primary ASN (PASN). Bit 32 is an addressing mode bit that replaces the addressing mode bit in the PSW as part of the PC operation. The entry instruction address is the instruction address that replaces the instruction address in the PSW as part of the PC operation. Bit 63 is an entry problem state bit which replaces the problem state bit, bit 15 of the current PSW, as part of the PC operation. Bits 64-95 are an entry parameter which is placed in general register 4 as part of the PC operation. Bits 96-111 is an entry key mask (EKM) which may be ORed into or replace the contents of control register 3, dependent upon the value of the M bit, as will be explained. Bit 128 is a PC-type bit (T) which, when 1, specifies that the program call instruction is to perform a stacking operation. Bit 131 is a PSW-key control (K) which, when 1, specifies that the entry key (EK) of bits 136-139 is to replace the PSW-key in the PSW as part of the stacking PC operation. When the K bit is 0, the PSW key remains unchanged. Bit 132 is a PSW-key-mask control (M) which, when 1, specifies that the EKM is to replace the PSW-key mask in control register 3 as part of the stacking PC operation. When this bit is 0, the EKM is ORed into the PSW-key-mask in control register 3 as part of the stacking PC operation. Bit 133 is an extended-authorization-index control (E) which, when 1, specifies that the entry EAX of bits 144-159 is to replace the current EAX in control register 8 as part of the stacking PC operation. When the E bit is 0, the current EAX in control register 8 remains unchanged. Bit 134 is an address-space-control control (C) which, when 1, specifies that bit 17 of the current PSW is to be set to 1 as part of the stacking PC operation. When this bit is 0, bit 17 of the current PSW is also set to 0. Because the CPU must be in either the primary-space mode or the access-register mode when a stacking PC instruction is issued, the result of this C bit is that the CPU is placed in the access-register mode if bit 134 is 1 or the primary-space mode if bit 134 is 0. Bit 135 is a secondary-ASN control (S) which, when 1, specifies that the EASN of bits 16-31 are to become the new secondary ASN, and a new secondary segment-table designation (SSTD) is to be set equal to the new primary segment-table designation (PSTD), as part of the stacking PC-ss operation. When this bit is 0, the new secondary address-space number (SASN) and SSTD are set equal to the old primary address-space number (PASN) and PSTD, respectively, of the calling program. When the EASN is not all zeroes, the ASTE address of bits 161-185, with six zeroes appended on the right, forms the real ASTE address that results from applying the ASN translation of the EASN. It will thus be seen that the EASN and ASTE address entries in the entry-table entry point to an entry in the AST 30 which contains the STD, as shown in connection with FIG. 2. It is unpredictable whether an ASN translation of the EASN is performed to obtain an ASTE address, or whether the ASTE address of bits 161-185 is used to locate its designated ASTE. The CPU may do the latter to achieve improved performance.

FIG. 9 shows a linkage stack 35 which may be formed by the control program for each dispatchable unit. The linkage stack is used to save the execution state and the contents of the general-registers and access-registers during a stacking operation. The linkage stack is also used to restore a portion of the execution state and the general-register and access-register contents during a return operation. A linkage stack resides in virtual storage, with the linkage stack for a dispatchable unit in the home address space for that dispatchable unit. As discussed in connection with the control registers of FIG. 3, the home address space is designated by the HSTD in control register 13. This protects the linkage stack information and allows recovery of the linkage stack information in the event of a failure in the users address space.

The linkage stack is intended to be protected from problem-state programs so that these programs cannot examine or modify the information saved in the linkage stack except by means of specific extract and modify instructions. The linkage stack 35 may consist of a number of linkage stack sections 36, 37 and 38 which are chained together by forward pointers and backward pointers.

There are three types of entries in the linkage stack: header entries 40 having a backward pointer, trailer entries 42 having a forward pointer, and state entries 43 (see linkage stack section 36). A header entry and a trailer entry are at the beginning and end, respectively, of a linkage-stack section, and are used to chain linkage-stack sections together. Header entries and trailer entries are formed by the control program, and a state entry is added to contain the execution state and register contents that are saved in the stacking operations. The linkage-stack-entry address in control register 15 points to either the current state entry 44 or, if the last state entry in a section has been unstacked, to the header entry for the current section. FIG. 10 depicts the contents of a linkage-stack state entry which, for a stacking PC instruction, contains the contents of the general registers, the contents of the access registers, the PSW key mask, the secondary address space number, the EAX from control register 8, the primary address space number, and the contents of the PSW, all at the beginning of the stacking instruction, and the PC number used. In the case of a BRANCH AND STACK instruction (to be explained), the addressing mode bit and the branch address are saved rather than the PC number.

Each type of linkage-stack entry has a length that is a multiple of eight bytes. A header entry and trailer entry each has a length of 16 bytes. A state entry has a length of 168 bytes (as shown by the numbers in FIG. 10). Each type of entry has an eight-byte entry descriptor at its end (shown at 46 of FIG. 10 for a linkage-stack state entry).

Bit 0 of the entry descriptor is an unstack-suppression bit (U). When bit U is one in the entry descriptor of a header entry or a state entry, a stack-operation exception is recognized during the unstacking process in PROGRAM RETURN. Bit U is set to zero in the entry descriptor of a state entry when the entry is formed during the stacking process.

Bits 1-7 of the entry descriptor are an entry type (ET) code that specifies the type of linkage stack entry containing the entry descriptor. The codes are:

    ______________________________________
    0000001         Header entry
    0000010         Trailer entry
    0000100         Branch state entry
    0000101         Program call state entry
    ______________________________________

    ______________________________________
    BRANCH AND STACK
    PROGRAM RETURN
    ______________________________________

    ______________________________________
    GLOSSARY
    ______________________________________
    AKM       Authorization Key Mask
    AL        Access List - An addressing capability table.
    AR        Access Register - each access register is
              associated with a GPR.
    ART       Access Register Translation - A method of
              associating a STD - segment table designation
              with an access register.
    AX        Authorization Index
    ALB       ART Lookaside Buffer - ART occurs each time
              an AR is designated by a B field storage operand
              reference in a GPR, and the ALB reduces
              storage references during ART.
    ALE       Access List Entry
    ALEAX     Access List Entry Authorization Index
    ALEN      Access List Entry Number - Bits 16-31 of the
              ALET are the access list entry number of the
              designated ALE.
    ALL       Access List Length - Stored in a control
              register as a predetermined number and can at
              most permit 1024 access list entries.
    ALET      Access List Entry Token - An ALET designates
              an entry in an access list.
    ALESN     Access List Entry Sequence Number - Bits 8-15
              of the ALET and of the ALE.
    ASN       Address Space Number - Represents an address
              space.
    ASTE      ASN Second Table Entry - This is an expression
              of the 370/XA ASTE shown in the prior art and
              includes an I bit and an STD.
    ASTESN    ASTE Sequence Number - The ASTESN in
              the ALE is tested for equality with
              ASTESN in ASTE.
    ATL       Authority Table Length.
    DAS       Dual Address Space
    DASD      Direct Access storage device.
    DAT       Dynamic Address Translation - Uses an STD to
              convert virtual address to real storage
              addresses.
    DUAL      Dispatchable Unit Access List
    DUALD     DUAL designation consisting of the real origin
              and length of the DUAL
    DUCT      Dispatchable Unit Control Table - contains
              DUALD and specified by CR2
    EAX       Extended Authorization Index
    EKM       Entry Key Mask
    ETE       Entry Table Entry
    GPR       General Purpose Register for containing
              operands and addresses
    LTD       Linkage Table Designation
    MAS       Multiple Address Space
    P Bit     Bit in ALET that selects between DUAL and
              PSAL
    PRIVATE-Bit
              Bit P in the ALE that designates whether
              all users may have access or an authority
              mechanism is invoked.
    PASTE     Primary ASN second table entry - contains
              PSAL and LTD
    PC-cp     Program Call to Current Primary
    PC-ss     Program Call with Space Switching
    PKM       PSW Key Mask
    PSAL      Primary Space Access List
    PSALD     PSAL Designation consisting of the real origin
              and length found in the primary ASTE
    PSTD      Primary Segment Table Designation
    PSW       Program Status Word
    SSTD      Secondary Segment Table Designation
    STD       Segment Table Designation
    ______________________________________

• Inventors
  Baum, Richard I.; Borden, Terry L.; Clark, Carol E.; Ganek, Alan G.; Lum, James; Mall, Michael G.; Scalzi, Casper A.; Schmalz, Richard J.;
• Assignee
  International Business Machines Corporation (Armonk, NY)
• Published
  Jun-15-1993
• Current US Classes:
  712/233
  718/108
• Application #
  732936
• International Classes
  G06F 009/42
• Field of Search
  364/DIG. 395/775 395/800
• Examiner
  Clark; David L.
• Agent
  Goldman; Bernard M., Ludwin; Richard M.
• US Patent References:
  4037214
  4041462
  4044334
  4096573
  4104721
  4136385
  4268903
  4297743
  4355355
  4366536
  4366537
  4407016
  4420807
  4430705
  4454580
  4500952
  4521846
  4530049
  4546430
  4594659
  4630234
  4731734
  4766537
  4811208