System for determining the rights of object access for a server process by combining them with the rights of the client process

Abstract

In a multitasking, multiuser computer system, a server process temporarily impersonates the characteristics of a client process when the client process preforms a remote procedure call on the server process. Each process has an identifier list with a plurality of identifiers that characterize the process. The server process generates a new identifier list which is either the same as the client process's list, or is the union of the server's and the client's lists. Each object in the system can have an access control list which defines the identifiers that a process must have in order to access the object. The operation system has access checking software for enabling a selected process access to a specified object when the identifiers for the process match the list of identifiers in the access control list of the specified object. The server can therefore access all objects accessible to the client while the server is working for the client. The server can restore its original identifier list after completing the services that it performs for the client.

Claims

What is claimed is:

1. A computer system, comprising:

memory means for storing data and data structures;

a multiplicity of objects comprising data structures stored in said memory means;

a multiplicity of processes running concurrently on sid computer system; each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers; said multiplicity of processes including at least one server process and a plurality of client processes;

each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each object's access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object;

access checking means, coupled to said memory means and said multiplicity of processes, for enabling acces by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object's access control list; and

impresonation means, responsive to requests from one of said client processes, for generating an adopted set of identifiers to replace said set of identifiers denoted by the characteristic denoting means of one of said at least one server process, said impersonation means including means for generating said adopted set of identifiers by replacing said one server process' set of identifiers with theunion of said identifiers denoted by the characteristic denoting means of said requesting client process and said identifiers denoted by the characteristic denoting means of said one server process;

said one server process including means, coupled to said access checking means, for performing tasks on behalf of said requesting client process including accessing ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means.

2. The computer system set forth in claim 1, further including:

restoration means for storing said set of identifiers of said one server process replaced by said impersonation means, and for restoring said stored set of identifiers to said one server process after said one server process finishes performing said tasks on behalf of said one client process.

3. A computer system, comprising:

memory means for storing data and data structures;

a multiplicity of objects comprising data structures stored in said memory means; each object having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object;

a multiplicity of process running concurrently on said computer system; each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers; said multiplicity of processes including a plurality of server processes and a plurality of client processes;

access checking means, coupled to said memory means and said multiplicity of processes, for enabling access by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object's access control list;

each server process includign means, coupled to said access checking means, for responding to requests from one of said client processes by performing tasks on behalf of said requesting client process, said tasks including accessing ones of said multiplicity of objects; and

impersonation means, coupled to said plurality of server processes, for generating an adopted set of identifiers to replace said set of identifiers denoted by the characterstic denoting means of a specified one of said server processes, said impersonation means including means for generating said adopted set of identifiers by replacing said specified one server process' set of identifiers with the union of said identifiers denoted by the characteristic denoting means of said requesting client process and said identifiers denoted by the characteristic denoting means of said specified one server process;

said specified one server process accessing ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means.

4. The computer system set forth in claim 3, further including:

restoration means for storing said set of identifiers of said specified one server process replaced by said impersonation means, and for restoring said stored set of identifiers to said specified one server process after said specified one server process finishes performing said tasks on behalf of said requesting client process.

5. In a computer system, having

memory means for storing data and data structures;

a multiplicity of objects comprising data structures stored in said memory means; each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object; and

a multiplicity of processes running concurrently on said computer system; said processes including at least one server process and a plurality of client processes; each of said processes having an associated identifier list denoting a set of identifiers;

a method of operating said computer system comprising the steps of:

one of said at least one server process responding to requests by one of said plurality of client processes by performing tasks on behalf of the requesting client process;

said one server process impersonating said requesting client process by adopting a set of identifiers to replace said identifier list associated with said one servier process, wherein said adopted set of identifiers is the union of said identifiers in said identifier list associated with said requesting client process and said identifiers in said identifier list associated with said one server process; and

said one server process initiating access to a specified one of said multiplicity of objects, said system enabling access by said one server process to said one specified object when said adopted set of identifiers match the identifiers of at least one entry in said one specified object's access control list.

6. A method of operating a computer system as set forth in claim 5, further including the steps of

storing the identifier list of said one server process that was replaced by said adopted set of identifiers, and later restoring said stored identifier list to said one server process after said one server process finishes performing said tasks on behalf of said requesting client process.

7. In a comptuer system, having

memory means for storing data and data structures;

a multiplicity of objects comprising data structures stored in said memory means; each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein eahc entry includes a conjunction of one or more identifiers required to access said each object; and

a multiplicity of processes running concurrently on said computer system; said processes including a plurality of server processes and a plurality of client processes; each of said processes having an associated identifier list denoting a set of identifiers;

a method of operating said computer system comprising the steps of:

dach respective server process responding to requests by respective ones of said plurality of client processes by performing tasks on behalf of the respective requesting client process; and

each respecitve server process, prior to performing said tasks on behalf of the respective requesting client process, impersonating said respective requesting client process by adopting a set of identifiers to replace said identifier list associated with said respective server process; wherein said set of identifiers adopted by said each respective server process is the union of said identifiers in said identifier list associated with said respective requesting client process and said identifiers in said identifier list associated with said respective server process; and

each respective server process initiating access to a respective one of said multiplicity of objects, said system enabling access by said respective server process to said one respective object when said set of identifiers adopted by said respective server process match the identifiers of at least one entry in saidone respective object's access control list.

8. A method of operating a computer system as set forth in claim 7, further including the steps of:

storing the identifier list of said respective server process that was replaced by said adopted set of identifiers, and later restoring said stored identifier list to said respective server process after said respective server process finishes performing said tasks on behalf of said respective requesting client process.

Description

This application is related to the application entitled RPC BASED COMPUTER SYSTEM USING TRANSPARENT CALLBACKS AND ASSOCIATED METHOD, in the name of Mark Ozur et al., Ser. No. 07/830,730, now U.S. Pat. No. 5,247,676, filed Feb. 4, 1992, which is a continuation of Ser. No. 07/374,100, now abandoned, filed on the same date as this application, and is hereby incorporated by reference.

The present invention relates generally to multitasking digital computer systems and particularly to methods and systems for managing the data structures used by a multitasking digital computer system.

BACKGROUND OF THE INVENTION

Large computer systems generally allow many users to simultaneously use a single computer's resources. Such systems are herein called multitasking digital computer systems. Such computers include virtually all mainframe computers and most minicomputers.

One of the primary jobs of the operating system for a multitasking computer system is to support and keep track of the operations of a multiplicity of users who are running numerous concurrent processes. Thus the computer's operating system must have data structures which represent the status of each user. Such status information includes the memory and other resources being used by each user process.

If every user process were completely independent, had its own dedicated resources, and there were no concerns about which resources each process could use, operating systems could be relatively simple. However, in actuality, computer resources are shared and many user processes need to access commonly used or owned resources. In fact, each user may generate a number of execution threads which run simultaneously and which need to be able to share resources and to communicate with other ones of the user's threads.

Another concern in multitasking computer systems is security and data integrity. Ideally, the computer system should provide an access security system which enables each user to control the extent or amount of sharing of information that belongs to the user. Further, the system should provide several types of protection. For example, when multiple processes are allowed access to a resource, the identity of each process which attempts to access the resource should be tested to determine if that particular process is authorized to access the resource. The system of access control should also provide limited "visibility" of computer resources so that an unauthorized user cannot obtain information about another user by repeated attempts to access resources with various names. In addition, to protect data integrity, the system must protect against simultaneous accesses by different authorized processes.

Yet another concern of multitasking operating systems is clearing the system of "objects" (i.e., files and data structures) which are no longer needed by any of the systems users. Ideally, the system should also be able to automatically deallocate resources, such as input/output devices, no longer needed by a process.

SUMMARY OF THE INVENTION

In summary, the present invention is an object based operating system for a multitasking computer system. The present invention, which is also called an object based architecture, is "object based" because it provides objects which represent the architecture or interrelationships of the system's resources. The present invention provides an extensible, yet rigorous framework for the definition and manipulation of object data structures.

Objects, generally, are data structures which store information about the user processes running in the system, and which act as gateways to using the system's resources. Resources, generally, include sets of information, physical devices such as a tape drive, and various programs or "operations". Such resources are not available to a user unless the user has explicit permission to use that resource. More specifically, access to certain objects is required in order to use the corresponding resources of the computer system.

A multiplicity of processes run concurrently in the computer system, including at least one server process and a plurality of client processes. Each process has a list of identifiers that represent the process' object access rights.

Each object has an access control list, which is list of identifiers, for use in determine which processes can access that object. Access control software in the computer's operating system compares the identifier list of a process requesting access to a specified object with the object's access control list, and allows the requested access when the process' identifier list matches at least one of the identifiers in the specified object's access control list.

For the purpose of facilitating server/client remote procedure calls, the operating system includes special software that enables a server process to "impersonate" a client process. When one of the client processes calls a server process, the impersonation software generates an adopted set of identifiers to temporarily replace the server process' usual list of identifiers. The impersonation software has two modes of operation. In one mode, the adopted set of identifiers is generated by replacing the server process' list of identifiers with the list of identifiers of the requesting client process. In the second mode, the adopted set of identifiers is generated by replacing said server process' list of identifiers with the union of the requesting client process' identifiers and the server process' list of identifiers.

After receiving the adopted set of identifiers, the server process performs tasks on behalf of the requesting client process, including accessing various objects using the adopted set of identifiers generated by said impersonation software.

BRIEF DESCRIPTION OF THE DRAWINGS

Additional objects and features of the invention will be more readily apparent from the following detailed description and appended claims when taken in conjunction with the drawings, in which:

FIG. 1 is a block diagram of a computer with a multitasking operating system.

FIG. 2 is a block diagram of the virtual memory spaces of several concurrently running user processes.

FIG. 3 is a block diagram showing how data structure objects in the system are organized in a three level hierarchy.

FIG. 4 is a block diagram showing the hierarchical relationship between a user object, a job, the processes for a job, and the execution threads for a process.

FIG. 5 is a block diagram showing the range of objects visible to a particular execution thread.

FIG. 6 is a block diagram of the container directory and object container data structures at one level of the three level hierarchy shown in FIG. 3. FIG. 6A is a more detailed diagram of the process level container directory for a process.

FIG. 7 is a block diagram of an object ID.

FIG. 8 is a block diagram of the data structure of an object.

FIG. 9 is a block diagram an object type descriptor.

FIG. 10 is a block diagram of the process for adding a new object type to the system by creating an object type descriptor for the new object type.

FIG. 11 is a block diagram showing the reference pointers for a specified object.

FIG. 12 is a flow chart of the process for creating a reference ID for a specified object.

FIG. 13 is a f low chart of the process for deleting an object ID.

FIG. 14 is a flow chart of the process for transferring an object from one object container to another object container.

FIG. 15 is a flow chart of the process for transferring an object container to a specified container directory.

FIG. 16 is a flow chart of the process for conditionally creating a specified object.

FIG. 17 is a block diagram of the access control list for an object and a execution thread which is attempting to access the object.

FIG. 18 is a block diagram of the data structures for privileged operation objects.

FIG. 19 is a block diagram of the data structures for allocating a set of objects to a thread, process, job or user.

FIG. 20 is a block diagram of the data structures for implementing user defined waitable objects.

FIG. 21 is a block diagram of the data structures for a server thread impersonating the characteristics of a client thread.

FIG. 22 is a flow chart of the impersonation process.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring to FIG. 1, a computer system 100 in accordance with the present invention includes a high speed central processing unit (CPU) 102 which concurrently runs several processes 104-110. The CPU 102 may be either a single powerful processor or may contain multiple processors. As is standard in multitasking computer systems, each process has its own virtual memory space which is mapped partially into high speed primary memory 112 and partially into lower speed secondary memory 114 by a virtual memory manager 116. More generally, each process 104-110 is allocated a certain portion of computer's resources, including selected peripheral devices such as terminals 120-122 and other input/output devices 124 and 126. Other types of resources which are allocated to selected ones of the processes include specified sets of data and data structures in the system's memory 112-114.

The set of software which controls the computer's operation and the allocation of resources to the processes 104-110 running the computer is called the operating system 130. For the purposes of the present discussion it can be assumed that the operating system 130 is resident in primary memory 112, although certain infrequently used portions of the operating system may be swapped out to secondary memory by the memory manager 116. One feature of the present invention is that the computer system 100 can serve as a "computer server" to one or more client computers 132. Client computers 132, coupled to the CPU 102 by a bus interface 134, can send tasks to the computer system 100 for execution. The computer system 100 is a mainframe or other high performance computer system which can execute tasks in a relatively short period of time compared to the client computers 132. The operating system 130 of the present invention includes a mechanism for setting up a process in the computer system 100 which adopts the "profile" or characteristics of the process in the client computer which is being served.

Referring to FIG. 2, there is shown a block diagram of the virtual memory spaces of several concurrently running user processes 104-108. The virtual memory space of every process includes a portion 140 which can be accessed by "user mode" programs as well as "kernel mode" programs, and a portion 142-144 which can be accessed only by "kernel mode" programs. The kernel mode portion 142-144 includes two sets of software called "the kernel" 142 and "the executive" 144.

As shown in FIG. 2, the portion of the virtual memory space which comprises the kernel mode portion 142-144 is common to all user processes running in the computer system. In other words, a predefined portion of the address space of every user process is occupied by the operating system 130 and its data structures. The user mode portion of each user process 140 occupies a distinct virtual memory space.

"Kernel mode" is a mode of operation used only by kernel and executive software routines. Only kernel mode routines can access the data structures used to control the operation of the computer system and to define the system resources allocated to each user process.

When a user mode program 145 in a user process 104 creates an object, or performs any one of a number of operations on an object, the user process calls a kernel mode routine 146 in the kernel mode portion 142-144 of its address space to perform the necessary operations. When the kernel mode routine 146 completes the necessary operations on the kernel mode data structures, it returns control to the user mode program 145.

The kernel 142 is the "lowest layers, of the operating system 130 which interacts most directly with the computer's hardware 148. The kernel 142 synchronizes various activities, implements multiprocessing capabilities, dispatches execution threads, and provides services to device drivers for handling interrupts.

The executive 144, which also runs in kernel mode, implements system services, memory management, user-level object support, the computer's file system, network access, and device drivers. The executive defines "system policy", such as the rules which govern the visibility of user accessible objects.

OBJECT ARCHITECTURE

The object architecture of the present invention is a set of data structures and procedures which controls the use of user definable objects.

GLOSSARY

To clarify the following discussion, the following definitions are provided.

"Objects" are data structures used to hold information that is used by the operating system and which must be protected from unauthorized access by users of the system. While users cannot themselves "define" objects, they can ask the operating system to create specified objects on their behalf. The resultant objects are system data structures that are accessible by the user through system routines which protect the integrity of those objects. For instance, a "process object" is a type of object used in the present invention to store the information needed by the operating system to keep track of the status of a particular user process. "User accessible objects" are objects used by user processes, and will be referred to herein simply as "objects."

"Kernel objects" are a distinct set of data abstractions used by the system's kernel and are called kernel objects in order to distinguish them from the regular objects which are part of the object architecture of the present invention.

A "user" is herein defined to mean a person or other entity recognized by the computer system as being authorized to create processes and to use resources in the computer system.

A "Job" represents the current set of system resources being used by a particular user.

A "Process" is the entity to which a virtual memory address space is assigned, and is the entity to which process-level objects are assigned. There can be multiple processes in a Job. Whenever a job is created, a "top level" process is created for that job. Any process, including the top level process,, can cause the creation of additional processes, called subprocesses or child processes. Any process which creates another process is referred to as a parent process.

A "thread", also called an "execution thread". is the entity which actually executes programs and thus provides a stream of execution (sometimes called a context state). It is the schedulable entity which executes program steps and consumes resources. More technically, a thread is a system defined object that executes a program that is resident in a process's address space. A thread contains a machine state that consists of the computer's register contents, a program counter, and other privileged information needed to cause the thread to execute a program. Each process many create a number of execution threads which run "simultaneously" and which can share resources and communicate with one another. Multiple threads can run simultaneously when multiple CPUs are available. On a single CPU system the operating system makes the threads appear to run simultaneously. All resource limitation data structures for a thread belong to the thread's process.

An "object container" is a data structure for storing pointers to objects. It is essentially a table which is used to keep track of a set of objects.

A "container directory" is a data structure for storing pointers to a set of object containers. Thus a container directory is a table used to keep track of a set of object containers.

OBJECT HIERARCHY

Referring to FIG. 3, the object architecture of the present invention provides a hierarchical "visibility structure" for objects. When an object is "visible" to a particular execution thread or process it means that the execution thread may at least attempt to access that object. Objects not visible to a process are stored in such a way that the process cannot even attempt access.

When an object is created, it is placed at one of three levels: the system level 160, the job level 162, or the process level 164. At the system level 160 there is a single container directory 170 which contains a set of system level object containers 172, 174, 176. Objects 178-180 in system level containers are visible to all threads on the system.

At the job level 162 there is a container directory 190 for every job that is currently active in the system. Each job level container directory 190 contains a set of job level object containers 192, 194, 196. Objects at the job level 162 are visible only to threads in that job.

At the process level 164 there is a container directory 200-206 for every process that is currently active in the system. Each process level container directory 200 contains a set of process level object containers 212, 214, 216. Objects at the process level 164 are visible only to threads in that process. For example, a thread cannot access an object that is at the process level for another process. As will be explained below, this visibility restriction is achieved by giving each process a pointer, called an object ID, only to its own process level container directory. Because a process cannot have a pointer to the process level container directory for other processes, each process is incapable of "expressing" the object ID of objects in the containers not visible to that process.

Each process is assigned at least two process level object containers 212 and 214. The first object container 212 is called the public display container for the process and the second container 214 is called the private container. Only objects that the process wants to be accessible to subprocesses are placed in the public display container 214, and all other objects created by the process are put in its private container 216.

Referring to FIG. 4, there is a hierarchy of objects which represents users, jobs, processes and threads. FIG. 4 shows the hierarchical relationship between the objects for a user, a job, the processes for a job, and the execution threads for a process.

As shown, there are four levels of objects in the User-Job-Process-Thread (UJPT) hierarchy, and each type of object is stored in a corresponding system level object container 220, 222, 224 and 226. All user objects 230 are stored in a user object container 220. Job objects 232 are stored in a job object container 222. Process objects 234 and 236 are stored in a process object container 224, and thread objects 240, 242 and 244 are stored in a thread object container 226.

The four levels of objects provide a logical grouping of functionality and control. A user object 230, which appears at the highest level of the User-Job-Process-Thread (UJPT) hierarchy, defines the security profile and resource quotas/limits for its underlying objects. The user object 230 also stores a pointer to the job object 232 for the user.

A job object 232 provides a job level container directory and a set of resource limits for a collection of processes running as a job. The job object 232 includes a reference pointer to its user object 230, and a list head which points to the first process object 234 for the job. Thus the process objects 234-236 for a particular job are accessed as a linked list. Note that in FIG. 4, linked list pointers are depicted as narrow lines with arrow heads which point either down or to the right within the hierarchy, while reference pointers are depicted as thicker lines with arrow heads that point upwards in the hierarchy.

A process object 234 provides a process level container directory, a pointer to the page table for the process, and pointers to the parameters needed to manage the address spaces of its execution threads. The process object 234 includes a reference pointer to its job object 232, and a list head which points to first thread object 240 for the process. The thread objects 240-242 for a particular process are accessed as a linked list. The process object 234 also contains a list head which points to the first subprocess for which the object 234 is the parent process (not shown in FIG. 4).

A thread object 240 contains a thread control block which stores the processor state as it executes the steps of a program, including the pointers and values needed to keep track of all resources used by the thread object. The thread object 240 includes a reference pointer to its process object 234, and a list pointer for joining additional thread objects into a linked list of threads for the process.

FIG. 5 is a block diagram showing the range of objects visible to a particular execution thread. In particular, each thread object contains a thread control block 250 which points to the software process control block 252 for the thread's process. The software process control block 252 contains pointers which indirectly point to a container directory at each of three visibility levels. The container directory 170 at the process level is the container directory belonging to the process object for the thread. Similarly, the container directory 190 at the job level is the container directory belonging to the job object for the thread. The system level container directory 200 is the same for all threads.

MUTEXES

Access to each and every container directory is governed by a corresponding mutex. A mutex is essentially a f lag used to synchronize access to a corresponding system resource. The purpose of a mutex is to ensure that only one thread accesses a particular resource at any one time. To use a resource that is protected by a mutex, one must first "obtain the mutex". obtaining a mutex is an atomic (i.e., uninterruptable and interlocked) operation in which the mutex is tested. If the mutex was previously set, the process trying to obtain the mutex is suspended until the mutex becomes free. If the mutex is free, it is set and the requesting process is then allowed to access the protected resource.

Mutexes are used throughout the present invention to synchronize access to container directories, object containers, linked lists of objects, and many other types of data structures. For instance, to change certain fields of an object, the thread making the change must first obtain the mutex for the container in which the object is located. In addition, many objects contain a mutex which protects that object.

All mutexes used by the system are stored in an array 254 in a non-paged, protected portion of primary memory, accessible only to kernel mode routines, which cannot be swapped out by the memory manager. The "mutexes" shown in many of the data structures in the Figures are actually pointers to the corresponding mutexes in the mutex array 254. In other embodiments the mutexes need not be stored in an array so long as they are stored in non-paged, protected memory.

As will be explained in more detail below, in the section entitled waitable Objects, mutexes are a special type of kernel synchronization primitive.

As shown in FIG. 5, there is a mutex f or each of the three container directories which are visible to a particular thread.

CONTAINER DATA STRUCTURES

Referring to FIG. 6, there is shown a portion of the data structures for one container directory 260 and one object container 262. For the purposes of this discussion, the container directory and object container data structures may be at any level of the three level hierarchy shown in FIG. 3.

The data structures for container directories and object containers are virtually identical. For the sake of clarity, the data structure for an object container will be explained first.

An object container 262 comprises a container object 270, which contains a standard header 272, a pointer 274 to a name table 275, and a pointer 276 to an object array 280. The purpose of the name table 275 is to translate object names into object IDs, and the purpose of the object array 280 is to translate object IDs into pointers to objects 281. The object container also includes a container mutex 278 which is used to synchronize access to certain fields in the name table 275, the object array 280, and the objects in the container.

The name table 275 has two portions, an object name array 282 and an array of name definition blocks 284. The object name array 282 is simply an index into the array 284 of name definition blocks and may be implemented as either a hash table or a binary tree. In either case, each entry in the name array 282 contains one object name and one pointer to an entry in the array of name definition blocks 284. Each name definition block 286 contains information for one object name, including the object ID as well as the object's type (object types are described in more detail below) and mode (i.e., accessible by user mode or kernel mode routines).

The object array 280 contains an array size value 288 which denotes the size of the array 280, which corresponds to the maximum number of object points that can be stored in the object array 280. The object array has a set of elements 290-294, each of which can store either an object pointer or a place holder for an object pointer. The count value field 296 denotes the number of elements in the object array which currently hold object pointers (i.e., the count value is equal to the number of object pointers currently stored in the object array 280).

Array elements such as element 292 which store a place holder are said to be "free". These unused elements are arranged in a singly linked "free list", the head of which is the "next free" link head field 298. The unused elements 292 in the object array contain a "sequence number high" field and a link to the next free element in the object array. The link fields in the unused elements form a list of unused object array elements. As will be described below with respect to FIGS. 7 and 8, the "sequence number high" value is used when an object pointer is stored in this element. See the discussion of the sequence number high field 340 of an object ID, below.

Whenever a new object pointer is stored in the object array 280, the element at the top of the free list (pointed to by the link head 298) is popped off the top of the free list and is used to store the new object pointer. The count field 296 is also incremented. When an object pointer is deleted, it is added to the top of the free list and the count field 296 is decremented.

The header of every object, including a object container object 270, contains a back pointer to the container in which it resides. The container which holds an object container is a container directory 260, and therefore the object container's back pointer 299 points to its container directory 260. The back pointer in the object header of a container directory object (not shown) points to itself.

A container directory 260 comprises a container directory object 300, which has the same basic data structure as an object container 262. However, the object names in the name table 306 of a container directory 260 are the names of object containers. In other words, the objects referenced by the name table 306 and the object array 310 in a container directory are object containers, whereas many different types of objects can be referenced by the name table 275 and object array 280 of an object container 262. Note that every object, including container directories, must have at least one object ID and one corresponding pointer in a container. Since there is no "container for container directories", the first entry in the object array 310 of an object container is a pointer to itself.

The container directory object 300 contains an additional pointer called the display index 311. For system and job level container directories, the display index simply points at the first item in the object array 310.

For process level containers, the top entries in the object array point to the publicly accessible object containers visible to the process, herein called display containers, and the next entry points to the private container for the process. As mentioned above with reference to FIG. 3, each process is assigned at least two process level object containers 212 and 214. The first object container 212 is called the public display container for the process and the second container 214 is called the private container. Only objects that the process wants to be accessible to subprocesses are placed in the public display container 212, and all other objects created by the process are put in its private container 214 or other private object containers.

Referring to FIG. 6A, there is shown a more detailed diagram of the process level container directory 260 for a process. Whenever a subprocess is created, it is automatically given a pointer 314 to its parent's public display container as well as a pointer 316 to its own public display container and a pointer 318 to its private display container. As shown in FIG. 6A, the display index 312 points to the entry 316 in the object array which points to the public display container for this process. If this process is a subprocess, above the public display entry 316 are pointers 314 and 320 which point to the 1/2 display containers for this process's parent process and grandparent process, and so on. Below the entry 318 for the process's private container, the container directory 260 may contain pointers 322 to other process level private containers for this process.

OBJECT DATA STRUCTURE

Referring to FIG. 7, when an object is created, it is assigned a 64-bit value called its object ID 330. This value provides the fastest means for a user-mode routine to identify and access the object. Only kernel mode routines can use pointers which directly address an object.

When an object is created, the "object ID" returned by the object creating routine is called the principal ID. Every object has only one principal ID. An object may also have one or more reference IDs which also point indirectly to the object. Reference IDS are discussed below in the section entitled Reference IDs.

Both the principal ID and reference IDs are herein called "object IDs". In addition, it should be noted that these IDs are not "capabilities" as that term is used when describing capability based operating systems--rather they are indirect pointers to data structures called objects.

The principal ID of an object that is accessible by two processes is the same in both processes. This extends to objects at all levels. This property allows IDs of shared objects to be communicated between cooperating threads.

Object IDs are used to uniquely identify objects within the system. It should be noted that an object ID is not the address of an object; it is a value which may be translated into the address of an object through the use of the object array in an object container as shown in FIG. 6. Thus object IDs only indirectly point to objects.

Referring to FIGS. 6 and 7, the fields of an object ID 330 are as follows. An index into a container directory 332 is used to index into the object array 310 of a container directory 260 and thereby find a pointer to the object container 262. An index into a container's object array 334 is used to index into the object array 280 of an object container and thereby find a pointer to the object.

The level 336 of the principal object ID determines the level of an object's visibility: process, job or system, as was discussed with reference to FIG. 3. To find the container directory for an object ID, one may refer to the software process control block 252 (see FIG. 5). Any process which can express the object ID for an object can try to access the object. As shown in FIG. 5, the software control block 252 contains a pointer to the container directory corresponding to each level of visibility.

The sequence number low 338 and sequence number high 340 are used to prevent a program from using an object ID after the corresponding object has been deleted, and other types of programming errors. The sequence number low field 338 is a ten bit value which receives a new randomly generated value each time that a new object is created. The sequence number high field 340 is a ten bit value inside each object ID that is incremented each time that an object is created, and reset to zero when it overflows.

Note that the elements 290-294 in the object container are reused after an object is deleted. When an object pointer is deleted from the object array 280 in a container, the sequence number high 340 for the corresponding object ID is stored in the element that formerly held the deleted object pointer. The value of the sequence number high is incremented and stored in an object ID (and in the header of an object, as will be explained below) the next time that this element of the object array is used to store a pointer to a newly created object.

The use of sequence numbers does not totally eliminate the problem of illegal references to deleted objects, it just reduces it to an extremely small probability for most programming situations.

Referring to FIG. 8, each object 350 in the preferred embodiment has two parts, a standard object header 355 which is only manipulated by kernel mode object architecture routines, and an object type specific body 360 which is manipulated by object specific service routines. The object header 350 of each object is a data structure that has a number of fields 362-396. The object type 362 identifies the type of the object. The PTR-Object Type Descriptor field 368 contains a pointer to an object type descriptor (OTD) for this particular object type. OTDs will be discussed below with reference to FIG. 9.

In a typical implementation of the present invention there will be at least twenty-five different types of objects, including container directories, object containers, user definition objects, job definition objects, process control blocks, thread control blocks, and many others. For each object type there is an object type descriptor 400, described below with reference to FIG. 9, which specifies the routines for handling, allocating and deleting objects of that type. When an object ID is translated into a pointer to an object header, the type field 362 in the object header is compared with the desired object type to make sure that the proper object is being accessed.

For all objects except container objects, the object ID count 366 represents the number of object IDs which refer to the object. For container objects, the object ID count 366 represents the number of container directory object array pointers which refer to the object, which is also the number of container directories that can refer to this object container. Note that for container objects the object ID itself is not counted. Hence, for object containers, the object ID count 366 is equal to one unless the container is a display container for a parent process (see FIG. 6A and the corresponding discussion, above).

The object ID count 366 signifies the number of reasons that an object should not be removed from the system. If the object ID count 366 is zero, then no object container has a pointer to that object's header 355.

The object ID count field 336 is never directly incremented or decremented by a user mode routine, only the executive routines for object support operate on this field 366. For a kernel mode routine to increment or decrement this field 366, the mutex field 278 (in FIG. 6) of the object container in which this object resides and directory-level mutex must first be acquired. This is necessary to ensure that an object cannot be deleted while another reference to the object is being established. As will be explained below, it is sometimes necessary to acquire several mutexes before performing an operation on an object to ensure the integrity the object.

Whenever an access to an object will span a period of time that can not be protected by use of mutex locks on appropriate data structures, the pointer count field 364 must be incremented. In particular, an address of an object may not be used to regain access to the object unless the pointer count 364 has been previously incremented.

The pointer count 364 represents the number of pointers that have been taken out on the object, plus one for a non-zero object ID count. When an object ID is translated by an object service routine, the pointer count 364 is incremented by one. The pointer count 364 for an object signifies the number of reasons the storage for an object should not be deallocated. To increment this field, the directory-level mutex must first be held. This is necessary to avoid race conditions with the object ID being deleted.

When an object ID, object container pointer, or reference object ID is deleted, the object ID count 366 of the object is decremented. If the resultant object ID count is zero, the pointer count 364 is decremented, and then the process of deleting the object is begun by calling an object type-specific remove routine to initiate any required object type-specific removal actions, such as canceling I/O.

As mentioned above, when the object ID count 366 is decremented to zero, this causes the pointer count 364 to be decremented, as does the dereferencing of a pointer. When the pointer count 364 reaches zero, the object type-specific delete routine is called, and the object's storage is deallocated (i.e., the object is deleted).

One of the major goals of the lock strategy for objects is to allow the pointer count 364 to be decremented without having to hold a lock (i.e., mutex) to do so. This allows low overhead dereferencing of objects on such operations as I/O, wait, and the deleting of a reference object. Note that the pointer count 364 should be non-zero whenever the object ID count 366 is non-zero.

The link field 370 contains a forward pointer to the next object header of this type, as well as a backward link to the previous object header of this type. Thus all objects of each type are linked into a doubly linked list. The list head resides in the OTD for the object type, as will be shown in FIG. 9.

The container pointer 372 is a pointer to the object container in which the object resides. This field, also called the object's back pointer, is dynamic in that the object may be transferred to a different object container. Such a transfer would result in the assignment of a new object ID to the object. This field is zeroed when the principal object ID is deleted. This field 372 may be accessed only by a thread holding both the directory-level mutex and the mutex 278 (shown in FIG. 6) within the object container.

The index into container field 374 is the index into the object array in the container for this object.

The level field 376 specifies the level of visibility of the object, and the level of the object container in which the object resides.

When an object ID is translated into the address of an object, the value of the object ID's sequence fields 338 and 340 (see FIG. 7) are compared to the values of the sequence fields 378 and 380 in the object header. If they are not identical, then the object ID in invalid (i.e., the object referenced by the object ID has been deleted and the corresponding object ID entry in the object container has been reused).

The sequence number fields 378 and 380 of an object may be accessed only by a process which holds both the directory-level mutex and the mutex within the object container.

Note that it is possible to construct the principal object ID for an object if one is given the object header. The level field 376 is equal to the level field 336 in the object's principal ID, and the sequence number fields 378-380 are equal to those in all of the object's ID. The container index field 374 of the object header is equal to the container index field 334 of the object's principal ID. Finally, the container directory index field 332 of the object ID is constructed as follows. The container pointer field 372 points to the object header of a container. The index field 374 in that container's object header is equal to the directory index 332 for the principal object ID.

A dispatcher pointer 381 in the object header is given a nil value if the object is not a waitable object, as will be explained in more detail in the section entitled Waitable Objects. If the object is a waitable object, the dispatcher pointer 381 points to a data structure for a "kernel synchronization primitive" that is stored in the object body 360.

The pointer 382 to a name definition block is used to associate a name string with an object. If the object has an associated name, this field 382 contains a pointer to a name definition block which contains the name. Otherwise this field has a value of zero. The directory level mutex, the object container mutex, and the type-specific mutex must all be acquired in order to modify this field 382.

The owner's ID field 384 identifies the owner of the object. This field is used by the security access validation rules, which are discussed below in the section entitled Access Control Lists.

The ACL pointer field 386 points to an access control list (ACL) f or the object. A nil value indicates that no ACL exists for the object. The format and use of the ACL are discussed below in the section entitled Access Control Lists.

The allocation block pointer 388 is a used by object ID translation routines to ensure that the thread which is trying to access the object has access to the object. In order to translate an object ID into a pointer to an object header, the requesting thread must have access to the object as determined by the ACL, and must be in the allocation class of the object. Object allocation and allocation classes are discussed below in the section entitled Object Allocation.

The Allocation List Head Offset parameter 389 is non-negative when the object 350 has other objects allocated to it. The Allocation List Head Offset 389 indicates the position in the object body 360 of a list head which points to a list of allocation blocks for the objects allocated to this object.

Several binary flags 390-396 govern use of the object. When the temporary flag 390 is set it indicates that the object is temporary. If an object is temporary, the object is automatically deleted when all reference IDs to it are deleted. Note this is different from ordinary object deletion, which occurs when both the object ID count 366 and the pointer count 364 are equal to zero. Therefore, when the object ID count is decremented to one, the temporary flag field 390 must be checked. This will be explained in more detail in the section entitled Reference Object IDs and Temporary Objects.

The transfer flag 392, when clear, indicates that the object cannot be transferred to another container. The transfer action field state is determined at the time the object is created.

The reference inhibit flag 394, when true, prevents the creation of reference IDs to this object.

The access mode flag 396 contains the owner mode (kernel or user) of the object. Kernel-mode objects may not be created in user owned containers. Mode is also used to verify access to the object by the access validation procedures described below in the section entitled Access Control Lists.

OBJECT TYPE DESCRIPTOR (OTD)

Referring to FIG. 9, there is a single object type descriptor (OTD) for each object type defined by the system. OTDs are objects, and all OTD objects reside in a single system level container.

OTD objects have a standard object header 402 and an object body which contains general information about an object type, not a particular instance of an object. For example, on OTD indicates whether an object type supports synchronization or wait operations. Anything an OTD specifies about an object type applies to all instances of that object type.

Part of the information in an OTD 400 is the location of a number of routines 430-438 that may be called by the executive 144 (see FIG. 2). These routines have standard definitions across all object types, but require object type-specific processing. The routines are located by the executive via standard offsets into the OTD, at which are located pointers 420-428 to these routines.

Users of object instances of a particular type do not need to know anything about the routines 430-438 pointed to by the OTD. Only the designer of an object type must know how these routines work. Thus, the present invention makes it relatively easy to introduce new object types into a system because standard types of operations which depend on the particular structure of a new object type, such as creating, allocating and deleting the object, are defined by the designer of the object type and thus the details of the object's structure do not concern the users of these objects.

All the fields 404-428 of the OTD's body have a standardized definition. This allows the executive 144 to use the information in an OTD without having any detailed knowledge of the corresponding object type.

The Object Type field 404 contains a value indicating the type of object the OTD represents.

The List Head field 406 is a list head for a doubly linked list 405 of all the object instances of this type. The List Head field 406 contains a forward link to the first object header of this type, and a backward link to the last object header of this type. These links are used for consistency checking within the object architecture.

The Count field 408 contains a count of the number of objects of the corresponding type that currently exist in the system.

The Dispatcher Offset 410 is used only for object types which support wait operations. When non-negative, the Dispatcher Offset 410 is the offset from the start of the object body to a "kernel synchronization primitive" which is located inside the object body for object instances of this type. The Dispatcher Offset 410 is used to compute a pointer to the kernel synchronization primitive, called the Dispatcher Pointer, that is stored in each object's header.

When a wait operation is to be performed on an object instance of this type, the system's executive 144 issues a kernel wait operation on the kernel synchronization primitive pointed to by the object's Dispatcher Pointer. Kernel synchronization objects are discussed in more detail below in the section entitled Waitable Objects.

Any object type which has a non-negative dispatcher field must allocate the object instances of this type from non-paged portions of the system's primary memory because the kernel synchronization object must be in non-paged memory.

The Access Mask 412 is a bit mask which is used in conjunction with access control lists, and is discussed in section below entitled Access Control Lists.

The Allocation List Head Offset 414 is used only for object types that may have objects allocated to it. For example, thread objects, process objects, job objects and user objects can have other objects allocated to them. When the Allocation List Head Offset 414 is non-negative, it is the offset from the start of the object body to a list head which points to a set of allocation blocks. Object allocation and allocation blocks are discussed in more detail in the section entitled Object Allocation.

The Create Disable Flag 416, when set, prevents additional objects of this type from being created. It is used as part of process of shutting the system down in an orderly fashion.

The OTD Mutex 418 provides synchronization for creation, deletion and state changes among objects of this type.

The Allocate field 420 points to an allocation procedure 430 which performs object type-specific procedures when an object of this type is allocated to a user or process. Object allocation is discussed below in the section entitled Object Allocation. A null routine is provided for use by object types which do not have an allocate procedure.

The Deallocate field 422 points to a deallocation procedure 432 which performs object type-specific procedures when an object of this type is deallocated from a user or process.

The Remove field 424 points to a remove procedure 434. The remove procedure 434 for each object type performs any necessary actions that must be performed before deleting an object. The remove procedure is called when all object IDs to the object have been deleted. This procedure 434 allows object type-specific processing to be performed after applications can no longer reference the object instance, but before the object instance is actually deleted. A null procedure is provided for use by object types which do not have a remove procedure.

The Delete field 426 points to a delete procedure 436, which is responsible for manipulating object type-dependent data structures and deallocating the storage allocated for the object's extensions. The delete procedure is called when an object's pointer count 364 is decremented to zero. Note that the pointer counter 364 cannot decrement to zero when the object ID count is non-zero. After the delete procedure 436 is run, an object deletion routine in the kernel deallocates the storage for the object's header and body. A null procedure is provided for use by object types which do not have a delete procedure.

The Shutdown field 428 points to a shutdown procedure 438. The shutdown procedure 438 is called once when an object type is permanently removed from the system, generally at system shutdown time. The purpose of this routine is to perform object type-specific shutdown operations. Among other things, this provides the opportunity to dump any statistics that may have been gathered relating to the object type.

Although not referenced in the OTD 400, there is a distinct object creation routine 440 for each object type, herein called CREATE.sub.-- XXXX where XXXX identifies the object type. The create routine 440 creates new instances of the object type, allocates space for the object body and its extensions, and also stores initial values and data structures in the object body.

Table 1 is a list of some of the object types used in the preferred embodiment and which are discussed in this specification.

                  TABLE 1
    ______________________________________
    OBJECT TYPES
    ______________________________________
    Container Directory
    Object Container
    User
    Job
    Process
    Thread
    Object Type Descriptor (OTD)
    Privileged Operation Object
    FPU - Function Processor Unit (device unit)
    Notification Object **Waitable Objects
    Synchronization Object
    Semaphore Object
    Timer Object
    ______________________________________

                  TABLE 2
    ______________________________________
    ACCESS MASK
    ______________________________________
    MASK
    BIT    ACCESS TYPE    DESCRIPTION
    ______________________________________
    01     READ           Read data from Object
    02     WRITE          Write data into Object
    03     DELETE         Delete Object
    04     WAIT           Wait for signaling of Object
    05     ALLOCATE       Allocates Object
    06     SET ACL        Sets/Changes ACL of Object
    07     SET NAME       Sets Name of Object
    08     SET OWNER      Sets Owner of Object
    09     GET INFO       Gets general information
                          about Object
    17-32  --             Object Specific Access Types
    EXAMPLE: QUEUE OBJECT
    17     ADD HEAD       Add item to Head of Queue
                          Object
    18     ADD TAIL       Add item to Tail of Queue
                          Object
    19     REMOVE HEAD    Remove item from Head of
                          Queue Object
    20     REMOVE TAIL    Remove item from Tail of
                          Queue Object
    EXAMPLE: OTD OBJECT
    17     CREATE OBJECT  Create Object of the type
                          specified by the OTD
    EXAMPLE: PRIVILEGED OPERATION OBJECT
    17     PERFORM        Perform Privileged Operation
           OPERATION
    ______________________________________