CA1055615A - Protection of information in a multiprogram multiprocessor computer system - Google Patents

Protection of information in a multiprogram multiprocessor computer system

Info

Publication number
CA1055615A
Authority
CA
Canada
Prior art keywords
segment
ring
ring number
address
register
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired
Application number
CA214,997A
Other languages
French (fr)
Other versions
CA214997S (en
Inventor
Philippe H. De Rivet
Marc Appell
Georges Lepicard
John J. Bradley
Benjamin S. Franklin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bull SA
Original Assignee
Bull SA

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1491 Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

ABSTRACT OF THE DISCLOSURE:
The present invention concerns an apparatus for protecting information stored in a virtual memory from unauthorized users by restricting accessibility to the information in accordance to levels of privilege. The protecting apparatus comprises, in combination with an access checking mechanism, first arrangements for storing in the virtual memory at least one segment table comprising a plurality of segment descriptors, each having a predetermined format containing an access information element and a base address element in predetermined positions of the format. A plurality of second arrangements, having a predetermined format, communicating with the first arrangements, for storing in a predetermined portion of the second arrangements, provide a segment number for identifying a segment table and the location of a segment descriptor within the segment table. The second arrangements also store an offset address within a segment identified by the segment descriptor. Third arrangements are responsive to an address syllable element of an instruction being executed for addressing one of the plurality of second arrangements. Fourth arrangements store a displacement from the address syllable. Fifth arrangements communicate with said first, second, third and fourth arrangements for adding the displacement and the base address to the offset. And sixth arrangements are responsive to the access information element in a selected one of the segment descriptors for restricting the accessibility to the segment associated with the selected one of the segment descriptors in accordance to the level of privilege and the type of access specified in the access information element.

Description

This invention relates generally to data processing systems and more particularly to information protection hardware and techniques.
Several schemes have been utilized in the past in order to protect information. Some of them are detailed by Robert M. Graham in a paper entitled "Protection in an Information Processing Utility", published in CACM (May 1968).
This type of memory protection is inadequate for present day multiprogramming systems because there is no provision for gradations of privilege or gradations of accessibility, and severely limits the control over access to information. There should be provisions for different access rights to the different types of information. A partial answer to this problem is found in the concept of a memory having a segment as the unit of information to which access is controlled. Varying degrees of access to each segment are possible by providing for different types of privileges attached to each segment such as master/slave, write/no-write and execute/no-execute. However, this method of protecting the privacy and integrity of information does not take into account the user of the information. Under this type of protection, privilege is not accorded the user but the information being provided. Hence a user if he has access at all to a segment has access similar to all other users who have access to the segment. David C. Evans and Jean Yves LeClerc in a paper entitled "Address Mapping and the Control of Access in an Interactive Computer," SJCC 1967, recognized the problem and attempted a solution. Evans and LeClerc said in that article p. 23, "The user of a computing system should be able to interact arbitrarily with the system, his own computing processes, and other users in a controlled manner. He should have access to a large information storage and retrieval system called the file system. The file system should allow access by all users to information in a way which permits selectively controlled privacy and security of information. A user should be able to partition his computation into semi-independent tasks having controlled communication and interaction among tasks. Such capability should reduce the human effort required to construct, debug, and modify programs and should make possible increased reliability of programs. The system should not arbitrarily limit the use of input/output equipment or limit input/output programming by the user." Evans and LeClerc proposed conditioning access rights on the procedure-in-execution. The segment, under their proposal, is still the unit of information to which access is controlled; however, a segment's access control attributes are recorded substantially in a user-name versus procedure tables whose entries are the access modes. Such a solution, however, has serious drawbacks. For one, the construction and updating of each segment's table of access control attributes presents a formidable task. For another, too many uses of the segment and event occurrences must be foreseen. To overcome this problem access control by procedure-set was suggested. Under this suggestion, related procedures are grouped into "sets of procedures" and access rights to segments is based on the identity of the set to which the procedure seeking access belongs. This method abbreviated the problem of constructing and updating each segment's voluminous tables of access control attributes, but introduced the problem of determining to which set a given procedure belonged, particularly when a procedure was or could be a member of many sets. This ambiguity in defining sets, and the possible transitions between sets makes the implementation of access control based on "sets of procedures" extremely difficult.
To overcome the difficulties encountered with the "set" technique a ring concept was developed. The ring concept groups the sets of procedures into rings that can unambiguously be ordered by increasing power or level of privilege. By assigning a collection of sets to a collection of concentric rings, and assigning numbers to each ring with the smallest ring having the smallest number and each succeeding larger ring having a progressively greater number, different levels of privilege can then be unambiguously assigned to the user of a segment. Under this concept the innermost ring having the smallest number assigned to it has the greatest privilege. Hence it can be postulated that users in the lowest ring number can access information having higher ring numbers, but users in a higher ring number cannot access information having lower ring numbers or can access information in a lower ring number only in a specified manner. This palpable change of power or level of privilege with a change in rings is a concept which overcomes the objections associated to a change of sets.
Multics (Multiplexed Information and Computing Service) is an operating system developed primarily by Massachusetts Institute of Technology, in cooperation with General Electric Co. and others which first utilized the ring theory of protection in software on a converted Honeywell 635 (a trademark) computer and later on a Honeywell 645 (a trademark) computer. The Multics philosophy utilizes 64 rings of protection numbered as rings 0-63 and is set forth generally in a paper entitled "Access Control to the Multics Virtual Memory" published by Honeywell Information Systems Inc. in the Multics Technical Papers, Order No. AG95, Rev. O.

A more detailed description of Multics ring protection is to be found on chapter 4 of a book entitled "The Multics System; An Examination of its Structure," by Elliott I. Organick, published by MIT Press, and also in the Multics System Programmers Manual 1969, MIT Project MAC. Briefly, the Multics system does not utilize a "pure ring protection strategy" but rather employs the "ring bracket protection strategy" wherein a user's access rights with respect to a given segment are encoded in an access-mode and a triple of ring number (r1, r2, r3) called the user's "ring brackets" for a given segment. A quotation from pages 137-139 from the Multics Technical Paper entitled, "Access Control to the Multics Virtual Memory" sets out the rules and conditions for using and changing rings.
This "ring protection concept" was first implemented with software techniques utilizing 64 separate rings. Subsequently an attempt was made to define a suitable hardware base for ring protection. The Honeywell 645 computer represents a first such attempt. The Honeywell 645 system differs from the "ringed hardware" concepts described supra in several respects which when taken together, add up to the fact that the Honeywell 645 is a 2-ring rather than a 64-ring machine, and has in lieu of a "ring register", a master mode and a slave mode, which imparts greater power to the processor when in master mode than when in slave mode. "The access control field of the 645's SDW (segment descriptor word) contains no information about rings; in particular it does not contain ring brackets. It does, however, contain either:
a) access-mode information possibly including either of the two descriptors;
- accessible in master mode only,
- master mode procedure;
b) the specification of one of eight special "directed" faults (traps) which is to occur whenever the segment descriptor words (SDW) is accessed.
"The procedure is only 'in master mode' when executing a procedure whose SDW indicates a 'master mode procedure'. The processor may enter master mode while executing a slave mode procedure by:
- faulting,
- taking an interrupt".
"The 645 processor's access control machinery interprets the SDW during the addressing cycle and causes the appropriate action to occur depending on the SDW and (usually) on the attempted access, as follows:
a. If the SDW implies a particular "directed fault", then that fault occurs.
b. Otherwise, if the SDW does not permit the attempted access, the appropriate access violation fault occurs.
c. Otherwise, the SDW permits the attempted access and the access is performed.
"When a fault occurs, the 645 enters master mode and transfers control to the appropriate master mode fault handling procedure". ("Access Control to the Multics Virtual Memory" supra, pps. 157-158).
Another paper by Michael D. Schroeder and Jerome H. Saltzer entitled "A Hardware Architecture for Implementing Protection Rings" published in Communications of the ACM, March 1972 Vol. 15, No. 3, sets forth background and theory of ring protection and describes a hardware implementation of "ring protection".
Because the Multics and Honeywell 645 version of ring protection was implemented mainly in software, considerable operating system supervisor overhead was entailed particularly when calls to greater or lesser power were made by trapping to a supervisor procedure. What was required was an access control mechanism which had the functional capability to perform effectively its information protection function, was relatively simple in operation, was economic to build, operate and maintain, and did not restrict programming generality. The Honeywell 6000 computer system met these requirements by implementing most of the ring protection mechanism in hardware. Hence special access checking logic, integrated with the segmented addressing hardware was provided to validate each virtual memory reference, and also some special instructions for changing the ring of execution. However, certain portions of the ring system particularly outward calls and returns or calls to a lesser power and returns therefrom presented problems which required the ring protection function to be performed by transferring control to a supervisor. What is now needed are further improvements in hardware and techniques that will permit a full implementation of ring protection in hardware/firmware and will meet the criteria of functional capability, economy, simplicity and programming generality.
Therefore, the present invention concerns, in an internally programmed data processing apparatus having a virtual memory, and being responsive to internally stored instruction words for processing information and having stored in said virtual memory a plurality of different types of groups of information each information group-type associated with an address space bounded by a segment having adjustable bounds, an apparatus for protecting the information in said virtual memory from unauthorized users by restricting accessibility to the information in accordance to levels of privilege, characterized in that it comprises in combination with an access checking mechanism:
(a) first means for storing in said virtual memory at least one segment table comprising a plurality of segment descriptors with each segment descriptor being associated with a predetermined one of said segments and each segment descriptor having a predetermined format containing an access information element and a base address element in predetermined positions of said format, said base address element for locating in said virtual memory the starting location of a selected one of said segments, and said access information element for specifying the minimum level of privilege required for a predetermined type of access that is permitted in a selected one of said segments;
(b) a plurality of second means having a predetermined format, communicating with said first means, for storing in a predetermined portion of said second means, a segment number SEG for identifying a segment table and the location of a segment descriptor within said segment table, said second means also for storing, in a predetermined other portion of said second means, an offset address within the segment identified by said segment descriptor said offset address for locating from said segment base the first byte of a word within said segment;
(c) third means responsive to an address syllable element of an instruction being executed for addressing one of said plurality of second means;
(d) a fourth means for storing a displacement D from said address syllable, said displacement D for locating from the first byte of said word within said segment any other byte of said word;
(e) fifth means, communicating with said first, second, third and fourth means, for adding the displacement D and said base address to said offset; and,
(f) sixth means responsive to said access information element in a selected one of said segment descriptors for restricting the accessibility to the segment associated with said selected one of said segment descriptors in accordance to the level of privilege and the type of access specified in said access information element.
Preferred embodiments of the present invention will be hereinafter described with reference to the accompanying drawings, wherein
Figure 1 is a block diagram of a computer system utilizing the invention.
Figure 2 is a schematic diagram illustrating the levels of privilege of the invention.
Figure 3 is a flow diagram of the segmented address scheme utilized by the invention.
Figures 4A-4J are schematic diagrams of various novel hardware structures utilized in the invention.
Figure 5 is a schematic diagram of the computer ring protection hardware.
Figure 6 is a schematic diagram of the computer segmented addressing hardware.
Figures 7a-7h and Figures 8a-8d are detailed logic block diagrams of the ring protection hardware.
Figures 9a-9k is the legend of symbols utilized in the diagrams of the invention.
Figure 10 is a schematic diagram of three stack segments, one each for ring 0, 1 and 3 respectively.
Figure 11A shows the format of the Enter Procedure instruction.
Figure 11B shows the format of a procedure descriptor.
Figure 11C shows the format of a gating procedure descriptor GPD the first word of the segment containing the procedure descriptors.
Figure 11D shows the format of the Exit Procedure instruction.
Figure 12 is a flow diagram of a portion of the Enter Instruction pertaining to ring crossing and ring checking.
Figure 13 schematically shows a segment descriptor and the segment containing procedure descriptors.
Figures 14-16 are flow diagrams showing various operations that are performed when the Enter Procedure instruction is executed.
Figure 17 is a flow chart of the Exit instruction.
As previously discussed the ring concept of information protection was originated on MULTICS and implemented on various Honeywell Computer Systems. The original MULTICS concept required 64 rings or level of privilege and later implementation had the equivalent of two rings on the Honeywell 645 and 8 rings on the Honeywell 6000. The instant invention groups data and procedure segments in the system into a hierarchy of 4 rings or classes. (Refer to Figure 2). The 4 rings or privilege levels are identified by integers 0-3; each ring represents a level of privilege in the system with level 0 having the most privilege and level 3 the least. Level 0 is known as the inner ring and level 3 as the outer ring. The basic notion as previously discussed is that a procedure belonging to an inner ring has free access to data in an outer ring. Conversely a procedure in an outer ring cannot access data in an inner ring without incurring a protection violation exception. Transfer of control among procedures is monitored by a protection mechanism such that a procedure execution in an outer ring cannot directly branch to a procedure in an inner ring. This type of control transfer is possible only by execution of a special "procedure-call" instruction. This instruction is protected against misuse in a number of ways. First, a gating mechanism is available to insure that procedures are entered only at planned entry points called gates when crossing rings. The segment descriptor of such a procedure contains a gate bit indicating that procedure in this segment can be entered only via gates; information regarding these gates is contained at the beginning of the segment and is used by the hardware to cause entry at a legal entry-point. The procedure itself must then verify (in a way which, of necessity depends on the function of the procedure) that it is being legitimately called. A further hardware protection mechanism is available in the case that the calling procedure supplies an address as a parameter; it is then possible that the more privileged procedure would invalidly modify information at this address which the less privileged caller could not have done, since the ring mechanism would have denied him access; an address validation instruction is available to avoid this possibility.
An important convention is required here in order to protect the procedure call mechanism. This states that it is not in general permissible to use this mechanism to call a procedure in a less privileged ring and return to the more privileged one. This restriction is necessary since there is no assurance that the procedure in the higher ring will, in fact, return; that it will not, accidentally or maliciously, destroy information that the more privileged procedure is relying upon; or that it will not, accidentally or maliciously, violate the security of the stack (see GLOSSARY for definition). Any of these could lead to unpredictable results and crash the system.
The levels of privilege are quite independent of the process control mechanism and there is no notion here of privileged and non-privileged processes as in the IBM (a trademark) system 360. Instead the same process can execute procedures at different levels of privilege (rings) subject to the restrictions imposed by the ring mechanism. In this sense the ring mechanism can be viewed as a method for subdividing the total address space assigned to a process according to level of privilege.
The ring mechanism defined herein permits the same segment to belong up to 3 different rings at the same time i.e. there are 3 ring numbers in each segment descriptor, one for each type of possible access. Thus the same segment can be in ring one with respect to "write" access, ring two with respect to "execute" access and ring three with respect to "read" access. One obvious use for this is in the case of a procedure segment which can be written only by ring zero (perhaps the loader) but can be executed in ring three.
Of the four available rings, two are allocated to the operating system and two to users. Ring zero, the most privileged ring, is restricted to those operating system segments which are critical to the operation of the whole system. These segments form the hard core whose correctness at all times is vital to avoid disaster. Included would be the system information base, those procedures dealing with the organization of physical memory or the initiation of physical data transfer operations, and the mechanisms which make the system function, like the "exception supervisor, the scheduler, and the resource management".
Ring one contains a much greater volume of operating system segments whose failure would not lead to catastrophe but would allow recovery. Included herein are the language translators, data and message management, and job and process management. Through the availability of two rings for the operating system, the problem of maintaining system integrity is made more tractable, since the smaller hard core which is critical is isolated and can be most carefully protected.
Rings three and four are available to the user to assign according to his requirement. Two important possibilities are debugging and proprietary packages. Programs being debugged may be assigned to ring four while checked out programs and data with which they work may be in ring 3; in this way the effect of errors may be localized. Proprietary programs may be protected from their users by being placed in ring 3 while the latter occupy ring four. In these and other ways, these two rings may be flexibly used in applications.
The General Rules of the Ring System
1. A procedure in an inner ring such as ring 2 on Figure 2 has free access to data in an outer ring such as ring and a legal access (arrow 201) results. Conversely a procedure in an outer ring such as ring 3 cannot access data in an inner ring such as ring 2 and an attempt to do so results in an illegal access (arrow 202).
2. A procedure in an outer ring such as ring 3 can branch to an inner ring such as ring 1 via gate 204 which results in a legal branch 203, but a procedure operating in an inner ring such as ring 2 may not branch to an outer ring such as ring 3.
3. Each segment containing data is assigned 2 ring values, one for read (RD) and one for write (WR). These ring values specify the maximum ring value in which a procedure may execute when accessing the data in either the read or write mode.
Each time a procedure instruction is executed, the procedure's ring number (effective address ring, EAR) is checked against the ring numbers assigned to the segment containing the referenced data. The EAR is the maximum number of process ring numbers in the processor instruction counter (see later description) and all ring numbers in base registers and data descriptors found in the addressing path. Access to the data is granted or denied based on a comparison of the ring numbers.
For example, if a system table exists in a segment having a maximum read/ring value of 3 and a maximum write/ring value of 1, then a user procedure executing in ring 3 may read the table but may not update the table by writing therein.
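The EAR computation and the read/write comparison described above can be modelled in a few lines of C. This is an added illustration, not code from the patent; the structure, field and function names and the sample values are assumptions. It also covers a case the system-table example does not: a ring 0 procedure that addresses the table through a base register carrying ring number 3 gets EAR 3, so its write is refused.

```c
#include <stddef.h>
#include <stdio.h>

enum access_type { ACC_READ, ACC_WRITE };
enum verdict { ACCESS_GRANTED, PROTECTION_VIOLATION };

/* Per-segment ring values from rule 3: the highest ring number that may
 * read (RD) or write (WR) the segment. Field names are assumptions. */
struct seg_desc {
    unsigned rd_ring;
    unsigned wr_ring;
};

/* EAR: the maximum of the ring number in the instruction counter and of
 * every ring number found in base registers and data descriptors on the
 * addressing path. */
unsigned effective_address_ring(unsigned ic_ring,
                                const unsigned *path_rings, size_t n)
{
    unsigned ear = ic_ring;
    for (size_t i = 0; i < n; i++) {
        if (path_rings[i] > ear)
            ear = path_rings[i];
    }
    return ear;
}

/* Access is granted only when the EAR does not exceed the ring value the
 * segment descriptor holds for the requested type of access. */
enum verdict check_access(const struct seg_desc *sd, unsigned ear,
                          enum access_type type)
{
    unsigned limit = (type == ACC_READ) ? sd->rd_ring : sd->wr_ring;
    return (ear <= limit) ? ACCESS_GRANTED : PROTECTION_VIOLATION;
}

/* Constructed sample data: the system table from the text (read ring 3,
 * write ring 1) and an addressing path with one base register that
 * carries ring number 3. */
const struct seg_desc SYSTEM_TABLE = { 3, 1 };
const unsigned RING3_BASE_REG[] = { 3 };

static const char *name(enum verdict v)
{
    return v == ACCESS_GRANTED ? "granted" : "protection violation";
}

int main(void)
{
    unsigned ear;

    ear = effective_address_ring(3, NULL, 0);
    printf("ring 3 read : %s\n", name(check_access(&SYSTEM_TABLE, ear, ACC_READ)));
    printf("ring 3 write: %s\n", name(check_access(&SYSTEM_TABLE, ear, ACC_WRITE)));

    ear = effective_address_ring(0, NULL, 0);
    printf("ring 0 write: %s\n", name(check_access(&SYSTEM_TABLE, ear, ACC_WRITE)));

    /* Ring 0 code, but the address came through a ring 3 base register. */
    ear = effective_address_ring(0, RING3_BASE_REG, 1);
    printf("ring 0 write via ring 3 base register (EAR %u): %s\n",
           ear, name(check_access(&SYSTEM_TABLE, ear, ACC_WRITE)));
    return 0;
}
```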
Procedure calls and the Stack Mechanism:
The procedure call and stack mechanism is an important mechanism utilized by the ring protection mechanism of the instant invention. Procedure calls are used to pass from one procedure to another; to allow user procedures to employ operating system services; and to achieve a modular structure within the operating system. A procedure call is effected by instructions and a hardware recognized entity called a stack.
A stack is a mechanism that accepts, stores and allows retrieval of data on a last-in-first-out basis. Stacks reside in special segments called stack segments. A stack segment consists of a number of contiguous parts called stack frames which are dynamically allocated to each procedure. The first stack frame is loaded into the low end of the segment and succeeding frames are loaded after it. The last frame loaded is considered the top of the stack. A T-register 114 (see Figure 1) locates the top of the stack for the currently active process. A virtual T-register exists in the process control block (PCB) of all other processes in the system.
A stack frame consists of three areas: a work area in which to store variables, a save area in which to save the contents of registers, and a communications area in which to pass parameters between procedures. Prior to a procedure call, the user must specify those registers he wishes saved and he must load into the communications area the parameters to be passed to the called procedure. When the call is made, the hardware saves the contents of the instruction counter and specified base registers to facilitate a return from the called procedure.
Each procedure call creates a stack frame within a stack segment and subsequent method calls create additional frames. Each exit from one of these called procedures causes a stack frame to be deleted from the stack. Thus, a history of calls is maintained which facilitates orderly returns.
To insure protection between procedures executing in different rings, different stack segments are used. There is one stack segment corresponding to each protection ring per process. A process control block (PCB) contains three stack base words (SBW) which point to the start of the stack segment for rings 0, 1 and 2 associated with the process. The ring 3 stack segment can never be entered by an inward call; therefore, its stack starting address is not required in the PCB.
The procedure call is used by users who have written their programs in a modular way to pass from one program module to another. It is used by user programs to avail themselves of operating system services. It is used by the operating system itself to achieve a responsive modular structure. The procedure call is effected by hardware instructions and the hardware recognizable stack mechanism.
The main requirements on a procedure call mechanism are:
1. Check the caller's right to call the callee;
2. Save the status of the caller which includes saving registers, instruction counter (for return), and other status bits;
3. Allow for the passing of parameters;
4. Determine valid entry point for the called procedure;
5. Make any necessary adjustments in the addressing mechanism;
6. Enter the new procedure.
When the called procedure terminates or exits, whatever was done in the call must be undone so that the status of the calling procedure is restored to what it was before the call.
As a preliminary to making a procedure call, the instruction PREPARE STACK is executed. This instruction causes those registers specified by the programmer in the instruction to be saved in the stack. It causes the status register (see Figure 1) to be saved, and provides the programmer with a pointer to parameter space which he may now load with information to be passed to the called procedure.
Another instruction ENTER PROCEDURE permits the procedure call via the following steps corresponding to the requirement specified above:
1. Ring checking--the caller's ring is checked to make sure that this ring may call the new procedure; the call must be to a smaller or equal ring number; and if ring crossing does occur the new procedure must be gated through a gate 204 of Figure 2. The new ring number will then be that of the called procedure.
2. The instruction counter is saved;
3. Base register 0 (see Figure 1) is made to point effectively to the parameters being passed;
4. The entry-point of the called procedure is obtained from a procedure descriptor whose address is contained in the ENTER PROCEDURE instruction;
5. A pointer to linkage information is loaded in base register number 7;
6. The new procedure is entered by loading the new ring number and the address of the entry-point in the instruction counter.
The remainder of the current stack-frame is also available to the called procedure for storage of local variables.
When the called procedure wishes to return, it executes the instruction EXIT PROCEDURE. The registers and the instruction counter are then restored from their saving areas in the stack.
Referring to Figure 1 there is shown a block diagram of a computer hardware system utilizing the invention. A main memory 101 is comprised of four modules of metal-oxide semiconductor (MOS) memory. The four memory modules 1-4 are interfaced to the central processor unit 100 via the main store sequencer 102. The four main memory modules 1-4 are also interfaced to the peripheral subsystem such as magnetic tape units and disk drive units (not shown) via the main store sequencer 102 and the IOC (not shown). The main store sequencer gives the capability of providing access to and control of all four memory modules.
Operations of the CPU are controlled by a read only memory, ROM, herein called the control store unit 110.

The control store interface adapter 109 communicates with the control store unit 110, the data management unit 106, the address control unit 107 and the arithmetic logic unit 112 for directing the operation of the control store memory. The control store interface adapter 109 includes logic for control store address modification, testing, error checking, and hardware address generation. Hardware address generation is utilized generally for developing the starting address of error sequencers or for the initialization sequence.
The buffer store memory 104 is utilized to store the most frequently used or most recently used information that is being processed by the CPU.
The data management unit 106 provides the interface between the CPU 100 and main memory 101, and/or buffer store memory 104. During a memory read operation, information may be retrieved from main memory or buffer store memory. It is the responsibility of the data management unit to recognize which unit contains the information and strobe the information into the CPU registers at the proper time. The data management unit also performs the masking during partial write operations.
The instruction fetch unit 108 which interfaces with the data management unit 106, the address control unit 107, the arithmetic and logic unit 112 and the control store unit 110 is responsible for keeping the CPU 100 supplied with instructions.
The address control unit 107 communicates with the instruction fetch unit 108, the buffer store directory 105, the main store sequencer 102, the arithmetic logic unit 112, the data management unit 106, and the control store unit 110 via the control store interface adapter 109. The address control unit 107 is responsible for all address development in the CPU.

Interfacing with the address control unit 107, the instruction fetch unit 108 and the control store unit 110 is the arithmetic logic unit 112 which is the primary work area of the CPU 100. Its primary function is to perform the arithmetic operations and data manipulations required of the CPU. Associated with the arithmetic logic unit 112 and the control store unit 110 is the local store unit 111 which typically is comprised of a 256-location (32 bits per location) solid state memory and the selection and read/write logic for the memory. The local store memory 111 is used to store CPU control information and maintainability information. In addition, the local store memory 111 contains working locations which are primarily used for temporary storage of operands and partial results during data manipulation.
The central processing unit 100 typically contains 8 base registers (BR) 116 which are used in the process of address computation to define a segment number, an offset, and a ring number. The offset is a pointer within the segment and the ring number is used in the address validity calculation to determine access rights for a particular reference to a segment.
The instruction counter 118 communicates with the main memory local register (MLR) 103 and with the instruction fetch unit 108, and is a 32-bit register which contains the address of the next instruction, and the current ring number of the process (PRN). Also contained in the central processing unit is a T register 114 which also interfaces with the instruction fetch unit 108 and is typically a 32-bit register containing a segment number and a 16-bit or 22-bit positive integer defining the relative address of the top of the procedure stack. The status register 115 is an 8-bit register in the CPU which among other things contains the last ring number--i.e. the previous value of the process ring number (PRN).
The main memory 101 is addressed by the memory address register (MAR) 119, and the information addressed by (MAR) 119 is fetched and temporarily stored in the memory local register (MLR) 103.
Referring now to Figure 3 there is shown a flow diagram of the general rules for segmented address development. That Figure 3 is self-explanatory and advocates the use of as many as 16 levels of indirection in the address development.
Referring now to Figures 4A-4J, Figures 4A and 4B show the format of the instruction counter designated by reference numeral 118 on Figure 1. The instruction counter (IC) 118 is a 32-bit register which contains the address of the next instruction, and the current ring number of the process (PRN). Referring specifically to Figures 4A and 4B the TAG is a 2-bit field which corresponds to the TAG field of data descriptors shown and described in the above-referenced application entitled Segmented Address Development. PRN is a 2-bit field which defines the current ring number of the process to be used in determination of access rights to main storage. SEG is typically either a 12-bit or a 6-bit field which defines the segment number where instructions are being executed. The OFFSET is typically either a 16-bit or a 22-bit field which defines the address of the instruction within the segment SEG.
Figures 4C-4F show the format of segment descriptors with Figures 4C and 4D showing the first and second word of a direct segment descriptor whereas Figures 4E and 4F show the first and second word of an indirect segment descriptor. Segment descriptors are two words long each word comprised of 32 bits. Referring to Figures 4C-4D which show the first and second word respectively of a direct segment descriptor, P is a presence bit. If P equals one, the segment defined by the segment descriptor is present in main storage. If P equals zero, the segment is not present and a reference to the segment descriptor causes a missing segment exception. All other fields in a segment descriptor have meaning only if P equals one. A is the availability bit. If A equals zero, the segment is unavailable (or locked) and a reference to the segment causes an unavailable segment exception. If A equals one, the segment is available (or unlocked, and can be accessed). I is the indirection bit. If I equals zero, the segment descriptor is direct. If I equals one, the segment descriptor is indirect. U is the used bit. If U equals zero, the segment has not been accessed. If U equals one, the segment has been accessed. U is set equal to one by any segment access. W is the written bit. If W equals zero, no write operation has been performed on the segment. If W equals one, a WRITE operation has been performed on the segment. W is set to one by any WRITE operation. GS is the gating-semaphore bits. When the procedure call mechanism referred to above requires that the segment be a gating segment or when the process communication mechanism (not shown) requires that the segment be a segment descriptor segment (SD) the GS bits are examined. To be a valid gating segment, the GS bits must have the value 10. To be a valid SD segment, the GS bits must have the value 01. If a gating or SD segment is not required, these bits are ignored.
The BASE is a 24-bit field which defines the absolute address in quadruple words of the first byte of the segment. This field is multiplied by 16 to compute the byte address of the segment base. The SIZE is a field which is used to compute the segment size. If the STN is greater or equal to zero but less than or equal to six, the SIZE field is 18 bits long. If the STN is greater than or equal to 8 but less than or equal to 15, the SIZE field is 12 bits long. The number of bytes in the segment is equal to 16 times (SIZE + 1). If SIZE equals zero, the segment size is 16 bytes. RD is the read access field. This is a 2-bit field which specifies the maximum EAR (effective address ring number) for which a read operation is permitted on the segment. (A procedure is always permitted to read its own segment if EAR equals PRN.) WR is the write access field. This is a 2-bit field which specifies the maximum EAR for which a write operation is permitted on the segment and the minimum PRN at which the segment may be executed. MAXR is the maximum ring number. This is a 2-bit field which specifies the maximum PRN at which the segment may be executed. WP is the write permission bit. This bit indicates whether a WRITE operation may be performed on the segment. If WP equals zero, no WRITE operation may be performed. If WP equals one, a WRITE operation may be performed if EAR is greater than or equal to zero but less than or equal to WR. EP is the execute permission bit. This bit specifies whether the segment may be executed. If EP equals zero, the segment may not be executed. If EP equals one, the segment may be executed at any PRN for which PRN is greater than or equal to WR but less than or equal to MAXR. MBZ is a special field which must be set to zero by software when the field is created, before its initial use by hardware.
Referring to Figures 4E-4F the definitions of the various fields are similar as above however word 0 includes a LOCATION field and word 1 includes a RSU field. The LOCATION field is a 28-bit field which defines the absolute address of a direct segment descriptor. The value in the LOCATION field must be a multiple of 8. The RSU field is a special field which is reserved for software use.
Figures 4G-4H show the format of the base registers (BR) which are used in the process of address computation to define a segment table number, a segment table entry number, an offset, and a ring number. There are typically 8 base registers as shown by reference numeral 116 on Figure 1. A base register is specified or identified as base register 0 through 7. The size of a base register is 32 bits long. The base register format of Figure 4G is utilized for small segments i.e. where STN is greater or equal to 8 but less than or equal to 15, whereas the format of base register of Figure 4H is utilized for large segments i.e. STN is greater or equal to zero but less than or equal to six. Referring to Figures 4G-4H, TAG is a 2-bit field which corresponds to the TAG of a data descriptor referenced previously. RING is a 2-bit field which contains the ring number associated with the segmented address for protection purposes. SEG is a field previously referred to, which identifies a segment described in a segment table. STN is the segment table number, and STE is the segment table entry number. OFFSET is a 16-bit field or a 22-bit field depending on segment table number, which defines a positive integer. The OFFSET is used in the process of address development as a pointer within a segment.

Referring to Figures 4I-4J there is shown the format of the T-register. The T-register is a 32-bit register containing a segment number and a 16-bit or 22-bit positive integer defining the relative address of the top of the procedure stack previously mentioned. The T-register is shown by reference numeral 114 on Figure 1. The various fields of the T-register have the same definition as described above.
Referring now to Figures 3 and 4A-4J a more detailed description of absolute address calculation and access checking is made. In general, absolute address calculation consists of fetching a segment descriptor specified by STN and STE and using the segment descriptors in four ways: access checking, computation of the absolute address, bound checking, and updating (U and W flags). The absolute address may be direct or indirect and is derived by first deriving an effective address from STN, STE, and SRA (segment relative address). STN is extracted from bits 4 through 8 of the base register BR specified in the address syllable of an instruction. If STN is 7, an out of segment table word array exception is generated. STE is extracted from the base register specified in the address syllable. If STN 4:4 (i.e. beginning at bit 4 and including the next 4 bits) is greater than or equal to zero but less than or equal to six, STE is in a base register BR bits 8 and 9. If STN 4:4 (i.e. 4 bits beginning at bit 4) is greater than or equal to 8 but less than or equal to 15, STE is in a base register BR bits 8 through 15. The segment relative address SRA for direct addressing is computed by adding the displacement in the address syllable; the offset of the base register BR; and the 32-bit contents of an index register, if specified in the address syllable. The sum of these three quantities is a 32-bit unsigned binary integer which must be less than the segment size appropriate to the segment STN, STE.
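The direct-addressing path just described (base register decode, bound check, absolute address, U and W update) can be followed in the added C sketch below, which is not part of the patent. It assumes bit 0 is the most significant bit of a 32-bit word; the struct layouts, function names and sample values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: bit 0 is the most significant bit of a 32-bit word. */
static uint32_t field(uint32_t word, unsigned first_bit, unsigned width)
{
    return (word >> (32u - first_bit - width)) & ((1u << width) - 1u);
}

typedef enum {
    ADDR_OK,
    ADDR_OUT_OF_SEGMENT_TABLE,  /* STN == 7 */
    ADDR_MISSING_SEGMENT,       /* P == 0 */
    ADDR_UNAVAILABLE_SEGMENT,   /* A == 0 */
    ADDR_OUT_OF_BOUNDS          /* SRA not less than the segment size */
} addr_status;

typedef struct {
    unsigned tag, ring, stn, ste;
    uint32_t offset;
} base_register;

/* Hypothetical unpacked view of the descriptor fields used here. */
typedef struct {
    bool p, a;      /* presence and availability bits */
    uint32_t base;  /* 24-bit BASE, in units of 16 bytes */
    uint32_t size;  /* SIZE field: segment holds 16 * (SIZE + 1) bytes */
    bool u, w;      /* used and written flags */
} segment_descriptor;

/* Split a base register into TAG, RING, STN, STE and OFFSET. */
addr_status decode_base_register(uint32_t word, base_register *br)
{
    br->tag = field(word, 0, 2);
    br->ring = field(word, 2, 2);
    br->stn = field(word, 4, 4);
    br->ste = 0;
    br->offset = 0;
    if (br->stn == 7)
        return ADDR_OUT_OF_SEGMENT_TABLE;
    if (br->stn <= 6) {                    /* large segment: 2-bit STE */
        br->ste = field(word, 8, 2);
        br->offset = field(word, 10, 22);
    } else {                               /* small segment: 8-bit STE */
        br->ste = field(word, 8, 8);
        br->offset = field(word, 16, 16);
    }
    return ADDR_OK;
}

uint32_t segment_bytes(const segment_descriptor *sd)
{
    return 16u * (sd->size + 1u);
}

/* SRA = displacement + base register offset + index, bound-checked. */
addr_status absolute_address(segment_descriptor *sd, const base_register *br,
                             uint32_t displacement, uint32_t index,
                             bool is_write, uint32_t *absolute)
{
    if (!sd->p)
        return ADDR_MISSING_SEGMENT;
    if (!sd->a)
        return ADDR_UNAVAILABLE_SEGMENT;
    /* Summed in 64 bits (a choice made in this sketch) so that a sum
       wrapping past 32 bits cannot slip under the bound check. */
    uint64_t sra = (uint64_t)displacement + br->offset + index;
    if (sra >= segment_bytes(sd))
        return ADDR_OUT_OF_BOUNDS;
    sd->u = true;                          /* any access sets U */
    if (is_write)
        sd->w = true;                      /* any write sets W */
    *absolute = sd->base * 16u + (uint32_t)sra;
    return ADDR_OK;
}

int main(void)
{
    /* Constructed sample: RING=2, STN=9, STE=0x2A, OFFSET=0x0100. */
    base_register br;
    segment_descriptor sd = { .p = true, .a = true, .base = 0x1000, .size = 0x1F };
    uint32_t addr = 0;

    decode_base_register(0x292A0100u, &br);
    addr_status st = absolute_address(&sd, &br, 0x10, 0, false, &addr);
    printf("status=%d ring=%u stn=%u ste=0x%X absolute=0x%X\n",
           (int)st, br.ring, br.stn, br.ste, (unsigned)addr);
    return 0;
}
```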

Indirect addressing is developed by fetching a data descriptor and developing an address from that descriptor. The effective address of the data descriptor is computed as in the direct addressing case with the exception that the index register contents are not used. In developing the address from the data descriptor the effective address may be computed by an indirection to segment ITS descriptor and an indirection to base ITBB descriptor. If the descriptor is ITS the STN and STE are extracted from the descriptor in the same manner as from a base register. SRA is computed by adding the displacement in the descriptor and the contents of an index register as specified in the syllable. If the descriptor is an ITBB descriptor then STN and STE are extracted from the base register specified in the BBR field (i.e. the base register implied by ITBB descriptor) of the descriptor as in direct addressing. SRA is computed by adding the displacement in the descriptor, the offset of the base register, and the contents of an index register if specified in the address syllable. As shown on Figure 3 the indirection process may be extended up to 16 levels.
Every effective address contains protection information which is computed in address development and checked for access rights by the ring protection hardware of the absolute address calculation mechanism. The effective address contains protection information in the form of an effective address ring number EAR. The EAR is computed from the base register ring number BRN and from the current process ring number PRN by taking the maximum ring number. In developing the EAR for indirect addressing a somewhat more tedious but essentially similar procedure is used. In indirect addressing the EAR for extraction of the first descriptor (EAR 1) is once again the maximum of the ring number from the base register specified in the address syllable and the current process ring number PRN in the instruction counter 118 of Figure 1 and stored in UO register 512 of Figure 5. The EAR for extraction of the second descriptor (EAR 2), of multiple level indirection is the maximum of:
a. EAR 1;
b. The ring number in the first descriptor if indirection is indirection to segment;
c. The ring number from a base register 116 utilized as a data base register BBR if the first descriptor is an indirect to segment descriptor ITBB.
The EAR for extraction of the data of multiple level indirection is the maximum of:
a. EAR 2;
b. The ring number in the second descriptor if it is an indirection segment descriptor ITS;
c. The ring number in one of the base registers utilized as a data base register BBR if the second descriptor is an indirection to base descriptor ITBB.
Referring now to Figures 5 and 6, the transfers and manipulation of the various type ring numbers will be described at the system level. Detailed logic block diagrams for effecting the transfers and operations of Figure 5 will be later described. Referring first to Figure 6 an associative memory 600 is utilized in segmented address development. The associative memory 600 comprises essentially a UAS associator 609 which has circuitry which includes associative memory cells, bit sense amplifiers and drivers, and word sense amplifiers and drivers (not shown). A word or any part of a word contained in UAS associator 609 may be read, compared to another word with a match or no match signal generated thereby, or be written either in whole or in a selected part of the associator 609. For example, US register 607 may contain a segment number which may also be in the associative memory 600. A comparison is made with UAS associator 609 and if a match is found a "hit" results. The match or "hit" signal is provided to encoder 610. The function of encoder 610 is to transform the "hit" signal on one of the match lines to a 4 bit address. Encoder 610 provides this 4 bit address to UAB associator buffer 611 so that the information contained in that particular location of UAB associator buffer 611 is selected. Information in UAB associator buffer 611 may be transferred to UV register 613 for temporary storage or for transfer to QA or QB bus 614 and 615 respectively. By thus locating a prestored segment number in the associative memory 600 (which may have been placed there after a generation of an absolute address) regeneration of the same address is not necessary. In the drawing of Figure 6, UAB associator buffer 611 is shown as storing a first and second word of a segment descriptor; however other types of information may just as well be stored therein.
Briefly and with reference to Figure 6 any of 8 base registers 602 are addressed via UG and UH registers 603 and 604 respectively which contain base register addresses from an instruction address syllable or base register specified by the instruction formats. The base registers 602 contain such information as TAG, base register ring number BRN, segment table number STN, segment table entry STE and OFFSET as shown or contained by base registers 1 and 2 of the group of base registers 602. Writing into the base registers is performed under micro-op control by logic 601. For example it is shown that information from the UM register 502 of Figure 5 may be written into bit positions (2, 3) of a selected base register; also information from the QA bus may be written into the base registers and provisions are made to clear a selected base register i.e. write all zeroes. Reading out of any of the base registers is performed by UBR logic 605. In general the UBR logic 605 permits the appropriate base register to be strobed out onto bus QA or QB, or into UN register 608. Note that UN register 608 holds bits 8 through 31 of the base registers which is the OFFSET part of the segmented address. Moreover UBR logic 605 when addressed by an address contained in instruction buffer IB (not shown) reads out the segment number SEG (which is comprised of STN and STE) into US register 607 via UBS transfer logic 606. The comparison of the segment number SEG in US register 607 with the associative memory 600 may then be performed as previously described. It will be noted that bits (4-15) of QA bus 614 may also be read into or from US register 607. Similarly bits (8-31) from QA bus 614 may read into UN register 608. Also bits (9-11) of US register 607 may be read into QA bus 614 as denoted by US (9-11) arrow (the arrows into various register and/or logic circuitry denote the source of data and that followed by a number denote the bit numbers of that data).
Referring now to Figures 5 and 6, a 2-bit UP register 501 stores the current process ring number PRN. The current process ring number PRN is obtained from bits 2 and 3 of the instruction counter (118 of Figure 1) via bits IC (2-3) of the QA bus 614 of Figure 6. Bits IC (2-3) of QA bus 614 are transferred to 2-bit UV register 503 under control of a micro-operation UV9QA0. The micro-operations are obtained from micro-instructions in the control store unit 110. (On Figure 5 the dot surrounded by a circle indicates a micro-operation and the first two letters of the name of the micro-operation indicate the destination of the data to be transferred; the fourth and fifth letters indicate the source of the data transferred; the third character indicates whether a full or partial transfer is made with F indicating a full transfer while the sixth character indicates whether the signal doing the transferring is high or low with even numbers indicating a low signal and odd numbers indicating a high signal. As an example of the use of this convention bits 2 and 3 on QA bus indicating the tail of the arrow QA (2, 3) indicate that the PRN process ring number is being transferred under control of the micro-op UV9QA0 which says the transfer is made to register UV, is a partial transfer of the bus QA, and the source of the data is the bus QA and is an unconditional transfer as indicated by the sixth character being 0. Transfer to UV register from QA bus source is unconditional. This 0 will be the corresponding seventh character in the logic file name of the subcommand UV9QA10.) Once the process ring number PRN is transferred from the QA bus 614 to the UV register 503 another transfer takes place under control of micro-operation UM9UV0 from UV register 503 to UM register 502. Finally another transfer takes place from UM register 502 to UP register 501 under control of a micro-operation UP9UM0.
Two bit register UM 502 is utilized to generate the effective address ring number EAR during ITS and ITBB (i.e. indirection to segment and indirection to base), EAR = MAX (BRN, PRN, DRN, BBR (BRN) etc.) address formation for address syllable 1 and address syllable 2 type instruction format. The EAR is generated according to the rules previously enunciated by utilizing one or more tests shown in block 510 and the maximum of the ring number is obtained and stored in UM register 502 which stores the effective address ring number EAR (detailed logic for making the comparisons of block 510 are later shown and described in detail). The UO register is used to save address syllable 1 effective address ring number EAR in the event the address syllable 2 is being utilized to extract EAR 2.
Two-bit UV register 503, and 2-bit UW register 504 is utilized mainly as storage for various ring numbers that are obtained from the outside of the ring checking hardware of Figure 5 and transferred or processed, to other parts of the ring checking hardware. For example the base register ring number BRN is transferred from bit positions 2 and 3 of UBS transfer logic 606 to UV register 503 under control of the micro-operation UV9BS0; the maximum ring number MAXR of word 2 of the segment descriptor (also shown stored in bits 36 and 37 of UAB associator buffer 611) is transferred from UAB buffer 611 to UV register 503 under control of the micro-operation UVFAB1; also bits 34 and 35 of UAB buffer 611 which is the write ring number WR is transferred to UV register 503 under control of micro-operation UVFAB0. UW register 504 has similar transfers of other ring numbers from various parts of the system. For example bits 34 and 35 which are the write ring number WR of UAB buffer 611 may also be transferred to UW register 504 under control of micro-operation UWFAB1; bits 32 and 33, the read RD ring number of UAB buffer 611 may also be transferred to UW register 504 under control of micro-op UWFAB0; also bits 0 and 1 of QA bus 614 may be transferred to UW register 504 under control of micro-operation UW9QA0. Note also several transfer paths of UW register 504 into UV register 503 under control of the micro-operation UV9UW0; the transfer path of UV register 503 into UM register 502 under control of micro-operation UM9UV0; the transfer path of UM register 502 into UP register 501 under control of the micro-operation UP9UM0; the transfer path of UP register 501 into UM register 502 under control of micro-operation UM9UP0; the transfer path of UM register 502 into UO register 512 under control of micro-operation UO9UM0; and finally the transfer path of UO register 512 into UM register 502 under control of the micro-operation UM9UO0.
Briefly therefore UP register 501 holds the current process ring number PRN; UM register 502 and UO register 512 are utilized for transfer operations and also to generate the EAR. UV register 503 may store for various purposes and at different times the current process ring number PRN, the base register ring number BRN, the maximum ring number MAXR, the write ring number WR, or the read ring number RD. UW register 504 may at various times hold the read ring number RD, the write ring number WR, and bits 0 and 1 of bus QA. UMR 505 is logic, the details of which are shown on Figure 8d, which compares the contents of registers UM and UV and produces the greater of the two values in the registers and this value is stored in UM register 502 under micro-operation control UMFMR0. This is one way of generating the effective address ring number EAR. UMR logic 505 may also produce the greater value of the contents of register UP or of bits 2 and 3 of UBS logic 606. This is another method and/or additional step in generating the effective address ring number EAR. UMR logic 505 is also utilized to determine whether or not a write violation has occurred by transferring a write ring number WR into UV register 503 and then comparing the contents of the UM register 502 (holding EAR) with the contents of UV register 503 in order to determine which one has the greater contents. Since UM register 502 stores the effective address ring number EAR a comparison of the UM register and the UV register will indicate whether EAR is greater than WR or vice versa. If WP (i.e. write permission bit in the segment descriptor) is equal to 1 and if EAR lies in the range of 0 ≤ EAR ≤ WR then a write operation may be performed into the segment. Note that UMR logic 505 may have inputs directly or indirectly from all registers 501-504, from other logic 506, 507, and also from UBS logic 606.
UWV logic 506 corresponds to the detail logic of Figure 8a. UWV logic 506 has inputs directly or indirectly from registers 501-504 and from logic 505, 507 respectively and generates an execute violation signal when a comparison of UW, UM and UV registers 504, 502, and 503 respectively indicates that the maximum ring number MAXR is greater or equal to the effective address ring number EAR is greater or equal to the write ring number WR is not true i.e. in order for a procedure to be able to execute in a given segment indicated by the effective address the maximum ring number MAXR must be greater or equal to the effective address ring number and the effective address ring number EAR must be equal or greater than the write ring number WR. UWV logic 506 also performs tests shown in block 510. Indications may be given that the contents of UW register is less than or equal to the contents of the UV register; the contents of the UM register is greater than or equal to the contents of the UV register; the contents of the UV register is equal to the contents of the UM register; the contents of the UV register is greater or equal to the contents of the UM register; and the contents of the UM register is greater than the contents of the UW register. Of course when performing these tests different values of ring numbers may occupy the registers.

UEP logic 507 corresponds to the detail logic of Figure 8b. UEP logic 507 in combination with UWV logic 506 generates the read violation exception. However the read violation exception may be overridden if the effective address ring number EAR equals the current process ring number PRN, since a procedure is always permitted to read its own segment, and if the segment number of the procedure segment descriptor (not shown herein) and the segment number of the address syllable utilized in generation of the effective address are the same.
To illustrate the overriding of the read violation signal assume that the effective address ring number EAR is greater than the read number RD which would generate a read violation high signal which would be applied as one input of AND gate 522. However the read violation exception signal may not be generated even though there is a read violation signal if the following two conditions exist:
1. The effective address ring number EAR is equal to the process ring number PRN; i.e. the contents of register UM is equal to the contents of register UP; and,
2. The segment number contained in the address syllable of the segment in which a procedure desires to read is equal to the segment number of the procedure segment descriptor (not shown) of the current procedure in execution and this is indicated by setting a bit called a P bit and located as the thirteenth bit of UE register 650. (UE register 650 is a store for the contents of UAS associator 609 when a "hit" has resulted by a comparison of the contents of US register 607).
Since this example assumes that EAR equals PRN, UEP logic 507 will apply a high signal to AND gate 520 as one input, and since it is also assumed that the segment number SEG of the address syllable of the segment being addressed is equal to the segment number SEG of the procedure segment descriptor (not shown) of the currently executing procedure, then the P bit of the procedure segment descriptor will be set and hence the other input applied to AND gate 520 will be high thus enabling AND gate 520; a high signal is therefore applied to the input of inverter 521 resulting in a low signal at the output of inverter 521 which low signal is then applied as another input of AND gate 522. Since there is a low signal to AND gate 522 no read violation exception signal can be generated by amplifier 523 even if the third input signal applied to AND gate 522 is high.
To illustrate how a read violation signal is generated and not overridden, assume that the output of UEP logic 507 indicates that the contents of UM register is not equal to the contents of UP register. Then that input to AND gate 520 would be low and hence AND gate 520 would not be enabled and its output would be low and would be applied to the input of inverter 521. Since the input of inverter 521 is low its output would be high which would be applied as one input of AND gate 522. If also the effective address ring number EAR is greater than the read ring number RD (i.e. contents of UM register is greater than contents of UW register) that signal would be high and would be also applied to another input of AND gate 522. AND gate 522 has still a third input which must also be high in order to enable AND gate 522. This third input is high when AND gate 526 is enabled. Since AND gate 526 has one input terminal which is high when the 00 terminal of URV1F flop 524 is low, AND gate 526 is enabled by applying the micro-operation read violation interrogate signal AJERVA to one input terminal of AND gate 526 while the 00 terminal of URV1F flop 524 is low. Thus AND gate 522 will have all input terminals high, generating the read violation exception signal.

The execute violation exception is generated in two ways. It was seen earlier that an execute violation signal results when UWV logic 506 indicates that WR is less than or equal to EAR is less than or equal to MAXR is not true. This high execute violation signal is applied to a one-legged AND gate 550 which in turn is applied to the input terminal of two-legged AND gate 553 via amplifier 552. When an execute violation interrogate micro-operation signal AJEEVA is applied as another input of two-legged AND gate 553, this gate is enabled, which in turn generates the execute violation exception via amplifier 554. The other method by which the execute violation exception is generated by the execute violation hardware 511 is when the execute permission bit EP is not set. When this condition is true it is indicated by the seventh bit of UV register 613 being high; this bit is then applied to the input terminal of one-legged AND gate 551, which is applied as a high signal to one input terminal of AND gate 553 via amplifier 552. When the execute violation interrogate micro-operation signal AJEEVA goes high, AND gate 553 is enabled and generates an execute violation exception via amplifier 554.
The write violation exception is also generated in two ways. It was seen previously how the UMR logic 505 generates a write violation signal when EAR is greater than WR. This write violation signal is applied to one input terminal of AND gate 545. AND gate 545 is enabled when its second input terminal goes high, thus generating a write violation exception through amplifier 547. The second input terminal of AND gate 545 goes high when AND gate 542 is enabled. AND gate 542 is enabled when the input signals applied to its input terminals are high. One input signal is high when UWV1F flop 541 is low, which in turn applies a low signal to the input terminal of inverter 543, which in turn applies a high signal to one input terminal of AND gate 542; the other input signal is high when the write violation interrogate micro-op signal AJEWVA is high, and this happens when it is desired to interrogate a procedure for the write violation exception. (Flip-flops URV1F, URN1F, and UWV1F are set low when any interrupts or software occurs.) (UWV2F, URV2F, and URN2F flip-flops are utilized to store back-up excess checking information for ring checking.) The other method for generating a write violation exception is when the write permission bit WP is not set. This condition is indicated by bit 6 of UV register 613 being high. When this condition exists and the high signal (i.e. the sixth bit of UV register) is applied as one input of AND gate 546 and the interrogate signal AJEWVA is high and applied as another input of AND gate 546, then AND gate 546 is enabled and a write violation exception occurs via amplifier 547.
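The read, execute and write checks described above, collected into one routine as an added example (it is not code from the patent, which implements these checks in gates). It assumes the interrogate micro-operation for the access is active and takes the effective ring as the larger of the process ring number and the ring number carried by the address; `struct segment`, `effective_ring`, `check_access` and the two sample segments are hypothetical names and constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum access    { ACC_READ, ACC_WRITE, ACC_EXECUTE };
enum exception { EXC_NONE, EXC_READ_VIOLATION, EXC_WRITE_VIOLATION,
                 EXC_EXECUTE_VIOLATION };

/* Ring fields and permission bits of the addressed segment, named as in
 * the text. Ring numbers are 2 bits wide; ring 0 is the most privileged. */
struct segment {
    uint8_t rd;    /* read ring number RD */
    uint8_t wr;    /* write ring number WR */
    uint8_t maxr;  /* maximum ring number MAXR (top of the execute bracket) */
    bool    wp;    /* write permission bit WP */
    bool    ep;    /* execute permission bit EP */
};

/* Constructed sample segments (not taken from the page). */
static const struct segment SAMPLE_DATA = { .rd = 1, .wr = 0, .maxr = 3,
                                            .wp = true,  .ep = false };
static const struct segment SAMPLE_PROC = { .rd = 1, .wr = 1, .maxr = 2,
                                            .wp = false, .ep = true };

/* EAR: the less privileged (numerically larger) of the process ring number
 * PRN and the ring number carried in the base register used for the address. */
static uint8_t effective_ring(uint8_t prn, uint8_t base_ring)
{
    return prn > base_ring ? prn : base_ring;
}

/* Returns the exception the ring-checking hardware would raise, if any.
 * p_bit is the P bit: the addressed segment is the segment of the
 * procedure currently in execution. */
static enum exception check_access(uint8_t prn, uint8_t base_ring, bool p_bit,
                                   const struct segment *seg, enum access kind)
{
    uint8_t ear = effective_ring(prn, base_ring);

    switch (kind) {
    case ACC_READ: {
        /* EAR > RD raises the violation signal; it is overridden only when
         * EAR == PRN and the P bit is set (a procedure reading its own
         * segment). Both conditions are needed, as at AND gate 520. */
        bool violation = ear > seg->rd;
        bool overridden = (ear == prn) && p_bit;
        return (violation && !overridden) ? EXC_READ_VIOLATION : EXC_NONE;
    }
    case ACC_WRITE:
        /* Two independent causes: EAR > WR, or WP not set. */
        return (ear > seg->wr || !seg->wp) ? EXC_WRITE_VIOLATION : EXC_NONE;
    case ACC_EXECUTE: {
        /* Two independent causes: WR <= EAR <= MAXR is not true, or EP not set. */
        bool in_bracket = seg->wr <= ear && ear <= seg->maxr;
        return (!in_bracket || !seg->ep) ? EXC_EXECUTE_VIOLATION : EXC_NONE;
    }
    }
    return EXC_NONE;
}

int main(void)
{
    /* Ring 0 code using an address that carries ring 3 is checked as ring 3. */
    printf("ring-0 write through ring-3 address: %d\n",
           check_access(0, 3, false, &SAMPLE_DATA, ACC_WRITE));
    /* Ring 2 procedure reading its own segment although RD is 1. */
    printf("own-segment read with P bit set:     %d\n",
           check_access(2, 0, true, &SAMPLE_PROC, ACC_READ));
    return 0;
}
```

The write case shows why the effective ring rather than the process ring is compared: a ring 0 procedure handed an address from ring 3 cannot be used to write a ring 0 segment.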
Logic circuitry 591, comprised of flip-flops 532 and 533 in conjunction with amplifier 530 and AND gate 531 and inverter 530A, permits the formation in register UM 502 of the maximum value of ring number (i.e. EAR) under control of a splatter instruction subcommand (not described herein) from the instruction fetch unit IFU. Assuming URN1F flip-flop 532 is set to logical 0 whereas URN2F flip-flop 533 is set to logical 1, then during the execution of the splatter subcommand, input terminal 531A of AND gate 531 will be high; therefore if flip-flop 532 is low (logical 0), then the signal will be inverted by inverter 530A and AND gate 531 will be enabled. Hence the maximum value of the contents of UP register 501 or bits 2 and 3 of logic vector UBS 606 will be strobed into UM register 502. Conversely, if flip-flop 532 is a logical 1, then the contents of UM register 502 is not changed via the above mentioned sources and the EAR derived in UM register 502 via the addressing process of indirection is the one utilized. Flip-flop 533 is the back-up store for the EAR of address-syllable 2 when utilized.
Referring now to Figures 7 and 8 and Figure 5, there is a correspondence wherein the detailed logic for hardware in Figure 5 is shown in Figures 7 and 8 as follows: Fig. 7a and UW register 504; Fig. 7b and UV register 503; Fig. 7c and block 590; Fig. 7d and block 591; Fig. 7e and block 592; Fig. 7f and UP register 501; Fig. 7g and UO register 512; Fig. 7h and UM register 502; Fig. 8a and UWV logic 506; Fig. 8b and UEP logic 507; and Fig. 8d and UMR logic 505.
Referring to Figure 7a, the UW register 504 is comprised of two flip-flops 715a and 720a respectively, each flip-flop capable of holding one bit of information of the UW register. Coupled to flip-flop 715a are 4 AND gates 711a-714a which are OR'ed together, with each gate (except gate 713a) having two input terminals, and with at least one signal applied to each input terminal. AND gate 714a has one of its input terminals coupled to the set terminal UW00010 of the flip-flop 715a. Flip-flop 715a is also coupled to the terminal H27 for receiving from a clock a timing signal called a PDA signal. Flip-flop 720a is coupled to AND gates 716a-719a which are OR'ed together. One input terminal of AND gate 716a is coupled to an input terminal of AND gate 711a; one input terminal of AND gate 717a is coupled to one input terminal of AND gate 712a; and one input terminal of AND gate 719a is coupled to an input terminal of AND gate 714a, whereas the other input terminal of AND gate 719a is coupled to the set terminal UW00110 of the flip-flop 720a. Flip-flop 720a is also coupled to the H27 terminal for receiving PDA pulses.
AND gates 701a-704a are OR'ed together, each having their output terminal coupled to the input terminal of inverter 705a. AND gate 706a is coupled to amplifier 708a, whereas AND gate 707a is coupled to amplifier 709a; one input terminal of AND gate 706a is coupled to one input terminal of AND gate 707a. The output terminal of inverter 705a is coupled to one input terminal of AND gates 714a and 719a; the output terminal of amplifier 708a is coupled to the input terminal of AND gate 713a, and the output terminal of amplifier 709a is coupled to the input terminal of AND gate 718a.
The signals applied to the inputs of AND gates and the signals derived as outputs from amplifiers, inverters, or flip-flops are designated by letters forming a special code. Since both data signals and control signals are either applied or derived, there are two codes, one code for the control signals and one code for the data signals. The code for the control signals was previously described in detail and is summarized here. Briefly, the first two characters of a control signal indicate the destination of data to be transferred; the third character indicates whether a full or partial transfer is to be effected, with the letter F indicating full transfer and any other character indicating a partial transfer; the fourth and fifth characters indicate the source of the data, and if the source is identified by more than two letters only the last two letters need be used; the sixth and seventh characters are usually numerals and indicate whether the signal is high or low, i.e. an odd numeral in the sixth position indicates assertion and an even numeral in the sixth position indicates negation; the seventh position indicates whether this is the first, second, third, etc. level of occurrence of the signal. Data, on the other hand, is indicated differently. The first three characters of data indicate the source of the data, the fourth and fifth characters, which may be numerals, indicate the bit positions where the data is located in the source, and the sixth and seventh positions are similar to the control signals in that they indicate whether the signal is high or low and the level of occurrence of the signal. Generally the format itself indicates whether the signal is a control signal or a data signal, and by reference to Figures 5 and 6 the source and destination may be determined. There are exceptions to this general rule and they will be spelled out in the specification, and addendum. As an example of this convention it will be noted on Figure 7a that the following signals are control signals: UWFAB11, UWFAB10, UW9QA10. The following signals are data signals: UAB3410, UAB3210, UAB3510, UAB3310, QA00110, and QA00010. The following signals are exceptions: PDARG10 is a timing signal whose source is the PDA clock; UWHOL10 is a hold signal for holding the information in the flip-flops 715a and 720a; UW0BK10 and UW1BK10 are back-up logic whose main function is to extend the input capability of flip-flops 715a and 720a by connecting the UW register, which is in fact formed by flip-flops 715a and 720a, to bit zero and bit 1 represented by flip-flops 715a and 720a respectively; and finally USCLR10 is the clear signal for clearing and setting the flip-flops to zero.
As an illustration of the above mentioned convention herein adopted, the signal UWFAB11 applied to the input of one-legged AND gate 702a is a control signal which transfers data (bits 34 and 35) contained in UAB associator buffer 611 (the U in the signal has been omitted) to UW register 504 and is a full transfer to the UW register 504; the odd number indicates the signal is assertion. Signal UWFAB10 applied to the input of one-legged AND gate 703a is a control signal with the same source and destination as the signal applied to AND gate 702a except that bits 32 and 33 of UAB are transferred to UW register. The signal UW9QA10 applied to one-legged AND gate 704a is also a control signal wherein data is transferred from QA bus 614 to the UW register and may be a partial transfer. The signal QA00010 applied to AND gate 706a is a data signal where data is on QA bus 614 (the third position is not herein utilized since the first two positions adequately describe where the data is) and this data signal represents the bit identified as 00 on QA bus 614. The signal QA00110 is similar to the previous signal except the data identified by this signal is the data on position 01 of the QA bus 614. Thus by utilizing this convention and Figures 5 through 9 the ring protection hardware is fully defined and may be easily built by a person of ordinary skill in the computer art.
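The seven-character signal code described above can be decoded mechanically; the following parser is an added example, not part of the patent. It assumes F is the full-transfer letter, treats a name whose fourth and fifth characters are both numerals as a data signal (the text only says they may be numerals), and handles the exceptions with a lookup table that holds only PDARG10; `struct signal` and `parse_signal` are hypothetical names.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum sig_kind { SIG_INVALID = 0, SIG_CONTROL, SIG_DATA, SIG_EXCEPTION };

struct signal {
    enum sig_kind kind;
    char dest[3];    /* control only: destination, characters 1-2 */
    char source[4];  /* control: characters 4-5; data: characters 1-3 */
    char bits[3];    /* data only: bit position in the source, characters 4-5 */
    bool full;       /* control only: third character is 'F' (full transfer) */
    bool asserted;   /* odd sixth character = assertion, even = negation */
    int  level;      /* seventh character: level of occurrence */
};

/* Names the text lists as exceptions to the convention. A lookup table is
 * this example's assumption; extend it from the specification as needed. */
static const char *const EXCEPTION_NAMES[] = { "PDARG10" };

static struct signal parse_signal(const char *name)
{
    struct signal s;
    size_t i;

    memset(&s, 0, sizeof s);              /* kind = SIG_INVALID, empty strings */
    if (name == NULL || strlen(name) != 7)
        return s;
    for (i = 0; i < 7; i++)
        if (!isalnum((unsigned char)name[i]))
            return s;
    /* The example requires numerals in positions six and seven. */
    if (!isdigit((unsigned char)name[5]) || !isdigit((unsigned char)name[6]))
        return s;

    for (i = 0; i < sizeof EXCEPTION_NAMES / sizeof EXCEPTION_NAMES[0]; i++)
        if (strcmp(name, EXCEPTION_NAMES[i]) == 0) {
            s.kind = SIG_EXCEPTION;
            return s;
        }

    s.asserted = ((name[5] - '0') % 2) == 1;
    s.level = name[6] - '0';

    if (isdigit((unsigned char)name[3]) && isdigit((unsigned char)name[4])) {
        s.kind = SIG_DATA;
        memcpy(s.source, name, 3);        /* e.g. "UAB", or "QA0" for the QA bus */
        memcpy(s.bits, name + 3, 2);
    } else {
        s.kind = SIG_CONTROL;
        memcpy(s.dest, name, 2);
        s.full = (name[2] == 'F');
        memcpy(s.source, name + 3, 2);    /* last two letters of the source */
    }
    return s;
}

int main(void)
{
    /* Names cited in the text for Figure 7a. */
    const char *names[] = { "UWFAB11", "UW9QA10", "UAB3410", "QA00110", "PDARG10" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct signal s = parse_signal(names[i]);
        printf("%s kind=%d dest=%s source=%s bits=%s full=%d asserted=%d level=%d\n",
               names[i], s.kind, s.dest, s.source, s.bits, s.full, s.asserted, s.level);
    }
    return 0;
}
```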
Referring to Figure 7b, there is shown the detailed logic block diagram for UV register 503. Signal UVHOL10 is a hold signal for UV register 503 which is generated via inverter 730b when none of the one-legged AND gates 701b-708b has a high signal applied to it. UVHOL10 signal is applied to AND gate 723b and causes information stored in the UV register 503 to be held therein. Signal UVHOL1E, coupled to the input of AND gate 704b and to the outputs of AND gates 705-708b, extends the number of control signals that may generate the hold signal UVHOL10. Signal UV0BK10, coupled to the outputs of AND gates 710b-730b and to the input of AND gate 722b, is also utilized to extend the number of input signals that may be applied to flip-flop 724b. Signal UV1BK10, coupled to the outputs of AND gates 716b-718b and to the input of AND gate 727b, similarly extends the number of input signals that may be applied to flip-flop 729b.

Referring now to Figure 7g, there is shown the detailed logic block diagram of UO register 512. AND gates 701g-704g are OR'ed together and their output is applied as an input to inverter 705g. AND gates 706g-709g are also OR'ed together and their outputs are coupled to flip-flop 710g. Also one input of AND gate 709g is coupled to the UO00010 terminal of flip-flop 710g. AND gates 711g-714g are also OR'ed together and are similarly coupled to flip-flop 715g. It will be noted also that an input of AND gate 706g is coupled to an input of AND gate 711g; an input of AND gate 707g is coupled to an input of AND gate 712g; and an input of AND gate 709g is coupled to an input of AND gate 714g. The UOHOL10 signal generated by inverter 705g is also coupled to an input of AND gates 709g and 714g and is utilized to hold information in the UO register 512. X00 represents a ground, whereas X~ means unused input.
Figure 7f is a detailed logic block diagram of UP register 501. It is similar to Figure 7g described supra except that different signals from different destinations and different sources are applied.
Referring now to Figure 7h, there is shown the detailed logic block diagram of UM register 502. AND gates 701h-704h are OR'ed together to produce the UMHOL10 hold signal via inverter 705h. AND gates 706h-709h are OR'ed together and are coupled to the input of AND gate 704h in order to extend the range of signals that may be applied to produce the UMHOL10 hold signal. Similarly, AND gates 711h-714h are OR'ed together and coupled to the input of AND gate 723h in order to extend the range of signals that may be applied to flip-flop 730h; and also AND gates 716h-719h are OR'ed together and are coupled to the input of AND gate 727h in order to extend the range of signals applied to flip-flop 731h. A line 740h for applying the PDA signals to flip-flops 730h and 731h is coupled at points 734h and 735h respectively. The input of AND gate 703h is also expanded to provide two further inputs URN1F00 and I~IIlO by coupling the output of amplifier 733h to the input of AND gate 703h.
Referring now to Figures 7c-7e, there are shown detailed logic block diagrams of write exception control logic 590, IFU subcommand control logic 591, and read violation exception control logic 592 respectively. Referring first to Figure 7c, there are shown flip-flops 705c and 710c which correspond to flip-flops 541 and 540 respectively. Under a micro-operation UPLW2~lO subcommand the information in flip-flop 710c is transferred to flip-flop 705c. The UlNlIIlO hold signal is utilized to hold the information transferred to flip-flop 710c, whereas the U'~V2~10 signal is utilized to hold the information transferred to flip-flop 705c. Similarly in Figure 7d information is transferred from flip-flop 710d to flip-flop 705d under micro-operation signal Ul~ISIIlO, and in Figure 7e information from flip-flop 710e is transferred to flip-flop 709e under control of micro-operation signal UR~2~10.
Referring now to Figures 8a, 8b, and 8d, there are shown detailed logic block diagrams of UWV logic 506, UEP logic 507, and UMR logic 505 respectively. Referring first to Figure 8a, there is shown logic for generating a high signal when one of the test conditions 510 is true and also for generating the execute violation signal when the contents of UW register is less than or equal to the contents of UM register is less than or equal to the contents of UV register is not true. When the signal UWLEV10 is generated it indicates that the contents of UW register 504 is less than or equal to the contents of UV register 503. The logic for generating this signal was derived pursuant to the following Boolean expression:

X1 = (BCD) + (ABD) + (AC)

Where X1 represents the output of amplifier 805a and the various letters of the expression represent different input terminals of AND gates 801a-804a.
An indication that the contents of UV register 503 is greater than or equal to the contents of UM register 502 is had when UVGEM10 signal is generated. This signal is generated via inverter 820a in response to various inputs on AND gates 816a-819a which are OR'ed together and coupled to the input of inverter 820a. The logic for generating the UVGEM10 signal is made pursuant to the following Boolean expression:

X2 = (B~) + (AB~) + (A~)

An indication that the contents of UM register 502 is greater than or equal to the contents of UV register 503 is indicated by generating signal UMGEV10 via inverter 810a in response to the various inputs of AND gates 806a-809a which are OR'ed together. The logic for generating this signal is derived from the following Boolean expression:

X3 = (BCD) + (A~ (AC)

(Wherein X3 is the generated output signal).
Similarly the UVEQM10 signal is generated pursuant to the following Boolean expression:

X4 = (AC) + (AC) + (BD) + (~D)

Generation of the UVEQM10 signal indicates that the contents of the UV register 503 is equal to the contents of the UM register 502.
The generation of the UMGEW10 signal indicates that the contents of the UM register 502 is greater or equal to the contents of the UW register 504 and is generated pursuant to logic having the following Boolean expression:

X5 = (3~ (AB~) + (AC)

Generation of the UMGTW10 signal indicates that the contents of UM register 502 is greater than the contents of UW register 504 and this signal is generated by logic defined by the following Boolean expression:

X6 = (A~ A)

The generation of the U~G~i~OO signal indicates that the contents of UW register less than or equal to the contents of UM register less than or equal to the contents of UV register is not true. It is obtained when the UVGEM10 signal, indicating that the contents of UV register is greater than or equal to the contents of the UM register, and the UMGEW10 signal, indicating that the contents of the UM register is greater than or equal to the contents of the UW register, are both high.
Referring now to Figure 8b, a UMEQP10 signal is generated by logic derived from the following Boolean expression:

X7 = (A~) + (~C) ~ (B~ D~

When this signal is high it indicates that the contents of UM register 502 is greater than the contents of UP register.
Referring to Figure 8d, there is shown the detailed logic block diagram for performing the operations of UMR logic 505 shown on Figure 5. One of the operations of this logic is to determine the maximum value of the contents of UP register 501 and of bits 2 and 3 of UBS logic 606. In order to do this there must be an indication whether contents of UP is less than the contents of UBS or the contents of UP is greater than the contents of UBS. The generation of UPLEB10 signal indicates that the contents of UP register 501 is less than or equal to bits 2 and 3 of UBS logic 606; whereas the generation of signal UPGTB10 indicates that the contents of UP register 501 is greater than bits 2 and 3 of UBS logic 606. These signals are generated by logic which has been defined by the following Boolean expression:

X8 = (B~ (A~D) ~ (A~)

Where X8 is the output of inverter 805d and the letters of the expression are various inputs of the AND gates 801d-803d.
To illustrate how the maximum value of the contents of UP register and UBS logic may be determined by the output signals UM~B010 and UM~B110 of amplifiers 814d and 817d respectively, assume first that the contents of register UP are less than or equal to bits 2 and 3 of UBS logic because bit 2 is 1 and bit 3 is 1 whereas UP register contains ~1. This is indicated by the signal UPLEB10 being high and the signal UPGTB10 being low since it is the inverse of signal UPLEB10. This high UPLEB10 signal is applied to one input of AND gate 813d and also one input of AND gate 816d. If bit 2 of UBS logic is a 1 as indicated by signal UBS0210, then AND gate 813d is enabled and signal UM~B010 goes high and indicates that bit 2 on UBS logic is a 1. Moreover if bit 3 of UBS logic is a 1, indicated by input signal UBS0310 being applied as another input of AND gate 816d, then AND gate 816d is enabled and signal UM~B110 is high or a 1. Therefore under the assumed conditions wherein bits (2,3) of UBS logic is greater or equal to the contents of UP register, the maximum value of the two quantities is in UBS, and its number is binary 11 or decimal 4. Hence it is seen how a comparison is first made to determine which hardware contains the maximum, and then a determination is made as to the value of that maximum. By similar analysis one may see how the value of the UP register may be determined by signals UM~B010 and signals UM~B110 when the contents of UP register is greater than the second and third bit of UBS logic. Similarly the maximum value of UM register 502 or UV register 503 may be determined by signals UVGEM10 and UMGEV10 respectively, when UV register 503 is greater than or equal to UM register 502, and conversely when UM register 502 is greater than UV register 503.
Referring now to Figures 9a-9i, a legend of symbols utilized in Figures 7 and 8 is shown. Figure 9a shows the symbol when there is a connection internally within the logic board. Figure 9b illustrates an output pin connection. Figure 9c indicates an input pin connection and is generally a source outside of the logic board illustrated. Figure 9d is the symbol utilized for an AND gate. Figure 9e is the symbol utilized for an amplifier, whereas Figure 9f is the symbol utilized for an inverter. Figure 9g illustrates three AND gates 901g-903g that are OR'ed together, thus causing output 904g to go high when any one of AND gates 901g-903g is high. Figure 9h shows the symbol of a flip-flop having a 00 reset terminal and a 10 set terminal. A PDA line supplies the clock pulse for causing the flip-flop to switch states when other conditions are present on the flip-flop. Figure 9i represents a micro-operation control signal.
In order to enforce the ring protection scheme between procedures executing in different rings, the invention employs push-down stacks for its procedure-linkage mechanism wherein a portion of each stack called a stack frame is dynamically allocated to each procedure. Different stack segments are used for each ring with one stack segment corresponding to one ring. Thus when a procedure is executed in ring RN its stack frame is located in the RN stack segment. Referring to Figure 10 there is shown three stack segments 1001-1003, with each stack segment having stack frames S1-S3 respectively. Ring 3 is assigned to stack segment 1001, ring 1 is assigned to stack segment 1002 and ring 0 is assigned to stack segment 1003. Within each stack segment there is a procedure P1 associated with stack frame S1 of stack segment 1001, a procedure P2 associated with stack frame S2 of stack segment 1002 and a procedure P3 associated with stack frame S3 of stack segment 1003. The segmented addresses (i.e. segment number and segment relative address SEG, SRA) of the first bytes of the stack segments for rings 0, 1 and 2 respectively are located in stack base words SBW0-SBW2 respectively which are in turn located in process control block 104. Since the ring 3 stack segment can never be entered by an inward call (i.e. from a ring higher than ring 3) its stack starting address is not needed. Each stack frame S1, S2, S3 is divided into a working area 1005, 1006, 1007 respectively; an unused portion 1008, 1009, 1010, which is utilized for alignment purposes; a register saving area 1011, 1012, and 1013; and a communication area 1014, 1015, and 1016 respectively. The working area is utilized by its procedure as needed and may contain material required by the process such as local variables, etc. The saving area of the stack frame is utilized to save the contents of various registers such as the status register, the T-register and the instruction counter contents ICC. The communications area stores information which is needed to pass parameters between procedures. Prior to a call to a given procedure the user saves those registers he wishes saved and moreover loads into the communication area the parameters to be passed to the called procedure. When the call is made, the hardware saves the contents of the instruction counter and other specified registers to facilitate a return from the called procedure. Each procedure call creates a stack frame within a stack segment and subsequent procedure calls create additional frames. Hence a stack is created and consists of a number of contiguous parts called stack frames which are dynamically allocated to each procedure. These stacks reside in stack segments. Generally the first stack frame is loaded into the beginning of the segment and succeeding frames are loaded after it. The last frame loaded is considered the top of the stack. A T-register 114 on Figure 1 locates the top of the stack for the currently active process. A procedure such as for example P1 which is executing in ring 3 may call a procedure P2 executing in ring 1 which in turn calls a procedure P3 which is now executing in ring 0. As each procedure is called it creates within its ring stack segment a stack frame (i.e. defining the environment for the procedure execution) and the T-register 114 is loaded which gives the address of the top of the stack for the currently active process. The procedure P1 (as previously assumed) may call procedure P2 which in turn may call procedure P3 and since these calls are from a higher ring number to a lower ring number a ring crossing entailing an inward call is required and is accomplished in a manner to be described infra. During each change of procedure the necessary registers and parameters are saved in order to facilitate a return from the called procedure.
A procedure is always accessed through a procedure escriptor 110 by means of the ENTER PROCEDURE INSTRUCTIONS.
The format of the ENTER PROCEDURE INSTRUCTION 1100 is shown ~, on Figure lla. The operation code ~OPj 1101 occupies bit posi-1 . - . :
1, 30 tions 0 through 7. The complementary code 1102 is a one bit ,. . .
code and occupies bit position 8 to 9; if the complementary code is set to logical 1 the instruction is ENT, whereas :Lf the ..:
~ ~ - 47 - ~

complementary code is logical 0 the instruction is ENTSR and the base register must be base register 0 (BRO). The address syllable AS 1104 occupies bit positions 12 thru 31 and provides the address syllable AS of the procedure descriptor 1110. When an ENTER PROCEDURE INSTRUCTION requires a ring crosslng a gating procedure descriptor 1120 is obligatorily accessed. This is indicated by the GS field 1302 of segment descriptor 1301 being set to logical 10. Generally the GS field is set to 10 when one of the ENTER PROCEDURE INSTRUCTIONS is utilized. The segment descriptor is utilized to point to the base of the segment desi-red, in this instance the segment 1300 containing gate procedure descriptors GPD 1120. The flrst word of the segment 1300 contai-ning the gating procedure descriptors ~GPD's) is formatted as shown in Figure llc. The TAG 1121 occupies bit positions 0 and 1 and must indicate a fault descriptor i.e. the TAG field must be set to logical 11. The Caller's Maximum Ring Number CMRN 1122 occupies bit positions 2 and 3, and indicates the maximum ring from which a calling procedure through the gated procedure des-.... .
criptor GPD is legal. A call violation exception is generated if . .
; 20 the caller's ring number is greater than CMRN 1122. The gated ,1 procedure descriptor address boun~y GP~B 1124 occupies bit positions l 10 through 31 and it must be greater than the segment relative .1 ; .
// , ~"
:i ~ ' .~ "
', / .' .

'/~ ' /' , ,.
'" :
. .

.~
. . .

. ~ "~'`'"

1055~

address Sl'~ (i.e. the GPD's displaccr.1cnt in ~he segment o~
procedure descriptors 1300), othc~ise an illegal GPD accr3ss exception occurs, Thus a gating procedure descriptor GPD is utilized as the ~irst ~ord of the segment con'taining procedure descriptors and is utilized to determine YJhether the caller has a rig'nt to access the segment via the caller~s Daximum rin~ number ~d~ and whether or not the procedure descriptor -called is ~ -..~. . .
'' within the gating procedure descriptor~s aadrcss boundary. Once .,. - . . : ..
'~ it is determined that there is a legal call to the se~ment and the caller has a right to enter the segment the address is obtained from,the address s~llable AS llO~ o~ enter instruction ~ ' 1100 and thc required procedure descriptor lllO (see ~lso ~igurc ;~ 13~ is accessed. r~he ~ormat of proceduro descriptor lllO is , shown on ~igure llb ~nd is comprised of two 32 bit words--wo;^d ,''~ O and l respectivel~. Word O contains the se~mented address 1ll3 o~ the entry point EP o~ the procedure desired. r~he se~ented ~, ' address, as in the case with the seg~en~ed address OL an~
... .
,~ operand, is co~prised o~ the segment numbcr S~G and the se~nent ~ .
", ' relative address SRA. 'l70rd O of the procedure descriptor includes .,1 ., .
, 20 an entry point r~lg numb~r EPRN lll2 and a rrAG field llll. '~he '" value o~ the ri'AG is interpreted as follows:
a. if the TAG contains logical 00 the procedure descriptor is direct;
b. if the TAG is logical 01 the procedure descriptor is an extended descriptor and includes word 1 making a total of two words;
c. if the TAG is logical 10 the procedure descriptor is indirect and an illegal procedure descriptor exception occurs; and,
d. if the TAG is logical 11 it is a fault procedure descriptor and an exception occurs.

Word 1 of the procedure descriptor is 32 bits long and is utilized when the TAG indicates an extended descriptor and contains the segmented address of a linkage section whose contents are loaded in base register BR 7 at procedure entry time.

Referring to Figure 12, a portion of the ENTER instruction is shown and more specifically that portion which pertains to the ring crossing and ring checking requirements. The ENTER instruction is called 1201 and a comparison is made 1202 wherein the segmented part of the base register BRn is compared to the segmented part of the address of the T register, and if they are not equal an illegal stack base register 1208 is indicated. If on the other hand they are equal another comparison 1203 is made wherein the 30th bit including the next two bits (i.e. bits 30 and 31) of base register n, BRn, is compared to 0 and if it is not equal to 0, then once again an illegal stack base register 1208 is indicated. If it is equal to 0 it indicates that the contents of BRn is aligned with respect to the word boundary and another comparison 1204 is performed to determine that the TAG of BRn (i.e. the two bits starting from bit 0) is equal to 0.
A TAG having a logical 0 indicates information is accessed via a direct descriptor which is one of the requirements of the ENTER instruction. If the TAG (i.e. bits 0 and 1 of BRn) is equal to 0 then the functions stated in flow charts of Figures 14 through 16 are performed (see flow chart Figure 12 block 1205). If these meet the necessary requirements a further check 1206 is made to determine whether the segment relative address of the entry point which was given (SRA_EP) is even, because instructions start on a half-word boundary. If it is not even then an illegal branch address exception is generated 1209; however if it is legal the ENTER instruction is executed 1207 via further steps not shown.

Referring now to the flow charts of the access checking mechanism, Figures 14-16, generally the following operations are performed each time the instruction ENTER PROCEDURE is issued:
a. the caller's right to call the callee is checked by first determining from the second word of the segment descriptor the call bracket in which the caller is executing. (The call bracket is determined by taking the minimum ring number from the write ring number field WR and the maximum ring number from the maximum ring number field MAXR);
b. a decision is made about the next process ring number by determining whether the caller is in the same call bracket as the callee, which implies don't do anything; whether the caller is in a call bracket requiring that he makes an outward call, in which case an exception condition is generated which is handled by a mechanism not described herein; or finally whether caller is in a call bracket which requires an inward call (i.e. going to a call bracket which requires ring crossing from a larger ring number to a smaller ring number, in which case the ring crossing must be at a valid entry point EP and the entry point must be validated).
c. a stack frame is created for the callee (i.e. space in the aforementioned format of the appropriate segment is allocated), and the stack frame and the stack frame registers are updated;
d. a branch to the entry point of the procedure pointed to by the procedure descriptor is performed.

Referring now to Figure 14, the access checking is started 1401 by obtaining the address syllable AS containing the effective address ring number EAR, the segment number of the procedure descriptor SEG_PD, and the segment relative address of the procedure descriptor SRA_PD. Having developed this information the procedure descriptor 1110 is fetched 1403 from (SEG_PD, SRA_PD) ignoring access rights to scratch pad memory. The procedure descriptor 1110 will yield the TAG which determines whether the descriptor is direct, extended, indirect, or a fault descriptor; the entry point ring number EPRN; the segment (SEG_EP) which contains the entry point and the segment relative address (SRA_EP) of the entry point. The TAG is tested 1404 to determine whether the descriptor 1110 is direct, extended, indirect or a fault descriptor by checking its field in accordance to the code hereinbefore described. Only a direct or extended procedure descriptor is legal. An indirect or fault descriptor is illegal and upon access invokes an exception mechanism not herein described. Once it is determined that a legal procedure descriptor has been accessed the actual call right checking begins at point A.

Referring now to Figure 15 and continuing from point A 1405, the maximum ring number MAXR, the write ring number WR, and the execute permission bit EP of the segment containing the entry points SEG_EP are fetched; this information is contained in the segment descriptor for the segment containing the entry points (SEG_EP). The write ring number WR is compared to the maximum ring number MAXR 1503 and if the write ring number WR is greater than the maximum ring number MAXR the segment is nonexecutable and an execute violation exception 1513 occurs. If the write ring number WR is less than or equal to the maximum ring number MAXR then the execute permission bit EP is compared to logical 1 and if the EP bit is not logical 1 then once again an execute violation exception 1513 occurs; however if the EP bit is equal to one the effective address ring number EAR of the calling procedure is maximized with EPRN to give a new EAR2 [MAX (EAR1, EPRN)], where EAR1 is the maximum of PRN as found in the instruction counter IC, and all ring numbers in base registers and data descriptors, if any, found in the path which leads to the procedure descriptor. The effective address ring number EAR2 is then compared 1506 to the maximum ring number MAXR of the segment descriptor of SEG_EP, which is the maximum ring number at which a procedure may execute. If EAR2 is greater than MAXR the procedure call is an inward call which requires that the procedure be entered by a valid entry point and the access checking operation branches to point B 1507. The following checking operations are then performed:
a. the SEG_PD is checked to determine if it is a legal gate segment; and,
b. the caller's maximum ring number CMRN is checked to determine if it is greater than or equal to the effective address ring number EAR of the caller.
If these conditions are not true then an illegal gate segment exception 1603 or call violation exception 1615 occurs.

Referring now to branch point B 1507 of Figure 16, the first check 1602 that is made is to determine whether or not the segment which contains the procedure descriptors is a gate segment. This is done by examining the Gating Semaphore field GS of the segment descriptor pointing to the segment of procedure descriptors, to determine if it is set to logical 10. If the GS field of the segment descriptor of the segment containing procedure descriptors is set to 10 it is then a gate segment and the first word of the segment containing procedure descriptors is a gated procedure descriptor GPD 1120 of Figure 11C and Figure 13. The first word 1120 of the segment containing procedure descriptors is then fetched from address SEG_PD, 0 ignoring access rights to scratch pad memory. It will be noted that the TAG field of the first word 1120 of the segment containing procedure descriptor SEG_PD 1300 must be a logical 11 (Figure 13) which indicates it is a fault descriptor. Moreover the MBZ field must be set to zero. These conditions are checked by hardware/firmware (arithmetic logic unit) step 1605 and if these conditions do not hold an illegal gate segment exception 1603 results. However if these conditions do hold a check 1606 is further made to determine that the segment relative address of the procedure descriptor SRA_PD 1110 is a multiple of [?]. If the condition of step 1606 does not hold an illegal system object address exception 1613 results; otherwise the next step 1607 is performed. Step 1607 checks to determine whether or not the segment relative address of the procedure descriptor SRA_PD is within the address boundary GPDAB 1121 of the gated procedure descriptor 1120; if it is not within that address boundary it is an illegal procedure descriptor and an illegal GPD gated procedure descriptor access exception 1614 occurs. However if it is within the address boundary of the gated procedure descriptor (i.e. SRA_PD is less than GPDAB) then the caller's right to call the callee is checked 1608. This is performed by comparing the effective address ring number EAR2 to the caller's maximum ring number CMRN 1122 as found in the first word 1120 of the segment of procedure descriptors 1300.
If EAR2 is greater than the caller's CMRN a call violation exception 1615 occurs which indicates that the caller in this particular instance has no right to legally call inward, i.e. from a higher ring number to a lower ring number. On the other hand if EAR2 is equal or less than CMRN, then the inward call is legal and a check is made 1609 to determine that the process ring number PRN, which is the current process ring number found in the instruction counter IC just before the call was made, is less than the maximum ring number MAXR of SEG_EP; and if it is the accessing mechanism branches to point C 1508, otherwise a new process ring number NPRN is calculated and set to a maximum ring number MAXR 1611. Generally the effective address ring number EAR2 is the same as the process ring number PRN of the caller. Sometimes however, in cases where it is necessary to give maximum assurance that the caller will not be denied access to a given segment the EAR2 is greater than the PRN. In those cases PRN is forced to take the value of EAR2 in order to make sure that the call is returned to the maximum ring number upon an exit. To this point it will be noted that this checking mechanism was invoked because the EAR2 was greater than the MAXR, hence greater than the top of the call bracket of the procedure, and hence an inward call was necessary which necessitated going through a valid gate, and the mechanism included these gating checks. By branching back to C 1508 (Figure 15) a further check 1509 is made to determine then that the process ring number PRN is greater than the write ring number WR of SEG_EP which in this context is the minimum ring number at which a procedure may execute. If the write ring number WR is greater than the process ring number PRN an outward call exception 1514 occurs. However if WR is less than or equal to PRN the call is legal and NPRN is set to PRN 1510.

Having made the above checks the inward call is made, and after performance of the desired operation a return back to the original point of the program in execution is made by the EXIT INSTRUCTION. During the ENTER INSTRUCTION the instruction counter IC was saved in the saving area of the caller's stack frame before making the call. Moreover the caller's ring number was also saved during the ENTER INSTRUCTION and this was saved in base register 0 BR0.
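
The ring checks that Figures 15 and 16 apply on an ENTER can be followed in a small C model. This is an added illustration, not code from the patent; the type and function names are hypothetical, a call with EAR2 not greater than MAXR is assumed to continue at point C, and the TAG test of Figure 14 and the alignment check of step 1606 are left out.

```c
/* Added model of the ENTER ring checks of Figures 15-16 (not patent code). */
#include <stdbool.h>
#include <stdio.h>

typedef enum {
    CALL_OK,
    EXECUTE_VIOLATION,     /* exception 1513 */
    ILLEGAL_GATE_SEGMENT,  /* exception 1603 */
    ILLEGAL_GPD_ACCESS,    /* exception 1614 */
    CALL_VIOLATION,        /* exception 1615 */
    OUTWARD_CALL           /* exception 1514 */
} call_result;

/* Fields of the segment descriptor of SEG_EP that the checks read. */
typedef struct {
    unsigned wr;    /* WR: minimum ring at which the procedure may execute */
    unsigned maxr;  /* MAXR: maximum ring at which the procedure may execute */
    bool ep;        /* EP: execute permission bit */
} seg_ep_desc;

/* Gate data for SEG_PD: the GS field of its segment descriptor and the
 * fields of its first word, the gated procedure descriptor GPD 1120. */
typedef struct {
    unsigned gs;     /* binary 10 marks a gate segment */
    unsigned tag;    /* must be binary 11 */
    unsigned mbz;    /* must be zero */
    unsigned gpdab;  /* GPDAB: SRA_PD must be below this boundary */
    unsigned cmrn;   /* CMRN: caller's maximum ring number */
} seg_pd_gate;

/* Returns CALL_OK and stores the new process ring number in *nprn, or
 * returns the exception the text names for the failed step. */
call_result enter_ring_check(unsigned prn, unsigned ear1, unsigned eprn,
                             unsigned sra_pd, const seg_ep_desc *ep,
                             const seg_pd_gate *pd, unsigned *nprn)
{
    unsigned ear2;

    if (ep->wr > ep->maxr || !ep->ep)        /* step 1503 and the EP test */
        return EXECUTE_VIOLATION;
    ear2 = ear1 > eprn ? ear1 : eprn;        /* EAR2 = MAX(EAR1, EPRN) */

    if (ear2 > ep->maxr) {                   /* step 1506: inward call, point B */
        if (pd->gs != 2u || pd->tag != 3u || pd->mbz != 0u)
            return ILLEGAL_GATE_SEGMENT;     /* steps 1602 and 1605 */
        if (sra_pd >= pd->gpdab)
            return ILLEGAL_GPD_ACCESS;       /* step 1607 */
        if (ear2 > pd->cmrn)
            return CALL_VIOLATION;           /* step 1608 */
        if (prn >= ep->maxr) {               /* step 1609 not satisfied */
            *nprn = ep->maxr;                /* step 1611 */
            return CALL_OK;
        }
    }
    /* Point C 1508. Assumption: a call with EAR2 <= MAXR also arrives here. */
    if (ep->wr > prn)                        /* step 1509 */
        return OUTWARD_CALL;
    *nprn = prn;                             /* step 1510 */
    return CALL_OK;
}

/* Constructed scenario: procedure descriptor at SRA_PD 8 with EPRN 0, in a
 * gate segment with GPDAB 64. Returns NPRN on success, minus the exception
 * code otherwise. */
int demo_call(unsigned prn, unsigned ear1, unsigned wr, unsigned maxr,
              unsigned cmrn)
{
    seg_ep_desc ep = { wr, maxr, true };
    seg_pd_gate pd = { 2u, 3u, 0u, 64u, cmrn };
    unsigned nprn = 0;
    call_result r = enter_ring_check(prn, ear1, 0u, 8u, &ep, &pd, &nprn);
    return r == CALL_OK ? (int)nprn : -(int)r;
}

int main(void)
{
    /* The callee's call bracket is rings 0-1 in the first three calls. */
    printf("ring 3 caller, CMRN 3        -> %d\n", demo_call(3, 3, 0, 1, 3));
    printf("ring 3 caller, CMRN 2        -> %d\n", demo_call(3, 3, 0, 1, 2));
    printf("ring 0 caller, ring 3 path   -> %d\n", demo_call(0, 3, 0, 1, 2));
    printf("ring 0 caller, bracket 2-3   -> %d\n", demo_call(0, 0, 2, 3, 3));
    return 0;
}
```

The third call shows why the gate test uses EAR2 rather than PRN: a ring 0 caller that reached the procedure descriptor through a ring 3 address is held to the ring 3 limit.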

The format of the EXIT INSTRUCTION 1130 is shown on Figure 11D. The operation code OP 1131 is found in bit positions 0-7 and the complementary code C 1133 is found in bit positions 12-15. The complementary code allows other instructions to use the same 8 bit op code. The MBZ field 1132 in bit positions 8-11 must be 0 otherwise an illegal format field exception occurs. (BR0 is generally a pointer to the communications area of the caller's stack frame).

In performing the EXIT INSTRUCTION it is necessary to perform predetermined checks in order to ascertain that the caller didn't change his image which would permit him to operate at a different privilege than was intended. Referring to Figure 17, the first check performed 1701 is to determine if the TAG of the instruction counter content (ICC) indicates a direct descriptor. A logical 00 in the TAG field indicates that it is direct; if it is not, an illegal stack data exception 1702 occurs, whereas if it is equal to 0 the ring field in the instruction counter content ICC is set to the new process ring number NPRN 1703. This sets the new process ring number NPRN to what it used to be when the call was first made. However further checks are made in order to ascertain that there was no further cheating. Hence the base register 0 ring number, located at bit position 2 and extending for 2 bit positions from and including bit position 2, must be equal to the new process ring number NPRN 1704. (It will be recalled that when the ENTER INSTRUCTION was called the ring number of the caller before the call was made was stored in bits 2 and 3 of base register 0, BR0). If check 1704 indicates that the new process ring number NPRN is not equal to the ring number in bit positions 2 and 3 of base register 0 (BR0) an illegal stack data exception 1702 occurs. The next check 1705 determines whether an inward or an outward return must be performed. Since an inward call was previously performed an outward return is implied in order to reach the original point from which the procedure was called. Moreover since the invention does not permit an outward call there is never a necessity to return inward. Hence the new process ring number NPRN is compared to the process ring number PRN 1705, and if NPRN is less than PRN an inward return is implied and an inward return exception 1706 is generated. However if check 1705 is passed successfully (i.e. NPRN is greater or equal to PRN) then a check is made to determine that a return is made to the segmented address SEGr that called the procedure and a return to the call bracket of the calling procedure is made and moreover that the execute bit EP is set. This is performed by fetching the segment descriptor SEGr of the calling procedure 1707 and making checks 1709, 1711, 1712. In performing checks 1709, 1711, 1712, check 1709 and 1711 determine that the new process ring number NPRN is greater than the minimum ring number WR but less than the maximum ring number MAXR (i.e. that the ring number is in the call bracket of the calling procedure where it should be). Finally check 1712 makes sure that the execute permission bit EP is set to 1. Thus a full cycle is concluded: a call was performed via an ENTER INSTRUCTION; the required operation or processing was performed via the called procedure; then a return via an EXIT INSTRUCTION to the calling procedure was performed.
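
The EXIT checks of Figure 17 can be modelled in C to show how altered saved state is caught. This is an added illustration rather than patent code: the names are hypothetical, RETURN_REFUSED stands in for the exception the text leaves unnamed, bit 0 is assumed to be the most significant bit of a register, and the call-bracket bounds are treated as inclusive.

```c
/* Added model of the EXIT checks of Figure 17 (not patent code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    RETURN_OK,
    ILLEGAL_STACK_DATA,  /* exception 1702 */
    INWARD_RETURN,       /* exception 1706 */
    RETURN_REFUSED       /* hypothetical name: the text names no exception
                            for a failed check 1709, 1711 or 1712 */
} exit_result;

/* TAG and ring field of the saved instruction counter content (ICC). */
typedef struct { unsigned tag; unsigned ring; } saved_icc;

/* Segment descriptor fields of SEGr, the caller's segment. */
typedef struct { unsigned wr; unsigned maxr; bool ep; } seg_desc;

/* Ring number held in bits 2-3 of a base register. Assumption: bit 0 is the
 * most significant bit of the 32-bit word, so bits 30-31 are the low bits. */
unsigned br_ring(uint32_t br) { return (unsigned)((br >> 28) & 0x3u); }

/* prn is the ring of the procedure executing the EXIT. On success the ring
 * to return to is stored in *nprn. */
exit_result exit_ring_check(unsigned prn, saved_icc icc, uint32_t br0,
                            const seg_desc *segr, unsigned *nprn)
{
    unsigned n;

    if (icc.tag != 0u)                   /* check 1701: must be direct */
        return ILLEGAL_STACK_DATA;
    n = icc.ring;                        /* step 1703: NPRN from the saved ICC */
    if (br_ring(br0) != n)               /* check 1704: BR0 must agree */
        return ILLEGAL_STACK_DATA;
    if (n < prn)                         /* check 1705 */
        return INWARD_RETURN;
    /* Checks 1709 and 1711, with inclusive bounds (assumption). */
    if (n < segr->wr || n > segr->maxr)
        return RETURN_REFUSED;
    if (!segr->ep)                       /* check 1712 */
        return RETURN_REFUSED;
    *nprn = n;
    return RETURN_OK;
}

/* Constructed scenario: a ring 1 callee returns to a caller whose segment has
 * call bracket 2-3 and EP set. Returns NPRN, or minus the exception code. */
int demo_exit(unsigned icc_tag, unsigned icc_ring, uint32_t br0)
{
    saved_icc icc = { icc_tag, icc_ring };
    seg_desc segr = { 2u, 3u, true };
    unsigned nprn = 0;
    exit_result r = exit_ring_check(1u, icc, br0, &segr, &nprn);
    return r == RETURN_OK ? (int)nprn : -(int)r;
}

int main(void)
{
    /* Constructed register values: ring field in bits 2-3, address below. */
    printf("untouched frame (ring 3)    -> %d\n", demo_exit(0, 3, 0x30001000u));
    printf("ICC ring altered to 0       -> %d\n", demo_exit(0, 0, 0x30001000u));
    printf("ICC and BR0 altered to 0    -> %d\n", demo_exit(0, 0, 0x00001000u));
    printf("ICC and BR0 altered to 1    -> %d\n", demo_exit(0, 1, 0x10001000u));
    return 0;
}
```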

Having shown and described the preferred embodiment of the invention, those skilled in the art will realize that many variations or modifications can be made to produce the described invention and still be within the spirit and scope of the claimed invention.

GLOSSARY OF TERMS

JOB - The job is the major unit of work for the batch user. It is the vehicle for describing, scheduling, and accounting for work he wants done.
JOB STEP - A smaller unit of batch work. It is generally one step in the execution of a job consisting of processing that logically belongs together.
TASK - The smallest unit of user-defined work. No user-visible concurrency of operation is permitted within a task.
PROGRAM - A set of algorithms written by a programmer to furnish the procedural information necessary to do a job or a part of a job.
PROCESS GROUP PLEX - The system's internal representation of a specific execution of a job.
PROCESS GROUP - A related set of processes, usually those necessary for performance of a single job step.
PROCESS - The controlled execution of instructions without concurrency. Its physical representation and control are determined by internal system design or convention.
PROCEDURE - A named software function or algorithm which is executable by a computational processor without concurrency. Its physical representation (code plus associated information, invocation, and use are determined by internal system or designed convention).
LOGICAL PROCESS - The collection of hardware resources and control information necessary for the execution of a process.
ADDRESS SPACE (SEGMENTATION) - The set of logical addresses that the CPU is permitted to transform into absolute addresses during a particular process. Although a processor has the technical ability of addressing every single cell of timing memory, it is desirable to restrict access only to those cells that are used during the process associated with the processor.
LOGICAL ADDRESS - An element of the process address space such as for example segment number SEG and Displace-
BASIC ADDRESS DEVELOPMENT - A hardware procedure which operates on a number of address elements to compute an absolute address which is used to refer to a byte location in core.
PROCESS CONTROL BLOCK - A process control block PCB, is associated with each process and contains pertinent information about its associated process, including the absolute address of tables defining the segment tables the process may access.
J.P. TABLES - A collection of logical addresses for locating a process control block associated with a process.
SEG_PD - The segment which contains the procedure descriptor.
SEG_EP - The segment which contains the entry point, as found in the procedure descriptor.
PRN - The process ring number, found in the instruction counter IC just before the call, or calculated by the ENTER instruction.
EAR - The effective address ring number which is the maximum of:
(a) the process ring number PRN as found in the IC; or,
(b) all ring numbers in the base register and data descriptors (if any) found in the path which leads to the procedure descriptor from the call instruction, including the entry point ring number EPRN located in the procedure descriptor itself.
MAXR - The maximum ring number at which a procedure may execute; MAXR is found in the segment descriptor of SEG_EP.
WR - The minimum ring number at which a procedure may execute; WR is found in the segment descriptor of SEG_EP.
EP - Execution permit bit found in the segment descriptor of SEG_EP.
CMRN - The caller's maximum ring number, as found in the first word of the segment SEG_PD if this segment is identified as a gate segment (i.e. with the code "gate" set).
NPRN - New process ring number.
EPRN - Entry point ring number (found in the process procedure descriptor).

ADDENDUM

Signal Name | Type | Function
(1) WSCIR | Control | Clears register to which it is connected
(2) PDA[?]G | Control | Clock Signal PDA
(3) PDUP[illegible] | Connecting | Pin connected to PDA at one end and resistor at the other
(4) UW0BK | Connecting | Expands input to UW register
(5) [illegible] | Control | Holds information in register to which it is connected
(6) UW1BK | Control | Same as [illegible] but is connected to different input terminal of UW register
(7) UW00000 | | Reset terminal of one flip-flop of register UW
(8) UW00010 | | Set terminal of flip-flop of register UW
(9) UW00100, UW00110 | | Same as 7 & 8 but different flip-flop
(10) UVSPS | Control | Spare Control Input
(11) UVSPD | Data | Spare Data Input
(12) UV0BK | Expander | Same as UW0BK and UW1BK, but it connects different registers and gates
(13) UV00000, [illegible], UV00110 | | Same as UW00000, UW00010, UW00100, UW00110, but applies to flip-flop
(14) [illegible] | Control | Control input for [illegible]
(15) [illegible] | Data | Data input for [illegible]
(16) [illegible] | | Write control flip-flop
(17) UWV1S | Control | Control input for [illegible]
(18) [illegible] | Data | Data input for [illegible]
(19) [illegible] | Control | Hold [illegible] flip-flop
(20) U[?]W1C | Control | Clear [illegible]
(21) U[?]W2C | Control | Clear [illegible]
(22) URN1S, URN2S | Control | Control inputs for URN1F, URN2F
(23) URN1D | Data | Data Input for URN1F
(24) [illegible] | Control | Transfer URN1F to URN2F and URN2F to URN1F
(25) [illegible] | Control | Loading Max([illegible]) to [illegible]
(26) [illegible] | Control | Hold URN1F flip-flop
(27) [illegible] | Control | Clear URN2F
(28) [illegible] | Control | Control inputs for URV1F, URV2F
(29) [illegible] | Data | Data Input for URV1F
(30) URV2F | [illegible] | Read control flop
(31) XNU | | Indicates terminal not used herein
(32) XOO | | Grounded Input

Claims (13)

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. In an internally programmed data processing apparatus having a virtual memory, and being responsive to internally stored instruction words for processing information and having stored in said virtual memory a plurality of different types of groups of information each information group-type associated with an address space bounded by a segment having adjustable bounds, an apparatus for protecting the information in said virtual memory from unauthorized users by restricting accessibility to the information in accordance to levels of privilege, characterized in that it comprises in combination with an access checking mechanism;
(a) first means for storing in said virtual memory at least one segment table comprising a plurality of segment descriptors with each segment descriptor being associated with a predetermined one of said segments and each segment descriptor having a predetermined format containing an access information element and a base address element in predetermined positions of said format, said base address element for locating in said virtual memory the starting location of a selected one of said segments, and said access information element for specifying the minimum level of privilege required for a predetermined type of access that is permitted in a selected one of said segments;
(b) a plurality of second means having a predetermined format, communicating with said first means, for storing in a predetermined portion of said second means, a segment number SEG for identifying a segment table and the location of a segment descriptor within said segment table, said second means also for storing, in a predetermined other portion of said second means, an offset address within the segment identified by said segment descriptor said offset address for locating from said segment base the first byte of a word within said segment;
(c) third means responsive to an address syllable element of an instruction being executed for addressing one of said plurality of second means;
(d) fourth means for storing a displacement D from said address syllable, said displacement D for locating from the first byte of said word within said segment any other byte of said word;
(e) fifth means, communicating with said first, second, third and fourth means, for adding the displacement D and said base address to said offset; and,
(f) sixth means responsive to said access information element in a selected one of said segment descriptors for restricting the accessibility to the segment associated with said selected one of said segment descriptors in accordance to the level of privilege and the type of access specified in said access information element.
2. An apparatus according to claim 1, characterized in that the said information is protected against unauthorized uses by a hierarchy of concentric ring levels wherein each group type of information is associated with a predetermined ring number indicative of a level of privilege, said level of privilege decreasing as the associated ring number increases comprising means for determining the maximum effective address ring number EAR (i.e. minimum level of privilege) of a selected process to access a selected group of information, said means comprising:
(a) first means for storing first information indicating the maximum ring number RD (i.e. minimum level of privilege) required to read information from said selected group;
(b) second means for storing second information indicating the maximum ring number WR (i.e. minimum level of privilege) required to write information into said selected group;
(c) third means for storing third information indicating the maximum ring number MAXR (i.e. minimum level of privilege) required to process information from said selected group; and,
(d) fourth means communicating with said first, second and third means, for determining the maximum of the contents of said first, second and third means, whereby the effective address ring number EAR is generated.
3. An apparatus according to claim 2, characterized in that said second means of means for determining the maximum effective address ring number EAR additionally indicates the minimum ring number WR (i.e. maximum level of privilege) required to process information from said selected group.
4. An apparatus according to claim 2, characterized in that said fourth means of means for determining the maximum effective address ring number EAR comprises a comparator for comparing binary numbers.
5. An apparatus according to claim 2, characterized in that said means for determining the maximum effective address ring number EAR comprise fifth means, communicating with said last-mentioned second means, for comparing the effective address ring number EAR with the write ring number WR, and further including sixth means communicating with said last-mentioned fifth means for generating a write-violation-exception signal when EAR is greater than WR.
6. An apparatus according to claim 2, characterized in that said means for determining the maximum effective address ring number EAR comprise seventh means, communicating with said last-mentioned second and third means, for comparing the maximum ring number MAXR and the write ring number WR with the effective-address-ring number EAR, and further including eighth means communicating with said seventh means for generating an execute-violation-exception signal when the MAXR is not equal or greater than EAR which in turn is not equal or greater than WR.
7. An apparatus according to claim 2, characterized in that said means for determining the maximum effective address ring number EAR comprise ninth means, communicating with said last-mentioned first means, for comparing the effective address ring number EAR with the read ring number RD, and further including tenth means, communicating with said ninth means, for generating a read-violation-exception signal when EAR is greater than RD.
8. An apparatus according to claim 7, characterized in that said means for determining the maximum effective address ring number EAR comprise eleventh means for storing a process ring number PRN of a currently executing process; and also including twelfth means for communicating with said eleventh means, and further including thirteenth means communicating with said twelfth means for overriding said read-violation-exception signal when the effective address ring number EAR is equal to the process ring number PRN of the currently executing process.
9. An apparatus according to claim 1, characterized in that the access checking mechanism supervises transfer of control of said data processing apparatus from a first selected procedure (i.e. caller) having a first ring number indicative of a minimum level of privilege associated with said caller, to a second selected procedure (i.e. the callee) having a second ring number associated with said callee indicative of a minimum level of privilege comprising:
(a) first means for checking the caller's right to call the callee;
(b) second means, communicating with said first means, for comparing the caller's ring number to the callee's ring number;
(c) third means responsive to said second means for permitting a transfer of control of said data processing apparatus from said caller to said callee when the ring number of the caller is greater than the ring number of the callee (i.e. inward call); and,
(d) fourth means also responsive to said second means for denying a transfer of control of said data processing apparatus from said caller to said callee when the ring number of said caller is less than the ring number of the callee (i.e. outward call).
10. An apparatus according to claim 9, characterized in that the access checking mechanism includes a plurality of ring stack-segment means each of said ring stack-segment means having associated with it a ring stack-segment number indicative of the minimum level of privilege required by a selected one of said ring stack segments.
11. An apparatus according to claim 10, characterized in that there are four ring stack-segment means having ring numbers 0 to 3 respectively.
12. An apparatus according to claim 10, characterized in that the access checking mechanism includes stack-frame-element means associated with selected ones of said procedures, said stack-frame-element means being grouped within said ring stack-segment means in accordance with the ring number of the associated procedure of said stack-frame-element means, said stack-frame element means for saving information of said caller prior to passing control to said callee.
13. An apparatus according to claim 9, characterized in that the access checking mechanism includes fifth means, responsive to said last-mentioned first, second, third and fourth means, for communicating between a selected one of said stack-frame means in a first ring stack-segment being associated with one ring number, and a selected other of said stack-frame means in a second ring stack-segment associated with another ring number.
CA214,997A 1973-11-30 1974-11-29 Protection of information in a multiprogram multiprocessor computer system Expired CA1055615A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FR7342706A FR2258112A5 (en) 1973-11-30 1973-11-30

Publications (1)

Publication Number Publication Date
CA1055615A true CA1055615A (en) 1979-05-29

Family

ID=9128514

Family Applications (1)

Application Number Title Priority Date Filing Date
CA214,997A Expired CA1055615A (en) 1973-11-30 1974-11-29 Protection of information in a multiprogram multiprocessor computer system

Country Status (9)

Country Link
US (1) US4177510A (en)
JP (1) JPS618459B2 (en)
BR (1) BR7410047A (en)
CA (1) CA1055615A (en)
DE (1) DE2456602C2 (en)
FR (1) FR2258112A5 (en)
GB (1) GB1483282A (en)
IT (1) IT1026694B (en)
NL (1) NL7415569A (en)

Families Citing this family (147)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4228496A (en) * 1976-09-07 1980-10-14 Tandem Computers Incorporated Multiprocessor system
US4471429A (en) * 1979-12-14 1984-09-11 Honeywell Information Systems, Inc. Apparatus for cache clearing
US4319323A (en) * 1980-04-04 1982-03-09 Digital Equipment Corporation Communications device for data processing system
US4386399A (en) * 1980-04-25 1983-05-31 Data General Corporation Data processing system
US4409655A (en) * 1980-04-25 1983-10-11 Data General Corporation Hierarchial memory ring protection system using comparisons of requested and previously accessed addresses
EP0150522B1 (en) * 1980-04-25 1989-08-30 Data General Corporation Data processing system with hierarchical memory protection
US4366537A (en) * 1980-05-23 1982-12-28 International Business Machines Corp. Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys
US4500952A (en) * 1980-05-23 1985-02-19 International Business Machines Corporation Mechanism for control of address translation by a program using a plurality of translation tables
US4445170A (en) * 1981-03-19 1984-04-24 Zilog, Inc. Computer segmented memory management technique wherein two expandable memory portions are contained within a single segment
US4514800A (en) * 1981-05-22 1985-04-30 Data General Corporation Digital computer system including apparatus for resolving names representing data items and capable of executing instructions belonging to general instruction sets
US4525780A (en) * 1981-05-22 1985-06-25 Data General Corporation Data processing system having a memory using object-based information and a protection scheme for determining access rights to such information
US4481570A (en) * 1981-08-07 1984-11-06 The United States Of America As Represented By The Administrator Of The National Aeronautics And Space Administration Automatic multi-banking of memory for microprocessors
US4450522A (en) * 1981-09-11 1984-05-22 Data General Corporation Apparatus for deriving addresses of data using displacements from base addresses which change only on call and return
US4503492A (en) * 1981-09-11 1985-03-05 Data General Corp. Apparatus and methods for deriving addresses of data using painters whose values remain unchanged during an execution of a procedure
US4866604A (en) * 1981-10-01 1989-09-12 Stratus Computer, Inc. Digital data processing apparatus with pipelined memory cycles
EP0077153B1 (en) * 1981-10-01 1987-03-04 Stratus Computer, Inc. Digital data processor with fault-tolerant bus protocol
US4597084A (en) * 1981-10-01 1986-06-24 Stratus Computer, Inc. Computer memory apparatus
US4453215A (en) * 1981-10-01 1984-06-05 Stratus Computer, Inc. Central processing apparatus for fault-tolerant computing
JPS6145272B2 (en) * 1981-12-04 1986-10-07 Burroughs Corp
US4803655A (en) * 1981-12-04 1989-02-07 Unisys Corp. Data processing system employing a plurality of rapidly switchable pages for providing data transfer between modules
US4519032A (en) * 1982-06-09 1985-05-21 At&T Bell Laboratories Memory management arrangement for microprocessor systems
JPS58225432A (en) * 1982-06-24 1983-12-27 Toshiba Corp Request buffer device
US4590552A (en) * 1982-06-30 1986-05-20 Texas Instruments Incorporated Security bit for designating the security status of information stored in a nonvolatile memory
JPS5960652A (en) * 1982-09-30 1984-04-06 Fujitsu Ltd Data processing device
US4581702A (en) * 1983-01-10 1986-04-08 International Business Machines Corporation Critical system protection
US4573119A (en) * 1983-07-11 1986-02-25 Westheimer Thomas O Computer software protection system
US4587610A (en) * 1984-02-10 1986-05-06 Prime Computer, Inc. Address translation systems for high speed computer memories
US4621321A (en) * 1984-02-16 1986-11-04 Honeywell Inc. Secure data processing system architecture
CA1235821A (en) * 1984-06-28 1988-04-26 John Zolnowsky Data processor having module access control
DE3440796C2 (en) * 1984-11-08 1986-10-16 Schröter, Klaus, 1000 Berlin Communication system
US4787031A (en) * 1985-01-04 1988-11-22 Digital Equipment Corporation Computer with virtual machine mode and multiple protection rings
US4972338A (en) * 1985-06-13 1990-11-20 Intel Corporation Memory management for microprocessor system
CA1244555A (en) * 1985-06-17 1988-11-08 Walter H. Schwane Process transparent multi storage mode data transfer and buffer control
US4866599A (en) * 1985-06-27 1989-09-12 Bull Hn Information Systems Inc. Call instruction, return instruction and trap procedure for ring crossing architecture
US4703417A (en) * 1985-06-27 1987-10-27 Honeywell Information Systems Inc. Call instruction for ring crossing architecture
JPH0782458B2 (en) * 1985-09-06 1995-09-06 株式会社日立製作所 Data processing device
US4757533A (en) * 1985-09-11 1988-07-12 Computer Security Corporation Security system for microcomputers
US4809160A (en) 1985-10-28 1989-02-28 Hewlett-Packard Company Privilege level checking instruction for implementing a secure hierarchical computer system
US4797853A (en) * 1985-11-15 1989-01-10 Unisys Corporation Direct memory access controller for improved system security, memory to memory transfers, and interrupt processing
US4794515A (en) * 1986-01-17 1988-12-27 International Business Machines Corporation Protection of data in a multiprogramming data processing system
US5233700A (en) * 1987-03-03 1993-08-03 Nec Corporation Address translation device with an address translation buffer loaded with presence bits
US4961137A (en) * 1987-04-17 1990-10-02 U.S. Philips Corporation Method for operating a multiprocessor system for therein establishing a global binary assertion and a multiprocessor apparatus comprising synchronization means for such establishing, in particular for effecting a garbage collection operation
US5140684A (en) * 1987-09-30 1992-08-18 Mitsubishi Denki Kabushiki Kaisha Access privilege-checking apparatus and method
US4937736A (en) * 1987-11-30 1990-06-26 International Business Machines Corporation Memory controller for protected memory with automatic access granting capability
US4975878A (en) * 1988-01-28 1990-12-04 National Semiconductor Programmable memory data protection scheme
US5197141A (en) * 1988-01-30 1993-03-23 Nec Corporation Software controlled method of issuing hardware control commands to memory controller from prefetch unit by combining request code and address specified in program instructions
US5129087A (en) * 1988-02-03 1992-07-07 International Business Machines, Corp. Computer system and a method of monitoring transient data structures in a computer system
US4943913A (en) * 1988-02-10 1990-07-24 International Business Machines Corporation Operating system accessing control blocks by using home address space segment table to control instruction and operand fetch and store operations
US5434999A (en) * 1988-11-09 1995-07-18 Bull Cp8 Safeguarded remote loading of service programs by authorizing loading in protected memory zones in a terminal
US5051894A (en) * 1989-01-05 1991-09-24 Bull Hn Information Systems Inc. Apparatus and method for address translation of non-aligned double word virtual addresses
US5117491A (en) * 1989-03-31 1992-05-26 Bull Hn Information Systems Inc. Ring reduction logic using parallel determination of ring numbers in a plurality of functional units and forced ring numbers by instruction decoding
FR2652926B1 (en) * 1989-10-06 1994-07-08 Bull Sa METHOD FOR OPERATING THE MEMORY IN A VIRTUAL ADDRESSING COMPUTER SYSTEM AND DEVICE FOR CARRYING OUT SAID METHOD.
US5469556A (en) * 1989-12-12 1995-11-21 Harris Corporation Resource access security system for controlling access to resources of a data processing system
JP2536651B2 (en) * 1990-02-21 1996-09-18 日本電気株式会社 Exception address buffer management method
US5574912A (en) * 1990-05-04 1996-11-12 Digital Equipment Corporation Lattice scheduler method for reducing the impact of covert-channel countermeasures
GB9010603D0 (en) * 1990-05-11 1990-07-04 Int Computers Ltd Access control in a distributed computer system
US5596751A (en) * 1990-06-05 1997-01-21 Siemens Aktiengesellschaft Method for processing a user program on a parallel computer system
DE4018012A1 (en) * 1990-06-05 1991-12-12 Siemens Ag METHOD FOR PROCESSING A USER PROGRAM ON A PARALLEL COMPUTER SYSTEM
US5596718A (en) * 1992-07-10 1997-01-21 Secure Computing Corporation Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices without utilizing workstation processor
US5596739A (en) * 1994-02-08 1997-01-21 Meridian Semiconductor, Inc. Method and apparatus for detecting memory segment violations in a microprocessor-based system
US5864683A (en) 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
US6963859B2 (en) 1994-11-23 2005-11-08 Contentguard Holdings, Inc. Content rendering repository
JPH08263438A (en) 1994-11-23 1996-10-11 Xerox Corp Distribution and use control system of digital work and access control method to digital work
US7613659B1 (en) * 1994-11-28 2009-11-03 Yt Acquisition Corporation System and method for processing tokenless biometric electronic transmissions using an electronic rule module clearinghouse
US7882032B1 (en) 1994-11-28 2011-02-01 Open Invention Network, Llc System and method for tokenless biometric authorization of electronic communications
US5784615A (en) * 1994-12-13 1998-07-21 Microsoft Corporation Computer system messaging architecture
US5933632A (en) * 1995-12-21 1999-08-03 Intel Corporation Ring transitions for data chunks
US5918018A (en) 1996-02-09 1999-06-29 Secure Computing Corporation System and method for achieving network separation
US5913024A (en) * 1996-02-09 1999-06-15 Secure Computing Corporation Secure server utilizing separate protocol stacks
US5867647A (en) * 1996-02-09 1999-02-02 Secure Computing Corporation System and method for securing compiled program code
US6003084A (en) * 1996-09-13 1999-12-14 Secure Computing Corporation Secure network proxy for connecting entities
US6144934A (en) * 1996-09-18 2000-11-07 Secure Computing Corporation Binary filter using pattern recognition
US5950195A (en) * 1996-09-18 1999-09-07 Secure Computing Corporation Generalized security policy management system and method
US6072942A (en) * 1996-09-18 2000-06-06 Secure Computing Corporation System and method of electronic mail filtering using interconnected nodes
US5983350A (en) * 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
US5797016A (en) * 1996-10-29 1998-08-18 Cheyenne Software Inc. Regeneration agent for back-up software
US5915087A (en) * 1996-12-12 1999-06-22 Secure Computing Corporation Transparent security proxy for unreliable message exchange protocols
US5968133A (en) * 1997-01-10 1999-10-19 Secure Computing Corporation Enhanced security network time synchronization device and method
US6105132A (en) * 1997-02-20 2000-08-15 Novell, Inc. Computer network graded authentication system and method
US6233684B1 (en) 1997-02-28 2001-05-15 Contentguard Holdings, Inc. System for controlling the distribution and use of rendered digital works through watermarking
US6357010B1 (en) 1998-02-17 2002-03-12 Secure Computing Corporation System and method for controlling access to documents stored on an internal network
US6321336B1 (en) 1998-03-13 2001-11-20 Secure Computing Corporation System and method for redirecting network traffic to provide secure communication
US6453419B1 (en) 1998-03-18 2002-09-17 Secure Computing Corporation System and method for implementing a security policy
US6182226B1 (en) 1998-03-18 2001-01-30 Secure Computing Corporation System and method for controlling interactions between networks
US6976258B1 (en) 1999-11-30 2005-12-13 Ensim Corporation Providing quality of service guarantees to virtual hosts
US6591361B1 (en) 1999-12-28 2003-07-08 International Business Machines Corporation Method and apparatus for converting data into different ordinal types
US6711607B1 (en) 2000-02-04 2004-03-23 Ensim Corporation Dynamic scheduling of task streams in a multiple-resource system to ensure task stream quality of service
US6529985B1 (en) 2000-02-04 2003-03-04 Ensim Corporation Selective interception of system calls
US6560613B1 (en) 2000-02-08 2003-05-06 Ensim Corporation Disambiguating file descriptors
US6754716B1 (en) 2000-02-11 2004-06-22 Ensim Corporation Restricting communication between network devices on a common network
US7343421B1 (en) 2000-02-14 2008-03-11 Digital Asset Enterprises Llc Restricting communication of selected processes to a set of specific network addresses
US6748592B1 (en) 2000-02-14 2004-06-08 Xoucin, Inc. Method and apparatus for protectively operating a data/information processing device
US6948003B1 (en) 2000-03-15 2005-09-20 Ensim Corporation Enabling a service provider to provide intranet services
US7216345B1 (en) * 2000-04-07 2007-05-08 Hall Aluminum Llc Method and apparatus for protectively operating a data/information processing device
US6859862B1 (en) 2000-04-07 2005-02-22 Nintendo Co., Ltd. Method and apparatus for software management of on-chip cache
US6985937B1 (en) 2000-05-11 2006-01-10 Ensim Corporation Dynamically modifying the resources of a virtual server
US6907421B1 (en) 2000-05-16 2005-06-14 Ensim Corporation Regulating file access rates according to file type
US20030159070A1 (en) * 2001-05-28 2003-08-21 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US9213836B2 (en) 2000-05-28 2015-12-15 Barhon Mayer, Batya System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
US20040073617A1 (en) 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US6986052B1 (en) 2000-06-30 2006-01-10 Intel Corporation Method and apparatus for secure execution using a secure memory partition
US7143024B1 (en) 2000-07-07 2006-11-28 Ensim Corporation Associating identifiers with virtual processes
US6909691B1 (en) 2000-08-07 2005-06-21 Ensim Corporation Fairly partitioning resources while limiting the maximum fair share
US7269735B2 (en) 2000-08-28 2007-09-11 Contentguard Holdings, Inc. Instance specific digital watermarks
US7743259B2 (en) 2000-08-28 2010-06-22 Contentguard Holdings, Inc. System and method for digital rights management using a standard rendering engine
US6732211B1 (en) 2000-09-18 2004-05-04 Ensim Corporation Intercepting I/O multiplexing operations involving cross-domain file descriptor sets
US7343324B2 (en) 2000-11-03 2008-03-11 Contentguard Holdings Inc. Method, system, and computer readable medium for automatically publishing content
US7219354B1 (en) 2000-12-22 2007-05-15 Ensim Corporation Virtualizing super-user privileges for multiple virtual processes
US6912294B2 (en) 2000-12-29 2005-06-28 Contentguard Holdings, Inc. Multi-stage watermarking process and system
US7028009B2 (en) 2001-01-17 2006-04-11 Contentguard Holdings, Inc. Method and apparatus for distributing enforceable property rights
US8069116B2 (en) 2001-01-17 2011-11-29 Contentguard Holdings, Inc. System and method for supplying and managing usage rights associated with an item repository
US7774279B2 (en) 2001-05-31 2010-08-10 Contentguard Holdings, Inc. Rights offering and granting
US6618736B1 (en) 2001-03-09 2003-09-09 Ensim Corporation Template-based creation and archival of file systems
US8099364B2 (en) 2001-05-31 2012-01-17 Contentguard Holdings, Inc. Digital rights management of content when content is a future live event
US6895503B2 (en) 2001-05-31 2005-05-17 Contentguard Holdings, Inc. Method and apparatus for hierarchical assignment of rights to documents and documents having such rights
US8275709B2 (en) 2001-05-31 2012-09-25 Contentguard Holdings, Inc. Digital rights management of content when content is a future live event
US6876984B2 (en) 2001-05-31 2005-04-05 Contentguard Holdings, Inc. Method and apparatus for establishing usage rights for digital content to be created in the future
US8001053B2 (en) 2001-05-31 2011-08-16 Contentguard Holdings, Inc. System and method for rights offering and granting using shared state variables
US7725401B2 (en) 2001-05-31 2010-05-25 Contentguard Holdings, Inc. Method and apparatus for establishing usage rights for digital content to be created in the future
US8275716B2 (en) 2001-05-31 2012-09-25 Contentguard Holdings, Inc. Method and system for subscription digital rights management
US7774280B2 (en) 2001-06-07 2010-08-10 Contentguard Holdings, Inc. System and method for managing transfer of rights using shared state variables
CN1539117A (en) 2001-06-07 2004-10-20 康坦夹德控股股份有限公司 Method and apparatus for supporting multiple trust zones in digital rights management system
US6718421B1 (en) * 2001-06-19 2004-04-06 Webtv Networks, Inc. Interconnect bus
US8261095B1 (en) 2001-11-01 2012-09-04 Google Inc. Methods and systems for using derived user accounts
US7974923B2 (en) 2001-11-20 2011-07-05 Contentguard Holdings, Inc. Extensible rights expression processing system
US7840488B2 (en) 2001-11-20 2010-11-23 Contentguard Holdings, Inc. System and method for granting access to an item or permission to use an item based on configurable conditions
WO2003044716A2 (en) 2001-11-20 2003-05-30 Contentguard Holdings, Inc. An extensible rights expression processing system
US7805371B2 (en) 2002-03-14 2010-09-28 Contentguard Holdings, Inc. Rights expression profile system and method
AU2003225804A1 (en) 2002-03-14 2003-09-29 Contentguard Holdings, Inc. System and method for expressing usage rights using modulated signals
CN1666207A (en) 2002-04-29 2005-09-07 康坦夹德控股股份有限公司 Rights management system using legality expression language
US7685642B2 (en) 2003-06-26 2010-03-23 Contentguard Holdings, Inc. System and method for controlling rights expressions by stakeholders of an item
US7398390B2 (en) * 2003-08-08 2008-07-08 Hewlett-Packard Development Company, L.P. Method and system for securing a computer system
EP1538507A1 (en) * 2003-12-02 2005-06-08 Axalto S.A. Flash memory access method and system
US7475431B2 (en) * 2004-06-10 2009-01-06 International Business Machines Corporation Using security levels to improve permission checking performance and manageability
US20050278790A1 (en) * 2004-06-10 2005-12-15 International Business Machines Corporation System and method for using security levels to simplify security policy management
WO2006042155A2 (en) * 2004-10-08 2006-04-20 E-Klone, Inc. Floating vector scrambling methods and apparatus
US8660961B2 (en) 2004-11-18 2014-02-25 Contentguard Holdings, Inc. Method, system, and device for license-centric content consumption
US7720767B2 (en) 2005-10-24 2010-05-18 Contentguard Holdings, Inc. Method and system to support dynamic rights and resources sharing
US7949841B2 (en) * 2006-12-08 2011-05-24 Microsoft Corporation Protection of critical memory using replication
US8112597B2 (en) * 2006-12-08 2012-02-07 Microsoft Corporation Critical memory
US9596250B2 (en) 2009-04-22 2017-03-14 Trusted Knight Corporation System and method for protecting against point of sale malware using memory scraping
WO2011065354A1 (en) * 2009-11-26 2011-06-03 日本電気株式会社 Bus monitor circuit and bus monitor method
US8793429B1 (en) * 2011-06-03 2014-07-29 Western Digital Technologies, Inc. Solid-state drive with reduced power up time
US10324796B2 (en) * 2016-08-11 2019-06-18 International Business Machines Corporation Stack detail recovery
US11171983B2 (en) * 2018-06-29 2021-11-09 Intel Corporation Techniques to provide function-level isolation with capability-based security
US11507554B2 (en) * 2019-12-26 2022-11-22 Yahoo Assets Llc Tree-like metadata structure for composite datasets
CN113891072B (en) * 2021-12-08 2022-02-11 北京拙河科技有限公司 Video monitoring and anomaly analysis system and method based on hundred million-level pixel data

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3264615A (en) * 1962-12-11 1966-08-02 Ibm Memory protection system
US3340539A (en) * 1964-10-27 1967-09-05 Anelex Corp Stored data protection system
US3377624A (en) * 1966-01-07 1968-04-09 Ibm Memory protection system
US3504349A (en) * 1967-09-27 1970-03-31 Ibm Address examination mechanism for use in a system operating with dynamic storage relocation
US3593300A (en) * 1967-11-13 1971-07-13 Ibm Arrangement for automatically selecting units for task executions in data processing systems
US3562717A (en) * 1968-02-23 1971-02-09 Gen Electric System protection apparatus
NL6806735A (en) * 1968-05-11 1969-11-13
US3528062A (en) * 1968-07-05 1970-09-08 Ibm Program interlock arrangement,including task suspension and new task assignment
US3573855A (en) * 1968-12-31 1971-04-06 Texas Instruments Inc Computer memory protection
US3675209A (en) * 1970-02-06 1972-07-04 Burroughs Corp Autonomous multiple-path input/output control system
US3614740A (en) * 1970-03-23 1971-10-19 Digital Equipment Corp Data processing system with circuits for transferring between operating routines, interruption routines and subroutines
GB1329721A (en) * 1970-05-26 1973-09-12 Plessey Co Ltd Data processing devices
JPS4930578B1 (en) * 1970-09-30 1974-08-14
US3727192A (en) * 1971-04-30 1973-04-10 North Electric Co A central processing system having preloader and data handling units external to the processor control unit
US3693165A (en) * 1971-06-29 1972-09-19 Ibm Parallel addressing of a storage hierarchy in a data processing system using virtual addressing
JPS5140772B2 (en) * 1971-07-26 1976-11-05
GB1410631A (en) * 1972-01-26 1975-10-22 Plessey Co Ltd Data processing system interrupt arrangements
US3858182A (en) * 1972-10-10 1974-12-31 Digital Equipment Corp Computer program protection means
US3893084A (en) * 1973-05-01 1975-07-01 Digital Equipment Corp Memory access control system
IT986411B (en) * 1973-06-05 1975-01-30 Olivetti E C Spa SYSTEM TO TRANSFER THE CONTROL OF PROCESSING FROM A FIRST PRIORITY LEVEL TO A SECOND PRIORITY LEVEL
US4017840A (en) * 1973-06-15 1977-04-12 Gte Automatic Electric Laboratories Incorporated Method and apparatus for protecting memory storage location accesses
FR2253430A5 (en) * 1973-11-30 1975-06-27 Honeywell Bull Soc Ind
US3916385A (en) * 1973-12-12 1975-10-28 Honeywell Inf Systems Ring checking hardware

Also Published As

Publication number Publication date
NL7415569A (en) 1975-06-03
GB1483282A (en) 1977-08-17
JPS50114934A (en) 1975-09-09
DE2456602C2 (en) 1985-11-14
JPS618459B2 (en) 1986-03-14
US4177510A (en) 1979-12-04
IT1026694B (en) 1978-10-20
BR7410047A (en) 1976-05-25
AU7584074A (en) 1976-06-03
DE2456602A1 (en) 1975-06-19
FR2258112A5 (en) 1975-08-08

Similar Documents

Publication Publication Date Title
CA1055615A (en) Protection of information in a multiprogram multiprocessor computer system
US3916385A (en) Ring checking hardware
US3631405A (en) Sharing of microprograms between processors
US4488227A (en) Program counter stacking method and apparatus for nested subroutines and interrupts
US4084235A (en) Emulation apparatus
US3970999A (en) Memory expansion apparatus
US5247639A (en) Microprocessor having cache bypass signal terminal
US4809160A (en) Privilege level checking instruction for implementing a secure hierarchical computer system
EP0198214B1 (en) Branch control in a three phase pipelined signal processor
US3893084A (en) Memory access control system
US3328768A (en) Storage protection systems
EP0058844A2 (en) Address generator for multiple virtual address spaces
EP0248436B1 (en) Method of and apparatus for processing data
CN101488097A (en) Methods and systems to manage machine state in virtual machine operations
GB1495514A (en) Procedure calls and stack mechanism
GB1579064A (en) Random access memory module
US4539635A (en) Pipelined digital processor arranged for conditional operation
CA1078069A (en) Translator lookahead controls
EP0349124B1 (en) Operand specifier processing
CN113468079A (en) Memory access method and device
US4639865A (en) Computer system having conversion of operation codes
US4924425A (en) Method for immediately writing an operand to a selected word location within a block of a buffer memory
IT8224400A1 (en) CONTROL MEMORY ORGANIZATION
US4455604A (en) Digital data processing system having addressing means for translating operands into descriptors identifying data, plural multilevel microcode control means, and ability to execute a plurality of internal language dialects
CA1155231A (en) Pipelined digital processor arranged for conditional operation