johnl@ima.ima.isc.com (John R. Levine) (10/06/88)
In article <16017@ames.arc.nasa.gov> lamaster@ames.arc.nasa.gov.UUCP (Hugh LaMaster) writes: >May I assume that the [Multics] mechanism permitted unrestricted branching >WITHIN a particular code segment, and only restricted accesses OUTSIDE of the >current segment via a protected CALL/ENTER? > >This mechanism would seem to be a very low overhead means of providing >"top half of the kernel" type services to a process, since it provides >a protection mechanism which doesn't require a context switch. It also >extends nicely to a multiprocessor environment: anything which doesn't >require single threaded access could be in the protected system segments. >So, how come everybody doesn't do it? It's pretty common on machines with segmented addressing. Even the justly reviled Intel 286 has "call gates" which are funny segments that exist only to be entry points to protected segments. The gate segment's descriptor points to the actual address of the routine to call and has some other odds and ends like the number of argument words to copy from the caller's stack to the callee's stack. (Different modes have different stacks, otherwise you could compromise the system by setting the stack pointer to something bad and calling the system.) It is true that a call through a call gate takes 82 clocks as opposed to 26 clocks for a normal inter-segment call, but I suspect that for a system call that's not too bad. This sort of scheme only makes sense on a machine with segmented addresses, but on the small set of segmented machines I know (HP3000, B5500 et suc.) it is the standard method of making inter-mode transitions. -- John R. Levine, IECC, PO Box 349, Cambridge MA 02238-0349, +1 617 492 3869 { bbn | think | decvax | harvard | yale }!ima!johnl, Levine@YALE.something Rome fell, Babylon fell, Scarsdale will have its turn. -G. B. Shaw
cjh@hpausla.HP.COM (Clifford Heath) (10/20/88)
> Things at least vaguely along those lines have been done. There is one > major problem that has to be solved: how do you prevent a user from > branching to some well-chosen place in the *middle* of a privileged The HP 9000 series 500 is a fully symmetric multi-CPU (1-5) stack-based machine. Each segment has associated privelege levels and a jump table, which you use simply by saying 'call entry point N of segment M'. The kernel itself is simply a bunch of code and data segments, (about 30-40 I think), and the inter-segment call is very fast. The compilers normally create programs consisting of one segment per source file, however the linker can merge segments up to an approximate size, which is worthwhile since you only have 2048 segment numbers available systemwide. Quite a nice architecture, the 500, pity the machine is obsolete.