Implementation of process management for a secure archival storage system. by Strickler, Anthony R.
Calhoun: The NPS Institutional Archive
Theses and Dissertations Thesis Collection
1981
Implementation of process management for a secure
archival storage system.
Strickler, Anthony R.









IMPLEMENTATION OF PROCESS MANAGEMENT




Thesis Advisor: R. R. Schell




SECURITY CLASSIFICATION OF THIS PAGE (Wham Omtm En I •<•<*;,
REPORT DOCUMENTATION PAGE
I MPOMT NUMBTr 2. OOVT ACCESSION NO
4. TITLE (mnd Su»»/f/«)
Implementation of process management
for a secure archival storage system
7. AUTHOR'•>
Anthony Ross S trickier
READ INSTRUCTIONS
BEFORE COMPLETING FORM
1. WCIHEMT'S CATALOG NUMBER
S. TYPE OF REPORT * PERIOO COVERED
Master's Thesis "
March 19 81
S. PERFORMING ORG. REPORT NUMBER
S. CONTRACT OR GRANT NUMBER'*;
I PERFORMING ORGANIZATION NAME ANO AOORESS
Naval Postgreduate School
Monterey, California 9 3940
t0. PROGRAM ELEMENT, PROJECT, TASKAREA * WORK UNIT NUMBERS
I I. CONTROLLING OFFICE NAME ANO AOORESS
Naval Postgraduate School
Monterey, California 9 3940
12. REPORT DATE
March 19 81
13- NUMBER OF PAGES
22^




l«. DISTRIBUTION STATEMENT (of tftia Hmport)
Approved for public release; distribution unlimited
• 7. DISTRIBUTION STATEMENT (ol (Aa •••tract mntorod In Block 20, II dlllmrmnt horn Rmpott)
IS. SUPPLEMENTARY NOTES
IS. KEY WOROS (Contttntm on toworoo aiato II noommomrr awa! tmonttrf *r Mae* nummmr)
Computer security, Process Management, Distributed operating
systems, Traffic Controller process scheduling, event counts and
sequencers
20. ABSTRACT (Contimtm an rovormm olmTm II nmcmmmmrr on* loomtttr or ftJae* nummmr)
This thesis presents an implementation of process management for
a security kernel based secure archival storage system (SASS)
.
The implementation is based on a family of secure, distributed,
multi-microprocessor operating systems designed to provide
multilevel internal securitv and rnnfmiipri ehar^rt «* ^=.^--
author:
a two
processors. Inter-process commnni rat-inn mechanisms for
dd ,;FORMAN 73 1473 EDITION OF I NOV SI IS OBSOLETE
S/N 0103-014- 6601 |
Unclassified




synchronization, mutual exclusion, and message passing among
processes are provided by utilization of eventcount and sequencer
primitives. The implementation structure is based upon levels of
abstraction and is loop free to permit future expansion to more
complex members to the design family. Implementation was
completed on the ADVANCED MICRO COMPUTERS Am 96/4116 AmZ8002
16 Bit MonoBoard Computer.
DD Form 1473 Unclassified
if*— ©•«• *«••***»

Approved for puoiic release; distribution unlimited
Implementation of Process vana,?emen t
for a
Secure Archival Storage System
cy
Antnony R. Stricter
Captain, United vVStates Army
B.S., United States Military Academy, 197;
Suomitted in partial fulfillment of the
requirements for tne decree of






This thesis presents an implementation of process
manage me nt tor a security Kernel based secure archival
storage system (SASS). Tie implement ion is based en a family
of secure, distributed, multi-microprocessor operating
systems designed to provide multilevel internal security and
controlled snaring of data among authorized users. Frocess
scheduling is effected by one naif of a two level Traffic
Controller tnat binds processes to virtuaiized processors.
Inter-process communication mecnanisms for synenronization,
mutual exclusion, and message passing among processes are
provided by utilization of eventoount and sequencer
primitives. The implementation structure is rased upon
levels of abstraction and is Loop free to permit future
expansion to more complex members of tne design family.
Implementation was completed en the ADVANCED MICRO C0KFUTE7.S





I NTRODUCT ION le
A. BACKGROUND 11
B. BASIC CONCEPTS /DEFINITIONS 12
1. Process 13




4. Frotection Domains 22
5. Abstraction 2?
C. THESIS STRUCTURE 24
II. SECURE ARCHIVAL STORAGE SYSTEM DESIGN 26
A. BASIC SASS OVERVIEW ?.b
E. SUPERV IS OR 29
1. File Manager Process 31
2. Input/Output Process 32
C. GATS KEEPER 33
D. DISTRIBUTED KERNEL ,5?
1. Segment Manager 36
2. Event Manager ic
3. Non-Discretionary Security Module 3 s-
4. Traffic Controller 39
5. Inner Traffic Controller 43
6. Distrinuted ""emery Manager 4?

E. NON -DISTRIBUTED KERNEL 4£
1. Memory Manager Process - a
F
.
S TS TEM HA RDWA PS 5
£
G
. SUMMARY K c
III. IMPLEMENTATION ISSUES 56
A. DATABASE INITIALIZATION 56
1. Inner Traffic Controller In i t ial iza: ic n . . .57
2. Traffic Controller Initialization bZ
3. Additional Initialization Requirements . . . .63
S. PREEMPT INTERRUPTS 64
1. Physical Preempt Handler o4
2. Virtual Preempt Handler 66
C. IDLE PROCESSES 71
D. ADDITIONAL KERNEL REFINEMENTS 72
E. SUMMARY 74
IV. PFCCESS MANAGEMENT IMPLEMENTATION 7*
A. EVENT MANAGE?. MODULE 78
1. Support Procedures 7S
2. Read 61
3. Ticket 61
4 . Await 82
5 . Advance b 2
?. TRAFFIC CONTROLLER MODULE 83
1. TCJJETWORK 84-
2. TC_AWAIT r;




5. Remaining Procedures 91
C. DISTRIBUTEE MEMORT MANAGED MODULE 92
1 . MM^eac^Event count 92
2. MM_Advance 33
3. MMJFicicet 34
4. MM_A1 locate 94
L . GATE KEEPER MODULES 96
1. Cser_C-ate Module 37
2. £ernel_Gate_Keeper Module 3 C
s. summary iei
V. CONCLUSION 122
A . FOL LOW ON WORE 102
APPENDIX A—EVENT MANAGER LISTINGS 104
APPENDIX B—TRAFFIC CONTROLLER LISTINGS 115
APPENDIX C—DISTRIBUTED MEMORY MANAGER LISTINGS 146
APPENDIX D—GATE KEEPER LISTINGS 16S
APPENDIX E—BOOTSTRAP LOADER LISTINGS 1"?
APPENDIX F—LIBRARY FUNCTION LISTINGS VI
2
APPENDIX G—INNER TRAFFIC CONTROLLER LISTINGS 135
LIST OF REFERENCES 22-







LIST 01 FI" rJ?.?S
S AS S System 27
System Overview (Dual Host) ofc.'
Known Segment Table (KST) 37
Active Process Table (APT) 41
Virtual Processor Tatle (VPT) 45
Extended Instruction Set 51
Kernel Data cases 5 c
Memory Mana£ement Unit (MMU) Imase 54
Initial Process Stacx 6S
Implementation Module Structure 77
Advance Algorithm £7
Program Status Area 99

ACXNOWIEDCrEMiiNT
This researcn is sponsored in part by the Office of
Naval Fesearcn Project Number NS 337-£k5, monitored by Mr.
Joel Trimble.
I am indebted to a number of people for tne valuable
support that I .nave received in this thesis effort. y y
thesis advisor, It. Ccl. Eo f-er Scneii, provided a *ealtn of
knowledge and many nours cf patient counseling. Tnis tnesis
could not nave been written without nis enthusiastic
guidance
.
Thanks are also extended to my reader, Professor Lyle
Cox, for his assistance and concern. Tim Wells sacrificed
precious time in the final days of his tnesis wor* to
introduce me to tne Zilog Deveiopementai System providing
the programming environment for tnis implementation. Gary
Baker, Bob McDonnell, and iv iKe Williams provided excellent
technical assistance, especially in helping me with the n-^^.y
nardware problems tnat I encountered in working with a new
and unfamiliar system.
Finally, special tnanks and appreciation go to my wife,
Trenda , and my children, Christopher and ^ar.-c for their
undying love, patience, and understanding. ""nay always




This thesis addresses the implementation of process
management functions for the Secure Archival Storage System
or SASS. This system is designed to provide multilevel
secure access to information stored for a network of
possioly dissimilar host computer systems and the controlled
sharing of data amongst authorized users of the SASS.
Effective process management is essential to insure
efficient use and control of the system.
Among the major accomplishments of the work: reported
here are the inclusion of provisions for efficient process
creation and management. These functions are provided
through the establishment of a system Traffic Controller and
the creation of a virtual interrupt structure. An effective
mechanism for inter-process communication and
synchronization is realized through an Event Manager that
maKes use of uniquely identified segments supported «#>y
eventcount and sequencer primitives. A hardware controlled
two domain operational environment is created with the
necessary interfacing between domains provided by a software
"gate" mechanism. Additional support is provided through
considerable worlt in the area of database initialization and
a technique for limited dynamic memory allocation.
10

This implementation was completed on the commercial AMC
An96/4116 MonoBoard Computer witn a standard Multibus
interface .
A. BACKGROUND
The brief history of digital computers has been
characterized by rapid advances in hardware technology and a
continual increase in the number and variety of its
applications. The advent of the microprocessor has enabled
virtually every level of our society to make use of computer
resources. Today's "desk top" microcomputers, costing less
than a thousand dollars, have more computing power than the
"giant" computers of the early 1950's that cost hundreds of
times that amount.
These rapid advances in computer hardware technology
have reversed the economics of the computer design
environment. While hardware costs nave decreased, the
relative costs of the software required to effectively
utilize this hardware nas steadily increased until it now
dominates the overall cost of a computer system. This
economic reversal requires that developed software be
logical, easy to read, relatively maintenance free, and easy
to debug. Unfortunately, microcomputer operating systems and
applications software tend to be highly specialized, thus




As the usage of computers has expanded, expeciaily in
the area of sensitive information handling, the need for
information security has received greater recognition. While
ad-hoc attempts have been made to provide internal computer
security on larger systems, the problem of information
security on microprocessors has been largely ignored to
date.
In an attempt to address the above problems, O'Conneil
and Richardson [1] outlined a high level design for a
microprocessor based secure operating system. The goal of
this design was to provide information security, distributed
processing, multiple protection domains, configuration
independence, multiprocessing, and multiprogramming. Since
all computer applications do not require such a broad and
general operating system, the design provided for a family
of operating systems. This allows a member of the family to
incorporate only the subset of family functions needed for
its specific application, while providing for future
expansion. The SASS is a member of this operating system
family.
A brief nistory of prior wort done on the SASS is now
provided. Parts [2J provided the design for the SASS
Supervisor. The actual implementation of the Supervisor
design has not been addressed to date. The initial design of
the SASS Security Kernel was completed by Coleman [3] . The
works of O'Conneil and Richardson [1J , Parts [2J , and
12

Coleman [3] are available as a single publication from NTIS
and DDC in a report prepared by Schell and Cox [21 J . Further
refinements of tne Kernel design and partial Kernel
implementation has been accomplished in three additional
thesis efforts. Moore and Gary [4j provided the detailed
design and partial implementation of the Memory Manager
module. Design refinements for tne Inner Traffic Controller
and Traffic Controller modules as well as implementation of
the Inner Traffic Controller was provided by Reitz [5].
Wells [6] provided implementation of the Segment Manager and
Non-Discretionary Security modules as well as partial
implementation of distributed Memory Manager functions.
These design and implementation efforts provided the basis
for the work described here.
E. BASIC CONCEPTS/DEFINITIONS
This section provides an overview of several concepts
essential to the SASS design. Readers familiar with SASS or
with secure operating system principles may wish to skip to
the next section.
1. Process
The notion of a process has been viewed in many ways
in computer science literature. Organic* [7] defines a
process as a set of related procedures and data undergoing
execution and manipulation, respectively, by one of possibly
several processors of a computer. Madnick and Donovan [Sj
13

view a process as the locus of points of a processor
executing a collection of programs. Reed [9J describes a
process as the sequence of actions ta&en by some processor.
In otner words, it is tne past, present, and future
"history" of the states of the processor. In the SASS
design, a process is viewed as a logical entity entirely
characterized by an address space and an execution point. A
process' address space consists of the set of all memory
locations accessible by the process during its execution.
This may be viewed as a set of procedures and data related
to the process. The execution point is defined by the state
of the processor at any eriven instant of process execution.
As a logical entity, a process may have logical
attributes associated with it, sucn as a security access
class, a unique identifier, and an execution state. This
notion of logical attributes should not be confused witn tne
more typical notion of physical attributes, such as location
in memory, page size, etc. In SASS, a process is siven a
security access class, at the time of its creation, to
specify what authorization it possesses in terms of
information access (to be discussed in the next section). It
is also given a unique identifier that provides for its
identification by the system and is utilized for interaction
amons processes. A process may exist in one of three
execution states: 1) running, 2) ready, and 3) blocked. In
order to execute, a process must be mapped onto (bound to) a
14

pnysical processor in the system. Sucn a process is said to
be in the "running" state. A process that is not mapped onto
a pnysical processor, but is otnerwise ready to execute, is
in the "ready" state. A process in tne ""blocked" state is
waiting for some event to occur in tne system and cannot
continue execution until the event occurs. At that time, the
process is placed into tne ready state.
2. Information Security
There is an ever increasing demand for computer
systems that can provide controlled access to the data it
stores. In this thesis, "information security" is defined as
tne process of controlling access to information based upon
proper authorization. The critical need for information
security should "be clear. Banks and other commercial
enterprises risk the theft or loss of funds. Insurance and
credit companies are bound by law to protect the private or
otherwise personal information they maintain on their
customers. Universities and scientific institutions must
prevent the unauthorized use of their often over-burdened
systems. The Department of Defense and otner government
agencies must face the very real possibility that classified
information is being compromised or that weapon systems are
being tampered witn. In fact, security related problems can
be found at virtually every level of computer usage.
In tne past, attempts nave been made to identify tne
security weakness of computer systems by trial and error and
15

then fix them. However, Schell [10] has shown that security
cannot he "added on" to an existing system with any degree
of confidence that the resulting security system is
impregnable. Security must be explicitly designed into a
system from first principles. The Key to achieving provable
information security is realized in the concept of the
"security lrernel." Schell [llj provides a detailed
discussion of the use of this concept in the methodical
design of system security.
The security of computer systems processing
sensitive information can be achieved by two means: external
security controls and internal security controls. In the
first case, security is achieved by encapsulating the
computer and all its trusted users within a single security
perimeter established by pnysicai means (e.g., armed guards,
fences, etc.) This means of security is often undesirable
due to its added cost of implementation, tne innerent risic
of error-prone manual procedures, and the problem of
trustworthy but error-prone users. Also, since all security
controls are external to the computer system, the computer
is incapable of securely handling data at differing security
levels or users with differing degrees of authorization.
This restriction greatly limits the utility of modern
computers. Internal security controls rely upon the computer
system to internally distinguish between multiple levels of
information classification and user authorization. This is
16

clearly a more desirable and flexible approach to
information security. Tnis does not mean, however, tnat
external security is not needed. The optimal approacfi would
be to utilize internal security controls to maintain
information security and external security controls to
provide pnysical protection of our system against sabotage,
theft, or destruction. The primary concern of this thesis is
information security and will therefore center its
discussion on the achievement of information security
through implementation of the security kernel concept.
One might argue that a "totally secure" computer
system is one that allows no access to its classified or
otherwise sensitive information. Sucn a system would not be
of much value to its users. Therefore, when we say that a
system provides information security, it is only secure with
respect to some specific external security policy
established by laws, directives, or regulations. There are
two distinct aspects of security policy: non-discretionary
and discretionary. Each user (subject^ of the system is
given a label denoting what classification or level of
access the user is authorized. Likewise, all information or
segments (objects) within the system are labelled with their
classification or level of sensitivity. The
non-discretionary security mechanism is responsible for
comparing the authorization of a subject with the
classification of an object and determining what access, if
17

any, should be granted. The DOD security classification
system provides an example of the non-discretionary security
policy and is tne policy implemented in SASS. Tne
discretionary security policy is a refinement of the
non-discretionary policy. As sucn, it adds a higher degree
of restriction by allowing a subject to specify or restrict
who may nave access to nis files. It must be empnasized that
the discretionary policy is contained within the
non-discretionary policy and in no way undermines or
substitutes for it. This prevents a subject from granting
access that would violate the non-discretionary policy. An
example of discretionary security is provided by tne DOD
"need to know" policy. In SASS, the discretionary policy is
implemented within the supervisor [2j by means of an Access
Control List (ACL). There is an ACL maintained for every
file in tne system, wnich provides a list of all users
authorized access to that file. Every attempt by a user to
access a file is first cnecked against tne ACL and then
checked against the non-discretionary security policy. The
"least" or "most restrictive" access found in tnese checks
is then granted to the user.
The relationship between the labels associated with
the subject's access class (sac) and the object's access
class (oac) is defined oy a lattice model of secure








1. sac = oac, read and write access permitted
2. sac > oac, read access permitted
3. sac < oac, write access permitted
4. sac ! oac, no access permitted
In order to understand how these access levels are
determined, it is necessary to sain an awareness of and
consideration for several basic security properties.
The "Simple Security Property" deals with "read"
access. It states that a subject may nave read access only
to those object's whose classification is less than or equal
to tne classification of tne subject. This prevents a
subject from reading any object possessing a classification
nigher than nis own.
The "Confinement Property" (also known as
""'-property") governs "write" access. It states tnat a user
may be granted write access only to tnose objects whose
classification is greater than or equal to the
classification of the subject. This prevents a user from
writing information of a higher classification (e.e.,
Secret) into a file of a lower classification (e.g.,
Unclassified). It is noted that while this property allows a
user to write into a file possessing a classification higher
than his own, it does not allow him access to any of the
data in that file. The SASS design does not allow a user to
"write up" to higher classified files. Therefore, in SASS,
"sac < oac" denotes "no access permitted."
19

The Compatibility Property deals with the creation
of objects in a hierarchical structure. In SASS, objects
(segments) are hierarcnically organized in a tree structure.
This structure consists of nodes with a root node from which
the tree eminates. The Compatibility Property states that
tne classification of objects must be non-decreasing as we
move down the hierarchical structure. This prevents a parent
node from creating a child node of a lower classification.
Several prerequisites must be met in order to insure
that the security Kernel design provides a secure
environment. Firstly, every attempt to access data must
invoke the Kernel. In addition, the Kernel must be isolated
and tamperproof. Finally, tne Kernel design must be
verifiable. This implies that the mathematical model, upon
which the Kernel is based, must be proved secure and tnat
the Kernel is shown is to correctly implement this model.
3. Segmentation
Segmentation is a key element of a security Kernel
based system. A segment can be defined as a logical grouping
of information, sucn as a procedure, file or data area [8J
.
Therefore, we can redefine a process' address space as the
collection of all segments addressable by that process.
Segmentation is the technique applied to effect management
of tnose segments within an address space. In a segmented
environment, all references within an address space require
two components: 1) a segment specifier (number) and 2) the
location (offset) within the segment.
20

A segment may nave several logical and pnysical
attributes associated witn it. Tne logical attributes may
include the segment's classification, size, or permissable
access (read, write, or execute). Tnese logical attributes
allow a segment to nicely fit the definition of an object
within the security kernel concept, and thus provide a means
for the enforcement of information security. A segment's
physical attributes include tne current location of the
segment, whether or not the segment resides in main memory
or secondary storage, and wnere tne segment's attributes are
maintained by a segment descriptor. The segment descriptors
for eacn segment in a process' address space are contained
within a Descriptor Segment (viz., the MMU Image in SASS) to
facilitate tne memory management of that address space.
Segmentation supports information sharing by
allowing a single segment to exist in tne address spaces of
multiple processes. This allows us to forego the maintenance
of multiple copies of tne same segment and eliminates tne
possibility of conflicting data. Controlled access to a
segment is also enforced, since eacn process can nave
different attributes (read/write) specified in its segment
descriptor. In the implementation of SASS, any segment which
is shared, but has "read only" access by every process
sharing it, is placed in the processor local memory
supporting each of these processes rather than in the global
memory. This implies the maintenance of multiple copies of
21

some snared segments. It is noted tnat tne problem of
"conflicting data" is avoided since this only applies to
read only segments. Tnis apparent waste of memory and nonuse
of existing snaring facilities is justified by a design
decision to provide maximum reduction of bus contention
among processors accessing global memory. Tnis reduction in
bus contention is considered to be of more importance tnan
the saving of memory space provided by single copy sharing
of read only segments. This decision is also well supported
by the occurrence of decreasing memory costs, which we have
experienced in terms of high speed bus costs.
4. Protection Domains
The requirement for isolating the Kernel from the
remainder of the system is achieved by dividing the address
space of each process into a set of hierarchical domains or
protection rings [13J . O'Connell and Ricnardson [lj defined
three domains in the family of secure operating systems: the
user, the supervisor, and the kernel. Only two domains are
actually necessary in the SASS design since it does not
provide extended user applications. The Kernel resides in
the inner or most privileged domain and has access to all
segments in an address space. System wide data bases are
also maintained within the Kernel domain to insure their
accessibility is only through the Kernel. Tne Supervisor
exists in the outer or least privileged domain where its




/While protection domains may be created through
either hardware or software mechanisms, a hardware
implementation provides much greater efficiency. Current
microprocessor technology only provides for the
implementation of two domains. This two domain restriction
does not support O'Connell and Richardson's complete family
design, hut it is sufficient to allow hardware
implementation of the ring structure required by the SASS
subset.
5. A05tra.QUQn,
Dijfcstra [14] has shown tnat tne notion of
abstraction can be used to reduce the complexity of a
problem by applying a general solution to a number of
specific cases. A structure of increasing levels of
abstraction provides a powerful tool for tne design of
complex systems and generally leads to a better design with
greater clarity and fewer errors.
Each level of abstraction creates a virtual
hierarchical machine [8J which provides a set of "extended
instructions" to tne system. A virtual machine cannot maice
calls to another virtual machine at a higher level of
abstraction and in fact is unaware of its existence. This
implies that a level of abstraction is independent of any
higher levels. This independence provides for a loop-free
design. Additionally, a higher level may only ma&e use of
the resources of a lower level by applying the extended
instruction set of the lower level virtual machine.
23

Therefore, once a level of abstraction is created, any
nigher level is only interested in tne extended instruction
set it provides and is not concerned witn tne details of its
implementation. In SASS, once a level of abstraction is
created for the physical resources of the system, these
resources become "virtuaiized" making the higher levels of
the design independent of the physical configuration of the
system.
C. THESIS STRUCTURE
This thesis describes the implementation of the process
management functions for the SASS. The design base for this
implementation evolved from the secure family of operating
systems designed by O'Conneli and Richardson [lj . The
programming language utilized in this implementation was
PLZ/ASM assembly code [20J .
Chapter I provided an introduction to the Secure
Archival Storage System and a discussion of the basic
concepts which underlie a secure operating system
envi ronment
.
Chapter II will provide a discussion of tne SASS design.
An overview of the entire SASS system is presented alone
with more detailed description of the modules comprising
SASS and their associated databases.
Chapter III discusses the issues bearing on this
implementation and the refinements made to previous SASS
related worK. A discussion concerning the initialization of
24

the databases utilized by tne current SASS demonstration is
also presented.
Chapter IV presents tne implementation of process
management (viz., tne Traffic Controller, Event Manager,
Distributed Memory Manager, and Gate Keeper stub modules). A
description of design and implementation criteria, and
decisions made during implementation are also discussed in
this chapter.
Chapter V provides the conclusions reached, the status
of the researcn, and recommendations relative to the
continuation and extension of this woric.
The appendices include the PLZ/ASM code for tne modules
implemented and refined. The complete program listings for
the Secure Archival Storage System may be obtained from a




II. SECURE ARCHIVAL STORAGE SYSTEM DESIGN
This chapter provides an overview of the SASS in its
current design state. The intent of tnis summary is
threefold. First, it is intended to provide an overall
understanding of the SASS itself. Secondly, it will provide
an interrelationship between the wori done in this thesis
and previous wort performed on SASS. Lastly, it provides a
current base upon which further SASS development can occur.
A. BASIC SASS OVERVIEW
The purpose of the Secure Archival Storage System is to
provide a secure "data warehouse" or information pool whicn
can be accessed and shared by a variable set of host
computer systems possessing differing security
classifications. The primary goals of the SASS design are to
provide information security and controlled sharing of data
among system users.
Figure 1 provides an example of a possible SASS usage.
The system is used exclusively for managing an archival
storage system and does not provide any programming services
to its users. Thus the users of the SASS may only create,
store, retrieve, or modify files within the SASS. The host
computers are hardwired to the system via the I/O ports of
the Z8001 with each connection having a fixed security
26































































Figure 1. SASS System
27

classification. Each Host must nave a separate connection
for eacn security level it wishes to worfc on (It is
important to note that Figure 1 only represents the logical
interfacing of tne system. Specifically, tne actual
connection with tne nost system must be interfaced with the
Kernel as tne I/O instructions for tne port are privileged).
In our example. Host #1 can create and modify only Top
Secret files, but it can read files which are Top Secret,
Secret, Confidential, or Unclassified. Likewise, Host #2 can
create or modify secret files, using its secret connection
or confidential files, using its confidential connection.
Host #2 cannot create or modify Top Secret or Unclassified
files.
In order to provide information security and controlled
sharing of files, the SASS operates in two domains: (l) the
Supervisor domain and (2) tne Kernel domain. The SASS
achieves this desired environment through a districted
operating, system design wnicn consists of two primary
modules: the Supervisor and the Security Kernel. Each host
system connected to the SASS nas associated witn it two
processes within the SASS which perform the data transfer
and file management on benalf of tnat host. Tne host
computer communicates directly with its own I/O process and
File Manager process within the SASS.
We can use our notion of abstraction to present a system




Level 3-The Host Computer Systems
Level 2-The Supervisor
Level l-The Security Kernel
Level 0-The SASS Hardware
A pictorial representation of tnis abstract system overview
is presented in Figure 2. This representation is limited to
a dual nost system for clarity and space restrictions. Note
that the Gate Keeper module is in actuality the logical
boundary between levels one and two and as such %ill be
described separately.
Level 3, the host computer systems, of SASS has already
been addressed. It should be noted that the SASS design
mates no assumptions about the host computer systems.
Therefore each host may be of a different type or size
(i.e.- micro, mini, or maxi-computer system). Furthermore,'
the necessary physical security of tne host systems and
their respective data lints with the SASS is assumed.
B. SUPERVISOR
Level 2 of the SASS system is composed of the Supervisor
domain. As already stated, the SASS consists of two domains.
The actual implementation of these domains was greatly
simplified since the 78001 microprocessor provides two modes
of execution. The system mode, *ith which the Kernel was








Figure 2. System Overview (Dual Host)
3£

all segments within the system. The normal mode, with which
tne Supervisor was implemented, only provides access to a
limited subset of machine instructions and segments within
tne system. Tnerefore, tne Supervisor operates in an outer
or less privileged domain than the Kernel.
The purpose of tne Supervisor is to manage tne data link
between the host computer systems and the SASS by means of
Input/Output control, and to create and manage tne file
hierarchy of each host within the SASS. These functions are
accomplished via an Input/Output (I/O) process and a File
Manager (FM) process within the Supervisor. A separate FM
and I/O process are created and dedicated to eacn nost at
the time of system initialization.
1. File Manager Process
The FM process directs the interaction between the
host computer systems and the SASS. It interprets all
commands received from the Host computer and performs the
necessary action upon them through appropriate calls to the
Kernel. The primary functions of tne FM process are tne
management of the Host's virtual file system and the
enforcement of the discretionary security policy.
The virtual file system of the Host is viewed as a
hierarchy of files wnich are implemented in a tree
structure. The five basic actions which may he initiated
upon a file at this level are: 1) to create a file, 2) to
delete a file, 3) to read a file, 4) to store a file, and 5)
31

to modify a file. The FM process utilizes a FM Known Segment
Table (FM_KST) as tne primary database to aid in tnis
management
.
Tfie FM process maintains an Access Control List
(ACL) through which it enforces the discretionary security
in SASS. The FM process initializes an ACL for every file in
its Host's file system. The ACL is merely a list of all
users tnat are autnorized to access tnat file. Tne ACL is
checked upon every attempt to access a file to determine its
autnorization. The user (nost computer) directs tne FM
process as to what entries or deletions should be made in
the ACL, and as sucn, specifies wno ne wlsnes to nave access
to his file. As noted earlier, discretionary security is a
refinement to the Non-Discretionary Security Policy and
therefore can only be utilized to add furtner access
restrictions to those provided by the Non-Discretionary
Security." This prevents a user from granting access to a
file to someone who otherwise would not he authorized
access.
2. Input/Output Process
The I/O process is responsible for managing the
input and output of all data between tne nost computer
systems and the SASS. The I/O process is subservient to the
FM process and receives all of its commands from it. Data is
transferred between the SASS and Host Computer systems in
fixed size "packets". These packets are broken up into three
32

basic types: 1) a synchronization packet, 2) a coirmand
pacKet, and 3) a data pacKet. In order to insure reliable
transmission and receipt of packets between the Host
computer and the SASS, there must exist a protocol between
them. Paris [2] provides a more detailed description of
these packets, and a possible multi-pacKet protocol.
C. GATE KEEPER
The primary objective of the gate Keeper is to isolate
the Kernel and maKe it tamperproof. This f?oal is
accomplished by reason of a software ring crossing mecnanism
provided by the ^ate Keeper. In terms of SASS, this notion
of "ring-crossing" is merely the transition from tne
Supervisor domain to the Kernel domain. As noted earlier,
the gate Keeper establishes the logical boundary between the
Supervisor and the Kernel, and as a matter of course, it
provides a single software entry point (enforcea by
hardware) into the Kernel. Therefore, any call to the Kernel
must first pass through the gate Keeper.
The ffate Keeper acts as a trap handler. Once it is
invoKed by a user (Supervisor) process, the hardware preempt
interrupts are masKed, and the user process' registers and
stacK pointer are saved (within the Kernel domain). It then
taKes the argument list provided by the caller and validates
these passed parameters to insure tneir correctness. To aid
in the validation of these parameters, the sate Keeper
33

utilizes the Parameter Table as a database. The Parameter
table contains all of tne permitted functions provided by
tne Kernel. These relate directly to the extended
instruction set (viz.. Supervisor calls) provided by the
Kernel (these extended instructions will be described in the
next section). If an invalid call is encountered by the gate
Keeper, an error code is returned, and the Kernel is not
invoiced. If a valid call is encountered by tne gate Keeper,
the arguments and control are passed to the appropriate
Kernel module.
Once the Kernel has completed its action on tne user
request, it passes the necessary parameters and control bacK
to the gate Keeper. At this point, the gate Keeper
determines if any software virtual preempt interrupts nave
occurred. If they nave, then the virtual preempt handler is
invoKed vice the Kernel bein? exited (virtual interrupt
structure is discussed in chapter III). Correspondingly, if
a software virtual preempt has not occurred, then the return
arguments are passed to tne user process. The user process'
registers and stacK pointer (viz., its execution point) are
restored and control returned to tne Supervisor domain. A
detailed description of the Gate Keeper interface and




Level 1 of our abstract view of SASS consists of two
components: the distributed Kernel and tne non-distributed
Kernel. These two elements comprise tne Security Kernel of
the SASS. The Security Kernel has two primary objectives: 1)
the management of the system's nardware resources, and 2^
the enforcement of the non-discretionary security policy. It
executes in the most privileged domain (viz.. the system
mode of the Z8001) and nas access to all machine
instructions. Tne following section will provide a crief
description of the distributed Kernel, its components, and
the extended instruction set it provides. A discussion of
the non-distributed Kernel will be giver in the next
section.
The distributed Kernel consists of those Kernel modules
whose segments are contained (distributed) in the address
space of every user (Supervisor) process. Thus, in effect,
the distributed Kernel is shared by all user processes in
the SASS. Tne distributed Kernel is composed of the Segment
Manager, the Event Manager, the Non-Discretionary Security
Module, tne Traffic Controller, tne Inner Traffic
Controller, and the Distributed Memory Manager Module. The
Segment Manager and the Event Manager are the only "user
visible" modules in the distributed Kernel. In other words,
the set of extended instructions available to user processes





The objective of the Segment Manager is the
management of a process' segmented virtual storage. The
Segment Manager is invoiced by calls from the Supervisor
domain via the gate keeper. Calls to tne Segment Manager are
made by means of six extended instructions provided by the
segment manager. These extended instructions (viz., entry
points) are: l) CREATE_SEGMENT , 2) DELETE_SEGMENT , 3)
MAKE_KNOWN, 4) TERMINATE, 5) SM_SWAP_IN, and 6) SM_SWAF_OUT.
The extended instructions CREATE_SEGMENT and DELETE_SEGMENT
add and remove segments from the SASS. MAKE_KNOWN and
TERMINATE add and remove segments from the address space of
a process. Finally, SM_SWAP_IN and SM_SWAP_OUT move segments
from secondary storage to main storage and vice versa.
The primary database utilized by the Segment Manager
is the Known Segment Table (KST) . A representation of the
structure of the KST is provided in figure 3. The KST is a
process local database that contains an entry for every
segment in the address space of that process. The KST is
indexed by segment number with each, record of tne KST
containing descriptive information for a particular segment.
The KST provides a mapping mechanism by which tne segment
number of a particular segment can be converted into a
uniaue nandle for use by tne Memory Manager. The Memory




MM Handle J Size ! Acess In | Class ! Mentor Entry
j Mode | Core I ' Ses No ' Nuirber




The purpose of the Event Manager is the management
of event data which is associated with interprocess
communications within the SASS. Tnis event data is
implemented by means of eventcounts (a synchronization
primitive discussed by Reed [15J ) . Tne Event Manager is
invoked, via the Gate Keeper, by user processes residing in
the Supervisor domain. Tnere are two eventcounts associated
with every segment existing in the Supervisor domain. These
eventcounts (viz., Instance l and Instance 2) are maintained
in a database residing in the Memory Manager. The Event
Manager provides its management functions througn its
extended instruction set READ, TICKET, ADVANCE, and AWAIT,
and in conjunction with the extended instructions TC_ADVANCE
and TC_AWAIT provided by the Traffic Controller (to be
discussed next). These extended instructions are based on
the mechanism of eventcounts and sequencers [15 J . The Event
Manager verifies the access permission of every interprocess
communication request through the Non-Discretionary Security
Module. The extended instruction READ provides tne current
value of the eventcount requested by the caller. TICKET
provides a complete time ordering of possibly concurrent
events through the mechanism of sequencers. The Event
Manager will be discussed in more detail in chapter IV.
3. Non-Discretionary Security Module
The purpose of the Non-Discretionary Security Module
(NDS) is the enforcement of the non-discretionary security
38

policy of the SASS. Wnile the current implementation of SASS
represents the Department of Defense security policy, any
security policy wnicn may be represented tnrougn a lattice
structure [12] may also be implemented. The NDS is invoiced
via its extended instruction set: CLASS_EQ and CLASS_GE. Tne
NDS is passed two classifications which it compares and then
analyzes their relationship. CLASS_E0 will return a true
value to the calling procedure only if the two
classifications passed were equal. The CLASS_GE instruction
will return true if a given classification is analyzed to be
either greater than or equal to another given
classification. The NDS does not utilize a data base as it
worts only with tne parameters it is passed.
4. Traffic Controller
The tasir of processor scheduling is performed by the
traffic controller. Saltzer [16 J defines traffic controller
as tne processor multiplexing and control communication
section of an operating system. The current SASS design
utilizes Reed's [9J notion of a two level traffic
controller, consisting of: l) a Traffic Controller (TC) and
2) an Inner Traffic Controller (ITC).
The primary function of the Traffic Controller is
the scheduling (binding) of user processes onto virtual
processors. A virtual processor (V?) is an abstract data
structure that simulates a physical processor through the
preservation of an executing process' attributes (viz., tne
39

execution point and address space). Multiple VP's may exist
for every pnysical processor in the system. Two VP's are
permanently bound to Kernel processes (viz., Memory Manager
and Idle) and as sucft are not in contention tor process
scheduling. Tnese processes and tneir corresponding virtual
processors are invisible to the TC. The remaining virtual
processors are either idle or are temporarily bound to user
processes as scheduled by the TC . The database utilized by
the TC in process scheduling is the Active Process Table
(APT). Figure 4 provides the structure of the APT.
The APT is a system-wide Kernel database containing
an entry for every user process in the system. Since the
current SASS design does not provide for dynamic process
creation/deletion, a user process is active for the life of
the system. Therefore, tne size of the APT is fixed at the
time of system veneration. The APT is logically composed of
three parts: 1) an APT neader, 2) the main body of tne APT,
and 3) a VP table. The APT header includes: 1) a Loci to
provide for a mutual exclusion mecnanism, 2) a Running List
indexed by VP ID to identify the current process running on
each VP, 3) a Ready List, which points to the linked list of
processes which are ready for scheduling, and 4) a blocked
List, which points to the linked list of processes wnicn are
in the blocked state awaiting the occurrence of some event.
A design decision was made to incorporate a single






















AP ! DBR jAccessjPrioritylStateiAff i-| VPlHandie




Figure 4. Active Process Table (APT)
41

notion of separate lists per eventcount because of its
simplicity and its ease of implementation. Tnis decision
does not appreciably affect system performance or efficiency
as the "blocked" list will never be very long. The VP table
is indexed by logical CPU number and specifies tne number of
VP's associated with the logical CPU and its first VP in the
Running List. The logical CPU number, obtained during system
initialization, provides a simple means of uniquely
identifying each pnysical CPU in the system. The main body
of the APT contains the user process data required for its
efficient control and scheduling. NEXT_AP provides the
linked list threading mechanism for process entries. The DBR
entry is a handle identifying the process' Descriptor
Segment which is employed in process switching and memory
management. The ACCESS_CLASS entry provides every process
with a security label that is utilized by the Event Manager
and the Segment Manager in the enforcement of the
Non-Discretionary Security Policy. The PRIORITY and STATE
entries are the primary data used by the Traffic Controller
to effect process scheduling. AFFINITY identifies the
logical CPU which is associated with tne process. VP IE is
utilized to identify the virtual processor tnat is currently
bound to the process. Finally, the EVENTCOUNT entries are
utilized by the TC to manage processes which are blocked and
awaiting the occurrence of some event. EANELE identifies the
segment associated with the event, INSTANCE specifies the
42

event, and COUNT determines which occurrence of the event is
needed.
The Traffic Controller determines the scheduling
order by process priority. Every process is assigned a
priority at the time of its creation. Once scheduled, a
process will run on its VP until it either blocks itself or
it is preempted by a higher priority process. To insure that
the TC will always have a process available for scheduling,
there logically exists an "idle" process for every VP
visible to the TC. These "idle" processes exist at the
lowest process priority and, consequently, are scheduled
only if there exists no useful worK to be performed.
The Traffic Controller is invoked by the occurrence
of a virtual preempt interrupt or through its extended
instruction set: ADVANCE, AWAIT, PROCESS_CLASS , and
GET_DBP._NUMBER. ADVANCE and AWAIT are used to implement the
IPC mechanism envoked by the Supervisor. PROCESS_CLASS and
GET_DBR_NUMBER are called by the Segment ^anas-er to
ascertain the security label and DBH handle, respectively,
of a named process. A more detailed discussion of the TC is
provided in chapters III and IV.
5. Inner Traffic Controller
The Inner Traffic Controller is the second part of
our two-level traffic controller. Basically, the ITC
performs two functions. It multiplexes virtual processors
onto the actual physical processors, and it provides the
43

primitives for wnicn inter-VP communication witnin tne
Kernel is implemented. A design cnoice was made to provide
eacn pnysical processor in tne system vitn a small fixed set
of virtual processors. Two of tnese VP's are permanently
bound to tne Kernel processes. Tne Memory Manager is tound
to the highest priority VP. Conversely, the Idle Process is
bound to tne lowest priority VP and, as a result, will only
be scheduled if there exists no useful work for the CPU to
perform. Tne primary database utilized by tne ITC is the
Virtual Processor Table (VPT). Figure 5 illustrates the VPT.
The VPT is a system wide Kernel database containing
entries for every CPU in the system. The VPT is logically
composed of four parts: 1) a neader, 2) a VP data table, 3)
a message table, and 4) an external VP list. The header
includes a LOCK (spin lode) that provides a mutual exclusion
mechanism for table access, a RUNNING LIST (indexed by
logical CPU #) that identifies the V? currently running on
the corresponding pnysical CPU, a READ! LIST (indexed by
logical CPU #) which points to tne linked list of VP's which
are in the "ready" state and awaiting scheduling on that
CPU, and a FREE LIST wnicn points to the linked list of
unused entries in the message table. Tne VP data table
contains tne descriptive data required by tne ITC to
effectively manage the virtual processors. The DBR entry
points within tne MMU Image to the descriptor segment for
























NEXT ! ! jEXT!
READY iDBR{STATEi IDLE! VIRTUAL {PHYSICAL IPRIJVP | MSG
VP j j FLAG! PREEMPT {PROCESSOR! j ID {LIST
•MSG INDEX









Figure 5. Virtual Processor Table (VPT)
45

STATE, IDLE_ELAG, and PREEMPT are tne primary data used by
the ITC for VP scheduling. PREEMPT indicates whether cr not
a virtual preempt is pending for the VP. The IDLE_FLAG is
set whenever the TC has bound an "idle" process to the VP.
Normally, a VP with the IDLE_FLAG set will not be scneduled
"by the ITC as it has no useful wort to perform. In fact,
sucn a VP will only be scneduled if tne PREEMPT flag is set.
This scheduling will allow the VP to be given (bound) to
anotner process. PHYSICAL PROCESSOR contains an entry from
the Processor Data Segment (PRDS) that identifies the
pnysical processor tnat tne VP is executing on. EJT_V?_ID is
the identifier by which the VP is Known by the Traffic
Controller. A design choice was made to nave tne EXT_VP_ID
equate to an offset into the External VP List. The External
V? List specifies tne actual VP ID (viz.. VPT entry number)
for each external vp identifier. This precluded the
necessity for run time calculation of offsets for the
EXT_VP_ID. NEXT RSADT VP provides the threading mechanism
for tne "Ready" linked list, and MSG LIST points to tne
first entry in the Message Table containing a message for
that VP. The Message Table provides storage for the messages
generated in the course cf Inter-Virtual Processor
communications. MSG contains tne actual communication being
passed, while SENDER identifies the VP which initiated the
communication. NEXT_MSG provides a tnreading mecnanism for
multiple messages pending for a single VP.
46

The ITC is invoiced by means of its extended
instruction set: WAIT, SIGNAL, SWAP_VDBR, IDLE, SET_PPEEMPT,
and RUNNING_VP. WAIT and SIGNAL are the primitives employed
in implementing the Inter-VP communication. SWAP_VDBR, IDLE,
SET_PRE£MPT, and RUNNING_VP are all invoked by tne Traffic
Controller. SWAP_VDBR provides the means by whicn a user
process is temporarily bound to a virtual processor. IDLE
binds the "idle" process to a VP (tne implication of this
instruction will be discussed later). SET_PREEMPT provides
the means of indicating that a virtual preempt interrupt is
pending on a VP (specified hy the TO by setting the PREEMPT
flag for that VP in the VPT. RUNNINGJTP provides tne TC with
the external VP ID of the virtual processor currently
running on the physical processor.
6. Distributed Memory Manager
The Distributed Memory Manager provides an interface
structure between the Segment Manager and the Memory Manager
Process. Tnis interfacing is necessitated by the fact tnat
the Memory Manager Process does not reside in the
Distributed Kernel and consequently is not included in the
user process' address space. The primary functions performed
in tnis module are tne establishment of Inter-VP
Communication between the VP bound to its user process and
tne VP permanently bound to the Memory Manager Process, tne
manipulation of event data, and the dynamic allocation of
available memory. Tne Distributed Memory Manager Module is
47

invoked by the Segment Manager tnrough its extended
instruction set: MM_CREATE_ENTRY, MM_EELETE_ENTRT
,
MM_ACTIVATE, MM_DEACTIVATE , MM_SWA?_IN f and MM_SWAP_OUT.
Tnese extended instructions are utilized on a one to one
basis by the extended instruction set of the Segment Manager
(e.g., SM_SWAP_IN utilizes (calls) MM_SWAP_IN). Wells (6J
provides a more detailed description of this portion of the
Distributed Memory Manager and the extended instruction set
associated with it.
The Distributed Memory Manager is also invoked
tnrough its remaining extended instructions:
MM_READ_EVENTCOUNT, MM_TICKET, MM_ADVANCE, and MM_ALLOCATE.
These Distributed Memory Manager functions will be discussed
in detail in chapter IV.
E. NON-DISTRIBUTEE KERNEL
The Non-Distributed Kernel is the second element
residing in Level l of our abstract system view of the SASS.
The sole component of the Non-Distri outed Kernel is the
Memory Manager Process.
1 . Memory Manager Process
The primary purpose of the Memory Manager Process is
the management of all memory resources witbin the SASS.
These include tne local and global main memories, as well as
the hard-disk based secondary storage. A dedicated Memory
Manager Process exists for every CPU in tne system. Each CPU
48

possesses a local memory where process local segments and
snared, non-writeable segments are stored. There is also a
Global memory, to which every CPU has access, where the
shared, writeable segments are stored. It is necessary to
store these shared, writeable segments in the global memory
to ensure that a current copy exists for every access.
The Memory Manager Process is tasked by other
processes within the Kernel domain (via Signal and Wait) to
perform memory management functions. These basic functions
include the allocation/deallocation of local and glotal
memory and of secondary storage, and the transfer of
segments between tne local and global memory and between
secondary storage and the main memories. The extended
instruction set provided by tne Memory Manager Process
includes: CHEATE_ENTRY, DELETE_ENTR7, ACTIVATE, DEACTIVATE,
SWAP_IN, and SVAP_OUT. These instructions correspond one to
one with those of the Distributed Memory Manager Module. The
system wide data bases utilized by all Memory Manager
Processes are tne Global Active Segment Table (G_AST), the
Alias Table, the Distr Bit Map, and the Global Memory Bit
Map. The processor local databases used by each Memory
Manager Process are the Local Active Segment Table (L_AST),
and the Local Memory Bit Map. Gary and Moore l4j provide a
detailed description of tne Memory Manager, its extended
instruction set, and its databases.
49

A summary of the extended instruction set created by
the components of tne Security Kernel is provided by Figure
6. One mignt question tne prudence of omitting
FHYS_PFEEMPT_FANDL£R and VIRT_PREEMPT_HAND1SR (viz., tne
nandier routines for pnysical and virtual interrupts^ from
the extended instruction set as both of tnese interrupts may
fee raised (viz., initiated) from within tne Kernel. A
decision was made to not classify these handlers as
"extended instructions" since tney are only executed as tne
result of a physical or virtual interrupt and as such cannot
be directly invoiced (viz. t "called") by any module in the
system. A summary of the databases utilized by Kernel
modules is presented in Figure 7.
F. SYSTEM HARDWARE
Level of the SASS consists of the system hardware.
This nardware includes: 1) tne CPU, 2) the local memory, 3)
the global memory, 4) the secondary storage (viz. nard
disfc), and 5) tne I/O ports connecting tne Host computer
systems to the SASS. Since the SASS design allows for a
multiprocessor environment, tnere may exist multiple CPU's
and local memories. The target machine selected for the
initial implementation of tne system is tne Zilog Z8001
microprocessor [17] . The Z8001 is a general purpose lb-bit,
register oriented macnine tnat nas sixteen 16-bit general










































* Denotes user visible instructions




Gate Keeper Parameter Table
Segment Manager Known_Se£ment_Table (KST)
Traffic Controller Active_Process_Ta ble (APT)









Figure 7. Kernel Databases
52

memory, extensible to 48M bytes. Tne Z8001 arcnitecture
supports memory segmentation and two-domain operations. The
memory segmentation capability is provided externally by tne
Zilog Z8010 Memory Management Unit (MMU). Tne Z8010 MMU [16J
provides management of tne Z8001 addressable memory, dynamic
segment relocation, and memory protection. Memory segments
are variable in size from 256 bytes to 64K bytes and are
identified by a set of 54 Segment Descriptor Registers,
wnicn supply tne information needed to map logical memory
addresses to pnyscal memory addresses. Each of tne 64
Descriptor Registers contains a 16-bit case address field,
an 8-bit limit field, and an 6-bit attribute field.
Unfortunately, tne Z8001 nardware was not available for use
during system development. Therefore, all work to date has
been completed through utilization of tne Z8002
non-segmented version of the Z8000 microprocessor family
[17J . Tne actual hardware used in this implementation is the
Advanced Micro Computers Am96/4116 MonoEoard Computer [19j
containing tne AmZ8002 sixteen bit non-segmented
microprocessor. This computer provides 32K bytes of on-board
RAM, Sic bytes of PROM/ROM space, two RS232 serial I/O ports,
24 parallel I/O lines, and a standard INTEL Multibus
interface. The general structure of tne design nas teen
preserved by simulation of the segmentation hardware in
software. This software MMU Image (see Figure 8) is created






Base Addr ! Limit ! Attributes
(entries for one DBR #)
Figure 8. Memory Management Unit (MMU) Image
54

The MMU Image is a processor-local database indexed by
D!ER_No. Each DBR_No represents one record within the MMU
Image. Eacn record is an exact software copy of tne Segment
Descriptor Register set in tne hardware MMU. Each element of
this software MMU Image is in tne same form utilized cy tne
special I/O instructions to load the Hardware MMU. Each D.BR
record is indexed cy segment number (Segmen t_No ) . Eacn
Seement_No entry is composed of three fields* £ase_Addr,
Limit, and Attributes. Base_Addr is a 16-bit field which
contains the base address of the segment in physcal memory.
Limit is an 8-bit field tnat specifies tne number of
contiguous blocks of memory occupied by the segment.
Attributes is an 8-bit field representing the eight flaps
which specify tne segment's attributes (e.g., "read",
"execute", "write", etc.).
G. SUMMARV
An extended overview of the current SASS design has been
presented in this chapter. The four major levels of
abstraction comprising the SASS system have been identified
and the major components of eacn level nave been discussed.
The extended instruction set provided by the SAi>S Kernel was
also defined. With this background, the actual details cf





Issues bearing on tne implementation of process
management and refinements made to existing modules are
presented in tnis chapter. Process management for the SASS
was provided through tne implementation of tne Traffic
Controller Module, tne Event Manager Module, tne Distributed
Memory Manager Module, and a Gate Keeper Stub (system trap).
Additionally, since a demonstration/test bed was integral to
tne testing and verification of tne implementation, it was
necessary to complete other supportive tastfs. These
supportive tastes included limited Kernel database
initialization, revised preempt interrupt handling
mechanisms, Idle process definition and structure, and
additional refinements to existing modules.
A. DATABASE INITIALIZATION
Previous woric on SASS nas relied on statically built
databases, wnicn proved to be sufficient for demonstration
of a single processor, single nost supported system. In the
current demonstration, multiple hosts are simulated, and tne
Kernel data structures have been refined to represent a
multiprocessor environment. Since a multiprocessor system
was unavailable at the time of this demonstration, several
"runs" were made and traced, using different logical CPU
56

numbers, to snow tne correctness of this structure. Due to
this multiprocessor representation and simulation of
multiple hosts, tne use of statically built Kernel databases
was no longer convenient. Therefore, it became necessary to
provide initialization routines for tne dynamic creation of
those Kernel databases required for this implementation.
While it was not tne intent of tnis effort to implement
system initialization, care was tafcen in tne writing of
these initializing routines so that they might be utilized
in tne system int iaiization implementation witn, nopefuily,
minimal refinement. Database initialization was restricted
to tnose databases existing in tne Inner Traffic Controller
and the Traffic Controller. Limited elements of the Known
Segment Table (KST) and Global Active Segment Table (G_AST)
were also created for demonstration purposes.
1. Inner Traffic Controller Initialization
A "Eootstrap Loader" Module, which logically exists
at a higher level of abstraction within tne Kernel, was
created to initialize the databases of the Inner Traffic
Controller. Tnis initialization includes tne creation of: 1)
the Processor Data Segment (PRDS), 2) an MMO Yap, 3) Kernel
domain stac& segments for Kernel processes, 4) allocation
and updating of MMU entries for Kernel processes, and 5)
Virtual Processor Table (VPT) entries.
The PRDS was loaded with constant values that
specify tne pnysical CPU ID, logical CPU ID, and rumber of
57

VP's allocated to tne CPU. A design decision was made to
allocate logical CPU ID's in increments of two (beginning
with zero) so tnat they could be used to directly access
lists indexed by CPU number. Tne MMU map, constructed as a
"byte" map, was created to specify allocated and free PMU
Image entries.
A separate procedure, CHEATE_S TACK, was created to
establish the initial Kernel domain stactf conditions for
Kernel processes. A discussion and diagram of tnese initial
stack conditions is presented in tne next section.
ALLOCATE_MMU checks tne MMU Map and allocates tne next
availabe MMU entry to the process being created. The PRDS is
inserted in tne allocated MMU entry and the E£R number is
returned to the calling procedure. The D5R number (handle)
is merely the offset of tne DBR in tne MMU Image. Since tne
ITC deals with an address rather than a handle, a procedure,
GET_CBR_ADBR , was created to convert this offset into a
physical address. UPDATE_MMU_IMAGE is the procedure which
creates or modifies MMU Image entries. UPEATE_MMU_IMAGE
accepts as arguments the DBR number, segment number, segment
attributes, and segment limits. To facilitate process
switching and control, various process segments must possess
the same segment number system wide. This is accomplished
during initialization through the use of the
UPDATE_MMU_IMAGE procedure. In the ITC, these segments
include the PPDS (segment number zero) and tne Kernel stack
segment (segment number one).
5S

Tne final tas£ required in 1TC initialization is tne
creation of tne VPT. The VPT Header is initialized witn tne
"running" and "ready" lists pointers set to a 'nil' state,
and tne "free" list pointer set to tne first entry in tne
message table. Virtual Processor entries are inserted in the
main body of tne VPT by the UPDATE_VP_TAiiLE procedure.
Entries are first made for tne VP's permanently bound to the
Memory Manager and Idle processes. Tne VP bound to the MM
process is given a priority of 2 (highest), and the VP bound
to the Idle process is given a priority of (lowest). The
External VP ID for doth of tnese VP's is set to "nil" as
they are not visible to the Traffic Controller. The
remaining VP's allocated to the CPU (viz., TC visible VP's)
are then entered in the VPT with a priority of 1
(intermediate), and tneir "idle" and "preempt" flags are
set. The preempt flag is set for these TC visible VP's to
insure proper scneduling by tne Traffic Controller. Tne EBP.
for these remaining VP's is initialized with the Idle
process PER. A discussion of "idle" processes and VP's will
be provided later in this chapter. The External VP ID for
each TC visible VP is merely tne offset of the next
available entry in tne EXTERNAL VP LIST. This External VP ID
is entered in tne VPT, and tne corresponding VP ID (viz.,
VPT Entry ft) is entered in the EXTERNAL VP LIST.
Once tnese VPT entries nave been made, it is
necessary to set tne state of each VP to "ready" and thread
59

them (by priority) into tne appropriate ready list. A VPT
threading mechanism was provided by Reitz [5] in procedure
MAKE_READY. However, it was desired to nave a more general
threading mechanism that could be used for other lists.
Procedure LIST_INS£RT was created to provide tni s general
threading mechanism. LIST_INSERT is logically a "library"
function tnat exist? at tne lowest level of abstraction in
the Kernel. This function threads an object into a list
(specified by the caller) in order of priority, and tnen
sets its state as specified by the calling parameters.
Once tne "Bootstrap Loader" has completed ITC
initialization, it passes control to tne ITC GET Ttf03K
procedure to begin VP scneduling.
2. Traffic Controller Initialization
The initialization routines for tne TC include
TC_INIT, . C?EATE_PROCESS, and CREATS_KST. These routines are
called from the Memory Manager process. Tne MM process was
chosen to initiate these routines as it is bound to tne
nighest priority VP and will be^in running immediately after
the Inner Traffic Controller is initialized. Procedure
MM_ALLOCATE was written to allocate memory space for data
structures during initialization (viz., Kernel stacks, user
stacks, and KST's). Memory space is allocated in blocKs of
100 (hex) bytes. MM_AILOCATE is merely a stub of the memory
allocating procedure designed by Moore and Gary [4j .
60

It was necessary to pass long lists of arguments to
tne TC for initialization purposes. To ail in this passing
of parameters, a data structure template was used. This
template was created by declaring tne parameters as a data
structure in both the sending and receiving procedures, and
then imaging this structure at absolute address zero. The
process' stack pointer was tnen decremented ty tne size of
the parameter data structure, and the parameters were loaded
into tnis data structure indexed by tne stack pointer. This
template made it very easy to send and receive lone argument
lists using tne process' stack segment.
TC_INIT initializes the APT header and virtual
interrupt vector (discussed later). Each element of tne
running list is marked "idle", the ready and blocked lists
are set to "nil", and the number of VP's and first VP for
each CPU are entered in the VP table. The address of the
virtual preempt handler is then passed to the ITC procedure
CREATE_INT_7EC for insertion in tne virtual interrupt
vector.
CREATE_PROCiSS intiaiizes user processes and creates
entries in the APT. ALLOCATE_MMU is called to acquire a DPR
number, and an APT entry is created with tne process
descriptors (viz., parameters). Tne process is then declared
"ready" and tnreaded into the approciate ready list by
calling the threading function, LIST_INSERT. A user stack is
allocated and UPDAT£_MMU_Ir"AGE is called to include the user
SI

stack in the MMU as segment number three. The user stack
contains no information or user process initialization
parameters (viz., execution point and address space) as all
processes are initialized and begin execution from the
Kernel domain. Next, a Kernel domain stack is allocated and
included in the MMU Image. A design decision was made to
initialize the Kernel stacks for user processes witn tne
same structure as the Kernel process' stacks. The rationale
for this decision is presented in tne next section. As a
result of this decision, it became possible to use the
CREATE_STACK procedure in bui Iding^ Kernel domain stacks for
both Kernel and user prosesses. CREATE_STACK was therefore
used as a library function and placed in the library module
with LIST-INSERT.
Finally, a Known Segment Table (KST) stub is created
to provide a means of demonstrating the mechanism provided
by the eventcounts and sequencers for interprocess
communication (IPC) and mutual exclusion. Space for the
process' KST is created by calling MM_ALLOCATE. The KST is
then included in the process' address space, as segment
number two, by UPDATE_MMU_IMAGE. Initial entries are made in
the Known Segment Table by procedure CREATE_KST. CREATE_KST
mases an entry in the KST for the "root" and marits tne
remaining KST entries as "available." Tne Unique_ID portion
of the root's handle (viz., upper two words) is initialized
as -1 (for convenience) and tne G_AST entry number portion
of the handle (viz., lowest word) is initialized with zero.
62

3. Additional Initialization Requirements
As already mentioned, the Memory Manager Process
prepares tne arguments utilized Dy TC_INIT, CREATE_PRCCESS
,
and CREATE_KST for TC initialization and user process
creation. Additionally, tne MM process creates a Global
Active Segment Table (G_AST) stub utilized for demonstration
of event data management. The G_AST stub is declared in a
separate module (viz., the DEMO_DATABASE Module) with tne
format prescribed by Moore and Gary 14J . However, the only
fields initialized and utilized by this implementation are
UNI0UE_ID, SEQUENCER, INSTANCE 1, and INSTANCE 2. The
eventcounts and sequencer fields are initialized as zero
whenever an entry is created in the G_AST. The UNigUE_ir is
created just to support this demonstration and does not
reflect the segment's unique identifier as specified by
Moore and Gary [4j . In tnis demonstration, UNIOUE_IE is
built with the parameters passed to MM_ACTIVATE. The first
word in UNIOUE_ID is tne G_AST entry number of tne segment's
parent, and the second word is the segment's entry number
into tne alias table. Tne UNI0UE_ID to^etner with tne offset
of the segment's entry in the G_AST comprise the segment
HANDLE maintained in tne KST. Tne first entry in tne G_AST
is reserved for the root, and is initialized with an
Unique_ID of minus one (-1). It snould be noted tnat acy
call to MM_ACTIVATE for a segment already possessing an
entry in tne G_AST will not effect any cnanges to that
63

entry. This is to insure tnat a single G_AST entry exists
for every segment as specified by Moore and Gary [4j
.
B. PREEMPT INTERRUPTS
Various refinements were made in the handling of ootn
pnysical (nardware) and virtual (software) preempt
interrupts. A hardware preempt is a non-vectored interrupt
tnat invokes tne virtual processor scneduling mecnanism
(viz., ITC GETWORK). A virtual preempt is a software
vectored interrupt tnat invokes tne user process scneduling
mechanism (viz., TC_GETWORK). Tnis implementation provides
tne notion of a virtual interrupt tnat closely mirrors tne
behavior of a hardware interrupt. In particular, there are
similar constructs for initialization of a nandler,
invocation of a handler, masking of interrupts, and return
from a handler. As with most hardware interrupts, a virtual
interrupt can occur only at the completion of execution for
an "instruction," wnere each kernel entry and exit for a
process delimit a single "virtual instruction."
1. Physical Preempt Handler
Tne pnysical preempt nandler resides in the virtual
processor manager (viz., Inner Traffic Controller). The
functions it perform are: 1) save tne execution point, 2)
invoice ITC GETWORK, 3) checX for virtual preempt interrupts,
4) restore the execution point, and 5) return control via
the IRET instruction. Reitz [5] included tne hardware
64

preempt nandler in ITC GETWORK by establishing two entry
points and two exit points, one for a regular call to
GETWORK and another for the preempt interrupt. He had a
separate procedure, TEST_PREEMPT , that was used to checi for
the occurrence of virtual preempt interrupts. This structure
worlcs nicely, but it requires some means of determining how
GETWORK was invoked so that the proper exiting mechanism is
used. This was resolved by incorporating a preempt interruDt
flag in the status register blocK of every process' Kernel
domain stacfc segment. A design decision was made to
restructure the hardware preempt handler into a single and
separate procedure, PH y S_PREEMPT_HANDLER. This allowed ITC
GETWORK to have a single entry and exit point, and it did
away witn the necessity of maintaining a preempt interrupt
flag in the process stacks. PK*S_PRESMPT_PANDLER was
constructed from the preempt handling code in GETWORK and
procedure TEST_PREEMPT. TEST_PREE*pt was deleted from the
ITC as its functions were performed by PHYS_PREEMPT-HANELER
.
A further refinement was made to the hardware
preempt handler dealing with the netnod by wnicn tne virtual
preempt handler was invoiced. 3eitz [5J invoked the virtual
preempt nandler from TEST_PREEMPT by means of tne "call"
instruction. Since the virtual preempt nandler logically
exists at a nigner level of abstraction tnan the ITC, tnis
invocation violated our notion of only allowing* "calls" to
lower or equal abstraction levels. However, this deviation
6b

was necessitated by the absence or a virtual interrupt
structure. Tnis problem was alleviated by creating a virtual
interrupt vector in the ITC that is used in tne sane way as
tne hardware interrupt vector. Tne virtual preempt was given
a virtual interrupt number (zero). Tne virtual interrupt
handler is then invoked by means of a "jump" tnrougn the
virtual interrupt vector for virtual interrupt number 0.
This invocation occurs in tne same manner that tne nandlers
for hardware interrupts are invoiced. The virtual interrupt
vector is created by procedure CREATE_INT_VEC.
CREAT£_INT_VEC accepts as arguments a virtual interrupt
number and the address of the interrupt handler. Tne
creation of tne virtual preempt entry in the virtual
interrupt vector is accomplished at tne time of the Traffic
Controller initialization by TC_INIT.
2. Virtual Preempt Handler
The virtual preempt handler (VIRT_PR2EMPT_HANELER
)
resides in the user process manager (viz., the Traffic
Controller). The functions performed by VIRT_PREEMPT_EANPLER
are: 1^ determine the V? ID of the virtual processor beina*
preempted, 2) invoke the nrocess scneduling mechanism (viz.,
TC_GETWORK), and 3) return control via a virtual interrupt
return. The correct VP ID is obtained by calling RUNNING_VP
in the ITC. The Active Process Table is then locked, and' the
state of tne process running on tnat VP is changed to
"ready." At this time, process scheduling is effected by
66

calling TC_C-ETWORK. Once process scnedulin^ is completed,
the APT is unlocked and control is returned via a virtual
interrupt return. Tnis virtual interrupt return is merely a
jump to tne PPE.L'MFT_P£T label in tne Hardware preempt
nandier (Tnis jump emulates tne action of tne IRDT
instruction for a nardware interrupt return). Tnis label is
tne point at wnich the virtual preempt interrupts are
unmasked
.
All Kernel processes are initialized to appear as
tnougn tney are returning from a nardware preempt interrupt.
All user processes initially appear to be returning from a
virtual preempt interrupt. Therefore, tne initial conditions
of a process' Kernel domain stack is largely influenced by
tne stack manipulation of tne preempt handlers. Figure 9
illustrates the initial Kernel domain stack structure for
all system processes.
The initial Kernel Flag Control Word (FCW) value is
"5000"
f indicating non-segmented code, system mode of
operation, non-vectored interrupts masked, and vectored
interrupts enabled. The Current StacK Pointer value is set
to the first entry in the stack (viz., SP). The IPET Frame
is tne portion of tne Kernel stack affected by tne IP.5T
instruction. The first element, Interrupt ID (set to "FFFF")
is merely popped off of tne stack and discarded. The next
element. Initial FCW, is popped and placed in tne system

























Figure 9. Initial Process Stacfc
6S

processes and "18450" (indicating normal mcae witn ail
interrupts enabled) for user processes. The final element of
tne IRE? frame. Initial IC is popped off of tne stacK and
placed in tne program counter (PCM register. Tnis value is
initialized as tne entry address of tne process in auesticn.
The "register" entries on tne stac£ represent tne
initial register contents for tne process at tne beginning
of its execution. Since tne Kernel processes (viz., MM and
Idle) do not require any specific initial register states,
their entries reflect the register contents at tne time of
stack creation. Initial register conditions are used to
provide initial "parameters" required fey the user processes.
This will depend largely upon tne parameter passing
conventions of the implementation language. The means for
register initialization was provided through CREATE_PRCCESS
;
however, the only initial register condition used for the
user processes in this demonstration was register #13.
Register #13 was used to pass tne user ID/Host number of tne
process created. This value is utilized by the user process
in activating the segment used for inter-process
communication between a Host's File manager and I/O
processes. Another logical parameter passed to the user
processes is the root segment number. This did not require a
register for passing in the demonstration as it is known to
be the first entry in the KST for all processes. The N_S_P
entry on the stack represents tne initial value of the
69

normal stack pointer. For user processes, this value is
obtained wnen tne Supervisor domain stack for tnat process
is created. For Kernel processes, this value is set to
"FFFF" since tney execute solely in the Kernel domain and
have no Superivsor domain stack. The Preempt Return Point
specifies tne address wnere control will be passed once the
process' ^P is scheduled and the "return" from ITC GETWORK
is executed. For Kernel processes, this is tne point within
the hardware preempt nandier where the virtual processor
table is unlocked. For user processes, this is tne point
within the virtual preempt handler where the Active Process
Table is unlocked.
It is important to note that if the APT was not
unlocked when a user process bee-an its initial execution,
the system would become deadlocked and no further process
scheduling could occur. It should be further noted that the
initial stack conditions for user processes do not reflect a
valid history of execution. The "norrral" history of a user
process returning from ITC GETWOPK after a virtual preempt
interrupt would reflect the passing- of control throug-h
S*AP_VD3R and TC_GETWORK to the point in the virtual preempt
handler where the APT is unlocked. Another "possible"
history could reflect tne occurrence of a nardware preempt
interrupt at the point in the virtual preempt handler where
tne APT is unlocked. Such a nistory would be depicted by
replacing the current top of the stack with the return point
70

into the hardware preempt handler (viz., at the point of
virtual preempt interrupt unmasking) and an additional
hardware preempt interrupt frame whose IC value In the IPJ2T
frame is the point in the virtual preempt nandier where the
APT is unlocked. The current initial stack condition for
user processes was cnosen for its ease of understanding and
its clear depiction of the fact that the structure of a
Kernel domain stack is the same for both Kernel and user
processes .
C. IDLE PROCESSES
In the SASS design, there logically exists a Kernel
domain "idle" process for every physical processor in the
system and a Supervisor domain "idle" process for every "TC
visible" virtual processor in the system. These processes
are necessary to insure tnat both tne VP scheduler (viz.,
ITC GETWORK) and the process scheduler (TC_GETWORK) will
always nave some object to schedule, nence precluding any
CPU or VP from ever having an undefined execution point.
Since the Kernel domain Idle process performs no useful
work, it could be included within the ITC by means of an
infinite looping mechanism. Tne Kernel Idle process was
maintained separately, however, as it is hoped that future
work on SASS will provide this Idle process with some





The Supervisor domain Idle processes (nereafter referred
to as TC Idle processes) are scheduled (bound) on VP's when
there are no user processes awaiting scheduling. Since a TC
Idle process performs no user constructive worfc, we do not
want any VP executing a TC Idle process to be bound tc a
physical processor. In other words, a VP bound to a TC Idle
process assumes the lowest system nriority (represented by
the "idle flag"). Therefore, any such VP will have its idle
flag set and will not be scheduled unless it receives a
virtual preempt interrupt. Such an interrupt will allow the
V? to be rescneduled by tne Traffic Controller. It should be
obvious, at this point, that a TC Idle process will never
actually begin execution on a real processor. This knowledge
allowed a design decision to be made to only simulate the
existence of TC Idle processes. At tne TC level, this was
accomplished by a constant value, IDLE_?R0C, that was used
as a process ID in tne APT running list, thus precluding the
necessity of any "idle" entries in the APT. At the ITC
level, any VP marked "idle" (viz., tne idle flag set) was
given the DPR number (viz., address space) of the Kernel
Idle process solely to provide the use of a Kernel domain
stacs for rescheduling of the VP.
D. ADDITIONAL KERNEL REFINEMENTS
In addition to those already discussed, several other
refinements to existing Kernel modules were effected in this
72

implementa ti on. One of tnese refinements deals with the way
virtual processors are identified by the Traffic Controller.
In the current implementa ti on , all TC visible virtual
processors are *?iven an External VP ID which corresponds to
its entry number in an External VP list. This required a
modification to the ITC procedure RUNNING_VP. The benefits
derived from tnis refinement included the ability to
directly access the External VP ID in the Virtual Processor
Table vice the requirement of a run time division to compute
its value and the ability to use the External V? ID as an
index intc the TC running list.
Refinements were also made to the existing Memory
M anager, File Manager, and 10 process stucs used for
demonstration purposes. These refinements were largely
associated with the eventcount and sequencer mecnanisms
utilized in this implementation. The current status of these
processes is provided in a report by Scnell and Cot [22J .
The remaining refinements deal largely with the MMU
Image. In Moore and Gary's [4j design, tne MMU Image was
managed by the Memory Manager process. This was largely
because tne MMU Image is a processor local database and
would seem well suited for management by the non-distributed
Kernel. In fact, tne MMU Image is utilized mainly by tne ITC
for the multiplexing of process address spaces. Therefore,
in the current design, tne MMU Images are maintained by the
Inner Traffic Controller, however, the MMU header proposed
73

by Moore ana Gary (viz., the BLOCKS_USED and
MAXIMUM_A7AILAELE
-
EL0CKS fields) was retained in the Memory
Manarer as it is used strictly in tne management of a
process' virtual core and is not associated with the
Hardware MMU.
In Cells' design [6J , the Traffic Controller used tne
linear ordering of the DEH entries in the MMU Image as the
DER nandle (viz., 1,2,3...). This required a run time
division operation to compute the DER number, and a run time
multiplication operation, by MM_GET_DBR_VALUE , tc recompute
the DER address for use by the ITC. In the current design,
the offset of the DER entry in the MMU Image (obtained at
the time of MMU allocation) is used as the DER handle in the
Traffic Controller. Furthermore, SWAF_VDSR was refined to
accept a DER handle rattier than a DER address to preclude
the necessity of the Traffic Controller naving to deal with
MMU addresses. DiR addresses are computed only within the
ITC (viz., by procedure GET_DS?._ADDR ) by adding tne value of
the DER handle to the base address of the MMU lma^e. Since
DER addresses are now used solely within tne ITC. procedure
vm_GET_DER_v"AL tJE was no longer needed and was deleted from
the Memory Manager.
E. SUMMARY
The primary issues addressed in this thesis effort have
been presented in this chapter. Aside from the process
74

management functions, tnis description included a mecnanism
for limited Kernel database initialization, a revised
preempt interrupt nandling mecnanism, tne creation of a
virtual interrupt structure, a definition of "idle"
processes and tneir structure, and a discussion of tne minor
refinements effected in existing SASS modules. A detailed
description of tne implementation of process management
functions for tne SASS is nresented in tne next chaster.
75

17. PROCESS MANAGEMENT IMPLEMENTATION
Tne implementation of process management functions and a
gate deeper stub (system trap) is presented in tnis cnapter.
Tne implementation is discussed in terms of tne Event
Manager, Traffic Controller, Distributed Memory Manager,
User Gate, and Kernel Gate Keeper modules. A tiocic diagram
depicting tne structure and interreiationsnips of these
modules is presented in figure 10. Support in developing- tne
Z8000 macnine code for tnis implementation was provided by a
ZilOff MCZ Developmental System operating under tne P10
operating system. Tne Developmental System provided disir
file management for a dual drive, nard sectored floppy disur,
a line oriented text editor, a PLZ/ASM assembler, a linker
and a loader tnat created an executable image of earn zefcjee
load module. An upload/download capability with tne
Am96/4116 MonoBoard computer was also provided. This
capability, along witn tne general interfacing of tne
Am96/4116 into the SASS system, was accomplished in a
concurrent thesis endeavor by Gary Baser. Baiter's worlc
relating to hardware initialization in SASS, will be




MM Read Eventcount MM Ticket MM Advance
Distributed Memory Manager
Figure 10. Implementation Module Structure
7?

A. EVENT MANAGER MODULE _
The eventcount and sequencer primitives [15J , whim are
system-wide objects, collectively comprise the event data of
SASS. As mentioned earlier, this event data is tied directly
to system segments and is stored in the Global Active
Segment Table. There are two ever.tcounts and one sequencer
for every segment in the system. These objects are
identified to the Kernel in user calls by specification of a
segment number. Once this segment number is identified by
the Kernel, tne segment's handle can be obtained from tne
process' Known Segment Table. The segment nandle identifies
the particular entry in tne G_AST containing tne event data
desired.
Tne Event Manager module manages the event data within
the system and provides the mechanism for interprocess
communication between user processes. The Event Manager
consists of six procedures. Tour of these (Advance, Await,
Read, and Ticket) represent tne four user extended
instructions provided by the Event Manager. The remaining
two procedures provide internal computational support to
include necessary security checking. Tne Event Manager is
invoiced solely by user processes, via tne Gate Keeper,
through utilization of the extended instruction set
provided. For every Event Manager extended instruction
invoked by a user process, the non-discretionary security is
verified by comparing the security access classification of
78

tne process invoking tne instruction witn tne classification
of the object (segment) being accessed. Access to the user
process' Known Segment Table is required by tne module in
order to ascertain tne segment nandle and security class for
a ffiven segment number. The PIZ/ASM assembly lan2ua.ee
listing for the Event Manager module is provided in Appendix
A. A more detailed discussion of the procedures comprising
the Event Manager follows.
1. Support Procedures
The procedures GET_HANDL£ and CONVERT_AND_VERIEY
provide internal support for tne Event Manager and are not
visible to tne user processes. Procedure CONVERT_AND_VERIIY
is invoiced by the four procedures representing the
instruction set of the Event Manager. The input parameters
to CON^SP.T_AND_VEHIET are a segment number and a requested
mode of access (viz., read or write). C0N7ERT_AND_VER1FY
returns a pointer to the segment's handle and a success
code. Procedure GET_HANDLE is invoiced solely by
CONVERT_AND_VEPIFT. The input parameter to GET_HANi;LE is the
segment number received as input by CONV"ERT_ANr_VERIET
.
GET_HANDLE returns a pointer to tne segment's handle, a
pointer to tne segment's security classification, and a
success code. A discussion of the functions provided by
these support procedures follows.
Procedure GJ!iT_RANDLE translates the segment number,
received as input, into a KST index number and verifies that
79

the resulting index number is valid. Next the base address
of tne process' KST is obtained from procedure
ITC_GET_SEG_?TR. Tne KST index number is tnen converted into
a KST offset value and added to tne base address to obtain
tne appropriate KST entry pointer for tne segment in
question. A verification is tnen made to insure tnat tne
referenced segment is "known" to tne process. If tne segment
is not Known, an error message is returned to
CONVERT_AND_VERIFY. Otnerwise, a pointer to tne segment's
nandie is obtained to identify tne segment to the memory
manager. A pointer to tne segment's security class entry in
tne KST is also returned for use in appropriate security
cnecfcs
.
Procedure CONVERT_AND_VERIFY provides tne necessary
non-discretionary security verification for tne extended
instruction set of the Event Manager. Procedure GET_HANDLE
is invoked for segment number verification and to obtain
pointers to the segment's handle and security class. If
GET_HANDLE returns witn a successful verification, tne
process' security class is compared to tne segment's
security class to verify the mode of access requested. A
request for "write" access causes invocation of the CIASS_E0
function in the Non-Di scretionary Security Module to insure
that the security classification of the process is equal to
the classification of the eventcount or sequencer, which is
the same as that of the segment. Otherwise, the CLASS_GE
84?

function is called to verify that the process has read
access. If tne appropriate security cnecic is unsuccessful,
an error code is returned by CONVEKT_AND_VERIFY . Otherwise,
tne segment nandie is returned along with a success code of
"succeeded" indicating that tne user process possesses the
necessary security clearance to complete execution of tne
extended instruction.
2. Read
Procedure READ ascertains tne current value of a
user specified eventcount and returns its value to the
caller. Tne input parameters to READ are a segment number
and an instance (viz., an event number). CONVERT_AND_VERIFY
is invoked with a "read" access request to obtain tne
segment's handle and necessary verification. "Read" access
is sufficient for this operation as it only requires
observation of tne current eventcount value and performs no
data modification. If verification is successful, procedure
MM_READ_EVENTCOUNT is called to obtain tne eventcount value.
3. TicKet
Procedure TICKET returns tne current sequencer value
for the segment specified by the user. CONVERT_ANr_VERIIX is
called with a request for write access to obtain
verification and the segment handle. Write access is
required because once the sequencer value is read it must be
incremented in anticipation of the next ticket request. Once
verification is complete, MM_TICKET is invoked to obtain the
SI

sequencer value that is returned to the user process. It is
noted that every call to TICKET for a particular segment
number will return a unique and time ordered sequencer
value. Tnis is because the sequencer value may oniy be read
within MP*_TICK£T wnile the G_AST is loc&ed, thereby
preventing simultaneous read operatiors. Euthermore, once
the sequencer value is read it is incremented before the
G_AST is unlocked.
4. Await
Procedure AWAIT allows a user process to block
itself until some specified event has occurred. The
parameters to AWAIT include a segment number and instance,
which identify a particular event, ana a user specified
value which identifies a particular occurrence of the event.
Verification of read access and a pointer to tne segment's
handle is obtained from procedure CONVERT_AND_VEHIJ!
.
Procedure TC_AWAIT is invoiced to effect tne actual waiting
for the event occurrence. TC_AWAIT will not return to AWAIT
until the requested event has occurred. It is ncted that
AWAIT makes no assumptions about the event value specified
*y the user. Therefore, the Kernel cannot guarantee that the
event specified by the user will ever occur; this is the
responsibility of other cooperating user processes.
b. Advan^P
Procedure AL^ANCE allows a user process to broadcast
the occurrence of some event. This is accomplished by
82

incrementing tne value of tne eventcount associated witn tne
event that has occurred. Tne parameters to ADVANCE include a
segment number and instance wnicn identify a particular
event. Tne calling process must nave write access to the
identified segment as modification of tne eventcount is
required. Verification of write access and a pointer to tne
segment's handle is obtained through procedure
C0NV£RT_AND_VERIFY. Procedure TC_ADVANCE is invoked to
perform the actual broadcasting of event occurrence.
E. TRAFFIC controller module
The primary functions of the Traffic Controller module
are user process scneduling and support of tne inter-process
communication mechanism. The Traffic Controller is invoiced
by tne occurrence of a virtual preempt interrupt and by tne
Event Manager and the Segment Manager tnrougn tne extended
instruction set: TC_Advance. TC_Await, Process_Class and
Get_DER_N TJMBSR. The Traffic Controller module is comprised
of nine procedures. Four of tnese procedures represent tne
extended instruction set of the Traffic Controller. A
detailed discussion of six of tne procedures contained in
the Traffic Controller module is presented below. The
remaining tnree procedures (viz., TC_INIT, CREATE_PRCCESS
,
and CREATE_KST) were described in chapter tnree. The PLZ/ASM
assembly language source code listings for tne Traffic




Procedure TC_GETWOF.K provides tne mechanism for user
process scheduling". The input parameters to TC_GSTWORK are
the VP ID of tne virtual processor to wnich a process will
be scheduled and the logical CPU number to wnich the virtual
processor telongs. The determination of which process to
schedule is made by a looping mechanism that finds the first
"ready" process on the ready list associated with the
current logical CPU number. Processes appear in the ready
list by order of priority. This looping- mechanism is
required as both "running" and "ready" processes are
maintained on the ready list. This ready list structure was
cnosen to simplify the algorithm provided in procedure
TC_Advance. If a ready process is found, its state is
changed to "running" and its process IE (viz., the APT entry
number) is inserted in the running list entry associated
with the current virtual processor. Procedure S'ji/aP_VLER is
then invoiced in the Inner Traffic Controller to effect the
actual process switch. If a ready process was not found
(viz., the ready list was empty or comprised solely of
"running processes"), then tne running list entry associated
with the current virtual processor is marked with the





The primary function of TC_AWAIT is the
determination of whether some user specified event has
occurred. If the event nas occured, control is returned to
the caller. Otherwise, the process is blocked and another
process is scneduled. The input uarameters to TC_AWAIT are a
pointer to a segment handle, an instance (event number), and
a user specified eventcount value. TC_AWAIT initially locks
the Active Process Table and obtains the current value of
tne eventcount in question by calling procedure
MM_READ_Ev"EMTCCUNT. The determination of event occurrence is
made by comparing tne user specified eventcount value with
the current eventcount. If the user value is less than or
equal to tne current eventcount, tne awaited event nas
occurred and control is returned to the caller. Otherwise,
tne awaited event nas not yet occurred and tne process must
be blocked.
If the process is to be blocked, procedure
HTJNNINGJTP is invoked to ascertain the 7? ID of ta» virtual
processor bound to the process. The process' IT (viz . , APT
entry number) is then read from the running list. The input
parameters to TC_AWAIT (viz.. Handle, Instance, and Value)
are then stored in the Event Data portion of the process'
APT entry. Tne process is removed from its associated ready
list by redirecting the appropriate linking threads
(pointers). Once removed from tne ready list, tne process is
85

threaded into the blocked list and its state changed to
"blocked" by invocation of the library function LiST_INSEET .
Procedure TCJ3-ETWORK is tnen called to schedule another
process for the current virtual processor.
3. TC Advance
The primary purpose of TC_ADVANCB is the
broadcasting of some event occurrence. Tnis entails
incrementing the eventcount associated with the event,
awakening all processes that are waiting for tne event, and
insuring proper scheduling order by venerating any necessary
virtual preempt interrupts. Tne nign level design algoritnm
for TC_ADVANCE is provided in figure 11. The input
parameters to TC_AJ)VANCE are a pointer to a segment's nandie
and an instance (event number). Initially, TC_ADVANCE locks
tne APT to prevent tne possibility of a race condition. Tne
eventcount identified by the input parameters is then
incremented by calling ^M_ADVANCE. MM_ADVANCS returns tne
new value of the eventcount. Once the eventcount has been
advanced, TC_ADVANCE awakens all processes awaiting tnis
event occurrence. This is accomplished by checking all
processes tnat are currently in tne blocked list. Tne
process' HANDLE and INSTANCE entries are compared with the
nandie and instance identifying tne current event. If tney
are the same, then the process is awaiting some occurrence
of tne current event. In sucn a case, tne process' VALUE
entry in the APT is compared with the current value of the
86

TC_ADVANCE Procedure (HANDLE, INSTANCE)
Be^in
! Get new eventcount !
COUNT := MM_ADVANCE (HANDLE, INSTANCE)
Call WAIT_L0CK (APT)
! Vaie up processes !
PROCESS := SLOCKED_LIST_HEAD
Do wnile not; end of i3LOCKED_IIST
If (PROCESS. HANDLE = HANDLE) and
(PROCESS. INSTANCE = INSTANCE) and




PROCESS := PROCESS. NEXT_PROCESS
end do
! Cnecfc all ready lists for preempts !
LOGICAL_CPU_NO := 1
Do wnile LOGICAL_CPU_NO <= #NR_CPU
! Initialize oreempt vector !
VP_ID := FIRST_VP(LOGICAL_CPU_NO)
Do for LOOP := 1 to NR_VP( LOGICAL_CFU NO
RUNNING_LIST[VP_ID] .PREEMPT := #TRUE
VP_ID := VP_ID + 1
end do
! Find preempt candidates !
CANDIDATES :=
PROCESS := READV LIST HEAD(LOGICAL CPU NO)




Do (for CYCLE = 1 to NR 7?(LOGICAL_CPU_N0 ) and
not end of REAM LIST (LOGICAL CPU NO)
If PROCESS = ^RUNNING
tnen
RUNNING_LISTIVP_IDJ .PREEMPT := #FALS2
else
CANDIDATES := CANDIDATES + 1
end if
7P_ID := VP_ID + 1
PROCESS := PROCESS. NEXT_PROCESS
end do
! Preempt appropriate candidates !
VT>_ID := EIRST_V?(LOGICAL_CPU_NO)
To for CHECK := 1 to NR_VP (LOGICAL_CPU NO )




CANDIDATES := CANDIDATES - 1
end if
vp_ID := VP_ID + 1
end do





figure 11. TC ADVANCE Aigoritnm (Continued)
88

eventcount. If tne process' VALUE is less tnan or equal to
the current eventcount value, tne awaited event nas occurred
and tne process is removed from tne blocked list and
threaded into the appropriate ready list by tne library
function LIST_INSERT.
Once the blocked list has been checked, it is
necessary to reevaluate eacn ready list to insure that the
nighest priority processes are running. It is relatively
simple to determine if a virtual preempt interrupt is
necessary, however, it is considerably more difficult to
determine which virtual processor should receive the virtual
preempt. To assist in tnis evaluation, a "count" variable
(number of preempts needed) is zeroed and a preempt vector
is created on the Kernel stack with an entry for every
virtual processor associated with the logical CPU being
evaluated. Initially, every entry in tne preempt vector is
marked "true" indicating tnat its associated virtual
processor is a candidate for preemption. Once the preempt
vector is initialized, tne first "n" processes on the ready
list (where n equals the number of VP's associated with the
current logical CPU) are checked for a determination of
their state. If a process is found to be "running'" then it
should not be preempted as processes appear in tne ready
list in order of priority. When a running process is found,
its associated entry in tne preempt vector is marked
"false." If a process is encountered in tne "ready" state
89

then it should be running and the count variable is
incremented. Wnen tne first "n" processes nave been cnecfced
or when we reach the end of the current ready list
(wnicnever comes first), the entries in tne preempt vector
are "popped" from the stacir. If an entry from the preempt
vector is found to be "true", this indicates that its
associated virtual processor is a candidate for preemption
since it is either hound to a lower priority process, or it
is "idle." In such a case, tne "count" variable is evaluated
to determine if the virtual processor associated with tne
vector entry should be preempted. If the count exceeds zero,
a virtual preempt interrupt is sent to the V? and the count
is decremented. Otherwise, no preempt is sent as tnere is no
Higher priority process awaiting scheduling.
This preemption algorithm is completed for every
ready list in tne Active Process Table. Once all ready lists
nave been evaluated, tne APT is unlocked ana control is
returned to the caller. It is noted that it is not necessary
to invoke TC_GETWORK before exiting ADVANCE. If tne current
V? requires rescheduling, it will have received a virtual
preempt interrupt from the preemption algorithm. If this has
occurred, the VP will be rescheduled wnen its running
process attempts to leave tne Kernel domain ana the virtual
preempt interrupts are unmasJced.
90

4. Virtual Preempt Handier
VIRTUALJ>REEMPT_HANDLER is the interrupt nandler for
virtual preempt interrupts. The entry address of
VIRTUAL_PREEMPT_HANDLER is maintained in the virtual
interrupt vector located in the Inner Traffic Controller.
Once invoked, the handler locks the Active Process Table and
determines which virtual processor is being preempted hy
calling RUNNINGJTP. The process running on the preempted VP
is then set to the "ready" state and TC_GETW0R5 is invoked
to reschedule tne virtual processor. When TC_GETWORK returns
to VIRTUAL_PREEMPT_fiANDLER, the APT is unlocked and a
virtual interrupt return is executed. This return is simply
a jump to the point in the hardware preempt handler where
the virtual interrupts are unmasked. This effects a virtual
interrupt return instruction.
5. Remaining Procedures
The remaining two procedures in tne Traffic
Controller module represent the extended instructions:
PROCESS_CLASS and GET_DBR_NUMBER . Both procedures lock the
Active Process Table and call RUNNING_VP to determine which
virtual processor is executing the current process. The
process ID (viz., APT entry Number) is then extracted from
the running list. PROCESS_CLASS reads and returns the
current process' security access classification from the
APT. GET_DBR_NUMBER reads and returns tne current process'
DBR handle. It should be noted that in general the BBR
91

number provided by procedure GET_DBR_NUMBER is only valid
while the APT is locked. Particularly, in the current SASS
implementation, the Segment Manager invokes GET_DBP_NUMBER
and then passes the obtained DBF. number to the Distributed
Memory Manager for utilization at that level. In a more
general situation, the process associated with the DBR
number may nave been unloaded before the DBR number was
utilized, thus making it invalid. This problem does not
arise in SASS as ail processes remain loaded for the life of
the system.
C. DISTRIBUTED MEMORY MANAGER MODULE
The Distributed Memory Manager module provides an
interface between the Segment Manager and the Memory Manager
process, manipulates event data in the Global Active Segment
Table (G_AST), and dynamically allocates available memory. A
detailed description of the Distributed Memory Manager
interface to the Memory Manager process was presented by
Wells [6]. The remaining extended instruction set is
discussed in detail below. The complete P1Z/ASM source
listings for the Distributed Memory Manager module is
provided in Appendix C.
1. MM Read Eventcount
MM_READ_EVENTCOUNT is invoked by the Event Manager
and tne Traffic Controller to obtain the current value of
the eventcount associated with a particular event. The input
92

parameters to this procedure are a segment nandle pointer
and an instance (event Number), which together uniquely
identify 'a particular event.
The G_AST is locked and the entry offset of the
segment into the G_AST is obtained from the segment's
handle. The instance parameter is then validated to
determine which eventcount is to be read. If an invalid
instance is specified, control is returned to the caller
specifying an error condition. Otherwise, the current value
of the specified eventcount is read. The G_AST is then
unlocked, and the current eventcount value is returned to
the caller.
2. MM Advance
MM_ADVANCE is invoiced by the Traffic Controller to
reflect the occurrence of some event. The input parameters
to MM_ADVANCE are a pointer to a segment's handle and a
particular instance (event number).
The Global Active Segment Table is locxed to prevent
a race condition, and the offset of the segment's entry into
the G_AST is obtained from the segment handle. The instance
parameter is then validated to determine which eventcount is
to be advanced. If an invalid instance is specified, an
error condition is returned to the caller and no data
entries are affected. If the instance value is valid, the





MM_TICOT is invoked by the Event Manager to obtain
tne current value of tne sequencer associated with a
specified segment. Tne input parameter to MM_TICKET is a
pointer to a segment's handle.
Initially, MMJTICKET locks tne Global Active Segment
Table to prevent a race condition. Next the offset of the
segment's entry into the G_AST is obtained from tne segment
handle. The current value of the sequencer for the specified
segment is then read and saved as a return parameter to the
caller. The sequencer value is then incremented in
anticipation of tne next ticket request. Once this is
complete, the G_AST is unlocked and control is returned to
the caller.
4. MM Allocate
The MM_ALLOCATE procedure provided in this
implementation is a stub of tne MM_A1L0C&TE described in tne
Memory Manager design of Moore and Gary [4] .
The primary function of MM_AILOCATE is t.ne dynamic
allocation of fixed size biocics of available memory space.
It is invoked in the current implementation by tne
initialization routines in B00TSTRAP_L0AJ3ER and TC_INI? for
tne allocation of memory space used in tne creation of tne
Kernel domain and Supervisor domain stack segments and the
creation of the Known Segment Tables for user processes.
Dynamic reallocation of previously used memory space (viz.,
94

garbage collection) is not provided by tne MM_AIIOCATE stub
in tnis implementation. All memory allocation required in
tnis implementation is for segments supporting system
processes that remain active, and thus allocated, for tne
entire life of tne system. Memory is allocated in blocks of
256 (decimal) bytes of processor local memory (on-board
P.AM). In tnis stub allocatable memory is declared at compile
time by a data structure (MEM_POOL) tnat is accessible only
by MM_ALLOCATE.
Tne input parameter to MM_AILOCATE is tne number of
blocks of requested memory. Tnis parameter is converted from
a block size to tne actual number of bytes requested. Tnis
computation is made simple since memory is allocated in
powers of two. Tne byte size is obtained by logically
shifting left the input parameter ei,?nt times, where ei^ht
is tne power of two desired (viz., 256). Once tne size of
the requested memory is computed, it is necessary to
determine tne starting address of tne memory biock(s) to be
allocated. To assist in this computation, a variable
(NEXT_BL0C£) is used to keep track of tne next available
block of memory in MEM_P00L. NEXT_BLOCK, which is
initialized as zero, provides tne offset into tne memory
being allocated. Once the starting address is obtained, the
physical size of the memory allocated is added to NEXT_2ICCK
so that the next request for memory allocation will begin at
the next free byte of memory in MEY_POOL. This new value of
95

NEXT_BLOCK is saved and tne starting address of tne memory
for tnis request is returned to tne caller.
D. GATE KEEPER MODULES
The SASS Gate Keeper provides the logical boundary
between tne Supervisor and tne Kernel and isolates tne
Kernel from the system users, thus ma King- it tamperproof
.
Tnis is accomplished by means of tne nardware system/normal
mode and the software ring-crossing mechanism provided by
the Gate Keeper. Tne Gate Keeper is comprised of two
separate modules: l) tne USER_GATE module, and 2) tne
KERNEL_GATE_KEEPER module. Tnese modules are disjoint, with
the USER_GATE module residing in the Supervisor domain and
the KERNEL_GAT£_KEEPER module residing in tne Kernel domain.
It is important to note tnat the USER_GATE is a separately
linked component in the Supervisor domain and is not linked
to the Kernel. The only tning in common between tnese two
modules is a set of constants identifying tne valid extended
instruction set which tne Kernel provides to the users.
The Gate Keeper modules presented in tnis implenemtation
are only stubs as they do not provide all of the functions
required of the Gate Keeper. However, the only tas* not
provided in this implementation is the validation of
parameters passed from the Supervisor to the Kernel. A
detailed description of this parameter validation design is
provided by Coleman [3] . In the process management
96

demonstration, tne Supervisor stubs are written in PLZ/ASM
with all parameters passed by CPU registers. A detailed
description of the Gate Keeper modules and tne nature cf
tfteir interfaces is presented below. Tne PLZ/ASM source
listings for tne two Gate Keeper modules are provided in
Appendix E.
1. User Gate Module
Tne USER_GATE module provides tne interface
structure between tne user processes in tne Supervisor
domain and the Kernel. Tne USER_GATS is comprised of ten
procedures (viz. t entry points) tnat correlate on a one to
one basis witn the ten "user visible" extended instructions
(listed in figure 6) provided by the Kernel. The only action
performed by each of these procedures is the execution of
the "system call" instruction (SO with a constant value,
identifying the particular extended instruction inve&ed, as
the source operand.
The SC instruction is a system trap tnat forces tne
hardware into the system mode (Kernel domain) and loads
register 15 with tne system stacx pointer (Kernel domain
stack). The current instruction counter value (IC) is pushed
onto tne Kernel stacit along witn tne current CPU flag
control word (PCW). In addition, the system trap instruction
is pushed onto tne Kernel stack: with tne upper byte
representing the SC instruction and the lower byte
representing the SC instruction's source operand (viz., tne
97

Kernel extended instruction code). Togetner, these
operations form an interrupt return (IRET) frame as
illustrated in figure 9. Once tnis is complete, tne ECW is
loaded witn tne 3?CW value found in tne System Call frame of
the Program Status Area (viz., tne hardware "interrupt
vector"). Tne structure of tne Program Status Area is
illustrated in figure 12, Tne instruction counter is then
loaded witn the address of the SC instruction trap nandier.
This value is also located in the SC frame of the Program
Status Area.
2. Kernel Gate Keeper Module
The system trap nandier for the System Call
instruction is the KERNEL_GAT£_KEEPER . The address of the
KERNEL_GATE_KEEPER and the Kernel FCW value are placed in
the System Call frame of tne Program Status Area by the
BOOTSTRAP_LOADER module during initialization. The
ORNEL_GATE_KEEPER fetches the extended instruction code
from the trap instruction entry in the IRET frame on the
Kernel stack. This value is then decoded by a "case"
statement to determine which extended instruction is to be
executed. If the extended instruction cod*3 is valid, the
appropriate Kernel procedure is invoiced. Otnerwise, an error
condition is set and no Kernel procedures are not invoked.
Once control returns to tne KERNEI_GATE_KEEPER , tne CPU
registers and normal stack pointer (NSP) value are pushed





































NOTE: Offsets represent Program Status Area structure
for non-segmented Z£ici62 microprocessor.
Figure 12. Program Status Area
99

Supervisor domain. It is noted that this operation would
normally occur immediately upon entry into tne
KERNEL_GATE_KEEPER . In this implementation, however,
parameter validation is not accomplished and the CPU
registers are used to pass parameters to and from the Kernel
only for use by the process management demonstration. In an
actual SASS environment, all parameters would be passed in a
separate argument list and the CPU registers would appear
exactly the same upon leaving the Kernel as they did upon
entering the Kernel. This is important to insure that no
data or information is leaded from the Kernel by means of
the CPU registers.
Control is returned to tne Supervisor by means of the
return mechanism in the hardware preempt handier. This
mechanism is utilized to preclude tne necessity of building
a separate mechanism for the KERNEI_GAT2_KEEPER that would
actually perform the very same function. To accomplisn tnis,
the KERNEL_GATE_KEEPER executes an unconditional jump to the
PR£EMPT_RET label in PHYS_PREEMPT_HANDLER . Tnis "jump" to
the hardware preempt handler represents a "virtual IRET"
instruction providing the same function as tne virtual
interrupt return described in the discussion of tne virtual
preempt handler. At tnis point, tne virtual preempt
interrupts are unmaslced, the normal staci pointer and CPU
registers are restored from the stacir, and control is





The implementation of process management functions for
tne SASS Has been presented in tnis cnapter. Tne
implementation was discussed in terms of the Event Manager,
Traffic Controller, Distributed Memory Manager, and Gate
Keeper modules.
Cnapter V will present tne conclusions drawn from tnis





The implementation of process management for the
security Kernel of a secure arcnival storage system nas ceen
presented. The process management functions presented
provide a logical and efficient means of process creation,
control, and scheduling. In addition, a simple but effective
mechanism for inter-process communication, cased on tne
eventcount and sequencer primitives, was created. Work was
also completed in tne area of Kernel database initialization
and a Gate Keeper stub to allow for dual domain operation.
The design for tnis implementation was based on tne
Zilog Z8001 sixteen bit segmented microprocessor [17J used
in conjunction witn tne Zilog Z8010 memory Management Unit
[18]. The actual implementation of process management for
the SASS was conducted on the Advanced Micro Computers
Am9b/4116 MonoBoara Computer [19 ) featuring tne AmZS002
sixteen bit non-segmented microprocessor. Segmentation
nardware was simulated by a software Memory Management Unit
Image.
This implementation was effected specifically to support
the Secure Archival Storage System (SASS) (.21J . However, tne
implementation is based on a family of Operating Systems [lj
designed with a primary goal of providing multilevel
information security. Tne loop free modular design utilized
in this implementation easily facilitates any required
102

expansion or modification for otner family members. In
addition, tnis implementation fully supports a
multiprocessor design. Wnile tne process management
implementation appears to perform correctly, it Has not been
subjected to a formal test plan. Such a test plan snould be
developed and implemented before Kernel verification is
begun.
A. FOLLOW ON WORK
Tnere are several possitie areas in tne SASS design tnat
would be immediately suitable for continued research. In the
area of nardware, tnis includes, tne establishment of a
multiprocessor environment, hardware initialization, and
interfacing to tne host computers and secondary storage.
Further wort in tne Kernel includes the actual
implementation of the memory manager process, and the
refinement of tne Gate Keeper and Kernel intiali zat ion
structures. The implementation of the Supervisor has not
been addressed to date. Its areas of research include the
implementation of the File Manager and Input/Cutput
processes, and the final design and implementation of tne
SASS-Hosts protocols.
Otner areas tnat could also prove interesting in
relation to the SASS include the implementation of dynamic
memory management, the support of multilevel nosts, dynamic
process creation and deletion, and the provision of
constructive worK to be performed by tne Idle process.
103

APPENDIX A - EVENT MANAGER LISTINGS
Z8000ASM 2.02




T"P TJE = 1
FALSE -=
READ ACCESS '- 1
WRITE ACCESS =
SUCCEEDED = 2
SEGMENT NOT KNOWN := 28
ACCESS CLASS NOT EC = 33
ACCESS CLASS NOT GE = 41
KST SEG NO := 2
NR OF KSEGS := 10
MAX NO KST ENTRIES = 54
NOT KNOWN := %Y7
T VPE
H_ARRAI ARRAY [3 WORDJ
KST REC RECORD






















! NOTE: THIS SECTION IS AN "OVERLAY"
OR "FRAME" USED TO DEFINE THE
FORMAT OF THE KST. NO STORAGE IS
ASSIGNED EUT RATHER THE KST IS
STORED IN A SEPARATELY OBTAINED
AREA. (A SEGMENT SET ASIDE FOR IT)!
$ABS




SSECTION EM GLB PROC
0000 READ PROCEDURE
* READS SPECIFIED EVENTCOUNT *
* AND RETURNS IT'S VALUE TO *
* THE CALLER *
* PARAMETERS: *
* Rl: SEGMENT # *
* R2: INSTANCE -




* R0: SUCCESS CODE *
* RR4: EVENTCOUNT v
0000 93F2
ENTRV













! READ ACCESS REQUIRED !
LD R2, #READ_ACCESS
! GET SEG HANDLE & VERIFY ACCESS !




Rl .'HANDLE PTR !
C^ R0, #SUCCEEDED









0018 5E08 ELSE !RESTORE SP!
001A 001E'







I rfTfrf ijiif.zf.ij.7f.-xf.7s. ;?. if if 7f if. vv^^W?-"^'1;'?=?W V *P
* RETURNS CURRENT VALUE OF *
* TICKET TO CALLER AND INCRE- *
* MENTS SEQUENCER FOR NEXT *
* TICKET OPERATION *
^.7fif^7fl£7f*f3flf%C7f,3f^l£7f.lf,&Zf%L7f7fi7flF,XfXf7filf,3fl,llf
* PARAMETERS: *
* Rl: SEGMENT # *
7fJf7f7f7fXf7f7f7f7f3f^l^lf7f\il^rf7fXf7^7fltl7f-XfXf7flflf.7flf
* RETURNS: *
* R0: SUCCESS CODE *
















! GET SEC- HANDLE 6, VERIFT ACCESS !
! "WRITE" ACCESS REQUIRED !
LD R2, *WRITE_ACCESS






IF EO IACCESS PERMITTED!
THEN ! GET TICKET !
CALL MM_TICKET !Rl:EANDLE PTR
RETURNS :
RR4:TICKET!










* CURRENT EVENTCOUNT VALUE IS
* COMPARED TO USER SPECIFIED
* VALUE. IF USER VALUE IS
* GREATER THAN CURRENT EVENT-
* COUNT VALUE THEN PROCESS IS
"BLOCKED" UNTIL THE DESIRED
EVENT OCCURS .
ifi »,* J|» tofi 2f* SgC «f* ^|i i|i 5j£ 2yS 3|S 5|% »,5 »,« *,i *|C *J% *|* i,» »|» *^» *(» ii* »|* *,* * (* *|» 3^5 »,* -,*
* PARAMETERS: *
* Rl : SEGMENT # *
* R2: INSTANCE (EVENT #) -
* RR4: SPECIFIED VALUE *
* RETURNS: *
















! SAVE DESIRED EVENTCOUNT VALUE !
PUSHL 0P.15, RR4
! SAVE INSTANCE !
PUSH 0R15, R2
! "READ" ACCESS REQUIRED !
LD R2, #READ_ACCESS
! GET SEG HANDLE S. VERIFY ACCESS !






IF EQ ! ACCESS PERMITTED !
TEEN ! AWAIT EVENT OCCURRENCE !
! RESTORE INSTANCE !
POP R2, PR15
! RESTORE SPECIFIED VALUE !
POPL RR4, GRliD







0056 5E08 ELSE .'RESTORE STACK!
0058 005E'
005A 95F4 POPL ?.R4, (?R15










* SIGNALS THE OCCURRENCE
* SOME EVENT. EVENTCOUN
- INCREMENTED AND THE TR
CONTROLLER LS INVOKED
AWAKEN ANT PPOCESS AWA
- THE OCCURRENCE.
—
j* »t* ^S Jj*^f* J|K J|-» <-|C J|* *i(t Jjf» +fi Wfi *fi ^p ^^ »|» #|% *r* >»• Jj» *p *ip *^
* PARAMETERS:
- El: SEGMENT #
* R2: INSTANCE (EVENT #
* RETURNS:






























! GET SEG HANDLE & VERIFY ACCESS !
! "WRITE" ACCESS REQUIRED !
LD R2, #WRITE_ACCESS




Rl : HANDLE PTR!
CP R0, ^SUCCEEDED
IF EO ! ACCESS PERMITTEE !
THEN ! ADVANCED EVENTCOUNT !
! RESTORE INSTANCE !























CONVERT ANT VERIFY PROCEETJRE
I *(£ -i* *»5 ^|* »,4 2^C J,; *^i ^i JjC J,» *,» 3|* *,» •»» JjjJ *»» »i* J,» *»» *,% J,* «|« »,* *j» JJC i,» S|C »|t ;,£ »,» jf* 2,1 £,i J,» 3|C 3,C »,* 5|*
* CONVERTS SEGMENT NUMEER TO KST INDEX*
* AND EXTRACTS SEGMENT'S HANDLE FRO* *
v KST. IE SUCCESSFUL, THEN ACCESS -
* CLASS OF SUBJECT IS CHECKED AGAINST *
* ACCESS CLASS OF OBJECT TO INSURE *
* THAT ACCESS IS PERMITTED. v
s* ace sp a* sje age sp )gc J* *s XT. act*** »** »* n*^ V a* S)t =P f ** *?: ** a* 3* V *«c* **V^ **WV
* PARAMETERS: *
* Rl: SEGMENT NUMBER *
* R2: ACCESS REQUESTED *
^t age spv agi age age a? age 19c age ac< qc age jjc jjc age jje agew age age act 9? ajs age 3^ age age age age age age 39c age »? acs sje ace
- RETURNS: *
* R0: SUCCESS CODE *
* Rl : HANDLE POINTER *
















! SAVE REQUESTED ACCESS !
PUSH (?R15, R2
! GET SEGMENT HANDLE !







IF EO ! SEGMENT IS KNOWN !
THEN ! VERIFY ACCESS !
! SAVE HANDLE & CLASS PTR !
PUSH! (?R15, RR4
! GET SUBJECT'S SAC !
CALL PROCESS _CLASS ! RETURNS:
RR2:PR0C CLASS!
! RETRIEVE SEG CLASS POINTER !
POPL RR0, 0R15
! GET SEGMENT'S CLASS !
LDL RR4, L*R1
! RETRIEVE REQUESTED ACCESS !
POP PI, 0R15
! SAVE HANDLE POINTER !
PUSH GR15, R0








































IF EQ ! WRITE ACCESS REQUESTED !
THEN












ELSE ! READ ACCESS REQUESTED !












! RETRIEVE HANDLE POINTER !
POP Rl , PR15
ELSE










* CONVERTS SEGMENT NUMBER TO *
KST INDEX AND DETERMINES IF *
SEGMENT IS KNOWN. IE KNOWN *
POINTER TO SEGMENT HANDLE *
AND POINTER TO SEGMENT CLASS*
ARE RETURNED. *
* PARAMETERS: *
* Rl: SEGMENT NUMBER *
RETURNS:
* R0: SUCCESS CODE
* R4: HANDLE POINTER

























! CONVERT SEGMENT # TO KST INDEX # !
SUB Rl, #NR_OF_KSEGS
! VERIFY KST INDEX !
LD R0, #SUCCEED£D
CP Rl, #0
IF LE '.INDEX NEGATIVE!
THEN
LD R0, #SEGMENT_NOT_KNOWN
ELSE ! INDEX POSITIVE!
CP Rl, #MAX_NO_KST_ENTRIES
IF GT ! EXCEEDS MAXIMUM INDEX!
THEN ! INVALID INDEX!




IF EO ! INDEX VALID!
THEN
! SAVE KST INDEX !
PUSH @R15, Rl





































CALL ITC_GET_SEG_PTR ! Rl :KST_SEG_NO
RETURNS:
R0:KST ADER!
! P.ETPIEVE KST INDEX # !
POP R3, G»R15
! CONVERT KST INDEX # TO KST OIFSET !
MULT RR2, #SIZEOF KST_REC
! COMPUTE KST ENTRY ADDRESS !
ADD R3, R0
! SEE IF SEGMENT IS KNOWN !
CP KST.M_SEG_N0(R3), #NOT_KNOWN





! GET HANDLE POINTER !
LDA R4 f KST.MM_HANDLE(R3)









APPENDIX B - TRAFFIC CONTROLLER LISTINGS
Z8000ASM 2.02




I jps^siejtejjcjjcjje SYSTEM PARAMETERS ^W*'!''?'!'
NR PROC ! - 4-
VP~NR = 2
NR CPU = 2
NR_KST :- b4
i 3fimfi3fw>t))i SYSTEM CONSTANTS *?w*wp*
RUNNING : =
READY : : = 1
BLOCKED : ; = 2
IDLE PROC : = SDDDD
NIL : = tFFFF
INVALID : = %EEEE
KERNEL STACK : ! = 1
USER STACK : =
KST SEG : : = 2
KST LIMIT : = 1
USER FCW ; - sieee
WRITE : : =
! INDICATES LO'i(EST SYSTEM
SECURITY CIAS;s »
SYSTEM LOW : : =
STK_OFFSET : = SFF
REMOVED : ; = %AjBCD
TRUE : = 1
FALSE : =



























































































































! THESE VARIABLES ARE USED DURING TC
INITIALIZATION TO SPECIFY AVAILABLE
ENTRIES IN THE APT, AND ARE INITIAL-































!NOTE: USED AS STACK FRAME FOR
STORAGE OF TEMPORARY VARIABLES


















!THE FOLLOWING DECLARATION IS UTILIZE!
AS A STACK FRAME FOR STORAGE OF













!NOTE: KST DECLARATION IS USED HERE
TO SUPPORT KST INITIALIZATION FOR
THIS DEMONSTRATION ONLT. THIS
DECLARATION AND INITIALIZATION
SHOULD EXIST AT THE SEGMENT MANAGER
LEVEL AND THUS SHOULD BE REMOVED
UPON IMPLEMENTATION OF SYSTEM
INITIALIZATION. !
$ABS




$SBCTION TC INT PROC
TC GETWORK PR
* PROVIDES GENERAL MAN
* MENT OF USER PROCESS
* EFFECTING PROCESS SC
* LING ON VIRTUAL PROC
- PARAMETERS:
* Rl: CURRENT VP ID
* R3: LOGICAL CPU #
r,t #|* »,» SJSSgC 9JC *,£ *i* *?• 2jt 3JS *^% 5J» JJ* J»? S^ i|* i t» *,» 3JC Sjj» *«
* LOCAL VARIABLES:
* R2: NEXT READY PROC






JQB 3? 3QG 3}C 3£ 3JC 3QC





































! FIND FIRST READY PROCESS !
ID R2, APT.READY_LIST(R3)
GET_READT_AP:
DO '.WHILE NOT (END OF LIST OR READY)!
CP R2, #NIL
IF EO !NO READY PROCESS! THEN
EXIT FROM GET_READY_AP
FI
CP APT.AP.STATE(R2) , #READY
IF EO ! PROCESS READY! THEN
EXIT FROM GET_READY_AP
FI




CP R2 f *NIL
IF SO ! IF NO PROCESSES READY ! TEEN
! LOAD IDLE PROCESS !





































* LOADS FIRST READY AP *
* IN RESPONSE TO PREEMPT *
* INTERRUPT *










!** CALL WAIT LOCK (APT". LOCK) **
!
!** RETURNS WEEN PROCESS HAS LOCKED APT **!
LDA R4, APT. LOCK
CALL K_LOCK
! GET RUNNING_VP ID !
CALL RUNNlNG_VP ! RETURNS:
Rl :VF_ID
R3:CPU #!















! IF NOT AN IDLE PROCESS, SET IT TO READY I
CP R2 t #IDLE_PROC
IF NE ! NOT IDLE ! THEN
LD APT. AP. STATE (R2) , *READT
FI
! LOAD FIRST READY PROCESS !
CALL TC_GETWORK !R1:VP_IE
R3:CPU #!
!NOTE: THIS IS THE INITIAL POINT OF
EXECUTION FOP USER PROCESSES.!
7IRT PREEMPT RETURN:
!** CALL UNLOCK (APT". LOCK) **
!
!** RETURNS WHEN PROCESS HAS UNLOCKEE AP^ **
!
!** AND ADVANCED ON THIS EVENT **!




! PERFORM A VIRTUAL INTERRUPT RETURN !
!NOTE: THIS JUMP EFFECTS A VIRTUAL
I3ET INSTRUCTION.!
007E 5E08 JP PREEMPT_RET
0080 0000*






'* INITIALIZES APT HEADER *
* AND VIRTUAL INT VECTOR *
* PARAMETERS: *
* Rl : CPU_ID *
* R2: NR_VP -
ENTRT
! NOTE: THE NEXT FOUR VALUES ARE
ONLY TO BE INITIALIZED ONCE. !






















NOTE: THE FOLLOWING CODE IS INCLUDED
ONLY FOP. SIMULATION OF A MULTIPROCESSOR
ENVIRONMENT. THIS IS TO INSURE THAT THE
READY LIST(S) AND VP DATA OF THE SIMULATED
C?U(S) APE PROPERLY INITIALIZED. IN AN
ACTUAL MULTIPROCESSOR ENVIRONMENT, THIS
BLOCK OF CODE SHOULD BE REMOVED.
LD R4 t #0
DO
CP R4, #NR_CPU*2

































































! INITIALIZE READY LISTS AS EMPTY !
LD APT.READY_LIST(R4) , #NIL
! INITIALLY MARK ALL LOGICAL CPU'S
AS HAVING 1 VP. THIS IS NECESSARY
TO INSURE TC ADVANCE WILL FUNCTION
PROPERLY, AS "IT EXPECTS EVERY CPU
TO HAVE AT LEAST 1 VP . !
LD APT.VP.NR VP(R4), #1
INC R4, #2
OD
! END MULTIPROCESSOR SIMULATION CODE.
LD APT.VP.NR_VP(R1) , R2
LD R3, NEXT_VP
LD APT.VP.FIRST(Rl), R3
! RECOMPUTE NSXT_VP VALUE FOR TC
INITIALIZATION OF NEXT LOGICAL
CPU. !
LD R5, R2
WULT RR4 t #2
ADD R3, R5
LD NEXT_VP, R3




IF EO TEEN EXIT FI
LD APT. RUNNING LIST(R3>, #IDLE PRCC
INC R3, #2
DEC R2 t #1
OD





















ee?E CREATE PROCESS PROCEDURE
* CREATES USER PROCESS ;s
* DATABASES AND APT *
* ENTRIES *
i,C 3|5 J,J *J» 2^C 3gC 3|S 5JC 2jS 2,i *»» J,£ 5,i J,i *^ JJI 3jC i,« J,I 5j? 5»C *,* ;, i 3^£ »»*
* PARAMETERS: *



























!N0TE: THIS PROCEDURE IS A STUB TO ALLOW
PROCESS INITIALIZATION FOR THIS
DEMONSTRATION.
!
! ESTABLISH STACK FRAME FOR L0C/\L
VARIABLES. !
SUB R15, #SIZEOF CREATE
! STORE INPUT ARGUMENT POINTER !
ID CREATE. ARG_PTR(R15) , R14
! LOCK APT !
LDA R4, APT. LOCK
CALL K_LOCK
! RETURNS WHEN APT IS LOCKED !
! CREATE MMU ENTRT FOR PROCESS !
CALL ALLOCATE_MMU {RETURNS:
R0: DBR #!
! GET NEXT AVAILABLE ENTRI IN APT I
LD Rl, APT_ENTRY
! COMPUTE APT OFFSET !
LD R2, #SIZEOF AP_TABLE
ADD R2, Rl
! SAVE NEXT AVAILABLE APT ENTRY !
LD APT_ENTRY, R2
! CREATE APT ENTRY FOR PROCESS !
LD APT. AP. NEXT AP(Rl), #NIL
LD APT.AP.DBR(Rl), R0




















































! GET PROCESS PRIORITY !
ID R2, ARG_LIST.PRI1(R14)
ID APT.AP.PRI(Rl), R2
! GET LOGICAL CPU # !
LD R2, APG LIST. CPU ID(R14)
LD APT.AP.AFFINITY(RI), R2
!THREAD IN LIST AND MAKE READY!
LDA R3, APT.READY_LIST(R2)
R4, APT.AP.NEXT_AP
R5, APT. AP. PR I







! SAVE DER # !
LD CREATE. DBR_NUM(R15) , R0
CALL LIST INSERT
!R2: OBJ ID
R3: LIST HEAD PTR




! UNLOCK APT !
LDA R4, APT. LOCK
CALL KJJNLOCK
!CREATE USER STACK!
! RESTORE ARGUMENT POINTER !
LD R14, CREATE. ARG PTR(RIS)
LD R3, ARG LIST.USR STK(R14)
! SAVE LIMITS !







































!COMPUTE & SAVE NSP!
LD R8, R2
! ESTABLISH INITIAL SP VALUE
FOR USER STACK. !
ADD R8, #ST5 OFFSET
LD CREATE. N_S_P(R15) , R8
! RESTORE LIMITS !
LD R4, CREATE. LIMITS(R15)
DEC R4 !SEG LIMITS
!
! RESTORE DBR !
LD R0, CREATE. DBR_\'UM (R15
)
LD Rl, #USER_STACK







! CREATE KERNEL STACK!
! RESTORE ARGUMENT POINTER !
LD Rl*, CREATE. ARG_PTR (Rib)
LD R3, ARG_LIST.KER_STK(R14)
CALL MM_ALLOCATS !R3: # OF BLOCKS
RETURNS
R2: START ADER !
!MAKE MMU ENTRY!
! RESTORE DBR n !
0124 61F0 LD R0, CREATE
0126 0002
0128 2101 LD Rl, #KERNE
012A 0001
012C A134 LD R4, R3
012E AB40 DEC R4
0130 2103 LD R3, #WRITE
0132 0000
















































! RESTORE ARGUMENT POINTER !
ID R14 t CREATE ,ARG_PTR(Rl 5)
! RESTORE STACK ADDRESS !




! RESTORE INITIAL NSP !
LD R5, CHEATS. N_S_P(R15)
LDA R6, VIRT_PREEMPT_RETURN
SUB R15, #8
LDM G>R15, R3 t #4
! LOAD ARGUMENT POINTER FOR




! LOAD INITIAL REGISTER VALUES TO
BE PASSED TO USER PROCESS AS
INITIAL PARAMETERS. !




PI: TOP OF STACK
R2-R14: INITIAL
REG STATES!
!NOTE: THE ABOVE INITIAL REG STATES
REPRESENT THE INITIAL PARAMETERS
(VIZ., REGISTER CONTENTS ) THAT A




ei6E 010F ADD R15, #8 IOVERLAY PARAMETERS!
0170 0008
! ALLOCATE KST !
0172 2103 LD R3, #KST_LIMIT
0174 0001




! RESTORE DBR !
017A 61F0 LD R0, CREATE .DBR_NUM(R15 )
017C 0002
! SAVE KST ADERESS !
017E 6FF2 LD CREATE. SEG_ADDR( R15 ), R2
0180 0006
!MAKE MMU ENTRY FOR KST SEG!
0182 2101 LD Rl, #KST_SSG
0184 0002
0186 2103 LD R3, #WRITE IATTRIBUTE!
0188 0000
018A 2104 LD R4, #KST_LIMIT-1
018C 0000












! RESTORE KST ADDRESS !





! CREATE INITIAL KST STUB !
CALL CREATE KST !R2:KST ADDR
!
! REMOVE TEMPORARY VARIABLE
STACK FRAME. !
ei9A 010F ADD R15, #SIZEOF CREATE
019C 000A
019E 9E08 RET
01A0 END CREATE PROCESS
130

01A0 CREATE KST PROCEDURE
f ;,- »r* *|5 *|S »jS 3J% ^* *|t *|* J,C 3y» J,J 2,i J,i #,C Xfi *«* J,S J^C i,C i,i 5p *i* J,i
* CREATES KST STUB FOR *
* PROCESS MANAGEMENT *
* DEMO. INSERTS ROOT *
* ENTRY IN KST. NOT *
* INTENDED TO BE FINAL *
* PRODUCT. *
* PARAMETERS: *
* R2: KST ADDRESS -
ENTRY
!NOTE: THIS PROCEDURE IS A STUB USED
FOR INITIALIZATION IN THIS IMPLEMENTATION
ONLT. THE ACTUAL INITIALIZATION COD*
FOR THE KST WILL RESIDE i>T THE SEGMENT
MANAGER LEVEL ONCE IMPLEMENTATION OF
























! CREATE ROOT ENTRY IN KST !
LDL RR6, #-1 !ROOT HANDLE!
LDL KST.MM_EANDLE(R2) t RR6
!SET ROOT ENTRY ft IN G AST !
LD KST.MM_HANDLE[2J7R2) , *0
! SET ROOT CLASSIFICATION !
LDL P.R6, ^SYSTEM LOW
LDL KST. CLASS (R2) , RR6
!SET MENTOR SEG #!
LDB KST.M SEC- N0(R2) , #0
UNITIALIZE FREE KST ENTRIES








eiD0 0102 AM R2, #SIZEOF KST_R£C
01D2 0010
01D4 4C25 IDE KST. M_SEG_N0(R2 ) , #%T$
01D6 000E
01D8 FFFF
01DA AB10 DEC Rl
01DC E8F3 OE
01DE 9E08 RET




* EVENTCOUNT IS ADVANCED BY *
* INVOCATION OF MM ADVANCE.
* PROCESSES THAT AHE AWAITING *
* THIS EVENT OCCURRENCE ARE *
* REMOVED FROM THE BLOCKED LIST*
* AND MADE READY. THE READY *
* LISTS ARE THEN CHECKED TO *
* INSURE PROPER SHEDULING IS *
* EFFECTED. IF NECESSARY VIR- *
* TUAL PREEMPTS ARE SENT TO ALL*
* THOSE VP'S BOUND TO LOWER *
* PRIORITY PROCESSES. *
- PARAMETERS: *
* Rl: HANDLE POINTER *






















! ESTABLISH TEMPORARY VARIABLE
STACK FRAME. !
SUB R15, #SIZE0F TEMP
! SAVE INPUT ARGUMENTS !
LD TEMP. HANDLE PTR(R15) f Rl
LD TEMP. EVENT NR(R15), R2
! LOCK APT !
LDA R4, APT. LOCK
CALL K_L0CK
! RETURNS WHEN APT IS LOCKED !
! ANNOUNCE EVENT OCCURRENCE BY
INCREMENTING EVENTCOUNT IN G AST!













































! SAVE EVFNTCOUNT !
LDL TEMP.EVENT_VAL(R15) , RR2
! RESTORE INSTANCE !
LD R0 t TEMP.EVENT_NR(Rlb)
! RESTORE HANDLE POINTER !
ID Hi, TEMP.HANDLE_PTR(R15)





LD TEMP.FANDLE_L0W(R15) , R4
! AWAKEN ALL PROCESSES AWAITING
THIS EVENT OCCURRENCE !





! DETERMINE IF AT END OF BLOCKED LIST !
CP Rl, #NIL
IF EC ! NO MORE BLOCKED PROCESSES !
THEN EXIT FROM WAKE UP
FI
! SAVE NEXT ITEM IN LIST !
LD R?, APT.AP.NEXT_AP(R1)
! DETERMINE IF PROCESS IS ASSOCIATED
WITH CURRENT HANDLE !
LDL RR4, TEMP.HANDLE_HIGH(R15)
CPL RR4, APT.AP.HANDIE(RI)
IF EC '.HIGH HANDLE VALUE MATCHES!
THEN
LD R4, TEMP.HANDLE_L0W(R15)








































IF Eg ! HANDLE'S MATCH !
THEN ! CHECK FOR INSTANCE MATCH !
LD R0, TEMP.EVENT_NR(R1S)
CP R0, APT. AP. INSTANCE (Rl)
IF EQ ! INSTANCE MATCHES !




CPL RR2, APT. AP. VALUE (Rl)
IF GE ! AWAITED EVENT HAS OCCURRED!
THEN ! AWAKEN PROCESS !
! REMOVE FROM SLOCKED LIST !
LD G»R6, R7
! SAVE LOCAL VARIABLES !
PUSHL 0R15, RR6
!SET LIST THREADING ARGUMENTS!
LD R2 t APT.AP.AFFINlTY(Hl)
LDA R3, APT.READY_LIST(R2)
LDA R4, APT.AP.NEXT_AP
LDA P5, APT. AP. PR I
LDA R6, APT. AP. STATS
LD R7, #READr
LD R2 t Rl
CALL LIST_INSERT
!R2: OEJ ID
R3: LIST HEAD PTR
R4: NEXT OBJ PTR
R5: PRIORITY PTR
R6: STATE PTR
R7: STATE VALUE !
! RESTORE LOCAL VARIABLES !
POPL RR6. 0R15
LD Rll t #REMOVED







































EI ! END VALUE CHECK !
ELSE JPROCESS STILL BL0CKET!
CLR Rll
FI ! END INSTANCE CHECK !
ELSE !PROCESS STILL BLOCKED!
C LR Rll
FI ! END HANDLE CHECK !
ELSE IPROCESS STILL BLOCKED!
CLR Rll
FI ! END HIGH HANDLE CHECK !
! RESET AP POINTER REGISTERS !
CP Rll, #REMOVED
IF NE ! PROCESS IS STILL BLOCKED !
THEN





! DETERMINE IF ANY VIRTUAL PREEMPT




CP R2, #NR_CPU * 2
IF EC !ALL READ* LISTS CHECKED! THEN
EXIT FROM PREEMPT_CHECK
FI
! CREATE PREEMPT VECTOR FOR VP'S !
CLR Rl
DO IFOR Rl=l TO NR_VP'S!
INC Rl
CP Rl, APT.VP.NR_VP(R2)





















































! # TO PREEMPT !
C LR R3
ID" R4, APT.VP.NRJTP(R2)
! # OF VP'S !




! SEE IF READY LIST IS EMPTY !
CP Rl, #ML
IF EO !LIST IS EMPTY!
THEN EXIT FROM CHECK RDY LIST
FI
CP APT.AP.STATE(R1 ), ^RUNNING
IF EO JPROCESS IS RUNNING!
THEN !BON'T PREEMPT IT!
LD R5 t APT.AP.VP_ID(R1)
! COMPUTE LOCATION IN PREEMPT VECTOP!
SUB R5, APT.VP. FIRST (R2)
LDA R6, R15(R5)
LD (?R6, #FALSE




CP R4 t #0




! GET NEXT AP IN READY LIST !















































! CHECK TEMPLATE !
CP ?.0, #TRUE
IF EQ !CAN EE PREEMPTED!
THEN
CP R3, #0























! CHECK NEXT READY LIST !
INC R2, #2
OD !END PREEMPT CHECK!
138

! UNLOCK APT !
0366 7604 IDA R4, APT. LOCK
0368 0000'




! RESTORE SUCCESS CODE !
ID R0, #SUCCEEDED
FI
! RESTORE STACK !
0372 010F ADD R15, #SIZEOF TEMP
0374 0012
0376 9E08 RET























* CHECKS USER SPECIFIED VALUE *
* AGAINST CURRENT EVENTCOUNT
* VALUE. IF USER VALUE IS LESS *
* THAN OP EQUAL EVENTCOUNT THEN*
* CONTROL IS RETURNED TO USER. *
* ELSE USER IS BLOCKED UNTIL *
* EVENT OCCURRENCE. *




* Rl: HANDLE POINTER *
* R2 : INSTANCE (EVENT #) *




* R0: SUCCESS CODE *
ENTRY
! ESTABLISH STACK FRAME FOR
TEMPORARY VARIABLES. !
SUB R15, #SIZEOF TEMP
! SAVE INPUT PARAMETERS !
LD TEMP.HANDLE_PTR(R15) , Rl
LD TEMP. EVENT_NR( Rib ), R2
LDL TEMP.EVENT_VAI(R15) , RR4
! LOCK APT !
LDA R4, APT. LOCK
CALL K_LOCK
! RETURNS WHEN APT IS LOCKET !























































IF GT !EVENT HAS NOT OCCURRED!
THEN !BLOCK PROCESS!




! SAVE RETURN VARIABLES !
LD TEMP.ID_VP(R15) , Rl
LD TEMP.CPU_NUM(Rl5) , R3
LD R8, A?T.RUNNING_LIST(R1)
! RESTORE REMAINING ARGUMENTS !
LD R2, TEMP. EVENT NR(R15)
LD Rl, TEMP. HANDLE PTR(Rl5)
! SAVE EVENT DATA !
LDL P.R4, HANDLE_VAL.HIGH(R1)
LDL APT. AP. HANDLE ( R8 ) , RR4
LD R4, HANDLE_VAL.LO'4(Rl)
LD APT. AP. HANDLE [2 J (R8) , R4




! REMOVE PROCESS FROM READY LIST !
LD Rl, APT.AP.AFFINITT(RS)
ID R2, APT.READY_LIST(R1)
! SEE IF PROCESS IS FIRST
ENTRY IN READY LIST !
CP ^2 R8
IF EC VlNSERT NEW READY LIST HEAL!
THEN









































ELSE !PELETE FROM LIST BODY!
DO
ID R3, APT. AP. NEXT AP ( R2 )
CP R3, R8
















R3 t APT. BLOCKED LIST
LDA R4, APT.AP.NEXT_AP
LDA R5, APT. AP. PR I
LDA R6, APT. AP. STATE
LD R7, #ELOCKED






! GET CURRENT VP ID !
LD Rl, TEMP. ID VP(R15)
LD R3, TEMP. CPU NUM(R15)
! SCHEDULE FIRST READY PROCESS !
CALL TC GETWORK !R1:VP ID
! UNLOCK APT !













! RESTORE STACK !
0440 010F ADD R15, *SIZEOF TEMP
0442 0012
0*44 9E08 RET
0446 END TC AWAIT
143

0446 PROCESS CLASS PHOCEDU
T *|» *»» *(• »|S 5^5 *|5 »,» Jf* J(5 3i» *,* S|S 5jS SQC 5»5 J,J 1,1 5|% 5,5 i,J i , i 5,5 »i» *t* *(* *i*
* READS SECURITY ACCESS
- CLASS OF CURRENT PROCESS
* IN APT. CALLED Ey SEG
* MGR AND EVENT MGR
sp sp sp ap sp ap ifi ap ap ap ap ap tfi >$ ^s ap ap ap 5* ageage ap ap sp ap s?
* LOCAL VARIABLES:
* Rl : VP ID










* RR2: PROCESS SAC
*,Z r t% »,% *,» i»» SgC *(% 5|* i>» 5f» *,C r ti *,i 1,4 i»» 5fC i^ »,i ^1 5ft J,i Z^Z -,* #)% J,C i,S «
ENTRY
0446 7604 LDA R4, APT. LOCK
0448 0000'
044A 5F00 CALL K_L0CK !R4:~APT.LOCK!
044C 0000*




0452 6115 LD R5,APT.RUNNING_LIST(R1 )
04D4 0002'
0456 5452 IDL RR2, APT.AP.SAC(R5)
0458 0024'
! UNLOCK APT
045A 7604 LDA R4, APT. LOCK
045C 0000'
045E 5F00 CALL K_UNLOCK
0460 0000*
0462 9E08 RET








- OBTAINS DBR NUMBER EROM APT
* FOR THE CURRENT PROCESS.
* CALLED Bv SEGMENT MANAGER
*l* £|» »,» 5,i J,i 93 iy* i*fi iji i,I 3,1 ^(1 i^J »,S i,i 3,J 3,* #^ 2,* J,i »,I 3,* V|« 3,» *,S *|» *)* v,C »,* *p* *|* *,» #y*
* LOCAL VARIABLES:
* Pi: VP ID
* R5: PROCESS ID
* RETURNS: *





























!N0TE: DBR * IS ONLY VALID WHILE PROCESS
IS LOADED. THIS IS NO PROBLEM IN SASS
AS ALL PROCESSES REMAIN LOADED. IN A
MORE GENERAL CASE, THE DBR # COULD ONLY
BE ASSUMED CORRECT WHILE THE APT IS LOCKEIM










! UNLOCK APT !
LDA R4, APT. LOCK
CALL KJJNLOCK
RET




APPENDIX C - DISTRIBUTED MEMORY MANAGER LISTINGS
Z8000ASM 2.02




CREATE CODE : = 50
DELETE CODE = 51
ACTIVATE CODE ; = 52
DEACTIVATE CODE ; = 53
SWAP IN CODE = 54
S¥AP^OTJT_CODE : = 55
NR CP T J • = 2
NR KST ENTRY • = 54
MAX SEG SIZE : = 128
MAX DER NO ; = 4
KST SEG~NO s 2
NR OF KSEGS : = 10
BLOCK SIZE : = 8
MEM AVAIL s %F0fc)
G AST LIMIT : = 10
INS^ANCEI = 1
INSTANCE2 ; = 2
INVALID INSTANCE : ; = 95
SUCCEEDED ; = 2
TYPE
E ARRAY ARRAY [3 WORD J
COM MSG ORAT [16 BYTE J
ADDRESS WORD
G AST REC RECORD
Thniotte ID LONG
GLOEAL ADDR ADDRESS


























MM CPH TBL ARRAY [NR CPU MM VP IDJ
^SECTION AVAIL MEM
INTERNAL
! NOTE: MEM_POOL IS LOCATED IN
CPU LOCAL MEMORY. !




BLOCK IS USED IN THE MM
OFFSET POINTER INTO THE'
ALLOCATE
'ILOCK
OF ALLOCATABLE MEMORY. IT IS INITIALIZED




!NOTE: THESE RECORDS ARE
TO DEFINE MESSAGE FORMATS
$A2S
CREATE MSG RECORD
OVERLAYS" OR '"FRAMES'" USED

















































0000 DEACTIVATE MSG RECORD [DEACT_CODE WORD
D_DER_NO WORD
D_MM_HANDLE H_ARRAY
D^FILL ARRAY [3 WORD]
J
$ABS





SI_FILL ARHA3f[2 WCRDJ J
$AES
0000 SWAP OUT MSG RECORD [S OUT_CODS WORD
SO_DER_NO WORD











R_ACTIVATE_ARG RECORD [R SUC CODE BVTE
R FILL BYTE



























MM CREATE ENTRY FROCEDURE
f ;,S J^ 2,1 2,1 2,1 2jl 2,1 2,1 2,1 3ifi 2,1 3JC 2^1 3,1 3(1 3J! 2,1 2,1 3^1 3^C 2,1 2,1 3,1 2^ 2,1 3|1 2,1 2fC 2^ »,1 2,1 JJ1 2,1
INTERFACE BETWEEN SEG MGR
(CREATE_SEG PROCEDURE 1 AND
MMGR PROCESS ( CREATE_ENTRY
PROCEDURE). ARRANGES AND
PERFORMS IPC.













!USE STACK FOR MESSAGE!
SUB R15,#SIZE0F COM MSG
LD R13,R15 'COM MSGBUF
!FILL COM MSGBUF (LOAD MESSAGE)
FRAME IS BASED AT ADDRESS ZERO
OVERLAID ONTO COM_MSGBUF FRAME
EACH ENTRX (I.E. ADDING TO EACH ENTRY) THE


























CREATE_MSG.CE_MM_HANDLE[2J (R13) , R6


















LDL CREATE_MSG.CE_CLASS (R13) .RB4
LD CR£ATE_MSG.CE_SIZE(R13) ,R3
ID R8,R13
CALL PE*TORM_IPC ! R8 : "COM_MSGBUE!
! RETRIEVE SUCCESS_CODE FROM RETURNED MESSAGE!
CLR R0
IDB RL0,RET_SUC_CODE.SUC_CODE(H13)
ADD Rl5,#SIZE0F COM_MSG ! RESTORE STACK STATE!
RET
































































f ;,si»i i,s vi,; ?,c ^ i£ :^v *i* *** *i£^» *»• *•- *»* *»* **»»•* *i: *** V *»* *i» *i* ** *r* *«* *<* -w* *•» *>*
* INTERFACE BETWEEN SEG MGR *
* (DELETE_SEG PROCEDURE) AND *
* MMGR (DELETE_ENTRY PROCEDURE).-




* Rl:HPTR( INPUT) *
* R2: ENTRY NO (INPUT) *
* LOCAI USE *




!USE STACK FOR MESSAGE!
SUB R15,#SIZE0F COM_MSG
LD Rl3 t Rl5 ! ~COM_MSGBUF !
!FILL COM_MSGBUF (LOAD MESSAGE). DELETE_MSG FRAME
IS BASED AT ADDRESS ZERO. IT IS OVERLAID ONTO
COM MSGBUT F^AME BY INDEXING EACH ENTRY (I.E. ADD-
ING TO EACH ENTRY) THE BASE ADDRESS OF COM MSGEUF!
LD DELFTE_MSG.DE_C0DE(R13^ ,#LELETE_CODE
LD R6,Rl(#fc) JINDEX TO MM_HANDLE ENTRY!
LD LELETE_MSG.DE_MM_HANDLE[0j (R13),R6
LD R6,R1(#2)
LD DELETE_MSG.DE_MM_HANDLE[lJ (R13) ,R6
LD R6,P1(#4)
LD DELETE_MSG.DE_MM_HANDLE[2J (R13),E6
LD DELETE MSG.DE ENTRY N0(R13),R2
LD R8.R13
CALL PERFORM_IPC !R6: ~COM_MSGIUF!
JRETRIEVE SUCCESS_CODE FROM RETURNED MESSAGE!
CLR R0
LDB RL0 t RET_SUC_CODE .SUC_C0DE(R13^
ADD R15,#SIZE0F COM_MSG !RESTORE STACK STATE!
RET
END MM DELETE ENTRY
152

007 C MM ACTIVATE PROCEDURE
* INTERFACE BETWEEN SEG MGR -
* (MAKE KNOWN PROCEDURE) ANT *
* *MGR (ACTIVATE PROCEDURE). -





* Rl :DBR NO(INPUT)
* R2: HPT? (INPUT)
W R3:ENTRY NO
-"? R4:SEGMENT NO





























!USE STACK FOR MESSAGE!
SUB R15,#SIZE0F COM_MSG
LD R13.R15 ! "COM_MSGBUF !
! SAVE RETURN HANDLE POINTER !
PUSH 0R15, R12
!FILL COM_MSGBUF (LOAD MESSAGE). ACTIVATE_MSG FRAME
IS BASED AT ADDRESS ZERO. IT IS OVERLAID ONTO
COM MSGBU1' FRAME BY INDEXING EACH ENTR y (I.E. ADD-
ING TO EACH ENTRK ) THE BASE ADDRESS OF C0M_MSG2UF!
ACTIVATE MSG.ACT C0DE(R12) , #ACTIVATE CODE
ACTIVATS_MSG.A_DBR_N0(R13) ,R1
R6 t R2(#0)











































LDB ACTIVATE_MSG.A_S2GMENT_NG(R13 ) ,RL4
LD R8,R13
CALL tfEBFORM^IPC ! (R8 :"COM_MSG£UF
!
! RESTORE RETURN HANDLE POINTER !
POP R12, 0R15
! UPDATE MM HANDLE ENTRY !
LDL RR6, R_ACTIVATE_ARG.R_MM_HANDLE(R13)
LDL MM_EANDLE.ID(R12) , RR6
LD R6 t R_ACTIVATE_ARG.R_ v,M_HANDLEl2J fR13)
ID MM_EANDLE.ENTRY_N0(R12) , R6













00DA MM DEACTIVATE FROCEEURE
588 INTERFACE BETWEEN SEG MGR -
* (TERMINATE PROCEDURE) AND *
* MMGR (DEACTIVATE PROCEDURE). *
* ARRANGES AND PERFORMS IPC.
jjc J? sjs jpjje jjc a* sje jjc *f sjc ajs >* sp sje jjc sa: j* apajc ^e ape a? 3? sp age ap jfc ap ap ap ap ap
* REGISTER USE: *
- PARAMETERS -
* R0:SUCCESS_CODE(RET ,I -
* RlrDBR NO(INPUT) *
- R2:HPTR(INPUT) -
* LOCAL USE *






!USE STACK FOR MESSAGE!
00DA 030F SUB R15,#SIZE0E C0M_MSG
00DC 0010
00EE A1FE LD R13.R1S ! ~COM_MSGEUF !
!FILL COM_MSGEUF (LOAD MESSAGE). DEACTIVATE MSG FRAME
IS EASED AT ADDRESS ZERO. IT IS OVERLAID ONTO
COM_MSGBUF FRAME BY INDEXING EACH ENTRY (I.E. ADD-
ING TO EACH ENTRY) THE BASE ADDRESS OF COM_MSGBUF!
00E0 4DD5 LD DEACTIVATE_MSC .DEACT_CODE ( R13 ^,
00E2 0000 #DEACTIVATE_COEF
00E4 0035
00E6 6FD1 LD EEACTIVATE_MSG. D_DBR_NO (R13 ) . Rl
00E8 0002
00EA 3126 LD Rb,P.2(#0) ! INDEX TO MM HANDLE ENTR V !
00EC 0000
00EE 6FD6 LD DEACTIVATE MS G. D_MM_HANELE [0j (R13) ,R6
00F0 0004
00F2 3126 LD R6,R2(#2)
00F4 0002
00F6 6FD6 LD DEACTIVATE MSG.D_MM HANDL£[l J (R13) f R6
00Fe 0006
00FA 3126 LD R6,P2(#4)
00FC 0004
00FE 6FD6 LD DEACTIVATE MSCD MM_HANDLE [2j ( Rl 3) , R6
0100 0008
0102 A1D8 LD R8,R13












0114 END MM DEACTIVATE
CLR R0
LDB RI0,PET_SUC_CODE.SUC_COEE(R12>
ADD R15,#SIZE0F COM MSG- {RESTORE STACK STATE!
156

0114 MM SWAP IN PROCEDURE
* INTERFACE BETWEEN SEG MGR (SM_*
- SWAP IN PROCEDURE) AND MMC-R *
* (SWAP IN PROCEDURE). ARRANGES *
* AND PERFOPMS IPC .
* REGISTER USE: *
* PARAMETERS -
* R0:SUCCESS_CODS(RET) *
* Rl :EEK_N0( INPUT) *
* R2:HPTR( INPUT) *
* R3: ACCESS (INPUT) -
* LOCAL USE *




!USE STACK FOR MESSAGE!
0114 030F SUB R15,#SIZEOF COM_MSG
0116 0010
0118 A1FD LD R13.R15 ! ~COM_MSGBUF !
.'FILL COM_MSGEUF (LOAD MESSAGE). SWAP IN MSG FRAME
IS BASED AT ADDRESS ZERO. IT IS OVERLAID ONTO
COM_^SGBUF FRAME EY INDEXING EACH ENTRY (I.E. ADD-
ING TO EACH ENTRT) THE BASE ADDRESS OF COM_MSGBUF!
011A 4DD5 ID SWAP IN MSG.S IN C0DE(R13) ,#SWAP_IN CODE
011C 0000
011E 0036
0120 3126 LD R6,R2(#0) 'INDEX TO MM HANDLE ENTRT!
0122 0000
0124 6FD6 LD SWAP IN_MSG.SI_MM HANDLE [0] ( R13) ,R6
0126 0002
0128 3126 LD R6,?2(#2)
012A 0002
012C 6FD6 LD SWAP IN_MSG.SI MM HANDLE [lj ( R13> ,R6
012E 0004
0130 3126 LD R6,R2(#4)
0132 0004
0134 6FD6 LD SWAP_IN MSG .S I_MM_EANDLE [2J (R13 ) ,R6
0136 0006
0138 6FD1 LD SWAP_IN_MSG .SI DER_NO( R13) ,R1
013A 0008
013C 6FDB LDB SWAP_IN_MSG .S I_ACCESS_AUTH (R13) , RL3
013E 000A
0140 UD8 LD R6,P13




JRETRIEVE SUCCESS CODE FROM RETURNEE MESSAGE!
0146 8D08 CLR Re
0148 60D8 IDB RL0 ,RET_SUC_CODE .SUC_COEE (R13
)
014A 0000
014C 010F ADD R15,#SIZE0F COM_MSG !RESTORE STACK STATE!
014E 0010
0150 9E08 RET
0152 END MM SWAP IN
158

0152 MM SWAP OUT PROCEDURE
f -,* »>» i* *i* *1* «|* *t% **» *,- 9|* ?,* *j£ -,* *,* 5|* i,» J,* #|* *,» *,« J,I *(« «,* *»* 5,5 J,S *," i|S *,£ i,l 3|* f|* -,*
* INTERFACE BETWEEN SEG YGR (SM_*
* SWAP OUT PROCEDURE) AND MMGR *
* (SWAF_OUT PROCEDURE). ARRANGES*
* AND PERFORMS IPC. *
sp»? sp ;psp ape v Tjt >je ageafcagt sp a? sp sp sp sp sp sp sp sp »? s? sp sp t? jjc sp sp sp sp sp
* REGISTER USE: -
* PARAMETERS *
* R0:SUCCESS_CODE(RET) *
* RlrDBR NO(INPUT) *
* R2:HPTR( INPUT) *
* LOCAL USE *
" R6:MM_HANDLE ARRAY ENTRY *
* R8:~G0M MSGBUI *
* R13:~C0M_MSGBUF *
ENTRY
!USE STACK FOR MESSAGE!
0152 030F SUB R15,#SIZE0F COM_MSG
0154 0010
0156 AlFD LD Rl3,Rl5 ! ~COM_MSGBUF !
'.FILL COM MSGBUE (LOAD MESSAGE). SWAP OUT_MSG FRAME
IS BASED AT ADDRESS ZERO. IT IS OVERLAID ONTO
COM MSGBUE FFA*E BT INDEXING EACH ENTRY (I.E. ADD-
ING TO EACH ENTRY) THE BASE ADDRESS OF CCM_MSGBUF!
0158 4DD5 LD SWAP_OUT_MSG.S_OUT_CODE (R13 ) , #SWAP_OUT_CODE
015A 0000
015C 0037
015E 3126 LD R6,R2(#0) .'INDEX TO MM_flANDLE ENTRY!
0160 0000
0162 6FD6 LD SWAP OUT MSG. S O_MM_HANDL£[0j (R13 ) ,R6
0164 0004
016b 3126 LD R6,R2(#2)
0168 0002
016A 6FD6 LD SWAP OUT MSG.SO MM_HANDLE[1J (R13) ,R6
016C 0006
016E 3126 LD R6,R2(#4)
0170 0004
0172 6FD6 LD SWAP_OUT MSG .SO MM HANDLE [2J (R13 ) ,R6
0174 0008
0176 6FD1 LD SWAP_OUT_MSG.SO_D£R_NO (R13 ) ,R1
0178 0002
017A A1D8 LD R8,R13





JRETRIEVE SUCCESS_CODE FROM RETURNED MESSAGE!
0180 8D08 CLR R0
0182 S0D8 LDB RL0 , RET SUC CODE .SUC_CODE (R13
)
0184 0000
0186 010F ADD Rl5 t #SIZEOE COM_MSG {RESTORE STACK STATE!
0188 0010
018A 9E08 RET
018C END MM SWAP OUT
160

eiac PERFORM IPC PROCEEDS*
* SERVICE ROUTINE TO ARRANGE AND *
* PERFORM IPC WITH THE MEM MGR PROC *
* REGISTER USE: *
* PARAMETERS *
* R8: ~COM_MSG(INPUT) *
* LOCAL USE *



















































PUSH 0R15.R13 !"COM MSGBUF!






CALL SIGNAL ! Rl :MM_VP_ ID ,RS :~COM_MSGPUF
!
POP R13.PR15











* ALLOCATES BLOCKS OF CPU*
* LOCAL MEMORY. EACH *
* BLOCK CONTAINS 256 *
* BYTES OF MEMORY. *
* PARAMETERS: *
* R3: # OF BLOCKS *
* RETURNS: *
* R2: STARTING ADDR *
* LOCAL: *
* R4: BLOCK POINTER *
ENTRf
! NOTE: THIS PROCEDURE IS ONLY A STUB
OF THE ORIGINALLY DESIGNED MEMORY
ALLOCATING MECHANISM. IT IS USED
BY tee PROCESS MANAGEMENT DEMONSTRATION
TO ALLOCATE CPU LOCAL MEMO?. I FOR ALL
MEMORY ALLOCATION REQUIREMENTS. IN AN
ACTUAL SASS ENVIRONMENT, THIS WOULD
BE EETTER SERVED TO HAVE SEPARATE
ALLOCATION PROCEDURES FOR KERNEL AND
SUPERVISOR NEEDS. (E.G., KERNEL ALLOCATE
AND SUPERVISOR ALLOCATE), !
! COMPUTE SIZE OF MEMORY REQUESTED !
SLL P3, #BLOCK_SIZE
! COMPUTE OFFSET OF MEMORY THAT IS
TO BE ALLOCATED !
LD R4, NEXT_BLOCK 10FFSET!
LDA R2, MEM_P00L(R4) ISTART ADDR!
ADD R4, R3 JUPDATE OFFSET!
! UPDATE OFFSET IN SECTION OF AVAILABLE
MEMORY TO INDICATE THAT CURRENTLY
REQUESTED MEMORY IS NOW ALLOCATED !
01C8 6F04 LD NEXT_BLOCK , R4 !SAVE OFFSET!
01CA 0F00'
01CC 9E08 RET
















































* RETURNS CURRENT VALUE OF
* SEGMENT SEQUENCER AND
* INCREMENTS SEQUENCER VALUE*
* FOR NEXT TICKET OPERATION *
^^ ***3*« >p jgc 2?* *: sgc j«c sp *c ;ge *c ? jpJ? ip sgc 3? :p 3* 4( j«c J* *c
* PARAMETERS: *
* 11: SEG HANDLE PTR *
RETURNS: *
RR4: TICKET VALUE *
LOCAL VARIABLES: *
RR6: SEQUENCER VALUE *
R8: G_AST ENTRY # *
ENTRY
! SAVE HANDLE PTR !
PUSH (?R15, Rl
! LOCK G_AST !
LDA R4, G_AST_LOCK
CALL K_LOCK
! RESTORE HANDLE PTR !
POP Rl, G>R15
! GET G_AST ENTRY # !
LD Re, MM_RANDLE.ENTRY_NO(Rl)
! GET TICKET VALUE !
LDL RR6, G_AST.SEGUENCER(R8)
! SET RETURN REGISTER VALUE !
LDL RR4, RR6
!ADVANCE SEQUENCER FOR NEXT
TICKET OPERATION!
ADDL RR6, #1
! SAVE NEW SEQUENCER VALUE IN G_AST !
IDL G_AST. SEQUENCER* Re), RR6
! UNLOCK G_AST !











* READS CURRENT VALUE OF THE *
* EVENTCOUNT SPECIFIED BY THE *
* USER. *
* PARAMETERS: *
* Rl: SEG HANDLE PTR *
* R2: INSTANCE (EVENT #) •
* RETURNS: *
* RR4: EVENTCOUNT VALUE *
:p^* 3C*< 3* *c *c *c 3C* *c >P* *c *c *( 3? *c *e >** 7 *c ** 3«C >P*«9
* LOCAL VARIABLES:
* RR6: SEQUENCER VALUE



























! SAVE INPUT PARAMETERS !
PUSH GR15, Rl
PUSH PR15, R2
! LOCK G_AST !
LDA R4T G_AST_L0CK
CALL K_L0CK
! RESTORE INPUT PARAMETERS !
POP R2, 0R15
POP Rl, GR15
! GET G_AST ENTRY # !
LD R8, MM_HANDLE.ENTRY_N0(R1)
! READ EVENTCOUNT !



























LD R0 t #INVALID_INSTANCE
FI
! NOTE: NO VALUE IS RETURNED IF
USER SPECIFIED INVALID EVENT #
! SAVE RETURN VALUES I
PUSHL (?R15, RR4
! UNLOCK G_AST !
LDA R4 f G_AST_LOCK
CALL KJJNLOCK
! RESTORE RETURN VALUES !
POPL RR4, 0R15
RET
END MM READ EVENTCOUNT
165

024A MM ADVANCE PROCEDURE
I K*&>*Wi«>PWWWWW?^>»9irV9W^W?Vs;ip
* DETERMINES G_AST OFFSET FROM *
* SEGMENT HANDLE AND INCREMENTS *
* THE INSTANCE(EVSNT #) SPECIFIED *
* BY TEE CALLER. THIS IN EFFECT
* ANNOUNCES THE OCCURRENCE OF THE
* EVENT. THE NEW VALUE CF THE
* EVENTCOUNT IS RETURNED TO THE
* CALLER.
* PARAMETERS: *
* Pi: HANDLE POINTER *
* R2: INSTANCE (EVENT #)
* RETURNS: *


























! SAVE INPUT PARAMETERS !
PUSH GR15, Rl
PUSH GR15, R2
! LOCK G AST !
LDA R47 G_AST_LOCK
CALL K_L0CK
! RESTORE INPUT PARAMETERS !
POP R2, PR15
POP Rl, 0R15
! GET G_AST OFFSET !
LD R4, MM_HANDLE.£NTRT_NO(Rl)
















0284 5442 LDL RR2, G_AST.EVENT2(R4)
0286 001C*
0288 1602 ADDL RR2, #1
028A 0000
028C 0001
! SAVE NEW EVENTCOUNT
028E 5D42 LDL G_AST.EVSNT2(R4) , RR2
0290 001C*
0292 2100 LD R0, #SUCCEEDED
0294 0002
0296 5E08 ELSE IINVALID INPUT!
0298 029E'









! NOTE: AN INVALID INSTANCE VALUE
WILL NOT AFFECT EVENT DATA !








APPENDIX D - GATE KEEPER LISTINGS
Z8000ASM 2.02
































































$SECTION KERNEL GATE FROC
168






































! SAVE REGISTERS !
SUB R15, #REGIST^R_BLOCX
LDM @R15, Rl, #16
! SAVE NSP !
PUSH G>R15, R2
LDCTL R2, NSP
! RESTORE INPUT REGISTERS !
EX R2, CR15
! SAVE REGISTER 2 !
PUSH G>Rl5 f R2
! GET SYSTEM TRAP CODE !
LD R2, R15(ffTRAP_C0DE_0FFSET)
! REMOVE SYSTEM CALL IDENTIFIER FROM
SYSTEM TRAP INSTRUCTION !
CLRB RH2
! NOTE: THIS LEAVES THE USER VISI3LE
EXTENDED INSTRUCTION NUMBER IN R2 !
! DECODE AND EXECUTE EXTENDED INSTRUCTION
IF R2
! NOTE: THE INITIAL VALUE FOR REGISTER 2
WILL BE RESTORED WHEN THE APPROPRIATE
CONDITION IS FOUND !
CASE #ADVANCE CALL THEN
POP R2 ? GR15
CALL ADVANCE
CASE #AVAIT CALL THEN
POP R2, GR15
CALL AWAIT
CASE #CREATE SEG CALL THEN
169

0042 97F2 POP E2, 0R15
0044 5F00 CALL CREATi_SEG-
0046 0000*






0054 97F2 POP R2, 0R15
0056 5F00 CAIL DELETE_SEG
0058 0000*






0066 97F2 POP R2, (?R15
0068 5F00 CALL MAKE_KNOVN
006A 0000-






0078 97F2 POP R2, CR15
007A 5F00 CALL READ
007C 0000-






008A 97F2 POP R2, 0R15
008C 5F00 CAIL SM SWAP IN
008E 0000*






009C 97F2 POP ?.2, C°R15
009E 5F00 CALL SM_SWAP_OUT
00A0 0000*































































































CASE ^TICKET CALL THEN
POP R2, 0R15
CALL TICKET
CASE #WRITS CALL THEN
POP R2, ORIS
CALL WRITE
CASE *WRITELN CALL THEN
POP R2, ORIS
CALL WRITELN





ELSE ! INVALID KERNEL INVOCATION!
! RETURN TO MONITOR !
! NOTE: THIS RETURN TO MONITOR IS
FOR STUB USE ONLY. AN INVALID
KERNEL INVOCATION WOULD NORMALLY




0104 2100 LD R0, #INVALID KERNEL ENTRY
0106 0BAD
0108 5F00 CAIL MONITOR
010A A902
FI
! SAVE REGISTERS ON KERNEL STACK !
! SAVE Rl !
010C 93F1 PUSH GR15, Rl
! GET ADDRESS OF REGISTER BLOCK !
010E 34F1 LDA Rl, R15(#4)
0110 0004
! SAVE REGISTERS IN REGISTER BLOCK
ON KERNEL STACK. !
0112 1C19 LDM (?R1, Rl, #16
0114 010F
! RESTORE Rl JUT MAINTAIN ADDRESS
OF REGISTER ULOCK !
0116 2DF1 EX Rl, PR15
! SAVE Rl ON STACK !
0118 33F1 ID R15(#4), Rl
011A 0004
! RESTORE REGISTER BLOCK ADDRESS !
011C 97F1 POP Rl, fiR It)
! SAVE VALID EXIT SP VALUE !
011E 33F1 LD R15(#30), Rl
0120 001E
! EXIT KERNEL BY MEANS OF HARDWARE
PREEMPT HANDLER !
0122 5E08 JP KERNEL EXIT
0124 0000*
0126 END GATE KEEPER_MAIN











































v Rl:SEGMENT # *
* R2:INSTANCE (ENTRY*) 5*
- RETURNS: *







* R1:SEGMENT # *
* R2: INSTANCE *
- RR4::SPECIFIED VALUE -
* RETURNS: *













* RR4: CLASS *
»j« 3i> »i" »i* 5|t *,» ?,» i,i 3f» J ti J,* i,I 2y* *y* *»t i|" 3|S #,: ^,i *,C S^C -,C 3JC J,t
* RETURNS: *
* R0:SUCCESS CODE *
',' '|JV '.: '«*V V 'I'V V 'l* '.* '^ *!' »1* '.; V '.* 'I1 '.*^ ^ '.* 'I' T
ENTRY
0008 7F03 SC #CREATE_SEC-_CALL
000A 9E08 RET
000C END CREATE_SEG
000C DELETERS EG PROCEDURE
5:4 PARAMETERS : *
* Rl : MENTOR SEG NO *
- R2:ENTRY_NO
=? *? ^t sp *W sp =* a«c sjc Sit a* j* a* 3* sjc jj« s* ap 3c 3* 3? s?
* RETURNS: *
* R0:SUCCESS CODE *
ENTRY










- R3:ACCESS DESIRED *
-




* R0: SUCCESS CODE -
"• Rl: SEGMENT #
* RH: ACCESS ALLOWED *
3* 3? 3? J£ 33! 3* 3£ 3? a? 3? 3? J? 3*3?: 3* J? 3£ 3^331 3? 331 3? 3? 331 |
ENTRY
0010 7F05 SC #MAKE_£NOWN_CALL
0012 9E08 RET





* RlrSEGMENT # *
* ^2: INSTANCE *
#i» »(» *i* *i» JJ» »|» *i% *(» J|S »i% * (S J,» »|» J|« *|* »(• ?|% *|* »(» *)» •%» 1» *(• #i»
* RETURNS: *
* R0:SUCCESS CODE *
* RR4:EVENTCOUNT *
ENTRY





* Rl: SEGMENT # *
* RETURNS: *
* R0:SUCCESS CODE *
ENTRY





* RlrSEGMENT # *
* RETURNS: *
* PB: SUCCESS CODE -
ENTRY





* Ri: SEGMENT # *
* RETURNS: *
- P0r SUCCESS CODE
ENTRY







* Pi:SEGMENT # *
<-,i *|» *|* *i» *»» •»» »,* »|» *»i *|* »i» *,i »,* *|C *|» »|» *,» ifi *,i »,S #{• i,» l|i i,»
* RETURNS: *
* R0:SUCCESS CODE *
* RR4: TICKET 7ALUE
ENTRY




















APPENDIX E - BOOTSTRAP LOADER LISTINGS
Z8000ASM 2.02






jjs^ajc^JiejFJjesje SYSTEM '.PARAMETERS ********
NR CPU : = 2
NR VP : = NR CPU*4
NP. AVAIL VP : - = NR C?U*2
MAX DBR NR i\ — 10
STACK. SEG :: = 1
STACK SEG SIZE : ; = %100
STACK_3L0C"K : ' = STACK_SEG_SIZE/25b
! * * OFFSETS ]:n STACK SEG * * !
STAC! BASE : =s STACK SEG SIZJL-310
STATUS REG BLOCK: : = STACK SEG SIZE-%10
INTERRUPT FRAME • ; = STACK BASE-4
INTERRUPT REG : ' = INTERRUPT FRAME-34
N S P : = INTERRUPT REG-2
F_C_W j = STACK SEG SIZE-£E
i w?wv SYSTEM CONSTANTS ****** \
ON :; = %FFFF
OFF : =
READY : = 1
NIL > = %FFFF
INVALID :; = tiij Jl- EE
KERNEL FCW : = sseee
AVAILABLE ; =
ALLOCATED ; = %jj





















































































ARRAY [NR_VP t VP TABLEJ
ARRA* [NR VP,~MSG TABLEJ
178

EXT_VP_LIST ARRAY [NR_AVAIL VP WORDJ








! NOTE: THESE DECLARATIONS tfILL NOT WORK
IN A TRUE MULTIPROCESSOR ENVIRONMENT AS
THET ARE SUBJECT TO A "CALL." THEY MUST
BE DECLARED AS A SHARED GLOBAL DATABASE
WITH "RACE" PROTECTION (E.G., LOCK). !
0000 NEXT_A?AIL_VP INTEGER






* CREATES KERNEL PROCESSES
* INITIALIZES KERNEL DATAEA
* INCLUDES INITIALIZATION
* VIRTUAL PROCESSOR TABLE,
* EXTERNAL 7P LIST, AND MMU
* IMAGES. ALLOCATES MPU IM
* AND CREATES KERNEL DOMAIN

























! INITIALIZE PRDS AND MMU POINTER !
! NOTE: THE FOLLOWING CONSTANTS ARE
ONLY TO BE INITIALIZED ONCE. THIS
WILL OCCUR DURING SYSTEM INITIALIZATION!
LD PRDS. PHY S CPU ID, #^FFFF
NOTE: LOGICAL CPU NUMBERS ARE ASSIGNED
IN INCREMENTS OF 2 TO FACILITATE INDEXING
(OFFSETS) INTO LISTS SUBSCRIPTED Bv
LOGICAL CPU NUMBER. !
PRDS. LOG CPU ID, #2
! SPECIFY NUMBER OF VIRTUAL PROCESSORS





! ESTABLISH GATE KEEPER AS SYSTEM CALL
TRAP HANDLER !






! ADD SYSTEM CALL OFFSET TO PSA BASE ADDR !
ADD Rl, #SC_OFFSET








! STORE ADDRESS OF SATE KEEPER IN PROGRAM
STATUS AREA AS SYSTEM TRAP HANDIER !
INC Rl, #2
LD (?R1, #GATS KEEPER ENTRY
CI? P.l ! NEXT AVAIL MMU INDEX !
! INITIALIZE ALL MMU IMAGES AS AVAILABLE !
SET_MMU_MAP:
DO
0030 4C15 LDiJ NEXT_AVAIL_MMU(R1), #AVAILA£LE
0032 0000*
0034 0000
0036 A910 INC Rl, Ul
! CHECK FOP END OF TABLE !
0038 0B01 CP Rl, *MAX_DBR_NR
003A 000A





! CREATE MEMORX MANAGER PROCESS !
0046 2103 LD R3, #STACK_BLOCK
0048 0001
! ALLOCATE AND I N 1
1
DOMAIN STACK SEGMENT !





004E A121 LD Rl, R2
0050 2103 LD R3, #KERNEL_FCW
0052 5000
0054 7604 LDA R4, MM_SNTRY
0056 0000*
0058 6105 LD R5, 2FFFF !NSP!
005A FFFF
005C 7606 LDA R6, PREEMPT_RET
005E 0000*
0060 93F1 PUSH (?Rl5 t Rl !SAVE STACK ADDR!
0062 030F SUB R15, #8
0064 0008
0066 1CF9 LDM 0R15, R3, #4
0068 0303
006A A1F0 LD R0, R15
! NOTE: ARGLIST FOR CREATJS STACK INCLUDES


















CALL CREATE STACK ! (R0: ARGUMENT PTR
ADD
Hi: TCP OF STACK
R2-R14: INITIAL
^ E G STATES !
Rib, #8 !OVERLAY ARGUMENTS!







(R0: DBR #) !
! SEGMENT NO
R2, GR15 !GET STACK ADER!
R3, #0 ! "VRITE ATTRIBUTE !
i SPECIFY NUMBER OF BLOCKS. COUNT STARTS
FROM ZERO. (I.E. ,1 BLOCK=0, 2=1, ETC.)!
LD R4. #STACK_£LOCK-l







! CREATE MMU ENTRY FOR MM STACK SEGMENT !





















! GET ADDRESS OF MMU IMAGE !
CALL GET_D£R_ADDR ! (R0: DER rt)
RETURNS:
(Hi: DBR ADDRESS) !
! PREPARE VP TABLE ENTRIES FOR MM !
R2, #2 ! PRIORITY !
R5, #OFF ! PREEMPT !
R6, #OFF ! KERNEL PROCESS !










! INITIALIZE MM_CPU_TEL IN DISTRIBUTED MEMORY
MANAGER WITH VP ID OF MM PROCESS !
! GET LOGICAL CPU # !
00A2 610A LD R10, PRDS.LOG_CPU_ID
00A4 0002*
00A6 6FA9 LD MM_CPU_T£L(R10), R9
00A8 0000V
! CREATE IDLE PROCESS !
00AA 2103 LD R3, #STACK_BIOCK
00AC 0001




00B2 A121 LD Rl, R2
00B4 2103 LD R3, #KERNSL_FCW
00E6 5000
00B8 7604 LDA R4, IDLE_ENTRY
00BA 0000*
00BC 2105 LD R5, #£FFFF !NSP!
00BE FFFF
00C0 7606 LDA R6, PRESMPT_RET
00C2 0000*
00C4 93F1 PUSH GR15, Rl !SAVE STACK ADDR!
00C6 030F SUB R15, #8
00C8 0008
00CA 1CF9 LDM 0R15, R3, #4
00CC 0303
00CE A1F0 LD R0, R15
! INITIALIZE IDLE STACK VALUES !





Rl : TOP 01 STACK
R2-R14: INITIAL
REG. STATES '
R15, #8 ! OVERLAY ARGUMENTS!
00D8 5F00
00DA 0000*
! ALLOCATE MMU IMAGE FOR IDLE PROCESS !




! PREPARE IDLE PROCESS MMU ENTRIES !
LD Rl, #STACK SEG ! SEG # !





















R3, #0 ! WRITE ATTRIBUTE !
R4, #STACK BLOCK-1 ! BLOCK LIMITS !
! SAVE DBR n !
PUSH (3R15, Re
! CREATE MMU IMAGE ENTR 7" !
CALL UPDATE MMU IMAGE ! (31: SEGMENT #
R2: SEG ADDRESS
A3: SEG ATTRIBUTES
R4: SEG LIMITS ) !
! RESTORE DBR # !
POP R0, CR15
! GET MMU ADDRESS !
CALL GET DBR ADDR ! (P.0: £BR #)
RETURNS
(Rl: DBR ADDRESS) !
! PREPARE VPT ENTRIES FOR IDLE PROCESS !






! KERNEL PROC !
! CREATE VPT ENTRIES !





R6: EXT VP FLAG^
RETURNS
:
R9: VP ID !
! ENTER VP ID OF IDLE PROCESS IN FRDS !
0106 6F09 LD PRDS.IDLE_VP, P9
0108 0006*
! INITIALIZE IDLE VP 'S !
010A 2102 LD R2, *1 ! PRIORITY !
010C 0001
010E 2105 LD R5, #ON ! PREEMPT !
0110 FFFF
0112 2106 LD R6, #ON ! NON-KERN EL PROC!
0114 FFFF
0116 6100 LD R0, PRDS.VP_NR
0118 0004*







































EC !ALL VP'S INITIALIZED! THEN
EXIT
ITILIZE VPT HEADER !
T LOGICAL CPU NUMBER !
R2, P?DS.LOG_CPU_ID
VPT. LOCK, *OFF
VPT. RUNNING LIST(R2), #NIL
VPT. READY LIST(R2), ffNIL
VPT. FREE LIST !HEAD CF MSG LIST!
!THREAD VP 'S BY PRIORITY AND SET STATES TO READY !
































! SAVE OBJ ID !
PUSH GR15. R2





















! RESTORE OBJ ID !
POP R2, GR15
ADD R2, #SIZEOF VP_TABL£
CP ?2, #(NR_VP * (SIZEOF V?_TAELE))




! INITIALIZE VP MESSAGE LIST !
! NOTE: ONL^ THE THREAD FOR THE MESSAGE
LIST NEED BE CREATED AS ALL MESSAGES
ARE INITIALLY AVAILABLE FOR USE. THE
INITIAL MESSAGE VALUES WERE CREATED
FOR CLARITY ONLY TO SHOW THAT THE
MESSAGES HAVE NO USABLE INITIAL VALUE!
CLR Rl
LST_INIT:
! NOTE: Rl REPRESENTS CURRENT ENTRY IN
MSG_LIST, R2 REPRESENTS CURRENT POSITION
IN MSG_LIST ENTRY, AND R3 REPRESENTS
NEXT ENTR^ IN MSG LIST. !
DO
017E A112 LD R2 t Rl
0180 A123 LD R3, R2




0186 4D25 LD VPT.MSG_C.MSG(R2) , #INVALID
0188 0110*
018A EEEE
018C A921 INC R2, #2
018E 8B32 CP R2, R3











































! GST LOGICAL CPU # FOR USE
BY ITC GETWORK. !
LD R13, PRDS .LOG_CPU_ID
! BOOTSTRAP COMPLETE !
! START SYSTEM EXECUTION AT PREEMPT ENTRV !





01CA UPDATE VP TABLE PROCEDURE
* INITIALIZES VPT ENTRIES *
2y£ *,**,» ijC i,i i,i j^i 5|C *^ ;,c ;,i i,s j,« £,£ «^c »,» J^ i,i «,£ .*,» *,i J#s 2^* »,* J,; i,i Tfi 5^C J,C JJ» *,* Z£
* REGISTER USE: *
* PARAMETERS: *
* Rl: DBR ADDRESS *
R2: PRIORITY *
R5: PREEMPT FLAG *
Rb: EXTERNAL VP FLAG
RETURNS:
R9: ASSIGNED V? ID
LOCAL VARIABLES: *
R7: LOGICAL CPU * »
R8: EXT_VP_LIST OFFSET *















































VPT.VP.MSG LIST(R9), #N II
! CHECK EXTERNAL VP FLAG !
R6, #ON
IF EO ! EXTERNAL VP!
TEEN ! VP IS TC VISIBLE !
LD R8, NEXT EXT VP





0202 6F98 LD VPT.VP.EXT ID(R9) , Rb
0204 0020*
0205 Ay81 INC R8 f #2
020e 6Fee ld nsxt_extjtp. Re
020A 0002'
020C 5E08 ELSE !V? BOUND TO KERNEL PROCESS!
020E 0216'




0216 A19A LD Rl0, R9
0218 010A ADD R10, #SIZ£OF VP_TA£LE
021A 0020
021C 6F0A LD NEXT AVAIL_VP f R10
021E 0000'
0220 9E08 RET

































* INSERTS OBJECTS INTO A LIST
* BY ORDER OF PRIORITY AND SETS *
* ITS STATS *
* REGISTER USE: *
* PARAMETERS: *
* R2: OEJECT ID *
* R3: HEAD_OF_LIST PTR ADDR *
* R4: NEXT OBJ_PT?~ADDR - *
* R5: PRIORITf_PTR ADDR *
* R6: STATE_PTR ADDR *
* R7: OBJECT STATE *
* LOCAL VARIABLES: *
* R£: HEAD OF LIST PTR *
* R9: NEXT_OBJ_PTR *
* R10: CURRENT_OBJ PRIORITY *





































! GET FIRST OBJECT IN LIST !
LD R8, PR3
CP R8, #NIL
IF EO !LIST IS EMPTY! THEN






! COMPARE OBJ PHI WITH LIST HEAD PRI !
LD R10, R5(R2) !OBJ PRI!
LD Rll, R5(R8) !HEAD PRI!
CP R10, Rll
IF GT !0BJ PRI>HEAD PRI! THEN
LD
LD
GR3, R2 !PUT AT FRONT!
R4 ( R2 ) , R8






0030 0B08 CP R8, *NIL
0032 FFFF
^034 5E0E II EO !END OF LIST! THEN
0036 003C '
0038 5E08 EXIT FROM SEARCH LIST
0e3A 0052'
FI
003C 715B LD Rll, 35 (RS) !GET NEXT FRI !
003E 0800
0040 8BBA CP R10, Rll
0042 5E02 IF GT ! CURRENT PRnNEXT PRI! THEN
0044 004A'
0046 5E08 EXIT FROM SEARCH_LIST
0048 0052'
FI
! GET NEXT OBJ !
004A A189 LD R9 , RS
004C 7148 LD R8, R4(R9)
004E 0900
0050 EfcEF OD ! END SEARCH_LIST !
! INSERT IN LIST !
0052 7348 LD R4(R2) t RS
0054 0200




! SET OBJECT'S STATE !
005A 7367 LD R6(R2) , R7
005C 0200
005E 9E08 RET







































































ORIS, R0 !SAVE ARGUMENT PTP !
R0, R15 !SAVE SP!
R15, R1(#INTERRUPT_REG)
ORIS, Rl, *16 ! INITIAL REG. VALUES!












R15, R0 ! RESTORE SP!
R0, GR15 ! RESTORE ARGUMENT PTR!
R14, Rib !SAVE CALLER RETURN POINT!
R15, R0 !G£T ARGUMENT PTP!
R3, GR15, *4 !LOAD ARGUMENTS!
Rib, R1(#INTERRUFT_FRAME)
(?R15, R3, UZ !INIT I RET FRAME!
R15, Rl(*N_S_?)





008A 2FF6 ID 0R15, R6 ! PREEMPT RET POINT!
008C 3418 IDA R8 f Rl (#STACK BASE )
008E 00F0
! INITIALIZE STATUS REGISTER RLOCK !
0090 2100 ID R0, #KERNEI_FC'v
0092 5000
0094 1C89 LDM (?R8, R15, *2 !SAVE SP * FCW
!
0096 0F01
0098 A1EF LD R15, R14 IRES TORE RETURN POINT!





APPENDIX G - INNER TRAFFIC CONTOLLER LISTINGS
ZS000ASM 2.e2
IOC OBJ CODE STMT SOURCE STATEMENT
INNER TRAFFIC CONTROL MODULE
$LISTON $tty
. GETWORK:
A. NORMAL ENTRY DOSS NOT SAVE REGISTERS.
( THIS IS A FUNCTION OF THi GATEK1EFER ).
B. R14 IS AN INPUT PARAMETER TO GETWORK THAT
SIMULATES INFO THAT WILL EVENTUALLY JBE ON
THE MMU HARDWARE. THIS REGISTER MUST BE
ESTABLISHED AS A DBR EY ANY PROCEDURE
INVOKING GETWCRK.
C. THE PREEMPT INTERRUPT ENTRY HANDLER DOES
NOT USE THE GATEKEEPER AND MUST PERFORM
FUNCTIONS NORMALLY ACCOMPLISHED BY IT
PRIOR TO NORMAL ENTRY AND EXIT.
( SAVE/RESTORE: REGS, NSPJ UNLOCK VPT, TEST INT
2. GENERAL:
A. ALL VIOLATIONS OF VIRTUAL MACHINE INSTRUCTIONS
APE CONSIDERED ERROR CONDITIONS AND WILL RETURN
SYSTEM TO THE MONITOR WITH AN ERROR CODE IN R0
AND THE PC VALUE IN Rl
.
B. ITC PROCEDURES CALLING GETWORK PASS DPR
(REGISTER R14) AND LOGICAL CPU NUM££R
(REGISTER R13) AS INPUT PARAMETERS.
(INCLUDES: SIGNAL, WAIT, SWAP_VDrP,





M L ER := 2




M U~ := 7
ERROR CODES ********** t
UNAUTHORIZED LOCK !
MESSAGE LIST EMFTY !
MESSAGE LIST ERRC 73 !
READY LIST tMPTY !
MESSAGE LIST OVERFLOW
! SWAP NOT ALLOWED !
! VP INDEX ERROR !





SYSTEM PARAMETERS ******** f






























































































RUNN1NG_LIST ARRAY [NR_CPU WORDJ
READY LIST ARRAY [NR CPU WORDJ
FREE_IIST MSG_IND£X
VIRT_INT_VEC ARRAY [1, ADTRESSJ
FILLER_2 WORD
VP ARRAY [NR VP , VP_TAELEJ
MSG_0 ARRAY [NR_VP. MSG- TAJbLfiJ
J
0210 EXT_VP_LIST ARRAY [NR_AVAIL_VP WORDJ
$SECTION MMU_DATA
0000 MMU IMAGE RECORD
"[
MMU STRUCTURE ARRAY [MAX DBR NH MMU J
]












* SWAPS VIRTUAL PROCESSORS *
- ON PHYSICAL PROCESSOR.
jjt sj: as: age age 9 age ap j? qc aje ay ap ags ay jjc sj« age jjc ap ap ap ^s a? ajc *s spv jjcj? a,t
* PARAMETERS: *


































! GET STACK BASE !
LD R4, R14(*STACK SEG*4)
LDA R5, R4(*STATUS REG BLOCK)
! * * SAVE SP " !
LD (?R5, R15
I
=? v SA^E FCW * * !
LDCTL R3, FCW
LD R4(#F C W) , R3
0010 61D1
0012 0006'
BOOTSTRAP_ENTF.Y: ! GLOBAL LAi^EL !
! GET~READY_VP LIST !











DO ! UNTIL SLGIBLE READY VP FOUND !
CP VPT. VP. IDLE FLAG (Rl), *ON
IF EC ! VP IS IDLE ! THEN
CP VPT.VP.PREEMPT(Rl) , #ON

































ELSE ! VP NOT IDLE !
EXIT FROM SELECT_V?
FI




! NOTE: THE READY_LIST WILL NEVER BE
THE IDLE VP, WHICH IS THE LOWEST
WILL NEVER BE REMOVED FROM THE
IT WILL RUN ONLY IF ALL OTHER FE£DV VP'S
IDLING OR IF THERE ARE NO OTHER VP'S ON
THE READT_LIST. ONCE SCHEDULED, IT
WILL RUN UNTIL RECEIVING A HDWE INTERRUPT
! NOTE: R14 IS USED AS D£R HERE. WHEN MMU
IS AVAILABLE THIS SERIES OF SAVE AND LOAD
INSTRUCTIONS WILL iJE REPLACED Ei SPECIAL I/O
INSTRUCTIONS TO THE MMU. !
! PLACE NEW VP IN RUNNING STATE !







! - - SWAP DBP * - !
LD R14, VPT.VP.DBR(Rl)
! LOAD NEW_VP SP !
LD R4, R14(#STACK_SEG*4)
LDA R5 f R4(*STATUS_REG_BLOCK)
LD R15, GR5







005c ErvTER msg list PROCEDURE
f sps^Jis^jjc^jp^sis^spstJiCjpsje^jp^^^j.sspjis^jjtSis^SrJisv^sissP
V INSERTS POINTER TO MESSAGE
* FROM CURRENT VP TO SIGNALED VP*
* IN FIFO MSG LIST *
iji *i* *|» *|» ^* *»* *|» *t* *»* *i» *»* *(» *i* *(* *i» *t* *»* *»* *^ *I* *** *»" *»* *»* *(* *I* *l" "l* 'l* *»* *»' *>* *1*
s? REGISTER USE: *
V PARAMETERS: *
•i* R8(R9):MSG (INPUT) *
"r Rl: SIGNALED VP (INPUTS *
5? R13: LOGICAL~CPU NUMBER *
V LOCAL VARIABLES: *
* R2: CURRENT VP *
53 R3: FIRST FREE MSG *
V R4: NEXT FREE MSG *
*e R5: NEXT Q MSG *
V R6: PRESENT Q MSG *
*«£ *i* *.» «i* »!» *»5 ijZ *fi #,i i t; ;,c afi zfi 7fi J,i ^i 3,s s^t -^ 2^s ^i ;,* »,> j^c ;,i sjc ;,c i,i ;,j #^« *,; i,; *,» j
ENTRY
005C 61D2 ID R2, VPT.RUNNING_LIST(R13)
005E 0002'
! GET FIRST MSG FROM FREE LIST !
0060 6103 LI
00b2 000A'
j sje v * * DEBUG * * * * !
0064 0E03 CP R3, #NIL
0066 FFFF
0068 5E0E IF EC THEN
006A 0079'
006C 7601 LDA Rl, S
006E 006C'
0070 2100 LD R0, #M_L_0! MESSAGE LIST
0072 0004














w * * END DEBUG * v * !
LD R4, VPT.MSG_0.N£XT_MSG(R3^
LD VPT.FREE_LIST, R4






008C 6F32 LD VPT. MSG .SENDER (R3 ) , R2
008E 0120'
! INSERT MSG IN MSG_LIST !
0090 6115 LB R5, VPT . VP ,MSG_LIST f Rl )
0092 0015'
0094 0E05 CP R5, #NIL
0096 FFFF
0098 5E0S IF EO ! ^SG LIST IS EMPTY ! THEN
009A 00A4'
! INSERT *SG AT TOP OF LIST !
009C 6F13 LD VPT.?P.MSG_LIST(Rl) , R3
009E 001E'
00A0 5E08 ELSE ! INSERT MSG IN LIST !
00A2 00EC'
MSG Q_SEARCH:
DO ~! '#HILE NOT END OF LIST !
00A4 0B05 CP R5, #NIL
00A6 FFFF
00A8 5E0E IF EO ! END OF LIST ! THEN
00AA 00B0'
00AC 5E08 EXIT FROM MSG SEARCH
00AE 00B8'
FI
! GET NEXT LINK. !
00B0 A156 LD R6, R5




! INSERT ^SG IN LIST !
00B8 6F63 LD VPT. MSG_0. NEXT_MSG( 86 ) , R3
002 A 0122'
FI
00BC 6F35 LD VPT. MSG Q .NEXT MSG (R3 ) , R5
00EE 0122'
00C0 9E08 RET









* REMOVES MSG FROM MSG_1IST
* AND PLACES ON FREE LIST.




* Rd(R9): MSG POINTER (INPUT)
* R13: LOGICAL CPU NUMBER ( INPU




















! REMOVE FIRST MSG FROM MSG_LIST !


















































! INSERT MESSAGE IN FREE LIST !
LD R5, VPT.FREE_LIST
CP R5, #NIL
























! INSERT AT TOP OF LIST !




















LD yPT.MSGJ}.N£XT_MSG(R3) t #NIL




IF EO ! END OF LIST ! THEN
EXIT FROM FREE_g_SEARCH
FI




! INSERT IN LIST !





! GET MESSAGE INFORMATION:









END GET FIRST MSG
203

! * * INNER TRAFFIC CONTROL ENTRY POINTS * v !
! NOTE: AIL INTERRUPTS MUST BE MASKED WHENEVER
THE VPT IS LOCKED. THIS IS TO PREVENT AN
EMBRACE FROM OCCURRING SHOULD AN INTERRUPT






* CREATES ENTRY IN VIRTUAL INT-*
* ERRUPT VECTOR WITH ADDRESS *
* OF THE VIRTUAL INTERRUPT FAN-*
* DLER. *
* PARAMETERS: *
* w l : VIRTUAL INTERRUPT # *
* R2: INTERRUPT HANDIER ADDR *
ENTRY
! COMPUTE OFFSET IN VIRTUAL
INTERRUPT VECTOR !
0000 1900 MULT RR0, *SIZEOF ADDRESS
0002 0002
! SAVE ADDRESS OF VIRTUAL INTERRUPT
HANDLER IN INTERRUPT VECTOR !
0004 6F12 LD VPT.VIRT_INT_VEC(R1) f R2
0006 000C'
0008 9E08 RET
000A END CREATE INT VEC
204

eeeA get dbr aedr procedure
* CALCULATES DER ADDRESS FROM *
* DBR NUMBER *




* R0 : DBR # *
- RETURNS: v
* Rl : DBR ADDRESS *
ENTRV
! GET BASE ADDRESS 0? MMU IMAGE !
000A 7601 IDA Rl, MMU_IMAGE
000C 0000'
! ADD DBR HANDLE (OFFSET) TO MMU EASE
ADDRESS TO OBTAIN DBR ADDRESS !
000E 8101 ADD Rl, R0
eeie 9E08 ret










ifi Zfi J? J? Tjt 3p Vf. 3f( Jp 0? S£ J? 7£ 3}C 3(Sf SpV S?V >p S? Sp *P >P Sp >P 3pV *P >P^
- ALLOCATES NEXT AVAILABLE MMU *
* IMAGE ANT CREATES PRDS ENTRY *
- REGISTER USE: *
* RETURNS : *
R0: DBR # *
LOCAL VARIABLES: *
Rl : SEGMENT # *
R2: PRDS ADDRESS *
R3: PRDS ATTRIBUTES *
R4: PRDS LIMITS *
ENTRY
! GET NEXT AVAILABLE DBR # !
CLR R0
CLR Rl
! NOTE: THE FOLLOWING IS A SAFE SEQUENCE




























CPB NEXT AVAIL MMU(Rl), ^AVAILABLE
IF EO !MMU ENTRY IS AVAILABLE!
THEN
LDB NEXT AVAIL MMU(Rl), #ALLOCATED
EXIT FROM GET_DBP
ELSE !CURRENT ENTRY IS ALLOCATED!
INC Rl, #1
ADD R0, #SIZEOF MMU
J
? V "r * JJgJ'Jg vr ? ? ? |
CP Rl, #MAX_DBR_NR
IF EO THEN

















Rl, #PRDS_SEG ! SEGMENT NO.
R2, PRDS ! PRDS ADDR
R3, #1 ! READ ATTR !
R4, #((SIZEOF PRDS)-l)/256





! CREATE PRDS ENTRY IN MMU IMAGE !
CALL UPDATE_MMU_IMAGE !(R1: SEGMENT #
R2: SEC- ADDRESS
R3: ATTRIBUTES




























































* CREATES SEGMENT DESCRIPTOR
* ENTRY IN MMU IMAGE



























LD R13, #SIZSOF SEG DESC REG
MULT RR12, Rl ! COMPUTE SEG_DES.C
ADD R10, R13 !ADD OFFSET TO BASE






























END UPDATE MMU IMAGE
! EXECUTE M A5? !































- INT^A_KERNEL SYNC/COM PRIVATIVE
* INVOKED BI KERNEL PROCESSES
sp sp 5p sp Sit sp ^s sp9 sp sjs ^« ?? sp sp sp ;gc s? sp ^t sp sp 3? sp sjc sp sp sp sp sp j? ^ sp
- PARAMETERS
* RS(R9): MSG POINTER (INPUTS
* Rl : SENDING_VP (RETURN)
* GLOEAL VARIABLES
* R14: DBfi (PARAM TO GETWORIH *
* LOCAL VARIA3LES *
- R2: CURRENT_VP (RUNNING) -
* R3: NE7T_READY_VP *
* R4: LOCK ADDRESS *
* R13: LOGICAL CPU NUMEER *
ENTRY
! MASK INTERRUPTS !
DI VI
! LOCK VPT !
LDA R4 f VPT. LOCK
CALL SPIN LOCK ! (R4:~VPT.LOCK) !
! NOTE: RETURNS WHEN VPT IS LOCKEE It THIS VF !
! GET CPU NUMBER !








R2 t VPT. T?.UNNING_LIST(R13)
R3, VFT.VP.NEXT_READI_VP(R2>
VPT.VP.MSG LIST(R2), #NIL
IF EC ! CURRENT VP'S ^SG LIST IS EMPT V ! THEN
! REMOVE CURRENT_VP FROM R£AEY_LIST !
f
-v v v v DEBUG * :,: * -"! !
CP R3, #NIL
IF EO THEN










































! * * * END DE£UG * * * !
7PT.READT_LIST(R13), R2
VPT. VP. NEXT READY VP(R2 ,l f #NIL
! PUT IT IN WAITING STATE !
LD VPT.VP.STAT£(R2) t ^WAITING
! SET DPR !
LD R14, 7PT.VP.CPR(R2)
! SCHEDULE FIRST ELGIBLi READV VP !
PUSH GR15.R8
! SAVE LOGICAL CPU # !
PUSH fJRlb, R13
CALL GETWORK !R13:C?U *
R14:DER!




! GET FIRST MSG ON CURRENT VP'S MSG LIST !
CALL GET_FIRST_MSG ! COPIES MSG IN MSG ARRA y '
! R13: LOGICAL CPU # !
! RETURNS Rl: SENDER VP !
! UNLOCK VPT !
00EE 4D08 CLR VPT. LOCK
00F0 0000'
! UNMASK VECTORED INTERRUPTS !
00F2 7C05 EI VI








* INTRA KERNEL STNC /COM PRIMATIVE -
* INVOKED PY KERNEL PROCESSES *
- REGISTER USE:
* PARAMETERS: *
* R8(R9): MSG POINTER (INFUT) *
* Rl : SIGNALED VP ID (INPUT) *
* GLOBAL VARIABLES *
* R13: CPU # (PARAM TO GETWORK ) *
* R14: DBR (PARAM TO GETWORK)
* LOCAL VARIABLES: *
* Rl: SIGNALED VP *
* R2: CURRENT VP *
* R4: VPT. LOCK ADDRESS *
ENTRT
! SAVE VP ID !
00F6 93F1 PUSH 0R15, Rl
! MASK INTERRUPTS !
00F8 7C01 DI VI
! LOCK VPT !
00FA 7604 LDA R4, VPT.LOCK
00FC 0000'
00FE 5F00 CALL SPIN_LOCK ! (R4 :~VPT.LOCK) !
0100 0282'
!NOTE: RETURNS WHEN VPT IS LOCKED BY THIS VP. !
! GET LOGICAL CPU # !
0102 5F00 CALL GET_CPU_NO ! RETURNS:
0104 02C8'
El: CPU #
R2 : * V? 'S !
0106 A11D LD R13, Rl
! RESTORE VP ID !
0108 97F1 POP Rl, (?Rl5
! PLACE MSG IN SIGNALED_V? 'S MSG_LIST !
010A 5F00 CALL ENTER MSG_LIST !(R8:MSG POINTER
010C 005C' Rl:SIGNALED_VP
Rl?:LOGICAL CPU #) !
010E 4D11 CP VPT.VP.STATE(R1 ) , ^WAITING
0110 0014'
0112 0002
0114 5E0E IF EO ! SIGNALED_VP IS WAITING ! THEN
0116 0148'
! WAKE IT UP AND MAKE IT READY !
0118 A112 LD R2, Rl

































LDA Rti, VPT.VP. STATS
LD R7, #RSAD V
! SAVE LOGICAL CPU # !
PUSH tfP.15, R13
CALL LIST INSERT !R2: OBJ ID
LIST FTP AL'CP.
R4: NEXT OEJ PTR
R5 : PRIORITY FTP.
R6 : STATE_FTR
R7: STATE !
! RESTORE LOGICAL CPU # !
POP R13, GR15
! PUT CURRENT VP IN READ 1?' STATE !
LD R2, VPT. RUNNING IlST(R13 N
LD VPT.VP. STATE (R2) , #READ7













! SCHEDULE FIRST ELGIELE READY VP !
CALL GETWORK !R13:I0GICAL CPU ft
P14:DBR !
FI
! UNLOCK VPT !
CLR VPT. LOCK






0150 SET PREEMPT PROCEDURE
* SETS PREEMPT INTERRUPT ON*
* TA?GET_VP. CAIIED BY TC_ *
* ADVANCE. *
i,: ?p 'i» *£>£ i? 2,* ^r 1* ^ *t» *i? 5^ *? *r *rV *J» *?*i* V '•» 1* 2£ 3£ 2,1 J,; i^




* Rl : TARGET VP I E (INPUT) -
- LOCAL VARIABLES *
* Rl: VP_ INDEX *
^C5^ 5? n*5£ J£ ^CSii^i V J^ ^ 3£ ^i ^i 2£*r *? ^*£ *^ ~fi *i* 5^ *£ V *i* *i ; I
ENTRT
! NOTE: DESIGNED AS SAFE SEQUENCE SO VFT NEED
NOT BE LOCKED. !
! CONVERT VP_ID TO VP INDEX !
R2, EXT VP LIST(R1^
ON TGT_VP PREEMPT FLAG !
VPTTVP. PREEMPT ( R2 ) , #ON
! ** IF TARGET VP NOT LOCAL
( NOT BOUND TO THIS CPU )
[IE, IF «CPU_SEG»CFU_IDOVFT.VF.FHYS_CPU( :3.l)J
THEN SEND HARDWARE PREEMPT INTERRUPT TO












| rt+ •»» *(• *|* »!» *,» »|* »|» »|5 •)» 5^ *y» #j* ^5 »(• » (* J(J J^% *(* »]• *|* *(% *|» ;.: ;,:
3? LOADS IDLE DER ON *
^ CURRENT VP. CALLED BY ;?
V TC GETWO^K. V
^yt*^^3fi^^Xt#xt*st3?**ifiVfi****ifi*fi
^r REGISTER USE T«
n* GLOBAL VARIABLE -.«
5? R13: LOG CPU # ¥
J? F14: EBR 5?
sge LOCAL VARIABLES: V
5? R2: CURRENT VP *
* R3: TEMP VAS 5?
•P R4: VPT.LOCK ADDR V
=* R5: TEMP *<
:? s^ ^ ;,cjs ^t ^ j^ v xx ;^ >;; ;? ^« " r^ r,s x,; ^i j£ ^: ^c v >? s,< f
ENTR?
' GET LOGICAL CPU # !



















! TURN ON CURRENT VP'S IDLE FLAG !
LD VPT.VP.IDLE FLAG(R2) t *ON
! SET VP TO READY STATE !






! SCHEDULE FIRST ELIGIBLE READY VP !
CALL GETWORK ! R13:IOGICAL CPU #
R14:DBR !
! UNLOCK VPT !
CLR VPT.LOCK








0198 SWAP VDBR^ PROCEDURE
* LOADS NEW DBR ON *
* CURRENT VP. CALLED 3Y *
- TC_GETWORK.
* REGISTER USE *
* PARAMETERS v
* RU NEW DBR (INPUT) *
* GLOBAL VARIABLES *
R13: LOGICAL CPU # -
* R14: DBR *
* LOCAL VARIABLES *
R2: CURRENT VP -
* R4: VPT.LOCK ADDR *
ENTRT
! SAVE NEW Di3R !
0198 93F1 PUSH PR15, Rl
! MASK INTERRUPTS !
019A 7C01 DI VI
! LOCK VPT !
019C 7604 LDA R4, VPT.LOCK
ei9E eeee'
01A0 5F00 CALL SPIN_LOCK ! (R4 :~VPT . LOCK ) !
01A2 0282'
! NOTE: RETURNS WHEN VPT IS LOCKED BY THIS VP.!
! GET CPU # !
01A4 5F00 CALL GET_CPU_NO ! RETURNS:
01A6 02C8'
Rl : CPU #
R2:* VP'S!
eiA8 A11D LD R13, Rl
! GET CURRENT VP !




^s :? v DEBUG * * * !
01AE 4D21 CP VPT. VP.MSG LIST (R2), *NIL
0iij0 eeis'
01B2 FFFF
01B4 5S06 IF NE ! MSG WAITING ! THEN
01B6 eiC4'
01B8 2100 LE R0, #S N A ! S'*AP NOT ALLOWED !
01BA 0005
01BC 7601 LDA Rl , $ IPC !
01BE 01BC
01C0 5F00 CALL MONITOR
01C2 A900
FI
! - * END DEEUG * ~- !
! SET DBR !
215

eiC4 61??, LD R14, VPT.VP.DER(R2l
01C6 0010'
! RES TOR i' NEW DBF !
eiCS 97F0 POP R0, GH15
01CA 5E00 CALL GET_DER_ADDR ! (R0: IBP ff)
01CC 000A'
RETURNS
(Rl: EBR AEER) !
! LOAD NEW DBF ON CURRENT VP !
01CE 6F21 LD VPT . VP ,DBR( R2 > , Rl
01D0 0010'
! TURN OFF I DIE FLAG !
01D2 4P25 IE VPT . VP . IDIEFIAG ( R2 ), ?CFF
01D4 0016'
01D6 0ee0
! SET VP TO READY STATE !
01D6 4P25 LD VPT .VP .STATE ( R2 ) . *REAEI
01DA 0014'
01DC 0001
! SCHEDULE FIRST ELGIBLE READ! VP !
eiDE bFe0 CALL GETWORK !R13:I0GICAL CPU *
01E0 0000'
R14:DBR !
! UNLOCK VPT !
01E2 4D08 CLR VPT. LOCK
P1E4 0000'
! UNMASK VECTORED INTERRUPTS !
01E6 7C05 EI VI
01E8 9E08 RET




I ^z %< *fi *c zt zt ^ 3£ v-~2,= :.: spa? ^r,;:?:,; r,;v ?? *,: :;; ~,; ^ ^< -,: ^ V ',= V^'
•" HARDWARE PREEMPT INTEPRUFT *
* HANDLER. ALSO TESTS FOR *
* VIRTUAL PREEMPT INTERRUPT *
* FLAG AND INVOKES INTERRUPT
- HANDLER IF FLAG IS SET. *
- INVOKED UPON EVERY EXIT FROM *
* KERNEL. KERNEL FCW MASKS
* NVI INTERRUPTS TO PREVENT *
* SIMULTANEOUS PREEMPT INTiRR. *
'•s HANDLING.
* REGISTER USE -
- LOCAL VARIABLES *
* Rl: FREEMPT INT_FIAG *
* R2: CURRENTJT? *
* GLOBAL VARIABLES *
* R13:I0GICAL CPU # *
* F14:DB? *
ENTRY
i * * FREEMPT_HANDLER * * !
! SAVE ALL REGISTERS !
01EA 030F S TT F R15, #32
01EC 0020
01EE 1CF9 LDM 0R15, Rl , #16
01F0 010F
! SAVE NORMAL STACK POINTER (NS?) !
01F2 7D67 LDCTL R6, NSP
01F4 93F6 PUSH PR15, R6
! GET CPU * !
*>1F6 5F00 CALL GET_CPU NO 'RETURNS:
01FB 02C8'
Rl : CPU n
R2:# VP'S !
01FA A11D LD R13, Rl
!
MASK INTERRUPTS !
01FC 7C01 DI VI
! LOCK VPT !
01FE 7604 LDA R4, VPT. LOCK
0200 0000'
0202 5F00 CALL S?IN_LOCK
0204 0282'
! RETURNS WHEN VPT IS LOCKED!
! SET DEB. !




020A 612S LD ' R14, VPT .VP .DER (R2
)
020C 2010'
! PUT CURRENT PROCESS IN READY ST!TF. !
020E 4D25 LD VPT . VP. STATE (R2 ) f #HJ£AEY
0210 0014'
0212 0001




! UNLOCK VPT !
0218 4D08 CL* VP^.LOCK
021A 0000'
! UNMASK VECTORED INTERRUPTS !
021C 7C05 EI VI
KERNEL EXIT:
» www UNMASK VIRTUAL PREEMPTS *** f
!
ww NOTE: SAFE SEQUENCE AND EOES NOT REQUIRE
VPT TO BZ LOCKED. -- !
! GET CURRENT_VP !
021E 610D LD R13, PRDS.LOG_CPU ID
0220 0A0C'
2222 61D2 LD R2, VFT. RUNNING LIST(R13^
0224 0002'
! TEST PREEMPT INTERRUPT FLAG !
0226 4D21 CP VPT.VP.PREEMPT(R2^ , #ON
022B 0018'
022A FFFF
022C 5E0E IF SO ! PREEMPT FLAG IS CN ! THEN
022E 0240'
! RESET PREEMPT FLAG !
2230 4D25 LD VPT. VP .PREEMPT (R2 ), *OFF
0232 0018'
0234 2000
! SIMULATE VIRTUAL PREEMPT INTERRUPT !
0236 2101 Ld Rl, #2
0236 0200
223A 6112 LD R2, VPT
.
VIRT_I NT_VEC ( Rl
)
023C 000C'
023E 1S28 JP @R2
!NOTE: TEIS JUMP TO TRAFFIC_CONTROl
IS USED ONLY IN THE CASE OF A PREEMPT INTERRUPT,
AND SIMULATES A HARDWARE INTERRUPT. -- !
!




! NOTE: SINCE A HDWE INTERRUPT DOES NOT EXIT
THROUGH THE GATE, THOSE FUNCTIONS PROVIDED
21 A GATE EXIT TO HANDLE PREEMPTS MUST BE
PROVIDED HERE ALSO. !
! RESTORE MSP !
^240 9?Fb POP RS, PR15
0242 7D6F LDCTI NSP, R6
! RESTORE ALL REGSTERS
£244 1CF1 LDM Rl, (?Rlb, #16
0246 010F
0246 010F ADD R15, #32
£24 A 0020
! EXECUTE HARDWARE INTERRUPT RETURN !
024C 7B00 IRET
024E END PfiYS PKEEMPT HANDLER
219

£24£ RUNNING VP PROCEDURE
I »(* 3t% *^» ^* i,5 J,* «>^i #l« *,i J,C »,i i,i 7|C *,i *,£ *,i *,C »,» »,* *,S ?, « i|i *,» »,i »,» -,» J, «. J,C 3JJ » ; " «,i »,£ i,»
* CALLED £Y TRAFFIC CONTROL. *
- RETURNS ^T P ID. RESULT IS VALID*
- ONLY WHILE APT IS LOCKED.
* REGISTER USE *
:! PARAMETERS *
* Rl: ill 1: VP_IE (RETURNEE) -
* R3: LOG~CPU # (RETURNEE) *
* LOCAL VARIAELES *
* R2: VP INDEX *
3gS J<c 3J< 3£v ^ Si'- J"^ ^* ^ *,i ^;^^ )? ;* ^; ^; ^s /;; ^ ^ ^i ^. ;^ ^ ^: ^ ^ v ^c ?;x f
ENTRY
! MASK INTERRUPTS !
024E 7C01 DI VI
! LOCK VPT !
0250 7604- LDA R4, VPT. LOCK
0252 0000'
0254 5F00 CALL SPIN_LOCK ! (R4 :'~7PT . LOCK ) !
0256 0282'
! NOTE: RETURNS VHEN VPT IS LOCKED BY THIS VP !
! GET LOGICAL CPU # !




025C A113 LD R3, Rl
0255 6132 LD R2 , VPT. RUNNING LIST(R2)
£260 0££2'
! CONVERT VP_INEEX TO V?_1E !
0262 6121 LD Rl , VPT .VP .EXT_IE (R2 )
0264 0£20'
» * * * DEBUG * * * !
2266 0E01 CP Rl. #NIL
0268 FFFF
026A 5E0E IF EQ ! KERNEL PROC ! TEEN
026C 027A'
026E 2100 LD R0, #V I E ! VP INDEX ERROR !
0270 0006
0272 7601 LDA Rl , S
£274 0272'
0276 5F00 CALL MONITOR
0278 A900
FI
! * * END DEBUG * * !
! UNLOCK VPT !
027A 4D08 CLR VPT. LOCK
027C 0K00'
! UNMASK VECTORED INTERRUPTS !
027E 7C05 EI VI
0280 9E08 RET
0282 END RUNNING V?
220

0282 SPIN LOCK PROCEDURE
* USES SPIN_LOCK MECE. *
* LOCKS UNLOCKED DATA
* STRUCTURE (POINTED TO *
* BY INPUT PARAMETER). *
;,;;,; ^ J ;,c #,; jgi j,; ;,; ;,; 3,; %z 5,; :,; ;,; *,i ^j ;,s j^c i,i •,? 7fi ;,; J^ *,! ;., '-
^REGISTER USE *
* PARAMETERS *
- P4: LOCK ADDR (INPUT)-
ENTRY
! NOTE: SINCE ON L^ ONE PROCESSOR CURRENTLY
IN SYSTEM, LOCK NOT NECESSARY. ** !
j ss: j* j* JJEJUQ ^ t ? J
CP PR4, *OFF
IF NE ! NOT UNLOCKED ! THEN
LD Re, #U_L ! UNAUTHORIZED LOCK !
LDA Rl , S
CALL MONITOR
EI
! * * END DE-fcUG * * !
TEST_LOCK:
! DO WHILE STRUCTURE LOCKED !
0296 0D*6 TSET GR4
0298 E5EE JR MI, TEST_LOCK
!
v* N OTE SEE PLZ/ASM MANUAL
FOR RESTRICTIONS ON
USE OF TSET. ** !
029A 9E08 RET














J J,i *|4 3|i JJC JjS 3JS i|» #^5 ?^C ?il JJ5 5J» 2|C i|C J^i 5^C *f« ^i »J5 JJ% J"(J »p »i» »,i 3JC 3J? *,% *]* *^* Jjl 3p ![» i,i
* GETS EASE ADDRESS OF SEGMENT *
* INDICATED. *
J,"? ?£ J!* 3QC 5^ 9QC 5£ *;» >JC 3£V 3J8V *£ Is 1* *£ 3QC *»» 3j* 5J* 3QC 3J6 3^ 3}i >|C 5£ ^S 3JC 5£ 3QC SJC Sp
* REGISTER USE: -
* R0:SEG BASE ADDRESS (RET ) *
* RltSEG NT? (INPUT)
'•' R2: RUNNING VP (LOCAL)
* R3:D£R VALUE (LOCAL) *
* R4: VPT. LOCK *
* R13 .'LOGICAL CFU tt
ENTRY
! SAVE SEGMENT ft !
029 C 93F1 PUSH OR lb, Rl
! MASK INTERRUPTS !
029E 7C01 DI VI
! LOCK VPT !
02A0 7604 LDA R4, VPT. LOCK
02A2 0000'




! GET CPU # !
8 CALL GET CPU NO IRETURNS:
Rl : CPU #
R2:# VP 'S !
02AC A11D LD PI 3, Rl
! RESTORE SEGMENT *t !
02AE 97T1 POP Rl, G>R15
02B0 61D2 LD R2, VPT.RUNNING LIST(R13)
02B2 0002'
02B4 6123 LD R3 , VPT . VP .DBR ( R2
)
02B6 0010'
! UNLOCK VPT !
02B8 4D08 CLR VPT. LOCK
02BA 0000'
! "NMASK VECTORED INTERRUPTS !
02BC 7C05 EI VI
02BE 1900 MULT RR0,#4
02C0 0004
02C2 7130 LD R0,R3(R1)
02C4 0100
02C6 9E08 RET
02C8 END ITC GET SEG PTR
222

02CS GET CPU NO PROCEDURE
* FIND CURRENT CPU_NO *
- CALLED BT DIST MMGR
* AND MM *
3£ 3? 33S ',iV t* 3^ ^ 5?^ 3,c v ;^ 3? 3,5 3?v ^ 3?c v *,* 3,; v -;' 3£
* RETURNS *
- Hi: CPU_NO *
* R2: # OP VP'S *
3^« 3|5 3JC 3,C 3,* 3,£ 3,4 if* *|i 3jS 3,1 3,5 -,i 3,* »,» 2^* #,; *,5 3,* 3,« 3,* 3,C 3,i J,. 3|* T
ENTRY
02C8 6101 LD HI, PRDS .LOG_CPU_ID
02CA 0A0C'
02CC 6102 LD H2, PRDb.VP_NR
02C£ 0A0S'
02D0 9E08 RET
02D2 END GET CPU NO
02D2 K_LOCK PROCEDURE
f »|{3ifi SQS 3g»3^S 3Q6 JQ(3j(9gS3|C 8{E 3|C3^X 9QC 9JC 3,; 3,; 3,; ;,;^i ; ;« ^1 3,; -,-;,;
* STUii FOR *AIT LOCK *
3|C 3;* 9QC 3^3|C 33^3^3^3^3^3^3^3;C33:3^3^3|C3^3^33S3f%3^3'(C3^3^
* R4:"lOCK (INPUT) *
jpjjcjjjjp^jicj^jp spa? a;: >*:?"* ^cs^sjcj^^tjjt^cjiejp^t^t
J
ENTRY
02D2 5P00 CALL SPIN_LOCK
02D4 02S2'
02D6 9E08 RET
02D8 END K LOCK
£2D8 KJJNLOCK PROCEDURE
l 5J6 3Ji 35> 2^^ 53* 3)C 3^£ 3JS 3Ji 3^ 3^i 33* 3J5 3J» 33> i^C 3jC 3JC 3f% 3\S 33! 33* 3,C 3^C
* STUB FOR WAIT UNLOCK *
5£ t£ sp ggogi ^t jp jjc ap ^1 ^c sje jjc ^t 3^ sjc jjc ^c jjc jjs 3? J? ;? jp ^e
v R4:~LOCK (INPUT) *
•
ENTRY
02D8 0D48 CLR C°P4
02DA 9E08 RET
02DC END KJJNLOCK




1. O'Corneii, J. S., and Picnardscr., I. £., iistricutgd
Sq^:rg "Design for a Mu It i - v i Toprocesso r Operating
S y s t e
n
t MS Tnesis, Naval Postgraduate Scnooi,
June 1979.
2. Parses, 5. J., Tne Design of a Secure Pile Storage
System . MS Tnesis, Naval Postgraduate c rr.coi .
December 1979.
2. Coleman, A. P., Security Kernel Design for a
MicroPro cessc r-Pasec t Multilevel. Arcnival S y orag,e
System, MS Tnesis, Naval Postgraduate Softool,
December 1979.
4. Moore, E. E. and Gary, A. V., Tne Design ana Implem°r.t ion
of tne "emery Manager for a Secure Arcmval Storage




P e i t z , S . L . , An Implementation of Mul tirro gracing and
Process Management for a Security Kernel Operating





Wells, J . T . , Implementation of Segment v anagerer.t for
a Secure Arcnival Storage System, ^S Tnesis, Naval
Postgraduate School, September I960.
rga n i c * , S . J . , Tne Multics System: An Exami-at i on of
Its S tructure . MIT Press, 1972.
Madnicic, S. E., and Donovan,
McGraw Hill , 1974.





Peed, P. D., Processor Multiplexing In a layered
Operating System , MS Tnesis, Massachusetts
Institute of Tecnnology, MIT LCS/TR-167, 1979.
Scnell, It. Col. R. R., "Computer Security: tne Acniiles
Heel of tne Electronic Air Force?,' A
i
r University
Review , v. 30, no. 2, p. 16-33, January 1979.
11. Scnell, Lt.Col. R. P., Security Kernels: A Metnonical
Design of System Security,' USE Ternni^ai Pauers
(Spring Conference, 1979). p. 245-25K, varcn 1979.
224

12. Denning, T A E. f "a lattice ^odel of Secure Information
Flow,' Cormunica tions of the AC** , v. 19,
p. 236-242, fay 1976.
13. Srnroeder, M. D., "a Hardware ircnitecture for
Implementing Protection Rings," Communications of
tae AC V , v. 15, no. 3, o. 157-170, Marcs 1972.
14. nostra, F. '*'., "The Humble Programmer." Cojiimuni cations
of trie ACM , v. 15, no. 10, p. 859-865, OctoCer 1972,
lb. Reed, P. D., and Kanodia, R. K., "Synchronization tfitn
Eventrounts and Sequencers," Communications of tne
AC v , v. 22, no. 2, p. 115-124, February 1979.
16. Saltzer, T . H
.
, Traffic Control in a M ul timered
Computer 5ysterr t Pti.D. Thesis, Massacnuse t ts
Institute of Technology, 1966.
17. Zilog, Inc., 78001 CP t t z»002 CF T ' . Preliminary Product
Specification, tfarch 1979.
16. Ziiog, Inc., Z8010 MMU Memory ^anarenent Unit .
Preliminary Product Specification, October 1979.




20. Zilog, Inc., Z800g PLZ/ASM Assembly Language Programing
v ar,v.ai , 03-30 55-01, Revision A , ADril 1979.
21. S one 1 1 , R. R . and Cox, 1 . A . , Secure Arrival S to rage







S chell , R . R . and Cot, I . A . , Secure Ar clival Storage
System. Part II - Segment and Process v j".3? e rer.t








Alexandria, TT irginia 22314








Department Cnairman, Code 52
Department of Compute** Science
Naval Postgraduate Scnool
Monterey, California 9394^
L^COL ?.o« Scneli, Code 52Sj
Department of Computer Science
Naval Postgraduate Scnool
Monterey, California 9394?
Lyle A. Cox, Jr., Code S2C1
Department of Computer Science
Naval Postgraduate Scnool
Monterey, California 9394£
6. Joel Trimble, Coce 221
Office of Naval Research




Department of Computer Science
United States Military Academy
Vest Point, New Yor.K: 10996
B. INTSI Corporation
Attn: Mr. Robert Cnilds
M ail Code: SC 4-490
3065 Bowers Avenue
Santa Clara, California 95051






10. Digital Equircrcent Corpcratior




M aynard, Massachusetts 01754
11. Joe Srfcan
University of ScutAwestern Louisiana
P.O. fox 4433fc
Lafavette, Louisiana 70504
12. LCLR Gary Ealcer, Cede 27
Leoartnent of Computer Tecnnolo^y
Naval Postgraduate Srnool
Monterey, California 915940
13. LCLP Jo An T. Wells
P.O. Pcx 36fc>
Waynesboro, Mississippi 3936'7
14. CPT Artnony ?. . Stricter
Route #12









J 9244;S847 Strickler * H *
'
c •' Implementation of
process management for
a secure archival
storage system.
27203
Thesis 192447
S847 Strickler
c.l Implementation of
process management for
a secure archival
storage system.
M-
»-
1
