阅读说明：本技术 用于管理能力域的设备及方法 (Apparatus and method for managing capability domain ) 是由 格雷姆·彼得·巴尔内斯 于 2018-04-27 设计创作，主要内容包括：本发明提供一种用于管理能力域的设备及方法。该设备具有用于执行指令的处理电路,该处理电路当处于默认状态时被布置为在能力域中操作,该能力域包括用以约束执行指令时由处理电路执行的操作的能力。亦提供了程序计数器能力储存元件以储存由处理电路用来确定程序计数器值的程序计数器能力。程序计数器能力被布置为标识处理电路的能力状态。当能力状态指示默认状态时,则处理电路被布置为在能力域中操作。然而,当能力状态指示执行状态时,处理电路被布置为以比当处于默认状态时受到更少约束的方式操作,以便允许更改能力域。此提供了用于选择性地允许设备更改能力域的简单且有效的机制。(The invention provides a device and a method for managing a capability domain. The apparatus has processing circuitry for executing instructions, the processing circuitry when in a default state being arranged to operate in a capability domain, the capability domain comprising capabilities to constrain operations performed by the processing circuitry when executing instructions. A program counter capability storage element is also provided for storing program counter capability used by the processing circuitry to determine the program counter value. The program counter capability is arranged to identify a capability state of the processing circuitry. When the capability state indicates the default state, then the processing circuitry is arranged to operate in the capability domain. However, when the capability state indicates an execution state, the processing circuitry is arranged to operate in a less constrained manner than when in the default state, so as to allow the capability domain to be changed. This provides a simple and efficient mechanism for selectively allowing a device to change capability domains.)

1. An apparatus, comprising:

processing circuitry for executing instructions, the processing circuitry when in a default state being arranged to operate in a capability domain, the capability domain comprising a capability for constraining operations performed by the processing circuitry when executing said instructions; and

a program counter capability storage element for storing a program counter capability used by the processing circuitry to determine a program counter value, the program counter capability identifying a capability status of the processing circuitry;

the processing circuitry is arranged to operate in the capability domain in response to the capability status indicating the default state; and is

The processing circuitry is arranged to operate in a less constrained manner to allow the capability domain to be altered in response to the capability state indicating an execution state than when in said default state.

2. Apparatus according to claim 1, wherein the processing circuitry is arranged to execute a branch instruction identifying a capability to move the identified capability into the program counter capability storage element to form a new program counter capability, the processing circuitry then operating in the capability state identified by the new program counter capability.

3. The apparatus of claim 2, wherein:

the branch instruction is a branch with a link instruction;

the program counter capability stored in the program counter capability storage element forms an old program counter capability prior to execution of the branch with linked instruction; and is

The processing circuitry is arranged to use the old program counter capability to generate a return address capability for storage in a return address capability storage element, the return address capability maintaining a capability state identified by the old program counter capability.

4. Apparatus as claimed in claim 3, wherein said processing circuitry is arranged to execute a return instruction to write said return address capability into said program counter capability storage element to form a return program counter capability, said processing circuitry subsequently operating in a capability state identified by said return program counter capability.

5. The apparatus of any preceding claim, wherein when the capability status indicates the execution status, the processing circuitry is arranged to: by arranging the processing circuitry to operate without capability constraints when operating in the execution state, to operate with less constraints than when in the default state.

6. The apparatus of any of claims 1-4, wherein when the capability state indicates the execution state, the processing circuitry is arranged to operate in a less constrained manner than when in the default state by disabling at least one capability check when the processing circuitry is operating in the execution state.

7. The device of claim 6, wherein the disabled at least one capability check comprises at least one of:

a capability check performed with reference to the program counter capability when the program counter value is used to identify an address of an instruction to be fetched from memory; and

a capability check performed with reference to a default data capability when an unbounded pointer is used to identify an address of a data block in memory to be accessed.

8. The apparatus of any of claims 1-4, further comprising:

one or more groups of grouped capability storage elements for storing capability, each group of grouped capability storage elements including a first capability storage element for storing capability for constraining operations performed by the processing circuit when the processing circuit is operating in the default state; and a second capability storage element for storing a capability for constraining operations performed by the processing circuitry when the processing circuitry is operating in the execution state;

wherein the capabilities identified in the first and second capability storage elements in each group of grouped capability storage elements are such that: when the capability state indicates the execution state, the processing circuit operates in a less constrained manner than when in the default state.

9. The apparatus of any of claims 1-4, further comprising:

one or more capability storage elements for storing capabilities for constraining operations performed by the processing circuitry;

when an update to the program counter capability causes the capability state to change from a source state to a target state, capabilities of the one or more capability storage elements with respect to the source state are saved to allow them to be later restored, and associated capabilities associated with the target state are written to the one or more capability storage elements;

wherein the capability written into the one or more capability storage elements causes the processing circuitry to operate in a less constrained manner when the capability state transitions to the execution state than when in the default state.

10. The apparatus of any one of the preceding claims depending on claim 2, wherein:

when the branch instruction identifies a capability that will cause the capability state to change from the execution state to the default state, the processing circuitry is arranged to perform a check operation to determine whether use of the program counter capability as updated using the capability identified by the branch instruction is allowed.

11. The apparatus of claim 10, wherein the checking operation comprises: determining whether the branch instruction is of a type that allows the capability stored in the program counter capability storage element to be updated in a manner that will cause the capability state to change from the execution state to the default state.

12. Apparatus according to claim 10 or 11, wherein the processing circuitry is arranged to perform a predetermined action in determining a failure condition for the checking operation.

13. The apparatus of claim 12, wherein the predetermined action comprises one of:

an exception occurs when the branch instruction is executed;

a flag is set that causes an exception to occur when the next instruction is executed, and the branch instruction is allowed to execute to update the program counter capability.

14. The apparatus according to any of the preceding claims, wherein when operating in the execute state, the processing circuitry is allowed to alter the program counter capability stored in the program counter capability storage element to change capability state to the default state.

15. The apparatus of any of the preceding claims, wherein one or more of the capabilities comprise a bounded pointer.

16. A method of managing a capability domain within a device, the device having processing circuitry for executing instructions, the processing circuitry being arranged to operate in the capability domain when in a default state, the capability domain comprising capabilities for restricting operations performed by the processing circuitry when executing said instructions, the method comprising the steps of:

storing, in a program counter capability storage element, a program counter capability used by the processing circuit to determine a program counter value, the program counter capability identifying a capability status of the processing circuit;

operating the processing circuitry in the capability domain in response to the capability status indicating the default state; and

in response to the capability status indicating an execution state, the processing circuitry is operated in a less constrained manner than when in the default state to allow the capability domain to be changed.

17. An apparatus, comprising:

processing means for executing an instruction, the processing means when in a default state for operating in a capability domain, the capability domain comprising capabilities for constraining operations performed by the processing means when executing the instruction; and

program counter capability storage means for storing program counter capabilities used by the processing means to determine a program counter value, the program counter capabilities identifying a capability status of the processing means;

in response to the capability status indicating the default status, the processing device is to operate in the capability domain; and

in response to the capability status indicating an execution state, the processing device is to operate in a less constrained manner than when in the default state to allow the capability domain to be changed.

18. A virtual machine computer program comprising program instructions for controlling a host data processing apparatus to provide an instruction execution environment corresponding to the apparatus according to any one of claims 1-15.

19. A computer readable storage medium storing the virtual machine computer program of claim 18.

Technical Field

The present technology relates to the field of data processing.

Background

There is an increasing interest in capability-based architectures, where certain capabilities are defined for a given process, and if attempts are made to perform operations outside the defined capabilities, errors may be triggered. Such capabilities may take various forms, but one type of capability is a bounded pointer (which may also be referred to as a "fat pointer").

A number of capability storage elements (e.g. registers) may be provided for storing capabilities, such as bounded pointers for access by the processing circuitry of the data processing apparatus. Each bounded pointer within such a capability storage element will identify a non-extensible range of memory addresses that are accessible by the processing circuitry, and thus each bounded pointer may be referred to as a capability (an address of memory that identifies an allowable range that the processing circuitry is capable of accessing, and any associated permissions). While the processing circuitry may be allowed to take steps to reduce the range and/or permissions associated with any particular bounded pointer that is available to the processing circuitry, this does not extend the range in normal operation to try to increase the capacity provided to the processing circuitry by the bounded pointer.

Any particular range of memory addresses identified by a bounded pointer within a capacity storage element may include data, instructions, and/or other capabilities (e.g., other bounded pointers). Thus, it should be understood that the ability of the processing circuit to access memory at any point in time is defined by a set of capabilities that includes the capabilities identified in the capability storage element and any other capabilities accessible via the capabilities maintained in such capability storage element, and this set of capabilities will be referred to herein as a capability domain.

It may be necessary to try to change the capability domain of the processing circuitry during operation of the data processing device. However, this may require accessing memory addresses that cannot be accessed given the capabilities of the current capability domain.

It is desirable to provide an efficient and reliable mechanism for enabling such changes in the capability domain of the processing circuitry.

Disclosure of Invention

In a first exemplary configuration, an apparatus is provided, the apparatus comprising: processing circuitry for executing instructions, the processing circuitry when in a default state being arranged to operate in a capability domain, the capability domain containing capabilities for constraining operations performed by the processing circuitry when executing such instructions; and a program counter capability storage element for storing a program counter capability used by the processing circuitry to determine a program counter value, the program counter capability identifying a capability state of the processing circuitry; the processing circuitry is arranged to operate in a capability domain in response to a capability state indicating the default state; and the processing circuitry is arranged, in response to the capability state indicating the execution state, to operate in a less constrained manner than when in the default state so as to allow the capability domain to be changed.

In another exemplary configuration, there is provided a method of managing a capability domain within a device having processing circuitry for executing instructions, the processing circuitry being arranged to operate in the capability domain when in a default state, the capability domain containing capabilities for restricting operations performed by the processing circuitry when executing such instructions, the method comprising the steps of: storing, within a program counter capability storage element, a program counter capability used by the processing circuitry to determine a program counter value, the program counter capability identifying a capability state of the processing circuitry; operating the processing circuitry in a capability domain in response to a capability state indicating the default state; and in response to the capability state indicating the execution state, operating the processing circuitry to allow the capability domain to be changed in a manner that is less constrained than when in the default state.

In yet another exemplary configuration, an apparatus is provided, the apparatus comprising: processing means for executing instructions, the processing means when in a default state for operating in a capability domain, the capability domain containing capabilities for constraining operations performed by the processing means when executing such instructions; and program counter capability storage means for storing program counter capability used by the processing means to determine a program counter value, the program counter capability identifying a capability state of the processing means; the processing device is responsive to a capability state indicating the default state for operating in a capability domain; and the processing means is responsive to the capability state indicating the execution state for operating in a less constrained manner than when in the default state to allow the capability domain to be changed.

In a further exemplary configuration, there is provided a virtual machine computer program containing program instructions for controlling a host data processing apparatus to provide an instruction execution environment corresponding to the apparatus having the first exemplary configuration described above. In one embodiment, a computer readable storage medium may be provided for storing a virtual machine computer program.

Drawings

The present technology will be further described, by way of example only, with reference to embodiments of the present technology illustrated in the accompanying drawings, in which:

FIG. 1 is a block diagram of an apparatus according to one embodiment;

FIG. 2 illustrates an example of the types of instructions that may trigger an error if an attempt is made to set or access a pointer value within a bounded group of pointer storage elements where the pointer value is used to specify an address outside the range indicated by the associated range information;

FIG. 3 illustrates the use of a marker bit associated with a bounded pointer, according to one embodiment;

FIG. 4 illustrates operations performed when executing a branch instruction in order to update the capability state of a processing circuit, according to one embodiment;

FIG. 5 illustrates operations performed when executing a branch with a linked instruction according to one embodiment in order to update the capability state of a processing circuit;

FIG. 6 illustrates operations performed when executing a return instruction in order to update the capability state of a processing circuit, according to one embodiment;

FIG. 7 is a flowchart illustrating steps taken when updating program counter capabilities according to one embodiment;

FIGS. 8A and 8B illustrate two alternative options for performing step 370 of FIG. 7, according to one embodiment; and

FIG. 9 illustrates a virtual machine implementation that may be used.

DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION

Before discussing embodiments with reference to the figures, the following description of embodiments is provided.

As previously mentioned, there is increasing interest in capability-based architectures, where certain capabilities are defined for a given process and an attempt to perform an operation outside of the defined capabilities may trigger an error. Various types of capabilities may be defined, but one type of capability is a bounded pointer (which in one embodiment incorporates both the pointer value and the associated range and permissions information).

Devices employing such capability-based architectures will typically have storage elements for storage capabilities (also referred to herein as bounded pointer storage elements, or more generally capability storage elements). The storage elements may be registers (also referred to herein as bounded pointer registers or capability registers) and/or may be memory locations in general-purpose memory, such as locations on stack memory. Certain instructions may be used to reference such storage elements to access a desired capability and perform operations depending on that capability. For example, in view of a bounded pointer, executing such an instruction may result in the bounded pointer being fetched, and the pointer value in the bounded pointer is then used to derive the address in memory needed during execution of the instruction. The pointer value may be used directly to identify the memory address or may be used to derive the memory address, for example by adding an offset to the pointer value. If the memory address is within the range specified by the range information and any permissions specified in the permission information are met, then the operation will be allowed to proceed.

Thus, when a bounded pointer is used, the pointer value itself may point to, or be used to determine, for example, a data value to be accessed or an address to fetch an instruction for execution. However, the range and permission information may then be referenced, for example, to ensure that any addresses accessed are within an allowable range and accessed for permission purposes. This may be used, for example, to ensure that the address determined by the pointer remains within certain limits to maintain the security or functional correctness of the behavior.

By this means it is possible to efficiently supervise memory accesses by the processing circuitry. However, as mentioned previously, the problem arises of how to efficiently and reliably provide a mechanism for enabling a capability domain change, as this may require access to memory addresses that cannot be accessed given the capabilities of the current capability domain.

According to one embodiment, if the device has processing circuitry for executing instructions, the processing circuitry, when in a default state, is arranged to operate in a capability domain comprising capabilities for constraining operations performed by the processing circuitry when executing instructions. A program counter capability storage element is also provided for storing program counter capability used by the processing circuitry to determine the program counter value. According to embodiments described herein, the program counter capability also includes information for identifying a capability state of the processing circuitry.

When the capability state indicates the default state, the processing circuitry is arranged to operate in the capability domain. Thus, the processing circuit cannot access memory addresses that cannot be accessed given the capabilities of the current capability domain. However, in response to the capability state indicating an execution state, the processing circuitry is instead arranged to operate in a less constrained manner than when in the default state, so as to allow the capability domain to be altered.

There are many ways in which the constraints on the capability domain may be relaxed when in the execution state, but the purpose is to allow the processing circuitry to be able to access one or more memory addresses or regions that would otherwise be inaccessible when the constraints on the capability domain were imposed.

Thus, according to the described embodiments, capabilities are supplemented so that they may additionally specify capability status information. If such capability is subsequently moved into the program counter capability storage element to form a program counter capability, the capability state information specified by the capability is then used to identify the current capability state of the processing circuit, and thereby determine whether the processing circuit is in a default state that is constrained to operate according to the capability domain, or in an execution state in which it may operate in a less constrained manner.

This provides a simple and effective mechanism for temporarily allowing a processing circuit to obtain enhanced rights sufficient to enable its change capability domain. When the program counter capability is updated at the appropriate time to identify the default state as the new capability state of the processing circuit, then the processing circuit will operate according to the capability domain that was changed while the processing circuit was in the execution state.

To change the capability state, there are many mechanisms that can be used to update the program counter capability stored within the program counter capability storage element. In one embodiment, the processing circuitry may be arranged to execute a branch instruction identifying a capability to move the identified capability into the program counter capability storage element to form a new program counter capability, the processing circuitry then operating in the capability state identified by the new program counter capability. Thus, a currently executing process may, through the use of a branch instruction, move one of its currently accessed capabilities from the general purpose capability storage element into the program counter capability storage element, wherein the capability state of the processing circuit is then identified by the new program counter capability resulting from the performance of the branch operation.

Branch instructions may take various forms. However, in one embodiment, the branch instruction is a branch with a link instruction. In such an arrangement, the program counter capability stored in the program counter capability storage element prior to execution of the branch with the linked instruction may be considered to form an old program counter capability, and the processing circuitry is arranged to use the old program counter capability to generate a return address capability for storage in the return address capability storage element, the return address capability maintaining the capability state identified by the old program counter capability. Thus, this enables the process to branch to a particular section of code and then, when the code has been executed, return the contents of the program counter capability storage element to a form that maintains the capability state that existed prior to the branch being executed. Thus, for example, code may branch to a particular segment of code to be operated on in an execution state, enabling certain changes to be made to the capabilities of the capability domain to be formed, and upon completion of the code the process will then return to a default state at which time the processing circuitry will be constrained by the capabilities of the modified capability domain.

Thus, in one embodiment, the processing circuitry may be arranged to execute a return instruction (which may be considered to be another form of branch instruction) to write a return address capability into the program counter capability storage element to form a return program counter capability, the processing circuitry then operating in the capability state identified by the return program counter capability.

There are many ways in which the processing circuitry may be arranged to operate in a manner that is less constrained when the capability status indicates an execution state. However, in one embodiment, the processing circuitry is arranged to operate in such a less constrained manner by arranging for the processing circuitry to operate in the execution state without being constrained by capability. Such an approach therefore gives the processing circuit full access to the memory address space, removing all protection from the capability domain, but may be useful in certain situations where code executing in the executing state is highly trusted.

In an alternative embodiment, when the capability state indicates the execution state, the processing circuitry may be arranged to operate in a less constrained manner than when in the default state by disabling at least one capability check when the processing circuitry is operating in the execution state. The disabled capability check may take various forms. For example, it is possible that certain memory access instructions may identify an unbounded pointer stored within a general purpose register of the data processing apparatus. To ensure that such access is also restricted, a Default Data Capability (DDC) may be provided to provide the range information and any associated permissions, and may be referenced when determining whether to allow memory access to an address identified with reference to the unbounded pointer. However, in one embodiment, while in the execution state, any such checks that are performed with reference to the default data capabilities may be determined to be turned off, providing a mechanism for the processing circuit to access memory address spaces beyond that allowed by the capability domain.

As another alternative, when a program counter capability is used to identify the address from which an instruction is fetched, if the processing circuitry is operating in an execution state, a range of reference program counter capabilities and associated capability checks that permit execution of information may be determined to be disabled.

In yet another alternative embodiment, the apparatus may further comprise one or more groups of grouped capability storage elements for storing capability, each group of grouped capability storage elements comprising a first capability storage element for storing capability for constraining operations performed by the processing circuitry when operating in a default state; and a second capability storage element for storing a capability for constraining operations performed by the processing circuitry when operating in the execution state. The capabilities identified in the first and second capability storage elements of each group of grouped capability storage elements may then be arranged such that when the capability status indicates an execution state, the processing circuitry operates in a less constrained manner than when in the default state.

Thus, according to such an embodiment, the grouping of at least some of the capability storage elements may be used as a mechanism for allowing the constraints of the capability domain to be relaxed when operating in the execution state. In particular, when in the execution state, the processing circuitry in such embodiments will reference a different grouped storage element for at least one of the used capabilities, wherein the grouped capability storage element stores capabilities that specify constraints that are less burdensome than the normal capabilities used when in the default state. This allows the processing circuitry to obtain a controlled extra entitlement benefit when in the execution state, which is sufficient to enable the capability domain to be changed.

As an alternative to using grouped capability storage elements, in an alternative embodiment, when an update to the program counter capability causes the capability state to change from the source state to the target state, the capabilities of one or more capability storage elements with respect to the source state are saved to allow them to be later restored, and the associated capabilities associated with the target state are written to the one or more capability storage elements. When the capability state is transformed to the execution state, the capability to write to the one or more capability storage elements may be arranged to cause the processing circuitry to operate in a less constrained manner than when in the default state. Thus, the contents of certain capability storage elements may be switched when the capability state changes, as indicated by the current program counter capability, allowing some capabilities to be replaced by a less constrained version to allow the processing circuitry to have enhanced access to the memory sufficient to enable it to change the capability domain.

In one embodiment, a mechanism may be provided to constrain how the capability state may change from the execution state to the default state. In particular, it may be necessary to ensure that when the capability state is returned to the default state, the processing circuitry does not leave any enforcement rights that may enable it to circumvent the capability domain. Thus, in one embodiment, when the branch instruction identifies a capability that will result in a change of capability state from an execution state to a default state, the processing circuitry is arranged to perform a check operation to determine whether use of the program counter capability as updated using the capability identified by the branch instruction is allowed.

There may be many ways to identify allowed branch instructions. However, in one embodiment, if one or more types of branch instructions are available to change the capability state from the execution state to the default state, and if a branch is attempted by a process other than using one or more specific types of branch instructions, the checking operation will detect this and take appropriate action.

In particular, in one embodiment, the processing circuitry is arranged to perform a predetermined action when determining a failure condition of the checking operation. The predetermined action may take various forms. For example, in one embodiment, it may involve an exception occurring when a branch instruction is executed that results in a failure condition to be determined. The software exception handler then transfers control to the appropriate error handler to handle the attempted change from the execution state to the default state. For example, an exception handler may cause a program counter update to occur, but the processing circuitry remains in the execution state. Alternatively, the processing circuitry may be arranged to perform some additional checking and/or clearing operations to ensure that it is safe to update the program counter capability in a manner that causes the processing circuitry to return from the execution state to the default state before allowing an update of the program counter capability according to the branch instruction to occur.

As an alternative to an exception occurring immediately upon execution of the branch instruction, in one alternative embodiment, a flag may be set to indicate the occurrence of an invalid condition, but execution of the branch instruction may be allowed to complete to update the program counter capability. Thereafter, the presence of the set flag may be used to cause an exception to occur when the next instruction is to be executed. This allows certain events to occur between the time the branch instruction is executed and the flag target is set and the time an exception occurs. For example, it may allow a higher priority exception/interrupt to occur that retains flag information and Program Counter Capability (PCC) information, then clears the flag and loads a different program counter capability into the program counter capability storage element. Upon return from a higher priority exception/interrupt, the flag and PCC information will be restored, and when the next instruction will be executed, the presence of the set flag will cause an exception to occur.

In one embodiment, the capability state information maintained within the program counter capability may be processed similarly to any other permission information maintained within the capability, and thus the information indicating the capability state may be cleared in order to change the capability state to a default state. This may allow, for example, the processing circuit to transition itself to a default state when operating in the execute state by clearing relevant information fields within the program counter capability. However, according to the general principle of not allowing activities of processes to be managed by a process of a specified capability to increase the permission of the specified capability, it is not possible for the processing circuit to change the value of the capability state information in a manner that indicates a transition from the default state to the execution state.

In an alternative embodiment, the capability status information may be treated as a new type of field separate from the general permission field, and may be arranged so that it cannot be changed by the process of using the capability.

Specific embodiments will now be described with reference to the accompanying drawings.

Figure 1 schematically illustrates an example of a data processing apparatus 2 comprising a processing pipeline 4 for processing instructions. In this example, the processing pipeline 4 includes a number of pipeline stages, including a fetch stage 6, a decode stage 8, an issue stage 10, a run time 12, and a write back stage 14, although it should be understood that other types or combinations of stages may be provided. For example, a rename phase for performing register renaming may be included in some embodiments. Instructions to be processed move from stage to stage, and while an instruction is pending at one stage, another instruction may be pending at a different stage of the pipeline 4.

The fetch stage 6 fetches instructions from the level 1 (L1) instruction cache 20. The fetch stage 6 may fetch instructions sequentially, typically from consecutive instruction addresses. However, the fetch stage may also have a branch predictor 22 for predicting the outcome of a branch instruction, and the fetch stage 6 may fetch instructions from a (non-consecutive) branch target address if a branch is predicted to occur, or from the next consecutive address if a branch is not predicted to occur. Branch predictor 22 may include one or more branch history tables for storing information used to predict whether certain branches may or may not occur. For example, the branch history table may include counters for tracking actual outcomes of previously executed branches or for indicating confidence in predictions made for branches. The branch predictor 22 may also include a Branch Target Address Cache (BTAC) 24 for caching previous target addresses of branch instructions so that such addresses may be predicted when the same branch instruction is subsequently encountered.

The fetched instruction is passed to a decode stage 8, which decodes the instruction to generate a decoded instruction. The decoded instructions may include control information for controlling the runtime 12 to perform appropriate processing operations. For some more complex instructions fetched from cache 20, decode stage 8 may map such instructions to a plurality of decoded instructions, which may be referred to as micro-operations (μ ops/uops). Thus, there may not be a one-to-one relationship between instructions fetched from the L1 instruction cache 20 and instructions visible by subsequent stages of the pipeline. In general, references to "instructions" should be interpreted in this application as including micro-operations.

The decoded instruction is passed to the issue stage 10 which determines whether operands required to execute the instruction are available and issues the instruction for execution when operands are available. Some embodiments may support in-order processing such that instructions are issued for execution in an order corresponding to the program order in which the instructions were fetched from the Ll instruction cache 20. Other embodiments may support out-of-order execution so that instructions may be issued to run time l2 in an order different from the program order. Out-of-order processing may be used to improve performance because later instructions in program order, for which operands are available, may be executed first when earlier instructions stall while waiting for operands.

The issue stage 10 issues instructions to a runtime 12 where the instructions are executed to perform various data processing operations. For example, runtime may include a number of execution units 30, 32, 34 (such execution units include an arithmetic/logic unit (ALU) 30 to perform arithmetic or logical operations on integer values), a floating-point (FP) unit 32 to perform operations on values represented in floating-point form, and a load/store unit 34 to perform load operations to load data values from a level 1 (Ll) data cache 36 into registers 40 or store operations to store data values from registers 40 into the Ll data cache 36. It will be appreciated that these are just some examples of the kinds of units that execution may provide, and that many other kinds may also be provided. To perform a processing operation, the runtime 12 may read data values from a set of registers 40. The results of the subsequently executed instruction may be written back to register 40 by write back stage 14.

The L1 instruction cache 20 and the Ll data cache 36 may be part of a hierarchy of caches including a multi-level cache. For example, a level 2 (L2) cache 44 may also be provided and other levels of cache may be provided as appropriate. In this example, the L2 cache 44 is shared between the L1 instruction cache 20 and the L1 data cache 36, although other examples may have separate L2 instruction and data caches. Instructions may be fetched from the L2 cache 44 when they are not fetched from the L1 instruction cache 20, and similarly may be fetched from main memory 50 if they are not fetched from the L2 cache 44. Similarly, in response to a load instruction, if the instruction is not in the L1 data cache 36 and fetched from memory 50, data may be fetched from the L2 cache 44 as needed. Any known scheme may be used to manage the cache hierarchy.

The addresses used by the pipeline 4 to reference program instructions and data values may be virtual addresses, but at least the main memory 50, and optionally also at least some levels of the cache hierarchy, may be physically addressed. Thus, a Translation Lookaside Buffer (TLB) 52 may be provided for translating virtual addresses used by the pipeline 4 into physical addresses for accessing cache or memory. For example, the TLB 52 may include a number of entries, each entry specifying a virtual page address of a corresponding page of the virtual address space and a corresponding physical page address to which the virtual page address should be mapped, in order to translate the virtual address within the corresponding page to a physical address. For example, the virtual and physical page addresses may correspond to the most significant portions of the corresponding virtual and physical addresses, with the least significant portions remaining when mapping the virtual addresses to the physical addresses remaining unchanged. In addition to address translation information, each TLB entry may also include information specifying access permissions, such as indicating whether certain pages of the address may be accessed in certain modes of pipeline 4. In some embodiments, the TLB entries may also define other properties of the corresponding page of addresses, such as cache correction information defining which levels of the cache hierarchy to update in response to read or write operations (e.g., whether the cache should operate in a write-back mode or a write-through mode), or information defining whether data accesses to addresses in the corresponding page are re-orderable by the memory system as compared to the order of data accesses issued by the pipeline 4.

Although FIG. 1 illustrates a single-level TLB 52, it will be understood that a hierarchy of TLBs may be provided, such that a level 1 (Ll) TLB 52 may include TLB entries for translating addresses in many recently accessed pages, and a level 2 (L2) TLB may be provided for storing entries for a larger number of pages. When the desired entry is not present in the Ll TLB, it may be fetched from the L2TLB, or from another TLB in the hierarchy. If the desired entry for the page to be accessed is not in any TLB, a page table walk may be performed to access the page table in memory 50. Any known TLB management scheme may be used in the present techniques.

Also, it will be understood that some systems may support multiple levels of address translation, such that, for example, a first TLB (or hierarchy of TLBs) may be used to translate virtual addresses to intermediate addresses, and a second level of address translation using one or more additional TLBs may then translate the intermediate addresses to physical addresses for accessing cache or memory. This may be used, for example, to support virtualization, where first level address translation may be managed by the operating system and second level address translation may be managed by the hypervisor.

As illustrated in FIG. 1, device 2 may have a set of bounded pointer registers 60. Although a set of bounded pointer registers is shown in FIG. 1 as being physically separate from the set of general purpose data registers 40, in one embodiment, the same physical storage may be used to provide both general purpose data registers and bounded pointer registers.

Each bounded pointer register 60 includes a pointer value 62 that can be used to determine the address of the data value to be accessed, and range information 64 that specifies the allowable range of addresses when using the corresponding pointer 62. The bounded pointer register 60 may also include limit information 66 (also referred to herein as permission information) that may define one or more limits/permissions when using pointers. For example, the limit 66 may be used to limit the types of instructions that may use the pointer 62, or the mode of the pipeline 4 that may use the pointer. Accordingly, range information 64 and limit information 66 may be considered to define the capabilities within which pointer 62 is allowed to be used. An error may be triggered when an attempt is made to use a pointer 62 that is beyond the defined capability. The range information 64 may be used, for example, to ensure that the pointer remains within certain known limits and does not scatter to other areas of the memory address space that may contain sensitive or secure information. In embodiments where the same physical registers are used for both general purpose data registers and bounded pointer registers, then in one embodiment the pointer values 62 may be stored, for example, in the same storage locations for use by the corresponding general purpose registers.

FIG. 2 illustrates an example of types of instructions for which the allowable range is used to prevent unauthorized access to data or instructions. As shown at the top of FIG. 2, the particular bounded pointer register PRl includes a given pointer value 62 and range information 64, which in this example is specified using a lower bound address 68 that defines a lower bound of the allowable range and an upper bound address 69 that defines an upper bound of the allowable range. For example, limits 68, 69 may be set to define a range of addresses 80000 to 81000. An error may be triggered when certain instructions reference the bounded pointer register PRl and the address determined by the pointer 62 is outside this range.

For example, as illustrated in part A of FIG. 2, in some systems an attempt is made to set the value of pointer 62 in pointer register 60 to a value outside the range specified by range information 64 (assuming the pointer directly specifies an address here), an error may be triggered. This prevents pointer 62 from taking any value outside of the specified range so that any access using the pointer can be guaranteed to be safely within the allowed range. Alternatively, as illustrated in part B of FIG. 2, when an instruction attempts to access a location identified by the address of pointer 62, an error may be triggered when the address is outside of a specified range. Thus, it may still allow pointer 62 to be set to a value outside of the specified range, but once a data access is attempted at the pointer address (or an address derived from the pointer), an error may be triggered if the address is outside of the allowed range. Other systems may trigger an error in response to both instruction types illustrated in part a and part B of fig. 2.

The range information 64 may be set in different ways. For example, security code or an operating system or hypervisor may specify the range allowed by a given pointer. For example, the instruction set architecture may include many instructions for setting or altering the range information 64 for a given pointer 62, and execution of such instructions may be limited to certain software or certain modes or exception levels of the processor 4. Any known method for setting or altering the range information 64 may be used.

In addition to the set of bounded pointer storage elements 60 that may be used at the execution state 12 when performing certain designations of reference pointers, a Program Counter Capability (PCC) register 80 may also be used to provide similar functionality at the fetch stage 6 when an instruction is being fetched from the level 1 instruction cache 20. In particular, program count pointers may be stored in field 82, where PCC 80 may also provide range information 84 and any appropriate limit information 86 similar to the range and limit information provided with each pointer in the bounded set of pointer storage elements 60.

Additionally, in one embodiment, an unbounded pointer may also be specified within general purpose registers 40 and used when performing a memory access. To limit the memory addresses that can be accessed using such unbounded pointers, it may be assumed that a Default Data Capability (DDC) register 90 specifies both range information 92 and any limit Data 94, which is similar to the range and limit information included within any Capability register. Subsequently, when a memory access instruction is executed that references an unbounded pointer in the general purpose register 40 to identify a memory address, a bound check operation similar to that performed with respect to an unbounded pointer may still be performed based on any address derived from the unbounded pointer, but in this case with respect to the range and limit information held within the DDC register 90. In this way, the capability-aware code may wish to set the DDC register 90 with some capability-agnostic code in an existing software library, for example, in order to place constraints on how to use pointers accessed from general purpose registers 40 when executing the capability-agnostic code. In particular, the range information may be used to limit the range of addresses accessed when executing such capability-agnostic code.

The range information and any associated limits specified in the PCC register 80 or DDC register 90 may be set in various ways. However, in one embodiment, the information is determined using one or more bounded pointers available to processing circuitry in the current capability domain such that the memory address cannot be accessed using PCC-based or DDC boundary checks that reside outside of the memory address range identified for the current capability domain.

Fig. 3 schematically illustrates how marker bits are used to associate with individual data blocks to identify whether the data block represents capabilities (i.e., bounded pointers and associated constraint information) or normal data. In particular, the memory address space 110 will store a series of data blocks 115, which will typically have a specified size. For purposes of illustration only, it is assumed in this example that each data block includes 128 bits. Associated with each data chunk 115, a flag field 120 is provided, which in one example is a single bit field called a flag bit, set to identify the associated data chunk representation capability, and cleared to indicate that the associated data chunk represents normal data, and therefore cannot be considered as a capability. It should be understood that the actual value associated with the set or clear state may vary according to embodiments, but by way of example only, in one embodiment if the flag bit has a value of 1, it indicates that the associated data block is capable, and if it has a value of 0, it indicates that the associated data block contains normal data.

When a capability is loaded into one of the bounded pointer registers 60 (also referred to herein as a capability register), such as the capability register 100 of the icon in FIG. 3, then the flag bit is moved along with the capability information. Thus, when loading capabilities into the capability register 100, the pointer 102, range information 104, and limit information 106 (hereinafter referred to as permission information) will be loaded into the capability register. In addition, associated with the capability register, or as a particular bit field within the capability register, the flag bit 108 will be set to identify the content representing the capability. Similarly, when storing the capability back to memory, the associated flag bit 120 will be set in association with the data block storing the capability. By this method, it is possible to distinguish between capabilities and normal data, and thus ensure that normal data is not used as capabilities.

As mentioned previously, the current set of capabilities available to the processing circuit (whether accessed directly via the capability register 60 or left within a memory address space accessible via one of the bounded pointers in the capability register) forms a capability domain. Thus, the capability domain identifies the available area of memory that is accessible by the processor, as well as any associated permissions/restrictions. As discussed with reference to the remaining figures, a controllable mechanism is provided in the described embodiments to energize the device change capability domain.

In particular, in one embodiment, the bounded pointer is provided with additional fields in addition to the pointer value field 62, range field 64, and permission/restriction field 66 previously discussed. In particular, the Provisioning State field may be set or cleared to identify the execution state or default state previously discussed. Although the capabilities fall within any of the general purpose capability registers 60 previously discussed with reference to FIG. 1, this capability status information is not used. However, when such a bounded pointer is loaded into the PCC register 80, this additional field is referenced in order to identify the current capability state of the processor.

This is illustrated with reference to fig. 4, which schematically illustrates the operation of a branch instruction, which is designated as an operand of the capability register CN. The capabilities 200 stored in the capabilities register CN include a capability status bit 210. Although the capabilities are stored in the capability register, the information in field 210 is not used. However, when a branch instruction is executed to load the capability stored within capability register CN into program counter capability register 80, then the updated contents 215 of PCC register 80 now contain a capability status 220 having the same value as that set within capability 200. Also schematically illustrated, the range and permission information is copied across from the capability register CN into the PCC and the pointer values in the capability CN form the new PC value. Once the PCC storage element 80 has been updated, the capability status of the processing circuit is determined by the capability status bit of the updated PCC 215.

In one embodiment, the capability status field can be considered an additional permission field and can be manipulated in the same manner as other permissions. In particular, a process running on a processor can remove one or more permissions for its capabilities in use, typically by clearing one or more permission bits, and in one embodiment will allow the same process to be performed with reference to the capability status bit. Thus, this will allow the capability status field indicating the run status to be cleared to indicate the default status. However, in accordance with common practice regarding capabilities, processing is not allowed to increase its permissions, and thus, if the capability status bit is cleared, the capability status bit is not allowed to be set, thus preventing processing from associating a status of execution with the capability status bit for the capability, the current value of which indicates a default status.

In an alternative embodiment, capability status location 210 can be considered a new type of field separate from the permission field, and can be arranged so that it cannot be altered by the process using that capability.

FIG. 5 is a diagram similar to FIG. 4, but illustrating operations that occur when a branch with a linked instruction is executed, additionally specifying a capability register CN. In particular, two separate processes are performed when executing branches with linked instructions. As illustrated by step i, the range address is generated by the current PCC contents, which is then stored in a Capability Linking Register (CLR) as a return address capability for later use when returning from a branch. As shown, the current PCC capabilities 250 are read from the PCC register and used to generate the return address capabilities 260 stored in the CLR. The CLR may take various forms, but in one embodiment is a dedicated one of the general purpose capability registers, such as C30. As part of the processing, the capability state 255 within the current PCC capability 250 will be replicated across to form a field 265 within the return address capability 260 to ensure that processing returns from the branch in a timely manner, and the capability state will be restored to the state that existed prior to the branch occurring.

Additionally, in one embodiment, the current range and permission information is copied from the PCC across into the return address capability and the current PC value is increased by the instruction size, as indicated by function 270, to generate the return address within the return address capability.

As illustrated by step ii, the capabilities within the specified source register CN are then copied into PCC storage element 80, as it copies capability status 285 within capabilities 280 into the PCC capability status field 295 when a new program counter capability 290 is generated. Thus, the capability state of the processing circuit changes from CSA to CSB.

Fig. 6 illustrates processing performed when a return instruction is executed. Upon execution of the return instruction, the current contents of the CLR are copied into PCC storage element 80. Thus, return address capability 300, including its capability state 305, is copied into the PCC storage element to form a new program counter capability 310 having an associated capability state field 315 whose value matches the value in CLR's capability state field 305. Thus, the capability state of the processing circuit is determined by the capability state of the updated PCC, which would then be the same capability state that existed before the initial branch with the chained instruction had been executed.

Via the above mechanism, the program counter capability may be updated at some time so that it designates the execution state as the capability state. When in the execution state, the processing circuitry is capable of operating in a less constrained manner than when in the default state to allow the capability domain to be changed. The relaxation in this constraint can be implemented in various ways. For example, in one embodiment, the processor may be arranged to operate in an execution state without being constrained by capabilities. Thus, whenever a capability is referenced, any association scope and restriction information may be ignored, allowing the processor to access memory regions outside of the region associated with the capability domain that is in place when in the default state. This allows, for example, access to additional capabilities, which may then be available to the processor when returning to the default state, resulting in an altered capability domain.

In some embodiments, it may be deemed inappropriate to remove references to capabilities entirely when operating in the execution state, and instead may be arranged to disable one or more capability checks when the processing circuitry is operating in the execution state, but still perform further capability checks. For example, it may be determined that while in the execute state, the capability check is not used when instructions are fetched from memory using program counter capability, and thus range 84 and constraint 86 information associated with the PCC 80 is ignored.

Alternatively, or in addition, DDC 90 may be ignored so that no capability check is performed when the processor accesses memory with reference to an unbounded pointer. However, the association range and permission information may still be checked before access is allowed, with the bounded pointer being used in the capability register 60 to access memory.

As another alternative, and as schematically illustrated in FIG. 1, certain capability registers may be grouped such that there is a version of the capability register that is used when the processor is operating in the default state, and there is a different version that is used when the processor is operating in the execution state. For example, as illustrated in FIG. 1, the DDC registers may be grouped such that there is one DDC register 90 used when the processor is in a default state, and a different DDC register 95 used when the processor is in an execution state. This allows the default data capabilities used when in the default state to be different from the default data capabilities used when in the execution state. In particular, the default data capability for use in the execution state may be arranged to extend the range of available addresses and/or increase the permissions relative to the default data capability used when in the default state. As another example, a Capability Stack Pointer (CSP) may be identified and stored within the associated register 96 for use in the default state. However, a packet version 97 may be provided that instead references a capability stack pointer when operating in the execution state. Thus, a processor may have different capabilities associated with its stack pointer depending on whether it is operating in a default state or an execution state, with the processor switching between different packet registers depending on the current capability state.

Although the grouping of capability registers has been illustrated by way of example with reference to DDC and CSP registers, it will be understood that in alternative embodiments, additional, or different, capability registers may be grouped as desired.

As an alternative to grouping certain capability registers, it may instead be arranged to set equal capabilities available in the execution state to some default capabilities, e.g. maximum capabilities. Thus, in view of the DDC example, DDC register 90 may be used in a default state, but when in an execution state, the predetermined DDC may effectively be hard-coded for use by the processor.

As another alternative to using a packet capability register, save and restore type functions may be performed when the capability state changes, as indicated by capability state information in the PCC. In particular, when the capability state changes from a source state to a target state, capabilities in one or more capability storage elements with respect to the source state may be saved to certain control registers to allow them to be later restored, and once saved, the associated capabilities associated with the target state are written into the associated capability storage element. Further, such processing may enable relaxation of the capability constraints when the processor is operating in an execution state by providing more general purpose permissions and/or scope access to the processor when certain functions are being performed.

For purposes of the following discussion of fig. 7 and 8, all of the previously described examples of fig. 4, 5, and 6 will be generally referred to as branch instructions because they result in updating the contents of PCC storage element 80 to identify new program counter capabilities. As discussed with reference to FIG. 7, certain checks may be performed in one embodiment when any such branch instruction is encountered. In particular, once a branch instruction is identified at step 350 for updating the PCC, a determination is made at step 355 whether the capability status bit in the current PCC is the same as the new PCC that will overwrite the current contents. If so, processing proceeds to step 375 where the PCC register 80 is updated with the new PCC at step 375.

However, if it is determined at step 355 that the capability status bits are different, then it is determined at step 360 whether the capability status bit of the new PCC indicates a default status. If not, this indication update will cause the processor to move from the default state to the execution state, and in one embodiment, this allows the transition without any additional checking. Thus, processing proceeds to step 375 where the PCC content is updated.

However, if the capability bit of the new PCC does not indicate a default state, this indicates a transition from the execution state to the default state, and in one embodiment this is the only allowed if some type of branch instruction is used to perform the transition. Thus, at step 365, a determination is made as to whether the branch instruction is of an allowed type. In one particular embodiment, the three allowed types of branch instructions are a branch to restricted (BRR) instruction, a restricted with link register to restricted (BLRR) instruction, and a restricted return to restricted (RETR) instruction. If the branch instruction is one of these permitted types, processing proceeds to step 375, and further processing proceeds to step 370 where a predetermined action is taken.

The predetermined action may take various forms, and two exemplary options are illustrated in fig. 8A and 8B. As illustrated in figure 8A, one option is that an exception occurs at step 400 without completing execution of the branch instruction, since its branch does not update the PCC register contents. Instead, the software exception handler transfers control to the appropriate error handler that is executed to resolve the situation. There are many ways in which an exception handler may resolve a situation. For example, in one embodiment, it may allow PCC content to be updated, but the capability state is forced to continue to identify the execution state. Alternatively, it may perform some additional steps to ensure that the processor will not have any execution privileges once it returns to the constrained state, and thus it may ensure that once the processor returns to the constrained state, it will be fully constrained by the altered capability domain.

As an alternative to the process illustrated in FIG. 8A, the process illustrated in FIG. 8B may be performed instead, effectively having two separate parts. First, at step 410, a flag is set in a control register to identify that a branch instruction that does not have an allowed type seeks to update the PCC in a manner that transitions the processor from an execution state to a default state. Thereafter, at step 415, execution of the branch instruction is allowed to complete, resulting in the new PCC being stored in the PCC register 80 and the default state being identified.

As illustrated in part ii of FIG. 8B, it is then determined at step 420 when the next instruction is to be executed, and once it is determined that the next instruction is to be executed, it is determined at step 425 whether the flag is still set, and at step 430 whether an exception has occurred, at what time the flag is cleared. An exception handler is then triggered which may perform the processing previously discussed with reference to fig. 8A. If it is determined that the flag is not set at step 425, the instruction is allowed to execute at step 435.

Due to the processing shown in FIG. 8B, some situations may occur after the flag has been set and the branch instruction has completed, before an exception is triggered. For example, a higher priority exception/interrupt may occur that preserves the flag state and PCC content, then clears the flag and loads a different value into the PCC. A higher priority exception routine may then be executed to perform the required function and, upon returning from the exception, to restore the PCC contents into the PCC register and to restore the flag to the set state. At this point, once the next instruction is identified at step 420, it will be determined that the flag is set, and an exception occurs at step 430 to handle the flag set condition.

FIG. 9 illustrates a virtual machine implementation that may be used. Although the previously described embodiments implement the present invention in terms of apparatus and methods for operating specific processing hardware supporting the associated methods, it is also possible to provide so-called virtual machine implementations of hardware devices. These virtual machine implementations run on a host processor 530 running a host operating system 520 that supports virtual machine programs 510. Typically, a powerful processor is required to provide virtual machine implementations that execute at reasonable speeds, but such an approach may be justified in certain situations, such as when it is desirable to run native code to another processor for compatibility or reuse reasons. The virtual machine program 510 may be stored on a computer readable storage medium (which may be a non-transitory medium) and provides an application programming interface (instruction execution environment) to the same application program 500 as would be provided by real hardware, which is a device modeled by the virtual machine program 510. The above-described method for managing capability domains may be implemented within a virtual machine environment. For example, software running on or controlling a virtual machine may utilize hardware implementing such features.

From the above embodiments, it will be seen that these described embodiments provide two levels of privileges orthogonal to the privileges that may be provided through multiple exception levels, each with different software execution privileges. In particular, within an exception hierarchy, the processor may be placed in a default state or an execution state, and when in the execution state, the processing circuitry may operate in a less constrained manner than when in the default state, in which the processor is constrained by the current capability domain. This provides a mechanism to allow the capability domain to be changed as needed.

According to the described technique, the current capability state is encoded within information set within the program counter capability, and thus the branch office may be used to install new capabilities into the program counter capability register, potentially changing the capability state. This provides a simple and effective mechanism for allowing the processing circuitry to selectively obtain the ability to change capability domains.

In this application, the use of the term "configured to … …" means that the device element has a structure that is capable of performing the defined operation. In this context, "configuration" means an arrangement or manner of interconnection of hardware or software. For example, the apparatus may have dedicated hardware providing defined operations, or the processor or other processing element may be programmed to perform the functions. "configured to" does not imply that the device elements need to be changed in any way in order to provide the defined operation.

Although illustrative embodiments of the present invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to such precise embodiments and that various changes, additions and modifications may be effected therein by one skilled in the art without departing from the scope and spirit of the invention as defined by the appended claims. For example, various combinations of the features of the dependent claims could be made with the features of the independent claims without departing from the scope of the present invention.