JPH07302227A - Memory protection method and device therefor - Google Patents

Abstract

PURPOSE:To provide a memory protection method and a device therefor capable of increasing the total number of process-specific domains generatable in one period regardless of the length of a domain access control field while suppressing the increase of a hardware amount. CONSTITUTION:In the case of accessing the data of a virtual address where a certain process is present, a TLB is retrieved and address conversion information (a physical address and a domain number, etc.) is obtained (a step 100). The domain number inside the address conversion information is compared with a process intrinsic domain number inside the process-specific domain number field of the process (the step 110) and access is permitted when they are equal (the step 110; NO). When they are different, whether or not the domain number inside the address conversion is present inside a shared domain is checked (the step 120) and conventional domain protection checking is performed when it is present.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a memory protection method and a memory protection device in a memory management device of a computer system, and more specifically, in a system in which a plurality of processes share a memory, each memory is predetermined. A domain that each process has by dividing it into multiple memory areas that can be accessed only by the specified process or process group (for example, a memory area that consists of a set of memory blocks such as pages; hereinafter referred to as a domain). The present invention relates to a memory protection method and a memory protection device for suppressing memory access to an unauthorized domain by collating access right information with domain information of each memory block to be accessed.

[0002]

2. Description of the Related Art In recent computer systems, it has become common for a plurality of processes to share a memory. In that case, the memory area is divided into a plurality of domains, and a domain access control field for holding access permission information for each divided domain is provided for each process, and the domain access control field is referred to when the process is executed. Conventionally, a memory protection method for suppressing memory access to an unauthorized domain is known. Assigning domains to processes,
The setting of access permission information to the domain access control field is performed by the OS (operating system) at the request of the user process. Each domain is accessed by one or more processes determined by the access permission information. In this way, accessible processes are defined for each domain. Here, the domain is a part of the memory including a set of memory blocks such as pages as described above, and it is assumed that the domains do not overlap each other on the memory.

FIG. 5 is a diagram showing a configuration example of the domain access control field described above. In the figure, 4
00 is a domain access control field (DAC; Dom)
ainAccess Control Field) 410 to 417 are subfields in the domain access control field. Here, the eight domains from domain “0” to domain “7” are the maximum number of domains. Sub-field 41
0 to sub-field 417 are in order domain 0 (D
0) to domain 7 (D7), and the content of each sub-field indicates whether or not access to the corresponding domain is possible. Each sub-field is composed of, for example, 2 bits, and depending on the pattern of the 2 bits, all access is prohibited (for example, “00”), read only is possible (for example, “01”), read / write is possible (for example, “1”).
0 "), execution is also possible (for example," 11 "), etc. The subfield is not limited to 2 bits, and if it is made up of more bits, more detailed and diverse access control is performed. With reference to this access control bit, a specific bit pattern (for example,
It is possible to easily determine whether or not access to the domain is impossible by determining whether or not it is "00") by a decoder or the like. For example, in the case of the above example, it can be seen that if the access control bit is not a specific (“00”) pattern, some kind of access to the domain is possible. In this case, although access is permitted, there are cases where only reading is actually permitted, read / write is permitted, and execution is also permitted. The number of bits in the sub-field is 1
By increasing the number of bits and directly designating whether or not all access to the domain is prohibited by this one bit, it is not necessary to determine whether or not the value of the sub-field is a specific pattern as described above. Disappear.

FIG. 6 is a diagram showing an outline of memory protection such as a plurality of processes (process A to process G), a plurality of domains, and a relationship of access permission / denial between them according to a conventional technique. In the figure, the arrow indicates the domain access permitted, and the arrow with a cross indicates the domain access not permitted. For convenience of description, for example, when the process B (510) is allowed to access the domain “1” and the domain “6”, the domain access control field (DAC) 51 in FIG.
2 is described as "1,6", but is actually represented by the sub-field as shown in FIG. FIG. 6 shows that one domain access control field (DAC) is assigned to each process to prevent unauthorized access, or to share one domain among a plurality of processes. For example, process B (510)
Occupies the domain "1" and assigns the domain "6" to the process A (500) and the process C (52).
It is shared with 0). Process B (510) indicates that the domain other than the domain "1" and the domain "6", for example, the domain "2" cannot be accessed. Further, the process C (520) occupies the domain “2”, and the domain “6” is processed by the process A (50).
0) and process B (510) in common, domain "7"
Is shared with process D (530).

FIG. 7 shows a flowchart of a conventional memory protection method. In this embodiment, the memory protection is checked together with the address conversion process for converting the virtual address in the virtual storage device into the physical address. Therefore, the address translation table in the main memory or the domain to which the page belongs in the address translation information of each page (memory block) in the TLB (table lookaside buffer) provided for high-speed address translation. The number is included. In the conventional memory protection method, when a process accesses data of a certain virtual address, the address translation information of the page for the virtual address is searched by the address translation table or TLB described above, and the physical address corresponding to the virtual address is retrieved. The domain number to which the page belongs is determined (step 600). If the sub-field in the domain access control field (DAC) of the process indicates access permission to the obtained domain number in the address translation information (if it has the same domain number), the domain is changed to the domain. Access is permitted (step 610). Although not shown in the figure, when the domain access is permitted, further detailed contents of the access control bit are referred to, and whether the access is permitted or not is checked for each access type such as read, write, and execute. When the sub-field in the domain access control field indicates access prohibition (when they do not have the same domain number), an interrupt related to the illegal memory access is generated and the access to the domain is interrupted (step 620). With the conventional memory protection method described above, one process can have two or more shared domains. A memory management device having the above conventional memory protection method is disclosed in, for example, Super ASCII Vol.3 No.10.
(October 1992) Page 86 (Super ASCII, Vol.3 No.
10 (October 1992) pp.86).

[0006]

However, in the above-mentioned conventional memory protection method, the total number of domains that can be generated at one time or the total number of processes that can be executed at one time is limited by the length of the domain access control field (DAC). For example, in the example of the domain access control field (DAC) of FIG. 5, the maximum number of domain “0” to domain “7” is limited to eight. Therefore, in order to increase the total number of domains that can be created at one time or the total number of processes that can be executed at one time, the domain access control field must be lengthened to increase the number of sub-fields. There is a problem that the amount of hardware for storing increases.

This problem will be described more specifically with reference to FIGS. 5 and 6 described above. As shown in FIG. 5, each sub-field of the domain access control field is associated with domains “0” to “7”, and the maximum number of domains that can be generated at one time is eight. In this case, as shown in FIG. 6, six processes A (500) to F (550) are activated, and domain numbers “0” to “5” are assigned as the domains occupied by the respective processes. , Process A (500) and Process C (52
0) shares domain “6” and process C (520)
And the process D (530) share the domain “7”, all the eight domain numbers that can be generated at one time are used and there is no free domain number. In this state, process E (540) and process F
When attempting to generate a domain (590) shared with (550), a new shared domain 590 cannot be generated because there is no free domain number already.
When a new process such as process G (560) is to be started, even a process-specific domain cannot be created because there is no free domain number already. Therefore, until the starting process releases the domain. It is not possible to start any new process. In order to eliminate such shortage of domain numbers, it is necessary to lengthen the domain access control field and increase the number of subfields so that more domains can be generated at one time.

More specifically, the amount of hardware required for the all domain access control field in the prior art is as follows. Hardware amount of one sub-field x maximum total number of domains Here, the sub-field is a sub-field in the domain access control field. As can be seen from the above equation, the conventional technology has a problem in that the amount of hardware required for the domain access control field increases as the domain access control field lengthens to increase the number of domains that can be generated at one time. It was An object of the present invention is to provide a memory protection method and apparatus capable of increasing the total number of process-specific domains that can be generated at one time regardless of the length of the domain access control field while suppressing an increase in the amount of hardware. To provide.

[0009]

According to the memory protection method of the present invention, the memory is divided into a plurality of domains each consisting of a set of memory blocks, and it is shown that each process is a unique domain occupied and used by the process. Unique domain information (301 to 331 in FIG. 3 and 341 to 371 in FIG. 4)
Shared domain information (indicated by 302 in FIG. 3)
332 and 342 to 372 in FIG. 4), and domain information (201 in FIG. 2) for identifying the domain to which each memory block belongs, and domain access right information. Unauthorized memory access is suppressed by information and domain information, and when a process accesses a memory block, it is determined whether the memory block belongs to the unique domain of the process (Fig. 1) 110), permitting the access when the memory block is determined to belong to the unique domain of the process, and determining that the memory block does not belong to the unique domain of the process. Whether the memory block belongs to the shared domain of the process. The determination is made (step 120), the access is permitted when it is determined that the memory block belongs to the shared domain of the process, and it is determined that the memory block does not belong to the shared domain of the process. In this case, access to the memory block is prohibited.

The memory protection device of the present invention also includes a process-specific domain identifier register (301 to 301 in FIG. 3) for storing the identifier of the domain unique to the accessing process.
31 and 341 to 371 in FIG. 4), and memory block / domain correspondence means (for example, TLB in the virtual memory; 200 in FIG. 2) that associates each memory block with the domain to which each memory block belongs,
Unique domain determining means (220 in FIG. 2) for determining whether the domain to which the accessed memory block belongs is a unique domain of the accessing process, and shared domain determination for determining whether the accessed domain is a shared domain Means (230 in FIG. 2) and an illegal memory access interrupt control means for generating an illegal memory access interrupt when the domain to be accessed is neither the unique domain of the process to be accessed nor the shared domain accessible to the process. (250 in FIG. 2).

[0011]

According to the present invention, for each process, unique domain information indicating that the process is occupied and used by the process and shared domain information indicating that the process is shared by other processes. All the domains that can be generated at one time by having the domain access right information consisting of and performing the domain protection check by collating this with the domain information of each memory block to be accessed. Process-specific domain number field that holds the total domain number of the process (corresponding to 211 in FIG. 2, which is a part of PSW)
, And the total number of shared domains that can be generated at one time is defined by the domain access control field (corresponding to the DAC in FIG. 5). This makes it possible to increase the total number of process-specific domains that can be generated at one time regardless of the length of the domain access control field while suppressing the increase in the total amount of hardware.

[0012]

EXAMPLE An example of the present invention will be described below. The domain access control field (DAC) in this embodiment is the same as the control code shown in FIG. That is,
The total number of shared domains that can be created at one time is eight.
The domain identifier in this embodiment is an 8-bit positive integer, which is called a domain number. That is, the domain number is in the range of 0 to 255. Domain numbers 0 to 7 are assigned to the eight shared domains, and the remaining domain numbers 8 to 255 are assigned to the process-specific domain.
That is, the total number of process-specific domains that can be generated at one time is 248. Similar to the description of the prior art, it is assumed that the memory protection is checked together with the address conversion that converts a virtual address into a physical address. for that reason,
Similar to the conventional example, the address conversion table in the main memory or the T provided for high-speed address conversion is provided.
It is assumed that the address translation information of each page (memory block) in the LB (table lookaside buffer) includes the domain number to which the page belongs.

Next, an embodiment of the memory protection method of the present invention will be described. FIG. 1 is a flowchart showing the processing procedure of this embodiment. Each process has a process-specific domain number field that holds a process-specific domain number and a domain access control field that holds a shared domain number shared by a plurality of processes (see FIG.
The same configuration as that shown in FIG. When a process accesses data at a virtual address, the address translation table or TLB is searched by the virtual address, and address translation information (physical address, domain number, etc.) corresponding to the virtual address is obtained (step 100). It is determined whether the domain number in the address translation information thus obtained is equal to the process unique domain number in the process unique domain number field of the process (step 110). If the domain number in the address translation information and the process-specific domain number in the process-specific domain number field of the process are equal, that is, if the data to be accessed is in the process-specific domain, the access is permitted. (Step 110; NO).

If the domain number in the address translation information is different from the process-specific domain number, then it is determined whether the domain number in the address translation information is 0 or more and 7 or less (step 120). If the domain number in the address translation information is 0 or more and 7 or less, that is, if the data to be accessed exists in any of the shared domains, it is the same as the conventional domain protection check shown in step 610 of FIG. Domain protection check is performed on the domain access control field holding the shared domain number (step 130). When it is determined as NO (the domain number in the address translation information is "8" or more) in step 120, that is, when the data to be accessed exists in the unique domain of another process, and in the domain protection check in step 130. If the access is prohibited, an interrupt relating to an illegal memory access is generated and the access is interrupted (step 140).

Next, this embodiment will be described more specifically with reference to FIGS. 3 and 4. 3 and 4, each process A to H has a process unique domain number field 30 indicating a domain that can be uniquely used by the process.
1 to 371 and domain access control fields 302 to 372 indicating a shared domain, respectively. For example, in the example of FIG. 3, the process B (310) is
"21" in the process-specific domain number field 311
And the domain access control field 312 holds “0”. When the process B (310) accesses the memory, the TLB (or the address translation table) is searched by the virtual address (step 10 in FIG. 1).
0), translate the virtual address to the physical address in the corresponding address translation information. At that time, the domain number in the address translation information and the process-specific domain number field 3
It is compared with the domain number “21” in 11. If the domain number in the address translation information is "21", the two match (step 110; NO), that is, it is regarded as the unique domain of the process B (310), and the access is permitted. If the domain number in the address translation information is "0", they do not match (step 11).
0; YES). That is, domain "0" is process B
It is not the unique domain of (310). In this case, next, it is determined whether the domain number in the address translation information is "0" or more and "7" or less (step 120). In this case, since the domain number "0" falls within this range, it is regarded as a shared domain (step 120; YES), and the domain access control field 312 indicating the shared domain of the process B is used to perform the same domain protection check as in the prior art. Is performed (step 130). The domain access control field 312 of the process B is the domain number "0".
Since this holds, the domain indicated by the domain number in the address translation information is the shared domain of the process B (310) (step 130; YES: domain protection inspection passed), and the access is permitted. When the domain number in the address translation information is, for example, “22”, the domain is neither the unique domain of the process B (310) (“21” ≠ “22”) nor the shared domain (“22” is “ Since it is not less than 0 "and not less than" 7 "(step 120; NO), an illegal access interrupt occurs and the access is interrupted (step 140).

Next, an embodiment of the memory protection device of the present invention will be described. FIG. 2 shows a memory protection device of this embodiment. In the figure, reference numeral 201 denotes a domain number field included in the address translation information in the TLB (or address translation table). In this embodiment,
The domain number field 201 in the address translation information is T
It is a part of the LB (or address translation buffer) 200. The domain number in the domain number field in the address translation information indicates the domain number to which the address-translated page belongs. 211 indicates a process unique domain number field (3
0 to 371) is a field for storing the process unique domain number. In this embodiment, the process-specific domain number field 211 is the process state word (PSW) 2
Part of 10. It is assumed that the domain number field 201 in the address translation information and the process-specific domain number field 211 are each composed of 8 bits. A comparator 220 compares the contents (DT) of the domain number field 201 in the address translation information with the contents (DP) of the process-specific domain number field 211 for equality. If both outputs of the comparator 220 indicate that they are equal, the access is to the unique domain of the accessing process itself, and in this case, access to the domain is permitted (the domain protection inspection result is passed). If domain access is granted, access control bits (eg, 2 bits) are also added.
Access right check is performed, and the access permission / prohibition is checked for each access type such as read, write, and execute.

As a result of the comparison in the comparator 220, the contents (DT) of the domain number field 201 in the address translation information
And the content (DP) of the process-specific domain number field 211 are not equal, the decoder 230 that determines whether the content (DT) of the domain number field 201 in the address translation information is "0" or more and "7" or less
To enable. As a result of the determination by the decoder 230, the domain number field 2 in the address translation information
If the content (DT) of 01 is not less than 0 and not more than 7, the illegal access interrupt control unit 250 issues an illegal access interrupt to interrupt the access. As a result of the judgment by the decoder 230, the domain number field 20 in the address translation information
If the content (DT) of 1 is "0" or more and "7" or less, the comparator 241 of the domain protection checking unit 240
The shared domain number (DAC; FIG. 5) of the process fetched from the domain access control field of the process at the time of process switching is compared with the content (DT) of the domain number field 201 in the address translation information. As a result of the comparison in the comparator 241, if the two are equal (the domain protection inspection result is passed), the access is to the shared domain of the process to be accessed, and thus the access to the domain is permitted. As a result of the comparison by the comparator 241,
If they are not equal (domain protection inspection result is unsuccessful), the domain number field 20 in the address translation information
Since the content of 1 (domain DT) is neither a unique domain of the accessing process nor a shared domain, access is prohibited, and the illegal access interrupt control unit 250 controls the illegal access interrupt.

According to the above embodiment, it is possible to protect the memory for a larger number of domains with a smaller amount of hardware than the prior art. This will be described quantitatively. The conventional hardware amount is as follows. Hardware amount of one sub-field x maximum total number of domains The hardware amount of the present invention is as follows. Hardware amount of 1 sub-field × maximum shared domain total number and hardware amount of Log2 (maximum domain total number) bits Here, the sub-field is a sub-field in the domain access control field. Note that the maximum total number of domains is the total number of all domains including unique domains that can be generated at one time and shared domains that can be generated at one time, and the maximum total number of shared domains is the total number of shared domains that can be generated at one time. That is.

For example, consider the case where each sub-field is composed of 2 bits as described above. In this case, the maximum total number of domains (the sum of the number of unique domains that can be generated at one time and the number of shared domains that can be generated at one time) and the maximum total number of shared domains according to the present invention for some values of the total hardware amount (bit number) The maximum total number of unique domains (total number of unique domains that can be generated at one time) and the maximum total number of domains are as shown in FIG. 8, for example. From this figure, when the amount of hardware is fixed, it can be seen that in the present invention, if the maximum total number of shared domains is reduced, the maximum total number of domains can be made significantly larger than the maximum total number of domains in the prior art. Further, when the maximum total number of shared domains is somewhat smaller than the maximum total number of domains, the amount of hardware for memory protection according to the present invention can be smaller than that according to the prior art.

[0020]

According to the present invention, the domain access control field (DA) is suppressed while suppressing an increase in the amount of hardware.
It becomes possible to significantly increase the total number of process-specific domains and the maximum total number of domains that can be generated at one time regardless of the length of C).

[Brief description of drawings]

FIG. 1 is a flowchart showing a procedure of an embodiment of a memory protection method of the present invention.

FIG. 2 is a configuration diagram showing an embodiment of a memory protection device of the present invention.

FIG. 3 is an explanatory diagram illustrating a concept of memory protection according to the present invention.

FIG. 4 is an explanatory diagram illustrating a concept of memory protection according to the present invention (continued).

FIG. 5 is an explanatory diagram showing an example of a domain access control field.

FIG. 6 is an explanatory diagram illustrating a concept of memory protection according to a conventional technique.

FIG. 7 is a flowchart showing a procedure of a conventional memory protection method.

FIG. 8 is a comparison diagram of the total amount of hardware and the number of domains in the related art and the present invention.

[Explanation of symbols]

100 to 140 ... Procedure of one embodiment of the memory protection method of the present invention, 200 ... Address translation buffer (TLB), 20
1 ... Domain number field in address translation information, 21
0 ... Process status word (PSW), 211 ... Process unique domain number field, 220, 241 ... Comparator, 2
30 ... Decoder, 240 ... Domain protection inspection unit, 250
... Illegal access interrupt control unit, 300, 310, 32
0, 330, 340, 350, 360, 370, 50
0, 510, 520, 530, 540, 550, and 560 ... Process, 301, 311, 321, 331,
341, 351, 361, and 371 ... Process-specific domain number field, 302, 312, 322, 3
32, 342, 352, 362, 372, 400, 50
2, 512, 522, 532, 542, 552, and 562 ... Domain access control field, 380-3
85, 390-395, 580-585, and 590
... 594 ... Domain, 410-417 ... Subfield in domain access control field, 600 and 6
10 ... Procedure of Prior Art Memory Protection Method

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Ikuya Kawasaki 5-20-1 Kamimizuhonmachi, Kodaira-shi, Tokyo Incorporated company Hitachi Ltd. Semiconductor Division

Claims (6)

[Claims] 1. The memory is divided into a plurality of domains each consisting of a set of memory blocks, and the unique domain information indicating that the unique domain is occupied and used by the process and shared with other processes. Domain access right information consisting of shared domain information indicating that it is a shared domain to be used for each memory block, and domain information for identifying the domain to which each memory block belongs, and the domain access right information. A first aspect of the present invention is a memory protection method for suppressing an illegal memory access according to the domain information, wherein when a process accesses a memory block, a first process determines whether the memory block belongs to a unique domain of the process. In the determination step and the first determination step, the memory In the step of permitting the access when it is determined that the block belongs to the unique domain of the process, and in the first determining step, it is determined that the memory block does not belong to the unique domain of the process. In this case, the memory block belongs to the shared domain of the process in the second determination step of determining whether the memory block belongs to the shared domain of the process, and the second determination step. If it is determined that the memory block does not belong to the shared domain of the process in the second determination step, the access to the memory block is prohibited. A memory protection method comprising the steps of: 2. The memory protection method according to claim 1, wherein the first determining step is performed by comparing the domain access right information of the accessing process with the domain information of the accessed memory block. A memory protection method characterized by being exposed. 3. The memory protection method according to claim 1, wherein the domain information of the memory block is stored in an address translation table or a TLB (table lookaside buffer) for address translation in a virtual memory device. And a memory protection method characterized by being referred to during address translation. 4. The memory protection method according to claim 1, wherein the second determining step determines whether the memory block belongs to a predetermined shared domain. Whether the shared domain number accessible by the process is equal to the domain number of the memory block when the memory block is determined to belong to a predetermined shared domain in the determination step and the third determination step. And a fourth determination step for determining whether or not the memory protection method. 5. The memory is divided into a plurality of domains each consisting of a set of memory blocks, and the unique domain information indicating that each process is a unique domain occupied and used by each process is shared with other processes. Domain access right information consisting of shared domain information indicating that it is a shared domain to be used for each memory block, and domain information for identifying the domain to which each memory block belongs, and the domain access right information. A memory protection device for preventing unauthorized memory access by the domain information, a process-specific domain identifier register for storing an identifier of a domain occupied by a currently executing process, each memory block, and the memory block to which the memory block belongs. Memory block domain that associates with domain Inter-correspondence means, unique domain identification means for identifying whether the domain to which the accessed memory block belongs is a unique domain of the accessing process, and shared domain determination for determining whether the accessed domain is a shared domain Means and an illegal memory access interrupt control means for generating an illegal memory access interrupt when the domain to be accessed is not a unique domain of the process to be accessed and is not a shared domain accessible to the process. Memory protection device characterized by. 6. The memory protection device according to claim 5, wherein the memory block / domain correspondence means is an address conversion table or a TLB in a virtual memory device.