JPS61502568A - Data processor with module access control - Google Patents

Abstract

(57) [Summary] This bulletin contains application data before electronic filing, so abstract data is not recorded.

Description

[Detailed description of the invention] Has 7 joules access control data processor field of invention TECHNICAL FIELD The present invention relates generally to data processors, and more particularly to data processors. A data processor having an access control mechanism t-.

Background of the invention In many processors, the executable program is generally utilized by the processor. It has the ability to access any address within the address space. many others In data processors, access restrictions are imposed on user programs. , not imposed on monitoring programs. Typically, access restrictions are The address range imposed by air is the generation of space restrictions. other normal Restrictions are placed on the specified addresses that would otherwise be accessible to the user program. This is done by imposing write protection on the range.

The other components of the system include monitoring programs, RAM, input/output operations, etc. A number of service routines are provided to perform operations and other required system functions. Contains. Generally, such routines are considered privileged. All access to it by user programs is restricted to the appropriate What happens when a trap (t de αp 2 interrupt) occurs for a privilege withdrawal (obstruction) handler? It's normal. In such execution, determining whether the request should be granted or not. It is I-/Dora's responsibility. If the decision is positive, control is The handler executes the requested service before being sent back to the program. enable. This software implements an access control mechanism. , it is very versatile, so the overhead associated with this mechanism is extremely negligible. Melt with meaning.

Digital Eqsiptmant Corporations WAX and Natiosallmioosdsator NSC16000 Micro Pro Applicable to other 7 joules in other data processors, such as As a set of data/code modules that get “called” Then the program will be configured. called module (galled m At the end of odslm), control is transferred to the calling module (aalli%gmo dsLa). However, these processors have limited access to modières. It does not provide any mechanism to control the Therefore, Mosier Cole (no. dsla call) instruction branches to the appropriate start address of the module. Before doing so, the data processor returns (data ts1-%) 1x@ the user ・Ordinary branch subroutines (brasch - 1o-ashy. sting) instruction. Some of these systems , this starting address is used to generate an executable load module. In the process, the conoviler/assembler and linker (1tskar) “Module descriptor (som1m daaartpto Other information about Mosier is also available at Mosier des It will be provided in Cryptor.

GssgraJ Elacrtr4c's GE 645 "MULTIC!i" Mashi ) Recent Pv4tma Cavsp*tara and Data Gmsmral offers a wide range of commercially available system memory Each “page” of available address space within is associated with an access level; A pair of protective concentric circles on top form a “ring°.The number of rings may vary However, the most perceivable data/code modules are stored within the most sensitive ring. Typically, the user module is in the outermost ring, and the monitor log 2 is Munozashi and related compilers/Acenobu 2 modules are available to some extent. properly distributed among the rings. Data/code stored in the innermost ring To gain access to Mosier, call Mosier to the highest The module that should be given access level and has the lowest access level However, you can access the mosieres stored in the outer ring. Like this model In the system-enabled version, the call module instruction is protected from unauthorized use. User programmatically converts @ to the data/code module desired by the system. access.

In a typical data processing system that implements an access control mechanism, The monitoring program has access to each user program installed on the system. Responsible for assigning service levels. For example, a user is task number nine, the same other users of the program) may be assigned higher access privileges.

Similarly, some programs have a higher level of access than other programs due to their properties. It may require a level. On the other hand, all programs have normal input/output and Access to monitoring programs and modules that perform related service functions is restricted to the general public. You can fit it in. Invocation (the call module mechanism is facilitate such dynamic changes in the system.

During the translation/assembly and linking process, supervisors typically nail descriptor (sometimes called segment descriptor) t-initial and enter information about each module's address and its access level. . Depending on the requirements of the system, these descriptors may contain their respective modules. What happens inside the ring will be remembered somewhere outside.

These descriptors are then placed on a suitable storage medium within the system resources. (call realtsg) appropriate modules and link programs. It is inserted into the call/modiere instruction. In this way, the program is executed. Whenever a program is executed, all modière calls made in that program are The monitoring program can confirm that the department has been approved in advance. However, the program It is still necessary for the system to extend beyond the modules granted high-level access privileges. must be thwarted. This dynamic access control feature is typically either within the data processor itself or within a memory management device closely connected to the data processor. Processed by the executed access controller. Generally, the access code The controller Raises each access to system memory and records the current execution module. Is the access level greater than the access level of the page being accessed? Determine equality. If so, access is granted and Otherwise, the access is incorrect.a), the calling module Ccalltng fi%od%1m) is forced to terminate. Call module instruction executed Whenever the data processor Enable execution of the called module (aallad sod%1m). be changed to a higher level, if necessary, in order to Notice. The access controller then selects a peer with a higher access level. Please allow access to the page. The corresponding “reta/(data from module)” To execute the tar% - f - inertia - m - ) ''' instruction, the data processor will: Access control calls access level module (aaLLt%gm・d nbLm) to return to the initial level.

In some systems, each access level has a set of "gates" associated with it. , each gate can be “open” or “closed” at the discretion of the monitoring program. Ru. Typically, a modiseal is used by a user group with a particular access level. If the program is made accessible, the monitoring program Memorize the descriptor for the internal modière of a specific gate table in a level. This will open the gate to this module. Input like this Without (-1 deci), the gate would be effectively closed. Then the desired Call module that controls access to modules Gate number (number) and module data within the access level of om1m) together specify the index into each gate table where the scripter is stored By calling module (aa(j(%g mod %1m)) You can request access to the tool. If the access controller If the processor verifies that an input like The information contained in the module descriptor is used to identify the are allowed to establish access levels and routes to called mosieres. Otherwise, the access is considered erroneous and forces termination of the calling module. call If you output from a module, the processor will call it before returning control to it. Initial access level of output module (aallinfl f1Mlm1-) re-establish the link. In addition to the dedicated storage space for Kana 9's gate table, this technique , requires a large amount of complex circuitry to perform the table lookup function.

Summary of the invention Therefore, it is an object of the present invention to have an improved modiny λ access mechanism. By providing one data processor.

Other purposes require data processors related to the criteria by which access is granted. By providing a module access control mechanism that does not

Yet another objective is to provide access controllers that are independent of the data processor. , to determine whether the requested access should be granted on behalf of the data processor. 6 by providing a data processor that supports

Yet another purpose is to control access to the nine modules stored in system storage. In order for the data processor to cooperate with an independent access controller in This is to provide an effective mechanism for

Yet another object of the present invention is to provide a system for implementing a module running within a data processor. , the access controller directly controls access to system storage. The purpose of the present invention is to provide an improved gate mechanism for

These and other purposes are to control access to modules stored in storage devices. The improved data management system according to the present invention cooperates with the access controller to By processor: i! will be accomplished. In its most basic form, the invention Sessa is configured to receive instructions requesting access to Mosier, and specifies the address within storage that contains the access request.

The data processor issues the access request using the address specified in the instruction. It works horizontally and supplies access requests to the access controller. data processing The server then initiates the requested access to the module. However, access If the access controller makes a full decision to deny the access request, ,! It will be sent to @shi(faxlt).

In a preferred form of the invention, the data processor attempts the requested access. requests the access controller's decision on the access request before Aku If the process controller's decision is positive, the data processor Allow access. However, if the decision of access controller 2 is negative, the The data processor denies access to the module.

In either type, the data processor is There is no need to know the access criteria imposed. Thus, the type and content of the access request is , change the data processor and method by which the access control mechanism is implemented. It can be modified to suit specific requirements without having to do so.

Brief description of the drawing FIG. 1 is a block diagram of a data processing system suitable for implementing the present invention.

FIG. 2 is a block diagram of the data, gross, and data in FIG. 1.

Description of the invention A data processing system is illustrated in FIG. 2) The logical address (LADDR) issued by physical buses (PBUs) The memory management device 14 outputs data to the memory management device 14 to the memory address physical address (PADDR) for output to the memory management device 16. It's getting smeared. At the same time, the percentage supplied by the ninth DP12 that controls access Various logical access control signals (LCNTL) The fire device 18 sends an appropriately timed physical access control signal (P CNTL). In a preferred form, DP12 is modified according to the invention. access to data and code stored as modules in memory 20 For example, in order to control the Strengthen.

Corresponding to a range of physical addresses, the memory 20 includes a false alarm detection and correction circuit (HDA). C) In cooperation with 22, PBUEI I6 physical access control signal (PCNTL) ) and j) DP12 and data (DATA) t- exchange. If the EDAC 22 detects an erroneous code in the data, it will retry the exchange (CRETRY). If the error occurs, either report a bus error (ENTER) or press D. Either request to P12.

Mass storage (massatortsgm) device in response to a physical address Interface 24 cooperates with DP I2.

Transfer data to mass storage 26, or transfer data from there. cormorant. If 11 occurs during a transfer, interface 24 will ER) or request a retry (RFjTRY) if appropriate. It's also possible.

The MMU 14 assigns a specific logical address (LADDR) to the corresponding physical address vi- If it is not possible, the MMU 14 will issue an access failure (FAULT) ftM I'll probably report it.

A watchdog timer 28 is supplied as a check to the MMU 14, and the physical Any physical device within a reasonable time regarding the access control signal (PCNTL) If it does not respond to the address (pAnnR), it will signal a no(s error) (BEER). It is possible to report.

If EETRY is requested during a data access bus cycle, O R gates 32 and 34 respectively connect the EEEE and HALT inputs of f) p12. It will start. Both BEER and HALT inputs during the DP control bus cycle DP 12 aborts the current node cycle. RH: When the TEY signal ends.

Will try the cycle of seven again.

With judicious use of numbers, they can also be controlled externally. OE gate 34 In response to activation of only the HALT input through the Stop automatically and resume operation only after the HALT signal ends. Dew.

In response to activation of the BEER input only during a processor management bus cycle, the DP 12 aborts the current cycle, protects the contents of the status register, and closes the monitoring program. If the dress state is on, turn it off and set it to the bus error state. This will generate a vector number. Op 12 there, The monitoring program in memory 20 stores information blocks reflecting the current internal contents of the processor. stuck in the ram stack area, and the supervisor's error no. We will use the vector number (nanno ζ-) to branch into the ring parts.

During the stack operation, p'12 is in the evacuated state (5 aved m). lat%#) The current contents of a register, program, or counter, usually the current execution instruction. The contents of the instruction register taken by the first word of the instruction are shifted by the aborted cycle. the logical address that was written, and the characteristics of the abort/extend cycle, i.e. read/write Stacks certain information of a general nature, including instructions/data and function codes. I'll do it. In addition to the above information, DP 12 also provides a lot of information regarding the internal machine state. configured to stack information. If the exception/dora is successful in solving the error, If successful, that final command will return control of DP12 to the aborted program. Dew. During the execution of this instruction, the next stacked information is searched and the DP12's next information is searched. It is loaded into the appropriate part, and the state that existed when the bus/work 2- occurred is restored. .

DP12's superior operating experience is realized by DPI20 micro-programmable It will be described with reference to FIG. 2, which illustrates the internal organization of an example. Illustration of DP12 The shape is described in detail in several U.S. patents cited hereafter. Motorola OMG 6B (very similar to IOQ microprocessor) In O, a typical operating environment will be described rather broadly. people Once a general understanding of the internal architecture of the DP12 is gained, the discussion can move on to the present invention. access control aspects will be the focus.

DP12 is a pipeline screen, a microprogram data processor.

In pipelined processors, each instruction is etched 7 times during the execution of the previous instruction. Translation of a fetched instruction typically begins before the previous instruction finishes.

In a microprogram data processor, each instruction The fetched instruction is usually translated before the previous instruction finishes. It begins. In a microprogram data processor, each instruction is Well defined operations! executed in the order of microinstructions that perform the details of 1/ Ru. With chivalry, user instructions are written as microinstructions to avoid confusion with microinstructions. In DP12, each microinstruction has a microinstruction order and function code. The microword (mlaro%Dord) that controls code generation and the function device controls the actual routing of information between and the driving of special function devices within the DP12. It is a nanoword (%anoword). With this in mind, a typical The general instruction execution cycle will be explained.

Prefetching of microinstructions will occur at appropriate times during the execution of each instruction. cormorant. The micro word part is similar to the micro EOM56 and the micro ROM output latch. Once loaded into chip 38, function code buffer 740t-enables and commands Outputs the function code (FC) part of the logical address (LADDR) that displays the cycle. do. At the same time, the corresponding data is loaded from the nanoRQM42 to the nanoROM output latch 44. Nowaard commands bus controller 4 to perform instruction 7 bus cycles. 6t--Request and fill TFC address bus buffer 150 with the first word of the next instruction. Requests instruction execution unit 48 to provide a logical address. PBUS16 system If the bus controller 46 receives control, the address of the logical address (LADDR) In order to output the part, it is necessary to enable the address buffer 750i. Shiba Bus controller 46 then provides appropriate data to drive memory 20. - Will provide strobes (some LCNTL signals). memory 20 Upon request and supplying the command 7, bus controller 46 receives a command from PBUS 16. To input the first word of the next instruction, execute instruction register search (zRc) 52. Enable. At some later point during the execution of the current instruction, another instruction is executed and I From RC52 to instruction register (IB)54.

The first word of the next instruction is transferred and the next word is transferred from memory 20 to IRC 52. will be loaded. Depending on the instruction type of lR54, F) IRC52 word is , Immediate data (i-date data), operand address, or Or maybe it's the first word of the next command. In general, an instruction set suitable for DP12 An example of the microinstruction order applied to the implementation of such an instruction set is It is entitled Two-Level Control Storage Device 2 for Crop Program Data Processor. 19 Published on April 13, 1982 in Gsnta de et al. and incorporated herein for reference. U.S. Pat. No. 4,525,121.

As soon as the first word of the next instruction is loaded into IR54, the address 1 decoder 56 starts decoding certain control fields and starts the lR540 individual instruction. The first microinstruction micro in the micro order (m1aroaaqs-am) ・Determine the address. At the same time, the illegal instruction decoder 58 - I'll probably start considering mats. If the format is determined to be invalid, Illegal instruction decoder 58 decodes the first microinstruction microinstruction in the illegal instruction microsequence. ・You can supply one address. Format/Engineer 9-vcE Answer Exception Logic 60 forces the multiplexer 62 and the address 1 decoder 56 supplies the place the microaddress at the microaddress provided by the illegal instruction decoder 58. I can change it. Once the final microinstruction of the currently executing instruction has been executed, The microword portion loads the microaddress latch 64 with the appropriate microaddress. multiplexer 62f:, to supply the The code section is the first word of the next instruction from the IE 54. enable the data decoder (CIRD) 66. selected micro address When the micro ROM S6 is loaded into the micro address latch 64, the micro ROM S6 outputs each microword to the microROM output latch 58. Lori. The nano EOM 42 also stores the corresponding nano word in the nano ROM output latch 44. will be output to .

A portion of each microword is typically loaded into the microROM output latch 38. part specifies the microaddress of the next microinstruction to be executed, while the other part specifies the microaddress of the next microinstruction to be executed. The minutes are determined by multiplexer 60 on the inputs of microaddress 64. to determine which alternate micro-address is selected. Some commands use specified operation t - one or more micro-sequences must be executed to achieve None. Tasks with higher indirect address resolution (rmmolstio%) are generally specified using additional control fields in the instruction. These additional micro The microaddress of the first microinstruction for the sequence carries the control information of lR54. address 2-3 decoder 68. simple stars like that In instructions, the first micro-sequence typically performs some preparatory task and then Address 2-3 deco-f6Bc) Actual operation generated from address 3 part し　／′? e Set the master to select the micro address of the micro order to execute. Multiplexer 62ft will be enabled. Such a complicated life In the instruction, the first micro-order performs the first preparation task and addresses 2-3 decoders. The second part of the address of 68 is the micro address of the next prepared micro sequence generated. Multiplexer 62 could be enabled to select the path. This addition After performing the preparation task, the second micro-sequence is the address 2-3 decoder address. The actual operation M/l that was generated in response part 5 is the micro-order map to be executed. Enable multiplexer 62t'' to select the macro address. Ruro. Toniga〈The final microinstruction of the final microinstruction of each instruction is atto L/ The first microinstruction microinstruction of the arrow instruction generated by the - Will enable multiplexer 621 to select the address . In this way, each instruction is executed in a specific order of microinstructions/! -t- progress through A complete explanation of the micro-address order selection mechanism can be found in 19 entitled "Instruction Register Order Decoder for Program Data Processor" Published on July 27, 1982 on T-day dgss4c & others, for reference. No. 4,542,078, incorporated herein by reference.

In contrast to microwords, nanowords loaded into nanoROM output latch 44 The code controls register control (high line 70) and register control (low and data) 72. between several registers of execution unit 48, and if necessary Indirectly controls the routing of operands between If the nanoword is enable the field converter (tea%alat-0%%nzet) 74; A specific pit field is input from the IRD 6B command to the execution device 48. Extract. The nanoword is also controlled by the AU control 76 and the AL control 78. Indirectly controls effective address calculation and actual operand calculation of execution unit 48 . When appropriate, the nanoword enables the AL and control 78 and executes the execution unit 48. The condition code resulting from each operand calculation is recorded in the status register (SR) 80. Make me remember. °A detailed description of a suitable thermal ALU control 78 can be found in “Data Processor Support ALU and condition codes have been published and are incorporated herein for reference.

No. 4,312.034. DP12 service and operation Other details regarding / filed on December 7, 1982 and filed on June 2, 1984. The “Data Processor Purge □-i7% Validity Checking Device” was approved on the 1st. No. 447,600.

DP12 is a microprogram machine, all its resources and control paths. The implementation of additional instructions is primarily based on the new instructions, provided that the This is done by providing an appropriate micro-order to the instructions.

Module call (CALF, M) and U Mosier return (RTM) are The hardware requirements imposed on the DP12 by this command are , reads from a specific address in the entire address space already available to the DP12, and Since this kit is included, only existing abilities are required.

On the other hand, within the constraints imposed by the CALLM/ETM interface, access ・The realization of the controller function is completely at the discretion of the system designer. So C.A.L. For the purpose of explaining the operation of DP12 in the execution of LM and RTM instructions. For example, access controllers that are conveniently grouped together in the MMU 14 are a set of registers addressable at each given address in the existing address space; It is thought that 0p12 recognizes that it exists as a "black box". cormorant.

In the preferred i form, the CALLM instruction indicates the address in memory 20 where the descriptor for effective address and the calling module (o811isgmodsline) Moving on to the module where is called, the number of the argument (a de gsm - %t) is (member) t-indicating argument color/return.

In preparing the CALLM instruction, the modière descriptor is called nine modières. to obtain the entry address of the module and the address of the data area associated with that module. Therefore, it will be initialized by the supervisor at link time. Mosier The le descriptor is also the access point of the stack where Mosier expects to find the argument. That would include the dress. In addition, module descriptors can be Include requests for special format access as appropriate to individual levels of access control. Muderoro. For example, in the preferred embodiment, the access request is based on the access level should be changed, and if so, the new access requested by the called module. This is the access code that tells you what the access level is.

Upon receiving a CADLM command for execution, the DP12 first evaluates the effective address. , then from that address access request, module address and module will retrieve the rule data area address. Therefore, DP12 requests access. Test the type of access that should be done, i.e. change of access level is required. or the current access level is appropriate for the called module. Decide if it is necessary.

A further preferred form of access request is also that the called modier is the calling modier. It is expected to find arguments on the module stack, or the module called Indicates whether it is likely to be found in Le Stack.

For example, if the access type indicates that the access level should not change, D P12 will create a mosier stack frame on top of the current stack.

If the called module finds an argument on the calling module stack, If included, DP12 has one model of call-out simulator stack. The modules stacked in the module stack frame and called there are 5゜If the called module is in its own standby DPi2 expects to find arguments in the calling module stack. Shortest path (5hort out) without stacking / compensating Simply advance the module stack frame pointer as shown below. DP12 is , where the module stack followed by the address of the module descriptor Writes the current value of the calling module program counter to the frame.

In the preferred form, the first word of the called module is the data of that module. If the address of the data area is included, the modière expects it. DP12 Orule Specify the register. At this point in the execution of the CALLM instruction, DP12 registers this register. ・Search for Svesifier (apmetft-de), then select the specified nine cash registers. The current contents of the star will be stored in the mosier stack frame. DP1 2 is the argument count and modière desk specified in the CALLM command. (by remembering the access requests retrieved from the Complete the 7th frame. DP12 then becomes a register specifier. In the following first instruction, execution of the module is started.

On the other hand, if the access type indicates that the access level should be changed In this case, DP12 first sends an argument to the called module. If so, all arguments are passed to the call The fDP 12 will make sure that it is within the module's conforming address space. If, a If an access violation is detected2, the DP12 vectors to the exception handler to It will force the calling module to exit. If no access violation is detected , DP12 has a "current address" known as simply the first predetermined address of the address space. The access level and credentials of the calling module from the “access level register”. DP12 will read what is entered. Then DP12 is available A “module” known to DP 12 only as the second predetermined address of the address space. ・The address of the module called in address register 1 and the empty address Z), known to PI3 as the third predetermined address between It will write a "new" access level to the bell register. Then DP1 2 is an "access" address known to DP 12 only as the fourth predetermined address in the address space. The access controller's decision in response to an access request from the "Status Status Register" Read what you can believe.

If the decision is negative (at least DP12 recognizes it as negative), DP12 vector to the exception handler and force the termination of the calling module.9゜ If the decision (by DP12) is found positive, the The “new” access level that was previously included in the access request maintained in The "old" access level will be inserted in place of the file.

If the called module has arguments or all At least find a pointer to the argument in the module stack frame. If you expect that DP12 continues completing the mosier stack frame. contrary to this When a module is expected to find an argument on its stack, DP1 2 is the module stack pointer called from the module descriptor. Finds all arguments from the calling module stack into the called module. will be transferred to the le stack. DP12 there, the already explained mosier module stack frame instead of the called module stack. Create on the output module stack. Module stack frame completed After that, DP12 is always the first instruction following the register specifier. Start execution of the module.

Upon receiving the RTM instruction for execution at the end of the called module, the DP 12 is an access request counter, an argument counter, and a program counter for the calling module. record used by the called module as a pointer to its data area. Searching for a value in the register 5゜Access temperature in access request, access request If the DP12 indicates that no access change was made, the module The current stack pointer t is used to discard all tack frames and arguments. v4, restores the initial values of the registers used by the called module, and Restore the program counter to begin execution of the calling module.

However, if the access type indicates that an access level change has occurred, the address Decrement-by-one access known to DP12 only as the fifth predetermined address in space - Before writing “old access level” to level register 2, DP12 Search the discovered module stack for 1 old” stack pointer.DP1 2 then reads the “Access Status Register” again and reduces the access level. Find out what the access controller's decisions are for small requests. If that If the decision is negative, DP12 calls the exception handler by vectoring to the exception handler. This would force Mosier's termination. If the decision is positive, DP12 , the “old” stack pointer t− to discard the mosier stack frame Arrange aq, extract the original current stack pointer, and adjust the relational argument t. Deroro. Then, DP12, as already explained, is used by the called Modinir. restores the initial values of the used registers and then starts execution of the calling module. To begin, we will restore the program counter.

As already explained, the DP 12 is responsible for the processing of CALLM and ETM instructions. the access controller, and before starting to execute the called module. I'm waiting for a decision. However, if there is a request, it will request access to the access controller. It is also possible to simply start working on the request process after you have moved it. If you access If the access controller decides to deny access, the access controller Simply fault the access cycle, thereby l) DP 12 to This will push it to the exception handler. Thus, in a general sense, the present invention A data processor such as A mechanism for advising an independent access controller where access requests are made related. No matter how much access an access controller grants, it It is possible for the data processor to be My commands for all commands of DP12 As with micro-orders, for a general understanding of such micro-orders, see U.S. Pat. , 325, 121.

Claims (11)

[Claims] 1. Access control that controls access to modules stored in storage devices In a data processor adapted to cooperate with Laura, an address in the storage device that requests access to the module and includes the access request; a first means for receiving an instruction specifying a response; a second means for searching for an access request from the storage device; third means for providing the access request to the access controller; Unless said access request is denied by said access controller, fourth means for granting said requested access to said module; Sessa. 2. If the access request is denied by the access controller, Claim 1 further comprising fifth means for vectoring to an exception handler. Data Processor as described in Section. 3. The module specified by the instruction is a code module, and the module specified by the instruction is a code module. The instruction also specifies a selection number of arguments to be passed to said code module and the fourth means for passing the argument to the code module before granting access to the code module; 2. A data processor as claimed in claim 1, wherein said data processor passes through said data processor. 4. The fourth means is receiving a decision from the access controller regarding the access request; fifth means for controlling the module in response to a positive determination from the access controller; grant the requested access to the access controller; sixth means for denying the requested access to the module in response to the determination; 2. A data processor as claimed in claim 1, comprising: 5. an exception if the access request is denied by the access controller. Claim 4 further comprising seventh means for vectoring to the handler. data processor. 6. Access controls that control access to modules stored in storage devices. In a data processor adapted to cooperate with a controller, said module request access to a file and specify the address within said storage device that contains the access request. receive an instruction to Retrieves the access request from the storage device and forwards it to the access controller. Serving the access request: If the access request is not denied by the access controller, the module granting the requested access to the module. 7. 7. The data processor of claim 6, wherein the access request is If denied by the access controller, vectoring to the exception handler How to further include. 8. The module specified by the instruction is a code module, and the module specified by the instruction A claim also specifies a selection number of arguments to be moved to said code module. In the data processor of Clause 6, before granting the requested access, the data processor The step of allowing access is the court.・Moving the above arguments to the module How to add more. 9. In the data processor according to claim 6, the access is permitted. The stages are receiving a decision from the access controller regarding the access request; forward access to the module in response to a positive determination from the access controller; allow the requested access, forwarding to the module in response to a negative decision from the access controller; A method comprising steps for denying requested access. 10. The data processor according to claim 9, wherein the access request is When negated by the access controller, the vector to the exception handler is A method that further includes a floor. 11. An access controller that controls access to modules stored in storage devices. in a data processor adapted to cooperate with the troller; an address in the storage device that requests access to the module and includes the access request; receive an instruction specifying the response, retrieves the access request from the storage device and forwards it to the access controller; provide access requests; receiving a decision from the access controller regarding the access request; access to the module in response to a positive determination of the access controller; the module in response to a negative decision of the access controller; Denying access to: A step-by-step method.