Supervisor Call instruction

A Supervisor Call instruction (SVC) is a hardware instruction in the System/360 family of IBM mainframe computers up to contemporary zSeries (as well as non-IBM mainframe computers such as the Univac 90/60, 90/70 and 90/80, and the Fujitsu B8000 series) used to cause an interrupt to request a service from the operating system. The system routine providing the service is called an SVC routine. SVC is a specific implementation of a system call.

Rationale

IBM mainframes in the System/360 and successor families operate in either of two states: problem state or supervisor state. In problem state a set of non-privileged instructions are available to a program. In supervisor state, programs are additionally able to use privileged instructions which are generally intended for supervisory functions. These functions may affect other users or the entire computer system. A general user is only allowed to access specific supervisory functions after thorough authorization checking by the operating system (TESTAUTH, SVC 119, and other checks).

Implementation

SVC is a two byte instruction with the operation code of 0x0A; the second byte, the SVC number, indicates the specific request.[1]

SVC invokes a supervisory functionusually implemented as a "closed subroutine" of the system's SVC interrupt handler. Information passed to and from the SVC routines is passed in general purpose registers or in memory.

Under IBM-developed operating systems, return from an SVC routine is, for type 2, 3 and 4 SVC routines, via an SVC 3 (EXIT) invocation, and for other SVC types by the privileged Load PSW (LPSW) instruction which is executed on behalf of the SVC routine by the control program's dispatcher or SVC interrupt handler.

On non-IBM developed operating systems such as MUSIC/SP developed by McGill University in Montreal, Canada for IBM mainframes, and for non-IBM mainframes, VS/9, developed by Univac (from the TSOS operating system for the RCA Spectra 70 series computers) for Univac's Series 90 mainframe, and the B800 operating system (also developed from the TSOS operating system) for Fujitsu's mainfames, all use the LPSW instruction to exit from a Supervisor Call.

In MVS/370 and later incarnations of the OS, branch and Program Call (PC) entries have supplanted SVCs for invocations of many supervisory functions by so-called "authorized" programs and some functions may only be invoked by these branch and PC entries, e.g. Start Input/Output.

Different IBM operating systems have little compatibility in the specific codes used or in the supervisor services which may be invoked. VM/370 and z/VM systems use the DIAG instruction in a similar manner, and leave SVC for the use by operating systems running in virtual machines. Most OS/360 SVCs have been maintained for "legacy" programs, but some SVCs have been "extended" over the passage of time.

OS/360 SVCs

In OS/360 and successors SVC numbers 0 through approximately 127 are defined by IBM, and 255 downwards are available for use by an installation's systems programming staff. SVC routines must have module names in a specific format beginning with IGC.

OS/360 defined four types of SVC routines, called "Type 1" through "Type 4"; MVS/370 added an additional "Type 6". The following information, part of a table for an early release of OS/360, gives an idea of the considerations involved in writing an SVC routine.

Conventions Type 1 Type 2 Type 3 Type 4
Part of resident control program Yes Yes No No
Size of routine Any Any ≤1024 bytes Each load module
≤ 1024 bytes
Reenterable routine Optional but must be serially reusable Yes Yes Yes
May allow interruptions No Yes Yes Yes
Register contents at entry Registers 3, 4, 5, and 14 contain communication pointers; registers 0, 1, and 15 are parameter registers
May contain relocatable data Yes Yes No No
May issue WAIT No Yes Yes Yes
May pass control to what other types of SVC routines None Any Any Any
Table condensed from IBM System/360 Operating System System Programmer's Guide C28-6550-2[2]:p.33

The size restrictions on types 3 and 4 SVC routines are necessary because they are loaded into designated "transient areas" (PLPA in post-MVT) when invoked.

Security

OS/360 did not, in general, have any way of restricting the use of SVCs. Consequently, there were quite a number of unintentional system- and data-integrity exposures which were possible by employing certain sequences of SVCs and other instructions. It became common practice for curious users to attempt to discover these exposures, but some system programmers used these exposures rather than develop their own user-written SVCs.

Beginning with MVS IBM considered it a product defect if a system design error would allow an application program to enter supervisor state without authorization. They mandated that all IBM SVCs be protected to close all system- and data-integrity exposures. They "guaranteed" to close such exposures as these were discovered. By Release 3.7 of MVS/370 in 1977 nearly every such exposure had indeed been identified and closed, at the cost of 100,000 Authorized Program Analysis Reports (APARs) and related Program temporary fixes (PTFs). This was a remarkable achievement, as system "up time" was thereafter measured in years, rather than in days or even in hours.

References

  1. IBM Corporation. IBM System/360 Principles of Operation. p. 72.
  2. IBM Corporation (1967). IBM System/360 Operating System System Programmer's Guide.