Supervisor Call instruction

A Supervisor Call instruction (SVC) is a hardware instruction in the System/360 family of IBM mainframe computers up to contemporary zSeries (as well as non-IBM mainframe computers such as the Amdahl 470/V5, 470/V6, 470/V7, 470/V8, 580, 5880, 5990M, and 5990A, and others; Univac 90/60, 90/70 and 90/80, and possibly others; and the Fujitsu M180 (UP), and M200 (MP), and others) used to cause an interrupt to request a service from the operating system. The system routine providing the service is called an SVC routine. SVC is a specific implementation of a system call.

Rationale

IBM mainframes in the System/360 and successor families operate in one of two states: problem state or supervisor state. In problem state, a large set of general purpose non-privileged instructions are available to a user program. In supervisor state, system programs are additionally able to use a small set of privileged instructions which are generally intended for supervisory functions. These functions may affect other users, other processors, or the entire computer system. A program is only allowed to access specific supervisory functions after thorough authorization checking by the operating system: DEBCHK (SVC 117), TESTAUTH (SVC 119), and possibly additional tests. Programs which fail any of these tests are ABENDed, that is abnormally terminated and immediately cease processing. Some of these tests were not available in OS/360, but were added in SVS or MVS/370, but all were available in MVS/370 or subsequent releases, and are still available to this day.

In MVS/370 and subsequent versions of the OS, the MODESET function (SVC 107) obviated the need for many user-written SVCs as this system SVC accommodated both change in mode (problem state to supervisor state) and changes in key (non-zero [ user ] to zero [ system ] ) in a single operation, and many user-written SVCs were originally intended for simple mode and key changes, anyway, and subsequently the only requirement was that the MODESET-invoking program be resident in a "link library" which was identified as an "authorized library", and this secure approach was completely under the installation's control. This link library could be the system's own link library, SYS1.LINKLIB, or a user's link library which was associated with SYS1.LINKLIB. This change generally simplified user controls over authorization, although some simple changes to the application were thereby required. In general, user installations favored this accommodation, and the overall reliability of the system was significantly improved thereby.

Although mainframe applications are naturally synchronous processes, the operating system itself is naturally asynchronous, although the system also supports many processes which are naturally synchronous. When an application requests a system service which is naturally asynchronous, such as input/output processing, a mechanism for synchronizing the application and the operating system must be employed. This essential mechanism is through functions which are built into the operating system, or are specifically supported by it, including: WAIT (temporarily halt application processing until an external event has occurred); POST (indicate occurrence of an external event so application processing may continue); and SYNCH (change system processing modes (supervisor to user), while preserving system integrity, and synchronously perform a function on behalf of the application, after which application processing may continue).

The OS/360 SVCs table below indicates the conditions under which these synchronizing facilities may be employed.

Implementation

SVC is a two byte instruction with the operation code of 0x0A; the second byte, the SVC number, indicates the specific request.[1]

SVC invokes a supervisory functionusually implemented as a "closed subroutine" of the system's SVC interrupt handler. Information passed to and from the SVC routines is passed in general purpose registers or in memory.

Under IBM-developed operating systems, return from an SVC routine is, for type 2, 3 and 4 SVC routines, via an SVC 3 (EXIT) invocation, and for other SVC types by the privileged Load PSW (LPSW) instruction, and which is executed on behalf of the SVC routine by the control program's dispatcher or SVC interrupt handler.

On non-IBM developed operating systems such as MUSIC/SP developed by McGill University in Montreal, Canada for IBM mainframes, and for non-IBM mainframes, VS/9, developed by Univac (from the TSOS operating system for the RCA Spectra 70 series computers) for Univac's Series 90 mainframe, and the B800 operating system (also developed from the TSOS operating system) for Fujitsu's mainfames, all use the LPSW instruction to exit from a Supervisor Call.

In MVS/370 and later incarnations of the OS, branch and link entry points are alternatives to SVC invocations for supervisor mode routines. In MVS/SP V1R3 and later incarnations of the OS, Program Call (PC) entries have augmented SVCs for invocations of many supervisory functions by both authorized and unauthorized programs; and some functions may only be invoked by branch or PC entries, e.g. Start Input/Output.

Different IBM operating systems have little compatibility in the specific codes used or in the supervisor services which may be invoked. VM/370 and z/VM systems use the DIAG instruction in a similar manner, and leave SVC for the use by operating systems running in virtual machines. Most OS/360 SVCs have been maintained for "legacy" programs, but some SVCs have been "extended" over the passage of time.

OS/360 SVCs

In OS/360 and successors SVC numbers 0 through approximately 127 are defined by IBM, and 255 downwards are available for use by an installation's systems programming staff. SVC routines must have module names in a specific format beginning with IGC. z/OS changed this to SVC numbers 0 through approximately 200 for IBM, and 255 downwards for the installation, as additional system services, primarily in support of encryption/decryption, were being implemented by IBM using SVCs.

By system design, the term "disabled" means disabled for all interruptions except for machine check interruptions in pre-MVS/370 systems, and with the "local lock" being held, but not "disabled" for any interruptions in MVS/370 and all later systems. The former is physical disablement, the latter is logical disablement, as the "local lock" has the same impact within the same address space as physical disablement, but it has no impact on other address spaces.

OS/360 defined four types of SVC routines, called "Type 1" through "Type 4"; MVS/370 added an additional "Type 6", which is similar to "Type 1" except that the SVC routine is physically disabled. "Type 5" was never defined nor implemented. The following information, part of a table for OS/360, augmented for MVS/370, gives an idea of the considerations involved in writing an SVC routine.

Conventions Type 1 Type 2 Type 3 Type 4
Part of resident control program Yes Yes No No
Size of routine Any Any ≤ 1024 bytes Each load module
≤ 1024 bytes
Reenterable routine Optional, but must be serially reusable Yes Yes Yes
May allow interruptions No Yes Yes Yes
Register contents at entry Registers 3, 4, 5, and 14 contain communication pointers; registers 0, 1, and 15 are parameter registers
May contain relocatable data Yes Yes No No
May pass control to what other types of SVC routines None[2] Any
May issue WAIT No Yes, using "WAIT" (SVC 1)
May issue POST Yes, but must use "POST" disabled branch entry Yes, using "POST" (SVC 2)
May schedule synchronous exits Yes, but must use "Exit Effector" disabled branch entry Yes, using "Exit Effector" (SVC 12)
May schedule abnormal termination Yes, but "Abterm" disabled branch entry is recommended Yes, using "ABEND" (SVC 13)
Table condensed from IBM System/360 Operating System System Programmer's Guide C28-6550-2[3]:p.33

The size restrictions on types 3 and 4 SVC routines are necessary because they are loaded into designated "transient areas" (PLPA in post-MVT) when invoked.

Security

OS/360 did not, in general, have any way of restricting the use of SVCs. Consequently, there were quite a number of unintentional system- and data-integrity exposures which were possible by employing certain sequences of SVCs and other instructions. It became common practice for curious users to attempt to discover these exposures, but some system programmers used these exposures rather than develop their own user-written SVCs.

Beginning with MVS/370, IBM considered it a product defect if a system design error would allow an application program to enter supervisor state without authorization. They mandated that all IBM SVCs be protected to close all system- and data-integrity exposures. They "guaranteed" to close such exposures as these were discovered. By Release 3.7 of MVS/370 in 1977 nearly every such exposure had indeed been identified and closed, at the cost of 100,000 Authorized Program Analysis Reports (APARs) and related Program temporary fixes (PTFs). This was a remarkable achievement, as system "up time" was thereafter measured in years, rather than in days or even in hours.

References

  1. IBM Corporation. IBM System/360 Principles of Operation (PDF). p. 72.
  2. May use ABEND SVC, but Abterm disabled branch entry is preferred
  3. IBM Corporation (1967). IBM System/360 Operating System System Programmer's Guide (PDF).
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.