A computer processor includes an instruction processing pipeline that interfaces to a hierarchical memory system employing an address space. The instruction processing pipeline includes execution logic that executes at least one thread in different protection domains over time, wherein the different protection domains are defined by region descriptors each including first data specifying a memory region of the address space employed by the hierarchical memory system and second data specifying permissions for accessing the associated memory region. The address space can be a virtual address space or a physical address space. The protection domains can be associated with different turfs each representing a collection of region descriptors. A given thread can execute in a particular turf, one turf at a time. The particular turf can be selectively configured to change over time.

Systems, methods, and software can be used to manage resource access. In some aspect, a user interface is outputted on an electronic device. The user interface includes information for resource access and a user interface object for controlling a resource access permission. A user input associated with the user interface object is received. In response to receiving the user input, the resource access permission is changed.

In one example, a request to migrate an application running on a first compute node to a second compute node with a change in a version of the application may be received. Migration information may be provided to a cloud-based Migration as a Service provider based on the request. An application migration component may be received from the cloud-based Migration as a Service provider based on the migration information. Further, the application migration component may be executed to migrate the application from the first compute node to the second compute node with the change in the version of the application.

Managing an application zone is provided. A request is received from a program on a client device to enter a zone of an application that provides a service. In response to determining that the zone does not currently exist in the application, the zone is generated in the application based on defined parameters of the zone. An enter notification is sent to the program on the client device indicating that the zone is ready for the program to enter to receive the service.

Global register protection in a multi-threaded processor is described. In an embodiment, global resources within a multi-threaded processor are protected by performing checks, before allowing a thread to write to a global resource, to determine whether the thread has write access to the particular global resource. The check involves accessing one or more local control registers or a global control field within the multi-threaded processor and in an example, a local register associated with each other thread in the multi-threaded processor is accessed and checked to see whether it contains an identifier for the particular global resource. Only if none of the accessed local resources contain such an identifier, is the instruction issued and the thread allowed to write to the global resource. Otherwise, the instruction is blocked and an exception may be raised to alert the program that issued the instruction that the write failed.

A method and apparatus for account intercommunication among APPs. The method comprises: acquiring account information entered by a user in a current APP; and, after using the account information to log in successfully, providing the account information to other APPs having intercommunication permissions with the current APP for the other APPs to log in. Via the disclosed method, account information entered in any APP may be shared among APPs having intercommunication permissions with the APP, so that other APPs may be logged into using an intercommunicated account after they are opened, without the need to manage account information about various APPs through a unified entrance, and thus the APP need not access the entrance in advance, and login can be realized without the need to exit the APP to open the entrance; obviously, the flexibility and independence of APP login are improved, and the complexity of operation is reduced.

Methods and apparatus for ultra-secure accelerators. New ISA enqueue (ENQ) instructions with a wrapping key (WK) are provided to facilitate secure access to on-chip and off-chip accelerators in computer platforms and systems. The ISA ENQ with WK instructions include a dest operand having an address of an accelerator portal and a scr operand having the address of a request descriptor in system memory defining a job to be performed by an accelerator and including a wrapped key. Execution of the instruction writes a record including the src and a WK to the portal, and the record is enqueued in an accelerator queue if a slot is available. The accelerator reads the enqueued request descriptor and uses the WK to unwrap the wrapped key, which is then used to decrypt encrypted data read from one or more buffers in memory. The accelerator then performs one or more functions on the decrypted data as defined by the job and writes the output of the processing back to memory with optional encryption.

NUMA-aware reader-writer locks may leverage lock cohorting techniques that introduce a synthetic level into the lock hierarchy (e.g., one whose nodes do not correspond to the system topology). The synthetic level may include a global reader lock and a global writer lock. A writer thread may acquire a node-level writer lock, then the global writer lock, and then the top-level lock, after which it may access a critical section protected by the lock. The writer may release the lock (if an upper bound on consecutive writers has been met), or may pass the lock to another writer (on the same node or a different node, according to a fairness policy). A reader may acquire the global reader lock (whether or not node-level reader locks are present), and then the top-level lock. However, readers may only hold these locks long enough to increment reader counts associated with them.

A multi-user computing device, such a communal computing device like an interactive digital whiteboard, can execute single user aware (“SUA”) applications and multi-user aware (“MUA”) applications. Instances of SUA applications execute in the context of a single user. MUA applications can execute in the contexts of multiple authenticated users simultaneously. A multi-user aware OS platform authenticates and de-authenticates users of the multi-user computing device. The multi-user aware OS platform provides notifications to MUA applications when users are authenticated and de-authenticated. When a new user is authenticated, MUA applications begin executing in the context of the newly authenticated user and any other previously authenticated users. When users are de-authenticated, MUA applications stop executing in the context of the de-authenticated user but continue executing in the context of the remaining authenticated users of the multi-user computing device. Data associated with the de-authenticated user is removed from the multi-user computing device.

Mechanisms are provided to allow devices to support multiple modes, such as work, personal, and family modes. Conventional mobile solutions provide only for mode distinctions at the application level, e.g. one work application may prevent access to certain data, but a different application may want to allow access to that same data. Existing computer system solutions rely on multiple operating system instances or multiple virtual machines. Framework level modes are provided that do not require different, mutually exclusive, or possibly conflicting applications or platforms. A device and associated applications may have access to different data and capabilities based on a current mode.