A major feature of the POSEVEN specification is the trampoline zone at the start of the code area.
One aspect of it is the protocol that preserves both speed and security: hardware protection makes accidental access impossible, but the module itself must participate with its own filtering code.
The trampoline spans the lowest 64Ki-instruction page of the code area. Granularity would be 4 or 8 instructions so only 8Ki to 16Ki entry points (maximum) are possible.
The trampoline zone is accessed directly from a different module by a special JUMP instruction called IPC, which expects to point to an IPE instruction. This ensures that random jumps, or even scanning (spraying), do not work.
Returning to the calling module goes through the IPR instruction, which must re-execute the calling IPC instruction to ensure the stack's integrity and restore some registers, so IPC is a two-mode instruction.
IPE must be located at the first instruction of a cache line (otherwise: trap), for safety and speed. The rest of the cache line (and the following line(s)) may filter the parameters and trap or return immediately in case of error; otherwise the code jumps to the actual code, outside of the (somewhat small) zone.
IPR can be executed anywhere.
-----------------------------------
Since IPE can only exist at certain addresses, the OS loader (which configures the program) can simply scan the first 64K instructions of a program, looking for the IPE opcode, and re-create a table of valid entry points. This makes it easy to create new versions of a module that preserve the high-level entry points but implement them differently (as long as the entry points remain in the same order).
The calling programs are distributed with binaries that IPC to an entry point number, and the loader must "relocate" it, i.e. translate that number to the actual address of the IPE instruction. This lookup at load time removes expensive/slow runtime lookups.
So this whole system ensures that a dynamic library, the kernel, an application, a device driver... all use one and the same file format and structures: there is no special case to manage in the processor.
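The loader scan, the load-time relocation and the IPC landing check described above, as an added example: a small Python model written for this page, not POSEVEN's own code or tooling. The opcode numbers, the 8-instruction cache line, the (opcode, operand) encoding and the two module images are constructed assumptions; the rules it enforces are the ones stated here (IPE only at the first instruction of a cache line, entry points numbered in address order from a scan of the first 64Ki instructions, IPC operands translated once at load time, and IPC trapping unless it lands on an IPE). The second image re-implements the same module with a different layout to show that the entry numbers survive as long as the IPEs keep their order.

```python
from enum import IntEnum

TRAMPOLINE_INSNS = 64 * 1024   # the zone spans the lowest 64Ki-instruction page
LINE_INSNS = 8                 # instructions per cache line (assumed; the log allows 4 or 8)


class Op(IntEnum):
    """Assumed opcode numbering for the toy ISA."""
    NOP = 0
    IPE = 1    # entry: legal only as the first instruction of a cache line
    IPC = 2    # call: operand is an entry number before relocation, an address after
    IPR = 3    # return
    JMP = 4    # jump out of the zone to the real implementation


class Trap(Exception):
    """Raised where the hardware (or the loader) would trap."""


def build_callee(entry_lines):
    """Constructed module image: one IPE at the start of each cache line listed,
    followed by a JMP to the real code past the zone; everything else is NOP.
    Only a handful of lines is modelled, not the full 64Ki instructions."""
    code = [(Op.NOP, 0)] * ((max(entry_lines) + 1) * LINE_INSNS)
    for line in entry_lines:
        addr = line * LINE_INSNS
        code[addr] = (Op.IPE, 0)
        code[addr + 1] = (Op.JMP, TRAMPOLINE_INSNS + line)   # assumed target outside the zone
    return code


def scan_entry_points(code):
    """Loader pass: find every IPE in the first 64Ki instructions and number
    them in address order.  A new version of the module keeps its numbering
    as long as the IPEs stay in the same order.  A misplaced IPE is rejected
    here rather than left to trap at run time."""
    table = {}
    for addr in range(min(len(code), TRAMPOLINE_INSNS)):
        if code[addr][0] == Op.IPE:
            if addr % LINE_INSNS:
                raise Trap(f"IPE at {addr:#x} is not the first instruction of a cache line")
            table[len(table)] = addr
    return table


def relocate(caller_code, callee_table):
    """Loader pass over the calling program: rewrite each IPC's entry number
    into the callee's actual IPE address, so there is no lookup at run time."""
    relocated = []
    for op, arg in caller_code:
        if op == Op.IPC:
            if arg not in callee_table:
                raise Trap(f"unresolved entry point number {arg}")
            arg = callee_table[arg]
        relocated.append((op, arg))
    return relocated


def ipc(callee_code, target):
    """The check IPC performs on its destination: it must be inside the zone,
    at the first instruction of a cache line, and that instruction must be an
    IPE.  Anything else traps, which is why a random or sprayed jump into the
    zone finds nothing usable."""
    if not (0 <= target < min(len(callee_code), TRAMPOLINE_INSNS)) or target % LINE_INSNS:
        raise Trap(f"IPC target {target:#x} is not the start of a trampoline line")
    if callee_code[target][0] != Op.IPE:
        raise Trap(f"IPC target {target:#x} is not an IPE")
    return target


def traps(fn, *args):
    """True if calling fn(*args) ends in a Trap (used to exercise the checks)."""
    try:
        fn(*args)
    except Trap:
        return True
    return False


# Constructed images: v2 re-implements the same three entries at different lines.
CALLEE_V1 = build_callee([0, 2, 3])
CALLEE_V2 = build_callee([0, 1, 4])
CALLER = [(Op.IPC, 1), (Op.IPC, 2), (Op.IPR, 0)]   # calls entries 1 and 2, then returns

if __name__ == "__main__":
    for name, image in (("v1", CALLEE_V1), ("v2", CALLEE_V2)):
        table = scan_entry_points(image)
        print(name, "entry table:", table)
        print(name, "relocated caller:", relocate(CALLER, table))
    print("IPC to a NOP line traps:", traps(ipc, CALLEE_V1, 8))
    print("IPC mid-line traps:", traps(ipc, CALLEE_V1, 17))
```

Note that the loader rejects a misaligned IPE at load time, before any caller can reach it; the hardware check in `ipc` is the second line of defence and is the one that turns a sprayed jump into a trap instead of an entry.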
The trampoline also defines the granularity of the pages for code: 64K instructions per page. This first page is always (or preferably) resident, in order to keep the system fast. And with 64Ki instructions per page, a module has a low maximum number of pages, depending on the number of bits of the Program Counter:
- 20 bits : 16 pages
- 22 bits : 64 pages
- 24 bits : 256 pages
This lets the iTLB hold more simultaneous modules in cache.
----------------------------
Now, what can the trampoline be compared to?
- For Unix, that would be _start and all the signal()s. Signals are asynchronous, and so is POSEVEN, so there is an expectation of concurrency. Except that absolutely arbitrary signals can be sent to a module, in any quantity, at any rate, with any parameter...
- The trampoline is also inspired by the interrupt/trap structure of certain DSP/CPUs, so an IRQ can directly trigger a given codepath in a given module.
- For an object-oriented programming language, the trampoline corresponds to the declaration of all public functions.
- For Pascal, the trampoline is more or less the declarative part of a "unit". In fact, in POSEVEN, every module is a "unit", and the init system (ID0) calls all the other units.
So the trampoline makes all the entry points safely accessible, allowing filtering of the requests. It makes the OOP paradigm more visible at the OS/System level. It maps directly to many common programming paradigms.
------------------------------
Remember:
By default, any module may call any other module at any entry point. Spraying is not impossible and there is always the risk that "rogue discovery" takes place.
Each module is responsible for filtering its callers: IPE provides the caller's ID, and it must be compared (along with its capabilities) against the list of safe callers. Some HW features must help expedite this frequent check.
- The callee may trap and/or signal the OS of a rogue call.
- Or, if it provides a system-wide feature, there is no filtering.
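The filtering prologue that sits in the cache line(s) behind an IPE, as an added example (Python written for this page, not POSEVEN code): the caller ID handed over by IPE and the caller's capabilities are compared against the entry's safe callers, a rogue call is trapped and recorded for the OS, and a system-wide entry skips the check entirely. The policy shape, the capability names, the module IDs and the three entries are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EntryPolicy:
    """What the filtering code behind one IPE checks (constructed policy shape)."""
    name: str
    system_wide: bool = False                 # system-wide feature: no filtering at all
    safe_callers: frozenset = frozenset()     # module IDs that may call this entry
    required_caps: frozenset = frozenset()    # capabilities the caller must also hold


@dataclass
class Module:
    policies: dict                                    # entry number -> EntryPolicy
    rogue_calls: list = field(default_factory=list)   # what gets signalled to the OS

    def enter(self, entry, caller_id, caller_caps):
        """Prologue in the line(s) after IPE: IPE hands over the caller's ID;
        compare it (and the caller's capabilities) against the safe callers and
        either fall through to the real code ("run") or trap and record the
        rogue call for the OS ("trap")."""
        policy = self.policies[entry]
        if policy.system_wide:
            return "run"
        if caller_id in policy.safe_callers and policy.required_caps <= frozenset(caller_caps):
            return "run"
        self.rogue_calls.append((policy.name, caller_id))
        return "trap"


def demo_module():
    """Constructed driver-like module with three entries of different openness."""
    return Module({
        0: EntryPolicy("version", system_wide=True),
        1: EntryPolicy("read_block", safe_callers=frozenset({7, 12}),
                       required_caps=frozenset({"storage.read"})),
        2: EntryPolicy("format", safe_callers=frozenset({7}),
                       required_caps=frozenset({"storage.admin"})),
    })


def report_for_os(module):
    """Aggregate the recorded rogue calls per caller ID: the shape of the signal
    the callee would hand to the OS so that repeated probing is visible."""
    counts = {}
    for _, caller_id in module.rogue_calls:
        counts[caller_id] = counts.get(caller_id, 0) + 1
    return counts


if __name__ == "__main__":
    m = demo_module()
    print("anyone may ask the version:", m.enter(0, 99, set()))
    print("module 7 reads a block:", m.enter(1, 7, {"storage.read"}))
    print("module 12 without the capability:", m.enter(1, 12, set()))
    print("module 12 is not a safe caller for format:", m.enter(2, 12, {"storage.admin"}))
    print("report to OS:", report_for_os(m))
```

The check is two set operations and a dictionary lookup, which is the part the log says hardware should help expedite; everything after "run" is the module's ordinary code outside the zone.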
--------------------------
Note: since the trampoline starts at address #0, ASLR is not possible. But POSEVEN makes it useless anyway, for many reasons (split address spaces, blackbox instruction space, impossibility to jump to arbitrary addresses...).
Yann Guidon / YGDES