JP2002373084A - Method for both exchanging states and detecting failure of duplex system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method by which one of two computer systems detects a failure of the other computer system by reflecting change of various states stored in a local memory of the one system on a local memory of the other system by using a shared memory and also utilizing its state reflection mechanism in the two computer systems having a storage device of both the local memory and the shared memory. SOLUTION: The shared memory is provided with a ring buffer, and the one system writes information representing change contents to the ring buffer each time the one system changes various states of its local memory. The other system reads the information from the ring buffer and applies state change to the local memory. The one system also detects a failure of the other system or a shared memory mechanism by periodically monitoring the value of a pointer rewritten in accordance with operation to the ring buffer by the other system.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to two computer systems having both a local storage area that can be referred to by only one system and a shared storage area that can be referred to by both systems. Various states in the storage area,
By sequentially transferring to the other system via the shared storage area according to the state change, the various states held in the local storage areas of both systems are synchronized, and a mechanism for transferring the state is used. The present invention relates to a technique for one system to detect a failure in the other system.

[0002]

2. Description of the Related Art With the widespread use of computers and networks, applications in which a large number of users connect to server computers from their own computers via a network and receive services provided therefrom are expanding. In such a service, the server computer and the network require high reliability according to the number of users who receive the service and the contents of the service. Therefore, the server computer and the computer installed in the network and performing data transfer. One of the issues is how to improve the reliability of routers and exchanges.

One of the techniques for improving the reliability of these computers is to duplicate the computers. In this method, two computers having the same function
A system computer (operating system and standby system) is provided, the operating system performs processing originally imposed on the entire computer, and the standby system stands by in preparation for stopping the operating system. When a failure occurs in the active system, the active system becomes a standby system, and the system that has been operating as the standby system becomes a new active system and continues to operate, thereby stopping the entire computer. To avoid. In this way, switching the active system and the standby system in a duplicated computer is called system switching.

[0004] When the reliability of a computer is improved by using duplication, how to shorten the service stop time that occurs during system switchover and how to provide services provided before the system switchover after system switchover are performed. The question is whether to continue. To solve these problems, the standby system must quickly detect the occurrence of a failure in the active system, and the new operating system must faithfully reproduce the various states held by the old operating system immediately before system switching. It is necessary to satisfy three conditions that the time from the start of switching to the reproduction of various states in the new operating system as in the old operating system is sufficiently short.

[0005] Faults that must be detected under the first condition can be roughly classified into two types: hardware faults and software faults. The detection of hardware failure is generally realized by providing hardware for failure detection, but this is not discussed in the present invention. To detect a software failure, it is common to employ a method in which the active software periodically performs processing such as communication, and the result of the processing is monitored by the standby system.

Conventional methods satisfying the second and third conditions include a method of sharing a state between the two systems using a shared memory, and a method of causing the active system and the standby system to perform exactly the same operation.
One is. In the former method of the shared memory, the active system puts all states that must be delivered to the new operating system at the time of system switching on the shared memory, and after the system switching, the new operating system continues operation using the state as it is. In the latter same operation method, both systems receive various data received from outside by the entire computer in exactly the same way, both systems process the data exactly in the same way, and the data of the processing result is exactly the same. Both systems transmit (however, the only data transmitted outside the computer is the one transmitted by the active system)
This makes the state of both systems the same.

[0007]

In the conventional method of shared memory, all states shared by both systems must be stored in the shared memory. Therefore, if the memory capacity required for storing the state is large, a large enough memory is needed. It must have a shared capacity memory, which increases the hardware manufacturing cost. Also, after the system switchover, the new active system takes over the state of the old active system by using the data structure used by the old active system as it was until immediately before the failure occurs. If the data structure is abnormal, the new operating system may stop for the same reason or may not be able to take over part of the state.

On the other hand, in the same operation method, since both systems perform exactly the same operation, if the cause of the failure is a bug in hardware or software, a failure occurs in both systems at the same time, resulting in a redundant system. May not make sense.

Conventionally, since the status synchronization function and the software failure detection function of both systems are implemented as completely separate modules, it takes time and effort to implement, and an extra load is imposed on the operation system for failure detection. There was a problem.

According to the present invention, the statuses of the two systems are synchronized by using a small amount of shared memory, the two systems do not directly share the status data, and one of the two systems uses the state synchronization mechanism to allow the other system to perform the status synchronization. This is for detecting a software failure in the system.

[0011]

According to the present invention, the active system and the standby system each have, in addition to the shared memory, a local memory that can be accessed only by one of the systems, and store the state data used in each system in the local memory. Shall be stored.
Then, the OS (Operatin) operating in the operation system
g System) or the application sequentially transfers state change information indicating what kind of change has been made to the standby system via the shared memory each time the state recorded in the local memory of the active system is changed. . The standby system changes the state recorded in the local memory of the standby system based on the received state change information. In the present invention, the operating system OS or application transmits the status change information to the standby system OS.
The procedure for delivering to the S and the application is unified, but the data format and interpretation of the status change information itself are not defined, and each OS / application defines it independently. As a result, it is possible to efficiently use the limited capacity of the shared memory and to transmit the state change information in a data format suitable for the characteristics of the OS and the application.

A ring buffer is provided in the shared memory, and is used for transferring state change information between systems. The ring buffer includes a buffer memory area for holding data stored in the buffer, a head pointer indicating a head position of a range where data is actually recorded in the buffer memory area, and a tail pointer indicating a tail position. Operating OS
When writing the status change information generated by the application or the application to the shared memory, the status change information includes
Create data to which an application ID representing an application is added, and write it to the buffer memory area of the ring buffer from the position indicated by the end pointer. Then, the value of the tail pointer is shifted by the length of the data. When the standby system reads the status change information from the shared memory,
The buffer memory area of the ring buffer is read in order from the position indicated by the head pointer, and the state change information included in the data is indicated by the application ID indicated by the application ID included in the data.
S ・ Deliver to application. Then, the value of the leading pointer is shifted by the length of the read data.

As can be seen from the above-described mechanism of the ring buffer, the value of the end pointer changes when the active system writes the state change information, and the value of the start pointer changes when the standby system reads the state change information. In the present invention, a software failure of another system is detected using this feature. That is, the standby system periodically monitors the tail pointer of the ring buffer, and if the value does not change for a certain period of time, determines that a failure has occurred in the active system (or the shared memory mechanism).
However, in order for this failure detection method to work properly,
Even when there is no state change information to be transmitted to the standby system, the active system periodically writes state change information indicating that there is no state change (hereinafter, this is referred to as NOP information) to the ring buffer. If the read state change information is NOP information, the standby system discards the information without passing it to any OS / application. Furthermore, if the standby system reads the state change information (including the NOP information) from the ring buffer within a certain period, the active system can detect the failure of the standby system by monitoring the head pointer.

[0014]

DESCRIPTION OF THE PREFERRED EMBODIMENTS The present invention will be described below with reference to the drawings.

FIG. 1 shows a system configuration of a duplicated computer.

The present system includes:
Two systems of computers 110-A and 110- having the same function
B, and these two computers are connected by a shared memory synchronization mechanism 120. In the present embodiment, both systems have a storage device that is an entity of the shared memory separately, these storage devices are connected by the shared memory synchronization mechanism 120, and the data written to one storage device is shared memory synchronization. Mechanism 1
Assume that the shared memory 20 is realized by automatically copying the data to the other storage device. However, the present invention can be implemented with a shared memory that does not rely on this method.

In this embodiment, two systems of computers 110-
A and 110-B are connected by an inter-system communication line 130 in addition to the shared memory synchronization mechanism 120. When one system detects that a failure has occurred in the other system or the shared memory synchronization mechanism using the shared memory, the inter-system communication line 130 is activated by either failure of the other system or the shared memory synchronization mechanism. Used only to determine if there is.
The present invention can also be implemented by making this determination by other means.

In this embodiment, two computers 110-
A, 110-B are control terminal connection lines 140-A, 14
0-B is connected to the control terminal 150, and the administrator of the entire computer 100 uses this control terminal 150 to operate the entire computer 100 and each unit therein. However, the present invention can be implemented even when the administrator operates the computer using other means, or when there is no means for the administrator to operate the computer.

FIG. 2 shows a hardware configuration of the computer 110 of each system.

CPU (Central Process)
(ing Unit) 200 is a processor for executing a program stored in the local memory 210. The local memory 210 includes an OS 213 for controlling the entire apparatus, and state update information exchange software 21 for exchanging state update information and detecting a failure with another system.
5. Stores a group of applications 217 that need to be operated in order to provide the entire computer with the intended service. The data written to the shared memory 220 is automatically written to the shared memory of the other system by the shared memory synchronization mechanism 120, whereby exactly the same data is stored in the shared memory 220 of both systems. In this shared memory 220, a ring buffer for exchanging state update information is provided. Inter-system communication controller 23
0 controls transmission / reception performed by the computers 110 of the respective systems using the inter-system communication line 130. The control terminal communication controller 240 connects the computer 110 of each system to the control terminal connection line 14.
0 is used to control transmission and reception. The auxiliary storage device controller 250 controls input and output to and from the auxiliary storage device 255. FIG. 3 illustrates local memory 210 and shared memory 220.
Shows the structure of programs and data placed in the.

In the local memory 210, the OS 213,
Software such as status update information exchange software 215 and application group 217 is stored. Here, each of the applications included in the OS 213 and the application group 217 includes programs 330 and 370 representing a software processing procedure, and state data 335 and 375 representing an internal state of the software which changes according to the processing of the program. Think as something. The OS program 330 includes a timer control unit 331 that calls a periodic process in the status update information exchange software 215, an inter-system communication control unit 332 that directly operates the inter-system communication controller 230 to perform transmission and reception with another system, and the like. A partial program such as a failure recovery processing unit 333 that performs appropriate processing such as system switching when a failure of the system or the shared memory synchronization mechanism 120 is found is included. OS 213,
Regarding any of the application groups 217, the same software is operated in the active system and the standby system. However,
OS 213 and application group 2 operating in the active system
Reference numeral 17 denotes a process necessary for causing the entire computer to perform the intended service and a process for transferring the status update information to the status update information exchange software 215, while the OS 213 and the application group 217 operating in the standby system.
Performs only the process of receiving the status update information from the status update information exchange software 215 and reflecting it on its own status data, and the minimum necessary process for operating as a standby system.

The status update information exchange software 215 includes:
A ring buffer control unit 351, an update information processing unit 352,
It is composed of three pieces of software of the other system fault monitoring unit 353.

The ring buffer controller 351 is a component of the ring buffer 320 that performs writing (performed only by the active system) and reading (performed only by the standby system) on the ring buffer 320 provided in the shared memory 220. Buffer memory area 325, start pointer 32
6. This is performed by directly operating the end pointer 327. The ring buffer control unit 351 determines whether the value of the head pointer 326 or the end pointer 327 has been changed in another system by using the pointer previous value 356.
And a pointer change flag 357 in the local memory.

The update information processing unit 352 establishes a software connection for transmitting and receiving state update information to and from the OS 213 and each application included in the application group 217. The update information processing unit 352 receives the application ID from the OS or the application when the connection is established, and creates a correspondence table 355 between the application ID and the connection on the local memory. Then, the update information processing unit 352 operating in the active system adds the application ID corresponding to the connection to the status update information received from the OS or the application through the connection, and transfers the data to the ring buffer control unit 35.
1 to write to the ring buffer 320. The update information processing unit 352 operating in the standby system uses the ring buffer
, And periodically reads the application ID and the status update information, and delivers the status update information to an appropriate OS or application through a connection corresponding to the application ID. In addition, the update information processing unit 352 operating in the active system periodically
It instructs the ring buffer control unit 351 to write information. When the read status update information is NOP information, the update information processing unit 352 operating in the standby system
Discard the information.

The other system fault monitoring unit 353 stores the first pointer 326 (in the case of the active system) or the last pointer 327 (in the case of the standby system) on the shared memory, the previous pointer value 356 and the pointer change flag 357 on the local memory. Use
It periodically monitors whether a failure has occurred in the other system or the shared memory synchronization mechanism 120. When this monitoring shows that a failure has occurred in the other system or the shared memory synchronization mechanism 120, the other system failure monitoring unit 353 uses the inter-system communication to determine which of the other system and the shared memory synchronization mechanism 120 has a failure. Is checked, and the result is notified to the failure recovery processing unit 333 of the OS 213.

FIG. 4 shows triad data 40 composed of an application ID, status update information, and data length used for reading / writing from / to a ring buffer 320 in the shared memory 220.
0 indicates the format.

The length field 410 contains the sum of the lengths of all of the length field 410, the application ID field 420, and the status update information field 430. If this value is the same as the length of the length field 410, that is, if the application ID field 420 and the status update information field 430 do not exist, the triple data is NO
Handled as P information. In the application ID field 420, O of the delivery source and delivery destination of the status update information 430 are set.
S. An application ID representing the application is entered. In the status update information field 430, the status update information passed from the OS / application is directly entered.

FIG. 5 shows a ring buffer 3 used in this embodiment.
20 shows the data structure of the twentieth data. The shared memory 220
It is assumed that the storage area is a continuous storage area in which an address number is sequentially assigned to each word from the head (a word closer to the head has a smaller address number). Ring buffer 320
Buffer memory area 325 is secured in the shared memory by a certain size. Hereinafter, the address number of the first word of the buffer memory area 325 is represented by SA, and the address number of the word located next to the last word is represented by EA. The head pointer 326 stores, as its value, the address number of the word located at the head of the area where data is actually recorded in the buffer memory area, and the end pointer 327 stores the address number of the word in the buffer memory area. Then, the address number of the word located next to the end of the area where the data is actually recorded (that is, the write start word when writing data to the buffer memory area next time) is stored as the value. Hereinafter, the value of the start pointer 326 is represented as HP, and the value of the end pointer 327 is represented as TP. Both HP and TP can take values from SA to EA-1. If HP <TP, the word TP from the word located at address HP in the buffer memory area
Data is recorded in order up to the word located at -1. If HP> TP, data is sequentially recorded from the word located at address HP to the word located at EA-1 in the buffer memory area, and from the word located at SA to the word located at TP-1. ing. When the buffer is full, HP = SA and TP = EA-1,
Or, HP = TP + 1. If the buffer is empty,
HP = TP. The initial values of HP and TP are both SA
It is.

The present invention can be implemented even if the ring buffer 320 does not have the structure described above, as long as the value of the end pointer is changed at the time of writing and the value of the start pointer is changed at the time of reading. It is.

FIG. 6 shows the ring buffer controller 3 of the active system.
A ring buffer write processing 600 performed by the CPU 51 when writing the triple data 400 to the ring buffer 320;
The flow of is shown.

The ring buffer write processing 600 receives the triplet data 400 to be written as an argument from the caller and returns a buffer overflow at the time of writing (free space in the buffer memory area 325 for writing argument data). This is implemented as a function-type procedure that returns to the caller a value indicating whether or not an error indicating that the area is insufficient is generated. The ring buffer write processing 600 is called only in the active system. Hereinafter, the value of the length field 410 included in the triple data 400 of the argument is referred to as DS.

The called ring buffer write processing 600 firstly starts with the start pointer 3 in the shared memory.
The value of 26 is read (step 605). Hereinafter, the read value is treated as HP. Subsequently, the HP is compared with the previous value 356 of the pointer (step 610). If the values are different, the value of the pointer change flag 357 is changed to 1 (step 615).

Next, the end pointer 3 on the shared memory
It is checked whether the sum of the value TP of 27 and DS is smaller than EA (step 620). As a result, TP + DS
Is smaller than EA, the process from step 645 to step 655, which is the process of writing the data of the argument continuously from the word pointed to by the TP in the buffer memory area 325 to the DS word, is performed. If TP + DS is equal to or larger than EA, argument data is written from the word pointed to by TP in the buffer memory area 325 to the end of the buffer memory area 325, and the remaining data is written to the buffer memory area 325.
The processing from step 625 to step 640, which is the processing of writing from the beginning, is performed.

If TP + DS ≧ EA at step 620, first, it is checked whether SA + DS− (EA−TP) <HP ≦ TP to determine whether buffer overflow occurs as a result of writing the argument data. A check is performed (step 625). If this inequality is not satisfied, a return value indicating a buffer overflow is returned to the caller, and the ring buffer write processing 6
End 00. If this inequality is satisfied, only the first EA-TP word of the argument data is written after the word pointed to by the TP in the buffer memory area 325 (step 630), and the remaining DS- (EA-T) of the argument data is written.
P) Write a word from the beginning of the buffer memory area 325 (step 635), and set the value of the end pointer 327 to S
Change to A + DS- (EA-TP) (step 64)
0), a return value indicating that the writing has been normally completed is returned to the caller, and the ring buffer writing process 600 ends.

If TP + DS <EA in step 620, first, it is checked whether or not TP <HP ≦ TP + DS is satisfied, thereby checking whether or not buffer data overflow does not occur as a result of writing argument data (step). 645). If this inequality is satisfied,
The return value indicating the buffer overflow is returned to the caller, and the ring buffer write processing 600 ends. If this inequality is not satisfied, all the argument data is written to the word after the word pointed to by TP in the buffer memory area 325 (step 650), and the value of the tail pointer 327 is written to TP +
DS (step 655), returns a return value indicating that the writing has been completed normally to the caller, and ends the ring buffer writing process 600.

FIG. 7 shows the ring buffer controller 3 of the standby system.
A ring buffer read process 70 performed by the device 51 when reading the triple data 400 from the ring buffer 320
0 is shown.

The ring buffer read processing 700 does not require an argument, but is implemented as a function-type procedure that returns the triple data 400 read as a return value to the caller. However, a special value indicating that the ring buffer is empty may be returned to the caller as a return value. The ring buffer read processing 700
Is called only in the standby system. The called ring buffer read processing 700 first reads the value of the tail pointer 327 on the shared memory (step 70).
5). Hereinafter, the read value is treated as TP. Subsequently, the TP is compared with the previous value 356 of the pointer (step 710).
Is changed to 1 (step 715).

Next, the start pointer 3 in the shared memory
It is checked whether the value HP of 26 is equal to TP (step 720). As a result, if the HP and the TP are equal, a return value indicating that the ring buffer is empty is returned to the caller, and the ring buffer read processing 700 ends. If HP and TP are not equal, the word to length field 410 in the buffer memory area 325 points to the HP.
Is read out and the value is treated as DS (step 725).

Subsequently, it is checked whether HP + DS is smaller than EA (step 730). If HP + DS ≧ EA, read the EA-HP word after the word indicated by the HP in the buffer memory area 325 (step 73).
5), the remaining DS-from the beginning of the buffer memory area 325
Read (EA-HP) word (step 740),
Set the value of the start pointer 326 to SA + DS- (EA-HP)
(Step 745), and the data read in step 735 and the data read in step 740 are sequentially returned to the caller as a return value, and the ring buffer read processing 700 ends. Step 7
If HP + DS <EA at 30, a DS word is read after the word pointed to by HP in the buffer memory area 325 (step 750), and the value of the head pointer 326 is set to HP.
+ DS (step 755), returns the data read in step 750 as a return value to the caller, and ends the ring buffer read processing 700.

FIG. 8 shows that when the active update information processing unit 352 receives state update information from the OS 213 or the application group 217, the application ID is included in the state update information.
And the triple data 400 to which the data length is added is written to the ring buffer 320. 9 shows a flow of a status update information writing process 800.

The update information processing unit 352, which has received the status update information from the OS or the application, determines the application ID from the connection that has received the status update information using the correspondence table 355 between the application ID and the connection. The triple data 400 is constructed based on the status update information and its length (step 805). Then, by calling the ring buffer write processing 600 using the triple data as an argument, the triple data including the state update information is written to the ring buffer (step 810). next,
It is determined whether a buffer overflow has occurred based on the return value of the ring buffer write processing 600 called in step 810 (step 815). as a result,
If it is determined that a buffer overflow has occurred, an appropriate overflow process is performed (step 82).
0), the state update information writing processing 800 ends. If no buffer overflow occurs, NOP
NO for periodically executing the information writing process 900
The P information writing timer is returned to the initial value of the timer (step 825), and the state update information writing processing 800
To end.

Since the specific contents of the overflow process in step 820 differ depending on the operation expected of the active system, the details will not be described in the present embodiment. Here is an example of the method. The first method is to wait in the state update information exchange software 215 until writing to the ring buffer 320 is possible, and do not return to the original OS or application until the writing is completed. According to this method, the status synchronization between the two systems can be reliably performed, but there is a risk that the processing that should be performed by the active system is stopped. The second method is to notify the original OS or application that writing to the ring buffer 320 has failed, and to perform processing that can be performed without notifying the standby system of the status update. With this method, the status of both systems can be reliably synchronized, and the possibility that the processing that should be performed by the active system should be stopped is reduced. However, this does not completely prevent the processing from being stopped. Becomes complicated. Third, state update information for which writing to the ring buffer 320 has failed is temporarily saved to the local memory 210, processing is returned to the original OS or application, and state update information exchange is performed to determine whether the ring buffer 320 is free. This is a method in which the software 215 periodically monitors, and writes the saved status update information to the ring buffer 320 when a space is available.
In this method, while there is no possibility that the processing that should be performed by the active system is stopped, when a failure occurs in the active system, the status update information saved in the local memory 210 disappears without being reflected in the standby system. there's a possibility that. Since each of the above three methods has advantages and disadvantages, it is desirable to secure a relatively large capacity of the buffer memory area 325 of the ring buffer 320 so that buffer overflow does not occur as much as possible. .

FIG. 9 shows that the active update information processing unit 352 writes NOP information to the ring buffer 320. NOP
9 shows a flow of an information writing process 900.

The NOP information writing process 900 is executed by the NOP
It is periodically executed by the information writing timer.

The update information processing unit 352 called when the NOP information writing timer expires calls the ring buffer writing process 600 with the NOP information as an argument, and writes the NOP information into the ring buffer (step 905). Then, it is determined whether a buffer overflow has occurred based on the return value of the ring buffer write processing 600 called in step 905 (step 910). If no buffer overflow has occurred, the NOP information writing timer is set to the timer. (Step 915), and the NOP information writing process 900 ends.

On the other hand, if it is determined in step 910 that a buffer overflow has occurred, a fault confirmation process 1300 by inter-system communication is called to check whether an error has occurred in the standby system (step 920).
It is determined whether an abnormality has occurred in the standby system based on the result (step 925). Then, when it is determined that an abnormality has occurred in the standby system, the failure recovery processing unit 333 of the OS 213 is notified that the abnormality has occurred in the standby system (step 930), and all operations of the status update information exchange software 215 are stopped. I do. If there is no abnormality in the standby system, it is determined whether an abnormality has occurred in the shared memory synchronization mechanism 120 based on the result of step 920 (step 93).
5). Then, when it is determined that an error has occurred in the shared memory synchronization mechanism 120, the failure recovery processing unit 33 of the OS 213 reports that an error has occurred in the shared memory synchronization mechanism 120.
3 (step 940), and stops all operations of the status update information exchange software 215. If there is no abnormality in both the standby system and the shared memory synchronization mechanism 120, it is considered that the ring buffer processing of the standby system is simply not in time, so the NOP information writing timer is reset (step 945), and the NOP information is reset. The writing process 900 ends. However, in this case, it is desirable to write the NOP information as soon as the ring buffer becomes free. Therefore, the length of the NOP information write timer set in step 945 is set to a value shorter than the initial value of the normal NOP information write timer. Should be.

FIG. 10 shows the update information processing section 352 of the standby system.
Reads the triplet data 400 from the ring buffer 320 and delivers the status update information included in the triplet data to the OS or application corresponding to the application ID included in the triplet data. 10 shows a flow of a process 1000.

In this embodiment, the state update information read processing 1000 is periodically executed by a ring buffer read timer (length equal to or less than the NOP information write timer), but when the write to the tail pointer 327 occurs. The present invention can also be implemented by providing hardware for generating an interrupt to the standby system in the shared memory 220 and executing the status update information reading processing 1000 when the interrupt occurs.

The update information processing unit 352 called when the ring buffer read timer expires calls the ring buffer read processing 700 to
The triad data 400 is read from the ring buffer (step 1005). Then, from the return value of the ring buffer read processing 700 called in step 1005,
It is determined whether the ring buffer is empty (step 101).
0), if it is empty, the ring buffer read timer is returned to the initial value of the timer (step 1015), and the state update information read processing 1000 ends.

If the return value of the ring buffer read processing 700 called in step 1005 is not a value indicating that the buffer is empty, the read data is N
It is checked whether the information is OP information (step 102).
0), if it is NOP information, the process returns to step 1005 again. If the information is not NOP information, a connection to be used for transfer of status update information is determined using the application ID included in the read triplet data and the application ID / connection correspondence table 355, and the connection is used to determine the connection. The status update information included in the tuple data is delivered to the OS or application corresponding to the application ID (step 1025).
Then, the process returns to step 1005 again.

FIG. 11 shows that the other system fault monitoring unit 353 monitors whether or not a fault has occurred in the other system or the shared memory synchronization mechanism 120 by monitoring the value of the pointer updated by the other system. If it is determined that a failure has occurred in any of them, the flow of the other system failure monitoring processing 1100 for confirming which of the failures it is by using inter-system communication is shown.

The other-system fault monitoring process 1100 is periodically executed by a fault monitoring timer (length longer than the NOP information writing timer). The other system fault monitoring process 1100 can be executed by both the active system and the standby system (if it is not necessary to monitor the fault of the other system, it is not necessary to execute the process). When 326 is executed in the standby system, the tail pointer 327 is set as a monitoring target pointer. Hereinafter, the value of the pointer to be monitored is represented by P.
When the execution of the state update information exchange software 215 is started, the previous value 356 of the pointer is set to the initial value of P (= S
A) It is assumed that the pointer change flag 357 has been initialized to 0.

The other system fault monitoring unit 353 called by the expiration of the fault monitoring timer checks whether or not the pointer change flag 357 is 1 (step 1105). 1
If this is the case, it means that P has been changed after the pointer change flag 357 was previously returned to 0, so that the failure monitoring timer, the previous pointer value 356, and the pointer change flag 357 are initialized. , The processing from step 1115 to step 1120 is performed.

When the pointer change flag 357 is 0, the pointer change flag 357 is returned to 0 before, and when P is not changed at all, the own system performs the ring buffer write processing 600 or the ring buffer read processing. There are two cases in which the process 700 is not performed at all. In order to distinguish these cases, it is checked whether P and the previous value 356 of the pointer are equal (step 111).
0). If the values are different, steps 1115 to 1120 are performed as in the case where the pointer change flag 357 is 1.
The processing up to is performed. In addition, P is added to the previous value 356 of the pointer.
Is set, and the local system performs ring buffer write processing 6
00 or even once the ring buffer read processing 700 is performed, P may make one round of the ring buffer and return to the same value as the previous pointer value 356. Therefore, P is changed only by comparing the previous pointer value 356 with P. I can't tell if it was done. Therefore, neither Step 1105 nor Step 1110 can be omitted.

Step 1105 and Step 1110
When P is found to have changed, the previous pointer value 356 is set to P, the pointer change flag 357 is set to 0 (step 1115), and the failure monitoring timer is returned to the initial value of the timer (step 1120). The system failure monitoring processing 1100 ends.

On the other hand, step 1105 and step 1
When 110 finds that P has not been changed,
In order to check whether an abnormality has occurred in the other system, the failure confirmation processing 1300 by inter-system communication is called (step 1125), and based on the result, it is determined whether or not an abnormality has occurred in the other system (step 1130). ). Then, when it is determined that an abnormality has occurred in the other system, the failure recovery processing unit 333 of the OS 213 is notified that an abnormality has occurred in the other system (step 1135), and all operations of the status update information exchange software 215 are stopped. I do. If there is no abnormality in the other system, it is determined whether an abnormality has occurred in the shared memory synchronization mechanism 120 based on the result of step 1125 (step 1140). If it is determined that an error has occurred in the shared memory synchronization mechanism 120, the shared memory synchronization mechanism 1
20 is notified to the failure recovery processing unit 333 of the OS 213 (step 1145), and all the operations of the status update information exchange software 215 are stopped. If neither the other system nor the shared memory synchronization mechanism 120 has an abnormality, it is considered that the ring buffer processing of the other system is simply not in time. Therefore, the failure monitoring timer is reset (step 1150), and the other system failure is detected. The monitoring processing 1100 ends.
However, in this case, it is desirable to be able to detect that there is no failure as soon as the other system executes the ring buffer processing.
The length of the fault monitoring timer set in step 1150 is
The value should be shorter than the initial value of the normal fault monitoring timer.

FIG. 12 shows a failure confirmation process 1 by inter-system communication.
The format of the inter-system communication message used in 300 is shown.

The header 1210 is a message header including a message length and the like. The sequence number 1220 is a number for uniquely distinguishing each message flowing through the inter-system communication line 130, and a value that is as different as possible from the sequence number 1220 of the message that has flowed so far is used. However, the sequence number 1220 is the same between the request message and the reply message to the request message.
The message type 1230 contains a number indicating the format of the message. In this embodiment, a head pointer request message requesting the other system to return the value of the head pointer 326, a head pointer reply message as a response thereto, and a tail pointer requesting the other system to reply the value of the tail pointer 327. Four types of message formats, that is, a request message and a tail pointer response message that is a response to the request message, are prepared, and the numbers representing the respective types are 1, 2, 3, and 4. The pointer value 1240 is a field added only in the case of a reply message, and contains the value of the leading pointer 326 in the case of a leading pointer reply message and the value of the trailing pointer 327 in the case of a trailing pointer reply message.

FIG. 13 shows that the other-system fault monitor 353 uses the inter-system communication to determine whether a fault has occurred in the other system, a fault has occurred in the shared memory synchronization mechanism 120, or a fault has occurred. 9 shows a flow of a failure confirmation process 1300 by inter-system communication for confirming whether or not the failure has occurred.

The failure confirmation processing 1300 by inter-system communication
Although it does not require an argument, it is implemented as a function-type procedure that returns to the caller a value indicating whether it is a failure of another system, a failure of the shared memory synchronization mechanism 120, or no failure has occurred. I decided to.

The failure confirmation processing 1300 based on the inter-system communication called by a certain system A is performed by first calling the inter-system communication control unit 332 in the OS 213 to request the other system B. Stream the message (Step 1
305). Message type 12 of this request message
Numeral 30 denotes number 1 representing a head pointer request message when the system A is an active system, and number 3 representing a tail pointer request message when the system A is a standby system. Then, it waits for a certain time until a response message having the same sequence number 1220 as the transmitted request message is received from the system B (step 1310). While waiting for reception in step 1310, the state update information exchange software 21
All processes including all the processing units 5 may be performed in parallel.

When the system B operating normally receives the request message from the system A, first, the inter-system communication control unit 332 in the OS 213 performs a process of receiving the request message. Deliver to the system failure monitoring unit 353. Then, the other-system fault monitoring unit 353 creates a reply message corresponding to the request message. At this time, in the message type 1230, if the received message is a head pointer request message, a number 2 representing a head pointer reply message is entered, and if a received message is a tail pointer request message, a number 4 representing a tail pointer reply message is entered. The sequence number 1220 contains the same sequence number as the received request message. The pointer value 1240 contains the value of the head pointer 326 held by the system B on the shared memory when the received message is the head pointer request message, and the tail value held by the system B on the shared memory when the received message is the tail pointer request message. The value of the pointer 327 is entered. Then, the created reply message is transmitted toward the system A by calling the inter-system communication control unit 332 in the OS 213.

When the waiting for reception for a predetermined time in step 1310 is completed, the system A checks whether or not the completion of the waiting for reception is due to time out (step 131).
5). If waiting time is over due to timeout,
A return value indicating that a failure has occurred in the other system is returned to the caller, and the failure confirmation processing 1300 by inter-system communication ends.

If the end of the reception waiting is due to the reception of the reply message, steps 1320 to 1330
, The start pointer 326 provided on the shared memory
Or synchronization of the value of the end pointer 327. It will be checked whether it is performed between the system A and the system B.

First, while waiting for reception, the pointer to be monitored (the head pointer 32 if the system A is the active system)
6. In the case of the standby system, whether the value P of the end pointer 327 has changed, whether the pointer change flag 357 is 1 (step 1320), and whether the previous value 356 of the pointer is equal to P (step 1325) Find out by). If it is determined in steps 1320 and 1325 that P has changed, a return value indicating that no failure has occurred in the other system or the shared memory synchronization mechanism 120 is returned to the caller, and the failure is confirmed by inter-system communication. Process 1300
To end. If it is found in Steps 1320 and 1325 that P has not changed, P is compared with the pointer value 1240 included in the reply message received from the system B (Step 1330). A return value indicating that a failure has occurred is returned to the caller, and failure confirmation processing 1300 by inter-system communication is performed.
To end. If the values are the same, a return value indicating that no failure has occurred in the other system or the shared memory synchronization mechanism 120 is returned to the caller, and the failure confirmation processing 13 by the inter-system communication is performed.
End 00.

[0066]

As described above, by utilizing the state exchange / fault detection system of the present invention, the state synchronization of both systems can be performed using only a small amount of shared memory, and at the same time, the state synchronization mechanism is provided. Can be used to detect one system's software failure. In addition, according to the present invention, since the two systems do not directly share the status data, and most of the processes performed by the two systems are different, the system is highly resistant to abnormalities in status data and failures due to software / hardware bugs.

[Brief description of the drawings]

FIG. 1 is a system configuration diagram of a duplicated computer according to the present invention.

FIG. 2 is a hardware configuration diagram of each computer system incorporated in a duplicated computer in the present invention.

FIG. 3 is a configuration diagram of programs and data stored in a local memory and a shared memory of each computer system according to the present invention.

FIG. 4 is a diagram showing a format of triple data used for reading / writing from / to a ring buffer.

FIG. 5 is a diagram showing a data structure of a ring buffer.

FIG. 6 is a diagram showing a flow of a process of writing data to a ring buffer.

FIG. 7 is a diagram showing a flow of a process of reading data from a ring buffer.

FIG. 8 is a diagram illustrating a flow of a process of writing state update information received from an OS or an application to a ring buffer.

FIG. 9 is a diagram showing a flow of a process of writing NOP information to a ring buffer.

FIG. 10 is a diagram illustrating a flow of a process of reading state update information from a ring buffer and transferring the information to an OS or an application.

FIG. 11 is a diagram illustrating a flow of monitoring a failure of another system or a shared memory synchronization mechanism using a shared memory, and confirming the failure content using inter-system communication when the failure is found.

FIG. 12 is a diagram showing a message format used in a failure confirmation process by inter-system communication.

FIG. 13 is a diagram illustrating a flow of a process of confirming whether a failure has occurred in another system or a shared memory synchronization mechanism using inter-system communication.

[Explanation of symbols]

100: The entire computer, 110: Computer of each system, 120
... shared memory synchronization mechanism, 130 ... inter-system communication line, 140
... Control terminal connection line, 150 ... Control terminal, 200 ... CP
U, 210 local memory, 213 OS, 215 state update information exchange software, 217 application group, 220 shared memory, 230 inter-system communication controller, 240 control terminal communication controller, 250 auxiliary memory device controller 255: auxiliary storage device, 320
... ring buffer, 325 ... buffer memory area, 32
6 Start pointer, 327 End pointer, 330 O
S program, 331: timer control unit, 332: inter-system communication control unit, 333: failure recovery processing unit, 335: OS state data, 351: ring buffer control unit, 352: update information processing unit, 353: other system failure monitoring Part, 355: correspondence table between application ID and connection, 356: previous value of pointer, 357
... pointer change flag, 370 ... application program, 375 ... application state data, 400
.. Triplet data, 410 length field, 420 application ID field, 430 state update information field, 600 ring buffer write processing, 700 ring buffer read processing, 800 state update information write processing, 900 NOP Information writing process, 1000
... Status update information read processing, 1100 other system fault monitoring processing, 1210 header, 1220.
1230: message type, 1240: pointer value,
1300: Failure confirmation processing by inter-system communication.

Claims (6)

[Claims] A computer having therein both a local storage area that can be referred to only by the computer and a shared storage area that can be referred to by other computers, wherein the local storage area of the computer is provided. Means for sequentially writing information on the change of data stored in the shared storage area of the computer, data stored in a specific storage area provided in the shared storage area of the computer, Means for periodically rewriting in accordance with the writing; other means for sharing the shared storage area with the computer by periodically monitoring a specific storage area provided in the shared storage area of the computer. It is determined that a failure has occurred in the computer, an apparatus for sharing the storage contents of the shared storage area between the computer and another computer, or both of them. , A computer comprising: 2. A computer having therein both a local storage area that can be referred to only by the computer and a shared storage area that can be referred to by other computers, wherein the shared storage area of the computer is provided. Means for sequentially reading data stored in the computer, interpreting the data as information relating to a change in the data stored in the local storage area of the computer, and reflecting the data in the local storage area of the computer; Means for periodically rewriting data stored in a specific storage area provided in the storage area in accordance with the reading of the information; and periodically updating the specific storage area provided in the shared storage area of the computer. The other computer sharing the shared storage area with the computer, or the storage contents of the shared storage area can be monitored by the computer and another computer. A computer for sharing with the computer, or a unit for determining that a failure has occurred in both of them. 3. The computer according to claim 1, wherein: a means for transmitting data from the computer to another computer using a device other than the shared storage area; and using a device other than the shared storage area. Means for receiving data from another computer to the computer, data stored in a specific storage area provided in the shared storage area of the computer in accordance with data received from the other computer by the data receiving means. Means for sending to another computer using the data transmitting means, after sending data to another computer using the data transmitting means, the data receiving means did not receive data from the other computer for a certain period of time. Means for judging that a failure has occurred in another computer sharing the shared storage area with the computer, and receiving from the other computer by the data receiving means. Means for sharing the storage contents of the shared storage area between the computer and another computer using the taken data, and determining whether a failure has occurred in an apparatus. calculator. 4. The computer according to claim 2, wherein: a means for transmitting data from the computer to another computer using a device other than the shared storage area; and using a device other than the shared storage area. Means for receiving data from another computer to the computer, data stored in a specific storage area provided in the shared storage area of the computer in accordance with data received from the other computer by the data receiving means. Means for sending to another computer using the data transmitting means, after sending data to another computer using the data transmitting means, the data receiving means did not receive data from the other computer for a certain period of time. Means for judging that a failure has occurred in another computer sharing the shared storage area with the computer, and receiving from the other computer by the data receiving means. Means for sharing the storage contents of the shared storage area between the computer and another computer using the taken data, and determining whether a failure has occurred in an apparatus. calculator. 5. A computer system comprising a computer according to claim 1 or 3 and a computer according to claim 2 therein, one each of which comprises: A means for sharing the storage contents of the shared storage area. 6. A computer system having one computer according to claim 3 and one computer according to claim 4 therein, wherein the two computers share a common storage area with each other. And a means for transmitting and receiving data between the two computers using a device other than the shared storage area.