JP2973425B2 - Fault handling method and device therefor - Google Patents

Description

Description: TECHNICAL FIELD The present invention relates to a failure handling method in a disk control device and a device therefor, and more particularly to a method for incorporating a cache,
The write data from the host computer to the disk is temporarily held in a cache, and asynchronously with the above-described write operation to the disk by the host computer,
The present invention relates to a failure processing method suitable for improving the reliability of write-pending data in response to a failure of a disk control device that performs collective writing operation from a cache to a disk, and an apparatus therefor.

[Conventional technology]

In the conventional disk controller with cache,
Data to be accessed frequently is stored in a cache, and when such data is accessed, data is read from the cache without going to the disk to improve the data access efficiency. . In this case, for example, as disclosed in Japanese Patent Application Laid-Open No. Sho 60-79447, when a cache failure is detected, the entire cache is disconnected and all data on the cache is discarded.

[Problems to be solved by the invention]

The prior art described above assumes that the same data as a disk drive is stored in a cache and is used only for reading. However, the disk control that presupposes the write data from the host computer in a temporary cache and performs the collective write operation from the cache to the disk asynchronously with the write operation to the disk of the host computer, which is a premise of the present invention. For a device failure, it is not enough to simply discard the data on the cache.

That is, when performing the batch writing operation in the disk controller, a backup memory of the cache is prepared,
The write pending data on the cache is duplicated, and the write pending data from the cache is reflected on the disk drive from the backup memory in the event of a cache failure, and vice versa. However, if the processor in the disk controller fails to update the cache or backup memory management information,
Since the management information becomes invalid, the write pending data is lost.

In this case, since the cache memory or the backup memory itself is normal in terms of hardware, only detection of a hardware failure in these memories determines which of the cache and the backup memory is to be used to reflect write pending data to the disk drive. And cannot be dealt with by the conventional technology.

The present invention has been made in view of the above circumstances, and an object of the present invention is to solve the above-described problems in the related art, to temporarily hold write data from a host computer in a cache, and to store data in a disk of the host computer. An object of the present invention is to provide a failure handling method capable of coping with a failure of a disk control device that performs a collective writing operation from a cache to a disk asynchronously with a writing operation to a disk.

[Means for solving the problem]

It is an object of the present invention to provide a host computer which has a plurality of processors, a cache memory and a cache backup memory, and temporarily writes data to a disk drive from a host computer in the cache memory and the backup memory. The disk control device that reports the end and writes the pending data on the cache to the disk drive (collectively write operation) asynchronously with the data write operation of the host computer. The update of the information in the cache directory having the cache directory and the backup data in the backup memory directory having the management information of the pending data in the backup memory is performed by any one of the plurality of processors while excluding the other processors. At the same time as detecting that any processor has stopped operating due to a failure, the processor identifies whether the cache directory information or the backup memory directory information is being updated, and manages any of them. This is achieved by a failure handling method and an apparatus therefor, characterized in that the write pending data is written to a disk drive from a memory corresponding to the one whose information has been updated.

[Action]

In the failure processing method according to the present invention, any one of the plurality of processors in the disk control device exclusively and sequentially updates the management information of the cache or the backup memory having the write pending data. By doing so, based on the fact that the management information of the cache and the backup memory is not destroyed at the same time due to the failure of the processor, when the failure of the processor is detected, A normal processor identifies whether the management information is being updated, and writes the write-pending data to the disk drive from the cache or the backup memory from which the update of the management information is completed. Writing that has become unified Reliably hold data and makes it possible to be written to the disk drive.

Further, the fault processing apparatus according to the present invention includes means necessary for this.

〔Example〕

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 2 is a configuration diagram of a disk subsystem with a cache according to one embodiment of the present invention. The disk subsystem of the present embodiment includes a channel controller 101, a disk controller 102, and disk drives 1100 and 1200 connected to the host computer 100. The disk controller 102 has four processors 103, 104, 105 and 106.
Each processor has a lock mechanism 107 for inter-processor exclusion, a control memory 187 reflecting the processor state, a cache memory 1060, a cache directory 1050 for storing its management information, a cache backup memory 109, and its management. It is connected to a backup memory directory 108 for storing information. Each processor is connected to the channel control device 101 and the disk drives 1100 and 1200, respectively.

First, the collective writing operation of the disk control device 102 when each processor operates normally will be described. For example, when the processor 103 in the disk controller 102 receives an access request from the host computer 100 via a channel, the processor 103 decodes the request and determines which disk drive is the access request. As an example, it is assumed here that the request is a write request to the disk drive 1100.

The processor 103 connects the signal line 12 to the lock mechanism 107.
A lock request is issued to the disk drive 1100 via 6. The internal operation of the lock mechanism 107 will be described later. The processor 103 outputs the signal line 125 from the lock mechanism 107.
When the response of the lock acquisition success to the disk drive 1100 is received via the, the command is requested to the channel control device 101. When a command is transmitted from the channel control device 101 to the processor 103, the processor 103 decodes the command, distinguishes between read / write (here, a write command), the track number to be accessed (TR1) and the record number (R1). ) Recognize.

Next, the processor 103
A search is made of the disk drive 1100 track table 3801 (see FIG. 5) in the cache directory 1050 storing the management information of 0, and whether or not the cache slot for the access target track number TR1 has already been allocated on the cache. Is determined. Here, the slot control block 354 is allocated to TR1 of the track table 3801, and the data of TR1 is already stored in the data storage area 306 in the cache memory 1060 from the slot control block 354. These are called track hits. FIG. 5 is a diagram showing a logical configuration of the cache directory 1050 and the cache memory 1060.

There are two types of track hit data in the cache memory 1060. That is, a slot in which the data stored in the slot on the cache matches the data on the track on the disk drive corresponding to the slot (this is called a “non-pending slot”), and
These are slots that do not match (this is called a "pending slot"). The former is a non-hatched slot in the cache memory 1060 in FIG.
The latter are indicated by hatched slots. The pending slot is generated when write pending data is stored in the cache by the collective writing operation of the disk control device 102. In the case of TR1 mentioned above,
This is a non-pending slot.

Here, based on FIG. 5, the cache directory
The queue connecting the slot control blocks in 1050 will be explained. The queue 322 is a collection of slot control blocks pointing to the positions of non-pending slots in all disk drives in one queue. Also, the queue 320 is a collection of slot control blocks that point to the positions of all pending slots for the disk drive 1100 in one queue,
The queue 321 is a collection of slot control blocks pointing to the positions of all pending slots for the disk drive 1200 in one queue. In this way, the queue of the slot control block pointing to the pending slot is made independent for the disk drive. The queue 323 is a collection of slot control blocks pointing to the positions of empty slots on the cache in one queue.

The processor 103 determines the slot status of the slot control block 354 (see FIG. 6), and determines whether or not another processor is accessing the slot (whether the slot status is busy). Here, it is assumed that another processor is not accessing the slot.
At this time, the processor 103
Is updated to busy, and the own processor number 103 is written to the locked processor number.

Next, in order to make the slot a target for batch writing,
The slot control block 354 is moved from the non-pending slot queue 322 to the pending slot queue 320. Further, in order to duplicate the write pending data on the cache, the directory 108 of the backup memory 109 is searched, and an empty slot on the backup memory 109 for storing the same data as the pending slot on the cache is secured.

In the directory 108 of the backup memory 109, slot control blocks indicating the positions of pending slots on the backup memory 109 are stored in the disk drives 1100 and 1100.
There are queues 4010 and 4011 (see FIG. 7) connected to the corresponding 200 and a queue 4020 connecting the slot control blocks indicating the empty slot positions on the backup memory 109 to one.

For example, to duplicate the slot corresponding to TR1 on the cache, the slot control block 654 that points to the empty slot 605 is extracted from the queue 4020, and the pending slot queue 40 for the disk drive 1100 is extracted.
Add to 10. And TR on the cache directory
As the backup memory slot pointer of the slot control block 354 corresponding to 1, a pointer to the slot control block 654 on the backup memory directory 108 is stored.

Further, the processor 103 includes a control memory 187 shown in FIG.
Contents of the above job form 602 (Read / Write distinction, access target drive No. access target track and record N
o. and the slot number reserved by the processor, etc.), via the above-described channel control device 101 and processor 103, the field of the record R1 in the cache slot 306 (see FIG. 5) and the backup memory. The write record data is simultaneously transferred to the field of the record R1 in the slot 605 (see FIG. 7).

When the transfer of the write record data to the cache and the backup memory is completed, the channel controller
In response to 101, a report of completion of data writing to the disk drive is returned. At this time, the write record data is doubly reserved as a pending slot on the cache and the backup memory. When the number of such pending slot data reaches a certain number, an arbitrary processor that is not processing an access request from the channel control device 101 collectively writes a plurality of tracks to the disk drive and writes the cache slots and the cache slots that have been written to the disk drive. Is released from the pending slot queue and returned to the empty slot queue.

The above is the summary writing operation in the disk controller 102 in the normal state.

Next, the configuration and operation of the lock mechanism 107 will be described with reference to FIGS.

FIG. 3 is a diagram showing the internal configuration of the lock mechanism 107, which comprises three registers 3000, 3100, 3300, a monitoring timer 208, a lock control unit 206, and an arbiter 290. Register 3
000 stores lock information 2000 for each drive. When bit 2001 in lock information 2000 is set to “1”,
Indicates that one processor is securing the lock on the drive and that other processors should not access the drive.

Also, when "1" is set to the update flag A (2002), it indicates that the processor which is securing the lock of the drive may update the cache directory information related to the drive. Conversely, the update flag B
If “1” is set to (2003), it indicates that the processor that is securing the lock of the drive may update the backup memory directory information related to the drive. In the processor No. (2004), a processor No. which is securing the lock of the drive is set. In the register 3100, a new lock request from the processor for each drive is set. Also register
In 3200, a lock release request for each drive and a request to forcibly acquire a lock already acquired by another processor are set.

The setting information of these registers for each drive is the same as that set in the lock information 2000. The usage of these registers will be described together with the description of the operation of the lock control unit 206 described below.

The operation of the lock control unit 206 is shown in the flowchart of FIG. The lock control unit 206 includes the register 3100 described above.
And operation starts when any processor sets a lock request to any of 3200 and 3200 (step 4000). In addition,
Arbiter 290 handles conflicts when multiple processors set lock requests.

Now, assuming that a lock request for a certain drive is set in the register 3100 (the lock bit and the processor number are set, and when a directory is updated, the corresponding update flag is also set), the lock control unit 206
Started the monitoring timer 206 first (step 4190)
Thereafter, the lock bit in the lock information of the drive of the register 3000 is checked (step 4300). If the lock bit is not set, after stopping the monitoring timer 206, the content of the register 3100 is transferred to the register 3000,
The lock for the drive of the processor which has requested the lock is secured (steps 4600 and 4800). If the lock bit is set, the lock wait state is entered, and if the lock bit is not reset before the monitoring timer 208 times out, a lock request timeout error is reported (steps 4400, 4500, 4700).

If a lock request for the drive in the register 3200 (set a lock bit and a processor number, and if a directory is updated, also set a corresponding update flag) is set, the lock control unit 206
Examines the lock bit in the lock information of the drive in the register 3200, and if it is “1”, determines a forced lock acquisition request, and if it is “0”, determines a lock release request.

In the case of a forced lock acquisition request, the contents of the register 3200 are unconditionally transferred to the register 3000. If there is a lock wait request in the register 3100, the monitoring timer 208 is reset and started (steps 4140, 4180, 4170). . This control lock acquisition mode is also used when the same processor changes only the content of the update flag while canceling the lock of the same drive. In the case of a lock release request, the processor 3000 of the lock information of the register 3000 and the processor number of the lock information of the 3100 are compared, and if they are equal, the registers 3000 and 3100 are cleared. If they are not equal, only the register 3100 is cleared (step 412).
0,4130).

In the disk control device performing the above operation, consider a case where a processor failure occurs while updating the queue connecting each slot control block in the cache directory 1050 or the backup memory directory 108 described above. In this case, the management information of the pending slot in the directory becomes invalid, and the write pending data from the memory having the illegal directory cannot be written to the disk drive. Therefore, the write pending data is virtually unified in the disk controller. State. It is necessary to detect the state and write the unified write pending data to the disk drive as failure processing.

Hereinafter, the failure processing operation according to the present embodiment will be described with reference to the flowchart shown in FIG. 1 using the above-described disk control device as an example.

There are two occasions for starting the failure handling operation (step 700). The first is a reset input from the channel control device 101. For example, when the processor 103 stops due to a failure in the disk control device 102, the processor generates an abnormality occurrence notification interrupt to the channel control device 101 via the signal line 112. The channel control device 101 that has received the abnormality occurrence notification interrupt outputs a reset signal to the processor 103 via the signal line 111. The processor 103 that has received the reset signal sets its own processor number to the failed processor number (step 702).

Another trigger is the occurrence of a lock acquisition timeout error in the lock mechanism 107. In this case, it is conceivable that one of the processors has caused a permanent failure while securing the lock of a certain disk drive. In this case, the faulty processor is isolated as follows. The processor that has received the lock timeout report from the lock mechanism 107 registers the register 3 in the lock mechanism 107 regarding the disk drive that the processor was trying to lock.
The processor number in the lock information of 000 is read, and the processor status of the processor in the control memory 187 described above is checked for the read processor number. No. is set (steps 701 and 703).

After the above processing, the following processing is performed. The following processing is common to the above two occasions.

First, the job slip of the failed processor is checked in the control memory 187, and the disk drive No. for which the failed processor was performing access processing is read (step 713).
As a result, if there is a drive that is being accessed (step 783), the corresponding disk drive information in the register 3000 of the lock mechanism 107 is checked, the lock bit is set, and the lock acquisition processor No. (2004 ) Matches the failed processor number. If they do not match, it is considered that another processor has already started the failure processing, and the own processor does not perform the failure processing.

If they match, a forced lock request of the own processor for the disk drive is set in the register 3200 of the lock mechanism 107, the lock of the disk drive is acquired, and the following processing is performed.

First, the update flag in the lock information of the disk drive is checked to determine which of the update flag A indicating the cache directory update and the update flag B indicating the backup memory directory update is set (step 704). If the update flag A is set, it is considered that the cache directory information has been destroyed due to the processor failure during the cache directory update, and the cache is closed (step 705). The access from the control device 101 is temporarily stopped (step 707).

The process of writing the write pending data of the disk drive in the backup memory to the disk drive is performed in the backup memory directory, which is linked to the pending slot queue for the disk drive and pointed to by the slot control block. The above write pending data for the disk drive is written on the disk drive (step 709). After the writing is completed, the cache directory is initialized, and access to the disk drive from the channel control device 101 is permitted.
The job table of the failed processor in the control memory 187 is cleared, an unlock request for the disk drive is set in the register 3200 of the lock mechanism 107, and the collective writing operation on the disk drive is restarted (step 711,
714).

On the other hand, if the update flag B is set, the backup memory is closed, assuming that the backup memory directory information has been destroyed due to a processor failure during the update of the backup memory directory (step 70).
6), suspend access from the channel controller 101 to the disk drive accessed by the failed processor (step 708), and point to the slot control block connected to the pending slot queue for the disk drive in the cache directory. The written write data on the cache memory and the disk drive is written to the disk drive (step 710). After the writing is completed, the backup memory directory is initialized to access the disk drive from the channel controller 101. Is cleared, the job vote of the failed processor in the control memory 187 is cleared, and a lock release request for the disk drive is set in the register 3200 of the lock mechanism 107,
The collective writing operation for the disk drive is restarted (steps 712 and 714).

The lock mechanism 107 performs inter-processor exclusion as described above so that different processors do not update the cache directory and the backup memory directory at the same time. Both directories cannot be corrupted at the same time.

Next, consider the case where the processor itself is normal, but a path failure has occurred in the path connecting the directory and the processor.

In this case, as long as a path failure has occurred in the path connecting the directory and the processor, the processor itself that is updating the directory cannot initialize the directory (step 714 in FIG. 1), so that the processing cannot be completed.

In response to this, the processor itself that is updating the directory puts its own processor in a permanent failure state, so that another processor having a normal path to the directory can update the processor that is updating the directory. The lock mechanism 107 detects a lock time-out error in an attempt to secure the lock of the disk drive that has been secured, and triggers the failure processing shown in FIG. After that, the collective writing operation of the disk drive can be restarted.

According to the above-described embodiment, in the disk control device that performs the collective writing operation, an arbitrary processor in the disk control device stops operation due to a failure, and the management information of the write-pending data in the cache memory or the management information in the backup memory. Even when the update of the management information of the write pending data cannot be completed, the information of the job ticket in the lock mechanism 107 and the control memory 187 can secure one of the write pending data management information in a correct state, and Since it is possible to determine whether the data is correct or not, the write pending data can be surely written to the disk drive from the memory having the correct write pending data management information.

In addition, since the lock information of the cache directory and the backup memory directory of the lock mechanism 107 is stored in units of disk drives, for each disk drive that has been accessed by the failed processor, either the cache directory or the backup memory directory, It is possible to determine whether the data management information has been updated or not. Even if multiple processors in the disk control unit have a simultaneous failure, the write pending data of each disk drive accessed by the failed processor survives. The processor can completely write to the disk drive.

As a result, in this embodiment, there is an effect that the reliability of the collective writing operation of the disk control device as described above is greatly improved.

In the above embodiment, the number of processors in the disk controller is four, but in general, the disk controller may be composed of n processors. Also, update flags A and B for separating the update of the cache directory and the backup memory directory are provided in the register inside the lock mechanism 107. These flags are provided in the cache directory and the backup memory directory. It is also possible. That is, an update flag A is provided for each pending slot queue corresponding to a disk drive in the cache directory,
An update flag B is provided for each pending slot queue corresponding to a disk drive in the backup memory directory, the processor sets these flags immediately before updating the respective queues, and resets the flags after the update is completed. Good.

〔The invention's effect〕

As described above in detail, according to the present invention, a plurality of processors, a cache memory, and a cache backup memory are built in, and writing from the host computer to the disk drive is temporarily suspended in the cache memory and the backup memory. At this point, the disk control device that reports the end of writing to the host computer and performs a collective writing operation of writing the held data in the cache to the disk drive asynchronously with the data writing operation of the host computer. One of the plurality of processors updates data in a cache directory having management information and a backup memory directory having management information of pending data in the backup memory by another processor. And while sequentially performing, while detecting that any processor has stopped operating due to a failure, the processor identifies which of the cache directory information and backup memory directory information was being updated, and identified By writing the write pending data to the disk drive from the memory corresponding to the one whose update of the management information has been completed, the write pending data cannot be written out from the disk controller to the disk drive, A failure processing method capable of preventing write pending data from being left in a single state in the disk control device and greatly improving the reliability of the collective writing operation by the disk control device, and a failure processing method thereof. Has a remarkable effect of realizing a device for .

[Brief description of the drawings]

FIG. 1 is a flowchart showing a failure processing operation in a disk control device according to an embodiment of the present invention, FIG. 2 is a configuration diagram of a disk subsystem with a cache according to the embodiment,
FIG. 3 is a diagram showing an internal configuration of a lock mechanism as a main part thereof, FIG. 4 is a flowchart showing an operation of a lock control unit, FIG. 5 is a diagram showing a logical configuration of a cache directory and a cache memory, and FIG. Is a block diagram of a slot control block in the cache directory, FIG. 7 is a logical block diagram of a backup memory directory and a backup memory, and FIG. 8 is a logical block diagram of a control memory. 100: Host computer, 101: Channel controller, 102:
Disk control device, 103, 104, 105, 106: processor, 107:
Lock mechanism, 108: Backup memory directory, 10
60: cache memory, 187: control memory, 109: backup memory, 1050: cache directory, 1100 and 1200: disk drive, 3000, 3100, 3300: register in lock mechanism, 208: monitoring timer, 206: lock control unit, 29
0: Arbiter, 2000: Lock information.

Continuing on the front page (72) Inventor Kenzo Kurihara 1099 Ozenji Temple, Aso-ku, Kawasaki City, Kanagawa Prefecture Inside System Development Laboratory, Hitachi, Ltd. (56) References JP-A-63-269244 (JP, A) (58) Fields investigated (Int. Cl. ⁶ , DB name) G06F 12/08 G06F 12/16 G06F 11/00

Claims (7)

(57) [Claims] A host computer has a built-in cache memory and a cache backup memory. When a host computer temporarily writes to a disk drive and temporarily suspends the cache memory and the backup memory, the host computer notifies the host computer of the end of writing. A disk controller that reports and asynchronously writes the pending data on the cache to the disk drive (collectively write operation) asynchronously with the data write operation of the host computer, has the management information of the pending data on the cache. Updating of information in a cache directory and a backup memory directory having management information on pending data in the backup memory is performed by any one of the plurality of processors while excluding other processors. At the time when it is detected that any processor has stopped operating due to a failure, the processor identifies which of the cache directory information and the backup memory directory information was being updated, and manages any of them. A failure processing method comprising writing the write-pending data to a disk drive from a memory corresponding to the one whose information has been updated. 2. The fault handling method according to claim 1, wherein the two directory information are initialized in addition to each of the operations, and the collective writing operation is restarted. 3. In addition to the above operations, if the faulty processor does not restart due to a reset and becomes a permanent fault, the permanent fault is detected when the faulty processor is detected. Identifying which of the information occurred during the update, and writing the write pending data to the disk drive from the memory corresponding to the one whose update of the management information was completed, and writing the two directories 2. The failure processing method according to claim 1, wherein the information is initialized in a reusable form, and the collective writing operation is restarted. 4. A plurality of processors, a cache memory, and a cache backup memory are built-in, and when the writing from the host computer to the disk drive is temporarily suspended in the cache memory and the backup memory, the writing completion is notified to the host computer. A disk controller that reports and asynchronously writes the pending data on the cache to the disk drive (collectively write operation) asynchronously with the data write operation of the host computer, has the management information of the pending data on the cache. Update of information in the cache directory and the backup memory directory having the management information of the pending data on the backup memory is performed by one of the plurality of processors while excluding the other processors. When a failure in a write path connecting the processor and each directory is detected during execution, the processor that is using the failed path is placed in a permanent failure state, and the permanent failure is stored in the cache directory information. And which of the backup memory directory information occurred during the update, and from the memory corresponding to the one whose update of the management information was completed,
A failure processing method comprising: writing the write pending data to a disk drive; initializing the two directory information in a reusable form; and restarting the collective writing operation. 5. The system according to claim 1, wherein the cache directory information and the backup memory directory information have an independent data structure for each disk drive to be written from the host computer, and each operation is performed for each disk drive. The fault processing method according to claim 1, wherein: 6. A plurality of processors, a cache memory, and a cache backup memory are built-in, and when the writing from the host computer to the disk drive is temporarily suspended in the cache memory and the backup memory, the writing completion is notified to the host computer. The disk control device that performs the operation of writing the pending data in the cache to the disk drive (collectively writing operation) asynchronously with the data write operation of the host computer, and stores the management information of the pending data in the cache. The update of information in the cache directory having the cache memory and the backup memory directory having the management information of the pending data in the backup memory is performed by one of the plurality of processors while excluding the other processors. Means for controlling the execution of any of the processors, means for detecting that any of the processors has stopped operating due to a failure, and which of the cache directory information and the backup memory directory information has been updated by the processor which has stopped operating due to the failure. A fault handling apparatus characterized by comprising means for identifying a fault. 7. In addition to the above means, means for detecting when the failed processor does not restart due to a reset and becomes a permanent failure, and when detecting the presence of the processor which has become a permanent failure. 7. The apparatus according to claim 6, further comprising means for enabling another processor to acquire the cache directory or the backup memory directory locked by the processor after the processor is forcibly unlocked. Fault handling equipment.