JP2002215416A - Fault-tolerant computer system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect change of memory (including cache memory) data by using a CPU instruction by using a programmatic method. SOLUTION: In this fault-tolerant computer system, an instruction simulator 132 for recording updated data of the memory and an updated event of the memory is realized by software. The simulator 132 decodes an instruction word, and records the memory updated data or the memory updated even when decoded results accompany memory update. When the decoded results are an I/O instruction, a checkpoint mechanism transmits checkpoint information and the contents of a performance register from an active system to an inactive system through a LAN. The checkpoint reflection mechanism of the inactive system updates the memory on the basis of transmitted data and substitutes for the operation of the active system when the active system becomes inoperable.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a fault-tolerant computer system for realizing fault-tolerance of a computer system by software.

[0002]

2. Description of the Related Art Conventional example. An invention for realizing a conventional fault-tolerant system is disclosed in Japanese Patent Application Laid-Open No. Hei 4-21373.
No. 6 ", there is a" checkpoint mechanism for a fault-tolerant system ". According to this conventional invention, in a multiprocessor system (for example, two server devices) including a plurality of interconnected identical processors, update information of a memory is transmitted, and the state of the processor is determined by the failure of the active processor. The backup processor detects the state saved in a memory device that is not correlated with the processor, thereby realizing a fault tolerance function that can take over even if one processor goes down. FIG. 34 shows a block diagram of a checkpoint mechanism according to the conventional invention. In FIG. 34,
The device 10-1 and the device 10-2 are a multiprocessor system including a plurality of identical processors. The checkpoint mechanism according to the conventional example includes devices 10-1 and 10-2.
Includes memory change detectors 28-1 and 28-2 and mirroring control circuits 30-1 and 30-2, respectively. It also includes a mirror bus 34 which is a dedicated circuit between the devices 10-1 and 10-2. This mirror bus is for transferring state data between the active processor and its backup processor. The operation of the checkpoint mechanism will be described assuming that device 10-1 is the active device and device 10-2 is the backup device. Apparatus 10
Since -1 is an active device, the memory change detector 28-1
Is activated, and the mirroring control circuit 30-1 is deactivated. Conversely, the memory change detector 28-2 has been deactivated, and the mirroring control circuit 30-2 has been activated. The memory change detector 28-1 responds to a write signal on the bus 16-1 and, when a write operation is performed, records a memory change record including at least a memory address and data on the bus 16-1. Generate. The generated record is supplied to the queue 32-2 of the backup device 10-2 via the mirror bus 34 and stored therein. At the end of each task, the active program issues a recovery point establishment command, so that the memory change detector 28
-1 detects this, and is supplied to the mirroring control circuit 30-2 from the line 42-1.
-2 generates a record and writes it to the queue 32-2. Further, the mirroring control circuit 30-2 dumps all the records in the queue up to the recovery point reached most recently by the read control line 44-2 in the memory 14-2 of the backup device 10-2. ST
The ORE operation is detected by the memory change detector 28-1 and the corresponding memory change record is stored in the queue 3 for loading into the memory 14-2 of the backup device 10-2.
2-2. If the active processor 12-1 fails before the program reaches the recovery point, the state of the backup processor is not updated and the value set up at the most recently reached recovery point contains the NextEntry Point in memory 14-2. It is held at the address.

[0003]

As described above, the checkpoint mechanism of the prior art uses a memory change detector to check the writing to the memory. This causes a problem that a change in the cache memory cannot be detected.
Further, if the above-described checkpoint mechanism is provided in the cache memory, there is a problem that it is difficult to mount the checkpoint mechanism on a high-frequency computer.

[0004] In order to solve the above problems, the present invention aims at the following. An object of the present invention is to detect a change in memory (including a cache memory) data using a CPU instruction using a program technique.

[0005]

A first computer system according to the present invention, and a second computer system capable of performing the same operation as the first computer system, are provided by the second computer system. The operation of the first computer system is monitored, and as a result of the monitoring, when the inoperable state of the first computer system is detected,
In the fault tolerant computer system taking over the operation of the first computer system by the computer system, the fault tolerant computer system connects the first computer system and the second computer system, and A communication network for communicating checkpoint information for taking over the operation of the computer system by the second computer system, wherein the first computer system has a first memory for storing predetermined information; An execution register for storing program control information for controlling the order of execution when the processing program having the following is executed according to the predetermined instruction, and an instruction to be executed according to the program control information stored in the execution register. And analyze it. And executes the instructions, the receiving a request for forcibly replacing the interrupt processing program control information stored in the execution register 1
When the result analyzed by the first instruction simulator and the first instruction simulator involves updating the first memory, an update history of the first memory is recorded as memory update information, and the first memory is updated. When the instruction simulator accepts a request for interrupt processing, generates the checkpoint information using the memory update information,
A checkpoint mechanism for transmitting the generated checkpoint information and the program control information stored in the execution register to the second computer system via the communication network, wherein the second computer system comprises: A second memory for storing predetermined information; a standby register for storing program control information for controlling an execution order when a processing program having a predetermined instruction is executed according to the predetermined instruction; Receiving the checkpoint information and the program control information transmitted from the checkpoint mechanism of the computer, reflecting the received checkpoint information in the second memory, and storing the received program control information in the standby register. Checkpoint reflection mechanism to be reflected and reflection by the above checkpoint reflection mechanism In accordance with the program control information of the standby register obtained, using the predetermined information stored in the second memory reflected by the checkpoint reflection mechanism, the operation of the first computer system is performed by the second And a second instruction simulator that is replaced by a computer system.

Further, in the fault tolerant computer system according to the present invention, the interrupt received by the first instruction simulator may include an instruction to the second computer system that at least the first computer system is operating normally. This is an alive timer interrupt for reporting, and the first computer system generates an alive timer interrupt at predetermined time intervals.

In a fault tolerant computer system according to the present invention, the first instruction simulator includes:
When the request for the interrupt processing is received, the checkpoint mechanism transmits the checkpoint information to the second computer system, executes the interrupt processing according to the request for the interrupt processing, and then re-executes. Generating the checkpoint information using the memory update information by the checkpoint mechanism, and transmitting the generated checkpoint information and the program control information stored in the execution register via the communication network. 2 is transmitted to the computer system.

Further, in the fault-tolerant computer system according to the present invention, the first memory stores the predetermined information in association with an address indicating a storage position of the predetermined information, and the checkpoint information is , At least an address of the first memory and predetermined information stored in correspondence with the address of the first memory.

Further, in the fault tolerant computer system according to the present invention, when the checkpoint mechanism updates the first memory, the checkpoint mechanism updates the memory as the memory update information in the order in which the memory was updated. A stack for storing one or more addresses of the first memory, a transmission buffer for storing one or more checkpoint information, and a storage location of the checkpoint information managed by a pointer; The address and the pointer of the transmission buffer that stores the checkpoint information are stored as lookup information in association with each other, and the lookup information is managed by a subaddress obtained by a hash method based on the address stored in the stack. And a look-up table to be stored in the stack The extracted addresses are extracted in the order in which they are stored, the extracted addresses are converted into sub-addresses by a hash method, and the presence / absence of lookup information stored in the lookup table managed by the converted sub-addresses is confirmed. If the lookup information is managed, the address of the lookup information is compared with the address taken out of the stack, and based on the result of confirming the presence or absence and the result of comparing the address. And generating the lookup information and storing it in the lookup table. Using the generated lookup information, obtains predetermined information stored in the first memory. The above checkpoint information is generated using the lookup information and the generation is performed. The checkpoint information based on the look-up information and to store to the transmission buffer.

Further, in the fault tolerant computer system according to the present invention, the checkpoint mechanism stores one or more checkpoint information, and a transmission buffer in which a storage position of the checkpoint information is managed by a pointer; 1 for storing the memory update information
An event table having one or more entries, and managing the entries by one or more columns and one or more rows, using an index address which is a part of the address of the first memory; To the column information indicating the columns of the event table by a hashing method. By comparing with a partial page address, if no matching entry is stored, an entry that does not store the memory update information is found. When the page address is stored as the memory update information and an entry that does not store the memory update information cannot be found,
For all the entries of the event table where the memory update information is stored, the memory update information stored in the order of the entries is extracted and stored in the first memory using the memory update information. The obtained predetermined information is obtained, the checkpoint information is generated using the obtained predetermined information and the memory update information, and the generated checkpoint information is stored in the transmission buffer.

Further, in the fault-tolerant computer system according to the present invention, the checkpoint mechanism uses the memory update information as the page address,
Acquiring all the predetermined information stored in the storage area of the first memory indicated by the page address from the memory update information stored in one entry of the event table. I do.

Further, a fault tolerant computer system according to the present invention is characterized in that the first memory includes at least a cache memory.

Further, the fault tolerant computer system according to the present invention is characterized in that the communication network is a LAN (local area network).

[0014]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 One example of the fault-tolerant computer system according to the first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a hardware configuration diagram of the fault-tolerant computer system of the present invention. In FIG. 1, the fault-tolerant computer system according to the first embodiment includes an active system 100 that is operating and an inactive system 200 that has the same components as the active system 100 and backs up the active system 100. And two systems.
101, 102, 201, and 202 are CPUs (cent
ral processing unit). There are two CPUs in each system, but this is to make it compatible with multiprocessors and is not a feature of the invention. 103 and 203 are MMU (memory mana).
and the memory of each of 104 and 205 is accessed. Numerals 105 and 205 denote disk controllers, which control the disk devices 107 and 207, respectively. 106 and 206 are LAN (l
Occasionally, an area network controller is connected to each of the 300 LANs. The active system 100 and the inactive system 200 are LA
Through the N300, they can be mutually accessed like a local disk.

FIG. 2 is a configuration diagram showing an example of a software configuration of the computer system of the present invention. In FIG. 2, 110 indicates the software configuration of the active system, and 210 indicates the software configuration of the inactive system. Inactive system software configuration 210
Is the same as the active software configuration 110, so the software configuration 110 of the active system is used here.
I will explain only. In FIG. 2, reference numeral 111 denotes an Operating System (O) of the host computer (PC server).
S), for example, Microsoft Windows
It is. The OS 111 of the PC server has 112 kernels,
Storage management unit 113, file management unit 114, 115
, An input / output (I / O) management unit 116, and an application 117
Programming Interface (AP
I) and 118 instruction simulators, 119a and 119
Application program of b (AP
P), Guest Operatin of 120 guest computers
g System (OS), 121 input / output (I / O) simulator. The I / O simulator 121 includes a disk (DISK) simulator 122 and a LAN simulator 123. By providing the instruction simulator 118 and the I / O simulator 121, a virtual (guest) computer is created on a PC server (host computer). The fault-tolerant computer system of the present invention uses a program-based method to detect a change in memory data by executing a simulation on an instruction on another computer (guest computer) using an instruction set of a host computer. There is a feature that can be easily realized in a system of the second environment.

FIG. 3 is a diagram for explaining the storage configuration of each of the active system and the inactive system. In FIG. 3, reference numeral 130 denotes a virtual storage unit of the active system 100;
0 is the kernel of the host computer 131, the instruction simulator 132, the checkpoint mechanism 133, and 138.
Execution register area, guest OS of 134, 135
a, 135b, a 136 DISK simulator, and a 137 LAN simulator.
The main storage data of the guest computer is APP 135a, 135
b and the guest OS 134, and the other elements are virtual storage data of the host computer. In other words, the contents of the main storage data of the guest computer differ depending on the processing contents executed at each time.
Is always one data (program) regardless of the processing content. Virtual storage unit 23 of inactive system 200
The element of 0 is the same as the active system 100 except for the checkpoint reflection mechanism of 233 and the execution register area. Each of the checkpoint mechanism 133 and the checkpoint reflection mechanism 233 further has a storage configuration shown in FIG. In FIG. 4, the checkpoint mechanism 133
Comprises a stack, look-up table 133a, and transmission buffer 133b.
Reference numeral 33 denotes a standby register area 233a and a reception buffer 2
33b. A feature of the computer system of the present invention is that a change in a memory is monitored by a program technique. The checkpoint mechanism 133 and the checkpoint reflection mechanism 134 realize this. That is, the checkpoint mechanism 133 and the checkpoint reflection mechanism 233 are software.

FIG. 5 shows a disk configuration and a file configuration of the active system 100 and the inactive system 200.
In FIG. 5, the disk device 1 of the active system 100
07 has a mirroring configuration. Further, a plurality of files can be stored in one volume. The DISK data of the hatched portion of the active system 100 and the DISK data of the inactive system 200 have a mirror configuration that retains the same contents.
The corresponding data of the inactive system 200 is also updated at the timing of updating the 0 mirror disk data. In addition, because of the mirror disk configuration, when the hatched portion of the active system 100 fails, data is read from the disk of the inactive system 200. Due to the mirror operation, when both DISKs operate normally, data is stored in both hatched DISKs, and when one of them fails, the data is stored only in the DISK of the non-failed system.

FIG. 6 shows an active instruction simulator 118.
5 is a flowchart of the program of FIG. The procedure of the active instruction simulator will be described with reference to the flowchart of FIG. First, in S1, the disk simulator 122 and L
Initialize the AN simulator 123. The initialization performed in S1 is performed by the disk simulator 122 and the LAN.
The registers and memories used by the simulator 123 are initialized. Next, in S2, the instruction simulator 11
8 is initialized. In initialization of S2, registers and memories used by the instruction simulator 118 are initialized.
Then, in S3, a storage area (guest OS 134) for the guest OS 120 is secured in the memory 104, and in S4, the IPL (initial program l) of the guest computer is acquired.
oda). After activating the IPL, the instruction of the guest computer, that is, the instruction constituting the application program of the APP 119a or the APP 119b is simulated (detailed processing of S5 will be described with reference to FIG. 9). FIG. 7 is a flowchart of the program of the inactive instruction simulator. When the active system 100 operates in the procedure of FIG. 6, the inactive system 200 performs the operation of FIG. In FIG. 7, the instruction simulator is initialized in S10. The initialization in S10 is the initialization of registers and memories used by the instruction simulator. Next, in S11, a storage area for the guest OS is secured in the memory 204. Then, a function for backing up the guest computer operating in the active system 100 is started (S12). To activate the function for backing up the guest computer, the instruction simulator waits for a register and memory initialization instruction from the service processor, and in response to the initialization instruction, the instruction simulator initializes the register and memory. . Thereafter, if the mode is not the backup mode, a PSW (Program Status Wor) indicating the instruction state and the program counter is set.
Simulation of each instruction is started according to d), but instruction simulation is not performed in the backup mode. Next, a checkpoint reflection process (FIG. 8A) and a monitoring timer process (FIG. 8A)
(B)). The checkpoint reflection process will be described with reference to FIG. The checkpoint reflection process is performed by the checkpoint reflection mechanism 233. In FIG. 8A, the checkpoint reflection mechanism 233 waits for a checkpoint creation request from the active system 100 in S170. If there is a request, the checkpoint information transmitted from the active system 100 is reflected on the inactive system 200 (S171,
(FIG. 13). Figure 8 shows the procedure for generating the monitoring timer process.
A description will be given according to (B). The monitoring timer process is performed by the checkpoint reflection mechanism 233. FIG.
In (B), the counter is initialized in S173. This counter is used to count the number of times the process of confirming that the active system 100 is alive is repeated.
Next, in step S174, an alive notification from the active system 100 is waited for a predetermined period of time. In S175, it is checked whether or not there is an alive notification. If there is an alive notification, the processes of S173 and S174 are repeated. If there is no alive notification, the counter is decremented by one (S17).
6). When the counter becomes 0 or less (S177), a flag is set to process the operation of the active system 100 instead (S178). Returning to the processing of FIG. 7, in S14, it is confirmed whether or not a flag for replacing the operation of the active system is set (the flag is set in S178 of FIG. 8B). The confirmation process of S14 is a confirmation process executed at regular time intervals. This confirmation processing and S13
The checkpoint reflection process and the monitoring timer process generated in step (1) operate in parallel. If the flag has not been set, the process returns to S14. If the flag is set, the active-type substitution process (FIG. 10) in S15 is performed. After the completion of the active substitution process, that is, the reason for the occurrence of the substitution request in S17, which is the last process in FIG. Became
Determines whether a request to return to the inactive system has occurred. Therefore, if the determination in S17 is YES, the process returns to S14, and if the determination is NO, the process returns to before S164 in the flowchart of the active-system substitution process (FIG. 10). Then, the instruction simulation of the guest computer is executed again.

Next, the sequence will be described with reference to FIG. 9. First, the flow chart of the active substitution process of FIG. 10 will be described. FIG. 10 is a flowchart of the active substitution process in S15 of FIG. In FIG. 10, in S160, the DISK simulator and the LAN simulator are initialized to shift the inactive system 200 to the active system.
Then, the instruction simulator is partially initialized. The reason for partially initializing the instruction simulator is that the initialization of the instruction simulator has already been performed in S10 of the flowchart of FIG. In this step S10, the inactive system 200 initializes the instruction simulator for backup, so that the instruction simulator necessary in the active system to shift from the inactive system to the active system is initialized in S161. . Then, in S162, the register value stored in the standby register area 233a is copied to the execution register area. Although the execution register area is not shown in the elements of the virtual storage unit 230 in FIG.
A register area similar to the execution register area 138 shown in the virtual storage unit 130 of the inactive system 20
It is assumed that it also exists in the virtual storage unit 230 of “0”. next,
In step S163, the value of the PSW is copied to the program counter. Then, an instruction simulation process of the guest computer shown in FIG. 9 is performed (S164).

Next, returning to FIG. 9, the processing procedure of the instruction simulation in the guest computer of FIG. 9 will be described. FIG.
The processing procedure shown in FIG. 7 is a main processing performed by an instruction simulation for realizing the fault-tolerant computer system according to the present invention. In the processing of FIG.
The instruction simulation generates checkpoint information to be transmitted to the inactive system 200 that is the backup computer, and transmits the generated checkpoint information to the inactive system 200. Figure 9 below
Will be described in detail. First, the instruction simulation 118 confirms the occurrence of the interrupt processing in S50. The types of the interrupt processing to be confirmed in S50 include the alive timer interrupt performed by the checkpoint reflection mechanism 233 of the inactive system 200 and, for example, J
A timer interrupt that occurs when a timer of 10 seconds is set for OB A and 2 seconds for JOB B, and a CPU resource is switched and allocated to JOB A and JOB B according to the set time, and a peripheral device. And I / O interrupts for receiving a code for notifying that the access processing to the peripheral device has been completed from the CPU. If there is no interrupt, S
At 51, an instruction is fetched from the memory indicated by the program counter, and at S52, the fetched instruction is decoded. The above S
The processing of 51 and S52 is the same operation as the processing of the instruction simulator when a normal application program is executed. Then, S53a, S53b,
The process branches to one of S53c. When branching to S53a is a general instruction without a memory update, branching to S53b is performed when the decryption result is a general instruction with a memory update or a control instruction with a memory update. The branch occurs when the decoding result is an I / O instruction. After branching to S53a, a simulated execution of the instruction is performed in the same manner as the execution of the instruction constituting the normal application program, and the program counter is updated (S54a). Is ended, and if there is no stop request, the processing is repeated from S50 (S55a). The stop request generated in S55a is mainly considered in the following three cases. (1) When a stop instruction is manually input from a virtual operation panel or a real operation panel, etc. (2) When a shutdown instruction of the host computer is issued, or when the simulator program is executed by the process itself or the I / O simulator or the service processor process When the notification is received (3) The stop time is specified in advance by the automatic operation. When the stop time is reached, the guest OS shuts down the guest system, and the guest OS issues an instruction to stop the guest computer. When. After branching to S53b, a simulated execution of the instruction is performed (S53b).
53b), and record the memory update data or memory update event (S54b). The processing procedure for recording the memory update data is described in FIG. 14, and the processing procedure for recording the memory update event is described in FIG. Thereafter, the flow branches to the processing of S54a. In the process of S54b, recording of the memory update data is performed when a general instruction involving a memory update is performed, and recording of a memory update event is performed when a control instruction involving a memory update is performed. After branching to S53c, checkpoint information is created (FIG. 11).
Simulated execution of the / O instruction is performed (FIG. 27). Then, checkpoint information is created again in S55c (FIG. 1).
1). If there is an interruption in the process of S50, the process proceeds to S53.
In step d, checkpoint information is created (FIG. 11).
Interrupt processing is performed (S54d, FIG. 25), and S55d
To create checkpoint information (FIG. 11). As can be seen from the flowchart of FIG. 9, checkpoint information is created when an interrupt occurs and when an I / O instruction appears. Also, recording of memory update data or memory update event as base information for generating checkpoint information is performed when a general instruction or a control instruction accompanied by memory update is executed.

Next, the contents of the process for creating checkpoint information will be described. FIG. 11 shows the details of the processing in steps S53c, S55c, S53d, and S55d for creating the checkpoint information in FIG. In FIG. 11, first, memory update data or memory update event data is processed to create memory difference data (S530, FIG. 16 or FIG. 2).
2). Then, the created difference data in the memory is transmitted to the inactive system 200 via the LAN 300 (S531). Further, the value of the register is also transmitted to the inactive system 200 via the LAN 300 (S5).
32). FIG. 12 shows a data example of the checkpoint information. FIG. 12 is a diagram illustrating an example of data in the transmission buffer and the reception buffer. Checkpoint information is LAN3
The data is transmitted from the active system to the non-active system via 00 to be taken over. From the active system, it is stored and transmitted in the transmission buffer 133b, and received by the reception buffer 233b in the inactive system. As shown in FIG. 12, the transmission (reception) buffer has a checkpoint start command 10 and a checkpoint end command 40, and a memory difference between the checkpoint start command 10 and the checkpoint end command 40. Stores data and register values. The contents of the active memory are set between the start 20 of the memory data and the end 29 of the memory data. The register data is set between the start 30 of the register data and the end 39 of the register data. The memory data is shown in FIG.
Are stored by the processing described in the flowchart of FIG. The checkpoint information 24 is composed of an address 21, upper data 22, and lower data 23,
The address and data are stored by a process of recording memory update data or memory update event data. There are 1 to n register data 31, and the value set is shown in FIG.
This is performed in the process of S532 of FIG. As shown in FIG. 12, the transmission buffer has two items, checkpoint information and register information. However, in the flowchart described with reference to FIG. 11, the difference data in the memory is transmitted to the inactive system in S531, and the value of the register is transmitted in S5322.
In this processing, since the memory difference data and the register value are separately transmitted to the inactive system, the checkpoint is not as shown in FIG. 12, and two check points each having memory information and register information are separately provided. A transmission buffer is required. If the memory information and the register information are simultaneously transmitted to the inactive system, that is, if the processes of 531 and S532 are collectively performed, the transmission buffer desirably has the contents as shown in FIG. If the difference data in the memory and the information of the register are transmitted from the active system to the inactive system, the inactive system can substitute the processing of the active system. Therefore, even if the necessary information is transmitted twice, Sending in one transmission process does not affect that the inactive system performs the substitution process. Thereafter, the process waits for a checkpoint reception notification from the inactive system (S533), and upon receiving the notification, resets the memory update completion counter or flag (S53).
4, FIG. 29 (A) and FIG. 29 (B)).

FIG. 13 is a detailed flowchart of the checkpoint reflection processing S171 of FIG. 8A. In FIG. 13, in S1710, the inactive system 200
Receives the difference data and the register value of the memory from the active system 100 via the LAN 300, and repeats the process of S1710 until it is confirmed that all the data has been received. Since the processing in S1710 is repeated within a predetermined time, if all data has not been received (S1711, No), a timeout is confirmed (S1711).
15) If a timeout occurs, that is, the inactive system 200 cannot receive the checkpoint information within a predetermined time,
It is determined that the inactive system 200 cannot substitute the processing of the active system 100. Based on this determination, a flag is set for the active system 100, which originally operated as the active system, requesting that processing be substituted (S1716). When all the data is received (S1711), the memory 204 of the inactive system 200 is updated based on the received difference data of the memory (S1712, FIG. 30). Then, the register value is updated in the standby register area 233a (S1713). S
Since the reflection of the checkpoint information and the register value is completed by performing the processing of 1712 and S1713, the completion of the processing is notified from the inactive system 200 to the active system 10.
0 is notified via the LAN 300 (S171).
4). The notification performed in S1714 is the same as the notification in S5 of FIG.
33 is an end notification received.

FIG. 14 is a flowchart for explaining the process of “recording memory update data” in the process of “recording memory update data or update event” in S54b of FIG. If the instruction is a general instruction accompanied by a memory update,
The recording process of the memory update data of No. 4 is performed. In the first embodiment, a stack is used as a table for storing an address of a memory whose memory has been updated for a process of recording memory update data. The stack can store addresses from the stack counter 0 to the stack counter (SC + N) as shown in FIG. The addresses are sequentially stored in the stack from the stack counter 0, and when the stack becomes full and there is no more area for storing addresses, the checkpoint creation processing described with reference to FIG. 11 is performed. The recording process of the memory update data will be described with reference to the flowchart of FIG. Figure 1
In S5430 of No. 4, the stack counter (SC) is compared with the stack size. If the stack counter is equal to or larger than the stack size, that is, if the number of addresses stored in the stack as shown in FIG. If the stack counter (SC) + N is fully stored and there is no free area, a check point creation process (FIG. 11) is performed in S5431, and the process proceeds to S5432. If it is smaller, that is, if there is still an area for storing an address in the stack, the process proceeds to S5432. In S5432, the address at which the memory has been updated is set in the stack using the stack counter as a pointer, and 1 is added to the stack counter. In the example of the stack shown in FIG. 15, addresses up to SC-1 are stored and used. An address can be stored in the stack until the stack size becomes full (until the stack counter becomes SC + n), and the stack counter becomes SC + n.
Then, the process of creating checkpoint information in FIG. 11 is performed in the determination process of S5430.

FIG. 16 is a flowchart for explaining the process of "processing the memory update data and generating the difference data" in the process of "processing the memory update data or update event data and generating the difference data" in S530 of FIG. It is.
The checkpoint information 24 shown in FIG. 12 is generated using the stack described in FIG. In order to set the memory difference data in the checkpoint information 24 of FIG. 12, a lookup table is used in the processing of FIG. FIG. 17 shows the configuration of the lookup table. Figure 1
The lookup table shown in FIG. 7 is managed by sub-addresses from 0 to 255, and can store 256 pieces of lookup information. Lookup information is
It has the address of the memory where the memory was updated and the pointer of the transmission buffer. FIG. 18 illustrates the relationship between a stack, a lookup table, and a transmission buffer that stores two or more checkpoint information. In FIG.
The stack 50 stores the updated address. If the addresses stored in the stack are duplicated in the look-up table, they are stored together as one, and if the addresses stored in the stack are not duplicated, the addresses are directly stored in the look-up table. I do. Then, in order to store the data and the address of the memory stored corresponding to the address in the transmission buffer, the pointer of the transmission buffer is stored in the lookup table corresponding to the address. For example, the stack in FIG. 18 has a stack counter (3).
And the same address (10) is stored in the stack counter (5). Since the duplicated addresses are collectively stored in the lookup table, the addresses (10) stored in the stack counter (3) and the stack counter (5) are stored in the entry (10) of the lookup table. Is done. Since the lookup table also stores the pointer of the transmission buffer corresponding to the address, the pointer of the transmission buffer corresponding to the address (10) stored in the entry (10) is stored as (5). The transmission buffer pointer stored in the look-up table indicates the storage position of the checkpoint information stored in the transmission buffer. As shown in FIG. 18, the checkpoint information has an address and data of a memory stored in the address, and the data is divided into four bytes and stored. Since the pointer of the transmission buffer indicates the starting position for storing the address, when obtaining the pointer of the next transmission buffer, 3 is added to the pointer of the immediately preceding transmission buffer to obtain a new transmission buffer pointer. The flowchart of FIG. 16 shows the operation procedure of the checkpoint mechanism 133 for generating the transmission buffer shown in FIG. Hereinafter, the procedure of the flowchart of FIG. 16 will be described. In FIG. 16, in S5300, the pointer (b) of the checkpoint information stored in the transmission buffer is set to 0. The pointer (b) is information for managing the storage position of the transmission buffer. Then, in step S5301, all entries in the lookup table are invalidated. All entries in the look-up table 51 are invalidated each time the processing in FIG. 16 is performed. Next, s is set to 0 in S5302. s is an index for designating a stack counter in which an address referred to by the stack 50 is stored. By repeating the processing from S5303 to S5309, checkpoint information is generated and stored in the transmission buffer. In S5303, s <SC is determined,
If s <SC, the process advances to step S5304. If s ≧ SC, the process in FIG. 16 ends. SC is a counter indicating the last position where the address of the stack 50 is stored. Since the initial value of s is 0, the stack counter 0
The processing is performed in order from the address at the position. S5304
Then, an address is fetched from the stack (s) (the fetched address is assumed to be a), and 8 bits of bit 10-3 of a are cut out to be X (X is a subaddress indicating an entry of the lookup table 51). bit 10- of a
The X is obtained by cutting out the 8 bits of 3. However, since it takes a long time to perform a full search to check whether or not the address has been transmitted in the past, a certain type of hash processing using a lookup table is performed. It indicates that. Bit 10-3 of the address is used as a hash key in this hash processing. S53
04 is used as the sub-address of the look-up table, and the X extracted at step 04 is used for the lookup table entry (X).
Is invalid (S5305). If invalid, the address a extracted in S5304 is stored in the lookup table entry (X) in S5306, and b is set as a pointer of the transmission buffer. In step S5307, check point information is stored in the transmission buffer. The position where the checkpoint information of the transmission buffer is stored is the pointer b of the lookup table. Therefore, the address a is set at the position of the pointer b in the transmission buffer, the data of 4 bytes is acquired and stored from the position of the address a on the memory at the position of the pointer b + 1 in the transmission buffer, and the pointer b + 2 of the transmission buffer is set. Four bytes from the address a + 4 on the memory are acquired and stored in the position, 3 is added to the point b, and a position for storing the checkpoint information in the transmission buffer is obtained in advance. After one checkpoint information is stored in the transmission buffer, the next address is taken out of the stack 50.
Is added (S5308), and the process returns to S5303.
In step S5305, if the lookup table entry (X) is not invalid, that is, if data is already stored in the lookup table entry (X), the address of the lookup table entry (X) is compared with the address a. If they are the same, there is no change in the data on the memory, and the process proceeds to S5308. If the addresses are different, the process advances to step S5306. In step S5306, the address a and the pointer b of the transmission buffer are stored in the lookup table, and in step S5307, the address and data are stored in the transmission buffer. NO in S5309
Means that the lookup table has overflowed. In that case, the FIFO (Firs
“Set a” to apply the algorithm of “t In First Out”. The above is the processing for recording the memory update data and the processing for storing the checkpoint information in the transmission buffer when the general instruction accompanied by the memory update is executed.

Next, the processing procedure for recording the memory update event in S54b of FIG. 9 will be described with reference to FIG. FIG. 20 is a flowchart of the process of “recording a memory update event” in the process of “recording memory update data or update event” in S54b of FIG. In the process of recording the memory update event in FIG. 20, the memory update event is recorded using the event table 52 shown in FIG. The event table 52 shown in FIG.
Remember one or more. The entry is for storing a memory update event. An entry has its storage location managed by row and column. The event table 52 has 256 sets from 0 to 255 in the column direction, and has eight ways from 0 to 7 in the row direction. The storage location of the entry is specified by the set and the way. The address is 32-bit information from 0 to 31, and bits 31 to 28 of the address are stored in the entry. Also, bits 27-20 of the address are cut out, and the cut out value is used as a set. In FIG. 20, in S5490, bits 27-20 of the address at which the memory has been updated are cut out to determine the event table set (s). By examining all the ways (way 0 to way 7 of the set (s)) in the event table with respect to the obtained set, a way (w) in which bits 31 to 28 of the address match is obtained. As described above, the row direction of the event table 52 in FIG. 21 is the way, and the target way is determined by w. There are 8 ways from 0 to 7. The set is in the column direction, and the target set is determined by s. There are 256 sets from 0 to 255. A position determined by the way and the set is an entry, and the entry stores 4-bit information. This 4-bit information is bits 31-28 of the address stored in the entry in S5496. Referring back to FIG. If there is a matching way in S5491, the process of FIG. 20 ends. If there is no matching way, S549
The processing after 2 is performed. In S5492, a search is made to determine whether there are any invalid entries (entries whose values are all 1) in ways 0 to 7 of the set (s) obtained in S5490.
Let e be the way of the found entry. If there is no empty way of the set (s) in S5493 (that is, if an entry having a value of all 1 is not found),
The process of creating the checkpoint information of FIG. 11 which is the process of 5494 is performed. That is, when information is stored in all entries of way 0 to way 7 of the set (s), checkpoint information creation processing is performed. Since the event table 52 is cleared when the checkpoint information creation processing is performed, the way 0 of the set (s) is set in S5495.
Arbitrary 0 to 7 among the ways 7 are defined as e. When e is determined, bits 31-28 of the address are set for the entry of way e in set (s) (S5496).
Although bits 27-20 of the address are cut out in S5490 in FIG. 20 to obtain the set (s) of the event table 52, this is a hash process. Bits 27-20 of the address are used as the hash key. It is assumed that the page unit of the memory of the fault-tolerant computer system is set to 4 KB, and management is performed for each page. Therefore, bits 19-0 of the address will be ignored. Since all pages require 1M hash entries, the set is limited to 256 using 8 bits. The entry contains the address 31-28.
Are stored. Since the hash key is a direct hash, when the event table 52 is searched, the address bits 27-20 are already included in the set (s). Therefore, information of only the upper bits 31 to 28 of the address not included in the set (s) is stored in the entry. Of course, bits 31-20 and 31-0 (the lower 20 bits are all 0) which are redundant information may be stored in the entry.

FIG. 22 shows processing of the memory update event data in the process of processing the memory update data or update event data to create difference data in S530 of the checkpoint information generation processing of FIG. 12 is a flowchart of a process for creating difference data using the event table 52. In FIG. 22, the pointer b of the transmission buffer is set to 0 in S5310. The transmission buffer is
One or more checkpoint information is stored and transmitted from active system 100 to inactive system 200. Checkpoint information is generated in the process of S5320 described below. In step S5311, s is set to 0. s is used as a variable for specifying the set of the event table shown in FIG. As described with reference to FIG. 21, the number of sets is from 0 to 255, that is, s changes from 0 to a maximum of 255. Check if has finished. If s is 256 or more, FIG.
Is completed. If s is smaller than 256, S531
Proceed to step 3. In S5313, 0 is set to w. w is used as a variable for designating a way in the event table shown in FIG. As described with reference to FIG. 21, the number of ways is from 0 to 7, that is, w changes from 0 to a maximum of 7. Therefore, in S5314, it is checked whether w <8 and 1 is set.
Confirm the end of scanning of all ways for one set. If w is 8 or more, 1 is added to s to perform the next set of scans (S5315). Then, S53
The process is repeated from step 12. If w is less than 8, S
The processing after 5315 is performed. In S5315, it is checked whether the value of the entry (s, w) in the event table is all 1s. All 1s indicate an unused state in which the initial value is still set. If unused,
Since it is not necessary to store in the transmission buffer, 1 is added to w in S5319 to scan the next way, and
It returns to the process of 14. Event table (s, w) is all 1
If not, the entry (s, w) of the event table is added to a having 32-bit information of bits 31-0 in S5316.
Is taken out and set from 31 bits to 28 bits of a, and the value of s of set (s) is set to 2 of a.
7 bits are set to 20 bits, and 0 bits are set to 0 bits from the remaining 19 bits. FIG. 23 shows the process of S5316. As shown in FIG.
Since 0 is set up to the bit, the effective value is the value set in the 31st to 20th bits of a. Next, 0 is set to c in S5317. The information stored in the entry as described above is the page address. Therefore, c is used as a counter for data transfer within one page. S532 to be described below
The processing of 0 is the address of the page indicated by a,
This is a process for storing data and checkpoint information in the transmission buffer. Since the transfer data in one page is 4096 bytes, c is set to 4 by S5318.
It is checked whether it is 096 bytes or more. S5
If c is equal to or more than 4096 bytes in 318, 1 is added to w in S5319 to perform processing of the next way, and S531
Return to 4. When c is smaller than 4096 bytes, a + c (“a + c” is an address) is stored in the pointer (b) of the transmission buffer, and the position of the pointer in the transmission buffer is shifted to a position of b + 1 from the address “a + c” of the memory. 4 bytes are set, and further, the pointer of the transmission buffer is shifted to a position of b + 2 at a memory address “a + c”.
Four bytes are set from "+4", 3 is added to b, and 8 is added to c (S5320). Thereafter, the process returns to S5318 to repeat the processing. FIG. 24 shows an example of storing address and checkpoint information as data in a transmission buffer. As shown in FIG. 24, the address is stored at the position of the pointer b in the transmission buffer, and the pointer b + 1 and the pointer b +
The data is stored in each of the four locations in 4 bytes. This processing is repeated 256 times by S5320. The above is the procedure of the memory update event recording process and the checkpoint information generation process using the memory update event when a control instruction involving a memory update occurs.

FIG. 25 is a detailed flowchart of the interrupt processing by the instruction simulator in S54d of FIG. In FIG. 25, in the interrupt processing, the type of the interrupt is determined and the processing is performed for each type (S540). In the first embodiment, there are three types of interrupts. An "alive timer interrupt" and an "I / O interrupt" are used to confirm that operation is possible from an active system to an inactive system.
A processing time is determined in advance for each job, a timer interrupt is executed for the job that has reached the processing time, and the value of the PSW is forcibly set in order to terminate the job and start another job. And “timer interrupt” for performing the process. The contents of the processing will be described for each type of interrupt. When the "alive timer interrupt" occurs, the inactive system confirms that the active system is operable (S541), and if the active system is operable, alive the inactive system via the LAN 300. A notification is made (S542), and a timer for interrupting the alive timer is set again. The processing of the alive timer interrupt is performed by the monitoring timer process generated in S13 of FIG. When the "I / O interrupt" occurs, the old PSW value is stored in the memory (S544), and the memory update data or the memory update event by the I / O operation is recorded (S5).
46, FIG. 26). Next, the value of the new PSW is retrieved from the memory and set. Also update the program counter (S
547). Originally, the PSW is a hardware register, but in the case of the present invention, since the hardware operation is simulated by software, the PSW is a memory variable in the “instruction simulator”. When the "timer interrupt" occurs, the old PSW value is stored in the memory (S548), and the memory update data or the memory update event is recorded (S548).
549, FIGS. 14, 20). Next, the value of the new PSW is retrieved from the memory and set. The program counter is also updated (S550).

FIG. 26 is a flowchart of the process of "recording memory update data or memory update event by I / O operation" in S546 of FIG. In FIG. 26,
In S5460, CCW (channel command)
word), and the obtained address is defined as P. Then, in S5461, the value of the CCW is extracted from the contents of the memory indicated by P. The CCW is made up of an order code instructed what to do and information indicating the data location. In the case of DISK, DISK
There is an order of writing from the memory and writing to the memory, and calling from the memory and writing to the DISK. For other information,
There are addresses on the disk (consisting of cylinders, selectors, offsets, etc.) and addresses on the memory. S5
At 462, it is checked whether or not the memory has been updated. The investigation here is directed to the order of writing to the memory, and in the case of DISK, it corresponds to the “DISK READ order”. If it is determined in step S5463 that a write operation has been performed, the process advances to step S5464; otherwise, the process in FIG. 26 ends. In S5464, a is set to the memory address extracted from the CCW, and c is set to the transfer byte length / 8 extracted from the CCW. Next, when c is larger than 0 in S5465, the process proceeds to S5466, and when c is 0 or less, FIG.
The processing of 6 is ended. In S5466, either the memory update data recording process of FIG. 14 or the memory update event recording process of FIG. 20 is performed.
, And subtract 1 from c. And S546
Return to 5. The processing of S5466 and S5467 is repeated c times.

FIG. 27 is a flow chart for explaining in detail the simulation execution processing of the I / O instruction in S54c of FIG. In FIG. 27, the CCW address and the device address are set in S5400, and the corresponding I / O is set in S5401.
O simulator (I / O simulator has LAN simulator 123 and disk simulator 122)
Start notification. In this activation, the disk simulator program itself is activated only once. “Notification of activation” does not mean activation of a program, but refers to activation of an “order” to an “applicable device by an I / O command”. The order is an operation instruction such as reading or writing data from a predetermined area of the disc. Taking a disk simulator as an example, it has a plurality of devices corresponding to a plurality of device numbers. In the example of FIG. 5, there is a picture of a cylindrical disk on the left side, which is a physical disk on the guest computer. This physical disk is mapped to three files (depicted by pictures on the folder of the disk 107 in FIG. 5) on the host computer.

The I / O notified in S5401 of FIG.
A disk simulator of the O simulator will be described with reference to FIG. FIG. 28 is a diagram showing S5401 of FIG.
5 is a flowchart of a process of the disk simulator notified of startup in the step S1. In FIG. 28, in S5402, the disk controller 105 is initialized and information for each device is initialized. In step S5403, a thread is generated for each device (a thread is generated for each device assuming that the disk simulator manages a plurality of disks. The thread is to activate each disk.) . The processing of S5404 to S5421 described below is processing for one disk, and when there are a plurality of disks, processing corresponding to the number of disks exists. First, it is checked in step S5404 whether the device has been activated. If started, S
Proceeding to the process of 5405, if not started, S54
Step 04 is repeated. In step S5405, the CCW is extracted from the memory 104, and the extracted CCW is decoded (S5406). If the decoding result indicates "WRITE", the process proceeds to S5407; if the decoding result indicates "READ", the process proceeds to S5407.
The process proceeds to 5413, and if neither is the case, the process proceeds to S5419. The processing in the case where the instruction is “WRITE” in S5407 will be described. In S5407, the master DISK 107a
Check the operable state of
The memory data is written to the specified position of the file corresponding to the S virtual DISK volume. If operable in step S5407, the process advances to step S5409. S5409
Then, the operable state of the mirror DISK 107b is confirmed. If operable, the memory data is written to the designated position of the mirror file corresponding to the virtual DISK volume of the guest OS in S5410. If it is not operable in S5409, the process proceeds to S5411. In S5411, CSW (channel status word)
Is set, and the DISK simulator issues an interrupt notification. When the interrupt notification is received by the instruction simulator, the processing from S5404 is repeated (S5404).
412). The confirmation is continued until it is confirmed that the interruption notification is received in S5412. Next, processing when the instruction is “READ” in S5413 will be described. S5
In 413, the operable state of the master DISK 107a is confirmed, and if operable, the virtual DISK of the guest OS is
The data from the designated position of the file corresponding to the volume is written to the memory 104 (S5414). S5
If it is not operable in 413, the process proceeds to S5419.
In step S5415, it is checked whether an error has occurred or a timeout has occurred. If not, S541
The process branches to processing 1. If it has occurred, a flag indicating that the master DISK 107a is inoperable is set in S5416, and it is confirmed in S5417 whether the mirror DISK is operable. If operable, the flow branches to S5419. If the operation is not possible, a device error is set in the CSW in step S5418, and the flow advances to step S5411.
The processing in the case where the instruction is neither the “WRITE” instruction nor the “READ” instruction is omitted. At S5419, the mirror file 10 corresponding to the virtual DISK volume of the guest OS is
The data from the designated position of 7b is written to the memory 104. In S5420, it is confirmed that no error or timeout has occurred. If there is no occurrence, S541
Proceed to 1. If there is, a mirror DIS is generated in S5421.
A flag indicating that the K disk 107b is inoperable is set. Then, the process proceeds to S5418.

FIG. 29A shows "Reset the memory update completion counter or flag" in S534 of FIG.
9 is a flowchart illustrating a process of invalidating a lookup table of FIG. In FIG. 29A, S534
At 0, all entries in the lookup table are invalidated (all 1s are set). Next, the stack pointer S
C is set to 0 (S5431). FIG. 29B is a flowchart illustrating the process of invalidating the event table of “Resetting the memory update completion counter or flag” in S534 of FIG. In FIG. 29B, in S5342, all entries in the event table are invalidated (all 1s are set). Next, the stack pointer SC is set to 0 (S5343).

According to FIGS. 9 to 29, the active instruction simulator 118 and the checkpoint mechanism 133,
The operation with the checkpoint reflection mechanism 233 has been described. When the operations described with reference to FIGS. 9 to 29 are performed, checkpoint information is transmitted from the active system to the inactive system. A preparation process for substituting the operation of the active system in the inactive system using the received checkpoint information will be described with reference to FIG. FIG. 30 is a flowchart of the process of writing the difference data of the memory to the memory in S1712 of FIG. In FIG. 30, in S17120, the head address of the memory update data in the reception buffer is set as an initial value in the pointer s. The image of the reception buffer is the same as the image of the transmission buffer in FIG. Therefore, as the address set as the initial value in the pointer s, a pointer indicating the storage position of the address at the top of the checkpoint information 24 in FIG. 12, that is, immediately below the start of the memory data is set. Next, the reception buffer (s) is set to a in S17121.
Set to. If a, that is, all 1s are set in the reception buffer (s), it indicates that the subsequent reception buffers are unused, and it is confirmed in S17122 that the initial value all 1 is set in a. Then, the end of the process is determined. If "1" is set in "a", the processing in FIG. If all 1s are not set to a, the data of the reception buffer (s + 1) is stored at the fourth byte position from the memory (a), and the data of the reception buffer (s + 2) is stored at the position of the memory (a + 4). To store. Then, 3 is added to s (S1712)
3). In this way, the checkpoint information transmitted from the active system is reflected in the memory of the inactive system by the procedure shown in FIG.

FIG. 31 shows that, when both the active system and the inactive system are operating normally, a failure occurs in one of the active system and the inactive system for some reason, and the failure occurs. It is a figure explaining the state when operation of a system has become impossible. In FIG.
The state illustrated at the top indicates that both the active system 100 and the inactive system 200 are operating normally. For example, in the active system 100, the disk operation is performed by (1), and the disk operation is performed together with the disk operation by (2) with respect to the mirror disk of the inactive system 200 via the LAN 300 (1).
A disk operation similar to the disk operation described above is performed. Then, from the active system 100 to the inactive system 200
, The information indicating the alive state is transmitted via the LAN 300 to the active system 100, and the checkpoint information is transmitted from the active system 100 to the inactive system 200 via the LAN 300. This is a state in which the active system 100 and the inactive system 200 are operating normally. In this state, the state moves to (A).
(A) shows a case where a failure has occurred in the active system 100 for some reason. Activity system 100
, The inactive system 200 replaces the operation of the active system 100 and becomes a new active system. In the new active system, (1) disk operation and LA
The LAN operation (2) performed with another system via the N300 is performed. Original active system 100 that has failed
Is completed, the state transits to the state (C). In the state (C), the new active system continues to operate as the active system as it is, and the original active system 100 in which the repair of the failure is completed.
Receives the transmission of checkpoint information and the information of the alive state from the new active system as an inactive system. Thus, after the system failure is completed, the original active system 100 operates as a new inactive system. In the state (B), the case where the inactive system 200 has failed for some reason is described. In this case, the active system 100 stops the process (3) of writing the mirror disk and the process (4) of transmitting the information indicating the alive state and transmitting the checkpoint information. However, the activity system 100
Is operating normally, the disk operation of (1) and the LAN operation of (2) are performed as usual. However, the operation of (2) is the inactive system 2 in which a failure has occurred.
Communication with a system other than 00.

As described above, when one of the active system 100 and the inactive system 200 becomes inoperable due to a failure from the state of normal operation, the other system becomes inoperable. The system is taken over by the system that is operating normally. If the failed system has been repaired, the inactive system 2
When 00 is operating as a new active system, the original active system 100 operates as a new inactive system.

Embodiment 2 In the example of the fault-tolerant computer system described in the first embodiment, an example has been described in which the present invention is configured by separate active and inactive systems. In the second embodiment, a case will be described in which one system has two systems, an active system and an inactive system. FIG. 32 is a diagram illustrating an example of a hardware configuration configuring a fault-tolerant computer system according to the second embodiment. In FIG. 32, the system 10
00 has two CPUs, CPU A is active, CP
UB is operated as an inactive system. Further, the system 2000 has two CPUs, and operates the CPU A as an inactive CPU B as an active CPU. In such a system, when a failure occurs in the system 1000, the state transitions to (A). If the system 1000 fails and becomes inoperable, the C
PU A operates as an active system to replace the operation of system 1000. System 2000 CPU
B operates as an active system as it is. When the repair of the failure of the system 1000 is completed, the state transits to (B), and the system 100 is again restored as shown in the upper diagram of FIG.
0 indicates that CPU A is active, CPU B is inactive, and system 2000 operates as CPU A is inactive and CPU B is active.

As described above, two systems in which one system has an active system and an inactive system are connected, and the CPU of the system which is operable when one of the systems fails. Can be changed from the inactive system to the active system, and when the repair of the failed system is completed, the original system state can be restored.

Embodiment 3 In the third embodiment, the configuration of a fault-tolerant computer system having the same hardware configuration as that of FIG.
Furthermore, a RAID disk device 300 that can be shared by the system 1000 and the system 2000
0 is newly provided. Shared RAID disk device 300
0, as in (A), the system 10
When the system failure occurs, the CPU A of the system 2000 becomes active, accesses the RAID disk device 3000 as a shared disk by taking over the operation of the system 1000, and realizes an operation that does not change during the operation of the system 1000. can do. System 100
0 is completed and the system becomes operable, the state transits to (B), and the system 10 remains in the same state as before the failure occurred.
00 and system 2000 can both operate with active and inactive systems, respectively.

In the first to third embodiments, the instruction simulator provided in the fault-tolerant computer system of the present invention stores a change history of the memory for an instruction that causes a change in the memory. Then, a process of generating checkpoint information before and after the I / O command and transmitting the checkpoint information to the inactive system is performed. The latest value of the transmission processing register and the change history of the memory are transferred to the inactive system via the LAN. The I / O simulator performs a write operation on both the disk and the mirror disk on the inactive system. In addition, the inactive system that has received the checkpoint reflects the received checkpoint information in the memory, and then notifies the active system that the reflection has been completed. The active system does not move to the next operation until the inactive system notifies that the reflection of the checkpoint information has been completed.
An example of such a fault-tolerant computer system has been described. As described above, the active system and the inactive system can completely copy each other's operations, and the state of the file and the like can be reproduced. The instruction simulator, the checkpoint mechanism and the checkpoint reflection mechanism execute their operations by software. For this reason, even when the cache memory is updated, the update history is grasped and transmitted as checkpoint information from the active system to the inactive system. It is possible to reflect. Further, as in the second and third embodiments, when one system has an active system and an inactive system and two such systems are connected, one system is used. When the system goes down and becomes inoperable, the inactive system of the operable system changes its state to the active system, that is, another set of instruction simulator and I / O simulator is started, and a failure occurs. As a result, the operation of the system that has become inoperable can be taken over.

[0039]

The first computer system and the second computer system are connected by a communication network, and when the first computer system becomes inoperable, the operation of the first computer system is changed to the second computer system. The instruction simulator of the first computer system records an update history of the memory as memory update information when executing an instruction that causes a memory update, and accepts an interrupt processing request because the instruction simulator takes over the instruction by the computer system. A checkpoint mechanism for generating checkpoint information and transmitting the generated checkpoint information and the program control information stored in the execution register to the second computer system via the communication network. And the second computer system is:
A checkpoint reflection mechanism is provided for reflecting the transmitted checkpoint information in the second memory of the second computer system and for reflecting the program control information in the standby register of the second computer system. And the second
Uses the information stored in the second memory reflected by the second instruction simulator by the checkpoint reflection mechanism and according to the program control information of the standby register, to execute the operation of the first computer system in the second instruction simulator. 2 was replaced by a computer system.
For this reason, the contents of the first memory of the first computer system can be reliably reflected in the second memory of the second computer system, and the operation of the first computer system can be reliably performed by the second computer system. There is an effect that can be taken over.

Further, the first computer system generates a monitoring timer interrupt for the second computer system at predetermined time intervals. Thus, the second computer system can confirm the inoperable state of the first computer system, and has an effect that the operation of the first computer system can be immediately taken over by the second computer system.

Further, the first instruction simulator generates checkpoint information by the checkpoint mechanism before and after executing the interrupt processing, and transmits the generated checkpoint information to the second computer system. To do. For this reason, even when the memory is updated by another job during the execution of the interrupt processing, the checkpoint information is generated and transmitted after the execution of the interrupt processing. There is an effect that the update history of the memory can be reliably reflected on the second memory.

The checkpoint information has at least an address of the first memory and predetermined information stored in correspondence with the address of the first memory. For this reason, the checkpoint reflection mechanism uses the second address of the same address as the first memory address of the checkpoint information.
Of the checkpoint information can be stored as information corresponding to the address of the second memory. This ensures that the contents of the first memory are
There is an effect that can be reflected in the memory.

The checkpoint mechanism uses a look-up table and a stack to store one or more pieces of checkpoint information in the transmission buffer. The look-up table is configured to store the latest contents of the memory when the same address of the first memory is updated a plurality of times. Therefore, the content of the first memory transmitted to the second computer system as the checkpoint information is the latest content of the first memory. When the checkpoint information is reflected so as to have the same contents, if the same address is reflected only once, the contents become the same as the contents of the first memory. Thus, there is an effect that the process of reflecting the checkpoint information can be performed quickly.

The checkpoint mechanism also uses an event table to store one or more pieces of checkpoint information in a transmission buffer. The event table has one or more entries, and even if the same address in the first memory is updated a plurality of times, the address is stored as one piece of memory update information. Checkpoint information is generated based on the event table.
The check point reflection mechanism of the second computer sends a predetermined address of the first memory to the address of the second memory at the same address as the address of the first memory of the check point information. The process of reflecting the information is performed once. Therefore, there is an effect that the process of reflecting the contents of the first memory to the second memory can be performed quickly.

Further, since the address of the first memory stored in the checkpoint information is a page address, the same page of the first memory is stored in the storage area of the second memory indicated by the page address. All the predetermined information stored in the storage area indicated by the address can be reflected in the second memory. For this reason, when the content of the first memory is reflected in the second memory by the checkpoint reflection mechanism, the reflection is performed in page units, so that paging processing can be prevented from occurring frequently, and the second memory can be efficiently performed. This has the effect that the memory can be updated.

The first memory includes at least a cache memory. For this reason, in the process of generating checkpoint information for realizing a fault-tolerant computer system by hardware, it was not possible to grasp the update of the cache memory. However, the fault-tolerant computer system of the present invention has an instruction simulator, a checkpoint generation mechanism, and a checkpoint reflection mechanism configured by software. Can be grasped, the second
There is an effect that the operation of the first computer system can be reliably taken over by the computer system.

Further, since the communication network is a LAN, there is an effect that a computer system connected to a conventional network system can be easily adapted to the fault-tolerant computer system of the present invention.

[Brief description of the drawings]

FIG. 1 is a hardware configuration diagram of a fault-tolerant computer system according to a first embodiment.

FIG. 2 is a diagram showing an example of a software configuration of the fault-tolerant computer system according to the first embodiment.

FIG. 3 is a diagram illustrating a storage configuration of each of an active system and an inactive system according to the first embodiment;

FIG. 4 is a configuration diagram showing an example of a checkpoint mechanism and a checkpoint reflection mechanism of the present invention.

FIG. 5 is a diagram showing a disk configuration and a file configuration of an active system and an inactive system according to the first embodiment.

FIG. 6 is a flowchart diagram of a program of an instruction simulator of the active system according to the first embodiment;

FIG. 7 is a flowchart showing a program of an inactive instruction simulator according to the first embodiment;

FIG. 8A is a flowchart of a checkpoint reflection process according to the first embodiment. (B) The flowchart figure of the monitoring timer of Embodiment 1.

FIG. 9 is an exemplary view for explaining the procedure of instruction simulation in the guest computer of the first embodiment;

FIG. 10 is a flowchart of an activity-based substitution process in FIG. 7;

FIG. 11 is a detailed flowchart of a process for creating checkpoint information according to the first embodiment;

FIG. 12 is a diagram illustrating an example of a configuration of a transmission buffer.

FIG. 13 is a detailed flowchart of the checkpoint reflection process of FIG.

FIG. 14 is a flowchart illustrating a process of “recording memory update data” in FIG. 9;

FIG. 15 is a diagram showing a stack according to the first embodiment.

FIG. 16 is a flowchart illustrating processing of “processing memory update data and creating difference data” in FIG. 11;

FIG. 17 illustrates an example of a look-up table according to the first embodiment.

FIG. 18 is a diagram illustrating a relationship among a stack, a lookup table, and a transmission buffer according to the first embodiment;

FIG. 19 is a diagram illustrating an example of a transmission buffer according to the first embodiment;

FIG. 20 is a flowchart of the process of “recording a memory update event” in FIG. 9;

FIG. 21 illustrates an example of an event table according to the first embodiment.

FIG. 22 is a flowchart of “processing for processing memory update event data and creating difference data” in FIG. 11;

FIG. 23 is a diagram illustrating an example of an entry of an event table according to the first embodiment;

FIG. 24 is a diagram illustrating an example of a transmission buffer according to the first embodiment;

FIG. 25 is a detailed flowchart of the interrupt processing of FIG. 9;

FIG. 26 is a flowchart of a process of “recording memory update data or memory update event by I / O operation” in FIG. 25;

FIG. 27 is a flowchart illustrating the “simulation of an I / O instruction” execution process in FIG. 9 in detail;

FIG. 28 is a flowchart of the process of the disk simulator of FIG. 27;

29A and 29B are flowcharts for explaining the process of “resetting the memory update completion counter or flag” in FIG. 11;

FIG. 30 is a flowchart of the “write difference data of a memory to a memory” process of FIG. 13;

FIG. 31 is a diagram for explaining a state transition of each system when a failure occurs in one of the active system and the inactive system according to the first embodiment;

FIG. 32 is a hardware configuration diagram of a fault-tolerant computer system according to the second embodiment.

FIG. 33 is a hardware configuration diagram of a fault-tolerant computer system according to the third embodiment.

FIG. 34 is a hardware configuration diagram of a conventional fault-tolerant computer system.

[Explanation of symbols]

1 transmission buffer, 10 checkpoint start command, 20 memory data start, 21 address, 22,
23 data, 24, 24a, 24b checkpoint information, 29 memory data end, 30 register data start, 31 register data, 39 register data end, 40 checkpoint end command, 50 stack, 51 lookup table, 100 active system, 101, 201, 102, 202 CPU, 1
03,203 MMU, 104,204 memory, 10
5,205 disk control, 106,206L
AN control, 107 master disk, 107
a, 107b Master disk file, 110
Active software, 111 PC server OS, 1
12 kernel, 113 storage management unit, 114 file management unit, 115 network management unit, 116 I /
O management unit, 118 instruction simulator, 119a, 11
9b APP, 120 guest OS, 121 I / O simulator, 122 disk simulator, 123
LAN simulator, 130 Active storage unit, 131
Kernel, 132 instruction simulator, 133 checkpoint mechanism, 133a stack, lookup table, 133b transmission buffer, 134 guest O
S, 135a, 135b APP, 136 disk simulator, 137 LAN simulator, 138 execution register area, 200 inactive system, 207
Mirror disk, 207a, 207b mirror disk file, 210 inactive software, 23
0 Inactive storage unit, 233 Checkpoint reflection mechanism, 233a Standby register area, 233b Receive buffer, 300 LAN, 1000 computer system, 2000 computer system, 3000 RAID
Disk device.

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5B005 JJ01 MM01 VV01 WW02 WW13 5B018 GA04 HA05 HA22 KA02 KA14 MA01 MA03 QA15 5B034 BB02 CC01 CC02 DD05 DD07 5B060 AA06 AA20

Claims (9)

[Claims] 1. A computer system comprising: a first computer system; and a second computer system capable of performing the same operation as the first computer system. The operation of the first computer system is performed by the second computer system. In the fault-tolerant computer system that takes over the operation of the first computer system by the second computer system when the inoperable state of the first computer system is detected as a result of the monitoring, The tolerant computer system uses the first
And a communication network for communicating checkpoint information for taking over the operation of the first computer system by the second computer system by connecting the computer system to the second computer system. A first memory for storing predetermined information, and an execution register for storing program control information for controlling an execution order when a processing program having a predetermined instruction is executed according to the predetermined instruction. According to the program control information stored in the execution register, an instruction to be executed is taken out and analyzed, and the analyzed instruction is executed according to the result of the analysis, and the program stored in the execution register is executed. A first instruction simulator for receiving an interrupt processing request for forcibly replacing control information; The result analyzed by the first instruction simulator is
When updating the first memory, an update history of the first memory is recorded as memory update information, and the first memory is updated.
When the request for interrupt processing is accepted by the instruction simulator, the checkpoint information is generated using the memory update information, and the generated checkpoint information and the program control information stored in the execution register are generated. And a checkpoint mechanism for transmitting to the second computer system via the communication network, the second computer system comprises: a second memory for storing predetermined information; and a processing program having predetermined instructions. Is executed in accordance with the predetermined instruction, a standby register storing program control information for controlling the order of execution, and the checkpoint information and program control information transmitted from the checkpoint mechanism of the first computer. When the received checkpoint information is reflected in the second memory, In addition, a checkpoint reflection mechanism that reflects the received program control information in the standby register, and the checkpoint reflection mechanism reflected by the checkpoint reflection mechanism according to the program control information of the standby register reflected by the checkpoint reflection mechanism. A second instruction simulator for replacing the operation of the first computer system by the second computer system using predetermined information stored in a second memory. Computer system. 2. An interrupt accepted by the first instruction simulator is an alive timer interrupt for reporting at least that the first computer system is operating normally to the second computer system. 2. The fault tolerant computer system according to claim 1, wherein said first computer system generates an alive timer interrupt at predetermined time intervals. 3. The first instruction simulator, when receiving the interrupt processing request, sends checkpoint information to the second computer system by the checkpoint mechanism, and then executes the interrupt processing. In accordance with the request, interrupt processing is executed, and then the checkpoint information is generated again by the checkpoint mechanism using the memory update information, and the checkpoint information is stored in the generated checkpoint information and the execution register. 3. The fault tolerant computer system according to claim 1, wherein program control information is transmitted to said second computer system via said communication network. 4. The first memory stores the predetermined information in association with an address indicating a storage location of the predetermined information, wherein the checkpoint information includes an address of the first memory; 2. The fault tolerant computer system according to claim 1, further comprising at least predetermined information stored in correspondence with the address of said first memory. 5. The checkpoint mechanism according to claim 1, wherein
When the memory is updated, a stack for storing one or more addresses of the first memory in the order in which the memory is updated, and one or more checkpoint information are stored as the memory update information. Then, the transmission buffer in which the storage position of the checkpoint information is managed by a pointer, the address of the first memory and the pointer of the transmission buffer storing the checkpoint information are stored in association with each other as lookup information. A lookup table for managing the lookup information by subaddresses obtained by a hash method based on the addresses stored in the stack, and fetching the addresses stored in the stack in the order of storage. , And convert the fetched address to a subaddress by hashing The presence / absence of the lookup information stored in the lookup table managed by the converted subaddress, and if the lookup information is managed, the address of the lookup information and the stack Comparing the retrieved address, based on the result of confirming the presence / absence and the result of comparing the address, generates the lookup information and stores it in the lookup table, and generates the lookup information. Obtaining predetermined information stored in the first memory using the information; generating the checkpoint information using the obtained information and the look-up information; 2. The method according to claim 1, wherein the information is stored in the transmission buffer based on lookup information. Fault-tolerant computer system as set forth. 6. The checkpoint mechanism stores at least one checkpoint information, a transmission buffer in which a storage position of the checkpoint information is managed by a pointer, and at least one memory for storing the memory update information. And an event table that manages the entry by one or more columns and one or more rows, and includes a hash using an index address that is a part of the address of the first memory. To the column information indicating the columns of the event table, and all the entries of the columns of the event table that match the converted column information and a part of the addresses of the first memory other than the index addresses. Is compared with the page address, and if no matching entry is stored, the entry that does not store the memory update information If the entry is found, the page address is stored in the found entry as the memory update information, and if an entry that does not store the memory update information cannot be found, the event For all entries in the table where the memory update information is stored, the memory update information stored in the order of the entries is extracted, and stored in the first memory using the memory update information. 5. The method according to claim 4, further comprising: obtaining predetermined information, generating the checkpoint information using the obtained predetermined information and the memory update information, and storing the generated checkpoint information in the transmission buffer. Or the fault tolerant computer system according to 5. 7. The check point mechanism uses the memory update information, which is the page address, to delete all the predetermined information stored in a storage area of the first memory indicated by the page address. 7. The fault tolerant computer system according to claim 6, wherein the information is acquired from the memory update information stored in one entry of the event table. 8. The fault tolerant computer system according to claim 1, wherein said first memory includes at least a cache memory. 9. The fault tolerant computer system according to claim 1, wherein said communication network is a LAN (Local Area Network).