JP2922981B2 - Task execution continuation method - Google Patents

Description

The present invention relates to a method for continuing execution of a process (task) interrupted by a failure. Particularly in a multiprocessor system in which a plurality of instruction processors share a main storage device, if the execution of the processing cannot be continued due to a failure in one instruction processor, the processing executed by the instruction processor is normally continued. The present invention relates to a method for continuing execution of a process for providing a method for enabling execution.

[Conventional technology]

As a recovery method when an intermittent failure occurs in the instruction processing device, there are known a method of retrying a process executed at the time of occurrence of the failure, a method of returning to a certain checkpoint such as an instruction unit, and re-executing the same. .

On the other hand, when a fixed failure has occurred in the instruction processing apparatus and recovery from the failure has failed, an interruption of failure recovery failure is generally generated for the instruction processing apparatus. For example, the occurrence of an unrecoverable failure is notified by a machine check interrupt or the like.

There are the following two cases of a machine check interrupt when an unrecoverable failure occurs.

(1) An unrecoverable failure has occurred, but the state of the checkpoint prior to the failure is guaranteed at the time of the interruption.

(2) An unrecoverable failure has occurred, and the state of the checkpoint before the failure has not been guaranteed at the time of occurrence of the interrupt.

The machine check interrupt in the state (1) is called PDB (processor damage backup), and the machine check in the state (2) is called PD (processor damage).
The difference between the two will be described with reference to FIG. In FIG. 2, 21 to 24 are instructions. Now, it is assumed that a failure occurs while the instruction processing device is executing the instruction C. The instruction processing device
Depending on the nature of the fault, a PD / B or PD machine check interrupt is generated. When the state of the instruction processing device before execution of the instruction C (the state of the checkpoint before the occurrence of the failure) is guaranteed, the instruction processing device generates a PD / B machine check interrupt. Therefore, if the instruction C is generally re-executed after receiving the interrupt, the program can be normally continuously executed. On the other hand, when the state of the checkpoint before the execution of the instruction C cannot be guaranteed, such as when the internal state of the instruction processing apparatus has been changed by the instruction C, the instruction processing apparatus generates a PD machine check interrupt. In this case, even if the instruction C is re-executed even after the occurrence of the interrupt, the normality of the processing cannot generally be guaranteed.

Furthermore, depending on the failure occurrence situation, the re-
In some cases, a failure recovery operation may not be possible at all. Also, if a further failure occurs during failure recovery processing such as checkpoint guarantee, the failure recovery operation is impossible,
In such a case, the instruction processing device stops abnormally. This operation is called a check stop (check stop), and when one instruction processing device performs a check stop in the multiprocessor system, an interrupt called a malfunction alarm is reported to the other active instruction processing devices.

The operation of the above-described instruction processing device for detecting and reporting a fault, checking and stopping, and malfunction alarm interruption will be described with reference to FIG. In FIG. 3, reference numerals 311a and 311b are instruction processing devices. In this configuration example, the case where the number of instruction processing devices is two is shown, but the same applies to the case where there are two or more instruction processing devices. Each instruction processing device includes an instruction execution unit 312a, b, a failure detection unit 313a, b, an interruption control unit 314a, b, and a check stop latch 315a, b.

The failure detection unit 313a of the instruction processing device 311a detects the failure,
If it is not the check stop factor, the fact is communicated to the instruction execution unit 312a via the signal line 319a. Upon receiving the notification, the instruction execution unit 312a attempts to retry the instruction and recover the checkpoint state. If the instruction retry succeeds, the process is continued, but if the instruction retry fails, the own instruction execution unit generates a machine check interrupt. As described above, a PD / B machine check interrupt is generated when the checkpoint state recovery is successful, and a PD machine check interrupt is generated when the checkpoint state recovery fails.

When the failure detection unit 313a detects a failure due to a check stop factor, the failure detection unit 313a instructs the instruction execution unit 312a to stop execution of the instruction via a signal line 319a, and the instruction execution unit 312a executes the instruction execution. To stop. In addition, the failure detector
313a is a check stop latch 315a via signal line 317a
Is set. When the check stop latch 315a is set, it is transmitted to the interrupt control unit 314b of another instruction processing device 311b via the signal line 318a, and the interrupt control unit 31
In 4b, an operation is performed with an interrupt mask that controls the availability of interrupts,
Create an interrupt signal. The interrupt signal is transmitted to the instruction execution unit 312b via the signal line 320b, and the instruction execution unit 312b generates a malfunction alarm interrupt. In this case, the internal state of the check-stopped instruction processing device 311a is generally undefined,
Even if the internal state can be read, no retry or re-execution from the checkpoint can be performed from the information.

By the way, when a failure occurs and re-execution by hardware fails, a report such as a machine check interrupt is received, and processing is continued or abnormal termination processing is performed by the OS running on the failed instruction processing device. There is a high possibility that the instruction processing device will cause a failure again. In such a case, the failure occurs in a core part such as a failure processing part of the OS, and there is a high possibility that the system will be down.

Conventionally, in order to prevent a system failure due to a fixed failure, in a multiprocessor system, a method in which the processing performed by the failed instruction processing device is taken over by another normal instruction processing device and executed is performed. Has been taken. Several techniques have been provided for this method (Japanese Patent Publication No. 47-36181 and Japanese Patent Publication No. 61-56537).
JP-A-57-85151, JP-A-57-137949, JP-A-1-133171, etc.). In these systems, the state immediately before the failure of the failed instruction processing device is stored in a main storage device or the like by the operation of the failed instruction processing device, the normal instruction processing device, or the recovery control device. Alternatively, the information is transferred directly to a normal instruction processing device, and the normal instruction processing device uses the information to re-execute the interrupted processing on the failed instruction processing device.

[Problems to be solved by the invention]

In the prior art, a device for recovery control or a device for recovery control (Japanese Patent Publication No. 47-36181) is used in order to take over the processing that was being performed by the faulty instruction processing device and execute it by another normal instruction processing device.
No., JP-B-61-56537, etc.) It is necessary to provide a circuit for retrying the instruction of the faulty instruction processor in the normal instruction processor (JP-A-57-137949, etc.), and a lot of additional hardware And the problem is that the mechanism becomes complicated, and the fault instruction processing device creates information for continuous execution of processing (Japanese Patent Publication No. 57-85151, etc.), so that the possibility of a fault occurring again increases. There was a problem. Also, even in the case of a multiprocessor, if only one processor in operation is faulty for some reason, a faulty instruction is executed by performing an operation for taking over the process with a normal instruction processing device. Since the re-execution and recovery processing in the processing device is abandoned, there is a problem that the probability of stopping the system is increased and the reliability is reduced.

SUMMARY OF THE INVENTION An object of the present invention is to overcome the above-mentioned problems, to reduce the addition of hardware, and to prevent the occurrence of a new failure due to the creation of information for continuing execution of processing by the failed instruction processing device. In addition, even if only one instruction processing unit is operating, the processing performed by the failed instruction processing unit is taken over by another normal instruction processing unit without increasing the probability of system stoppage. An object of the present invention is to provide a method for executing the above.

[Means for solving the problem]

In order to achieve the above object, according to the present invention, an indicator is provided to indicate whether or not the checkpoint state has been successfully recovered in the failure recovery processing during instruction execution, and the internal state of hardware such as the instruction processing device is stored in the main storage. A mechanism for communicating an operation state with another instruction processing device, a mechanism for communicating a malfunction alarm interrupt to another instruction processing device when the instruction processing device stops checking, and And an instruction to read the contents of the storage device.

[Action]

When a fixed fault occurs in a certain instruction processing device, the faulty instruction processing device guarantees a checkpoint and attempts to retry the instruction. If the instruction retry fails and the state of the checkpoint before instruction execution can be guaranteed, the checkpoint guarantee indicator is set, and the state of the checkpoint is stored in the main memory by the scan-out process. Examples of specific operations of the scan-in and scan-out methods are described in, for example, JP-A-59-161744, "Scanning method of information command processing device", and JP-A-61-123939, "Scanning method of information command processing device". Are listed.
Thereafter, the instruction processing unit stops checking and a malfunction alarm interrupt is communicated to another instruction processing unit. The instruction processing device that received the notification reads the scan-out information stored in the main memory by the processing of the OS and confirms that the checkpoint information is correctly stored by the checkpoint indicator. Edit the internal information of the device and create a control table required for continuous execution of processing. As a result, it is possible to continuously execute processing using another normal instruction processing device even when a fixed failure occurs, without requiring information operation by a large-scale additional circuit / device or a failure occurrence instruction processing device. Become.

〔Example〕

 Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

FIG. 1 is a block diagram of a multiprocessor system to which one embodiment of the present invention is applied. In the figure, 111a, b
Denotes an instruction processing device (hereinafter, referred to as IP), 121 denotes a system control device (hereinafter, referred to as SC), and 131 denotes a main storage device (hereinafter, referred to as MS). The instruction processing devices 111a and 111b have the same configuration, and include an instruction execution unit 112a, b, a failure detection unit 113a, b, an interrupt control unit 114a, b, a checkpoint guarantee latch 115a, b, and a check stop latch 116a, b, respectively. Have. The instruction execution units 112a and 112b include execution control units 117a and 117b and checkpoint assurance units 118a and 118b. Further, the system control device 121 includes a scan control unit 122. FIG. 1 shows a configuration having two instruction processing devices. However, the configurations of both instruction processing devices are the same, and the present embodiment can be applied without change to a configuration having two or more instruction processing devices. Here, the checkpoint assurance latch uses a conventional malfunction alarm interrupt for communication to continue processing, and when a normal IP receives a malfunction alarm interrupt, it detects a malfunction due to a check stop in the conventional sense. This is essential for distinguishing between an alarm interrupt and a malfunction alarm interrupt for continuing processing described in the present invention.

Next, an operation when a failure occurs in the IP 111a will be described with reference to FIG. The instruction execution unit 112a of the IP 111a accesses the MS 131 via the signal line 152a to execute the instruction processing. The fact that the instruction execution unit 112a is operating is reported to another instruction processing device via the signal line 147. Similarly, whether or not another instruction processing device is operating is notified to the execution control unit 117a via the signal line 148. This signal has been used for buffer storage, which is not explicitly described in the present embodiment, and for matching control of the address translation buffer. The failure detection unit 113a detects a failure in the own IP and reports the fact to the execution control unit 117a of the own IP via the signal line 143a. When a fixed IP failure occurs, the execution control unit 117a instructs the checkpoint assurance unit 118a via the signal line 146a to guarantee the checkpoint, and if the checkpoint guarantee succeeds, the checkpoint assurance via the signal line 141a. Set the latch 115a. Next, signal line 14
Instruct the scan control unit 122 in the SC 121 to scan out the internal state of the instruction processing device 111a via 9a. SC
The scan control unit 122 in the 121 receives the IP11 via the signal line 150a.
The internal information of 1a is read and written to MS1131 via signal line 151. Further, when the execution control unit 117a confirms that the other instruction processing device is operating from the operation state of the other instruction processing device notified by the signal line 148, the signal line 142
The check stop latches 116a and 116b are set via a and b, and the execution of the instruction in the own IP is stopped. By setting the check stop latches 116a, b, an interrupt signal is issued to the other normal IP interrupt control units 114b, a via the signal lines 145a, b. The interrupt control unit 114b, a instructs the normal IP execution control unit 117b, a to generate an interrupt through the signal line 144b, a.

The instruction execution units 112a and 112b of the IP include checkpoint assurance units 118a and 118b that return the state of the IP to a state at a certain point (checkpoint) before the occurrence of a failure, and an instruction execution control unit.
117a, b. FIG. 4 shows a configuration example of the checkpoint assurance unit. The execution control unit is a control circuit, and its operation is shown in FIG. FIG. 4 shows the checkpoint assurance means 118a for IP111a, but the same applies to IP111b.

In FIG. 4, execution control section 117a includes signal lines 146a-1, 146
Each element of the checkpoint assurance unit is controlled through 6a-2 and the like. Here, 146a-1,
Only two control signal lines 146a-2 are shown. In the figure, reference numeral 411 denotes a register in which data from the MS 131 is set via a signal line 152a-1, reference numeral 412 denotes a register for setting data before operation by an arithmetic unit (ALU) 413, reference numeral 413 denotes an arithmetic unit, 414 is a register for setting the operation result. 415 is a general-purpose register group that can be referenced by an instruction, 416
Is a selector for selecting an input to the general-purpose register group 415, 417
Is a group of registers for storing data before the operation. Reference numeral 418 denotes a control information group indicating whether the stored data 417 before the operation is data that can be retried or data whose checkpoint can be guaranteed, and is controlled in synchronization with the register group 417. Data of the register group 415 is set in the register 412 via the signal line 425. The contents of the registers 411 and 412 are written into the register group 415 again via the signal line 424 after the arithmetic unit (ALU) 413 performs the operation, or the signal lines 152a-2
Or written to MS131 via Register group 417
Saves the contents of the register 412 each time an instruction is executed, and writes the contents of the register group 415 before the execution of the operation (before executing the operation).
Are saved in order. The control information group 418 is information indicating whether data saved in the register group 417 every time an instruction is executed is data that can be retried or data whose checkpoint can be guaranteed.
It is sequentially saved in synchronization with the saving to the register group 417 via 6a-1.

Next, the operation of the instruction execution unit when a failure occurs in the IP 111a will be described with reference to FIGS.
This operation is the same when a failure occurs in the IP 111b.

When a failure occurs in the IP 111a, the execution control unit 117a
The report is received from the failure detection unit 113a via 143a. Then, first, the state of the save information immediately before the occurrence of the failure is read out via the signal line 146a-2, and it is determined whether the save information can be retried (step 501). If retry is not possible, control is performed to generate a machine check interrupt (PD) for retry failure. If retry is possible, signal line
Via the 423, the register group 415 performs a retry restore process for restoring the data for retry (step 502).
The failure occurrence processing is retried (step 503). In this embodiment, it is determined whether the failure is a fixed failure or an intermittent failure based on the success / failure of the retry (step 504). The method of determining whether a fault has occurred is a fixed fault. Alternatively, the same fault may be determined even if the instruction is retried a plurality of times. May be determined. If the failure is not a fixed failure, the processing retry succeeds and normal instruction execution processing can be continued.

If the retry fails or if it is determined that the failure is a fixed failure when a failure occurs, the following processing is performed.
First, the state of the save information before the occurrence of the failure is read out via the signal line 146a-2, and it is confirmed whether the internal state can be returned to a certain checkpoint before the occurrence of the failure (step 50).
Five). Checkpoints cannot be guaranteed when the contents of the MS 131 have already been rewritten or when the register group 415 cannot be recovered from the contents of the save register 417. At this time, a machine check interrupt of the PD display is generated. If the checkpoint can be guaranteed, the contents of the save register 417 shown in FIG. 4 are written to the register group 415 via the signal line 424 and the selector 416 until the checkpoint can be guaranteed (step 506). When the checkpoint guarantee ends, the checkpoint guarantee latch is set via the signal line 141a (step 50).
7). Next, a scan-out instruction is issued to the scan-out control unit 122 in the SC 121 via the signal line 149a (step
508). In response to the notification, the can-out control unit 122 executes the register group 41 shown in FIG.
The contents of 5 and the internal state of the instruction processing device including the state of the checkpoint guarantee latch are read out via the signal line 150a-1, etc., and stored in the MS 113 via the signal line 151. When the reading and storing are completed, the end of the scan-out is reported to the execution control unit 117a via the signal line 149a. The execution control unit 117a that has received the scan-out end confirms the operation states of the IPs other than itself through the signal line 148 (step 50).
9). If there is an operating IP other than yourself, the check stop latch is set by the signal line 142a (step 51).
0), Stop the instruction execution and check-stop. By setting this check stop latch, the interrupt control unit 11 of the IP 111b that is operating normally via the signal line 145a
4b is notified of a malfunction alarm interrupt request. If there is no operating IP other than yourself, a PD / B machine check is issued to itself.

FIG. 6 is an example of IP internal information stored on MS 113. The internal information 61 includes information 611 of a checkpoint assurance latch indicating whether the checkpoint assurance was successful.
And information 612 of registers that can be read from a program, which is an internal state of the IP, information 613 of timers, and the like. The area where this information is stored may be a fixed area set in advance for each instruction processing device, or may be specified in advance to the instruction processing device or the scan-out control unit 122 before a failure occurs. Alternatively, an area exclusively used for scan-out or the like may be set and stored therein. However, in that case, means for reading out the stored information by software is required.

Next, an example of the operation when the execution control unit 117b of the IP 111b receives the malfunction alarm interrupt will be described with reference to FIG.
Upon receiving the malfunction alarm interrupt, the OS reads the internal state of the IP stored in the MS 131 (step 701) and tests whether the checkpoint is guaranteed (step 70).
2). If a checkpoint is guaranteed and the internal IP information before the failure is stored, the task control is performed so that the stored internal information of IP111a is read out and the process that was being executed can be continued. The information is edited in the form of information (step 703) and registered in an appropriate ready task queue so that the task is continuously executed (step 70).
Four). Once registered in the queue, tasks are dispatched in order, like tasks that are ready in normal time slice control or tasks that are waiting for I / O for which I / O has been completed.
Be executed. If the checkpoint is not guaranteed, the internal information of the IP111a is not saved and processing cannot be continued. Abnormal processing is terminated (step 705).

Since the processing by the above software is performed by the IP111b, a state in which the processing can be continued is guaranteed, and even if the processing is continued or the processing cannot be continued and the abnormal termination processing is performed, no failure occurs again. .

In the present embodiment, a method is employed in which a hardware latch is provided as an indicator for guaranteeing a checkpoint, and the state is stored in the MS. Direct MS instead of hardware latch
Even if the IP that performs the continuation of the processing directly reads the state of the latch, the value of the checkpoint guarantee indicator can be tested from the IP that continues the processing.
In the present embodiment, the task control information is created in the instruction processing apparatus that continues the processing, but another control method capable of continuously executing the processing may be used.

〔The invention's effect〕

As is apparent from the above description, according to the present invention, in a multiprocessor system sharing a main storage device, when a fixed fault occurs in a certain instruction processing device, a checkpoint is guaranteed and an interrupt is issued to another normal processor. The operation for reporting to the instruction processing unit and continuing the interrupted processing with the normal instruction processing unit is an operation that can be performed easily and inexpensively by using the conventional mechanism by increasing the minimum amount of hardware.
Furthermore, there is an effect that even if only one instruction processing device is operating in the multiprocessor, it becomes possible without lowering the reliability.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a multiprocessor system to which an embodiment of the present invention is applied, FIG. 2 is an explanatory diagram of a checkpoint, and FIG. 3 is a block diagram showing a configuration of an instruction processing device in a conventional system. FIG. 4 is a configuration diagram showing a configuration example of a checkpoint assurance unit in an instruction execution unit.
FIG. 6 is a flow chart of a process at the time of failure processing in an instruction execution control unit, FIG. 6 is an explanatory diagram showing an example of IP internal information, and FIG. 7 is a flow chart of a process performed by a normal instruction processing device which has received an interrupt. . 13: Main storage device, 21 to 24: Instruction, 61: IP internal information example, 111a, b: Instruction processing device, 112a, b: Instruction execution unit,
113a, b ... fault detection unit, 114a, b ... interrupt control unit, 115
a, b ... checkpoint assurance latch, 116a, b ... check stop latch, 117a, b ... execution control unit, 118a, b ...
... Checkpoint assurance unit, 121 ... System control unit, 122 ... Scanout control unit, 411,412,414 ... Register, 413 ... Calculation unit, 415 ... General purpose register group, 41
7 ... save register group, 418 ... control information group.

──────────────────────────────────────────────────続 き Continuation of the front page (56) References JP-A-58-35645 (JP, A) JP-A-57-85151 (JP, A) JP-A-57-137949 (JP, A) JP-A-1- 133171 (JP, A) JP-B 61-56537 (JP, B2) JP-B 47-36181 (JP, B1) (58) Fields investigated (Int. Cl. ⁶ , DB name) G06F 11/14 G06F 11 / 20 G06F 15/16

Claims (1)

(57) [Claims] 1. A plurality of instruction processing devices, and a main storage device shared by the plurality of instruction processing devices, wherein each of the instruction processing devices detects its own failure and sets a state when a failure occurs. Means for returning the internal state of the instruction processing device to a state at a time before the occurrence of the failure, means for saving the internal state of the instruction processing device to the main storage device for each instruction processing device, Means for contacting at least one, and means for reading internal information of the faulty instruction processing device saved to the main storage device and creating task control information,
A task execution continuation method in a multiprocessor system that executes a task based on task control information registered in a ready task queue provided in the main storage device, wherein each of the instruction processing devices is configured to execute a fixed fault Guarantees the state before the occurrence of the failure, and if it can be guaranteed, saves the state to the area of the main storage device corresponding to the instruction processing apparatus, and then checks whether there is another operating instruction processing apparatus. If there is another operating instruction processing device, the instruction processing device is contacted, and the notified instruction processing device reads the internal information of the faulty instruction processing device saved in the storage device. Determining the validity of the internal information, editing the task control information of the interrupted task, and registering the task control information in the ready task queue. Wherein the instruction processing apparatus that does not cause a failure in a multiprocessor system, execution continues a task, characterized by continuously executing the interrupted task.