JP5635815B2 - Computer system and control method thereof - Google Patents

Description

  The present invention relates to a computer system configuration technology, and more particularly to a configuration technology that realizes high reliability by multiplexing installed processors and detecting and concealing a failure that occurs.

  As one of highly reliable computer system configuration techniques that can suppress a failure in a computer system or minimize its influence, there is a fault tolerant (Fault Tolerant, hereinafter abbreviated as FT) technique.

  There are various types of processor FT technology, but in order to obtain a high effect on computer system failure suppression, a technique called lock stepping is used to multiplex processors by operating them at the hardware level, Therefore, by comparing output signals between multiplexed processors, a failure occurring in the processor is detected and concealed.

  In recent years, however, the same operation at the hardware level has become impossible due to the improvement of the processor operating frequency and the introduction of asynchronously operating circuits inside the processor for the purpose of improving the performance of the processor. Processor FT by lockstepping is becoming difficult.

  On the other hand, with the development of virtualization technology in computer systems in recent years, as in the technology disclosed in Patent Document 1, a hypervisor causes a plurality of processors to perform the same program operation on the hypervisor at the software level. Multiplexing techniques are being used.

JP 2009-80695 A

  The above-described technique for performing the same operation at the software level has the problem that although the same operation can be multiplexed, the detection and concealment of processor faults are incomplete or the performance is significantly reduced.

  Detection and concealment of processor faults are basically realized by comparing the internal state and output of the processors between the multiplexed processors.

  To complete detection and concealment of processor faults, a considerable amount of comparison processing is required, such as comparing all I / O events output from the processor, but the comparison processing must be performed by a software hypervisor. Therefore, performance degradation is significant.

  Conversely, if all I / O events output from the processor are not compared, for example, if only the I / O command output that outputs access directly to the I / O without going through the memory is compared, the performance deteriorates. However, detection and concealment of processor failures are incomplete.

  An object of the present invention is to provide a computer system that realizes complete detection and concealment of a processor failure while suppressing performance degradation in processor multiplexing at the software level, and a control method therefor.

  In order to achieve the above object, in the present invention, a computer system in which a plurality of virtual machines execute the same application program, a physical computer having a processor, a memory, and an I / O device, and a computer of the physical machine A virtualization control unit configured to virtualize resources and execute the first virtual computer and the second virtual computer, the virtualization control unit executing an application program on the first virtual computer and the second virtual computer; Synchronous control unit that executes simultaneously, I / O event issued by the first virtual machine and the second virtual machine, and I / O event detection unit that identifies the type and issued by the first virtual machine An I / O event processing unit that compares an I / O event with an I / O event issued by a second virtual machine and generates an output to an I / O device The I / O event processing unit compares the I / O commands when the I / O events issued by the first virtual machine and the second virtual machine are I / O commands. When the comparison result of the I / O command comparison unit does not match, a computer system having a configuration including a suppression unit that suppresses output of the I / O command is provided.

  In order to achieve the above object, in the present invention, the I / O event processing unit described above is configured such that the I / O event issued by the first virtual machine and the second virtual machine is an I / O data output. In some cases, an I / O data comparison unit that compares the I / O data read from the memory area of the first virtual machine and the memory area of the second virtual machine is further provided. Provided is a computer system that suppresses reading of the I / O data from the memory area when the comparison result of the O data comparison unit does not match.

Furthermore, in order to achieve the above object, in the present invention, a plurality of virtual machines are computer systems that execute the same application program,
A physical computer including a processor, a memory, and an I / O device; a virtualization controller that virtualizes computer resources of the physical computer and executes the first virtual computer, the second virtual computer, and the third virtual computer; The virtualization control unit includes a synchronous control unit that simultaneously executes application programs on the first, second, and third virtual machines, and an I / O issued by the first, second, and third virtual machines. Compares the I / O event detector that detects the event and identifies the type with the I / O event issued by the first, second, and third virtual machines, and generates an output for the I / O device I / O event processing unit, and when the I / O event issued by the first, second and third virtual machines is an I / O command, the I / O event processing unit I / O command to compare O command A comparison unit and a suppression unit that outputs a matching I / O command if the two match, and if all do not match, a suppression unit that suppresses the output of the I / O command. A computer system having the above configuration is provided.

  Furthermore, in order to achieve the above object, in the present invention, the I / O event processing unit described above is configured so that I / O events issued by the first, second, and third virtual machines are output as I / O data. The I / O data comparison unit for comparing the I / O data read from the memory areas of the first, second, and third virtual machines, and the suppression unit includes the I / O data. If the two match as a result of the comparison by the comparison unit, a data read command corresponding to the matching I / O data output is output, and if all do not match, the I / O data is stored in the memory area. Provided is a computer system that suppresses reading from a computer.

  Furthermore, in order to achieve the above object, the present invention virtualizes a physical computer having a processor, a memory, and an I / O device, and virtualizing computer resources of the physical computer to execute a plurality of virtual computers. A control method of a computer system having a control unit, wherein the virtualization control unit simultaneously executes the same application program on a plurality of virtual machines, detects an I / O event issued by the plurality of virtual machines, When the type of / O event is specified and an I / O event issued by multiple virtual machines is an I / O command, the I / O command is compared, and the I / O event is an I / O data output In this case, the I / O data is read from the memory areas of a plurality of virtual machines and compared, and if the comparison result of the I / O command does not match, the I / O command A computer system control method that suppresses output to an I / O device and suppresses reading of I / O data from the memory area to the I / O device when the comparison result of the I / O data is inconsistent. provide.

  That is, in the present invention, all I / O events output from the processor including I / O data output that outputs an I / O event indirectly via a memory are compared. Adopt a policy of suppressing performance degradation by increasing efficiency. The efficiency of the comparison processing is performed by two points: (1) reduction of hypervisor transition overhead associated with I / O data output memory access, and (2) reduction of I / O data output memory and comparison overhead.

  (1) Hypervisor transition overhead reduction associated with I / O data output memory access means that the memory area used for I / O data output is read from the I / O after a specific I / O command output. Paying attention, every time the processor accesses the I / O data output memory area, it does not perform a hypervisor transition and compares it, but captures a specific I / O command output and performs a hypervisor transition and compares them together. This is achieved by reducing the number of transitions to the hypervisor.

  (2) I / O data output memory read and comparison overhead reduction can be achieved by reading I / O data output memory area from I / O as long as an address is given. A data comparison unit is added to the I / O switch, and after the hypervisor captures an I / O data output memory read, the hypervisor gives the address of the memory area to the I / O data comparison unit, and the comparison process is an I / O data comparison. It is realized by doing in the department.

  According to the present invention, even in a computer system equipped with a high-performance processor in recent years, a processor FT having a high failure suppression effect can be realized, and as a result, a high-performance and highly reliable computer system can be realized.

It is a figure which shows the whole structure of the virtual computer system of a 1st Example. It is a figure which shows the detailed structure of the hypervisor B of the virtual machine system of a 1st Example. It is a figure which shows the detailed structure of the I / O switch of the virtual machine system of a 1st Example. It is a figure explaining the flow of VM synchronization processing by a hypervisor in a virtual machine system. It is a figure which shows the flow of VM synchronization and I / O event output comparison processing by a hypervisor when a processor failure has not occurred in the first embodiment. It is a figure which shows the flow of a VM synchronization and I / O event output comparison process by a hypervisor when a processor failure occurs and an I / O command changes in the first embodiment. It is a figure which shows the flow of VM synchronization and I / O event output comparison processing by a hypervisor when a processor failure occurs and I / O data changes in the first embodiment. It is a figure which shows the processing flow of the physical address conversion part of the hypervisor B of a 1st Example. It is a figure which shows the whole structure of the virtual machine system of a 2nd Example. It is a detailed block diagram of the hypervisor C of the virtual machine system of a 2nd Example. It is a detailed block diagram of the I / O switch of the virtual machine system of the second embodiment.

  Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings. In this specification, functional blocks of various programs executed on each computer may be expressed as “parts”, but the display of “parts” is omitted in the drawings. For example, “I / O event processing unit” is expressed as “I / O Event Processing”, and “Unit” is omitted.

  FIG. 1 is a diagram showing the overall configuration of the first embodiment. In this figure, the left side shows the physical computer A constituting the system A, and the right side shows the physical computer B constituting the system B. However, since it is clear from the drawing, the system A and B notations are omitted in the following description. To do.

  Reference numerals 100 and 101 denote processors (Central Processing Units), 102 and 103 denote memories, 105 and 106 denote I / O devices X and Y, and 120 and 121 denote processors, memories, and I / O devices. It is a physical computer.

  Since the processor and the I / O device are connected via the I / O switch 104, the connection between the physical computer and the I / O device is shared, and the processor 100, the memory 102, and the I / O switch 104 The physical computer 120 includes a processor 101, a memory 103, and an I / O switch 104, and a physical computer 121 is configured. The I / O devices 105 and 106 including a DMA controller (Direct Memory Access Controller: DMA) are physical computers. 120 and 121 are connected.

  Here, 107, 108 and 109 are physical connections by Peripheral Component Interconnect (PCI) Express Bus, and the processors 100 and 101, the memories 102 and 103 and the I / O switch 104 are connected by the PCI Express Bus 107 and I The / O switch 104 and the I / O device 105 are connected by a PCI Express Bus 108, and the I / O switch 104 and the I / O device 106 are connected by a PCI Express Bus 109, respectively.

  132 and 133 are hypervisor programs that function as a virtualization control unit. A virtual machine (Virtual Machine, hereinafter abbreviated as VM), which is a software execution environment corresponding to a virtual computer, when the hypervisors 132 and 133 constituting the virtualization control unit operate on the physical computers 120 and 121, respectively. 122 and 123 are generated.

  The memory 102 is divided into a memory area 110 used by the VM 122 and a memory area 112 used by the hypervisor 132 by the action of the hypervisor 132. At this time, the correspondence between the virtual address space in the VM 122 and the physical address space in the physical computer 120 is managed by the address conversion unit 141 provided with a page table in the hypervisor 132.

  Similarly, the memory 103 is divided into a memory area 111 used by the VM 123 and a memory area 113 used by the hypervisor 133 by the action of the hypervisor 133, and the virtual address space in the VM 123 and the physical area in the physical computer 121. Address space correspondence is managed by the address conversion unit 143 in the hypervisor 133.

  Softwares 130 and 131 operate in the VMs 122 and 123, respectively. However, when information is transmitted from the synchronization processing unit 140 of the hypervisor 132 to the synchronization processing unit 142 of the hypervisor 133 through the event transmission channel 160, the software The operations 130 and 131 are the same at the software level.

  Here, the event transmission channel 160 logically indicates data transmission / reception between the physical computers 120 and 121, and is physically communication via the I / O switch 104.

  The software operation is the same at the software level, which means that the software program execution flow is the same, including the effects of asynchronous events such as interrupts. Asynchronous events such as interrupts cannot be uniquely determined only by the contents of the executed program. Therefore, in order to make the program execution flow the same, it is necessary to make the asynchronous events occur in the same way. The synchronization processing unit 140 of the hypervisor 132 and the synchronization processing unit 142 of the hypervisor 133 perform this processing. Details of the processing will be described later.

  When the software 130 is executed, an I / O event 170 is generated. The I / O event 170 is trapped by the hypervisor 132 and input to the synchronization processing unit 140 due to the mechanism of the processor 100. The synchronization processing unit 140 transmits information on the generated I / O event 170 to the synchronization processing unit 142 of the hypervisor 133 through the event transmission channel 160.

  The synchronization processing unit 142 uses the received information of the I / O event 170 for processing to make the operations of the software 130 and 131 the same at the software level, and also as the I / O event 172, the I / O event in the hypervisor 133. Output to the O event detection unit 144.

  The I / O event 171 generated by the execution of the software 131 is trapped by the hypervisor 133 and input to the I / O event detection unit 144 by the function of the processor 101.

  The I / O event detection unit 144 analyzes the type of the I / O event 172 on the VM 122 side, and in particular, an I / O command for an event that outputs an I / O command and an event that outputs I / O data, respectively. The output event 173 and the I / O data output event 174 are output to the I / O event processing unit 145. Further, the I / O event detection unit 144 analyzes the type of the I / O event 171 on the VM 123 side, and outputs an I / O command output event 175 and an I / O data output event 176, and an I / O event processing unit 145. Output to.

  The I / O event processing unit 145 compares the contents of the I / O command with respect to the I / O command output events 173 and 175, and if they match, the I / O event processing unit 145 exchanges the I / O command with the I / O switch 104. Transmission / reception is performed as an I / O command 190.

  The I / O switch 104 transmits / receives an I / O command 190 to the I / O device 105 or the I / O device 106 as I / O commands 181 and 182 according to the transmission / reception destination, respectively. The / O command output events 173 and 175 are output to the I / O device 105 or 106.

  In addition, the I / O event processing unit 145 compares the contents of the I / O data for the I / O data output events 174 and 176, and if they match, the I / O command 105 is used as the I / O command 190. Or a read command is transmitted to the DMA 106.

  The I / O data in the I / O data output event 174 is stored in the I / O data in the memory area 110 used by the VM 122 prior to the I / O data output event 174 by the I / O data write 177 of the software 130. It is written in the data buffer 114.

  Also, the I / O data in the I / O data output event 176 is stored in the memory area 111 used by the VM 123 prior to the I / O data output event 176 by the I / O data write 178 of the software 131. / O data buffer 115 is written.

  In particular, the I / O event processing unit 145 includes an I / O data output comparison unit 146, which specifies an address in the address space of the VM 122 of the I / O data buffer 114 from the information of the I / O data output event 174. Further, the address in the address space of the VM 122 is converted into an address in the address space of the physical computer 120.

  Similarly, the I / O data output comparison unit 146 identifies the address in the address space of the VM 123 of the I / O data buffer 115 from the information of the I / O data output event 176, and further in the address space of the VM 123. The address is converted into an address in the address space of the physical computer 121.

  Subsequently, the I / O data output comparison unit 146 uses the I / O data output event notification 191 and the address information in the address space of the physical computer 120 of the I / O data buffer 114 corresponding to the I / O data output event 174. The physical address information 192 and the physical address information 193 that is address information in the address space of the physical computer 121 of the I / O data buffer 115 corresponding to the I / O data output event 175 are sent to the I / O switch 104. The data is transmitted to the request reception unit 116 of the I / O switch 104 through the request transmission unit 147.

  When the request receiving unit 116 of the I / O switch 104 receives the I / O data output event notification 191, physical address information 192, and 193, the I / O switch 104 reads the contents of the I / O data buffers 114 and 115. As DMA data readings 186 and 187, respectively, they are directly read from the memories 102 and 103 and compared, and the comparison result 194 is sent to the I / O data output comparing unit 146 through the response transmission unit 117 to the I / O data output comparing unit 146. To the response receiver 148.

  Here, the I / O command 190, the I / O data output event notification 191, the physical address information 192, 193, and the comparison result 194 are the same buses as transmission / reception of the I / O command 180 on the PCI Express Bus 107. It is executed in sequence.

  The DMA data readings 186 and 187 are executed in the same bus sequence as the DMA data reading 185 on the PCI Express Bus 107.

  The I / O data output comparison unit 146 receives the comparison result between the I / O data buffers 114 and 115 through the response reception unit 148, and if the result indicates that they match, an I / O command 190 is obtained. , A DMA read command is transmitted to the I / O device 105 or 106.

  When the I / O device 105 or 106 receives the DMA read command, the I / O switch 104 performs reading as the DMA data read 188 or 189. The I / O switch 104 reads the DMA data readings 188 and 189 from the memories 102 and 103 as the DMA data readings 186 and 187 according to the reading destinations, and returns the reading results of the DMA data readings 188 and 189, respectively. As a result, the I / O data output events 174 and 176 are output to the I / O device 105 or 106 as a result.

  FIG. 2 is a diagram illustrating details of a configuration example of the hypervisor 133 that configures the virtualization control unit that operates on the physical computer 121 of the system according to the first embodiment illustrated in FIG. 1.

  The hypervisor 133 includes a synchronization processing unit 142, an address conversion unit 143, an I / O event detection unit 144, and an I / O event processing unit 145. The I / O event processing unit 145 includes an I / O data output comparison unit. As described above, the I / O data output comparison unit 146 includes the request transmission unit 147 and the response reception unit 148 for the I / O switch 104. , Physical address conversion unit 152, and the like.

  In addition, the I / O event processing unit 145 of the hypervisor 133 includes an I / O command output comparison unit 149, an I / O command output suppression unit 150, and a DMA suppression unit 153. The I / O command output suppression unit 150 and the DMA suppression unit 153 may be collectively referred to as a suppression unit.

  The I / O command output comparison unit 149 compares the contents of the I / O command of the I / O command output events 173 and 175 from the I / O event detection unit 144 and uses the result as the I / O command comparison result 201. , Output to the I / O command output suppression unit 150.

  The I / O command output suppression unit 150 transmits and receives the I / O command contents of the I / O command output events 173 and 175 from the I / O event detection unit 144 as an I / O command 190. When the comparison result 201 indicates a mismatch, I / O command transmission / reception of the corresponding I / O command output events 173 and 175 is suppressed.

  The virtual address specifying unit 151 of the I / O data output comparing unit 146 uses the information of the I / O data output events 174 and 176 from the I / O event detecting unit 144 to search the address space of the VM 122 of the I / O data buffer 114. And the virtual address in the address space of the VM 123 of the I / O data buffer 116 are specified, and the result is output to the physical address conversion unit 152 as I / O data output event virtual address information 211, 212.

  Based on the I / O data output event virtual address information 211, the physical address conversion unit 152 inputs a virtual page number 221 to the address conversion unit 143 for each page table size of the address conversion unit 143 having a general page table. Then, by inputting the corresponding physical page number 222 from the address conversion unit 143, it is converted into an address in the address space of the physical computer 120 of the I / O data buffer 114, and the result is converted to an I / O data output event. The physical address information 231 is output to the request transmission unit 147.

  Similarly, the physical address conversion unit 152 outputs the address in the address space of the physical computer 121 of the I / O data buffer 116 to the request transmission unit 147 as I / O data output event physical address information 232. .

  The request transmission unit 147 receives the input of I / O data output events 174 and 176 from the I / O event detection unit 144 and the input of I / O data output event physical address information 231 and 232 from the physical address conversion unit 152. , I / O data output event notification 191, physical address information 192 and 193 are transmitted to the request receiving unit 116 of the I / O switch 104.

  The response reception unit 148 receives the comparison result 194 from the response transmission unit 117 of the I / O switch 104, and outputs the result as the I / O data comparison result 241 to the DMA suppression unit 153.

  The DMA suppression unit 153 transmits a DMA read command to the I / O device 105 or 106 included in the I / O data output events 174 and 176 from the I / O event detection unit 144 as an I / O command 190. When the I / O data comparison result 241 indicates a mismatch, the DMA read command transmission of the corresponding I / O data output events 174 and 176 is suppressed.

  FIG. 3 is a diagram illustrating details of a configuration example of the I / O switch 104 in the system according to the first embodiment illustrated in FIG. 1.

  The I / O switch 104 is connected to the processors 100 and 101 by the PCI Express Bus 107, the I / O device 105 by the PCI Express Bus 108, and the I / O device 106 by the PCI Express Bus 109, and transmits and receives the I / O command 180. Is transmitted / received to / from the I / O device 105 as an I / O command 181, or transmitted / received to / from the I / O device 106 as an I / O command 182, and DMA read 188 from the I / O device 105, or The DMA read 189 from the O device 106 is read as the DMA read 185, which is due to the operation of the switch circuit 300 in the I / O switch 104.

  As described above, the I / O switch 104 includes the request receiving unit 116 and the response transmitting unit 117 for the I / O data output comparing unit 146. , An I / O data buffer comparator 302 that functions as an I / O data comparator is added. By adding the I / O data buffer comparison unit 302, the I / O switch 104 shares the data comparison function of the virtualization control units of the hypervisors 132 and 133, and reduces the comparison overhead.

  The request receiving unit 116 is connected to the PCI Express Bus 107 in the I / O switch 104 through the switch circuit 300, and the I / O data output event notification 191, the physical address information 192 and 193 are used as the I / O command 180. , I / O data output comparison unit 146 received from request transmission unit 147, received contents are I / O data output event notification 311, physical address information 312 of I / O data buffer 114, I / O data buffer 115 The physical address 313 is output to the DMA data reading unit 301.

  Upon receiving the I / O data output event notification 311 and the physical address information 312 and 313, the DMA data reading unit 301 receives the I / O data based on the physical address information 312 and 313 of the I / O data buffers 114 and 115. DMA data readings 186 and 187 to the buffers 114 and 115 are performed, and DMA reading results 326 and 327 are output to the I / O data buffer comparison unit 302, respectively.

  The I / O data buffer comparison unit 302 sequentially compares the DMA read results 326 and 327 input from the DMA data read unit 301 and outputs the comparison result 314 to the response transmission unit 117.

  The response transmission unit 117 receives the comparison result 314 from the I / O data buffer comparison unit 302 and is connected to the PCI Express Bus 107 through the switch circuit 300 in the I / O switch 104. The data is transmitted as a / O command 180 to the response reception unit 148 of the I / O data output comparison unit 146. The response receiving unit 148 receiving it outputs the I / O data comparison result 241 to the DMA inhibiting unit 153 as described above.

  FIG. 4 is a diagram for explaining a flow in the case where only the VM synchronization processing by the hypervisor is performed in the above-described system configuration of the present embodiment.

  The VM 122 is generated by operating the hypervisor 132 in the physical computer 120, the software 130 operates in the VM 122, the VM 123 is generated by operating the hypervisor 133 in the physical computer 121, and the software 131 operates in the VM 123. Said earlier.

  In addition, as described above, the I / O device 105 connected via the I / O switch 104 includes a DMA, and DMA data reading is activated by the I / O command 180.

  Then, the flow of processing in the entire virtual machine system according to the processing of the software 130 and 131 will be described.

  In this example, the software 130 is an asynchronous event, specifically, an interrupt, but 481 is input to the physical computer 120 and accepted in process 401, and then I / O command 1 is output in process 402. Asynchronous event 482 is input, it is accepted in process 403, then I / O data 1 is written to memory in process 404, I / O data 2 is written to memory in process 405, and DMA is processed in process 406. When the read start I / O command 2 is output and an asynchronous event 483 is input, processing 407 accepts it.

  The DMA of the I / O device 105 accepts the DMA read activation I / O command 2 output in the process 406 of the software 130, starts the DMA transfer in the process 471, and the software 130 processes in the process 472. In step 404, the I / O data 1 written in the memory is read. In step 473, the software 130 reads the I / O data 2 written in the memory in step 405. In step 474, the DMA transfer ends.

  As shown in FIG. 4, among the operations of the software 130, the processes 401, 403, and 407 that are acceptance of asynchronous events cause the transition to the hypervisor 132 instead of the transition in the software 130 due to the action of the hypervisor 132. Occur.

  When an asynchronous event 481 is input to the physical computer 120, it is received in the process 401 and transitions to the hypervisor 132. When the hypervisor 132 receives the information of the received asynchronous event 481 and the information in the process 451, Information on the execution position of the software 130 is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  When an asynchronous event 482 is input to the physical computer 120, it is received in the process 403 and transitioned to the hypervisor 132. When the hypervisor 132 receives the information of the received asynchronous event 482 in the process 453, Information on the execution position of the software 130 is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  In step 452, the hypervisor 133 receives the information on the asynchronous event 481 transmitted by the hypervisor 132 in step 451 and the information on the execution position of the software 130 when it is received.

  Similarly, the hypervisor 133 receives in step 454 information on the asynchronous event 482 transmitted by the hypervisor 132 in step 453 and information on the execution position of the software 130 when it is received.

  In step 455, the hypervisor 133 stops the execution of the software 131 at the position from the information on the execution position of the software 130 received when the asynchronous event 482 was received in step 454, and a transition to the hypervisor 133 occurs. Thus, the physical computer 121 is set.

  Next, in a process 456, a virtual asynchronous event 491 is set from the information of the asynchronous event 481 received in the process 452, and the asynchronous event 481 is input to the virtual machine 123, and it is received and received in the software 131. Transition to the software 131 as if a transition occurred.

  When the transition is made to the software 131, the software 131 performs the same operation as the operation of the software 130 after the asynchronous event 481 is input. Therefore, in the process 412, the software 131 is the same as the I / O command 1 output in the process 402. However, due to the action of the hypervisor 133, it is not actually output and a transition to the hypervisor 133 occurs.

  In the hypervisor 133, the I / O command 1 that the software 131 tried to output in the process 412 is discarded in the process 457. The reason for discarding is that the I / O command 1 has already been output in the process 402 by the software 130. After discarding, the software 131 again transitions to the software 131.

  After transitioning to the software 131 again, the software 131 performs the same operation as that of the software 130. Eventually, the hypervisor 133 reaches the stop position set in the physical computer 121 in the process 455, and the process to the hypervisor 133 is performed in the process 413. A transition occurs.

  The operation of the software 131 so far, specifically, the operation starting immediately after the process 456, suspended in the process 412, resumed after the process 457, and suspended until the process 413 is interrupted. , Starting from the process 451, executing the process 402, and the same as the operation until being interrupted by the process 403.

  When the asynchronous event 483 is input to the physical computer 120, it is similarly accepted in the process 407 and transitions to the hypervisor 132. The hypervisor 132 receives the information of the asynchronous event 483 accepted in the process 458 and the information. Information on the execution position of the software 130 at the time of acceptance is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  In step 459, the hypervisor 133 receives the information on the asynchronous event 483 transmitted by the hypervisor 132 in step 458 and the information on the execution position of the software 130 when the hypervisor 132 receives the information.

  In step 460, the hypervisor 133 stops the execution of the software 131 at the position from the information on the execution position of the software 130 received in the step 459 when the asynchronous event 483 is received, and a transition to the hypervisor 133 occurs. Thus, the physical computer 121 is set.

  Next, in a process 461, a virtual asynchronous event 492 is set from the information of the asynchronous event 482 received in the process 454, and the asynchronous event 482 is input to the virtual machine 123, and is received and received in the software 131. Transition to the software 131 as if a transition occurred.

  When the transition is made to the software 131, the software 131 performs the same operation as the operation of the software 130 after the asynchronous event 482 is input. Therefore, in the processes 414 and 415, the software 130 writes the I / O to the memory in the processes 404 and 405. The same I / O data as data 1 and 2 is written into the memory.

  After that, the software 131 tries to output the same I / O command as the DMA read start I / O command 2 output by the software 130 in the process 406 in the process 416. Is not output, and a transition to the hypervisor 133 occurs.

  In the hypervisor 133, the I / O command 2 that the software 131 tried to output in the process 416 is discarded in the process 462, and the software 131 transitions to the software 131 again.

  After the transition to the software 131 again, the software 131 performs the same operation as that of the software 130, and eventually the hypervisor 133 reaches the stop position set in the physical computer 121 in the process 460, and in the process 417, the software 131 A transition occurs.

  The operation of the software 131 up to this point, specifically, starts immediately after the process 461, executes the processes 414 and 415, is interrupted in the process 416, resumes after the process 462, and is interrupted in the process 417. The operation in the middle is the same as the operation of the software 130 that starts after the processing 453, executes the processing 404, 405, 406, and is interrupted in the processing 407.

  As described above, the hypervisor 132 transmits information on the asynchronous event input to the physical computer 120 and information on the transition of the software 130 caused by the event to the hypervisor 133, and the hypervisor 133 transmits the information. Originally, the software 131 can also perform the VM synchronization processing by reproducing the asynchronous event.

  FIG. 5 is a diagram illustrating the flow of VM synchronization and I / O event output comparison processing by the hypervisor, particularly when no processor failure has occurred in the present embodiment.

  In this example, when the asynchronous event 581 is input to the physical computer 120 and received in the process 501, the software 130 outputs the I / O command 1 in the process 502 and the asynchronous event 582 is input. In step 503, it is accepted, and in step 504, I / O data 1 is written to the memory. In step 505, I / O data 2 is written to the memory. In step 506, an I / O command 2 for starting DMA read is output. The operation to be performed.

  Among the operations of the software 130, the processing 501, 503, which is the reception of asynchronous events, and the processing 502, 506, which is the output of the I / O command, are not a transition in the software 130 but a hypervisor by the action of the hypervisor 132. A transition to 132 occurs.

  When an asynchronous event 581 is input to the physical computer 120, it is received in the process 501 and transitioned to the hypervisor 132. When the hypervisor 132 receives the information of the received asynchronous event 581 in the process 551, Information on the execution position of the software 130 is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  If the I / O command 1 output is to be executed in the process 502 of the software 130, the process transits to the hypervisor 132, and the hypervisor 132 performs the process 553, the contents of the I / O command 1 that the software 130 tried to execute, Information on the execution position of the software 130 at that time is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  In step 552, the hypervisor 133 receives information on the asynchronous event 581 transmitted by the hypervisor 132 in step 551 and information on the execution position of the software 130 when the hypervisor 132 receives the information.

  In step 554, the hypervisor 133 sends the contents of the I / O command 1 that the hypervisor 132 transmitted in step 553 and is about to be executed in step 502 of the software 130, and information on the execution position of the software 130 at that time. Receive.

  In step 555, the hypervisor 133 sets a virtual asynchronous event 591 from the information of the asynchronous event 581 received in step 552, as if the asynchronous event 591 is input to the virtual machine 123, receives it, and the software 131. Transitions to the software 131 as if the transitions in FIG.

  When the transition is made to the software 131, the software 131 performs the same operation as the operation of the software 130 after the asynchronous event 581 is input. Therefore, in the process 512, the I / O command 1 that the software 130 tried to output in the process 502 is performed. The same I / O command 1 is to be output, but due to the action of the hypervisor 133, it is not actually output and a transition to the hypervisor 133 occurs.

  The hypervisor 133 compares the contents of the I / O command 1 that the software 130 tried to output in the process 502 with the contents of the I / O command 1 that the software 131 tried to output in the process 512 in the process 556, and they match. If so, in process 557, I / O command 1 is output.

  Here, in the case of only the VM synchronization process described with reference to FIG. 4, the I / O command 1 is immediately output in the process 402 of the virtual machine 122, but in the process of the present embodiment shown in FIG. Note that the processing is performed by the hypervisors 132 and 133 in response to the process 502 in the virtual machine 122 and the process 512 in the virtual machine 123, and the I / O command 1 is output in the process 557.

  Further, the operation of the software 131 so far, specifically, the operation until immediately after the process 555 and until it is interrupted in the process 512 is started immediately after the process 551 of the software 130, and the process 502. The operation is the same as that until the interruption.

  When an asynchronous event 582 is input to the physical computer 120, it is similarly received in the process 503 and transitioned to the hypervisor 132. The hypervisor 132 receives the information of the asynchronous event 582 received in the process 558 and the information. Information on the execution position of the software 130 at the time of acceptance is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  In step 559, the hypervisor 133 receives information on the asynchronous event 582 transmitted by the hypervisor 132 in step 558 and information on the execution position of the software 130 when the hypervisor 132 has received the information.

  In step 560, the hypervisor 133 stops the execution of the software 131 at the position from the information on the execution position of the software 130 received in the process 559 when the asynchronous event 582 is received, and a transition to the hypervisor 133 occurs. Then, the physical computer 121 is set so as to shift to the software 131.

  When transitioning to the software 131, the software 131 performs the same operation as that of the software 130 after attempting to output the I / O command 1, and eventually the hypervisor 133 sets the stop position set in the physical computer 121 in the process 560. In process 513, a transition to the hypervisor 133 occurs.

  The operation of the software 131 up to this point, specifically, the operation that starts immediately after the process 560 and is interrupted in the process 513 is started after the process 553 of the software 130. It is the same as the operation until it is interrupted.

  On the other hand, the software 130 continues processing after processing 558 of the hypervisor 132, writes I / O data 1 to the memory in processing 504, writes I / O data 2 to the memory in processing 505, and in processing 506, When the output of the DMA read start I / O command 2 is to be executed, a transition is made to the hypervisor 132, and the hypervisor 132 is the process 561, and the contents of the I / O command 2 that the software 130 attempted to execute, and at that time Information on the execution position of the software 130 is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  The hypervisor 133 processes the contents of the DMA read activation I / O command 2 to be executed in the process 506 of the software 130 transmitted by the hypervisor 132 in the process 561 and the execution position information of the software 130 at that time. Receive at 562.

  In step 563, the hypervisor 133 sets a virtual asynchronous event 592 from the information of the asynchronous event 582 received in step 559, as if the asynchronous event 592 is input to the virtual machine 123, receives it, and the software 131. Transitions to the software 131 as if the transitions in FIG.

  When the transition is made to the software 131, the software 131 performs the same operation as the operation of the software 130 after the asynchronous event 582 is input. Therefore, in the processing 514 and 515, the software 130 writes the I / The same I / O data as the O data 1 and 2 is written into the memory.

  Thereafter, the software 131 tries to output the same I / O command 2 as the DMA read activation I / O command 2 that the software 130 tried to output in the process 506 in the process 516, but the function of the hypervisor 133. As a result, a transition to the hypervisor 133 occurs without actually being output.

  In the hypervisor 133, the contents of the DMA read start I / O command 2 that the software 130 tried to output in the process 506 in the process 564 and the DMA read start I / O command 2 that the software 131 tried to output in the process 516. Compare the contents of.

  Next, in processing 565, the I / O data output event notification 191 and the I / O data buffer are sent to the request receiving unit 116 of the I / O switch 104 through the request transmitting unit 147 of the I / O data comparing unit 146. The physical address information 192 of 114 and the physical address information 193 of the I / O data buffer 115 are transmitted.

  The DMA reading unit 301 and the I / O data buffer comparison unit 302 of the I / O switch 104 start I / O data comparison in operation 571 triggered by the processing 565 of the hypervisor 133, and in operation 572, the software 130 The I / O data 1 and 2 written to the I / O data buffer 114 in processes 504 and 505 and the I / O 1 and 2 written in the I / O data buffer 115 by the software 131 in processes 514 and 515 are read and compared. , The I / O data comparison of operation 573 is completed.

  In step 566, the hypervisor 133 receives the comparison result 194 from the response transmission unit 117 of the I / O switch 104 through the response reception unit 148 of the I / O data comparison unit 146. , DMA read start I / O command 2 is output.

  Here, the DMA read activation I / O command 2 that was immediately output in the process 406 of the virtual machine 122 only by the VM synchronization process described in FIG. 4 is the process of the present embodiment shown in FIG. Then, with the processing 506 in the virtual computer 122 and the processing 516 in the virtual computer 123 as a trigger, the hypervisors 132 and 133 and the DMA read unit 301 of the I / O switch 104 and the I / O data buffer comparison unit 302 compare them. Note that the I / O command 2 is output in the process 567.

  The operation of the software 131 so far, specifically, the operation starting from immediately after the process 563, executing the processes 514 and 515 and being interrupted by the process 516, is performed by the process 130 of the software 130. This operation is the same as the operation from the start of the process until the process 504, 505 is executed and the process is interrupted in the process 506.

  FIG. 6 shows the processing in the case where a processor failure occurs and the processor failure does not occur as shown in FIG. 5 in the flow of VM synchronization and I / O event output comparison processing by the hypervisor in this embodiment. It is a figure which shows the flow when the I / O command 1 which is going to be output in 502 changes.

  In this example, the software 130 inputs the asynchronous event 681 to the physical computer 120 and accepts it in the process 601, and then outputs the I / O command 1 in the process 602. However, the processor failure 621 occurs and the process 130 The I / O command 1 output at 602 changes to an incorrect command.

  Among the operations of the software 130, the processing 601 that is acceptance of an asynchronous event and the processing 602 that is the output of an I / O command cause a transition to the hypervisor 132 as described above.

  When the asynchronous event 681 is input to the physical computer 120, it is received in the process 601 and transitions to the hypervisor 132. When the hypervisor 132 receives the information of the received asynchronous event 681 in the process 651, Information on the execution position of the software 130 is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  When the I / O command 1 output is to be executed in the process 602 of the software 130, the process transits to the hypervisor 132, and the hypervisor 132, in the process 653, the contents of the I / O command 1 that the software 130 attempted to execute, Information on the execution position of the software 130 at that time is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  Here, it should be noted that the content of the I / O command 1 transmitted in the process 653 is different from the content of the I / O command 1 that should be output due to the influence of the processor failure 621.

  In step 652, the hypervisor 133 receives information on the asynchronous event 681 transmitted by the hypervisor 132 in step 651 and information on the execution position of the software 130 when the hypervisor 132 receives the information.

  Further, the hypervisor 133 transmits the contents of the I / O command 1 which is different from the original contents and is executed by the process 1302 of the software 130 transmitted by the hypervisor 132 in the process 653 and the execution position of the software 130 at that time. Is received in processing 654.

  In step 655, the hypervisor 133 sets a virtual asynchronous event 691 from the information of the asynchronous event 681 received in step 652, as if the asynchronous event 691 is input to the virtual machine 123, receives it, and the software 131. Transitions to the software 131 as if the transitions in FIG.

  When the transition to the software 131 is performed, the software 131 performs the same operation as the operation of the software 130 after the asynchronous event 681 is input. Therefore, when the processor failure 621 does not occur in the processing 612, the software 130 performs processing. In step 602, the same I / O command as the I / O command 1 to be output is to be output. Due to the action of the hypervisor 133, the output is not actually output, but a transition to the hypervisor 133 occurs.

  Here, it should be noted that the content of the I / O command 1 that the software 131 intends to output in the process 612 is the content of the I / O command 1 that should be output.

  In the hypervisor 133, in the process 656, the I / O command 1 that is different from the original content that the software 130 tried to output in the process 602 and the original I / O command 1 that the software 131 tried to output in the process 612 Compare the contents and find inconsistencies.

  Thereafter, the hypervisor 133 transmits a VM stop notification to the hypervisor 132 through the event transmission channel 160 in the process 657, suppresses the output of the I / O command 1 in the process 659, and thereafter enters the recovery process of the virtual machine 123. . In step 658, the hypervisor 132 receives a VM stop notification from the hypervisor 133 through the event transmission channel 160, and thereafter enters the recovery process of the virtual machine 122. Examples of the recovery process include a process such as self-diagnosis.

  FIG. 7 shows a case where a processor failure occurs and the processor failure shown in FIG. 5 does not occur in the flow of VM synchronization and I / O event output comparison processing by the hypervisor in this embodiment. It is a figure which shows the flow when the I / O data 2 which is going to be output in the process 505 changes.

  In this example, the software 130 inputs the asynchronous event 782 to the physical computer 120 and accepts it in the process 703, then writes the I / O data 1 to the memory in the process 704, and then writes the I / O data 2 in the process 705. Is written in the memory, but the processor failure 721 has occurred, and the I / O data 2 written in the process 705 has changed to an incorrect data, and then the I / O command 2 for starting DMA read is output in the process 706 The operation to be performed.

  Among the operations of the software 130, the process 703 that is an asynchronous event acceptance and the process 706 that is the output of the I / O command cause a transition to the hypervisor 132 as described above.

  When an asynchronous event 782 is input to the physical computer 120, it is received in process 703 and transitioned to the hypervisor 132. When the hypervisor 132 receives the information of the received asynchronous event 782 in process 758, Information on the execution position of the software 130 is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  In step 759, the hypervisor 133 receives information on the asynchronous event 782 transmitted by the hypervisor 132 in step 758 and information on the execution position of the software 130 when the hypervisor 132 has received the information.

  In step 760, the hypervisor 133 stops the execution of the software 131 at the position from the information on the execution position of the software 130 received in the process 759 when the asynchronous event 782 is received, and a transition to the hypervisor 133 occurs. Then, the physical computer 121 is set so as to shift to the software 131.

  When transitioning to the software 131, the software 131 performs the same operation as the processing up to the processing 703 of the software 130, and eventually the hypervisor 133 reaches the stop position set in the physical computer 121 in the processing 760, and in the processing 713, A transition to the hypervisor 133 occurs.

  On the other hand, the software 130 continues processing after processing 758 of the hypervisor 132, writes I / O data 1 to the memory in processing 704, writes I / O data 2 to the memory in processing 705, and in processing 706, When the output of the DMA read start I / O command 2 is to be executed, the state transits to the hypervisor 132, and the hypervisor 132 is the process 761, and the contents of the I / O command 2 that the software 130 is going to execute and at that time Information on the execution position of the software 130 is transmitted to the hypervisor 133 through the event transmission channel 160, and the software 130 is transitioned to.

  Here, it should be noted that the content of the I / O data 2 written to the memory by the processing 705 is different from the content of the I / O data 2 that should be originally written due to the influence of the processor failure 721.

  The hypervisor 133 processes the contents of the DMA read activation I / O command 2 transmitted by the hypervisor 132 in process 761 to be executed in the process 706 of the software 130 and the execution position information of the software 130 at that time. Receive at 762.

  In step 763, the hypervisor 133 sets a virtual asynchronous event 792 from the information of the asynchronous event 782 received in step 759, as if the asynchronous event 792 is input to the virtual machine 123, receives it, and the software 131. Transitions to the software 131 as if the transitions in FIG.

  When the transition is made to the software 131, the software 131 performs the same operation as the operation of the software 130 after the asynchronous event 782 is input. Therefore, if the processor failure 721 does not occur in the processing 714 and 715, the software 130 In the processes 704 and 705, the same I / O data as the I / O data 1 and 2 written to the memory is written to the memory.

  Here, it should be noted that the content of the I / O data 2 that the software 131 writes to the memory in the process 715 is the content of the I / O data 2 that should be originally written.

  After that, the software 131 tries to output the same I / O command as the DMA read start I / O command 2 that the software 130 tried to output in the process 706 in the process 716, but the hypervisor 133 works. , But not actually output, a transition to the hypervisor 133 occurs.

  In the hypervisor 133, the contents of the DMA read start I / O command 2 that the software 130 tried to output in the process 706 in the process 764 and the DMA read start I / O command 2 that the software 131 tried to output in the process 716. Compare the contents of.

  Next, in processing 765, the I / O data output event notification 191 and the I / O data buffer are sent to the request receiving unit 116 of the I / O switch 104 through the request transmitting unit 147 of the I / O data comparing unit 146. The physical address information 192 of 114 and the physical address information 193 of the I / O data buffer 115 are transmitted.

  The DMA read unit 301 and the I / O data buffer comparison unit 302 of the I / O switch 104 start I / O data comparison in operation 771 triggered by the processing 765 of the hypervisor 133. In operation 772, the software 130 The I / O data 1 and 2 written to the I / O data buffer 114 in processes 704 and 705 and the I / O 1 and 2 written in the I / O data buffer 115 by the software 131 in processes 714 and 715 are read and compared. , A mismatch is found, the I / O data comparison ends in operation 773, and the result is transmitted.

  In step 766, the hypervisor 133 receives the comparison result 194 from the response transmission unit 117 of the I / O switch 104 through the response reception unit 148 of the I / O data comparison unit 146. A VM stop notification is transmitted to the hypervisor 132 through the event transmission channel 160, and thereafter, the above-described recovery processing of the virtual machine 123 is entered.

In step 768, the hypervisor 132 receives the VM stop notification from the hypervisor 133 through the event transmission channel 160, and thereafter enters the above-described recovery processing of the virtual machine 122.
FIG. 8 is a processing flow of the physical address translation unit 152 in the hypervisor 133 which is a virtualization control unit in this embodiment.

  As described above, the physical address conversion unit 152 receives the I / O data output event virtual address information 211 and 212 as inputs and outputs the I / O data output event physical address information 231 and 232.

  Here, a series of processes starting at step 801 and ending at step 820 is a single process execution, and one I / O data output event is output for one input of I / O data output event virtual address information. Note that the event physical address information is output, and two processes are executed for the input of two I / O data output event virtual address information 211 and 212.

  Specifically, the input I / O data output event virtual address information is expressed by a plurality of pairs of start address and size in the virtual address. Here, the number of pairs is Vblkmax, and i is 0. The i-th start address and the size are expressed as Vblkstart [i] and Vblksize [i], respectively, as values between 1 and Vblkmax−1.

  The output I / O data output event physical address information is represented by a plurality of pairs of start addresses and sizes of physical addresses. Here, the number of pairs is Pblkmax, and i is from 0 to Pblkmax−. As the values between 1, the i-th start address and the size are expressed as Pblkstart [i] and Pblksize [i], respectively.

  Steps 801 and 802 are initial settings, and Vblk and Pblk are variables indicating the current I / O data output event virtual address information pair and physical address information pair, respectively, and tmpPblkst And tmpPblksz are temporary variables of the physical address information pair currently being processed.

  In step 803, Vblkstart [Vblk] and Vblksize [Vblk] are stored in the temporary variables tmpVblkst and tmpVblksz, respectively, as initial settings that are made each time processing proceeds to a new I / O data output event virtual address information pair. ing.

  From step 804, the processing is repeated until the processing of the range of one I / O data output event virtual address information pair is completed. In step 804, the virtual page number (Vpnum) corresponding to the virtual address of tmpVblkst, the offset from the page head (offset), and the page size (pagesize) are obtained.

  In steps 805, 806, and 807, the size (size) of the portion to be converted in the area represented by the virtual address information pair of tmpVblkst and tmpVblksz in the conversion process to the physical page number (Ppnum) corresponding to the current Vpnum. ). The size obtained by subtracting offset from pagesize is the size of the portion that can be converted, but comparison processing is performed in step 805. If tmpVblksz is small, the process branches to step 807, and size is set to tmpVblksz. If they are equal or greater, size is pagesize-offset.

  In step 808, Ppnum corresponding to Vpnum is obtained, but this processing is performed by calling the address conversion unit 143.

  In step 809, offset is added to the top address of the physical page of Ppnum to obtain the top address (Pstart) of the physical address area to be converted.

  In steps 810 to 815, the process of updating tmpPblkst and tmpPblksz reflecting the result of the previous conversion process is performed from the physical address area to be converted this time.

The case of branching to step 811 is the case of the first processing, in which 1 is added to Pblk, and Pstart and size are stored as they are in tmpPblkst and tmpPblksz, respectively.
The case of branching to step 813 is when the end of the physical address area of the previous conversion process and the start of the physical address area to be converted this time match. In this case, add size to tmpPblksz doing.

  The case of branching to steps 814 and 815 is the case where the end of the physical address area of the previous conversion process and the start of the physical address area that is the current conversion target do not match. In this case, step 814 The previous conversion results are stored in the Pblk-th I / O data output event physical address information pair, 1 is added to Pblk in step 815, and Pstart and size are stored as they are in tmpPblkst and tmpPblksz, respectively. doing.

  In step 816, a process for removing the part to be converted this time from the area represented by the virtual address information pair of tmpVblkst and tmpVblksz is performed. Specifically, size is added to tmpVblkst, and size is subtracted from tmpVblksz.

  In step 817, it is determined whether or not the entire area represented by the virtual address information pair of tmpVblkst and tmpVblksz has been converted. If tmpVblksz is greater than 0, there is still a portion to be converted, and the process returns to step 804.

  In step 818, the process proceeds to the next I / O data output event virtual address information pair. 1 is added to Vblk.

  In step 819, it is determined whether all the I / O data output event virtual address information pairs have been processed. If Vblk is equal to or larger than Vblkmax, there are still virtual address information pairs to be converted. Return to 803.

  In step 820, the last conversion result is stored in the Pblk-th I / O data output event physical address information pair, and the value of Pblk is stored in Pblkmax.

  As described above, for the asynchronous event input to the physical computer 120, the hypervisor 132 transmits information on the event and information on the transition of the software 130 caused by the event to the hypervisor 133, and the hypervisor 133 transmits the information. In addition to reproducing the asynchronous event in the software 131, the hypervisor 132 further transmits information on the I / O event of the software 130 to the hypervisor 133, and the hypervisor 133 By comparing the I / O event information of the software 131, it is possible to detect a processor failure by performing an I / O event output comparison process while executing VMs synchronously.

  FIG. 9 is a diagram showing the overall configuration of the second embodiment. In the first embodiment, the computer system including the systems A and B has been described. However, the present embodiment is an embodiment of the computer system including the systems A, B, and C. The left side shows the physical computer A constituting the system A, the center shows the physical computer B constituting the system B, and the right side shows the physical computer C constituting the system C. The notation of A, B, and C is omitted.

  In the figure, 900, 901 and 902 are processors, 903, 904 and 905 are memories, 908 and 909 are I / O devices, and 915, 916 and 917 are constituted by processors, memories and I / O devices. It is a physical computer.

  By connecting the processors 900, 901, 902 and the I / O devices 908, 909 via the I / O switch 907, the connection between the physical computer and the I / O device is shared, and the processor 900, memory 903, an I / O switch 907, a physical computer 915, a processor 901, a memory 904, an I / O switch 907, a physical computer 916, a processor 902, a memory 905, and an I / O switch 907, respectively. The I / O devices 908 and 909 are connected to physical computers 915, 916, and 917.

  910, 911, and 912 are physical connections by PCI Express Bus, and the processors 900, 901, 902, memories 903, 904, and 905 and the I / O switch 907 are connected by the PCI Express Bus 910 and the I / O switch 907. And the I / O device 908 are connected by a PCI Express Bus 911, and the I / O switch 907 and the I / O device 909 are connected by a PCI Express Bus 912, respectively.

  936, 937, and 938 are hypervisor programs, and VMs 930, 931, and 932 are generated by operating on the physical computers 915, 916, and 917, respectively.

  The memory 903 is divided into a memory area 920 used by the VM 930 and a memory area 923 used by the hypervisor 936 by the action of the hypervisor 936. At this time, the correspondence between the address space in the VM 930 and the address space in the physical computer 915 is managed by the address conversion unit 941 in the hypervisor 936 in particular.

  Similarly, the memory 904 is divided into a memory area 921 used by the VM 931 and a memory area 924 used by the hypervisor 937 by the action of the hypervisor 937. Correspondence between the address space in the VM 931 and the address space in the physical computer 916 Is managed by the address conversion unit 943 in the hypervisor 937, and the memory 905 is divided into a memory area 922 used by the VM 932 and a memory area 925 used by the hypervisor 938 by the action of the hypervisor 938, and the address space in the VM 932 The address space correspondence in the physical computer 917 is managed by the address conversion unit 945 in the hypervisor 938.

  Software 933, 934, and 935 operate in the VMs 930, 931, and 932, respectively, but information is transmitted from the synchronization processing unit 940 of the hypervisor 936 to the synchronization processing unit 942 of the hypervisor 937 through the event transmission channel 957. Further, information is transmitted from the synchronization processing unit 940 of the hypervisor 936 to the synchronization processing unit 944 of the hypervisor 938 through the event transmission channel 958, so that the operations of the software 933, 934, and 935 are the same at the software level.

  The event transmission channel 957 logically indicates transmission / reception of data between the physical computers 915 and 916 and is physically communication via the I / O switch 907. Similarly, the event transmission channels 958 and 959 logically indicate data transmission / reception between the physical computers 915 and 917 and between the physical computers 916 and 917. Physically, I / O Communication via the switch 907.

  When the software 933 is executed, an I / O event 960 is generated. The I / O event 960 is trapped by the hypervisor 936 and input to the synchronization processing unit 940 by the function of the processor 900.

  The synchronization processing unit 940 transmits information on the generated I / O event 960 to the synchronization processing unit 944 of the hypervisor 938 through the event transmission channel 958.

  When the software 934 is executed, an I / O event 961 is generated. The I / O event 961 is trapped by the hypervisor 937 and input to the synchronization processing unit 942 by the operation of the mechanism of the processor 901. The processing unit 942 transmits information on the generated I / O event 961 to the synchronization processing unit 944 of the hypervisor 938 through the event transmission channel 959.

  The synchronization processing unit 944 uses the received information of the I / O events 960 and 961 for processing for making the operations of the software 933, 934, and 935 the same at the software level, and also as the I / O events 963 and 964. The data is output to the I / O event detection unit 946 in the hypervisor 938.

  Further, an I / O event 962 generated by the execution of the software 935 is trapped by the hypervisor 938 and input to the I / O event detection unit 946 by the function of the processor 902.

  The I / O event detection unit 946 analyzes the type of the I / O event 963 on the VM 930 side, and in particular, an I / O command for an event that outputs an I / O command and an event that outputs I / O data, respectively. An output event 965 and an I / O data output event 966 are output to the I / O event processing unit 947.

  Further, the I / O event detection unit 946 analyzes the type of the I / O event 964 on the VM 931 side, and outputs an I / O command output event 967 and an I / O data output event 968 as an I / O event processing unit 947. And the type of the I / O event 962 on the VM 932 side is analyzed, and the I / O command output event 969 and the I / O data output event 970 are output to the I / O event processing unit 947.

  The I / O event processing unit 947 compares the contents of the I / O command with respect to the I / O command output events 965, 967, and 969. Transmission / reception is performed as an O command 990.

  The I / O switch 907 transmits / receives the I / O command 990 to the I / O device 908 or the I / O device 909 as I / O commands 981 and 982 according to the transmission / reception destination, respectively. The / O command output events 965, 967, and 969 are output to the I / O device 908 or 909.

  Further, the I / O event processing unit 947 compares the contents of the I / O data for the I / O data output events 966, 968, and 970, and based on the result, the I / O command 990 is used as the I / O command 990. A read command is transmitted to the DMA of the device 908 or 909.

  The I / O data at the I / O data output event 966 is stored in the I / O data in the memory area 920 used by the VM 930 prior to the I / O data output event 966 by the I / O data write 971 of the software 933. The data is written in the data buffer 926.

  Also, the I / O data at the I / O data output event 968 is stored in the memory area 921 used by the VM 931 prior to the I / O data output event 968 by the I / O data write 972 of the software 934. In the I / O data buffer 927, the I / O data in the I / O data output event 970 is a memory area used by the VM 932 prior to the I / O data output event 970 by the I / O data write 973 of the software 935. The data is written in the I / O data buffer 928 in the 922.

  In particular, the I / O event processing unit 947 includes an I / O data output comparison unit 948, which identifies an address in the address space of the VM 930 of the I / O data buffer 926 from the information of the I / O data output event 966. Further, the address in the address space of the VM 930 is converted into an address in the address space of the physical computer 915.

  Similarly, the I / O data output comparison unit 948 specifies an address in the address space of the VM 931 of the I / O data buffer 927 from the information of the I / O data output event 968, and further, in the address space of the VM 931. The address is converted into an address in the address space of the physical computer 916.

  Similarly, the I / O data output comparison unit 948 specifies the address in the address space of the VM 932 of the I / O data buffer 928 from the information of the I / O data output event 970, and further, in the address space of the VM 932 The address is converted into an address in the address space of the physical computer 917.

  Subsequently, the I / O data output comparison unit 948 uses the I / O data output event notification 991 and the address information in the address space of the physical computer 915 of the I / O data buffer 926 corresponding to the I / O data output event 966. Physical address information 992, physical address information 993 which is address information in the address space of the physical computer 916 of the I / O data buffer 927 corresponding to the I / O data output event 968, and I / O data output event The physical address information 994, which is address information in the address space of the physical computer 917 of the I / O data buffer 928 corresponding to 970, is received by the I / O switch 907 via the request transmission unit 949 for the I / O switch 907. The data is transmitted to the unit 913.

  When the request receiving unit 913 of the I / O switch 907 receives the I / O data output event notification 991, physical address information 992, 993, 994, the I / O switch 907 causes the I / O data buffers 926, 927, 928 to be received. Are read directly from the memories 903, 904, and 905 as DMA data readings 985, 986, and 987, respectively, and compared, and the comparison result 995 is sent through the response transmission unit 914 to the I / O data output event comparison unit 948. , I / O data output comparison unit 948 transmits to response reception unit 950.

  Here, the I / O command 990, the I / O data output event notification 991, the physical address information 992, 993, 994, and the comparison result 995 are the same as the transmission / reception of the I / O command 980 on the PCI Express Bus 910. This is executed in the bus sequence.

  The DMA data read 985, 986, and 987 are executed in the same bus sequence as the DMA data read 984 on the PCI Express Bus 910.

  The I / O data output comparison unit 948 receives the comparison result of the I / O data buffers 926, 927, and 928 through the response reception unit 950, and based on the result, as an I / O command 990, an I / O device A DMA read command is transmitted to 908 or 909.

  When the I / O device 908 or 909 receives the DMA read command, the I / O switch 907 performs reading as the DMA data read 988 or 989. The I / O switch 907 reads the DMA data readings 988 and 989 from the memories 903, 904, and 905 as DMA data readings 985, 986, and 987 according to the reading destinations, and reads the DMA data readings 988 and 989, respectively. By returning the read result, an I / O data output event 966, 968, 970 is output to the I / O device 908 or 909 as a result.

  FIG. 10 is a diagram showing details of the configuration of the hypervisor 938 operating on the physical computer 917 of the system of the second embodiment shown in FIG.

  The hypervisor 938 includes a synchronization processing unit 944, an address conversion unit 945, an I / O event detection unit 946, and an I / O event processing unit 947. The I / O event processing unit 947 includes an I / O data output comparison unit. As described above, the I / O data output comparison unit 948 includes the request transmission unit 949 and the response reception unit 950 for the I / O switch 907. In addition, the I / O event of the hypervisor 938 The processing unit 947 includes an I / O command output comparison unit 951, an I / O command output correction unit 952, and a DMA correction unit 955. The I / O data output comparison unit 948 includes a virtual address specifying unit 953, There is an address conversion unit 954. In this embodiment, as in the previous embodiment, the I / O command output correction unit 952 and the DMA correction unit 955 may be collectively referred to as a suppression unit. This is because, as will be described below, in addition to the correction function, it has a deterrent function as in the first embodiment.

  The I / O command output comparison unit 951 compares the I / O command contents of the I / O command output events 965, 967, and 969 from the I / O event detection unit 946, and the result is the I / O command comparison result. 1001 is output to the I / O command output correction unit 952.

  The I / O command output correction unit 952 transmits / receives the I / O command output events 965, 967, 969 from the I / O event detection unit 946 as the I / O command 990, but the I / O command comparison result 1001 does not match. In particular, if two of the three I / O command contents of the I / O command output events 965, 967, and 969 match, the two I / O commands that match I / O command transmission / reception corresponding to the output event is performed. If all three do not match, I / O command transmission / reception is suppressed.

  The virtual address specifying unit 953 of the I / O data output comparison unit 948 uses the information of the I / O data output events 966, 968, and 970 from the I / O event detection unit 946 to determine the address of the VM 930 in the I / O data buffer 926. The address in the space, the address in the VM931 address space of the I / O data buffer 927, the address in the VM932 address space of the I / O data buffer 928 are specified, and the result is the I / O data output event virtual address The information 1011, 1012, 1013 is output to the physical address conversion unit 954.

  The physical address conversion unit 954 inputs the virtual page number 1021 to the address conversion unit 945 for each page table size of the address conversion unit 945 based on the I / O data output event virtual address information 1011. , By inputting the corresponding physical page number 1022, it is converted into an address in the address space of the physical computer 915 of the I / O data buffer 926, and the result is requested as I / O data output event physical address information 1031. The data is output to the transmission unit 949.

  Similarly, the physical address conversion unit 954 uses the address in the address space of the physical computer 916 of the I / O data buffer 927 as the I / O data output event physical address information 1032 and also the I / O data buffer. The address in the address space of the physical computer 917 928 is output to the request transmission unit 949 as I / O data output event physical address information 1033.

  The request transmission unit 949 receives I / O data output events 966, 968, and 970 from the I / O event detection unit 946, and I / O data output event physical address information 1031 and 1032 from the physical address conversion unit 954. From the input of 1033, I / O data output event notification 991, physical address information 992, 993, and 994 are transmitted to the request receiving unit 913 of the I / O switch 907.

  The response reception unit 950 receives the comparison result 995 from the response transmission unit 914 of the I / O switch 907 and outputs the result as the I / O data comparison result 1041 to the DMA correction unit 955.

  The DMA correction unit 955 transmits a DMA read command to the I / O device 908 included in the I / O data output events 966, 968, and 909 from the I / O event detection unit 946 as an I / O command 990. However, when the I / O data comparison result 1041 indicates a mismatch, particularly when two of the contents of the three I / O data of the I / O data output events 966, 968, and 970 match. Transmits a DMA read command corresponding to two matching I / O data output events, and if none of the three matches, transmits a DMA read command of the corresponding I / O data output event 966, 968, 970 Is suppressed.

  FIG. 11 is a diagram illustrating details of the configuration of the I / O switch 907 in the system according to the second embodiment illustrated in FIG. 9.

  The I / O switch 907 is connected to the processors 900, 901, and 902 by the PCI Express Bus 910, the I / O device 908 by the PCI Express Bus 911, and the I / O device 909 by the PCI Express Bus 912, respectively. Transmission / reception to / from the I / O device 908 as an I / O command 981, or transmission / reception to / from the I / O device 909 as an I / O command 982, and DMA reading 988 from the I / O device 908, or The DMA read 989 from the I / O device 909 is read as the DMA read 984, which is due to the operation of the switch circuit 1100 in the I / O switch 907.

  In addition, as described above, the I / O switch 907 includes the request reception unit 913 and the response transmission unit 914 for the I / O data output comparison unit 948. In addition, the DMA data reading unit 1101, There is an O data buffer comparison unit 1102.

  The request receiving unit 913 is connected to the PCI Express Bus 910 through the switch circuit 1100 in the I / O switch 907, and the I / O data output event notification 991, physical address information 992, 993, and 994 are transferred to the I / O command. 980 received from the request transmission unit 949 of the I / O data output comparison unit 948, and the received contents are physical address information 1112 of the I / O data output event notification 1111 and I / O data buffer 926, and the I / O data buffer. The physical address 1113 of 927 and the physical address 1114 of the I / O data buffer 928 are output to the DMA data reading unit 1101.

  When the DMA data reading unit 1101 receives the I / O data output event notification 1111, physical address information 1112, 1113, 1114, the DMA data reading unit 1101 uses the physical address information 1112, 1113, 1114 in the I / O data buffers 926, 927, 928. Then, DMA data readings 985, 986, and 987 to the I / O data buffers 926, 927, and 928 are performed, respectively, and the DMA reading results 1126, 1127, and 1128 are output to the I / O data buffer comparison unit 1102, respectively.

  The I / O data buffer comparison unit 1102 sequentially compares the DMA read results 1126, 1127, and 1128 input from the DMA data read unit 1101, and outputs the comparison results 1115 to the response transmission unit 914.

  The response transmission unit 914 receives the comparison result 1115 from the I / O data buffer comparison unit 1102, and is connected to the PCI Express Bus 910 through the switch circuit 1100 in the I / O switch 907. The data is transmitted as a / O command 980 to the response receiving unit 950 of the I / O data output comparing unit.

  As described above, the hypervisor 936 transmits information on the asynchronous event input to the physical computer 915 and information on the transition of the software 933 caused by the event to the hypervisor 937 and 938. However, in addition to reproducing the asynchronous event in the software 934 and 935 based on the information, the hypervisor 936 and 937 further transmits the information on the I / O event of the software 933 and 934 to the hypervisor 938. Then, the hypervisor 938 compares the information with the information of the I / O event of the software 935, thereby performing the I / O event comparison process while executing the VM synchronously and concealing the processor failure. Become.

  Although the preferred embodiments have been described above, the present invention can be variously modified without departing from the technical idea thereof. For example, in the above embodiment, the physical address information of the I / O data buffer is directly transferred from the request transmission interface of the I / O data output comparison unit to the request reception interface of the I / O switch. For example, the physical address information of the I / O data buffer is stored in the memory area of the hypervisor, and the memory address storing the information is transferred to the request receiving interface of the I / O switch.

100, 101 ... processor,
102, 103 ... memory,
104-I / O switch,
105, 106 ... I / O device,
107, 108, 109 ... PCI Express Bus,
110, 111, 112, 113 ... memory area,
114, 115 ... I / O data buffer in the memory area,
116... The request reception interface unit,
117 ... Response transmission interface part,
120, 121 ... physical computer,
122, 123 ... virtual machines,
130, 131 ... guest software,
132, 133 ... hypervisor,
140, 142 ... synchronization processing unit,
141, 143 ... Address converter,
144 ... I / O event detector,
145 ... I / O event processing unit,
146... I / O data output comparison unit,
147 ... request transmission interface unit,
148 ... Response reception interface section,
149 ... I / O command output comparison unit,
150 ... I / O command output suppression section,
151... Virtual address specifying unit,
152 ... physical address conversion unit,
153 ... DMA suppression unit,
160 ... event transmission channel,
170, 171, 172, 173, 174, 175, 176 ... I / O event output,
177, 178 ... I / O data write,
180, 181, 182 ... I / O command transmission / reception,
185, 186, 187, 188, 189 ... DMA read,
190 ... I / O command transmission / reception corresponding to I / O event output,
191 ... I / O command transmission corresponding to data output event notification,
192, 193 ... I / O command transmission corresponding to physical address information,
194 ... Receiving an I / O command corresponding to the comparison result,
201 ... Data output in the hypervisor corresponding to the I / O command comparison result,
211, 212 ... I / O data output event Data output in hypervisor corresponding to virtual address information,
221 ... Data output in the hypervisor corresponding to the virtual page number,
222 ... Data output in the hypervisor corresponding to the physical page number,
231, 232 ... I / O data output event Data output in the hypervisor corresponding to the physical address information,
241 ... Data output in the hypervisor corresponding to the I / O data comparison result,
300 ... Switch circuit,
301: DMA data reading unit,
302 ... I / O data buffer comparison unit,
311 ... Signal corresponding to data output event notification,
312, 313... Signal corresponding to physical address information,
314... Signal corresponding to the comparison result,
326, 327 ... DMA read result,
401, 402, 403, 404, 405, 406, 407, 412, 413, 414, 415, 416, 417 ... guest software processing steps,
451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462... Hypervisor processing steps,
471, 472, 473, 474 ... DMA operation steps,
481, 482, 483 ... Asynchronous event (interrupt) from I / O,
491, 492 ... Virtual asynchronous events (interrupts) from the hypervisor,
501,502,503,504,505,506,512,513,514,515,516 ... guest software processing steps,
551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567 ... hypervisor processing steps,
571, 572, 573... Operation steps of the DMA read unit and the I / O data buffer comparison unit,
581, 582... Asynchronous event (interrupt) from I / O,
591, 592 ... Virtual asynchronous event (interrupt) from the hypervisor,
601 602 612 ... guest software processing steps,
621 ... processor failure occurrence timing,
651, 652, 653, 654, 655, 656, 657, 658, 659 ... processing steps of the hypervisor,
681 ... Asynchronous event (interrupt) from I / O,
691 ... Virtual asynchronous event (interrupt) from the hypervisor,
703, 704, 705, 706, 713, 714, 715, 716 ... guest software processing steps,
721 ... processor failure occurrence timing,
758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768 ... processing steps of the hypervisor,
771, 772, 773-DMA read section and I / O data buffer comparison section operation steps,
782 ... Asynchronous event (interrupt) from I / O,
792 ... Virtual asynchronous event (interrupt) from the hypervisor
801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820 ... Steps 900, 901 of the processing flow of the hypervisor 902 ... a processor,
903, 904, 905 ... memory,
907 ... I / O switch,
908, 909 ... I / O device,
910, 911, 912 ... PCI Express Bus,
920, 921, 922, 923, 924, 925... Memory area,
926, 927, 928 ... I / O data buffer in the memory area,
913 ... Request receiving interface part,
914 ... Response transmission interface unit,
915, 916, 917 ... physical computer,
930, 931, 932 ... virtual machine,
933, 934, 935 ... Guest software,
936, 937, 938 ... hypervisor,
940, 942, 944... Synchronization processing unit,
941, 943, 945 ... Address conversion unit,
946 ... I / O event detection unit,
947 ... I / O event processing unit,
948 ... I / O data output comparison unit,
949 ... Request transmission interface unit,
950 ... Response reception interface unit,
951 ... I / O command output comparison unit,
952 ... I / O command output correction section,
953 ... Virtual address specifying part,
954: Physical address conversion unit,
955 ... DMA correction section,
957, 958, 959 ... event transmission channel,
960, 961, 962, 963, 964, 965, 966, 967, 968, 969, 970 ... I / O event output,
971, 972, 973 ... I / O data write,
980, 981, 982 ... I / O command transmission / reception,
984, 985, 986, 987, 988, 989 ... DMA read,
990 ... I / O command transmission / reception corresponding to I / O event output,
991 ... I / O command transmission corresponding to data output event notification,
992, 993, 994 ... I / O command transmission corresponding to physical address information,
995 ... I / O command reception corresponding to the comparison result,
1001 ... Data output in the hypervisor corresponding to the I / O command comparison result,
1011, 1012, 1013 ... I / O data output event Data output in hypervisor corresponding to virtual address information,
1021 ... Data output in the hypervisor corresponding to the virtual page number,
1022 ... Data output in the hypervisor corresponding to the physical page number,
1031, 1032, 1033 ... I / O data output event Data output in the hypervisor corresponding to physical address information,
1041... Data output in the hypervisor corresponding to the I / O data comparison result,
1100: Switch circuit,
1101... DMA data reading unit,
1102 ... I / O data buffer comparison unit,
1111 ... Signal corresponding to the data output event notification,
1112, 1113, 1114... Signal corresponding to physical address information,
1115: Signal corresponding to the comparison result,
1126, 1127, 1128 ... DMA read results.

Claims (15)

A plurality of physical computers including a processor, a memory, and an I / O device; a virtualization control unit that virtualizes computer resources of the physical computers and executes the plurality of virtual computers; and The first virtual machine on the first physical computer and the second virtual machine on the second physical computer are computer systems that execute the same application program,
The virtualization control unit
A synchronization control unit that simultaneously executes application programs on the first virtual machine and the second virtual machine;
An I / O event detector for detecting an I / O event issued by the first virtual machine and the second virtual machine and identifying a type;
An I / O event processing unit that compares an I / O event issued by the first virtual machine with an I / O event issued by the second virtual machine and generates an output for the I / O device. And comprising
The I / O event processing unit
An I / O command comparison unit that compares the I / O command when the I / O event issued by the first virtual machine and the second virtual machine is an I / O command;
If the comparison result of the I / O command comparison unit does not match, a suppression unit for suppressing the output of the I / O command;
A computer system comprising: A computer system according to claim 1,
The I / O event processing unit
When the I / O event issued by the first virtual machine and the second virtual machine is an I / O data output, the memory area of the first virtual machine and the second virtual machine An I / O data comparison unit that reads and compares the I / O data from the memory area of
The inhibition unit inhibits reading of the I / O data from the memory area to the I / O device when the comparison result of the I / O data comparison unit does not match;
A computer system characterized by that. A computer system according to claim 2,
The I / O device comprises a DMA controller;
The inhibiting unit inhibits the DMA controller from reading the I / O data from the memory area when the comparison result of the I / O data comparing unit is inconsistent;
A computer system characterized by that. A computer system according to claim 2,
The virtualization control unit
An address conversion unit for managing correspondence between virtual addresses managed by the first virtual machine and the second virtual machine, and physical addresses managed by the first physical computer and the second physical machine, respectively; Have
The I / O data comparison unit
Memory in which target data of I / O data output of the first virtual machine and the second virtual machine is held from the I / O event issued by the first virtual machine and the second virtual machine A virtual address specifying part for specifying a virtual address of the area;
A physical address specifying unit for specifying a physical address corresponding to the specified virtual address using the address conversion unit;
A data reading unit that reads the target data from the memory area indicated by the identified physical address;
Outputting the comparison result of the read target data to the suppression unit;
A computer system characterized by that. A computer system according to claim 4,
The address conversion unit
A page table for managing the correspondence between the virtual address and the physical address in units of pages;
The virtual address specifying unit
Identifying the memory area in which the target data of I / O data output of the first virtual machine and the second virtual machine is held by the start address and size of the virtual address;
The physical address specifying unit is:
Using the page table, virtual address information specified by the virtual address specifying unit and including the start address and size of the virtual address is converted into physical address information including a combination of one or more start addresses and sizes. ,
A computer system characterized by that. A computer system according to claim 2,
The physical computer further includes an I / O switch for connecting the processor and the I / O device,
The I / O switch
From the virtualization control unit, a plurality of physical addresses in the memory area in which I / O data output notification and target data for I / O data output of the first virtual machine and the second virtual machine are held A request receiving interface part for receiving;
When the request reception interface unit receives the I / O data output notification, a memory data reading unit that reads target data from the memory areas indicated by the received physical addresses,
A memory data comparison unit for comparing the read target data;
A response transmission interface unit for passing the comparison result to the virtualization control unit;
With
A computer system characterized by that. A computer system according to claim 6,
The virtualization control unit
An address conversion unit for managing correspondence between virtual addresses managed by the first virtual machine and the second virtual machine, and physical addresses managed by the first physical computer and the second physical machine, respectively; Have
The I / O data comparison unit
The target data of the I / O data output of the first virtual machine and the second virtual machine is held from the I / O event issued by the first virtual machine and the second virtual machine. A virtual address specifying unit for specifying a plurality of virtual addresses in the memory area;
A physical address specifying unit for specifying a plurality of physical addresses corresponding to the specified plurality of virtual addresses using the address conversion unit;
An I / O data output notification to the request reception interface unit of the I / O switch; a request transmission interface unit that delivers a plurality of the physical addresses;
A response reception interface unit for receiving a comparison result from the response transmission interface unit of the I / O switch;
A computer system characterized by that. A computer system in which a plurality of virtual machines execute application programs,
A plurality of physical computers with processors, memory and I / O devices;
By virtualizing the computer resources of the physical computer, a first virtual computer on the first physical computer, a second virtual computer on the second physical computer, and a third virtual computer on the third physical computer A virtualization control unit that executes the computer,
The virtualization control unit
A synchronous control unit that simultaneously executes the same application program on the first, second, and third virtual machines;
An I / O event detector that detects an I / O event issued by the first, second, and third virtual machines and identifies a type;
An I / O event processing unit that compares the I / O events issued by the first, second, and third virtual machines and generates an output for the I / O device;
The I / O event processing unit
An I / O command comparison unit that compares the I / O commands when the I / O events issued by the first, second, and third virtual machines are I / O commands;
As a result of comparison by the I / O command comparison unit, when the two match, the matched I / O command is output, and when all do not match, the I / O command is output. A deterrence unit that deters
A computer system comprising: 9. A computer system according to claim 8, comprising:
The I / O event processing unit
When the I / O event issued by the first, second, and third virtual machines is an I / O data output, I / O data is output from the memory area of each of the first, second, and third virtual machines. An I / O data comparison unit that reads and compares / O data
The suppression unit outputs a read command corresponding to the matched I / O data output when the two match as a result of the comparison of the I / O data comparison unit, and all do not match. In this case, reading the I / O data from the memory area is suppressed.
A computer system characterized by that. A computer system control method comprising: a plurality of physical computers including a processor, a memory, and an I / O device; and a virtualization control unit that virtualizes computer resources of each of the physical computers and executes the plurality of virtual computers. ,
The virtualization control unit
Simultaneously executing the same application program on a plurality of virtual machines,
Detect I / O events issued by multiple virtual machines, identify the type of I / O event,
When the I / O event issued by a plurality of virtual machines is an I / O command, the I / O commands are compared, and when the I / O event is an I / O data output, a plurality of I / O events are output. I / O data is read from the memory area of the virtual machine and compared,
If the comparison result of the I / O command is inconsistent, the output of the I / O command is suppressed,
If the result of comparing the I / O data is inconsistent, reading the I / O data from the memory area is suppressed.
A method for controlling a computer system. A method of controlling a computer system according to claim 10,
The virtualization control unit
When reading and comparing the I / O data,
From the I / O events issued by the plurality of virtual machines, specify the virtual address of the memory area where the target data of the I / O data output of the plurality of virtual machines is held,
Converting the identified virtual address into a physical address managed by the corresponding physical computer;
Read target data from the memory area indicated by the converted physical address,
A method for controlling a computer system. A computer system control method according to claim 11, comprising:
The plurality of virtual machines includes a first virtual machine on a first physical machine and a second virtual machine on a second physical machine,
The virtualization control unit
A page table for managing the correspondence between the virtual address and the physical address in units of pages;
When specifying the virtual address, the memory area in which the target data of the I / O data output of the first and second virtual machines is held is specified by virtual address information consisting of the start address and size of the virtual address. ,
Converting the virtual address information into physical address information comprising a combination of one or more start addresses and sizes using the page table;
A method for controlling a computer system. A method of controlling a computer system according to claim 10,
The physical computer further includes an I / O switch for connecting the processor and the I / O device,
The I / O switch
From the virtualization control unit, an I / O data output notification and a physical address of a memory area in which target data for I / O data output of the plurality of virtual machines are held are received,
Upon receiving the I / O data output notification, the target data is read from the memory area indicated by the received plurality of physical addresses,
Compare the read target data and pass the comparison result to the virtualization control unit.
A method for controlling a computer system. A method for controlling a computer system according to claim 10, comprising:
The plurality of virtual machines includes a first virtual machine on a first physical machine, a second virtual machine on a second physical machine, and a third virtual machine on a third physical machine ,
The virtual control unit
As a result of comparing the I / O commands, if one of the I / O commands issued by the first, second, and third virtual machines does not match, the two matching I / O commands are regarded as correct I / O commands. If it is output as an O command and all do not match, the output of the I / O command is suppressed.
A method for controlling a computer system. A method for controlling a computer system according to claim 10, comprising:
The plurality of virtual machines includes a first virtual machine on a first physical machine, a second virtual machine on a second physical machine, and a third virtual machine on a third physical machine ,
The virtual control unit
As a result of reading and comparing the I / O data, if one of the I / O data read from the memory areas of the first, second, and third virtual machines does not match, the two that match If all data are inconsistent, the I / O data is inhibited from being read from the memory area.
A method for controlling a computer system.

Images