JPH10260826A - Partial file updating method during system operation - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent the operation interruption of an entire system with receiving only a partial effect even though a conflict occurs because of an interrupting task and it might be a system failure at the time of partially changing an operation file and also to make the system perform normal operation recovery even when a fault is repeated in spite of excution of the main processing. SOLUTION: A failure detecting mechanism 61 detects a failure, a failure analysis processing part 62 analyzes if the failure is caused by a software factor, a task specification and release processing part 64 specifies a program parallel execution processing unit that generates the failure when it is caused by the software factor and resets the task 51 in which a conflict occurs and at the same time, a post-processing function starting part 65 specifies a resource about 52 about the task and starts a function that initializes. A fixed point restart processing part 66 resumes the operation of a system at the fixed point 501 of an execution controlling part 5.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a file management method for a system in which operation is controlled by a program. The present invention relates to a method for updating a partial file during system operation, which can eliminate a hindrance to the operation of the entire system due to only a partial influence where an inconsistency occurs and causes a system failure, thereby reducing the possibility of a system failure. .

[0002]

2. Description of the Related Art Conventionally, in a system operated by a program, a program is changed by partially replacing a file by correcting a defect of the program, adding a function, or the like. In this case, if the task is interrupted immediately before the partial replacement file is entered, if the task resumes from the point of interruption immediately after the partial replacement file is allocated, the stack information and the partial replacement file stored in this task There is a possibility that a processing inconsistency occurs between the new program processing and a system error. Therefore, it is important to change the running file while avoiding a system abnormality. FIG. 13 is a block diagram showing a conventional system configuration example. In FIG. 13, reference numeral 1 denotes a system controlled by a program, 2 denotes an original operation file set at the time of system construction or update of the entire file, and 21 to 2N denote program units constituting the operation file (herein referred to as functions). ), The replacement target, 211 is the interruption point of the replacement function, 3 is the partial replacement file, 31 and 3N are the replacement target functions constituting the partial replacement file, and 4 is the replacement function allocated on the memory. A partial file change loader having a function of relinking instead of the replacement target function of the original file, 41 is a partial update determination flag, 5 is an execution control unit, 501 is a fixed point, and 51 is provided by an execution control unit. A parallel execution unit called a task to be executed, 6 is a restart processing unit,
61 is a failure detection unit, 62 is a failure analysis processing unit, and 67 is a whole restart processing unit. Note that the failure detection unit 61 is a hardware mechanism in a processor that causes an interrupt in hardware when running in an unmounted address or a protected instruction area, but the execution control unit 5 and the task 51 , And other functional units of the restart processing unit 6 are configured by a program stored in a memory and driven by a processor when an event occurs. Of course, it can also be incorporated by firmware or the like. Operation file 2
The partial replacement file 3 is a file having an area for storing data on the memory.

If the currently running file 2 has a defect or if it is desired to add a function to the currently running file 2, a partial replacement file 3 is introduced. However, before the partial replacement file 3 is input,
Is interrupted in the replacement function 21 (interruption point 21
1), a new replacement function 31,
A link is taken to 3N. This interrupted task 51
Has not experienced the processing of the new replacement function 31, but if the execution is resumed after the completion of the replacement processing, the new replacement function 3N will be run. In this case, the task 51 executes the function 3 without processing the new replacement function 31.
Since the vehicle travels N, if the function 3N has a process based on the processing result of the function 31, the operation of the task 51 is likely to become abnormal after the interruption and restart. That is, the logic is inconsistent if the replacement function 3N is executed without going through the processing of the replacement function 31. This contradiction is not a minor malfunction,
In order to cause a software failure such as accessing an unmounted address, accessing a data part, or destroying data at an incorrect address, it was necessary to restore the operation of the system by all initial settings of software. That is, when a software failure occurs, the failure detection unit 61 detects the failure and activates the whole system restart processing 67, and restarts the operation of the system after erasing all tasks and the like. However, when such restart processing occurs, there is a problem in that the operating system is interrupted and the service being provided cannot be provided.

[0004]

As described above, in the conventional system, when partially replacing a file during operation, even if the content of the replacement program is correct, the task interrupted before the change completes the replacement process. Immediately after the restart of the process, a process inconsistency may occur, resulting in a software failure, which may make stable operation impossible. Therefore, an object of the present invention is to solve such a conventional problem, and the interrupted task remaining immediately before loading and linking the partial replacement file with respect to the running original file is replaced by the newly included replacement file. Even if there is a possibility of causing a software failure such as unmounted address access, data section running, data destruction, etc., only the task that caused the software failure is erased, preventing the occurrence of floating resources and interrupting tasks to prevent software failure. It is an object of the present invention to provide a method of updating a partial file during a system operation in which a service other than the service that has occurred can be continued. Further, another object of the present invention is to provide a system operation part that can be used as a guard for normal operation recovery of the system when normal operation of the system cannot be recovered by such partial restart processing. It is to provide a file updating method.

[0005]

In order to achieve the above object, in the method of updating a partial file during operation of a system according to the present invention, a partial file update loader for partially replacing a running file is used to replace a replaced part of the operating file. When changing to a new partial replacement file, the failure detection unit detects a failure that has occurred within a certain monitoring time after the replacement file is incorporated, and the failure analysis processing unit determines whether the failure is due to a software factor. Analyze, and if it is a software factor, the task identification / release processing unit identifies the program parallel execution processing unit that caused the failure and then deletes it, and the fixed point restart processing unit removes it from the specific point of execution control. Resume processing. Further, after erasing the program parallel execution processing unit that caused the failure, the post-processing function starting unit starts the post-processing program, and after the resource release processing by the program, the fixed point restart processing unit performs processing from a specific point of execution control. Resume. Furthermore, if the normal operation of the system cannot be recovered by the partial restart processing, the number of repeated failures is counted, and when the threshold is exceeded, the entire system is restarted to guarantee the recovery of the system operation. I do.

[0006]

Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a block diagram of a system showing an embodiment of the present invention. As shown in FIG.
In the present invention, the same parts as in FIG. 13 of the conventional example are provided, and the different parts from FIG. 13 are that the configuration of the restart processing unit 6 is added and that the post-processing function 3
P is provided, and a task 51 is provided with a related resource 52. The same components as those in FIG. 13 are denoted by the same reference numerals. That is, 1 is a system controlled by a program, 2 is an original operation file set at the time of system construction or update of the entire file, 21 to 2
N is a function to be replaced among the functions constituting the operation file 2, 3 is a partial replacement file, 31 and 3N are functions to be replaced constituting a partial replacement file, 4
Is a partial file change loader having a function of allocating a replacement function on the memory and relinking the original file instead of the function to be replaced and a function of unloading (removing) it, 41 is a partial update determination flag, 5 is an execution control unit, 501 is a fixed point which is a starting point of task activation control, 51 is a parallel execution unit called a task provided by the execution control unit, 52 is a related resource, and 6 is a system restart processing unit. The system restart processing section 6 includes a failure detection mechanism 61, an analysis processing section 62 for determining whether or not a software failure has occurred, a partial file changing determination section 63 for confirming whether or not the system is changing a partial file, and a failed task. Task specification / release processing 64 for specifying and releasing this,
A post-processing function activating unit 65 that activates the post-processing function 3P; a fixed-point resuming process 66 that returns to the fixed point 501 of the execution control unit 5 and continues execution control; an overall resuming process 67 that performs an overall resumption of the system; And after invoking the post-processing function,
Partial restart threshold 63 to determine whether to repeat the disease
1, and a global restart threshold 632 for determining whether the illness will repeat further. Note that only the failure detection mechanism 61 is a mechanism that causes an interrupt in hardware, and has a hardware configuration. The operation file 2 and the replacement file 3
Is a file with an area for storing data in the memory, all other functional units are stored in the memory,
This is a program driven by the processor when an event occurs. Of course, it is also possible to use a device (processor) in which the logic is incorporated by firmware or the like.

In FIG. 1, an original file 2 during operation is shown.
In contrast, the functions 31 and 3N for replacing the functions 21 and 2N to be replaced include a function 3P describing a process for erasing resources related to a task related to a software failure that may be caused by the replacement files 31 and 3N. Attach. Further, in the restart processing unit 6, the failure detection unit 61 detects a failure that has occurred after allocation to the memory by the loader 4, and the analysis unit 62 determines whether or not a software failure has occurred. Check if 63 is changing the system partial file,
The task identification / release processing prevention 64 identifies and releases the affected task, the post-processing function activating unit 65 activates the post-processing function 3P, and the overall resumption processing unit 67 performs the overall resumption of the system. As a result, the task suspended immediately before the loader 4 executes the replacement process is replaced with the replacement file 31.
And 3N are linked to each other, causing a contradiction and causing a software failure. If it is a software failure and the affected task 51 can be identified,
Forcibly delete the task. Then, the post-processing function 3P for erasing the resource related to the task is activated, the resource erasure process is performed as described in the function, and the process returns to the fixed point 501 of the execution control 5. .
Except for the part related to the task interrupted immediately before the partial file replacement, it is possible to partially change the running file without any influence. Further, it is determined whether or not the illness is repeated after the activation of the post-processing function, by the partial restart threshold value 631. Is forcibly erased. At the same time, the loader 4 is started to unload the partial replacement files 31 and 3N to return to the state before the partial replacement. Further, when the disease is repeated thereafter, the number of times is counted, and when the number exceeds the total restart threshold value 632, the whole system restart process 67 is started to recover the operation of the system.

FIGS. 2 to 4 are explanatory diagrams showing the operation principle of the present invention. The same components as those in FIG. 1 are denoted by the same reference numerals. Then, a state in which the state changes in the order of FIGS. 2, 3, and 4 is shown. FIG. 2 shows a state in which the task is interrupted in the execution control before the partial replacement file is input to the running file. That is, the task 5 controlled by the execution control unit 5
1 is the replacement function 21 as the break point address 511
The address of the interruption point 211 is stored. In FIG. 3, the task 51 is activated immediately after the partial replacement file 3 is allocated to the system, and the processing of the task 51 is resumed from the break point address 511. However, the task 51 is replaced before and after the task break point 511. Since the function 51 is placed and the task 51 of the replaced function passes only the latter half of the processing of the replaced function, the task 51 indicates a state in which a processing inconsistency has occurred in the replaced function. That is, when the replacement function 3N is operated after the renewal from the interruption, a software abnormality occurs. Thereby, the failure detection mechanism 61 is activated. In FIG. 4, as a result of detection by the failure detection mechanism 61 and analysis by the failure analysis processing unit 63, the generated failure is a software failure. The resource to be deleted is input by the post-processing function at the same time as the replacement file, and is deleted by the post-processing function, indicating that the replacement of the partial file is completed without affecting other parts.

FIGS. 5 to 12 are explanatory diagrams of the detailed operation showing one embodiment of the present invention. The above-described operation principle will be described in detail by actual operation. As shown in FIG. 5, it is assumed that the task 51 is interrupted in the replacement function 21 before the partial replacement file 3 is allocated. The execution of the task 51 is controlled by the execution control unit 5, and the task 51 stores the address of the interruption point 211 in the replacement function 21 as the interruption point address 511. At this time, as shown in FIG. 6, the functions 31 and 3N in the replacement file 3 are allocated by the loader 4, and linkage is performed between the functions 21 and 2N (linkage jumps 311 and 31N). When the partial replacement file 3 is input in this way, the replacement functions 31 and 3N and the post-processing function 3P are allocated on the system by the function of the loader 4. Note that the task 51 interrupted immediately before the linkage processing remains as it is until after the linkage. Next, as shown in FIG. 7, when the partial replacement functions 31 and 3N complete the allocation, the loader 4 passes control to the execution control unit 5, and the execution control unit 5 starts the task 51 from the interruption point and interrupts the task 51. Attempt to restart the process from point address 211. However, since the task 51 is sleeping at the interruption point, the task 51 tries to run the processing of the replacement function 3N without experiencing the processing of the replacement function 31. Therefore, originally, in the combination of the functions 31 and 3N, 1
Where two legitimate processes are performed, this is not actually the case, so that a process inconsistency occurs and a system failure occurs (failure is indicated by x).

Next, in FIG. 8, a failure detecting mechanism 61
Detects a failure, and when the failure analysis processing unit 62 determines that the failure is caused by a software factor, the partial updating determination unit 6
3, the partial update flag 41 in the partial file update loader 4 is determined, and the partial restart threshold value 631 is determined. If the partial update is within the threshold, the task identification release processing unit 64 identifies the task that caused the illness, and deletes the task 51 (deletion is indicated by x).
Subsequent to the task erasure, as shown in FIG. 9, the post-processing function activating unit 65 activates the post-processing function 3P, and erases the resource 511 related to the task.
). The post-processing function 3P includes the replacement functions 31 and 3N
Describes a process for identifying and releasing related resources in the event of a possible failure caused by the presence of an interrupted task. this function is,
It is started only at this time, but how to start it depends on the implementation. In this embodiment, it is assumed that a specific name or a suffix is added to the function name to identify the function, and the allocation position has the name as data for associating the address. In FIG. 8 and FIG. 9, depending on the implementation, other processing is not interrupted.
An interrupt mask is set for the execution control unit 5.

FIG. 10 shows a flow in which the normal operation is restarted from the fixed point 501 of the execution control unit 5 by the fixed point restart processing unit 66 after the related resources are deleted. That is, when returning from the erasure of the related resource 52, the fixed point 501 of the execution control unit 5 is passed through the fixed point restart processing unit 66.
Restart the system operation from. FIG. 11 is an explanatory diagram of the processing when the update partial threshold is exceeded. Even if the task or resource is deleted by activating the post-processing function activating unit 65, if the failure is repeated and the partial restart threshold value 631 is exceeded, the newly assigned partial replacement files 31 and 3N have defects. Yes, it is considered that illness cannot be recovered by forced termination of the task. In this case,
The task is released, and the allocation of the partial replacement files 31 and 3N is restored (unloaded) by the partial restart loader 4 (same as the partial file change loader).
The linkage is returned, and the fixed point restart processing unit 66 performs a process of restarting the normal operation from the fixed point 501 of the execution control unit 5. The threshold value is reset under a certain condition, for example, a certain time condition, and the probability of the threshold value being exceeded due to occurrence of an unrelated factor is reduced. FIG. 12 illustrates an operation of determining whether a failure has occurred that cannot be recovered even by returning a partial replacement file, and whether a software failure has occurred due to a factor unrelated to the current partial file replacement. . For example, if the software failure exceeds the entire restart threshold 632 within a certain time, the entire system can be restarted by the entire restart process 67, so that the probability of recovering the system can be increased.

[0012]

As described above, according to the present invention,
In a system controlled by a program, when changing the operation file partially, even if you modify multiple functions, there is an interrupted task due to an interrupted task, which causes a system failure, and the task where the inconsistency occurred , And by activating a function for specifying and initializing resources related to the task, it is possible to eliminate the hindrance to the operation of the entire system due to only a partial effect. Also,
If the disease is repeated even after performing the above processing, it is possible to perform a guard to restore the normal operation of the system by returning the partial replacement file and restarting the fixed point or restarting the entire system. it can. As a result, according to the present invention, a system failure can be prevented when the running file is partially updated, so that the system can be operated stably.

[Brief description of the drawings]

FIG. 1 is a diagram showing the operation principle of updating a partial file during system operation according to the present invention.

FIG. 2 is an explanatory diagram (before a partial replacement file is input) of a schematic operation of updating a partial file during system operation according to the present invention.

FIG. 3 is an explanatory diagram of a schematic operation (a state in which processing inconsistency occurs in a partial replacement function).

FIG. 4 is an explanatory diagram of a schematic operation (a process of resetting a diseased task and erasing resources).

FIG. 5 is an explanatory diagram (before allocation of a partial replacement file) of a detailed operation of updating a partial file during system operation according to an embodiment of the present invention.

FIG. 6 is an explanatory view of the detailed operation (allocation processing of a replacement function and a post-processing function).

FIG. 7 is an explanatory diagram of the detailed operation (the occurrence of processing inconsistency and system failure).

FIG. 8 is an explanatory view of the detailed operation (the task is erased because it is within the threshold value during the partial update).

FIG. 9 is an explanatory diagram of the detailed operation (deletion of related resources).

FIG. 10 is an explanatory diagram of the detailed operation (fixed point restart processing).
It is.

FIG. 11 is an explanatory diagram of a detailed operation (when a partial threshold value is exceeded).

FIG. 12 is an explanatory diagram of a detailed operation (in the case of a failure that cannot be recovered even by returning a partially replaced file).

FIG. 13 is an explanatory diagram of a conventional operation of updating a partial file during system operation.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 ... System controlled by a program, 2 ... Operation file, 21-2N ... Program unit (function) (replacement function to be replaced) which comprises an operation file, 211 ... Task interruption point, 3 ... Partial replacement file, 4 a partial file change loader, 3P a post-processing function describing a post-processing for erasing resources related to a software failure that may occur due to the replacement function,
31 to 3N: within the replacement file, a partial replacement function for replacement, 41: a partial update determination flag, 5: an execution control unit for managing task execution, 51: a program execution unit task, 501: a starting point for execution control Fixed point, 511
... Interruption point address indicating the address at which the task 51 is interrupted in the function, 52...
... A failure detection mechanism, 6... A resumption processing unit that performs recovery processing when a failure occurs, 62... A failure analysis processing unit that determines whether the detected failure is a software failure, 63.
Partial update determination section 631 for checking partial update flag 41 to determine whether partial update is in progress, 631... Partial restart threshold value for determining whether or not to unload partial replacement file due to repeated failures, 632 .., An overall restart threshold value for determining whether or not the system is restarted due to repeated failures; 64, a task specification / release processing unit for specifying and releasing an affected task; 65, simultaneously with the input of the replacement file 3 A post-processing function activating unit that activates the allocated post-processing function 3P, 66 ...
Fixed point restart processing unit 67 for performing processing for resuming from a fixed point of execution control, 67 ... Overall restart processing unit for processing restart of the entire system.

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Tetsuyasu Yamada 3-19-2 Nishishinjuku, Shinjuku-ku, Tokyo Japan Telegraph and Telephone Corporation (72) Inventor Kenichi Ochi 5-7-1 Shiba 5-chome, Minato-ku, Tokyo NEC Corporation

Claims (4)

[Claims] A communication for loading and linking a partial replacement file to an operation file to change a program.
In the file update method of the information processing system, when the partial file update loader is changing the replacement part of the operation file to a new partial replacement file, the partial file update loader is installed within a predetermined monitoring time after the partial replacement file is incorporated. The fault that occurred was detected, and it was analyzed whether the fault was caused by a software factor. As a result of the analysis, if the fault was a software factor, the program parallel execution processing unit that caused the fault was specified, and the specified A method for updating a partial file during system operation, wherein the execution unit is deleted and processing is restarted from a specific point of program execution control. 2. The method according to claim 1, wherein when the partial file update loader changes the replacement part of the operation file to a new partial replacement file,
At the same time that the partial replacement file is input to the operating system, a post-processing program described to release resources related to software failures that may occur due to the inclusion of the partial replacement file is allocated to the system. During the replacement period,
When a software failure occurs, the program parallel execution processing unit that caused the software failure is erased, and then the post-processing program is activated to release the resources by the processing program. A method for updating a partial file during system operation, wherein the process is restarted from a specific point. 3. The method according to claim 2, wherein a threshold value of the number of failure occurrences of a software factor occurring during a period in which the operating file is partially replaced is specified. Means for updating a partial file during system operation, wherein the system counts the number of fault occurrences during the period and removes the relevant partial replacement file when the threshold value of the specifying means is reached. 4. The method according to claim 3, wherein at least two types of software-related failures occur during a period in which the operating files are partially replaced. A means for designating a threshold value is provided, and the system counts the number of fault occurrences during the above period, and when the first threshold number is reached, removes the relevant partial replacement file, and replaces the partial replacement file. A method of updating a partial file during system operation, comprising restarting the entire system when a failure occurs again after the removal and the number of times reaches the next threshold value.