JPH11508069A - Checkpoint and recovery system for persistent state - Google Patents

Abstract

(57) [Summary] The checkpoint restoration system saves a process state including a volatile state and a desired part of a persistent state during a normal execution for a user application process, and thereafter saves the saved state. Restore the state. The delayed checkpoint technique delays the setting of a persistent state checkpoint until there is an inconsistency between the checkpointed volatile state and a portion of the persistent state. The checkpoint recovery system of the present invention allows a user application process to exclude a specified portion of the persistent state from a checkpoint. Protect selected parts of the pre-recovery process state, such as return arguments, before restoring the user application process to a checkpointed state, and restore the protected state's pre-recovery values to the checkpoint. It can be retained after recovery. The retained return value allows the segment of the recovery code to be executed after recovery and also allows the normal execution mode to be distinguished from the recovery mode.

Description

DETAILED DESCRIPTION OF THE INVENTION               Checkpoint and recovery system for persistent stateTechnical field to which the invention belongs   The present invention provides a system for executing and restoring a process state to a checkpoint. Process status, especially including delayed checkpoints of persistent process state System for suspending and restoring the state.Conventional technology   Increasingly, users of software applications find that software is Less likely to cause a hardware failure (fault), or at least for failure It requires resistance. For example, users of a telecommunications switching system Requires that the stem be continuously available. In addition, the communication For financial transactions, such as cash machines, or other important data, Customers also demand the highest data integrity.   Thus, it can cause consequences for user application processes Various software inspection devices to detect many programming errors Tooling tools have been developed. For example, Pure from Sunnyvale, California, USA Software, Inc., and is described in U.S. Pat. No. 5,193,180. Purify^TMSoftware inspection tools can detect memory access errors and We provide a system to detect moly leaks. Purify^TMThe system is Monitor the allocation and initialization status of each byte. Further notes Purify for each software instruction that accesses the^TMSystem runs test The program has not written to unallocated memory, and Guarantee that no data is read from the unallocated or unallocated memory.   Purify^TMSoftware inspection and debugging tools like the system Many programming that can lead to failure in the application process It provides a valid basis for detecting errors, but it does not No matter how many checks, verifications or checks are performed during And removes them for complete reliability in user application programs I can't give it. Therefore, residual failure due to untested boundary conditions, not predicted Exceptions and unexpected execution environments bypass inspection and bagging processes It has been observed that these can surface when triggered during program execution. Can cause the application process to crash or hang. Service interruption.   Therefore, if the user application minimizes the amount of lost information and It would be desirable to provide a mechanism that can recover from the failure. Therefore, the hardware Software and software failures to minimize the amount of lost information. Several checkpointing and recovery methods have been proposed for . Checkpoint execution and rollback recovery Generally, R.A. Koo and S. Toueg, ″ Checkpointing and Rollback-Recovery for  Distributed Systems ", IEEE Trans. Software Eng., Vol. SE-13, No. 1, pp. 2 3-31 (January 1987). In general, checkpoints and recovery The old technology saves the state of the process periodically during normal execution and then after a failure , Restore the saved state. In this way, the amount of work lost is To the progress made by the user application since the checkpoint Is done.   Note that the state of the process can be volatile or persistent. Is included. Volatile states contain process information that would normally be lost in the event of a fault Is included. The persistent state contains the current execution of the user application process. All relevant user files are included. Persistent states are generally impaired Is not lost, but to maintain data integrity, the same port as the recovered volatile state is used. Int need to restore the sustained state.   Existing checkpoint execution and recovery techniques rely on volatile state checkpoints. However, these methods do not checkpoint persistent status. I haven't dealt with int execution enough. According to one approach, all In the persistent state, in other words, all user files, each checkpoint in the volatile state A checkpoint is performed at the point. Clearly, the overhead associated with this method Can be very large for most applications. Existing Unix^TMCheck Another method, such as a checkpoint library, is to checkpoint volatile states. File of the active or open user file when Checkpoint only the scripter. However, this method does not The user file is created or activated after the If you do, you will run into integrity problems. The reason is that the process is the last checkpoint Is restored, a new one is created since the last checkpoint or Changes to the activated file are not undone. this Such inconsistencies often result in corrupt files that are not detected obtain.   Such checkpointing and recovery techniques are useful in many applications. Works well in an environment, but has some limitations. These limitations are overcome This will increase the integrity and transparency of the checkpoint execution system, It also expands its usefulness to other applications that were previously unthinkable. Especially, Most traditional checkpointing and recovery techniques rely on disaster recovery. Do not take advantage of the benefits of checkpointing and recovery other than that.   As is clear from the above explanation, the whole persistent state, or its necessary parts, Checkpoint execution and enable each checkpoint to be included in Recovery techniques are needed. In addition, checking for persistent states until an inconsistency occurs Technology for delayed checkpoint execution and recovery that delays It is important. In addition, save as a starting point for performing new tasks. Selected part of the persistent state so that the intermediate state can be used Checkpoints can be excluded from a given checkpoint Execution and recovery systems are needed. In addition, protected state recovery Before restoring the current process, ensure that the previous values are retained after the checkpoint is restored. Checkpoints that can protect selected parts of the access state and A recovery system is needed.Summary of the Invention   In general, according to one aspect of the invention, a checkpoint and recovery system is provided. The system saves the process state during normal execution and then, for example, recovers after a failure. The user application process to restore the saved state during And implement checkpoint and recovery techniques. According to a feature of the invention, Checkpoint and recovery systems are designed for both volatile and persistent states. Perform a checkpoint. In one embodiment, the persistent state checkpoint Line is inconsistent between checkpointed volatile state and user file Delay check to delay taking a persistent state checkpoint until Consists of the lockpoint method.   According to another aspect of the invention, a checkpoint and recovery system is provided. More specifically, the user or user application process It is possible to specify that the selected part should be excluded from the checkpoint it can. In this way, the desired intermediate state is checkpointed and a new It can be used as a starting point for performing processing tasks. For example, you The application process requires a long initialization process and then If you are processing some input using a synchronized state, check the input file. Checkpoints can be excluded from the it can. After that, the checkpoint executed initialization state is restored, and new entry Processing tasks can be performed for each set of input files. Thus, Yu The user application process can transform the desired or predictable state into a future Input can be processed. In another embodiment, the checkpoints and Recovery system recovers the entire persistence state, in other words, all user files , Used to exclude parts of the process state that are checkpointed It is possible.   According to another aspect of the invention, a user executing on a computer system. Checkpointing and restoring the application process is realized You. In this way, the user application process is responsible for the volatile state and user And a persistent state consisting of user files. The method of the present invention Is   Performing a checkpoint of the volatile state at the checkpoint location;   Checkpoint that will monitor the persistence state and change the persistence state A monitor step for detecting file operations after the position;   If the monitoring step detects that a change in the persistence state is to be performed, Checkpoint at least the part of the sexual state that will be changed Steps and   Checkpointing can be performed by restoring the process state to the checkpoint position. Reverting changes to the persistence state since the   Resume execution of the user application process from the checkpoint position It consists of steps.   According to yet another aspect of the present invention, a user application process A method of restoring the associated initialized state is realized. In this way, the user An application process has a process state and at least two sets of inputs Perform processing tasks based on the initialization state for the file. The method of the present invention ,   (A) A process for initializing a user application process to form an initialized state Tep,   (B) Specify the input file to be excluded from the process state checkpoint Steps   (C) Checkpointing a part of the process state that is not excluded Steps and   (D) processing tasks based on the initialization state and the current set of input files Steps to perform;   (E) Put the user application process in a state where the checkpoint has been executed A recovery step to recover and generate a predefined return value indicating the recovery mode; ,   (F) If the recovery step returns a predefined return value, a new input Obtaining a set of files and replacing the excluded input files;   (G) Repeat steps d to f for each set of input files to be processed. Consists of Tep.   A more complete understanding of the present invention may be had from the more features and advantages of the present invention. And with reference to the detailed description and drawings.BRIEF DESCRIPTION OF THE FIGURES   FIG. 1 is a schematic diagram showing a checkpoint execution and recovery system according to the present invention. It is a block diagram.   FIG. 2 is an execution graph of the user application process, in which the volatile check is performed. Process migration to a new machine Show   FIG. 3 shows the relationship between the user application process and the operating system. Monitor file system calls for inconsistencies between persistent and volatile states FIG. 4 illustrates an interrupt routine that detects a change to a persistent state that will occur.   Figure 4 shows the persistence for each file that has changed since the last volatile checkpoint. Indicates the persistence checkpoint table that stores the checkpoint information You.   FIG. 5 illustrates an exemplary implementation that is called before the execution of the user application process. 9 is a flowchart describing a before-line checkpoint subroutine.   FIG. 6 illustrates an example called to checkpoint a volatile state. 5 is a flowchart describing a volatile state checkpoint subroutine.   FIG. 7 illustrates an exemplary implementation of the file system call interrupt subroutine of FIG. It is a flowchart which describes. This means that changes can cause inconsistencies between volatile and persistent states. Called to checkpoint the user file before it occurs.   FIG. 8A and FIG. 8B collectively show return values capable of controlling processing after restoration. Together with the specified checkpoint to restore the process state. 4 is a flowchart describing an exemplary recovery subroutine.   FIG. 9 can be called after execution of a user application process 5 is a flow diagram describing an exemplary cleanup subroutine.   Figure 10 shows software termination caused by resource shortage Here is a sample source code that incorporates the features of the present invention to bypass.   FIG. 11 checks the initialization state of a set of additional input files and parameters. Of the present invention to execute the lockpoint and restore the process state to its initialized state. In a flowchart describing an exemplary routine that bypasses long initialization, incorporating features is there.   FIG. 12 shows a checkpoint of a clean memory state and its clean state. An example incorporating the features of the present invention to restore the process state to the memory state Is a flowchart describing a typical memory reset subroutine.Detailed description   FIG. 1 shows a checkpoint restoration system 10 according to the present invention. Further below As described, according to the checkpoint recovery system 10, during normal execution, Process state, and then save the saved state, for example, during recovery mode after a failure. Checkpoint in the user application process to recover And recovery technology can be implemented. In this way, the application Work lost by the process is generated since the last checkpoint It is limited to what was done.                           System architecture   As shown in FIG. 1, the checkpoint restoration system 10 disclosed here Computer, workstation or other general purpose computer device It can be implemented on such a processing node 20. Processing nodes 20 Both have one processing unit 25 and memory storage device 30. No processing The processing unit 25 and the memory storage device 30 of the Or on the local processing node 20 for intra-node communication. It can be interconnected by an inter-process communication (IPC) facility. Further In a known manner, each node 20 performs serial or parallel inter-node communication. Network interface 70 to a communication link 75 for other nodes. Interconnected with a remote or remote centralized recovery coordinator (not shown) Is also possible. The network interface 70 is, for example, ATM host adapter available from Fore Systems, Inc. of Pittsburgh, N.A. Puttacard. In this way, the user application process Permanent or long term hardware failure may cause If it cannot recover, the user application process It can be exported to a processing node. This technology is often It is called smigration.   Processing unit 25 may operate as a single processor or in parallel. It can be implemented as several processors. Memory storage device 30 Is an area of volatile memory which is generally unstable. Instructions that can be interpreted and executed can be stored. In one embodiment, The regenerative memory storage device 30 is a process executed by the processing unit 25. Software code associated with each user application process, such as 40 Together with the checkpoint library called by the user process 40 The re-function 50 is stored. Further, the volatile memory storage device 30 may be User application process 40 and checkpoint recovery license Data segment section storing data associated with each of the library functions 50 Option 55 is included.   Checkpoint called by user application process 40 Library function 50 is selected from checkpoint recovery library 150 . Checkpoint recovery library 150 can also be stored locally. Yes, or stored on a centralized file system such as file system 120 It is also possible to pay. File systems such as file system 120 Provide a centralized warehouse for storing user accessible files. General In addition, the centralized file system 120 is a non-volatile or persistent memory area. Thus, information can be held without a power supply.   Included in checkpoint recovery library 150, as described further below Functions are written in a high-level programming language such as the C programming language. User-level library functions. Checkpoint recovery library 15 The function in 0 can be used to save process state during normal execution, or During the recovery mode after a failure, the user application is required to restore the saved state. Can be read by the application process. In one embodiment, checkpoint recovery The user process 40 that calls a function from the library 150 Or the function link called by the dynamic linking process. Bound with the code.   As shown in FIG. 1, the checkpoint recovery library 150 It has a point subroutine 152. Checkpoint subroutine before execution 152 is called before the execution of the user application process. Check before execution The lockpoint subroutine 152 is described in more detail below with respect to FIG. . In addition, the checkpoint recovery library 150 A subroutine 154 is provided. Volatile state checkpoint subroutine 1 54 is volatile when called by the user application process 40. From the memory 30 to a non-volatile memory area such as the disk 100, the volatile state Store a copy of. Checkpoint disk 100 is located on processing node 20 It can be local or remote to the communication network. It can also be on a node. Volatile state checkpoint subroutine The details of the button 154 will be described later with reference to FIG. In addition, checkpoi Component recovery library 150 is a file system call interrupt subroutine 15 6. File system call interrupt subroutine 156 has a persistent state Provides a delay technique for performing a checkpoint on a desired portion of the File The system call interrupt subroutine 156 is further described in FIGS. And will be described later.   The library 150 has a restoration subroutine 158. Recovery sub blue The routine 158 returns the user application process to the desired checkpoint. Called to obsolete. 8A and FIG. 8B will be described later. As already pointed out, the recovery subroutine 158 User specifies user files to be excluded from the persistence state checkpoint Provides a mechanism that allows the user application process to Ah Or it allows to process future inputs from a predictable state. Finally, The checkpoint recovery library 150 executes a cleanup subroutine 160. Have. The cleanup subroutine 160, if necessary, Run the user application process to remove the Called after a line.   In various implementations, the recovery subroutine 158 will be apparent to one of ordinary skill in the art. It can also be started automatically in response to a detected fault, or Manually initiated by the user, for example, by command line input. Both are possible. In the automatic mounting, as shown in FIG. Can have a watchdog 80. Watchdog 80 Error detection monitor 85 that monitors the processes running on each node including. The error detection monitor 85 indicates that the process is hung or Execution on node 20, such as process 40, to determine if Continuously monitor running application processes.   The monitoring performed by the error detection monitor 85 must be active Can also be passive. In an active monitoring configuration, the watch The process 80 uses the inter-process communication (IPC) facility on the local node 20 Monitor by periodically sending messages to the Poll each application process to determine the status of that process. , To determine if the process is still active.   In the passive monitoring configuration, each application process is 0, which is used by a user application such as process 40. When called by the watch process, the watchdog 80 , A heartbeat message indicating that process 40 is still active Send a page. Before the end of the specified interval, the watchdog 80 If no signal is received from the process 40, the watchdog 80 Presumed that the solution process was hung or crashed.   As will be further described later, the error detection monitor 85 controls the user application. When a failure in the restart process 40 is detected, the restart subsystem 90 From the last checkpoint, the failed application process Attempt to recover a failed application process by performing a restart . The restart subsystem 90 performs a recovery subroutine 158 when a failure is detected. To restart the failed user application process.                 Checkpoint and recovery concepts and definitions   For a general explanation of checkpoint and recovery concepts and definitions, see For example, Yi-Min Wang et al., “Progressive Retry Technique for Software Error  Recovery in Distributed Systems ″, Proc. Of 23rd IEEE Conf. On Fault-To lerant Computing Systems (FTCS), pp. 138-144 (June 1993), or R. Koo and S. Toueg, ″ Checkpointing and Rollback-Recovery for Distribut ed Systems ", IEEE Trans. Software Eng., Vol. SE-13, No. 1, pp. 23-31 (19 Jan. 1987). In general, checkpoint and recovery techniques are To minimize the amount of work lost, sometimes during normal program execution. Process state, and then restore the saved state, for example, after a failure .   FIG. 2 illustrates the execution of a user application process, such as process 40. . While the user application process 40 continues to execute, the volatile checkpoint Int VC₁, VC_TwoAnd VC_ThreeCheckpoint for volatile state Be thrown out. Here, the term volatile state includes the program stack, open File descriptors, static and dynamic Information that would normally be lost in the event of a failure, such as data segments, and the operating Such as operating system registers, program counters and stack pointers Related to the operating system kernel essential to the current program execution Data structures.   Further, in accordance with a feature of the present invention, user application process 40 is Perform file operations that change the persistence state, such as user file attributes In this case, the affected files are Before being executed, a persistent checkpoint PC_{3 '}And PC_{Three ″}Indicated by A checkpoint is performed so that Here, the term persistent state , Yu User files associated with the current execution of the user application process Is included. The persistence state is generally not lost in the event of a failure, but the persistence checkpoint The process is triggered by the last volatile checkpoint, for example, when a fault is detected. Ensure that the persistent state is consistent with the volatile state when rolling back to Testify. Note that the persistence state indicates that updates to a given file Recorded until inconsistent with the volatile state associated with the last checkpoint. Not. As described below, the persistent checkpoint PC_{3 '}And PC_{Three ″}By Undo all changes to the persistent state since the last volatile checkpoint Is done.   Thus, "F₁If a failure is detected at the point indicated by The emitting state is the last volatile checkpoint VC_ThreeCheckpoints related to Checkpoint VC by restoring data_ThreeRoll back to be able to. In addition, a persistent checkpoint PC_{3 '}And PC_{Three ″}By , Last volatile checkpoint VC_ThreeSubsequent changes to the persistence state And returned to. Thus, after a rollback, the entire persistent state is the last volatile chip Check Point VC_ThreeConsistent with the volatile state as it existed at the time. Note The point is, if the process cannot be restarted on machine A, As shown, the process migration causes the process to look like machine B. It is possible to restart on an alternative machine.     Monitoring persistence status by interrupting file system calls   As noted earlier, the persistent state includes the current state of the user application process. Contains all user files related to the current run. Generally, user apps Application process can access and modify user files The only way to do this is to send the file system to the operating system kernel. It is due to Mucor. Therefore, depending on the user application process Checkpoint recovery system interrupts each file system call generated. Identify all possible changes to the persistent state, as assessed by system 10 Is possible. Thus, as shown conceptually in FIG. All file systems created by the user application process The call is made when the desired file operation is actually performed by the operating system 300. Before being executed, it is interrupted and monitored by the interrupt routine 156. This This will be described later with reference to FIG. In this way, file operations are persistent If you are trying to change a file that is related to the status, the status of the affected file Can be recorded to ensure consistency.   In one embodiment, the persistent state checkpoint is the persistent checkpoint illustrated in FIG. Recorded in the int table 400. The persistence checkpoint table 400 is , Stored in persistent memory, such as a disk, every time the table 400 is changed. Stored on the disk. Each persistence checkpoint table 400 contains a specific Checkpoint related to the user application process by id Associated with the particular volatile checkpoint identified, lines 405 and 410 Have multiple rows. Each row has something after the associated volatile checkpoint Corresponding to the changed user file. Each indicated by "file name" Per file, the persistence checkpoint table 400 may change There is an entry for each file attribute with. For example, a persistent checkpoint The table 400 includes a column 435 for recording the “change time” of each file, A column 440 for recording the “access mode” of each file, and the current Includes a column 445 for recording the current "size".   In one embodiment, each entry in table 400 contains, for a given file, When a row is created, it is initialized with a default value such as "-1". afterwards When a file attribute is changed, the current attribute value can be recorded before the change. Wear. In this way, the given attribute of the file to be recovered is "-1". If so, the attribute has not changed and does not need to be restored. Regarding FIG. As described later, the entry is stored in the file system call interrupt subroutine 15. 6 is created in the persistence checkpoint table 400. further, As described below with respect to FIGS. 8A and 8B, checkpoint Identified by id value During the recovery of a particular checkpoint to be performed, the recovery subroutine Access the checkpoint table 400 and use the information contained in Continued Restore sexual condition.                     Checkpoint recovery library function   Checkpoint subroutine before execution   As already pointed out, the checkpoint recovery library 150 And a checkpoint subroutine 152. Checkpoint subroutine before execution Step 152 is executed before the user application process 40 is executed. For example , Programs written in the C programming language usually have a "main" routine. Start execution from the first line Therefore, the pre-execution checkpoint subroutine The execution of the routine 152 should be called before the execution of the "main" routine.   The checkpoint restoration system 10 has two modes, the insert mode and the transparent mode. Provides two modes of operation for executing the checkpoint. Insert mode is By inserting a checkpoint function at the desired location in the source code, The application process to implement a checkpoint mechanism. You. Transparent mode automatically performs checkpoints at specified time intervals Provide a mechanism. According to the transparent mode, the user application process Without the need to change or recompile the user application process A checkpoint mechanism can be incorporated.   As described later, in transparent mode, checkpoints are performed at predefined intervals. To start a close, the pre-execution checkpoint subroutine 152 A lock daemon process is created. Each specified interval, as described below Spawned clock daemon to initiate a checkpoint at the end of A process interrupt call is issued by the operating system at the direction of the process. To the associated user application process.   As shown in FIG. 5, the pre-execution checkpoint subroutine 152 Starting at 500, then at step 505, checkpoint recovery system Open File Table and Persistence Checkpoint Required by 10 Initialize a data structure such as the client table 400.   Then, in step 520, for example, from the user's designation on the command line , Alternatively, the user application process is set to insert mode A test to determine if it is running in transparent mode or Execute. At step 520, the user application process is in transparent mode If it is determined that execution has been performed, in step 525, for example, the fork system code Creates a clock daemon process. As already pointed out, The lock daemon process is executed by the user application process at specified intervals. Acts as a checkpoint timer that starts the checkpoint of One practice In the example, the checkpoint is every 30 minutes unless a valley interval is specified. Started at a default interval such as   On the other hand, at step 520, the user application process runs in insert mode. If it is determined that the process has been executed, the Checkpoints are only initiated when called.   In step 540, a correct check for the user application process A test is performed to determine if the point file already exists. Paraphrase If this is the case, the test is running in normal or recovery mode. Is determined. Note that the user application process Upon successful completion of the process, unless otherwise specified, the clear is performed as described below with respect to FIG. Startup subroutine 160 is associated with the user application process. Delete the checkpoint file to be executed. Thus, the user application If a checkpoint file exists at the start of the process, e.g. The previous execution did not end normally, or the user application process Requested that the checkpoint file be stored for later recovery. Either. At step 540, the user application process If it is determined that the correct checkpoint file exists, check before execution The point subroutine 152 returns and will be described later with respect to FIGS. 8A and 8B. The data related to the existing checkpoint file was recovered and recovered Start the execution of the user application process from the time of the checkpoint Therefore, in step 550, execution of the recovery subroutine 158 is started.   On the other hand, in step 540, the correct check for the user application process is performed. If it is determined that the checkpoint file does not exist, The subroutine 152 returns and at step 560, the user application program The execution of the process starts.   Volatile state checkpoint subroutine   As already pointed out, the checkpoint recovery library 150 has a volatile state. It has a checkpoint subroutine 154. Volatile state checkpointer The routine 154 states that in transparent mode, a checkpoint should be initiated. By an interrupt signal from the clock daemon or in insert mode Is a checkpoint inserted in the source code of the user application process. Called when an event function call is executed. In addition, as described below, The spontaneous state checkpoint subroutine 154 returns the program counter value to It is called indirectly from the recovery subroutine 158 after being aged.   The volatile state checkpoint subroutine 154 is a user application Stores all information needed to recover the process, which is lost in case of failure I do. In one embodiment, the volatile state checkpoint subroutine 154 includes Checkpoint available to identify checkpoint intervals passed the id argument . The volatile state checkpoint subroutine 154 checkspoint passed the id argument If not, the previous checkpoint data is overwritten. checkpoint id discount Numbers can be global variables to later checkpoint the persistence state. The file system call interrupt subroutine 156 to be implemented has an appropriate (current ) To associate a persistent state checkpoint with a volatile checkpoint, Can be accessed.   As noted above, hardware for temporary storage of values in the central processing unit User registers, such as hardware registers, stack pointers, and program counters. Some volatile information related to the current execution of the application process is Managed by the rating system kernel. These memory elements are usually Is not accessible by the user application process, but Operating systems are typically required by specific user application processes. Checkpoints required operating system information To provide a routine. Operating system to perform this task The routine provided by the system, at step 610, registers, This is executed to save the contents of the pointer and the program counter. example For example, the Unix operating system Access data structures and save them in the declared global data structure Offers tjmp calls. Those global data structures are then A checkpoint can be performed as part of the sexual state. setjmp system co For details of the operation of the rule, see, for example, W.W. R. Stevens, "Advanced Programmin g in the Unix Environment ", pp.174-180 (Addison Wesley, 1992) ing.   Thereafter, program control proceeds to step 620. It is important to note that During execution of old subroutine 158 (FIGS. 8A and 8B), After recovery of the program, the value of the program counter corresponds to the restored checkpoint. It is restored to the value. Therefore, when the value of the program counter is changed, The old subroutine 158 jumps to the position immediately after the execution of step 610. And It should be further noted that the recovery subroutine 158 must be greater than zero. Returns the return value. This can be used to control the flow of execution after recovery. You. For example, for a predefined return value, a code is executed, Another code sequence is executed in case of another predefined return value .   Thus, in step 620, an operation such as the setjmp system call Test to determine whether the return value from the Be executed. As noted above, the restore subroutine 158 causes The return value can be used in recovery mode. In step 620, the return value is If it is determined that it is not 0, the volatile state checkpoint subroutine 154 The current execution is called from the recovery subroutine 158 in recovery mode and Program control proceeds directly to step 670 without performing a checkpoint. No.   On the other hand, if it is determined in step 620 that the return value is equal to 0, the volatile state check is performed. The current execution of the checkpoint subroutine 154 Instead of being called, the volatile state checkpoint subroutine 154 Continue volatile checkpoint. That is, in step 630, the volatile check is performed. File descriptors of all open files at the time of the File, along with the file name and current location of the file Stored in a table. The open file table contains a file for each open file. Includes file descriptor, file name and location. Then, step 640 The data segment associated with the user application process All dynamically and statically allocated such as file variables and static variables Including the memory and the open file table. Finally, step At step 650, the current contents of the stack are saved.   Execution of the volatile state checkpoint subroutine 154 ends at step 670. And return with the indicated return value. Volatile state checkpoint If subroutine 154 returns a value of 0, this is a checkpoint Indicates success. Further, the volatile state checkpoint subroutine 15 If 4 returns a value greater than 0, this can be used to control the flow of execution Execution has returned indirectly from the recovery subroutine 158 with a valid return value. Is shown.   File system call interrupt subroutine   As already pointed out, the checkpoint recovery library 150 has a persistent state File system call interrupt subroutine 156 implementing checkpoint including. File system call interrupt subroutine 156 To file system calls that may change the attributes of the file, if necessary Performs a delayed checkpoint of the changed portion of the persistent state. The file system call interrupt subroutine 156 performs the required file operations. Perform a persistent state checkpoint before actually executing In addition, The file system interrupt subroutine 156 can be held only as necessary. Perform a checkpoint of the persistent state.   The file system call interrupt subroutine 156 has The process starts at step 700 when a file system call is received. Steps At 710, the interrupted file operation should begin setting checkpoints A test is performed to determine whether to change file attributes. Step 71 0 indicates that the interrupted file operation should start setting checkpoints. If it is determined not to change the file attribute, the program control proceeds to step 750. The desired file operation is executed as described later.   On the other hand, at step 710, the interrupted file operation sets a checkpoint. If it is determined that the file attribute for which the setting should be started is changed, in step 720, The user performs, for example, a function call or enters command line arguments , Or by setting an environment variable, the current file is checked A test is performed to determine if it has been specified to be excluded from the list. This The user or user application process is given a Determines whether a file should be included in the persistent state checkpoint And can be specified selectively.   At step 720, the current file should be excluded from the checkpoint Is determined, the program control proceeds to step 750, where Perform the desired file operation. On the other hand, in step 720, the current file is If it is determined that it should not be excluded from the check point, Global variable checkpoint The last volatile check identified by the current value of id This file determines whether a checkpoint has already been performed since the The specified test is performed. In step 730, the last volatile checkpoint If this file is subsequently determined to have been checkpointed, The program control proceeds to step 750, where a desired file operation is performed as described later. Run.   On the other hand, in step 730, this file If it is determined that the checkpoint has not been executed, step 740 Creates a shadow copy of this file, and gives the file name and attribute The previous value to the checkpoint Persistence checkpoint table corresponding to the current value of id This file is checkpointed by appending to You. In an alternative embodiment, the persistence state checkpoints each file by attribute. Perform a checkpoint on the attributes affected by the current file system call. Checkpointing only genders can further optimize It is. In other words, file operations affect only a subset of all attributes, A subset of the affected attributes before the file operation is performed in step 750 Only the checkpoint needs to be executed. For example, a write system call already exists If you only add data to the end of the file, the volatile The file contents that existed at the checkpoint are not changed, so the file Checkpoint the file size without checking the contents. Is enough. After recovery, this file can be truncated to an appropriate size. is there.   After performing a checkpoint on the file in step 740, At step 750, the desired file operation can be performed. Persistent state Checkpoints are recorded before file operations are performed, so they are not persistent. The information stored in the checkpoint table 400 is the last volatile checkpoint. Can be used to undo changes made to each user file since It is possible. At step 750, after the desired file operation has been performed, the file Execution of the system call interrupt subroutine 156 ends at step 760, and Return to execution of user application process.   Recovery subroutine   As already pointed out, the checkpoint recovery library 150 is not And a recovery subroutine 158 shown in FIG. 8B. The recovery subroutine 158 is an example For example, after a failure is detected, the watchdog 80 When the application restarts from the correct checkpoint, or A rollback function call is inserted in the source code corresponding to the application process. Called when it is running. Here, the term rollback is used Or indicates a recovery initiated by the user application process, The term is used to indicate recovery after a failure with the correct checkpoint file. Used. In one embodiment, the following arguments are passed to the recovery subroutine 158: .   • The value of mode indicates whether the current run is in recovery mode or rollback. Indicates whether the mode is the lock mode.   ・ Checkpoint id (checkpoint ID) value and return value (return value) Is returned after the execution of the restoration subroutine 158.   ・ Protected list of variables (protected variables) Even after being restored to the default, the value before restoration is maintained. Note that checkpoint If no id value is specified, the process will It is restored to a later checkpoint. Furthermore, return If value is not specified , A positive return value (for example, 1) is used. The recovery subroutine 158 is instructed Acts to restore the volatile and persistent state corresponding to the checkpoint. You. As described below, the restore subroutine 158 restores a volatile checkpoint. Based on changes made to persistent state since the restored volatile checkpoint. Reverting guarantees consistency between volatile and persistent states.   According to a feature of the invention, the recovery subroutine 158 is Return when called by the process value and protected variables An array is specified. In one embodiment, the recovery subroutine 158 is Protected when rolling back to finger by variables array The current value of the indicated variable is return protected with the current value of the value variable . Thus, after a recovery to a particular checkpoint, the return specified before the recovery value is maintained and can be used to control the flow of execution after recovery It is. In addition, if the user or user application process If you do not want to roll the number back to a particular checkpoint, d Using the variables mechanism, specify the variables that should keep their current values after recovery Can be return If value is not specified, 1 is used as default value Can be.   As shown in FIG. 8A, when called, the recovery subroutine 158 proceeds to step 8 It starts from 00. Then, at step 810, checkpoint indicated by the id argument The persistence checkpoint table 400 (FIG. 4) corresponding to the value to be read is read. You. At step 815, the user can, for example, by command line input or Depending on the setting of the environment variable, it is listed in the persistence checkpoint table 400. To indicate that the shadow file must not be recovered. Test to determine whether the int table 400 has been indicated to be changed Is executed. In step 815, the user sets the persistence checkpoint table 4 If it is determined that the user has instructed that 00 should be changed, then in step 820, The table 400 is changed according to the specified change.   After the persistence checkpoint table 400 is changed, if necessary, At step 825, the shadow files corresponding to each file listed in the table 400 are displayed. The file is searched from the appropriate checkpoint data and its shadow file is By copying over the existing file, the persistence checkpoint table 4 00, the persistent state is restored. In addition, a persistent checkpoint table The attributes of each file listed in the file 400 are It is changed according to the value recorded in the entry.   Then, in step 830, the current execution mode of the recovery subroutine 158 is Recovery mode after failure or rollback mode initiated by user Is and protected Determine if values in variables array are correct The test runs. At step 830, the current execution of the recovery subroutine 158 Mode is rollback mode, protected if the values in the variables array are correct If determined, in step 835, the data segment Protected while the event is restored protect variables specified by variables array Variables are copied from the data segment to a temporary file to .   Then, at step 840, checkpoint the volatile key identified by the id argument The checkpoint file is read. In step 845, the Using the obtained volatile checkpoint file, open file table The containing data segment is restored.   Then, at step 850, the current execution mode of the recovery subroutine 158 is Whether the device is in the callback mode and protected variables array value is positive The test to determine if it is acceptable is performed again. In step 850, the recovery sub The current execution mode of the routine 158 is the rollback mode, va If the value of the riables array is determined to be correct, at step 855, protected The variables specified by the variables array are protected in the temporary file. From the specified location to the data segment and returned. In this way, prot expected Each variable specified in the variables array keeps its value before restoration.   At step 865, the user may enter a command line Indicates that the open file table should be changed by setting environment variables. A test is performed to determine if At step 865, the user If it is determined that the command indicates that the open file should be changed, the specified change Is executed in step 870. For example, a section later entitled "Bypassing Long Initialization" In one application, including the features of the present invention, described in The punfile table lists the first set of previously processed input files. To For each subsequent set of inputs to be processed, a first set of input files To replace the file with a set of input files suitable for the current run. Change the file table.   After the open file table is changed, if necessary, at step 875 , The file descriptor indicated in the open file table is restored . In other words, for each entry in the open file table, the file is Opened, the file name is associated with the indicated file descriptor, The current position of the file is adjusted to the position recorded in the open file table entry. Is adjusted. Thereafter, at step 880, stack space is allocated and At step 885, the stack reads the volatile checkpoint read at step 840. Is restored according to the information in the event file.   As noted above, hardware for temporary storage of values in the central processing unit User registers, such as hardware registers, stack pointers, and program counters. Some volatile information related to the execution of the application process Managed by the operating system kernel. These memory elements are usually Not accessible by the application process but operating System is generally required by a particular user application process. Provides routines that allow you to recover operating system information ing. Provided by the operating system to perform this task. The routine that is executed determines in step 890 the registers, stack pointer and program This is executed to restore the contents of the ram counter. For example, Unix operating System recovers these operating system data structures long Offers jmp call. See the example for details on the behavior of the longjmp system call. For example, W. R. It is mentioned in Stevens, op.   As pointed out above, the value of the program counter indicates that the checkpoint has been restored. When the value recorded at the time of recovery is restored, the execution of the recovery subroutine Jump to step 620 of state checkpoint subroutine 154 (FIG. 6). You. Thus, the recovery subroutine 158 is a volatile state checkpoint subroutine. Return from the routine 154 effectively. Further, a restoration subroutine 15 8 is the specified return value and protected Variables specified in the variables array Returns with the number kept at the value before restoration.   Cleanup subroutine   As already pointed out, the checkpoint recovery library 150 Cleanup subroutine 160 executed after the execution of the application process including. As shown in FIG. 9, the cleanup subroutine 160 The process starts at step 900 when the application process ends. Step In step 910, the current execution mode of the user application process is set to the transparent mode. A test is performed to determine if In step 910, the current execution If the mode is determined to be the transparent mode, in step 930, the pre-execution check is performed. The clock daemon process created by the It is deleted (killed).   Thereafter, at step 950, a check associated with the user application process is performed. A test is performed to determine whether the lockpoint file should be maintained. S If it is determined in step 950 that the checkpoint file should not be retained, If not, in step 970, checkpoints associated with the user application process The int file is deleted. In step 980, the cleanup subroutine 160 ends the execution.                   Checkpoint recovery application   Bypassing software premature termination   The User Application process allocates the resources needed to continue execution May be terminated on the way because it cannot be performed. Different from software failure If the process terminates prematurely due to a resource shortage or an exception, The process is still under control just prior to the end of the program. This Here, the exceptional state is a normal state defined by the user application process. Is defined as an execution other than a simple execution flow. Generally, resources that require processes When a process (for example, dynamic memory) cannot be allocated, Prints an error message indicating the "resource cannot be allocated" status and the program finish. Such software premature termination wastes a lot of useful processing Therefore, it is of course not preferable for an application that has been operating for a long time. General In addition, the process may start from the beginning, or perhaps, in a transparent checkpoint mode. Restart from the last checkpoint set at the interval specified in the Must.   However, according to the checkpoint recovery system 10 according to the present invention, the process Inserts a checkpoint function call in the source code just before the end of It is possible to In this way, the process status will later correspond to the premature termination It can be restored to the point just before the position where it is performed. Furthermore, according to the invention, the user Execution controller after application process recovers to last checkpoint By using the function, the return value of the restoration subroutine 158 Can indicate that the current run is a recovery mode that initiates a special recovery process It is.   In FIG. 10, for example, caused by a failure in allocating dynamic memory Source code containing the features of the present invention that can be used to bypass software premature termination Indicates the code segment. The code sequence shown in lines 1015 to 1050 is the first Executed at line 010 unless the process can allocate dynamic memory. The malloc function call executed at line 1010 is usually a C programming language related The memory allocation function in the library Allocate the start address of the allocated memory to the declared pointer ptr. Returns a value.   For example, if another process runs out of remaining swap space When a process cannot allocate the desired dynamic memory, Seth is the variable MAX RETRY Until the maximum number of retries specified by COUNT is exceeded Retry the assignment. Note that the maximum number of retries is 0 Can also be set to MAX RETRY If COUNT is exceeded, step 102 After chkpnt () (checkpoint) is executed in step 5, the process is executed in step 1035. Ends.   As noted above, when the process is restored, the restore subroutine 158 ( 8A and 8B) are called to check the volatile and persistent states for the last check. To a lockpoint (in other words, the checkpoint executed just before the end) I do. It should be noted that when executing the recovery subroutine 158, the program When the counter value is restored, execution returns from the restore subroutine 158 to the volatile status check. Jump to the checkpoint subroutine 154. The recovery subroutine 158 A positive return value indicating recovery mode to volatile state checkpoint subroutine 154 Return with. As described above, in the embodiment of FIG. Gram control proceeds to line 1040 which executes the recovery code. In this example, the recovery Mode is retry Reset count to 0 and retry allocation of desired dynamic memory It consists of doing. However, as will be apparent to those skilled in the art, execute other recovery code It is also possible.   It should be noted that resource shortages can be transitional and pro- The same process runs under different conditions when the process is restored due to environmental changes As a result, the resource shortage state may be bypassed. However, resource shortage Is persistent, for example, if the current machine simply Bypass the premature termination if the resources provided are not sufficient to meet the Turn the process migration to another processing node with greater capacity. You may need an option. The technology of the present invention is a After starting on above, only after encountering a resource shortage condition It is possible to move a process to another machine with the desired resources.   Bypass long initialization   Many software programs include often time-consuming initialization routines. No. Furthermore, the same program is re-executed for different sets of input data. In each execution, it is necessary to repeat the time-consuming initialization routine in each execution. And many. However, in many cases, many executions of a processing routine are initialized with the same Can be reused with different input data. In this case, the initial Saves the activation state and changes depending on the future execution of the corresponding software program. Software programs by restoring them for use with force data sets. The efficiency of the system is greatly improved.   According to a feature of the present invention, as shown in FIG. Checkpoints the initialization state associated with the ram and later uses different input data Can be restored to run against. Replace for each different run Input files are excluded from checkpoints and new input files are It is possible to process each new run.   As shown in FIG. 11, an initialization bypass routine 1100 that bypasses a long initialization is executed. The process starts from step 1105. First, in step 1110, an initialization detour route 1100 includes, for example, a command line or a set of input file names. Read a first set of input parameters from the data file. Then, In step 1115, an initialization rule suitable for a given user application process is provided. Routine is executed. At step 1120, files to be excluded from checkpoints In other words, a file to be replaced in each subsequent execution is specified.   Then, in step 1130, the volatile state and if not specified in the previous step The portion of the persistent state that was set is checkpointed. Checkpoint function When the control returns, at step 1135, the return value from the checkpoint function is 0. A test is performed to determine if the value is greater (indicating a recovery mode). Step If it is determined in step 1135 that the return value is greater than 0, this is the initialization bypass route. The first execution of the chin 1100, in step 1150, the initialization state and the first The first set of data is processed according to the input file and the set of parameters Is done.   In step 1160, a set of input files and parameters to be further processed A test is performed to determine if there is an event. In step 1160, If it is determined that there is an input file and a set of parameters to process, Program control proceeds to step 1170, where the recovery subroutine 158 returns a positive return value. Be executed. The restoration subroutine 158 executes the check set in step 1130. Restore the process state to the point. It should be noted that step 113 The open file table that has been checkpointed at 0 It lists each input file associated with the cut. However, in subsequent runs, The same set of file descriptors listed in the open file table , Associated with the input file associated with each execution. Thus, the finger already As mentioned above, the recovery subroutine 158 is executed when the user opens the open file table. And a mechanism that allows the change to be reflected.   Note that in step 1170, the process status is the last check When the point is restored, the program counter also corresponds to the checkpoint The program control is executed at step 1130. Jump to the checkpoint function to be performed. At step 1130, the program If you return from the checkpoint with a positive return value as described above, step 1 As a result of the test performed at 135, program control proceeds to step 1140. Thus, the next set of input parameters, including the list of input file names, is Without the need to re-run the optimization routine, To be read in step 1140.   However, at step 1160, the input files and parameters to be further processed If it is determined that there is no data set, in step 1180, the initialization bypass routine 1 is executed. Execution of 100 ends.   Memory reset   Over time, undesired memory conditions can occur and the efficiency of software processes System performance and gradually degrade system performance until the software May cause failure. For example, software programs are often When the correct memory release is not performed for a certain execution path, including a successful commercial product In some cases, a memory leak may occur. The allocated memory space is As a result of the leak, it cannot be accessed because it is not referenced by any pointer. And cannot do it. Generally, a memory leak is caused by the first block of allocated memory. Pointer to the second block of allocated memory without releasing the first block. Happens when it is reassigned to point to As a result of memory leak, overall performance Processes run out of memory over time, with cumulative degradation and, in theory, over time You.   In addition, memory keys provided by some commercial memory managers Caches and weak memory reuse mechanisms ensure that the machine has sufficient physical capacity to meet demand. Even with the quantity, a memory shortage condition may occur. For example, the user The application process repeatedly executes a small memory block (for example, 32 bytes). The memory manager requests those small blocks After freeing the memory, use another list or the memory cache to Manage future anticipated demands on locks. Thus, these small The smaller blocks become unavailable for larger memory requests. Small blocks If there were enough requests for If there is physical capacity, it will be rejected. What is a weak memory reuse mechanism? For example, a machine with 30 megabytes of memory might have a 15 megabyte memory, for example. It is about allocating a memory first and then releasing it. After that, When the user application process requests a 16 MB allocation, Run out of conditions. The reason is that 1 megabyte for every 15 megabytes released Rather than adding, this memory manager reserves 15 megabytes freed And try to allocate 16 megabytes. In this case, in practice, sufficient physical capacity Despite the amount, it seems to exceed the machine's memory limit.   According to a feature of the present invention, the memory reset subroutine 1200 shown in FIG. Check the process memory in a “clean” state as part of the volatile state Process to prevent software failures. Roll back to a clean state. In step 1210, the memory reset subroutine The chin 1200 sets the loop index i to 0. Then step 1 At 215, an appropriate initialization routine is performed. It is important to note that initialized The dropped state is part of a volatile state that is checkpointed.   Exclude all user files from checkpoint at step 1220 Is specified. Thus, when a checkpoint is set and later restored Only the clean memory state will be restored. In addition, all Exclude all input files from the checkpoint in a persistent state, in other words Thereby, the current contents of the user file are maintained after recovery. Step 1 At 230, execute the volatile state checkpoint subroutine 154 (FIG. 6). This will checkpoint the volatile state. Then step 1 At 240, based on the initialization state and the current value of loop index i, the desired Is executed. In step 1245, the process performed in the previous step is executed. The result of the logical task is written to the output buffer, as is well known. Output battery The contents of the file until the buffer is full or when the flush system call Until it is executed, it is not sent to its intended destination, such as a disk.   At step 1250, whether there is a value of loop index i to be processed further A test is performed to determine if At step 1250, the rules to be further processed If it is determined that there is a value of the loop index i, in step 1255, the loop The index is incremented. Then, in step 1270, the loop Determines whether the current value of index i is a multiple of the specified reset period Test is performed. In other words, a clean memory state every 15 executions Current state of loop index is a multiple of 15 if state should be restored A test is performed to determine if At step 1270, the loop index is If it is determined that the current value of the box i is not a multiple of the specified reset period, Program control returns to step 1240 and continues processing as described above.   However, at step 1270, the current value of loop index i is specified If it is determined that the output buffer is a multiple of the reset cycle, the output buffer After the keys are flushed, the memory is restored to a clean state. Then, In step 1280, the return value is made equal to the current value of the loop index i, and the recovery sub Executing routine 158 rolls back to a volatile state. Choi Since the lockpoint does not contain any user files, only the clean memory state is restored. Be old. As noted above, the recovery subroutine 158 includes a step 1230 Returns with the return value from the checkpoint function. Therefore, this return value (Equal to the index of the user application). The correct progress of the process is guaranteed. Recovery subroutine 158 is checkpoint Upon return from the function, program control proceeds to step 1240, and continues as described above. Continue.   In step 1250, it is determined that there is no value of the loop index i to be further processed. If so, program control proceeds to step 1290, where memory reset subroutine is performed. The execution of the routine 1200 ends.   As will be appreciated, the embodiments described herein and modifications thereof are merely exemplary of the invention. By way of illustration, those skilled in the art will appreciate that various modifications Various modifications can be implemented.

────────────────────────────────────────────────── ─── Continuation of front page    (72) Inventor Juan, Jen Nun             United States 08807 New Jersey             ー, Somerset County, Bridgewood             Water, Limburger Drive 33 (72) Inventors Quintara, Chandra             United States 07059 New Jersey             ー, Somerset County, Wale             , Mountain Avenue 29 (72) Inventors Vaud, Kiem-Fon             United States 07922 New Jersey             ー, Union County, Berkeley             Heights, Swenson Circle 80 (72) Inventor One, E-Min             United States 07922 New Jersey             ー, Union County, Berkeley             Heights, Pinewood Crescent 10

Claims (1)

[Claims]   1. User application process running on a computer system In the method of checkpoint execution and recovery,   The user application process determines from the volatile state and the user file And a process state comprising:   The method comprises:   (A) A step for performing a checkpoint of the volatile state at the checkpoint position And   (B) Checkpoints that will monitor the persistent state and change the persistent state Detecting a file operation after the int position;   (C) when the step b detects that the change of the persistent state is performed; Checkpoint at least the part of the persistence state that will be changed. Steps to perform;   (D) By restoring the process state to the checkpoint position, Undoing any changes to the persistence state since the   (E) Restart the execution of the user application process from the checkpoint position Opening the user application process. How to checkpoint and recover.   2. Checkpoint execution of volatile state is automatically and periodically invoked The method of claim 1, wherein:   3. The checkpoint execution of the volatile state is performed by the user application program. 2. The method of claim 1, wherein the method is called by a function call during a session.   4. Performing a persistent state checkpoint will change the persistent state Called by an interrupt routine that detects file operations The method of claim 1.   5. The method specifies a user file to be excluded from the checkpoint Further comprising the step of:   Checkpoint execution of at least the part of the persistence state that will be changed The line is characterized by not including the specified excluded file checkpoint The method of claim 1 wherein:   6. Performing a checkpoint of a persistent state is not an option between volatile and persistent states. 2. The method of claim 1, wherein the method is not performed until a match occurs.   7. The part of the persistent state that is checkpointed is the intermediate state,   The step (e) processes the input after the intermediate state. Item 1. The method of Item 1.   8. User application process running on a computer system In the method of checkpoint execution and recovery,   The user application process determines from the volatile state and the user file And a process state comprising:   The method comprises:   (A) A step for performing a checkpoint of the volatile state at the checkpoint position And   (B) For each change performed after the checkpoint position, the Checkpointing at least part of at least one user file And   (C) By restoring the process state to the checkpoint position, Undoing changes to the user file since the lockpoint location When,   (D) Restart the execution of the user application process from the checkpoint position Opening the user application process. How to checkpoint and recover.   9. Checkpoint execution of volatile state is automatically and periodically invoked The method of claim 8, wherein:   10. Checkpoint execution of the volatile state is performed by the user application program. 9. The method of claim 8, wherein the method is invoked by an instruction in the process.   11. Check at least part of at least one user file to be modified Executing a checkpoint detects a file operation that changes one of the user files. 9. The method of claim 8, wherein the method is called by an issued interrupt routine.   12. The method specifies a user file to be excluded from the checkpoint. Further comprising the step of defining   Checkpoint at least part of at least one user file to be modified Must not include checkpoints for the specified excluded files 9. The method of claim 8, wherein:   13. Check at least part of at least one user file to be modified Executes the run until the inconsistency between the volatile state and the user file occurs. 9. The method of claim 8, wherein said method is not performed.   14． The checkpointed part of the user file is in the intermediate state. And   The step (d) processes an input after the intermediate state. Item 8. The method according to Item 8.   15. The method for restoring the initialization state associated with the user application process And   A user application process has a process state and has at least two Perform processing tasks based on the initialization state of the   The method comprises:   (A) A process for initializing a user application process to form an initialized state Tep,   (B) Specify the input file to be excluded from the process state checkpoint Steps   (C) Checkpointing a part of the process state that is not excluded Steps and   (D) a processing status based on the initialization state and the current set of input files; Performing the task,   (E) Put the user application process in a state where the checkpoint has been executed Recovering and generating a predefined return value indicating the recovery mode;   (F) If step e returns the predefined return value, a new Steps to take a set of input files and replace the excluded input files And   (G) Repeat steps d to f for each set of input files to be processed. The first step in the user application process, which is characterized by How to recover the reset state.   16. The process state includes a volatile state and a persistent state,   The step c includes:   Performing a checkpoint of the volatile state;   Checkpoint that will monitor the persistence state and change the persistence state A monitor step for detecting file operations after the position;   If the monitoring step detects that a change in the persistent state is performed, Checkpoint at least the part of the persistence state that will change 16. The method of claim 15, comprising the steps of: