JPS5932050A - Computer system - Google Patents

Abstract

PURPOSE:To improve the reliability of a fault processing function for a composite computer system using plural computers, by providing a deciding function for collation, diagnosis and majority to each computer. CONSTITUTION:A computer system link (CSL)6 is provided with a device number register 7 which stores the device numbers of CSLs of other computers, an address register 9 which has a communication with an instruction register 5 via a memory bus 2 for a physical address, a data register 10 which stores the data to be exchanged with other computers, and a coincidence detecting part 8 which detects the coincidence between the value of the register 7 and that of the register 9. The CSL6 is connected to a CSL of another computer via an interface bus 11. An instruction OP of the register 5 can access freely to the local memory of another computer by a physical address PA and via the CSL6.

Description

[Detailed Description of the Invention] a. Technical Field The present invention relates to a complex computer system using a plurality of computers, in which when a failure occurs in any computer, other healthy computers back it up and eliminate the effects of the failure. This invention relates to a fault-tolerant computer system that is protected so that the entire system is not affected.

b. Conventional technology Traditionally, fault-tolerant meters q have used multiple computers.

'9. (fault tolerant system
m) has been invented in various configurations by many people. (Published by Ohmsha, Microcomputer Fundamentals Course, etc.) However, many of them have specific components that have a verification function, diagnosis function, and failure location determination function. There is a drawback that when a failure occurs in a component, the function of the entire system is impaired.

CObject of the Invention The object of the present invention is to provide a multifunction computer system that uses a plurality of computers, a function that performs verification, diagnosis, and judgment by majority vote for each individual calculation, and improves fault tolerance. The object of the present invention is to obtain a fault-tolerant computer system with improved reliability of processing functions.

d.Summary of the Invention The present invention provides, when the divider 1 executes an instruction, an address signal indicating the address of the operand of the instruction is placed on the memory bus, and the second divider is identified from the address No. 18. A plurality of interconnected computers are used to read out and rewrite the contents of the storage locations at the addresses in the main storage devices of the second nine computers in accordance with the action of the instructions. A program for the same purpose is stored in each of the dividing machines, and a verification section is provided in the middle of each of the programs to be executed exclusively, and each of the plurality of calculators can be used to perform other calculations by the action of the verification section. # Compare the calculated values and status values of the machine, further collate the collation results, and when it is determined that there is an abnormality, determine the location of the failure, system reconfiguration, and restart policy, and perform fault tolerance processing by collating the determination results. This is a total nine-machine system with the following characteristics.

e. Configuration of the Invention The figure is a configuration diagram showing only one of the counting machines used in the present invention.

Local memory (hereinafter referred to as LM) [, processor unit (hereinafter referred to as 1), and processor unit (hereinafter referred to as U) 3.
It is composed of an arithmetic unit (hereinafter referred to as AU) 4, a memory bus 2, and the like. There is an instruction register 5 inside the AU, which is divided into an OP section that specifies the action of the instruction, and a PA section that specifies the physical address where data related to that action is stored.

Figure 1 shows a 32-bit computer as an example, and the 0 to 7 bits of instruction register 5 are the OP section, the 8 to 7 bits are
31 bits are used as the PA section.

The computer system link (hereinafter referred to as C8L) 6 is a device specially provided for the configuration of the present invention, and its contents have already been disclosed in Japanese Patent Applications No. 56-101227, No. 101228, and No. 10122.
1229, and "l'08BAc Series 7 Equipment Manual 770KL43A, etc.".In other words, C3L6 has a device number register 7 that stores the i device number of 081. of other computers, and a memory bus. Address register 9 is used to exchange physical addresses with register 5 via 2, data register 101 is used to store data exchanged with other calculations 1, and data is stored in device number register 7 and address register 9. A coincidence detection section 8 is provided to detect coincidence of the values (upper addresses).

The C3L 6 is connected to the C8L of another computer via the interface bus 11, and the instruction OP of the instruction register 5 can freely access the local memory of the other computer via the C8L 5 at the physical address FA. can.

Figure 2 shows three computers C8L 6-12.13, 21
．． 23°31.33' and interface bus 11-
12.13.23 is called a complete connection method. In this method, when connecting n computers, C
n(n-1) pieces of 8L are required.

v, Figure 3)-1, 3 computers'e CAL 6-11
-13.21 to 23 degrees 31 to 33 and interface buses 11-1 to 3. Another example of connection is called an n-bus connection method.

In this method, when n computers are combined, CAL is n
One piece is required. Furthermore, this method has greater fault tolerance for reasons described later.

FIG. 4 is a diagram illustrating how to allocate physical addresses of fine-needle calculators from instruction operands when three machines, m21 to m23, are combined as shown in FIG.

That is, in the figure, the first computer 21 is connected to the second computer 22 and the third computer 22.
The case where the local memory in the computer 23 is referred to is shown.

FA of the instruction register inside the first computer 21
When the physical size of the part 24 exceeds the physical number 'bs LMB < megabytes) and is less than 2 MB, a match detection part (not shown) in the C8I, 6-12 operates to refer to the local memory of the second computer 22. Also, the PAAg2O physical address of the instruction register exceeds 2MB and 3. C if less than MB
A coincidence detection section (not shown) in 3L6-13 acts to detect the third
The local memory of the computer 23 is referred to. In Figure 4, each C8L @ is shown as an individual, but in reality, as mentioned above, there are two C8Ls on both sides of the interface bus, and the CAL that controls the communication rights of the interface bus is the master C8L, and the other C8Ls. is called slave C8L.

FIG. 5 is a signal flow diagram when the first computer 21 writes data to the local memory of the second computer 22, and FIG. 6 is a timing diagram thereof. First, the AU inside the first computer 21 issues a write request to CBBSYO, CM.
IFO issues CWRTI-10 to C8I, 6-12. C8L 6-12 takes in the address information and mode information and returns a wait request CWA I To to the AU.
Wait for access. At the same time, C3L6- on the master side
21 Issues a K interface bus acquisition request CL EQO. When the request is accepted, the bus permission signal CIENLO changes to C.
Returns from 3L5-21. C3 that received this signal
L6-12 requests CB to write again after a predetermined time from AU.
88YO, CML like FO, CAC when CWRTHO comes
Returns PTO to AU and accepts write request. Next, AU outputs the CDATAO signal and write data to C8L 6-12, and C3L6-12 receives the data and sends it to C3YNHO.
is returned to the AU.

The C3L6-12 that has received the address and data from the AU outputs address information to the interface bus at the timing of C3L6-21'1cADRGO. C3L6-
21 receives address information by strobe signal CADR8O. Similarly, the data output from C3L6-12 to the interface bus at the gate timing of 0DATGO is transferred to C3L6-21 using the CDAT80 strobe signal.
Receive data to.

C3L6-2 has completed importing address and data information
1 issues a memory bus acquisition request CATNBO in order to write to the local memory of the second computer 22. Second calculator 2
2 is CI? as a bus use permission signal? Release AKBO. C
When 3L6-21 receives this signal, CBBSYO.

CMREFO, CWRTI (issues 0, requests write to local memory; second computer 22 receives address +) returns CACPTO. C8I, 6-21 C outputs CDATAO data, and when the second computer 22 receives the data, it returns C3YNHO to C3L6-21 and sends the data to the first computer 22.
The cycle of writing data from the second computer 21 to the second computer 22 is completed. The timing of these signals is as shown in FIG.

FIG. 7 is a signal flow diagram when the first computer 21 reads data from the local memory of the second computer 22, and FIG. 8 is a timing diagram thereof.

First, the AU inside [computer 2] makes a read request CBB.
Issue SYO, CMRgFO to C3L6-12. C3
L6-12 takes in address information and mode information and sends it to AU
A wait request signal CWAiTO is returned to the AU to make the AU wait for access. At the same time, an interface bus acquisition request CIREQO is issued to the master C3L6-21. When the request is accepted, CI BNLO is returned from master C8I, 6-21.

C3L6-12 that received the permission signal CIENLO
CADRGO the L5-21 head address information and field information.
Send at the timing of CADR80 is its strobe signal. The wait request CWAITO is returned to the AU again.

After receiving the address information and mode information, the C3L6-21 reads the local memory of the second computer 22.
゛ Memory bus acquisition request CATNBO
issue. The second computer that received CATNBO issues a memory bus use permission signal CRAKBO.

When C3L6-21 receives this signal, CBBSYO,
CM) Issues LE code 0 and requests read to local memory. At the same time as returning CACPTO, the second computer 22 reads the corresponding address in the local memory and reads CDATAO.
Output the data together.

C3L6-21 F; CO) Receive f -1 root cs
Return YN1(o to the second computer 22 and complete the memory path read cycle.C3L6-2 that received the data
1 is CDA' to C3L6-12 making the read request
Data is output at the timing of l'GO, and a strobe signal CDATSO is output. C3L6 that received the data
-12, read request CBBS from AU again after a certain period of time
YO, CM EFO returns CACPTO, CD
Outputs ATAO and data at the same time. The AU that received the data returns CS YNHO to C3L6-12 and completes all read cycles. The actual timing of these signals is as shown in FIG.

The above memory bus control signals are summarized in Table 1, and the interface bus control signals are summarized in Table 2. (Hereinafter, all white) Table 1 (Hereinafter, all white) Table 2 The present invention connects a plurality of computers by the above-mentioned complete coupling method or n-bus coupling method using the above-mentioned computational load communication device such as CAL. This is a computer system that improves fault tolerance.

A specific storage area used for fault-tolerant processing is provided in the local memory of each computer, and this storage area is expressed by giving the following variable names.

A: Variable to check X: A variable that stores variable names that do not match as a result of matching.

If there is a match, enter ``O''.

Y: A variable that matches the matching results and stores the matching results that do not match. When it matches! Insert 10″″.

F: A variable that stores the result of failure determination, that is, failure information.

z: A variable that confirms the values between F and takes a value of 0" if the result is reasonable, and a value other than 0 if it is not rational.

P: Variable whose value is the processing policy.

Figure 9 shows an example where a computer system to which the present invention is applied is configured with three computers, and the local memory of each computer is
This is a memory map showing the storage area of each variable in l-1, 1-2, and 1-3.

In addition to normal instructions, each computer has fault-tolerant processing instructions (Instructions for Fa
ultTolerant Computing) (hereinafter abbreviated as FTC instruction).

(1) C0L (P: in ARRAY of specified form, Q: out A) LL (AYof character string) Explanation: P is a sequence of variables in the form specified by the user (the number of sequences is equal to the number of computers). , performs a comparison between each variable in this sequence' (majority judgment is performed, and the different variable names are entered into Q. The variable names that are array elements may be written as is in the P and Q parts. If there are no different variables, enter "ONB".

(2) Fl, QC (P: in ARI (AY of
Character string r Q: out ARRAY of character string) Explanation: Determine where the faulty part is using P. When this instruction is executed, it is determined which computer or C8L is at fault. It is not possible to analyze the internal failures of a computer. The variable names that are array elements may be written as is in the P and Q parts.

When one C8L fails, in the fully coupled method, %
Although it is possible to only match between (n-1) computers, n
In the bus coupling method, matching between n computers can be easily achieved by alternative means. Even if many CALs fail and only one interface bus is active, the n-bus combination method continues initial fault tolerance processing, but the complete combination method uses more than a certain number of interface buses. If the initial failure tolerance processing function is no longer fulfilled, it becomes impossible to perform the initial fault tolerance processing function.

A3) DIAG (Q: out AR) (AY of
Character string) Description: This command is used to identify the fault by diagnosing each component when the fault cannot be determined even by the FLQC command.

14) RBCOV (P:in AItRAY of
Character string) Description: This is an instruction to remove the fault identified by the FLQC command or DIAG command, rebuild the system, and restart the system.

f. Effect of the Invention The computer constituting the computer system of the present invention is equipped with the above-mentioned FTC instruction group in addition to the normal instruction function, and the FTC
When an instruction operates, it can affect other computers via the CAL and perform the functions described above.

The computer system of the present invention configured using such a computer takes fault tolerance measures within the computer system in the event of a failure in the computer, C8L, or interface bus, so as to prevent the influence of the failure from affecting the outside. do.

As mentioned above, the computer system of the present invention is composed of two or more computers, a C8L, and an interface bus, and the method of connecting them is also described above. The configuration will be explained as an example.

Exactly the same program is stored in the three computers, and 3
Local memo IJ l-111-211 for each computer
-3 is provided with a storage area for fault-tolerant processing as shown in FIG. 9, and the three computers are assumed to execute at mutually synchronized timing.

FIG. 1O is an explanatory view of a part of the programs in the three computers (inner phase 1).

A part of the program includes a collation section (Collation section).
This collation section is the part shown in sentence numbers l to 17, and enter collation 5ectio
Starting with the instruction n, Ieame collation
The result is an instruction called n5ection. By executing the former instruction, interrupts of the first computer are prohibited, and by the latter instruction, the interrupt prohibition is canceled. These instructions also prevent the operating system from interfering with the execution of this section.

Assuming that the three computers execute the same program synchronously at the same timing, they should enter the collation section at the same timing, but each computer has a rotary auxiliary storage device and an input section. It is expected that the timing will shift when communicating with an output device or an external interrupt.

Therefore, the matching timing is synchronized with the slowest computer using the instructions shown in statement numbers 2 and 3.

Next, a mile-stone point is used to indicate which point on the program should be compared using normal instructions.
The value AI (A, , A3 in the second and third calculators)
) is written using the instruction 5tore(A,) of statement number 4.

Instruction C0L of statement number 5 ((A, , A, , A,)
: in, X, : out) for AI, A,
, A3 is checked, and if there is a value that does not match, a majority decision is made and the variable name of the unfavorable value is entered in X.

Instruction C0L of statement number 6 ((X, , X, , X,)
: in, Y,, 2 out), the variable name returned in Xl is checked to see if it matches the value of X,, Xs, and the unfavorable variable name is placed in Y.

If the verification is passed by executing the instruction in statement number 5.6, the instruction in statement number 7, if (all Y are "N0NE
Then 14 moves to statement number 14, synchronizes the completion of collation with statement number 14115.16, and returns to the original program.

If matching is not possible with statement numbers 5 and 6, the instruction of statement number 8 FLOC((Y, , Y, , Y,): in,
F, : out) to investigate the cause of the failure F0, and execute statement number 9 instruction cOL ((F, IF21 F3) :In+
zH: out) is used to check the cause F, and if they match, the statement number lO command entry (Zt~t'NO
Ng') then 13 Move to text number 13 and go to North CO
The fault z1 is removed by the V (Z, :in) instruction, the computer system is reconfigured, and the system is restarted.

If the cause of the failure does not match in statement number 9, execute the diagnostic program with the instruction DIA-G (P, : out) in statement number 11, search for the cause p, and execute the command kgCOV (P, : in) in statement number 12. ), the cause of the failure P is isolated, the computer system is reconfigured, and the system is restarted.

The command of statement number 12.13 transfers control from this collation section to another program prepared in advance.

Table 3 is a matrix for explaining the collation procedure of the collation section of FIG. 1O, and is an example of the case where it is performed for the configuration using the n-bus coupling method of FIG. 3. The vertical direction of Table 3 shows the failure element, and the horizontal direction shows the name of the storage location where the verification result is stored after executing the instruction of statement number 5. Table 3 shows only the action of the first computer, storage location X,...
, , X,,s,...X■3 are all the first
It is provided in the local memory X of the computer.

Items marked with an X in Table 3 indicate that a value cannot be read into the corresponding storage location XI as a result of executing the instruction of statement number 5. For example, C3L6-11
If a failure occurs, it means that no value can be entered into X, , , X, , .

Second. A similar table is created for the third computer, and the failure location can be determined by combining the three types of tables and performing a -C analysis. The instruction with statement number 8 uses this method to determine the location of the failure.

When the failure location of 'C' is not determined as shown in Table 3 using the method described above, the test data is actively sent through the command of statement number 11 to perform self-diagnosis and determine the failure location.

The above-mentioned collation section is provided in the main memory of the first computer and is executed exclusively at the same clock timing as the collation sections of other computers, so the instructions within the collation section are executed one by one in synchronization. Ru. However, when contention occurs in the memory bus in each computer, the number of execution cycles consumed by each instruction is considered to be large or small. Therefore, the number of NOPs considered necessary between instructions
(No-operation) instructions are placed and idle linked so that the instructions in the verification sections of all computers start executing at the same timing.

g. Effects of the Invention According to the computer system of the present invention, each computer constituting the computer system can read and compare the memory contents of multiple other computers with a single command, and multiple computers can be It is operated by a program, and the process values at any point in each program are checked against each other at the same time by the multiple computers mentioned above, and the results of the checks are also checked against each other. A fault-tolerant computer system with extremely high reliability can be obtained by making a determination and mutually confirming and executing the system reconfiguration and system restart policy as a result of the fault determination.

[Brief explanation of drawings]

Figure 1 is a configuration diagram of only one computer, which is a component of the present invention. Figures 2 and 3 are diagrams showing a method of combining three computers in an embodiment of the present invention. Figure 4 is a diagram showing the method of converting an instruction operand to a physical address of the fine needle calculator, and Figure 5 is a diagram of signal exchange when writing data from the first computer to the local memory of the second computer, X:Ps. , WJ6 is its timing diagram, Figure 7 is a signal exchange diagram when the first computer reads data from the local memory of the second computer, Figure 8 is its timing diagram, and Figure 9 is the signal exchange diagram when the first computer reads data from the local memory of the second computer. A memory map showing the storage area provided for fault-tolerant processing in the local memory of the computer, Figure 10 shows the program for fault-tolerant processing inserted into the door of the present invention.
:1Jjr:It is a diagram. 1.1-1. ~l-3...Local memory (LM) 2
...Memory bus 3.3-1 to 3-3...Processor unit 4...
Arithmetic unit 5...Instruction registers 6.6-11 to 6-33...Computer system link (C8L) tt, tti-i1-i
a...Interface bus 21-23...Computer (7317) Representative Patent Attorney Kensuke Chika (and 1 other person) Figure 1 Figure 2 //-/3 Figure 3 Figure 4

Claims (1)

[Claims] When the first 9″ machine executes an instruction, an address signal indicating the address of the operand of the instruction is placed on the memory bus;
The second computer is identified from the address signal and the second computer is identified.
A total of n computers connected to each other using an intercomputer communication device that reads and rewrites the contents of the memory location at the address in the main memory of the computer by the action of the instruction, each having the same purpose. Programs are stored, and in the middle of each program there is provided a collation section that is executed exclusively, and by the action of the collation section, each of the plurality of computers can calculate the calculated value of the other computer,
It is characterized by comparing it with the status value, further comparing the comparison result, and when it is determined that there is an abnormality, determines the location of the failure, system reconfiguration, and restart policy, and performs fault tolerance processing by combining the determination results. computer system.