Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
2000-08-24
2003-12-16
Beausoliel, Robert (Department: 2184)
Error detection/correction and fault detection/recovery
Data processing system error or fault handling
Reliability and availability
C714S043000
Reexamination Certificate
active
06665811
ABSTRACT:
CROSS-REFERENCES TO RELATED APPLICATIONS
STATEMENT AS TO RIGHTS TO INVENTIONS MADE UNDER FEDERALLY SPONSORED RESEARCH AND DEVELOPMENT
BACKGROUND OF THE INVENTION
This invention relates generally to fault-tolerant distributed or clustered multiprocessor systems. More particularly, the invention relates to methods, and apparatus implementing those methods, for improving the resilience of a multiprocessor system in partial and total communication failure scenarios, and in the face of failure of periodic or timed events on a constituent processor. Thereby, system fault tolerance is improved.
One inventive method of achieving fault-tolerant capability in distributed multiprocessor architectures is to detect processor failures quickly with an “I'mAlive” protocol (described in U.S. Pat. No. 4,817,091). Briefly, the I'mAlive protocol involves each processor of the system periodically sending or otherwise broadcasting I'mAlive message packets to each of the other processors in the system. Each processor determines whether another processor is operational by timing I'mAlive packets from it. When a processor sees that the time interval passes without receipt of an I'mAlive packet from a given processor, the first processor decides that the silent processor might have failed.
The I'mAlive protocol message scheme is often combined with a “process pair” mechanism, comprising a primary process installed and running on one processor of the multiple processor system with a copy of that process operating as a backup process on another processor of the system. Periodic updates are sent from the primary process to the backup process so that should the primary process, or the processor it runs on, fail, the backup can take over for the primary process with minimal interruption. An example of the use of process pairs can be found in the above-identified '091 patent.
Unfortunately, there are situations in which a processor will be late in broadcasting its required I'mAlive message, in turn causing one or more of the other processors to assume that the tardy processor has failed. These situations, in turn, can give rise to such actions (to name a few) as: (1) both of the processes of a process pair (running on different processors) regarding themselves as the primary, destroying the ability to perform backup functions and possibly corrupting files; or (2) all system processors becoming trapped in infinite loops, contending for common resources; or (3) corrupting various system tables. Although such situations are rare, they are possible and have been observed in systems developed prior to implementation of a “Regroup” technique (described below). For fault tolerant systems, such situations must be made practically non-existent.
To supplement the I'mAlive protocol, and to avoid the problems referred to above, a technique referred to as “Regroup” was developed. Triggered when a processor fails to see an I'mAlive message within a prescribed check period, Regroup begins with messages being exchanged between all processors of the system in order to enlist them in the Regroup operation. Regroup then employs a consensus algorithm to determine the true state of each processor in the system by having each volunteer its record of the state of all other processors. Each processor compares its own record with records from other processors and updates its record accordingly. When the consensus is complete, all processors have the same record of the system's state. The processors will have coordinated among themselves to reintegrate functional but previously isolated processors and to correctly identify and isolate nonfunctional processors.
Later developments have refined the Regroup technique, allowing its use to determine membership even when physical communication among processors is lost. See, for example, U.S. Pat. No. 5,884,018 for “Method and Apparatus for Distributed Agreement on Processor Membership in a Multi-Processor System.” To the extent necessary, said U.S. Pat. No. 5,884,018 is incorporated by reference as if fully set forth herein.
As indicated above, a missing or tardy I'mAlive message can cause each of the two processes of a process pair to operate as if it is the primary process. This, in turn, gives rise to the possibility of data corruption caused by both processors of the pair trying to write (and/or overwrite) portions of a disk drive (or other I/O controller) managed by the two processes. To avoid this situation, Regroup is structured to require each processor, at the start of a Regroup event, to invoke a “Hold I/O” state in which all input/output transmissions, except those necessary to the Regroup operation, are suspended. The Hold I/O state is turned off for those processors determined to be fit to continue operation. Any processor(s) determined to be faulty (either on its own, or by the Regroup operation) will continue the Hold I/O state until it halts. In addition, to preclude premature takeover of a process' operations by its backup process, the first stage of Regroup is “stalled” (i.e., extended) long enough to ensure that all processors have entered the Regroup operation and invoked the Hold I/O state. It has been determined that the stall period is at least two I'mAlive checking periods (2T
check
), plus a safety margin to cover message transit time and to account for small differences in the processor clocks in the multiple processors of the system; one extra T
tick
more than covers these small effects. (T
tick
, approximately 0.3 seconds, is a basic time unit in the I'mAlive messaging operation as well as the Regroup algorithm. In addition to its use in “pacing” the sending of I'mAlive messages every two T
tick
intervals and checking every four T
tick
intervals, the Regroup operation, when activated, proceeds in multiple rounds, the interval between which is T
tick
. That is, when Regroup is active, on every T
tick
interval, every processor sends its Regroup messages to all other processors.)
The stall period described in the previous paragraph is known as stage
1
of the Regroup operation. Under certain special circumstances, a processor participating in a Regroup operation may determine that the duration of the stall period (or stage
1
) must be extended beyond 2T
check
+T
tick
. This is referred to as a “cautious mode” Regroup operation. While in cautious mode, the processor invokes Hold I/O and waits longer for stage
1
to complete. The situations leading to a processor entering cautious mode are:
1. The processor detects that two or more peer processors are missing in the current Regroup operation. Note that this situation is possible if the processor is isolated, or if the system is subject to multiple processor and/or communication path failures.
2. The Regroup operation is restarted due to processor or communication failures that occur during the Regroup operation itself.
3. The Regroup operation is started because the multiprocessor system is recovering from a power outage. Because the recovery speed of individual processor units may vary, processor units must wait longer in stage
1
of the Regroup operation.
The I'mAlive protocol is most often employed in a prioritized interrupt scheme in which the work done by the processor in order to construct and send I'mAlive messages is assigned a low priority level. Message construction allows the I'mAlive message to provide a fair indication of the state of well-being or health of the sending processor. It informs the other processors that the sending processor is capable of doing more than just sending I'mAlive messages. However, higher priority tasks can delay the I'mAlive interrupt, and the send of an I'mAlive message, long enough so that another of the processors of the system, failing to see the I'mAlive message within the requisite time, will initiate the Regroup operation. Regroup operations that are triggered by late sending of I'mAlive messages (as opposed to a processor failure or commu
de Azevedo Marcelo Moraes
Jardine Robert L.
Beausoliel Robert
Bonzo Bryce P.
LandOfFree
Method and apparatus for checking communicative connectivity... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and apparatus for checking communicative connectivity..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and apparatus for checking communicative connectivity... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3125225