The present invention relates to a method and apparatus for update/recovery of a database in a database system which ensures logical integrity for the database to be updated by transactions or subjected to storage medium failure particularly for the database to be recovered after system failure such as power interruption.
Logical integrity for a database in a database system must be retained after system failure such as power interruption or after transaction failure due to program error for example. Specifically, the data base update results obtained by transactions which have not been completed by the time failure occurs, must be invalidated.
As a related prior art, there is known a method of storing update results by a transaction in a new location different from that in which information prior to update was stored. Such a method is described in "ACM Transactions on Database Systems", Vol. 2, No. 1 (1977), pp. 91-104. This method is called a shadow page method wherein before a transaction is completely executed, all the updated database contents are written in new storage locations, and at the time the transaction has been completely executed, information before update is invalidated while information after update is validated. The features of the shadow page method are summarized as in the following (1) to (4):
(1) A database is constructed of pages each constituting a logical area unit. Two page tables including a current version and a backup version are provided, the table indicating a correspondence between pages and slots in the database storage medium in which the contents of pages are stored. The tables are stored in non-volatile medium such as on a disk. The page table itself is usually divided into plural blocks. Transfer between a main storage and the non-volatile medium is executed in units of blocks.
(2) A new slot wherein the update contents by a transaction of a page in a database are stored, is called a current page slot. The correspondence between pages and slots is retained in a current version page table. Whereas a slot wherein the contents prior to update of a page are stored, is called a shadow page slot. The correspondence between pages and slots is retained in a backup version page table.
(3) Upon completion of transaction execution, the current version page table is validated such that update information stored in a current page slot is validated. Particularly, a status bit in the non-volatile medium is changed which indicates an available one of the current and backup version page tables.
(4) When system/transaction failure occurs while executing a transaction, the backup version page table is decided as valid by the status bit. That is, the information before update stored in the shadow page slot identified by the backup version page table is made valid.
Therefore, it is possible to retain logical integrity, even when system/transaction failure occurs. In addition, it is unnecessary to fetch database update journal information.
The following three problems are known in the prior art shadow page method.
The first problem is that a plurality of transactions cannot share and update the database at the same time. The reason for this is that since status bits are changed collectively for validating the current version page table after completing transaction execution, it is necessary that pages being updated by other transactions should not be included in the page table concerned.
The second problem is that synchronization is difficult between validating the updated results of a database and validating messages transmitted to terminals and the updated results of system management information in the main storage. A transaction generally includes not only database update but also message transmission and system management information update. However, change of status bits according to the prior art concerns only database update. Therefore, when system failure occurs, a fear may arise at a certain timing that only the updated database results are validated, or conversely only the message or system management information update results are validated.
The third problem is that it is necessary to update the page table and status bits in the non-volatile medium for each transaction so that the update overhead becomes one of the reasons deteriorating the system performance.
In an actual system environment where a plurality of on-line transactions share and update the database at the same time, instead of the above-described shadow page method, a shadow method combined with a method wherein a database update journal is fetched, is used in view of the first and second problems described above. This latter method however has a large overhead in storing fetching database update information, and has a fear that the system performance is deteriorated while still incorporating the third problem described above.
Apart from the above prior art, another method has been employed for recovery at the occurrence of database medium failure, wherein a backup copy of the entire data base and a database update journal time-sequentially recording all the update contents of the database, are used. This method is described in "An Introduction to Database Systems", Vol. II, Chapter 1, p. 20, by C. J. Date. According to this method, if information in the database storage medium is destroyed, the backup copy is loaded into the database storage medium, sequentially reflecting to the loaded backup copy the database update journal information after the backup copy was obtained, thus enabling recovery of the information.
The above prior art has the following problems (1) to (4):
(1) Since an update journal regarding the entire database is serially written in a single journal file, the write process becomes a bottle neck and the system performance is deteriorated.
(2) If certain information of the database in the storage medium is destroyed, not only the update journal regarding the information concerned, but also all the database update journal after the backup copy was obtained must be read from the journal file and analyzed. There and the database recovery time becomes very long.
(3) The whole or part of the database must be invalidated while a backup copy is being obtained. This deteriorates availability of the database system, and thus a serious problem arises particularly in the case of a 24-hour operating system or the like.
(4) To avoid the deterioration of availability of the database system as described in (3), frequently obtaining backup copies must be restricted. As the time for obtaining backup copies becomes longer, the storage amount of the database update journal becomes extraordinary.