A fault tolerant server (“FT Server”) is a computer system with redundant hardware and software that permits a currently active server subsystem to fail while the processing of data continues on a duplicate or redundant server subsystem. Such an FT Server must maintain a duplicated or mirrored current image of the operating system state in the second, non-active server subsystem, and that image must include all of the processor, register, cache and memory state of the currently active server subsystem, so as to reduce the possibility of functional server failure when a hardware component fails. In such an FT Server, the memory of the first or currently active server subsystem must be copied into, and kept up to date in, a physically separate mirrored physical memory system in the second or currently non-active server subsystem, so that operation can continue on that second, previously non-active server subsystem with no or minimal interruption when a hardware component failure occurs in the first or active server subsystem. Once the memory contents and processor state of the two server subsystems have been made identical, the two subsystems must continue to execute all of their processing operations in a parallel and identical manner that generates identical memory contents on both subsystems, unless a hardware failure or a transient hardware error occurs. In this discussion, the phrases “FT Server” and “the Server” are used synonymously.
In more detail, such a redundant or mirrored physical FT Server (also referred to as a “Mirrored System”) in one embodiment includes two physically separate but logically identical server subsystem modules, which may be termed mirrored processor and memory units. In this configuration, the FT Server computer system consists of two physically separate processing units which contain identical memory data and identical processor and clocking states. When such an FT Server is first started or booted, or when a module is removed or replaced, the system temporarily executes in a non-redundant mode with only one FT Server subsystem functioning. When the malfunctioning unit is brought back into service after a transient hardware error, or when the malfunctioning unit is replaced, the FT Server transitions again into the highly reliable fault tolerant state by using a hardware and software mechanism to copy the current processor and memory state of the functioning FT Server subsystem into the new or uninitialized module of the repaired FT Server subsystem. The FT Server then enters a state of mirrored execution in which the two modules receive identical IO device inputs from the external environment, and the two modules continue to generate identical processor, memory, and system hardware clock states on their own. The mirrored subsystems can be described as operating “in lockstep”. While in the state of mirrored execution, the FT Server uses logic within a hardware Field Programmable Gate Array (FPGA) component to detect hardware errors or other state differences in either mirrored subsystem, and to isolate the failing subsystem so that the other subsystem can continue to operate normally. While in the state of mirrored execution, the FPGA causes all IO Direct Memory Access (DMA) writes into system memory to occur in parallel, with the same timing, on both subsystems, so that the two subsystems receive identical IO device inputs from the external environment.
To create the mirrored state, the entire current system memory contents must be copied into the new module. The system memory is constantly being written and modified by the currently running programs and workload, such as the Operating System or “OS” installed on the FT Server; the services and applications installed on the Server; a hypervisor, if one is installed to control virtual machines and any virtual machine (VM) guests; and the guest operating systems and programs of those virtual machine guests. Pages of active system memory that have been modified are termed “dirty pages”, and they must be detected by a selective memory mirroring hardware and software mechanism so that a fault-tolerant mirrored memory state can be created by copying just the changes in memory (i.e., the changes which occur during and after an initial phase that copies the entire system memory into the new memory module). By copying just the changes in memory after the initial complete copy has completed, a copy of the entire active memory is maintained without introducing the excessive delays or temporary server outages that would accompany suspending the system workload in order to complete the copying of all of the memory of the active server subsystem.
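The following is an added illustration of the copy procedure just described, written for this discussion and not taken from the specification or from any FT Server product: a user-space simulation in which system memory is modelled as an array of fixed-size pages and a dirty bitmap records every page written since the last snapshot. The page size, page count, convergence threshold (`QUIESCE_THRESHOLD`), the pseudo-random workload and the function names are all assumptions made for the example. It shows the three phases the text implies: one full copy while the workload keeps running, repeated rounds that copy only the pages dirtied since the previous round, and a final short copy with the workload paused. The ordering detail that matters for correctness is that the dirty set is snapshotted and cleared before a round's pages are copied, so a write that lands during the copy is caught by the next round instead of being lost.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE          64   /* bytes per page: assumed, tiny for the demo   */
#define NUM_PAGES         256   /* pages of "system memory": assumed            */
#define BITMAP_WORDS ((NUM_PAGES + 63) / 64)
#define QUIESCE_THRESHOLD   4   /* pause the workload at this many dirty pages: assumed */

typedef struct {
    uint8_t  mem[NUM_PAGES][PAGE_SIZE];
    uint64_t dirty[BITMAP_WORDS];   /* bit p set => page p written since last snapshot */
} subsystem_t;

static size_t popcount64(uint64_t x) { size_t n = 0; for (; x; x &= x - 1) n++; return n; }

/* All workload writes funnel through here; this is the point where a hardware
 * dirty bit or a write-protect trap handler would record the touched page. */
void workload_write(subsystem_t *s, size_t page, size_t off, uint8_t v)
{
    s->mem[page][off] = v;
    s->dirty[page / 64] |= (uint64_t)1 << (page % 64);
}

/* Snapshot the dirty set and clear it BEFORE copying. Returns pages in the snapshot. */
size_t take_dirty(subsystem_t *s, uint64_t out[BITMAP_WORDS])
{
    size_t n = 0;
    for (size_t w = 0; w < BITMAP_WORDS; w++) {
        out[w] = s->dirty[w];
        s->dirty[w] = 0;
        n += popcount64(out[w]);
    }
    return n;
}

static void copy_pages(const subsystem_t *src, subsystem_t *dst, const uint64_t set[BITMAP_WORDS])
{
    for (size_t p = 0; p < NUM_PAGES; p++)
        if (set[p / 64] & ((uint64_t)1 << (p % 64)))
            memcpy(dst->mem[p], src->mem[p], PAGE_SIZE);
}

/* Stand-in for the running OS/hypervisor workload: a deterministic LCG picks
 * which pages get written (constructed input, not real traffic). */
static void workload_step(subsystem_t *s, uint32_t *seed, size_t writes)
{
    for (size_t i = 0; i < writes; i++) {
        *seed = *seed * 1103515245u + 12345u;
        workload_write(s, (*seed >> 8) % NUM_PAGES, (*seed >> 4) % PAGE_SIZE, (uint8_t)(*seed >> 16));
    }
}

/* Bring 'standby' up to date with 'active' while the workload keeps writing.
 * Returns the number of copy rounds, counting the initial full copy and the
 * final quiesced copy. */
int mirror_memory(subsystem_t *active, subsystem_t *standby, uint32_t seed)
{
    uint64_t set[BITMAP_WORDS];
    int rounds = 1;
    size_t writes = 100;            /* writes per round; halves as rounds get shorter */

    /* Phase 1: full copy; writes landing meanwhile are caught by the bitmap. */
    memset(active->dirty, 0, sizeof active->dirty);
    memcpy(standby->mem, active->mem, sizeof active->mem);
    workload_step(active, &seed, 200);

    for (;;) {
        size_t ndirty = take_dirty(active, set);
        rounds++;
        if (ndirty <= QUIESCE_THRESHOLD) {
            /* Phase 3: workload paused (no further workload_step); last short copy. */
            copy_pages(active, standby, set);
            return rounds;
        }
        /* Phase 2: copy only the changed pages while the workload keeps running. */
        copy_pages(active, standby, set);
        workload_step(active, &seed, writes);   /* writes that land "during" this round */
        if (writes > 1) writes /= 2;
    }
}

int memories_identical(const subsystem_t *a, const subsystem_t *b)
{
    return memcmp(a->mem, b->mem, sizeof a->mem) == 0;
}

/* Demo driver: fill the active memory with a pattern, mirror it, return 1 if identical. */
int demo_mirror(int *rounds_out)
{
    static subsystem_t active, standby;
    memset(&active, 0, sizeof active);
    memset(&standby, 0, sizeof standby);
    for (size_t p = 0; p < NUM_PAGES; p++)
        memset(active.mem[p], (int)(p & 0xff), PAGE_SIZE);
    int rounds = mirror_memory(&active, &standby, 12345u);
    if (rounds_out) *rounds_out = rounds;
    return memories_identical(&active, &standby);
}

int demo_mirror_rounds(void) { int r = 0; demo_mirror(&r); return r; }

/* Shows why the snapshot precedes the copy: a write after take_dirty() is not
 * lost but shows up in the next snapshot. Returns 1 if that holds. */
int snapshot_keeps_late_write(void)
{
    static subsystem_t s;
    uint64_t set[BITMAP_WORDS];
    memset(&s, 0, sizeof s);
    workload_write(&s, 5, 0, 0xAA);
    size_t first = take_dirty(&s, set);          /* snapshot: {5} */
    workload_write(&s, 9, 0, 0xBB);              /* lands after the snapshot */
    size_t second = take_dirty(&s, set);         /* next snapshot: {9} */
    return first == 1 && second == 1 && (set[0] & ((uint64_t)1 << 9)) != 0;
}

int main(void)
{
    int rounds = 0, ok = demo_mirror(&rounds);
    printf("mirror %s after %d copy rounds\n", ok ? "identical" : "DIVERGED", rounds);
    return ok ? 0 : 1;
}
```

With the assumed workload the loop converges in seven or eight rounds; a workload that dirties pages faster than they can be copied would never reach the threshold, which is exactly the case in which a real FT Server has to fall back on pausing the workload for the final copy.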
The native operating system of the FT Server and its components may not provide a suitable memory-mirroring interface or API for detecting dirty pages. This is especially true when a hypervisor such as Windows Hyper-V, VMware ESX, or Linux KVM has been enabled in the FT Server. What is needed is a method for determining dirty pages for operating systems that do not provide a suitable memory-mirroring interface.
The present invention addresses this need.