1. Field of the Invention
This invention relates to the field of operating system software-based fault-tolerant computer systems utilizing multiple processors.
2. Background Art
In computer system applications, it is often desired to provide for continuous operation of the computer system, even in the event of a component failure. For example, personal computers (PC's) or workstations often use a computer network to allow the sharing of data, applications, files, processing power, communications and other resources, such as printers, modems, mass storage and the like. Generally, the sharing of resources is accomplished by the use of a network server. The server is a processing unit dedicated to managing the centralized resources, managing data, and sharing these resources with client PC's and workstations. The server, network and PC's or workstations combined together constitute the computer system. If there is a failure in the network server, the PC's and workstations on the network can no longer access the desired centralized resources and the system fails.
To maintain operation of a computer system during a component failure, a redundant or backup system is required. One prior art backup system involves complete hardware redundancy. Two identical processors are provided with the same inputs at the hardware signal level at the same time during operation of the computer system. Typically, one processor is considered the primary processor and the other is a secondary processor. If the primary processor fails, the system switches to the secondary processor. An example of such a hardware redundancy system is described in Lovell, U.S. Pat. No. 3,444,528. In Lovell, two identical computer systems receive the same inputs and execute the same operations. However, only one of the computers provides output unless there is a failure, in which case the second computer takes control of the output. In operation, the output circuits of the backup computer are disabled until a malfunction occurs in the master computer. At that time, the outputs of the backup computer are enabled.
The use of identical processors or hardware has a number of potential disadvantages. One disadvantage is the complexity and cost of synchronizing the processors at a signal level.
Another prior art method of providing a backup system is referred to as a "checkpoint" system. A checkpoint system takes advantage of a principle known as "finite state automata." This principle holds that if two devices are at the same state, identical inputs to those devices will result in identical outputs for each device, and each device will advance to the same identical state.
In a checkpoint system, the entire state of a device, such as the processor state and associated memory, is transferred to another backup processor after each operation of the primary processor. In the event of a failure, the backup processor is ideally at the most recent valid state of the primary processor. The most recent operation is provided to the backup processor and operation continues from that point using the backup processor. Alternatively, the state information is provided to mass storage after each operation of the primary processor. In the event of a failure, the stored state information is provided to a backup processor which may or may not have been used for other operations prior to that event.
One prior art checkpoint system is described in Glaser, U.S. Pat. No. 4,590,554. In Glaser, a primary processor is provided to perform certain tasks. A secondary processor is provided to perform other tasks. Periodically, the state of the primary processor is transferred to the secondary processor. Upon failure of the primary processor, any operations executed by the primary processor since the last synchronization of the primary and backup processors are executed by the backup processor to bring it current with the primary processor. The system of Glaser, as well as other checkpoint systems, suffer a number of disadvantages. One disadvantage is the amount of time and memory required to transfer the state of the primary system to the secondary system. Another disadvantage of checkpoint systems is the interruption of service upon failure of the primary system. The secondary system must be "brought up to speed" by execution of messages in a message string.
One prior art attempt to solve this problem is to update only those portions of the state of the primary system that have been changed since the previous update. However, this requires complex memory and data management schemes.
It is an object of the invention to provide a backup system that does not require specialized hardware for the synchronization of the backup system.
It is another object of the invention to provide a backup system which is transparent to asynchronous events.
It is still another object of the present invention to provide an improved backup system for network server operation.
It is another object of the present invention to provide continuous service through a single hardware component failure.