Progressive retry method and apparatus having reusable software modules for software failure recovery in multi-process message-passing applications

US 5,440,726 A
Filed: 06/22/1994
Issued: 08/08/1995
Est. Priority Date: 06/22/1994
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus for bypassing faults in an application process, said fault bypass apparatus comprising:

at least one processor for executing a plurality of concurrent application processes;

a watchdog which includes an error detection monitor for monitoring one or more of said application processes and a restart subsystem for executing a progressive retry recovery algorithm for bypassing a fault detected by said monitor in one of said application processes; and

a memory device for storing a plurality of fault tolerant library functions which may be invoked from one or more of said application processes to make said application fault tolerant, said fault tolerant library including;

a checkpoint function for periodically performing a checkpoint of data associated with an application process;

a recover function for restoring the checkpointed data from the nonvolatile memory during a recovery mode;

a fault tolerant write function for logging each output message generated by said application processes in a sender log file before said message is transmitted by the application process, wherein said fault tolerant write function includes a mechanism for suppressing one or more of said outputs during a recovery mode; and

a fault tolerant read function for logging each input message received by said application processes in a receiver log file before they are processed by the receiving application process, wherein said fault tolerant read function will read data from a communication channel and log the received message in the receiver log file in a normal mode, and wherein the input data will be read from said receiver log file during a recovery mode.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A progressive retry recovery system based on checkpointing, message logging, rollback, message replaying and message reordering is disclosed. The disclosed progressive retry system minimizes the number of involved processes as well as the total rollback distance. The progressive retry recovery system includes a fault tolerant software library which provides a number of functions which may be invoked by application processes to implement fault tolerance. Fault tolerant functions are provided for allowing an application process to generate a heartbeat message at specified intervals indicating that the application process is still active. In addition, fault tolerance implementation functions are provided for specifying critical memory, for executing checkpoints to store backup copies of critical data, and for restoring critical data during a recovery. In addition, functions are provided which process messages that are sent or received by an application process and maintain logs of the sent and received messages. The progressive retry recovery method consists of a number of retry steps which gradually increase the scope of the rollback when a previous retry step fails.

178 Citations

16 Claims

1. An apparatus for bypassing faults in an application process, said fault bypass apparatus comprising:
- at least one processor for executing a plurality of concurrent application processes;
  
  a watchdog which includes an error detection monitor for monitoring one or more of said application processes and a restart subsystem for executing a progressive retry recovery algorithm for bypassing a fault detected by said monitor in one of said application processes; and
  
  a memory device for storing a plurality of fault tolerant library functions which may be invoked from one or more of said application processes to make said application fault tolerant, said fault tolerant library including;
  
  a checkpoint function for periodically performing a checkpoint of data associated with an application process;
  
  a recover function for restoring the checkpointed data from the nonvolatile memory during a recovery mode;
  
  a fault tolerant write function for logging each output message generated by said application processes in a sender log file before said message is transmitted by the application process, wherein said fault tolerant write function includes a mechanism for suppressing one or more of said outputs during a recovery mode; and
  
  a fault tolerant read function for logging each input message received by said application processes in a receiver log file before they are processed by the receiving application process, wherein said fault tolerant read function will read data from a communication channel and log the received message in the receiver log file in a normal mode, and wherein the input data will be read from said receiver log file during a recovery mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The fault bypass apparatus according to claim 1, wherein said fault tolerant library further includes a heartbeat function which sends a heartbeat message at specified intervals to said error detection monitor indicating that the associated process is still active and wherein said error detection monitor will detect a fault if said heartbeat signal from said application process is not received before the end of said specified interval.
  - 3. The fault bypass apparatus according to claim 1, wherein said fault tolerant library further includes a critical memory function which allows critical data in an application process to be specified and wherein said checkpoint function only copies said specified critical data.
  - 4. The fault bypass apparatus according to claim 1, wherein said fault tolerant write function will compare each newly generated message to said corresponding message in said sender log file during said recovery mode in order to verify the piecewise deterministic assumption.
  - 5. The fault bypass apparatus according to claim 1, wherein said fault tolerant read function checks said sender'"'"'s checkpoint interval number included with each received message, and initiates a checkpoint of said associated receiving application process if said sender'"'"'s checkpoint interval number is greater than said receiver'"'"'s current checkpoint interval number, thereby ensuring consistent global checkpoints.
  - 6. The fault bypass apparatus according to claim 1, wherein said progressive retry algorithm includes a plurality of retry steps which gradually increase the scope of the recovery roll back when a previous retry step fails to bypass said detected fault.
  - 7. The fault bypass apparatus according to claim 1, wherein said progressive retry algorithm comprises the steps of:
    - performing a receiver replay step to restore said faulty process to said latest checkpoint associated with said process and to replay said messages in said message log associated with said faulty process that were received by said faulty process since said latest checkpoint up to said point of said detected fault;
      
      performing a receiver reorder step if said receiver replay step does not bypass said software fault, wherein at least two of said received messages in said message log of said faulty process will be reordered before being replayed;
      
      performing a sender replay step if said receiver reorder step does not bypass said software fault, wherein one or more of said messages in said message log associated with said faulty process that were received by said faulty process after its latest checkpoint will be discarded and wherein each of said sending processes that sent said discarded messages to said faulty process will resend messages to said faulty process during said sender replay step;
      
      performing a sender reorder step if said sender replay step does not bypass said software fault, wherein each of said sending processes that sent messages to said faulty process which were received by the faulty process since its latest checkpoint will reorder at least two of said messages in its message log before replaying said messages; and
      
      performing a large scope roll back step if said sender reorder step does not bypass said software fault, said large scope roll back step rolling back each of said monitored processes to the latest consistent global checkpoint.
  - 8. The fault bypass apparatus according to claim 1, wherein said progressive retry algorithm employs a roll back propagation algorithm to compute a recovery line at the latest available actual or logical checkpoint for each of said monitored processes which has not been discarded, said roll back propagation algorithm enforcing the roll back propagation rule, said messages in said message logs that were received and processed by said associated processes between said latest actual checkpoint of said associated process and said computed recovery line being deterministic messages, said messages in said message logs that were sent before said computed recovery line and received after said recovery line being in-transit messages, said progressive retry algorithm comprising the steps of:
    - performing a receiver replay step to restore said faulty process its latest checkpoint and to replay said messages in said message log associated with said faulty process that were received by said faulty process since said latest checkpoint up to the point of the detected fault;
      
      performing a receiver reorder step if said receiver replay step does not bypass said software fault, said receiver reorder step further comprising the steps of;
      
      discarding said processing order information for said messages in said message log associated with said faulty process that were received after its latest checkpoint;
      
      computing said recovery line;
      
      reordering said in-transit messages in said message log of said faulty process; and
      
      replaying said deterministic messages and replaying or resubmitting said in-transit messages in said message logs of each of said monitored processes whose current process state is not at said recovery line;
      
      performing a sender replay step if said receiver reorder step does not bypass said software fault, said sender replay step further comprising the steps of;
      
      discarding said messages in said message log associated with said faulty process that were received by said faulty process after the last checkpoint performed for said faulty process; and
      
      replaying said deterministic messages and resubmitting said in-transit messages in said message logs of each of said monitored processes whose current process state is not at said recovery line, wherein each of said sending processes that sent said discarded messages to said faulty process during initial processing will resend messages to said faulty process during said sender replay step;
      
      performing a sender reorder step if said sender replay step does not bypass said software fault, said sender reorder step further comprising the steps of;
      
      discarding said processing order information for each of those messages in said message logs associated with said sending process that were received by said sending process after the logical checkpoint which is before the first message sent by said sending process to said faulty process since the latest checkpoint associated with said faulty process;
      
      recomputing said recovery line;
      
      reordering said in-transit messages in said message logs associated with said sending processes; and
      
      replaying said deterministic messages and replaying or resubmitting said in-transit messages in said message logs of each of said monitored processes whose current process state is not at said recovery line;
      
      performing a large scope roll back step if said sender reorder step does not bypass said software fault, said large scope roll back step rolling back each of said monitored processes to the latest consistent global checkpoint.

9. A method for making an application process fault tolerant, said fault tolerant method comprising the steps of:
- invoking functions in said application function from a fault tolerant library to make said application fault tolerant, said fault tolerant library including;
  
  a checkpoint function for periodically performing a checkpoint of data associated with an application process;
  
  a recover function for restoring the checkpointed data from the nonvolatile memory during a recovery mode;
  
  a fault tolerant write function for logging each output message generated by said application processes in a sender log file before said message is transmitted by the application process, wherein said fault tolerant write function includes a mechanism for suppressing one or more of said outputs during a recovery mode; and
  
  a fault tolerant read function for logging each input message received by said application processes in a receiver log file before they are processed by the receiving application process, wherein said fault tolerant read function will read data from a communication channel and log the received message in the receiver log file in a normal mode, and wherein the input data will be read from said receiver log file during a recovery mode;
  
  monitoring said application process for software faults; and
  
  executing a progressive retry recovery algorithm upon detection of a fault during said monitoring step to recover said faulty process, said progressive retry algorithm including a plurality of retry steps which gradually increase the scope of the recovery roll back when a previous retry step fails to bypass said detected fault.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The fault bypass method according to claim 9, wherein said fault tolerant library further includes a heartbeat function which sends a heartbeat message at specified intervals to said error detection monitor indicating that the associated process is still active and wherein said error detection monitor will detect a fault if said heartbeat signal from said application process is not received before the end of said specified interval.
  - 11. The fault bypass method according to claim 9, wherein said fault tolerant library further includes a critical memory function which allows critical data in an application process to be specified and wherein said checkpoint function only copies said specified critical data.
  - 12. The fault bypass method according to claim 9, wherein said fault tolerant write function will compare each newly generated message to said corresponding message in said sender log file during said recovery mode in order to verify the piecewise deterministic assumption.
  - 13. The fault bypass method according to claim 9, wherein said fault tolerant read function checks said sender'"'"'s checkpoint interval number included with each received message, and initiates a checkpoint of said associated receiving application process if said sender'"'"'s checkpoint interval number is greater than said receiver'"'"'s current checkpoint interval number, thereby ensuring consistent global checkpoints.
  - 14. The fault bypass method according to claim 9, wherein said progressive retry algorithm includes a plurality of retry steps which gradually increase the scope of the recovery roll back when a previous retry step fails to bypass said detected fault.
  - 15. The fault bypass method according to claim 9, wherein said progressive retry algorithm comprises the steps of:
    - performing a receiver replay step to restore said faulty process to said latest checkpoint associated with said process and to replay said messages in said message log associated with said faulty process that were received by said faulty process since said latest checkpoint up to said point of said detected fault;
      
      performing a receiver reorder step if said receiver replay step does not bypass said software fault, wherein at least two of said received messages in said message log of said faulty process will be reordered before being replayed;
      
      performing a sender replay step if said receiver reorder step does not bypass said software fault, wherein one or more of said messages in said message log associated with said faulty process that were received by said faulty process after its latest checkpoint will be discarded and wherein each of said sending processes that sent said discarded messages to said faulty process will resend messages to said faulty process during said sender replay step;
      
      performing a sender reorder step if said sender replay step does not bypass said software fault, wherein each of said sending processes that sent messages to said faulty process which were received by the faulty process since its latest checkpoint will reorder at least two of said messages in its message log before replaying said messages; and
      
      performing a large scope roll back step if said sender reorder step does not bypass said software fault, said large scope roll back step rolling back each of said monitored processes to the latest consistent global checkpoint.
  - 16. The fault bypass method according to claim 9, wherein said progressive retry algorithm employs a roll back propagation algorithm to compute a recovery line at the latest available actual or logical checkpoint for each of said monitored processes which has not been discarded, said roll back propagation algorithm enforcing the roll back propagation rule, said messages in said message logs that were received and processed by said associated processes between said latest actual checkpoint of said associated process and said computed recovery line being deterministic messages, said messages in said message logs that were sent before said computed recovery line and received after said recovery line being in-transit messages, said progressive retry algorithm comprising the steps of:
    - performing a receiver replay step to restore said faulty process its latest checkpoint and to replay said messages in said message log associated with said faulty process that were received by said faulty process since said latest checkpoint up to the point of the detected fault;
      
      performing a receiver reorder step if said receiver replay step does not bypass said software fault, said receiver reorder step further comprising the steps of;
      
      discarding said processing order information for said messages in said message log associated with said faulty process that were received after its latest checkpoint;
      
      computing said recovery line;
      
      reordering said in-transit messages in said message log of said faulty process; and
      
      replaying said deterministic messages and replaying or resubmitting said in-transit messages in said message logs of each of said monitored processes whose current process state is not at said recovery line;
      
      performing a sender replay step if said receiver reorder step does not bypass said software fault, said sender replay step further comprising the steps of;
      
      discarding said messages in said message log associated with said faulty process that were received by said faulty process after the last checkpoint performed for said faulty process; and
      
      replaying said deterministic messages and resubmitting said in-transit messages in said message logs of each of said monitored processes whose current process state is not at said recovery line, wherein each of said sending processes that sent said discarded messages to said faulty process during initial processing will resend messages to said faulty process during said sender replay step;
      
      performing a sender reorder step if said sender replay step does not bypass said software fault, said sender reorder step further comprising the steps of;
      
      discarding said processing order information for each of those messages in said message logs associated with said sending process that were received by said sending process after the logical checkpoint which is before the first message sent by said sending process to said faulty process since the latest checkpoint associated with said faulty process;
      
      recomputing said recovery line;
      
      reordering said in-transit messages in said message logs associated with said sending processes; and
      
      replaying said deterministic messages and replaying or resubmitting said in-transit messages in said message logs of each of said monitored processes whose current process state is not at said recovery line;
      
      performing a large scope roll back step if said sender reorder step does not bypass said software fault, said large scope roll back step rolling back each of said monitored processes to the latest consistent global checkpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T IPM Corp. (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Wang, Yi-Min, Huang, Yennun, Kintala, Chandra M., Fuchs, Wesley K.
Primary Examiner(s)
Canney, Vincent P.

Application Number

US08/263,916
Time in Patent Office

412 Days
Field of Search

395/575, 395/200, 371/11.3, 371/12, 371/16.3, 364/228.3, 364/268.9, 364/268.1, 364/268.3, 364/285.2, 364/285.3
US Class Current

714/20
CPC Class Codes

G06F 11/1402 Saving, restoring, recoveri...

Progressive retry method and apparatus having reusable software modules for software failure recovery in multi-process message-passing applications

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

178 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Progressive retry method and apparatus having reusable software modules for software failure recovery in multi-process message-passing applications

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

178 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links