Fault tolerant computer system with shadow virtual processor

Abstract

A fault-tolerant computer system has primary and backup computers. Primary and backup virtual machines running on the computers are controlled by corresponding virtual machine monitors. The virtual machines execute only user-mode instructions, while all kernel-mode instructions are trapped and handled by the virtual machine monitors. Each computer has a recovery register that generates a hardware interrupt each time that a specified number of instructions, called an epoch, are executed. Prior to failure of the primary computer, the backup computer's virtual machine monitor converts all I/O instructions into no-ops and the primary computer sends copies of all I/O interrupts to the backup computer. To ensure that the instruction streams in the primary and backup virtual machines are identical and that all instructions for handling interrupts and traps are executed at exactly the same point in the two virtual machines' instruction streams, all interrupts and traps that occur on the primary computer during an epoch are buffered by the virtual machine monitor. At the end of each epoch, the buffered interrupts and traps are delivered to the primary computer's virtual machine and a message is sent to the backup computer allowing the just completed epoch to be executed by the backup virtual machine. Whenever a fail-over occurs, all I/O operation completed interrupts from the epoch in which the failure occurred are deleted, and 'disconnected' interrupts are generated for all I/O devices in use. The backup virtual processor re-connects to the i/O devices and then reissues outstanding I/O operations for which a operation completed interrupt was not received. As a result, processor failures look like ordinary I/O device failures to the software running in the backup virtual machine.